Commit Graph

2753 Commits

Author SHA1 Message Date
Martin Basti
2427b2c242 Remove ico files from Makefile
Icons were removed in a4be844809 but still
persist in Makefile. This patch fixes Makefile.

https://fedorahosted.org/freeipa/ticket/823

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-27 16:19:49 +02:00
Petr Vobornik
a4be844809 webui: add Kerberos configuration instructions for Chrome
* IE section moved at the end
* Chrome section added
* FF and IE icons removed

https://fedorahosted.org/freeipa/ticket/823

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-27 13:50:49 +02:00
Martin Basti
5ea41abe98 DNS: Consolidate DNS RR types in API and schema
* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
    These records never worked, they dont have attributes in schema.
    TSIG and TKEY are meta-RR should not be in LDAP
    TA is not supported by BIND
    NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be
    in LDAP.
    *! SIG, NSEC are already defined in schema, must stay in API.

* Add HINFO, MINFO, MD, NXT records to API as unsupported records
    These records are already defined in LDAP schema

* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records
    These records were defined in IPA API as unsupported, but schema definition was
    missing. This causes that ACI cannot be created for these records
    and dnszone-find failed. (#5055)

https://fedorahosted.org/freeipa/ticket/4934
https://fedorahosted.org/freeipa/ticket/5055

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-21 17:18:29 +02:00
Martin Basti
82aaa1e6d0 Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand
--force option set replica-certify-all to 'no' during abort-clean-ruv
subcommand

https://fedorahosted.org/freeipa/ticket/4988

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-07-17 16:47:18 +02:00
Yuri Chornoivan
75fde43491 Fix minor typos
<ame> -> <name>
overriden -> overridden
ablity -> ability
enties -> entries
the the -> the

https://fedorahosted.org/freeipa/ticket/5109

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2015-07-17 14:33:30 +02:00
David Kupka
e5d179b5b9 migration: Use api.env variables.
Use api.env.basedn instead of anonymously accessing LDAP to get base DN.
Use api.env.basedn instead of searching filesystem for ldapi socket.

https://fedorahosted.org/freeipa/ticket/4953

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-17 10:30:42 +02:00
Petr Vobornik
9083c528f7 webui: fix user reset password dialog
Could not open user password dialog.

regression introduced in ed78dcfa3a

https://fedorahosted.org/freeipa/ticket/5131

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-16 15:28:38 +02:00
Alexander Bokovoy
c6a1bd591e oddjob: avoid chown keytab to sssd if sssd user does not exist
If sssd user does not exist, it means SSSD does not run as sssd user.

Currently SSSD has too tight check for keytab permissions and ownership.
It assumes the keytab has to be owned by the same user it runs under
and has to have 0600 permissions. ipa-getkeytab creates the file with
right permissions and 'root:root' ownership.

Jakub Hrozek promised to enhance SSSD keytab permissions check so that
both sssd:sssd and root:root ownership is possible and then when SSSD
switches to 'sssd' user, the former becomes the default. Since right now
SSSD 1.13 is capable to run as 'sssd' user but doesn't create 'sssd'
user in Fedora 22 / RHEL 7 environments, we can use its presence as a
version trigger.

https://fedorahosted.org/freeipa/ticket/5136

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-16 13:41:08 +02:00
Martin Basti
8bc0e9693b copy-schema-to-ca: allow to overwrite schema files
If content of source and target file differs, the script will ask user
for permission to overwrite target file.

https://fedorahosted.org/freeipa/ticket/5034

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-15 07:11:21 +00:00
Tomas Babej
5106421961 Revert "Hide topology and domainlevel features"
This reverts commit 62e8002bc4.

Hiding of the topology and domainlevel features was necessary
for the 4.2 branch only.

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-07-10 15:26:50 +02:00
Petr Vobornik
0b943f3ce9 webui: remove cert manipulation actions from host and service
Remove
* cert_view
* cert_get
* cert_revoke
* cert_restore

These actions require serial number which is not provided to Web UI if
multiple certificates are present.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-09 10:58:40 +02:00
Petr Vobornik
cf8b56cc75 webui: show multiple cert
New certificate widget which replaced certificate status widget.

It can display multiple certs. Drawback is that it cannot display
if the certificate was revoked. Web UI does not have the information.

part of: https://fedorahosted.org/freeipa/ticket/5045

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-09 10:58:40 +02:00
Petr Vobornik
7c481b1e90 webui: cert-request improvements
Certificate request action and dialog now supports 'profile_id',
'add' and 'principal' options. 'add' and 'principal' are disaplayed
only if certificate is added from certificate search facet.

Certificate search facet allows to add a certificate.

