Commit Graph

184 Commits

Author SHA1 Message Date
Simon Nussbaum
fcad9c9aa7 component: mail_from_realname config setting added to IPA-EPN
Adding mail_from_realname setting to configuration so that the real name of the sender of the password expiration notification can be customized. This addition does not affect existing configurations.

Fixes: https://pagure.io/freeipa/issue/9336

Signed-off-by: Simon Nussbaum <simon.nussbaum@adfinis.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-07-26 09:01:37 -04:00
Sumit Bose
8d12d497f6 ipa-otpd: add passkey_child_debug_level option
By setting passkey_child_debug_level in default.conf the debug level for
the passkey_child helper utility can be set.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Rob Crittenden
8eeba00c4f Mention in ipa-client-install that nscd is disabled
Also warn that similar services may also need to be disabled.
An example is an nscd replacement named unscd.

Fixes: https://pagure.io/freeipa/issue/9086

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-05-24 13:29:35 +02:00
Rob Crittenden
4a2c7b311b Pass the curl write callback by name instead of address
This was reported by Coverity as a potential issue. Passing
by name is the example that curl uses so switch to that to
quiet the warning.

Also change to a static function and pre-declare it to quiet a
compile-time warning.

https://pagure.io/freeipa/issue/9274

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-16 14:50:22 -05:00
Christian Heimes
dbebed2e3a Add PKINIT support to ipa-client-install
The ``ipa-client-install`` command now supports PKINIT for client
enrollment. Existing X.509 client certificates can be used to
authenticate a host.

Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA
certificates for PKINIT.

*Requirements*

- The KDC must trust the CA chain of the client certificate.
- The client must be able to verify the KDC's PKINIT cert.
- The host entry must exist. This limitation may be removed in the
  future.
- A certmap rule must match the host certificate and map it to a single
  host entry.

*Example*

```
ipa-client-install \
    --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
    --pkinit-anchor=/path/to/kdc-ca-bundle.pem
```

Fixes: https://pagure.io/freeipa/issue/9271
Fixes: https://pagure.io/freeipa/issue/9269
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-16 14:32:05 +02:00
Florence Blanc-Renaud
cca7a7cd77 ipa man page: format the EXAMPLES section
The EXAMPLES section is missing .TP macros before some of
the provided examples, and they are displayed in the same paragraph.

Add .TP (tagged, indented paragraph) before each example.

Fixes: https://pagure.io/freeipa/issue/9252
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-09-30 15:15:50 +02:00
Rob Crittenden
05d96e16dc Add switch for LDAP cache debug output
The LDAP cache log is rather chatty and a bit overwhelming when
looking for error messages. Disable it by default but allow it
to be enabled when a new config option, ldap_cache_debug, is
enabled.

Fixes: https://pagure.io/freeipa/issue/9180

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-14 15:56:21 +03:00
Rob Crittenden
cef6a90288 dnssec daemons: read the dns context config file for debug state
This had been hardcoded to debug=True but it spams the logs
with a lot of unnecessary information.

Allow it to be enabled for troubleshooting purposes but keep it
disabled by default.

Enabling debug would involve created /etc/ipa/dns.conf:

[global]
debug = True

I didn't add a more generic mechanism because for now we only need
the value of debug and it introduces a lot of type conversion
headaches. ipalib handles this automatically but to duplicate this
would be corner-case city.

Fixes: https://pagure.io/freeipa/issue/9128

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-02 11:17:57 +02:00
Florence Blanc-Renaud
49ab92c5ef man pages: document the --subid installer option
Document --subid in the man pages for
- ipa-client-install
- ipa-replica-install
- ipa-server-install

Related: https://pagure.io/freeipa/issue/9159
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-25 08:11:39 +03:00
Alexander Bokovoy
3f6656e09a ipa-otpd: add support for SSSD OIDC helper
SSSD OIDC helper is used for negotiating with OAUTH2 or OIDC end points
of external identity providers (IdPs).

ipa-otpd daemon now is capable to take either Issuer URL or individual
endpoints and call SSSD OIDC helper accordingly.

Communication with SSSD OIDC helper can be debugged with the use of a
debug variable set in /etc/ipa/default.conf. Man page for
default.conf(5) has been updated to provide this information.

Fixes: https://pagure.io/freeipa/issue/8805

Signed-off-by: Sumit Bose <sbose@redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
2022-05-10 15:52:41 +03:00
Florence Blanc-Renaud
300f62f72b EPN: document missing option msg_subject
In /etc/ipa/epn.conf it is possible to customize the
e-mail subject by setting msg_subject=<value> but this
setting is not documented in the man page.

