summaryrefslogtreecommitdiffstats
path: root/ipaserver/plugins/trust.py
Commit message (Collapse)AuthorAgeFilesLines
* server: define missing virtual attributesJan Cholasta2016-06-301-20/+26
| | | | | | | | | | | Move virtual attributes defined in output params of methods into params of the related object. This fixes the virtual attributes being ommited in CLI output. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
* adtrust: optimize forest root LDAP filterAlexander Bokovoy2016-06-151-5/+3
| | | | | | | | | | | | | | | | | | | | | | `ipa trust-find' command should only show trusted forest root domains The child domains should be visible via ipa trustdomain-find forest.root The difference between forest root (or external domain) and child domains is that root domain gets ipaIDObject class to allow assigning a POSIX ID to the object. This POSIX ID is used by Samba when an Active Directory domain controller connects as forest trusted domain object. Child domains can only talk to IPA via forest root domain, thus they don't need POSIX ID for their TDOs. This allows us a way to differentiate objects for the purpose of 'trust-find' / 'trustdomain-find' commands. Fixes https://fedorahosted.org/freeipa/ticket/5942 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Server Roles: make *config-show consume relevant roles/attributesMartin Babinsky2016-06-131-0/+31
| | | | | | | | | | | | | | | | | | | | | This patch modifies config objects so that the roles/attributes relevant to the configuration are shown in the output: * config-{show,mod} will show list of all IPA masters, CA servers and CA renewal master * dnsconfig-{show,mod} will list all DNS server and DNS key master * trustconfig-{show,mod} will list all AD trust controllers and agents * vaultconfig-show will list all Key Recovery Agents http://www.freeipa.org/page/V4/Server_Roles https://fedorahosted.org/freeipa/ticket/5181 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* adtrust: support UPNs for trusted domain usersAlexander Bokovoy2016-06-111-19/+50
| | | | | | | | | | | | | | | | | | | | Add support for additional user name principal suffixes from trusted Active Directory forests. UPN suffixes are property of the forest and as such are associated with the forest root domain. FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued attribute of ipaNTTrustedDomain object class. In order to look up UPN suffixes, netr_DsRGetForestTrustInformation LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts. For more details on UPN and naming in Active Directory see https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx https://fedorahosted.org/freeipa/ticket/5354 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* adtrust: remove nttrustpartner parameterAlexander Bokovoy2016-06-101-4/+0
| | | | | | | | | | | | | | | MS-ADTS spec requires that TrustPartner field should be equal to the commonName (cn) of the trust. We used it a bit wrongly to express trust relationship between parent and child domains. In fact, we have parent-child relationship recorded in the DN (child domains are part of the parent domain's container). Remove the argument that was never used externally but only supplied by trust-specific code inside the IPA framework. Part of https://fedorahosted.org/freeipa/ticket/5354 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Revert "adtrust: remove nttrustpartner parameter"Martin Basti2016-06-101-0/+4
| | | | | | | | | | This reverts commit 185806432d6dfccc5cdd73815471ce60a575b073. The wrong version of patch has been pushed. https://fedorahosted.org/freeipa/ticket/5354 Reviewed-By: Martin Basti <mbasti@redhat.com>
* adtrust: remove nttrustpartner parameterAlexander Bokovoy2016-06-101-4/+0
| | | | | | | | | | | | | MS-ADTS spec requires that TrustPartner field should be equal to the commonName (cn) of the trust. We used it a bit wrongly to express trust relationship between parent and child domains. In fact, we have parent-child relationship recorded in the DN (child domains are part of the parent domain's container). Remove the argument that was never used externally but only supplied by trust-specific code inside the IPA framework. Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* trusts: Add support for an external trust to Active Directory domainAlexander Bokovoy2016-06-091-14/+47
| | | | | | | | | | | | | | | External trust is a trust that can be created between Active Directory domains that are in different forests or between an Active Directory domain. Since FreeIPA does not support non-Kerberos means of communication, external trust to Windows NT 4.0 or earlier domains is not supported. The external trust is not transitive and can be established to any domain in another forest. This means no access beyond the external domain is possible via the trust link. Resolves: https://fedorahosted.org/freeipa/ticket/5743 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipalib: move server-side plugins to ipaserverJan Cholasta2016-06-031-0/+1725
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins. Remove the now unused ipalib.plugins package. https://fedorahosted.org/freeipa/ticket/4739 Reviewed-By: David Kupka <dkupka@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-01 03:06:22 +0000