URL: https://github.com/freeipa/freeipa/pull/4909
Author: fcami
Title: #4909: Add unauthenticated nsupdate
Action: opened
PR body:
"""
ipa-client-install: update sssd.conf if nsupdate requires -g
If dynamic DNS updates are selected, sssd will use GSS-TSIG
by default for nsupdate.
When ipa-client-install notices that plain nsupdate is required,
switch sssd to use no authentication for dynamic updates too.
Fixes: https://pagure.io/freeipa/issue/8402
+
ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)
ipa-client-install invokes nsupdate with GSS-TSIG at client
enrollment time. If that fails, no retry is done.
Change that behavior to try again without GSS-TSIG.
Fixes: https://pagure.io/freeipa/issue/8402
####
This is purely WIP:
- it needs a proper test
- there are more nsupdate calls that should be adapted.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4909/head:pr4909
git checkout pr4909
URL: https://github.com/freeipa/freeipa/pull/4923
Author: RichardKalinec
Title: #4923: Add support for app passwords
Action: opened
PR body:
"""
Users will be able to have additional passwords besides the primary one - app passwords. They will be usable for accessing all systems and services that his/her FreeIPA account is used for, but not to manage the account (including configuring the app passwords).
Resolves: https://pagure.io/freeipa/issue/4510
Design page and its discussion: https://github.com/freeipa/freeipa/pull/4061
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4923/head:pr4923
git checkout pr4923
URL: https://github.com/freeipa/freeipa/pull/4061
Author: RichardKalinec
Title: #4061: doc/designs: Add a design page for application-specific passwords
Action: opened
PR body:
"""
This design page describes a new enhancement: application-specific
passwords and permissions management for them. Users will be able to
have additional passwords besides the primary one, and set permissions
for them specifying what systems and services will each
application-specific password have access to. Application-specific
passwords will also be usable with other authentication mechanisms
incorporating passwords, namely otp, radius and hardened. They will
also be supported by ipa-kdb for Kerberos authentication.
https://pagure.io/freeipa/issue/4510
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4061/head:pr4061
git checkout pr4061
URL: https://github.com/freeipa/freeipa/pull/5071
Author: fcami
Title: #5071: 389-DS BDB: switch deadlock behavior to DB_LOCK_MINWRITE
Action: opened
PR body:
"""
Some IPA updates are expensive in terms of processing and number of page hits.
The likelihood of generating a DS Berkeley DB database deadlock can be high
for some common operations.
When a deadlock is detected one deadlocking thread needs to be
rejected to let the other(s) complete.
DB_LOCK_YOUNGEST (9) is the DS default: it means the most recent operation
fails in favor of the oldest one.
DB_LOCK_MINWRITE (6) means the reader(s) are rejected in favor
of the writers even if the reader(s) are older.
Switch the default for FreeIPA to DB_LOCK_MINWRITE for new installs and
also existing installs at update time.
This depends on the backend redesign (https://pagure.io/389-ds-base/issue/49476)
and therefore is valid on 389-DS 1.4.2.3 and higher.
Explanation provided by Thierry Bordaz.
Fixes: https://pagure.io/freeipa/issue/8479
Signed-off-by: François Cami <fcami(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5071/head:pr5071
git checkout pr5071
URL: https://github.com/freeipa/freeipa/pull/3275
Author: marcus2376
Title: #3275: Issue 7975 - Accept 389-ds JSON replication status messages
Action: opened
PR body:
"""
Description:
389-ds now stores a replication agreement status message in a JSON string in a new attribute:
replicaLastInitStatusJSON
replicaLastUpdateStatusJSON
The original status attributes' values are not changing at this time, but there are plans to do so eventually as the old status format is confusing.
http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html
https://pagure.io/freeipa/issue/7975
Reviewed by: ?
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3275/head:pr3275
git checkout pr3275
URL: https://github.com/freeipa/freeipa/pull/5147
Author: mrizwan93
Title: #5147: External-CA scenarios for ACME service
Action: opened
PR body:
"""
Inherits the TestACME class, overriding install()
to install the IPA master with an external CA. It will
set up the external CA and call all the test
methods from the TestACME class.
related: https://pagure.io/freeipa/issue/4751
Signed-off-by: Mohammad Rizwan <myusuf(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5147/head:pr5147
git checkout pr5147
URL: https://github.com/freeipa/freeipa/pull/5119
Author: rcritten
Title: #5119: Require an ipa-ca SAN on 3rd party certs if ACME is enabled
Action: opened
PR body:
"""
Require an ipa-ca SAN on 3rd party certs if ACME is enabled
ACME requires an ipa-ca SAN to have a fixed URL to connect to.
If the Apache certificate is replaced by a 3rd party cert then
it must provide this SAN otherwise it will break ACME.
Add a status option to ipa-acme-manage.
https://pagure.io/freeipa/issue/8498
Marking as ipa-next since I'm not sure yet if ACME is going to be backported to ipa-4-8.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5119/head:pr5119
git checkout pr5119
URL: https://github.com/freeipa/freeipa/pull/5107
Author: tiran
Title: #5107: [Container] Unify access to FQDN
Action: opened
PR body:
"""
FreeIPA's Python and C code used different approaches to get the FQDN of
the host. Some places assumed that gethostname() returns a FQDN. Other
code paths used glibc's resolver to resolve the current node name to a
FQDN.
Python code now uses the ipalib.constants.FQDN where a fully qualified
domain name is expected. The variable is initialized only once and avoids
potential DNS lookups.
C code uses a new helper function ipa_gethostfqdn() in the util package. The
function implements similar logic to gethostfqdn() except it uses the more
modern getaddrinfo(). The result is cached as well.
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5107/head:pr5107
git checkout pr5107
URL: https://github.com/freeipa/freeipa/pull/5160
Author: rcritten
Title: #5160: Add libpwquality checking to IPA password policy
Action: opened
PR body:
"""
This adds support for some of the libpwquality password checking features:
* palindromes (automatic)
* maximum number of repeats in a row
* maximum number of monotonic sequences (abcde, 1234, etc)
* check for username in the password
* dict check via cracklib
I attempted to retain backwards compatibility so didn't enable the character class evaluations. We could totally do this but it adds six more knobs.
I didn't enable the gecos check to avoid an nss lookup which would pass through a lot of libraries only to end up back at IPA :-)
Note that pwquality has a minimum character limit of six which is different than IPA, so a limit of six is enforced if any of the pwquality values are set.
I suspect the SELinux policy I wrote isn't awesome.
TODO: finalize the IANA attributes and objectclasses values
TODO: merge the test into another class or determine frequency to execute
TODO: I'm open to ipa-next only
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5160/head:pr5160
git checkout pr5160
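The checks listed in the PR above, as an added Python example that is neither FreeIPA's nor libpwquality's code: it re-implements the palindrome, repeat-run, monotonic-sequence and user-name checks with the six-character floor the PR mentions, and returns the reasons a candidate fails so a policy layer can report them. The cracklib dictionary check is left out (it needs the cracklib dictionary), and the default thresholds and the reversed-name check are assumptions.

```python
from typing import List

MIN_LENGTH = 6  # pwquality's floor, enforced whenever any pwquality knob is set


def is_palindrome(pw: str) -> bool:
    s = pw.lower()
    return len(s) > 1 and s == s[::-1]


def max_repeat_run(pw: str) -> int:
    """Longest run of one character repeated consecutively ('aaab' -> 3)."""
    longest = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return longest


def max_sequence_run(pw: str) -> int:
    """Longest monotonic run of adjacent code points ('abcde' -> 5, '4321' -> 4)."""
    longest = run = 1 if pw else 0
    direction = 0  # +1 ascending, -1 descending, 0 no sequence in progress
    for prev, cur in zip(pw, pw[1:]):
        step = ord(cur) - ord(prev)
        if step not in (1, -1):
            run, direction = 1, 0
        elif step == direction:
            run += 1
        else:
            run, direction = 2, step  # a new sequence starts with these two chars
        longest = max(longest, run)
    return longest


def contains_username(pw: str, username: str) -> bool:
    # Assumption: like pwquality's usercheck, match straight or reversed, case-insensitive.
    p, u = pw.lower(), username.lower()
    return bool(u) and (u in p or u[::-1] in p)


def check_password(pw: str, username: str = "", max_repeat: int = 3,
                   max_sequence: int = 4) -> List[str]:
    """Return the policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_palindrome(pw):
        problems.append("is a palindrome")
    if max_repeat and max_repeat_run(pw) > max_repeat:
        problems.append(f"more than {max_repeat} identical characters in a row")
    if max_sequence and max_sequence_run(pw) > max_sequence:
        problems.append(f"monotonic sequence longer than {max_sequence}")
    if username and contains_username(pw, username):
        problems.append("contains the user name")
    return problems
```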