Commit Graph

5843 Commits

Author SHA1 Message Date
Rob Crittenden
be8c9ec9f2 Specify the location for the agent PKCS#12 file so we don't have to move it.
Dogtag 10.0.2 changed the default location for this file from /root/.pki
to /root/.dogtag which broke our install.

https://fedorahosted.org/freeipa/ticket/3599
2013-05-06 13:37:23 +02:00
Martin Kosek
77e4f445cc Update pki proxy configuration
Replicas with Dogtag pki-ca 10.0.2 CA require access to additional
Dogtag REST API calls. Update pki proxy configuration to allow that.

https://fedorahosted.org/freeipa/ticket/3601
2013-05-06 13:33:52 +02:00
Rob Crittenden
6e2c3a45a1 Handle a 501 in cert-find from dogtag as a "not supported"
Upgrading from d9 -> d10 does not set up the RESTful interface
in dogtag, they just never coded it. Rather than trying to backport
things they have decided to not support upgrades.

We need to catch this and report a more reasonable error. They are
returning a 501 (HTTP method unimplemented) in this case.

https://fedorahosted.org/freeipa/ticket/3549
2013-05-03 16:05:49 -04:00
Jan Cholasta
252de46ebf Fix normalization of FQDNs in DNS installer code.
https://fedorahosted.org/freeipa/ticket/3600
2013-05-03 18:05:50 +02:00
Sumit Bose
c152c9e7ff Allow ID-to-SID mappings in the extdom plugin
https://fedorahosted.org/freeipa/ticket/3596
2013-05-02 16:57:12 -04:00
Sumit Bose
0f43cd6ea0 Do not store SID string in a local buffer
https://fedorahosted.org/freeipa/ticket/3596
2013-05-02 16:57:12 -04:00
Sumit Bose
631b3cf7cd Do not lookup up the domain too early if only the SID is known
Request with a SID as input parameter do not contain the domain name,
hence is must be tried to resolve the SID first before the corresponding
domain can be looked up.

https://fedorahosted.org/freeipa/ticket/3596
2013-05-02 16:57:12 -04:00
Rob Crittenden
aa467af614 Add Nathaniel McCallum to Contributors.txt 2013-05-02 15:19:40 -04:00
Nathaniel McCallum
039b78abee Ignore log files from automake tests 2013-05-02 15:19:39 -04:00
Tomas Babej
66b1d435c3 Handle connection timeout in ipa-replica-manage
When connecting to replica, ipa-replica-manage could fail with
unknown error due to connection time out. This patch properly
handles the situation

Fixed in conjunction with https://fedorahosted.org/freeipa/ticket/3524
2013-05-02 10:55:54 -04:00
Tomas Babej
6839483d29 Enforce host existence only where needed in ipa-replica-manage
In ipa-replica-manage commands, we enforce that hostnames we work
with are resolvable. However, this caused errors while deleting
or disconnecting a ipa / winsync replica, if that replica was down
and authoritative server for itself.

Also adds an --no-lookup flag to disable host existence checks.

https://fedorahosted.org/freeipa/ticket/3524
2013-05-02 10:53:15 -04:00
Rob Crittenden
bfdcc7c62d Drop uniqueMember mapping with nss-pam-ldapd.
nss-pam-ldapd in 0.8.4 changed the default to map uniqueMember to
member so it is no longer needed in the config file, and in fact
causes an error to be raised.

Add a Conflicts on older versions.

https://fedorahosted.org/freeipa/ticket/3589
2013-05-02 10:43:10 -04:00
Petr Vobornik
80c4228fe2 Fix: Certificate status is not visible in Service and Host page
https://fedorahosted.org/freeipa/ticket/3593
2013-04-30 17:30:15 +02:00
Jan Cholasta
ddd8988f1c Add support for OpenSSH 6.2.
Run sss_ssh_authorizedkeyscommand as nobody. Automatically update sshd_config
on openssh-server update.

https://fedorahosted.org/freeipa/ticket/3571
2013-04-30 11:05:39 -04:00
Tomas Babej
5d6a9d3bef Preserve already configured options in openldap conf
We should respect already configured options present in
/etc/openldap/ldap.conf when generating our own configuration.

With this patch, we only rewrite URI, BASE and TLS_CACERT options
only if they are not configured. In the case they are, our suggested
configuration is inserted as a comment.

Also adds tab as a delimeter character in /etc/openldap/ldap.conf

https://fedorahosted.org/freeipa/ticket/3582
2013-04-30 10:54:10 -04:00
Rob Crittenden
732d1042a3 Require version of NSS that properly parses base64-encoded certs
There were cases where a base64-encoded cert with no header/footer would
not be handled properly and rejected. This was causing the CA install
to fail.

https://fedorahosted.org/freeipa/ticket/3586
2013-04-29 09:49:37 -04:00
Ana Krivokapic
dfcdd9c403 Always stop dirsrv in 'ipactl stop'
Ensure that 'ipactl stop' stops the dirsrv instance, even when no other
services are running.

https://fedorahosted.org/freeipa/ticket/3574
2013-04-29 09:38:30 -04:00
Petr Viktorin
d4a0fa34af Fix syntax errors in schema files
- add missing closing parenthesis in idnsRecord declaration
- remove extra dollar sign from ipaSudoRule declaration
- handle missing/extraneous X-ORIGIN lines in 10-selinuxusermap.update

This does not use the schema updater because the syntax needs to be
fixed in the files themselves, otherwise 389 1.3.2+ will fail
to start.
Older DS versions transparently fix the syntax errors.

