Since OpenSSL 1.1.0 the `req_info` field of X509_REQ structure is
no longer a pointer to X509_REQ_INFO. This results in a crash of
`build_requestinfo` in environments having OpenSSL1.1.0+ (libcrypto).
With this patch, the X509_REQ definition becomes the version dependent.
Both OpenSSL1.0.x and OpenSSL1.1.x are supported.
Fixes: https://pagure.io/freeipa/issue/7937
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
otpclient only imported the urllib parent package, not urllib.request
and urllib.parse subpackages. This may or may not work depending on the
import order of other plugins.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For debugging and testing make it possible to run a simple domain
discovery from the command line
```
$ python3 -m ipaclient.discovery demo1.freeipa.org
realm DEMO1.FREEIPA.ORG (Discovered from LDAP DNS records in ipa.demo1.freeipa.org)
domain demo1.freeipa.org (Discovered LDAP SRV records from demo1.freeipa.org)
basedn dc=demo1,dc=freeipa,dc=org (From IPA server ldap://ipa.demo1.freeipa.org:389)
server ipa.demo1.freeipa.org (Discovered from LDAP DNS records in ipa.demo1.freeipa.org)
servers ['ipa.demo1.freeipa.org']
Success
$ python3 -m ipaclient.discovery freeipa.org
realm None
domain None
basedn None
server None
servers []
NO_LDAP_SERVER
```
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipaclient.discover.IPADiscovery skips LDAP discovery when python-ldap is
not present.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
python-ldap is a Python package with heavy C extensions. In order to
build python-ldap, not only OpenLDAP development headers are necessary,
but also OpenSSL, Cyrus SASL, and MIT KRB5 development headers.
A fully functional ipaclient doesn't need an LDAP driver. It talks JSON
RPC over HTTPS to a server. python-ldap is only used by ipapython.dn.DN
to convert a string to a DN with ldap_str2dn(). The function is simple
and can be wrapped with ctypes in a bunch of lines.
Related: https://pagure.io/freeipa/issue/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Mark the --request-cert option for ipa-client-install as deprecated.
Users are encouraged to request a PEM certificate with certmonger
instead. The option and /etc/ipa/nssdb will be removed in a future
version.
Related: https://pagure.io/freeipa/issue/7492
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
As the FreeIPA server is no longer a NTP service
providing instance its clients and replicas
configuration of time service can not be handled
as it was before change to chrony. Configuration
using master FQDN or autodiscovery for DNS record
would make no difference because every FreeIPA
instance is only chrony client now and does not
update DNS _ntp._udp record.
FreeIPA now asks user for NTP source server
or pool address in interactive mode if there is
no server nor pool specified and autodiscovery
has not found any NTP source in DNS records.
Resolves: https://pagure.io/freeipa/issue/7747
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Since commit 905ab93, ipa-server-install refuses single-label domains,
but older IPA server versions could be installed with a single-label
domain/realm.
ipa-client-install is already refusing single-label domain/realm when
provided to the CLI with --domain / --realm but does not perform the same
check when the domain is discovered.
This commit adds a check to domain names automatically discovered and skips
single-label domains. Same check for realm names.
Fixes: https://pagure.io/freeipa/issue/7598
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Since the moved code is detected as new/modified code, make fastlint is
complaining about PEP 8 violations.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The ipaclient PyPI package does not ship the ipaclient.install
subpackage. The ipaclient.install.ipadiscovery module with IPADiscovery
is now available as ipaclient.discovery, so it can be used by consumers
of PyPI packages.
The module ipaclient.install.ipadiscovery provides a backwards
compatibility shim with deprecation warning.
Fixes: https://pagure.io/freeipa/issue/7861
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Replace get_ldap_uri() + LDAPClient() with new LDAPClient constructors
like LDAPClient.from_realm().
Some places now use LDAPI with external bind instead of LDAP with simple
bind. Although the FQDN *should* resolve to 127.0.0.1 / [::1], there is
no hard guarantee. The draft
https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-04#section-5.1
specifies that applications must verify that the resulting IP is a
loopback API. LDAPI is always local and a bit more efficient, too.
