summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* ipadb: reload trust information if domain is not knownSumit Bose2012-10-091-1/+39
| | | | | | | | | | Currently the data about trusted domains is read once at startup. If a new trust is added the KDC must be restarted to know about the new trust. This patch reloads the trust data if there is a request from an unknown domain. To make DOS attacks a bit harder the data can be updated only once in a minute. Fixes https://fedorahosted.org/freeipa/ticket/3156
* ipa-adtrust-install: create fallback group with ldif fileSumit Bose2012-10-093-30/+20
| | | | | | | | | | Currently the framework is used to add the group but we want to avoid that users are added explicitly to the group by removing the objectclasses groupofnames, ipausergroup and nestedgroup and we want to use a name with spaces in it. Both it not easy possible with the framework, a LDIF file is used instead to create the group. Fixes https://fedorahosted.org/freeipa/ticket/3147
* Handle NotFound exception when establishing trustAlexander Bokovoy2012-10-091-3/+34
| | | | | | | | | | | Establishing trust implies discovery of the trusted domain's domain controller via DNS. If DNS discovery is not possible, NotFound exception is raised. Intercept the exception and process it to help diagnose and fix actual problem: - if IPA is managing DNS, suggest to make a forward for the domain's zone - otherwise suggest to setup DNS forwarder at upstream DNS server https://fedorahosted.org/freeipa/ticket/3103
* support multi-line error messages in exceptionsAlexander Bokovoy2012-10-093-10/+42
|
* ipasam: generate proper SID for trusted domain objectSumit Bose2012-10-041-8/+49
|
* Add new ipaIDobject to DNA plugin configuratonSumit Bose2012-10-042-1/+6
|
* ipa-adtrust-install: print list of needed SRV recordsSumit Bose2012-10-041-9/+13
| | | | | | | If --no-msdcs is given on the command line all needed SRV records will be printed. Fixes https://fedorahosted.org/freeipa/ticket/3019
* Avoid ldapmodify error messages during ipa-adtrust-installSumit Bose2012-10-041-13/+34
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3012
* Add SIDs for existing users and groups at the end of ipa-adtrust-installSumit Bose2012-10-046-12/+43
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3104
* ipasam: add fallback primary groupSumit Bose2012-10-041-7/+230
| | | | https://fedorahosted.org/freeipa/ticket/2955
* ipa-adtrust-install: replace print with self.print_msgSumit Bose2012-10-041-14/+14
| | | | https://fedorahosted.org/freeipa/ticket/3019
* ipa-adtrust-install: Add fallback groupSumit Bose2012-10-042-13/+97
| | | | https://fedorahosted.org/freeipa/ticket/2955
* Removal of delegation-uris instruction from browser configPetr Vobornik2012-10-041-1/+0
| | | | | | Delegation is not needed since support of s4u2proxy mechanism. https://fedorahosted.org/freeipa/ticket/3094
* Configuration pages changed to use new FF extensionPetr Vobornik2012-10-0413-48/+550
| | | | | | | | | | | | | | | browserconfig.html was changed to use new FF extension. The page is completely Firefox specific therefore the title was changed from 'Configure browser' to 'Firefox configuration'. Instruction to import CA cert in unauthorized.html are FF specific too, so they were moved to browserconfig.html. Unauthorized.html text was changed to distinguish FF config and other browsers. Now the page shows link for FF (browserconfig.html) and other browsers (ssbrowser.html). Ssbrowser.html should be enhanced by more configurations and browsers later [1]. Old configuration method was moved to ssbrowser.html. Unauthorized dialog in Web UI now links to http://../unauthorized.html instead of https. This change is done because of FF strange handling of extension installations from https sites [2]. Firefox allows ext. installation from https sites only when the certificate is signed by some build-in CA. To allow custom CAs an option in about:config has to be changed which don't help us at all because we wants to avoid manual changes in about:config. The design of browserconfig is inspired by Kyle Baker's design (2.1 Enhancements_v2.odt). It is not exactly the same. Highlighting of the steps wasn't used because in some cases we can switch some steps. Ticket: https://fedorahosted.org/freeipa/ticket/3094 [1] https://fedorahosted.org/freeipa/ticket/823 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383
* Build and installation of Kerberos authentication extensionPetr Vobornik2012-10-046-2/+32
| | | | | | | | | | | | This patch is adding a build of kerberosauth.xpi (FF Kerberos authentication extension). Currently the build is done in install phase of FreeIPA server. It is to allow signing of the extension by singing certificate. The signing might not be necessary because the only outcome is that in extension installation FF doesn't show that the maker is not verified. It shows text: 'Object signing cert'. This might be a bug in httpinstance.py:262(db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)) The value is in place of hostname parameter. If the extension is not signed, it can be created in rpm build phase, which should make upgrades easier. Current implementation doesn't handle upgrades yet. In order to keep extension and config pages not dependent on a realm, a krb.js.teplate file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in install phase which holds FreeIPA's realm and domain information. This information can be then used by config pages by importing this file. Ticket: https://fedorahosted.org/freeipa/ticket/3094
