Commit Graph

176 Commits

Author SHA1 Message Date
Stanislav Levin
5c907e34ae named: Allow using of a custom OpenSSL engine for BIND
For now Debian, Fedora, RHEL, etc. build BIND with 'native PKCS11'
support. Till recently, that was the strict requirement of DNSSEC.
The problem is that this restricts cross-platform features of FreeIPA.

With the help of libp11, which provides `pkcs11` engine plugin for
the OpenSSL library for accessing PKCS11 modules in a semi-
transparent way, FreeIPA could utilize OpenSSL version of BIND.

BIND in turn provides ability to specify the OpenSSL engine on the
command line of `named` and all the BIND `dnssec-*` tools by using
the `-E engine_name`.

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00
Stanislav Levin
a9334ce5e5 named: Remove no longer used paths
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00
Christian Heimes
02986ff42b Add ipaplatform for Fedora and RHEL container
Container platforms for Fedora and RHEL simplify FreeIPA container
effort. Paths are based on patches from
https://github.com/freeipa/freeipa-container

Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-07-30 11:38:25 +02:00
Rob Crittenden
78acf0bcfc Add fips-mode-setup to ipaplatform.paths to determine FIPS status
This will be used by freeipa-healthcheck to report FIPS config
status. It is added here to avoid duplicating platform independence
in a sister project.

https://pagure.io/freeipa/issue/8429

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-07-27 09:47:27 -04:00
Fraser Tweedale
00a84464ea acme: configure engine.conf and disable by default
When deploying ACME set up configsources.conf to retrieve engine
configuration from engine.conf.  In the initial configuration, the
ACME service is disabled (i.e. it will refuse to service requests).

A subsequent commit will add command(s) for flipping the ACME
service on or off (on a per-server basis).  Later we will move to
LDAP configuration so that management of the ACME service is
deployment-wide.

The default configuration also disables issuance of wildcard
certificates.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-07-10 08:33:22 -04:00
Fraser Tweedale
dd301a4535 acme: set up ACME service when configuring CA
When configuring the CA, create, configure and deploy the PKI ACME
service instance.  This includes creation (if necessary) of the LDAP
container object heirarchy in which ACME-related objects will be
stored.

Dogtag ACME RA account management will be added in a subsequent
commit, removing the use of the 'uid=admin' account (which as of
this commit just has a bogus password).

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-07-10 08:33:22 -04:00
Florence Blanc-Renaud
797a64b370 sshd template must be part of client package
The sshd_ipa.conf.template must be shipped with the client pkgs
in /usr/share/ipa/client but is currently delivered in /usr/share/ipa.
Fix the file location.

Fixes: https://pagure.io/freeipa/issue/8400
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-07-09 14:00:29 +03:00
Florence Blanc-Renaud
3cf9979aec ipa-client-install: use sshd drop-in configuration
sshd 8.2+ now supports the "Include" keyword in sshd_config and
ships by default /etc/ssh/sshd_config with
"Include /etc/ssh/sshd_config.d/*"

As fedora 32 provides a config file in that directory (05-redhat.conf) with
ChallengeResponseAuthentication no
that is conflicting with IPA client config, ipa-client-install now needs
to make its config changes in a drop-in file read before 05-redhat.conf
(the files are read in lexicographic order and the first setting wins).

There is no need to handle upgrades from sshd < 8.2: if openssh-server
detects a customisation in /etc/ssh/sshd_config, it will not update
the file but create /etc/ssh/sshd_config.rpmnew and ask the admin
to manually handle the config upgrade.

Fixes: https://pagure.io/freeipa/issue/8304
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-23 11:11:46 +02:00
Christian Heimes
f52a15b808 Overhaul bind upgrade process
/etc/named.conf is now owned by IPA. The file is overwritten on
installation and all subsequent updates. All user modification will be
lost. Config file creation and update use the same code paths.

This simplifies upgrade process a lot. There is no errprone fiddling
with config settings any more.

