Commit Graph

399 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
eda831dba1 Installer: configure authselect with-sudo
authselect needs to be configured with the 'with-sudo' feature (except
when ipa-client-install is called with the option --no-sudo).

https://pagure.io/freeipa/issue/7562

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-19 08:51:02 +02:00
Christian Heimes
f1d5ab3a03 Increase WSGI process count to 5 on 64bit
Increase the WSGI daemon worker process count from 2 processes to 5
processes. This allows IPA RPC to handle more parallel requests. The
additional processes increase memory consumption by approximante 250 MB
in total.

Since memory is scarce on 32bit platforms, only 64bit platforms are
bumped to 5 workers.

Fixes: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-15 13:02:53 +02:00
Christian Heimes
907e164958 Fedora 29 renamed fedora-domainname.service
In Fedora 29, the fedora-domainname.service has been renamed to
nis-domainname.service like on RHEL. The ipaplatform service module for
Fedora now only renames the service, when it detects the presence of
fedora-domainname.service.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1588192
Fixes: https://pagure.io/freeipa/issue/7582
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-15 08:30:55 +02:00
Christian Heimes
992a5f4823 Move client templates to separate directory
PR https://github.com/freeipa/freeipa/pull/1747 added the first template
for FreeIPA client package. The template file was added to server
templates, which broke client-only builds.

The template is now part of a new subdirectory for client package shared
data.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-05 16:34:27 -04:00
Stanislav Laznicka
f47d86c719 Move config directives handling code
Move config directives handling code:
        ipaserver.install.installutils -> ipapython.directivesetter

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Timo Aaltonen
8c0d7bb92f Fix HTTPD SSL configuration for Debian.
The site and module configs are split on Debian, server setup needs
to match that.

Fixes: https://pagure.io/freeipa/issue/7554
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Timo Aaltonen
ffdb20aeb3 ldapupdate: Add support for Debian multiarch
And since Fedora 28 dropped support for non-64bit, hardcode default LIBARCH as 64.

Fixes: https://pagure.io/freeipa/issue/7555
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Timo Aaltonen
c5ee8ae529 named.conf: Disable duplicate zone on debian, and modify data dir
zone already imported via default zones.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Timo Aaltonen
86ef31d760 Add mkhomedir support for Debian
Fixes: https://pagure.io/freeipa/issue/7556
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Timo Aaltonen
a3a3d6da5b paths: Fix some path definitions for Debian.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Timo Aaltonen
7a27651a0a constants: Fix HTTPD_GROUP for Debian
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-29 17:03:56 +02:00
Christian Heimes
8e165480ac Use GnuPG 2 for backup/restore
ipa-backup and ipa-restore now use GnuPG 2 for asymmetric encryption, too.
The gpg2 command behaves a bit different and requires a gpg2 compatible
config directory. Therefore the --keyring option has been deprecated.

The backup and restore tools now use root's GPG keyring by default.
Custom configuration and keyring can be used by setting GNUPGHOME
environment variables.

Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-27 16:05:50 +02:00
Christian Heimes
dbc3788405 Use GnuPG 2 for symmentric encryption
The /usr/bin/gpg command is old, legacy GnuPG 1.4 version. The
recommended version is GnuPG 2 provided by /usr/bin/gpg2. For simple
symmentric encryption, gpg2 is a drop-in replacement for gpg.

Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-05-27 16:05:50 +02:00
Florence Blanc-Renaud
aa64ef03a0 authselect migration: use stable interface to query current config
The code currently parses the output of "authselect current" in order
to extract the current profile and options. Example:
$ authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir

It is easier to use the output of "authselect current --raw". Example:
$ authselect current --raw
sssd with-mkhomedir

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-05-03 16:39:58 +02:00
Robbie Harwood
792adebfab Enable SPAKE support using krb5.conf.d snippet
Because krb5 silently ignores unrecognized options, this is safe on
all versions.  It lands upstream in krb5-1.17; in Fedora, it was added
in krb5-1.6-17.

Upstream documentation can be found in-tree at
https://github.com/krb5/krb5/blob/master/doc/admin/spake.rst

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-28 16:35:16 +02:00
Rob Crittenden
6856a9f46c Log service start/stop/restart message
It wasn't apparent in the logs if a service stop or restart
was complete so in the case of a hang it wasn't obvious which
service was responsible. Including start here for completeness.

https://pagure.io/freeipa/issue/7436

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-28 09:07:28 +02:00
Florence Blanc-Renaud
e442464509 Revert commit d705320ec1
Commit d705320 was temporarily disabling authconfig backup and restore
because of issue 7478.
With the migration to authselect this is not needed any more

Related to
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-27 14:01:33 +02:00
Florence Blanc-Renaud
1df1786b06 Migration from authconfig to authselect
The authconfig tool is deprecated and replaced by authselect. Migrate
FreeIPA in order to use the new tool as described in the design page
https://www.freeipa.org/page/V4/Authselect_migration

Fixes:
https://pagure.io/freeipa/issue/7377

Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-04-27 14:01:33 +02:00
Stanislav Laznicka
b5bdd07bc5
Add absolute_import future imports
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-04-20 09:43:37 +02:00
Tibor Dudlák
5d9c749e83 Adding method to ipa-server-upgrade to cleanup ntpd
Removing ntpd configuration files and entry from LDAP.

Add parameter and rename method for restoring forced time
services. Addressing some requests for change too.

Remove unused path for chrony-helper.

Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Tibor Dudlák
ca9c4d70a0 Replace ntpd with chronyd in installation
Completely remove ipaserver/install/ntpinstance.py

This is no longer needed as chrony client configuration
is now handled in ipa-client-install.

Part of ipclient/install/client.py related to ntp configuration
has been refactored a bit to not lookup for srv records
and/or run chrony if not necessary.

Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Tibor Dudlák
0090a90ba2 Add dependency and paths for chrony
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 11:00:02 -04:00
Christian Heimes
b82a2295b8 Load librpm on demand for IPAVersion
ctypes.util.find_library() is costly and slows down startup of ipa CLI.
ipaplatform.redhat.tasks now defers loading of librpm until its needed.
CFFI has been replaced with ctypes, too.

See: https://pagure.io/freeipa/issue/6851
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-09 09:01:29 +02:00
Christian Heimes
d705320ec1 Temporarily disable authconfig backup and restore
The authconfig command from authselect-compat-0.3.2-1 does not support
backup and restore at all. Temporarily disable backup and restore of
auth config to fix broken ipa-backup.

Fixes: https://pagure.io/freeipa/issue/7478
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-04-03 08:07:46 +02:00
amitkuma
b0d8c6c211 clear sssd cache when uninstalling client
The SSSD cache is not cleared when uninstalling an IPA client. For tidiness we should wipe the cache. This can be done with sssctl.
Note that this tool is in sssd-tools which is not currently a dependency.

Resolves: https://pagure.io/freeipa/issue/7376
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-26 15:16:54 +02:00
amitkuma
ccec8c6c41 clear sssd cache when uninstalling client
The SSSD cache is not cleared when uninstalling an IPA client. For tidiness we should wipe the cache. This can be done with sssctl.
Note that this tool is in sssd-tools which is not currently a dependency.

