Commit Graph

742 Commits

Author SHA1 Message Date
Sumit Bose
fe1aad7679
ipa-kdb: reinit trusted domain data for enterprise principals
While processing enterprise principals the information about trusted domains
might not be up-to-date. With this patch ipadb_reinit_mspac() is called if an
unknown domain is part of the enterprise principal.

Resolves https://pagure.io/freeipa/issue/7172

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-13 13:43:35 +02:00
Thierry Bordaz
0f0423cf53 NULL LDAP context in call to ldap_search_ext_s during search
KDC crashes on quite random interval while trying to reach LDAP
    https://pagure.io/freeipa/issue/7017

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-24 13:34:06 +02:00
Jan Cholasta
7a482b7c72 logging: do not log into the root logger
Deprecate `ipa_log_manager.root_logger` and replace all calls to it with
module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ab9d1e75fc logging: do not reference loggers in arguments and attributes
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
9d19654cbd logging: use the actual root logger as the root logger
Use the actual root logger (`logging.getLogger()`) rather than the `ipa`
logger (or the `root` logger in case of ipa-ods-exporter) as the root
logger.

Always configure logging on the root logger.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
464516489f logging: do not configure any handlers by default
Do not configure stderr handler by default and let the application do the
configuration.

Fix ipa-dnskeysync-replica and ipa-dnskeysyncd not to add stderr handler
twice.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Alexander Bokovoy
3ab6a68e91 ipa-sam: use smbldap_set_bind_callback for Samba 4.7 or later
Samba 4.7 tightens up smbldap API by making 'struct smbldap_state' an
opaque. This means ipa-sam module cannot anymore directly set its
LDAP bind callback.

Use new smbldap API to set the LDAP bind callback.

Fixes https://pagure.io/freeipa/issue/6877

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-11 15:21:35 +02:00
Alexander Bokovoy
11d43a1603 ipa-sam: use own private structure, not ldapsam_privates
With Samba 4.7 access to ldapsam internal structures will not be
available for external applications. FreeIPA's ipasam module was using
those for own needs. Now it needs to migrate to proper own private
structure.

Given that we anyway need to implement many missing functions like
pdb_update_sam_account() callback with FreeIPA-specific logic,
piggybacking on ldapsam structures is not needed anymore.

Fixes https://pagure.io/freeipa/issue/6877

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-11 15:21:35 +02:00
Jan Cholasta
d5fc0ddd87 install: do not assume /etc/krb5.conf.d exists
Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
/etc/krb5.conf.d exists.

Do not rely on /etc/krb5.conf.d to enable the certauth plugin.

This fixes install on platforms which do not have /etc/krb5.conf.d.

https://pagure.io/freeipa/issue/6589

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2017-06-28 15:44:51 +02:00
Sumit Bose
1f0ca6aafd ipa_pwd_extop: do not generate NT hashes in FIPS mode
In FIPS mode NT hashes (aka md4) are not allowed. If FIPS more is
detected we disable NT hashes even is the are allowed by IPA
configuration.

Resolves https://pagure.io/freeipa/issue/7026

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-21 10:16:41 +02:00
Sumit Bose
f169481b55 ipa-sam: replace encode_nt_key() with E_md4hash()
Since ipa-sam is running as part of smbd is it safe to use the
E_md4hash() from Samba. This way ipa-sam does not depend on other crypto
libraries which might depend on other rules like e.g. FIPS mode.

Resolves https://pagure.io/freeipa/issue/7026

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-21 10:16:41 +02:00
Sumit Bose
117d6e9be0 ipa-kdb: use canonical principal in certauth plugin
Currently the certauth plugin use the unmodified principal from the
request to lookup the user. This might fail if e.g. enterprise
principals are use. With this patch the canonical principal form the kdc
entry is used.

Resolves https://pagure.io/freeipa/issue/6993

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-07 14:00:06 +02:00
Alexander Bokovoy
e8a7e2e38a ipa-kdb: add pkinit authentication indicator in case of a successful certauth
We automatically add 'otp' and 'radius' authentication indicators when
pre-authentication with OTP or RADIUS did succeed. Do the same for
certauth-based pre-authentication (PKINIT).

A default PKINIT configuration does not add any authentication
indicators unless 'pkinit_indicator = pkinit' is set in kdc.conf.
Unfortunately, modifying kdc.conf automatically is a bit more
complicated than modifying krb5.conf. Given that we have 'otp' and
'radius' authentication indicators also defined in the code not in the
kdc.conf, this change is following an established trend.

SSSD certauth interface does not provide additional information about
which rule(s) succeeded in matching the incoming certificate. Thus,
there is not much information we can automatically provide in the
indicator. It would be good to generate indicators that include some
information from the certmapping rules in future but for now a single
'pkinit' indicator is enough.

Fixes https://pagure.io/freeipa/issue/6736

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-06-05 18:35:27 +02:00
Sumit Bose
e8aed25248 ipa-kdb: reload certificate mapping rules periodically
With this patch the certificate mapping rules are reloaded every 5
minutes.

Resolves https://pagure.io/freeipa/issue/6963

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-02 16:40:24 +02:00
René Genz
a0566ed9ce fix minor spelling mistakes
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 09:52:46 +02:00
Timo Aaltonen
076eb409a0
ipa-otpd.socket.in: Use a platform specific value for KDC service file
https://pagure.io/freeipa/issue/6845

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-04-12 16:17:51 +02:00
Martin Basti
e8f2a415b3 Fix PKCS11 helper
Slots in HSM are not assigned statically, we have to chose proper
slot from token label.

Softhsm i2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).

Changelog:
* created method get_slot() that returns slot number from
  used label
* replaces usage of slot in __init__ method of P11_Helper
  with label
* slot is dynamically detected from token label before
  session is opened
* pkcs11-util --init-token now uses '--free' instead '--slot'
  which uses first free slot (we don't care about slot numbers
  anymore)

https://pagure.io/freeipa/issue/6692

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-12 09:54:10 +02:00
Simo Sorce
e88d5e815e Fix s4u2self with adtrust
When ADtrust is installed we add a PAC to all tickets, during protocol
transition we need to generate a new PAC for the requested user ticket,
not check the existing PAC on the requestor ticket.

https://pagure.io/freeipa/issue/6862

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-04-12 09:46:43 +02:00
Florence Blanc-Renaud
e052c2dce0 ipa-sam: create the gidNumber attribute in the trusted domain entry
When a trusted domain entry is created, the uidNumber attribute is created
but not the gidNumber attribute. This causes samba to log
	Failed to find a Unix account for DOM-AD$
because the samu structure does not contain a group_sid and is not put
in the cache.
The fix creates the gidNumber attribute in the trusted domain entry,
and initialises the group_sid field in the samu structure returned
by ldapsam_getsampwnam. This ensures that the entry is put in the cache.

