This allows code to use multiple ccaches without having to muck with the
process global environment variables (KRB5CCNAME).
https://fedorahosted.org/freeipa/ticket/6543
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add the apache user the ipawebui group.
Make the ccaches directory owned by the ipawebui group and make
mod_auth_gssapi write the ccache files as r/w by the apache user and
the ipawebui group.
Fix tmpfiles creation ownership and permissions to allow the user to
access ccaches files.
The webui framework now works as a separate user than apache, so the certs
used to access the dogtag instance need to be usable by this new user as well.
Both apache and the webui user are in the ipawebui group, so use that.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Avoid comparison of bytes with int in _is_null() check. b'' == 0
triggers a BytesWarning.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Closes: https://fedorahosted.org/freeipa/ticket/6631
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Some DNS servers behaves oddly and instead sending result without RRSIG records
don't reply at all when DNSSEC flag is enabled (timeout). Instead of
hard error IPA should this handle as DNSSEC error and continue with
installation/adding forwarders.
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
for Decimal only from client to server direction uses __base64__
notation. Server replies with pure string for Decimal data, and also
server is able to parse string and create decimal values where needed.
without this we need ugly py3 code:
- return {'__base64__': base64.b64encode(str(val))}
+ return {'__base64__': base64.b64encode(
+ str(val).encode('ascii')).decode('ascii')}
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In 'store_session_cookie', if the server does not set the session
cookie for some reason, the 'session_cookie' variable does not get
assigned, resulting in UnboundLocalError. Set an initial value of
'None'.
Fixes: https://fedorahosted.org/freeipa/ticket/6636
Reviewed-By: Martin Basti <mbasti@redhat.com>
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.
https://fedorahosted.org/freeipa/ticket/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In py 3.5 json.loads requires to have string as input, all bytes must be
decoded.
Note: python 3.6 supports bytes for json.loads()
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Let's replace some ugly hacks with proper pytest conftest.py hooks.
Test initialization of ipalib.api is now handled in
pytest_cmdline_main(). Pytest plugins, markers and ignores are also
moved into conftest.py. Additional guards make it possible to run tests
without ipaserver installed.
I added confcutdir to ensure that pytest does not leave our project
space. Pytest used pytest.ini or setup.py before but pytest.ini is gone.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
In client-only installations the ipaserver package is not available.
Additional guards prevent pylint to complain about missing ipaserver
package.
https://fedorahosted.org/freeipa/ticket/6468
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use PyASN1 with the PKCS#7 definitions from `pyasn1_modules` to parse
PKCS#7 in `pkcs7_to_pems()` instead of calling `openssl pkcs7` in a
subprocess.
https://fedorahosted.org/freeipa/ticket/6550
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Python3 removed the getheaders() function and replaced it with a
get_all() one. Add compat code.
https://fedorahosted.org/freeipa/ticket/6558
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Commint 2cbaf15604 introduced a regression
in API version comparison. In case that newer client is trying to call
older server an error is returned, but it should work. This commit fixes
it.
https://fedorahosted.org/freeipa/ticket/6468
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.
https://fedorahosted.org/freeipa/ticket/5678
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add a single function for extracting X.509 certs in PEM format from
a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to
use the new function.
Part of: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Replace the dual definitions of domain_name, dm_password and admin_password
knobs in server install with single definitions using the original names
without the 'new_' prefix.
This fixes the options read from the installer option cache in step 2 of
external CA install to use the correct knob names.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
During the server installation, the installer requests certificates
through certmonger. The current timeout is 60s and is too low.
Increase this timeout to api.env.startup_timeout as done in
ipa_cacert_manage or ipa_certupdate.py
(the code checks the status each 5s up to the timeout value).
https://fedorahosted.org/freeipa/ticket/6433
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Env confdir is always populated so it should be listed among variables
set during a call to `Env._bootstrap()`.
https://fedorahosted.org/freeipa/ticket/6389
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The environment variable IPA_CONFDIR overrides the default confdir path.
The value of the environment variable must be an absolute path to an existing
directory. The new variable makes it much simpler to use the 'ipa'
command and ipalib with a local configuration directory.
Some scripts (e.g. servers, installers, and upgrades) set the confdir
explicitly and do not support the env var.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
During thin client refactoring, LocalOrRemote class implementation of `run`
method was overriden by default Command implementation during instantiation of
client plugins from schema. This caused these commands to always forward this
request to IPA master.
