Commit Graph

755 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
f3cd85ea81 freeipa.spec: bump the required version of 389ds
In order to get the fix for sync_repl, the following versions
are required:
on fedora32: 1.4.3.19-1
on fedora33 and above: 1.4.4.12-1
on rhel 8.4: 1.4.3.16-11

Note: the fix is not available yet on fedora32 as the build has
been marked as obsolete due to a pkispawn regression
(https://github.com/dogtagpki/pki/issues/3458).
The version will need to be updated in a later commit.

Fixes: https://pagure.io/freeipa/issue/8496
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-02-25 14:42:01 +01:00
Troy Dawson
d11acaf4d3 platform-python only on RHEL8
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-23 11:54:30 -05:00
Rob Crittenden
146db28e50 Set pki-core dependency to 10.3.3 for pki-server cert-fix bug
Related: https://github.com/dogtagpki/pki/issues/3387
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-18 16:41:03 +01:00
Stanislav Levin
778ef95916 rpm-spec: Require crypto-policies-scripts
`update-crypto-policies` tool from RPM package `crypto-policies-scripts`
is required for tests.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-15 09:54:51 +02:00
Rob Crittenden
bf06579895 Add RHEL 9 UI branding patch reference
The UI in RHEL has a different set of logos and different
background colors. Some direct adjustments were made that
are not buildable so apply them as a patch.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-09 09:49:22 -05:00
François Cami
fcfefe0a26 freeipa.spec: client: depend on libsss_sudo and sudo
On 10.10+ releases of Dogtag, the PKI installer will not depend
on sudo anymore. This opens the possibility of creating IPA servers
without a properly configured sudo.
In fact, even IPA clients should have sudo and libsss_sudo installed
in most cases, so add a weak dependency on both of them to the client
subpackage.
Also make sure libsss_sudo is installed if sudo is present.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2021-02-04 14:28:45 +01:00
Sergey Orlov
7363c4b203 ipatests: add a tests-oriented wrapper for pexpect module
The pexpect module can be used for controlling and testing interactive
command-line programs. The wrapper adds testing-oriented features like
logging and automatic process termination and default check for process
exit status.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-02-03 09:06:12 +02:00
Rob Crittenden
767232b478 Remove support for csrgen
This was never feature complete and currently has issues and
we lack the resources to maintain it.

Drop it for now. It can be revived from git history in the
future if we see the need.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-21 13:51:45 +01:00
Alexander Bokovoy
29f9041b1d Correct SELinux policy requirements
freeipa-selinux subpackage is used by both client and server but
requires freeipa-server subpackage unconditionally. This needs to be
removed.

Originally, upstream spec file did not have this bug. It was brought
in with unification of the specfiles.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1883005

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2020-12-04 22:17:43 +02:00
Rob Crittenden
469274fafa Enable the ccache sweep systemd timer
The associated service doesn't need to be enabled. Enabling the
timer is suffient for it to execute. It requires the timers
service so will be ready automatically to run on the configured
period.

https://pagure.io/freeipa/issue/8589

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-03 16:57:01 -05:00
Rob Crittenden
c6644b8566 Generate a unique cache for each connection
Rather than having a shared ccache per user, configure
mod_auth_gssapi to create a unique one. This requires cleanup
to remove expired caches. A new script is added,
ipa-ccache-sweeper to do this. It will be invoked by a
new service, ipa-ccache-sweep, which will be executed every
12 hours by an equally-named timer.

https://pagure.io/freeipa/issue/8589

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-03 16:57:01 -05:00
Alexander Bokovoy
5ef2d717fc freeipa.spec.in: unify spec files across upstream RHEL, and Fedora
In order to reduce maintenance burden and to be able to use automatic
build tools, bring up the differences between RPM spec files in
upstream, RHEL, and Fedora to a minimum.

This gives us an opportunity to:

- start using proper conditional macros (%bcond_with/%bcond_without)
- remove old cruft where Fedora 31+ and RHEL8+ are already the same
- remove Group lines which already deprecated in Fedora packaging
  policy
- remove buildroot cleanup
- support release candidate designations: mostly affects downstreams but
  it is better to have macro support in the common spec file.

