Commit Graph

442 Commits

Author SHA1 Message Date
Alexander Bokovoy
9e861693fc
batch: add keeponly option
batch(methods=Dict(), keeponly=list) will allow to execute batch of
commands and remove from the output everything but the attributes which
names were passed in the keeponly list.

This can be useful if you are only interested in getting names and
assigned random passwords, for example.

Fix batch API test in test_integration/test_idm_api.py and use it to
validate keeponly option.

Fixes: https://pagure.io/freeipa/issue/9583

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-05-22 10:03:38 +02:00
Alexander Bokovoy
1d2897e3d7 ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
When authentication indicators were introduced in 2016, ipa-pwd-extop
plugin gained ability to reject LDAP BIND when an LDAP client insists
the authentication must use an OTP token. This is used by ipa-otpd to
ensure Kerberos authentication using OTP method is done with at least
two factors (the token and the password).

This enfrocement is only possible when an LDAP client sends the LDAP
control. There are cases when LDAP clients cannot be configured to send
a custom LDAP control during BIND operation. For these clients an LDAP
BIND against an account that only has password and no valid token would
succeed even if admins intend it to fail.

Ability to do LDAP BIND without a token was added to allow users to add
their own OTP tokens securely. If administrators require full
enforcement over LDAP BIND, it is cannot be achieved with LDAP without
sending the LDAP control to do so.

Add IPA configuration string, EnforceLDAPOTP, to allow administrators to
prevent LDAP BIND with a password only if user is required to have OTP
tokens. With this configuration enabled, it will be not possible for
users to add OTP token if one is missing, thus ensuring no user can
authenticate without OTP and admins will have to add initial OTP tokens
to users explicitly.

Fixes: https://pagure.io/freeipa/issue/5169

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-03-12 13:53:11 +01:00
Florence Blanc-Renaud
0075c8b8f6 passkeyconfig: require-user-verification is a boolean
ipa passkeyconfig-mod now accepts Boolean values for
--require-user-verification

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
7911b2466d CLI: add support for passkey authentication type
Add a new authentication type for Passkey in the following commands:

ipa user-add --user-auth-type=AUTHTYPE
ipa user-mod --user-auth-type=AUTHTYPE
ipa config-mod --user-auth-type=AUTHTYPE
ipa service-add --auth-ind=AUTHTYPE
ipa service-mod --auth-ind=AUTHTYPE
ipa host-add --auth-ind=AUTHTYPE
ipa host-mod --auth-ind=AUTHTYPE
ipa krbtpolicy-mod --passkey-maxlife=INT --passkey-maxrenew=INT

Fixes: https://pagure.io/freeipa/issue/9262
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
a21214cb9e API: add new commands for passkey mappings
- ipa user-add-passkey
- ipa user-remove-passkey
- ipa stageuser-add-passkey
- ipa stageuser-remove-passkey

Fixes: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Florence Blanc-Renaud
4bd1be9e90 API: add new commands for ipa passkeyconfig-show | mod
Currently supports a single parameter:
--require-user-verification [ 'on', 'off', 'default']

Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-06-01 08:20:37 +02:00
Alexander Bokovoy
4239b77a6d IPA API changes to support RBCD
IPA API commands to manage RBCD access controls.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-05 14:55:22 -04:00
Francisco Trivino
93548f2569 Vault: fix interoperability issues with older RHEL systems
AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets.
This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but
setting AES as default ended-up breaking backwards compatibility with older RHEL systems.

This commit is tuning some defaults so that interoperability with older RHEL systems
works again. The new logic reflects:

- when an old client is calling a new server, it doesn't send any value for wrapping_algo
  and the old value is used (3DES), so that the client can decrypt using 3DES.

- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC

- when a new client is calling an old server, it doesn't send any value and the default is
  to use 3DES.

Finally, as this logic is able to handle overlapping wrapping algorithm between server and
client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa
vault-retrieve --help" commands.