The simple_bind() method also prevents the caller from sending a
password over an insecure line.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
For smart card and certificate authentication, Apache's
mod_lookup_identity module must be able to acess SSSD IFP. The module
accesses IFP as Apache user, not as ipaapi user.
Apache is not allowed to use IFP by default. The update code uses the
service's ok-to-auth-as-delegate flag to detect smart card / cert auth.
See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
pylint 2.2.0 has a new checker for unnecessary pass statements. There is
no need to have a pass statement in functions or classes with a doc
string.
Fixes: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
For smart card authentication, ipaapi must be able to access to sss-ifp.
During installation and upgrade, the ipaapi user is now added to
[ifp]allowed_uids.
The commit also fixes two related issues:
* The server upgrade code now enables ifp service in sssd.conf. The
existing code modified sssd.conf but never wrote the changes to disk.
* sssd_enable_service() no longer fails after it has detected an
unrecognized service.
Fixes: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Some incorrect errors are possible if a client installation
fails and a configuration rollback is required.
These include:
1. Unconfigured automount client failed: CalledProcessError(Command
['/usr/sbin/ipa-client-automount', '--uninstall', '--debug']
returned non-zero exit status 1: '')
Caused by check_client_configuration() not returning the correct
return value (2).
2. WARNING: Unable to revert to the pre-installation state ('authconfig'
tool has been deprecated in favor of 'authselect'). The default sssd
profile will be used instead.
The authconfig arguments would have been: authconfig --disableldap
--disablekrb5 --disablesssdauth --disablemkhomedir
If installation fails before SSSD is configured there is no state
to roll back to. Detect this condition.
3. An error occurred while removing SSSD's cache.Please remove the
cache manually by executing sssctl cache-remove -o.
Again, if SSSD is not configured yet then there is no cache to
remove. Also correct the missing space after the period.
https://pagure.io/freeipa/issue/7729
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Replace six.moves and six.StringIO/BytesIO imports with cannonical
Python 3 packages.
Note: six.moves.input behaves differently than builtin input function.
Therefore I left six.moves.input for now.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
An client-side error occurs when cert commands are instructed to
write the certificate chain (--chain option) to a file
(--certificate-out option). This regression was introduced in the
'cert' plugin in commit 5a44ca6383,
and reflected in the 'ca' plugin in commit
c7064494e5.
The server behaviour did not change; rather the client did not
correctly handle the DER-encoded certificates in the
'certificate_chain' response field. Fix the issue by treating the
'certificate' field as base-64 encoded DER, and the
'certificate_chain' field as an array of raw DER certificates.
Add tests for checking that the relevant commands succeed and write
PEM data to the file (both with and without --chain).
Fixes: https://pagure.io/freeipa/issue/7700
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Python 2 had old style and new style classes. Python 3 has only new
style classes. There is no point to subclass from object any more.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
There is no need to set replica_file to None for client installations.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Commands `ipa ca-show` and `ipa cert-show` share the same code,
this commit updates the former, closing the gap between them.
Reflecting the changes done in 5a44ca6383.
https://pagure.io/freeipa/issue/7628
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Client installation fails if '/etc/krb5.keytab' exists as a zero-length
file. Deleting empty keytab before proceeding with the installation
fixes the problem.
https://pagure.io/freeipa/issue/7625
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The subject base is used as a fallback to find the available
CA certificates during client enrollment if the LDAP connection
fails (e.g. due to new client connecting to very old server) and
for constructing the subject if a certificate is requested.
raw=True is passed to config-show in order to avoid parsing
the server roles which will fail because the services aren't
marked as enabled until after the client installation is
successful on a master.
ipa-join providing the subject base via stderr was fragile and
would cause client enrollment to fail if any other output was
included in stderr.
https://pagure.io/freeipa/issue/7674
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Client installation with --no-sssd option has already beeen deprecated
with https://pagure.io/freeipa/issue/5860. Authconfig support has been
removed, therefore --no-ac option can be removed also.
ipatests/test_integration/test_authselect.py: Skip no_sssd and no_ac tests.
See: https://pagure.io/freeipa/issue/7671
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Regression caused by 947ac4bc1f when
trying to fix a similar issue for clients running Python 3. However,
that fix broke Python 2 clients.
