ldap2.can_add checks for add permission of a given entry.
It did not work properly due to a defect in 389 DS. Now that the
defect has been fixed, we also need to update can_add to work with
the mechanism 389 DS provides for checking add permission for
entries where ACIs are in effect.
Update the ldap2.can_add implementation to perform the add
permission check properly. Also update call sites accordingly.
Update the spec file to require 389-ds-base-1.3.7.9-1 which is the
first release containing the fix. This version of 389-ds-base also
resolves a couple of other issues related to replication and
connection management.
Fixes: https://pagure.io/freeipa/issue/6609
Fixes: https://pagure.io/freeipa/issue/7165
Fixes: https://pagure.io/freeipa/issue/7228
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Allow caller to specify that the GetEffectiveRights server control
should be used on a per-operation basis. Also update
ldap2.get_effective_rights to use this new API.
Part of: https://pagure.io/freeipa/issue/6609
Reviewed-By: Christian Heimes <cheimes@redhat.com>
If the replication agreement does not exist, a custom exception is
raised explaining the problem.
https://pagure.io/freeipa/issue/7201
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Instead of a package conflict, freeIPA now uses an Apache config file to
enforce the correct wsgi module. The workaround only applies to Fedora
since it is the only platform that permits parallel installation of
Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
Debian doesn't permit installation of both variants.
See: https://pagure.io/freeipa/issue/7161
Fixes: https://pagure.io/freeipa/issue/7394
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
KRA installer restarts 389-DS, which disrupts named-pkcs11
bind-dyndb-ldap for a short while. Restart named-pkcs11 to fix DNS
resolver.
Fixes: https://pagure.io/freeipa/issue/5813
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
389-DS >= 1.4.0 on Fedora 28 has a default entry for
cn=RSA,cn=encryption,cn=config. The installer now updates the entry in
case it already exists. This ensures that token and personality are
correct for freeIPA
Fixes: https://pagure.io/freeipa/issue/7393
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When renewing externally-signed CA or when switching from
externally-signed to self-signed CA, the Issuer DN can change.
Update the ipaCaIssuerDn field of the IPA CA entry upon renewal, to
keep it in sync.
Fixes: https://pagure.io/freeipa/issue/7316
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Use is_installed() instead of is_configured() because
is_installed() does a config file check to see if the service
is in use.
https://pagure.io/freeipa/issue/7389
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.
The fix simplifies Darix's port of freeIPA on openSuSE.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The ipa-server-upgrade command now checks for presence of ipa-custodia's
config and server keys. In case any of the files is missing, it
re-creates both files.
Partly resolves https://pagure.io/freeipa/issue/6893. The upgrader does
not auto-detect broken or mismatching keys yet.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Replace assert with proper check and exception.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Related: https://pagure.io/freeipa/issue/4985
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
hexlify returns bytes and needs to be casted to string before
printing it out.
Related: https://pagure.io/freeipa/issue/4985
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
LDAP client returns values as bytes, thus bindmgr must work with
bytes properly.
https://pagure.io/freeipa/issue/4985
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
In py3 iteration over bytes returns integers, in py2 interation over
bytes returns string.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
LDAP client returns values as bytes, thus ipa-dnskeysyncd must work with
bytes properly.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Integration test is failing due to wrong message being
displayed by ipa. This issue was most probably introduced
by PR:
f51869bf52
Error messages for domain level 0 and >=1 cases were basically
swapped. This PR is swapping them back.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
When executing cert-request, if Dogtag successfully issues a
certificate but python-cryptography cannot parse the certificate, an
unhandled exception occurs. Handle the exception by notifying about
the malformed certificate in the response messages.
Fixes: https://pagure.io/freeipa/issue/7390
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
ipa rpc server did set the LANG environment variable on each
request and it was not thread safe which led to unpredictable
mixed languages output. Also, there were mistakes regarding
setting the Accept-Language HTTP header.
Now on each request we're setting the "languages" property
in the context thread local variable and client is setting
the Accept-Language HTTP header correctly.
Also, as the server is caching the schema and the schema can
be generated for several languages it's good to store different
schema fingerprint for each language separately.
pagure: https://pagure.io/freeipa/issue/7238
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
ipa-server-install --uninstall command is calling server-del to
delete replica. This scenario does not work since server-del
is also deleting all principals from and ldap breaking ldap
replication. As a result, only part of deletions are propagated
to the other replicals leaving a lot of orphaned data there.
https://pagure.io/freeipa/issue/7371
This patch won't fully fix the issue with left-over data
but more data is cleaned up and only ldap principal is left
thus ending in a better state.
