Commit 7284097eed kept
find_providing_servers('CA') call before enable_services(). Therefore the
list of known CA servers did not contain the current replica.
ipa-replica-install on the first replica with --setup-ca still printed
the CA topology warning.
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Service entries in cn=FQDN,cn=masters,cn=ipa,cn=etc are no longer
created as enabled. Instead they are flagged as configuredService. At
the very end of the installer, the service entries are switched from
configured to enabled service.
- SRV records are created at the very end of the installer.
- Dogtag installer only picks fully installed servers
- Certmonger ignores all configured but not yet enabled servers.
Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
When installing multiple replicas in parallel, one replica may create
SRV entries for other replicas, although the replicas aren't fully
installed yet. This may cause some services to connect to a server, that
isn't ready to serve requests.
The DNS IPASystemRecords framework now skips all servers that aren't
ready IPA masters.
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
server_find and server_role plugin were hiding IPA master role
information. It's now possible to fetch IPA master role information and
to filter by IPA master role, e.g. to ignore servers that have some
services configured but not (yet) enabled.
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Fix `ERROR 'str' object has no attribute 'decode'` when --zonemgr is
passed to ipa-server-install.
Solution copied from commit 75d26e1f01,
function `ipaserver.install.bindinstance.zonemgr_callback` duplicates
the behavior of the method affected by this patch.
Issue: https://pagure.io/freeipa/issue/7612
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
- Add missing executable bits to all scripts
- Remove executable bits from all files that are not scripts,
e.g. js, html, and Python libraries.
- Remove Python shebang from all Python library files.
It's frown upon to have executable library files in site-packages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Python 3 has moved all collection abstract base classes to
collections.abc. Python 3.7 started to deprecate the old aliases.
The whole import block needs to be protected with import-error and
no-name-in-module, because Python 2 doesn't have collections.abc module and
collections.abc.Mapping, while Python 3 doesn't have collections.Mapping.
Fixes: https://pagure.io/freeipa/issue/7609
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Skip the existing reverse zone overlap check during DNS installation
when both --auto-reverse and --allow-zone-overlap arguments are
provided.
https://pagure.io/freeipa/issue/7239
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipaldap's LDAPClient client turns INVALID_CREDENTIAL error into
ACIError. Catch the ACIError and wait until the user has been
replicated.
Apparently no manual or automated test ran into the timeout during
testing.
Fixes: Fixes: https://pagure.io/freeipa/issue/7593
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When AD forest A has a trust with a forest B that claims ownership
of a domain name (TLN) owned by an IPA forest, we need to build
exclusion record for that specific TLN, not our domain name.
Use realmdomains to find a correct exclusion entry to build.
Fixes: https://pagure.io/freeipa/issue/7370
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Make CA bundles, certs, and cert directories world-accessible in
upgrader.
Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The directory /etc/httpd/alias contains public key material. It must be
world readable and executable, so any client can read public certs.
Note: executable for a directory means, that a process is allowed to
traverse into the directory.
Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In CIS hardened mode, the process umask is 027. This results in some
files not being world readable. Ensure that write_certificate_list()
calls in client installer, server installer, and upgrader create cert
bundles with permission bits 0644.
Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
DogtagInstance.setup_admin and related methods have multiple LDAP
replication race conditions. The bugs can cause parallel
ipa-replica-install to fail.
The code from __add_admin_to_group() has been changed to use MOD_ADD
ather than search + MOD_REPLACE. The MOD_REPLACE approach can lead to
data loss, when more than one writer changes a group.
setup_admin() now waits until both admin user and group membership have
been replicated to the master peer. The method also adds a new ACI to
allow querying group member in the replication check.
Fixes: https://pagure.io/freeipa/issue/7593
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Instead of multiple timeout values all over the code base, all
replication waits now use a common timeout value from api.env of 5
minutes. Waiting for HTTP/replica principal takes 90 to 120 seconds, so
5 minutes seem like a sufficient value for slow setups.
Fixes: https://pagure.io/freeipa/issue/7595
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
replication.wait_for_entry() now can wait for an attribute value to
appear on a replica.
Fixed timeout handling caused by bad rounding and comparison. For small
timeouts, the actual time was rounded down. For example for 60 seconds
timeout and fast replica, the query accumulated to about 0.45 seconds
plus 60 seconds sleep. 60.45 is large enough to terminate the loop
"while int(time.time()) < timeout", but not large enough to trigger the
exception in "if int(time.time()) > timeout", because int(60.65) == 60.
See: https://pagure.io/freeipa/issue/7593
Fixes: https://pagure.io/freeipa/issue/7595
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Check if the given search records value is greater than an arbitrary number that is not so close to zero.
https://pagure.io/freeipa/issue/6617
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
There are some missing translatable docstrings of commands and modules.
Fixes: https://pagure.io/freeipa/issue/7592
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Translation objects have support for format(). This allows to
get rid of unicode() which has been removed in Python3.
Also some messages to be translated at request time should
not use format()
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.
Also some messages to be translated at request time should
not use format().
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Translation objects have support for format(). This allows to
get rid of unicode() which is deprecated in Python3.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-replica-install only set ca_host in its temporary
/etc/ipa/default.conf, when it wasn't installing a replica with CA. As a
consequence, the replica installer was picking a random CA server from
LDAP.
Always set the replication peer as ca_host. This will ensure that the
installer uses the same replication peer for CA. In case the replication
peer is not a CA master, the installer will automatically pick another
host later.
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The server installer had no console logger set so print
statements were used for communication. Now that a logger
is enabled the extra prints need to be dropped.
A number of logger.info statements have been upgraded
to debug since they do not need to appear on the console
by default.
https://pagure.io/freeipa/issue/6760
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This otherwise returns a syntax error if trying to set
an empty value.
Related: https://pagure.io/freeipa/issue/6760
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The server installation and uninstallation overlaps both the
server and client installers. The output could be confusing
with a server uninstall finishing with the message:
The ipa-client-install command was successful
This was in part due to the fact that the server was not
configured with a console format and verbose was False which
meant that no logger messages were displayed at all.
In order to suppress client installation errors and avoid
confusion add a list of errors to ignore. If a server install
was not successful and hadn't gotten far enough to do the
client install then we shouldn't complain loudly about it.
https://pagure.io/freeipa/issue/6760
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
On multiple occasions, SRV query answers were not properly sorted by
priority. Records with same priority weren't randomized and shuffled.
This caused FreeIPA to contact the same remote peer instead of
distributing the load across all available servers.
Two new helper functions now take care of SRV queries. sort_prio_weight()
sorts SRV and URI records. query_srv() combines SRV lookup with
sort_prio_weight().
Fixes: https://pagure.io/freeipa/issue/7475
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Increase the WSGI daemon worker process count from 2 processes to 5
processes. This allows IPA RPC to handle more parallel requests. The
additional processes increase memory consumption by approximante 250 MB
in total.
Since memory is scarce on 32bit platforms, only 64bit platforms are
bumped to 5 workers.
Fixes: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The command description is taken from python docstring. Thus
commands should have them and should include the callings of
gettext to be translated.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The schema compat plugin is disabled on upgrades but it is
possible that it is not configured at all and this will
produce a rather nasty looking error message.
