Commit Graph

1014 Commits

Author SHA1 Message Date
Petr Viktorin
acb2ca47d6 Add mechanism for updating permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-04 17:34:17 +02:00
Martin Basti
b964d2130a Modified dns related global functions
* Modified functions to use DNSName type
* Removed unused functions

Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-03 15:55:32 +02:00
Gabe
9f2c4705d7 ipa recursively adds old backups
- Added exclude for the ipa backup folder to the files tar

https://fedorahosted.org/freeipa/ticket/4331

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-30 08:15:22 +02:00
Petr Viktorin
4f89decc9a ldap2.has_upg: Raise an error if the UPG definition is not found
The UPG Definition is always present in IPA; if it can not be read
it's usually caused by insufficient privileges.
Previously the code assumed the absence of the entry meant that
UPG is disabled. With granular read permissions, this would mean
that users that can add users but can't read UPG Definition would
add users without UPG, and the reason for that would not be very clear.
It is better to fail early if the definition can't be read.

Raise an error if the UPG Definition is not available. This makes
read access to it a prerequisite for adding users.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-29 16:22:37 +02:00
Adam Misnyovszki
71c6d2f1eb Call generate-rndc-key.sh during ipa-server-install
Since systemd has by default a 2 minute timeout to start
a service, the end of ipa-server-install might fail
because starting named times out. This patch ensures that
generate-rndc-key.sh runs before named service restart.

Also, warning message is displayed before KDC install and
generate-rndc-key.sh, if there is a lack of entropy, to
notify the user that the process could take more time
than expected.

Modifications done by Martin Kosek:
- removed whitespace at the end of installutils.py
- the warning in krbinstance.py moved right before the step
  requiring entropy
- slightly reworded the warning message

https://fedorahosted.org/freeipa/ticket/4210

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-27 13:05:53 +02:00
Petr Vobornik
1e96475a77 rpcserver: login_password datetime fix in expiration check
krbpasswordexpiration conversion to time failed because now we get
datetime object instead of string.

https://fedorahosted.org/freeipa/ticket/4339

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-05-26 13:08:34 +02:00
Petr Viktorin
988b2cebf4 ldap2.find_entries: Do not modify attrs_list in-place
dap2.find_entries modified the passed in attrs_list to remove
the virtual attributes memberindirect and memberofindirect
before passing the list to LDAP. This means that a call like
    ldap2.get_entry(dn, attrs_list=some_framework_object.default_attributes)
would permanently remove the virtual attributes from
some_framework_object's definition.

Create a copy of the list instead.

https://fedorahosted.org/freeipa/ticket/4349

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-05-26 12:39:33 +02:00
Petr Viktorin
193ced0bd7 Remove the global anonymous read ACI
Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:14:55 +02:00
Petr Viktorin
63becae88c Set user addressbook/IPA attribute read ACI to anonymous on upgrades from 3.x
When upgrading from an "old" IPA, or installing the first "new" replica,
we need to keep allowing anonymous access to many user attributes.

Add an optional 'fixup_function' to the managed permission templates,
and use it to set the bind rule type to 'anonymous' when installing
(or upgrading to) the first "new" master.

This assumes that the anonymous read ACI will be removed in a "new" IPA.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:12:35 +02:00
Petr Viktorin
993c1c8557 update_managed_permissions: Pass around anonymous ACI rather than its blacklist
It turns out the ACI object of the anonymous read ACI, rather than just the
list of its attributes, will be useful in the future.
Change the plugin so that the ACI object is passed around.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:12:35 +02:00
Petr Viktorin
86f943ca18 Replace "replica admins read access" ACI with a permission
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.

https://fedorahosted.org/freeipa/ticket/3829

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-21 09:57:16 +02:00
Adam Misnyovszki
fa7057b727 Trust add datetime fix
Fixes trust add, since now datetime object is returned
for 'modifytimestamp', which cannot be split like a string.

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-05-06 19:14:45 +03:00
Thorsten Scherf
3f3c8eee24 Fixed typo how to create an example gpg key
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-05-06 13:20:17 +02:00
Petr Viktorin
d893b77fb6 Add several managed read permissions under cn=etc
This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 14:36:41 +02:00
Petr Viktorin
af3a4adc46 Add support for non-plugin default permissions
Add support for managed permissions that are not tied to an object
class and thus can't be defined in an Object plugin.

