freeipa.git/ipalib, branch certauth Unnamed repository; edit this file 'description' to name the repository. Support for Certificate Identity Mapping 2017-02-23T12:05:07+00:00 Florence Blanc-Renaud flo@redhat.com 2016-12-20T15:21:58+00:00 3ca9af4dfd3029c57b008bb59547388a79a36161 See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 
See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542
Add fips_mode variable to env 2017-02-21T16:09:00+00:00 Tomas Krizek tkrizek@redhat.com 2017-02-06T12:08:11+00:00 3372ad2766c0d182fa88c8bc28cf43477dc4cb3b Variable fips_mode indicating whether machine is running in FIPS-enabled mode was added to env. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Variable fips_mode indicating whether machine is running in
FIPS-enabled mode was added to env.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add fix for ipa plugins command 2017-02-17T09:22:07+00:00 Abhijeet Kasurde akasurde@redhat.com 2017-01-12T13:08:37+00:00 b3c41f21e51e5389d95b5486dcdfdc3f9a8b0424 Fix adds count of plugins loaded to return dict Fixes https://fedorahosted.org/freeipa/ticket/6513 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Fix adds count of plugins loaded to return dict

Fixes https://fedorahosted.org/freeipa/ticket/6513

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Explicitly remove support of SSLv2/3 2017-02-17T09:04:00+00:00 Stanislav Laznicka slaznick@redhat.com 2017-01-13T11:31:29+00:00 ac6f573a3014aa09811ca1559d470afe75eadbec It was possible to set tls_version_min/max to 'ssl2' or 'ssl3', even though newer versions of NSS will fail to set this as a valid TLS version. This patch explicitly checks for deprecated TLS versions prior to creating a TLS connection. Also, we don't allow tls_version_min/max to be set to a random string anymore. https://fedorahosted.org/freeipa/ticket/6607 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
It was possible to set tls_version_min/max to 'ssl2' or 'ssl3',
even though newer versions of NSS will fail to set this as a valid
TLS version. This patch explicitly checks for deprecated TLS versions
prior to creating a TLS connection.

Also, we don't allow tls_version_min/max to be set to a random
string anymore.

https://fedorahosted.org/freeipa/ticket/6607

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Explain more performance tricks in doc string 2017-02-15T16:27:56+00:00 Christian Heimes cheimes@redhat.com 2017-02-14T12:19:19+00:00 1d7fcfe15d279e50d9ac29464a30f8e594db1802 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Pretty print JSON in debug mode (debug level >= 2) 2017-02-15T16:27:56+00:00 Christian Heimes cheimes@redhat.com 2017-02-13T18:09:14+00:00 3cac0378e94efc2ee1070eff2984eb1147bcf463 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Convert list to tuples 2017-02-15T16:27:56+00:00 Christian Heimes cheimes@redhat.com 2017-02-13T09:46:36+00:00 b12b1e4c0b19a84ccffcc702ab608d818382a697 Some tests assume that JSON deserializier returns tuples instead of lists. I don't think it is necessary but let's pass the tests for now. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Some tests assume that JSON deserializier returns tuples instead of
lists. I don't think it is necessary but let's pass the tests for now.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Faster JSON encoder/decoder 2017-02-15T16:27:56+00:00 Christian Heimes cheimes@redhat.com 2017-02-13T08:46:39+00:00 8159c2883bf66980582d1227c364df4e592bdd7e Improve performance of FreeIPA's JSON serializer and deserializer. * Don't indent and sort keys. Both options trigger a slow path in Python's json package. Without indention and sorting, encoding mostly happens in optimized C code. * Replace O(n) type checks with O(1) type lookup and eliminate the use of isinstance(). * Check each client capability only once for every conversion. * Use decoder's obj_hook feature to traverse the object tree once and to eliminate calls to isinstance(). Closes: https://fedorahosted.org/freeipa/ticket/6655 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Improve performance of FreeIPA's JSON serializer and deserializer.

* Don't indent and sort keys. Both options trigger a slow path in
  Python's json package. Without indention and sorting, encoding
  mostly happens in optimized C code.
* Replace O(n) type checks with O(1) type lookup and eliminate
  the use of isinstance().
* Check each client capability only once for every conversion.
* Use decoder's obj_hook feature to traverse the object tree once and
  to eliminate calls to isinstance().

Closes: https://fedorahosted.org/freeipa/ticket/6655
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Insure removal of session on identity change 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2017-02-14T12:16:54+00:00 e4d462ad53597fd5410aa4e94a57bb15b92a3f13 If we are changing identiy (different principal) insure we remove the session cookie stored on the rpc context so that we do not mistakenly connect with the previous identity credentials. https://fedorahosted.org/freeipa/ticket/6543 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
If we are changing identiy (different principal) insure we remove the
session cookie stored on the rpc context so that we do not mistakenly
connect with the previous identity credentials.

https://fedorahosted.org/freeipa/ticket/6543

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Allow rpc callers to pass ccache and service names 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2017-02-13T13:29:35+00:00 41c1efc44a6b809445facd4772574595029553b1 This allows code to use multiple ccaches without having to muck with the process global environment variables (KRB5CCNAME). https://fedorahosted.org/freeipa/ticket/6543 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
This allows code to use multiple ccaches without having to muck with the
process global environment variables (KRB5CCNAME).

https://fedorahosted.org/freeipa/ticket/6543

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>