Commit Graph

4913 Commits

Author SHA1 Message Date
Rob Crittenden
1584807e02 Add subject key identifier to the dogtag server cert profile.
This will add it on upgrades too and any new certs issued will have
a subject key identifier set.

If the user has customized the profile themselves then this won't be
applied.

https://fedorahosted.org/freeipa/ticket/2446
2012-03-15 09:55:03 +01:00
Petr Vobornik
d082b64b7b Certificate serial number in hex format - ui testing data
Updated UI static content to contain value and label for certificate serial_number_hex.

https://fedorahosted.org/freeipa/ticket/1991
2012-03-14 04:40:35 -04:00
Rob Crittenden
d4a80dbe52 Display serial number as HEX (DECIMAL) when showing certificates.
https://fedorahosted.org/freeipa/ticket/1991
2012-03-14 04:40:35 -04:00
Petr Viktorin
e9d68a7b00 Don't crash when searching with empty relationship options
Empty sequences (and sequences of empty strings) are normalized
to None, but the member filter code expected a list.
This patch extends a test for missing options to also catch
false values.
The functional change is from `if param_name in options:` to
`if options.get(param_name):`; the rest of the patch is code
de-duplication and tests.

These are CSV params with csv_skipspace set, so on the CLI, empty
set is given as a string with just spaces and commas (including
the empty string).

https://fedorahosted.org/freeipa/ticket/2479
2012-03-13 23:28:53 -04:00
Rob Crittenden
17ba58aa4b Don't set dbdir in the connection until after the connection is created.
We were comparing the current connection with itself so were never
going to call nss_shutdown(). dbdir needs to be set after the connection
has been made.

This worked on single server installs because we don't do a ping so
NSS would never be pre-initialized. If multiple servers are available we
call ping() to find one that is up before submitting the request, this is
what would have pre-initialized NSS.

This was tripping up request-cert because it will intialize NSS with no DB
if it hasn't been initialized. We need to initialize it to validate the
CSR.

A non-working client was doing this when calling cert-request:
 - call load_certificate_request()
 - nss.nss_nodb_init()
 - load the CSR
 - create a connection, dbdir=/etc/pki/nssdb
 - the dbdir matches within the same connection, don't call nss_shutdown()
 - connect to remote server
 - fail, untrusted CA because we are still using db from nss_nodb_init.

Instead if we set dbdir afterward then this will properly be shutdown
and NSS re-initialized with correct dbdir.

https://fedorahosted.org/freeipa/ticket/2498
2012-03-13 22:42:12 -04:00
Rob Crittenden
0425d09fac Set SELinux boolean httpd_manage_ipa so ipa_memcached will work.
This is being done in the HTTP instance so we can set both
booleans in one step and save a bit of time (it is still slow).

https://fedorahosted.org/freeipa/ticket/2432
2012-03-13 18:04:34 -04:00
Petr Vobornik
4385816dbb Fixed checkbox value in table without pkey
When a table is displaying a record set without entity's pkey attribute. A checkbox value isn't properly prepared. This patch adds the preparation (converts value to string).

https://fedorahosted.org/freeipa/ticket/2404
2012-03-14 09:08:01 +01:00
Petr Vobornik
6066432f0d Fixed mask validation in network_validator
Network validator allowed invalid mask format:
 * leading zeros: 192.168.0.1/0024
 * trailing chars: 192.168.0.1/24abcd

It was fixed.

https://fedorahosted.org/freeipa/ticket/2493
2012-03-14 09:07:58 +01:00
Martin Kosek
75b3755648 Fix ipa-replica-manage TLS connection error
New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its
ABI and broke our TLS connection in ipa-replica-manage. This makes
it impossible to connect for example to Active Directory to set up
a winsync replication. We always receive a connection error stating
that Peer's certificate is not recognized even though we pass
a correct certificate.

This patch fixes the way we set up TLS. The change is backwards
compatible with older versions of openldap.

https://fedorahosted.org/freeipa/ticket/2500
2012-03-14 08:30:51 +01:00
Rob Crittenden
f5e5bf8f82 Fix nsslapd-anonlimitsdn dn in cn=config
The dn value needs to be quoted otherwise it is interpreted to be a
multi-value.

