Packaging of sssd was changed and more sub-packages are build
from sssd.src.rpm. Especially python bindings and development packages
are already in sub-packages. As a result of this change the meta package
sssd can be removed from BuildRequires without any problem.
FreeIPA spec file contained build requirement for latest version of
sssd even though the latest sssd was not required for building
FreeIPA rpms. In many cases, it was sufficient just to change requirements
for FreeIPA packages instead of build requirements.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Dogtag 10.2.6-12 includes automatic upgrade from Tomcat 7 to Tomcat 8.
Otherwise FreeIPA is broken after upgrades. This affects Fedora 22 to
Fedora 23 upgrades.
https://bugzilla.redhat.com/show_bug.cgi?id=1274915
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Configure IPA so that topology plugin will manage also CA replication
agreements.
upgrades if CA is congigured:
- ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX
- ipaReplTopoManagedSuffix: o=ipaca is added to master entry
- binddngroup is added to o=ipaca replica entry
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The DNA plugin needed to be fixed to deal with replica binddn groups.
Version 1.3.4.4 is needed for that.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This change makes kdcproxy user creation consistent with DS and CA user
creation. Before, the user was created in the spec file, in %pre scriptlet
of freeipa-server.
https://fedorahosted.org/freeipa/ticket/5314
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Certain subcomponents of IPA, such as Dogtag, cannot function if
non-critical directories (such as log directories) have not been
stored in the backup.
This patch implements storage of selected empty directories,
while preserving attributes and SELinux context.
https://fedorahosted.org/freeipa/ticket/5297
Reviewed-By: Martin Basti <mbasti@redhat.com>
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.
- Removed Backend.krb and KRB5_CCache classes
They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
Using api.env.realm instead of krbV call
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.
https://fedorahosted.org/freeipa/ticket/5256
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
python-gssapi had a bug in exception handling that caused exceptions to be
shadowed by LookupError. The new version should fix the problem.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
kerberos library doesn't support Python 3 and probably never will.
python-gssapi library is Python 3 compatible.
https://fedorahosted.org/freeipa/ticket/5147
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
This patch removes the dependency on M2Crypto in favor for cryptography.
Cryptography is more strict about the key size and doesn't support
non-standard key sizes:
>>> from M2Crypto import RC4
>>> from ipaserver.dcerpc import arcfour_encrypt
>>> RC4.RC4(b'key').update(b'data')
'o\r@\x8c'
>>> arcfour_encrypt(b'key', b'data')
Traceback (most recent call last):
...
ValueError: Invalid key size (24) for RC4.
Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported:
>>> arcfour_encrypt(b'key12', b'data')
'\xcd\xf80d'
>>> RC4.RC4(b'key12').update(b'data')
'\xcd\xf80d'
http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4https://fedorahosted.org/freeipa/ticket/5148
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
There might be AVC denial between moving file and restoring context.
Using 'mv -Z' will solve this issue.
https://fedorahosted.org/freeipa/ticket/4923
Reviewed-By: David Kupka <dkupka@redhat.com>
The otptoken plugin is the only module in FreeIPA that uses Python's ssl
module instead of NSS. The patch replaces ssl with NSSConnection. It
uses the default NSS database to lookup trust anchors. NSSConnection
uses NSS for hostname matching. The package
python-backports-ssl_match_hostname is no longer required.
https://fedorahosted.org/freeipa/ticket/5068
Reviewed-By: Martin Basti <mbasti@redhat.com>
Introduce a ipaplatform/constants.py file to store platform related
constants, which are not paths.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
This allows us to automatically pull in package bind-pkcs11
and thus create upgrade path for on CentOS 7.1 -> 7.2.
IPA previously had no requires on BIND packages and these had to be
installed manually before first ipa-dns-install run.
We need to pull additional bind-pkcs11 package during RPM upgrade
so ipa-dns-install cannot help with this.
https://fedorahosted.org/freeipa/ticket/4058
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The home directory of the kdcproxy user is now properly owned by the
package and no longer created by useradd.
https://fedorahosted.org/freeipa/ticket/5135
Reviewed-By: Tomas Babej <tbabej@redhat.com>
A new SELinux policy allows communication between IPA framework running
under Apache with oddjobd-based services via DBus.
This communication is crucial for one-way trust support and also is required
for any out of band tools which may be executed by IPA framework.
Details of out of band communication and SELinux policy can be found in a bug
https://bugzilla.redhat.com/show_bug.cgi?id=1238165
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The directory was in the python subpackage, but that broke client-only
build. We don't want the directory to be installed on clients anyway,
since it is part of a server-side feature.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
One-way trust is the default now, use 'trust add --two-way ' to
force bidirectional trust
https://fedorahosted.org/freeipa/ticket/4959
In case of one-way trust we cannot authenticate using cross-realm TGT
against an AD DC. We have to use trusted domain object from within AD
domain and access to this object is limited to avoid compromising the whole
trust configuration.
