Commit Graph

689 Commits

Author SHA1 Message Date
Martin Kosek
a001095856 Process relative nameserver DNS record correctly
Nameserver hostname passed to dnszone_add command was always treated
as FQDN even though it was a relative DNS name to the new zone. All
relative names were being rejected as unresolvable.

Modify --name-server option processing in dnszone_add and dnszone_mod
to respect FQDN/relative DNS name and do the checks accordingly. With
this change, user can add a new zone "example.com" and let dnszone_add
to create NS record "ns" in it, when supplied with its IP address. IP
address check is more strict so that it is not entered when no forward
record is created. Places misusing the option were fixed.

Nameserver option now also accepts zone name, which means that NS and A
record is placed to DNS zone itself. Also "@" is accepted as a nameserver
name, BIND understand it also as a zone name. As a side-effect of this
change, other records with hostname part (MX, KX, NS, SRV) accept "@"
as valid hostname. BIND replaces it with respective zone name as well.

Unit tests were updated to test the new format.

https://fedorahosted.org/freeipa/ticket/3204
2012-11-06 17:42:09 +01:00
Alexander Bokovoy
fc3834ca46 Resolve external members from trusted domain via Global Catalog
A sequence is following:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller and preferred GC hosts
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD<domain> with principal ourdomain$@trusted.domain
5. Do LDAP SASL interactive bind using the ccache
6. Search for the member's SID
7. Decode SID
8. Replace external member name by SID
2012-11-01 15:46:58 -04:00
Rob Crittenden
1c7261773b Wait for the directory server to come up when updating the agent certificate.
It is possible that either or both of the LDAP instances are being restarted
during the renewal process. Make the script retry if this is the case.

It is also safe to re-run this script if it fails. It will take the current
ipaCert certificate and attempt to update the agent information in LDAP.

https://fedorahosted.org/freeipa/ticket/3179
2012-11-01 13:36:52 -04:00
Martin Kosek
d180d3c101 Use common encoding in modlist generation
ldap2 server plugin generates a modlist for every IPA command entry
modification. However, encoding of attributes entry_attrs generated
by our framework still does not  match entry read from LDAP (until
ticket #2265 is addressed), convert compared values to common ground
so that the comparison does not report false positives when encoding
do not match (e.g. 'int' and 'unicode').

https://fedorahosted.org/freeipa/ticket/3220
2012-11-01 15:32:11 +01:00
Martin Kosek
1d5027bfc9 Remove servertrls and clientctrls options from rename_s
python-ldap of version 2.3.10 and lower does not support serverctrls
and clientctrls fir rename_s operation. Do not use these options until
really needed. In that time, we may put a requirement in place, that
minimal python-ldap version is 2.3.11. Also add a notice explaining
why we did this change.

https://fedorahosted.org/freeipa/ticket/3199
2012-10-26 12:58:04 -04:00
Petr Viktorin
d6fbbd530e Make sure the CA is running when starting services
- Provide a function for determinig the CA status using Dogtag 10's new
  getStatus endpoint.
  This must be done over HTTPS, but since our client certificate may not be set
  up yet, we need HTTPS without client authentication.
  Rather than copying from the existing http_request and https_request
  function, shared code is factored out to a common helper.
- Call the new function when restarting the CA service. Since our Service
  can only be extended in platform-specific code, do this for Fedora only.
  Also, the status is only checked with Dogtag 10+.
- When a restart call in cainstance failed, users were refered to the
  installation log, but no info was actually logged. Log the exception.

https://fedorahosted.org/freeipa/ticket/3084
2012-10-23 22:02:21 -04:00
Tomas Babej
7ce6c4a2d3 Make service naming in ipa-server-install consistent
Forces more consistency into ipa-server-install output. All
descriptions of services that are not instances of
SimpleServiceInstance are now in the following format:

<Description> (<Service Name>)

Furthermore, start_creation method has been modified to support
custom start and end messages. See documentation for more info.

https://fedorahosted.org/freeipa/ticket/3059
2012-10-22 21:37:11 -04:00
John Dennis
38bbbdea61 log dogtag errors
If we get an error from dogtag we always did raise a
CertificateOperationError exception with a message describing the
problem. Unfortuanately that error message did not go into the log,
just sent back to the caller. The fix is to format the error message
and send the same message to both the log and use it to initialize the
CertificateOperationError exception. This is done in the utility
method raise_certificate_operation_error().