The existing ldap-updater directive for ipaSudoRule is fixed
(ldap-updater runs after upgradeconfig).

https://fedorahosted.org/freeipa/ticket/3578
2013-04-26 11:15:16 -04:00
Petr Viktorin
e9863e3fe3 Fix syntax of the dc attributeType
dc syntax is changed from Directory String to IA5 String to conform
to RFC 2247.

Part of the work for https://fedorahosted.org/freeipa/ticket/3578
2013-04-26 11:13:52 -04:00
Martin Kosek
5af2e1779a Add userClass attribute for hosts
This new freeform host attribute will allow provisioning systems
to add custom tags for host objects which can be later used for
in automember rules or for additional local interpretation.

Design page: http://www.freeipa.org/page/V3/Integration_with_a_provisioning_systems
Ticket: https://fedorahosted.org/freeipa/ticket/3583
2013-04-26 10:20:17 -04:00
Tomas Babej
e10d934230 Make gecos field editable in Web UI
This patch exposes user entry gecos field in Web UI.

https://fedorahosted.org/freeipa/ticket/3569
2013-04-25 17:27:10 +02:00
Tomas Babej
2973128cf0 Allow underscore in record targets
Makes record target validation less strict and allows underscore.
This is requirement for IPA sites.

https://fedorahosted.org/freeipa/ticket/3550
2013-04-25 12:45:54 +02:00
Ana Krivokapic
4cff518517 Add missing permissions to Host Administrators privilege
The 'Host Administrators' privilege was missing two permissions
('Retrieve Certificates from the CA' and 'Revoke Certificate'), causing
the inability to remove a host with a certificate.

https://fedorahosted.org/freeipa/ticket/3585
2013-04-24 14:35:22 -04:00
Ana Krivokapic
6d2176322c Do not display an interactive mode message in unattended mode
https://fedorahosted.org/freeipa/ticket/3576
2013-04-24 13:33:49 -04:00
Rob Crittenden
bd89e49ed7 Handle socket.gethostbyaddr() exceptions when verifying hostnames.
Log any socket exceptions raised and let the process continue. This
failure isn't a show-stopper. Other checks past this will catch any
other problems.

This was seen when /etc/hosts and /etc/resolv.conf were both empty.

https://fedorahosted.org/freeipa/ticket/3581
2013-04-24 15:28:57 +02:00
Jan Cholasta
63e79a3d86 Add ipa-ca records for existing CA masters when installing DNS for the first time.
https://fedorahosted.org/freeipa/ticket/3564
2013-04-24 14:36:28 +02:00
Jan Cholasta
014f296274 Add DNS records for existing masters when installing DNS for the first time.
https://fedorahosted.org/freeipa/ticket/3564
2013-04-24 14:36:28 +02:00
Tomas Babej
40966cbe63 Avoid removing sss from nssswitch.conf during client uninstall
This patch makes sure that sss is not removed from nsswitch.conf
which causes probles with later uses of sssd. Makes sure that
authconfig with --disablesssd option is not executed during
ipa client uninstall.

https://fedorahosted.org/freeipa/ticket/3577
2013-04-23 16:14:25 -04:00
Tomas Babej
6e8d311dac Add hint message about --force-join option when enrollment fails
When client enrollment fails due to the fact that host entry
already exists on the server, display an message informing the
user about the possibility of using --force-join option.

https://fedorahosted.org/freeipa/ticket/3572
2013-04-23 16:11:31 -04:00
Ana Krivokapic
cc3c543265 Fix the spec file
Correct ownership for /etc/ipa and remove unnecessary %config directive.

https://fedorahosted.org/freeipa/ticket/3551
2013-04-22 11:46:59 +02:00
Ana Krivokapic
2a8f1b0b16 Handle missing /etc/ipa in ipa-client-install
Make sure /etc/ipa is created and owned by freeipa-python package.

