December 2018 - FreeIPA-devel - Fedora mailing-lists

[freeipa PR#2464][opened] Support interactive prompt for ntp options
by Tiboris 11 Apr '19

11 Apr '19

URL: https://github.com/freeipa/freeipa/pull/2464 Author: Tiboris Title: #2464: Support interactive prompt for ntp options Action: opened PR body: """ FreeIPA will now ask user for NTP source server or pool address in interactive mode if there is no server nor pool specified and autodiscovery has not found any NTP source in DNS records. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2464/head:pr2464 git checkout pr2464

2 1

[freeipa PR#2635][opened] [Backport][ipa-4-7] Added automation for NTP options test scenarios
by Tiboris 29 Mar '19

29 Mar '19

URL: https://github.com/freeipa/freeipa/pull/2635 Author: Tiboris Title: #2635: [Backport][ipa-4-7] Added automation for NTP options test scenarios Action: opened PR body: """ This PR is **manual backport** of https://github.com/freeipa/freeipa/pull/2404 please wait for CI before pushing. In case of questions or problems contact @varunmylaraiah who is author of the original PR. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2635/head:pr2635 git checkout pr2635

1 1

[freeipa PR#2638][opened] Fix test_ntp_options
by Tiboris 29 Mar '19

29 Mar '19

URL: https://github.com/freeipa/freeipa/pull/2638 Author: Tiboris Title: #2638: Fix test_ntp_options Action: opened PR body: """ On nightly tests are failing because custom client and replica install methods Use methods: - tasks.replica_install() - tasks.client_isntall() instead of custom methods. Move ntp_pool/server to class scope. Related to: https://pagure.io/freeipa/issue/7719 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2638/head:pr2638 git checkout pr2638

1 1

[freeipa PR#1726][opened] [RFE] IPA server installation with successful message
by amitkumar50 29 Mar '19

29 Mar '19

URL: https://github.com/freeipa/freeipa/pull/1726 Author: amitkumar50 Title: #1726: [RFE] IPA server installation with successful message Action: opened PR body: """ This PR updates IPA success installation message as this: ============================================= IPA server installation successful You can access Web UI using https://ipaserver1.testrelm.test/ipa/ui Obtain a Kerberos Ticket for issuing IPA command 'kinit admin' Server is installed with following roles : * Directory Server * Kerbeors Server * Httpd Server * CA Server * DNS Server For troubleshooting and errors : Please visit : https://www.redhat.com/en For documentation : Please visit : https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/ht… Resolves: https://pagure.io/freeipa/issue/6355 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1726/head:pr1726 git checkout pr1726

2 1

[freeipa PR#2584][opened] ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager
by tiran 29 Mar '19

29 Mar '19

URL: https://github.com/freeipa/freeipa/pull/2584 Author: tiran Title: #2584: ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager Action: opened PR body: """ The PR was originally PR @abbra's PR https://github.com/freeipa/freeipa/pull/2106. PR-CI was broken for that PR. I also squashed some intermediate commits. ## Original PR message Password changes performed by cn=Directory Manager are excluded from password policy checks according to [1]. This is correctly handled by ipa-pwd-extop in case of a normal Kerberos principal in IPA. However, non-kerberos accounts were not excluded from the check. As result, password updates for PKI CA admin account in o=ipaca were failing if a password policy does not allow a password reuse. We are re-setting the password for PKI CA admin in ipa-replica-prepare in case the original directory manager's password was updated since creation of `cacert.p12`. Do password policy check for non-Kerberos accounts only if it was set by a regular user or admin. Changes performed by a cn=Directory Manager and passsync managers should be excluded from the policy check. Fixes: https://pagure.io/freeipa/issue/7181 Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com> [1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/h… """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2584/head:pr2584 git checkout pr2584

1 1

[freeipa PR#2163][opened] Make ipaclient.csrgen optional
by tiran 27 Mar '19

27 Mar '19

URL: https://github.com/freeipa/freeipa/pull/2163 Author: tiran Title: #2163: Make ipaclient.csrgen optional Action: opened PR body: """ ipaclient's csrgen plugin has been turned into an optional dependency. The ipaclient plugin, helper modules like ipaclient.csrgen and templates are shipped conditionally. The ipaclient cert plugin and ipatests handle missing csrgen gracefully. Signed-off-by: Christian Heimes <cheimes(a)redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2163/head:pr2163 git checkout pr2163

