Commit Graph

83 Commits

Author SHA1 Message Date
Rob Crittenden
ab1667f3c1 Use pyasn1-based PKCS#10 and X509v3 parsers instead of pyOpenSSL.
The pyOpenSSL PKCS#10 parser doesn't support attributes so we can't identify
requests with subject alt names.

Subject alt names are only allowed if:
  - the host for the alt name exists in IPA
  - if binding as host principal, the host is in the services managedBy attr
2009-11-30 18:10:09 -07:00
Rob Crittenden
986c4e23e7 Point to correct location of self-signed CA and set pw on 389-DS cert db
The CA was moved from residing in the DS NSS database into the Apache
database to support a self-signed CA certificate plugin. This was not
updated in the installer boilerplate.

The DS db wasn't getting a password set on it. Go ahead and set one.
2009-11-25 09:57:14 -07:00
John Dennis
eb5793b5ea respect debug arg during server install
The debug flag (e.g. -d) was not being respected during server install. This
patch corrects that.
2009-11-19 14:46:18 -05:00
Rob Crittenden
884301ef33 Cache installer questions for the 2-step process of an externally-signed CA
Installing a CA that is signed by another CA is a 2-step process. The first
step is to generate a CSR for the CA and the second step is to install
the certificate issued by the external CA. To avoid asking questions
over and over (and potentially getting different answers) the answers
are cached.
2009-11-18 14:28:33 -05:00
Rob Crittenden
da58b0cc75 Add SELinux policy for UI assets
This also removes the Index option of /ipa-assets as well as the
deprecated IPADebug option.

No need to build or install ipa_webgui anymore. Leaving in the code
for reference purposes for now.
2009-11-04 04:07:38 -07:00
Jason Gerard DeRose
5782b882a7 ipa-server-install now renders UI assets 2009-11-04 03:52:30 -07:00
Rob Crittenden
bd619adb5c Use a new mechanism for delegating certificate issuance.
Using the client IP address was a rather poor mechanism for controlling
who could request certificates for whom. Instead the client machine will
bind using the host service principal and request the certificate.

In order to do this:
* the service will need to exist
* the machine needs to be in the certadmin rolegroup
* the host needs to be in the managedBy attribute of the service

It might look something like:

admin

ipa host-add client.example.com --password=secret123
ipa service-add HTTP/client.example.com
ipa service-add-host --hosts=client.example.com HTTP/client.example.com
ipa rolegroup-add-member --hosts=client.example.com certadmin

client

ipa-client-install
ipa-join -w secret123
kinit -kt /etc/krb5.keytab host/client.example.com
ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 09:04:05 -07:00
Rob Crittenden
e4c119ed4b Use Directory String sytnax for the fqdn attribute, not DN syntax. 2009-10-28 01:07:35 -06:00
Jason Gerard DeRose
c4b7b70636 Add mod_python adapter and some UI tuning 2009-10-27 21:38:13 -06:00
Rob Crittenden
81f8c5f0db Auto-detect whether dogtag needs to be uninstalled 2009-10-21 11:14:28 -04:00
Rob Crittenden
453a19fcac First pass at enforcing certificates be requested from same host
We want to only allow a machine to request a certificate for itself, not for
other machines. I've added a new taksgroup which will allow this.

The requesting IP is resolved and compared to the subject of the CSR to
determine if they are the same host. The same is done with the service
principal. Subject alt names are not queried yet.

This does not yet grant machines actual permission to request certificates
yet, that is still limited to the taskgroup request_certs.
2009-10-21 03:22:44 -06:00
Rob Crittenden
383492866e Fix ACI for host delegation
We had changed the DN format, I must have missed these ACIs the first
go around.
2009-10-17 22:51:53 -06:00
Rob Crittenden
f838e7e18b Fix an oops where I forgot to replace a string with a template 2009-10-17 22:08:50 -06:00
Rob Crittenden
b4cef3b79b Use nestedgroup instead of groupofnames for rolegroups so we have memberof 2009-10-12 09:40:49 -04:00
Rob Crittenden
342337a893 No longer use the IPA-specific memberof plugin. Use the DS-supplied one. 2009-10-12 09:37:38 -04:00
Pavel Zuna
a6eb928f98 Add HBAC plugin and introduce GeneralizedTime parameter type. 2009-10-05 15:55:27 -04:00
Rob Crittenden
dac224c25a Add support for per-group kerberos password policy.
Use a Class of Service template to do per-group password policy. The
design calls for non-overlapping groups but with cospriority we can
still make sense of things.

