Commit Graph

21 Commits

Author SHA1 Message Date
Nathaniel McCallum
d498d7272d Revert "Don't allow OTP or RADIUS in FIPS mode"
This reverts commit 16a952a0a4.

OTP now works in FIPS mode. RADIUS can be made to be compliant by wrapping
traffic in a VPN.

https://pagure.io/freeipa/issue/7168
https://pagure.io/freeipa/issue/7243

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-12 13:29:19 -04:00
Christian Heimes
f60b2c5906 LGTM: raise handle_not_found()
Turn calls "handle_not_found()" into "raise handle_not_found()" to
indicate control flow chance. It makes the code easier to understand,
the control flow more obvious and helps static analyzers.

It's OK to raise here because handle_not_found() always raises an
exception.

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-09 07:53:28 +01:00
Stanislav Laznicka
16a952a0a4
Don't allow OTP or RADIUS in FIPS mode
RADIUS, which is also internally used in the process of OTP
authentication by ipa-otpd, requires MD5 checksums which
makes it impossible to be used in FIPS mode. Don't allow users
setting OTP or RADIUS authentication if in FIPS mode.

https://pagure.io/freeipa/issue/7168

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-11-08 08:32:00 +01:00
Stanislav Laznicka
5a44ca6383 Create a Certificate parameter
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.

This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.

This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Stanislav Laznicka
4375ef860f Split x509.load_certificate() into PEM/DER functions
Splitting the load_certificate() function into two separate helps
us word the requirements for the input explicitly. It also makes
our backend similar to the one of python-cryptography so eventually
we can swap python-cryptography for IPA x509 module.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Gabe
274b0bcf5f Add --password-expiration to allow admin to force user password expiration
- Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-31 12:19:40 +02:00
Stanislav Laznicka
8e4408e678 Reworked the renaming mechanism
The rename operation on *_mod commands was only allowed when
the primary key of an entry was also its RDN. With these changes,
it should be possible to rename the rest of the entries as well.

An attribute to the base LDAPObject was added to whitelist the
objects we want to allow to be renamed. It replaced an old
attribute rdn_is_primary_key which was used for the very same
purpose but the name was confusing because it was not set
correctly for certain objects.

https://pagure.io/freeipa/issue/2466
https://pagure.io/freeipa/issue/6784

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-27 19:08:26 +02:00
Florence Blanc-Renaud
9e24918c89 Support for Certificate Identity Mapping
See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-02 15:09:42 +01:00
David Kupka
9c0e86530e stageuser: Add stageuser-{add,remove}-cert
Move {add,remove}-cert implementation from user to baseuser and inherit
{,stage}user-{add,remove}-cert from it.

https://fedorahosted.org/freeipa/ticket/6623

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-07 13:58:48 +01:00
Petr Spacek
fb7c111ac1 ipa_generate_password algorithm change
A change to the algorithm that generates random passwords
for multiple purposes throught IPA. This spells out the need
to assess password strength by the entropy it contains rather
than its length.

This new password generation should also be compatible with the
NSS implementation of password requirements in FIPS environment
so that newly created databases won't fail with wrong authentication.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2017-01-06 09:26:56 +01:00
Martin Basti
8f8e3d008f Use constant for user and group patterns
User and groups regexp are the same and constant should be used to avoid
any future misconfigurations.

https://fedorahosted.org/freeipa/ticket/5822

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-20 17:35:28 +02:00
Martin Basti
3720080611 Fix regexp patterns in parameters to not enforce length
Regexp should not enforce lenght of string, we have different checks for
that. Secondly regexp with length specified produces an incorrect error
message.

https://fedorahosted.org/freeipa/ticket/5822

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-20 17:35:28 +02:00
Martin Basti
51ccde25f7 Increase default length of auto generated passwords
Installer/IPA generates passwords for warious purpose:
* KRA
* kerberos master key
* NSSDB password
* temporary passwords during installation

Length of passwords should be increased to 22, ~128bits of entropy, to
be safe nowadays.

https://fedorahosted.org/freeipa/ticket/6116

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-03 15:32:41 +02:00
Martin Babinsky
2f02ffed03 Preserve user principal aliases during rename operation
When a MODRDN is performed on the user entry, the MODRDN plugin resets both
krbPrincipalName and krbCanonicalName to the value constructed from uid. In
doing so, hovewer, any principal aliases added to the krbPrincipalName are
wiped clean. In this patch old aliases are fetched before the MODRDN operation
takes place and inserted back after it is performed.

This also preserves previous user logins which can be used further for
authentication as aliases.

https://fedorahosted.org/freeipa/ticket/6028

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-07-15 13:51:03 +02:00
Martin Babinsky
acf2234ebc Unify display of principal names/aliases across entities
Since now users, hosts, and service all support assigning multiple principal
aliases to them, the display of kerberos principal names should be consistent
across all these objects. Principal aliases and canonical names will now be
displayed in all add, mod, show, and find operations.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
e6ff83e361 Provide API for management of host, service, and user principal aliases
New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...])
were added to manage principal aliases.

'add' commands will check the following:
* the correct principal type is supplied as an alias
* the principals have correct realm and the realm/alternative suffix (e.g.
  e-mail) do not overlap with those of trusted AD domains

If the entry does not have canonical principal name, the first returned
principal name will be set as one. This is mostly to smoothly operate on
entries created on older servers.

'remove' commands will check that there is at least one principal alias equal
to the canonical name left on the entry.

See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliases

https://fedorahosted.org/freeipa/ticket/1365
https://fedorahosted.org/freeipa/ticket/3961
https://fedorahosted.org/freeipa/ticket/5413

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
c2af032c03 Migrate management framework plugins to use Principal parameter
All plugins will now use this parameter and common code for all operations on
Kerberos principals.  Additional semantic validators and normalizers were
added to determine or append a correct realm so that the previous behavior is
kept intact.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Jan Cholasta
0f578ec36c user: add object plugin for user_status
Change user_status from a method of user to a method of a new userstatus
class, which defines the extra attributes returned by user_status.

This fixes user_status CLI output.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-30 16:32:20 +02:00
Jan Cholasta
ae5f11b4de server: define missing virtual attributes
Move virtual attributes defined in output params of methods into params of
the related object.

This fixes the virtual attributes being ommited in CLI output.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-30 16:32:20 +02:00
Martin Babinsky
705f66f749 IPA API: set krbcanonicalname instead of ipakrbprincipalalias on new entities
Hosts, services, and (stage)-users will now have krbcanonicalname attribute
set to the same value as krbprincipalname on creation. Moreover, new services
will not have ipakrbprincipalalias set anymore.

Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-06-23 09:48:06 +02:00
Jan Cholasta
6e44557b60 ipalib: move server-side plugins to ipaserver
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.

Remove the now unused ipalib.plugins package.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00