Every CA certificate must have non-empty subject and basic constraints
extension with the CA flag set.
https://fedorahosted.org/freeipa/ticket/4477
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Added new --*-cert-name options to ipa-server-install and ipa-replica-prepare
and --cert-name option to ipa-server-certinstall. The options allows choosing
a particular certificate and private key from PKCS#12 files by its friendly
name.
https://fedorahosted.org/freeipa/ticket/4489
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The --*_pkcs12 options of ipa-server-install and ipa-replica-prepare have
been replaced by --*-cert-file options which accept multiple files.
ipa-server-certinstall now accepts multiple files as well. The files are
accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and
raw private key and PKCS#12 formats.
The --root-ca-file option of ipa-server-install has been replaced by
--ca-cert-file option which accepts multiple files. The files are
accepted in PEM and DER certificate and PKCS#7 certificate chain formats.
The --*_pin options of ipa-server-install and ipa-replica-prepare have been
renamed to --*-pin.
https://fedorahosted.org/freeipa/ticket/4489
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The --external_cert_file and --external_ca_file options of ipa-server-install
and ipa-ca-install have been replaced by --external-cert-file option which
accepts multiple files. The files are accepted in PEM and DER certificate and
PKCS#7 certificate chain formats.
https://fedorahosted.org/freeipa/ticket/4480
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This is especially useful for external CA install, as the algorithm is also
used for the CSR signature.
https://fedorahosted.org/freeipa/ticket/4447
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Find, verify and configure all IP addresses that can be used to reach the server
FreeIPA is being installed on. Ignore some IP address only if user specifies
subset of detected addresses using --ip-address option.
This change simplyfies FreeIPA installation on multihomed and dual-stacked servers.
https://fedorahosted.org/freeipa/ticket/3575
Reviewed-By: Martin Basti <mbasti@redhat.com>
Required to prevent code duplications
ipaldap.IPAdmin now has method do_bind, which tries several bind methods
ipaldap.IPAClient now has method object_exists(dn)
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Create a platform task for setting SELinux booleans.
Use an exception for the case when the booleans could not be set
(since this is an error if not handled).
Since ipaplatform should not depend on ipalib, create a new
errors module in ipapython for SetseboolError.
Handle uninstallation with the same task, which means
the booleans are now restored with a single call to
setsebool.
Preparation for: https://fedorahosted.org/freeipa/ticket/4157
Fixes: https://fedorahosted.org/freeipa/ticket/2934
Fixes: https://fedorahosted.org/freeipa/ticket/2519
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
All ipa-dns capable server is added to root zones as nameserver
During uninstall all NS records pointing to particular replica are
removed.
Part of ticket: https://fedorahosted.org/freeipa/ticket/4149
Reviewed-By: Petr Spacek <pspacek@redhat.com>
It takes some time after the DNS record is added until it propagates
to Bind. In automated installations, it might happen that
replica-install is attempted before the hostname is resolvable;
in that case the connection check would fail.
Wait for the name to be resolvable at the end of replica-prepare.
Mention that this can be interrupted (Ctrl+C).
Provide an option to skip the wait.
In case DNS is not managed by IPA, this reminds the admin of the necessary
configuration and checks their work, but it's possible to skip (either by
interrupting it interactively, or by the option).
https://fedorahosted.org/freeipa/ticket/4551
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Allow running some installation after failure,
and use this for the upgradeinstance cleanup steps.
https://fedorahosted.org/freeipa/ticket/4499
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Required bugfix in python-ldap 2.4.15
Updates must respect SUP objectclasses/attributes and update
dependencies first
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The /etc/passwd and /etc/group files are not saved and restored.
The DS user is always created on restore, and the PKI user is created
if a CA is being restored.
https://fedorahosted.org/freeipa/ticket/3866
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Make a proper list from the comma-separated string found in
the config.
The only current use of backup_services is in run:
if 'CA' in self.backup_services:
Without this change, this picked up the 'CA' from 'MEMCACHE'.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Sytem users and their groups are always created together.
Also, users & groups should never be removed once they exist
on the system (see comit a5a55ce).
Use a single function for generic user creation, and specific
funtions in dsinstance and cainstance.
Remove code left over from when we used to delete the DS user.
Preparation for: https://fedorahosted.org/freeipa/ticket/3866
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The underlying Dogtag issue (Dogtag ticket 1113) has been fixed.
We can therefore re-enable the uninstall option for ipa-kra-install.
