Commit Graph

934 Commits

Author SHA1 Message Date
Stanislav Laznicka
31142ead83 Unify storing certificates in LDAP
Recent certificate refactoring left the system in a state where
the certificates are somewhere converted to DER format, somewhere
directly sent to ipaldap as IPACertificate objects. The latter
is the desirable way, make sure it's the one commonly used.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-08-25 09:40:15 +02:00
Pavel Vomacka
2a73b5d739 WebUI: Add hyphenate versions of Host(Role) Based strings
The hyphenated forms are less ambiguous and easier to read.
(For more grammar background, see for example
"Hyphenate Complex Adjectives" in http://stylepedia.net/
Grammar-Hyphenation )

https://pagure.io/freeipa/issue/6582

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-22 10:38:10 +02:00
Stanislav Laznicka
7d217c8c9b
host, service: fix adding host/svc with a cert
ipaldap.LDAPEntry expects that entry attributes, if multi-valued,
are lists.

The recent cert refactoring made it possible to pass certificate
values from options directly to LDAPEntry. This should now be
handled in appropriate general way in baseldap.LDAPCreate
since if options.get() is called, it returns tuple instead
of list which confuses ipaldap.

https://pagure.io/freeipa/issue/7077

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-11 12:09:44 +02:00
Stanislav Laznicka
d147948fcc server plugin: pass bytes to ldap.modify_s
The server-del command passes str instance instead of bytes to
ldap.modify_s which results in the target server not being
removed properly.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-03 13:50:10 +02:00
Stanislav Laznicka
5a44ca6383 Create a Certificate parameter
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.

This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.

This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
b5732efda6 x509: Make certificates represented as objects
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
4375ef860f Split x509.load_certificate() into PEM/DER functions
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Pavel Vomacka
3cac851498 WebUI: Add positive number validator
Add new validator which inherits from integer validator
and checks whether the integer is positive.

https://pagure.io/freeipa/issue/6980

Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-07-19 09:26:40 +02:00
Jan Cholasta
7a482b7c72 logging: do not log into the root logger
Deprecate `ipa_log_manager.root_logger` and replace all calls to it with
module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ab9d1e75fc logging: do not reference loggers in arguments and attributes
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ffadcb0414 logging: remove object-specific loggers
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.

Deprecate object-specific loggers in `ipa_log_manager.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Fraser Tweedale
227cf8d4e9
cert-request: simplify request processing
Currently the cert-request execution is complicated and cannot
handle aliases in the --principal argument.

Implement the following simplifications:

- Search all user/host/service accounts at once, by krbPrincipalName
  (error if no account found).  Use principal canonical name to
  determine the type of the principal.

- Update subject principals userCertificate attribute uniformly,
  instead of dispatching to user/host/service-mod based on type of
  principal.

Fixes: https://fedorahosted.org/freeipa/ticket/6531
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-07-14 09:24:20 +02:00
Martin Basti
041982f073
baseldap: fix format string
Fixes missing type specification in format string.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-07-14 09:19:11 +02:00
Tibor Dudlák
17f03a7952 whoami.py: Type error when running tests
While test run the TypeError occured in whoami.validate_output().
There should be 'tuple' type in output too.

Fixes: https://pagure.io/freeipa/issue/7050
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-07 14:44:42 +02:00
Martin Babinsky
f4d77533f5 *config-show: Do not show empty roles/attributes
If the role or attribute is empty (i.e. no server provides the role or
the caller has no read access to  the required information) do not
return empty attributes. This is consistent with other behavior
displayed by optional multivalued Params.

https://pagure.io/freeipa/issue/7029

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-04 14:42:43 +02:00
Jan Cholasta
4736fef6bb ldap2: remove URI argument from ldap2 constructor
LDAPClient should be used for ad-hoc connections, so the argument is not
necessary, and currently also unused.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-07-04 12:06:33 +02:00
Jan Cholasta
e9cb74fd27 user, migration: use LDAPClient for ad-hoc LDAP connections
Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the
user_status and migrate-ds plugins.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-07-04 12:06:33 +02:00
Martin Basti
c422206cc7 py3: dogtag.py: fix bytes warnings
/usr/lib/python3.5/site-packages/ipaserver/plugins/dogtag.py:1438: BytesWarning: str() on a bytes instance
   "parse_result:\\n%s" % (parse_func.__name__, xml_text, result))

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-23 14:45:05 +02:00
Martin Basti
6024165101 CheckedIPAddress: remove match_local param
This parameter is unused in code. We are no longer testing if IP address
matches an interface in constructor.

https://pagure.io/freeipa/issue/4317

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-20 11:29:41 +02:00
Felipe Volpone
36532031cf
Changing cert-find to go through the proxy instead of using the port 8080
The cert-find command now uses the proxy to reach Dogtag, instead of using
the port 8080. In order to accomplish that, it's necessary to change the
proxy configuration including the URL called.

https://pagure.io/freeipa/issue/6966

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-06-16 08:56:53 +02:00
Tibor Dudlák
74d36a8af6 dnsserver.py: dnsserver-find no longer returns internal server error
Invocation of the ipa dnsserver-find command failed with
internal server error when there is no DNS server in topology.

Fixes: https://pagure.io/freeipa/issue/6571
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-15 13:51:06 +02:00
Alexander Bokovoy
abb6384875 trust-mod: allow modifying list of UPNs of a trusted forest
There are two ways for maintaining user principal names (UPNs) in Active
Directory:
 - associate UPN suffixes with the forest root and then allow for each
   user account to choose UPN suffix for logon
 - directly modify userPrincipalName attribute in LDAP

Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.

The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.

This is especially true for one-word UPNs which otherwise wouldn't work
properly on Kerberos level for both FreeIPA and Active Directory.

Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.

As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible to specify all of them:

  ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}

Fixes: https://pagure.io/freeipa/issue/7015
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-14 16:38:12 +02:00
Tibor Dudlák
063211d665 server.py: Removes dns-server configuration from ldap
After invocation of the ipa server-del <hostname>
command there was still record in ldap if DNS
was installed on the <hostname> server.

Fixes: https://pagure.io/freeipa/issue/6572
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-08 16:54:04 +02:00
Felipe Volpone
44bd5e358b Changing cert-find to do not use only primary key to search in LDAP.
In service.py the primary key is krbCanonicalName, which we
don't want to use to do searchs. Now, cert-find uses primary
key or a specified attribute to do searches in LDAP, instead
of using only a primary key.

https://pagure.io/freeipa/issue/6948

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-06-02 16:45:43 +02:00
Fraser Tweedale
5f0e13ce9c ca-add: validate Subject DN name attributes
If the Subject DN is syntactically valid but contains unrecognised
name attributes, FreeIPA accepts it but Dogtag rejects it, returning
status 400 and causing the framework to raise RemoteRetrieveError.

Update the ca-add command to perform some additional validation on
the user-supplied Subject DN, making sure that we recognise all the
attributes.

Fixes: https://pagure.io/freeipa/issue/6987
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-06-01 09:28:36 +02:00
Tibor Dudlák
d73ec06cb3 user.py: replace user_mod with ldap.update_entry()
Refactoring user_add class to use 'ldap.update_entry()' call
instead of api call 'user_mod' when --noprivate option is used.

https://pagure.io/freeipa/issue/5788

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-30 12:35:41 +02:00
Martin Babinsky
99352731b4 Add pkinit-status command
This command is a more streamlined reporting tool for PKINIT feature
status in the FreeIPA topology. It prints out whether PKINIT is enabled
or disabled on individual masters in a topology. If a`--server` is
specified, it reports status for an individual server. If `--status` is
specified, it searches for all servers that have PKINIT enabled or
disabled.

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Martin Babinsky
f80553208e Add the list of PKINIT servers as a virtual attribute to global config
https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Martin Babinsky
cac7e49daa Refactor the role/attribute member reporting code
The `config` object now hosts a generic method for updating the config
entry for desired server role configuration (if not empty). The
duplicated code in dns/trust/vaultconfig commands was replaced by a call
to a common method.

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Martin Babinsky
bddb90f38a Allow for multivalued server attributes
In order to achieve the task, the following changes were required:

* vectorize the base class for server attributes
* add a child class that enforces single-value attributes. It still
  accepts/returns single-value lists in order to not break Liskov
  substitution principle
* Existing attributes inherit from the child class

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Stanislav Laznicka
24099d0f80 Remove pkinit-anonymous command
Ever since from v4.5, FreeIPA expects at least some kind of
anonymous PKINIT to work. The pkinit-anonymous command was supposed
to enable/disable anonymous pkinit by locking/unlocking the
anonymous principal. We can't allow this for FreeIPA to work
so we are removing the command as it was never supported anyway.

https://pagure.io/freeipa/issue/6936

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-05-23 18:05:22 +02:00
Florence Blanc-Renaud
a02a0a95f2 server-del: update defaultServerList in cn=default,ou=profile,$BASE
ipa server-del should remove the server from the entry
cn=default,ou=profile,$BASE
The entry contains an attribute
defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com

The code calls srvlist = ret.single_value.get('defaultServerList') which means
that srvlist contains a single value (string) containing all the servers
separated by a space, and not a list of attribute values. Because of that,
srvlist[0] corresponds to the first character of the value.
The fix splits srvlist and not srvlist[0].

https://pagure.io/freeipa/issue/6943

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 18:45:52 +02:00
René Genz
a0566ed9ce fix minor spelling mistakes
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 09:52:46 +02:00
Felipe Volpone
d51af28bdb Fixing adding authenticator indicators to host
The check for krbprincipalaux in the entries is now made
case-insensitively.

https://pagure.io/freeipa/issue/6911

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-05-16 10:29:00 +02:00
Felipe Volpone
d973168e89 Fixing the cert-request comparing whole email address case-sensitively.
Now, the cert-request command compares the domain part of the
email case-insensitively.

https://pagure.io/freeipa/issue/5919

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-05-16 09:50:22 +02:00
Stanislav Laznicka
0d406fcb78 Refresh Dogtag RestClient.ca_host property
Refresh the ca_host property of the Dogtag's RestClient class when
it's requested as a context manager.

This solves the problem which would occur on DL0 when installing
CA which needs to perform a set of steps against itself accessing
8443 port. This port should however only be available locally so
trying to connect to remote master would fail. We need to make
sure the right CA host is accessed.

https://pagure.io/freeipa/issue/6878

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-05-02 17:33:25 +02:00
Christian Heimes
5197422ef6 Vault: Explicitly default to 3DES CBC
The server-side plugin for IPA Vault relied on the fact that the default
oid for encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag
10.4 has changed the default from 3DES to AES. Pass the correct
algorithm OID to KeyClient.archive_encrypted_data().

Closes: https://pagure.io/freeipa/issue/6899
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-04-28 08:25:03 +02:00
Gabe
38276d3473 Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
- Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for
  nsaccountlock to false as well as update the filter to check for the default value
- Remove pytest xfail for test_find_enabled_user

https://pagure.io/freeipa/issue/6896

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-26 10:20:42 +00:00
Jan Cholasta
eb6d4c3037 cert: defer cert-find result post-processing
Rather than post-processing the results of each internal search,
post-process the combined result.

This avoids expensive per-certificate searches when cert-find is executed
with the --all option on certificates which won't even be included in the
combined result.

https://pagure.io/freeipa/issue/6808

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-19 11:28:27 +00:00
Alexander Bokovoy
e560899cce trust: always use oddjobd helper for fetching trust information
Since introduction of privilege separation in IPA framework none of the
operations that require direct access to the framework's credentials can
be done. All authentication has to be performed with GSSAPI.

As result, we cannot obtain TGT for HTTP/.. principal with kinit
anymore, so it is better to re-route all types of trust to oddjobd
helper and get rid of casing out two-way trust.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1438366

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-11 14:16:39 +02:00
Florence Blanc-Renaud
70743c8c48
idrange-add: properly handle empty --dom-name option
When idrange-add is called with --dom-name=, the CLI exits with
ipa: ERROR: an internal error has occurred
This happens because the code checks if the option is provided but does not
check if the value is None.

We need to handle empty dom-name as if the option was not specified.

https://pagure.io/freeipa/issue/6404

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-05 10:15:51 +02:00
Christian Heimes
ae1c2086db Add an option to build ipaserver wheels
To create a wheel bundle with ipaserver and its dependencies:

    make wheel_bundle IPA_SERVER_WHEELS=1

To include additional dependencies:

    make wheel_bundle IPA_EXTRA_WHEELS=ipatests[webui]

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 13:08:52 +02:00
Christian Heimes
3064b890e2 Conditionally import pyhbac
The pyhbac module is part of SSSD. It's not available as stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tight into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditionally. It's only necessary for caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 13:08:52 +02:00
Abhijeet Kasurde
a1bb442054 Hide request_type doc string in cert-request help
Fix hides description of request_type argument in cert-request
command help

Fixes https://pagure.io/freeipa/issue/6494
Fixes https://pagure.io/freeipa/issue/5734

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-03-31 12:32:51 +02:00
Gabe
274b0bcf5f Add --password-expiration to allow admin to force user password expiration
- Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-31 12:19:40 +02:00
Fabiano Fidêncio
e03056cf34 Allow erasing ipaDomainResolutionOrder attribute
Currently when trying to erase the ipaDomainResolutionOrder attribute we
hit an internal error as the split() method is called on a None object.

