freeipa.git/ipaserver, branch replica_kdc FreeIPA patches Configure KDC to use certs after they are deployed 2017-03-09T17:49:54+00:00 Simo Sorce simo@redhat.com 2017-03-09T17:49:54+00:00 d9fb5cb52b9450f6ac514b75ec4b74ec3d30affa Certmonger needs to access the KDC when it tries to obtain certs, so make sure the KDC can run, then reconfigure it to use pkinit anchors once certs are deployed. Signed-off-by: Simo Sorce <simo@redhat.com> 
Certmonger needs to access the KDC when it tries to obtain certs,
so make sure the KDC can run, then reconfigure it to use pkinit anchors
once certs are deployed.

Signed-off-by: Simo Sorce <simo@redhat.com>
backup: backup anonymous keytab 2017-03-09T17:22:34+00:00 Martin Basti mbasti@redhat.com 2017-03-09T16:25:49+00:00 8fb61a55fe32438752567bde8af73d6b8230a386 Freeipa stops working without anon keytab https://pagure.io/freeipa/issue/5959 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Freeipa stops working without anon keytab

https://pagure.io/freeipa/issue/5959

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
server install: require IPv6 stack to be enabled 2017-03-09T15:50:21+00:00 Tomas Krizek tkrizek@redhat.com 2017-03-07T12:54:41+00:00 ecb450308d0a49afffb31dda1e405ad40552e70e Add checks to install and replica install to verify IPv6 stack is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...). https://pagure.io/freeipa/issue/6608 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Add checks to install and replica install to verify IPv6 stack
is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...).

https://pagure.io/freeipa/issue/6608

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
add whoami command 2017-03-09T13:10:02+00:00 Alexander Bokovoy abokovoy@redhat.com 2017-03-02T16:03:05+00:00 381c1c7a8fe63526d21cb65decb75fb5ffda676a Whoami command allows to query details about currently authenticated identity. The command returns following information: * object class name * function to call to get actual details about the object * arguments to pass to the function There are five types of objects that could bind to IPA using their credentials. `ipa whoami` call expects one of the following: * users * staged users * hosts * Kerberos services * ID user override from the default trust view The latter category of objects is automatically mapped by SASL GSSAPI mapping rule in 389-ds for users from trusted Active Directory forests. The command is expected to be used by Web UI to define proper view for the authenticated identity. It is not visible in the command line interface is `ipa` command. Below is an example of how communication looks like for a host principal: # kinit -k # ipa console (Custom IPA interactive Python console) >>> api.Command.whoami() {u'command': u'host_show/1', u'object': u'host', u'arguments': (u'ipa.example.com',)} >>> Fixes https://pagure.io/freeipa/issue/6643 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Whoami command allows to query details about currently
authenticated identity. The command returns following information:

  * object class name
  * function to call to get actual details about the object
  * arguments to pass to the function

There are five types of objects that could bind to IPA using their
credentials. `ipa whoami` call expects one of the following:

  * users
  * staged users
  * hosts
  * Kerberos services
  * ID user override from the default trust view

The latter category of objects is automatically mapped by SASL GSSAPI
mapping rule in 389-ds for users from trusted Active Directory forests.

The command is expected to be used by Web UI to define proper view for
the authenticated identity. It is not visible in the command line
interface is `ipa` command.

Below is an example of how communication looks like for a host
principal:

   # kinit -k
   # ipa console
   (Custom IPA interactive Python console)
   >>> api.Command.whoami()
   {u'command': u'host_show/1', u'object': u'host', u'arguments': (u'ipa.example.com',)}
   >>>

Fixes https://pagure.io/freeipa/issue/6643

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
WebUI: Add cermapmatch module 2017-03-08T15:22:01+00:00 Pavel Vomacka pvomacka@redhat.com 2017-03-07T20:31:22+00:00 61cd4372e142662c06c881886709fe1b573102a9 Add module which can show users which are mapped to the provided certificate. Additionaly, the certificate is parsed and parsed information are also displayed. https://pagure.io/freeipa/issue/6601 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
Add module which can show users which are mapped to the provided certificate.
Additionaly, the certificate is parsed and parsed information are
also displayed.

