Commit Graph

3481 Commits

Author SHA1 Message Date
François Cami
6f5042cd87 10-config.update: remove nsslapd-sasl-max-buffer-size override as https://pagure.io/389-ds-base/issue/47457 was fixed directly in 389 Directory Server.
The patch addresses:
https://bugzilla.redhat.com/show_bug.cgi?id=1527020
"nsslapd-sasl-max-buffer-size is hardcoded to '2097152' during
install even if another value was provided in an LDIF
( --dirsrv-config-file )"

Fixes: https://pagure.io/freeipa/issue/7341

Tested against RHEL 7.4, the nsslapd-sasl-max-buffer-size parameter
is still 2097152 after this change and the change allows overriding
its value using --dirsrv-config-file properly.

Fix suggested by Florence Blanc-Renaud.

Signed-off-by: François Cami <fcami@fedoraproject.org>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-01-04 16:36:54 +01:00
Pavel Vomacka
cf2d171d0c WebUI: make keytab tables on service and host pages writable
There is no object class before adding the first item into tables,
therefore there are no ACI and WebUI is not able to figure out
whether table is writable or not. Adding flag 'w_if_no_aci'
tells "make it writable even if we have not ACIs and try to do
the API call.

https://pagure.io/freeipa/issue/7111

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2018-01-04 16:24:42 +01:00
Pavel Vomacka
0f28c7e32e Include npm related files into Makefile and .gitignore
Extedned Makefile in install/ui
 - $ make clean-local removes npm related files in the install/ui directory
Add node_modules and package-lock.json into .gitignore

Fixes: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
8aca1fe72a Update jsl.conf in tests subfolder
- to know QUnit, it is global object provided by QUnit.js library
- remove not-existing test navigation_tests.js

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
905a0abfd6 Update README about WebUI unit tests
Add information how to run tests from command line

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
2dd7741075 Update tests
With newer QUnit the API has changed, therefor there are necesary changes
in tests. QUnit methods does not pollute global workspace they use global
QUnit object or assert object passed as argument to test method.

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
c47784dc9f Create symlink to qunit.js
Base path for all unit tests is install/ui/js. This path is also used
by PhantomJS when runnig unit tests from command line. PhantomJS then
tries to find qunit.js therefor symlink in install/ui/js is needed.

This might be automated in the future.

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
c50092c3b5 Update jsl to not warn about module in Gruntfile
Gruntfile uses module keyword which is not known by our JSLint.
Adding it into known keywords fix the warning.

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
c48ac2819b Add Gruntfile and package.json to ui directory
Those files are used when running WebUI unit tests from command line.

- Gruntfile specifies grunt task which can run the webui tests.
- symlink to src/freeipa/package.json where are specified npm packages
  which are required for running those test.
  There is only symlink to not duplicite package.json file

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
8b25ac88e1 Update QUnit CSS file to 2.4.1
Update QUnit CSS to correspond with QUnit JS library

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Pavel Vomacka
68540856cf Update qunit.js to version 2.4.1
It provides more functions, bug fixes, but mainly better error handling
therefore it is easier to debug errors while tests are automatically
run.

Related: https://pagure.io/freeipa/issue/7278
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-14 18:57:37 +01:00
Alexander Koksharov
fbb1889766 ensuring 389-ds plugins are enabled after install
To avoid problems caused by desabled plugins on 389-ds side
explicitly enable plugins required by IPA

https://pagure.io/freeipa/issue/7271

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-14 16:41:01 +01:00
Fraser Tweedale
0e9ce73a52 Add uniqueness constraint on CA ACL name
It is possible to add caacl entries with same "name" (cn).  The
command is supposed to prevent this but direct LDAP operations allow
it and doing that will cause subsequent errors.

Enable the DS uniqueness constraint plugin for the cn attribute in
CA ACL entries.

Fixes: https://pagure.io/freeipa/issue/7304
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-12 14:36:44 +01:00
Christian Heimes
b32a4aef86 More log in verbs
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-12-12 12:53:21 +01:00
Christian Heimes
dca9f84961 Address more 'to login'
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-12-12 12:53:21 +01:00
Christian Heimes
ae3160fdd7 Fix grammar error: Log out
https://pagure.io/freeipa/issue/7258

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-12-12 12:53:21 +01:00
Christian Heimes
3756dbf964 Fix grammar in login screen
https://pagure.io/freeipa/issue/7263

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-12-12 12:53:21 +01:00
Rob Crittenden
d7aa7945e8 Run server upgrade in ipactl start/restart
During a distro upgrade, e.g. F-26 to F-27, networking may not
be available which will cause the upgrade to fail. Despite this
the IPA service can be subsequently restarted running new code
with old data.

This patch relies on the existing version-check cdoe to determine
when/if an upgrade is required and will do so during an ipactl
start or restart.

The upgrade is now run implicitly in the spec file and will
cause the server to be stopped after the package is installed
if the upgrade fails.

