Commit Graph

1035 Commits

Author SHA1 Message Date
Martin Basti
aa2ef07b8c Upgrade special master zones to forward zones
This upgrade is executed only if IPA version is older than 4.0
Requires detection if 'idnsforwardzone' objectclass is presented in
schema before schema is upgraded

Design: http://www.freeipa.org/page/V4/Forward_zones#Updates_and_Upgrades

Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-27 14:54:35 +02:00
Martin Basti
c1f3fd6831 Added upgrade step executed before schmema is upgraded
Class PreSchemaUpdate is executed before ldap schema update

This is required by ticket: https://fedorahosted.org/freeipa/ticket/3210

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-27 14:54:35 +02:00
Nathaniel McCallum
14b38b7704 Add /session/token_sync POST support
This HTTP call takes the following parameters:
 * user
 * password
 * first_code
 * second_code
 * token (optional)

Using this information, the server will perform token synchronization.
If the token is not specified, all tokens will be searched for synchronization.
Otherwise, only the token specified will be searched.

https://fedorahosted.org/freeipa/ticket/4218

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-26 15:55:24 +02:00
Petr Vobornik
1c94edd3a0 rpcserver: fix local vs utc time comparison
login_password did not work properly in timezones other than +0h because
local time was compared with utc time.

Bug introduced in:
https://fedorahosted.org/freeipa/ticket/4339

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-26 12:37:40 +02:00
Petr Vobornik
896920ed12 rpcserver: add otp support to change_password handler
https://fedorahosted.org/freeipa/ticket/4262

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-26 12:37:38 +02:00
Petr Vobornik
7fca783ec5 ldap2: add otp support to modify_password
https://fedorahosted.org/freeipa/ticket/4262

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-26 12:37:38 +02:00
Tomas Babej
e5e42fc83a ipaplatform: Move paths from installers to paths module
Part of: https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-26 09:22:21 +02:00
Nathaniel McCallum
5baa941317 Implement OTP token importing
This patch adds support for importing tokens using RFC 6030 key container
files. This includes decryption support. For sysadmin sanity, any tokens
which fail to add will be written to the output file for examination. The
main use case here is where a small subset of a large set of tokens fails
to validate or add. Using the output file, the sysadmin can attempt to
recover these specific tokens.

This code is implemented as a server-side script. However, it doesn't
actually need to run on the server. This was done because importing is an
odd fit for the IPA command framework:
1. We need to write an output file.
2. The operation may be long-running (thousands of tokens).
3. Only admins need to perform this task and it only happens infrequently.

https://fedorahosted.org/freeipa/ticket/4261

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 12:55:02 +02:00
Jan Cholasta
8b8774d138 Remove GetEffectiveRights control when ldap2.get_effective_rights fails.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 12:10:01 +02:00
Jan Cholasta
e675e427c7 Allow SAN in IPA certificate profile.
https://fedorahosted.org/freeipa/ticket/3977

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 12:10:01 +02:00
Petr Viktorin
02b5074d84 permission plugin: Join --type objectclass filters with OR
For groups, we will need to filter on either posixgroup (which UPGs
have but non-posix groups don't) and groupofnames/nestedgroup
(which normal groups have but UPGs don't).
Join permission_filter_objectclasses with `|` and add them as
a single ipapermtargetfilter value.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 10:54:43 +02:00
Petr Viktorin
83cb982858 Add $REALM to variables supported by the managed permission updater
This will allow converting password policy permissions

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:42 +02:00
Petr Viktorin
700ac6c116 Remove the update_dns_permissions plugin
This plugin created permissions that the managed permission
updater would remove right away.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:51 +02:00
Petr Viktorin
16ee6847e4 managed permission updater: Add mechanism to replace SYSTEM permissions
The "Read DNS Entries" permission, which was marked SYSTEM (no associated
ACI), can now be converted to a regular managed permission.

Add a mechanism for the updater to replace old SYSTEM permissions.

