| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
| |
In DomainValidator, we store a dictionary containing information
for trusted domains. This is a case-sensitive dictionary keyed by
the domain name.
We need to use case-insensitive dictionary since domain names
are generally case-insensitive.
https://fedorahosted.org/freeipa/ticket/3816
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If stdin is a TTY, ipaserver.install.installutils uses getpass and all
is well. Without a TTY, though, there were two problems:
* The prompt was not printed
* On end of file, an empty string was returned, which caused read_password
to enter an infinite loop.
Fix both problems.
https://fedorahosted.org/freeipa/ticket/3824
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3717
|
|
|
|
|
|
|
|
| |
Attempt to resolve SIDs through SSSD first to avoid using trust
account password. This makes possible to run HBAC test requests
without being in 'trusted admins' group.
https://fedorahosted.org/freeipa/ticket/3803
|
|
|
|
|
|
|
|
|
|
| |
When creating a trusted domain ID range, probe AD DC to get
information about ID space leveraged by POSIX users already
defined in AD, and create an ID range with according parameters.
For more details:
http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
https://fedorahosted.org/freeipa/ticket/3649
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enables support for trusted domains users for old clients through Schema
Compatibility plugin. SSSD supports trusted domains natively starting with
version 1.9 platform. For platforms that lack SSSD or run older SSSD version
one needs to use this option. When enabled, slapi-nis package needs to
be installed and schema-compat-plugin will be configured to provide lookup of
users and groups from trusted domains via SSSD on IPA server. These users and
groups will be available under cn=users,cn=compat,$SUFFIX and
cn=groups,cn=compat,$SUFFIX trees. SSSD will normalize names of users and
groups to lower case.
In addition to providing these users and groups through the compat tree,
this option enables authentication over LDAP for trusted domain users with DN
under compat tree, i.e. using bind DN uid=administrator@ad.domain,cn=users,cn=compat,$SUFFIX.
This authentication is related to PAM stack using 'system-auth' PAM
service. If you have disabled HBAC rule 'allow_all', then make sure there is
special service called 'system-auth' created and HBAC rule to allow access to
anyone to this rule on IPA masters is added. Please note that system-auth PAM
service is not used directly by any other application, therefore it is safe to
create one specifically to support trusted domain users via compatibility path.
https://fedorahosted.org/freeipa/ticket/3567
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3785
|
|
|
|
|
|
|
|
| |
The LDAP updater prints the initial and final states of an entry, as well
as details on the changes made to attributes. This has the potential to
expose sensitive values so exclude those from logging.
https://fedorahosted.org/freeipa/ticket/3782
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Provides a pluggable framework for generating configuration
scriptlets and instructions for various machine setups and use
cases.
Creates a new ipa-advise command, available to root user
on the IPA server.
Also provides an example configuration plugin,
config-fedora-authconfig.
https://fedorahosted.org/freeipa/ticket/3670
|
|
|
|
|
|
|
|
|
|
|
| |
Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no
longer owned by created with package installation. The directory
is rather created/removed with the CA instance itself.
This ensures proper creation/removeal, group ownership
and SELinux context.
https://fedorahosted.org/freeipa/ticket/3727
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3745
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Replica information file contains the file `cacert.p12` which is protected by
the Directory Manager password of the initial IPA server installation. The DM
password of the initial installation is also used for the PKI admin user
password.
If the DM password is changed after the IPA server installation, the replication
fails.
To prevent this failure, add the following steps to ipa-replica-prepare:
1. Regenerate the `cacert.p12` file and protect it with the current DM password
2. Update the password of the PKI admin user with the current DM password
https://fedorahosted.org/freeipa/ticket/3594
|
|
|
|
|
|
| |
This fixes an outstanding permissions issue from the OTP work.
https://fedorahosted.org/freeipa/ticket/3693
|
|
|
|
|
|
| |
This prevents getting full member list from LDAP and putting it back later.
https://fedorahosted.org/freeipa/ticket/3706
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3707
|
|
|
|
|
|
|
| |
Incorrect tuple unpacking in adtrustinstance was causing ipa-adtrust-install
to fail when IPA was installed with no DNS.
https://fedorahosted.org/freeipa/ticket/3746
|
|
|
|
|
|
| |
Assign a default priority of 10 to our SASL mappings.
https://fedorahosted.org/freeipa/ticket/3330
|
|
|
|
|
|
|
|
|
|
| |
Create:
* kerberosauth.xpi
* krb.js
even when --http_pkcs12 option is used.
https://fedorahosted.org/freeipa/ticket/3747
|
|
|
|
|
|
|
|
| |
Logging tracebacks at the INFO level caused them to be displayed to user on the
command line. Change the log level to DEBUG, so that tracebacks are not visible
to user.
https://fedorahosted.org/freeipa/ticket/3704
|
|
|
|
|
|
|
|
| |
When adding a trust, if an id range already exists for this trust,
and options --base-id/--range-size are provided with the trust-add command,
trust-add should fail.
https://fedorahosted.org/freeipa/ticket/3635
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3675
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3667
|
|
|
|
|
|
| |
sys.stdout is buffered by default if redirected to a file.
This may causes automated installation to appear hung.
Flush the stream so that messages are written immediately.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, we deduced the range type from the range objectclass
and filled in virtual attribute in post_callback phase.
Having a ipaRangeType attributeType in schema, we need to fill
the attribute values to ranges created in previous IPA versions.
The plugin follows the same approach, setting ipa-local or
ipa-ad-trust value to the ipaRangeType attribute according
to the objectclass of the range.
