Commit Graph

1224 Commits

Author SHA1 Message Date
Tomas Babej
00457a9c10 idviews: Fix typo in upgrade handling of the Default Trust View
Fixed missing comma. Also removes leading spaces from the ldif,
since this is not stripped by the updater.

Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-30 11:49:53 +02:00
Tomas Babej
2a230b6cc1 idviews: Create Default Trust View for upgraded servers
For upgraded servers with enabled AD trust support, we want to
ensure that Default Trust View entry is created.

Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
b9425751b4 idviews: Add Default Trust View as part of adtrustinstall
Add a Default Trust View, which is used by SSSD as default mapping for AD users.

Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
6a798f144f trusts: Add conversion from SID to object name
Since SID is often used as a unique identifier for AD objects, we need to convert
a SID to actual object name in the AD.

Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Tomas Babej
16f3786d25 idviews: Add necessary schema for the ID views
Part of: https://fedorahosted.org/freeipa/ticket/3979

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-09-30 10:42:06 +02:00
Jan Cholasta
b1fe42df16 Do not crash in CAInstance.__init__ when default argument values are used
https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-30 10:06:48 +02:00
Jan Cholasta
da24d8a6e7 Fix certmonger search for the CA cert in ipa-certupdate and ipa-cacert-manage
The search criteria did not include the CA agent name.

https://fedorahosted.org/freeipa/ticket/3259

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
86c534df7d Move NSSDatabase from ipaserver.certs to ipapython.certdb
https://fedorahosted.org/freeipa/ticket/4416

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-09-30 10:01:38 +02:00
Jan Cholasta
83cbfa8eae Do stricter validation of CA certificates
Every CA certificate must have non-empty subject and basic constraints
extension with the CA flag set.

https://fedorahosted.org/freeipa/ticket/4477

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
Jan Cholasta
3cde7e9cfd Allow choosing CA-less server certificates by name
Added new --*-cert-name options to ipa-server-install and ipa-replica-prepare
and --cert-name option to ipa-server-certinstall. The options allows choosing
a particular certificate and private key from PKCS#12 files by its friendly
name.

https://fedorahosted.org/freeipa/ticket/4489

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
Jan Cholasta
88083887c9 CA-less installer options usability fixes
The --*_pkcs12 options of ipa-server-install and ipa-replica-prepare have
been replaced by --*-cert-file options which accept multiple files.
ipa-server-certinstall now accepts multiple files as well. The files are
accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and
raw private key and PKCS#12 formats.

The --root-ca-file option of ipa-server-install has been replaced by
--ca-cert-file option which accepts multiple files. The files are
accepted in PEM and DER certificate and PKCS#7 certificate chain formats.

The --*_pin options of ipa-server-install and ipa-replica-prepare have been
renamed to --*-pin.

https://fedorahosted.org/freeipa/ticket/4489

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
Jan Cholasta
3aa0731fc6 External CA installer options usability fixes
The --external_cert_file and --external_ca_file options of ipa-server-install
and ipa-ca-install have been replaced by --external-cert-file option which
accepts multiple files. The files are accepted in PEM and DER certificate and
PKCS#7 certificate chain formats.

https://fedorahosted.org/freeipa/ticket/4480

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
Jan Cholasta
60ecba77cd Add NSSDatabase.import_files method for importing files in various formats
The files are accepted in PEM and DER certificate, PKCS#7 certificate chain,
PKCS#8 and raw private key and PKCS#12 formats.

https://fedorahosted.org/freeipa/ticket/4480
https://fedorahosted.org/freeipa/ticket/4489

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-30 08:50:47 +02:00
Jan Cholasta
f8f3d58688 Allow specifying signing algorithm of the IPA CA cert in ipa-server-install.
This is especially useful for external CA install, as the algorithm is also
used for the CSR signature.

https://fedorahosted.org/freeipa/ticket/4447

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-29 13:40:57 +02:00
David Kupka
947c7398ed Detect and configure all usable IP addresses.
Find, verify and configure all IP addresses that can be used to reach the server
FreeIPA is being installed on. Ignore some IP address only if user specifies
subset of detected addresses using --ip-address option.
This change simplyfies FreeIPA installation on multihomed and dual-stacked servers.

https://fedorahosted.org/freeipa/ticket/3575

Reviewed-By: Martin Basti <mbasti@redhat.com>
2014-09-26 17:54:18 +02:00
Petr Viktorin
f866186239 ipaserver.install.service: Don't show error message on SystemExit(0)
Additional fix for: https://fedorahosted.org/freeipa/ticket/4499

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-26 16:55:54 +02:00
Martin Basti
66ce71f17a LDAP disable service
This patch allows to disable service in LDAP (ipactl will not start it)

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-26 13:36:04 +02:00
Martin Basti
29ba9d9d26 Refactoring of autobind, object_exists
Required to prevent code duplications

ipaldap.IPAdmin now has method do_bind, which tries several bind methods
ipaldap.IPAClient now has method object_exists(dn)

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-26 13:21:15 +02:00
Petr Viktorin
dea825fd9c ipa-restore: Set SELinux booleans when restoring
https://fedorahosted.org/freeipa/ticket/4157

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2014-09-26 12:12:59 +02:00
Petr Viktorin
c7d6fea06f Move setting SELinux booleans to platform code
Create a platform task for setting SELinux booleans.