Note that this is only a partial fix for 6660 as it does not prevent
_netr_ServerAuthenticate3 from failing with the log
	_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com.

https://pagure.io/freeipa/issue/6827

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-04-07 12:38:35 +02:00
Sumit Bose
6c2772dde5 IPA-KDB: use relative path in ipa-certmap config snippet
Architecture specific paths should be avoided in the global Kerberos
configuration because it is read e.g. by 32bit and 64bit libraries they
are installed in parallel.

Resolves https://pagure.io/freeipa/issue/6833

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-05 07:30:41 +00:00
Sumit Bose
8960398a57
extdom: improve cert request
Certificates can be assigned to multiple user so the extdom plugin must
use sss_nss_getlistbycert() instead of sss_nss_getnamebycert() and
return a list of fully-qualified user names.

Due to issues on the SSSD side the current version of lookups by
certificates didn't work at all and the changes here won't break
existing clients.

Related to https://pagure.io/freeipa/issue/6826

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-28 18:21:18 +02:00
Sumit Bose
ee455f163d
extdom: do reverse search for domain separator
To avoid issues which @-signs in the short user or group names it is
better to search for the domain separator starting at the end of the
fully-qualified name.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-28 18:21:18 +02:00
Sumit Bose
0ba0c07813 ipa-kdb: do not depend on certauth_plugin.h
Related to https://pagure.io/freeipa/issue/4905

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-27 17:57:28 +02:00
Sumit Bose
c4156041fe IPA certauth plugin
This patch add a certauth plugin which allows the IPA server to support
PKINIT for certificates which do not include a special SAN extension
which contains a Kerberos principal but allow other mappings with the
help of SSSD's certmap library.

Related to https://pagure.io/freeipa/issue/4905

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-27 09:52:57 +02:00
Sumit Bose
da880decfe ipa-kdb: add ipadb_fetch_principals_with_extra_filter()
Additionally make ipadb_find_principal public.

Related to https://pagure.io/freeipa/issue/4905

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-27 09:52:57 +02:00
Timo Aaltonen
44a3e0fe1d configure: Use ODS_USER and NAMED_GROUP in daemons/dnssec/*.service.in
These are platform specific, add values for Debian and default values
for Fedora/RHEL.

Also, use prettier output when checking the extra python install options.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-22 13:39:18 +01:00
Jan Cholasta
b7329e31f5 slapi plugins: fix CFLAGS
Add explicit NSPR_CFLAGS and NSS_CFLAGS where NSPR_LIBS and NSS_LIBS is
used.

Use DIRSRV_CFLAGS rather than hardcode -I/usr/include/dirsrv.

Append NSPR_CFLAGS to DIRSRV_CFLAGS in ./configure as slapi-plugin.h
includes nspr.h.

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-15 08:55:12 +00:00
Simo Sorce
2e5cc369fd Add support for searching policies in cn=accounts
Use the new multibase search to collect policies from multiple subtrees.
The 'any' parameter is set to 'true' so the search stop when the first result
is found in any of the bases.

https://fedorahosted.org/freeipa/ticket/6568

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-10 09:17:28 +01:00
Simo Sorce
9f13b330aa Add code to retrieve results from multiple bases
Internally performs multiple seraches as needed based on the basedn
strings passed in and whether the caller indicated that any result is ok
or all results are needed.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-10 09:17:28 +01:00
Nathaniel McCallum
d05d1115e4 Use RemoveOnStop to cleanup systemd sockets
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-02-17 15:19:07 +01:00
Alexander Bokovoy
593ea7da9a ipa-kdb: support KDB DAL version 6.1
DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As result, FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).

DAL version 6.1 added a special callback for freeing e_data structure.
See details at krb5/krb5#596

Restructure KDB driver code to provide this callback in case
we are built against DAL version that supports it. For DAL version
prior to 6.0 use this callback in the free_principal callback to
tidy the code.

Use explicit KDB version dependency in Fedora 26+ via BuildRequires.

With new DAL version, freeipa package will fail to build and
we'll have to add a support for new DAL version explicitly.

https://fedorahosted.org/freeipa/ticket/6619

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2017-02-15 14:24:05 +01:00
Christian Heimes
d8343a96dd Clean / ignore make check artefact
In tree runs of make check leave some artifacts around. The patch adds
them to make clean and .gitignore.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-18 09:19:15 +01:00
Alexander Bokovoy
73f33569c8 ipa-kdb: search for password policies globally
With the CoS templates now used to create additional password policies
per object type that are placed under the object subtrees, DAL driver
needs to search for the policies in the whole tree.

Individual policies referenced by the krbPwdPolicyReference attribute
are always searched by their full DN and with the base scope. However,
when KDC asks a DAL driver to return a password policy by name, we don't
have any specific base to search. The original code did search by the
realm subtree.

Fixes https://fedorahosted.org/freeipa/ticket/6561

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-15 17:32:33 +01:00
Christian Heimes
1e6a204b43 Set explicit confdir option for global contexts
Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.

The special contexts are:

* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates

The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.

https://fedorahosted.org/freeipa/ticket/6389

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-02 09:14:35 +01:00
Petr Spacek
ba6ae666ac Build: properly integrate ipa-version.h.in into build system
AC_CONFIG_FILES in configure.ac works well only with Makefiles.
Other files have to be handled by Makefile.am so depedencies
are tracked properly.

https://fedorahosted.org/freeipa/ticket/6498

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-29 15:28:24 +01:00
Jan Cholasta
7d5c680ace ipautil: move kinit functions to ipalib.install
kinit_password() depends on ipaplatform.

Move kinit_password() as well as kinit_keytab() to a new
ipalib.install.kinit module, as they are used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
a1f260d021 ipapython: move dnssec, p11helper and secrets to ipaserver
The dnssec and secrets subpackages and the p11helper module depend on
ipaplatform.

