Jan Cholasta
cf860c7154
Allow specifying signing algorithm of the IPA CA cert in ipa-ca-install
...
The --ca-signing-algorithm option is available in ipa-server-install, make
it available in ipa-ca-install as well.
https://fedorahosted.org/freeipa/ticket/4447
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-16 13:33:40 +02:00
David Kupka
3f9d1a71f1
Fix typo causing certmonger is provided with wrong path to ipa-submit.
...
Using strip() instead of split() caused only the first character of the path to be specified.
Also using shlex for more robust parsing.
https://fedorahosted.org/freeipa/ticket/4624
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-16 09:49:46 +02:00
David Kupka
47731f4584
Fix printing of reverse zones in ipa-dns-install.
...
This was forgotten in patch for ticket
https://fedorahosted.org/freeipa/ticket/3575
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-10-16 08:02:02 +02:00
David Kupka
c44f4dcbea
Stop dogtag when updating its configuration in ipa-upgradeconfig.
...
Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.
https://fedorahosted.org/freeipa/ticket/4569
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-15 09:12:11 +02:00
Martin Basti
7ad70025eb
Make named.conf template platform independent
...
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00
Martin Basti
97195eb07c
Add missing attributes to named.conf
...
Ticket: https://fedorahosted.org/freeipa/ticket/3801#comment:31
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00
Ludwig Krispenz
08c3fe17ef
Ignore irrelevant subtrees in schema compat plugin
...
For changes in cn=changelog or o=ipaca the schema compat plugin doesn't need to be
executed. It saves many internal searches and reduces contribution to lock
contention across backends in DS.
https://fedorahosted.org/freeipa/ticket/4586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-10-14 11:00:43 +02:00
David Kupka
c8f7cb0163
Set IPA CA for freeipa certificates.
...
In previous versions (before moving certmonger.py to DBus) it was set and some
tools and modules depend on it. For example: ipa-getcert uses this to filter
freeipa certificates.
https://fedorahosted.org/freeipa/ticket/4618
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-14 10:55:29 +02:00
Jan Cholasta
4cdeacdedf
Support MS CS as the external CA in ipa-server-install and ipa-ca-install
...
Added a new option --external-ca-type which specifies the type of the
external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs"
is selected, the CSR generated for the IPA CA will include MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".
https://fedorahosted.org/freeipa/ticket/4496
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-13 12:18:09 +02:00
Alexander Bokovoy
9fcc9a0163
Require slapi-nis 0.54 or later for ID views support
...
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
6637449ad2
Update API version for ID views support
...
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
5ec23ccb5f
Allow override of gecos field in ID views
...
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
b50524b10c
Allow user overrides to specify GID of the user
...
Resolves https://fedorahosted.org/freeipa/ticket/4617
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
ca42d3469a
Allow user overrides to specify SSH public keys
...
Overrides for users can have SSH public keys. This, however, will not enable
SSH public keys from overrides to be actually used until SSSD gets fixed to
pull them in.
SSSD ticket for SSH public keys in overrides:
https://fedorahosted.org/sssd/ticket/2454
Resolves https://fedorahosted.org/freeipa/ticket/4509
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
Alexander Bokovoy
63be2ee9f0
Support overriding user shell in ID views
...
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-10-13 12:08:50 +02:00
David Kupka
35c7bd05af
Check that port 8443 is available when installing PKI.
...
https://fedorahosted.org/freeipa/ticket/4564
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-10 11:57:44 +02:00
Jan Cholasta
92a08266af
Fix certmonger configuration in installer code
...
https://fedorahosted.org/freeipa/ticket/4619
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-10 08:48:25 +02:00
Jan Cholasta
cf956fa998
Support building RPMs for RHEL/CentOS 7.0
...
https://fedorahosted.org/freeipa/ticket/4562
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-09 15:37:24 +02:00
Jan Cholasta
8abc183996
Add RHEL platform module
...
https://fedorahosted.org/freeipa/ticket/4562
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-09 15:37:24 +02:00
Jan Cholasta
308d2dd406
Split off generic Red Hat-like platform code from Fedora platform code
...
https://fedorahosted.org/freeipa/ticket/4562
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-09 15:37:24 +02:00
Martin Basti
57c510dcc7
Fix ipactl service ordering
...
Ipactl sorted service start order as string, which causes a service with start order
100 to start before a service with start order 30.
Patch fixes ipactl to use integers for ordering.
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-09 12:52:31 +02:00
Gabe
7b7567aabf
Missing requires on python-dns in spec file
...
- Updated to required python-dns version 1.11.1
https://fedorahosted.org/freeipa/ticket/4613
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-10-09 10:11:56 +02:00
Martin Basti
41015e6c9c
DNS missing tests
...
* try to remove non-existent permission
* try to remove idnssoamname using dnszone-mod --name-server=
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-09 10:02:22 +02:00
David Kupka
f36794e811
Fix example usage in ipa man page.
...
https://fedorahosted.org/freeipa/ticket/4587
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-10-08 09:52:08 +02:00
Jan Cholasta
8e602eaf46
Remove misleading authorization error message in cert-request with --add
...
https://fedorahosted.org/freeipa/ticket/4540
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-08 09:21:37 +02:00
Petr Viktorin
0cdaf2c48f
sudo integration test: Remove the local user test
...
SSSD does not support sudo rules for local users;
these should be added in a local sudoers file.
https://fedorahosted.org/freeipa/ticket/4608
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-03 14:19:42 +02:00
Petr Vobornik
81e4cac5cd
webui-ci: adjust dnszone-add test to recent DNS changes
...
'idnssoamname', 'ip_address' and 'force' fields were removed from DNS zone adder dialog in #4149
https://fedorahosted.org/freeipa/ticket/4604
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-03 12:21:16 +02:00
Petr Viktorin
cc085d1d4c
backup/restore: Add files from /etc/ipa/nssdb
...
