* add 'plugin' directive
* specify plugins order in update files
* remove 'run plugins' options
* use ldapupdater API instance in plugins
* add update files representing former PreUpdate and PostUpdate order of plugins
https://fedorahosted.org/freeipa/ticket/4904
Reviewed-By: David Kupka <dkupka@redhat.com>
Preparation to moving plugins executin into update files.
* remove apply_now flag
* plugins will return only (restart, modifications)
https://fedorahosted.org/freeipa/ticket/4904
Reviewed-By: David Kupka <dkupka@redhat.com>
Since API is not singleton anymore, ldap2 connections should not be
shared by default.
https://fedorahosted.org/freeipa/ticket/4904
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
https://fedorahosted.org/freeipa/ticket/4190
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
As --test option is not used for developing, and it is not recommended
to test if upgrade will pass, this path removes it copmletely.
https://fedorahosted.org/freeipa/ticket/3448
Reviewed-By: David Kupka <dkupka@redhat.com>
Several plugins do the LDAP data modification directly.
In test mode these plugis should not be executed.
https://fedorahosted.org/freeipa/ticket/3448
Reviewed-By: David Kupka <dkupka@redhat.com>
Dictionary replaced with list. Particular upgrades are
executed in the same order as they are specified in update
a file.
Different updates for the smae cn, are not merged into one upgrade
https://fedorahosted.org/freeipa/ticket/4904
Reviewed-By: David Kupka <dkupka@redhat.com>
* Files are sorted alphabetically, no numbering required anymore
* One file updated per time
Ticket: https://fedorahosted.org/freeipa/ticket/3560
Reviewed-By: David Kupka <dkupka@redhat.com>
ipa-dns-install now uses LDAPI/autobind to connect to DS during the setup of
DNS/DNSSEC-related service and thus makes -p option obsolete.
Futhermore, now it makes more sense to use LDAPI also for API Backend
connections to DS and thus all forms of Kerberos auth were removed.
This fixes https://fedorahosted.org/freeipa/ticket/4933 and brings us closer
to fixing https://fedorahosted.org/freeipa/ticket/2957
Reviewed-By: Martin Basti <mbasti@redhat.com>
BindInstance et al. now use STARTTLS to set up secure connection to DS during
ipa-dns-install. This fixes https://fedorahosted.org/freeipa/ticket/4933
Reviewed-By: Martin Basti <mbasti@redhat.com>
When restoring ipa after uninstallation we need to extract and load
configuration of the restored environment.
https://fedorahosted.org/freeipa/ticket/4896
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* add uniqueness-subtree-entries-oc:posixAccount to ensure idviews users
will not be forced to have unique uid
* remove unneded update plugins -> update was moved to .update file
* add uniqueness-across-all-subtrees required by user lifecycle
management
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fixes:
dnskeysyncisntance - requires a stored state to be uninstalled
bindinstance - uninstal service only if bind was configured by IPA
Ticket:https://fedorahosted.org/freeipa/ticket/4869
Reviewed-By: David Kupka <dkupka@redhat.com>
Services hasn't been restored correctly, which causes disabling already
disabled services, or some service did not start. This patch fix these
issues.
Ticket: https://fedorahosted.org/freeipa/ticket/4869
Reviewed-By: David Kupka <dkupka@redhat.com>
The patch adds a function which calls 'remove-ds.pl' during DS instance
removal. This should allow for a more thorough removal of DS related data
during server uninstallation (such as closing custom ports, cleaning up
slapd-* entries etc.)
This patch is related to https://fedorahosted.org/freeipa/ticket/4487.
Reviewed-By: Martin Basti <mbasti@redhat.com>
The framework only shows traceback for the internal/unknown errors,
recognized PublicErrors are simply passed back to the FreeIPA
clients.
However, sometimes it would help to see a traceback of the
PublicError to for example see exactly which line returns it.
https://fedorahosted.org/freeipa/ticket/4847
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add new PassSync Service privilege that have sufficient access to
let AD PassSync service search for NT users and update the password.
To make sure existing PassSync user keeps working, it is added as
a member of the new privilege.
