Add the ipa-pki-retrieve-key helper program and configure
lightweight CA key replication on installation and upgrade. The
specific configuration steps are:
- Add the 'dogtag/$HOSTNAME' service principal
- Create the pricipal's Custodia keys
- Retrieve the principal's keytab
- Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever
to invoke ipa-pki-retrieve-key for key retrieval
Also bump the minimum version of Dogtag to 10.3.2.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Lightweight CAs support introduces new service principals for
Dogtag, with Custodia keys. The current Custodia key creation uses
a DN that contains only they key type and the hostname, so keys for
multiple services on the same host cannot be created.
Add the 'generate_keys' method to generate keys for a host or an
arbitrary service. When a service name is given, add the key
entries in a nested container with RDN 'cn=<service name>'. (The
container is assumed to exist).
This change does not affect searching because subtree search is
used, filtering on the ipaKeyUsage and memberPrincipal attributes.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The "dogtag/$HOSTNAME@$REALM" service principal uses Custodia to
retrieve lightweight CA signing keys, and therefore needs search and
read access to Custodia keys. Add an ACI to permit this.
Also add ACIs to allow host principals to manage Dogtag custodia
keys for the same host.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When IPA client is using Python 3, there is no str.decode() method
anymore.
ipa: ERROR: AttributeError: 'str' object has no attribute 'decode'
Traceback (most recent call last):
File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1345, in run
sys.exit(api.Backend.cli.run(argv))
File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1110, in run
rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 103, in output_for_cli
qr = self._get_qrcode(output, uri, options['version'])
File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 61, in _get_qrcode
qr_code = qr_output.getvalue().decode(encoding)
AttributeError: 'str' object has no attribute 'decode' ipa: ERROR: an internal error has occurred
Fixes https://fedorahosted.org/freeipa/ticket/5938
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The certmonger renewal helper needs to load server plugins to
operate. Initialise the API with in_server=True.
Fixes: https://fedorahosted.org/freeipa/ticket/5943
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Currently CustodiaClient assumes that the client is the host
principal, and it is hard-coded to read the host keytab and server
keys.
For the Lightweight CAs feature, Dogtag on CA replicas will use
CustodiaClient to retrieve signing keys from the originating
replica. Because this process runs as 'pkiuser', the host keys
cannot be used; instead, each Dogtag replica will have a service
principal to use for Custodia authentication.
Update CustodiaClient to require specifying the client keytab and
Custodia keyfile to use, and change the client argument to be a full
GSS service name (instead of hard-coding host service) to load from
the keytab. Update call sites accordingly.
Also pass the given 'ldap_uri' argument through to IPAKEMKeys
because without it, the client tries to use LDAPI, but may not have
access.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add custom_checkbox_widget on service page. The old aci.attribute_widget
now inherits from the new base class custom_checkboxes_widget and overrides
the populate method.
https://fedorahosted.org/freeipa/ticket/5872
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Generated files or paths that does not contain src files should be
skipped:
* yacctab.py - autogenerated
* lextab.py - autogenerated
* dist/* - doesn't contain usefule src files
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
For instance if /etc/nsswitch.conf contains an incorrect line
sudoers file sss
(Note the missing : after sudoers)
ipa-client-install exits with a SyntaxError traceback but does not state
which line caused the issue.
With the fix, the filename and the line are displayed in the SyntaxError
message.
https://fedorahosted.org/freeipa/ticket/5811
Reviewed-By: Martin Basti <mbasti@redhat.com>
The command for requesting certificate for hosts and services is extended.
There is added how to add DNS name as subjectAltName.
https://fedorahosted.org/freeipa/ticket/5645
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
When adding certifiates to a host or service entry, we currently
check that the issuer matches the issuer DN of the IPA CA. Now that
sub-CAs have been implemented, this check is no longer valid and
will cause false negatives. Remove it and update call sites.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The include of /etc/krb5.conf.d/ is required for crypto-policies to work properly
https://fedorahosted.org/freeipa/ticket/5912
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
To be consistent with CLI the restoring certificate is renamed to
removing certificate hold in all WebUI components.
https://fedorahosted.org/freeipa/ticket/5878
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Locations should be removed from server by using server-mod during
location-del (future patches will handle DNS records in server-mod)
Referint plugin is configured to remove references of deleted locations.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
location-show returns list of servers curently assigned to the location
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Server find, server show, server mod should work with IPA locations.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Locations use DNSNameParam as pkey_value, but implementation of searches
for members was able to use only Str param. This commit allows to use
other param classes for search.
Required for: https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
DNS privileges are important for handling DNS locations which can be
created without DNS servers in IPA topology. We will also need this
privileges presented for future feature 'External DNS support'
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Previously, an offline replica would mean the RUVs cannot
be removed otherwise the task would be hanging in the DS.
This is fixed in 389-ds 1.3.5.
https://fedorahosted.org/freeipa/ticket/5396
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com>
Deletion of a replica would fail should there
be no RUVs on the server.
Also removed some dead code in del_master_managed which might
cause premature exit if RuntimeError occurs.
https://fedorahosted.org/freeipa/ticket/5307
Reviewed-By: Martin Basti <mbasti@redhat.com>
Thin client always respects API schema of the server, even when it is newer
that the server. Remove the API minor version check done on the server, as
it is no longer necessary.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.
Remove the now unused ipalib.plugins package.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Dynamically create plugin package for the remote server with modules and
commands based on the API schema when client API is finalizes. For in-tree
API instances, use ipalib.plugins directly.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
File arguments are relevant only on the client, on the server they are the
same as Str. Specify the arguments as Str in ipalib.plugins and override
them with File in ipaclient.plugins.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
This is required for the finalize call to be able connect to the server to
retrieve API schema.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
The validation is already done on the server.
This allows manually forwarding commands unknown to the client but known
to the server.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Speed up JSON-RPC response handling by putting received response data
fragments in a list and joining them at once instead of concatenating
each fragment one by one.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Specify RPC connection options once in API.bootstrap rather than in each
invocation of rpcclient.connect.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Add new `nss_dir` API config option to allow rpcclient to use a non-default
NSS DB for the connection.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
When connecting rpcclient, get the default values of the `verbose`,
`fallback` and `delegate` options from API config rather than hard-code
them.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Add a set of plugins for API schema introspection. This includes:
* a set of commands for command introspection
(`command_find`, `command_show`, `command_defaults`),
* a set of commands for command param introspection
(`param_find`, `param_show`),
* a set of commands for command output introspection
(`output_find`, `output_show`),
* a set of commands for help topic introspection
(`topic_find`, `topic_show`),
* a command to get the full API schema in one call (`schema`).
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Introduce new `deprecated` Param keywork argument. Setting it to True on a
param has the same effect as using DeprecatedParam. This allows deprecating
params while retaining their type information.
Revert all DeprecatedParam params back to their original definition and set
`deprecated` to True.
Remove the now unused DeprecatedParam class.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
When set to true, the argument causes params to not convert unicode values
to the param type.
This will allow thin client to properly handle params which can be
converted from unicode to the param type only on the server, e.g. because
of a normalizer.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Add new Param keyword argument cli_metavar to specify the stand-in for CLI
option arguments in command help text. Uppercase class name is used by
default.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Provide client-side overrides for command plugins which implement any of
the client-side `interactive_prompt_callback`, `forward` or
`output_for_cli` methods and move the methods from the original plugins to
the overrides.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
This adds a new ipaclient.frontend module with two classes, CommandOverride
and MethodOverride, which can be used to implement additional client-side
functionality on top of server-side Command and Method plugins.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