Fixes: https://pagure.io/freeipa/issue/9259
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-21 10:41:10 -05:00
Carla Martinez
55ef0008b8 Update API and VERSION
The API and VERSION files need to be updated
to hold the changes made in the 'idnssoaserial'
parameter.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2022-09-29 14:23:44 +02:00
Rob Crittenden
c8955a4d0a Set default gracelimit on group password policies to -1
This will retain previous behavior of unlimited LDAP BIND
post-expiration.

Fixes: https://pagure.io/freeipa/issue/9212

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-08-18 17:51:20 -04:00
Rob Crittenden
beaa0562dc Add support for Random Serial Numbers v3
Dogtag has implemented a new random serial number scheme
they are calling RSNv3.

https://github.com/dogtagpki/pki/wiki/Random-Certificate-Serial-Numbers-v3

Given the known issues reported this will be supported in IPA for
new installations only.

There is no mixing of random servers and non-random servers
allowed.

Instructions for installing a CA:
https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing-CA-with-Random-Serial-Numbers-v3.adoc

Instructions for installing a KRA:
https://github.com/dogtagpki/pki/blob/master/docs/installation/kra/Installig-KRA-with-Random-Serial-Numbers-v3.adoc

The version of random serial numbers is stored within the CA entry
of the server. It is stored as a version to allow for future upgrades.

If a CA has RSN enabled then any KRA installed will also have it
enabled for its identifiers.

A new attribute, ipaCaRandomSerialNumberVersion, is added to the IPA CA
entry to track the version number in case PKI has future major
revisions. This can also be used to determine if RSN is enabled or not.

Fixes: https://pagure.io/freeipa/issue/2016

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-09 08:35:15 +02:00
Rob Crittenden
83be923ac5 Add a new parameter type, SerialNumber, as a subclass of Str
Transmitting a big integer like a random serial number over
either xmlrpc or JSON is problematic because they only support
32-bit integers at best. A random serial number can be as big
as 128 bits (theoretically 160 but dogtag limits it).

Treat as a string instead. Internally the value can be treated
as an Integer to conversions to/from hex as needed but for
transmission purposes handle it as a string.

Fixes: https://pagure.io/freeipa/issue/2016

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-09 08:35:15 +02:00
Rob Crittenden
deb0c76556 Set default LDAP password grace period to -1
This will retain existing behavior where LDAP passwords are
allowed to bind past expiration.

Fixes: https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-06 11:24:21 -04:00
Rob Crittenden
f347c3f230 Implement LDAP bind grace period 389-ds plugin
Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06

389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.

passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is suported for both the
global and per-group password policies.

passwordGraceUserTime is a count per-user of the number of binds.

When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.

If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.

Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.

Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.

The passwordGraceUserTime attribute is reset to 0 upon a password
reset.

user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.

Note that passwordGraceUserTime is an operational attribute.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-30 17:24:22 +03:00
Alexander Bokovoy
10e18c3dc7 external-idp: add support to manage external IdP objects
Fixes: https://pagure.io/freeipa/issue/8804
Fixes: https://pagure.io/freeipa/issue/8803

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
2022-05-10 15:52:41 +03:00
Francisco Trivino
b8f45fc689 Set AES as default for KRA archival wrapping
This commit sets AES-128-CBC as default wrapping algorithm as
TripleDES (des-ede3-cbc) is not supported anymore in C9S.

Fixes: https://pagure.io/freeipa/issue/6524

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2022-03-16 12:07:01 +02:00
Christian Heimes
40c362e1ee Support AES for KRA archival wrapping
The vault plugin has used TripleDES (des-ede3-cbc) as default wrapping
algorithm since the plugin was introduced. Allow use of AES-128-CBC as
alternative wrapping algorithm for transport of secrets.

Fixes: https://pagure.io/freeipa/issue/6524

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2022-03-16 12:07:01 +02:00
Florence Blanc-Renaud
189d090d29 automember default group: remove --desc parameter
The automember-default-group commands inherit from
the automember commands but should not provide the
--desc parameter.
Remove 'description' from the list of parameters.

