Until incoming trust is validated from AD side, we cannot run any operations
against AD using the trust. Also, Samba currently does not suport verifying
trust against the other party (returns WERR_NOT_SUPPORTED).
This needs to be added to the documentation:
When using 'ipa trust-add ad.domain --trust-secret', one has to manually
validate incoming trust using forest trust properties in AD Domains and
Trusts tool.
Once incoming trust is validated at AD side, use IPA command
'ipa trust-fetch-domains ad.domain' to retrieve topology of the AD forest.
From this point on the trust should be usable.
https://fedorahosted.org/freeipa/ticket/4246
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Trusted domain SID could be obtained through different means. When it is
fetched from the AD DC via LDAP, it needs to be extracted from a default
context and explicitly converted to unicode.
https://fedorahosted.org/freeipa/ticket/4246
Reviewed-By: Martin Kosek <mkosek@redhat.com>
OTP requires to use kerberos FAST channel. Ccache with ticket obtained using ipa.keytab is used as an armor.
https://fedorahosted.org/freeipa/ticket/3369
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
This patch adds option to define which item of which array attribute of specification object will be replaced by a new value.
The difference between combination of $add and $del is that it keeps position of that item in the array.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Boolean object properties can have different default meaning for not defined
value. This patch allows to defined this meaning to `boolean_formatter` by
introduction of `emty_value` property. `boolean_state_evaluator` was modified
to leverage it as well.
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the
directory service for gid/uid<->sid resolution.
Additionally, this patch further reduces number of queries by:
- fast fail on uidNumber=0 which doesn't exist in FreeIPA,
- return fallback group correctly when looking up user primary group as is
done during init,
- checking for group objectclass in case insensitive way
Patch by Jason Woods <devel@jasonwoods.me.uk>
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
https://fedorahosted.org/freeipa/ticket/4234
and
https://bugzilla.redhat.com/show_bug.cgi?id=1073829https://bugzilla.redhat.com/show_bug.cgi?id=1074314
Reviewed-By: Sumit Bose <sbose@redhat.com>
When creating replica from a Dogtag 9 based IPA server, the port 7389
which is required for the installation is never checked by
ipa-replica-conncheck even though it knows that it is being installed
from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by
firewall, installation would stuck with no hint to user.
Make sure that the port configuration parsed from replica info file
is used consistently in the installers.
https://fedorahosted.org/freeipa/ticket/4240
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
When string is not terminated, queries with corrupted base may be sent
to LDAP:
... cn=ipa1.example.com<garbage>,cn=masters...
https://fedorahosted.org/freeipa/ticket/4214
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This makes searching faster if there are many legacy permissions present.
The root entry (which contains all legacy permission ACIs) is only
looked up once.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
LDAPUpdate adds the display-only 'attributelevelrights' attribute,
which doesn't exist in LDAP. Remove it before reverting entry.
https://fedorahosted.org/freeipa/ticket/4212
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When client principal is the same as supplied client entry, don't fetch it
again.
Note that when client principal is not NULL, client entry might be NULL for
cross-realm case, so we need to make sure to not dereference NULL pointer here.
Also fix reverted condition for case when we didn't find the client principal
in the database, preventing a memory leak.
https://fedorahosted.org/freeipa/ticket/4223
Reviewed-By: Sumit Bose <sbose@redhat.com>
Replace the make-testcert command with a module that creates
the certificate when it is first needed.
As a result the tests are more self-contained, and can be run from
a read-only location (such as installed from a system package).
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In cases where logging was already configured by the time
API.bootstrap() was called, saving the argument parser was
mistakenly skipped along with the logging configuration.
Always set the argument parser on the API object.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
If SSH keys have not been generated prior to enrolling the client to the
IPA server, they will not be uploaded to the server, since they're not
present. Clarify this issue in the man pages.
https://fedorahosted.org/freeipa/ticket/4055
Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
RFC 4226 states the following in section 4:
R6 - The algorithm MUST use a strong shared secret. The length of
the shared secret MUST be at least 128 bits. This document
RECOMMENDs a shared secret length of 160 bits.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
We had originally decided to provide defaults on the server side so that they
could be part of a global config for the admin. However, on further reflection,
only certain defaults really make sense given the limitations of Google
Authenticator. Similarly, other defaults may be token specific.
Attempting to handle defaults on the server side also makes both the UI and
the generated documentation unclear.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Using the input environment saved in self._session_env
outside of the config loading meant that methods of
configuration other than environment variables wouldn't
be possible.
Restructure the roles/extra_roles to not depend on _session_env.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3938
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Fixes issue when:
1. 2 dialogs are opened
2. top dialog's close button is focused
3. user presses enter to execute 'close' action
4. dialog is immediately closed (enter key is still pressed)
5. second dialog automatically receives focus (it's top dialog now)
6. user releases the key
7. second dialog reacts to keyup event - which is by default confirmation mixin's confirm event
8. UNDESIRED behavior occurs
Now confirmation mixin remembers which keys were pressed and released and reacts only to those which originated there.
https://fedorahosted.org/freeipa/ticket/4098
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
We attempt to delete the trust that might exist already. If there are not enough
privileges to do so, we wouldn't be able to create trust at the next step and it will fail.
However, failure to create trust will be due to the name collision as we already had
the trust with the same name before. Thus, raise access denied exception here
to properly indicate wrong access level instead of returning NT_STATUS_OBJECT_NAME_COLLISION.
https://fedorahosted.org/freeipa/ticket/4202
Reviewed-By: Martin Kosek <mkosek@redhat.com>
forest trust
Even though we are creating idranges for subdomains only in case
there is algorithmic ID mapping in use, we still need to fetch
list of subdomains for all other cases.
https://fedorahosted.org/freeipa/ticket/4205
Remove a reference to the old deprecated LDAP API invoked by
the usage of trust_add method.
https://fedorahosted.org/freeipa/ticket/4204
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
With --pkey-only only primary key is returned. It makes no sense to check and
replace boolean values then.
https://fedorahosted.org/freeipa/ticket/4196
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Dialog loses focus when the links are clicked making the dialog uncontrollable by keyboard. This patch focuses the link again after expanding/collapsing the error list. Thus keeping the focus in a dialog
https://fedorahosted.org/freeipa/ticket/4097
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
When admin clears authdata flag for the service principal, KDC will pass
NULL client pointer (service proxy) to the DAL driver.
Make sure we bail out correctly.
Reviewed-By: Tomáš Babej <tbabej@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