Fixes: https://pagure.io/freeipa/issue/6968

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-12 12:08:35 +01:00
Fraser Tweedale
34f73b4a94 install: report CA Subject DN and subject base to be used
Currently we do not report what Subject DN or subject base will be
used for the CA installation.  This leads to situations where the
administrator wants a different Subject DN later.  Display these
data as part of the "summary" prior to the final go/no-go prompt in
ipa-server-install and ipa-ca-install.

The go/no-go prompt in ipa-ca-install is new.  It is suppressed for
unattended installations.

Fixes: https://pagure.io/freeipa/issue/7246
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-11 12:06:28 +01:00
Fraser Tweedale
39fdc2d250 ipa_certupdate: avoid classmethod and staticmethod
Because classmethod and staticmethod are just fancy ways of calling
plain old functions, turn the classmethods and staticmethods of
CertUpdate into plain old functions.

This improves readability by making it clear that the behaviour of
the routines cannot depend on instance or class variables.

Part of: https://pagure.io/freeipa/issue/6577

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Fraser Tweedale
97942a7c7a Run certupdate after promoting to CA-ful deployment
After installing a CA in a CA-less installations (using
ipa-ca-install), the new CA certificate is not installed in
/etc/httpd/alias. This causes communication failure between IPA
framework and Dogtag (it cannot verify the Dogtag server
certificate).

Perform a CertUpdate as the final step when promoting a CA-less
deployment to CA-ful.

Fixes: https://pagure.io/freeipa/issue/7230
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Fraser Tweedale
8960141adb ipa-ca-install: run certupdate as initial step
When installing a CA replica, perform a certupdate to ensure that
the relevant CA cert is present.  This is necessary if the admin has
just promoted the topology from CA-less to CA-ful but didn't
manually run ipa-certupdate afterwards.

Fixes: https://pagure.io/freeipa/issue/6577
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Fraser Tweedale
3eb3844353 renew_ra_cert: fix update of IPA RA user entry
The post-save hook for the RA Agent certificate invokes
cainstance.update_people_entry with the DER certificate instead of a
python-cryptograpy Certificate object.  Apply to correct type.

Fixes: https://pagure.io/freeipa/issue/7282
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-07 17:28:12 +01:00
Christian Heimes
e1bd827bbf Require UTF-8 fs encoding
http://blog.dscpl.com.au/2014/09/setting-lang-and-lcall-when-using.html

https://pagure.io/freeipa/issue/5887

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-11-21 16:13:28 +01:00
Pavel Vomacka
04da856256 WebUI: make Domain Resolution Order writable
Objectclass which defines the Domain Resolution Order is added to
the object only after modification. Therefore before modification of
object the attributelevelrights does not contain the 'domainresolutionorder'
attribute and the WebUI evaluates field as not writable.

'w_if_no_aci' flag was designed to make writable those fields
for which we don't have attributelevelrights.

https://pagure.io/freeipa/issue/7169

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-11-16 19:54:49 +02:00
Christian Heimes
38b17e1c79 Test script for ipa-custodia
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-16 08:49:34 +01:00
Christian Heimes
8bbeedc93f
Backup ipa-custodia conf and keys
https://pagure.io/freeipa/issue/7247

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-13 18:10:54 +01:00
Michal Reznik
db313da62c
manpage: ipa-replica-conncheck - fix minor typo
Fixes minor typo "Defaults t" to "Defaults to".

https://pagure.io/freeipa/issue/7250

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-13 12:14:34 +01:00
Felipe Barreto
405da071d1 Warning the user when using a loopback IP as forwarder
Changing the --forwarder option to accept a loopback IP.
Previously, an error would be raised, now we just show a
warning message.

Fixes: https://pagure.io/freeipa/issue/5801
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-11-09 09:24:03 -02:00
Felipe Barreto
b84e8be5ac Removing replica-s4u2proxy.ldif since it's not used anymore
Since commit 23a0453c4d, the
replica-s4u2proxy.ldif file it's not used anymore.

https://pagure.io/freeipa/issue/7174

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-09 09:05:39 -02:00
Stanislav Laznicka
5458bb506f
Add indexing to improve host-find performance
host-find <host_name> command performance gets deteriorated when
there's way too many hosts in the LDAP tree. We're adding indices
to try and mitigate this behavior.

https://pagure.io/freeipa/issue/6371

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-07 16:49:36 +01:00
Stanislav Laznicka
c99b37737a
Add the sub operation for fqdn index config
This should improve performance of the host-find command.

https://pagure.io/freeipa/issue/6371

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-07 16:49:36 +01:00
Florence Blanc-Renaud
d8b3e53ce1
Py3: fix ipa-replica-conncheck
ipa-replica-conncheck is using the socket methods sendall()
and sendto() with str. Theses methods expect str params in
python2 but bytes in python3.