Instead, IPA framework can call out to oddjob daemon and ask it to
run the script which can have access to the TDO object. This script
(com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal
to retrieve TDO object credentials from IPA LDAP if needed and then
authenticate against AD DCs using the TDO object credentials.
The script pulls the trust topology out of AD DCs and updates IPA LDAP
store. Then IPA framework can pick the updated data from the IPA LDAP
under normal access conditions.
Part of https://fedorahosted.org/freeipa/ticket/4546
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The vault plugin has been modified to support symmetric and asymmetric
vaults to provide additional security over the standard vault by
encrypting the data before it's sent to the server. The encryption
functionality is implemented using the python-cryptography library.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
New schema (for LDAP-based profiles) was introduced in Dogtag, but
Dogtag does not yet have a reliable method for upgrading its schema.
Use FreeIPA's schema update machinery to add the new attributeTypes
and objectClasses defined by Dogtag.
Also update the pki dependencies to 10.2.5, which provides the
schema update file.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Commit 9f049ca144 introduced dependency on
python-setuptools on line:
from pkg_resources import parse_version
This dependency is missing on minimal installation and then ipa-server-upgrade
fails on rpm install/upgrade.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use wildcards and DN matching in an ACI to allow a host
that binds using GSSAPI to add a service for itself.
Set required version of 389-ds-base to 1.3.4.0 GA.
https://fedorahosted.org/freeipa/ticket/4567
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.
- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
present.
- The installers and update create a new Apache config file
/etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
/KdcProxy. The app is run inside its own WSGI daemon group with
a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
/etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
so that an existing config is not used. SetEnv from Apache config does
not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
ipa-ldap-updater. No CLI script is offered yet.
https://www.freeipa.org/page/V4/KDC_Proxyhttps://fedorahosted.org/freeipa/ticket/4801
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Add a default service profile template as part of FreeIPA and format
and import it as part of installation or upgrade process.
Also remove the code that modifies the old (file-based)
`caIPAserviceCert' profile.
Fixes https://fedorahosted.org/freeipa/ticket/4002
Reviewed-By: Martin Basti <mbasti@redhat.com>
Install the Dogtag CA to use the LDAPProfileSubsystem instead of the
default (file-based) ProfileSubsystem.
Part of: https://fedorahosted.org/freeipa/ticket/4560
Reviewed-By: Martin Basti <mbasti@redhat.com>
Until ipa-server-install, ipa-replica-install and ipa-server-upgrade are merged
into a single code base, keep their respective bits in separate modules in the
package.
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: Martin Basti <mbasti@redhat.com>
When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same
time, they use common directory for storing Apache ccache file. Uninstallation
of 'mod_auth_kerb' removes this directory leading to invalid CCache path for
httpd and authentication failure.
Using an IPA-specific directory for credential storage during apache runtime
avoids this issue.
https://fedorahosted.org/freeipa/ticket/4973
Reviewed-By: David Kupka <dkupka@redhat.com>
Due previous changes (in master branch only) the uniqueness plugins
became misconfigured.
After this patch:
* whole $SUFFIX will be checked by unique plugins
* just staged users are exluded from check
This reverts some changes in commit
52b7101c11
Since 389-ds-base 1.3.4.a1 new attribute 'uniqueness-exclude-subtrees'
can be used.
https://fedorahosted.org/freeipa/ticket/4921
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
httpd service stores Kerberos credentials in kernel keyring which gets
destroyed and recreated during service install/upgrade, causing problems when
the process is run under SELinux context other than 'unconfined_t'. This patch
enables HTTPInstance to set up a dedicated CCache file for Apache to store
credentials.
https://fedorahosted.org/freeipa/ticket/4973
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
https://fedorahosted.org/freeipa/ticket/4190
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Python modules pysss and pysss_murmur was part of package sssd-common.
Fedora 22 tries to get rid of python2 and therefore these modules were
extracted from package sssd-common to separate packages python-sss and
python-sss-murmur and python3 version of packages python3-sss
python3-sss-murmur
git grep "pysss" | grep import
ipalib/plugins/trust.py: import pysss_murmur #pylint: disable=F0401
ipaserver/dcerpc.py:import pysss
ipaserver/dcerpc.py is pacakged in freeipa-server-trust-ad
palib/plugins/trust.py is packaged in freeipa-python
Resolves:
https://fedorahosted.org/freeipa/ticket/4929
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Added dbus-python dependency to freeipa-python. This should fix
https://fedorahosted.org/freeipa/ticket/4863 and also cover dbus-python
dependencies in other freeipa-* packages.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Drop support for pylint < 1.0
Enable ignoring unknown attributes on modules (both nose and pytest
use advanced techniques, support for which only made it to pylint
recently)
Fix some bugs revealed by pylint
Do minor refactoring or add pylint:disable directives where the
linter complains.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The plugin to run tests within a class in the order they're defined
in the source was split into a separate project.
