freeipa.git/install/conf, branch review FreeIPA patches mod_auth_gssapi: Remove ntlmssp support and restrict mechanism to krb5 2015-11-26T14:20:19+00:00 Christian Heimes cheimes@redhat.com 2015-07-17T10:40:29+00:00 b6c893aae63b6b77871c775d062a5c7e1c470ad9 By default mod_auth_gssapi allows all locally available mechanisms. If the gssntlmssp package is installed, it also offers ntlmssp. This has the annoying side effect that some browser will pop up a username/password request dialog if no Krb5 credentials are available. The patch restricts the mechanism to krb5 and removes ntlmssp and iakerb support from Apache's ipa.conf. The new feature was added to mod_auth_gssapi 1.3.0. https://fedorahosted.org/freeipa/ticket/5114 Reviewed-By: Simo Sorce <ssorce@redhat.com> 
By default mod_auth_gssapi allows all locally available mechanisms. If
the gssntlmssp package is installed, it also offers ntlmssp.  This has
the annoying side effect that some browser will pop up a
username/password request dialog if no Krb5 credentials are available.

The patch restricts the mechanism to krb5 and removes ntlmssp and
iakerb support from Apache's ipa.conf.

The new feature was added to mod_auth_gssapi 1.3.0.

https://fedorahosted.org/freeipa/ticket/5114

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Add ipa-custodia service 2015-10-15T12:24:33+00:00 Simo Sorce simo@redhat.com 2015-05-08T17:39:29+00:00 463dda30679da9ac5eea5683984002989965e2a5 Add a customized Custodia daemon and enable it after installation. Generates server keys and loads them in LDAP autonomously on install or update. Provides client code classes too. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Provide Kerberos over HTTP (MS-KKDCP) 2015-06-24T08:43:58+00:00 Christian Heimes cheimes@redhat.com 2015-06-23T15:01:00+00:00 495da412f155603c02907187c21dd4511281df2c Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS. - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied. - The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa, cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is present. - The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui. - A ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present. - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var. - python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers are read from /etc/krb5.conf. - The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet. https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
  dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
  cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
  present.
- The installers and update create a new Apache config file
  /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
  /KdcProxy. The app is run inside its own WSGI daemon group with
  a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
  /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used. SetEnv from Apache config does
  not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
  ipa-ldap-updater. No CLI script is offered yet.

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Fixed KRA installation problem. 2015-06-10T08:37:40+00:00 Endi S. Dewata edewata@redhat.com 2015-06-08T05:30:47+00:00 62ef11efad4ebbb8fa6f13a15c5ed8e833e90d43 The ipa-pki-proxy.conf has been modified to optionally require client certificate authentication for PKI REST services as it's done in standalone PKI to allow the proper KRA installation. https://fedorahosted.org/freeipa/ticket/5058 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The ipa-pki-proxy.conf has been modified to optionally require
client certificate authentication for PKI REST services as it's
done in standalone PKI to allow the proper KRA installation.

https://fedorahosted.org/freeipa/ticket/5058

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa-pki-proxy: allow certificate and password authentication 2015-06-05T17:12:46+00:00 Fraser Tweedale ftweedal@redhat.com 2015-06-05T09:02:58+00:00 355b6d416d800692f7028e057ff76aab9f8c0470 ipa-replica-install --setup-ca is failing because the security domain login attempts password authentication, but the current ipa-pki-proxy requires certificate authentication. Set NSSVerifyClient optional to allow both certificate and password authentication to work. Reviewed-By: Martin Basti <mbasti@redhat.com> 
ipa-replica-install --setup-ca is failing because the security
domain login attempts password authentication, but the current
ipa-pki-proxy requires certificate authentication.

Set NSSVerifyClient optional to allow both certificate and password
authentication to work.

Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa-pki-proxy: provide access to profiles REST API 2015-06-04T08:27:33+00:00 Fraser Tweedale ftweedal@redhat.com 2015-04-29T10:07:58+00:00 273a297e97f157fb596cd9be0dc75a1382b94cfc Part of: https://fedorahosted.org/freeipa/ticket/57 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Part of: https://fedorahosted.org/freeipa/ticket/57

Reviewed-By: Martin Basti <mbasti@redhat.com>
move IPA-related http runtime directories to common subdirectory 2015-05-19T12:59:18+00:00 Martin Babinsky mbabinsk@redhat.com 2015-05-15T13:37:05+00:00 7ff7b1f533cc10c44acf6020b545b253de1ad37b When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same time, they use common directory for storing Apache ccache file. Uninstallation of 'mod_auth_kerb' removes this directory leading to invalid CCache path for httpd and authentication failure. Using an IPA-specific directory for credential storage during apache runtime avoids this issue. https://fedorahosted.org/freeipa/ticket/4973 Reviewed-By: David Kupka <dkupka@redhat.com> 
When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same
time, they use common directory for storing Apache ccache file. Uninstallation
of 'mod_auth_kerb' removes this directory leading to invalid CCache path for
httpd and authentication failure.

Using an IPA-specific directory for credential storage during apache runtime
avoids this issue.

https://fedorahosted.org/freeipa/ticket/4973

Reviewed-By: David Kupka <dkupka@redhat.com>
Bump ipa.conf version to 17. 2015-03-30T13:06:12+00:00 David Kupka dkupka@redhat.com 2015-03-30T08:18:11+00:00 b9657975b790252c952499c1cd40dc6a666d452f Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Use mod_auth_gssapi instead of mod_auth_kerb. 2015-03-30T13:06:12+00:00 David Kupka dkupka@redhat.com 2015-03-30T08:17:55+00:00 5a03462bfc94d09192c935b2a158958481d1df01 https://fedorahosted.org/freeipa/ticket/4190 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4190

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Remove unused part of ipa.conf. 2015-03-30T13:06:12+00:00 David Kupka dkupka@redhat.com 2015-03-30T08:11:19+00:00 8c72e2efad4e375af55b5a167153f2d1447624d4 Separate configuration of '/var/www/cgi-bin' is no longer needed legacy from IPA 1.0. Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Separate configuration of '/var/www/cgi-bin' is no longer needed legacy from
IPA 1.0.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>