Replace python3-pyldap with python3-ldap.
Remove some old code for compatibility with very old python-ldap.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Change eb6d4c3037 deferred the
detailed lookup until all certs were collected but introduced
a bug where the ra backend was always retrieved. This generated a
backtrace in a CA-less install because there is no ra backend in
the CA-less case.
The deferral also removes the certificate value from the LDAP
search output resulting in only the serial number being displayed
unless --all is provided. Add a new class variable,
self.ca_enabled, to add an exception for the CA-less case.
Fixes https://pagure.io/freeipa/issue/7202
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
RADIUS, which is also internally used in the process of OTP
authentication by ipa-otpd, requires MD5 checksums which
makes it impossible to be used in FIPS mode. Don't allow users
setting OTP or RADIUS authentication if in FIPS mode.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Previously, CSRs were handled as a Str parameter which brought
trouble to Python 3 because of its more strict type requirements.
We introduce a CertificateSigningRequest parameter which allows to
use python-cryptography x509.CertificateSigningRequest to represent
CSRs in the framework.
https://pagure.io/freeipa/issue/7131
If the # of group memberships exceeded the search size limit
then SizeLimitExceeded was raised. Being in too many groups
should not cause a *_show to fail.
https://pagure.io/freeipa/issue/7112
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The goal is to avoid using HTTP where possible and use TLS everywhere.
This provides not only privacy protection but also integrity protection.
We should consider any network except localhost as untrusted.
Switch from using urllib.request to dogtag.https_request.
https://pagure.io/freeipa/issue/7027
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
If we issue pkinit-status after an upgrade from a pre-4.5 ipa
version, it would have failed with KeyError since the
pkinit_server_server of IPA config was never initialized.
https://pagure.io/freeipa/issue/7144
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The consider-iterating-dictionary check disable never worked before
(notice the missing comma in pylintrc). Fix the rest of the dict
iteration.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
commit bddb90f38a added the support for
multivalued server attributes (for pkinit_server_server), but this
introduced an API change where the setter and getter of ServerAttribute
are expecting list of values.
When a SingleValuedServerAttribute is used, we need to convert one elem
into a list containing this elem and vice-versa, so that the ipa config-mod
and ipa config_show APIs are not modified.
https://pagure.io/freeipa/issue/7120
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The schema RPC response can include a bytes value for the
'topic_topic' field (when the server is running in Python 2).
In this case, a Python 3 client fails to initialise the API
when a schema fetch is required, because it cannot serialise
the bytes values in the schema object to JSON.
Ensure the 'topic_topic' value is unicode.
Part of: https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When uninstalling, if server does not have all roles, exception
is thrown as the role is not found. `member_principal` variable
has to be string here, otherwise we're using str on bytes.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Recent certificate refactoring left the system in a state where
the certificates are somewhere converted to DER format, somewhere
directly sent to ipaldap as IPACertificate objects. The latter
is the desirable way, make sure it's the one commonly used.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
ipaldap.LDAPEntry expects that entry attributes, if multi-valued,
are lists.
The recent cert refactoring made it possible to pass certificate
values from options directly to LDAPEntry. This should now be
handled in appropriate general way in baseldap.LDAPCreate
since if options.get() is called, it returns tuple instead
of list which confuses ipaldap.
https://pagure.io/freeipa/issue/7077
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The server-del command passes str instance instead of bytes to
ldap.modify_s which results in the target server not being
removed properly.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.
This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.
This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.
Deprecate object-specific loggers in `ipa_log_manager.get_logger`.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Currently the cert-request execution is complicated and cannot
handle aliases in the --principal argument.
Implement the following simplifications:
- Search all user/host/service accounts at once, by krbPrincipalName
(error if no account found). Use principal canonical name to
determine the type of the principal.
- Update subject principals userCertificate attribute uniformly,
instead of dispatching to user/host/service-mod based on type of
principal.
Fixes: https://fedorahosted.org/freeipa/ticket/6531
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
If the role or attribute is empty (i.e. no server provides the role or
the caller has no read access to the required information) do not
return empty attributes. This is consistent with other behavior
displayed by optional multivalued Params.
https://pagure.io/freeipa/issue/7029
Reviewed-By: Martin Basti <mbasti@redhat.com>
LDAPClient should be used for ad-hoc connections, so the argument is not
necessary, and currently also unused.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the
user_status and migrate-ds plugins.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The cert-find command now uses the proxy to reach Dogtag, instead of using
the port 8080. In order to accomplish that, it's necessary to change the
proxy configuration including the URL called.
https://pagure.io/freeipa/issue/6966
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
There are two ways for maintaining user principal names (UPNs) in Active
Directory:
- associate UPN suffixes with the forest root and then allow for each
user account to choose UPN suffix for logon
- directly modify userPrincipalName attribute in LDAP
Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.
The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.
This is especially true for one-word UPNs which otherwise wouldn't work
properly on Kerberos level for both FreeIPA and Active Directory.
Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.
As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible to specify all of them:
ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}
Fixes: https://pagure.io/freeipa/issue/7015
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
After invocation of the ipa server-del <hostname>
command there was still record in ldap if DNS
was installed on the <hostname> server.
Fixes: https://pagure.io/freeipa/issue/6572
Reviewed-By: Martin Basti <mbasti@redhat.com>
In service.py the primary key is krbCanonicalName, which we
don't want to use to do searchs. Now, cert-find uses primary
key or a specified attribute to do searches in LDAP, instead
of using only a primary key.
https://pagure.io/freeipa/issue/6948
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
If the Subject DN is syntactically valid but contains unrecognised
name attributes, FreeIPA accepts it but Dogtag rejects it, returning
status 400 and causing the framework to raise RemoteRetrieveError.
Update the ca-add command to perform some additional validation on
the user-supplied Subject DN, making sure that we recognise all the
attributes.
Fixes: https://pagure.io/freeipa/issue/6987
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
