URL: https://github.com/freeipa/freeipa/pull/3275
Author: marcus2376
Title: #3275: Issue 7975 - Accept 389-ds JSON replication status messages
Action: opened
PR body:
"""
Description:
389-ds now stores a replication agreement status message in a JSON string in a new attribute:
replicaLastInitStatusJSON
replicaLastUpdateStatusJSON
The original status attributes' values are not changing at this time, but there are plans to do so eventually as the old status format is confusing.
http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html
https://pagure.io/freeipa/issue/7975
Reviewed by: ?
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3275/head:pr3275
git checkout pr3275
URL: https://github.com/freeipa/freeipa/pull/3774
Author: stanislavlevin
Title: #3774: [DNSSEC] WIP Allow using of a custom OpenSSL engine for BIND
Action: opened
PR body:
"""
For now Debian, Fedora, RHEL, etc. build BIND with 'native PKCS11'
support. Till recently, that was the strict requirement of DNSSEC.
The problem is that this restricts cross-platform features of FreeIPA.
With the help of libp11, which provides a `pkcs11` engine plugin for
the OpenSSL library for accessing PKCS11 modules in a semi-
transparent way, FreeIPA could utilize the OpenSSL version of BIND.
BIND in turn provides the ability to specify the OpenSSL engine on the
command line of `named` and all the BIND `dnssec-*` tools by using
the `-E engine_name` option.
Currently, this PR implements just an abstract ability.
Actual configuration and test results can be seen in my fork's Azure Pipelines:
https://dev.azure.com/slev0400/slev/_build/results?buildId=627&view=logs&j=…
Related: https://pagure.io/freeipa/issue/8094
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3774/head:pr3774
git checkout pr3774
URL: https://github.com/freeipa/freeipa/pull/3544
Author: mulatinho
Title: #3544: [WIP] ipa-join: allowing call with jsonrpc into freeipa API
Action: opened
PR body:
"""
- Adding the JSON-C and libcurl libraries to configure.ac and Makefile.am
- Creating an API call with option '-j' or '--jsonrpc' to make a host join FreeIPA with JSONRPC and libcurl.
TODO: unenroll process with JSONRPC.
To test the call:
# kinit admin
# ipa-join -s server.freeipa.ipadomain -j
Debug:
# ipa-join -s server.freeipa.ipadomain -j -d
Related: https://pagure.io/freeipa/issue/7966
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3544/head:pr3544
git checkout pr3544
URL: https://github.com/freeipa/freeipa/pull/2106
Author: abbra
Title: #2106: ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager
Action: opened
PR body:
"""
Password changes performed by cn=Directory Manager are excluded from
password policy checks according to [1]. This is correctly handled by
ipa-pwd-extop in case of a normal Kerberos principal in IPA. However,
non-kerberos accounts were not excluded from the check.
As a result, password updates for the PKI CA admin account in o=ipaca were
failing if a password policy does not allow password reuse. We are
re-setting the password for PKI CA admin in ipa-replica-prepare in case
the original directory manager's password was updated since creation of
`cacert.p12`.
Do the password policy check for non-Kerberos accounts only if it was set by
a regular user or admin. Changes performed by cn=Directory Manager and
passsync managers should be excluded from the policy check.
Fixes: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com>
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/h…
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2106/head:pr2106
git checkout pr2106
URL: https://github.com/freeipa/freeipa/pull/3509
Author: frasertweedale
Title: #3509: [Backport][ipa-4-7] Profile-based system cert renewal
Action: opened
PR body:
"""
Manual backport of #3316 to ipa-4-7. We
may need to backport this change all the way to ipa-4-6 to allow us to change
the IPA RA certificate profile on older releases.
See also https://github.com/freeipa/freeipa/pull/3508 which is the ipa-4-7 backport PR.
There were some trivial conflicts. There were substantive conflicts for two patches,
but these were due to the switch from mod_nss to mod_ssl, and from NSSDB-based
IPA RA cert to PEM files. Those patches were not relevant, and were dropped.
https://pagure.io/freeipa/issue/7991
Do not rely on CI only; I will have to test this change myself so I'll add WIP
label, and remove it when I'm satisfied.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3509/head:pr3509
git checkout pr3509
URL: https://github.com/freeipa/freeipa/pull/3508
Author: frasertweedale
Title: #3508: [Backport][ipa-4-7] Profile-based system cert renewal
Action: opened
PR body:
"""
Manual backport of https://github.com/freeipa/freeipa/pull/3316 to ipa-4-7. We
may need to backport this change all the way to ipa-4-6 to allow us to change
the IPA RA certificate profile on older releases. Currently this change is on
master and ipa-4-8, so ipa-4-7 is the next step.
There were some trivial conflicts. The only substantive conflicts were in
`dogtaginstance.py`. These were resolved by cherry-picking
8686cd3b4b69f725aee05c9cdd3034d7436055d3 ahead of the original patchset.
https://pagure.io/freeipa/issue/7991
Do not rely on CI only; I will have to test this change myself so I'll add WIP
label, and remove it when I'm satisfied.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3508/head:pr3508
git checkout pr3508