freeipa.git/ipaserver/plugins, branch clisesshandling FreeIPA patches ldap2: use LDAP whoami operation to retrieve bind DN for current connection 2017-03-22T16:19:22+00:00 Alexander Bokovoy abokovoy@redhat.com 2017-03-22T11:00:22+00:00 7324451834ec03786fda947679f750fe2a72f29c For external users which are mapped to some DN in LDAP server, we wouldn't neccesary be able to find a kerberos data in their LDAP entry. Instead of searching for Kerberos principal use actual DN we are bound to because for get_effective_rights LDAP control we only need the DN itself. Fixes https://pagure.io/freeipa/issue/6797 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> 
For external users which are mapped to some DN in LDAP server, we
wouldn't neccesary be able to find a kerberos data in their LDAP entry.
Instead of searching for Kerberos principal use actual DN we are bound
to because for get_effective_rights LDAP control we only need the DN
itself.

Fixes https://pagure.io/freeipa/issue/6797

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
check for replica's KDC entry on master before requesting PKINIT cert 2017-03-15T15:39:39+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-15T13:03:19+00:00 b45629fc480e61464b402ac2fc52c6f9fc61df0e This prevents replication-based race conditions to break PKINIT certificate requests on replica installation. https://pagure.io/freeipa/issue/6739 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This prevents replication-based race conditions to break PKINIT
certificate requests on replica installation.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
check that the master requesting PKINIT cert has KDC enabled 2017-03-15T15:39:39+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-15T13:00:49+00:00 8f4abf7bc1607fc44f528b8a443b69cb82269e69 https://pagure.io/freeipa/issue/6739 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
idviews: correctly handle modification of non-existent view 2017-03-15T08:48:12+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-15T07:18:39+00:00 1cdd5dee006426c996f67240b6cb2c1aa05e5168 the pre-callback in `idview-mod` did not correctly handle non-existent object during objectclass check. It will now correctly report that the object was not found instead on generic 'no such entry'. https://pagure.io/freeipa/issue/6372 Reviewed-By: Martin Basti <mbasti@redhat.com> 
the pre-callback in `idview-mod` did not correctly handle non-existent
object during objectclass check. It will now correctly report that the
object was not found instead on generic 'no such entry'.

https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
Re-use trust domain retrieval code in certmap validators 2017-03-14T17:37:10+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-14T12:57:43+00:00 4e5e3eebb223b7f2760e21f22e42775982104b0d https://pagure.io/freeipa/issue/6372 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
idview: add domain_resolution_order attribute 2017-03-14T17:37:10+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-09T18:02:49+00:00 544d66b7109300e570fb6849f0f9bab8020f3b66 `idview-add` and `idview-mod` can now set and validate the attribute. The required objectclass is added on-demand after modification https://pagure.io/freeipa/issue/6372 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
`idview-add` and `idview-mod` can now set and validate the attribute.
The required objectclass is added on-demand after modification

https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipaconfig: add the ability to manipulate domain resolution order 2017-03-14T17:37:10+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-09T17:14:52+00:00 1b5f56d15455b6019dd532cb9635fa2c44cb0022 optional attribute was added to config object along with validator that check for valid domain names and also checks whether the specified domains exist in FreeIPA or in trusted forests and, in case of trusted domains, are not disabled. Part of http://www.freeipa.org/page/V4/AD_User_Short_Names https://pagure.io/freeipa/issue/6372 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
optional attribute was added to config object along with validator that
check for valid domain names and also checks whether the specified
domains exist in FreeIPA or in trusted forests and, in case of trusted
domains, are not disabled.

Part of http://www.freeipa.org/page/V4/AD_User_Short_Names

https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
cert: include certificate chain in cert command output 2017-03-14T11:58:45+00:00 Jan Cholasta jcholast@redhat.com 2017-03-10T09:22:42+00:00 8ed891cb619abd2efd428f767edf760ebf5eec5d Include the full certificate chain in the output of cert-request, cert-show and cert-find if --chain or --all is specified. If output file is specified in the CLI together with --chain, the full certificate chain is written to the file. https://pagure.io/freeipa/issue/6547 Reviewed-By: David Kupka <dkupka@redhat.com> 
Include the full certificate chain in the output of cert-request, cert-show
and cert-find if --chain or --all is specified.

If output file is specified in the CLI together with --chain, the full
certificate chain is written to the file.

https://pagure.io/freeipa/issue/6547

Reviewed-By: David Kupka <dkupka@redhat.com>
WebUI: add vault management 2017-03-14T09:40:10+00:00 Pavel Vomacka pvomacka@redhat.com 2016-10-05T10:06:27+00:00 39d7ef3de4b0345274b4b8e8f6918e3b714879ad Add vault management into WebUI, there are some constraints: - There is no crypto library so Symmetric and Assymetric vaults are not supported in WebUI. Also retrieving or archiving data is not supported. - There aren't any container support right now Supported is: - Browsing vaults - Adding Standard vaults (users, service, shared) - Removing vaults - Adding and removing owners - Adding and removing members https://fedorahosted.org/freeipa/ticket/5426 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
Add vault management into WebUI, there are some constraints:
- There is no crypto library so Symmetric and Assymetric vaults
  are not supported in WebUI. Also retrieving or archiving data
  is not supported.
- There aren't any container support right now

Supported is:
- Browsing vaults
- Adding Standard vaults (users, service, shared)
- Removing vaults
- Adding and removing owners
- Adding and removing members

https://fedorahosted.org/freeipa/ticket/5426

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
permissions: add permissions for read and mod of external group members 2017-03-13T17:18:31+00:00 Petr Vobornik pvoborni@redhat.com 2016-06-23T15:42:17+00:00 da5487c407bee9bce41f4012d07970916b9456c1 Issue: "User Administrator" role cannot add users to an External Group. https://fedorahosted.org/freeipa/ticket/5504 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Issue: "User Administrator" role cannot add users to an External Group.

https://fedorahosted.org/freeipa/ticket/5504

Reviewed-By: Martin Basti <mbasti@redhat.com>