By returning early in case of empty string we now allow removing the
ipaDomainResolutionOrder attribute by both calling delattr or setting
its value to an empty string.

https://pagure.io/freeipa/issue/6825

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 13:19:11 +02:00
Stanislav Laznicka
8c1409155e Allow renaming of the sudorule objects
The recent changes allow the sudorule objects to be renamed.

https://pagure.io/freeipa/issue/2466

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-27 19:08:26 +02:00
Stanislav Laznicka
55424c8677 Allow renaming of the HBAC rule objects
The recent changes allow HBAC rule objects to be renamed.

https://pagure.io/freeipa/issue/6784

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-27 19:08:26 +02:00
Stanislav Laznicka
8e4408e678 Reworked the renaming mechanism
The rename operation on *_mod commands was only allowed when
the primary key of an entry was also its RDN. With these changes,
it should be possible to rename the rest of the entries as well.

An attribute to the base LDAPObject was added to whitelist the
objects we want to allow to be renamed. It replaced an old
attribute rdn_is_primary_key which was used for the very same
purpose but the name was confusing because it was not set
correctly for certain objects.

https://pagure.io/freeipa/issue/2466
https://pagure.io/freeipa/issue/6784

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-27 19:08:26 +02:00
Jan Cholasta
6de507c2ca cert: do not limit internal searches in cert-find
Instead, apply the limits on the combined result.

This fixes (absence of) `--sizelimit` leading to strange behavior, such as
`cert-find --users user` returning a non-empty result only with
`--sizelimit 0`.

https://pagure.io/freeipa/issue/6716

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-27 09:02:31 +02:00
Pavel Vomacka
ceedc3f7ec WebUI: Add support for login for AD users
After login, method user-find --whoami was called which cannot be
called for AD users. That method was replaced by ipa whoami command
and sequential command according to result of ipa whoami. AD user
can now be logged in.

AD users have new menu definition which contains only list of IPA
users and profile page of AD user - "User ID Override".

This commit also fixes several places where IPA.whoami object was
used, because its structure was also changed. It now contains two
objects. First one is stored in 'metadata' property and stores
result from ipa whoami (type of object, command which should be
called for showing detailed data about currently logged entity, etc).
The second one is stored in 'data' property which stores result of
_show command for currently logged entity.

https://pagure.io/freeipa/issue/3242

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-27 08:55:41 +02:00
Alexander Bokovoy
7324451834 ldap2: use LDAP whoami operation to retrieve bind DN for current connection
For external users which are mapped to some DN in LDAP server, we
wouldn't neccesary be able to find a kerberos data in their LDAP entry.
Instead of searching for Kerberos principal use actual DN we are bound
to because for get_effective_rights LDAP control we only need the DN
itself.

Fixes https://pagure.io/freeipa/issue/6797

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-22 17:19:22 +01:00
Martin Babinsky
b45629fc48 check for replica's KDC entry on master before requesting PKINIT cert
This prevents replication-based race conditions to break PKINIT
certificate requests on replica installation.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-15 16:39:39 +01:00
Martin Babinsky
8f4abf7bc1 check that the master requesting PKINIT cert has KDC enabled
https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-15 16:39:39 +01:00
Martin Babinsky
1cdd5dee00 idviews: correctly handle modification of non-existent view
the pre-callback in `idview-mod` did not correctly handle non-existent
object during objectclass check. It will now correctly report that the
object was not found instead on generic 'no such entry'.

https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-15 09:48:12 +01:00
Martin Babinsky
4e5e3eebb2 Re-use trust domain retrieval code in certmap validators
https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-14 18:37:10 +01:00
Martin Babinsky
544d66b710 idview: add domain_resolution_order attribute
`idview-add` and `idview-mod` can now set and validate the attribute.
The required objectclass is added on-demand after modification

https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-14 18:37:10 +01:00
Martin Babinsky
1b5f56d154 ipaconfig: add the ability to manipulate domain resolution order
optional attribute was added to config object along with validator that
check for valid domain names and also checks whether the specified
domains exist in FreeIPA or in trusted forests and, in case of trusted
domains, are not disabled.

Part of http://www.freeipa.org/page/V4/AD_User_Short_Names

https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-14 18:37:10 +01:00
Jan Cholasta
8ed891cb61 cert: include certificate chain in cert command output
Include the full certificate chain in the output of cert-request, cert-show
and cert-find if --chain or --all is specified.

If output file is specified in the CLI together with --chain, the full
certificate chain is written to the file.

https://pagure.io/freeipa/issue/6547

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 12:58:45 +01:00
Pavel Vomacka
39d7ef3de4 WebUI: add vault management
Add vault management into WebUI, there are some constraints:
- There is no crypto library so Symmetric and Assymetric vaults
  are not supported in WebUI. Also retrieving or archiving data
  is not supported.
- There aren't any container support right now

Supported is:
- Browsing vaults
- Adding Standard vaults (users, service, shared)
- Removing vaults
- Adding and removing owners
- Adding and removing members

https://fedorahosted.org/freeipa/ticket/5426

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-14 10:40:10 +01:00
Petr Vobornik
da5487c407 permissions: add permissions for read and mod of external group members
Issue: "User Administrator" role cannot add users to an External Group.

https://fedorahosted.org/freeipa/ticket/5504

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-13 18:18:31 +01:00
Stanislav Laznicka
1e8db4b5c7 Add message about last KRA to WebUI Topology view
https://pagure.io/freeipa/issue/6538

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-13 16:10:28 +01:00
Stanislav Laznicka
670f8fb1db Add check to prevent removal of last KRA
https://pagure.io/freeipa/issue/6538

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-13 16:10:28 +01:00
Jan Cholasta
8fdd7a9ffc backend plugins: fix crashes in development mode
Do not set or delete attributes directly on KerberosWSGIExecutioner, ldap2
and ra_lightweight_ca instances, as that raises an AttributeError in
development mode because of ReadOnly locking.

Use the usual workaround of `object.__setattr__` and `object.__delattr__`
to fix the issue.

https://pagure.io/freeipa/issue/6625

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-13 16:06:22 +01:00
Alexander Bokovoy
381c1c7a8f add whoami command
Whoami command allows to query details about currently
authenticated identity. The command returns following information:

  * object class name
  * function to call to get actual details about the object
  * arguments to pass to the function

There are five types of objects that could bind to IPA using their
credentials. `ipa whoami` call expects one of the following:

  * users
  * staged users
  * hosts
  * Kerberos services
  * ID user override from the default trust view

The latter category of objects is automatically mapped by SASL GSSAPI
mapping rule in 389-ds for users from trusted Active Directory forests.

The command is expected to be used by Web UI to define proper view for
the authenticated identity. It is not visible in the command line
interface is `ipa` command.

Below is an example of how communication looks like for a host
principal:

   # kinit -k
   # ipa console
   (Custom IPA interactive Python console)
   >>> api.Command.whoami()
   {u'command': u'host_show/1', u'object': u'host', u'arguments': (u'ipa.example.com',)}
   >>>

Fixes https://pagure.io/freeipa/issue/6643

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-09 14:10:02 +01:00
Pavel Vomacka
61cd4372e1 WebUI: Add cermapmatch module
Add module which can show users which are mapped to the provided certificate.
Additionaly, the certificate is parsed and parsed information are
also displayed.

https://pagure.io/freeipa/issue/6601

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-08 16:22:01 +01:00
Jan Cholasta
1e912f5b83 dns: fix dnsrecord_add interactive mode
`dnsrecord_add` interactive mode might prompt for value of non-existent
arguments `a_part_create_reverse` and `aaaa_part_create_reverse`. This
happens because `dnsrecord_add` extra flags are incorrectly defined as
parts of the respective DNS records.

Remove extra flags from DNS record parts to fix the interactive mode on old
clients talking to new servers. Skip non-existent arguments in the
interactive mode to fix new clients talking to old servers.

https://fedorahosted.org/freeipa/ticket/6457

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-08 15:52:41 +01:00
Florence Blanc-Renaud
ea34e17a46 IdM Server: list all Employees with matching Smart Card
Implement a new IPA command allowing to retrieve the list of users matching
the provided certificate.
The command is using SSSD Dbus interface, thus including users from IPA
domain and from trusted domains. This requires sssd-dbus package to be
installed on IPA server.

https://fedorahosted.org/freeipa/ticket/6646

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-08 15:08:41 +01:00
Pavel Vomacka
e1dfc51e48 Add support for custom table pagination size
New customization button opens dialog with field for setting the number of lines
in tables. After saving the new value there is new topic which starts refreshing
current table facet (if shown) and set all other facets expired. Therefore all
tables are immediately regenerated.

https://fedorahosted.org/freeipa/ticket/5742

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-08 14:54:56 +01:00
Pavel Vomacka
19426f32ff
WebUI: Add certmap module
Add facets for certmaprule and certmapconfigure entities.

https://fedorahosted.org/freeipa/ticket/6601

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-08 10:14:21 +01:00
Pavel Vomacka
070bc48dd6
WebUI: Change structure of Identity submenu
Previously there were 'User Groups', 'Host Groups' and 'Netgroups'
separately, now these three items are grouped into one named 'Groups'
which has sidebar with three items mentioned above.

This change allows us to move ID views into Identity submenu.

https://pagure.io/freeipa/issue/6717

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-07 20:04:01 +01:00
Tomas Krizek
a06c71b126
Add SHA256 fingerprints for certs
https://fedorahosted.org/freeipa/ticket/6701

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-07 19:52:43 +01:00
Fraser Tweedale
3ba0375c83
rabase.get_certificate: make serial number arg mandatory
In rabase.get_certificate it does not make sense for the
serial_number argument to be optional.  Make it a mandatory
positional argument.

Part of: https://pagure.io/freeipa/issue/3473
Part of: https://pagure.io/freeipa/issue/5011

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-07 13:24:16 +01:00
Fraser Tweedale
11c9df2577
Extract method to map principal to princpal type
Part of: https://pagure.io/freeipa/issue/5011

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-03 12:09:57 +01:00
Fraser Tweedale
2066a80be2
Remove redundant principal_type argument
Minor refactor to remove the redundant 'principal_type' argument
from 'caacl_check' and associated functions.

Part of: https://pagure.io/freeipa/issue/5011

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-03 12:09:57 +01:00
Florence Blanc-Renaud
9e24918c89 Support for Certificate Identity Mapping
See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-02 15:09:42 +01:00
Fraser Tweedale
49f87f34be dogtag: remove redundant property definition
The dogtag `ra' backend defines a `ca_host' property, which is also
defined (identically) by the `RestClient' class, which recently
became a superclass of `ra'.  Remove the redundant property
definition.

Part of: https://pagure.io/freeipa/issue/3473

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-01 13:53:18 +01:00
Stanislav Laznicka
5ab85b365a Moving ipaCert from HTTPD_ALIAS_DIR
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.

https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6680

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
0a54fac02c Remove NSSConnection from Dogtag
Replaced NSSConnection with Python's httplib.HTTPSConnection.
This class is OpenSSL-based.

A client certificate with a private key is required to authenticate
against the certificate server. We facilitate the RA_AGENT_PEM which
already exists.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
2a1494c9ae Move RA agent certificate file export to a different location
HTTPS connection to certificate server requires client authentication
so we need a file with client certificate and private key prior to
its first occurence which happens during migration of certificate
profiles to LDAP.

https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Fraser Tweedale
b81ac59640 ca: correctly authorise ca-del, ca-enable and ca-disable
CAs consist of a FreeIPA and a corresponding Dogtag object.  When
executing ca-del, ca-enable and ca-disable, changes are made to the
Dogtag object.  In the case of ca-del, the corresponding FreeIPA
object is deleted after the Dogtag CA is deleted.

These operations were not correctly authorised; the FreeIPA
permissions are not checked before the Dogtag operations are
executed.  This allows any user to delete, enable or disable a
lightweight CA (except the main IPA CA, for which there are
additional check to prevent deletion or disablement).

Add the proper authorisation checks to the ca-del, ca-enable and
ca-disable commands.

https://pagure.io/freeipa/issue/6713

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 14:30:23 +00:00
Stanislav Laznicka
e2d1b21c50 Remove md5_fingerprints from IPA
MD5 is a grandpa and FIPS does not like it at all.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-23 18:59:01 +01:00
Simo Sorce
908d2eaba4 Fix session logout
There were 2 issues with session logouts, one is that the logout_cookie
was checked and acted on in the wrong place, the other is that the wrong
value was set in the IPASESSION header.