Resolves: https://pagure.io/freeipa/issue/7376
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-26 15:16:54 +02:00
Stanislav Laznicka
47cf159f11 Fix upgrading of FreeIPA HTTPD
With the recent encryption of the HTTPD keys, it's also necessary
to count with this scenario during upgrade and create the password
for the HTTPD private key along the cert/key pair.

This commit also moves the HTTPD_PASSWD_FILE_FMT from ipalib.constants
to ipaplatform.paths as it proved to be too hard to be used that way.

https://pagure.io/freeipa/issue/7421

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-26 09:42:07 +02:00
Stanislav Laznicka
7cbd9bd429 Encrypt httpd key stored on disk
This commit adds configuration for HTTPD to encrypt/decrypt its
key which we currently store in clear on the disc.

A password-reading script is added for mod_ssl. This script is
extensible for the future use of directory server with the
expectation that key encryption/decription will be handled
similarly by its configuration.

https://pagure.io/freeipa/issue/7421

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-23 12:48:46 +01:00
Christian Heimes
66a32d8931 NSS: Force restore of SELinux context
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
492e3c9b1e NSSDB: Let certutil decide its default db type
CertDB no longer makes any assumptions about the default db type of a NSS
DB. Instead it let's certutil decide when dbtype is set to 'auto'. This
makes it much easier to support F27 and F28 from a single code base.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Stanislav Laznicka
b21941360c
Move HTTPD cert/key pair to /var/lib/ipa/certs
This moves the HTTPD certificates from their default location
to IPA-specific one. This should be especially helpful from
the container perspective.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
805aea2443
Use mod_ssl instead of mod_nss for Apache TLS for new installs
Change some built-in assumptions that Apache has an NSS certificate
database.

Configure mod_ssl instead of mod_nss. This is mostly just changing
the directives used with some slight syntactical differences.

Drop mod_nss-specific methods and functions.

There is some mention of upgrades here but this is mostly a
side-effect of removing things necessary for the initial install.

TODO:
 - backup and restore
 - use user-provided PKCS#12 file for the certificate and key

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Christian Heimes
90a75f0d43 Use system-wide crypto-policies on Fedora
HTTPS connections from IPA framework and bind named instance now use
system-wide crypto-policies on Fedora.

For HTTPS the 'DEFAULT' crypto policy also includes unnecessary ciphers
for PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA,
they are explicitly excluded.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1179925
See: https://bugzilla.redhat.com/show_bug.cgi?id=1179220
Fixes: https://pagure.io/freeipa/issue/4853
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-20 17:01:52 +01:00
Stanislav Laznicka
f31797c70a Have all the scripts run in python 3 by default
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-15 18:43:12 +01:00
Timo Aaltonen
e6c707b168 ipaplatform, ipa.conf: Use paths variables in ipa.conf.template
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-09 09:14:22 +01:00
Christian Heimes
1785a3e17b Replace wsgi package conflict with config file
Instead of a package conflict, freeIPA now uses an Apache config file to
enforce the correct wsgi module. The workaround only applies to Fedora
since it is the only platform that permits parallel installation of
Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
Debian doesn't permit installation of both variants.

See: https://pagure.io/freeipa/issue/7161
Fixes: https://pagure.io/freeipa/issue/7394
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-09 08:28:11 +01:00
Christian Heimes
2391c75e3d Replace hard-coded paths with path constants
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.

The fix simplifies Darix's port of freeIPA on openSuSE.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-08 09:32:12 +01:00
Michal Reznik
0cef510763 paths: add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants
Add IPA_CACERT_MANAGE and IPA_CERTUPDATE constants which will be
used in test_external_ca test suite.

https://pagure.io/freeipa/issue/7302

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-01-09 10:17:01 +01:00
Christian Heimes
929c77c784 Travis: Add workaround for missing IPv6 support
Latest Travis CI image lacks IPv6 address on localhost. Add some
diagnostics and skip IPv6 tests in ipa-server-install when TRAVIS is
detected.

The hack will be removed as soon as it is no longer required to pass
automated testing.

https://pagure.io/freeipa/issue/7323

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-12-14 14:04:19 +01:00
Rob Crittenden
d7aa7945e8 Run server upgrade in ipactl start/restart
During a distro upgrade, e.g. F-26 to F-27, networking may not
be available which will cause the upgrade to fail. Despite this
the IPA service can be subsequently restarted running new code
with old data.

This patch relies on the existing version-check cdoe to determine
when/if an upgrade is required and will do so during an ipactl
start or restart.

The upgrade is now run implicitly in the spec file and will
cause the server to be stopped after the package is installed
if the upgrade fails.

Fixes: https://pagure.io/freeipa/issue/6968

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-12 12:08:35 +01:00
Christian Heimes
0071744929 Support sqlite NSSDB
Prepare CertDB and NSSDatabase to support sqlite DB format. NSSDatabase
will automatically detect and use either old DBM or new SQL format. Old
databases are not migrated yet.

https://pagure.io/freeipa/issue/7049

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-16 12:17:01 +01:00
Christian Heimes
6a09704088 ipa-custodia: use Dogtag's alias/pwdfile.txt
/etc/pki/pki-tomcat/password.conf contains additional passwords like
replicadb. ipa-custodia does not need these passwords.
/etc/pki/pki-tomcat/alias/pwdfile.txt holds the passphrase for Tomcat's
NSSDB. The file also simplifies implementation because it removes
another temporary file.

pwdfile.txt is created by CAInstance.create_certstore_passwdfile()

Related: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-11-16 08:48:15 +01:00
Christian Heimes
a48f6511f6 Use namespace-aware meta importer for ipaplatform
Instead of symlinks and build-time configuration the ipaplatform module
is now able to auto-detect platforms on import time. The meta importer
uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE'
on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora".

The meta importer is able to handle namespace packages and the
ipaplatform package has been turned into a namespace package in order to
support external platform specifications.

https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-15 14:17:24 +01:00
Christian Heimes
8bbeedc93f
Backup ipa-custodia conf and keys
https://pagure.io/freeipa/issue/7247

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-13 18:10:54 +01:00
Fraser Tweedale
3e33857827
Remove caJarSigningCert profile and related code
The caJarSigningCert profile was used for issuing the object signing
certificate for signing the Firefox auto-configuration extension
(XPI).  We removed the extension and object signing certificate some
time ago, so remove the profile and the related code that sets it
up.

Fixes: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-01 12:39:19 +01:00
Christian Heimes
b29db07c3b Use os.path.isfile() and isdir()
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.

The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-20 12:27:19 +02:00
Stanislav Laznicka
9b8b7afeb4
p11-kit: add serial number in DER format
This causes Firefox to report our CA certificate as not-trustworthy.
We were previously doing this correctly, however it slipped as an
error due to certificate refactoring.

https://pagure.io/freeipa/issue/7210

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-10-17 16:43:15 +02:00
Rob Crittenden
acd72cc8f5 Use 389-ds provided method for file limits tuning
Previously IPA would set the LimitNOFILE value to 8192 to increase
the number of concurrent clients. 389-ds-base does this by default
as of 1.3.7.0.

Remove the IPA-specific tuning and rely on the out-of-the-box
389-ds-base tuning.

Bump the required version of 389-ds-base to 1.3.7.0.

