Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
performed against non-root forest domain DCs were automatically routed to the
root domain DCs to resolve trust topology information.
This is no longer the case, so the `dcerpc.fetch_domains` function must
explicitly contact root domain DCs even in the case when an external two-way
trust to non-root domain is requested.
https://fedorahosted.org/freeipa/ticket/6057
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When `trust-add` is supplied AD domain admin name without realm component, the
code appends the uppercased AD forest root domain name to construct the full
principal. This can cause authentication error, however, when external trust
with non-root domain is requested.
We should instead use the supplied DNS domain name (if valid) as a realm
component.
https://fedorahosted.org/freeipa/ticket/6277
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The code is supposed to check that the SAN name is also authorized to be used
with the specified profile id.
The original principal has already been checked.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Include name of the CA that issued a certificate in cert-request, cert-show
and cert-find.
This allows the caller to call further commands on the cert without having
to call ca-find to find the name of the CA.
https://fedorahosted.org/freeipa/ticket/6151
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add back `serial_number_hex` and `revoked` param values to cert-find output
accidentally removed in commit c718ef0588.
https://fedorahosted.org/freeipa/ticket/6269
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
We do not have right to write to users delete_container. In case that
user already exists in that container and we tried to add entry, we
receive ACIError. This must be checked and DuplicationEntry error must
be raised before.
https://fedorahosted.org/freeipa/ticket/6199
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Force client to send the value of ipatokenotpkey and ipapermlocation as
entered by user.
https://fedorahosted.org/freeipa/ticket/6247
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
We want to include the whole DER value when we pretty-print
unrecognised otherNames, so add a field to the GeneralNameInfo
namedtuple and populate it for otherNames.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
GeneralName parsing currently relies heavily on strings from NSS.
Make the code hopefully less brittle by identifying GeneralName
types by NSS enums and, for otherName, the name-type OID also.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
GeneralName parsing code is primarily relevant to X.509. An
upcoming change will add SAN parsing to the cert-show command, so
first move the GeneralName parsing code from ipalib.pkcs10 to
ipalib.x509.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Verify that key is not empty when adding otp token. If it is empty, raise an
appropriate error.
https://fedorahosted.org/freeipa/ticket/6200
Reviewed-By: Martin Basti <mbasti@redhat.com>
The server-del plugin now removes the Custodia keys for encryption and
key signing from LDAP.
https://fedorahosted.org/freeipa/ticket/6015
Reviewed-By: Martin Basti <mbasti@redhat.com>
ID ranges for child domains of a forest trust were created incorrectly
in FreeIPA 4.4.0 due to refactoring of -- if the domain was already
existing, we never attempted to create the ID range for it.
At the same time, when domain was missing, we attempted to add ID range
and passed both forest root and the child domain names to add_range().
However, add_range() only looks at the first positional argument which
was the forest root name. That ID range always exists (it is created
before child domains are processed).
Modify the code to make sure child domain name is passed as the first
positional argument. In addition, the oddjob helper should explicitly
set context='server' so that idrange code will be able to see and use
ipaserver/dcerpc.py helpers.
Resolves: https://fedorahosted.org/freeipa/ticket/5738
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When external trust is established, it is by definition is
non-transitive: it is not possible to obtain Kerberos tickets to any
service outside the trusted domain.
Reflect this reality by only accepting UPN suffixes from the external
trust -- since the trusted domain is a part of another forest and UPN
suffixes are forest-wide, there could be user accounts in the trusted
domain that use forest-wide UPN suffix but it will be impossible to
reach the forest root via the externally trusted domain.
Also, an argument to netr_DsRGetForestTrustInformation() has to be
either forest root domain name or None (NULL). Otherwise we'll get
an error as explained in MS-NRPC 3.5.4.7.5.
https://fedorahosted.org/freeipa/ticket/6021
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The 'cert_revoke' command checks the 'revoke certificate'
permission, however, if an ACIError is raised, it then invokes the
'cert_show' command. The rational was to re-use a "host manages
certificate" check that is part of the 'cert_show' command, however,
it is sufficient that 'cert_show' executes successfully for
'cert_revoke' to recover from the ACIError continue. Therefore,
anyone with 'retrieve certificate' permission can revoke *any*
certificate and cause various kinds of DoS.
Fix the problem by extracting the "host manages certificate" check
to its own method and explicitly calling it from 'cert_revoke'.
Fixes: https://fedorahosted.org/freeipa/ticket/6232
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
With recent change in DS (CVE fix), ds is not returging DuplicatedEntry
error in case that user is not permitted by ACI to write, but ACIError instead.
