This commit adds the 'ca' plugin for creating and managing
lightweight CAs. The initial implementation supports a single level
of sub-CAs underneath the IPA CA.
This commit also:
- adds the container for FreeIPA CA objects
- adds schema for the FreeIPA CA objects
- updates ipa-pki-proxy.conf to allow access to the Dogtag
lightweight CAs REST API.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In case an ID override was created for an Active Directory user in the
default trust view, allow mapping the incoming GSSAPI authenticated
connection to the ID override for this user.
This allows to self-manage ID override parameters from the CLI, for
example, SSH public keys or certificates. Admins can define what can be
changed by the users via self-service permissions.
Part of https://fedorahosted.org/freeipa/ticket/2149
Part of https://fedorahosted.org/freeipa/ticket/3242
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add the ipa-pki-retrieve-key helper program and configure
lightweight CA key replication on installation and upgrade. The
specific configuration steps are:
- Add the 'dogtag/$HOSTNAME' service principal
- Create the pricipal's Custodia keys
- Retrieve the principal's keytab
- Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever
to invoke ipa-pki-retrieve-key for key retrieval
Also bump the minimum version of Dogtag to 10.3.2.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The "dogtag/$HOSTNAME@$REALM" service principal uses Custodia to
retrieve lightweight CA signing keys, and therefore needs search and
read access to Custodia keys. Add an ACI to permit this.
Also add ACIs to allow host principals to manage Dogtag custodia
keys for the same host.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Locations should be removed from server by using server-mod during
location-del (future patches will handle DNS records in server-mod)
Referint plugin is configured to remove references of deleted locations.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
DNS privileges are important for handling DNS locations which can be
created without DNS servers in IPA topology. We will also need this
privileges presented for future feature 'External DNS support'
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Should fix the DS from going unresponsive in some cases
https://fedorahosted.org/freeipa/ticket/5383
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.
This procedure is still not complete because we need to handle global
forwarders too (in LDAP and in named.conf on each server).
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
Ad-hoc LDAP calls in DNS upgrade code were hard to maintain and
ipaConfigString was bad idea from the very beginning as it was hard to
manipulate the number in it.
To avoid problems in future we are introducing new ipaDNSVersion
attribute which is used on cn=dns instead of ipaConfigString.
Original value of ipaConfigString is kept in the tree for now
so older upgraders see it and do not execute the upgrade procedure again.
The attribute can be changed only by installer/upgrade so it is not
exposed in dnsconfig_mod API.
Command dnsconfig_show displays it only if --all option was used.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
Topology plugin may merge (aka DEL) segments that would trigger
internal search for groups owning that segment. The problem
is that it is searching those groups into the full suffix and
so need the schema compat map lock.
If any other operation holding schema compat map lock need to
access the page involved in the DEL, there is a deadlock.
This fix is to prevent useless group searching if the target entry
is a segment or is in compat tree.
https://fedorahosted.org/freeipa/ticket/5637
Reviewed-By: Martin Basti <mbasti@redhat.com>
nsSSLCiphers: "default" provides only secure ciphers that should be used when
connecting to DS
https://fedorahosted.org/freeipa/ticket/5684
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Currently in an environment with trust to AD the compat tree does not
show AD users as members of IPA groups. The reason is that IPA groups
are read directly from the IPA DS tree and external groups are not
handled.
slapi-nis project has added support for it in 0.55, make sure we update
configuration for the group map if it exists and depend on 0.55 version.
https://fedorahosted.org/freeipa/ticket/4403
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This permission cannot be MANAGED permission because it is located in
nonreplicating part of the LDAP tree.
As side effect, the particular ACI has not been created on all replicas.
This commit makes Read Replication Agreements non managed permission and
also fix missing ACI on replicas.
https://fedorahosted.org/freeipa/ticket/5631
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
During upgrade to IPA 4.2, literally "$SUFFIX" value was added to
configuration of sidgen and extdom plugins. This cause that SID are not properly configured.
Upgrade must fix "$SUFFIX" to reals suffix DN, and run sidgen task
against IPA domain (if exists).
All trusts added when plugins configuration was broken must be re-added.
https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
CA and DS have issues with Retro Changelog plugin. CA subtree should be
excluded from syncrepl.
This should improve speed of CA related operations too.
https://fedorahosted.org/freeipa/ticket/5538
Reviewed-By: Christian Heimes <cheimes@redhat.com>
During IPA server upgrade from pre-4.3 versions, the ACIs permitting
manipulation of replication agreements are removed from the
'cn="$SUFFIX",cn=mapping tree,cn=config' and 'cn=o\3Dipaca,cn=mapping
tree,cn=config'. However they are never re-added breaking management and
installation of replicas.
This patch modifies the update process so that the ACIs are first added to the
'cn=mapping tree,cn=config' and then removed from the child entries.
https://fedorahosted.org/freeipa/ticket/5575
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Former upgrade file always created the NIS Server container, that caused
the ipa-nis-manage did not set all required NIS maps. Default creation
of container has been removed.
