freeipa.git, branch cachetickets FreeIPA patches Store session cookie in a ccache option 2017-03-06T23:47:56+00:00 Simo Sorce simo@redhat.com 2017-03-06T23:47:56+00:00 4a9b4a7769e36890f95d87053388579928088dd3 Instead of using the kernel keyring,s tore the session cookie within the ccache. This way kdestroy will really wipe away all creedntials. Ticket: https://pagure.io/freeipa/issue/6661 Signed-off-by: Simo Sorce <simo@redhat.com> 
Instead of using the kernel keyring,s tore the session cookie within the
ccache. This way kdestroy will really wipe away all creedntials.

Ticket: https://pagure.io/freeipa/issue/6661

Signed-off-by: Simo Sorce <simo@redhat.com>
Use GSS-SPNEGO if connecting locally 2017-03-06T19:19:30+00:00 Simo Sorce simo@redhat.com 2017-03-06T19:19:30+00:00 34553627ebd709dea371030b03607c9c167732b0 GSS-SPNEGO allows us to negotiate a sasl bind with less roundrtrips therefore use it when possible. We only enable it for local connections for now because we only recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This change means a newer and an older version are not compatible. Restricting ourselves to the local host prevents issues with incomaptible services, and it is ok for us as we are only really lloking at speedups for the local shortlived connections performed by the framework. Most other clients have llonger lived connections, so peformance improvements there are not as important. Signed-off-by: Simo Sorce <simo@redhat.com> 
GSS-SPNEGO allows us to negotiate a sasl bind with less roundrtrips
therefore use it when possible.

We only enable it for local connections for now because we only
recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This
change means a newer and an older version are not compatible.

Restricting ourselves to the local host prevents issues with
incomaptible services, and it is ok for us as we are only really lloking
at speedups for the local shortlived connections performed by the
framework. Most other clients have llonger lived connections, so
peformance improvements there are not as important.

Signed-off-by: Simo Sorce <simo@redhat.com>
Add options to allow ticket caching 2017-03-06T18:46:44+00:00 Simo Sorce simo@redhat.com 2017-03-06T18:46:44+00:00 513c118d741594bf6bab6302a4b24c23168c4c44 This new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching). Signed-off-by: Simo Sorce <simo@redhat.com> 
This new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Signed-off-by: Simo Sorce <simo@redhat.com>
We don't offer no quickies 2017-03-06T12:13:10+00:00 Stanislav Laznicka slaznick@redhat.com 2017-03-06T11:23:55+00:00 30d7c210a4d153fcb5007651a80d8d53512abba3 It's not our main priority as developers to offer any forms of quickies nor guides on how to perform them. Reviewed-By: David Kupka <dkupka@redhat.com> 
It's not our main priority as developers to offer any forms of quickies
nor guides on how to perform them.

Reviewed-By: David Kupka <dkupka@redhat.com>
Fix cookie with Max-Age processing 2017-03-06T10:48:32+00:00 Stanislav Laznicka slaznick@redhat.com 2017-03-02T08:11:34+00:00 24eeb4d6a3be678d652247a4a862ffde037514da When cookie has Max-Age set it tries to get expiration by adding to a timestamp. Without this patch the timestamp would be set to None and thus the addition of timestamp + max_age fails https://pagure.io/freeipa/issue/6718 Reviewed-By: Simo Sorce <ssorce@redhat.com> 
When cookie has Max-Age set it tries to get expiration by adding
to a timestamp. Without this patch the timestamp would be set to
None and thus the addition of timestamp + max_age fails

https://pagure.io/freeipa/issue/6718

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Use https to get security domain from Dogtag 2017-03-03T12:33:51+00:00 Christian Heimes cheimes@redhat.com 2017-02-24T12:00:25+00:00 d1c5d92897d3e262edd2e43295c1270590aebd3d Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Extract method to map principal to princpal type 2017-03-03T11:09:57+00:00 Fraser Tweedale ftweedal@redhat.com 2017-01-25T06:14:59+00:00 11c9df25774fbc8ed24b30f75c205d12ca3c5b90 Part of: https://pagure.io/freeipa/issue/5011 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
Part of: https://pagure.io/freeipa/issue/5011

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Remove redundant principal_type argument 2017-03-03T11:09:57+00:00 Fraser Tweedale ftweedal@redhat.com 2017-01-25T05:51:46+00:00 2066a80be21258d9311ae374fe124d9ac3b79acd Minor refactor to remove the redundant 'principal_type' argument from 'caacl_check' and associated functions. Part of: https://pagure.io/freeipa/issue/5011 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
Minor refactor to remove the redundant 'principal_type' argument
from 'caacl_check' and associated functions.

Part of: https://pagure.io/freeipa/issue/5011

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
man: update ipa-cacert-manage 2017-03-02T16:02:25+00:00 Tomas Krizek tkrizek@redhat.com 2017-03-01T17:45:52+00:00 223a48b6d9916069971f79ab324ead26fa21c79d Make it clear this command is used to only renew certificate for the CA and provide guidance on how to renew other certificates. https://pagure.io/freeipa/issue/6648 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Make it clear this command is used to only renew certificate for
the CA and provide guidance on how to renew other certificates.

https://pagure.io/freeipa/issue/6648

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Change README to use Markdown 2017-03-02T15:55:57+00:00 Petr Vobornik pvoborni@redhat.com 2017-02-28T18:04:03+00:00 5e0ca17ca06ad26f291d4738766e194b3784c5bd So that it will be nicely formatted on FreeIPA Pagure landing page. https://pagure.io/freeipa Some links were updated as other projects also moved to Pagure.io. Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
So that it will be nicely formatted on FreeIPA Pagure landing page.
  https://pagure.io/freeipa

Some links were updated as other projects also moved to Pagure.io.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>