Forward policy defaults to 'first' if no IP address belonging to a private
or reserved ranges is detected on local interfaces (RFC 6303).
Defaults to only if a private IP address is detected.
This prevents problems with BIND automatic empty zones because
conflicting zones cannot be disabled unless forwarding policy == only.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
This option specified forward policy for global forwarders.
The value is put inside /etc/named.conf.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
This prevents cases when hostname on system is set inconsistently
(transient and static hostname differs) and may cause IPA errors.
This commit ensures that all hostnames are set properly.
https://fedorahosted.org/freeipa/ticket/5794
Reviewed-By: David Kupka <dkupka@redhat.com>
File httpd.service was created by RPM, what causes that httpd service may
fail due IPA specific configuration even if IPA wasn't installed or was
uninstalled (without erasing RPMs).
With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.
https://fedorahosted.org/freeipa/ticket/5681
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipa-replica-prepare could crash during addition of replica's PTR records if
there was no reverse zone managed by IPA and 'bindinstance.find_reverse_zone'
returns an unhandled None. The code will now issue a warning and skip the PTR
record addition in this case.
https://fedorahosted.org/freeipa/ticket/5740
Reviewed-By: Martin Basti <mbasti@redhat.com>
Those values differ among distributions and there is no guarantee that they're
reserved. It's better to look them up based on HTTPD_USER's name.
https://fedorahosted.org/freeipa/ticket/5712
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use ipaplatform.constants in every corner instead of importing other bits or calling
some platform specific things, and remove most of the remaining hardcoded uid's.
https://fedorahosted.org/freeipa/ticket/5343
Reviewed-By: David Kupka <dkupka@redhat.com>
Fixes current reimports and enables pylint check for them
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Global variables should be defined in the outer space, not just marked
as global inside functions.
Removes unused global variables
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Bind DN is not used for client certificate authentication so they can be
safely removed.
https://fedorahosted.org/freeipa/ticket/5298
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
nsSSLCiphers: "default" provides only secure ciphers that should be used when
connecting to DS
https://fedorahosted.org/freeipa/ticket/5684
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The 'net' command fails unless smb.conf exists. Touch
the file prior to any 'net' call to make sure we do not crash
for this very reason.
https://fedorahosted.org/freeipa/ticket/5687
Reviewed-By: Martin Basti <mbasti@redhat.com>
pylint 1.5 prints many false positive no-member errors which are
supressed by this commit.
https://fedorahosted.org/freeipa/ticket/5615
Reviewed-By: David Kupka <dkupka@redhat.com>
The deployment descriptor used during CA/KRA install was modified to use LDAPS
to communicate with DS backend. This will enable standalone CA/KRA
installation on top of hardened directory server configuration.
https://fedorahosted.org/freeipa/ticket/5570
Reviewed-By: Tomas Babej <tbabej@redhat.com>
PTR records are not mandratory for IPA, result fo checks should be only
warning not hard error.
https://fedorahosted.org/freeipa/ticket/5686
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
The scripts in this directory are simple python scripts, nothing arch-specific
in them. Having them under libexec would simplify the code a bit too, since
there would be no need to worry about lib vs lib64 (which also cause trouble
on Debian).
https://fedorahosted.org/freeipa/ticket/5586
Reviewed-By: David Kupka <dkupka@redhat.com>
This permission cannot be MANAGED permission because it is located in
nonreplicating part of the LDAP tree.
As side effect, the particular ACI has not been created on all replicas.
This commit makes Read Replication Agreements non managed permission and
also fix missing ACI on replicas.
https://fedorahosted.org/freeipa/ticket/5631
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Don't put any IPA certificates to /etc/pki/nssdb - IPA itself uses
/etc/ipa/nssdb and IPA CA certificates are provided to the system using
p11-kit. Remove leftovers on upgrade.
https://fedorahosted.org/freeipa/ticket/5592
Reviewed-By: David Kupka <dkupka@redhat.com>
DS restart executed by upgrade plugin causes that upgrade framework
is waiting for the improper socket. It leads to TimeoutError because
DS is not listening on 389 port during upgrade. This commit fixes the issue.
Required for: https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Trust entries were found by presence of ipaNTSecurityIdentifier
attribute. Unfortunately this attribute might not be there due the bug.
As replacement for this, attribute ipaNTTrustPartner can be used.
Note: other non trust entries located in cn=trusts subtree can be
cross-realm principals.
https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
During upgrade to IPA 4.2, literally "$SUFFIX" value was added to
configuration of sidgen and extdom plugins. This cause that SID are not properly configured.
Upgrade must fix "$SUFFIX" to reals suffix DN, and run sidgen task
against IPA domain (if exists).
All trusts added when plugins configuration was broken must be re-added.
https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
During IPA server upgrade, the migration of Dogtag profiles into LDAP
backend was bound to the update of CS.cfg which enabled the LDAP profile
subsystem. If the subsequent profile migration failed, the subsequent
upgrades were not executing the migration code leaving CA subsystem in
broken state. Therefore the migration code path should be executed
regardless of the status of the main Dogtag config file.
https://fedorahosted.org/freeipa/ticket/5682
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Message was printed only to stdout and leaves ipaupgrade.log without any
record that ipa-server-upgrade failed because ipa server is not
installed.
Now error is passed to logger which prints meassage to stderr and
ipaupgrade.log.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The list of supported TLS cipher suites in /etc/httpd/conf.d/nss.conf
has been modernized. Insecure or less secure algorithms such as RC4,
DES and 3DES are removed. Perfect forward secrecy suites with ephemeral
ECDH key exchange have been added. IE 8 on Windows XP is no longer
supported.
The list of enabled cipher suites has been generated with the script
contrib/nssciphersuite/nssciphersuite.py.
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA
https://fedorahosted.org/freeipa/ticket/5589
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
This patch fixes a regression introduced by commit
bef0f4c5c3. Instead of checking whether
there is CA installed in the topology, we should always start certmonger
service during upgrade regardless when CA was configured.
https://fedorahosted.org/freeipa/ticket/5655
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
When promoting a client to replica reset openldap client config so that it no
longer uses remote master as default LDAP hosts but uses local connection to
replica. Also make sure that the behavior regarding editing of user-customized
config is consistent with the client installer.
https://fedorahosted.org/freeipa/ticket/5488
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Validate the DS and HTTP certificates from the replica info file early in
ipa-replica-install to prevent crashes later.
https://fedorahosted.org/freeipa/ticket/5598
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
There is no point in setting 'enable_ra' to True in IPA config when the
replica is promoted from CA-less master. The installer should set
'enable_ra' to False and unset 'ra_plugin' directive in this case.
https://fedorahosted.org/freeipa/ticket/5626
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
when CA replica configures 'cn=replica,cn=o\=ipaca,cn=mapping tree,cn=config'
entry on remote master during replica installation, the 'nsds5replicabinddn'
and 'nsds5replicabinddngroup' attributes are not correctly updated when this
entry already existed on the master (e.g. when existing domain-level 0
topology was promoted to domain level 1). This patch ensures that these
attributes are always set correctly regardless of existence of the replica
entry.
https://fedorahosted.org/freeipa/ticket/5412
Reviewed-By: Martin Basti <mbasti@redhat.com>
When uninstalling IPA master in domain level 1 topology, the code that checks
for correct removal from topology will now consider failures to lookup host
entry in local LDAP and to obtain host TGT as a sign that the master entry was
already removed.
https://fedorahosted.org/freeipa/ticket/5584
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
