The otptoken plugin is the only module in FreeIPA that uses Python's ssl
module instead of NSS. The patch replaces ssl with NSSConnection. It
uses the default NSS database to lookup trust anchors. NSSConnection
uses NSS for hostname matching. The package
python-backports-ssl_match_hostname is no longer required.
https://fedorahosted.org/freeipa/ticket/5068
Reviewed-By: Martin Basti <mbasti@redhat.com>
The certprofile-import plugin expects a raw Dogtag config file. The XML
format is not supported. --help gives a hint about the correct file format.
https://fedorahosted.org/freeipa/ticket/5089
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Even with anchor to sid type checking, it would be still
possible to delete a user ID override by specifying a group
raw anchor and vice versa.
This patch introduces a objectclass check in idoverride*-del
commands to prevent that.
https://fedorahosted.org/freeipa/ticket/5029
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When converting the ID override anchor from AD SID representation to
the object name, we need to properly restrict the type of the object
that is being resolved.
The same restriction applies for the opposite direction, when
converting the object name to it's SID.
https://fedorahosted.org/freeipa/ticket/5029
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The patch fixes incorrect construction of search filter when using `ipa
user-find` with '--manager' option.
https://fedorahosted.org/freeipa/ticket/5146
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Currently, the code wrongly validates the idview-unapply command. Move
check for the forbidden application of the Default Trust View into
the correct logical branch.
https://fedorahosted.org/freeipa/ticket/4969
Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
These records never worked, they dont have attributes in schema.
TSIG and TKEY are meta-RR should not be in LDAP
TA is not supported by BIND
NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be
in LDAP.
*! SIG, NSEC are already defined in schema, must stay in API.
* Add HINFO, MINFO, MD, NXT records to API as unsupported records
These records are already defined in LDAP schema
* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records
These records were defined in IPA API as unsupported, but schema definition was
missing. This causes that ACI cannot be created for these records
and dnszone-find failed. (#5055)
https://fedorahosted.org/freeipa/ticket/4934https://fedorahosted.org/freeipa/ticket/5055
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to esablishing the trust.
This prevents creation of a failing setup, as trusts would not work
properly in this case.
https://fedorahosted.org/freeipa/ticket/4799
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
<ame> -> <name>
overriden -> overridden
ablity -> ability
enties -> entries
the the -> the
https://fedorahosted.org/freeipa/ticket/5109
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Adding priviledge to a permission via webUI allowed to avoid check and to add permission
with improper type.
https://fedorahosted.org/freeipa/ticket/5075
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove nonexistent attribute 'hostmembergroup' that is not in ACI nor schema.
Related to https://fedorahosted.org/freeipa/ticket/5130
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
hbacrule has it default attributes (which are used in search) attribute
'memberhostgroup'. This attr is not in ACI nor in schema. If the search
contains an attribute which can't be read then the search won't return
anything.
Therefore all searches with filter set fail.
https://fedorahosted.org/freeipa/ticket/5130
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fixes regression caused by cd3ca94ff2.
Which caused:
* client installation failure (missing memcache)
* invalid warning in CLI on server
https://fedorahosted.org/freeipa/ticket/5133
Reviewed-By: Tomas Babej <tbabej@redhat.com>
If activate user already exists, show name of this user in error message
instead of user DN.
Error message reworder to keep the same format as stageuser-add,
user-add.
https://fedorahosted.org/freeipa/ticket/5038
Reviewed-By: David Kupka <dkupka@redhat.com>
Python 3 doesn't support tuple unpacking in except clauses. All implicit
tuple unpackings have been replaced with explicit unpacking of e.args.
https://fedorahosted.org/freeipa/ticket/5120
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This reverts commit 62e8002bc4.
Hiding of the topology and domainlevel features was necessary
for the 4.2 branch only.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
New certificate widget which replaced certificate status widget.
It can display multiple certs. Drawback is that it cannot display
if the certificate was revoked. Web UI does not have the information.
part of: https://fedorahosted.org/freeipa/ticket/5045
Reviewed-By: Martin Basti <mbasti@redhat.com>
Certificate request action and dialog now supports 'profile_id',
'add' and 'principal' options. 'add' and 'principal' are disaplayed
only if certificate is added from certificate search facet.