Use an exception for the case when the booleans could not be set
(since this is an error if not handled).
Since ipaplatform should not depend on ipalib, create a new
errors module in ipapython for SetseboolError.

Handle uninstallation with the same task, which means
the booleans are now restored with a single call to
setsebool.

Preparation for: https://fedorahosted.org/freeipa/ticket/4157

Fixes: https://fedorahosted.org/freeipa/ticket/2934
Fixes: https://fedorahosted.org/freeipa/ticket/2519
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2014-09-26 12:12:59 +02:00
Martin Basti
7e24e241ba Add correct NS records during installation
All ipa-dns capable server is added to root zones as nameserver

During uninstall all NS records pointing to particular replica are
removed.

Part of ticket: https://fedorahosted.org/freeipa/ticket/4149

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-09-25 16:38:02 +02:00
Petr Viktorin
ffe4417c63 ipa-replica-prepare: Wait for the DNS entry to be resolvable
It takes some time after the DNS record is added until it propagates
to Bind. In automated installations, it might happen that
replica-install is attempted before the hostname is resolvable;
in that case the connection check would fail.

Wait for the name to be resolvable at the end of replica-prepare.
Mention that this can be interrupted (Ctrl+C).
Provide an option to skip the wait.

In case DNS is not managed by IPA, this reminds the admin of the necessary
configuration and checks their work, but it's possible to skip (either by
interrupting it interactively, or by the option).

https://fedorahosted.org/freeipa/ticket/4551

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-09-25 15:31:08 +02:00
Petr Viktorin
9a188607fc upgradeinstance: Restore listeners on failure
Allow running some installation after failure,
and use this for the upgradeinstance cleanup steps.

https://fedorahosted.org/freeipa/ticket/4499

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-25 13:23:51 +02:00
Martin Basti
c81acfff43 FIX: ldap schmema updater needs correct ordering of the updates
Required bugfix in python-ldap 2.4.15

Updates must respect SUP objectclasses/attributes and update
dependencies first

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-25 12:57:01 +02:00
Jan Cholasta
f680a63158 Fix certmonger code causing the ca_renewal_master update plugin to fail
https://fedorahosted.org/freeipa/ticket/4547

Reviewed-By: David Kupka <dkupka@redhat.com>
2014-09-23 16:25:15 +02:00
Petr Viktorin
abba25c826 ipa_backup: Log where the backup is be stored
This makes managing multiple backups & logs easier.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-09-23 12:29:37 +02:00
Petr Viktorin
06566cb62b backup,restore: Don't overwrite /etc/{passwd,group}
The /etc/passwd and /etc/group files are not saved and restored.
The DS user is always created on restore, and the PKI user is created
if a CA is being restored.

https://fedorahosted.org/freeipa/ticket/3866

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-09-23 12:29:37 +02:00
Petr Viktorin
5fef2ecb39 ipa_restore: Split the services list
Make a proper list from the comma-separated string found in
the config.

The only current use of backup_services is in run:
    if 'CA' in self.backup_services:
Without this change, this picked up the 'CA' from 'MEMCACHE'.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-09-23 12:29:37 +02:00
Petr Viktorin
5dfa1116c2 ipaserver.install: Consolidate system user creation
Sytem users and their groups are always created together.
Also, users & groups should never be removed once they exist
on the system (see comit a5a55ce).

Use a single function for generic user creation, and specific
funtions in dsinstance and cainstance.
Remove code left over from when we used to delete the DS user.

