Commit Graph

412 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
91334b271a ipa-client-samba uninstall: remove tdb files
ipa-client-samba uninstaller must remove samba *.tdb files
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
The current code calls rm on the relative path filename
instead of building an absolute path filename,
resulting in failure to remove the tdb files.

Fixes: https://pagure.io/freeipa/issue/8687
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-10-21 18:58:16 +02:00
Rob Crittenden
47fbe05f7f Improve sudooption docs, make the option multi-value
I don't know why this wasn't always multi-value but if one wanted
to set multiple options they needed to call add-option multiple
times. The LDAP attribute is already multi-value.

This shouldn't cause API issues as it understood the attribute as
multi-value just didn't expose it. Client output on the CLI will
look a bit different:

Added option "('one', 'two')" to Sudo Rule "test"

or

Added option "(u'one', u'Two')" to Sudo Rule "test"

instead of with this change:

Added option "one,two" to Sudo Rule "test"

Removing an option works in a similar way.

The value is normalized on the client side in order to ensure that
the option value is always a tuple.

https://pagure.io/freeipa/issue/2278

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-10-08 10:47:58 +02:00
Rob Crittenden
3568a3d1e7 Provide more information in ipa-certupdate on ccache failure
ipa-certupdate obtains host credentials to operate. If this
fails with a ccache error this can be confusing if the user
executing it already has admin credentails.

Include the principal being retrieved and the keytab being
used.

This basically intercepts the exception to log additional
information and lets the exception be handled at a higher
level.

https://pagure.io/freeipa/issue/8257

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-08-02 15:31:24 -04:00
Rob Crittenden
3e9bb606b4 Display all orphaned keys in automountlocation-tofiles
Only the first key was being displayed for any orphaned map.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-07-26 11:07:57 -04:00
François Cami
2e31e8479a ipa-client-install: update sssd.conf if nsupdate requires -g
If dynamic DNS updates are selected, sssd will use GSS-TSIG
by default for nsupdate.
When ipa-client-install notices that plain nsupdate is required,
switch sssd to use no authentication for dynamic updates too.

Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-28 11:41:07 +03:00
François Cami
20c7bd5eba ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)
ipa-client-install invokes nsupdate with GSS-TSIG at client
enrollment time. If that fails, no retry is done.
Change that behavior to try again without GSS-TSIG.

Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-28 11:41:07 +03:00
François Cami
72f44b5596 ipa-client-install: remove fsync in do_nsupdate()
No need to flush buffers on the nsupdate file as it will get
removed at the end of the function.

Related: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-28 11:41:07 +03:00
MIZUTA Takeshi
e357153e57 Fix the option to match in the ipa-client-automount usage and man-page
The command usage and man-page options may not match.
In ipa-client-automount, fix to match usage and man-page.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-05-18 15:02:59 +02:00
MIZUTA Takeshi
6ed80ee182 Add -d option to match in the ipa-client-samba usage and man-page
The ipa-client-samba man-page describes the -d option, but the -d option cannot actually be used.
Fix ipa-client-samba to enable the -d option.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-18 15:01:36 +02:00
Florence Blanc-Renaud
ec8d72cf7c client install: do not capture sudo -V stdout
ipa-client-install is checking if the sudo command is available
by calling 'sudo -V'. The call is currently using subprocess.popen
which redirects the output to the default stdout.
Use ipautil.run instead of subprocess.popen as this does not
capture stdout (the command output is just logged in the debug file).

Fixes: https://pagure.io/freeipa/issue/8767
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-04-15 15:41:39 +02:00
François Cami
abaa614a3c ipa-client-install: output a warning if sudo is not present (2)
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2021-03-16 08:44:03 -04:00
Florence Blanc-Renaud
178dec8fc3 pylint: fix inconsistent-return-statements
pylint 2.7.0 now emits inconsistent-return-statements if one of
try/except statement is not returning explicitly while the other do.

Fixes: https://pagure.io/freeipa/issue/8720
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-22 16:18:11 -05:00
Rob Crittenden
ab13cf52f2 Remove a remaining file used with csrgen
This file was missed in the first pass to remove support for
csrgen.

This was never feature complete and currently has issues and
we lack the resources to maintain it.

Drop it for now. It can be revived from git history in the
future if we see the need.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-02-18 16:43:04 +01:00
François Cami
a912bbbe0e ipa-client-install: output a warning if sudo is not present
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2021-02-04 14:28:45 +01:00
Alexander Bokovoy
3231c6fc79 client: synchronize ignored return codes with ipa-rmkeytab
Refactoring ipa-rmkeytab with commit
f3f9672d52 led to new error code 7 when
MIT Kerberos fails to iterate through the keys. It appears now in places
where in past error code 3 was returned.

