Commit Graph

3624 Commits

Author SHA1 Message Date
Christian Heimes
9c86d35a3f Cleanup shebang and executable bit
- Add missing executable bits to all scripts
- Remove executable bits from all files that are not scripts,
  e.g. js, html, and Python libraries.
- Remove Python shebang from all Python library files.

It's frown upon to have executable library files in site-packages.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-07-05 19:46:42 +02:00
Christian Heimes
f1d5ab3a03 Increase WSGI process count to 5 on 64bit
Increase the WSGI daemon worker process count from 2 processes to 5
processes. This allows IPA RPC to handle more parallel requests. The
additional processes increase memory consumption by approximante 250 MB
in total.

Since memory is scarce on 32bit platforms, only 64bit platforms are
bumped to 5 workers.

Fixes: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-15 13:02:53 +02:00
Christian Heimes
7d12bbb99b Use python3-lesscpy 0.13.0
Require python-lesscpy 0.13. with Python 3 fix and use py3-lesscpy to
compile ipa.css.

python2-lesscpy was the last Python 2 dependency.

Fixes: https://pagure.io/freeipa/issue/7585
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-14 09:04:06 +02:00
Rob Crittenden
f976f6cfd8 Use replace instead of add to set new default ipaSELinuxUserMapOrder
The add was in effect replacing whatever data was already there
causing any custom order to be lost on each run of
ipa-server-upgrade.

https://pagure.io/freeipa/issue/6610

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-06-08 10:49:18 +02:00
Christian Heimes
992a5f4823 Move client templates to separate directory
PR https://github.com/freeipa/freeipa/pull/1747 added the first template
for FreeIPA client package. The template file was added to server
templates, which broke client-only builds.

The template is now part of a new subdirectory for client package shared
data.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-05 16:34:27 -04:00
Stanislav Laznicka
f47d86c719 Move config directives handling code
Move config directives handling code:
        ipaserver.install.installutils -> ipapython.directivesetter

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Timo Aaltonen
c5ee8ae529 named.conf: Disable duplicate zone on debian, and modify data dir
zone already imported via default zones.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Christian Heimes
8e165480ac Use GnuPG 2 for backup/restore
ipa-backup and ipa-restore now use GnuPG 2 for asymmetric encryption, too.
The gpg2 command behaves a bit different and requires a gpg2 compatible
config directory. Therefore the --keyring option has been deprecated.

The backup and restore tools now use root's GPG keyring by default.
Custom configuration and keyring can be used by setting GNUPGHOME
environment variables.

Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-27 16:05:50 +02:00
Aleksei Slaikovskii
b82af69882 Radius proxy multiservers fix
Now radius proxy plugin allows to add more then one radius server
into radius proxy but the first one from ldap response is being
parsed (you can see ./daemons/ipa-optd/parse.c).

So this kind of behaviour is a bug, as it was determined on IRC.

This patch removes possibility to add more then one radius server
into radius proxy.

Pagure: https://pagure.io/freeipa/issue/7542
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
2018-05-17 18:36:33 -04:00
Alexander Bokovoy
e642865717 group: allow services as members of groups
Allow services to be members of the groups, like users and other groups
can already be.

This is required for use cases where such services aren't associated
with a particular host (and thus, the host object cannot be used to
retrieve the keytabs) but represent purely client Kerberos principals to
use in a dynamically generated environment such as Kubernetes.

Fixes: https://pagure.io/freeipa/issue/7513
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-08 16:39:22 -04:00
Alexander Bokovoy
9e8fb94e87 service: allow creating services without a host to manage them
Add --skip-host-check option to ipa service-add command to allow
creating services without corresponding host object. This is needed to
cover use cases where Kerberos services created to handle client
authentication in a dynamically generated environment like Kubernetes.

Fixes: https://pagure.io/freeipa/issue/7514
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-08 16:39:22 -04:00
Rob Crittenden
648d7c0d38 Disable message about log in ipa-backup if IPA is not configured
Introduce server installation constants similar to the client
but only tie in SERVER_NOT_CONFIGURED right now.

For the case of not configured don't spit out the "See <some log>
for more information" because no logging was actually done.

In the case of ipa-backup this could also be confusing if the
--log-file option was also passed in because it would not be
used.

https://pagure.io/freeipa/issue/6843

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-03 17:34:45 +02:00
Robbie Harwood
792adebfab Enable SPAKE support using krb5.conf.d snippet
Because krb5 silently ignores unrecognized options, this is safe on
all versions.  It lands upstream in krb5-1.17; in Fedora, it was added
in krb5-1.6-17.

Upstream documentation can be found in-tree at
https://github.com/krb5/krb5/blob/master/doc/admin/spake.rst

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-28 16:35:16 +02:00
Alexander Bokovoy
2d6d768d1a idoverrideuser-add: allow adding ssh key in web ui
CLI already allows to pass public SSH key when creating an ID override
for a user. Web UI allows to add public SSH keys after the ID override
was created.

Add SSH key field to allow passing public SSH key in one go when
creating an ID override for a user.

Fixes: https://pagure.io/freeipa/issue/7519
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-28 08:44:25 +02:00
Christian Heimes
994f71ac8a Use single Custodia instance in installers
Installers now pass a single CustodiaInstance object around, instead of
creating new instances on demand. In case of replica promotion with CA,
the instance gets all secrets from a master with CA present. Before, an
installer created multiple instances and may have requested CA key
material from a different machine than DM password hash.

In case of Domain Level 1 and replica promotion, the CustodiaInstance no
longer adds the keys to the local instance and waits for replication to
other replica. Instead the installer directly uploads the new public
keys to the remote 389-DS instance.

Without promotion, new Custodia public keys are still added to local
389-DS over LDAPI.

Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2018-04-26 21:19:53 +02:00
Stanislav Laznicka
b5bdd07bc5
Add absolute_import future imports
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-04-20 09:43:37 +02:00
Alexander Bokovoy
2de1aa27f9 ACL: Allow hosts to remove services they manage
Allow hosts to delete services they own. This is an ACL that complements
existing one that allows to create services on the same host.

Add a test that creates a host and then attempts to create and delete a
service using its own host keytab.

Fixes: https://pagure.io/freeipa/issue/7486
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-19 08:59:45 -04:00
Petr Vobornik
b43c2f8ab4 webui: refresh complex pages after modification
Details facet for user, hosts, service, user override entities require
complex reload as they gather information from multiple sources - e.g.
all of them do cert-find. On update only $entity-mod is execute and its
result doesn't have all information required for refresh of the page
therefore some fields are missing or empty.

This patch modifies the facets to do full refresh instead of default
load and thus the pages will have all required info.

https://pagure.io/freeipa/issue/5776

Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
2018-04-19 12:11:26 +02:00
Tibor Dudlák
74c2b46cde Remove unnecessary option --force-chrony
FreeIPA will always force chrony service and disable any
other conflicting time synchronization daemon.
Add --ntp-server option to server manpage and note to NTP pool option.

Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Tibor Dudlák
dba87a47a7 Remove NTP server role while upgrading
Remove NTP server role from config.py.
Remove uneccesary variables and replaced untrack_file with restore_file.
Update typo in manpages and messages printed while installing.

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Tibor Dudlák
333acf1ab6 Update man pages for FreeIPA client, replica and server install
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Alexander Bokovoy
34d06b2be7 Allow anonymous access to parentID attribute
Due to optimizations in 389-ds performed as result of
https://pagure.io/389-ds-base/issue/49372, LDAP search filter
is rewritten to include parentID information. It implies that parentID
has to be readable for a bound identity performing the search. This is
what 389-ds expects right now but FreeIPA DS instance does not allow it.

As result, searches with a one-level scope fail to return results that
otherwise are matched in a sub scope search.

While 389-ds developers are working on the fix for issue
https://pagure.io/389-ds-base/issue/49617, we can fix it by adding an
explicit ACI to allow reading parentID attribute at the suffix level.

Fixes: https://pagure.io/freeipa/issue/7466
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-28 15:29:00 +02:00
Stanislav Laznicka
7cbd9bd429 Encrypt httpd key stored on disk
This commit adds configuration for HTTPD to encrypt/decrypt its
key which we currently store in clear on the disc.

A password-reading script is added for mod_ssl. This script is
extensible for the future use of directory server with the
expectation that key encryption/decription will be handled
similarly by its configuration.

https://pagure.io/freeipa/issue/7421

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-23 12:48:46 +01:00
Takeshi MIZUTA
ce0b87e9a6
Fix some typos in man page
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-03-21 08:41:34 +01:00
Alexey Slaykovsky
c450e2dc8f Make WebUI unit tests to generate results as JUnit
Now WebUI unit tests are generating results in qunit format which
is not consumable well by Jenkins.

This patch adds NPM dependency for adding generation results in
JUnit XML format so it can be easily processed.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-16 14:26:48 +01:00
Brian J. Murrell
d7c23a3ba6 Move ETag disabling to /ipa virtual server
This moves the ETag disabling so that it's specific to the /ipa
virtual server rather than being applied to all virtual servers on the machine.

This enables better co-existence with other virtual servers that want ETags.

Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-16 08:01:53 +01:00
Rob Crittenden
bfd1170118 Redirect CRL requests to the http port, not the https port
https://pagure.io/freeipa/issue/7433

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-16 07:42:07 +01:00
amitkuma
e6ca3b0c73 Removing extra spaces present in man ipa-server-install
There are extras space present in man page. PR removes
identified extra spaces.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-06 10:11:52 +01:00
Christian Heimes
2d8d5ad8d9 Remove deprecated -p option from ipa-dns-install
The option has been deprecated since at least freeIPA release 4.3.0 when
the installer was changed to use LDAPI.

See: https://pagure.io/freeipa/issue/4933
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 09:29:43 +01:00
Petr Vobornik
f7b2342426 webui: hbactest: add tooltips to 'enabled' and 'disabled' checkboxes
"Include enabled" and "Include disabled" checkboxes on "Rules" tab
of HBAC Test Web UI page don't have any descriptions. It is not
clear what they do from only the labels.

This patch adds tooltips with metadata doc text of respected API
options. I.e. in practice it adds the same as CLI help when user
hovers over the checkbox label.

  --enabled        Include all enabled IPA rules into test [default]
  --disabled       Include all disabled IPA rules into test

Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
2018-02-22 16:27:11 -03:00
Stanislav Laznicka
b21941360c
Move HTTPD cert/key pair to /var/lib/ipa/certs
This moves the HTTPD certificates from their default location
to IPA-specific one. This should be especially helpful from
the container perspective.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
5c64e28512
Convert ipa-pki-proxy.conf to use mod_ssl directives
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Christian Heimes
90a75f0d43 Use system-wide crypto-policies on Fedora
HTTPS connections from IPA framework and bind named instance now use
system-wide crypto-policies on Fedora.

For HTTPS the 'DEFAULT' crypto policy also includes unnecessary ciphers
for PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA,
they are explicitly excluded.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1179925
See: https://bugzilla.redhat.com/show_bug.cgi?id=1179220
Fixes: https://pagure.io/freeipa/issue/4853
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-20 17:01:52 +01:00
Florence Blanc-Renaud
d647072642
ACI: grant access to admins group instead of admin user
The ACI needed for staged users and deleted users were granted
only to the uid=admin user. They should rather be granted to
cn=admins group, to make sure that all members of the admins
group are able to call the command ipa user-del --preserve.

