mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00

Go to file

Alexander Bokovoy a5d38ca171 host: update System: Manage Host Keytab permission

Since commit 5c0e7a5fb4, a new extended
operation to get a keytab is supposed to be used. This keytab
setting/retrieval extended operation checks access rights of the bound
DN to write to a virtual attribute 'ipaProtectedOperation;write_keys'.

If the write isn't allowed, the operation is rejected and ipa-getkeytab
tool falls back to an older code that generates the keytab on the client
and forcibly sets to the LDAP entry. For the latter, a check is done to
make sure the bound DN is allowed to write to 'krbPrincipalKey' attribute.

This fallback should never happen for newer deployments. When enrollemnt
operation is delegated to non-administrative user with the help of 'Host
Enrollment' role, a host can be pre-created or created at enrollment
time, if this non-administrative user has 'Host Administrators' role. In
the latter case a system permission 'System: Manage Host Keytab' grants
write access to 'krbPrincipalKey' attribute but lacks any access to the
virtual attributes expected by the new extended operation.

There is a second virtual attribute, 'ipaProtectedOperation;read_keys',
that allows to retrieve existing keys for a host. However, during
initial enrollment we do not allow to retrieve and reuse existing
Kerberos key: while 'ipa-getkeytab -r' would give ability to retrieve
the existing key, 'ipa-join' has no way to trigger that operation.
Hence, permission 'System: Manage Host Keytab' will not grant the right
to read the Kerberos key via extended operation used by 'ipa-getkeytab
-r'. Such operation can be done later by utilizing 'ipa
service/host-allow-retrieve-keytab' commands.

Fix 'System: Manage Host Keytab' permission and extend a permission test
to see that we do not fallback to the old extended operation.