This cannot be done in an update file because we do not want to replace
V2 permissions with the same name.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:50 +02:00
Tomas Babej
4d2ef43f28 ipaplatform: Move all filesystem paths to ipaplatform.paths module
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
c7edd7b68c ipaplatform: Remove redundant imports of ipaservices
Also fixes few incorrect imports.

https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
49fcd42f8f ipaplatform: Change service code in freeipa to use ipaplatform services
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Tomas Babej
926f8647d2 ipaplatform: Change platform dependant code in freeipa to use ipaplatform tasks
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Petr Viktorin
2f3cdba546 Make 'permission' the default bind type for managed permissions
This reduces typing (or copy/pasting), and draws a bit of attention
to any non-default privileges (currently 'any' or 'anonymous').

Leaving the bindtype out by mistake isn't dangerous: by default
a permission is not granted to anyone, since it is not included in
any priviliges.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-11 13:21:29 +02:00
Petr Viktorin
13bcd03fcf Add method to enumerate managed permission templates
This will ease writing audit and management scripts for managed permissions.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-11 13:21:29 +02:00
Petr Viktorin
e0cafea374 managed perm updater: Handle case where we changed default ACIs in the past
This handles the case where IPA's default ACIs changed in something else
than just attribute lists.
In this case we can narrow the set of ACIs we think the user might be
upgrading from.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-10 13:55:56 +02:00
Petr Viktorin
acb2ca47d6 Add mechanism for updating permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-04 17:34:17 +02:00
Martin Basti
b964d2130a Modified dns related global functions
* Modified functions to use DNSName type
* Removed unused functions

Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-03 15:55:32 +02:00
Gabe
9f2c4705d7 ipa recursively adds old backups
- Added exclude for the ipa backup folder to the files tar

https://fedorahosted.org/freeipa/ticket/4331

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-30 08:15:22 +02:00
Petr Viktorin
4f89decc9a ldap2.has_upg: Raise an error if the UPG definition is not found
The UPG Definition is always present in IPA; if it can not be read
it's usually caused by insufficient privileges.
Previously the code assumed the absence of the entry meant that
UPG is disabled. With granular read permissions, this would mean
that users that can add users but can't read UPG Definition would
add users without UPG, and the reason for that would not be very clear.
It is better to fail early if the definition can't be read.

Raise an error if the UPG Definition is not available. This makes
read access to it a prerequisite for adding users.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-29 16:22:37 +02:00
Adam Misnyovszki
71c6d2f1eb Call generate-rndc-key.sh during ipa-server-install
Since systemd has by default a 2 minute timeout to start
a service, the end of ipa-server-install might fail
because starting named times out. This patch ensures that
generate-rndc-key.sh runs before named service restart.

Also, warning message is displayed before KDC install and
generate-rndc-key.sh, if there is a lack of entropy, to
notify the user that the process could take more time
than expected.

Modifications done by Martin Kosek:
- removed whitespace at the end of installutils.py
- the warning in krbinstance.py moved right before the step
  requiring entropy
- slightly reworded the warning message

https://fedorahosted.org/freeipa/ticket/4210

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-27 13:05:53 +02:00
Petr Vobornik
1e96475a77 rpcserver: login_password datetime fix in expiration check
krbpasswordexpiration conversion to time failed because now we get
datetime object instead of string.

https://fedorahosted.org/freeipa/ticket/4339

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-05-26 13:08:34 +02:00
Petr Viktorin
988b2cebf4 ldap2.find_entries: Do not modify attrs_list in-place
dap2.find_entries modified the passed in attrs_list to remove
the virtual attributes memberindirect and memberofindirect
before passing the list to LDAP. This means that a call like
    ldap2.get_entry(dn, attrs_list=some_framework_object.default_attributes)
would permanently remove the virtual attributes from
some_framework_object's definition.

Create a copy of the list instead.

https://fedorahosted.org/freeipa/ticket/4349

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-05-26 12:39:33 +02:00
Petr Viktorin
193ced0bd7 Remove the global anonymous read ACI
Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:14:55 +02:00
Petr Viktorin
63becae88c Set user addressbook/IPA attribute read ACI to anonymous on upgrades from 3.x
When upgrading from an "old" IPA, or installing the first "new" replica,
we need to keep allowing anonymous access to many user attributes.