Also, fixes an incorrect path in the ipa-pki-proxy.conf, and adds
a debug statement to provide status to the user when an uninstall
is done. Also, re-added the no_host_dns option which is used when
unpacking a replica file.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
use configuration parameters to enable ciphers provided by NSS
and not considered weak.
This requires 389-ds version 1.3.3.2 or later
https://fedorahosted.org/freeipa/ticket/4395
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
We don't want to copy the extension from master to replica because the
replica may use newer version of FreeIPA and therefore the extension
code might be obsolete. Same reason for upgrades.
https://fedorahosted.org/freeipa/ticket/4478
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Remove internaldb password from password.conf after switching over to
client certificate authentication. The password is no longer needed.
https://fedorahosted.org/freeipa/ticket/4005
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The CA cert specified by --root-ca-file option must always be the CA cert of
the CA which issued the server certificates in the PKCS#12 files. As the cert
is not actually user selectable, use CA cert from the PKCS#12 files by default
if it is present.
Document --root-ca-file in ipa-server-install man page.
https://fedorahosted.org/freeipa/ticket/4457
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be more stable and supported way of using cermonger than
tampering with its files.
>=certmonger-0.75.13 is needed for this to work.
https://fedorahosted.org/freeipa/ticket/4280
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This is to avoid chicken-egg problem when directory server fails to start
without resolvable hostname and named fails to provide hostname without
directory server.
https://fedorahosted.org/freeipa/ticket/4220
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Certain operations against AD domain controller can only be done if its
FSMO role is primary domain controller. We need to use writable DC and
PDC when creating trust and updating name suffix routing information.
https://fedorahosted.org/freeipa/ticket/4479
Reviewed-By: Sumit Bose <sbose@redhat.com>
This patch adds the capability of installing a Dogtag KRA
to an IPA instance. With this patch, a KRA is NOT configured
by default when ipa-server-install is run. Rather, the command
ipa-kra-install must be executed on an instance on which a Dogtag
CA has already been configured.
The KRA shares the same tomcat instance and DS instance as the
Dogtag CA. Moreover, the same admin user/agent (and agent cert) can
be used for both subsystems. Certmonger is also confgured to
monitor the new subsystem certificates.
To create a clone KRA, simply execute ipa-kra-install <replica_file>
on a replica on which a Dogtag CA has already been replicated.
ipa-kra-install will use the security domain to detect whether the
system being installed is a replica, and will error out if a needed
replica file is not provided.
The install scripts have been refactored somewhat to minimize
duplication of code. A new base class dogtagintance.py has
been introduced containing code that is common to KRA and CA
installs. This will become very useful when we add more PKI
subsystems.
The KRA will install its database as a subtree of o=ipaca,
specifically o=ipakra,o=ipaca. This means that replication
agreements created to replicate CA data will also replicate KRA
data. No new replication agreements are required.
Added dogtag plugin for KRA. This is an initial commit providing
the basic vault functionality needed for vault. This plugin will
likely be modified as we create the code to call some of these
functions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3872
The uninstallation option in ipa-kra-install is temporarily disabled.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
When a CIFS service exists and adtrust agents group does not
have it as a member attribute (for whatever reason), re-running
ipa-adtrust-install does not fix the inconsistency.
Make the installer more robust by being able to fix the inconsistency.
https://fedorahosted.org/freeipa/ticket/4464
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fortunately this cause no error, because dnszone-find doesnt raise
exception if there is no DNS container
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Record that pkicreate/pkispawn has been executed to allow cleanup even if the
installation did not finish correctly.
https://fedorahosted.org/freeipa/ticket/2796
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The preexisting code would execute two steps. First, it would perform a kinit.
If the kinit failed, it would attempt to bind using the same credentials to
determine if the password were expired. While this method is fairly ugly, it
mostly worked in the past.
However, with OTP this breaks. This is because the OTP code is consumed by
the kinit step. But because the password is expired, the kinit step fails.
When the bind is executed, the OTP token is already consumed, so bind fails.
This causes all password expirations to be reported as invalid credentials.
After discussion with MIT, the best way to handle this case with the standard
tools is to set LC_ALL=C and check the output from the command. This
eliminates the bind step altogether. The end result is that OTP works and
all password failures are more performant.
https://fedorahosted.org/freeipa/ticket/4412
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Calling an ipa *-find command with --sizelimit=1 on an entry with more
members would result in a LimitsExceeded error as the search for members
was limited to 1 entry.
