summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* trust: support retrieving POSIX IDs with one-way trust during trust-addoneway-trustAlexander Bokovoy2015-07-073-33/+119
| | | | | | | | | | With one-way trust we cannot rely on cross-realm TGT as there will be none. Thus, if we have AD administrator credentials we should reuse them. Additionally, such use should be done over Kerberos. Fixes: https://fedorahosted.org/freeipa/ticket/4960 https://fedorahosted.org/freeipa/ticket/4959
* trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabsAlexander Bokovoy2015-07-071-0/+1
| | | | Part of https://fedorahosted.org/freeipa/ticket/4959
* ipa-pwd-extop: expand error message to tell what user is not allowed to ↵Alexander Bokovoy2015-07-071-2/+2
| | | | | | | | | | | fetch keytab When retrieving keytab, it is useful to know what user was attempting to fetch the keyts and failed. This is useful to debug one-way trust where SSSD forks out a process of ipa-getkeytab and it might be using a wrong credentials cache for authentication purposes. Part of https://fedorahosted.org/freeipa/ticket/4959
* trusts: add support for one-way trust and switch to it by defaultAlexander Bokovoy2015-07-0711-51/+442
| | | | | | | | | | | | | | | | | | | | | | | | One-way trust is the default now, use 'trust add --two-way ' to force bidirectional trust https://fedorahosted.org/freeipa/ticket/4959 In case of one-way trust we cannot authenticate using cross-realm TGT against an AD DC. We have to use trusted domain object from within AD domain and access to this object is limited to avoid compromising the whole trust configuration. Instead, IPA framework can call out to oddjob daemon and ask it to run the script which can have access to the TDO object. This script (com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal to retrieve TDO object credentials from IPA LDAP if needed and then authenticate against AD DCs using the TDO object credentials. The script pulls the trust topology out of AD DCs and updates IPA LDAP store. Then IPA framework can pick the updated data from the IPA LDAP under normal access conditions. Part of https://fedorahosted.org/freeipa/ticket/4546
* ipa-adtrust-install: allow configuring of trust agentsAlexander Bokovoy2015-07-072-1/+95
| | | | | | | | | | | | | Trust agents are IPA master without Samba which can serve information about users from trusted forests. Such IPA masters cannot be used to configure trust but they can resolve AD users and groups for IPA clients enrolled to them. Since support from both FreeIPA and SSSD is needed to enable trust agent support, we currently only consider those IPA masters which have been upgraded to FreeIPA 4.2 or later. Part of https://fedorahosted.org/freeipa/ticket/4951
* ipa-sidgen: reduce log level to normal if domain SID is not availableAlexander Bokovoy2015-07-071-1/+1
| | | | | | | | | | To support AD trust agents, we need to run sidgen and extdom plugins on every IPA master. Lack of working configuration, thus, is not a failure so reduce log level to normal as sidgen plugin will not be active if domain SID is missing but it can certainly be kept enabled. Part of https://fedorahosted.org/freeipa/ticket/4951
* trusts: pass AD DC hostname if specified explicitlyAlexander Bokovoy2015-07-074-6/+18
| | | | Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047
* ipa-kdb: filter out group membership from MS-PAC for exact SID matches tooAlexander Bokovoy2015-07-071-1/+101
| | | | | | | | | | | | | | When incoming SID blacklist contains exact SIDs of users and groups, attempt to filter them out as well, according to [MS-PAC] 4.1.1.2. Note that we treat user's SID and primary group RID filtering as violation of the KDC policy because the resulting MS-PAC will have no user SID or primary group and thus will be invalid. For group RIDs we filter them out and in unlikely event of empty list of groups treat that as violation of the KDC policy as well. Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475
* ipa-kdb: use proper memory chunk size when moving sidsAlexander Bokovoy2015-07-071-3/+17
| | | | Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475
* ipa-adtrust-install: add IPA master host principal to adtrust agentsAlexander Bokovoy2015-07-076-32/+81
| | | | Fixes https://fedorahosted.org/freeipa/ticket/4951
* add one-way trust support to ipasamAlexander Bokovoy2015-07-071-21/+85