https://fedorahosted.org/freeipa/ticket/2622
2012-10-19 10:12:05 +02:00
Simo Sorce
2d42737d01 Add support for using AES fo cross-realm TGTs 2012-10-17 13:55:11 +02:00
Alexander Bokovoy
2d7f2928b9 Remove bogus check for smbpasswd
We don't use smbpasswd when configuring IPA for AD trusts anymore
because we switched to use Kerberos authentication in IPA passdb
backend based on CIFS service keytab.

https://fedorahosted.org/freeipa/ticket/3181
2012-10-16 09:05:55 +02:00
Rob Crittenden
5c054a77f3 Use TLS for CA replication
https://fedorahosted.org/freeipa/ticket/3162
2012-10-15 12:56:57 +02:00
Rob Crittenden
ea4f60b15a Explicitly disable betxn plugins for the time being.
This should work with 389-ds-base 1.2.x and 1.3.0.

Without other plugin changes 389-ds-base can deadlock.

https://fedorahosted.org/freeipa/ticket/3046
2012-10-10 20:24:10 -04:00
Rob Crittenden
392097f206 Configure the initial CA as the CRL generator.
Any installed clones will have CRL generation explicitly disabled.
It is a manual process to make a different CA the CRL generator.
There should be only one.

https://fedorahosted.org/freeipa/ticket/3051
2012-10-09 19:24:43 -04:00
Petr Viktorin
1dd103bc8c Create Firefox extension on upgrade and replica-install
If the signing cert is not available, create an unsigned extension.

Add a zip dependency to the specfile.

https://fedorahosted.org/freeipa/ticket/3150
2012-10-10 17:34:19 +02:00
Alexander Bokovoy
0840b588d7 Add cifs principal to S4U2Proxy targets only when running ipa-adtrust-install
Since CIFS principal is generated by ipa-adtrust-install and is only
usable after setting CIFS configuration, there is no need to include it
into default setup.

This should fix upgrades from 2.2 to 3.0 where CIFS principal does not
exist by default.

https://fedorahosted.org/freeipa/ticket/3041
2012-10-09 18:15:01 -04:00
Rob Crittenden
2ca7bb3134 Fix CS replication management.
The master side should be on the local side, replica1, not the
remote. This required reversing a few master variables. This impacts
the naming of the replication agreements.

When deleting an agreement pass in the DN of that agreement
rather than trying to calculate what it is on-the-fly. We cannot
be sure which side is the master/clone and since we search for it
anyway to determine if the agreement exists it is more correct
to use what we find.

The force flag wasn't being passed into del_link so there was no way
to force a deletion.

https://fedorahosted.org/freeipa/ticket/2858
2012-10-09 15:45:44 -04:00
Rob Crittenden
eb79f5c955 Set renewal time for the CA audit certificate to 720 days.
The initial certificate is issued for two years but renewals are
for six months for some reason. This fixes it for new and updated
IPA installs.

https://fedorahosted.org/freeipa/ticket/2951
2012-10-09 17:51:13 +02:00
Martin Kosek
74ebd0fd75 Move CRL publish directory to IPA owned directory
Currently, CRL files are being exported to /var/lib/pki-ca
sub-directory, which is then served by httpd to clients. However,
this approach has several disadvantages:
 * We depend on pki-ca directory structure and relevant permissions.
   If pki-ca changes directory structure or permissions on upgrade,
   IPA may break. This is also a root cause of the latest error, where
   the pki-ca directory does not have X permission for others and CRL
   publishing by httpd breaks.
 * Since the directory is not static and is generated during
   ipa-server-install, RPM upgrade of IPA packages report errors when
   defining SELinux policy for these directories.

Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for
both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy
configuration does not report any error. The new CRL publish directory
is used for both new IPA installs and upgrades, where contents of
the directory (CRLs) is first migrated to the new location and then the
actual configuration change is made.

https://fedorahosted.org/freeipa/ticket/3144
2012-10-09 16:00:01 +02:00
Martin Kosek
2411377d40 Minor fixes for default SMB group
This patch contains additional minor fixes which were proposed during
review but were not pushed (accidentaly). Also amends a name of the
default SMB group in a list of protected groups in group.py.

https://fedorahosted.org/freeipa/ticket/3147
2012-10-09 12:15:07 +02:00
Simo Sorce
19a9376c72 Fix trust attributes for ipa trust-add
The RC4 flags in the trust attributes makes sense only fro trust type MIT
We are using the UPLEVEL trust type.
2012-10-09 10:33:04 +02:00
Sumit Bose
12f4584f57 ipa-adtrust-install: create fallback group with ldif file
Currently the framework is used to add the group but we want to avoid
that users are added explicitly to the group by removing the
objectclasses groupofnames, ipausergroup and nestedgroup and we want to
use a name with spaces in it. Both it not easy possible with the
framework, a LDIF file is used instead to create the group.