This commit also adds integration test for non-regression.

https://pagure.io/freeipa/issue/7342

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-19 15:51:44 +01:00
Christian Heimes
a349629fba ipa-custodia-checker now uses python3 shebang
https://pagure.io/freeipa/issue/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-16 08:31:20 +01:00
Stanislav Laznicka
f31797c70a Have all the scripts run in python 3 by default
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-15 18:43:12 +01:00
Timo Aaltonen
e6c707b168 ipaplatform, ipa.conf: Use paths variables in ipa.conf.template
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-09 09:14:22 +01:00
Timo Aaltonen
1adb3edea9 Move config templates from install/conf to install/share
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-09 09:14:22 +01:00
Felipe Barreto
ece17cef17 Check if replication agreement exist before enable/disable it
If the replication agreement does not exist, a custom exception is
raised explaining the problem.

https://pagure.io/freeipa/issue/7201

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-09 08:30:21 +01:00
Christian Heimes
1785a3e17b Replace wsgi package conflict with config file
Instead of a package conflict, freeIPA now uses an Apache config file to
enforce the correct wsgi module. The workaround only applies to Fedora
since it is the only platform that permits parallel installation of
Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
Debian doesn't permit installation of both variants.

See: https://pagure.io/freeipa/issue/7161
Fixes: https://pagure.io/freeipa/issue/7394
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-09 08:28:11 +01:00
Christian Heimes
2391c75e3d Replace hard-coded paths with path constants
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.

The fix simplifies Darix's port of freeIPA on openSuSE.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-08 09:32:12 +01:00
amitkuma
5c361f5450 Documenting kinit_lifetime in /etc/ipa/default.conf
Describing the parameter kinit_lifetime that allows to limit the lifetime of ticket obtained by users authenticating to the WebGUI using login/password. Removing session_auth_duration and session_duration_type since these parameters are not relevant anymore.

Resolves: https://pagure.io/freeipa/issue/7333
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2018-01-12 20:33:20 +01:00
Christian Heimes
73ee9ff40e LGTM: Fix multiple use before assignment
- Move assignment before try/finally block
- Add raise to indicate control flow change
- Add default value

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-09 07:53:28 +01:00
François Cami
6f5042cd87 10-config.update: remove nsslapd-sasl-max-buffer-size override as https://pagure.io/389-ds-base/issue/47457 was fixed directly in 389 Directory Server.
The patch addresses:
https://bugzilla.redhat.com/show_bug.cgi?id=1527020
"nsslapd-sasl-max-buffer-size is hardcoded to '2097152' during
install even if another value was provided in an LDIF
( --dirsrv-config-file )"

Fixes: https://pagure.io/freeipa/issue/7341

Tested against RHEL 7.4, the nsslapd-sasl-max-buffer-size parameter
is still 2097152 after this change and the change allows overriding
its value using --dirsrv-config-file properly.

Fix suggested by Florence Blanc-Renaud.

Signed-off-by: François Cami <fcami@fedoraproject.org>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-01-04 16:36:54 +01:00
Pavel Vomacka
cf2d171d0c WebUI: make keytab tables on service and host pages writable
There is no object class before adding the first item into tables,
therefore there are no ACI and WebUI is not able to figure out
whether table is writable or not. Adding flag 'w_if_no_aci'
tells "make it writable even if we have not ACIs and try to do
the API call.

https://pagure.io/freeipa/issue/7111

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2018-01-04 16:24:42 +01:00
Pavel Vomacka
0f28c7e32e Include npm related files into Makefile and .gitignore
Extedned Makefile in install/ui
 - $ make clean-local removes npm related files in the install/ui directory
Add node_modules and package-lock.json into .gitignore

Fixes: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
8aca1fe72a Update jsl.conf in tests subfolder
- to know QUnit, it is global object provided by QUnit.js library
- remove not-existing test navigation_tests.js

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
905a0abfd6 Update README about WebUI unit tests
Add information how to run tests from command line

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
2dd7741075 Update tests
With newer QUnit the API has changed, therefor there are necesary changes
in tests. QUnit methods does not pollute global workspace they use global
QUnit object or assert object passed as argument to test method.

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
c47784dc9f Create symlink to qunit.js
Base path for all unit tests is install/ui/js. This path is also used
by PhantomJS when runnig unit tests from command line. PhantomJS then
tries to find qunit.js therefor symlink in install/ui/js is needed.

This might be automated in the future.

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
c50092c3b5 Update jsl to not warn about module in Gruntfile
Gruntfile uses module keyword which is not known by our JSLint.
Adding it into known keywords fix the warning.

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
c48ac2819b Add Gruntfile and package.json to ui directory
Those files are used when running WebUI unit tests from command line.

- Gruntfile specifies grunt task which can run the webui tests.
- symlink to src/freeipa/package.json where are specified npm packages
  which are required for running those test.
  There is only symlink to not duplicite package.json file

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
8b25ac88e1 Update QUnit CSS file to 2.4.1
Update QUnit CSS to correspond with QUnit JS library

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
68540856cf Update qunit.js to version 2.4.1
It provides more functions, bug fixes, but mainly better error handling
therefore it is easier to debug errors while tests are automatically
run.

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Alexander Koksharov
fbb1889766 ensuring 389-ds plugins are enabled after install
To avoid problems caused by desabled plugins on 389-ds side
explicitly enable plugins required by IPA

https://pagure.io/freeipa/issue/7271

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-14 16:41:01 +01:00
Fraser Tweedale
0e9ce73a52 Add uniqueness constraint on CA ACL name
It is possible to add caacl entries with same "name" (cn).  The
command is supposed to prevent this but direct LDAP operations allow
it and doing that will cause subsequent errors.

Enable the DS uniqueness constraint plugin for the cn attribute in
CA ACL entries.

