mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00

Go to file

Christian Heimes dea059d158 Block PyOpenSSL to prevent SELinux execmem in wsgi Some dependencies like Dogtag's pki.client library and custodia use python-requsts to make HTTPS connection. python-requests prefers PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top of python-cryptography which trigger a execmem SELinux violation in the context of Apache HTTPD (httpd_execmem). When requests is imported, it always tries to import pyopenssl glue code from urllib3's contrib directory. The import of PyOpenSSL is enough to trigger the SELinux denial. Block any import of PyOpenSSL's SSL module in wsgi by raising an ImportError. The block is compatible with new python-requests with unbundled urllib3, too. Fixes: https://pagure.io/freeipa/issue/5442 Fixes: RHBZ#1491508 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>		2017-10-18 12:09:57 +02:00
asn1	fix minor spelling mistakes	2017-05-19 09:52:46 +02:00
client	Changing how commands handles error when it can't connect to IPA server	2017-08-11 13:55:39 +02:00
contrib	logging: do not reference loggers in arguments and attributes	2017-07-14 15:55:59 +02:00
daemons	ipa-kdb: reinit trusted domain data for enterprise principals	2017-10-13 13:43:35 +02:00
doc	logging: do not reference loggers in arguments and attributes	2017-07-14 15:55:59 +02:00
init	Move tmpfiles.d configuration handling back to spec file	2017-08-30 13:05:23 +02:00
install	Block PyOpenSSL to prevent SELinux execmem in wsgi	2017-10-18 12:09:57 +02:00
ipaclient	client: fix retrieving certs from HTTP	2017-09-13 10:38:08 +02:00
ipalib	p11-kit: add serial number in DER format	2017-10-17 16:43:15 +02:00
ipaplatform	p11-kit: add serial number in DER format	2017-10-17 16:43:15 +02:00
ipapython	cli: simplify parsing of arbitrary types	2017-10-04 10:09:18 +02:00
ipaserver	kra-install: better warning message	2017-10-17 15:59:58 +02:00
ipatests	Fixing param-{find,show} and output-{find,show} commands	2017-10-17 13:42:11 +02:00
po	fix minor spelling mistakes	2017-05-19 09:52:46 +02:00
pypi	tox testing support for client wheel packages	2017-04-12 16:53:22 +02:00
util	C compilation fixes and hardening	2017-03-01 10:38:01 +01:00
.freeipa-pr-ci.yaml	prci: update F26 template	2017-09-22 07:52:02 +02:00
.git-commit-template	git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org	2017-03-28 13:10:08 +02:00
.gitignore	install: do not assume /etc/krb5.conf.d exists	2017-06-28 15:44:51 +02:00
.mailmap	Update Contributors.txt	2017-02-23 10:16:44 +01:00
.test_runner_config_py3_temp.yaml	travis: remove "fast" from "makecache fast"	2017-09-08 15:42:07 +02:00
.test_runner_config.yaml	travis: remove "fast" from "makecache fast"	2017-09-08 15:42:07 +02:00
.tox-install.sh	tox testing support for client wheel packages	2017-04-12 16:53:22 +02:00
.travis_run_task.sh	Travis: build only py2 packages for py2 testing	2017-06-20 12:36:29 +02:00
.travis.yml	travis: make tests fail if pep8 does not pass	2017-10-10 10:05:37 +02:00
.wheelconstraints.in	Change the requirements for pylint in wheel	2017-09-08 15:42:07 +02:00
ACI.txt	Add --password-expiration to allow admin to force user password expiration	2017-03-31 12:19:40 +02:00
API.txt	Create a Certificate parameter	2017-07-27 10:28:58 +02:00
autogen.sh	build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches	2010-11-29 11:39:55 -05:00
BUILD.txt	Build: allow to build only py2 rpms for fedora	2017-06-20 12:36:29 +02:00
configure.ac	Move tmpfiles.d configuration handling back to spec file	2017-08-30 13:05:23 +02:00
Contributors.txt	Contributors.txt: update	2017-09-01 14:38:37 +02:00
COPYING	Change FreeIPA license to GPLv3+	2010-12-20 17:19:53 -05:00
COPYING.openssl	Add a clear OpenSSL exception.	2015-02-23 16:25:54 +01:00
freeipa.spec.in	Use 389-ds provided method for file limits tuning	2017-10-17 14:59:06 +02:00
ignore_import_errors.py	makeapi, makeaci: do not fail on missing imports	2016-10-24 14:11:08 +02:00
ipa	Use entry_points for ipa CLI	2017-04-11 13:29:50 +02:00
ipasetup.py.in	Misc Python 3 fixes for ipaserver.secrets	2017-08-11 13:47:35 +02:00
make-doc	Make an ipa-tests package	2013-06-17 19:22:50 +02:00
make-test	Use pytest conftest.py and drop pytest.ini	2017-01-05 17:37:02 +01:00
makeaci	config: provide defaults for `xmlrpc_uri`, `ldap_uri` and `basedn`	2017-07-04 12:06:33 +02:00
makeapi	config: provide defaults for `xmlrpc_uri`, `ldap_uri` and `basedn`	2017-07-04 12:06:33 +02:00
Makefile.am	WebUI: remove creating js/libs symlink from makefile	2017-08-30 16:15:57 +02:00
Makefile.python.am	Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb	2017-03-15 13:48:23 +01:00
makerpms.sh	makerpms.sh: make git checkout optional	2017-08-18 11:46:13 +02:00
pylint_plugins.py	logging: do not reference loggers in arguments and attributes	2017-07-14 15:55:59 +02:00
pylintrc	pylint: make unsupported-assignment-operation check local	2017-09-08 15:42:07 +02:00
README.md	README: Fix trailing whitespace	2017-07-21 09:47:36 +02:00
server.m4	ipa-sam: use smbldap_set_bind_callback for Samba 4.7 or later	2017-07-11 15:21:35 +02:00
tox.ini	Slim down dependencies	2017-05-09 17:17:29 +02:00
VERSION.m4	VERSION: set 4.6 git snapshot	2017-09-01 14:39:22 +02:00
zanata.xml	Zanata: exlude testing ipa.pot file	2016-11-21 14:47:47 +01:00

