Commit Graph

207 Commits

Author SHA1 Message Date
Jan Cholasta
db3e450732 Own /usr/share/ipa/ui/js/ in the spec file.
https://fedorahosted.org/freeipa/ticket/4010
2013-12-02 12:37:44 +01:00
Jan Cholasta
652c4e6ace Use hardening flags for ipa-optd.
https://fedorahosted.org/freeipa/ticket/4010
2013-12-02 12:37:41 +01:00
Petr Viktorin
ba0da01c1d Remove changelog from the spec
The project's history is kept in Git. We used the spec changelog
for changes to the spec itself, which doesn't make much sense.
Downstreams like Fedora use their own changelog anyway.

A single entry is left for tools that expect a changelog.
2013-11-26 15:37:18 +01:00
Jan Cholasta
f20577ddc4 Remove mod_ssl port workaround.
https://fedorahosted.org/freeipa/ticket/4021
2013-11-26 12:58:17 +01:00
Tomas Babej
60b472479d platform: Add Fedora 19 platform file
Part of: https://fedorahosted.org/freeipa/ticket/3504
2013-11-20 13:13:38 +01:00
Martin Basti
e8fc70f149 Removed old firefox configuration scripts
Part of ticket https://fedorahosted.org/freeipa/ticket/3821
2013-11-15 13:30:39 +01:00
Petr Viktorin
88154b5709 Fix date in last changelog entry 2013-10-25 16:14:51 +02:00
Martin Kosek
4bed0de60d Remove mod_ssl conflict
Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening to different ports).

To make sure that mod_ssl is not configured to listen on 443
(default mod_ssl configuration), add a check to the installer checking
of either mod_nss or mod_ssl was configured to listen on that port.

https://fedorahosted.org/freeipa/ticket/3974
2013-10-25 15:35:39 +02:00
Martin Kosek
46b3588112 Require new SSSD to pull required AD subdomain fixes 2013-10-04 10:25:31 +02:00
Petr Viktorin
3e505fe532 Move tests to test directories
Nose doesn't pick up directories that don't begin with 'test'.
Rename ipatests/test_ipaserver/install to test_install so that it's run.

Also, merge test_ipautil.py from ipapython/test into tests/test_ipapython,
so the whole test suite is in one place.
2013-09-25 10:13:56 +02:00
Ana Krivokapic
7c22b852c7 Follow tmpfiles.d packaging guidelines
https://fedorahosted.org/freeipa/ticket/3881
2013-09-16 13:33:13 +02:00
Petr Viktorin
f742520760 Add man pages for testing tools
Add man pages for ipa-run-tests, ipa-test-task, and ipa-test-config.

https://fedorahosted.org/freeipa/ticket/3855 (part 5)
2013-08-29 15:18:34 +02:00
Petr Viktorin
a8d2ec6677 Allow freeipa-tests to work with older paramiko versions
The integration testing framework used Paramiko SFTP files as
context managers. This feature is only available in Paramiko 1.10+.
Use an explicit context manager so that we don't rely on the feature.
2013-08-13 15:42:48 +02:00
Martin Kosek
b1474a53c0 Fix selected minor issues in the spec file and license
This patch fixes:
- too long description for server-trust-ad subpackage
- adds (noreplace) flag %{_sysconfdir}/tmpfiles.d/ipa.conf to avoid
  overwriting potential user changes
- changes permissions on default_encoding_utf8.so to prevent it
  pollute python subpackage Provides.
- wrong address in GPL v2 license preamble in 2 distributed files

https://fedorahosted.org/freeipa/ticket/3855
2013-08-13 15:31:46 +02:00
Martin Kosek
ba5311b7ba Remove rpmlint warnings in spec file
Specifically:
- combination of spaces and tabs in one line
- using macros in comments
- using "egrep" instead of "grep -E"

https://fedorahosted.org/freeipa/ticket/3855
2013-08-13 15:31:46 +02:00
Tomas Babej
69394bab5a Remove support for IPA deployments with no persistent search
Drops the code from ipa-server-install, ipa-dns-install and the
BindInstance itself. Also changed ipa-upgradeconfig script so
that it does not set zone_refresh to 0 on upgrades, as the option
is deprecated.

https://fedorahosted.org/freeipa/ticket/3632
2013-08-09 12:14:42 +02:00
Martin Kosek
e57a9ae7d8 Add requires for slapi-nis and SSSD
Require slapi-nis 0.47.7 and sssd 1.11.0-0.1.beta2 required for core
features of 3.3.0 release.
2013-08-08 15:00:57 +02:00
Ana Krivokapic
fc3f3c90b9 Add ipa-advise plugins for legacy clients
Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to gain access to
resources in trusted domain.

Since the configuration steps differ depending on whether the platform includes
the authconfig tool, two plugins are needed:

* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based
  systems, as these system include the autconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms

https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
2013-08-07 09:18:42 +02:00
Martin Kosek
6a0aabede5 Free NSS objects in --external-ca scenario
In external CA installation, ipa-server-install leaked NSS objects
which caused an installation crash later when a subsequent call of
NSSConnection tried to free them.