Check to see if it is configured at all before trying to
disable it.
https://pagure.io/freeipa/issue/6610
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Sometimes named-pkcs11 is not being stopped or reloaded during
uninstall and it causes a lot of problems while testing, for example,
backup and restore tests are failing because of ipa-server-install
fails on checking DNS step.
Fixes backup/restore tests runs. Maybe something else.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Fix 994f71ac8a was incomplete. Under some
circumstancs the DM hash and CA keys were still retrieved from two different
machines.
Custodia client now uses a single remote to upload keys and download all
secrets.
Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
If this is enabled it can cause a deadlock with SSSD trying
to look up entries and it trying to get data on AD users
from SSSD.
When reading the entry from LDIF try to get the camel-case
nsslapd-pluginEnabled and fall back to the all lower-case
nsslapd-pluginenabled if that is not found. It would be nice
if the fetch function was case sensitive but this is likely
overkill as it is, but better safe than blowing up.
Upon restoring it will always write the camel-case version.
https://pagure.io/freeipa/issue/6721
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
PR https://github.com/freeipa/freeipa/pull/1747 added the first template
for FreeIPA client package. The template file was added to server
templates, which broke client-only builds.
The template is now part of a new subdirectory for client package shared
data.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa cert_find command has an option called --subject.
The option is documented as --subject=STR Subject.
It is expected that a --subject option searches by X.509 subject field but it does not do so.
It searches for CN not cert subject. Hence changing content of --subject help option.
Resolves: https://pagure.io/freeipa/issue/7322
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The server, replica, and client installer now print the current version
number on the console, before the actual installer starts. It makes it
easier to debug problems with failed installations. Users typically post
the console output in a ticket.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The password was only indirectly validated when trying to
disable replication agreements for the restoration.
Only validate the password if the IPA configuration is available
and dirsrv is running.
https://pagure.io/freeipa/issue/7136https://pagure.io/freeipa/issue/7535
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The site and module configs are split on Debian, server setup needs
to match that.
Fixes: https://pagure.io/freeipa/issue/7554
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
And since Fedora 28 dropped support for non-64bit, hardcode default LIBARCH as 64.
Fixes: https://pagure.io/freeipa/issue/7555
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
kadmind doesn't start without it, and Debian doesn't ship it by default.
Fixes: https://pagure.io/freeipa/issue/7553
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
OpenLDAP has deprecated PORT and HOST stanzes in ldap.conf. The presence
of either option causes FreeIPA installation to fail. Refuse
installation when a deprecated and unsupported option is present.
Fixes: https://pagure.io/freeipa/issue/7418
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
LDAP connections no longer depend on sane settings in global ldap.conf
and use good default settings for cert validation, CA, and SASL canonization.
https://pagure.io/freeipa/issue/7418
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
When IPA is installed with an externally signed CA, the master installer
does not publish the whole cert chain in /usr/share/ipa/html/ca.crt (but
/etc/ipa/ca.crt contains the full chain).
If a client is installed with a One-Time Password and without the
--ca-cert-file option, the client installer downloads the cert chain
from http://master.example.com/ipa/config/ca.crt, which is in fact
/usr/share/ipa/html/ca.crt. The client installation then fails.
Note that when the client is installed by providing admin/password,
installation succeeds because the cert chain is read from the LDAP server.
https://pagure.io/freeipa/issue/7526
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa-backup and ipa-restore now use GnuPG 2 for asymmetric encryption, too.
The gpg2 command behaves a bit different and requires a gpg2 compatible
config directory. Therefore the --keyring option has been deprecated.
The backup and restore tools now use root's GPG keyring by default.
Custom configuration and keyring can be used by setting GNUPGHOME
environment variables.
Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The /usr/bin/gpg command is old, legacy GnuPG 1.4 version. The
recommended version is GnuPG 2 provided by /usr/bin/gpg2. For simple
symmentric encryption, gpg2 is a drop-in replacement for gpg.
Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Upstream ticket was raised for issuing an warning message
whenever data in ipa vault is overwritten.
In Bugzilla(1339129) its agreed upon that Current behavior is consistent
with other IPA commands. None of ipa mod commands asks for confirmation
and therefore it should be the same here.
But to document, that vault can contain only one value in ipa help vault.
This PR addresses the changes agreed in Bugzilla.
Resolves: https://pagure.io/freeipa/issue/5922
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa-advise config-fedora-authconfig produces a script with authconfig
instructions for configuring Fedora 18/19 client with IPA server
without use of SSSD. Fedora 18 and 19 are not supported any more,
so the plugin could be removed.
Resolves: https://pagure.io/freeipa/issue/7533
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Now radius proxy plugin allows to add more then one radius server
into radius proxy but the first one from ldap response is being
parsed (you can see ./daemons/ipa-optd/parse.c).
So this kind of behaviour is a bug, as it was determined on IRC.
This patch removes possibility to add more then one radius server
into radius proxy.
Pagure: https://pagure.io/freeipa/issue/7542
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Early return prevented adding last warning message in the method:
"Ignoring these warnings and proceeding with removal"
And thus `check_master_removal` in `test_server_del` did not work.
https://pagure.io/freeipa/issue/7517
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
mod_ssl's limiting of client cert verification depth was causing
the replica installs to fail when master had been installed with
external CA since the SSLCACertificateFile was pointing to a file
with more than one certificate. This is caused by the default
SSLVerifyDepth value of 1. We set it to 5 as that should be
just about enough even for possible sub-CAs.
https://pagure.io/freeipa/issue/7530
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Allow services to be members of the groups, like users and other groups
can already be.
This is required for use cases where such services aren't associated
with a particular host (and thus, the host object cannot be used to
retrieve the keytabs) but represent purely client Kerberos principals to
use in a dynamically generated environment such as Kubernetes.
Fixes: https://pagure.io/freeipa/issue/7513
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add --skip-host-check option to ipa service-add command to allow
creating services without corresponding host object. This is needed to
cover use cases where Kerberos services created to handle client
authentication in a dynamically generated environment like Kubernetes.
Fixes: https://pagure.io/freeipa/issue/7514
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The director /etc/httpd/alias was created by mod_nss. Since FreeIPA no
longer depends on mod_nss, the directory is no longer created on fresh
systems.
Note: At first I wanted to move the file to /var/lib/ipa/private/ or
/var/lib/httpd/. SELinux prevents write of httpd_t to ipa_var_lib_t. I'm
going to move the file after a new SELinux policy is available.
See: https://pagure.io/freeipa/issue/7529
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The NSSDatabase object doesn't know the format of an NSS database
until the database is created so an explcit call to nssdb.create_db.
https://pagure.io/freeipa/issue/7469
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Introduce server installation constants similar to the client
but only tie in SERVER_NOT_CONFIGURED right now.
For the case of not configured don't spit out the "See <some log>
for more information" because no logging was actually done.
In the case of ipa-backup this could also be confusing if the
--log-file option was also passed in because it would not be
used.
https://pagure.io/freeipa/issue/6843
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When a user with sufficient permissions creates a group using ipa
group-add and then deletes it again with group-del ipa gives an
Insufficient access error, but still deletes the group.
