Commit Graph

9787 Commits

Author SHA1 Message Date
Martin Babinsky
a5efeb449b ipa-compat-manage: use server API to retrieve plugin status
https://fedorahosted.org/freeipa/ticket/6033

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-07-12 10:59:59 +02:00
Milan Kubík
0277a89825 ipatests: remove ipacertbase option from test CSR configuration
The issue was found during test review. If the cert base contains
spaces, openssl req fails.

https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-07-12 10:55:50 +02:00
Milan Kubík
d88a12f1f5 ipatests: Test Sub CA with CAACL and certificate profile
Test the Sub CA feature by signing a CSR with custom
certificate profile.

The test also covers 'cert-request' fallback behaviour
for missing 'cacn' and 'profile-id' options by reusing
the fixtures from the module.

https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-07-12 10:55:50 +02:00
Milan Kubík
5b37aaad77 ipatests: Extend CAACL suite to cover Sub CA members
https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-07-12 10:55:50 +02:00
Milan Kubík
ea9b15f435 ipatests: Tracker implementation for Sub CA feature
The patch implements a Tracker subclass for the CA plugin
and the basic CRUD tests for the plugin entries.

https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-07-12 10:55:50 +02:00
Martin Babinsky
c5cc79f1ad ipa-nis-manage: Use server API to retrieve plugin status
https://fedorahosted.org/freeipa/ticket/6027

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-07-12 10:53:03 +02:00
Fraser Tweedale
88841a5619 uninstall: untrack lightweight CA certs
Fixes: https://fedorahosted.org/freeipa/ticket/6020
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-12 10:50:52 +02:00
Oleg Fayans
f784532d4e Test for incorrect client domain
https://fedorahosted.org/freeipa/ticket/5976

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 17:59:27 +02:00
Petr Spacek
dc5b2eaa77 client-install: log exceptions from certmonger.request_cert
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 13:33:49 +02:00
Martin Babinsky
0ade41abba Fix incorrect check for principal type when evaluating CA ACLs
This error prevented hosts from requesting certificates for themselves.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-07-01 13:16:23 +02:00
Petr Vobornik
4c1d737656 Become IPA 4.4.0
2016-07-01 11:39:29 +02:00
Martin Basti
3f26702981 IPA 4.4.0 Translations
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-01 11:24:53 +02:00
David Kupka
d2cb9ed327 Allow unexpiring passwords
Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.

https://fedorahosted.org/freeipa/ticket/2795

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-07-01 11:22:02 +02:00
Fraser Tweedale
3691e39a62 Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3
ipa-server-upgrade from pre-lightweight CAs version fails when
Dogtag is also being upgraded from pre-lightweight CAs version,
because Dogtag needs to be restarted after adding the lightweight
CAs container, before requesting information about the host
authority.

Move the addition of the Dogtag lightweight CAs container entry a
bit earlier in the upgrade procedure, ensuring restart.

Fixes: https://fedorahosted.org/freeipa/ticket/6011
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-01 11:09:53 +02:00
Petr Spacek
5e78b54d7c Fix internal errors in host-add and other commands caused by DNS resolution
Previously the resolver was returning CheckedIPAddress objects. This caused
an internal server error in cases where DNS actually returned reserved IP
addresses.

Now the resolver is returning UnsafeIPAddress objects which do syntactic
checks but do not filter IP addresses.

From now on we can decide if some IP address should be accepted as-is or
if it needs to be constrained to some subset of IP addresses using
CheckedIPAddress class.

This regression was caused by changes for
https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 10:35:39 +02:00
Petr Spacek
ce1f9ca51b Remove unused is_local(), interface, and defaultnet from CheckedIPAddress
All these were unused so I'm removing them to keep the code clean and
easier to read. At this point it is clear that the only difference between
netaddr.IPAddress and CheckedIPAddress is prefixlen attribute.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 10:35:39 +02:00
Martin Basti
a635135ba3 Bump SSSD version in requires
This is required by commit aa734da494 for
function sss_nss_getnamebycert()

https://fedorahosted.org/freeipa/ticket/4955

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-07-01 10:20:36 +02:00
David Kupka
cea1f33606 schema: Perform the check for schema update when force_schema_check is True
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 10:12:34 +02:00
Fraser Tweedale
4844eaec19 Add --cn option to cert-status
Add the 'cacn' option to the cert-status command.  Right now there
is nothing we need to (or can) do with it, but we add it anyway for
future use.

