Update .mailmap with misconfigured patch authors since the last
feature release. Based on the git history, add new Developer
contributors.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Commit 46ae52569a reimplemented reporting of
managed topology suffixes in server-find/show commands using membership
attributes. This patch fixes consumers of this attribute in ipa-replica-manage
command and webui to reflect this change.
Reviewed-By: Martin Basti <mbasti@redhat.com>
In non-interactive more option --auto-forwarders can be used to do the
same. --forward option can be used to supply additional IP addresses.
https://fedorahosted.org/freeipa/ticket/5438
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
With the ability to promote replicas from an enrolled client the
uninstallation procedure has to be changed slightly. If the client-side
components are not removed last during replica uninstallation, we can end up
with leftover ipa default.conf preventing future client re-enrollment.
https://fedorahosted.org/freeipa/ticket/5410
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Default ldap search limit is now 30 sec by default during upgrade.
Limits must be changed for the whole ldap2 connection, because this
connection is used inside update plugins and commands called from
upgrade.
Together with increasing the time limit, also size limit should be
unlimited during upgrade. With sizelimit=None we may get the
TimeExceeded exception from getting default value of the sizelimit from LDAP.
https://fedorahosted.org/freeipa/ticket/5267
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Needs a 'break' otherwise prevents correct reporting of data and it always overrides
it with the placeholder data.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
If a first 4.3+ replica is installed in the domain, the custodia
container does not exist. Make sure it is created to avoid failures
during key generation.
https://fedorahosted.org/freeipa/ticket/5474
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
installing kra on promoted replica (domain level > 0) does not require
replica file.
https://fedorahosted.org/freeipa/ticket/5455
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Message that installation started/failed was shown even when
install_check fail (installation itself did not start).
This commit show messages only if installation started.
Enhacement for https://fedorahosted.org/freeipa/ticket/5455
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
with replica promotion (domain level > 0) there are no replica files,
thus adding replica file as parameter when domain level > 0 should be
disallowed.
https://fedorahosted.org/freeipa/ticket/5455
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Use ding-libs to parse /etc/ipa/default.conf to find the IPA server
to contact by default.
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/2203
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
When topology graph was shown with domain level == 0, a view describing
that domain level needs to be at least 1 was shown.
If domain level is raised, this view is then properly replaced by the
graph when shown again.
https://fedorahosted.org/freeipa/ticket/4286
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Into:
* ActionMixin
* HeaderMixin
It is supposed to be used as a mixin classes to facet.Facets. In long
term it should replace/serve as a base class for facet.facet.
e.g:
var SomeFacet = declare([Facet, ActionMixin, HeaderMixin], {
foo: function() {}
});
Then following spec can be used:
some_facet_spec = {
name: 'some',
label: 'Some Facet',
tab_label: 'Some Facet',
facet_groups: [foo.bar_facet_group],
facet_group: 'search',
actions: ['refresh'],
control_buttons: [
{
name: 'refresh',
label: '@i18n:buttons.refresh',
icon: 'fa-refresh'
}
],
header_actions: [refresh]
};
reg.facet.register({
type: 'some',
ctor: SomeFacet,
spec: some_facet_spec
});
prerequisite for: https://fedorahosted.org/freeipa/ticket/4286
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
So that facet.simple_facet_header could be used even in pages without
entity structure - e.g. future topology graph.
prerequisite for: https://fedorahosted.org/freeipa/ticket/4286
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When we promote an IPA client to replica, we need to write master-like
default.conf once we start configuring directory server instance. This way
even if DS configuration fails for some reason the server uninstall code can
work properly and clean up partially configured replica.
https://fedorahosted.org/freeipa/ticket/5417
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
By default mod_auth_gssapi allows all locally available mechanisms. If
the gssntlmssp package is installed, it also offers ntlmssp. This has
the annoying side effect that some browser will pop up a
username/password request dialog if no Krb5 credentials are available.
The patch restricts the mechanism to krb5 and removes ntlmssp and
iakerb support from Apache's ipa.conf.
The new feature was added to mod_auth_gssapi 1.3.0.
https://fedorahosted.org/freeipa/ticket/5114
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Simple regexp substitution caused that the domain directive fell under
an inapprorpiate section, if the domain directive was not present. Hence
the idmapd.conf file was not properly parsed.
Use IPAChangeConf to put the directive in its correct place even if it
the domain directive is missing.
https://fedorahosted.org/freeipa/ticket/5069
Reviewed-By: Gabe Alford <redhatrises@gmail.com>
The IPAChangeConf normallizes section names to lower case. There are
cases where this behaviour might not be desirable, so provide a way to
opt out.
https://fedorahosted.org/freeipa/ticket/5069
Reviewed-By: Gabe Alford <redhatrises@gmail.com>
Python dns resolver append configured domain to queries which may lead
to false positive answer.
Exmaple: resolving "ipa.example.com" may return records for
"ipa.example.com.example.com" if domain is configured as "example.com"
https://fedorahosted.org/freeipa/ticket/5421
Reviewed-By: Petr Spacek <pspacek@redhat.com>
To debug DNS issues other commands should be used like 'dig', 'host',
'nslookup' instead of command 'ipa dns-resolve'.
This command is executed on server side, what may not be helpful with
debugging clients.
'ipa dns-resolve' command is worse copy of host command, users should use
'host' command instead.
dns-resolve is removed from CLI
https://fedorahosted.org/freeipa/ticket/5466
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Return False does not mean that update failed, it mean that nothing has
been updated, respectively ldap is up to date.
https://fedorahosted.org/freeipa/ticket/5482
Reviewed-By: Tomas Babej <tbabej@redhat.com>
If the code within the private_ccache contextmanager does not
set/removes the KRB5CCNAME, the pop method will raise KeyError, which
will cause unnecessary termination of the code flow.
Make sure the KRB5CCNAME is popped out of os.environ only if present.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing
Dogtag 9 CA and CA DS instances are disabled on upgrade.
Creating a replica of a Dogtag 9 IPA master is still supported.
https://fedorahosted.org/freeipa/ticket/5197
Reviewed-By: David Kupka <dkupka@redhat.com>
Replica does not need to have A/AAAA records during install, so we
cannot enforce it and service must be added with --force option.
https://fedorahosted.org/freeipa/ticket/5420
Reviewed-By: Tomas Babej <tbabej@redhat.com>
ensure_default_caacl() was leaking open api.Backend.ldap2 connection which
could crash server/replica installation at later stages. This patch ensures
that after checking default CA ACL profiles the backend is disconnected.
https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Tomas Babej <tbabej@redhat.com>