This is due to a need to remove an associaed password policy for the
group. However, a password policy might be inaccessible to the user
(created by a more powerful admin) and there is no way to check that it
exists with current privileges other than trying to remove it.
Seeing a Python exceptions in the Apache log without explanation is
confusing to many users, so add a warning message that explains what
happens here.
Fixes: https://pagure.io/freeipa/issue/6884
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This will allow for whitespace around the separator and changes the
default space separator into white space (space + tabs) to be more
generic and work better on Ubuntu which uses tabs in its Apache
configuration.
https://pagure.io/freeipa/issue/7490
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
We added the separator to the regex in set_directive_lines to avoid
grabbing just a prefix. This doesn't allow for whitespace around
the separator.
For the Apache case we expected that the separator would be just
spaces but it can also use tabs (like Ubuntu 18). Add a special
case so that passing in a space separator is treated as whitespace
(tab or space).
https://pagure.io/freeipa/issue/7490
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The password was only indirectly validated when trying to
disable replication agreements for the restoration.
https://pagure.io/freeipa/issue/7136
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The installer reports the CA configuration that will be used,
including whether the CA is self-signed or externally-signed.
Installation with external CA takes two steps. The first step
correctly reports the externally signed configuration (like the
above), but the second step reports a self-signed configuration.
The CA *is* externally signed, but the configuration gets reported
incorrectly at step 2. This could confuse the administrator. Fix
the message.
Fixes: https://pagure.io/freeipa/issue/7523
Reviewed-By: Christian Heimes <cheimes@redhat.com>
In Python 3, cryptography requires certificate data to be binary. Even
PEM encoded files are treated as binary content.
certmap-match and cert-find were loading certificates as text files. A
new BinaryFile type loads files as binary content.
Fixes: https://pagure.io/freeipa/issue/7520
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Because krb5 silently ignores unrecognized options, this is safe on
all versions. It lands upstream in krb5-1.17; in Fedora, it was added
in krb5-1.6-17.
Upstream documentation can be found in-tree at
https://github.com/krb5/krb5/blob/master/doc/admin/spake.rst
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-advise config-client-for-smart-card-auth was producing a shell script
calling authconfig.
With the migration from authconfig to authselect, the script needs to
be updated and call authselect enable-feature with-smartcard instead.
Related to
https://pagure.io/freeipa/issue/7377
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The authconfig tool is deprecated and replaced by authselect. Migrate
FreeIPA in order to use the new tool as described in the design page
https://www.freeipa.org/page/V4/Authselect_migration
Fixes:
https://pagure.io/freeipa/issue/7377
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Installers now pass a single CustodiaInstance object around, instead of
creating new instances on demand. In case of replica promotion with CA,
the instance gets all secrets from a master with CA present. Before, an
installer created multiple instances and may have requested CA key
material from a different machine than DM password hash.
In case of Domain Level 1 and replica promotion, the CustodiaInstance no
longer adds the keys to the local instance and waits for replication to
other replica. Instead the installer directly uploads the new public
keys to the remote 389-DS instance.
Without promotion, new Custodia public keys are still added to local
389-DS over LDAPI.
Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
ipa-advise config-server-for-smart-card-auth produces a script that
was still using /etc/httpd/conf.d/nss.conf instead of
/etc/httpd/conf.d/ssl.conf for setting the Apache SSLOCSPEnable Directive.
The fix replaces references to nss.conf with ssl.conf.
https://pagure.io/freeipa/issue/7515
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Without GSSPROXY_CONF being backed up, we would get this error
"ipa: ERROR: No valid Negotiate header in server response"
when running any ipa command after a backup restore.
This commit also fixes the tests:
- TestBackupAndRestore::test_full_backup_and_restore
- TesttBackupAndRestore::test_full_backup_and_restore_with_selinux_booleans_off
https://pagure.io/freeipa/issue/7473
Reviewed-By: Christian Heimes <cheimes@redhat.com>
CA replica installation fails, because 'caSigningCert cert-pki-ca' is
imported a second time under a different name. The issue is caused
by the fact, that SQL NSS DB handles duplicated certificates differently
than DBM format.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1561730
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Both of these are legal: unconfined_u and unconfined.u
https://pagure.io/freeipa/issue/7510
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The option realm was being passed in instead of realm_name.
https://pagure.io/freeipa/issue/7489
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In certprofile-import if the config file contains two profileId
directives with different values, with the first matching the
profile ID CLI argument and the second differing, the profile gets
imported under the second ID. This leads to:
- failure to enable the profile
- failure to add the IPA "tracking" certprofile object
- inability to delete the misnamed profile from Dogtag (via ipa CLI)
To avert this scenario, detect and reject profile configurations
where profileId is specified multiple times (whether or not the
values differ).
https://pagure.io/freeipa/issue/7503
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
We already validate that --setup-dns is specified when any of
DNS-related options provided by a user. Do the same for --setup-adtrust
case.
Fixes: https://pagure.io/freeipa/issue/7410
Reviewed-By: Christian Heimes <cheimes@redhat.com>
389-ds 1.3.5 changed the error message format for
nsds5ReplicaLastUpdateStatus value. Now it produces
"Error (%d) %s" instead of "%d %s".
Change the check_repl_update() to handle both formats.
Fixes: https://pagure.io/freeipa/issue/7442
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When we attempt to update an entry during upgrade, it may have already
contain the data in question between the check and the update. Ignore
the change in this case and record it in the log.
Fixes: https://pagure.io/freeipa/issue/7450
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Commit afc0d4b62d added an upgrade
step that add an attribute to a replica config entry. The entry
only exists after a replica has been added, so upgrade was broken
for standalone server. Catch and suppress the NotFound error.
Related to: https://pagure.io/freeipa/issue/7488
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The nsds5ReplicaReleaseTimeout setting prevents the monopolization of
replicas during initial or busy master-master replication. 389-DS
documentation suggets a timeout of 60 seconds to improve convergence of
replicas.
See: http://directory.fedoraproject.org/docs/389ds/design/repl-conv-design.html
Fixes: https://pagure.io/freeipa/issue/7488
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
According to a comment, certutil may create files in the current working
directory. Rather than changing the cwd of the current process,
FreeIPA's certutil wrapper now changes cwd for the subprocess only.
See: https://pagure.io/freeipa/issue/7416
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In replica DL1 installation, the --ip-address option was not passed
down to the ipa-client-install script (when not promoting client).
This resulted in creating DNS records for all of the host's interface
IP adresses instead of just those specified.
This patch passes all the --ip-address options down to the client
installation script.
https://pagure.io/freeipa/issue/7405
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Without ldap_uri, IPAKEMKeys parses /etc/ipa/default.conf. During
uninstallation, the file may no longer contain ldap_uri. This workaround
is required for test case
test_replica_promotion.py::TestReplicaPromotionLevel0::test_promotion_disabled
Fixes: https://pagure.io/freeipa/issue/7474
Co-authored-by: Felipe Barreto <fbarreto@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
When there was no ntp-server option specified configuration
of chrony was skipped even in case that there was ntp-pool
option passed to the installation of client/server.