Add files from /etc/ipa/nssdb (IPA_NSSDB_DIR), which is now used
instead of /etc/pki/nssdb (NSS_DB_DIR).
The old location is still supported.
https://fedorahosted.org/freeipa/ticket/4597
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-02 13:53:55 +02:00
Petr Viktorin
21276e8a3f
test_forced_client_reenrollment: Don't check for host certificates
...
Since ticket 4449 we no longer generate host certificates by default.
Check that they are not present.
https://fedorahosted.org/freeipa/ticket/4601
2014-10-02 11:55:04 +02:00
Martin Kosek
3b8a7883de
Sudorule RunAsUser should work with external groups
...
https://fedorahosted.org/freeipa/ticket/4600
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-10-02 11:06:47 +02:00
Petr Viktorin
3eca0ff2fe
test_service_plugin: Do not lowercase memberof_role
...
This adjusts the test for the change in commit 792c3f9c8c
Related ticket: https://fedorahosted.org/freeipa/ticket/4192
2014-10-01 12:43:40 +02:00
Francesco Marella
f5b302be47
Refactor selinuxenabled check
...
Ticket: https://fedorahosted.org/freeipa/ticket/4571
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2014-09-30 19:03:40 +02:00
Nathaniel McCallum
915837c14a
Move OTP synchronization step to after counter writeback
...
This prevents synchronization when an authentication collision occurs.
https://fedorahosted.org/freeipa/ticket/4493
Reviewed-By: Thierry bordaz (tbordaz) <tbordaz@redhat.com>
2014-09-30 16:19:06 +02:00
Petr Viktorin
9ba33971fa
VERSION,Makefile: Rename "pre" to "alpha"
...
Last time (2.1) we used "Preview/Testing" for the pre-beta release,
but the Git tags were still named alpha_*.
Use "alpha", remove "pre".
2014-09-30 13:24:26 +02:00
Tomas Babej
00457a9c10
idviews: Fix typo in upgrade handling of the Default Trust View
...
Fixed missing comma. Also removes leading spaces from the ldif,
since this is not stripped by the updater.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-30 11:49:53 +02:00
Petr Vobornik
00d598bab0
webui: add link from host to idview
...
https://fedorahosted.org/freeipa/ticket/4535
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-09-30 10:47:03 +02:00
Petr Vobornik
0e76bc1cb6
webui: list only not-applied hosts in "apply to host" dialog
...
https://fedorahosted.org/freeipa/ticket/4535
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-09-30 10:47:03 +02:00
Petr Vobornik
2cc78acf9b
webui: facet group labels for idview's facets
...
https://fedorahosted.org/freeipa/ticket/4535
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-09-30 10:47:03 +02:00
Petr Vobornik
ae5a34cbbc
webui: new ID views section
...
https://fedorahosted.org/freeipa/ticket/4535
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-09-30 10:47:03 +02:00
Petr Vobornik
749101db74
webui: add simple link column support
...
Usual link columns are link with primary key of current entity.
This patch allows to create a link to arbitrary non-nested entity.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-09-30 10:47:03 +02:00
Petr Vobornik
8b0e2ed991
webui: allow to skip link widget link validation
...
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-09-30 10:47:03 +02:00
Petr Vobornik
27196b92c6
webui: do not show internal facet name to user
...
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-09-30 10:47:03 +02:00
Petr Vobornik
26bd309c96
webui: treat value as pkey in link widget
...
Current default mechanism of a link widget assumes that pkeys of a current facet are pkeys for the link. It works for the only usage - in password policy. It's rather inflexible since it can't be used if the keys are in other attribute. This behavior is also bad in nested entities - creates a link to itself which is pointless.
This patch changes the default behavior to assume that the supplied value are the pkeys and that the last pkey is the value to display.
It also keeps the old method of overriding `other_pkeys` method so if the last and only pkey is the actual value to display then the method can transform it into the pkeys which keeps compatibility with descendant widgets (`host_dnsrecord_entity_link_widget`, `dnsrecord_host_link_widget`).
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-09-30 10:47:03 +02:00
Petr Vobornik
15b6ed6705
webui: improve breadcrumb navigation
...
Fixes issue when:
- user navigates to a nested facet
- refreshes browser
- uses breadcrumb navigation to go to parent entity page which requires a pkey. E.g. from automount keys to maps.
The old code relies on the facet, that user visited the parent facet before and therefore the facet has pkey stored. It fails after the browser reload.
Allows to specify a containing_facet. It allows breadcrumb navigation to return to a different facet than the 'default'.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-09-30 10:47:03 +02:00
Tomas Babej
2a230b6cc1
idviews: Create Default Trust View for upgraded servers
...
For upgraded servers with enabled AD trust support, we want to
ensure that Default Trust View entry is created.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
51816930a6
idviews: Make sure only regular IPA objects are allowed to be overridden
...
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
902655da59
idviews: Display the list of hosts when using --all
...
Enumerating hosts is a potentially expensive operation (uses paged
search to list all the hosts the ID view applies to). Show the list
of the hosts only if explicitly asked for (or asked for --all).
Do not display with --raw, since this attribute does not exist in
LDAP.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
47268575c9
idviews: Catch errors on unsuccessful AD object lookup when resolving object name to anchor
...
When resolving non-existent objects, domain validator will raise ValidationError. We need
to anticipate and properly handle this case.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
dbf8d97ecf
idviews: Make sure the dict.get method is not abused for MUST attributes
...
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
13089eae52
idviews: Handle Default Trust View properly in the framework
...
Make sure that:
1.) IPA users cannot be added to the Default Trust View
2.) Default Trust View cannot be deleted or renamed
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00