Commit Graph

387 Commits

Author SHA1 Message Date
Jan Cholasta
9b0fa8debf Add subscription-manager dependency for RHEL.
ticket 1664
2011-08-23 00:27:30 -04:00
Martin Kosek
99e7b0c355 Update pki-ca version
Bump minimal pki-ca version in spec file to get fix for ipa
cert-request command.

https://fedorahosted.org/freeipa/ticket/1578
2011-08-12 08:52:23 +02:00
Martin Kosek
e2c8b9eee4 Update 389-ds-base version
Bump minimal 389-ds-base version in spec file to get in recent
Directory Server bug fixes.

https://fedorahosted.org/freeipa/ticket/1513
https://fedorahosted.org/freeipa/ticket/1525
https://fedorahosted.org/freeipa/ticket/1552
2011-08-11 22:08:05 +00:00
Martin Kosek
a1c690cc02 Fix client enrollment
Enable GSSAPI credentials delegation in xmlrpc-c/curl to fix client
enrollment. The unconditional GSSAPI was previously dropped from
curl because of CVE-2011-2192.

https://fedorahosted.org/freeipa/ticket/1452
2011-08-11 22:07:16 +00:00
Endi S. Dewata
bd2f4173b0 Fixed missing icons.
The Makefile.am and the spec file have been fixed to include all
icons in the install/ui folder.

Ticket #1559
2011-08-02 22:56:58 -04:00
Rob Crittenden
25d861dc01 Fix date order in changelog. 2011-07-28 18:53:25 -04:00
Alexander Bokovoy
dd296eec13 Add hbactest command. https://fedorahosted.org/freeipa/ticket/386
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.

Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.

 Test user coming from source host to a service on a named host against
 existing enabled rules.

 ipa hbactest --user= --srchost= --host= --service=
              [--rules=rules-list] [--nodetail] [--enabled] [--disabled]

 --user, --srchost, --host, and --service are mandatory, others are optional.

 If --rules is specified simulate enabling of the specified rules and test
 the login of the user using only these rules.

 If --enabled is specified, all enabled HBAC rules will be added to simulation

 If --disabled is specified, all disabled HBAC rules will be added to simulation

 If --nodetail is specified, do not return information about rules matched/not matched.

 If both --rules and --enabled are specified, apply simulation to --rules _and_
 all IPA enabled rules.

 If no --rules specified, simulation is run against all IPA enabled rules.

EXAMPLES:

    1. Use all enabled HBAC rules in IPA database to simulate:
    $ ipa  hbactest --user=a1a --srchost=foo --host=bar --service=ssh
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    2. Disable detailed summary of how rules were applied:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
    --------------------
    Access granted: True
    --------------------

    3. Test explicitly specified HBAC rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: myrule

    4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    5. Test all disabled HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: new-rule

    6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule

    7. Test all (enabled and disabled) HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      notmatched: new-rule
      matched: allow_all

Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.

Specifying them through --rules option explicitly enables them only in
simulation run.

Specifying non-existing rules will not grant access and report non-existing
rules in output.
2011-07-28 18:01:44 -04:00
Rob Crittenden
44b3521fad Set minimum version of pki-ca to 9.0.10 to pick up new ipa cert profile
The caIPAserviceCert.cfg was updated to set the client cert flag on
server certs we issue.

https://fedorahosted.org/freeipa/ticket/1434
2011-07-29 11:18:49 +02:00
Rob Crittenden
3fe36a63b6 Add an arch-specific Requires on cyrus-sasl-gssapi
If you had a 64-bit system and installed a 32-bit version of IPA then
ipa-getkeytab probably wouldn't work because yum wouldn't know to pull
in the 32-bit version of cyrus-sasl-gssapi.

https://fedorahosted.org/freeipa/ticket/1499
2011-07-24 19:58:03 -04:00
Endi S. Dewata
4ff959f55d Removed custom layouts using HTML templates.
The code for supporting custom layouts using HTML templates has been
removed. If it's needed again in the future the code can be restored.

