With the new ipa_server_mode SSSD is able to read user and group data
from trusted AD domains directly and makes this data available via the
NSS responder. With this mode enabled winbind is not needed anymore to
lookup users and groups of trusted domains.
This patch removed the calls to winbind from the extdom plugin and
replaces them with standard POSIX calls like getpwnam() and calls from
libsss_nss_idmap to lookup SIDs.
Fixes https://fedorahosted.org/freeipa/ticket/3637 because now the
extdom plugin does not need to handle idranges anymore, but everything
is done inside SSSD.
For a proper SASL bind with GSSAPI against an AD LDAP server a PAC is
needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
of a trusted domain with the credentials of a FreeIPA server host a
PAC must be added to the TGT for the host.
We use the well know RID of the Domain Computers group (515) for the
primary gid element of the PAC, this is the same as AD uses for host
tickets. The rid element of the PAC is set to the well know RID of the
Domain Controllers group (516). This is working for the SSSD use case
but might be improved later for more general use cases.
To determine if a host is a FreeIPA server or not it is checked if there
is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
this requires an additional LDAP lookup. But since TGS-REQs for hosts
should be rare I think it is acceptable for the time being.
Fixes https://fedorahosted.org/freeipa/ticket/3651
The referint plugin does a substring search on these attributes each time an
entry is deleted, which causes a noticable slowdown for large directories if
the attributes are not indexed.
https://fedorahosted.org/freeipa/ticket/3706
Add a new API command 'adtrust_is_enabled', which can be used to determine
whether ipa-adtrust-install has been run on the system. This new command is not
visible in IPA CLI.
Use this command in idrange_add to conditionally require rid-base and
secondary-rid-base options.
Add tests to cover the new functionality
https://fedorahosted.org/freeipa/ticket/3634
Logging tracebacks at the INFO level caused them to be displayed to user on the
command line. Change the log level to DEBUG, so that tracebacks are not visible
to user.
https://fedorahosted.org/freeipa/ticket/3704
When adding a trust, if an id range already exists for this trust,
and options --base-id/--range-size are provided with the trust-add command,
trust-add should fail.
https://fedorahosted.org/freeipa/ticket/3635
Improve handling of command line options related to forced client re-enrollment
in ipa-client-install:
* Make --keytab and --principal options mutually exclusive.
* Warn that using --force-join together with --keytab provides no additional
functionality.
https://fedorahosted.org/freeipa/ticket/3686
Hardcoded values for range parameters such as base RID or range
size could be the reason the tests produced incorrect results,
as the ranges could get in conflict with already existing ranges
on the server.
Patch dynamically chooses ID and RID range space at the end of
all ranges already present on the server.
https://fedorahosted.org/freeipa/ticket/3662
The plugin hooks into the Nose runner and IPA's logging infrastructure
and calls the appropriate BeakerLib functions (rl*).
IPA's log_manager is extended to accept custom Handler classes.
The ipa-run-tests helper now loads the plugin.
Patr of the work for: https://fedorahosted.org/freeipa/ticket/3621
There is a JS error.
Rule tables with external member has more than one column and therefore exclude parameter for adder dialog is not array of strings but array of objects. normalize_values function can't work with it and causes JS error.
This patch creates proper exclude array before passing it to adder dialog.
https://fedorahosted.org/freeipa/ticket/3711
sys.stdout is buffered by default if redirected to a file.
This may causes automated installation to appear hung.
Flush the stream so that messages are written immediately.
Following values of ipaRangeType attribute are supported
and translated accordingly in the idrange commands:
'ipa-local': 'local domain range'
'ipa-ad-winsync': 'Active Directory winsync range'
'ipa-ad-trust': 'Active Directory domain range'
'ipa-ad-trust-posix': 'Active Directory trust range with
POSIX attributes'
'ipa-ipa-trust': 'IPA trust range'
Part of https://fedorahosted.org/freeipa/ticket/3647
Previously, we deduced the range type from the range objectclass
and filled in virtual attribute in post_callback phase.
Having a ipaRangeType attributeType in schema, we need to fill
the attribute values to ranges created in previous IPA versions.
The plugin follows the same approach, setting ipa-local or
ipa-ad-trust value to the ipaRangeType attribute according
to the objectclass of the range.
Part of https://fedorahosted.org/freeipa/ticket/3647
This adds a new LDAP attribute ipaRangeType with
OID 2.16.840.1.113730.3.8.11.41 to the LDAP Schema.
ObjectClass ipaIDrange has been altered to require
ipaRangeType attribute.
Part of https://fedorahosted.org/freeipa/ticket/3647
Adds a new simple service called OtpdInstance, that manages
ipa-otpd.socket service. Added to server/replica installer
and ipa-upgradeconfig script.
https://fedorahosted.org/freeipa/ticket/3680