Properly freeing the NSS objects avoid this crash.

https://fedorahosted.org/freeipa/ticket/3773
2013-07-26 12:51:10 +02:00
Petr Viktorin
e38816bdaf Add tar and xz dependencies to the freeipa-tests package
The beakerLib plugin collects log files via compressed tarballs,
so these dependencies are needed
2013-07-25 12:32:36 +02:00
Petr Viktorin
00dfd9399b Add the ipa-test-task tool
This script makes common testing tasks such as IPA installation
and uninstallation available outside of Python.

https://fedorahosted.org/freeipa/ticket/3721
2013-07-25 12:32:35 +02:00
Tomas Babej
d094481ea6 Move requirement for keyutils to freeipa-python package
There was already a dependency in server package, however,
the correct place for such dependency is in freeipa-python,
since the relevant code using keyutils resides there.

Both freeipa-server and freeipa-client require freeipa-python.

https://fedorahosted.org/freeipa/ticket/3808
2013-07-24 17:17:56 +02:00
Martin Kosek
9c851019ae Bump minimum SSSD version
Pick up latest SSSD 1.11 Beta development
2013-07-24 13:37:45 +02:00
Nathaniel McCallum
6c0b7f3389 Use libunistring ulc_casecmp() on unicode strings
https://fedorahosted.org/freeipa/ticket/3772
2013-07-18 18:08:53 +02:00
Ana Krivokapic
f98054a31a Bump version of sssd in spec file
https://fedorahosted.org/freeipa/ticket/3652
2013-07-18 17:49:28 +02:00
Martin Kosek
1dcbb3adfa Require new selinux-policy replacing old server-selinux subpackage
Features of the new policy:
- labels /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t which is
  writeable by PKI and readable by HTTPD
- contains Conflicts with old freeipa-server-selinux package to avoid
  SELinux upgrade issues

https://fedorahosted.org/freeipa/ticket/3788
2013-07-17 16:21:14 +02:00
Tomas Babej
c81849712f Provide ipa-advise tool
Provides a pluggable framework for generating configuration
scriptlets and instructions for various machine setups and use
cases.

Creates a new ipa-advise command, available to root user
on the IPA server.

Also provides an example configuration plugin,
config-fedora-authconfig.

https://fedorahosted.org/freeipa/ticket/3670
2013-07-17 13:49:59 +02:00
Petr Vobornik
2a9be92855 Upstream Web UI tests
Documentation: http://www.freeipa.org/page/Web_UI_Integration_Tests

https://fedorahosted.org/freeipa/ticket/3744
2013-07-16 13:15:59 +02:00
Tomas Babej
7a105604e2 Change group ownership of CRL publish directory
Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no
longer owned by created with package installation. The directory
is rather created/removed with the CA instance itself.

This ensures proper creation/removeal, group ownership
and SELinux context.

https://fedorahosted.org/freeipa/ticket/3727
2013-07-16 12:17:40 +02:00
Petr Viktorin
353f3c62c3 Add a framework for integration testing
Add methods to run commands and copy files to Host objects.
Adds a base class for integration tests which can currently install
and uninstall IPA in a "star" topology with per-test specified number
of hosts.
A simple test for user replication between two masters is provided.
Log files from the remote hosts can be marked for collection, but the
actual collection is left to a Nose plugin.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3621
2013-07-15 15:49:06 +02:00
Petr Viktorin
c577420e40 Add a framework for integration test configuration
Integration tests are configured via environment variables.
Add a framework for parsing these variables and storing them
in easy-to-use objects.

Add an `ipa-test-config` executable that loads the configuration
and prints out variables needed in shell scripts.

Part of the work for https://fedorahosted.org/freeipa/ticket/3621
2013-07-15 15:49:05 +02:00
Martin Kosek
57fd275d7a Run server upgrade and restart in posttrans
Running server upgrade or restart in %post or %postun may cause issues when
there are still parts of old FreeIPA software (like entitlements plugin).

https://fedorahosted.org/freeipa/ticket/3739
2013-07-11 18:05:03 +03:00
Tomas Babej
8c16188519 Add libsss_nss_idmap-devel to BuildRequires 2013-07-11 14:41:19 +03:00
Ana Krivokapic
c1e9b6fa1d Make sure replication works after DM password is changed
Replica information file contains the file `cacert.p12` which is protected by
the Directory Manager password of the initial IPA server installation. The DM
password of the initial installation is also used for the PKI admin user
password.

If the DM password is changed after the IPA server installation, the replication
fails.

