IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
7,421 Commits 11 Branches 60 Tags 60 MiB
451c2e2bc4
Commit Graph

7421 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Jan Cholasta
24932b2d91 Add functions for DER encoding certificate extensions to ipalib.x509. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
b5471a9f3e Get CA certs for /etc/pki/nssdb from certificate store in ipa-client-install. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
eaebefe5f6 Allow overriding NSS database path in RPCClient. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
459d6cff4e Get CA certs for /etc/ipa/ca.crt from certificate store in ipa-client-install. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
6870eb909e Add function for writing list of certificates to a PEM file to ipalib.x509. 
Also rename load_certificate_chain_from_file to
load_certificate_list_from_file.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
fd400588d7 Support multiple CA certificates in /etc/ipa/ca.crt in ipa-client-install. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
29f42cbec1 Refactor CA certificate fetching code in ipa-client-install. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
9e223e6fd4 Upload renewed CA cert to certificate store on renewal. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
6f01499419 Import CA certs from certificate store to HTTP NSS database on server install. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
82d682fa64 Import CA certs from certificate store to DS NSS database on replica install. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
88706c5674 Add new add_cert method for adding certificates to NSSDatabase and CertDB. 
Replace all uses of NSSDatabase method add_single_pem_cert with add_cert and
remove add_single_pem_cert.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
feecdb4cdc Rename CertDB method add_cert to import_cert. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
5f29a71bd7 Upload CA chain from DS NSS database to certificate store on server update. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
05212a17a9 Upload CA chain from DS NSS database to certificate store on server install. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
de695e688e Add certificate store module ipalib.certstore. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
239ef955af Add function for extracting extended key usage from certs to ipalib.x509. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
4ae3f815ba Add functions for extracting certificates fields in DER to ipalib.x509. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
586373cf07 Add permissions for certificate store. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
fd80cc1c59 Configure attribute uniqueness for certificate store. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
1c612ad3e1 Add container for certificate store. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
25c10bc161 Add LDAP schema for certificate store. 
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
61f166da5d Add LDAP schema for wrapped cryptographic keys. 
This is part of the schema at
<http://www.freeipa.org/page/V4/PKCS11_in_LDAP/Schema>.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
d2bf0b8b54 Fix trust flags in HTTP and DS NSS databases. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
9d4eeeda55 Allow specifying trust flags in NSSDatabase and CertDB method trust_root_cert. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
a8a44c1c71 Remove certificate "External CA cert" from /etc/pki/nssdb on client uninstall. 
This is a no longer used nickname for CA certificate on CA-less server
installs.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
52f72ec058 Do not treat the IPA RA cert as CA cert in DS NSS database. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
1778f0ebc9 Allow IPA master hosts to read and update IPA master information. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
61159b7ff2 Check that renewed certificates coming from LDAP are actually renewed. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
7086183519 Do not use ldapi in certificate renewal scripts. 
This prevents SELinux denials when accessing the ldapi socket.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
e16d2623ae Remove master ACIs when deleting a replica. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
d1386be4d5 Pick new CA renewal master when deleting a replica. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
baa665fe40 Load sysupgrade.state on demand. 
This prevents SELinux denials when the sysupgrade module is imported in a
confined process.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
031096324d Alert user when externally signed CA is about to expire. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
ba3c7b4a89 Add CA certificate management tool ipa-cacert-manage. 
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
2870db7913 Add permissions for CA certificate renewal. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
031b281921 Add method for verifying CA certificates to NSSDatabase. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
2c43a3d0d5 Move external cert validation from ipa-server-install to installutils. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
2109d6611b Provide additional functions to ipapython.certmonger. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
9e188574a5 Add method for setting CA renewal master in LDAP to CAInstance. 
Allow checking and setting CA renewal master for non-local CA instances.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
2f6990c256 Track CA certificate using dogtag-ipa-ca-renew-agent. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
9393c3978e Automatically update CA certificate in LDAP on renewal. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
73d8db6d92 Allow IPA master hosts to update CA certificate in LDAP. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
35857026e6 Support CA certificate renewal in dogtag-ipa-ca-renew-agent. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Jan Cholasta
ee96533aab Add function for checking if certificate is self-signed to ipalib.x509. 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2014-07-30 16:04:21 +02:00
Petr Viktorin
410da23aec test_ipagetkeytab: Fix assertion in negative test 
The ipagetkeytab command recently changed its failure output
to accomodate pre-4.0 servers.
Update the test to reflect this.

Related: https://fedorahosted.org/freeipa/ticket/4446
Reviewed-By: Martin Kosek <mkosek@redhat.com>
 2014-07-30 11:02:23 +02:00
Martin Kosek
aa0639284c Do not crash client basedn discovery when SSF not met 
ipa-client-install runs anonymous search in non-rootdse space which
may raise UNWILLING_TO_PERFORM error. This case was only covered for
BIND, but not for the actual LDAP queries.

https://fedorahosted.org/freeipa/ticket/4459

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
 2014-07-29 17:48:05 +02:00
David Kupka
724391a71b Verify otptoken timespan is valid 
When creating or modifying otptoken check that token validity start is not after
validity end.

https://fedorahosted.org/freeipa/ticket/4244

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
 2014-07-29 17:09:29 +02:00
David Kupka
f7e00b9ad6 test group: remove group from protected group. 
Related to https://fedorahosted.org/freeipa/ticket/4448

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
 2014-07-29 17:07:11 +02:00
David Kupka
6119c21441 Fix group-remove-member crash when group is removed from a protected group 
https://fedorahosted.org/freeipa/ticket/4448

Reviewed-By: Martin Kosek <mkosek@redhat.com>
 2014-07-29 13:10:51 +02:00
Jan Cholasta
785e13dd1e Exclude attributelevelrights from --raw result processing in baseldap. 
https://fedorahosted.org/freeipa/ticket/4371

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
 2014-07-29 12:00:13 +02:00