This patch restores the original behavior: unless `--server` option was
specified, the commands will always print out local config.
https://fedorahosted.org/freeipa/ticket/6490
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This reverts commit 1166fbc494. The proper fix
is to restore pre-thin client behavior of commands inheriting from
LocalOrRemote class.
https://fedorahosted.org/freeipa/ticket/6490
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* make wheel_bundle no longer bundles ipaplatform
* ipaclient and ipalib use a consistent extra tag for the install
subpackage. `pip install ipalib[ipalib.install]` looks a bit silly.
https://fedorahosted.org/freeipa/ticket/6474
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
When running ipa-replica-install in domain-level 1, the installer
requests the LDAP and HTTP certificates using certmonger but does
not check the return code. The installer goes on and fails when
restarting dirsrv.
Fix: when certmonger was not able to request the certificate, raise an
exception and exit from the installer:
[28/45]: retrieving DS Certificate
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
https://fedorahosted.org/freeipa/ticket/6514
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Fix some typos, missing or surplus dependencies.
* Remove setup requirement on wheel since it triggers download.
ipatests is now installable. Tests need further changes to be runable.
https://fedorahosted.org/freeipa/ticket/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Hard-code the path to /bin/false in SubprocessError doc string.
Remove ipaplatform dependency from ipalib's setup.py and add it as optional
installer dependency to ipalib's and ipaclient's setup.py.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
CACERT depends on ipaplatform.
Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The certstore module depends on ipaplatform.
Move it to ipalib.install, as it is used only from installers.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
kinit_password() depends on ipaplatform.
Move kinit_password() as well as kinit_keytab() to a new
ipalib.install.kinit module, as they are used only from installers.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The certmonger and sysrestore modules depend on ipaplatform.
Move them to ipalib.install as they are used only from installers.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
In Python 3 exception instances no longer have a message attribute.
For most exceptions, str(e) or string formatting give the same result.
Fix some renamed modules, module members and functions.
https://fedorahosted.org/freeipa/ticket/4985
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Sprinkle 'pylint disable' comments over the code base to silence a bunch
of pylint warnings on Python 3. All silenced warnings are harmless and
not bugs.
https://fedorahosted.org/freeipa/ticket/4985
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
pylint is having a hard time with distutils.version in tox's virtual
envs. virtualenv uses some tricks to provide a virtual distutils
package, pylint can't cope with.
https://github.com/PyCQA/pylint/issues/73 suggests to use pkg_resources
instead. pkg_resources' version parser has some more benefits, e.g. PEP
440 conformity. But pkg_resources.parse_version() is a heavy weight solution
with reduced functionality, e.g. no access to major version.
For API_VERSION and plugin version we can use a much simpler and faster
approach.
https://fedorahosted.org/freeipa/ticket/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
ipa local-env simply dumps all values from api.env as sorted key="value"
pairs. It's a convenient helper for debugging and to write tests for
e.g. PR #182.
https://fedorahosted.org/freeipa/ticket/6490
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
api.env.nss_dir is no longer hard-coded to paths.IPA_NSSDB_DIR. Instead
the path is calculated relatively to api.env.confdir. The default value
is still /etc/ipa/nssdb. The change makes it a bit easier to run
FreeIPA's API with a custom configuration directory.
See https://fedorahosted.org/freeipa/ticket/6386
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The cert-request command used to accept CSRs that had extra data
surrounding the PEM data, e.g. commentary about the contents of the
CSR. Recent commits that switch to using python-cryptography for
cert and CSR handling broke this. Our acceptance tests use such
CSRs, hence the tests are now failing.
To avoid the issue, freshly encode the python-cryptography
CertificateSigningRequest object as PEM. This avoids re-using the
user-supplied data, in case it has extraneous data.
Fixes: https://fedorahosted.org/freeipa/ticket/6472
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add class hierarchy which allows inherting knob definitions between the
various client and server install scripts.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti <mbasti@redhat.com>
This code was presumably once used for testing, but has been
subsumed by the actual test suite.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects. Update the call sites
accordingly, including removal of NSS initialisation code.
Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames. The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Remove our hand-rolled pyasn1 specifications for X.509 in favour of
those provided by the pyasn1-modules library.
This also avoids a bug in our _Extension spec wherein parsing fails
if the 'critical' field is absent.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Avoid use of the nss.data_to_hex function for formatting certificate
fingerprints. Add our own helper functions to format the
fingerprints as hex (with colons).
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
In the dogtag-ipa-ca-renew-agent-submit certmonger renewal helper,
we currently use our hand-rolled PKCS #10 pyasn1 specification to
parse the friendlyName out of CSRs generated by certmonger (it
contains the NSSDB nickname of the cert).
Use other information from the renewal helper process environment to
determine the nickname and remove our PKCS #10 pyasn1 spec.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Update ``ipalib.pkcs10`` module to use python-cryptography for CSR
processing instead of NSS.
Part of: https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This version builds only one version of Python packages. If you want to
build for Python 2 & 3 call configure twice using different --with-python
or specify PYTHON variable when calling make.
dist-hook is using SOURCES.txt file from egg-info.
