Commit Graph

146 Commits

Author SHA1 Message Date
Petr Viktorin
55cfd06e3a Better logging for AdminTool and ipa-ldap-updater
- Automatically add a "Logging and output options" group with the --quiet,
    --verbose, --log-file options.
- Set up logging based on these options; details are in the setup_logging
    docstring and in the design document.
- Don't bind log methods as individual methods of the class. This means one
    less linter exception.
- Make the help for command line options consistent with optparse's --help and
    --version options.

Design document: http://freeipa.org/page/V3/Logging_and_output
2013-02-01 13:44:55 -05:00
Rob Crittenden
045b6e6ed9 Use new certmonger locking to prevent NSS database corruption.
dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a rewewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're save
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.

Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.

Update the CA ou=People entry when he CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.

https://fedorahosted.org/freeipa/ticket/3292
https://fedorahosted.org/freeipa/ticket/3322
2013-01-29 11:16:38 -05:00
Rob Crittenden
41d11f443b Make certmonger a (pre) requires on server, restart it before upgrading
certmonger may provide new CAs, as in the case from upgrading IPA 2.2
to 3.x. We need these new CAs available during the upgrade process.

The certmonger package does its own condrestart as part of %postun
which runs after the %post script of freeipa-server, so we need to
restart it ourselves before upgrading.

https://fedorahosted.org/freeipa/ticket/3378
2013-01-25 10:08:37 +01:00
Petr Vobornik
69c2f077df Fix BuildRequires: rhino replaced with java-1.7.0-openjdk
Rhino is needed for Web UI build. Rhino needs java, but from package perspective
java-1.7.0-openjdk requires rhino. So the correct BuildRequires is
java-1.7.0-openjdk.
2013-01-22 17:05:29 +01:00
Petr Vobornik
c71937fc0c Updated makefiles to build FreeIPA Web UI layer
Updated makefiles to comply to new directory structure and also to use builder
for building Web UI.

FreeIPA package spec is modified to use the output of the builder.

https://fedorahosted.org/freeipa/ticket/112
2013-01-18 15:10:37 +01:00
Timo Aaltonen
ed84963927 convert the base platform modules into packages 2013-01-14 14:39:54 +01:00
Endi Sukma Dewata
dae4ea4c7e Configuring CA with ConfigParser.
The configuration code has been modified to use the ConfigParser to
set the parameters in the CA section in the deployment configuration.
This allows IPA to define additional PKI subsystems in the same
configuration file.

PKI Ticket #399 (https://fedorahosted.org/pki/ticket/399)
2012-12-10 10:27:54 -05:00
Martin Kosek
6cb7441d15 Bump 389-ds-base minimum in our spec file
Our code needs both Requires and BuildRequires set to 389-ds-base
which supports transactions. Also add the requires to configure.ac.
2012-12-07 13:59:59 +01:00
Rob Crittenden
e05a720b12 Set min for selinux-policy to 3.11.1-60
This fixes errors including sssd domain mapping in krb5.conf (#873429)

https://fedorahosted.org/freeipa/ticket/3132
2012-12-06 10:54:42 -05:00
Jakub Hrozek
a35d4dcbfd Add the includedir to krb5.conf on upgrades
https://fedorahosted.org/freeipa/ticket/3132
2012-12-06 10:54:29 -05:00
Jakub Hrozek
b64dc9362d Specify includedir in krb5.conf on new installs
https://fedorahosted.org/freeipa/ticket/3132
2012-12-06 10:53:22 -05:00
Martin Kosek
3896bf370a Change network configuration file
Fedora+systemd changed deprecated /etc/sysconfig/network which was
used by IPA to store static hostname for the IPA machine. See
https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details.

Change Fedora platform files to store the hostname to /etc/hostname
instead.

https://fedorahosted.org/freeipa/ticket/3279
2012-12-05 13:30:31 +01:00
Petr Viktorin
1d3ddeff54 Fix schema replication from old masters
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.

Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.

The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.

The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
  The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
  The --skip-schema-check option is added to ipa-{replica,ca}-install to
  override the check.

All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.

https://fedorahosted.org/freeipa/ticket/3213
2012-11-23 12:19:19 +01:00
Ade Lee
18a210996d Changes to use a single database for dogtag and IPA
New servers that are installed with dogtag 10 instances will use
a single database instance for dogtag and IPA, albeit with different
suffixes.  Dogtag will communicate with the instance through a
database user with permissions to modify the dogtag  suffix only.
This user will authenticate using client auth using the subsystem cert
for the instance.

This patch includes changes to allow the creation of masters and clones
with single ds instances.
2012-11-23 12:19:19 +01:00
Alexander Bokovoy
7960b5c67f trusts: replace use of python-crypto by m2crypto
python-crypto package is not available everywhere, use m2crypto instead.

