This allows for diagnose the output and error code of these operations.
Otherwise there is no way to infer their success or failure apart from
inspecting logs post-mortem.
https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
With the CoS templates now used to create additional password policies
per object type that are placed under the object subtrees, DAL driver
needs to search for the policies in the whole tree.
Individual policies referenced by the krbPwdPolicyReference attribute
are always searched by their full DN and with the base scope. However,
when KDC asks a DAL driver to return a password policy by name, we don't
have any specific base to search. The original code did search by the
realm subtree.
Fixes https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
CoS so no attributes are really added.
The default policies effectively disable any enforcement or lockout for hosts
and services. Since hosts and services use keytabs passwords enforcements
doesn't make much sense. Also the lockout policy could be used for easy and
cheap DoS.
https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Certificate profiles consist of an FreeIPA object, and a
corresponding Dogtag configuration object. When updating profile
configuration, changes to the Dogtag configuration are not properly
authorised, allowing unprivileged operators to modify (but not
create or delete) profiles. This could result in issuance of
certificates with fraudulent subject naming information, improper
key usage, or other badness.
Update certprofile-mod to ensure that the operator has permission to
modify FreeIPA certprofile objects before modifying the Dogtag
configuration.
https://fedorahosted.org/freeipa/ticket/6560
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In client plugins make sure the api_version is 'inherited' from server command
that is internally called. Otherwise the api_version is obtained from client
API instance. When calling server command from client command 'version' is
passed in options and it overrides the right one. Server then refuses to handle
such call.
https://fedorahosted.org/freeipa/ticket/6539
Reviewed-By: Martin Basti <mbasti@redhat.com>
There was missing default value for evaluator adapter.
In that case the adapter variable could be undefined and
it crashes on building adapter. Therefore it did not
evaluate all evaluators. That is the reason why 'Delete'
and 'Add' buttons were incorrectly shown.
Default value is now set to empty object.
https://fedorahosted.org/freeipa/ticket/6546
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Samba 4.5 does not allow to specify access mode for the keytab (FILE: or
WRFILE:) from external sources. Thus, change the defaults to a path
(implies FILE: prefix) while Samba Team fixes the code to allow the
access mode prefix for keytabs.
On upgrade we need to replace 'dedicated keytab file' value with the
path to the Samba keytab that FreeIPA maintains. Since the configuration
is stored in the Samba registry, we use net utility to manipulate the
configuration:
net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab
Fixes https://fedorahosted.org/freeipa/ticket/6551
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
'nsds5replicabinddngroupcheckinterval' attribute was not properly added
to 'o=ipaca' replica attribute during upgrade. The CA topology update
plugin should now add it to the entry if it exists.
https://fedorahosted.org/freeipa/ticket/6508
Reviewed-By: Martin Basti <mbasti@redhat.com>
Pre-3.3 masters do not support setting 'nsds5replicabinddngroup'
attribute on existing replica entry during setup of initial replication.
In this case UNWILLING_TO_PERFORM is returned. The code can interpret
this error as an indication of old master and fall back to just adding
its LDAP principal to entry's 'nsds5replicabinddn' attribute.
https://fedorahosted.org/freeipa/ticket/6532
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Instead of checking sysrestore status which leads to incorrect
evaluation of DNS configuration status during 4.2 -> 4.4 upgrade, look
into named.conf to see whther it was already modified by IPA installer.
https://fedorahosted.org/freeipa/ticket/6503
Reviewed-By: Martin Basti <mbasti@redhat.com>