During upgrade there is a one-time backup of named.conf to
named.conf.ipa-backup. It allows users to salvage their customization
and move them to one of two user config files which are included by
named.conf.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-10 16:07:07 +02:00
François Cami
b8886c3e97 IPA-EPN: First version.
EPN stands for Expiring Password Notification. It is a standalone
tool designed to build a list of users whose password would expire
in the near future, and either display the list in a machine-readable
format, or send email notifications to these users.

EPN provides command-line options to display the list of affected users.
This provides data introspection and helps understand how many emails
would be sent for a given day, or a given date range.
The command-line options can also be used by a monitoring system to alert
whenever a number of emails over the SMTP quota would be sent.

EPN is meant to be launched once a day from an IPA client (preferred)
or replica from a systemd timer.

EPN does not keep state. The list of affected users is built at runtime
but never kept.

TLS/STARTTLS SMTP code is untested and unlikely to work as-is.

Parts of code contributed by Rob Crittenden.
Ideas and feedback contributed by Christian Heimes and Michal Polovka.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: François Cami <fcami@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-09 08:43:45 +02:00
Peter Keresztes Schmidt
a5cbdb57e5 Split named custom config to allow changes in options stanza
Upgrade path to add additional include to named.conf is not handled.

Remove bindkeys-file directive from named config
The ISC DVL service was shut down (https://www.isc.org/bind-keys/).
BIND versions since April 2017 (i.e. 9.9.10, 9.10.5, 9.11.1 and later)
include a hard-coded copy of the root KSK which gets updates automatically
according to RFC 5011.

Move dnssec-enable directive to custom named config

Move comment named config being managed by FreeIPA to the top

Move settings which could be changed by administrators to
ipa-options-ext.conf. Settings defined there are sole responsibility of the
administrator. We do not check if they might collide with our settings in
named.conf.

Fixes: https://pagure.io/freeipa/issue/8287
Co-authored-by: Peter Keresztes Schmidt <carbenium@outlook.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-08 15:53:40 +03:00
Christian Heimes
f5964b7157 Remove obsolete BIND named.conf options
``dnssec-enable`` is obsolete in 9.16 and raises a warning. The option
defaults to ``yes`` in all supported versions of bind. The option is
removed when set to ``yes`` and a warning is emitted when the value is
``no``.

DNSSEC lookaside validation has been deprecated by RFC 8749 and the
feature removed from Bind 9.16. The only available lookaside provider
dlv.isc.org no longer provides DLV information since 2017.

Fixes: https://pagure.io/freeipa/issue/8349
Fixes: https://pagure.io/freeipa/issue/8350
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-05 09:23:57 +02:00
Stanislav Levin
63747bc0c0 ipatests: Collect all logs on all Unix hosts
Each integration test entity sets up its own list of logfiles.
This is made by calling the callback of host's 'collect_log',
which knows nothing about the context of execution: whether it's
the test class scope or the test method one. Of course, in this
case one-time collection of test method log is not supported
because the logs tracker collects only test class logs.
    In the meantime, almost all the entities (except 'client')
collect identical logs. Besides, due to the IPA roles
transformation an each IPA host can become master, replica or
client, all of these, in turn, can have subroles. So, the
most common case is the collection of all the possible logs from
all the IPA (Unix) hosts. However, the customization of a logfiles
collection is possible.
    The collection is performed with the help of 'integration_logs'
fixture. For example, to add a logfile to list of logs on a test
completion one should add the dependency on this fixture and call
its 'collect_method_log' method.
    ```
    class TestFoo(IntegrationTest):
        def test_foo(self):
            pass

        def test_bar(self, integration_logs):
            integration_logs.collect_method_log(self.master, '/logfile')
    ```
    Collected logs:
    1) 'test_foo' - default logs
    2) 'test_bar' - default logs + /logfile
    3) 'TestFoo' - default logs

Fixes: https://pagure.io/freeipa/issue/8265
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-04-28 17:50:10 +02:00
Christian Heimes
bdf1137169 Use /run and /run/lock instead of /var
Also add runstatedir autoconf var. IPA requires autoconf 2.59. The
variable will be available with autoconf 2.70.