Part of https://fedorahosted.org/freeipa/ticket/3647
|
|
|
|
|
|
|
|
| |
Adds a new simple service called OtpdInstance, that manages
ipa-otpd.socket service. Added to server/replica installer
and ipa-upgradeconfig script.
https://fedorahosted.org/freeipa/ticket/3680
|
|
|
|
|
|
|
|
| |
All installers that handle Kerberos auth, have been altered to use
private ccache, that is ipa-server-install, ipa-dns-install,
ipa-replica-install, ipa-ca-install.
https://fedorahosted.org/freeipa/ticket/3666
|
|
|
|
|
|
|
|
|
| |
Since we depend on Dogtag 10 now, there is no need to keep code
that installs a Dogtag 9 CA.
Support for upgraded Dogtag-9-style instances is left in.
https://fedorahosted.org/freeipa/ticket/3529
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In ip-adtrust-install, "adding RID bases" step would fail
if there was more than one local range defined. This can be a
common case if e.g. there are users that migrated from previous
IdM solution.
With this patch, we fail only if there are multiple local ranges
that do not have RID bases set.
Keep in mind that overlap checking is ensured by ipa-range-check
DS plugin.
https://fedorahosted.org/freeipa/ticket/3498
|
|
|
|
|
| |
The variable is already defined, exporting in dirsrv systemd
environment is not needed and produces a (benign) error.
|
|
|
|
|
|
|
|
|
|
| |
This commit adds schema support for two factor authentication via
OTP devices, including RADIUS or TOTP. This schema will be used
by future patches which will enable two factor authentication
directly.
https://fedorahosted.org/freeipa/ticket/3365
http://freeipa.org/page/V3/OTP
|
|
|
|
|
|
|
|
|
|
|
| |
The DIR ccache format is now the default in krb5-server 1.11.2-4
but /run/user/<uid> isn't created for Apache by anything so it
has no ccache (and it doesn't have SELinux permissions to write here
either).
Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv.
https://fedorahosted.org/freeipa/ticket/3628
|
|
|
|
|
|
|
| |
Previous fix (6d06a7e) did not work properly on a CA-less replica
with CA-powered master.
https://fedorahosted.org/freeipa/ticket/3617
|
|
|
|
|
|
| |
ipa-dns-install crashed when it was run on a CA-less server.
https://fedorahosted.org/freeipa/ticket/3617
|
|
|
|
|
|
|
|
|
|
|
| |
The DIR ccache format is now the default in krb5-server 1.11.2-4
but /run/user/<uid> isn't created for Apache by anything so it
has no ccache (and it doesn't have SELinux permissions to write here
either).
Use KRB5CCNAME to set a file path instead in /etc/sysconfig/httpd.
https://fedorahosted.org/freeipa/ticket/3607
|
|
|
|
|
|
|
| |
Dogtag 10.0.2 changed the default location for this file from /root/.pki
to /root/.dogtag which broke our install.
https://fedorahosted.org/freeipa/ticket/3599
|
|
|
|
|
|
|
|
|
|
|
| |
Upgrading from d9 -> d10 does not set up the RESTful interface
in dogtag, they just never coded it. Rather than trying to backport
things they have decided to not support upgrades.
We need to catch this and report a more reasonable error. They are
returning a 501 (HTTP method unimplemented) in this case.
https://fedorahosted.org/freeipa/ticket/3549
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3600
|
|
|
|
|
|
|
|
|
|
| |
Log any socket exceptions raised and let the process continue. This
failure isn't a show-stopper. Other checks past this will catch any
other problems.
This was seen when /etc/hosts and /etc/resolv.conf were both empty.
https://fedorahosted.org/freeipa/ticket/3581
|
|
|
|
|
|
| |
time.
https://fedorahosted.org/freeipa/ticket/3564
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3564
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3563
|
|
|
|
|
|
|
|
|
|
|
|
| |
Trying to insert nsDS5ReplicatedAttributeListTotal and
nsds5ReplicaStripAttrs to winsync agreements caused upgrade errors.
With this patch, these attributes are skipped for winsync agreements.
Made find_ipa_replication_agreements() in replication.py more
corresponding to find_replication_agreements. It returns list of
entries instead of unicode strings now.
https://fedorahosted.org/freeipa/ticket/3522
|
|
|
|
|
| |
Design: http://freeipa.org/page/V3/Drop_selfsign_functionality
Ticket: https://fedorahosted.org/freeipa/ticket/3494
|
|
|
|
| |
Part of the work for https://fedorahosted.org/freeipa/ticket/3494
|
|
|
|
|
|
|
|
|
| |
This will convert a master with a selfsign CA to a CA-less one in
ipa-upgradeconfig.
The relevant files are left in place and can be used to manage certs
manually.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/3547
|
|
|
|
|
|
|
|
|
| |
We need to add nfs:NONE as a default PAC type only if there's no
other default PAC type for nfs. Adds a update plugin which
determines whether default PAC type for nfs is set and adds
nfs:NONE PAC type accordingly.
https://fedorahosted.org/freeipa/ticket/3555
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In order to have control over the order that updates are applied
a numbering system was created for the update files. These values
were not actually used.
The updates were sorted by DN length and in most cases this was
adequate for proper function. The exception was with roles where
in some cases a role was added as a member of a permission before
the role itself was added so the memberOf value was never created.
Now updates are computed and applied in blocks of 10.
https://fedorahosted.org/freeipa/ticket/3377
|