freeipa.git, branch ad-work

Gain information from AD

2013-07-18T14:16:49+00:00

Bump version of sssd in spec file

2013-07-18T14:16:49+00:00

https://fedorahosted.org/freeipa/ticket/3652

Add 'ipa_server_mode' option to SSSD configuration

2013-07-18T14:16:49+00:00

https://fedorahosted.org/freeipa/ticket/3652

WIP: reinit mspac on HTTP TGT acquisition to aid trust-add case

2013-07-18T14:16:49+00:00

ipa-kdb: cache KDC hostname on startup

2013-07-18T14:16:48+00:00

We need KDC hostname for several purposes:
- short-circuit detection of principals on the same server as KDC
- generating NetBIOS name

Make sure we cache hostname information on startup and use it
instead of detecting the hostname in run-time. This will miss the
case that KDC hostname got changed but such cases are not supported
anyway without restarting KDC and making changes to principals.

ipa-adtrust-install: configure compatibility tree to serve trusted domain users

2013-07-18T07:56:37+00:00

Enables  support  for  trusted  domains  users  for old clients through Schema
Compatibility plugin.  SSSD supports trusted domains natively starting with
version 1.9 platform. For platforms that lack SSSD or run older SSSD version
one needs  to  use  this  option.  When  enabled, slapi-nis  package  needs  to
be  installed  and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and
groups will be available under  cn=users,cn=compat,$SUFFIX  and
cn=groups,cn=compat,$SUFFIX trees.  SSSD will normalize names of users and
groups to lower case.

In  addition  to  providing  these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with DN
under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.

This authentication  is related to  PAM  stack  using  'system-auth' PAM
service. If you have disabled HBAC rule 'allow_all', then make sure there is
special service called 'system-auth' created and HBAC rule to allow access to
anyone to this rule on IPA masters is added. Please note that system-auth PAM
service is  not used directly by any other application, therefore it is safe to
create one specifically to support trusted domain users via compatibility path.

https://fedorahosted.org/freeipa/ticket/3567

Hide sensitive attributes in LDAP updater logging and output

2013-07-18T07:49:43+00:00

The LDAP updater prints the initial and final states of an entry, as well
as details on the changes made to attributes. This has the potential to
expose sensitive values so exclude those from logging.

https://fedorahosted.org/freeipa/ticket/3782

Add Camellia ciphers to allowed list.

2013-07-18T07:49:38+00:00

https://fedorahosted.org/freeipa/ticket/3749

Require new selinux-policy replacing old server-selinux subpackage

2013-07-17T14:21:14+00:00

Features of the new policy:
- labels /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t which is
  writeable by PKI and readable by HTTPD
- contains Conflicts with old freeipa-server-selinux package to avoid
  SELinux upgrade issues

https://fedorahosted.org/freeipa/ticket/3788

Run gpg-agent explicitly when encrypting/decrypting files.

2013-07-17T14:15:15+00:00

Also add an option to ipautil.run to redirect command output to /dev/null.

https://fedorahosted.org/freeipa/ticket/3767