IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-11 00:31:56 -06:00
Code Issues Packages Projects Releases Wiki Activity
15,414 Commits 11 Branches 59 Tags 60 MiB
Python 75.7%
JavaScript 10.9%
C 10.8%
Roff 1.1%
Makefile 0.4%
Other 1.1%
93548f2569
Go to file
Francisco Trivino 93548f2569 Vault: fix interoperability issues with older RHEL systems 
AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets.
This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but
setting AES as default ended-up breaking backwards compatibility with older RHEL systems.

This commit is tuning some defaults so that interoperability with older RHEL systems
works again. The new logic reflects:

- when an old client is calling a new server, it doesn't send any value for wrapping_algo
  and the old value is used (3DES), so that the client can decrypt using 3DES.

- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC

- when a new client is calling an old server, it doesn't send any value and the default is
  to use 3DES.

Finally, as this logic is able to handle overlapping wrapping algorithm between server and
client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa
vault-retrieve --help" commands.

Fixes: https://pagure.io/freeipa/issue/9259
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-21 10:41:10 -05:00
.copr Adding auto COPR builds 2019-12-14 14:20:34 +02:00
.github Let GH auto-notify and auto-close stale PRs 2020-05-06 20:17:01 +02:00
asn1 fix minor spelling mistakes 2017-05-19 09:52:46 +02:00
client Pass the curl write callback by name instead of address 2022-11-16 14:50:22 -05:00
contrib Parse the debugging cache log to determine the read savings 2021-05-12 10:45:57 -04:00
daemons ipa-kdb: for delegation check, use different error codes before and after krb5 1.20 2022-11-14 10:12:42 -05:00
doc doc: Design for HSM support 2022-11-18 16:05:31 -05:00
init Fix ipa-ccache-sweeper activation timer and clean up service file 2022-08-29 18:28:42 +02:00
install webui: Add name to 'Certificates' table 2022-11-15 13:04:22 +01:00
ipaclient Vault: fix interoperability issues with older RHEL systems 2022-11-21 10:41:10 -05:00
ipalib Add PKINIT support to ipa-client-install 2022-11-16 14:32:05 +02:00
ipaplatform Add missing parameter to Suse modify_nsswitch_pam_stack 2022-06-23 13:06:02 -04:00
ipapython Support tokens and optional password files when opening an NSS db 2022-11-16 14:47:53 -05:00
ipaserver Vault: fix interoperability issues with older RHEL systems 2022-11-21 10:41:10 -05:00
ipasphinx docs: force sphinx version above 3.0 to avoid caching in RTD 2022-05-04 10:40:07 +03:00
ipatests ipatests: re-enable dnssec tests 2022-11-21 14:24:17 +01:00
po Remove empty translation for 'si' which breaks linter 2022-10-02 12:07:20 +03:00
pypi Cleanup shebang and executable bit 2018-07-05 19:46:42 +02:00
selinux External IdP: initial SELinux policy 2022-05-10 15:52:41 +03:00
util ipa_pwd: Remove unnecessary conditional 2021-01-15 10:01:28 +01:00
.freeipa-pr-ci.yaml ipatests: revert wrong commit on gating definition 2021-11-02 11:40:25 +01:00
.git-commit-template Commit template: use either Fixes or Related 2022-02-14 11:21:01 +02:00
.gitignore gitignore: add install/oddjob/org.freeipa.server.config-enable-sid 2022-08-16 13:07:03 +02:00
.lgtm.yml Fix lgtm file classification 2021-03-08 08:31:41 +01:00
.mailmap mailmap: add ftweedal 2020-11-11 14:08:35 +02:00
.readthedocs.yaml docs: add the readthedocs configuration 2022-05-04 09:36:40 +03:00
.tox-install.sh azure: Don't customize pip's builddir 2021-10-21 08:03:03 +02:00
.wheelconstraints.in azure: Bump supported Pylint 2022-03-11 13:37:08 -05:00
ACI.txt Add support for Random Serial Numbers v3 2022-06-09 08:35:15 +02:00
API.txt Vault: fix interoperability issues with older RHEL systems 2022-11-21 10:41:10 -05:00
autogen.sh build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches 2010-11-29 11:39:55 -05:00
BUILD.txt BUILD.txt: remove redundant dnf-builddep option 2022-07-05 14:26:52 +02:00
CODE_OF_CONDUCT.md Changing Django's CoC to reflect FreeIPA CoC 2018-03-26 09:51:25 +02:00
configure.ac Implement LDAP bind grace period 389-ds plugin 2022-05-30 17:24:22 +03:00
Contributors.txt Update list of contributors 2022-06-15 16:26:55 +02:00
COPYING Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
COPYING.openssl Add a clear OpenSSL exception. 2015-02-23 16:25:54 +01:00
freeipa.doap.rdf Adding modified DOAP file 2018-06-22 11:02:40 -04:00
freeipa.spec.in Spec file: bump bind version on f37+ 2022-11-21 14:24:17 +01:00
ipa.in Replace PYTHONSHEBANG with valid shebang 2019-06-24 09:35:57 +02:00
ipasetup.py.in pylint: Fix use-maxsplit-arg 2022-03-11 13:37:08 -05:00
make-doc Make an ipa-tests package 2013-06-17 19:22:50 +02:00
make-test Use pytest conftest.py and drop pytest.ini 2017-01-05 17:37:02 +01:00
makeaci.in Warn for permissions with read/write/search/compare and no attrs 2022-07-15 16:59:15 +02:00
makeapi.in doc: generate API Reference 2022-11-16 14:46:17 -05:00
Makefile.am ipatest: fix prci checker target masked return code & add pylint 2022-08-01 09:34:42 -04:00
Makefile.python.am Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb 2017-03-15 13:48:23 +01:00
Makefile.pythonscripts.am ipa-scripts: fix all ipa command line scripts to operate with -I 2019-09-19 10:44:09 -04:00
makerpms.sh Fix unnecessary usrmerge assumptions 2019-04-17 13:56:05 +02:00
pylint_plugins.py external-idp: add support to manage external IdP objects 2022-05-10 15:52:41 +03:00
pylintrc pylint: Skip use-implicit-booleaness-not-comparison 2022-03-11 13:37:08 -05:00
README.md Update IRC links to point to Libera.chat 2021-05-27 18:26:28 +03:00
server.m4 ipa-kdb: add krb5 1.20 support 2022-11-02 11:03:04 +02:00
tox.ini ipatests: Checker script for prci definitions 2022-07-15 17:09:17 +02:00
VERSION.m4 Vault: fix interoperability issues with older RHEL systems 2022-11-21 10:41:10 -05:00

README.md

FreeIPA Server

FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based management tools.

FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization.

Benefits

FreeIPA:

  • Allows all your users to access all the machines with the same credentials and security settings
  • Allows users to access personal files transparently from any machine in an authenticated and secure way
  • Uses an advanced grouping mechanism to restrict network access to services and files only to specific users
  • Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
  • Enables delegation of selected administrative tasks to other power users
  • Integrates into Active Directory environments

Components

The FreeIPA project provides unified installation and management tools for the following components:

Project Website

Releases, announcements and other information can be found on the IPA server project page at http://www.freeipa.org/ .

Documentation

The most up-to-date documentation can be found at http://freeipa.org/page/Documentation .

Quick Start

To get started quickly, start here: http://www.freeipa.org/page/Quick_Start_Guide

For developers

Licensing

Please see the file called COPYING.

Contacts