README.md

FreeIPA Server

FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based managment tools.

FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization.

Benefits

FreeIPA:

Allows all your users to access all the machines with the same credentials and security settings
Allows users to access personal files transparently from any machine in an authenticated and secure way
Uses an advanced grouping mechanism to restrict network access to services and files only to specific users
Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
Enables delegation of selected administrative tasks to other power users
Integrates into Active Directory environments

Components

The FreeIPA project provides unified installation and management tools for the following components:

LDAP Server - based on the 389 project
KDC - based on MIT Kerberos implementation
PKI based on Dogtag project
Samba libraries for Active Directory integration
DNS Server based on BIND and the Bind-DynDB-LDAP plugin

Project Website

Releases, announcements and other information can be found on the IPA server project page at http://www.freeipa.org/ .

Documentation

The most up-to-date documentation can be found at http://freeipa.org/page/Documentation .

Quick Start

To get started quickly, start here: http://www.freeipa.org/page/Quick_Start_Guide

For developers

Building FreeIPA from source
- http://www.freeipa.org/page/Build
- See the BUILD.txt file in the source root directory

Licensing

Please see the file called COPYING.

Contacts

If you want to be informed about new code releases, bug fixes, security fixes, general news and information about the IPA server subscribe to the freeipa-announce mailing list at https://www.redhat.com/mailman/listinfo/freeipa-interest/ .
If you have a bug report please submit it at: https://pagure.io/freeipa/issues
If you want to participate in actively developing IPA please subscribe to the freeipa-devel mailing list at https://www.redhat.com/mailman/listinfo/freeipa-devel/ or join us in IRC at irc://irc.freenode.net/freeipa