Due previous changes (in master branch only) the uniqueness plugins
became misconfigured.
After this patch:
* whole $SUFFIX will be checked by unique plugins
* just staged users are exluded from check
This reverts some changes in commit
52b7101c11
Since 389-ds-base 1.3.4.a1 new attribute 'uniqueness-exclude-subtrees'
can be used.
https://fedorahosted.org/freeipa/ticket/4921
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
httpd service stores Kerberos credentials in kernel keyring which gets
destroyed and recreated during service install/upgrade, causing problems when
the process is run under SELinux context other than 'unconfined_t'. This patch
enables HTTPInstance to set up a dedicated CCache file for Apache to store
credentials.
https://fedorahosted.org/freeipa/ticket/4973
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
https://fedorahosted.org/freeipa/ticket/4190
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Python modules pysss and pysss_murmur was part of package sssd-common.
Fedora 22 tries to get rid of python2 and therefore these modules were
extracted from package sssd-common to separate packages python-sss and
python-sss-murmur and python3 version of packages python3-sss
python3-sss-murmur
git grep "pysss" | grep import
ipalib/plugins/trust.py: import pysss_murmur #pylint: disable=F0401
ipaserver/dcerpc.py:import pysss
ipaserver/dcerpc.py is pacakged in freeipa-server-trust-ad
palib/plugins/trust.py is packaged in freeipa-python
Resolves:
https://fedorahosted.org/freeipa/ticket/4929
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Added dbus-python dependency to freeipa-python. This should fix
https://fedorahosted.org/freeipa/ticket/4863 and also cover dbus-python
dependencies in other freeipa-* packages.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Drop support for pylint < 1.0
Enable ignoring unknown attributes on modules (both nose and pytest
use advanced techniques, support for which only made it to pylint
recently)
Fix some bugs revealed by pylint
Do minor refactoring or add pylint:disable directives where the
linter complains.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The plugin to run tests within a class in the order they're defined
in the source was split into a separate project.
Use this project instead of a FreeIPA-specific copy.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The core integration testing functionality was split into a separate
project. Use this project, and configure it for FreeIPA.
The "mh" (multihost) fixture is made available for integration tests.
Configuration based on environment variables is moved into a separate
module, to ease eventual deprecation.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Protocols are configured as an inclusive range from SSLv3 through
TLSv1.2. The allowed values in the range are ssl3, tls1.0,
tls1.1 and tls1.2.
This is overridable per client by setting tls_version_min and/or
tls_version_max.
https://fedorahosted.org/freeipa/ticket/4653
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The expiration date was always set to the expiration date of the original
certificate.
https://fedorahosted.org/freeipa/ticket/4717
Reviewed-By: David Kupka <dkupka@redhat.com>
Just adding dir to specfile doesnt work, because is not guarantee the
named is installed, during RPM installation.
Ticket: https://fedorahosted.org/freeipa/ticket/4716
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.
The KRA installer has been modified to use Dogtag's CLI to create
KRA agent and setup the client authentication.
The proxy settings have been updated to include KRA's URLs.
Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.
The Dogtag dependency has been updated to 10.2.1-0.1.
https://fedorahosted.org/freeipa/ticket/4503
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Gradually new arches which need a bigger stack size for web ui build appear. It's safer to increase the stack size for every architecture and avoid possible future issues.
Reason: build fail on armv7hl
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This plugin ensures that all counter/watermark operations are atomic
and never decrement. Also, deletion is not permitted.
Because this plugin also ensures internal operations behave properly,
this also gives ipa-pwd-extop the appropriate behavior for OTP
authentication.
https://fedorahosted.org/freeipa/ticket/4493https://fedorahosted.org/freeipa/ticket/4494
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Added a new option --external-ca-type which specifies the type of the
external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs"
is selected, the CSR generated for the IPA CA will include MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".
https://fedorahosted.org/freeipa/ticket/4496
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The file was used by previous versions of IPA to provide the IPA CA certificate
to p11-kit and has since been obsoleted by ipa.p11-kit, a file which contains
all the CA certificates and associated trust policy from the LDAP certificate
store.
Since p11-kit is hooked into /etc/httpd/alias, ipa-ca.crt must be removed to
prevent certificate import failures in installer code.
Also add ipa.p11-kit to the files owned by the freeipa-python package.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This is the new default NSS database for IPA.
/etc/pki/nssdb is still maintained for backward compatibility.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Required bugfix in python-ldap 2.4.15
Updates must respect SUP objectclasses/attributes and update
dependencies first
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
use configuration parameters to enable ciphers provided by NSS
and not considered weak.
This requires 389-ds version 1.3.3.2 or later
https://fedorahosted.org/freeipa/ticket/4395
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
This substantially reduces the FreeIPA dependencies and allows
QR codes to fit in a standard terminal.
https://fedorahosted.org/freeipa/ticket/4430
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