Ticket #1501
2011-07-21 11:47:57 -04:00
Jan Cholasta
95901bbdb5 Update minimum required version of python-netaddr.
ticket 1288
2011-07-17 22:44:21 -04:00
Rob Crittenden
3fdca99c48 Create tool to manage dogtag replication agreements
For the most part the existing replication code worked with the
following exceptions:

- Added more port options
- It assumed that initial connections were done to an SSL port. Added
  ability to use startTLS
- It assumed that the name of the agreement was the same on both sides.
  In dogtag one is marked as master and one as clone. A new option is
  added, master, the determines which side we're working on or None
  if it isn't a dogtag agreement.
- Don't set the attribute exclude list on dogtag agreements
- dogtag doesn't set a schedule by default (which is actually recommended
  by 389-ds). This causes problems when doing a force-sync though so
  if one is done we set a schedule to run all the time. Otherwise the
  temporary schedule can't be removed (LDAP operations error).

https://fedorahosted.org/freeipa/ticket/1250
2011-07-17 22:16:32 -04:00
Adam Young
e4a444ba81 HBAC deny warning
shows dialog if there are any HBAC deny rules.  Dialog provides option to navigate to the HBAC page.  Deny rules have their rule type value show up in red.

Only shows up fro administrators, not for self service users.

https://fedorahosted.org/freeipa/ticket/1421
2011-07-06 21:52:00 +00:00
Rob Crittenden
8a32bb3746 Make dogtag an optional (and default un-) installed component in a replica.
A dogtag replica file is created as usual. When the replica is installed
dogtag is optional and not installed by default. Adding the --setup-ca
option will configure it when the replica is installed.

A new tool ipa-ca-install will configure dogtag if it wasn't configured
when the replica was initially installed.

This moves a fair bit of code out of ipa-replica-install into
installutils and cainstance to avoid duplication.

https://fedorahosted.org/freeipa/ticket/1251
2011-06-23 19:04:33 -04:00
Martin Kosek
f2df2a6954 Multi-process build problems
Fix a problem when a target missed a version-update requirement.
This caused build problems, especially in a parallel build
environment.

https://fedorahosted.org/freeipa/ticket/1215
2011-06-19 20:28:51 -04:00
Endi S. Dewata
b22a41ead5 Fixed build break.
The Makefile.am freeipa.spec.in have been updated according to the
recent file changes.
2011-06-15 15:56:39 +00:00
Martin Kosek
241ee334de Connection check program for replica installation
When connection between a master machine and future replica is not
sane, the replica installation may fail unexpectedly with
inconvenient error messages. One common problem is misconfigured
firewall.

This patch adds a program ipa-replica-conncheck which tests the
connection using the following procedure:

1) Execute the on-replica check testing the connection to master
2) Open required ports on local machine
3) Ask user to run the on-master part of the check OR run it
   automatically:
     a) kinit to master as default admin user with given password
     b) run the on-master part using ssh
4) When master part is executed, it checks connection back to
   the replica and prints the check result

This program is run by ipa-replica-install as mandatory part. It
can, however, be skipped using --skip-conncheck option.
ipa-replica-install now requires password for admin user to run
the command on remote master.

https://fedorahosted.org/freeipa/ticket/1107
2011-06-08 09:29:52 +02:00
Jan Cholasta
80b4b3d44b Parse netmasks in IP addresses passed to server install.
ticket 1212
2011-05-30 13:36:26 +02:00
Rob Crittenden
55f9836cb6 Update min nvr for selinux-policy and pki-ca for F-15+
Done with conditionals so still installable on F-14.

ticket 1200
2011-05-13 12:56:32 -04:00
Martin Kosek
e64c1995d4 Update spec with missing BuildRequires for pylint check
https://fedorahosted.org/freeipa/ticket/1203
2011-05-05 16:23:24 +02:00
Rob Crittenden
cc87bc3f28 Bump version to 2.0.90 to distinguish between 2.0.x 2011-05-03 10:51:36 -04:00
Rob Crittenden
b9a2c11d6f Fix ORDERING in some attributetypes and remove other unnecessary elements.
Looking at the schema in 60basev2.ldif there were many attributes that did
not have an ORDERING matching rule specified correctly. There were also a
number of attributeTypes that should have been just SUP
distinguishedName that had a combination of SUP, SYNTAX, ORDERING, etc.