Related: https://pagure.io/freeipa/issue/8658
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-03 14:21:31 -05:00
Rob Crittenden
767232b478 Remove support for csrgen
This was never feature complete and currently has issues and
we lack the resources to maintain it.

Drop it for now. It can be revived from git history in the
future if we see the need.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-21 13:51:45 +01:00
Rob Crittenden
6518a600b4 Change FreeIPA references to IPA and Identity Management
In order to simplify the build process between upstream FreeIPA
and downstream builds (such as CentOS Stream) we are changing
some file references from FreeIPA to IPA (and Identity Management).

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-21 13:51:45 +01:00
Rob Crittenden
53f4fd9126 Don't change the CA profile when modifying request in ipa_certupdate
The CA tracking request is modified (it calls renew but it doesn't
actually do a renewal) as part of ipa-certupdate and it dropped
the profile. ipa-healthcheck discovered this condition.

https://pagure.io/freeipa/issue/8644

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-01-07 14:01:26 +01:00
François Cami
e7827a6f0c ipa-client-install: unilaterally set dns_lookup_kdc to True
Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.

Setting dns_lookup_kdc to False would result in a hardcoded
configuration which is less reliable in the long run.
For instance, adding a trust to an Active Directory forest
after clients are enrolled would result in clients not being
able to authenticate AD users. Recycling FreeIPA servers
could prove problematic if the original hostnames are not
reused too.

Change summary:
Always set dns_lookup_kdc to True on client enrollment.
With this change, DNS SRV search will always be performed
before looking into  /etc/krb5.conf realm entries.

Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-18 13:35:06 +02:00
Rob Crittenden
15b30e15a4 Create IPA ssh client configuration and move ProxyCommand
The ProxyCommand is non-executable if the user does not have
a valid shell (like /sbin/nologin) so skip it in that case.

https://pagure.io/freeipa/issue/7676

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-23 09:04:27 +01:00
Rob Crittenden
d9b259dd58 Use host keytab to obtain credentials needed for ipa-certupdate
This command doesn't require any permissions that a host doesn't
already have and it simplifies overall credential handling.

It also corrects the case where the server API cache is out of
date and there are no credentials available to refresh it which
can lead to a confusing error message.

Also switch to MEMORY-based ccache rather than file to avoid
having to clean up the filesystem.

https://pagure.io/freeipa/issue/8531

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-11-18 16:27:12 +02:00
Stanislav Levin
17f430efc4 EPN: Allow authentication by SMTP client's certificate
SMTP server may ask or require client's certificate for verification.
To support this the underlying Python's functionality is used [0].

Added 3 new options(corresponds to `load_cert_chain`):
- smtp_client_cert - the path to a single file in PEM format containing the
  certificate.
- smtp_client_key - the path to a file containing the private key in.
- smtp_client_key_pass - the password for decrypting the private key.

[0]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_cert_chain

Fixes: https://pagure.io/freeipa/issue/8580
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Stanislav Levin
32aa1540f0 EPN: Enable certificate validation and hostname checking
https://pagure.io/freeipa/issue/8579
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Stanislav Levin
94adee3c73 EPN: Don't downgrade security
If an administrator requests `smtp_security=starttls`, but SMTP
server disables STARTTLS, then EPN downgrade security to `none`,
which means plain text. Administrator doesn't expect such behavior.

Fixes: https://pagure.io/freeipa/issue/8578
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Christian Heimes
e28ec76898 Unify access to FQDN
FreeIPA's Python and C code used different approaches to get the FQDN of
the host. Some places assumed that gethostname() returns a FQDN. Other
code paths used glibc's resolver to resolve the current node name to a
FQDN.

Python code now uses the ipalib.constants.FQDN where a fully qualified
domain name is expected. The variable is initialized only once and avoids
potential DNS lookups.

C code uses a new helper function ipa_gethostfqdn() in util package. The
function implements similar logic as gethostfqdn() except it uses more
modern getaddrinfo(). The result is cached as well.

Fixes: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Christian Heimes
3ab3ed5ff2 Retry chronyc waitsync only once
It's unlikely that a third chrony synchronization attempt is going to
succeed after the the first two attempts have failed. Perform more
retries with smaller timeout.

This speed up installer by 11 seconds on systems without fully
configured chronyd or no chronyd (e.g. containers).