User details facet allows to add a certificate.

part of
https://fedorahosted.org/freeipa/ticket/5046

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-09 10:58:40 +02:00
Tomas Babej
9c5df3cf76 upgrade: Enable and start oddjobd if adtrust is available
If ipa-adtrust-install has already been run on the system,
enable and start the oddjobd service.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-08 17:14:56 +02:00
Petr Vobornik
f13cce2d9c webui: hide facet tab in certificate details facet
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 17:12:29 +02:00
Petr Vobornik
927391125c webui: caacl
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 17:12:29 +02:00
Petr Vobornik
a3727387ee webui: certificate profiles
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 17:12:29 +02:00
Endi S. Dewata
bf6df3df9b Added vault access control.
New LDAP ACIs have been added to allow vault owners to manage the
vaults and to allow members to access the vaults. New CLIs have
been added to manage the owner and member list. The LDAP schema
has been updated as well.

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-08 06:30:23 +00:00
Alexander Bokovoy
2dd5b46d25 trust: support retrieving POSIX IDs with one-way trust during trust-add
With one-way trust we cannot rely on cross-realm TGT as there will be none.
Thus, if we have AD administrator credentials we should reuse them.
Additionally, such use should be done over Kerberos.

Fixes:
 https://fedorahosted.org/freeipa/ticket/4960
 https://fedorahosted.org/freeipa/ticket/4959

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
5025204175 trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
Part of https://fedorahosted.org/freeipa/ticket/4959

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
d5aa1ee04e trusts: add support for one-way trust and switch to it by default
One-way trust is the default now, use 'trust add --two-way ' to
force bidirectional trust

https://fedorahosted.org/freeipa/ticket/4959

In case of one-way trust we cannot authenticate using cross-realm TGT
against an AD DC. We have to use trusted domain object from within AD
domain and access to this object is limited to avoid compromising the whole
trust configuration.

Instead, IPA framework can call out to oddjob daemon and ask it to
run the script which can have access to the TDO object. This script
(com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal
to retrieve TDO object credentials from IPA LDAP if needed and then
authenticate against AD DCs using the TDO object credentials.

The script pulls the trust topology out of AD DCs and updates IPA LDAP
store. Then IPA framework can pick the updated data from the IPA LDAP
under normal access conditions.

Part of https://fedorahosted.org/freeipa/ticket/4546

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
14992a07fc ipa-adtrust-install: allow configuring of trust agents
Trust agents are IPA master without Samba which can serve
information about users from trusted forests. Such IPA masters
cannot be used to configure trust but they can resolve AD users and groups
for IPA clients enrolled to them.

Since support from both FreeIPA and SSSD is needed to enable
trust agent support, we currently only consider those IPA masters
which have been upgraded to FreeIPA 4.2 or later.

Part of https://fedorahosted.org/freeipa/ticket/4951

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Martin Basti
1d9bdb2409 Fix regression: ipa-dns-install will add CA records if required
https://fedorahosted.org/freeipa/ticket/5101

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 00:32:05 +02:00
Tomas Babej
62e8002bc4 Hide topology and domainlevel features
* Hide topology and domainlevel commands in the CLI
* Hide topology and domainlevel in the WebUI
* Set maximum allowed domain level to 0
* Do not configure and enable the topology plugin

https://fedorahosted.org/freeipa/ticket/5097

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 00:09:09 +02:00
Christian Heimes
25d1afdc54 Improve error handling in ipa-httpd-kdcproxy
The pre start script 'ipa-httpd-kdcproxy' for httpd.service now handles
connection and authentication errors more gracefully. If the script is
not able to conenct to LDAP, it only prints a warning and exits with
status code 0. All other errors are still reported as fatal error and
result in a non-zero exit code.

This fixes a problem with offline RPM updates. A restart of Apache no
longer fails when LDAP is not running.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-07 16:31:04 +02:00
Tomas Babej
12b053df30 l10n: Update translation strings
* Generate new l10n strings
* Include newly created python implicit files
* Merges already translated strings from Zanata

https://fedorahosted.org/freeipa/ticket/4832

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-07 12:07:15 +02:00
Endi S. Dewata
475ade4bec Added ipaVaultPublicKey attribute.
A new attribute ipaVaultPublicKey has been added to replace the
existing ipaPublicKey used to store the vault public key.

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-07 07:44:56 +00:00
Endi S. Dewata
fc5c614950 Added symmetric and asymmetric vaults.
The vault plugin has been modified to support symmetric and asymmetric
vaults to provide additional security over the standard vault by
encrypting the data before it's sent to the server. The encryption
functionality is implemented using the python-cryptography library.

