Commit Graph

4012 Commits

Author SHA1 Message Date
Peter Keresztes Schmidt
187968d472 WebUI: Expose TTL of DNS records
Fixes: https://pagure.io/freeipa/issue/3827
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-07 10:09:35 +03:00
Peter Keresztes Schmidt
4d2cd3a273 WebUI: Refresh DNS record data correctly after mod operation
Fixes: https://pagure.io/freeipa/issue/8359
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-07 10:08:19 +03:00
Christian Heimes
f5964b7157 Remove obsolete BIND named.conf options
``dnssec-enable`` is obsolete in 9.16 and raises a warning. The option
defaults to ``yes`` in all supported versions of bind. The option is
removed when set to ``yes`` and a warning is emitted when the value is
``no``.

DNSSEC lookaside validation has been deprecated by RFC 8749 and the
feature removed from Bind 9.16. The only available lookaside provider
dlv.isc.org no longer provides DLV information since 2017.

Fixes: https://pagure.io/freeipa/issue/8349
Fixes: https://pagure.io/freeipa/issue/8350
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-05 09:23:57 +02:00
Peter Keresztes Schmidt
517c7ab215 WebUI: Use data adapter to load facet header data
Fixes: https://pagure.io/freeipa/issue/8339
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-06-03 09:30:27 +02:00
Peter Keresztes Schmidt
7de1a93ce4 WebUI: Fix invalid RPC calls when link widget has no pkey passed
Fixes: https://pagure.io/freeipa/issue/8338
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-06-03 09:27:48 +02:00
Peter Keresztes Schmidt
1606174457 Remove remains of unused config options
Options removed:
 * ca_ee_port
 * ca_agent_install_port
 * ca_ee_install_port

Closes: https://pagure.io/freeipa/issue/6708
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-02 09:39:42 +02:00
Serhii Tsymbaliuk
bc9f3e0557 WebUI: Apply jQuery patch to fix htmlPrefilter issue
Manually backport corresponding changes from jQuery 3.5.0:
1d61fd9407

A complete upgrade to jQuery 3.5 is impossible at the moment due incompatibility
with Bootstrap 3.4.1 which we currently use.

Ticket: https://pagure.io/freeipa/issue/8325

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2020-05-28 13:20:52 +02:00
Serhii Tsymbaliuk
7bef36de64
WebUI: Add authentication indicator specific fields to "Kerberos Ticket Policy" page
Ticket: https://pagure.io/freeipa/issue/8207

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2020-05-26 13:33:57 +02:00
Serhii Tsymbaliuk
33ca074558
WebUI: Add confirmation dialog for changing default user/host group
Changing default group on automember rules page is too easy.
Add a confirmation dialog to avoid misclick in the case.

Ticket: https://pagure.io/freeipa/issue/8322

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-15 18:03:01 +02:00
Alexander Bokovoy
d986e844bb WebUI: use python3-rjsmin to minify JavaScript files
Fedora 33+ deprecated uglify-js. There are other alternatives which seem
to be fine for the minify task. Use python-rjsmin instead.

Fixes: https://pagure.io/freeipa/issue/8300
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-05-12 09:50:28 +02:00
Christian Heimes
aa341020c8 Disable password schema update on LDAP bind
389-DS 1.4.1+ attempts to update passwords to new schema on LDAP bind. IPA
blocks hashed password updates and requires password changes to go through
proper APIs. This option disables password hashing schema updates on bind.

See: https://pagure.io/freeipa/issue/8315
See: https://bugzilla.redhat.com/show_bug.cgi?id=1833266
See: https://pagure.io/389-ds-base/issue/49421
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-05-11 14:36:39 +02:00
Christian Heimes
2bfe5ff689 Use httpd 2.4 syntax for access control
The httpd options Allow, Deny, Order, and Satisfy are deprecated in
Apache httpd 2.4. These options are provided by the mod_access_compat
module and should no longer be used.

Replace "Allow from all" with "Require all granted".

Removal of "Satisfy Any" needs more investigation.

See: httpd.apache.org/docs/2.4/upgrading.html
See: httpd.apache.org/docs/2.4/mod/mod_access_compat.html
Fixes: pagure.io/freeipa/issue/8305
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-05-07 11:00:55 -04:00
Christian Heimes
19ea1b97a1 Simplify pki proxy conf
``pkispawn`` is being modified to use PKI CLI for installation.

Add ``/pki/rest`` to proxied routes and simplify location matching with
a prefix regular expression.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-05-05 11:49:10 +02:00
Viktor Ashirov
273ed1535d Update ACIs with the correct syntax
The value of the first character in target* keywords
is expected to be a double quote.

Fixes: https://pagure.io/freeipa/issue/8301

Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-05-04 20:49:23 +02:00
Christian Heimes
ca6d6781c7 Define default password policy for sysaccounts
cn=sysaccounts,cn=etc now has a default password policy to permit system
accounts with krbPrincipalAux object class. This allows system accounts
to have a keytab that does not expire.

The "Default System Accounts Password Policy" has a minimum password
length in case the password is directly modified with LDAP.

Fixes: https://pagure.io/freeipa/issue/8276
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-04-28 11:28:29 +02:00
Serhii Tsymbaliuk
a0494bc3f3
Web UI: Upgrade jQuery version 2.0.3 -> 3.4.1
Ticket: https://pagure.io/freeipa/issue/8284

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-04-24 09:17:59 +02:00
Serhii Tsymbaliuk
10aaef031b
Web UI: Upgrade Dojo version 1.13.0 -> 1.16.2
- upgrade dojo.js bundle
- fix prepare-dojo.sh
- update Dojo version in package.json (reference purpose only)

Ticket: https://pagure.io/freeipa/issue/8222

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-04-21 19:03:23 +02:00
Florence Blanc-Renaud
7ac60a87bc Man pages: fix syntax issues
Fix the syntax in ipa-cacert-manage.1 and default.conf.5

Fixes: https://pagure.io/freeipa/issue/8273
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-04-16 14:01:03 +02:00
Christian Heimes
bdf1137169 Use /run and /run/lock instead of /var
Also add runstatedir autoconf var. IPA requires autoconf 2.59. The
variable will be available with autoconf 2.70.

Fixes: https://pagure.io/freeipa/issue/8272
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-04-15 18:48:50 +02:00
François Cami
3665ba928b ipa-backup: Make sure all roles are installed on the current master.
ipa-backup does not check whether the IPA master it is running on has
all used roles installed. This can lead into situations where backups
are done on a CAless or KRAless host while these roles are used in the
IPA cluster. These backups cannot be used to restore a complete cluster.

With this change, ipa-backup refuses to execute if the roles installed
on the current host do not match the list of roles used in the cluster.
A --disable-role-check knob is provided to restore the previous behavior.

Fixes: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-04-01 12:09:16 +02:00
Serhii Tsymbaliuk
99a62f29b2 Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1
Ticket: https://pagure.io/freeipa/issue/8239

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-24 10:19:13 +02:00
Christian Heimes
7a9ac1f586 Allow hosts to read DNS records for IP SAN
For SAN IPAddress extension the cert plugin verifies that the IP address
matches the host entry. Certmonger uses the host principal to
authenticate and retrieve certificates. But the host principal did not
have permission to read DNS entries from LDAP.

Allow all hosts to read some entries from active DNS records.

Fixes: https://pagure.io/freeipa/issue/8098
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-16 13:04:17 +01:00
Florence Blanc-Renaud
c2e355ae59 Remove the <Interval> from opendnssec conf
In opendnssec 2.1.6, the <Interval> element is not supported in the
configuration file.

Related: https://pagure.io/freeipa/issue/8214
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-12 21:48:25 +01:00
Alexander Bokovoy
ec73de969f Secure AJP connector between Dogtag and Apache proxy
AJP implementation in Tomcat is vulnerable to CVE-2020-1938 if used
without shared secret. Set up a shared secret between localhost
connector and Apache mod_proxy_ajp pass-through.

For existing secured AJP pass-through make sure the option used for
configuration on the tomcat side is up to date. Tomcat 9.0.31.0
deprecated 'requiredSecret' option name in favor of 'secret'. Details
can be found at https://tomcat.apache.org/migration-9.html#Upgrading_9.0.x

Fixes: https://pagure.io/freeipa/issue/8221

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-03-11 17:41:17 +01:00
Florence Blanc-Renaud
911992b8bf ipa-adtrust-install: run remote configuration for new agents
When ipa-adtrust-install is run, the tool detects masters that are
not enabled as trust agents and propose to configure them. With the
current code, the Schema Compat plugin is not enabled on these new
trust agents and a manual restart of LDAP server + SSSD is required.

With this commit, ipa-adtrust-install now calls remote code on the new
agents through JSON RPC api, in order to configure the missing parts.
On the remote agent, the command is using DBus and oddjob to launch
a new command,
/usr/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent [--enable-compat]
This command configures the Schema Compat plugin if --enable-compat is
provided, then restarts LDAP server and SSSD.

If the remote agent is an older version and does not support remote
enablement, or if the remote server is not responding, the tool
ipa-adtrust-install prints a WARNING explaining the steps that need
to be manually executed in order to complete the installation, and
exits successfully (keeping the current behavior).

Fixes: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-05 14:40:58 +01:00
Rob Crittenden
e4966f9c3f Don't fully quality the FQDN in ssbrowser.html for Chrome
The trailing dot causes it to not function as expected, remove
it from the example.

https://pagure.io/freeipa/issue/8201

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-02-18 09:15:57 -05:00
Alexander Bokovoy
b3dbb36867 adtrust: print DNS records for external DNS case after role is enabled
We cannot gather information about required DNS records before "ADTrust
Controller" role is enabled on this server. As result, we need to call
the step to add DNS records after the role was enabled.