* Kerberos authentication extension makefilesPetr Vobornik2012-10-048-0/+111
| | | | | | Makefiles for new FF kerberos authentication extension ihttps://fedorahosted.org/freeipa/ticket/3094
* Kerberos authentication extensionPetr Vobornik2012-10-046-0/+306
| | | | | | | | | | | | | | | | | | | The extension should replace signed code (configure.jar) used for Firefox configuration. Using privileged code is not possible since Firefox 15 [1] [2]. Extension is bootstrapped which means it can be used without browser restart on Firefox 4 and later. How it works: Extension listens on each page's document element for event 'kerberos-auth-config' which should be raised on custom data element. Communication data is transferred through data element's attributes [3]. The only required attribute is 'method'. Currently there are two possible values: 'configure' and 'can_configure'. 'can_configure' method serves for detecting if the extension is installed. 'configure' method does the actual configuration. Possible optional options for 'configure' can be found in kerberosauth.js:kerberosauth.config_options. Currently they are: 'referer', 'native_gss_lib', 'trusted_uris', 'allow_proxies'. Result of a method is stored in data element's 'answer' attribute. When 'configure' method is used, the extension asks the user if he wants to configure the browser, it should prevent silent configuration by malicious pages. Possible enhancement: * add UI for manual edit * more configurations ie. for gss_lib, sspi (good with UI or with enhanced config page) * introspection of client (read ipa client install config and such) Ticket: https://fedorahosted.org/freeipa/ticket/3094 [1] https://bugzilla.mozilla.org/show_bug.cgi?id=546848 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=757046 [3] https://developer.mozilla.org/en-US/docs/Code_snippets/Interaction_between_privileged_and_non-privileged_pages
* Support python-ldap 2.3 way of making LDAP controlAlexander Bokovoy2012-10-041-3/+11
| | | | | | | | This strange patch is to accomodate both python-ldap 2.3 and later versions. There was refactoring in python-ldap support for LDAP controls that split base class into two different, changing properties and method signatures. Luckily, we don't use any values passed to encodeControlValue.
* ipa-adtrust-install: remove wrong check for dm_passwordSumit Bose2012-10-041-4/+0
| | | | | | | Additionally this patch removes a comment which makes no sense at this place anymore. Fixes https://fedorahosted.org/freeipa/ticket/3023
* Clear kernel keyring in client installer, save dbdir on new connectionsRob Crittenden2012-10-032-1/+25
| | | | | | | | | | | | | | | | | | | This patch addresses two issues: 1. If a client is previously enrolled in an IPA server and the server gets re-installed then the client machine may still have a keyring entry for the old server. This can cause a redirect from the session URI to the negotiate one. As a rule, always clear the keyring when enrolling a new client. 2. We save the NSS dbdir in the connection so that when creating a new session we can determine if we need to re-initialize NSS or not. Most of the time we do not. The dbdir was not always being preserved between connections which could cause an NSS_Shutdown() to happen which would fail because of existing usage. This preserves the dbdir information when a new connection is created as part of the session mechanism. https://fedorahosted.org/freeipa/ticket/3108
* Wait for secure Dogtag ports when starting the pki servicesPetr Viktorin2012-10-031-4/+4
| | | | | | | | Dogtag opens not only the insecure port (8080 or 9180, for d10 and d9 respectively), but also secure ports (8443 or 9443&9444). Wait for them when starting. Part of the fix for https://fedorahosted.org/freeipa/ticket/3084
* Fill ipakrbprincipalalias on upgradesMartin Kosek2012-10-023-1/+102
| | | | | | | | | | | | | | From IPA 3.0, services have by default ipakrbprincipal objectclass which allows ipakrbprincipalalias attribute used for case-insensitive principal searches. However, services created in previous version do not have this objectclass (and attribute) and thus case-insensitive searches may return inconsistent results. Fill ipakrbprincipalalias on upgrades for all 2.x services. Also treat Treat the ipakrbprincipal as optional to avoid missing services in service-find command if the upgrade fails for any reason. https://fedorahosted.org/freeipa/ticket/3106
* Restrict admins group modificationsTomas Babej2012-10-033-6/+56
| | | | | | | | Group-mod command no longer allows --rename and/or --external changes made to the admins group. In such cases, ProtectedEntryError is being raised. https://fedorahosted.org/freeipa/ticket/3098