Moved duplicates of prints from client to server.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
FreeIPA will always force chrony service and disable any
other conflicting time synchronization daemon.
Add --ntp-server option to server manpage and note to NTP pool option.
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Remove NTP server role from config.py.
Remove uneccesary variables and replaced untrack_file with restore_file.
Update typo in manpages and messages printed while installing.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Removing ntpd configuration files and entry from LDAP.
Add parameter and rename method for restoring forced time
services. Addressing some requests for change too.
Remove unused path for chrony-helper.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This will change behaviour that FreeIPA server will be no more
ntpd server and time service is no longer part of FreeIPA topology.
As dependency for ntpd was completely removed, and there is only
dependency for chrony, FreeIPA will configure every host to
became chronyd service's clients.
FreeIPA have not supported --ntp-server option now it must to
support client configuration of chrony.
Configuration of chrony is moved to client-install therefore
NTP related options are now passed to the ipa-client-install
script method sync_time which now handles configuration of chrony.
Server installation has to configure chrony before handling
certificates so there is call to configure chrony outside of
using server's statestore and filestore.
Removed behavior that there is always --no-ntp option set.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Completely remove ipaserver/install/ntpinstance.py
This is no longer needed as chrony client configuration
is now handled in ipa-client-install.
Part of ipclient/install/client.py related to ntp configuration
has been refactored a bit to not lookup for srv records
and/or run chrony if not necessary.
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The installer now checks that port 8080 is available and not in use by
any other application.
The port checker has been rewritten to use bind() rather than just
checking if a server responds on localhost. It's much more reliable and
detects more problems.
Original patch by m3gat0nn4ge.
Co-authored-by: Mega Tonnage <m3gat0nn4ge@gmail.com>
Fixes: https://pagure.io/freeipa/issue/7415
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add a note in cainstance.configure_instance that "admin_password" is
the password to be used for the PKI admin account, NOT the IPA admin
password. In fact, it is set to the Directory Manager password.
This comment would have saved me some time during recent
investigation of a replica installation issue.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Commit aee0d2180c adds an upgrade step
that adds system crypto policy include to named.conf. This step
omitted the named.conf existence check; upgrade fails when it does
not exist. Add the existence check.
Also update the test to add the IPA-related part of the named.conf
config, because the "existence check" actually does more than just
check that the file exists - it also check that it contains the IPA
bind-dyndb-ldap configuration section.
Part of: https://pagure.io/freeipa/issue/4853
Reviewed-By: Christian Heimes <cheimes@redhat.com>
With the recent encryption of the HTTPD keys, it's also necessary
to count with this scenario during upgrade and create the password
for the HTTPD private key along the cert/key pair.
This commit also moves the HTTPD_PASSWD_FILE_FMT from ipalib.constants
to ipaplatform.paths as it proved to be too hard to be used that way.
https://pagure.io/freeipa/issue/7421
Reviewed-By: Christian Heimes <cheimes@redhat.com>
For redundancy and security against catastrophic failure of a CA
master, there must be more than one CA master in a topology.
Replica installation is a good time to warn about this situation.
Print a warning at the end of ipa-replica-install, if there is only
one CA replica in the topology.
Fixes: https://pagure.io/freeipa/issue/7459
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Use temporary empty DIR-based ccache collection to prevent upgrade
failures in case KCM: or KEYRING: ccache type is used by default in
krb5.conf and is not available. We don't need any user credentials
during upgrade procedure but kadmin.local would attempt to resolve
default ccache and if that's not available, kadmin.local will fail.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1558818
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit adds configuration for HTTPD to encrypt/decrypt its
key which we currently store in clear on the disc.
A password-reading script is added for mod_ssl. This script is
extensible for the future use of directory server with the
expectation that key encryption/decription will be handled
similarly by its configuration.
https://pagure.io/freeipa/issue/7421
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-{server,kra}-install logs have been showing warnings about
deprecation of some Dogtag configuration options. Follow
the warnings' advice and rename these options to their newer
form.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
ipa user-find --whoami is used by ipa otptoken-add to populate
ipaTokenOwner and managedBy attributes. These attributes, in turn are
checked by the self-service ACI which allows to create OTP tokens
assigned to the creator.
With 389-ds-base 1.4.0.6-2.fc28 in Fedora 28 beta there is a bug in
searches with scope 'one' that result in ipa user-find --whoami
returning 0 results.
Because ipa user-find --whoami does not work, non-admin user cannot
create a token. This is a regression that can be fixed by using LDAP
Whoami command.
LDAP Whoami command returns a string 'dn: <DN of the bind>', so we have
to strip first four characters to get actual DN.
Fixes: https://pagure.io/freeipa/issue/7456
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
With e6c707b168 we changed httpd
configuration to use abstracted out variables in the template.
However, during upgrade we haven't resolved these variables so an
upgrade from pre-e6c707b168067ebb3705c21efc377acd29b23fff install will
fail.
Add all missing variables to the upgrade code.
Fixes https://pagure.io/freeipa/issue/7454
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When non-admin user issues a command that utilizes
api.Object.config.show_servroles_attributes(), some server roles might
return errors.EmptyResult, indicating that a role is not visible to this
identity.
Most of the callers to api.Object.config.show_servroles_attributes() do
not process errors.EmptyResult so it goes up to an API caller. In case
of Web UI it breaks retrieval of the initial configuration due to ipa
config-show failing completely rather than avoiding to show available
server roles.
Fixes: https://pagure.io/freeipa/issue/7452
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
It is quite unclear how realm domains behave without reading source
code. New doc text describes its purpose and how it is managed.
https://pagure.io/freeipa/issue/7424
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
During ipa-replica-install, http installation first creates a service
principal for http/hostname (locally on the soon-to-be-replica), then
waits for this entry to be replicated on the master picked for the
install.
In a later step, the installer requests a certificate for HTTPd. The local
certmonger first tries the master defined in xmlrpc_uri (which is
pointing to the soon-to-be-replica), but fails because the service is not
up yet. Then certmonger tries to find a master by using the DNS and looking
for a ldap service. This step can pick a different master, where the
principal entry has not always be replicated yet.
As the certificate request adds the principal if it does not exist, we can
end by re-creating the principal and have a replication conflict.
The replication conflict later causes kerberos issues, preventing
from installing a new replica.
The proposed fix forces xmlrpc_uri to point to the same master as the one
picked for the installation, in order to make sure that the master already
contains the principal entry.
https://pagure.io/freeipa/issue/7041
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Configure the status request timeout, i.e. the connect/data timeout
on the HTTP request to get the status of Dogtag.
This configuration is needed in "multiple IP address" scenarios
where this server's hostname has multiple IP addresses but the HTTP
server is only listening on one of them. Without a timeout, if a
"wrong" IP address is tried first, it will take a long time to
timeout, exceeding the overall timeout hence the request will not be
re-tried. Setting a shorter timeout allows the request to be
re-tried.
Note that HSMs cause different behaviour so this value might not be
suitable for when we implement HSM support. It is known that a
value of 5s is too short in HSM environment.
This fix requires pki-core >= 10.6.0, which is already required by
the spec file.