According to Petr Viktorin this should be enough for our purposes
and avoids need to create plugins for setuptools.
Currently VPATH builds do not work for various reasons.
This should be fixed later on.
Most credit goes to these guys:
Christian Heimes <cheimes@redhat.com>
Petr Viktorin <pviktori@redhat.com>
Kevin Brown <kevin@kevin-brown.com>
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Set default time_limit and size_limit in ldap2 to unlimited.
* Set time_limit and size_limit to None in backend. This will respect
ipaconfig values.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
- Use the correct unicode string for an error message, otherwise an
exception will generate another exception about incorrect type,
masking the original error.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Check for import errors with pylint to make sure new python package
dependencies are not overlooked.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
All setup.py files are now using setuptools through a common file
ipasetup.py. The file is auto-generated and contain all common
settings.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
pylint-1.6.4-1.fc26.noarch reports these, hence they should be fixed in order
to build FreeIPA with this version
https://fedorahosted.org/freeipa/ticket/6391
Reviewed-By: Martin Basti <mbasti@redhat.com>
Parameters test fails because of KeyError caused by improper manipulation with
kwargs in Param.__init__ method. During initialization, if kwargs['required']
or kwargs['multivalue'] is None, it is delete from dictionary and hence the
missing key. Small change of the condition prevents this from happening.
Partially fixes https://fedorahosted.org/freeipa/ticket/6292
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add a parser check to verify config file supplied to the ipa
command exists. Previously, invalid file paths would not results
in any error and would just silently proceed with default config.
https://fedorahosted.org/freeipa/ticket/6114
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove unnecessary check for absolute file paths for config file.
https://fedorahosted.org/freeipa/ticket/6114
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.
This covers only cases where fix was easy or only one unused variable
was in a module
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
User and groups regexp are the same and constant should be used to avoid
any future misconfigurations.
https://fedorahosted.org/freeipa/ticket/5822
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Originaly there should be only two occurencees of this warning, one for
server, one for client. But obviously is not possible with current
installers to achive this goal, so I have to extract code to not mess
with 5 times copy and paste.
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
Currently, HTTP requests that respond with status not in the 2xx
range raise RemoteRetrieveError. The exception includes no
information about the response status.
Add the 'HTTPRequestError' class which extends 'RemoteRequestError'
with an attribute for the response status, and update the Dogtag
RestClient to raise the new error.
Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add Certmonger tracking requests for lightweight CAs on replica
installation. As part of this change, extract most of the
lightweight CA tracking code out of ipa-certupdate and into
cainstance.
Fixes: https://fedorahosted.org/freeipa/ticket/6019
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Fixes the CLI not to always call the default version of a command even when
the version was explicitly specified.
https://fedorahosted.org/freeipa/ticket/6279
Reviewed-By: Martin Basti <mbasti@redhat.com>
We want to include the whole DER value when we pretty-print
unrecognised otherNames, so add a field to the GeneralNameInfo
namedtuple and populate it for otherNames.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
GeneralName parsing currently relies heavily on strings from NSS.
Make the code hopefully less brittle by identifying GeneralName
types by NSS enums and, for otherName, the name-type OID also.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The subjectAltName extension parsing code in ipalib.x509 fails on
directoryName values because the Choice structure is not endowed
with an inner type. Implement the Name structure, whose inner type
is a CHOICE { SEQUENCE OF RelativeDistinguishedName }, to resolve.
Note that the structure still does not get fully parsed; only enough
to recognise the SequenceOf tag and not fail.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
GeneralName parsing code is primarily relevant to X.509. An
upcoming change will add SAN parsing to the cert-show command, so
first move the GeneralName parsing code from ipalib.pkcs10 to
ipalib.x509.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The server-del plugin now removes the Custodia keys for encryption and
key signing from LDAP.
https://fedorahosted.org/freeipa/ticket/6015
Reviewed-By: Martin Basti <mbasti@redhat.com>
For configuration where:
- AD example.com trusts IPA at ipa.example.com
- AD example.org trusts AD example.com
- a trust is tried to be established between ipa.example.com and
example.org,
there will be a trust topology conflict detected by example.org domain
controller because ipa.example.com DNS namespace overlaps with
example.com DNS namespace.
This type of trust topology conflict is documented in MS-ADTS 6.1.6.9.3.2
"Building Well-Formed msDS-TrustForestTrustInfo Message". A similar
conflict can arise for SID and NetBIOS namespaces. However, unlike SID
and NetBIOS namespaces, we can solve DNS namespace conflict
automatically if there are administrative credentials for example.org
available.
A manual sequence to solve the DNS namespace conflict is described in
https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx.