Any other tuning added by 389-ds-base will result in a
dirsrv.systemd.rpmsave file which admins will need to merge
in manually, like typical .rpmsave config changes.

https://pagure.io/freeipa/issue/6994

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-17 14:59:06 +02:00
Petr Vobornik
b0184d10ab
browser config: cleanup after removal of Firefox extension
Firefox extension which served for configuring Kerberos auth in Firefox
until version which banned self-signed extensions was removed in commit
6c53765ac1.

Given that configure.jar, even older Firefox config tool, was removed
sometime before that, there is no use for signtool tool. It is good
because it is removed from Fedora 27 anyway. So removing last unused
function which calls it.

The removal of FF extension was not exactly clean so removing also
browserconfig.html which only purpose was to use the extension. Therefore
also related JS files are removed. This removal requires unauthorized.html
to be updated so that it doesn't point to non-existing page. And given that
it now points only to single config page, we can change link in UI login page
to this page (ssbrowser.html). While at it, improving buttons in ssbrowser.html.

Btw, commit 6c53765ac1 removed also generation of
krb.js. It had one perk - with that info ssbrowser.html could display real
Kerberos domain instead of only 'example.com'.  I don't have time to revert this
change so removing traces of krb.js as well.

https://pagure.io/freeipa/issue/7135

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-21 10:27:14 +02:00
Felipe Barreto
bf0b74bec4
Checks if Dir Server is installed and running before IPA installation
In cases when IPA is installed in two steps (external CA), it's
necessary to check (in the second step) if Dir. Server is
running before continue with the installation. If it's not,
start Directory Server.

https://pagure.io/freeipa/issue/6611

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-21 10:24:06 +02:00
Alexander Bokovoy
dc47a4b85f
Make sure upgrade also checks for IPv6 stack
- Add check for IPv6 stack to upgrade process
 - Change IPv6 checker to also check that localhost resolves to ::1

Part of fixes https://pagure.io/freeipa/issue/7083

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-09-19 17:33:24 +02:00
Stanislav Laznicka
e537686bcc Don't write p11-kit EKU extension object if no EKU
b5732efd introduced a regression because it tries to write EKU
that's actually in the CA cert instead of using the LDAP information.
However, when no EKU is available,
IPACertificate.extended_key_usage_bytes still returned at least
EKU_PLACEHOLDER OID to keep the behavior the same as in previous
versions. This caused the EKU_PLACEHOLDER to be written in the
ipa.p11-kit file which made Firefox report FreeIPA Web UI as
improperly configured.

https://pagure.io/freeipa/issue/7119

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-09-19 09:42:07 +02:00
Felipe Volpone
0b7d9c5a7b
Removing part of circular dependency of ipalib in ipaplaform
After commit cac3475, ipa-backup is broken due to circular
dependencies. This fixes it, removing circular dependency
of ipalib. The ipalib.constants.IPAAPI_USER is now passed
as parameter to the function that use it.

https://pagure.io/freeipa/issue/7108

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-08-30 15:51:39 +02:00
Martin Babinsky
a2de6a17c5 Move tmpfiles.d configuration handling back to spec file
Since ipaapi user is now created during RPM install and not in runtime,
we may switch back to shipping tmpfiles.d configuration directly in RPMs
and not create it in runtime, which is a preferred way to handle drop-in
configuration anyway.

This also means that the drop-in config will be shipped in /usr/lib
instead of /etc according to Fedora packaging guidelines.

This partially reverts commit 38c66896de.

https://pagure.io/freeipa/issue/7053

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2017-08-30 13:05:23 +02:00
Stanislav Laznicka
6f8d90d97a client: make ipa-client-install py3 compatible
This commit enables ipa-client-install to be installable in
Python 3 and makes it run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-02 16:13:18 +02:00
Stanislav Laznicka
b5732efda6 x509: Make certificates represented as objects
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Jan Cholasta
07229c8ff6 logging: do not use ipa_log_manager to create module-level loggers
Replace all `ipa_log_manager.log_mgr.get_logger` calls to create
module-level loggers with `logging.getLogger` calls and deprecate
`ipa_log_manager.log_mgr.get_logger`.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
7a482b7c72 logging: do not log into the root logger
Deprecate `ipa_log_manager.root_logger` and replace all calls to it with
module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Martin Basti
663f227a5c adtrust: move SELinux settings to constants
SELinux is platform dependend, moving boolean setting to platform module.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-26 08:32:05 +02:00
Martin Basti
1a6de32c9e httpd: move SELinux settings to constants
SELinux is platform dependend, moving boolean setting to platform module.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-26 08:32:05 +02:00
Jan Cholasta
11b8a34346 client install: fix client PKINIT configuration
Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.

Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.

Make sure both bundles are exported in all installation code paths.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Petr Vobornik
3a4c8e39c3
restore: restart/reload gssproxy after restore
So that gssproxy picks up new configuration and therefore related
usages like authentication of CLI against server works

https://pagure.io/freeipa/issue/6902

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-04-28 14:56:02 +02:00
Martin Babinsky
68c6a4d4e1 Stop requesting anonymous keytab and purge all references of it
anonymous kinit using keytab never worked so we may safely remove all
code that requests/uses it.

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-04-28 08:38:12 +00:00
Stanislav Laznicka
ddbbb1c58e Move the compat plugin setup at the end of install
The compat plugin was causing deadlocks with the topology plugin. Move
its setup at the end of the installation and remove the
cn=topology,cn=ipa,cn=etc subtree from its scope.

https://pagure.io/freeipa/issue/6821

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-24 17:11:51 +02:00
Michal Reznik
2493f81204 - added krb5kdc.log to pytest logging
KRB5KDC_LOG = '/var/log/krb5kdc.log' added to paths
host.collect_log(paths.KRB5KDC_LOG) added to tasks.py

Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-04-12 17:34:32 +02:00
David Kupka
a726e98f03 Create system users for FreeIPA services during package installation
Previously system users needed by FreeIPA server services was created during
ipa-server-install. This led to problem when DBus policy was configured during
package installation but the user specified in the policy didn't exist yet
(and potentionally similar ones). Now the users will be created in package %pre
section so all users freeipa-server package needs exist before any installation
or configuration begins.
Another possibility would be using systemd-sysusers(8) for this purpose but
given that systemd is not available during container build the traditional
approach is superior.
Also dirsrv and pkiuser users are no longer created by FreeIPA instead it
depends on 389ds and dogtag to create those users.

https://pagure.io/freeipa/issue/6743

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-11 17:51:49 +02:00
Martin Basti
fd597f83ae collect audit.log for easier selinux investigation
Audit log contains useful information about selinux issues

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2017-04-06 10:08:54 +02:00
Jan Cholasta
3de09709cc tasks: run systemctl daemon-reload after httpd.service.d updates
Run `systemctl daemon-reload` after
`/etc/systemd/system/httpd.service.d/ipa.conf` is created or deleted,
otherwise systemd will not merge the file into httpd.service and therefore
required environment variables will not be set for httpd.

