Commit Graph

14450 Commits

Author SHA1 Message Date
Rob Crittenden
c8f13cd855 ipatests: Add tests for requiring ipa-ca SAN when ACME is enabled
Test that:

1. With ACME enabled, SAN is required
2. With ACME disabled, SAN is not required

Also verify the ipa-acme-manage status command.

https://pagure.io/freeipa/issue/8498

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 14:01:05 -05:00
Rob Crittenden
e0ff82c884 Change the return codes of ipa-acme-manage
Traditionally in IPA 0 = success, 1 = error and then
specific error messages follow from that. Shift the
ipa-acme-manage return codes for "not installed" and
"not a CA" up by one.

https://pagure.io/freeipa/issue/8498

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 14:01:05 -05:00
Rob Crittenden
2768b0dbaf Require an ipa-ca SAN on 3rd party certs if ACME is enabled
ACME requires an ipa-ca SAN to have a fixed URL to connect to.
If the Apache certificate is replaced by a 3rd party cert then
it must provide this SAN otherwise it will break ACME.

https://pagure.io/freeipa/issue/8498

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 14:01:05 -05:00
Mark Reynolds
9c4785f042 Reorder creation of the CA mapping tree and database backend
New validation efforts in 389-ds-base require that the backend entry for
a database be created before the mapping tree entry. This enforces that
the mapping tree entry (the suffix) actually belongs to an existing backend.

For IPA we simply need to reverse the order of the backend vs mapping tree
creation in cainstance.py -> __create_ds_db()

Fixes: https://pagure.io/freeipa/issue/8558
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-02 13:42:37 -05:00
Sudhir Menon
43ea80ae91 ipatests: Fix for test_ipahealthcheck_ds_encryption
Nightly test failure was seen for test_ipahealthcheck_ds_encryption
The test was failing since @pytest.fixture was not specified before
the function modify_tls

Ref: https://pagure.io/freeipa/issue/8560
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-11-02 17:34:38 +01:00
Rob Crittenden
d4ef64b229 ipatests: Collect the let's encrypt log
Collect the let's encrypt client log for any potential
debug purposes.

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 10:43:57 -05:00
Mohammad Rizwan
e7fd791579 ipatests: Check if ACME is enabled on all CA servers
Test if ACME service is enabled on replica if eabled on
server. This is to check the centralize enable/disable
from single host.

ipatests: Test if ACME is enabled on replica when converted from CA-less to CA-full

Deployment where one server is deployed as CA-less and acme is enabled, when converted
to CA full, should have ACME enabled by default.

ipatests: Test ACME with CA-less replica when converted to CA-full

Deployment have one ca-less replica and ACME is not enabled.
After converting ca-less replica to ca-full, ACME can be
enabled or disabled.

related:
https://pagure.io/freeipa/issue/8524

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 10:43:57 -05:00
Rob Crittenden
69ae48c8b6 Add a status option to ipa-acme-manage
It's handy in general and good for testing to be able to
detect the current ACME status without having to revert
to using curl.

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 10:43:57 -05:00
Rob Crittenden
92c3ea4e29 Don't install ACME if full support is not available
The initial ACME support required that each server individually
enable/disable the service. PKI 10.10.0 stores this state in LDAP
so global enable/disable is available and the IPA code relies on
this.

Parse the VERSION file shipped with PKI to determine the version.

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 10:43:57 -05:00
Rob Crittenden
c0d55ce6de Centralize enable/disable of the ACME service
The initial implementation of ACME in dogtag and IPA required
that ACME be manually enabled on each CA.

dogtag added a REST API that can be access directly or through
the `pki acme` CLI tool to enable or disable the service.

It also abstracted the database connection and introduced the
concept of a realm which defines the DIT for ACME users and
groups, the URL and the identity. This is configured in realm.conf.

A new group was created, Enterprise ACME Administrators, that
controls the users allowed to modify ACME configuration.