Fixes: https://pagure.io/freeipa/issue/7304
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-12 14:36:44 +01:00
Christian Heimes
b32a4aef86 More log in verbs
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-12-12 12:53:21 +01:00
Christian Heimes
dca9f84961 Address more 'to login'
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-12-12 12:53:21 +01:00
Christian Heimes
ae3160fdd7 Fix grammar error: Log out
https://pagure.io/freeipa/issue/7258

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-12-12 12:53:21 +01:00
Christian Heimes
3756dbf964 Fix grammar in login screen
https://pagure.io/freeipa/issue/7263

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-12-12 12:53:21 +01:00
Rob Crittenden
d7aa7945e8 Run server upgrade in ipactl start/restart
During a distro upgrade, e.g. F-26 to F-27, networking may not
be available which will cause the upgrade to fail. Despite this
the IPA service can be subsequently restarted running new code
with old data.

This patch relies on the existing version-check cdoe to determine
when/if an upgrade is required and will do so during an ipactl
start or restart.

The upgrade is now run implicitly in the spec file and will
cause the server to be stopped after the package is installed
if the upgrade fails.

Fixes: https://pagure.io/freeipa/issue/6968

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-12 12:08:35 +01:00
Fraser Tweedale
34f73b4a94 install: report CA Subject DN and subject base to be used
Currently we do not report what Subject DN or subject base will be
used for the CA installation.  This leads to situations where the
administrator wants a different Subject DN later.  Display these
data as part of the "summary" prior to the final go/no-go prompt in
ipa-server-install and ipa-ca-install.

The go/no-go prompt in ipa-ca-install is new.  It is suppressed for
unattended installations.

Fixes: https://pagure.io/freeipa/issue/7246
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-11 12:06:28 +01:00
Fraser Tweedale
39fdc2d250 ipa_certupdate: avoid classmethod and staticmethod
Because classmethod and staticmethod are just fancy ways of calling
plain old functions, turn the classmethods and staticmethods of
CertUpdate into plain old functions.

This improves readability by making it clear that the behaviour of
the routines cannot depend on instance or class variables.

Part of: https://pagure.io/freeipa/issue/6577

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Fraser Tweedale
97942a7c7a Run certupdate after promoting to CA-ful deployment
After installing a CA in a CA-less installations (using
ipa-ca-install), the new CA certificate is not installed in
/etc/httpd/alias. This causes communication failure between IPA
framework and Dogtag (it cannot verify the Dogtag server
certificate).

Perform a CertUpdate as the final step when promoting a CA-less
deployment to CA-ful.

Fixes: https://pagure.io/freeipa/issue/7230
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Fraser Tweedale
8960141adb ipa-ca-install: run certupdate as initial step
When installing a CA replica, perform a certupdate to ensure that
the relevant CA cert is present.  This is necessary if the admin has
just promoted the topology from CA-less to CA-ful but didn't
manually run ipa-certupdate afterwards.

Fixes: https://pagure.io/freeipa/issue/6577
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Fraser Tweedale
3eb3844353 renew_ra_cert: fix update of IPA RA user entry
The post-save hook for the RA Agent certificate invokes
cainstance.update_people_entry with the DER certificate instead of a
python-cryptograpy Certificate object.  Apply to correct type.

Fixes: https://pagure.io/freeipa/issue/7282
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-07 17:28:12 +01:00
Christian Heimes
e1bd827bbf Require UTF-8 fs encoding
http://blog.dscpl.com.au/2014/09/setting-lang-and-lcall-when-using.html

https://pagure.io/freeipa/issue/5887

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-11-21 16:13:28 +01:00
Pavel Vomacka
04da856256 WebUI: make Domain Resolution Order writable
Objectclass which defines the Domain Resolution Order is added to
the object only after modification. Therefore before modification of
object the attributelevelrights does not contain the 'domainresolutionorder'
attribute and the WebUI evaluates field as not writable.

'w_if_no_aci' flag was designed to make writable those fields
for which we don't have attributelevelrights.

https://pagure.io/freeipa/issue/7169

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-11-16 19:54:49 +02:00
Christian Heimes
38b17e1c79 Test script for ipa-custodia
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-16 08:49:34 +01:00
Christian Heimes
8bbeedc93f
Backup ipa-custodia conf and keys
https://pagure.io/freeipa/issue/7247

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-13 18:10:54 +01:00
Michal Reznik
db313da62c
manpage: ipa-replica-conncheck - fix minor typo
Fixes minor typo "Defaults t" to "Defaults to".

https://pagure.io/freeipa/issue/7250

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-13 12:14:34 +01:00
Felipe Barreto
405da071d1 Warning the user when using a loopback IP as forwarder
Changing the --forwarder option to accept a loopback IP.
Previously, an error would be raised, now we just show a
warning message.

Fixes: https://pagure.io/freeipa/issue/5801
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-11-09 09:24:03 -02:00
Felipe Barreto
b84e8be5ac Removing replica-s4u2proxy.ldif since it's not used anymore
Since commit 23a0453c4d, the
replica-s4u2proxy.ldif file it's not used anymore.

https://pagure.io/freeipa/issue/7174

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-09 09:05:39 -02:00
Stanislav Laznicka
5458bb506f
Add indexing to improve host-find performance
host-find <host_name> command performance gets deteriorated when
there's way too many hosts in the LDAP tree. We're adding indices
to try and mitigate this behavior.

https://pagure.io/freeipa/issue/6371

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-07 16:49:36 +01:00
Stanislav Laznicka
c99b37737a
Add the sub operation for fqdn index config
This should improve performance of the host-find command.

https://pagure.io/freeipa/issue/6371

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-07 16:49:36 +01:00
Florence Blanc-Renaud
d8b3e53ce1
Py3: fix ipa-replica-conncheck
ipa-replica-conncheck is using the socket methods sendall()
and sendto() with str. Theses methods expect str params in
python2 but bytes in python3.

Related to
https://pagure.io/freeipa/issue/7131

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-03 15:10:28 +01:00
Aleksei Slaikovskii
59802d37d1
Add a notice to restart ipa services after certs are installed
Adding notice for user to restart services after
ipa-server-certinstall.

https://pagure.io/freeipa/issue/7016

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-11-01 12:46:57 +01:00
Fraser Tweedale
3e33857827
Remove caJarSigningCert profile and related code
The caJarSigningCert profile was used for issuing the object signing
certificate for signing the Firefox auto-configuration extension
(XPI).  We removed the extension and object signing certificate some
time ago, so remove the profile and the related code that sets it
up.