Preparation for: https://fedorahosted.org/freeipa/ticket/3866

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-09-23 12:29:37 +02:00
Ade Lee
9ca5a4e420 Re-enable uninstall feature for ipa-kra-install
The underlying Dogtag issue (Dogtag ticket 1113) has been fixed.
We can therefore re-enable the uninstall option for ipa-kra-install.
Also, fixes an incorrect path in the ipa-pki-proxy.conf, and adds
a debug statement to provide status to the user when an uninstall
is done.  Also, re-added the no_host_dns option which is used when
unpacking a replica file.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-15 10:58:29 +02:00
Petr Viktorin
4fac4f4cf6 Allow deleting obsolete permissions; remove operational attribute permissions
https://fedorahosted.org/freeipa/ticket/4534

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-09-12 18:22:17 +02:00
Ludwig Krispenz
ab196220fd Update SSL ciphers configured in 389-ds-base
use configuration parameters to enable ciphers provided by NSS
and not considered weak.
This requires 389-ds version 1.3.3.2 or later

https://fedorahosted.org/freeipa/ticket/4395

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-09-12 16:42:09 +02:00
Petr Vobornik
4e6a3c69b0 install: create ff krb extension on every install, replica install and upgrade
We don't want to copy the extension from master to replica because the
replica may use newer version of FreeIPA and therefore the extension
code might be obsolete. Same reason for upgrades.

https://fedorahosted.org/freeipa/ticket/4478

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-09-11 09:41:51 +02:00
Jan Cholasta
3acec1267e Use autobind when updating CA people entries during certificate renewal
Requires fix for <https://bugzilla.redhat.com/show_bug.cgi?id=1122110>, bump
selinux-policy in the spec file.

https://fedorahosted.org/freeipa/ticket/4005

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-09 10:36:50 +02:00
Ana Krivokapic
d2793a3ca5 Remove internaldb password from password.conf
Remove internaldb password from password.conf after switching over to
client certificate authentication. The password is no longer needed.

https://fedorahosted.org/freeipa/ticket/4005

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-09 10:36:50 +02:00
Jan Cholasta
2ed6fb092e Backup CS.cfg before modifying it
https://fedorahosted.org/freeipa/ticket/4166

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-05 16:10:49 +02:00
Petr Viktorin
68d656f80a Fix: Add managed read permissions for compat tree and operational attrs
This is a fix for an earlier version, which was committed by mistake as:
master: 418ce870bf
ipa-4-0: 3e2c86aeab
ipa-4-1: 9bcd88589e

Thanks to Alexander Bokovoy for contributions

https://fedorahosted.org/freeipa/ticket/4521
2014-09-05 15:40:13 +02:00
Jan Cholasta
6ad8c464a4 Make CA-less ipa-server-install option --root-ca-file optional.
The CA cert specified by --root-ca-file option must always be the CA cert of
the CA which issued the server certificates in the PKCS#12 files. As the cert
is not actually user selectable, use CA cert from the PKCS#12 files by default
if it is present.

Document --root-ca-file in ipa-server-install man page.

https://fedorahosted.org/freeipa/ticket/4457

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-05 13:59:04 +02:00
David Kupka
6d94cdf250 Use certmonger D-Bus API instead of messing with its files.
FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be more stable and supported way of using cermonger than
tampering with its files.

>=certmonger-0.75.13 is needed for this to work.

https://fedorahosted.org/freeipa/ticket/4280

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-09-05 10:51:42 +02:00
Jan Cholasta
93346b1cf9 Normalize external CA cert before passing it to pkispawn
https://fedorahosted.org/freeipa/ticket/4019

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-04 12:13:11 +02:00
David Kupka
8aa01e24a1 Add record(s) to /etc/host when IPA is configured as DNS server.
This is to avoid chicken-egg problem when directory server fails to start
without resolvable hostname and named fails to provide hostname without
directory server.

https://fedorahosted.org/freeipa/ticket/4220

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-09-03 16:03:31 +02:00
Alexander Bokovoy
90227f817e ipaserver/dcerpc.py: Make sure trust is established only to forest root domain
Part of https://fedorahosted.org/freeipa/ticket/4463

Reviewed-By: Sumit Bose <sbose@redhat.com>
2014-09-01 08:42:52 +02:00
Alexander Bokovoy
d16b471cea ipaserver/dcerpc.py: be more open to what domains can be seen through the forest trust
https://fedorahosted.org/freeipa/ticket/4463

Reviewed-By: Sumit Bose <sbose@redhat.com>
2014-09-01 08:42:52 +02:00
Alexander Bokovoy
1fd3a23884 ipaserver/dcerpc.py: Avoid hitting issue with transitive trusts on Windows Server prior to 2012
http://msdn.microsoft.com/en-us/library/2a769a08-e023-459f-aebe-4fb3f595c0b7#id83

Reviewed-By: Sumit Bose <sbose@redhat.com>
2014-09-01 08:42:52 +02:00
Alexander Bokovoy
23e0bc411e ipaserver/dcerpc.py: make PDC discovery more robust
Certain operations against AD domain controller can only be done if its
FSMO role is primary domain controller. We need to use writable DC and
PDC when creating trust and updating name suffix routing information.

https://fedorahosted.org/freeipa/ticket/4479

Reviewed-By: Sumit Bose <sbose@redhat.com>
2014-09-01 08:42:52 +02:00
Alexander Bokovoy
3a8eeefe03 ipaserver/dcerpc.py: if search of a closest GC failed, try to find any GC
https://fedorahosted.org/freeipa/ticket/4458

Reviewed-By: Sumit Bose <sbose@redhat.com>
2014-09-01 08:42:52 +02:00
Ade Lee
a25fe00c62 Add a KRA to IPA
This patch adds the capability of installing a Dogtag KRA
to an IPA instance.  With this patch,  a KRA is NOT configured
by default when ipa-server-install is run.  Rather, the command
ipa-kra-install must be executed on an instance on which a Dogtag
CA has already been configured.