The IPA RA is added to this group for the ipa-acme-manage tool
to authenticate to the API to enable/disable ACME.

Related dogtag installation documentation:
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Database.md
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Realm.md
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Installing_PKI_ACME_Responder.md

ACME REST API:
https://github.com/dogtagpki/pki/wiki/PKI-ACME-Enable-REST-API

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 10:43:57 -05:00
Rob Crittenden
e13d058a06 Let dogtag.py be imported if the api is not initialized
This allows non-plugin components to import the RestClient
classes.

Removed code that only imported pki if in_server was True. This
was legacy code from when the plugins were also loaded in the
client.

Left the ra_plugin stanza for now. This is part of the old
abstraction that allowed for different CA plugins.

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 10:43:57 -05:00
Rob Crittenden
2ef53196c6 Enable importing LDIF files not shipped by IPA
This is to be able to import ACME schema provided by dogtag.

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 10:43:57 -05:00
Sudhir Menon
686414d201 ipatests: ipa-healthcheck test for DS RIPluginCheck
This testcase modifies the update value set on RI Plugin
to -1 as a result checks that RIPluginCheck reports warning message

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-11-02 11:24:12 +01:00
Sudhir Menon
b8a2a0f301 ipatests: ipa-healthcheck test for EncryptionCheck
This testcase checks that EncryptionCheck reports ERROR status when DS tls version is
modified to TLS1.0

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-10-30 15:24:03 -04:00
Alexander Bokovoy
563d0a0729 rpcserver: fix exception handling for FAST armor failure
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-30 19:06:11 +02:00
Sudhir Menon
9a41966a25 ipatests: ipa-healthcheck test for DS BackendsCheck
This testcase checks that the BackendsCheck reports
the CRITICAL status when dse.ldif present in the
DS instance directory is renamed/moved.

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-10-30 12:52:01 -04:00
Sudhir Menon
abefd6e19b ipatests: ipa-healthcheck fixes for tests running on RHEL
Below tests have been modified accordingly

TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_owner
TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_group
TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_too_restrictive
TestIpaHealthCheckFileCheck::test_ipa_filecheck_too_permissive
TestIpaHealthCheckFileCheck::test_nssdb_filecheck_bad_owner
TestIpaHealthCheckWithExternalCA::test_opensslchainvalidation_ipa_ca_cert
TestIpaHealthCheckWithExternalCA::test_nsschainvalidation_ipa_invalid_chain
TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_iparaagent
TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_iparaagent_bad_serial

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-10-30 12:50:22 -04:00
Alexander Bokovoy
b8b46779dc rpcserver: fallback to non-armored kinit in case of trusted domains
MIT Kerberos implements FAST negotiation as specified in RFC 6806
section 11. The implementation relies on the caller to provide a hint
whether FAST armoring must be used.

FAST armor can only be used when both client and KDC have a shared
secret. When KDC is from a trusted domain, there is no way to have a
shared secret between a generic Kerberos client and that KDC.

[MS-KILE] section 3.2.5.4 'Using FAST When the Realm Supports FAST'
allows KILE clients (Kerberos clients) to have local settings that
direct it to enforce use of FAST. This is equal to the current
implementation of 'kinit' utility in MIT Kerberos requiring to use FAST
if armor cache (option '-T') is provided.

[MS-KILE] section 3.3.5.7.4 defines a way for a computer from a
different realm to use compound identity TGS-REQ to create FAST TGS-REQ
explicitly armored with the computer's TGT. However, this method is not
available to IPA framework as we don't have access to the IPA server's
host key. In addition, 'kinit' utility does not support this method.

Active Directory has a policy to force use of FAST when client
advertizes its use. Since we cannot know in advance whether a principal
to obtain initial credentials for belongs to our realm or to a trusted
one due to enterprise principal canonicalization, we have to try to
kinit. Right now we fail unconditionally if FAST couldn't be used and
libkrb5 communication with a KDC from the user realm (e.g. from a
trusted forest) causes enforcement of a FAST.

