mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00

Go to file

Rob Crittenden 8c241869dd Don't always override the port in import_included_profiles

I can only guess to the original purpose of this override. I
believe it was because this is called in the installer prior
to Apache being set up. The expectation was that this would
only be called locally. It predates the RestClient class.

RestClient will attempt to find an available service. In this
case, during a CA installation, the local server is not
considered available because it lacks an entry in
cn=masters. So it will never be returned as an option.

So by overriding the port to 8443 the remote connection will
likely fail because we don't require that the port be open.

So instead, instantiate a RestClient and see what happens.

There are several use-cases:

1. Installing an initial server. The RestClient connection
   should fail, so we will fall back to the override port and
   use the local server. If Apache happens to be running with
   a globally-issued certificate then the RestClient will
   succeed. In this case if the connected host and the local
   hostname are the same, override in that case as well.

2. Installing as a replica. In this case the local server should
   be ignored in all cases and a remote CA will be picked with
   no override done.

3. Switching from CA-less to CA-ful. The web server will be
   trusted but the RestClient login will fail with a 404. Fall
   back to the override port in this case.

The motivation for this is trying to install an EL 8.x replica
against an EL 7.9 server. 8.5+ includes the ACME service and
a new profile is needed which doesn't exist in 7. This was
failing because the RestClient determined that the local server
wasn't running a CA so tried the remote one (7.9) on the override
port 8443. Since this port isn't open: failure.

Chances are that adding the profile is still going to fail
because again, 7.9 lacks ACME capabilities, but it will fail in
a way that allows the installation to continue.

I suspect that all of the overrides can similarly handled, or
handled directly within the RestClient class, but for the sake
of "do no harm" I'm only changing this instance for now.

