Commit Graph

8415 Commits

Author SHA1 Message Date
Tomas Babej
a487e42d3f ipaplatform: Add constants submodule
Introduce a ipaplatform/constants.py file to store platform related
constants, which are not paths.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-21 17:29:33 +02:00
Martin Basti
5ea41abe98 DNS: Consolidate DNS RR types in API and schema
* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
    These records never worked, they dont have attributes in schema.
    TSIG and TKEY are meta-RR should not be in LDAP
    TA is not supported by BIND
    NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be
    in LDAP.
    *! SIG, NSEC are already defined in schema, must stay in API.

* Add HINFO, MINFO, MD, NXT records to API as unsupported records
    These records are already defined in LDAP schema

* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records
    These records were defined in IPA API as unsupported, but schema definition was
    missing. This causes that ACI cannot be created for these records
    and dnszone-find failed. (#5055)

https://fedorahosted.org/freeipa/ticket/4934
https://fedorahosted.org/freeipa/ticket/5055

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-21 17:18:29 +02:00
David Kupka
e384aad729 ipa-client-install: Do not (re)start certmonger and DBus daemons.
When DBus is present in the system it is always running.

Starting of certmomger is handled in ipapython/certmonger.py module if
necessary. Restarting is no longer needed since freeipa is not changing
certmonger's files.

https://fedorahosted.org/freeipa/ticket/5095

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-20 14:28:09 +00:00
David Kupka
2defc486ab cermonger: Use private unix socket when DBus SystemBus is not available.
https://fedorahosted.org/freeipa/ticket/5095

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-20 14:28:09 +00:00
Martin Babinsky
1ec174b92d enable debugging of ntpd during client installation
When installing IPA client in debug mode, the ntpd command spawned during
initial time-sync with master KDC will also run in debug mode.

https://fedorahosted.org/freeipa/ticket/4931

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-20 14:19:08 +00:00
Tomas Babej
37b1af9a7c domainlevel: Fix incorrect initializations of InvalidDomainLevelError exceptions
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-20 13:53:21 +02:00
Martin Basti
c6c84faecf Py3: replace tab with space
python3 does not allow to mix spaces and tabs

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2015-07-17 17:19:51 +02:00
Tomas Babej
45958d6219 trusts: Check for AD root domain among our trusted domains
Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to esablishing the trust.

This prevents creation of a failing setup, as trusts would not work
properly in this case.

https://fedorahosted.org/freeipa/ticket/4799

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-17 17:04:17 +02:00
Martin Basti
82aaa1e6d0 Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand
--force option set replica-certify-all to 'no' during abort-clean-ruv
subcommand

https://fedorahosted.org/freeipa/ticket/4988

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-07-17 16:47:18 +02:00
Yuri Chornoivan
75fde43491 Fix minor typos
<ame> -> <name>
overriden -> overridden
ablity -> ability
enties -> entries
the the -> the

https://fedorahosted.org/freeipa/ticket/5109

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2015-07-17 14:33:30 +02:00
Martin Basti
9f70128353 sysrestore: copy files instead of moving them to avoind SELinux issues
Copying files restores SELinux context.

https://fedorahosted.org/freeipa/ticket/4923

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-17 13:46:23 +02:00
Petr Spacek
f1f3ef478d Create server-dns sub-package.
This allows us to automatically pull in package bind-pkcs11
and thus create upgrade path for on CentOS 7.1 -> 7.2.

IPA previously had no requires on BIND packages and these had to be
installed manually before first ipa-dns-install run.
We need to pull additional bind-pkcs11 package during RPM upgrade
so ipa-dns-install cannot help with this.

https://fedorahosted.org/freeipa/ticket/4058

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-17 10:40:44 +02:00
David Kupka
e5d179b5b9 migration: Use api.env variables.
Use api.env.basedn instead of anonymously accessing LDAP to get base DN.
Use api.env.basedn instead of searching filesystem for ldapi socket.

https://fedorahosted.org/freeipa/ticket/4953

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-17 10:30:42 +02:00
Martin Basti
a619a1e211 Validate adding privilege to a permission
Adding priviledge to a permission via webUI allowed to avoid check and to add permission
with improper type.

https://fedorahosted.org/freeipa/ticket/5075

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-17 04:57:54 +00:00
Martin Basti
a0ce9e6b09 fix selinuxusermap search for non-admin users
Remove nonexistent attribute 'hostmembergroup' that is not in ACI nor schema.

Related to https://fedorahosted.org/freeipa/ticket/5130

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-07-16 15:38:47 +02:00
Petr Vobornik
2e80645ef2 fix hbac rule search for non-admin users
hbacrule has it default attributes (which are used in search) attribute
'memberhostgroup'. This attr is not in ACI nor in schema. If the search
contains an attribute which can't be read then the search won't return
anything.