Add an optional 'fixup_function' to the managed permission templates,
and use it to set the bind rule type to 'anonymous' when installing
(or upgrading to) the first "new" master.

This assumes that the anonymous read ACI will be removed in a "new" IPA.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:12:35 +02:00
Petr Viktorin
993c1c8557 update_managed_permissions: Pass around anonymous ACI rather than its blacklist
It turns out the ACI object of the anonymous read ACI, rather than just the
list of its attributes, will be useful in the future.
Change the plugin so that the ACI object is passed around.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:12:35 +02:00
Petr Viktorin
86f943ca18 Replace "replica admins read access" ACI with a permission
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.

https://fedorahosted.org/freeipa/ticket/3829

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-21 09:57:16 +02:00
Adam Misnyovszki
fa7057b727 Trust add datetime fix
Fixes trust add, since now datetime object is returned
for 'modifytimestamp', which cannot be split like a string.

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-05-06 19:14:45 +03:00
Thorsten Scherf
3f3c8eee24 Fixed typo how to create an example gpg key
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-05-06 13:20:17 +02:00
Petr Viktorin
d893b77fb6 Add several managed read permissions under cn=etc
This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 14:36:41 +02:00
Petr Viktorin
af3a4adc46 Add support for non-plugin default permissions
Add support for managed permissions that are not tied to an object
class and thus can't be defined in an Object plugin.

A dict is added to hold templates for the non-plugin permissions.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 14:36:41 +02:00
Jan Cholasta
8b6dc819d5 Support API version-specific RPC marshalling.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-04-18 14:59:20 +02:00
Petr Viktorin
81b0e7466d Do not ask for memberindirect when updating managed permissions
One of the default_attributes of permission is memberofindirect,
a virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an entry with memberofindirect,
ipaldap tries to add the attribute to LDAP and fails with an objectclass
violation.

Do not ask for memberindirect when retrieving the entry.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-17 10:04:16 +02:00
Jan Cholasta
50c7f3b236 Fix update_ca_renewal_master plugin on CA-less installs.
This also fixes updates from ancient versions of IPA which did not have
automatic CA subsystem certificate renewal.

https://fedorahosted.org/freeipa/ticket/4294

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-10 16:40:10 +02:00
Petr Viktorin
41607774bc Add mechanism for adding default permissions to privileges
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-10 14:49:16 +02:00
Petr Viktorin
c58d6b2689 Allow overriding all attributes of default permissions
Allow overriding ipapermtarget, ipapermtargetfilter, ipapermlocation,
objectclass of default managed permissions.
This allows defining permissions that are not tied to an object type.
Default values are same as before.

Also, do not reset ipapermbindruletype when updating an existing
managed permission.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-09 13:40:42 +02:00
Petr Viktorin
fb2f0ae8d5 Document the managed permission updater operation
The method was explained on the [Design] page, but as the updater
is extended the design page would become obsolete.
Document the operation in the docstring of the plugin itself.

Design: http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-09 13:40:42 +02:00
Jan Cholasta
915cd6942c Fix upload of CA certificate to LDAP in CA-less install.
https://fedorahosted.org/freeipa/ticket/4300

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-08 14:04:40 +02:00
Jan Cholasta
0497d163d9 Remove unused method is_master of CAInstance.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:56 +01:00
Jan Cholasta
fd5ef28bf2 Use the same certmonger configuration for both CA masters and clones.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
fac6bf30b6 Merge restart_httpd functionality to renew_ra_cert.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
2c466b79e8 Merge restart_pkicad functionality to renew_ca_cert and remove restart_pkicad.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
b5d082ec4d Make the default dogtag-ipa-ca-renew-agent behavior depend on CA setup.
On CA masters, a certificate is requested and stored to LDAP. On CA clones,
the certificate is retrieved from LDAP.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
c3169add3b Store information about which CA server is master for renewals in LDAP.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
6a19738a45 Use dogtag-ipa-ca-renew-agent to track certificates on master CA.
Before, dogtag-ipa-renew-agent was used to track the certificates and the
certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since
dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code
was removed from renew_ca_cert and renew_ra_cert.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00