Issue will be fully fixed only when topology plugin is patched
as well. The following pagure ticket is created to track
topology plugin change:
https://pagure.io/freeipa/issue/7359
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Changing from iteritems() to values() in order to be compatible with
python3.
https://pagure.io/freeipa/issue/7373
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Present Situation:
Logging is a bit incomplete when using a custom CA subject passed in via --ca-subject.
If there is a problem finding the IPA CA certificate then the installer will log:
ERROR IPA CA certificate not found in /tmp/servercert.pem, /tmp/cacert.pem
After the Fix this sort of log is seen:
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): DEBUG The ipa-server-install command failed, exception: ScriptError: IPA CA certificate with subject 'CN=Certificate Authority,O=GSSLAB.PNQ2.REDHAT.COM' was not found in /root/ipa.cert, /root/rootCA.crt.
Resolves: https://pagure.io/freeipa/issue/7245
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Mistake in recent fixes made the ipa-replica-prepare include
some extra files in the info file should the legacy format of
NSS databases be used.
https://pagure.io/freeipa/issue/7049
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When the option --domain-resolution-order is used with the command
ipa idview-add, the resulting LDAP object stores the value in
ipadomainresolutionorder attribute.
The issue is that the add command does not add the needed object
class (ipaNameResolutionData) because it is part of
possible_objectclasses but not of object_class.
The fix makes sure to add the objectclass when the option
--domain-resolution-order is used, and adds a non-regression test.
Note that idview-mod does not have any issue as it correctly handles
the addition of missing possible objectclasses.
Fixes:
https://pagure.io/freeipa/issue/7350
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
for/else makes only sense when the for loop uses break, too. If the for
loop simply returns on success, then else is not necessary.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Implicit string concatenation is technically correct, too. But when
combined in list, it's confusing for both human eye and static code
analysis.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Turn calls "handle_not_found()" into "raise handle_not_found()" to
indicate control flow chance. It makes the code easier to understand,
the control flow more obvious and helps static analyzers.
It's OK to raise here because handle_not_found() always raises an
exception.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Instantiating an exception, but not raising it, has no effect.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Replace exit() with sys.exit(). exit() or quit() may fail if the interpreter
is run with the -S option.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The Custodia instance is removed when LDAP is already shut down. Don't
fail and only remove the key files from disk. The server_del command
takes care of all Custodia keys in LDAP.
https://pagure.io/freeipa/issue/7318
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Enabling ephemeral KRA requests will reduce the amount of LDAP
write operations and improve overall performance.
Re-order some imports and shorten some lines to make pep8 happy.
Fixes: https://pagure.io/freeipa/issue/6703
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Rather than passing around the path to CS.cfg for the CA and KRA
set it at object creation and use everywhere.
Make update_cert_config() a real class method instead of a static
method. It wasn't being called that way in any case and makes it
possible to use the class config file.
Related: https://pagure.io/freeipa/issue/6703
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
KRA installation currently imports the admin cert. FreeIPA does not
track this cert and it may be expired, causing installation to fail.
Do not import the existing admin cert, and discard the new admin
cert that gets created during KRA installation.
Part of: https://pagure.io/freeipa/issue/7287
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
installutils.set_directive() is both inefficient and potentially
dangerous. It does not ensure that the whole file is written and
properly synced to disk. In worst case it could lead to partially
written or destroyed config files.
The new DirectiveSetter context manager wraps everything under an easy
to use interface.
https://pagure.io/freeipa/issue/7312
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
To separate concerns and make it easier to test set_directive,
extract function ``set_directive_lines`` to do the line-wise
search/replace, leaving ``set_directive`` to deal with the file
handling.
Part of: https://pagure.io/freeipa/issue/7288
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
`set_directive` only looks for a prefix of the line matching the
given directive (key). If a directive is encountered for which the
given key is prefix, it will be vanquished.
This occurs in the case of `{ca,kra}.sslserver.cert[req]`; the
`cert` directive gets updated after certificate renewal, and the
`certreq` directive gets clobbered. This can cause failures later
on during KRA installation, and possibly cloning.
Match the whole directive to avoid this issue.
Fixes: https://pagure.io/freeipa/issue/7288
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
During a distro upgrade, e.g. F-26 to F-27, networking may not
be available which will cause the upgrade to fail. Despite this
the IPA service can be subsequently restarted running new code
with old data.
This patch relies on the existing version-check cdoe to determine
when/if an upgrade is required and will do so during an ipactl
start or restart.