Issue: https://pagure.io/freeipa/issue/7626
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Fix the following violations aiming to support Pylint 2.0
- `unneeded-not` (C0113):
Consider changing "not item in items" to "item not in items" used
when a boolean expression contains an unneeded negation.
- `useless-import-alias` (C0414):
Import alias does not rename original package Used when an import
alias is same as original package.e.g using import numpy as numpy
instead of import numpy as np
- `raising-format-tuple` (W0715):
Exception arguments suggest string formatting might be intended Used
when passing multiple arguments to an exception constructor, the
first of them a string literal containing what appears to be
placeholders intended for formatting
- `bad-continuation` (C0330):
This was already included on the disable list, although with current
version of pylint (2.0.0.dev2) violations at the end of the files
are not being ignored.
See: https://github.com/PyCQA/pylint/issues/2278
- `try-except-raise` (E0705):
The except handler raises immediately Used when an except handler
uses raise as its first or only operator. This is useless because it
raises back the exception immediately. Remove the raise operator or
the entire try-except-raise block!
- `consider-using-set-comprehension` (R1718):
Consider using a set comprehension Although there is nothing
syntactically wrong with this code, it is hard to read and can be
simplified to a set comprehension.Also it is faster since you don't
need to create another transient list
- `dict-keys-not-iterating` (W1655):
dict.keys referenced when not iterating Used when dict.keys is
referenced in a non-iterating context (returns an iterator in
Python 3)
- `comprehension-escape` (W1662):
Using a variable that was bound inside a comprehension Emitted when
using a variable, that was bound in a comprehension handler, outside
of the comprehension itself. On Python 3 these variables will be
deleted outside of the comprehension.
Issue: https://pagure.io/freeipa/issue/7614
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
In order to support pylint 2.0 the following violations must be fixed:
- `chained-comparison` (R1716):
Simplify chained comparison between the operands This message is
emitted when pylint encounters boolean operation like
"a < b and b < c", suggesting instead to refactor it to "a < b < c".
- `consider-using-in` (R1714):
Consider merging these comparisons with "in" to %r To check if a
variable is equal to one of many values,combine the values into a
tuple and check if the variable is contained "in" it instead of
checking for equality against each of the values.This is faster
and less verbose.
Issue: https://pagure.io/freeipa/issue/7614
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Aiming to support pylint 2.0 some functions and methods must have their
return statements updated in order to fix two new violations:
- `useless-return` (R1711):
Useless return at end of function or method Emitted when a single
"return" or "return None" statement is found at the end of function
or method definition. This statement can safely be removed because
Python will implicitly return None
- `inconsistent-return-statements` (R1710):
Either all return statements in a function should return an
expression, or none of them should. According to PEP8, if any return
statement returns an expression, any return statements where no value
is returned should explicitly state this as return None, and an
explicit return statement should be present at the end of the
function (if reachable)
Issue: https://pagure.io/freeipa/issue/7614
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-client-install --request-cert now waits until certmonger has
provided a host certificate. In case of an error, ipa-client-install no
longer pretents to success but fails with an error code.
The --request-cert option also ensures that certmonger is enabled and
running.
See: Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Calls to `os.fsync(f.fileno())` need to be accompained by `f.flush()`.
Commit 8bbeedc93f introduces the helper
`ipapython.ipautil.flush_sync()`, which handles all calls in the right
order.
However, `flush_sync()` takes as parameter a file object with fileno
and name, where name must be a path to the file, this isn't possible
in some cases where file descriptors are used.
Issue: https://pagure.io/freeipa/issue/7251
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
- Add missing executable bits to all scripts
- Remove executable bits from all files that are not scripts,
e.g. js, html, and Python libraries.
- Remove Python shebang from all Python library files.
It's frown upon to have executable library files in site-packages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Python 3 has moved all collection abstract base classes to
collections.abc. Python 3.7 started to deprecate the old aliases.
The whole import block needs to be protected with import-error and
no-name-in-module, because Python 2 doesn't have collections.abc module and
collections.abc.Mapping, while Python 3 doesn't have collections.Mapping.
Fixes: https://pagure.io/freeipa/issue/7609
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Due to how 'openldap-client' parses its configuration files this patch
changes how comments are added, moving them to the line above instead
of appending to the same line.