Fixes https://fedorahosted.org/freeipa/ticket/6685

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-02-22 10:15:50 +01:00
Simo Sorce
b895f4a34b Change session logout to kill only the cookie
Removing the ccache goes too far as it will cause unrelated sessions to
fail as well, this is a problem for accounts used to do unattended
operations and that may operate in parallel.

Fixes https://fedorahosted.org/freeipa/ticket/6682

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-02-17 09:57:23 +01:00
Simo Sorce
d124e307f3 Separate RA cert store from the HTTP cert store
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
b6741d81e1 Use Anonymous user to obtain FAST armor ccache
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
b109f5d850 Drop use of kinit_as_http from trust code
The framework will not have direct access to the keytab anymore.
This function was used in two places, to fetch the domain list and to
re-initialize the PAC when enabling or disabling a domain trust.
The domian list is normally fetched via oddjob anyway so this use is
not necesary anymore, and the MS-PAC re-initialization can be moved
later to oddjob if needed.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
c894ebefc5 Change session handling
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Gabe
a930ec824d Allow nsaccountlock to be searched in user-find command
This patch provides the ability to search and find users who are
enabled/disabled in `ipa user-find` command without breaking API compatibility.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-14 17:09:45 +01:00
Christian Heimes
3d9bec2e87 cryptography has deprecated serial in favor of serial_number
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-02-10 16:16:44 +01:00
Martin Basti
6bb5af7bea py3: get_memberofindirect: fix ByteWarnings
DN must be converted to bytes as other variables adn lists contain bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-02-08 15:41:39 +01:00
Martin Basti
a584758cfb py3: _convert_to_idna: fix bytes/unicode mistmatch
ToASCII() returns bytes, it must be decoded to unicode

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-08 08:32:44 +01:00
Martin Basti
03d0a55e8a py3: DNS: get_record_entry_attrs: do not modify dict during iteration
In py3 keys() doesn't return list but iterator so it must be transformed
to tuple otherwise iterator will be broken.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-08 08:32:44 +01:00
Martin Basti
a3d3b0ad25 py3: _ptrrecord_precallaback: use bytes with labels
DNS labels are bytes so bytes must be used for comparison

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-08 08:32:44 +01:00
Martin Basti
a93b2bea5c py3: remove_entry_from_group: attribute name must be string
Do not encode attribute names

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-08 08:32:44 +01:00
Martin Basti
caa560ca79 py3: base64 encoding/decoding returns always bytes don't mix it
Using unicode(bytes) call causes undesired side effect that is inserting
`b` character to result. This obviously causes issues with binary base64 data

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-08 08:32:44 +01:00
David Kupka
7e2d185ba0 stageuser: Add stageuser-{add,remove}-principal
https://fedorahosted.org/freeipa/ticket/6623

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-07 13:58:48 +01:00
David Kupka
9c0e86530e stageuser: Add stageuser-{add,remove}-cert
Move {add,remove}-cert implementation from user to baseuser and inherit
{,stage}user-{add,remove}-cert from it.

https://fedorahosted.org/freeipa/ticket/6623

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-07 13:58:48 +01:00
Martin Basti
d5ab0637fe py3: fix CSR encoding inside framework
csr must be in string because framework excpects only strings, so we
have to decode it back

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-31 18:33:27 +01:00
Martin Basti
b37d18288d py3: can_read: attributelevelrights is already string
Remove decode() as it causes error in py3 because the attribute is
already string not bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-31 18:33:27 +01:00
Martin Basti
49333058c8 py3: get_effective_rights: values passed to ldap must be bytes
Values passed to LDAP must be bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-31 18:33:27 +01:00
Jan Cholasta
85834abad6 cert: fix search limit handling in cert-find
If search limits are not specified in cert-find, use the configured limits.
This applies to the certificate search in the CA as well.

Detect and report if size limit was exceeded in the certificate search in
the CA.

Do not apply limits to the internal ca-find call.

https://fedorahosted.org/freeipa/ticket/6564

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-24 13:53:07 +01:00
Jan Cholasta
d84edc43e5 dogtag: search past the first 100 certificates
Dogtag requires a size limit to be specified when searching for
certificates. When no limit is specified in the dogtag plugin, a limit of
100 entries is assumed. As a result, an unlimited certificate search
returns data only for a maximum of 100 certificates.

Raise the "unlimited" limit to the maximum value Dogtag accepts.

https://fedorahosted.org/freeipa/ticket/6564

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-24 13:53:07 +01:00
Martin Basti
18337bf7f7 py3: decode bytes for json.loads()
In py 3.5 json.loads requires to have string as input, all bytes must be
decoded.

Note: python 3.6 supports bytes for json.loads()

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
0eb5a0e0ec dogtag.py: fix exception logging of JSON data
'read_ca' and 'create_ca' have no logging when exception happened and it
masks real reason why it failed.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
1e0f98a146 py3: convert_attribute_members: don't use bytes as parameter for DN
due perfomance improvement in e4930b3235
we have to decode value before it can be used in DN() constructor.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
0a1d7f2e01 py3: add_entry_to_group: attribute name must be string not bytes
With bytes as attribute name pyldap raises type error

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Tomas Krizek
49855ca9de Fix coverity issue
A code path exists, where principal_obj is None. Add check
principal_obj is not None to avoid dereferencing it.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-16 14:44:54 +01:00
Fraser Tweedale
09a65df684 Reuse self.api when executing ca_enabled_check
The ca_enabled_check function is a wrapper around
api.Command.ca_is_enabled.  When using remote_api (e.g. during
installer), ca_enabled_check invokes the *global* api instead of the
remote_api.

Update ca_enabled_check to explicitly receive an api object from the
caller and invoke Command.ca_is_enabled through it.

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Petr Spacek
fb7c111ac1 ipa_generate_password algorithm change
A change to the algorithm that generates random passwords
for multiple purposes throught IPA. This spells out the need
to assess password strength by the entropy it contains rather
than its length.

This new password generation should also be compatible with the
NSS implementation of password requirements in FIPS environment
so that newly created databases won't fail with wrong authentication.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2017-01-06 09:26:56 +01:00
Pavel Vomacka
be7865bf4f Change activity text while loading metadata
After log in into webui there was 'Authenticating' sign even during loading metadata.
Now while data are loading there is 'Loading data' text. This change requires new global
topic 'set-activity' of activity widget. So for now there is possibility to change
every activity string during running phase just by publishing 'set-activity' topic
and setting new text as first parameter.

Part of: https://fedorahosted.org/freeipa/ticket/6144

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-01-05 19:13:37 +01:00
Jan Cholasta
ceb26f5ac4 ca: fix ca-find with --pkey-only
Since commit 32b1743e5f, ca-find will fail
with internal error if --pkey-only is specified, because the code to
look up the CA certificate and certificate chain assumes that the ipaCAId
attribute is always present in the result.

Fix this by not attempting to lookup the certificate / chain at all when
--pkey-only is specified.

https://fedorahosted.org/freeipa/ticket/6178

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-05 17:39:57 +01:00
Fraser Tweedale
bdbb1c34a2 Remove "Request Certificate with SubjectAltName" permission
subjectAltName is required or relevant in most certificate use cases
(esp. TLS, where carrying DNS name in Subject DN CN attribute is
deprecated).  Therefore it does not really make sense to have a
special permission for this, over and above "request certificate"
permission.

Furthermore, we already do rigorously validate SAN contents again
the subject principal, and the permission is waived for self-service
requests or if the operator is a host principal.

So remove the permission, the associated virtual operation, and the
associated code in cert_request.

Fixes: https://fedorahosted.org/freeipa/ticket/6526
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-21 17:04:18 +01:00
Fraser Tweedale
fec4c32ff1 certprofile-mod: correctly authorise config update
Certificate profiles consist of an FreeIPA object, and a
corresponding Dogtag configuration object.  When updating profile
configuration, changes to the Dogtag configuration are not properly
authorised, allowing unprivileged operators to modify (but not
create or delete) profiles.  This could result in issuance of
certificates with fraudulent subject naming information, improper
key usage, or other badness.

Update certprofile-mod to ensure that the operator has permission to
modify FreeIPA certprofile objects before modifying the Dogtag
configuration.

https://fedorahosted.org/freeipa/ticket/6560

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-14 18:08:33 +01:00
Fraser Tweedale
74b8cf2c4a Fix regression in test suite
32b1743e5f introduced a regression in
test_serverroles.py, caused by ca_find attempting to log into the
Dogtag REST API.  (ca_find is called by cert_find which is called by
server_del during cleanup).

Avoid logging into Dogtag in cert_find unless something actually
needs to be retrieved.

Fixes: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-13 17:25:59 +01:00
Ludwig Krispenz
26bd7ebfa2 Check for conflict entries before raising domain level
Checking of conflicts is not only done in topology container as
tests showed it can occurs elsewhere

https://fedorahosted.org/freeipa/ticket/6534

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-13 12:25:07 +01:00
Simo Sorce
ca4e6c1fdf Configure Anonymous PKINIT on server install
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-12 13:39:44 +01:00
Fraser Tweedale
32b1743e5f Add options to write lightweight CA cert or chain to file
Administrators need a way to retrieve the certificate or certificate
chain of an IPA-managed lightweight CA.  Add params to the `ca'
object for carrying the CA certificate and chain (as multiple DER
values).  Add the `--chain' flag for including the chain in the
result (chain is also included with `--all').  Add the
`--certificate-out' option for writing the certificate to a file (or
the chain, if `--chain' was given).

Fixes: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-12-12 13:03:15 +01:00
Stanislav Laznicka
a77627dd8c Fix permission-find with sizelimit set
If permission-find is fired with an argument and sizelimit set
a message about truncation will be sent along with the result
as the search in post_callback() does general search instead
of having its filter properly set.

https://fedorahosted.org/freeipa/ticket/5640

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-07 13:01:58 +01:00
Stanislav Laznicka
0c044cb084 Generalize filter generation in LDAPSearch
Make it easier to generate search filters properly
and in a unified way in any inheriting method

https://fedorahosted.org/freeipa/ticket/5640

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-07 13:01:58 +01:00
Fraser Tweedale
dfbdb53238 cert-request: match names against principal aliases
Currently we do not check Kerberos principal aliases when validating
a CSR.  Enhance cert-request to accept the following scenarios:

- for hosts and services: CN and SAN dnsNames match a principal
  alias (realm and service name must be same as nominated principal)

- for all principal types: UPN or KRB5PrincipalName othername match
  any principal alias.

Fixes: https://fedorahosted.org/freeipa/ticket/6295
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-12-06 16:13:45 +01:00
shanyin
0499ba5795 fix missing translation string
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-06 13:09:00 +01:00
Stanislav Laznicka
2663a966da permission-find: fix a sizelimit off-by-one bug
permission-find: sizelimit option set to number of permissions -1
could return all permissions anyway

https://fedorahosted.org/freeipa/ticket/5640

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-06 11:36:46 +01:00
Stanislav Laznicka
29aa4877ee fix permission_find fail on low search size limit
permission_find() method would have failed if size_limit in config is too
small caused by a search in post_callback. This search should also
respect the passed sizelimit or the sizelimit from ipa config if no
sizelimit is passed.

https://fedorahosted.org/freeipa/ticket/5640

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-06 11:36:46 +01:00
Martin Babinsky
0ae7bebb76 Make env and plugins commands local again
During thin client refactoring, LocalOrRemote class implementation of `run`
method was overriden by default Command implementation during instantiation of
client plugins from schema. This caused these commands to always forward this
request to IPA master.

This patch restores the original behavior: unless `--server` option was
specified, the commands will always print out local config.

https://fedorahosted.org/freeipa/ticket/6490

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-02 13:00:06 +01:00
Jan Cholasta
977050c66b constants: remove CACERT
CACERT depends on ipaplatform.

Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
7b966e8577 ipautil: remove get_domain_name()
get_domain_name() and related code depends on ipaplatform.

Replace all uses of get_domain_name() with api.env.domain and remove
get_domain_name() and all of the related code.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Christian Heimes
6bbbce4473 wrap long line
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-25 16:18:22 +01:00
Christian Heimes
7fef9cbec7 Fix Python 3 bugs discovered by pylint
In Python 3 exception instances no longer have a message attribute.
For most exceptions, str(e) or string formatting give the same result.

Fix some renamed modules, module members and functions.

https://fedorahosted.org/freeipa/ticket/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-25 16:18:22 +01:00
Christian Heimes
6409abf1a6 Break ipaplatform / ipalib import cycle of hell
Here is an attempt to break the import cycle of hell between ipaplatform
and ipalib. All services now pass an ipalib.api object to
services.service(). RedHatServices.__init__() still needs to do a local
import because it initializes its wellknown service dict with service
instances.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-24 16:30:32 +01:00
Florence Blanc-Renaud
efb3700389 Fix ipa migrate-ds when it finds a search reference
When ipa migrate-ds finds user entries and a search reference, it complains
that the LDAP search did not return any result and does not migrate the
entries or the groups.

