freeipa.git/ipaserver/plugins, branch fix_ber_scanf FreeIPA patches Modify webUI to adhere to new IPA server API 2019-09-10T09:33:21+00:00 Changmin Teng cteng@redhat.com 2019-07-29T15:10:31+00:00 b66e8a1ee295e11e286979a0bd9ce303cbab2aa5 Given the changes in IPA server API changes, whebUI is modified to utilize new authentication indicators, and disabled custom indicators for services' white list. Resolves: https://pagure.io/freeipa/issue/8001 Signed-off-by: Changmin Teng <cteng@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
Given the changes in IPA server API changes, whebUI is modified to
utilize new authentication indicators, and disabled custom indicators
for services' white list.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Extend the list of supported pre-auth mechanisms in IPA server API 2019-09-10T09:33:21+00:00 Changmin Teng cteng@redhat.com 2019-07-29T15:00:35+00:00 d0570404ef5a79dfc08d7959d21e9e4843973faf As new authentication indicators implemented, we also modified server API to support those new values. Also, "krbprincipalauthind" attribute is modified to use a pre-defined set of values instead of arbitrary strings. Resolves: https://pagure.io/freeipa/issue/8001 Signed-off-by: Changmin Teng <cteng@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> 
As new authentication indicators implemented, we also modified server
API to support those new values. Also, "krbprincipalauthind" attribute
is modified to use a pre-defined set of values instead of arbitrary
strings.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
config plugin: replace 'is 0' with '== 0' 2019-09-04T06:28:14+00:00 Florence Blanc-Renaud flo@redhat.com 2019-09-03T09:48:50+00:00 4a437a3c422ee8a7b3dfee9a90abc2d9cc9e7990 Since python3.8, identity checks with literal produce syntax warnings. Replace the check 'if .. is 0' with 'if .. == 0' Related: https://pagure.io/freeipa/issue/8057 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Since python3.8, identity checks with literal produce syntax warnings.
Replace the check 'if .. is 0' with 'if .. == 0'

Related: https://pagure.io/freeipa/issue/8057
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Allow insecure binds for migration 2019-08-13T16:43:58+00:00 Christian Heimes cheimes@redhat.com 2019-08-13T15:22:01+00:00 a36556e1064900af7a75ca6f07aba66212cf321a Commit 5be9341fbabaf7bcb396a2ce40f17e1ccfa54b77 disallowed simple bind over an insecure connection. Password logins were only allowed over LDAPS or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases. This commit lifts the restriction and permits insecure binds over plain LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA certificate is configured with a plain LDAP connection. Fixes: https://pagure.io/freeipa/issue/8040 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com> 
Commit 5be9341fbabaf7bcb396a2ce40f17e1ccfa54b77 disallowed simple bind
over an insecure connection. Password logins were only allowed over LDAPS
or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.

This commit lifts the restriction and permits insecure binds over plain
LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA
certificate is configured with a plain LDAP connection.

Fixes: https://pagure.io/freeipa/issue/8040
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Don't return SSH keys with ipa host-find --pkey-only 2019-08-07T06:35:28+00:00 Rob Crittenden rcritten@redhat.com 2019-08-01T17:53:44+00:00 73c32dbfeb9a67a476243540dc724784b1a007aa This was introduced in 14ee02dcbd6cbb6c221ac7526e471a9fc58fcc82 https://pagure.io/freeipa/issue/8029 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This was introduced in 14ee02dcbd6cbb6c221ac7526e471a9fc58fcc82

https://pagure.io/freeipa/issue/8029

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
user-stage: transfer all attributes from preserved to stage user 2019-07-31T06:34:34+00:00 Florence Blanc-Renaud flo@redhat.com 2019-07-23T07:31:53+00:00 27baf3501389cc3c8a12e06686da13a874d3f9da The user-stage command is internally implemented as: - user_show(all=True) in order to read the user attributes - loop on the attributes defined as possible to add using stageuser-add and transform them into new options for stageuser_add (for instance stageuser-add provides the option --shell for the attribute loginshell, but there is no option for the attribute businesscategory). - call stageuser_add in order to create a new entry in the active users subtree - user-del to remove the previous entry in the staged users subtree The issue is in the 2nd step. Only the attributes with a stageuser-add option are processed. The logic of the code should be slightly modified, so that all the attributes read in the first step are processed: - if they correspond to an option of stageuser-add, process them like it's currently done. For instance if the entry contains displayname, then it should be processed as --displayName=value in the stageuser-add cmd - if they do not correspond to an option of stageuser-add, add them with --setattr=<attrname>=<attrvalue> Note that some attributes may need to be filtered, for instance user-show returns has_password or has_keytab, which do not correspond to attributes in the LDAP entry. Fixes: https://pagure.io/freeipa/issue/7597 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
The user-stage command is internally implemented as:
- user_show(all=True) in order to read the user attributes
- loop on the attributes defined as possible to add using stageuser-add and
transform them into new options for stageuser_add (for instance stageuser-add
provides the option --shell for the attribute loginshell, but there is no
option for the attribute businesscategory).
- call stageuser_add in order to create a new entry in the active users subtree
- user-del to remove the previous entry in the staged users subtree

