freeipa.git/install/share, branch fix_ber_scanf FreeIPA patches Add a skeleton kdcpolicy plugin 2019-09-10T09:33:21+00:00 Robbie Harwood rharwood@redhat.com 2018-07-11T20:48:01+00:00 179c8f4009adc30b9b3c497855f15927016c84db Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Move certauth configuration into a server krb5.conf template 2019-09-10T09:33:21+00:00 Robbie Harwood rharwood@redhat.com 2019-04-11T22:11:06+00:00 39e3704a0679d117f5145044e73726175a8f600b Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Add new authentication indicators in kdc.conf.template 2019-09-10T09:33:21+00:00 Changmin Teng cteng@redhat.com 2019-07-29T15:17:08+00:00 9c0a35f1e79033585786c2567aedcb3b4c10a6b6 As of release 1.17, KDC can be configured to apply authentication indicator for SPAKE, PKINIT, and encrypted challenge preauth via FAST channel, which are not configured in current version of freeIPA. Note that even though the value of encrypted_challenge_indicator is attached only when encrypted challenge preauth is performed along a FAST channel, it's possible to perform FAST without encrypted challenge by using SPAKE. Since there is no reason to force clients not to use SPAKE while using FAST, we made a design choice to merge SPAKE and FAST in a new option called "Hardened Password", which requires user to use at least one of SPAKE or FAST channel. Hence same value attaching to both spake_preauth_indicator and encrypted_challenge_indicator. Resolves: https://pagure.io/freeipa/issue/8001 Signed-off-by: Changmin Teng <cteng@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
As of release 1.17, KDC can be configured to apply authentication
indicator for SPAKE, PKINIT, and encrypted challenge preauth via
FAST channel, which are not configured in current version of freeIPA.

Note that even though the value of encrypted_challenge_indicator is
attached only when encrypted challenge preauth is performed along
a FAST channel, it's possible to perform FAST without encrypted
challenge by using SPAKE. Since there is no reason to force clients
not to use SPAKE while using FAST, we made a design choice to merge
SPAKE and FAST in a new option called "Hardened Password", which
requires user to use at least one of SPAKE or FAST channel. Hence
same value attaching to both spake_preauth_indicator and
encrypted_challenge_indicator.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
install: fix --external-ca-profile option 2019-07-17T14:58:58+00:00 Fraser Tweedale ftweedal@redhat.com 2019-07-12T03:13:02+00:00 21a9a7107a2028354c0fc15540b8f15d279e5fce Commit dd47cfc75a69618f486abefb70f2649ebf8264e7 removed the ability to set pki_req_ext_oid and pki_req_ext_data in the pkispawn config. This results in the --external-ca-profile option never setting the requested values in the CSR (the default V1 template type specifying "SubCA" is always used). Remove relevant fields from both ipaca_default.ini and ipaca_customize.ini. This allows the IPA framework to set the values (i.e. when --external-ca-type=ms-cs and --external-ca-profile=... demand it). It also allows users to override the pki_req_ext_* settings. Part of: https://pagure.io/freeipa/issue/7548 Related: https://pagure.io/freeipa/issue/5608 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
Commit dd47cfc75a69618f486abefb70f2649ebf8264e7 removed the ability
to set pki_req_ext_oid and pki_req_ext_data in the pkispawn config.
This results in the --external-ca-profile option never setting the
requested values in the CSR (the default V1 template type specifying
"SubCA" is always used).

Remove relevant fields from both ipaca_default.ini and
ipaca_customize.ini.  This allows the IPA framework to set the
values (i.e. when --external-ca-type=ms-cs and
--external-ca-profile=... demand it).  It also allows users to
override the pki_req_ext_* settings.

Part of: https://pagure.io/freeipa/issue/7548
Related: https://pagure.io/freeipa/issue/5608
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Create indexes for altSecurityIdentities and ipaCertmapData attributes 2019-07-17T14:50:07+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-05-03T06:00:09+00:00 725899595f42b607989db96d849e1b4f01de7faa During an investigation into filter optimisation in 389DS it was discovered that two attributes of the certmap query are unindexed. Due to the nature of LDAP filters, if any member of an OR query is unindexed, the entire OR becomes unindexed. This is then basically a full-table scan, which applies the filter test to the contained members. Fixes: https://pagure.io/freeipa/issue/7932 Fixes: https://pagure.io/freeipa/issue/7933 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
During an investigation into filter optimisation in 389DS it was
discovered that two attributes of the certmap query are unindexed.
Due to the nature of LDAP filters, if any member of an OR query is
unindexed, the entire OR becomes unindexed.