Is safe to ignore ACI error in container, because it will be raised
again later if user has no access to container.
https://fedorahosted.org/freeipa/ticket/6159
Reviewed-By: Martin Basti <mbasti@redhat.com>
It is not safe to have only one CA server in topology. Therefore there is a check
and in case that there is only one CA server a warning is shown. The warning is
shown after each refreshing of servers facet.
https://fedorahosted.org/freeipa/ticket/5828
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Use issuer+serial rather than raw DER blob to identify certificates in
cert-find's intermediate result.
Restructure the code to make it (hopefully) easier to follow.
https://fedorahosted.org/freeipa/ticket/6098
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Errors during DNS resolution might indicate that forwarder is the
necessary configuration which is missing. Now we disallow adding a
forwarder only if the zone is normally resolvable without the forwarder.
https://fedorahosted.org/freeipa/ticket/6062
Reviewed-By: Martin Basti <mbasti@redhat.com>
Whether a parameter is treated like password is determined by the
`password` class attribute defined in the Param class. Whether the CLI will
asks for confirmation of a password parameter depends on the value of the
`confirm` kwarg of the Password class.
Move the `confirm` kwarg from the Password class to the Param class, so
that it can be used by any Param subclass which has the `password` class
attribute set to True.
This fixes confirmation of the --key option of otptoken-add, which is a
Bytes subclass with `password` set to True.
https://fedorahosted.org/freeipa/ticket/6174
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
When service is not found in ipa-caalc-add-service command, return the
entire principal name of the service instead of the first character.
https://fedorahosted.org/freeipa/ticket/6171
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The Principal refactor causes service collections
('memberservice_service' attribute) to return Principal objects
where previously it returned strings, but the HBAC machinery used
for CA ACL enforcement only handles strings. Update the code to
stringify service Principal objects when adding them to HBAC rules.
Fixes: https://fedorahosted.org/freeipa/ticket/6146
Reviewed-By: Martin Basti <mbasti@redhat.com>
Installer/IPA generates passwords for warious purpose:
* KRA
* kerberos master key
* NSSDB password
* temporary passwords during installation
Length of passwords should be increased to 22, ~128bits of entropy, to
be safe nowadays.
https://fedorahosted.org/freeipa/ticket/6116
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The migration procedure has been updated to re-set `krbcanonicalname`
attribute on migrated users as well as `krbprincipalname` so that migration
from FreeIPA versions supporting principal aliases does not break subsequent
authentication of migrated users.
https://fedorahosted.org/freeipa/ticket/6101
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Global variable '_dcerpc_bindings_installed' is in some cases used
before assigment. This patch ensures that _dcerpc_bindings_installed is
always initialized.
https://fedorahosted.org/freeipa/ticket/6082
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* target for ptr record must be absolute domain name
* zone is detected using DNS system instead of random splitting of
hostname
https://fedorahosted.org/freeipa/ticket/6060
Reviewed-By: Petr Spacek <pspacek@redhat.com>
`trust-add` command did not handle these options correctly often resulting in
internal errors or mangled output. This patch implements a behavior which is
more in-line with the rest of the API commands.
https://fedorahosted.org/freeipa/ticket/6059
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
radiusproxy-find should not allow search by proxy secret even for privileged
users so we should hide it from CLI.
https://fedorahosted.org/freeipa/ticket/6078
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Option `--secret` was hidden from radiusproxy CLI preventing setting a secret
on existing server or searching by secret. Since thin client implementation it
was also not recognized by the interactive prompt code in CLI frontend since
it never got there.
https://fedorahosted.org/freeipa/ticket/6078
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
`PrimaryKey` output param works only for API objects that have primary keys,
otherwise it expects None (nothing is associated with this param). Since the
validation of command output was tightened durng thin client effort, some
commands not honoring this contract began to fail output validation.
A custom output was implemented for them to restore their functionality. It
should however be considered as a fix for broken commands and not used
further.
https://fedorahosted.org/freeipa/ticket/6037https://fedorahosted.org/freeipa/ticket/6061
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
While investigating the issue for selinuxusermap-add-hostgroup,
we discovered that other commands were missing output.
A first patch fixes most of the issues:
freeipa-jcholast-677-frontend-copy-command-arguments-to-output-params-on-.patch
This patch fixes servicedelegation CLI, where
servicedelegation.takes_params was missing
ipaallowedtarget_servicedelegationtarget, ipaallowedtoimpersonate and
memberprincipal
https://fedorahosted.org/freeipa/ticket/6026
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When a MODRDN is performed on the user entry, the MODRDN plugin resets both
krbPrincipalName and krbCanonicalName to the value constructed from uid. In
doing so, hovewer, any principal aliases added to the krbPrincipalName are
wiped clean. In this patch old aliases are fetched before the MODRDN operation
takes place and inserted back after it is performed.