* Add --rid-base and --secondary-rid-base to ipa-adtrust-install man pageSumit Bose2012-10-031-0/+10
| | | | Fixes https://fedorahosted.org/freeipa/ticket/3038
* Enhance description of --no-msdcs in man pageSumit Bose2012-10-031-1/+25
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2972
* Add man page paragraph about running ipa-adtrust-install multiple timesSumit Bose2012-10-031-0/+8
| | | | Fixes https://fedorahosted.org/freeipa/ticket/2967
* Improve user addition to default group in user-addTomas Babej2012-10-032-1/+74
| | | | | | | | | | On adding new user, user-add tries to make it a member of default user group. This, however, can raise AlreadyGroupMember when the user is already member of this group due to automember rule or default group configured. This patch makes sure AlreadyGroupMember exception is caught in such cases. https://fedorahosted.org/freeipa/ticket/3097
* Only use service PAC type as an overrideMartin Kosek2012-10-036-28/+70
| | | | | | | | | | | | | | PAC type (ipakrbauthzdata attribute) was being filled for all new service automatically. However, the PAC type attribute was designed to serve only as an override to default PAC type configured in IPA config. With PAC type set in all services, users would have to update all services to get new PAC types configured in IPA config. Do not set PAC type for new services. Add new NONE value meaning that we do not want any PAC for the service (empty/missing attribute means that the default PAC type list from IPA config is read). https://fedorahosted.org/freeipa/ticket/2184
* Do not produce unindexed search on every DEL commandMartin Kosek2012-10-013-1/+25
| | | | | | | | | | | | Every <plugin>-del command executes an "(objectclass=*)" search to find out if a deleted node has any child nodes which would need to be deleted first. This produces an unindexed search for every del command which biases access log audits and may affect performance too. Since most of the *-del commands delete just a single object (user, group, RBAC objects, SUDO or HBAC objects, ...) and not a tree (automount location, dns zone, ...) run a single entry delete first and only revert to subtree search&delete when that fails.
* Index ipakrbprincipalalias and ipaautomountkey attributesMartin Kosek2012-10-012-0/+30
| | | | | | | | | | | | An unindexed search for ipakrbprincipalalias is fired for every ipa command (and other authentication events) which would degrade IPA server performance if not indexed. ipaautomountkey unindexed searches are hit when new key entries are being added. Add both indexes to new and updated IPA installs. https://fedorahosted.org/freeipa/ticket/3020 https://fedorahosted.org/freeipa/ticket/3025
* Improve DN usage in ipa-client-installMartin Kosek2012-10-023-64/+119
| | | | | | | | | | | | | | | | | | | | | A hotfix pushed in a scope of ticket 3088 forced conversion of DN object (baseDN) in IPA client discovery so that ipa-client-install does not crash when creating an IPA default.conf. Since this is not a preferred way to handle DN objects, improve its usage: - make sure, that baseDN retrieved by client discovery is always a DN object - update ipachangeconf.py code to handle strings better and instead of concatenating objects, make sure they are converted to string first As a side-effect of ipachangeconf changes, default.conf config file generated by ipa-client-install has no longer empty new line at the end of a file. Whole ipachangeconf.py has been modified to be compliant with PEP8. https://fedorahosted.org/freeipa/ticket/3088
* Add support for unified samba packagesMartin Kosek2012-10-011-1/+17
| | | | | | | | | | Fedora 18 and later has moved unified samba and samba4 packages. Update Requires and BuildRequires in spec file to require correct versions. Also require libwbclient-devel which now provides libwbclient.h instead of samba4-devel package. https://fedorahosted.org/freeipa/ticket/3118
* Improve StrEnum validation error messageMartin Kosek2012-10-012-7/+33
| | | | | | | | Do not print list of possible values as "%r" but simply as a list of quoted values which should make it easier to read for users. Also add a special case when there is just one allowed value. https://fedorahosted.org/freeipa/ticket/2869
* Fix NS records in installationPetr Viktorin2012-09-272-1/+6
| | | | | | | | Our installation added two final dots to the NS records, so the records were invalid, Bind ignored the entire zone, and name resolution didn't work. Fix this error and add a check for empty DNS labels to the validator
* Don't use bare except: clauses in ipa-client-installPetr Viktorin2012-09-271-13/+13
| | | | | | | | Instead of `except:`, use `except Exception:`. This means that errors like KeyboardInterrupt are not handled, letting them terminate the script as expected. https://fedorahosted.org/freeipa/ticket/2941
* Change the way SID comparison is done for belonging to trusted domainAlexander Bokovoy2012-09-271-16/+12
| | | | Fixes trust use on RHEL 6.