This will replace whatever value is currently set.

https://fedorahosted.org/freeipa/ticket/2452
2012-03-13 08:34:07 +01:00
Martin Kosek
0cb9882be9 Fix migration plugin compat check
Ticket #2274 implements a check for compat plugin and warns user if
it is enabled. However, there are 2 issues connected with the plugin:
1) The check is performed against the remote (migrated) LDAP server
   and not the local LDAP server, which does not make much sense
2) When the compat plugin is missing in cn=plugins,cn=config, it
   raises an error and thus breaks the migration
This patch fixes both issues.

https://fedorahosted.org/freeipa/ticket/2508
2012-03-11 23:50:06 -04:00
Rob Crittenden
8b2090fae6 Set minimum version of selinux-policy to pick up memcached fix
This package version adds a boolean, httpd_manage_ipa, that enables
the ipa_memcached service to work.

https://fedorahosted.org/freeipa/ticket/2433
2012-03-11 22:36:44 -04:00
Martin Kosek
c956b3cd2b Refresh resolvers after DNS install
Server framework calls acutil.res_send() to send DNS queries used
for various DNS tests. However, once acutil is imported it does
not change its list of configured resolvers even when
/etc/resolv.conf is changed. This may lead to unexpected
resolution issues.

We should at least reload httpd when we change /etc/resolv.conf to
point to FreeIPA nameserver to force a new import of acutil and
thus workaround this bug until it is resolved in authconfig.

https://fedorahosted.org/freeipa/ticket/2481
2012-03-11 22:11:41 -04:00
Petr Viktorin
79d4a34cc9 Mark most config options as required
IPA assumes most config options are present, but allowed the user
to delete them. This patch marks them as required.

https://fedorahosted.org/freeipa/ticket/2159
2012-03-12 17:16:57 +01:00
Petr Viktorin
7cfc16ca58 Enforce that required attributes can't be set to None in CRUD Update
The `required` parameter attribute didn't distinguish between cases
where the parameter is not given and all, and where the parameter is
given but empty. The case of updating a required attribute couldn't
be validated properly, because when it is given but empty, validators
don't run.
This patch introduces a new flag, 'nonempty', that specifies the
parameter can be missing (if not required), but it can't be None.
This flag gets added automatically to required parameters in CRUD
Update.
2012-03-12 17:16:14 +01:00
Petr Viktorin
1dc11a01d7 Allow removing sudo commands with special characters from command groups
Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.

https://fedorahosted.org/freeipa/ticket/2483
2012-03-12 16:02:29 +01:00
Ondrej Hamada
71d134dfa0 More exception handlers in ipa-client-install
Added exception handler to certutil operation of adding CA to the
default NSS database. If operation fails, installation is aborted and
changes are rolled back.

https://fedorahosted.org/freeipa/ticket/2415

If obtaining host TGT fails, the installation is aborted and changes are
rolled back.

https://fedorahosted.org/freeipa/ticket/1995
2012-03-09 15:48:27 +01:00
Martin Kosek
480e1a098a Ignore case in yes/no prompts
We did not accept answers like "Yes", "YES", "No", etc. as valid
answers to yes/no prompts (used for example in dnsrecord-del
interactive mode). This could confuse users. This patch changes
the behavior to ignore the answer case.

https://fedorahosted.org/freeipa/ticket/2484
2012-03-07 18:53:01 +01:00
Rob Crittenden
536bcd2666 Fix NSS no_init in the NSSHTTPS class 2012-03-04 20:03:21 -05:00
Rob Crittenden
10478ac8a1 Only warn if ipa-getkeytab doesn't get all requested enctypes.
Older client machines may request DES keys not supported in newer
KDCs. Thsi was causing the entire request to fail as well as client
enrollment.

https://fedorahosted.org/freeipa/ticket/2424
2012-03-04 17:42:18 -05:00
Rob Crittenden
55f89dc689 Do kinit in client before connecting to backend
The client installer was failing because a backend connection could be
created before a kinit was done.

Allow multiple simultaneous connections. This could fail with an NSS
shutdown error when the second connection was created (objects still
in use). If all connections currently use the same database then there
is no need to initialize, let it be skipped.

