Commit Graph

12828 Commits

Author SHA1 Message Date
Serhii Tsymbaliuk
76437dc86c
Split test_webui_hosts PRCI tests
Web UI test_host is too heavy and causes timeout errors during night runs,
so it is moved to separate configuration.

Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2019-01-29 16:19:02 +01:00
Christian Heimes
6cd37542e6 Optimize cert remove case
The cert_remove and mod subcommands for service and host now pass in the
name to cert_find() to benefit from special cases.

See: https://pagure.io/freeipa/issue/7835
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-29 12:47:15 +01:00
Christian Heimes
ae74d348c3 Add workaround for slow host/service del
host-del and service-del are slow because cert revokation is implemented
inefficiently. The internal cert_find() call retrieves all certificates
from Dogtag.

The workaround special cases service and host find without additional RA
search options. A search for service and host certs limits the scope to
certificate with matching subject common name.

See: https://pagure.io/freeipa/issue/7835
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-29 12:47:15 +01:00
Christian Heimes
2ba969da07 Add workaround for lib389 HOME bug
lib389 <= 1.4.0.20 needs HOME env var. Temporary set env var until
lib389 is fixed.

See: https://pagure.io/389-ds-base/issue/50152
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-29 12:44:19 +01:00
Christian Heimes
19b1eb1f5a Use expanduser instead of HOME env var
The HOME directory may not be available in containers. It's also the
wrong variable on some platforms. Use os.path.expanduser() instead of
HOME.

Fixes: https://pagure.io/freeipa/issue/7837
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-29 12:44:19 +01:00
Florence Blanc-Renaud
a91e645a14 ipatests: add test for replica in forward zone
Scenario:
install a replica with DNS, with the replica part of a forward zone.
The replica installation should proceed successfully and avoid
trying to add a DNS record for the replica in the forward zone,
as the forward zone is not managed by IPA DNS.

Test added to nightly definitions.

Related to https://pagure.io/freeipa/issue/7369

Reviewed-By: Francois Cami <fcami@redhat.com>
2019-01-22 16:38:59 +01:00
Florence Blanc-Renaud
63fa87a36e replica installation: add master record only if in managed zone
Scenario: install a replica with DNS, whose IP address is part of a
forward zone.
Currently, the replica installation fails because the installer is
trying to add a A/AAAA record for the replica in the zone
when setting up the bind instance, and addition of records in a
forward zone is forbidden.

The bind installer should check if the IP address is in a master zone
(i.e. a DNS zone managed by IdM, not a forward zone), and avoid
creating the record if it's not the case.

During uninstallation, perform the same check before removing the
DNS record (if in a forward zone, no need to call dnsrecord-del).
Fixes: https://pagure.io/freeipa/issue/7369
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-01-22 16:38:59 +01:00
Christian Heimes
165a941109
Don't configure KEYRING ccache in containers
Kernel keyrings are not namespaced yet. Keyrings can leak into other
containers. Therefore keyrings should not be used in containerized
environment.

Don't configure Kerberos to use KEYRING ccache backen when a container
environment is detected by systemd-detect-virt --container.

Fixes: https://pagure.io/freeipa/issue/7807
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-01-18 11:33:11 +01:00
Sergey Orlov
49cc72d5c9 Remove unused tests
Two tests in test_intgration/test_authselect.py were marked as
skipped in c5cdd5a5f0 due to removing of --no-sssd and --no-ac options.
Tests are not needed any more.

Fixes: https://pagure.io/freeipa/issue/7841
Signed-off-by: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-01-17 14:36:27 +01:00
Christian Heimes
256f2982ac Mark failing NTP test as expected failure
See: https://pagure.io/freeipa/issue/7719
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-01-17 14:29:34 +01:00
Stanislav Levin
e3f37960a0
Don't use cross-origin request
'Origin' for IPA login page is 'httpS://xxx'. But 'configured' link
has URL like 'http://xxx/ssbrowser.html'.

