Issue #5959: The framework needs to run in a spearate process - freeipa

freeipa

#5959 The framework needs to run in a spearate process

Closed: fixed 7 years ago Opened 7 years ago by simo.

The IPA framework should sto prunning as the Apache user and instead be run as a separate use via mod_wsgi configuration.

This is need to implement privilege separation so that the framework will not be able to impersonate random users, only the apache authentication modules should be able to.

This is related to both efforts to introduce External Authentication[1] and efforts to add GSSAPI authentication proxying to dogtag[2].

[1] http://www.freeipa.org/page/V4/External_Authentication
[2] https://fedorahosted.org/freeipa/ticket/5011

mbasti commented 7 years ago

master:

d5af11f renew agent: handle non-replicated certificates
ad49bda dogtaginstance: track server certificate with our renew agent
926fe20 cainstance: do not configure renewal guard

jcholast commented 7 years ago

master:

c894ebe Change session handling
38c6689 Generate tmpfiles config at install time
b109f5d Drop use of kinit_as_http from trust code
b6741d8 Use Anonymous user to obtain FAST armor ccache
d2f5fc3 Configure HTTPD to work via Gss-Proxy
d124e30 Separate RA cert store from the HTTP cert store
f648c56 Simplify NSSDatabase password file handling
c2b1b2a Always use /etc/ipa/ca.crt as CA cert file
4fd8983 Add a new user to run the framework code
4bd2d6a Rationalize creation of RA and HTTPD NSS databases
00a9d2f Fix uninstall stopping ipa.service
41c1efc Allow rpc callers to pass ccache and service names
09c92e2 Explicitly pass down ccache names for connections
e4d462a Insure removal of session on identity change

jcholast commented 7 years ago

master:

b4fa354 client install: create /etc/ipa/nssdb with correct mode
ba8a10f server upgrade: fix upgrade in CA-less
97e838e server upgrade: fix upgrade from pre-4.0
6d34c21 server upgrade: uninstall ipa_memcached properly

mbasti commented 7 years ago

master:

32076df Fix ipa-server-upgrade

Metadata Update from @simo:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5

7 years ago

mbasti commented 7 years ago

master:

d5e7a57 Limit sessions to 30 minutes by default

mbabinsk commented 7 years ago

master:

8fb61a5 backup: backup anonymous keytab

Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)

7 years ago

pvoborni commented 7 years ago

Was implemented in 4.5. Regressions are filed separately.

Metadata Update from @pvoborni:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

7 years ago

Metadata

Assignee

someone

Tags

None

Blocking

None

Depending on

None

Priority

important

Milestone

FreeIPA 4.5.1

None

affects_doc

None

source

None

knownissue

None

type

task

blockedby

None

test_case

None

component

IPA

blocking

5011

on_review

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

todo

tester

None

changelog

None

design

http://www.freeipa.org/page/V4/External_Authentication

freeipa

Source Code

#5959 The framework needs to run in a spearate process Closed: fixed 7 years ago Opened 7 years ago by simo.

Metadata

#5959 The framework needs to run in a spearate process

Closed: fixed 7 years ago Opened 7 years ago by simo.