Commit Graph

374 Commits

Author SHA1 Message Date
Nathaniel McCallum
49038cda9f Add OTP last token plugin
This plugin prevents the deletion or deactivation of the last
valid token for a user. This prevents the user from migrating
back to single factor authentication once OTP has been enabled.

Thanks to Mark Reynolds for helping me with this patch.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 10:26:02 +01:00
Nathaniel McCallum
a91c0972b9 Update ACIs to permit users to add/delete their own tokens
https://fedorahosted.org/freeipa/ticket/4087

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-13 19:43:29 +01:00
Nathaniel McCallum
6c500ccf05 Move ipa-otpd socket directory
https://fedorahosted.org/freeipa/ticket/4167
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-11 17:36:19 +01:00
Petr Spacek
c919363538 Remove working directory for bind-dyndb-ldap plugin.
The working directory will be provided directly
by bind-dyndb-ldap package.

This partially reverts commit 689382dc83.

https://fedorahosted.org/freeipa/ticket/3967
2014-01-27 16:04:33 +01:00
Petr Spacek
04627b72d6 Limit memberOf and refInt DS plugins to main IPA suffix.
This drastically improves performance of retro changelog trimming.

https://fedorahosted.org/freeipa/ticket/3967
2014-01-27 14:40:36 +01:00
Jan Cholasta
923e9d8bed Fix ntpd config on clients.
https://fedorahosted.org/freeipa/ticket/4094
2014-01-24 13:01:32 +01:00
Petr Vobornik
3e0ae97268 Use only system fonts
This commit changes how fonts are used.

- remove usage of bundled fonts and only system fonts are used instead
  - by using alias in httpd conf
  - by using local("Font Name") directive in font-face
- removed usage of overpass font
- redefined Open Sans font-face declarations. Note: upstream is doing the
  same change so we will be fine on upgrade.
- introduce variable.less for variable definitions and overrides. This file
  will be very useful when we upgrade to newer RCUE so we will be able to
  redefine their and bootstrap's variables.

Fixes: https://fedorahosted.org/freeipa/ticket/2861
2014-01-21 12:05:09 +01:00
Petr Vobornik
cbfed871e7 Use RCUE fonts
https://fedorahosted.org/freeipa/ticket/3902
2014-01-21 12:04:02 +01:00
Petr Vobornik
3241c2cb3a RCUE initial commit
https://fedorahosted.org/freeipa/ticket/3902
2014-01-21 12:04:02 +01:00
Ana Krivokapic
689382dc83 Enable Retro Changelog and Content Synchronization DS plugins
Enable Retro Changelog and Content Synchronization DS plugins which are required
for SyncRepl support.

Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+.

https://fedorahosted.org/freeipa/ticket/3967
2014-01-14 16:37:56 +01:00
Martin Kosek
0accfabfa3 Increase Java stack size on s390 platforms
As reported in https://bugzilla.redhat.com/show_bug.cgi?id=1040576,
the default stack trace needs to be also increased on s390 platforms
to prevent rhino segfault.
2014-01-03 13:56:05 +01:00
Xiao-Long Chen
5e96fbc22a Use /usr/bin/python2
Part of the effort to port FreeIPA to Arch Linux,
where Python 3 is the default.

FreeIPA hasn't been ported to Python 3, so the code must be modified to
run /usr/bin/python2

https://fedorahosted.org/freeipa/ticket/3438

Updated by pviktori@redhat.com
2014-01-03 09:46:05 +01:00
Nathaniel McCallum
397b2876e2 Add OTP support to ipalib CLI
https://fedorahosted.org/freeipa/ticket/3368
2013-12-18 09:58:59 +01:00
Martin Kosek
f9aad573b1 Increase Java stack size on PPC platforms
Wit the default stack size, rhino segfaulted on PPC platforms.

https://bugzilla.redhat.com/show_bug.cgi?id=1040576
2013-12-13 15:22:55 +01:00
Jan Cholasta
5e2f7b68f0 Remove CFLAGS duplication.
https://fedorahosted.org/freeipa/ticket/3896
2013-12-06 14:44:41 +01:00
Jan Cholasta
75dadc1d8f Include LDFLAGS provided by rpmbuild in global LDFLAGS in the spec file.
Remove explicitly specified hardening flags from LDFLAGS in ipa-otpd.

https://fedorahosted.org/freeipa/ticket/3896
2013-12-06 14:44:40 +01:00
Jan Cholasta
f618e35a1a Prefer user CFLAGS/CPPFLAGS over those provided by rpmbuild in the spec file.
https://fedorahosted.org/freeipa/ticket/3896
2013-12-06 14:44:40 +01:00
Jan Cholasta
db3e450732 Own /usr/share/ipa/ui/js/ in the spec file.
https://fedorahosted.org/freeipa/ticket/4010
2013-12-02 12:37:44 +01:00
Jan Cholasta
652c4e6ace Use hardening flags for ipa-optd.
https://fedorahosted.org/freeipa/ticket/4010
2013-12-02 12:37:41 +01:00
Petr Viktorin
ba0da01c1d Remove changelog from the spec
The project's history is kept in Git. We used the spec changelog
for changes to the spec itself, which doesn't make much sense.
Downstreams like Fedora use their own changelog anyway.

A single entry is left for tools that expect a changelog.
2013-11-26 15:37:18 +01:00
Jan Cholasta
f20577ddc4 Remove mod_ssl port workaround.
https://fedorahosted.org/freeipa/ticket/4021
2013-11-26 12:58:17 +01:00
Tomas Babej
60b472479d platform: Add Fedora 19 platform file
Part of: https://fedorahosted.org/freeipa/ticket/3504
2013-11-20 13:13:38 +01:00
Martin Basti
e8fc70f149 Removed old firefox configuration scripts
Part of ticket https://fedorahosted.org/freeipa/ticket/3821
2013-11-15 13:30:39 +01:00
Petr Viktorin
88154b5709 Fix date in last changelog entry 2013-10-25 16:14:51 +02:00
Martin Kosek
4bed0de60d Remove mod_ssl conflict
Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening to different ports).

To make sure that mod_ssl is not configured to listen on 443
(default mod_ssl configuration), add a check to the installer checking
of either mod_nss or mod_ssl was configured to listen on that port.

https://fedorahosted.org/freeipa/ticket/3974
2013-10-25 15:35:39 +02:00
Martin Kosek
46b3588112 Require new SSSD to pull required AD subdomain fixes 2013-10-04 10:25:31 +02:00
Petr Viktorin
3e505fe532 Move tests to test directories
Nose doesn't pick up directories that don't begin with 'test'.
Rename ipatests/test_ipaserver/install to test_install so that it's run.

Also, merge test_ipautil.py from ipapython/test into tests/test_ipapython,
so the whole test suite is in one place.
2013-09-25 10:13:56 +02:00
Ana Krivokapic
7c22b852c7 Follow tmpfiles.d packaging guidelines
https://fedorahosted.org/freeipa/ticket/3881
2013-09-16 13:33:13 +02:00
Petr Viktorin
f742520760 Add man pages for testing tools
Add man pages for ipa-run-tests, ipa-test-task, and ipa-test-config.

https://fedorahosted.org/freeipa/ticket/3855 (part 5)
2013-08-29 15:18:34 +02:00
Petr Viktorin
a8d2ec6677 Allow freeipa-tests to work with older paramiko versions
The integration testing framework used Paramiko SFTP files as
context managers. This feature is only available in Paramiko 1.10+.
Use an explicit context manager so that we don't rely on the feature.
2013-08-13 15:42:48 +02:00
Martin Kosek
b1474a53c0 Fix selected minor issues in the spec file and license
This patch fixes:
- too long description for server-trust-ad subpackage
- adds (noreplace) flag %{_sysconfdir}/tmpfiles.d/ipa.conf to avoid
  overwriting potential user changes
- changes permissions on default_encoding_utf8.so to prevent it
  pollute python subpackage Provides.
- wrong address in GPL v2 license preamble in 2 distributed files

https://fedorahosted.org/freeipa/ticket/3855
2013-08-13 15:31:46 +02:00
Martin Kosek
ba5311b7ba Remove rpmlint warnings in spec file
Specifically:
- combination of spaces and tabs in one line
- using macros in comments
- using "egrep" instead of "grep -E"

https://fedorahosted.org/freeipa/ticket/3855
2013-08-13 15:31:46 +02:00
Tomas Babej
69394bab5a Remove support for IPA deployments with no persistent search
Drops the code from ipa-server-install, ipa-dns-install and the
BindInstance itself. Also changed ipa-upgradeconfig script so
that it does not set zone_refresh to 0 on upgrades, as the option
is deprecated.

https://fedorahosted.org/freeipa/ticket/3632
2013-08-09 12:14:42 +02:00
Martin Kosek
e57a9ae7d8 Add requires for slapi-nis and SSSD
Require slapi-nis 0.47.7 and sssd 1.11.0-0.1.beta2 required for core
features of 3.3.0 release.
2013-08-08 15:00:57 +02:00
Ana Krivokapic
fc3f3c90b9 Add ipa-advise plugins for legacy clients
Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to gain access to
resources in trusted domain.