The upgrade is now run implicitly in the spec file and will
cause the server to be stopped after the package is installed
if the upgrade fails.
Fixes: https://pagure.io/freeipa/issue/6968
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Currently we do not report what Subject DN or subject base will be
used for the CA installation. This leads to situations where the
administrator wants a different Subject DN later. Display these
data as part of the "summary" prior to the final go/no-go prompt in
ipa-server-install and ipa-ca-install.
The go/no-go prompt in ipa-ca-install is new. It is suppressed for
unattended installations.
Fixes: https://pagure.io/freeipa/issue/7246
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Quite often users choose wrong type of trust on Active Directory side
when setting up a trust to freeIPA. The trust type supported by freeIPA
is just a normal forest trust to another Active Directory. However,
some people follow old internet recipes that force using a trust to MIT
Kerberos realm.
This is a wrong type of trust. Unfortunately, when someone used MIT
Kerberos realm trust, there is no way to programmatically remote the
trust from freeIPA side. As result, we have to detect such situation and
report an error.
To do proper reporting, we need reuse some constants and trust type
names we use in IPA CLI/Web UI. These common components were moved to
a separate ipaserver/dcerpc_common.py module that is imported by both
ipaserver/plugins/trust.py and ipaserver/dcerpc.py.
Fixes https://pagure.io/freeipa/issue/7264
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Keys are removed from disk and LDAP
https://pagure.io/freeipa/issue/7253
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add the correct procedure for re-running ipa trust-add with a different
range type.
Fixes:
https://pagure.io/freeipa/issue/7308
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Replace python3-pyldap with python3-ldap.
Remove some old code for compatibility with very old python-ldap.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In structured mode, dict size is modified by del record[attr].
https://pagure.io/freeipa/issue/7275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
When ipa-replica-install is called in a CA-less environment, the certs,
keys and pins need to be provided with --{http|dirsrv|pkinit}-cert-file and
--{http|dirsrv|pkinit}-pin. If the pin is not provided in the CLI options,
and in interactive mode, the installer prompts for the PIN.
The issue happens when the keys are not protected by any PIN, the installer
does not accept an empty string and keeps on asking for a PIN.
The fix makes sure that the installer accepts an empty PIN. A similar fix
was done for ipa-server-install in
https://pagure.io/freeipa/c/4ee426a68ec60370eee6f5aec917ecce444840c7
Fixes:
https://pagure.io/freeipa/issue/7274
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When definining a topology of a forest to be visible over a cross-forest
trust, we set *.<forest name> as all-catch top level name already.
This means that all DNS subdomains of the forest will already be matched
by this top level name (TLN). If we add more TLNs for subdomains, Active
Directory will respond with NT_STATUS_INVALID_PARAMETER.
Filter out all subdomains of the forest root domain. All other realm
domains will be added with explicit TLN records.
Also filter out single label domains. These aren't possible to add as
TLNs to Windows Server 2016 as it considers them incorrect. Given that
we do not allow single lable domains as part of freeIPA installs, this
is another layer of protection here.
Fixes https://pagure.io/freeipa/issue/6666
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Prepare CertDB and NSSDatabase to support sqlite DB format. NSSDatabase
will automatically detect and use either old DBM or new SQL format. Old
databases are not migrated yet.
https://pagure.io/freeipa/issue/7049
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
/etc/pki/pki-tomcat/password.conf contains additional passwords like
replicadb. ipa-custodia does not need these passwords.
/etc/pki/pki-tomcat/alias/pwdfile.txt holds the passphrase for Tomcat's
NSSDB. The file also simplifies implementation because it removes
another temporary file.
pwdfile.txt is created by CAInstance.create_certstore_passwdfile()
Related: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
https://pagure.io/freeipa/issue/7247
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When some users are setting the umask to 0027 due to security
policies ipa-restore will result not working dirsrv.
So a fix is to temporary set umask to 0022 while ipa-restore is
running.
https://pagure.io/freeipa/issue/6844
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Change eb6d4c3037 deferred the
detailed lookup until all certs were collected but introduced
a bug where the ra backend was always retrieved. This generated a
backtrace in a CA-less install because there is no ra backend in
the CA-less case.
The deferral also removes the certificate value from the LDAP
search output resulting in only the serial number being displayed
unless --all is provided. Add a new class variable,
self.ca_enabled, to add an exception for the CA-less case.
Fixes https://pagure.io/freeipa/issue/7202
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Changing the --forwarder option to accept a loopback IP.
