Commit Graph

8442 Commits

Author SHA1 Message Date
Petr Vobornik
66bd2094f9 webui: fix regressions failed auth messages
1. after logout, krb auth no longer shows "session expired" but correct
"Authentication with Kerberos failed".

2. "The password or username you entered is incorrect." is showed on
failed forms-based auth.

https://fedorahosted.org/freeipa/ticket/5163

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-29 17:13:31 +02:00
Martin Basti
cea52ce186 ULC: Fix stageused-add --from-delete command
Nonexistent method was used to move deleted user to staged area.
Minor fixes added:
 * handle not found error
 * return new DN

https://fedorahosted.org/freeipa/ticket/5145

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-29 17:06:54 +02:00
Martin Basti
45c709112d Use 'mv -Z' in specfile to restore SELinux context
There might be AVC denial between moving file and restoring context.
Using 'mv -Z' will solve this issue.

https://fedorahosted.org/freeipa/ticket/4923

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-29 16:44:13 +02:00
Martin Babinsky
a2ba937307 ACI plugin: correctly parse bind rules enclosed in parentheses
Since bind rule such as `(userdn = "ldap:///anyone")` is also a valid
statement, the ipalib ACI parser was updated to handle this case.

https://fedorahosted.org/freeipa/ticket/5037

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-29 16:40:32 +02:00
Gabe
f7dbaa6382 Fix client ca.crt to match the server's cert
https://fedorahosted.org/freeipa/ticket/3809

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-27 18:04:53 +02:00
Niranjan Mallapadi
7d28230405 Use Exception class instead of StandardError
In except clause, use of "," is not recommended (PEP 3110)

Signed-off-by: Niranjan Mallapadi <mrniranjan@fedoraproject.org>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2015-07-27 18:01:34 +02:00
Christian Heimes
3c974c157f otptoken: use ipapython.nsslib instead of Python's ssl module
The otptoken plugin is the only module in FreeIPA that uses Python's ssl
module instead of NSS. The patch replaces ssl with NSSConnection. It
uses the default NSS database to lookup trust anchors. NSSConnection
uses NSS for hostname matching. The package
python-backports-ssl_match_hostname is no longer required.

https://fedorahosted.org/freeipa/ticket/5068

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-27 17:25:57 +02:00
Christian Heimes
2596adb312 certprofile-import: improve profile format documentation
The certprofile-import plugin expects a raw Dogtag config file. The XML
format is not supported. --help gives a hint about the correct file format.

https://fedorahosted.org/freeipa/ticket/5089

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2015-07-27 17:21:16 +02:00
Oleg Fayans
e5acd01ed2 Added test - topology plugin is listed among DS plugins
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-27 17:17:33 +02:00
Martin Basti
2427b2c242 Remove ico files from Makefile
Icons were removed in a4be844809 but still
persist in Makefile. This patch fixes Makefile.

https://fedorahosted.org/freeipa/ticket/823

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-27 16:19:49 +02:00
Petr Vobornik
a4be844809 webui: add Kerberos configuration instructions for Chrome
* IE section moved at the end
* Chrome section added
* FF and IE icons removed

https://fedorahosted.org/freeipa/ticket/823

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-27 13:50:49 +02:00
Tomas Babej
5df48d74a0 replication: Fix incorrect exception invocation
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-24 11:27:22 +02:00
Tomas Babej
aa066f31a5 idviews: Enforce objectclass check in idoverride*-del
Even with anchor to sid type checking, it would be still
possible to delete a user ID override by specifying a group
raw anchor and vice versa.

This patch introduces a objectclass check in idoverride*-del
commands to prevent that.

https://fedorahosted.org/freeipa/ticket/5029

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-23 15:37:01 +02:00
Tomas Babej
e0d3231f07 idviews: Restrict anchor to name and name to anchor conversions
When converting the ID override anchor from AD SID representation to
the object name, we need to properly restrict the type of the object
that is being resolved.

The same restriction applies for the opposite direction, when
converting the object name to it's SID.

https://fedorahosted.org/freeipa/ticket/5029

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-23 15:37:01 +02:00
Tomas Babej
970a5535c0 dcerpc: Add get_trusted_domain_object_type method
https://fedorahosted.org/freeipa/ticket/5029

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-23 15:37:01 +02:00
Martin Babinsky
7ceaa8e26c fix broken search for users by their manager
The patch fixes incorrect construction of search filter when using `ipa
user-find` with '--manager' option.

https://fedorahosted.org/freeipa/ticket/5146

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-23 11:43:05 +02:00
Tomas Babej
cf59981cc2 dcerpc: Fix UnboundLocalError for ccache_name
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-22 14:30:22 +02:00
Tomas Babej
106e904337 tests: test_cert: Services can have multiple certificates
Old certificates of the services are no longer removed and revoked
after new ones have been issued.

