summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
* ipa-adtrust-install: configure compatibility tree to serve trusted domain usersAlexander Bokovoy2013-07-181-1/+21
| | | | | | | | | | | | | | | | | | | | | | | | | Enables support for trusted domains users for old clients through Schema Compatibility plugin. SSSD supports trusted domains natively starting with version 1.9 platform. For platforms that lack SSSD or run older SSSD version one needs to use this option. When enabled, slapi-nis package needs to be installed and schema-compat-plugin will be configured to provide lookup of users and groups from trusted domains via SSSD on IPA server. These users and groups will be available under cn=users,cn=compat,$SUFFIX and cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and groups to lower case. In addition to providing these users and groups through the compat tree, this option enables authentication over LDAP for trusted domain users with DN under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX. This authentication is related to PAM stack using 'system-auth' PAM service. If you have disabled HBAC rule 'allow_all', then make sure there is special service called 'system-auth' created and HBAC rule to allow access to anyone to this rule on IPA masters is added. Please note that system-auth PAM service is not used directly by any other application, therefore it is safe to create one specifically to support trusted domain users via compatibility path. https://fedorahosted.org/freeipa/ticket/3567
* Hide sensitive attributes in LDAP updater logging and outputRob Crittenden2013-07-181-19/+47
| | | | | | | | The LDAP updater prints the initial and final states of an entry, as well as details on the changes made to attributes. This has the potential to expose sensitive values so exclude those from logging. https://fedorahosted.org/freeipa/ticket/3782
* Provide ipa-advise toolTomas Babej2013-07-174-0/+254
| | | | | | | | | | | | | | Provides a pluggable framework for generating configuration scriptlets and instructions for various machine setups and use cases. Creates a new ipa-advise command, available to root user on the IPA server. Also provides an example configuration plugin, config-fedora-authconfig. https://fedorahosted.org/freeipa/ticket/3670
* Change group ownership of CRL publish directoryTomas Babej2013-07-161-0/+13
| | | | | | | | | | | Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no longer owned by created with package installation. The directory is rather created/removed with the CA instance itself. This ensures proper creation/removeal, group ownership and SELinux context. https://fedorahosted.org/freeipa/ticket/3727
* Return the correct Content-type on negotiated XML-RPC requests.Rob Crittenden2013-07-151-2/+2
| | | | https://fedorahosted.org/freeipa/ticket/3745
* Make sure replication works after DM password is changedAna Krivokapic2013-07-111-0/+36
| | | | | | | | | | | | | | | | Replica information file contains the file `cacert.p12` which is protected by the Directory Manager password of the initial IPA server installation. The DM password of the initial installation is also used for the PKI admin user password. If the DM password is changed after the IPA server installation, the replication fails. To prevent this failure, add the following steps to ipa-replica-prepare: 1. Regenerate the `cacert.p12` file and protect it with the current DM password 2. Update the password of the PKI admin user with the current DM password https://fedorahosted.org/freeipa/ticket/3594
* Permit reads to ipatokenRadiusProxyUser objectsNathaniel McCallum2013-07-111-1/+1
| | | | | | This fixes an outstanding permissions issue from the OTP work. https://fedorahosted.org/freeipa/ticket/3693
* Use LDAP modify operation directly to add/remove group members.Jan Cholasta2013-07-111-23/+13
| | | | | | This prevents getting full member list from LDAP and putting it back later. https://fedorahosted.org/freeipa/ticket/3706
* Check trust chain length in CA-less install.Jan Cholasta2013-07-111-2/+9
