URL: https://github.com/freeipa/freeipa/pull/893
Author: martbab
Title: #893: smart card advises fixes + general improvements
Action: opened
PR body:
"""
Add some missing operations to the client/server smart card advises and fix
issues. Also provide more transparent generators of Bash control flow branches
and loops.
https://pagure.io/freeipa/issue/7036
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/893/head:pr893
git checkout pr893
URL: https://github.com/freeipa/bind-dyndb-ldap/pull/18
Author: tomaskrizek
Title: #18: Update to BIND 9.11.1
Action: opened
PR body:
"""
Bump BIND version to 9.11.1
---
Add empty callback for getsize
BIND introduced the getsize method in db.h. This is related to
CVE-2016-6170 and allows setting a zone size limit restriction.
"""
To pull the PR as Git branch:
git remote add ghbind-dyndb-ldap https://github.com/freeipa/bind-dyndb-ldap
git fetch ghbind-dyndb-ldap pull/18/head:pr18
git checkout pr18
URL: https://github.com/freeipa/freeipa/pull/891
Author: frasertweedale
Title: #891: Add SKI and AKI to CA certs in ca-less integration test
Action: opened
PR body:
"""
The IPA installer now checks that CA certs include the Subject Key
Identifier extension (which is required by Dogtag and RFC 5280).
But this broke our integration tests, which were not adding the
extension.
Update the caless-create-pki script to add these extensions.
The Subject Key Identifier and Authority Key Identifier values are
randomly chosen for each CA, and propagated down to the 'gen_cert()'
subroutine so that profiles have access to them. Each profile can
choose how to use it. For now, only the 'ca' profile uses them, but
for maximum correctness the 'server' profile (i.e. for leaf
certificates) could be updated to add the CA's SKI to the AKI
extension. This is left for a later commit.
Fixes: https://pagure.io/freeipa/issue/7030
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/891/head:pr891
git checkout pr891
URL: https://github.com/freeipa/freeipa/pull/863
Author: frasertweedale
Title: #863: Add CommonNameToSANDefault to default cert profile
Action: opened
PR body:
"""
The CommonNameToSANDefault component was added to Dogtag 10.4. When
a profile is configured to use it, this profile copies the CN in the
certificate to the Subject Alternative Name extension as a dNSName
(if and only if it does look like a DNS name).
It is desirable that the default service profile use this component.
Add it to the default profile, for new installations only. For
existing installations, until a proper profile update mechanism is
implemented, administrators who wish to use it must configure it via
the 'certprofile-mod' command.
Part of: https://pagure.io/freeipa/issue/4970
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/863/head:pr863
git checkout pr863
URL: https://github.com/freeipa/freeipa/pull/859
Author: frasertweedale
Title: #859: Add CommonNameToSANDefault to default cert profile
Action: opened
PR body:
"""
The CommonNameToSANDefault component was added to Dogtag 10.4. When
a profile is configured to use it, this profile copies the CN in the
certificate to the Subject Alternative Name extension as a dNSName
(if and only if it does look like a DNS name).
It is desirable that the default service profile use this component.
Add it to the default profile, for new installations only. For
existing installations, until a proper profile update mechanism is
implemented, administrators who wish to use it must configure it via
the 'certprofile-mod' command.
Part of: https://pagure.io/freeipa/issue/4970
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/859/head:pr859
git checkout pr859
URL: https://github.com/freeipa/freeipa/pull/872
Author: stlaz
Title: #872: Add IPA-specific bind unit file
Action: opened
PR body:
"""
During upgrade of Fedora 25 to 26, when FreeIPA is installed with
DNS, bind attempts to start before the KDC, which leads to a failed
start because it requires a ticket to connect to LDAP.
Add our own unit file with a dependency which sets bind to start
after the KDC service.
https://pagure.io/freeipa/issue/7018
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/872/head:pr872
git checkout pr872