Fixes: https://fedorahosted.org/freeipa/ticket/5999
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 10:05:16 +02:00
Pavel Vomacka
2ec59b7f23 Add widget for kerberos aliases to service page
Also changes the name of the option which is sent when adding a new service from
'krbprincipalname' to 'krbcanonicalname'.

https://fedorahosted.org/freeipa/ticket/5927

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-07-01 09:39:49 +02:00
Pavel Vomacka
62c4e15d16 Add widget for kerberos aliases to hosts page
https://fedorahosted.org/freeipa/ticket/5927

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-07-01 09:39:49 +02:00
Pavel Vomacka
2da3090a97 Add widget for kerberos aliases to user page
https://fedorahosted.org/freeipa/ticket/5927

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-07-01 09:39:49 +02:00
Pavel Vomacka
4bc2e3164f Add widgets for kerberos aliases
Create own custom_command_multivalued_widget for kerberos aliases.

https://fedorahosted.org/freeipa/ticket/5927

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-07-01 09:39:49 +02:00
Pavel Vomacka
2232a5bb09 Set default confirmation button label to 'Remove'
Part of: https://fedorahosted.org/freeipa/ticket/5831

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-07-01 09:39:49 +02:00
Pavel Vomacka
df56fd3371 Change error handling in custom_command_multivalued_widget
The custom_command_multivalued_widget now handles errors of the remove and add
commands correctly and shows an error message.

Part of: https://fedorahosted.org/freeipa/ticket/5381

add_error

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-07-01 09:39:49 +02:00
Martin Babinsky
acf2234ebc Unify display of principal names/aliases across entities
Since now users, hosts, and services all support assigning multiple principal
aliases to them, the display of kerberos principal names should be consistent
across all these objects. Principal aliases and canonical names will now be
displayed in all add, mod, show, and find operations.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
e6ff83e361 Provide API for management of host, service, and user principal aliases
New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...])
were added to manage principal aliases.

'add' commands will check the following:
* the correct principal type is supplied as an alias
* the principals have correct realm and the realm/alternative suffix (e.g.
  e-mail) do not overlap with those of trusted AD domains

If the entry does not have a canonical principal name, the first returned
principal name will be set as one. This is mostly to smoothly operate on
entries created on older servers.

'remove' commands will check that there is at least one principal alias equal
to the canonical name left on the entry.

See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliases

https://fedorahosted.org/freeipa/ticket/1365
https://fedorahosted.org/freeipa/ticket/3961
https://fedorahosted.org/freeipa/ticket/5413

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
a28d312796 Make framework consider krbcanonicalname as service primary key
The framework does not allow single param to appear as both positional
argument and option in a single command, or to represent two different
positional arguments for that matter. Since principal aliases shall go to
krbprincipalname attribute, the framework has to be tricked to believe
krbcanonicalname is the service's primary key. The entry DN stored in LDAP
remains the same.

https://fedorahosted.org/freeipa/ticket/1365

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
750a392fe2 Allow for commands that use positional parameters to add/remove attributes
Commands that modify a single multivalued attribute of an entry should use
positional parameters to specify both the primary key and the values to
add/remove. Named options are redundant in this case.

The `--certificate` option of `*-add/remove-cert` commands was turned
mandatory to avoid EmptyModlist when it is omitted.

https://fedorahosted.org/freeipa/ticket/3961
https://fedorahosted.org/freeipa/ticket/5413

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
7e803aa462 replace an ACI relying on presence of deprecated objectclass
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
d1517482b5 Add ACI for admins to modify principal attributes
This is required for admins to utilize the APIs that enable them to add/remove
principal aliases to entities.

https://fedorahosted.org/freeipa/ticket/3864
https://fedorahosted.org/freeipa/ticket/3961
https://fedorahosted.org/freeipa/ticket/5413

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
c2af032c03 Migrate management framework plugins to use Principal parameter
All plugins will now use this parameter and common code for all operations on
Kerberos principals.  Additional semantic validators and normalizers were
added to determine or append a correct realm so that the previous behavior is
kept intact.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
974eb7b5ef ipalib: introduce Principal parameter
This patch introduces a separate Principal parameter that allows the framework
to syntactically validate incoming/outgoing principals by using a single
shared codebase.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
e6fc8f84d3 Test suite for ipapython/kerberos.py
Low-level unittests checking the correctness of principal parsing.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
de6abc7af2 ipapython module for Kerberos principal manipulation and parsing
This module implements a shared codebase to handle various types of Kerberos
principal names encountered during management of users, hosts and services.
The common codebase aims to replace various ad-hoc functions and routines
scattered along the management framework.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Jan Cholasta
2cf7c7b4ac client: add support for pre-schema servers
Bundle remote plugin interface definitions for servers which lack API
schema support. These server API versions are included:
* 2.49: IPA 3.1.0 on RHEL/CentOS 6.5+,
* 2.114: IPA 4.1.4 on Fedora 22,
* 2.156: IPA 4.2.0 on RHEL/CentOS 7.2 and IPA 4.2.4 on Fedora 23,
* 2.164: IPA 4.3.1 on Fedora 23.