Fixes: https://pagure.io/freeipa/issue/7425
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
DogtagInstance.backup_config uses shutil.copy to create a backup of the
config file. The function does not retain owner and group, so it creates a
backup as user and group root:root.
Closes: https://pagure.io/freeipa/issue/7426
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
Installer now prints runtime of each step / part to install log.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
While trying to add idrange with untrusted domain name error
message is misleading.
Changing the error message to:
invalid 'ID Range setup':Specified trusted domain
name could not be found.
Resolves: https://pagure.io/freeipa/issue/5078
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
When ipa-restore is called, it needs to delete the file
nss.conf, otherwise httpd server will try to initialize
the NSS engine and access NSSCertificateDatabase.
This is a regression introduced with the switch from NSS
to SSL.
https://pagure.io/freeipa/issue/7440
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipa-server-install creates the kerberos container by calling
kdb5_util create -s -r $REALM -x ipa-setup-override-restrictions
but does not react on failure of this command. The installer fails later
when trying to create a ldap principal, and it is difficult to diagnose the
root cause.
The fix raises a RuntimeException when kdb5_util fails, to make sure
that the installer exits immediately with a proper error message.
Note: no test added because there is no easy reproducer. One would need to
stop dirsrv just before calling kdb5_util to simulate a failure.
https://pagure.io/freeipa/issue/7438
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
The previous default token key size would fail in FIPS mode for the sha384
and sha512 algorithms. With the updated key size, the default will work in
all cases.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The fix_trust_flags upgrade procedure pertains to the old Apache
mod_nss setup. With the move to mod_ssl, it now raises an
exception, so remove it.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When ipa host-add --random is unable to add a reverse record (for instance
because the server does not manage any reverse zone), the command
adds the host but exits (return code=1) with an error without actually
outputing the random password generated.
With this fix, the behavior is modified. The commands succeeds (return code=0)
but prints a warning.
This commit also adds a unit test.
https://pagure.io/freeipa/issue/7374
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The disable system trust feature is no longer used.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
CertDB no longer makes any assumptions about the default db type of a NSS
DB. Instead it let's certutil decide when dbtype is set to 'auto'. This
makes it much easier to support F27 and F28 from a single code base.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
- Refactor CertDB to look up values from its NSSDatabase.
- Add run_modutil() helpers to support sql format. modutil does not
auto-detect the NSSDB format.
- Add migration helpers to CertDB.
- Add explicit DB format to NSSCertificateDatabase stanza
- Restore SELinux context when migrating NSSDB.
- Add some debugging and sanity checks to httpinstance.
The actual database format is still dbm. Certmonger on Fedora 27 does
neither auto-detect DB format nor support SQL out of the box.
https://pagure.io/freeipa/issue/7354
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add storage='NSSDB' to various places. It makes it a bit easier to track
down NSSDB usage.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
We should backup mod_ssl configuration when migrating from nss
otherwise the uninstall would later leave the machine with
IPA-specific settings.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Adjust the HTTPInstance.__publish_ca_cert() method so that it only
exports the lowest intermediate CA certificate that signed the
HTTP certificate.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Verify the certificate issued during an installation belongs
to its private key.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Backup mod_nss configuration in case IPA is uninstalled once
and there's applications that require it. We too required it
in previous versions, after all.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The import_ca_certs_{file,nssdb} methods were actually exporting
CA certificates from LDAP to different formats. The new names should
better reflect what these methods are actually doing.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixes ipa-server-upgrade when upgrading from a pre-mod_ssl
version where the appropriate "Include" statement needs to
be added to ssl.conf settings so that WebUI functions properly.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This refactors the way certificate files are replaced during
ipa-server-certinstall and uses that approach on KDC and
HTTPD certificate cert-key pairs.
https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Part of the mod_nss -> mod_ssl move. This patch allows loading
necessary certificates for Apache to function from PKCS#12 files.
This should fix CA-less and domain level 0 installations.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fix the upload_cacrt.py plugin to use the DS NSS database to
upload the CA certificate from (which is the original behavior).
This is possibly required for the upgrade path from some very
old IPA versions that did not use the certificates storage in
LDAP.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When setting a value using set_directive() look for a commented-out
version of the directive and add the new value immediately after
that to keep the proper context.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This is because if backed up it may contain IPA-specific entries
like an import of ipa-rewrite.conf that on uninstall won't exist
and this will keep Apache from restarting.
We already have a backup of nss.conf from pre-install. Stick with
that.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The existing private/public keys are migrated to PEM files
via a PKCS#12 temporary file. This should work for both
IPA-generated and user-provided server certificates.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Change some built-in assumptions that Apache has an NSS certificate
database.
Configure mod_ssl instead of mod_nss. This is mostly just changing
the directives used with some slight syntactical differences.
Drop mod_nss-specific methods and functions.
There is some mention of upgrades here but this is mostly a
side-effect of removing things necessary for the initial install.
TODO:
- backup and restore
- use user-provided PKCS#12 file for the certificate and key
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Mocked tests require the mock package for Python 2.7. Python 3 has
unittest.mock in the standard library.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Fixes a regression in 4.5.0 where special character set was limited.
Special characters in the OTP has caused issues in unattended
installations where the OTP is not properly quoted or escaped.
Expansion of the special character set in 4.5.0 release may cause
existing user installation scripts to fail where they wouldn't
otherwise.
https://pagure.io/freeipa/issue/7380
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Replace all ldap.initialize() calls with a helper function
ldap_initialize(). It handles cacert and cert validation correctly. It
also provides a unique place to handle python-ldap 3.0 bytes warnings in
the future.
Fixes: https://pagure.io/freeipa/issue/7411
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
"ipa-server-install --uninstall" no longer fails with error message
"'Env' object has no attribute 'basedn'" when executed on a system that
has no freeIPA server installation.
Fixes: https://pagure.io/freeipa/issue/7063
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
Use Python 3's reprlib with customizations to create same API.txt under
Python 2 and 3. Some plugins have been slightly altered to use stable
sorting for dynamically created parameter lists.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When ipa host-add --ip-address is called but no DNS server is able to answer
for the reverse zone, get_reverse_zone raises a NoNameservers exception.
The exception is not managed by add_records_for_host_validation, and this
leads to the command exiting on failure with an InternalError:
$ ipa host-add testhost.ipadomain.com --ip-address 172.16.30.22
ipa: ERROR: an internal error has occurred
A traceback is also logged in httpd error_log.
This commit properly handles the exception, and adds a test.
https://pagure.io/freeipa/issue/7397
Reviewed-By: Christian Heimes <cheimes@redhat.com>
If after ipa-restore the service oddjobd is not running,
domain-level1 replica installation will fail during
ipa-replica-conncheck because this step is using oddjob
to start the process ipa-replica-conncheck on the master.
This patch fixes it. Also added regression test.
https://pagure.io/freeipa/issue/7234
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
ldap2.can_add checks for add permission of a given entry.
It did not work properly due to a defect in 389 DS. Now that the
defect has been fixed, we also need to update can_add to work with
the mechanism 389 DS provides for checking add permission for
entries where ACIs are in effect.
Update the ldap2.can_add implementation to perform the add
permission check properly. Also update call sites accordingly.
