Commit Graph

313 Commits

Author SHA1 Message Date
Fraser Tweedale
3d4db834ca Add 'ca' plugin
This commit adds the 'ca' plugin for creating and managing
lightweight CAs.  The initial implementation supports a single level
of sub-CAs underneath the IPA CA.

This commit also:

- adds the container for FreeIPA CA objects

- adds schema for the FreeIPA CA objects

- updates ipa-pki-proxy.conf to allow access to the Dogtag
  lightweight CAs REST API.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 07:13:38 +02:00
Alexander Bokovoy
b506fd178e adtrust: support GSSAPI authentication to LDAP as Active Directory user
In case an ID override was created for an Active Directory user in the
default trust view, allow mapping the incoming GSSAPI authenticated
connection to the ID override for this user.

This allows users to self-manage ID override parameters from the CLI, for
example, SSH public keys or certificates. Admins can define what can be
changed by the users via self-service permissions.

Part of https://fedorahosted.org/freeipa/ticket/2149
Part of https://fedorahosted.org/freeipa/ticket/3242

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-10 13:39:02 +02:00
Fraser Tweedale
b0d9a4728f Setup lightweight CA key retrieval on install/upgrade
Add the ipa-pki-retrieve-key helper program and configure
lightweight CA key replication on installation and upgrade.  The
specific configuration steps are:

- Add the 'dogtag/$HOSTNAME' service principal
- Create the principal's Custodia keys
- Retrieve the principal's keytab
- Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever
  to invoke ipa-pki-retrieve-key for key retrieval

Also bump the minimum version of Dogtag to 10.3.2.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-09 09:04:27 +02:00
Fraser Tweedale
b584ffa4ac Add ACIs for Dogtag custodia client
The "dogtag/$HOSTNAME@$REALM" service principal uses Custodia to
retrieve lightweight CA signing keys, and therefore needs search and
read access to Custodia keys.  Add an ACI to permit this.

Also add ACIs to allow host principals to manage Dogtag custodia
keys for the same host.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-09 09:04:27 +02:00
Martin Basti
fd2bd60383 DNS Locations: when removing location remove it from servers first
Locations should be removed from servers by using server-mod during
location-del (future patches will handle DNS records in server-mod)

Referint plugin is configured to remove references of deleted locations.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-03 15:58:21 +02:00
Martin Basti
bae621415d DNS Locations: location-* commands
http://www.freeipa.org/page/V4/DNS_Location_Mechanism

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-03 15:58:21 +02:00
Martin Basti
29a8615cf3 DNS Locations: Always create DNS related privileges
DNS privileges are important for handling DNS locations, which can be
created without DNS servers in the IPA topology. We will also need these
privileges present for the future feature 'External DNS support'.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-03 15:58:21 +02:00
Stanislav Laznicka
e9f0e9d8fa Decreased timeout for IO blocking for DS
Should fix the DS from going unresponsive in some cases

https://fedorahosted.org/freeipa/ticket/5383

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-02 20:20:28 +02:00
Petr Spacek
f750d42b6f DNS upgrade: change forwarding policy to = only for conflicting forward zones
This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.

This procedure is still not complete because we need to handle global
forwarders too (in LDAP and in named.conf on each server).

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 20:14:32 +02:00
Petr Spacek
321a2ba918 Add ipaDNSVersion option to dnsconfig* commands and use new attribute
Ad-hoc LDAP calls in DNS upgrade code were hard to maintain and
ipaConfigString was a bad idea from the very beginning as it was hard to
manipulate the number in it.

To avoid problems in future we are introducing new ipaDNSVersion
attribute which is used on cn=dns instead of ipaConfigString.
Original value of ipaConfigString is kept in the tree for now
so older upgraders see it and do not execute the upgrade procedure again.

The attribute can be changed only by installer/upgrade so it is not
exposed in dnsconfig_mod API.

Command dnsconfig_show displays it only if --all option was used.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 20:14:32 +02:00
Thierry Bordaz
e1bbd90360 DS deadlock when memberof scopes topology plugin updates
Topology plugin may merge (aka DEL) segments, which would trigger an
internal search for groups owning that segment. The problem
is that it is searching for those groups in the full suffix and
so needs the schema compat map lock.

If any other operation holding the schema compat map lock needs to
access the page involved in the DEL, there is a deadlock.

This fix is to prevent useless group searching if the target entry
is a segment or is in compat tree.

https://fedorahosted.org/freeipa/ticket/5637

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-18 13:25:08 +01:00
Martin Basti
dd86f83c96 Configure 389ds with "default" cipher suite
nsSSLCiphers: "default" provides only secure ciphers that should be used when
connecting to DS

https://fedorahosted.org/freeipa/ticket/5684

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-03-09 10:04:58 +01:00
Alexander Bokovoy
1353847e49 slapi-nis: update configuration to allow external members of IPA groups
Currently in an environment with trust to AD the compat tree does not
show AD users as members of IPA groups. The reason is that IPA groups
are read directly from the IPA DS tree and external groups are not
handled.

slapi-nis project has added support for it in 0.55, make sure we update
configuration for the group map if it exists and depend on 0.55 version.

https://fedorahosted.org/freeipa/ticket/4403

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2016-03-01 12:40:25 +01:00
Martin Basti
bba2355631 fix permission: Read Replication Agreements
This permission cannot be a MANAGED permission because it is located in
a non-replicating part of the LDAP tree.

As a side effect, the particular ACI has not been created on all replicas.

This commit makes Read Replication Agreements a non-managed permission and
also fixes the missing ACI on replicas.

https://fedorahosted.org/freeipa/ticket/5631

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-02-25 14:30:01 +01:00
Martin Basti
9818e463f5 upgrade: fix config of sidgen and extdom plugins
During upgrade to IPA 4.2, the literal "$SUFFIX" value was added to the
configuration of the sidgen and extdom plugins. This caused SIDs to not be
properly configured.

Upgrade must fix "$SUFFIX" to the real suffix DN, and run the sidgen task
against the IPA domain (if it exists).

All trusts added when plugins configuration was broken must be re-added.

https://fedorahosted.org/freeipa/ticket/5665

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-02-23 17:35:20 +01:00
Simo Sorce
f9ed0b6ff8 Convert ipa-sam to use the new getkeytab control
Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5495
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-02-01 13:28:39 +01:00
Martin Basti
54a91c3ed3 Exclude o=ipaca subtree from Retro Changelog (syncrepl)
CA and DS have issues with Retro Changelog plugin. CA subtree should be
excluded from syncrepl.
This should improve speed of CA related operations too.

https://fedorahosted.org/freeipa/ticket/5538

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-01-21 11:28:21 +01:00
Martin Babinsky
e7a4faab81 IPA upgrade: move replication ACIs to the mapping tree entry
During IPA server upgrade from pre-4.3 versions, the ACIs permitting
manipulation of replication agreements are removed from
'cn="$SUFFIX",cn=mapping tree,cn=config' and 'cn=o\3Dipaca,cn=mapping
tree,cn=config'. However, they are never re-added, breaking management and
installation of replicas.

This patch modifies the update process so that the ACIs are first added to the
'cn=mapping tree,cn=config' and then removed from the child entries.

https://fedorahosted.org/freeipa/ticket/5575

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-01-18 14:10:08 +01:00
Martin Basti
1d56665fd2 Upgrade: Fix upgrade of NIS Server configuration
The former upgrade file always created the NIS Server container, which caused
ipa-nis-manage not to set all required NIS maps. Default creation
of the container has been removed.

Updating of NIS Server configuration and
NIS maps is done only if the NIS Server container exists.

https://fedorahosted.org/freeipa/ticket/5507

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-01-11 09:45:54 +01:00
Jan Cholasta
6ea868e172 aci: merge domain and CA suffix replication agreement ACIs
Merge the two identical sets of replication agreement permission ACIs for
the domain and CA suffixes into a single set suitable for replication
agreements for both suffixes. This makes the replication agreement
permissions behave correctly during CA replica install, so that any
non-admin user with the proper permissions (such as members of the
ipaservers host group) can set up replication for the CA suffix.

https://fedorahosted.org/freeipa/ticket/5399

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-12-14 14:40:17 +01:00
Jan Cholasta
8d7f67e08c replica install: add remote connection check over API
Add server_conncheck command which calls ipa-replica-conncheck --replica
over oddjob.

https://fedorahosted.org/freeipa/ticket/5497

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-12-11 18:44:13 +01:00
Martin Babinsky
e130d35687 add ACIs for custodia container to its parent during IPA upgrade
This fixes the situation when LDAPUpdater tries to add ACIs for storing
secrets in cn=custodia,cn=ipa,cn=etc,$SUFFIX before the container is actually
created, leading to the creation of the container without any ACI and subsequent
erroneous behavior.

https://fedorahosted.org/freeipa/ticket/5524

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-12-11 12:25:26 +01:00
Tomas Babej
dcb5c2a520 topology: Fix: Make sure the old 'realm' topology suffix is not used
The old 'realm' topology suffix is no longer used, however, it was being
created on masters with version 4.2.3 and later. Make sure it's properly
removed.

Note that this is not the case for the 'ipaca' suffix, which was later
removed to 'ca'.

https://fedorahosted.org/freeipa/ticket/5526

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-12-09 18:57:52 +01:00
Tomas Babej
a84b7d2117 topology: Make sure the old 'realm' topology suffix is not used
The old 'realm' topology suffix is no longer used, however, it was being
created on masters with version 4.2.3 and later. Make sure it's properly
removed.

Note that this is not the case for the 'ipaca' suffix, which was later
removed to 'ca'.

https://fedorahosted.org/freeipa/ticket/5526

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-12-09 09:42:18 +01:00
Jan Cholasta
e137f305ed aci: allow members of ipaservers to set up replication
Add ACIs which allow the members of the ipaservers host group to set up
replication. This allows IPA hosts to perform replica promotion on
themselves.

A number of checks which need read access to certain LDAP entries are done
during replica promotion. Add ACIs to allow these checks to be done using
any valid IPA host credentials.

https://fedorahosted.org/freeipa/ticket/5401

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-12-07 08:14:13 +01:00
Jan Cholasta
7b9a97383c aci: replace per-server ACIs with ipaserver-based ACIs
https://fedorahosted.org/freeipa/ticket/3416

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-12-07 08:13:23 +01:00
Jan Cholasta
a8d7ce5cf1 aci: add IPA servers host group 'ipaservers'
https://fedorahosted.org/freeipa/ticket/3416

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-12-07 08:13:23 +01:00
Petr Vobornik
517aa84569 rename topology suffixes to "domain" and "ca"
https://www.redhat.com/archives/freeipa-devel/2015-November/msg00485.html

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-04 12:59:21 +01:00
Fraser Tweedale
620036d26e Add profiles and default CA ACL on migration
Profiles and the default CA ACL were not being added during replica
install from pre-4.2 servers.  Update ipa-replica-install to add
these if they are missing.

Also update the caacl plugin to prevent deletion of the default CA
ACL and instruct the administrator to disable it instead.

To ensure that the cainstance installation can add profiles, supply
the RA certificate as part of the instance configuration.
Certmonger renewal setup is avoided at this point because the NSSDB
gets reinitialised later in the installation procedure.

Also move the addition of the default CA ACL from dsinstance
installation to cainstance installation.

Fixes: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-11-24 10:12:24 +01:00
Gabe
1e91ef33b5 custodia: ipa-upgrade failed on replica
- Add 73-custodia.update to install/updates/Makefile.am

https://fedorahosted.org/freeipa/ticket/5374

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-05 11:46:48 +01:00
Gabe
7ef827eeb6 Remove 50-lockout-policy.update file
Remove lockout policy update file because all currently supported versions
have krbPwdMaxFailure defaulting to 6 and krbPwdLockoutDuration defaulting to 600.

Keeping the lockout policy update file prevents creating a more strict policy in
environments subject to regulatory compliance.

https://fedorahosted.org/freeipa/ticket/5418

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-10-30 14:20:16 +01:00
Petr Vobornik
80e11d2469 topology plugin configuration workaround
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Petr Vobornik
834b5fd513 enable topology plugin on upgrade
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Petr Vobornik
fff31ca220 topology: manage ca replication agreements
Configure IPA so that topology plugin will manage also CA replication
agreements.

upgrades if CA is configured:
- ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX
- ipaReplTopoManagedSuffix: o=ipaca is added to master entry
- binddngroup is added to o=ipaca replica entry

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Simo Sorce
463dda3067 Add ipa-custodia service
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Petr Vobornik
ba22999cef topology: add realm suffix to master entry on update
Realm suffix was set only during installation but not on update.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:08:47 +02:00
Jan Cholasta
2f3450249d vault: fix private service vault creation
https://fedorahosted.org/freeipa/ticket/5361

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-10-13 14:34:00 +02:00
Martin Basti
a4b1bb25c9 Limit max age of replication changelog
Limit max age of replication changelog to seven days, instead of letting it
grow to unlimited size.

https://fedorahosted.org/freeipa/ticket/5086

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-09-21 12:04:12 +02:00
Jan Cholasta
5137478fb8 install: support KRA update
https://fedorahosted.org/freeipa/ticket/5250

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-09-17 14:55:54 +02:00
Jan Cholasta
0dfcf1d9db vault: add permissions and administrator privilege
https://fedorahosted.org/freeipa/ticket/5250

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-09-17 14:55:54 +02:00
Tomas Babej
73c82d0073 winsync: Add inetUser objectclass to the passsync sysaccount
https://bugzilla.redhat.com/show_bug.cgi?id=1262315

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-09-16 17:13:42 +02:00
Alexander Bokovoy
3692a1c57f trusts: harden trust-fetch-domains oddjobd-based script
When ipa-getkeytab is used to fetch trusted domain object credentials,
the fetched entry always has kvno 1. ipa-getkeytab always adds a key to the
keytab, which means older key versions will be in the SSSD keytab and
will confuse libkrb5 ccache initialization code as all kvno values are
equal to 1. The wrong key is picked up then and kinit fails.

To solve this problem, always remove existing
/var/lib/sss/keytabs/forest.keytab before retrieving a new one.

To make sure script's input cannot be used to define what should be
removed (by passing a relative path), make sure we retrieve trusted
forest name from LDAP. If it is not possible to retrieve, the script
will issue an exception and quit. If abrtd is running, this will be
recorded as a 'crash' and an attempt to use script by malicious user
would be recorded as well in the abrtd journal.

Additionally, as com.redhat.idm.trust-fetch-domains will create
ID ranges for the domains of the trusted forest if they don't exist,
it needs permissions to do so. The permission should be granted only
to cifs/ipa.master@IPA.REALM services which means they must have
krbprincipalname=cifs/*@IPA.REALM,cn=services,... DN and be members of
cn=adtrust agents,cn=sysaccounts,... group.

Solves https://bugzilla.redhat.com/show_bug.cgi?id=1250190

Ticket https://fedorahosted.org/freeipa/ticket/5182

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-18 18:48:12 +02:00
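The hardening described in the commit message above, written out as an added Python example (this is not FreeIPA's own trust-fetch-domains script): the forest name is treated as untrusted until it passes a DNS-name check, the resulting keytab path is verified to stay inside the keytab directory, and the old keytab is unlinked before a new one is fetched so stale kvno-1 keys cannot accumulate. The keytab directory, the `<forest>.keytab` naming and the `fetch` callback standing in for ipa-getkeytab are assumptions for illustration.

```python
"""Added example: safe keytab path derivation and refresh for a trusted forest.

Not FreeIPA code. KEYTAB_DIR, the <forest>.keytab naming and the fetch()
callback (a stand-in for running ipa-getkeytab) are assumptions.
"""
import os
import re
import tempfile

# Assumed directory, mirroring the path named in the commit message.
KEYTAB_DIR = "/var/lib/sss/keytabs"

# A forest name is a DNS name: 1..63 char labels of letters, digits and
# hyphens (no leading/trailing hyphen), joined by dots. No '/', no '..',
# no empty labels, so nothing that could change the directory.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_DNS_NAME = re.compile(r"^%s(\.%s)*$" % (_LABEL, _LABEL))


def keytab_path(forest, keytab_dir=KEYTAB_DIR):
    """Return the keytab path for `forest`, or raise ValueError.

    Rejects anything that is not a plain DNS name and, as defence in depth,
    anything whose resolved path would land outside `keytab_dir`.
    """
    if not isinstance(forest, str) or not _DNS_NAME.match(forest):
        raise ValueError("forest name is not a valid DNS name: %r" % (forest,))
    path = os.path.join(keytab_dir, forest.lower() + ".keytab")
    real_dir = os.path.realpath(keytab_dir)
    if os.path.dirname(os.path.realpath(path)) != real_dir:
        raise ValueError("keytab path %r escapes %r" % (path, keytab_dir))
    return path


def refresh_keytab(forest, fetch, keytab_dir=KEYTAB_DIR):
    """Remove any existing keytab for `forest`, then call fetch(path).

    Removing first guarantees the new keytab holds only freshly fetched
    keys; returns True if a stale keytab was removed.
    """
    path = keytab_path(forest, keytab_dir)
    try:
        os.unlink(path)
        removed = True
    except FileNotFoundError:
        removed = False
    fetch(path)
    return removed


def demo():
    """Exercise refresh_keytab in a temporary directory; returns the
    'removed' flags of two consecutive refreshes and the fetched path."""
    calls = []

    def fake_fetch(path):            # stand-in for ipa-getkeytab
        calls.append(path)
        with open(path, "wb") as f:
            f.write(b"constructed keytab bytes")

    with tempfile.TemporaryDirectory() as d:
        first = refresh_keytab("ad.example.test", fake_fetch, keytab_dir=d)
        second = refresh_keytab("AD.Example.Test", fake_fetch, keytab_dir=d)
        return first, second, os.path.basename(calls[-1])


if __name__ == "__main__":
    print(demo())                    # (False, True, 'ad.example.test.keytab')
```

Because the name is validated before it is joined to the directory, a caller-supplied value such as `../../etc/krb5.keytab` is rejected up front rather than relying on the realpath check alone; the second check exists so that loosening the regex later cannot silently reintroduce traversal.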
Fraser Tweedale
6fa14fd21e Add permission for bypassing CA ACL enforcement
Add the "Request Certificate ignoring CA ACLs" permission and
associated ACI, initially assigned to "Certificate Administrators"
privilege.

Update cert-request command to skip CA ACL enforcement when the bind
principal has this permission.

Fixes: https://fedorahosted.org/freeipa/ticket/5099
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-14 14:02:05 +02:00
Martin Basti
5ea41abe98 DNS: Consolidate DNS RR types in API and schema
* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
    These records never worked, they don't have attributes in schema.
    TSIG and TKEY are meta-RRs and should not be in LDAP
    TA is not supported by BIND
    NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be
    in LDAP.
    *! SIG, NSEC are already defined in schema, must stay in API.

* Add HINFO, MINFO, MD, NXT records to API as unsupported records
    These records are already defined in LDAP schema

* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records
    These records were defined in IPA API as unsupported, but schema definition was
    missing. This meant that ACIs could not be created for these records
    and dnszone-find failed. (#5055)

https://fedorahosted.org/freeipa/ticket/4934
https://fedorahosted.org/freeipa/ticket/5055

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-21 17:18:29 +02:00
Tomas Babej
9c5df3cf76 upgrade: Enable and start oddjobd if adtrust is available
If ipa-adtrust-install has already been run on the system,
enable and start the oddjobd service.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-08 17:14:56 +02:00
Alexander Bokovoy
5025204175 trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
Part of https://fedorahosted.org/freeipa/ticket/4959

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Rob Crittenden
ce50630d5e Add ACI to allow hosts to add their own services
Use wildcards and DN matching in an ACI to allow a host
that binds using GSSAPI to add a service for itself.

Set required version of 389-ds-base to 1.3.4.0 GA.

https://fedorahosted.org/freeipa/ticket/4567

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-29 13:41:52 +02:00
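The decision such an ACI has to make, written out as an added Python example so the matching rule can be tested against constructed DNs (this is not FreeIPA's ACI nor its evaluation code; 389-ds evaluates ACIs internally). The ACI shape assumed here is a macro ACI of the form `(target = "ldap:///krbprincipalname=*/($dn)@REALM,cn=services,cn=accounts,SUFFIX")(version 3.0; acl "Hosts can add own services"; allow(add) userdn = "ldap:///fqdn=($dn),cn=computers,cn=accounts,SUFFIX";)`; the suffix `dc=example,dc=test` and realm `EXAMPLE.TEST` are assumptions. The point the check makes explicit is that the service wildcard is bound to the instance part of the principal, which must be exactly the binding host and nothing else.

```python
"""Added example: the host-adds-own-service rule as a testable predicate.

Not FreeIPA code. SUFFIX, REALM and the ACI form quoted in the lead-in are
assumptions; DN values with escaped commas are out of scope here.
"""
import re

SUFFIX = "dc=example,dc=test"   # assumed IPA suffix
REALM = "EXAMPLE.TEST"          # assumed Kerberos realm

# Host entries live under cn=computers, service entries under cn=services.
_HOST_DN = re.compile(r"^fqdn=([^,]+),cn=computers,cn=accounts,(.+)$", re.I)
_SVC_DN = re.compile(r"^krbprincipalname=([^,]+),cn=services,cn=accounts,(.+)$", re.I)
# service/instance@REALM with exactly one '/' and one '@'.
_PRINCIPAL = re.compile(r"^([^/@]+)/([^/@]+)@([^/@]+)$")


def host_may_add_service(bind_dn, service_dn, suffix=SUFFIX, realm=REALM):
    """True iff bind_dn is a host entry in `suffix` and service_dn names a
    service principal in the same suffix whose instance is exactly that
    host's fqdn (case-insensitively) in `realm` (case-sensitively)."""
    host = _HOST_DN.match(bind_dn)
    svc = _SVC_DN.match(service_dn)
    if not host or not svc:
        return False                      # not a host bind, or not a service
    if host.group(2).lower() != suffix.lower():
        return False                      # host entry outside our suffix
    if svc.group(2).lower() != suffix.lower():
        return False                      # target outside our suffix
    m = _PRINCIPAL.match(svc.group(1))
    if not m:
        return False                      # malformed principal name
    _service, instance, prealm = m.groups()
    return instance.lower() == host.group(1).lower() and prealm == realm


def explain(bind_dn, service_dn):
    """Human-readable verdict, handy when reviewing a proposed ACI."""
    ok = host_may_add_service(bind_dn, service_dn)
    return "%s: %s -> %s" % ("ALLOW" if ok else "DENY", bind_dn, service_dn)


if __name__ == "__main__":
    web1 = "fqdn=web1.example.test,cn=computers,cn=accounts," + SUFFIX
    for target in (
        "krbprincipalname=HTTP/web1.example.test@EXAMPLE.TEST,cn=services,cn=accounts," + SUFFIX,
        "krbprincipalname=HTTP/web2.example.test@EXAMPLE.TEST,cn=services,cn=accounts," + SUFFIX,
        "krbprincipalname=HTTP/web1.example.test.evil@EXAMPLE.TEST,cn=services,cn=accounts," + SUFFIX,
    ):
        print(explain(web1, target))
```

Each DENY case corresponds to a way a wildcard-only ACI (`krbprincipalname=*`) would have been too broad: a different host, a hostname that merely has the binding host's fqdn as a prefix, a foreign realm, or a bind that is not a host entry at all.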
Martin Basti
16f47ed452 Fix indices ntUserDomainId, ntUniqueId
ntUserDomainId and ntUniqueId contained the "eq,pres" index value, which is
not valid.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-29 13:40:29 +02:00
Martin Basti
20ffd4b614 Server Upgrade: create default config for NIS Server plugin
Plugin is disabled by default.

This commit prevents false positive upgrade errors.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-18 17:48:36 +02:00
Martin Babinsky
3bea441808 add DS index for userCertificate attribute
'eq' and 'pres' indices for userCertificate attribute allow for more efficient
lookup and matching of binary certificates assigned to users, hosts, and
services.

Part of http://www.freeipa.org/page/V4/User_Certificates

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-18 15:42:03 +02:00