The password policy entries stored under the REALM are keyed only on
the group name because the MIT ldap plugin can't handle quotes in the
DN. It also can't handle spaces between elements in the DN.
2009-10-05 13:29:55 -06:00
Rob Crittenden
e4877c946f Only initialize the API once in the installer
Make the ldap2 plugin schema loader ignore SERVER_DOWN errors

525303
2009-09-28 22:17:01 -06:00
Rob Crittenden
d0587cbdd5 Enrollment for a host in an IPA domain
This will create a host service principal and may create a host entry (for
admins).  A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentails are available then enrollment over LDAPS is used
if a password is provided.

This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
2009-09-24 17:45:49 -06:00
Rob Crittenden
31ad1973c5 Better upgrade detection so we don't print spurious errors
Also add copyright

519414
2009-09-15 17:42:36 -04:00
Rob Crittenden
49b36583a5 Add external CA signing and abstract out the RA backend
External CA signing is a 2-step process. You first have to run the IPA
installer which will generate a CSR. You pass this CSR to your external
CA and get back a cert. You then pass this cert and the CA cert and
re-run the installer. The CSR is always written to /root/ipa.csr.

A run would look like:

 # ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
[ sign cert request ]
 # ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt  -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com

This also abstracts out the RA backend plugin so the self-signed CA we
create can be used in a running server. This means that the cert plugin
can request certs (and nothing else). This should let us do online replica
creation.

To handle the self-signed CA the simple ca_serialno file now contains
additional data so we don't have overlapping serial numbers in replicas.
This isn't used yet. Currently the cert plugin will not work on self-signed
replicas.

One very important change for self-signed CAs is that the CA is no longer
held in the DS database. It is now in the Apache database.

Lots of general fixes were also made in ipaserver.install.certs including:
 - better handling when multiple CA certificates are in a single file
 - A temporary directory for request certs is not always created when the
   class is instantiated (you have to call setup_cert_request())
2009-09-15 10:01:08 -04:00
Pavel Zuna
db7e0802fa Fix incorrect imports in ipa-server-certinstall. 2009-09-11 09:19:41 -04:00
Rob Crittenden
0c28978a8d Ensure that dnaMaxValue is higher than dnaNextValue at install time
Resolves 522179
2009-09-09 22:05:24 -04:00
Martin Nagy
b519b87ea4 Add forgotten chunks from commit 4e5a68397a
I accidentally pushed the older patch that didn't contain bits for
ipa-replica-install.
2009-09-08 22:48:34 +02:00
Jason Gerard DeRose
391b1f2b88 Fixed dns_forwarders not being defined when options.setup_dns is False 2009-09-08 13:09:05 +02:00
Martin Nagy
205a41205b Add A and PTR records of ourselves during installation
If the DNS zones already exist but don't contain our own records, add
them. This patch introduces the ipalib.api into the installers. For now,
the code is still little messy. Later patches will abandon the way we
create zones now and use ipalib.api exclusively.
2009-09-02 22:04:25 +02:00
Martin Nagy
b07d1b54f9 Remove old --setup-bind option
Since we are changing the behaviour of the --setup-dns option
substantially, we might as well remove the old --setup-bind option.
2009-09-02 22:04:25 +02:00
Martin Nagy
fbda06269d Setup bind only after restarting kdc and dirsrv
BIND starting before we apply LDAP updates and restart kdc and directory
server causes trouble. We resolve this for now by postponing BIND setup
to the end of installation. Another reason is that we will be using
xml-rpc during the setup in the future.
2009-09-02 22:04:25 +02:00
Martin Nagy
4e5a68397a Use DNS forwarders in /etc/named.conf
This patch adds options --forwarder and --no-forwarders. At least one of
them must be used if you are doing a setup with DNS server. They are
also mutually exclusive. The --forwarder option can be used more than
once to specify more servers. If the installer runs in interactive mode,
it will prompt the user if none of these option was given at the command
line.
2009-09-02 19:09:28 +02:00
Rob Crittenden
aafdb755a3 Install the ldapi ldif file 2009-08-28 08:46:54 -04:00
Rob Crittenden
559c76f761 Add option to the installer for uid/gid starting numbers.
This also adds a new option to the template system. If you include
eval(string) in a file that goes through the templater then the
string in the eval will be evaluated by the Python interpreter. This is
used so one can do $UIDSTART+1. If any errors occur during the evaluation
the original string is is returned, eval() and all so it is up to the
developer to make sure the evaluation passes.