Originally we thought to extend python-krbV to provide krb5_c_encrypt()
wrapper but m2crypto is readily available.

https://fedorahosted.org/freeipa/ticket/3271
2012-11-21 11:57:15 -05:00
Rob Crittenden
f1f1b4e7f2 Enable transactions by default, make password and modrdn TXN-aware
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.

Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).

Fix some unit tests that are failing because we actually get the data
now due to transactions.

Add small bit of code in user plugin to retrieve the user again
ala wait_for_attr but in the case of transactions we need do it only
once.

Deprecate wait_for_attr code.

Add a memberof fixup task for roles.

https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
2012-11-21 14:55:12 +01:00
Martin Kosek
dce53e455f Prepare spec file for Fedora 18
FreeIPA 3.0 is being released to Fedora 18 only. Since we only support
Fedora 17 and Fedora 18 in FreeIPA 3.0+, compatibility code for older
Fedoras can be dropped. This should clean up the spec file and make it
more readable.

Dogtag10 Requires were fixed. Without this patch, there is a conflict
on dogtag-pki-common-theme.

Tar requirement was added to avoid crashes in ipa-replica-prepare on
some minimal Fedora composes.

https://fedorahosted.org/freeipa/ticket/2748
https://fedorahosted.org/freeipa/ticket/3237
2012-11-15 13:32:02 +01:00
Martin Kosek
610594156e Disable global forwarding per-zone
bind-dyndb-ldap allows disabling global forwarder per-zone. This may
be useful in a scenario when we do not want requests to delegated
sub-zones (like sub.example.com. in zone example.com.) to be routed
through global forwarder.

Few lines to help added to explain the feature to users too.

https://fedorahosted.org/freeipa/ticket/3209
2012-11-09 15:37:23 +01:00
Simo Sorce
7f272a39b6 Get list of service from LDAP only at startup
We check (possibly different) data from LDAP only at (re)start.
This way we always shutdown exactly the services we started even if the list
changed in the meanwhile (we avoid leaving a service running even if it was
removed from LDAP as the admin decided it should not be started in future).

This should also fix a problematic deadlock with systemd when we try to read
the list of service from LDAP at shutdown.
2012-11-01 10:58:19 -04:00
Sumit Bose
fe66fbe637 Restart httpd if ipa-server-trust-ad is installed or updated
If ipa-server-trust-ad is installed after the ipa server is installed
and configured, httpd needs a restart for additional python modules to
be loaded into httpd on IPA initialization.

Fixes https://fedorahosted.org/freeipa/ticket/3185
2012-10-31 08:48:25 +01:00
Martin Kosek
1ed8ba6a75 Avoid uninstalling dependencies during package lifetime
Requires(pre) only guarantees that package will be present before
package scriptlets are run. However, the package can be removed
after installation is finished without removing also IPA. Add
standard Requires for these dependencies.

Remove PRE version number from VERSION. This update and following
is done on a top of IPA 3.0.0 GA.

https://fedorahosted.org/freeipa/ticket/3189
2012-10-25 15:35:58 -04:00
Martin Kosek
a5ec992ed9 Report ipa-upgradeconfig errors during RPM upgrade
Report errors just like with ipa-ldap-updater. These messages should warn
user that some parts of the upgrades may have not been successful and
he should follow up on them. Otherwise, user may not notice them at all.

ipa-upgradeconfig now has a new --quiet option to make it output only error
level log messages or higher. ipa-upgradeconfig run without options still
pring INFO log messages as it can provide a clean overview about its
actions (unlike ipa-ldap-updater).

https://fedorahosted.org/freeipa/ticket/3157
2012-10-18 21:10:17 -04:00
Simo Sorce
f1ce31486c Use stricter requirement for krb5-server
Our code strictly depends on 1.10 as the KDC DAL plugin interface is not
guaranteed stable and indeed is different in 1.9 and will be different
in 1.11
So we cannot allow upgrades to 1.11 until we can provide a plugin that matches
1.11's interface.
2012-10-10 17:08:03 -04:00
Alexander Bokovoy
9cd0b7b498 Make sure samba{,4}-winbind-krb5-locator package is not used with trusts
Since use of winbind on FreeIPA server that is configured with trusts is
conflicting with krb5 locator based on winbind, use alternatives mechanism
to turn off the locator plugin by symlinking it to /dev/null.

https://fedorahosted.org/freeipa/ticket/3102
2012-10-09 22:24:34 -04:00
Petr Viktorin
1dd103bc8c Create Firefox extension on upgrade and replica-install
If the signing cert is not available, create an unsigned extension.