Fixes https://fedorahosted.org/freeipa/ticket/3147
2012-10-09 10:22:16 +02:00
Sumit Bose
2eee4ce83d ipa-adtrust-install: print list of needed SRV records
If --no-msdcs is given on the command line all needed SRV records will
be printed.

Fixes https://fedorahosted.org/freeipa/ticket/3019
2012-10-04 22:15:36 -04:00
Sumit Bose
0d82862066 Avoid ldapmodify error messages during ipa-adtrust-install
Fixes https://fedorahosted.org/freeipa/ticket/3012
2012-10-04 22:15:36 -04:00
Sumit Bose
58a99dd5ac Add SIDs for existing users and groups at the end of ipa-adtrust-install
Fixes https://fedorahosted.org/freeipa/ticket/3104
2012-10-04 22:15:36 -04:00
Sumit Bose
503e03bf96 ipa-adtrust-install: replace print with self.print_msg
https://fedorahosted.org/freeipa/ticket/3019
2012-10-04 22:15:28 -04:00
Sumit Bose
fdd3299fa8 ipa-adtrust-install: Add fallback group
https://fedorahosted.org/freeipa/ticket/2955
2012-10-04 22:15:26 -04:00
Petr Vobornik
247a3a43b7 Build and installation of Kerberos authentication extension
This patch is adding a build of kerberosauth.xpi (FF Kerberos authentication extension).

Currently the build is done in install phase of FreeIPA server. It is to allow signing of the extension by singing certificate. The signing might not be necessary because the only outcome is that in extension installation FF doesn't show that the maker is not verified. It shows text: 'Object signing cert'. This might be a bug in httpinstance.py:262(db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)) The value is in place of hostname parameter.

If the extension is not signed, it can be created in rpm build phase, which should make upgrades easier. Current implementation doesn't handle upgrades yet.

In order to keep extension and config pages not dependent on a realm, a krb.js.teplate file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in install phase which holds FreeIPA's realm and domain information. This information can be then used by config pages by importing this file.

Ticket: https://fedorahosted.org/freeipa/ticket/3094
2012-10-04 18:08:04 -04:00
Alexander Bokovoy
459c83fb75 Support python-ldap 2.3 way of making LDAP control
This strange patch is to accomodate both python-ldap 2.3 and later versions.
There was refactoring in python-ldap support for LDAP controls that split
base class into two different, changing properties and method signatures.

Luckily, we don't use any values passed to encodeControlValue.
2012-10-04 17:00:56 +02:00
Martin Kosek
0c2d0bb2b0 Fill ipakrbprincipalalias on upgrades
From IPA 3.0, services have by default ipakrbprincipal objectclass which
allows ipakrbprincipalalias attribute used for case-insensitive principal
searches. However, services created in previous version do not have
this objectclass (and attribute) and thus case-insensitive searches
may return inconsistent results.

Fill ipakrbprincipalalias on upgrades for all 2.x services. Also treat
Treat the ipakrbprincipal as optional to avoid missing services in
service-find command if the upgrade fails for any reason.

https://fedorahosted.org/freeipa/ticket/3106
2012-10-02 15:17:42 -04:00
Martin Kosek
941d1e8701 Do not produce unindexed search on every DEL command
Every <plugin>-del command executes an "(objectclass=*)" search
to find out if a deleted node has any child nodes which would need
to be deleted first. This produces an unindexed search for every del
command which biases access log audits and may affect performance too.

Since most of the *-del commands delete just a single object (user,
group, RBAC objects, SUDO or HBAC objects, ...) and not a tree
(automount location, dns zone, ...) run a single entry delete first
and only revert to subtree search&delete when that fails.
2012-10-01 22:37:59 -04:00
Petr Viktorin
c16c257145 Fix NS records in installation
Our installation added two final dots to the NS records,
so the records were invalid, Bind ignored the entire zone,
and name resolution didn't work.

