Jan Cholasta
de695e688e
Add certificate store module ipalib.certstore.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
239ef955af
Add function for extracting extended key usage from certs to ipalib.x509.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
4ae3f815ba
Add functions for extracting certificates fields in DER to ipalib.x509.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
586373cf07
Add permissions for certificate store.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
fd80cc1c59
Configure attribute uniqueness for certificate store.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
1c612ad3e1
Add container for certificate store.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
25c10bc161
Add LDAP schema for certificate store.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
61f166da5d
Add LDAP schema for wrapped cryptographic keys.
This is part of the schema at
<http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema>.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
d2bf0b8b54
Fix trust flags in HTTP and DS NSS databases.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
9d4eeeda55
Allow specifying trust flags in NSSDatabase and CertDB method trust_root_cert.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
a8a44c1c71
Remove certificate "External CA cert" from /etc/pki/nssdb on client uninstall.
This is a no longer used nickname for the CA certificate on CA-less server
installs.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
52f72ec058
Do not treat the IPA RA cert as CA cert in DS NSS database.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
1778f0ebc9
Allow IPA master hosts to read and update IPA master information.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
61159b7ff2
Check that renewed certificates coming from LDAP are actually renewed.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
7086183519
Do not use ldapi in certificate renewal scripts.
This prevents SELinux denials when accessing the ldapi socket.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
e16d2623ae
Remove master ACIs when deleting a replica.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
d1386be4d5
Pick new CA renewal master when deleting a replica.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
baa665fe40
Load sysupgrade.state on demand.
This prevents SELinux denials when the sysupgrade module is imported in a
confined process.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
031096324d
Alert user when externally signed CA is about to expire.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
ba3c7b4a89
Add CA certificate management tool ipa-cacert-manage.
Part of https://fedorahosted.org/freeipa/ticket/3737
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
2870db7913
Add permissions for CA certificate renewal.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
031b281921
Add method for verifying CA certificates to NSSDatabase.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
2c43a3d0d5
Move external cert validation from ipa-server-install to installutils.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
2109d6611b
Provide additional functions to ipapython.certmonger.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
9e188574a5
Add method for setting CA renewal master in LDAP to CAInstance.
Allow checking and setting CA renewal master for non-local CA instances.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
2f6990c256
Track CA certificate using dogtag-ipa-ca-renew-agent.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
9393c3978e
Automatically update CA certificate in LDAP on renewal.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
73d8db6d92
Allow IPA master hosts to update CA certificate in LDAP.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
35857026e6
Support CA certificate renewal in dogtag-ipa-ca-renew-agent.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
ee96533aab
Add function for checking if certificate is self-signed to ipalib.x509.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Petr Viktorin
410da23aec
test_ipagetkeytab: Fix assertion in negative test
The ipagetkeytab command recently changed its failure output
to accommodate pre-4.0 servers.
Update the test to reflect this.
Related: https://fedorahosted.org/freeipa/ticket/4446
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-07-30 11:02:23 +02:00
Martin Kosek
aa0639284c
Do not crash client basedn discovery when SSF not met
ipa-client-install runs anonymous search in non-rootdse space which
may raise UNWILLING_TO_PERFORM error. This case was only covered for
BIND, but not for the actual LDAP queries.
https://fedorahosted.org/freeipa/ticket/4459
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-29 17:48:05 +02:00
David Kupka
724391a71b
Verify otptoken timespan is valid
When creating or modifying an otptoken, check that the token validity start is
not after the validity end.
https://fedorahosted.org/freeipa/ticket/4244
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-07-29 17:09:29 +02:00
David Kupka
f7e00b9ad6
test group: remove group from protected group.
Related to https://fedorahosted.org/freeipa/ticket/4448
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-29 17:07:11 +02:00
David Kupka
6119c21441
Fix group-remove-member crash when group is removed from a protected group
https://fedorahosted.org/freeipa/ticket/4448
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-07-29 13:10:51 +02:00
Jan Cholasta
785e13dd1e
Exclude attributelevelrights from --raw result processing in baseldap.
https://fedorahosted.org/freeipa/ticket/4371
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-29 12:00:13 +02:00
Jan Cholasta
1313537736
Check if /root/ipa.csr exists when installing server with external CA.
