get_allowed_attributes function was improved to look for allowed
attributes also in the superior objectclasses of specified objectclass.
This fixes the regression caused by patch for ticket #2293. Test-case
for unit-test was also created.
https://fedorahosted.org/freeipa/ticket/2293
This will add it on upgrades too and any new certs issued will have
a subject key identifier set.
If the user has customized the profile themselves then this won't be
applied.
https://fedorahosted.org/freeipa/ticket/2446
New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its
ABI and broke our TLS connection in ipa-replica-manage. This makes
it impossible to connect for example to Active Directory to set up
a winsync replication. We always receive a connection error stating
that Peer's certificate is not recognized even though we pass
a correct certificate.
This patch fixes the way we set up TLS. The change is backwards
compatible with older versions of openldap.
https://fedorahosted.org/freeipa/ticket/2500
The dn value needs to be quoted otherwise it is interpreted to be a
multi-value.
This will replace whatever value is currently set.
https://fedorahosted.org/freeipa/ticket/2452
Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.
https://fedorahosted.org/freeipa/ticket/2483
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.
The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.
https://fedorahosted.org/freeipa/ticket/1314
When a replica is deleted, its memberPrincipal entries in
cn=s4u2proxy,cn=etc,SUFFIX were not removed. Then, if the replica
is reinstalled and connected again, the installer would report
an error with duplicate value in LDAP.
This patch extends replica cleanup procedure to remove replica
principal from s4u2proxy configuration.
https://fedorahosted.org/freeipa/ticket/2451
A number of different errors could occur when trying to handle an
error which just confused matters.
If no CCache was received then trying to retrieve context.principal
in the error message caused yet another exception to be raised.
Trying to get Command[name] if name wasn't defined in command would
raise an exception.
Trying to raise errors.CCache was failing because the response hadn't
been started.
https://fedorahosted.org/freeipa/ticket/2371
Our install tools like ipa-server-install, ipa-replica-{prepare,
install} may allow hostnames that do not match the requirements
in ipalib. This creates a disconnect and may cause issues when
user cannot delete hostnames created by install tools.
This patch makes sure that ipalib requirements are applied to
install tools hostnames as well.
https://fedorahosted.org/freeipa/ticket/2089
We don't want to run the risk of adding a user, uninstalling it,
the system adding a new user (for another package install for example)
and then re-installing IPA. This wreaks havoc with file and directory
ownership.
https://fedorahosted.org/freeipa/ticket/2423
login_password is expecting that request content_type will be 'application/x-www-form-urlencoded'.
Current check is an equality check of content_type http header.
RFC 3875 defines that content type can contain parameters separated by ';'. For example: when firefox is doing ajax call it sets the request header to 'application/x-www-form-urlencoded; charset=UTF-8' which leads to negative result.
This patch makes the check more benevolent to allow such values.
Patch is a fixup for:
https://fedorahosted.org/freeipa/ticket/2095
* Adjust URL's
- rename /ipa/login -> /ipa/session/login_kerberos
- add /ipa/session/login_password
* Adjust Kerberos protection on URL's in ipa.conf
* Bump VERSION in httpd ipa.conf to pick up session changes.
* Adjust login URL in ipa.js
* Add InvalidSessionPassword to errors.py
* Rename krblogin class to login_kerberos for consistency with
new login_password class
* Implement login_password.kinit() method which invokes
/usr/bin/kinit as a subprocess
* Add login_password class for WSGI dispatch, accepts POST
application/x-www-form-urlencoded user & password
parameters. We form the Kerberos principal from the server's
realm.
* Add function krb5_unparse_ccache()
* Refactor code to share common code
* Clean up use of ccache names, be consistent
* Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file()
with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache().
bind_ipa_ccache() now sets environment KRB5CCNAME variable.
release_ipa_ccache() now clears environment KRB5CCNAME variable.
* ccache names should now support any ccache storage scheme,
not just FILE based ccaches
* Add utilies to return HTTP status from wsgi handlers,
use constants for HTTP status code for consistency.
Use utilies for returning from wsgi handlers rather than
duplicated code.
* Add KerberosSession.finalize_kerberos_acquisition() method
so different login handlers can share common code.