This also preserves previous user logins which can be used further for
authentication as aliases.
https://fedorahosted.org/freeipa/ticket/6028
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Only function 'remove_sshpubkey_from_output_list_post' should be used in
postcallbacks of *-find, otherwise only one entry will be cleaned up
https://fedorahosted.org/freeipa/ticket/6043
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Expand the 'caacl' plugin documentation to explain some common
confusions including the fact that CA ACLs apply to the target
subject principal (not necessarily the principal requesting the
cert), and the fact that CA-less CA ACL implies the 'ipa' CA.
Fixes: https://fedorahosted.org/freeipa/ticket/6002
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.
https://fedorahosted.org/freeipa/ticket/2795
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Add the 'cacn' option to the cert-status command. Right now there
is nothing we need to (or can) do with it, but we add it anyway for
future use.
Fixes: https://fedorahosted.org/freeipa/ticket/5999
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Since now users, hosts, and service all support assigning multiple principal
aliases to them, the display of kerberos principal names should be consistent
across all these objects. Principal aliases and canonical names will now be
displayed in all add, mod, show, and find operations.
https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...])
were added to manage principal aliases.
'add' commands will check the following:
* the correct principal type is supplied as an alias
* the principals have correct realm and the realm/alternative suffix (e.g.
e-mail) do not overlap with those of trusted AD domains
If the entry does not have canonical principal name, the first returned
principal name will be set as one. This is mostly to smoothly operate on
entries created on older servers.
'remove' commands will check that there is at least one principal alias equal
to the canonical name left on the entry.
See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliaseshttps://fedorahosted.org/freeipa/ticket/1365https://fedorahosted.org/freeipa/ticket/3961https://fedorahosted.org/freeipa/ticket/5413
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The framework does not allow single param to appear as both positional
argument and option in a single command, or to represent two different
positional arguments for that matter. Since principal aliases shall go to
krbprincipalname attribute, the framework has to be tricked to believe
krbcanonicalname is the service's primary key. The entry DN stored in LDAP
remains the same.
https://fedorahosted.org/freeipa/ticket/1365
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Commands that modify a single multivalued attribute of an entry should use
positional parameters to specify both the primary key and the values to
add/remove. Named options are redundant in this case.
The `--certificate option` of `*-add/remove-cert` commands was turned
mandatory to avoid EmptyModlist when it is omitted.
https://fedorahosted.org/freeipa/ticket/3961https://fedorahosted.org/freeipa/ticket/5413
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
All plugins will now use this parameter and common code for all operations on
Kerberos principals. Additional semantic validators and normalizers were
added to determine or append a correct realm so that the previous behavior is
kept intact.
https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Since checking schema is relatively cheap operation (one round-trip with
almost no data) we can do it offten to ensure schema will fetched by
client ASAP after it was updated on server.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Implement the --ca option for cert-revoke and cert-remove-hold.
Defaults to the IPA CA. Raise NotFound if the cert with the given
serial was not issued by the nominated CA.
Also default the --ca option of cert-show to the IPA CA.
Add commentary to cert-status to explain why it does not use the
--ca option.
Fixes: https://fedorahosted.org/freeipa/ticket/5999
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Added permissions for Kerberos authentication indicators reading and
modifying to host objects.
https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Local API commands are not supposed to be executed over RPC but only
locally on the server. They are already excluded from API schema, exclude
them also from RPC and `batch` and `json_metadata` commands.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
cert_remove_hold uses output params instead of exceptions to convey
unsuccessful result. Move the output params to the client side before
the command is fixed to use exceptions.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Change user_status from a method of user to a method of a new userstatus
class, which defines the extra attributes returned by user_status.
This fixes user_status CLI output.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Move virtual attributes defined in output params of methods into params of
the related object.
This fixes the virtual attributes being ommited in CLI output.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Lightweight CA subject name collisions are prevented by Dogtag
(response code 409 Conflict), however, we do not want to expose the
Dogtag error. Perform the check in the IPA framework as well,
raising DuplicateEntry on collision.
Fixes: https://fedorahosted.org/freeipa/ticket/5981
Reviewed-By: Milan Kubik <mkubik@redhat.com>
cert-request supports adding service principals that don't exist.
If add is requested for other principal types, the error message
just says "the principal doesn't exist".
Add a new error type with better error message to explain that 'add'
is not supported for host or user principals.
Fixes: https://fedorahosted.org/freeipa/ticket/5991
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The confirmation of revoke and remove the certificate hold action is simplier
and more consistent with another parts of WebUI.
