Commit Graph

373 Commits

Author SHA1 Message Date
Rob Crittenden
ba7974bfd1 IPA-EPN: Don't treat givenname differently
This was returning givenname as a list and not as a single
string which messed up the templating.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-10 11:22:58 -04:00
Rob Crittenden
3b266d3957 IPA-EPN: add smtp_delay to limit the velocity of e-mails sent
Provide a knob so the mail queue doesn't get completely flooded
with new e-mails.

Default to no wait, value in milliseconds.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-10 11:22:58 -04:00
Rob Crittenden
a2728c758e IPA-EPN: Add mail-test option for testing sending live email
To make testing easier for administrators the --mail-test option
can be used to send live e-mail from ipa-epn. It sends mail
to the smtp_admin user processing the template with dummy data.

https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-10 11:22:58 -04:00
Rob Crittenden
c3cbaed9fd IPA-EPN: Fixes to starttls mode, convert some log errors to exceptions
Tested security mode with none, starttls and ssl security.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-10 11:22:58 -04:00
Rob Crittenden
03caa7f965 Add a jinja2 e-mail template for EPN
Add options for character set (default utf8) and message
subtype (default plain). This will allow for more control
for users to do either HTML mail or use ascii for the character
set so the attachment is not base64-encoded to make it easier
for all mail clients.

Collect first and last name as well for each user in order to
provide more options for the template engine.

Make the From address configurable, defaulting to noreply@ipa_domain
Make Subject configurable too.

Don't rely on the MTA to set Message-Id: set it using the email
module.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-09 08:43:45 +02:00
François Cami
b8886c3e97 IPA-EPN: First version.
EPN stands for Expiring Password Notification. It is a standalone
tool designed to build a list of users whose password would expire
in the near future, and either display the list in a machine-readable
format, or send email notifications to these users.

EPN provides command-line options to display the list of affected users.
This provides data introspection and helps understand how many emails
would be sent for a given day, or a given date range.
The command-line options can also be used by a monitoring system to alert
whenever a number of emails over the SMTP quota would be sent.

EPN is meant to be launched once a day from an IPA client (preferred)
or replica from a systemd timer.

EPN does not keep state. The list of affected users is built at runtime
but never kept.

TLS/STARTTLS SMTP code is untested and unlikely to work as-is.

Parts of code contributed by Rob Crittenden.
Ideas and feedback contributed by Christian Heimes and Michal Polovka.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: François Cami <fcami@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-09 08:43:45 +02:00
Christian Heimes
9941c9ee95 Address issues found by new pylint 2.5.0
* fix multiple exception-escape
* fix function signatures of DsInstance start/stop/restart
* silence f-string-without-interpolation
* fix too-many-function-args in host plugin

Fixes: https://pagure.io/freeipa/issue/8297
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-04-30 09:41:41 +02:00
Julian Gethmann
273ff2708c Fix typo in idrange.py docstring
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-14 09:48:50 +02:00
François Cami
e1b6e3ba9b ipa-client-automount: call save_domain() for each change
Call sssdconfig.save_domain(domain) after each configuration
change during ipa-client-automount --uninstall.

Previously, sssdconfig.save_domain(domain) was called only
outside of the domain detection loop which changed the domain
configuration. This introduced issues as this method's behavior
is only consistent when configuration items are removed in a
certain order: https://pagure.io/SSSD/sssd/issue/4149
Plus, it is more correct to save the configuration from within
the loop if ever we support multiple domains.

Fixes: https://pagure.io/freeipa/issue/8190
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-02-14 09:33:43 +02:00
Rob Crittenden
6cb4f4bd50 ipa-certupdate removes all CA certs from db before adding new ones
This will allow for CA certificates to be dropped from the list
of certificates. It also allows for the trust flags to be
updated when an existing cert is dropped and re-added.

https://pagure.io/freeipa/issue/8124

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-28 13:05:31 -05:00
Alexander Bokovoy
3d402b69eb ipa-client-samba: map domain sid of trust domain properly for display
Trusted domain object in LDAP uses ipaNTTrustedDomainSID attribute to
store SID of the trusted domain while IPA domain itself uses
ipaNTSecurityIdentifier. When mapping the values for printing out a
summary table, use the right mapping according to the object.

Fixes: https://pagure.io/freeipa/issue/8149
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-12-13 17:33:33 +02:00
Christian Heimes
e8b98555fc Fix otptoken_sync plugin
The plugin had two bugs:

For one it did not work under Python 3 because urlencode() returns a string
but HTTPSHandler expects bytes as data argument.

