URL: https://github.com/freeipa/freeipa/pull/855
Author: simo5
Title: #855: Prevent issues with older clients
Action: opened
PR body:
"""
Older clients have issues parsing cookies, and cannot handle well the MaxAge setting.
So the first patch is about removing it.
Unfortunately this means cookies will be valid for the duration of the authentication ticket which is set to 24h by default.
This is a bit high, so the second patch adds the ability to set the "kinit_lifetime" in /etc/api/default.conf so that users authenticating using username/password can have their tickets (and therefore their session) hard capped at whatever lifetime is set there.
Users that use HTTP negotiate can control their session duration by getting shorter lived tickets via kinit.
In all cases users can click on the logout button to blow away credentials.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/855/head:pr855
git checkout pr855
URL: https://github.com/freeipa/freeipa/pull/841
Author: sumit-bose
Title: #841: ipa-kdb: use canonical principal in certauth plugin
Action: opened
PR body:
"""
Currently the certauth plugin use the unmodified principal from the
request to lookup the user. This might fail if e.g. enterprise
principals are use. With this patch the canonical principal form the kdc
entry is used.
Resolves https://pagure.io/freeipa/issue/6993
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/841/head:pr841
git checkout pr841
URL: https://github.com/freeipa/freeipa/pull/843
Author: felipevolpone
Title: #843: [WIP] Fixing test_installation.py tests
Action: opened
PR body:
"""
I've been working on the test_installation.py suite and figure out how to solve some of them.
The TestInstallWithCA1 have 9 tests failing; 6 of them can be fixed adding
```bash
<ip> ipa-ca.$DOMAIN
```
into the master `/etc/hosts`. After that, three of them are still failing.
The log: https://paste.fedoraproject.org/paste/7n3CMEH5nhiHu~Vai8cObV5M1UNdIGYhyRLiv….
They are:
* test_replica1_with_ca_install
* test_replica2_with_ca_kra_install
* test_replica1_ipa_kra_install
I've moved the tests
* test_replica2_with_ca_kra_install
* test_replica1_ipa_kra_install
to a new class (TestInstallWithCA1_KRA1) and created a new install method, which use the `setup_kra=True` option in the install_master method. The tests are still failing, but for another reason, the logs: https://paste.fedoraproject.org/paste/ytzzIUDhh5ARcunpSfSubV5M1UNdIGYhyRLiv…
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/843/head:pr843
git checkout pr843
URL: https://github.com/freeipa/freeipa/pull/852
Author: HonzaCholasta
Title: #852: pkinit manage: introduce ipa-pkinit-manage
Action: opened
PR body:
"""
**server certinstall: update KDC master entry**
After the KDC certificate is installed, add the PKINIT enabled flag to the
KDC master entry.
**pkinit manage: introduce ipa-pkinit-manage**
Add the ipa-pkinit-manage tool to allow enabling / disabling PKINIT after
the initial server install.
**server upgrade: do not enable PKINIT by default**
Enabling PKINIT often fails during server upgrade when requesting the KDC
certificate.
Now that PKINIT can be enabled post-install using ipa-pkinit-manage, avoid
the upgrade failure by not enabling PKINIT by default.
https://pagure.io/freeipa/issue/7000
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/852/head:pr852
git checkout pr852