Move them to ipaserver as they are used only on the server.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Thierry Bordaz
c223130d5f IPA Allows Password Reuse with History value defined when admin resets the password.
When admin reset a user password, history of user passwords is
preserved according to its policy.

https://fedorahosted.org/freeipa/ticket/6402

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-24 17:01:02 +01:00
Christian Heimes
a8376a2447 Add main guards to a couple of Python scripts
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-24 16:35:43 +01:00
Petr Spacek
5862eaa1a0 Build: fix path in ipa-ods-exporter.socket unit file
This fixes regression caused by incorrect
daemons/dnssec/ipa-ods-exporter.socket.in path template introduced
in commit 312e780041.

https://fedorahosted.org/freeipa/ticket/6495

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-21 17:24:58 +01:00
Petr Spacek
d5683726d2 Build: remove incorrect use of MAINTAINERCLEANFILES
Automake manual section 13 What Gets Cleaned says that make maintainer-clean
should not remove files necessary for subsequent runs of ./configure.

It practically means that all usage of MAINTAINERCLEANFILES were incorrect
so I've removed them.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-16 09:12:07 +01:00
Simo Sorce
2775042787 Support DAL version 5 and version 6
https://fedorahosted.org/freeipa/ticket/6466

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2016-11-10 13:25:51 +01:00
Petr Spacek
312e780041 Build: integrate daemons/dnssec into build system
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
f229bb56b7 Build: fix distribution of daemons/ipa-slapi-plugins/topology files
All the headers are now listed in _SOURCES variable.
It seems weird but this is what GNU Automake manual suggests in section
9.2 Header files:
  Headers used by programs or convenience libraries are not installed.
  The noinst_HEADERS variable can be used for such headers.
  However when the header actually belongs to a single convenience library
  or program, we recommend listing it in the program’s or library’s
  _SOURCES variable (see Program Sources) instead of in noinst_HEADERS.
  This is clearer for the Makefile.am reader.
  noinst_HEADERS would be the right variable to use in a directory containing
  only headers and no associated library or program.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
39b17ef2ab Build: fix distribution of daemons/ipa-slapi-plugins/ipa-winsync files
All the headers are now listed in _SOURCES variable.
It seems weird but this is what GNU Automake manual suggests in section
9.2 Header files:
  Headers used by programs or convenience libraries are not installed.
  The noinst_HEADERS variable can be used for such headers.
  However when the header actually belongs to a single convenience library
  or program, we recommend listing it in the program’s or library’s
  _SOURCES variable (see Program Sources) instead of in noinst_HEADERS.
  This is clearer for the Makefile.am reader.
  noinst_HEADERS would be the right variable to use in a directory containing
  only headers and no associated library or program.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
74820fe3d8 Build: fix distribution of daemons/ipa-slapi-plugins/ipa-sidgen files
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
53cd71a63c Build: fix distribution of daemons/ipa-slapi-plugins/ipa-pwd-extop files
All the headers are now listed in _SOURCES variable.
It seems weird but this is what GNU Automake manual suggests in section
9.2 Header files:
  Headers used by programs or convenience libraries are not installed.
  The noinst_HEADERS variable can be used for such headers.
  However when the header actually belongs to a single convenience library
  or program, we recommend listing it in the program’s or library’s
  _SOURCES variable (see Program Sources) instead of in noinst_HEADERS.
  This is clearer for the Makefile.am reader.
  noinst_HEADERS would be the right variable to use in a directory containing
  only headers and no associated library or program.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
278cda7ede Build: fix distribution of daemons/ipa-slapi-plugins/ipa-otp-lasttoken files
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
c1652f92af Build: fix distribution of daemons/ipa-slapi-plugins/ipa-otp-counter files
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
14bce67cf0 Build: fix distribution of daemons/ipa-slapi-plugins/ipa-exdom-extop files
All the headers are now listed in _SOURCES variable.
It seems weird but this is what GNU Automake manual suggests in section
9.2 Header files:
  Headers used by programs or convenience libraries are not installed.
  The noinst_HEADERS variable can be used for such headers.
  However when the header actually belongs to a single convenience library
  or program, we recommend listing it in the program’s or library’s
  _SOURCES variable (see Program Sources) instead of in noinst_HEADERS.
  This is clearer for the Makefile.am reader.
  noinst_HEADERS would be the right variable to use in a directory containing
  only headers and no associated library or program.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
4fb2f535ca Build: fix distribution of daemons/ipa-slapi-plugins/ipa-cldap files
All the headers are now listed in _SOURCES variable.
It seems weird but this is what GNU Automake manual suggests in section
9.2 Header files:
  Headers used by programs or convenience libraries are not installed.
  The noinst_HEADERS variable can be used for such headers.
  However when the header actually belongs to a single convenience library
  or program, we recommend listing it in the program’s or library’s
  _SOURCES variable (see Program Sources) instead of in noinst_HEADERS.
  This is clearer for the Makefile.am reader.
  noinst_HEADERS would be the right variable to use in a directory containing
  only headers and no associated library or program.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
684a2c6a58 Build: fix distribution of ipa-slapi-plugins/common files
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
125bf25577 Build: fix distribution of daemon/ipa-kdb files
https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
b8d81ba3a1 Build: remove non-existing README files from Makefile.am
Some Makefile.am files were apparently created by copy-pasting other
files. As a result, some Makefiles require non-existing README files.
Remove this to fix dist target.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
24feae47f2 Build: fix Makefile.am files to separate source and build directories
This is step forward working VPATH builds which cleanly separate sources
and build artifacts. It makes the system cleaner and easier to
understand.

Python and web UI likely require more work to make VPATH builds working.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
c48e5fd811 Build: move version handling from Makefile to configure
Version information is now in VERSION.m4 instead of VERSION.
Makefile target version-update was minimized and configure can be run
before make. Makefile temporarily contains hardcoded version which has
to match the one specified in VERSION.m4.

