Commit Graph

15890 Commits

Author SHA1 Message Date
Rob Crittenden
31d66bac64 Validate the HSM token library path and name during installation
It would fail eventually with the output in the CA logs but it
wasn't always very obvious and you had to wait a while to find
out about a typo.

Scraping modutil output is a bit ugly but it is guaranteed
to be installed and this should work both with p11-kit and
without.

Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
6b894f28b5 After installing a KRA, copy the updated token to other machines
This can be eventually squashed into the main "test" patch but
keeping it separate to make it easier to see what has happened.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Mohammad Rizwan
36dbc6b025 ipatests: test software HSM installation with server & replica
Use SoftHSM2 to install an IPA CA to store the keys in an HSM.

Whenenver new keys are generated either in the initial install
or if a KRA is installed then the token needs to be synced
between all servers prior to installing a new CA or KRA.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
06a8791b9b tests: helper to copy files from one host to another
Simple function that takes a list of file names and copies
them from one host to another.

It isn't the most efficient but for a small number of files it
should be sufficient.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
b89aa91977 renew_ca_cert: set peer trust on the KRA audit certificate
The PKI audit certificates require that trusted peer (P) be
set on the certificate. This is done already for the CA audit
certificate. Also set this on the KRA audit certificate on
renewal.

https://pagure.io/freeipa/issue/9353

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
0708f603e2 renew_ca_cert: skip removing non-CA certs, fix nickname
This script deletes all CA certificates so a new chain
can be loaded. It identified CA certs by those that did
not have private keys. This change adds the  ca_flags test
in as well. It is probably sufficient on its own but it
is left for compatibility.

An HSM-based NSS database when not accessing it with the
token will not contain the private keys so removing all
certificates without a private key will remove certificates
that it shouldn't. The NSS softoken stores the certifcate
trust so the certificates will be visible but they lack
private keys because those reside in the HSM. Therefore
deleting any certificate without a private key removed
nearly everything.

Preserve the nickname 'caSigningCert cert-pki-ca'. The
certstore uses the nickame format '{REALM} IPA CA' and
will replace the PKI-named key if we don't act to
preserve it.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
d0c489e282 If HSM is configured add the token name to config-show output
A token can only be set in an HSM installation so this is implicit:
if a token exists then HSM is enabled, if not then it isn't.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
93622005ba Add token support to the renew_ca_cert certmonger helper
The certificates live on the token so need to be retrieved
from there with the token name. The certificates are visible
in NSS softoken but operations need to be done on the HSM
version. The right password is necessary so retrieve it from
the PKI password store.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
7ad3b489f6 Update SELinux policy to allow certmonger to PKI config files
Needed so the helper renew_ca_cert can read password.conf in order
to get the token password. These files are already readable with
FS permissions.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
a99091adc0 Add attribute ipacahsmconfiguration to the "Read CAs" ACI
This will allow the HSM stored configuration to be read.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
82c0b19acc Add HSM configuration options to installer scripts
The bulk of the installer effort to enable HSM support without
having to provide an override file.

This pulls the HSM configuration from a remote server when installing
a replica so that the token name and library don't need to be
passed with every installation.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
d9efa728c5 Add LDAP attribute ipaCaHSMConfiguration to store HSM state
This will be used so that when a replica is created it can
configure the HSM without relying on the user to pass in
the same token, library name, etc.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
f658a264f9 doc: Add token-password-file to HSM design, set new OID
Clarify when the user will be prompted interactively during
installation.

Set the OID for ipaCaHSMConfiguration.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
e3234708ac Don't move KRA keys when key backup is disabled
The KRA_BACKUP_KEYS_P12 file is not enabled when pki_backup_keys
is set to False. This is the case IPA is configured with HSM
support.

With an HSM you don't export private keys.

Related: https://pagure.io/freeipa/issue/7677
Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
73d52a6135 Only generate kracert.p12 when not installing with HSM
The private keys are not retrievable from an HSM by
design so don't try during KRA install.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
34f28f06db Add token support to installer certificate handling
Pass along the user-provided password file, if any, to the
underlying NSS database. This will provide for per-token
passwords.

If a token is in a nickname then break it out and pass it to
certutil separately.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
e6078c639c Don't generate a cafile on HSM instalations
We don't export the CA certificates on an HSM installation
because an HSM won't allow the private keys to leave the
HSM, by design.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
cba3094c9a Support the certmonger nss-user option
Some certificate operations need to be executed as a specific
user so that underlying files will have the correct ownership.
certmogner normally runs as root. The nss-user option defines
a user to switch to when saving NSS certifciates so if a
software token (e.g. SoftHSM) then the files created will be
owned by the token owner.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Florence Blanc-Renaud
bb8dd0bfcd Spec file: depend on nfs-utils or nfsv4-client-utils
The freeipa-client package currently requires nfs-utils.
The requirement can be relaxed and modified into nfs-utils or
nfsv4-client-utils.

