Commit Graph

9794 Commits

Author SHA1 Message Date
Martin Babinsky
a1a7ecdc7b vault-add: set the default vault type on the client side if none was given
`vault-add` commands does much processing depending on the vault type even
before the request is forwarded to remote server. Since default values for
parameters are now filled only on server side, the client-side logic would
fail if the vault type was not explicitly given. In this case we have to
retrieve and use the default vault type from schema.

https://fedorahosted.org/freeipa/ticket/6047

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-07-13 18:46:31 +02:00
Stanislav Laznicka
6c74bd2bcc Removed unused method parameter from migrate-ds
An extra parameter on client side command override of migrate-ds output
was causing errors.

https://fedorahosted.org/freeipa/ticket/6034

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-13 18:40:22 +02:00
Martin Basti
2874fdbfef host-find: do not show SSH key by default
Only function 'remove_sshpubkey_from_output_list_post' should be used in
postcallbacks of *-find, otherwise only one entry will be cleaned up

https://fedorahosted.org/freeipa/ticket/6043

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-07-13 18:37:15 +02:00
Fraser Tweedale
8cd87d12d5 caacl: expand plugin documentation
Expand the 'caacl' plugin documentation to explain some common
confusions including the fact that CA ACLs apply to the target
subject principal (not necessarily the principal requesting the
cert), and the fact that CA-less CA ACL implies the 'ipa' CA.

Fixes: https://fedorahosted.org/freeipa/ticket/6002
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-07-13 18:34:17 +02:00
Martin Basti
9feeaca9fb Enable vault-* commands on client
Client plugins fot vault commands were disabled by NO_CLI=True,
inherited from vault_add_interal, that is always NO_CLI=True.
Introduced by this commit 8278da6967

Removed NO_CLI=True from client side plugins for vault.

https://fedorahosted.org/freeipa/ticket/6035

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-07-12 16:03:07 +02:00
Sumit Bose
6d6da6b281 kdb: check for local realm in enterprise principals
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2016-07-12 12:26:28 +02:00
Martin Babinsky
c1d8629b74 ipa-advise: correct handling of plugin namespace iteration
The API object namespace iterators now yield plugin classes themselves
instead of their names as strings. The method enumerating through available
plugins needs to be made aware of this change.

https://fedorahosted.org/freeipa/ticket/6044

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-07-12 11:02:52 +02:00
Martin Babinsky
a5efeb449b ipa-compat-manage: use server API to retrieve plugin status
https://fedorahosted.org/freeipa/ticket/6033

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-07-12 10:59:59 +02:00
Milan Kubík
0277a89825 ipatests: remove ipacertbase option from test CSR configuration
The issue was found during test review. If the cert base contains
spaces, openssl req fails.

https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-07-12 10:55:50 +02:00
Milan Kubík
d88a12f1f5 ipatests: Test Sub CA with CAACL and certificate profile
Test the Sub CA feature by signing a CSR with custom
certificate profile.

The test also covers 'cert-request' fallback behaviour
for missing 'cacn' and 'profile-id' options by reusing
the fixtures from the module.

https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-07-12 10:55:50 +02:00
Milan Kubík
5b37aaad77 ipatests: Extend CAACL suite to cover Sub CA members
https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-07-12 10:55:50 +02:00
Milan Kubík
ea9b15f435 ipatests: Tracker implementation for Sub CA feature
The patch implements Tracker subclass for CA plugin
and the basic CRUD tests for the plugin entries.

https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-07-12 10:55:50 +02:00
Martin Babinsky
c5cc79f1ad ipa-nis-manage: Use server API to retrieve plugin status
https://fedorahosted.org/freeipa/ticket/6027

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-07-12 10:53:03 +02:00
Fraser Tweedale
88841a5619 uninstall: untrack lightweight CA certs
Fixes: https://fedorahosted.org/freeipa/ticket/6020
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-12 10:50:52 +02:00
Oleg Fayans
f784532d4e Test for incorrect client domain
https://fedorahosted.org/freeipa/ticket/5976

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 17:59:27 +02:00
Petr Spacek
dc5b2eaa77 client-install: log exceptions from certmonger.request_cert
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 13:33:49 +02:00
Martin Babinsky
0ade41abba Fix incorrect check for principal type when evaluating CA ACLs
This error prevented hosts to request certificates for themselves.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-07-01 13:16:23 +02:00
Petr Vobornik
4c1d737656 Become IPA 4.4.0 2016-07-01 11:39:29 +02:00
Martin Basti
3f26702981 IPA 4.4.0 Translations
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-01 11:24:53 +02:00
David Kupka
d2cb9ed327 Allow unexpiring passwords
Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.

https://fedorahosted.org/freeipa/ticket/2795

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-07-01 11:22:02 +02:00
Fraser Tweedale
3691e39a62 Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3
ipa-server-upgrade from pre-lightweight CAs version fails when
Dogtag is also being upgraded from pre-lightweight CAs version,
because Dogtag needs to be restarted after adding the lightweight
CAs container, before requesting information about the host
authority.