Fixes: https://pagure.io/freeipa/issue/9068
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-01-13 14:12:49 -05:00
Florence Blanc-Renaud
ed001c97ee ipa config: add --enable-sid option
Add new options to ipa config-mod, allowing to enable
SID generation on upgraded servers:
ipa config-mod --enable-sid --add-sids --netbios-name NAME

The new option uses Dbus to launch an oddjob command,
org.freeipa.server.config-enable-sid
that runs the installation steps related to SID generation.

--add-sids is optional and triggers the sid generation task that
populates SID for existing users / groups.
--netbios-name is optional and allows to specify the NetBIOS Name.
When not provided, the NetBIOS name is generated based on the leading
component of the DNS domain name.

This command can be run multiple times.

Fixes: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Rob Crittenden
47fbe05f7f Improve sudooption docs, make the option multi-value
I don't know why this wasn't always multi-value but if one wanted
to set multiple options they needed to call add-option multiple
times. The LDAP attribute is already multi-value.

This shouldn't cause API issues as it understood the attribute as
multi-value just didn't expose it. Client output on the CLI will
look a bit different:

Added option "('one', 'two')" to Sudo Rule "test"

or

Added option "(u'one', u'Two')" to Sudo Rule "test"

instead of with this change:

Added option "one,two" to Sudo Rule "test"

Removing an option works in a similar way.

The value is normalized on the client side in order to ensure that
the option value is always a tuple.

https://pagure.io/freeipa/issue/2278

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-10-08 10:47:58 +02:00
Christian Heimes
c78d1341ad Redesign subid feature
Subordinate ids are now handled by a new plugin class and stored in
separate entries in the cn=subids,cn=accounts subtree.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-09 09:47:30 -04:00
Christian Heimes
1c4ae37293 Add basic support for subordinate user/group ids
New LDAP object class "ipaUserSubordinate" with four new fields:
- ipasubuidnumber / ipasubuidcount
- ipasubgidnumber / ipasgbuidcount

New self-service permission to add subids.

New command user-auto-subid to auto-assign subid

The code hard-codes counts to 65536, sets subgid equal to subuid, and
does not allow removal of subids. There is also a hack that emulates a
DNA plugin with step interval 65536 for testing.

Work around problem with older SSSD clients that fail with unknown
idrange type "ipa-local-subid", see: https://github.com/SSSD/sssd/issues/5571

Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-09 09:47:30 -04:00
Rob Crittenden
09426f8ed5 Add ability to search on certificate revocation status
This can be used to narrow the candidate list of
certificates when deleting objects like hosts and
service.

Related: https://pagure.io/freeipa/issue/7835

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2021-04-22 09:19:21 +02:00
Florence Blanc-Renaud
ba7ab24b29 Trust: add auto private groups option
Add a new option --auto-private-groups to the command
ipa idrange-add / ipa idrange-mod.
The option can take true/false/hybrid values.

Fixes: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-04-19 17:14:23 +02:00
Rob Crittenden
6b452e5404 Extend IPA pwquality plugin to include libpwquality support
Add options to support maxrepeat, maxsequence, dictcheck and
usercheck pwquality options.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Petr Vobornik
3912e8e673 baseuser: fix ipanthomedirectorydrive option name
It should be ipanthomedirectorydrive and not ipanthomedirectoryrive.

This fixes showing the field in Web UI and also should fix CLI as it
probably never worked.

Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-16 19:06:02 -04:00
Alexander Bokovoy
bee4204039 Support adding user ID overrides as group and role members
Second part of adding support to manage IPA as a user from a trusted
Active Directory forest.

Treat user ID overrides as members of groups and roles.

For example, adding an Active Directory user ID override as a member of
'admins' group would make it equivalent to built-in FreeIPA 'admin'
user.

We already support self-service operations by Active Directory users if
their user ID override does exist. When Active Directory user
authenticates with GSSAPI against the FreeIPA LDAP server, its Kerberos
principal is automatically mapped to the user's ID override in the
Default Trust View. LDAP server's access control plugin uses membership
information of the corresponding LDAP entry to decide how access can be
allowed.

