Commit Graph

373 Commits

Author SHA1 Message Date
Nathaniel McCallum
7ad9f5d3d5 Prefer TCP connections to UDP in krb5 clients
In general, TCP is a better fit for FreeIPA due to large packet sizes.

However, there is also a specific need for TCP when using OTP. If a UDP
packet is delivered to the server and the server takes longer to process
it than the client timeout (likely), the OTP value will be resent.
Unfortunately, this will cause failures or even lockouts. Switching to
TCP avoids this problem altogether.

https://fedorahosted.org/freeipa/ticket/4725

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-12-08 10:56:06 +01:00
Nathaniel McCallum
9baa93da1c Make token auth and sync windows configurable
This introduces two new CLI commands:
  * otpconfig-show
  * otpconfig-mod

https://fedorahosted.org/freeipa/ticket/4511

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-12-05 13:42:19 +01:00
Petr Viktorin
e57b7b5e87 copy_schema_to_ca: Fallback to old import location for ipaplatform.services
This file is copied to older servers that might not have the ipaplatform
refactoring.
Import from the old location if the new one is not available.

https://fedorahosted.org/freeipa/ticket/4763

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-11-25 09:20:28 +01:00
Martin Basti
a7162e7766 Fix: DNS installer adds invalid zonemgr email
Installer adds zonemgr as relative (and invalid) address.
This fix force installer to use absolute email.

Ticket: https://fedorahosted.org/freeipa/ticket/4707
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-13 10:36:28 +00:00
Martin Basti
ca030a089f DNSSEC: validate forwarders
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
9101cfa60f DNSSEC: opendnssec services
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
eb54814741 DNSSEC: DNS key synchronization daemon
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Martin Basti
9184d9a1bb DNSSEC: schema
Tickets:
https://fedorahosted.org/freeipa/ticket/3801
https://fedorahosted.org/freeipa/ticket/4417

Design:
https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-10-21 12:23:03 +02:00
Alexander Bokovoy
85ce380759 Change ipaOverrideTarget OID to avoid conflict with DNSSEC feature 2014-10-21 10:47:02 +03:00
Martin Basti
c655b7bf76 Remove ipaContainer, ipaOrderedContainer objectclass
https://fedorahosted.org/freeipa/ticket/4646

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-10-20 16:58:16 +02:00
Alexander Bokovoy
bd98ab0356 Support idviews in compat tree
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-10-20 16:47:49 +02:00
Martin Basti
7ad70025eb Make named.conf template platform independent
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00
Martin Basti
97195eb07c Add missing attributes to named.conf
Ticket: https://fedorahosted.org/freeipa/ticket/3801#comment:31
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-10-14 13:55:02 +02:00
Tomas Babej
b9425751b4 idviews: Add Default Trust View as part of adtrustinstall
Add a Default Trust View, which is used by SSSD as default mapping for AD users.

Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
277b762d36 idviews: Add ipaOriginalUid
For slapi-nis plugin, we need to cache the original uid value of the user in the override
object.

Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
16f3786d25 idviews: Add necessary schema for the ID views
Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Petr Viktorin
d61fb40542 Update referential integrity config for DS 1.3.3
Hisorically DS provided defaults for the referential
integrity plugin in nsslapd-pluginArg*:

    nsslapd-pluginarg3: member
    nsslapd-pluginarg4: uniquemember
    nsslapd-pluginarg5: owner
    nsslapd-pluginarg6: seeAlso

In 389-ds 1.3.3, the multi-valued referint-membership-attr
is used instead.

The old way still works, but it requires that the values
are numbered consecutively, so IPA's defaults that started
with 7 were not taken into account.

Convert IPA defaults to use referint-membership-attr.

https://fedorahosted.org/freeipa/ticket/4537

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-12 17:42:08 +02:00
Jan Cholasta
1c612ad3e1 Add container for certificate store.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
25c10bc161 Add LDAP schema for certificate store.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
61f166da5d Add LDAP schema for wrapped cryptographic keys.
This is part of the schema at
<http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema>.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Nathaniel McCallum
d3638438fc Add TOTP watermark support
This prevents the reuse of TOTP tokens by recording the last token
interval that was used. This will be replicated as normal. However,
this patch does not increase the number of writes to the database
in the standard authentication case. This is because it also
eliminates an unnecessary write during authentication. Hence, this
patch should be write-load neutral with the existing code.

Further performance enhancement is desired, but is outside the
scope of this patch.

https://fedorahosted.org/freeipa/ticket/4410

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-07-25 10:41:17 +02:00
Martin Basti
3461be5c78 Fix: Missing ACI for records in 40-dns.update
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-04 12:27:24 +02:00
Martin Basti
3b310d6b4f DNSSEC: Add experimental support for DNSSEC
Ticket: https://fedorahosted.org/freeipa/ticket/4408
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-02 18:41:57 +02:00
Martin Basti
30551a8aa3 Add NSEC3PARAM to zone settings
Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-02 14:54:41 +02:00
Martin Basti
ff7b44e3b0 Remove NSEC3PARAM record
Revert 5b95be802c

Ticket: https://fedorahosted.org/freeipa/ticket/4413
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-02 14:54:41 +02:00
Martin Kosek
21e1e4ac3b Update X-ORIGIN for 4.0
It was decided not to change the OID space for FreeIPA 4.0+ objectclasses.
However, we should still at least properly mark the X-ORIGIN to make
analyzing schema easier.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-01 13:57:06 +02:00
Martin Basti
c655aa2832 Fix ACI in DNS
Added ACI for idnssecinlinesigning, dlvrecord, nsec3paramrecord,
tlsarecord

