Commit log. Each entry: commit message, author, date, files changed, lines -removed/+added.
* client: Add description of --ip-address and --all-ip-addresses to man page
  David Kupka, 2015-08-19, 1 file, -0/+6
  https://fedorahosted.org/freeipa/ticket/4249
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* cert-request: remove allowed extensions check
  Fraser Tweedale, 2015-08-19, 1 file, -19/+3
  cert-request currently permits a limited number of request extensions; uncommon and esoteric extensions are prohibited and this limits the usefulness of custom profiles. The Dogtag profile has total control over what goes into the final certificate and has the option to reject requests based on the request extensions present or their values, so there is little reason to restrict what extensions can be used in FreeIPA. Remove the check.
  Fixes: https://fedorahosted.org/freeipa/ticket/5205
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Server Upgrade: Start DS before CA is started.
  Martin Basti, 2015-08-19, 1 file, -2/+12
  https://fedorahosted.org/freeipa/ticket/5232
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add dependency to SSSD 1.13.1
  Martin Basti, 2015-08-19, 1 file, -2/+2
  SSSD 1.13.1 has required functionality to support dualstack and multihomed
  https://fedorahosted.org/freeipa/ticket/4249
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* vault: Add container information to vault command results
  Jan Cholasta, 2015-08-19, 1 file, -0/+44
  https://fedorahosted.org/freeipa/ticket/5150
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* vault: Fix vault-find with criteria
  Jan Cholasta, 2015-08-19, 1 file, -1/+1
  https://fedorahosted.org/freeipa/ticket/5212
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* client: Add support for multiple IP addresses during installation.
  David Kupka, 2015-08-18, 1 file, -66/+223
  https://fedorahosted.org/freeipa/ticket/4249
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* improve the handling of krb5-related errors in dnssec daemons
  Martin Babinsky, 2015-08-18, 3 files, -4/+20
  ipa-dnskeysync* and ipa-ods-exporter handle kerberos errors more gracefully instead of crashing with tracebacks.
  https://fedorahosted.org/freeipa/ticket/5229
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Prohibit deletion of predefined profiles
  Fraser Tweedale, 2015-08-18, 2 files, -5/+16
  Deletion of predefined profiles, including the default profile, should not be allowed. Detect this case and raise an error.
  Also update the predefined profiles collection to use namedtuple, making it easier to access the various components.
  Fixes: https://fedorahosted.org/freeipa/ticket/5198
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* user-undel: Fix error messages.
  David Kupka, 2015-08-18, 1 file, -7/+5
  https://fedorahosted.org/freeipa/ticket/5207
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* trusts: harden trust-fetch-domains oddjobd-based script
  Alexander Bokovoy, 2015-08-18, 2 files, -5/+28
  When ipa-getkeytab is used to fetch trusted domain object credentials, the fetched entry always has kvno 1. ipa-getkeytab always adds a key to the keytab, which means older key versions will be in the SSSD keytab and will confuse libkrb5 ccache initialization code as all kvno values are equal to 1. The wrong key is then picked up and kinit fails.
  To solve this problem, always remove existing /var/lib/sss/keytabs/forest.keytab before retrieving a new one.
  To make sure the script's input cannot be used to define what should be removed (by passing a relative path), make sure we retrieve the trusted forest name from LDAP. If it is not possible to retrieve, the script will issue an exception and quit. If abrtd is running, this will be recorded as a 'crash' and an attempt to use the script by a malicious user would be recorded as well in the abrtd journal.
  Additionally, as com.redhat.idm.trust-fetch-domains will create ID ranges for the domains of the trusted forest if they don't exist, it needs permissions to do so. The permission should be granted only to cifs/ipa.master@IPA.REALM services, which means they must have krbprincipalname=cifs/*@IPA.REALM,cn=services,... DN and be members of cn=adtrust agents,cn=sysaccounts,... group.
  Solves https://bugzilla.redhat.com/show_bug.cgi?id=1250190
  Ticket https://fedorahosted.org/freeipa/ticket/5182
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* install: Fix replica install with custom certificates
  Jan Cholasta, 2015-08-18, 1 file, -8/+9
  https://fedorahosted.org/freeipa/ticket/5226
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa-restore: check whether DS is running before attempting connection
  Martin Babinsky, 2015-08-18, 1 file, -0/+7
  https://fedorahosted.org/freeipa/ticket/4838
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* vault: validate vault type
  Petr Vobornik, 2015-08-18, 3 files, -7/+8
  https://fedorahosted.org/freeipa/ticket/5211
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* vault: normalize service principal in service vault operations
  Petr Vobornik, 2015-08-18, 1 file, -0/+2
  https://fedorahosted.org/freeipa/ticket/5233
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fixed vault container ownership.
