| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
Instead of using the kernel keyring,s tore the session cookie within the
ccache. This way kdestroy will really wipe away all creedntials.
Ticket: https://pagure.io/freeipa/issue/6661
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GSS-SPNEGO allows us to negotiate a sasl bind with less roundrtrips
therefore use it when possible.
We only enable it for local connections for now because we only
recently fixed Cyrus SASL to do proper GSS-SPNEGO negotiation. This
change means a newer and an older version are not compatible.
Restricting ourselves to the local host prevents issues with
incomaptible services, and it is ok for us as we are only really lloking
at speedups for the local shortlived connections performed by the
framework. Most other clients have llonger lived connections, so
peformance improvements there are not as important.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
|
| |
This new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).
Signed-off-by: Simo Sorce <simo@redhat.com>
|
|
|
|
|
|
|
| |
It's not our main priority as developers to offer any forms of quickies
nor guides on how to perform them.
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
When cookie has Max-Age set it tries to get expiration by adding
to a timestamp. Without this patch the timestamp would be set to
None and thus the addition of timestamp + max_age fails
https://pagure.io/freeipa/issue/6718
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
|
|
|
|
|
| |
Part of: https://pagure.io/freeipa/issue/5011
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Minor refactor to remove the redundant 'principal_type' argument
from 'caacl_check' and associated functions.
Part of: https://pagure.io/freeipa/issue/5011
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Make it clear this command is used to only renew certificate for
the CA and provide guidance on how to renew other certificates.
https://pagure.io/freeipa/issue/6648
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
|
|
|
|
|
|
| |
So that it will be nicely formatted on FreeIPA Pagure landing page.
https://pagure.io/freeipa
Some links were updated as other projects also moved to Pagure.io.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
https://fedorahosted.org/freeipa/ticket/6542
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
|
|
|
|
|
|
| |
* use with statement to open/close files
* prefer fchmod/fchown when a file descriptor is available
* set permission before data is written to file
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
automake was complaining about duplicated definitions of pkginstall. It
was defined to true in Makefile.python.am only to be overriden in some
Makefile.am.
Now we assume that pkginstall is implicit true and only skip
installation when pkginstall is explicitly set to false.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
| |
pylint gets confused by duplicated package names, e.g. ipaplatform and
pypi/ipaplatform.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Some calls to setup.py specified a build base, some did not. This can
lead to issues, e.g. build, clean and install are using different build
directories.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
| |
I also renamed the base directory to pypi and added a new build target
pypi_packages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
| |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
|
|
| |
The ipa and freeipa packages are placeholders to prevent PyPI squashing
attacks and reserve the names for future use. `pip install ipa` installs
ipaclient.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/6650
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
Require the user to provide the PKINIT cert with --pkinit-cert-file or
disable PKINIT with --no-pkinit in CA-less ipa-server-install,
ipa-replica-prepare and ipa-replica-install.
Do not attempt to issue the PKINIT cert in CA-less ipa-server-upgrade.
https://pagure.io/freeipa/issue/5678
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
In CA-less mode there's no /etc/pki/pki-tomcat/password.conf so it
does not make sense to try to create a password file for an NSS
database from it (the NSS database does not exist either).
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
ipalib.x509 no longer raises NSPRError. PyCA cryptography raises
ValueError for invalid certs.
https://fedorahosted.org/freeipa/ticket/5695
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
A couple of tests were added to server/replica install integration
suite to test AD trust install w/ various combinations of other optional
components.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
Since AD trust installer is now a part of composite installers, their
man pages were updated with separate section documenting relevant AD
trust-related option descriptions.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
`--rid-base` and `--secondary-rid-base` had `-U` option assigned
by error in the man page. Remove it as these options have not short
alias.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
`ipa-replica-install` is now able to configure Samba and winbind
services in order to manage Active Directory trusts. `--add-agents`
option is exposed in replica installer, while `--add-sids` now defaults
to `False` since adding a first AD trust controller to an existing
sizeable deployment can result in stuck installation as sidgen tasks can
take a long time to complete. That's why adding SIDs should be a
conscious decision in this case.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ipa-server-install is now able to configure Samba and winbind services
and manage trusts to Active Directory right off the bat with following
alterations from standalone installer:
* sidgen task is always triggered since there are only a few entries
to tag in the beginning
* the `--add-agents` option is hardcoded to False, as there are no
potential agents to resolve and addd when setting up the first
master in topology
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
| |
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This interface is to be used to provide AD trust-related options in
server and replica installer.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
The condition that controls when to check for samba dependencies was
misformulated. The check should be run when the installer is *not* run
as standalone. In standalone mode the check is already made in different
place so the original code triggered it twice.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
There is no point in emitting this message during server/replica
install.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Plain print messages are a) not logged into files and b) get lost in the
output from composite installer.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Use newly implemented APIs for searching and presenting potential
trust agents.