The issue comes from LDAPClient._convert_result which returns an empty result
list when the input is a search reference. In turn LDAPClient.find_entries
assumes that the empty result list corresponds to a Search Result Done and
returns without any entry.

The fix examines first the objtype returned by self.conn.result3. If it is
a search result done, then the loop can be exited. Otherwise (referral or
entry), _convert_result is called and the result (if not empty) is appended
to the list of returned entries.

https://fedorahosted.org/freeipa/ticket/6358

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-17 01:01:05 +01:00
Fraser Tweedale
e1df2e0792 cert-request: accept CSRs with extraneous data
The cert-request command used to accept CSRs that had extra data
surrounding the PEM data, e.g. commentary about the contents of the
CSR.  Recent commits that switch to using python-cryptography for
cert and CSR handling broke this.  Our acceptance tests use such
CSRs, hence the tests are now failing.

To avoid the issue, freshly encode the python-cryptography
CertificateSigningRequest object as PEM.  This avoids re-using the
user-supplied data, in case it has extraneous data.

Fixes: https://fedorahosted.org/freeipa/ticket/6472
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-11 15:42:26 +01:00
Fraser Tweedale
db116f73fe x509: use python-cryptography to process certs
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects.  Update the call sites
accordingly, including removal of NSS initialisation code.

Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames.  The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Fraser Tweedale
44c2d685f0 x509: avoid use of nss.data_to_hex
Avoid use of the nss.data_to_hex function for formatting certificate
fingerprints.  Add our own helper functions to format the
fingerprints as hex (with colons).

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Fraser Tweedale
66637f766d pkcs10: use python-cryptography for CSR processing
Update ``ipalib.pkcs10`` module to use python-cryptography for CSR
processing instead of NSS.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Martin Babinsky
7a183bad66 server-del: fix incorrect check for one IPA master
https://fedorahosted.org/freeipa/ticket/6417

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-07 12:42:12 +01:00
Tomas Krizek
41098e3f7b ldap2: modify arguments for create_connection
* Remove unused and obsolete function arguments:
    * tls_certfile
    * tls_keyfile
    * debug_level
* Rename tls_cacertfile to cacert (same as name in LDAPClient)
* Set cacert to constants.CACERT by default.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
36d95472d9 ldap2: change default bind_dn
Set default bind_dn to cn=directory manager.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
e2780b2106 ldap2: change default time/size limit
* Set default time_limit and size_limit in ldap2 to unlimited.
* Set time_limit and size_limit to None in backend. This will respect
    ipaconfig values.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
60e38ecc7f ipaldap: merge external_bind into LDAPClient
* Rename do_external_bind to external_bind
* Remove user_name argument in  external_bind() and always set it
    to effective user name

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Alexander Bokovoy
e8b94ef352 trustdomain-del: fix the way how subdomain is searched
With FreeIPA 4.4 we moved child domains behind the 'trustdomain' topic.
Update 'ipa trustdomain-del' command to properly calculate DN to the
actual child domain and handle the case when it is missing correctly.

Fixes https://fedorahosted.org/freeipa/ticket/6445

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-01 11:24:26 +01:00
Fraser Tweedale
b6a3c9dc74 cert-show: show validity in default output
cert-show no longer shows validity dates without `--all', but this
is important information that should be shown by default.  Make it
so.

Fixes: https://fedorahosted.org/freeipa/ticket/6419
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-26 18:30:31 +02:00
Jan Cholasta
cc5ad6b3f9 pwpolicy: do not run klist on import
On pwpolicy module import, "klist -V" is run to determine if the installed
krb5 version supports account lockout (>= 1.8).

Remove the check, as we require a krb5 version which does support account
lockout (1.12).

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-24 14:11:08 +02:00
Jan Cholasta
0d370a959b pylint: enable the import-error check
Check for import errors with pylint to make sure new python package
dependencies are not overlooked.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-24 14:11:08 +02:00
Jan Cholasta
16dad1c3cb cert: add revocation reason back to cert-find output
In commit c718ef0588 some param values were
accidentally removed from cert-find output.

In commit 22d5f579bb `serial_number_hex` and
`revoked` were added back.

Add back `revocation_reason` as well. Also, do not include `revoked` with
--raw, as it's a virtual attribute.

https://fedorahosted.org/freeipa/ticket/6269

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-10-13 21:03:46 +02:00
Martin Babinsky
71f642f751 do not use keys() method when iterating through dictionaries
pylint-1.6.4-1.fc26.noarch reports "C0201(consider-iterating-dictionary)" when
building FreeIPA, we have to fix these errors

https://fedorahosted.org/freeipa/ticket/6391

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-12 10:38:52 +02:00
Martin Babinsky
29829cc55a remove trailing newlines form python modules
pylint-1.6.4-1.fc26.noarch reports these, hence they should be fixed in order
to build FreeIPA with this version

https://fedorahosted.org/freeipa/ticket/6391

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-12 10:38:52 +02:00
Pavel Vomacka
28c7644980 WebUI: fix API Browser menu label
The label of API Browser is now in translatable strings and it has
uppercase B at the beginnig of second word.

https://fedorahosted.org/freeipa/ticket/6384

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-11 17:24:43 +02:00
Petr Spacek
bf96b80200 DNS: Improve field descriptions for SRV records
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-11 16:48:47 +02:00
Petr Spacek
f363dfbeed DNS: Support URI resource record type
https://fedorahosted.org/freeipa/ticket/6344

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-11 16:48:47 +02:00
Fraser Tweedale
2b8163ab5d Add commentary about CA deletion to plugin doc
Add commentary to 'ca' plugin documentation to explain what happens
when a CA gets deleted - namely, that its signing cert gets revoked
and its private key deleted.

Also break the docstring up into smaller chunks to aid translation.

Fixes: https://fedorahosted.org/freeipa/ticket/6256
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-06 19:24:54 +02:00
Martin Basti
135047d03c Pylint: remove unused variables in ipaserver package
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-10-06 10:43:36 +02:00
Martin Basti
45e3aee352 Pylint: enable check for unused-variables
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors

Enabled check should prevent to leave unused variable in code

Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Martin Basti
0f88f8fe88 Remove unused variables in the code
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.

This covers only cases where fix was easy or only one unused variable
was in a module

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Fraser Tweedale
ff490b6c40 sudorule: add SELinux transition examples to plugin doc
It is not obvious how to add SELinux type and role transitions to a
Sudo rule.  Update the 'sudorule' plugin documentation with examples
of how to do this.

Fixes: https://fedorahosted.org/freeipa/ticket/3461
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-09-23 14:59:43 +02:00
Fraser Tweedale
97d4ffc2dc Fix cert revocation when removing all certs via host/service-mod
When removing all host/service certificates via host/service-mod
--certificate=, the removed certificates should be revoked, but they
are not.  Examine whether the --certificate option was provided to
determine whether certs should be revoked, instead of looking for a
cert list in the options (which in this case is empty).

Fixes: https://fedorahosted.org/freeipa/ticket/6305
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-09-23 08:10:11 +02:00
Jan Barta
568f9da331 pylint: fix redefine-in-handler
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Jan Barta
275e85d076 pylint: fix unneeded-not
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Jan Barta
36484e8672 pylint: fix simplifiable-if-statement warnings
fix inefficient if statements, enable pylint check

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Pavel Vomacka
0e6d6e4032 WebUI: Change group name from 'normal' to 'Non-POSIX'
It will correspond with CLI and will be more self-explanatory.

https://fedorahosted.org/freeipa/ticket/6334

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-21 13:20:21 +02:00
Tomas Krizek
75f77e0f2a Add help info about certificate revocation reasons
Inform the user where to find additional information
about certificate revocation reasons.

https://fedorahosted.org/freeipa/ticket/6327

Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-21 13:05:13 +02:00
Martin Basti
8f8e3d008f Use constant for user and group patterns
User and groups regexp are the same and constant should be used to avoid
any future misconfigurations.

https://fedorahosted.org/freeipa/ticket/5822

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-20 17:35:28 +02:00
Martin Basti
3720080611 Fix regexp patterns in parameters to not enforce length
Regexp should not enforce lenght of string, we have different checks for
that. Secondly regexp with length specified produces an incorrect error
message.

https://fedorahosted.org/freeipa/ticket/5822

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-20 17:35:28 +02:00
Jan Cholasta
e5f7a612fb dns: re-introduce --raw in dnsrecord-del
The flag was removed in commit ff52c25ae2
because it is unused. Add it back for compatibility with old clients.

https://fedorahosted.org/freeipa/ticket/5644

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-19 17:36:20 +02:00
Martin Babinsky
f3f9087ee8 ipa passwd: use correct normalizer for user principals
Commit c2af032c03 introduced a regression in the
handling of user principals supplied to the`ipa passwd` command. This patch
restores the original behavior which lowercases the username portion of the
principal.

https://fedorahosted.org/freeipa/ticket/6329

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-14 13:08:53 +02:00
Martin Babinsky
b0d40b80e8 trust-fetch-domains: contact forest DCs when fetching trust domain info
The code should always contact forest root DCs when requesting trust domain
info. In the case of one-way or external trusts
`com.redhat.idm.trust-fetch-domains` helper is leveraged, otherwise forest
root domain is contacted directly through Samba using the credentials of HTTP
principal.

https://fedorahosted.org/freeipa/ticket/6328

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-14 10:38:07 +02:00
Fraser Tweedale
1f1c93d2b5 cert-request: raise error when request fails
Fix a regression in recent change to request cert via Dogtag REST
API.  'ra.request_certificate' was no longer raising
CertificateOperationError when the cert request failed.  Inspect the
request result to determine if the request completed, and raise if
it did not.

Fixes: https://fedorahosted.org/freeipa/ticket/6309
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-13 17:22:34 +02:00
Martin Babinsky
003b364c5a netgroup: avoid extraneous LDAP search when retrieving primary key from DN
DNs for netgroup entries can contain either 'cn' or 'ipauniqueid' attribute in
their leaf RDN depending on their origin. Since 'cn' is the primary key, we
can return it in `get_primary_key_from_dn` right away and avoid any extraneous
LDAP search.

https://fedorahosted.org/freeipa/ticket/5855

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-09 16:27:53 +02:00
Pavel Vomacka
c3374c6e16 Add 'Restore' option to action dropdown menu
Also moving activate_action method several lines up - correcting logical order of methods.

https://fedorahosted.org/freeipa/ticket/5818

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-08 09:44:20 +02:00
Martin Basti
f3d379071a Allow multicast addresses in A/AAAA records
There is no reason (RFC) why we should prevent users to add multicast
addresses to A/AAAA records

https://fedorahosted.org/freeipa/ticket/5814

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-07 16:22:03 +02:00
Martin Basti
81d64d530c Allow network ip addresses
Currently cloud environments uses heavily prefix /32 (/128) what makes
IPA validators to fail. IPA should not care if IP address is network or not.
This commit allows usage of network addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer

https://fedorahosted.org/freeipa/ticket/5814

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-07 16:22:03 +02:00
Fraser Tweedale
daeaf2a823 Make host/service cert revocation aware of lightweight CAs
Revocation of host/service certs on host/service deletion or other
operations is broken when cert is issued by a lightweight (sub)CA,
causing the delete operation to be aborted.  Look up the issuing CA
and pass it to 'cert_revoke' to fix the issue.

Fixes: https://fedorahosted.org/freeipa/ticket/6221
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-09-07 13:21:29 +02:00
Fraser Tweedale
520ad7d865 cert-request: raise CertificateOperationError if CA disabled
Detect when cert-request returns HTTP 409, which indicates that the
target CA is disabled - a valid scenario - and raise
CertificateOperationError with a friendly message instead of
HTTPRequestError.

Fixes: https://fedorahosted.org/freeipa/ticket/6260
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-07 12:49:28 +02:00
Fraser Tweedale
4c35afccf3 Use Dogtag REST API for certificate requests
The Dogtag REST API gives better responses statuses than the RPC API
and properly reports failure due to disabled CA (status 409).  Make
'ra' extend 'RestClient' and refactor the 'request_certificate'
method to use Dogtag's REST API.

Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-07 12:49:28 +02:00
Fraser Tweedale
c5cbc8de89 Add HTTPRequestError class
Currently, HTTP requests that respond with status not in the 2xx
range raise RemoteRetrieveError.  The exception includes no
information about the response status.

Add the 'HTTPRequestError' class which extends 'RemoteRequestError'
with an attribute for the response status, and update the Dogtag
RestClient to raise the new error.

Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-07 12:49:28 +02:00
Fraser Tweedale
2a42a7e90e Allow Dogtag RestClient to perform requests without logging in
Currently the Dogtag RestClient '_ssldo' method requires a session
cookie unconditionally, however, not all REST methods require a
session: some do not require authentication at all, and some will
authenticate the agent on the fly.

To avoid unnecessary login/logout requests via the context manager,
add the 'use_session' keyword argument to '_ssldo'.  It defaults to
'True' to preserve existing behaviour (session required) but a
caller can set to 'False' to avoid the requirement.

Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-07 12:49:28 +02:00
Jan Cholasta
b7b6faf14a cert: fix cert-find --certificate when the cert is not in LDAP
Always return the cert specified in --certificate in cert-find result, even
when the cert is not found in LDAP.

https://fedorahosted.org/freeipa/ticket/6304

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-07 12:46:35 +02:00
Fraser Tweedale
c7e0dbc4e1 Add ca-disable and ca-enable commands
We soon plan to revoke certificates upon lightweight CA deletion.
This makes it important to provide a way to prevent a CA from
issuing certificates whilst not deleting and revoking it, and
continuing to allow management of issued certs.

This commit adds the ca-disable and ca-enable commands.

Fixes: https://fedorahosted.org/freeipa/ticket/6257
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-09-07 12:37:48 +02:00
Jan Cholasta
dce95a1459 dns: prompt for missing record parts in CLI
Fix the code which determines if a record part is required and thus should
be prompted not to wrongfully consider all record parts to be optional.

https://fedorahosted.org/freeipa/ticket/6203

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-06 12:54:38 +02:00
Martin Babinsky
33f8685513 Always fetch forest info from root DCs when establishing two-way trust
Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
performed against non-root forest domain DCs were automatically routed to the
root domain DCs to resolve trust topology information.

This is no longer the case, so the `dcerpc.fetch_domains` function must
explicitly contact root domain DCs even in the case when an external two-way
trust to non-root domain is requested.

https://fedorahosted.org/freeipa/ticket/6057

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-05 09:20:55 +02:00
Martin Babinsky
f32e0e4e52 do not use trusted forest name to construct domain admin principal
When `trust-add` is supplied AD domain admin name without realm component, the
code appends the uppercased AD forest root domain name to construct the full
principal. This can cause authentication error, however, when external trust
with non-root domain is requested.

We should instead use the supplied DNS domain name (if valid) as a realm
component.

https://fedorahosted.org/freeipa/ticket/6277

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-31 15:07:09 +02:00
Simo Sorce
25ed36fda1 Fix CA ACL Check on SubjectAltNames
The code is supposed to check that the SAN name is also authorized to be used
with the specified profile id.
The original principal has already been checked.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-31 10:11:48 +02:00
Jan Cholasta
117274ff04 cert: include CA name in cert command output
Include name of the CA that issued a certificate in cert-request, cert-show
and cert-find.

This allows the caller to call further commands on the cert without having
to call ca-find to find the name of the CA.

https://fedorahosted.org/freeipa/ticket/6151

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-30 12:42:12 +02:00
Jan Cholasta
22d5f579bb cert: add missing param values to cert-find output
Add back `serial_number_hex` and `revoked` param values to cert-find output
accidentally removed in commit c718ef0588.

https://fedorahosted.org/freeipa/ticket/6269

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-30 12:02:17 +02:00
Martin Basti
5c50b265e6 Raise DuplicatedEnrty error when user exists in delete_container
We do not have right to write to users delete_container. In case that
user already exists in that container and we tried to add entry, we
receive ACIError. This must be checked and DuplicationEntry error must
be raised before.

https://fedorahosted.org/freeipa/ticket/6199

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-30 08:26:16 +02:00
Stanislav Laznicka
f0487946cd Don't ignore --ignore-last-of-role for last CA
Use a handler created for the purpose of deciding whether
to raise exception or not.

https://fedorahosted.org/freeipa/ticket/6259

Reviewed-By: Oleg Fayans <ofayans@redhat.com>
2016-08-29 13:46:47 +02:00
David Kupka
386fdc1d77 otptoken, permission: Convert custom type parameters on server
Force client to send the value of ipatokenotpkey and ipapermlocation as
entered by user.

https://fedorahosted.org/freeipa/ticket/6247

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-29 10:45:12 +02:00
Fraser Tweedale
48aaf2bbf5 cert-show: show subject alternative names
Enhance the cert-show command to return subject alternative name
values.

Fixes: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-26 09:09:45 +02:00
Fraser Tweedale
a381d888cd x509: include otherName DER value in GeneralNameInfo
We want to include the whole DER value when we pretty-print
unrecognised otherNames, so add a field to the GeneralNameInfo
namedtuple and populate it for otherNames.

Part of: https://fedorahosted.org/freeipa/ticket/6022

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-26 09:09:45 +02:00
Fraser Tweedale
e3acc3659c x509: use NSS enums and OIDs to identify SAN types
GeneralName parsing currently relies heavily on strings from NSS.
Make the code hopefully less brittle by identifying GeneralName
types by NSS enums and, for otherName, the name-type OID also.

Part of: https://fedorahosted.org/freeipa/ticket/6022

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-26 09:09:45 +02:00
Fraser Tweedale
0245d2aadf Move GeneralName parsing code to ipalib.x509
GeneralName parsing code is primarily relevant to X.509.  An
upcoming change will add SAN parsing to the cert-show command, so
first move the GeneralName parsing code from ipalib.pkcs10 to
ipalib.x509.

Part of: https://fedorahosted.org/freeipa/ticket/6022

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-26 09:09:45 +02:00
Tomas Krizek
6f9a029bf5 Validate key in otptoken-add
Verify that key is not empty when adding otp token. If it is empty, raise an
appropriate error.

https://fedorahosted.org/freeipa/ticket/6200

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-24 15:16:27 +02:00
Christian Heimes
c346a2d1d1 Remove Custodia server keys from LDAP
The server-del plugin now removes the Custodia keys for encryption and
key signing from LDAP.

https://fedorahosted.org/freeipa/ticket/6015

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-24 14:26:57 +02:00
Petr Spacek
3ac2709f4b config-mod: normalize attribute names for --usersearch/--groupsearch
https://fedorahosted.org/freeipa/ticket/6236

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-22 17:53:31 +02:00
Abhijeet Kasurde
c9419411c9 Corrected minor spell check in AD Trust information doc messages
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-22 17:15:11 +02:00
Alexander Bokovoy
62be554540 trust: make sure ID range is created for the child domain even if it exists
ID ranges for child domains of a forest trust were created incorrectly
in FreeIPA 4.4.0 due to refactoring of -- if the domain was already
existing, we never attempted to create the ID range for it.

At the same time, when domain was missing, we attempted to add ID range
and passed both forest root and the child domain names to add_range().
However, add_range() only looks at the first positional argument which
was the forest root name. That ID range always exists (it is created
before child domains are processed).

Modify the code to make sure child domain name is passed as the first
positional argument. In addition, the oddjob helper should explicitly
set context='server' so that idrange code will be able to see and use
ipaserver/dcerpc.py helpers.

Resolves: https://fedorahosted.org/freeipa/ticket/5738
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 14:03:00 +02:00
Alexander Bokovoy
9b3819ea94 trust: make sure external trust topology is correctly rendered
When external trust is established, it is by definition is
non-transitive: it is not possible to obtain Kerberos tickets to any
service outside the trusted domain.

Reflect this reality by only accepting UPN suffixes from the external
trust -- since the trusted domain is a part of another forest and UPN
suffixes are forest-wide, there could be user accounts in the trusted
domain that use forest-wide UPN suffix but it will be impossible to
reach the forest root via the externally trusted domain.

Also, an argument to netr_DsRGetForestTrustInformation() has to be
either forest root domain name or None (NULL). Otherwise we'll get
an error as explained in MS-NRPC 3.5.4.7.5.

https://fedorahosted.org/freeipa/ticket/6021

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 13:38:18 +02:00
Fraser Tweedale
cf74584d0f cert-revoke: fix permission check bypass (CVE-2016-5404)
The 'cert_revoke' command checks the 'revoke certificate'
permission, however, if an ACIError is raised, it then invokes the
'cert_show' command.  The rational was to re-use a "host manages
certificate" check that is part of the 'cert_show' command, however,
it is sufficient that 'cert_show' executes successfully for
'cert_revoke' to recover from the ACIError continue.  Therefore,
anyone with 'retrieve certificate' permission can revoke *any*
certificate and cause various kinds of DoS.

Fix the problem by extracting the "host manages certificate" check
to its own method and explicitly calling it from 'cert_revoke'.

Fixes: https://fedorahosted.org/freeipa/ticket/6232
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-22 07:19:03 +02:00
Martin Basti
6b7d6417d4 Fix: container owner should be able to add vault
With recent change in DS (CVE fix), ds is not returging DuplicatedEntry
error in case that user is not permitted by ACI to write, but ACIError instead.

Is safe to ignore ACI error in container, because it will be raised
again later if user has no access to container.

https://fedorahosted.org/freeipa/ticket/6159

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-18 13:02:38 +02:00
Tiboris
d25a0725c0 Added new authentication method
Addressing ticket https://fedorahosted.org/freeipa/ticket/5764

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-08-17 16:55:49 +02:00
Alexander Bokovoy
1c73ac91a4 service: add flag to allow S4U2Self
Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-08-17 16:41:38 +02:00
Pavel Vomacka
d45b0efe5d Add warning about only one existing CA server
It is not safe to have only one CA server in topology. Therefore there is a check
and in case that there is only one CA server a warning is shown. The warning is
shown after each refreshing of servers facet.

https://fedorahosted.org/freeipa/ticket/5828

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-08-17 13:54:57 +02:00
Jan Cholasta
8ad03259fe cert: do not crash on invalid data in cert-find
https://fedorahosted.org/freeipa/ticket/6150

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-08-17 13:45:50 +02:00
Jan Cholasta
c718ef0588 cert: speed up cert-find
Use issuer+serial rather than raw DER blob to identify certificates in
cert-find's intermediate result.

Restructure the code to make it (hopefully) easier to follow.

https://fedorahosted.org/freeipa/ticket/6098

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-08-17 13:45:50 +02:00
Petr Spacek
b73ef3d7f9 DNS: allow to add forward zone to already broken sub-domain
Errors during DNS resolution might indicate that forwarder is the
necessary configuration which is missing. Now we disallow adding a
forwarder only if the zone is normally resolvable without the forwarder.

https://fedorahosted.org/freeipa/ticket/6062

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-17 12:28:56 +02:00
Jan Cholasta
e9c1d21b9f parameters: move the confirm kwarg to Param
Whether a parameter is treated like password is determined by the
`password` class attribute defined in the Param class. Whether the CLI will
asks for confirmation of a password parameter depends on the value of the
`confirm` kwarg of the Password class.

Move the `confirm` kwarg from the Password class to the Param class, so
that it can be used by any Param subclass which has the `password` class
attribute set to True.

This fixes confirmation of the --key option of otptoken-add, which is a
Bytes subclass with `password` set to True.

https://fedorahosted.org/freeipa/ticket/6174

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-08-10 08:51:39 +02:00
Tomas Krizek
af4ebaca62 Fix ipa-caalc-add-service error message
When service is not found in ipa-caalc-add-service command, return the
entire principal name of the service instead of the first character.

https://fedorahosted.org/freeipa/ticket/6171

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-08-09 16:24:39 +02:00
Fraser Tweedale
9dac0a13f1 caacl: fix regression in rule instantiation
The Principal refactor causes service collections
('memberservice_service' attribute) to return Principal objects
where previously it returned strings, but the HBAC machinery used
for CA ACL enforcement only handles strings.  Update the code to
stringify service Principal objects when adding them to HBAC rules.

Fixes: https://fedorahosted.org/freeipa/ticket/6146
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-05 11:51:43 +02:00
Martin Basti
51ccde25f7 Increase default length of auto generated passwords
Installer/IPA generates passwords for warious purpose:
* KRA
* kerberos master key
* NSSDB password
* temporary passwords during installation

Length of passwords should be increased to 22, ~128bits of entropy, to
be safe nowadays.

https://fedorahosted.org/freeipa/ticket/6116

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-03 15:32:41 +02:00
Martin Babinsky
1a04edd36b re-set canonical principal name on migrated users
The migration procedure has been updated to re-set `krbcanonicalname`
attribute on migrated users as well as `krbprincipalname` so that migration
from FreeIPA versions supporting principal aliases does not break subsequent
authentication of migrated users.

https://fedorahosted.org/freeipa/ticket/6101

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-08-01 17:13:13 +02:00
Martin Basti
c2edfa0adb idrange: fix unassigned global variable
Global variable '_dcerpc_bindings_installed' is in some cases used
before assigment. This patch ensures that _dcerpc_bindings_installed is
always initialized.

https://fedorahosted.org/freeipa/ticket/6082

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-07-29 17:09:07 +02:00
Martin Babinsky
dc62dd8c90 baseldap: Fix MidairCollision instantiation during entry modification
https://fedorahosted.org/freeipa/ticket/6097

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-07-27 14:11:52 +02:00
David Kupka
34767ba259 help: Add dnsserver commands to help topic 'dns'
https://fedorahosted.org/freeipa/ticket/6069

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-07-22 13:52:09 +02:00
Martin Basti
8aba4f6343 Host-del: fix behavior of --updatedns and PTR records
* target for ptr record must be absolute domain name
* zone is detected using DNS system instead of random splitting of
hostname

https://fedorahosted.org/freeipa/ticket/6060

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-07-22 13:40:05 +02:00
Martin Babinsky
2234a77441 trust-add: handle --all/--raw options properly
`trust-add` command did not handle these options correctly often resulting in
internal errors or mangled output. This patch implements a behavior which is
more in-line with the rest of the API commands.

https://fedorahosted.org/freeipa/ticket/6059

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-21 13:01:02 +02:00
Martin Babinsky
66da084453 prevent search for RADIUS proxy servers by secret
radiusproxy-find should not allow search by proxy secret even for privileged
users so we should hide it from CLI.

https://fedorahosted.org/freeipa/ticket/6078

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-21 10:49:10 +02:00
Martin Babinsky
447feb7f37 expose --secret option in radiusproxy-* commands
Option `--secret` was hidden from radiusproxy CLI preventing setting a secret
on existing server or searching by secret. Since thin client implementation it
was also not recognized by the interactive prompt code in CLI frontend since
it never got there.

https://fedorahosted.org/freeipa/ticket/6078

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-21 10:49:10 +02:00
Martin Babinsky
f0a61546f5 allow 'value' output param in commands without primary key
`PrimaryKey` output param works only for API objects that have primary keys,
otherwise it expects None (nothing is associated with this param). Since the
validation of command output was tightened durng thin client effort, some
commands not honoring this contract began to fail output validation.