The KRA shares the same tomcat instance and DS instance as the
Dogtag CA.  Moreover, the same admin user/agent (and agent cert) can
be used for both subsystems.  Certmonger is also confgured to
monitor the new subsystem certificates.

To create a clone KRA, simply execute ipa-kra-install <replica_file>
on a replica on which a Dogtag CA has already been replicated.
ipa-kra-install will use the security domain to detect whether the
system being installed is a replica, and will error out if a needed
replica file is not provided.

The install scripts have been refactored somewhat to minimize
duplication of code.  A new base class dogtagintance.py has
been introduced containing code that is common to KRA and CA
installs.  This will become very useful when we add more PKI
subsystems.

The KRA will install its database as a subtree of o=ipaca,
specifically o=ipakra,o=ipaca.  This means that replication
agreements created to replicate CA data will also replicate KRA
data.  No new replication agreements are required.

Added dogtag plugin for KRA.  This is an initial commit providing
the basic vault functionality needed for vault.  This plugin will
likely be modified as we create the code to call some of these
functions.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3872

The uninstallation option in ipa-kra-install is temporarily disabled.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-08-22 09:59:31 +02:00
Jan Cholasta
359dfe58b9 Convert external CA chain to PKCS#7 before passing it to pkispawn.
https://fedorahosted.org/freeipa/ticket/4397

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-08-14 10:06:27 +02:00
Jan Cholasta
6bb240fa2c Fix parsing of long nicknames in certutil -L output.
https://fedorahosted.org/freeipa/ticket/4453

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-08-07 15:07:39 +02:00
Martin Kosek
7caed6ecfb ipa-adtrust-install does not re-add member in adtrust agents group
When a CIFS service exists and adtrust agents group does not
have it as a member attribute (for whatever reason), re-running
ipa-adtrust-install does not fix the inconsistency.

Make the installer more robust by being able to fix the inconsistency.

https://fedorahosted.org/freeipa/ticket/4464

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-08-07 11:12:04 +02:00
Jan Cholasta
044c5c833a Enable NSS PKIX certificate path discovery and validation for Dogtag.
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
d27e77adc5 Allow upgrading CA-less to CA-full using ipa-ca-install.
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
8bbdfff102 Allow adding CA certificates to certificate store in ipa-cacert-manage.
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
18aa3216e0 Allow changing chaining of the IPA CA certificate in ipa-cacert-manage.
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
f39c6ee544 Add new NSSDatabase method get_cert for getting certs from NSS databases.
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
987bf3fbf0 Allow multiple CA certificates in replica info files.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
6870eb909e Add function for writing list of certificates to a PEM file to ipalib.x509.
Also rename load_certificate_chain_from_file to
load_certificate_list_from_file.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
6f01499419 Import CA certs from certificate store to HTTP NSS database on server install.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
82d682fa64 Import CA certs from certificate store to DS NSS database on replica install.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
88706c5674 Add new add_cert method for adding certificates to NSSDatabase and CertDB.
Replace all uses of NSSDatabase method add_single_pem_cert with add_cert and
remove add_single_pem_cert.

Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
feecdb4cdc Rename CertDB method add_cert to import_cert.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
5f29a71bd7 Upload CA chain from DS NSS database to certificate store on server update.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
05212a17a9 Upload CA chain from DS NSS database to certificate store on server install.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
586373cf07 Add permissions for certificate store.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
25c10bc161 Add LDAP schema for certificate store.
Part of https://fedorahosted.org/freeipa/ticket/3259
Part of https://fedorahosted.org/freeipa/ticket/3520

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
d2bf0b8b54 Fix trust flags in HTTP and DS NSS databases.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
9d4eeeda55 Allow specifying trust flags in NSSDatabase and CertDB method trust_root_cert.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
52f72ec058 Do not treat the IPA RA cert as CA cert in DS NSS database.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
1778f0ebc9 Allow IPA master hosts to read and update IPA master information.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
7086183519 Do not use ldapi in certificate renewal scripts.
This prevents SELinux denials when accessing the ldapi socket.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
e16d2623ae Remove master ACIs when deleting a replica.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
baa665fe40 Load sysupgrade.state on demand.
This prevents SELinux denials when the sysupgrade module is imported in a
confined process.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
ba3c7b4a89 Add CA certificate management tool ipa-cacert-manage.
Part of https://fedorahosted.org/freeipa/ticket/3737