Move the addition of the Dogtag lightweight CAs container entry a
bit earlier in the upgrade procedure, ensuring restart.

Fixes: https://fedorahosted.org/freeipa/ticket/6011
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-01 11:09:53 +02:00
Petr Spacek
5e78b54d7c Fix internal errors in host-add and other commands caused by DNS resolution
Previously resolver was returning CheckedIPAddress objects. This
internal server error in cases where DNS actually returned reserved IP
addresses.

Now the resolver is returning UnsafeIPAddress objects which do syntactic
checks but do not filter IP addresses.

From now on we can decide if some IP address should be accepted as-is or
if it needs to be contrained to some subset of IP addresses using
CheckedIPAddress class.

This regression was caused by changes for
https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 10:35:39 +02:00
Petr Spacek
ce1f9ca51b Remove unused is_local(), interface, and defaultnet from CheckedIPAddress
All these were unused so I'm removing them to keep the code clean and
easier to read. At this point it is clear that only difference between
netaddr.IPAddress and CheckedIPAddress is prefixlen attribute.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 10:35:39 +02:00
Martin Basti
a635135ba3 Bump SSSD version in requires
This is required by commit aa734da494 for
function sss_nss_getnamebycert()

https://fedorahosted.org/freeipa/ticket/4955

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-07-01 10:20:36 +02:00
David Kupka
cea1f33606 schema: Perform the check for schema update when force_schema_check is True
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 10:12:34 +02:00
Fraser Tweedale
4844eaec19 Add --cn option to cert-status
Add the 'cacn' option to the cert-status command.  Right now there
is nothing we need to (or can) do with it, but we add it anyway for
future use.

Fixes: https://fedorahosted.org/freeipa/ticket/5999
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 10:05:16 +02:00
Pavel Vomacka
2ec59b7f23 Add widget for kerberos aliases to service page
Also changes the name of option which is send during adding new service from
'krbprincipalname' to 'krbcanonicalname'.

https://fedorahosted.org/freeipa/ticket/5927

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-07-01 09:39:49 +02:00
Pavel Vomacka
62c4e15d16 Add widget for kerberos aliases to hosts page
https://fedorahosted.org/freeipa/ticket/5927

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-07-01 09:39:49 +02:00
Pavel Vomacka
2da3090a97 Add widget for kerberos aliases to user page
https://fedorahosted.org/freeipa/ticket/5927

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-07-01 09:39:49 +02:00
Pavel Vomacka
4bc2e3164f Add widgets for kerberos aliases
Create own custom_command_multivalued_widget for kerberos aliases.

https://fedorahosted.org/freeipa/ticket/5927

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-07-01 09:39:49 +02:00
Pavel Vomacka
2232a5bb09 Set default confirmation button label to 'Remove'
Part of: https://fedorahosted.org/freeipa/ticket/5831

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-07-01 09:39:49 +02:00
Pavel Vomacka
df56fd3371 Change error handling in custom_command_multivalued_widget
The custom_command_multivalued_widget now handles remove and add commands errors
correctly and shows error message.

Part of: https://fedorahosted.org/freeipa/ticket/5381

add_error

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-07-01 09:39:49 +02:00
Martin Babinsky
acf2234ebc Unify display of principal names/aliases across entities
Since now users, hosts, and service all support assigning multiple principal
aliases to them, the display of kerberos principal names should be consistent
across all these objects. Principal aliases and canonical names will now be
displayed in all add, mod, show, and find operations.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
e6ff83e361 Provide API for management of host, service, and user principal aliases
New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...])
were added to manage principal aliases.

'add' commands will check the following:
* the correct principal type is supplied as an alias
* the principals have correct realm and the realm/alternative suffix (e.g.
  e-mail) do not overlap with those of trusted AD domains

If the entry does not have canonical principal name, the first returned
principal name will be set as one. This is mostly to smoothly operate on
entries created on older servers.

'remove' commands will check that there is at least one principal alias equal
to the canonical name left on the entry.