| | | | https://fedorahosted.org/freeipa/ticket/3707
* Fix bug in adtrustinstanceAna Krivokapic2013-07-091-2/+2
| | | | | | | Incorrect tuple unpacking in adtrustinstance was causing ipa-adtrust-install to fail when IPA was installed with no DNS. https://fedorahosted.org/freeipa/ticket/3746
* Enable SASL mapping fallback.Jan Cholasta2013-06-272-2/+7
| | | | | | Assign a default priority of 10 to our SASL mappings. https://fedorahosted.org/freeipa/ticket/3330
* Create Firefox configuration extension on CA-less installPetr Vobornik2013-06-272-11/+16
| | | | | | | | | | Create: * kerberosauth.xpi * krb.js even when --http_pkcs12 option is used. https://fedorahosted.org/freeipa/ticket/3747
* Do not display traceback to userAna Krivokapic2013-06-241-5/+4
| | | | | | | | Logging tracebacks at the INFO level caused them to be displayed to user on the command line. Change the log level to DEBUG, so that tracebacks are not visible to user. https://fedorahosted.org/freeipa/ticket/3704
* Fail when adding a trust with a different rangeAna Krivokapic2013-06-241-3/+12
| | | | | | | | When adding a trust, if an id range already exists for this trust, and options --base-id/--range-size are provided with the trust-add command, trust-add should fail. https://fedorahosted.org/freeipa/ticket/3635
* Do not track DS certificate in CA-less setup.Jan Cholasta2013-06-121-2/+0
| | | | https://fedorahosted.org/freeipa/ticket/3675
* Skip empty lines when parsing pk12util output.Jan Cholasta2013-06-121-1/+1
|
* Handle exceptions gracefully when verifying PKCS#12 files.Jan Cholasta2013-06-122-2/+11
| | | | https://fedorahosted.org/freeipa/ticket/3667
* Flush stream after writing service messagesPetr Viktorin2013-06-111-0/+1
| | | | | | sys.stdout is buffered by default if redirected to a file. This may causes automated installation to appear hung. Flush the stream so that messages are written immediately.
* Add update plugin to fill in ipaRangeType attributeTomas Babej2013-06-102-0/+117
| | | | | | | | | | | | | | Previously, we deduced the range type from the range objectclass and filled in virtual attribute in post_callback phase. Having a ipaRangeType attributeType in schema, we need to fill the attribute values to ranges created in previous IPA versions. The plugin follows the same approach, setting ipa-local or ipa-ad-trust value to the ipaRangeType attribute according to the objectclass of the range. Part of https://fedorahosted.org/freeipa/ticket/3647
* Manage ipa-otpd.socket by IPATomas Babej2013-06-062-8/+34
| | | | | | | | Adds a new simple service called OtpdInstance, that manages ipa-otpd.socket service. Added to server/replica installer and ipa-upgradeconfig script. https://fedorahosted.org/freeipa/ticket/3680
* Use private ccache in ipa install toolsTomas Babej2013-06-051-0/+22
| | | | | | | | All installers that handle Kerberos auth, have been altered to use private ccache, that is ipa-server-install, ipa-dns-install, ipa-replica-install, ipa-ca-install. https://fedorahosted.org/freeipa/ticket/3666
* Remove code to install Dogtag 9Petr Viktorin2013-05-313-176/+11
| | | | | | | | | Since we depend on Dogtag 10 now, there is no need to keep code that installs a Dogtag 9 CA. Support for upgraded Dogtag-9-style instances is left in. https://fedorahosted.org/freeipa/ticket/3529
* Support multiple local domain ranges with RID base setTomas Babej2013-05-301-16/+34
| | | | | | | | | | | | | | | In ip-adtrust-install, "adding RID bases" step would fail if there was more than one local range defined. This can be a common case if e.g. there are users that migrated from previous IdM solution. With this patch, we fail only if there are multiple local ranges that do not have RID bases set. Keep in mind that overlap checking is ensured by ipa-range-check DS plugin. https://fedorahosted.org/freeipa/ticket/3498
* Avoid exporting KRB5_KTNAME in dirsrv envMartin Kosek2013-05-241-1/+0
| | | | | The variable is already defined, exporting in dirsrv systemd environment is not needed and produces a (benign) error.