Add a zip dependency to the specfile.

https://fedorahosted.org/freeipa/ticket/3150
2012-10-10 17:34:19 +02:00
Martin Kosek
74ebd0fd75 Move CRL publish directory to IPA owned directory
Currently, CRL files are being exported to /var/lib/pki-ca
sub-directory, which is then served by httpd to clients. However,
this approach has several disadvantages:
 * We depend on pki-ca directory structure and relevant permissions.
   If pki-ca changes directory structure or permissions on upgrade,
   IPA may break. This is also a root cause of the latest error, where
   the pki-ca directory does not have X permission for others and CRL
   publishing by httpd breaks.
 * Since the directory is not static and is generated during
   ipa-server-install, RPM upgrade of IPA packages report errors when
   defining SELinux policy for these directories.

Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for
both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy
configuration does not report any error. The new CRL publish directory
is used for both new IPA installs and upgrades, where contents of
the directory (CRLs) is first migrated to the new location and then the
actual configuration change is made.

https://fedorahosted.org/freeipa/ticket/3144
2012-10-09 16:00:01 +02:00
Petr Vobornik
696fce5c8d Configuration pages changed to use new FF extension
browserconfig.html was changed to use new FF extension. The page is completely Firefox specific therefore the title was changed from 'Configure browser' to 'Firefox configuration'. Instruction to import CA cert in unauthorized.html are FF specific too, so they were moved to browserconfig.html. Unauthorized.html text was changed to distinguish FF config and other browsers. Now the page shows link for FF (browserconfig.html) and other browsers (ssbrowser.html). Ssbrowser.html should be enhanced by more configurations and browsers later [1].

Old configuration method was moved to ssbrowser.html.

Unauthorized dialog in Web UI now links to http://../unauthorized.html instead of https. This change is done because of FF strange handling of extension installations from https sites [2]. Firefox allows ext. installation from https sites only when the certificate is signed by some build-in CA. To allow custom CAs an option in about:config has to be changed which don't help us at all because we wants to avoid manual changes in about:config.

The design of browserconfig is inspired by Kyle Baker's design (2.1 Enhancements_v2.odt). It is not exactly the same. Highlighting of the steps wasn't used because in some cases we can switch some steps.

Ticket: https://fedorahosted.org/freeipa/ticket/3094

[1] https://fedorahosted.org/freeipa/ticket/823
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383
2012-10-04 18:08:26 -04:00
Petr Vobornik
247a3a43b7 Build and installation of Kerberos authentication extension
This patch is adding a build of kerberosauth.xpi (FF Kerberos authentication extension).

Currently the build is done in install phase of FreeIPA server. It is to allow signing of the extension by singing certificate. The signing might not be necessary because the only outcome is that in extension installation FF doesn't show that the maker is not verified. It shows text: 'Object signing cert'. This might be a bug in httpinstance.py:262(db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)) The value is in place of hostname parameter.

If the extension is not signed, it can be created in rpm build phase, which should make upgrades easier. Current implementation doesn't handle upgrades yet.

In order to keep extension and config pages not dependent on a realm, a krb.js.teplate file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in install phase which holds FreeIPA's realm and domain information. This information can be then used by config pages by importing this file.

Ticket: https://fedorahosted.org/freeipa/ticket/3094
2012-10-04 18:08:04 -04:00
Petr Vobornik
206b6ca04b Kerberos authentication extension makefiles
Makefiles for new FF kerberos authentication extension

ihttps://fedorahosted.org/freeipa/ticket/3094
2012-10-04 18:07:34 -04:00
Martin Kosek
63c7f61501 Add support for unified samba packages
Fedora 18 and later has moved unified samba and samba4 packages. Update
Requires and BuildRequires in spec file to require correct versions.

Also require libwbclient-devel which now provides libwbclient.h instead
of samba4-devel package.

https://fedorahosted.org/freeipa/ticket/3118
2012-10-01 17:32:02 +02:00
Petr Viktorin
4f76c143d2 Use Dogtag 10 only when it is available
Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.

Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.

This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
2012-09-17 18:43:59 -04:00
Rob Crittenden
c9c55a2845 Run the CLEANALLRUV task when deleting a replication agreement.
This adds two new commands to ipa-replica-manage: list-ruv & clean-ruv

list-ruv can be use to list the update vectors the master has
configugured

clean-ruv can be used to fire off the CLEANRUV task to remove a
replication vector. It should be used with caution.

https://fedorahosted.org/freeipa/ticket/2303
2012-09-17 17:48:25 +02:00
Sumit Bose
d491ba0289 ipasam: Fixes build with samba4 rc1 2012-09-14 16:50:52 +02:00
Rob Crittenden
a01fbb91e8 Set minimum of 389-ds-base to 1.2.11.8 to pick up cache warning.
If the DB is bigger than nsslapd-cachememsize then a warning will be
logged by 389-ds-base.