Fixes: https://pagure.io/freeipa/issue/8192
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-02-13 21:20:13 +02:00
Alexander Bokovoy
ff547a2777 install/updates: move external members past schema compat update
There is an ordering discrepancy because the base compat tree
configuration is in install/updates/80-schema_compat.update so it is ran
after 50-externalmembers.update. And since at that point
cn=groups,cn=Schema ... does not exist yet, external members
configuration is not applied.

Move it around to make sure it is applied after Schema Compatibility
plugin configuration is created.

Fixes: https://pagure.io/freeipa/issue/8193
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-02-12 11:45:39 +01:00
Fraser Tweedale
769180c2c6 Do not renew externally-signed CA as self-signed
Commit 49cf5ec64b fixed a bug that
prevented migration from externally-signed to self-signed IPA CA.
But it introduced a subtle new issue: certmonger-initiated renewal
renews an externally-signed IPA CA as a self-signed CA.

To resolve this issue, introduce the `--force-self-signed' flag for
the dogtag-ipa-ca-renew-agent script.  Add another certmonger CA
definition that calls this script with the `--force-self-signed'
flag.  Update dogtag-ipa-ca-renew-agent to only issue a self-signed
CA certificate if the existing certificate is self-signed or if
`--force-self-signed' was given.  Update `ipa-cacert-manage renew'
to supply `--force-self-signed' when appropriate.

As a result of these changes, certmonger-initiated renewal of an
externally-signed IPA CA certificate will not issue a self-signed
certificate.

Fixes: https://pagure.io/freeipa/issue/8176
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-29 21:47:14 +11:00
Rob Crittenden
acfb6191a1 Add delete option to ipa-cacert-manage to remove CA certificates
Before removing a CA re-verify all the other CAs to ensure that
the chain is not broken. Provide a force option to handle cases
where the CA is expired or verification fails for some other
reason, or you really just want them gone.

https://pagure.io/freeipa/issue/8124

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-28 13:05:31 -05:00
Rob Crittenden
b5b9efeb57 Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit
A "cookie" is used with certmonger to track the state of a
request across multiple requests to a CA (in ca-cookie). This
is used with the certmonger POLL operation to submit a request
to the CA for the status of a certificate request. This, along
with the profile, are passed to the certmonger CA helper
scripts via environment variables when a request is made. It is
cleared from the certmonger request once the certificate is
issued.

This CA helper can do a number of things:

- SUBMIT new certicate requests (including the CA)
- POLL for status of an existing certificate request
- For non renewal masters, POLL to see if an updated cert is in
  LDAP

A POLL operation requires a cookie so that the state about the
request can be passed to the CA. For the case of retrieving an
updated cert from LDAP there is no state to maintain. It just
checks LDAP and returns either a cert or WAIT_WITH_DELAY if one
is not yet available.

There are two kinds of cookies in operation here:
1. The CERTMONGER_CA_COOKIE environment variable passed via
   certmonger to this helper which is a JSON object.
2. The cookie value within the JSON object which contains the
   URL to be passed to dogtag.

For the purposes of clarity "cookie" here is the value within
the JSON.

The CERTMONGER_CA_COOKIE is deconstructed and reconstructed as
the request is processed, doing double duty. It initially comes
in as a JSON dict object with two keys: profile and cookie.
In call_handler the CERTMONGER_CA_COOKIE is decomposed into a
python object and the profile compared to the requested profile
(and request rejected if they don't match) and the cookie key
overrides the CERTMONGER_CA_COOKIE environment variable. This is
then reversed at the end of the request when it again becomes a
JSON object containing the profile and cookie.

This script was previously enforcing that a cookie be available on
all POLL requests, whether it is actually required or not. This
patch relaxes that requirement.

The first request of a non-renewal master for an updated certicate
from LDAP is a SUBMIT operation. This is significant because it
doesn't require a cookie: there is no state on a new request. If
there is no updated cert in LDAP then the tracking request goes
into the CA_WORKING state and certmonger will wait 8 hours (as
returned by this script) and try again.

Subsequent requests are done using POLL. This required a cookie
so all such requests would fail with the ca-error
Invalid cookie: u'' as it was empty (because there is no state).

There is no need to fail early on a missing cookie. Enforcement
will be done later if needed (and it isn't always needed). So
if CERTMONGER_CA_COOKIE is an empty string then generate a new
CERTMONGER_CA_COOKIE containing the requested profile and an empty
cookie. It still will fail if certmonger doesn't set a cookie at
all.

An example of a cookie when retrieving a new RA Agent certificate
is:

{"profile": "caServerCert", "cookie": "state=retrieve&requestId=20"}

This will result in this request to the CA:
[09/Jan/2020:14:29:54 -0500] "GET
/ca/ee/ca/displayCertFromRequest?requestId=20&importCert=true&xml=true
HTTP/1.1" 200 9857

For a renewal, the reconstructed cookie will consist of:

{"profile": "caServerCert", "cookie": ""}

https://pagure.io/freeipa/issue/8164

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-13 10:08:38 -05:00
Florence Blanc-Renaud
8a522bed6b ipa-cacert-manage man page: fix indentation
Fix the indentation of the SYNPOSIS section

Fixes: https://pagure.io/freeipa/issue/8138
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-12-13 17:49:22 +02:00
Florence Blanc-Renaud
2c9b212cf0 trust upgrade: ensure that host is member of adtrust agents
After an upgrade, the group cn=adtrust agents may be missing some members.
Each ad trust controller must appear twice as member:
- krbprincipalname=cifs/hostname@realm,cn=services,cn=accounts,basedn
- fqdn=hostname,cn=computers,cn=accounts,basedn

Add an upgrade plugin that builds a list of hostnames from the cifs
principals and adds if needed fqdn=hostname...

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1778777
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-12-04 09:06:56 +01:00
Alexander Bokovoy
c5f32165d6 Add Authentication Indicator Kerberos ticket policy options
For the authentication indicators 'otp', 'radius', 'pkinit', and
'hardened', allow specifying maximum ticket life and maximum renewable
age in Kerberos ticket policy.

The policy extensions are now loaded when a Kerberos principal data is
requested by the KDC and evaluated in AS_REQ KDC policy check. If one of
the authentication indicators mentioned above is present in the AS_REQ,
corresponding policy is applied to the ticket.

Related: https://pagure.io/freeipa/issue/8001

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-21 11:13:12 -05:00
Serhii Tsymbaliuk
7f6b1c99f0
WebUI: Fix notification area layout
The fix prevents blocking elements in the right side near notification area.
Notification area now has fixed width and it isn't offset.
Also notification icon is aligned to notification text.

Ticket: https://pagure.io/freeipa/issue/8120

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-11-21 16:44:11 +01:00
Serhii Tsymbaliuk
c0b0c6b4b5
WebUI: Fix adding member manager for groups and host groups
- fix API method call for adding member manager
- fix regressions in host group associated tables

Ticket: https://pagure.io/freeipa/issue/8123

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-11-19 13:31:08 +01:00
Cédric Jeanneret
6c27104467 Prevents DNS Amplification Attack and allow to customize named
While [1] did open recursion, it also opened widely a security flaw.

This patch intends to close it back, while allowing operators to easily
add their open configuration within Bind9.

In order to allow operators to still open Bind recursion, a new file is
introduced, "ipa-ext.conf" (path might change according to the OS). This
file is not managed by the installer, meaning changes to it won't be
overridden.
Since it's included at the very end of the main configuration file, it
also allows to override some defaults - of course, operators have to be
careful with that.

Related-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1754530
Fixes: https://pagure.io/freeipa/issue/8079

[1] 5f4c75eb28

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2019-11-12 10:49:49 +02:00
Christian Heimes
f0a1f084b6 Add group membership management
A group membership manager is a user or a group that can add members to
a group or remove members from a group or host group.

Fixes: https://pagure.io/freeipa/issue/8114
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 09:31:14 +01:00
Christian Heimes
bc56642bf9 Block camellia in krbenctypes update in FIPS
Add FIPS conditional to updates to prevent updater from adding camellia
encsalttypes.

Fixes: https://pagure.io/freeipa/issue/8111
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-05 11:48:28 -05:00
Rob Crittenden
09d5b938c1 Enable AES SHA 256 and 384-bit enctypes in Kerberos
https://pagure.io/freeipa/issue/8110

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-11-04 09:45:07 -05:00
Fraser Tweedale
7ea50ff76d upgrade: fix ipakra people entry 'description' attribute
Add an upgrade script to detect when ipakra people entry has
incorrect 'description' attribute and fix it.

Part of: https://pagure.io/freeipa/issue/8084

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-10-17 08:17:46 +02:00
Florence Blanc-Renaud
0fc8562b24 ipa-server-certinstall manpage: add missing options
Some options were not documented in the man page:
--version
-h, --help
-p DIRMAN_PASSWD (but the long name --dirman-password is in the man page)
-v, --verbose
-q, --quiet
--log-file=FILE

Fixes: https://pagure.io/freeipa/issue/8086
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-17 08:11:45 +02:00
Fraser Tweedale
bfead9ce66 ipa-pki-retrieve-key: request AES encryption (with fallback)
Update the ipa-pki-retrieve-key client to issue a request that
specifies that AES encryption should be used.  If the server
responds 404, fall back to a request *without* an algorithm
parameter.  This handles both of the possible 404 scenarios:

a) It is an old server that does not support extra Custodia key
   parameters;

b) The server supports extra parameters but the key does not exist,
   in which case the fallback request will also fail with 404.

