path: root/ipa-client
Columns: Commit message, Author, Age, Files, Lines
...
* Implement session activity timeout  (John Dennis, 2012-02-27, 1 file, -0/+3)
  Previously sessions expired after session_auth_duration had elapsed commencing from the start of the session. We now support a "rolling" expiration where the expiration is advanced by session_auth_duration every time the session is accessed, this is equivalent to an inactivity timeout. The expiration is still constrained by the credential expiration in all cases. The session expiration behavior is configurable based on the session_auth_duration_type.
    * Reduced the default session_auth_duration from 1 hour to 20 minutes.
    * Replaced the session write_timestamp with the access_timestamp and update the access_timestamp whenever the session data is created, retrieved, or written.
    * Modify set_session_expiration_time to handle both an inactivity timeout and a fixed duration.
    * Introduce KerberosSession as a mixin class to share session duration functionality with all classes manipulating session data with Kerberos auth. This is both the non-RPC login class and the RPC classes.
    * Update make-lint to handle new classes.
    * Added session_auth_duration_type config item.
    * Updated default.conf.5 man page for new session_auth_duration_type item.
    * Removed these unused config items: mount_xmlserver, mount_jsonserver, webui_assets_dir
  https://fedorahosted.org/freeipa/ticket/2392
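The two expiration modes this commit describes, written out as an added example (this is not FreeIPA's session.py, and the duration grammar accepted by parse_time_duration below, the 'inactivity_timeout' / 'from_start' type names and the session dict keys are assumptions of the example). The point worth seeing in code is the ceiling: whichever mode is configured, the session never outlives the Kerberos credential it was created from.

```python
import re
import time

# Default from the commit above: session_auth_duration reduced to 20 minutes.
DEFAULT_SESSION_AUTH_DURATION = 20 * 60

# Unit spellings accepted by parse_time_duration(); an assumption of this
# example, not FreeIPA's exact grammar.
_UNIT_SECONDS = {
    's': 1, 'sec': 1, 'second': 1, 'seconds': 1,
    'm': 60, 'min': 60, 'minute': 60, 'minutes': 60,
    'h': 3600, 'hr': 3600, 'hour': 3600, 'hours': 3600,
    'd': 86400, 'day': 86400, 'days': 86400,
}


def parse_time_duration(value):
    """Convert a config value such as '20min', '1h 30m' or '900' into seconds."""
    text = value.strip()
    if text.isdigit():
        return int(text)  # bare number: already seconds
    if not re.fullmatch(r'(\s*\d+\s*[A-Za-z]+\s*)+', text):
        raise ValueError('malformed duration: %r' % value)
    total = 0
    for number, unit in re.findall(r'(\d+)\s*([A-Za-z]+)', text):
        if unit.lower() not in _UNIT_SECONDS:
            raise ValueError('unknown unit %r in %r' % (unit, value))
        total += int(number) * _UNIT_SECONDS[unit.lower()]
    return total


def set_session_expiration_time(session, duration, duration_type,
                                credential_expiration, now=None):
    """Compute and store the session expiry; returns the new expiry timestamp.

    session                dict holding 'session_start_timestamp' (seconds since epoch)
    duration               session_auth_duration in seconds
    duration_type          'inactivity_timeout' (rolling: expiry = last access + duration)
                           or 'from_start' (fixed: expiry = session start + duration)
    credential_expiration  Kerberos credential (TGT) expiry; the session can never
                           outlive it, whichever duration type is in effect
    """
    if now is None:
        now = time.time()
    if duration_type == 'inactivity_timeout':
        expiration = now + duration
    elif duration_type == 'from_start':
        expiration = session['session_start_timestamp'] + duration
    else:
        raise ValueError('unknown session_auth_duration_type: %r' % duration_type)
    # The credential expiry is a hard ceiling in both modes.
    expiration = min(expiration, credential_expiration)
    session['session_access_timestamp'] = now
    session['session_expiration_timestamp'] = expiration
    return expiration


def session_is_expired(session, now=None):
    """True once the stored expiry has passed (a missing expiry counts as expired)."""
    if now is None:
        now = time.time()
    return now >= session.get('session_expiration_timestamp', 0)


if __name__ == '__main__':
    s = {'session_start_timestamp': 1000.0}
    tgt_expiry = 1000.0 + 8 * 3600
    d = parse_time_duration('20min')          # == DEFAULT_SESSION_AUTH_DURATION
    set_session_expiration_time(s, d, 'inactivity_timeout', tgt_expiry, now=1000.0)
    print('expiry after login:', s['session_expiration_timestamp'])            # 2200.0
    set_session_expiration_time(s, d, 'inactivity_timeout', tgt_expiry, now=2000.0)
    print('expiry after access at t=2000:', s['session_expiration_timestamp'])  # 3200.0
```

Call set_session_expiration_time() on every create, retrieve and write of the session data, as the commit does for access_timestamp; with 'from_start' the repeated calls are harmless because the result does not move, and with 'inactivity_timeout' they are what makes the window roll.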
* Add client hostname requirements to man  (Martin Kosek, 2012-02-27, 1 file, -1/+6)
  Changing a client hostname after ipa-client-install would break the enrollment on IPA server. Update relevant man pages to contain such information.
  https://fedorahosted.org/freeipa/ticket/1967
* Configure ssh and sshd during ipa-client-install.  (Jan Cholasta, 2012-02-13, 2 files, -0/+114)
  For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns ipa-client-install option is used. For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM options are enabled (this can be disabled using --no-sshd ipa-client-install option).
  ticket 1634
* Update host SSH public keys on the server during client install.  (Jan Cholasta, 2012-02-13, 2 files, -0/+67)
  This is done by calling host-mod to update the keys on IPA server and nsupdate to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp ipa-client-install option.
  https://fedorahosted.org/freeipa/ticket/1634
* Move the nsupdate functionality to separate function in ipa-client-install.  (Jan Cholasta, 2012-02-13, 1 file, -18/+26)
  Done as part of adding SSH support.
  https://fedorahosted.org/freeipa/ticket/1634
* Add API initialization to ipa-client-install.  (Jan Cholasta, 2012-02-13, 1 file, -9/+25)
  This change makes it possible to call IPA commands from ipa-client-install. Done to support adding SSH host keys to DNS.
  https://fedorahosted.org/freeipa/ticket/1634
* add session manager and cache krb auth  (John Dennis, 2012-02-09, 1 file, -7/+42)
  This patch adds a session manager and support for caching authentication in the session. Major elements of the patch are:
    * Add a session manager to support cookie based sessions which stores session data in a memcached entry.
    * Add ipalib/krb_utils.py which contains functions to parse ccache names, format principals, format KRB timestamps, and a KRB_CCache class which reads ccache entry and allows one to extract information such as the principal, credentials, credential timestamps, etc.
    * Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so that all kerberos items are co-located.
    * Modify javascript in ipa.js so that the IPA.command() RPC call checks for authentication needed error response and if it receives it sends a GET request to /ipa/login URL to refresh credentials.
    * Add session_auth_duration config item to constants.py, used to configure how long a session remains valid.
    * Add parse_time_duration utility to ipalib/util.py. Used to parse the session_auth_duration config item.
    * Update the default.conf.5 man page to document session_auth_duration config item (also added documentation for log_manager config items which had been inadvertently omitted from a previous commit).
    * Add SessionError object to ipalib/errors.py
    * Move Kerberos protection in Apache config from /ipa to /ipa/xml and /ipa/login
    * Add SessionCCache class to session.py to manage temporary Kerberos ccache file in effect for the duration of an RPC command.
    * Adds a krblogin plugin used to implement the /ipa/login handler. login handler sets the session expiration time, currently 60 minutes or the expiration of the TGT, whichever is shorter. It also copies the ccache provided by mod_auth_kerb into the session data. The json handler will later extract and validate the ccache belonging to the session.
    * Refactored the WSGI handlers so that json and xmlrpc could have independent behavior, this also moves where create and destroy context occurs, now done in the individual handler rather than the parent class.
    * The json handler now looks up the session data, validates the ccache bound to the session, if it's expired replies with authenticated needed error.
    * Add documentation to session.py. Fully documents the entire process, got questions, read the doc.
    * Add exclusions to make-lint as needed.
* localhost.localdomain clients refused to join  (Ondrej Hamada, 2012-01-22, 2 files, -0/+9)
  Machines with hostname 'localhost' or 'localhost.localdomain' are refused from joining IPA domain and proper error message is shown. The hostname check is done both in 'ipa-client-install' script and in 'ipa-join'.
  https://fedorahosted.org/freeipa/ticket/2112
* Require an HTTP Referer header in the server. Send one in ipa tools.  (Rob Crittenden, 2011-12-12, 2 files, -4/+41)
  This is to prevent a Cross-Site Request Forgery (CSRF) attack where a rogue server tricks a user who was logged into the FreeIPA management interface into visiting a specially-crafted URL where the attacker could perform FreeIPA configuration changes with the privileges of the logged-in user.
  https://bugzilla.redhat.com/show_bug.cgi?id=747710
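What the server-side half of this mitigation looks like, as an added example rather than FreeIPA's own code: a Referer check for a WSGI application. Assumptions of the example: the protected RPC paths ('/ipa/xml', '/ipa/json'), the decision to also insist on an https Referer, and the list of trusted host names, which must come from configuration and never from the request's own Host header. The two details that matter for CSRF are that an absent header is rejected (an attacker's page can suppress Referer, so "missing" is not "safe") and that the comparison is done on the parsed host, not on a string prefix, so 'https://ipa.example.test@evil.example.test/' does not pass.

```python
from urllib.parse import urlsplit


def referer_is_trusted(environ, trusted_hosts, require_https=True):
    """Return True only if the request carries a Referer pointing at one of
    our own host names.

    environ        WSGI environ dict; the header arrives as environ['HTTP_REFERER']
    trusted_hosts  host names this server is known by (configured values, not
                   the attacker-influenced Host header)
    """
    referer = environ.get('HTTP_REFERER')
    if not referer:
        # Hard failure on a missing header: a no-referrer policy on the
        # attacker's page would otherwise turn this check into a no-op.
        return False
    parts = urlsplit(referer)
    if require_https and parts.scheme.lower() != 'https':
        return False
    # .hostname lower-cases, strips userinfo and port, and unbrackets IPv6,
    # so 'https://ipa.example.test@evil.example.test/' yields the evil host.
    host = parts.hostname
    if host is None:
        return False
    return host in {h.lower() for h in trusted_hosts}


def require_referer(app, trusted_hosts, protected_prefixes=('/ipa/xml', '/ipa/json')):
    """WSGI middleware: reject RPC requests that lack a trusted Referer.

    protected_prefixes is an assumption of this example (the RPC endpoints
    a browser session can reach); everything else passes straight through.
    """
    def wrapped(environ, start_response):
        path = environ.get('PATH_INFO', '')
        if path.startswith(protected_prefixes) and not referer_is_trusted(environ, trusted_hosts):
            body = b'Missing or untrusted HTTP Referer header\n'
            start_response('403 Forbidden', [('Content-Type', 'text/plain'),
                                             ('Content-Length', str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped


def status_for(environ, trusted_hosts):
    """Run a trivial app through the middleware and return the HTTP status it sent."""
    captured = {}

    def app(env, start_response):
        start_response('200 OK', [('Content-Type', 'text/plain')])
        return [b'ok']

    def start_response(status, headers):
        captured['status'] = status

    list(require_referer(app, trusted_hosts)(environ, start_response))
    return captured['status']


if __name__ == '__main__':
    trusted = ['ipa.example.test']   # constructed sample configuration
    print(status_for({'PATH_INFO': '/ipa/json'}, trusted))                                  # 403 Forbidden
    print(status_for({'PATH_INFO': '/ipa/json',
                      'HTTP_REFERER': 'https://ipa.example.test/ipa/ui/'}, trusted))        # 200 OK
```

The client half of the commit (ipa tools sending a Referer) is the reason a check like this can be strict: once every legitimate caller, browser or CLI, is known to send the header, there is no reason to tolerate its absence.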
* Check through all LDAP servers in the domain during IPA discovery  (Alexander Bokovoy, 2011-12-09, 1 file, -9/+25)
  When discovering IPA LDAP servers through DNS records, look through all servers found until first success. A master might not be available or denied access but replica may succeed.
  Ticket #1827
  https://fedorahosted.org/freeipa/ticket/1827
* Client install checks for nss_ldap  (Ondrej Hamada, 2011-12-05, 1 file, -18/+44)
  In order to check presence of nss_ldap or nss-pam-ldapd when installing client with '--no-sssd' option, code was added into ipa-client-install. Checking is based on existence of one of nss_ldap configuration files. This configuration could be in '/etc/ldap.conf', '/etc/nss_ldap.conf' or '/etc/libnss_ldap.conf'. Optionally the nss_ldap could cooperate with pam_ldap module and hence the presence of it is checked by looking for 'pam_ldap.conf' file. Existence of nss-pam-ldapd is checked against existence of 'nslcd.conf' file.
  All this checking is done by function nssldap_exists(). Because both modules are maintained by two different functions, the function returns tuple containing return code and dictionary structure - its key is name of target function and value is list of existing configuration files. Files to check are specified inside the nssldap_exists() function. nssldap_exists() also returns True if any of the mandatory files was found, otherwise returns False.
  In order to fit the returned values, the functions configure_{ldap|nslcd}_conf() were slightly modified. They accept one more parameter which is list of existing files. They are not checking existence of above mentioned files anymore.
  https://fedorahosted.org/freeipa/ticket/2063
* Fix coverity issues in client CLI tools  (Martin Kosek, 2011-11-23, 2 files, -10/+24)
  This patch fixes 2 coverity issues:
    * ipa-client/config.c: CID 11090: Resource leak
    * ipa-client/ipa-getkeytab.c: CID 11018: Unchecked return value
  https://fedorahosted.org/freeipa/ticket/2035
* ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging  (John Dennis, 2011-11-23, 2 files, -64/+45)
  change default_logger_level to debug in configure_standard_logging
  add new ipa_log_manager module, move log_mgr there, also export root_logger from log_mgr.
  change all log_manager imports to ipa_log_manager and change log_manager.root_logger to root_logger.
  add missing import for parse_log_level()
* Client install root privileges check  (Ondrej Hamada, 2011-11-21, 1 file, -2/+2)
  ipa-client-install was failing and returning traceback when it wasn't run by root. It was caused by logging initialization that was taking place before the root privileges check. To correct it, the check was moved before the logging initialization.
  https://fedorahosted.org/freeipa/ticket/2123
* Add configure check for libintl.h  (Alexander Bokovoy, 2011-11-16, 2 files, -0/+18)
  There are some distributions which do not provide gettext support within libc. For these cases checking for libintl is required.
  https://fedorahosted.org/freeipa/ticket/1840
* Fix client krb5 domain mapping and DNS  (Martin Kosek, 2011-10-21, 1 file, -7/+13)
  Add Kerberos mapping for clients outside of server domain. Otherwise certmonger had problems issuing the certificate. Also make sure that client DNS records on the server are set before certmonger is started and certificate is requested.
  Based on Lars Sjostrom patch.
  https://fedorahosted.org/freeipa/ticket/2006
* If our domain is already configured in sssd.conf start with a new config.  (Rob Crittenden, 2011-10-13, 1 file, -1/+12)
  https://fedorahosted.org/freeipa/ticket/1989
* Update all LDAP configuration files that we can.  (Rob Crittenden, 2011-10-13, 1 file, -2/+5)
  LDAP can be configured in any number of places, we need to update everything we find.
  https://fedorahosted.org/freeipa/ticket/1986
* Fix ipa-client-install -U option alignment  (Martin Kosek, 2011-10-14, 1 file, -0/+1)
* Document --preserve-sssd option of ipa-client-install  (Alexander Bokovoy, 2011-10-14, 1 file, -0/+9)
  Add documentation about --preserve-sssd, an ipa-client-install's option to honor previously available SSSD configuration in case it is not possible to merge it cleanly with the new one. In this case ipa-client-install will fail and ask user to fix SSSD config before continuing.
  Additional fix for https://fedorahosted.org/freeipa/ticket/1750
  https://fedorahosted.org/freeipa/ticket/1769
* Hostname used by IPA must be a system hostname  (Martin Kosek, 2011-10-13, 1 file, -1/+3)
  Make sure that the hostname IPA uses is a system hostname. If user passes a non-system hostname, update the network settings and system hostname in the same way that ipa-client-install does. This step should prevent various services failures which may not be ready to talk to IPA with non-system hostname.
  https://fedorahosted.org/freeipa/ticket/1931
* Refactor authconfig use in ipa-client-install  (Alexander Bokovoy, 2011-10-12, 1 file, -20/+90)
  When certain features are being configured via authconfig, we need to remember what was configured and what was the state before it so that during uninstall we restore proper state of the services. Mostly it affects sssd configuration with multiple domains but also pre-existing LDAP and krb5 configurations.
  This should fix following tickets:
  https://fedorahosted.org/freeipa/ticket/1750
  https://fedorahosted.org/freeipa/ticket/1769
* ipa-client-install hangs if the discovered server is unresponsive  (Martin Kosek, 2011-10-12, 2 files, -3/+6)
  Add a timeout to the wget call to cover a case when autodiscovered server does not respond to our attempt to download ca.crt. Let user specify a different IPA server in that case.
  https://fedorahosted.org/freeipa/ticket/1960
* Remove more redundant configuration values from krb5.conf.  (Jan Cholasta, 2011-10-11, 1 file, -6/+0)
  ticket 1358
* Make ipa-join work against an LDAP server that disallows anon binds  (Rob Crittenden, 2011-10-11, 3 files, -109/+94)
  We determine the realm in the client installer so we can deduce the base dn, pass that into ipa-join so we don't have to hunt for it.
  Re-order the bind so that when doing an OTP enrollment we can use the host entry to authenticate before we retrieve the subject base, then initiate the enrollment.
  If ipa-join is called without a basedn it will still attempt to determine it, but it will fail if anonymous binds are not allowed.
  https://fedorahosted.org/freeipa/ticket/1935
* Increase number of 'getent passwd attempts' to 10  (Alexander Bokovoy, 2011-10-11, 1 file, -4/+4)
  During ipa-client-install SSSD is not always started up properly for some reason, things like "getent passwd admin" do not work. This is particularly true for large setups where admin is included in a large set of groups.
  https://fedorahosted.org/freeipa/ticket/1774
* Make sure ipa-client-install returns correct error code  (Martin Kosek, 2011-10-07, 1 file, -0/+2)
  https://fedorahosted.org/freeipa/ticket/1937
* Before kinit, try to sync time with the NTP servers of the domain we are joining  (Alexander Bokovoy, 2011-10-06, 3 files, -0/+58)
  When running ipa-client-install on a system whose clock is not in sync with the master, kinit fails and enrollment is aborted. Manual checking of current time at the master and adjusting on the client-to-be is then needed.
  The patch tries to fetch SRV records for NTP servers of the domain we aim to join and runs ntpdate to get time synchronized. If no SRV records are found, sync with IPA server itself. If that fails, warn that time might not be in sync with KDC.
  https://fedorahosted.org/freeipa/ticket/1773
* Install tools crash when password prompt is interrupted  (Martin Kosek, 2011-10-06, 1 file, -2/+11)
  When getpass.getpass() function is interrupted via CTRL+D, EOFError exception is thrown. Most of the install tools are not prepared for this event and crash with this exception. Make sure that it is handled properly and nice error message is printed.
  https://fedorahosted.org/freeipa/ticket/1916
* Fix 'referenced before assignment' warning  (Alexander Bokovoy, 2011-10-05, 1 file, -0/+1)
* Setup and restore ntp configuration on the client side properly  (Alexander Bokovoy, 2011-10-05, 2 files, -16/+62)
  When setting up the client-side NTP configuration, make sure that /etc/ntp/step-tickers points to IPA NTP server as well.
  When restoring the client during ipa-client-install --uninstall, make sure NTP configuration is fully restored and NTP service is disabled if it was disabled before the installation.
  https://fedorahosted.org/freeipa/ticket/1770
* Add a function for formatting network locations of the form host:port for use in URLs.  (Jan Cholasta, 2011-10-05, 2 files, -11/+11)
  If the host part is a literal IPv6 address, it must be enclosed in square brackets (RFC 2732).
  ticket 1869
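The formatting rule from this commit, with its inverse, as an added example that is not FreeIPA's own helper (function names format_netloc, split_netloc and ldap_url are assumptions of the example). Detecting the IPv6 case with the ipaddress module rather than by counting colons keeps host names and IPv4 literals untouched, and the splitter shows why the brackets are needed at all: without them 'host:port' is ambiguous for an IPv6 literal.

```python
import ipaddress


def format_netloc(host, port=None):
    """Return host[:port] suitable for a URL. An IPv6 literal is wrapped in
    square brackets (RFC 2732) so its colons are not mistaken for the port
    separator; host names and IPv4 addresses are left as they are."""
    try:
        is_ipv6 = ipaddress.ip_address(host).version == 6
    except ValueError:          # not an IP literal at all: a host name
        is_ipv6 = False
    netloc = '[%s]' % host if is_ipv6 else host
    if port is not None:
        netloc = '%s:%d' % (netloc, port)
    return netloc


def split_netloc(netloc):
    """Inverse of format_netloc(): returns (host, port-or-None)."""
    if netloc.startswith('['):
        close = netloc.find(']')
        if close < 0:
            raise ValueError('unterminated IPv6 literal: %r' % netloc)
        host, rest = netloc[1:close], netloc[close + 1:]
        if rest == '':
            return host, None
        if not rest.startswith(':') or not rest[1:].isdigit():
            raise ValueError('bad port in %r' % netloc)
        return host, int(rest[1:])
    if netloc.count(':') > 1:
        # A bare (unbracketed) IPv6 literal cannot carry a port; host only.
        return netloc, None
    host, sep, port = netloc.partition(':')
    if sep and not port.isdigit():
        raise ValueError('bad port in %r' % netloc)
    return host, (int(port) if sep else None)


def ldap_url(host, port=None, secure=False):
    """Build an ldap:// or ldaps:// URL from a host and optional port."""
    return '%s://%s' % ('ldaps' if secure else 'ldap', format_netloc(host, port))


if __name__ == '__main__':
    for host, port in [('ipa.example.test', 389), ('192.0.2.10', None), ('2001:db8::1', 636)]:
        print(ldap_url(host, port))
    # ldap://ipa.example.test:389
    # ldap://192.0.2.10
    # ldap://[2001:db8::1]:636
```

Scoped link-local literals such as 'fe80::1%eth0' are a further wrinkle: older ipaddress versions reject the zone id, so the value would fall through as a "host name" and go unbracketed; if such addresses can occur, strip the zone before the check.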
* Configure pam_krb5 on the client only if sssd is not configured  (Alexander Bokovoy, 2011-10-04, 1 file, -7/+8)
  https://fedorahosted.org/freeipa/ticket/1775
* ipa-client assumes a single namingcontext  (Martin Kosek, 2011-09-30, 1 file, -18/+14)
  When LDAP server contains more than one suffix, the ipa client installation does not detect it as IPA server and fails to install. Fix ipa server discovery so that it correctly searches all naming contexts for the IPA one.
  https://fedorahosted.org/freeipa/ticket/1868
* ipa-client-install: Fix joining when LDAP access is restricted  (Simo Sorce, 2011-09-30, 2 files, -22/+43)
  Fixes: https://fedorahosted.org/freeipa/ticket/1881
* Don't remove /tmp when removing temp cert dir  (Marko Myllynen, 2011-09-22, 1 file, -1/+1)
  If /tmp happens to be empty os.removedirs() happily removes it...
  https://fedorahosted.org/freeipa/ticket/1843
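The failure mode behind this one-line fix, reproduced safely, as an added example (not the FreeIPA code): os.removedirs() removes the named directory and then keeps climbing, deleting every parent that is or becomes empty, so an empty /tmp goes with it. The demo uses a scratch directory with a stand-in for /tmp and a sentinel file so the climb cannot reach the real system temp directory; shutil.rmtree() (or os.rmdir() for a directory known to be empty) removes only what it is given.

```python
import os
import shutil
import tempfile


def remove_temp_dir_unsafe(path):
    """The hazardous pattern: os.removedirs() deletes `path` and then keeps
    climbing, deleting every parent directory that is (or becomes) empty."""
    os.removedirs(path)


def remove_temp_dir(path):
    """Safe replacement: remove only the named directory (and its contents)."""
    shutil.rmtree(path)


def demo():
    """Reproduce the bug against a stand-in for /tmp inside a scratch directory.

    Returns {'removedirs_kept_parent': bool, 'rmtree_kept_parent': bool}.
    """
    scratch = tempfile.mkdtemp(prefix='removedirs-demo-')
    # The sentinel keeps `scratch` non-empty, so removedirs() stops there
    # instead of climbing into the real system temp directory.
    open(os.path.join(scratch, 'sentinel'), 'w').close()
    fake_tmp = os.path.join(scratch, 'tmp')      # stands in for /tmp
    os.mkdir(fake_tmp)
    results = {}

    cert_dir = tempfile.mkdtemp(prefix='ipa-certs-', dir=fake_tmp)   # the temporary cert dir
    remove_temp_dir_unsafe(cert_dir)
    results['removedirs_kept_parent'] = os.path.isdir(fake_tmp)      # False: the /tmp stand-in is gone

    os.mkdir(fake_tmp)                                               # recreate it and retry safely
    cert_dir = tempfile.mkdtemp(prefix='ipa-certs-', dir=fake_tmp)
    open(os.path.join(cert_dir, 'ca.crt'), 'w').close()              # rmtree copes with contents too
    remove_temp_dir(cert_dir)
    results['rmtree_kept_parent'] = os.path.isdir(fake_tmp)          # True

    shutil.rmtree(scratch)
    return results


if __name__ == '__main__':
    print(demo())   # {'removedirs_kept_parent': False, 'rmtree_kept_parent': True}
```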
* Don't log one-time password in logs when configuring client.  (Rob Crittenden, 2011-09-23, 1 file, -4/+5)
  https://fedorahosted.org/freeipa/ticket/1801
* include <stdint.h> for uintptr_t  (Marko Myllynen, 2011-09-22, 1 file, -0/+1)
* Fix client install on IPv6 machines.  (Jan Cholasta, 2011-09-19, 1 file, -2/+7)
  ticket 1804
* Convert client-side tools to platform-independent access to system services  (Alexander Bokovoy, 2011-09-13, 2 files, -118/+96)
  https://fedorahosted.org/freeipa/ticket/1605
* Fix permissions in installers  (Martin Kosek, 2011-09-07, 1 file, -3/+6)
  Fix permissions for (configuration) files produced by ipa-server-install or ipa-client-install. This patch is needed when root has a umask preventing files from being world readable.
  https://fedorahosted.org/freeipa/ticket/1644
* Improve ipa-join man page  (Martin Kosek, 2011-09-07, 1 file, -1/+12)
  Make it clear in man pages that ipa-join -u does not remove keytab.
  https://fedorahosted.org/freeipa/ticket/1317
* Improve man pages structure  (Martin Kosek, 2011-09-07, 6 files, -63/+87)
  There are too many options in ipa-*-install scripts which makes it difficult to read. This patch adds subsections to install script online help and man pages to improve readability. No option has been changed.
  To further improve man pages:
    1) All man pages were changed to have the same header and top-center title to provide united look.
    2) A few typos in man pages have been fixed
  https://fedorahosted.org/freeipa/ticket/1687
* Roll back changes if client installation fails.  (Rob Crittenden, 2011-08-29, 1 file, -80/+115)
  If the client installer fails for some reason and --force was not used then roll back the configuration. This is needed because we touch /etc/sysconfig/network early in the configuration and if it fails due to any number of issues (mostly related to authentication) it will not be reset. We may as well run through the entire uninstall process to be sure the system has been reset.
  https://fedorahosted.org/freeipa/ticket/1704
* ipa-client-install breaks network configuration  (Martin Kosek, 2011-08-29, 1 file, -5/+5)
  Do not forget to add new line in updated /etc/sysconfig/network configuration. Move the actual change of the hostname after the user confirmation about proceeding with installation. It confused users when the hostname change occurred before this prompt.
  https://fedorahosted.org/freeipa/ticket/1724
* Disable reverse lookups in ipa-join and ipa-getkeytab  (Rob Crittenden, 2011-08-25, 2 files, -0/+14)
  This prevents broken DNS from causing enrollment problems.
  https://fedorahosted.org/freeipa/ticket/1693
* Fix build warnings  (Simo Sorce, 2011-08-26, 1 file, -1/+1)
  Some are actual bugs.
* Make sure messagebus is running prior to starting certmonger.  (Jan Cholasta, 2011-08-18, 1 file, -0/+10)
  ticket 1580
* Fix client enrollment  (Martin Kosek, 2011-08-11, 1 file, -1/+3)
  Enable GSSAPI credentials delegation in xmlrpc-c/curl to fix client enrollment. The unconditional GSSAPI was previously dropped from curl because of CVE-2011-2192.
  https://fedorahosted.org/freeipa/ticket/1452
* Ensure network configuration file has proper permissions  (Alexander Bokovoy, 2011-08-10, 1 file, -0/+10)
  As network configuration file is created as temporary file, it has stricter permissions than we need for the target system configuration file. Ensure permissions are properly reset before installing file. If permissions are not re-set, system may have no networking enabled after reboot.
  https://fedorahosted.org/freeipa/ticket/1606
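Both permission bugs in this log (the restrictive-umask case in "Fix permissions in installers" above and the 0600 temp-file case in this commit) have the same cure: set the mode explicitly instead of inheriting it from open() or mkstemp(). An added example of that pattern, written for this page and not taken from FreeIPA (install_config_file, file_mode and demo are names of the example; the /etc/sysconfig/network-style content is a constructed sample); the demo forces umask 077 so the difference is visible.

```python
import os
import shutil
import stat
import tempfile


def install_config_file(path, content, mode=0o644):
    """Write `content` to `path` with an explicit mode, independent of the
    process umask, and atomically (temp file in the same directory + rename).

    mkstemp() deliberately creates its file 0600, so the mode must be reset
    before the rename or the installed file inherits the temp file's mode.
    """
    directory = os.path.dirname(path) or '.'
    fd, tmp = tempfile.mkstemp(prefix='.%s.' % os.path.basename(path), dir=directory)
    try:
        with os.fdopen(fd, 'w') as f:
            f.write(content)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, mode)        # explicit mode: the umask does not apply to chmod
        os.replace(tmp, path)      # atomic on POSIX: readers see old or new, never a partial file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return path


def file_mode(path):
    """Permission bits of `path` as an int (e.g. 0o644)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Compare a naive write with install_config_file() under a restrictive umask.

    Returns (naive_mode, installed_mode).
    """
    old_umask = os.umask(0o077)          # simulate a locked-down root umask
    scratch = tempfile.mkdtemp(prefix='perm-demo-')
    try:
        content = 'NETWORKING=yes\nHOSTNAME=client.example.test\n'   # constructed sample
        naive = os.path.join(scratch, 'network.naive')
        with open(naive, 'w') as f:      # mode = 0666 & ~umask = 0600: unreadable by services
            f.write(content)
        installed = os.path.join(scratch, 'network')
        install_config_file(installed, content)                     # 0644 regardless of umask
        return file_mode(naive), file_mode(installed)
    finally:
        os.umask(old_umask)
        shutil.rmtree(scratch, ignore_errors=True)


if __name__ == '__main__':
    naive_mode, installed_mode = demo()
    print('naive: %o  installed: %o' % (naive_mode, installed_mode))   # naive: 600  installed: 644
```

The same explicit-mode rule applies in the other direction for secrets such as keytabs and the one-time password file: pass the restrictive mode you want rather than trusting the umask to be tight.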