* add Requires: krb5-workstation to server (server now calls kinit)
* Fix test_rpcserver.py to use new dispatch inside route() method
https://fedorahosted.org/freeipa/ticket/2095
Previously sessions expired after session_auth_duration had elapsed
commencing from the start of the session. We new support a "rolling"
expiration where the expiration is advanced by session_auth_duration
everytime the session is accessed, this is equivalent to a inactivity
timeout. The expiration is still constrained by the credential
expiration in all cases. The session expiration behavior is
configurable based on the session_auth_duration_type.
* Reduced the default session_auth_duration from 1 hour to 20 minutes.
* Replaced the sesssion write_timestamp with the access_timestamp and
update the access_timestamp whenever the session data is created,
retrieved, or written.
* Modify set_session_expiration_time to handle both an inactivity
timeout and a fixed duration.
* Introduce KerberosSession as a mixin class to share session
duration functionality with all classes manipulating session data
with Kerberos auth. This is both the non-RPC login class and the RPC
classes.
* Update make-lint to handle new classes.
* Added session_auth_duration_type config item.
* Updated default.conf.5 man page for new session_auth_duration_type item.
* Removed these unused config items: mount_xmlserver,
mount_jsonserver, webui_assets_dir
https://fedorahosted.org/freeipa/ticket/2392
* Increase the session ID from 48 random bits to 128.
* Implement the sesison_logout RPC command. It permits the UI to send
a command that destroys the users credentials in the current
session.
* Restores the original web URL's and their authentication
protections. Adds a new URL for sessions /ipa/session/json. Restores
the original Kerberos auth which was for /ipa and everything
below. New /ipa/session/json URL is treated as an exception and
turns all authenticaion off. Similar to how /ipa/ui is handled.
* Refactor the RPC handlers in rpcserver.py such that there is one
handler per URL, specifically one handler per RPC and AuthMechanism
combination.
* Reworked how the URL names are used to map a URL to a
handler. Previously it only permitted one level in the URL path
hierarchy. We now dispatch on more that one URL path component.
* Renames the api.Backend.session object to wsgi_dispatch. The use of
the name session was historical and is now confusing since we've
implemented sessions in a different location than the
api.Backend.session object, which is really a WSGI dispatcher, hence
the new name wsgi_dispatch.
* Bullet-proof the setting of the KRB5CCNAME environment
variable. ldap2.connect already sets it via the create_context()
call but just in case that's not called or not called early enough
(we now have other things besides ldap which need the ccache) we
explicitly set it early as soon as we know it.
* Rework how we test for credential validity and expiration. The
previous code did not work with s4u2proxy because it assumed the
existance of a TGT. Now we first try ldap credentials and if we
can't find those fallback to the TGT. This logic was moved to the
KRB5_CCache object, it's an imperfect location for it but it's the
only location that makes sense at the moment given some of the
current code limitations. The new methods are KRB5_CCache.valid()
and KRB5_CCache.endtime().
* Add two new classes to session.py AuthManager and
SessionAuthManager. Their purpose is to emit authication events to
interested listeners. At the moment the logout event is the only
event, but the framework should support other events as they arise.
* Add BuildRequires python-memcached to freeipa.spec.in
* Removed the marshaled_dispatch method, it was cruft, no longer
referenced.
https://fedorahosted.org/freeipa/ticket/2362
ipautil.run expects a tuple of passwords for nolog; passing a
single string causes all individual letters from that string to
be replaced by Xes.
This fixes such a call, and adds a sanity check to ipautil.run
that prevents lone strings from being used in nolog.
https://fedorahosted.org/freeipa/ticket/2419
SSH public key support includes a feature to automatically add/update
client SSH fingerprints in SSHFP records. However, the update won't
work for zones created before this support was added as they don't
allow clients to update SSHFP records in their update policies.
This patch lets dns upgrade module extend the original policy
to allow the SSHFP dynamic updates. It updates only original
policy, we don't want it to overwrite custom user policies.
https://fedorahosted.org/freeipa/ticket/2394
force-sync, re-initialize and del were not working because they
all attempted to contact the AD server. winsync agreements are
managed on the local 389-ds instance.
