IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-16 03:11:57 -06:00
Code Issues Packages Projects Releases Wiki Activity
7,392 Commits 11 Branches 59 Tags 60 MiB
04ea75a7a5
Commit Graph

7392 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Thierry bordaz (tbordaz)
04ea75a7a5 User Life Cycle: create containers and scoping DS plugins 
User Life Cycle is designed http://www.freeipa.org/page/V4/User_Life-Cycle_Management
It manages 3 containers (Staging, Active, Delete). At install/upgrade Delete and Staging
containers needs to be created.
		Active: cn=users,cn=accounts,$SUFFIX
		Delete: cn=deleted users,cn=accounts,cn=provisioning,$SUFFIX
		Stage:  cn=staged users ,cn=accounts,cn=provisioning,$SUFFIX

Plugins scopes:
		krbPrincipalName, krbCanonicalName, ipaUniqueID, uid:
			cn=accounts,SUFFIX
			cn=deleted users,cn=accounts,cn=provisioning,SUFFIX
		DNA:
			cn=accounts,SUFFIX

		Plugins exclude subtree:
		IPA UUID, Referential Integrity, memberOf:
			cn=provisioning,SUFFIX

https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
 2014-08-19 09:48:20 +02:00
Jan Cholasta
359dfe58b9 Convert external CA chain to PKCS#7 before passing it to pkispawn. 
https://fedorahosted.org/freeipa/ticket/4397

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
 2014-08-14 10:06:27 +02:00
Martin Basti
4b5a488249 Tests: host tests with dns 
Test for: https://fedorahosted.org/freeipa/ticket/4164

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
 2014-08-11 16:01:38 +02:00
Martin Basti
ca001814ab Allow to add host if AAAA record exists 
http://fedorahosted.org/freeipa/ticket/4164

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
 2014-08-11 16:01:38 +02:00
Jan Cholasta
6bb240fa2c Fix parsing of long nicknames in certutil -L output. 
https://fedorahosted.org/freeipa/ticket/4453

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
 2014-08-07 15:07:39 +02:00
Tomas Babej
6bb4eea348 ipatests: test_trust: Add test to cover lookup of trusdomains 
Adds an integration tests that checks that all trustdomains are
able to be found by trustdomain-find command right after the
trust has been established.

Also moves some code to allow easier adding common test cases for
both POSIX and non-POSIX test classes.

https://fedorahosted.org/freeipa/ticket/4208

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
 2014-08-07 12:49:47 +02:00
Martin Kosek
7caed6ecfb ipa-adtrust-install does not re-add member in adtrust agents group 
When a CIFS service exists and adtrust agents group does not
have it as a member attribute (for whatever reason), re-running
ipa-adtrust-install does not fix the inconsistency.

Make the installer more robust by being able to fix the inconsistency.

https://fedorahosted.org/freeipa/ticket/4464

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2014-08-07 11:12:04 +02:00
Jan Cholasta
34de95545d Add test for baseldap.entry_to_dict. 
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
 2014-08-04 11:21:32 +02:00
Petr Vobornik
80733bff15 webui-ci: fix reset password check 
After login, CI checks if password needs a reset by checking if
reset password fields are displayed. This check failed since
login facet was removed from DOM after successful auth. Weakening
the selector fixes it.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
 2014-07-31 12:02:58 +02:00
Jan Cholasta
044c5c833a Enable NSS PKIX certificate path discovery and validation for Dogtag. 
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
03b29b4c8e Update external CA cert in Dogtag NSS DB on IPA CA cert renewal. 
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
d27e77adc5 Allow upgrading CA-less to CA-full using ipa-ca-install. 
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
8bbdfff102 Allow adding CA certificates to certificate store in ipa-cacert-manage. 
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
1b8a1e5564 Update CS.cfg on IPA CA certificate chaining change in renew_ca_cert. 
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
18aa3216e0 Allow changing chaining of the IPA CA certificate in ipa-cacert-manage. 
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
f39c6ee544 Add new NSSDatabase method get_cert for getting certs from NSS databases. 
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
987bf3fbf0 Allow multiple CA certificates in replica info files. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
f1e186d7d8 Export full CA chain to /etc/ipa/ca.crt in ipa-server-install. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
60e19b585c Add client certificate update tool ipa-certupdate. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
2b7a7c356c Get up-to-date CA certificates from certificate store in ipa-replica-install. 
Previously it used CA certificate from the replica info file directly.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
55d3bab57b Get CA certs for system-wide store from cert store in ipa-client-install. 
All of the certificates and associated key policy are now stored in
/etc/pki/ca-trust/source/ipa.p11-kit.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
24932b2d91 Add functions for DER encoding certificate extensions to ipalib.x509. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
b5471a9f3e Get CA certs for /etc/pki/nssdb from certificate store in ipa-client-install. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
eaebefe5f6 Allow overriding NSS database path in RPCClient. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
459d6cff4e Get CA certs for /etc/ipa/ca.crt from certificate store in ipa-client-install. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
6870eb909e Add function for writing list of certificates to a PEM file to ipalib.x509. 
Also rename load_certificate_chain_from_file to
load_certificate_list_from_file.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
fd400588d7 Support multiple CA certificates in /etc/ipa/ca.crt in ipa-client-install. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
29f42cbec1 Refactor CA certificate fetching code in ipa-client-install. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
9e223e6fd4 Upload renewed CA cert to certificate store on renewal. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
6f01499419 Import CA certs from certificate store to HTTP NSS database on server install. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
82d682fa64 Import CA certs from certificate store to DS NSS database on replica install. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
88706c5674 Add new add_cert method for adding certificates to NSSDatabase and CertDB. 
Replace all uses of NSSDatabase method add_single_pem_cert with add_cert and
remove add_single_pem_cert.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
feecdb4cdc Rename CertDB method add_cert to import_cert. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
5f29a71bd7 Upload CA chain from DS NSS database to certificate store on server update. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
05212a17a9 Upload CA chain from DS NSS database to certificate store on server install. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
de695e688e Add certificate store module ipalib.certstore. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
239ef955af Add function for extracting extended key usage from certs to ipalib.x509. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
4ae3f815ba Add functions for extracting certificates fields in DER to ipalib.x509. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
586373cf07 Add permissions for certificate store. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
fd80cc1c59 Configure attribute uniqueness for certificate store. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
1c612ad3e1 Add container for certificate store. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
25c10bc161 Add LDAP schema for certificate store. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
61f166da5d Add LDAP schema for wrapped cryptographic keys. 
This is part of the schema at
<http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema>.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
d2bf0b8b54 Fix trust flags in HTTP and DS NSS databases. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
9d4eeeda55 Allow specifying trust flags in NSSDatabase and CertDB method trust_root_cert. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
a8a44c1c71 Remove certificate "External CA cert" from /etc/pki/nssdb on client uninstall. 
This is a no longer used nickname for CA certificate on CA-less server
installs.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
52f72ec058 Do not treat the IPA RA cert as CA cert in DS NSS database. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
1778f0ebc9 Allow IPA master hosts to read and update IPA master information. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
61159b7ff2 Check that renewed certificates coming from LDAP are actually renewed. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
7086183519 Do not use ldapi in certificate renewal scripts. 
This prevents SELinux denials when accessing the ldapi socket.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00