Fixes: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-09-25 12:42:06 +10:00
Christian Heimes
90f7232454 Don't create log files from help scripts
Helper scripts now use api.bootstrap(log=None) to avoid the creation of
log files. Helper scripts are typically executed from daemons which
perform their own logging. The helpers still log to stderr/stdout.

This also gets rid of some SELinux AVCs when the script tries to write
to /root/.ipa/.

Fixes: https://pagure.io/freeipa/issue/8075
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-24 15:23:30 +02:00
Florence Blanc-Renaud
802e54dd0e replica install: enforce --server arg
When the --server option is provided to ipa-replica-install (1-step
install), make sure that the server offers all the required roles
(CA, KRA). If it's not the case, refuse the installation.

Note that the --server option is ignored when promoting from client to
replica (2-step install with ipa-client-install and ipa-replica-install),
meaning that the existing behavior is not changed in this use case:
by default the host specified in default.conf as server is used for
enrollment, but if it does not provide a required role, another host can
be picked for CA or KRA setup.

Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2019-09-23 14:36:10 +02:00
Serhii Tsymbaliuk
4dbc6926b1 WebUI: Fix new test initialization on "HBAC Test" page
"New Test" action cleared only information about selected options but kept
radio buttons checked. It confused users and caused an error on validation step.

New behaviour is:
- tables forget all selected values after "New Test" click;
- first table record is checked initially in case the option is mandatory;
- all records is unchecked initially in case the option is not mandatory.

Ticket: https://pagure.io/freeipa/issue/8031

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-09-17 18:12:43 -03:00
Serhii Tsymbaliuk
755154318a
WebUI: Fix changing category on HBAC/Sudo/etc Rule pages
No object can be added to a rule when object category is 'all'.
So while editing rule there is needed to save actual category value
before adding related objects.

Ticket: https://pagure.io/freeipa/issue/7961

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-09-17 08:35:32 +02:00
Alexander Bokovoy
0be9888499 adtrust: add default read_keys permission for TDO objects
If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.

This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permissions which
grants access to trust agents and trust admins.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-09-12 17:17:53 +03:00
Serhii Tsymbaliuk
123c93f92c WebUI: Make 'Unlock' option is available only on locked user page
The implementation includes checking password policy for selected user.
'Unlock' option is available only in case user reached a limit of login failures.

Ticket: https://pagure.io/freeipa/issue/5062
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-09-11 18:26:34 +02:00
Changmin Teng
b66e8a1ee2 Modify webUI to adhere to new IPA server API
Given the changes in IPA server API changes, whebUI is modified to
utilize new authentication indicators, and disabled custom indicators
for services' white list.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2019-09-10 12:33:21 +03:00
Robbie Harwood
179c8f4009 Add a skeleton kdcpolicy plugin
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2019-09-10 12:33:21 +03:00
Robbie Harwood
39e3704a06 Move certauth configuration into a server krb5.conf template
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2019-09-10 12:33:21 +03:00
Changmin Teng
9c0a35f1e7 Add new authentication indicators in kdc.conf.template
As of release 1.17, KDC can be configured to apply authentication
indicator for SPAKE, PKINIT, and encrypted challenge preauth via
FAST channel, which are not configured in current version of freeIPA.

Note that even though the value of encrypted_challenge_indicator is
attached only when encrypted challenge preauth is performed along
a FAST channel, it's possible to perform FAST without encrypted
challenge by using SPAKE. Since there is no reason to force clients
not to use SPAKE while using FAST, we made a design choice to merge
SPAKE and FAST in a new option called "Hardened Password", which
requires user to use at least one of SPAKE or FAST channel. Hence
same value attaching to both spake_preauth_indicator and
encrypted_challenge_indicator.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2019-09-10 12:33:21 +03:00
Rob Crittenden
65d38af9e2 Skip lock and fork in ipa-server-guard on unsupported ops
On startup certmonger performs a number of options on the
configured CA (IPA, not to be confused with the real dogtag CA)
and the tracking requests.

Break early for operations that are not supported by ipa-submit.
This will save both a fork and a lock call.

https://bugzilla.redhat.com/show_bug.cgi?id=1656519

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-09-06 10:29:43 -04:00
Rob Crittenden
0770254ce3 Defer initializing the API in dogtag-ipa-ca-renew-agent-submit
Wait until we know a supported operation is being called
(SUBMIT and POLL) before initializing the API, which can be
an expensive operation.

https://bugzilla.redhat.com/show_bug.cgi?id=1656519

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-09-06 10:29:43 -04:00
Rob Critenden
e5af8c19a9 Move ipachangeconf from ipaclient.install to ipapython
This will let us call it from ipaplatform.

Mark the original location as deprecated.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-08-28 22:15:50 -04:00
Timo Aaltonen
0000fe0502 install: Add missing scripts to app_DATA.
Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-08-11 11:37:29 +03:00
Theodor van Nahl
adcf04255c Fix UnboundLocalError in ipa-replica-manage on errors
If ipa-replica-manage is unable to retrieve e.g. due to certificate
validity problem. An UnboundLocalError is thrown for `type1`. This fixes
the issue with a clean exit.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-08-06 07:13:37 +02:00
Serhii Tsymbaliuk
6af723c0c3 WebUI: Add PKINIT status field to 'Configuration' page
- Add 'Server Options' section to the page
- Add 'IPA master capable of PKINIT' field to the 'Server Options'

Ticket: https://pagure.io/freeipa/issue/7305

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-26 18:10:02 +02:00
Fraser Tweedale
1fb6fda01f dogtag-ipa-ca-renew-agent: always use profile-based renewal
Update the renewal helper to always request a new certificate
("enrollment request") instead of using "renewal request".  The
latter is brittle in the face of:

- missing certificate record in database

- missing original request record in database (pointed to by
  certificate record)

- "mismatched" certificate or request records (there have been many
  cases of this; it is suspected that request/serial range conflicts,
  or something similar, may be the cause)

The Dogtag tracking request must know what profile to use, except
where the certificate uses the default profile ("caServerCert" per
'dogtag-ipa-renew-agent' implementation in Certmonger itself).
This part of the puzzle was dealt with in previous commits.

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
858ef59948 certmonger: use long options when invoking dogtag-ipa-renew-agent
To aid reader comprehension, use long options instead of short
options when invoking dogtag-ipa-renew-agent.

  -N -> --force-new
  -O -> --approval-option

Part of: https://pagure.io/freeipa/issue/7991

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-07-22 13:33:24 +10:00
Fraser Tweedale
21a9a7107a install: fix --external-ca-profile option
Commit dd47cfc75a removed the ability
to set pki_req_ext_oid and pki_req_ext_data in the pkispawn config.
This results in the --external-ca-profile option never setting the
requested values in the CSR (the default V1 template type specifying
"SubCA" is always used).

Remove relevant fields from both ipaca_default.ini and
ipaca_customize.ini.  This allows the IPA framework to set the
values (i.e. when --external-ca-type=ms-cs and
--external-ca-profile=... demand it).  It also allows users to
override the pki_req_ext_* settings.

Part of: https://pagure.io/freeipa/issue/7548
Related: https://pagure.io/freeipa/issue/5608
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-17 17:58:58 +03:00
Fraser Tweedale
130e1dc343 move MSCSTemplate classes to ipalib
As we expand the integration tests for external CA functionality, it
is helpful (and avoids duplication) to use the MSCSTemplate*
classes.  These currently live in ipaserver.install.cainstance, but
ipatests is no longer permitted to import from ipaserver (see commit
81714976e5e13131654c78eb734746a20237c933).  So move these classes to
ipalib.

Part of: https://pagure.io/freeipa/issue/7548

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-17 17:58:58 +03:00
Alexander Bokovoy
725899595f Create indexes for altSecurityIdentities and ipaCertmapData attributes
During an investigation into filter optimisation in 389DS it was
discovered that two attributes of the certmap query are unindexed.
Due to the nature of LDAP filters, if any member of an OR query is
unindexed, the entire OR becomes unindexed.

This is then basically a full-table scan, which applies the filter test
to the contained members.

Fixes: https://pagure.io/freeipa/issue/7932
Fixes: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-17 17:50:07 +03:00
Alexander Bokovoy
5a83eea20b Add altSecurityIdentities attribute from MS-WSPP schema definition
Active Directory schema includes altSecurityIdentities attribute
which presents alternative security identities for a bindable object in
Active Directory.

FreeIPA doesn't currently use this attribute. However, SSSD certmap
library may generate searches referencing the attribute if it is
specified in the certificate mapping rule. Such search might be
considered unindexed in 389-ds.

Define altSecurityIdentities attribute to allow specifying indexing
rules for it.

Fixes: https://pagure.io/freeipa/issue/7932
Related: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-17 17:50:07 +03:00
Stanislav Levin
ac1ea0ec67 Fix test_webui.test_selinuxusermap
A previous refactoring of SELinux tests has have a wrong
assumption about the user field separator within
ipaSELinuxUserMapOrder. That was '$$', but should be just '$'.

Actually, '.ldif' and '.update' files are passed through
Python template string substitution:

> $$ is an escape; it is replaced with a single $.
> $identifier names a substitution placeholder matching
> a mapping key of "identifier"

This means that the text to be substituted on should not be escaped.
The wrong ipaSELinuxUserMapOrder previously set will be replaced on
upgrade.

