mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00

Go to file

Christian Heimes 4911a3f055 Prevent local account takeover It was found that if an account was created with a name corresponding to an account local to a system, such as 'root', was created via IPA, such account could access any enrolled machine with that account, and the local system privileges. This also bypass the absence of explicit HBAC rules. root principal alias ------------------- The principal "root@REALM" is now a Kerberos principal alias for "admin". This prevent user with "User Administrator" role or "System: Add User" privilege to create an account with "root" principal name. Modified user permissions ------------------------- Several user permissions no longer apply to admin users and filter on posixaccount object class. This prevents user managers from modifying admin acounts. - System: Manage User Certificates - System: Manage User Principals - System: Manage User SSH Public Keys - System: Modify Users - System: Remove Users - System: Unlock user ``System: Unlock User`` is restricted because the permission also allow a user manager to lock an admin account. ``System: Modify Users`` is restricted to prevent user managers from changing login shell or notification channels (mail, mobile) of admin accounts. New user permission ------------------- - System: Change Admin User password The new permission allows manipulation of admin user password fields. By default only the ``PassSync Service`` privilege is allowed to modify admin user password fields. Modified group permissions -------------------------- Group permissions are now restricted as well. Group admins can no longer modify the admins group and are limited to groups with object class ``ipausergroup``. - System: Modify Groups - System: Remove Groups The permission ``System: Modify Group Membership`` was already limited. Notes ----- Admin users are mostly unaffected by the new restrictions, except for the fact that admins can no longer change krbPrincipalAlias of another admin or manipulate password fields directly. Commands like ``ipa passwd otheradmin`` still work, though. The ACI ``Admin can manage any entry`` allows admins to modify other entries and most attributes. Managed permissions don't install ``obj.permission_filter_objectclasses`` when ``ipapermtargetfilter`` is set. Group and user objects now have a ``permission_filter_objectclasses_string`` attribute that is used by new target filters. Misc changes ------------ Also add new exception AlreadyContainsValueError. BaseLDAPAddAttribute was raising a generic base class for LDAP execution errors. Fixes: https://pagure.io/freeipa/issue/8326 Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1810160 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>		2020-06-15 22:44:42 +03:00
.copr	Adding auto COPR builds	2019-12-14 14:20:34 +02:00
.github	Let GH auto-notify and auto-close stale PRs	2020-05-06 20:17:01 +02:00
asn1	fix minor spelling mistakes	2017-05-19 09:52:46 +02:00
client	Move ipa-epn systemd files and run RPM hooks	2020-06-11 17:27:31 +02:00
contrib	lite-server: Fix werkzeug deprecation warnings	2020-06-08 14:23:56 +02:00
daemons	libotp: Replace NSS with OpenSSL HMAC	2020-06-08 20:04:18 +03:00
doc	Add design page for managing IPA resources as a user from a trusted Active Directory forest	2020-06-08 12:39:34 -04:00
init	Move ipa-epn systemd files and run RPM hooks	2020-06-11 17:27:31 +02:00
install	Prevent local account takeover	2020-06-15 22:44:42 +03:00
ipaclient	IPA-EPN: Don't treat givenname differently	2020-06-10 11:22:58 -04:00
ipalib	Prevent local account takeover	2020-06-15 22:44:42 +03:00
ipaplatform	Overhaul bind upgrade process	2020-06-10 16:07:07 +02:00
ipapython	Explain the effect of OPT_X_TLS_PROTOCOL_MIN	2020-05-18 14:45:31 +02:00
ipaserver	Prevent local account takeover	2020-06-15 22:44:42 +03:00
ipasphinx	Create ipasphinx package for Sphinx plugins	2020-04-28 20:03:21 +02:00
ipatests	Prevent local account takeover	2020-06-15 22:44:42 +03:00
po	Update translation files	2020-06-10 22:27:31 +03:00
pypi	Cleanup shebang and executable bit	2018-07-05 19:46:42 +02:00
selinux	Fix various OpenDNSSEC 2.1 issues	2020-04-21 21:37:06 +02:00
util	util: replace NSS usage with OpenSSL	2020-06-08 12:54:19 +03:00
.freeipa-pr-ci.yaml	Making nigthly test definition editable by FreeIPA's contributors	2018-07-27 09:50:06 +02:00
.git-commit-template	git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org	2017-03-28 13:10:08 +02:00
.gitignore	Move ipa-epn systemd files and run RPM hooks	2020-06-11 17:27:31 +02:00
.lgtm.yml	WebUI: use python3-rjsmin to minify JavaScript files	2020-05-12 09:50:28 +02:00
.mailmap	Update mailmap	2019-04-24 09:47:31 +02:00
.tox-install.sh	Avoid use of '/tmp' for pip operations	2019-07-16 13:23:21 +03:00
.wheelconstraints.in	Use pylint 1.7.5 with fix for bad python3 import	2017-12-19 13:28:06 +01:00
ACI.txt	Prevent local account takeover	2020-06-15 22:44:42 +03:00
API.txt	Support adding user ID overrides as group and role members	2020-06-08 12:39:34 -04:00
autogen.sh	build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches	2010-11-29 11:39:55 -05:00
BUILD.txt	Bootstrap Sphinx documentation	2020-03-21 07:40:33 +02:00
CODE_OF_CONDUCT.md	Changing Django's CoC to reflect FreeIPA CoC	2018-03-26 09:51:25 +02:00
configure.ac	Move ipa-epn systemd files and run RPM hooks	2020-06-11 17:27:31 +02:00
Contributors.txt	update list of contributors	2020-06-10 22:28:56 +03:00
COPYING	Change FreeIPA license to GPLv3+	2010-12-20 17:19:53 -05:00
COPYING.openssl	Add a clear OpenSSL exception.	2015-02-23 16:25:54 +01:00
freeipa.doap.rdf	Adding modified DOAP file	2018-06-22 11:02:40 -04:00
freeipa.spec.in	Move ipa-epn systemd files and run RPM hooks	2020-06-11 17:27:31 +02:00
ipa.in	Replace PYTHONSHEBANG with valid shebang	2019-06-24 09:35:57 +02:00
ipasetup.py.in	Address inconsistent-return-statements	2018-11-13 13:37:58 +01:00
make-doc	Make an ipa-tests package	2013-06-17 19:22:50 +02:00
make-test	Use pytest conftest.py and drop pytest.ini	2017-01-05 17:37:02 +01:00
makeaci.in	Replace PYTHONSHEBANG with valid shebang	2019-06-24 09:35:57 +02:00
makeapi.in	Replace PYTHONSHEBANG with valid shebang	2019-06-24 09:35:57 +02:00
Makefile.am	Fix make devcheck	2020-05-06 09:13:32 +02:00
Makefile.python.am	Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb	2017-03-15 13:48:23 +01:00
Makefile.pythonscripts.am	ipa-scripts: fix all ipa command line scripts to operate with -I	2019-09-19 10:44:09 -04:00
makerpms.sh	Fix unnecessary usrmerge assumptions	2019-04-17 13:56:05 +02:00
pylint_plugins.py	Remove remains of unused config options	2020-06-02 09:39:42 +02:00
pylintrc	Address issues found by new pylint 2.5.0	2020-04-30 09:41:41 +02:00
README.md	README: Update link to freeipa-devel archive	2019-03-20 17:32:43 +01:00
server.m4	Move ipa-epn systemd files and run RPM hooks	2020-06-11 17:27:31 +02:00
tox.ini	Reconfigure pycodestyle	2020-05-05 10:42:46 +02:00
VERSION.m4	Support adding user ID overrides as group and role members	2020-06-08 12:39:34 -04:00

