freeipa.git/ipalib, branch mspac FreeIPA patches Add IntEnum parameter to ipalib 2013-10-09T16:05:37+00:00 Nathaniel McCallum npmccallum@redhat.com 2013-10-09T08:16:46+00:00 88d003c68b3350185148a5499441c55db3b90398 






Allow multiple types in Param type validation
2013-10-09T16:05:37+00:00

Nathaniel McCallum
npmccallum@redhat.com

2013-09-30T16:45:37+00:00

4f6580f11ded1c456e0891023232b0d715d8aef7

Int already needed to take both int and long. This makes the functionality
available for all Param classes.





Int already needed to take both int and long. This makes the functionality
available for all Param classes.







Add optional_create flag
2013-10-08T14:46:20+00:00

Nathaniel McCallum
npmccallum@redhat.com

2013-10-01T17:57:24+00:00

e05dfbd8b4b4e040266ecfba579bcd64e22b342b












Don't special case the Password class in Param.__init__()
2013-10-08T14:14:32+00:00

Nathaniel McCallum
npmccallum@redhat.com

2013-09-30T17:06:37+00:00

fd63505f6d02e5ef4630df49054d3b11fffcf54f












Document no_search in Param flags
2013-10-07T12:00:52+00:00

Nathaniel McCallum
npmccallum@redhat.com

2013-10-01T17:55:22+00:00

12ae6a054a20134fe51f195933ced7b52b2bd2ed












ipa-kdb: Handle parent-child relationship for subdomains
2013-10-04T08:25:31+00:00

Alexander Bokovoy
abokovoy@redhat.com

2013-10-03T10:30:44+00:00

d228b1bd70aeebb19fbf64ee64bbd662eda19fc4

When MS-PAC information is re-initialized, record also parent-child
relationship between trust root level domain and its subdomains.

Use parent incoming SID black list to check if child domain is not
allowed to access IPA realm.

We also should really use 'cn' of the entry as domain name.
ipaNTTrustPartner has different meaning on wire, it is an index
pointing to the parent domain of the domain and will be 0 for top
level domains or disjoint subdomains of the trust.

Finally, trustdomain-enable and trustdomain-disable commands should
force MS-PAC cache re-initalization in case of black list change.
Trigger that by asking for cross-realm TGT for HTTP service.





When MS-PAC information is re-initialized, record also parent-child
relationship between trust root level domain and its subdomains.

Use parent incoming SID black list to check if child domain is not
allowed to access IPA realm.

We also should really use 'cn' of the entry as domain name.
ipaNTTrustPartner has different meaning on wire, it is an index
pointing to the parent domain of the domain and will be 0 for top
level domains or disjoint subdomains of the trust.

Finally, trustdomain-enable and trustdomain-disable commands should
force MS-PAC cache re-initalization in case of black list change.
Trigger that by asking for cross-realm TGT for HTTP service.







trust: integrate subdomains support into trust-add
2013-10-04T08:25:31+00:00

Alexander Bokovoy
abokovoy@redhat.com

2013-09-27T10:39:57+00:00

f734988e24012bccdc5f982d56795213f9733f84












ipaserver/dcerpc: remove use of trust account authentication
2013-10-04T08:25:31+00:00

Alexander Bokovoy
abokovoy@redhat.com

2013-09-27T10:36:59+00:00

a87813bf420c19a99b1a19711e63d231cd4afd86

Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal,
it is possible to use it when talking to the trusted AD DC.

Remove support for authenticating as trust account because it should not
really be used other than within Samba.





Since FreeIPA KDC supports adding MS-PAC to HTTP/ipa.server principal,
it is possible to use it when talking to the trusted AD DC.

Remove support for authenticating as trust account because it should not
really be used other than within Samba.







frontend: report arguments errors with better detail
2013-10-04T08:25:31+00:00

Alexander Bokovoy
abokovoy@redhat.com

2013-09-26T14:44:37+00:00

2d6c7e3adb47787ba7c38c303fd1f528f7d52a13

When reporting argument errors, show also a context -- what is processed,
what is the name of the command.





When reporting argument errors, show also a context -- what is processed,
what is the name of the command.







trusts: support subdomains in a forest
2013-10-04T08:25:31+00:00

Alexander Bokovoy
abokovoy@redhat.com

2013-09-18T15:04:19+00:00

0b29bfde0df92ed0a61b5ce099295c0b0c6495d4

Add IPA CLI to manage trust domains.

ipa trust-fetch-domains <trust>      -- fetch list of subdomains from AD side and add new ones to IPA
ipa trustdomain-find <trust>         -- show all available domains
ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust>
ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA
ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain

By default all discovered trust domains are allowed to access IPA resources

IPA KDC needs also information for authentication paths to subdomains in case they
are not hierarchical under AD forest trust root. This information is managed via capaths
section in krb5.conf. SSSD should be able to generate it once
ticket https://fedorahosted.org/sssd/ticket/2093 is resolved.

part of https://fedorahosted.org/freeipa/ticket/3909





Add IPA CLI to manage trust domains.

ipa trust-fetch-domains <trust>      -- fetch list of subdomains from AD side and add new ones to IPA
ipa trustdomain-find <trust>         -- show all available domains
ipa trustdomain-del <trust> <domain> -- remove domain from IPA view about <trust>
ipa trustdomain-enable <trust> <domain> -- allow users from trusted domain to access resources in IPA
ipa trustdomain-disable <trust> <domain> -- disable access to resources in IPA from trusted domain

By default all discovered trust domains are allowed to access IPA resources

IPA KDC needs also information for authentication paths to subdomains in case they
are not hierarchical under AD forest trust root. This information is managed via capaths
section in krb5.conf. SSSD should be able to generate it once
ticket https://fedorahosted.org/sssd/ticket/2093 is resolved.

part of https://fedorahosted.org/freeipa/ticket/3909