Fixes: https://pagure.io/freeipa/issue/8272
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-04-15 18:48:50 +02:00
Sam Morris
3985183d73 Debian: write out only one CA certificate per file
ca-certificates populates /etc/ssl/certs with symlinks to its input
files and then runs 'openssl rehash' to create the symlinks that libssl
uses to look up a CA certificate to see if it is trused.

'openssl rehash' ignores any files that contain more than one
certificate: <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945274>.

With this change, we write out trusted CA certificates to
/usr/local/share/ca-certificates/ipa-ca, one certificate per file.

The logic that decides whether to reload the store is moved up into the
original `insert_ca_certs_into_systemwide_ca_store` and
`remove_ca_certs_from_systemwide_ca_store` methods. These methods now
also handle any exceptions that may be thrown while updating the store.

The functions that actually manipulate the store are factored out into
new `platform_{insert,remove}_ca_certs` methods, which implementations
must override.

These new methods also orchestrate the cleanup of deprecated files (such
as `/etc/pki/ca-trust/source/anchors/ipa-ca.crt`), rather than having
the cleanup code be included in the same method that creates
`/etc/pki/ca-trust/source/ipa.p11-kit`.

As well as creating `/usr/local/share/ca-certificates/ipa-ca`, Debian
systems will now also have
`/usr/local/share/ca-certificates/ipa.p11-kit` be created. Note that
`p11-kit` in Debian does not use this file.

Fixes: https://pagure.io/freeipa/issue/8106
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-04-08 14:17:31 +03:00
Florence Blanc-Renaud
7ae1352c72 Support opendnssec 2.1.6
The installation of IPA DNS server is using ods-ksmutil, but
openddnssec 2.1.6 does not ship any more /usr/bin/ods-ksmutil. The tool
is replaced by /usr/sbin/ods-enforcer and /usr/sbin/ods-enforcer-db-setup.

The master branch currently supports fedora 30+, but fedora 30 and 31 are
still shipping opendnssec 1.4 while fedora 32+ is shipping opendnssec 2.1.6.
Because of this, the code needs to check at run-time if the ods-ksmutil
command is available. If the file is missing, the code falls back to
the new ods-enforcer and ods-enforcer-db-setup commands.

This commit defines paths.ODS_ENFORCER and paths.ODS_ENFORCER_DB_SETUP
for all platforms, but the commands are used only if ods-ksmutil is not found.

Fixes: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-12 21:48:25 +01:00
Alexander Bokovoy
ec73de969f Secure AJP connector between Dogtag and Apache proxy
AJP implementation in Tomcat is vulnerable to CVE-2020-1938 if used
without shared secret. Set up a shared secret between localhost
connector and Apache mod_proxy_ajp pass-through.

For existing secured AJP pass-through make sure the option used for
configuration on the tomcat side is up to date. Tomcat 9.0.31.0
deprecated 'requiredSecret' option name in favor of 'secret'. Details
can be found at https://tomcat.apache.org/migration-9.html#Upgrading_9.0.x

Fixes: https://pagure.io/freeipa/issue/8221

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-03-11 17:41:17 +01:00
Florence Blanc-Renaud
911992b8bf ipa-adtrust-install: run remote configuration for new agents
When ipa-adtrust-install is run, the tool detects masters that are
not enabled as trust agents and propose to configure them. With the
current code, the Schema Compat plugin is not enabled on these new
trust agents and a manual restart of LDAP server + SSSD is required.

With this commit, ipa-adtrust-install now calls remote code on the new
agents through JSON RPC api, in order to configure the missing parts.
On the remote agent, the command is using DBus and oddjob to launch
a new command,
/usr/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent [--enable-compat]
This command configures the Schema Compat plugin if --enable-compat is
provided, then restarts LDAP server and SSSD.

If the remote agent is an older version and does not support remote
enablement, or if the remote server is not responding, the tool
ipa-adtrust-install prints a WARNING explaining the steps that need
to be manually executed in order to complete the installation, and
exits successfully (keeping the current behavior).