Fixes: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-01 12:39:19 +01:00
Fraser Tweedale
260db9dece
Remove XPI and JAR MIME types from httpd config
We added MIME types for JAR and XPI files, which were needed for
correct handling of the Firefox auto-configuration plugin.  The
plugin was removed some time ago, so remove the media type
definitions.

Part of: https://pagure.io/freeipa/issue/7226

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-01 12:39:19 +01:00
Rishabh Dave
d65297311d
ipa-ca-install: mention REPLICA_FILE as optional in help
As man page already does it, update the help text to show REPLICA_FILE
as optional.

Fixes https://pagure.io/freeipa/issue/7223

Signed-off-by: Rishabh Dave <rishabhddave@gmail.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-30 10:49:13 +01:00
Fraser Tweedale
aa5ad3e2d3
Add missing space in ipa-replica-conncheck error
Fixes: https://pagure.io/freeipa/issue/7224
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-30 10:35:01 +01:00
Florence Blanc-Renaud
7b149b3c7f
Fix ipa-replica-conncheck when called with --principal
ipa-replica-conncheck can be called with --principal / --password or
with an existing Kerberos credential cache in order to supply the
authorized identity logging in to the master machine (in
auto-master-check mode).

In domain-level 0, the tool is called with --principal and password
and tries to obtain a TGT by performing kinit, but does not set the
env var KRB5CCNAME. Subsequent calls to IPA API do not use the
credential cache and fail. In this case, ipa-replica-conncheck falls
back to using SSH to check master connectivity instead of IPA API,
and the ssh check is less robust.

The code should set the KRB5CCNAME env var for IPA API to use the
credential cache.

Fixes:
https://pagure.io/freeipa/issue/7221

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-26 15:06:49 +02:00
Tomas Krizek
624b34ab2b
ldap: limit the retro changelog to dns subtree
The content synchronization plugin can be limited to the dns subtree in
Directory Server. This increases performance and helps to prevent some
potential issues.

Fixes: https://pagure.io/freeipa/issue/6515
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-26 12:40:28 +02:00
Thorsten Scherf
28802b396f Add debug option to ipa-replica-manage and remove references to api_env var.
https://pagure.io/freeipa/issue/7187

Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
2017-10-25 14:34:07 -02:00
Christian Heimes
b29db07c3b Use os.path.isfile() and isdir()
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.

The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-20 12:27:19 +02:00
Alexander Bokovoy
620f9653ba ipa-replica-manage: implicitly ignore initial time skew in force-sync
When performing force synchronization, implicitly ignore initial
time skew (if any) and restore it afterwards.

This also changes semantics of force-sync by waiting until the end of
the initial replication.

Fixes https://pagure.io/freeipa/issue/7211

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-19 17:48:58 +03:00
Alexander Bokovoy
051786ce37 ds: ignore time skew during initial replication step
Initial replica creation can go with ignoring time skew checks.
We should, however, force time skew checks during normal operation.

Fixes https://pagure.io/freeipa/issue/7211

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-19 17:48:58 +03:00
Florence Blanc-Renaud
49cf5ec64b
ipa-cacert-manage renew: switch from ext-signed CA to self-signed
The scenario switching from externally signed CA to self-signed CA is
currently failing because the certmonger helper goes through the wrong
code path when the cert is not self-signed.

When the cert is not self-signed but the admin wants to switch to self-signed
a new cert needs to be requested, not retrieved from LDAP.

https://pagure.io/freeipa/issue/7173

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-10-18 12:34:03 +02:00
Christian Heimes
dea059d158
Block PyOpenSSL to prevent SELinux execmem in wsgi
Some dependencies like Dogtag's pki.client library and custodia use
python-requsts to make HTTPS connection. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
of python-cryptography which trigger a execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).

When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.

Block any import of PyOpenSSL's SSL module in wsgi by raising an
ImportError. The block is compatible with new python-requests with
unbundled urllib3, too.

Fixes: https://pagure.io/freeipa/issue/5442
Fixes: RHBZ#1491508
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-10-18 12:09:57 +02:00
Fraser Tweedale
29f4ec865b ipa-cacert-manage: support MS V2 template extension
Update ipa-cacert-manage to support the MS V2 certificate template
extension.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
fc7c684b12 ipa-ca-install: add --external-ca-profile option
Fixes: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
b4365e3a7f install: allow specifying external CA template
Allow the MS/AD-CS target certificate template to be specified by
name or OID, via the new option --external-ca-profile.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
1699cff350 Remove duplicate references to external CA type
Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Petr Vobornik
b0184d10ab
browser config: cleanup after removal of Firefox extension
Firefox extension which served for configuring Kerberos auth in Firefox
until version which banned self-signed extensions was removed in commit
6c53765ac1.

Given that configure.jar, even older Firefox config tool, was removed
sometime before that, there is no use for signtool tool. It is good
because it is removed from Fedora 27 anyway. So removing last unused
function which calls it.

The removal of FF extension was not exactly clean so removing also
browserconfig.html which only purpose was to use the extension. Therefore
also related JS files are removed. This removal requires unauthorized.html
to be updated so that it doesn't point to non-existing page. And given that
it now points only to single config page, we can change link in UI login page
to this page (ssbrowser.html). While at it, improving buttons in ssbrowser.html.

Btw, commit 6c53765ac1 removed also generation of
krb.js. It had one perk - with that info ssbrowser.html could display real
Kerberos domain instead of only 'example.com'.  I don't have time to revert this
change so removing traces of krb.js as well.

https://pagure.io/freeipa/issue/7135

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-21 10:27:14 +02:00
Fraser Tweedale
09f746f568 ipa-pki-retrieve-key: ensure we do not crash
If ipa-pki-retrieve-key fails for some reason (which may be a
"legitimate" reason, e.g. the server it is attempting to contact
being offline), the program terminates with an uncaught exception,
resulting in crash report.