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
2870db7913 Add permissions for CA certificate renewal.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
031b281921 Add method for verifying CA certificates to NSSDatabase.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
2c43a3d0d5 Move external cert validation from ipa-server-install to installutils.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
9e188574a5 Add method for setting CA renewal master in LDAP to CAInstance.
Allow checking and setting CA renewal master for non-local CA instances.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Jan Cholasta
2f6990c256 Track CA certificate using dogtag-ipa-ca-renew-agent.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-07-30 16:04:21 +02:00
Martin Basti
00309f8e42 Fix DNS upgrade plugin should check if DNS container exists
Fortunately this cause no error, because dnszone-find doesnt raise
exception if there is no DNS container

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-07-28 17:42:38 +02:00
David Kupka
41b057e387 Always record that pkicreate has been executed.
Record that pkicreate/pkispawn has been executed to allow cleanup even if the
installation did not finish correctly.

https://fedorahosted.org/freeipa/ticket/2796

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-07-22 09:03:56 +02:00
Nathaniel McCallum
e477130281 Fix login password expiration detection with OTP
The preexisting code would execute two steps. First, it would perform a kinit.
If the kinit failed, it would attempt to bind using the same credentials to
determine if the password were expired. While this method is fairly ugly, it
mostly worked in the past.

However, with OTP this breaks. This is because the OTP code is consumed by
the kinit step. But because the password is expired, the kinit step fails.
When the bind is executed, the OTP token is already consumed, so bind fails.
This causes all password expirations to be reported as invalid credentials.

After discussion with MIT, the best way to handle this case with the standard
tools is to set LC_ALL=C and check the output from the command. This
eliminates the bind step altogether. The end result is that OTP works and
all password failures are more performant.

https://fedorahosted.org/freeipa/ticket/4412

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-21 16:36:28 +02:00
Gabe
2afcbff133 Enable debug pid in smb.conf
https://fedorahosted.org/freeipa/ticket/3485

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-07-18 10:10:46 +02:00
Petr Viktorin
73b2d0a81d ldap2 indirect membership processing: Use global limits if greater than per-query ones
Calling an ipa *-find command with --sizelimit=1 on an entry with more
members would result in a LimitsExceeded error as the search for members
was limited to 1 entry.

For the memberof searches, only apply the global limit if it's larger than
the requested one, so decreasing limits on the individual query only
affects the query itself.

https://fedorahosted.org/freeipa/ticket/4398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-07-14 16:04:58 +02:00
Petr Viktorin
2f99140c92 ldapupdate: Restore 'replace' functionality
The replace directive was made a no-op by mistake in commit 6381d76.
Restore it.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-07-04 15:51:55 +02:00
Martin Basti
f8b6595f49 Restore privileges after forward zones update
Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-04 12:48:50 +02:00
Alexander Bokovoy
a9fe37e066 ipa-ldap-updater: make possible to use LDAPI with autobind in case of hardened LDAP configuration
When nsslapd-minssf is greater than 0, running as root
  ipa-ldap-updater [-l]
will fail even if we force use of autobind for root over LDAPI.

The reason for this is that schema updater doesn't get ldapi flag passed and
attempts to connect to LDAP port instead and for hardened configurations
using simple bind over LDAP is not enough.

Additionally, report properly previously unhandled LDAP exceptions.
https://fedorahosted.org/freeipa/ticket/3468

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-04 08:13:23 +02:00
Martin Basti
eea1015441 Fix upgrade to forward zones
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-03 14:04:57 +02:00
Martin Basti
5c2ddaf660 Allow to add non string values to named conf
Non string values should not start and end with '"' in options section
in named.conf

Required by ticket: https://fedorahosted.org/freeipa/ticket/4408

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-02 18:41:57 +02:00
Petr Viktorin
8c98561c20 Do not fail if there are multiple nsDS5ReplicaId values in cn=replication,cn=etc
On systems installed before #3394 was fixed and nsDS5ReplicaId became
single-valued, there are two replica ID values stored in cn=replication:
the default (3) and the actual value we want.
Instead of failing when multiple values are found, use the largest one.

https://fedorahosted.org/freeipa/ticket/4375

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-07-02 16:16:09 +02:00
Martin Basti
aa2ef07b8c Upgrade special master zones to forward zones
This upgrade is executed only if IPA version is older than 4.0
Requires detection if 'idnsforwardzone' objectclass is presented in
schema before schema is upgraded