IPA doesn't want to break existing configuration, if a value already
exists it adds a comment to the modified setting and a note about that
on the line above.
New settings will be added without any note.
Issue: https://pagure.io/freeipa/issue/5202
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Since the switch to authselect, the service oddjobd is not
automatically enabled when ipa client is installed with
--mkhomedir.
The fix makes sure that the service is enabled/started, and
stores the pre-install state in sysrestore.state, in order
to revert to the pre-install state when uninstall is called
Fixes:
https://pagure.io/freeipa/issue/7604
Reviewed-By: Christian Heimes <cheimes@redhat.com>
In CIS hardened mode, the process umask is 027. This results in some
files not being world readable. Ensure that write_certificate_list()
calls in client installer, server installer, and upgrader create cert
bundles with permission bits 0644.
Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The server installer had no console logger set so print
statements were used for communication. Now that a logger
is enabled the extra prints need to be dropped.
A number of logger.info statements have been upgraded
to debug since they do not need to appear on the console
by default.
https://pagure.io/freeipa/issue/6760
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The server installation and uninstallation overlaps both the
server and client installers. The output could be confusing
with a server uninstall finishing with the message:
The ipa-client-install command was successful
This was in part due to the fact that the server was not
configured with a console format and verbose was False which
meant that no logger messages were displayed at all.
In order to suppress client installation errors and avoid
confusion add a list of errors to ignore. If a server install
was not successful and hadn't gotten far enough to do the
client install then we shouldn't complain loudly about it.
https://pagure.io/freeipa/issue/6760
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
On multiple occasions, SRV query answers were not properly sorted by
priority. Records with same priority weren't randomized and shuffled.
This caused FreeIPA to contact the same remote peer instead of
distributing the load across all available servers.
Two new helper functions now take care of SRV queries. sort_prio_weight()
sorts SRV and URI records. query_srv() combines SRV lookup with
sort_prio_weight().
Fixes: https://pagure.io/freeipa/issue/7475
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
authselect needs to be configured with the 'with-sudo' feature (except
when ipa-client-install is called with the option --no-sudo).
https://pagure.io/freeipa/issue/7562
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The command description is taken from python docstring. Thus
commands should have them and should include the callings of
gettext to be translated.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
PR https://github.com/freeipa/freeipa/pull/1747 added the first template
for FreeIPA client package. The template file was added to server
templates, which broke client-only builds.
The template is now part of a new subdirectory for client package shared
data.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa cert_find command has an option called --subject.
The option is documented as --subject=STR Subject.
It is expected that a --subject option searches by X.509 subject field but it does not do so.
It searches for CN not cert subject. Hence changing content of --subject help option.
Resolves: https://pagure.io/freeipa/issue/7322
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The server, replica, and client installer now print the current version
number on the console, before the actual installer starts. It makes it
easier to debug problems with failed installations. Users typically post
the console output in a ticket.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
OpenLDAP has deprecated PORT and HOST stanzes in ldap.conf. The presence
of either option causes FreeIPA installation to fail. Refuse
installation when a deprecated and unsupported option is present.
Fixes: https://pagure.io/freeipa/issue/7418
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
LDAP connections no longer depend on sane settings in global ldap.conf
and use good default settings for cert validation, CA, and SASL canonization.
https://pagure.io/freeipa/issue/7418
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Pylint3 falsely reports warning W1662: using a variable that was bound
inside a comprehension for the cases where the same name is reused for a
loop after the comprehension in question.
Rename the variable in a loop to avoid it.
If the code looks like the following:
arr = [f for f in filters if callable(f)]
for f in arr:
result = result + f()
pylint3 would consider 'f' used outside of comprehension. Clearly, this
is a false-positive warning as the second 'f' use is completely
independent of the comprehension's use of 'f'.
Reviewed-By: Aleksei Slaikovskii <aslaikov@redhat.com>
ipa-client-automount now returns CLIENT_NOT_CONFIGURED when it is
not configured. Handle this in uninstall().
https://pagure.io/freeipa/issue/7396
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
In Python 3, cryptography requires certificate data to be binary. Even
PEM encoded files are treated as binary content.
certmap-match and cert-find were loading certificates as text files. A
new BinaryFile type loads files as binary content.
