summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* webui: show multiple certPetr Vobornik2015-07-097-6/+116
| | | | | | | | | | | New certificate widget which replaced certificate status widget. It can display multiple certs. Drawback is that it cannot display if the certificate was revoked. Web UI does not have the information. part of: https://fedorahosted.org/freeipa/ticket/5045 Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: cert-request improvementsPetr Vobornik2015-07-096-34/+168
| | | | | | | | | | | | | | | Certificate request action and dialog now supports 'profile_id', 'add' and 'principal' options. 'add' and 'principal' are disaplayed only if certificate is added from certificate search facet. Certificate search facet allows to add a certificate. User details facet allows to add a certificate. part of https://fedorahosted.org/freeipa/ticket/5046 Reviewed-By: Martin Basti <mbasti@redhat.com>
* move session_logout command to ipalib/plugins directoryPetr Vobornik2015-07-084-31/+37
| | | | | | | | API refactoring caused that session_logout command was not registered. Commands in ipalib/plugins directory are automatically registered. Reviewed-By: Martin Basti <mbasti@redhat.com>
* upgrade: Enable and start oddjobd if adtrust is availableTomas Babej2015-07-082-0/+25
| | | | | | | If ipa-adtrust-install has already been run on the system, enable and start the oddjobd service. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* adtrustinstance: Enable and start oddjobdTomas Babej2015-07-082-0/+30
| | | | | | | Enable and start the oddjobd service as part of the ipa-adtrust-install for the new IPA installations. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* cert-request: enforce caacl for principals in SANFraser Tweedale2015-07-081-17/+25
| | | | | | | | | cert-request currently does not enforce caacls for principals included in the subjectAltName requestExtension. Enforce for any dNSName values recognised as hosts/services known to FreeIPA. Fixes: https://fedorahosted.org/freeipa/ticket/5096 Reviewed-By: David Kupka <dkupka@redhat.com>
* caacl: fix incorrect construction of HbacRequest for hostsFraser Tweedale2015-07-081-3/+4
| | | | | | | | The _acl_make_request function is using the 'host/' prefix itself instead of the hostname after it. Use split_any_principal to do the splitting correctly, also taking realm into account. Reviewed-By: David Kupka <dkupka@redhat.com>
* webui: hide facet tab in certificate details facetPetr Vobornik2015-07-081-0/+1
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: caaclPetr Vobornik2015-07-087-1/+414
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* webui: certificate profilesPetr Vobornik2015-07-085-1/+117
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix logging in APIMartin Basti2015-07-081-2/+2
| | | | | | Setup log in API before first usage Reviewed-By: Tomas Babej <tbabej@redhat.com>
* spec file: Update minimal versions of required packagesJan Cholasta2015-07-081-8/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/5103 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Upgrade: Do not show upgrade failed message when IPA is not installedMartin Basti2015-07-082-1/+6
| | | | Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipalib: Fix skip_version_check optionJan Cholasta2015-07-083-9/+9
| | | | | | | | | | | This reverts commit ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474. The option can be either set in IPA config file or specified as 'ipa -e skip_version_check=1 [COMMAND]'. https://fedorahosted.org/freeipa/ticket/4768 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Added vault access control.Endi S. Dewata2015-07-086-33/+226
| | | | | | | | | | | New LDAP ACIs have been added to allow vault owners to manage the vaults and to allow members to access the vaults. New CLIs have been added to manage the owner and member list. The LDAP schema has been updated as well. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-kdb: add unit_tests for string_to_sid() and dom_sid_string()Sumit Bose2015-07-081-0/+60
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-kdb: make string_to_sid() and dom_sid_string() more robustSumit Bose2015-07-081-1/+10
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-kdb: add unit-test for filter_logon_info()Sumit Bose2015-07-083-50/+323
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-kdb: convert test to cmockaSumit Bose2015-07-082-88/+49
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* extdom: add unit-test for get_user_grouplist()Sumit Bose2015-07-084-2/+1045
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trust: support retrieving POSIX IDs with one-way trust during trust-addAlexander Bokovoy2015-07-083-33/+119
| | | | | | | | | | | | With one-way trust we cannot rely on cross-realm TGT as there will be none. Thus, if we have AD administrator credentials we should reuse them. Additionally, such use should be done over Kerberos. Fixes: https://fedorahosted.org/freeipa/ticket/4960 https://fedorahosted.org/freeipa/ticket/4959 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabsAlexander Bokovoy2015-07-081-0/+1
| | | | | | Part of https://fedorahosted.org/freeipa/ticket/4959 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-pwd-extop: expand error message to tell what user is not allowed to ↵Alexander Bokovoy2015-07-081-2/+2
