The cert-find command now uses the proxy to reach Dogtag, instead of using
the port 8080. In order to accomplish that, it's necessary to change the
proxy configuration including the URL called.
https://pagure.io/freeipa/issue/6966
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
There have been several instances of people using the profile
configuration template files as actual profile configurations,
resulting in failures and support load. Add a README to the profile
template directory to explain that these files should not be used
and advise of the recommend procedure.
Fixes: https://pagure.io/freeipa/issue/7014
Reviewed-By: Martin Basti <mbasti@redhat.com>
It is now possible to change UPN suffixes in WebUI. This change
allows another way to changing UPN suffixes for AD users.
https://pagure.io/freeipa/issue/7015
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
User with the 'Enrollment Administrator' role assigned is able to
enroll client with ipa-client-install command.
Resolves: https://pagure.io/freeipa/issue/6852
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Older clients have issues properly parsing cookies and the sessionMaxAge
setting is one of those that breaks them.
Comment out the setting and add a comment that explains why it is not
set by default.
https://pagure.io/freeipa/issue/7001
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The OCSP check was previously turned on but it introduced several
issues. Therefore the check will be turned off by default.
For turning on should be used ipa advise command with correct recipe.
The solution is tracked here: https://pagure.io/freeipa/issue/6982
Fixes: https://pagure.io/freeipa/issue/6981
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add the ipa-pkinit-manage tool to allow enabling / disabling PKINIT after
the initial server install.
https://pagure.io/freeipa/issue/7000
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When ipa-replica-conncheck is run but ssh is not installed, the tool exits
with a stack trace. Properly handle the error by raising an Exception in the
SshExec constructor, and catch the exception in order to ignore the error and
skip ssh test.
The tool will exit with the following output:
[...]
Check RPC connection to remote master
trying https://master.domain.com/ipa/session/json
Forwarding 'schema' to json server 'https://master.domain.com/ipa/session/json'
Retrying using SSH...
WARNING: ssh not installed, skipping ssh test
https://pagure.io/freeipa/issue/6935
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When requesting certificate for KDC profile, make sure its public part
is actually readable to others.
Fixes https://pagure.io/freeipa/issue/6973
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Warn the user some modifications may break IPA setup or upgrade.
All changes the user makes should be explicitly supported and mentioned
in the documentation. Undocumented and unsupported changes, such as
renaming dyndb part from "ipa" will break IPA.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Allow replacing the KDC certificate.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Allow installing 3rd party CA certificates trusted to issue PKINIT KDC
and/or client certificates.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known
to IPA.
Make sure `cacert.pem` is exported in all installation code paths.
Use the KDC certificate itself as a PKINIT anchor in `login_password`.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Introduce new IPAKrb5 lens to handle krb5.conf and kdc.conf changes using
Augeas. The stock Krb5 lens does not work on our krb5.conf and kdc.conf.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.
Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.
Make sure both bundles are exported in all installation code paths.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add named constants for common trust flag combinations.
Use the named constants instead of trust flags strings in the code.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Before proceeding with installation, validate DM password. If the
provided DM password is invalid, abort the installation.
Fixes https://pagure.io/freeipa/issue/6892
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Extract copy-pasted code to a single function.
Related https://pagure.io/freeipa/issue/6892
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add the `--external-ca-type`, as known from `ipa-server-install` and
`ipa-ca-install`, to `ipa-cacert-manage`.
This allows creating IPA CA CSRs suitable for use with Microsoft CS using
`ipa-cacert-manage`:
```
ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs
```
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Replace all uses of virtual profiles with `dogtag-ipa-ca-renew-agent-reuse`
and remove profile from the IPA CA certificate tracking request.
This prevents virtual profiles from making their way into CSRs and in turn
being rejected by certain CAs. This affected the IPA CA CSR with Microsoft
CS in particular.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Make sure a CSR is exported for the IPA CA whenever certmonger detects that
the CA certificate is about to expire.
This is a pre-requisite for using the `dogtag-ipa-ca-renew-agent-reuse` CA
instead of the `ipaCSRExport` virtual profile to export the CSR.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add a switch which makes `dogtag-ipa-ca-renew-agent-submit` reuse the
existing certificate rather than request a new one from the CA while
maintaining LDAP replication of the certificate.
