| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/2337
|
|
|
|
|
|
|
|
|
|
|
| |
Add new attributes and objectclasses to support new features:
- global bind-dyndb-ldap settings in LDAP
- conditional per-zone forwarding
- per-zone configuration of automatic PTR updates
- AllowQuery and AllowTransfer ACIs
https://fedorahosted.org/freeipa/ticket/2215
https://fedorahosted.org/freeipa/ticket/2072
|
|
|
|
|
|
|
|
|
|
|
|
| |
We had this in v1 but removed it with v2 because we no longer used
TurboGears for the UI. Because we are now proxying requests to dogtag
we need to re-add this so that mod_ssl doesn't interfere with our
communication.
mod_ssl always blindly registers itself as the SSL provider for mod_proxy.
mod_nss will only register itself if mod_ssl hasn't already done so.
https://fedorahosted.org/freeipa/ticket/2177
|
|
|
|
|
|
| |
replication.
https://fedorahosted.org/freeipa/ticket/2118
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.
Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.
https://fedorahosted.org/freeipa/ticket/1098
https://fedorahosted.org/freeipa/ticket/2246
|
|
|
|
|
|
|
|
|
|
|
| |
The ipa_kpasswd service was deprecated in 2.2, replaced by kadmin. On
upgrade it will be left running by the previous installation, we need
to stop it and uninstall the service.
The dbmodules section needs to reflect that we're now using the new
IPA kdb backend instead of the standard MIT ldap backend.
https://fedorahosted.org/freeipa/ticket/2341
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Adds ipa_memcached SystemV initscript
* Adds ipa_memcached service file and tmpfiles.d/ipa.conf
to recreate /var/run/ipa_memcached on reboot.
* Adds ipa_memcached config file
* Adds memcacheinstnace.py to manage ipa_memcaced as
as SimpleService object.
* Updates the IPA service list to include ipa_memcached,
at service positon 39, httpd is position 40
* Updates the spec file:
- requires the memcached daemon and python client
- installs service or initscripts depending on OS
- installs config file
- creates /var/run/ipa_memcached directory
* Modifies ipa-server-install to install ipa_memcached
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1764
|
|
|
|
|
|
|
| |
Require that the tool be run as root to avoid a permission-related
backtrace.
https://fedorahosted.org/freeipa/ticket/1758
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX
Within that container we control which services are allowed to
delegate tickets for other services. Right now that is limited
from the IPA HTTP to ldap services.
Requires a version of mod_auth_kerb that supports s4u2proxy
https://fedorahosted.org/freeipa/ticket/1098
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1874
|
|
|
|
| |
We now use our own ipa-kdb DAL driver
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are two reasons for the plugin framework:
1. To provide a way of doing manual/complex LDAP changes without having
to keep extending ldapupdate.py (like we did with managed entries).
2. Allows for better control of restarts.
There are two types of plugins, preop and postop. A preop plugin runs
before any file-based updates are loaded. A postop plugin runs after
all file-based updates are applied.
A preop plugin may update LDAP directly or craft update entries to be
applied with the file-based updates.
Either a preop or postop plugin may attempt to restart the dirsrv instance.
The instance is only restartable if ipa-ldap-updater is being executed
as root. A warning is printed if a restart is requested for a non-root
user.
Plugins are not executed by default. This is so we can use ldapupdate
to apply simple updates in commands like ipa-nis-manage.
https://fedorahosted.org/freeipa/ticket/1789
https://fedorahosted.org/freeipa/ticket/1790
https://fedorahosted.org/freeipa/ticket/2032
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The develop.js is no longer necessary because the code in it has
been merged into the main code.
An empty extension.js has been added to provide a place for UI
customization.
Ticket #2099
|
| |
|
|
|
|
|
|
|
| |
The images have been renamed to be more consistent and moved into
the "images" directory to mimic the original jQuery UI structure.
Ticket #1613
|
|
|
|
|
|
|
| |
The HBAC deny rule is no longer supported so it's no longer necessary
to show the warning.
Ticket #1444
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Remove legacy ipa-host-net-manage
Add ipa-managed-entries tool
Add man page for ipa-managed-entries tool
https://fedorahosted.org/freeipa/ticket/1181
|
|
|
|
|
|
|
|
|
|
| |
The server package needs to be installed before the server-selinux
package otherwise the SELinux contexts won't get set properly.
The (postun) is so you can continue to do yum erase freeipa-python
and it will pick up everything else.
https://fedorahosted.org/freeipa/ticket/1779
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1619
|
|
|
|
|
|
|
|
|
| |
Refactor FreeIPA code to allow abstracting all calls to external processes and
dependencies on modification of system-wide configuration. A platform provider
would give its own implementation of those methods and FreeIPA would use it
based on what's built in packaging process.
https://fedorahosted.org/freeipa/ticket/1605
|
|
|
|
|
|
|
|
| |
This is a soft dependency, min nvr version will only be required
when bind/bind-dyndb-ldap are installed.
https://fedorahosted.org/freeipa/ticket/1121
https://fedorahosted.org/freeipa/ticket/1573
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1576
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL
connection. This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate.
The IPA install uses the internal ports instead of proxying through
httpd since httpd is not set up yet.
IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose.
https://fedorahosted.org/freeipa/ticket/1334
add flag to pkicreate in order to enable using proxy.
add the proxy file in /etc/http/conf.d/
Signed-off-by: Simo Sorce <ssorce@redhat.com>
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/1686
|
|
|
|
|
|
| |
Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.
|
| |
|
|
|
|
| |
ticket 1664
|
|
|
|
|
|
|
| |
Bump minimal pki-ca version in spec file to get fix for ipa
cert-request command.
https://fedorahosted.org/freeipa/ticket/1578
|
|
|
|
|
|
|
|
|
| |
Bump minimal 389-ds-base version in spec file to get in recent
Directory Server bug fixes.
https://fedorahosted.org/freeipa/ticket/1513
https://fedorahosted.org/freeipa/ticket/1525
https://fedorahosted.org/freeipa/ticket/1552
|
|
|
|
|
|
|
|
| |
Enable GSSAPI credentials delegation in xmlrpc-c/curl to fix client
enrollment. The unconditional GSSAPI was previously dropped from
curl because of CVE-2011-2192.
https://fedorahosted.org/freeipa/ticket/1452
|
|
|
|
|
|
|
| |
The Makefile.am and the spec file have been fixed to include all
icons in the install/ui folder.
Ticket #1559
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.
Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.
Test user coming from source host to a service on a named host against
existing enabled rules.
ipa hbactest --user= --srchost= --host= --service=
[--rules=rules-list] [--nodetail] [--enabled] [--disabled]
--user, --srchost, --host, and --service are mandatory, others are optional.
If --rules is specified simulate enabling of the specified rules and test
the login of the user using only these rules.
If --enabled is specified, all enabled HBAC rules will be added to simulation
If --disabled is specified, all disabled HBAC rules will be added to simulation
If --nodetail is specified, do not return information about rules matched/not matched.
If both --rules and --enabled are specified, apply simulation to --rules _and_
all IPA enabled rules.
If no --rules specified, simulation is run against all IPA enabled rules.
EXAMPLES:
1. Use all enabled HBAC rules in IPA database to simulate:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
2. Disable detailed summary of how rules were applied:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
--------------------
Access granted: True
--------------------
3. Test explicitly specified HBAC rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: myrule
4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
matched: allow_all
5. Test all disabled HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
---------------------
Access granted: False
---------------------
notmatched: new-rule
6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
---------------------
Access granted: False
---------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
7. Test all (enabled and disabled) HBAC rules in IPA database:
$ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
--------------------
Access granted: True
--------------------
notmatched: my-second-rule
notmatched: my-third-rule
notmatched: myrule
notmatched: new-rule
matched: allow_all
Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.
Specifying them through --rules option explicitly enables them only in
simulation run.
Specifying non-existing rules will not grant access and report non-existing
rules in output.
|
|
|
|
|
|
|
| |
The caIPAserviceCert.cfg was updated to set the client cert flag on
server certs we issue.
https://fedorahosted.org/freeipa/ticket/1434
|
|
|
|
|
|
|
|
| |
If you had a 64-bit system and installed a 32-bit version of IPA then
ipa-getkeytab probably wouldn't work because yum wouldn't know to pull
in the 32-bit version of cyrus-sasl-gssapi.
https://fedorahosted.org/freeipa/ticket/1499
|
|
|
|
|
|
|
| |
The code for supporting custom layouts using HTML templates has been
removed. If it's needed again in the future the code can be restored.
Ticket #1501
|
|
|
|
| |
ticket 1288
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For the most part the existing replication code worked with the
following exceptions:
- Added more port options
- It assumed that initial connections were done to an SSL port. Added
ability to use startTLS
- It assumed that the name of the agreement was the same on both sides.
In dogtag one is marked as master and one as clone. A new option is
added, master, the determines which side we're working on or None
if it isn't a dogtag agreement.
- Don't set the attribute exclude list on dogtag agreements
- dogtag doesn't set a schedule by default (which is actually recommended
by 389-ds). This causes problems when doing a force-sync though so
if one is done we set a schedule to run all the time. Otherwise the
temporary schedule can't be removed (LDAP operations error).
https://fedorahosted.org/freeipa/ticket/1250
|
|
|
|
|
|
|
|
| |
shows dialog if there are any HBAC deny rules. Dialog provides option to navigate to the HBAC page. Deny rules have their rule type value show up in red.
Only shows up fro administrators, not for self service users.
https://fedorahosted.org/freeipa/ticket/1421
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A dogtag replica file is created as usual. When the replica is installed
dogtag is optional and not installed by default. Adding the --setup-ca
option will configure it when the replica is installed.
A new tool ipa-ca-install will configure dogtag if it wasn't configured
when the replica was initially installed.
This moves a fair bit of code out of ipa-replica-install into
installutils and cainstance to avoid duplication.
https://fedorahosted.org/freeipa/ticket/1251
|
|
|
|
|
|
|
|
| |
Fix a problem when a target missed a version-update requirement.
This caused build problems, especially in a parallel build
environment.
https://fedorahosted.org/freeipa/ticket/1215
|
|
|
|
|
| |
The Makefile.am freeipa.spec.in have been updated according to the
recent file changes.
|