  Endi S. Dewata, 2015-08-18, 1 file, -2/+23
  The vault-add command has been fixed such that if the user/service private vault container does not exist yet it will be created and owned by the user/service instead of the vault creator.
  https://fedorahosted.org/freeipa/ticket/5194
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* vault: Fix param labels in output of vault owner commands
  Jan Cholasta, 2015-08-18, 1 file, -0/+12
  https://fedorahosted.org/freeipa/ticket/5214
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* baseldap: Allow overriding member param label in LDAPModMember
  Jan Cholasta, 2015-08-18, 1 file, -2/+3
  https://fedorahosted.org/freeipa/ticket/5214
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* ipa-backup: archive DNSSEC zone file and kasp.db
  Martin Babinsky, 2015-08-17, 1 file, -0/+2
  https://fedorahosted.org/freeipa/ticket/5159
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* fix typo in BasePathNamespace member pointing to ods exporter config
  Martin Babinsky, 2015-08-17, 3 files, -3/+3
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* winsync-migrate: Expand the man page
  Tomas Babej, 2015-08-17, 1 file, -1/+26
  https://fedorahosted.org/freeipa/ticket/5162
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* winsync-migrate: Add warning about passsync
  Tomas Babej, 2015-08-17, 1 file, -0/+8
  https://fedorahosted.org/freeipa/ticket/5162
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* trusts: Detect missing Samba instance
  Tomas Babej, 2015-08-17, 1 file, -20/+79
  In the event of invocation of trust related commands, IPA server needs to contact the local Samba instance. This is not possible on servers that merely act as AD trust agents, since they do not have a Samba instance running.
  Properly detect the absence of the Samba instance and output a user-friendly message which includes a list of servers that are capable of running the command, if such exist.
  List of commands affected:
  * ipa trust-add
  * ipa trust-fetch-domains
  * all of the trustdomain commands available via CLI
  https://fedorahosted.org/freeipa/ticket/5165
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* trusts: Detect domain clash with IPA domain when adding an AD trust
  Tomas Babej, 2015-08-17, 1 file, -0/+8
  When IPA is deployed in the same domain as AD, trust-add fails since the names of the local domain and trusted domain ranges are the same - it's always DOMAIN.NAME_id_range.
  When adding a trusted domain, we look for previous ranges for this domain (which may have been left behind by previous trust attempts). Since AD and IPA are in the same domain, we find a local domain range, which does not have a SID.
  Detect such domain collisions early and bail out with an appropriate error message.
  https://fedorahosted.org/freeipa/ticket/4549
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Added CLI param and ACL for vault service operations.
  Endi S. Dewata, 2015-08-17, 4 files, -100/+94
  The CLIs to manage vault owners and members have been modified to accept services with a new parameter. A new ACL has been added to allow a service to create its own service container.
  https://fedorahosted.org/freeipa/ticket/5172
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Add permission for bypassing CA ACL enforcement
  Fraser Tweedale, 2015-08-14, 2 files, -3/+25
  Add the "Request Certificate ignoring CA ACLs" permission and associated ACI, initially assigned to "Certificate Administrators" privilege. Update cert-request command to skip CA ACL enforcement when the bind principal has this permission.
  Fixes: https://fedorahosted.org/freeipa/ticket/5099
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* add permission: System: Manage User Certificates
  Petr Vobornik, 2015-08-14, 2 files, -2/+12
  usercertificate attr was moved from "System Modify Users" to this new permission.
  https://fedorahosted.org/freeipa/ticket/5177
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* dbus: Create empty dbus.Array with specified signature
  David Kupka, 2015-08-14, 1 file, -1/+2
  Python DBus binding could fail to guess the type signature from an empty list. This issue was seen but we don't have a reproducer. There is no harm in making sure that it will not happen.
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipa-client-install: warn when IP used in --server
  Stanislav Laznicka, 2015-08-14, 1 file, -0/+19
  ipa-client-install fails when an IP address is passed to ipa-join instead of a FQDN
  https://fedorahosted.org/freeipa/ticket/4932
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Asymmetric vault: validate public key in client
  Christian Heimes, 2015-08-13, 1 file, -0/+13
  The ipa vault commands now load and validate the public key for asymmetric encryption, before sending it to the server. This prevents invalid vaults and prohibits accidental exposure of private key material.
  https://fedorahosted.org/freeipa/ticket/5142
  https://fedorahosted.org/freeipa/ticket/5143
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* ULC: Prevent preserved users from being assigned membership
  Jan Cholasta, 2015-08-13, 1 file, -13/+18
  https://fedorahosted.org/freeipa/ticket/5170
  Reviewed-By: David Kupka <dkupka@redhat.com>
* certprofile: add profile format explanation
  Fraser Tweedale, 2015-08-12, 1 file, -0/+20
  Part of: https://fedorahosted.org/freeipa/ticket/5089
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Use absolute imports
  Petr Viktorin, 2015-08-12, 63 files, -138/+159
  In Python 3, implicit relative imports will not be supported. Use fully-qualified imports everywhere.
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Import 'reduce' from functools
  Petr Viktorin, 2015-08-12, 1 file, -0/+1
  The reduce function is no longer a built-in in Python 3. Importing it from functools works on both py2 and py3.
