freeipa.git/ipaserver/plugins, branch webui_isolate FreeIPA patches Separate RA cert store from the HTTP cert store 2017-02-14T22:37:16+00:00 Simo Sorce simo@redhat.com 2016-12-13T15:32:32+00:00 63e18ecfe383827678cf77463520463ca7a4d821 This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Use Anonymous user to obtain FAST armor ccache 2017-02-14T22:36:58+00:00 Simo Sorce simo@redhat.com 2016-12-02T11:48:35+00:00 399ab5b87a6d983bd5e3882d0660b81942c184e4 The anonymous user allows the framework to obtain an armor ccache without relying on usable credentials, either via a keytab or a pkinit and public certificates. This will be needed once the HTTP keytab is moved away for privilege separation. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Drop use of kinit_as_http from trust code 2017-02-14T22:36:50+00:00 Simo Sorce simo@redhat.com 2016-12-07T09:33:40+00:00 09886c1e89532a64c4f1e5b5a68135390113f5b3 The framework will not have direct access to the keytab anymore. This function was used in two places, to fetch the domain list and to re-initialize the PAC when enabling or disabling a domain trust. The domian list is normally fetched via oddjob anyway so this use is not necesary anymore, and the MS-PAC re-initialization can be moved later to oddjob if needed. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
The framework will not have direct access to the keytab anymore.
This function was used in two places, to fetch the domain list and to
re-initialize the PAC when enabling or disabling a domain trust.
The domian list is normally fetched via oddjob anyway so this use is
not necesary anymore, and the MS-PAC re-initialization can be moved
later to oddjob if needed.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Change session handling 2017-02-14T22:36:04+00:00 Simo Sorce simo@redhat.com 2016-08-19T13:23:55+00:00 8b88ef00331f1fbb28802b3eba5ced62daeffc9e Stop using memcache, use mod_auth_gssapi filesystem based ccaches. Remove custom session handling, use mod_auth_gssapi and mod_session to establish and keep a session cookie. Add loopback to mod_auth_gssapi to do form absed auth and pass back a valid session cookie. And now that we do not remove ccaches files to move them to the memcache, we can avoid the risk of pollutting the filesystem by keeping a common ccache file for all instances of the same user. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
cryptography has deprecated serial in favor of serial_number 2017-02-10T15:16:44+00:00 Christian Heimes cheimes@redhat.com 2017-02-10T13:20:22+00:00 3d9bec2e879d60e6bb7b2602084d3314765a6283 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
py3: get_memberofindirect: fix ByteWarnings 2017-02-08T14:41:39+00:00 Martin Basti mbasti@redhat.com 2017-02-02T15:51:21+00:00 6bb5af7bea21d44b4e5ee20cfaa2f76b12ea0929 DN must be converted to bytes as other variables adn lists contain bytes https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
DN must be converted to bytes as other variables adn lists contain bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
py3: _convert_to_idna: fix bytes/unicode mistmatch 2017-02-08T07:32:44+00:00 Martin Basti mbasti@redhat.com 2017-01-27T11:06:54+00:00 a584758cfb87567a9c640ae107903b0f6c9fec30 ToASCII() returns bytes, it must be decoded to unicode https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
ToASCII() returns bytes, it must be decoded to unicode

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
py3: DNS: get_record_entry_attrs: do not modify dict during iteration 2017-02-08T07:32:44+00:00 Martin Basti mbasti@redhat.com 2017-01-26T09:25:46+00:00 03d0a55e8a21a334ca4dc625527cae93633a7314 In py3 keys() doesn't return list but iterator so it must be transformed to tuple otherwise iterator will be broken. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
In py3 keys() doesn't return list but iterator so it must be transformed
to tuple otherwise iterator will be broken.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
py3: _ptrrecord_precallaback: use bytes with labels 2017-02-08T07:32:44+00:00 Martin Basti mbasti@redhat.com 2017-01-25T14:38:03+00:00 a3d3b0ad2537c9d11d9c6108c31e079f0dfcf31c DNS labels are bytes so bytes must be used for comparison https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
DNS labels are bytes so bytes must be used for comparison

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
py3: remove_entry_from_group: attribute name must be string 2017-02-08T07:32:44+00:00 Martin Basti mbasti@redhat.com 2017-01-25T13:56:07+00:00 a93b2bea5ce88a934ba2ab39bdaa518fb55064c4 Do not encode attribute names https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Do not encode attribute names

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>