In case an ID override was created for an Active Directory user in the
default trust view, allow mapping the incoming GSSAPI authenticated
connection to the ID override for this user.
This allows to self-manage ID override parameters from the CLI, for
example, SSH public keys or certificates. Admins can define what can be
changed by the users via self-service permissions.
Part of https://fedorahosted.org/freeipa/ticket/2149
Part of https://fedorahosted.org/freeipa/ticket/3242
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
MS-ADTS spec requires that TrustPartner field should be equal to the
commonName (cn) of the trust. We used it a bit wrongly to express
trust relationship between parent and child domains. In fact, we
have parent-child relationship recorded in the DN (child domains
are part of the parent domain's container).
Remove the argument that was never used externally but only supplied by
trust-specific code inside the IPA framework.
Part of https://fedorahosted.org/freeipa/ticket/5354
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
MS-ADTS spec requires that TrustPartner field should be equal to the
commonName (cn) of the trust. We used it a bit wrongly to express
trust relationship between parent and child domains. In fact, we
have parent-child relationship recorded in the DN (child domains
are part of the parent domain's container).
Remove the argument that was never used externally but only supplied by
trust-specific code inside the IPA framework.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
External trust is a trust that can be created between Active Directory
domains that are in different forests or between an Active Directory
domain. Since FreeIPA does not support non-Kerberos means of
communication, external trust to Windows NT 4.0 or earlier domains is
not supported.
The external trust is not transitive and can be established to any
domain in another forest. This means no access beyond the external
domain is possible via the trust link.
Resolves: https://fedorahosted.org/freeipa/ticket/5743
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
We cannot use set() with RRSet objects, because RRSet object is not
hashable. A set was replaced by list.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Petr Spacek <pspacek@redhat.com>
When reading the content of an invalid LDAP entry, the exception
only displays the attribute name and value, but not the DN of the entry.
Because of this, it is difficult to identify the root cause of the
problem.
The fix raises a ValueError exception which also contains the entry DN.
https://fedorahosted.org/freeipa/ticket/5434
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The new attribute of the adapter contains the name of record which will be
extracted from API call result.
Part of: https://fedorahosted.org/freeipa/ticket/5905
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
There was a problem with finding correct DNS zone. It found a first substring match.
Therefore when there was location 0.10.10.in-addr.arpa. and 110.10.10.in-addr.arpa
the location for IP address 10.10.110.1 was the first one, which is incorrect. Now
it finds the second one, because it finds the longest match.
https://fedorahosted.org/freeipa/ticket/5796
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Since ipalib.plugins was split into ipaserver.plugins and
ipaclient.plugins, require python-ipaserver and/or python-ipaclient instead
of python-ipalib where appropriate.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Use the existing remote server API to create service entries instead of a
client API.
This fixes a crash during replica promotion due to unavailable schema.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Request specific params when getting the defaults instead of getting
defaults for all params and filtering the result.
This fixes command_defaults failing with validation errors on unrequested
params.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Due to limitations in Dogtag's use of NSSDB, importing private keys
must be done by the Dogtag Java process itself. This requires a
PKIArchiveOptions format (signing key wrapped with host CA key) -
PKCS #12 cannot be used because that would require decrypting the
key in Dogtag's memory, albeit temporarily.
Add a new custodia store that executes a 'pki' command to acquire
the wrapped key.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add Dogtag ACLs that authorise the CA Agent certificate to manage
lightweight CAs.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add the ipa-pki-retrieve-key helper program and configure
lightweight CA key replication on installation and upgrade. The
specific configuration steps are:
- Add the 'dogtag/$HOSTNAME' service principal
- Create the pricipal's Custodia keys
- Retrieve the principal's keytab
- Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever
to invoke ipa-pki-retrieve-key for key retrieval
Also bump the minimum version of Dogtag to 10.3.2.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Lightweight CAs support introduces new service principals for
Dogtag, with Custodia keys. The current Custodia key creation uses
a DN that contains only they key type and the hostname, so keys for
multiple services on the same host cannot be created.
Add the 'generate_keys' method to generate keys for a host or an
arbitrary service. When a service name is given, add the key
entries in a nested container with RDN 'cn=<service name>'. (The
container is assumed to exist).
