Commit Graph

9606 Commits

Author SHA1 Message Date
Martin Basti
5760cc9182 Use python2 for ipa cli
Switch 'ipa' command to py3 has been done prematurely, this commit sets python2 as interpreter for ipa cli.

https://fedorahosted.org/freeipa/ticket/5638

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-14 13:07:04 +02:00
Martin Basti
ee08f3e237 Revert "Switch /usr/bin/ipa to Python 3"
This reverts commit 1ebd8334bc.

Switch 'ipa' command to py3 has been done prematurely, thus this commit
reverts it from IPA 4.3.2 and temporarily from master because it is
blocker for developing of the new features.

https://fedorahosted.org/freeipa/ticket/5638

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-14 13:07:04 +02:00
Florence Blanc-Renaud
2c7ec27ad9 batch command can be used to trigger internal errors on server
In ipalib, the batch command expects a specific format for arguments.
The code did not check the format of the parameters, which could trigger
internal errors on the server.
With this fix:
- a ConversionError is raised if the arg passed to batch() is not a list of
dict
- the result appended to the batch results is a ConversionError if the
'params' does not contain a tuple(list,dict)

https://fedorahosted.org/freeipa/ticket/5810

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-06-14 09:26:15 +02:00
David Kupka
9f48c39649 installer: index() raises ValueError
Expecting IndexError instead of ValueError led to traceback instead of correctly
reporting the error situation.

https://fedorahosted.org/freeipa/ticket/5945

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-13 18:04:40 +02:00
David Kupka
54318d1a2c installer: positional_arguments must be tuple or list of strings
Setting string here was causing search for substring instead of search for value
in tuple or list.

https://fedorahosted.org/freeipa/ticket/5945

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-13 18:04:40 +02:00
Martin Babinsky
21def4fde0 Server Roles: provide an API for setting CA renewal master
`ipa config-mod` gained '--ca-renewal-master' options which can be used to
set CA renewal master to a different server. Obviously, this server has to
have CA role enabled.

https://fedorahosted.org/freeipa/ticket/5689
http://www.freeipa.org/page/V4/Server_Roles

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00
Martin Babinsky
5f7086e718 Server Roles: make *config-show consume relevant roles/attributes
This patch modifies config objects so that the roles/attributes relevant to
the configuration are shown in the output:

* config-{show,mod} will show list of all IPA masters, CA servers and CA
  renewal master

* dnsconfig-{show,mod} will list all DNS server and DNS key master

* trustconfig-{show,mod} will list all AD trust controllers and agents

* vaultconfig-show will list all Key Recovery Agents

http://www.freeipa.org/page/V4/Server_Roles
https://fedorahosted.org/freeipa/ticket/5181

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00
Martin Babinsky
b9aa31191b Server Roles: make server-{show,find} utilize role information
server-show command will now display list of roles enabled on the master
(unless `--raw` is given).

server-find gained `--servroles` options which facilitate search for server
having one or more enabled roles.

http://www.freeipa.org/page/V4/Server_Roles
https://fedorahosted.org/freeipa/ticket/5181

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00
Martin Babinsky
80cbddaa37 Server Roles: public API for server roles
This patch implements the `serverroles` API plugin which introduces the
following commands:

    * server-role-show SERVER ROLE: show status of a single role on a server
    * server-role-find [--server SERVER [--role SERVROLE [--status=STATUS]]]:
      find role(s) SERVROLE and return their status on IPA
      masters. If --server option is given, the query is limited to this
      server. --status options filters the output by status [enabled vs.
      configurer vs. absent]

https://fedorahosted.org/freeipa/ticket/5181
http://www.freeipa.org/page/V4/Server_Roles

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00
Martin Babinsky
40d8dded7f Test suite for serverroles backend
Tests retrieving roles/attributes and setting server attributes in various
scenarios.

https://fedorahosted.org/freeipa/ticket/5181

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00
Martin Babinsky
d07b7e0f6f Server Roles: Backend plugin to query roles and attributes
`serverroles` backend consumes the role/attribute instances defined in
`ipaserver/servroles.py` module to provide low-level API for querying
role/attribute status in the topology. This plugin shall be used to implement
higher-level API commands.

https://www.freeipa.org/page/V4/Server_Roles
https://fedorahosted.org/freeipa/ticket/5181

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00
Martin Babinsky
7e2bef0b9f Server Roles: definitions of server roles and attributes
This patch introduces classes which define the properties of server roles and
attributes and their relationship to LDAP attributes representing the
role/attribute.

