Commit Graph

10954 Commits

Author SHA1 Message Date
Martin Babinsky
aa353c5f21 Merge AD trust configurator into server installer
ipa-server-install is now able to configure Samba and winbind services
and manage trusts to Active Directory right off the bat with following
alterations from standalone installer:

   * sidgen task is always triggered since there are only a few entries
     to tag in the beginning

   * the `--add-agents` option is hardcoded to False, as there are no
     potential agents to resolve and addd when setting up the first
     master in topology

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Martin Babinsky
13b5821fa4 expose AD trust related knobs in composite installers
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Martin Babinsky
77857ea776 Add AD trust installer interface for composite installer
This interface is to be used to provide AD trust-related options in
server and replica installer.

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Martin Babinsky
289060dd98 check for installed dependencies when *not* in standalone mode
The condition that controls when to check for samba dependencies was
misformulated. The check should be run when the installer is *not* run
as standalone. In standalone mode the check is already made in different
place so the original code triggered it twice.

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Martin Babinsky
ef37c42ab9 print the installation info only in standalone mode
There is no point in emitting this message during server/replica
install.

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Martin Babinsky
c17215ea3d adtrust.py: Use logging to emit error messages
Plain print messages are a) not logged into files and b) get lost in the
output from composite installer.

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Martin Babinsky
9348cfa996 Refactor the code searching and presenting missing trust agents
Use newly implemented APIs for searching and presenting potential
trust agents.

https://fedorahosted.org/freeipa/ticket/6639

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Martin Babinsky
c5bae57759 only check for netbios name when LDAP backend is connected
This is to prevent errors due to non-existent LDAP connection such as
when installing first IPA master.

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Martin Babinsky
4ba6b96839 Refactor the code checking for missing SIDs
Decompose the individual sub-tasks into separate functions. Also perform
the lookup only when LDAP is connected.

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Stanislav Laznicka
052de4308c Fix replica with --setup-ca issues
nolog argument of ipautil.run requires tuple, not a string.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 13:39:44 +00:00
Christian Heimes
79c0e6d355 Remove import nss from test_ldap
test_ldap just imported nss.nss to call nss_init_nodb(). It should be
safe to remove the call. Let's see what CI has to say.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-01 13:55:22 +01:00
Fraser Tweedale
49f87f34be dogtag: remove redundant property definition
The dogtag `ra' backend defines a `ca_host' property, which is also
defined (identically) by the `RestClient' class, which recently
became a superclass of `ra'.  Remove the redundant property
definition.

Part of: https://pagure.io/freeipa/issue/3473

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-01 13:53:18 +01:00
Simo Sorce
d5e7a57e5b Limit sessions to 30 minutes by default
When we changed the session handling code we unintentinally extended
sessions expiraion time to the whole ticket lifetime of 24h.

Related to https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-01 13:43:40 +01:00
Christian Heimes
a163ad77b3 certdb: Don't restore_context() of new NSSDB
It's not necesary to restore the context of newly created files. SELinux
ensures that new files have the correct permission. An explicit
restore_context() is only required when either policies have changed or
the context was changed manually.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-01 13:42:01 +01:00
Tomas Krizek
5055b34cef test_config: fix fips_mode key in Env
Setting fips_mode to object would fail if ipaplatform.tasks module
wasn't present.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-01 12:59:21 +01:00
Tomas Krizek
770d4cda43 Env __setitem__: replace assert with exception
Use exception to make debugging issues easier.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-01 12:59:21 +01:00
Christian Heimes
135d0b5dd1 Finish port to PyCA cryptography
* add missing default_backend
* unpad encrypted data
* use cryptography's hashes and HMAC construct
* remove hard dependency on python-nss from setup.py

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-01 12:51:50 +01:00
Nathaniel McCallum
d00ae870dd Migrate OTP import script to python-cryptography
https://fedorahosted.org/freeipa/ticket/5192

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-01 12:51:50 +01:00
Christian Heimes
3be696c92f Drop in-memory copy of schema zip file
The schema cache used a BytesIO buffer to read/write schema cache before
it got flushed to disk. Since the schema cache is now loaded in one go,
the temporary buffer is no longer needed.

File locking has been replaced with a temporary file and atomic rename.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-01 12:50:43 +01:00
Christian Heimes
332dbab1ff Speed up client schema cache
It's inefficient to open a zip file over and over again. By loading all
members of the schema cache file at once, the ipa CLI script starts
about 25 to 30% faster for simple cases like help and ping.