Update the spec file to require 389-ds-base-1.3.7.9-1 which is the
first release containing the fix. This version of 389-ds-base also
resolves a couple of other issues related to replication and
connection management.
Fixes: https://pagure.io/freeipa/issue/6609
Fixes: https://pagure.io/freeipa/issue/7165
Fixes: https://pagure.io/freeipa/issue/7228
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Allow caller to specify that the GetEffectiveRights server control
should be used on a per-operation basis. Also update
ldap2.get_effective_rights to use this new API.
Part of: https://pagure.io/freeipa/issue/6609
Reviewed-By: Christian Heimes <cheimes@redhat.com>
If the replication agreement does not exist, a custom exception is
raised explaining the problem.
https://pagure.io/freeipa/issue/7201
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Instead of a package conflict, freeIPA now uses an Apache config file to
enforce the correct wsgi module. The workaround only applies to Fedora
since it is the only platform that permits parallel installation of
Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
Debian doesn't permit installation of both variants.
See: https://pagure.io/freeipa/issue/7161
Fixes: https://pagure.io/freeipa/issue/7394
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
KRA installer restarts 389-DS, which disrupts named-pkcs11
bind-dyndb-ldap for a short while. Restart named-pkcs11 to fix DNS
resolver.
Fixes: https://pagure.io/freeipa/issue/5813
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
389-DS >= 1.4.0 on Fedora 28 has a default entry for
cn=RSA,cn=encryption,cn=config. The installer now updates the entry in
case it already exists. This ensures that token and personality are
correct for freeIPA
Fixes: https://pagure.io/freeipa/issue/7393
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When renewing externally-signed CA or when switching from
externally-signed to self-signed CA, the Issuer DN can change.
Update the ipaCaIssuerDn field of the IPA CA entry upon renewal, to
keep it in sync.
Fixes: https://pagure.io/freeipa/issue/7316
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Use is_installed() instead of is_configured() because
is_installed() does a config file check to see if the service
is in use.
https://pagure.io/freeipa/issue/7389
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.
The fix simplifies Darix's port of freeIPA on openSuSE.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The ipa-server-upgrade command now checks for presence of ipa-custodia's
config and server keys. In case any of the files is missing, it
re-creates both files.
Partly resolves https://pagure.io/freeipa/issue/6893. The upgrader does
not auto-detect broken or mismatching keys yet.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Replace assert with proper check and exception.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Related: https://pagure.io/freeipa/issue/4985
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
hexlify returns bytes and needs to be casted to string before
printing it out.
Related: https://pagure.io/freeipa/issue/4985
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
LDAP client returns values as bytes, thus bindmgr must work with
bytes properly.
https://pagure.io/freeipa/issue/4985
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
In py3 iteration over bytes returns integers, in py2 interation over
bytes returns string.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
LDAP client returns values as bytes, thus ipa-dnskeysyncd must work with
bytes properly.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Integration test is failing due to wrong message being
displayed by ipa. This issue was most probably introduced
by PR:
f51869bf52
Error messages for domain level 0 and >=1 cases were basically
swapped. This PR is swapping them back.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
When executing cert-request, if Dogtag successfully issues a
certificate but python-cryptography cannot parse the certificate, an
unhandled exception occurs. Handle the exception by notifying about
the malformed certificate in the response messages.
Fixes: https://pagure.io/freeipa/issue/7390
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
ipa rpc server did set the LANG environment variable on each
request and it was not thread safe which led to unpredictable
mixed languages output. Also, there were mistakes regarding
setting the Accept-Language HTTP header.
Now on each request we're setting the "languages" property
in the context thread local variable and client is setting
the Accept-Language HTTP header correctly.
Also, as the server is caching the schema and the schema can
be generated for several languages it's good to store different
schema fingerprint for each language separately.
pagure: https://pagure.io/freeipa/issue/7238
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
ipa-server-install --uninstall command is calling server-del to
delete replica. This scenario does not work since server-del
is also deleting all principals from and ldap breaking ldap
replication. As a result, only part of deletions are propagated
to the other replicals leaving a lot of orphaned data there.
https://pagure.io/freeipa/issue/7371
This patch won't fully fix the issue with left-over data
but more data is cleaned up and only ldap principal is left
thus ending in a better state.
Issue will be fully fixed only when topology plugin is patched
as well. The following pagure ticket is created to track
topology plugin change:
https://pagure.io/freeipa/issue/7359
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Changing from iteritems() to values() in order to be compatible with
python3.
https://pagure.io/freeipa/issue/7373
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Present Situation:
Logging is a bit incomplete when using a custom CA subject passed in via --ca-subject.
If there is a problem finding the IPA CA certificate then the installer will log:
ERROR IPA CA certificate not found in /tmp/servercert.pem, /tmp/cacert.pem
After the Fix this sort of log is seen:
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): DEBUG The ipa-server-install command failed, exception: ScriptError: IPA CA certificate with subject 'CN=Certificate Authority,O=GSSLAB.PNQ2.REDHAT.COM' was not found in /root/ipa.cert, /root/rootCA.crt.
Resolves: https://pagure.io/freeipa/issue/7245
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Mistake in recent fixes made the ipa-replica-prepare include
some extra files in the info file should the legacy format of
NSS databases be used.
https://pagure.io/freeipa/issue/7049
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When the option --domain-resolution-order is used with the command
ipa idview-add, the resulting LDAP object stores the value in
ipadomainresolutionorder attribute.
The issue is that the add command does not add the needed object
class (ipaNameResolutionData) because it is part of
possible_objectclasses but not of object_class.
The fix makes sure to add the objectclass when the option
--domain-resolution-order is used, and adds a non-regression test.
Note that idview-mod does not have any issue as it correctly handles
the addition of missing possible objectclasses.
Fixes:
https://pagure.io/freeipa/issue/7350
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
for/else makes only sense when the for loop uses break, too. If the for
loop simply returns on success, then else is not necessary.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Implicit string concatenation is technically correct, too. But when
combined in list, it's confusing for both human eye and static code
analysis.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Turn calls "handle_not_found()" into "raise handle_not_found()" to
indicate control flow chance. It makes the code easier to understand,
the control flow more obvious and helps static analyzers.
It's OK to raise here because handle_not_found() always raises an
exception.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Instantiating an exception, but not raising it, has no effect.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Replace exit() with sys.exit(). exit() or quit() may fail if the interpreter
is run with the -S option.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The Custodia instance is removed when LDAP is already shut down. Don't
fail and only remove the key files from disk. The server_del command
takes care of all Custodia keys in LDAP.
https://pagure.io/freeipa/issue/7318
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Enabling ephemeral KRA requests will reduce the amount of LDAP
write operations and improve overall performance.
Re-order some imports and shorten some lines to make pep8 happy.
Fixes: https://pagure.io/freeipa/issue/6703
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Rather than passing around the path to CS.cfg for the CA and KRA
set it at object creation and use everywhere.
Make update_cert_config() a real class method instead of a static
method. It wasn't being called that way in any case and makes it
possible to use the class config file.