There is also a special handling of the %SOURCE1 (detached tarball
signature). In developer builds we wouldn't have the signature generated
but RPM needs all files mentioned as sources and patches to exist. The
solution is to filter out detached signature if the final component of
the IPA_VERSION starts with 'dev'. This should cover both in-source
builds (also used in Azure CI and COPR) and PR CI.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2020-12-03 12:58:55 -05:00
Rob Crittenden
6816de0892 Require PKI 10.10+ for KRA profile and ACME support
https://pagure.io/freeipa/issue/8545
https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-12-01 12:56:03 +01:00
Alexander Bokovoy
39d0dd332c spec: use pkgconf to find out krb5 version
In Fedora 33 RPM migrated to use SQLITE as its database format. When
COPR builders run on Fedora 33 and build a package for older Fedora
version that uses RPM with BDB backend, RPM inside the build environment
will not be able to open its own database (SQLITE).

Replace use of RPM to discover krb5 version by use of pkgconf which
provides the same output but doesn't need to look into RPM database.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Robbie Harwood
2e382cdd02 Drop upper bound on krb5 version in freeipa.spec
This check is no longer needed now that krb5 exports the KDB version.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-17 18:48:24 +02:00
Rob Crittenden
3fc2eda4e1 Require libpwolicy and configure it in the build system
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Florence Blanc-Renaud
fbd7d77189 rpmspec: ensure ipa snippet for sshd is always included
Whn openssh-server > 8.2 is installed, ipa rpmspec moves its
configuration directives to /etc/ssh/sshd_config.d/04-ipa.conf
but doesn't check that the 04-ipa.conf is included from
/etc/ssh/sshd_config.

The fixes ensures that the snippet is always included, either
through the line Include /etc/ssh/sshd_config.d/*.conf or
directly with Include /etc/ssh/sshd_config.d/04-ipa.conf

Fixes: https://pagure.io/freeipa/issue/8535
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-13 10:03:47 +02:00
Christian Heimes
6ba5a6a46e Require(post) systemd with resolved enabled on F33
FreeIPA's systemd-resolved integration for Fedora 33 depends on a
working and fully configured systemd-resolved service. Ensure that
systemd's post installation RPM hook runs before FreeIPA's post hook.

Note: Other systemd version numbers are current versions on Fedora 32 and
RHEL 8.2.0.

Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-08 08:32:08 +02:00
Christian Heimes
69ebe41525 Fix nsslapd-db-lock tuning of BDB backend
nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config
entry to cn=bdb subentry. Manual patching of dse.ldif was no longer
working. Installations with 389-DS 1.4.3 and newer are affected.

Low lock count can affect performance during high load, e.g. mass-import
of users or lots of concurrent connections.

Bump minimal DS version to 1.4.3. Fedora 32 and RHEL 8.3 have 1.4.3.

Fixes: https://pagure.io/freeipa/issue/8515
See: https://pagure.io/freeipa/issue/5914
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-09-24 17:03:00 +02:00
Christian Heimes
644bd0e46b Make git a build requirement
FreeIPA uses git in its build process. In the past git was automatically
pulled in. On Fedora 33 builds are failing because git is missing.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-09-23 14:49:56 +02:00
Rob Crittenden
84bbf68781 Require a matching server package for the selinux subpackage
Ensure that the selinux subpackage is upgraded along with the
rest of IPA if it is built.

https://pagure.io/freeipa/issue/8511

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-09-22 19:30:03 -04:00
Fraser Tweedale
c0461eb37c spec: require pki-acme if pki-ca >= 10.10
We can use conditional dependencies (described at [1]) to require
the pki-acme package if pki-ca >= 10.10.0 (the version at which the
ACME service was separated to a subpackage).

[1] https://rpm.org/user_doc/boolean_dependencies.html

I have tested this with repos having only pki-10.9.x (and therefore
no pki-acme package), and dnf is happy.  I have also testing package
installation with pki-10.10 packages installed, but /without/
pki-acme installed. pki-acme was seen as a missing dependency and
installed alongside the freeipa packages.  This change seems to
satisfy all the scenarios.

