Show warning messages if DNSSEC validation is failing for particular FW
zone or if the specified forwarders do not work
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Validation now provides more detailed information and less false
positives failures.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Implement the caacl commands, which are used to indicate which
principals may be issued certificates from which (sub-)CAs, using
which profiles.
At this commit, and until sub-CAs are implemented, all rules refer
to the top-level CA (represented as ".") and no ca-ref argument is
exposed.
Also, during install and upgrade add a default CA ACL that permits
certificate issuance for all hosts and services using the profile
'caIPAserviceCert' on the top-level CA.
Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Martin Basti <mbasti@redhat.com>
Admins should not modify topology suffices. They are created on
install/upgrade.
part of: https://fedorahosted.org/freeipa/ticket/4997
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
These entries were not added on upgrade from old IPA servers and on replica
creation.
https://fedorahosted.org/freeipa/ticket/4302
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Use state in LDAP rather than local state to check if KRA is installed.
Use correct log file names.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: David Kupka <dkupka@redhat.com>
The ipa-pki-proxy.conf has been modified to optionally require
client certificate authentication for PKI REST services as it's
done in standalone PKI to allow the proper KRA installation.
https://fedorahosted.org/freeipa/ticket/5058
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The attribute mentioned was using an older name that was later changed
in the implementation.
Also add a prominent warning about the use of the kadmin flags.
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
New commands have been added to archive and retrieve
data into and from a vault, also to retrieve the
transport certificate.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Adds a new option to command ipa migrate-ds, --scope=[base,onelevel,subtree]
which allows the user to specify LDAP search depth for users and groups.
'onelevel' was the hard-coded level before this patch and is still
default. Specify 'subtree' to search nested OUs for users and groups.
https://fedorahosted.org/freeipa/ticket/2547
Reviewed-By: Martin Basti <mbasti@redhat.com>
Automatic login attempt is initiated by first failed xhr request which
happens in metadata phase.
New phase was added before metadata phase. It interrupts UI load and shows
login page if it's directly after logout(marked in session storage).
Successfull manual login resolves the phase so that metadata phase can
follow.
https://fedorahosted.org/freeipa/ticket/5008
Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa-replica-install --setup-ca is failing because the security
domain login attempts password authentication, but the current
ipa-pki-proxy requires certificate authentication.
Set NSSVerifyClient optional to allow both certificate and password
authentication to work.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Currently, IPA certificate profile import happens at end of install.
Certificates issuance during the install process does work but uses
an un-customised caIPAserviceCert profile, resulting in incorrect
subject DNs and missing extensions. Furthermore, the
caIPAserviceCert profile shipped with Dogtag will eventually be
removed.
Move the import of included certificate profiles to the end of the
cainstance deployment phase, prior to the issuance of DS and HTTP
certificates.
Part of: https://fedorahosted.org/freeipa/ticket/4002
Reviewed-By: Martin Basti <mbasti@redhat.com>
Profile management patches introduced a regression where a custom
certificate subject base (if configured) is not used in the default
profile. Use the configured subject base.
Part of: https://fedorahosted.org/freeipa/ticket/4002
Reviewed-By: Martin Basti <mbasti@redhat.com>
Implements a base class to help test LDAP based plugins.
The class has been decoupled from the original host plugin test
and moved to separate module ipatests.test_xmlrpc.ldaptracker.
https://fedorahosted.org/freeipa/ticket/5032
Reviewed-By: David Kupka <dkupka@redhat.com>
when a server is removed from the topology the plugin tries to remove the
credentials from the replica and the bind dn group.
It performs an internal search for the ldap principal, but can fail if it was already removed
Due to an unitialized variable in this case it can eitehr crash or erroneously remove all
principals.
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Add the profile_id parameter to the 'request_certificate' function
and update call sites.
Also remove multiple occurrences of the default profile ID
'caIPAserviceCert'.
Part of: https://fedorahosted.org/freeipa/ticket/57
Reviewed-By: Martin Basti <mbasti@redhat.com>
There exist methods to split user or service/host principals, but
there is no method to split any kind of principal and allow the
caller to decide what to do.
Generalize ``ipalib.plugins.service.split_principal`` to return a
service of ``None`` if the principal is a user principal, rename it
``split_any_principal`` and reimplement ``split_principal`` to
preserve existing behaviour.
Part of: https://fedorahosted.org/freeipa/ticket/4938
Reviewed-By: Martin Basti <mbasti@redhat.com>
