freeipa.git/install/share, branch cachetickets FreeIPA patches Add options to allow ticket caching 2017-03-06T18:46:44+00:00 Simo Sorce simo@redhat.com 2017-03-06T18:46:44+00:00 513c118d741594bf6bab6302a4b24c23168c4c44 This new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching). Signed-off-by: Simo Sorce <simo@redhat.com> 
This new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Signed-off-by: Simo Sorce <simo@redhat.com>
Support for Certificate Identity Mapping 2017-03-02T14:09:42+00:00 Florence Blanc-Renaud flo@redhat.com 2016-12-20T15:21:58+00:00 9e24918c89f30a6d7064844dc0dd848bb35140df See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com> 
See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Define template version in certmap.conf 2017-03-01T11:46:50+00:00 Florence Blanc-Renaud flo@redhat.com 2017-01-23T17:06:53+00:00 c49320435ddc67210c0d95be273e971ea8ffad6d A previous commit (ffb9a09a0d63f7edae2b647b5c1d503d1d4d7a6e) removed the definition of VERSION 2 in certmap.conf.template. ipa-server-upgrade tool compares the template version with the version in certmap.conf. As VERSION is not defined in either file, it concludes that version = 0 for both and does not make a backup of certmap.conf even though it prints that it will. The fix re-defines VERSION in the template and adapts the code because the template has changed (it is using $ISSUER_DN instead of CN=Certificate Authority,$SUBJECT_BASE). The fix also logs an error when a template file is not versioned. https://fedorahosted.org/freeipa/ticket/6354 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
A previous commit (ffb9a09a0d63f7edae2b647b5c1d503d1d4d7a6e) removed the
definition of VERSION 2 in certmap.conf.template.

ipa-server-upgrade tool compares the template version with the version in
certmap.conf. As VERSION is not defined in either file, it concludes that
version = 0 for both and does not make a backup of certmap.conf even though
it prints that it will.

The fix re-defines VERSION in the template and adapts the code because the
template has changed (it is using $ISSUER_DN instead of
CN=Certificate Authority,$SUBJECT_BASE).

The fix also logs an error when a template file is not versioned.

https://fedorahosted.org/freeipa/ticket/6354

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
csrgen: Support encrypted private keys 2017-02-28T09:02:49+00:00 Ben Lipton blipton@redhat.com 2017-02-09T01:56:37+00:00 ada91c20588046bb147fc701718d3da4d2c080ca https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove non-sensical kdestroy on https stop 2017-02-22T14:50:48+00:00 Simo Sorce simo@redhat.com 2017-02-15T09:44:59+00:00 b8f304c66994ae82ea484a4e8bd057d4ccf1e6bd This kdestroy runs as root and wipes root's own ccachs ... this is totally inappropriate. Use a file ccache that ends up in the private tmp, so that if the service is restarted the file is automatically removed. https://fedorahosted.org/freeipa/ticket/6673 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
This kdestroy runs as root and wipes root's own ccachs ...
this is totally inappropriate.
Use a file ccache that ends up in the private tmp, so that if the
service is restarted the file is automatically removed.

https://fedorahosted.org/freeipa/ticket/6673

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add a new user to run the framework code 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-08-16T13:03:19+00:00 4fd89833ee5421b05c10329d627d0e0fc8496046 Add the apache user the ipawebui group. Make the ccaches directory owned by the ipawebui group and make mod_auth_gssapi write the ccache files as r/w by the apache user and the ipawebui group. Fix tmpfiles creation ownership and permissions to allow the user to access ccaches files. The webui framework now works as a separate user than apache, so the certs used to access the dogtag instance need to be usable by this new user as well. Both apache and the webui user are in the ipawebui group, so use that. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Add the apache user the ipawebui group.
Make the ccaches directory owned by the ipawebui group and make
mod_auth_gssapi write the ccache files as r/w by the apache user and
the ipawebui group.
Fix tmpfiles creation ownership and permissions to allow the user to
access ccaches files.
The webui framework now works as a separate user than apache, so the certs
used to access the dogtag instance need to be usable by this new user as well.
Both apache and the webui user are in the ipawebui group, so use that.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Configure HTTPD to work via Gss-Proxy 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-11-29T16:10:22+00:00 d2f5fc304f1938d23171ae330fa20b213ceed54e https://fedorahosted.org/freeipa/ticket/4189 https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4189
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Use Anonymous user to obtain FAST armor ccache 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-12-02T11:48:35+00:00 b6741d81e187fc84177c12ef8ad900d3b5cda6a4 The anonymous user allows the framework to obtain an armor ccache without relying on usable credentials, either via a keytab or a pkinit and public certificates. This will be needed once the HTTP keytab is moved away for privilege separation. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Generate tmpfiles config at install time 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-12-01T16:37:20+00:00 38c66896de1769077cd5b057133606ec5eeaf62b We do not want to generate runtime directories just because the packages are installed, but only if the server is actually setup and run. Also this will be needed later because we will create a user at install time and some tmpfiles will need to be owned by this user. As we are changing this code also rationalize the directory structure and move it from the http rundir to the ipa specific rundir. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
We do not want to generate runtime directories just because the packages
are installed, but only if the server is actually setup and run. Also this
will be needed later because we will create a user at install time and some
tmpfiles will need to be owned by this user.
As we are changing this code also rationalize the directory structure and
move it from the http rundir to the ipa specific rundir.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Change session handling 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-08-19T13:23:55+00:00 c894ebefc5c4c4c7ea340d6ddc4cd3c081917e4a Stop using memcache, use mod_auth_gssapi filesystem based ccaches. Remove custom session handling, use mod_auth_gssapi and mod_session to establish and keep a session cookie. Add loopback to mod_auth_gssapi to do form absed auth and pass back a valid session cookie. And now that we do not remove ccaches files to move them to the memcache, we can avoid the risk of pollutting the filesystem by keeping a common ccache file for all instances of the same user. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>