Fixes: https://pagure.io/freeipa/issue/9586

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-05-07 14:33:04 +02:00
Pavel Březina
9e1e22d46b ipaserver: fix incorrect double negative in exception message
Signed-off-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-05-06 17:10:18 -04:00
Rafael Guterres Jeffman
6c6b9354b5 Replace netifaces with ifaddr
Python netifaces has been unmaintained and its main repository has been
archived since June, 2021.

Python ifaddr is an alternative to netifaces, is currently maintained,
and provides an API which requires little change for FreeIPA current
usage.

This patch modifies FreeIPA to rely on ifaddr instead of neitfaces, due
to its current maintainance status.

Fixes: https://pagure.io/freeipa/issue/9555

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-05-03 16:35:19 -04:00
Mark Reynolds
cce8dc4da8 Issue 9579 - Remove bash_completions_dir for RHEL
RHEL 9 does not support the bach_completions_dir macro, but it is still
needed for Fedora builds

Fixes: https://pagure.io/freeipa/issue/9579

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2024-04-30 14:26:55 -04:00
Mark Reynolds
f9f96ac4a8 Issue 9570 - migrate nsaccountlock
IPA migration tool, when retrieving a remote entry from the
source/remote server request the operational attribute 'nsaccountlock'

Fixes: https://pagure.io/freeipa/issue/9570

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2024-04-15 16:06:23 +02:00
Rob Crittenden
f78d25fc97 ipa-crlgen-manage: manage the cert status task execution time
ca.certStatusUpdateInterval manages how frequently to update
the certificate status in LDAP (expired, etc).

By default this is not set on the initial master and pkispawn sets
it to 0 on replicas. This can lead to no server running this
task and therefore the status attribute not reflecting the current
state.

On enabling CRL generation remove any value which will cause PKI
to use its default. On disabling set it to 0.

Only one server should run the update status task to prevent
unnecessary replication.

Fixes: https://pagure.io/freeipa/issue/9569

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-04-15 16:03:10 +02:00
Florence Blanc-Renaud
dda223668a webui test: Update message for admin disable
An admin can be disabled if he is not the last member of the
admins group. Update the expecrted error message.

Fixes: https://pagure.io/freeipa/issue/9574
Related: https://pagure.io/freeipa/issue/9489

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-04-12 15:59:04 +02:00
Alexander Bokovoy
d16c34997f internal: fix 'tokensfor' typo and regenerate pot file
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-04-10 09:30:53 +02:00
Rob Crittenden
6b0f6ff19e Allow the admin user to be disabled
A previous change made it not possible to remove the admin
user. This also included disabling the admin user. The user can
be disabled, just not deleted because it is required.

Move the test test_ipa_cacert_manage_prune to the end of the
class because it changes time which can break replication.

Fixes: https://pagure.io/freeipa/issue/9489

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-04-10 09:26:47 +02:00
Thomas Woerner
182dca38c2 principal_has_privilege: Check also idoverriseuser (ipaOriginalUid)
The current filter in principal_has_privilege is only working for normal
IPA users where krbprincipalname is matching the principal. An idoverride
user (for example from AD) is not found with this filter.

A new filter for the principal as an ipaOriginalUid has been added as a
second try if a match with krbprincipalname was not found.

principal_has_privilege is used in the replica connection check. The
additional check enables to deploy replicas using an AD user/administrator
that has been added to the "admins" group.

Fixes: https://pagure.io/freeipa/issue/9542

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-04-05 10:05:56 +02:00
Mark Reynolds
8084b94c17 Issue 9568 - Update IPA to IPA migration design doc
The usage for migrating DNS changed. It went from "--skip-dns",
to "--migrate-dns"

Fixes: https://pagure.io/freeipa/issue/9568

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-04-04 17:25:04 -04:00
Rob Crittenden
6294b93e14 ipatests: Ignore spacing in OpenSSL validation error message
The error message format changed between releases of OpenSSL.
The updated version has dropped spaces around equal signs
between RDN elements in the subject.

e.g. In 3.1.1 it reports O = EXAMPLE.TEST, CN = IPA RA
and in 3.2.1 reports O=EXAMPLE.TEST, CN=IPA RA

So ignore all spacing in the error message so it works on all
versions.

