Commit Graph

13601 Commits

Author SHA1 Message Date
Fraser Tweedale
638d98625c initial commit 2020-03-21 07:40:34 +02:00
Abhijeet
4a48fe3102 Update workshop.rst
Correction in Windows hosts file path.
2020-03-21 07:40:34 +02:00
Fraser Tweedale
73da58024d remove proposal 2020-03-21 07:40:34 +02:00
Fraser Tweedale
fb5ab1d4af add copyright notice 2020-03-21 07:40:34 +02:00
Fraser Tweedale
1723910acc freeipa-workshop: fix mod_authnz_pam link 2020-03-21 07:40:34 +02:00
Fraser Tweedale
df3115680e merge (most of) zdover's edits 2020-03-21 07:40:34 +02:00
zdover
39d1715c54 100 percent complete edit 2020-03-21 07:40:34 +02:00
zdover
e8c9efed0d sixty percent edited 2020-03-21 07:40:34 +02:00
zdover
2012713c24 thirty percent edited 2020-03-21 07:40:34 +02:00
zdover
dd22a3c299 first tranche of edits 2020-03-21 07:40:34 +02:00
zdover
37b38eadc5 making a list's items agree with one another 2020-03-21 07:40:34 +02:00
Fraser Tweedale
a209cb9d37 20151029-osdc-freeipa-workshop: add app.py 2020-03-21 07:40:34 +02:00
Fraser Tweedale
32b37185ba osdc-freeipa-workshop: add certificate management module 2020-03-21 07:40:34 +02:00
Fraser Tweedale
855556e064 osdc-freeipa-workshop: add OS X and update Debian/Ubuntu details 2020-03-21 07:40:34 +02:00
Fraser Tweedale
326011dad8 osdc-freeipa-workshop: add debian/ubuntu prep instructions 2020-03-21 07:40:34 +02:00
Fraser Tweedale
9c2072c643 osdc-freeipa-workshop: support vagrant-libvirt on Fedora 2020-03-21 07:40:34 +02:00
Fraser Tweedale
69b2fd6f1c osdc-freeipa-workshop: presentation, minor curriculum edits 2020-03-21 07:40:34 +02:00
Fraser Tweedale
31676d7c9b osdc-freeipa-workshop: typospotting 2020-03-21 07:40:34 +02:00
Fraser Tweedale
7a865b7fba osdc-freeipa-workshop: remove definition list of VMs 2020-03-21 07:40:34 +02:00
Fraser Tweedale
fe03beb0e7 osdc-freeipa-workshop: add missing dnf install vagrant 2020-03-21 07:40:34 +02:00
Fraser Tweedale
514f4c298c osdc-freeipa-workshop: clarify prep goals and VirtualBox version 2020-03-21 07:40:34 +02:00
Fraser Tweedale
e76d172682 osdc-freeipa-workshop: update troubleshooting doc 2020-03-21 07:40:33 +02:00
Fraser Tweedale
77cb86bcf3 osdc-freeipa-workshop: incorporate wibrown's feedback 2020-03-21 07:40:33 +02:00
Fraser Tweedale
1445311e74 osdc-freeipa-workshop: update f22 installation steps 2020-03-21 07:40:33 +02:00
Fraser Tweedale
4c5db75445 osdc-freeipa-workshop: add Windows prep details 2020-03-21 07:40:33 +02:00
Fraser Tweedale
c90fabd6b1 osdc-freeipa-workshop: add Vagrantfile clone instructions and curriculum overview 2020-03-21 07:40:33 +02:00
Fraser Tweedale
0417063d49 osdc-freeipa-workshop: remove vagrant-hostmanager steps, add editing notes 2020-03-21 07:40:33 +02:00
Fraser Tweedale
aafbbd9bce osdc-freeipa-workshop: selinux and other minor fixes 2020-03-21 07:40:33 +02:00
Fraser Tweedale
ea16b85390 osdc-freeipa-workshop: add mod_lookup_identity and mod_authnz_pam sections 2020-03-21 07:40:33 +02:00
Fraser Tweedale
70ec83dd39 osdc-freeipa-workshop: add mod_auth_gssapi section 2020-03-21 07:40:33 +02:00
Fraser Tweedale
26f4be5839 sudo make me a sandwich 2020-03-21 07:40:33 +02:00
Fraser Tweedale
96f93687d9 osdc-freeipa-workshop: add rpmfusion instructions 2020-03-21 07:40:33 +02:00
Fraser Tweedale
64109d5ac4 osdc-freeipa-workshop: external authnz module (WIP); minor fixes 2020-03-21 07:40:33 +02:00
Fraser Tweedale
71ec597caa osdc-freeipa-workshop: add initial workshop modules 2020-03-21 07:40:33 +02:00
Fraser Tweedale
f8638e9696 fix osdc2015 and lca2016 dates 2020-03-21 07:40:33 +02:00
Christian Heimes
a4efb3028b Test documentation builds in Azure 2020-03-21 07:40:33 +02:00
Christian Heimes
a4456b010a Include design documentation 2020-03-21 07:40:33 +02:00
Christian Heimes
d267d43447 Introduce FreeIPA
Copied from https://www.freeipa.org/page/About
2020-03-21 07:40:33 +02:00
Christian Heimes
080a5831ea Bootstrap Sphinx documentation
Run sphinx-quickstart and include sphinx dependencies.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
2020-03-21 07:40:33 +02:00
Florence Blanc-Renaud
3753862401 ipatests: wait for SSSD to become online in backup/restore tests
The backup/restore tests are calling 'id admin' after restore
to make sure that the user name can be resolved after a restore.
The test should wait for SSSD backend to become online before
doing any check, otherwise there is a risk that the call to
'id admin' fails.