This is preparatory step which will allow us to replace hand-made
Makefile with one generated by Automake.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
b0cb6afa23 Build: transform util directory to libutil convenience library
This is autoconf way of doing things. It should allow us to enable
subdir-objects automake option and stay compatible with future versions
of automake.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-10-24 13:30:12 +02:00
Petr Spacek
25dab77301 Build: promote daemons/configure.ac to top-level configure.ac
Top-level Makefile is still not managed by Automake (e.g. hand-made).
This is preparatory work. Other configure.ac files will be gradually
merged into the top-level one. After that we will be able to throw-away
the hand-made top-level Makefile and use Automake for everything.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-10-24 13:30:12 +02:00
Petr Spacek
41da873205 Build: adjust include paths in daemons/ipa-kdb/tests/ipa_kdb_tests.c
Fix include paths to prevent breakage when we move configure.ac from
daemons to the top-level.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-10-24 13:30:12 +02:00
Petr Spacek
7de597425f Build: remove deprecated AC_STDC_HEADERS macro
Interestingly, the new macro AC_HEADER_STDC is alredy present.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-18 10:47:59 +02:00
Petr Spacek
8b458ce4de Build: require Python >= 2.7
The Python detection logic will be improved later when we start to use
top-level configure.ac to manage build completely. For now simple bump
is enough.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-18 10:47:59 +02:00
Petr Spacek
2ea6648379 Build: remove traces of mozldap library
Mozldap is not used for some time now. We can remove
all traces of it.

AFAIK the complex logic for OpenLDAP detection should not be
necessary and -lldap_r -llber options should suffice.

Unfortunatelly OpenLDAP package does not ship
package config files so we have to hardcode flags.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-18 10:47:59 +02:00
Petr Spacek
01072fc8f2 Build: modernize crypto library detection
Use package config instead of checking headers.
Package config is faster because it does not invoke compiler
and guarantees proper linking flags because these are provided
by package maintainer instead of hardcoded into build system.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-18 10:47:59 +02:00
Petr Spacek
7b801682a6 Build: modernize UUID library detection
Use package config instead of checking headers.
Package config is faster because it does not invoke compiler
and guarantees proper linking flags because these are provided
by package maintainer instead of hardcoded into build system.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-18 10:47:59 +02:00
Petr Spacek
651f1acac8 Build: modernize Kerberos library detection
Use package config instead of checking headers.
Package config is faster because it does not invoke compiler
and guarantees proper linking flags because these are provided
by package maintainer instead of hardcoded into build system.

libkrad does not have package config file so we keep the old way here.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-18 10:47:59 +02:00
Petr Spacek
152ed75ff6 Build: add missing KRB5_LIBS to daemons/ipa-otpd
It was working accidentally because krb5 libs are part of OPENLDAP_LIBS.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-18 10:47:59 +02:00
Timo Aaltonen
6c09d6f878 Move ipa-otpd to $libexecdir/ipa
This is more consistent with the other daemons.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-13 20:55:14 +02:00
Martin Basti
d937588146 Pylint: remove unused variables from installers and scripts
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-10-06 10:43:36 +02:00
Nathaniel McCallum
0756ce7d53 Properly handle LDAP socket closures in ipa-otpd
In at least one case, when an LDAP socket closes, a read event is fired
rather than an error event. Without this patch, ipa-otpd silently
ignores this event and enters a state where all bind auths fail.

To remedy this problem, we pass error events along the same path as read
events. Should the actual read fail, we exit.

https://bugzilla.redhat.com/show_bug.cgi?id=1377858
https://fedorahosted.org/freeipa/ticket/6368

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-06 10:35:25 +02:00
Martin Basti
45e3aee352 Pylint: enable check for unused-variables
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors

Enabled check should prevent to leave unused variable in code

Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Martin Basti
0f88f8fe88 Remove unused variables in the code
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.

This covers only cases where fix was easy or only one unused variable
was in a module

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Martin Basti
9b68d2a1f8 Pylint: enable global-variable-not-assigned check
the global keyword should be used only when variable from outside is
assigned inside, otherwise it has no effect and just confuses developers

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2016-09-23 09:23:41 +02:00
Thierry Bordaz
b942b00ac7 ipa-pwd-extop memory leak during passord update
During an extend op password update, there is a test if the
user is changing the password is himself. It uses local Slapi_SDN
variable that are not freed

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-31 12:08:03 +02:00
Alexander Bokovoy
a14ebbea89 ipa-kdb: simplify trusted domain parent search
In terms of cross-forest trust parent domain is the root domain of
the forest because we only have trust established with the forest root.

In FreeIPA LDAP store all sub-domains stored in cn=<forest root>,
cn=ad,cn=trusts,... subtree. Thus, a first RDN after cn=ad is the
forest root domain. This allows us to simplify logic of finding
the parent domain.

For complex hierachical forests with more than two levels of
sub-domains, this will still be true because of the forest trust:
as forest trust is established to the forest root domain, any
communication to any sub-domain must traverse forest root domain's
domain controller.

Note that SSSD also generated incorrectly CA paths information
for forests with non-hierarchical tree-roots. In such cases
IPA KDC got confused and mistakenly assumed direct trust to the
non-hierarchical tree-root instead of going through the forest
root domain. See https://fedorahosted.org/sssd/ticket/3103 for
details.

Resolves: https://fedorahosted.org/freeipa/ticket/5738
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 14:03:00 +02:00
Lukas Slebodnik
e7480bed27 ipa-kdb: Allow to build with samba 4.5
daemons/ipa-kdb/ipa_kdb_mspac.c: In function 'filter_logon_info':
daemons/ipa-kdb/ipa_kdb_mspac.c:1536:19: error: 'struct PAC_LOGON_INFO'
  has no member named 'res_group_dom_sid'
     if (info->info->res_group_dom_sid != NULL &&
                   ^~
daemons/ipa-kdb/ipa_kdb_mspac.c:1537:19: error: 'struct PAC_LOGON_INFO'
  has no member named 'res_groups'; did you mean 'resource_groups'?
         info->info->res_groups.count != 0) {
                   ^~
mv -f .deps/ipa_kdb_delegation.Tpo .deps/ipa_kdb_delegation.Plo
Makefile:806: recipe for target 'ipa_kdb_mspac.lo' failed
make[3]: *** [ipa_kdb_mspac.lo] Error 1
make[3]: *** Waiting for unfinished jobs....