With the change, users from trusted Active Directory forests can
manage FreeIPA resources if the groups are part of appropriate roles or
their ID overrides are members of the roles themselves.

Fixes: https://pagure.io/freeipa/issue/7255

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-08 12:39:34 -04:00
Christian Heimes
9dda004f27 Allow permissions with 'self' bindruletype
Make it possible to create a managed permission with
ipapermbindruletype="self". The ACI will have bind rule
'(userdn = "ldap:///self")'.

Example
-------

Allow users to modify their own fasTimezone and fasIRCNick attributes:

```
managed_permissions = {
    "System: Self-Modify FAS user attributes": {
        "ipapermright": {"write"},
        "ipapermtargetfilter": ["(objectclass=fasuser)"],
        "ipapermbindruletype": "self",
        "ipapermdefaultattr": ["fasTimezone", "fasIRCNick"],
    }
}
```

See: https://github.com/fedora-infra/freeipa-fas/pull/107
Fixes: https://pagure.io/freeipa/issue/8348
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-07 10:18:03 +03:00
Alexander Bokovoy
6472a107d6 Allow rename of a host group
RN: host groups can now be renamed with IPA CLI:
RN: 'ipa hostgroup-mod group-name --rename new-name'.
RN: Protected hostgroups ('ipaservers') cannot be renamed.

Fixes: https://pagure.io/freeipa/issue/6783
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-03-31 09:21:37 +03:00
Florence Blanc-Renaud
911992b8bf ipa-adtrust-install: run remote configuration for new agents
When ipa-adtrust-install is run, the tool detects masters that are
not enabled as trust agents and propose to configure them. With the
current code, the Schema Compat plugin is not enabled on these new
trust agents and a manual restart of LDAP server + SSSD is required.

With this commit, ipa-adtrust-install now calls remote code on the new
agents through JSON RPC api, in order to configure the missing parts.
On the remote agent, the command is using DBus and oddjob to launch
a new command,
/usr/libexec/ipa/oddjob/org.freeipa.server.trust-enable-agent [--enable-compat]
This command configures the Schema Compat plugin if --enable-compat is
provided, then restarts LDAP server and SSSD.

If the remote agent is an older version and does not support remote
enablement, or if the remote server is not responding, the tool
ipa-adtrust-install prints a WARNING explaining the steps that need
to be manually executed in order to complete the installation, and
exits successfully (keeping the current behavior).

Fixes: https://pagure.io/freeipa/issue/7600
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-05 14:40:58 +01:00
Alexander Bokovoy
c5f32165d6 Add Authentication Indicator Kerberos ticket policy options
For the authentication indicators 'otp', 'radius', 'pkinit', and
'hardened', allow specifying maximum ticket life and maximum renewable
age in Kerberos ticket policy.

The policy extensions are now loaded when a Kerberos principal data is
requested by the KDC and evaluated in AS_REQ KDC policy check. If one of
the authentication indicators mentioned above is present in the AS_REQ,
corresponding policy is applied to the ticket.

Related: https://pagure.io/freeipa/issue/8001

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-11-21 11:13:12 -05:00
Christian Heimes
f0a1f084b6 Add group membership management
A group membership manager is a user or a group that can add members to
a group or remove members from a group or host group.

Fixes: https://pagure.io/freeipa/issue/8114
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-11 09:31:14 +01:00
Rob Crittenden
48a3f4af46 Don't log host passwords when they are set/modified
The host password was defined as a Str type so would be
logged in cleartext in the Apache log.

A new class, HostPassword, was defined to only override
safe_value() so it always returns an obfuscated value.

The Password class cannot be used because it has special treatment
in the frontend to manage prompting and specifically doesn't
allow a value to be passed into it. This breaks backwards
compatibility with older clients. Since this class is derived
from Str old clients treat it as a plain string value.