Previously, an error would be raised, now we just show a
warning message.
Fixes: https://pagure.io/freeipa/issue/5801
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Adds validation to prevent user to install ipa with single label
domain.
https://pagure.io/freeipa/issue/7207
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
In order to stop tracking LDAP server cert, ipa-restore is using
dse.ldif to find the certificate name. But when ipa-server-install
--uninstall has been called, the file does not exist, leading to a
IOError exception (regression introduced by 87540fe).
The ipa-restore code properly catches the exception in python3 because
IOError is a subclass of OSError, but in python2 this is not the case.
The fix catches IOError and OSError to work properly with both version.
Fixes:
https://pagure.io/freeipa/issue/7231
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
RADIUS, which is also internally used in the process of OTP
authentication by ipa-otpd, requires MD5 checksums which
makes it impossible to be used in FIPS mode. Don't allow users
setting OTP or RADIUS authentication if in FIPS mode.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Adding notice for user to restart services after
ipa-server-certinstall.
https://pagure.io/freeipa/issue/7016
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The caJarSigningCert profile was used for issuing the object signing
certificate for signing the Firefox auto-configuration extension
(XPI). We removed the extension and object signing certificate some
time ago, so remove the profile and the related code that sets it
up.
Fixes: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The CertDB.issue_signing_cert method was used to issue the object
signing cert for signing the Firefox auto-configuration extension
(XPI). We removed the extension and certificate some time ago, and
the method is now unused so remove it.
Part of: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixed ipa-restore code to get rid of bytes related TypeError and
to get ipa-restore work again.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Before applying replica-s3u2proxy.ldif, we check
if the values are already there. The values can be
there if a replica installation was done in the past
and some info was left behind. Also, the code checks
the values independently.
https://pagure.io/freeipa/issue/7174
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Previously, CSRs were handled as a Str parameter which brought
trouble to Python 3 because of its more strict type requirements.
We introduce a CertificateSigningRequest parameter which allows to
use python-cryptography x509.CertificateSigningRequest to represent
CSRs in the framework.
https://pagure.io/freeipa/issue/7131
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.
The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Initial replica creation can go with ignoring time skew checks.
We should, however, force time skew checks during normal operation.
Fixes https://pagure.io/freeipa/issue/7211
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When running on memory-constrained systems, the `ipa-server-install`
program often fails during the "Configuring certificate server
(pki-tomcatd)" stage in FreeIPA 4.5 and 4.6.
The memory-intensive dogtag service causes swapping on low-memory
systems right after start-up, and especially new certificate
operations requested via certmonger can exceed the dbus client default
25 second timeout.
This patch changes dbus client timeouts for some such operations to
120 seconds (from the default 25 seconds, IIRC).
See more discussion in FreeIPA PR #1078 [1] and FreeIPA container
issue #157 [2]. Upstream ticket at [3].
[1]: https://github.com/freeipa/freeipa/pull/1078
[2]: https://github.com/freeipa/freeipa-container/issues/157
[3]: https://pagure.io/freeipa/issue/7213
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
User would like to see CA installation command in KRA installation
warning message.
This makes warning message similar to other installer messages where it
does suggests a command to run.
https://pagure.io/freeipa/issue/6952
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
Previously IPA would set the LimitNOFILE value to 8192 to increase
the number of concurrent clients. 389-ds-base does this by default
as of 1.3.7.0.
Remove the IPA-specific tuning and rely on the out-of-the-box
389-ds-base tuning.
Bump the required version of 389-ds-base to 1.3.7.0.
Any other tuning added by 389-ds-base will result in a
dirsrv.systemd.rpmsave file which admins will need to merge
in manually, like typical .rpmsave config changes.
https://pagure.io/freeipa/issue/6994
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Now, the criteria option is working for both commands
and the commands are able to handle with wrong input values.
https://pagure.io/freeipa/issue/7134
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
If LDAP or HTTP Server Cert are not issued by ipa ca, they are not tracked.
In this case, it is not necessary to add them to the tracking requests list.
https://pagure.io/freeipa/issue/7151
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa-server-upgrade needs to configure certmonger with the right options
in order to track PKI, HTTP and LDAP certs (for instance the RA agent cert
location has changed from older releases).
The upgrade code looks for existing tracking requests with the expected
options by using criteria (location of the NSSDB, nickname, CA helper...)
If a tracking request is not found, it means that it is either using wrong
options or not configured. In this case, the upgrade stop tracking
all the certs, reconfigures the helpers, starts tracking the certs so that
the config is up-to-date.
