summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
* install: create ff krb extension on every install, replica install and upgradePetr Vobornik2014-09-112-14/+2
| | | | | | | | | | We don't want to copy the extension from master to replica because the replica may use newer version of FreeIPA and therefore the extension code might be obsolete. Same reason for upgrades. https://fedorahosted.org/freeipa/ticket/4478 Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
* Use autobind when updating CA people entries during certificate renewalJan Cholasta2014-09-091-11/+3
| | | | | | | | | Requires fix for <https://bugzilla.redhat.com/show_bug.cgi?id=1122110>, bump selinux-policy in the spec file. https://fedorahosted.org/freeipa/ticket/4005 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Remove internaldb password from password.confAna Krivokapic2014-09-091-0/+3
| | | | | | | | | Remove internaldb password from password.conf after switching over to client certificate authentication. The password is no longer needed. https://fedorahosted.org/freeipa/ticket/4005 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Backup CS.cfg before modifying itJan Cholasta2014-09-051-0/+21
| | | | | | https://fedorahosted.org/freeipa/ticket/4166 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix: Add managed read permissions for compat tree and operational attrsPetr Viktorin2014-09-051-0/+18
| | | | | | | | | | | This is a fix for an earlier version, which was committed by mistake as: master: 418ce870bfbe13cea694a7b862cafe35c703f660 ipa-4-0: 3e2c86aeabbd2e3c54ad73a40803ef2bf5b0cb17 ipa-4-1: 9bcd88589e30d31d3f533cd42d2f816ef01b07c7 Thanks to Alexander Bokovoy for contributions https://fedorahosted.org/freeipa/ticket/4521
* Make CA-less ipa-server-install option --root-ca-file optional.Jan Cholasta2014-09-054-33/+45
| | | | | | | | | | | | | The CA cert specified by --root-ca-file option must always be the CA cert of the CA which issued the server certificates in the PKCS#12 files. As the cert is not actually user selectable, use CA cert from the PKCS#12 files by default if it is present. Document --root-ca-file in ipa-server-install man page. https://fedorahosted.org/freeipa/ticket/4457 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Use certmonger D-Bus API instead of messing with its files.David Kupka2014-09-055-34/+14
| | | | | | | | | | | | FreeIPA certmonger module changed to use D-Bus to communicate with certmonger. Using the D-Bus API should be more stable and supported way of using cermonger than tampering with its files. >=certmonger-0.75.13 is needed for this to work. https://fedorahosted.org/freeipa/ticket/4280 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Normalize external CA cert before passing it to pkispawnJan Cholasta2014-09-041-2/+12
| | | | | | https://fedorahosted.org/freeipa/ticket/4019 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Add record(s) to /etc/host when IPA is configured as DNS server.David Kupka2014-09-031-1/+1
| | | | | | | | | | This is to avoid chicken-egg problem when directory server fails to start without resolvable hostname and named fails to provide hostname without directory server. https://fedorahosted.org/freeipa/ticket/4220 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipaserver/dcerpc.py: Make sure trust is established only to forest root domainAlexander Bokovoy2014-09-011-0/+6
| | | | | | Part of https://fedorahosted.org/freeipa/ticket/4463 Reviewed-By: Sumit Bose <sbose@redhat.com>
* ipaserver/dcerpc.py: be more open to what domains can be seen through the ↵Alexander Bokovoy2014-09-011-1/+1
| | | | | | | | forest trust https://fedorahosted.org/freeipa/ticket/4463 Reviewed-By: Sumit Bose <sbose@redhat.com>
* ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts on Windows ↵Alexander Bokovoy2014-09-011-3/+10
| | | | | | | | Server prior to 2012 http://msdn.microsoft.com/en-us/library/2a769a08-e023-459f-aebe-4fb3f595c0b7#id83 Reviewed-By: Sumit Bose <sbose@redhat.com>
* ipaserver/dcerpc.py: make PDC discovery more robustAlexander Bokovoy2014-09-011-5/+16
| | | | | | | | | | Certain operations against AD domain controller can only be done if its FSMO role is primary domain controller. We need to use writable DC and PDC when creating trust and updating name suffix routing information. https://fedorahosted.org/freeipa/ticket/4479 Reviewed-By: Sumit Bose <sbose@redhat.com>
* ipaserver/dcerpc.py: if search of a closest GC failed, try to find any GCAlexander Bokovoy2014-09-011-1/+5
| | | | | | https://fedorahosted.org/freeipa/ticket/4458 Reviewed-By: Sumit Bose <sbose@redhat.com>
