Commit Graph

294 Commits

Author SHA1 Message Date
Jan Cholasta
01a7416d30 install: trust IPA CA for PKINIT
Trust IPA CA to issue PKINIT KDC and client authentication certificates in
the IPA certificate store.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
f0442a2d0e certdb, certs: make trust flags argument mandatory
Make the trust flags argument mandatory in all functions in `certdb` and
`certs`.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
235265a5f5 certdb: add named trust flag constants
Add named constants for common trust flag combinations.

Use the named constants instead of trust flags strings in the code.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Stanislav Laznicka
ddbbb1c58e Move the compat plugin setup at the end of install
The compat plugin was causing deadlocks with the topology plugin. Move
its setup at the end of the installation and remove the
cn=topology,cn=ipa,cn=etc subtree from its scope.

https://pagure.io/freeipa/issue/6821

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-24 17:11:51 +02:00
David Kupka
a726e98f03 Create system users for FreeIPA services during package installation
Previously system users needed by FreeIPA server services was created during
ipa-server-install. This led to problem when DBus policy was configured during
package installation but the user specified in the policy didn't exist yet
(and potentionally similar ones). Now the users will be created in package %pre
section so all users freeipa-server package needs exist before any installation
or configuration begins.
Another possibility would be using systemd-sysusers(8) for this purpose but
given that systemd is not available during container build the traditional
approach is superior.
Also dirsrv and pkiuser users are no longer created by FreeIPA instead it
depends on 389ds and dogtag to create those users.

https://pagure.io/freeipa/issue/6743

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-11 17:51:49 +02:00
Jan Cholasta
181cb94e74 install: request service certs after host keytab is set up
The certmonger renew agent and restart scripts use host keytab for
authentication. When they are executed during a certmonger request before
the host keytab is set up, the authentication will fail.

Make sure all certmonger requests in the installer are done after the host
keytab is set up.

https://pagure.io/freeipa/issue/6757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-04-07 18:53:15 +02:00
Jan Cholasta
ec52332229 dsinstance, httpinstance: consolidate certificate request code
A different code path is used for DS and httpd certificate requests in
replica promotion. This is rather unnecessary and makes the certificate
request code not easy to follow.

Consolidate the non-promotion and promotion code paths into one.

https://pagure.io/freeipa/issue/6757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-04-07 18:53:15 +02:00
Jan Cholasta
b189be12ec dsinstance: reconnect ldap2 after DS is restarted by certmonger
DS is restarted by certmonger in the restart_dirsrv script after the DS
certificate is saved. This breaks the ldap2 backend and makes any operation
fail with NetworkError until it is reconnected.

Reconnect ldap2 after the DS certificate request is finished to fix the
issue. Make sure restart_dirsrv waits for the ldapi socket so that the
reconnect does not fail.

https://pagure.io/freeipa/issue/6757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-04-07 18:53:15 +02:00
Jan Cholasta
bbd18cf10f certs: do not implicitly create DS pin.txt
Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create
it explicitly in `DSInstance.__enable_ssl()`.

This stops the file from being created in /etc/httpd/alias during classic
replica install.

https://pagure.io/freeipa/issue/4639

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-22 14:58:18 +01:00
Tomas Krizek
09c6b75780 installer: update time estimates
Time estimates have been updated to be more accurate. Only
tasks that are estimated to take longer than 10 seconds have
the estimate displayed.

https://pagure.io/freeipa/issue/6596

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-10 15:46:34 +01:00
Florence Blanc-Renaud
9e24918c89 Support for Certificate Identity Mapping
See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-02 15:09:42 +01:00
Stanislav Laznicka
5ab85b365a Moving ipaCert from HTTPD_ALIAS_DIR
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.

https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6680

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Martin Babinsky
6c0baa6208 Make request_service_keytab into a public method
a cosmetic change: we had private method comprising of calls to public
ones, which did not make much sense in our case

https://fedorahosted.org/freeipa/ticket/6638

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-02-22 18:50:30 +01:00
Simo Sorce
c2b1b2a362 Always use /etc/ipa/ca.crt as CA cert file
It seem like ALIAS_CACERT_ASC was just a redundant location for the CA
cert file which is always available in /etc/ipa/ca.crt

Just use the canonical CA cert location in /etc/ipa for all cases and
stop creating a separate cacert file.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
d124e307f3 Separate RA cert store from the HTTP cert store
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Martin Basti
69072cb80f py3: change_admin_password: use textual mode
Convert function to NamedTemporaryFile with textual mode, because
passwords are text. Using `with` and NamedTemporaryFile gives more
security agains leaking password from tempfiles.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-10 14:03:04 +01:00
Martin Basti
63b5d4a859 py3: open temporary ldif file in text mode
ldif parser uses file in text mode, so we have to open it in text mode
in py3

Also values passed to parser should be bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-24 13:25:47 +01:00
Martin Basti
083b4241d2 Remove duplicated step from DS install
"Adding SASL mappings.." is duplicated step in __common_setup in DS
instance and should be removed.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-12 11:15:14 +01:00
Fraser Tweedale
3d01ec14c6 Allow full customisability of IPA CA subject DN
Currently only the "subject base" of the IPA CA subject DN can be
customised, via the installer's --subject-base option.  The RDN
"CN=Certificate Authority" is appended to form the subject DN, and
this composition is widely assumed.