Since the configuration steps differ depending on whether the platform includes
the authconfig tool, two plugins are needed:

* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based
  systems, as these system include the autconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms

https://fedorahosted.org/freeipa/ticket/3671
https://fedorahosted.org/freeipa/ticket/3672
2013-08-07 09:18:42 +02:00
Martin Kosek
6a0aabede5 Free NSS objects in --external-ca scenario
In external CA installation, ipa-server-install leaked NSS objects
which caused an installation crash later when a subsequent call of
NSSConnection tried to free them.

Properly freeing the NSS objects avoid this crash.

https://fedorahosted.org/freeipa/ticket/3773
2013-07-26 12:51:10 +02:00
Petr Viktorin
e38816bdaf Add tar and xz dependencies to the freeipa-tests package
The beakerLib plugin collects log files via compressed tarballs,
so these dependencies are needed
2013-07-25 12:32:36 +02:00
Petr Viktorin
00dfd9399b Add the ipa-test-task tool
This script makes common testing tasks such as IPA installation
and uninstallation available outside of Python.

https://fedorahosted.org/freeipa/ticket/3721
2013-07-25 12:32:35 +02:00
Tomas Babej
d094481ea6 Move requirement for keyutils to freeipa-python package
There was already a dependency in server package, however,
the correct place for such dependency is in freeipa-python,
since the relevant code using keyutils resides there.

Both freeipa-server and freeipa-client require freeipa-python.

https://fedorahosted.org/freeipa/ticket/3808
2013-07-24 17:17:56 +02:00
Martin Kosek
9c851019ae Bump minimum SSSD version
Pick up latest SSSD 1.11 Beta development
2013-07-24 13:37:45 +02:00
Nathaniel McCallum
6c0b7f3389 Use libunistring ulc_casecmp() on unicode strings
https://fedorahosted.org/freeipa/ticket/3772
2013-07-18 18:08:53 +02:00
Ana Krivokapic
f98054a31a Bump version of sssd in spec file
https://fedorahosted.org/freeipa/ticket/3652
2013-07-18 17:49:28 +02:00
Martin Kosek
1dcbb3adfa Require new selinux-policy replacing old server-selinux subpackage
Features of the new policy:
- labels /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t which is
  writeable by PKI and readable by HTTPD
- contains Conflicts with old freeipa-server-selinux package to avoid
  SELinux upgrade issues

https://fedorahosted.org/freeipa/ticket/3788
2013-07-17 16:21:14 +02:00
Tomas Babej
c81849712f Provide ipa-advise tool
Provides a pluggable framework for generating configuration
scriptlets and instructions for various machine setups and use
cases.

Creates a new ipa-advise command, available to root user
on the IPA server.

Also provides an example configuration plugin,
config-fedora-authconfig.

https://fedorahosted.org/freeipa/ticket/3670
2013-07-17 13:49:59 +02:00
Petr Vobornik
2a9be92855 Upstream Web UI tests
Documentation: http://www.freeipa.org/page/Web_UI_Integration_Tests

https://fedorahosted.org/freeipa/ticket/3744
2013-07-16 13:15:59 +02:00
Tomas Babej
7a105604e2 Change group ownership of CRL publish directory
Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no
longer owned by created with package installation. The directory
is rather created/removed with the CA instance itself.

This ensures proper creation/removeal, group ownership
and SELinux context.

https://fedorahosted.org/freeipa/ticket/3727
2013-07-16 12:17:40 +02:00
Petr Viktorin
353f3c62c3 Add a framework for integration testing
Add methods to run commands and copy files to Host objects.
Adds a base class for integration tests which can currently install
and uninstall IPA in a "star" topology with per-test specified number
of hosts.
A simple test for user replication between two masters is provided.
Log files from the remote hosts can be marked for collection, but the
actual collection is left to a Nose plugin.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3621
2013-07-15 15:49:06 +02:00
Petr Viktorin
c577420e40 Add a framework for integration test configuration
Integration tests are configured via environment variables.
Add a framework for parsing these variables and storing them
in easy-to-use objects.

Add an `ipa-test-config` executable that loads the configuration
and prints out variables needed in shell scripts.

Part of the work for https://fedorahosted.org/freeipa/ticket/3621
2013-07-15 15:49:05 +02:00
Martin Kosek
57fd275d7a Run server upgrade and restart in posttrans
Running server upgrade or restart in %post or %postun may cause issues when
there are still parts of old FreeIPA software (like entitlements plugin).

https://fedorahosted.org/freeipa/ticket/3739
2013-07-11 18:05:03 +03:00
Tomas Babej
8c16188519 Add libsss_nss_idmap-devel to BuildRequires 2013-07-11 14:41:19 +03:00
Ana Krivokapic
c1e9b6fa1d Make sure replication works after DM password is changed
Replica information file contains the file `cacert.p12` which is protected by
the Directory Manager password of the initial IPA server installation. The DM
password of the initial installation is also used for the PKI admin user
password.

If the DM password is changed after the IPA server installation, the replication
fails.

To prevent this failure, add the following steps to ipa-replica-prepare:
1. Regenerate the `cacert.p12` file and protect it with the current DM password
2. Update the password of the PKI admin user with the current DM password

https://fedorahosted.org/freeipa/ticket/3594
2013-07-11 12:39:29 +03:00
Jan Cholasta
ea7db35b62 Enable SASL mapping fallback.
Assign a default priority of 10 to our SASL mappings.

https://fedorahosted.org/freeipa/ticket/3330
2013-06-27 17:06:51 +02:00
Martin Kosek
77ae4da706 Remove entitlement support
Entitlements code was not tested nor supported upstream since
version 3.0. Remove the associated code.

https://fedorahosted.org/freeipa/ticket/3739
2013-06-26 14:11:42 +02:00
Petr Viktorin
e87807d379 Add ipa-run-tests command
Part of the work for: https://fedorahosted.org/freeipa/ticket/3654
2013-06-17 19:22:58 +02:00
Petr Viktorin
c60142efda Make an ipa-tests package
Rename the 'tests' directory to 'ipa-tests', and create an ipa-tests RPM
containing the test suite

Part of the work for: https://fedorahosted.org/freeipa/ticket/3654
2013-06-17 19:22:50 +02:00
Martin Kosek
6d66e826c1 Drop redundant directory /var/cache/ipa/sessions
This directory is no longer used as session storage.
2013-06-17 17:35:37 +02:00
Martin Kosek
ad6abdb576 Drop SELinux subpackage
All SELinux policy needed by FreeIPA server is now part of the global
system SELinux policy which makes the subpackage redundant and slowing
down the installation. This patch drops it.

https://fedorahosted.org/freeipa/ticket/3683
https://fedorahosted.org/freeipa/ticket/3684
2013-06-17 17:35:37 +02:00
Nathaniel McCallum
203754691c Add the krb5/FreeIPA RADIUS companion daemon
This daemon listens for RADIUS packets on a well known
UNIX domain socket. When a packet is received, it queries
LDAP to see if the user is configured for RADIUS authentication.
If so, then the packet is forwarded to the 3rd party RADIUS server.
Otherwise, a bind is attempted against the LDAP server.

https://fedorahosted.org/freeipa/ticket/3366
http://freeipa.org/page/V3/OTP
2013-05-17 09:30:51 +02:00
Martin Kosek
58dd5b970e Fix SASL_NOCANON behavior for LDAPI
Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON
behavior for socket based connections (#960222).
2013-05-10 14:18:10 +02:00
Petr Viktorin
8f6e6514c4 Only require libsss_nss_idmap-python in Fedora 19+
The package is only available in Fedora 19.
This means SID resolution in the UI won't work in Fedora 18.
2013-05-07 13:18:48 +02:00
Alexander Bokovoy
03cdc22c94 Resolve SIDs in Web UI
Introduce new command, 'trust-resolve', to aid resolving SIDs to names
in the Web UI.

The command uses new SSSD interface, nss_idmap, to resolve actual SIDs.
SSSD caches resolved data so that future requests to resolve same SIDs
are returned from a memory cache.

Web UI code is using Dojo/Deferred to deliver result of SID resolution
out of band. Once resolved names are available, they replace SID values.

