Commit Graph

11290 Commits

Author SHA1 Message Date
Tomas Krizek
a924efe847 named.conf template: add modification warning
Warn the user some modifications may break IPA setup or upgrade.
All changes the user makes should be explicitly supported and mentioned
in the documentation. Undocumented and unsupported changes, such as
renaming dyndb part from "ipa" will break IPA.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-23 12:37:48 +02:00
Florence Blanc-Renaud
d932642475 ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
ipa-ca-install currently overwrites /etc/ipa/ca.crt with the CA chain
retrieved from Dogtag. It should instead append the new certs, otherwise
the CA that signed dirsrv and httpd certificates is removed and ipa tools
fail.
A consequence is that ipa-kra-install fails.
This is a regression introduced by 5ab85b36.

https://pagure.io/freeipa/issue/6925

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-22 13:28:40 +02:00
Florence Blanc-Renaud
319a079f6d ipa-replica-manage del (dl 0): remove server from defaultServerList
ipa-replica-manage del should remove the server from the entry
cn=default,ou=profile,$BASE
The entry contains an attribute
defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com

The code calls srvlist = ret.single_value.get('defaultServerList') which means
that srvlist contains a single value (string) containing all the servers
separated by a space, and not a list of attribute values. Because of that,
srvlist[0] corresponds to the first character of the value.
The fix splits srvlist and not srvlist[0].

https://pagure.io/freeipa/issue/6946

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 19:00:48 +02:00
Florence Blanc-Renaud
a02a0a95f2 server-del: update defaultServerList in cn=default,ou=profile,$BASE
ipa server-del should remove the server from the entry
cn=default,ou=profile,$BASE
The entry contains an attribute
defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com

The code calls srvlist = ret.single_value.get('defaultServerList') which means
that srvlist contains a single value (string) containing all the servers
separated by a space, and not a list of attribute values. Because of that,
srvlist[0] corresponds to the first character of the value.
The fix splits srvlist and not srvlist[0].

https://pagure.io/freeipa/issue/6943

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 18:45:52 +02:00
Stanislav Laznicka
df8205b55c Make a doctext more clear
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-19 16:49:04 +02:00
Michal Reznik
d5e84d7065 test_caless: mark TestCertinstall intermediate CA tests as xfail
mark TestCertinstall intermediate CA tests (http, ds) as xfail
until #6959 is solved

https://pagure.io/freeipa/issue/6959

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 12:38:54 +02:00
Michal Reznik
f7c4039e41 test_caless: add pkinit option and test it
change "caless-create-pki" so pkinit certificates can be
generated.

See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/pkinit.html for details.

add pkinit option to the ipa installer and test both master and replica
install with pkinit.

https://pagure.io/freeipa/issue/6854

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 12:38:54 +02:00
Jan Cholasta
96ca62f81d server certinstall: support PKINIT
Allow replacing the KDC certificate.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
9ea764ecf5 cacert manage: support PKINIT
Allow installing 3rd party CA certificates trusted to issue PKINIT KDC
and/or client certificates.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
b3855704f4 replica install: respect --pkinit-cert-file
When --pkinit-cert-file is used, make sure the certificate and key is
actually passed to `KrbInstance`.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
3b5dbf7cdb server install: fix KDC certificate validation in CA-less
Verify that the provided certificate has the extended key usage and subject
alternative name required for KDC.

https://pagure.io/freeipa/issue/6831
https://pagure.io/freeipa/issue/6869

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
cc572378a6 certs: do not export CA certs in install_pem_from_p12
This fixes `kdc.crt` containing the full chain rather than just the KDC
certificate in CA-less server install.

https://pagure.io/freeipa/issue/6831
https://pagure.io/freeipa/issue/6869

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
0c5b2c42bf certs: do not export keys world-readable in install_key_from_p12
Make sure the exported private key files are readable only by the owner.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
David Kupka
b9fd123d61 ipapython.ipautil.run: Add option to set umask before executing command
https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
f769045f0a server install: fix KDC PKINIT configuration
Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known
to IPA.

Make sure `cacert.pem` is exported in all installation code paths.

Use the KDC certificate itself as a PKINIT anchor in `login_password`.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
4d36cbf6ad install: introduce generic Kerberos Augeas lens
Introduce new IPAKrb5 lens to handle krb5.conf and kdc.conf changes using
Augeas. The stock Krb5 lens does not work on our krb5.conf and kdc.conf.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
11b8a34346 client install: fix client PKINIT configuration
Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.

Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.

Make sure both bundles are exported in all installation code paths.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
01a7416d30 install: trust IPA CA for PKINIT
Trust IPA CA to issue PKINIT KDC and client authentication certificates in
the IPA certificate store.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
52730c786f certdb: use custom object for trust flags
Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
f0442a2d0e certdb, certs: make trust flags argument mandatory
Make the trust flags argument mandatory in all functions in `certdb` and
`certs`.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
235265a5f5 certdb: add named trust flag constants
Add named constants for common trust flag combinations.