Fixes: https://pagure.io/freeipa/issue/8228

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-21 07:37:05 +02:00
Christian Heimes
d23322434f Move freeipa-selinux dependency to freeipa-common
The SELinux policy defines file contexts that are also used by clients,
e.g. /var/log/ipa/. Make freeipa-selinux a dependency of freeipa-common.

Related: https://pagure.io/freeipa/issue/6891
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-20 15:18:30 +01:00
Christian Heimes
a55a722237 Integrate ipa_custodia policy
ipa-custodia is an internal service for IPA. The upstream SELinux policy
has a separate module for ipa_custodia. Fold the current policy from
Fedora rawhide into ipa's SELinux policy.

Related: https://pagure.io/freeipa/issue/6891
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-20 15:18:30 +01:00
sumenon
c77f4213e9 ipatests: Added testcase to check logrotate is added for healthcheck tool
Issue: freeipa/freeipa-healthcheck#35
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2020-03-20 08:20:56 +01:00
Alexander Bokovoy
2997a74abc Prevent adding IPA objects as external members of external groups
The purpose of external groups in FreeIPA is to be able to reference
objects only existing in trusted domains. These members get resolved
through SSSD interfaces but there is nothing that prevents SSSD from
resolving any IPA user or group if they have security identifiers
associated.

Enforce a check that a SID returned by SSSD does not belong to IPA
domain and raise a validation error if this is the case. This would
prevent adding IPA users or groups as external members of an external
group.

RN: Command 'ipa group-add-member' allowed to specify any user or group
RN: for '--external' option. A stricter check is added to verify that
RN: a group or user to be added as an external member does not come
RN: from IPA domain.

Fixes: https://pagure.io/freeipa/issue/8236
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-03-19 13:27:30 +01:00
Florence Blanc-Renaud
20d601e9c3 xmlrpc tests: add a test for idview-apply on a master
Add a new XMLRPC test trying to apply an IDview:
- to a master
- to a hostgroup containing a master
The command must refuse to apply the IDview to a master node.

Related: https://pagure.io/freeipa/issue/5662

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-19 10:55:11 +01:00
Florence Blanc-Renaud
e08f7a9ef3 idviews: prevent applying to a master
Custom IDViews should not be applied to IPA master nodes. Add a
check enforcing this rule in idview_apply command.

Fixes: https://pagure.io/freeipa/issue/5662

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-19 10:55:11 +01:00
Stanislav Levin
14c9cf9988 pki-proxy: Don't rely on running apache until it's configured
This partially restores the pre-ec73de969f state of `http_proxy`,
which fails to restart the apache service during master
installation. The failure happens because apache is not
configured yet at the 'pki-tomcatd' installation phase. The mentioned
code and the proposed one rely on the installer which bootstraps the
master.

Fixes: https://pagure.io/freeipa/issue/8233
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-18 16:36:36 +02:00
Anuja More
6018ccaa8d Mark test to skip sssd-2.2.2
Test test_ext_grp_with_ldap is marked as skip as the
fix for https://pagure.io/SSSD/sssd/issue/4073
is unavailable with sssd-2.2.2

Related: https://pagure.io/SSSD/sssd/issue/4073

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-17 09:13:16 +02:00
Anuja More
b2ab2863ca ipatests: User and group with same name should not break reading AD user data.
Regression test resolving trusted users and groups should be
successful when there is a user in IPA with the
same name as a group name.

Related: https://pagure.io/SSSD/sssd/issue/4073

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-17 09:13:16 +02:00
Christian Heimes
7a9ac1f586 Allow hosts to read DNS records for IP SAN
For SAN IPAddress extension the cert plugin verifies that the IP address
matches the host entry. Certmonger uses the host principal to
authenticate and retrieve certificates. But the host principal did not
have permission to read DNS entries from LDAP.

Allow all hosts to read some entries from active DNS records.

Fixes: https://pagure.io/freeipa/issue/8098
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-16 13:04:17 +01:00