Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove all object-specific loggers, with the exception of `Plugin.log`,
which is now deprecated. Replace affected logger calls with module-level
logger calls.
Deprecate object-specific loggers in `ipa_log_manager.get_logger`.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use the actual root logger (`logging.getLogger()`) rather than the `ipa`
logger (or the `root` logger in case of ipa-ods-exporter) as the root
logger.
Always configure logging on the root logger.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use the standard `logging` module to configure logging instead of the
in-house `ipapython.log_manager` module and remove `ipapython.log_manager`.
Disable the logging-not-lazy and logging-format-interpolation pylint
checks.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Currently the cert-request execution is complicated and cannot
handle aliases in the --principal argument.
Implement the following simplifications:
- Search all user/host/service accounts at once, by krbPrincipalName
(error if no account found). Use principal canonical name to
determine the type of the principal.
- Update subject principals userCertificate attribute uniformly,
instead of dispatching to user/host/service-mod based on type of
principal.
Fixes: https://fedorahosted.org/freeipa/ticket/6531
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
When pulling the DM password we may have the same issues reported in
ticket #6838 for CA keys.
This commit makes sure we always check the peer has keys before any
client operation.
Ticket #6838
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
If the setting of server attribute fails (e.g. due to master not having
the associated role enabled) the error would pop up *after* the old
values were cleared from LDAP. Fix this behavior so that all checks are
performed before manipulating any data.
https://pagure.io/freeipa/issue/7029
Reviewed-By: Martin Basti <mbasti@redhat.com>
If the role or attribute is empty (i.e. no server provides the role or
the caller has no read access to the required information) do not
return empty attributes. This is consistent with other behavior
displayed by optional multivalued Params.
https://pagure.io/freeipa/issue/7029
Reviewed-By: Martin Basti <mbasti@redhat.com>
LDAPClient should be used for ad-hoc connections, so the argument is not
necessary, and currently also unused.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Use the default LDAP URI from api.env.ldap_uri instead of specifying a
custom URI in the argument, as the custom URI is always the same as the
default URI.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the
user_status and migrate-ds plugins.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This library is a prerequisite for successful Smart Card authentication
on the client. The client-side advise should make sure this dependency
is present.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use `if_branch` and `else_branch` context managers instead of raw
`command` calls in the method that generates Bash snippet that
configures PKINIT on the master.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
this simplifies handling compound statements using _AdviceOutput class.
The necessary statements are exposed as context managers and API for
most common constructs is provided.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If the user has a series of CA certificates required to verify smart
card certs (e.g. intermediary CAs and root CA) it is convenient to allow
for passing them to the advise scripts as a series of PEM files.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
On master, upload the CA certificate to IPA LDAP and NSS databases. On
both master and client run ipa-certupdate to update client-side CA
certificate bundles used as PKINIT anchors.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Previously the Smart card signing CA cert was uploaded to systemwide NSS
DB only on the client, but it need to be added also to the server.
Modify the advise plugins to allow for common configuration steps to
occur in both cases.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
We have only one debug log level and it causes issues with py3.
...
File "/usr/lib/python3.5/site-packages/ipaserver/rpcserver.py", line 490, in marshal
response, version, pretty_print=self.api.env.debug >= 2
TypeError: unorderable types: str() >= int()
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
/etc/krb5.conf.d exists.
Do not rely on /etc/krb5.conf.d to enable the certauth plugin.
This fixes install on platforms which do not have /etc/krb5.conf.d.
https://pagure.io/freeipa/issue/6589
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
We need to verify the ccache is avcailable in all cases or finalize
will cause us to acquire creds with the keytab which is not what we
want.
Ticket #7037
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
We cannot reliably determine when an IP Address is network or broadcast.
We allowed to use non-local IP addresses due container use cases, we
don't know subnets of used IP addresses.
https://pagure.io/freeipa/issue/4317
Reviewed-By: David Kupka <dkupka@redhat.com>
The cert-find command now uses the proxy to reach Dogtag, instead of using
the port 8080. In order to accomplish that, it's necessary to change the
proxy configuration including the URL called.
https://pagure.io/freeipa/issue/6966
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The ID range comparison was comparing numbers to a string or possibly
to `None` and was tailored in such a way that the check would always
pass although it went directly against the definition of the absolute
value of a substitution.
https://pagure.io/freeipa/issue/7002
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When installing second (or consequent) KRA instance keys are retrieved
using custodia. Custodia checks that the keys are synchronized in
master's directory server and the check uses GSSAPI and therefore fails
if there's no ticket in ccache.
https://pagure.io/freeipa/issue/7020
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
There are two ways for maintaining user principal names (UPNs) in Active
Directory:
- associate UPN suffixes with the forest root and then allow for each
user account to choose UPN suffix for logon
- directly modify userPrincipalName attribute in LDAP
Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.
The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.
This is especially true for one-word UPNs which otherwise wouldn't work
properly on Kerberos level for both FreeIPA and Active Directory.
Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.
As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible to specify all of them:
ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}
Fixes: https://pagure.io/freeipa/issue/7015
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
After invocation of the ipa server-del <hostname>
command there was still record in ldap if DNS
was installed on the <hostname> server.
Fixes: https://pagure.io/freeipa/issue/6572
Reviewed-By: Martin Basti <mbasti@redhat.com>