The primary key field name is not available in client plugins. Just pass
the token name and let server code convert the name to DN.

Fixes: https://pagure.io/freeipa/issue/7804
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-28 16:09:07 +01:00
Christian Heimes
b216701d9a Show group-add/remove-member-manager failures
Commands like ipa group-add-member-manager now show permission
errors on failed operations.

Fixes: https://pagure.io/freeipa/issue/8122
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-11-20 17:08:40 +01:00
Christian Heimes
97a31e69e8 Use default ssh host key algorithms
ipa-client-install no longer overrides SSH client settings for
HostKeyAlgorithms. It's no longer necessary to configure
HostKeyAlgorithms. The setting was disabling modern algorithms and
enabled a weak algorithm that is blocked in FIPS code.

The ipa-client package removes IPA's custom HostKeyAlgorithm from
/etc/ssh/ssh_config during package update. Non-IPA settings are not
touched.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1756432
Fixes: https://pagure.io/freeipa/issue/8082
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-11-12 12:26:49 +01:00
Rob Crittenden
3593e53622 Conditionally restart certmonger after client installation
If certmonger is running prior to client installation then its
IPA CA configuration will be incomplete and missing the CA chain.

If a certificate is subsequently requested with -F to store the
CA chain in a file or NSS db it may not be available yet. A
conditional restart of certmonger will pick up the new IPA
configuration and complete the IPA CA configuration in certmonger.

A pure restart and service activation is not done since certmonger
is not required unless --request-cert was passed ipa-client-install.

https://pagure.io/freeipa/issue/8105

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ade Lee <alee@redhat.com>
2019-11-07 13:00:15 -05:00
Stanislav Levin
c6769ad12f Fix errors found by Pylint-2.4.3
New Pylint (2.4.3) catches several new 'true problems'. At the same
time, it warns about things that are massively and reasonably
employed in FreeIPA.

list of fixed:
- no-else-continue
- redeclared-assigned-name
- no-else-break
- unnecessary-comprehension
- using-constant-test (false positive)

list of ignored (responsibility of contributors and reviewers):
- import-outside-toplevel

Fixes: https://pagure.io/freeipa/issue/8102
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-10-21 18:01:32 +11:00
François Cami
1ac7169de2 ipa_client_automount.py: fix typo (idmap.conf => idmapd.conf)
660c49 introduced --idmap-domain which sets the Domain option in
idmapd.conf. However the help message for that knob mentioned
idmap.conf which is wrong. Fix that.
Reported by Marc Muehlfeld <mmuehlfe@redhat.com>.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2019-10-14 11:01:40 +02:00
Rafael Guterres Jeffman
c898be1df9 Removes several pylint warnings.
This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-27 09:38:32 +02:00
Stanislav Levin
d0b420f6dd Fixed errors newly exposed by pylint 2.4.0
Newest Pylint introduced additional checks [1]:

- import-outside-toplevel [2]

> This check warns when modules are imported from places other
than a module toplevel, e.g. inside a function or a class.

- no-else-continue [3]

> These checks highlight unnecessary else and elif blocks after
break and continue statements.

- unnecessary-comprehension [4]

> This check is emitted when pylint finds list-, set- or
dict-comprehensions, that are unnecessary and can be rewritten
with the list-, set- or dict-constructors.

[1] https://github.com/PyCQA/pylint/blob/pylint-2.4.0/doc/whatsnew/2.4.rst
[2] https://github.com/PyCQA/pylint/issues/3067
[3] https://github.com/PyCQA/pylint/issues/2327
[4] https://github.com/PyCQA/pylint/issues/2905

Fixes: https://pagure.io/freeipa/issue/8077
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-25 20:14:06 +10:00
Rafael Guterres Jeffman
9c20641f5c Re-add function façades removed by commit 2da9088.
ansible-freeipa breaks if this functions do not exist, so they will be
added back and marked as deprecated.

Related Tickets:
https://pagure.io/freeipa/issue/8062

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-20 10:12:09 -04:00
Robbie Harwood
c7b938a1d5 Enable krb5 snippet updates on client update
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2019-09-10 12:33:21 +03:00
Rob Critenden
41ef8fba31 Use tasks to configure automount nsswitch settings
authselect doesn't allow one to directly write to
/etc/nsswitch.conf. It will complain bitterly if it
detects it and will refuse to work until reset.