A custom output was implemented for them to restore their functionality. It
should however be considered as a fix for broken commands and not used
further.

https://fedorahosted.org/freeipa/ticket/6037
https://fedorahosted.org/freeipa/ticket/6061

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-20 13:57:01 +02:00
Florence Blanc-Renaud
90704df59d Show full error message for selinuxusermap-add-hostgroup
While investigating the issue for selinuxusermap-add-hostgroup,
we discovered that other commands were missing output.
A first patch fixes most of the issues:
freeipa-jcholast-677-frontend-copy-command-arguments-to-output-params-on-.patch

This patch fixes servicedelegation CLI, where
servicedelegation.takes_params was missing
ipaallowedtarget_servicedelegationtarget, ipaallowedtoimpersonate and
memberprincipal

https://fedorahosted.org/freeipa/ticket/6026

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-20 13:13:05 +02:00
David Kupka
92dea9b186 schema: Fix subtopic -> topic mapping
https://fedorahosted.org/freeipa/ticket/6069

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-15 14:02:17 +02:00
Martin Babinsky
2f02ffed03 Preserve user principal aliases during rename operation
When a MODRDN is performed on the user entry, the MODRDN plugin resets both
krbPrincipalName and krbCanonicalName to the value constructed from uid. In
doing so, hovewer, any principal aliases added to the krbPrincipalName are
wiped clean. In this patch old aliases are fetched before the MODRDN operation
takes place and inserted back after it is performed.

This also preserves previous user logins which can be used further for
authentication as aliases.

https://fedorahosted.org/freeipa/ticket/6028

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-07-15 13:51:03 +02:00
Martin Basti
2874fdbfef host-find: do not show SSH key by default
Only function 'remove_sshpubkey_from_output_list_post' should be used in
postcallbacks of *-find, otherwise only one entry will be cleaned up

https://fedorahosted.org/freeipa/ticket/6043

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-07-13 18:37:15 +02:00
Fraser Tweedale
8cd87d12d5 caacl: expand plugin documentation
Expand the 'caacl' plugin documentation to explain some common
confusions including the fact that CA ACLs apply to the target
subject principal (not necessarily the principal requesting the
cert), and the fact that CA-less CA ACL implies the 'ipa' CA.

Fixes: https://fedorahosted.org/freeipa/ticket/6002
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-07-13 18:34:17 +02:00
Martin Babinsky
0ade41abba Fix incorrect check for principal type when evaluating CA ACLs
This error prevented hosts to request certificates for themselves.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-07-01 13:16:23 +02:00
David Kupka
d2cb9ed327 Allow unexpiring passwords
Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.

https://fedorahosted.org/freeipa/ticket/2795

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-07-01 11:22:02 +02:00
Fraser Tweedale
4844eaec19 Add --cn option to cert-status
Add the 'cacn' option to the cert-status command.  Right now there
is nothing we need to (or can) do with it, but we add it anyway for
future use.

Fixes: https://fedorahosted.org/freeipa/ticket/5999
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 10:05:16 +02:00
Pavel Vomacka
4bc2e3164f Add widgets for kerberos aliases
Create own custom_command_multivalued_widget for kerberos aliases.

https://fedorahosted.org/freeipa/ticket/5927

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-07-01 09:39:49 +02:00
Martin Babinsky
acf2234ebc Unify display of principal names/aliases across entities
Since now users, hosts, and service all support assigning multiple principal
aliases to them, the display of kerberos principal names should be consistent
across all these objects. Principal aliases and canonical names will now be
displayed in all add, mod, show, and find operations.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
e6ff83e361 Provide API for management of host, service, and user principal aliases
New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...])
were added to manage principal aliases.

'add' commands will check the following:
* the correct principal type is supplied as an alias
* the principals have correct realm and the realm/alternative suffix (e.g.
  e-mail) do not overlap with those of trusted AD domains

If the entry does not have canonical principal name, the first returned
principal name will be set as one. This is mostly to smoothly operate on
entries created on older servers.

'remove' commands will check that there is at least one principal alias equal
to the canonical name left on the entry.

See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliases

https://fedorahosted.org/freeipa/ticket/1365
https://fedorahosted.org/freeipa/ticket/3961
https://fedorahosted.org/freeipa/ticket/5413

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
a28d312796 Make framework consider krbcanonicalname as service primary key
The framework does not allow single param to appear as both positional
argument and option in a single command, or to represent two different
positional arguments for that matter. Since principal aliases shall go to
krbprincipalname attribute, the framework has to be tricked to believe
krbcanonicalname is the service's primary key. The entry DN stored in LDAP
remains the same.

https://fedorahosted.org/freeipa/ticket/1365

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
750a392fe2 Allow for commands that use positional parameters to add/remove attributes
Commands that modify a single multivalued attribute of an entry should use
positional parameters to specify both the primary key and the values to
add/remove. Named options are redundant in this case.

The `--certificate option` of `*-add/remove-cert` commands was turned
mandatory to avoid EmptyModlist when it is omitted.

https://fedorahosted.org/freeipa/ticket/3961
https://fedorahosted.org/freeipa/ticket/5413

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
c2af032c03 Migrate management framework plugins to use Principal parameter
All plugins will now use this parameter and common code for all operations on
Kerberos principals.  Additional semantic validators and normalizers were
added to determine or append a correct realm so that the previous behavior is
kept intact.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
David Kupka
e5635f7ef4 schema: Decrease schema TTL to one hour
Since checking schema is relatively cheap operation (one round-trip with
almost no data) we can do it offten to ensure schema will fetched by
client ASAP after it was updated on server.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-07-01 09:22:57 +02:00
Yuri Chornoivan
f5eb71f75e Fix minor typo
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 08:52:37 +02:00
Fraser Tweedale
ffb1f5b1f2 Add --ca option to cert-revoke and cert-remove-hold
Implement the --ca option for cert-revoke and cert-remove-hold.
Defaults to the IPA CA.  Raise NotFound if the cert with the given
serial was not issued by the nominated CA.

Also default the --ca option of cert-show to the IPA CA.

Add commentary to cert-status to explain why it does not use the
--ca option.

Fixes: https://fedorahosted.org/freeipa/ticket/5999
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 05:54:56 +02:00
Stanislav Laznicka
235b19ba7f service: Added permissions for auth. indicators read/modify
Added permissions for Kerberos authentication indicators reading and
modifying to service objects.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-30 16:44:56 +02:00
Stanislav Laznicka
97db87b383 host: Added permissions for auth. indicators read/modify
Added permissions for Kerberos authentication indicators reading and
modifying to host objects.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-30 16:44:56 +02:00
Jan Cholasta
2beb72ffa4 server: exclude Local commands from RPC
Local API commands are not supposed to be executed over RPC but only
locally on the server. They are already excluded from API schema, exclude
them also from RPC and `batch` and `json_metadata` commands.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-30 16:32:20 +02:00
Jan Cholasta
1a03bd322d cert: fix CLI output of cert_remove_hold
cert_remove_hold uses output params instead of exceptions to convey
unsuccessful result. Move the output params to the client side before
the command is fixed to use exceptions.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-30 16:32:20 +02:00
Jan Cholasta
0f578ec36c user: add object plugin for user_status
Change user_status from a method of user to a method of a new userstatus
class, which defines the extra attributes returned by user_status.

This fixes user_status CLI output.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-30 16:32:20 +02:00
Jan Cholasta
ae5f11b4de server: define missing virtual attributes
Move virtual attributes defined in output params of methods into params of
the related object.

This fixes the virtual attributes being ommited in CLI output.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-30 16:32:20 +02:00
Fraser Tweedale
16f33ddb51 Check for CA subject name collision before attempting creation
Lightweight CA subject name collisions are prevented by Dogtag
(response code 409 Conflict), however, we do not want to expose the
Dogtag error.  Perform the check in the IPA framework as well,
raising DuplicateEntry on collision.

Fixes: https://fedorahosted.org/freeipa/ticket/5981
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-06-30 16:03:32 +02:00
Fraser Tweedale
3fab1b6350 cert-request: better error msg when 'add' not supported
cert-request supports adding service principals that don't exist.
If add is requested for other principal types, the error message
just says "the principal doesn't exist".

Add a new error type with better error message to explain that 'add'
is not supported for host or user principals.

Fixes: https://fedorahosted.org/freeipa/ticket/5991
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-06-30 15:42:06 +02:00
Pavel Vomacka
7f4de88ea1 Add button for server-del command
WebUI counterpart of: https://fedorahosted.org/freeipa/ticket/5588

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-30 14:22:51 +02:00
Pavel Vomacka
a3c7f845e0 Simplify the confirmation messages
The confirmation of revoke and remove the certificate hold action is simplier
and more consistent with another parts of WebUI.

Part of: https://fedorahosted.org/freeipa/ticket/5381

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-30 14:18:47 +02:00
Jan Cholasta
7d9afd988a xmlserver: initialize RPC server plugins only in server context
Do not initialize the plugins for all in-server API instances, as they are
used only in the server context.

This prevents code using in-server API instances from attempting to
initialize the session manager.

https://fedorahosted.org/freeipa/ticket/5988

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-30 14:09:24 +02:00
Jan Cholasta
a901ec1ce9 session: do not initialize session manager on import
Removes the side effect of attempting to connect to memcached when the
session module is imported, which caused user visible warnings and/or
SELinux AVC denials.

https://fedorahosted.org/freeipa/ticket/5988

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-30 14:09:24 +02:00
Jan Cholasta
dcf8b47471 session: move the session module from ipalib to ipaserver
The module is used only on the server, so there's no need to have it in
ipalib, which is shared by client and server.

https://fedorahosted.org/freeipa/ticket/5988

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-30 14:09:24 +02:00
Pavel Vomacka
55049fceb9 Add authentication identificator to host page
Also move strings which are connected with authentication indicators to authtype dict.
This place is more general than have them in service dict. It's nicer when these strings are
not used only on service page.

Part of: https://fedorahosted.org/freeipa/ticket/5872

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-30 13:42:58 +02:00
Nathaniel McCallum
0855b014b1 Add authentication indicators support to Host objects
https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-30 13:39:59 +02:00
Martin Basti
fed9d9aaa7 cert.py split module docstring to multiple ugetext string
It is hard to translate whole dosctring again and again aftear each
minor change. This split will make life for translators easier. (Just note: dosctring was
changed and that is the reason why I'm sending this, because translators
must translate it again anyway)

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-06-30 13:21:04 +02:00
Pavel Vomacka
31a13c9e98 Add button for dns_update_system_records command
Part of: https://fedorahosted.org/freeipa/ticket/5905

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-29 16:33:42 +02:00
Pavel Vomacka
55a0baf1c3 Add certificate widget
The certificate widget is used for each certificate in certs_widget. It allows to
view, get, download, revoke and restore certificate.

https://fedorahosted.org/freeipa/ticket/5108
https://fedorahosted.org/freeipa/ticket/5381

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-29 15:41:58 +02:00
Pavel Vomacka
6d3622c600 Add widget for showing multiple certificates
Certs widget is based on multivalued widget and adds ability to add new certificate
and delete it. Each line is cert_widget.

https://fedorahosted.org/freeipa/ticket/5108
https://fedorahosted.org/freeipa/ticket/5381

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-29 15:41:58 +02:00
Pavel Vomacka
06a9a84876 Refactored certificate view and remove hold dialog
Removed old layout created using html tables. Now table layout is made by div
and modern css styling.

https://fedorahosted.org/freeipa/ticket/5381

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-29 15:41:58 +02:00
Stanislav Laznicka
427bbf6c0d The LDAP*ReverseMember shouldn't imply --all is always specified
The LDAP*ReverseMember methods would always return the whole LDAP
object even though --all is not specified.
Also had to fix some tests as objectClass will not be returned by
default now.

https://fedorahosted.org/freeipa/ticket/5892

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-29 10:44:30 +02:00
Stanislav Laznicka
30d054a573 Revert "Removed dead code from LDAP{Remove,Add}ReverseMember"
While the code was really dead, it should serve a purpose elsewhere.
This reverts commit c56d65b064.

https://fedorahosted.org/freeipa/ticket/5892

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-29 10:44:30 +02:00
Fraser Tweedale
6e4e522e52 cert-find: fix 'issuer' option
The 'issuer' option of cert-find was recently changed from Str to
DNParam, however, 'ra.find' expects a string and throws when it
receives a DN.

