URL: https://github.com/freeipa/freeipa/pull/4909
Author: fcami
Title: #4909: Add unauthenticated nsupdate
Action: opened
PR body:
"""
ipa-client-install: update sssd.conf if nsupdate requires -g
If dynamic DNS updates are selected, sssd will use GSS-TSIG
by default for nsupdate.
When ipa-client-install notices that plain nsupdate is required,
switch sssd to use no authentication for dynamic updates too.
Fixes: https://pagure.io/freeipa/issue/8402
+
ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)
ipa-client-install invokes nsupdate with GSS-TSIG at client
enrollment time. If that fails, no retry is done.
Change that behavior to try again without GSS-TSIG.
Fixes: https://pagure.io/freeipa/issue/8402
####
This is purely WIP:
- it needs a proper test
- there are more nsupdate calls that should be adapted.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4909/head:pr4909
git checkout pr4909
URL: https://github.com/freeipa/freeipa/pull/4923
Author: RichardKalinec
Title: #4923: Add support for app passwords
Action: opened
PR body:
"""
Users will be able to have additional passwords besides the primary one - app passwords. They will be usable for accessing all systems and services that their FreeIPA account is used for, but not to manage the account (including configuring the app passwords).
Resolves: https://pagure.io/freeipa/issue/4510
Design page and its discussion: https://github.com/freeipa/freeipa/pull/4061
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4923/head:pr4923
git checkout pr4923
URL: https://github.com/freeipa/freeipa/pull/4061
Author: RichardKalinec
Title: #4061: doc/designs: Add a design page for application-specific passwords
Action: opened
PR body:
"""
This design page describes a new enhancement: application-specific
passwords and permissions management for them. Users will be able to
have additional passwords besides the primary one, and set permissions
for them specifying which systems and services each
application-specific password will have access to. Application-specific
passwords will also be usable with other authentication mechanisms
incorporating passwords, namely otp, radius and hardened. They will
also be supported by ipa-kdb for Kerberos authentication.
https://pagure.io/freeipa/issue/4510
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4061/head:pr4061
git checkout pr4061
URL: https://github.com/freeipa/freeipa/pull/3275
Author: marcus2376
Title: #3275: Issue 7975 - Accept 389-ds JSON replication status messages
Action: opened
PR body:
"""
Description:
389-ds now stores a replication agreement status message in a JSON string in a new attribute:
replicaLastInitStatusJSON
replicaLastUpdateStatusJSON
The original status attributes' values are not changing at this time, but there are plans to do so eventually as the old status format is confusing.
http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html
https://pagure.io/freeipa/issue/7975
Reviewed by: ?
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3275/head:pr3275
git checkout pr3275
URL: https://github.com/freeipa/freeipa/pull/3774
Author: stanislavlevin
Title: #3774: [DNSSEC] WIP Allow using of a custom OpenSSL engine for BIND
Action: opened
PR body:
"""
For now Debian, Fedora, RHEL, etc. build BIND with 'native PKCS11'
support. Till recently, that was the strict requirement of DNSSEC.
The problem is that this restricts cross-platform features of FreeIPA.
With the help of libp11, which provides `pkcs11` engine plugin for
the OpenSSL library for accessing PKCS11 modules in a semi-
transparent way, FreeIPA could utilize OpenSSL version of BIND.
BIND in turn provides ability to specify the OpenSSL engine on the
command line of `named` and all the BIND `dnssec-*` tools by using
the `-E engine_name`.
Currently, this PR implements just an abstract ability.
Actual configuration and test results can be seen in my fork's Azure Pipelines:
https://dev.azure.com/slev0400/slev/_build/results?buildId=627&view=logs&j=…
Related: https://pagure.io/freeipa/issue/8094
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3774/head:pr3774
git checkout pr3774
URL: https://github.com/freeipa/freeipa/pull/4883
Author: menonsudhir
Title: #4883: ipatests: Tests for ipahealthcheck tool with IPA external CA
Action: opened
PR body:
"""
This testsuite checks whether the healthcheck tool reports correct status in a scenario when IPA server is set up with
an external self-signed CA. Below are the checks covered.
IPACRLManagerCheck
IPACertmongerCA
IPAOpenSSLChainValidation
IPANSSChainValidation
IPARAAgent
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4883/head:pr4883
git checkout pr4883
URL: https://github.com/freeipa/freeipa/pull/4970
Author: fcami
Title: #4970: ipatests: test_epn: enhance CLI testing
Action: opened
PR body:
"""
Enhance test_EPN_nbdays so that it checks:
* that no emails get sent when using --dry-run
* that --from-nbdays implies --dry-run
* that --to-nbdays requires --from-nbdays
Signed-off-by: François Cami <fcami(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4970/head:pr4970
git checkout pr4970
URL: https://github.com/freeipa/freeipa/pull/4895
Author: rcritten
Title: #4895: Simplify and make more reliable the server and client installation checks
Action: opened
PR body:
"""
Rather than relying on file existence and whether the installer backed up files, actually set a value when the installation is complete for the client and server and use that.
For the server this can be reliable moving forward because we can detect the missing state and fix it on upgrades. On the client we're stuck so use it but leave the old method as a fallback. Also remove the requirement to pass in the filestore to the client check as that makes it more complex as a fact.
Both can be checked fairly easily with:
```
python -c 'from ipaclient.install.client import is_ipa_client_installed; print ("%s" % is_ipa_client_installed())'
python -c 'from ipaserver.install.installutils import is_ipa_configured; print("%s" % is_ipa_configured())'
```
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4895/head:pr4895
git checkout pr4895
URL: https://github.com/freeipa/freeipa/pull/4969
Author: marcus2376
Title: #4969: Issue 8407 - Support changelog integration into main database
Action: opened
PR body:
"""
Description: Add support for both the old and new replication changelogs.
First try to get and update the new entry, if it's not found
then we know we need to update the old global changelog entry.
https://pagure.io/freeipa/issue/8407
Reviewed by: ?
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4969/head:pr4969
git checkout pr4969