To prevent this failure, add the following steps to ipa-replica-prepare:
1. Regenerate the `cacert.p12` file and protect it with the current DM password
2. Update the password of the PKI admin user with the current DM password

https://fedorahosted.org/freeipa/ticket/3594
2013-07-11 12:39:29 +03:00
Jan Cholasta
ea7db35b62 Enable SASL mapping fallback.
Assign a default priority of 10 to our SASL mappings.

https://fedorahosted.org/freeipa/ticket/3330
2013-06-27 17:06:51 +02:00
Martin Kosek
77ae4da706 Remove entitlement support
Entitlements code was not tested nor supported upstream since
version 3.0. Remove the associated code.

https://fedorahosted.org/freeipa/ticket/3739
2013-06-26 14:11:42 +02:00
Petr Viktorin
e87807d379 Add ipa-run-tests command
Part of the work for: https://fedorahosted.org/freeipa/ticket/3654
2013-06-17 19:22:58 +02:00
Petr Viktorin
c60142efda Make an ipa-tests package
Rename the 'tests' directory to 'ipa-tests', and create an ipa-tests RPM
containing the test suite

Part of the work for: https://fedorahosted.org/freeipa/ticket/3654
2013-06-17 19:22:50 +02:00
Martin Kosek
6d66e826c1 Drop redundant directory /var/cache/ipa/sessions
This directory is no longer used as session storage.
2013-06-17 17:35:37 +02:00
Martin Kosek
ad6abdb576 Drop SELinux subpackage
All SELinux policy needed by FreeIPA server is now part of the global
system SELinux policy which makes the subpackage redundant and slowing
down the installation. This patch drops it.

https://fedorahosted.org/freeipa/ticket/3683
https://fedorahosted.org/freeipa/ticket/3684
2013-06-17 17:35:37 +02:00
Nathaniel McCallum
203754691c Add the krb5/FreeIPA RADIUS companion daemon
This daemon listens for RADIUS packets on a well known
UNIX domain socket. When a packet is received, it queries
LDAP to see if the user is configured for RADIUS authentication.
If so, then the packet is forwarded to the 3rd party RADIUS server.
Otherwise, a bind is attempted against the LDAP server.

https://fedorahosted.org/freeipa/ticket/3366
http://freeipa.org/page/V3/OTP
2013-05-17 09:30:51 +02:00
Martin Kosek
58dd5b970e Fix SASL_NOCANON behavior for LDAPI
Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON
behavior for socket based connections (#960222).
2013-05-10 14:18:10 +02:00
Petr Viktorin
8f6e6514c4 Only require libsss_nss_idmap-python in Fedora 19+
The package is only available in Fedora 19.
This means SID resolution in the UI won't work in Fedora 18.
2013-05-07 13:18:48 +02:00
Alexander Bokovoy
03cdc22c94 Resolve SIDs in Web UI
Introduce new command, 'trust-resolve', to aid resolving SIDs to names
in the Web UI.

The command uses new SSSD interface, nss_idmap, to resolve actual SIDs.
SSSD caches resolved data so that future requests to resolve same SIDs
are returned from a memory cache.

Web UI code is using Dojo/Deferred to deliver result of SID resolution
out of band. Once resolved names are available, they replace SID values.

Since Web UI only shows ~20 records per page, up to 20 SIDs are resolved
at the same time. They all sent within the single request to the server.

https://fedorahosted.org/freeipa/ticket/3302
2013-05-06 20:44:00 +02:00
Petr Vobornik
c72d0f5075 Generate plugin index dynamically
https://fedorahosted.org/freeipa/ticket/3235
2013-05-06 16:22:30 +02:00
Petr Vobornik
74b6099fb0 Web UI plugin loader
https://fedorahosted.org/freeipa/ticket/3235
2013-05-06 16:22:20 +02:00
Rob Crittenden
6e2c3a45a1 Handle a 501 in cert-find from dogtag as a "not supported"
Upgrading from d9 -> d10 does not set up the RESTful interface
in dogtag, they just never coded it. Rather than trying to backport
things they have decided to not support upgrades.

We need to catch this and report a more reasonable error. They are
returning a 501 (HTTP method unimplemented) in this case.

https://fedorahosted.org/freeipa/ticket/3549
2013-05-03 16:05:49 -04:00
Rob Crittenden
bfdcc7c62d Drop uniqueMember mapping with nss-pam-ldapd.
nss-pam-ldapd in 0.8.4 changed the default to map uniqueMember to
member so it is no longer needed in the config file, and in fact
causes an error to be raised.

Add a Conflicts on older versions.

https://fedorahosted.org/freeipa/ticket/3589
2013-05-02 10:43:10 -04:00
Jan Cholasta
ddd8988f1c Add support for OpenSSH 6.2.
Run sss_ssh_authorizedkeyscommand as nobody. Automatically update sshd_config
on openssh-server update.

https://fedorahosted.org/freeipa/ticket/3571
2013-04-30 11:05:39 -04:00
Rob Crittenden
732d1042a3 Require version of NSS that properly parses base64-encoded certs
There were cases where a base64-encoded cert with no header/footer would
not be handled properly and rejected. This was causing the CA install
to fail.

https://fedorahosted.org/freeipa/ticket/3586
2013-04-29 09:49:37 -04:00