Fixes: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-05 14:40:58 +01:00
Stanislav Levin
19462788f1 ipatests: Properly kill gpg-agent
There is a race condition exposed in 'test_gpg_asymmetric'.
The teardown of 'tempdir' fixture and gpg-agent being called
from the teardown of 'gpgkey' fixture could simultaneously
remove the gnugpg's socket files.

This results in an error like:
```

================= ERRORS ===================
_ ERROR at teardown of test_gpg_asymmetric __
...

>  os.unlink(entry.name, dir_fd=topfd)
E  FileNotFoundError: [Errno 2] No such file or directory: 'S.gpg-agent.extra'

/usr/lib64/python3.7/shutil.py:450: FileNotFoundError

```

The problem is that the agent is not terminated properly.
Instead, gpgconf could be used to kill daemonized gpg-agent.

Related: https://pagure.io/freeipa/issue/7989
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-02-12 18:08:32 +02:00
Cédric Jeanneret
6c27104467 Prevents DNS Amplification Attack and allow to customize named
While [1] did open recursion, it also opened widely a security flaw.

This patch intends to close it back, while allowing operators to easily
add their open configuration within Bind9.

In order to allow operators to still open Bind recursion, a new file is
introduced, "ipa-ext.conf" (path might change according to the OS). This
file is not managed by the installer, meaning changes to it won't be
overridden.
Since it's included at the very end of the main configuration file, it
also allows to override some defaults - of course, operators have to be
careful with that.

Related-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1754530
Fixes: https://pagure.io/freeipa/issue/8079

[1] 5f4c75eb28

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2019-11-12 10:49:49 +02:00
Florence Blanc-Renaud
a2313114fb ipatests: enable 389-ds audit log and collect audit file
In test_integration, enable 389-ds audit log and auditfail log by setting
nsslapd-auditlog-logging-enabled: on
nsslapd-auditfaillog-logging-enabled: on

and collect the generated audit file. This will help troubleshoot failures
related to DS.

Fixes: https://pagure.io/freeipa/issue/8064
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-20 13:14:18 -04:00
Robbie Harwood
39e3704a06 Move certauth configuration into a server krb5.conf template
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2019-09-10 12:33:21 +03:00
Alexander Bokovoy
814592cf22 ipa-client-samba: a tool to configure Samba domain member on IPA client
Introduces new utility to configure Samba on an IPA domain member.

The tool sets up Samba configuration and internal databases, creates
cifs/... Kerberos service and makes sure that a keytab for this service
contains the key with the same randomly generated password that is set
in the internal Samba databases.

Samba configuration is created by querying an IPA master about details
of trust to Active Directory configuration. All known identity ranges
added to the configuration to allow Samba to properly handle them
(read-only) via idmap_sss.

Resulting configuration allows connection with both NTLMSSP and Kerberos
authentication for IPA users. Access controls for the shared content
should be set by utilizing POSIX ACLs on the file system under a
specific share.

The utility is packaged as freeipa-client-samba package to allow pulling
in all required dependencies for Samba and cifs.ko (smb3.ko) kernel
module. This allows an IPA client to become both an SMB server and an
SMB client.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-29 11:00:28 +03:00
Alexander Bokovoy
d631e008cc adtrust: update Samba domain controller keytab with host keys
When DCERPC clients use Kerberos authentication, they use a service
ticket to host/domain.controller because in Active Directory any
service on the host is an alias to the machine account object.

In FreeIPA each Kerberos service has own keys so host/.. and cifs/..
do not share the same keys. It means Samba suite needs to have access to
host/.. keytab entries to validate incoming DCERPC requests.

Unfortunately, MIT Kerberos has no means to operate on multiple keytabs
at the same time and Samba doesn't implement this either. We cannot use
GSS-Proxy as well because Samba daemons are running under root.

As a workaround, copy missing aes256 and aes128 keys from the host
keytab. SMB protocol doesn't use other encryption types and we don't
have rc4-hmac for the host either.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-29 11:00:28 +03:00
Alexander Bokovoy
cdb94e0ff2 ipaserver.install.installutils: move commonly used utils to ipapython.ipautil
When creating ipa-client-samba tool, few common routines from the server
installer code became useful for the client code as well.