Related change in samba
4406cf792a

Resolves:
https://fedorahosted.org/freeipa/ticket/6173

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-08-09 14:37:49 +02:00
Lukas Slebodnik
50c53395de ipa-pwd-extop: Fix warning assignment discards ‘const’ qualifier from pointer
ipa_pwd_extop.c: In function ‘ipapwd_chpwop’:
ipa_pwd_extop.c:337:13: warning: assignment discards ‘const’ qualifier
  from pointer target type [-Wdiscarded-qualifiers]
   target_dn = slapi_sdn_get_ndn(target_sdn);
             ^

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2016-08-08 14:35:11 +02:00
Lukas Slebodnik
7e1898bd01 ipa_pwd_extop: Fix warning declaration shadows previous local
ipa_pwd_extop.c:397:19: warning: declaration of ‘target_sdn’
  shadows a previous local [-Wshadow]
         Slapi_DN *target_sdn;
                   ^~~~~~~~~~
ipa_pwd_extop.c:212:16: note: shadowed declaration is here
  Slapi_DN     *target_sdn = NULL;
                ^~~~~~~~~~

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2016-08-08 14:33:39 +02:00
Simo Sorce
ab4fcb0fe2 Simplify date manipulation in pwd plugin
Use a helper function to perform operations on dates in LDAP attributes.

Related to #2795

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: David Kupka <dkupka@redhat.com>
2016-07-25 05:08:55 -04:00
Thierry Bordaz
b04f617803 Heap corruption in ipapwd plugin
ipapwd_encrypt_encode_key allocates 'kset' on the heap but
with num_keys and keys not being initialized.
Then ipa_krb5_generate_key_data initializes them with the
generated keys.
If ipa_krb5_generate_key_data fails (here EINVAL meaning no
principal->realm.data), num_keys and keys are left uninitialized.
Upon failure, ipapwd_keyset_free is called to free 'kset'
that contains random num_keys and keys.

allocates kset with calloc so that kset->num_keys==0 and
kset->keys==NULL

https://fedorahosted.org/freeipa/ticket/6030

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-07-19 13:17:37 +02:00
Sumit Bose
6d6da6b281 kdb: check for local realm in enterprise principals
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2016-07-12 12:26:28 +02:00
David Kupka
d2cb9ed327 Allow unexpiring passwords
Treat maxlife=0 in password policy as "never expire". Delete
krbPasswordExpiration in user entry when password should never expire.

https://fedorahosted.org/freeipa/ticket/2795

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-07-01 11:22:02 +02:00
Martin Basti
a635135ba3 Bump SSSD version in requires
This is required by commit aa734da494 for
function sss_nss_getnamebycert()

https://fedorahosted.org/freeipa/ticket/4955

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-07-01 10:20:36 +02:00
Thierry Bordaz
1ce8d32fd6 ipapwd_extop should use TARGET_DN defined by a pre-extop plugin
ipapwd_extop allows to update the password on a specific entry, identified by its DN.
It can be usefull to support virtual DN in the extop so that update of a virtual entry
would land into the proper real entry.

If a pre-extop sets the TARGET_DN, ipapwd_extop sets ORIGINAL_DN with the value
of TARGET_DN, instead of using the original one (in the ber req)
There is a dependency on slapi-nis >= 0.56-0.1 (https://fedorahosted.org/freeipa/ticket/5955)

https://fedorahosted.org/freeipa/ticket/5946

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-06-24 14:51:15 +02:00
Martin Babinsky
b169a72735 ipa-enrollment: set krbCanonicalName attribute on enrolled host entry
Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-06-23 09:48:06 +02:00
Martin Babinsky
7ed7a86511 ipa-kdb: set krbCanonicalName when creating new principals
Additionally, stop setting ipakrbprincipalalias attribute during principal
creation.

Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-06-23 09:48:06 +02:00
Martin Babinsky
e43231456d perform case-insensitive principal search when canonicalization is requested
When canonicalization is requested, the krbprincipalname attribute is searched
for case-insensitively.

In the case that krbcanonicalname is not set, the matched alias is returned
with the casing stored in backend, not the one input by client.

Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-06-23 09:48:06 +02:00
root
a76d4402a6 Topology plugins sigsev/heap corruption when adding a managed host
A managed host may handle several ipaReplTopoManagedSuffix.
Removing (from the topology) such host, loops over the replicated
suffixes array to retrieve, in the hosts list, the host record and delete it.
The problem is that a variable used to manage a hosts list is not reset
when looking at the next suffix. That will messup the lists, keeping
freed elements in the lists.

The fix is to reset the variable inside the replicated suffix loop

https://fedorahosted.org/freeipa/ticket/5977

Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com>
2016-06-22 17:51:53 +02:00
David Kupka
45bb2ad045 Remove unused locking "context manager"
Class ods_db_lock is unused since August 2015.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 18:27:22 +02:00
Ludwig Krispenz
0b11b36bf2 v2 - avoid crash in topology plugin when host list contains host with no hostname
ticket #5928

prevent a crash when dereferncing a NULL hostnam, log an error to help debugging
fix an incorrect order of statement when freeing a host list

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2016-06-13 16:25:03 +02:00
Alexander Bokovoy
bb75f5a583 adtrust: support UPNs for trusted domain users
Add support for additional user name principal suffixes from
trusted Active Directory forests. UPN suffixes are property
of the forest and as such are associated with the forest root
domain.

FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
attribute of ipaNTTrustedDomain object class.

In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.

For more details on UPN and naming in Active Directory see
https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx

https://fedorahosted.org/freeipa/ticket/5354

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-11 17:25:50 +02:00
Sumit Bose
aa734da494 extdom: add certificate request
Related to https://fedorahosted.org/freeipa/ticket/4955

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
2016-06-09 14:28:47 +02:00
Nathaniel McCallum
4bafba06f2 Migrate from #ifndef guards to #pragma once
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.

This patch does not change the autogenerated files: asn1/asn1c/*.h.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-05-29 14:04:45 +02:00
Nathaniel McCallum
8f356a4305 Enable authentication indicators for OTP and RADIUS
If the user is configured for OTP or RADIUS authentication, insert the
relevant authentication indicator.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-26 18:47:05 +02:00
Nathaniel McCallum
204200d73b Return password-only preauth if passwords are allowed
Before this patch, if either password or password+otp were permitted,
only the otp preauth mech would be returned to the client. Now, the
client will receive either enc_ts or enc_chl in addition to otp.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-26 18:47:05 +02:00
Nathaniel McCallum
168a6c7d47 Ensure that ipa-otpd bind auths validate an OTP
Before this patch, if the user was configured for either OTP or password
it was possible to do a 1FA authentication through ipa-otpd. Because this
correctly respected the configuration, it is not a security error.