I saw this in openssl-3.1.1-4.fc39.x86_64 vs
openssl-3.2.1-3.fc41.x86_64

Fixes: https://pagure.io/freeipa/issue/9567

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-04-04 16:30:09 -04:00
Mark Reynolds
cbe1873591 IPA-to-IPA migration tool (beta)
Tool for migrating one remote IPA server to a local IPA server.
This should still be considered the beta version as it has not gone
through any QE yet

Fixes: https://pagure.io/freeipa/issue/3656

signed-off: Mark Reynolds (mreynolds@redhat.com)
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-04-04 15:49:42 -04:00
Stanislav Levin
1df2abbd5f ap: Migrate to docker compose V2
Azure Pipelines started to roll 20240401.4 Ubuntu image that doesn't
include docker-compose v1:

https://github.com/actions/runner-images/blob/ubuntu20/20240401.4/images/ubuntu/Ubuntu2004-Readme.md

See https://github.com/actions/runner-images/issues/9557

Compose V1 to V2 migration guide:

https://docs.docker.com/compose/migrate/

Fixes: https://pagure.io/freeipa/issue/9566
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-04-04 11:42:24 -04:00
Erik Belko
fc7c2cb624 xmlrpc tests: Create user with manager option set using user-add
Related: https://pagure.io/freeipa/issue/9515

Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2024-04-04 15:56:25 +01:00
Alexander Bokovoy
ca6604b58b Use raw strings for Python 3 compatibility in old API client code
Python 3 enforces checks on \ sequences in strings. Instead of copying
over the new mix of normal and raw strings from the server side, turn
those strings in the remote plugins to raw mode.

Fixes: https://pagure.io/freeipa/issue/9565

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-04-03 10:43:55 -04:00
Rob Crittenden
5d3c6b761b Return 2 when certificates are not found during requests
The ipa tool has nearly since epoch returned 2 for the case of
entry not found.

The certificate processing raises a separate error,
CertificateOperationsError, when something goes wrong.
This returns 1.

With the introduction of the JSON API most requests will get
a proper HTTP return code representing what went wrong. In this
case we can use 404 to determine if the request resulted in
a NotFound therefore can eventually return a 2 and be
consistent in return values.

Related: https://pagure.io/freeipa/issue/9562

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-04-02 23:06:43 +02:00
Rob Crittenden
a9bb811296 Check for file permissions after the ca/cert-show is complete
The commands ca-show and cert-show provide the ability to direct
the certificate output to a file. If the requested object was
not present then this resulted in a zero-length file.

This is because the check to determine if the file was writable,
by opening it, was done prior to the operation to retrieve
the entry.

So move the check after the data retrieval.

Also convert cert-show to be more consistent with ca-show.

I considered cleaning up the empty file afterward but IMHO we
shouldn't touch the file until we're ready to write. This
costs an API roundtrip but its a small price to pay for
potentially protecting existing data.

Fixes: https://pagure.io/freeipa/issue/9562

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-04-02 23:06:43 +02:00
Christian Heimes
38d0e74b6d Move ipalib.install.kinit to ipalib
- kinit helpers are now in `ipalib.kinit`.
- helpers can now use default ccache locations like many other similar
  helpers
- helpers return the result from `run` for debugging
- constants are now in `krb_utils`
- helpers pass `KRB5*` and `GSS*` env vars along, so `KRB5_TRACE` works
- document how to kinit for `ipalib.api`

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-03-27 18:07:17 +01:00
Florence Blanc-Renaud
6cc668ffeb xmlrpc: adapt range plugin test
A warning is added in ipa idrange-add/mod/del for
local ranges. Adapt the test expectation.

Related: https://pagure.io/freeipa/issue/9558
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-27 18:04:26 +01:00
Alexander Bokovoy
a57b665be0 idrange: only issue warning to restart services for a local range
SIDGEN plugin only uses local ID ranges and thus a restart is really
needed only when a local range is added, modified or removed.

Also fix the SSSD warning because removal of any range requires restart
everywhere, not just on a specific server.

Fixes: https://pagure.io/freeipa/issue/9558
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-27 18:04:26 +01:00
Sudhir Menon
adf95dcf86 ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation testcases.
Currently the test is using IPA_NSSDB_PWDFILE_TXT which is /etc/ipa/nssdb/pwdfile.txt
which causes error in STIG mode.

[root@master slapd-TESTRELM-TEST]# certutil -M -n 'TESTRELM.TEST IPA CA' -t ',,' -d . -f /etc/ipa/nssdb/pwdfile.txt
Incorrect password/PIN entered.

Hence modified the test to include paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt.

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-03-25 12:27:43 +01:00
Florence Blanc-Renaud
64861a0cf9 idrange-add: add a warning because 389ds restart is required
After the addition of a new idrange, the sidgen plugin is not
immediately aware of the new idrange and a restart of 389ds is
required. Otherwise the creation of new user/group with a uid/gid
inside the new range fails to grant a SID to the user/group.