Move them to ipapython.ipautil and update references as well.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-29 11:00:28 +03:00
Stanislav Levin
d86b57c057 Make use of the single configuration point for the default shells
For now all the default shells of users and admin are hardcoded in
different parts of the project. This makes it impossible to run the
test suite against the setup, which has the default shell differed
from '/bin/sh'.

The single configuration point for the shell of users and admin is
added to overcome this limitation.

Fixes: https://pagure.io/freeipa/issue/7978
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-19 11:39:51 +02:00
Rob Crittenden
f606d82024 Stop using 389-ds legacy backup and restoration utilities
Use dsctl instead, the modern replacement for ldif2db, db2ldif,
bak2db and db2bak.

https://pagure.io/freeipa/issue/7965

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-05 13:18:45 -04:00
Adam Williamson
78652a52f0 Correct default fontawesome path (broken by da2cf1c5)
On Fedora/RHEL, it does not have a dash in it. The changes in
da2cf1c5 inadvertently added a dash to the path in the 'base'
paths definition (used on Fedora/RHEL), so the font wasn't found.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-02 09:36:54 -04:00
Christian Heimes
c314411130 Correct path to systemd-detect-virt
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:47:51 +02:00
Christian Heimes
5d4a8017f4 Add helper to look for missing binaries
Fedora has merged /usr/bin and /bin while Debian uses distinct
directories for /usr/bin and /bin. Debian also uses different directory
for libexec files.

A new paths.check_paths() helper makes it easier to detect missing or
wrong paths.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:47:51 +02:00
Christian Heimes
beffa7bcda Move Custodia secrets handler to scripts
Implement the import and export handlers for Custodia keys as external
scripts. It's a prerequisite to drop DAC override permission and proper
SELinux rules for ipa-custodia.

Except for DMLDAP,  handlers no longer run as root but as handler
specific users with reduced privileges. The Dogtag-related handlers run
as pkiuser, which also help with HSM support.

The export and import handles are designed to be executed by sudo, too.
In the future, ipa-custodia could be executed as an unprivileged process
that runs the minimal helper scripts with higher privileges.

Fixes: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:09:22 +02:00
Christian Heimes
74e09087ed Globally disable softhsm2 in p11-kit-proxy
The p11-kit configuration injects p11-kit-proxy into all NSS databases.
Amongst other p11-kit loads SoftHSM2 PKCS#11 provider. This interferes
with 389-DS, certmonger, Dogtag and other services. For example certmonger
tries to open OpenDNSSEC's SoftHSM2 token, although it doesn't use it at
all. It also breaks Dogtag HSM support testing with SoftHSM2.

IPA server does neither need nor use SoftHSM2 proxied by p11-kit.

Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-25 12:53:08 +02:00
Christian Heimes
d703f3dbcb Debian: Fix replicatio of light weight sub CAs
The path to ipa-pki-retrieve-key was hard-coded, which broke replication
of light weight sub CA keys.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
edaea8865f Add ODS manager abstraction to ipaplatform
OpenDNSSEC 1.4 and 2.x use different commands to initialize kasp.db and
manage zones. ipaplatform.tasks abstracts the commands.

Note: I added the logic to the base task instead of having different
implementations for Red Hat and Debian platforms. Eventually Fedora is
going to move to OpenDNSSEC 2.x, too. The design will make it easier to
support OpenDNSSEC 2.x on Fedora.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
750e658dba Debian: Add fixes for OpenDNSSEC 2.0
Debian/Ubuntu use OpenDNSSEC 2.0, which has different commands to manage
zones and keys.

Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
da2cf1c513 Debian: Add paths for open-sans and font-awesome
Debian has different paths and path suffix for font-awesome. Let's have
explicit paths for all our fonts.

Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
3f9e23f125 Add ExecStartPost hook to wait for Dogtag PKI
Dogtag PKI typically takes around 10 seconds to start and respond to
requests. Dogtag uses a simple systemd service, which means systemd is
unable to detect when Dogtag is ready. Commands like ``systemctl start``
and ``systemctl restart`` don't block and wait until the CA is up. There
have been various workarounds in Dogtag and IPA.