Catch all exceptions; if an exception gets raised, report the
traceback and exit with nonzero status.

Fixes: https://pagure.io/freeipa/issue/7115
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-09-13 13:56:59 +02:00
Stanislav Laznicka
a765746e95 pylint: fix not-context-manager false positives
threading.Lock() in ipa-replica-conncheck is an alias to
thread.allocate_lock() which creates a LockType object.
This object is an actual context manager but the alias
seems to confuse pylint a bit.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Pavel Vomacka
a7ab63b84c WebUI: Fix calling undefined method during reset passwords
When calling reset password the whoami command is not called in batch
command, therefore the result is different then in calling
during reset password operation. That needs to be handled to properly
set entity_show method which needs to be called after to gather
data about logged in entity.

https://pagure.io/freeipa/issue/7143

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-07 08:08:17 +02:00
Pavel Vomacka
755a50044c WebUI: remove unused parameter from get_whoami_command
The batch param is not used anywhere therefore we can remove it.

https://pagure.io/freeipa/issue/7143

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-07 08:08:17 +02:00
Pavel Vomacka
45bd31b436
Adds whoami DS plugin in case that plugin is missing
When first installation of IPA has been done when whoami
plugin was not enabled in DS by default and then IPA was
upgraded to newer versions, then after upgrade to IPA 4.5
WebUI stops working. This is caused by new requirement on
whoami DS plugin which is used to obtain information about
logged in entity.

This fix adds the whoami plugin during update in case that the plugin
is not enabled.

https://pagure.io/freeipa/issue/7126

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2017-09-05 14:07:02 +02:00
Fraser Tweedale
504c303ec4
Fix external renewal for CA with non-default subject DN
When running ``ipa-cacert-manage renew --external-ca`` with an IPA
CA having a subject DN that does not correspond to ``CN=Certificate
Authority, {subject-base}``, the CSR for submission to the external
CA does not generated.  dogtag-ipa-ca-renew-agent-submit is wrongly
assuming the default form of the CA subject DN.

Update dogtag-ipa-ca-renew-agent-submit to look up the actual
subject DN.

Fixes: https://pagure.io/freeipa/issue/7123
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-09-01 11:46:49 +02:00
Pavel Vomacka
76f217b289
Fixes bug in actions creating for search facet
In case that there are no actions specified in spec object, the concatenation
of arrays causes that 'undefined' item is added into the array.

https://pagure.io/freeipa/issue/7052

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-09-01 11:43:52 +02:00
Pavel Vomacka
d5ef1a7fd0
WebUI: fix showing required asterisk '*'
There was a bug that when user switch between two facets where is
required field and in one of them is writable and in second one
is not writable, then the asterisk which marks required field is
not shown. i.e. admin vs. user details page or global_passwd_policy
vs. other_passwd_policy details page.

That was caused by incorrect evaluation of required state of field.
Evaluation works that way: evaluate old required state, then evaluate
current required state and if states has changed then emit change event.
The evaluation depends on writable and read_only state of field.
Those two states are set before evaluation of required state, but
their old values (for evaluating previous required stated) were
not stored anywhere.

This commit adds two attributes which stores old writable
and read_only states. The required asterisk is then shown correctly.

https://pagure.io/freeipa/issue/6849

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-09-01 11:42:08 +02:00
Pavel Vomacka
8c2dbece59 WebUI: Update unit test README
Update link to our FreeIPA wiki page where unit tests are described.
The description of how to run those test was also updated.

https://pagure.io/freeipa/issue/6974

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-31 10:35:03 +02:00
Pavel Vomacka
6b70b91de4 Fixes details_test.js
Adds missing import which extends jquery's element with alert method.
Also fixes setting of breadcrumb and tabs in details spec - the code changes
behavior.

https://pagure.io/freeipa/issue/6974

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-31 10:35:03 +02:00
Pavel Vomacka
bb5582d52b Fixes for widget_tests.js
Link widget creates only one <label> and one <a> element not more as before.
Test changed accordingly.

https://pagure.io/freeipa/issue/6974

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-31 10:35:03 +02:00
Pavel Vomacka
63f7575cb3 Fixes for aci_tests.js
Aci_widget doesn't use table elements anymore. Whole widget is created from
list element. Change in tests needed.

https://pagure.io/freeipa/issue/6974

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-31 10:35:03 +02:00
Pavel Vomacka
11e19cd5d5 Fixes for entity_tests.js
Register also details module to provide all objects from that module.

https://pagure.io/freeipa/issue/6974

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-31 10:35:03 +02:00
Pavel Vomacka
4fb52371f2 Fixes for ipa_test.js
Basically add API version into the API request. The API version was not
required before.

https://pagure.io/freeipa/issue/6974

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-31 10:35:03 +02:00
Pavel Vomacka
9e0db0759a Add up to date JSON files
All files are up to date and there are only files which are needed for unit tests.

https://pagure.io/freeipa/issue/6974

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-31 10:35:03 +02:00
Pavel Vomacka
46fba2128f Add loader.js into requirements of all HTML unit test files
https://pagure.io/freeipa/issue/6974

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-31 10:35:03 +02:00
Pavel Vomacka
0ee7db75e4 WebUI: Remove plugins symlink as it is unused
The plugins symlink points to non-existing directory and is currently
not used. It also causes errors in freeipa-pr-ci during creating
tarball.

https://pagure.io/freeipa/issue/6447

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-30 16:15:57 +02:00
Pavel Vomacka
41a18bbbc8 Remove all old JSON files
JSON files were used as source of information for offline WebUI.

https://pagure.io/freeipa/issue/6447

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-30 16:15:57 +02:00
Pavel Vomacka
6ad92d3a4f Revert "Web UI: Remove offline version of Web UI"
This reverts commit 24525fd086.
The reverted commit removed symlinks which allowed unit tests to
access FreeIPA code.

https://pagure.io/freeipa/issues/6447

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-08-30 16:15:57 +02:00
Martin Babinsky
a2de6a17c5 Move tmpfiles.d configuration handling back to spec file
Since ipaapi user is now created during RPM install and not in runtime,
we may switch back to shipping tmpfiles.d configuration directly in RPMs
and not create it in runtime, which is a preferred way to handle drop-in
configuration anyway.

