Commit Graph

9547 Commits

Author SHA1 Message Date
Martin Basti
45a9326574 DNS Locations: use dns_update_service_records in installers
use the dns_update_system_records command to set proper DNS records

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
e23159596e DNS Locations: command dns-update-system-records
command dns-update-system-records updates/fixes DNS records for IPA
services:
* updating A, AAAA records for CA
* updating SRV records for LDAP, kerberos and AD trust
* updating TXT record in _kerberos with proper realm
* updating dns locations if used

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
cf634a4ff8 DNS Locations: add ACI for template attribute
DNS Servers and DNS Administrators must have access to
'idnsTemplateAttribute' to be able set/read template
for generating CNAME records pointing to proper location records.

Also user must be able to add objectclass for idnsTemplateAttribute

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
394b094fc2 DNS Locations: permission: allow to read status of services
New permission was added: "System: Read Status of Services on IPA Servers"
This permission is needed for detection which records should be created
on which servers.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
87c23ba029 DNS Locations: DNS data management
Adding module that allows to work with IPA DNS system records:
* getting system records
* updating system records
* work with DNS locations

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
745a2e6471 DNS Locations: add idnsTemplateObject objectclass
The objectclass and its related is used for generating cname records
inside bind-dyndb-ldap, see design for more details
https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/RecordGenerator

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
d7671ee667 DNS Locations: fix location-del
The wrong option was used

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
0f5cca0e45 DNS Locations: add index for ipalocation attribute
For performace ipalocation should be indexed because it is used by
referint plugin

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Petr Spacek
85d083c366 Require 389-ds-base >= 1.3.5.6
Old DS handles LDAP filters incorrectly and breaks bind-dyndb-ldap.
See https://www.redhat.com/archives/freeipa-devel/2016-June/msg00477.html

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-16 15:02:15 +02:00
Abhijeet Kasurde
6873ac5b03 Added missing translation to automount.py method
Fixes: https://fedorahosted.org/freeipa/ticket/5920

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-16 08:57:55 +02:00
Yuri Chornoivan
dd6645afa9 Fix minor typos
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-16 08:47:20 +02:00
Stanislav Laznicka
8e3b7b24c1 Increase nsslapd-db-locks to 50000
Sometimes the lock table would run out of available locks. This should
improve the lock table default configuration.

https://fedorahosted.org/freeipa/ticket/5914

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2016-06-15 18:14:02 +02:00
Stanislav Laznicka
fb4e19713d Fixes CA always being presented as running
Even after manually stopping the pki-tomcatd service instance the
service's is_running() method would still return True.

https://fedorahosted.org/freeipa/ticket/5898

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-15 18:11:28 +02:00
Fraser Tweedale
01795fca83 upgrade: do not try to start CA if not configured
The upgrade script always attempts to start the CA, even on
instances where the CA is not configured.  Add guards.

Fixes: https://fedorahosted.org/freeipa/ticket/5958
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-15 17:17:22 +02:00
Jan Cholasta
d26e42ffb0 schema: fix client-side dynamic defaults
Call command_defaults with properly typed arguments.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
a64aba36a4 schema: exclude local commands
Commands inherited from Local can't be executed remotely, so exclude them
from API schema.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
f7240c6df8 frontend: call execute rather than forward in Local
This allows properly subclassing from both Local and other Command classes.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
448af06234 dns, passwd: fix outputs of dns_resolve and passwd commands
Use proper output type for the `value` output of the commands.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
365d973763 misc: fix empty CLI output of env and plugins commands
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
e2a8290af1 batch, schema: use Dict instead of Any
Add new Dict parameter class and use it in the batch and command_defaults
plugins.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
3ac2215ddb schema: generate client-side commands on demand
Instead of pre-generating all command classes from API schema on API
initialization and using them as plugins, use placeholder objects which
generate the classes on demand.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
4128c565ea plugable: initialize plugins on demand
Use a new API namespace class which does not initialize plugins until they
are accessed.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
bebdce89b6 plugable: allow plugins to be non-classes
Allow registering any object that is callable and has `name` and `bases`
attributes as a plugin.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Martin Babinsky
3e6af238bb Introduce "NTP server" role
This makes IPA servers that publish their NTP services in LDAP searchable by
`server-role-find` and `server-find` command.

