summaryrefslogtreecommitdiffstats
path: root/install/oddjob/etc
Commit message (Collapse)AuthorAgeFilesLines
* Add a new user to run the framework codeSimo Sorce2017-02-154-4/+4
| | | | | | | | | | | | | | | | | Add the apache user the ipawebui group. Make the ccaches directory owned by the ipawebui group and make mod_auth_gssapi write the ccache files as r/w by the apache user and the ipawebui group. Fix tmpfiles creation ownership and permissions to allow the user to access ccaches files. The webui framework now works as a separate user than apache, so the certs used to access the dogtag instance need to be usable by this new user as well. Both apache and the webui user are in the ipawebui group, so use that. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* replica promotion: fix AVC denials in remote connection checkJan Cholasta2016-02-111-1/+1
| | | | | | | | Also move com.redhat.idm.trust-fetch-domains to /usr/libexec/ipa/oddjob. https://fedorahosted.org/freeipa/ticket/5550 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replica install: add remote connection check over APIJan Cholasta2015-12-112-0/+41
| | | | | | | | | | Add server_conncheck command which calls ipa-replica-conncheck --replica over oddjob. https://fedorahosted.org/freeipa/ticket/5497 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Tomas Babej <tbabej@redhat.com>
* trusts: add support for one-way trust and switch to it by defaultAlexander Bokovoy2015-07-082-0/+61
One-way trust is the default now, use 'trust add --two-way ' to force bidirectional trust https://fedorahosted.org/freeipa/ticket/4959 In case of one-way trust we cannot authenticate using cross-realm TGT against an AD DC. We have to use trusted domain object from within AD domain and access to this object is limited to avoid compromising the whole trust configuration. Instead, IPA framework can call out to oddjob daemon and ask it to run the script which can have access to the TDO object. This script (com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal to retrieve TDO object credentials from IPA LDAP if needed and then authenticate against AD DCs using the TDO object credentials. The script pulls the trust topology out of AD DCs and updates IPA LDAP store. Then IPA framework can pick the updated data from the IPA LDAP under normal access conditions. Part of https://fedorahosted.org/freeipa/ticket/4546 Reviewed-By: Tomas Babej <tbabej@redhat.com>
generated by cgit (git 2.34.1) at 2026-01-07 18:02:10 +0000