Part of: https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Do not initialize the plugins for all in-server API instances, as they are
used only in the server context.
This prevents code using in-server API instances from attempting to
initialize the session manager.
https://fedorahosted.org/freeipa/ticket/5988
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Removes the side effect of attempting to connect to memcached when the
session module is imported, which caused user visible warnings and/or
SELinux AVC denials.
https://fedorahosted.org/freeipa/ticket/5988
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The module is used only on the server, so there's no need to have it in
ipalib, which is shared by client and server.
https://fedorahosted.org/freeipa/ticket/5988
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Also move strings which are connected with authentication indicators to authtype dict.
This place is more general than have them in service dict. It's nicer when these strings are
not used only on service page.
Part of: https://fedorahosted.org/freeipa/ticket/5872
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
It is hard to translate whole dosctring again and again aftear each
minor change. This split will make life for translators easier. (Just note: dosctring was
changed and that is the reason why I'm sending this, because translators
must translate it again anyway)
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Removed old layout created using html tables. Now table layout is made by div
and modern css styling.
https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
The LDAP*ReverseMember methods would always return the whole LDAP
object even though --all is not specified.
Also had to fix some tests as objectClass will not be returned by
default now.
https://fedorahosted.org/freeipa/ticket/5892
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The 'issuer' option of cert-find was recently changed from Str to
DNParam, however, 'ra.find' expects a string and throws when it
receives a DN.
When constructing the dict that gets passed to 'ra.find', turn
DNParams into strings.
Part of: https://fedorahosted.org/freeipa/ticket/5381
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Allow multiple incompatible versions of a plugin using the same name. The
current plugins are assumed to be version '1'.
The unique identifier of plugins was changed from plugin name to plugin
name and version. By default, the highest version available at build time
is used. If the plugin is an unknown remote plugin, version of '1' is used
by default.
https://fedorahosted.org/freeipa/ticket/4427
Reviewed-By: David Kupka <dkupka@redhat.com>
Move the code that generated result of the `plugins` command from API to
the command itself.
https://fedorahosted.org/freeipa/ticket/4427
Reviewed-By: David Kupka <dkupka@redhat.com>
Properly mark `cn` as primary key of `automember` object.
This fixes automember crashing on output validation expecting primary key
value of None.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Advertise param's default value even when `autofill` is False. When
`autofill` is False, set `alwaysask` to True in the schema, as it is
semantically equivallent and removes redundancy.
This fixes default value disappearing in CLI for some params.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
this is required for replica promotion to work, since the ACI allowing hosts
to add their own services uses this objectclass as target filter.
This partially reverts changes from commit
705f66f749https://fedorahosted.org/freeipa/ticket/5996
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
When checking for presence of IssuerDN in certificate search result,
we mistakenly check for the presence of the SubjectDN field, then
unsafely index into the IssuerDN field. Check the presence of
IssuerDN correctly.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Martin Basti <mbasti@redhat.com>
Statement used for detection if objeclass change is needed was logically
wrong, this fixes it.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This patch removes the ability to add segment between hosts where
either does not support the requested suffix.
https://fedorahosted.org/freeipa/ticket/5967
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
topologysuffix-verify would have checked connectivity even between hosts that
are not managed by the given suffix.
https://fedorahosted.org/freeipa/ticket/5967
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Services on replica to be removed must be deleted first, otherwise
update of system records will not take this change into account
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Hosts, services, and (stage)-users will now have krbcanonicalname attribute
set to the same value as krbprincipalname on creation. Moreover, new services
will not have ipakrbprincipalalias set anymore.
Part of https://fedorahosted.org/freeipa/ticket/3864
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
host/service-show/find methods would have failed if the first
certificate they had in userCertificate attribute were invalid.
Expected behavior is that they just show the rest of the reqested
attributes.
https://fedorahosted.org/freeipa/ticket/5797
Reviewed-By: Martin Basti <mbasti@redhat.com>
The current implementation of check for last CA/DNS server and DNSSec key
master in `server-del` is quite fragile and wroks with quite a few assumptions
which may not be always true (CA and DNS is always configured etc.).
This patch hardens the check so that it does not break when the above
assuptions do not hold.
https://fedorahosted.org/freeipa/ticket/5960
Reviewed-By: Martin Basti <mbasti@redhat.com>
To avoid generating schema for every schema command call store schema in
api instance when first generated and reuse it in next calls.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When client requests schema it can list fingerprints of cached schemas
and server responds with SchemaUpToDate exception specifying fingeprint
of schema to use.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Calculate fingerprint for schema in deterministic way. Send fingerprint
value together with schema. Send TTL with schema to inform client about
caching interval.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
