Replaced NSSConnection with Python's httplib.HTTPSConnection.
This class is OpenSSL-based.
A client certificate with a private key is required to authenticate
against the certificate server. We facilitate the RA_AGENT_PEM which
already exists.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
If kra should not be set up, don't run the code as it would only
prolong the installations.
Previously, krainstance configuration would be performed just to
export the client certificate and private key to authenticate to
certificate server. This is now performed somewhere else therefore
there's no need to run KRAInstance.configure_instance.
The kra.install() method still performs actions on replicas and
we're keeping it in server installer to conform to the installers
design.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires database password which makes the `ipa` command
totally unusable.
NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.
The HTTPSConnection is set up to handle authentication with client
certificate for connections to Dogtag server as RA agent. It allows
to handle client cert/private key in separate files and also
encrypted private key files.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa.service unit defines Requires=gssproxy. Because of this, during
ipa-server-upgrade, the restart of gssproxy triggers a restart of ipa unit
(hence stopping LDAP server and breaking the connection api.Backend.ldap2).
Calls using this connection after gssproxy restart fail and ipa-server-upgrade
exits on failure.
The fix defines Wants=gssproxy to avoid the restart of ipa.service
https://fedorahosted.org/freeipa/ticket/6705
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
CAs consist of a FreeIPA and a corresponding Dogtag object. When
executing ca-del, ca-enable and ca-disable, changes are made to the
Dogtag object. In the case of ca-del, the corresponding FreeIPA
object is deleted after the Dogtag CA is deleted.
These operations were not correctly authorised; the FreeIPA
permissions are not checked before the Dogtag operations are
executed. This allows any user to delete, enable or disable a
lightweight CA (except the main IPA CA, for which there are
additional check to prevent deletion or disablement).
Add the proper authorisation checks to the ca-del, ca-enable and
ca-disable commands.
https://pagure.io/freeipa/issue/6713
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In case users want multiple CSR generation profiles that work with the
same dogtag profile, or in case the profiles are not named the same,
this flag allows specifying an alternative CSR generation profile.
https://fedorahosted.org/freeipa/ticket/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Allows the `ipa cert-request` command to generate its own CSR. It no
longer requires a CSR passed on the command line, instead it creates a
config (bash script) with `cert-get-requestdata`, then runs it to build
a CSR, and submits that CSR.
Example usage (NSS database):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --database /tmp/certs
Example usage (PEM private key file):
$ ipa cert-request --principal host/test.example.com --profile-id caIPAserviceCert --private-key /tmp/key.pem
https://fedorahosted.org/freeipa/ticket/4899
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The ra_db argument to CAInstance init is a constant so it can
be removed. This constant corresponds to the default CertDB directory
and since CertDB now passes passwords to its inner NSSDatabase instance
we do need to care about having our own run_certutil() method.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Update mailmap with the new mistyped authors and generate a new
Contributors list.
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
adtrustinstance will now use parent's methods to retrieve keys for CIFS
principal. Since the keys are appended to the host keytab
(/etc/krb5.keytab) we need to make sure that only the stale CIFS keys
are purged from the file and that we do not re-set its ownership.
https://fedorahosted.org/freeipa/ticket/6638
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The service installers can now override the methods for cleaning up
stale keytabs and changing file ownership of the newly acquired keytabs.
The default actions should be usable by most installers without specific
overriding.
https://fedorahosted.org/freeipa/ticket/6638
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
--without-ipatests skips building and installation of the ipatests
package. By default the ipatests package is always build and installed
by make install.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
"dirsrv/slapi-plugin.h" is unnecessary for build of ipa_pwd.
This patch allow us to move DIRSRV to daemon only dependencies
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
There were 2 issues with session logouts, one is that the logout_cookie
was checked and acted on in the wrong place, the other is that the wrong
value was set in the IPASESSION header.
Fixes https://fedorahosted.org/freeipa/ticket/6685
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Commit 1e6a204b43 added explicit confdir
setting to api.bootstrap() calls of a randomly selected portion of
server-side scripts and tests. This commit adds it to the rest of
server-side code for consistency.
https://fedorahosted.org/freeipa/ticket/6389
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Before the KRA agent PEM file is exported in server upgrade, the sysupgrade
state file is consulted. This causes the KRA agent PEM file not to be
exported to the new location if the upgrade was executed in the past.
Do not consult the sysupgrade state file to decide whether to upgrade the
KRA agent PEM file or not, the existence of the file is enough to make this
decision.
https://fedorahosted.org/freeipa/ticket/6675
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
update_ca_renewal_master uses ipaCert certmonger tracking information to
decide whether the local server is the CA renewal master or not. The
information is lost when migrating from /etc/httpd/alias to
/var/lib/ipa/radb in update_ra_cert_store.
Make sure update_ra_cert_store is executed after update_ca_renewal_master
so that correct information is used.
https://fedorahosted.org/freeipa/ticket/5959
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as
/var/lib/ipa/radb is not populated in CA-less.
Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in
CA-less, as it might be an incorrect certificate from previous CA-ful
install, and is not necessary anyway.
https://fedorahosted.org/freeipa/ticket/5959
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.
Create the directory with mode 644 to fix the issue.
https://fedorahosted.org/freeipa/ticket/5959
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When combobox is opened then ESC key should close it. There was a bug
that ESC key closed also the dialog. It was caused by bad keyboard event
handling. The CB was closed by keydown event and the dialog by keyup.
Therefore the propagating of keyup and keydown event is stopped when CB
is opened (when the event is fired on CB element).
https://fedorahosted.org/freeipa/ticket/6388
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Adder dialog is mixed with confirmation_mixin. That mixin calls on_cancel method
when closing dialog using ESC key. Previously the on_cancel method
was not defined, therefore dialog was not correctly closed. This was the root
cause of the bug, that adder dialog cannot be opened after closing it using ESC.
Now the default function for on_cancel is dialog.close. So dialog
is correctly closed.
https://fedorahosted.org/freeipa/ticket/6388
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
<Connector port="8009"
protocol="AJP/1.3"
redirectPort="8443"
address="::1" />
ie all requests to port 8009 are redirected to port 8443 on address ::1.
If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica.
Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
redirection with "localhost", FreeIPA does not need any more to override
this setting.
The code now depends on pki 10.3.5-11 which provides the fix in the template
and the upgrade.
https://fedorahosted.org/freeipa/ticket/6575
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
