path: root/ipa-client/ipa-join.c

Commit history, newest first. Each entry gives the subject, author, date, files changed and lines removed/added, followed by the commit message.
* Fix unchecked return value in ipa-join (Jan Cholasta, 2014-11-25; 1 file, -1/+4)

  https://fedorahosted.org/freeipa/ticket/4713
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix memory leaks in ipa-join (Jan Cholasta, 2014-11-05; 1 file, -10/+8)

  Also remove dead code in ipa-join and add initializer to a variable in ipa-getkeytab to prevent false positives in static code analysis.
  https://fedorahosted.org/freeipa/ticket/4651
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Add support for re-enrolling hosts using keytab (Tomas Babej, 2013-03-12; 1 file, -5/+9)

  A host that has been recreated and does not have its host entry disabled or removed can be re-enrolled using a previously backed up keytab file.

  A new option --keytab has been added to ipa-client-install. This can be used to specify the path to the keytab and can be used instead of the -p or -w options.

  A new option -f has been added to ipa-join. It forces the client to join even if the host entry already exists. A new certificate and ssh keys are generated; ipaUniqueID stays the same.

  Design page: http://freeipa.org/page/V3/Client_install_using_keytab
  https://fedorahosted.org/freeipa/ticket/3374
* Do SSL CA verification and hostname validation. (Rob Crittenden, 2013-01-23; 1 file, -2/+2)
* Reorder XML-RPC initialization in ipa-join to avoid segfault. (Rob Crittenden, 2012-12-07; 1 file, -7/+12)

  There were a number of code paths where we would try to call xmlrpc_env_clean() without having first called xmlrpc_env_init(). Re-order the code so we always initialize the XML-RPC client first.

  I also noticed a place where the return value of strdup() was not being checked for NULL.

  https://fedorahosted.org/freeipa/ticket/3275
* Use indexed format specifiers in i18n strings (John Dennis, 2012-04-10; 1 file, -3/+3)

  Translators need to reorder messages to suit the needs of the target language. The conventional positional format specifiers (e.g. %s %d) do not permit reordering because their order is tied to the ordering of the arguments to the printf function. The fix is to use indexed format specifiers.

  https://fedorahosted.org/freeipa/ticket/2596
* Add support for defaultNamingContext and add --basedn to migrate-ds (Rob Crittenden, 2012-02-29; 1 file, -25/+55)

  There are two sides to this, the server and client side.

  On the server side we attempt to add a defaultNamingContext on already installed servers. This will fail on older 389-ds instances but the failure is not fatal. New installations on versions of 389-ds that support this attribute will have it already defined.

  On the client side we need to look for both defaultNamingContext and namingContexts. We still need to check that the defaultNamingContext is an IPA server (info=IPAV2).

  The migration change also takes advantage of this and adds a new option which allows one to provide a basedn to use instead of trying to detect it.

  https://fedorahosted.org/freeipa/ticket/1919
  https://fedorahosted.org/freeipa/ticket/2314
* localhost.localdomain clients refused to join (Ondrej Hamada, 2012-01-22; 1 file, -0/+6)

  Machines with hostname 'localhost' or 'localhost.localdomain' are refused from joining the IPA domain and a proper error message is shown. The hostname check is done both in the 'ipa-client-install' script and in 'ipa-join'.

  https://fedorahosted.org/freeipa/ticket/2112
* Require an HTTP Referer header in the server. Send one in ipa tools. (Rob Crittenden, 2011-12-12; 1 file, -4/+37)

  This is to prevent a Cross-Site Request Forgery (CSRF) attack where a rogue server tricks a user who was logged into the FreeIPA management interface into visiting a specially-crafted URL where the attacker could perform FreeIPA configuration changes with the privileges of the logged-in user.

  https://bugzilla.redhat.com/show_bug.cgi?id=747710
* Make ipa-join work against an LDAP server that disallows anon binds (Rob Crittenden, 2011-10-11; 1 file, -106/+88)

  We determine the realm in the client installer so we can deduce the base dn; pass that into ipa-join so we don't have to hunt for it.

  Re-order the bind so that when doing an OTP enrollment we can use the host entry to authenticate before we retrieve the subject base, then initiate the enrollment.

  If ipa-join is called without a basedn it will still attempt to determine it, but it will fail if anonymous binds are not allowed.

  https://fedorahosted.org/freeipa/ticket/1935
* Disable reverse lookups in ipa-join and ipa-getkeytab (Rob Crittenden, 2011-08-25; 1 file, -0/+7)

  This prevents broken DNS from causing enrollment problems.

  https://fedorahosted.org/freeipa/ticket/1693
* Fix client enrollment (Martin Kosek, 2011-08-11; 1 file, -1/+3)

  Enable GSSAPI credentials delegation in xmlrpc-c/curl to fix client enrollment. The unconditional GSSAPI was previously dropped from curl because of CVE-2011-2192.

  https://fedorahosted.org/freeipa/ticket/1452
* Make ipa-client-install error messages more understandable and relevant. (Rob Crittenden, 2011-07-19; 1 file, -12/+12)

  * Check remote LDAP server to see if it is a V2 server
  * Replace numeric return values with alphanumeric constants
  * Display the error message from the ipa-enrollment extended op
  * Remove generic join failed error message when XML-RPC fails
  * Don't display Certificate subject base when enrollment fails
  * Return proper error message when LDAP bind fails

  https://fedorahosted.org/freeipa/ticket/1417
* Fix issues found by Coverity. (Jan Cholasta, 2011-05-09; 1 file, -1/+5)

  tickets 1166, 1167, 1168, 1169
* Fixes in ipa-join man page (Jan Zeleny, 2011-02-18; 1 file, -7/+7)

  https://fedorahosted.org/freeipa/ticket/784
  https://fedorahosted.org/freeipa/ticket/786
  https://fedorahosted.org/freeipa/ticket/787
* Fix duplicate OIDs (Simo Sorce, 2011-02-17; 1 file, -1/+1)

  Apparently we forgot to check OID consistency between the schema and the extensions, and we got duplicates.

  Technically the schema was done later but it is easier to change the extensions OIDs than to change the schema of current beta2/rc1 installations.

  The only side effect is that older ipa-getkeytab and ipa-join binaries will fail. So all the admin/client tools must be upgraded at the same time as well as all the masters (otherwise some will show/accept the new OID while others won't).

  Fixes: https://fedorahosted.org/freeipa/ticket/976
* Do not try to dereference bindpw if it is null (Simo Sorce, 2011-01-18; 1 file, -2/+7)

  Fixes: https://fedorahosted.org/freeipa/ticket/783
* Uninitialized pointer read in ipa-join (Martin Kosek, 2011-01-14; 1 file, -2/+2)

  This patch fixes a possible situation when the krb5_kt_close() function is called with an uninitialized keytab parameter.

  https://fedorahosted.org/freeipa/ticket/712
* Unchecked return values in ipa-join (Martin Kosek, 2011-01-12; 1 file, -10/+60)

  krb5_get_default_realm() and asprintf() return values were ignored. This could lead to unhandled error issues or memory access issues.

  This patch adds return value checks to all such functions. As a consequence, one new return value has been added to the man page.

  https://fedorahosted.org/freeipa/ticket/720
* Use of pointer after free in ipa-join (Martin Kosek, 2011-01-12; 1 file, -4/+10)

  In some cases recently freed memory was used/freed again. This patch introduces more consistency between the functions join_ldap/join_krb5 when dealing with the affected variables.

  https://fedorahosted.org/freeipa/ticket/709
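The two commits above (unchecked asprintf() return values, and memory freed twice or used after free when join_ldap/join_krb5 bailed out on different paths) are both instances of the same C hygiene problem. The following is an added example, not code from ipa-join or FreeIPA, showing the pattern that avoids both: a formatting helper that leaves its output pointer NULL whenever it fails, and a caller with a single cleanup path that frees only what it still owns. `xasprintf` is a portable stand-in for asprintf() written with vsnprintf so the block builds without `_GNU_SOURCE`; `build_host_names` and the host DN layout it assembles are hypothetical and used only to give the pattern realistic input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Portable stand-in for asprintf(): returns the formatted length on
 * success and -1 on failure. Unlike asprintf(), which leaves *out
 * undefined on error, this always sets *out to NULL on failure so the
 * caller can free() it unconditionally. */
static int xasprintf(char **out, const char *fmt, ...)
{
    va_list ap;
    int n;
    char *buf;

    *out = NULL;
    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);   /* measure first */
    va_end(ap);
    if (n < 0)
        return -1;
    buf = malloc((size_t)n + 1);
    if (buf == NULL)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf, (size_t)n + 1, fmt, ap);
    va_end(ap);
    if (n < 0) {                       /* encoding error on second pass */
        free(buf);
        return -1;
    }
    *out = buf;
    return n;
}

/* Hypothetical helper: build the host principal "host/<fqdn>@<REALM>"
 * and the (assumed) IPA host entry DN
 * "fqdn=<fqdn>,cn=computers,cn=accounts,<basedn>".
 * Returns 0 on success, EINVAL or ENOMEM on failure. On failure both
 * output pointers are NULL, never dangling, and nothing is leaked. */
int build_host_names(const char *fqdn, const char *realm, const char *basedn,
                     char **principal_out, char **dn_out)
{
    char *principal = NULL;
    char *dn = NULL;
    int ret = 0;

    if (principal_out == NULL || dn_out == NULL)
        return EINVAL;
    *principal_out = NULL;
    *dn_out = NULL;
    if (fqdn == NULL || realm == NULL || basedn == NULL)
        return EINVAL;

    /* Every allocation is checked; a failure jumps to the single exit. */
    if (xasprintf(&principal, "host/%s@%s", fqdn, realm) < 0) {
        ret = ENOMEM;
        goto done;
    }
    if (xasprintf(&dn, "fqdn=%s,cn=computers,cn=accounts,%s",
                  fqdn, basedn) < 0) {
        ret = ENOMEM;
        goto done;
    }

    /* Transfer ownership to the caller, then forget the local copies so
     * the cleanup below cannot free what the caller now owns. */
    *principal_out = principal;
    *dn_out = dn;
    principal = NULL;
    dn = NULL;

done:
    /* free(NULL) is a no-op, so this is safe on every path, including
     * the one where only the first allocation succeeded. */
    free(principal);
    free(dn);
    return ret;
}
```

The two rules the block follows are the ones the commits restore in ipa-join: never treat an asprintf()-style pointer as valid unless the return value said so, and make every early exit go through one cleanup that releases exactly the pointers still held, nulling a pointer as soon as ownership moves elsewhere.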
* Do not use LDAP_DEPRECATED in plugins (Jakub Hrozek, 2011-01-07; 1 file, -4/+27)

  Remove the LDAP_DEPRECATED constant and do not use functions that are marked as deprecated in recent OpenLDAP releases.

  Also always define WITH_{MOZLDAP,OPENLDAP} since there are conditional header includes that depend on that constant.

  https://fedorahosted.org/freeipa/ticket/576
* Change FreeIPA license to GPLv3+ (Jakub Hrozek, 2010-12-20; 1 file, -5/+5)

  The changes include:
  * Change license blobs in source files to mention GPLv3+ not GPLv2 only
  * Add GPLv3+ license text
  * Package COPYING not LICENSE as the license blobs (even the old ones) mention COPYING specifically, it is also more common, I think

  https://fedorahosted.org/freeipa/ticket/239
* ipa-client code cleanup (Jakub Hrozek, 2010-11-22; 1 file, -11/+2)

  Fixes errors about implicit function declaration and moves duplicated gettext code into a common module. Also silences some warnings.

  Signed-off-by: Simo Sorce <ssorce@redhat.com>
* Initial gettext support for C utils (Simo Sorce, 2010-10-12; 1 file, -62/+103)

  Add automatic creation of Python and C file lists for potfiles
  Deletes useless copy of Makefile in install/po
  Remove duplicate maintainer-clean target
  Add debug target that prints file lists
  Unbreak update-po target, merges in patch from John
* Unenroll the client from the IPA server on uninstall. (Rob Crittenden, 2010-09-20; 1 file, -27/+229)

  Unenrollment means that the host keytab is disabled on the server making it possible to re-install on the client. This host principal is how we distinguish an enrolled vs an unenrolled client machine on the server.

  I added a --unroll option to ipa-join that binds using the host credentials and disables its own keytab.

  I fixed a couple of other unrelated problems in ipa-join at the same time.

  I also documented all the possible return values of ipa-getkeytab and ipa-join. There is so much overlap because ipa-join calls ipa-getkeytab and it returns whatever value ipa-getkeytab returned on failure.

  ticket 242
* const correctness (Adam Young, 2010-08-20; 1 file, -3/+3)

  made the data type for server consistent and correct across its usage
* Initialize XML-RPC structures to fix issues uncovered by MALLOC_PERTURB_ (Rob Crittenden, 2010-05-06; 1 file, -13/+11)

  Also re-arrange some code around reading the configuration file. In trying to eliminate bogus error messages I prevented the file from being read at all. It isn't a problem when joining with ipa-client (which uses -s) but it wouldn't work if you don't pass in a server name.
* client installation fixes: nscd, sssd min version, bogus join error (Rob Crittenden, 2010-05-03; 1 file, -1/+1)

  - Don't run nscd if using sssd, the caching of nscd conflicts with sssd
  - Set the minimum version of sssd to 1.1.1 to pick up needed hbac fixes
  - only try to read the file configuration if the server isn't passed in
* Use the certificate subject base in IPA when requesting certs in certmonger. (Rob Crittenden, 2010-04-23; 1 file, -5/+84)

  When using the dogtag CA we can control what the subject of an issued certificate is regardless of what is in the CSR, we just use the CN value.

  The selfsign CA does not have this capability. The subject format must match the configured format or certificate requests are rejected. The default format is CN=%s,O=IPA. certmonger by default issues requests with just CN so all requests would fail if using the selfsign CA.

  This subject base is stored in cn=ipaconfig so we can just fetch that value in the enrollment process and pass it to certmonger to request the right thing.

  Note that this also fixes ipa-join to work with the new argument passing mechanism.
* Add the popt auto-help/usage macro for enhanced help output. (Rob Crittenden, 2010-03-02; 1 file, -1/+2)
* Require that the hostname we are joining as is fully-qualified (Rob Crittenden, 2010-01-26; 1 file, -0/+6)
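Two commits in this log tighten what ipa-join accepts as the client's own name: this one requires a fully-qualified hostname, and the later "localhost.localdomain clients refused to join" change rejects 'localhost' and 'localhost.localdomain'. The following is an added example, not ipa-join's own code, of a hostname check a client enrollment tool can run before it ever talks to the server. It goes a little beyond the two commits by also validating DNS label syntax (non-empty labels of at most 63 characters, letters, digits and hyphens only, no leading or trailing hyphen, total length at most 253), since a principal "host/<fqdn>@REALM" built from a malformed name would otherwise be created on the server before anything notices. The function name and result codes are hypothetical and are not the return values documented in the ipa-join man page.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* Hypothetical result codes for the check; not ipa-join's exit values. */
enum host_check {
    HOST_OK = 0,
    HOST_NOT_FQDN = 1,    /* no domain part, or empty */
    HOST_LOCALHOST = 2,   /* loopback name, never a valid enrolled host */
    HOST_BAD_LABEL = 3    /* syntactically invalid DNS name */
};

/* Validate the name a client wants to enroll under. Returns HOST_OK only
 * for a syntactically valid, fully-qualified, non-loopback hostname. */
enum host_check check_join_hostname(const char *host)
{
    const char *p, *label;

    if (host == NULL || *host == '\0')
        return HOST_NOT_FQDN;
    if (strlen(host) > 253)
        return HOST_BAD_LABEL;

    /* The two loopback names ipa-client-install and ipa-join refuse.
     * Compared case-insensitively, as DNS names are. */
    if (strcasecmp(host, "localhost") == 0 ||
        strcasecmp(host, "localhost.localdomain") == 0)
        return HOST_LOCALHOST;

    /* Fully-qualified means at least one dot, i.e. a domain part. */
    if (strchr(host, '.') == NULL)
        return HOST_NOT_FQDN;

    /* Walk the labels: each must be 1..63 characters of [A-Za-z0-9-]
     * and must not start or end with a hyphen. An empty label (leading,
     * trailing or doubled dot) is rejected. */
    label = host;
    for (p = host; ; p++) {
        if (*p == '.' || *p == '\0') {
            size_t len = (size_t)(p - label);
            if (len == 0 || len > 63)
                return HOST_BAD_LABEL;
            if (label[0] == '-' || label[len - 1] == '-')
                return HOST_BAD_LABEL;
            if (*p == '\0')
                break;
            label = p + 1;
        } else if (!isalnum((unsigned char)*p) && *p != '-') {
            return HOST_BAD_LABEL;
        }
    }
    return HOST_OK;
}
```

Note that the loopback check is done before the FQDN check so that 'localhost' yields its own specific result rather than the generic "not fully-qualified" one, which matches the commit's intent of showing a proper error message for that case.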
* Add server option to ipa-join so the IPA server can be specified. (Rob Crittenden, 2009-11-30; 1 file, -4/+8)

  This is needed because in the client installer we actually perform the join before creating the configuration files that join uses. All we need is the IPA server to join to and we have that from the CLI options so use that.
* Clean up some return values (Rob Crittenden, 2009-11-19; 1 file, -12/+20)

  Because ipa-join calls ipa-getkeytab I'd like to keep the return values in sync. ipa-join returns the value returned by ipa-getkeytab so in order to tell what failed the return values need to mean the same things and not overlap.
* Improve debugging, general output, initialize xmlrpc-c properly (Rob Crittenden, 2009-10-12; 1 file, -9/+34)
* Enrollment for a host in an IPA domain (Rob Crittenden, 2009-09-24; 1 file, -0/+648)

  This will create a host service principal and may create a host entry (for admins). A keytab will be generated, by default in /etc/krb5.keytab

  If no kerberos credentials are available then enrollment over LDAPS is used if a password is provided.

  This change requires that openldap be used as our C LDAP client. It is much easier to do SSL using openldap than mozldap (no certdb required). Otherwise we'd have to write a slew of extra code to create a temporary cert database, import the CA cert, ...