A brief documentation about defining and using roles is given at the beginning
of the module.

http://www.freeipa.org/page/V4/Server_Roles
https://fedorahosted.org/freeipa/ticket/5181

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00
Ludwig Krispenz
0b11b36bf2 v2 - avoid crash in topology plugin when host list contains host with no hostname
ticket #5928

prevent a crash when dereferncing a NULL hostnam, log an error to help debugging
fix an incorrect order of statement when freeing a host list

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2016-06-13 16:25:03 +02:00
Martin Basti
493ae1e502 Fix: Local variable s_indent might be referenced before defined
Sanity fix to make sure we do not hit UnboundLocalError and fail
terribly

https://fedorahosted.org/freeipa/ticket/5921

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-13 13:58:36 +02:00
Pavel Vomacka
3bac6de49e Correct a jslint warning
This patch removes comma at the end of list, just because of jslint warning.
It does not have any impact on functionality.

https://fedorahosted.org/freeipa/ticket/5937

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-13 13:52:25 +02:00
Alexander Bokovoy
d6266476fa webui: support external flag to trust-add
https://fedorahosted.org/freeipa/ticket/5904

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-11 17:28:25 +02:00
Alexander Bokovoy
5b0dbe7e59 webui: show UPN suffixes in trust properties
https://fedorahosted.org/freeipa/ticket/5937

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-11 17:28:25 +02:00
Alexander Bokovoy
bb75f5a583 adtrust: support UPNs for trusted domain users
Add support for additional user name principal suffixes from
trusted Active Directory forests. UPN suffixes are property
of the forest and as such are associated with the forest root
domain.

FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
attribute of ipaNTTrustedDomain object class.

In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.

For more details on UPN and naming in Active Directory see
https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx

https://fedorahosted.org/freeipa/ticket/5354

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-11 17:25:50 +02:00
Alexander Bokovoy
b506fd178e adtrust: support GSSAPI authentication to LDAP as Active Directory user
In case an ID override was created for an Active Directory user in the
default trust view, allow mapping the incoming GSSAPI authenticated
connection to the ID override for this user.

This allows to self-manage ID override parameters from the CLI, for
example, SSH public keys or certificates. Admins can define what can be
changed by the users via self-service permissions.

Part of https://fedorahosted.org/freeipa/ticket/2149
Part of https://fedorahosted.org/freeipa/ticket/3242

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-10 13:39:02 +02:00
Alexander Bokovoy
a0f953e0ff adtrust: remove nttrustpartner parameter
MS-ADTS spec requires that TrustPartner field should be equal to the
commonName (cn) of the trust. We used it a bit wrongly to express
trust relationship between parent and child domains. In fact, we
have parent-child relationship recorded in the DN (child domains
are part of the parent domain's container).

Remove the argument that was never used externally but only supplied by
trust-specific code inside the IPA framework.

Part of https://fedorahosted.org/freeipa/ticket/5354

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-10 12:24:00 +02:00
Martin Basti
478017357b Revert "adtrust: remove nttrustpartner parameter"
This reverts commit 185806432d.

The wrong version of patch has been pushed.

https://fedorahosted.org/freeipa/ticket/5354

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-10 12:20:17 +02:00
Alexander Bokovoy
185806432d adtrust: remove nttrustpartner parameter
MS-ADTS spec requires that TrustPartner field should be equal to the
commonName (cn) of the trust. We used it a bit wrongly to express
trust relationship between parent and child domains. In fact, we
have parent-child relationship recorded in the DN (child domains
are part of the parent domain's container).

Remove the argument that was never used externally but only supplied by
trust-specific code inside the IPA framework.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-10 09:58:43 +02:00
Alexander Bokovoy
8ca7a4c947 trusts: Add support for an external trust to Active Directory domain
External trust is a trust that can be created between Active Directory
domains that are in different forests or between an Active Directory
domain. Since FreeIPA does not support non-Kerberos means of
communication, external trust to Windows NT 4.0 or earlier domains is
not supported.

The external trust is not transitive and can be established to any
domain in another forest. This means no access beyond the external
domain is possible via the trust link.

Resolves: https://fedorahosted.org/freeipa/ticket/5743
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-09 21:04:31 +02:00
Martin Basti
971b4bf009 Fix resolve_rrsets: RRSet is not hashable
We cannot use set() with RRSet objects, because RRSet object is not
hashable. A set was replaced by list.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-09 15:42:10 +02:00
Florence Blanc-Renaud
53524fbbff add context to exception on LdapEntry decode error
When reading the content of an invalid LDAP entry, the exception
only displays the attribute name and value, but not the DN of the entry.
Because of this, it is difficult to identify the root cause of the
problem.

