Commit message (Collapse)AuthorAgeFilesLines
* Gain information from ADad-workTomas Babej2013-07-184-44/+259
* Bump version of sssd in spec fileAna Krivokapic2013-07-181-1/+4
| | | |
* Add 'ipa_server_mode' option to SSSD configurationAna Krivokapic2013-07-182-1/+14
| | | |
* WIP: reinit mspac on HTTP TGT acquisition to aid trust-add caseAlexander Bokovoy2013-07-183-6/+26
* ipa-kdb: cache KDC hostname on startupAlexander Bokovoy2013-07-183-6/+19
| | | | | | | | | | | We need KDC hostname for several purposes: - short-circuit detection of principals on the same server as KDC - generating NetBIOS name Make sure we cache hostname information on startup and use it instead of detecting the hostname in run-time. This will miss the case that KDC hostname got changed but such cases are not supported anyway without restarting KDC and making changes to principals.
* ipa-adtrust-install: configure compatibility tree to serve trusted domain usersAlexander Bokovoy2013-07-183-2/+61
| | | | | | | | | | | | | | | | | | | | | | | | | Enables support for trusted domains users for old clients through Schema Compatibility plugin. SSSD supports trusted domains natively starting with version 1.9 platform. For platforms that lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi-nis package needs to be installed and schema-compat-plugin will be configured to provide lookup of users and groups from trusted domains via SSSD on IPA server. These users and groups will be available under cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and groups to lower case. In addition to providing these users and groups through the compat tree, this option enables authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX. This authentication is related to PAM stack using 'system-auth' PAM service. If you have disabled HBAC rule 'allow_all', then make sure there is special service called 'system-auth' created and HBAC rule to allow access to anyone to this rule on IPA masters is added. Please note that system-auth PAM service is not used directly by any other application, therefore it is safe to create one specifically to support trusted domain users via compatibility path.
* Hide sensitive attributes in LDAP updater logging and outputRob Crittenden2013-07-181-19/+47
| | | | | | | | The LDAP updater prints the initial and final states of an entry, as well as details on the changes made to attributes. This has the potential to expose sensitive values so exclude those from logging.
* Add Camellia ciphers to allowed list.Rob Crittenden2013-07-183-0/+10
| | | |
* Require new selinux-policy replacing old server-selinux subpackageMartin Kosek2013-07-171-1/+5
| | | | | | | | | | Features of the new policy: - labels /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t which is writeable by PKI and readable by HTTPD - contains Conflicts with old freeipa-server-selinux package to avoid SELinux upgrade issues
* Run gpg-agent explicitly when encrypting/decrypting files.Jan Cholasta2013-07-171-7/+12
| | | | | | Also add an option to to redirect command output to /dev/null.
* Provide ipa-advise toolTomas Babej2013-07-1714-3/+382
| | | | | | | | | | | | | | Provides a pluggable framework for generating configuration scriptlets and instructions for various machine setups and use cases. Creates a new ipa-advise command, available to root user on the IPA server. Also provides an example configuration plugin, config-fedora-authconfig.
* Upstream Web UI testsPetr Vobornik2013-07-1633-0/+4026
| | | | | | Documentation:
* Fix container element in adder dialogsPetr Vobornik2013-07-162-9/+9
| | | | | | | | Host and DNS adder dialogs used span element as container for block elements. It's not valid nor consistent with other forms. 'span' was replaced by 'div'
* Better automated test supportPetr Vobornik2013-07-166-11/+19
| | | | | | | 1. add class to active facet instead of using direct style modification for hiding/showing 2. add name attribute to tables and dialog buttons and error dialog
* Change group ownership of CRL publish directoryTomas Babej2013-07-164-7/+22
| | | | | | | | | | | Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no longer owned by created with package installation. The directory is rather created/removed with the CA instance itself. This ensures proper creation/removeal, group ownership and SELinux context.
* Use pkg-config to detect cmockaLukas Slebodnik2013-07-151-25/+12
| | | |
* Integration test config: Make it possible to specify host IPPetr Viktorin2013-07-152-20/+28
* BeakerLib plugin: Log http links in test docstringsPetr Viktorin2013-07-151-0/+13
| | | | The main case for this is having ticket numbers in the Beaker ouput.