Since IPA web server doesn't use any kind of Access-Control-Allow-Origin
rules Mozilla Firefox blocks Cross-Origin request due to the Same Origin
policy violation.

So, just follow the Same Origin policy.

Fixes: https://pagure.io/freeipa/issue/7832
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2019-01-16 08:57:51 +01:00
Christian Heimes
965181362a Fix systemd-user HBAC rule
2ef6e14c5a added an invalid HBAC rule that
encoded the service wrongly.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-01-15 14:29:22 -05:00
Rob Crittenden
9b90ebf4c3 Remove 389-ds templates now that lib389 is used for installs
The templates created the inf files for calling the 389-ds
installer setup-ds.pl. Now that lib389 is being used for installation
these are no longer necessary.

Related: https://pagure.io/freeipa/issue/4491

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-01-15 09:41:22 +01:00
Serhii Tsymbaliuk
ef7a903761
Fix "Configured size limit exceeded" warning on Web UI
Suppress size limit warning in 'refresh' command.

Ticket: https://pagure.io/freeipa/issue/7603
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-14 10:16:58 +01:00
Thomas Woerner
5ee687408b Enable firewall in the tests for PR CI
The firewall has not been enabled in the tests for PR CI so far. With these
steps this is done now:

install_packages: Install firewalld, enable and start firewalld service.

install_server: Enable firewalld services freeipa-ldap freeipa-ldaps and
dns after server installation.

run_tests: Disable firewalld services freeipa-ldap freeipa-ldaps and dns
after server uninstallation.

Related-to: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-01-11 20:01:54 +01:00
Christian Heimes
2ef6e14c5a Create systemd-user HBAC service and rule
authselect changed pam_systemd session from optional to required. When
the HBAC rule allow_all is disabled and replaced with more fine grained
rules, loginsi now to fail, because systemd's user@.service is able to
create a systemd session.

Add systemd-user HBAC service and a HBAC rule that allows systemd-user
to run on all hosts for all users by default. ipa-server-upgrade creates
the service and rule, too. In case the service already exists, no
attempt is made to create the rule. This allows admins to delete the
rule permanently.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-11 16:45:05 +01:00
Christian Heimes
c26cb5afde Require krb5 with fix for CVE-2018-20217
A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5
(aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using
an older encryption type (single-DES, triple-DES, or RC4), the attacker
can crash the KDC by making an S4U2Self request.

1.16.1-24 comes without Fix-bugs-with-concurrent-use-of-MEMORY-ccaches,
which caused a regression with IPA.

See: https://nvd.nist.gov/vuln/detail/CVE-2018-20217
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-11 12:00:31 +01:00
Christian Heimes
8276caf865 Don't use Python dependency generator yet
Fedora 30 started to have python_enable_dependency_generator by default.
Some packages like python3-dbus don't have the new dist names yet. This
fix enables testing on rawhide.

https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-10 12:57:14 +01:00
Alexander Bokovoy
2aa24eedf2 make sure IPA_CONFDIR is used to check that client is configured
Fixes a test ipatests/test_cmdline/test_cli.py:test_cli_fs_encoding()
which sets IPA_CONFDIR and attempts to interpret the resulting error
message. However, if the test is run on an enrolled machine (a
developer's laptop, for example), check_client_configuration() will
succeed because it ignores IPA_CONFDIR and, as result, api.finalize()
will fail later with a stacktrace.

