February 2020 - FreeIPA-devel - Fedora mailing-lists

[freeipa PR#4061][opened] doc/designs: Add a design page for application-specific passwords
by RichardKalinec 07 Mar '21

07 Mar '21

URL: https://github.com/freeipa/freeipa/pull/4061 Author: RichardKalinec Title: #4061: doc/designs: Add a design page for application-specific passwords Action: opened PR body: """ This design page describes a new enhancement: application-specific passwords and permissions management for them. Users will be able to have additional passwords besides the primary one, and set permissions for them specifying what systems and services will each application-specific password have access to. Application-specific passwords will also be usable with other authentication mechanisms incorporating passwords, namely otp, radius and hardened. They will also be supported by ipa-kdb for Kerberos authentication. https://pagure.io/freeipa/issue/4510 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4061/head:pr4061 git checkout pr4061

2 1

[freeipa PR#3275][opened] Issue 7975 - Accept 389-ds JSON replication status messages
by marcus2376 01 Dec '20

01 Dec '20

URL: https://github.com/freeipa/freeipa/pull/3275 Author: marcus2376 Title: #3275: Issue 7975 - Accept 389-ds JSON replication status messages Action: opened PR body: """ Description: 389-ds now stores a replication agreement status message in a JSON string in a new attribute: replicaLastInitStatusJSON replicaLastUpdateStatusJSON The original status attributes' values are not changing at this time, but there are plans to do so eventually as the old status format is confusing. http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html https://pagure.io/freeipa/issue/7975 Reviewed by: ? """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3275/head:pr3275 git checkout pr3275

3 2

[freeipa PR#3774][opened] [DNSSEC] WIP Allow using of a custom OpenSSL engine for BIND
by stanislavlevin 31 Aug '20

31 Aug '20

URL: https://github.com/freeipa/freeipa/pull/3774 Author: stanislavlevin Title: #3774: [DNSSEC] WIP Allow using of a custom OpenSSL engine for BIND Action: opened PR body: """ For now Debian, Fedora, RHEL, etc. build BIND with 'native PKCS11' support. Till recently, that was the strict requirement of DNSSEC. The problem is that this restricts cross-platform features of FreeIPA. With the help of libp11, which provides `pkcs11` engine plugin for the OpenSSL library for accessing PKCS11 modules in a semi- transparent way, FreeIPA could utilize OpenSSL version of BIND. BIND in turn provides ability to specify the OpenSSL engine on the command line of `named` and all the BIND `dnssec-*` tools by using the `-E engine_name`. Currently, this PR implements just an abstract ability. Actual configuration and tests results could be seen in my fork Azure Pipelines: https://dev.azure.com/slev0400/slev/_build/results?buildId=627&view=logs&j=… https://dev.azure.com/slev0400/slev/_build/results?buildId=627&view=logs&j=… Related: https://pagure.io/freeipa/issue/8094 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3774/head:pr3774 git checkout pr3774

2 1

[freeipa PR#3544][opened] [WIP] ipa-join: allowing call with jsonrpc into freeipa API
by mulatinho 09 Jul '20

09 Jul '20

URL: https://github.com/freeipa/freeipa/pull/3544 Author: mulatinho Title: #3544: [WIP] ipa-join: allowing call with jsonrpc into freeipa API Action: opened PR body: """ - Adding JSON-C and LibCURL library into configure.ac and Makefile.am - Creating a API call with option '-j' or '--jsonrpc' to make host join on FreeIPA with JSONRPC and libCURL. TODO: unenroll process with JSONRPC. To test the call: # kinit admin # ipa-join -s server.freeipa.ipadomain -j Debug: # ipa-join -s server.freeipa.ipadomain -j -d Related: https://pagure.io/freeipa/issue/7966 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3544/head:pr3544 git checkout pr3544

2 1

[freeipa PR#3832][opened] [WIP][PoC] Web UI: Use system jQuery bundle
by serg-cymbaluk 20 Apr '20

20 Apr '20

URL: https://github.com/freeipa/freeipa/pull/3832 Author: serg-cymbaluk Title: #3832: [WIP][PoC] Web UI: Use system jQuery bundle Action: opened PR body: """ """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3832/head:pr3832 git checkout pr3832

1 1

[freeipa PR#4102][opened] [WIP] Debian: write out only one CA certificate per file
by yrro 08 Apr '20

08 Apr '20

URL: https://github.com/freeipa/freeipa/pull/4102 Author: yrro Title: #4102: [WIP] Debian: write out only one CA certificate per file Action: opened PR body: """ ca-certificates populates /etc/ssl/certs with symlinks to its input files and then runs 'openssl rehash' to create the symlinks that libssl uses to look up a CA certificate to see if it is trused. 'openssl rehash' ignores any files that contain more than one certificate: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945274>. With this change, we write out trusted CA certificates to /usr/local/share/ipa-ca, one certificate per file. Fixes: https://pagure.io/freeipa/issue/8106 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4102/head:pr4102 git checkout pr4102

2 1

[freeipa PR#3924][opened] ipatests: add test for sssd behavior with disabled trustdomains
by wladich 03 Apr '20