| | | | | | | | | | | | | fetch keytab When retrieving keytab, it is useful to know what user was attempting to fetch the keyts and failed. This is useful to debug one-way trust where SSSD forks out a process of ipa-getkeytab and it might be using a wrong credentials cache for authentication purposes. Part of https://fedorahosted.org/freeipa/ticket/4959 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trusts: add support for one-way trust and switch to it by defaultAlexander Bokovoy2015-07-0811-52/+443
| | | | | | | | | | | | | | | | | | | | | | | | | | One-way trust is the default now, use 'trust add --two-way ' to force bidirectional trust https://fedorahosted.org/freeipa/ticket/4959 In case of one-way trust we cannot authenticate using cross-realm TGT against an AD DC. We have to use trusted domain object from within AD domain and access to this object is limited to avoid compromising the whole trust configuration. Instead, IPA framework can call out to oddjob daemon and ask it to run the script which can have access to the TDO object. This script (com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal to retrieve TDO object credentials from IPA LDAP if needed and then authenticate against AD DCs using the TDO object credentials. The script pulls the trust topology out of AD DCs and updates IPA LDAP store. Then IPA framework can pick the updated data from the IPA LDAP under normal access conditions. Part of https://fedorahosted.org/freeipa/ticket/4546 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-adtrust-install: allow configuring of trust agentsAlexander Bokovoy2015-07-082-1/+95
| | | | | | | | | | | | | | | Trust agents are IPA master without Samba which can serve information about users from trusted forests. Such IPA masters cannot be used to configure trust but they can resolve AD users and groups for IPA clients enrolled to them. Since support from both FreeIPA and SSSD is needed to enable trust agent support, we currently only consider those IPA masters which have been upgraded to FreeIPA 4.2 or later. Part of https://fedorahosted.org/freeipa/ticket/4951 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-sidgen: reduce log level to normal if domain SID is not availableAlexander Bokovoy2015-07-081-1/+1
| | | | | | | | | | | | To support AD trust agents, we need to run sidgen and extdom plugins on every IPA master. Lack of working configuration, thus, is not a failure so reduce log level to normal as sidgen plugin will not be active if domain SID is missing but it can certainly be kept enabled. Part of https://fedorahosted.org/freeipa/ticket/4951 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trusts: pass AD DC hostname if specified explicitlyAlexander Bokovoy2015-07-084-7/+19
| | | | | | Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-adtrust-install: add IPA master host principal to adtrust agentsAlexander Bokovoy2015-07-086-32/+81
| | | | | | Fixes https://fedorahosted.org/freeipa/ticket/4951 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* add one-way trust support to ipasamAlexander Bokovoy2015-07-081-21/+85
| | | | | | | | | | | | | | | | | | | | | | | | | | | | When trust is established, ipasam module creates a number of objects in LDAP to represent the trust information. Among them, for one-way trust we create a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest and AD is a realm of the trusted Active Directory forest root domain. This principal is then used by SSSD on IPA masters to authenticate against trusted Active Directory domain controllers and retrieve information about user and group identities. FreeIPA also uses this principal's credentials to retrieve domain topology. The access to the keys of the principal should be well-protected. We only allow to retrieve the keytab for it for members of cn=adtrust agents group. This group is populated with host/ and cifs/ principals from IPA masters. Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install on the master which will be configured to be a domain controller (e.g. run Samba with ipasam), and specify --add-agents option to trigger activation of the interactive mode to specify which IPA masters to enable. Fixes https://fedorahosted.org/freeipa/ticket/4962 Part of fixes for https://fedorahosted.org/freeipa/ticket/4546 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-kdb: filter out group membership from MS-PAC for exact SID matches tooAlexander Bokovoy2015-07-081-1/+99
| | | | | | | | | | | | | | | | | | When incoming SID blacklist contains exact SIDs of users and groups, attempt to filter them out as well, according to [MS-PAC] 4.1.1.2. Note that we treat user's SID and primary group RID filtering as violation of the KDC policy because the resulting MS-PAC will have no user SID or primary group and thus will be invalid. For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1 it is OK to have empty group RIDs array as GroupCount SHOULD be equal to Groups.MembershipCount returned by SamrGetGroupsForUser [MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty. Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-kdb: use proper memory chunk size when moving sidsAlexander Bokovoy2015-07-081-3/+17
| | | | | Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* dcerpc: Raise ACIError correctlyTomas Babej2015-07-081-3/+5
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-replica-prepare: Do not create DNS zone it automatically.David Kupka2015-07-081-5/+8