Report correct error to user if /etc/ipa is missing during client installation.

https://fedorahosted.org/freeipa/ticket/3551
2013-04-19 10:57:07 -04:00
Petr Viktorin
9125285a05 Use two digits for each part of NUM_VERSION
https://fedorahosted.org/freeipa/ticket/3545
2013-04-19 10:55:05 -04:00
Ana Krivokapic
18149fadb6 Do not sort dictionaries in assert_deepequal utility function
Sorting lists of dictionaries in assert_deepequal was causing inconsistencies
in unit test execution. To fix this, do not sort lists if their elements are
dictionaries.

https://fedorahosted.org/freeipa/ticket/3562
2013-04-19 12:46:25 +02:00
Ana Krivokapic
4f47ac9d7f Improve help text for HBAC service groups
Remove the part of help text for HBAC service groups which contains
an example suggesting that nested groups are supported. Nested
groups are not supported in HBAC service groups.

https://fedorahosted.org/freeipa/ticket/3548
2013-04-18 17:29:07 -04:00
Jan Cholasta
692fe7cbf7 Use correct zone when removing DNS records of a master.
https://fedorahosted.org/freeipa/ticket/3563
2013-04-18 08:05:17 +02:00
Rob Crittenden
5484b32d13 Become 3.2.0 Beta 1 2013-04-16 11:06:36 -04:00
Martin Kosek
cbd00072fd Require new samba and krb5
Require samba 4.0.5 (passdb API changed). Make sure that we use the
right epoch number with samba so that the Requires is correctly
enforced.

Require krb5 1.11.2-1 to fix missing PAC issue.

Also fix backup dir permissions.
2013-04-16 11:05:19 -04:00
Tomas Babej
fe3ba33d26 Update only selected attributes for winsync agreement
Trying to insert nsDS5ReplicatedAttributeListTotal and
nsds5ReplicaStripAttrs to winsync agreements caused upgrade errors.
With this patch, these attributes are skipped for winsync agreements.

Made find_ipa_replication_agreements() in replication.py more
corresponding to find_replication_agreements. It returns list of
entries instead of unicode strings now.

https://fedorahosted.org/freeipa/ticket/3522
2013-04-16 10:05:43 -04:00
Ana Krivokapic
a730b6e7b5 Integrate realmdomains with IPA DNS
Add an entry to realmdomains when a DNS zone is added to IPA.
Delete the related entry from realmdomains when the DNS zone is deleted
from IPA.

Add _kerberos TXT record to DNS zone when a new realmdomain is added.
Delete _kerberos TXT record from DNS zone when realmdomain is deleted.

Add unit tests to cover new functionality.

https://fedorahosted.org/freeipa/ticket/3544
2013-04-16 15:50:24 +02:00
Petr Viktorin
e736e75ce9 Drop --selfsign server functionality
Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
Ticket: https://fedorahosted.org/freeipa/ticket/3494
2013-04-15 16:56:12 -04:00
Petr Viktorin
006ab23c6d Remove obsolete self-sign references from man pages, docstrings, comments
Part of the work for https://fedorahosted.org/freeipa/ticket/3494
2013-04-15 16:56:06 -04:00
Petr Viktorin
4e3c1051d0 Uninstall selfsign CA on upgrade
This will convert a master with a selfsign CA to a CA-less one in
ipa-upgradeconfig.
The relevant files are left in place and can be used to manage certs
manually.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
2013-04-15 16:55:27 -04:00
Jan Cholasta
fe00788bb4 Delete DNS records in ipa-ca on ipa-csreplica-manage del.
https://fedorahosted.org/freeipa/ticket/3547
2013-04-15 21:12:41 +02:00
Jan Cholasta
f684c6d6f8 Use A/AAAA records instead of CNAME records in ipa-ca.
https://fedorahosted.org/freeipa/ticket/3547
2013-04-15 21:12:36 +02:00
Petr Viktorin
ddeb1cea55 Update translations from Transifex 2013-04-15 18:46:27 +02:00
Tomas Babej
75f0801324 Add nfs:NONE to default PAC types only when needed
We need to add nfs:NONE as a default PAC type only if there's no
other default PAC type for nfs. Adds a update plugin which
determines whether default PAC type for nfs is set and adds
nfs:NONE PAC type accordingly.

https://fedorahosted.org/freeipa/ticket/3555
2013-04-15 14:46:21 +02:00
Petr Viktorin
b36380fff8 ipa-server-install: correct help text for --external_{cert,ca}_file
The options take PEM certificates, not PKCS#10.
This corrects both the --help output and the man page.

https://fedorahosted.org/freeipa/ticket/3523
2013-04-15 13:32:58 +02:00
Ana Krivokapic
b8b573a966 Deprecate HBAC source hosts from CLI
Hide the commands and options listed below from the CLI,
but keep them in the API. When called directly from the API,
raise appropriate exceptions informing the user that the
functionality has been deprecated.

Affected commands: hbacrule_add_sourcehost, hbacrule_remove_sourcehost.
Affected options: sourcehostcategory, sourcehost_host and
sourcehost_hostgroup (hbacrule); sourcehost (hbactest).

https://fedorahosted.org/freeipa/ticket/3528
2013-04-12 14:07:55 -04:00
Ana Krivokapic
d03255571c Remove any reference to HBAC source hosts from help
https://fedorahosted.org/freeipa/ticket/3528
2013-04-12 14:07:55 -04:00
Ana Krivokapic
39982f6696 Remove HBAC source hosts from web UI
https://fedorahosted.org/freeipa/ticket/3528
2013-04-12 14:07:55 -04:00