Design: http://www.freeipa.org/page/V4/Forward_zones#Updates_and_Upgrades

Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-27 14:54:35 +02:00
Martin Basti
c1f3fd6831 Added upgrade step executed before schmema is upgraded
Class PreSchemaUpdate is executed before ldap schema update

This is required by ticket: https://fedorahosted.org/freeipa/ticket/3210

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-27 14:54:35 +02:00
Nathaniel McCallum
14b38b7704 Add /session/token_sync POST support
This HTTP call takes the following parameters:
 * user
 * password
 * first_code
 * second_code
 * token (optional)

Using this information, the server will perform token synchronization.
If the token is not specified, all tokens will be searched for synchronization.
Otherwise, only the token specified will be searched.

https://fedorahosted.org/freeipa/ticket/4218

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-26 15:55:24 +02:00
Petr Vobornik
1c94edd3a0 rpcserver: fix local vs utc time comparison
login_password did not work properly in timezones other than +0h because
local time was compared with utc time.

Bug introduced in:
https://fedorahosted.org/freeipa/ticket/4339

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-26 12:37:40 +02:00
Petr Vobornik
896920ed12 rpcserver: add otp support to change_password handler
https://fedorahosted.org/freeipa/ticket/4262

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-26 12:37:38 +02:00
Petr Vobornik
7fca783ec5 ldap2: add otp support to modify_password
https://fedorahosted.org/freeipa/ticket/4262

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-26 12:37:38 +02:00
Tomas Babej
e5e42fc83a ipaplatform: Move paths from installers to paths module
Part of: https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-26 09:22:21 +02:00
Nathaniel McCallum
5baa941317 Implement OTP token importing
This patch adds support for importing tokens using RFC 6030 key container
files. This includes decryption support. For sysadmin sanity, any tokens
which fail to add will be written to the output file for examination. The
main use case here is where a small subset of a large set of tokens fails
to validate or add. Using the output file, the sysadmin can attempt to
recover these specific tokens.

This code is implemented as a server-side script. However, it doesn't
actually need to run on the server. This was done because importing is an
odd fit for the IPA command framework:
1. We need to write an output file.
2. The operation may be long-running (thousands of tokens).
3. Only admins need to perform this task and it only happens infrequently.

https://fedorahosted.org/freeipa/ticket/4261

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 12:55:02 +02:00
Jan Cholasta
8b8774d138 Remove GetEffectiveRights control when ldap2.get_effective_rights fails.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 12:10:01 +02:00
Jan Cholasta
e675e427c7 Allow SAN in IPA certificate profile.
https://fedorahosted.org/freeipa/ticket/3977

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 12:10:01 +02:00
Petr Viktorin
02b5074d84 permission plugin: Join --type objectclass filters with OR
For groups, we will need to filter on either posixgroup (which UPGs
have but non-posix groups don't) and groupofnames/nestedgroup
(which normal groups have but UPGs don't).
Join permission_filter_objectclasses with `|` and add them as
a single ipapermtargetfilter value.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 10:54:43 +02:00
Petr Viktorin
83cb982858 Add $REALM to variables supported by the managed permission updater
This will allow converting password policy permissions

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:42 +02:00
Petr Viktorin
700ac6c116 Remove the update_dns_permissions plugin
This plugin created permissions that the managed permission
updater would remove right away.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:51 +02:00
Petr Viktorin
16ee6847e4 managed permission updater: Add mechanism to replace SYSTEM permissions
The "Read DNS Entries" permission, which was marked SYSTEM (no associated
ACI), can now be converted to a regular managed permission.

Add a mechanism for the updater to replace old SYSTEM permissions.

This cannot be done in an update file because we do not want to replace
V2 permissions with the same name.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:50 +02:00
Tomas Babej
4d2ef43f28 ipaplatform: Move all filesystem paths to ipaplatform.paths module
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
c7edd7b68c ipaplatform: Remove redundant imports of ipaservices
Also fixes few incorrect imports.

https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
49fcd42f8f ipaplatform: Change service code in freeipa to use ipaplatform services
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Tomas Babej
926f8647d2 ipaplatform: Change platform dependant code in freeipa to use ipaplatform tasks
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Petr Viktorin
2f3cdba546 Make 'permission' the default bind type for managed permissions
This reduces typing (or copy/pasting), and draws a bit of attention
to any non-default privileges (currently 'any' or 'anonymous').