This change does not affect searching because subtree search is
used, filtering on the ipaKeyUsage and memberPrincipal attributes.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The "dogtag/$HOSTNAME@$REALM" service principal uses Custodia to
retrieve lightweight CA signing keys, and therefore needs search and
read access to Custodia keys. Add an ACI to permit this.
Also add ACIs to allow host principals to manage Dogtag custodia
keys for the same host.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When IPA client is using Python 3, there is no str.decode() method
anymore.
ipa: ERROR: AttributeError: 'str' object has no attribute 'decode'
Traceback (most recent call last):
File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1345, in run
sys.exit(api.Backend.cli.run(argv))
File "/usr/lib/python3.5/site-packages/ipalib/cli.py", line 1110, in run
rv = cmd.output_for_cli(self.api.Backend.textui, result, *args, **options)
File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 103, in output_for_cli
qr = self._get_qrcode(output, uri, options['version'])
File "/usr/lib/python3.5/site-packages/ipaclient/plugins/otptoken.py", line 61, in _get_qrcode
qr_code = qr_output.getvalue().decode(encoding)
AttributeError: 'str' object has no attribute 'decode' ipa: ERROR: an internal error has occurred
Fixes https://fedorahosted.org/freeipa/ticket/5938
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The certmonger renewal helper needs to load server plugins to
operate. Initialise the API with in_server=True.
Fixes: https://fedorahosted.org/freeipa/ticket/5943
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Currently CustodiaClient assumes that the client is the host
principal, and it is hard-coded to read the host keytab and server
keys.
For the Lightweight CAs feature, Dogtag on CA replicas will use
CustodiaClient to retrieve signing keys from the originating
replica. Because this process runs as 'pkiuser', the host keys
cannot be used; instead, each Dogtag replica will have a service
principal to use for Custodia authentication.
Update CustodiaClient to require specifying the client keytab and
Custodia keyfile to use, and change the client argument to be a full
GSS service name (instead of hard-coding host service) to load from
the keytab. Update call sites accordingly.
Also pass the given 'ldap_uri' argument through to IPAKEMKeys
because without it, the client tries to use LDAPI, but may not have
access.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add custom_checkbox_widget on service page. The old aci.attribute_widget
now inherits from the new base class custom_checkboxes_widget and overrides
the populate method.
https://fedorahosted.org/freeipa/ticket/5872
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Generated files or paths that does not contain src files should be
skipped:
* yacctab.py - autogenerated
* lextab.py - autogenerated
* dist/* - doesn't contain usefule src files
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
For instance if /etc/nsswitch.conf contains an incorrect line
sudoers file sss
(Note the missing : after sudoers)
ipa-client-install exits with a SyntaxError traceback but does not state
which line caused the issue.
With the fix, the filename and the line are displayed in the SyntaxError
message.
https://fedorahosted.org/freeipa/ticket/5811
Reviewed-By: Martin Basti <mbasti@redhat.com>
The command for requesting certificate for hosts and services is extended.
There is added how to add DNS name as subjectAltName.
https://fedorahosted.org/freeipa/ticket/5645
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
When adding certifiates to a host or service entry, we currently
check that the issuer matches the issuer DN of the IPA CA. Now that
sub-CAs have been implemented, this check is no longer valid and
will cause false negatives. Remove it and update call sites.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The include of /etc/krb5.conf.d/ is required for crypto-policies to work properly
https://fedorahosted.org/freeipa/ticket/5912
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
To be consistent with CLI the restoring certificate is renamed to
removing certificate hold in all WebUI components.
https://fedorahosted.org/freeipa/ticket/5878
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Locations should be removed from server by using server-mod during
location-del (future patches will handle DNS records in server-mod)
Referint plugin is configured to remove references of deleted locations.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
location-show returns list of servers curently assigned to the location
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Server find, server show, server mod should work with IPA locations.
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Locations use DNSNameParam as pkey_value, but implementation of searches
for members was able to use only Str param. This commit allows to use
other param classes for search.
Required for: https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
DNS privileges are important for handling DNS locations which can be
created without DNS servers in IPA topology. We will also need this
privileges presented for future feature 'External DNS support'
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Previously, an offline replica would mean the RUVs cannot
be removed otherwise the task would be hanging in the DS.
This is fixed in 389-ds 1.3.5.
https://fedorahosted.org/freeipa/ticket/5396
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com>
