freeipa / freeipa-wiki Goto Github PK

Sources for www.freeipa.org

Shell 0.05% PHP 57.02% Ruby 0.06% JavaScript 40.50% CSS 1.09% Python 0.10% Makefile 0.01% Lua 0.01% Gherkin 0.02% Emacs Lisp 0.01% HTML 0.03% PLSQL 0.18% PLpgSQL 0.18% Perl 0.07% Batchfile 0.01% TSQL 0.05% Less 0.63% Handlebars 0.01% Mustache 0.01%

freeipa-wiki's Introduction

FreeIPA Server

FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based management tools.

FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization.

Benefits

FreeIPA:

Allows all your users to access all the machines with the same credentials and security settings
Allows users to access personal files transparently from any machine in an authenticated and secure way
Uses an advanced grouping mechanism to restrict network access to services and files only to specific users
Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
Enables delegation of selected administrative tasks to other power users
Integrates into Active Directory environments

Components

The FreeIPA project provides unified installation and management tools for the following components:

LDAP Server - based on the 389 project
KDC - based on MIT Kerberos implementation
PKI based on Dogtag project
Samba libraries for Active Directory integration
DNS Server based on BIND and the Bind-DynDB-LDAP plugin

Project Website

Releases, announcements and other information can be found on the IPA server project page at http://www.freeipa.org/ .

Documentation

The most up-to-date documentation can be found at http://freeipa.org/page/Documentation .

Quick Start

To get started quickly, start here: http://www.freeipa.org/page/Quick_Start_Guide

For developers

Building FreeIPA from source
- http://www.freeipa.org/page/Build
- See the BUILD.txt file in the source root directory

Licensing

Please see the file called COPYING.

Contacts

If you want to be informed about new code releases, bug fixes, security fixes, general news and information about the IPA server subscribe to the freeipa-announce mailing list at https://www.redhat.com/mailman/listinfo/freeipa-interest/ .
If you have a bug report please submit it at: https://pagure.io/freeipa/issues
If you want to participate in actively developing IPA please subscribe to the freeipa-devel mailing list at https://lists.fedoraproject.org/archives/list/[email protected]/ or join us in IRC at irc://irc.libera.chat/freeipa

freeipa-wiki's People

Contributors

Stargazers

Watchers

Forkers

harmzway abbra

freeipa-wiki's Issues

FreeIPA release - better automation of wiki updates

Lower amount of manual changes done to wiki, as part of FreeIPA release process.

See freeipa-devel thread for details.

Set up mail infrastructure

As announced in wiki migration thread, I plan to base FreeIPA wiki mail infrastructure on MailGun, so that wiki can send emails or notifications, when needed.

This has a lower priority, given that authentication is OIDC based and not password based currently and thus we do not need "forgotten password" emails.

Setup regular backup

Setup regular backup for the new wiki infrastructure.

www.freeipa.org down

Attempted accessing from several ISPs, getting the same error message (screenshot attached):

Application is not available

The application is currently not serving requests at this endpoint. It may not have been started or is still starting.

Possible reasons you are seeing this page:

The host doesn't exist. Make sure the hostname was typed correctly and that a route matching this hostname exists.
The host exists, but doesn't have a matching path. Check if the URL path was typed correctly and that the route was created using the desired path.
Route and path matches, but all pods are down. Make sure that the resources exposed by this route (pods, services, deployment configs, etc) have at least one pod running.

Deploy a web tracking service (piwik)

The current piwik service hosted on the old OpenShift deployment will stop working when OpenShift v2 goes EOL.

New piwik service should be deployed on current OpenShift container platform. A potential blocker to this effort is ability to deploy piwik on OpenShift (see matomo-org/docker#55)

Remove OIDC return_uri hack

As FreeIPA wiki is running behind proxy, it's internal URI is different from the exposed one. I had to hack OIDC plugin to return a configured return URI, otherwise Ipsilon would reject the OIDC authentication: cc32652.

This hack should be fixed, otherwise the OIDC plugin needs to be hacked again after every update.

Current OIDC plugin does not name new accounts properly

As reported in the FreeIPA wiki OIDC registration ticket, when OIDC plugin cannot find issuer&subject pair in FreeIPA wiki database, it will create a new account. However, it will not set the right user name:

+---------+-----------+----------------+---------------+------------------+-------------------+----------------+----------------------------------+--------------------------+------------------+--------------------------+-------------------+-------------------+----------------+-----------------------+---------+---------------------------------------+
| user_id | user_name | user_real_name | user_password | user_newpassword | user_email | user_touched | user_token | user_email_authenticated | user_email_token | user_email_token_expires | user_registration | user_newpass_time | user_editcount | user_password_expires | subject | issuer |
+---------+-----------+----------------+---------------+------------------+-------------------+----------------+----------------------------------+--------------------------+------------------+--------------------------+-------------------+-------------------+----------------+-----------------------+---------+---------------------------------------+
| 290 | User1 | Martin Kosek | | | mkosek @redhat.com | 20171110193530 | 160516ee51a82595e4ae6aa6364594ba | 20171110193524 | | NULL | 20171110193523 | NULL | 0 | NULL | mkosek | https://id.fedoraproject.org/openidc/ |
+---------+-----------+----------------+---------------+------------------+-------------------+----------------+----------------------------------+--------------------------+------------------+--------------------------+-------------------+-------------------+----------------+-----------------------+---------+---------------------------------------+
1 row in set (0.01 sec)

I am specifically talking about the "User1" part. https://www.mediawiki.org/wiki/Extension:OpenID_Connect is talking about "preferred username was provided by the issuer", so I wonder if there is some Ipsilon/OIDC setting that could let the plugin use Fedora user name as the "preferred username".

Workaround: have new user renamed manually by some of the wiki admins until this is fixed (you can drop email to mkosek at redhat.com).