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Replace dict.has_key with the 'in' operator
  Petr Viktorin, 2015-08-12, 14 files, -55/+56
  The deprecated has_key method will be removed from dicts in Python 3. For custom dict-like classes, has_key() is kept on Python 2, but disabled for Python 3.
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Modernize function and method attribute names
  Petr Viktorin, 2015-08-12, 6 files, -9/+9
  Python 3 uses double-underscored names for internal function attributes. In Python 2.7, these names exist as aliases to the old 'func_*' and 'im_*' names.
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Modernize 'except' clauses
  Petr Viktorin, 2015-08-12, 118 files, -661/+661
  The 'as' syntax works from Python 2 on, and Python 3 will drop the "comma" syntax.
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* install: Fix server and replica install options
  Jan Cholasta, 2015-08-12, 2 files, -74/+17
  https://fedorahosted.org/freeipa/ticket/5184
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* idranges: raise an error when local IPA ID range is being modified
  Martin Babinsky, 2015-08-12, 1 file, -23/+29
  Also show the message about the way UID/GID ranges are managed in FreeIPA in the idrange-mod's help message.
  https://fedorahosted.org/freeipa/ticket/4826
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* validate mutually exclusive options in vault-add
  Petr Vobornik, 2015-08-12, 1 file, -0/+12
  https://fedorahosted.org/freeipa/ticket/5195
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* adjust search so that it works for non-admin users
  Petr Vobornik, 2015-08-12, 5 files, -3/+8
  Non-admin users can now search for:
  - hosts
  - hostgroups
  - netgroups
  - servers
  - services
  (Fixes ACI issue where search returns nothing when user doesn't have read rights for an attribute in search_attributes.)
  https://fedorahosted.org/freeipa/ticket/5167
  Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fix KRB5PrincipalName / UPN SAN comparison
  Fraser Tweedale, 2015-08-11, 1 file, -1/+1
  Depending on how the target principal name is conveyed to the command (i.e. with / without realm), the KRB5PrincipalName / UPN subjectAltName validation could be comparing unequal strings and erroneously rejecting a valid request.
  Normalise both sides of the comparison to ensure that the principal names contain realm information.
  Fixes: https://fedorahosted.org/freeipa/ticket/5191
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Fix default CA ACL added during upgrade
  Fraser Tweedale, 2015-08-11, 1 file, -1/+1
  The upgrade script is adding the default CA ACL with incorrect attributes - usercategory=all instead of servicecategory=all. Fix it to create the correct object.
  Fixes: https://fedorahosted.org/freeipa/ticket/5185
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* adtrust-install: Correctly determine 4.2 FreeIPA servers
  Tomas Babej, 2015-08-11, 1 file, -1/+1
  We need to detect a list of FreeIPA 4.2 (and above) servers, since only there is the required version of SSSD present.
  Since the maximum domain level for 4.2 is 0 (and not 1), we can filter for any value of ipaMaxDomainLevel / ipaMinDomainLevel attributes to generate the list.
  https://fedorahosted.org/freeipa/ticket/5199
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Work around python-nss bug on unrecognised OIDs
  Fraser Tweedale, 2015-08-11, 1 file, -1/+14
  A bug in python-nss causes an error to be thrown when converting an unrecognised OID to a string. If cert-request receives a PKCS #10 CSR with an unknown extension, the error is thrown.
  Work around this error by first checking if the OID is recognised and, if it is not, using a different method to obtain its string representation.
  Once the python-nss bug is fixed, this workaround should be reverted.
  https://bugzilla.redhat.com/show_bug.cgi?id=1246729
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Add profile for DNP3 / IEC 62351-8 certificates
  Fraser Tweedale, 2015-08-11, 4 files, -0/+117
  The DNP3 smart-grid standard uses certificates with the IEC 62351-8 IECUserRoles extension. Add a profile for DNP3 certificates which copies the IECUserRoles extension from the CSR, if present.
  Also update cert-request to accept CSRs containing this extension.
  Fixes: https://fedorahosted.org/freeipa/ticket/4752
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Allow SAN extension for cert-request self-service
  Fraser Tweedale, 2015-08-11, 1 file, -1/+1
  Users cannot self-issue a certificate with a subjectAltName extension (e.g. with rfc822Name altNames). Suppress the cert-request "request certificate with subjectaltname" permission check when the bind principal is the target principal (i.e. cert-request self-service).
  Fixes: https://fedorahosted.org/freeipa/ticket/5190
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Give more info on virtual command access denial
  Fraser Tweedale, 2015-08-11, 1 file, -1/+1
  The current error message upon a virtual command access denial does not give any information about the virtual operation that was prohibited. Add more information to the ACIError message.
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Fix upgrade of sidgen and extdom plugins
  Martin Basti, 2015-08-10, 2 files, -6/+31
  If configuration entries already exist, upgrade will not add them again.
  https://fedorahosted.org/freeipa/ticket/5151
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* webui: add LDAP vs Kerberos behavior description to user auth types
  Petr Vobornik, 2015-08-10, 4 files, -6/+12
  https://fedorahosted.org/freeipa/ticket/4935
  Reviewed-By: David Kupka <dkupka@redhat.com>