Commit Graph

3184 Commits

Author SHA1 Message Date
Fraser Tweedale
2d22f568a1 upgrade: log missing/misconfigured tracking requests
For better diagnostics during upgrade, log the Certmonger tracking
requests that were not found (either because they do not exist, or
do not have the expected configuration).

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
482866e47e upgrade: update KRA tracking requests
The upgrade routine checks tracking requests for CA system
certificates, IPA RA and HTTP/LDAP/KDC service certificates.  If a
tracking request matching our expectations is not found, we stop
tracking all certificates, then create new tracking requests with
the correct configuration.

But the KRA was left out.  Add checks for KRA certificates, and
remove/recreate KRA tracking requests when appropriate.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
4f4e2f96b0 upgrade: always add profile to tracking requests
The profile for every Dogtag system cert tracking request is now
explicitly specified.  So remove the code that handled unspecified
profiles.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
588f1ddce2 dogtaginstance: avoid special cases for Server-Cert
The Dogtag "Server-Cert cert-pki-ca" certificate is treated
specially, with its own track_servercert() method and other special
casing.  But there is no real need for this - the only (potential)
difference is the token name.  Account for the token name difference
with a lookup method and treat all Dogtag system certs equally
w.r.t. tracking request creation and removal.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
f6f6f83dca upgrade: add profile to Dogtag tracking requests
To use profile-based renewal (rather than "renewal existing cert"
renewal which is brittle against database corruption or deleted
certificate / request objects), Certmonger tracking requests for
Dogtag system certs must record the profile to be used.

Update the upgrade method that checks tracking requests to look for
the profile.  Tracking requests will be recreated if the expected
data are not found.  The code that actually adds the tracking
requests was updated in a previous commit.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
3c388f5a22 dogtaginstance: add profile to tracking requests
Enabling "fresh" renewals (c.f. "renewal"-based renewals that
reference the expired certificate and its associated request object)
will improve renewal robustness.

To use fresh renewals the tracking request must record the profile
to be used.  Make dogtaginstance record the profile when creating
tracking requests for both CA and KRA.

Note that 'Server-Cert cert-pki-ca' and the 'IPA RA' both use
profile 'caServerCert', which is the default (according to
dogtag-ipa-renew-agent which is part of Certmonger).  So we do not
need any special handling for those certificates.

This commit does not handle upgrade.  It will be handled in a
subsequent commit.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Rob Crittenden
e771fa59ff Remove posixAccount from service_find search filter
This will allow cifs principals to be found. They were suppressed
because they include objectclass=posixAccount.

This is a bit of a historical anomaly. This was included in the
filter from the initial commit (though it was person, not
posixAccount). I believe it was a mistake from the beginning but
it wasn't noticed because it didn't cause any obvious issues.

https://pagure.io/freeipa/issue/8013

Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-07-19 13:13:34 -04:00
Fraser Tweedale
7171142aaf Fix use of incorrect variable
Part of: https://pagure.io/freeipa/issue/7548
Related: https://pagure.io/freeipa/issue/5608
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-17 17:58:58 +03:00
Fraser Tweedale
130e1dc343 move MSCSTemplate classes to ipalib
As we expand the integration tests for external CA functionality, it
is helpful (and avoids duplication) to use the MSCSTemplate*
classes.  These currently live in ipaserver.install.cainstance, but
ipatests is no longer permitted to import from ipaserver (see commit
81714976e5e13131654c78eb734746a20237c933).  So move these classes to
ipalib.

Part of: https://pagure.io/freeipa/issue/7548

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-17 17:58:58 +03:00
Alexander Bokovoy
41ca4d484e certmap rules: altSecurityIdentities should only be used for trusted domains
IPA LDAP has no altSecurityIdentities in use, it only should apply to
identities in trusted Active Directory domains.

Add checks to enforce proper certmap rule attribution for specific
Active Directory domains.

Related: https://pagure.io/freeipa/issue/7932
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-17 17:50:07 +03:00
Florence Blanc-Renaud
ef39e1b02a upgrade: remove ipaCert and key from /etc/httpd/alias
With ipa 4.5+, the RA cert is stored in files in
/var/lib/ipa/ra-agent.{key|pem}. The upgrade code handles
the move from /etc/httpd/alias to the files but does not remove
the private key from /etc/httpd/alias.

The fix calls certutil -F -n ipaCert to remove cert and key,
instead of -D -n ipaCert which removes only the cert.

Fixes: https://pagure.io/freeipa/issue/7329
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-07-15 17:08:21 +03:00
Stanislav Levin
ac1ea0ec67 Fix test_webui.test_selinuxusermap
A previous refactoring of SELinux tests has have a wrong
assumption about the user field separator within
ipaSELinuxUserMapOrder. That was '$$', but should be just '$'.

