When idrange-add is called with --dom-name=, the CLI exits with
ipa: ERROR: an internal error has occurred
This happens because the code checks if the option is provided but does not
check if the value is None.
We need to handle empty dom-name as if the option was not specified.
https://pagure.io/freeipa/issue/6404
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
If both the pki-tomcat NSS database and its password.conf have been
created, don't try to override the password.conf file.
https://pagure.io/freeipa/issue/6839
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The NSS database at /etc/httpd/alias is not properly initialized and backed
up in CA-less replica promotion. This might cause the install to fail after
previous install and uninstall.
Make sure the NSS database is initialized and backed up even in CA-less
replica promotion to fix the issue.
https://pagure.io/freeipa/issue/4639
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
During CA-less installation, we initialize the HTTPD alias
database from a pkcs12 file. This means there's going to
be different nicknames to the added certificates. Store
the CA certificate nickname in HTTPInstance__setup_ssl()
to be able to correctly export it later.
https://pagure.io/freeipa/issue/6806
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
To create a wheel bundle with ipaserver and its dependencies:
make wheel_bundle IPA_SERVER_WHEELS=1
To include additional dependencies:
make wheel_bundle IPA_EXTRA_WHEELS=ipatests[webui]
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipaserver did not have extra_requires to state additional dependencies.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The pyhbac module is part of SSSD. It's not available as stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tight into SSSD.
Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditionally. It's only necessary for caacl and
hbactest plugins.
I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.
This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
- Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
There was a redundant check for CA-less install certificate files
for replicas but the same check is done for all installers before
that.
https://pagure.io/freeipa/issue/6801
Reviewed-By: Martin Basti <mbasti@redhat.com>
pkinit is not supported on DL0, remove options that allow to set it
from ipa-{server,replica}-install.
https://pagure.io/freeipa/issue/6801
Reviewed-By: Martin Basti <mbasti@redhat.com>
Without this patch, if either of dirsrv_cert_files, http_cert_files
or pkinit_cert_files is set along with no-pkinit, the user is first
requested to add the remaining options and when they do that,
they are told that they are using 'no-pkinit' along with
'pkinit-cert-file'.
https://pagure.io/freeipa/issue/6801
Reviewed-By: Martin Basti <mbasti@redhat.com>
Since krbinstance code can now handle all operations of the
`enabled_anonymous_principal` function from upgrade we can remove
extraneous function altogether.
https://pagure.io/freeipa/issue/6799
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The anonymous principal will now be checked for presence and created on
both server and replica install. This fixes errors caused during replica
installation against older master that do not have anonymous principal
present.
https://pagure.io/freeipa/issue/6799
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Currently when trying to erase the ipaDomainResolutionOrder attribute we
hit an internal error as the split() method is called on a None object.
By returning early in case of empty string we now allow removing the
ipaDomainResolutionOrder attribute by both calling delattr or setting
its value to an empty string.
https://pagure.io/freeipa/issue/6825
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
FreeIPA's `ipasam` module to Samba uses gethostname() call to identify
own server's host name. This value is then used in multiple places,
including construction of cifs/host.name principal. `ipasam` module
always uses GSSAPI authentication when talking to LDAP, so Kerberos
keys must be available in the /etc/samba/samba.keytab. However, if
the principal was created using non-FQDN name but system reports
FQDN name, `ipasam` will fail to acquire Kerberos credentials.
Same with FQDN principal and non-FQDN hostname.
Also host name and principal name must have the same case.
Report an error when configuring ADTrust instance with inconsistent
runtime hostname and configuration. This prevents errors like this:
[20/21]: starting CIFS services
ipa : CRITICAL CIFS services failed to start
where samba logs have this:
[2017/03/20 06:34:27.385307, 0] ipa_sam.c:4193(bind_callback_cleanup)
kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatrust@EXAMPLE.COM
[2017/03/20 06:34:27.385476, 1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
Connection to LDAP server failed for the 16 try!
Fixes https://pagure.io/freeipa/issue/6786
Reviewed-By: Martin Basti <mbasti@redhat.com>
This allows for more flexibility in the whole PKINIT setup process.
https://pagure.io/freeipa/issue/6792
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
In order to set up PKINIT, the anonymous principal must already be
created, otherwise the upgrade with fail when trying out anonymous
PKINIT. Switch the order of steps so that this issue does not occur.
https://pagure.io/freeipa/issue/6792
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Server installation failed when attmpting to disable module 'Root Certs' and
the module was not available in HTTP_ALIAS_DIR. When the module is not
available there's no need to disable it and the error may be treated as
success.
https://pagure.io/freeipa/issue/6803
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Dogtag is currently unable to generate a PIN it could use for
an NSS database creation in FIPS. Generate it for them so that
we don't fail.
https://pagure.io/freeipa/issue/6824
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
default setting for IPA's config file. The new file also makes it
simpler to run IPA's custodia instance with its own SELinux context.
* ipapython no longer depends on custodia
The patch addresses three issues:
* https://bugzilla.redhat.com/show_bug.cgi?id=1430247
Forward compatibility with Custodia 0.3 in Fedora rawhide
* https://pagure.io/freeipa/issue/5825
Use sd-notify
* https://pagure.io/freeipa/issue/6788
Prepare for separate SELinux context
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
__call__ didn't return causing internal error in wsgi application. Previously
this bug was hidden by some other error and the code worked even though it
shouldn't.
https://pagure.io/freeipa/issue/6819
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Since commit 38c6689 temporary directories are no longer created at package
install time. Instead they're created at server install time.
