| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
| |
This is a soft dependency, min nvr version will only be required
when bind/bind-dyndb-ldap are installed.
https://fedorahosted.org/freeipa/ticket/1121
https://fedorahosted.org/freeipa/ticket/1573
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1576
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL
connection. This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate.
The IPA install uses the internal ports instead of proxying through
httpd since httpd is not set up yet.
IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose.
https://fedorahosted.org/freeipa/ticket/1334
add flag to pkicreate in order to enable using proxy.
add the proxy file in /etc/http/conf.d/
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1686
|
|
|
|
|
|
| |
Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.
|
| |
|
|
|
|
| |
ticket 1664
|
|
|
|
|
|
|
| |
Bump minimal pki-ca version in spec file to get fix for ipa
cert-request command.
https://fedorahosted.org/freeipa/ticket/1578
|
|
|
|
|
|
|
|
|
| |
Bump minimal 389-ds-base version in spec file to get in recent
Directory Server bug fixes.
https://fedorahosted.org/freeipa/ticket/1513
https://fedorahosted.org/freeipa/ticket/1525
https://fedorahosted.org/freeipa/ticket/1552
|
|
|
|
|
|
|
|
| |
Enable GSSAPI credentials delegation in xmlrpc-c/curl to fix client
enrollment. The unconditional GSSAPI was previously dropped from
curl because of CVE-2011-2192.
https://fedorahosted.org/freeipa/ticket/1452
|
|
|
|
|
|
|
| |
The Makefile.am and the spec file have been fixed to include all
icons in the install/ui folder.
Ticket #1559
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.
Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.
Test user coming from source host to a service on a named host against
existing enabled rules.
ipa hbactest --user= --srchost= --host= --service=
[--rules=rules-list] [--nodetail] [--enabled] [--disabled]
--user, --srchost, --host, and --service are mandatory, others are optional.
If --rules is specified simulate enabling of the specified rules and test
the login of the user using only these rules.
If --enabled is specified, all enabled HBAC rules will be added to simulation
If --disabled is specified, all disabled HBAC rules will be added to simulation
If --nodetail is specified, do not return information about rules matched/not matched.
If both --rules and --enabled are specified, apply simulation to --rules _and_
all IPA enabled rules.
If no --rules specified, simulation is run against all IPA enabled rules.
EXAMPLES:
1. Use all enabled HBAC rules in IPA database to simulate:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
2. Disable detailed summary of how rules were applied:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
--------------------
Access granted: True
--------------------
3. Test explicitly specified HBAC rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: myrule
4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
5. Test all disabled HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
---------------------
Access granted: False
---------------------
notmatched: new-rule
6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
7. Test all (enabled and disabled) HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
notmatched: new-rule
matched: allow_all
Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.
Specifying them through --rules option explicitly enables them only in
simulation run.
Specifying non-existing rules will not grant access and report non-existing
rules in output.
|
|
|
|
|
|
|
| |
The caIPAserviceCert.cfg was updated to set the client cert flag on
server certs we issue.
https://fedorahosted.org/freeipa/ticket/1434
|
|
|
|
|
|
|
|
| |
If you had a 64-bit system and installed a 32-bit version of IPA then
ipa-getkeytab probably wouldn't work because yum wouldn't know to pull
in the 32-bit version of cyrus-sasl-gssapi.
https://fedorahosted.org/freeipa/ticket/1499
|
|
|
|
|
|
|
| |
The code for supporting custom layouts using HTML templates has been
removed. If it's needed again in the future the code can be restored.
Ticket #1501
|
|
|
|
| |
ticket 1288
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For the most part the existing replication code worked with the
following exceptions:
- Added more port options
- It assumed that initial connections were done to an SSL port. Added
ability to use startTLS
- It assumed that the name of the agreement was the same on both sides.
In dogtag one is marked as master and one as clone. A new option is
added, master, the determines which side we're working on or None
if it isn't a dogtag agreement.