https://fedorahosted.org/freeipa/ticket/2739
2012-09-05 15:52:51 -04:00
Tomas Babej
f397db79dd Adds dependency on samba4-winbind.
Dependency on samba4-winbind has been added to the package
freeipa-server-trust-ad.
2012-08-22 17:22:48 +03:00
Sumit Bose
e8d4cc65f8 Use libsamba-security instead of libsecurity
In samba4-beta6 the name of a library was changed from libsecurity to
libsamba-security.
2012-08-22 17:18:07 +03:00
Martin Kosek
af4d534428 Fix client-only build
Client-only build unconditionally touched some files from freeipa-server
package and thus the installation crashed. Fix spec file to enable
client-only builds like "make client-rpms".
2012-08-17 14:24:15 +02:00
Martin Kosek
adc2f77a39 Bump bind-dyndb-ldap version in spec file
The updated version of the BIND LDAP plugin includes completed
support of DNS zone transfers. With the new version, users will be
able to configure slave DNS servers for IPA master DNS server.
2012-08-17 12:07:25 +02:00
Martin Kosek
8c7556db83 Bump bind-dyndb-ldap version for F18
bind-dyndb-ldap with SOA serial autoincrement was released. Bump
the package version in the spec file. The version is bumped for
F18 only as it was released only to rawhide and we don't want to
break development on F17.

https://fedorahosted.org/freeipa/ticket/2554
2012-08-02 17:22:19 +02:00
Rob Crittenden
03837bfd6d Use certmonger to renew CA subsystem certificates
Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803
2012-07-30 13:39:08 +02:00
Simo Sorce
cc466e98ff Add all external samba libraries to BuildRequires
Also move them in the right spot (if ! only client) so that they are required
only when building the server.
2012-07-25 13:34:49 -04:00
Simo Sorce
dedb180ddc Add libtalloc-devel as spec file BuildRequire 2012-07-24 14:25:43 -04:00
Alexander Bokovoy
61b2f0a5d0 Follow change in samba4 beta4 for sid_check_is_domain to sid_check_is_our_sam
With c43505b621725c9a754f0ee98318d451b093f2ed in samba git master
the function sid_check_is_domain() was renamed to sid_check_is_our_sam().

https://fedorahosted.org/freeipa/ticket/2929
2012-07-18 16:56:04 +03:00
Martin Kosek
c20d4c71b8 Print ipa-ldap-updater errors during RPM upgrade
ipa-ldap-updater does a lot of essential LDAP changes and if it
fails, user may be surprised after the upgrade why things does not
work.

Modify ipa-ldap-updater to print ERROR logging messages by default
and modify RPM upgrade scriptlet to show these errors to user. Console
error messages are now formated in a more user-friendly way.

Information message stating that IPA is not configured and i.e. there
is nothing to be updated is not printer to stderr so that it does
not pop up for every freeipa-server package update when IPA is not
configured.

https://fedorahosted.org/freeipa/ticket/2892
2012-07-13 16:18:45 +02:00
Rob Crittenden
a4d2bcde33 Fix compatibility with Fedora 18.
We need a Requires on openssl, the mod_rewrite syntax has changed so
we can dump some unused configuration and we need a newer version of
mod_auth_kerb to pick up the new location of delegated ccache.

https://fedorahosted.org/freeipa/ticket/2839
2012-07-02 15:20:13 +02:00
Sumit Bose
bdb995194c Add range check preop plugin
To make sure that ID ranges do not overlap this plugin checks new
additions and changes for conflicts with existing ranges.

https://fedorahosted.org/freeipa/ticket/2185
2012-06-29 18:00:58 -04:00
Martin Kosek
302d5afe8b Add missing libsss_idmap Requires on freeipa-server-trust-ad 2012-06-28 13:48:45 +02:00
Sumit Bose
316aac5a8d Add external domain extop DS plugin
This extop can be used by clients of the IPA domain, e.g. sssd, to
retrieve data from trusted external domains. It can be used e.g. to map
Windows SIDs to user or groups names and back.
2012-06-28 13:08:26 +02:00
Sumit Bose
65ad261663 Add sidgen postop and task
A postop plugin is added to create the SID for new created users and
groups. A directory server task allows to set the SID for existing
users and groups.

Fixes https://fedorahosted.org/freeipa/ticket/2825
2012-06-28 08:02:05 +02:00
Rob Crittenden
f4d2f2a65b Configure automount using autofs or sssd.
This script edits nsswitch.conf to use either ldap (autofs) or
sss (sssd) to find automount maps.

NFSv4 services are started so Kerberos encryption and/or integrity can
be used on the maps.

https://fedorahosted.org/freeipa/ticket/1233
https://fedorahosted.org/freeipa/ticket/2193
2012-06-25 17:24:34 -04:00