Leaving the bindtype out by mistake isn't dangerous: by default
a permission is not granted to anyone, since it is not included in
any priviliges.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-11 13:21:29 +02:00
Petr Viktorin
13bcd03fcf Add method to enumerate managed permission templates
This will ease writing audit and management scripts for managed permissions.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-11 13:21:29 +02:00
Petr Viktorin
e0cafea374 managed perm updater: Handle case where we changed default ACIs in the past
This handles the case where IPA's default ACIs changed in something else
than just attribute lists.
In this case we can narrow the set of ACIs we think the user might be
upgrading from.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-10 13:55:56 +02:00
Petr Viktorin
acb2ca47d6 Add mechanism for updating permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-04 17:34:17 +02:00
Martin Basti
b964d2130a Modified dns related global functions
* Modified functions to use DNSName type
* Removed unused functions

Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-03 15:55:32 +02:00
Gabe
9f2c4705d7 ipa recursively adds old backups
- Added exclude for the ipa backup folder to the files tar

https://fedorahosted.org/freeipa/ticket/4331

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-30 08:15:22 +02:00
Petr Viktorin
4f89decc9a ldap2.has_upg: Raise an error if the UPG definition is not found
The UPG Definition is always present in IPA; if it can not be read
it's usually caused by insufficient privileges.
Previously the code assumed the absence of the entry meant that
UPG is disabled. With granular read permissions, this would mean
that users that can add users but can't read UPG Definition would
add users without UPG, and the reason for that would not be very clear.
It is better to fail early if the definition can't be read.

Raise an error if the UPG Definition is not available. This makes
read access to it a prerequisite for adding users.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-29 16:22:37 +02:00
Adam Misnyovszki
71c6d2f1eb Call generate-rndc-key.sh during ipa-server-install
Since systemd has by default a 2 minute timeout to start
a service, the end of ipa-server-install might fail
because starting named times out. This patch ensures that
generate-rndc-key.sh runs before named service restart.

Also, warning message is displayed before KDC install and
generate-rndc-key.sh, if there is a lack of entropy, to
notify the user that the process could take more time
than expected.

Modifications done by Martin Kosek:
- removed whitespace at the end of installutils.py
- the warning in krbinstance.py moved right before the step
  requiring entropy
- slightly reworded the warning message

https://fedorahosted.org/freeipa/ticket/4210

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-27 13:05:53 +02:00
Petr Vobornik
1e96475a77 rpcserver: login_password datetime fix in expiration check
krbpasswordexpiration conversion to time failed because now we get
datetime object instead of string.

https://fedorahosted.org/freeipa/ticket/4339

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-05-26 13:08:34 +02:00
Petr Viktorin
988b2cebf4 ldap2.find_entries: Do not modify attrs_list in-place
dap2.find_entries modified the passed in attrs_list to remove
the virtual attributes memberindirect and memberofindirect
before passing the list to LDAP. This means that a call like
    ldap2.get_entry(dn, attrs_list=some_framework_object.default_attributes)
would permanently remove the virtual attributes from
some_framework_object's definition.

Create a copy of the list instead.

https://fedorahosted.org/freeipa/ticket/4349

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-05-26 12:39:33 +02:00
Petr Viktorin
193ced0bd7 Remove the global anonymous read ACI
Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:14:55 +02:00
Petr Viktorin
63becae88c Set user addressbook/IPA attribute read ACI to anonymous on upgrades from 3.x
When upgrading from an "old" IPA, or installing the first "new" replica,
we need to keep allowing anonymous access to many user attributes.

Add an optional 'fixup_function' to the managed permission templates,
and use it to set the bind rule type to 'anonymous' when installing
(or upgrading to) the first "new" master.

This assumes that the anonymous read ACI will be removed in a "new" IPA.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:12:35 +02:00
Petr Viktorin
993c1c8557 update_managed_permissions: Pass around anonymous ACI rather than its blacklist
It turns out the ACI object of the anonymous read ACI, rather than just the
list of its attributes, will be useful in the future.
Change the plugin so that the ACI object is passed around.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:12:35 +02:00
Petr Viktorin
86f943ca18 Replace "replica admins read access" ACI with a permission
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.

https://fedorahosted.org/freeipa/ticket/3829

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-21 09:57:16 +02:00
Adam Misnyovszki
fa7057b727 Trust add datetime fix
Fixes trust add, since now datetime object is returned
for 'modifytimestamp', which cannot be split like a string.

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-05-06 19:14:45 +03:00
Thorsten Scherf
3f3c8eee24 Fixed typo how to create an example gpg key
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-05-06 13:20:17 +02:00
Petr Viktorin
d893b77fb6 Add several managed read permissions under cn=etc
This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 14:36:41 +02:00
Petr Viktorin
af3a4adc46 Add support for non-plugin default permissions
Add support for managed permissions that are not tied to an object
class and thus can't be defined in an Object plugin.