This also means that the drop-in config will be shipped in /usr/lib
instead of /etc according to Fedora packaging guidelines.

This partially reverts commit 38c66896de.

https://pagure.io/freeipa/issue/7053

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2017-08-30 13:05:23 +02:00
Florence Blanc-Renaud
ee5345ac05 Fix Certificate renewal (with ext ca)
Fix certificate renewal scripts that use IPACertificate object:
- renew_ca_cert adds the C flag to the trust flags and needs to
be adapted to IPACertificate object
- ipa-cacert-manage: fix python3 encoding issue

https://pagure.io/freeipa/issue/7106

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-08-30 12:58:58 +02:00
Stanislav Laznicka
170f7a778b certmonger: remove temporary workaround
During recent refactoring, a workaround was added to make it
possible for OpenSSL backend of python-cryptography to read PEM
certificates returned by dogtag-ipa-renew-agent-submit. This was
fixed in latest certmonger version.

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-30 12:55:59 +02:00
Florence Blanc-Renaud
69bda6b440 Fix ipa-server-upgrade: This entry already exists
ipa-server-upgrade fails when running the ipaload_cacrt plugin. The plugin
finds all CA certificates in /etc/httpd/alias and uploads them in LDAP
below cn=certificates,cn=ipa,cn=etc,$BASEDN.
The issue happens because there is already an entry in LDAP for IPA CA, but
with a different DN. The nickname in /etc/httpd/alias can differ from
$DOMAIN IPA CA.

To avoid the issue:
1/ during upgrade, run a new plugin that removes duplicates and restarts ldap
(to make sure that uniqueness attr plugin is working after the new plugin)
2/ modify upload_cacert plugin so that it is using $DOMAIN IPA CA instead of
cn=$nickname,cn=ipa,cn=etc,$BASEDN when uploading IPA CA.

https://pagure.io/freeipa/issue/7125

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-30 12:47:53 +02:00
Stanislav Laznicka
e6a9de8a2e py3: remove Exception.message appearances
Exception.message is removed in Python3

https://pagure.io/freeipa/issue/4985
https://pagure.io/freeipa/issue/6874

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-08-29 12:55:25 +02:00
Stanislav Laznicka
7ef6de931b python3: port certmonger requests script
This commit fixes requesting certificates via certmonger in Python 3.
This includes dogtag-ipa-ca-renew-agent-submit script and scripts
used during the scripts restarting.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-22 10:53:39 +02:00
Stanislav Laznicka
a3c11b01af crtmgr: fix bug if CERTMONGER_CERTIFICATE not set
If CERTMONGER_CERTIFICATE is not set in certain scenario, the
code would fail since None cannot be passed to loading certificates.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-22 10:53:39 +02:00
Stanislav Laznicka
0412625a2b certmonger: finish refactoring for request script
The recent certificate refactoring assures that ipaldap operations
are able to work with IPACertificate values when communication with
the LDAP server. Use these capabilities and prevent possible bugs.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-22 10:53:39 +02:00
Stanislav Laznicka
32be3ef622 certmonger: fix storing retrieved certificates
This was a forgotten part from previous certificate refactoring which
would cause issues since the second part of results throughout the
dogtag-ipa-ca-renew-agent-submit is expected to be a string.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-22 10:53:39 +02:00
Pavel Vomacka
ed7de96648 WebUI: fix incorrectly shown links in association tables
Previously all columns was shown as links, that was caused by setting
link attribute of each column to true. This true value was there because
of possibility to turn off links in whole table on self-service pages.

Now only column which is primary key is set to be shown as link.

https://pagure.io/freeipa/issue/7066

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-17 10:10:21 +02:00
Stanislav Laznicka
31a5cf588e conncheck: fix progression on failure
traceback.format_exc() does not take exception object as an argument.
This made Python 3 get stuck amid ipa-replica-conncheck, probably
because it was waiting for a thread to finish.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-17 09:56:01 +02:00
Fraser Tweedale
7995518921 Restore old version of caIPAserviceCert for upgrade only
The latest version of caIPAserviceCert profile includes a feature
that is not available before Dogtag 10.4, and this version of the
profile is intended for new installs only (otherwise, problems will
arise in topologies containing CA replicas at an earlier version).
But IPA versions before v4.2 did not use LDAP-based profiles, so the
new version of the profile gets imported when upgrading from
pre-v4.2 to v4.5 or later.

We do not yet have a proper version- and topology-aware profile
update mechanism, so to resolve this issue, ship the older version
of the profile alongside the newer version, and make sure we use the
older version when importing the profile in an upgrade context.

https://pagure.io/freeipa/issue/7097

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-14 19:25:59 +02:00
Petr Vobornik
cc72db67e2
control logging of host_port_open from caller
host_port_open copied logging behavior of ipa-replica-conncheck utility
which doesn't make it much reusable.