This sequence boils down to the following steps:
1. As an administrator of the example.org, you need to add an
exclusion entry for ipa.example.com in the properties of the trust to
example.com
2. Establish trust between ipa.example.com and example.org
It is important to add the exclusion entry before step 4 or there will
be conflict recorded which cannot be cleared easily right now due to a
combination of bugs in both IPA and Active Directory.
This patchset implements automated solution for the case when we have
access to the example.org's administrator credentials:
1. Attempt to establish trust and update trust topology information.
2. If trust topology conflict is detected as result of (1):
2.1. Fetch trust topology infromation for the conflicting forest
trust
2.2. Add exclusion entry to our domain to the trust topology obtained
in (2.1)
2.3. Update trust topology for the conflicting forest trust
3. Re-establish trust between ipa.example.com and example.org
We cannot do the same for shared secret trust and for external trust,
though:
1. For shared secret trust we don't have administrative credentials
in the forest reporting the conflict
2. For the external trust we cannot set topology information due to
MS-LSAD 3.1.4.7.16 because external trust is non-transitive by
definition and thus setting topology information will fail.
To test this logic one can use two Samba AD forests with FreeIPA
using a sub-domain of one of them.
Fixes: https://fedorahosted.org/freeipa/ticket/6076
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Some tests in ipatests/test_ipalib/test_frontend.py are failing due to changes
related to thin client implementation. Providing fix for:
ipa.test_ipalib.test_frontend.test_Attribute.test_init
ipa.test_ipalib.test_frontend.test_LocalOrRemote.test_run
https://fedorahosted.org/freeipa/ticket/6188
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Some of the docstrings in ipalib/messages.py are malformed or missing
entirely. This causes test_ipalib/test_messages to fail due to non-matching
regex.
https://fedorahosted.org/freeipa/ticket/6215
Reviewed-By: Martin Basti <mbasti@redhat.com>
Whether a parameter is treated like password is determined by the
`password` class attribute defined in the Param class. Whether the CLI will
asks for confirmation of a password parameter depends on the value of the
`confirm` kwarg of the Password class.
Move the `confirm` kwarg from the Password class to the Param class, so
that it can be used by any Param subclass which has the `password` class
attribute set to True.
This fixes confirmation of the --key option of otptoken-add, which is a
Bytes subclass with `password` set to True.
https://fedorahosted.org/freeipa/ticket/6174
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Creating instance requires that complete schema for the command is
read from schema cache and passed to constructor. This operation takes
a lot of time. Utilizing class properties and pregenerated help bits
allows to get the necessary information directly from classes reducing
time it takes significantly.
https://fedorahosted.org/freeipa/ticket/6048
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Avoid need to instantiate all commands just to get information for
displaying help.
https://fedorahosted.org/freeipa/ticket/6048
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This check must handle the possibility of optional attributes
(ipantadditionalsuffixes and ipantflatname) missing in the trusted domain
entry.
https://fedorahosted.org/freeipa/ticket/6099
Reviewed-By: David Kupka <dkupka@redhat.com>
Relax the check for valid hostname component by allowing multiple consecutive
'-' or '/' characters int he middle of the label (the first/last character
must still be alphanumeric or underscore). Also use verbose regex format to
document its structure.
https://fedorahosted.org/freeipa/ticket/4710
Reviewed-By: Martin Basti <mbasti@redhat.com>
`PrimaryKey` output param works only for API objects that have primary keys,
otherwise it expects None (nothing is associated with this param). Since the
validation of command output was tightened durng thin client effort, some
commands not honoring this contract began to fail output validation.
A custom output was implemented for them to restore their functionality. It
should however be considered as a fix for broken commands and not used
further.
https://fedorahosted.org/freeipa/ticket/6037https://fedorahosted.org/freeipa/ticket/6061
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
the ResultFormattingError message class was missing a `type` member which
could cause `otptoken-add` command to crash during QR image rendering using
suboptimal TTY settings
https://fedorahosted.org/freeipa/ticket/6081
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...])
were added to manage principal aliases.
'add' commands will check the following:
* the correct principal type is supplied as an alias
* the principals have correct realm and the realm/alternative suffix (e.g.
e-mail) do not overlap with those of trusted AD domains
If the entry does not have canonical principal name, the first returned
principal name will be set as one. This is mostly to smoothly operate on
entries created on older servers.
'remove' commands will check that there is at least one principal alias equal
to the canonical name left on the entry.
See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliaseshttps://fedorahosted.org/freeipa/ticket/1365https://fedorahosted.org/freeipa/ticket/3961https://fedorahosted.org/freeipa/ticket/5413
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This patch introduces a separate Principal parameter that allows the framework
to syntactically validate incoming/outcoming principals by using a single
shared codebase.
https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