A dict is added to hold templates for the non-plugin permissions.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 14:36:41 +02:00
Jan Cholasta
8b6dc819d5 Support API version-specific RPC marshalling.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-04-18 14:59:20 +02:00
Petr Viktorin
81b0e7466d Do not ask for memberindirect when updating managed permissions
One of the default_attributes of permission is memberofindirect,
a virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an entry with memberofindirect,
ipaldap tries to add the attribute to LDAP and fails with an objectclass
violation.

Do not ask for memberindirect when retrieving the entry.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-17 10:04:16 +02:00
Jan Cholasta
50c7f3b236 Fix update_ca_renewal_master plugin on CA-less installs.
This also fixes updates from ancient versions of IPA which did not have
automatic CA subsystem certificate renewal.

https://fedorahosted.org/freeipa/ticket/4294

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-10 16:40:10 +02:00
Petr Viktorin
41607774bc Add mechanism for adding default permissions to privileges
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-10 14:49:16 +02:00
Petr Viktorin
c58d6b2689 Allow overriding all attributes of default permissions
Allow overriding ipapermtarget, ipapermtargetfilter, ipapermlocation,
objectclass of default managed permissions.
This allows defining permissions that are not tied to an object type.
Default values are same as before.

Also, do not reset ipapermbindruletype when updating an existing
managed permission.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-09 13:40:42 +02:00
Petr Viktorin
fb2f0ae8d5 Document the managed permission updater operation
The method was explained on the [Design] page, but as the updater
is extended the design page would become obsolete.
Document the operation in the docstring of the plugin itself.

Design: http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-09 13:40:42 +02:00
Jan Cholasta
915cd6942c Fix upload of CA certificate to LDAP in CA-less install.
https://fedorahosted.org/freeipa/ticket/4300

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-08 14:04:40 +02:00
Jan Cholasta
0497d163d9 Remove unused method is_master of CAInstance.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:56 +01:00
Jan Cholasta
fd5ef28bf2 Use the same certmonger configuration for both CA masters and clones.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
fac6bf30b6 Merge restart_httpd functionality to renew_ra_cert.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
2c466b79e8 Merge restart_pkicad functionality to renew_ca_cert and remove restart_pkicad.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
b5d082ec4d Make the default dogtag-ipa-ca-renew-agent behavior depend on CA setup.
On CA masters, a certificate is requested and stored to LDAP. On CA clones,
the certificate is retrieved from LDAP.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
c3169add3b Store information about which CA server is master for renewals in LDAP.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
6a19738a45 Use dogtag-ipa-ca-renew-agent to track certificates on master CA.
Before, dogtag-ipa-renew-agent was used to track the certificates and the
certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since
dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code
was removed from renew_ca_cert and renew_ra_cert.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
babddaaee8 Use dogtag-ipa-ca-renew-agent to retrieve renewed certificates from LDAP.
Before, this was done by dogtag-ipa-retrieve-agent-submit.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
57f0be7b5d Use certmonger D-Bus API to configure certmonger in CA install.
Before, certmonger was configured by modifying its internal database directly.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:54 +01:00
Jan Cholasta
def727ce56 Show progress when enabling SSL in DS in ipa-server-install output.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:54 +01:00
Jan Cholasta
51caf48ed9 Remove unused method export_ca_cert of dsinstance.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:54 +01:00
Jan Cholasta
9b3055ca41 Upload CA certificate from DS NSS database in CA-less server install.
Before, the file provided in the --root-ca-file option was used directly for
the upload. However, it is the same file which is imported to the NSS
database, so the second code path is not necessary.

Also removed now unused upload_ca_dercert method of dsinstance.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:54 +01:00
Jan Cholasta
48539b35d7 Use LDAP API to upload CA certificate instead of ldapmodify command.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:54 +01:00
Jan Cholasta
fea7163e87 Move CACERT definition to a single place.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:54 +01:00
Jan Cholasta
4c761108e8 Fix certificate renewal scripts to work with separate CA DS instance.
https://fedorahosted.org/freeipa/ticket/3805

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:54 +01:00
Petr Viktorin
f4de4a2aa7 Add Object metadata and update plugin for managed permissions
The default read permission is added for Netgroup as an example.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-25 14:18:12 +01:00
Petr Viktorin
7c9fa8fad9 ipaserver.install.service: Fix estimated time display
Use basic math rather than timezone conversion to get
minutes and seconds.
Break out the message generation into a small tested function.

https://fedorahosted.org/freeipa/ticket/4242

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-03-13 18:15:43 +01:00
Alexander Bokovoy
6195870e82 ipaserver/dcerpc: make sure to always return unicode SID of the trust domain
Trusted domain SID could be obtained through different means. When it is
fetched from the AD DC via LDAP, it needs to be extracted from a default
context and explicitly converted to unicode.

https://fedorahosted.org/freeipa/ticket/4246

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-12 18:16:52 +01:00