The list of active IPA NTP servers will be displayed in to output of `ipa
config-show` command.

https://fedorahosted.org/freeipa/ticket/5815

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-15 13:51:48 +02:00
Martin Babinsky
567f00a59c Add NTP to the list of services stored in IPA masters LDAP subtree
IPA masters can be configured as NTP servers but the status of this service
can not be determined centrally from querying relevant LDAP subtree. This
patch makes IPA master and replica publish the newly configured NTP service in
their service container during installation.

If the master was configured as NTP server, the NTP service entry will be
created upon upgrade.

https://fedorahosted.org/freeipa/ticket/5815
https://fedorahosted.org/freeipa/ticket/5826

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-15 13:51:48 +02:00
Alexander Bokovoy
905db92e61 adtrust: optimize forest root LDAP filter
`ipa trust-find' command should only show trusted forest root domains

The child domains should be visible via

   ipa trustdomain-find forest.root

The difference between forest root (or external domain) and child
domains is that root domain gets ipaIDObject class to allow assigning a
POSIX ID to the object. This POSIX ID is used by Samba when an Active
Directory domain controller connects as forest trusted domain object.

Child domains can only talk to IPA via forest root domain, thus they
don't need POSIX ID for their TDOs. This allows us a way to
differentiate objects for the purpose of 'trust-find' /
'trustdomain-find' commands.

Fixes https://fedorahosted.org/freeipa/ticket/5942

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 10:02:33 +02:00
Pavel Vomacka
5e5df4abf0 Extend caacl entity
There is new checkbox in adding new caacl which can set whether the ACL applies on all
CAs or not. Also there is a new table with CAs on which is current ACL applied. User
can add and remove CAs from this table.

Part of: https://fedorahosted.org/freeipa/ticket/5939

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-15 09:59:50 +02:00
Pavel Vomacka
f4dd2446cd Extend certificate entity page
Add field for choosing CA when issuing new certificate. Add new item to action menu
on cert details page which allows user to download the certificate as file.

Part of: https://fedorahosted.org/freeipa/ticket/5939

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-15 09:59:50 +02:00
Pavel Vomacka
6e78169e3b Add new webui plugin - ca
Whole new entity for CAs.

https://fedorahosted.org/freeipa/ticket/5939

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-15 09:59:50 +02:00
Fraser Tweedale
f0915e6198 replica-install: configure key retriever before starting Dogtag
After installing a replica, Dogtag's Lightweight CA key retrieval
fails until Dogtag is restarted, because the already-running
instance doesn't pick up the changes to CS.cfg.  Configure the key
retriever before the instance is started.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 07:13:38 +02:00
Fraser Tweedale
08e0aa23b0 Add issuer options to cert-show and cert-find
Add options to cert-show and cert-find for specifying the issuer as
a DN, or a CA name.

Also add the issuer DN to the output of cert-find.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 07:13:38 +02:00
Fraser Tweedale
ae6d5b79fb Update cert-request to allow specifying CA
Add the '--ca' option to the 'ipa cert-request' command, for
specifying the CA to which to direct the request.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 07:13:38 +02:00
Fraser Tweedale
0b0c07858a Add CA argument to ra.request_certificate
Add the optional 'ca_id' argument to ra.request_certificate(), for
passing an Authority ID to Dogtag.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 07:13:38 +02:00
Fraser Tweedale
9c93015e78 Update 'caacl' plugin to support lightweight CAs
For backwards compatibility, an ACL that has no CAs and no CA
category allows access to the IPA CA (host authority) only.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 07:13:38 +02:00
Fraser Tweedale
7d8699580d Add IPA CA entry on install / upgrade
In addition to user-created lightweight CAs, CA ACLs need to be able
to refer to the "main" CA.  Add an entry for the IPA CA on
installation and upgrade.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 07:13:38 +02:00
Fraser Tweedale
3d4db834ca Add 'ca' plugin
This commit adds the 'ca' plugin for creating and managing
lightweight CAs.  The initial implementation supports a single level
of sub-CAs underneath the IPA CA.

This commit also:

- adds the container for FreeIPA CA objects

- adds schema for the FreeIPA CA objects

- updates ipa-pki-proxy.conf to allow access to the Dogtag
  lightweight CAs REST API.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 07:13:38 +02:00
Pavel Vomacka
8135651abb Add ability to review cert request dialog
The request dialog is not closed directly after clicking 'Issue' button, but only
after successful issuing or after clicking 'Close' button. So, the user can check
inputed data.

https://fedorahosted.org/freeipa/ticket/5652

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-14 18:35:31 +02:00
Pavel Vomacka
31faf1c21d Search facet can be without search field
Add attribute 'disable_search_field' which hides search field on search or
nested_search facet.

