Nathaniel McCallum
68825e7ac6
Configure IPA OTP Last Token plugin on upgrade
...
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 10:18:47 +02:00
Petr Vobornik
d8f05d8841
webui: management of keytab permissions
...
https://fedorahosted.org/freeipa/ticket/4419
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-20 10:13:47 +02:00
Nathaniel McCallum
41bf0ba940
Create ipa-otp-counter 389DS plugin
...
This plugin ensures that all counter/watermark operations are atomic
and never decrement. Also, deletion is not permitted.
Because this plugin also ensures internal operations behave properly,
this also gives ipa-pwd-extop the appropriate behavior for OTP
authentication.
https://fedorahosted.org/freeipa/ticket/4493
https://fedorahosted.org/freeipa/ticket/4494
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 10:12:36 +02:00
Nathaniel McCallum
560606a991
Display token type when viewing token
...
When viewing a token from the CLI or UI, the type of the token
should be displayed.
https://fedorahosted.org/freeipa/ticket/4563
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 09:59:19 +02:00
Martin Kosek
e296137853
Update contributors
...
Add missing developers contributing to project git. Cancel "Past and
Occasional" section and merge the people in the right categories.
Update .mailmap so that the Developer list can be easily re-generated.
Reviewed-By: Gabe Alford <redhatrises@gmail.com>
2014-10-20 08:18:09 +02:00
Petr Vobornik
0a924603d0
webui: add new iduseroverride fields
...
- add gecos, gidnumber, loginshell, sshkeys fields
https://fedorahosted.org/freeipa/ticket/4617
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-17 15:57:11 +02:00
Petr Vobornik
43d3593873
webui: add link to OTP token app
...
- display info message which points user to FreeOTP project page
- the link or the text can be easily changed by a plugin if needed
https://fedorahosted.org/freeipa/ticket/4469
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-10-17 15:53:34 +02:00
Petr Vobornik
49fde3b047
idviews: error out if applying Default Trust View on hosts
...
https://fedorahosted.org/freeipa/ticket/4615
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-17 14:28:13 +02:00
Petr Vobornik
b69a8dad2e
tests: management of keytab permissions
...
https://fedorahosted.org/freeipa/ticket/4419
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-17 14:11:35 +02:00
Petr Vobornik
59ee6314af
keytab manipulation permission management
...
Adds new API:
ipa host-allow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-retrieve-keytab HOSTNAME --users=STR --groups STR
ipa host-allow-create-keytab HOSTNAME --users=STR --groups STR
ipa host-disallow-create-keytab HOSTNAME --users=STR --groups STR
ipa service-allow-retrieve-keytab PRINCIPAL --users=STR --groups STR
ipa service-disallow-retrieve-keytab PRINCIPAL --users=STR --groups STR
ipa service-allow-create-keytab PRINCIPAL --users=STR --groups STR
ipa service-disallow-create-keytab PRINCIPAL --users=STR --groups STR
These methods add or remove user or group DNs in `ipaallowedtoperform` attr with
`read_keys` and `write_keys` subtypes.
service|host-mod|show outputs these attrs only with --all option as:
Users allowed to retrieve keytab: user1
Groups allowed to retrieve keytab: group1
Users allowed to create keytab: user1
Groups allowed to create keytab: group1
Adding of object class is implemented as a reusable method since this code is
used in many places and most likely will be also used in new features. Older
code may be refactored later.
https://fedorahosted.org/freeipa/ticket/4419
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-17 14:11:35 +02:00
Petr Vobornik
6f81217c18
dns: fix privileges' memberof during dns install
...
Permissions with member attrs pointing to privileges are created before the privileges.
Run memberof plugin task to fix other ends of the relationships.
https://fedorahosted.org/freeipa/ticket/4637
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-17 14:08:37 +02:00
Jan Cholasta
608851d3f8
Check LDAP instead of local configuration to see if IPA CA is enabled
...
The check is done using a new hidden command ca_is_enabled.
https://fedorahosted.org/freeipa/ticket/4621
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-17 12:53:11 +02:00
Jan Cholasta
6227ebb0cd
Do not fix trust flags in the DS NSS DB in ipa-upgradeconfig
...