Fix this error and add a check for empty DNS labels to the validator
2012-09-27 16:01:22 +02:00
Alexander Bokovoy
fbfa3b56fa Change the way SID comparison is done for belonging to trusted domain
Fixes trust use on RHEL 6.
2012-09-27 14:00:40 +02:00
Martin Kosek
c49bc80494 Use custom zonemgr for reverse zones
When DNS is being installed during ipa-{server,dns,replica}-install,
forward and reverse zone is created. However, reverse zone was always
created with default zonemgr even when a custom zonemgr was passed
to the installer as this functionality was missing in function
creating reverse zone.

Consolidate functions creating forward and reverse zones to avoid
code duplication and errors like this one. Reverse zones are now
created with custom zonemgr (when entered by user).

https://fedorahosted.org/freeipa/ticket/2790
2012-09-26 13:44:11 +02:00
Sumit Bose
d0f672c131 Update krb5.conf during ipa-adtrust-install
https://fedorahosted.org/freeipa/ticket/2515
2012-09-19 20:47:31 -04:00
Petr Viktorin
4bb4535101 Use correct Dogtag port in ipaserver.install.certs
On an instance upgraded from Dogtag 9 to Dogtag 10,
ipa-replica-prepare used the wrong port number. Fix that.
2012-09-20 13:58:53 +02:00
Martin Kosek
ef7b8ab764 Use default reverse zone consistently
When a new reverse zone is to be generated based on an IP address without
a network prefix length, we need to use some default value. While netaddr
library default ones (32b for IPv4 and 128b for IPv6) are not very sensible
we should use the defaults already applied in installers. That is 24b for
IPv6 and 64 for IPv6.

Test case has been added to cover the new default.

https://fedorahosted.org/freeipa/ticket/2461
2012-09-19 17:32:02 +02:00
Alexander Bokovoy
7269687822 Add verification of the AD trust
Since we only can perform verification when AD admin credentials are available,
report that trust should be verified from the AD side in other cases,
including unsuccessful verification.

Once trust is added, status of it is never stored anywhere.

https://fedorahosted.org/freeipa/ticket/2763
2012-09-17 21:24:38 -04:00
Petr Viktorin
f0829efe1f Only stop the main DS instance when upgrading it
We've been stopping both DS instances (main and PKI) when upgrading.
This can happen while the CA is running. In some cases stopping the PKI
DS also killed the CA.

Only stop the specific instance for upgrades.

Also, wait for open ports after the upgrade is complete. The wait was
skipped previously. This can prevent bugs if scripts that need a DS are
run after the upgrade.

https://fedorahosted.org/freeipa/ticket/3083
2012-09-17 18:43:59 -04:00
Petr Viktorin
4f76c143d2 Use Dogtag 10 only when it is available
Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.

Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.

This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
2012-09-17 18:43:59 -04:00
Ade Lee
3dd31a8756 Modifications to install scripts for dogtag 10
Dogtag 10 uses a new installer, new directory layout and new default
ports.  This patch changes the ipa install code to integrate these changes.

https://fedorahosted.org/freeipa/ticket/2846
2012-09-17 18:43:36 -04:00
Rob Crittenden
c9c55a2845 Run the CLEANALLRUV task when deleting a replication agreement.
This adds two new commands to ipa-replica-manage: list-ruv & clean-ruv

list-ruv can be use to list the update vectors the master has
configugured

clean-ruv can be used to fire off the CLEANRUV task to remove a
replication vector. It should be used with caution.

https://fedorahosted.org/freeipa/ticket/2303
2012-09-17 17:48:25 +02:00
Martin Kosek
c0630950a1 Expand Referential Integrity checks
Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
are used to store DNs of linked objects in IPA (users, hosts, sudo
commands, etc.). However, when the linked objects is deleted or
renamed, the attribute pointing to it stays with the objects and
thus may create a dangling link causing issues in client software
reading the data.

Directory Server has a plugin to enforce referential integrity (RI)
by checking DEL and MODRDN operations and updating affected links.
It was already used for manager and secretary attributes and
should be expanded for the missing attributes to avoid dangling
links.