In the latter case, as we cannot use FAST anyway, try to kinit again
without advertizing FAST. This works even in the situations when FAST
enforcement is enabled on Active Directory side: if client doesn't
advertize FAST capability, it is not required. Additionally, FAST cannot
be used for any practical need for a trusted domain's users yet.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-10-30 12:48:22 -04:00
Alexander Bokovoy
9ba0494c26 pylint: remove unused variable
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-10-30 12:48:22 -04:00
Rob Crittenden
2f8eb73f58 Use a state to determine if a 389-ds upgrade is in progress
When applying update files to 389 the listeners are disabled.
There is a large try/except around this so that if a failure
happens then the configuration should be automatically
restored.

We've seen multiple cases where this doesn't occur. Best guess
is that users are killing or ^C breaking out of the script.

What happens in that case is that when the next upgrade is run
the configuration is backed up again overwriting the original
values. This leaves dirsrv with no listener on 389.

Add a new state, upgrade-in-progress, so that the backup of the
config information can be skipped when the upgrader is executed
again after a failure.

The idea behind using a new state value is that if additional
attributes are ever backed up we don't need to remember to update
the list of possible saved values to check to decide if the
upgrade is in progress.

https://pagure.io/freeipa/issue/7534

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-27 15:50:19 -04:00
Alexander Bokovoy
8b6d1ab854 ipa-kdb: support subordinate/superior UPN suffixes
[MS-ADTS] 6.1.6.9.3.2 requires msDS-TrustForestTrustInfo attribute of
trusted domain information in Active Directory to conform certain rules.
One side-effect of those rules is that list of UPN suffixes reported
through the netr_DsRGetForestTrustInformation function is dynamically
filtered to deduplicate subordinate suffixes.

It means that if list of UPN suffixes contains the following top level
names (TLNs):

  fabrikam.com
  sub.fabrikam.com

then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
as the TLN, fully filtering 'sub.fabrikam.com'.

IPA KDB driver used exact comparison of the UPN suffixes so any
subordinate had to be specified exactly.

Modify logic so that if exact check does not succeed, we validate a
realm to test being a subordinate of the known UPN suffixes. The
subordinate check is done by making sure UPN suffix is at the end of the
test realm and is immediately preceded with a dot.

Because the function to check suffixes potentially called for every
Kerberos principal, precalculate and cache length for each UPN suffix at
the time we retrieve the list of them.

Fixes: https://pagure.io/freeipa/issue/8554

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2020-10-26 15:55:02 -04:00
Fraser Tweedale
3f59118ffc ipa_sam: do not modify static buffer holding fqdn
ipa_sam was modifying the buffer returned by ipa_gethostfqdn().
Subsequent calls to ipa_gethostfqdn() returned the corrupt data,
causing other operations to fail.

Update ipa_sam to copy the string and modify the copy.  Also
document this characteristic of ipa_gethostfqdn() and explain that
callers must not modify the returned data.

Part of: https://pagure.io/freeipa/issue/8501

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Christian Heimes
727a2ffb93 Easier to use ipa_gethostfqdn()
ipa_gethostfqdn() now returns a pointer to a statically allocated buffer
or NULL in case of an error. The caller no longer has to supply a
correctly allocated buffer.

Rename IPA_HOST_HOST to_LEN IPA_HOST_FQDN_LEN and use IPA_HOST_FQDN_LEN
wherever code copies a hostname supplied from ipa_gethostfqdn().

Clarify that MAXHOSTNAMELEN and MAXHOSTFQDNLEN are different things.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Christian Heimes
3d796a7e51 Update debug strings to reflect new calls
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Christian Heimes
b66b961fdd Remove problematic optimization from gethostfqdn()
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Christian Heimes
5d4ed65b83 Replace nodename with ipa_gethostfqdn()
ipa_kdb and ipa-join now use ipa_gethostfqdn() instead of uname()'s nodename.