* Add a KRA to IPAAde Lee2014-08-229-447/+1593
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the capability of installing a Dogtag KRA to an IPA instance. With this patch, a KRA is NOT configured by default when ipa-server-install is run. Rather, the command ipa-kra-install must be executed on an instance on which a Dogtag CA has already been configured. The KRA shares the same tomcat instance and DS instance as the Dogtag CA. Moreover, the same admin user/agent (and agent cert) can be used for both subsystems. Certmonger is also confgured to monitor the new subsystem certificates. To create a clone KRA, simply execute ipa-kra-install <replica_file> on a replica on which a Dogtag CA has already been replicated. ipa-kra-install will use the security domain to detect whether the system being installed is a replica, and will error out if a needed replica file is not provided. The install scripts have been refactored somewhat to minimize duplication of code. A new base class dogtagintance.py has been introduced containing code that is common to KRA and CA installs. This will become very useful when we add more PKI subsystems. The KRA will install its database as a subtree of o=ipaca, specifically o=ipakra,o=ipaca. This means that replication agreements created to replicate CA data will also replicate KRA data. No new replication agreements are required. Added dogtag plugin for KRA. This is an initial commit providing the basic vault functionality needed for vault. This plugin will likely be modified as we create the code to call some of these functions. Part of the work for: https://fedorahosted.org/freeipa/ticket/3872 The uninstallation option in ipa-kra-install is temporarily disabled. Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Convert external CA chain to PKCS#7 before passing it to pkispawn.Jan Cholasta2014-08-141-1/+12
| | | | | | https://fedorahosted.org/freeipa/ticket/4397 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Fix parsing of long nicknames in certutil -L output.Jan Cholasta2014-08-071-4/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/4453 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* ipa-adtrust-install does not re-add member in adtrust agents groupMartin Kosek2014-08-071-18/+21
| | | | | | | | | | | | When a CIFS service exists and adtrust agents group does not have it as a member attribute (for whatever reason), re-running ipa-adtrust-install does not fix the inconsistency. Make the installer more robust by being able to fix the inconsistency. https://fedorahosted.org/freeipa/ticket/4464 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Enable NSS PKIX certificate path discovery and validation for Dogtag.Jan Cholasta2014-07-301-0/+6
| | | | | | Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Allow upgrading CA-less to CA-full using ipa-ca-install.Jan Cholasta2014-07-301-4/+4
| | | | | | Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Allow adding CA certificates to certificate store in ipa-cacert-manage.Jan Cholasta2014-07-301-2/+55
| | | | | | Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Allow changing chaining of the IPA CA certificate in ipa-cacert-manage.Jan Cholasta2014-07-301-5/+24
| | | | | | Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add new NSSDatabase method get_cert for getting certs from NSS databases.Jan Cholasta2014-07-301-1/+13
| | | | | | Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Allow multiple CA certificates in replica info files.Jan Cholasta2014-07-301-1/+15
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add function for writing list of certificates to a PEM file to ipalib.x509.Jan Cholasta2014-07-302-2/+2
| | | | | | | | | | Also rename load_certificate_chain_from_file to load_certificate_list_from_file. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Import CA certs from certificate store to HTTP NSS database on server install.Jan Cholasta2014-07-301-0/+5
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Import CA certs from certificate store to DS NSS database on replica install.Jan Cholasta2014-07-302-1/+29
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add new add_cert method for adding certificates to NSSDatabase and CertDB.Jan Cholasta2014-07-302-15/+13
| | | | | | | | | | Replace all uses of NSSDatabase method add_single_pem_cert with add_cert and remove add_single_pem_cert. Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Rename CertDB method add_cert to import_cert.Jan Cholasta2014-07-301-3/+3