Since Web UI only shows ~20 records per page, up to 20 SIDs are resolved
at the same time. They all sent within the single request to the server.

https://fedorahosted.org/freeipa/ticket/3302
2013-05-06 20:44:00 +02:00
Petr Vobornik
c72d0f5075 Generate plugin index dynamically
https://fedorahosted.org/freeipa/ticket/3235
2013-05-06 16:22:30 +02:00
Petr Vobornik
74b6099fb0 Web UI plugin loader
https://fedorahosted.org/freeipa/ticket/3235
2013-05-06 16:22:20 +02:00
Rob Crittenden
6e2c3a45a1 Handle a 501 in cert-find from dogtag as a "not supported"
Upgrading from d9 -> d10 does not set up the RESTful interface
in dogtag, they just never coded it. Rather than trying to backport
things they have decided to not support upgrades.

We need to catch this and report a more reasonable error. They are
returning a 501 (HTTP method unimplemented) in this case.

https://fedorahosted.org/freeipa/ticket/3549
2013-05-03 16:05:49 -04:00
Rob Crittenden
bfdcc7c62d Drop uniqueMember mapping with nss-pam-ldapd.
nss-pam-ldapd in 0.8.4 changed the default to map uniqueMember to
member so it is no longer needed in the config file, and in fact
causes an error to be raised.

Add a Conflicts on older versions.

https://fedorahosted.org/freeipa/ticket/3589
2013-05-02 10:43:10 -04:00
Jan Cholasta
ddd8988f1c Add support for OpenSSH 6.2.
Run sss_ssh_authorizedkeyscommand as nobody. Automatically update sshd_config
on openssh-server update.

https://fedorahosted.org/freeipa/ticket/3571
2013-04-30 11:05:39 -04:00
Rob Crittenden
732d1042a3 Require version of NSS that properly parses base64-encoded certs
There were cases where a base64-encoded cert with no header/footer would
not be handled properly and rejected. This was causing the CA install
to fail.

https://fedorahosted.org/freeipa/ticket/3586
2013-04-29 09:49:37 -04:00
Ana Krivokapic
cc3c543265 Fix the spec file
Correct ownership for /etc/ipa and remove unnecessary %config directive.

https://fedorahosted.org/freeipa/ticket/3551
2013-04-22 11:46:59 +02:00
Ana Krivokapic
2a8f1b0b16 Handle missing /etc/ipa in ipa-client-install
Make sure /etc/ipa is created and owned by freeipa-python package.

Report correct error to user if /etc/ipa is missing during client installation.

https://fedorahosted.org/freeipa/ticket/3551
2013-04-19 10:57:07 -04:00
Martin Kosek
cbd00072fd Require new samba and krb5
Require samba 4.0.5 (passdb API changed). Make sure that we use the
right epoch number with samba so that the Requires is correctly
enforced.

Require krb5 1.11.2-1 to fix missing PAC issue.

Also fix backup dir permissions.
2013-04-16 11:05:19 -04:00
Rob Crittenden
c8694cb19f Full system backup and restore
This will allow one to backup and restore the IPA files and data. This
does not cover individual entry restoration.

http://freeipa.org/page/V3/Backup_and_Restore

https://fedorahosted.org/freeipa/ticket/3128
2013-04-12 09:59:17 -04:00
Alexander Bokovoy
4dcc947687 spec: detect Kerberos DAL driver ABI change from installed krb5-devel
Find out Kerberos middle version to infer ABI changes in DAL driver.

We cannot load DAL driver into KDC with wrong ABI. This is also needed to
support ipa-devel repository where krb5 1.11 is available for Fedora 18.
2013-04-04 13:31:27 -04:00
Martin Kosek
f1e2465520 Require 389-base-base 1.3.0.5
Pulls the following fixes:
- upgrade deadlock caused by DNA plugin reconfiguration
- CVE-2013-1897: unintended information exposure when rootdse is
  enabled

https://fedorahosted.org/freeipa/ticket/3540
2013-04-02 17:00:17 +02:00
Martin Kosek
d8f75e9e0c Remove syslog.target from ipa.server
This required target is no longer needed as systemd from version 38
has its own journal which is also in the basic set of service unit
requirementes.

https://fedorahosted.org/freeipa/ticket/3511
2013-03-29 08:59:41 +01:00
Martin Kosek
13b1028ac8 Remove build warnings
Fix rpm build warnings report in Fedora 19 build.

https://fedorahosted.org/freeipa/ticket/3500
2013-03-29 08:59:36 +01:00
Martin Kosek
e13a437031 Clean spec file for Fedora 19
This patch includes several cleanups needed for Fedora 19 build:
* ipa-kdb is compatible with both krb5 1.10 and 1.11 which contains
  an updated DAL interface. Remove the conflict from spec file.
* Fix ipa-ldap-updater call to produce errors only to avoid
  cluttering rpm update output
* Remove httpd_conf constant which was not used

https://fedorahosted.org/freeipa/ticket/3502
2013-03-29 08:59:32 +01:00
Martin Kosek
a8a77bfb68 Bump selinux-policy requires
The higher version is reported to fix a Fedora 17 to 18 upgrade issue.

https://fedorahosted.org/freeipa/ticket/3399
2013-03-26 15:26:15 +01:00
Petr Spacek
952a7ac9f5 Add 389 DS plugin for special idnsSOASerial attribute handling
Default value "1" is added to replicated idnsZone objects
if idnsSOASerial attribute is missing.

https://fedorahosted.org/freeipa/ticket/3347

Signed-off-by: Petr Spacek <pspacek@redhat.com>
2013-03-22 14:31:22 +01:00
Petr Viktorin
55cfd06e3a Better logging for AdminTool and ipa-ldap-updater
- Automatically add a "Logging and output options" group with the --quiet,
    --verbose, --log-file options.
- Set up logging based on these options; details are in the setup_logging
    docstring and in the design document.
- Don't bind log methods as individual methods of the class. This means one
    less linter exception.
- Make the help for command line options consistent with optparse's --help and
    --version options.

Design document: http://freeipa.org/page/V3/Logging_and_output
2013-02-01 13:44:55 -05:00
Rob Crittenden
045b6e6ed9 Use new certmonger locking to prevent NSS database corruption.
dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a rewewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're save
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.

Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.

Update the CA ou=People entry when he CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.

https://fedorahosted.org/freeipa/ticket/3292
https://fedorahosted.org/freeipa/ticket/3322
2013-01-29 11:16:38 -05:00
Rob Crittenden
41d11f443b Make certmonger a (pre) requires on server, restart it before upgrading
certmonger may provide new CAs, as in the case from upgrading IPA 2.2
to 3.x. We need these new CAs available during the upgrade process.

The certmonger package does its own condrestart as part of %postun
which runs after the %post script of freeipa-server, so we need to
restart it ourselves before upgrading.

https://fedorahosted.org/freeipa/ticket/3378
2013-01-25 10:08:37 +01:00
Petr Vobornik
69c2f077df Fix BuildRequires: rhino replaced with java-1.7.0-openjdk
Rhino is needed for Web UI build. Rhino needs java, but from package perspective
java-1.7.0-openjdk requires rhino. So the correct BuildRequires is
java-1.7.0-openjdk.
2013-01-22 17:05:29 +01:00
Petr Vobornik
c71937fc0c Updated makefiles to build FreeIPA Web UI layer
Updated makefiles to comply to new directory structure and also to use builder
for building Web UI.

FreeIPA package spec is modified to use the output of the builder.

https://fedorahosted.org/freeipa/ticket/112
2013-01-18 15:10:37 +01:00
Timo Aaltonen
ed84963927 convert the base platform modules into packages 2013-01-14 14:39:54 +01:00
Endi Sukma Dewata
dae4ea4c7e Configuring CA with ConfigParser.
The configuration code has been modified to use the ConfigParser to
set the parameters in the CA section in the deployment configuration.
This allows IPA to define additional PKI subsystems in the same
configuration file.

PKI Ticket #399 (https://fedorahosted.org/pki/ticket/399)
2012-12-10 10:27:54 -05:00
Martin Kosek
6cb7441d15 Bump 389-ds-base minimum in our spec file
Our code needs both Requires and BuildRequires set to 389-ds-base
which supports transactions. Also add the requires to configure.ac.
2012-12-07 13:59:59 +01:00
Rob Crittenden
e05a720b12 Set min for selinux-policy to 3.11.1-60
This fixes errors including sssd domain mapping in krb5.conf (#873429)

https://fedorahosted.org/freeipa/ticket/3132
2012-12-06 10:54:42 -05:00
Jakub Hrozek
a35d4dcbfd Add the includedir to krb5.conf on upgrades
https://fedorahosted.org/freeipa/ticket/3132
2012-12-06 10:54:29 -05:00
Jakub Hrozek
b64dc9362d Specify includedir in krb5.conf on new installs
https://fedorahosted.org/freeipa/ticket/3132
2012-12-06 10:53:22 -05:00
Martin Kosek
3896bf370a Change network configuration file
Fedora+systemd changed deprecated /etc/sysconfig/network which was
used by IPA to store static hostname for the IPA machine. See
https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details.