Now log level can be controlled from caller so other callers might use
other logging level without host_port_open guessing what was the
intention.

https://pagure.io/freeipa/issue/7083

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 13:40:38 +02:00
Stanislav Laznicka
06fbf4b312 replica-conncheck: log when failed to RPC connect
It's nearly impossible to find out what happened when doing
replica connection check and it fails during the RPC phase.
The error is now logged.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:33:58 +02:00
Tomas Krizek
fc7e2565bd ipactl: log check_version exception
When version is mismatched and ipa-server-upgrade is required,
log the version mismatch properly in journal.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:32:07 +02:00
Stanislav Laznicka
e1f88c844e Fixup of not-so-good PEM certs
certmonger returns PEM certificates with an additional newline
after the base64 encoded cert, remove it

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
b5732efda6 x509: Make certificates represented as objects
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Pavel Vomacka
0b8d460191 WebUI: fix jslint error
jslint warned about parsing string to integer without explicit radix.
This error was introduced in commit 3cac851 .

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-24 14:20:36 +02:00
Pavel Vomacka
cfa157c1e5 WebUI: change validator of page size settings
Previously, this configuration field was validated by integer_validator
which only checks that the input is number.
Now new positive_integer_validator can also check that
the inputed number positive.

https://pagure.io/freeipa/issue/6980

Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-07-19 09:26:40 +02:00
Pavel Vomacka
3cac851498 WebUI: Add positive number validator
Add new validator which inherits from integer validator
and checks whether the integer is positive.

https://pagure.io/freeipa/issue/6980

Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-07-19 09:26:40 +02:00
Jan Cholasta
7a482b7c72 logging: do not log into the root logger
Deprecate `ipa_log_manager.root_logger` and replace all calls to it with
module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ab9d1e75fc logging: do not reference loggers in arguments and attributes
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
0562359f31 wsgi, oddjob: remove needless uses of Env
Do not use custom Env instance to determine the debug level to use for the
IPA API object - the IPA API object can properly determine the configured
debug level on its own.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Tibor Dudlák
22b0ae440a Create indexes for 'serverhostname' attribute
IPA installation with large number of host entries gets timeout
when invoking ipaserver.plugins.host.get_dn() method.

Resolves: https://pagure.io/freeipa/issue/6939
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-04 14:40:52 +02:00
Jan Cholasta
d5fc0ddd87 install: do not assume /etc/krb5.conf.d exists
Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
/etc/krb5.conf.d exists.

Do not rely on /etc/krb5.conf.d to enable the certauth plugin.

This fixes install on platforms which do not have /etc/krb5.conf.d.

https://pagure.io/freeipa/issue/6589

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2017-06-28 15:44:51 +02:00
Stanislav Laznicka
db4d0998fd wsgi plugins: mod_wsgi expects bytes as an output
python3-mod_wsgi expects that the application() method returns
bytes otherwise it breaks.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-27 16:48:21 +02:00
Fraser Tweedale
1a35a2e213 Add CommonNameToSANDefault to default cert profile
The CommonNameToSANDefault component was added to Dogtag 10.4.  When
a profile is configured to use it, this profile copies the CN in the
certificate to the Subject Alternative Name extension as a dNSName
(if and only if it does look like a DNS name).

It is desirable that the default service profile use this component.
Add it to the default profile, for new installations only.  For
existing installations, until a proper profile update mechanism is
implemented, administrators who wish to use it must configure it via
the 'certprofile-mod' command.

Fixes: https://pagure.io/freeipa/issue/7007
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-06-27 14:25:58 +00:00
Martin Basti
cb48a49c80 ipa-dns-install: remove check for local ip address
This check was forgotten and will be removed now.

https://pagure.io/freeipa/issue/4317

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-20 11:29:41 +02:00
Felipe Volpone
36532031cf
Changing cert-find to go through the proxy instead of using the port 8080
The cert-find command now uses the proxy to reach Dogtag, instead of using
the port 8080. In order to accomplish that, it's necessary to change the
proxy configuration including the URL called.

https://pagure.io/freeipa/issue/6966

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-06-16 08:56:53 +02:00
Tibor Dudlák
7fd2102a78 Add --force-join into ipa-replica-install manpage
Resolves: https://pagure.io/freeipa/issue/7011
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-15 13:56:53 +02:00
Fraser Tweedale
d7e1ab8438 Add a README to certificate profile templates directory
There have been several instances of people using the profile
configuration template files as actual profile configurations,
resulting in failures and support load.  Add a README to the profile
template directory to explain that these files should not be used
and advise of the recommend procedure.

Fixes: https://pagure.io/freeipa/issue/7014
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-15 13:55:09 +02:00
Pavel Vomacka
b25412f988 WebUI: add support for changing trust UPN suffixes
It is now possible to change UPN suffixes in WebUI. This change
allows another way to changing UPN suffixes for AD users.

https://pagure.io/freeipa/issue/7015

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-06-14 16:55:15 +02:00
Tibor Dudlák
468eb3c712 Add Role 'Enrollment Administrator'
User with the 'Enrollment Administrator' role assigned is able to
enroll client with ipa-client-install command.

Resolves: https://pagure.io/freeipa/issue/6852
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-09 16:37:40 +02:00
Simo Sorce
c52ca92cda Revert setting sessionMaxAge for old clients
Older clients have issues properly parsing cookies and the sessionMaxAge
setting is one of those that breaks them.
Comment out the setting and add a comment that explains why it is not
set by default.

https://pagure.io/freeipa/issue/7001

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-06-07 15:36:26 +02:00
Pavel Vomacka
566361e63d Turn off OCSP check
The OCSP check was previously turned on but it introduced several
issues. Therefore the check will be turned off by default.

For turning on should be used ipa advise command with correct recipe.
The solution is tracked here: https://pagure.io/freeipa/issue/6982

Fixes: https://pagure.io/freeipa/issue/6981
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-06 13:33:54 +02:00
Jan Cholasta
92276c1e88 pkinit manage: introduce ipa-pkinit-manage
Add the ipa-pkinit-manage tool to allow enabling / disabling PKINIT after
the initial server install.

https://pagure.io/freeipa/issue/7000

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-06 13:27:44 +02:00
Alexander Bokovoy
49ce395b90 Fix index definition for ipaAnchorUUID
Fixes https://pagure.io/freeipa/issue/6975

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 12:32:34 +02:00