freeipa.git/install/share, branch cakeysfix FreeIPA patches Move the compat plugin setup at the end of install 2017-04-24T15:11:51+00:00 Stanislav Laznicka slaznick@redhat.com 2017-04-13T07:15:47+00:00 ddbbb1c58e8a4fec8129e7d1e941c54660af6a69 The compat plugin was causing deadlocks with the topology plugin. Move its setup at the end of the installation and remove the cn=topology,cn=ipa,cn=etc subtree from its scope. https://pagure.io/freeipa/issue/6821 Reviewed-By: Martin Basti <mbasti@redhat.com> 
The compat plugin was causing deadlocks with the topology plugin. Move
its setup at the end of the installation and remove the
cn=topology,cn=ipa,cn=etc subtree from its scope.

https://pagure.io/freeipa/issue/6821

Reviewed-By: Martin Basti <mbasti@redhat.com>
Replace hard-coded kdcproxy path with WSGI script 2017-04-12T11:05:23+00:00 Christian Heimes cheimes@redhat.com 2017-03-29T15:58:47+00:00 2cd6788c3f52a9b87f24b9b3e57d66a864397966 mod_wsgi has no way to import a WSGI module by dotted module name. A new kdcproxy.wsgi script is used to import kdcproxy from whatever Python version mod_wsgi is compiled against. This will simplify moving FreeIPA to Python 3 and solves an import problem on Debian. Resolves: https://pagure.io/freeipa/issue/6834 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
mod_wsgi has no way to import a WSGI module by dotted module name. A new
kdcproxy.wsgi script is used to import kdcproxy from whatever Python
version mod_wsgi is compiled against. This will simplify moving FreeIPA
to Python 3 and solves an import problem on Debian.

Resolves: https://pagure.io/freeipa/issue/6834

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Set "KDC:Disable Last Success" by default 2017-03-27T16:24:05+00:00 Martin Basti mbasti@redhat.com 2017-03-22T16:47:04+00:00 eeaf428b1befc37489ed5ee14ae193b46cbd1db7 In big deployments enabled recording of the last sucesfull login this creates a huge changelog on DS side and cause performance issues even if this is excluded from replication. Actually this is not used directly by FreeIPA so it is safe to remove in new installations. User who need this must manually remove "KDC:Disable Last Success" using `ipa config-mod` command or WebUI. https://pagure.io/freeipa/issue/5313 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
In big deployments enabled recording of the last sucesfull login
this creates a huge changelog on DS side and cause performance
issues even if this is excluded from replication.

Actually this is not used directly by FreeIPA so it is safe to remove
in new installations. User who need this must manually remove
"KDC:Disable Last Success" using `ipa config-mod` command or WebUI.

https://pagure.io/freeipa/issue/5313

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Support 8192-bit RSA keys in default cert profile 2017-03-22T11:29:23+00:00 Fraser Tweedale ftweedal@redhat.com 2017-03-22T04:06:16+00:00 1530758475c2e21dd732581ff6816e03ca74dede Update the caIPAserviceCert profile to accept 8192-bit RSA keys. Affects new installs only, because there is not yet a facility to update included profiles. Fixes: https://pagure.io/freeipa/issue/6319 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
Update the caIPAserviceCert profile to accept 8192-bit RSA keys.
Affects new installs only, because there is not yet a facility to
update included profiles.

Fixes: https://pagure.io/freeipa/issue/6319
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Add options to allow ticket caching 2017-03-16T12:10:37+00:00 Simo Sorce simo@redhat.com 2017-03-06T18:46:44+00:00 4ee7e4ee6d6500d8b8935c9033388adc4cdbe672 This new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching). Ticket: https://pagure.io/freeipa/issue/6771 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Ticket: https://pagure.io/freeipa/issue/6771

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Remove allow_constrained_delegation from gssproxy.conf 2017-03-14T17:56:03+00:00 Pavel Vomacka pvomacka@redhat.com 2017-03-14T16:44:01+00:00 f4cd61f3011877fc9cc2a809438059b07362b0aa The Apache process must not allowed to use constrained delegation to contact services because it is already allowed to impersonate users to itself. Allowing it to perform constrained delegation would let it impersonate any user against the LDAP service without authentication. https://pagure.io/freeipa/issue/6225 Reviewed-By: Simo Sorce <ssorce@redhat.com> 
The Apache process must not allowed to use constrained delegation to
contact services because it is already allowed to impersonate
users to itself. Allowing it to perform constrained delegation would
let it impersonate any user against the LDAP service without authentication.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Short name resolution: introduce the required schema 2017-03-14T17:37:10+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-09T13:24:21+00:00 594c87daf873ceec0c0cf3464bcb1aadb9f2b92a Add ipaDomainResolutionOrder and ipaNameResolutionData to IPAv3 schema. Extend ipaConfig object with ipaNameResolutionData objectclass during update. https://pagure.io/freeipa/issue/6372 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Add ipaDomainResolutionOrder and ipaNameResolutionData to IPAv3 schema.
Extend ipaConfig object with ipaNameResolutionData objectclass during
update.

https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove copy-schema-to-ca.py from master branch 2017-03-14T14:16:20+00:00 Martin Basti mbasti@redhat.com 2017-03-10T12:30:43+00:00 f4c7f1dd8a9ce530a8291219a904686ee47e59c7 This script is used only for IPA <3.1, so it must be compatible with ipa-3-0 branch, so it should be placed there https://pagure.io/freeipa/issue/6540 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
This script is used only for IPA <3.1, so it must be compatible with
ipa-3-0 branch, so it should be placed there

https://pagure.io/freeipa/issue/6540

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Support certificate login after installation and upgrade 2017-03-14T14:13:43+00:00 Pavel Vomacka pvomacka@redhat.com 2017-03-09T11:14:21+00:00 75c592d3b9081474cae51c929e6af29c7a0eebb6 Add necessary steps which set SSSD and set SELinux boolean during installation or upgrade. Also create new endpoint in apache for login using certificates. https://pagure.io/freeipa/issue/6225 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com> 
Add necessary steps which set SSSD and set SELinux boolean during
installation or upgrade. Also create new endpoint in apache for
login using certificates.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Move csrgen templates into ipaclient package 2017-03-08T14:59:26+00:00 Christian Heimes cheimes@redhat.com 2017-03-02T15:09:53+00:00 80be18162921268be9c8981495c9e8a4de0c85cd csrgen broke packaging of ipaclient for PyPI. All csrgen related resources are now package data of ipaclient package. Package data is accessed with Jinja's PackageLoader() or through pkg_resources. https://pagure.io/freeipa/issue/6714 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Ben Lipton <blipton@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
csrgen broke packaging of ipaclient for PyPI. All csrgen related
resources are now package data of ipaclient package. Package data is
accessed with Jinja's PackageLoader() or through pkg_resources.

https://pagure.io/freeipa/issue/6714

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>