The fix raises a ValueError exception which also contains the entry DN.

https://fedorahosted.org/freeipa/ticket/5434

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-06-09 14:31:40 +02:00
Sumit Bose
aa734da494 extdom: add certificate request
Related to https://fedorahosted.org/freeipa/ticket/4955

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2016-06-09 14:28:47 +02:00
Pavel Vomacka
b1df1cfe71 Add lists of hosts allowed to create or retrieve keytabs
Attributes tables are added on host and service pages.

https://fedorahosted.org/freeipa/ticket/5931

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-09 14:24:54 +02:00
Pavel Vomacka
5f48df48d4 DNS Locations: WebUI part
WebUI part of DNS Location feature.

https://fedorahosted.org/freeipa/ticket/5905

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-09 14:20:02 +02:00
Pavel Vomacka
5a8ad3e982 Add adapter attribute for choosing record
The new attribute of the adapter contains the name of record which will be
extracted from API call result.

Part of: https://fedorahosted.org/freeipa/ticket/5905

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-09 14:20:02 +02:00
Pavel Vomacka
740099cf0b Fix bad searching of reverse DNS zone
There was a problem with finding correct DNS zone. It found a first substring match.
Therefore when there was location 0.10.10.in-addr.arpa. and 110.10.10.in-addr.arpa
the location for IP address 10.10.110.1 was the first one, which is incorrect. Now
it finds the second one, because it finds the longest match.

https://fedorahosted.org/freeipa/ticket/5796

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-09 14:04:33 +02:00
David Kupka
da5885b72a man: Decribe ipa-client-install workaround for broken D-Bus enviroment.
https://fedorahosted.org/freeipa/ticket/5694

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-06-09 13:08:46 +02:00
Jan Cholasta
0f99531256 spec file: require correct packages to get API plugins
Since ipalib.plugins was split into ipaserver.plugins and
ipaclient.plugins, require python-ipaserver and/or python-ipaclient instead
of python-ipalib where appropriate.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-09 09:11:28 +02:00
Jan Cholasta
64aa4496e2 schema: fix typo
This fixes summary lines for commands in the help command.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-09 09:11:28 +02:00
Jan Cholasta
585e0d1b8c schema: fix topic command output
Return topic names as text instead of binary blob.

This fixes ipa help topic display.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-09 09:11:28 +02:00
Jan Cholasta
3157eec28f replica install: use remote server API to create service entries
Use the existing remote server API to create service entries instead of a
client API.

This fixes a crash during replica promotion due to unavailable schema.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-09 09:11:28 +02:00
Jan Cholasta
9c19dd3506 schema: do not validate unrequested params in command_defaults
Request specific params when getting the defaults instead of getting
defaults for all params and filtering the result.

This fixes command_defaults failing with validation errors on unrequested
params.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-09 09:11:28 +02:00
Fraser Tweedale
4660bb7ff0 Add custodia store for lightweight CA key replication
Due to limitations in Dogtag's use of NSSDB, importing private keys
must be done by the Dogtag Java process itself.  This requires a
PKIArchiveOptions format (signing key wrapped with host CA key) -
PKCS #12 cannot be used because that would require decrypting the
key in Dogtag's memory, albeit temporarily.

Add a new custodia store that executes a 'pki' command to acquire
the wrapped key.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-09 09:04:27 +02:00
Fraser Tweedale
903a90fb4e Authorise CA Agent to manage lightweight CAs
Add Dogtag ACLs that authorise the CA Agent certificate to manage
lightweight CAs.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-09 09:04:27 +02:00
Fraser Tweedale
b0d9a4728f Setup lightweight CA key retrieval on install/upgrade
Add the ipa-pki-retrieve-key helper program and configure
lightweight CA key replication on installation and upgrade.  The
specific configuration steps are:

- Add the 'dogtag/$HOSTNAME' service principal
- Create the pricipal's Custodia keys
- Retrieve the principal's keytab
- Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever
  to invoke ipa-pki-retrieve-key for key retrieval

Also bump the minimum version of Dogtag to 10.3.2.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-09 09:04:27 +02:00
Fraser Tweedale
0d37d230c0 Optionally add service name to Custodia key DNs
Lightweight CAs support introduces new service principals for
Dogtag, with Custodia keys.  The current Custodia key creation uses
a DN that contains only they key type and the hostname, so keys for
multiple services on the same host cannot be created.