New update plugin is added to add link to the new privilege to the
potentially existing PassSync user to avoid breaking the PassSync
service.
https://fedorahosted.org/freeipa/ticket/4837
Reviewed-By: David Kupka <dkupka@redhat.com>
Fix restore mode checks. Do some of the existing checks earlier to make them
effective. Check if --instance and --backend exist both in the filesystem and
in the backup.
Log backup type and restore mode before performing restore.
Update ipa-restore man page.
https://fedorahosted.org/freeipa/ticket/4797
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When restoring backup on master other than it was created there is high risk
of unexpected and hard-to-debug behavior. Refuse such restore.
https://fedorahosted.org/freeipa/ticket/4823
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Patch fixes issue, when forwardzones has not been upgraded after adding
replica >=4.0 into topology with IPA 3.x servers.
Ticket: https://fedorahosted.org/freeipa/ticket/4818
Reviewed-By: Petr Spacek <pspacek@redhat.com>
This hasn't been used for a number of releases now, as ipa-kdb directly
fetches the key via LDAP.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
For CA certificates that are not certificates of IPA CA, we incorrectly
set the trust flags to ",,", regardless what the actual trust_flags
parameter was passed.
Make the load_cacert method respect trust_flags and make it a required
argument.
https://fedorahosted.org/freeipa/ticket/4779
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Trust validation requires AD DC to contact IPA server to verify that trust account
actually works. It can fail due to DNS or firewall issue or if AD DC was able to
resolve IPA master(s) via SRV records, it still may contact a replica that has
no trust data replicated yet.
In case AD DC still returns 'access denied', wait 5 seconds and try validation again.
Repeat validation until we hit a limit of 10 attempts, at which point raise
exception telling what's happening.
https://fedorahosted.org/freeipa/ticket/4764
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Interactive prompt callback returns list of str instead of CheckedIPAddress
instances.
Ticket: https://fedorahosted.org/freeipa/ticket/4747
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
so that httpd ccache won't contain old credentials which would make ipa CLI fail with error:
Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)
https://fedorahosted.org/freeipa/ticket/4726
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This is possible because python-qrcode's output now fits in a standard
terminal. Also, update ipa-otp-import and otptoken-add-yubikey to
disable QR code output as it doesn't make sense in these contexts.
https://fedorahosted.org/freeipa/ticket/4703
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Just adding dir to specfile doesnt work, because is not guarantee the
named is installed, during RPM installation.
Ticket: https://fedorahosted.org/freeipa/ticket/4716
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Mixing 'Old' and 'New' attr style for referential integrity plugin causes errors.
Now old setting are migrated to new style setting before upgrade
Ticket: https://fedorahosted.org/freeipa/ticket/4622
Reviewed-By: David Kupka <dkupka@redhat.com>
Installer adds zonemgr as relative (and invalid) address.
This fix force installer to use absolute email.
Ticket: https://fedorahosted.org/freeipa/ticket/4707
Reviewed-By: David Kupka <dkupka@redhat.com>
Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit.
Create /etc/ipa/nssdb after restore if necessary.
https://fedorahosted.org/freeipa/ticket/4711
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This should not normally happen, but if it does, report an error instead of
waiting idefinitely for the certificate to appear.
https://fedorahosted.org/freeipa/ticket/4629
Reviewed-By: David Kupka <dkupka@redhat.com>
The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.
The KRA installer has been modified to use Dogtag's CLI to create
KRA agent and setup the client authentication.
The proxy settings have been updated to include KRA's URLs.
Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.
The Dogtag dependency has been updated to 10.2.1-0.1.
https://fedorahosted.org/freeipa/ticket/4503
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
We only will be changing the setting on the install.
For modifying existing configurations please follow instructions
at https://access.redhat.com/solutions/1232413
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Permissions with member attrs pointing to privileges are created before the privileges.
Run memberof plugin task to fix other ends of the relationships.
https://fedorahosted.org/freeipa/ticket/4637
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Modifying CS.cfg when dogtag is running may (and does) result in corrupting
this file.
https://fedorahosted.org/freeipa/ticket/4569
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Added a new option --external-ca-type which specifies the type of the
external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs"
is selected, the CSR generated for the IPA CA will include MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".
https://fedorahosted.org/freeipa/ticket/4496
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add files from /etc/ipa/nssdb (IPA_NSSDB_DIR), which now used
instead of /etc/pki/nssdb (NSS_DB_DIR).