| | | | | | | | | | | | | | | | | | | | | | | | | | When trust is established, ipasam module creates a number of objects in LDAP to represent the trust information. Among them, for one-way trust we create a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest and AD is a realm of the trusted Active Directory forest root domain. This principal is then used by SSSD on IPA masters to authenticate against trusted Active Directory domain controllers and retrieve information about user and group identities. FreeIPA also uses this principal's credentials to retrieve domain topology. The access to the keys of the principal should be well-protected. We only allow to retrieve the keytab for it for members of cn=adtrust agents group. This group is populated with host/ and cifs/ principals from IPA masters. Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install on the master which will be configured to be a domain controller (e.g. run Samba with ipasam), and specify --add-agents option to trigger activation of the interactive mode to specify which IPA masters to enable. Fixes https://fedorahosted.org/freeipa/ticket/4962 Part of fixes for https://fedorahosted.org/freeipa/ticket/4546
* DNSSEC: Detect attempt to install & disable master at the same time.Petr Spacek2015-07-071-0/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: ipa-dns-install: Detect existing master server sooner.Petr Spacek2015-07-071-14/+12
| | | | | | | | User should get the error before he installs missing packages etc. https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Allow to run subprocess with suplementary groupsMartin Basti2015-07-071-5/+21
| | | | | | | | | | Param suplementary_groups allows to specify list of group names to be used for subprocess. suplementary_groups param requires runas param to be specified. Required for ticket: https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: update messageMartin Basti2015-07-072-7/+22
| | | | | | https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: allow to disable/replace DNSSEC key masterMartin Basti2015-07-077-22/+309
| | | | | | | | | | | | | | | This commit allows to replace or disable DNSSEC key master Replacing DNSSEC master requires to copy kasp.db file manually by user ipa-dns-install: --disable-dnssec-master DNSSEC master will be disabled --dnssec-master --kasp-db=FILE This configure new DNSSEC master server, kasp.db from old server is required for sucessful replacement --force Skip checks https://fedorahosted.org/freeipa/ticket/4657 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* webui: add mangedby tab to otptokenPetr Vobornik2015-07-071-0/+6
| | | | | | | | Added managedby_user tab to manage users who can manage the token. https://fedorahosted.org/freeipa/ticket/5003 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: API browserPetr Vobornik2015-07-037-1/+1016
| | | | | | | | | First part of API browser - displaying metadata in more consumable way. https://fedorahosted.org/freeipa/ticket/3129 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: menu and navigation fixesPetr Vobornik2015-07-033-5/+32
| | | | | | | | | | | | | | | | | | | fixes: 1. When navigation is initiated from clicking and a link with hash, update of facet state causes that subsequent click on a link with hash will be ignored. Caused by a code which prevents infinite loop because of facet state update. Now hash update is done only if it was really changed. 2. registered correct handler for standalone pages 3. fix selection of menu item where the items differ only in args. Chooses the item with the most similar state to current facet. https://fedorahosted.org/freeipa/ticket/3129 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: fix webui specific metadataPetr Vobornik2015-07-032-1/+3
| | | | | | | | | | | | Mark all Web UI specific metadata so they could be filtered out in the API Browser. Fix cert name. https://fedorahosted.org/freeipa/ticket/3129 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* webui: ListViewWidgetPetr Vobornik2015-07-031-0/+233
| | | | | | | | | | A widget for rendering a list of groups of items. Intended to be used in sidebar. Plan is to serve also as a base for FacetGroupsWidget. https://fedorahosted.org/freeipa/ticket/3129 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* include more information in metadataPetr Vobornik2015-07-033-70/+24
| | | | | | | | | | | added to commands: doc, proper args, NO_CLI added to options: default_from, cli_name, cli_short_name and others https://fedorahosted.org/freeipa/ticket/3129 Reviewed-By: Martin Kosek <mkosek@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Server Upgrade: use debug log level for upgrade instead of infoMartin Basti2015-07-038-40/+40
| | | | | | Upgrade contains too many unnecessary info logs. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* topology: make cn of new segment consistent with topology pluginPetr Vobornik2015-07-031-1/+1
| | | | Reviewed-By: David Kupka <dkupka@redhat.com>
* topologysegment: hide direction and enable optionsPetr Vobornik2015-07-032-10/+4