Add additional logging to client installer.

https://fedorahosted.org/freeipa/ticket/2478
2012-03-04 17:23:01 -05:00
Rob Crittenden
356823d270 Add --noac option to ipa-client-install man page
https://fedorahosted.org/freeipa/ticket/2369
2012-03-04 17:17:01 -05:00
Ondrej Hamada
111ca8a482 ipa-client-install not calling authconfig
Option '--noac' was added. If set, the ipa-client-install will not call
authconfig for setting nsswitch.conf and PAM configuration.

https://fedorahosted.org/freeipa/ticket/2369
2012-03-05 09:46:14 -05:00
Rob Crittenden
763265f28e Fix API.txt and VERSION to reflect new sudoOrder option. 2012-03-01 22:24:26 -05:00
Martin Kosek
1d09cdf634 Improve dnsrecord interactive help
Add 2 new features to DNS record interactive help to increase its
usability and also make its behavior more consistent with standard
parameter interactive help:

1) Ask for missing DNS parts
When a required part of a newly added DNS record was missing, we
just returned a ValidationError. Now, the interactive help rather
asks for all missing required parts of all DNS records that were
being added by its parts.

2) Let user amend invalid part
When an interactive help asked for a DNS record part value and
user enters an invalid value, the entire interactive help exits
with an error. This may upset a user if he already entered several
correct DNS record part values. Now, the help rather tells user
what's wrong and give him an opportunity to amend the value.

https://fedorahosted.org/freeipa/ticket/2386
2012-03-01 22:12:25 -05:00
Martin Kosek
640dee7caa Add help for new structured DNS framework
DNS Test Day shown that the new RR specific DNS options and the
concepts behind them may not be easily understood. This patch adds
an explanation of the new DNS framework for structured options
to make it easier for the user to understand and use the new
options.

https://fedorahosted.org/freeipa/ticket/2382
2012-03-01 21:58:51 -05:00
Rob Crittenden
8fdb181c7a Make hostnames adhere to new standards in hbactest plugin tests 2012-03-01 21:53:29 -05:00
Martin Kosek
eeee8e1c6e Fix encoding for setattr/addattr/delattr
Attribute values passed by --{set,add,del}attr parameters were
normalized and validated using appropriate parameter, but were
never encoded for the backend. This make prevents manipulation
with dirsvr BOOL attributes where framework tries to pass
boolean value instead of encoded "TRUE"/"FALSE" values.

https://fedorahosted.org/freeipa/ticket/2418
2012-03-01 21:50:52 -05:00
Rob Crittenden
d55d8bfa7e Add support for sudoOrder
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.

The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.

https://fedorahosted.org/freeipa/ticket/1314
2012-03-01 21:02:33 -05:00
Petr Vobornik
31eebda584 Removed CSV creation from UI
Creating CSV values in UI is unnecessary and error-prone because server converts them back to list. Possible problems with values containing commas may occur.  All occurrences of CSV joining were therefore removed.

https://fedorahosted.org/freeipa/ticket/2227
2012-03-02 11:45:21 -06:00
Jan Cholasta
afad0775e1 Configure SSH features of SSSD in ipa-client-install.
OpenSSH server (sshd) is configured to fetch user authorized keys from
SSSD and OpenSSH client (ssh) is configured to use and trigger updates
of the SSSD-managed known hosts file.

This requires SSSD 1.8.0.
2012-03-01 18:42:56 -05:00
Petr Viktorin
be14c6609b Use reboot from /sbin
According to FHS, the reboot command should live in /sbin.
Systems may also have a symlink in /usr/bin, but they don't have to.

https://fedorahosted.org/freeipa/ticket/2480
2012-03-02 16:53:47 +01:00
Martin Kosek
b7d092a0f4 Remove memberPrincipal for deleted replicas
When a replica is deleted, its memberPrincipal entries in
cn=s4u2proxy,cn=etc,SUFFIX were not removed. Then, if the replica
is reinstalled and connected again, the installer would report
an error with duplicate value in LDAP.

This patch extends replica cleanup procedure to remove replica
principal from s4u2proxy configuration.

https://fedorahosted.org/freeipa/ticket/2451
2012-03-02 16:45:35 +01:00
Rob Crittenden
d5c9f7bcaa Add status command to retrieve user lockout status
This information is not replicated so pull from all IPA masters
and display the status across all servers.

https://fedorahosted.org/freeipa/ticket/2162
2012-03-02 16:28:54 +01:00
Martin Kosek
1cc761353b Fix typos in ipa-replica-manage man page
Based on contribution by Brian Harrington.

https://fedorahosted.org/freeipa/ticket/2428
2012-03-02 14:38:45 +01:00
Petr Vobornik
c643197b19 Improved usability of login dialog
Usability was imporved in Unauthorized/Login dialog.