Instead it wants the user to write to
/etc/authselect/user-nsswitch.conf and then it will handle
merging in any differences.

To complicate matters some databases are not user configurable
like passwd, group and of course, automount. There are some
undocumented options to allow one to override these though so
we utilize that.

tasks are used so that authselect-based installations can still
write directly to /etc/nsswitch.conf and operate as it used to.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-08-28 22:15:50 -04:00
Rob Critenden
e5af8c19a9 Move ipachangeconf from ipaclient.install to ipapython
This will let us call it from ipaplatform.

Mark the original location as deprecated.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-08-28 22:15:50 -04:00
François Cami
b27ad6e9f9 ipa-client-automount: always restore nsswitch.conf at uninstall time
ipa-client-automount used to only restore nsswitch.conf when sssd was not
used. However authselect's default profile is now sssd so always restore
nsswitch.conf's automount configuration to 'files sssd'.
Note that the behavior seen before commit:
a0e846f56c
would always restore nsswitch.conf to the previous state which in some cases
was wrong.

Fixes: https://pagure.io/freeipa/issue/8038
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-08-28 22:15:50 -04:00
François Cami
cd2cbaecfc ipa-client-samba: remove state on uninstall
The "domain_member" state was not removed at uninstall time.
Remove it so that future invocations of ipa-client-samba work.

Fixes: https://pagure.io/freeipa/issue/8021
Signed-off-by: François Cami <fcami@redhat.com>

https://pagure.io/freeipa/issue/8021

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-07-26 10:49:54 +02:00
François Cami
5b65551b31 ipa-client-samba: remove and restore smb.conf only on first uninstall
Fixes: https://pagure.io/freeipa/issue/8019
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-07-26 10:49:54 +02:00
Alexander Bokovoy
814592cf22 ipa-client-samba: a tool to configure Samba domain member on IPA client
Introduces new utility to configure Samba on an IPA domain member.

The tool sets up Samba configuration and internal databases, creates
cifs/... Kerberos service and makes sure that a keytab for this service
contains the key with the same randomly generated password that is set
in the internal Samba databases.

Samba configuration is created by querying an IPA master about details
of trust to Active Directory configuration. All known identity ranges
added to the configuration to allow Samba to properly handle them
(read-only) via idmap_sss.

Resulting configuration allows connection with both NTLMSSP and Kerberos
authentication for IPA users. Access controls for the shared content
should be set by utilizing POSIX ACLs on the file system under a
specific share.

The utility is packaged as freeipa-client-samba package to allow pulling
in all required dependencies for Samba and cifs.ko (smb3.ko) kernel
module. This allows an IPA client to become both an SMB server and an
SMB client.

Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-29 11:00:28 +03:00
François Cami
b49c627aa6 ipa_client_automount.py and ipactl.py: fix codestyle
Updating ipa_client_automount.py and ipactl.py's codestyle is
mandatory to make pylint pass as these are considered new files.

Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-28 10:53:07 +02:00
François Cami
c0cf65c4f7 Move ipa-client-automount.in and ipactl into modules
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-28 10:53:07 +02:00
Fraser Tweedale
854d3053e2 Handle missing LWCA certificate or chain
If lightweight CA key replication has not completed, requests for
the certificate or chain will return 404**.  This can occur in
normal operation, and should be a temporary condition.  Detect this
case and handle it by simply omitting the 'certificate' and/or
'certificate_out' fields in the response, and add a warning message
to the response.

Also update the client-side plugin that handles the
--certificate-out option.  Because the CLI will automatically print
the warning message, if the expected field is missing from the
response, just ignore it and continue processing.

** after the Dogtag NullPointerException gets fixed!

Part of: https://pagure.io/freeipa/issue/7964

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-06-18 10:36:24 +10:00
Rob Crittenden
c1c50650a7 Return 0 on uninstall when on_master for case of not installed
This is to suppress the spurious error message:

The ipa-client-install command failed.

when the client is not configured.

This is managed by allowing a ScriptError to return SUCCESS (0)
and have this ignored in log_failure().

https://pagure.io/freeipa/issue/7836

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-06-07 11:24:45 +02:00
Rob Crittenden
1284bf1588 Drop list of return values to be ignored in AdminTool
This was an attempt to suppress client uninstallation failure
messages in the server uninstallation script. This method
inadvertently also suppressed client uninstallation messages and
was generally confusing.