This fixes authentication failures ("No valid Negotiate header in server
response") due to missing `GSS_USE_PROXY=yes` in httpd environment.

https://pagure.io/freeipa/issue/6773

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-21 16:38:06 +01:00
Timo Aaltonen
e20ad9c251 ipaplatform/debian/paths: Add some missing values.
Rename KRA_AGENT_PEM -> OLD_KRA_AGENT_PEM, add CERTMONGER_DOGTAG_SUBMIT.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-15 09:53:08 +01:00
Jan Cholasta
f037bfa483 httpinstance: disable system trust module in /etc/httpd/alias
Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Disable the system trust module on install and upgrade to prevent the
system trust store to be used in /etc/httpd/alias and fix all of the above
issues.

https://pagure.io/freeipa/issue/6132

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-14 17:12:19 +01:00
Timo Aaltonen
c194f74b12 ipaplatform/debian/paths: Rename IPA_KEYTAB to OLD_IPA_KEYTAB.
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-14 17:09:10 +01:00
Timo Aaltonen
71db8c264e ipaplatform/debian/paths: Add IPA_HTTPD_KDCPROXY.
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-14 17:09:10 +01:00
Timo Aaltonen
1a47fcd3ee ipaplatform/debian/services: Fix is_running arguments.
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-14 17:09:10 +01:00
Stanislav Laznicka
5d3a0e6758 Don't allow standalone KRA uninstalls
KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.

https://pagure.io/freeipa/issue/6538

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-13 16:27:23 +01:00
Jan Cholasta
5d489ac560 pylint_plugins: add forbidden import checker
Add new pylint AST checker plugin which implements a check for imports
forbidden in IPA. Which imports are forbidden is configurable in pylintrc.

Provide default forbidden import configuration and disable the check for
existing forbidden imports in our code base.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-10 13:04:59 +01:00
Tomas Krizek
ecb450308d
server install: require IPv6 stack to be enabled
Add checks to install and replica install to verify IPv6 stack
is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...).

https://pagure.io/freeipa/issue/6608

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-09 16:50:21 +01:00
Christian Heimes
80be181629 Move csrgen templates into ipaclient package
csrgen broke packaging of ipaclient for PyPI. All csrgen related
resources are now package data of ipaclient package. Package data is
accessed with Jinja's PackageLoader() or through pkg_resources.

https://pagure.io/freeipa/issue/6714

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-08 15:59:26 +01:00
Christian Heimes
88fd936a76 Remove NSPRError exception from platform tasks
ipalib.x509 no longer raises NSPRError. PyCA cryptography raises
ValueError for invalid certs.

https://fedorahosted.org/freeipa/ticket/5695

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-01 15:58:59 +01:00
Stanislav Laznicka
5ab85b365a Moving ipaCert from HTTPD_ALIAS_DIR
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.

https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6680

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Stanislav Laznicka
2a1494c9ae Move RA agent certificate file export to a different location
HTTPS connection to certificate server requires client authentication
so we need a file with client certificate and private key prior to
its first occurence which happens during migration of certificate
profiles to LDAP.

https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 09:43:41 +00:00
Simo Sorce
b8f304c669 Remove non-sensical kdestroy on https stop
This kdestroy runs as root and wipes root's own ccachs ...
this is totally inappropriate.
Use a file ccache that ends up in the private tmp, so that if the
service is restarted the file is automatically removed.

https://fedorahosted.org/freeipa/ticket/6673

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-02-22 15:50:48 +01:00
Jan Cholasta
0862e32091 server upgrade: always upgrade KRA agent PEM file
Before the KRA agent PEM file is exported in server upgrade, the sysupgrade
state file is consulted. This causes the KRA agent PEM file not to be
exported to the new location if the upgrade was executed in the past.

Do not consult the sysupgrade state file to decide whether to upgrade the
KRA agent PEM file or not, the existence of the file is enough to make this
decision.

https://fedorahosted.org/freeipa/ticket/6675

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-02-20 13:00:50 +00:00
Simo Sorce
4fd89833ee Add a new user to run the framework code
Add the apache user the ipawebui group.
Make the ccaches directory owned by the ipawebui group and make
mod_auth_gssapi write the ccache files as r/w by the apache user and
the ipawebui group.
Fix tmpfiles creation ownership and permissions to allow the user to
access ccaches files.
The webui framework now works as a separate user than apache, so the certs
used to access the dogtag instance need to be usable by this new user as well.
Both apache and the webui user are in the ipawebui group, so use that.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
c2b1b2a362 Always use /etc/ipa/ca.crt as CA cert file
It seem like ALIAS_CACERT_ASC was just a redundant location for the CA
cert file which is always available in /etc/ipa/ca.crt

Just use the canonical CA cert location in /etc/ipa for all cases and
stop creating a separate cacert file.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
d124e307f3 Separate RA cert store from the HTTP cert store
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
d2f5fc304f Configure HTTPD to work via Gss-Proxy
https://fedorahosted.org/freeipa/ticket/4189
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
b6741d81e1 Use Anonymous user to obtain FAST armor ccache
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
38c66896de Generate tmpfiles config at install time
We do not want to generate runtime directories just because the packages
are installed, but only if the server is actually setup and run. Also this
will be needed later because we will create a user at install time and some
tmpfiles will need to be owned by this user.
As we are changing this code also rationalize the directory structure and
move it from the http rundir to the ipa specific rundir.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
c894ebefc5 Change session handling
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Tomas Krizek
e8a2abd548 named.conf template: update API for bind 9.11
Use the new API for bind 9.11. Removed deprecated "serial_autoincrement"
and updated the rest of configuration to conform to the new format.

This only fixes new IPA installations. For existing installations,
named.conf will be transformed when the new version of bind-dyndb-ldap
is installed.

https://fedorahosted.org/freeipa/ticket/6565

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-09 16:34:53 +01:00
Ben Lipton
10ef594786 csrgen: Add code to generate scripts that generate CSRs
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Timo Aaltonen
e04b75cb9e ipaplatform: Add Debian platform module.
v2:
- use redhat_services.redhat_system_units.copy
- don't use wildcard imports
- add some empty lines to make pep8 happy

v3:
- make parse_ipa_version static

v4:
- make more methods static

v5:
- fix pylint issues
- use syntax that doesn't break with python3

v6:
- remove IPA_GETKEYTAB from paths, it's the same across distros

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-19 16:45:42 +01:00
Abhijeet Kasurde
6d52c0fe6a Fix for handling CalledProcessError in authconfig
NIS configuration error should be hidden from user
while running ipa-client-install

Fixes https://fedorahosted.org/freeipa/ticket/5244

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-18 08:51:38 +01:00
Timo Aaltonen
0ff12de338 client, platform: Use paths.SSH* instead of get_config_dir().
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-05 17:50:03 +01:00
Simo Sorce
ca4e6c1fdf Configure Anonymous PKINIT on server install
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-12 13:39:44 +01:00
Christian Heimes
3e3b5462b2 Remove BIN_FALSE and BIN_TRUE
https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-02 09:02:07 +01:00
Christian Heimes
ed9645b2ac Adjustments for setup requirements
* Fix some typos, missing or surplus dependencies.
* Remove setup requirement on wheel since it triggers download.

ipatests is now installable. Tests need further changes to be runable.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-30 13:32:30 +01:00
Jan Cholasta
a260fd8058 ipaclient: remove hard dependency on ipaplatform
Hard-code the user cache directory path in ipaclient.remote_plugins.schema.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
528012fe8a ipapython: remove hard dependency on ipaplatform
Use hard-coded paths to certutil, pk12util and openssl in certdb if
ipaplatform is not available.

