IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
13,875 Commits 11 Branches 60 Tags 60 MiB
Python 75.7%
JavaScript 10.9%
C 10.8%
Roff 1.1%
Makefile 0.4%
Other 1.1%
bee4204039
Go to file
Alexander Bokovoy bee4204039 Support adding user ID overrides as group and role members 
Second part of adding support to manage IPA as a user from a trusted
Active Directory forest.

Treat user ID overrides as members of groups and roles.

For example, adding an Active Directory user ID override as a member of
'admins' group would make it equivalent to built-in FreeIPA 'admin'
user.

We already support self-service operations by Active Directory users if
their user ID override does exist. When Active Directory user
authenticates with GSSAPI against the FreeIPA LDAP server, its Kerberos
principal is automatically mapped to the user's ID override in the
Default Trust View. LDAP server's access control plugin uses membership
information of the corresponding LDAP entry to decide how access can be
allowed.

With the change, users from trusted Active Directory forests can
manage FreeIPA resources if the groups are part of appropriate roles or
their ID overrides are members of the roles themselves.

Fixes: https://pagure.io/freeipa/issue/7255

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-08 12:39:34 -04:00
.copr Adding auto COPR builds 2019-12-14 14:20:34 +02:00
.github Let GH auto-notify and auto-close stale PRs 2020-05-06 20:17:01 +02:00
asn1 fix minor spelling mistakes 2017-05-19 09:52:46 +02:00
client Remove remains of unused config options 2020-06-02 09:39:42 +02:00
contrib lite-server: Fix werkzeug deprecation warnings 2020-06-08 14:23:56 +02:00
daemons kdb: handle enterprise principal lookup in AS_REQ 2020-06-08 12:39:34 -04:00
doc Add design page for managing IPA resources as a user from a trusted Active Directory forest 2020-06-08 12:39:34 -04:00
init Move ipa's systemd tmpfiles from /var/run to /run 2018-10-15 10:04:33 +02:00
install Split named custom config to allow changes in options stanza 2020-06-08 15:53:40 +03:00
ipaclient Address issues found by new pylint 2.5.0 2020-04-30 09:41:41 +02:00
ipalib Remove remains of unused config options 2020-06-02 09:39:42 +02:00
ipaplatform Split named custom config to allow changes in options stanza 2020-06-08 15:53:40 +03:00
ipapython Explain the effect of OPT_X_TLS_PROTOCOL_MIN 2020-05-18 14:45:31 +02:00
ipaserver Support adding user ID overrides as group and role members 2020-06-08 12:39:34 -04:00
ipasphinx Create ipasphinx package for Sphinx plugins 2020-04-28 20:03:21 +02:00
ipatests Add test for sssd ad trust lookup with dn in certmaprule 2020-06-08 10:34:18 -03:00
po make: serialize strip-po / strip-pot 2020-06-05 09:34:46 +02:00
pypi Cleanup shebang and executable bit 2018-07-05 19:46:42 +02:00
selinux Fix various OpenDNSSEC 2.1 issues 2020-04-21 21:37:06 +02:00
util util: replace NSS usage with OpenSSL 2020-06-08 12:54:19 +03:00
.freeipa-pr-ci.yaml Making nigthly test definition editable by FreeIPA's contributors 2018-07-27 09:50:06 +02:00
.git-commit-template git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org 2017-03-28 13:10:08 +02:00
.gitignore util: add unit test for pw hashing 2020-06-08 12:54:19 +03:00
.lgtm.yml WebUI: use python3-rjsmin to minify JavaScript files 2020-05-12 09:50:28 +02:00
.mailmap Update mailmap 2019-04-24 09:47:31 +02:00
.tox-install.sh Avoid use of '/tmp' for pip operations 2019-07-16 13:23:21 +03:00
.wheelconstraints.in Use pylint 1.7.5 with fix for bad python3 import 2017-12-19 13:28:06 +01:00
ACI.txt Support adding user ID overrides as group and role members 2020-06-08 12:39:34 -04:00
API.txt Support adding user ID overrides as group and role members 2020-06-08 12:39:34 -04:00
autogen.sh build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches 2010-11-29 11:39:55 -05:00
BUILD.txt Bootstrap Sphinx documentation 2020-03-21 07:40:33 +02:00
CODE_OF_CONDUCT.md Changing Django's CoC to reflect FreeIPA CoC 2018-03-26 09:51:25 +02:00
configure.ac ipa-print-pac: acquire and print PAC record for a user 2020-05-27 17:57:39 +03:00
Contributors.txt Update contributors 2019-11-12 20:49:18 +02:00
COPYING Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
COPYING.openssl Add a clear OpenSSL exception. 2015-02-23 16:25:54 +01:00
freeipa.doap.rdf Adding modified DOAP file 2018-06-22 11:02:40 -04:00
freeipa.spec.in Split named custom config to allow changes in options stanza 2020-06-08 15:53:40 +03:00
ipa.in Replace PYTHONSHEBANG with valid shebang 2019-06-24 09:35:57 +02:00
ipasetup.py.in Address inconsistent-return-statements 2018-11-13 13:37:58 +01:00
make-doc Make an ipa-tests package 2013-06-17 19:22:50 +02:00
make-test Use pytest conftest.py and drop pytest.ini 2017-01-05 17:37:02 +01:00
makeaci.in Replace PYTHONSHEBANG with valid shebang 2019-06-24 09:35:57 +02:00
makeapi.in Replace PYTHONSHEBANG with valid shebang 2019-06-24 09:35:57 +02:00
Makefile.am Fix make devcheck 2020-05-06 09:13:32 +02:00
Makefile.python.am Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb 2017-03-15 13:48:23 +01:00
Makefile.pythonscripts.am ipa-scripts: fix all ipa command line scripts to operate with -I 2019-09-19 10:44:09 -04:00
makerpms.sh Fix unnecessary usrmerge assumptions 2019-04-17 13:56:05 +02:00
pylint_plugins.py Remove remains of unused config options 2020-06-02 09:39:42 +02:00
pylintrc Address issues found by new pylint 2.5.0 2020-04-30 09:41:41 +02:00
README.md README: Update link to freeipa-devel archive 2019-03-20 17:32:43 +01:00
server.m4 ipa-pwd-extop: use timegm() instead of mktime() to preserve timezone offset 2020-06-08 18:06:16 +02:00
tox.ini Reconfigure pycodestyle 2020-05-05 10:42:46 +02:00
VERSION.m4 Support adding user ID overrides as group and role members 2020-06-08 12:39:34 -04:00

README.md

FreeIPA Server

FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based management tools.

FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization.

Benefits

FreeIPA:

  • Allows all your users to access all the machines with the same credentials and security settings
  • Allows users to access personal files transparently from any machine in an authenticated and secure way
  • Uses an advanced grouping mechanism to restrict network access to services and files only to specific users
  • Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
  • Enables delegation of selected administrative tasks to other power users
  • Integrates into Active Directory environments

Components

The FreeIPA project provides unified installation and management tools for the following components:

Project Website

Releases, announcements and other information can be found on the IPA server project page at http://www.freeipa.org/ .

Documentation

The most up-to-date documentation can be found at http://freeipa.org/page/Documentation .

Quick Start

To get started quickly, start here: http://www.freeipa.org/page/Quick_Start_Guide

For developers

Licensing

Please see the file called COPYING.

Contacts