Related: https://pagure.io/freeipa/issue/6703
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
KRA installation currently imports the admin cert. FreeIPA does not
track this cert and it may be expired, causing installation to fail.
Do not import the existing admin cert, and discard the new admin
cert that gets created during KRA installation.
Part of: https://pagure.io/freeipa/issue/7287
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
installutils.set_directive() is both inefficient and potentially
dangerous. It does not ensure that the whole file is written and
properly synced to disk. In worst case it could lead to partially
written or destroyed config files.
The new DirectiveSetter context manager wraps everything under an easy
to use interface.
https://pagure.io/freeipa/issue/7312
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
To separate concerns and make it easier to test set_directive,
extract function ``set_directive_lines`` to do the line-wise
search/replace, leaving ``set_directive`` to deal with the file
handling.
Part of: https://pagure.io/freeipa/issue/7288
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
`set_directive` only looks for a prefix of the line matching the
given directive (key). If a directive is encountered for which the
given key is prefix, it will be vanquished.
This occurs in the case of `{ca,kra}.sslserver.cert[req]`; the
`cert` directive gets updated after certificate renewal, and the
`certreq` directive gets clobbered. This can cause failures later
on during KRA installation, and possibly cloning.
Match the whole directive to avoid this issue.
Fixes: https://pagure.io/freeipa/issue/7288
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
During a distro upgrade, e.g. F-26 to F-27, networking may not
be available which will cause the upgrade to fail. Despite this
the IPA service can be subsequently restarted running new code
with old data.
This patch relies on the existing version-check cdoe to determine
when/if an upgrade is required and will do so during an ipactl
start or restart.
The upgrade is now run implicitly in the spec file and will
cause the server to be stopped after the package is installed
if the upgrade fails.
Fixes: https://pagure.io/freeipa/issue/6968
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Currently we do not report what Subject DN or subject base will be
used for the CA installation. This leads to situations where the
administrator wants a different Subject DN later. Display these
data as part of the "summary" prior to the final go/no-go prompt in
ipa-server-install and ipa-ca-install.
The go/no-go prompt in ipa-ca-install is new. It is suppressed for
unattended installations.
Fixes: https://pagure.io/freeipa/issue/7246
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Quite often users choose wrong type of trust on Active Directory side
when setting up a trust to freeIPA. The trust type supported by freeIPA
is just a normal forest trust to another Active Directory. However,
some people follow old internet recipes that force using a trust to MIT
Kerberos realm.
This is a wrong type of trust. Unfortunately, when someone used MIT
Kerberos realm trust, there is no way to programmatically remote the
trust from freeIPA side. As result, we have to detect such situation and
report an error.
To do proper reporting, we need reuse some constants and trust type
names we use in IPA CLI/Web UI. These common components were moved to
a separate ipaserver/dcerpc_common.py module that is imported by both
ipaserver/plugins/trust.py and ipaserver/dcerpc.py.
Fixes https://pagure.io/freeipa/issue/7264
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Keys are removed from disk and LDAP
https://pagure.io/freeipa/issue/7253
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add the correct procedure for re-running ipa trust-add with a different
range type.
Fixes:
https://pagure.io/freeipa/issue/7308
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Replace python3-pyldap with python3-ldap.
Remove some old code for compatibility with very old python-ldap.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In structured mode, dict size is modified by del record[attr].
https://pagure.io/freeipa/issue/7275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
When ipa-replica-install is called in a CA-less environment, the certs,
keys and pins need to be provided with --{http|dirsrv|pkinit}-cert-file and
--{http|dirsrv|pkinit}-pin. If the pin is not provided in the CLI options,
and in interactive mode, the installer prompts for the PIN.
The issue happens when the keys are not protected by any PIN, the installer
does not accept an empty string and keeps on asking for a PIN.
The fix makes sure that the installer accepts an empty PIN. A similar fix
was done for ipa-server-install in
https://pagure.io/freeipa/c/4ee426a68ec60370eee6f5aec917ecce444840c7
Fixes:
https://pagure.io/freeipa/issue/7274
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When definining a topology of a forest to be visible over a cross-forest
trust, we set *.<forest name> as all-catch top level name already.
This means that all DNS subdomains of the forest will already be matched
by this top level name (TLN). If we add more TLNs for subdomains, Active
Directory will respond with NT_STATUS_INVALID_PARAMETER.
Filter out all subdomains of the forest root domain. All other realm
domains will be added with explicit TLN records.
Also filter out single label domains. These aren't possible to add as
TLNs to Windows Server 2016 as it considers them incorrect. Given that
we do not allow single lable domains as part of freeIPA installs, this
is another layer of protection here.
Fixes https://pagure.io/freeipa/issue/6666
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Prepare CertDB and NSSDatabase to support sqlite DB format. NSSDatabase
will automatically detect and use either old DBM or new SQL format. Old
databases are not migrated yet.
https://pagure.io/freeipa/issue/7049
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
/etc/pki/pki-tomcat/password.conf contains additional passwords like
replicadb. ipa-custodia does not need these passwords.
/etc/pki/pki-tomcat/alias/pwdfile.txt holds the passphrase for Tomcat's
NSSDB. The file also simplifies implementation because it removes
another temporary file.
pwdfile.txt is created by CAInstance.create_certstore_passwdfile()
Related: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
https://pagure.io/freeipa/issue/7247
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When some users are setting the umask to 0027 due to security
policies ipa-restore will result not working dirsrv.
So a fix is to temporary set umask to 0022 while ipa-restore is
running.
https://pagure.io/freeipa/issue/6844
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Change eb6d4c3037 deferred the
detailed lookup until all certs were collected but introduced
a bug where the ra backend was always retrieved. This generated a
backtrace in a CA-less install because there is no ra backend in
the CA-less case.
The deferral also removes the certificate value from the LDAP
search output resulting in only the serial number being displayed
unless --all is provided. Add a new class variable,
self.ca_enabled, to add an exception for the CA-less case.
Fixes https://pagure.io/freeipa/issue/7202
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Changing the --forwarder option to accept a loopback IP.
Previously, an error would be raised, now we just show a
warning message.
Fixes: https://pagure.io/freeipa/issue/5801
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Adds validation to prevent user to install ipa with single label
domain.
https://pagure.io/freeipa/issue/7207
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
In order to stop tracking LDAP server cert, ipa-restore is using
dse.ldif to find the certificate name. But when ipa-server-install
--uninstall has been called, the file does not exist, leading to a
IOError exception (regression introduced by 87540fe).
The ipa-restore code properly catches the exception in python3 because
IOError is a subclass of OSError, but in python2 this is not the case.
The fix catches IOError and OSError to work properly with both version.
Fixes:
https://pagure.io/freeipa/issue/7231
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
RADIUS, which is also internally used in the process of OTP
authentication by ipa-otpd, requires MD5 checksums which
makes it impossible to be used in FIPS mode. Don't allow users
setting OTP or RADIUS authentication if in FIPS mode.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Adding notice for user to restart services after
ipa-server-certinstall.
https://pagure.io/freeipa/issue/7016
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The caJarSigningCert profile was used for issuing the object signing
certificate for signing the Firefox auto-configuration extension
(XPI). We removed the extension and object signing certificate some
time ago, so remove the profile and the related code that sets it
up.