* Make BeakerLib logging less verbosePetr Viktorin2013-07-154-18/+15
| | | | | | | | | | | | | Logs from Beaker jobs are normally very brief, with the standard output/error containing detailed information. Make ipa-run-tests with BeakerLib plugin follow this convention. Only include INFO and higher level messages in the Beaker logs. Downgrade several message levels to DEBUG. Log to console using Python logging instead of showing the Beaker logs. Since ipa-run-tests sets up its own logging, Nose's own log handling just causes duplicate messages. Disable it with --nologcapture.
* Use dosctrings in BeakerLib phase descriptionsPetr Viktorin2013-07-152-4/+21
| | | | | | | Phase names are now in the format: test-module-TestClass-test_method: First line of docstring
* Host class improvementsPetr Viktorin2013-07-153-15/+34
| | | | | | | | | | - Use the external hostname when connecting to remote hosts - Make it possible to specify working directory for remote commands - Move kinit calls to installation code This allows tests where installation is done later - Log at error level when a remote command fails unexpectedly - Clean up test directory before testing - Break infinite recursion in mkdir_recursive if dir can't be created
* tests: Configure/unconfigure remote hostsPetr Viktorin2013-07-154-9/+135
| | | | | | | | Set up the hostname, /etc/resolv.conf, and /etc/hosts on remote hosts in the test setup. Undo the changes in test teardown. Part of the work for
* tests: Allow public keys for authentication to the remote machinesPetr Viktorin2013-07-152-2/+23
| | | | Part of the work for
* Show logs in failed testsPetr Viktorin2013-07-152-0/+31
| | | | | | | | | | | Output from IPA's log manager is not captured by Nose's logcapture plugin. Forward IPA logs to a regular Python logger so that they are shown on failures. IPA log messages are also shown on standard error. Filter out Paramiko logs by default; these are too verbose. Part of the work for:
* Collect logs from testsPetr Viktorin2013-07-152-12/+69
| | | | | | | | After each test, and after class setups and teardowns, the BeakerLib integration plugin now downloads log files from the remote masters and submits them using rlFileSubmit. Part of the work for:
* Introduce a class for remote commandsPetr Viktorin2013-07-152-46/+132
| | | | | | | | | | | | Introduce a class inspired by subprocess.Popen that handles running a command on a remote machine and handling its output. To separate stdout & stderr streams of a remote command, they need to be read in parallel, so that one of them doesn't stall the runner when its buffer fills up. Accomplish this by using a thread for each stream. Part of the work for:
* Add a framework for integration testingPetr Viktorin2013-07-156-55/+450
| | | | | | | | | | | | Add methods to run commands and copy files to Host objects. Adds a base class for integration tests which can currently install and uninstall IPA in a "star" topology with per-test specified number of hosts. A simple test for user replication between two masters is provided. Log files from the remote hosts can be marked for collection, but the actual collection is left to a Nose plugin. Part of the work for:
* Add a framework for integration test configurationPetr Viktorin2013-07-156-10/+484
| | | | | | | | | | | Integration tests are configured via environment variables. Add a framework for parsing these variables and storing them in easy-to-use objects. Add an `ipa-test-config` executable that loads the configuration and prints out variables needed in shell scripts. Part of the work for
* Add a plugin for test orderingPetr Viktorin2013-07-152-1/+73
| | | | | | | | | | Tests in test classes decorated by @ipatests.order_plugin.ordered are sorted by the source line number instead of alphabetically, if the plugin is enabled. The ipa-run-tests helper now loads and enables the plugin. This should make writing integration tests easier.
* Remove unused variableJakub Hrozek2013-07-152-5/+0
* Return the correct Content-type on negotiated XML-RPC requests.Rob Crittenden2013-07-151-2/+2
| | | |
* Run server upgrade and restart in posttransMartin Kosek2013-07-111-9/+16
| | | | | | | Running server upgrade or restart in %post or %postun may cause issues when there are still parts of old FreeIPA software (like entitlements plugin).
* Use --ignore-dependencies only when necessaryAna Krivokapic2013-07-111-4/+5
| | | | | | | | | | Using the --ignore-dependencies switch was causing the ipactl stop command not to stop all instances of dirsrv and dogtag. Make sure the switch is used only when necessary, i.e. to prevent ipa-otpd.socket from getting stuck during the shutdown transaction.