https://pagure.io/freeipa/issue/9100

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

2022-02-03 13:36:18 -05:00

.copr

Adding auto COPR builds

2019-12-14 14:20:34 +02:00

.github

Let GH auto-notify and auto-close stale PRs

2020-05-06 20:17:01 +02:00

asn1

fix minor spelling mistakes

2017-05-19 09:52:46 +02:00

client

Fix use of comparison functions to avoid GCC bug 95189

2021-11-23 10:31:34 +01:00

contrib

Parse the debugging cache log to determine the read savings

2021-05-12 10:45:57 -04:00

daemons

ipa-kdb: do not remove keys for hardened auth-enabled users

2022-02-02 15:42:45 +01:00

doc

doc/designs: fix formatting in LDAPI autobind design

2021-11-02 15:38:05 +02:00

init

configure: Use HTTPD_GROUP in init/tmpfiles/ipa.conf.in

2021-11-25 21:02:56 -05:00

install

ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus

2022-01-31 18:14:22 -05:00

ipaclient

Make the schema cache TTL user-configurable

2021-11-03 10:59:10 +01:00

ipalib

Make the schema cache TTL user-configurable

2021-11-03 10:59:10 +01:00

ipaplatform

ipaplatform: Modify paths to fips-mode-setup and systemd-tmpfiles

2021-11-25 21:02:56 -05:00

ipapython

Don't store entries with a usercertificate in the LDAP cache

2021-09-16 13:16:17 -04:00

ipaserver

Don't always override the port in import_included_profiles

2022-02-03 13:36:18 -05:00

ipasphinx

Create ipasphinx package for Sphinx plugins

2020-04-28 20:03:21 +02:00

ipatests

ipatests: add case for hardened-only ticket policy

2022-02-02 15:42:45 +01:00

Update translations to FreeIPA master state

2021-11-25 18:58:57 +01:00

pypi

Cleanup shebang and executable bit

2018-07-05 19:46:42 +02:00

selinux

ipa config: add --enable-sid option

2021-11-02 10:11:28 +01:00

util

ipa_pwd: Remove unnecessary conditional

2021-01-15 10:01:28 +01:00

.freeipa-pr-ci.yaml

ipatests: revert wrong commit on gating definition

2021-11-02 11:40:25 +01:00

.git-commit-template

git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org

2017-03-28 13:10:08 +02:00

.gitignore

Add basic support for subordinate user/group ids

2021-07-09 09:47:30 -04:00

.lgtm.yml

Fix lgtm file classification

2021-03-08 08:31:41 +01:00

.mailmap

mailmap: add ftweedal

2020-11-11 14:08:35 +02:00

.tox-install.sh

azure: Don't customize pip's builddir

2021-10-21 08:03:03 +02:00

.wheelconstraints.in

Constrain pylint to supported versions

2021-05-03 09:16:14 +02:00

ACI.txt

Redesign subid feature

2021-07-09 09:47:30 -04:00

API.txt

automember default group: remove --desc parameter

2022-01-13 14:12:49 -05:00

autogen.sh

build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches

2010-11-29 11:39:55 -05:00

BUILD.txt

Bootstrap Sphinx documentation

2020-03-21 07:40:33 +02:00

CODE_OF_CONDUCT.md

Changing Django's CoC to reflect FreeIPA CoC

2018-03-26 09:51:25 +02:00

configure.ac

ipa-kdb: refactor KDB driver to prepare for KDB version 9

2022-01-24 17:38:24 -05:00

Contributors.txt

Update list of contributors

2021-11-25 19:12:45 +01:00

COPYING

Change FreeIPA license to GPLv3+

2010-12-20 17:19:53 -05:00

COPYING.openssl

Add a clear OpenSSL exception.

2015-02-23 16:25:54 +01:00

freeipa.doap.rdf

Adding modified DOAP file

2018-06-22 11:02:40 -04:00

freeipa.spec.in

freeipa.spec: depend on bind-dnssec-utils

2021-11-25 16:49:00 +01:00

ipa.in

Replace PYTHONSHEBANG with valid shebang

2019-06-24 09:35:57 +02:00

ipasetup.py.in

Address inconsistent-return-statements

2018-11-13 13:37:58 +01:00

make-doc

Make an ipa-tests package

2013-06-17 19:22:50 +02:00

make-test

Use pytest conftest.py and drop pytest.ini

2017-01-05 17:37:02 +01:00

makeaci.in

Replace PYTHONSHEBANG with valid shebang

2019-06-24 09:35:57 +02:00

makeapi.in

Replace PYTHONSHEBANG with valid shebang

2019-06-24 09:35:57 +02:00

Makefile.am

pycodestyle: Check *.in Python files

2021-08-24 16:49:10 +02:00

Makefile.python.am

Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb

2017-03-15 13:48:23 +01:00

Makefile.pythonscripts.am

ipa-scripts: fix all ipa command line scripts to operate with -I

2019-09-19 10:44:09 -04:00

makerpms.sh

Fix unnecessary usrmerge assumptions

2019-04-17 13:56:05 +02:00

pylint_plugins.py

pylint: Adapt to new Pylint 2.8

2021-04-27 13:28:42 +02:00

pylintrc

pylint: Adapt to new Pylint 2.8

2021-04-27 13:28:42 +02:00

README.md

Update IRC links to point to Libera.chat

2021-05-27 18:26:28 +03:00

server.m4

ipa-kdb: refactor KDB driver to prepare for KDB version 9

2022-01-24 17:38:24 -05:00

tox.ini

azure: Don't customize pip's builddir

2021-10-21 08:03:03 +02:00

VERSION.m4

ipa config: add --enable-sid option

2021-11-02 10:11:28 +01:00

README.md

FreeIPA Server

FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based management tools.

FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization.

Benefits

FreeIPA:

Allows all your users to access all the machines with the same credentials and security settings
Allows users to access personal files transparently from any machine in an authenticated and secure way
Uses an advanced grouping mechanism to restrict network access to services and files only to specific users
Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
Enables delegation of selected administrative tasks to other power users
Integrates into Active Directory environments

Components

The FreeIPA project provides unified installation and management tools for the following components:

LDAP Server - based on the 389 project
KDC - based on MIT Kerberos implementation
PKI based on Dogtag project
Samba libraries for Active Directory integration
DNS Server based on BIND and the Bind-DynDB-LDAP plugin

Project Website

Releases, announcements and other information can be found on the IPA server project page at http://www.freeipa.org/ .

Documentation

The most up-to-date documentation can be found at http://freeipa.org/page/Documentation .

Quick Start

To get started quickly, start here: http://www.freeipa.org/page/Quick_Start_Guide

For developers

Building FreeIPA from source
- http://www.freeipa.org/page/Build
- See the BUILD.txt file in the source root directory

Licensing

Please see the file called COPYING.

Contacts

If you want to be informed about new code releases, bug fixes, security fixes, general news and information about the IPA server subscribe to the freeipa-announce mailing list at https://www.redhat.com/mailman/listinfo/freeipa-interest/ .
If you have a bug report please submit it at: https://pagure.io/freeipa/issues
If you want to participate in actively developing IPA please subscribe to the freeipa-devel mailing list at https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/ or join us in IRC at irc://irc.libera.chat/freeipa

Languages

Python 75.7%

JavaScript 10.9%

C 10.8%

Roff 1.1%

Makefile 0.4%

Other 1.1%