Related: https://github.com/dogtagpki/pki/pull/513
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-09-18 14:17:03 -04:00
Rob Crittenden
cfad7af35d Require at least 1.6Gb of available RAM to install the server
Verify that there is at least 1.6Gb of usable RAM on the system. Swap
is not considered. While swap would allow a user to minimally install
IPA it would not be a great experience.

Using any proc-based method to check for available RAM does not
work in containers unless /proc is re-mounted so use cgroups
instead. This also handles the case if the container has memory
constraints on it (-m).

There are envs which mount 'proc' with enabled hidepid option 1
so don't assume that is readable.

Add a switch to skip this memory test if the user is sure they
know what they are doing.

is_hidepid() contributed by Stanislav Levin <slev@altlinux.org>

https://pagure.io/freeipa/issue/8404

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2020-09-14 09:17:33 +03:00
Stanislav Levin
f3d1087130 deps: Require nss-tools for make's fasttest target
Otherwise, tests fail with:
```
E               FileNotFoundError: [Errno 2] No such file or directory: '/usr/bin/certutil'
...
=================================== short test summary info ===================================
FAILED test_ipapython/test_certdb.py::test_dbm_tmp - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_sql_tmp - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_convert_db - FileNotFoundError: [Errno 2] No such...
FAILED test_ipapython/test_certdb.py::test_convert_db_nokey - FileNotFoundError: [Errno 2] N...
FAILED test_ipapython/test_certdb.py::test_auto_db - FileNotFoundError: [Errno 2] No such fi...
FAILED test_ipapython/test_certdb.py::test_delete_cert_and_key - FileNotFoundError: [Errno 2...
FAILED test_ipapython/test_certdb.py::test_check_validity - FileNotFoundError: [Errno 2] No ...
...
```

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-31 09:46:03 +03:00
Stanislav Levin
53b341f94b spec: Bump required openssl-pkcs11 and softhsm
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00
Stanislav Levin
173cd9b91b spec: Require ldns-utils
drill util helps to get information about DNSSEC for testing.

Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-08-31 09:42:31 +03:00
Stanislav Levin
03a5e5f35f spec: Move ipa-cldap plugin out to freeipa-server-trust-ad package
This ns-slapd plugin is used as a CLDAP server which responses to
AD DCs with an information about IPA domain. So, logically it
belongs to freeipa-server-trust-ad package.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-17 10:46:23 +02:00
Stanislav Levin
777147e051 rpm-spec: Don't fail on missing /etc/ssh/ssh_config
openssh-clients is not a strict requirement of freeipa-client
package and if it's missing then this case should be handled in
post scriptlet of freeipa-client package. Otherwise, the remaining
part of that scriptlet will not be run at all.

Fixes: https://pagure.io/freeipa/issue/8459
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-08-17 10:40:44 +02:00
Stanislav Levin
2b85bfb030 Azure: Switch to dockerhub provider
`registry.fedoraproject.org/f32/fedora-toolbox` image is used to build
packages on Azure Pipelines.

registry.fedoraproject.org experiences an availability problem and makes
unstable FreeIPA CI.

Fedora also distributes its official images on https://hub.docker.com/_/fedora.
`fedora:32` is already used by FreeIPA CI to build the image for tests.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-08-07 17:49:31 +03:00
Rob Crittenden
d7a4756dac Create a common place to retrieve facts about an IPA installation
This is common to both client and server. Start with whether the
client or server is configured.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-08-06 14:11:27 +02:00
Stanislav Levin
c81cac70ac pylint: Fix warning and error
- fixed W0612(unused-variable)
- added missing dependency on python-yaml

Fixes: https://pagure.io/freeipa/issue/8442
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-08-04 13:47:28 -04:00
Fraser Tweedale
a83eaa8b6d acme: add certbot dns script
Add a script to use as a certbot hook for satisfying the dns-01
challenge.  It will be used during testing, and may be useful or
instructive for users of FreeIPA.