1 1

[freeipa PR#1843][opened] Allow issuing certificates with IP addresses in subjectAltName (ftweedal)
by frasertweedale 04 Mar '19

04 Mar '19

URL: https://github.com/freeipa/freeipa/pull/1843 Author: frasertweedale Title: #1843: Allow issuing certificates with IP addresses in subjectAltName (ftweedal) Action: opened PR body: """ Continuation of https://github.com/freeipa/freeipa/pull/1700 by @ipilcher, adding commits by @ftweedal. Please keep both PRs open for the time being. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1843/head:pr1843 git checkout pr1843

2 1

[freeipa PR#1883][opened] ipactl: Correction of named to named-pkcs11
by amitkumar50 21 Feb '19

21 Feb '19

URL: https://github.com/freeipa/freeipa/pull/1883 Author: amitkumar50 Title: #1883: ipactl: Correction of named to named-pkcs11 Action: opened PR body: """ Whenever ipactl status is run it returned: Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named Service: RUNNING ... This PR changes ipactl o/p to: Directory Service: RUNNING krb5kdc Service: RUNNING kadmin Service: RUNNING named-pkcs11 Service: RUNNING Resolves: https://pagure.io/freeipa/issue/7446 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1883/head:pr1883 git checkout pr1883

2 1

[freeipa PR#2628][opened] [WIP] Refactor LDAPClient
by tiran 05 Feb '19

05 Feb '19

URL: https://github.com/freeipa/freeipa/pull/2628 Author: tiran Title: #2628: [WIP] Refactor LDAPClient Action: opened PR body: """ **WIP** Simplify LDAPClient construction and ensure that LDAP connections are always secure (LDAP + STARTTLS, LDAPI, LDAPS) unless explicitly stated otherwise. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2628/head:pr2628 git checkout pr2628

1 1

[freeipa PR#2697][opened] LDAPClient: Prefer LDAPI connections in installer and simplify API
by tiran 05 Feb '19

05 Feb '19

URL: https://github.com/freeipa/freeipa/pull/2697 Author: tiran Title: #2697: LDAPClient: Prefer LDAPI connections in installer and simplify API Action: opened PR body: """ On several occasions the installer uses LDAP + simple_bind rather than LDAPI with EXTERNAL bind. LDAPI (LDAP over Unix socket) is more secure, a tiny bit faster, and is immune to some network/DNS related issues. The changeset simplifies the LDAPClient API by introducing additional constructors. The new constructors are not only easier to use but also prevent some common pitfalls like LDAP connection without StartTSL. Several code paths now use ``LDAPClient.from_realm(realm_name)`` with external bind as root instead of LDAP with DM password. ### Add constructors to ldap client Add LDAPClient.from_realm(), LDAPClient.from_hostname_secure(), and LDAPClient.from_hostname_plain() constructors. The simple_bind() method now also refuses to transmit a password over a plain, unencrypted line. LDAPClient.from_hostname_secure() uses start_tls and FreeIPA's CA cert by default. The constructor also automatically disables start_tls for ldaps and ldapi connections. ### Use new LDAPClient constructors Replace get_ldap_uri() + LDAPClient() with new LDAPClient constructors like LDAPClient.from_realm(). Some places now use LDAPI with external bind instead of LDAP with simple bind. Although the FQDN *should* resolve to 127.0.0.1 / [::1], there is no hard guarantee. The draft tools.ietf.org/html/draft-west-let-localhost-be-localhost-04#section-5.1 specifies that applications must verify that the resulting IP is a loopback API. LDAPI is always local and a bit more efficient, too. The simple_bind() method also prevents the caller from sending a password over an insecure line. ### Use LDAPS when installing CA on replica On a replica, 389-DS is already configured for secure connections when the CA is installed. ### Move realm_to_serverid/ldap_uri to ipaldap The helper function realm_to_serverid() and realm_to_ldap_uri() are useful outside the server installation framework. They are now in ipapython.ipaldap along other helpers for LDAP handling in FreeIPA. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2697/head:pr2697 git checkout pr2697

2 1

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-devel December 2018