Before:

$ time for i in {1..20}; do ./ipa ping >/dev/null; done

real    0m13.608s
user    0m10.316s
sys     0m1.121s

After:

$ time for i in {1..20}; do ./ipa ping >/dev/null; done

real    0m9.330s
user    0m7.635s
sys     0m1.146s

https://fedorahosted.org/freeipa/ticket/6690

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-01 12:50:43 +01:00
Florence Blanc-Renaud
c49320435d Define template version in certmap.conf
A previous commit (ffb9a09a0d) removed the
definition of VERSION 2 in certmap.conf.template.

ipa-server-upgrade tool compares the template version with the version in
certmap.conf. As VERSION is not defined in either file, it concludes that
version = 0 for both and does not make a backup of certmap.conf even though
it prints that it will.

The fix re-defines VERSION in the template and adapts the code because the
template has changed (it is using $ISSUER_DN instead of
CN=Certificate Authority,$SUBJECT_BASE).

The fix also logs an error when a template file is not versioned.

https://fedorahosted.org/freeipa/ticket/6354

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-01 12:46:50 +01:00
Ganna Kaihorodova
10494b1bb3 Tests: Basic coverage with tree root domain
Extend existing legacy client tests to cover test cases with tree root domain.

https://fedorahosted.org/freeipa/ticket/6489

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-01 12:29:25 +01:00
Christian Heimes
2828a2b92b C compilation fixes and hardening
Fix "implicit declaration of function ‘strlen’" in ipa_pwd_ntlm.c,
credits to Lukas.

Add -Werror=implicit-function-declaration to CFLAGS to point developers
to missing includes. It causes compilation to fail when a developer
forgets to add a required include. The problem is no longer hidden in a
massive wall of text from make.

Silence a harmless error from 389-DS slapi.h until the bug is fixed in
downstream, https://pagure.io/389-ds-base/issue/48979

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-01 10:38:01 +01:00
Stanislav Laznicka
5ab85b365a Moving ipaCert from HTTPD_ALIAS_DIR
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.

https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6680

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
24b134c633 Added a PEMFileHandler for Custodia store
This is a preparation step to be able to handle sending RA agent
certificate over Custodia during domain level 1 replica installation.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
51a2b13729 Refactor certmonger for OpenSSL certificates
Currently, it was only possible to request an NSS certificate
via certmonger. Merged start_tracking methods and refactored them
to allow for OpenSSL certificates tracking.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
595f9b64e3 Workaround for certmonger's "Subject" representations
If an OpenSSL certificate is requested in Certmonger
(CERT_STORAGE == "FILE") the "Subject" field of such Certificate
is ordered as received. However, when an NSS certificate is
requested, the "Subject" field takes the LDAP order
(components get reversed). This is a workaround so that the behavior
stays the same.

The workaround should be removed when
https://pagure.io/certmonger/issue/62 gets fixed.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
76e8d7b35d Remove ipapython.nsslib as it is not used anymore
Previous changes allowed the removal of nsslib.

So long, and thanks for all the fish.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
2a9d1fb7d9 Remove NSSConnection from otptoken plugin
Replace NSSConnection with httplib.HTTPSConenction to be able to remove
NSSConnection for good.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
afea026a5c Remove pkcs12 handling functions from CertDB
These functions don't require anything from the CertDB instance,
move them out so no needless instantiation of CertDB is performed
in order to use them.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
0a54fac02c Remove NSSConnection from Dogtag
Replaced NSSConnection with Python's httplib.HTTPSConnection.
This class is OpenSSL-based.

A client certificate with a private key is required to authenticate
against the certificate server. We facilitate the RA_AGENT_PEM which
already exists.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
6b074ad833 Move publishing of CA cert to cainstance creation on master
IPAHTTPSConnection which is set up first time in certificate profiles
migration to LDAP requires CA cert to be stored in a file.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
1e89d28aaf Don't run kra.configure_instance if not necessary
If kra should not be set up, don't run the code as it would only
prolong the installations.

Previously, krainstance configuration would be performed just to
export the client certificate and private key to authenticate to
certificate server. This is now performed somewhere else therefore
there's no need to run KRAInstance.configure_instance.

The kra.install() method still performs actions on replicas and
we're keeping it in server installer to conform to the installers
design.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
2a1494c9ae Move RA agent certificate file export to a different location
HTTPS connection to certificate server requires client authentication
so we need a file with client certificate and private key prior to
its first occurence which happens during migration of certificate
profiles to LDAP.

https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
dfd560a190 Remove NSSConnection from the Python RPC module
NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires database password which makes the `ipa` command
totally unusable.

NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.

The HTTPSConnection is set up to handle authentication with client
certificate for connections to Dogtag server as RA agent. It allows
to handle client cert/private key in separate files and also
encrypted private key files.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Florence Blanc-Renaud
98e3b14a04 Fix ipa.service unit re. gssproxy
ipa.service unit defines Requires=gssproxy. Because of this, during
ipa-server-upgrade, the restart of gssproxy triggers a restart of ipa unit
(hence stopping LDAP server and breaking the connection api.Backend.ldap2).
Calls using this connection after gssproxy restart fail and ipa-server-upgrade
exits on failure.
The fix defines Wants=gssproxy to avoid the restart of ipa.service

https://fedorahosted.org/freeipa/ticket/6705

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-01 10:29:57 +01:00
Fraser Tweedale
b81ac59640 ca: correctly authorise ca-del, ca-enable and ca-disable
CAs consist of a FreeIPA and a corresponding Dogtag object.  When
executing ca-del, ca-enable and ca-disable, changes are made to the
Dogtag object.  In the case of ca-del, the corresponding FreeIPA
object is deleted after the Dogtag CA is deleted.

These operations were not correctly authorised; the FreeIPA
permissions are not checked before the Dogtag operations are
executed.  This allows any user to delete, enable or disable a
lightweight CA (except the main IPA CA, for which there are
additional check to prevent deletion or disablement).

Add the proper authorisation checks to the ca-del, ca-enable and
ca-disable commands.

https://pagure.io/freeipa/issue/6713

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 14:30:23 +00:00
Ben Lipton
ada91c2058 csrgen: Support encrypted private keys
https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 09:02:49 +00:00
Ben Lipton
4350dcdea2 csrgen: Allow overriding the CSR generation profile
In case users want multiple CSR generation profiles that work with the
same dogtag profile, or in case the profiles are not named the same,
this flag allows specifying an alternative CSR generation profile.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 09:02:49 +00:00
Ben Lipton
39a5d9c5aa csrgen: Automate full cert request flow
Allows the `ipa cert-request` command to generate its own CSR. It no
longer requires a CSR passed on the command line, instead it creates a
config (bash script) with `cert-get-requestdata`, then runs it to build
a CSR, and submits that CSR.

Example usage (NSS database):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --database /tmp/certs

Example usage (PEM private key file):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --private-key /tmp/key.pem

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 09:02:49 +00:00
Thorsten Scherf
16dac0252e added ssl verification using IPA trust anchor
https://fedorahosted.org/freeipa/ticket/6686

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-02-27 07:53:05 +00:00
Stanislav Laznicka
e2d1b21c50 Remove md5_fingerprints from IPA
MD5 is a grandpa and FIPS does not like it at all.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-23 18:59:01 +01:00
Christian Heimes
dcb6181525 lite-server: validate LDAP connection and cache schema
The LDAP schema cache makes the lite-server behave more like mod_wsgi.

See https://fedorahosted.org/freeipa/ticket/6679

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-23 18:55:38 +01:00
Thorsten Scherf
573a0f1ffe added help about default value for --external-ca-type option
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-23 18:54:53 +01:00
Jan Cholasta
19060db1b8 compat: fix Any params in batch and dnsrecord
The `methods` argument of `batch` and `dnsrecords` attribute of `dnsrecord`
were incorrectly defined as `Str` instead of `Any`.

https://fedorahosted.org/freeipa/ticket/6647

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-23 18:53:50 +01:00
Stanislav Laznicka
a39effed76 Remove DM password files after successfull pkispawn run
https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-23 14:54:43 +01:00
Stanislav Laznicka
728a6bd422 Remove ra_db argument from CAInstance init
The ra_db argument to CAInstance init is a constant so it can
be removed. This constant corresponds to the default CertDB directory
and since CertDB now passes passwords to its inner NSSDatabase instance
we do need to care about having our own run_certutil() method.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-23 14:54:43 +01:00
Martin Kosek
b367c3a622 Update Contributors.txt
Update mailmap with the new mistyped authors and generate a new
Contributors list.

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-02-23 10:16:44 +01:00
Stanislav Laznicka
32076df102 Fix ipa-server-upgrade
Running ipa-server-upgrade would fail to stop ipa_memcached if
it's already uninstalled.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-02-23 10:14:49 +01:00
Stanislav Laznicka
8c2cd66269 Use newer Certificate.serial_number in krainstance.py
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-02-23 10:14:04 +01:00