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-07 07:44:56 +00:00
Petr Spacek
8ee975b276 DNSSEC: Detect attempt to install & disable master at the same time.
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-07 08:37:15 +02:00
Martin Basti
2e4e8d759d DNSSEC: update message
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-07 08:37:15 +02:00
Martin Basti
e151492560 DNSSEC: allow to disable/replace DNSSEC key master
This commit allows to replace or disable DNSSEC key master

Replacing DNSSEC master requires to copy kasp.db file manually by user

ipa-dns-install:
--disable-dnssec-master  DNSSEC master will be disabled
--dnssec-master --kasp-db=FILE  This configure new DNSSEC master server,  kasp.db from old server is required for sucessful replacement
--force Skip checks

https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-07 08:37:15 +02:00
Petr Vobornik
b258bcee83 webui: add mangedby tab to otptoken
Added managedby_user tab to manage users who can manage the token.

https://fedorahosted.org/freeipa/ticket/5003

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-07 05:51:28 +02:00
Petr Vobornik
2a976334c2 webui: API browser
First part of API browser - displaying metadata in more consumable way.

https://fedorahosted.org/freeipa/ticket/3129

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-03 10:42:16 +02:00
Petr Vobornik
392809f984 webui: menu and navigation fixes
fixes:

1. When navigation is initiated from clicking and a link with hash, update
of facet state causes that subsequent click on a link with hash will be
ignored. Caused by a code which prevents infinite loop because of facet
state update. Now hash update is done only if it was really changed.

2. registered correct handler for standalone pages

3. fix selection of menu item where the items differ only in args. Chooses
the item with the most similar state to current facet.

https://fedorahosted.org/freeipa/ticket/3129

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-03 10:42:16 +02:00
Petr Vobornik
8d8aa60dbd webui: fix webui specific metadata
Mark all Web UI specific metadata so they could be filtered out
in the API Browser.

Fix cert name.

https://fedorahosted.org/freeipa/ticket/3129

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-03 10:42:16 +02:00
Petr Vobornik
114f11fe5a webui: ListViewWidget
A widget for rendering a list of groups of items. Intended to be
used in sidebar. Plan is to serve also as a base for FacetGroupsWidget.

https://fedorahosted.org/freeipa/ticket/3129

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-03 10:42:16 +02:00
Petr Vobornik
2b8e1caa7b topologysegment: hide direction and enable options
These options should not be touched by users yet.

https://fedorahosted.org/freeipa/ticket/5061

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-03 08:47:23 +02:00
Petr Vobornik
fa4954c35d ipa-replica-manage del: add timeout to segment removal check
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-03 08:47:23 +02:00
Petr Vobornik
6be7d41ba1 ipa-replica-manage del: relax segment deletement check if topology is disconnected
https://fedorahosted.org/freeipa/ticket/5072

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-03 08:47:23 +02:00
Tomas Babej
199358112e man: Add manpage for ipa-winsync-migrate
https://fedorahosted.org/freeipa/ticket/4524

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-02 13:23:21 +02:00
Tomas Babej
f8d1458fda winsync-migrate: Include the tool parts in Makefile and friends
https://fedorahosted.org/freeipa/ticket/4524

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-02 13:23:21 +02:00
Tomas Babej
19d62e9aa4 winsync-migrate: Move the tool under ipaserver.install package
https://fedorahosted.org/freeipa/ticket/4524

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-02 13:23:21 +02:00
Tomas Babej
e9a3b99717 winsync-migrate: Rename to tool to achive consistency with other tools
https://fedorahosted.org/freeipa/ticket/4524

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-02 13:23:21 +02:00
Tomas Babej
0cb87fc31a winsync-migrate: Add initial plumbing
https://fedorahosted.org/freeipa/ticket/4524

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-02 13:23:21 +02:00
Jan Cholasta
e39fe4ed31 plugable: Pass API to plugins on initialization rather than using set_api
https://fedorahosted.org/freeipa/ticket/3090

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-01 13:05:30 +00:00
Jan Cholasta
fe2accf776 ipalib: Load ipaserver plugins when api.env.in_server is True
https://fedorahosted.org/freeipa/ticket/3090
https://fedorahosted.org/freeipa/ticket/5073

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-01 13:05:30 +00:00
Petr Vobornik
659b88b820 topology: check topology in ipa-replica-manage del
ipa-replica-manage del now:
- checks the whole current topology(before deletion), reports issues
- simulates deletion of server and checks the topology again, reports issues

Asks admin if he wants to continue with the deletion if any errors are found.

https://fedorahosted.org/freeipa/ticket/4302

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-29 17:11:08 +02:00
Rob Crittenden
ce50630d5e Add ACI to allow hosts to add their own services
Use wildcards and DN matching in an ACI to allow a host
that binds using GSSAPI to add a service for itself.

Set required version of 389-ds-base to 1.3.4.0 GA.

https://fedorahosted.org/freeipa/ticket/4567

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-29 13:41:52 +02:00
Martin Basti
16f47ed452 Fix indicies ntUserDomainId, ntUniqueId
ntUserDomainId and ntUniqueId  contained "eq,pres" index value, which is
not valid.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-29 13:40:29 +02:00
Christian Heimes
495da412f1 Provide Kerberos over HTTP (MS-KKDCP)
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
  dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
  cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
  present.
- The installers and update create a new Apache config file
  /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
  /KdcProxy. The app is run inside its own WSGI daemon group with
  a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
  /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used. SetEnv from Apache config does
  not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
  ipa-ldap-updater. No CLI script is offered yet.

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-06-24 10:43:58 +02:00