It is necessary to fix trust flags only in the HTTP NSS DB, as it is used as
a source in the upload_cacrt update plugin.
https://fedorahosted.org/freeipa/ticket/4621
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-17 12:53:11 +02:00
Jan Cholasta
cbb4caa350
Do not create ipa-pki-proxy.conf if CA is not configured in ipa-upgradeconfig
...
This fixes upgrade from CA-less to CA-full after IPA upgrade.
https://fedorahosted.org/freeipa/ticket/4621
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-17 12:53:11 +02:00
Martin Kosek
588e7bc899
Remove changetype attribute from update plugin
...
The attribute addition had no effect, but it should not be there.
2014-10-17 12:02:25 +02:00
Jan Cholasta
ca7e0c270f
Add ipa-client-install switch --request-cert to request cert for the host
...
The certificate is stored in /etc/ipa/nssdb under the nickname
"Local IPA host".
https://fedorahosted.org/freeipa/ticket/4550
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-16 19:11:52 +02:00
Jan Cholasta
4333a623da
Fix certmonger.request_cert
...
https://fedorahosted.org/freeipa/ticket/4550
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-16 19:11:52 +02:00
Jan Cholasta
fdc70e89e9
Fix CA cert validity check for CA-less and external CA installer options
...
https://fedorahosted.org/freeipa/ticket/4612
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-16 18:09:49 +02:00
Nathaniel McCallum
284792e7d8
Remove token vendor, model and serial defaults
...
These defaults are pretty useless and cause more confusion than
they are worth. The serial default never worked anyway. And now
that we are displaying the token type separately, there is no
reason to doubly record these data points.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-16 17:55:39 +02:00
Nathaniel McCallum
c5f7ca58a1
Remove token ID from self-service UI
...
Also, fix labels to properly use i18n strings for token types.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-16 17:53:27 +02:00
Martin Kosek
061f7ff331
Raise better error message for permission added to generated tree
...
https://fedorahosted.org/freeipa/ticket/4523
Reviewed-By: Thierry bordaz (tbordaz) <tbordaz@redhat.com>
2014-10-16 16:00:18 +02:00
Jan Cholasta
cf860c7154
Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install
...
The --ca-signing-algorithm option is available in ipa-server-install, make
it available in ipa-ca-install as well.
https://fedorahosted.org/freeipa/ticket/4447
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-16 13:33:40 +02:00
David Kupka
3f9d1a71f1
Fix typo causing certmonger to be provided with wrong path to ipa-submit.
...
Using strip() instead of split() caused only the first character of the path to be specified.
Also using shlex for more robust parsing.
https://fedorahosted.org/freeipa/ticket/4624
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-16 09:49:46 +02:00
David Kupka
47731f4584
Fix printing of reverse zones in ipa-dns-install.
...
This was forgotten in patch for ticket
https://fedorahosted.org/freeipa/ticket/3575
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-10-16 08:02:02 +02:00
David Kupka
c44f4dcbea
Stop dogtag when updating its configuration in ipa-upgradeconfig.
...
Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.
https://fedorahosted.org/freeipa/ticket/4569
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-15 09:12:11 +02:00
Martin Basti
7ad70025eb
Make named.conf template platform independent
...
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00
Martin Basti
97195eb07c
Add missing attributes to named.conf
...
Ticket: https://fedorahosted.org/freeipa/ticket/3801#comment:31
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00
Ludwig Krispenz
08c3fe17ef
Ignore irrelevant subtrees in schema compat plugin
...
For changes in cn=changelog or o=ipaca the schema compat plugin doesn't need to be
executed. It saves many internal searches and reduces contribution to lock
contention across backends in DS.
https://fedorahosted.org/freeipa/ticket/4586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-10-14 11:00:43 +02:00
David Kupka
c8f7cb0163
Set IPA CA for freeipa certificates.
...
In previous versions (before moving certmonger.py to DBus) it was set and some
tools and modules depend on it. For example: ipa-getcert uses this to filter
freeipa certificates.
https://fedorahosted.org/freeipa/ticket/4618
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-14 10:55:29 +02:00
Jan Cholasta
4cdeacdedf
Support MS CS as the external CA in ipa-server-install and ipa-ca-install
...
