URL: https://github.com/freeipa/freeipa/pull/3275
Author: marcus2376
Title: #3275: Issue 7975 - Accept 389-ds JSON replication status messages
Action: opened
PR body:
"""
Description:
389-ds now stores a replication agreement status message in a JSON string in a new attribute:
replicaLastInitStatusJSON
replicaLastUpdateStatusJSON
The original status attributes' values are not changing at this time, but there are plans to do so eventually as the old status format is confusing.
http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html
https://pagure.io/freeipa/issue/7975
Reviewed by: ?
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3275/head:pr3275
git checkout pr3275
URL: https://github.com/freeipa/freeipa/pull/2106
Author: abbra
Title: #2106: ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager
Action: opened
PR body:
"""
Password changes performed by cn=Directory Manager are excluded from
password policy checks according to [1]. This is correctly handled by
ipa-pwd-extop in case of a normal Kerberos principal in IPA. However,
non-kerberos accounts were not excluded from the check.
As a result, password updates for PKI CA admin account in o=ipaca were
failing if a password policy does not allow a password reuse. We are
re-setting the password for PKI CA admin in ipa-replica-prepare in case
the original directory manager's password was updated since creation of
`cacert.p12`.
Do password policy check for non-Kerberos accounts only if it was set by
a regular user or admin. Changes performed by a cn=Directory Manager and
passsync managers should be excluded from the policy check.
Fixes: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com>
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/h…
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2106/head:pr2106
git checkout pr2106
URL: https://github.com/freeipa/freeipa/pull/3349
Author: amore17
Title: #3349: ipatests: filter_users should be applied correctly if SSSD starts offline
Action: opened
PR body:
"""
Added tests which validate that filter_users is applied correctly
when SSSD starts in offline mode, which checks that no look up
should be in data provider and NCE/USER/ipa_domain/user should be
added to negative cache.
Related Tickets:
https://pagure.io/SSSD/sssd/issue/3983
https://pagure.io/SSSD/sssd/issue/3978
Signed-off-by: Anuja More <amore(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3349/head:pr3349
git checkout pr3349
URL: https://github.com/freeipa/freeipa/pull/3183
Author: tiran
Title: #3183: Require a SASL SSF of >= 56 on client side
Action: opened
PR body:
"""
SSF_MINX 56 level ensures data integrity and confidentiality for SASL
GSSAPI and SASL GSS SPNEGO connections. Although at least AES128 is enforced
pretty much everywhere, 56 is required.
The original commit 350954589774499d99bf87cb5631c664bb0707c4 added minimum
SSF on LDAP client and LDAP server. Some LDAP consumers like realmd are
not compatible with strong SSF yet.
Related: https://pagure.io/freeipa/issue/7140
Related: https://pagure.io/freeipa/issue/4580
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3183/head:pr3183
git checkout pr3183
URL: https://github.com/freeipa/freeipa/pull/2812
Author: tiran
Title: #2812: Require secure-binds for password login
Action: opened
PR body:
"""
nsslapd-require-secure-binds restricts password based simple binds to
secure connections. It does not prevent a careless user from
transmitting a password in plain text. But it makes it obvious that he
did something bad. Password based bind attempts over insecure
connections are refused with:
Confidentiality required: Operation requires a secure connection
Secure connections are:
* LDAP connections on port 389 with STARTTLS
* LDAPS connections on port 636
* LDAPI connections to a local Unix socket
Anonymous bind (simple_bind with empty DN and password) and GSSAPI
bind operations are not affected.
nsslapd-require-secure-binds is enabled after 389-DS is configured for
TLS/SSL.
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
**NOTE** The change may cause compatibility issues with applications that don't perform secure binds.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2812/head:pr2812
git checkout pr2812
URL: https://github.com/freeipa/freeipa/pull/3039
Author: tiran
Title: #3039: Add temporary directory manager
Action: opened
PR body:
"""
The temporary directory manager simplifies the handling of temporary
files that are shared with other processes or kept throughout the lifetime
of the current process. It should only be used in case
tempfile.NamedTemporaryFile is not up for the task.
The manager creates a new temporary directory for each user. The
directory and all its files are accessible by the target user and the
root group ($uid:root / 0o770 / 0o660) to avoid DAC override capability.
The temporary directory is automatically removed on process exit.
Related: https://pagure.io/freeipa/issue/7911
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3039/head:pr3039
git checkout pr3039
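A sketch of the ownership and mode scheme PR #3039 describes (uid:root, 0o770 directories, 0o660 files, removal at exit), added here as an illustration and not the code from the PR. The class name `UserTempDirs`, its methods and the `tmpmgr-` prefix are hypothetical; the group-access bits let a root process reach the files without relying on CAP_DAC_OVERRIDE.

```python
import atexit
import os
import shutil
import tempfile


class UserTempDirs:
    """Hypothetical sketch: one temp directory per target uid, removed at exit."""

    def __init__(self, gid=0):
        self._gid = gid      # group that shares access; 0 is the root group
        self._dirs = {}      # uid -> directory path
        atexit.register(self.cleanup)

    def dir_for(self, uid):
        """Return the uid's directory, creating it as uid:gid with mode 0o770."""
        if uid not in self._dirs:
            path = tempfile.mkdtemp(prefix=f"tmpmgr-{uid}-")  # starts as 0o700
            os.chown(path, uid, self._gid)
            os.chmod(path, 0o770)
            self._dirs[uid] = path
        return self._dirs[uid]

    def write_file(self, uid, name, data):
        """Create name inside the uid's directory as uid:gid with mode 0o660."""
        if name in ("", ".", "..") or os.path.basename(name) != name:
            raise ValueError("name must be a plain file name")
        path = os.path.join(self.dir_for(uid), name)
        # O_EXCL and O_NOFOLLOW refuse pre-existing files and symlinks.
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
        with os.fdopen(os.open(path, flags, 0o600), "wb") as fh:
            os.fchown(fh.fileno(), uid, self._gid)
            os.fchmod(fh.fileno(), 0o660)  # explicit chmod ignores the umask
            fh.write(data)
        return path

    def cleanup(self):
        """Remove every directory this manager created."""
        for path in self._dirs.values():
            shutil.rmtree(path, ignore_errors=True)
        self._dirs.clear()
```

Changing ownership to another uid or to the root group requires privilege; an unprivileged run has to pass its own uid and gid.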
URL: https://github.com/freeipa/freeipa/pull/3102
Author: tiran
Title: #3102: Workaround for AJP to bind on IPv6 localhost
Action: opened
PR body:
"""
Tomcat's AJP connector binds to IPv4 localhost only. This causes issues
with IPv6-only environment. The installer now detects if localhost6 is
available and working, then configures Dogtag's Tomcat to use
localhost6.
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3102/head:pr3102
git checkout pr3102
URL: https://github.com/freeipa/freeipa/pull/2331
Author: mrizwan93
Title: #2331: Installation of replica against a specific server
Action: opened
PR body:
"""
Test to check replica install against specific server. It uses master and
replica1 without CA and having custodia service stopped. Then try to
install replica2 from replica1 so that replica2 will fetch secrets from
master as custodia service is not running on replica1.
related ticket: https://pagure.io/freeipa/issue/7566
Signed-off-by: Mohammad Rizwan Yusuf <myusuf(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2331/head:pr2331
git checkout pr2331
URL: https://github.com/freeipa/freeipa/pull/3416
Author: mulatinho
Title: #3416: Issue #7987 - Fix python3 shebang scripts
Action: opened
PR body:
"""
Hi guys, it is my first contribution to the project, it seems that ipa python scripts were using -E flag and @cheimes suggested that -I flag would be a better alternative, I saw that it was part of 4.8 version milestone and made a change. Hope everything is OK :)
All the scripts now are using this shebang:
```
#!/usr/bin/python3 -I
```
I am testing the scripts but until now everything is OK.
Related: https://pagure.io/freeipa/issue/7987
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3416/head:pr3416
git checkout pr3416
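What the switch from `-E` to `-I` in PR #3416 changes at runtime, as an added example that is not part of the PR: `-E` only ignores `PYTHON*` environment variables, while `-I` also drops the script directory and the user site directory from `sys.path`. The probe script and the planted `colorsys.py` are constructed for the demonstration.

```python
import json
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed probe: reports interpreter flags and whether "import colorsys"
# was satisfied by a file sitting next to the script instead of the stdlib.
PROBE = """\
import json, sys
import colorsys
print(json.dumps({
    "isolated": sys.flags.isolated,
    "ignore_environment": sys.flags.ignore_environment,
    "no_user_site": sys.flags.no_user_site,
    "shadowed": getattr(colorsys, "PLANTED", False),
}))
"""


def run_probe(flag):
    """Run the probe with the given interpreter flag ("-E" or "-I")."""
    with tempfile.TemporaryDirectory() as tmp:
        script = Path(tmp) / "probe.py"
        script.write_text(PROBE)
        # Constructed stand-in for a module dropped into the script directory.
        (Path(tmp) / "colorsys.py").write_text("PLANTED = True\n")
        result = subprocess.run(
            [sys.executable, flag, str(script)],
            capture_output=True, text=True, check=True,
        )
        return json.loads(result.stdout)


if __name__ == "__main__":
    for flag in ("-E", "-I"):
        print(flag, run_probe(flag))
```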