It is not obvious how to add SELinux type and role transitions to a
Sudo rule. Update the 'sudorule' plugin documentation with examples
of how to do this.
Fixes: https://fedorahosted.org/freeipa/ticket/3461
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
the global keyword should be used only when variable from outside is
assigned inside, otherwise it has no effect and just confuses developers
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
When removing all host/service certificates via host/service-mod
--certificate=, the removed certificates should be revoked, but they
are not. Examine whether the --certificate option was provided to
determine whether certs should be revoked, instead of looking for a
cert list in the options (which in this case is empty).
Fixes: https://fedorahosted.org/freeipa/ticket/6305
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
update_from_dict() method is not used anywhere in the project,
it only makes the tests fail. Removed it and its tests.
https://fedorahosted.org/freeipa/ticket/6311
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Inform the user where to find additional information
about certificate revocation reasons.
https://fedorahosted.org/freeipa/ticket/6327
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
User and groups regexp are the same and constant should be used to avoid
any future misconfigurations.
https://fedorahosted.org/freeipa/ticket/5822
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Regexp should not enforce lenght of string, we have different checks for
that. Secondly regexp with length specified produces an incorrect error
message.
https://fedorahosted.org/freeipa/ticket/5822
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Backup and restore trust flags of existing certificates during CA
installation. This prevents marking a previously trusted certificate
as untrusted, as was the case when CA-less was converted to CA-full
with external CA when using the same certificate.
https://fedorahosted.org/freeipa/ticket/5791
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
When ipa-server-certinstall is called to install a new server certificate,
the prerequisite is that the certificate issuer must be already known by IPA.
This fix adds new checks to make sure that the tool exits before
modifying the target NSS database if it is not the case.
The fix consists in creating a temp NSS database with the CA certs from the
target NSS database + the new server cert and checking the new server cert
validity.
https://fedorahosted.org/freeipa/ticket/6263
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Originaly there should be only two occurencees of this warning, one for
server, one for client. But obviously is not possible with current
installers to achive this goal, so I have to extract code to not mess
with 5 times copy and paste.
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
For some reasons named may not be runnig and this cause fail of this
upgrade step. This step is not critical so only ERROR message with
recommendation is shown.
https://fedorahosted.org/freeipa/ticket/6205
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Some upgrade steps require bind running, to be succesfull. Upgrader
makes sure that bind starts.
https://fedorahosted.org/freeipa/ticket/6205
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Commit c2af032c03 introduced a regression in the
handling of user principals supplied to the`ipa passwd` command. This patch
restores the original behavior which lowercases the username portion of the
principal.
https://fedorahosted.org/freeipa/ticket/6329
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The code should always contact forest root DCs when requesting trust domain
info. In the case of one-way or external trusts
`com.redhat.idm.trust-fetch-domains` helper is leveraged, otherwise forest
root domain is contacted directly through Samba using the credentials of HTTP
principal.
https://fedorahosted.org/freeipa/ticket/6328
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix a regression in recent change to request cert via Dogtag REST
API. 'ra.request_certificate' was no longer raising
CertificateOperationError when the cert request failed. Inspect the
request result to determine if the request completed, and raise if
it did not.
Fixes: https://fedorahosted.org/freeipa/ticket/6309
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
DNs for netgroup entries can contain either 'cn' or 'ipauniqueid' attribute in
their leaf RDN depending on their origin. Since 'cn' is the primary key, we
can return it in `get_primary_key_from_dn` right away and avoid any extraneous
LDAP search.
https://fedorahosted.org/freeipa/ticket/5855
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Also moving activate_action method several lines up - correcting logical order of methods.
https://fedorahosted.org/freeipa/ticket/5818
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
There is no reason (RFC) why we should prevent users to add multicast
addresses to A/AAAA records
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
Currently cloud environments uses heavily prefix /32 (/128) what makes
IPA validators to fail. IPA should not care if IP address is network or not.
This commit allows usage of network addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
Revocation of host/service certs on host/service deletion or other
operations is broken when cert is issued by a lightweight (sub)CA,
causing the delete operation to be aborted. Look up the issuing CA
and pass it to 'cert_revoke' to fix the issue.
Fixes: https://fedorahosted.org/freeipa/ticket/6221
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Detect when cert-request returns HTTP 409, which indicates that the
target CA is disabled - a valid scenario - and raise
CertificateOperationError with a friendly message instead of
HTTPRequestError.