* Add IPA OTP schema and ACLsNathaniel McCallum2013-05-172-8/+20
| | | | | | | | | | This commit adds schema support for two factor authentication via OTP devices, including RADIUS or TOTP. This schema will be used by future patches which will enable two factor authentication directly. https://fedorahosted.org/freeipa/ticket/3365 http://freeipa.org/page/V3/OTP
* Set KRB5CCNAME so that dirsrv can work with newer krb5-serverMartin Kosek2013-05-141-0/+18
| | | | | | | | | | | The DIR ccache format is now the default in krb5-server 1.11.2-4 but /run/user/<uid> isn't created for Apache by anything so it has no ccache (and it doesn't have SELinux permissions to write here either). Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv. https://fedorahosted.org/freeipa/ticket/3628
* Fix ipa-ca DNS name creationMartin Kosek2013-05-091-6/+10
| | | | | | | Previous fix (6d06a7e) did not work properly on a CA-less replica with CA-powered master. https://fedorahosted.org/freeipa/ticket/3617
* Do not add ipa-ca records on CA-less installsMartin Kosek2013-05-091-1/+1
| | | | | | ipa-dns-install crashed when it was run on a CA-less server. https://fedorahosted.org/freeipa/ticket/3617
* Set KRB5CCNAME so httpd s4u2proxy can with with newer krb5-serverRob Crittenden2013-05-091-0/+18
| | | | | | | | | | | The DIR ccache format is now the default in krb5-server 1.11.2-4 but /run/user/<uid> isn't created for Apache by anything so it has no ccache (and it doesn't have SELinux permissions to write here either). Use KRB5CCNAME to set a file path instead in /etc/sysconfig/httpd. https://fedorahosted.org/freeipa/ticket/3607
* Specify the location for the agent PKCS#12 file so we don't have to move it.Rob Crittenden2013-05-061-3/+1
| | | | | | | Dogtag 10.0.2 changed the default location for this file from /root/.pki to /root/.dogtag which broke our install. https://fedorahosted.org/freeipa/ticket/3599
* Handle a 501 in cert-find from dogtag as a "not supported"Rob Crittenden2013-05-031-0/+4
| | | | | | | | | | | Upgrading from d9 -> d10 does not set up the RESTful interface in dogtag, they just never coded it. Rather than trying to backport things they have decided to not support upgrades. We need to catch this and report a more reasonable error. They are returning a 501 (HTTP method unimplemented) in this case. https://fedorahosted.org/freeipa/ticket/3549
* Fix normalization of FQDNs in DNS installer code.Jan Cholasta2013-05-031-7/+6
| | | | https://fedorahosted.org/freeipa/ticket/3600
* Handle socket.gethostbyaddr() exceptions when verifying hostnames.Rob Crittenden2013-04-241-0/+2
| | | | | | | | | | Log any socket exceptions raised and let the process continue. This failure isn't a show-stopper. Other checks past this will catch any other problems. This was seen when /etc/hosts and /etc/resolv.conf were both empty. https://fedorahosted.org/freeipa/ticket/3581
* Add ipa-ca records for existing CA masters when installing DNS for the first ↵Jan Cholasta2013-04-241-5/+29
| | | | | | time. https://fedorahosted.org/freeipa/ticket/3564
* Add DNS records for existing masters when installing DNS for the first time.Jan Cholasta2013-04-241-41/+85
| | | | https://fedorahosted.org/freeipa/ticket/3564
* Use correct zone when removing DNS records of a master.Jan Cholasta2013-04-181-3/+2
| | | | https://fedorahosted.org/freeipa/ticket/3563
* Update only selected attributes for winsync agreementTomas Babej2013-04-163-13/+18
| | | | | | | | | | | | Trying to insert nsDS5ReplicatedAttributeListTotal and nsds5ReplicaStripAttrs to winsync agreements caused upgrade errors. With this patch, these attributes are skipped for winsync agreements. Made find_ipa_replication_agreements() in replication.py more corresponding to find_replication_agreements. It returns list of entries instead of unicode strings now. https://fedorahosted.org/freeipa/ticket/3522