Fixes: https://pagure.io/freeipa/issue/9558

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-03-20 13:59:21 +01:00
Alexander Bokovoy
f9a1d74f5e dcerpc: invalidate forest trust info cache when filtering out realm domains
When get_realmdomains() method is called, it will filter out subdomains
of the IPA primary domain. This is required because Active Directory
domain controllers are assuming subdomains already covered by the main
domain namespace.

[MS-LSAD] 3.1.4.7.16.1, 'Forest Trust Collision Generation' defines the
method of validating the forest trust information. They are the same as
rules in [MS-ADTS] section 6.1.6. Specifically,

  - A top-level name must not be superior to an enabled top-level name
    for another trusted domain object, unless the current trusted domain
    object has a corresponding exclusion record.

In practice, we filtered those subdomains already but the code wasn't
invalidating a previously retrieved forest trust information.

Fixes: https://pagure.io/freeipa/issue/9551

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-19 15:20:39 +01:00
Mark Reynolds
557f0a5639 Issue 9547 - Update IPA to IPA migration design doc
Update the ipa to ipa migration doc in regards to the new IPA migration tool

Fixes: https://pagure.io/freeipa/issue/9547

Signed-off-by: Mark Reynolds <mreynolds@redhatr.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-03-14 13:59:48 +01:00
Alexander Bokovoy
e431ce0ce7 ipa-pwd-extop: declare operation notes support from 389-ds locally
The function slapi_pblock_set_flag_operation_notes(); is defined in
ldap/servers/slapd/pblock.c in 389-ds but is only available through
slapi-private.h header, not through slapi-plugin.h public API.

It was introduced in ~1.4.1.7 (~2019) via https://pagure.io/389-ds-base/issue/50349.

Since we only use it with an MFA note, all versions of the 389-ds that
will support MFA note will have this function.

Fixes: https://pagure.io/freeipa/issue/9554

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-14 13:53:16 +01:00
Alexander Bokovoy
23b224d7ad ipa-pwd-extop: add MFA note in case of a successful LDAP bind with OTP
In case there is a successful OTP authentication attempt, register it as
an operation note on the BIND operation in LDAP. 389-ds then will print
a multi-factor authentication note in both access and security logs
according to https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html

Fixes: https://pagure.io/freeipa/issue/5169

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-12 13:53:11 +01:00
Alexander Bokovoy
1d2897e3d7 ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
When authentication indicators were introduced in 2016, ipa-pwd-extop
plugin gained ability to reject LDAP BIND when an LDAP client insists
the authentication must use an OTP token. This is used by ipa-otpd to
ensure Kerberos authentication using OTP method is done with at least
two factors (the token and the password).

This enfrocement is only possible when an LDAP client sends the LDAP
control. There are cases when LDAP clients cannot be configured to send
a custom LDAP control during BIND operation. For these clients an LDAP
BIND against an account that only has password and no valid token would
succeed even if admins intend it to fail.

Ability to do LDAP BIND without a token was added to allow users to add
their own OTP tokens securely. If administrators require full
enforcement over LDAP BIND, it is cannot be achieved with LDAP without
sending the LDAP control to do so.

Add IPA configuration string, EnforceLDAPOTP, to allow administrators to
prevent LDAP BIND with a password only if user is required to have OTP
tokens. With this configuration enabled, it will be not possible for
users to add OTP token if one is missing, thus ensuring no user can
authenticate without OTP and admins will have to add initial OTP tokens
to users explicitly.

Fixes: https://pagure.io/freeipa/issue/5169

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-12 13:53:11 +01:00
Rob Crittenden
c3d228d4a3 Vault: add additional fallback to RSA-OAEP wrapping algo
There is a fallback when creating the wrapping key but one was missing
when trying to use the cached transport_cert.

This allows, along with forcing keyWrap.useOAEP=true, vault creation
on an nCipher HSM.

This can be seen in HSMs where the device doesn't support the
PKCS#1 v1.5 mechanism. It will error out with either "invalid
algorithm" or CKR_FUNCTION_FAILED.

Related: https://pagure.io/freeipa/issue/9191

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-03-05 15:46:01 -05:00
Weblate Translation Memory
ca776b6a9c Translated using Weblate (Korean)
Currently translated at 18.9% (922 of 4877 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-04 08:44:31 +01:00
김인수
bf5c9892e9 Translated using Weblate (Korean)
Currently translated at 18.9% (922 of 4877 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-04 08:44:31 +01:00
Weblate Translation Memory
05f1bf9e2c Translated using Weblate (Korean)
Currently translated at 18.4% (899 of 4877 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-04 08:44:31 +01:00