Change Fedora platform files to store the hostname to /etc/hostname
instead.

https://fedorahosted.org/freeipa/ticket/3279
2012-12-05 13:30:31 +01:00
Petr Viktorin
1d3ddeff54 Fix schema replication from old masters
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.

Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.

The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.

The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
  The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
  The --skip-schema-check option is added to ipa-{replica,ca}-install to
  override the check.

All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.

https://fedorahosted.org/freeipa/ticket/3213
2012-11-23 12:19:19 +01:00
Ade Lee
18a210996d Changes to use a single database for dogtag and IPA
New servers that are installed with dogtag 10 instances will use
a single database instance for dogtag and IPA, albeit with different
suffixes.  Dogtag will communicate with the instance through a
database user with permissions to modify the dogtag  suffix only.
This user will authenticate using client auth using the subsystem cert
for the instance.

This patch includes changes to allow the creation of masters and clones
with single ds instances.
2012-11-23 12:19:19 +01:00
Alexander Bokovoy
7960b5c67f trusts: replace use of python-crypto by m2crypto
python-crypto package is not available everywhere, use m2crypto instead.

Originally we thought to extend python-krbV to provide krb5_c_encrypt()
wrapper but m2crypto is readily available.

https://fedorahosted.org/freeipa/ticket/3271
2012-11-21 11:57:15 -05:00
Rob Crittenden
f1f1b4e7f2 Enable transactions by default, make password and modrdn TXN-aware
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.

Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).

Fix some unit tests that are failing because we actually get the data
now due to transactions.

Add small bit of code in user plugin to retrieve the user again
ala wait_for_attr but in the case of transactions we need do it only
once.

Deprecate wait_for_attr code.

Add a memberof fixup task for roles.

https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
2012-11-21 14:55:12 +01:00
Martin Kosek
dce53e455f Prepare spec file for Fedora 18
FreeIPA 3.0 is being released to Fedora 18 only. Since we only support
Fedora 17 and Fedora 18 in FreeIPA 3.0+, compatibility code for older
Fedoras can be dropped. This should clean up the spec file and make it
more readable.

Dogtag10 Requires were fixed. Without this patch, there is a conflict
on dogtag-pki-common-theme.

Tar requirement was added to avoid crashes in ipa-replica-prepare on
some minimal Fedora composes.

https://fedorahosted.org/freeipa/ticket/2748
https://fedorahosted.org/freeipa/ticket/3237
2012-11-15 13:32:02 +01:00
Martin Kosek
610594156e Disable global forwarding per-zone
bind-dyndb-ldap allows disabling global forwarder per-zone. This may
be useful in a scenario when we do not want requests to delegated
sub-zones (like sub.example.com. in zone example.com.) to be routed
through global forwarder.

Few lines to help added to explain the feature to users too.

https://fedorahosted.org/freeipa/ticket/3209
2012-11-09 15:37:23 +01:00
Simo Sorce
7f272a39b6 Get list of service from LDAP only at startup
We check (possibly different) data from LDAP only at (re)start.
This way we always shutdown exactly the services we started even if the list
changed in the meanwhile (we avoid leaving a service running even if it was
removed from LDAP as the admin decided it should not be started in future).

This should also fix a problematic deadlock with systemd when we try to read
the list of service from LDAP at shutdown.
2012-11-01 10:58:19 -04:00
Sumit Bose
fe66fbe637 Restart httpd if ipa-server-trust-ad is installed or updated
If ipa-server-trust-ad is installed after the ipa server is installed
and configured, httpd needs a restart for additional python modules to
be loaded into httpd on IPA initialization.

Fixes https://fedorahosted.org/freeipa/ticket/3185
2012-10-31 08:48:25 +01:00
Martin Kosek
1ed8ba6a75 Avoid uninstalling dependencies during package lifetime
Requires(pre) only guarantees that package will be present before
package scriptlets are run. However, the package can be removed
after installation is finished without removing also IPA. Add
standard Requires for these dependencies.

Remove PRE version number from VERSION. This update and following
is done on a top of IPA 3.0.0 GA.

https://fedorahosted.org/freeipa/ticket/3189
2012-10-25 15:35:58 -04:00
Martin Kosek
a5ec992ed9 Report ipa-upgradeconfig errors during RPM upgrade
Report errors just like with ipa-ldap-updater. These messages should warn
user that some parts of the upgrades may have not been successful and
he should follow up on them. Otherwise, user may not notice them at all.

ipa-upgradeconfig now has a new --quiet option to make it output only error
level log messages or higher. ipa-upgradeconfig run without options still
pring INFO log messages as it can provide a clean overview about its
actions (unlike ipa-ldap-updater).

https://fedorahosted.org/freeipa/ticket/3157
2012-10-18 21:10:17 -04:00
Simo Sorce
f1ce31486c Use stricter requirement for krb5-server
Our code strictly depends on 1.10 as the KDC DAL plugin interface is not
guaranteed stable and indeed is different in 1.9 and will be different
in 1.11
So we cannot allow upgrades to 1.11 until we can provide a plugin that matches
1.11's interface.
2012-10-10 17:08:03 -04:00
Alexander Bokovoy
9cd0b7b498 Make sure samba{,4}-winbind-krb5-locator package is not used with trusts
Since use of winbind on FreeIPA server that is configured with trusts is
conflicting with krb5 locator based on winbind, use alternatives mechanism
to turn off the locator plugin by symlinking it to /dev/null.

https://fedorahosted.org/freeipa/ticket/3102
2012-10-09 22:24:34 -04:00
Petr Viktorin
1dd103bc8c Create Firefox extension on upgrade and replica-install
If the signing cert is not available, create an unsigned extension.

Add a zip dependency to the specfile.

https://fedorahosted.org/freeipa/ticket/3150
2012-10-10 17:34:19 +02:00
Martin Kosek
74ebd0fd75 Move CRL publish directory to IPA owned directory
Currently, CRL files are being exported to /var/lib/pki-ca
sub-directory, which is then served by httpd to clients. However,
this approach has several disadvantages:
 * We depend on pki-ca directory structure and relevant permissions.
   If pki-ca changes directory structure or permissions on upgrade,
   IPA may break. This is also a root cause of the latest error, where
   the pki-ca directory does not have X permission for others and CRL
   publishing by httpd breaks.
 * Since the directory is not static and is generated during
   ipa-server-install, RPM upgrade of IPA packages report errors when
   defining SELinux policy for these directories.

Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for
both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy
configuration does not report any error. The new CRL publish directory
is used for both new IPA installs and upgrades, where contents of
the directory (CRLs) is first migrated to the new location and then the
actual configuration change is made.

https://fedorahosted.org/freeipa/ticket/3144
2012-10-09 16:00:01 +02:00
Petr Vobornik
696fce5c8d Configuration pages changed to use new FF extension
browserconfig.html was changed to use new FF extension. The page is completely Firefox specific therefore the title was changed from 'Configure browser' to 'Firefox configuration'. Instruction to import CA cert in unauthorized.html are FF specific too, so they were moved to browserconfig.html. Unauthorized.html text was changed to distinguish FF config and other browsers. Now the page shows link for FF (browserconfig.html) and other browsers (ssbrowser.html). Ssbrowser.html should be enhanced by more configurations and browsers later [1].

Old configuration method was moved to ssbrowser.html.

Unauthorized dialog in Web UI now links to http://../unauthorized.html instead of https. This change is done because of FF strange handling of extension installations from https sites [2]. Firefox allows ext. installation from https sites only when the certificate is signed by some build-in CA. To allow custom CAs an option in about:config has to be changed which don't help us at all because we wants to avoid manual changes in about:config.

The design of browserconfig is inspired by Kyle Baker's design (2.1 Enhancements_v2.odt). It is not exactly the same. Highlighting of the steps wasn't used because in some cases we can switch some steps.

Ticket: https://fedorahosted.org/freeipa/ticket/3094

[1] https://fedorahosted.org/freeipa/ticket/823
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383
2012-10-04 18:08:26 -04:00
Petr Vobornik
247a3a43b7 Build and installation of Kerberos authentication extension
This patch is adding a build of kerberosauth.xpi (FF Kerberos authentication extension).

Currently the build is done in install phase of FreeIPA server. It is to allow signing of the extension by singing certificate. The signing might not be necessary because the only outcome is that in extension installation FF doesn't show that the maker is not verified. It shows text: 'Object signing cert'. This might be a bug in httpinstance.py:262(db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)) The value is in place of hostname parameter.

If the extension is not signed, it can be created in rpm build phase, which should make upgrades easier. Current implementation doesn't handle upgrades yet.

In order to keep extension and config pages not dependent on a realm, a krb.js.teplate file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in install phase which holds FreeIPA's realm and domain information. This information can be then used by config pages by importing this file.