Related to
https://pagure.io/freeipa/issue/7131

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-03 15:10:28 +01:00
Aleksei Slaikovskii
59802d37d1
Add a notice to restart ipa services after certs are installed
Adding notice for user to restart services after
ipa-server-certinstall.

https://pagure.io/freeipa/issue/7016

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-11-01 12:46:57 +01:00
Fraser Tweedale
3e33857827
Remove caJarSigningCert profile and related code
The caJarSigningCert profile was used for issuing the object signing
certificate for signing the Firefox auto-configuration extension
(XPI).  We removed the extension and object signing certificate some
time ago, so remove the profile and the related code that sets it
up.

Fixes: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-01 12:39:19 +01:00
Fraser Tweedale
260db9dece
Remove XPI and JAR MIME types from httpd config
We added MIME types for JAR and XPI files, which were needed for
correct handling of the Firefox auto-configuration plugin.  The
plugin was removed some time ago, so remove the media type
definitions.

Part of: https://pagure.io/freeipa/issue/7226

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-01 12:39:19 +01:00
Rishabh Dave
d65297311d
ipa-ca-install: mention REPLICA_FILE as optional in help
As man page already does it, update the help text to show REPLICA_FILE
as optional.

Fixes https://pagure.io/freeipa/issue/7223

Signed-off-by: Rishabh Dave <rishabhddave@gmail.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-30 10:49:13 +01:00
Fraser Tweedale
aa5ad3e2d3
Add missing space in ipa-replica-conncheck error
Fixes: https://pagure.io/freeipa/issue/7224
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-30 10:35:01 +01:00
Florence Blanc-Renaud
7b149b3c7f
Fix ipa-replica-conncheck when called with --principal
ipa-replica-conncheck can be called with --principal / --password or
with an existing Kerberos credential cache in order to supply the
authorized identity logging in to the master machine (in
auto-master-check mode).

In domain-level 0, the tool is called with --principal and password
and tries to obtain a TGT by performing kinit, but does not set the
env var KRB5CCNAME. Subsequent calls to IPA API do not use the
credential cache and fail. In this case, ipa-replica-conncheck falls
back to using SSH to check master connectivity instead of IPA API,
and the ssh check is less robust.

The code should set the KRB5CCNAME env var for IPA API to use the
credential cache.

Fixes:
https://pagure.io/freeipa/issue/7221

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-26 15:06:49 +02:00
Tomas Krizek
624b34ab2b
ldap: limit the retro changelog to dns subtree
The content synchronization plugin can be limited to the dns subtree in
Directory Server. This increases performance and helps to prevent some
potential issues.

Fixes: https://pagure.io/freeipa/issue/6515
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-26 12:40:28 +02:00
Thorsten Scherf
28802b396f Add debug option to ipa-replica-manage and remove references to api_env var.
https://pagure.io/freeipa/issue/7187

Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
2017-10-25 14:34:07 -02:00
Christian Heimes
b29db07c3b Use os.path.isfile() and isdir()
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.

The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-20 12:27:19 +02:00
Alexander Bokovoy
620f9653ba ipa-replica-manage: implicitly ignore initial time skew in force-sync
When performing force synchronization, implicitly ignore initial
time skew (if any) and restore it afterwards.

This also changes semantics of force-sync by waiting until the end of
the initial replication.

Fixes https://pagure.io/freeipa/issue/7211

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-19 17:48:58 +03:00
Alexander Bokovoy
051786ce37 ds: ignore time skew during initial replication step
Initial replica creation can go with ignoring time skew checks.
We should, however, force time skew checks during normal operation.

Fixes https://pagure.io/freeipa/issue/7211

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-19 17:48:58 +03:00
Florence Blanc-Renaud
49cf5ec64b
ipa-cacert-manage renew: switch from ext-signed CA to self-signed
The scenario switching from externally signed CA to self-signed CA is
currently failing because the certmonger helper goes through the wrong
code path when the cert is not self-signed.

When the cert is not self-signed but the admin wants to switch to self-signed
a new cert needs to be requested, not retrieved from LDAP.

https://pagure.io/freeipa/issue/7173

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-10-18 12:34:03 +02:00
Christian Heimes
dea059d158
Block PyOpenSSL to prevent SELinux execmem in wsgi
Some dependencies like Dogtag's pki.client library and custodia use
python-requsts to make HTTPS connection. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
of python-cryptography which trigger a execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).

When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.

Block any import of PyOpenSSL's SSL module in wsgi by raising an
ImportError. The block is compatible with new python-requests with
unbundled urllib3, too.

Fixes: https://pagure.io/freeipa/issue/5442
Fixes: RHBZ#1491508
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-10-18 12:09:57 +02:00
Fraser Tweedale
29f4ec865b ipa-cacert-manage: support MS V2 template extension
Update ipa-cacert-manage to support the MS V2 certificate template
extension.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
fc7c684b12 ipa-ca-install: add --external-ca-profile option
Fixes: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
b4365e3a7f install: allow specifying external CA template
Allow the MS/AD-CS target certificate template to be specified by
name or OID, via the new option --external-ca-profile.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
1699cff350 Remove duplicate references to external CA type
Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00