See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliases

https://fedorahosted.org/freeipa/ticket/1365
https://fedorahosted.org/freeipa/ticket/3961
https://fedorahosted.org/freeipa/ticket/5413

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
a28d312796 Make framework consider krbcanonicalname as service primary key
The framework does not allow single param to appear as both positional
argument and option in a single command, or to represent two different
positional arguments for that matter. Since principal aliases shall go to
krbprincipalname attribute, the framework has to be tricked to believe
krbcanonicalname is the service's primary key. The entry DN stored in LDAP
remains the same.

https://fedorahosted.org/freeipa/ticket/1365

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
750a392fe2 Allow for commands that use positional parameters to add/remove attributes
Commands that modify a single multivalued attribute of an entry should use
positional parameters to specify both the primary key and the values to
add/remove. Named options are redundant in this case.

The `--certificate option` of `*-add/remove-cert` commands was turned
mandatory to avoid EmptyModlist when it is omitted.

https://fedorahosted.org/freeipa/ticket/3961
https://fedorahosted.org/freeipa/ticket/5413

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
7e803aa462 replace an ACI relying on presence of deprecated objectclass
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
d1517482b5 Add ACI for admins to modify principal attributes
This is required for admins to utilize the APIs that enable them to add/remove
principal aliases to entities.

https://fedorahosted.org/freeipa/ticket/3864
https://fedorahosted.org/freeipa/ticket/3961
https://fedorahosted.org/freeipa/ticket/5413

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
c2af032c03 Migrate management framework plugins to use Principal parameter
All plugins will now use this parameter and common code for all operations on
Kerberos principals.  Additional semantic validators and normalizers were
added to determine or append a correct realm so that the previous behavior is
kept intact.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
974eb7b5ef ipalib: introduce Principal parameter
This patch introduces a separate Principal parameter that allows the framework
to syntactically validate incoming/outcoming principals by using a single
shared codebase.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
e6fc8f84d3 Test suite for ipapython/kerberos.py
Low-level unittests checking the correctness principal parsing.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
de6abc7af2 ipapython module for Kerberos principal manipulation and parsing
This module implements a shared codebase to handle various types of Kerberos
principal names encountered during management of users, hosts nad services.
Common codebase aims to replace various ad-hoc functions and routines
scattered along the management framework.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Jan Cholasta
2cf7c7b4ac client: add support for pre-schema servers
Bundle remote plugin interface definitions for servers which lack API
schema support. These server API versions are included:
* 2.49: IPA 3.1.0 on RHEL/CentOS 6.5+,
* 2.114: IPA 4.1.4 on Fedora 22,
* 2.156: IPA 4.2.0 on RHEL/CentOS 7.2 and IPA 4.2.4 on Fedora 23,
* 2.164: IPA 4.3.1 on Fedora 23.

For servers with other API versions, the closest lower API version is used.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-07-01 09:40:04 +02:00
Jan Cholasta
cf713ac283 client: do not crash when overriding remote command as method
Do not crash during API initialization when overriding remote command that
is not a method with MethodOverride.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-07-01 09:40:04 +02:00
David Kupka
e5635f7ef4 schema: Decrease schema TTL to one hour
Since checking schema is relatively cheap operation (one round-trip with
almost no data) we can do it offten to ensure schema will fetched by
client ASAP after it was updated on server.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-07-01 09:22:57 +02:00
Martin Basti
08fcc7e25a Do not log to file in remote conncheck side
https://fedorahosted.org/freeipa/ticket/5757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-01 09:05:33 +02:00
Martin Basti
4ce0258c23 Add option --no-log for ipa-replica-conncheck script
When option is sued, ipa-replica-conncheck will not log into file

https://fedorahosted.org/freeipa/ticket/5757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-01 09:05:33 +02:00
Florence Blanc-Renaud
d9ae9ee1b5 Do not log error when removing a non-existing file
When the uninstaller tries to remove /etc/systemd/system/httpd.d/ipa.conf and
the file does not exist, only log to debug instead of error.

https://fedorahosted.org/freeipa/ticket/6012

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 09:01:21 +02:00
Fraser Tweedale
3ac3882631 Fix migration from pre-lightweight CAs master
Some container objects are not added when migrating from a
pre-lightweight CAs master, causing replica installation to fail.
Make sure that the containers exist and add an explanatory comment.

Fixes: https://fedorahosted.org/freeipa/ticket/5963
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-07-01 08:56:26 +02:00
Fraser Tweedale
0334693cfc Split CA replica installation steps for domain level 0
Installation from replica file is broken because lightweight CA
replication setup is attempted before Kerberos is set up.  To fix
the issue, explicitly execute step 1 before Kerberos setup, and
step 2 afterwards.

Part of: https://fedorahosted.org/freeipa/ticket/5963

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-07-01 08:56:26 +02:00