The old location is still supported.
https://fedorahosted.org/freeipa/ticket/4597
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Fixed missing comma. Also removes leading spaces from the ldif,
since this is not stripped by the updater.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
For upgraded servers with enabled AD trust support, we want to
ensure that Default Trust View entry is created.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a Default Trust View, which is used by SSSD as default mapping for AD users.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Since SID is often used as a unique identifier for AD objects, we need to convert
a SID to actual object name in the AD.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Every CA certificate must have non-empty subject and basic constraints
extension with the CA flag set.
https://fedorahosted.org/freeipa/ticket/4477
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Added new --*-cert-name options to ipa-server-install and ipa-replica-prepare
and --cert-name option to ipa-server-certinstall. The options allows choosing
a particular certificate and private key from PKCS#12 files by its friendly
name.
https://fedorahosted.org/freeipa/ticket/4489
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The --*_pkcs12 options of ipa-server-install and ipa-replica-prepare have
been replaced by --*-cert-file options which accept multiple files.
ipa-server-certinstall now accepts multiple files as well. The files are
accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and
raw private key and PKCS#12 formats.
The --root-ca-file option of ipa-server-install has been replaced by
--ca-cert-file option which accepts multiple files. The files are
accepted in PEM and DER certificate and PKCS#7 certificate chain formats.
The --*_pin options of ipa-server-install and ipa-replica-prepare have been
renamed to --*-pin.
https://fedorahosted.org/freeipa/ticket/4489
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The --external_cert_file and --external_ca_file options of ipa-server-install
and ipa-ca-install have been replaced by --external-cert-file option which
accepts multiple files. The files are accepted in PEM and DER certificate and
PKCS#7 certificate chain formats.
https://fedorahosted.org/freeipa/ticket/4480
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This is especially useful for external CA install, as the algorithm is also
used for the CSR signature.
https://fedorahosted.org/freeipa/ticket/4447
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Find, verify and configure all IP addresses that can be used to reach the server
FreeIPA is being installed on. Ignore some IP address only if user specifies
subset of detected addresses using --ip-address option.
This change simplyfies FreeIPA installation on multihomed and dual-stacked servers.
https://fedorahosted.org/freeipa/ticket/3575
Reviewed-By: Martin Basti <mbasti@redhat.com>
Required to prevent code duplications
ipaldap.IPAdmin now has method do_bind, which tries several bind methods
ipaldap.IPAClient now has method object_exists(dn)
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Create a platform task for setting SELinux booleans.
Use an exception for the case when the booleans could not be set
(since this is an error if not handled).
Since ipaplatform should not depend on ipalib, create a new
errors module in ipapython for SetseboolError.
Handle uninstallation with the same task, which means
the booleans are now restored with a single call to
setsebool.
Preparation for: https://fedorahosted.org/freeipa/ticket/4157
Fixes: https://fedorahosted.org/freeipa/ticket/2934
Fixes: https://fedorahosted.org/freeipa/ticket/2519
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
All ipa-dns capable server is added to root zones as nameserver
During uninstall all NS records pointing to particular replica are
removed.
Part of ticket: https://fedorahosted.org/freeipa/ticket/4149
Reviewed-By: Petr Spacek <pspacek@redhat.com>
It takes some time after the DNS record is added until it propagates
to Bind. In automated installations, it might happen that
replica-install is attempted before the hostname is resolvable;
in that case the connection check would fail.
Wait for the name to be resolvable at the end of replica-prepare.
Mention that this can be interrupted (Ctrl+C).
Provide an option to skip the wait.
In case DNS is not managed by IPA, this reminds the admin of the necessary
configuration and checks their work, but it's possible to skip (either by
interrupting it interactively, or by the option).
https://fedorahosted.org/freeipa/ticket/4551
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Allow running some installation after failure,
and use this for the upgradeinstance cleanup steps.
https://fedorahosted.org/freeipa/ticket/4499
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Required bugfix in python-ldap 2.4.15
Updates must respect SUP objectclasses/attributes and update
dependencies first
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The /etc/passwd and /etc/group files are not saved and restored.
