| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The refsect id was copied from sssd.conf(5) and was wrong. Fixing the
refsect might help us if we ever generate other formats from XML and
certainly wouldn't hurt.
|
|
|
|
This option got already deprecated on the ipa server side.
Option is undocumented and warning is printed both to the sssd log files
and syslog.
Resolves:
https://fedorahosted.org/sssd/ticket/1918
|
|
Resolves:
https://fedorahosted.org/sssd/ticket/1187
|
|
|
|
https://fedorahosted.org/sssd/ticket/1993
SSSD needs to know that it is running on an IPA server and should not
look up trusted users and groups with the help of the extdom plugin
but do the lookups on its own. For this a new boolean configuration
option, is introduced which defaults to false but is set to true during
ipa-server-install or during updates of the FreeIPA server if it is not
already set.
|
|
https://fedorahosted.org/sssd/ticket/1924
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/1831
Adds a new option that can be used to force nsupdate to only use TCP to
communicate with the DNS server.
|
|
https://fedorahosted.org/sssd/ticket/1832
While some servers, such as FreeIPA allow the PTR record to be
synchronized when the forward record is updated, other servers,
including Active Directory, require that the PTR record is synchronized
manually.
This patch adds a new option, dyndns_update_ptr that automatically
generates appropriate DNS update message for updating the reverse zone.
This option is off by default in the IPA provider.
Also renames be_nsupdate_create_msg to be_nsupdate_create_fwd_msg
|
|
This new options adds the possibility of updating the DNS entries
periodically regardless if they have changed or not. This feature
will be useful mainly in AD environments where the Windows clients
periodically update their DNS records.
|
|
This patch introduces new options for dynamic DNS updates that are not
specific to any back end. The current ipa dyndns options are still
usable, just with a deprecation warning.
|
|
https://fedorahosted.org/sssd/ticket/1032
|
|
|
|
Option ipa_selinux_refresh is added to basic ipa options.
|
|
To make configuration easier the IPA subdomain provider should be always
loaded if the IPA ID provider is configured and the subdomain provider
is not explicitly disabled. But to avoid the overhead of regular
subdomain requests in setups where no subdomains are used the IPA
subdomain provider should behave differently if configured explicit or
implicit.
If the IPA subdomain provider is configured explicitly, i.e.
'subdomains_provider = ipa' can be found in the domain section of
sssd.conf subdomain request are always send to the server if needed.
If it is configured implicitly and a request to the server fails
with an indication that the server currently does not support subdomains
at all, e.g. is not configured to handle trust relationships, a new
request will be only send to the server after a long timeout or after
a going-online event.
To be able to make this distinction this patch save the configuration
status to the subdomain context.
Fixes https://fedorahosted.org/sssd/ticket/1613
|
|
Since the PAC responder is used during the authentication of users from
trusted realms it is started automatically if the IPA ID provider is
configured for a domain to simplify the configuration.
Fixes https://fedorahosted.org/sssd/ticket/1613
|
|
|
|
https://fedorahosted.org/sssd/ticket/1563
|
|
|
|
This patch adds support for new config option ipa_backup_server. The
description of this option's functionality is included in man page in
one of previous patches.
|
|
|
|
The query is performed only if there is missing information in the
cache. That means this should be done only once after restart when cache
doesn't exist. All subsequent requests for subdomains won't include the
request for master domain.
|
|
|
|
|
|
|
|
|
|
For older platforms, do not add the 'realm' line in
the update message
|
|
Also add comment that setting ipa_hbac_support_srchost to False disables
search filters given in ipa_host_search_base
|
|
don't fetch all host groups if this option is false
https://fedorahosted.org/sssd/ticket/1078
|
|
|
|
|
|
https://fedorahosted.org/sssd/ticket/957
|
|
https://fedorahosted.org/sssd/ticket/1024
|
|
By default, we will treat the presence of any DENY rule as denying
all users. This option will allow the admin to explicitly ignore
DENY rules during a transitional period.
|
|
This option describes the time between refreshes of the HBAC rules
on the IPA server.
|
|
https://fedorahosted.org/sssd/ticket/807
|
|
|
|
Each back end can support id, auth or access provider, but each
back end supports different subset of these. Man pages should
describe which providers are supported by each back end.
Ticket: #615
|
|
This adds two new options:
ipa_dyndns_update: Boolean value to select whether this client
should automatically update its IP address in FreeIPA DNS.
ipa_dyndns_iface: Choose an interface manually to use for
updating dynamic DNS. Default is to use the interface associated
with the LDAP connection to FreeIPA.
This patch supports A and AAAA records. It relies on the presence
of the nsupdate tool from the bind-utils package to perform the
actual update step. The location of this utility is set at build
time, but its availability is determined at runtime (so clients
that do not require dynamic update capability do not need to meet
this dependency).
|
|
This reverts commit 973b7c27c0b294b8b2f120296f64c6a3a36e44b7.
While this patch applied cleanly, it was uncompilable. Reverting
until it can be properly merged.
|
|
This adds two new options:
ipa_dyndns_update: Boolean value to select whether this client
should automatically update its IP address in FreeIPA DNS.
ipa_dyndns_iface: Choose an interface manually to use for
updating dynamic DNS. Default is to use the interface associated
with the LDAP connection to FreeIPA.
This patch supports A and AAAA records. It relies on the presence
of the nsupdate tool from the bind-utils package to perform the
actual update step. The location of this utility is set at build
time, but its availability is determined at runtime (so clients
that do not require dynamic update capability do not need to meet
this dependency).
|
|
Integrate the failover improvements with our back ends. The DNS domain
used in the SRV query is always the SSSD domain name.
Please note that this patch changes the default value of ldap_uri from
"ldap://localhost" to "NULL" in order to use service discovery with no
server set.
|
|
Also update BUILD.txt
|