03 Apr '20

URL: https://github.com/freeipa/freeipa/pull/3924 Author: wladich Title: #3924: ipatests: add test for sssd behavior with disabled trustdomains Action: opened PR body: """ When a trusted subdomain is disabled in ipa, users from this domain should not be able to access resources ipa resources. Related to: https://pagure.io/SSSD/sssd/issue/4078 This PR also adds * utility function for getting sssd version on remore host * a context manager for declaring part of test as xfail """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3924/head:pr3924 git checkout pr3924

1 1

[freeipa PR#3487][opened] Allow rename of a host group
by abbra 31 Mar '20

31 Mar '20

URL: https://github.com/freeipa/freeipa/pull/3487 Author: abbra Title: #3487: Allow rename of a host group Action: opened PR body: """ Fixes: https://pagure.io/freeipa/issue/6783 Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3487/head:pr3487 git checkout pr3487

1 1

[freeipa PR#4193][opened] [ACME] Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates
by frasertweedale 24 Mar '20

24 Mar '20

URL: https://github.com/freeipa/freeipa/pull/4193 Author: frasertweedale Title: #4193: [ACME] Add ipa-ca.$DOMAIN alias to IPA server HTTP certificates Action: opened PR body: """ First PR for the ACME effort. This is needed so ACME clients can reach IPA ACME service via the ``ipa-ca.$DOMAIN`` DNS name (ACME requires TLS). This change is also reasonable, independent of the ACME effort. https://pagure.io/freeipa/issue/8186 ``` 83a5a3aa6 (Fraser Tweedale, 11 hours ago) upgrade: add ipa-ca.$DOMAIN alias to HTTP certificate If the HTTP certificate does not have the ipa-ca.$DOMAIN dNSName, resubmit the certificate request to add the name. This action is performed after the tracking request has already been updated. Note: due to https://pagure.io/certmonger/issue/143 the resubmitted request, if it does not immediately succeed and if the notAfter date of the current certificate is still far off, the request could get stuck in state CA_UNREACHABLE until a Certmonger restart. There is not much we can do about that in the middle of ipa-server-upgrade. Part of: https://pagure.io/freeipa/issue/8186 efe071539 (Fraser Tweedale, 12 hours ago) httpinstance: add ipa-ca.$DOMAIN alias in initial request For new server/replica installation, issue the HTTP server certificate with the 'ipa-ca.$DOMAIN' SAN dNSName. This is accomplished by adding the name to the Certmonger tracking request. Part of: https://pagure.io/freeipa/issue/8186 feea49420 (Fraser Tweedale, 3 days ago) cert-request: allow ipa-ca.$DOMAIN dNSName for IPA servers ACME support requires TLS and we want ACME clients to access the service via the ipa-ca.$DOMAIN DNS name. So we need to add the ipa-ca.$DOMAIN dNSName to IPA servers' HTTP certificates. To facilitiate this, add a special case to the cert-request command processing. The rule is: - if the dnsName being validated is "ipa-ca.$DOMAIN" - and the subject principal is an "HTTP/..." service - and the subject principal's hostname is an IPA server Then that name (i.e. "ipa-ca.$DOMAIN") is immediately allowed. Otherwise continue with the usual dnsName validation. Part of: https://pagure.io/freeipa/issue/8186 62129a44a (Fraser Tweedale, 3 days ago) httpinstance: add fqdn and ipa-ca alias to Certmonger request When (re-)tracking the HTTP certificate, explicitly add the server FQDN and ipa-ca.$DOMAIN DNS names to the Certmonger tracking request. Part of: https://pagure.io/freeipa/issue/8186 fe3489cf4 (Fraser Tweedale, 4 days ago) certmonger: support dnsname as request search criterion We need to be able to filter Certmonger tracking requests by the DNS names defined for the request. The goal is to add the 'ipa-ca.$DOMAIN' alias to the HTTP certificate tracking requests, so we will use that name as a search criterion. Implement support for this. As a result of this commit it will be easy to add support for subset match of other Certmonger request list properties. Just add the property name to the ARRAY_PROPERTIES list (and update the 'criteria' description in the module docstring!) Part of: https://pagure.io/freeipa/issue/8186 ea6d31bdf (Fraser Tweedale, 4 days ago) certmonger: move 'criteria' description to module docstring The 'criteria' parameter is used by several subroutines in the ipalib.install.certmonger module. It has incomplete documentation spread across several of these subroutines. Move the documentation to the module docstring and reference it where appropriate. Part of: https://pagure.io/freeipa/issue/8186 aa7b88ad6 (Fraser Tweedale, 4 days ago) certmonger: avoid mutable default argument certmonger._get_requests has a mutable default argument. Although at the present time it is never modified, this is an antipattern to be avoided. Part of: https://pagure.io/freeipa/issue/8186 ``` """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4193/head:pr4193 git checkout pr4193

1 1

[freeipa PR#4158][opened] Add pytest OpenSSH transport with password
by tiran 24 Mar '20

24 Mar '20

URL: https://github.com/freeipa/freeipa/pull/4158 Author: tiran Title: #4158: Add pytest OpenSSH transport with password Action: opened PR body: """ The pytest_multihost transport does not provide password-based authentication for OpenSSH transport. The OpenSSH command line tool has no API to pass in a password securely. The patch implements a custom transport that uses sshpass hack. It is not recommended for production but good enough for testing. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4158/head:pr4158 git checkout pr4158

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-devel February 2020