IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
14,971 Commits 11 Branches 60 Tags 60 MiB
Python 75.7%
JavaScript 10.9%
C 10.8%
Roff 1.1%
Makefile 0.4%
Other 1.1%
db69855646
Go to file
Rob Crittenden db69855646 Clean up the PKI securitydomain when removing a server 
PKI has its own internal knowledge of servers and services
in its securitydomain. This has not been cleaned up in the
past but is becoming more of an issue as PKI now relies on its
securitydomain for more things, and it has a healthcheck that
reports inconsistencies.

Removing entries is straightforward using the PKI REST API.

In order to operate on the API access is needed. There was an
unused Security Domain Administrators group that I've added to
the resourceACLS we created for managing the securitydomain.
The ipara user is added as a member of this group. The REST
API binds to the CA using the IPA RA certificate.

Related commits are b3c2197b7e
and ba4df6449a.

These resourceACLS were originally created as a backwards
compatibility mechanism for dogtag v9 and later only created when a
replica was installed purportedly to save a restart. I don't see
any reason to not have these defined. They are apparently needed due
to the PKI database upgrade issues.

In any case if the purpose was to suppress these ACLS it failed
because as soon as a replica with a CA was installed they were as
well, and we need this ACL in order to manage the securitydomain.

https://pagure.io/freeipa/issue/8930

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-08-16 09:12:55 +02:00
.copr Adding auto COPR builds 2019-12-14 14:20:34 +02:00
.github Let GH auto-notify and auto-close stale PRs 2020-05-06 20:17:01 +02:00
asn1 fix minor spelling mistakes 2017-05-19 09:52:46 +02:00
client ipa-getkeytab: fix compiler warnings 2021-07-30 08:45:08 -04:00
contrib Parse the debugging cache log to determine the read savings 2021-05-12 10:45:57 -04:00
daemons ds: Support renaming of a replication plugin in 389-ds 2021-06-01 17:09:28 +03:00
doc Redesign subid feature 2021-07-09 09:47:30 -04:00
init systemd: enforce en_US.UTF-8 locale in systemd units 2020-12-10 14:38:05 +02:00
install Clean up the PKI securitydomain when removing a server 2021-08-16 09:12:55 +02:00
ipaclient Provide more information in ipa-certupdate on ccache failure 2021-08-02 15:31:24 -04:00
ipalib ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency 2021-07-13 16:52:57 +02:00
ipaplatform rhel platform: add a named crypto-policy support 2021-07-16 15:38:53 +02:00
ipapython Parse cert chain as JSON not XML 2021-08-09 08:44:52 +02:00
ipaserver Clean up the PKI securitydomain when removing a server 2021-08-16 09:12:55 +02:00
ipasphinx Create ipasphinx package for Sphinx plugins 2020-04-28 20:03:21 +02:00
ipatests ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files 2021-08-13 09:19:48 +02:00
po po/zh_CN.po: Update translations to FreeIPA master state 2021-06-04 12:29:48 +03:00
pypi Cleanup shebang and executable bit 2018-07-05 19:46:42 +02:00
selinux selinux: modify policy to allow one-way trust 2021-01-09 12:33:58 +01:00
util ipa_pwd: Remove unnecessary conditional 2021-01-15 10:01:28 +01:00
.freeipa-pr-ci.yaml Making nigthly test definition editable by FreeIPA's contributors 2018-07-27 09:50:06 +02:00
.git-commit-template git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org 2017-03-28 13:10:08 +02:00
.gitignore Add basic support for subordinate user/group ids 2021-07-09 09:47:30 -04:00
.lgtm.yml Fix lgtm file classification 2021-03-08 08:31:41 +01:00
.mailmap mailmap: add ftweedal 2020-11-11 14:08:35 +02:00
.tox-install.sh tox: Don't expand symlinks 2020-08-31 09:46:03 +03:00
.wheelconstraints.in Constrain pylint to supported versions 2021-05-03 09:16:14 +02:00
ACI.txt Redesign subid feature 2021-07-09 09:47:30 -04:00
API.txt Redesign subid feature 2021-07-09 09:47:30 -04:00
autogen.sh build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches 2010-11-29 11:39:55 -05:00
BUILD.txt Bootstrap Sphinx documentation 2020-03-21 07:40:33 +02:00
CODE_OF_CONDUCT.md Changing Django's CoC to reflect FreeIPA CoC 2018-03-26 09:51:25 +02:00
configure.ac ipa-getkeytab: add option to discover servers using DNS SRV 2021-07-30 08:45:08 -04:00
Contributors.txt Contributors: add new contributors to the list 2021-06-04 09:12:54 +03:00
COPYING Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
COPYING.openssl Add a clear OpenSSL exception. 2015-02-23 16:25:54 +01:00
freeipa.doap.rdf Adding modified DOAP file 2018-06-22 11:02:40 -04:00
freeipa.spec.in freeipa.spec.in: remove python3-pexpect from Requires 2021-08-02 22:32:39 +02:00
ipa.in Replace PYTHONSHEBANG with valid shebang 2019-06-24 09:35:57 +02:00
ipasetup.py.in Address inconsistent-return-statements 2018-11-13 13:37:58 +01:00
make-doc Make an ipa-tests package 2013-06-17 19:22:50 +02:00
make-test Use pytest conftest.py and drop pytest.ini 2017-01-05 17:37:02 +01:00
makeaci.in Replace PYTHONSHEBANG with valid shebang 2019-06-24 09:35:57 +02:00
makeapi.in Replace PYTHONSHEBANG with valid shebang 2019-06-24 09:35:57 +02:00
Makefile.am Add basic support for subordinate user/group ids 2021-07-09 09:47:30 -04:00
Makefile.python.am Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb 2017-03-15 13:48:23 +01:00
Makefile.pythonscripts.am ipa-scripts: fix all ipa command line scripts to operate with -I 2019-09-19 10:44:09 -04:00
makerpms.sh Fix unnecessary usrmerge assumptions 2019-04-17 13:56:05 +02:00
pylint_plugins.py pylint: Adapt to new Pylint 2.8 2021-04-27 13:28:42 +02:00
pylintrc pylint: Adapt to new Pylint 2.8 2021-04-27 13:28:42 +02:00
README.md Update IRC links to point to Libera.chat 2021-05-27 18:26:28 +03:00
server.m4 extdom-extop: refactor tests to use unshare+chroot to override nss_files configuration 2020-08-04 18:43:22 +03:00
tox.ini pytest: Show extra summary information for all except passed tests 2021-05-25 10:45:49 +03:00
VERSION.m4 Add basic support for subordinate user/group ids 2021-07-09 09:47:30 -04:00

README.md

FreeIPA Server

FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based management tools.

FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization.

Benefits

FreeIPA:

  • Allows all your users to access all the machines with the same credentials and security settings
  • Allows users to access personal files transparently from any machine in an authenticated and secure way
  • Uses an advanced grouping mechanism to restrict network access to services and files only to specific users
  • Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
  • Enables delegation of selected administrative tasks to other power users
  • Integrates into Active Directory environments

Components

The FreeIPA project provides unified installation and management tools for the following components:

Project Website

Releases, announcements and other information can be found on the IPA server project page at http://www.freeipa.org/ .

Documentation

The most up-to-date documentation can be found at http://freeipa.org/page/Documentation .

Quick Start

To get started quickly, start here: http://www.freeipa.org/page/Quick_Start_Guide

For developers

Licensing

Please see the file called COPYING.

Contacts