It is installed as part of the freeipa-client package under
/usr/libexec/ipa/acme.  Future ACME-related scripts can be added in
the same place.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-07-10 08:33:22 -04:00
Fraser Tweedale
083c6aedc6 acme: add ipa-acme-manage command
Add the ipa-acme-manage command which can be used to enable or
disable the IPA ACME service.  It must be used on each server.  In
the future we will implement deployment-wide configuration
(including enable/disable) of the ACME service via IPA API, with
configuration stored in and replicated by LDAP.  But until then, we
need a simple command for administrators to use.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-07-10 08:33:22 -04:00
Peter Keresztes Schmidt
f6940772dd ipa-join: select {JSON,XML}-RPC at build time
Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Peter Keresztes Schmidt
25205f44a1 ipa-join: switch to jansson for json handling
Additionally JSON-RPC should bail out if host is already joined.
Check HTTP status of JSON-RPC request and report 401 Unauthorized error explicitly.

Related: https://pagure.io/freeipa/issue/7966
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-09 14:17:47 +03:00
Alexander Scheel
a087d82e78 Specify cert_paths when calling PKIConnection
PKIConnection now defaults to specifying verify=True. We've introduced
a new parameter, cert_paths, to specify additional paths (directories or
files) to load as certificates. Specify the IPA CA certificate file so
we can guarantee connections succeed and validate the peer's certificate.

Point to IPA CA certificate during pkispawn

Bump pki_version to 10.9.0-0.4 (aka -b2)

Fixes: https://pagure.io/freeipa/issue/8379
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
Related: https://github.com/dogtagpki/pki/pull/443
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-07-08 11:50:37 +02:00
Florence Blanc-Renaud
9858e8636f Bump requires for selinux-policy
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1820298
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-07-01 08:14:17 +02:00
François Cami
6efe991797 EPN: ship the configuration file.
Ship and install /etc/ipa/epn.conf.
Minor fixes to the associated man page.

Fixes: https://pagure.io/freeipa/issue/8374
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-25 15:20:21 +02:00
Christian Heimes
1144da5d94 RHEL 8.3 has KRB5 1.18 with KDB 8.0
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-24 13:49:14 +02:00
Florence Blanc-Renaud
511f5194dc client install: fix broken sshd config
If ipa client was installed with openssh-server >= 8.2, the
configuration parameters for sshd were put in /etc/ssh/sshd_config
instead of in a snippet in /etc/ssh/sshd_config.d.
Upgrade to this new ipa version fixes the sshd conf by
moving the params to the snippet.

Related: https://pagure.io/freeipa/issue/8304
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-23 11:11:46 +02:00
Christian Heimes
6e3346f0a7 Use old uglifyjs on RHEL 8
RHEL 8 buildroot does not have python3-rjsmin yet. Fall back to
uglifyjs.

See: https://pagure.io/freeipa/issue/8300
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-19 08:40:15 +02:00
Christian Heimes
5a3b5f3aff Build ipa-selinux package on RHEL 8
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-17 13:38:59 +02:00
Christian Heimes
a18d406b56 Move ipa-epn systemd files and run RPM hooks
The init/systemd directory is for server only and not part of
CLIENT_ONLY builds.

It's necesary to run pre/post installation hooks to make systemd aware
of new files.

Fixes: https://pagure.io/freeipa/issue/8367
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-11 17:27:31 +02:00
Christian Heimes
f52a15b808 Overhaul bind upgrade process
/etc/named.conf is now owned by IPA. The file is overwritten on
installation and all subsequent updates. All user modification will be
lost. Config file creation and update use the same code paths.

This simplifies upgrade process a lot. There is no errprone fiddling
with config settings any more.

During upgrade there is a one-time backup of named.conf to
named.conf.ipa-backup. It allows users to salvage their customization
and move them to one of two user config files which are included by
named.conf.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-10 16:07:07 +02:00
Rob Crittenden
03caa7f965 Add a jinja2 e-mail template for EPN
Add options for character set (default utf8) and message
subtype (default plain). This will allow for more control
for users to do either HTML mail or use ascii for the character
set so the attachment is not base64-encoded to make it easier
for all mail clients.