For the memberof searches, only apply the global limit if it's larger than
the requested one, so decreasing limits on the individual query only
affects the query itself.
https://fedorahosted.org/freeipa/ticket/4398
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When nsslapd-minssf is greater than 0, running as root
ipa-ldap-updater [-l]
will fail even if we force use of autobind for root over LDAPI.
The reason for this is that schema updater doesn't get ldapi flag passed and
attempts to connect to LDAP port instead and for hardened configurations
using simple bind over LDAP is not enough.
Additionally, report properly previously unhandled LDAP exceptions.
https://fedorahosted.org/freeipa/ticket/3468
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Non string values should not start and end with '"' in options section
in named.conf
Required by ticket: https://fedorahosted.org/freeipa/ticket/4408
Reviewed-By: Petr Spacek <pspacek@redhat.com>
On systems installed before #3394 was fixed and nsDS5ReplicaId became
single-valued, there are two replica ID values stored in cn=replication:
the default (3) and the actual value we want.
Instead of failing when multiple values are found, use the largest one.
https://fedorahosted.org/freeipa/ticket/4375
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Class PreSchemaUpdate is executed before ldap schema update
This is required by ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This HTTP call takes the following parameters:
* user
* password
* first_code
* second_code
* token (optional)
Using this information, the server will perform token synchronization.
If the token is not specified, all tokens will be searched for synchronization.
Otherwise, only the token specified will be searched.
https://fedorahosted.org/freeipa/ticket/4218
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
login_password did not work properly in timezones other than +0h because
local time was compared with utc time.
Bug introduced in:
https://fedorahosted.org/freeipa/ticket/4339
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
This patch adds support for importing tokens using RFC 6030 key container
files. This includes decryption support. For sysadmin sanity, any tokens
which fail to add will be written to the output file for examination. The
main use case here is where a small subset of a large set of tokens fails
to validate or add. Using the output file, the sysadmin can attempt to
recover these specific tokens.
This code is implemented as a server-side script. However, it doesn't
actually need to run on the server. This was done because importing is an
odd fit for the IPA command framework:
1. We need to write an output file.
2. The operation may be long-running (thousands of tokens).
3. Only admins need to perform this task and it only happens infrequently.
https://fedorahosted.org/freeipa/ticket/4261
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For groups, we will need to filter on either posixgroup (which UPGs
have but non-posix groups don't) and groupofnames/nestedgroup
(which normal groups have but UPGs don't).
Join permission_filter_objectclasses with `|` and add them as
a single ipapermtargetfilter value.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This plugin created permissions that the managed permission
updater would remove right away.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The "Read DNS Entries" permission, which was marked SYSTEM (no associated
ACI), can now be converted to a regular managed permission.
Add a mechanism for the updater to replace old SYSTEM permissions.
This cannot be done in an update file because we do not want to replace
V2 permissions with the same name.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This reduces typing (or copy/pasting), and draws a bit of attention
to any non-default privileges (currently 'any' or 'anonymous').
Leaving the bindtype out by mistake isn't dangerous: by default
a permission is not granted to anyone, since it is not included in
any priviliges.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This handles the case where IPA's default ACIs changed in something else
than just attribute lists.
In this case we can narrow the set of ACIs we think the user might be
upgrading from.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346
Reviewed-By: Martin Kosek <mkosek@redhat.com>
* Modified functions to use DNSName type
* Removed unused functions
Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The UPG Definition is always present in IPA; if it can not be read
it's usually caused by insufficient privileges.
Previously the code assumed the absence of the entry meant that
UPG is disabled. With granular read permissions, this would mean
that users that can add users but can't read UPG Definition would
add users without UPG, and the reason for that would not be very clear.
It is better to fail early if the definition can't be read.
Raise an error if the UPG Definition is not available. This makes
read access to it a prerequisite for adding users.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Since systemd has by default a 2 minute timeout to start
a service, the end of ipa-server-install might fail
because starting named times out. This patch ensures that
generate-rndc-key.sh runs before named service restart.
Also, warning message is displayed before KDC install and
generate-rndc-key.sh, if there is a lack of entropy, to
notify the user that the process could take more time
than expected.