Systemd has an ExecStartPost hook to run programs after the main service
is started. The post hook blocks systemctl start and restart until all
post hooks report ready, too. The new ipa-pki-wait-running script polls
on port 8080 and waits until the CA subsystem returns ``running``.

Related: https://pagure.io/freeipa/issue/7916
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-24 09:09:28 +02:00
Robbie Harwood
5ecede781b Fix unnecessary usrmerge assumptions
On non-usrmerge systems (e.g., Debian), bash, mv, cp, cat, tail,
keyctl, and gzip live in /bin, not /usr/bin.

On usrmerge systems, /bin is a symlink to /usr/bin (or vice versa), so
this has no effect.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-17 13:56:05 +02:00
Christian Heimes
80928ba6f5 Use Network Manager to configure resolv.conf
IPA used to write a custom /etc/resolv.conf. On Fedora and RHEL,
NetworkManager is typically maintaining resolv.conf. On reboot or
restart of the service, NM overwrites the custom settings.

On systems with NM enabled, the DNS server installer now drops a config
file into NM's global config directory and delegates resolv.conf to NM.

On systems without NM, fall back to create /etc/resolv.conf directly.

Fixes: https://pagure.io/freeipa/issue/7900
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-04-16 10:45:59 +02:00
Christian Heimes
1dfac4f5b7 Move DS's Kerberos env vars to unit file
The IPA specific env vars KRB5_KTNAME and KRB5CCNAME are now defined in
a instance specific ipa-env.conf unit file.

Fixes: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-02 19:35:38 +02:00
Stanislav Levin
e5244fbeda Completely drop /var/cache/ipa/sessions
This directory has been already dropped in @6d66e826c,
but not entirely.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-03-25 09:49:45 +01:00
Christian Heimes
165a941109
Don't configure KEYRING ccache in containers
Kernel keyrings are not namespaced yet. Keyrings can leak into other
containers. Therefore keyrings should not be used in containerized
environment.

Don't configure Kerberos to use KEYRING ccache backen when a container
environment is detected by systemd-detect-virt --container.

Fixes: https://pagure.io/freeipa/issue/7807
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-01-18 11:33:11 +01:00
Oleg Kozlov
0e5a8fbb9b Remove stale kdc requests info files when upgrading IPA server
Added removing of stale /var/lib/sss/pubconf/kdcinfo.* and /var/lib/sss/pubconf/kpasswdinfo.* files generated by SSSD during IPA server upgrade.

Fixes: https://pagure.io/freeipa/issue/7578
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-21 15:54:00 +01:00
Stanislav Laznicka
ed955d14d3 Move lib389 imports to module scope
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
William Brown
f7511edbfb Support the 1.4.x python installer tools in 389-ds
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
Stanislav Levin
531eca4308 Move ipa's systemd tmpfiles from /var/run to /run
systemd 239 complains about the legacy of ipa's tmpfiles which
are located on /var/run.

Fixes: https://pagure.io/freeipa/issue/7732
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-15 10:04:33 +02:00
Christian Heimes
b431e9b684 Py3: Remove subclassing from object
Python 2 had old style and new style classes. Python 3 has only new
style classes. There is no point to subclass from object any more.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 11:49:04 +02:00
Christian Heimes
992a5f4823 Move client templates to separate directory
PR https://github.com/freeipa/freeipa/pull/1747 added the first template
for FreeIPA client package. The template file was added to server
templates, which broke client-only builds.

The template is now part of a new subdirectory for client package shared
data.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-05 16:34:27 -04:00
Timo Aaltonen
8c0d7bb92f Fix HTTPD SSL configuration for Debian.
The site and module configs are split on Debian, server setup needs
to match that.

Fixes: https://pagure.io/freeipa/issue/7554
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Timo Aaltonen
ffdb20aeb3 ldapupdate: Add support for Debian multiarch
And since Fedora 28 dropped support for non-64bit, hardcode default LIBARCH as 64.

Fixes: https://pagure.io/freeipa/issue/7555
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00