Use this project instead of a FreeIPA-specific copy.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The core integration testing functionality was split into a separate
project. Use this project, and configure it for FreeIPA.
The "mh" (multihost) fixture is made available for integration tests.
Configuration based on environment variables is moved into a separate
module, to ease eventual deprecation.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Protocols are configured as an inclusive range from SSLv3 through
TLSv1.2. The allowed values in the range are ssl3, tls1.0,
tls1.1 and tls1.2.
This is overridable per client by setting tls_version_min and/or
tls_version_max.
https://fedorahosted.org/freeipa/ticket/4653
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The expiration date was always set to the expiration date of the original
certificate.
https://fedorahosted.org/freeipa/ticket/4717
Reviewed-By: David Kupka <dkupka@redhat.com>
Just adding dir to specfile doesnt work, because is not guarantee the
named is installed, during RPM installation.
Ticket: https://fedorahosted.org/freeipa/ticket/4716
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.
The KRA installer has been modified to use Dogtag's CLI to create
KRA agent and setup the client authentication.
The proxy settings have been updated to include KRA's URLs.
Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.
The Dogtag dependency has been updated to 10.2.1-0.1.
https://fedorahosted.org/freeipa/ticket/4503
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Gradually new arches which need a bigger stack size for web ui build appear. It's safer to increase the stack size for every architecture and avoid possible future issues.
Reason: build fail on armv7hl
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This plugin ensures that all counter/watermark operations are atomic
and never decrement. Also, deletion is not permitted.
Because this plugin also ensures internal operations behave properly,
this also gives ipa-pwd-extop the appropriate behavior for OTP
authentication.
https://fedorahosted.org/freeipa/ticket/4493https://fedorahosted.org/freeipa/ticket/4494
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Added a new option --external-ca-type which specifies the type of the
external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs"
is selected, the CSR generated for the IPA CA will include MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".
https://fedorahosted.org/freeipa/ticket/4496
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The file was used by previous versions of IPA to provide the IPA CA certificate
to p11-kit and has since been obsoleted by ipa.p11-kit, a file which contains
all the CA certificates and associated trust policy from the LDAP certificate
store.
Since p11-kit is hooked into /etc/httpd/alias, ipa-ca.crt must be removed to
prevent certificate import failures in installer code.
Also add ipa.p11-kit to the files owned by the freeipa-python package.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This is the new default NSS database for IPA.
/etc/pki/nssdb is still maintained for backward compatibility.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Required bugfix in python-ldap 2.4.15
Updates must respect SUP objectclasses/attributes and update
dependencies first
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
use configuration parameters to enable ciphers provided by NSS
and not considered weak.
This requires 389-ds version 1.3.3.2 or later
https://fedorahosted.org/freeipa/ticket/4395
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
This substantially reduces the FreeIPA dependencies and allows
QR codes to fit in a standard terminal.
https://fedorahosted.org/freeipa/ticket/4430
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be more stable and supported way of using cermonger than
tampering with its files.
>=certmonger-0.75.13 is needed for this to work.
https://fedorahosted.org/freeipa/ticket/4280
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This patch adds an explicit build dependency to
python-backports-ssl_match_hostname.
Without it, the build-time lint would fail.
https://fedorahosted.org/freeipa/ticket/4515
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Without python-backports-ssl_match_hostname installed, an ipa-client
installation could have failed with:
from backports.ssl_match_hostname import match_hostname
ImportError: No module named ssl_match_hostname
This patch adds an explicit dependency to
python-backports-ssl_match_hostname.
https://fedorahosted.org/freeipa/ticket/4515
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This patch adds the capability of installing a Dogtag KRA
to an IPA instance. With this patch, a KRA is NOT configured
by default when ipa-server-install is run. Rather, the command
ipa-kra-install must be executed on an instance on which a Dogtag
CA has already been configured.
The KRA shares the same tomcat instance and DS instance as the
Dogtag CA. Moreover, the same admin user/agent (and agent cert) can
be used for both subsystems. Certmonger is also confgured to
monitor the new subsystem certificates.
To create a clone KRA, simply execute ipa-kra-install <replica_file>
on a replica on which a Dogtag CA has already been replicated.
ipa-kra-install will use the security domain to detect whether the
system being installed is a replica, and will error out if a needed
replica file is not provided.
The install scripts have been refactored somewhat to minimize
duplication of code. A new base class dogtagintance.py has
been introduced containing code that is common to KRA and CA
installs. This will become very useful when we add more PKI
subsystems.
