freeipa.git/install/conf, branch kdc-fixes FreeIPA patches Provide Kerberos over HTTP (MS-KKDCP) 2015-06-24T08:43:58+00:00 Christian Heimes cheimes@redhat.com 2015-06-23T15:01:00+00:00 495da412f155603c02907187c21dd4511281df2c Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS. - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied. - The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa, cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is present. - The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui. - A ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present. - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var. - python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers are read from /etc/krb5.conf. - The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet. https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
  dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
  cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
  present.
- The installers and update create a new Apache config file
  /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
  /KdcProxy. The app is run inside its own WSGI daemon group with
  a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
  /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used. SetEnv from Apache config does
  not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
  ipa-ldap-updater. No CLI script is offered yet.

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Fixed KRA installation problem. 2015-06-10T08:37:40+00:00 Endi S. Dewata edewata@redhat.com 2015-06-08T05:30:47+00:00 62ef11efad4ebbb8fa6f13a15c5ed8e833e90d43 The ipa-pki-proxy.conf has been modified to optionally require client certificate authentication for PKI REST services as it's done in standalone PKI to allow the proper KRA installation. https://fedorahosted.org/freeipa/ticket/5058 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The ipa-pki-proxy.conf has been modified to optionally require
client certificate authentication for PKI REST services as it's
done in standalone PKI to allow the proper KRA installation.

https://fedorahosted.org/freeipa/ticket/5058

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa-pki-proxy: allow certificate and password authentication 2015-06-05T17:12:46+00:00 Fraser Tweedale ftweedal@redhat.com 2015-06-05T09:02:58+00:00 355b6d416d800692f7028e057ff76aab9f8c0470 ipa-replica-install --setup-ca is failing because the security domain login attempts password authentication, but the current ipa-pki-proxy requires certificate authentication. Set NSSVerifyClient optional to allow both certificate and password authentication to work. Reviewed-By: Martin Basti <mbasti@redhat.com> 
ipa-replica-install --setup-ca is failing because the security
domain login attempts password authentication, but the current
ipa-pki-proxy requires certificate authentication.

Set NSSVerifyClient optional to allow both certificate and password
authentication to work.

Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa-pki-proxy: provide access to profiles REST API 2015-06-04T08:27:33+00:00 Fraser Tweedale ftweedal@redhat.com 2015-04-29T10:07:58+00:00 273a297e97f157fb596cd9be0dc75a1382b94cfc Part of: https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Part of: https://fedorahosted.org/freeipa/ticket/57

Reviewed-By: Martin Basti <mbasti@redhat.com>
move IPA-related http runtime directories to common subdirectory 2015-05-19T12:59:18+00:00 Martin Babinsky mbabinsk@redhat.com 2015-05-15T13:37:05+00:00 7ff7b1f533cc10c44acf6020b545b253de1ad37b When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same time, they use common directory for storing Apache ccache file. Uninstallation of 'mod_auth_kerb' removes this directory leading to invalid CCache path for httpd and authentication failure. Using an IPA-specific directory for credential storage during apache runtime avoids this issue. https://fedorahosted.org/freeipa/ticket/4973 Reviewed-By: David Kupka <dkupka@redhat.com> 
When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same
time, they use common directory for storing Apache ccache file. Uninstallation
of 'mod_auth_kerb' removes this directory leading to invalid CCache path for
httpd and authentication failure.

Using an IPA-specific directory for credential storage during apache runtime
avoids this issue.

https://fedorahosted.org/freeipa/ticket/4973

Reviewed-By: David Kupka <dkupka@redhat.com>
Bump ipa.conf version to 17. 2015-03-30T13:06:12+00:00 David Kupka dkupka@redhat.com 2015-03-30T08:18:11+00:00 b9657975b790252c952499c1cd40dc6a666d452f Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Use mod_auth_gssapi instead of mod_auth_kerb. 2015-03-30T13:06:12+00:00 David Kupka dkupka@redhat.com 2015-03-30T08:17:55+00:00 5a03462bfc94d09192c935b2a158958481d1df01 https://fedorahosted.org/freeipa/ticket/4190 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4190

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Remove unused part of ipa.conf. 2015-03-30T13:06:12+00:00 David Kupka dkupka@redhat.com 2015-03-30T08:11:19+00:00 8c72e2efad4e375af55b5a167153f2d1447624d4 Separate configuration of '/var/www/cgi-bin' is no longer needed legacy from IPA 1.0. Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Separate configuration of '/var/www/cgi-bin' is no longer needed legacy from
IPA 1.0.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Fixed KRA backend. 2014-11-04T15:33:16+00:00 Endi S. Dewata edewata@redhat.com 2014-10-01T18:59:46+00:00 0b08043c37210d0f86cb0c66d659acafda0fb529 The KRA backend has been simplified since most of the tasks have been moved somewhere else. The transport certificate will be installed on the client, and it is not needed by KRA backend. The KRA agent's PEM certificate is now generated during installation due to permission issue. The kra_host() for now is removed since the current ldap_enable() cannot register the KRA service, so it is using the kra_host environment variable. The KRA installer has been modified to use Dogtag's CLI to create KRA agent and setup the client authentication. The proxy settings have been updated to include KRA's URLs. Some constants have been renamed for clarity. The DOGTAG_AGENT_P12 has been renamed to DOGTAG_ADMIN_P12 since file actually contains the Dogtag admin's certificate and private key and it can be used to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed to KRA_AGENT_PEM since it can only be used for KRA. The Dogtag dependency has been updated to 10.2.1-0.1. https://fedorahosted.org/freeipa/ticket/4503 Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.

The KRA installer has been modified to use Dogtag's CLI to create
KRA agent and setup the client authentication.

The proxy settings have been updated to include KRA's URLs.

Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.

The Dogtag dependency has been updated to 10.2.1-0.1.

https://fedorahosted.org/freeipa/ticket/4503

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Re-enable uninstall feature for ipa-kra-install 2014-09-15T08:58:29+00:00 Ade Lee alee@redhat.com 2014-09-02T02:49:54+00:00 9ca5a4e42084ba43e106fa3be9dac9965216e710 The underlying Dogtag issue (Dogtag ticket 1113) has been fixed. We can therefore re-enable the uninstall option for ipa-kra-install. Also, fixes an incorrect path in the ipa-pki-proxy.conf, and adds a debug statement to provide status to the user when an uninstall is done. Also, re-added the no_host_dns option which is used when unpacking a replica file. Part of the work for: https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: Petr Viktorin <pviktori@redhat.com> 
The underlying Dogtag issue (Dogtag ticket 1113) has been fixed.
We can therefore re-enable the uninstall option for ipa-kra-install.
Also, fixes an incorrect path in the ipa-pki-proxy.conf, and adds
a debug statement to provide status to the user when an uninstall
is done.  Also, re-added the no_host_dns option which is used when
unpacking a replica file.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Petr Viktorin <pviktori@redhat.com>