Ticket: https://fedorahosted.org/freeipa/ticket/3094
2012-10-04 18:08:04 -04:00
Petr Vobornik
206b6ca04b Kerberos authentication extension makefiles
Makefiles for new FF kerberos authentication extension

ihttps://fedorahosted.org/freeipa/ticket/3094
2012-10-04 18:07:34 -04:00
Martin Kosek
63c7f61501 Add support for unified samba packages
Fedora 18 and later has moved unified samba and samba4 packages. Update
Requires and BuildRequires in spec file to require correct versions.

Also require libwbclient-devel which now provides libwbclient.h instead
of samba4-devel package.

https://fedorahosted.org/freeipa/ticket/3118
2012-10-01 17:32:02 +02:00
Petr Viktorin
4f76c143d2 Use Dogtag 10 only when it is available
Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.

Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.

This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
2012-09-17 18:43:59 -04:00
Rob Crittenden
c9c55a2845 Run the CLEANALLRUV task when deleting a replication agreement.
This adds two new commands to ipa-replica-manage: list-ruv & clean-ruv

list-ruv can be use to list the update vectors the master has
configugured

clean-ruv can be used to fire off the CLEANRUV task to remove a
replication vector. It should be used with caution.

https://fedorahosted.org/freeipa/ticket/2303
2012-09-17 17:48:25 +02:00
Sumit Bose
d491ba0289 ipasam: Fixes build with samba4 rc1 2012-09-14 16:50:52 +02:00
Rob Crittenden
a01fbb91e8 Set minimum of 389-ds-base to 1.2.11.8 to pick up cache warning.
If the DB is bigger than nsslapd-cachememsize then a warning will be
logged by 389-ds-base.

https://fedorahosted.org/freeipa/ticket/2739
2012-09-05 15:52:51 -04:00
Tomas Babej
f397db79dd Adds dependency on samba4-winbind.
Dependency on samba4-winbind has been added to the package
freeipa-server-trust-ad.
2012-08-22 17:22:48 +03:00
Sumit Bose
e8d4cc65f8 Use libsamba-security instead of libsecurity
In samba4-beta6 the name of a library was changed from libsecurity to
libsamba-security.
2012-08-22 17:18:07 +03:00
Martin Kosek
af4d534428 Fix client-only build
Client-only build unconditionally touched some files from freeipa-server
package and thus the installation crashed. Fix spec file to enable
client-only builds like "make client-rpms".
2012-08-17 14:24:15 +02:00
Martin Kosek
adc2f77a39 Bump bind-dyndb-ldap version in spec file
The updated version of the BIND LDAP plugin includes completed
support of DNS zone transfers. With the new version, users will be
able to configure slave DNS servers for IPA master DNS server.
2012-08-17 12:07:25 +02:00
Martin Kosek
8c7556db83 Bump bind-dyndb-ldap version for F18
bind-dyndb-ldap with SOA serial autoincrement was released. Bump
the package version in the spec file. The version is bumped for
F18 only as it was released only to rawhide and we don't want to
break development on F17.

https://fedorahosted.org/freeipa/ticket/2554
2012-08-02 17:22:19 +02:00
Rob Crittenden
03837bfd6d Use certmonger to renew CA subsystem certificates
Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803
2012-07-30 13:39:08 +02:00
Simo Sorce
cc466e98ff Add all external samba libraries to BuildRequires
Also move them in the right spot (if ! only client) so that they are required
only when building the server.
2012-07-25 13:34:49 -04:00
Simo Sorce
dedb180ddc Add libtalloc-devel as spec file BuildRequire 2012-07-24 14:25:43 -04:00
Alexander Bokovoy
61b2f0a5d0 Follow change in samba4 beta4 for sid_check_is_domain to sid_check_is_our_sam
With c43505b621725c9a754f0ee98318d451b093f2ed in samba git master
the function sid_check_is_domain() was renamed to sid_check_is_our_sam().

https://fedorahosted.org/freeipa/ticket/2929
2012-07-18 16:56:04 +03:00
Martin Kosek
c20d4c71b8 Print ipa-ldap-updater errors during RPM upgrade
ipa-ldap-updater does a lot of essential LDAP changes and if it
fails, user may be surprised after the upgrade why things does not
work.

Modify ipa-ldap-updater to print ERROR logging messages by default
and modify RPM upgrade scriptlet to show these errors to user. Console
error messages are now formated in a more user-friendly way.

Information message stating that IPA is not configured and i.e. there
is nothing to be updated is not printer to stderr so that it does
not pop up for every freeipa-server package update when IPA is not
configured.

https://fedorahosted.org/freeipa/ticket/2892
2012-07-13 16:18:45 +02:00
Rob Crittenden
a4d2bcde33 Fix compatibility with Fedora 18.
We need a Requires on openssl, the mod_rewrite syntax has changed so
we can dump some unused configuration and we need a newer version of
mod_auth_kerb to pick up the new location of delegated ccache.

https://fedorahosted.org/freeipa/ticket/2839
2012-07-02 15:20:13 +02:00
Sumit Bose
bdb995194c Add range check preop plugin
To make sure that ID ranges do not overlap this plugin checks new
additions and changes for conflicts with existing ranges.

https://fedorahosted.org/freeipa/ticket/2185
2012-06-29 18:00:58 -04:00
Martin Kosek
302d5afe8b Add missing libsss_idmap Requires on freeipa-server-trust-ad 2012-06-28 13:48:45 +02:00
Sumit Bose
316aac5a8d Add external domain extop DS plugin
This extop can be used by clients of the IPA domain, e.g. sssd, to
retrieve data from trusted external domains. It can be used e.g. to map
Windows SIDs to user or groups names and back.
2012-06-28 13:08:26 +02:00
Sumit Bose
65ad261663 Add sidgen postop and task
A postop plugin is added to create the SID for new created users and
groups. A directory server task allows to set the SID for existing
users and groups.

Fixes https://fedorahosted.org/freeipa/ticket/2825
2012-06-28 08:02:05 +02:00
Rob Crittenden
f4d2f2a65b Configure automount using autofs or sssd.
This script edits nsswitch.conf to use either ldap (autofs) or
sss (sssd) to find automount maps.

NFSv4 services are started so Kerberos encryption and/or integrity can
be used on the maps.

https://fedorahosted.org/freeipa/ticket/1233
https://fedorahosted.org/freeipa/ticket/2193
2012-06-25 17:24:34 -04:00
Rob Crittenden
c9954878b8 Add logging to ipa-upgradeconfig
Log to the same file as ipa-ldap-updater --upgrade,
/var/log/ipaupgrade.log

Will output basic stauts information if executed from the command-line.

https://fedorahosted.org/freeipa/ticket/2696
2012-06-21 20:53:36 -04:00
Petr Vobornik
1eab43d292 Separate reset password page
This patch adds separate reset password page. It is a complement to separate login page. It differentiate from reset password capabilities in Web UI's anauthorized dialog by not performing login. This is useful for users who wants only to reset the password and not to use Web UI. And also for users who are using the separate login page.

https://fedorahosted.org/freeipa/ticket/2755
2012-06-21 12:46:59 +02:00
Ondrej Hamada
f298a20d27 Case sensitive renaming of objects
When renaming object its case sensitivity is obeyed. This was DS bug.
Unit tests were corrected and minimal DS version was updated in spec
file.

https://fedorahosted.org/freeipa/ticket/2620
2012-06-20 15:47:02 +02:00
Rob Crittenden
54135ecd9a Store session cookie in ccache for cli users
Try to use the URI /ipa/session/xml if there is a key in the kernel
keyring. If there is no cookie or it turns out to be invalid (expired,
whatever) then use the standard URI /ipa/xml. This in turn will create
a session that the user can then use later.

https://fedorahosted.org/freeipa/ticket/2331
2012-06-14 14:02:26 +02:00
Alexander Bokovoy
a5fcfc2c7e Move AD trust support code to freeipa-server-trust-ad subpackage
DCERPC code in AD trusts implementation depends on Samba 4 Python bindings.
Make this dependency optional for main freeipa-server package by moving
the dependency to freeipa-server-trust-ad subpackage.

Main interface to AD trusts (ipalib/plugins/trust.py) will still stay,
as well as LDIF files and updates as they are not causing real dependency.

https://fedorahosted.org/freeipa/ticket/2821
2012-06-13 12:05:03 +03:00
Martin Kosek
ce97d6f8e7 Enable persistent search by default
From IPA version 3.0, the persistent search is a preferred mechanism
to for DNS zone list management. It will be also a requirement for
several bind-dyndb-ldap features, like SOA serial automatic updates
or DNSSEC.

Make this mechanism default in ipa-server-install and ipa-dns-istall.

https://fedorahosted.org/freeipa/ticket/2524
2012-06-10 21:23:15 -04:00
Martin Kosek
c856fb6073 Add sysupgrade state file
When IPA package is being updated, some of the configuration files
are also updated. Sometimes it may be useful to store upgrade meta
information for next package upgrades. For example an information
that some config file was already updated and we don't want to
update it again if user purposedly reverted the change.