However, once we begin to insert authentication indicators into the
Kerberos tickets, we cannot allow 1FA authentications through this
code path. Otherwise the ticket would contain a 2FA indicator when
only 1FA was actually performed.

To solve this problem, we have ipa-otpd send a critical control during
the bind operation which informs the LDAP server that it *MUST* validate
an OTP token for authentication to be successful. Next, we implement
support for this control in the ipa-pwd-extop plugin. The end result is
that the bind operation will always fail if the control is present and
no OTP is validated.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-26 18:47:05 +02:00
Nathaniel McCallum
cd9bc84240 Rename syncreq.[ch] to otpctrl.[ch]
This gives us a place to handle all OTP related controls. Also,
genericize otpctrl_present() so that the OID can be specified as an
argument to the function call.

These changes are preparatory for the subsequent patches.

https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-26 18:47:05 +02:00
Matt Rogers
8a2afcafee ipa_kdb: add krbPrincipalAuthInd handling
Store and retrieve the authentication indicator "require_auth" string in
the krbPrincipalAuthInd attribute. Skip storing auth indicators to
krbExtraData.

https://fedorahosted.org/freeipa/ticket/5782

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-02 19:15:45 +02:00
Lukas Slebodnik
dbc3a75110 BUILD: Remove detection of libcheck
The unit test framework check has not been used in freeipa for long time
(if ever) but there was still conditional check for this framework.
It just produced confusing warning:
    Without the 'CHECK' library, you will be unable
    to run all tests in the 'make check' suite

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-04-22 13:21:26 +02:00
Alexander Bokovoy
3208a09384 extdom: do not fail to process error case when no request is specified
Coverity CID 13130

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-03-10 19:24:55 +01:00
Simo Sorce
7a20fc671b Allow to specify Kerberos authz data type per user
Like for services setting the ipaKrbAuthzData attribute on a user object will
allow us to control exactly what authz data is allowed for that user.
Setting NONE would allow no authz data, while setting MS-PAC would allow only
Active Directory compatible data.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/2579
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-03-09 19:00:43 +01:00
Lukas Slebodnik
0906cc28b8 ipa-sam: Do not redefine LDAP_PAGE_SIZE
The value of LDAP_PAGE_SIZE was changed in samba-4.4
and it caused warning because it's already defined
in samba header files

ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
 #define LDAP_PAGE_SIZE 1024

In file included from /usr/include/samba-4.0/smbldap.h:24:0,
                 from ipa_sam.c:31:
/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition
 #define LDAP_PAGE_SIZE 1000

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-03-09 18:59:29 +01:00
Lukas Slebodnik
ebbb2eba5b CONFIGURE: Replace obsolete macros
The AC_PROG_LIBTOOL macro is obsoleted by since libtool-2.0
which is already in rhel6+

https://fedorahosted.org/FedoraReview/wiki/AutoTools

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-08 20:02:27 +01:00
Simo Sorce
3e45c9be0a Allow admins to disable preauth for SPNs.
Some legacy softare is not able to properly cope with preauthentication,
allow the admins to disable the requirement to use preauthentication for
all Service Principal Names if they so desire. IPA Users are excluded,
for users, which use password of lessere entrpy, preauthentication is
always required by default.

This setting does NOT override explicit policies set on service principals
or in the global policy, it only affects the default.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/3860
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-03-08 18:48:40 +01:00
Lukas Slebodnik
017b343e13 IPA-SAM: Fix build with samba 4.4
samba_util.h is not shipped with samba-4.4
and it was indirectly included by "ndr.h"

Some functions have prototypes in different header file
"util/talloc_stack.h" and other does not have declarations
in other header file. But they are still part of libsamba-util.so

sh$ objdump -T /usr/lib64/libsamba-util.so.0.0.1 | grep -E "trim_s|xstrdup"
0000000000022200 g    DF .text  000000000000001f  SAMBA_UTIL_0.0.1 smb_xstrdup
00000000000223b0 g    DF .text  000000000000019d  SAMBA_UTIL_0.0.1 trim_string

ipa_sam.c: In function 'ldapsam_uid_to_sid':
ipa_sam.c:836:24: warning: implicit declaration of function 'talloc_stackframe'
                  [-Wimplicit-function-declaration]
  TALLOC_CTX *tmp_ctx = talloc_stackframe();
                        ^
ipa_sam.c: In function 'pdb_init_ipasam':
ipa_sam.c:4493:2: warning: implicit declaration of function 'trim_string'
                  [-Wimplicit-function-declaration]
  trim_string( uri, "\"", "\"" );
  ^
ipa_sam.c:4580:26: warning: implicit declaration of function 'smb_xstrdup'
                   [-Wimplicit-function-declaration]
  ldap_state->domain_dn = smb_xstrdup(dn);
                          ^

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-02-02 18:32:47 +01:00
Sumit Bose
348c400484 ipa-kdb: map_groups() consider all results
Resolves https://fedorahosted.org/freeipa/ticket/5573

Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-02-02 18:15:19 +01:00
Simo Sorce
f9ed0b6ff8 Convert ipa-sam to use the new getkeytab control
Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/5495
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-02-01 13:28:39 +01:00
Simo Sorce
e011b376a5 Improve keytab code to select the right principal.
Whe requesting a keytab the salt used is the NORMAL type (for backwards and AD
compatibility), however since we added alias support we need to search for the
krbCanonicalName in preference, hen nothing is specified, and for the requested
principal name when a getkeytab operation is performed. This is so that the
correct salt can be applied. (Windows AD uses some peculiar aliases for some
special accounts to generate the salt).

