freeipa.git/install, branch fix_ber_scanf FreeIPA patches adtrust: add default read_keys permission for TDO objects 2019-09-12T14:17:53+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-09-12T08:21:51+00:00 0be98884991ff14720dfce428e4f23ebc4a42311 If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys attribute values, it cannot be used by SSSD to retrieve TDO keys and the whole communication with Active Directory domain controllers will not be possible. This seems to affect trusts which were created before ipaAllowedToPerform;read_keys permission granting was introduced (FreeIPA 4.2). Add back the default setting for the permissions which grants access to trust agents and trust admins. Resolves: https://pagure.io/freeipa/issue/8067 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.

This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permissions which
grants access to trust agents and trust admins.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
WebUI: Make 'Unlock' option is available only on locked user page 2019-09-11T16:26:34+00:00 Serhii Tsymbaliuk stsymbal@redhat.com 2019-08-19T15:28:57+00:00 123c93f92c575eeb4344f918b86112937b8cb4e8 The implementation includes checking password policy for selected user. 'Unlock' option is available only in case user reached a limit of login failures. Ticket: https://pagure.io/freeipa/issue/5062 Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Armando Neto <abiagion@redhat.com> 
The implementation includes checking password policy for selected user.
'Unlock' option is available only in case user reached a limit of login failures.

Ticket: https://pagure.io/freeipa/issue/5062
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Modify webUI to adhere to new IPA server API 2019-09-10T09:33:21+00:00 Changmin Teng cteng@redhat.com 2019-07-29T15:10:31+00:00 b66e8a1ee295e11e286979a0bd9ce303cbab2aa5 Given the changes in IPA server API changes, whebUI is modified to utilize new authentication indicators, and disabled custom indicators for services' white list. Resolves: https://pagure.io/freeipa/issue/8001 Signed-off-by: Changmin Teng <cteng@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
Given the changes in IPA server API changes, whebUI is modified to
utilize new authentication indicators, and disabled custom indicators
for services' white list.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Add a skeleton kdcpolicy plugin 2019-09-10T09:33:21+00:00 Robbie Harwood rharwood@redhat.com 2018-07-11T20:48:01+00:00 179c8f4009adc30b9b3c497855f15927016c84db Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Move certauth configuration into a server krb5.conf template 2019-09-10T09:33:21+00:00 Robbie Harwood rharwood@redhat.com 2019-04-11T22:11:06+00:00 39e3704a0679d117f5145044e73726175a8f600b Signed-off-by: Robbie Harwood <rharwood@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Add new authentication indicators in kdc.conf.template 2019-09-10T09:33:21+00:00 Changmin Teng cteng@redhat.com 2019-07-29T15:17:08+00:00 9c0a35f1e79033585786c2567aedcb3b4c10a6b6 As of release 1.17, KDC can be configured to apply authentication indicator for SPAKE, PKINIT, and encrypted challenge preauth via FAST channel, which are not configured in current version of freeIPA. Note that even though the value of encrypted_challenge_indicator is attached only when encrypted challenge preauth is performed along a FAST channel, it's possible to perform FAST without encrypted challenge by using SPAKE. Since there is no reason to force clients not to use SPAKE while using FAST, we made a design choice to merge SPAKE and FAST in a new option called "Hardened Password", which requires user to use at least one of SPAKE or FAST channel. Hence same value attaching to both spake_preauth_indicator and encrypted_challenge_indicator. Resolves: https://pagure.io/freeipa/issue/8001 Signed-off-by: Changmin Teng <cteng@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
As of release 1.17, KDC can be configured to apply authentication
indicator for SPAKE, PKINIT, and encrypted challenge preauth via
FAST channel, which are not configured in current version of freeIPA.

Note that even though the value of encrypted_challenge_indicator is
attached only when encrypted challenge preauth is performed along
a FAST channel, it's possible to perform FAST without encrypted
challenge by using SPAKE. Since there is no reason to force clients
not to use SPAKE while using FAST, we made a design choice to merge
SPAKE and FAST in a new option called "Hardened Password", which
requires user to use at least one of SPAKE or FAST channel. Hence
same value attaching to both spake_preauth_indicator and
encrypted_challenge_indicator.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Skip lock and fork in ipa-server-guard on unsupported ops 2019-09-06T14:29:43+00:00 Rob Crittenden rcritten@redhat.com 2019-09-04T17:32:56+00:00 65d38af9e27f894ec8260b9d8d7bcbdcb79b5c0f On startup certmonger performs a number of options on the configured CA (IPA, not to be confused with the real dogtag CA) and the tracking requests. Break early for operations that are not supported by ipa-submit. This will save both a fork and a lock call. https://bugzilla.redhat.com/show_bug.cgi?id=1656519 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 
On startup certmonger performs a number of options on the
configured CA (IPA, not to be confused with the real dogtag CA)
and the tracking requests.

Break early for operations that are not supported by ipa-submit.
This will save both a fork and a lock call.

https://bugzilla.redhat.com/show_bug.cgi?id=1656519

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Defer initializing the API in dogtag-ipa-ca-renew-agent-submit 2019-09-06T14:29:43+00:00 Rob Crittenden rcritten@redhat.com 2019-09-04T17:31:58+00:00 0770254ce347c9892f6b143bb5f48fb1b0826e2a Wait until we know a supported operation is being called (SUBMIT and POLL) before initializing the API, which can be an expensive operation. https://bugzilla.redhat.com/show_bug.cgi?id=1656519 Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 
Wait until we know a supported operation is being called
(SUBMIT and POLL) before initializing the API, which can be
an expensive operation.

https://bugzilla.redhat.com/show_bug.cgi?id=1656519

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Move ipachangeconf from ipaclient.install to ipapython 2019-08-29T02:15:50+00:00 Rob Critenden rcritten@redhat.com 2019-08-16T18:10:05+00:00 e5af8c19a9e40fb3b96c56ace081f79980437fc2 This will let us call it from ipaplatform. Mark the original location as deprecated. Reviewed-By: Francois Cami <fcami@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
This will let us call it from ipaplatform.

Mark the original location as deprecated.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
install: Add missing scripts to app_DATA. 2019-08-11T08:37:29+00:00 Timo Aaltonen tjaalton@debian.org 2019-08-09T20:03:25+00:00 0000fe0502e75fcc68c6b9a8bc5b2b5a79fb4888 Signed-off-by: Timo Aaltonen <tjaalton@debian.org> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>