Fixes: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The CertDB.issue_signing_cert method was used to issue the object
signing cert for signing the Firefox auto-configuration extension
(XPI). We removed the extension and certificate some time ago, and
the method is now unused so remove it.
Part of: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixed ipa-restore code to get rid of bytes related TypeError and
to get ipa-restore work again.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Before applying replica-s3u2proxy.ldif, we check
if the values are already there. The values can be
there if a replica installation was done in the past
and some info was left behind. Also, the code checks
the values independently.
https://pagure.io/freeipa/issue/7174
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Previously, CSRs were handled as a Str parameter which brought
trouble to Python 3 because of its more strict type requirements.
We introduce a CertificateSigningRequest parameter which allows to
use python-cryptography x509.CertificateSigningRequest to represent
CSRs in the framework.
https://pagure.io/freeipa/issue/7131
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.
The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Initial replica creation can go with ignoring time skew checks.
We should, however, force time skew checks during normal operation.
Fixes https://pagure.io/freeipa/issue/7211
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When running on memory-constrained systems, the `ipa-server-install`
program often fails during the "Configuring certificate server
(pki-tomcatd)" stage in FreeIPA 4.5 and 4.6.
The memory-intensive dogtag service causes swapping on low-memory
systems right after start-up, and especially new certificate
operations requested via certmonger can exceed the dbus client default
25 second timeout.
This patch changes dbus client timeouts for some such operations to
120 seconds (from the default 25 seconds, IIRC).
See more discussion in FreeIPA PR #1078 [1] and FreeIPA container
issue #157 [2]. Upstream ticket at [3].
[1]: https://github.com/freeipa/freeipa/pull/1078
[2]: https://github.com/freeipa/freeipa-container/issues/157
[3]: https://pagure.io/freeipa/issue/7213
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
User would like to see CA installation command in KRA installation
warning message.
This makes warning message similar to other installer messages where it
does suggests a command to run.
https://pagure.io/freeipa/issue/6952
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
Previously IPA would set the LimitNOFILE value to 8192 to increase
the number of concurrent clients. 389-ds-base does this by default
as of 1.3.7.0.
Remove the IPA-specific tuning and rely on the out-of-the-box
389-ds-base tuning.
Bump the required version of 389-ds-base to 1.3.7.0.
Any other tuning added by 389-ds-base will result in a
dirsrv.systemd.rpmsave file which admins will need to merge
in manually, like typical .rpmsave config changes.
https://pagure.io/freeipa/issue/6994
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Now, the criteria option is working for both commands
and the commands are able to handle with wrong input values.
https://pagure.io/freeipa/issue/7134
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
If LDAP or HTTP Server Cert are not issued by ipa ca, they are not tracked.
In this case, it is not necessary to add them to the tracking requests list.
https://pagure.io/freeipa/issue/7151
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa-server-upgrade needs to configure certmonger with the right options
in order to track PKI, HTTP and LDAP certs (for instance the RA agent cert
location has changed from older releases).
The upgrade code looks for existing tracking requests with the expected
options by using criteria (location of the NSSDB, nickname, CA helper...)
If a tracking request is not found, it means that it is either using wrong
options or not configured. In this case, the upgrade stop tracking
all the certs, reconfigures the helpers, starts tracking the certs so that
the config is up-to-date.
The issue is that the criteria is using the keyword 'ca' instead of
'ca-name' and this leads to upgrade believing that the config needs to be
updated in all the cases.
https://pagure.io/freeipa/issue/7151
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The message about an error during replica setup was causing the
users to think the installation gone wrong even though this was
an expected behavior when ipa-replica-install was ran without
--no-pkinit flag and CA somehow is not reachable which defines
that there is something wrong in a topology but does not lead
to failure of the replica's installation. So now installation
will not print error messages to stdout but rather will give a
recomendation to user and write the old error message to log
as a warning so it still will be easy to find if needed.
https://pagure.io/freeipa/issue/7179
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This is causing python2 tests print ugly warnings about the
deprecation of the `message` attribute in python2.6.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
If the # of group memberships exceeded the search size limit
then SizeLimitExceeded was raised. Being in too many groups
should not cause a *_show to fail.
https://pagure.io/freeipa/issue/7112
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
For an externally-signed CA, if an earlier run of ipa-cacert-manage
was interrupted, the CA name in the IPA CA tracking request may have
been left as "dogtag-ipa-ca-renew-agent-reuse" (it gets reverted to
"dogtag-ipa-ca-renew-agent" at the end of the CSR generation
procedure). `ipa-cacert-manage renew` currently only looks for a
tracking request with the "dogtag-ipa-ca-renew-agent" CA, so in this
scenario the program fails with message "CA certificate is not
tracked by certmonger".
To handle this scenario, if the IPA CA tracking request is not
found, try once again but with the "dogtag-ipa-ca-renew-agent-renew"
CA name.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Update ipa-cacert-manage to support the MS V2 certificate template
extension.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Allow the MS/AD-CS target certificate template to be specified by
name or OID, via the new option --external-ca-profile.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Firefox extension which served for configuring Kerberos auth in Firefox
until version which banned self-signed extensions was removed in commit
6c53765ac1.
Given that configure.jar, even older Firefox config tool, was removed
sometime before that, there is no use for signtool tool. It is good
because it is removed from Fedora 27 anyway. So removing last unused
function which calls it.
The removal of FF extension was not exactly clean so removing also
browserconfig.html which only purpose was to use the extension. Therefore
also related JS files are removed. This removal requires unauthorized.html
to be updated so that it doesn't point to non-existing page. And given that
it now points only to single config page, we can change link in UI login page
to this page (ssbrowser.html). While at it, improving buttons in ssbrowser.html.
Btw, commit 6c53765ac1 removed also generation of
krb.js. It had one perk - with that info ssbrowser.html could display real
Kerberos domain instead of only 'example.com'. I don't have time to revert this
change so removing traces of krb.js as well.
https://pagure.io/freeipa/issue/7135
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
In cases when IPA is installed in two steps (external CA), it's
necessary to check (in the second step) if Dir. Server is
running before continue with the installation. If it's not,
start Directory Server.
https://pagure.io/freeipa/issue/6611
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
- Add check for IPv6 stack to upgrade process
- Change IPv6 checker to also check that localhost resolves to ::1
Part of fixes https://pagure.io/freeipa/issue/7083
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
ipa-server-upgrade fails with Server-Cert not found, when trying to
track httpd/ldap server certificates. There are 2 issues in the upgrade:
- the certificates should be tracked only if they were issued by IPA CA
(it is possible to have CA configured but 3rd part certs)
- the certificate nickname can be different from Server-Cert
The fix provides methods to find the server crt nickname for http and ldap,
and a method to check if the server certs are issued by IPA and need to be
tracked by certmonger.
https://pagure.io/freeipa/issue/7141
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The goal is to avoid using HTTP where possible and use TLS everywhere.
This provides not only privacy protection but also integrity protection.
We should consider any network except localhost as untrusted.
Switch from using urllib.request to dogtag.https_request.
https://pagure.io/freeipa/issue/7027
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