Hard-coded the path to setpasswd in ipautil.run() doc string.

Remove ipaplatform dependency from ipapython's setup.py and add ipapython
dependency to ipaplatform's setup.py.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
75b70e3f0d ipautil: move is_fips_enabled() to ipaplatform.tasks
The FIPS setting is platform-specific.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
d6b755e3fc ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR
SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform.

Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove
both SHARE_DIR and PLUGIN_SHARE_DIR.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
f919ab4ee0 certdb: use a temporary file to pass password to pk12util
Currently the PKCS#12 file password is passed via stdin and pk12util reads
it from /dev/stdin, which is platform-specific.

Use a temporary file instead.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
9117a5d5a6 paths: remove DEV_NULL
The platform-specific path to /dev/null is provided by the Python standard
library in os.devnull.

Replace all uses of paths.DEV_NULL with os.devnull and remove DEV_NULL.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Christian Heimes
6409abf1a6 Break ipaplatform / ipalib import cycle of hell
Here is an attempt to break the import cycle of hell between ipaplatform
and ipalib. All services now pass an ipalib.api object to
services.service(). RedHatServices.__init__() still needs to do a local
import because it initializes its wellknown service dict with service
instances.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-24 16:30:32 +01:00
Christian Heimes
29947fe1a3 Minor fixes for IPAVersion class
Py3: classes with __eq__ must provide __hash__ function or set __hash__
to None.
Comparison function like __eq__ must signal unsupported types by
returning NotImplemented. Python turns this in a proper TypeError.
Make the version member read-only and cache _bytes represention.

https://fedorahosted.org/freeipa/ticket/6473

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-22 17:44:27 +01:00
Fraser Tweedale
687ebd18a1 Remove references to ds_newinst.pl
ds_newinst.pl was removed from 389 DS over 9 years ago. Remove
references to it.

Fixes: https://fedorahosted.org/freeipa/ticket/6496
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-21 18:03:52 +01:00
Christian Heimes
8346e1b067 Add install requirements to Python packages
https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-16 22:58:39 +01:00
Christian Heimes
94a9dfb9d7 Don't modify redhat_system_units
ipaplatform.fedora.services used to modify the redhat_system_units dict.
It now creates a proper shallow copy.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-16 14:43:53 +01:00
Petr Spacek
8de11b091f Build: Makefiles for Python packages
This version builds only one version of Python packages. If you want to
build for Python 2 & 3 call configure twice using different --with-python
or specify PYTHON variable when calling make.

dist-hook is using SOURCES.txt file from egg-info.
According to Petr Viktorin this should be enough for our purposes
and avoids need to create plugins for setuptools.

Currently VPATH builds do not work for various reasons.
This should be fixed later on.

Most credit goes to these guys:
 Christian Heimes <cheimes@redhat.com>
 Petr Viktorin <pviktori@redhat.com>
 Kevin Brown <kevin@kevin-brown.com>

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Christian Heimes
91920e7cb4 Add __name__ == __main__ guards to setup.pys
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2016-10-25 18:11:31 +02:00
Petr Spacek
c70a2873f8 Build: replace ipaplatform magic with symlinks generated by configure
The original approach with __path__ implemented
by 8f98fa1bd5 broke Pylint:
We decided to resort back to symlinks as it is easiest solution
which does not break pylint in weird ways.

This commit introduces configure --with-ipaplatform option.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-10-24 13:30:12 +02:00
Christian Heimes
4cd83fb51c Port all setup.py to setuptools
All setup.py files are now using setuptools through a common file
ipasetup.py. The file is auto-generated and contain all common
settings.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-20 18:43:37 +02:00
Christian Heimes
8f98fa1bd5 Replace ipaplatform's symlinks with a meta importer
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-10-20 10:42:00 +02:00
Timo Aaltonen
6c53765ac1 Purge obsolete firefox extension
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-13 20:55:14 +02:00
Jan Barta
36484e8672 pylint: fix simplifiable-if-statement warnings
fix inefficient if statements, enable pylint check

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Jan Cholasta
984ae3858d client: remove hard dependency on pam_krb5
If ipa-client-install is executed with --no-sssd, check if pam_krb5 is
available before proceeding with the install.

https://fedorahosted.org/freeipa/ticket/5557

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-19 08:01:26 +02:00
Alexander Bokovoy
7bec8a246d support schema files from third-party plugins
Allow upgrade process to include schema files from third-party plugins
installed in /usr/share/ipa/schema.d/*.schema.

The directory /usr/shar/eipa/schema.d is owned by the server-common
subpackage and therefore third-party plugins should depend on
freeipa-server-common (ipa-server-common) package in their package
dependencies.

Resolves: https://fedorahosted.org/freeipa/ticket/5864
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-19 15:34:26 +02:00
Petr Spacek
80e544e7a9 install: Call hostnamectl set-hostname only if --hostname option is used
This commit also splits hostname backup and configuration into two separate
functions. This allows us to backup hostname without setting it at the
same time.

https://fedorahosted.org/freeipa/ticket/6071

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-10 10:48:05 +02:00
Martin Basti
148e021ac1 ipa-backup: backup /etc/tmpfiles.d/dirsrv-<instance>.conf
This file allows daemon tmpfiles.d to re-create the dirs in volatile
directories like /var/run or /var/lock. Without this file Dirsrv will
not start.

https://fedorahosted.org/freeipa/ticket/6165

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-08-09 18:29:21 +02:00
Christian Heimes
1de92b1326 RedHatCAService should wait for local Dogtag instance
RedHatCAService.wait_until_running() uses dogtag.ca_status() to make a
HTTP(s) request to Dogtag in order to check if /ca/admin/ca/getStatus
returns OK. The ca_status() function defaults to api.env.ca_host as
host.

On a replica without CA ca_host is a remote host (e.g. master's
FQDN). ipa-ca-install waits for master:8080 instead of replica:8080,
which might be blocked by a firewall.

https://fedorahosted.org/freeipa/ticket/6016

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-03 19:20:42 +02:00
David Kupka
229e2a1ed9 compat: Save server's API version in for pre-schema servers
When client comunicates with server that doesn't support 'schema'
command it needs to determine its api version to be able to use the
right compat code. Storing information about server version reduces the
need to call 'env' or 'ping' command only to first time the server is
contacted.

https://fedorahosted.org/freeipa/ticket/6069

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-03 16:32:39 +02:00
Christian Heimes
64db059249 Correct path to HTTPD's systemd service directory
Ticket #5681 and commit 586fee293f changed
the location of the ipa.conf for Apache HTTPD. The variables
SYSTEMD_SYSTEM_HTTPD_D_DIR and SYSTEMD_SYSTEM_HTTPD_IPA_CONF point to
the wrong directory /etc/systemd/system/httpd.d/. The path is corrected
to  /etc/systemd/system/httpd.service.d/.

https://fedorahosted.org/freeipa/ticket/6158
https://bugzilla.redhat.com/show_bug.cgi?id=1362537
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
2016-08-02 17:21:16 +02:00
Martin Basti
f05615bb83 CI tests: improve log collecting
We should collect as much as possible relevant logs to be able do better
investigation from test automation

