The vault-add command has been fixed such that if the user/service
private vault container does not exist yet it will be created and
owned by the user/service instead of the vault creator.
https://fedorahosted.org/freeipa/ticket/5194
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
In the event of invocation of trust related commands, IPA server needs to
contact local Samba instance. This is not possible on servers that
merely act as AD trust agents, since they do not have Samba instance
running.
Properly detect the absence of the Samba instance and output a
user-friendly message which includes a list of servers that are
capable of running the command, if such exist.
List of commands affected:
* ipa trust-add
* ipa trust-fetch-domains
* all of the trustdomain commands available via CLI
https://fedorahosted.org/freeipa/ticket/5165
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When IPA is deployed in the same domain as AD, trust-add fails since
the names of the local domain and trusted domain ranges are the same
- it's always DOMAIN.NAME_id_range.
When adding a trusted domain, we look for previous ranges for
this domain (which may have been left behind by previous trust
attempts). Since AD and IPA are in the same domain, we find
a local domain range, which does not have a SID.
Detect such domain collisions early and bail out with an appropriate
error message.
https://fedorahosted.org/freeipa/ticket/4549
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The CLIs to manage vault owners and members have been modified
to accept services with a new parameter.
A new ACL has been added to allow a service to create its own
service container.
https://fedorahosted.org/freeipa/ticket/5172
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add the "Request Certificate ignoring CA ACLs" permission and
associated ACI, initially assigned to "Certificate Administrators"
privilege.
Update cert-request command to skip CA ACL enforcement when the bind
principal has this permission.
Fixes: https://fedorahosted.org/freeipa/ticket/5099
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
usercertificate attr was moved from "System Modify Users" to this
new permission.
https://fedorahosted.org/freeipa/ticket/5177
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The reduce function is no longer a built-in in Python 3.
Importing it from functools works on both py2 and py3.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The deprecated has_key method will be removed from dicts in Python 3.
For custom dict-like classes, has_key() is kept on Python 2,
but disabled for Python 3.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Python 3 uses double-underscored names for internal function attributes.
In Python 2.7, these names exist as aliases to the old 'func_*' and
'im_*' names.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
also show the message about the way UID/GID ranges are managed in FreeIPA in
the idrange-mod's help message
https://fedorahosted.org/freeipa/ticket/4826
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Non-admin user can now search for:
- hosts
- hostgroups
- netgroups
- servers
- services
(Fixes ACI issue where search returns nothing when user doesn't have
read rights for an attribute in search_attributes.)
https://fedorahosted.org/freeipa/ticket/5167
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Depending on how the target principal name is conveyed to the
command (i.e. with / without realm), the KRB5PrincipalName / UPN
subjectAltName validation could be comparing unequal strings and
erroneously rejecting a valid request.
Normalise both sides of the comparison to ensure that the principal
names contain realm information.
Fixes: https://fedorahosted.org/freeipa/ticket/5191
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
A bug in python-nss causes an error to be thrown when converting an
unrecognised OID to a string. If cert-request receives a PKCS #10
CSR with an unknown extension, the error is thrown.
Work around this error by first checking if the OID is recognised
and, if it is not, using a different method to obtain its string
representation.
Once the python-nss bug is fixed, this workaround should be
reverted. https://bugzilla.redhat.com/show_bug.cgi?id=1246729
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The DNP3 smart-grid standard uses certificates with the IEC 62351-8
IECUserRoles extension. Add a profile for DNP3 certificates which
copies the IECUserRoles extension from the CSR, if present.
Also update cert-request to accept CSRs containing this extension.
Fixes: https://fedorahosted.org/freeipa/ticket/4752
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Users cannot self-issue a certificate with a subjectAltName
extension (e.g. with rfc822Name altNames). Suppress the
cert-request "request certificate with subjectaltname" permission
check when the bind principal is the target principal (i.e.
cert-request self-service).
Fixes: https://fedorahosted.org/freeipa/ticket/5190
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The current error message upon a virtual command access denial does
not give any information about the virtual operation that was
prohibited. Add more information to the ACIError message.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
kerberos library doesn't support Python 3 and probably never will.
python-gssapi library is Python 3 compatible.
https://fedorahosted.org/freeipa/ticket/5147
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
This patch forces the user management CLI command to store certificates as
userCertificate;binary attribute. The code to retrieve user information was
modified to enable outputting of userCertificate;binary attribute to the
command line.
The modification also fixes https://fedorahosted.org/freeipa/ticket/5173
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add the --out option to user-show, bringing it into line with
host-show and service-show with the ability to save the user's
certificate(s) to a file.
https://fedorahosted.org/freeipa/ticket/5171
Reviewed-By: Martin Basti <mbasti@redhat.com>
certprofile-import no longer requires profileId in profile data. Instead
the profile ID from the command line is taken and added to the profile
data internally.
If profileId is set in the profile, then it still has to match the CLI
option.
https://fedorahosted.org/freeipa/ticket/5090
Reviewed-By: Martin Basti <mbasti@redhat.com>
A user can pass file names for password, public and private key files to
the vault plugin. The plugin attempts to read from these files. If any
file can't be, an internal error was raised. The patch wraps all reads
and turns any IOError and UnicodeError into a ValidationError.
https://fedorahosted.org/freeipa/ticket/5155
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use Python-3 compatible syntax, without breaking compatibility with py 2.7
- Octal literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
strict type checking, e.g. type(0).
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Nonexistent method was used to move deleted user to staged area.
Minor fixes added:
* handle not found error
* return new DN
https://fedorahosted.org/freeipa/ticket/5145
Reviewed-By: David Kupka <dkupka@redhat.com>
Since bind rule such as `(userdn = "ldap:///anyone")` is also a valid
statement, the ipalib ACI parser was updated to handle this case.
https://fedorahosted.org/freeipa/ticket/5037
Reviewed-By: Martin Basti <mbasti@redhat.com>
The otptoken plugin is the only module in FreeIPA that uses Python's ssl
module instead of NSS. The patch replaces ssl with NSSConnection. It
uses the default NSS database to lookup trust anchors. NSSConnection
uses NSS for hostname matching. The package
python-backports-ssl_match_hostname is no longer required.
https://fedorahosted.org/freeipa/ticket/5068
Reviewed-By: Martin Basti <mbasti@redhat.com>
The certprofile-import plugin expects a raw Dogtag config file. The XML
format is not supported. --help gives a hint about the correct file format.
https://fedorahosted.org/freeipa/ticket/5089
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Even with anchor to sid type checking, it would be still
possible to delete a user ID override by specifying a group
raw anchor and vice versa.
This patch introduces an objectclass check in idoverride*-del
commands to prevent that.
https://fedorahosted.org/freeipa/ticket/5029
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When converting the ID override anchor from AD SID representation to
the object name, we need to properly restrict the type of the object
that is being resolved.
The same restriction applies for the opposite direction, when
converting the object name to its SID.
https://fedorahosted.org/freeipa/ticket/5029
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The patch fixes incorrect construction of search filter when using `ipa
user-find` with '--manager' option.
https://fedorahosted.org/freeipa/ticket/5146
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Currently, the code wrongly validates the idview-unapply command. Move
check for the forbidden application of the Default Trust View into
the correct logical branch.
https://fedorahosted.org/freeipa/ticket/4969
Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
These records never worked, they don't have attributes in schema.
TSIG and TKEY are meta-RR should not be in LDAP
TA is not supported by BIND
NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be
in LDAP.
*! SIG, NSEC are already defined in schema, must stay in API.
* Add HINFO, MINFO, MD, NXT records to API as unsupported records
These records are already defined in LDAP schema
* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records
These records were defined in IPA API as unsupported, but schema definition was
missing. This causes that ACI cannot be created for these records
and dnszone-find failed. (#5055)
https://fedorahosted.org/freeipa/ticket/4934
https://fedorahosted.org/freeipa/ticket/5055
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to establishing the trust.
This prevents creation of a failing setup, as trusts would not work
properly in this case.
https://fedorahosted.org/freeipa/ticket/4799
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
<ame> -> <name>
overriden -> overridden
ablity -> ability
enties -> entries
the the -> the
https://fedorahosted.org/freeipa/ticket/5109
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Adding privilege to a permission via webUI allowed to avoid check and to add permission
with improper type.
https://fedorahosted.org/freeipa/ticket/5075
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove nonexistent attribute 'hostmembergroup' that is not in ACI nor schema.
Related to https://fedorahosted.org/freeipa/ticket/5130
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
hbacrule has in its default attributes (which are used in search) the attribute
'memberhostgroup'. This attr is not in ACI nor in schema. If the search
contains an attribute which can't be read then the search won't return
anything.
Therefore all searches with filter set fail.
https://fedorahosted.org/freeipa/ticket/5130
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fixes regression caused by cd3ca94ff2.
Which caused:
* client installation failure (missing memcache)
* invalid warning in CLI on server
https://fedorahosted.org/freeipa/ticket/5133
Reviewed-By: Tomas Babej <tbabej@redhat.com>
If activate user already exists, show name of this user in error message
instead of user DN.
Error message reworded to keep the same format as stageuser-add,
user-add.
https://fedorahosted.org/freeipa/ticket/5038
Reviewed-By: David Kupka <dkupka@redhat.com>
Python 3 doesn't support tuple unpacking in except clauses. All implicit
tuple unpackings have been replaced with explicit unpacking of e.args.
https://fedorahosted.org/freeipa/ticket/5120
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This reverts commit 62e8002bc4.
Hiding of the topology and domainlevel features was necessary
for the 4.2 branch only.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
New certificate widget which replaced certificate status widget.
It can display multiple certs. Drawback is that it cannot display
if the certificate was revoked. Web UI does not have the information.
part of: https://fedorahosted.org/freeipa/ticket/5045
Reviewed-By: Martin Basti <mbasti@redhat.com>
Certificate request action and dialog now supports 'profile_id',
'add' and 'principal' options. 'add' and 'principal' are displayed
only if certificate is added from certificate search facet.
Certificate search facet allows to add a certificate.
User details facet allows to add a certificate.
part of
https://fedorahosted.org/freeipa/ticket/5046
Reviewed-By: Martin Basti <mbasti@redhat.com>
API refactoring caused that session_logout command was not registered.
Commands in ipalib/plugins directory are automatically registered.
Reviewed-By: Martin Basti <mbasti@redhat.com>
cert-request currently does not enforce caacls for principals
included in the subjectAltName requestExtension. Enforce for any
dNSName values recognised as hosts/services known to FreeIPA.
Fixes: https://fedorahosted.org/freeipa/ticket/5096
Reviewed-By: David Kupka <dkupka@redhat.com>
The _acl_make_request function is using the 'host/' prefix itself
instead of the hostname after it. Use split_any_principal to do the
splitting correctly, also taking realm into account.
Reviewed-By: David Kupka <dkupka@redhat.com>
This reverts commit ea7f392bb9.
The option can be either set in IPA config file or specified as
'ipa -e skip_version_check=1 [COMMAND]'.
https://fedorahosted.org/freeipa/ticket/4768
Reviewed-By: Martin Basti <mbasti@redhat.com>
New LDAP ACIs have been added to allow vault owners to manage the
vaults and to allow members to access the vaults. New CLIs have
been added to manage the owner and member list. The LDAP schema
has been updated as well.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
One-way trust is the default now, use 'trust add --two-way ' to
force bidirectional trust
https://fedorahosted.org/freeipa/ticket/4959
In case of one-way trust we cannot authenticate using cross-realm TGT
against an AD DC. We have to use trusted domain object from within AD
domain and access to this object is limited to avoid compromising the whole
trust configuration.
Instead, IPA framework can call out to oddjob daemon and ask it to
run the script which can have access to the TDO object. This script
(com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal
to retrieve TDO object credentials from IPA LDAP if needed and then
authenticate against AD DCs using the TDO object credentials.
The script pulls the trust topology out of AD DCs and updates IPA LDAP
store. Then IPA framework can pick the updated data from the IPA LDAP
under normal access conditions.
Part of https://fedorahosted.org/freeipa/ticket/4546
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This can be either set in IPA config file or specified as
'ipa --skip-version-check [COMMAND]'.
part of https://fedorahosted.org/freeipa/ticket/4768
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add the `--file=FILENAME' option to `certprofile-mod' which, when
given, will update the profile configuration in Dogtag to the
contents of the file.
Fixes: https://fedorahosted.org/freeipa/ticket/5093
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add the `--out=FILENAME' option to `certprofile-show'. When given,
it exports the profile configuration from Dogtag and writes it to
the named file.
Fixes: https://fedorahosted.org/freeipa/ticket/5091
Reviewed-By: Martin Basti <mbasti@redhat.com>
* Hide topology and domainlevel commands in the CLI
* Hide topology and domainlevel in the WebUI
* Set maximum allowed domain level to 0
* Do not configure and enable the topology plugin
https://fedorahosted.org/freeipa/ticket/5097
Reviewed-By: Martin Basti <mbasti@redhat.com>
A new attribute ipaVaultPublicKey has been added to replace the
existing ipaPublicKey used to store the vault public key.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The vault plugin has been modified to support symmetric and asymmetric
vaults to provide additional security over the standard vault by
encrypting the data before it's sent to the server. The encryption
functionality is implemented using the python-cryptography library.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
added to commands: doc, proper args, NO_CLI
added to options: default_from, cli_name, cli_short_name and others
https://fedorahosted.org/freeipa/ticket/3129
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
A new group of commands is introduced that simplifies adding and removing
binary certificates to entries. A general form of the command is
ipa [user/host/service]-[add/remove]-cert [pkey] --certificate=[BASE64 BLOB]
Part of http://www.freeipa.org/page/V4/User_Certificates and
https://fedorahosted.org/freeipa/ticket/4238
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Validation of certificate is now handled by `x509.validate_certificate'.
Revocation of the host and service certificates was factored out to a separate
function.
Part of http://www.freeipa.org/page/V4/User_Certificates
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This patch extends the API framework with a set of classes which add/remove
values to a single LDAPObject attribute.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Instead of internal error show 'DNS is not configured' message, when a
dns* command is executed.
https://fedorahosted.org/freeipa/ticket/5017
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This change removes the automatic plugins sub-package magic and allows
specifying modules in addition to packages.
https://fedorahosted.org/freeipa/ticket/3090
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
For IPA users and groups we are able to trigger a removal of
any relevant ID overrides in user-del and group-del commands.
https://fedorahosted.org/freeipa/ticket/5026
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For various reasons, it can happen that the users or groups that
have overrides defined in a given ID view are no longer resolvable.
Since user and group names are used to specify the ID override objects
too by leveraging the respective user's or group's ipaUniqueID,
we need to provide a fallback in case these user or group entries
no longer exist.
https://fedorahosted.org/freeipa/ticket/5026
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The availability of dcerpc bindings is being checked on the client
side as well, hence we need to define it properly.
https://fedorahosted.org/freeipa/ticket/5025
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Upstream PyKerberos uses a different argument ordering than
from the patch that Fedora/RHEL was carrying for
authGSSClientInit().
Using named arguments provides forwards and backwards
compatibility.
https://fedorahosted.org/freeipa/ticket/5085
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Checks done:
1. check if the topology is not disconnected. In other words if
there are replication paths between all servers.
2. check if servers don't have more than a recommended number of
replication agreements (4)
https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: David Kupka <dkupka@redhat.com>
ipa-replica-manage del now:
- checks the whole current topology (before deletion), reports issues
- simulates deletion of server and checks the topology again, reports issues
Asks admin if he wants to continue with the deletion if any errors are found.
https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: David Kupka <dkupka@redhat.com>
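
The two topology commits above (the connectivity and agreement-count checks, and the simulated deletion in ipa-replica-manage del) can be illustrated with a small graph check. This is an added example, not FreeIPA's code: the function names, the constructed server names and the treatment of every segment as bidirectional are assumptions; only the limit of 4 agreements comes from the commit message.

```python
MAX_AGREEMENTS = 4  # recommended maximum per server, from the commit message

# Constructed sample topology: a simple chain of four replicas.
SERVERS = ["ipa1.example.test", "ipa2.example.test",
           "ipa3.example.test", "ipa4.example.test"]
SEGMENTS = [("ipa1.example.test", "ipa2.example.test"),
            ("ipa2.example.test", "ipa3.example.test"),
            ("ipa3.example.test", "ipa4.example.test")]


def build_graph(servers, segments):
    """Adjacency map; every server is present even if it has no segment."""
    graph = {server: set() for server in servers}
    for left, right in segments:
        # Assumption: each segment replicates in both directions.
        graph[left].add(right)
        graph[right].add(left)
    return graph


def components(graph):
    """Connected components, each as a sorted list of server names."""
    seen, result = set(), []
    for start in sorted(graph):
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(graph[node] - comp)
        seen |= comp
        result.append(sorted(comp))
    return result


def check_topology(servers, segments):
    """Return a list of issues; an empty list means both checks passed."""
    graph = build_graph(servers, segments)
    issues = []
    comps = components(graph)
    if len(comps) > 1:
        # Check 1: no replication path between some pairs of servers.
        issues.append(("disconnected", comps))
    for server in sorted(graph):
        # Check 2: more agreements than the recommended number.
        if len(graph[server]) > MAX_AGREEMENTS:
            issues.append(("too_many_agreements", server, len(graph[server])))
    return issues


def simulate_delete(servers, segments, victim):
    """Check the topology as it would look after removing one server."""
    remaining = [s for s in servers if s != victim]
    kept = [(l, r) for l, r in segments if victim not in (l, r)]
    return check_topology(remaining, kept)


if __name__ == "__main__":
    print("current:", check_topology(SERVERS, SEGMENTS))
    print("after deleting ipa2:",
          simulate_delete(SERVERS, SEGMENTS, "ipa2.example.test"))
```

Removing a server in the middle of the chain leaves the topology split, which is the condition the deletion prompt is meant to surface before the admin confirms.
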
In user_del, flags 'permanently' and 'preserve' were replaced with single
bool option 'preserve'
part of: https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: David Kupka <dkupka@redhat.com>
setting "nsds5BeginReplicaRefresh;left" to "start" reinitializes the
right node and not the left node. This patch fixes API to match the
behavior.
part of: https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
topology plugin doesn't properly handle:
- creation of segment with direction 'none' and then upgrade to other
direction
- downgrade of direction
These situations are now forbidden in API.
part of: https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Mod of segment end will be disallowed in topology plugin.
Reasoning (by Ludwig): if we want to properly allow mods to change
connectivity and endpoints, then we would need to check if the mod
disconnects the topology, delete existing agreements, check if the new
would be a duplicate and create new agmts. There could be some difficult
scenarios, like having
A <--> B <--> C <--> D,
if you modify the segment B-C to A-D topology breaks and is then
reconnected.
part of: https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Show warning messages if DNSSEC validation is failing for particular FW
zone or if the specified forwarders do not work
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Validation now provides more detailed information and less false
positives failures.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Implement the caacl commands, which are used to indicate which
principals may be issued certificates from which (sub-)CAs, using
which profiles.
At this commit, and until sub-CAs are implemented, all rules refer
to the top-level CA (represented as ".") and no ca-ref argument is
exposed.
Also, during install and upgrade add a default CA ACL that permits
certificate issuance for all hosts and services using the profile
'caIPAserviceCert' on the top-level CA.
Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use state in LDAP rather than local state to check if KRA is installed.
Use correct log file names.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: David Kupka <dkupka@redhat.com>
New commands have been added to archive and retrieve
data into and from a vault, also to retrieve the
transport certificate.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Adds a new option to command ipa migrate-ds, --scope=[base,onelevel,subtree]
which allows the user to specify LDAP search depth for users and groups.
'onelevel' was the hard-coded level before this patch and is still
default. Specify 'subtree' to search nested OUs for users and groups.
https://fedorahosted.org/freeipa/ticket/2547
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add the profile_id parameter to the 'request_certificate' function
and update call sites.
Also remove multiple occurrences of the default profile ID
'caIPAserviceCert'.
Part of: https://fedorahosted.org/freeipa/ticket/57
Reviewed-By: Martin Basti <mbasti@redhat.com>
There exist methods to split user or service/host principals, but
there is no method to split any kind of principal and allow the
caller to decide what to do.
Generalize ``ipalib.plugins.service.split_principal`` to return a
service of ``None`` if the principal is a user principal, rename it
``split_any_principal`` and reimplement ``split_principal`` to
preserve existing behaviour.
Part of: https://fedorahosted.org/freeipa/ticket/4938
Reviewed-By: Martin Basti <mbasti@redhat.com>
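
The split_any_principal generalisation above, and the earlier subjectAltName fix that normalises both sides of the comparison so they carry realm information, can be sketched as follows. This is an added example, not the ipalib implementation: the function bodies, the normalize_principal and san_matches helpers, the EXAMPLE.TEST realm and the sample principals are assumptions, and escaped '@' or '/' characters inside name components are not handled.

```python
DEFAULT_REALM = "EXAMPLE.TEST"  # constructed realm for the example


def split_any_principal(principal, default_realm=DEFAULT_REALM):
    """Split 'name[@REALM]' or 'service/host[@REALM]'.

    Returns (service, name, realm); service is None for a user principal,
    which leaves the decision about what to do with it to the caller.
    """
    name, at, realm = principal.partition("@")
    if not at:
        realm = default_realm          # realm omitted: fill in the default
    elif not realm or "@" in realm:
        raise ValueError("malformed principal: %r" % principal)
    if not name:
        raise ValueError("malformed principal: %r" % principal)

    service, slash, host = name.partition("/")
    if not slash:
        return None, name, realm       # user principal
    if not service or not host or "/" in host:
        raise ValueError("malformed principal: %r" % principal)
    return service, host, realm


def normalize_principal(principal, default_realm=DEFAULT_REALM):
    """Rebuild the principal so that it always contains the realm."""
    service, name, realm = split_any_principal(principal, default_realm)
    if service is None:
        return "%s@%s" % (name, realm)
    return "%s/%s@%s" % (service, name, realm)


def san_matches(target_principal, san_value, default_realm=DEFAULT_REALM):
    """Compare a target principal with a KRB5PrincipalName / UPN altName.

    Both sides are normalised first, so 'alice' and 'alice@EXAMPLE.TEST'
    compare equal while a principal in a different realm still does not.
    """
    return (normalize_principal(target_principal, default_realm)
            == normalize_principal(san_value, default_realm))


if __name__ == "__main__":
    # A raw string comparison rejects a valid request...
    print("alice" == "alice@EXAMPLE.TEST")               # False
    # ...while the normalised comparison accepts it.
    print(san_matches("alice", "alice@EXAMPLE.TEST"))    # True
    print(san_matches("alice", "alice@OTHER.TEST"))      # False
    print(split_any_principal("host/web.example.test"))
```
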
Add the 'certprofile' plugin which defines the commands for managing
certificate profiles and associated permissions.
Also update Dogtag network code in 'ipapython.dogtag' to support
headers and arbitrary request bodies, to facilitate use of the
Dogtag profiles REST API.
Part of: https://fedorahosted.org/freeipa/ticket/57
Reviewed-By: Martin Basti <mbasti@redhat.com>
Adding or removing certificates from a service via --addattr or
--delattr is broken. Get certificates from entry_attrs instead of
options.
https://fedorahosted.org/freeipa/ticket/4238
Reviewed-By: Martin Basti <mbasti@redhat.com>
Service Constraints are the delegation model used by
ipa-kdb to grant service A to obtain a TGT for a user
against service B.
https://fedorahosted.org/freeipa/ticket/3644
Reviewed-By: Martin Basti <mbasti@redhat.com>
Update the framework to support multiple host and service
certificates.
host-mod and service-mod revoke existing certificates that are not
included in the modified entry. Using addattr=certificate=... will
result in no certificates being revoked.
The existing behaviour of host-disable, host-del, service-disable
and service-del (revoke existing certificate) is preserved but now
applies to all certificates in the host or service entry.
Also update host-show and service-show to write all the principal's
certificates to the file given by the ``--out=FILE`` option.
Part of: http://www.freeipa.org/page/V4/User_Certificates
https://fedorahosted.org/freeipa/ticket/4238
Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa server-find
ipa server-show FQDN
These commands display a list of IPA servers stored in cn=masters,cn=ipa,cn=etc,$SUFFIX
https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
A new plugin has been added to manage vaults. Test scripts have
also been added to verify the functionality.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>