Check that both old and new certificates are present.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-22 11:14:23 +02:00
Tomas Babej
d71899696a tests: test_rpc: Create connection for the current thread
Both context.xmlclient and context.xmlclient_<id> need to be created
in order to successfully call the Command.forward method.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-22 11:13:44 +02:00
Tomas Babej
8eb26e9230 tests: vault_plugin: Skip tests if KRA not available
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-22 11:13:06 +02:00
Tomas Babej
083c64eb70 tests: Version is currently generated during command call
In the previous versions, version in the response was generated
as part of the process_keyword_arguments method. This is no longer true,
and so the explicit check for it should be removed.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-22 11:11:32 +02:00
Tomas Babej
5f8fd8a8e3 tests: realmdomains_plugin: Add explanatory comment
The realmdomains_mod command will fail if the testing environment
is configured improperly and the IPA domain's NS/SOA records are
not resolvable. This can easily happen if the machine's DNS server
is not configured to the IPA server.

Leave a explanatory note in the class.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-22 11:10:49 +02:00
Tomas Babej
12395a94f3 tests: service_plugin: Make sure the cert is decoded from base64
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-22 11:09:59 +02:00
Tomas Babej
a76c92ccd4 idviews: Check for the Default Trust View only if applying the view
Currently, the code wrongly validates the idview-unapply command. Move
check for the forbidden application of the Default Trust View into
the correct logical branch.

https://fedorahosted.org/freeipa/ticket/4969

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-22 11:06:41 +02:00
Tomas Babej
1299c60a83 dcerpc: Expand explanation for WERR_ACCESS_DENIED
It's possible for AD to contact a wrong IPA server in case the DNS
SRV records on the AD sides are not properly configured.

Mention this case in the error message as well.

https://fedorahosted.org/freeipa/ticket/5013

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-07-21 19:10:06 +02:00
Tomas Babej
705603a396 tests: user_plugin: Add preserved flag when --all is used
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-21 18:59:40 +02:00
Martin Basti
92828d3cf5 DNS: check if DNS package is installed
Instead of separate checking of DNS required packages, we need just
check if IPA DNS package is installed.

https://fedorahosted.org/freeipa/ticket/4058

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-21 17:30:10 +02:00
Tomas Babej
a487e42d3f ipaplatform: Add constants submodule
Introduce a ipaplatform/constants.py file to store platform related
constants, which are not paths.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-21 17:29:33 +02:00
Martin Basti
5ea41abe98 DNS: Consolidate DNS RR types in API and schema
* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
    These records never worked, they dont have attributes in schema.
    TSIG and TKEY are meta-RR should not be in LDAP
    TA is not supported by BIND
    NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be
    in LDAP.
    *! SIG, NSEC are already defined in schema, must stay in API.

* Add HINFO, MINFO, MD, NXT records to API as unsupported records
    These records are already defined in LDAP schema

* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records
    These records were defined in IPA API as unsupported, but schema definition was
    missing. This causes that ACI cannot be created for these records
    and dnszone-find failed. (#5055)

https://fedorahosted.org/freeipa/ticket/4934
https://fedorahosted.org/freeipa/ticket/5055

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-21 17:18:29 +02:00
David Kupka
e384aad729 ipa-client-install: Do not (re)start certmonger and DBus daemons.
When DBus is present in the system it is always running.

Starting of certmomger is handled in ipapython/certmonger.py module if
necessary. Restarting is no longer needed since freeipa is not changing
certmonger's files.

https://fedorahosted.org/freeipa/ticket/5095

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-20 14:28:09 +00:00
David Kupka
2defc486ab cermonger: Use private unix socket when DBus SystemBus is not available.
https://fedorahosted.org/freeipa/ticket/5095

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-20 14:28:09 +00:00
Martin Babinsky
1ec174b92d enable debugging of ntpd during client installation
When installing IPA client in debug mode, the ntpd command spawned during
initial time-sync with master KDC will also run in debug mode.

https://fedorahosted.org/freeipa/ticket/4931

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-20 14:19:08 +00:00
Tomas Babej
37b1af9a7c domainlevel: Fix incorrect initializations of InvalidDomainLevelError exceptions
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-20 13:53:21 +02:00
Martin Basti
c6c84faecf Py3: replace tab with space
python3 does not allow to mix spaces and tabs

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2015-07-17 17:19:51 +02:00
Tomas Babej
45958d6219 trusts: Check for AD root domain among our trusted domains
Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to esablishing the trust.

