path: root/ipaserver
Commit message | Author | Age | Files | Lines
* trust: support retrieving POSIX IDs with one-way trust during trust-add [oneway-trust] | Alexander Bokovoy | 2015-07-07 | 1 | -18/+65
  With one-way trust we cannot rely on cross-realm TGT as there will be none. Thus, if we have AD administrator credentials we should reuse them. Additionally, such use should be done over Kerberos.

  Fixes:
  https://fedorahosted.org/freeipa/ticket/4960
  https://fedorahosted.org/freeipa/ticket/4959
* trusts: add support for one-way trust and switch to it by default | Alexander Bokovoy | 2015-07-07 | 1 | -12/+32
  One-way trust is the default now, use 'trust add --two-way ' to force bidirectional trust

  https://fedorahosted.org/freeipa/ticket/4959

  In case of one-way trust we cannot authenticate using cross-realm TGT against an AD DC. We have to use trusted domain object from within AD domain and access to this object is limited to avoid compromising the whole trust configuration. Instead, IPA framework can call out to oddjob daemon and ask it to run the script which can have access to the TDO object. This script (com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal to retrieve TDO object credentials from IPA LDAP if needed and then authenticate against AD DCs using the TDO object credentials.

  The script pulls the trust topology out of AD DCs and updates IPA LDAP store. Then IPA framework can pick the updated data from the IPA LDAP under normal access conditions.

  Part of https://fedorahosted.org/freeipa/ticket/4546
* trusts: pass AD DC hostname if specified explicitly | Alexander Bokovoy | 2015-07-07 | 1 | -3/+7
  Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047
* ipa-adtrust-install: add IPA master host principal to adtrust agents | Alexander Bokovoy | 2015-07-07 | 4 | -30/+78
  Fixes https://fedorahosted.org/freeipa/ticket/4951
* DNSSEC: ipa-dns-install: Detect existing master server sooner. | Petr Spacek | 2015-07-07 | 1 | -14/+12
  User should get the error before he installs missing packages etc.

  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: update message | Martin Basti | 2015-07-07 | 1 | -7/+21
  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* DNSSEC: allow to disable/replace DNSSEC key master | Martin Basti | 2015-07-07 | 5 | -22/+295
  This commit allows to replace or disable DNSSEC key master

  Replacing DNSSEC master requires to copy kasp.db file manually by user

  ipa-dns-install:
  --disable-dnssec-master  DNSSEC master will be disabled
  --dnssec-master --kasp-db=FILE  This configures new DNSSEC master server, kasp.db from old server is required for successful replacement
  --force  Skip checks

  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Server Upgrade: use debug log level for upgrade instead of info | Martin Basti | 2015-07-03 | 7 | -39/+39
  Upgrade contains too many unnecessary info logs.

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* winsync_migrate: Generalize membership migration | Tomas Babej | 2015-07-02 | 1 | -21/+78
  https://fedorahosted.org/freeipa/ticket/4943
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync_migrate: Migrate memberships of the winsynced users | Tomas Babej | 2015-07-02 | 1 | -0/+51
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* idviews: Fallback to AD DC LDAP only if specifically allowed | Tomas Babej | 2015-07-02 | 1 | -1/+6
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Move the tool under ipaserver.install package | Tomas Babej | 2015-07-02 | 1 | -0/+0
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Rename the tool to achieve consistency with other tools | Tomas Babej | 2015-07-02 | 2 | -28/+5
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Delete winsync agreement prior to migration | Tomas Babej | 2015-07-02 | 1 | -0/+35
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Require explicit specification of the target server and validate existing agreement | Tomas Babej | 2015-07-02 | 1 | -0/+33
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Require root privileges | Tomas Babej | 2015-07-02 | 1 | -1/+2
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* dcerpc: Add debugging message to failing kinit as http | Tomas Babej | 2015-07-02 | 1 | -0/+2
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* dcerpc: Change logging level for debug information | Tomas Babej | 2015-07-02 | 1 | -2/+2
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Move the api initialization and LDAP connection to the main method | Tomas Babej | 2015-07-02 | 1 | -3/+12
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* migrate-winsync: Add option validation and handling | Tomas Babej | 2015-07-02 | 1 | -0/+44
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* migrate-winsync: Create user ID overrides in place of winsynced user entries | Tomas Babej | 2015-07-02 | 1 | -0/+32
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Add a way to find all winsync users | Tomas Babej | 2015-07-02 | 1 | -4/+21
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Add initial plumbing | Tomas Babej | 2015-07-02 | 2 | -0/+89
  https://fedorahosted.org/freeipa/ticket/4524
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* KRA Install: check replica file if contains req. certificates | Martin Basti | 2015-07-02 | 1 | -0/+16
  https://fedorahosted.org/freeipa/ticket/5059
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* replication: fix regression in get_agreement_type | Petr Vobornik | 2015-07-01 | 1 | -0/+3
  dcb6916a3b0601e33b08e12aeb25357efed6812b introduced a regression where get_agreement_type does not raise NotFound error if an agreement for host does not exist. The exception was swallowed by get_replication_agreement.