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-09-30 17:01:01 +02:00
Stanislav Levin
49e643783d dnspython: Add compatibility shim
`dnspython` 2.0.0 has many changes and several deprecations like:

```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.

> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```

The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
  system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
  to spend trying to get an answer to the question)

Fixes: https://pagure.io/freeipa/issue/8383
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
6e85872528 pylint: Fix warning W0612(unused-variable)
New warnings were found by new pylint (2.5.3).

Fixes: https://pagure.io/freeipa/issue/8468
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-23 09:16:18 +03:00
François Cami
97006786df IPA-EPN: enhance input validation
Enhance input validation:
* make sure --from-nbdays and --to-nbdays are integer
* make sure --from-nbdays < --to-nbdays

Fixes: https://pagure.io/freeipa/issue/8444
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-08-12 09:02:08 -04:00
François Cami
22cf65b09a IPA-EPN: Fix SMTP connection error handling
Enhance error message when SMTP is down.

Fixes: https://pagure.io/freeipa/issue/8445
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-08-10 09:02:59 -04:00
François Cami
5fc526b1af IPA-EPN: Use a helper to retrieve LDAP attributes from an entry
Allow for empty attributes.

Reviewed-By: Francois Cami <fcami@redhat.com>
2020-08-07 17:14:24 -04:00
Christian Heimes
999485909a Don't configure authselect in containers
freeipa-container images come with authselect pre-configured. There is
no need to configure, migrate, or restore authselect. The --mkhomedir
option is not supported, too.

Related: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-06 14:20:54 +02:00
Rob Crittenden
5e02713481 Don't use the has_files() to know if client/server is configured
Use the is_ipa_configure() and is_ipa_client_configured() utilities
instead which are much more robust.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-08-06 14:11:27 +02:00
Rob Crittenden
d7a4756dac Create a common place to retrieve facts about an IPA installation
This is common to both client and server. Start with whether the
client or server is configured.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-08-06 14:11:27 +02:00
Rob Crittenden
4758db121e Simplify determining if IPA client configuration is complete
When asking the quesiton "is my IPA client configured?" right now
we look at whether the installation backed up any files and
/etc/ipa/default.conf exists.

Instead set a new state, installation, to True as soon as the
client installation finishes.

Unlike the server there is no upgrade process for clients so this
isn't going to be all that useful for quite some time unless that
changes because upgrading an existing install won't set this
to True.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-08-06 14:11:27 +02:00
Christian Heimes
664007e031 Explicitly pass keytab to ipa-join
ipa-join defaults to /etc/krb5.keytab. Use ``-k paths.KRB5_KEYTAB`` to
write the keytab to /data share in containers.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-07-30 11:38:25 +02:00
Fraser Tweedale
53d472b490 certupdate: update config after deployment becomes CA-ful
When a deployment gets promoted from CA-less to CA-ful other
replicas still have enable_ra=False in default.conf, and do not have
the ra-agent key and certificate.  Enhance ipa-certupdate to detect
when the deployment has become CA-ful; retrieve the ra-agent
credential and update default.conf.

The rationale for adding this behaviour to ipa-certupdate is that it
is already necessary to use this command to update local trust
stores with the new CA certificate(s).  So by using ipa-certupdate
we avoid introducing additional steps for administrators.

It is necessary to choose a CA master to use as the ca_host.  We use
the first server returned by LDAP.  A better heuristic might be to
choose a master in the same location but this is just left as a
comment unless or until the need is proven.

Finally, defer the httpd service restart until after the possible
update of default.conf so that the IPA API executes with the new
configuration.

This change also addresses the case of a CA server being removed
from the topology, i.e. ipa-certupdate detects when non-CA replicas
are pointing at the removed server, and chooses a new ca_host.

HOW TO TEST:

1. Install a CA-less server (first server).

2. Install a CA-less replica.

3. Run 'ipa-ca-install' on first server, promoting deployment from
   CA-less to CA-ful.

4. Run 'ipa-certupdate' on second server.

5. Exceute 'ipa cert-show 5' on second server.  Should succeed,
   because ra-agent credential was retrieved and default.conf
   updated at step #4.

Fixes: https://pagure.io/freeipa/issue/7188
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-07-16 15:30:53 +10:00
Fraser Tweedale
e4462a9443 certupdate: only add LWCA tracking requests on CA servers
ipa-certupdate throws an exception when executed on a non-CA server
in a CA-ful deployment with lightweight sub-CAs (LWCAs).  Check that
we are on a CA server before attempting to create Certmonger
tracking requests for LWCAs.

HOW TO TEST

1. Install first server (with CA)
2. Install replica without CA
3. Create sub-CA (`ipa ca-add`)
4. Run `ipa-certupdate` on replica.  Observe that no stack trace is
   produced.

Fixes: https://pagure.io/freeipa/issue/8399
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-07-09 10:22:50 +10:00
Florence Blanc-Renaud
3cf9979aec ipa-client-install: use sshd drop-in configuration
sshd 8.2+ now supports the "Include" keyword in sshd_config and