This is then basically a full-table scan, which applies the filter test
to the contained members.

Fixes: https://pagure.io/freeipa/issue/7932
Fixes: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Add altSecurityIdentities attribute from MS-WSPP schema definition 2019-07-17T14:50:07+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-05-03T05:57:07+00:00 5a83eea20bdd0c1c6302eada774ef3d8cfa04e36 Active Directory schema includes altSecurityIdentities attribute which presents alternative security identities for a bindable object in Active Directory. FreeIPA doesn't currently use this attribute. However, SSSD certmap library may generate searches referencing the attribute if it is specified in the certificate mapping rule. Such search might be considered unindexed in 389-ds. Define altSecurityIdentities attribute to allow specifying indexing rules for it. Fixes: https://pagure.io/freeipa/issue/7932 Related: https://pagure.io/freeipa/issue/7933 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
Active Directory schema includes altSecurityIdentities attribute
which presents alternative security identities for a bindable object in
Active Directory.

FreeIPA doesn't currently use this attribute. However, SSSD certmap
library may generate searches referencing the attribute if it is
specified in the certificate mapping rule. Such search might be
considered unindexed in 389-ds.

Define altSecurityIdentities attribute to allow specifying indexing
rules for it.

Fixes: https://pagure.io/freeipa/issue/7932
Related: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Remove DES3 and RC4 enctypes from Kerberos 2019-07-02T07:35:00+00:00 Rob Crittenden rcritten@redhat.com 2019-07-01T18:40:00+00:00 dd9fd0971f352e4bed50b79b8b3147d6a94956b7 These are already marked as deprecated by the KDC. Reviewed-By: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
These are already marked as deprecated by the KDC.

Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Don't configure disabled krb5 enctypes in FIPS mode 2019-07-02T07:35:00+00:00 Rob Crittenden rcritten@redhat.com 2019-07-01T17:33:39+00:00 a43100badc43a2b22efd472ff4108b9821631311 The only permitted ciphers are the AES family (called aes, which is the combination of: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128). DES, RC4, and Camellia are not permitted in FIPS mode. While 3DES is permitted, the KDF used for it in krb5 is not, and Microsoft doesn't implement 3DES anyway. This is only applied on new installations because we don't allow converting a non-FIPS install into a FIPS one. Reviewed-By: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
The only permitted ciphers are the AES family (called aes, which
is the combination of: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and
aes128-cts-hmac-sha256-128).

DES, RC4, and Camellia are not permitted in FIPS mode.  While 3DES
is permitted, the KDF used for it in krb5 is not, and Microsoft
doesn't implement 3DES anyway.

This is only applied on new installations because we don't
allow converting a non-FIPS install into a FIPS one.

Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Make use of single configuration point for SELinux 2019-07-01T11:44:57+00:00 Stanislav Levin slev@altlinux.org 2019-06-27T08:52:40+00:00 b2acd65013348c0f5d91582f240714b0f3357678 For now, FreeIPA supports SELinux things as they are in RedHat/Fedora. But different distributions may have their own SELinux customizations. This moves SELinux configuration out to platform constants: - SELINUX_MCS_MAX - SELINUX_MCS_REGEX - SELINUX_MLS_MAX - SELINUX_MLS_REGEX - SELINUX_USER_REGEX - SELINUX_USERMAP_DEFAULT - SELINUX_USERMAP_ORDER and applies corresponding changes to the test code. Fixes: https://pagure.io/freeipa/issue/7996 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.

This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER

and applies corresponding changes to the test code.

Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Make use of the single configuration point for the default shells 2019-06-19T09:39:51+00:00 Stanislav Levin slev@altlinux.org 2019-06-15T14:25:51+00:00 d86b57c05764f771b1568409efd31c9e7b302919 For now all the default shells of users and admin are hardcoded in different parts of the project. This makes it impossible to run the test suite against the setup, which has the default shell differed from '/bin/sh'. The single configuration point for the shell of users and admin is added to overcome this limitation. Fixes: https://pagure.io/freeipa/issue/7978 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
For now all the default shells of users and admin are hardcoded in
different parts of the project. This makes it impossible to run the
test suite against the setup, which has the default shell differed
from '/bin/sh'.

The single configuration point for the shell of users and admin is
added to overcome this limitation.

Fixes: https://pagure.io/freeipa/issue/7978
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>