Fixes: https://pagure.io/freeipa/issue/7996
Fixes: https://pagure.io/freeipa/issue/8005
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-15 14:41:23 +03:00
Rob Crittenden
dd9fd0971f Remove DES3 and RC4 enctypes from Kerberos
These are already marked as deprecated by the KDC.

Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-07-02 10:35:00 +03:00
Rob Crittenden
a43100badc Don't configure disabled krb5 enctypes in FIPS mode
The only permitted ciphers are the AES family (called aes, which
is the combination of: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and
aes128-cts-hmac-sha256-128).

DES, RC4, and Camellia are not permitted in FIPS mode.  While 3DES
is permitted, the KDF used for it in krb5 is not, and Microsoft
doesn't implement 3DES anyway.

This is only applied on new installations because we don't
allow converting a non-FIPS install into a FIPS one.

Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-07-02 10:35:00 +03:00
Stanislav Levin
b2acd65013 Make use of single configuration point for SELinux
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.

This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER

and applies corresponding changes to the test code.

Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-07-01 14:44:57 +03:00
Stanislav Levin
215e8f768c Fix a typo in replace rule of 50-ipaconfig.update
According to ipaserver/install/ldapupdate.py, the format of `replace`
action (during a parsing of update files) should be `old::new`.

By now, the value to be replaced on is 'ipaSELinuxUserMapOrder: guest_u$$...',
while it should be 'guest_u$$...'.

Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-07-01 14:44:57 +03:00
Tibor Dudlák
c18ee9b641
Add SMB attributes for users
SMB attributes are used by Samba domain controller when reporting
details about IPA users via LSA DCE RPC calls.

Based on the initial work from the external plugin:
https://github.com/abbra/freeipa-user-trust-attributes

Related: https://pagure.io/freeipa/issue/3999

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Tibor Dudlák <tdudlak@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-07-01 13:21:21 +02:00
Serhii Tsymbaliuk
dd7198acec
WebUI: Fix automount maps pagination
Apply pagination filter for cases when all table data is already loaded.

Ticket: https://pagure.io/freeipa/issue/6627

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-07-01 09:10:01 +02:00
Serhii Tsymbaliuk
93dc2d569d
WebUI: Disable 'Unlock' action for users with no password
Administrator should reset user password to make the unlock option available.

Ticket: https://pagure.io/freeipa/issue/5062

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-07-01 09:05:07 +02:00
Alexander Bokovoy
d631e008cc adtrust: update Samba domain controller keytab with host keys
When DCERPC clients use Kerberos authentication, they use a service
ticket to host/domain.controller because in Active Directory any
service on the host is an alias to the machine account object.

In FreeIPA each Kerberos service has own keys so host/.. and cifs/..
do not share the same keys. It means Samba suite needs to have access to
host/.. keytab entries to validate incoming DCERPC requests.

Unfortunately, MIT Kerberos has no means to operate on multiple keytabs
at the same time and Samba doesn't implement this either. We cannot use
GSS-Proxy as well because Samba daemons are running under root.

As a workaround, copy missing aes256 and aes128 keys from the host
keytab. SMB protocol doesn't use other encryption types and we don't
have rc4-hmac for the host either.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-29 11:00:28 +03:00
Alexander Bokovoy
6c9fcccfbc trust-fetch-domains: make sure we use right KDC when --server is specified
Since we are authenticating against AD DC before talking to it (by using
trusted domain object's credentials), we need to override krb5.conf
configuration in case --server option is specified.

The context is a helper which is launched out of process with the help
of oddjobd. The helper takes existing trusted domain object, uses its
credentials to authenticate and then runs LSA RPC calls against that
trusted domain's domain controller. Previous code directed Samba
bindings to use the correct domain controller. However, if a DC visible
to MIT Kerberos is not reachable, we would not be able to obtain TGT and
the whole process will fail.

trust_add.execute() was calling out to the D-Bus helper without passing
the options (e.g. --server) so there was no chance to get that option
visible by the oddjob helper.

Also we need to make errors in the oddjob helper more visible to
error_log. Thus, move error reporting for a normal communication up from
the exception catching.

Resolves: https://pagure.io/freeipa/issue/7895
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-06-28 13:30:59 +02:00
François Cami
37ab150cc7 Introduce minimal ipa-client-automount.in and ipactl.in
Now that ipa-client-automount and ipactl main logic has been
moved into modules, introduce minimal executables.

Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-28 10:53:07 +02:00
François Cami
c0cf65c4f7 Move ipa-client-automount.in and ipactl into modules
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-28 10:53:07 +02:00
Serhii Tsymbaliuk
881ec5a317
WebUI: Fix 'user not found' traceback on user ID override details page
Disable link to user page from user ID override in case it is in 'Default Trust View'

Ticket: https://pagure.io/freeipa/issue/7139

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-06-27 10:10:40 +02:00
Christian Heimes
6d02eddd3e Replace PYTHONSHEBANG with valid shebang
Replace the @PYTHONSHEBANG@ substitution with a valid #!/usr/bin/python3
shebang. This turns Python .in files into valid Python files. The files
can now be checked with pylint and IDEs recognize the files as Python
files.

The shebang is still replaced with "#!$(PYTHON) -E" to support
platform-python.

Related: https://pagure.io/freeipa/issue/7984
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-06-24 09:35:57 +02:00
Stanislav Levin
d86b57c057 Make use of the single configuration point for the default shells
For now all the default shells of users and admin are hardcoded in
different parts of the project. This makes it impossible to run the
test suite against the setup, which has the default shell differed
from '/bin/sh'.

The single configuration point for the shell of users and admin is
added to overcome this limitation.

Fixes: https://pagure.io/freeipa/issue/7978
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-19 11:39:51 +02:00
Christian Heimes
c027b9334b Fix CustodiaClient ccache handling
A CustodiaClient object has to the process environment a bit, e.g. set
up GSSAPI credentials. To reuse the credentials in libldap connections,
it is also necessary to set up a custom ccache store and to set the
environment variable KRBCCNAME temporarily.

Fixes: https://pagure.io/freeipa/issue/7964
Co-Authored-By: Fraser Tweedale <ftweedal@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-06-18 10:36:24 +10:00
Fraser Tweedale
a9f09fee56 ipa-cert-fix: add man page
Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
09aa3d1f76 Add ipa-cert-fix tool
The ipa-cert-fix tool wraps `pki-server cert-fix`, performing
additional certificate requests for non-Dogtag IPA certificates and
performing additional actions.  In particular:

- Run cert-fix with arguments particular to the IPA deployment.

- Update IPA RA certificate in the ipara user entry (if renewed).

- Add shared certificates (if renewed) to the ca_renewal LDAP
  container for replication.

- Become the CA renewal master if shared certificates were renewed.
  This ensures other CA replicas, including the previous CA renewal
  master if not the current host, pick up those new certificates
  when Certmonger attempts to renew them.

Fixes: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
c28a42e27e cainstance: add function to determine ca_renewal nickname
The ipa-cert-fix program needs to know where to put shared
certificates.  Extract the logic that computes the nickname from
dogtag-ipa-ca-renew-agent to new subroutine
cainstance.get_ca_renewal_nickname().

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
Fraser Tweedale
a2a006c746 Extract ca_renewal cert update subroutine
When the CA renewal master renews certificates that are shared
across CA replicas, it puts them in LDAP for the other CA replicas
to see.  The code to create/update these entries lives in the
dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for
the ipa-cert-fix program too.  Extract it to a subroutine in the
cainstance module.

Part of: https://pagure.io/freeipa/issue/7885

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-29 12:49:27 +10:00
German Parente
ef324a7f13 ipa-replica-manage: remove "last init status" if it's None.
we remove the "last init status" section in the output of
ipa-replica-manage to avoid confusion and show epoch date
when status is None

Fixes: https://pagure.io/freeipa/issue/7716

Signed-off-by: German Parente <gparente@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-28 09:47:55 +02:00
Alexander Bokovoy
b5fbbd1957 Keytab retrieval: allow requesting arcfour-hmac for SMB services
With system-wide crypto policy in use, arcfour-hmac encryption type
might be removed from the list of permitted encryption types in the MIT
Kerberos library. Applications aren't prevented to use the arcfour-hmac
enctype if they operate on it directly.

Since FreeIPA supported and default encryption types stored in LDAP, on
the server side we don't directly use a set of permitted encryption
types provided by the MIT Kerberos library. However, this set will be
trimmed to disallow arcfour-hmac and other weaker types by default.

While the arcfour-hmac key can be generated and retrieved, MIT Kerberos
library will still not allow its use in Kerberos protocol if it is not
on the list of permitted encryption types. We only need this workaround
to allow setting up arcfour-hmac key for SMB services where arcfour-hmac
key is used to validate communication between a domain member and its
domain controller. Without this fix it will not be possible to request
setting up a machine account credential from the domain member side. The
latter is needed for Samba running on IPA client.

Thus, extend filtering facilities in ipa-pwd-extop plugin to explicitly
allow arcfour-hmac encryption type for SMB services (Kerberos principal
name starts with cifs/).