Actually, '.ldif' and '.update' files are passed through
Python template string substitution:

> $$ is an escape; it is replaced with a single $.
> $identifier names a substitution placeholder matching
> a mapping key of "identifier"

This means that the text to be substituted on should not be escaped.
The wrong ipaSELinuxUserMapOrder previously set will be replaced on
upgrade.

Fixes: https://pagure.io/freeipa/issue/7996
Fixes: https://pagure.io/freeipa/issue/8005
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-15 14:41:23 +03:00
Rob Crittenden
a43100badc Don't configure disabled krb5 enctypes in FIPS mode
The only permitted ciphers are the AES family (called aes, which
is the combination of: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and
aes128-cts-hmac-sha256-128).

DES, RC4, and Camellia are not permitted in FIPS mode.  While 3DES
is permitted, the KDF used for it in krb5 is not, and Microsoft
doesn't implement 3DES anyway.

This is only applied on new installations because we don't
allow converting a non-FIPS install into a FIPS one.

Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-07-02 10:35:00 +03:00
Rob Crittenden
c484d79ecf For Fedora and RHEL use system-wide crypto policy for mod_ssl
Drop the SSLProtocol directive for Fedora and RHEL systems. mod_ssl
will use crypto policies for the set of protocols.

For Debian systems configure a similar set of protocols for what
was previously configured, but do it in a different way. Rather than
iterating the allowed protocols just include the ones not allowed.

Fixes: https://pagure.io/freeipa/issue/7667

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-01 14:55:29 +02:00
Stanislav Levin
b2acd65013 Make use of single configuration point for SELinux
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.

This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER

and applies corresponding changes to the test code.

Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-07-01 14:44:57 +03:00
Tibor Dudlák
c18ee9b641
Add SMB attributes for users
SMB attributes are used by Samba domain controller when reporting
details about IPA users via LSA DCE RPC calls.

Based on the initial work from the external plugin:
https://github.com/abbra/freeipa-user-trust-attributes

Related: https://pagure.io/freeipa/issue/3999

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Tibor Dudlák <tdudlak@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-07-01 13:21:21 +02:00
Tibor Dudlák
339771b0d8
Remove unreachable code
Removing same elsif from install_check method.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-07-01 13:21:21 +02:00
Alexander Bokovoy
814592cf22 ipa-client-samba: a tool to configure Samba domain member on IPA client
Introduces new utility to configure Samba on an IPA domain member.

The tool sets up Samba configuration and internal databases, creates
cifs/... Kerberos service and makes sure that a keytab for this service
contains the key with the same randomly generated password that is set
in the internal Samba databases.

Samba configuration is created by querying an IPA master about details
of trust to Active Directory configuration. All known identity ranges
added to the configuration to allow Samba to properly handle them
(read-only) via idmap_sss.

Resulting configuration allows connection with both NTLMSSP and Kerberos
authentication for IPA users. Access controls for the shared content
should be set by utilizing POSIX ACLs on the file system under a
specific share.

The utility is packaged as freeipa-client-samba package to allow pulling
in all required dependencies for Samba and cifs.ko (smb3.ko) kernel
module. This allows an IPA client to become both an SMB server and an
SMB client.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-29 11:00:28 +03:00
Alexander Bokovoy
afb8305ada ipaserver.plugins.service: add service-add-smb to set up an SMB service
SMB service has a number of predefined properties that must be set at a
creation time. Thus, we provide a special command that handles all the
needed changes. In addition, since SMB principal name is predefined, it
is generated automatically based on the machine hostname.

Since we generate the service's object primary key, its argument/option
should be removed from the list of the command's arguments and options.
We also remove those options that make no sense in the context of SMB
service.

Most controversial would probably be a lack of the authentication
indicator that could be associated with the service.  However, this is
intended: SMB service on the domain member is used by both humans and
other SMB services in the domain. Thus, it is not possible to require a
specific authentication indicator to be present: automated acquisition
of the credentials by a domain controller or other domain member machine
accounts is based on a single factor creds and cannot be changed.

Access to SMB service should be regulated on the SMB protocol level,
with access controls in share ACLs.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-29 11:00:28 +03:00
Alexander Bokovoy
d631e008cc adtrust: update Samba domain controller keytab with host keys
When DCERPC clients use Kerberos authentication, they use a service
ticket to host/domain.controller because in Active Directory any
service on the host is an alias to the machine account object.