Make this available as a new `dogtag-ipa-ca-renew-agent-reuse` certmonger
CA.
This allows redoing the LDAP replication and reexecuting pre- and post-save
commands of a tracking request without reissuing the certificate.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Use Dogtag's `caCACert` CA certificate profile rather than the
`ipaCACertRenewal` virtual profile for lightweight CA certificates.
The `ipaCACertRenewal` virtual profile adds special handling of externally
signed CA certificates and LDAP replication of issued certificates on top
of `caCACert`, neither of which is relevant for lightweight CA
certificates.
Remove all of the special casing of lightweight CA certificates from
dogtag-ipa-ca-renew-agent-submit.
Make sure existing lightweight CA certmonger tracking requests are updated
on server upgrade.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Do not bypass the renewal master check when a non-virtual profile is used
in dogtag-ipa-ca-renew-agent-submit.
This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master
setting for certificates tracked with a real profile. (Note that there
currently aren't any such certificates tracked by us.)
Request the RA certificate using dogtag-submit rather than
dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not
available so early in the install process.
https://pagure.io/freeipa/issue/5799
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipa-kra-install man page was missing a specific section for domain level 1.
This commits also fixes a wrong option short name (for --log-file) and
indents the text corresponding to -p DM_PASSWORD
https://pagure.io/freeipa/issue/6922
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
In commit 157831a287 the version bump was forgotten and therefore the
ipa.conf file is not replaced during upgrade and login using certificate when
single certificate is mapped to multiple users doesn't work.
https://pagure.io/freeipa/issue/6860
Reviewed-By: Martin Basti <mbasti@redhat.com>
Turn on NSSOCSP directive during install/replica install/upgrade.
That check whether the certificate which is used for login is
revoked or not using OSCP.
Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.
https://pagure.io/freeipa/issue/6370
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa-managed-entries would print "IPA is not configured on this system."
even though this is not true if run as a normal user. Add check for
root running the script.
https://pagure.io/freeipa/issue/6928
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
This reverts commit 2bab2d4963. It was
pointed out that apache has no access to /var/lib/ipa directory breaking
the session handling.
https://pagure.io/freeipa/issue/6880
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Runtime data should be stored in /var/run instead of /etc/httpd/alias.
This change is also compatible with selinux policy.
https://pagure.io/freeipa/issue/6880
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The entries in cn=topology,cn=ipa,cn=etc should not be taken in
account for the compat plugin.
https://pagure.io/freeipa/issue/6821
Reviewed-By: Martin Basti <mbasti@redhat.com>
The compat plugin was causing deadlocks with the topology plugin. Move
its setup at the end of the installation and remove the
cn=topology,cn=ipa,cn=etc subtree from its scope.
https://pagure.io/freeipa/issue/6821
Reviewed-By: Martin Basti <mbasti@redhat.com>
Due to LDAP connection refactoring, compat-manage would have behaved
differently for root and for other users even though it requires
the directory manager password. This is caused by it trying to do
external bind when it does not have the DIRMAN password which was
previously not supplied.
https://pagure.io/freeipa/issue/6821
Reviewed-By: Martin Basti <mbasti@redhat.com>
mod_wsgi has no way to import a WSGI module by dotted module name. A new
kdcproxy.wsgi script is used to import kdcproxy from whatever Python
version mod_wsgi is compiled against. This will simplify moving FreeIPA
to Python 3 and solves an import problem on Debian.
Resolves: https://pagure.io/freeipa/issue/6834
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Directive LookupUserByCertificateParamName tells mod_lookup_identity module the
name of GET parameter that is used to provide username in case certificate is
mapped to multiple user accounts.
Without this directive login with certificate that's mapped to multiple users
doesn't work.
https://pagure.io/freeipa/issue/6860
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Connect to LDAP after kinit is done, otherwise GSSAPI authentication will
fail.
https://pagure.io/freeipa/issue/6757
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Fixes an issue where the renew agent uses GSSAPI for LDAP connection but
fails because it is not authenticated.
This reverts commit 7462adec13.
https://pagure.io/freeipa/issue/6757
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