* Drop --selfsign server functionalityPetr Viktorin2013-04-157-797/+137
| | | | | Design: http://freeipa.org/page/V3/Drop_selfsign_functionality Ticket: https://fedorahosted.org/freeipa/ticket/3494
* Remove obsolete self-sign references from man pages, docstrings, commentsPetr Viktorin2013-04-151-3/+2
| | | | Part of the work for https://fedorahosted.org/freeipa/ticket/3494
* Uninstall selfsign CA on upgradePetr Viktorin2013-04-153-7/+19
| | | | | | | | | This will convert a master with a selfsign CA to a CA-less one in ipa-upgradeconfig. The relevant files are left in place and can be used to manage certs manually. Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
* Use A/AAAA records instead of CNAME records in ipa-ca.Jan Cholasta2013-04-152-26/+110
| | | | https://fedorahosted.org/freeipa/ticket/3547
* Add nfs:NONE to default PAC types only when neededTomas Babej2013-04-152-0/+58
| | | | | | | | | We need to add nfs:NONE as a default PAC type only if there's no other default PAC type for nfs. Adds a update plugin which determines whether default PAC type for nfs is set and adds nfs:NONE PAC type accordingly. https://fedorahosted.org/freeipa/ticket/3555
* Apply LDAP update files in blocks of 10, as originally designed.Rob Crittenden2013-04-124-4/+30
| | | | | | | | | | | | | | | In order to have control over the order that updates are applied a numbering system was created for the update files. These values were not actually used. The updates were sorted by DN length and in most cases this was adequate for proper function. The exception was with roles where in some cases a role was added as a member of a permission before the role itself was added so the memberOf value was never created. Now updates are computed and applied in blocks of 10. https://fedorahosted.org/freeipa/ticket/3377
* Full system backup and restoreRob Crittenden2013-04-123-10/+1355
| | | | | | | | | This will allow one to backup and restore the IPA files and data. This does not cover individual entry restoration. http://freeipa.org/page/V3/Backup_and_Restore https://fedorahosted.org/freeipa/ticket/3128
* Use only one URL for OCSP and CRL in IPA certificate profile.Jan Cholasta2013-04-111-45/+14
| | | | https://fedorahosted.org/freeipa/ticket/3552
* Load the CA cert into server NSS databasesPetr Viktorin2013-04-024-11/+24
| | | | | | | | | The CA cert was not loaded, so if it was missing from the PKCS#12 file, installation would fail. Pass the cert filename to the server installers and include it in the NSS DB. Part of the work for: https://fedorahosted.org/freeipa/ticket/3363
* Support installing with custom SSL certs, without a CAPetr Viktorin2013-04-025-19/+161
| | | | | Design: http://freeipa.org/page/V3/CA-less_install https://fedorahosted.org/freeipa/ticket/3363
* dsinstance, httpinstance: Don't hardcode 'Server-Cert'Petr Viktorin2013-04-022-12/+22
|
* Trust CAs from PKCS#12 files even if they don't have Friendly NamesPetr Viktorin2013-04-021-1/+2
| | | | | Instead of trusting all certificates with friendly names, now all certs without a "u" flag are trusted as root certs.
* ipaserver.install.certs: Introduce NSSDatabase as a more generic certutil ↵Petr Viktorin2013-04-021-95/+191
| | | | | | | | | | | | | | wrapper The CertDB class was meant to be a wrapper around NSS databases, certutil, pk12util, etc. Unfortunately, over time it grew too dependent on the particular scenarios it is used in. Introduce a new class that has no knowledge about IPA configuration, and move generic code to it. In the future, generic code should be moved to NSSDatabase, code for the self-signed CA should be removed, and IPA-specific code may stay in CertDB (which calls NSSDatabase).
generated by cgit (git 2.34.1) at 2024-05-07 13:14:23 +0000