Use the named constants instead of trust flags strings in the code.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
René Genz
a0566ed9ce fix minor spelling mistakes
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 09:52:46 +02:00
René Genz
bdd88a3eab fix spelling mistake; minor rewording
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 09:52:46 +02:00
Stanislav Laznicka
3d969d7bad Provide useful messages during cert validation
When the certificate validation was replaced, some error messages
were omitted (like "Peer's certificate expired."). Bring these back.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-05-18 17:32:59 +02:00
Florence Blanc-Renaud
c26038d24c ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname
During ipa-kra-install, the installer prepares a configuration file
provided to pkispawn. This configuration file defines
pki_security_domain_hostname=(first master)

but when we are installing a clone, it should be set to the local hostname
instead, see man page pki_default.cfg:
      pki_security_domain_hostname, pki_security_domain_https_port
              Location  of  the security domain.  Required for KRA, OCSP, TKS,
              and TPS subsystems and for  CA  subsystems  joining  a  security
              domain.  Defaults to the location of the CA subsystem within the
              same instance.

When pki_security_domain_hostname points to the 1st master, and this first
master is decommissioned, ipa-kra-install fails on new replicas because pkispawn
tries to connect to this (non-existing) host.

https://pagure.io/freeipa/issue/6895

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-18 17:01:38 +02:00
David Kreitschmann
f1c6a5d8de Use os.fsync instead of os.fdatasync because macOS doesn't support fdatasync
Signed-off-by: David Kreitschmann <david@kreitschmann.de>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-05-17 14:07:13 +02:00
David Kreitschmann
b8b28c3d09 Fix libkrb5 filename for macOS
Signed-off-by: David Kreitschmann <david@kreitschmann.de>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-05-17 14:07:13 +02:00
Tomas Krizek
1b1bace750 ca, kra install: validate DM password
Before proceeding with installation, validate DM password. If the
provided DM password is invalid, abort the installation.

Fixes https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-17 12:50:42 +02:00
Tomas Krizek
7a4a368c53 installutils: add DM password validator
Add a validator that checks whether provided Directory Manager
is valid by attempting to connect to LDAP.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-17 12:50:42 +02:00
Tomas Krizek
80d61c2e01 ca install: merge duplicated code for DM password
Extract copy-pasted code to a single function.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-17 12:50:42 +02:00
Martin Babinsky
89a5bb2c6b Travis CI: Add the server uninstaller as a last step of tests
The explicit uninstall will help to catch regressions
such as recently reported https://pagure.io/freeipa/issue/6950

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-17 12:28:14 +02:00
Florence Blanc-Renaud
d9ed2573fd ipa-server-install: fix uninstall
ipa-server-install --uninstall fails to stop tracking the certificates
because it assigns a tuple to the variable nicknames, then tries to
call nicknames.append(). This is a regression introduced by 21f4cbf8.

Assignment should be done using nicknames = list(self.tracking_reqs) instead.

https://pagure.io/freeipa/issue/6950

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-05-16 11:44:08 +00:00
Martin Basti
bea7236b9c ipasetup: fix dependencies handling based on python version
On RHEL system ipasetup is failing:
```
ValueError: (":python_version>='3'", ['pyldap'])
```

Our RHEL re-implementation of setuptools logic should ignore python3
packages when python3 is not available.

https://pagure.io/freeipa/issue/6875

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-05-16 11:53:33 +02:00
David Kupka
e415da22f3 otptoken-add-yubikey: When --digits not provided use default value
Since Thin client was introduced default values for options are not populated
in client side plugins. When option has default value and is needed in client
plugin it must be handled by explicitly.

https://pagure.io/freeipa/issue/6900

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-16 11:39:43 +02:00
Martin Basti
374a58fa49 ipaclient: fix missing RPM ownership
FreeIPA package should own all subdirectories to work properly with
3rd party packages/plugins.

https://pagure.io/freeipa/issue/6927

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-05-16 11:21:48 +02:00
Felipe Volpone
d51af28bdb Fixing adding authenticator indicators to host
The check for krbprincipalaux in the entries is now made
case-insensitively.

https://pagure.io/freeipa/issue/6911

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-05-16 10:29:00 +02:00
Felipe Volpone
d973168e89 Fixing the cert-request comparing whole email address case-sensitively.
Now, the cert-request command compares the domain part of the
email case-insensitively.

https://pagure.io/freeipa/issue/5919

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-05-16 09:50:22 +02:00
Alex Zeleznikov
8ec8e24015 Sort SRV records by priority
In some cases where multiple SRV records are present, LDAP and Kerberos records were returned in different order, causing replication issues in a multi master enviorment.