  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* replica prepare: Do not use entry after disconnecting from LDAP | Jan Cholasta | 2015-07-01 | 1 | -2/+5
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Specify plugin base classes and modules using API properties | Jan Cholasta | 2015-07-01 | 1 | -1/+6
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Pass API to plugins on initialization rather than using set_api | Jan Cholasta | 2015-07-01 | 11 | -83/+37
  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Specify plugins to import in API by module names | Jan Cholasta | 2015-07-01 | 1 | -1/+1
  This change removes the automatic plugins sub-package magic and allows specifying modules in addition to packages.

  https://fedorahosted.org/freeipa/ticket/3090
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipalib: Load ipaserver plugins when api.env.in_server is True | Jan Cholasta | 2015-07-01 | 8 | -11/+5
  https://fedorahosted.org/freeipa/ticket/3090
  https://fedorahosted.org/freeipa/ticket/5073
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* plugable: Move plugin base class and override logic to API | Jan Cholasta | 2015-07-01 | 1 | -4/+1
  Each API object now maintains its own view of registered plugins. This change removes the need to register plugin base classes.

  This reverts commit 2db741e847c60d712dbc8ee1cd65a978a78eb312.

  https://fedorahosted.org/freeipa/ticket/3090
  https://fedorahosted.org/freeipa/ticket/5073
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Migrate CA profiles after enabling LDAPProfileSubsystem | Fraser Tweedale | 2015-07-01 | 2 | -29/+112
  After enabling LDAPProfileSubsystem in Dogtag, migrate the file-based profiles into the LDAP database.

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Upgrade CA schema during upgrade | Fraser Tweedale | 2015-07-01 | 1 | -0/+23
  New schema (for LDAP-based profiles) was introduced in Dogtag, but Dogtag does not yet have a reliable method for upgrading its schema. Use FreeIPA's schema update machinery to add the new attributeTypes and objectClasses defined by Dogtag.

  Also update the pki dependencies to 10.2.5, which provides the schema update file.

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Sanitize CA replica install | Martin Basti | 2015-06-30 | 1 | -12/+10
  Check if cafile exists first.

  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix upgrade of HTTPInstance for KDC Proxy | Christian Heimes | 2015-06-29 | 1 | -0/+6
  HTTPInstance needs an LDAP connection for KDC Proxy upgrade. The patch ensures that an admin_conn is available.

  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* Fix removal of ipa-kdc-proxy.conf symlink | Christian Heimes | 2015-06-29 | 2 | -2/+2
  installutils.remove_file() ignored broken symlinks. Now it uses os.path.lexists() to detect and also remove dangling symlinks.

  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* fix force-sync, re-initialize of replica and a check for replication agreement existence | Petr Vobornik | 2015-06-29 | 2 | -16/+4
  in other words limit usage of `agreement_dn` method only for manipulation and search of agreements which are not managed by topology plugin.

  For other cases it is safer to search for the agreement.

  https://fedorahosted.org/freeipa/ticket/5066
  Reviewed-By: David Kupka <dkupka@redhat.com>
* upgrade: Raise error when certmonger is not running. | David Kupka | 2015-06-29 | 1 | -0/+3
  Certmonger should be running (should be started on system boot). Either user decided to stop it or it crashed. We should just error out and let user check & fix it.

  https://fedorahosted.org/freeipa/ticket/5080
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* fix handling of ldap.LDAPError in installer | Petr Vobornik | 2015-06-29 | 1 | -3/+7
  'info' is an optional component in LDAPError

  http://www.python-ldap.org/doc/html/ldap.html#exceptions
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Provide Kerberos over HTTP (MS-KKDCP) | Christian Heimes | 2015-06-24 | 3 | -1/+70
  Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS.

  - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied.
  - The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is present.
  - The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui.
  - An ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
  - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var.
  - python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers are read from /etc/krb5.conf.
  - The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet.

  https://www.freeipa.org/page/V4/KDC_Proxy
  https://fedorahosted.org/freeipa/ticket/4801
  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Replicas cannot define their own master password. | Simo Sorce | 2015-06-24 | 1 | -8/+0
  Seems like this slipped in during the refactoring of the install tools.

  https://fedorahosted.org/freeipa/ticket/4468
  Signed-off-by: Simo Sorce <simo@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ipa-ca-install fix: reconnect ldap2 after DS restart | Martin Basti | 2015-06-18 | 1 | -0/+9
  https://fedorahosted.org/freeipa/ticket/5064
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Clarify error messages in ipa-replica-prepare: add_dns_records() | Petr Spacek | 2015-06-18 | 1 | -3/+3
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Clarify recommendation about --ip-address option in ipa-replica-prepare | Petr Spacek | 2015-06-18 | 1 | -2/+3
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Improve error messages about reverse address resolution in ipa-replica-prepare | Petr Spacek | 2015-06-18 | 1 | -2/+8
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* install: Fix ipa-replica-install not installing RA cert | Jan Cholasta | 2015-06-18 | 2 | -9/+14
  https://fedorahosted.org/freeipa/ticket/4468
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Server Upgrade: disconnect ldap2 connection before DS restart | Martin Basti | 2015-06-15 | 1 | -0/+5
  Without this patch, the invalid api.Backend.ldap2 connection was used to communicate with DS and it raises network error after DS restart.

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Use 389-ds centralized scripts. | David Kupka | 2015-06-11 | 2 | -4/+12
  Directory server is deprecating use of tools in instance specific paths. Instead tools in bin/sbin path should be used.

  https://fedorahosted.org/freeipa/ticket/4051
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* DNSSEC: Improve global forwarders validation | Martin Basti | 2015-06-11 | 1 | -11/+21
  Validation now provides more detailed information and fewer false positive failures.

  https://fedorahosted.org/freeipa/ticket/4657
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Add CA ACL plugin | Fraser Tweedale | 2015-06-11 | 2 | -0/+29
  Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles.

  At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed.

  Also, during install and upgrade add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA.

  Part of: https://fedorahosted.org/freeipa/ticket/57
  Part of: https://fedorahosted.org/freeipa/ticket/4559
  Reviewed-By: Martin Basti <mbasti@redhat.com>