The KRA will install its database as a subtree of o=ipaca,
specifically o=ipakra,o=ipaca. This means that replication
agreements created to replicate CA data will also replicate KRA
data. No new replication agreements are required.
Added dogtag plugin for KRA. This is an initial commit providing
the basic vault functionality needed for vault. This plugin will
likely be modified as we create the code to call some of these
functions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3872
The uninstallation option in ipa-kra-install is temporarily disabled.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Requiring a specific version of Java leads to breakages, like the
one happening on nightly builds in Fedora Rawhide right now.
We should use the more generic 'java' BuildRequires instead of the
versioned one.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Without nsslapd-allow-hashed-passwords being turned on, user password
migration fails.
https://fedorahosted.org/freeipa/ticket/4450
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Theme package is contains resources for PKI web interface. This interface
is not needed by FreeIPA as it rather utilizes it's API. As recommended in
https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard
dependency.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Previous versions of libkrb5 can't handle expired passwords
inside the FAST tunnel. This breaks the password change UI
in FreeIPA.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
- Bump 389-ds-base requires to fix the deref call with new ACIs:
https://fedorahosted.org/freeipa/ticket/4389
- Bump bind-dyndb-ldap Conflicts to fetch the DNSSEC capability
- Bump selinux-policy to fix the CRL retrieval:
https://fedorahosted.org/freeipa/ticket/4369
- Remove conditionals for Fedora < 20 as FreeIPA 4.0 is not planned
to be released on these platforms.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The code has been moved to its own, separate repository at
git://git.fedorahosted.org/git/freeipa-foreman-smartproxy.git
Reviewed-By: Martin Kosek <mkosek@redhat.com>
standalone page for OTP token synchronization. It reuses SyncOTPScreen
widget instead of reimplementing the logic as in other standalone pages.
https://fedorahosted.org/freeipa/ticket/4218
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Current compiled Web UI layer (app.js) contains every FreeIPA plugin and
not just the UI framework. It's not possible to start just a simple facet.
This commit creates a basis for a layer (core.js) which contains only
framework code and not entity related code.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The newly created ipaplatform subdirectories base and fedora were
mentioned multiple times in the specfile, which produced build
warnings.
Part of: https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This patch adds support for importing tokens using RFC 6030 key container
files. This includes decryption support. For sysadmin sanity, any tokens
which fail to add will be written to the output file for examination. The
main use case here is where a small subset of a large set of tokens fails
to validate or add. Using the output file, the sysadmin can attempt to
recover these specific tokens.
This code is implemented as a server-side script. However, it doesn't
actually need to run on the server. This was done because importing is an
odd fit for the IPA command framework:
1. We need to write an output file.
2. The operation may be long-running (thousands of tokens).
3. Only admins need to perform this task and it only happens infrequently.
https://fedorahosted.org/freeipa/ticket/4261
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For each SAN in a request there must be a matching service entry writable by
the requestor. Users can request certificates with SAN only if they have
"Request Certificate With SubjectAltName" permission.
https://fedorahosted.org/freeipa/ticket/3977
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This will allow us to make vendors' lives easier by embedding a
vendor tag to installation logs.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4219
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Drop the logrotate file because Apache manages the logs
Drop the systemd configuration because we run in Apache
Import json_encode_binary from ipalib
Fix Requires
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
This currently server supports only host and hostgroup commands for
retrieving, adding and deleting entries.
The incoming requests are completely unauthenticated and by default
requests must be local.
Utilize GSS-Proxy to manage the TGT.
Configuration information is in the ipa-smartproxy man page.
Design: http://www.freeipa.org/page/V3/Smart_Proxyhttps://fedorahosted.org/freeipa/ticket/4128
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reimplementation of unauthorized dialog into separate widget. It uses RCUE
design.
New features compared to unauthorized dialog:
- reflects auth methods from `auth` module
- validation summary
- differentiates Kerberos auth failure with session expiration
- Caps Lock warning
- form based method doesn't allow password only submission
https://fedorahosted.org/freeipa/ticket/4017https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
389-ds-base 1.3.2.16 implements reordering of sub-plugins based on the
ordering of the main plugin. We need it to make OTP working over
compat tree.
selinux-polic 3.12.1-135 fixes issues which prevented httpd to work
with kernel keyring-based credentials caches.
This change is Fedora 20+.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
python-pyasn1 and python-qrcode were imported by ipalib but not
required by python subpackage.
https://fedorahosted.org/freeipa/ticket/4275
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
We use Java classes which are bundled with rhino when uglifying
Javascript sources at build-time, so we need rhino at build-time.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
This plugin prevents the deletion or deactivation of the last
valid token for a user. This prevents the user from migrating
back to single factor authentication once OTP has been enabled.
Thanks to Mark Reynolds for helping me with this patch.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