Add the options in epn.conf man page and in the template.

Fixes: https://pagure.io/freeipa/issue/9145
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-04-29 13:56:19 -04:00
Rob Crittenden
a283735fbf Remove the --no-sssd option from ipa-client-automount
This makes automount configurable only using sssd and not LDAP.
The reason is that authselect 1.3 no longer supports
user-nsswitch.conf which is where we made direct changes to the
nss configuration on Fedora/RHEL.

The equivalent option was removed from ipa-client-install in
https://pagure.io/freeipa/issue/7671

Fixes: https://pagure.io/freeipa/issue/9084

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-03-18 09:40:37 +01:00
Rob Crittenden
61650c577f Re-work the quiet option in ipa-join to not suppress errors
The quiet option was supposed to suppress unnecessary output
on successful invocations. Instead it was suppressing most
error messages as well.

Remove all the quiet checks when an error would be displayed.

Pass the quiet option to ipa-getkeytab so it honors the
request as well.

Also tidy up some of the debug output.

https://pagure.io/freeipa/issue/9105

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-02-09 10:48:06 -05:00
Rob Crittenden
3c1f4ba995 Remove ipa-join errors from behind the debug option
This brings it inline with the previous XML-RPC output which
only hid the request and response from the output and not
any errors returned.

https://pagure.io/freeipa/issue/9103

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Peter Keresztes Schmidt <carbenium@outlook.com>
2022-02-04 13:28:42 -05:00
Alexander Bokovoy
9043b8d534 Fix use of comparison functions to avoid GCC bug 95189
Due to a bug in GCC 9 and GCC 10 optimizing code, all C library
comparison functions should be used with explicit result comparison in
the code to avoid problems described in

http://r6.ca/blog/20200929T023701Z.html

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189

The code below is affected:

```
    if (strcmp(a, b) || !strcmp(c, d)) ...
```

while the code below is not affected:

```
    if (strcmp(a, b) != 0 || strcmp(c, d)) == 0
```

for all C library cmp functions and related:

 - strcmp(), strncmp()
 - strcasecmp(), strncasecmp()
 - stricmp(), strnicmp()
 - memcmp()

This PR idea is based on the pull request by 'Nicolas Williams <nico@twosigma.com>'
to Heimdal Kerberos: https://github.com/heimdal/heimdal/pull/855

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-23 10:31:34 +01:00
Rob Crittenden
b842b825ab Make the schema cache TTL user-configurable
The API schema is not checked for changes until after a TTL
is expired. A one-hour TTL was hardcoded which makes development
tedious because the only way to force a schema update is to
remember to remove files between invocations.

This adds a new environment variable, schema_ttl, to configure
the TTL returned by the server to schema() calls. This can be
set low to ensure a frequent refresh during development.

If the client is in compat mode, that is if client is working
against a server that doesn't support the schema() command,
then use the client's schema_ttl instead so that the user still
has control.

Re-check validity before writing the cache. This saves us both
a disk write and the possibility of updating the expiration
with a ttl of 0. This can happen if the fingerprint is still
valid (not expired, no language change) the schema check is
skipped so we have no server-provided ttl.

https://pagure.io/freeipa/issue/8492

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-03 10:59:10 +01:00
Rob Crittenden
fece03d446 ipa-getkeytab: fix compiler warnings
Make read_ipa_config and filter_keys static to avoid
"no previous prototype" warnings.

Use correct datatype of return value for ber_scanf to
correct different signedness comparision.

Fixed while working on https://pagure.io/freeipa/issue/8478

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-07-30 08:45:08 -04:00
Rob Crittenden
ae05970ea7 ipa-getkeytab: add option to discover servers using DNS SRV
The basic flow is:

- If server is provided by the user then use it
- If server the magic value '_srv', check for _ldap._tcp SRV records for
  the domain in /etc/ipa/default.conf
- If no servers are found use the server from default.conf

https://pagure.io/freeipa/issue/8478

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-07-30 08:45:08 -04:00
François Cami
2e31e8479a ipa-client-install: update sssd.conf if nsupdate requires -g
If dynamic DNS updates are selected, sssd will use GSS-TSIG
by default for nsupdate.
When ipa-client-install notices that plain nsupdate is required,
switch sssd to use no authentication for dynamic updates too.

Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-28 11:41:07 +03:00
MIZUTA Takeshi
e357153e57 Fix the option to match in the ipa-client-automount usage and man-page
The command usage and man-page options may not match.
In ipa-client-automount, fix to match usage and man-page.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-05-18 15:02:59 +02:00
MIZUTA Takeshi
4148167777 man: fix typos in ipa-epn.1
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-05-18 14:59:10 +02:00
Rob Crittenden
3539857ecb Add LDAP cache options to the default.conf man page
https://pagure.io/freeipa/issue/8798

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2021-05-12 10:45:57 -04:00
Thorsten Scherf
84f52ea8fc man: fix ipa-client-samba.1 typos
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 10:04:55 +02:00
Rob Crittenden
6518a600b4 Change FreeIPA references to IPA and Identity Management
In order to simplify the build process between upstream FreeIPA
and downstream builds (such as CentOS Stream) we are changing
some file references from FreeIPA to IPA (and Identity Management).

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-21 13:51:45 +01:00
Peter Keresztes Schmidt
a355646c37 build: Unify compiler warning flags used
Related: https://pagure.io/freeipa/issue/8351
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-01-15 14:11:56 +01:00
Rob Crittenden
f3f9672d52 ipa-rmkeytab: Check return value of krb5_kt_(start|end)_seq_get
The return value of functions managing the cursor in the keytab
were not checked or reported in a consistent way. This should
assure a reasonable error message in case something goes wrong.

https://pagure.io/freeipa/issue/8658

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-15 14:06:53 +01:00
Rob Crittenden
90eef4f565 ipa-rmkeytab: convert numeric return values to #defines
This makes it clearer what the return value means.

Replace closing of keytab based on the numeric return value
and do it based on whether the keytab was opened at all.

https://pagure.io/freeipa/issue/8658

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-15 14:06:53 +01:00
Alexander Bokovoy
38a86e3367 systemd: enforce en_US.UTF-8 locale in systemd units
Python code does detection of the system encoding based on the locale
settings. On RHEL 8.4 development images we somehow get LANG=en_US which
defaults to iso8859-1 _inside_ the systemd-started service, even though
the whole environment defaults to LANG=en_US.UTF-8.

When instrumented with ExecStartPre=/usr/bin/locale, the following
output can be seen:

locale[45481]: LANG=en_US
locale[45481]: LC_CTYPE="en_US"
locale[45481]: LC_NUMERIC="en_US"
locale[45481]: LC_TIME="en_US"
locale[45481]: LC_COLLATE="en_US"
locale[45481]: LC_MONETARY="en_US"
locale[45481]: LC_MESSAGES="en_US"
locale[45481]: LC_PAPER="en_US"
locale[45481]: LC_NAME="en_US"
locale[45481]: LC_ADDRESS="en_US"
locale[45481]: LC_TELEPHONE="en_US"
locale[45481]: LC_MEASUREMENT="en_US"
locale[45481]: LC_IDENTIFICATION="en_US"
locale[45481]: LC_ALL=
ipactl[45483]: Unexpected error
ipactl[45483]: SystemEncodingError: System encoding must be UTF-8, 'iso8859-1' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE

Set the environment to explicit LC_ALL=C.UTF-8 to please the Python
code. FreeIPA server side only cares about actual encoding, not the
language itself. We already use LC_ALL=C.UTF-8 in httpd service snippet.

Fixes: https://pagure.io/freeipa/issue/8617
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2020-12-10 14:38:05 +02:00
Antonio Torres Moríñigo
f777314e5c ipa-client-install manpage: add ipa.p11-kit to list of files created
Add missing ipa.p11-kit file to list of files created in
ipa-client-install manpage.

https://pagure.io/freeipa/issue/8424

Signed-off-by: Antonio Torres Moríñigo <atorresm@protonmail.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-26 14:12:16 +01:00
Rob Crittenden
15b30e15a4 Create IPA ssh client configuration and move ProxyCommand
The ProxyCommand is non-executable if the user does not have
a valid shell (like /sbin/nologin) so skip it in that case.

https://pagure.io/freeipa/issue/7676

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-23 09:04:27 +01:00
Stanislav Levin
17f430efc4 EPN: Allow authentication by SMTP client's certificate
SMTP server may ask or require client's certificate for verification.
To support this the underlying Python's functionality is used [0].

Added 3 new options(corresponds to `load_cert_chain`):
- smtp_client_cert - the path to a single file in PEM format containing the
  certificate.
- smtp_client_key - the path to a file containing the private key in.
- smtp_client_key_pass - the password for decrypting the private key.

[0]: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_cert_chain

Fixes: https://pagure.io/freeipa/issue/8580
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-11-17 14:25:39 +02:00
Christian Heimes
727a2ffb93 Easier to use ipa_gethostfqdn()
ipa_gethostfqdn() now returns a pointer to a statically allocated buffer
or NULL in case of an error. The caller no longer has to supply a
correctly allocated buffer.

