Update the ipa to ipa migration doc in regards to the new IPA migration tool
Fixes: https://pagure.io/freeipa/issue/9547
Signed-off-by: Mark Reynolds <mreynolds@redhatr.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When authentication indicators were introduced in 2016, ipa-pwd-extop
plugin gained ability to reject LDAP BIND when an LDAP client insists
the authentication must use an OTP token. This is used by ipa-otpd to
ensure Kerberos authentication using OTP method is done with at least
two factors (the token and the password).
This enfrocement is only possible when an LDAP client sends the LDAP
control. There are cases when LDAP clients cannot be configured to send
a custom LDAP control during BIND operation. For these clients an LDAP
BIND against an account that only has password and no valid token would
succeed even if admins intend it to fail.
Ability to do LDAP BIND without a token was added to allow users to add
their own OTP tokens securely. If administrators require full
enforcement over LDAP BIND, it is cannot be achieved with LDAP without
sending the LDAP control to do so.
Add IPA configuration string, EnforceLDAPOTP, to allow administrators to
prevent LDAP BIND with a password only if user is required to have OTP
tokens. With this configuration enabled, it will be not possible for
users to add OTP token if one is missing, thus ensuring no user can
authenticate without OTP and admins will have to add initial OTP tokens
to users explicitly.
Fixes: https://pagure.io/freeipa/issue/5169
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Unfortunately, using pydata_sphinx_theme extension generates warnings in
sphix processing. These warnings cause documentation build to be
considered a failure:
WARNING: the pydata_sphinx_theme extension is not safe for parallel writing
WARNING: doing serial write
....
build finished with problems, 2 warnings.
make: *** [Makefile:24: html] Error 1
Since the build is already doing a serial write, enforce it from start.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Lay out the supported migration paths. Users are likely to get
creative with migration so we need to narrow the path for which
we can provide support.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Many of the workshop pages links are directing to URLs that end with
".rst" instead of ".html", as a result, these links are broken.
This commit introduces explicit targets and references to ensure that
the pages are correctly linked.
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Include changes related to passkey auth indicators.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Apart from server-side credentials passkey should also register
discoverable credentials.
ipa user-add-passkey --register now supports an additional option,
--cred-type server-side|discoverable
that is propagated to passkey_child command.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Currently supports a single parameter:
--require-user-verification [ 'on', 'off', 'default']
Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This includes:
* Section about command/param info in usage guide
* Section about metadata retrieval in usage guide
* Guide about differences between CLI and API
* Access control guide (management of roles, privileges and
permissions).
* Guide about API contexts
* JSON-RPC usage guide and JSON-to-Python conversion
* Notes about types in API Reference
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
IPA API commands to manage RBCD access controls.
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
FreeIPA Kerberos implementation already supports delegation of
credentails, both unconstrained and constrained. Constrained delegation
is an extension developed by Microsoft and documented in MS-SFU
specification. MS-SFU specification also includes resource-based
constrained delegation (RBCD) which FreeIPA did not support.
Microsoft has decided to force use of RBCD for forest trust. This means
that certain use-cases will not be possible anymore.
This design document outlines approaches used by FreeIPA for constrained
delegation implementation, including RBCD.
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The notes that Param pages will contain after #6733 are added manually,
and because of it we need to add markers to differentiate between
automated and manual content, equal to what we do for class pages.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When you run "ipa idp-show <idp reference>" the IdP reference is shown
as "Identity Provider server name". This is confusing as we are pointing
to the earlier created IdP reference rather than a server. Other files
are updated as well to reflect this change.
Additionally some typos are fixed with this patch too.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Instead of passing TRUE/FALSE to a single --enable option
use two flags instead, which IMHO is clearer.
So --enable=TRUE to --enable and --enable=FALSE to --disable
Fixes: https://pagure.io/freeipa/issue/9323
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This document showcases common usecases for the user to
interact with the PR-CI checker tool.
Signed-off-by: David Pascual <davherna@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Replace comparisons of "if value" with "if value is not None"
in order to handle 0.
Add a short reference to the man page to indicat that a cert
or request retention time of 0 means remove at the next
execution.
Also indicate that the search time limit is in seconds.
Fixes: https://pagure.io/freeipa/issue/9325
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Include guides with examples for groups, HBAC and sudo rules management.
These cover most of available commands related to these topics.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
As discussed in PR #6664, `ipa show-mappings` can be used as a handy way to list
command arguments and options directly through the CLI.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
A manual method was mentioned with no specificity. Include
the --run command. Also update the troubleshooting section
to show what failure to restart the CA after configuration
looks like.
Import the IPA CA chain for manual execution.
Also fix up some $ -> # to indicate root is needed.
Related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This describes how the certificate pruning capability of PKI
introduced in v11.3.0 will be integrated into IPA, primarily for
ACME.
Related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Replaced URL in Markdown Format with the proper reStructuredText markup
in file doc/workshop/12-external-idp-support.rst
Signed-off-by: Lenz Grimmer <lenz.grimmer@percona.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add basic user management guide that includes various examples on
performing common tasks related to the user module, such as adding an
user, modifying it, adding certificates for it, etc.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Update doc/api/vault_archive_internal.md and
doc/api/vault_retrieve_internal.md
after the change from commit 93548f2
(default wrapping algo is now des-ede3-cbc instead of aes-128-cbc).
Related: https://pagure.io/freeipa/issue/9259
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Purpose is to add support for HSM installation of CA and KRA
on both initial server and replicas.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add a guide explaining how to use the IPA API through Python. This
includes initializing the API, launching commands and retrieving
results, including batch operations.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Extend the 'make api' target so that we also build an API Reference in
Markdown format. One template for each command gets generated. These
templates include all of the command details (arguments, options and
outputs), and then a section for manually-added notes such as semantics
or version differences. Every time the docs are regenerated, these notes
will be added if they exist.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The ``ipa-client-install`` command now supports PKINIT for client
enrollment. Existing X.509 client certificates can be used to
authenticate a host.
Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA
certificates for PKINIT.
*Requirements*
- The KDC must trust the CA chain of the client certificate.
- The client must be able to verify the KDC's PKINIT cert.
- The host entry must exist. This limitation may be removed in the
future.
- A certmap rule must match the host certificate and map it to a single
host entry.
*Example*
```
ipa-client-install \
--pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
--pkinit-anchor=/path/to/kdc-ca-bundle.pem
```
Fixes: https://pagure.io/freeipa/issue/9271
Fixes: https://pagure.io/freeipa/issue/9269
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
New group password policies will get -1 (unlimited) on creation
by default.
Existing group password policies will remain untouched and
those created prior will be treated as no BIND allowed.
Fixes: https://pagure.io/freeipa/issue/9212
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit updates the subordinate design document to reflect the current state
and remove "outdated" message.
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
There are some references and thoughts on expanding the
current migrate-ds plugin as well.
Related: https://pagure.io/freeipa/issue/3656
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>