freeipa.git/ipalib, branch ccachesess FreeIPA patches Store session cookie in a ccache option 2017-03-09T13:43:49+00:00 Simo Sorce simo@redhat.com 2017-03-06T23:47:56+00:00 c1ae93acad645c7725041cc10bf14b10fb94533c Instead of using the kernel keyring, store the session cookie within the ccache. This way kdestroy will really wipe away all credentials. Ticket: https://pagure.io/freeipa/issue/6661 Signed-off-by: Simo Sorce <simo@redhat.com> 
Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.

Ticket: https://pagure.io/freeipa/issue/6661

Signed-off-by: Simo Sorce <simo@redhat.com>
Don't use weak ciphers for client HTTPS connections 2017-03-09T09:27:55+00:00 Stanislav Laznicka slaznick@redhat.com 2017-02-23T13:31:50+00:00 fda22c33441d3b2c541a272e411ac1503a20fb01 https://pagure.io/freeipa/issue/6730 Reviewed-By: Martin Basti <mbasti@redhat.com> 
https://pagure.io/freeipa/issue/6730

Reviewed-By: Martin Basti <mbasti@redhat.com>
Allow login to WebUI using Kerberos aliases/enterprise principals 2017-03-08T14:56:11+00:00 Martin Babinsky mbabinsk@redhat.com 2016-09-22T07:58:47+00:00 f8d7e37a091c1df4c989b80b8d19e12ab35533c8 The logic of the extraction/validation of principal from the request and subsequent authentication was simplified and most of the guesswork will be done by KDC during kinit. This also allows principals from trusted domains to login via rpcserver. https://fedorahosted.org/freeipa/ticket/6343 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com> 
The logic of the extraction/validation of principal from the request and
subsequent authentication was simplified and most of the guesswork will
be done by KDC during kinit. This also allows principals from trusted
domains to login via rpcserver.

https://fedorahosted.org/freeipa/ticket/6343

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Fix cookie with Max-Age processing 2017-03-06T10:48:32+00:00 Stanislav Laznicka slaznick@redhat.com 2017-03-02T08:11:34+00:00 24eeb4d6a3be678d652247a4a862ffde037514da When cookie has Max-Age set it tries to get expiration by adding to a timestamp. Without this patch the timestamp would be set to None and thus the addition of timestamp + max_age fails https://pagure.io/freeipa/issue/6718 Reviewed-By: Simo Sorce <ssorce@redhat.com> 
When cookie has Max-Age set it tries to get expiration by adding
to a timestamp. Without this patch the timestamp would be set to
None and thus the addition of timestamp + max_age fails

https://pagure.io/freeipa/issue/6718

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Support for Certificate Identity Mapping 2017-03-02T14:09:42+00:00 Florence Blanc-Renaud flo@redhat.com 2016-12-20T15:21:58+00:00 9e24918c89f30a6d7064844dc0dd848bb35140df See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com> 
See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Env __setitem__: replace assert with exception 2017-03-01T11:59:21+00:00 Tomas Krizek tkrizek@redhat.com 2017-02-27T12:08:36+00:00 770d4cda430803f8e020c57971c4dd8e802dc417 Use exception to make debugging issues easier. Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Use exception to make debugging issues easier.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Refactor certmonger for OpenSSL certificates 2017-03-01T09:43:41+00:00 Stanislav Laznicka slaznick@redhat.com 2017-01-27T08:34:23+00:00 51a2b1372936106ff95d5a45afc813f146653ae4 Currently, it was only possible to request an NSS certificate via certmonger. Merged start_tracking methods and refactored them to allow for OpenSSL certificates tracking. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Currently, it was only possible to request an NSS certificate
via certmonger. Merged start_tracking methods and refactored them
to allow for OpenSSL certificates tracking.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Workaround for certmonger's "Subject" representations 2017-03-01T09:43:41+00:00 Stanislav Laznicka slaznick@redhat.com 2017-01-27T07:58:00+00:00 595f9b64e31dc9e4f035119e834db7e6cb152dce If an OpenSSL certificate is requested in Certmonger (CERT_STORAGE == "FILE") the "Subject" field of such Certificate is ordered as received. However, when an NSS certificate is requested, the "Subject" field takes the LDAP order (components get reversed). This is a workaround so that the behavior stays the same. The workaround should be removed when https://pagure.io/certmonger/issue/62 gets fixed. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
If an OpenSSL certificate is requested in Certmonger
(CERT_STORAGE == "FILE") the "Subject" field of such Certificate
is ordered as received. However, when an NSS certificate is
requested, the "Subject" field takes the LDAP order
(components get reversed). This is a workaround so that the behavior
stays the same.

The workaround should be removed when
https://pagure.io/certmonger/issue/62 gets fixed.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove NSSConnection from the Python RPC module 2017-03-01T09:43:41+00:00 Stanislav Laznicka slaznick@redhat.com 2016-12-20T09:05:36+00:00 dfd560a190cb2ab13f34ed9e21c5fb5c6e793f18 NSSConnection was causing a lot of trouble in the past and there is a lot of logic around it just to make it not fail. What's more, when using NSS to create an SSL connection in FIPS mode, NSS always requires database password which makes the `ipa` command totally unusable. NSSConnection is therefore replaced with Python's httplib.HTTPSConnection which is OpenSSL based. The HTTPSConnection is set up to handle authentication with client certificate for connections to Dogtag server as RA agent. It allows to handle client cert/private key in separate files and also encrypted private key files. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires database password which makes the `ipa` command
totally unusable.

NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.

The HTTPSConnection is set up to handle authentication with client
certificate for connections to Dogtag server as RA agent. It allows
to handle client cert/private key in separate files and also
encrypted private key files.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add fips_mode variable to env 2017-02-21T16:09:00+00:00 Tomas Krizek tkrizek@redhat.com 2017-02-06T12:08:11+00:00 3372ad2766c0d182fa88c8bc28cf43477dc4cb3b Variable fips_mode indicating whether machine is running in FIPS-enabled mode was added to env. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Variable fips_mode indicating whether machine is running in
FIPS-enabled mode was added to env.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>