* Add libsss_nss_idmap-devel to BuildRequiresTomas Babej2013-07-111-0/+1
* Fix for small syntax error in OTP schemaNathaniel McCallum2013-07-112-2/+2
| | | |
* Make sure replication works after DM password is changedAna Krivokapic2013-07-112-3/+42
| | | | | | | | | | | | | | | | Replica information file contains the file `cacert.p12` which is protected by the Directory Manager password of the initial IPA server installation. The DM password of the initial installation is also used for the PKI admin user password. If the DM password is changed after the IPA server installation, the replication fails. To prevent this failure, add the following steps to ipa-replica-prepare: 1. Regenerate the `cacert.p12` file and protect it with the current DM password 2. Update the password of the PKI admin user with the current DM password
* Add --range-type option that forces range type of the trusted domainTomas Babej2013-07-114-6/+43
| | | | | | | | | | Adds --range-type option to ipa trust-add command. It takes two allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'. When --range-type option is not specified, the range type should be determined by ID range discovery.
* Avoid systemd service deadlock during shutdownAna Krivokapic2013-07-111-1/+11
| | | |
* Use correct DS instance in ipactl statusAna Krivokapic2013-07-112-13/+31
| | | | | | | Make sure ipactl status check for correct DS instance. It should check for 'dirsrv@IPA-REALM' and not ''.
* Generate syntethic MS-PAC for all services running on IPA masterAlexander Bokovoy2013-07-111-6/+73
| | | | | | | | | | | MS-PAC is required to be present in TGT if one wants to connect to AD services using this TGT. Users get MS-PAC by default, SSSD in ipa_server_mode uses host/fqdn@REALM principal to talk to AD LDAP. This patch enables other services running on IPA master to connect to AD services. This is required for IPA python code doing discovery of remote AD domain settings shortly after IPA-AD trust has been established.
* Fix extdom plugin to provide unqualified name in response as sssd expectsAlexander Bokovoy2013-07-111-3/+30
| | | | | | | | | | | | | | | extdom plugin handles external operation over which SSSD asks IPA server about trusted domain users not found through normal paths but detected to belong to the trusted domains associated with IPA realm. SSSD expects that user or group name in the response will be unqualified because domain name for the user or group is also included in the response. Strip domain name from the name if getgrnam_r/getpwnam_r calls returned fully qualified name which includes the domain name we are asked to handle. The code already expects that fully-qualified names are following user@domain convention so we are simply tracking whether '@' symbol is present and is followed by the domain name.
* Make sure domain_name is also set when processing INP_NAME requestsAlexander Bokovoy2013-07-111-0/+1
* Remove winbind client configure checkSumit Bose2013-07-111-11/+0
| | | | | With the replacement of the winbind calls in the extdom plugin none of the plugins is using the winbind client libraries anymore.
* extdom: replace winbind calls with POSIX/SSSD callsSumit Bose2013-07-116-293/+253
| | | | | | | | | | | | | | | With the new ipa_server_mode SSSD is able to read user and group data from trusted AD domains directly and makes this data available via the NSS responder. With this mode enabled winbind is not needed anymore to lookup users and groups of trusted domains. This patch removed the calls to winbind from the extdom plugin and replaces them with standard POSIX calls like getpwnam() and calls from libsss_nss_idmap to lookup SIDs. Fixes because now the extdom plugin does not need to handle idranges anymore, but everything is done inside SSSD.
* Add PAC to master host TGTsSumit Bose2013-07-111-39/+115
| | | | | | | | | | | | | | | | | | | | For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host. We use the well know RID of the Domain Computers group (515) for the primary gid element of the PAC, this is the same as AD uses for host tickets. The rid element of the PAC is set to the well know RID of the Domain Controllers group (516). This is working for the SSSD use case but might be improved later for more general use cases. To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being. Fixes
* Permit reads to ipatokenRadiusProxyUser objectsNathaniel McCallum2013-07-112-2/+2
| | | | | | This fixes an outstanding permissions issue from the OTP work.
* Add missing equality index for ipaUniqueId.Jan Cholasta2013-07-112-0/+15
| | | |
* Add missing substring indices for attributes managed by the referint plugin.Jan Cholasta2013-07-112-33/+43
| | | | | | | | The referint plugin does a substring search on these attributes each time an entry is deleted, which causes a noticable slowdown for large directories if the attributes are not indexed.
* Use LDAP modify operation directly to add/remove group members.Jan Cholasta2013-07-111-23/+13
| | | | | | This prevents getting full member list from LDAP and putting it back later.
* Use LDAP search instead of *group_show to check for a group objectclass.Jan Cholasta2013-07-113-37/+41
| | | |