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-26 15:34:07 +02:00
Petr Vobornik
1b8a36d134 unite log file name of ipa-ca-install
ipa-ca-install said that it used
  /var/log/ipareplica-ca-install.log
but in fact it used
  /var/log/ipaserver-ca-install.log

This patch unites it to ipareplica-ca-install.log

It was chosen because of backwards compatibility - ipareplica-ca-install
was more commonly used. ipaserver-ca-install.log was used only in rare
CA less -> CA installation.

https://fedorahosted.org/freeipa/ticket/6086

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-07-21 18:37:05 +02:00
Florence Blanc-Renaud
d9ae9ee1b5 Do not log error when removing a non-existing file
When the uninstaller tries to remove /etc/systemd/system/httpd.d/ipa.conf and
the file does not exist, only log to debug instead of error.

https://fedorahosted.org/freeipa/ticket/6012

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 09:01:21 +02:00
Florence Blanc-Renaud
3c40d3aa9e Do not allow installation in FIPS mode
https://fedorahosted.org/freeipa/ticket/5761

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2016-06-29 16:17:27 +02:00
Stanislav Laznicka
fb4e19713d Fixes CA always being presented as running
Even after manually stopping the pki-tomcatd service instance the
service's is_running() method would still return True.

https://fedorahosted.org/freeipa/ticket/5898

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-15 18:11:28 +02:00
Fraser Tweedale
4660bb7ff0 Add custodia store for lightweight CA key replication
Due to limitations in Dogtag's use of NSSDB, importing private keys
must be done by the Dogtag Java process itself.  This requires a
PKIArchiveOptions format (signing key wrapped with host CA key) -
PKCS #12 cannot be used because that would require decrypting the
key in Dogtag's memory, albeit temporarily.

Add a new custodia store that executes a 'pki' command to acquire
the wrapped key.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-09 09:04:27 +02:00
Stanislav Laznicka
2026677635 Added krb5.conf.d/ to included dirs in krb5.conf
The include of /etc/krb5.conf.d/ is required for crypto-policies to work properly

https://fedorahosted.org/freeipa/ticket/5912

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-06-05 09:47:13 +02:00
Petr Viktorin
743828b0f4 ipaplatform.redhat: Use bytestrings when calling rpm.so for version comparison
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 16:44:08 +02:00
Martin Basti
813aab1b8e Tasks: raise NotImplementedError for not implemented methods
Is safer to raise error than trying to find what is wrong with method
that is not correctly overriden

The new method set_hostname has been added which should be overriden on other
platforms.

https://fedorahosted.org/freeipa/ticket/5794

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-04-26 14:01:42 +02:00
Martin Basti
5e10b2eed2 Log errors from backup_and_replace hostname to logger
Without logging errors to logger  is hard to debug issue from logfile.

https://fedorahosted.org/freeipa/ticket/5794

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-04-26 14:01:42 +02:00
Martin Basti
30f3d198d0 Remove deprecated hostname restoration from Fedora18
This is not needed on new Fedora, because restore will not be effective.

https://fedorahosted.org/freeipa/ticket/5794

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-04-26 14:01:42 +02:00
Martin Basti
c5686295f1 Always set hostname
This prevents cases when hostname on system is set inconsistently
(transient and static hostname differs) and may cause IPA errors.

This commit ensures that all hostnames are set properly.

https://fedorahosted.org/freeipa/ticket/5794

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-04-26 14:01:42 +02:00
Martin Basti
586fee293f Configure httpd service from installer instead of directly from RPM
File httpd.service was created by RPM, what causes that httpd service may
fail due IPA specific configuration even if IPA wasn't installed or was
uninstalled (without erasing RPMs).

With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.

https://fedorahosted.org/freeipa/ticket/5681

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-04-22 10:19:25 +02:00
Martin Basti
70fd78928c Use netifaces module instead of 'ip' command
Netifaces allows to get addresses from local interfaces of the host in
safer way than parsing output of the ip command.

https://fedorahosted.org/freeipa/ticket/5591

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-04-14 13:53:27 +02:00
Timo Aaltonen
b793c9049e Fix kdc.conf.template to use ipaplatform.paths.
https://fedorahosted.org/freeipa/ticket/5343

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-23 13:35:29 +01:00
Timo Aaltonen
2a2d63669d ipaplatform: Move remaining user/group constants to ipaplatform.constants.
Use ipaplatform.constants in every corner instead of importing other bits or calling
some platform specific things, and remove most of the remaining hardcoded uid's.

https://fedorahosted.org/freeipa/ticket/5343

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-23 13:32:55 +01:00
Christian Heimes
49be6c8d3c Move user/group constants for PKI and DS into ipaplatform
https://fedorahosted.org/freeipa/ticket/5619

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-03-22 10:40:44 +01:00
Martin Basti
491447cc5a pylint: remove bare except
Bare except should not be used.

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-03-22 10:20:51 +01:00
Martin Basti
fb3a5d5a9c Use platform path constant for SSSD log dir
The path to SSSD log directory is platform specific and should be in
ipaplatform module.

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-16 09:31:02 +01:00
Timo Aaltonen
872d5903d0 Move freeipa certmonger helpers to libexecdir.
The scripts in this directory are simple python scripts, nothing arch-specific
in them. Having them under libexec would simplify the code a bit too, since
there would be no need to worry about lib vs lib64 (which also cause trouble
on Debian).

https://fedorahosted.org/freeipa/ticket/5586

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-02-26 08:29:44 +01:00
Fraser Tweedale
fd7ea2c939 Remove workaround for CA running check
A workaround was introduced for ticket #4676 that used wget to
perform an (unauthenticated) https request to check the CA status.
Later, wget was changed to curl (the request remained
unauthenticated).

Remove the workaround and use an http request (no TLS) to check the
CA status.  Also remove the now-unused unauthenticated_http_request
method, and update specfile to remove ipalib dependency on curl.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-21 14:09:44 +01:00
Martin Babinsky
7cd99e8520 use FFI call to rpmvercmp function for version comparison
Stop using rpm-python to compare package versions since the implicit NSS
initialization upon  the module import breaks NSS handling in IPA code. Call
rpm-libs C-API function via CFFI instead.

Big thanks to Martin Kosek <mkosek@redhat.com> for sharing the code snippet
that spurred this patch.

https://fedorahosted.org/freeipa/ticket/5572

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-01-11 17:54:36 +01:00
Martin Basti
1d56665fd2 Upgrade: Fix upgrade of NIS Server configuration
Former upgrade file always created the NIS Server container, that caused
the ipa-nis-manage did not set all required NIS maps. Default creation
of container has been removed.

Updating of NIS Server configuration and
NIS maps is done only if the NIS Server container exists.

https://fedorahosted.org/freeipa/ticket/5507

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-01-11 09:45:54 +01:00
Martin Basti
e4075b1fe2 Remove unused imports
This patch removes unused imports, alse pylint has been configured to
check unused imports.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:59:22 +01:00
Martin Basti
fba70a0346 Use module variables for timedate_services
Explicitly store timedate services in module variable is safer than
doind just unused import.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:57:55 +01:00
Martin Basti
403652b5b9 Fix: replace mkdir with chmod
In original patches, extra mkdir has been added instead of chmod.

https://fedorahosted.org/freeipa/ticket/5520

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-12-22 16:40:45 +01:00
Martin Basti
91913c5ba7 Fix version comparison
Use RPM library to compare vendor versions of IPA for redhat platform

https://fedorahosted.org/freeipa/ticket/5535

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-12-22 14:08:41 +01:00
Martin Basti
4272ba40ea Explicitly call chmod on newly created directories
Without calling os.chmod(), umask is effective and may cause that
directory is created with permission that causes failure.