This also:
- requires root to create winsync agreement (for updating NSS db)
- fixes filter in get_replication_agreement() to work with winsync
https://fedorahosted.org/freeipa/ticket/2128
Provide a way to specify BIND allow-query and allow-transfer ACLs
for DNS zones.
IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To
avoid zone information leaks to unintended places, allow-transfer
ACL for every zone is by default set to none and has to be
explicitly enabled by an Administrator. This is done both for new
DNS zones and old DNS zones during RPM update via new DNS upgrade
plugin.
https://fedorahosted.org/freeipa/ticket/1211
Implement API for DNS global options supported in bind-dyndb-ldap.
Currently, global DNS option overrides any relevant option in
named.conf. Thus they are not filled by default they are left as
a possibility for a user.
Bool encoding had to be fixed so that Bool LDAP attribute can also
be deleted and not just set to True or False.
https://fedorahosted.org/freeipa/ticket/2216
This is needed on F-17+, otherwise things blow up when we try to see
if we've added new schema.
Introspection is required to see if the argument check_uniqueness is
available.
https://fedorahosted.org/freeipa/ticket/2383
I noticed a couple of bad references in ipapython/dogtag.py and
fixed those as well. We used to call sslget for all our SSL client
needs before python-nss was written.
https://fedorahosted.org/freeipa/ticket/2391
For some reason lost to history the sub_dict in dsinstance and
cainstance used FQHN instead of FQDN. This made upgrade scripts not
work reliably as the variable might be different depending on context.
Use FQDN universally instead.
Add support for autobind to services. This is a bit of a special case
so I currently require the caller to specify ldapi separately. It only
makes sense to do this only in upgrade cases.
Also uninstall ipa_memcached when uninstalling the server.
https://fedorahosted.org/freeipa/ticket/2399
Always have FQDN available in the update dictionary. There were cases
where it would contain the ldapi socket path and not the FQDN.
https://fedorahosted.org/freeipa/ticket/2147
This is for the LDAP updater in particular. When adding new schema
order can be important when one objectclass depends on another via
SUP.
This calculation will preserve the order of changes in the update file.
Discovered trying to add SSH schema.
https://fedorahosted.org/freeipa/ticket/754
This is done by calling host-mod to update the keys on IPA server and nsupdate
to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp
ipa-client-install option.
https://fedorahosted.org/freeipa/ticket/1634
This patch adds a new multivalue param "sshpubkey" for specifying SSH public
keys to both user and host objects. The accepted value is base64-encoded
public key blob as specified in RFC4253, section 6.6.
Additionaly, host commands automatically update DNS SSHFP records when
requested by user.
https://fedorahosted.org/freeipa/ticket/754
This patch switches to named ("%(name)s") instead of positional ("%s")
substitutions for internationalized strings, so translators can
reorder the words.
This fixes https://fedorahosted.org/freeipa/ticket/2179 (xgettext no
longer gives warnings).
Also, some i18n calls are rewritten to translate the template before
substitutions, not after.
This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:
* Add a session manager to support cookie based sessions which
stores session data in a memcached entry.
* Add ipalib/krb_utils.py which contains functions to parse ccache
names, format principals, format KRB timestamps, and a KRB_CCache
class which reads ccache entry and allows one to extract information
such as the principal, credentials, credential timestamps, etc.
* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
that all kerberos items are co-located.
* Modify javascript in ipa.js so that the IPA.command() RPC call
checks for authentication needed error response and if it receives
it sends a GET request to /ipa/login URL to refresh credentials.
* Add session_auth_duration config item to constants.py, used to
configure how long a session remains valid.
* Add parse_time_duration utility to ipalib/util.py. Used to parse the
session_auth_duration config item.
* Update the default.conf.5 man page to document session_auth_duration
config item (also added documentation for log_manager config items
which had been inadvertantly omitted from a previous commit).
* Add SessionError object to ipalib/errors.py
* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
/ipa/login
* Add SessionCCache class to session.py to manage temporary Kerberos
ccache file in effect for the duration of an RPC command.
* Adds a krblogin plugin used to implement the /ipa/login
handler. login handler sets the session expiration time, currently
60 minutes or the expiration of the TGT, whichever is shorter. It
also copies the ccache provied by mod_auth_kerb into the session
data. The json handler will later extract and validate the ccache
belonging to the session.