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-28 09:55:51 +03:00
Thierry Bordaz
67490acb04 Switch nsslapd-unhashed-pw-switch to nolog
389-ds will change the default value of nsslapd-unhashed-pw-switch from 'on' to 'off'
For new or upgraded IPA instance, in case of winsync deployment the attribute is set
to 'on' and a warning is displayed.  Else the attribute is set to 'nolog'

https://pagure.io/freeipa/issue/4812

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-24 12:42:51 +02:00
Serhii Tsymbaliuk
6a9c20a87c
Fix occasional 'whoami.data is undefined' error in FreeIPA web UI
'Metadata' phase (Web UI initialization flow) doesn't wait "whoami" response.
It causes the error when on the next phase "whoami" data is undefined.
To avoid this "whoami" request now has flag async = false,
so init_metadata waits until it will be completed.

Ticket: https://pagure.io/freeipa/issue/7917

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-21 14:45:27 +02:00
Rob Crittenden
6662e99e17 Add knob to limit hostname length
On Linux systems the length limit for hostnames is hardcoded
at 64 in MAXHOSTNAMELEN

Solaris, for example, allows 255 characters, and DNS allows the
total length to be up to 255 (with each label < 64).

Add a knob to allow configuring the maximum hostname length (FQDN)

The same validators are used between hosts and DNS to apply
the knob only when dealing with a FQDN as a hostname.

The maxlen option is included so installers can limit the length
of allowed hostnames when the --hostname option is used.

https://pagure.io/freeipa/issue/2018

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-16 14:38:43 -04:00
Alexander Bokovoy
294aa3a333 Revert "Require a minimum SASL security factor of 56"
This reverts commit 3509545897.

We cannot force increase in minimum SASL security factor until our
consumers are ready to deal with it. Unfortunately, realmd uses
anonymous connection for discovery and validation of IPA LDAP server.

The way it is done is fragile (it doesn't take into account an
advertised IPA version, only checks that 'IPA' string exists in the info
field) but since bumping of minimum SSF prevents reading IPA info field
using anonymous connection, client enrollment fails.

We should get back to bumping minimum SSF after realmd and other
potential consumers are fixed.

Reviewed-By: François Cami <fcami@redhat.com>
2019-05-02 11:39:23 +02:00
Florence Blanc-Renaud
161008d5ca ipactl restart: fix wrong logic when checking service list
ipactl is building a list of currently running services from
the content of /var/run/ipa/services.list, and a list of expected services
from the services configured in LDAP.

Because CA and KRA both correspond to the same pki-tomcatd service, the
lists may contain duplicates. The code handling these duplicates is called
at the wrong place, and may result in a wrong list of services to
stop / restart / start.
The fix removes the duplicates before returning the lists, hence making sure
that there is no error when building the list of services to stop / restart
/ start.

Fixes: https://pagure.io/freeipa/issue/7927
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-26 17:26:00 +02:00
Christian Heimes
beffa7bcda Move Custodia secrets handler to scripts
Implement the import and export handlers for Custodia keys as external
scripts. It's a prerequisite to drop DAC override permission and proper
SELinux rules for ipa-custodia.

Except for DMLDAP,  handlers no longer run as root but as handler
specific users with reduced privileges. The Dogtag-related handlers run
as pkiuser, which also help with HSM support.

The export and import handles are designed to be executed by sudo, too.
In the future, ipa-custodia could be executed as an unprivileged process
that runs the minimal helper scripts with higher privileges.

Fixes: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:09:22 +02:00
Alexander Bokovoy
b2c5691e73 Enforce SMBLoris attack protection in default Samba configuration
See https://access.redhat.com/security/vulnerabilities/smbloris for
details.

There is no recommended value but for IPA DC we can limit with 1000
concurrent connections from unrelated clients.

Related: https://pagure.io/freeipa/issue/6951
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 15:47:19 -04:00
Alexander Bokovoy
4ba888694b Set idmap config for Samba to follow IPA ranges and use SSSD
Implicit idmap configuration in Samba was changed in Samba 4.7 to always
require range definition. A default ('*') idmap configuration lacks any
range and thus is marked by testparm utility as invalid one.

Since we do not expect Samba allocating any IDs, idmap configuration
needs to be set in a such way that it is correct from Samba side and is
effectively disabling any allocation on those domains that we don't need
to handle.

Note that 'idmap config <domain> : range' parameter accepts range in a
special format with spaces 'begin - end', so we have to keep the
formatting of the range exact.

Related: https://pagure.io/freeipa/issue/6951
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 15:47:19 -04:00
Christian Heimes
dd58a705e5 Fix and extend pki config override test
* override ipa_ca_key_size
* test with SHA512withRSA

Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-24 17:08:24 +02:00
Christian Heimes
81d0108afc Debian: auto-generate config files for oddjobd
The oddjobd config files are now auto-generated with automake to have
correct path to libexec on all platforms.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
da2cf1c513 Debian: Add paths for open-sans and font-awesome
Debian has different paths and path suffix for font-awesome. Let's have
explicit paths for all our fonts.

Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
d796c37f17 Debian: use -m lesscpy instead of hard-coded name
python3 -m lesscpy now works correctly. The make-css.sh script is
replaced with a simpler make call and ipa.css now depends on all less
files.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
3f9e23f125 Add ExecStartPost hook to wait for Dogtag PKI
Dogtag PKI typically takes around 10 seconds to start and respond to
requests. Dogtag uses a simple systemd service, which means systemd is
unable to detect when Dogtag is ready. Commands like ``systemctl start``
and ``systemctl restart`` don't block and wait until the CA is up. There
have been various workarounds in Dogtag and IPA.

Systemd has an ExecStartPost hook to run programs after the main service
is started. The post hook blocks systemctl start and restart until all
post hooks report ready, too. The new ipa-pki-wait-running script polls
on port 8080 and waits until the CA subsystem returns ``running``.

Related: https://pagure.io/freeipa/issue/7916
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-24 09:09:28 +02:00
Christian Heimes
45b8cc1d83 Increase default key size for CA to 3072 bits
The signing key for IPA's CA certificate now uses a 3072 bit RSA key by
default.

According to https://www.keylength.com/, NIST 800-57 Part 1 Rev. 4
recommends 3072 bit RSA keys for keys that are used beyond 2030 for 128 bit
strength.

Fixes: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-16 16:51:40 +02:00
Christian Heimes
2b2c5d6c93 Add --pki-config-override to man pages
Mention the new option in the man pages for CA, KRA, replica, and server
installation. The documentation must be improved once we have figured
out which options are going to be supported.

Fixes: pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-10 13:43:23 +02:00
Christian Heimes
94937424b1 Simplify and consolidate ipaca.ini
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-10 13:43:23 +02:00
Christian Heimes
dd47cfc75a Add pki.ini override option
Allow to specify a pki.ini overlay file on the command line. The override
file can be used to override pkispawn settings.

Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-10 13:43:23 +02:00
Christian Heimes
f847d7756f Use new pki_ipaca.ini to spawn instances
Note: Some configuration stanzas are deprecated and have been replaced
with new stanzas, e.g. pki_cert_chain_path instead of
pki_external_ca_cert_chain_path.

Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-10 13:43:23 +02:00
Christian Heimes
70beccada2 Add IPA specific vars to ipaca_default.ini
Common settings like "pki_*_signing_key_algorithm" now use an IPA
specific template variable. The approach makes it easier to change all
signing parameters to use a different algorithm.

Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-10 13:43:23 +02:00
Christian Heimes
0a2b02fc62 Simplify and slim down ipaca_default.ini
* Remove internal stuff from DEFAULT section
* Remove all non-user modifiable paths
* Remove OCSP, RA, TKS, TPS sections
* Remove deprecated options and replace them with current options

Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-10 13:43:23 +02:00
Christian Heimes
8c4d75fd2e Add current default.cfg from Dogtag
base/server/etc/default.cfg from commit
b93183406c

Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-10 13:43:23 +02:00
Alexander Bokovoy
cb0f24bfe2 Bypass D-BUS interface definition deficiences for trust-fetch-domains
In oddjobd it is possible to pass arguments as command line or on the
stdin. We use command line to pass them but the way oddjobd registers
the D-BUS method signatures is by specifying all arguments as mandatory.

Internally, oddjobd simply ignores if you passed less arguments than
specified in the D-BUS defition. Unfortunately, it is not possible to
specify less than maximum due to D-BUS seeing all arguments in the
list (30 is defined for the trust-fetch-domains).

To pass options, have to pad a list of arguments to maximum with empty
strings and then filter out unneeded ones in the script. Option parser
already removes all options from the list of arguments so all we need to
do is to take our actual arguments. In case of trust-fetch-domains, it
is the name of the domain so we can only care about args[0].

Fixes: https://pagure.io/freeipa/issue/7903
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-04-08 17:51:38 +02:00
Christian Heimes
3509545897
Require a minimum SASL security factor of 56
SSF_MINX 56 level ensures data integrity and confidentiality for SASL
GSSAPI and SASL GSS SPNEGO connections.

Although at least AES128 is enforced pretty much everywhere, 56 is required
for backwards compatibility with systems that announce wrong SSF.

Related: https://pagure.io/freeipa/issue/7140
Related: https://pagure.io/freeipa/issue/4580
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-04-03 15:16:21 +02:00
Christian Heimes
1dfac4f5b7 Move DS's Kerberos env vars to unit file
The IPA specific env vars KRB5_KTNAME and KRB5CCNAME are now defined in
a instance specific ipa-env.conf unit file.

Fixes: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-02 19:35:38 +02:00
Christian Heimes
3cb1ccb3b0 Add option to remove lines from a file
config_replace_variables() can now also remove lines from a file.

