freeipa.git, branch replica_kdc FreeIPA patches Configure KDC to use certs after they are deployed 2017-03-09T17:49:54+00:00 Simo Sorce simo@redhat.com 2017-03-09T17:49:54+00:00 d9fb5cb52b9450f6ac514b75ec4b74ec3d30affa Certmonger needs to access the KDC when it tries to obtain certs, so make sure the KDC can run, then reconfigure it to use pkinit anchors once certs are deployed. Signed-off-by: Simo Sorce <simo@redhat.com> 
Certmonger needs to access the KDC when it tries to obtain certs,
so make sure the KDC can run, then reconfigure it to use pkinit anchors
once certs are deployed.

Signed-off-by: Simo Sorce <simo@redhat.com>
backup: backup anonymous keytab 2017-03-09T17:22:34+00:00 Martin Basti mbasti@redhat.com 2017-03-09T16:25:49+00:00 8fb61a55fe32438752567bde8af73d6b8230a386 Freeipa stops working without anon keytab https://pagure.io/freeipa/issue/5959 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Freeipa stops working without anon keytab

https://pagure.io/freeipa/issue/5959

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
server install: require IPv6 stack to be enabled 2017-03-09T15:50:21+00:00 Tomas Krizek tkrizek@redhat.com 2017-03-07T12:54:41+00:00 ecb450308d0a49afffb31dda1e405ad40552e70e Add checks to install and replica install to verify IPv6 stack is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...). https://pagure.io/freeipa/issue/6608 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Add checks to install and replica install to verify IPv6 stack
is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...).

https://pagure.io/freeipa/issue/6608

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
add whoami command 2017-03-09T13:10:02+00:00 Alexander Bokovoy abokovoy@redhat.com 2017-03-02T16:03:05+00:00 381c1c7a8fe63526d21cb65decb75fb5ffda676a Whoami command allows to query details about currently authenticated identity. The command returns following information: * object class name * function to call to get actual details about the object * arguments to pass to the function There are five types of objects that could bind to IPA using their credentials. `ipa whoami` call expects one of the following: * users * staged users * hosts * Kerberos services * ID user override from the default trust view The latter category of objects is automatically mapped by SASL GSSAPI mapping rule in 389-ds for users from trusted Active Directory forests. The command is expected to be used by Web UI to define proper view for the authenticated identity. It is not visible in the command line interface is `ipa` command. Below is an example of how communication looks like for a host principal: # kinit -k # ipa console (Custom IPA interactive Python console) >>> api.Command.whoami() {u'command': u'host_show/1', u'object': u'host', u'arguments': (u'ipa.example.com',)} >>> Fixes https://pagure.io/freeipa/issue/6643 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Whoami command allows to query details about currently
authenticated identity. The command returns following information:

  * object class name
  * function to call to get actual details about the object
  * arguments to pass to the function

There are five types of objects that could bind to IPA using their
credentials. `ipa whoami` call expects one of the following:

  * users
  * staged users
  * hosts
  * Kerberos services
  * ID user override from the default trust view

The latter category of objects is automatically mapped by SASL GSSAPI
mapping rule in 389-ds for users from trusted Active Directory forests.

The command is expected to be used by Web UI to define proper view for
the authenticated identity. It is not visible in the command line
interface is `ipa` command.

Below is an example of how communication looks like for a host
principal:

   # kinit -k
   # ipa console
   (Custom IPA interactive Python console)
   >>> api.Command.whoami()
   {u'command': u'host_show/1', u'object': u'host', u'arguments': (u'ipa.example.com',)}
   >>>

Fixes https://pagure.io/freeipa/issue/6643

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipa-managed-entries: only permit running the command on IPA master 2017-03-09T09:31:43+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-08T15:45:08+00:00 5cb98496aa2e1e190219cf2f4a6208a38fa368d5 https://pagure.io/freeipa/issue/6735 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
https://pagure.io/freeipa/issue/6735

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
ipa-managed-entries: use server-mode API 2017-03-09T09:31:43+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-08T11:16:31+00:00 715367506b11549aae69f913594ebc6d9c4d3e76 During LDAP connection management refactoring the ad-hoc ldap connection in `ipa-managed-entries` was replaced by calls to ldap2 backend without updating API initialization. https://pagure.io/freeipa/issue/6735 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
During LDAP connection management refactoring the ad-hoc ldap connection
in `ipa-managed-entries` was replaced by calls to ldap2 backend without
updating API initialization.

https://pagure.io/freeipa/issue/6735

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Don't use weak ciphers for client HTTPS connections 2017-03-09T09:27:55+00:00 Stanislav Laznicka slaznick@redhat.com 2017-02-23T13:31:50+00:00 fda22c33441d3b2c541a272e411ac1503a20fb01 https://pagure.io/freeipa/issue/6730 Reviewed-By: Martin Basti <mbasti@redhat.com> 
https://pagure.io/freeipa/issue/6730

Reviewed-By: Martin Basti <mbasti@redhat.com>
WebUI: Add cermapmatch module 2017-03-08T15:22:01+00:00 Pavel Vomacka pvomacka@redhat.com 2017-03-07T20:31:22+00:00 61cd4372e142662c06c881886709fe1b573102a9 Add module which can show users which are mapped to the provided certificate. Additionaly, the certificate is parsed and parsed information are also displayed. https://pagure.io/freeipa/issue/6601 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
Add module which can show users which are mapped to the provided certificate.
Additionaly, the certificate is parsed and parsed information are
also displayed.

https://pagure.io/freeipa/issue/6601

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
WebUI: Add Adapter for certmap_match result table 2017-03-08T15:22:01+00:00 Pavel Vomacka pvomacka@redhat.com 2017-03-07T20:30:45+00:00 358caa7da44c997b505f54ec70cb6be58d188751 Result of certmap_match command is in the following format: [{domain: 'domain1', uid:[uid11,uid12,uid13]}, {domain: 'domain2', uid:[uid21, uid22, uid23},...] For correct displaying in table we need to reformat it to the following: [{domain: 'domain1', uid: 'uid11'}, {domain: 'domain1', uid: 'uid12'},... This can be done using this Adapter. Part of: https://pagure.io/freeipa/issue/6601 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
Result of certmap_match command is in the following format:
[{domain: 'domain1', uid:[uid11,uid12,uid13]}, {domain: 'domain2',
uid:[uid21, uid22, uid23},...]

For correct displaying in table we need to reformat it to the following:
[{domain: 'domain1', uid: 'uid11'}, {domain: 'domain1', uid: 'uid12'},...

This can be done using this Adapter.

Part of: https://pagure.io/freeipa/issue/6601

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
WebUI: Possibility to choose object when API call returns list of objects 2017-03-08T15:22:01+00:00 Pavel Vomacka pvomacka@redhat.com 2017-03-07T20:30:00+00:00 1d6cc35c03669ea67d9e9ee9ca0ff62401d1b157 In case that API call returns array of objects which contains data, using 'object_index' attribute in adapter specification we can set which object should be used. It is possible to choose only one object specified by its index in array. Part of: https://pagure.io/freeipa/issue/6601 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
In case that API call returns array of objects which contains data, using
'object_index' attribute in adapter specification we can set which object
should be used.

It is possible to choose only one object specified by its index in array.

Part of: https://pagure.io/freeipa/issue/6601

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>