When constructing the dict that gets passed to 'ra.find', turn
DNParams into strings.

Part of: https://fedorahosted.org/freeipa/ticket/5381

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-29 09:54:18 +02:00
Jan Cholasta
8466e94440 schema: support plugin versioning
Update API schema server and client code to support plugin versioning.

https://fedorahosted.org/freeipa/ticket/4427

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-28 13:30:49 +02:00
Jan Cholasta
4284d4fb4d plugable: support plugin versioning
Allow multiple incompatible versions of a plugin using the same name. The
current plugins are assumed to be version '1'.

The unique identifier of plugins was changed from plugin name to plugin
name and version. By default, the highest version available at build time
is used. If the plugin is an unknown remote plugin, version of '1' is used
by default.

https://fedorahosted.org/freeipa/ticket/4427

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-28 13:30:49 +02:00
Jan Cholasta
9a21964877 misc: generate plugins result directly in the command
Move the code that generated result of the `plugins` command from API to
the command itself.

https://fedorahosted.org/freeipa/ticket/4427

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-28 13:30:49 +02:00
Jan Cholasta
61987b66ba automember: fix automember to work with thin client
Properly mark `cn` as primary key of `automember` object.

This fixes automember crashing on output validation expecting primary key
value of None.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-27 16:42:42 +02:00
Jan Cholasta
055dfaf657 schema: do not crash in command_defaults if argument is None
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-27 16:42:42 +02:00
Jan Cholasta
ac8e8ecdd3 schema: fix param default value handling
Advertise param's default value even when `autofill` is False. When
`autofill` is False, set `alwaysask` to True in the schema, as it is
semantically equivallent and removes redundancy.

This fixes default value disappearing in CLI for some params.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-27 16:42:42 +02:00
Martin Babinsky
7b8247a485 keep setting ipakrbprincipal objectclass on new service entries
this is required for replica promotion to work, since the ACI allowing hosts
to add their own services uses this objectclass as target filter.

This partially reverts changes from commit
705f66f749

https://fedorahosted.org/freeipa/ticket/5996

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-27 13:38:07 +02:00
Fraser Tweedale
47d33f3650 Fix IssuerDN presence check in cert search result
When checking for presence of IssuerDN in certificate search result,
we mistakenly check for the presence of the SubjectDN field, then
unsafely index into the IssuerDN field.  Check the presence of
IssuerDN correctly.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-27 13:11:57 +02:00
Martin Babinsky
9392b21271 Fix incorrect construction of service principal during replica cleanup
https://fedorahosted.org/freeipa/ticket/5985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-27 12:59:48 +02:00
Martin Basti
c6f7d94d5b DNS Locations: server-mod: fix if statement
Statement used for detection if objeclass change is needed was logically
wrong, this fixes it.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-27 10:22:39 +02:00
Stanislav Laznicka
13328bc751 topo segment-add: validate that both masters support target suffix
This patch removes the ability to add segment between hosts where
either does not support the requested suffix.

https://fedorahosted.org/freeipa/ticket/5967

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-24 13:32:02 +02:00
Stanislav Laznicka
5b5258b010 Fix topologysuffix-verify failing connections
topologysuffix-verify would have checked connectivity even between hosts that
are not managed by the given suffix.

https://fedorahosted.org/freeipa/ticket/5967

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-24 13:32:02 +02:00
Martin Basti
926462d335 Server-del: fix system records removal
Services on replica to be removed  must be deleted first, otherwise
update of system records will not take this change into account

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-23 12:33:43 +02:00
Martin Babinsky
705f66f749 IPA API: set krbcanonicalname instead of ipakrbprincipalalias on new entities
Hosts, services, and (stage)-users will now have krbcanonicalname attribute
set to the same value as krbprincipalname on creation. Moreover, new services
will not have ipakrbprincipalalias set anymore.

Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-06-23 09:48:06 +02:00
Stanislav Laznicka
9a8c5c9dfd host/service-show/find shouldn't fail on invalid certificate
host/service-show/find methods would have failed if the first
certificate they had in userCertificate attribute were invalid.
Expected behavior is that they just show the rest of the reqested
attributes.

https://fedorahosted.org/freeipa/ticket/5797

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-22 17:43:14 +02:00
Martin Babinsky
be3ad1ed7a server-del: harden check for last roles
The current implementation of check for last CA/DNS server and DNSSec key
master in `server-del` is quite fragile and wroks with quite a few assumptions
which may not be always true (CA and DNS is always configured etc.).

This patch hardens the check so that it does not break when the above
assuptions do not hold.

https://fedorahosted.org/freeipa/ticket/5960

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-22 17:26:56 +02:00
David Kupka
a5f48476ad schema: return fingerprint as unicode text
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-21 16:23:43 +02:00
David Kupka
d0e708cba2 schema: Cache schema in api instance
To avoid generating schema for every schema command call store schema in
api instance when first generated and reuse it in next calls.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-21 15:11:19 +02:00
David Kupka
4b97cabb52 schema: Add known_fingerprints option to schema command
When client requests schema it can list fingerprints of cached schemas
and server responds with SchemaUpToDate exception specifying fingeprint
of schema to use.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-21 15:11:19 +02:00
David Kupka
034a111972 schema: Add fingerprint and TTL
Calculate fingerprint for schema in deterministic way. Send fingerprint
value together with schema. Send TTL with schema to inform client about
caching interval.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-21 15:11:19 +02:00
Pavel Vomacka
f85c347f4d Add placeholder to add segment dialog
'Autogenerated' placeholder is shown when adding new segment.

https://fedorahosted.org/freeipa/ticket/5867

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-21 14:15:56 +02:00
Petr Spacek
22f4045f72 DNS: Fix realm domains integration with DNS zone add.
Realmdomains integration into DNS commands pre-dates split of DNS forward zones
and DNS master zones into two distinct commands.

There was an forgotten condition in dnszone_add command which caused omission
of DNS master zones with non-empty forwarders from realmdomain list.

https://fedorahosted.org/freeipa/ticket/5980

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-21 13:46:15 +02:00
Martin Babinsky
702ab0008b Do not update result of *-config-show with empty server attributes
If a server attribute such as DNSSec Key master is unset, None is passed as
the attribute value into the upper API layers and displayed in the output of
`dnsconfig-show` et al. We should not show this and leave the attribute empty
instead.

https://fedorahosted.org/freeipa/ticket/5960

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-21 13:07:24 +02:00
Jan Cholasta
894be1bd50 dns: fix dns_update_system_records to work with thin client
https://fedorahosted.org/freeipa/ticket/2008
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-21 13:03:14 +02:00
Petr Spacek
f2974b8d96 DNS: Warn about restart when default TTL setting DNS is changed
bind-dyndb-ldap 10.0 has to be restarted after each change to default
TTL.

https://fedorahosted.org/freeipa/ticket/2956

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-21 12:38:00 +02:00
Petr Spacek
eefdcc6b07 DNS: Support default TTL setting for master DNS zones
https://fedorahosted.org/freeipa/ticket/2956

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-21 12:38:00 +02:00
Jan Cholasta
b00dbca98f cert: allow search by certificate
Allow search by certificate data or file in cert-find.

https://fedorahosted.org/freeipa/ticket/5381

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-21 09:45:20 +02:00
Jan Cholasta
9b2146be40 cert: add owner information
Get owner information from LDAP in cert-show and cert-find. Allow search by
owner in cert-find.

https://fedorahosted.org/freeipa/ticket/5381

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-21 09:45:20 +02:00
Jan Cholasta
d44ffdad42 cert: add object plugin
Implement cert as an object with methods rather than a bunch of loosely
related commands.

https://fedorahosted.org/freeipa/ticket/5381

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-21 09:45:20 +02:00
Jan Cholasta
8cc8b6fb10 schema: remove no_cli from command schema
Instead, support excluding commands from specified contexts and exclude
commands with NO_CLI set from the 'cli' context.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Jan Cholasta
cbe73c6d28 schema: remove redundant information
Remove the `autofill` kwarg from param schema. On the server, include
default value only if autofill is set. On the client, set autofill if param
has a default value.

Remove the `deprecated_cli_aliases`, `hint` and `sortorder` kwargs, and the
`dnsrecord_extra`, `dnsrecord_part` and `suppress_empty` flags from param
schema, as they are now handled exclusively on the client.

Replace the `no_option` and `no_output` flags in param schema with
exclusion of the param in 'cli' and 'webui' contexts.

Remove the `no_display` flag from output schema, as it is now handled
exclusively on the client.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Jan Cholasta
d0cfe37a7e schema: merge command args and options
Rather than having args and options separately in command schema, merge
them together and use new `positional` param flag to differentiate between
them.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Jan Cholasta
91faf3ecd7 schema: remove output_params
Since output params are copied from object plugins, remove them from
command schema and include object name instead.

One exception to this are the output params used for failed members in
member add/remove commands. Move these to the client side, as they will
be replaced by warnings.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Jan Cholasta
ec1b3e71b2 schema: add object class schema
Support object classes defined by object plugins in API schema.

Added new commands `class-show` and `class-find` to retrieve information
about object classes. `param-show` and `param-find` now support both
commands and classes.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Jan Cholasta
3ec7a52aea permission: handle ipapermright deprecated CLI alias on the client
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Jan Cholasta
71de8878bd passwd: handle sort order of passwd argument on the client
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Jan Cholasta
234270dc75 dns: do not rely on custom param fields in record attributes
Obtain the information provided by the `hint` kwarg and `dnsrecord_part`
and `dnsrecord_extra` flags by other means.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Jan Cholasta
ade8d42525 automember: add object plugin for automember_rebuild
Change automember_rebuild into a method of a new automember_task object.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Jan Cholasta
f554078291 frontend: don't copy command arguments to output params
Use only object params and params defined in has_output_params as output
params. This removes unnecessary duplication of params defined both in
object plugins and as command arguments.

This requires all command output params to be properly defined in either
the object plugins or the command's has_output_params. Fix the plugins
where this wasn't true.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Yuri Chornoivan
a95e0777ac Fix minor typos
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-20 13:49:32 +02:00
Martin Babinsky
a540c909a7 Fix listing of enabled roles in server-find
The roles can be thought of as membership attributes so we should only
list
them if `--all` is specified and `--no-members` is not.

Also do not show them if `--raw` is passed in.

https://fedorahosted.org/freeipa/ticket/5181

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 19:00:14 +02:00
Martin Babinsky
a6eb87bd68 server-del: perform full master removal in managed topology
This patch implements most of the del_master_managed() functionality as a part
of `server-del` command.

`server-del` nows performs these actions:
  * check topology connectivity
  * check that at least one CA/DNS server and DNSSec masters are left
    after removal
  * cleanup all LDAP entries/attributes exposing information about the master
  * cleanup master DNS records
  * remove master and service principals
  * remove master entry from LDAP
  * check that all segments pointing to the master were removed

  `server-del` now accepts the following options:
  * `--force`: force master removal even if it doesn't exist
  * `--ignore-topology-disconnect`: ignore errors arising from disconnected
    topology before and after master removal
  * `--ignore-last-of-role`: remove master even if it is last DNS server,
    and DNSSec key master. The last CA will *not* be removed regardless of
    this option.

https://fedorahosted.org/freeipa/ticket/5588

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 18:55:19 +02:00
Martin Babinsky
d8ae2b4055 ipaserver module for working with managed topology
This module should aggregate common functionality utilized in the commands
managing domain-level 1 topology.

https://fedorahosted.org/freeipa/ticket/5588

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 18:55:19 +02:00
Martin Basti
8253727de1 DNS Locations: dnsserver: print specific error when DNS is not installed
Print 'DNS is not configured' if there is no IPA DNS in domain

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
e82ce439c4 DNS Location: add list of roles and DNS servers to location-show
Add to output list of DNS servers which advertise location and list fo
roles per server

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
4155eb7b13 DNS Locations: Rename ipalocationweight to ipaserviceweight
Service weight explains better meaning of attribute than location
weight, because location itself have no weight only services have.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
3c50e42036 DNS Locations: location-del: remove location record
Remove unused location records

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
b2931210eb DNS Locations: prevent to remove used locations
User should be notified that location is used by IPA server(s) and
deletion should be aborted.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
8dde1201ed DNS Locations: show warning if there is no DNS servers in location
DNS servers must be in each location, otherwise DNS location without DNS
server assigned will not work.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
1997733cdf DNS Locations: require to restart named-pkcs11 affter location change
Send a warning message that named-pkcs11 service must be restarted after
changes related to locations or server weight

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
ef12cad30b DNS Locations: set proper substitution variable
DNS Server (bind-dyndb-ldap) needs to have set
'idnsSubstitutionVariable;ipalocation' in ldap to the proper location

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
2157ea0e6d DNS Locations: dnsserver-* commands
New commands for manipulation with DNS server configuration were added:
 * dnsserver-show
 * dnsserver-mod
 * dnsserver-find

https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP
https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
4076e8e4e5 DNS Locations: server-mod: add automatic records update
For any location or server weight change is required to update records

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
e23159596e DNS Locations: command dns-update-system-records
command dns-update-system-records updates/fixes DNS records for IPA
services:
* updating A, AAAA records for CA
* updating SRV records for LDAP, kerberos and AD trust
* updating TXT record in _kerberos with proper realm
* updating dns locations if used

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
cf634a4ff8 DNS Locations: add ACI for template attribute
DNS Servers and DNS Administrators must have access to
'idnsTemplateAttribute' to be able set/read template
for generating CNAME records pointing to proper location records.

