Apart from server-side credentials passkey should also register
discoverable credentials.
ipa user-add-passkey --register now supports an additional option,
--cred-type server-side|discoverable
that is propagated to passkey_child command.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
FreeIPA Kerberos implementation already supports delegation of
credentails, both unconstrained and constrained. Constrained delegation
is an extension developed by Microsoft and documented in MS-SFU
specification. MS-SFU specification also includes resource-based
constrained delegation (RBCD) which FreeIPA did not support.
Microsoft has decided to force use of RBCD for forest trust. This means
that certain use-cases will not be possible anymore.
This design document outlines approaches used by FreeIPA for constrained
delegation implementation, including RBCD.
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Instead of passing TRUE/FALSE to a single --enable option
use two flags instead, which IMHO is clearer.
So --enable=TRUE to --enable and --enable=FALSE to --disable
Fixes: https://pagure.io/freeipa/issue/9323
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This document showcases common usecases for the user to
interact with the PR-CI checker tool.
Signed-off-by: David Pascual <davherna@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Replace comparisons of "if value" with "if value is not None"
in order to handle 0.
Add a short reference to the man page to indicat that a cert
or request retention time of 0 means remove at the next
execution.
Also indicate that the search time limit is in seconds.
Fixes: https://pagure.io/freeipa/issue/9325
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
A manual method was mentioned with no specificity. Include
the --run command. Also update the troubleshooting section
to show what failure to restart the CA after configuration
looks like.
Import the IPA CA chain for manual execution.
Also fix up some $ -> # to indicate root is needed.
Related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This describes how the certificate pruning capability of PKI
introduced in v11.3.0 will be integrated into IPA, primarily for
ACME.
Related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Purpose is to add support for HSM installation of CA and KRA
on both initial server and replicas.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The ``ipa-client-install`` command now supports PKINIT for client
enrollment. Existing X.509 client certificates can be used to
authenticate a host.
Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA
certificates for PKINIT.
*Requirements*
- The KDC must trust the CA chain of the client certificate.
- The client must be able to verify the KDC's PKINIT cert.
- The host entry must exist. This limitation may be removed in the
future.
- A certmap rule must match the host certificate and map it to a single
host entry.
*Example*
```
ipa-client-install \
--pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
--pkinit-anchor=/path/to/kdc-ca-bundle.pem
```
Fixes: https://pagure.io/freeipa/issue/9271
Fixes: https://pagure.io/freeipa/issue/9269
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
New group password policies will get -1 (unlimited) on creation
by default.
Existing group password policies will remain untouched and
those created prior will be treated as no BIND allowed.
Fixes: https://pagure.io/freeipa/issue/9212
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit updates the subordinate design document to reflect the current state
and remove "outdated" message.
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
There are some references and thoughts on expanding the
current migrate-ds plugin as well.
Related: https://pagure.io/freeipa/issue/3656
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Even though specifying 'raw' format is allowed, this breaks Read The
Docs which is not able to complete the full build of documentation and,
therefore, doesn't publish an updated documentation.
Pushed under one-liner rule.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Add design doc for the feature.
Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add a template for new features in doc/designs/template.md
The template is excluded from automatic doc generation.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Subordinate ids are now handled by a new plugin class and stored in
separate entries in the cn=subids,cn=accounts subtree.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
New LDAP object class "ipaUserSubordinate" with four new fields:
- ipasubuidnumber / ipasubuidcount
- ipasubgidnumber / ipasgbuidcount
New self-service permission to add subids.
New command user-auto-subid to auto-assign subid
The code hard-codes counts to 65536, sets subgid equal to subuid, and
does not allow removal of subids. There is also a hack that emulates a
DNA plugin with step interval 65536 for testing.
Work around problem with older SSSD clients that fail with unknown
idrange type "ipa-local-subid", see: https://github.com/SSSD/sssd/issues/5571
Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The RADIUS auth type is only supported with Kerberos currently.
This design proposes a way to make it work with LDAP binds
as well without relying ok workarounds.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The design draft lists the user stories, implementation choices,
implementation details, limitations, and changes for the new
Expired Password Notifications (EPN) feature.
Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
m2r converts code blocks into ReST code blocks with syntax highlighting.
Auto-detection of the language does not work correctly, though.
Explicitly set the language for console, ini, and Python blocks.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Add disable-stale-users.md: feature document for the upcoming DSU feature.
Fixes: https://pagure.io/freeipa/issue/8104
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
For the authentication indicators 'otp', 'radius', 'pkinit', and
'hardened', allow specifying maximum ticket life and maximum renewable
age in Kerberos ticket policy.
The policy extensions are now loaded when a Kerberos principal data is
requested by the KDC and evaluated in AS_REQ KDC policy check. If one of
the authentication indicators mentioned above is present in the AS_REQ,
corresponding policy is applied to the ticket.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
A group membership manager is a user or a group that can add members to
a group or remove members from a group or host group.
Fixes: https://pagure.io/freeipa/issue/8114
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This document details authentication indicaters and kerberos ticket
policies implemented in IPA.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
SMB attributes are used by Samba domain controller when reporting
details about IPA users via LSA DCE RPC calls.
Based on the initial work from the external plugin:
https://github.com/abbra/freeipa-user-trust-attributes
Related: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Tibor Dudlák <tdudlak@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Document general design for Samba file server running on IPA client as a
domain member in IPA domain.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Upgrade code had Kerberos principal names mixed up: instead of creating
krbtgt/LOCAL-FLAT@REMOTE and marking LOCAL-FLAT$@REMOTE as an alias to
it, it created LOCAL-FLAT$@REMOTE Kerberos principal and marked
krbtgt/LOCAL-FLAT@REMOTE as an alias.
This differs from what Active Directory expects and what is created by
ipasam plugin when trust is established. When upgrading such deployment,
an upgrade code then unexpectedly failed.
Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The hidden replica documentation mentioned using
$ ipa server-state <hostname> --state=enable
whereas the right command is
$ ipa server-state <hostname> --state=enabled
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The design draft explains implementation details, limitations, and API
changes for the new feature.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>