This reverts part of b96906156b

https://pagure.io/freeipa/issue/7836

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-06-07 11:24:45 +02:00
Rob Crittenden
21777e4ba0 When reading SSH pub key don't assume last character is newline
The code was attempting to strip off any trailing newline and then
calling lstrip() on the rest.

This assumes that the key has a trailing newline. At best this
can cause the last character of the comment to be lost. If there
is no comment it will fail to load the key because it is invalid.

Patch by Félix-Antoine Fortin <felix-antoine.fortin@calculquebec.ca>

https://pagure.io/freeipa/issue/7959

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-06-05 15:28:57 -04:00
Tibor Dudlák
e3f35843dc
Moving prompt for NTP options to install_check
In a interactive installation of freeipa server a promt asks for NTP related
options after install_check has been called. As it may cause confusion to users
moving to install_check methods where the prompt for other options is being done.
Refactored sync_time() method to use passed parameters ntp_servers and ntp_pool.

Resolves: https://pagure.io/freeipa/issue/7930
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
2019-05-22 18:20:22 +02:00
Rob Crittenden
6662e99e17 Add knob to limit hostname length
On Linux systems the length limit for hostnames is hardcoded
at 64 in MAXHOSTNAMELEN

Solaris, for example, allows 255 characters, and DNS allows the
total length to be up to 255 (with each label < 64).

Add a knob to allow configuring the maximum hostname length (FQDN)

The same validators are used between hosts and DNS to apply
the knob only when dealing with a FQDN as a hostname.

The maxlen option is included so installers can limit the length
of allowed hostnames when the --hostname option is used.

https://pagure.io/freeipa/issue/2018

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-16 14:38:43 -04:00
Stanislav Levin
7b8a2af219 Fix build_requestinfo in LibreSSL environments
`build_requestinfo` was broken in @ac6568dcf.
In this case LibreSSL behavior is the same as OpenSSL < 1.1.x.
Thus, an additional check for SSL implementation was added.

Fixes: https://pagure.io/freeipa/issue/7937
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-14 15:58:40 +02:00
Stanislav Levin
ac6568dcf5 Fix build_requestinfo in OpenSSL1.1.0+ environments
Since OpenSSL 1.1.0 the `req_info` field of X509_REQ structure is
no longer a pointer to X509_REQ_INFO. This results in a crash of
`build_requestinfo` in environments having OpenSSL1.1.0+ (libcrypto).

With this patch, the X509_REQ definition becomes the version dependent.
Both OpenSSL1.0.x and OpenSSL1.1.x are supported.

Fixes: https://pagure.io/freeipa/issue/7937
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-05-12 23:49:07 +02:00
Christian Heimes
e73fdcf8ba Import urllib submodules
otpclient only imported the urllib parent package, not urllib.request
and urllib.parse subpackages. This may or may not work depending on the
import order of other plugins.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-30 10:32:43 -04:00
Christian Heimes
bdce9164a1 Make ipaclient.discovery usable from command line
For debugging and testing make it possible to run a simple domain
discovery from the command line

```
$ python3 -m ipaclient.discovery demo1.freeipa.org
realm    DEMO1.FREEIPA.ORG                      (Discovered from LDAP DNS records in ipa.demo1.freeipa.org)
domain   demo1.freeipa.org                      (Discovered LDAP SRV records from demo1.freeipa.org)
basedn   dc=demo1,dc=freeipa,dc=org             (From IPA server ldap://ipa.demo1.freeipa.org:389)
server   ipa.demo1.freeipa.org                  (Discovered from LDAP DNS records in ipa.demo1.freeipa.org)
servers  ['ipa.demo1.freeipa.org']
Success
$ python3 -m ipaclient.discovery freeipa.org
realm    None
domain   None
basedn   None
server   None
servers  []
NO_LDAP_SERVER
```

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:53:23 +02:00
Christian Heimes
d59f155e52 Make IPADiscovery work without ldap
ipaclient.discover.IPADiscovery skips LDAP discovery when python-ldap is
not present.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:53:23 +02:00
Christian Heimes
2a459ce0f2 Make python-ldap optional for PyPI packages
python-ldap is a Python package with heavy C extensions. In order to
build python-ldap, not only OpenLDAP development headers are necessary,
but also OpenSSL, Cyrus SASL, and MIT KRB5 development headers.