Fixes: https://pagure.io/freeipa/issue/7520
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Because krb5 silently ignores unrecognized options, this is safe on
all versions. It lands upstream in krb5-1.17; in Fedora, it was added
in krb5-1.6-17.
Upstream documentation can be found in-tree at
https://github.com/krb5/krb5/blob/master/doc/admin/spake.rst
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The authconfig tool is deprecated and replaced by authselect. Migrate
FreeIPA in order to use the new tool as described in the design page
https://www.freeipa.org/page/V4/Authselect_migration
Fixes:
https://pagure.io/freeipa/issue/7377
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
OpenSSL requires attribute short names ("CN", "O", etc) to be in
upper case, otherwise it fails to add the attribute. This can be
triggered when FreeIPA has been installed with --subject-base
containing a lower-case attribute shortname (e.g.
--subject-base="o=Red Hat").
Explicitly convert the attribute type string to an OID
(ASN1_OBJECT *). If that fails, upper-case the type string and try
again.
Add some tests for the required behaviour.
Fixes: https://pagure.io/freeipa/issue/7496
Reviewed-By: Christian Heimes <cheimes@redhat.com>
As a convenience for using it with the test suite, update the csrgen
OpenSSLAdaptor class to support initialisation with a
python-cryptography key object, rather than reading the key from a
file.
Part of: https://pagure.io/freeipa/issue/7496
Reviewed-By: Christian Heimes <cheimes@redhat.com>
csrgen error handling marshalls an error string from libcrypto.
This is not handled correctly under python3. Fix the error
handling.
Part of: https://pagure.io/freeipa/issue/7496
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The IPA client installer currently edits /etc/openldap/ldap.conf, setting up
the client to consume LDAP data from IPA. It currently sets:
URI
BASE
TLS_CACERT
This PR makes ipa-client to add this AV pair:
SASL_MECH GSSAPI
Resolves: https://pagure.io/freeipa/issue/7366
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The modules ipaclient.csrgen and ipaclient.csrgen_ffi are expensive to load,
but rarely used. On demand loading speeds up ipa CLI by about 200ms.
Fixes: https://pagure.io/freeipa/issue/7484
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
When there was no ntp-server option specified configuration
of chrony was skipped even in case that there was ntp-pool
option passed to the installation of client/server.
Moved duplicates of prints from client to server.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Moves chrony enablement and sync attempt to new method
so chrony will be enabled even when not configured.
Add logger info about skipping configuration to client's
installation when not on master and -N is used.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
FreeIPA will always force chrony service and disable any
other conflicting time synchronization daemon.
Add --ntp-server option to server manpage and note to NTP pool option.
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Remove NTP server role from config.py.
Remove uneccesary variables and replaced untrack_file with restore_file.
Update typo in manpages and messages printed while installing.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Removing ntpd configuration files and entry from LDAP.
Add parameter and rename method for restoring forced time
services. Addressing some requests for change too.
Remove unused path for chrony-helper.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
FreeIPA Server and Client now support option for chrony
configuration --ntp-pool.
This option may be used with option --ntp-server.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This will change behaviour that FreeIPA server will be no more
ntpd server and time service is no longer part of FreeIPA topology.
As dependency for ntpd was completely removed, and there is only
dependency for chrony, FreeIPA will configure every host to
became chronyd service's clients.
FreeIPA have not supported --ntp-server option now it must to
support client configuration of chrony.
Configuration of chrony is moved to client-install therefore
NTP related options are now passed to the ipa-client-install
script method sync_time which now handles configuration of chrony.
Server installation has to configure chrony before handling
certificates so there is call to configure chrony outside of
using server's statestore and filestore.
Removed behavior that there is always --no-ntp option set.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Completely remove ipaserver/install/ntpinstance.py
This is no longer needed as chrony client configuration
is now handled in ipa-client-install.
Part of ipclient/install/client.py related to ntp configuration
has been refactored a bit to not lookup for srv records
and/or run chrony if not necessary.
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The SSSD cache is not cleared when uninstalling an IPA client. For tidiness we should wipe the cache. This can be done with sssctl.
Note that this tool is in sssd-tools which is not currently a dependency.