The issue is in the 2nd step. Only the attributes with a stageuser-add option
are processed.
The logic of the code should be slightly modified, so that all the attributes
read in the first step are processed:
- if they correspond to an option of stageuser-add, process them like it's
currently done. For instance if the entry contains displayname, then it
should be processed as --displayName=value in the stageuser-add cmd
- if they do not correspond to an option of stageuser-add, add them with
--setattr=<attrname>=<attrvalue>

Note that some attributes may need to be filtered, for instance user-show
returns has_password or has_keytab, which do not correspond to attributes
in the LDAP entry.

Fixes: https://pagure.io/freeipa/issue/7597
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
WebUI: Add PKINIT status field to 'Configuration' page 2019-07-26T16:10:02+00:00 Serhii Tsymbaliuk stsymbal@redhat.com 2019-07-23T13:08:12+00:00 6af723c0c36bc1d7b4c4357b466a285254e0e176 - Add 'Server Options' section to the page - Add 'IPA master capable of PKINIT' field to the 'Server Options' Ticket: https://pagure.io/freeipa/issue/7305 Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
- Add 'Server Options' section to the page
- Add 'IPA master capable of PKINIT' field to the 'Server Options'

Ticket: https://pagure.io/freeipa/issue/7305

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Remove posixAccount from service_find search filter 2019-07-19T17:13:34+00:00 Rob Crittenden rcritten@redhat.com 2019-07-19T12:55:02+00:00 e771fa59ff65545ff1e84f1cd30e06556fabcee3 This will allow cifs principals to be found. They were suppressed because they include objectclass=posixAccount. This is a bit of a historical anomaly. This was included in the filter from the initial commit (though it was person, not posixAccount). I believe it was a mistake from the beginning but it wasn't noticed because it didn't cause any obvious issues. https://pagure.io/freeipa/issue/8013 Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com> 
This will allow cifs principals to be found. They were suppressed
because they include objectclass=posixAccount.

This is a bit of a historical anomaly. This was included in the
filter from the initial commit (though it was person, not
posixAccount). I believe it was a mistake from the beginning but
it wasn't noticed because it didn't cause any obvious issues.

https://pagure.io/freeipa/issue/8013

Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
certmap rules: altSecurityIdentities should only be used for trusted domains 2019-07-17T14:50:07+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-05-03T10:00:18+00:00 41ca4d484e7492bf469d73c6e627cc6df46eebf8 IPA LDAP has no altSecurityIdentities in use, it only should apply to identities in trusted Active Directory domains. Add checks to enforce proper certmap rule attribution for specific Active Directory domains. Related: https://pagure.io/freeipa/issue/7932 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
IPA LDAP has no altSecurityIdentities in use, it only should apply to
identities in trusted Active Directory domains.

Add checks to enforce proper certmap rule attribution for specific
Active Directory domains.

Related: https://pagure.io/freeipa/issue/7932
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Make use of single configuration point for SELinux 2019-07-01T11:44:57+00:00 Stanislav Levin slev@altlinux.org 2019-06-27T08:52:40+00:00 b2acd65013348c0f5d91582f240714b0f3357678 For now, FreeIPA supports SELinux things as they are in RedHat/Fedora. But different distributions may have their own SELinux customizations. This moves SELinux configuration out to platform constants: - SELINUX_MCS_MAX - SELINUX_MCS_REGEX - SELINUX_MLS_MAX - SELINUX_MLS_REGEX - SELINUX_USER_REGEX - SELINUX_USERMAP_DEFAULT - SELINUX_USERMAP_ORDER and applies corresponding changes to the test code. Fixes: https://pagure.io/freeipa/issue/7996 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.

This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER

and applies corresponding changes to the test code.

Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>