Therefore all searches with filter set fail.

https://fedorahosted.org/freeipa/ticket/5130

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-16 15:37:24 +02:00
Martin Babinsky
26dee66d1b ipa-ca-install: print more specific errors when CA is already installed
This patch implements a more thorough checking for already installed CAs
during standalone CA installation using ipa-ca-install. The installer now
differentiates between CA that is already installed locally and CA installed
on one or more masters in topology and prints an appropriate error message.

https://fedorahosted.org/freeipa/ticket/4492

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-16 15:33:43 +02:00
Petr Vobornik
9083c528f7 webui: fix user reset password dialog
Could not open user password dialog.

regression introduced in ed78dcfa3a

https://fedorahosted.org/freeipa/ticket/5131

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-16 15:28:38 +02:00
Christian Heimes
0700d340c7 Fix selinux denial during kdcproxy user creation
The home directory of the kdcproxy user is now properly owned by the
package and no longer created by useradd.

https://fedorahosted.org/freeipa/ticket/5135

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-16 13:45:03 +02:00
Alexander Bokovoy
c6a1bd591e oddjob: avoid chown keytab to sssd if sssd user does not exist
If sssd user does not exist, it means SSSD does not run as sssd user.

Currently SSSD has too tight check for keytab permissions and ownership.
It assumes the keytab has to be owned by the same user it runs under
and has to have 0600 permissions. ipa-getkeytab creates the file with
right permissions and 'root:root' ownership.

Jakub Hrozek promised to enhance SSSD keytab permissions check so that
both sssd:sssd and root:root ownership is possible and then when SSSD
switches to 'sssd' user, the former becomes the default. Since right now
SSSD 1.13 is capable to run as 'sssd' user but doesn't create 'sssd'
user in Fedora 22 / RHEL 7 environments, we can use its presence as a
version trigger.

https://fedorahosted.org/freeipa/ticket/5136

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-16 13:41:08 +02:00
Alexander Bokovoy
706c003615 selinux: enable httpd_run_ipa to allow communicating with oddjobd services
A new SELinux policy allows communication between IPA framework running
under Apache with oddjobd-based services via DBus.

This communication is crucial for one-way trust support and also is required
for any out of band tools which may be executed by IPA framework.

Details of out of band communication and SELinux policy can be found in a bug
https://bugzilla.redhat.com/show_bug.cgi?id=1238165

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-16 12:42:43 +02:00
Petr Vobornik
9d69ad2428 do not import memcache on client
Fixes regression caused by cd3ca94ff2.

Which caused:
* client installation failure (missing memcache)
* invalid warning in CLI on server

https://fedorahosted.org/freeipa/ticket/5133

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-16 11:23:40 +02:00
Jan Cholasta
d6e701a793 spec file: Update minimum required version of krb5
Automatically require the krb5 version used at build time.

https://fedorahosted.org/freeipa/ticket/5132

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-15 11:02:32 +00:00
Jan Cholasta
ba31b41569 spec file: Move /etc/ipa/kdcproxy to the server subpackage
The directory was in the python subpackage, but that broke client-only
build. We don't want the directory to be installed on clients anyway,
since it is part of a server-side feature.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2015-07-15 10:46:18 +00:00
Martin Basti
8bc0e9693b copy-schema-to-ca: allow to overwrite schema files
If content of source and target file differs, the script will ask user
for permission to overwrite target file.

https://fedorahosted.org/freeipa/ticket/5034

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-15 07:11:21 +00:00
Martin Basti
c144ea6fef Stageusedr-activate: show username instead of DN
If activate user already exists, show name of this user in error message
instead of user DN.
Error message reworder to keep the same format as stageuser-add,
user-add.

https://fedorahosted.org/freeipa/ticket/5038

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-15 07:08:02 +00:00
Christian Heimes
18d417e981 Replace file() with open()
The open() function is the recommended way to open a file. In Python 3
the file type is gone, but open() still works the same.

The patch is related to https://fedorahosted.org/freeipa/ticket/5127

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-14 13:59:31 +02:00
Christian Heimes
35e219f996 Remove tuple unpacking from except clause ipaserver/dcerpc.py
Python 3 doesn't support tuple unpacking in except clauses. All implicit
tuple unpackings have been replaced with explicit unpacking of e.args.

https://fedorahosted.org/freeipa/ticket/5120

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-14 13:43:50 +02:00
Christian Heimes
4677ea29be Remove tuple unpacking from except clause ipalib/plugins/hbactest.py
Python 3 doesn't support tuple unpacking in except clauses. All implicit
tuple unpackings have been replaced with explicit unpacking of e.args.

https://fedorahosted.org/freeipa/ticket/5120

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-14 13:43:50 +02:00
Christian Heimes
feb8891dd0 Remove tuple unpacking from except clause ipa-client/ipaclient/ipachangeconf.py
Python 3 doesn't support tuple unpacking in except clauses. All implicit
tuple unpackings have been replaced with explicit unpacking of e.args.

