freeipa.git/API.txt, branch oneway-trust FreeIPA project trusts: add support for one-way trust and switch to it by default 2015-07-07T08:09:03+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-06-05T12:57:02+00:00 3d975c104be2bd68df53617bc82883aa1a001833 One-way trust is the default now, use 'trust add --two-way ' to force bidirectional trust https://fedorahosted.org/freeipa/ticket/4959 In case of one-way trust we cannot authenticate using cross-realm TGT against an AD DC. We have to use trusted domain object from within AD domain and access to this object is limited to avoid compromising the whole trust configuration. Instead, IPA framework can call out to oddjob daemon and ask it to run the script which can have access to the TDO object. This script (com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal to retrieve TDO object credentials from IPA LDAP if needed and then authenticate against AD DCs using the TDO object credentials. The script pulls the trust topology out of AD DCs and updates IPA LDAP store. Then IPA framework can pick the updated data from the IPA LDAP under normal access conditions. Part of https://fedorahosted.org/freeipa/ticket/4546 
One-way trust is the default now, use 'trust add --two-way ' to
force bidirectional trust

https://fedorahosted.org/freeipa/ticket/4959

In case of one-way trust we cannot authenticate using cross-realm TGT
against an AD DC. We have to use trusted domain object from within AD
domain and access to this object is limited to avoid compromising the whole
trust configuration.

Instead, IPA framework can call out to oddjob daemon and ask it to
run the script which can have access to the TDO object. This script
(com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal
to retrieve TDO object credentials from IPA LDAP if needed and then
authenticate against AD DCs using the TDO object credentials.

The script pulls the trust topology out of AD DCs and updates IPA LDAP
store. Then IPA framework can pick the updated data from the IPA LDAP
under normal access conditions.

Part of https://fedorahosted.org/freeipa/ticket/4546
trusts: pass AD DC hostname if specified explicitly 2015-07-07T08:05:48+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-05-28T11:49:58+00:00 4a856d8ff597ec516cc1eb05f06e062bb4ecca5b Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047 
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047
new commands to manage user/host/service certificates 2015-07-02T14:43:44+00:00 Martin Babinsky mbabinsk@redhat.com 2015-06-23T11:42:01+00:00 76eea85701af80dc972c47e14aecc7a688b9c846 A new group of commands is introduced that simplifies adding and removing binary certificates to entries. A general form of the command is ipa [user/host/service]-[add/remove]-cert [pkey] --certificate=[BASE64 BLOB] Part of http://www.freeipa.org/page/V4/User_Certificates and https://fedorahosted.org/freeipa/ticket/4238 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
A new group of commands is introduced that simplifies adding and removing
binary certificates to entries. A general form of the command is

ipa [user/host/service]-[add/remove]-cert [pkey] --certificate=[BASE64 BLOB]

Part of http://www.freeipa.org/page/V4/User_Certificates and
https://fedorahosted.org/freeipa/ticket/4238

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
idviews: Fallback to AD DC LDAP only if specifically allowed 2015-07-02T11:23:21+00:00 Tomas Babej tbabej@redhat.com 2015-04-29T06:16:13+00:00 646253044028b86291430680981a40bef2bff1e6 https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4524

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Verify replication topology for a suffix 2015-06-29T15:11:53+00:00 Petr Vobornik pvoborni@redhat.com 2015-06-17T11:50:32+00:00 5397150979a474f6df82e6df5287e1cc678a3479 Checks done: 1. check if the topology is not disconnected. In other words if there are replication paths between all servers. 2. check if servers don't have more than a recommended number of replication agreements(4) https://fedorahosted.org/freeipa/ticket/4302 Reviewed-By: David Kupka <dkupka@redhat.com> 
Checks done:
  1. check if the topology is not disconnected. In other words if
     there are replication paths between all servers.
  2. check if servers don't have more than a recommended number of
     replication agreements(4)

https://fedorahosted.org/freeipa/ticket/4302

Reviewed-By: David Kupka <dkupka@redhat.com>
User life cycle: change user-del flags to be CLI-specific 2015-06-18T13:48:53+00:00 Jan Cholasta jcholast@redhat.com 2015-06-18T07:20:27+00:00 1d608251383e4842b89c941a76dbd13529558f42 Rename --permanently to --no-preserve. https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
Rename --permanently to --no-preserve.

https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
User life cycle: provide preserved user virtual attribute 2015-06-15T14:13:22+00:00 Jan Cholasta jcholast@redhat.com 2015-05-20T08:12:07+00:00 69607250b9762a6c9b657dd31653b03d54a7b411 https://fedorahosted.org/freeipa/ticket/3813 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
server: add "del" command 2015-06-15T14:06:48+00:00 Petr Vobornik pvoborni@redhat.com 2015-06-11T13:38:32+00:00 d58bdf29a514a7868c63b767f4954891b10a574d this command is internal and is supposed to be used by ipa-replica-managed to delete replica. Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
this command is internal and is supposed to be used by ipa-replica-managed to
delete replica.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
topology: restrict direction changes 2015-06-15T07:38:46+00:00 Petr Vobornik pvoborni@redhat.com 2015-06-10T12:44:09+00:00 6b153ba876edf1ed9249ed29420a4af2b2e1830d topology plugin doesn't properly handle: - creation of segment with direction 'none' and then upgrade to other direction - downgrade of direction These situations are now forbidden in API. part of: https://fedorahosted.org/freeipa/ticket/4302 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
topology plugin doesn't properly handle:
- creation of segment with direction 'none' and then upgrade to other
  direction
- downgrade of direction

These situations are now forbidden in API.

part of: https://fedorahosted.org/freeipa/ticket/4302

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
disallow mod of topology segment nodes 2015-06-11T11:39:09+00:00 Petr Vobornik pvoborni@redhat.com 2015-06-10T13:03:44+00:00 5089dde2cdbe22cabdbf74f325711ea5dcc22490 Mod of segment end will be disallowed in topology plugin. Reasoning (by Ludwig): if we want to properly allow mods to change connectivity and endpoints, then we would need to check if the mod disconnects the topology, delete existing agreements, check if the new would be a duplicate and create new agmts. There could be some difficult scenarios, like having A <--> B <--> C <--> D, if you modify the segment B-C to A-D topology breaks and is then reconnected. part of: https://fedorahosted.org/freeipa/ticket/4302 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Mod of segment end will be disallowed in topology plugin.

Reasoning (by Ludwig):  if we want to properly allow mods to change
connectivity and endpoints, then we would need to check if the mod
disconnects the topology, delete existing agreements, check if the new
would be a duplicate and create new agmts. There could be some difficult
scenarios, like having
  A <--> B <--> C <--> D,
if you modify the segment B-C to A-D topology breaks and is then
reconnected.

part of: https://fedorahosted.org/freeipa/ticket/4302

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>