When IPA server is configured with DNS and its hostname is not
located in a default domain, SRV records are not valid.
Additionally, httpd does not serve XMLRPC interface because it
IPA server domain-realm mapping is missing in krb5.conf. All CLI
commands were then failing.
This patch amends this configuration. It fixes SRV records in
served domain to include full FQDN instead of relative hostname
when the IPA server hostname is not located in served domain.
IPA server forward record is also placed to correct zone.
When IPA server is not in a served domain a proper domain-realm
mapping is configured to krb5.conf. The template was improved
in order to be able to hold this information.
https://fedorahosted.org/freeipa/ticket/2602
We were returning '' for the first entry when hostcat and usercat were
set to all. All subsequent entries were padded with - which effectively
denied access.
This requires slapi-nis 0.40+
https://fedorahosted.org/freeipa/ticket/2192
With a publicly accessible DNS tree in LDAP, anyone with an access
to the LDAP server can get all DNS data as with a zone transfer
which is already restricted with ACL. Making DNS tree not readable
to public is a common security practice and should be applied
in FreeIPA as well.
This patch adds a new deny rule to forbid access to DNS tree to
users or hosts without an appropriate permission or users which
are not members of admins group. The new permission/aci is
applied both for new installs and upgraded servers.
bind-dyndb-ldap plugin is allowed to read DNS tree without any
change because its principal is already a member of "DNS
Servers" privilege.
https://fedorahosted.org/freeipa/ticket/2569
New features in bind-dyndb-ldap and IPA DNS plugin pulled new
attributes and objectclasses. ACIs and permissions need to be
updated to allow users with appropriate permissions update
these attributes in LDAP.
This patch updates the ACI for DNS record updates and adds one
new permission to update global DNS configuration.
https://fedorahosted.org/freeipa/ticket/2510
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.
The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.
https://fedorahosted.org/freeipa/ticket/1314
We originally designed netgroups to use a special membership attribute,
memberNisNetgroup. We changed it at implementation time but never updated
the mapping.
https://fedorahosted.org/freeipa/ticket/2359
* Increase the session ID from 48 random bits to 128.
* Implement the sesison_logout RPC command. It permits the UI to send
a command that destroys the users credentials in the current
session.
* Restores the original web URL's and their authentication
protections. Adds a new URL for sessions /ipa/session/json. Restores
the original Kerberos auth which was for /ipa and everything
below. New /ipa/session/json URL is treated as an exception and
turns all authenticaion off. Similar to how /ipa/ui is handled.
* Refactor the RPC handlers in rpcserver.py such that there is one
handler per URL, specifically one handler per RPC and AuthMechanism
combination.
* Reworked how the URL names are used to map a URL to a
handler. Previously it only permitted one level in the URL path
hierarchy. We now dispatch on more that one URL path component.
* Renames the api.Backend.session object to wsgi_dispatch. The use of
the name session was historical and is now confusing since we've
implemented sessions in a different location than the
api.Backend.session object, which is really a WSGI dispatcher, hence
the new name wsgi_dispatch.
* Bullet-proof the setting of the KRB5CCNAME environment
variable. ldap2.connect already sets it via the create_context()
call but just in case that's not called or not called early enough
(we now have other things besides ldap which need the ccache) we
explicitly set it early as soon as we know it.
* Rework how we test for credential validity and expiration. The
previous code did not work with s4u2proxy because it assumed the
existance of a TGT. Now we first try ldap credentials and if we
can't find those fallback to the TGT. This logic was moved to the
KRB5_CCache object, it's an imperfect location for it but it's the
only location that makes sense at the moment given some of the
current code limitations. The new methods are KRB5_CCache.valid()
and KRB5_CCache.endtime().
* Add two new classes to session.py AuthManager and
SessionAuthManager. Their purpose is to emit authication events to
interested listeners. At the moment the logout event is the only
event, but the framework should support other events as they arise.
* Add BuildRequires python-memcached to freeipa.spec.in
* Removed the marshaled_dispatch method, it was cruft, no longer
referenced.
https://fedorahosted.org/freeipa/ticket/2362
Implement API for DNS global options supported in bind-dyndb-ldap.
Currently, global DNS option overrides any relevant option in
named.conf. Thus they are not filled by default they are left as
a possibility for a user.
Bool encoding had to be fixed so that Bool LDAP attribute can also
be deleted and not just set to True or False.
https://fedorahosted.org/freeipa/ticket/2216
The permission "Modify Group membership" is used to delegate group
management responsibilities. We don't want that to include managing
the admins group.
https://fedorahosted.org/freeipa/ticket/2416
https://fedorahosted.org/freeipa/ticket/2238
It doesn't make a lot of sense for ipausers to be a posix group and
we will save a few cycles in compat and sssd by making it non-posix.
