freeipa.git/install/conf, branch mindatefix FreeIPA patches mod_auth_gssapi: enable unique credential caches names 2016-06-24T14:06:49+00:00 Petr Vobornik pvoborni@redhat.com 2016-06-23T13:58:15+00:00 fd840a9cd7974c735ab7b0f6773fd5cda8638585 mod_auth_gssapi > 1.4.0 implements support for unique ccaches names. Without it ccache name is derived from pricipal name. It solves a race condition in two concurrent request of the same principal. Where first request deletes the ccache and the second tries to use it which then fails. It may lead e.g. to a failure of two concurrent ipa-client-install. With this feature there are two ccaches so there is no clash. https://fedorahosted.org/freeipa/ticket/5653 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
mod_auth_gssapi > 1.4.0 implements support for unique ccaches names.
Without it ccache name is derived from pricipal name.

It solves a race condition in two concurrent request of the same
principal. Where first request deletes the ccache and the second
tries to use it which then fails. It may lead e.g. to a failure of
two concurrent ipa-client-install.

With this feature there are two ccaches so there is no clash.

https://fedorahosted.org/freeipa/ticket/5653

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Add 'ca' plugin 2016-06-15T05:13:38+00:00 Fraser Tweedale ftweedal@redhat.com 2015-05-14T05:46:06+00:00 3d4db834caa0688bcefc0092b7978402b783eaf3 This commit adds the 'ca' plugin for creating and managing lightweight CAs. The initial implementation supports a single level of sub-CAs underneath the IPA CA. This commit also: - adds the container for FreeIPA CA objects - adds schema for the FreeIPA CA objects - updates ipa-pki-proxy.conf to allow access to the Dogtag lightweight CAs REST API. Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
This commit adds the 'ca' plugin for creating and managing
lightweight CAs.  The initial implementation supports a single level
of sub-CAs underneath the IPA CA.

This commit also:

- adds the container for FreeIPA CA objects

- adds schema for the FreeIPA CA objects

- updates ipa-pki-proxy.conf to allow access to the Dogtag
  lightweight CAs REST API.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Upgrade mod_wsgi socket-timeout on existing installation 2016-06-06T16:02:28+00:00 Martin Basti mbasti@redhat.com 2016-06-06T13:45:48+00:00 5cb03128f8fa4b3e01db86247efbd9ffa888708d The original fix was efective only on new installations. https://fedorahosted.org/freeipa/ticket/5833 Reviewed-By: Martin Basti <mbasti@redhat.com> 
The original fix was efective only on new installations.

https://fedorahosted.org/freeipa/ticket/5833

Reviewed-By: Martin Basti <mbasti@redhat.com>
Increased mod_wsgi socket-timeout 2016-06-02T17:26:32+00:00 Stanislav Laznicka slaznick@redhat.com 2016-05-27T12:44:30+00:00 12d8a0cf22a271ff41e02f4bcf862877dd680ae5 Longer-running CLI commands sometimes fail with "gateway time out" although the task still runs and finishes on server, not notifying the CLI back. Increasing socket-timeout should solve this. https://fedorahosted.org/freeipa/ticket/5833 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> 
Longer-running CLI commands sometimes fail with "gateway time out" although
the task still runs and finishes on server, not notifying the CLI back.
Increasing socket-timeout should solve this.

https://fedorahosted.org/freeipa/ticket/5833

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Add X-Frame-Options and frame-ancestors options 2016-04-15T13:44:44+00:00 Pavel Vomacka pvomacka@redhat.com 2016-03-10T17:32:50+00:00 6eb174c5e72e4a4b60cbd61a666fbe90d01e46bb These two options allow preventing clickjacking attacks. They don't allow open FreeIPA in frame, iframe or object element. https://fedorahosted.org/freeipa/ticket/4631 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
These two options allow preventing clickjacking attacks. They don't allow
open FreeIPA in frame, iframe or object element.

https://fedorahosted.org/freeipa/ticket/4631

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
mod_auth_gssapi: Remove ntlmssp support and restrict mechanism to krb5 2015-11-26T14:20:19+00:00 Christian Heimes cheimes@redhat.com 2015-07-17T10:40:29+00:00 b6c893aae63b6b77871c775d062a5c7e1c470ad9 By default mod_auth_gssapi allows all locally available mechanisms. If the gssntlmssp package is installed, it also offers ntlmssp. This has the annoying side effect that some browser will pop up a username/password request dialog if no Krb5 credentials are available. The patch restricts the mechanism to krb5 and removes ntlmssp and iakerb support from Apache's ipa.conf. The new feature was added to mod_auth_gssapi 1.3.0. https://fedorahosted.org/freeipa/ticket/5114 Reviewed-By: Simo Sorce <ssorce@redhat.com> 
By default mod_auth_gssapi allows all locally available mechanisms. If
the gssntlmssp package is installed, it also offers ntlmssp.  This has
the annoying side effect that some browser will pop up a
username/password request dialog if no Krb5 credentials are available.

The patch restricts the mechanism to krb5 and removes ntlmssp and
iakerb support from Apache's ipa.conf.

The new feature was added to mod_auth_gssapi 1.3.0.

https://fedorahosted.org/freeipa/ticket/5114

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Add ipa-custodia service 2015-10-15T12:24:33+00:00 Simo Sorce simo@redhat.com 2015-05-08T17:39:29+00:00 463dda30679da9ac5eea5683984002989965e2a5 Add a customized Custodia daemon and enable it after installation. Generates server keys and loads them in LDAP autonomously on install or update. Provides client code classes too. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Provide Kerberos over HTTP (MS-KKDCP) 2015-06-24T08:43:58+00:00 Christian Heimes cheimes@redhat.com 2015-06-23T15:01:00+00:00 495da412f155603c02907187c21dd4511281df2c Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS. - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied. - The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa, cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is present. - The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui. - A ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present. - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var. - python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers are read from /etc/krb5.conf. - The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet. https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
  dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
  cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
  present.
- The installers and update create a new Apache config file
  /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
  /KdcProxy. The app is run inside its own WSGI daemon group with
  a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
  /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used. SetEnv from Apache config does
  not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
  ipa-ldap-updater. No CLI script is offered yet.

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Fixed KRA installation problem. 2015-06-10T08:37:40+00:00 Endi S. Dewata edewata@redhat.com 2015-06-08T05:30:47+00:00 62ef11efad4ebbb8fa6f13a15c5ed8e833e90d43 The ipa-pki-proxy.conf has been modified to optionally require client certificate authentication for PKI REST services as it's done in standalone PKI to allow the proper KRA installation. https://fedorahosted.org/freeipa/ticket/5058 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The ipa-pki-proxy.conf has been modified to optionally require
client certificate authentication for PKI REST services as it's
done in standalone PKI to allow the proper KRA installation.

https://fedorahosted.org/freeipa/ticket/5058

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa-pki-proxy: allow certificate and password authentication 2015-06-05T17:12:46+00:00 Fraser Tweedale ftweedal@redhat.com 2015-06-05T09:02:58+00:00 355b6d416d800692f7028e057ff76aab9f8c0470 ipa-replica-install --setup-ca is failing because the security domain login attempts password authentication, but the current ipa-pki-proxy requires certificate authentication. Set NSSVerifyClient optional to allow both certificate and password authentication to work. Reviewed-By: Martin Basti <mbasti@redhat.com> 
ipa-replica-install --setup-ca is failing because the security
domain login attempts password authentication, but the current
ipa-pki-proxy requires certificate authentication.

Set NSSVerifyClient optional to allow both certificate and password
authentication to work.

Reviewed-By: Martin Basti <mbasti@redhat.com>