freeipa.git/ipalib, branch cakeysfix FreeIPA patches Remove the cachedproperty class 2017-05-02T15:33:25+00:00 Stanislav Laznicka slaznick@redhat.com 2017-04-28T07:31:45+00:00 92313c9e9d37733feb79d1b1c825178f48d6c69c The cachedproperty class was used in one special use-case where it only caused issues. Let's get rid of it. https://pagure.io/freeipa/issue/6878 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
The cachedproperty class was used in one special use-case where it only
caused issues. Let's get rid of it.

https://pagure.io/freeipa/issue/6878

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Fixed typo in ipa-client-install output 2017-05-02T11:41:20+00:00 Thorsten Scherf tscherf@redhat.com 2017-04-28T14:40:17+00:00 e3f849d541e8d054b0932d8ec1bd4c836e53c6f0 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use only anonymous PKINIT to fetch armor ccache 2017-04-28T08:38:12+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-31T12:14:11+00:00 3adb9ca875f8eb99e99a29e17a471a2b6f408a4a Since the anonymous principal can only use PKINIT to fetch credential cache it makes no sense to try and use its kerberos key to establish FAST channel. We should also be able to use custom PKINIT anchor for the armoring. https://pagure.io/freeipa/issue/6830 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Since the anonymous principal can only use PKINIT to fetch credential
cache it makes no sense to try and use its kerberos key to establish
FAST channel.

We should also be able to use custom PKINIT anchor for the armoring.

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Fix PKCS11 helper 2017-04-12T07:54:10+00:00 Martin Basti mbasti@redhat.com 2017-03-29T16:53:11+00:00 e8f2a415b3dcba30b0c39cd542acd6b459f46957 Slots in HSM are not assigned statically, we have to chose proper slot from token label. Softhsm i2.2.0 changed this behavior and now slots can change over time (it is allowed by pkcs11 standard). Changelog: * created method get_slot() that returns slot number from used label * replaces usage of slot in __init__ method of P11_Helper with label * slot is dynamically detected from token label before session is opened * pkcs11-util --init-token now uses '--free' instead '--slot' which uses first free slot (we don't care about slot numbers anymore) https://pagure.io/freeipa/issue/6692 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Slots in HSM are not assigned statically, we have to chose proper
slot from token label.

Softhsm i2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).

Changelog:
* created method get_slot() that returns slot number from
  used label
* replaces usage of slot in __init__ method of P11_Helper
  with label
* slot is dynamically detected from token label before
  session is opened
* pkcs11-util --init-token now uses '--free' instead '--slot'
  which uses first free slot (we don't care about slot numbers
  anymore)

https://pagure.io/freeipa/issue/6692

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
setup, pylint, spec file: drop python-nss dependency 2017-03-31T10:20:35+00:00 Jan Cholasta jcholast@redhat.com 2017-03-30T10:26:29+00:00 2b33230f669ca22d6948a4a351b4c92ba15222ab Remove the unused python-nss dependency. Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Remove the unused python-nss dependency.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
certdb: use certutil and match_hostname for cert verification 2017-03-31T10:20:35+00:00 Jan Cholasta jcholast@redhat.com 2017-01-02T12:53:18+00:00 9183cf2a7505624235b255b1406702cdaa65bb38 Use certutil and ssl.match_hostname calls instead of python-nss for certificate verification. Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Use certutil and ssl.match_hostname calls instead of python-nss for
certificate verification.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add --password-expiration to allow admin to force user password expiration 2017-03-31T10:19:40+00:00 Gabe redhatrises@gmail.com 2017-03-31T00:21:47+00:00 274b0bcf5ff2408739d94ba1b1b4bca69f310dfc - Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
- Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Prevent churn on ccaches 2017-03-28T11:36:30+00:00 Simo Sorce simo@redhat.com 2017-03-23T21:49:27+00:00 d63326632b796a5ec9c6468c5ffe0c5a846501e1 We slice down the received cookie so that just the content that matter is preserved. Thi is ok because servers can't trust anything else anyway and will accept a cookie with the ancillary data missing. By removing variable parts like the expiry component added by mod_session or the Expiration or Max-Age metadata we keep only the part of the cookie that changes only when a new session is generated. This way when storing the cookie we actually add a new entry in the ccache only when the session actually changes, and this prevents churn on FILE based ccaches. Related https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
We slice down the received cookie so that just the content that matter
is preserved. Thi is ok because servers can't trust anything else anyway
and will accept a cookie with the ancillary data missing.

By removing variable parts like the expiry component added by
mod_session or the Expiration or Max-Age metadata we keep only the part
of the cookie that changes only when a new session is generated.

This way when storing the cookie we actually add a new entry in the
ccache only when the session actually changes, and this prevents churn
on FILE based ccaches.

Related https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Handle failed authentication via cookie 2017-03-28T11:36:30+00:00 Simo Sorce simo@redhat.com 2017-03-22T22:38:22+00:00 fbbeb132bf37f8a03ef2f2184adb11796ab13d8b If cookie authentication fails and we get back a 401 see if we tried a SPNEGO auth by checking if we had a GSSAPI context. If not it means our session cookie was invalid or expired or some other error happened on the server that requires us to try a full SPNEGO handshake, so go ahead and try it. Fixes https://pagure.io/freeipa/issue/6775 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
If cookie authentication fails and we get back a 401 see if we
tried a SPNEGO auth by checking if we had a GSSAPI context. If not
it means our session cookie was invalid or expired or some other
error happened on the server that requires us to try a full SPNEGO
handshake, so go ahead and try it.

Fixes https://pagure.io/freeipa/issue/6775

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add debug logging for keep-alive 2017-03-20T18:24:28+00:00 Christian Heimes cheimes@redhat.com 2017-03-20T07:47:51+00:00 b2bdd2e1a912573ae4a3e8e5f40831a800d972f7 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>