This had been hardcoded to debug=True but it spams the logs
with a lot of unnecessary information.
Allow it to be enabled for troubleshooting purposes but keep it
disabled by default.
Enabling debug would involve created /etc/ipa/dns.conf:
[global]
debug = True
I didn't add a more generic mechanism because for now we only need
the value of debug and it introduces a lot of type conversion
headaches. ipalib handles this automatically but to duplicate this
would be corner-case city.
Fixes: https://pagure.io/freeipa/issue/9128
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Include functions to manage IdM service using ipactl, in particular
starting, stopping and restarting the service.
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Test for RFE: Improve error message with more detail for
ipa-replica-install command. If the replication agreement already
exists, check if the error message contains
a particular command needed to delete it.
Related: https://pagure.io/freeipa/issue/9162
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
These pre-existed in ipaserver/install/replication.py.
The constants were only originally used in ldapupdate.py
but have subsequently been switched to the replication.py
versions so they are not used anywhere in the code.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06
389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.
passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is suported for both the
global and per-group password policies.
passwordGraceUserTime is a count per-user of the number of binds.
When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.
If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.
Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.
Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.
The passwordGraceUserTime attribute is reset to 0 upon a password
reset.
user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.
Note that passwordGraceUserTime is an operational attribute.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For a well-known anonymous principal an Anonymous PKINIT method is used
which ignores the password set in the principal entry. For these
principals any defined user auth type is irrelevant, their use is
defined in RFC 6112. This gets confusing when a default user auth type
requires a particular authentication method.
When AS request for Anonymous PKINIT is used, a TGT would contain no
authentication indicator. It means we cannot apply any specific
indicator policy and must skip the checks.
Fixes: https://pagure.io/freeipa/issue/9165
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
In bind 9.17.2+ all dnssec utilities were moved to /usr/bin with
commit 4419606c9d2a52536a6dd0882ac0c7068ac27f30.
Since we only use those utilities in the specialized tool, do a fixup of
the paths in the tool.
Fixes: https://pagure.io/freeipa/issue/9157
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
This will allow custom hardened password policy to be applied.
Without this then the policy will be skipped because the UA
is not enabled.
The KDC and client will prefer SPAKE any time it is available.
For IPA this should mean we should choose hardened setting over a
default one any time SPAKE is used.
Related: https://pagure.io/freeipa/issue/9121
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add the --subid option to client, server and replica installers.
This option allows to configure authselect with the sssd
profile + with-subid feature, in order to have SSSD setup as
a datasource for subid in /etc/nsswitch.conf.
The default behavior remains unchanged: without the option,
/etc/nsswitch.conf keeps the line subid: files
Fixes: https://pagure.io/freeipa/issue/9159
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
So that it prints out a valid command:
- replace "ipa-replica-manage del" by "ipa server-del" (only domain-level1 is now supported)
- the commands needs to be run on a working server, not on the host where ipa-replica-install failed
Fixes: https://pagure.io/freeipa/issue/9162
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
If the client was installed with authconfig, with
automount configured to use ldap (--no-sssd), and later
updated to a version using authselect, the uninstaller
tries to disable the authselect feature with-custom-automount
but fails because there is no authselect profile in use.
(Upgrade of a client does not transform authconfig settings
into authselect settings because we don't have any client
upgrader, as opposed to the ipa-server-upgrade for the
servers).
To avoid uninstallation failure, ignore the error and log a
warning.
The second part of the commit leverages the "complete" state
stored in the statestore, in order to fix issues when
a client installation fails and the installation is reverted
by the ipa-client-install tool itself.
The fix checks if the statestore shows an incomplete
installation. If the install was incomplete and failed before
any attempt to configure authselect, then unconfigure doesn't
need to do anything. In the other cases, unconfigure needs
to revert to the pre-ipa state.
Fixes: https://pagure.io/freeipa/issue/9147
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In RHEL there is a split of packages between Base OS and AppStream
repositories. While both repositories are accessible and enabled by
default, there are different requirements towards binary packages in
both. Namely, Base OS packages cannot have runtime dependencies to
AppStream packages and they should have a stricter lifecycle promises in
terms of API and ABI stability.