Update ipadiscovery.py

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-16 09:43:56 +02:00
Jan Cholasta
b03ede8796 ipa-cacert-manage: add --external-ca-type
Add the `--external-ca-type`, as known from `ipa-server-install` and
`ipa-ca-install`, to `ipa-cacert-manage`.

This allows creating IPA CA CSRs suitable for use with Microsoft CS using
`ipa-cacert-manage`:

```
ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs
```

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-15 12:14:28 +02:00
Jan Cholasta
21f4cbf8da renew agent: get rid of virtual profiles
Replace all uses of virtual profiles with `dogtag-ipa-ca-renew-agent-reuse`
and remove profile from the IPA CA certificate tracking request.

This prevents virtual profiles from making their way into CSRs and in turn
being rejected by certain CAs. This affected the IPA CA CSR with Microsoft
CS in particular.

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-15 12:14:28 +02:00
Jan Cholasta
0bf41e804e renew agent: always export CSR on IPA CA certificate renewal
Make sure a CSR is exported for the IPA CA whenever certmonger detects that
the CA certificate is about to expire.

This is a pre-requisite for using the `dogtag-ipa-ca-renew-agent-reuse` CA
instead of the `ipaCSRExport` virtual profile to export the CSR.

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-15 12:14:28 +02:00
Jan Cholasta
25aeeaf46d renew agent: allow reusing existing certs
Add a switch which makes `dogtag-ipa-ca-renew-agent-submit` reuse the
existing certificate rather than request a new one from the CA while
maintaining LDAP replication of the certificate.

Make this available as a new `dogtag-ipa-ca-renew-agent-reuse` certmonger
CA.

This allows redoing the LDAP replication and reexecuting pre- and post-save
commands of a tracking request without reissuing the certificate.

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-15 12:14:28 +02:00
Jan Cholasta
09a49ad458 cainstance: use correct profile for lightweight CA certificates
Use Dogtag's `caCACert` CA certificate profile rather than the
`ipaCACertRenewal` virtual profile for lightweight CA certificates.

The `ipaCACertRenewal` virtual profile adds special handling of externally
signed CA certificates and LDAP replication of issued certificates on top
of `caCACert`, neither of which is relevant for lightweight CA
certificates.

Remove all of the special casing of lightweight CA certificates from
dogtag-ipa-ca-renew-agent-submit.

Make sure existing lightweight CA certmonger tracking requests are updated
on server upgrade.

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-15 12:14:28 +02:00
Jan Cholasta
5abd9bb996 server upgrade: always fix certmonger tracking request
Fix certmonger tracking requests on every run of ipa-server-upgrade rather
than only when the tracking configuration has changed and the requests have
not yet been updated.

This allows fixing broken tracking requests just by re-running
ipa-server-upgrade.

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-15 12:14:28 +02:00
Jan Cholasta
ce9eefe53b renew agent: respect CA renewal master setting
Do not bypass the renewal master check when a non-virtual profile is used
in dogtag-ipa-ca-renew-agent-submit.

This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master
setting for certificates tracked with a real profile. (Note that there
currently aren't any such certificates tracked by us.)

Request the RA certificate using dogtag-submit rather than
dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not
available so early in the install process.

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-15 12:14:28 +02:00
Florence Blanc-Renaud
f3e1efdcf5 ipa-kra-install manpage: document domain-level 1
ipa-kra-install man page was missing a specific section for domain level 1.
This commits also fixes a wrong option short name (for --log-file) and
indents the text corresponding to -p DM_PASSWORD

https://pagure.io/freeipa/issue/6922

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-05-11 17:03:00 +02:00
David Kupka
9d32e61ba5 Bump version of ipa.conf file
In commit 157831a287 the version bump was forgotten and therefore the
ipa.conf file is not replaced during upgrade and login using certificate when
single certificate is mapped to multiple users doesn't work.

https://pagure.io/freeipa/issue/6860

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-11 17:00:27 +02:00
Stanislav Laznicka
33b3d7ad7a
cert-show: writable files does not mean dirs
ipalib.util.check_writable_file didn't check whether the argument
is an actual file which is now fixed.

https://pagure.io/freeipa/issue/6883

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-05-10 13:16:01 +02:00
Martin Basti
6c061b6836
tests: add missing dependency iptables
KDC proxy tests are using iptables, but this is optional package in at
least Fedora cloud image, thus we must have it in dependencies

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-05-10 09:23:07 +02:00
Pavel Vomacka
e0b32dac54
Turn on NSSOCSP check in mod_nss conf
Turn on NSSOCSP directive during install/replica install/upgrade.
That check whether the certificate which is used for login is
revoked or not using OSCP.

Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.

https://pagure.io/freeipa/issue/6370

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-10 09:08:34 +02:00