This patch adds a new StateFile in /var/lib/ipa/sysupgrade which
is capable of holding this information. New sysupgrade.py module
was created to provide simple API to access the upgrade state
information.
2012-06-10 21:23:10 -04:00
Petr Viktorin
cf72738b21 Add samba4-python to BuildRequires 2012-06-07 11:42:39 +02:00
Alexander Bokovoy
e3d171126f Add python-crypto to build requires for AD server-side code 2012-06-07 09:39:11 +02:00
Alexander Bokovoy
a7420c1e83 Add trust management for Active Directory trusts 2012-06-07 09:39:09 +02:00
Martin Kosek
f1ed123cad Replace DNS client based on acutil with python-dns
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
  but but rather C-like interface based on functions and
  structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
  authconfig and thus can break without notice

Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
  in installutils to make the whole DNS check simpler and
  less error-prone. Logging was improves for the remaining
  checks
- improved logging for ipa-client-install DNS discovery

https://fedorahosted.org/freeipa/ticket/2730
https://fedorahosted.org/freeipa/ticket/1837
2012-05-24 13:55:56 +02:00
Rob Crittenden
717bbcd2bf Configure certmonger to execute restart scripts on renewal.
certmonger now has the ability to execute a script when it renews a
certificate. This can be used to automatically restart servers so
the certificate doesn't expire in the running server.

https://fedorahosted.org/freeipa/ticket/2050
2012-04-10 01:08:41 -04:00
Rob Crittenden
7471ba2237 Return consistent value when hostcat and usercat is all.
We were returning '' for the first entry when hostcat and usercat were
set to all. All subsequent entries were padded with - which effectively
denied access.

This requires slapi-nis 0.40+

https://fedorahosted.org/freeipa/ticket/2192
2012-04-08 16:54:32 -04:00
Rob Crittenden
9bb1e6c03e Add requires on python-krbV to client subpackage
This is needed since ipa-client-install initializes the ipalib api.

https://fedorahosted.org/freeipa/ticket/2577
2012-03-28 08:53:01 +02:00
John Dennis
e2a3907726 Replace broken i18n shell test with Python test
We had been using shell scripts and sed to test our translations. But
trying to edit pot and po files with sed is nearly impossible because
the file format can vary significantly and the sed editing was failing
and gettext tools were complaining about our test strategy.  We had
been using a Python script (test_i18n.py) to perform the actual test
after using shell, sed, and gettext tools to create the files. There
is a Python library (polib) which can read/write/edit pot/po/mo files
(used internally by Transifex, our translation portal). The strategy
now is to do everything in Python (in test_i18n.py). This is easier,
more robust and allows us to do more things.

* add python-polib to BuildRequires

* Remove the logic for creating the test lang from Makefile.in and
  replace it with calls to test_i18n.py

* add argument parsing, usage, configuration parameters, etc. to
  test_i18n.py to make it easier to use and configurable.

* add function to generate a test po and mo file. It also
  writes the files and creates the test directory structure.

* Took the existing validate code and refactored it into validation
  function. It used to just pick one string and test it, now it
  iterates over all strings and all plural forms.

* Validate anonymous Python format substitutions in pot file

* added support for plural forms.

* Add pot po file validation for variable substitution

* In install/po subdir you can now do:
  $ make test
  $ make validate-pot
  $ make validate-po

* The options for running test_i18n.py are:

$ ./test_i18n.py --help
Usage:

test_i18n.py --test-gettext
test_i18n.py --create-test
test_i18n.py --validate-pot [pot_file1, ...]
test_i18n.py --validate-po po_file1 [po_file2, ...]

Options:
  -h, --help            show this help message and exit
  -s, --show-strings    show the offending string when an error is detected
  --pedantic            be aggressive when validating
  -v, --verbose         be informative
  --traceback           print the traceback when an exception occurs

  Operational Mode:
    You must select one these modes to run in

    -g, --test-gettext  create the test translation file(s) and exercise them
    -c, --create-test   create the test translation file(s)
    -P, --validate-pot  validate pot file(s)
    -p, --validate-po   validate po file(s)

  Run Time Parameters:
    These may be used to modify the run time defaults

    --test-lang=TEST_LANG
                        test po file uses this as it's basename (default=test)
    --lang=LANG         lang used for locale, MUST be a valid lang
                        (default=xh_ZA)
    --domain=DOMAIN     translation domain used during test (default=ipa)
    --locale=LOCALE     locale used during test (default=test_locale)
    --pot-file=POT_FILE
                        default pot file, used when validating pot file or
                        generating test po and mo files (default=ipa.pot)

https://fedorahosted.org/freeipa/ticket/2044
2012-03-26 20:29:26 -04:00
Rob Crittenden
00ce15b744 Set minimum version of 389-ds-base to 1.2.10.4-2 to fix upgrade issue
The IPA upgrade process was starting before 389-ds had upgraded the
database which caused corruption.

https://fedorahosted.org/freeipa/ticket/2541
2012-03-26 09:48:43 +02:00
Petr Viktorin
a4394e5e4a Add missing BuildRequires
Since our build process runs pylint, we need all Python dependencies
installed at RPM creation time.
This adds python-lxml and python-pyasn1 to BuildRequires.

https://fedorahosted.org/freeipa/ticket/2538
2012-03-26 09:38:08 +02:00
Rob Crittenden
8f71f42ef7 No longer shell escape the DM password when calling pkisilent.
pkisilent was modified to handle escaping characters itself in
BZ https://bugzilla.redhat.com/show_bug.cgi?id=769388

This removes the workaround from ticket 1636.

https://fedorahosted.org/freeipa/ticket/2529
2012-03-21 10:08:43 +01:00
Martin Kosek
9d0ef96c67 Allow port numbers for idnsForwarders
Let user enter custom ports for zone conditional forwarders or
global forwarders in dnsconfig. Ports can be specified in
a standard BIND format: IP_ADDRESS [port PORT]

https://fedorahosted.org/freeipa/ticket/2462
2012-03-20 15:37:53 +01:00
Petr Vobornik
2449b4d827 Fixed rpm build warning - extension.js listed twice
Building the ipa rpms returns this:
warning: File listed twice: /usr/share/ipa/ui/extension.js

This is because of a glob:
%{_usr}/share/ipa/ui/*.js

and then more specifically:
%config(noreplace) %{_usr}/share/ipa/ui/extension.js

https://fedorahosted.org/freeipa/ticket/2253
2012-03-19 18:38:46 +01:00
Rob Crittenden
8b2090fae6 Set minimum version of selinux-policy to pick up memcached fix
This package version adds a boolean, httpd_manage_ipa, that enables
the ipa_memcached service to work.

https://fedorahosted.org/freeipa/ticket/2433
2012-03-11 22:36:44 -04:00
Jan Cholasta
afad0775e1 Configure SSH features of SSSD in ipa-client-install.
OpenSSH server (sshd) is configured to fetch user authorized keys from
SSSD and OpenSSH client (ssh) is configured to use and trigger updates
of the SSSD-managed known hosts file.

This requires SSSD 1.8.0.
2012-03-01 18:42:56 -05:00
Petr Voborník
368c624a74 Forms based authentication UI
Support for forms based authentication was added to UI.

It consist of:

1) new login page
Page url is [ipa server]/ipa/ui/login.html

Page contains a login form. For authentication it sends ajax request at [ipa server]/session/json/login_password. If authentication is successfull page is redirected to [ipa server]/ipa/ui if it fails from whatever reason a message is shown.

2) new enhanced error dialog - authorization_dialog.

This dialog is displayed when user is not authorized to perform action - usually when ticket and session expires.
It is a standard error dialog which shows kerberos ticket related error message and newly offers (as a link) to use form based authentication. If user click on the link, the dialog content and buttons switch to login dialog which has same functionality as 'new login page'. User is able to return back to the error message by clicking on a back button.

login.html uses same css styles as migration page -> ipa-migration.css was merged into ipa.css.

https://fedorahosted.org/freeipa/ticket/2450
2012-03-02 11:04:33 +01:00
Petr Voborník
87901ed709 Added logout button
Logout button was added to Web UI.

Click on logout button executes session_logout command. If command succeeds or xhr stutus is 401 (unauthorized - already logged out) page is redirected to logout.html.

logout.html is a simple page with "You have been logged out" text and a link to return back to main page.

https://fedorahosted.org/freeipa/ticket/2363
2012-02-28 23:58:51 -05:00
John Dennis
9753fd4230 Tweak the session auth to reflect developer consensus.
* Increase the session ID from 48 random bits to 128.

* Implement the sesison_logout RPC command. It permits the UI to send
  a command that destroys the users credentials in the current
  session.

* Restores the original web URL's and their authentication
  protections. Adds a new URL for sessions /ipa/session/json. Restores
  the original Kerberos auth which was for /ipa and everything
  below. New /ipa/session/json URL is treated as an exception and
  turns all authenticaion off. Similar to how /ipa/ui is handled.