* Refactored the WSGI handlers so that json and xlmrpc could have
independent behavior, this also moves where create and destroy
context occurs, now done in the individual handler rather than the
parent class.
* The json handler now looks up the session data, validates the ccache
bound to the session, if it's expired replies with authenicated
needed error.
* Add documentation to session.py. Fully documents the entire process,
got questions, read the doc.
* Add exclusions to make-lint as needed.
* Adds ipa_memcached SystemV initscript
* Adds ipa_memcached service file and tmpfiles.d/ipa.conf
to recreate /var/run/ipa_memcached on reboot.
* Adds ipa_memcached config file
* Adds memcacheinstnace.py to manage ipa_memcaced as
as SimpleService object.
* Updates the IPA service list to include ipa_memcached,
at service positon 39, httpd is position 40
* Updates the spec file:
- requires the memcached daemon and python client
- installs service or initscripts depending on OS
- installs config file
- creates /var/run/ipa_memcached directory
* Modifies ipa-server-install to install ipa_memcached
This ensures a correct configuration in case a user has created their
own openldap config file and set SASL_SECPROPS to something bad.
Note that this doesn't modify the 389-ds setting which by default is 0.
https://fedorahosted.org/freeipa/ticket/2021
When using ipa-replica-manage or ipa-csreplica-manage to delete an
agreement with a host we would try to make a connection to that host
prior to tryign to delete it. This meant that the trying to delete
a host we don't have an agreement with would return a connection
error instead of a "no agreement with host foo" error.
Also display a completed message when an agreement is removed.
https://fedorahosted.org/freeipa/ticket/2048https://fedorahosted.org/freeipa/ticket/2125
We have bind code that can handle the case where a server hasn't
come up yet. It needs to handle a real connection failure such
as the TLS hostname not matching. If we try to bind anyway we end
up with a segfault in openldap.
https://fedorahosted.org/freeipa/ticket/2301
"!" is a unary LDAP filter operator and cannot be treated in the
same way as binary operators ("&", "|"). Otherwise, an invalid
LDAP filter is created.
https://fedorahosted.org/freeipa/ticket/1675
The nsDS5ReplicaUpdateSchedule parameter is omited what results in
replication being run all the time. The parameter is still used for
forcing replica update but after that action it is always deleted.
https://fedorahosted.org/freeipa/ticket/1482
A server may have 2 or more NICs and its hostname may thus resolve
to 2 and more forward addresses. IP address checks in install
scripts does not expect this setup and may fail or crash.
This script adds a support for multiple forward addresses for
a hostname. The install scripts do not crash now. When one IP
address is needed, user is asked to choose from all detected
server IP addresses.
https://fedorahosted.org/freeipa/ticket/2154
Having float type as a base type for floating point parameters in
ipalib introduces several issues, e.g. problem with representation
or value comparison. Python language provides a Decimal type which
help overcome these issues.
This patch replaces a float type and Float parameter with a
decimal.Decimal type in Decimal parameter. A precision attribute
was added to Decimal parameter that can be used to limit a number
of decimal places in parameter representation. This approach fixes
a problem with API.txt validation where comparison of float values
may fail on different architectures due to float representation error.
In order to safely transfer the parameter value over RPC it is
being converted to string which is then converted back to
decimal.Decimal number on a server side.
https://fedorahosted.org/freeipa/ticket/2260
Changes to add a cs-replication management tool mistakenly always set a flag
that caused replicas to not add the list of attribute we exclude from
replication.
Let ipa-replica-prepare and ipa-replica-install work without
proper DNS records as records in /etc/hosts are sufficient for
DS replication.
1) ipa-replica-prepare now just checks if the replica hostname
is resolvable (DNS records are not required). It is now able
to prepare a replica file even when the replica IP address is
present in /etc/hosts only.
2) ipa-replica-install is now able to proceed when the hostname
is not resolvable. It uses an IP address passed in a new
option --ip-address to create a record in /etc/hosts in the
same way as ipa-server-install does.
https://fedorahosted.org/freeipa/ticket/2139