Also user must be able to add objectclass for idnsTemplateAttribute

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
394b094fc2 DNS Locations: permission: allow to read status of services
New permission was added: "System: Read Status of Services on IPA Servers"
This permission is needed for detection which records should be created
on which servers.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
87c23ba029 DNS Locations: DNS data management
Adding module that allows to work with IPA DNS system records:
* getting system records
* updating system records
* work with DNS locations

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
d7671ee667 DNS Locations: fix location-del
The wrong option was used

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Yuri Chornoivan
dd6645afa9 Fix minor typos
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-16 08:47:20 +02:00
Jan Cholasta
a64aba36a4 schema: exclude local commands
Commands inherited from Local can't be executed remotely, so exclude them
from API schema.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
448af06234 dns, passwd: fix outputs of dns_resolve and passwd commands
Use proper output type for the `value` output of the commands.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
e2a8290af1 batch, schema: use Dict instead of Any
Add new Dict parameter class and use it in the batch and command_defaults
plugins.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Martin Babinsky
3e6af238bb Introduce "NTP server" role
This makes IPA servers that publish their NTP services in LDAP searchable by
`server-role-find` and `server-find` command.

The list of active IPA NTP servers will be displayed in to output of `ipa
config-show` command.

https://fedorahosted.org/freeipa/ticket/5815

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-15 13:51:48 +02:00
Alexander Bokovoy
905db92e61 adtrust: optimize forest root LDAP filter
`ipa trust-find' command should only show trusted forest root domains

The child domains should be visible via

   ipa trustdomain-find forest.root

The difference between forest root (or external domain) and child
domains is that root domain gets ipaIDObject class to allow assigning a
POSIX ID to the object. This POSIX ID is used by Samba when an Active
Directory domain controller connects as forest trusted domain object.

Child domains can only talk to IPA via forest root domain, thus they
don't need POSIX ID for their TDOs. This allows us a way to
differentiate objects for the purpose of 'trust-find' /
'trustdomain-find' commands.

Fixes https://fedorahosted.org/freeipa/ticket/5942

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 10:02:33 +02:00
Pavel Vomacka
5e5df4abf0 Extend caacl entity
There is new checkbox in adding new caacl which can set whether the ACL applies on all
CAs or not. Also there is a new table with CAs on which is current ACL applied. User
can add and remove CAs from this table.

Part of: https://fedorahosted.org/freeipa/ticket/5939

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-15 09:59:50 +02:00
Pavel Vomacka
f4dd2446cd Extend certificate entity page
Add field for choosing CA when issuing new certificate. Add new item to action menu
on cert details page which allows user to download the certificate as file.

Part of: https://fedorahosted.org/freeipa/ticket/5939

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-15 09:59:50 +02:00
Fraser Tweedale
08e0aa23b0 Add issuer options to cert-show and cert-find
Add options to cert-show and cert-find for specifying the issuer as
a DN, or a CA name.

Also add the issuer DN to the output of cert-find.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 07:13:38 +02:00
Fraser Tweedale
ae6d5b79fb Update cert-request to allow specifying CA
Add the '--ca' option to the 'ipa cert-request' command, for
specifying the CA to which to direct the request.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 07:13:38 +02:00
Fraser Tweedale
0b0c07858a Add CA argument to ra.request_certificate
Add the optional 'ca_id' argument to ra.request_certificate(), for
passing an Authority ID to Dogtag.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 07:13:38 +02:00
Fraser Tweedale
9c93015e78 Update 'caacl' plugin to support lightweight CAs
For backwards compatibility, an ACL that has no CAs and no CA
category allows access to the IPA CA (host authority) only.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 07:13:38 +02:00
Fraser Tweedale
3d4db834ca Add 'ca' plugin
This commit adds the 'ca' plugin for creating and managing
lightweight CAs.  The initial implementation supports a single level
of sub-CAs underneath the IPA CA.

This commit also:

- adds the container for FreeIPA CA objects

- adds schema for the FreeIPA CA objects

- updates ipa-pki-proxy.conf to allow access to the Dogtag
  lightweight CAs REST API.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 07:13:38 +02:00
Pavel Vomacka
1eb5760018 Add server roles on topology page
Adds new tab on topology page which shows server roles. Also extends
server details page and server config page (setting of ca renewal server).

https://fedorahosted.org/freeipa/ticket/5906

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-14 18:27:31 +02:00
Florence Blanc-Renaud
2c7ec27ad9 batch command can be used to trigger internal errors on server
In ipalib, the batch command expects a specific format for arguments.
The code did not check the format of the parameters, which could trigger
internal errors on the server.
With this fix:
- a ConversionError is raised if the arg passed to batch() is not a list of
dict
- the result appended to the batch results is a ConversionError if the
'params' does not contain a tuple(list,dict)

https://fedorahosted.org/freeipa/ticket/5810

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-06-14 09:26:15 +02:00
Martin Babinsky
21def4fde0 Server Roles: provide an API for setting CA renewal master
`ipa config-mod` gained '--ca-renewal-master' options which can be used to
set CA renewal master to a different server. Obviously, this server has to
have CA role enabled.

https://fedorahosted.org/freeipa/ticket/5689
http://www.freeipa.org/page/V4/Server_Roles

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00
Martin Babinsky
5f7086e718 Server Roles: make *config-show consume relevant roles/attributes
This patch modifies config objects so that the roles/attributes relevant to
the configuration are shown in the output:

* config-{show,mod} will show list of all IPA masters, CA servers and CA
  renewal master

* dnsconfig-{show,mod} will list all DNS server and DNS key master

* trustconfig-{show,mod} will list all AD trust controllers and agents

* vaultconfig-show will list all Key Recovery Agents

http://www.freeipa.org/page/V4/Server_Roles
https://fedorahosted.org/freeipa/ticket/5181

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00
Martin Babinsky
b9aa31191b Server Roles: make server-{show,find} utilize role information
server-show command will now display list of roles enabled on the master
(unless `--raw` is given).

server-find gained `--servroles` options which facilitate search for server
having one or more enabled roles.

http://www.freeipa.org/page/V4/Server_Roles
https://fedorahosted.org/freeipa/ticket/5181

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00
Martin Babinsky
80cbddaa37 Server Roles: public API for server roles
This patch implements the `serverroles` API plugin which introduces the
following commands:

    * server-role-show SERVER ROLE: show status of a single role on a server
    * server-role-find [--server SERVER [--role SERVROLE [--status=STATUS]]]:
      find role(s) SERVROLE and return their status on IPA
      masters. If --server option is given, the query is limited to this
      server. --status options filters the output by status [enabled vs.
      configurer vs. absent]

https://fedorahosted.org/freeipa/ticket/5181
http://www.freeipa.org/page/V4/Server_Roles

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00
Martin Babinsky
d07b7e0f6f Server Roles: Backend plugin to query roles and attributes
`serverroles` backend consumes the role/attribute instances defined in
`ipaserver/servroles.py` module to provide low-level API for querying
role/attribute status in the topology. This plugin shall be used to implement
higher-level API commands.

https://www.freeipa.org/page/V4/Server_Roles
https://fedorahosted.org/freeipa/ticket/5181

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-13 17:50:54 +02:00
Alexander Bokovoy
5b0dbe7e59 webui: show UPN suffixes in trust properties
https://fedorahosted.org/freeipa/ticket/5937

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-06-11 17:28:25 +02:00
Alexander Bokovoy
bb75f5a583 adtrust: support UPNs for trusted domain users
Add support for additional user name principal suffixes from
trusted Active Directory forests. UPN suffixes are property
of the forest and as such are associated with the forest root
domain.

FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
attribute of ipaNTTrustedDomain object class.

In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.

For more details on UPN and naming in Active Directory see
https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx

https://fedorahosted.org/freeipa/ticket/5354

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-11 17:25:50 +02:00
Alexander Bokovoy
a0f953e0ff adtrust: remove nttrustpartner parameter
MS-ADTS spec requires that TrustPartner field should be equal to the
commonName (cn) of the trust. We used it a bit wrongly to express
trust relationship between parent and child domains. In fact, we
have parent-child relationship recorded in the DN (child domains
are part of the parent domain's container).

Remove the argument that was never used externally but only supplied by
trust-specific code inside the IPA framework.

Part of https://fedorahosted.org/freeipa/ticket/5354

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-10 12:24:00 +02:00
Martin Basti
478017357b Revert "adtrust: remove nttrustpartner parameter"
This reverts commit 185806432d.

The wrong version of patch has been pushed.

https://fedorahosted.org/freeipa/ticket/5354

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-10 12:20:17 +02:00
Alexander Bokovoy
185806432d adtrust: remove nttrustpartner parameter
MS-ADTS spec requires that TrustPartner field should be equal to the
commonName (cn) of the trust. We used it a bit wrongly to express
trust relationship between parent and child domains. In fact, we
have parent-child relationship recorded in the DN (child domains
are part of the parent domain's container).

Remove the argument that was never used externally but only supplied by
trust-specific code inside the IPA framework.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-10 09:58:43 +02:00
Alexander Bokovoy
8ca7a4c947 trusts: Add support for an external trust to Active Directory domain
External trust is a trust that can be created between Active Directory
domains that are in different forests or between an Active Directory
domain. Since FreeIPA does not support non-Kerberos means of
communication, external trust to Windows NT 4.0 or earlier domains is
not supported.

The external trust is not transitive and can be established to any
domain in another forest. This means no access beyond the external
domain is possible via the trust link.

Resolves: https://fedorahosted.org/freeipa/ticket/5743
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-09 21:04:31 +02:00
Jan Cholasta
585e0d1b8c schema: fix topic command output
Return topic names as text instead of binary blob.

This fixes ipa help topic display.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-09 09:11:28 +02:00
Jan Cholasta
3157eec28f replica install: use remote server API to create service entries
Use the existing remote server API to create service entries instead of a
client API.

This fixes a crash during replica promotion due to unavailable schema.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-09 09:11:28 +02:00
Jan Cholasta
9c19dd3506 schema: do not validate unrequested params in command_defaults
Request specific params when getting the defaults instead of getting
defaults for all params and filtering the result.

This fixes command_defaults failing with validation errors on unrequested
params.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-09 09:11:28 +02:00
Pavel Vomacka
afededacb9 Auth Indicators WebUI part
Add custom_checkbox_widget on service page. The old  aci.attribute_widget
now inherits from the new base class custom_checkboxes_widget and overrides
the populate method.

https://fedorahosted.org/freeipa/ticket/5872

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-07 19:30:07 +02:00
Pavel Vomacka
91ac959fe5 Extend the certificate request dialog
The command for requesting certificate for hosts and services is extended.
There is added how to add DNS name as subjectAltName.

https://fedorahosted.org/freeipa/ticket/5645

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-06 18:34:33 +02:00
Stanislav Laznicka
c56d65b064 Removed dead code from LDAP{Remove,Add}ReverseMember
https://fedorahosted.org/freeipa/ticket/5892

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-06 18:26:14 +02:00
Fraser Tweedale
fa149cff86 Remove service and host cert issuer validation
When adding certifiates to a host or service entry, we currently
check that the issuer matches the issuer DN of the IPA CA.  Now that
sub-CAs have been implemented, this check is no longer valid and
will cause false negatives.  Remove it and update call sites.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-06 08:58:01 +02:00
Pavel Vomacka
fdd2265bc4 Change 'Restore' to 'Remove Hold'
To be consistent with CLI the restoring certificate is renamed to
removing certificate hold in all WebUI components.

https://fedorahosted.org/freeipa/ticket/5878

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-03 16:29:54 +02:00