Without this it is possible to prepare a replica for a host that doesn't
exist in DNS. The result when this replica file is installed is that
replication will fail because the master won't be able to communicate
to the replica by name.
ticket 680
Currently the code depends on using a password to create replication
agreements. so this patch forces the request of the dirmgr password until we
can fix the internal issues that prevent using the amdin user with SASL/GSSAPI
to create replication agreements.
The previous code was removing only one agreement, leaving all other in place.
This would leave dangling replication agreements once the replica is
uninstalled.
Fixes: https://fedorahosted.org/freeipa/ticket/624
These commands can now be run exclusively o the replica that needs to be
resynced or reinitialized and the --from command must be used to tell from
which other replica it can will pull data.
Fixes: https://fedorahosted.org/freeipa/ticket/626
Part of this fix requires also giving proper permission to change the
replication agreements root.
While there also fix replica-related permissions to have the classic
add/modify/remove triplet of permissions.
Fixes: https://fedorahosted.org/freeipa/ticket/630
if ipa-replica-manage list is given a master name as argument then the tool
has the old behavior of listing that specific master replication agreements
Fixes: https://fedorahosted.org/freeipa/ticket/625
Can remove replication agreements between 2 replicas as long as it is
not the last agreement (except for Ad replication agreements, which can
always be removed).
Fixes: https://fedorahosted.org/freeipa/ticket/551
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
Notable changes include:
* parse AAAA records in dnsclient
* also ask for AAAA records when verifying FQDN
* do not use functions that are not IPv6 aware - notably socket.gethostbyname()
The complete list of functions was taken from http://www.akkadia.org/drepper/userapi-ipv6.html
section "Interface Checklist"
If the ticket is expired or otherwise unusable it should fall back to the DM
password. It was prompted for correctly but wasn't being passed on.
ticket 549
The CA is installed before DS so we need to wait until DS is actually installed
to be able to ldap_enable the CA instance.
Fixes: https://fedorahosted.org/freeipa/ticket/612
This allows us to have the CA ready to serve out certs for any operation even
before the dsinstance is created. The CA is independent of the dsinstance
anyway.
Also fixes: https://fedorahosted.org/freeipa/ticket/544
This replace the former ipactl script, as well as replace the current way ipa
components are started.
Instead of enabling each service in the system init scripts, enable only the
ipa script, and then let it start all components based on the configuration
read from the LDAP tree.
resolves: https://fedorahosted.org/freeipa/ticket/294
Instead of allocating a completely random start between 1M and 2G and a range
of 1M values, give 10000 possible 200k ranges. They all start at a 200k
boundary so they generate more readable IDs, at least until there arent't too
many users/replicas involved.
There was a corner case where the value of --ip-address was never verified
if you were also setting up DNS.
Added this bit of information to the man page too.
ticket 399
Change the way we specify the id ranges to force uid and gid ranges to always
be the same. Add option to specify a maximum id.
Change DNA configuration to use shared ranges so that masters and replicas can
actually share the same overall range in a safe way.
Configure replicas so that their default range is depleted. This will force
them to fetch a range portion from the master on the first install.
fixes: https://fedorahosted.org/freeipa/ticket/198
The signature of ldap2.get_entry() changed so normalize wasn't being
handled properly so the basedn was always being appended causing our
entry in cn=config to be not found.
ticket 414
Uses a new subclass IPAOptionParser in scripts instead of OptionParser
from the standard python library. IPAOptionParser uses its own IPAOption
class to store options, which adds a new 'sensitive' attribute.
https://fedorahosted.org/freeipa/ticket/393