This requires 389-ds-base-1.2.8.0-1+

ticket 1153
2011-04-05 21:46:32 -04:00
Rob Crittenden
ca5332951c Automatically update IPA LDAP on rpm upgrades
Re-enable ldapi code in ipa-ldap-updater and remove the searchbase
restriction when run in --upgrade mode. This allows us to autobind
giving root Directory Manager powers.

This also:
 * corrects the ipa-ldap-updater man page
 * remove automatic --realm, --server, --domain options
 * handle upgrade errors properly
 * saves a copy of dse.ldif before we change it so it can be recovered
 * fixes an error discovered by pylint

ticket 1087
2011-03-21 13:23:53 -04:00
Rob Crittenden
388c9a1705 Add man page for the IPA configuration file
ticket 969
2011-02-23 11:56:31 -05:00
Rob Crittenden
854c740065 Move some BuildRequires so building with ONLY_CLIENT works.
ticket 978
2011-02-22 09:05:57 -05:00
Jakub Hrozek
2e25b2ed27 Make nsslib IPv6 aware 2011-02-21 14:52:25 -05:00
Simo Sorce
eab4e36ee5 Try to register DNS name through a DNS Update on install.
Fixes: https://fedorahosted.org/freeipa/ticket/935
2011-02-17 19:43:52 -05:00
Rob Crittenden
f2ed8de028 Move tools that are really only applicable to be run on the server
This moves a bunch of tools that only make sense to run on the actual
server from the admintools subpackage to the server subpackage.

ticket 947
2011-02-14 10:22:28 -05:00
Rob Crittenden
a880396de9 Add pyOpenSSL as a BuildRequires 2011-02-11 09:35:38 -05:00
Rob Crittenden
f34c0ab916 Set minimum version of sssd to 1.5.1
ticket 926
2011-02-10 13:51:35 -05:00
Jan Cholasta
8c1647af2e Remove unnecessary BuildRequires from the specfile. 2011-02-10 13:47:45 -05:00
Rob Crittenden
d30592ed6d Update minimum version of 389-ds-base, mod_nss and selinux-policy.
* Set min version of 389-ds-base to 1.2.8
* Set min version of mod_nss 1.0.8-10
* Set min version of selinux-policy to 3.9.7-27
2011-02-03 10:35:05 -05:00
Rob Crittenden
275998f6bd Add support for tracking and counting entitlements
Adds a plugin, entitle, to register to the entitlement server, consume
entitlements and to count and track them. It is also possible to
import an entitlement certificate (if for example the remote entitlement
server is unaviailable).

This uses the candlepin server from https://fedorahosted.org/candlepin/wiki
for entitlements.

Add a cron job to validate the entitlement status and syslog the results.

tickets 28, 79, 278
2011-02-02 10:00:38 -05:00
Rob Crittenden
878aa9ee1f Apply changes discovered in Fedora package review process (#672986)
Ticket 804
2011-01-27 17:09:19 -05:00
Simo Sorce
0eda5918f0 Add requires for the pki
First part of: https://fedorahosted.org/freeipa/ticket/855
2011-01-27 09:36:09 -05:00
Adam Young
fd1e78d2b2 error handling style
modifying the directories so they find the assets in the right locations
2011-01-25 16:47:09 -05:00
Jan Zeleny
24a582304f Rename package to freeipa
https://fedorahosted.org/freeipa/ticket/581
2011-01-25 14:18:18 -05:00