ships by default /etc/ssh/sshd_config with
"Include /etc/ssh/sshd_config.d/*"

As fedora 32 provides a config file in that directory (05-redhat.conf) with
ChallengeResponseAuthentication no
that is conflicting with IPA client config, ipa-client-install now needs
to make its config changes in a drop-in file read before 05-redhat.conf
(the files are read in lexicographic order and the first setting wins).

There is no need to handle upgrades from sshd < 8.2: if openssh-server
detects a customisation in /etc/ssh/sshd_config, it will not update
the file but create /etc/ssh/sshd_config.rpmnew and ask the admin
to manually handle the config upgrade.

Fixes: https://pagure.io/freeipa/issue/8304
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-23 11:11:46 +02:00
Rob Crittenden
ba7974bfd1 IPA-EPN: Don't treat givenname differently
This was returning givenname as a list and not as a single
string which messed up the templating.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-10 11:22:58 -04:00
Rob Crittenden
3b266d3957 IPA-EPN: add smtp_delay to limit the velocity of e-mails sent
Provide a knob so the mail queue doesn't get completely flooded
with new e-mails.

Default to no wait, value in milliseconds.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-10 11:22:58 -04:00
Rob Crittenden
a2728c758e IPA-EPN: Add mail-test option for testing sending live email
To make testing easier for administrators the --mail-test option
can be used to send live e-mail from ipa-epn. It sends mail
to the smtp_admin user processing the template with dummy data.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-10 11:22:58 -04:00
Rob Crittenden
c3cbaed9fd IPA-EPN: Fixes to starttls mode, convert some log errors to exceptions
Tested security mode with none, starttls and ssl security.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-10 11:22:58 -04:00
Rob Crittenden
03caa7f965 Add a jinja2 e-mail template for EPN
Add options for character set (default utf8) and message
subtype (default plain). This will allow for more control
for users to do either HTML mail or use ascii for the character
set so the attachment is not base64-encoded to make it easier
for all mail clients.

Collect first and last name as well for each user in order to
provide more options for the template engine.

Make the From address configurable, defaulting to noreply@ipa_domain
Make Subject configurable too.

Don't rely on the MTA to set Message-Id: set it using the email
module.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-09 08:43:45 +02:00
François Cami
b8886c3e97 IPA-EPN: First version.
EPN stands for Expiring Password Notification. It is a standalone
tool designed to build a list of users whose password would expire
in the near future, and either display the list in a machine-readable
format, or send email notifications to these users.

EPN provides command-line options to display the list of affected users.
This provides data introspection and helps understand how many emails
would be sent for a given day, or a given date range.
The command-line options can also be used by a monitoring system to alert
whenever a number of emails over the SMTP quota would be sent.

EPN is meant to be launched once a day from an IPA client (preferred)
or replica from a systemd timer.

EPN does not keep state. The list of affected users is built at runtime
but never kept.

TLS/STARTTLS SMTP code is untested and unlikely to work as-is.

Parts of code contributed by Rob Crittenden.
Ideas and feedback contributed by Christian Heimes and Michal Polovka.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: François Cami <fcami@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-09 08:43:45 +02:00
Christian Heimes
9941c9ee95 Address issues found by new pylint 2.5.0
* fix multiple exception-escape
* fix function signatures of DsInstance start/stop/restart
* silence f-string-without-interpolation
* fix too-many-function-args in host plugin

Fixes: https://pagure.io/freeipa/issue/8297
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-04-30 09:41:41 +02:00
Julian Gethmann
273ff2708c Fix typo in idrange.py docstring
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-14 09:48:50 +02:00
François Cami
e1b6e3ba9b ipa-client-automount: call save_domain() for each change
Call sssdconfig.save_domain(domain) after each configuration
change during ipa-client-automount --uninstall.

Previously, sssdconfig.save_domain(domain) was called only
outside of the domain detection loop which changed the domain
configuration. This introduced issues as this method's behavior
is only consistent when configuration items are removed in a
certain order: https://pagure.io/SSSD/sssd/issue/4149
Plus, it is more correct to save the configuration from within
the loop if ever we support multiple domains.

Fixes: https://pagure.io/freeipa/issue/8190
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-14 09:33:43 +02:00
Rob Crittenden
6cb4f4bd50 ipa-certupdate removes all CA certs from db before adding new ones
This will allow for CA certificates to be dropped from the list
of certificates. It also allows for the trust flags to be
updated when an existing cert is dropped and re-added.

https://pagure.io/freeipa/issue/8124

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-28 13:05:31 -05:00
Alexander Bokovoy
3d402b69eb ipa-client-samba: map domain sid of trust domain properly for display
Trusted domain object in LDAP uses ipaNTTrustedDomainSID attribute to
store SID of the trusted domain while IPA domain itself uses
ipaNTSecurityIdentifier. When mapping the values for printing out a
summary table, use the right mapping according to the object.

Fixes: https://pagure.io/freeipa/issue/8149
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-12-13 17:33:33 +02:00