The default value for uid and gid is now a random value between
1,000,000 and (2^31 - 1,000,000)
2009-08-27 14:15:26 -04:00
Rob Crittenden
cab5525076 Enable ldapi connections in the management framework.
If you don't want to use ldapi then you can remove the ldap_uri setting
in /etc/ipa/default.conf. The default for the framework is to use
ldap://localhost:389/
2009-08-27 13:36:58 -04:00
Rob Crittenden
08fc563212 Generate CRLs and make them available from the IPA web server 2009-08-26 09:51:19 -04:00
Rob Crittenden
c781e8a57d Add a new objectclass, ipaObject, that will add a UUID to many IPA objects
ipaObject is defined as an auxiliary objectclass so it is up to the
plugin author to ensure that the objectclass is included an a UUID generated.
ipaUniqueId is a MUST attribute so if you include the objectclass you must
ensure that the uuid is generated.

This also fixes up some unrelated unit test failures.
2009-08-10 16:38:42 -06:00
Rob Crittenden
dbeb409ebd Include schema for key escrow management
https://fedoraproject.org/wiki/Disk_encryption_key_escrow_in_IPA
2009-08-10 16:38:18 -06:00
Martin Nagy
de53d0a26e Make --setup-dns work on replica installation
The ipa-replica-install script will setup the DNS if user specifies the
--setup-dns option. It will only add the zone into LDAP if the
cn=dns,$SUFFIX container doesn't exist. For now, however, we do not add
the records.
2009-07-22 18:02:22 +02:00
Martin Nagy
a09d2c3498 Add a reverse zone with server's PTR record
Also, small cosmetic change in dns.ldif.
2009-07-22 18:02:22 +02:00
Martin Nagy
296ffe6c61 Add --setup-dns option. It will replace --setup-bind 2009-07-22 18:02:22 +02:00
Rob Crittenden
8d164569d0 Allow replicas of an IPA server using an internal dogtag server as the CA
This involves creating a new CA instance on the replica and using pkisilent
to create a clone of the master CA.

Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of
changes to ports and configuration have been done recently.
2009-07-15 09:00:01 -04:00
Martin Nagy
017f236d6a Use uppercase boolean values in dns.ldif
The newest 389 server implements syntax checking and causes problems if
the boolean attribute is set to "True". The correct value should be
"TRUE".
2009-07-15 07:34:28 +02:00
Rob Crittenden
c21e003cdf Let anonymous users browse the VLV index
This is needed for automount support on Solaris

http://docs.sun.com/app/docs/doc/819-5201/6n7a588i7?l=en&a=view
2009-07-10 16:45:45 -04:00
Rob Crittenden
e31d5fb1cf Implement support for non-LDAP-based actions that use the LDAP ACI subsystem.
There are some operations, like those for the certificate system, that
don't need to write to the directory server. So instead we have an entry
that we test against to determine whether the operation is allowed or not.

This is done by attempting a write on the entry. If it would succeed then
permission is granted. If not then denied. The write we attempt is actually
invalid so the write itself will fail but the attempt will fail first if
access is not permitted, so we can distinguish between the two without
polluting the entry.
2009-07-10 16:41:05 -04:00
Martin Nagy
5149803873 Configure BIND LDAP driver to use SASL authentication
We use /etc/named.keytab generated by ipa-server-install to authenticate
against the LDAP server. Also tidy up /etc/named.conf since we're there.
2009-07-10 09:55:29 -04:00
Simo Sorce
9fe707a3f2 Basic changes to get a default principal for DNS
Also moves delagation layout installation in dsinstance.
This is needed to allow us to set default membership in
other modules like bindinstance.

Signed-off-by: Martin Nagy <mnagy@redhat.com>
2009-07-10 09:42:22 -04:00
Pavel Zuna
94181d54fe Make object classes of automatically created entries lowercase.
This makes them more consistent with entries created by plugins.
It's a cosmetic thing, not that useful.
2009-07-10 08:58:44 -04:00
Martin Nagy
8345e8e1f1 Use root.$HOST.$DOMAIN. instead of root.$DOMAIN. 2009-06-02 12:32:06 +02:00
Martin Nagy
1bc786e379 Use LDAP instead of flat file for zone storage 2009-06-02 12:32:01 +02:00
Martin Nagy
1893a802c7 Change DNS LDAP attributes
Removes two unneeded attributes and adds one attribute for specifying
DNS update policy. Additionally, use different namespace for them: 5.x
for attribute types and 6.x for object classes.
2009-06-02 12:30:59 +02:00
Rob Crittenden
e396cc26bf Add memberOf as a MAY to ipaHost
499731
2009-05-26 14:26:49 -04:00
Rob Crittenden
7da22cf8c7 Enable the portmap or rpcbind service if the NIS service is enabled 2009-05-21 14:51:04 -06:00