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-02-01 13:28:39 +01:00
Lukas Slebodnik
4bef7577b7 extdom: Remove unused macro
Last usage of the macre SSSD_SYSDB_SID_STR was removed
in the commit 0ee8fe11ae

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-01-29 16:04:59 +01:00
Sumit Bose
45b0148fcc ipa-kdb: get_authz_data_types() make sure entry can be NULL
This function determines which type of authorization data should be
added to the Kerberos ticket. There are global default and it is
possible to configure this per service as well. The second argument is
the data base entry of a service. If no service is given it makes sense
to return the global defaults and most parts of get_authz_data_types()
handle this case well and this patch fixes the remain issue and adds a
test for this as well.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2016-01-27 16:03:03 +01:00
Ludwig Krispenz
c152e10075 prevent moving of topology entries out of managed scope by modrdn operations
Ticket: https://fedorahosted.org/freeipa/ticket/5536
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2016-01-21 12:52:08 +01:00
Simo Sorce
2144b1eeb7 Always verify we have a valid ldap context.
LDAP calls just assert if an invalid (NULL) context is passed in,
so we need to be sure we have a valid connection context before
calling into LDAP APIs and fail outright if a context can't be obtained.

https://fedorahosted.org/freeipa/ticket/5577

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-01-13 16:09:38 +01:00
Simo Sorce
58ab032f1a Use only AES enctypes by default
Remove des3 and arcfour from the defaults for new installs.

NOTE: the ipasam/dcerpc code sill uses arcfour

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/4740
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-01-13 15:24:53 +01:00
Nathaniel McCallum
563bddce6d Don't error when find_base() fails if a base is not required
We always have to call find_base() in order to force libldap to open
the socket. However, if no base is actually required then there is
no reason to error out if find_base() fails. This condition can arise
when anonymous binds are disabled.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-12 12:28:44 +01:00
Petr Spacek
ae2462738b DNSSEC: Log debug messages at log level DEBUG
https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-07 14:13:23 +01:00
Petr Spacek
9fbbe3e574 DNSSEC: ipa-ods-exporter: add ldap-cleanup command
Command "ldap-cleanup <zone name>" will remove all key metadata from
LDAP. This can be used manually in sequence like:
ldap-cleanup <zone name>
update <zone name>
to delete all key metadata from LDAP and re-export them from OpenDNSSEC.

ldap-cleanup command should be called when disabling DNSSEC on a DNS
zone to remove stale key metadata from LDAP.

https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-07 14:13:23 +01:00
Petr Spacek
ddf7397a4b DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
Key purging has to be only only after key metadata purging so
ipa-dnskeysyncd on replices does not fail while dereferencing
non-existing keys.

https://fedorahosted.org/freeipa/ticket/5334

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-07 14:13:23 +01:00
Petr Spacek
6bdc18d0c5 DNSSEC: logging improvements in ipa-ods-exporter
https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-07 14:13:23 +01:00
Petr Spacek
9ff1c0ac29 DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
Previously we published timestamps of planned state changes in LDAP.
This led to situations where state transition in OpenDNSSEC was blocked
by an additional condition (or unavailability of OpenDNSSEC) but BIND
actually did the transition as planned.

Additionally key state mapping was incorrect for KSK so sometimes KSK
was not used for signing when it should.

Example (for code without this fix):
- Add a zone and let OpenDNSSEC to generate keys.
- Wait until keys are in state "published" and next state is "inactive".
- Shutdown OpenDNSSEC or break replication from DNSSEC key master.
- See that keys on DNS replicas will transition to state "inactive" even
  though it should not happen because OpenDNSSEC is not available
  (i.e. new keys may not be available).
- End result is that affected zone will not be signed anymore, even
  though it should stay signed with the old keys.

https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-07 14:13:23 +01:00
Petr Spacek
9bcb9887ea DNSSEC: Improve error reporting from ipa-ods-exporter
https://fedorahosted.org/freeipa/ticket/5348

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-07 14:13:23 +01:00
Martin Basti
e4075b1fe2 Remove unused imports
This patch removes unused imports, alse pylint has been configured to
check unused imports.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:59:22 +01:00
Martin Basti
21f7584f9f FIX: ipa_kdb_principals: add missing break statement
Needs a 'break' otherwise prevents correct reporting of data and it always overrides
it with the placeholder data.

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-11-30 17:34:02 +01:00
Simo Sorce
0f52eddd1d Return default TL_DATA is krbExtraData is missing
Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/937
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-11-25 14:12:11 +01:00
Sumit Bose
657cf958c6 ipasam: fix a use-after-free issue
Since endptr points to a location inside of dummy, dummy should be freed
only after dereferencing endptr.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-11-23 14:45:54 +01:00
Sumit Bose
99cfc979d5 ipasam: use more restrictive search filter for group lookup
Since we are interested in looking up the SID of a group it makes sense
to include the objectclass which contains the SID attribute in the
search filter. This makes sure the group is not accidentally found a
second time in the compat tree.

Related to https://fedorahosted.org/freeipa/ticket/5457

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-11-23 14:45:54 +01:00
Sumit Bose
3d6fdab904 ipasam: fix wrong usage of talloc_new()
Fixes https://fedorahosted.org/freeipa/ticket/5457

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-11-23 14:45:54 +01:00
Lukas Slebodnik
73058af717 ipa_kdb_tests: Fix test with default krb5.conf
Default krb5.conf needn't have defined default_realm.
Unit tests should not rely on existing default value.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-18 12:55:42 +01:00
Lukas Slebodnik
75c26f9ec8 cmocka_tests: Do not use deprecated cmocka interface
The cmocka-1.0 introduced new interface for tests
which is not compatible with the old one.
And the old interface is deprecated which caused compiled warnings.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-18 12:54:43 +01:00
Lukas Slebodnik
be6ecac220 ipa-extdom-extop: Fix warning Wformat
In file included from ipa_extdom_extop.c:41:0:
ipa_extdom_extop.c: In function ‘ipa_extdom_init_ctx’:
ipa_extdom_extop.c:203:9: warning: format ‘%d’ expects argument of type ‘int’,
                          but argument 4 has type ‘size_t {aka long unsigned int}’ [-Wformat=]
     LOG("Maximal nss buffer size set to [%d]!\n", ctx->max_nss_buf_size);
         ^
../common/util.h:53:21: note: in definition of macro ‘LOG_PLUGIN_NAME’
                     fmt, ##__VA_ARGS__)
                     ^
ipa_extdom_extop.c:203:5: note: in expansion of macro ‘LOG’