The issue is that the criteria is using the keyword 'ca' instead of
'ca-name' and this leads to upgrade believing that the config needs to be
updated in all the cases.
https://pagure.io/freeipa/issue/7151
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The message about an error during replica setup was causing the
users to think the installation gone wrong even though this was
an expected behavior when ipa-replica-install was ran without
--no-pkinit flag and CA somehow is not reachable which defines
that there is something wrong in a topology but does not lead
to failure of the replica's installation. So now installation
will not print error messages to stdout but rather will give a
recomendation to user and write the old error message to log
as a warning so it still will be easy to find if needed.
https://pagure.io/freeipa/issue/7179
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This is causing python2 tests print ugly warnings about the
deprecation of the `message` attribute in python2.6.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
If the # of group memberships exceeded the search size limit
then SizeLimitExceeded was raised. Being in too many groups
should not cause a *_show to fail.
https://pagure.io/freeipa/issue/7112
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
For an externally-signed CA, if an earlier run of ipa-cacert-manage
was interrupted, the CA name in the IPA CA tracking request may have
been left as "dogtag-ipa-ca-renew-agent-reuse" (it gets reverted to
"dogtag-ipa-ca-renew-agent" at the end of the CSR generation
procedure). `ipa-cacert-manage renew` currently only looks for a
tracking request with the "dogtag-ipa-ca-renew-agent" CA, so in this
scenario the program fails with message "CA certificate is not
tracked by certmonger".
To handle this scenario, if the IPA CA tracking request is not
found, try once again but with the "dogtag-ipa-ca-renew-agent-renew"
CA name.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Update ipa-cacert-manage to support the MS V2 certificate template
extension.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Allow the MS/AD-CS target certificate template to be specified by
name or OID, via the new option --external-ca-profile.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Firefox extension which served for configuring Kerberos auth in Firefox
until version which banned self-signed extensions was removed in commit
6c53765ac1.
Given that configure.jar, even older Firefox config tool, was removed
sometime before that, there is no use for signtool tool. It is good
because it is removed from Fedora 27 anyway. So removing last unused
function which calls it.
The removal of FF extension was not exactly clean so removing also
browserconfig.html which only purpose was to use the extension. Therefore
also related JS files are removed. This removal requires unauthorized.html
to be updated so that it doesn't point to non-existing page. And given that
it now points only to single config page, we can change link in UI login page
to this page (ssbrowser.html). While at it, improving buttons in ssbrowser.html.
Btw, commit 6c53765ac1 removed also generation of
krb.js. It had one perk - with that info ssbrowser.html could display real
Kerberos domain instead of only 'example.com'. I don't have time to revert this
change so removing traces of krb.js as well.
https://pagure.io/freeipa/issue/7135
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
In cases when IPA is installed in two steps (external CA), it's
necessary to check (in the second step) if Dir. Server is
running before continue with the installation. If it's not,
start Directory Server.
https://pagure.io/freeipa/issue/6611
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
- Add check for IPv6 stack to upgrade process
- Change IPv6 checker to also check that localhost resolves to ::1
Part of fixes https://pagure.io/freeipa/issue/7083
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
ipa-server-upgrade fails with Server-Cert not found, when trying to
track httpd/ldap server certificates. There are 2 issues in the upgrade:
- the certificates should be tracked only if they were issued by IPA CA
(it is possible to have CA configured but 3rd part certs)
- the certificate nickname can be different from Server-Cert
The fix provides methods to find the server crt nickname for http and ldap,
and a method to check if the server certs are issued by IPA and need to be
tracked by certmonger.
https://pagure.io/freeipa/issue/7141
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The goal is to avoid using HTTP where possible and use TLS everywhere.
This provides not only privacy protection but also integrity protection.
We should consider any network except localhost as untrusted.
Switch from using urllib.request to dogtag.https_request.
https://pagure.io/freeipa/issue/7027
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
requests.packages contains but a weird backward compatibility fix
for its presumed urllib3 submodule but pylint does not approve.
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Refactor convertHashName() method to accept hash names prefixed with
HMAC- or any other prefix. Extending the method should be easier in
future.
Add tests proposed by Rob Crittenden to make sure we don't regress
with expected behavior of convertHashName().
Fixes https://pagure.io/freeipa/issue/7146
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When configuring a winsync replication agreement, the tool performs a search
on AD for defaultNamingContext. The entry contains the value as a bytes, it
needs to be decoded otherwise subsequent calls to
DN(WIN_USER_CONTAINER, self.ad_suffix) will fail.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