Remove the file on uninstall.
https://fedorahosted.org/freeipa/ticket/4303
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-28 19:28:27 +02:00
Martin Basti
42d035f64c
FIX: named_enable_dnssec should verify if DNS is installed
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-28 17:42:38 +02:00
Martin Basti
00309f8e42
Fix DNS upgrade plugin should check if DNS container exists
Fortunately this causes no error, because dnszone-find doesn't raise an
exception if there is no DNS container.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-28 17:42:38 +02:00
Petr Viktorin
ab5edd0e45
Update API.txt
Additional fix for https://fedorahosted.org/freeipa/ticket/4323
2014-07-28 15:21:55 +02:00
Tomas Babej
e74307caa6
ipalib: idrange: Make non-implemented range types fail the validation
The ipa-ipa-trust and ipa-ad-winsync ID Range types were allowed to
pass the validation tests; however, they are neither implemented nor
checked by the 389 server plugin.
https://fedorahosted.org/freeipa/ticket/4323
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-07-28 12:18:23 +02:00
Petr Vobornik
8288135b5b
webui: add bounce url to reset_password.html
reset_password.html now redirects the browser to the URL specified in the
'redirect' URI component (if present).
The component has to be URI encoded, i.e. (in browser console):
$ encodeURIComponent('http://pvoborni.fedorapeople.org/doc/#!/guide/Debugging')
-->
"http%3A%2F%2Fpvoborni.fedorapeople.org%2Fdoc%2F%23!%2Fguide%2FDebugging"
-->
https://my.freeipa.server/ipa/ui/reset_password.html?redirect=http%3A%2F%2Fpvoborni.fedorapeople.org%2Fdoc%2F%23!%2Fguide%2FDebugging
https://fedorahosted.org/freeipa/ticket/4440
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-07-28 10:36:08 +02:00
Petr Vobornik
ac7df79a43
webui: remove remaining action-button-disabled occurrences
Buttons in hbactest check for 'action-button-disabled' but it's never set.
https://fedorahosted.org/freeipa/ticket/4258
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-07-28 10:24:21 +02:00
Petr Vobornik
3966417779
webui: replace action_buttons with action_widget
Simplify code base by reuse of 'disable' feature of button_widget. All
occurrences of action-button which were disabled/enabled were replaced
by button-widget.
https://fedorahosted.org/freeipa/ticket/4258
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-07-28 10:24:21 +02:00
Petr Vobornik
9aed114d82
webui: detach facet nodes
Detach/attach facet nodes when switching facets instead of
hiding/showing.
Keeps the DOM tree simpler.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-07-28 10:21:37 +02:00
Petr Vobornik
fb975bba20
webui: internet explorer fixes
Fixed:
1. IE doesn't support the value 'initial' in CSS rules.
2. Setting innerHTML='' also destroys the content of child nodes in
LoginScreen in IE -> reattached buttons have no text.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-07-28 10:20:15 +02:00
Petr Vobornik
4059aa12a4
webui: fix nested items creation in dropdown list
Items nested in other items were created in root list instead of nested list.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-07-28 10:18:44 +02:00
Petr Vobornik
855c59c7fc
webui: support wildcard attribute level rights
Reproduction:
* add 'extensibleObject' object class to target object
https://fedorahosted.org/freeipa/ticket/4380
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-07-28 10:13:24 +02:00
Petr Vobornik
c475c093c9
baseldap: return 'none' attr level right as unicode string
Returning non-unicode causes serialization into base64, which causes havoc
in the Web UI.
https://fedorahosted.org/freeipa/ticket/4454
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-07-25 13:27:33 +02:00
Nathaniel McCallum
d3638438fc
Add TOTP watermark support
This prevents the reuse of TOTP tokens by recording the last token
interval that was used. This will be replicated as normal. However,
this patch does not increase the number of writes to the database
in the standard authentication case. This is because it also
eliminates an unnecessary write during authentication. Hence, this
patch should be write-load neutral with the existing code.
Further performance enhancement is desired, but is outside the
scope of this patch.
https://fedorahosted.org/freeipa/ticket/4410
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-07-25 10:41:17 +02:00