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-13 18:37:23 +01:00
Lukas Slebodnik
08d65f54e7 topology: Fix warning Wshadow
topology_pre.c: In function ‘ipa_topo_pre_add’:
topology_pre.c:509:15: warning: declaration of ‘errtxt’ shadows a previous local [-Wshadow]
         char *errtxt;
               ^
topology_pre.c:494:11: note: shadowed declaration is here
     char *errtxt  = NULL;
           ^

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-13 18:37:23 +01:00
Lukas Slebodnik
2735db0d0e ipa_kdb_tests: Fix warning Wmissing-braces
tests/ipa_kdb_tests.c:254:9: warning: missing braces around initializer [-Wmissing-braces]
         {3, {BLACKLIST_SID"-1000", BLACKLIST_SID"-1001", BLACKLIST_SID"-1002"},
         ^
tests/ipa_kdb_tests.c:254:9: note: (near initialization for ‘test_data[6]’)
tests/ipa_kdb_tests.c:256:9: warning: missing braces around initializer [-Wmissing-braces]
         {0, NULL, 0 , NULL}
         ^
tests/ipa_kdb_tests.c:256:9: note: (near initialization for ‘test_data[7]’)
tests/ipa_kdb_tests.c:234:21: warning: missing braces around initializer [-Wmissing-braces]
     } test_data[] = {
                     ^

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-13 18:37:23 +01:00
Lukas Slebodnik
681afc4914 ipa_kdb_tests: Remove unused variables
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-11-13 18:37:23 +01:00
Ludwig Krispenz
3f70c9aed7 update list of managed servers when a suffix becomes managed
when a suffix becomes managed for a host, the host needs to
    be added to the managed servers, otherwise connectivity check would fail

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2015-10-30 13:47:25 +01:00
Ludwig Krispenz
22a999267c reject agreement only if both ends are managed
the creation or deletion of a replication agreemet is rejected if the
servers are managed for the suffix. But bot endpoints need to checked

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2015-10-30 13:47:25 +01:00
Ludwig Krispenz
26bfc914d9 handle cleaning of RUV in the topology plugin
After removing a server the replicaid needs to be cleared in the ruv entry and
    in the changelog.
    This was triggere by initiating a cleanallruv task in "ipa-replica-manage del",
    but the removal of a master already triggers a cleanup of segments and replication
    agreement by the topology plugin, so this could be handled by the plugin as well.

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2015-10-26 18:11:32 +01:00
Ludwig Krispenz
102651b10a prevent operation on tombstones
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Ludwig Krispenz
fcb9854dcb handle multiple managed suffixes
trigger topology updaet if suffix entry is added
    trigger topology update if managedSuffix is modified in host entry

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Petr Vobornik
80e11d2469 topology plugin configuration workaround
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Alexander Bokovoy
766438aba0 client referral support for trusted domain principals
https://fedorahosted.org/freeipa/ticket/3559

Reviewed-By: Sumit Bose <sbose@redhat.com>
2015-10-08 13:52:16 +02:00
Petr Spacek
0b797da560 Avoid ipa-dnskeysync-replica & ipa-ods-exporter crashes caused by exceeding LDAP limits
ldap2 internally does LDAP search to find out what LDAP search limits
should be used (!). The problem is that this internal search has hardcoded
limits and throws LimitExceeded exception when DS is too slow.

DNSSEC daemons do not need any abstractions from ldap2 so we are going
to use ipaldap directly. This will avoid the unnecessary search and
associated risks.

https://fedorahosted.org/freeipa/ticket/5342

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-10-07 14:28:50 +02:00
Petr Viktorin
65e3b9edc6 Use six.Stringio instead of StringIO.StringIO
The StringIO class was moved to the io module.
(In Python 2, io.StringIO is available, but is Unicode-only.)

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-10-07 10:27:20 +02:00
Nathaniel McCallum
9e3eeadeb3 Fix an integer underflow bug in libotp
Temporarily storing the offset time in an unsigned integer causes the
value of the offset to underflow when a (valid) negative offset value
is generated. Using a signed variable avoids this problem.

https://fedorahosted.org/freeipa/ticket/5333

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-09-29 15:16:09 +02:00
Petr Spacek
ecf796e9c0 DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5.
https://fedorahosted.org/freeipa/ticket/5273

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-09-03 18:22:53 +02:00
Petr Spacek
e840061176 DNSSEC: Fix key metadata export
Incorrect SQL join condition could lead to situation where metadata from
ZSK and KSK were interchanged.

https://fedorahosted.org/freeipa/ticket/5273

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
2015-09-03 18:20:36 +02:00
Petr Spacek
d24db5d921 DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction
https://fedorahosted.org/freeipa/ticket/5273

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
2015-09-03 18:20:36 +02:00
Petr Spacek
f1436c4ed8 DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart
It might happen that systemd will restart the service even if there is
no incomming connection to service socket. In that case we want to exit
because HSM synchronization is done before socket.accept() and we want
to synchronize HSM and DNS zones at the same time.

https://fedorahosted.org/freeipa/ticket/5273

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
2015-09-03 18:20:36 +02:00
Martin Basti
e7a876d88a DNSSEC: remove ccache and keytab of ipa-ods-exporter
Reusing old ccache after reinstall causes authentication error. And
prevents DNSSEC from working.

Related to ticket: https://fedorahosted.org/freeipa/ticket/5273

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-09-03 18:15:58 +02:00
Petr Viktorin
8de13bd7dd Use the print function
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-01 11:42:01 +02:00
Petr Viktorin
3bf91eab25 Use Python3-compatible dict method names
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.

Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.

When iterating through the entire dict, without modifying the dict,
 the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.

In other cases, helpers like six.itervalues are used.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-01 11:42:01 +02:00
Michael Simacek
aad73fad60 Port from python-krbV to python-gssapi
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.

- Removed Backend.krb and KRB5_CCache classes
  They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
  in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
  Using api.env.realm instead of krbV call

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-08-26 09:41:36 +02:00
Martin Babinsky
3506938a75 improve the handling of krb5-related errors in dnssec daemons
ipa-dnskeysync* and ipa-ods-exporter handle kerberos errors more gracefully
instead of crashing with tracebacks.

https://fedorahosted.org/freeipa/ticket/5229

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-08-18 21:11:58 +02:00