Part of: https://fedorahosted.org/freeipa/ticket/5906

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-14 18:27:31 +02:00
Pavel Vomacka
1eb5760018 Add server roles on topology page
Adds new tab on topology page which shows server roles. Also extends
server details page and server config page (setting of ca renewal server).

https://fedorahosted.org/freeipa/ticket/5906

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-14 18:27:31 +02:00
Pavel Vomacka
72fe7e3294 Extend table facet
There is new attribute of table facet which allows to set which column of
table will be its primary key. This patch also move some code into separate
method - it will be easier to overide some functionality in child classes.

Part of: https://fedorahosted.org/freeipa/ticket/5906

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-14 18:27:31 +02:00
Pavel Vomacka
95c61c6a0b Association table can be read only
When it is read only it does not show Add and Delete buttons.

Part of: https://fedorahosted.org/freeipa/ticket/5906

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-14 18:27:31 +02:00
Martin Basti
5760cc9182 Use python2 for ipa cli
Switch 'ipa' command to py3 has been done prematurely, this commit sets python2 as interpreter for ipa cli.

https://fedorahosted.org/freeipa/ticket/5638

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-14 13:07:04 +02:00
Martin Basti
ee08f3e237 Revert "Switch /usr/bin/ipa to Python 3"
This reverts commit 1ebd8334bc.

Switch 'ipa' command to py3 has been done prematurely, thus this commit
reverts it from IPA 4.3.2 and temporarily from master because it is
blocker for developing of the new features.

https://fedorahosted.org/freeipa/ticket/5638

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-14 13:07:04 +02:00
Florence Blanc-Renaud
2c7ec27ad9 batch command can be used to trigger internal errors on server
In ipalib, the batch command expects a specific format for arguments.
The code did not check the format of the parameters, which could trigger
internal errors on the server.
With this fix:
- a ConversionError is raised if the arg passed to batch() is not a list of
dict
- the result appended to the batch results is a ConversionError if the
'params' does not contain a tuple(list,dict)

https://fedorahosted.org/freeipa/ticket/5810

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-06-14 09:26:15 +02:00
David Kupka
9f48c39649 installer: index() raises ValueError
Expecting IndexError instead of ValueError led to traceback instead of correctly
reporting the error situation.

https://fedorahosted.org/freeipa/ticket/5945

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-13 18:04:40 +02:00
David Kupka
54318d1a2c installer: positional_arguments must be tuple or list of strings
Setting string here was causing search for substring instead of search for value
in tuple or list.

https://fedorahosted.org/freeipa/ticket/5945

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-13 18:04:40 +02:00
Martin Babinsky
21def4fde0 Server Roles: provide an API for setting CA renewal master
`ipa config-mod` gained '--ca-renewal-master' options which can be used to
set CA renewal master to a different server. Obviously, this server has to
have CA role enabled.

https://fedorahosted.org/freeipa/ticket/5689
http://www.freeipa.org/page/V4/Server_Roles

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00
Martin Babinsky
5f7086e718 Server Roles: make *config-show consume relevant roles/attributes
This patch modifies config objects so that the roles/attributes relevant to
the configuration are shown in the output:

* config-{show,mod} will show list of all IPA masters, CA servers and CA
  renewal master

* dnsconfig-{show,mod} will list all DNS server and DNS key master

* trustconfig-{show,mod} will list all AD trust controllers and agents

* vaultconfig-show will list all Key Recovery Agents

http://www.freeipa.org/page/V4/Server_Roles
https://fedorahosted.org/freeipa/ticket/5181

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00
Martin Babinsky
b9aa31191b Server Roles: make server-{show,find} utilize role information
server-show command will now display list of roles enabled on the master
(unless `--raw` is given).

server-find gained `--servroles` options which facilitate search for server
having one or more enabled roles.

http://www.freeipa.org/page/V4/Server_Roles
https://fedorahosted.org/freeipa/ticket/5181

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00
Martin Babinsky
80cbddaa37 Server Roles: public API for server roles
This patch implements the `serverroles` API plugin which introduces the
following commands:

    * server-role-show SERVER ROLE: show status of a single role on a server
    * server-role-find [--server SERVER [--role SERVROLE [--status=STATUS]]]:
      find role(s) SERVROLE and return their status on IPA
      masters. If --server option is given, the query is limited to this
      server. --status options filters the output by status [enabled vs.
      configurer vs. absent]

https://fedorahosted.org/freeipa/ticket/5181
http://www.freeipa.org/page/V4/Server_Roles

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00