Pass an environment object and test an overridden config file existence
in this case to fail with a proper and expected message.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-01-10 11:24:08 +01:00
Alexander Bokovoy
3c38aea6fc ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned
When looking through the topology of a trusted forest, we should support
all types of forest trust records. Since Samba Python bindings parse the
data into a typed structure, a type of the record has to be taken into
account or there will be type mismatch when accessing elements of the
union:

        typedef [switch_type(lsa_ForestTrustRecordType)] union {
                [case(LSA_FOREST_TRUST_TOP_LEVEL_NAME)] lsa_StringLarge top_level_name;
                [case(LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX)] lsa_StringLarge top_level_name_ex;
                [case(LSA_FOREST_TRUST_DOMAIN_INFO)] lsa_ForestTrustDomainInfo domain_info;
                [default] lsa_ForestTrustBinaryData data;
        } lsa_ForestTrustData;

        typedef struct {
                lsa_ForestTrustRecordFlags flags;
                lsa_ForestTrustRecordType type;
                NTTIME_hyper time;
                [switch_is(type)] lsa_ForestTrustData forest_trust_data;
        } lsa_ForestTrustRecord;

        typedef [public] struct {
                [range(0,4000)] uint32 count;
                [size_is(count)] lsa_ForestTrustRecord **entries;
        } lsa_ForestTrustInformation;

Each entry in the lsa_ForestTrustInformation has forest_trust_data
member but its content depends on the value of a type member
(forest_trust_data is a union of all possible structures).

Previously we assumed only TLN or TLN exclusion record which were
of the same type (lsa_StringLarge). Access to forest_trust_data.string
fails when forest_trust_data's type is lsa_ForestTrustDomainInfo as it
has no string member.

Fix the code by properly accessing the dns_domain_name from the
lsa_ForestTrustDomainInfo structure.

Fixes: https://pagure.io/freeipa/issue/7828
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-01-10 11:24:08 +01:00
Christian Heimes
3bed3d4ddb Use debug logger in ntpd_cleanup()
ipa-server-update shows spurious warnings when updating a server, e.g.

  No such file name in the index

  Warning: NTP service entry was not found in LDAP.

Lower all log levels in ntpd_cleanup() to debug to not confuse the user.

Fixes: https://pagure.io/freeipa/issue/7829
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-01-09 11:15:35 +01:00
Florence Blanc-Renaud
64be3141da ipatests: add integration test for pkinit enable on replica
ipa-pkinit-manage enable was failing when run on a replica
without a CA instance.
Add a test with the following scenario:
- install a replica with --no-pkinit
- check that the KDC cert is self signed
- call ipa-pkinit-manage enable
- check that the KDC cert is signed by IPA CA

Related to https://pagure.io/freeipa/issue/7795

Reviewed-By: Francois Cami <fcami@redhat.com>
2019-01-09 09:51:31 +01:00
Florence Blanc-Renaud
7785210533 pkinit enable: use local dogtag only if host has CA
ipa-pkinit-manage enable is failing if called on a master
that does not have a CA instance, because it is trying to
contact dogtag on the localhost.
The command should rather use certmonger in this case, and
let certmonger contact the right master to request the KDC
certificate.

Fixes: https://pagure.io/freeipa/issue/7795
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-01-09 09:51:31 +01:00
Christian Heimes
e5be409245 Make conftest compatible with pytest 4.x
pytest 3.6 has deprecated get_marker in 3.6. The method was removed in 4.x
and replaced with get_closest_marker.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-01-08 17:25:56 +01:00
Christian Heimes
670bcc0113 Require 389-DS = 1.4.0.16
CI is failing with 389-DS 1.4.0.20-1. Pin dependency to 1.4.0.16 for
now.

Note: RPM/DNF don't like a pin with dash. Therefore I had to change
ds_version from 1.4.0.16-1 to 1.4.0.16.

Fixes: https://github.com/freeipa/freeipa/pull/2731
See: https://pagure.io/389-ds-base/pull-request/50121
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-01-08 17:25:56 +01:00
Christian Heimes
7688808d1f Add index on idnsName
The data structures for the internal DNS server use the attribute idnsName
instead of cn in the DN. It's also used to search for entries when entries
are added, modified, or removed.

The new index speeds up dnsrecord and dnszone related commands as well
as commands like host-add and host-del --updatedns.