Some administrators need more control over the CA subject DN,
especially to satisfy expectations of external CAs when the IPA CA
is to be externally signed.

This patch adds full customisability of the CA subject DN.
Specifically:

- Add the --ca-subject option for specifying the full IPA CA subject
  DN.  Defaults to "CN=Certificate Authority, O=$SUBJECT_BASE".

- ipa-ca-install, when installing a CA in a previous CA-less
  topology, updates DS certmap.conf with the new new CA subject DN.

- DsInstance.find_subject_base no longer looks in certmap.conf,
  because the CA subject DN can be unrelated to the subject base.

Fixes: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Fraser Tweedale
f54df62aba dsinstance: extract function for writing certmap.conf
For full customisability of the IPA CA subject DN, we will need the
ability to update DS `certmap.conf' when upgrading a deployment from
CA-less to CA-ful.

Extract the existing behaviour, which is private to DsInstance, to
the `write_certmap_conf' top-level function.

Also update `certmap.conf.template' for substition of the whole CA
subject DN (not just the subject base).

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Fraser Tweedale
6f3eb85c30 Extract function for computing default subject base
Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Stanislav Laznicka
8db5b277a0 Unify password generation across FreeIPA
Also had to recalculate entropy of the passwords as originally,
probability of generating each character was 1/256, however the
default probability of each character in the ipa_generate_password
is 1/95 (1/94 for first and last character).

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2017-01-06 09:26:56 +01:00
Fraser Tweedale
a5fb5f2da1 dsinstance: minor string fixes
Fixes: https://fedorahosted.org/freeipa/ticket/6586
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-05 10:17:00 +01:00
Fraser Tweedale
6f7d982fe2 Set up DS TLS on replica in CA-less topology
Fixes: https://fedorahosted.org/freeipa/ticket/6226
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-01-05 10:17:00 +01:00
Simo Sorce
ca4e6c1fdf Configure Anonymous PKINIT on server install
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-12 13:39:44 +01:00
Jan Cholasta
977050c66b constants: remove CACERT
CACERT depends on ipaplatform.

Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
a2c5888973 ipalib: move certstore to the install subpackage
The certstore module depends on ipaplatform.

Move it to ipalib.install, as it is used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
d6b755e3fc ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR
SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform.

Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove
both SHARE_DIR and PLUGIN_SHARE_DIR.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
26c46a447f ipapython: move certmonger and sysrestore to ipalib.install
The certmonger and sysrestore modules depend on ipaplatform.

Move them to ipalib.install as they are used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Tomas Krizek
68295bf8cf services: replace admin_conn with api.Backend.ldap2
Since service.admin_conn is only an alias to api.Backend.ldap2,
replace it everywhere with the explicit api.Backend.ldap2 instead.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-22 16:17:27 +01:00
Fraser Tweedale
687ebd18a1 Remove references to ds_newinst.pl
ds_newinst.pl was removed from 389 DS over 9 years ago. Remove
references to it.

Fixes: https://fedorahosted.org/freeipa/ticket/6496
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-21 18:03:52 +01:00
Martin Babinsky
ce2bb47cca Use common procedure to setup initial replication in both domain levels
Set up initial replication using GSSAPI also in domin level 0. For this to
work, the supplied DM password is used to connect to remote master and set up
agreements. The workflow is unchanged in DL1 where GSSAPI bind as host or
admin is used.

This obsoletes the conversion of replication agreements to GSSAPI made in DL0
during KDC installation.

https://fedorahosted.org/freeipa/ticket/6406

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-17 00:39:17 +01:00
Martin Babinsky
3129b874a2 dsinstance: use keytab retrieval method from parent class
DS replica can now use remote API and ipa-getkeytab to create service
principal and fetch the keytab in both domain levels. There is no need to use
KDC installer to do it.

https://fedorahosted.org/freeipa/ticket/6405

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-11 12:17:25 +01:00
Martin Babinsky
32599987fd Turn Kerberos-related properties to Service class members
The Service class now accepts keytab path and service name part of Kerberos
principal as members. Kerberos principal is turned into a property computed
from service prefix, FQDN and realm. the handling of Kerberos principals and
keytabs in service installers was changed to use class members instead of
copy-pasted constants. This shall aid in the future refactoring of
principal/keytab handling code.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-11 12:17:25 +01:00
Martin Babinsky
81bf72dc35 Make service user name a class member of Service
This will aid further refactoring of service installers, since the user will
be defined only once during parent class initialization.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-11 12:17:25 +01:00
Martin Babinsky
15f282cf2c service installers: clean up the inheritance
Instead of delegating handling of some parameters like fstore to the parent
class, the *Instance installers had the logic copy-pasted in their
constructors. Some other members were also moved to the Service class and the
parent class constructors in children were fixed to modern standards of
initializing parent class in Python.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-11 12:17:25 +01:00
Martin Babinsky
8e36e03091 certs: do not re-create NSS database when requesting service cert
`CertDB.request_service_cert` could re-create NSSDB files if the supplied CA
certificate was not found in database. This could cause subtle bugs since the
files were recreated with wrong permissions. This behavior was removed so that
there are no destructive operations performed by the method.