| | | | | | | | These options should not be touched by users yet. https://fedorahosted.org/freeipa/ticket/5061 Reviewed-By: David Kupka <dkupka@redhat.com>
* ipa-replica-manage del: add timeout to segment removal checkPetr Vobornik2015-07-031-2/+10
| | | | Reviewed-By: David Kupka <dkupka@redhat.com>
* ipa-replica-manage del: relax segment deletement check if topology is ↵Petr Vobornik2015-07-032-6/+43
| | | | | | | | disconnected https://fedorahosted.org/freeipa/ticket/5072 Reviewed-By: David Kupka <dkupka@redhat.com>
* new commands to manage user/host/service certificatesMartin Babinsky2015-07-025-4/+166
| | | | | | | | | | | | A new group of commands is introduced that simplifies adding and removing binary certificates to entries. A general form of the command is ipa [user/host/service]-[add/remove]-cert [pkey] --certificate=[BASE64 BLOB] Part of http://www.freeipa.org/page/V4/User_Certificates and https://fedorahosted.org/freeipa/ticket/4238 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* reworked certificate normalization and revocationMartin Babinsky2015-07-023-146/+55
| | | | | | | | | | | Validation of certificate is now handled by `x509.validate_certificate'. Revocation of the host and service certificates was factored out to a separate function. Part of http://www.freeipa.org/page/V4/User_Certificates Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* baseldap: add support for API commands managing only a single attributeMartin Babinsky2015-07-021-0/+114
| | | | | | | This patch extends the API framework with a set of classes which add/remove values to a single LDAPObject attribute. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* winsync_migrate: Generalize membership migrationTomas Babej2015-07-021-21/+78
| | | | | | https://fedorahosted.org/freeipa/ticket/4943 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync_migrate: Migrate memberships of the winsynced usersTomas Babej2015-07-021-0/+51
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* man: Add manpage for ipa-winsync-migrateTomas Babej2015-07-023-0/+29
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* idviews: Fallback to AD DC LDAP only if specifically allowedTomas Babej2015-07-023-14/+50
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Include the tool parts in Makefile and friendsTomas Babej2015-07-022-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Move the tool under ipaserver.install packageTomas Babej2015-07-022-1/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Rename to tool to achive consistency with other toolsTomas Babej2015-07-023-30/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Delete winsync agreement prior to migrationTomas Babej2015-07-021-0/+35
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Require explicit specification of the target server and ↵Tomas Babej2015-07-021-0/+33
| | | | | | | | validate existing agreement https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* idviews: Do not abort the find & show commands on conversion errorsTomas Babej2015-07-021-2/+12
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Require root privilegesTomas Babej2015-07-021-1/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* dcerpc: Add debugging message to failing kinit as httpTomas Babej2015-07-021-0/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* dcerpc: Change logging level for debug informationTomas Babej2015-07-021-2/+2
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Move the api initalization and LDAP connection to the main ↵Tomas Babej2015-07-021-3/+12
| | | | | | | | method https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* migrate-winsync: Add option validation and handlingTomas Babej2015-07-021-0/+44
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* migrate-winsync: Create user ID overrides in place of winsynced user entriesTomas Babej2015-07-021-0/+32
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Add a way to find all winsync usersTomas Babej2015-07-021-4/+21
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Add initial plumbingTomas Babej2015-07-023-0/+112
| | | | | | https://fedorahosted.org/freeipa/ticket/4524 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipaplatform: Remove redundant definitionsTomas Babej2015-07-022-6/+0
| | | | | | | | | | The variables path_namespace and task_namespace in the base platform are not used anywhere in the rest of the codebase and are just debris from previous implementation. This patch removes them. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* KRA Install: check replica file if contains req. certificatesMartin Basti2015-07-021-0/+16
| | | | | | https://fedorahosted.org/freeipa/ticket/5059 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
generated by cgit (git 2.34.1) at 2024-04-26 03:37:22 +0000