freeipa.git/install, branch oneway-trust FreeIPA project trust: support retrieving POSIX IDs with one-way trust during trust-add 2015-07-07T08:09:03+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-07-06T14:46:24+00:00 52e2ec266a293891819682487e37644ffcf11e4a With one-way trust we cannot rely on cross-realm TGT as there will be none. Thus, if we have AD administrator credentials we should reuse them. Additionally, such use should be done over Kerberos. Fixes: https://fedorahosted.org/freeipa/ticket/4960 https://fedorahosted.org/freeipa/ticket/4959 
With one-way trust we cannot rely on cross-realm TGT as there will be none.
Thus, if we have AD administrator credentials we should reuse them.
Additionally, such use should be done over Kerberos.

Fixes:
 https://fedorahosted.org/freeipa/ticket/4960
 https://fedorahosted.org/freeipa/ticket/4959
trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs 2015-07-07T08:09:03+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-06-05T17:56:12+00:00 a985b1792325e24584b2a0af27d88a494ef9c513 Part of https://fedorahosted.org/freeipa/ticket/4959 
Part of https://fedorahosted.org/freeipa/ticket/4959
trusts: add support for one-way trust and switch to it by default 2015-07-07T08:09:03+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-06-05T12:57:02+00:00 3d975c104be2bd68df53617bc82883aa1a001833 One-way trust is the default now, use 'trust add --two-way ' to force bidirectional trust https://fedorahosted.org/freeipa/ticket/4959 In case of one-way trust we cannot authenticate using cross-realm TGT against an AD DC. We have to use trusted domain object from within AD domain and access to this object is limited to avoid compromising the whole trust configuration. Instead, IPA framework can call out to oddjob daemon and ask it to run the script which can have access to the TDO object. This script (com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal to retrieve TDO object credentials from IPA LDAP if needed and then authenticate against AD DCs using the TDO object credentials. The script pulls the trust topology out of AD DCs and updates IPA LDAP store. Then IPA framework can pick the updated data from the IPA LDAP under normal access conditions. Part of https://fedorahosted.org/freeipa/ticket/4546 
One-way trust is the default now, use 'trust add --two-way ' to
force bidirectional trust

https://fedorahosted.org/freeipa/ticket/4959

In case of one-way trust we cannot authenticate using cross-realm TGT
against an AD DC. We have to use trusted domain object from within AD
domain and access to this object is limited to avoid compromising the whole
trust configuration.

Instead, IPA framework can call out to oddjob daemon and ask it to
run the script which can have access to the TDO object. This script
(com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal
to retrieve TDO object credentials from IPA LDAP if needed and then
authenticate against AD DCs using the TDO object credentials.

The script pulls the trust topology out of AD DCs and updates IPA LDAP
store. Then IPA framework can pick the updated data from the IPA LDAP
under normal access conditions.

Part of https://fedorahosted.org/freeipa/ticket/4546
ipa-adtrust-install: allow configuring of trust agents 2015-07-07T08:05:48+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-06-04T21:29:36+00:00 65422777e6721bcf7708805f001eb39016495830 Trust agents are IPA master without Samba which can serve information about users from trusted forests. Such IPA masters cannot be used to configure trust but they can resolve AD users and groups for IPA clients enrolled to them. Since support from both FreeIPA and SSSD is needed to enable trust agent support, we currently only consider those IPA masters which have been upgraded to FreeIPA 4.2 or later. Part of https://fedorahosted.org/freeipa/ticket/4951 
Trust agents are IPA master without Samba which can serve
information about users from trusted forests. Such IPA masters
cannot be used to configure trust but they can resolve AD users and groups
for IPA clients enrolled to them.

Since support from both FreeIPA and SSSD is needed to enable
trust agent support, we currently only consider those IPA masters
which have been upgraded to FreeIPA 4.2 or later.

Part of https://fedorahosted.org/freeipa/ticket/4951
DNSSEC: Detect attempt to install & disable master at the same time. 2015-07-07T06:37:15+00:00 Petr Spacek pspacek@redhat.com 2015-06-30T20:05:44+00:00 8ee975b276d0728130a148b01f9bfc0b77524ae0 https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Petr Spacek <pspacek@redhat.com>
DNSSEC: update message 2015-07-07T06:37:15+00:00 Martin Basti mbasti@redhat.com 2015-06-17T11:35:18+00:00 2e4e8d759d339ca1a6aec63230fba54c9c4e96bf https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Petr Spacek <pspacek@redhat.com>
DNSSEC: allow to disable/replace DNSSEC key master 2015-07-07T06:37:15+00:00 Martin Basti mbasti@redhat.com 2015-05-13T12:45:32+00:00 e151492560db25fa13c2a3edf5e2139dc6629047 This commit allows to replace or disable DNSSEC key master Replacing DNSSEC master requires to copy kasp.db file manually by user ipa-dns-install: --disable-dnssec-master DNSSEC master will be disabled --dnssec-master --kasp-db=FILE This configure new DNSSEC master server, kasp.db from old server is required for sucessful replacement --force Skip checks https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
This commit allows to replace or disable DNSSEC key master

Replacing DNSSEC master requires to copy kasp.db file manually by user

ipa-dns-install:
--disable-dnssec-master  DNSSEC master will be disabled
--dnssec-master --kasp-db=FILE  This configure new DNSSEC master server,  kasp.db from old server is required for sucessful replacement
--force Skip checks

https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Petr Spacek <pspacek@redhat.com>
webui: add mangedby tab to otptoken 2015-07-07T03:51:28+00:00 Petr Vobornik pvoborni@redhat.com 2015-07-01T16:50:47+00:00 b258bcee8337063259aa38b4387b9bb5721fb380 Added managedby_user tab to manage users who can manage the token. https://fedorahosted.org/freeipa/ticket/5003 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Added managedby_user tab to manage users who can manage the token.

https://fedorahosted.org/freeipa/ticket/5003

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
webui: API browser 2015-07-03T08:42:16+00:00 Petr Vobornik pvoborni@redhat.com 2015-06-05T17:03:46+00:00 2a976334c2160c91a61fb0c477777e7adbbd3150 First part of API browser - displaying metadata in more consumable way. https://fedorahosted.org/freeipa/ticket/3129 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com> 
First part of API browser - displaying metadata in more consumable way.

https://fedorahosted.org/freeipa/ticket/3129

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
webui: menu and navigation fixes 2015-07-03T08:42:16+00:00 Petr Vobornik pvoborni@redhat.com 2015-06-26T08:34:37+00:00 392809f9847eee21c8022f53153463033cd53966 fixes: 1. When navigation is initiated from clicking and a link with hash, update of facet state causes that subsequent click on a link with hash will be ignored. Caused by a code which prevents infinite loop because of facet state update. Now hash update is done only if it was really changed. 2. registered correct handler for standalone pages 3. fix selection of menu item where the items differ only in args. Chooses the item with the most similar state to current facet. https://fedorahosted.org/freeipa/ticket/3129 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com> 
fixes:

1. When navigation is initiated from clicking and a link with hash, update
of facet state causes that subsequent click on a link with hash will be
ignored. Caused by a code which prevents infinite loop because of facet
state update. Now hash update is done only if it was really changed.

2. registered correct handler for standalone pages

3. fix selection of menu item where the items differ only in args. Chooses
the item with the most similar state to current facet.

https://fedorahosted.org/freeipa/ticket/3129

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>