IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
11,889 Commits 11 Branches 60 Tags 60 MiB
Python 75.7%
JavaScript 10.9%
C 10.8%
Roff 1.1%
Makefile 0.4%
Other 1.1%
73f61ce214
Go to file
Sumit Bose 73f61ce214 ipa-kdb: update trust information in all workers 
Currently there is already code to make sure that after trust is established an
AS-REQ of the local HTTP principal causes a refresh of the internal structures
holding the information about the trusted domains.

But this refreshes only the data of the current krb5kdc worker process on the
local host. Other workers and the KDCs on other hosts will update the data
eventually when a request with a principal from a trusted realm is handled.

During this phase, which might last quite long if remote principals are only
handled rarely, TGTs for local principals might or might not contain a PAC
because the decision if a PAC should be added or not is based on the
information about trusted domains. Since the PAC is needed to access services
on the AD side this access might fail intermittently depending which worker
process on which host is handling the request. This might e.g. affect SSSD
running on the IPA server with two-way trust.

To fix this this patch calls ipadb_reinit_mspac() whenever a PAC is needed but
without the 'force' flag so that the refresh will only happen if it wasn't
called recently (currently not more often than once a minute).

An alternative might be to do the refresh only when processing cross-realm TGT
requests. But this would be already too late because the local principal asking
for a cross-realm ticket would not have a PAC and hence the first attempt will
still fail due to the missing PAC. And injecting the PAC in the cross-realm TGT
while there is none in the requesting ticket does not sound right.

Related to https://pagure.io/freeipa/issue/7351

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2018-02-08 18:46:47 +01:00
asn1 fix minor spelling mistakes 2017-05-19 09:52:46 +02:00
client Replace hard-coded paths with path constants 2018-02-08 09:32:12 +01:00
contrib logging: do not reference loggers in arguments and attributes 2017-07-14 15:55:59 +02:00
daemons ipa-kdb: update trust information in all workers 2018-02-08 18:46:47 +01:00
doc logging: do not reference loggers in arguments and attributes 2017-07-14 15:55:59 +02:00
init Move tmpfiles.d configuration handling back to spec file 2017-08-30 13:05:23 +02:00
install Replace hard-coded paths with path constants 2018-02-08 09:32:12 +01:00
ipaclient Replace hard-coded paths with path constants 2018-02-08 09:32:12 +01:00
ipalib Improve warning message for malformed certificates 2018-02-06 11:42:34 +01:00
ipaplatform Replace hard-coded paths with path constants 2018-02-08 09:32:12 +01:00
ipapython Replace hard-coded paths with path constants 2018-02-08 09:32:12 +01:00
ipaserver Restart named-pkcs11 after KRA installation 2018-02-08 16:58:13 +01:00
ipatests Fix detection of KRA installation so upgrades can succeed 2018-02-08 09:39:18 +01:00
po fix minor spelling mistakes 2017-05-19 09:52:46 +02:00
pypi Use namespace-aware meta importer for ipaplatform 2017-11-15 14:17:24 +01:00
util C compilation fixes and hardening 2017-03-01 10:38:01 +01:00
.freeipa-pr-ci.yaml prci: run full external_ca test suite 2018-01-09 10:17:01 +01:00
.git-commit-template git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org 2017-03-28 13:10:08 +02:00
.gitignore Include npm related files into Makefile and .gitignore 2017-12-14 18:57:37 +01:00
.mailmap Update Contributors.txt 2017-02-23 10:16:44 +01:00
.test_runner_config_py3_temp.yaml travis-ci: collect logs from cmocka tests 2017-11-29 15:55:00 +02:00
.test_runner_config.yaml Edit TravisCI conf files to run WebUI unit tests 2017-12-14 18:57:37 +01:00
.tox-install.sh tox testing support for client wheel packages 2017-04-12 16:53:22 +02:00
.travis_run_task.sh Run tox tests for PyPI packages on Travis 2017-11-20 17:01:59 +01:00
.travis.yml Edit TravisCI conf files to run WebUI unit tests 2017-12-14 18:57:37 +01:00
.wheelconstraints.in Use pylint 1.7.5 with fix for bad python3 import 2017-12-19 13:28:06 +01:00
ACI.txt Add --password-expiration to allow admin to force user password expiration 2017-03-31 12:19:40 +02:00
API.txt parameters: introduce CertificateSigningRequest 2017-10-25 09:44:37 +02:00
autogen.sh build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches 2010-11-29 11:39:55 -05:00
BUILD.txt Add make targets for fast linting and testing 2017-12-11 20:40:06 +01:00
configure.ac Add make targets for fast linting and testing 2017-12-11 20:40:06 +01:00
Contributors.txt Contributors.txt: update 2017-09-01 14:38:37 +02:00
COPYING Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
COPYING.openssl Add a clear OpenSSL exception. 2015-02-23 16:25:54 +01:00
freeipa.spec.in Bump python-ldap version to fix syncrepl bug 2018-02-08 09:30:29 +01:00
ipa Use entry_points for ipa CLI 2017-04-11 13:29:50 +02:00
ipasetup.py.in Add python_requires to Python package metadata 2017-12-11 15:32:45 +01:00
make-doc Make an ipa-tests package 2013-06-17 19:22:50 +02:00
make-test Use pytest conftest.py and drop pytest.ini 2017-01-05 17:37:02 +01:00
makeaci LGTM: Use of exit() or quit() 2018-01-09 07:53:28 +01:00
makeapi Remove ignore_import_errors 2017-11-15 11:06:53 +01:00
Makefile.am Make fastlint even faster 2018-01-08 09:52:49 +01:00
Makefile.python.am Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb 2017-03-15 13:48:23 +01:00
makerpms.sh makerpms.sh: make git checkout optional 2017-08-18 11:46:13 +02:00
pylint_plugins.py Documenting kinit_lifetime in /etc/ipa/default.conf 2018-01-12 20:33:20 +01:00
pylintrc LGTM: Name unused variable in loop 2018-01-09 07:53:28 +01:00
README.md README: Fix trailing whitespace 2017-07-21 09:47:36 +02:00
server.m4 ipa-extdom-extop: refactor nsswitch operations 2017-11-30 11:38:03 +02:00
tox.ini Slim down dependencies 2017-05-09 17:17:29 +02:00
VERSION.m4 Add make targets for fast linting and testing 2017-12-11 20:40:06 +01:00
zanata.xml Zanata: exlude testing ipa.pot file 2016-11-21 14:47:47 +01:00

README.md

FreeIPA Server

FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based managment tools.

FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization.

Benefits

FreeIPA:

  • Allows all your users to access all the machines with the same credentials and security settings
  • Allows users to access personal files transparently from any machine in an authenticated and secure way
  • Uses an advanced grouping mechanism to restrict network access to services and files only to specific users
  • Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
  • Enables delegation of selected administrative tasks to other power users
  • Integrates into Active Directory environments

Components

The FreeIPA project provides unified installation and management tools for the following components:

Project Website

Releases, announcements and other information can be found on the IPA server project page at http://www.freeipa.org/ .

Documentation

The most up-to-date documentation can be found at http://freeipa.org/page/Documentation .

Quick Start

To get started quickly, start here: http://www.freeipa.org/page/Quick_Start_Guide

For developers

Licensing

Please see the file called COPYING.

Contacts