This is for new installs only.
For some reason lost to history the sub_dict in dsinstance and
cainstance used FQHN instead of FQDN. This made upgrade scripts not
work reliably as the variable might be different depending on context.
Use FQDN universally instead.
A forwardable ticket is still required but we no longer need to send
the TGT to the IPA server. A new flag, --delegate, is available if
the old behavior is required.
Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up
needed patches for S4U2Proxy to work.
https://fedorahosted.org/freeipa/ticket/1098https://fedorahosted.org/freeipa/ticket/2246
This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX
Within that container we control which services are allowed to
delegate tickets for other services. Right now that is limited
from the IPA HTTP to ldap services.
Requires a version of mod_auth_kerb that supports s4u2proxy
https://fedorahosted.org/freeipa/ticket/1098
This will allow one to define what SELinux context a given user gets
on a given machine. A rule can contain a set of users and hosts or it
can point to an existing HBAC rule that defines them.
https://fedorahosted.org/freeipa/ticket/755
This resolves two issues:
1. The DNS acis lacked a prefix so weren't tied to permissions
2. The permissions were added before the privileges so the member
values weren't calculated properly
For updates we need to add in the members and recalculate memberof via
a DS task.
https://fedorahosted.org/freeipa/ticket/1898
The samba LDAP schema is updated to the lastest version available from the
samba source code to be able to use the new trust related object class and
attributes.
Repoint cn=Managed Entries,cn=plugins,cn=config in common_setup
Create: cn=Managed Entries,cn=etc,$SUFFIX
Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
Create method for dynamically migrating any and all custom Managed Entries
from the cn=config space into the new container.
Separate the connection creation during update so that a restart can
be performed to initialize changes before performing a delete.
Add wait_for_open_socket() method in installutils
https://fedorahosted.org/freeipa/ticket/1708
Integrate new bind-dyndb-ldap features to automatically track
DNS data changes:
1) Zone refresh
Set --zone-refresh in installation to define number of seconds
between bind-dyndb-ldap polls for new DNS zones. User now
doesn't have to restart name server when a new zone is added.
2) New zone notifications
Use LDAP persistent search mechanism to immediately get
notification when any new DNS zone is added. Use --zone-notif
install option to enable. This option is mutually exclusive
with Zone refresh.
To enable this functionality in existing IPA installations,
update a list of arguments for bind-dyndb-ldap in /etc/named.conf.
An example when zone refresh is disabled and DNS data change
notifications (argument psearch of bind-dyndb-ldap) are enabled:
dynamic-db "ipa" {
...
arg "zone_refresh 0";
arg "psearch yes";
};
This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.
https://fedorahosted.org/freeipa/ticket/826
Added new container in etc to hold the automembership configs.
Modified constants to point to the new container
Modified dsinstance to create the container
Created automember.py to add the new commands
Added xmlrpc test to verify functionality
Added minor fix to user.py for constant behavior between memberof
and automember
https://fedorahosted.org/freeipa/ticket/1272
This construct allows to have a group of ipaExternalMember attributes, that can
be nested in a normal ipa Group ('memberOf' is allowed).
It cannot contain normal ipa users/groups and cannot be nested with another
group of the same type ('member' is not allowed).
Use ipakdb instead of kldap and change install procedures accordingly
Note that we do not need to store the master key in a keytab as we can
read it off of ldap in our driver.
We need an indicator to see if a keytab has been set on host and
service entries. We also need a way to know if a one-time password is
set on a host.
This adds an ACI that grants search on userPassword and
krbPrincipalKey so we can do an existence search on them. This way
we can tell if the attribute is set and create a fake attribute
accordingly.
When a userPassword is set on a host a keytab is generated against
that password so we always set has_keytab to False if a password
exists. This is fine because when keytab gets generated for the
host the password is removed (hence one-time).
This adds has_keytab/has_password to the user, host and service plugins.
ticket https://fedorahosted.org/freeipa/ticket/1538
The default precedence for plugins is 50 and the run in more or less
alphabetical order (but not guaranteed). This plugin needs to run after
the others have already done their work.
https://fedorahosted.org/freeipa/ticket/1370
This fixes a regression.
We don't need to allow enrolledBy to be modified because it gets
written in the ipa_enrollment plugin which does internal operations
so bypasses acis.
https://fedorahosted.org/freeipa/ticket/302
There was no point in limiting autobind root to just search cn=config since
it could always just modify its way out of the box, so remove the
restriction.
The upgrade log wasn't being created. Clearing all other loggers before
we calling logging.basicConfig() fixes this.
Add a global exception when performing updates so we can gracefully catch
and log problems without leaving the server in a bad state.
https://fedorahosted.org/freeipa/ticket/1243https://fedorahosted.org/freeipa/ticket/1254