Modifications done by Martin Kosek:
- removed whitespace at the end of installutils.py
- the warning in krbinstance.py moved right before the step
requiring entropy
- slightly reworded the warning message
https://fedorahosted.org/freeipa/ticket/4210
Reviewed-By: Martin Kosek <mkosek@redhat.com>
krbpasswordexpiration conversion to time failed because now we get
datetime object instead of string.
https://fedorahosted.org/freeipa/ticket/4339
Reviewed-By: Tomas Babej <tbabej@redhat.com>
dap2.find_entries modified the passed in attrs_list to remove
the virtual attributes memberindirect and memberofindirect
before passing the list to LDAP. This means that a call like
ldap2.get_entry(dn, attrs_list=some_framework_object.default_attributes)
would permanently remove the virtual attributes from
some_framework_object's definition.
Create a copy of the list instead.
https://fedorahosted.org/freeipa/ticket/4349
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Also remove
- the deny ACIs that implemented exceptions to it:
- no anonymous access to roles
- no anonymous access to member information
- no anonymous access to hbac
- no anonymous access to sudo (2×)
- its updater plugin
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When upgrading from an "old" IPA, or installing the first "new" replica,
we need to keep allowing anonymous access to many user attributes.
Add an optional 'fixup_function' to the managed permission templates,
and use it to set the bind rule type to 'anonymous' when installing
(or upgrading to) the first "new" master.
This assumes that the anonymous read ACI will be removed in a "new" IPA.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
It turns out the ACI object of the anonymous read ACI, rather than just the
list of its attributes, will be useful in the future.
Change the plugin so that the ACI object is passed around.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.
https://fedorahosted.org/freeipa/ticket/3829
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Fixes trust add, since now datetime object is returned
for 'modifytimestamp', which cannot be split like a string.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add support for managed permissions that are not tied to an object
class and thus can't be defined in an Object plugin.
A dict is added to hold templates for the non-plugin permissions.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
One of the default_attributes of permission is memberofindirect,
a virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an entry with memberofindirect,
ipaldap tries to add the attribute to LDAP and fails with an objectclass
violation.
Do not ask for memberindirect when retrieving the entry.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This also fixes updates from ancient versions of IPA which did not have
automatic CA subsystem certificate renewal.
https://fedorahosted.org/freeipa/ticket/4294
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Allow overriding ipapermtarget, ipapermtargetfilter, ipapermlocation,
objectclass of default managed permissions.
This allows defining permissions that are not tied to an object type.
Default values are same as before.
Also, do not reset ipapermbindruletype when updating an existing
managed permission.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
On CA masters, a certificate is requested and stored to LDAP. On CA clones,
the certificate is retrieved from LDAP.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Before, dogtag-ipa-renew-agent was used to track the certificates and the
certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since
dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code
was removed from renew_ca_cert and renew_ra_cert.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Before, the file provided in the --root-ca-file option was used directly for
the upload. However, it is the same file which is imported to the NSS
database, so the second code path is not necessary.
Also removed now unused upload_ca_dercert method of dsinstance.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Use basic math rather than timezone conversion to get
minutes and seconds.
Break out the message generation into a small tested function.
https://fedorahosted.org/freeipa/ticket/4242
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Trusted domain SID could be obtained through different means. When it is
fetched from the AD DC via LDAP, it needs to be extracted from a default
context and explicitly converted to unicode.
https://fedorahosted.org/freeipa/ticket/4246
Reviewed-By: Martin Kosek <mkosek@redhat.com>
OTP requires to use kerberos FAST channel. Ccache with ticket obtained using ipa.keytab is used as an armor.
https://fedorahosted.org/freeipa/ticket/3369
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
When creating replica from a Dogtag 9 based IPA server, the port 7389
which is required for the installation is never checked by
ipa-replica-conncheck even though it knows that it is being installed
from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by
firewall, installation would stuck with no hint to user.
Make sure that the port configuration parsed from replica info file
is used consistently in the installers.
https://fedorahosted.org/freeipa/ticket/4240
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
We attempt to delete the trust that might exist already. If there are not enough
privileges to do so, we wouldn't be able to create trust at the next step and it will fail.
However, failure to create trust will be due to the name collision as we already had
the trust with the same name before. Thus, raise access denied exception here
to properly indicate wrong access level instead of returning NT_STATUS_OBJECT_NAME_COLLISION.
https://fedorahosted.org/freeipa/ticket/4202
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Remove a reference to the old deprecated LDAP API invoked by
the usage of trust_add method.
https://fedorahosted.org/freeipa/ticket/4204
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Bind instance is configured using a short-circuited way when replica is set up.
Make sure required properties are in place for that.
https://fedorahosted.org/freeipa/ticket/4186
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This plugin prevents the deletion or deactivation of the last
valid token for a user. This prevents the user from migrating
back to single factor authentication once OTP has been enabled.
