[Pkg-freeipa-devel] freeipa: Changes to 'upstream-next'

Timo Aaltonen tjaalton at moszumanska.debian.org
Fri Dec 23 06:23:04 UTC 2016


 VERSION                                               |    2 
 daemons/ipa-kdb/ipa_kdb_pwdpolicy.c                   |    2 
 freeipa.spec.in                                       |    4 
 install/po/bn_IN.po                                   |    4 
 install/po/ca.po                                      |    4 
 install/po/cs.po                                      |    4 
 install/po/de.po                                      |   18 
 install/po/es.po                                      |  151 
 install/po/eu.po                                      |    4 
 install/po/fr.po                                      | 1500 +-
 install/po/hi.po                                      |    4 
 install/po/hu.po                                      |    4 
 install/po/id.po                                      |    4 
 install/po/ipa.pot                                    | 2355 +--
 install/po/ja.po                                      |    4 
 install/po/kn.po                                      |    4 
 install/po/mr.po                                      |    4 
 install/po/nl.po                                      |    4 
 install/po/pl.po                                      |  225 
 install/po/pt_BR.po                                   |    4 
 install/po/ru.po                                      |    4 
 install/po/sk.po                                      |    4 
 install/po/tg.po                                      |    4 
 install/po/uk.po                                      |  242 
 install/po/zh_CN.po                                   |12668 +++++++++++++++++-
 install/share/smb.conf.template                       |    2 
 install/tools/man/ipa-adtrust-install.1               |   27 
 install/ui/src/freeipa/details.js                     |    1 
 install/ui/src/freeipa/field.js                       |   41 
 install/ui/src/freeipa/service.js                     |   52 
 install/updates/20-default_password_policy.update     |  133 
 install/updates/Makefile.am                           |    1 
 ipaclient/plugins/automount.py                        |    4 
 ipaclient/plugins/otptoken_yubikey.py                 |    4 
 ipaclient/plugins/vault.py                            |   16 
 ipalib/parameters.py                                  |    2 
 ipaserver/install/bindinstance.py                     |    7 
 ipaserver/install/httpinstance.py                     |   28 
 ipaserver/install/installutils.py                     |   20 
 ipaserver/install/ipa_server_certinstall.py           |   40 
 ipaserver/install/plugins/update_ca_topology.py       |   22 
 ipaserver/install/replication.py                      |   42 
 ipaserver/install/server/upgrade.py                   |   22 
 ipaserver/install/service.py                          |    1 
 ipaserver/plugins/cert.py                             |   21 
 ipaserver/plugins/certprofile.py                      |    5 
 ipaserver/plugins/domainlevel.py                      |   28 
 ipaserver/plugins/server.py                           |    2 
 ipaserver/plugins/trust.py                            |   15 
 ipatests/pytest_plugins/integration.py                |    2 
 ipatests/test_integration/tasks.py                    |   50 
 ipatests/test_integration/test_idviews.py             |  238 
 ipatests/test_integration/test_installation.py        |   66 
 ipatests/test_integration/test_legacy_clients.py      |    4 
 ipatests/test_integration/test_replica_promotion.py   |    6 
 ipatests/test_integration/test_replication_layouts.py |   48 
 ipatests/test_integration/test_sudo.py                |    4 
 ipatests/test_integration/test_topology.py            |  143 
 ipatests/test_integration/test_trust.py               |  113 
 ipatests/test_ipaserver/test_kadmin.py                |  125 
 ipatests/test_xmlrpc/test_add_remove_cert_cmd.py      |   82 
 ipatests/test_xmlrpc/test_cert_plugin.py              |   22 
 ipatests/test_xmlrpc/test_idviews_plugin.py           |   35 
 ipatests/test_xmlrpc/test_service_plugin.py           |   10 
 ipatests/test_xmlrpc/tracker/host_plugin.py           |    8 
 ipatests/test_xmlrpc/tracker/idview_plugin.py         |  116 
 ipatests/test_xmlrpc/tracker/service_plugin.py        |    7 
 ipatests/test_xmlrpc/tracker/user_plugin.py           |   16 
 pylint_plugins.py                                     |    2 
 zanata.xml                                            |    2 
 70 files changed, 17032 insertions(+), 1830 deletions(-)

New commits:
commit 097ff54ebcb23e6438b3bf8022f7a66dd1e13aaa
Author: Petr Vobornik <pvoborni at redhat.com>
Date:   Fri Dec 16 13:45:00 2016 +0100

    Become IPA 4.4.3

diff --git a/VERSION b/VERSION
index 9df84a0..517a72b 100644
--- a/VERSION
+++ b/VERSION
@@ -21,7 +21,7 @@
 ########################################################
 IPA_VERSION_MAJOR=4
 IPA_VERSION_MINOR=4
-IPA_VERSION_RELEASE=2
+IPA_VERSION_RELEASE=3
 
 ########################################################
 # For 'alpha' releases the version will be             #

commit e02323c1c3b3c3dadd57d9f1885ec1af046718de
Author: Martin Babinsky <mbabinsk at redhat.com>
Date:   Thu Dec 15 17:11:48 2016 +0100

    Add a basic test suite for `kadmin.local` interface
    
    This small integration suite tests some basic operations using the
    kadmin.local interface on services in both the kerberos and services
    subtrees.
    
    https://fedorahosted.org/freeipa/ticket/6561
    
    Reviewed-By: Pavel Vomacka <pvomacka at redhat.com>

diff --git a/ipatests/test_ipaserver/test_kadmin.py b/ipatests/test_ipaserver/test_kadmin.py
new file mode 100644
index 0000000..1b38791
--- /dev/null
+++ b/ipatests/test_ipaserver/test_kadmin.py
@@ -0,0 +1,125 @@
+#
+# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
+#
+
+"""
+Test suite for creating principals via kadmin.local and modifying their keys
+"""
+
+import os
+import pytest
+import tempfile
+
+from ipalib import api
+
+from ipaserver.install import installutils
+
+
+ at pytest.yield_fixture()
+def keytab():
+    fd, keytab_path = tempfile.mkstemp(suffix='.keytab')
+    os.close(fd)
+
+    try:
+        yield keytab_path
+    finally:
+        try:
+            os.remove(keytab_path)
+        except OSError:
+            pass
+
+
+ at pytest.fixture()
+def service_in_kerberos_subtree(request):
+    princ = u'svc1/{0.host}@{0.realm}'.format(api.env)
+    installutils.kadmin_addprinc(princ)
+
+    def fin():
+        try:
+            installutils.kadmin(
+                'delprinc -force {}'.format(princ))
+        except Exception:
+            pass
+    request.addfinalizer(fin)
+    return princ
+
+
+ at pytest.fixture()
+def service_in_service_subtree(request):
+    princ = u'svc2/{0.host}@{0.realm}'.format(api.env)
+    rpcclient = api.Backend.rpcclient
+    was_connected = rpcclient.isconnected()
+
+    if not was_connected:
+        rpcclient.connect()
+
+    api.Command.service_add(princ)
+
+    def fin():
+        try:
+            api.Command.service_del(princ)
+        except Exception:
+            pass
+
+        try:
+            if not was_connected:
+                rpcclient.disconnect()
+        except Exception:
+            pass
+
+    request.addfinalizer(fin)
+    return princ
+
+
+ at pytest.fixture(params=[service_in_kerberos_subtree,
+                        service_in_service_subtree])
+def service(request):
+    return request.param(request)
+
+
+ at pytest.mark.skipif(
+    os.getuid() != 0, reason="kadmin.local is accesible only to root")
+class TestKadmin(object):
+    def assert_success(self, command, *args):
+        """
+        Since kadmin.local returns 0 also when internal errors occur, we have
+        to catch the command's stderr and check that it is empty
+        """
+        result = command(*args)
+        assert not result.error_output
+
+    def test_create_keytab(self, service, keytab):
+        """
+        tests that ktadd command works for both types of services
+        """
+        self.assert_success(
+            installutils.create_keytab,
+            keytab,
+            service)
+
+    def test_change_key(self, service, keytab):
+        """
+        tests that both types of service can have passwords changed using
+        kadmin
+        """
+        self.assert_success(
+            installutils.create_keytab,
+            keytab,
+            service)
+        self.assert_success(
+            installutils.kadmin,
+            'change_password -randkey {}'.format(service))
+
+    def test_append_key(self, service, keytab):
+        """
+        Tests that we can create a new keytab for both service types and then
+        append new keys to it
+        """
+        self.assert_success(
+            installutils.create_keytab,
+            keytab,
+            service)
+        self.assert_success(
+            installutils.create_keytab,
+            keytab,
+            service)
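Review bot: the `service` fixture (`params=[service_in_kerberos_subtree, service_in_service_subtree]` with `return request.param(request)`) calls fixture functions directly from another fixture, which pytest does not support as a fixture mechanism and newer releases reject outright; expressing the two variants as plain helper functions that the fixtures wrap, or as an indirectly parametrized fixture, keeps the suite forward-compatible. The `fin()` finalizers also swallow every exception with `except Exception: pass`, so a failed `delprinc` or `service_del` leaves a stray principal behind with no trace in the test output; logging the exception before ignoring it would make leaked test principals diagnosable. Minor: `pytest.yield_fixture` is deprecated since pytest 3.0 in favour of `pytest.fixture` with a `yield` body.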

commit f0f48ec14f3ff55852393927533ffd253cb5a04b
Author: Martin Babinsky <mbabinsk at redhat.com>
Date:   Thu Dec 15 17:09:12 2016 +0100

    Make `kadmin` family of functions return the result of ipautil.run
    
    This allows diagnosing the output and error code of these operations.
    Otherwise there is no way to infer their success or failure apart from
    inspecting logs post-mortem.
    
    https://fedorahosted.org/freeipa/ticket/6561
    
    Reviewed-By: Pavel Vomacka <pvomacka at redhat.com>

diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 597d74a..07e438d 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -446,14 +446,17 @@ def get_directive(filename, directive, separator=' '):
     return None
 
 def kadmin(command):
-    ipautil.run(["kadmin.local", "-q", command,
-                                 "-x", "ipa-setup-override-restrictions"])
+    return ipautil.run(["kadmin.local", "-q", command,
+                        "-x", "ipa-setup-override-restrictions"],
+                       capture_output=True,
+                       capture_error=True)
+
 
 def kadmin_addprinc(principal):
-    kadmin("addprinc -randkey " + principal)
+    return kadmin("addprinc -randkey " + principal)
 
 def kadmin_modprinc(principal, options):
-    kadmin("modprinc " + options + " " + principal)
+    return kadmin("modprinc " + options + " " + principal)
 
 def create_keytab(path, principal):
     try:
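Review bot: `raiseonerr` keeps its default in the new `ipautil.run(...)` call, so a non-zero exit from kadmin.local still raises `CalledProcessError` rather than being returned; the returned object therefore only carries the stdout/stderr of runs that exited 0, and since the commit message notes that kadmin.local exits 0 even on internal errors, callers must inspect `error_output` rather than `returncode`. A docstring on `kadmin()` stating this, or `raiseonerr=False` if callers are meant to see the exit code themselves, would make the contract explicit.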
@@ -462,7 +465,7 @@ def create_keytab(path, principal):
     except os.error:
         root_logger.critical("Failed to remove %s." % path)
 
-    kadmin("ktadd -k " + path + " " + principal)
+    return kadmin("ktadd -k " + path + " " + principal)
 
 def resolve_ip_addresses_nss(fqdn):
     """Get list of IP addresses for given host (using NSS/getaddrinfo).

commit 84f6df6349b5c412467746777e905d9e4f8792ca
Author: Alexander Bokovoy <abokovoy at redhat.com>
Date:   Thu Dec 15 16:30:00 2016 +0200

    ipa-kdb: search for password policies globally
    
    With the CoS templates now used to create additional password policies
    per object type that are placed under the object subtrees, the DAL driver
    needs to search for the policies in the whole tree.
    
    Individual policies referenced by the krbPwdPolicyReference attribute
    are always searched by their full DN and with the base scope. However,
    when the KDC asks a DAL driver to return a password policy by name, we
    don't have any specific base to search. The original code searched the
    realm subtree.
    
    Fixes https://fedorahosted.org/freeipa/ticket/6561
    
    Reviewed-By: Martin Babinsky <mbabinsk at redhat.com>

diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
index 076314a..0c810af 100644
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@@ -163,7 +163,7 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
     }
 
     kerr = ipadb_simple_search(ipactx,
-                               ipactx->realm_base, LDAP_SCOPE_SUBTREE,
+                               ipactx->base, LDAP_SCOPE_SUBTREE,
                                src_filter, std_pwdpolicy_attrs, &res);
     if (kerr) {
         goto done;
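Review bot: widening the search base from `ipactx->realm_base` to `ipactx->base` means a by-name lookup now matches any `krbPwdPolicy` entry anywhere under the suffix, so policy names become an implicit suffix-wide uniqueness requirement; unless the code after the search rejects multi-entry results, two subtrees holding policies with the same cn would make the policy the KDC applies depend on LDAP result ordering. A comment next to the search stating this requirement, and a check that the result set holds exactly one entry, would make the assumption explicit.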

commit 171bc3e6853f905184584e414cefa4f7296c02ea
Author: David Kupka <dkupka at redhat.com>
Date:   Fri Nov 25 00:10:41 2016 +0100

    tests: Expect krbpwdpolicyreference in result of {host,service}-{find,show} --all
    
    Result of {host,service}-{find,show} commands with option '--all' always contains
    the krbpwdpolicyreference attribute.
    
    https://fedorahosted.org/freeipa/ticket/6561
    
    Reviewed-By: Pavel Vomacka <pvomacka at redhat.com>

diff --git a/ipatests/test_xmlrpc/test_idviews_plugin.py b/ipatests/test_xmlrpc/test_idviews_plugin.py
index 5f87def..b1bb5ab 100644
--- a/ipatests/test_xmlrpc/test_idviews_plugin.py
+++ b/ipatests/test_xmlrpc/test_idviews_plugin.py
@@ -1029,6 +1029,11 @@ class test_idviews(Declarative):
                     serverhostname=[host3],
                     ipaassignedidview=[idview1],
                     ipakrboktoauthasdelegate=False,
+                    krbpwdpolicyreference=[DN(
+                        u'cn=Default Host Password Policy',
+                        api.env.container_host,
+                        api.env.basedn,
+                    )],
                 ),
             ),
         ),
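Review bot: the same `DN(u'cn=Default Host Password Policy', api.env.container_host, api.env.basedn)` literal is repeated in every hunk of this file and again in test_service_plugin.py and the trackers; hoisting it into a module-level constant, or a helper on the tracker next to the existing `retrieve_all_keys`, would keep the expected DN in one place when the policy location changes.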
@@ -1059,6 +1064,11 @@ class test_idviews(Declarative):
                     memberof_hostgroup=[hostgroup2],
                     memberofindirect_hostgroup=[hostgroup1],
                     ipakrboktoauthasdelegate=False,
+                    krbpwdpolicyreference=[DN(
+                        u'cn=Default Host Password Policy',
+                        api.env.container_host,
+                        api.env.basedn,
+                    )],
                 ),
             ),
         ),
@@ -1113,6 +1123,11 @@ class test_idviews(Declarative):
                     memberofindirect_hostgroup=[hostgroup1],
                     ipaassignedidview=[idview1],
                     ipakrboktoauthasdelegate=False,
+                    krbpwdpolicyreference=[DN(
+                        u'cn=Default Host Password Policy',
+                        api.env.container_host,
+                        api.env.basedn,
+                    )],
                 ),
             ),
         ),
@@ -1143,6 +1158,11 @@ class test_idviews(Declarative):
                     memberof_hostgroup=[hostgroup1],
                     ipaassignedidview=[idview1],
                     ipakrboktoauthasdelegate=False,
+                    krbpwdpolicyreference=[DN(
+                        u'cn=Default Host Password Policy',
+                        api.env.container_host,
+                        api.env.basedn,
+                    )],
                 ),
             ),
         ),
@@ -1216,6 +1236,11 @@ class test_idviews(Declarative):
                     serverhostname=[host1],
                     memberof_hostgroup=[hostgroup1],
                     ipakrboktoauthasdelegate=False,
+                    krbpwdpolicyreference=[DN(
+                        u'cn=Default Host Password Policy',
+                        api.env.container_host,
+                        api.env.basedn,
+                    )],
                 ),
             ),
         ),
@@ -1244,6 +1269,11 @@ class test_idviews(Declarative):
                     objectclass=objectclasses.host,
                     serverhostname=[host3],
                     ipakrboktoauthasdelegate=False,
+                    krbpwdpolicyreference=[DN(
+                        u'cn=Default Host Password Policy',
+                        api.env.container_host,
+                        api.env.basedn,
+                    )],
                 ),
             ),
         ),
@@ -1499,6 +1529,11 @@ class test_idviews(Declarative):
                     objectclass=objectclasses.host,
                     serverhostname=[host4],
                     ipakrboktoauthasdelegate=False,
+                    krbpwdpolicyreference=[DN(
+                        u'cn=Default Host Password Policy',
+                        api.env.container_host,
+                        api.env.basedn,
+                    )],
                 ),
             ),
         ),
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index fb2c4e7..f3940f4 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -270,6 +270,11 @@ class test_service(Declarative):
                     ipakrbrequirespreauth=True,
                     ipakrbokasdelegate=False,
                     ipakrboktoauthasdelegate=False,
+                    krbpwdpolicyreference=[DN(
+                        u'cn=Default Service Password Policy',
+                        api.env.container_service,
+                        api.env.basedn,
+                    )],
                 ),
             ),
         ),
@@ -334,6 +339,11 @@ class test_service(Declarative):
                         ipakrbrequirespreauth=True,
                         ipakrbokasdelegate=False,
                         ipakrboktoauthasdelegate=False,
+                        krbpwdpolicyreference=[DN(
+                            u'cn=Default Service Password Policy',
+                            api.env.container_service,
+                            api.env.basedn,
+                        )],
                     ),
                 ],
             ),
diff --git a/ipatests/test_xmlrpc/tracker/host_plugin.py b/ipatests/test_xmlrpc/tracker/host_plugin.py
index 7561906..4562d5d 100644
--- a/ipatests/test_xmlrpc/tracker/host_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/host_plugin.py
@@ -40,7 +40,8 @@ class HostTracker(KerberosAliasMixin, Tracker):
     retrieve_all_keys = retrieve_keys | {
         u'cn', u'ipakrbokasdelegate', u'ipakrbrequirespreauth', u'ipauniqueid',
         u'krbcanonicalname', u'managing_host', u'objectclass',
-        u'serverhostname', u'ipakrboktoauthasdelegate'}
+        u'serverhostname', u'ipakrboktoauthasdelegate',
+        u'krbpwdpolicyreference'}
     create_keys = retrieve_keys | {'objectclass', 'ipauniqueid',
                                    'randompassword'}
     update_keys = retrieve_keys - {'dn'}
@@ -113,6 +114,11 @@ class HostTracker(KerberosAliasMixin, Tracker):
             managing_host=[self.fqdn],
             serverhostname=[self.shortname],
             ipakrboktoauthasdelegate=False,
+            krbpwdpolicyreference=[DN(
+                u'cn=Default Host Password Policy',
+                self.api.env.container_host,
+                self.api.env.basedn,
+            )],
         )
         self.exists = True
 
diff --git a/ipatests/test_xmlrpc/tracker/service_plugin.py b/ipatests/test_xmlrpc/tracker/service_plugin.py
index 8a52446..e93a37f 100644
--- a/ipatests/test_xmlrpc/tracker/service_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/service_plugin.py
@@ -43,7 +43,7 @@ class ServiceTracker(KerberosAliasMixin, Tracker):
     retrieve_all_keys = retrieve_keys | {
         u'ipaKrbPrincipalAlias', u'ipaUniqueID', u'krbExtraData',
         u'krbLastPwdChange', u'krbLoginFailedCount', u'memberof',
-        u'objectClass', u'ipakrbrequirespreauth',
+        u'objectClass', u'ipakrbrequirespreauth', u'krbpwdpolicyreference',
         u'ipakrbokasdelegate', u'ipakrboktoauthasdelegate'}
 
     create_keys = (retrieve_keys | {u'objectclass', u'ipauniqueid'}) - {
@@ -96,6 +96,11 @@ class ServiceTracker(KerberosAliasMixin, Tracker):
             u'krbcanonicalname': [u'{0}'.format(self.name)],
             u'has_keytab': False,
             u'ipakrboktoauthasdelegate': False,
+            u'krbpwdpolicyreference': [DN(
+                u'cn=Default Service Password Policy',
+                self.api.env.container_service,
+                self.api.env.basedn,
+            )],
         }
 
         for key in self.options:

commit 08e7af9f0f8acac3dcd8dde1eee53261e5d25f1f
Author: David Kupka <dkupka at redhat.com>
Date:   Thu Sep 29 15:59:34 2016 +0200

    password policy: Add explicit default password policy for hosts and services
    
    Set explicitly krbPwdPolicyReference attribute to all hosts (entries in
    cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
    Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
    CoS so no attributes are really added.
    
    The default policies effectively disable any enforcement or lockout for hosts
    and services. Since hosts and services use keytabs, password enforcement
    doesn't make much sense. Also, the lockout policy could be used for an easy
    and cheap DoS.
    
    https://fedorahosted.org/freeipa/ticket/6561
    
    Reviewed-By: Pavel Vomacka <pvomacka at redhat.com>

diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
new file mode 100644
index 0000000..b1f9754
--- /dev/null
+++ b/install/updates/20-default_password_policy.update
@@ -0,0 +1,133 @@
+# Default password policies for hosts, services and Kerberos services
+# Setting all attributes to zero effectively disables any password policy
+# We can do this because hosts and services uses keytabs instead of passwords
+
+# hosts
+dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Host Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# services
+dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# kerberos policy container
+# this is necessary to avoid mixing the Kerberos sevice password policy
+# with group-membership based user password policies
+dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Kerberos Service Password Policy
+
+# kerberos services
+dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Kerberos Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# default password policies for hosts, services and kerberos services
+# cosPriority is set intentionally to higher number than FreeIPA API allows
+# to set to ensure that these password policies have always lower priority
+# than any defined by user.
+
+# hosts
+dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Hosts
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# services
+dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Services
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# kerberos services
+dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+
+dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:description: Default Password Policy for Kerberos Services
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
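Review bot: two typos in the comments: "hosts and services uses keytabs" should read "use keytabs", and "Kerberos sevice password policy" should read "service". On substance, the `cosAttribute: krbPwdPolicyReference default` qualifier is what lets an explicitly stored `krbPwdPolicyReference` on an entry win over the CoS-supplied value, which is how user-assigned policies keep working; that deserves a comment, as does a note confirming that the directory server accepts `cosPriority: 10000000000` (the value exceeds a signed 32-bit integer), so the next reader need not re-check it.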
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 455fd20..310ae39 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -23,6 +23,7 @@ app_DATA =				\
 	20-winsync_index.update		\
 	20-idoverride_index.update	\
 	20-uuid.update  \
+	20-default_password_policy.update \
 	21-replicas_container.update	\
 	21-ca_renewal_container.update	\
 	21-certstore_container.update	\
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 057cd3d..6bb2e76 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -252,6 +252,7 @@ class Service(object):
             # There is no service in the wrong location, nothing to do.
             # This can happen when installing a replica
             return None
+        entry.pop('krbpwdpolicyreference', None)  # don't copy virtual attr
         newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
         hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
         self.admin_conn.delete_entry(entry)
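Review bot: the inline comment "don't copy virtual attr" does not say why copying would be harmful; spelling out that the attribute is now CoS-supplied and that persisting it on the moved entry would pin the service to the Kerberos-subtree default policy (overriding the CoS value in its new location) would save the next reader a trip to the update file.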

commit c12a52f0d78b30931713a3548b22e799d41f3622
Author: Fraser Tweedale <ftweedal at redhat.com>
Date:   Tue Nov 15 14:02:54 2016 +1000

    certprofile-mod: correctly authorise config update
    
    Certificate profiles consist of a FreeIPA object, and a
    corresponding Dogtag configuration object.  When updating profile
    configuration, changes to the Dogtag configuration are not properly
    authorised, allowing unprivileged operators to modify (but not
    create or delete) profiles.  This could result in issuance of
    certificates with fraudulent subject naming information, improper
    key usage, or other badness.
    
    Update certprofile-mod to ensure that the operator has permission to
    modify FreeIPA certprofile objects before modifying the Dogtag
    configuration.
    
    https://fedorahosted.org/freeipa/ticket/6560
    
    Reviewed-By: Jan Cholasta <jcholast at redhat.com>

diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py
index f446607..2bd3311 100644
--- a/ipaserver/plugins/certprofile.py
+++ b/ipaserver/plugins/certprofile.py
@@ -310,6 +310,11 @@ class certprofile_mod(LDAPUpdate):
             raise errors.ProtectedEntryError(label='certprofile', key=keys[0],
                 reason=_('Certificate profiles cannot be renamed'))
         if 'file' in options:
+            # ensure operator has permission to update a certprofile
+            if not ldap.can_write(dn, 'ipacertprofilestoreissued'):
+                raise errors.ACIError(info=_(
+                    "Insufficient privilege to modify a certificate profile."))
+
             with self.api.Backend.ra_certprofile as profile_api:
                 profile_api.disable_profile(keys[0])
                 try:
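Review bot: `ldap.can_write(dn, 'ipacertprofilestoreissued')` tests write access to a single attribute as a proxy for permission to modify the whole profile, so any ACI that grants write on just that attribute also unlocks the Dogtag configuration update; if a narrower attribute-level permission is ever defined, this gate silently widens. A comment explaining why that attribute was chosen as the proxy would help later maintainers. The placement is right: the check precedes `disable_profile`, so a denied operator cannot leave the profile disabled.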

commit 2a2652187eaddec5d2a9cd757cec5874597213bc
Author: Martin Basti <mbasti at redhat.com>
Date:   Wed Dec 14 17:17:07 2016 +0100

    freeipa-4.4.3: update translations
    
    Reviewed-By: Martin Babinsky <mbabinsk at redhat.com>

diff --git a/install/po/bn_IN.po b/install/po/bn_IN.po
index 727c0e1..d5d2eb7 100644
--- a/install/po/bn_IN.po
+++ b/install/po/bn_IN.po
@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ipa\n"
 "Report-Msgid-Bugs-To: https://fedorahosted.org/freeipa/newticket\n"
-"POT-Creation-Date: 2016-08-29 10:39+0200\n"
+"POT-Creation-Date: 2016-12-14 17:00+0100\n"
 "PO-Revision-Date: 2015-01-05 01:08-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata at zanata.org>\n"
 "Language-Team: Bengali (India) (http://www.transifex.com/projects/p/freeipa/"
@@ -19,7 +19,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.6\n"
 
 msgid "Passwords do not match"
 msgstr "পাসওয়ার্ড দুটি মিলছে না"
diff --git a/install/po/ca.po b/install/po/ca.po
index c4feabc..e0ab376 100644
--- a/install/po/ca.po
+++ b/install/po/ca.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ipa\n"
 "Report-Msgid-Bugs-To: https://fedorahosted.org/freeipa/newticket\n"
-"POT-Creation-Date: 2016-08-29 10:39+0200\n"
+"POT-Creation-Date: 2016-12-14 17:00+0100\n"
 "PO-Revision-Date: 2015-01-05 01:08-0500\n"
 "Last-Translator: Copied by Zanata <copied-by-zanata at zanata.org>\n"
 "Language-Team: Catalan (http://www.transifex.com/projects/p/freeipa/language/"
@@ -18,7 +18,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.6\n"
 
 msgid "Error"
 msgstr "Error"
diff --git a/install/po/cs.po b/install/po/cs.po
index 8f16e6b..9dc807b 100644
--- a/install/po/cs.po
+++ b/install/po/cs.po
@@ -9,7 +9,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: ipa\n"
 "Report-Msgid-Bugs-To: https://fedorahosted.org/freeipa/newticket\n"
-"POT-Creation-Date: 2016-08-29 10:39+0200\n"
+"POT-Creation-Date: 2016-12-14 17:00+0100\n"
 "PO-Revision-Date: 2015-06-29 01:17-0400\n"
 "Last-Translator: Josef Hruška <hrusjos at gmail.com>\n"
 "Language-Team: Czech (http://www.transifex.com/projects/p/freeipa/language/"
@@ -19,7 +19,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.6\n"
 
 msgid "A string searched in all relevant object attributes"
 msgstr "Řetězec vyhledávaný ve všech odpovídajících atributech objektu"
diff --git a/install/po/de.po b/install/po/de.po
index 15bf418..04394fe 100644
--- a/install/po/de.po
+++ b/install/po/de.po
@@ -9,14 +9,15 @@
 # David Kreitschmann <david at kreitschmann.de>, 2015. #zanata
 # Martin Kosek <mkosek at redhat.com>, 2015. #zanata
 # Tomas Babej <tbabej at redhat.com>, 2015. #zanata
+# David Kreitschmann <david at kreitschmann.de>, 2016. #zanata
 # Martin Bašti <mbasti at redhat.com>, 2016. #zanata
 msgid ""
 msgstr ""
 "Project-Id-Version: ipa\n"
 "Report-Msgid-Bugs-To: https://fedorahosted.org/freeipa/newticket\n"
-"POT-Creation-Date: 2016-08-29 10:39+0200\n"
-"PO-Revision-Date: 2016-06-17 07:17-0400\n"
-"Last-Translator: Martin Bašti <mbasti at redhat.com>\n"
+"POT-Creation-Date: 2016-12-14 17:00+0100\n"
+"PO-Revision-Date: 2016-11-25 04:33-0500\n"
+"Last-Translator: David Kreitschmann <david at kreitschmann.de>\n"
 "Language-Team: German (http://www.transifex.com/projects/p/freeipa/language/"
 "de/)\n"
 "Language: de\n"
@@ -24,7 +25,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.6\n"
 
 msgid "Failed members"
 msgstr "Fehler bei Mitgliedern"
@@ -138,6 +139,9 @@ msgstr "preserve und no-preserve kann nicht gleichzeitig gesetzt sein"
 msgid "Invalid credentials"
 msgstr "Ungültige Zugangsdaten"
 
+msgid "Change password"
+msgstr "Passwort ändern"
+
 msgid "Data"
 msgstr "Daten"
 
@@ -3205,6 +3209,9 @@ msgstr "Speichern"
 msgid "Set"
 msgstr "Setzen"
 
+msgid "Stage"
+msgstr "Vorbereiten"
+
 msgid "Update"
 msgstr "Speichern"
 
@@ -4104,6 +4111,9 @@ msgstr "Die Globale Passwortregel kann nicht gelöscht werden"
 msgid "priority cannot be set on global policy"
 msgstr "Priorität der globalen Regel kann nicht gesetzt werden"
 
+msgid "RADIUS Servers"
+msgstr "Radius Server"
+
 msgid "roles"
 msgstr "Rollen"
 
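Review bot: the German string added at the end of this hunk, msgstr "Radius Server", lowercases the acronym and leaves the compound unhyphenated; RADIUS is an acronym in the source msgid "RADIUS Servers" and German compounds take a hyphen, so msgstr "RADIUS-Server" would be the expected form. Worth fixing before the string is shown in the Web UI navigation.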
diff --git a/install/po/es.po b/install/po/es.po
index 24a3072..32dc0ce 100644
--- a/install/po/es.po
+++ b/install/po/es.po
@@ -13,13 +13,14 @@
 # jdennis <jdennis at redhat.com>, 2011
 # Petr Viktorin <encukou at gmail.com>, 2012
 # Brian Curtich <bcurtich at gmail.com>, 2016. #zanata
+# Omar Berroterán S. <omarberroteranlkf at gmail.com>, 2016. #zanata
 msgid ""
 msgstr ""
 "Project-Id-Version: ipa\n"
 "Report-Msgid-Bugs-To: https://fedorahosted.org/freeipa/newticket\n"
-"POT-Creation-Date: 2016-08-29 10:39+0200\n"
-"PO-Revision-Date: 2016-05-20 05:18-0400\n"
-"Last-Translator: Brian Curtich <bcurtich at gmail.com>\n"
+"POT-Creation-Date: 2016-12-14 17:00+0100\n"
+"PO-Revision-Date: 2016-09-08 09:31-0400\n"
+"Last-Translator: Omar Berroterán S. <omarberroteranlkf at gmail.com>\n"
 "Language-Team: Spanish (http://www.transifex.com/projects/p/freeipa/language/"
 "es/)\n"
 "Language: es\n"
@@ -27,7 +28,7 @@ msgstr ""
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
-"X-Generator: Zanata 3.9.3\n"
+"X-Generator: Zanata 3.9.6\n"
 
 msgid "Failed members"
 msgstr "Miembros fallidos"
@@ -47,12 +48,39 @@ msgstr "Fallado servicio/servicio grupos"
 msgid "Failed to remove"
 msgstr "No se ha podido quitar"
 
+msgid "Failed RunAs"
+msgstr "Error al ejecutar como"
+
+msgid "Failed RunAsGroup"
+msgstr "Erro al ejecutar grupo como"
+
+msgid "Failed profiles"
+msgstr "Errores en los perfiles"
+
+msgid "Failed CAs"
+msgstr "Error en CAs"
+
 msgid "Failed managedby"
 msgstr "Falló managedby"
 
+msgid "Failed allowed to retrieve keytab"
+msgstr "Falló permitir recuperar una KeyTab"
+
+msgid "Failed allowed to create keytab"
+msgstr "Falló permitir crear una KeyTab"
+
+msgid "Failed targets"
+msgstr "Error en Objetivos"
+
+msgid "Failed owners"
+msgstr "Error en Propietarios"
+
 msgid "Failed to add"
 msgstr "Fallo al añadir"
 
+msgid "maps not connected to /etc/auto.master:"
+msgstr "mapa no conectado a /etc/auto.master"
+
 msgid "Import automount files for a specific location."
 msgstr "Importar ficheros de automontaje para una localización específica."
 
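Review bot: two of the added Spanish strings in this hunk do not match their msgid. "Failed RunAsGroup" is translated as msgstr "Erro al ejecutar grupo como", which has a typo ("Erro" for "Error") and a word order that changes the meaning; "Error al ejecutar como grupo" would be closer. The entry for "maps not connected to /etc/auto.master:" drops the trailing colon and renders the plural "maps" as singular ("mapa no conectado a /etc/auto.master"); since this label is printed immediately before a list of map names by the automount import command, the colon should be kept and the plural used, e.g. msgstr "mapas no conectados a /etc/auto.master:".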
@@ -72,15 +100,106 @@ msgstr ""
 msgid "File %(file)s not found"
 msgstr "No se encontró el archivo %(file)s "
 
+#, python-format
+msgid "key %(key)s already exists"
+msgstr "key %(key)s ya existe"
+
+#, python-format
+msgid "map %(map)s already exists"
+msgstr "map %(map)s ya existe"
+
+msgid "Imported maps:"
+msgstr "Mapas importados"
+
+#, python-format
+msgid "Added %(map)s"
+msgstr "%(map)s agregados"
+
+msgid "Imported keys:"
+msgstr "Llaves (keys) importadas"
+
+#, python-format
+msgid "Added %(src)s to %(dst)s"
+msgstr "Agregado %(src)s a %(dst)s"
+
+msgid "Ignored keys:"
+msgstr "Llaves ignoradas: "
+
+#, python-format
+msgid "Ignored %(src)s to %(dst)s"
+msgstr "%(src)s a %(dst)s ignorados"
+
+msgid "Duplicate maps skipped:"
+msgstr "Mapa duplicado omitido"
+
+#, python-format
+msgid "Skipped %(map)s"
+msgstr "%(map)s omitido"
+
+msgid "Duplicate keys skipped:"
+msgstr "Llaves duplicadas omitidas"
+
+#, python-format
+msgid "Skipped %(key)s"
+msgstr "%(key)s  omitida"
+
 msgid "Unrevoked"
 msgstr "No revocado"
 
 msgid "Error"
 msgstr "Error"
 
+msgid "Input filename"
+msgstr "Entrada nombre de archivo"
+
+msgid "File to load the certificate from."
+msgstr "Archivo desde donde cargar el certificado"
+
+msgid "cannot specify both raw certificate and file"
+msgstr "no puede especificar un certificado RAW y un archivo"
+
+#, python-format
+msgid "Profile configuration stored in file '%(file)s'"
+msgstr "Perfil de configuración guardado en el archivo '%(file)s'"
+
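Review bot: several of the added msgstr entries in this hunk are summary labels that the automount import output prints directly before a list, and the translations alter their trailing punctuation: "Imported maps:", "Imported keys:", "Duplicate maps skipped:" and "Duplicate keys skipped:" lose their colon, "Ignored keys:" gains a trailing space, and "Skipped %(key)s" gets a double space before "omitida". Two further entries change the meaning rather than the form: msgstr "Entrada nombre de archivo" for "Input filename" should read "Nombre del archivo de entrada", and msgstr "Perfil de configuración ..." for "Profile configuration stored in file '%(file)s'" means "configuration profile" and should be "Configuración del perfil guardada en el archivo '%(file)s'". The python-format placeholders are preserved correctly throughout, so only the wording needs attention.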