https://pagure.io/freeipa/issue/6601

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Allow login to WebUI using Kerberos aliases/enterprise principals 2017-03-08T14:56:11+00:00 Martin Babinsky mbabinsk@redhat.com 2016-09-22T07:58:47+00:00 f8d7e37a091c1df4c989b80b8d19e12ab35533c8 The logic of the extraction/validation of principal from the request and subsequent authentication was simplified and most of the guesswork will be done by KDC during kinit. This also allows principals from trusted domains to login via rpcserver. https://fedorahosted.org/freeipa/ticket/6343 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com> 
The logic of the extraction/validation of principal from the request and
subsequent authentication was simplified and most of the guesswork will
be done by KDC during kinit. This also allows principals from trusted
domains to login via rpcserver.

https://fedorahosted.org/freeipa/ticket/6343

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
dns: fix `dnsrecord_add` interactive mode 2017-03-08T14:52:41+00:00 Jan Cholasta jcholast@redhat.com 2017-02-23T13:21:59+00:00 1e912f5b83166154806e0382f3f028d0eac81731 `dnsrecord_add` interactive mode might prompt for value of non-existent arguments `a_part_create_reverse` and `aaaa_part_create_reverse`. This happens because `dnsrecord_add` extra flags are incorrectly defined as parts of the respective DNS records. Remove extra flags from DNS record parts to fix the interactive mode on old clients talking to new servers. Skip non-existent arguments in the interactive mode to fix new clients talking to old servers. https://fedorahosted.org/freeipa/ticket/6457 Reviewed-By: Martin Basti <mbasti@redhat.com> 
`dnsrecord_add` interactive mode might prompt for value of non-existent
arguments `a_part_create_reverse` and `aaaa_part_create_reverse`. This
happens because `dnsrecord_add` extra flags are incorrectly defined as
parts of the respective DNS records.

Remove extra flags from DNS record parts to fix the interactive mode on old
clients talking to new servers. Skip non-existent arguments in the
interactive mode to fix new clients talking to old servers.

https://fedorahosted.org/freeipa/ticket/6457

Reviewed-By: Martin Basti <mbasti@redhat.com>
KRA: add --setup-kra to ipa-server-install 2017-03-08T14:50:30+00:00 Martin Basti mbasti@redhat.com 2017-03-02T16:08:59+00:00 4006cbbc02c368ac9e5e3721613158decb34fd37 This patch allows to install KRA on first IPA server in one step using ipa-server-install This option improves containers installation where ipa-server can be installed with KRA using one call without need to call docker exec. Please note the the original `kra.install()` calls in ipaserver/install/server/install.py were empty operations as it did nothing, so it is safe to move them out from CA block https://pagure.io/freeipa/issue/6731 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
This patch allows to install KRA on first IPA server in one step using
ipa-server-install

This option improves containers installation where ipa-server can be
installed with KRA using one call without need to call docker exec.

Please note the the original `kra.install()` calls in
ipaserver/install/server/install.py were empty operations as it did
nothing, so it is safe to move them out from CA block

https://pagure.io/freeipa/issue/6731

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
IdM Server: list all Employees with matching Smart Card 2017-03-08T14:08:41+00:00 Florence Blanc-Renaud flo@redhat.com 2017-02-23T17:04:47+00:00 ea34e17a46a60efb9c4dc81dab919a1639dec73b Implement a new IPA command allowing to retrieve the list of users matching the provided certificate. The command is using SSSD Dbus interface, thus including users from IPA domain and from trusted domains. This requires sssd-dbus package to be installed on IPA server. https://fedorahosted.org/freeipa/ticket/6646 Reviewed-By: David Kupka <dkupka@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Implement a new IPA command allowing to retrieve the list of users matching
the provided certificate.
The command is using SSSD Dbus interface, thus including users from IPA
domain and from trusted domains. This requires sssd-dbus package to be
installed on IPA server.

https://fedorahosted.org/freeipa/ticket/6646

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add support for custom table pagination size 2017-03-08T13:54:56+00:00 Pavel Vomacka pvomacka@redhat.com 2016-08-11T13:58:23+00:00 e1dfc51e48050ac1ad431d56003dc26e17ca653e New customization button opens dialog with field for setting the number of lines in tables. After saving the new value there is new topic which starts refreshing current table facet (if shown) and set all other facets expired. Therefore all tables are immediately regenerated. https://fedorahosted.org/freeipa/ticket/5742 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
New customization button opens dialog with field for setting the number of lines
in tables. After saving the new value there is new topic which starts refreshing
current table facet (if shown) and set all other facets expired. Therefore all
tables are immediately regenerated.

https://fedorahosted.org/freeipa/ticket/5742

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>