Some steps in uninstall also assume that temporary direcories exist. Creating
the directories in the begining of server uninstall ensure that the uninstall
will go through.
https://pagure.io/freeipa/issue/6715
Reviewed-By: Martin Basti <mbasti@redhat.com>
The recent changes allow the sudorule objects to be renamed.
https://pagure.io/freeipa/issue/2466
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The recent changes allow HBAC rule objects to be renamed.
https://pagure.io/freeipa/issue/6784
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The rename operation on *_mod commands was only allowed when
the primary key of an entry was also its RDN. With these changes,
it should be possible to rename the rest of the entries as well.
An attribute to the base LDAPObject was added to whitelist the
objects we want to allow to be renamed. It replaced an old
attribute rdn_is_primary_key which was used for the very same
purpose but the name was confusing because it was not set
correctly for certain objects.
https://pagure.io/freeipa/issue/2466https://pagure.io/freeipa/issue/6784
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Instead, apply the limits on the combined result.
This fixes (absence of) `--sizelimit` leading to strange behavior, such as
`cert-find --users user` returning a non-empty result only with
`--sizelimit 0`.
https://pagure.io/freeipa/issue/6716
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
After login, method user-find --whoami was called which cannot be
called for AD users. That method was replaced by ipa whoami command
and sequential command according to result of ipa whoami. AD user
can now be logged in.
AD users have new menu definition which contains only list of IPA
users and profile page of AD user - "User ID Override".
This commit also fixes several places where IPA.whoami object was
used, because its structure was also changed. It now contains two
objects. First one is stored in 'metadata' property and stores
result from ipa whoami (type of object, command which should be
called for showing detailed data about currently logged entity, etc).
The second one is stored in 'data' property which stores result of
_show command for currently logged entity.
https://pagure.io/freeipa/issue/3242
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
On backup-restore, the ipa unit file for httpd was not backed up.
This file however contains setting for httpd to communicate with
gssproxy so not backing it up will result in httpd not knowing
how to get credentials.
https://pagure.io/freeipa/issue/6748
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
For external users which are mapped to some DN in LDAP server, we
wouldn't neccesary be able to find a kerberos data in their LDAP entry.
Instead of searching for Kerberos principal use actual DN we are bound
to because for get_effective_rights LDAP control we only need the DN
itself.
Fixes https://pagure.io/freeipa/issue/6797
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Lookup IPA CA subject and pass it to CertDB when creating dscert.p12 and
httpcert.p12, otherwise a generic nickname will be used for the IPA CA
certificate instead of "$REALM IPA CA".
This fixes replica install on domain level 0 from a replica file created
using ipa-replica-install on IPA 4.5.
https://pagure.io/freeipa/issue/6777
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Now, at the domain level 0, the replica install always uses
Directory Manager credentials to create the LDAP connection.
Since ACIs permitting hosts to manage their own services were
added in 4.2 release, the old master denies this operations.
https://pagure.io/freeipa/issue/6549
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias
from backup on uninstall.
Files modified by IPA are kept with .ipasave suffix.
https://pagure.io/freeipa/issue/4639
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create
it explicitly in `DSInstance.__enable_ssl()`.
This stops the file from being created in /etc/httpd/alias during classic
replica install.
https://pagure.io/freeipa/issue/4639
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
************* Module ipaserver.install.ipa_kra_install
ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse')
************* Module ipapython.install.core
ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member)
************* Module ipatests.test_ipapython.test_dn
ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals())
************* Module ipa-ca-install
install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
After PKINIT certificate is requested and everything is set up, we
should attempt to perform anonymous PKINIT and fail hard if it does not
work for some reason.
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This prevents replication-based race conditions to break PKINIT
certificate requests on replica installation.
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Instead of only logging errors when timeout is reached or query for the
entry fails for other reasons, `wait_for_entry` should raise exceptions
so that we can handle them in caller or let them propagate and fail
early.
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This is to ensure that we can request PKINIT certs once all the
following requirements are in place:
* CA is configured or PKCS#12 file is provided
* LDAP, KDC and Apache are configured and the master role is thus
completed and enabled
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
On the first master the framework may not be fully functional to server
certificate requests. It is safer to configure helper that contacts
Dogtag REST API directly.
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The certmonger request handling code during pkinit setup actually never
correctly handled situations when certificate request was rejected by
the CA or CA was unreachable. This led to subtle errors caused by broken
anonymous pkinit (e.g. failing WebUI logins) which are hard to debug.
The code should behave as other service installers, e. g. use
`request_and_wait_for_cert` method which raises hard error when request
times out or is not granted by CA. On master contact Dogtag CA endpoint
directly as is done in DS installation.
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The PKINIT feature is not available on domain level 0 so any
options about pkinit are false.
https://pagure.io/freeipa/issue/6759
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When mod_lookup_identity is unable to match user by certificate (and username)
it unsets http request's user. mod_auth_gssapi is then unable to get Kerberos
ticket and doesn't set KRB5CCNAME environment variable.
x509_login.__call__ now returns 401 in such case to indicate that request was
not authenticated.
https://pagure.io/freeipa/issue/6225
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
the pre-callback in `idview-mod` did not correctly handle non-existent
object during objectclass check. It will now correctly report that the
object was not found instead on generic 'no such entry'.
https://pagure.io/freeipa/issue/6372
Reviewed-By: Martin Basti <mbasti@redhat.com>
