IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-28 09:06:44 -06:00
Code Issues Packages Projects Releases Wiki Activity
5,524 Commits 11 Branches 59 Tags 60 MiB
Python 75.7%
JavaScript 10.9%
C 10.8%
Roff 1.1%
Makefile 0.4%
Other 1.1%
a1991aeac1
Go to file
John Dennis a1991aeac1 Use secure method to acquire IPA CA certificate 
Major changes ipa-client-install:

* Use GSSAPI connection to LDAP server to download CA cert (now
  the default method)

* Add --ca-cert-file option to load the CA cert from a disk file.
  Validate the file. If this option is used the supplied CA cert
  is considered definitive.

* The insecure HTTP retrieval method is still supported but it must be
  explicitly forced and a warning will be emitted.

* Remain backward compatible with unattended case (except for aberrant
  condition when preexisting /etc/ipa/ca.crt differs from securely
  obtained CA cert, see below)

* If /etc/ipa/ca.crt CA cert preexists the validate it matches the
  securely acquired CA cert, if not:

  - If --unattended and not --force abort with error

  - If interactive query user to accept new CA cert, if not abort

  In either case warn user.

* If interactive and LDAP retrieval fails prompt user if they want to
  proceed with insecure HTTP method

* If not interactive and LDAP retrieval fails abort unless --force

* Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution,
  if ipa-client-install fails it will be restored.

Other changes:

* Add new exception class CertificateInvalidError

* Add utility convert_ldap_error() to ipalib.ipautil

* Replace all hardcoded instances of /etc/ipa/ca.crt in
  ipa-client-install with CACERT constant (matches existing practice
  elsewhere).

* ipadiscovery no longer retrieves CA cert via HTTP.

* Handle LDAP minssf failures during discovery, treat failure to check
  ldap server as a warninbg in absebce of a provided CA certificate via
  --ca-cert-file or though existing /etc/ipa/ca.crt file.

Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
2013-01-23 14:26:42 -05:00
.tx Add Transifex tx client configuration file 2011-03-07 16:05:33 -05:00
checks Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
contrib Set master_kdc and dns_lookup_kdc to true 2012-09-19 20:47:12 -04:00
daemons ipa-kdb: Support Windows 2012 Server 2012-12-07 13:21:52 -05:00
doc Replace float with Decimal 2012-01-20 08:13:44 +01:00
init Get list of service from LDAP only at startup 2012-11-01 10:58:19 -04:00
install Upload CA cert in the directory on install 2013-01-23 14:26:41 -05:00
ipa-client Use secure method to acquire IPA CA certificate 2013-01-23 14:26:42 -05:00
ipalib Use secure method to acquire IPA CA certificate 2013-01-23 14:26:42 -05:00
ipapython Use secure method to acquire IPA CA certificate 2013-01-23 14:26:42 -05:00
ipaserver Use secure method to acquire IPA CA certificate 2013-01-23 14:26:42 -05:00
selinux Update SELinux policy for dogtag10 2012-11-30 11:12:51 -05:00
tests permission-find no longer crashes with --targetgroup 2013-01-11 10:51:31 +01:00
util Make encode_ntlm_keys() public 2012-09-06 09:24:58 +02:00
.bzrignore Added top-level tests/ package that will contain all unit tests 2008-10-07 20:36:44 -06:00
.gitignore Dojo Builder 2013-01-18 15:10:35 +01:00
API.txt Sort Options and Outputs in API.txt 2012-12-12 14:10:47 +01:00
autogen.sh build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches 2010-11-29 11:39:55 -05:00
BUILD.txt Rename ipa.spec.in to freeipa.spec.in in BUILD.txt. 2011-02-10 17:52:43 -05:00
Contributors.txt Add Ana Krivokapic to Contributors.txt 2013-01-17 10:33:03 -05:00
COPYING Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
freeipa.spec.in Fix BuildRequires: rhino replaced with java-1.7.0-openjdk 2013-01-22 17:05:29 +01:00
ipa Execute /usr/bin/python directly instead of /usr/bin/env python 2011-01-14 16:27:48 -05:00
ipa-compliance.cron Add support for tracking and counting entitlements 2011-02-02 10:00:38 -05:00
ipa.1 Fix various typos. 2012-09-18 08:45:28 +02:00
lite-server.py Tweak the session auth to reflect developer consensus. 2012-02-27 05:54:29 -05:00
make-doc This patch removes the existing UI functionality, as a prep for adding the Javascript based ui. 2010-07-29 10:44:56 -04:00
make-lint Compliant client side session cookie behavior 2012-12-10 12:45:09 -05:00
make-test Pass make-test arguments through to Nose 2012-04-11 22:20:07 -04:00
make-testcert Use DN objects instead of strings 2012-08-12 16:23:24 -04:00
makeapi Sort Options and Outputs in API.txt 2012-12-12 14:10:47 +01:00
Makefile Updated makefiles to build FreeIPA Web UI layer 2013-01-18 15:10:37 +01:00
MANIFEST.in Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
README Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
setup-client.py Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
setup.py Add plugin framework to LDAP updates. 2011-11-22 23:57:10 -05:00
TODO Parse comma-separated lists of values in all parameter types. This can be enabled for a specific parameter by setting the "csv" option to True. 2011-11-30 17:08:35 +01:00
VERSION Relax restriction for leading/trailing whitespaces in *-find commands 2012-12-11 12:34:28 +01:00
version.m4.in Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00

README 

                               IPA Server

  What is it?
  -----------

  For efficiency, compliance and risk mitigation, organizations need to
  centrally manage and correlate vital security information including:

    * Identity (machine, user, virtual machines, groups, authentication
      credentials)
    * Policy (configuration settings, access control information)
    * Audit (events, logs, analysis thereof) 

  Since these are not new problems. there exist many approaches and
  products focused on addressing them. However, these tend to have the
  following weaknesses:

    * Focus on solving identity management across the enterprise has meant
      less focus on policy and audit.
    * Vendor focus on Web identity management problems has meant less well
      developed solutions for central management of the Linux and Unix
      world's vital security info. Organizations are forced to maintain
      a hodgepodge of internal and proprietary solutions at high TCO.
    * Proprietary security products don't easily provide access to the
      vital security information they collect or manage. This makes it
      difficult to synchronize and analyze effectively. 

  The Latest Version
  ------------------

  Details of the latest version can be found on the IPA server project
  page under <http://www.freeipa.org/>.

  Documentation
  -------------

  The most up-to-date documentation can be found at
  <http://freeipa.org/page/Documentation/>.

  Quick Start
  -----------

  To get started quickly, start here:
  <https://fedorahosted.org/freeipa/wiki/QuickStartGuide>

  Licensing
  ---------

  Please see the file called COPYING.

  Contacts
  --------

     * If you want to be informed about new code releases, bug fixes,
       security fixes, general news and information about the IPA server
       subscribe to the freeipa-announce mailing list at
       <https://www.redhat.com/mailman/listinfo/freeipa-interest/>.

     * If you have a bug report please submit it at:
       <https://bugzilla.redhat.com>

     * If you want to participate in actively developing IPA please
       subscribe to the freeipa-devel mailing list at
       <https://www.redhat.com/mailman/listinfo/freeipa-devel/> or join
       us in IRC at irc://irc.freenode.net/freeipa