This also removes the search option from passwords.

https://pagure.io/freeipa/issue/8017

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-09-19 10:11:52 -04:00
Changmin Teng
d0570404ef Extend the list of supported pre-auth mechanisms in IPA server API
As new authentication indicators implemented, we also modified server
API to support those new values. Also, "krbprincipalauthind" attribute
is modified to use a pre-defined set of values instead of arbitrary
strings.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2019-09-10 12:33:21 +03:00
Tibor Dudlák
c18ee9b641
Add SMB attributes for users
SMB attributes are used by Samba domain controller when reporting
details about IPA users via LSA DCE RPC calls.

Based on the initial work from the external plugin:
https://github.com/abbra/freeipa-user-trust-attributes

Related: https://pagure.io/freeipa/issue/3999

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Tibor Dudlák <tdudlak@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2019-07-01 13:21:21 +02:00
Alexander Bokovoy
afb8305ada ipaserver.plugins.service: add service-add-smb to set up an SMB service
SMB service has a number of predefined properties that must be set at a
creation time. Thus, we provide a special command that handles all the
needed changes. In addition, since SMB principal name is predefined, it
is generated automatically based on the machine hostname.

Since we generate the service's object primary key, its argument/option
should be removed from the list of the command's arguments and options.
We also remove those options that make no sense in the context of SMB
service.

Most controversial would probably be a lack of the authentication
indicator that could be associated with the service.  However, this is
intended: SMB service on the domain member is used by both humans and
other SMB services in the domain. Thus, it is not possible to require a
specific authentication indicator to be present: automated acquisition
of the credentials by a domain controller or other domain member machine
accounts is based on a single factor creds and cannot be changed.

Access to SMB service should be regulated on the SMB protocol level,
with access controls in share ACLs.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-29 11:00:28 +03:00
Rob Crittenden
6662e99e17 Add knob to limit hostname length
On Linux systems the length limit for hostnames is hardcoded
at 64 in MAXHOSTNAMELEN

Solaris, for example, allows 255 characters, and DNS allows the
total length to be up to 255 (with each label < 64).

Add a knob to allow configuring the maximum hostname length (FQDN)

The same validators are used between hosts and DNS to apply
the knob only when dealing with a FQDN as a hostname.

The maxlen option is included so installers can limit the length
of allowed hostnames when the --hostname option is used.

https://pagure.io/freeipa/issue/2018

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-16 14:38:43 -04:00
Alexander Bokovoy
de4a9875d4 oddjob: allow to pass options to trust-fetch-domains
Refactor com.redhat.idm.trust-fetch.domains oddjob helper to allow
passing administrative credentials and a domain controller to talk to.

This approach allows to avoid rediscovering a domain controller in case
a user actually specified the domain controller when establishing trust.

It also allows to pass through admin credentials if user decides to do
so. The latter will be used later to allow updating trust topology in a
similar oddjob helper.

Resolves: https://pagure.io/freeipa/issue/7895
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-01 13:27:41 +02:00
Christian Heimes
94b86354b5 Implement server-state --state=enabled/hidden
server-state modified the hidden / enabled flags of all configured
services of a server. Since the command does not directly modify the
server LDAP entry, the command has to be implemented as a dedicated plugin.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Christian Heimes
025facb85c Add hidden replica feature
A hidden replica is a replica that does not advertise its services via
DNS SRV records, ipa-ca DNS entry, or LDAP. Clients do not auto-select a
hidden replica, but are still free to explicitly connect to it.

Fixes: https://pagure.io/freeipa/issue/7892
Co-authored-by: Francois Cami <fcami@redhat.com>:
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-03-28 17:57:58 +01:00
Thomas Woerner
7f507519d4 Find orphan automember rules
If groups or hostgroups have been removed after automember rules have been
created using them, then automember-rebuild, automember-add, host-add and
more commands could fail.

A new command has been added to the ipa tool:

  ipa automember-find-orphans --type={hostgroup,group} [--remove]

This command retuns the list of orphan automember rules in the same way as
automember-find. With the --remove option the orphan rules are also removed.

The IPA API version has been increased and a test case has been added.