README.md

FreeIPA Server

FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based management tools.

FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization.

Benefits

FreeIPA:

Allows all your users to access all the machines with the same credentials and security settings
Allows users to access personal files transparently from any machine in an authenticated and secure way
Uses an advanced grouping mechanism to restrict network access to services and files only to specific users
Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
Enables delegation of selected administrative tasks to other power users
Integrates into Active Directory environments

Components

The FreeIPA project provides unified installation and management tools for the following components:

LDAP Server - based on the 389 project
KDC - based on MIT Kerberos implementation
PKI based on Dogtag project
Samba libraries for Active Directory integration
DNS Server based on BIND and the Bind-DynDB-LDAP plugin

Project Website

Releases, announcements and other information can be found on the IPA server project page at http://www.freeipa.org/ .

Documentation

The most up-to-date documentation can be found at http://freeipa.org/page/Documentation .

Quick Start

To get started quickly, start here: http://www.freeipa.org/page/Quick_Start_Guide

For developers

Building FreeIPA from source
- http://www.freeipa.org/page/Build
- See the BUILD.txt file in the source root directory

Licensing

Please see the file called COPYING.

Contacts

If you want to be informed about new code releases, bug fixes, security fixes, general news and information about the IPA server subscribe to the freeipa-announce mailing list at https://www.redhat.com/mailman/listinfo/freeipa-interest/ .
If you have a bug report please submit it at: https://pagure.io/freeipa/issues
If you want to participate in actively developing IPA please subscribe to the freeipa-devel mailing list at https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/ or join us in IRC at irc://irc.freenode.net/freeipa