Resolves: https://pagure.io/freeipa/issue/7376
Reviewed-By: Christian Heimes <cheimes@redhat.com>
`data` is bytes but we were opening the "--out" file as
a text.
https://pagure.io/freeipa/issue/7430
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add storage='NSSDB' to various places. It makes it a bit easier to track
down NSSDB usage.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Since mod_ssl is using the /etc/ipa/ca.crt for its source
of the CA chain, we don't need to update the HTTPD NSS
database anymore (since it does not really exist).
https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.
The fix simplifies Darix's port of freeIPA on openSuSE.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa rpc server did set the LANG environment variable on each
request and it was not thread safe which led to unpredictable
mixed languages output. Also, there were mistakes regarding
setting the Accept-Language HTTP header.
Now on each request we're setting the "languages" property
in the context thread local variable and client is setting
the Accept-Language HTTP header correctly.
Also, as the server is caching the schema and the schema can
be generated for several languages it's good to store different
schema fingerprint for each language separately.
pagure: https://pagure.io/freeipa/issue/7238
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
for/else makes only sense when the for loop uses break, too. If the for
loop simply returns on success, then else is not necessary.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This will show the status of the files during an installation.
This is particularly important during a replica install where
default.conf gets written several times.
Fixes: https://pagure.io/freeipa/issue/7218
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Vault's encrypt and decrypt helper function take either symmetric or
public/private key. Raise an exception if either both or none of them
are passed down.
See https://pagure.io/freeipa/issue/7326
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
Add consistent return to all functions and methods that are covered by
tox -e pylint[23]. I haven't checked if return None is always a good
idea or if we should rather raise an error.
See: https://pagure.io/freeipa/issue/7326
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Because classmethod and staticmethod are just fancy ways of calling
plain old functions, turn the classmethods and staticmethods of
CertUpdate into plain old functions.
This improves readability by making it clear that the behaviour of
the routines cannot depend on instance or class variables.
Part of: https://pagure.io/freeipa/issue/6577
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The guts of ipa-certupdate are useful to execute as part of other
programs (e.g. as a first step of ipa-ca-install). Refactor
ipa_certupdate.CertUpdate to make it easy to do that. In
particular, make it possible to use an already-initialised API
object.
Part of: https://pagure.io/freeipa/issue/6577
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Prepare CertDB and NSSDatabase to support sqlite DB format. NSSDatabase
will automatically detect and use either old DBM or new SQL format. Old
databases are not migrated yet.
https://pagure.io/freeipa/issue/7049
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
We don't need the strip_header() function, to load an unknown
x509 certificate, load_unknown_x509_certificate() should be used.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
cffi throws warnings during the implicit cast from char * to
unsigned char * since the support of these casts is nearing
its end of life.
https://pagure.io/freeipa/issue/7131
Previously, CSRs were handled as a Str parameter which brought
trouble to Python 3 because of its more strict type requirements.
We introduce a CertificateSigningRequest parameter which allows to
use python-cryptography x509.CertificateSigningRequest to represent
CSRs in the framework.
https://pagure.io/freeipa/issue/7131
cert_get_requestdata() method is meant for internal use only and
is never passed a file. Make its parameter public_key_info Bytes
to better represent what's actually being passed to it.
https://pagure.io/freeipa/issue/7131
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.
The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
cmd.api.Command.dnsrecord_split_parts expects name to be unicode
string and instead gets ascii. It leads to an error:
ipa: ERROR: invalid 'name': must be Unicode text
This commit's change is casting name's type to unicode so
'ipa dnsrecord-mod' will not fail with error above.
https://pagure.io/freeipa/issue/7185
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
We're applying bytes regex on the result of a command but were
using decoded stdout instead of raw.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
RawConfigParser.readfp() method is deprecated and throws
DeprecationWarning in python 3 during uninstall.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The `module.register` member is added just a few lines
before pylint warns there's none such thing.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Support both openssl 1.0 and 1.1 APIs where sk_* functions got prefixed
with OPENSSL_ in the latter version.
Since referencing a symbol from a dynamically loaded library generates
exception, use the AttributeError exception to catch it and fall back to
the older method.
Fixes https://pagure.io/freeipa/issue/7110
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
