Tomas Babej
faec4ef9de
certs: Fix incorrect flag handling in load_cacert
...
For CA certificates that are not certificates of the IPA CA, we incorrectly
set the trust flags to ",,", regardless of what trust_flags parameter was
actually passed.
Make the load_cacert method respect trust_flags and make it a required
argument.
https://fedorahosted.org/freeipa/ticket/4779
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-12-02 14:44:42 +00:00
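The commit above is about trust flags in the certutil format (three comma-separated fields for SSL, S/MIME and object signing; ",," means no trust at all). The following is an added example, not FreeIPA code: a small parser/validator for that format, plus a before/after sketch of load_cacert that shows what hard-coding ",," costs the caller. The function names and the returned certutil argument list are assumptions for the demo.

```python
# Added example, not FreeIPA code: parse and validate NSS certutil-style
# trust-flag strings such as "CT,C,C" (IPA CA) or ",," (no trust).

# Trust attribute characters accepted by "certutil -t" (the commonly used subset).
VALID_FLAG_CHARS = frozenset("pPcCTuw")
# The three comma-separated fields, in order: SSL, S/MIME (email), object signing.
USAGES = ("ssl", "email", "object_signing")


def parse_trust_flags(flags):
    """Split a certutil trust string into {usage: set(chars)}; ValueError if malformed."""
    parts = flags.split(",")
    if len(parts) != len(USAGES):
        raise ValueError("trust flags need exactly three comma-separated fields: %r" % (flags,))
    parsed = {}
    for usage, field in zip(USAGES, parts):
        unknown = set(field) - VALID_FLAG_CHARS
        if unknown:
            raise ValueError("unknown trust flag(s) %s in %r" % (sorted(unknown), flags))
        parsed[usage] = set(field)
    return parsed


def is_trusted_ca(flags, usage="ssl"):
    """True when the certificate is a trusted CA for `usage` ('C' or 'T' present)."""
    return bool(parse_trust_flags(flags)[usage] & {"C", "T"})


def load_cacert_before_fix(nickname, trust_flags=None):
    """Behaviour described in the commit message: non-IPA CAs always ended up with ",,"."""
    return (nickname, ",,")


def load_cacert_after_fix(nickname, trust_flags):
    """trust_flags is now required and is validated before it reaches the NSS database.

    Returns the (nickname, flags) pair plus the certutil arguments that would be
    run (hypothetical: the real code passes dbdir, input file, etc. as well).
    """
    parse_trust_flags(trust_flags)
    argv = ["certutil", "-A", "-n", nickname, "-t", trust_flags]
    return (nickname, trust_flags, argv)


if __name__ == "__main__":
    print(is_trusted_ca(load_cacert_before_fix("External CA", "CT,C,C")[1]))  # False
    print(is_trusted_ca(load_cacert_after_fix("External CA", "CT,C,C")[1]))   # True
```

The practical check this enables: after adding a CA, confirm the flags you asked for are the flags stored; a CA silently imported with ",," is not trusted for anything, so chain validation for certificates it issued fails later with an unhelpful error.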
Gabe
5f223a89ad
Update default NTP configuration
...
- Add in missing 4th default ntp server
- Add iburst to configuration
https://fedorahosted.org/freeipa/ticket/4583
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-12-02 12:36:03 +01:00
David Kupka
3a6d714bb2
Use singular in help metavars + update man pages.
...
https://fedorahosted.org/freeipa/ticket/4695
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-11-26 14:33:23 +01:00
Martin Basti
c13862104a
Fix zonemgr option encoding detection
...
Ticket: https://fedorahosted.org/freeipa/ticket/4766
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-25 13:15:44 +00:00
Jan Cholasta
bef1d18878
Add TLS 1.2 to the protocol list in mod_nss config
...
https://fedorahosted.org/freeipa/ticket/4653
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-11-25 12:44:13 +01:00
Alexander Bokovoy
ed3dddab87
AD trust: improve trust validation
...
Trust validation requires the AD DC to contact the IPA server to verify that the trust account
actually works. It can fail due to a DNS or firewall issue, or, if the AD DC was able to
resolve IPA master(s) via SRV records, it may still contact a replica that has
no trust data replicated yet.
In case the AD DC still returns 'access denied', wait 5 seconds and try validation again.
Repeat validation until we hit a limit of 10 attempts, at which point raise an
exception telling what's happening.
https://fedorahosted.org/freeipa/ticket/4764
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-11-25 12:23:17 +01:00
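The retry policy described in that commit (wait 5 seconds, up to 10 attempts, then raise an explanatory error) written out as a reusable function. This is an added example, not FreeIPA code: AccessDenied, the validator callable and the simulated "replica without trust data yet" are stand-ins for the real Samba/AD calls, and the sleep function is injectable so the behaviour can be exercised without waiting.

```python
# Added example, not FreeIPA code: retry trust validation only on the
# 'access denied' outcome, bounded by an attempt limit, then fail loudly.
import time


class AccessDenied(Exception):
    """Stand-in for the 'access denied' status returned by the AD DC."""


class TrustValidationError(Exception):
    """Raised when the DC still refuses after every attempt."""


def validate_trust_with_retry(validate, attempts=10, delay=5, sleep=time.sleep):
    """Call validate() until it succeeds; on AccessDenied wait `delay` seconds and retry.

    Returns the 1-based attempt number that succeeded. Any other exception
    (DNS failure, connection refused) propagates immediately, because retrying
    will not fix it and hiding it would only delay the real diagnosis.
    """
    last_error = None
    for attempt in range(1, attempts + 1):
        try:
            validate()
            return attempt
        except AccessDenied as exc:
            last_error = exc
        if attempt < attempts:
            sleep(delay)
    raise TrustValidationError(
        "AD DC still returned 'access denied' after %d attempts %d s apart; "
        "check that the DC can reach this server (DNS, firewall) and that the "
        "IPA replica it resolved via SRV records already has the trust data "
        "replicated (last error: %s)" % (attempts, delay, last_error))


def make_replicating_dc(ready_after):
    """Constructed simulator: the DC lands on a replica without trust data for
    the first `ready_after` calls and succeeds once replication has caught up."""
    state = {"calls": 0}

    def validate():
        state["calls"] += 1
        if state["calls"] <= ready_after:
            raise AccessDenied("NT_STATUS_ACCESS_DENIED")
        return True

    return validate


if __name__ == "__main__":
    # sleep replaced so the demo runs instantly; prints 4
    print(validate_trust_with_retry(make_replicating_dc(3), sleep=lambda s: None))
```

Two design points worth keeping when adapting this: retry only on the status that replication lag actually produces, and put the likely causes into the final error text, since by the time it fires the operator has already waited most of a minute.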
Martin Basti
230df95ed9
Fix detection of encoding in zonemgr option
...
Ticket: https://fedorahosted.org/freeipa/ticket/4762
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-24 13:20:35 +00:00
Jan Cholasta
aa9ecb253a
Stop tracking certificates before restoring them in ipa-restore
...
https://fedorahosted.org/freeipa/ticket/4727
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-11-21 16:29:51 +01:00
David Kupka
373bbee4e3
ipa-restore: Check if directory is provided + better errors.
...
https://fedorahosted.org/freeipa/ticket/4683
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-11-21 15:19:56 +01:00
Jan Cholasta
71c4d3e979
Use correct service name in cainstance.backup_config
...
https://fedorahosted.org/freeipa/ticket/4754
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-11-21 13:22:11 +01:00
Petr Viktorin
b64f91fb43
dogtag plugin: Don't use doctest syntax for non-doctest examples
...
https://fedorahosted.org/freeipa/ticket/4610
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-11-21 12:14:44 +01:00
Martin Basti
7de424f425
Fix: read_ip_addresses should return ipaddr object
...
Interactive prompt callback returns list of str instead of CheckedIPAddress
instances.
Ticket: https://fedorahosted.org/freeipa/ticket/4747
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-21 08:54:17 +00:00
Petr Vobornik
a3c799f2f4
restore: clear httpd ccache after restore
...
so that the httpd ccache won't contain old credentials, which would make the ipa CLI fail with the error:
Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)
https://fedorahosted.org/freeipa/ticket/4726
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-20 16:43:26 +01:00
Jan Cholasta
3d1e9813e6
Restore file extended attributes and SELinux context in ipa-restore
...
https://fedorahosted.org/freeipa/ticket/4712
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-20 16:43:26 +01:00
Nathaniel McCallum
3c900ba7a8
Enable QR code display by default in otptoken-add
...
This is possible because python-qrcode's output now fits in a standard
terminal. Also, update ipa-otp-import and otptoken-add-yubikey to
disable QR code output as it doesn't make sense in these contexts.
https://fedorahosted.org/freeipa/ticket/4703
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-11-19 14:26:00 +01:00
Martin Basti
d2ffd17617
Fix: zonemgr must be unicode value
...
To support IDNA, the --zonemgr option must be unicode, not ascii.
https://fedorahosted.org/freeipa/ticket/4724
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-19 13:37:48 +01:00
Martin Basti
7c176b708e
Fix named working directory permissions
...
Just adding the dir to the specfile doesn't work, because there is no guarantee that
named is installed during RPM installation.
Ticket: https://fedorahosted.org/freeipa/ticket/4716
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-18 18:49:42 +00:00
Martin Basti
f62c7843ff
Fix upgrade referint plugin
...
Mixing 'Old' and 'New' attr style for the referential integrity plugin causes errors.
Now old settings are migrated to new-style settings before upgrade.
Ticket: https://fedorahosted.org/freeipa/ticket/4622
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-13 13:26:34 +01:00
Martin Basti
40ea328a78
Fix: DNS policy upgrade raises assertion error
...
Ticket: https://fedorahosted.org/freeipa/ticket/4708
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-13 12:12:28 +00:00
Martin Basti
a7162e7766
Fix: DNS installer adds invalid zonemgr email
...
The installer adds zonemgr as a relative (and invalid) address.
This fix forces the installer to use an absolute email.
Ticket: https://fedorahosted.org/freeipa/ticket/4707
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-13 10:36:28 +00:00
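Several commits in this list touch the --zonemgr option: it must be an absolute mailbox rather than a relative one (this commit), it must be a unicode value so that IDNA domains work (d2ffd17617), and its encoding detection was fixed twice (230df95ed9, c13862104a). The following added example, not FreeIPA code, writes out what those requirements amount to: a bare local part such as "hostmaster" is rejected as relative, an absolute mailbox is turned into the SOA RNAME form of RFC 1035 section 3.3.13 ('@' becomes '.', dots inside the local part are escaped), and a non-ASCII domain is IDNA-encoded with the standard-library codec. The "hostmaster@<zone>" default is an assumption for the demo; on Python 3 the str type is already unicode, which is what the unicode fix required.

```python
# Added example, not FreeIPA code: validate a zonemgr mailbox and render it as
# an SOA RNAME, handling relative addresses, dotted local parts and IDNA domains.


def split_zonemgr(zonemgr):
    """Return (local_part, domain); raise ValueError for a relative address."""
    if not isinstance(zonemgr, str):  # str is unicode on Python 3, as the IDNA fix requires
        raise TypeError("zonemgr must be a unicode string, got %r" % type(zonemgr).__name__)
    if "@" not in zonemgr:
        raise ValueError("zonemgr %r is relative; an absolute mailbox (user@domain) is required"
                         % zonemgr)
    local, domain = zonemgr.rsplit("@", 1)
    if not local or not domain:
        raise ValueError("zonemgr %r is missing the local part or the domain" % zonemgr)
    return local, domain.rstrip(".")


def default_zonemgr(zone):
    """Assumed default: the conventional hostmaster mailbox in the zone being created."""
    return "hostmaster@%s" % zone


def zonemgr_to_rname(zonemgr):
    """RFC 1035 3.3.13: RNAME is the mailbox with '@' replaced by '.', dots in the
    local part escaped, written as an absolute (trailing dot) domain name."""
    local, domain = split_zonemgr(zonemgr)
    local_escaped = local.replace(".", "\\.")
    # RFC 3490 IDNA (ToASCII per label) via the standard-library codec.
    domain_ascii = domain.encode("idna").decode("ascii")
    return "%s.%s." % (local_escaped, domain_ascii)


if __name__ == "__main__":
    print(zonemgr_to_rname(default_zonemgr("ipa.example.test")))
    print(zonemgr_to_rname("john.doe@münchen.example"))
```

The escaping step matters for the check in the earlier "zonemgr must be unicode" fix as well: an email whose local part contains a dot would otherwise be read back as a different mailbox, and an IDNA label that was never encoded is not a valid owner name for the SOA record at all.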
Jan Cholasta
2639997dfe
Fix CA certificate backup and restore
...
Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit.
Create /etc/ipa/nssdb after restore if necessary.
https://fedorahosted.org/freeipa/ticket/4711
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-11 16:13:52 +01:00
Petr Vobornik
61d98bdc59
ldapupdater: set baserid to 0 for ipa-ad-trust-posix ranges
...
New updater plugin which sets baserid to 0 for ranges with type ipa-ad-trust-posix
https://fedorahosted.org/freeipa/ticket/4221
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-11-11 10:56:16 +01:00
Petr Viktorin
a8e2a242be
ipa-restore: Don't crash if AD trust is not installed
...
https://fedorahosted.org/freeipa/ticket/4668
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-11 09:54:29 +00:00
Martin Basti
730f33680b
Fix upgrade: do not use invalid ldap connection
...
Ticket: https://fedorahosted.org/freeipa/ticket/4670
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-11-06 10:45:16 +01:00
Jan Cholasta
2cf0f0a658
Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage
...
This should not normally happen, but if it does, report an error instead of
waiting indefinitely for the certificate to appear.
https://fedorahosted.org/freeipa/ticket/4629
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-05 15:26:42 +01:00
David Kupka
364d466fd7
Respect UID and GID soft static allocation.
...
https://fedoraproject.org/wiki/Packaging:UsersAndGroups?rd=Packaging/UsersAndGroups#Soft_static_allocation
https://fedorahosted.org/freeipa/ticket/4585
Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-11-05 15:22:51 +01:00
Endi S. Dewata
0b08043c37
Fixed KRA backend.
...
The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to a permission issue. The kra_host() is removed for now since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.
The KRA installer has been modified to use Dogtag's CLI to create
KRA agent and setup the client authentication.
The proxy settings have been updated to include KRA's URLs.
Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.
The Dogtag dependency has been updated to 10.2.1-0.1.
https://fedorahosted.org/freeipa/ticket/4503
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-04 16:33:16 +01:00
Gabe
7eca640ffa
Remove trivial path constants from modules
...
https://fedorahosted.org/freeipa/ticket/4399
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-11-04 12:57:01 +01:00
Martin Basti
5e1172f560
fix forwarder validation errors
...
Fix tests, validation in dnsconfig mod, wuser warning
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-21 15:55:09 +02:00
Alexander Bokovoy
20761f7fcd
Default to use TLSv1.0 and TLSv1.1 on the IPA server side
...
We will only be changing the setting on install.
For modifying existing configurations please follow the instructions
at https://access.redhat.com/solutions/1232413
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-21 15:54:02 +02:00
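Both this commit and bef1d18878 ("Add TLS 1.2 to the protocol list in mod_nss config") come down to editing the NSSProtocol directive in the mod_nss configuration, and the commit message notes that existing installs are not touched automatically. The following added example, not FreeIPA code, shows the kind of check-and-rewrite an upgrade script or an operator can run against nss.conf text: report which protocols are enabled, flag SSLv2/SSLv3, and rewrite the directive to the TLS 1.0 through 1.2 list. The sample configuration excerpt is constructed for the demo; the directive name NSSProtocol is mod_nss's own.

```python
# Added example, not FreeIPA code: inspect and rewrite the NSSProtocol directive
# in an nss.conf text so that only TLS 1.0-1.2 are enabled.
import re

# First NSSProtocol directive on a line; group 2 is the protocol list.
NSS_PROTOCOL_RE = re.compile(r"^([ \t]*NSSProtocol[ \t]+)([^\r\n]*?)([ \t]*)$", re.MULTILINE)
WEAK = frozenset({"SSLv2", "SSLv3"})
WANTED = ("TLSv1.0", "TLSv1.1", "TLSv1.2")


def enabled_protocols(conf_text):
    """List of protocols named by the NSSProtocol directive, or None if absent."""
    match = NSS_PROTOCOL_RE.search(conf_text)
    if match is None:
        return None
    return [p.strip() for p in match.group(2).split(",") if p.strip()]


def weak_protocols(conf_text):
    """Sorted list of SSLv2/SSLv3 entries still enabled (empty when clean)."""
    return sorted(WEAK & set(enabled_protocols(conf_text) or []))


def set_protocols(conf_text, protocols=WANTED):
    """Rewrite the NSSProtocol directive to exactly `protocols`, preserving indentation."""
    if WEAK & set(protocols):
        raise ValueError("refusing to enable %s" % sorted(WEAK & set(protocols)))

    def repl(match):
        return match.group(1) + ",".join(protocols) + match.group(3)

    new_text, count = NSS_PROTOCOL_RE.subn(repl, conf_text, count=1)
    if count == 0:
        raise ValueError("no NSSProtocol directive found; add one rather than relying on defaults")
    return new_text


# Constructed excerpt standing in for /etc/httpd/conf.d/nss.conf on an old install.
SAMPLE_NSS_CONF = """\
NSSEngine on
NSSProtocol SSLv3,TLSv1.0
NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha
"""


if __name__ == "__main__":
    print("weak:", weak_protocols(SAMPLE_NSS_CONF))
    print(set_protocols(SAMPLE_NSS_CONF))
```

After rewriting, the service still has to be restarted for the new directive to take effect, and the same audit is worth repeating after any package upgrade that ships a new nss.conf.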
Martin Basti
3eec7e1f53
fix DNSSEC restore named state
...
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-21 15:52:47 +02:00
Alexander Bokovoy
eb4d559f3b
updater: enable uid uniqueness plugin for posixAccounts
...
https://fedorahosted.org/freeipa/ticket/4636
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-21 13:46:55 +02:00
Martin Basti
49547a54dd
DNSSEC: add files to backup
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
8f2f5dfbdf
DNSSEC: modify named service to support dnssec
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
ca030a089f
DNSSEC: validate forwarders
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
30bc3a55cf
DNSSEC: platform paths and services
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
9101cfa60f
DNSSEC: opendnssec services
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
eb54814741
DNSSEC: DNS key synchronization daemon
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
9184d9a1bb
DNSSEC: schema
...
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417
Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
78018dd67d
Add mask, unmask methods for service
...
This patch allows masking and unmasking services in IPA.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Alexander Bokovoy
bd98ab0356
Support idviews in compat tree
...
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-10-20 16:47:49 +02:00
Nathaniel McCallum
68825e7ac6
Configure IPA OTP Last Token plugin on upgrade
...
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 10:18:47 +02:00
Petr Vobornik
6f81217c18
dns: fix privileges' memberof during dns install
...
Permissions with member attrs pointing to privileges are created before the privileges.
Run memberof plugin task to fix other ends of the relationships.
https://fedorahosted.org/freeipa/ticket/4637
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-17 14:08:37 +02:00
Jan Cholasta
608851d3f8
Check LDAP instead of local configuration to see if IPA CA is enabled
...
The check is done using a new hidden command ca_is_enabled.
https://fedorahosted.org/freeipa/ticket/4621
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-17 12:53:11 +02:00
David Kupka
c44f4dcbea
Stop dogtag when updating its configuration in ipa-upgradeconfig.
...
Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.
https://fedorahosted.org/freeipa/ticket/4569
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-10-15 09:12:11 +02:00
Martin Basti
7ad70025eb
Make named.conf template platform independent
...
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00
Martin Basti
97195eb07c
Add missing attributes to named.conf
...
Ticket: https://fedorahosted.org/freeipa/ticket/3801#comment:31
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00
Jan Cholasta
4cdeacdedf
Support MS CS as the external CA in ipa-server-install and ipa-ca-install
...
Added a new option --external-ca-type which specifies the type of the
external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs"
is selected, the CSR generated for the IPA CA will include MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".
https://fedorahosted.org/freeipa/ticket/4496
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-13 12:18:09 +02:00
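The commit above says exactly what the "ms-cs" CA type adds to the CSR: the Microsoft certificate template name extension, OID 1.3.6.1.4.1.311.20.2, carrying the template name "SubCA". The value of that extension is a BMPString (UTF-16BE). The following added example, not FreeIPA code, encodes that extension by hand in DER and decodes it back, so that a practitioner can recognise the bytes in a CSR dump or verify that a CSR handed to an AD CS operator actually carries the expected template name. The real installer builds the CSR with NSS tooling; the encoder and decoder below are independent of it.

```python
# Added example, not FreeIPA code: DER encode/decode of the Microsoft certificate
# template name extension (szOID_ENROLL_CERTTYPE_EXTENSION, 1.3.6.1.4.1.311.20.2).

MS_TEMPLATE_NAME_OID = "1.3.6.1.4.1.311.20.2"


def der_length(n):
    """DER length octets: short form below 128, otherwise 0x8N + N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunks))
    return der_tlv(0x06, bytes(body))


def der_bmpstring(text):
    """BMPString (tag 0x1E) is UTF-16BE without a byte order mark."""
    return der_tlv(0x1E, text.encode("utf-16-be"))


def ms_template_name_extension(template="SubCA", critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }

    The OCTET STRING wraps the DER of the BMPString; DER omits critical when FALSE.
    """
    parts = der_oid(MS_TEMPLATE_NAME_OID)
    if critical:
        parts += der_tlv(0x01, b"\xff")
    parts += der_tlv(0x04, der_bmpstring(template))
    return der_tlv(0x30, parts)


def _read_tlv(data, pos):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
    return tag, data[pos:pos + length], pos + length


def decode_template_name(ext_der):
    """Template name if ext_der is this extension, else None (e.g. for basicConstraints)."""
    tag, seq, _ = _read_tlv(ext_der, 0)
    if tag != 0x30:
        return None
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x06 or der_tlv(0x06, oid) != der_oid(MS_TEMPLATE_NAME_OID):
        return None
    tag, value, pos = _read_tlv(seq, pos)
    if tag == 0x01:  # optional critical flag present, skip it
        tag, value, pos = _read_tlv(seq, pos)
    if tag != 0x04:
        return None
    tag, bmp, _ = _read_tlv(value, 0)
    return bmp.decode("utf-16-be") if tag == 0x1E else None


if __name__ == "__main__":
    print(ms_template_name_extension().hex())
```

The operational point: if the AD CS side issues from a template other than the one named here (for example a plain end-entity template), the resulting certificate will not carry CA basic constraints and the IPA CA cannot use it, so checking the extension in the CSR and the template in the issued certificate is worth the few seconds it takes.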
David Kupka
35c7bd05af
Check that port 8443 is available when installing PKI.
...
https://fedorahosted.org/freeipa/ticket/4564
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-10 11:57:44 +02:00
Jan Cholasta
92a08266af
Fix certmonger configuration in installer code
...
https://fedorahosted.org/freeipa/ticket/4619
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-10 08:48:25 +02:00