Certificate search facet allows to add a certificate.
User details facet allows to add a certificate.
part of
https://fedorahosted.org/freeipa/ticket/5046
Reviewed-By: Martin Basti <mbasti@redhat.com>
API refactoring caused that session_logout command was not registered.
Commands in ipalib/plugins directory are automatically registered.
Reviewed-By: Martin Basti <mbasti@redhat.com>
cert-request currently does not enforce caacls for principals
included in the subjectAltName requestExtension. Enforce for any
dNSName values recognised as hosts/services known to FreeIPA.
Fixes: https://fedorahosted.org/freeipa/ticket/5096
Reviewed-By: David Kupka <dkupka@redhat.com>
The _acl_make_request function is using the 'host/' prefix itself
instead of the hostname after it. Use split_any_principal to do the
splitting correctly, also taking realm into account.
Reviewed-By: David Kupka <dkupka@redhat.com>
This reverts commit ea7f392bb9.
The option can be either set in IPA config file or specified as
'ipa -e skip_version_check=1 [COMMAND]'.
https://fedorahosted.org/freeipa/ticket/4768
Reviewed-By: Martin Basti <mbasti@redhat.com>
New LDAP ACIs have been added to allow vault owners to manage the
vaults and to allow members to access the vaults. New CLIs have
been added to manage the owner and member list. The LDAP schema
has been updated as well.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
One-way trust is the default now, use 'trust add --two-way ' to
force bidirectional trust
https://fedorahosted.org/freeipa/ticket/4959
In case of one-way trust we cannot authenticate using cross-realm TGT
against an AD DC. We have to use trusted domain object from within AD
domain and access to this object is limited to avoid compromising the whole
trust configuration.
Instead, IPA framework can call out to oddjob daemon and ask it to
run the script which can have access to the TDO object. This script
(com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal
to retrieve TDO object credentials from IPA LDAP if needed and then
authenticate against AD DCs using the TDO object credentials.
The script pulls the trust topology out of AD DCs and updates IPA LDAP
store. Then IPA framework can pick the updated data from the IPA LDAP
under normal access conditions.
Part of https://fedorahosted.org/freeipa/ticket/4546
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This can be either set in IPA config file or specified as
'ipa --skip-version-check [COMMAND]'.
part of https://fedorahosted.org/freeipa/ticket/4768
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add the `--file=FILENAME' option to `certprofile-mod' which, when
given, will update the profile configuration in Dogtag to the
contents of the file.
Fixes: https://fedorahosted.org/freeipa/ticket/5093
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add the `--out=FILENAME' option to `certprofile-show'. When given,
it exports the profile configuration from Dogtag and writes it to
the named file.
Fixes: https://fedorahosted.org/freeipa/ticket/5091
Reviewed-By: Martin Basti <mbasti@redhat.com>
* Hide topology and domainlevel commands in the CLI
* Hide topology and domainlevel in the WebUI
* Set maximum allowed domain level to 0
* Do not configure and enable the topology plugin
https://fedorahosted.org/freeipa/ticket/5097
Reviewed-By: Martin Basti <mbasti@redhat.com>
A new attribute ipaVaultPublicKey has been added to replace the
existing ipaPublicKey used to store the vault public key.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The vault plugin has been modified to support symmetric and asymmetric
vaults to provide additional security over the standard vault by
encrypting the data before it's sent to the server. The encryption
functionality is implemented using the python-cryptography library.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
added to commands: doc, proper args, NO_CLI
added to options: default_from, cli_name, cli_short_name and others
https://fedorahosted.org/freeipa/ticket/3129
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
A new group of commands is introduced that simplifies adding and removing
binary certificates to entries. A general form of the command is
ipa [user/host/service]-[add/remove]-cert [pkey] --certificate=[BASE64 BLOB]
Part of http://www.freeipa.org/page/V4/User_Certificates and
https://fedorahosted.org/freeipa/ticket/4238
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Validation of certificate is now handled by `x509.validate_certificate'.
Revocation of the host and service certificates was factored out to a separate
function.
Part of http://www.freeipa.org/page/V4/User_Certificates
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This patch extends the API framework with a set of classes which add/remove
values to a single LDAPObject attribute.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
