URL: https://github.com/freeipa/freeipa/pull/2106
Author: abbra
Title: #2106: ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager
Action: opened
PR body:
"""
Password changes performed by cn=Directory Manager are excluded from
password policy checks according to [1]. This is correctly handled by
ipa-pwd-extop in case of a normal Kerberos principal in IPA. However,
non-Kerberos accounts were not excluded from the check.
As a result, password updates for PKI CA admin account in o=ipaca were
failing if a password policy does not allow a password reuse. We are
re-setting the password for PKI CA admin in ipa-replica-prepare in case
the original directory manager's password was updated since creation of
`cacert.p12`.
Do password policy check for non-Kerberos accounts only if it was set by
a regular user or admin. Changes performed by a cn=Directory Manager and
passsync managers should be excluded from the policy check.
Fixes: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com>
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/h…
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2106/head:pr2106
git checkout pr2106
URL: https://github.com/freeipa/freeipa/pull/2331
Author: mrizwan93
Title: #2331: Installation of replica against a specific server
Action: opened
PR body:
"""
Test to check replica install against specific server. It uses master and
replica1 without CA and having custodia service stopped. Then try to
install replica2 from replica1 so that replica2 will fetch secrets from
master as custodia service is not running on replica1.
related ticket: https://pagure.io/freeipa/issue/7566
Signed-off-by: Mohammad Rizwan Yusuf <myusuf(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2331/head:pr2331
git checkout pr2331
URL: https://github.com/freeipa/freeipa/pull/2147
Author: frozencemetery
Title: #2147: Add a skeleton kdcpolicy plugin
Action: opened
PR body:
"""
Signed-off-by: Robbie Harwood <rharwood(a)redhat.com>
Back in krb5-1.16 (and in RHEL-7.5), I added the [kdcpolicy plugin](http://web.mit.edu/kerberos/krb5-devel/doc/plugindev/kdcpolicy.html) to krb5. This interface allows a module to hook all AS and TGS requests, potentially reject them, and manipulate ticket lifetimes. This PR is a basic implementation of the interface, with all the plumbing IPA needs to get it loaded and installed.
There are two use cases I had in mind, though of course many more are possible (this is a very powerful place to have a hook into the KDC):
- Reduced ticket lifetimes based on [auth indicator](http://web.mit.edu/kerberos/krb5-devel/doc/admin/auth_indicator.…
- Adding (well, subtracting) random jitter from certain principal lifetimes to reduce contention from groups of tickets all needing renewal simultaneously
Since presumably we don't want any of that to be hardcoded behavior, the difficult part is now making it all configurable. (As well as figuring out any behavior we want to control at the moment). Per IRC conversation, I'm opening this PR so that we have something to look at while we discuss that.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2147/head:pr2147
git checkout pr2147
URL: https://github.com/freeipa/freeipa/pull/2307
Author: tiran
Title: #2307: Use pki config file template
Action: opened
PR body:
"""
WIP
For HSM support and more flexible options.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2307/head:pr2307
git checkout pr2307
URL: https://github.com/freeipa/freeipa/pull/2411
Author: onkarkarale
Title: #2411: Test ipa-server-install when mandatory params not specified.
Action: opened
PR body:
"""
When installing ipa-server in unattended mode (i.e. -U option),
some mandatory params should be specified with the install
commands like -p, -r and -a etc. If we don't specify these
params, installation will fail.
Signed-off-by: Onkar Karale <karaleonkar19(a)gmail.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2411/head:pr2411
git checkout pr2411