This can be related to https://fedorahosted.org/freeipa/ticket/5520

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-12-14 14:57:26 +01:00
Fraser Tweedale
38861428e7 dogtaginstance: remove unused function 'check_inst'
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-12-14 14:32:36 +01:00
Petr Viktorin
099cf98307 Refactor ipautil.run
The ipautil.run function now returns an object with returncode and
output are accessible as attributes.

The stdout and stderr of all commands are logged (unless skip_output is given).

The stdout/stderr contents must be explicitly requested with a keyword
argument, otherwise they are None.
This is because in Python 3, the output needs to be decoded, and that can
fail if it's not decodable (human-readable) text.

The raw (bytes) output is always available from the result object,
as is "leniently" decoded output suitable for logging.

All calls are changed to reflect this.

A use of Popen in cainstance is changed to ipautil.run.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-14 10:54:23 +01:00
Gabe
5c9b9089b7 Migrate wget references and usage to curl
https://fedorahosted.org/freeipa/ticket/5458

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-12-11 18:46:10 +01:00
Jan Cholasta
aeffe2da42 install: drop support for Dogtag 9
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing
Dogtag 9 CA and CA DS instances are disabled on upgrade.

Creating a replica of a Dogtag 9 IPA master is still supported.

https://fedorahosted.org/freeipa/ticket/5197

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-11-25 09:12:25 +01:00
Martin Basti
19044e87ac Drop configure.jar
Configure.jar used to be used with firefox version < 10 which is not
supported anymore, thus this can be removed.

https://fedorahosted.org/freeipa/ticket/5144

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-11-13 14:02:45 +01:00
Timo Aaltonen
43654c973c ipaplatform: Add NTPD_OPTS_VAR and NTPD_OPTS_QUOTE to constants
https://fedorahosted.org/freeipa/ticket/5343

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-11-04 13:12:12 +01:00
Timo Aaltonen
24ebdf90a5 ipaplatform: Add SECURE_NFS_VAR to constants
https://fedorahosted.org/freeipa/ticket/5343

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-11-04 13:12:12 +01:00
Timo Aaltonen
489c24837c ipaplatform: Add NAMED_USER to constants
https://fedorahosted.org/freeipa/ticket/5343

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-11-04 13:12:12 +01:00
Timo Aaltonen
874b6d9f28 ipaplatform: Add HTTPD_USER to constants, and use it.
https://fedorahosted.org/freeipa/ticket/5343

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-11-04 13:12:12 +01:00
Petr Viktorin
eab334dde8 Handle binascii.Error from base64.b64decode()
In Python 3, the base64.b64decode function raises binascii.Error (a ValueError
subclass) when it finds incorrect padding. In Python 2 it raises TypeError.

Callers should usually handle ValueError; unless they are specifically
concerned with handling base64 padding issues).

In some cases, callers should handle ValueError:
- ipalib.pkcs10 (get_friendlyname, load_certificate_request): callers should
  handle ValueError
- ipalib.x509 (load_certificate*, get_*): callers should handle ValueError

In other cases ValueError is handled:
- ipalib.parameters
- ipapython.ssh
- ipalib.rpc (json_decode_binary - callers already expect ValueError)
- ipaserver.install.ldapupdate

Elsewhere no error handling is done, because values come from trusted
sources, or are pre-validated:
- vault plugin
- ipaserver.install.cainstance
- ipaserver.install.certs
- ipaserver.install.ipa_otptoken_import

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-10-22 18:34:46 +02:00
Petr Vobornik
fff31ca220 topology: manage ca replication agreements
Configure IPA so that topology plugin will manage also CA replication
agreements.

upgrades if CA is congigured:
- ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX
- ipaReplTopoManagedSuffix: o=ipaca is added to master entry
- binddngroup is added to o=ipaca replica entry

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Simo Sorce
d03619fff3 Implement replica promotion functionality
This patch implements a new flag --promote for the ipa-replica-install command
that allows an administrative user to 'promote' an already joined client to
become a full ipa server.

The only credentials used are that of an administrator. This code relies on
ipa-custodia being available on the peer master as well as a number of other
patches to allow a computer account to request certificates for its services.

Therefore this feature is marked to work only with domain level 1 and above
servers.

Ticket: https://fedorahosted.org/freeipa/ticket/2888

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Simo Sorce
463dda3067 Add ipa-custodia service
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Petr Viktorin
70b37a956c Use six.moves.urllib instead of urllib/urllib2/urlparse
In Python 3, these modules are reorganized.

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-10-07 10:27:20 +02:00
Timo Aaltonen
7059117ec3 paths: Add GENERATE_RNDC_KEY.
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-10-05 17:45:51 +02:00
Milan Kubík
c22c60b87c ipatests: configure Network Manager not to manage resolv.conf
For the duration of the test, makes resolv.conf unmanaged.
If NetworkManager is not running, nothing is changed.

https://fedorahosted.org/freeipa/ticket/5331

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-10-02 14:01:50 +02:00
Martin Babinsky
14977b5d84 do not overwrite files with local users/groups when restoring authconfig
the patch fixes regression in ipa-restore caused by overwriting /etc/passwd,
/etc/shadow and fiends during restore of authconfig configuration files. These
files are now excluded from authconfig backup dir.

https://fedorahosted.org/freeipa/ticket/5328

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-10-02 12:45:26 +02:00
Jan Cholasta
4c39561261 install: fix kdcproxy user home directory
https://fedorahosted.org/freeipa/ticket/5314

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-09-23 16:29:49 +02:00
Jan Cholasta
859590337a platform: add option to create home directory when adding user
https://fedorahosted.org/freeipa/ticket/5314

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-09-23 16:29:49 +02:00
Tomas Babej
cfeea91828 ipa-backup: Add mechanism to store empty directory structure
Certain subcomponents of IPA, such as Dogtag, cannot function if
non-critical directories (such as log directories) have not been
stored in the backup.

This patch implements storage of selected empty directories,
while preserving attributes and SELinux context.

https://fedorahosted.org/freeipa/ticket/5297

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-09-22 13:17:25 +02:00
Jan Cholasta
5137478fb8 install: support KRA update
https://fedorahosted.org/freeipa/ticket/5250

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-09-17 14:55:54 +02:00
Endi S. Dewata
72cfcfa0bd Using LDAPI to setup CA and KRA agents.
The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.

https://fedorahosted.org/freeipa/ticket/5257

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-09-07 18:01:13 +02:00
Martin Basti
e7a876d88a DNSSEC: remove ccache and keytab of ipa-ods-exporter
Reusing old ccache after reinstall causes authentication error. And
prevents DNSSEC from working.