Add the 'generate_keys' method to generate keys for a host or an
arbitrary service.  When a service name is given, add the key
entries in a nested container with RDN 'cn=<service name>'.  (The
container is assumed to exist).

This change does not affect searching because subtree search is
used, filtering on the ipaKeyUsage and memberPrincipal attributes.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-09 09:04:27 +02:00
Fraser Tweedale
b584ffa4ac Add ACIs for Dogtag custodia client
The "dogtag/$HOSTNAME@$REALM" service principal uses Custodia to
retrieve lightweight CA signing keys, and therefore needs search and
read access to Custodia keys.  Add an ACI to permit this.

Also add ACIs to allow host principals to manage Dogtag custodia
keys for the same host.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-09 09:04:27 +02:00
Alexander Bokovoy
29d669fec1 otptoken: support Python 3 for the qr code
When IPA client is using Python 3, there is no str.decode() method
anymore.

ipa: ERROR: AttributeError: 'str' object has no attribute 'decode'
Traceback (most recent call last):
 File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1345, in run
   sys.exit(api.Backend.cli.run(argv))
 File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1110, in run
   rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
 File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 103, in output_for_cli
   qr = self._get_qrcode(output, uri, options['version'])
 File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 61, in _get_qrcode
   qr_code = qr_output.getvalue().decode(encoding)
AttributeError: 'str' object has no attribute 'decode' ipa: ERROR: an internal error has occurred

Fixes https://fedorahosted.org/freeipa/ticket/5938

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-09 08:09:33 +02:00
Fraser Tweedale
6b3db0dc73 Load server plugins in certmonger renewal helper
The certmonger renewal helper needs to load server plugins to
operate.  Initialise the API with in_server=True.

Fixes: https://fedorahosted.org/freeipa/ticket/5943
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-08 15:01:07 +02:00
Fraser Tweedale
f94ccca676 Allow CustodiaClient to be used by arbitrary principals
Currently CustodiaClient assumes that the client is the host
principal, and it is hard-coded to read the host keytab and server
keys.

For the Lightweight CAs feature, Dogtag on CA replicas will use
CustodiaClient to retrieve signing keys from the originating
replica.  Because this process runs as 'pkiuser', the host keys
cannot be used; instead, each Dogtag replica will have a service
principal to use for Custodia authentication.

Update CustodiaClient to require specifying the client keytab and
Custodia keyfile to use, and change the client argument to be a full
GSS service name (instead of hard-coding host service) to load from
the keytab.  Update call sites accordingly.

Also pass the given 'ldap_uri' argument through to IPAKEMKeys
because without it, the client tries to use LDAPI, but may not have
access.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-08 10:16:28 +02:00
Pavel Vomacka
afededacb9 Auth Indicators WebUI part
Add custom_checkbox_widget on service page. The old  aci.attribute_widget
now inherits from the new base class custom_checkboxes_widget and overrides
the populate method.

https://fedorahosted.org/freeipa/ticket/5872

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-07 19:30:07 +02:00
Martin Basti
1d9425dab7 Exclude unneeded dirs and files from pylint check
Generated files or paths that does not contain src files should be
skipped:
* yacctab.py - autogenerated
* lextab.py - autogenerated
* dist/* - doesn't contain usefule src files

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-07 13:49:06 +02:00
David Kupka
05878f1153 test: test_cli: Do not expect defaults in kwargs.
Client is no longer forwarding in arguments with default values to the server.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-06 19:53:59 +02:00
Florence Blanc-Renaud
c4a8e64cdf Add the culprit line when a configuration file has an incorrect format
For instance if /etc/nsswitch.conf contains an incorrect line
sudoers		file sss
(Note the missing : after sudoers)
ipa-client-install exits with a SyntaxError traceback but does not state
which line caused the issue.
With the fix, the filename and the line are displayed in the SyntaxError
message.

https://fedorahosted.org/freeipa/ticket/5811

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-06 19:06:32 +02:00
Pavel Vomacka
91ac959fe5 Extend the certificate request dialog
The command for requesting certificate for hosts and services is extended.
There is added how to add DNS name as subjectAltName.

https://fedorahosted.org/freeipa/ticket/5645

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-06 18:34:33 +02:00
Stanislav Laznicka
c56d65b064 Removed dead code from LDAP{Remove,Add}ReverseMember
https://fedorahosted.org/freeipa/ticket/5892

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-06 18:26:14 +02:00