The code for hostname in ipa-join is simplified. Now the hostname is
auto-detected and verified in main(). All sub functions can now use the
hostname without additional checks. This removes a bunch of strdup(),
NULL checks, and free() calls.

Fixes: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Christian Heimes
e28ec76898 Unify access to FQDN
FreeIPA's Python and C code used different approaches to get the FQDN of
the host. Some places assumed that gethostname() returns a FQDN. Other
code paths used glibc's resolver to resolve the current node name to a
FQDN.

Python code now uses the ipalib.constants.FQDN where a fully qualified
domain name is expected. The variable is initialized only once and avoids
potential DNS lookups.

C code uses a new helper function ipa_gethostfqdn() in util package. The
function implements similar logic as gethostfqdn() except it uses more
modern getaddrinfo(). The result is cached as well.

Fixes: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Rob Crittenden
5155280bb4 ipatests: Add test_pwpolicy to nightly runs
389ds testing is included since this exercises LDAP password
policy. pki testing is skipped since this is unrelated to
whether there is a CA or not.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Rob Crittenden
f602da4b28 Requirements and design for libpwquality integration
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Rob Crittenden
68aa7c0554 Add SELinux policy so kadmind can read the crackdb dictionary
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Rob Crittenden
fe44835970 ipatests: add test for password policies
Primarily testing integration of libpwpolicy but it also
exercises some of the existing policy.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Rob Crittenden
be2efc12d3 Add a raiseonerr option to ldappasswd_user_change
This is so on tests for bad password one can catch the error
message.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Rob Crittenden
6da070e655 Pass the user to the password policy check in the kdb driver
If the entry contains a uid then pass that into the policy checker
for the usercheck policy check.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Rob Crittenden
46d0096218 Add a unit test for libpwquality-based password policy
- with all policies disabled passwords are not evaluated
- the pwpolicy minimum overrides the existing IPA minimum
- max character repeats
- max character sequences (12345)
- palindrome
- dictionary check
- user name in the password check

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Rob Crittenden
c4cca53e88 Extend password policy to evaluate passwords using libpwpolicy
Enable checking:

maxrepeat - reject passwrods which contain more than N consecutive
            characters.
maxsequence - rejected passwords which contain character sequences
              (abcde).
dictcheck - check passwords using cracklib
usercheck - check whether the password contains the user name.

The class checking provided by libpwpolicy is not used because this
overlaps with the existing IPA checking. This includes the options
dcredit, ucredit, lcredit, ocredit, minclass and maxclassrepeat.

The pwquality min length is fixed at 6 so if there is a conflict between
the system policy and pwquality log that length is enforced at 6.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Rob Crittenden
3fc2eda4e1 Require libpwolicy and configure it in the build system
https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Rob Crittenden
c03b4862b8 Add new pwpolicy objectclass to test_xmprpc/objectclasses.py
This defines the expected set of objectclasses in the XMLRPC
tests.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Rob Crittenden
6b452e5404 Extend IPA pwquality plugin to include libpwquality support
Add options to support maxrepeat, maxsequence, dictcheck and
usercheck pwquality options.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Rob Crittenden
41021c278a Add LDAP schema for new libpwquality attributes
Add new attributes for the maxrepeat, maxsequence, dictcheck and
usercheck features of libpwquality.

https://pagure.io/freeipa/issue/6964
https://pagure.io/freeipa/issue/5948
https://pagure.io/freeipa/issue/2445
https://pagure.io/freeipa/issue/298

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-10-23 09:32:52 -04:00
Rob Crittenden
139d60d747 Don't restart certmonger after stopping tracking in uninstall
certmonger was later restarted to remove the custom CA entries
and the startup delay sometimes caused uninstallation to fail.

certmonger is stopped in cainstance.py::uninstall() so it will
still be stopped post-install.

https://pagure.io/freeipa/issue/8533

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-19 12:56:22 -04:00
Christian Heimes
fa58071221 Reuse main LDAP connection
cainstance and krainstance now reuse the main LDAP connection
api.Backend.ldap2 in all helper functions. Some functions used to create
and tear down their own LDAP connection. This was a remnant of the old
CA LDAP instance in FreeIPA 3.x.

Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-19 09:53:29 +02:00
Christian Heimes
a9d34c8e66 Speed up cainstance.migrate_profiles_to_ldap
The ra_certprofile API is slow. It takes ~200ms to migrate and enable a
profile even when the profile already available. The migration step
slows down the installer and upgrader by about 12 to 15 seconds.

Skip all profiles that have been imported by Dogtag already.

Related: https://pagure.io/freeipa/issue/8522
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-19 09:53:29 +02:00
Florence Blanc-Renaud
cb7d096422 ipatests: properly handle journalctl return code
The test test_installation.py::TestInstallMaster::test_selinux_avcs
is failing when no AVCs are detected because it is calling
journalctl --full --grep=AVC--since=yesterday
and the command exits with return code 1.

Call the command with raiseonerr=False to support this case.

Fixes: https://pagure.io/freeipa/issue/8541
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-10-13 16:51:32 +02:00
François Cami
5de67028d0 ipatests: run freeipa-healthcheck on hidden replica
Run freeipa-healthcheck on a FreeIPA clusters with a
hidden replica to make sure a hidden replica is considered
fully healthy.

Fixes: https://pagure.io/freeipa/issue/8536
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-10-13 10:07:45 +02:00
François Cami
7bbb997150 ipatests: tasks: add user_del
Add an "ipa user-del" frontend to tasks.py.

Related: https://pagure.io/freeipa/issue/8536
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-10-13 10:07:45 +02:00
Florence Blanc-Renaud
fbd7d77189 rpmspec: ensure ipa snippet for sshd is always included
Whn openssh-server > 8.2 is installed, ipa rpmspec moves its
configuration directives to /etc/ssh/sshd_config.d/04-ipa.conf
but doesn't check that the 04-ipa.conf is included from
/etc/ssh/sshd_config.

The fixes ensures that the snippet is always included, either
through the line Include /etc/ssh/sshd_config.d/*.conf or
directly with Include /etc/ssh/sshd_config.d/04-ipa.conf

Fixes: https://pagure.io/freeipa/issue/8535
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-13 10:03:47 +02:00
Florence Blanc-Renaud
58d8af0433 ipatests: add tests to 389ds regression
The following tests can be used to detect regressions with 389-ds:
- test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion
- test_integration/test_dns_locations.py

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-13 09:57:32 +02:00
Christian Heimes
731c5b2110 Lookup ipa-ca record with NSS
DNS data management now uses NSS's getaddrinfo() instead of direct DNS
queries to resolve the ipa-ca record. This fixes missing ipa-ca records
when the current hostname is not resolvable in DNS but has correct
records in /etc/hosts.

Reduce timeout to 15 seconds and tighten timeout loop.

The changeset can speed up installation by almost 60 seconds.
ipa-server-install without built-in DNS calls into DNS data management
twice with a timeout of 30 seconds for each call.

Fixes: https://pagure.io/freeipa/issue/8529
Related: https://pagure.io/freeipa/issue/8521
Related: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-10-10 12:54:06 +02:00
François Cami
5d95794edf ipatests: kinit_as_user improvements
Use get_kdcinfo before and after kinit if krb5_trace in kinit_as_user.
This will help determine how SSSD was selecting which KRB5KDC to use.

Fixes: https://pagure.io/freeipa/issue/8510
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-10-09 08:51:02 +02:00
François Cami
e0586f33a6 ipatests: create_active_user improvements
Use get_kdcinfo before and after kinit if krb5_trace in create_active_user.
This will help determine how SSSD was selecting which KRB5KDC to use.

Fixes: https://pagure.io/freeipa/issue/8510
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-10-09 08:51:02 +02:00