In FreeIPA each Kerberos service has own keys so host/.. and cifs/..
do not share the same keys. It means Samba suite needs to have access to
host/.. keytab entries to validate incoming DCERPC requests.

Unfortunately, MIT Kerberos has no means to operate on multiple keytabs
at the same time and Samba doesn't implement this either. We cannot use
GSS-Proxy as well because Samba daemons are running under root.

As a workaround, copy missing aes256 and aes128 keys from the host
keytab. SMB protocol doesn't use other encryption types and we don't
have rc4-hmac for the host either.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-29 11:00:28 +03:00
Alexander Bokovoy
cdb94e0ff2 ipaserver.install.installutils: move commonly used utils to ipapython.ipautil
When creating ipa-client-samba tool, few common routines from the server
installer code became useful for the client code as well.

Move them to ipapython.ipautil and update references as well.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-29 11:00:28 +03:00
Alexander Bokovoy
6c9fcccfbc trust-fetch-domains: make sure we use right KDC when --server is specified
Since we are authenticating against AD DC before talking to it (by using
trusted domain object's credentials), we need to override krb5.conf
configuration in case --server option is specified.

The context is a helper which is launched out of process with the help
of oddjobd. The helper takes existing trusted domain object, uses its
credentials to authenticate and then runs LSA RPC calls against that
trusted domain's domain controller. Previous code directed Samba
bindings to use the correct domain controller. However, if a DC visible
to MIT Kerberos is not reachable, we would not be able to obtain TGT and
the whole process will fail.

trust_add.execute() was calling out to the D-Bus helper without passing
the options (e.g. --server) so there was no chance to get that option
visible by the oddjob helper.

Also we need to make errors in the oddjob helper more visible to
error_log. Thus, move error reporting for a normal communication up from
the exception catching.

Resolves: https://pagure.io/freeipa/issue/7895
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-06-28 13:30:59 +02:00
François Cami
b49c627aa6 ipa_client_automount.py and ipactl.py: fix codestyle
Updating ipa_client_automount.py and ipactl.py's codestyle is
mandatory to make pylint pass as these are considered new files.

Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-28 10:53:07 +02:00
François Cami
c0cf65c4f7 Move ipa-client-automount.in and ipactl into modules
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-28 10:53:07 +02:00
Alexander Bokovoy
7af4c7d472 adtrust upgrade: fix wrong primary principal name, part 2
Second part of the trust principals upgrade

For existing LOCAL-FLAT$@REMOTE object, convert it to
krbtgt/LOCAL-FLAT@REMOTE and add LOCAL-FLAT$@REMOTE as an alias. To do
so we need to modify an entry content a bit so it is better to remove
the old entry and create a new one instead of renaming.

Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-06-27 16:50:15 +03:00
Alexander Bokovoy
34bfffd1be adtrust upgrade: fix wrong primary principal name
Upgrade code had Kerberos principal names mixed up: instead of creating
krbtgt/LOCAL-FLAT@REMOTE and marking LOCAL-FLAT$@REMOTE as an alias to
it, it created LOCAL-FLAT$@REMOTE Kerberos principal and marked
krbtgt/LOCAL-FLAT@REMOTE as an alias.

This differs from what Active Directory expects and what is created by
ipasam plugin when trust is established. When upgrading such deployment,
an upgrade code then unexpectedly failed.

Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-26 10:50:45 +02:00
Florence Blanc-Renaud
e9c4dcdb85 stageuser-find: fix search with non-posix user
ipa stageuser-find fails to return a staged user if it does not
contain the posixaccount objectclass.
The code is replacing the search filter (objectclass=posixaccount)
with (|(objectclass=posixaccount)(objectclass=inetorgperson)) so it
should work in theory.
The issue is that on python2 the filter has been hexlified before
reaching the stageuser plugin, hence filter.replace does not recognize
the pattern (objectclass=posixaccount).
The fix consists in creating the filter with a call to
ldap.make_filter_from_attr()
that will hexlify too, if needed.

Fixes: https://pagure.io/freeipa/issue/7983
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-25 11:02:59 -04:00
Rob Crittenden
0184e967e5 Log the raised message when DNS check_zone_overlap fails
The check can fail for a lot of other reasons than there is
overlap so the error should be logged.

This causes confusion when --auto-reverse is requested and
some lookup fails causing the reverse to not be created.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-06-24 14:04:03 +02:00
Stanislav Levin
d86b57c057 Make use of the single configuration point for the default shells
For now all the default shells of users and admin are hardcoded in
different parts of the project. This makes it impossible to run the
test suite against the setup, which has the default shell differed
from '/bin/sh'.