Collect first and last name as well for each user in order to
provide more options for the template engine.

Make the From address configurable, defaulting to noreply@ipa_domain
Make Subject configurable too.

Don't rely on the MTA to set Message-Id: set it using the email
module.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-09 08:43:45 +02:00
François Cami
b8886c3e97 IPA-EPN: First version.
EPN stands for Expiring Password Notification. It is a standalone
tool designed to build a list of users whose password would expire
in the near future, and either display the list in a machine-readable
format, or send email notifications to these users.

EPN provides command-line options to display the list of affected users.
This provides data introspection and helps understand how many emails
would be sent for a given day, or a given date range.
The command-line options can also be used by a monitoring system to alert
whenever a number of emails over the SMTP quota would be sent.

EPN is meant to be launched once a day from an IPA client (preferred)
or replica from a systemd timer.

EPN does not keep state. The list of affected users is built at runtime
but never kept.

TLS/STARTTLS SMTP code is untested and unlikely to work as-is.

Parts of code contributed by Rob Crittenden.
Ideas and feedback contributed by Christian Heimes and Michal Polovka.

Fixes: https://pagure.io/freeipa/issue/3687
Signed-off-by: François Cami <fcami@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-09 08:43:45 +02:00
Christian Heimes
be47ec9799 libotp: Replace NSS with OpenSSL HMAC
Use OpenSSL's HMAC API instead of NSS.

Fixes: Fixes: https://pagure.io/freeipa/issue/6857
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-08 20:04:18 +03:00
Peter Keresztes Schmidt
a5cbdb57e5 Split named custom config to allow changes in options stanza
Upgrade path to add additional include to named.conf is not handled.

Remove bindkeys-file directive from named config
The ISC DVL service was shut down (https://www.isc.org/bind-keys/).
BIND versions since April 2017 (i.e. 9.9.10, 9.10.5, 9.11.1 and later)
include a hard-coded copy of the root KSK which gets updates automatically
according to RFC 5011.

Move dnssec-enable directive to custom named config

Move comment named config being managed by FreeIPA to the top

Move settings which could be changed by administrators to
ipa-options-ext.conf. Settings defined there are sole responsibility of the
administrator. We do not check if they might collide with our settings in
named.conf.

Fixes: https://pagure.io/freeipa/issue/8287
Co-authored-by: Peter Keresztes Schmidt <carbenium@outlook.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-08 15:53:40 +03:00
Alexander Bokovoy
23a49538f1 ipa-print-pac: acquire and print PAC record for a user
Helper utility to investigate PAC content of users in trusted
environments. Supports direct ticket acquisition and S4U2Self protocol
transition.

1. Direct ticket acquisition

In direct ticket acquisition mode the utility first does one of the
following actions:
 - obtain a TGT ticket for a user principal using supplied password
 - import existing TGT from a default credentials cache

Once a user TGT is available, the utility will attempt to acquire a service
ticket to a service which key is specified in a keytab (default or
passed with --keytab option) and simulate establishing context to the
service application.

If establishing context succeeds, MS-PAC content of the service ticket
will be printed out.

2. S4U2Self protocol transition

In protocol transition case a service application obtains own TGT using
a key from the keytab and then requests a service ticket to itself in
the name of the user principal, performing S4U2Self request.

If accepting this service ticket succeeds, MS-PAC content of the service
ticket will be printed out.

If KDC does not support or rejects issuing MS-PAC record for a user, an
error message 'KDC has no support for padata type' will be printed.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
Alexander Bokovoy
d986e844bb WebUI: use python3-rjsmin to minify JavaScript files
Fedora 33+ deprecated uglify-js. There are other alternatives which seem
to be fine for the minify task. Use python-rjsmin instead.

Fixes: https://pagure.io/freeipa/issue/8300
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-05-12 09:50:28 +02:00