https://fedorahosted.org/freeipa/ticket/5120

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-14 13:43:50 +02:00
Christian Heimes
334be8c9cc Remove tuple unpacking from except clause contrib/RHEL4/ipachangeconf.py
Python 3 doesn't support tuple unpacking in except clauses. All implicit
tuple unpackings have been replaced with explicit unpacking of e.args.

https://fedorahosted.org/freeipa/ticket/5120

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-14 13:43:50 +02:00
Milan Kubík
3459607410 spec file: update the python package names for libipa_hbac and libsss_nss_idmap
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-14 10:57:36 +00:00
Simo Sorce
ca6947da6f Fix DNS records installation for replicas
Ticket: https:/fedorahosted.org/freeipa/ticket/5116

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-14 10:50:36 +00:00
Christian Heimes
c701ab612d Start dirsrv for kdcproxy upgrade
The kdcproxy upgrade step in ipa-server-upgrade needs a running dirsrv
instance. Under some circumstances the dirsrv isn't running. The patch
rearranges some upgrade steps and starts DS before enable_kdcproxy().

https://fedorahosted.org/freeipa/ticket/5113

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-14 10:37:43 +00:00
Tomas Babej
5106421961 Revert "Hide topology and domainlevel features"
This reverts commit 62e8002bc4.

Hiding of the topology and domainlevel features was necessary
for the 4.2 branch only.

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-07-10 15:26:50 +02:00
Milan Kubík
61f41df949 ipalib: pass api instance into textui in doctest snippets
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-10 15:05:19 +02:00
Tomas Babej
8a4e79c9e6 ipalib: Fix missing format for InvalidDomainLevelError
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-10 15:01:22 +02:00
Martin Basti
67b2b34085 Prevent to rename certprofile profile id
https://fedorahosted.org/freeipa/ticket/5074

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-10 09:01:05 +00:00
Petr Vobornik
0569910fea Bump 4.3 development version to 4.2.90
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-09 13:07:35 +02:00
Petr Vobornik
218de5bff7 Become IPA 4.2.0 2015-07-09 12:11:56 +02:00
Petr Vobornik
f0e88e9b13 fix error message when certificate CN is invalid
The error message was probably copied from mail address check below.

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-09 11:58:30 +02:00
Petr Vobornik
0b943f3ce9 webui: remove cert manipulation actions from host and service
Remove
* cert_view
* cert_get
* cert_revoke
* cert_restore

These actions require serial number which is not provided to Web UI if
multiple certificates are present.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-09 10:58:40 +02:00
Petr Vobornik
cf8b56cc75 webui: show multiple cert
New certificate widget which replaced certificate status widget.

It can display multiple certs. Drawback is that it cannot display
if the certificate was revoked. Web UI does not have the information.

part of: https://fedorahosted.org/freeipa/ticket/5045

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-09 10:58:40 +02:00
Petr Vobornik
7c481b1e90 webui: cert-request improvements
Certificate request action and dialog now supports 'profile_id',
'add' and 'principal' options. 'add' and 'principal' are disaplayed
only if certificate is added from certificate search facet.

Certificate search facet allows to add a certificate.

User details facet allows to add a certificate.

part of
https://fedorahosted.org/freeipa/ticket/5046

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-09 10:58:40 +02:00
Petr Vobornik
cd3ca94ff2 move session_logout command to ipalib/plugins directory
API refactoring caused that session_logout command was not registered.

Commands in ipalib/plugins directory are automatically registered.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 17:16:54 +02:00
Tomas Babej
9c5df3cf76 upgrade: Enable and start oddjobd if adtrust is available
If ipa-adtrust-install has already been run on the system,
enable and start the oddjobd service.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-08 17:14:56 +02:00
Tomas Babej
675aada2e1 adtrustinstance: Enable and start oddjobd
Enable and start the oddjobd service as part of the
ipa-adtrust-install for the new IPA installations.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-08 17:14:56 +02:00
Fraser Tweedale
ec7e5e0cac cert-request: enforce caacl for principals in SAN
cert-request currently does not enforce caacls for principals
included in the subjectAltName requestExtension.  Enforce for any
dNSName values recognised as hosts/services known to FreeIPA.

Fixes: https://fedorahosted.org/freeipa/ticket/5096
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-08 17:13:25 +02:00
Fraser Tweedale
e3c225317b caacl: fix incorrect construction of HbacRequest for hosts
The _acl_make_request function is using the 'host/' prefix itself
instead of the hostname after it.  Use split_any_principal to do the
splitting correctly, also taking realm into account.

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-08 17:13:25 +02:00
Petr Vobornik
f13cce2d9c webui: hide facet tab in certificate details facet
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 17:12:29 +02:00