* Refactor the RPC handlers in rpcserver.py such that there is one
  handler per URL, specifically one handler per RPC and AuthMechanism
  combination.

* Reworked how the URL names are used to map a URL to a
  handler. Previously it only permitted one level in the URL path
  hierarchy. We now dispatch on more that one URL path component.

* Renames the api.Backend.session object to wsgi_dispatch. The use of
  the name session was historical and is now confusing since we've
  implemented sessions in a different location than the
  api.Backend.session object, which is really a WSGI dispatcher, hence
  the new name wsgi_dispatch.

* Bullet-proof the setting of the KRB5CCNAME environment
  variable. ldap2.connect already sets it via the create_context()
  call but just in case that's not called or not called early enough
  (we now have other things besides ldap which need the ccache) we
  explicitly set it early as soon as we know it.

* Rework how we test for credential validity and expiration. The
  previous code did not work with s4u2proxy because it assumed the
  existance of a TGT. Now we first try ldap credentials and if we
  can't find those fallback to the TGT. This logic was moved to the
  KRB5_CCache object, it's an imperfect location for it but it's the
  only location that makes sense at the moment given some of the
  current code limitations. The new methods are KRB5_CCache.valid()
  and KRB5_CCache.endtime().

* Add two new classes to session.py AuthManager and
  SessionAuthManager. Their purpose is to emit authication events to
  interested listeners. At the moment the logout event is the only
  event, but the framework should support other events as they arise.

* Add BuildRequires python-memcached to freeipa.spec.in

* Removed the marshaled_dispatch method, it was cruft, no longer
  referenced.

https://fedorahosted.org/freeipa/ticket/2362
2012-02-27 05:54:29 -05:00
Rob Crittenden
872047fa0e Add Requires to ipa-client on oddjob-mkhomedir
https://fedorahosted.org/freeipa/ticket/2337
2012-02-27 11:00:26 +01:00
Martin Kosek
1816643a43 Update schema for bind-dyndb-ldap
Add new attributes and objectclasses to support new features:
  - global bind-dyndb-ldap settings in LDAP
  - conditional per-zone forwarding
  - per-zone configuration of automatic PTR updates
  - AllowQuery and AllowTransfer ACIs

https://fedorahosted.org/freeipa/ticket/2215
https://fedorahosted.org/freeipa/ticket/2072
2012-02-24 09:40:36 +01:00
Rob Crittenden
915286fed2 Add Conflicts on mod_ssl because it interferes with mod_proxy and dogtag
We had this in v1 but removed it with v2 because we no longer used
TurboGears for the UI. Because we are now proxying requests to dogtag
we need to re-add this so that mod_ssl doesn't interfere with our
communication.

mod_ssl always blindly registers itself as the SSL provider for mod_proxy.
mod_nss will only register itself if mod_ssl hasn't already done so.

https://fedorahosted.org/freeipa/ticket/2177
2012-02-22 18:27:54 -05:00
Rob Crittenden
dc5592af1d Set min for 389-ds-base to 1.2.10.1-1 to fix install segfault, schema replication.
https://fedorahosted.org/freeipa/ticket/2118
2012-02-15 23:43:08 -05:00
Simo Sorce
2e2b0c13e2 Require krb5 1.10 2012-02-16 14:45:38 -05:00
Rob Crittenden
2da6d6e746 Don't set delegation flag in client, we're using S4U2Proxy now
A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.

Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.

https://fedorahosted.org/freeipa/ticket/1098
https://fedorahosted.org/freeipa/ticket/2246
2012-02-15 17:08:33 +01:00
Rob Crittenden
95b1848f19 Stop and uninstall ipa_kpasswd on upgrade, fix dbmodules in krb5.conf
The ipa_kpasswd service was deprecated in 2.2, replaced by kadmin. On
upgrade it will be left running by the previous installation, we need
to stop it and uninstall the service.

The dbmodules section needs to reflect that we're now using the new
IPA kdb backend instead of the standard MIT ldap backend.

https://fedorahosted.org/freeipa/ticket/2341
2012-02-15 15:19:32 +01:00
John Dennis
d1e0c1b606 Add ipa_memcached service
* Adds ipa_memcached SystemV initscript

* Adds ipa_memcached service file and tmpfiles.d/ipa.conf
  to recreate /var/run/ipa_memcached on reboot.

* Adds ipa_memcached config file

* Adds memcacheinstnace.py to manage ipa_memcaced as
  as SimpleService object.

* Updates the IPA service list to include ipa_memcached,
  at service positon 39, httpd is position 40

* Updates the spec file:
  - requires the memcached daemon and python client
  - installs service or initscripts depending on OS
  - installs config file
  - creates /var/run/ipa_memcached directory

* Modifies ipa-server-install to install ipa_memcached
2012-02-09 13:20:28 -06:00
Rob Crittenden
4dfec211f7 %ghost the UI files that we install/create on the fly
https://fedorahosted.org/freeipa/ticket/1764
2012-01-31 18:38:46 +01:00
Rob Crittenden
f3b606b627 Update and package ipa-upgradeconfig man page.
Require that the tool be run as root to avoid a permission-related
backtrace.

https://fedorahosted.org/freeipa/ticket/1758
2012-01-23 16:07:49 +01:00
Simo Sorce
86f908a0e4 slapi-plugins: use thread-safe ldap library 2012-01-13 19:07:47 +02:00
Rob Crittenden
c08296adff Configure s4u2proxy during installation.
This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX

Within that container we control which services are allowed to
delegate tickets for other services. Right now that is limited
from the IPA HTTP to ldap services.

Requires a version of mod_auth_kerb that supports s4u2proxy

https://fedorahosted.org/freeipa/ticket/1098
2012-01-10 22:39:26 -05:00
Alexander Bokovoy
d738b6e718 Fix dependency for samba4-devel package 2011-12-09 16:58:59 +02:00
Sumit Bose
edb6ed5007 Add ipasam samba passdb backend
https://fedorahosted.org/freeipa/ticket/1874
2011-12-06 08:29:53 -05:00
Simo Sorce
1039653a1b spec: We do not need krb5-server-ldap anymore
We now use our own ipa-kdb DAL driver
2011-11-29 09:29:42 -05:00
Rob Crittenden
2f4b3972a0 Add plugin framework to LDAP updates.
There are two reasons for the plugin framework:
1. To provide a way of doing manual/complex LDAP changes without having
   to keep extending ldapupdate.py (like we did with managed entries).
2. Allows for better control of restarts.

There are two types of plugins, preop and postop. A preop plugin runs
before any file-based updates are loaded. A postop plugin runs after
all file-based updates are applied.

A preop plugin may update LDAP directly or craft update entries to be
applied with the file-based updates.

Either a preop or postop plugin may attempt to restart the dirsrv instance.
The instance is only restartable if ipa-ldap-updater is being executed
as root. A warning is printed if a restart is requested for a non-root
user.

Plugins are not executed by default. This is so we can use ldapupdate
to apply simple updates in commands like ipa-nis-manage.

https://fedorahosted.org/freeipa/ticket/1789
https://fedorahosted.org/freeipa/ticket/1790
https://fedorahosted.org/freeipa/ticket/2032
2011-11-22 23:57:10 -05:00
Simo Sorce
710f435c20 Create skeleton CLDAP server as a DS plugin 2011-11-21 18:52:48 -05:00
Endi S. Dewata
20ad8fe1ba Removed develop.js.
The develop.js is no longer necessary because the code in it has
been merged into the main code.

An empty extension.js has been added to provide a place for UI
customization.

Ticket #2099
2011-11-14 16:47:10 -05:00
Simo Sorce
18537d55a7 Add support for generating PAC for AS requests for user principals 2011-11-07 14:25:07 -05:00
Endi S. Dewata
52981883ab Fixed inconsistent image names.
The images have been renamed to be more consistent and moved into
the "images" directory to mimic the original jQuery UI structure.

Ticket #1613
2011-10-27 14:05:12 +00:00
Endi S. Dewata
f168afbeb6 Removed HBAC deny rule warning.
The HBAC deny rule is no longer supported so it's no longer necessary
to show the warning.

Ticket #1444
2011-10-26 12:53:28 +00:00
Alexander Bokovoy
80b4220a05 Update spec file to use systemd on Fedora 16 and above 2011-10-24 15:11:04 +02:00
Rob Crittenden
da4b447bd0 Set min nvr of 389-ds-base to 1.2.10-0.4.a4 for limits fixes (740942, 742324) 2011-10-13 15:28:52 -04:00
Adam Young
ae65c01932 Force the upgrade of pki-setup when upgrading the RPMS 2011-10-09 23:36:36 -04:00
JR Aquino
1ac613fc18 25 Create Tool for Enabling/Disabling Managed Entry Plugins
Remove legacy ipa-host-net-manage
Add ipa-managed-entries tool
Add man page for ipa-managed-entries tool

https://fedorahosted.org/freeipa/ticket/1181
2011-09-21 09:22:13 +02:00
Rob Crittenden
80a4db80ba Change the Requires for the server and server-selinux for proper order
The server package needs to be installed before the server-selinux
package otherwise the SELinux contexts won't get set properly.