Updating of NIS Server configuration and
NIS maps is done only if the NIS Server container exists.
https://fedorahosted.org/freeipa/ticket/5507
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Merge the two identical sets of replication agreement permission ACIs for
the domain and CA suffixes into a single set suitable for replication
agreements for both suffixes. This makes the replication agreement
permissions behave correctly during CA replica install, so that any
non-admin user with the proper permissions (such as members of the
ipaservers host group) can set up replication for the CA suffix.
https://fedorahosted.org/freeipa/ticket/5399
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add server_conncheck command which calls ipa-replica-conncheck --replica
over oddjob.
https://fedorahosted.org/freeipa/ticket/5497
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This fixes the situation when LDAPUpdater tries to add ACIs for storing
secrets in cn=custodia,cn=ipa,cn=etc,$SUFFIX before the container is actually
created leading to creation of container without any ACI and subsequent
erroneous behavior.
https://fedorahosted.org/freeipa/ticket/5524
Reviewed-By: David Kupka <dkupka@redhat.com>
The old 'realm' topology suffix is no longer used, howver, it was being
created on masters with version 4.2.3 and later. Make sure it's properly
removed.
Note that this is not the case for the 'ipaca' suffix, whic was later
removed to 'ca'.
https://fedorahosted.org/freeipa/ticket/5526
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The old 'realm' topology suffix is no longer used, however, it was being
created on masters with version 4.2.3 and later. Make sure it's properly
removed.
Note that this is not the case for the 'ipaca' suffix, which was later
removed to 'ca'.
https://fedorahosted.org/freeipa/ticket/5526
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add ACIs which allow the members of the ipaservers host group to set up
replication. This allows IPA hosts to perform replica promotion on
themselves.
A number of checks which need read access to certain LDAP entries is done
during replica promotion. Add ACIs to allow these checks to be done using
any valid IPA host credentials.
https://fedorahosted.org/freeipa/ticket/5401
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Profiles and the default CA ACL were not being added during replica
install from pre-4.2 servers. Update ipa-replica-install to add
these if they are missing.
Also update the caacl plugin to prevent deletion of the default CA
ACL and instruct the administrator to disable it instead.
To ensure that the cainstance installation can add profiles, supply
the RA certificate as part of the instance configuration.
Certmonger renewal setup is avoided at this point because the NSSDB
gets reinitialised later in installation procedure.
Also move the addition of the default CA ACL from dsinstance
installation to cainstance installation.
Fixes: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove lockout policy update file because all currently supported versions
have krbPwdMaxFailure defaulting to 6 and krbPwdLockoutDuration defaulting to 600.
Keeping lockout policy update file prevents from creating a more scrict policy in
environments subject to regulatory compliance
https://fedorahosted.org/freeipa/ticket/5418
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Configure IPA so that topology plugin will manage also CA replication
agreements.
upgrades if CA is congigured:
- ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX
- ipaReplTopoManagedSuffix: o=ipaca is added to master entry
- binddngroup is added to o=ipaca replica entry
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Limit max age of replication changelog to seven days, instead of grow to
unlimited size.
https://fedorahosted.org/freeipa/ticket/5086
Reviewed-By: David Kupka <dkupka@redhat.com>
When ipa-getkeytab is used to fetch trusted domain object credentials,
the fetched entry has always kvno 1. ipa-getkeytab always adds a key to
keytab which means older key versions will be in the SSSD keytab and
will confuse libkrb5 ccache initialization code as all kvno values are
equal to 1. Wrong key is picked up then and kinit fails.
To solve this problem, always remove existing
/var/lib/sss/keytabs/forest.keytab before retrieving a new one.
To make sure script's input cannot be used to define what should be
removed (by passing a relative path), make sure we retrieve trusted
forest name from LDAP. If it is not possible to retrieve, the script
will issue an exception and quit. If abrtd is running, this will be
recorded as a 'crash' and an attempt to use script by malicious user
would be recorded as well in the abrtd journal.
Additionally, as com.redhat.idm.trust-fetch-domains will create
ID ranges for the domains of the trusted forest if they don't exist,
it needs permissions to do so. The permission should be granted only
to cifs/ipa.master@IPA.REALM services which means they must have
krbprincipalname=cifs/*@IPA.REALM,cn=services,... DN and be members of
cn=adtrust agents,cn=sysaccounts,... group.
Solves https://bugzilla.redhat.com/show_bug.cgi?id=1250190
Ticket https://fedorahosted.org/freeipa/ticket/5182
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Add the "Request Certificate ignoring CA ACLs" permission and
associated ACI, initially assigned to "Certificate Administrators"
privilege.
Update cert-request command to skip CA ACL enforcement when the bind
principal has this permission.
Fixes: https://fedorahosted.org/freeipa/ticket/5099
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
These records never worked, they dont have attributes in schema.
TSIG and TKEY are meta-RR should not be in LDAP
TA is not supported by BIND
NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be
in LDAP.
*! SIG, NSEC are already defined in schema, must stay in API.
* Add HINFO, MINFO, MD, NXT records to API as unsupported records
These records are already defined in LDAP schema
* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records
These records were defined in IPA API as unsupported, but schema definition was
missing. This causes that ACI cannot be created for these records
and dnszone-find failed. (#5055)
https://fedorahosted.org/freeipa/ticket/4934https://fedorahosted.org/freeipa/ticket/5055
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Use wildcards and DN matching in an ACI to allow a host
that binds using GSSAPI to add a service for itself.
Set required version of 389-ds-base to 1.3.4.0 GA.
https://fedorahosted.org/freeipa/ticket/4567
Reviewed-By: Martin Basti <mbasti@redhat.com>
'eq' and 'pres' indices for userCertificate attribute allow for more efficient
lookup and matching of binary certificates assigned to users, hosts, and
services.
Part of http://www.freeipa.org/page/V4/User_Certificates
Reviewed-By: Martin Basti <mbasti@redhat.com>