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-01 12:43:55 +02:00
Martin Basti
12cb31575c DNSSEC: add TLSA record type
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-01 12:37:08 +02:00
Martin Kosek
bd29d3cbbc Fix objectClass casing in LDIF to prevent schema update error
When a new objectclass was defined as "objectclass" and not
"objectClass", it made the schema updater skip some objectclasses.

https://fedorahosted.org/freeipa/ticket/4405

Reviewed-By: Rich Megginson <rmeggins@redhat.com>
2014-06-27 16:29:57 +02:00
Simo Sorce
5c0e7a5fb4 keytab: Add new extended operation to get a keytab.
This new extended operation allow to create new keys or retrieve
existing ones. The new set of keys is returned as a ASN.1 structure
similar to the one that is passed in by the 'set keytab' extended
operation.

Access to the operation is regulated through a new special ACI that
allows 'retrieval' only if the user has access to an attribute named
ipaProtectedOperation postfixed by the subtypes 'read_keys' and
'write_keys' to distinguish between creation and retrieval operation.

For example for allowing retrieval by a specific user the following ACI
is set on cn=accounts:

(targetattr="ipaProtectedOperation;read_keys") ...
 ... userattr=ipaAllowedToPerform;read_keys#USERDN)

This ACI matches only if the service object hosts a new attribute named
ipaAllowedToPerform that holds the DN of the user attempting the
operation.

Resolves:
https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-06-26 10:30:53 +02:00
Tomas Babej
b1275c5b1c sudorule: Enforce category ALL checks on dirsrv level
https://fedorahosted.org/freeipa/ticket/4341

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:51 +02:00
Tomas Babej
3a56b155e8 sudorule: Make sure sudoRunAsGroup is dereferencing the correct attribute
Makes sure we dereference the correct attribute. Also adds object class
checking.

https://fedorahosted.org/freeipa/ticket/4324

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:50 +02:00
Tomas Babej
9304b649a3 sudorule: Allow using external groups as groups of runAsUsers
Adds a new attribute ipaSudoRunAsExtUserGroup and corresponding hooks
sudorule plugin.

https://fedorahosted.org/freeipa/ticket/4263

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:49 +02:00
Tomas Babej
a228d7a3cb sudorule: Allow using hostmasks for setting allowed hosts
Adds a new --hostmasks option to sudorule-add-host and sudorule-remove-host
commands, which allows setting a range of hosts specified by a hostmask.

https://fedorahosted.org/freeipa/ticket/4274

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-25 20:14:49 +02:00
Petr Viktorin
439dd7fa74 Convert Service default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:41 +02:00
Petr Viktorin
820a60420d Convert Role default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
f881f06364 Convert the Modify privilege membership permission to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
0c4d13e136 Convert Netgroup default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
978af07dd5 Convert Hostgroup default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
af366278b8 Convert Group default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
afac09b8f3 Convert Automount default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 13:53:40 +02:00
Petr Viktorin
8a5110305f Convert Host default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 12:44:32 +02:00
Petr Viktorin
f486d23ad6 Allow anonymous read access to virtual operation entries
These entries are the same in all IPA installations, so there's
no need to hide them.

Also remove the ipaVirtualOperation objectclass, since it is
no longer needed.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-20 22:18:43 +02:00
Martin Basti
7cdc4178b0 DNSSEC: DLVRecord type added
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 16:46:02 +02:00
Martin Basti
5b95be802c DNSSEC: added NSEC3PARAM record type
Ticket: https://fedorahosted.org/freeipa/ticket/4328
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 15:41:40 +02:00
Martin Basti
49068ade92 Separate master and forward DNS zones
Forward zones are stored in idnsforwadzone objectclasses.

design: http://www.freeipa.org/page/V4/Forward_zones

Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-06-20 13:14:45 +02:00
Petr Viktorin
853b6ef4ce Convert DNS default permissions to managed
Convert the existing default permissions.

The Read permission is split between Read DNS Entries and Read
DNS Configuration.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:50 +02:00
Tomas Babej
49fcd42f8f ipaplatform: Change service code in freeipa to use ipaplatform services
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Nathaniel McCallum
98851256f9 Add support for managedBy to tokens
This also constitutes a rethinking of the token ACIs after the introduction
of SELFDN support.

Admins, as before, have full access to all token permissions.

Normal users have read/search/compare access to all of the non-secret data
for tokens assigned to them, whether managed by them or not. Users can add
tokens if, and only if, they will also manage this token.

Managers can also read/search/compare tokens they manage. Additionally,
they can write non-secret data to their managed tokens and delete them.

When a normal user self-creates a token (the default behavior), then
managedBy is automatically set. When an admin creates a token for another
user (or no owner is assigned at all), then managed by is not set. In this
second case, the token is effectively read-only for the assigned owner.

This behavior enables two important other behaviors. First, an admin can
create a hardware token and assign it to the user as a read-only token.
Second, when the user is deleted, only his self-managed tokens are deleted.
All other (read-only) tokens are instead orphaned. This permits the same
token object to be reasigned to another user without loss of any counter
data.

https://fedorahosted.org/freeipa/ticket/4228
https://fedorahosted.org/freeipa/ticket/4259

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-16 10:13:59 +02:00
Petr Viktorin
53a63ae346 Convert User default permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-10 13:55:56 +02:00