Related: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-02 19:35:38 +02:00
Alexander Bokovoy
de4a9875d4 oddjob: allow to pass options to trust-fetch-domains
Refactor com.redhat.idm.trust-fetch.domains oddjob helper to allow
passing administrative credentials and a domain controller to talk to.

This approach allows to avoid rediscovering a domain controller in case
a user actually specified the domain controller when establishing trust.

It also allows to pass through admin credentials if user decides to do
so. The latter will be used later to allow updating trust topology in a
similar oddjob helper.

Resolves: https://pagure.io/freeipa/issue/7895
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-01 13:27:41 +02:00
Christian Heimes
8b1bb211c4 Synchronize hidden state from IPA master role
ipa-{adtrust|ca|dns|kra}-install on a hidden replica also installs the
new service as hidden service.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Christian Heimes
025facb85c Add hidden replica feature
A hidden replica is a replica that does not advertise its services via
DNS SRV records, ipa-ca DNS entry, or LDAP. Clients do not auto-select a
hidden replica, but are still free to explicitly connect to it.

Fixes: https://pagure.io/freeipa/issue/7892
Co-authored-by: Francois Cami <fcami@redhat.com>:
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Alexander Bokovoy
dca901c05e upgrade: add trust upgrade to actual upgrade code
Fixes: https://pagure.io/freeipa/issue/6077
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-03-28 14:08:19 +01:00
Alexander Bokovoy
120bab0d9c trust: allow trust agents to read POSIX identities of trust
SSSD and Samba on IPA masters need to be able to look up POSIX
attributes of trusted domain objects in order to allow Active Directory
domain controllers from trusted forests to connect to LSA and NETLOGON
pipes.

We only have access to read POSIX attributes in cn=accounts,$SUFFIX
subtree rather than whole $SUFFIX. Thus, add an ACI to trusts subtree.

Fixes: https://pagure.io/freeipa/issue/6077
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-03-28 14:08:19 +01:00
Florence Blanc-Renaud
6e8d38caa8 ipa-replica-manage: fix force-sync
ipa-replica-manage force-sync --from <server> is performing a wrong check
that may result in the tool looping on "No status yet".

force-sync is adding a nsds5replicaupdateschedule attribute to the
replication agreement in order to force replication to wake up. Note that
this is not a re-initialization (re init drops the current db and reloads
the entire db).

In a second step, force-sync is checking the replication agreement by reading
nsds5BeginReplicaRefresh, nsds5ReplicaLastInitStatus,
nsds5ReplicaLastInitStart and nsds5ReplicaLastInitEnd. This is a wrong
test as force-sync is not an init operation and does not touch these
attributes.

The tool should call wait_for_repl_update rather than wait_for_repl_init.
This way, the check is done on the replication agreement attributes
nsds5replicaUpdateInProgress, nsds5ReplicaLastUpdateStatus,
nsds5ReplicaLastUpdateStart and nsds5ReplicaLastUpdateEnd.

Fixes: https://pagure.io/freeipa/issue/7886
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-03-25 09:46:36 +01:00
Serhii Tsymbaliuk
133b199f61
Web UI (topology graph): Show FQDN for nodes if they have no common DNS zone
It allows to avoid confusion with identical short hostnames.

There are two cases implemented:
- no common DNS zone: graph shows FQDN for all nodes
- all nodes have one common DNS zone: graph shows DN relatively to the common zone

https://pagure.io/freeipa/issue/7206

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-03-21 16:01:11 +01:00
Florence Blanc-Renaud
0d23fa9278 CRL generation master: new utility to enable|disable
Implement a new command ipa-clrgen-manage to enable, disable, or check
the status of CRL generation on the localhost.
The command automates the manual steps described in the wiki
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

Fixes: https://pagure.io/freeipa/issue/5803
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-03-14 09:39:55 +01:00
Christian Heimes
d87a3b01e0 Let 389-DS configure LDAPI for us
The new lib389 installer configures LDAPI with correct socket path by
default. Use LDAPI to boot strap the IPA domain and autobind.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-02-05 08:39:13 -05:00
Christian Heimes
a3934a211d Use new LDAPClient constructors
Replace get_ldap_uri() + LDAPClient() with new LDAPClient constructors
like LDAPClient.from_realm().

Some places now use LDAPI with external bind instead of LDAP with simple
bind. Although the FQDN *should* resolve to 127.0.0.1 / [::1], there is
no hard guarantee. The draft
https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-04#section-5.1
specifies that applications must verify that the resulting IP is a
loopback API. LDAPI is always local and a bit more efficient, too.

The simple_bind() method also prevents the caller from sending a
password over an insecure line.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-02-05 08:39:13 -05:00
Christian Heimes
5be9341fba Add constructors to ldap client
Add LDAPClient.from_realm(), LDAPClient.from_hostname_secure(), and
LDAPClient.from_hostname_plain() constructors.

The simple_bind() method now also refuses to transmit a password over a
plain, unencrypted line.

LDAPClient.from_hostname_secure() uses start_tls and FreeIPA's CA cert
by default. The constructor also automatically disables start_tls for
ldaps and ldapi connections.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-02-05 08:39:13 -05:00
Christian Heimes
d5d9233b7c Move realm_to_serverid/ldap_uri to ipaldap
The helper function realm_to_serverid() and realm_to_ldap_uri() are
useful outside the server installation framework. They are now in
ipapython.ipaldap along other helpers for LDAP handling in FreeIPA.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-02-05 08:39:13 -05:00
Stanislav Levin
e3f37960a0
Don't use cross-origin request
'Origin' for IPA login page is 'httpS://xxx'. But 'configured' link
has URL like 'http://xxx/ssbrowser.html'.

Since IPA web server doesn't use any kind of Access-Control-Allow-Origin
rules Mozilla Firefox blocks Cross-Origin request due to the Same Origin
policy violation.

So, just follow the Same Origin policy.

Fixes: https://pagure.io/freeipa/issue/7832
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2019-01-16 08:57:51 +01:00
Christian Heimes
965181362a Fix systemd-user HBAC rule
2ef6e14c5a added an invalid HBAC rule that
encoded the service wrongly.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-01-15 14:29:22 -05:00
Serhii Tsymbaliuk
ef7a903761
Fix "Configured size limit exceeded" warning on Web UI
Suppress size limit warning in 'refresh' command.

Ticket: https://pagure.io/freeipa/issue/7603
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-14 10:16:58 +01:00
Christian Heimes
2ef6e14c5a Create systemd-user HBAC service and rule
authselect changed pam_systemd session from optional to required. When
the HBAC rule allow_all is disabled and replaced with more fine grained
rules, loginsi now to fail, because systemd's user@.service is able to
create a systemd session.

Add systemd-user HBAC service and a HBAC rule that allows systemd-user
to run on all hosts for all users by default. ipa-server-upgrade creates
the service and rule, too. In case the service already exists, no
attempt is made to create the rule. This allows admins to delete the
rule permanently.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-11 16:45:05 +01:00
Christian Heimes
7688808d1f Add index on idnsName
The data structures for the internal DNS server use the attribute idnsName
instead of cn in the DN. It's also used to search for entries when entries
are added, modified, or removed.

The new index speeds up dnsrecord and dnszone related commands as well
as commands like host-add and host-del --updatedns.

Fixes: https://pagure.io/freeipa/issue/7803
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-01-03 12:44:10 +01:00
Christian Heimes
ed436e4b62 Add more LDAP indices
An index is used to optimize an LDAP operation. Without an index, 389-DS
has to perform a partial or even full table scan. A full database scan can
easily take 10 seconds or more in a large installation.

* automountMapKey: eq, pres (was: eq)
* autoMountMapName: eq
* ipaConfigString: eq
* ipaEnabledFlag: eq
* ipaKrbAuthzData: eq, sub
* accessRuleType: eq
* hostCategory: eq

automountMapKey and autoMountMapName filters are used for automount.

Installation and service discovery (CA, KRA) use ipaConfigString to find
active services and CA renewal master.

SSSD filters with ipaEnabledFlag, accessRuleType, and hostCategory to
find and cache HBAC rules for each host.

ipaKrbAuthzData is used by ipa host-del. The framework performs a
'*arg*' query, therefore a sub index is required, too.

Partly fixes: https://pagure.io/freeipa/issue/7786
Fixes: https://pagure.io/freeipa/issue/7787
Fixes: https://pagure.io/freeipa/issue/7790
Fixes: https://pagure.io/freeipa/issue/7792
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-13 17:04:00 +01:00
Christian Heimes
39eaf2fab5 Add index and container for RFC 2307 IP services
IPA doesn't officially support RFC 2307 IP services. However SSSD has a
nsswitch plugin to provide service lookups. The subtree search for
(&(ipserviceport=$PORT)(ipserviceprotocol=$SRV)(objectclass=ipservice)) in
cn=accounts,$SUFFIX has caused performance issues on large
installations.

This patch introduced a dedicated container
cn=ipservices,cn=accounts,$SUFFIX for IP services for future use or 3rd
party extensions. SSSD will be change its search base in an upcoming
release, too.

A new ipServicePort index is added to optimize searches for an IP
service by port. There is no index on ipServiceProtocol because the index
would have poor selectivity. An ipService entry has either 'tcp' or 'udp'
as protocol.

Fixes: https://pagure.io/freeipa/issue/7797
See: https://pagure.io/freeipa/issue/7786
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 12:16:00 +01:00
Christian Heimes
bb4b558164 Address misc pylint issues in CLI scripts
The CLI script files have additional pylint issues that were not noticed
before. The violations include using dict.keys() without directly
iterating of the result, inconsistent return statements and set([])
instead of set literals.