When the dialog is opened a link which switches to login form is focus so user can do following:

1) press enter (login form is displayed and username field is focused )
2) type username
3) press tab
4) type password
5) press enter

this sequence will execute login request.

When filling form user can also press 'escape' to go back to previous form state. It's the same as if he would click on the 'back' button.

https://fedorahosted.org/freeipa/ticket/2450
2012-03-02 11:05:16 +01:00
Petr Voborník
368c624a74 Forms based authentication UI
Support for forms based authentication was added to UI.

It consist of:

1) new login page
Page url is [ipa server]/ipa/ui/login.html

Page contains a login form. For authentication it sends ajax request at [ipa server]/session/json/login_password. If authentication is successfull page is redirected to [ipa server]/ipa/ui if it fails from whatever reason a message is shown.

2) new enhanced error dialog - authorization_dialog.

This dialog is displayed when user is not authorized to perform action - usually when ticket and session expires.
It is a standard error dialog which shows kerberos ticket related error message and newly offers (as a link) to use form based authentication. If user click on the link, the dialog content and buttons switch to login dialog which has same functionality as 'new login page'. User is able to return back to the error message by clicking on a back button.

login.html uses same css styles as migration page -> ipa-migration.css was merged into ipa.css.

https://fedorahosted.org/freeipa/ticket/2450
2012-03-02 11:04:33 +01:00
Rob Crittenden
95b85f6384 Fix WSGI error handling
A number of different errors could occur when trying to handle an
error which just confused matters.

If no CCache was received then trying to retrieve context.principal
in the error message caused yet another exception to be raised.

Trying to get Command[name] if name wasn't defined in command would
raise an exception.

Trying to raise errors.CCache was failing because the response hadn't
been started.

https://fedorahosted.org/freeipa/ticket/2371
2012-03-02 10:59:31 +01:00
Rob Crittenden
6c3e908232 Make hostnames adhere to new standards in HBAC tests 2012-03-01 05:16:59 -05:00
Simo Sorce
03fc5c3d73 Fix ticket checks when using either s4u2proxy or a delegated krbtgt
When using s4u2proxy the only ticket we can access via direct krb5 calls is
the HTTP/ ticket which was saved in the ccache as evidence ticket.
This ticket is later used by GSSAPI as evidence to obtain an ldap ticket.

This works by chance, we shouldn't use calls to get_credentials just to
verify ticket expiration dates, but I realize this is a limitation of the
current krbV bindings and we have no other way around at the moment.

Checking the HTTP/ ticket will fail in case a krbtgt is fully delegated to
us. In that case the ccache will contain only a krbtgt, so as a fallback
we check that.

Checking the ldap/ ticket is never really useful. When s4u2proxy is used,
trying to check the ldap/ ticket will fail because we do not have it yet
on the first authentication before a session is estalished, and doing it
later is not useful.

When we have a krbtgt we could go and grap a ldap/ ticket directy, but
again that makes little sense. In general all tickets will have the same
expiration date (which deopends on the original krbtgt) so checking one
is sufficient.

Fixes: http://fedorahosted.org/freeipa/ticket/2472
2012-03-01 00:56:01 -05:00
Martin Kosek
61af2c9b1e Improve hostname verification in install tools
Our install tools like ipa-server-install, ipa-replica-{prepare,
install} may allow hostnames that do not match the requirements
in ipalib. This creates a disconnect and may cause issues when
user cannot delete hostnames created by install tools.

This patch makes sure that ipalib requirements are applied to
install tools hostnames as well.

https://fedorahosted.org/freeipa/ticket/2089
2012-02-29 21:26:53 -05:00
Rob Crittenden
5e01ed1325 subclass HTTP_Status from plugable.Plugin, fix not_found tests
HTTP_Status needs to subclass from Plugin because it does its own logging.

Add tests for other methods of HTTP_Status
2012-02-29 21:04:10 -05:00
Ondrej Hamada
73249140fc Migration warning when compat enabled
Added check into migration plugin to warn user when compat is enabled.
If compat is enabled, the migration fails and user is warned that he
must turn the compat off or run the script with (the newly introduced)
option '--with-compat'.