For servers with other API versions, the closest lower API version is used.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-07-01 09:40:04 +02:00
Jan Cholasta
cf713ac283 client: do not crash when overriding remote command as method
Do not crash during API initialization when overriding a remote command that
is not a method with MethodOverride.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-07-01 09:40:04 +02:00
David Kupka
e5635f7ef4 schema: Decrease schema TTL to one hour
Since checking schema is a relatively cheap operation (one round-trip with
almost no data) we can do it often to ensure schema will be fetched by the
client ASAP after it was updated on the server.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-07-01 09:22:57 +02:00
Martin Basti
08fcc7e25a Do not log to file in remote conncheck side
https://fedorahosted.org/freeipa/ticket/5757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-01 09:05:33 +02:00
Martin Basti
4ce0258c23 Add option --no-log for ipa-replica-conncheck script
When the option is used, ipa-replica-conncheck will not log to a file

https://fedorahosted.org/freeipa/ticket/5757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-01 09:05:33 +02:00
Florence Blanc-Renaud
d9ae9ee1b5 Do not log error when removing a non-existing file
When the uninstaller tries to remove /etc/systemd/system/httpd.d/ipa.conf and
the file does not exist, only log to debug instead of error.

https://fedorahosted.org/freeipa/ticket/6012

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 09:01:21 +02:00
Fraser Tweedale
3ac3882631 Fix migration from pre-lightweight CAs master
Some container objects are not added when migrating from a
pre-lightweight CAs master, causing replica installation to fail.
Make sure that the containers exist and add an explanatory comment.

Fixes: https://fedorahosted.org/freeipa/ticket/5963
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-07-01 08:56:26 +02:00
Fraser Tweedale
0334693cfc Split CA replica installation steps for domain level 0
Installation from replica file is broken because lightweight CA
replication setup is attempted before Kerberos is set up.  To fix
the issue, explicitly execute step 1 before Kerberos setup, and
step 2 afterwards.

Part of: https://fedorahosted.org/freeipa/ticket/5963

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-07-01 08:56:26 +02:00
Petr Vobornik
88f7154f7f webui: prevent infinite reload for users with krbprincipal alias set
The Web UI has an inbuilt mechanism to reload in case the response from a server
contains a different principal than the one loaded during Web UI
startup.

see rpc.js:381

With kerberos aliases support the loaded principal could be different
because krbprincipalname contained multiple values.

In such a case krbcanonicalname should be used - it contains the same
principal as the one which will be in future API responses.

https://fedorahosted.org/freeipa/ticket/5927

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-01 08:53:35 +02:00
Yuri Chornoivan
f5eb71f75e Fix minor typo
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 08:52:37 +02:00
Fraser Tweedale
ffb1f5b1f2 Add --ca option to cert-revoke and cert-remove-hold
Implement the --ca option for cert-revoke and cert-remove-hold.
Defaults to the IPA CA.  Raise NotFound if the cert with the given
serial was not issued by the nominated CA.

Also default the --ca option of cert-show to the IPA CA.

Add commentary to cert-status to explain why it does not use the
--ca option.

Fixes: https://fedorahosted.org/freeipa/ticket/5999
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 05:54:56 +02:00
Stanislav Laznicka
235b19ba7f service: Added permissions for auth. indicators read/modify
Added permissions for Kerberos authentication indicators reading and
modifying to service objects.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-30 16:44:56 +02:00
Stanislav Laznicka
97db87b383 host: Added permissions for auth. indicators read/modify
Added permissions for Kerberos authentication indicators reading and
modifying to host objects.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-30 16:44:56 +02:00
Jan Cholasta
2beb72ffa4 server: exclude Local commands from RPC
Local API commands are not supposed to be executed over RPC but only
locally on the server. They are already excluded from API schema, exclude
them also from RPC and `batch` and `json_metadata` commands.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-30 16:32:20 +02:00
Jan Cholasta
8278da6967 client: add placeholders for required remote plugins
Add placeholders for remote plugins which are required by client-side
commands. They are used when the remote plugins are not available.

This fixes an API initialization error when the remote server does not have
the plugins.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-30 16:32:20 +02:00