Fixes: https://pagure.io/freeipa/issue/7803
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-01-03 12:44:10 +01:00
Oleg Kozlov
0e5a8fbb9b Remove stale kdc requests info files when upgrading IPA server
Added removing of stale /var/lib/sss/pubconf/kdcinfo.* and /var/lib/sss/pubconf/kpasswdinfo.* files generated by SSSD during IPA server upgrade.

Fixes: https://pagure.io/freeipa/issue/7578
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-21 15:54:00 +01:00
Florence Blanc-Renaud
c0fd5e39c7 replica install: set the same master as preferred source for domain and CA
During ipa-replica-install, the installer creates a ReplicaConfig
object that contains a config.ca_host_name attribute, built from
api.env.ca_host.
This attribute is used as preferred source when asking the DNS for a CA
master from which to initialize the CA instance
(see commit 8decef33 for master selection and preferred host).

In most of the cases, /etc/ipa/default.conf does not contain any
definition for ca_host. In this case, api.env.ca_host is set to
the local hostname.
As a consequence, replica install is trying to use the local host
as preferred source (which does not have any CA yet), and the method
to find the CA source randomly picks the CA in the DNS.

With the fix, the master picked for domain replication is also used as
preferred source for CA/KRA.

Fixes: https://pagure.io/freeipa/issue/7744
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-12-19 14:19:46 +01:00
Christian Heimes
d710734247 Require 3.41.0-3 on Fedora 28
nss-3.41.0-3.fc28 fixes an issue with p11-kit crypto policy that caused
OpenLDAP to fail when SoftHSM2 is installed. The build is available in
Fedora updates-testing and @freeipa/freeipa-master COPR.

nss-3.41.0-1.fc29 is available in F29 stable.

See: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-12-17 13:35:13 +01:00
Alexander Bokovoy
e62eb0007b ipa-sidgen: make internal fetch_attr helper really internal
With 389-ds landing a change for
https://pagure.io/389-ds-base/issue/49950, fetch_attr() helper function
is exposed in slapi-plugin.h. However, in order to be able to build
FreeIPA plugins against older 389-ds versions, prefer using a local
variant of it.

Rename fetch_attr() to ipa_sidgen_fetch_attr() so that it doesn't
conflict at all.

Fixes: https://pagure.io/freeipa/issue/7811
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-12-14 14:04:02 +01:00
Christian Heimes
caffe2e8dd Fix test_advise in nightly runs
test_advise now needs one client, too.

See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2018-12-14 13:44:28 +01:00
François Cami
7c0b0f3471 ipatests: add a test for ipa-client-automount
Add an automount location then configure a client
to use it. Only runs nightly.

Related-to: https://pagure.io/freeipa/issue/7780
Related-to: https://pagure.io/freeipa/issue/7781
Related to: https://pagure.io/freeipa/issue/7783
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-14 10:15:04 +01:00
François Cami
6a56aa6d49 ipa-client-automount: use nfs-utils unit
- remove nfs-idmapd from units we enable & start as:
  - it is not used on NFS clients anymore
  - it is a static unit
- remove rpc-gssd as well as it is a static unit
- restart nfs-utils and rpc-gssd
- manage systemctl-related exceptions during uninstall

Fixes: https://pagure.io/freeipa/issue/7780
Fixes: https://pagure.io/freeipa/issue/7781
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-14 10:15:04 +01:00
François Cami
97f87513ef Fix NFS unit names
NFS unit names were renamed.
Compatibility was maintained with older unit names
through symlinks. When these symlinks are removed
only new unit names work, so changing to using non-
symlink unit names is required.

Fixes: https://pagure.io/freeipa/issue/7783
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-14 10:15:04 +01:00
Oleg Kozlov
f28a8177a9 Replace nss.conf with zero-length file instead of removing
Empty nss.conf avoids recreation of nss.conf in case `mod_nss` package is reinstalled. It is needed because by default (e.g. recreated) nss.conf has `Listen 8443` while this port is used by dogtag.