This prevents creation of a failing setup, as trusts would not work
properly in this case.

https://fedorahosted.org/freeipa/ticket/4799

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-17 17:04:17 +02:00
Martin Basti
82aaa1e6d0 Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand
--force option set replica-certify-all to 'no' during abort-clean-ruv
subcommand

https://fedorahosted.org/freeipa/ticket/4988

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-07-17 16:47:18 +02:00
Yuri Chornoivan
75fde43491 Fix minor typos
<ame> -> <name>
overriden -> overridden
ablity -> ability
enties -> entries
the the -> the

https://fedorahosted.org/freeipa/ticket/5109

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2015-07-17 14:33:30 +02:00
Martin Basti
9f70128353 sysrestore: copy files instead of moving them to avoind SELinux issues
Copying files restores SELinux context.

https://fedorahosted.org/freeipa/ticket/4923

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-17 13:46:23 +02:00
Petr Spacek
f1f3ef478d Create server-dns sub-package.
This allows us to automatically pull in package bind-pkcs11
and thus create upgrade path for on CentOS 7.1 -> 7.2.

IPA previously had no requires on BIND packages and these had to be
installed manually before first ipa-dns-install run.
We need to pull additional bind-pkcs11 package during RPM upgrade
so ipa-dns-install cannot help with this.

https://fedorahosted.org/freeipa/ticket/4058

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-17 10:40:44 +02:00
David Kupka
e5d179b5b9 migration: Use api.env variables.
Use api.env.basedn instead of anonymously accessing LDAP to get base DN.
Use api.env.basedn instead of searching filesystem for ldapi socket.

https://fedorahosted.org/freeipa/ticket/4953

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-17 10:30:42 +02:00
Martin Basti
a619a1e211 Validate adding privilege to a permission
Adding priviledge to a permission via webUI allowed to avoid check and to add permission
with improper type.

https://fedorahosted.org/freeipa/ticket/5075

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-17 04:57:54 +00:00
Martin Basti
a0ce9e6b09 fix selinuxusermap search for non-admin users
Remove nonexistent attribute 'hostmembergroup' that is not in ACI nor schema.

Related to https://fedorahosted.org/freeipa/ticket/5130

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-07-16 15:38:47 +02:00
Petr Vobornik
2e80645ef2 fix hbac rule search for non-admin users
hbacrule has it default attributes (which are used in search) attribute
'memberhostgroup'. This attr is not in ACI nor in schema. If the search
contains an attribute which can't be read then the search won't return
anything.

Therefore all searches with filter set fail.

https://fedorahosted.org/freeipa/ticket/5130

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-16 15:37:24 +02:00
Martin Babinsky
26dee66d1b ipa-ca-install: print more specific errors when CA is already installed
This patch implements a more thorough checking for already installed CAs
during standalone CA installation using ipa-ca-install. The installer now
differentiates between CA that is already installed locally and CA installed
on one or more masters in topology and prints an appropriate error message.

https://fedorahosted.org/freeipa/ticket/4492

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-16 15:33:43 +02:00
Petr Vobornik
9083c528f7 webui: fix user reset password dialog
Could not open user password dialog.

regression introduced in ed78dcfa3a

https://fedorahosted.org/freeipa/ticket/5131

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-16 15:28:38 +02:00
Christian Heimes
0700d340c7 Fix selinux denial during kdcproxy user creation
The home directory of the kdcproxy user is now properly owned by the
package and no longer created by useradd.

https://fedorahosted.org/freeipa/ticket/5135

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-16 13:45:03 +02:00
Alexander Bokovoy
c6a1bd591e oddjob: avoid chown keytab to sssd if sssd user does not exist
If sssd user does not exist, it means SSSD does not run as sssd user.

Currently SSSD has too tight check for keytab permissions and ownership.
It assumes the keytab has to be owned by the same user it runs under
and has to have 0600 permissions. ipa-getkeytab creates the file with
right permissions and 'root:root' ownership.

Jakub Hrozek promised to enhance SSSD keytab permissions check so that
both sssd:sssd and root:root ownership is possible and then when SSSD
switches to 'sssd' user, the former becomes the default. Since right now
SSSD 1.13 is capable to run as 'sssd' user but doesn't create 'sssd'
user in Fedora 22 / RHEL 7 environments, we can use its presence as a
version trigger.

https://fedorahosted.org/freeipa/ticket/5136

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-16 13:41:08 +02:00
Alexander Bokovoy
706c003615 selinux: enable httpd_run_ipa to allow communicating with oddjobd services
A new SELinux policy allows communication between IPA framework running
under Apache with oddjobd-based services via DBus.

This communication is crucial for one-way trust support and also is required
for any out of band tools which may be executed by IPA framework.

Details of out of band communication and SELinux policy can be found in a bug
https://bugzilla.redhat.com/show_bug.cgi?id=1238165

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-16 12:42:43 +02:00
Petr Vobornik
9d69ad2428 do not import memcache on client
Fixes regression caused by cd3ca94ff2.

Which caused:
* client installation failure (missing memcache)
* invalid warning in CLI on server

https://fedorahosted.org/freeipa/ticket/5133

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-16 11:23:40 +02:00
Jan Cholasta
d6e701a793 spec file: Update minimum required version of krb5
Automatically require the krb5 version used at build time.

https://fedorahosted.org/freeipa/ticket/5132

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-15 11:02:32 +00:00