Rename IPA_HOST_HOST to_LEN IPA_HOST_FQDN_LEN and use IPA_HOST_FQDN_LEN
wherever code copies a hostname supplied from ipa_gethostfqdn().

Clarify that MAXHOSTNAMELEN and MAXHOSTFQDNLEN are different things.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Christian Heimes
5d4ed65b83 Replace nodename with ipa_gethostfqdn()
ipa_kdb and ipa-join now use ipa_gethostfqdn() instead of uname()'s nodename.

The code for hostname in ipa-join is simplified. Now the hostname is
auto-detected and verified in main(). All sub functions can now use the
hostname without additional checks. This removes a bunch of strdup(),
NULL checks, and free() calls.

Fixes: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Stanislav Levin
49e643783d dnspython: Add compatibility shim
`dnspython` 2.0.0 has many changes and several deprecations like:

```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.

> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```

The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
  system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
  to spend trying to get an answer to the question)

Fixes: https://pagure.io/freeipa/issue/8383
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
François Cami
3bd03ea9d1 IPA-EPN: fix configuration file typo
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-08-07 17:14:24 -04:00
Rob Crittenden
28caa22a8e Don't delegate the TGT in ipa-join
Pre 3.0.0 IPA delegated the TGT to enforce access control in
389-ds. At the point that S4U2Proxy support was added there
were still IPA 2.0.x servers in use so this delegation was
left in place in ipa-join so that enrollment would work.

Those days are long gone, remove that support in the XML and
JSON RPC requests.

https://pagure.io/freeipa/issue/8405

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-07-17 14:49:41 -04:00
Peter Keresztes Schmidt
6dfefc9745 ipa-join: handle JSON-RPC error codes
Error code 2100 (ACIError) is handled explicitly to match XML-RPC behaviour.

Fixes: https://pagure.io/freeipa/issue/8408
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-07-15 14:19:18 +02:00
Peter Keresztes Schmidt
4696644f3f ipa-join: extract common JSON-RPC response parsing to common function
In preparation for handling JSON-RPC error codes.

Related: https://pagure.io/freeipa/issue/8408
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-07-15 14:19:18 +02:00
Fraser Tweedale
a83eaa8b6d acme: add certbot dns script
Add a script to use as a certbot hook for satisfying the dns-01
challenge.  It will be used during testing, and may be useful or
instructive for users of FreeIPA.

It is installed as part of the freeipa-client package under
/usr/libexec/ipa/acme.  Future ACME-related scripts can be added in
the same place.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-07-10 08:33:22 -04:00
Peter Keresztes Schmidt
7cc977b993 ipa-join: Generalize XML-RPC references in man page
The used RPC protocol (JSON or XML) is defined
at build time.

Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Peter Keresztes Schmidt
a1b117a28b ipa-join: Use bool type where appropriate
Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Peter Keresztes Schmidt
f6940772dd ipa-join: select {JSON,XML}-RPC at build time
Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Peter Keresztes Schmidt
62503e4fd0 ipa-join: implement JSON-RPC based unenrollment
Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Peter Keresztes Schmidt
677659c8da ipa-join: extract unenrollment code common to JSON and XML-RPC to separate function
Also fix some some memleaks on the way.

Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Peter Keresztes Schmidt
25205f44a1 ipa-join: switch to jansson for json handling
Additionally JSON-RPC should bail out if host is already joined.
Check HTTP status of JSON-RPC request and report 401 Unauthorized error explicitly.

Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Peter Keresztes Schmidt
c905f94f9b ipa-join: buffer curl response before parsing json
CURLOPT_WRITEFUNCTION is not guaranteed to be called only
once per request and receive all data at once.
Use a dynamic buffer to cope with that case.

Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Peter Keresztes Schmidt
c197918e8d ipa-join: improve curl error handling in JSON-RPC code
Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Peter Keresztes Schmidt
5e7e4f0e26 ipa-join: don't set TLS related curl options for JSON-RPC
Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Alexandre Mulatinho
6e414d2291 ipa-join: allowing call with jsonrpc into freeipa API
Adding JSON-C and LibCURL library into configure.ac and Makefile.am

Creating a API call with option '-j' or '--jsonrpc' to make host join
on FreeIPA with JSONRPC and libCURL.

Related: https://pagure.io/freeipa/issue/7966
Signed-off-by: Alexandre Mulatinho <alex@mulatinho.net>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Florence Blanc-Renaud
797a64b370 sshd template must be part of client package
The sshd_ipa.conf.template must be shipped with the client pkgs
in /usr/share/ipa/client but is currently delivered in /usr/share/ipa.
Fix the file location.

Fixes: https://pagure.io/freeipa/issue/8400
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-07-09 14:00:29 +03:00