https://fedorahosted.org/freeipa/ticket/6429

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-11 12:13:56 +01:00
Stanislav Laznicka
7279ef1d0f Moved update of DNA plugin among update plugins
To make the code more general, moved the update_dna_shared_config
among other update plugins.

Bugfix: DNA shared config connection protocol was compared to a
method string which would result in a try to always update it
even if there was no need to.

https://fedorahosted.org/389/ticket/48373 causes that two
shared DNA config entries are created instead of one.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-11 12:13:56 +01:00
Stanislav Laznicka
83e72d7046 Move ds.replica_populate to an update plugin
Replica populate can be applied with other update plugins.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-11 12:13:56 +01:00
Fraser Tweedale
cdd41e06e6 Ensure correct IPA CA nickname in DS and HTTP NSSDBs
During replica installation, if the IPA deployment has a custom
subject_base, the routines that create the DS and HTTP NSSDBs
erroneously compare the subject of CA certs to the *default* subject
base. This causes the IPA CA cert to be added to the NSSDBs with a
nickname derived from the subject name, instead of "{REALM} IPA CA".

At a later stage of installation, the `upload_cacrt` plugin reads
certs from the HTTP NSSDB in order to update the cn=certificates
LDAP certstore.  The NSSDB nickname of the cert is used as the CN
for the entry.  Because the IPA CA cert was not installed in the
HTTP NSSDB with the "{REALM} IPA CA", this causes a spurious entry
for the IPA CA to be added to the certstore.

To avoid this scenario, use the deployment's actual subject base
when deciding if a cert is the IPA CA cert.

Fixes: https://fedorahosted.org/freeipa/ticket/6415
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-11-11 07:05:14 +01:00
Florence Blanc-Renaud
808b1436b4 Refactor installer code requesting certificates
- Temporary modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA
agent cert, using the temp cert created during pkispawn. The cert request
is now processed through certmonger, and the helper arguments are restored
once the agent cert is obtained.

- Modify the installer code creating HTTP and LDAP certificates to use
certmonger's IPA helper with temporary parameters (calling dogtag-submit
instead of ipa-submit)

- Clean-up for the integration tests: sometimes ipa renewal.lock is not
released during ipa-server-uninstall. Make sure that the file is removed
to allow future installations.

https://fedorahosted.org/freeipa/ticket/6433

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-11-10 14:15:57 +01:00
Tomas Krizek
03d113cdd7 install: remove adhoc dis/connect from services
Remove ldap_connect and ldap_disconnect from services. admin_conn is
just an alias to api.Backend.ldap2 and therefore the connection should
be managed elsewhere.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
a77469f598 install: remove adhoc api.Backend.ldap2 (dis)connect
Remove adhoc connects and disconnects of api.Backend.ldap2. Connection
should be established only at the start of the script, destroyed at the
end of the script and re-established when directory server is restarted.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
8934d03b3b dsinstance: conn management
Connect and/or disconnect api.Backend.ldap2 connection when directory
server is stopped/restarted. Checking is ldap2 connection is connected
is neccesary for edge cases during ds installation (initial start).

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
24baccbd6a dsinstance: enable ldapi and autobind in ds
* enable ldapi and root autobind early during the ds installation
* perform these changes using simple_bind with dm_password

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
9340a1417a install: remove dirman_pw from services
Remove directory manager's password from service's constructors

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
5b81dbfda1 ipaldap: merge IPAdmin to LDAPClient
* move IPAdmin methods to LDAPClient
* add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
* add host, port, _protocol to LDAPClient (parsed from ldap_uri)
* create get_ldap_uri() method to create ldap_uri from former
    IPAdmin.__init__() arguments
* replace IPAdmin with LDAPClient + get_ldap_uri()
* remove ununsed function argument hostname from
    enable_replication_version_checking()

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
4f1a6a1776 ipaldap: merge gssapi_bind to LDAPClient
* Rename do_sasl_gssapi_bind to gssapi_bind

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
60e38ecc7f ipaldap: merge external_bind into LDAPClient
* Rename do_external_bind to external_bind
* Remove user_name argument in  external_bind() and always set it
    to effective user name

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Tomas Krizek
de58a5c605 ipaldap: merge simple_bind into LDAPClient
* Use LDAPClient.simple_bind instead of extra call to IPAdmin.do_simple_bind
* Rename binddn to bind_dn
* Rename bindpw to bind_password
* Explicitly specify bind_dn in all calls

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00