'--with-compat' is new flag. If it is set, the compat status is ignored.

https://fedorahosted.org/freeipa/ticket/2274
2012-02-29 18:30:03 -05:00
Rob Crittenden
0099ccbea8 Only apply validation rules when adding and updating.
There may be cases, for whatever reason, that an otherwise illegal
entry gets created that doesn't match the criteria for a valid
user/host/group name. If this happens (i.e. migration) there is no way
to remove this using the IPA tools because we always applied the name
pattern. So you can't, for example, delete a user with an illegal name.

Primary keys are cloned with query=True in PKQuery which causes no
rules to be applied on mod/show/find. This reverts a change from commit
3a5e26a0 which applies class rules when query=True (for enforcing no
white space).

Replace rdnattr with rdn_is_primary_key. This was meant to tell us when
an RDN change was necessary to do a rename. There could be a disconnect
where the rdnattr wasn't the primary key and in that case we don't
need to do an RDN change, so use a boolean instead so that it is
clear that RDN == primary key.

Add a test to ensure that nowhitespace is actually enforced.

https://fedorahosted.org/freeipa/ticket/2115

Related: https://fedorahosted.org/freeipa/ticket/2089

Whitespace tickets:
https://fedorahosted.org/freeipa/ticket/1285
https://fedorahosted.org/freeipa/ticket/1286
https://fedorahosted.org/freeipa/ticket/1287
2012-02-29 18:00:45 -05:00
Petr Voborník
87901ed709 Added logout button
Logout button was added to Web UI.

Click on logout button executes session_logout command. If command succeeds or xhr stutus is 401 (unauthorized - already logged out) page is redirected to logout.html.

logout.html is a simple page with "You have been logged out" text and a link to return back to main page.

https://fedorahosted.org/freeipa/ticket/2363
2012-02-28 23:58:51 -05:00
Rob Crittenden
a5a55ceff3 Don't delete system users that are added during installation.
We don't want to run the risk of adding a user, uninstalling it,
the system adding a new user (for another package install for example)
and then re-installing IPA. This wreaks havoc with file and directory
ownership.

https://fedorahosted.org/freeipa/ticket/2423
2012-02-29 22:36:13 +01:00
Petr Vobornik
610420bd2a Fixed content type check in login_password
login_password is expecting that request content_type will be 'application/x-www-form-urlencoded'.

Current check is an equality check of content_type http header.

RFC 3875 defines that content type can contain parameters separated by ';'. For example: when firefox is doing ajax call it sets the request header to 'application/x-www-form-urlencoded; charset=UTF-8' which leads to negative result.

This patch makes the check more benevolent to allow such values.

Patch is a fixup for:
https://fedorahosted.org/freeipa/ticket/2095
2012-02-28 23:25:38 -05:00
John Dennis
3cd0217b30 Log a message when returning non-success HTTP result
The routines used to return a non-success HTTP result from
WSGI failed to log the aberrant event, this corrects that omission.
2012-02-28 23:15:41 -05:00
Martin Kosek
fab033b949 Improve FQDN handling in DNS and host plugins
DNS and host plugin does not work well with domain names ending
with dot. host plugin creates a record with two fqdn attributes
when such hostname is created which then has to be manually fixed.
DNS plugin handled zones with and without trailing dot as two
distinct zones, which may lead to issues when both zones are
created.

This patch sanitizes approach to FQDNs in both DNS and host plugin.
Hostnames are now always normalized to the form without trailing
dot as this form did not work before and it would keep hostname
form consistent without changes in our server/client enrollment
process.

As DNS zones always worked in both forms this patch rather makes
sure that the plugin works with both forms of one zone and prevents
creating 2 identical zones with just different format.

https://fedorahosted.org/freeipa/ticket/2420
2012-02-29 19:06:18 +01:00
Martin Kosek
7db1da1d65 Improve hostname and domain name validation
DNS plugin did not check DNS zone and DNS record validity and
user was thus able to create domains like "foo bar" or other
invalid DNS labels which would really confuse both user and
bind-dyndb-ldap plugin.

This patch at first consolidates hostname/domain name validators
so that they use common functions and we don't have regular
expressions and other checks defined in several places. These
new cleaned validators are then used for zone/record name
validation.

https://fedorahosted.org/freeipa/ticket/2384
2012-02-29 18:52:58 +01:00