freeipa.git/ipaclient/install, branch webui_isolate FreeIPA patches Separate RA cert store from the HTTP cert store 2017-02-14T22:37:16+00:00 Simo Sorce simo@redhat.com 2016-12-13T15:32:32+00:00 63e18ecfe383827678cf77463520463ca7a4d821 This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
client install: correctly report all failures 2017-01-20T16:34:07+00:00 Jan Cholasta jcholast@redhat.com 2017-01-03T06:43:12+00:00 26630db9d0fb1d9c8a02840b71b3fb3e8bdf3e0d In commit 5249eb817efbb5708d097173a8d5f1e322fb201e, the client install code was converted to use exception handling instead of return codes. However, some return statements were not converted to raise statements and as a result, ipa-client-install will report success in some error conditions. Convert the return statements to raise statements to fix the issue. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
In commit 5249eb817efbb5708d097173a8d5f1e322fb201e, the client install code
was converted to use exception handling instead of return codes. However,
some return statements were not converted to raise statements and as a
result, ipa-client-install will report success in some error conditions.

Convert the return statements to raise statements to fix the issue.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
disable hostname canonicalization by Kerberos library 2017-01-11T15:18:24+00:00 Martin Babinsky mbabinsk@redhat.com 2017-01-09T13:36:33+00:00 566c86a782bfd7d50938866e9f89faf56cea773f By default, Kerberos client library attempts to canonicalize service hostname in TGS requests. This can fail e.g. if hosts file on the client machine references short names before FQDNs. In this case the short name is used in TGS_REQ which KDC fails to resolve. Since we do not (yet) support referencing hosts by their short names it is safe to just disable this behavior in krb5.conf and use supplied FQDNs. https://fedorahosted.org/freeipa/ticket/6584 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
By default, Kerberos client library attempts to canonicalize service
hostname in TGS requests. This can fail e.g. if hosts file on the client
machine references short names before FQDNs. In this case the short name
is used in TGS_REQ which KDC fails to resolve.

Since we do not (yet) support referencing hosts by their short names it
is safe to just disable this behavior in krb5.conf and use supplied
FQDNs.

https://fedorahosted.org/freeipa/ticket/6584

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
ipa_generate_password algorithm change 2017-01-06T08:26:56+00:00 Petr Spacek pspacek@redhat.com 2016-12-21T14:07:34+00:00 fb7c111ac13510609e2cba14ecf88cd2ed291a4b A change to the algorithm that generates random passwords for multiple purposes throught IPA. This spells out the need to assess password strength by the entropy it contains rather than its length. This new password generation should also be compatible with the NSS implementation of password requirements in FIPS environment so that newly created databases won't fail with wrong authentication. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> 
A change to the algorithm that generates random passwords
for multiple purposes throught IPA. This spells out the need
to assess password strength by the entropy it contains rather
than its length.

This new password generation should also be compatible with the
NSS implementation of password requirements in FIPS environment
so that newly created databases won't fail with wrong authentication.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
client, platform: Use paths.SSH* instead of get_config_dir(). 2017-01-05T16:50:03+00:00 Timo Aaltonen tjaalton@debian.org 2016-12-01T12:08:58+00:00 0ff12de338a8db32bb10e1b41f32255e7b971b6f Reviewed-By: Martin Basti <mbasti@redhat.com> 
Reviewed-By: Martin Basti <mbasti@redhat.com>
Configure Anonymous PKINIT on server install 2016-12-12T12:39:44+00:00 Simo Sorce simo@redhat.com 2016-07-26T15:19:01+00:00 ca4e6c1fdfac9b545b26f885dc4865f22ca36ae6 Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
server install: fix external CA install 2016-12-08T11:08:49+00:00 Jan Cholasta jcholast@redhat.com 2016-11-30T12:55:38+00:00 4fff09978eab520d130d87c0112b5caac907e651 Replace the dual definitions of domain_name, dm_password and admin_password knobs in server install with single definitions using the original names without the 'new_' prefix. This fixes the options read from the installer option cache in step 2 of external CA install to use the correct knob names. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
Replace the dual definitions of domain_name, dm_password and admin_password
knobs in server install with single definitions using the original names
without the 'new_' prefix.

This fixes the options read from the installer option cache in step 2 of
external CA install to use the correct knob names.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Set explicit confdir option for global contexts 2016-12-02T08:14:35+00:00 Christian Heimes cheimes@redhat.com 2016-11-28T15:24:33+00:00 1e6a204b4372bbbfb722a00370a5ce4e34406b9f Some API contexts are used to modify global state (e.g. files in /etc and /var). These contexts do not support confdir overrides. Initialize the API with an explicit confdir argument to paths.ETC_IPA. The special contexts are: * backup * cli_installer * installer * ipctl * renew * restore * server * updates The patch also corrects the context of the ipa-httpd-kdcproxy script to 'server'. https://fedorahosted.org/freeipa/ticket/6389 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.

The special contexts are:

* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates

The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.

https://fedorahosted.org/freeipa/ticket/6389

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipaclient: move install modules to the install subpackage 2016-11-29T13:50:51+00:00 Jan Cholasta jcholast@redhat.com 2016-11-23T14:42:08+00:00 70c3cd7f482bee7d5ad12062daa7ad6181a29094 The ipa_certupdate, ipachangeconf, ipadiscovery and ntpconf modules depend on ipaplatform. Move them to ipaclient.install as they are used only from the client installer. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
The ipa_certupdate, ipachangeconf, ipadiscovery and ntpconf modules depend
on ipaplatform.

Move them to ipaclient.install as they are used only from the client
installer.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
constants: remove CACERT 2016-11-29T13:50:51+00:00 Jan Cholasta jcholast@redhat.com 2016-11-22T13:42:33+00:00 977050c66bccd7b8cf468c115d73250505a01034 CACERT depends on ipaplatform. Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
CACERT depends on ipaplatform.

Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>