The single configuration point for the shell of users and admin is
added to overcome this limitation.

Fixes: https://pagure.io/freeipa/issue/7978
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-19 11:39:51 +02:00
Christian Heimes
c027b9334b Fix CustodiaClient ccache handling
A CustodiaClient object has to the process environment a bit, e.g. set
up GSSAPI credentials. To reuse the credentials in libldap connections,
it is also necessary to set up a custom ccache store and to set the
environment variable KRBCCNAME temporarily.

Fixes: https://pagure.io/freeipa/issue/7964
Co-Authored-By: Fraser Tweedale <ftweedal@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-06-18 10:36:24 +10:00
Fraser Tweedale
854d3053e2 Handle missing LWCA certificate or chain
If lightweight CA key replication has not completed, requests for
the certificate or chain will return 404**.  This can occur in
normal operation, and should be a temporary condition.  Detect this
case and handle it by simply omitting the 'certificate' and/or
'certificate_out' fields in the response, and add a warning message
to the response.

Also update the client-side plugin that handles the
--certificate-out option.  Because the CLI will automatically print
the warning message, if the expected field is missing from the
response, just ignore it and continue processing.

** after the Dogtag NullPointerException gets fixed!

Part of: https://pagure.io/freeipa/issue/7964

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-06-18 10:36:24 +10:00
Rob Crittenden
f606d82024 Stop using 389-ds legacy backup and restoration utilities
Use dsctl instead, the modern replacement for ldif2db, db2ldif,
bak2db and db2bak.

https://pagure.io/freeipa/issue/7965

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-05 13:18:45 -04:00
Fraser Tweedale
f30f040dca avoid realm_to_serverid deprecation warning
ipaserver.installutils.realm_to_serverid was deprecated.  Use
ipapython.ipaldap.realm_to_serverid instead.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
162dce1c70 ipa-cert-fix: fix spurious renewal master change
We only want to become the renewal master if we actually renewed a
shared certificate.  But there is a bug in the logic; even if the
only Dogtag certificate to be renewed is the 'sslserver' (a
non-shared certificate), the renewal master will be reset.  Fix the
bug.

A static type system would have excluded this bug.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
582cc7da1d ipa-cert-fix: handle 'pki-server cert-fix' failure
When DS cert is expired, 'pki-server cert-fix' will fail at the
final step (restart).  When this case arises, ignore the
CalledProcessError and continue.

We can't know for sure if the error was due to failure of final
restart, or something going wrong earlier.  But if it was a more
serious failure, the next step (installing the renewed IPA-specific
certificates) will fail.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
e41b7457f3 ipa-cert-fix: use customary exit statuses
It is customary to return 2 when IPA is not configured, and 1 when
other required bits are not installed or configured.  Update
ipa-cert-fix exit statuses accordingly.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
09aa3d1f76 Add ipa-cert-fix tool
The ipa-cert-fix tool wraps `pki-server cert-fix`, performing
additional certificate requests for non-Dogtag IPA certificates and
performing additional actions.  In particular:

- Run cert-fix with arguments particular to the IPA deployment.

- Update IPA RA certificate in the ipara user entry (if renewed).

- Add shared certificates (if renewed) to the ca_renewal LDAP
  container for replication.

- Become the CA renewal master if shared certificates were renewed.
  This ensures other CA replicas, including the previous CA renewal
  master if not the current host, pick up those new certificates
  when Certmonger attempts to renew them.

Fixes: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
a3becc76dd constants: add ca_renewal container
Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
c28a42e27e cainstance: add function to determine ca_renewal nickname
The ipa-cert-fix program needs to know where to put shared
certificates.  Extract the logic that computes the nickname from
dogtag-ipa-ca-renew-agent to new subroutine
cainstance.get_ca_renewal_nickname().

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
a2a006c746 Extract ca_renewal cert update subroutine
When the CA renewal master renews certificates that are shared
across CA replicas, it puts them in LDAP for the other CA replicas
to see.  The code to create/update these entries lives in the
dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for
the ipa-cert-fix program too.  Extract it to a subroutine in the
cainstance module.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Alexander Bokovoy
ef67dece52 ldap2.can_read: fix py3 compatibility
As with commit b37d18288d, can_read() method does not need to decode
a string in Python 3. can_read() wasn't used anywhere in the code,
apparently.

Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Alexander Bokovoy
53a0fa9130 LDAPCreate: allow callers to override objectclasses
LDAPCreate class explicitly allows use of --setattr/--addattr options to
pass-in additional configuration or override some of the framework
decisions. However, changes to objectclasses are ignored.