* Validate SELinux users in config-modMartin Kosek2012-09-272-24/+69
| | | | | | | | config-mod is capable of changing default SELinux user map order and a default SELinux user. Validate the new config values to prevent bogus default SELinux users to be assigned to IPA users. https://fedorahosted.org/freeipa/ticket/2993
* Use custom zonemgr for reverse zonesMartin Kosek2012-09-264-70/+33
| | | | | | | | | | | | | | When DNS is being installed during ipa-{server,dns,replica}-install, forward and reverse zone is created. However, reverse zone was always created with default zonemgr even when a custom zonemgr was passed to the installer as this functionality was missing in function creating reverse zone. Consolidate functions creating forward and reverse zones to avoid code duplication and errors like this one. Reverse zones are now created with custom zonemgr (when entered by user). https://fedorahosted.org/freeipa/ticket/2790
* Make sure external group members are listed for the external groupAlexander Bokovoy2012-09-251-19/+10
| | | | https://fedorahosted.org/freeipa/ticket/2975
* Fix python syntax in ipa-client-automountRob Crittenden2012-09-241-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3081
* Always handle NotFound error in dnsrecord-modPetr Viktorin2012-09-242-2/+11
| | | | | | | | When there were no updated attrs when modifying a nonexistent DNS record, the error was not handled and caused an internal server error later (old_entry was used uninitialized). https://fedorahosted.org/freeipa/ticket/3055
* Check direct/reverse hostname/address resolution in ipa-replica-installPetr Viktorin2012-09-201-19/+141
| | | | | | | | | | | | | Forward and reverse resolution of the newly created replica is already checked via get_host_name (which calls verify_fqdn). Add the same check for the existing master. Additionally, if DNS is installed on the remote host, check forward and reverse resolution of both replicas using that DNS only (ignoring /etc/hosts). These checks give only warnings and, in interactive installs, a "Continue?" prompt. https://fedorahosted.org/freeipa/ticket/2845
* Update krb5.conf during ipa-adtrust-installSumit Bose2012-09-191-0/+62
| | | | https://fedorahosted.org/freeipa/ticket/2515
* Set master_kdc and dns_lookup_kdc to trueSumit Bose2012-09-195-3/+8
| | | | https://fedorahosted.org/freeipa/ticket/2515
* Improves sssd.conf handling during ipa-client uninstallTomas Babej2012-09-202-17/+110
| | | | | | | | | | | | | | | | | | | | | | | The sssd.conf file is no longer left behind in case sssd was not configured before the installation. However, the patch goes behind the scope of this ticked and improves the handling of sssd.conf during the ipa-client-install --uninstall in general. The current behaviour (well documented in source code) is as follows: - In general, the IPA domain is simply removed from the sssd.conf file, instead of sssd.conf being rewritten from the backup. This preserves any domains added after installation. - If sssd.conf existed before the installation, it is restored to sssd.conf.bkp. However, any IPA domains from pre-installation sssd.conf should have been merged during the installation. - If sssd.conf did not exist before the installation, and no other domains than IPA domain exist in it, the patch makes sure that sssd.conf is moved to sssd.conf.deleted so user experiences no crash during any next installation due to its existence. https://fedorahosted.org/freeipa/ticket/2740
* Document use of external group membershipAlexander Bokovoy2012-09-201-0/+29
|
* Add documentation for 'ipa trust' set of commandsAlexander Bokovoy2012-09-201-2/+58
|
* Fix error messages and use proper ImportError for dcerpc importAlexander Bokovoy2012-09-201-7/+6
|
* validate SID for trusted domain when adding/modifying ID rangeAlexander Bokovoy2012-09-201-3/+28
| | | | https://fedorahosted.org/freeipa/ticket/3087
* Use correct Dogtag port in ipaserver.install.certsPetr Viktorin2012-09-201-2/+2
| | | | | On an instance upgraded from Dogtag 9 to Dogtag 10, ipa-replica-prepare used the wrong port number. Fix that.
generated by cgit (git 2.34.1) at 2025-09-06 23:28:52 +0000