freeipa.git/ipaserver/plugins, branch fixlogout FreeIPA patches Fix session logout 2017-02-20T17:40:57+00:00 Simo Sorce simo@redhat.com 2017-02-20T17:38:11+00:00 85eb3103c04e6e125bdb1d09caed6a94580a7592 There were 2 issues with session logouts, one is that the logout_cookie was checked and acted on in the wrong place, the other is that the wrong value was set in the IPASESSION header. Fixes https://fedorahosted.org/freeipa/ticket/6685 Signed-off-by: Simo Sorce <simo@redhat.com> 
There were 2 issues with session logouts, one is that the logout_cookie
was checked and acted on in the wrong place, the other is that the wrong
value was set in the IPASESSION header.

Fixes https://fedorahosted.org/freeipa/ticket/6685

Signed-off-by: Simo Sorce <simo@redhat.com>
Change session logout to kill only the cookie 2017-02-17T08:57:23+00:00 Simo Sorce simo@redhat.com 2017-02-16T16:07:31+00:00 b895f4a34bcbd0b1787d2bfc1db25f34c3584b9c Removing the ccache goes too far as it will cause unrelated sessions to fail as well, this is a problem for accounts used to do unattended operations and that may operate in parallel. Fixes https://fedorahosted.org/freeipa/ticket/6682 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Removing the ccache goes too far as it will cause unrelated sessions to
fail as well, this is a problem for accounts used to do unattended
operations and that may operate in parallel.

Fixes https://fedorahosted.org/freeipa/ticket/6682

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Separate RA cert store from the HTTP cert store 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-12-13T15:32:32+00:00 d124e307f3b7d88bca53784f030ed6043b224432 This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Use Anonymous user to obtain FAST armor ccache 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-12-02T11:48:35+00:00 b6741d81e187fc84177c12ef8ad900d3b5cda6a4 The anonymous user allows the framework to obtain an armor ccache without relying on usable credentials, either via a keytab or a pkinit and public certificates. This will be needed once the HTTP keytab is moved away for privilege separation. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Drop use of kinit_as_http from trust code 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-12-07T09:33:40+00:00 b109f5d850ce13585d4392ca48896dc069a746e5 The framework will not have direct access to the keytab anymore. This function was used in two places, to fetch the domain list and to re-initialize the PAC when enabling or disabling a domain trust. The domian list is normally fetched via oddjob anyway so this use is not necesary anymore, and the MS-PAC re-initialization can be moved later to oddjob if needed. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The framework will not have direct access to the keytab anymore.
This function was used in two places, to fetch the domain list and to
re-initialize the PAC when enabling or disabling a domain trust.
The domian list is normally fetched via oddjob anyway so this use is
not necesary anymore, and the MS-PAC re-initialization can be moved
later to oddjob if needed.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Change session handling 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-08-19T13:23:55+00:00 c894ebefc5c4c4c7ea340d6ddc4cd3c081917e4a Stop using memcache, use mod_auth_gssapi filesystem based ccaches. Remove custom session handling, use mod_auth_gssapi and mod_session to establish and keep a session cookie. Add loopback to mod_auth_gssapi to do form absed auth and pass back a valid session cookie. And now that we do not remove ccaches files to move them to the memcache, we can avoid the risk of pollutting the filesystem by keeping a common ccache file for all instances of the same user. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Allow nsaccountlock to be searched in user-find command 2017-02-14T16:09:45+00:00 Gabe redhatrises@gmail.com 2017-02-12T00:13:08+00:00 a930ec824da0337109d646ab3acb495dc1b6ba63 This patch provides the ability to search and find users who are enabled/disabled in `ipa user-find` command without breaking API compatibility. Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
This patch provides the ability to search and find users who are
enabled/disabled in `ipa user-find` command without breaking API compatibility.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
cryptography has deprecated serial in favor of serial_number 2017-02-10T15:16:44+00:00 Christian Heimes cheimes@redhat.com 2017-02-10T13:20:22+00:00 3d9bec2e879d60e6bb7b2602084d3314765a6283 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
py3: get_memberofindirect: fix ByteWarnings 2017-02-08T14:41:39+00:00 Martin Basti mbasti@redhat.com 2017-02-02T15:51:21+00:00 6bb5af7bea21d44b4e5ee20cfaa2f76b12ea0929 DN must be converted to bytes as other variables adn lists contain bytes https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
DN must be converted to bytes as other variables adn lists contain bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
py3: _convert_to_idna: fix bytes/unicode mistmatch 2017-02-08T07:32:44+00:00 Martin Basti mbasti@redhat.com 2017-01-27T11:06:54+00:00 a584758cfb87567a9c640ae107903b0f6c9fec30 ToASCII() returns bytes, it must be decoded to unicode https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
ToASCII() returns bytes, it must be decoded to unicode

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>