We have a number of plugins where additional attributes and their values
are generated at creation time. For example, ipa-sidgen plugin generates
ipaNTSecurityIdentifier value on LDAP ADD operation when objectclasses
include a specific object class and some other attributes (uidNumber,
gidNumber) do present in the LDAP mods.

Allow to override object-specific LDAP objectclasses by the
--setattr/--addattr option values.

Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Thierry Bordaz
67490acb04 Switch nsslapd-unhashed-pw-switch to nolog
389-ds will change the default value of nsslapd-unhashed-pw-switch from 'on' to 'off'
For new or upgraded IPA instance, in case of winsync deployment the attribute is set
to 'on' and a warning is displayed.  Else the attribute is set to 'nolog'

https://pagure.io/freeipa/issue/4812

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-24 12:42:51 +02:00
Tibor Dudlák
e3f35843dc
Moving prompt for NTP options to install_check
In a interactive installation of freeipa server a promt asks for NTP related
options after install_check has been called. As it may cause confusion to users
moving to install_check methods where the prompt for other options is being done.
Refactored sync_time() method to use passed parameters ntp_servers and ntp_pool.

Resolves: https://pagure.io/freeipa/issue/7930
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
2019-05-22 18:20:22 +02:00
Florence Blanc-Renaud
9cd88587e4 CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA
Commit fa50068 introduced a regression. Previously, the
upgrade plugin upload_cacrt was setting the attribute
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN

After commit fa50068, the value is not set any more. As a
consequence, the LDAP entry is not identified as the CA and
CA renewal does not update the entry
cn=CAcert,cn=certificates,cn=ipa,cn=etc,BASEDN.

RHEL 6 client rely on this entry to retrieve the CA and
client install fails because cn=CAcert is out-of-date.

The fix makes sure that upload_cacrt plugin properly sets
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN

Fixed: https://pagure.io/freeipa/issue/7928
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-22 17:53:13 +02:00
Rob Crittenden
6662e99e17 Add knob to limit hostname length
On Linux systems the length limit for hostnames is hardcoded
at 64 in MAXHOSTNAMELEN

Solaris, for example, allows 255 characters, and DNS allows the
total length to be up to 255 (with each label < 64).

Add a knob to allow configuring the maximum hostname length (FQDN)

The same validators are used between hosts and DNS to apply
the knob only when dealing with a FQDN as a hostname.

The maxlen option is included so installers can limit the length
of allowed hostnames when the --hostname option is used.

https://pagure.io/freeipa/issue/2018

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-16 14:38:43 -04:00
Florence Blanc-Renaud
a425448914 Fix expected file permissions for ghost files
File permissions from the rpm freeipa-server-common and
freeipa-client-common do not match the runtime permissions. This results
in mode failures on rpm -Va.
Fix the expected file permissions on rpm spec file for
/var/lib/ipa/pki-ca/publish
/var/named/dyndb-ldap/ipa
/etc/ipa/pwdfile.txt
/etc/pki/ca-trust/source/ipa.p11-kit
(new format SQLite)
/etc/ipa/nssdb/cert9.db
/etc/ipa/nssdb/key4.db
/etc/ipa/pkcs11.txt
(old format DBM)
/etc/ipa/cert8.db
/etc/ipa/key3.db
/etc/ipa/secmod.db

The commit also fixes the file permissions for
/etc/httpd/conf.d/ipa-pki-proxy.conf (644)
during server installation, and the group ownership.

Fixes: https://pagure.io/freeipa/issue/7934
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-16 14:28:00 +02:00
Alexander Bokovoy
98b4c710d9 upgrade: adtrust - catch empty result when retrieving list of trusts
Upgrade failure when ipa-server-upgrade is being run on a system with no
trust established but trust configured

Fixes: https://pagure.io/freeipa/issue/7939
Reviewed-By: François Cami <fcami@redhat.com>
2019-05-11 21:15:37 +02:00
François Cami
5331510eab ipa_backup.py: replace /var/lib/ipa/backup with paths.IPA_BACKUP_DIR
/var/lib/ipa/backup is defined in ipaplatform.paths as paths.IPA_BACKUP_DIR
Remove all instances of /var/lib/ipa/backup/ in ipa_backup.py.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-07 09:08:40 +02:00
François Cami
e6415ec321 ipa-backup: better error message if ENOSPC
When the destination directory cannot store the complete backup
ipa-backup fails but does not explain why.
This commit adds error-checking to db2ldif(), db2bak() and
finalize_backup() and enhances the error message.

Fixes: https://pagure.io/freeipa/issue/7647
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Tibor Dudlák <tdudlak@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-05-07 09:00:42 +02:00