Commit Graph

3791 Commits

Author SHA1 Message Date
Rob Crittenden
7ab1bcb2d3 Re-organize HSM validation to be more consistent/less duplication
hsm_validator() was more or less bolted in place late in the
development cycle in order to catch some of the more common
problems: bad token name, bad password, etc.

There was a fair bit of duplication and had the side-effect of not
reading in the token password from the --token-password-file option
in some cases.

This patch also re-adds a lost feature where an exception is raised if
both the --token-password and --token-password-file options are passed
in.

This also needs to be enforced on initial server, replica and when
called by ipa-kra-install. Given that each has a unique subset of
options some duplication remains.

Fixes: https://pagure.io/freeipa/issue/9603

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-15 10:26:54 -04:00
Mark Reynolds
efa5719363 ipa-migrate - remove -V option
The versioning in ipa-migrate was removed, but the "-V" option to display the version was not removed.

Fixes: https://pagure.io/freeipa/issue/9620

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-11 13:59:16 +02:00
Shunsuke matsumoto
06c02f5f2c The -d option of the ipa-advise command was able to be used.
The -d option of the ipa-advise command was unavailable, so the default value was changed to True to enable its use.

Fixes: https://pagure.io/freeipa/issue/9625
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-07-11 10:30:59 +02:00
Rob Crittenden
9e364910f5 Clean up more files and directories created by the installer(s)
Ideally all files created during an IPA server installation are
removed by the uninstaller. Some files are purposefully left,
like token passwords, private keys, logs and more. Add an
allow list for those files.

Include a test to catch any additional files that may be created
and left behind.

Fixes: https://pagure.io/freeipa/issue/8080

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-06-26 13:30:48 +02:00
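One way to implement the "catch leftover files" test described in the commit above, as an added example that is not FreeIPA's own test code. It snapshots a directory tree before a simulated install and again after a simulated uninstall, then reports any new paths that are not covered by an allow list. The directory layout, file names and allow-list patterns are constructed for the example; FreeIPA's real allow list and test live in its own tree.

```python
"""Detect files an installer left behind, ignoring an explicit allow list.

Added example, not FreeIPA code. Paths are relative to a temporary root so
the whole thing runs offline; the install/uninstall steps are simulated.
"""
import fnmatch
import os
import tempfile


def snapshot_files(root):
    """Return the set of regular file paths under root, relative to root."""
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            found.add(os.path.relpath(os.path.join(dirpath, name), root))
    return found


def leftovers(before, after, allow_patterns):
    """Files present after uninstall but not before, minus allow-listed ones.

    allow_patterns are shell-style globs (fnmatch) matched against the
    relative path, e.g. "var/log/*" keeps every log file.
    """
    new = after - before
    return sorted(
        p for p in new
        if not any(fnmatch.fnmatchcase(p, pat) for pat in allow_patterns)
    )


def _write(root, rel, data=b""):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Simulate install and uninstall (constructed); return the leftover list."""
    with tempfile.TemporaryDirectory() as root:
        before = snapshot_files(root)

        # "install" phase: config, a token password, a log and a temp file
        _write(root, "etc/ipa/default.conf", b"[global]\n")
        _write(root, "etc/pki/token.pwd", b"secret\n")
        _write(root, "var/log/ipaserver-install.log", b"...\n")
        _write(root, "var/lib/ipa/stray.tmp")

        # "uninstall" phase: removes the config but forgets the temp file
        os.remove(os.path.join(root, "etc/ipa/default.conf"))
        after = snapshot_files(root)

        # files that are purposefully left behind (constructed allow list)
        allow = ["var/log/*", "etc/pki/token.pwd"]
        return leftovers(before, after, allow)


if __name__ == "__main__":
    for path in demo():
        print("left behind:", path)
```

The test should fail on any path not in the allow list, so the allow list stays the single place where "this file is meant to survive uninstall" is recorded.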
Florence Blanc-Renaud
c8e3fdeb00 PKINIT certificate: fix renewal on hidden replica
The renewal of PKINIT cert on hidden replica is failing because
of a test ensuring that the KDC service is either enabled or
configured. The test needs to be extended and allow hidden, too.

Fixes: https://pagure.io/freeipa/issue/9611
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-06-26 07:36:53 +02:00
Florence Blanc-Renaud
9de053ef02 ipa-otptoken-import: open the key file in binary mode
ipa-otptoken-import provides an option (-k KEYFILE) to import
an encrypted PSKC file but this option does not work with python3
in RHEL8 and above, because the key should be passed in binary
format to the cryptography functions instead of string format.

Open the keyfile in binary mode to pass the expected format.

Fixes: https://pagure.io/freeipa/issue/9609
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-06-18 08:46:14 +02:00
Rob Crittenden
ebccaac3cf Add iparepltopoconf objectclass to topology permissions
The domain and ca objects were unreadable which caused
the connection lines between nodes in the UI to not be
visible.

Also add a manual ACI to allow reading the min/max
domain level.

Fixes: https://pagure.io/freeipa/issue/9594

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2024-06-12 16:43:25 -04:00
Rob Crittenden
584d0cecbc Use a unique task name for each backend in ipa-backup
The name used to be "export_%Y_%m_%d_%H_%M_%S" so if the tasks
were added within the same second the second backend would fail.

Add the backend name to the task name to ensure uniqueness.
export_{backend}_%Y_%m_%d_%H_%M_%S

Fixes: https://pagure.io/freeipa/issue/9584

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mark Reynolds <mreynolds@redhat.com>
2024-06-10 14:59:18 -04:00
Alexander Bokovoy
5368120805 custodia: do not use deprecated jwcrypto wrappers
jwcrypto turned the JWK object into a dict-like structure in 2020 and
marked data wrappers as deprecated. The only exception for direct
foo['bar'] access is a key ID -- some keys might have no 'kid' property,
thus it is best to use jwk.get('kid') instead for those.

Fixes: https://pagure.io/freeipa/issue/9597

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-05-23 15:12:27 -04:00
Alexander Bokovoy
fd0f432fec ipalib: move json formatter to a separate file
To prevent cyclic imports, move JSON handling code to a separate file.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-05-22 17:06:23 -04:00
Alexander Bokovoy
9e861693fc batch: add keeponly option
batch(methods=Dict(), keeponly=list) will allow executing a batch of
commands and removing from the output everything but the attributes whose
names were passed in the keeponly list.

This can be useful if you are only interested in getting names and
assigned random passwords, for example.

Fix batch API test in test_integration/test_idm_api.py and use it to
validate keeponly option.

Fixes: https://pagure.io/freeipa/issue/9583

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-05-22 10:03:38 +02:00
Alexander Bokovoy
6cc0a0b9a8 pylint: use yield_from for trivial cases
Follow pylint recommendations (turned errors in recent pylint updates)
and use PEP-380 syntax for subgenerators. This is supported by all
Python 3 versions since ~2011.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-05-22 10:03:38 +02:00
Alexander Bokovoy
c325f9c045 user: handle LDAP auto-bind for whoami case
In an LDAP auto-bind situation we will not have a Kerberos principal
available, so we should be using a different mechanism to find the
object. Since we already have a valid bound LDAP DN, use it as a base DN
here and simply require presence of the POSIX account.

This will not match 'cn=Directory Manager' but none of the code we have
uses LDAP auto-bind as root when calling 'ipa user-find --whoami'.

Fixes: https://pagure.io/freeipa/issue/9583

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-05-22 10:03:38 +02:00
Alexander Bokovoy
902c8b0bae passwd: handle LDAP auto-bind use case as well
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-05-22 10:03:38 +02:00
Alexander Bokovoy
e386e22046 cert: use context.principal only when it is defined
In server-like context we use LDAPI connection with auto-binding to LDAP
object based on the UID of the process connecting to LDAPI UNIX domain
socket. This means context.principal is not set and we cannot use it.

When processing certificate issuance requests care has to be taken to
match operations done as LDAP auto-bind to actual principals for
validation. This is a tough one as we have no principal to match for
cn=Directory Manager. Use fake principal to fail validation here and
rely on LDAP ACIs instead.

Fixes: https://pagure.io/freeipa/issue/9583

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-05-22 10:03:38 +02:00
Alexander Bokovoy
b6131b5737 trust: handle stray pylint warning
We only get to this code path when running in the server context. At
that point _bindings_installed will be defined. Pylint cannot track this
and always fails with this check.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-05-22 10:03:38 +02:00
Alexander Bokovoy
08f1e6f2fd trust: use context.principal only when it is defined
In server-like context we use LDAPI connection with auto-binding to LDAP
object based on the UID of the process connecting to LDAPI UNIX domain
socket. This means context.principal is not set and we cannot use it.

Make sure to reject requests unless we are operating as a Directory
Manager in such cases.

Fixes: https://pagure.io/freeipa/issue/9583

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-05-22 10:03:38 +02:00
Alexander Bokovoy
ab5465639d server: use context.principal only when it is defined
In server-like context we use LDAPI connection with auto-binding to LDAP
object based on the UID of the process connecting to LDAPI UNIX domain
socket. This means context.principal is not set and we cannot use it.

Make sure to reject requests unless we are operating as a Directory
Manager in such cases.

Fixes: https://pagure.io/freeipa/issue/9583

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-05-22 10:03:38 +02:00
Alexander Bokovoy
71d886f071 config: use context.principal only when it is defined
In server-like context we use LDAPI connection with auto-binding to LDAP
object based on the UID of the process connecting to LDAPI UNIX domain
socket. This means context.principal is not set and we cannot use it.

Make sure to reject requests unless we are operating as a Directory
Manager in such cases.

Fixes: https://pagure.io/freeipa/issue/9583

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-05-22 10:03:38 +02:00
Alexander Bokovoy
3608b2b63d batch: account for auto-binding in server context
When batch runs under server context, we have no context.principal set
because we talk directly to LDAPI endpoint and authenticate using
auto-binding, not GSSAPI. Account for that in the logger.

Fixes: https://pagure.io/freeipa/issue/9583

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-05-22 10:03:38 +02:00
Alexander Bokovoy
295ac6385c privilege: use context.principal only when it is defined
In server-like context we use LDAPI connection with auto-binding to LDAP
object based on the UID of the process connecting to LDAPI UNIX domain
socket. This means context.principal is not set and we cannot use it.

In principal_has_privilege() we can take None principal object as a sign
that currently bound LDAP DN has to be checked for the privilege. This
allows matching any type of account to the privilege, with the exception
of cn=Directory Manager which is never added to privileges explicitly.

cn=Directory Manager will be allowed any privilege because it already
can write to any LDAP entry.

Fixes: https://pagure.io/freeipa/issue/9583

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-05-22 10:03:38 +02:00
Rob Crittenden
6fc35156d9 Add permissions for topologysegment
I don't know why these weren't added originally when the
topology plugin was created.

Add them all to the 'Replication Administrators' privilege

Fixes: https://pagure.io/freeipa/issue/9594

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-05-22 10:00:39 +02:00
Thomas Woerner
9dc57ef77e idviews: Use ipaAnchorUUID without DCERPC bindings for SID anchors
SID anchors are only resolvable on servers with DCERPC bindings
installed. On non-agent replicas these bindings are not installed and
therefore group and role management if there are AD user idoverride
members.

If there is an ipaUserOverride for the anchor, the ipaoriginaluid is
returned.

Fixes: https://pagure.io/freeipa/issue/9544

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-05-22 09:59:34 +02:00
Rob Crittenden
f225b3df17 Don't try to validate the HSM arguments on a non-HSM installation
If there is no token name it is safe to assume that an HSM
installation is not requested. The validator assumes that if
there is a token name then the library and password are also
provided.

Fixes: https://pagure.io/freeipa/issue/9593

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-20 14:46:55 -04:00
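The option rules spelled out in the two HSM validator commits above (skip validation when no token name is given; reject --token-password together with --token-password-file; otherwise read the password from the file) as an added example. This is not FreeIPA's hsm_validator(): the HsmOptions container, the HsmOptionError class and the plain file-existence check on the library path are assumptions of this example (FreeIPA validates the library via modutil, and prompts for a missing password rather than failing, neither of which is modelled here).

```python
"""Resolve HSM installer options before touching the CA.

Added example, not FreeIPA code. Option names mirror the installer flags;
everything else (types, error class, library check) is assumed.
"""
import os
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class HsmOptions:
    """Subset of installer options relevant to HSM validation (assumed shape)."""
    token_name: Optional[str] = None
    token_library_path: Optional[str] = None
    token_password: Optional[str] = None
    token_password_file: Optional[str] = None


class HsmOptionError(ValueError):
    """Raised for conflicting or incomplete HSM options."""


def resolve_hsm_options(opts: HsmOptions) -> Optional[str]:
    """Return the effective token password, or None when HSM is not requested.

    Validation is skipped entirely without a token name, since a token name
    is the one signal that an HSM installation was requested.
    """
    if not opts.token_name:
        return None
    if opts.token_password and opts.token_password_file:
        raise HsmOptionError(
            "--token-password and --token-password-file are mutually exclusive")
    if not opts.token_library_path:
        raise HsmOptionError("--token-library-path is required with --token-name")
    # Stand-in for a real PKCS#11 module check (assumption of this example).
    if not os.path.isfile(opts.token_library_path):
        raise HsmOptionError(
            f"token library {opts.token_library_path} does not exist")
    if opts.token_password_file:
        try:
            with open(opts.token_password_file, "r", encoding="utf-8") as f:
                # first line only, newline stripped, so a trailing "\n" in the
                # file does not become part of the password
                password = f.readline().rstrip("\r\n")
        except OSError as e:
            raise HsmOptionError(
                f"cannot read {opts.token_password_file}: {e}") from e
        if not password:
            raise HsmOptionError("token password file is empty")
        return password
    if not opts.token_password:
        raise HsmOptionError(
            "a token password is required "
            "(use --token-password or --token-password-file)")
    return opts.token_password


def demo() -> dict:
    """Exercise the rules with constructed inputs; return the observed outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "libsofthsm2.so")  # constructed stand-in module
        pwfile = os.path.join(d, "token.pwd")
        open(lib, "wb").close()
        with open(pwfile, "w", encoding="utf-8") as f:
            f.write("hunter2\n")
        results["no_hsm"] = resolve_hsm_options(HsmOptions())
        results["from_file"] = resolve_hsm_options(
            HsmOptions("softhsm", lib, None, pwfile))
        results["from_arg"] = resolve_hsm_options(
            HsmOptions("softhsm", lib, "abc", None))
        try:
            resolve_hsm_options(HsmOptions("softhsm", lib, "abc", pwfile))
            results["both"] = "accepted"
        except HsmOptionError:
            results["both"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Doing these checks in one place, before pkispawn is invoked, is what makes a typo in the token name or a missing password file fail fast instead of surfacing minutes later in the CA logs.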
Rob Crittenden
c861ce5a16 Add SELinux module checking to hsm_validator
Don't blow up if the expected module is not installed but warn
about it. Hopefully users will actually read the output and/or the
installation log.

This is done by looking for strings in the path. Not great but
it's at least something.

Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
6b6c1879c5 Call hsm_validator on KRA installs and validate the HSM password
hsm_validator was validating that the token was available but
not that the provided password worked. Add that capability.

Also call it early in the CA and KRA installation cycle so that
it errors out early. This is particularly important for the KRA
because there is no uninstaller.

Bump the minimum PKI release to 11.5.0 as that contains important
fixes for the HSM.

Remove unused arguments to hsm_version and hsm_validator.

Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
ea0bf4020c After an HSM replica install ensure all certs are visible
If a certificate on a token does not have NSS trust set then
it won't be visible in the softoken. This can be disconcerting
for those used to seeing all the certificates.

Loop through the possibilities and set no trust (or Peer) for
all the certificates on the token.

Also ensure that the CA certificate has the correct nickname.

Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
b9ec2fb0a9 KRA: force OAEP for some HSM-based installations
Not all HSMs support PKCS#1 v1.5. The nShield nFast is one we know
of so force the KRA to use OAEP in this case.

This can be seen in HSMs where the device doesn't support the
PKCS#1 v1.5 mechanism. It will error out with either "invalid
algorithm" or CKR_FUNCTION_FAILED.

There is currently no good way to test for this capability in
advance of configuration. Testing for mechanisms alone is
insufficient. The only real way to test would be to attempt a
wrap/unwrap but it is very complex.

If the list of affected HSMs increases we can use a table
instead based on "best guess" of some sort of property but
looking for a unique string inside the library path is a
pretty straightforward way.

Note that this doesn't preclude someone from wanting to require
OAEP directly by modifying the KRA CS.cfg and it won't impact
FIPS mode which requires OAEP.

Related: https://pagure.io/freeipa/issue/9191

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
31fda79a0e Prompt for token password if not provided in replica/ipa-ca-install
If the password wasn't provided by --token-password then an empty
value would be passed into the CA installer which promptly failed.

Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
31d66bac64 Validate the HSM token library path and name during installation
It would fail eventually with the output in the CA logs but it
wasn't always very obvious and you had to wait a while to find
out about a typo.

Scraping modutil output is a bit ugly but it is guaranteed
to be installed and this should work both with p11-kit and
without.

Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
d0c489e282 If HSM is configured add the token name to config-show output
A token can only be set in an HSM installation so this is implicit:
if a token exists then HSM is enabled, if not then it isn't.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
a99091adc0 Add attribute ipacahsmconfiguration to the "Read CAs" ACI
This will allow the HSM stored configuration to be read.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
82c0b19acc Add HSM configuration options to installer scripts
The bulk of the installer effort to enable HSM support without
having to provide an override file.

This pulls the HSM configuration from a remote server when installing
a replica so that the token name and library don't need to be
passed with every installation.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
e3234708ac Don't move KRA keys when key backup is disabled
The KRA_BACKUP_KEYS_P12 file is not enabled when pki_backup_keys
is set to False. This is the case when IPA is configured with HSM
support.

With an HSM you don't export private keys.

Related: https://pagure.io/freeipa/issue/7677
Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
73d52a6135 Only generate kracert.p12 when not installing with HSM
The private keys are not retrievable from an HSM by
design so don't try during KRA install.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
34f28f06db Add token support to installer certificate handling
Pass along the user-provided password file, if any, to the
underlying NSS database. This will provide for per-token
passwords.

If a token is in a nickname then break it out and pass it to
certutil separately.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
e6078c639c Don't generate a cafile on HSM installations
We don't export the CA certificates on an HSM installation
because an HSM won't allow the private keys to leave the
HSM, by design.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Rob Crittenden
cba3094c9a Support the certmonger nss-user option
Some certificate operations need to be executed as a specific
user so that underlying files will have the correct ownership.
certmonger normally runs as root. The nss-user option defines
a user to switch to when saving NSS certificates so if a
software token (e.g. SoftHSM) is used, the files created will be
owned by the token owner.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
Pavel Březina
9e1e22d46b ipaserver: fix incorrect double negative in exception message
Signed-off-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-05-06 17:10:18 -04:00
Mark Reynolds
f9f96ac4a8 Issue 9570 - migrate nsaccountlock
IPA migration tool, when retrieving a remote entry from the
source/remote server request the operational attribute 'nsaccountlock'

Fixes: https://pagure.io/freeipa/issue/9570

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2024-04-15 16:06:23 +02:00
Rob Crittenden
f78d25fc97 ipa-crlgen-manage: manage the cert status task execution time
ca.certStatusUpdateInterval manages how frequently to update
the certificate status in LDAP (expired, etc).

By default this is not set on the initial master and pkispawn sets
it to 0 on replicas. This can lead to no server running this
task and therefore the status attribute not reflecting the current
state.

On enabling CRL generation remove any value which will cause PKI
to use its default. On disabling set it to 0.

Only one server should run the update status task to prevent
unnecessary replication.

Fixes: https://pagure.io/freeipa/issue/9569

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-04-15 16:03:10 +02:00
Alexander Bokovoy
d16c34997f internal: fix 'tokensfor' typo and regenerate pot file
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-04-10 09:30:53 +02:00
Rob Crittenden
6b0f6ff19e Allow the admin user to be disabled
A previous change made it not possible to remove the admin
user. This also included disabling the admin user. The user can
be disabled, just not deleted because it is required.

Move the test test_ipa_cacert_manage_prune to the end of the
class because it changes time which can break replication.

Fixes: https://pagure.io/freeipa/issue/9489

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-04-10 09:26:47 +02:00
Thomas Woerner
182dca38c2 principal_has_privilege: Check also idoverrideuser (ipaOriginalUid)
The current filter in principal_has_privilege is only working for normal
IPA users where krbprincipalname is matching the principal. An idoverride
user (for example from AD) is not found with this filter.

A new filter for the principal as an ipaOriginalUid has been added as a
second try if a match with krbprincipalname was not found.

principal_has_privilege is used in the replica connection check. The
additional check enables deploying replicas using an AD user/administrator
that has been added to the "admins" group.

Fixes: https://pagure.io/freeipa/issue/9542

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-04-05 10:05:56 +02:00
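The two-stage lookup described in the commit above (match krbprincipalname first, fall back to ipaOriginalUid for an ID override user) as an added example, not FreeIPA's principal_has_privilege(). It renders the AND filters the way an equality-only make_filter would, escapes the principal per RFC 4515 so a crafted value such as "*" cannot widen the search, and evaluates the same conditions against a small in-memory directory (constructed) instead of a live 389-ds. The privilege DN, the entries, and the assumption that an ID override entry carries memberof for the privilege are all constructed for the example.

```python
"""Two-stage principal lookup: krbprincipalname, then ipaOriginalUid.

Added example, not FreeIPA code. The directory below is constructed;
a real deployment would run the rendered filters against LDAP.
"""


def escape_filter_value(value: str) -> str:
    """Escape characters special in an LDAP filter assertion value (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def make_filter(conditions: dict) -> str:
    """Render an AND-of-equalities filter from {attribute: value}."""
    inner = "".join(
        f"({attr}={escape_filter_value(val)})" for attr, val in conditions.items()
    )
    return f"(&{inner})"


def matches(entry: dict, conditions: dict) -> bool:
    """Case-insensitive equality match of each condition against a multi-valued entry."""
    for attr, want in conditions.items():
        values = entry.get(attr.lower(), [])
        if not any(v.lower() == want.lower() for v in values):
            return False
    return True


def principal_has_privilege(directory, principal: str, privilege_dn: str):
    """Return 'user' or 'idoverride' for the lookup that matched, else None.

    Mirrors the order in the commit: a plain IPA user is tried first, then an
    ID override whose ipaOriginalUid equals the principal.
    """
    attempts = [
        ("user", {"krbprincipalname": principal, "memberof": privilege_dn}),
        ("idoverride", {"ipaoriginaluid": principal, "memberof": privilege_dn}),
    ]
    for label, conditions in attempts:
        if any(matches(e, conditions) for e in directory):
            return label
    return None


# Constructed directory: one IPA admin, one AD user override, one plain user.
PRIV = "cn=Replication Administrators,cn=privileges,cn=pbac,dc=example,dc=test"
DIRECTORY = [
    {"dn": ["uid=admin,cn=users,cn=accounts,dc=example,dc=test"],
     "krbprincipalname": ["admin@EXAMPLE.TEST"],
     "memberof": [PRIV]},
    {"dn": ["uid=ad_admin@ad.test,cn=Default Trust View,cn=views,"
            "cn=accounts,dc=example,dc=test"],
     "objectclass": ["ipaUserOverride"],
     "ipaoriginaluid": ["ad_admin@ad.test"],
     "memberof": [PRIV]},  # assumption: memberof is populated for the override
    {"dn": ["uid=bob,cn=users,cn=accounts,dc=example,dc=test"],
     "krbprincipalname": ["bob@EXAMPLE.TEST"],
     "memberof": []},
]


if __name__ == "__main__":
    for who in ("admin@EXAMPLE.TEST", "ad_admin@ad.test", "bob@EXAMPLE.TEST", "*"):
        print(who, "->", principal_has_privilege(DIRECTORY, who, PRIV))
        print("  filter:", make_filter({"krbprincipalname": who, "memberof": PRIV}))
```

Note that the in-memory matcher is equality-only, so a "*" principal is harmless here regardless of escaping; against a real LDAP server the escaping is what keeps "*" from turning the first filter into "any member of the privilege".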
Mark Reynolds
cbe1873591 IPA-to-IPA migration tool (beta)
Tool for migrating one remote IPA server to a local IPA server.
This should still be considered the beta version as it has not gone
through any QE yet

Fixes: https://pagure.io/freeipa/issue/3656

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-04-04 15:49:42 -04:00
Rob Crittenden
5d3c6b761b Return 2 when certificates are not found during requests
The ipa tool has nearly since epoch returned 2 for the case of
entry not found.

The certificate processing raises a separate error,
CertificateOperationsError, when something goes wrong.
This returns 1.

With the introduction of the JSON API most requests will get
a proper HTTP return code representing what went wrong. In this
case we can use 404 to determine if the request resulted in
a NotFound therefore can eventually return a 2 and be
consistent in return values.

Related: https://pagure.io/freeipa/issue/9562

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-04-02 23:06:43 +02:00
Christian Heimes
38d0e74b6d Move ipalib.install.kinit to ipalib
- kinit helpers are now in `ipalib.kinit`.
- helpers can now use default ccache locations like many other similar
  helpers
- helpers return the result from `run` for debugging
- constants are now in `krb_utils`
- helpers pass `KRB5*` and `GSS*` env vars along, so `KRB5_TRACE` works
- document how to kinit for `ipalib.api`

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-03-27 18:07:17 +01:00
Alexander Bokovoy
a57b665be0 idrange: only issue warning to restart services for a local range
SIDGEN plugin only uses local ID ranges and thus a restart is really
needed only when a local range is added, modified or removed.

Also fix the SSSD warning because removal of any range requires restart
everywhere, not just on a specific server.

Fixes: https://pagure.io/freeipa/issue/9558
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-27 18:04:26 +01:00
Florence Blanc-Renaud
64861a0cf9 idrange-add: add a warning because 389ds restart is required
After the addition of a new idrange, the sidgen plugin is not
immediately aware of the new idrange and a restart of 389ds is
required. Otherwise the creation of new user/group with a uid/gid
inside the new range fails to grant a SID to the user/group.

Fixes: https://pagure.io/freeipa/issue/9558

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-03-20 13:59:21 +01:00
Alexander Bokovoy
f9a1d74f5e dcerpc: invalidate forest trust info cache when filtering out realm domains
When get_realmdomains() method is called, it will filter out subdomains
of the IPA primary domain. This is required because Active Directory
domain controllers are assuming subdomains already covered by the main
domain namespace.

[MS-LSAD] 3.1.4.7.16.1, 'Forest Trust Collision Generation' defines the
method of validating the forest trust information. They are the same as
rules in [MS-ADTS] section 6.1.6. Specifically,

  - A top-level name must not be superior to an enabled top-level name
    for another trusted domain object, unless the current trusted domain
    object has a corresponding exclusion record.

In practice, we filtered those subdomains already but the code wasn't
invalidating a previously retrieved forest trust information.

Fixes: https://pagure.io/freeipa/issue/9551

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-19 15:20:39 +01:00
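The subdomain filtering and the cache invalidation described in the commit above, as an added example that is not FreeIPA's dcerpc code. It drops every realm domain that sits beneath the IPA primary domain (matching on a label boundary, so "notexample.test" is not mistaken for a subdomain of "example.test") and shows why a cached forest trust info list goes stale unless it is invalidated after the realm domains change. The ForestTrustInfoCache class, its fetch callable and the domain names are assumptions of this example.

```python
"""Filter subdomains of the IPA primary domain out of the realm domain list.

Added example, not FreeIPA code. Models the [MS-ADTS] rule that a top-level
name must not be superior to another enabled top-level name: any realm
domain under the primary domain is already covered and must not be
offered to AD as a separate TLN.
"""


def is_subdomain(candidate: str, parent: str) -> bool:
    """True when candidate lies strictly below parent, on a label boundary."""
    c = candidate.rstrip(".").lower()
    p = parent.rstrip(".").lower()
    return c != p and c.endswith("." + p)


def filter_realmdomains(primary: str, domains):
    """Keep the primary domain plus every domain not beneath it; dedupe, sort."""
    keep = {primary.rstrip(".").lower()}
    for d in domains:
        d = d.rstrip(".").lower()
        if not is_subdomain(d, primary):
            keep.add(d)
    return sorted(keep)


class ForestTrustInfoCache:
    """Caches the filtered TLN list; must be invalidated when realm domains change.

    fetch is a callable returning the current raw realm domain list (assumed).
    """

    def __init__(self, fetch):
        self._fetch = fetch
        self._cached = None
        self.fetch_count = 0

    def get(self, primary: str):
        if self._cached is None:
            self.fetch_count += 1
            self._cached = filter_realmdomains(primary, self._fetch())
        return self._cached

    def invalidate(self):
        self._cached = None


def demo():
    """Constructed scenario: realm domains change after the first fetch."""
    raw = ["sub.example.test", "partner.test"]
    cache = ForestTrustInfoCache(lambda: list(raw))
    first = cache.get("example.test")
    raw.extend(["sub2.example.test", "new.test"])   # realm domains modified
    stale = cache.get("example.test")                # still the old answer
    cache.invalidate()                               # what the fix adds
    fresh = cache.get("example.test")
    return first, stale, fresh, cache.fetch_count


if __name__ == "__main__":
    print(filter_realmdomains("example.test",
                              ["sub.example.test", "notexample.test", "Other.Test"]))
    print(demo())
```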