| | | | | | | | | When --ip-address is specified check if relevant DNS zone exists in IPA managed DNS server, exit with error when not. https://fedorahosted.org/freeipa/ticket/5014 Reviewed-By: Martin Basti <mbasti@redhat.com>
* add option to skip client API version checkMartin Babinsky2015-07-085-6/+15
| | | | | | | | | This can be either set in IPA config file or specified as 'ipa --skip-version-check [COMMAND]'. part of https://fedorahosted.org/freeipa/ticket/4768 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix regression: ipa-dns-install will add CA records if requiredMartin Basti2015-07-081-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/5101 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* certprofile: add ability to update profile config in DogtagFraser Tweedale2015-07-084-6/+48
| | | | | | | | | Add the `--file=FILENAME' option to `certprofile-mod' which, when given, will update the profile configuration in Dogtag to the contents of the file. Fixes: https://fedorahosted.org/freeipa/ticket/5093 Reviewed-By: Martin Basti <mbasti@redhat.com>
* certprofile: add option to export profile configFraser Tweedale2015-07-084-6/+48
| | | | | | | | | Add the `--out=FILENAME' option to `certprofile-show'. When given, it exports the profile configuration from Dogtag and writes it to the named file. Fixes: https://fedorahosted.org/freeipa/ticket/5091 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Hide topology and domainlevel featuresTomas Babej2015-07-086-5/+20
| | | | | | | | | | | * Hide topology and domainlevel commands in the CLI * Hide topology and domainlevel in the WebUI * Set maximum allowed domain level to 0 * Do not configure and enable the topology plugin https://fedorahosted.org/freeipa/ticket/5097 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Improve error handling in ipa-httpd-kdcproxyChristian Heimes2015-07-071-20/+55
| | | | | | | | | | | | | The pre start script 'ipa-httpd-kdcproxy' for httpd.service now handles connection and authentication errors more gracefully. If the script is not able to conenct to LDAP, it only prints a warning and exits with status code 0. All other errors are still reported as fatal error and result in a non-zero exit code. This fixes a problem with offline RPM updates. A restart of Apache no longer fails when LDAP is not running. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* FIX: Clear SSSD caches when uninstalling the clientMartin Basti2015-07-071-7/+12
| | | | | | https://fedorahosted.org/freeipa/ticket/5049 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* l10n: Update translation stringsTomas Babej2015-07-0720-5461/+14028
| | | | | | | | | | * Generate new l10n strings * Include newly created python implicit files * Merges already translated strings from Zanata https://fedorahosted.org/freeipa/ticket/4832 Reviewed-By: Martin Basti <mbasti@redhat.com>
* l10n: Add configuration file for ZanataTomas Babej2015-07-071-0/+31
| | | | | | | | | Zanata cliens require the presence of a XML configuration file inside the git repository of the project. https://fedorahosted.org/freeipa/ticket/4832 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Added ipaVaultPublicKey attribute.Endi S. Dewata2015-07-075-16/+17
| | | | | | | | | A new attribute ipaVaultPublicKey has been added to replace the existing ipaPublicKey used to store the vault public key. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Added symmetric and asymmetric vaults.Endi S. Dewata2015-07-076-72/+794
| | | | | | | | | | | The vault plugin has been modified to support symmetric and asymmetric vaults to provide additional security over the standard vault by encrypting the data before it's sent to the server. The encryption functionality is implemented using the python-cryptography library. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* DNSSEC: Detect attempt to install & disable master at the same time.Petr Spacek2015-07-071-0/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: ipa-dns-install: Detect existing master server sooner.Petr Spacek2015-07-071-14/+12
| | | | | | | | User should get the error before he installs missing packages etc. https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Allow to run subprocess with suplementary groupsMartin Basti2015-07-071-5/+21
| | | | | | | | | | Param suplementary_groups allows to specify list of group names to be used for subprocess. suplementary_groups param requires runas param to be specified. Required for ticket: https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: update messageMartin Basti2015-07-072-7/+22
| | | | | | https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: allow to disable/replace DNSSEC key masterMartin Basti2015-07-077-22/+309
| | | | | | | | | | | | | | | This commit allows to replace or disable DNSSEC key master Replacing DNSSEC master requires to copy kasp.db file manually by user ipa-dns-install: --disable-dnssec-master DNSSEC master will be disabled --dnssec-master --kasp-db=FILE This configure new DNSSEC master server, kasp.db from old server is required for sucessful replacement --force Skip checks https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* webui: add mangedby tab to otptokenPetr Vobornik2015-07-071-0/+6
| | | | | | | | Added managedby_user tab to manage users who can manage the token. https://fedorahosted.org/freeipa/ticket/5003 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
generated by cgit (git 2.34.1) at 2024-11-12 22:14:50 +0000