URL: https://github.com/freeipa/freeipa/pull/4909
Author: fcami
Title: #4909: Add unauthenticated nsupdate
Action: opened
PR body:
"""
ipa-client-install: update sssd.conf if nsupdate requires -g
If dynamic DNS updates are selected, sssd will use GSS-TSIG
by default for nsupdate.
When ipa-client-install notices that plain nsupdate is required,
switch sssd to use no authentication for dynamic updates too.
Fixes: https://pagure.io/freeipa/issue/8402
+
ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)
ipa-client-install invokes nsupdate with GSS-TSIG at client
enrollment time. If that fails, no retry is done.
Change that behavior to try again without GSS-TSIG.
Fixes: https://pagure.io/freeipa/issue/8402
####
This is purely WIP:
- it needs a proper test
- there are more nsupdate calls that should be adapted.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4909/head:pr4909
git checkout pr4909
URL: https://github.com/freeipa/freeipa/pull/4923
Author: RichardKalinec
Title: #4923: Add support for app passwords
Action: opened
PR body:
"""
Users will be able to have additional passwords besides the primary one - app passwords. They will be usable for accessing all systems and services that his/her FreeIPA account is used for, but not to manage the account (including configuring the app passwords).
Resolves: https://pagure.io/freeipa/issue/4510
Design page and its discussion: https://github.com/freeipa/freeipa/pull/4061
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4923/head:pr4923
git checkout pr4923
URL: https://github.com/freeipa/freeipa/pull/4061
Author: RichardKalinec
Title: #4061: doc/designs: Add a design page for application-specific passwords
Action: opened
PR body:
"""
This design page describes a new enhancement: application-specific
passwords and permissions management for them. Users will be able to
have additional passwords besides the primary one, and set permissions
for them specifying what systems and services will each
application-specific password have access to. Application-specific
passwords will also be usable with other authentication mechanisms
incorporating passwords, namely otp, radius and hardened. They will
also be supported by ipa-kdb for Kerberos authentication.
https://pagure.io/freeipa/issue/4510
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4061/head:pr4061
git checkout pr4061
URL: https://github.com/freeipa/freeipa/pull/5071
Author: fcami
Title: #5071: 389-DS BDB: switch deadlock behavior to DB_LOCK_MINWRITE
Action: opened
PR body:
"""
Some IPA updates are expensive in terms of processing and #page hit.
The likelihood to generate a DS Berkeley DB database deadlock can be high
for some common operations.
When a deadlock is detected one deadlocking thread needs to be
rejected to let the other(s) complete.
DB_LOCK_YOUNGEST (9) is the DS default: it means the most recent operation
fails in favor of the oldest one.
DB_LOCK_MINWRITE (6) means the reader(s) are rejected in favor
of the writers even if the reader(s) are older.
Switch the default for FreeIPA to DB_LOCK_MINWRITE for new installs and
also existing installs at update time.
This depends on the backend redesign (https://pagure.io/389-ds-base/issue/49476)
and therefore is valid on 389-DS 1.4.2.3 and higher.
Explanation provided by Thierry Bordaz.
Fixes: https://pagure.io/freeipa/issue/8479
Signed-off-by: François Cami <fcami(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5071/head:pr5071
git checkout pr5071
URL: https://github.com/freeipa/freeipa/pull/3275
Author: marcus2376
Title: #3275: Issue 7975 - Accept 389-ds JSON replication status messages
Action: opened
PR body:
"""
Description:
389-ds now stores a replication agreement status message in a JSON string in a new attribute:
replicaLastInitStatusJSON
replicaLastUpdateStatusJSON
The original status attributes' values are not changing at this time, but there are plans to do so eventually as the old status format is confusing.
http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html
https://pagure.io/freeipa/issue/7975
Reviewed by: ?
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3275/head:pr3275
git checkout pr3275
URL: https://github.com/freeipa/freeipa/pull/5055
Author: rebeccc
Title: #5055: Add krbtpolicy for jittered lifetime
Action: opened
PR body:
"""
Continuation of #5029
This KDC extension will create a jittered lifetime for services with a lifetime greater than 60 minutes. The lifetime will be set to a random number between max_life - 60 minutes and max_life.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5055/head:pr5055
git checkout pr5055
URL: https://github.com/freeipa/freeipa/pull/5039
Author: cipherboy
Title: #5039: Add dependency on pki-acme
Action: opened
PR body:
"""
With the merging of #4723, pki-acme should be added as a dependency of
IPA. Note that this is only necessary on PKI >= 10.10 and shouldn't be
backported to RHEL 8.3 as the subpackage doesn't exist there.
Related: https://github.com/dogtagpki/pki/pull/513
`Signed-off-by: Alexander Scheel <ascheel(a)redhat.com>`
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5039/head:pr5039
git checkout pr5039
URL: https://github.com/freeipa/freeipa/pull/5067
Author: rcritten
Title: #5067: Require at least 2Gb of available RAM to install the server
Action: opened
PR body:
"""
Require at least 2Gb of available RAM to install the server
Verify that there is at least 2Gb of usable RAM on the system. Swap
is not considered. While swap would allow a user to minimally install
IPA it would not be a great experience.
Using any proc-based method to check for available RAM does not
work in containers unless /proc is re-mounted so use cgroups
instead. This also handles the case if the container has memory
constraints on it (-m).
Add a switch to skip this memory test if the user is sure they
know what they are doing.
https://pagure.io/freeipa/issue/8404
NOTE: I'm not aware of a pythonic "is this in a container" so I rolled my own.
IPA is actually installable, with a CA in < 2GB of RAM but things are very tight
and the end result isn't all that useful. 2GB should be considered the absolute
minimum. This is not including swap.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5067/head:pr5067
git checkout pr5067
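Added example, not code from PR #5067 or from FreeIPA: one way to do the memory check the PR body describes, taking the tighter of the cgroup limit and `/proc/meminfo` so that a container memory constraint (`-m`) is honoured. The function names, the `skip` parameter and reading "2Gb" as 2 GiB are assumptions; the cgroup file names are the standard v2 and v1 ones.

```python
import os

MIN_BYTES = 2 * 1024 ** 3  # assumption: the PR's "2Gb" read as 2 GiB

# (limit file, usage file) relative to the cgroup mount, v2 first, then v1.
CGROUP_FILES = (
    ("memory.max", "memory.current"),
    ("memory/memory.limit_in_bytes", "memory/memory.usage_in_bytes"),
)


def _read_int(path):
    """Integer stored in path; None if absent or 'max' (v2: no limit)."""
    try:
        with open(path) as f:
            value = f.read().strip()
    except OSError:
        return None
    return int(value) if value.isdigit() else None


def cgroup_available(root="/sys/fs/cgroup"):
    """Bytes left under the cgroup memory limit, or None if no limit is readable."""
    for limit_name, usage_name in CGROUP_FILES:
        limit = _read_int(os.path.join(root, limit_name))
        usage = _read_int(os.path.join(root, usage_name))
        if limit is not None and usage is not None:
            return max(limit - usage, 0)
    return None


def meminfo_available(path="/proc/meminfo"):
    """MemAvailable in bytes; per the PR, not reliable inside a container."""
    with open(path) as f:
        for line in f:
            if line.startswith("MemAvailable:"):
                return int(line.split()[1]) * 1024
    return None


def check_available_memory(root="/sys/fs/cgroup", meminfo="/proc/meminfo", skip=False):
    """True if the tighter of the cgroup and /proc figures is at least MIN_BYTES."""
    if skip:  # hypothetical stand-in for the PR's skip switch
        return True
    seen = [v for v in (cgroup_available(root), meminfo_available(meminfo)) if v is not None]
    if not seen:
        raise RuntimeError("cannot determine available memory")
    return min(seen) >= MIN_BYTES
```

On cgroup v1 an unconstrained group reports a very large limit, so the `min()` falls back to the `/proc/meminfo` figure there.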
URL: https://github.com/freeipa/freeipa/pull/5070
Author: stanislavlevin
Title: #5070: DNSResolver: Make use of `resolve_address` of a current resolver instead of the global one
Action: opened
PR body:
"""
For now, `resolve_address` for `dnspython` < 2.0.0 is actually the instance method of the global DNSResolver object and is not the instance method of the corresponding object from which it was called. This can result in unexpected behavior.
Signed-off-by: Stanislav Levin <slev(a)altlinux.org>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5070/head:pr5070
git checkout pr5070
URL: https://github.com/freeipa/freeipa/pull/5069
Author: stanislavlevin
Title: #5069: [Backport][ipa-4-8] [Azure] Add rawhide definitions
Action: opened
PR body:
"""
This PR was opened manually because PR #5047 was pushed to master and backport to `ipa-4-8` is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5069/head:pr5069
git checkout pr5069