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Upload CA chain from DS NSS database to certificate store on server update.Jan Cholasta2014-07-301-16/+52
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Upload CA chain from DS NSS database to certificate store on server install.Jan Cholasta2014-07-301-19/+17
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add permissions for certificate store.Jan Cholasta2014-07-302-0/+76
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add LDAP schema for certificate store.Jan Cholasta2014-07-301-0/+1
| | | | | | | Part of https://fedorahosted.org/freeipa/ticket/3259 Part of https://fedorahosted.org/freeipa/ticket/3520 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Fix trust flags in HTTP and DS NSS databases.Jan Cholasta2014-07-304-14/+26
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Allow specifying trust flags in NSSDatabase and CertDB method trust_root_cert.Jan Cholasta2014-07-301-4/+6
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Do not treat the IPA RA cert as CA cert in DS NSS database.Jan Cholasta2014-07-301-1/+1
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Allow IPA master hosts to read and update IPA master information.Jan Cholasta2014-07-301-0/+38
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Do not use ldapi in certificate renewal scripts.Jan Cholasta2014-07-301-8/+13
| | | | | | This prevents SELinux denials when accessing the ldapi socket. Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Remove master ACIs when deleting a replica.Jan Cholasta2014-07-301-0/+43
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Load sysupgrade.state on demand.Jan Cholasta2014-07-301-1/+9
| | | | | | | This prevents SELinux denials when the sysupgrade module is imported in a confined process. Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add CA certificate management tool ipa-cacert-manage.Jan Cholasta2014-07-301-0/+285
| | | | | | Part of https://fedorahosted.org/freeipa/ticket/3737 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add permissions for CA certificate renewal.Jan Cholasta2014-07-301-0/+23
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add method for verifying CA certificates to NSSDatabase.Jan Cholasta2014-07-301-0/+23
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Move external cert validation from ipa-server-install to installutils.Jan Cholasta2014-07-301-1/+49
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Add method for setting CA renewal master in LDAP to CAInstance.Jan Cholasta2014-07-301-3/+38
| | | | | | Allow checking and setting CA renewal master for non-local CA instances. Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Track CA certificate using dogtag-ipa-ca-renew-agent.Jan Cholasta2014-07-301-7/+13
| | | | Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Fix DNS upgrade plugin should check if DNS container existsMartin Basti2014-07-281-0/+4
| | | | | | | Fortunately this cause no error, because dnszone-find doesnt raise exception if there is no DNS container Reviewed-By: Petr Viktorin <pviktori@redhat.com>
* Always record that pkicreate has been executed.David Kupka2014-07-221-3/+10
| | | | | | | | | Record that pkicreate/pkispawn has been executed to allow cleanup even if the installation did not finish correctly. https://fedorahosted.org/freeipa/ticket/2796 Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Fix login password expiration detection with OTPNathaniel McCallum2014-07-211-31/+9
| | | | | | | | | | | | | | | | | | | | | The preexisting code would execute two steps. First, it would perform a kinit. If the kinit failed, it would attempt to bind using the same credentials to determine if the password were expired. While this method is fairly ugly, it mostly worked in the past. However, with OTP this breaks. This is because the OTP code is consumed by the kinit step. But because the password is expired, the kinit step fails. When the bind is executed, the OTP token is already consumed, so bind fails. This causes all password expirations to be reported as invalid credentials. After discussion with MIT, the best way to handle this case with the standard tools is to set LC_ALL=C and check the output from the command. This eliminates the bind step altogether. The end result is that OTP works and all password failures are more performant. https://fedorahosted.org/freeipa/ticket/4412 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* Enable debug pid in smb.confGabe2014-07-181-0/+1
| | | | | | https://fedorahosted.org/freeipa/ticket/3485 Reviewed-By: Tomas Babej <tbabej@redhat.com>
generated by cgit (git 2.34.1) at 2024-05-14 23:35:55 +0000