The DS user is always created on restore, and the PKI user is created
if a CA is being restored.
https://fedorahosted.org/freeipa/ticket/3866
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Make a proper list from the comma-separated string found in
the config.
The only current use of backup_services is in run:
if 'CA' in self.backup_services:
Without this change, this picked up the 'CA' from 'MEMCACHE'.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Sytem users and their groups are always created together.
Also, users & groups should never be removed once they exist
on the system (see comit a5a55ce).
Use a single function for generic user creation, and specific
funtions in dsinstance and cainstance.
Remove code left over from when we used to delete the DS user.
Preparation for: https://fedorahosted.org/freeipa/ticket/3866
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The underlying Dogtag issue (Dogtag ticket 1113) has been fixed.
We can therefore re-enable the uninstall option for ipa-kra-install.
Also, fixes an incorrect path in the ipa-pki-proxy.conf, and adds
a debug statement to provide status to the user when an uninstall
is done. Also, re-added the no_host_dns option which is used when
unpacking a replica file.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
use configuration parameters to enable ciphers provided by NSS
and not considered weak.
This requires 389-ds version 1.3.3.2 or later
https://fedorahosted.org/freeipa/ticket/4395
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
We don't want to copy the extension from master to replica because the
replica may use newer version of FreeIPA and therefore the extension
code might be obsolete. Same reason for upgrades.
https://fedorahosted.org/freeipa/ticket/4478
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Remove internaldb password from password.conf after switching over to
client certificate authentication. The password is no longer needed.
https://fedorahosted.org/freeipa/ticket/4005
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The CA cert specified by --root-ca-file option must always be the CA cert of
the CA which issued the server certificates in the PKCS#12 files. As the cert
is not actually user selectable, use CA cert from the PKCS#12 files by default
if it is present.
Document --root-ca-file in ipa-server-install man page.
https://fedorahosted.org/freeipa/ticket/4457
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be more stable and supported way of using cermonger than
tampering with its files.
>=certmonger-0.75.13 is needed for this to work.
https://fedorahosted.org/freeipa/ticket/4280
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This is to avoid chicken-egg problem when directory server fails to start
without resolvable hostname and named fails to provide hostname without
directory server.
https://fedorahosted.org/freeipa/ticket/4220
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Certain operations against AD domain controller can only be done if its
FSMO role is primary domain controller. We need to use writable DC and
PDC when creating trust and updating name suffix routing information.
https://fedorahosted.org/freeipa/ticket/4479
Reviewed-By: Sumit Bose <sbose@redhat.com>
This patch adds the capability of installing a Dogtag KRA
to an IPA instance. With this patch, a KRA is NOT configured
by default when ipa-server-install is run. Rather, the command
ipa-kra-install must be executed on an instance on which a Dogtag
CA has already been configured.
The KRA shares the same tomcat instance and DS instance as the
Dogtag CA. Moreover, the same admin user/agent (and agent cert) can
be used for both subsystems. Certmonger is also confgured to
monitor the new subsystem certificates.
To create a clone KRA, simply execute ipa-kra-install <replica_file>
on a replica on which a Dogtag CA has already been replicated.
ipa-kra-install will use the security domain to detect whether the
system being installed is a replica, and will error out if a needed
replica file is not provided.
The install scripts have been refactored somewhat to minimize
duplication of code. A new base class dogtagintance.py has
been introduced containing code that is common to KRA and CA
installs. This will become very useful when we add more PKI
subsystems.
The KRA will install its database as a subtree of o=ipaca,
specifically o=ipakra,o=ipaca. This means that replication
agreements created to replicate CA data will also replicate KRA
data. No new replication agreements are required.
Added dogtag plugin for KRA. This is an initial commit providing
the basic vault functionality needed for vault. This plugin will
likely be modified as we create the code to call some of these
functions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3872
The uninstallation option in ipa-kra-install is temporarily disabled.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
When a CIFS service exists and adtrust agents group does not
have it as a member attribute (for whatever reason), re-running
ipa-adtrust-install does not fix the inconsistency.