- Don't set the attribute exclude list on dogtag agreements
- dogtag doesn't set a schedule by default (which is actually recommended
by 389-ds). This causes problems when doing a force-sync though so
if one is done we set a schedule to run all the time. Otherwise the
temporary schedule can't be removed (LDAP operations error).
https://fedorahosted.org/freeipa/ticket/1250
|
|
|
|
|
|
|
|
| |
shows dialog if there are any HBAC deny rules. Dialog provides option to navigate to the HBAC page. Deny rules have their rule type value show up in red.
Only shows up fro administrators, not for self service users.
https://fedorahosted.org/freeipa/ticket/1421
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A dogtag replica file is created as usual. When the replica is installed
dogtag is optional and not installed by default. Adding the --setup-ca
option will configure it when the replica is installed.
A new tool ipa-ca-install will configure dogtag if it wasn't configured
when the replica was initially installed.
This moves a fair bit of code out of ipa-replica-install into
installutils and cainstance to avoid duplication.
https://fedorahosted.org/freeipa/ticket/1251
|
|
|
|
|
|
|
|
| |
Fix a problem when a target missed a version-update requirement.
This caused build problems, especially in a parallel build
environment.
https://fedorahosted.org/freeipa/ticket/1215
|
|
|
|
|
| |
The Makefile.am freeipa.spec.in have been updated according to the
recent file changes.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When connection between a master machine and future replica is not
sane, the replica installation may fail unexpectedly with
inconvenient error messages. One common problem is misconfigured
firewall.
This patch adds a program ipa-replica-conncheck which tests the
connection using the following procedure:
1) Execute the on-replica check testing the connection to master
2) Open required ports on local machine
3) Ask user to run the on-master part of the check OR run it
automatically:
a) kinit to master as default admin user with given password
b) run the on-master part using ssh
4) When master part is executed, it checks connection back to
the replica and prints the check result
This program is run by ipa-replica-install as mandatory part. It
can, however, be skipped using --skip-conncheck option.
ipa-replica-install now requires password for admin user to run
the command on remote master.
https://fedorahosted.org/freeipa/ticket/1107
|
|
|
|
| |
ticket 1212
|
|
|
|
|
|
| |
Done with conditionals so still installable on F-14.
ticket 1200
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1203
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Looking at the schema in 60basev2.ldif there were many attributes that did
not have an ORDERING matching rule specified correctly. There were also a
number of attributeTypes that should have been just SUP
distinguishedName that had a combination of SUP, SYNTAX, ORDERING, etc.
This requires 389-ds-base-1.2.8.0-1+
ticket 1153
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
restriction when run in --upgrade mode. This allows us to autobind
giving root Directory Manager powers.
This also:
* corrects the ipa-ldap-updater man page
* remove automatic --realm, --server, --domain options
* handle upgrade errors properly
* saves a copy of dse.ldif before we change it so it can be recovered
* fixes an error discovered by pylint
ticket 1087
|
|
|
|
| |
ticket 969
|
|
|
|
| |
ticket 978
|
| |
|
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/935
|
|
|
|
|
|
|
| |
This moves a bunch of tools that only make sense to run on the actual
server from the admintools subpackage to the server subpackage.
ticket 947
|
| |
|
|
|
|
| |
ticket 926
|
| |
|
|
|
|
|
|
| |
* Set min version of 389-ds-base to 1.2.8
* Set min version of mod_nss 1.0.8-10
* Set min version of selinux-policy to 3.9.7-27
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a plugin, entitle, to register to the entitlement server, consume
entitlements and to count and track them. It is also possible to
import an entitlement certificate (if for example the remote entitlement
server is unaviailable).
This uses the candlepin server from https://fedorahosted.org/candlepin/wiki
for entitlements.
Add a cron job to validate the entitlement status and syslog the results.
tickets 28, 79, 278
|
|
|
|
| |
Ticket 804
|
|
|
|
| |
First part of: https://fedorahosted.org/freeipa/ticket/855
|
|
|
|
| |
modifying the directories so they find the assets in the right locations
|
|
https://fedorahosted.org/freeipa/ticket/581
|