Fixes: https://pagure.io/freeipa/issue/9496

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

2024-01-12 18:41:01 -05:00

.copr

Adding auto COPR builds

2019-12-14 14:20:34 +02:00

.github

Let GH auto-notify and auto-close stale PRs

2020-05-06 20:17:01 +02:00

asn1

fix minor spelling mistakes

2017-05-19 09:52:46 +02:00

client

component: mail_from_realname config setting added to IPA-EPN

2023-07-26 09:01:37 -04:00

contrib

Replace usage of #!/usr/bin/env python3 with #!/usr/bin/python3

2023-05-31 09:21:48 +02:00

daemons

ipa-kdb: clarify user auth table mapping use of _AUTH_PASSWORD

2023-12-22 10:34:19 +01:00

doc

Include supported migration scenarios in the ipa-to-ipa docs

2024-01-09 16:15:23 -05:00

init

Fix ipa-ccache-sweeper activation timer and clean up service file

2022-08-29 18:28:42 +02:00

install

webui: Unify user group members columns with users columns

2024-01-12 15:26:45 +01:00

ipaclient

ipa-client-automount: Don't use deprecated ipadiscovery.IPADiscovery

2024-01-11 17:13:35 +01:00

ipalib

pylint: fix errors

2024-01-09 08:40:47 +01:00

ipaplatform

ipaplatform: add opencloudos/tencentos support

2024-01-12 08:36:20 -05:00

ipapython

get_directive: don't error out on substring mismatch

2024-01-11 17:19:47 +01:00

ipaserver

host: update System: Manage Host Keytab permission

2024-01-12 18:41:01 -05:00

ipasphinx

ipasphinx: Correct import of progress_message for Sphinx 6.1.0+

2023-04-28 13:20:30 -04:00

ipatests

host: update System: Manage Host Keytab permission

2024-01-12 18:41:01 -05:00

Update translations to FreeIPA master state

2023-11-20 14:44:56 +01:00

pypi

Cleanup shebang and executable bit

2018-07-05 19:46:42 +02:00

selinux

Allow ipa-otpd to access USB devices for passkeys

2023-09-18 17:36:40 +02:00

util

ipa_pwd: Remove unnecessary conditional

2021-01-15 10:01:28 +01:00

.freeipa-pr-ci.yaml

ipatests: revert wrong commit on gating definition

2021-11-02 11:40:25 +01:00

.git-commit-template

Commit template: use either Fixes or Related

2022-02-14 11:21:01 +02:00

.gitignore

gitignore: add install/oddjob/org.freeipa.server.config-enable-sid

2022-08-16 13:07:03 +02:00

.lgtm.yml

Fix lgtm file classification

2021-03-08 08:31:41 +01:00

.mailmap

mailmap: add ftweedal

2020-11-11 14:08:35 +02:00

.readthedocs.yaml

docs: add the readthedocs configuration

2022-05-04 09:36:40 +03:00

.tox-install.sh

azure: Don't customize pip's builddir

2021-10-21 08:03:03 +02:00

.wheelconstraints.in

pylint: updates related to deprecations

2024-01-09 08:40:47 +01:00

ACI.txt

host: update System: Manage Host Keytab permission

2024-01-12 18:41:01 -05:00

API.txt

passkeyconfig: require-user-verification is a boolean

2023-06-01 08:20:37 +02:00

autogen.sh

build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches

2010-11-29 11:39:55 -05:00

BUILD.txt

BUILD.txt: remove redundant dnf-builddep option

2022-07-05 14:26:52 +02:00

CODE_OF_CONDUCT.md

Changing Django's CoC to reflect FreeIPA CoC

2018-03-26 09:51:25 +02:00

configure.ac

Tolerate absence of PAC ticket signature depending of server capabilities

2023-05-24 13:20:38 +02:00

Contributors.txt

Update list of contributors

2023-10-03 14:57:20 +02:00

COPYING

Change FreeIPA license to GPLv3+

2010-12-20 17:19:53 -05:00

COPYING.openssl

Add a clear OpenSSL exception.

2015-02-23 16:25:54 +01:00

freeipa.doap.rdf

Adding modified DOAP file

2018-06-22 11:02:40 -04:00

freeipa.spec.in

Use ssl.match_hostname from urllib3 as it was removed from Python 3.12

2023-07-19 08:27:30 +02:00

gpgkey-0E63D716D76AC080A4A33513F40800B6298EB963.asc

spec: verify upstream source signature

2023-04-18 08:32:54 +02:00

ipa.in

Replace PYTHONSHEBANG with valid shebang

2019-06-24 09:35:57 +02:00

ipasetup.py.in

pylint: replace deprecated distutils module

2023-01-10 08:30:58 +01:00

make-doc

Make an ipa-tests package

2013-06-17 19:22:50 +02:00

make-test

Use pytest conftest.py and drop pytest.ini

2017-01-05 17:37:02 +01:00

makeaci.in

Warn for permissions with read/write/search/compare and no attrs

2022-07-15 16:59:15 +02:00

makeapi.in

doc: allow notes on Param API Reference pages

2023-03-29 10:53:25 +02:00

Makefile.am

fastlint: Correct concatenation of file lists

2023-03-24 11:49:23 +01:00

Makefile.python.am

Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb

2017-03-15 13:48:23 +01:00

Makefile.pythonscripts.am

ipa-scripts: fix all ipa command line scripts to operate with -I

2019-09-19 10:44:09 -04:00

makerpms.sh

Fix unnecessary usrmerge assumptions

2019-04-17 13:56:05 +02:00

pylint_plugins.py

pylint: updates related to deprecations

2024-01-09 08:40:47 +01:00

pylintrc

pylint: disable new checks

2024-01-09 08:40:47 +01:00

README.md

Update IRC links to point to Libera.chat

2021-05-27 18:26:28 +03:00

server.m4

kdb: Use krb5_pac_full_sign_compat() when available

2023-05-24 13:20:38 +02:00

tox.ini

Tox: use sitepackages

2024-01-09 08:40:47 +01:00

VERSION.m4

Bump to IPA 4.12

2023-08-21 16:39:16 +02:00

README.md

FreeIPA Server

FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based management tools.

FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization.

Benefits

FreeIPA:

Allows all your users to access all the machines with the same credentials and security settings
Allows users to access personal files transparently from any machine in an authenticated and secure way
Uses an advanced grouping mechanism to restrict network access to services and files only to specific users
Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
Enables delegation of selected administrative tasks to other power users
Integrates into Active Directory environments

Components

The FreeIPA project provides unified installation and management tools for the following components:

LDAP Server - based on the 389 project
KDC - based on MIT Kerberos implementation
PKI based on Dogtag project
Samba libraries for Active Directory integration
DNS Server based on BIND and the Bind-DynDB-LDAP plugin

Project Website

Releases, announcements and other information can be found on the IPA server project page at http://www.freeipa.org/ .

Documentation

The most up-to-date documentation can be found at http://freeipa.org/page/Documentation .

Quick Start

To get started quickly, start here: http://www.freeipa.org/page/Quick_Start_Guide

For developers

Building FreeIPA from source
- http://www.freeipa.org/page/Build
- See the BUILD.txt file in the source root directory

Licensing

Please see the file called COPYING.

Contacts

If you want to be informed about new code releases, bug fixes, security fixes, general news and information about the IPA server subscribe to the freeipa-announce mailing list at https://www.redhat.com/mailman/listinfo/freeipa-interest/ .
If you have a bug report please submit it at: https://pagure.io/freeipa/issues
If you want to participate in actively developing IPA please subscribe to the freeipa-devel mailing list at https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/ or join us in IRC at irc://irc.libera.chat/freeipa

Languages

Python 75.7%

JavaScript 10.9%

C 10.8%

Roff 1.1%

Makefile 0.4%

Other 1.1%