SSSD 2.7.0 adds sssd-idp package which provides actual implementation of
OAuth 2.0 integration. Since SSSD is provided as part of Base OS, if
sssd-idp is placed there, then all its dependencies would have to be in
Base OS. Unfortunately, libjose is already part of AppStream.
SSSD team currently pulls sssd-idp as a dependency of sssd-ipa so
FreeIPA didn't need to change anything. However, Base OS requirements
will force SSSD team to drop sssd-idp dependency from sssd-ipa. This
means FreeIPA will have to explicitly depend on sssd-idp.
Fixes:https://pagure.io/freeipa/issue/9155
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
RTD default theme removes discs from the section list items which makes
design pages look strange. Add them back via small CSS override.
Also, add 1em on the left side of the disc to provide visual cue that
this is a list item.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 79a4073730)
When IdP configuration is provided, take it into account:
- idp-specific Kerberos ticket policy would be applied
- Presence of IdP link in a Kerberos principal entry would cause KDB to
enable `idp` pre-authentication method on KDC side.
The latter requires additional pre-authentication method supplied with
SSSD 2.7.0.
Fixes: https://pagure.io/freeipa/issue/8804
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
SSSD OIDC helper is used for negotiating with OAUTH2 or OIDC end points
of external identity providers (IdPs).
ipa-otpd daemon now is capable to take either Issuer URL or individual
endpoints and call SSSD OIDC helper accordingly.
Communication with SSSD OIDC helper can be debugged with the use of a
debug variable set in /etc/ipa/default.conf. Man page for
default.conf(5) has been updated to provide this information.
Fixes: https://pagure.io/freeipa/issue/8805
Signed-off-by: Sumit Bose <sbose@redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
Update instructions on how to build images starting with Fedora 34 using
kickstart files used by Fedora to build its cloud images.
Change vagrant provisioning steps to support both prebuilt and default
cloud images, removing the burden of maintaining boxes up-to-date, but
also providing a way to build fresh images without external packer
templates.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
The test test_ipahealthcheck.py::TestIpaHealthCheckWithoutDNS
is installing the server without DNS but calls the installer
with --no-dnssec-validation option.
Remove the --no-dnssec-validation option as it is incompatible
with a non-DNS setup.
Fixes: https://pagure.io/freeipa/issue/9152
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
healthcheck related tests are failing because of the below issue
"client @0x7f8ee47c4d48 : servfail cache hit (CD=0)"
and as a result healthcheck related packages are not downloaded on test
system.
Hence adding the --no-dnssec-validation option to install_master
and install_replica function
https://pagure.io/freeipa/issue/9151
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Allow npm to install and use latest grunt that is compatible with newer
OpenSSL.
This, in turn, requires ATK interfaces to be present for the chromium
installed by puppeteer.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Newer grunt will pull a PhantomJS that is compatible with newer OpenSSL
so the workaround is not needed anymore.
Additionally, OpenSSL 3.0 is more strict and does not tolerate
non-existing default configuration file.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Use fedora-toolbox:36 image as it is prepared to work with systemd and
sudo
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
subid range management does not allow to delete ranges
If subid range was allocated, it cannot be removed because there might
be file objects associated with it on one of IPA clients.
In Web UI a button to remove the range should not be shown.
Remove corresponding test from the Web UI test for subid as the button
to remove the subid range is not present anymore.
Fixes: https://pagure.io/freeipa/issue/9150
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
The test is calling getcert rekey -G DSA in order to rekey
a certificate with a DSA key, but DSA support has been disabled
in the default crypto policy, and certmonger does not support it
any more (see the BZ
https://bugzilla.redhat.com/show_bug.cgi?id=2066439)
Remove the test as it's not relevant anymore. The rekey
operation is tested anyway in other tests:
- test_certmonger_rekey_keysize
- test_rekey_keytype_RSA
- test_rekey_request_id
Fixes: https://pagure.io/freeipa/issue/9140
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ReadTheDocs somehow caches requirements and insists in using old
version of Sphinx (1.8). We have to force using newer one (4.5)
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Documentation generator can be run inside Python virtual environment.
This allows to isolate from the system-wide changes and add Sphinx
extensions that aren't packaged in a distribution.
The only exception right now is plantuml package. We rely on plantuml to
generate diagrams and since it is written in Java, it cannot be
installed directly into the Python venv through 'pip' tool.
Fixes: https://pagure.io/freeipa/issue/9148
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