Using ideas from a patch by: Rob Crittenden <rcritten@redhat.com>

See: https://pagure.io/freeipa/issue/6476
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2018-10-10 09:56:40 +02:00
Christian Heimes
7c2ca14118 Query for server role IPA master
server_find and server_role plugin were hiding IPA master role
information. It's now possible to fetch IPA master role information and
to filter by IPA master role, e.g. to ignore servers that have some
services configured but not (yet) enabled.

See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-07-06 13:26:43 +02:00
Aleksei Slaikovskii
b82af69882 Radius proxy multiservers fix
Now radius proxy plugin allows to add more then one radius server
into radius proxy but the first one from ldap response is being
parsed (you can see ./daemons/ipa-optd/parse.c).

So this kind of behaviour is a bug, as it was determined on IRC.

This patch removes possibility to add more then one radius server
into radius proxy.

Pagure: https://pagure.io/freeipa/issue/7542
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
2018-05-17 18:36:33 -04:00
Alexander Bokovoy
e642865717 group: allow services as members of groups
Allow services to be members of the groups, like users and other groups
can already be.

This is required for use cases where such services aren't associated
with a particular host (and thus, the host object cannot be used to
retrieve the keytabs) but represent purely client Kerberos principals to
use in a dynamically generated environment such as Kubernetes.

Fixes: https://pagure.io/freeipa/issue/7513
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-08 16:39:22 -04:00
Alexander Bokovoy
9e8fb94e87 service: allow creating services without a host to manage them
Add --skip-host-check option to ipa service-add command to allow
creating services without corresponding host object. This is needed to
cover use cases where Kerberos services created to handle client
authentication in a dynamically generated environment like Kubernetes.

Fixes: https://pagure.io/freeipa/issue/7514
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-08 16:39:22 -04:00
Christian Heimes
8ffa33c24e Generate same API.txt under Python 2 and 3
Use Python 3's reprlib with customizations to create same API.txt under
Python 2 and 3. Some plugins have been slightly altered to use stable
sorting for dynamically created parameter lists.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-02-15 09:41:30 +01:00
Stanislav Laznicka
61605d28d8 parameters: introduce CertificateSigningRequest
Previously, CSRs were handled as a Str parameter which brought
trouble to Python 3 because of its more strict type requirements.
We introduce a CertificateSigningRequest parameter which allows to
use python-cryptography x509.CertificateSigningRequest to represent
CSRs in the framework.

https://pagure.io/freeipa/issue/7131
2017-10-25 09:44:37 +02:00
Stanislav Laznicka
5a44ca6383 Create a Certificate parameter
Up until now, Bytes parameter was used for certificate parameters
throughout the framework. However, the Bytes parameter does nothing
special for certificates, like validation, so this had to be done
for each of the parameters which were supposed to represent a
certificate.

This commit introduces a special Certificate parameter which takes
care of certificate validation so this does not have to be done
separately. It also makes sure that the certificates represented by
this parameter are always converted to DER format so that we can work
with them in a unified manner throughout the framework.

This commit also makes it possible to pass bytes directly during
instantiation of the Certificate parameter and they are still
represented correctly after their conversion in the _convert_scalar()
method.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Tibor Dudlák
17f03a7952 whoami.py: Type error when running tests
While test run the TypeError occured in whoami.validate_output().
There should be 'tuple' type in output too.

Fixes: https://pagure.io/freeipa/issue/7050
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-07 14:44:42 +02:00
Alexander Bokovoy
abb6384875 trust-mod: allow modifying list of UPNs of a trusted forest
There are two ways for maintaining user principal names (UPNs) in Active
Directory:
 - associate UPN suffixes with the forest root and then allow for each
   user account to choose UPN suffix for logon
 - directly modify userPrincipalName attribute in LDAP

Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.

The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.

This is especially true for one-word UPNs which otherwise wouldn't work
properly on Kerberos level for both FreeIPA and Active Directory.

Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.

As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible to specify all of them:

  ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}

Fixes: https://pagure.io/freeipa/issue/7015
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-14 16:38:12 +02:00