The (postun) is so you can continue to do yum erase freeipa-python
and it will pick up everything else.

https://fedorahosted.org/freeipa/ticket/1779
2011-09-15 23:41:56 -04:00
Sumit Bose
29a7a7e8ce Add ipa-adtrust-install utility
https://fedorahosted.org/freeipa/ticket/1619
2011-09-14 18:45:13 -04:00
Alexander Bokovoy
1362202653 Introduce platform-specific adaptation for services used by FreeIPA.
Refactor FreeIPA code to allow abstracting all calls to external processes and
dependencies on modification of system-wide configuration. A platform provider
would give its own implementation of those methods and FreeIPA would use it
based on what's built in packaging process.

https://fedorahosted.org/freeipa/ticket/1605
2011-09-13 11:25:58 +02:00
Martin Kosek
806a40846b Set bind and bind-dyndb-ldap min nvr
This is a soft dependency, min nvr version will only be required
when bind/bind-dyndb-ldap are installed.

https://fedorahosted.org/freeipa/ticket/1121
https://fedorahosted.org/freeipa/ticket/1573
2011-09-09 14:24:06 +02:00
Rob Crittenden
f59e8145fa Set min nvr of 389-ds-base to 1.2.9.7-1 for BZ 728605
https://fedorahosted.org/freeipa/ticket/1576
2011-08-30 20:46:59 -04:00
Adam Young
5ee93349f6 enable proxy for dogtag
Dogtag is going to be proxied through httpd.  To make this work, it has to support renegotiation of the SSL
connection.  This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to  renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since  httpd is not set up yet.

IPA needs to Request the certificate through a port that uses authentication.  On the Dogtag side, they provide an additional mapping for this:   /ca/eeca/ca as opposed tp /ca/ee/ca  just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334

add flag to pkicreate in order to enable using proxy.

add the proxy file in  /etc/http/conf.d/

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2011-08-29 17:54:49 -04:00
Rob Crittenden
3ef732d738 Set min nvr of pki-ca to 9.0.12 for fix in BZ 700505
https://fedorahosted.org/freeipa/ticket/1686
2011-08-28 20:56:18 -04:00
Simo Sorce
dfa944da24 daemons: Remove ipa_kpasswd
Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.
2011-08-26 08:26:08 -04:00
Simo Sorce
bac6f2dd13 ipa-kdb: Initial plugin skeleton 2011-08-26 08:24:49 -04:00
Jan Cholasta
9b0fa8debf Add subscription-manager dependency for RHEL.
ticket 1664
2011-08-23 00:27:30 -04:00
Martin Kosek
99e7b0c355 Update pki-ca version
Bump minimal pki-ca version in spec file to get fix for ipa
cert-request command.

https://fedorahosted.org/freeipa/ticket/1578
2011-08-12 08:52:23 +02:00
Martin Kosek
e2c8b9eee4 Update 389-ds-base version
Bump minimal 389-ds-base version in spec file to get in recent
Directory Server bug fixes.

https://fedorahosted.org/freeipa/ticket/1513
https://fedorahosted.org/freeipa/ticket/1525
https://fedorahosted.org/freeipa/ticket/1552
2011-08-11 22:08:05 +00:00
Martin Kosek
a1c690cc02 Fix client enrollment
Enable GSSAPI credentials delegation in xmlrpc-c/curl to fix client
enrollment. The unconditional GSSAPI was previously dropped from
curl because of CVE-2011-2192.

https://fedorahosted.org/freeipa/ticket/1452
2011-08-11 22:07:16 +00:00
Endi S. Dewata
bd2f4173b0 Fixed missing icons.
The Makefile.am and the spec file have been fixed to include all
icons in the install/ui folder.

Ticket #1559
2011-08-02 22:56:58 -04:00
Rob Crittenden
25d861dc01 Fix date order in changelog. 2011-07-28 18:53:25 -04:00
Alexander Bokovoy
dd296eec13 Add hbactest command. https://fedorahosted.org/freeipa/ticket/386
HBAC rules control who can access what services on what hosts and from where.
You can use HBAC to control which users or groups on a source host can
access a service, or group of services, on a target host.

Since applying HBAC rules implies use of a production environment,
this plugin aims to provide simulation of HBAC rules evaluation without
having access to the production environment.

 Test user coming from source host to a service on a named host against
 existing enabled rules.

 ipa hbactest --user= --srchost= --host= --service=
              [--rules=rules-list] [--nodetail] [--enabled] [--disabled]

 --user, --srchost, --host, and --service are mandatory, others are optional.

 If --rules is specified simulate enabling of the specified rules and test
 the login of the user using only these rules.

 If --enabled is specified, all enabled HBAC rules will be added to simulation

 If --disabled is specified, all disabled HBAC rules will be added to simulation

 If --nodetail is specified, do not return information about rules matched/not matched.

 If both --rules and --enabled are specified, apply simulation to --rules _and_
 all IPA enabled rules.

 If no --rules specified, simulation is run against all IPA enabled rules.

EXAMPLES:

    1. Use all enabled HBAC rules in IPA database to simulate:
    $ ipa  hbactest --user=a1a --srchost=foo --host=bar --service=ssh
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    2. Disable detailed summary of how rules were applied:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --nodetail
    --------------------
    Access granted: True
    --------------------

    3. Test explicitly specified HBAC rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: myrule

    4. Use all enabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --enabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      matched: allow_all

    5. Test all disabled HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: new-rule

    6. Test all disabled HBAC rules in IPA database + explicitly specified rules:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --rules=my-second-rule,myrule --disabled
    ---------------------
    Access granted: False
    ---------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule

    7. Test all (enabled and disabled) HBAC rules in IPA database:
    $ ipa hbactest --user=a1a --srchost=foo --host=bar --service=ssh --enabled --disabled
    --------------------
    Access granted: True
    --------------------
      notmatched: my-second-rule
      notmatched: my-third-rule
      notmatched: myrule
      notmatched: new-rule
      matched: allow_all

Only rules existing in IPA database are tested. They may be in enabled or
disabled disabled state.

Specifying them through --rules option explicitly enables them only in
simulation run.

Specifying non-existing rules will not grant access and report non-existing
rules in output.
2011-07-28 18:01:44 -04:00
Rob Crittenden
44b3521fad Set minimum version of pki-ca to 9.0.10 to pick up new ipa cert profile
The caIPAserviceCert.cfg was updated to set the client cert flag on
server certs we issue.

https://fedorahosted.org/freeipa/ticket/1434
2011-07-29 11:18:49 +02:00
Rob Crittenden
3fe36a63b6 Add an arch-specific Requires on cyrus-sasl-gssapi
If you had a 64-bit system and installed a 32-bit version of IPA then
ipa-getkeytab probably wouldn't work because yum wouldn't know to pull
in the 32-bit version of cyrus-sasl-gssapi.

https://fedorahosted.org/freeipa/ticket/1499
2011-07-24 19:58:03 -04:00
Endi S. Dewata
4ff959f55d Removed custom layouts using HTML templates.
The code for supporting custom layouts using HTML templates has been
removed. If it's needed again in the future the code can be restored.

Ticket #1501
2011-07-21 11:47:57 -04:00
Jan Cholasta
95901bbdb5 Update minimum required version of python-netaddr.
ticket 1288
2011-07-17 22:44:21 -04:00
Rob Crittenden
3fdca99c48 Create tool to manage dogtag replication agreements
For the most part the existing replication code worked with the
following exceptions:

- Added more port options
- It assumed that initial connections were done to an SSL port. Added
  ability to use startTLS
- It assumed that the name of the agreement was the same on both sides.
  In dogtag one is marked as master and one as clone. A new option is
  added, master, the determines which side we're working on or None
  if it isn't a dogtag agreement.
- Don't set the attribute exclude list on dogtag agreements
- dogtag doesn't set a schedule by default (which is actually recommended
  by 389-ds). This causes problems when doing a force-sync though so
  if one is done we set a schedule to run all the time. Otherwise the
  temporary schedule can't be removed (LDAP operations error).

https://fedorahosted.org/freeipa/ticket/1250
2011-07-17 22:16:32 -04:00
Adam Young
e4a444ba81 HBAC deny warning
shows dialog if there are any HBAC deny rules.  Dialog provides option to navigate to the HBAC page.  Deny rules have their rule type value show up in red.

Only shows up fro administrators, not for self service users.

https://fedorahosted.org/freeipa/ticket/1421
2011-07-06 21:52:00 +00:00