As a prerequisite, all attributes checked for RI must have pres
and eq indexes to avoid performance issues. Thus, the following
indexes are added:
  * manager (pres index only)
  * secretary (pres index only)
  * memberHost
  * memberUser
  * sourcehost
  * memberservice
  * managedby
  * memberallowcmd
  * memberdenycmd
  * ipasudorunas
  * ipasudorunasgroup

Referential Integrity plugin is updated to enforce RI for all these
attributes. Unit tests covering RI checks for all these attributes
were added as well.

Note: this update will only fix RI on one master as RI plugin does
not check replicated operations.

https://fedorahosted.org/freeipa/ticket/2866
2012-09-16 17:59:27 -04:00
Martin Kosek
2ecfe571fa Run index task in ldap updater only when needed
When LDAP updater detected an update instruction in indexing tree, it run
an indexing task and waited until it ends. However, the task was run
regardless of the update instruction result. This lead to unnecessary
index tasks being defined and waited for which makes the whole LDAP
last longer.

Execute indexing task only when an index add/update instruction is
successful.

https://fedorahosted.org/freeipa/ticket/2866
2012-09-16 17:59:19 -04:00
Martin Kosek
edf8138568 Add attributeTypes to safe schema updater
AttributeType updates are sensitive to case, whitespace or X-ORIGIN mismatch
just like ObjectClass attribute which is already being normalized before
an update value is compared with update instructions.

Expand safe schema updater routine to cover both ObjectClasses and
AttributeTypes updates.

https://fedorahosted.org/freeipa/ticket/2440
2012-09-16 17:59:06 -04:00
Rob Crittenden
0f81268ec4 Fix some restart script issues found with certificate renewal.
The restart_dirsrv script wasn't initializing the api so the
startup_timeout wasn't available.

The subsystemCert cert-pki-ca definition was missing so we didn't
know which certificate to update in CS.cfg.

Add some documentation and a pause between restarts for the
renew_ca_cert script so that when the CA subsystem certs are renewed
they don't all try to restart the CA at the same time.

https://fedorahosted.org/freeipa/ticket/3006
2012-09-06 19:09:18 -04:00
Rob Crittenden
26dfbe61dd Add version to replica prepare file, prevent installing to older version 2012-09-07 12:58:55 +02:00
Martin Kosek
917a480675 Add safe updates for objectClasses
Current objectclass updates in a form of "replace" update instruction
dependent on exact match of the old object class specification in the
update instruction and the real value in LDAP. However, this approach is
very error prone as object class definition can easily differ as for
example because of unexpected X-ORIGIN value. Such objectclass update
failures may lead to serious malfunctions later.

When comparing the objectclasses, make sure we normalize them both
before we compare them to mitigate these kinds of errors. python-ldap's
objectclass model can be utilized to do the normalization part.

One objectclass update instruction was changed to do a replace of
an objectclass separately from add update instruction so that we
really only replace what's stored in LDAP.

https://fedorahosted.org/freeipa/ticket/2440
2012-09-04 22:45:27 -04:00
Petr Viktorin
2ede70b720 Add nsds5ReplicaStripAttrs to replica agreements
Generalize the fix_replica_memberof update plugin to allow updating more
replication attributes.

Add nsds5ReplicaStripAttrs to replication agreements on update and
replica install.

https://fedorahosted.org/freeipa/ticket/2534
2012-09-04 05:30:57 -04:00
Martin Kosek
be8a9e6ddb Make replica install more robust
Under certain circumstances, replica installation may fail in
"enable GSSAPI for replication" step when it cannot sync LDAP service
principals. There is often not much we can do as Directory Server
may be in an unrecoverable state but we should at least wait longer
before we give up.

A function checking replication status was also fixed to give more
accurate results by properly comparing start/end time of the
replication process and returning an error message to calling
function. This error message is then returned to user if do not
manage to get the LDAP service principals to give him a pointer
to the actual issue.

https://fedorahosted.org/freeipa/ticket/2950
2012-09-03 21:05:16 -04:00
Petr Viktorin
a95eaeac8e Internationalization for public errors
Currently, we throw many public exceptions without proper i18n.
Wrap natural-language error messages in _() so they can be translated.

In the service plugin, raise NotFound errors using handle_not_found helper
so the error message contains the offending service.

Use ScriptError instead of NotFoundError in bindinstance install.

https://fedorahosted.org/freeipa/ticket/1953
2012-09-03 18:16:12 +02:00