Make the installer more robust by being able to fix the inconsistency.
https://fedorahosted.org/freeipa/ticket/4464
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fortunately this cause no error, because dnszone-find doesnt raise
exception if there is no DNS container
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Record that pkicreate/pkispawn has been executed to allow cleanup even if the
installation did not finish correctly.
https://fedorahosted.org/freeipa/ticket/2796
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The preexisting code would execute two steps. First, it would perform a kinit.
If the kinit failed, it would attempt to bind using the same credentials to
determine if the password were expired. While this method is fairly ugly, it
mostly worked in the past.
However, with OTP this breaks. This is because the OTP code is consumed by
the kinit step. But because the password is expired, the kinit step fails.
When the bind is executed, the OTP token is already consumed, so bind fails.
This causes all password expirations to be reported as invalid credentials.
After discussion with MIT, the best way to handle this case with the standard
tools is to set LC_ALL=C and check the output from the command. This
eliminates the bind step altogether. The end result is that OTP works and
all password failures are more performant.
https://fedorahosted.org/freeipa/ticket/4412
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Calling an ipa *-find command with --sizelimit=1 on an entry with more
members would result in a LimitsExceeded error as the search for members
was limited to 1 entry.
For the memberof searches, only apply the global limit if it's larger than
the requested one, so decreasing limits on the individual query only
affects the query itself.
https://fedorahosted.org/freeipa/ticket/4398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When nsslapd-minssf is greater than 0, running as root
ipa-ldap-updater [-l]
will fail even if we force use of autobind for root over LDAPI.
The reason for this is that schema updater doesn't get ldapi flag passed and
attempts to connect to LDAP port instead and for hardened configurations
using simple bind over LDAP is not enough.
Additionally, report properly previously unhandled LDAP exceptions.
https://fedorahosted.org/freeipa/ticket/3468
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Non string values should not start and end with '"' in options section
in named.conf
Required by ticket: https://fedorahosted.org/freeipa/ticket/4408
Reviewed-By: Petr Spacek <pspacek@redhat.com>
On systems installed before #3394 was fixed and nsDS5ReplicaId became
single-valued, there are two replica ID values stored in cn=replication:
the default (3) and the actual value we want.
Instead of failing when multiple values are found, use the largest one.
https://fedorahosted.org/freeipa/ticket/4375
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Class PreSchemaUpdate is executed before ldap schema update
This is required by ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This HTTP call takes the following parameters:
* user
* password
* first_code
* second_code
* token (optional)
Using this information, the server will perform token synchronization.
If the token is not specified, all tokens will be searched for synchronization.
Otherwise, only the token specified will be searched.
https://fedorahosted.org/freeipa/ticket/4218
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
login_password did not work properly in timezones other than +0h because
local time was compared with utc time.
Bug introduced in:
https://fedorahosted.org/freeipa/ticket/4339
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
This patch adds support for importing tokens using RFC 6030 key container
files. This includes decryption support. For sysadmin sanity, any tokens
which fail to add will be written to the output file for examination. The
main use case here is where a small subset of a large set of tokens fails
to validate or add. Using the output file, the sysadmin can attempt to
recover these specific tokens.
This code is implemented as a server-side script. However, it doesn't
actually need to run on the server. This was done because importing is an
odd fit for the IPA command framework:
1. We need to write an output file.
2. The operation may be long-running (thousands of tokens).
3. Only admins need to perform this task and it only happens infrequently.
https://fedorahosted.org/freeipa/ticket/4261
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For groups, we will need to filter on either posixgroup (which UPGs
have but non-posix groups don't) and groupofnames/nestedgroup
(which normal groups have but UPGs don't).
Join permission_filter_objectclasses with `|` and add them as
a single ipapermtargetfilter value.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This plugin created permissions that the managed permission
updater would remove right away.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The "Read DNS Entries" permission, which was marked SYSTEM (no associated
ACI), can now be converted to a regular managed permission.
Add a mechanism for the updater to replace old SYSTEM permissions.