* dict-keys-not-iterating
* inconsistent-return-statements
* onsider-using-set-comprehensio

See: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2018-11-26 16:54:43 +01:00
François Cami
dd0490e1d8 Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.
Fixes: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-21 15:41:00 +01:00
Christian Heimes
8decef33d3 Unify and simplify LDAP service discovery
Move LDAP service discovery and service definitions from
ipaserver.install to ipaserver. Simplify and unify different
implementations in favor of a single implementation.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-21 08:57:08 +01:00
sudharsanomprakash
0c0a392dd0 Don't use deprecated Apache Access options.
httpd-2.4+ has deprecated the Order, Allow and Deny directives. Use the Require directive instead.

Signed-off-by: Sudharsan Omprakash <sudharsan.omprakash@yahoo.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-15 17:52:10 -05:00
Christian Heimes
85286beb5b Address inconsistent-return-statements
Pylint warns about inconsistent return statements when some paths of a
function return None implicitly. Make all implicit returns either
explicit or raise a proper exception.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 13:37:58 +01:00
William Brown
f7511edbfb Support the 1.4.x python installer tools in 389-ds
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-13 12:07:27 +01:00
Rob Crittenden
35d1d345c1 Add support for multiple certificates/formats to ipa-cacert-manage
Only a single cert in DER or PEM format would be loaded from the
provided file. Extend this to include PKCS#7 format and load all
certificates found in the file.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

https://pagure.io/freeipa/issue/7579

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-11-13 10:44:14 +01:00
François Cami
044ffe0dd0 Add sysadm_r to default SELinux user map order
It is a standard SELinux user role included in RHEL (like
user_r, staff_r, guest_r) and used quite often.

Fixes: https://pagure.io/freeipa/issue/7658
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-09 17:16:19 -05:00
Serhii Tsymbaliuk
33a74fb2c4
UI tests for "Automember": check setting default user/host group
https://pagure.io/freeipa/issue/7721

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-30 16:26:29 +01:00
Rob Crittenden
2fba5acc52 Handle NTP configuration in a replica server installation
There were two separate issues:

1. If not enrolling on a pre-configured client then the ntp-server and
   ntp-pool options are not being passed down to the client installer
   invocation.
2. If the client is already enrolled then the ntp options are ignored
   altogether.

In the first case simply pass down the options to the client
installer invocation.

If the client is pre-enrolled and NTP options are provided then
raise an exception.

https://pagure.io/freeipa/issue/7723

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-10-19 11:53:32 -04:00
Christian Heimes
15d5e44ee8 Py3: Replace six.moves imports
Replace six.moves and six.StringIO/BytesIO imports with cannonical
Python 3 packages.

Note: six.moves.input behaves differently than builtin input function.
Therefore I left six.moves.input for now.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-10-05 12:06:19 +02:00
Stanislav Levin
0f30fd8345 Add title to 'add' dialog for 'association_table' widget of Topology entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
29ca7bf308 Add title to 'add' dialog for 'association_table' widget of Vaults entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
073eac085a Add title to 'add' dialog for 'association_table' widget of Certificates entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
0e1accdab4 Add title to 'add' dialog for 'association_table' widget of SELinux User Maps entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
2ea8f088ba Add title to 'add' dialog for 'association_table' widget of Sudo entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
1ccafd4870 Add title to 'add' dialog for 'association_table' widget of HBAC entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
c14ef57307 Add title to 'add' dialog for 'association_table' widget of Groups entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
20688f0fa7 Add title to 'add' dialog for 'association_table' widget of Services entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
3c81e170f9 Add title to 'add' dialog for 'association_table' widget of Hosts entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
171c6a01d8 Drop concatenated title of add dialog for association_table widget
As for now the default title of add dialogs, which are
initialized from 'association_table' widget, is set to something
like 'Add ${other_entity} into ${entity} ${primary_key}',
where 'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'create_add_dialog' of
'association_table' widget for the all 'Add' actions within
details of entities.

Such concatenation leads to a bad quality translation and
should be changed to an entire sentence.

From now a mentioned title is taken from a spec and should be
specified explicitly.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
b3ac230418 Add title to 'add' dialog for details of 'RBAC' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
958b105761 Add title to 'add' dialog for details of 'OTP Tokens' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
35b1b65a54 Add title to 'add' dialog for details of 'Sudo' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
30094d8212 Add title to 'add' dialog for details of 'HBAC' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
01eba53c80 Add title to 'add' dialog for details of 'ID Views' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
9e4de506cb Add title to 'add' dialog for details of 'Groups' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
ac52facac2 Add title to 'add' dialog for details of 'Services' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
dc9e5c57d5 Add title to 'add' dialog for details of 'Hosts' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
d588d3e9e4 Add title to 'add' dialog for details of 'Users' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
dda488efc2 Add title to 'add' dialog for details of 'Certificate' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
a502fa939f Drop concatenated title of 'Add' dialog for details of entity
As for now the 'Add' dialog title, which is initialized within
details of the entity, contains translated concatenated texts,
like:
    'Add ${other_entity} into ${entity} ${primary_key}',
where 'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'show_add_dialog' of
association_facet for the all 'Add' actions within details
of entities.
The concatenation leads to a bad quality translation and
should be changed to an entire sentence.

From now a mentioned title is taken from a spec and should be
specified explicitly.

Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-02 16:37:17 +02:00
Stanislav Levin
e89493e260 Add title to 'add' dialog for 'Topology' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
e3c0c4d752 Add title to 'add' dialog for 'Trusts' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
f349479f5c Add title to 'add' dialog for 'ID Ranges' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
16fed6e97a Add title to 'add' dialog for 'RBAC' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
f3584661b4 Add title to 'add' dialog for 'Vault' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
8dddc003bd Add title to 'add' dialog for 'DNS' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
bafa0d5f4a Add title to 'add' dialog for 'Automount' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
98c290e403 Add title to 'add' dialog for 'Certificate Identity' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
38ea2dae2d Add title to 'add' dialog for 'RADIUS' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
c38aab1045 Add title to 'add' dialog for 'Certificates' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
4bd03e4723 Add title to 'add' dialog for 'Password Policies' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
e506f266ef Add title to 'add' dialog for 'SELinux' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
8655c9beb0 Add title to 'add' dialog for 'Sudo' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
fd732aaafe Add title to 'add' dialog for 'HBAC' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
e363fb3ebc Add title to 'add' dialog for 'Automember' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
bf49664ddd Drop concatenated title of 'add' dialog for 'attribute_table' widget
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
348e813b65 Add title to 'add' dialog for 'ID Views' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
794a51ea93 Add title to 'add' dialog for 'Groups' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
8a834cdaa0 Add title to 'add' dialog for 'Service' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
6881bf8d74 Add title to 'add' dialog for 'Host' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
70cb5ba095 Add title to 'add' dialog for 'OTP' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
c6221a5104 Add title to 'add' dialog for 'Users' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
234c71ca81 Drop concatenated title of 'add' dialog
As for now the default title of 'add' dialog is set to something
like 'Add ${entity}', where 'entity' is also translatable text.
Such construction is used via method 'adder_dialog' of Entity
for the all 'Add' actions.

This leads to a bad quality translation and should be changed to
an entire sentence.

From now a mentioned title is taken from a spec and should be
specified explicitly.

Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-10-01 10:28:14 +02:00
Stanislav Levin
5476547416 Fix javascript 'errors' found by jslint
There are several JavaScript errors, which have come with PRs:
2362, 2371, 2372.

JavaScript code have to follow jsl requires.

Fixes: https://pagure.io/freeipa/issue/7717
Fixes: https://pagure.io/freeipa/issue/7718
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-09-27 16:33:25 +02:00
Christian Heimes
b431e9b684 Py3: Remove subclassing from object
Python 2 had old style and new style classes. Python 3 has only new
style classes. There is no point to subclass from object any more.

See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-09-27 11:49:04 +02:00
Stanislav Levin
6b27c20326 Add title to 'unprovision' dialog
To improve translation quality the title of 'unprovision' dialog
should be specified explicitly in the spec and should be an entire
sentence.

Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-26 13:56:53 +02:00
Stanislav Levin
57e65a5c9f Add title to 'Remove' dialog for 'association_table' widget of 'Vault' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-26 13:56:53 +02:00
Stanislav Levin
6eed677614 Add title to 'Remove' dialog for 'association_table' widget of 'Topology' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-26 13:56:53 +02:00
Stanislav Levin
ea115bf898 Add title to 'Remove' dialog for 'association_table' widget of 'CA' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-26 13:56:53 +02:00
Stanislav Levin
c115efd1e8 Add title to 'Remove' dialog for 'association_table' widget of 'SELinux' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-26 13:56:53 +02:00
Stanislav Levin
c2eebee3b3 Add title to 'Remove' dialog for 'association_table' widget of 'Sudo' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-26 13:56:53 +02:00
Stanislav Levin
1fd6817b6b Add title to 'Remove' dialog for 'association_table' widget of 'HBAC' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-26 13:56:53 +02:00
Stanislav Levin
8657b57a04 Add title to 'Remove' dialog for 'association_table' widget of 'Automember' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-26 13:56:53 +02:00
Stanislav Levin
c2e6e010b9 Allow having a custom title of 'Remove' dialog for 'attribute_table' widget
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-26 13:56:53 +02:00
Stanislav Levin
79aa59205a Add title to 'remove' dialog for 'association_table' widget of 'Groups' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-26 13:56:53 +02:00
Stanislav Levin
0825170a58 Add title to 'remove' dialog for 'association_table' widget of 'Services' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-26 13:56:53 +02:00
Stanislav Levin
4b8509f9cd Add title to 'remove' dialog for 'association_table' widget of 'Hosts' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-26 13:56:53 +02:00
Stanislav Levin
43d9eda919 Drop concatenated title of remove dialog
As for now the default title of remove dialogs, which are
initialized from 'association_table' facet, is set to something
like 'Remove ${other_entity} from ${entity} ${primary_key}',
where 'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'show_remove_dialog'
of 'association_table' widget for the all 'Delete' actions within
details of entities.