Fixes: https://fedorahosted.org/freeipa/ticket/6260
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The Dogtag REST API gives better responses statuses than the RPC API
and properly reports failure due to disabled CA (status 409). Make
'ra' extend 'RestClient' and refactor the 'request_certificate'
method to use Dogtag's REST API.
Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Currently, HTTP requests that respond with status not in the 2xx
range raise RemoteRetrieveError. The exception includes no
information about the response status.
Add the 'HTTPRequestError' class which extends 'RemoteRequestError'
with an attribute for the response status, and update the Dogtag
RestClient to raise the new error.
Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Currently the Dogtag RestClient '_ssldo' method requires a session
cookie unconditionally, however, not all REST methods require a
session: some do not require authentication at all, and some will
authenticate the agent on the fly.
To avoid unnecessary login/logout requests via the context manager,
add the 'use_session' keyword argument to '_ssldo'. It defaults to
'True' to preserve existing behaviour (session required) but a
caller can set to 'False' to avoid the requirement.
Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Always return the cert specified in --certificate in cert-find result, even
when the cert is not found in LDAP.
https://fedorahosted.org/freeipa/ticket/6304
Reviewed-By: David Kupka <dkupka@redhat.com>
We soon plan to revoke certificates upon lightweight CA deletion.
This makes it important to provide a way to prevent a CA from
issuing certificates whilst not deleting and revoking it, and
continuing to allow management of issued certs.
This commit adds the ca-disable and ca-enable commands.
Fixes: https://fedorahosted.org/freeipa/ticket/6257
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Fix the code which determines if a record part is required and thus should
be prompted not to wrongfully consider all record parts to be optional.
https://fedorahosted.org/freeipa/ticket/6203
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add Certmonger tracking requests for lightweight CAs on replica
installation. As part of this change, extract most of the
lightweight CA tracking code out of ipa-certupdate and into
cainstance.
Fixes: https://fedorahosted.org/freeipa/ticket/6019
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This allows for re-use of this method in cases where the caller can not or
wishes not to instantiate local Samba domain to retrieve information about
remote ones.
https://fedorahosted.org/freeipa/ticket/6057
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
performed against non-root forest domain DCs were automatically routed to the
root domain DCs to resolve trust topology information.
This is no longer the case, so the `dcerpc.fetch_domains` function must
explicitly contact root domain DCs even in the case when an external two-way
trust to non-root domain is requested.
https://fedorahosted.org/freeipa/ticket/6057
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix an AttributeError in XML-RPC methodSignature and methodHelp commands
caused by incorrect mangled name usage.
https://fedorahosted.org/freeipa/ticket/6217
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Force reconnect to LDAP as DS might have been restarted after the
connection was opened, rendering the connection invalid.
This fixes a crash in ipa-replica-install with --setup-ca.
https://fedorahosted.org/freeipa/ticket/6207
Reviewed-By: Martin Basti <mbasti@redhat.com>
When `trust-add` is supplied AD domain admin name without realm component, the
code appends the uppercased AD forest root domain name to construct the full
principal. This can cause authentication error, however, when external trust
with non-root domain is requested.
We should instead use the supplied DNS domain name (if valid) as a realm
component.
https://fedorahosted.org/freeipa/ticket/6277
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When a command is called on the server over RPC without its version
specified, assume version 1 instead of the highest known version.
This ensures backward compatibility with old clients, which do not support
versioned commands and understand only the first version of any given
command.
https://fedorahosted.org/freeipa/ticket/6217
Reviewed-By: David Kupka <dkupka@redhat.com>
The code is supposed to check that the SAN name is also authorized to be used
with the specified profile id.
The original principal has already been checked.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When running ipa-adtrust-install, a netbios-name option must be specified.
Currently if an invalid netbios name in form of empty string is specified, the
installation proceeds, but changes the invalid value to a netbios name
determined from domain name without any notification.
Fixing this so that any attempt to supply empty string as netbios name fails
with error in case of unattended installation, or to request input of valid
netbios name from command line during normal installation.
https://fedorahosted.org/freeipa/ticket/6120
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Include name of the CA that issued a certificate in cert-request, cert-show
and cert-find.
This allows the caller to call further commands on the cert without having
to call ca-find to find the name of the CA.
https://fedorahosted.org/freeipa/ticket/6151
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add back `serial_number_hex` and `revoked` param values to cert-find output
accidentally removed in commit c718ef0588.
https://fedorahosted.org/freeipa/ticket/6269
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