This cannot be done in an update file because we do not want to replace
V2 permissions with the same name.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This reduces typing (or copy/pasting), and draws a bit of attention
to any non-default privileges (currently 'any' or 'anonymous').
Leaving the bindtype out by mistake isn't dangerous: by default
a permission is not granted to anyone, since it is not included in
any priviliges.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This handles the case where IPA's default ACIs changed in something else
than just attribute lists.
In this case we can narrow the set of ACIs we think the user might be
upgrading from.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Modified functions to use DNSName type
* Removed unused functions
Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The UPG Definition is always present in IPA; if it can not be read
it's usually caused by insufficient privileges.
Previously the code assumed the absence of the entry meant that
UPG is disabled. With granular read permissions, this would mean
that users that can add users but can't read UPG Definition would
add users without UPG, and the reason for that would not be very clear.
It is better to fail early if the definition can't be read.
Raise an error if the UPG Definition is not available. This makes
read access to it a prerequisite for adding users.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Since systemd has by default a 2 minute timeout to start
a service, the end of ipa-server-install might fail
because starting named times out. This patch ensures that
generate-rndc-key.sh runs before named service restart.
Also, warning message is displayed before KDC install and
generate-rndc-key.sh, if there is a lack of entropy, to
notify the user that the process could take more time
than expected.
Modifications done by Martin Kosek:
- removed whitespace at the end of installutils.py
- the warning in krbinstance.py moved right before the step
requiring entropy
- slightly reworded the warning message
https://fedorahosted.org/freeipa/ticket/4210
Reviewed-By: Martin Kosek <mkosek@redhat.com>
krbpasswordexpiration conversion to time failed because now we get
datetime object instead of string.
https://fedorahosted.org/freeipa/ticket/4339
Reviewed-By: Tomas Babej <tbabej@redhat.com>
dap2.find_entries modified the passed in attrs_list to remove
the virtual attributes memberindirect and memberofindirect
before passing the list to LDAP. This means that a call like
ldap2.get_entry(dn, attrs_list=some_framework_object.default_attributes)
would permanently remove the virtual attributes from
some_framework_object's definition.
Create a copy of the list instead.
https://fedorahosted.org/freeipa/ticket/4349
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Also remove
- the deny ACIs that implemented exceptions to it:
- no anonymous access to roles
- no anonymous access to member information
- no anonymous access to hbac
- no anonymous access to sudo (2×)
- its updater plugin
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When upgrading from an "old" IPA, or installing the first "new" replica,
we need to keep allowing anonymous access to many user attributes.
Add an optional 'fixup_function' to the managed permission templates,
and use it to set the bind rule type to 'anonymous' when installing
(or upgrading to) the first "new" master.
This assumes that the anonymous read ACI will be removed in a "new" IPA.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
It turns out the ACI object of the anonymous read ACI, rather than just the
list of its attributes, will be useful in the future.
Change the plugin so that the ACI object is passed around.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.
https://fedorahosted.org/freeipa/ticket/3829
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Fixes trust add, since now datetime object is returned
for 'modifytimestamp', which cannot be split like a string.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add support for managed permissions that are not tied to an object
class and thus can't be defined in an Object plugin.
A dict is added to hold templates for the non-plugin permissions.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
One of the default_attributes of permission is memberofindirect,
a virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an entry with memberofindirect,
ipaldap tries to add the attribute to LDAP and fails with an objectclass
violation.
Do not ask for memberindirect when retrieving the entry.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This also fixes updates from ancient versions of IPA which did not have
automatic CA subsystem certificate renewal.
https://fedorahosted.org/freeipa/ticket/4294
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Allow overriding ipapermtarget, ipapermtargetfilter, ipapermlocation,
objectclass of default managed permissions.
This allows defining permissions that are not tied to an object type.
Default values are same as before.
Also, do not reset ipapermbindruletype when updating an existing
managed permission.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
On CA masters, a certificate is requested and stored to LDAP. On CA clones,
the certificate is retrieved from LDAP.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Before, dogtag-ipa-renew-agent was used to track the certificates and the
certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since
dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code
was removed from renew_ca_cert and renew_ra_cert.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