Fixes: https://pagure.io/freeipa/issue/7745
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-12-14 09:15:42 +01:00
Serhii Tsymbaliuk
18cac46092
WebUI: Temporary fix for UnexpectedAlertPresentException
It is regression in Firefox 55
Fixed in Firefox 65:
https://bugzilla.mozilla.org/show_bug.cgi?id=1503015

https://pagure.io/freeipa/issue/7809

Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2018-12-13 21:14:57 +01:00
Florence Blanc-Renaud
faa122a8b8 replication: check remote ds version before editing attributes
When the remote server has an old DS version, update of the
replication attributes nsds5ReplicaReleaseTimeout nsds5ReplicaBackoffMax
and nsDS5ReplicaBindDnGroupCheckInterval fails even if the remote
schema has been updated.

Check first the remote server version and update the attributes only if
the version is high enough.
A previous fix was already performing this check (commit 02f4a7a),
but not in all the cases. This fix also handles when the remote server
already has a cn=replica entry (for instance because it has already
established replication with another host).

Fixes https://pagure.io/freeipa/issue/7796

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-12-13 20:29:41 +01:00
Christian Heimes
a34d92d25c Create reindex task for ipaca DB
pkispawn sometimes does not run its indextasks. This leads to slow
unindexed filters on attributes such as description, which is used
to log in with a certificate. Explicitly reindex attribute that
should have been reindexed by CA's indextasks.ldif.

See: https://pagure.io/dogtagpki/issue/3083
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-13 17:04:00 +01:00
Christian Heimes
ed436e4b62 Add more LDAP indices
An index is used to optimize an LDAP operation. Without an index, 389-DS
has to perform a partial or even full table scan. A full database scan can
easily take 10 seconds or more in a large installation.

* automountMapKey: eq, pres (was: eq)
* autoMountMapName: eq
* ipaConfigString: eq
* ipaEnabledFlag: eq
* ipaKrbAuthzData: eq, sub
* accessRuleType: eq
* hostCategory: eq

automountMapKey and autoMountMapName filters are used for automount.

Installation and service discovery (CA, KRA) use ipaConfigString to find
active services and CA renewal master.

SSSD filters with ipaEnabledFlag, accessRuleType, and hostCategory to
find and cache HBAC rules for each host.

ipaKrbAuthzData is used by ipa host-del. The framework performs a
'*arg*' query, therefore a sub index is required, too.

Partly fixes: https://pagure.io/freeipa/issue/7786
Fixes: https://pagure.io/freeipa/issue/7787
Fixes: https://pagure.io/freeipa/issue/7790
Fixes: https://pagure.io/freeipa/issue/7792
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-13 17:04:00 +01:00
Christian Heimes
0fb87bfe82 LDAPUpdate: Batch index tasks
The LDAPUpdate framework now keeps record of all changed/added indices
and batches all changed attribute in a single index task. It makes
updates much faster when multiple indices are added or modified.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-13 17:04:00 +01:00
Christian Heimes
18f610caea Always collect test logs
mh.install() is the default multi host installer. Most integration test
classes use it to install master, replicas, and clients. In case of a
failed installation, the test collector step is skipped.

Guard log collection with a try/finally block so logs are always
collected.

Also collect journald output for mh.install() steps. The journal output
was missing from installation logs and were only available in each test
step.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2018-12-13 16:55:41 +01:00
Christian Heimes
a9f34c7605 Disable nss-p11-kit crypto policy for tests
NSS 3.40 and 3.41 enable p11-kit proxy. The PKCS#11 proxy loads all
PKCS#11 providers including the default SoftHSM2 token. On Fedora 28
OpenLDAP is patched to use Mozilla NSS. Because the SoftHSM2 token is
protected, the OpenLDAP function tlsmc_extract_cacerts() blocks because
it is waiting for PIN.

Delete the p11-kit policy and regenerate crypto policy.