Related to ticket: https://fedorahosted.org/freeipa/ticket/5273

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-09-03 18:15:58 +02:00
Petr Viktorin
8de13bd7dd Use the print function
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-01 11:42:01 +02:00
Petr Viktorin
5a9141dc40 Replace filter() calls with list comprehensions
In Python 3, filter() returns an iterator.
Use list comprehensions instead.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-01 11:42:01 +02:00
Petr Viktorin
3bf91eab25 Use Python3-compatible dict method names
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.

Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.

When iterating through the entire dict, without modifying the dict,
 the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.

In other cases, helpers like six.itervalues are used.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-01 11:42:01 +02:00
Endi S. Dewata
8676364ae8 Removed clear text passwords from KRA install log.
The ipa-kra-install tool has been modified to use password files
instead of clear text passwords when invoking pki tool such that
the passwords are no longer visible in ipaserver-kra-install.log.

https://fedorahosted.org/freeipa/ticket/5246

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-08-26 13:49:57 +02:00
David Kupka
db88985c0d Backup/resore authentication control configuration
https://fedorahosted.org/freeipa/ticket/5071

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-19 14:13:00 +02:00
Martin Babinsky
83db1de096 fix typo in BasePathNamespace member pointing to ods exporter config
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-08-17 18:46:30 +02:00
Petr Viktorin
27dabb4528 Modernize 'except' clauses
The 'as' syntax works from Python 2 on, and Python 3 will
drop the "comma" syntax.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
Martin Basti
92828d3cf5 DNS: check if DNS package is installed
Instead of separate checking of DNS required packages, we need just
check if IPA DNS package is installed.

https://fedorahosted.org/freeipa/ticket/4058

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-21 17:30:10 +02:00
Tomas Babej
a487e42d3f ipaplatform: Add constants submodule
Introduce a ipaplatform/constants.py file to store platform related
constants, which are not paths.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-21 17:29:33 +02:00
David Kupka
2defc486ab cermonger: Use private unix socket when DBus SystemBus is not available.
https://fedorahosted.org/freeipa/ticket/5095

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-20 14:28:09 +00:00
Martin Basti
e151492560 DNSSEC: allow to disable/replace DNSSEC key master
This commit allows to replace or disable DNSSEC key master

Replacing DNSSEC master requires to copy kasp.db file manually by user

ipa-dns-install:
--disable-dnssec-master  DNSSEC master will be disabled
--dnssec-master --kasp-db=FILE  This configure new DNSSEC master server,  kasp.db from old server is required for sucessful replacement
--force Skip checks

https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-07 08:37:15 +02:00
Tomas Babej
ccbf267872 ipaplatform: Remove redundant definitions
The variables path_namespace and task_namespace in the base platform
are not used anywhere in the rest of the codebase and are just
debris from previous implementation.

This patch removes them.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-02 13:04:23 +02:00
Jan Cholasta
e9c9e3f009 ipaplatform: Do not use MagicDict for KnownServices
https://fedorahosted.org/freeipa/ticket/3090

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-01 13:05:30 +00:00
Gabe
37729936dd Clear SSSD caches when uninstalling the client
https://fedorahosted.org/freeipa/ticket/5049

Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2015-06-30 12:59:19 +02:00
Petr Spacek
ee84c6ae78 Rate-limit while loop in SystemdService.is_active().
Previously is_active() was frenetically calling systemctl is_active in
tight loop which in fact made the process slower.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-29 13:39:07 +02:00
Christian Heimes
495da412f1 Provide Kerberos over HTTP (MS-KKDCP)
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
  dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
  cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
  present.
- The installers and update create a new Apache config file
  /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
  /KdcProxy. The app is run inside its own WSGI daemon group with
  a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
  /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used. SetEnv from Apache config does
  not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
  ipa-ldap-updater. No CLI script is offered yet.

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-06-24 10:43:58 +02:00
David Kupka
4d05b5d18d Use 389-ds centralized scripts.
Directory server is deprecating use of tools in instance specific paths. Instead
tools in bin/sbin path should be used.

https://fedorahosted.org/freeipa/ticket/4051

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-11 13:16:06 +02:00
Jan Cholasta
e7ac57e139 vault: Fix ipa-kra-install
Use state in LDAP rather than local state to check if KRA is installed.
Use correct log file names.

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 16:17:34 +00:00
Jan Cholasta
81729e22d3 vault: Move vaults to cn=vaults,cn=kra
https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 16:17:34 +00:00
Martin Basti
f903c2d5bf Fix: use DS socket check only for upgrade
To detect if DS server is running, use the slapd socket for upgrade, and the LDAP port
for installation.

Without enabled LDAPi socket checking doesnt work.

https://fedorahosted.org/freeipa/ticket/4904

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2015-05-26 11:30:15 +00:00
Martin Basti
3d17bf8e63 Server Upgrade: wait until DS is ready
During server upgrade we should wait until DS is ready after restart, otherwise
connection error is raised.

Instead of 389 port, the DS socket is checked.

https://fedorahosted.org/freeipa/ticket/4904

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2015-05-22 15:51:05 +02:00
Martin Babinsky
5a741b614f explicitly destroy httpd service ccache file during httpinstance removal
during IPA server uninstall, the httpd service ccache is not removed from
runtime directory. This file then causes server-side client install to fail
when performing subsequent installation without rebooting/recreating runtime
directories.

This patch ensures that the old httpd ccache is explicitly destroyed during
uninstallation.

https://fedorahosted.org/freeipa/ticket/4973

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-05-19 12:59:18 +00:00
Martin Basti
3c86b0ef3e Dont use the proxy to check CA status
Checking status of the CA via proxy cause issues when httpd instance is
down.

To check status of CA we do not need proxy.

https://fedorahosted.org/freeipa/ticket/4994

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-15 10:22:28 +00:00
Martin Basti
9f049ca144 Server Upgrade: Verify version and platform
Verify version and platform before upgrade or ipactl start|restart

Upgrade:
* do not allow upgrade on different platforms
* do not allow upgrade data with higher version than build has

Start:
* do not start services if platform mismatch
* do not start services if upgrade is needed
* do not start services if data with higher version than build has

New ipactl options:
--skip-version-check: do not validate IPA version
--ignore-service-failures (was --force): ignore if a service start fail
      and continue with starting other services
--force: combine --skip-version-check and --ignore-service-failures

https://fedorahosted.org/freeipa/ticket/4904

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-05-04 11:16:26 +00:00
Martin Basti
0a1a3d7312 DNSSEC CI tests
Tests:
* install master, replica, then instal DNSSEC on master
  * test if zone is signed (added on master)
  * test if zone is signed (added on replica)

* install master with DNSSEC, then install replica
  * test if root zone is signed
  * add zone, verify signatures using our root zone

https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2015-04-14 19:29:36 +02:00
Martin Babinsky
e8d4f6dba1 show the exception message thrown by dogtag._parse_ca_status during install
https://fedorahosted.org/freeipa/ticket/4885

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2015-03-26 14:46:56 +01:00
Nathan Kinder
a58b77ca9c Timeout when performing time sync during client install
We use ntpd now to sync time before fetching a TGT during client
install.  Unfortuantely, ntpd will hang forever if it is unable to
reach the NTP server.

This patch adds the ability for commands run via ipautil.run() to
have an optional timeout.  This capability is used by the NTP sync
code that is run during ipa-client-install.

Ticket: https://fedorahosted.org/freeipa/ticket/4842
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-03-16 15:55:26 +01:00