Thanks to Mark Reynolds for helping me with this patch.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The logging level for these messages was decreaed so that they
do not show up in ipa-advise output.
Reset the log level to INFO and configure ipa-advise to not display
INFO messages from xmlclient by default.
Partially reverts commit efe5a96725https://fedorahosted.org/freeipa/ticket/4135
Reviewed-By: Tomáš Babej <tbabej@redhat.com>
The two classes had very similar __call__ methods, but the JSON
server lacked error handling.
Create a common class for the __call__ method.
https://fedorahosted.org/freeipa/ticket/4069
Use "kdestroy -A" command to destroy all CCACHEs, both the primary
and the non-primary ones to make sure that the non-primary ones are
not used later.
https://fedorahosted.org/freeipa/ticket/4084
Stock httpd no longer uses systemd EnvironmentFile option which is
making FreeIPA's KRB5CCNAME setting ineffective. This can lead in hard
to debug problems during subsequent ipa-server-install's where HTTP
may use a stale CCACHE in the default kernel keyring CCACHE.
Avoid forcing custom CCACHE and switch to system one, just make sure
that it is properly cleaned by kdestroy run as "apache" user during
FreeIPA server installation process.
https://fedorahosted.org/freeipa/ticket/4084
Enable Retro Changelog and Content Synchronization DS plugins which are required
for SyncRepl support.
Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+.
https://fedorahosted.org/freeipa/ticket/3967
Fix both the service restart procedure and registration of old
pki-cad well known service name.
This patch was adapted from original patch of Jan Cholasta 178 to
fix ticket 4092.
https://fedorahosted.org/freeipa/ticket/4092
When AD administrator credentials passed, they stored in realm_passwd,
not realm_password in the options.
When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure
to normalize them.
Additionally, force Samba auth module to use NTLMSSP in case we have
credentials because at the point when trust is established, KDC is not
yet ready to issue tickets to a service in the other realm due to
MS-PAC information caching effects. The logic is a bit fuzzy because
credentials code makes decisions on what to use based on the smb.conf
parameters and Python bindings to set parameters to smb.conf make it so
that auth module believes these parameters were overidden by the user
through the command line and ignore some of options. We have to do calls
in the right order to force NTLMSSP use instead of Kerberos.
Fixes https://fedorahosted.org/freeipa/ticket/4046
Add the server class name, such as [xmlserver] or [jsonserver_kerb] to
the server logs. This will allow easier debugging of problems specific
to a protocol or server class.
Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC.
This is done by subclassing and extending xmlrpclib, because
our existing code relies on xmlrpclib internals.
The URI to use is given in the new jsonrpc_uri env variable. When
it is not given, it is generated from xmlrpc_uri by replacing
/xml with /json.
The rpc_json_uri env variable existed before, but was unused,
undocumented and not set the install scripts.
This patch removes it in favor of jsonrpc_uri (for consistency
with xmlrpc_uri).
Add the rpc_protocol env variable to control the protocol
IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed
to 'xmlrpc'.
Make backend.Executioner and tests use the backend specified by
rpc_protocol.
For compatibility with unwrap_xml, decoding JSON now gives tuples
instead of lists.
Design: http://freeipa.org/page/V3/JSON-RPC
Ticket: https://fedorahosted.org/freeipa/ticket/3299
The new updater is run as part of `ipa-ldap-updater --upgrade`
and `ipa-ldap-updater --schema` (--schema is a new option).
The --schema-file option to ipa-ldap-updater may be used (multiple
times) to select a non-default set of schema files to update against.
The updater adds an X-ORIGIN tag with the current IPA version to
all elements it adds or modifies.
https://fedorahosted.org/freeipa/ticket/3454
When we get NT_STATUS_INVALID_PARAMETER in response to establish
DCE RPC pipe with Kerberos, the most likely reason is clock skew.
Suggest that it is so in the error message.
https://fedorahosted.org/freeipa/ticket/4024
Server installer does not properly recognize a situation when server
fqdn is not in a subdomain of the IPA domain, but shares the same
suffix.
For example, if server FQDN is ipa-idm.example.com and domain
is idm.example.com, server's FQDN is not in the main domain, but
installer does not recognize that. proper Kerberos realm-domain
mapping is not created in this case and server does not work
(httpd reports gssapi errors).
https://fedorahosted.org/freeipa/ticket/4012