A fully functional ipaclient doesn't need an LDAP driver. It talks JSON
RPC over HTTPS to a server. python-ldap is only used by ipapython.dn.DN
to convert a string to a DN with ldap_str2dn(). The function is simple
and can be wrapped with ctypes in a bunch of lines.

Related: https://pagure.io/freeipa/issue/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:53:23 +02:00
Christian Heimes
411e6c37fb Deprecate ipa-client-install --request-cert
Mark the --request-cert option for ipa-client-install as deprecated.
Users are encouraged to request a PEM certificate with certmonger
instead. The option and /etc/ipa/nssdb will be removed in a future
version.

Related: https://pagure.io/freeipa/issue/7492
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 16:23:17 +02:00
Tibor Dudlák
536e7da6d2 Support interactive prompt for ntp options
As the FreeIPA server is no longer a NTP service
providing instance its clients and replicas
configuration of time service can not be handled
as it was before change to chrony. Configuration
using master FQDN or autodiscovery for DNS record
would make no difference because every FreeIPA
instance is only chrony client now and does not
update DNS _ntp._udp record.

FreeIPA now asks user for NTP source server
or pool address in interactive mode if there is
no server nor pool specified and autodiscovery
has not found any NTP source in DNS records.

Resolves: https://pagure.io/freeipa/issue/7747
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-11 10:19:32 +02:00
Florence Blanc-Renaud
f2826da24b ipa-client-install: autodiscovery must refuse single-label domains
Since commit 905ab93, ipa-server-install refuses single-label domains,
but older IPA server versions could be installed with a single-label
domain/realm.
ipa-client-install is already refusing single-label domain/realm when
provided to the CLI with --domain / --realm but does not perform the same
check when the domain is discovered.
This commit adds a check to domain names automatically discovered and skips
single-label domains. Same check for realm names.

Fixes: https://pagure.io/freeipa/issue/7598
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-10 14:54:43 -04:00
Christian Heimes
b5f1d33fb3 Reformat and PEP8 ipaclient.discovery
Since the moved code is detected as new/modified code, make fastlint is
complaining about PEP 8 violations.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-03-01 11:44:27 +01:00
Christian Heimes
e6d560af66 Make IPADiscovery available in PyPI packages
The ipaclient PyPI package does not ship the ipaclient.install
subpackage. The ipaclient.install.ipadiscovery module with IPADiscovery
is now available as ipaclient.discovery, so it can be used by consumers
of PyPI packages.

The module ipaclient.install.ipadiscovery provides a backwards
compatibility shim with deprecation warning.

Fixes: https://pagure.io/freeipa/issue/7861
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-03-01 11:44:27 +01:00
Christian Heimes
a3934a211d Use new LDAPClient constructors
Replace get_ldap_uri() + LDAPClient() with new LDAPClient constructors
like LDAPClient.from_realm().

Some places now use LDAPI with external bind instead of LDAP with simple
bind. Although the FQDN *should* resolve to 127.0.0.1 / [::1], there is
no hard guarantee. The draft
https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-04#section-5.1
specifies that applications must verify that the resulting IP is a
loopback API. LDAPI is always local and a bit more efficient, too.

The simple_bind() method also prevents the caller from sending a
password over an insecure line.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-02-05 08:39:13 -05:00
Christian Heimes
917d81b832 Allow HTTPd user to access SSSD IFP
For smart card and certificate authentication, Apache's
mod_lookup_identity module must be able to acess SSSD IFP. The module
accesses IFP as Apache user, not as ipaapi user.

Apache is not allowed to use IFP by default. The update code uses the
service's ok-to-auth-as-delegate flag to detect smart card / cert auth.

See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-11 13:46:52 +01:00
Fraser Tweedale
8a835daf47 certupdate: add commentary about certmonger behaviour
It is not obvious why we "renew" (reuse only) the IPA CA certificate
in ipa-certupdate.  Add some commentary to explain this behaviour.

Related: https://pagure.io/freeipa/issue/7751
See also: https://github.com/freeipa/freeipa/pull/2576#issuecomment-442220840

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-12-03 10:32:36 +01:00
Christian Heimes
533a5b2633 pylint 2.2: Fix unnecessary pass statement
pylint 2.2.0 has a new checker for unnecessary pass statements. There is
no need to have a pass statement in functions or classes with a doc
string.

Fixes: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2018-11-26 16:54:43 +01:00