OpenLDAP debug output:

ldap_url_parse_ext(ldap://master.ipa.test:389/)
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/dirsrv/slapd-IPA-TEST'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/dirsrv/slapd-IPA-TEST'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/dirsrv/slapd-IPA-TEST` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-slapd-IPA-TEST--CFD75CD2496FD947611EE486C199DB7DE06AF86D5CD28715BAD24414827D1987'.
tlsmc_convert: WARN: will try to create PEM dir.
tlsmc_prepare_dir: INFO: preparing PEM directory `/tmp/openldap-tlsmc-slapd-IPA-TEST--CFD75CD2496FD947611EE486C199DB7DE06AF86D5CD28715BAD24414827D1987'.
tlsmc_prepare_dir: INFO: creating a subdirectory `cacerts'.
tlsmc_prepare_dir: INFO: successfully created PEM directory structure.
   ***NSS 3.40 BLOCKS HERE***
tlsmc_extract_cacerts: INFO: found cert nick=`Server-Cert', _not_ a trusted CA, skipping.
tlsmc_extract_cacerts: INFO: found cert nick=`Self-Signed-CA', a trusted CA.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2018-12-13 14:53:38 +01:00
Christian Heimes
f330c59dd8 Add install/remove package helpers to advise
The smart card advise scripts assume that yum is installed. However
Fedora has dnf and the yum wrapper is not installed by default.
Installation and removal of packages is now provided by two helper
methods that detect the package manager.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 13:46:52 +01:00
Christian Heimes
f0e11dac2d Test smart card advise scripts
Create and execute the server and client smart card advise scripts.

See: See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 13:46:52 +01:00
Christian Heimes
a86abd37e9 Log stderr in run_command
pytest_multihost's run_command() does not log stderr when a command
fails. Wrap the function call to log stderr so it's easier to debug
failing tests.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 13:46:52 +01:00
Christian Heimes
0a2222ea26 Smart card auth advise: Allow Apache user
Modify the smard card auth advise script to use sssd_enable_ifp() in
order to allow Apache to access SSSD IFP.

See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 13:46:52 +01:00
Christian Heimes
917d81b832 Allow HTTPd user to access SSSD IFP
For smart card and certificate authentication, Apache's
mod_lookup_identity module must be able to acess SSSD IFP. The module
accesses IFP as Apache user, not as ipaapi user.

Apache is not allowed to use IFP by default. The update code uses the
service's ok-to-auth-as-delegate flag to detect smart card / cert auth.

See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 13:46:52 +01:00
Christian Heimes
d6fd2ad4f2 Remove dead code
set_sssd_domain_option() is no longer used. Changes are handled by
sssd_update().

See: https://pagure.io/freeipa/issue/7751
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 13:46:52 +01:00
Christian Heimes
39eaf2fab5 Add index and container for RFC 2307 IP services
IPA doesn't officially support RFC 2307 IP services. However SSSD has a
nsswitch plugin to provide service lookups. The subtree search for
(&(ipserviceport=$PORT)(ipserviceprotocol=$SRV)(objectclass=ipservice)) in
cn=accounts,$SUFFIX has caused performance issues on large
installations.

This patch introduced a dedicated container
cn=ipservices,cn=accounts,$SUFFIX for IP services for future use or 3rd
party extensions. SSSD will be change its search base in an upcoming
release, too.

A new ipServicePort index is added to optimize searches for an IP
service by port. There is no index on ipServiceProtocol because the index
would have poor selectivity. An ipService entry has either 'tcp' or 'udp'
as protocol.

Fixes: https://pagure.io/freeipa/issue/7797
See: https://pagure.io/freeipa/issue/7786
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 12:16:00 +01:00
Christian Heimes
c09927d16a Handle service_del with bad service name
The command 'ipa service-del badservice' used to fail with an internal
server error, because check_required_principal() could not handle a
principal that is not a service principal. All del commands have less
strict error checking of primary keys so they can reference any stored
key, even illegal ones.

check_required_principal() skips required principal check if the
principal is not a service principal. A non-service principal can never
be a required principal.

Fixes: https://pagure.io/freeipa/issue/7793
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 12:14:32 +01:00