https://fedorahosted.org/freeipa/ticket/6639
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
This is to prevent errors due to non-existent LDAP connection such as
when installing first IPA master.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
Decompose the individual sub-tasks into separate functions. Also perform
the lookup only when LDAP is connected.
https://fedorahosted.org/freeipa/ticket/6630
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
| |
nolog argument of ipautil.run requires tuple, not a string.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
|
|
|
|
|
|
|
| |
test_ldap just imported nss.nss to call nss_init_nodb(). It should be
safe to remove the call. Let's see what CI has to say.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The dogtag `ra' backend defines a `ca_host' property, which is also
defined (identically) by the `RestClient' class, which recently
became a superclass of `ra'. Remove the redundant property
definition.
Part of: https://pagure.io/freeipa/issue/3473
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
When we changed the session handling code we unintentinally extended
sessions expiraion time to the whole ticket lifetime of 24h.
Related to https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
It's not necesary to restore the context of newly created files. SELinux
ensures that new files have the correct permission. An explicit
restore_context() is only required when either policies have changed or
the context was changed manually.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
|
|
|
|
|
|
| |
Setting fips_mode to object would fail if ipaplatform.tasks module
wasn't present.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
| |
Use exception to make debugging issues easier.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
| |
* add missing default_backend
* unpad encrypted data
* use cryptography's hashes and HMAC construct
* remove hard dependency on python-nss from setup.py
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5192
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
| |
The schema cache used a BytesIO buffer to read/write schema cache before
it got flushed to disk. Since the schema cache is now loaded in one go,
the temporary buffer is no longer needed.
File locking has been replaced with a temporary file and atomic rename.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It's inefficient to open a zip file over and over again. By loading all
members of the schema cache file at once, the ipa CLI script starts
about 25 to 30% faster for simple cases like help and ping.
Before:
$ time for i in {1..20}; do ./ipa ping >/dev/null; done
real 0m13.608s
user 0m10.316s
sys 0m1.121s
After:
$ time for i in {1..20}; do ./ipa ping >/dev/null; done
real 0m9.330s
user 0m7.635s
sys 0m1.146s
https://fedorahosted.org/freeipa/ticket/6690
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A previous commit (ffb9a09a0d63f7edae2b647b5c1d503d1d4d7a6e) removed the
definition of VERSION 2 in certmap.conf.template.
ipa-server-upgrade tool compares the template version with the version in
certmap.conf. As VERSION is not defined in either file, it concludes that
version = 0 for both and does not make a backup of certmap.conf even though
it prints that it will.
The fix re-defines VERSION in the template and adapts the code because the
template has changed (it is using $ISSUER_DN instead of
CN=Certificate Authority,$SUBJECT_BASE).
The fix also logs an error when a template file is not versioned.
https://fedorahosted.org/freeipa/ticket/6354
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
|
|
|
|
|
|
|
| |
Extend existing legacy client tests to cover test cases with tree root domain.
https://fedorahosted.org/freeipa/ticket/6489
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix "implicit declaration of function ‘strlen’" in ipa_pwd_ntlm.c,
credits to Lukas.
Add -Werror=implicit-function-declaration to CFLAGS to point developers
to missing includes. It causes compilation to fail when a developer
forgets to add a required include. The problem is no longer hidden in a
massive wall of text from make.
Silence a harmless error from 389-DS slapi.h until the bug is fixed in
downstream, https://pagure.io/389-ds-base/issue/48979
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|