Such concatenation leads to a bad quality translation and
should be changed to an entire sentence.

From now a mentioned title is taken from a spec and should be
specified explicitly.

Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-26 13:56:53 +02:00
Stanislav Levin
f658a3d107 Fix loading 'freeipa/text' at production mode
As for now 'ssbrowser.html' and 'unauthorized.html' pages are
loaded without JS error at development mode only.

There is no standalone 'freeipa/text' module as source at
production mode. Thus 'core' one have to be loaded first and
then 'text'.

Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-26 13:50:11 +02:00
Rob Crittenden
4460cc5e9f Fix identifier typo in UI
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-26 13:26:42 +02:00
Alexander Bokovoy
703497532a Support Samba 4.9
Samba 4.9 became a bit more strict about creating a local NT token and a
failure to resolve or create BUILTIN\Guests group will cause a rejection
of the connection for a successfully authenticated one.

Add a default mapping of the nobody group to BUILTIN\Guests.

BUILTIN\Guests is a special group SID that is added to the NT token for
authenticated users.

For real guests there is 'guest account' option in smb.conf which
defaults to 'nobody' user.

This was implicit behavior before as 'guest account = nobody' by
default would pick up 'nobody' group as well.

Fixes: https://pagure.io/freeipa/issue/7705
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-09-26 11:40:19 +02:00
Stanislav Levin
9cbf16a790 Add a title to 'remove' dialog for details of 'Trusts' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-25 15:16:05 +02:00
Stanislav Levin
715944665c Add a title to 'remove' dialog for details of 'RBAC' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-25 15:16:05 +02:00
Stanislav Levin
f741c62f59 Add a title to 'remove' dialog for details of 'OTP Tokens' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-25 15:16:05 +02:00
Stanislav Levin
db6462b826 Add a title to 'remove' dialog for details of 'Sudo' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-25 15:16:05 +02:00
Stanislav Levin
ea0e6a3663 Add a title to 'remove' dialog for details of 'HBAC' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-25 15:16:05 +02:00
Stanislav Levin
6e839f91fa Add a title to 'remove' dialog for details of 'Groups' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-25 15:16:05 +02:00
Stanislav Levin
c4729e1155 Add a title to 'remove' dialog for details of 'Services' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-25 15:16:05 +02:00
Stanislav Levin
d97ff69ed1 Add a title to 'remove' dialog for details of 'Hosts' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-25 15:16:05 +02:00
Stanislav Levin
35fa528cdf Add a title to 'remove' dialog for details of 'Users' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.

Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-25 15:16:05 +02:00
Stanislav Levin
ca68848ea4 Drop concatenated title of remove dialog
As for now the default title of remove dialogs, which are
initialized from 'association' facet, is set to something like
'Remove ${other_entity} from ${entity} ${primary_key}', where
'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'show_remove_dialog'
of 'association' facet for the all 'Delete' actions within details
of entities.

Such concatenation leads to a bad quality translation and
should be changed to an entire sentence.

From now a mentioned title is taken from a spec and should be
specified explicitly.

Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-25 15:16:05 +02:00
Rob Crittenden
e3820682c7 Try to resolve the name passed into the password reader to a file
Rather than comparing the value passed in by Apache to a
hostname value just see if there is a file of that name in
/var/lib/ipa/passwds.

Use realpath to see if path information was passed in as one of
the options so that someone can't try to return random files from
the filesystem.

https://pagure.io/freeipa/issue/7528

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-09-19 11:42:49 -04:00
Stanislav Levin
3e1a4a1d05 Add title to remove dialog of 'Trusts' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
291ea453b8 Add title to remove dialog of 'Topology' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
1f391b7c3c Add title to remove dialog of 'ID Ranges' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
855e138a66 Add title to remove dialog of 'RBAC' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
d5979fb24f Add title to remove dialog of 'DNS' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
a863cec392 Add title to remove dialog of 'Automount Locations' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
dcd9034332 Add title to remove dialog of 'Certificate Identity Mapping Rules' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
36bfd1f802 Add title to remove dialog of 'RADIUS Servers' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
93eebdb581 Add title to remove dialog of 'OTP Tokens' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
dfd22e7497 Add title to remove dialog of 'Certificates' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
8d13d4efca Add title to remove dialog of 'Password Policies' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
772e096de0 Add title to remove dialog of 'SELinux User Maps' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
b5073e9670 Add title to remove dialog of 'Sudo' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
460186806b Add title to remove dialog of 'HBAC' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
2d9cdd924d Add title to remove dialog of 'Automember' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
d23376f54f Add title to remove dialog of 'ID Views' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
d06f4984be Add title to remove dialog of 'Groups' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
3c26a3b850 Add title to remove dialog of 'Services' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
3921210d46 Add title to remove dialog of 'Hosts' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
5eea5354ca Add title to remove dialog of 'Users' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Stanislav Levin
09750589f5 Drop concatenated title of remove dialog
As for now the default title of remove dialogs is set to
'Remove ${entity}', where 'entity' is also translatable text.
This construction is used via method 'create_remove_dialog'
of Search facet for the all association 'Delete' actions of
entities.

The such concatenation leads to a bad quality translation and
should be changed to an entire sentence.

From now a mentioned title is taken from a spec and should be
specified explicitly.

Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-18 13:51:51 +02:00
Thomas Woerner
418da605c9 Remove DL0 specific code from ipa-ca-install
Replica files are DL0 specific therefore all the code that is related to
replica files have been removed. An additional check for the new minimal
domain level has been added.

See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-09-12 13:11:21 +02:00
Thomas Woerner
167791f370 Remove ipa-replica-prepare script and man page
This is part of the DL0 code removal. As ipa-replica-prepare is only needed
and useful for domain level 0, the script can be removed.

See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-09-12 13:11:21 +02:00
Stanislav Levin
5c32ac3e59 Add "bounce" logic from "reset_password.js"
This should add support for https://pagure.io/freeipa/issue/4440

Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-12 12:41:19 +02:00
Stanislav Levin
d5c0bae9f4 Fix translations of messages in LoginScreen widget
To be translatable messages should be marked with '@i18n' and
present in "i18n_messages" dictionary.

Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-12 12:41:19 +02:00
Stanislav Levin
30bcad4ce3 Clean up reset_password.js file from project
reset_password.js is no longer needed as it's functionality is moved
to "login" plugin.

Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-12 12:41:19 +02:00
Stanislav Levin
3a43bf886b Use "login" plugin instead of standalone JS file
Plugin "login" already has the same functionality as a JS code in
separated javascript file. There is no need to duplicate it.

Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-12 12:41:19 +02:00
Stanislav Levin
4da736e7bc Add "reset_and_login" view to LoginScreen widget
Previous "reset" view is splitted to "reset" and "reset_and_login"
ones. "reset" is used to render "just reset password" logic. And
"reset_and_login" - "reset password and then log in".

Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-12 12:41:19 +02:00
Stanislav Levin
0ed3dfb44c Replace the direct URL with config's one
To be customizable URL should be placed to "config"

Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-12 12:41:19 +02:00
Stanislav Levin
c66cdf0b60 Fix translation of "ssbrowser.html" Web page
Make this page message translatable as other parts of IPA framework.

Fixes: https://pagure.io/freeipa/issue/7640
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-12 10:44:37 +02:00
Stanislav Levin
6f386f2e24 Fix translation of "unauthorized.html" Web page
Make this page message translatable as other parts of IPA framework.

Fixes: https://pagure.io/freeipa/issue/7640
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-12 10:44:37 +02:00
Stanislav Levin
1857dc9db0 Fix render validation items on keypress event at login form
There are many no needed render callings which are performed
on each keypress event at login form. It is enough to update
validation items on "CapsLock" state change.

Fixes: https://pagure.io/freeipa/issue/7679
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-09-06 08:22:57 +02:00
Stanislav Levin
0dcce426a4 Reindex 'key_indicies' after item delete
The "keys.splice(i, 1)" removes one item at the specified position
from an array. Thus hashes which are stored at "that._key_indicies"
are no longer valid and should be reindexed.

Fixes: https://pagure.io/freeipa/issue/7678
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-08-28 10:17:26 +02:00
Stanislav Levin
c3f23da49d Fix "get_key_index" to fit caller's expectations
The clients of "get_key_index" expect index of key in matching case
otherwise -1. But instead of this function returns the "undefined"
value.

Fixes: https://pagure.io/freeipa/issue/7678
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-08-28 10:17:26 +02:00
Petr Vobornik
28f4e0e0ec webui: redable color of invalid fields on login-screen-like pages
Pages with widgets like LoginScreen, MigrateScreen use login-pf styling.
This page has dark background instead of light. Thus styling for labels
for fields with error has color which makes the label hard to read or
almost invisible.

Change it to white so it is still readable.

Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@localhost.localdomain>
2018-08-27 17:10:32 +02:00