Added a new option --external-ca-type which specifies the type of the
external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs"
is selected, the CSR generated for the IPA CA will include MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".
https://fedorahosted.org/freeipa/ticket/4496
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-13 12:18:09 +02:00
Alexander Bokovoy
9fcc9a0163
Require slapi-nis 0.54 or later for ID views support
...
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
6637449ad2
Update API version for ID views support
...
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
5ec23ccb5f
Allow override of gecos field in ID views
...
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
b50524b10c
Allow user overrides to specify GID of the user
...
Resolves https://fedorahosted.org/freeipa/ticket/4617
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
ca42d3469a
Allow user overrides to specify SSH public keys
...
Overrides for users can have SSH public keys. This, however, will not enable
SSH public keys from overrides to be actually used until SSSD gets fixed to
pull them in.
SSSD ticket for SSH public keys in overrides:
https://fedorahosted.org/sssd/ticket/2454
Resolves https://fedorahosted.org/freeipa/ticket/4509
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
63be2ee9f0
Support overriding user shell in ID views
...
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
David Kupka
35c7bd05af
Check that port 8443 is available when installing PKI.
...
https://fedorahosted.org/freeipa/ticket/4564
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-10 11:57:44 +02:00
Jan Cholasta
92a08266af
Fix certmonger configuration in installer code
...
https://fedorahosted.org/freeipa/ticket/4619
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-10 08:48:25 +02:00
Jan Cholasta
cf956fa998
Support building RPMs for RHEL/CentOS 7.0
...
https://fedorahosted.org/freeipa/ticket/4562
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-09 15:37:24 +02:00
Jan Cholasta
8abc183996
Add RHEL platform module
...
https://fedorahosted.org/freeipa/ticket/4562
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-09 15:37:24 +02:00
Jan Cholasta
308d2dd406
Split off generic Red Hat-like platform code from Fedora platform code
...
https://fedorahosted.org/freeipa/ticket/4562
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-09 15:37:24 +02:00
Martin Basti
57c510dcc7
Fix ipactl service ordering
...
Ipactl sorted service start order as string, which causes a service with start order
100 to start before a service with start order 30.
Patch fixes ipactl to use integers for ordering.
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-09 12:52:31 +02:00
Gabe
7b7567aabf
Missing requires on python-dns in spec file
...
- Updated to required python-dns version 1.11.1
https://fedorahosted.org/freeipa/ticket/4613
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-10-09 10:11:56 +02:00
Martin Basti
41015e6c9c
DNS missing tests
...
* try to remove non-existent permission
* try to remove idnssoamname using dnszone-mod --name-server=
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-09 10:02:22 +02:00
David Kupka
f36794e811
Fix example usage in ipa man page.
...
https://fedorahosted.org/freeipa/ticket/4587
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-10-08 09:52:08 +02:00
Jan Cholasta
8e602eaf46
Remove misleading authorization error message in cert-request with --add
...
https://fedorahosted.org/freeipa/ticket/4540
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-08 09:21:37 +02:00
Petr Viktorin
0cdaf2c48f
sudo integration test: Remove the local user test
...
SSSD does not support sudo rules for local users;
these should be added in a local sudoers file.
https://fedorahosted.org/freeipa/ticket/4608
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-03 14:19:42 +02:00
Petr Vobornik
81e4cac5cd
webui-ci: adjust dnszone-add test to recent DNS changes
...
'idnssoamname', 'ip_address' and 'force' fields were removed from DNS zone adder dialog in #4149
https://fedorahosted.org/freeipa/ticket/4604
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-03 12:21:16 +02:00
Petr Viktorin
cc085d1d4c
backup/restore: Add files from /etc/ipa/nssdb
...
Add files from /etc/ipa/nssdb (IPA_NSSDB_DIR), which is now used
instead of /etc/pki/nssdb (NSS_DB_DIR).
The old location is still supported.
https://fedorahosted.org/freeipa/ticket/4597
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-02 13:53:55 +02:00
Petr Viktorin
21276e8a3f
test_forced_client_reenrollment: Don't check for host certificates
...
Since ticket 4449 we no longer generate host certificates by default.
Check that they are not present.
https://fedorahosted.org/freeipa/ticket/4601
2014-10-02 11:55:04 +02:00