A dict is added to hold templates for the non-plugin permissions.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 14:36:41 +02:00
Jan Cholasta
8b6dc819d5 Support API version-specific RPC marshalling.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-04-18 14:59:20 +02:00
Petr Viktorin
81b0e7466d Do not ask for memberindirect when updating managed permissions
One of the default_attributes of permission is memberofindirect,
a virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an entry with memberofindirect,
ipaldap tries to add the attribute to LDAP and fails with an objectclass
violation.

Do not ask for memberindirect when retrieving the entry.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-17 10:04:16 +02:00
Jan Cholasta
50c7f3b236 Fix update_ca_renewal_master plugin on CA-less installs.
This also fixes updates from ancient versions of IPA which did not have
automatic CA subsystem certificate renewal.

https://fedorahosted.org/freeipa/ticket/4294

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-10 16:40:10 +02:00
Petr Viktorin
41607774bc Add mechanism for adding default permissions to privileges
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-10 14:49:16 +02:00
Petr Viktorin
c58d6b2689 Allow overriding all attributes of default permissions
Allow overriding ipapermtarget, ipapermtargetfilter, ipapermlocation,
objectclass of default managed permissions.
This allows defining permissions that are not tied to an object type.
Default values are same as before.

Also, do not reset ipapermbindruletype when updating an existing
managed permission.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-09 13:40:42 +02:00
Petr Viktorin
fb2f0ae8d5 Document the managed permission updater operation
The method was explained on the [Design] page, but as the updater
is extended the design page would become obsolete.
Document the operation in the docstring of the plugin itself.

Design: http://www.freeipa.org/page/V3/Managed_Read_permissions#Default_Permission_Updater
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-09 13:40:42 +02:00
Jan Cholasta
915cd6942c Fix upload of CA certificate to LDAP in CA-less install.
https://fedorahosted.org/freeipa/ticket/4300

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-08 14:04:40 +02:00
Jan Cholasta
0497d163d9 Remove unused method is_master of CAInstance.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:56 +01:00
Jan Cholasta
fd5ef28bf2 Use the same certmonger configuration for both CA masters and clones.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
fac6bf30b6 Merge restart_httpd functionality to renew_ra_cert.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
2c466b79e8 Merge restart_pkicad functionality to renew_ca_cert and remove restart_pkicad.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
b5d082ec4d Make the default dogtag-ipa-ca-renew-agent behavior depend on CA setup.
On CA masters, a certificate is requested and stored to LDAP. On CA clones,
the certificate is retrieved from LDAP.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
c3169add3b Store information about which CA server is master for renewals in LDAP.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
6a19738a45 Use dogtag-ipa-ca-renew-agent to track certificates on master CA.
Before, dogtag-ipa-renew-agent was used to track the certificates and the
certificates were stored to LDAP in renew_ca_cert and renew_ra_cert. Since
dogtag-ipa-ca-renew-agent can store the certificates itself, the storage code
was removed from renew_ca_cert and renew_ra_cert.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
babddaaee8 Use dogtag-ipa-ca-renew-agent to retrieve renewed certificates from LDAP.
Before, this was done by dogtag-ipa-retrieve-agent-submit.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:55 +01:00
Jan Cholasta
57f0be7b5d Use certmonger D-Bus API to configure certmonger in CA install.
Before, certmonger was configured by modifying its internal database directly.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:54 +01:00
Jan Cholasta
def727ce56 Show progress when enabling SSL in DS in ipa-server-install output.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:54 +01:00
Jan Cholasta
51caf48ed9 Remove unused method export_ca_cert of dsinstance.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:54 +01:00
Jan Cholasta
9b3055ca41 Upload CA certificate from DS NSS database in CA-less server install.
Before, the file provided in the --root-ca-file option was used directly for
the upload. However, it is the same file which is imported to the NSS
database, so the second code path is not necessary.

Also removed now unused upload_ca_dercert method of dsinstance.

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:54 +01:00
Jan Cholasta
48539b35d7 Use LDAP API to upload CA certificate instead of ldapmodify command.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:54 +01:00
Jan Cholasta
fea7163e87 Move CACERT definition to a single place.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:54 +01:00
Jan Cholasta
4c761108e8 Fix certificate renewal scripts to work with separate CA DS instance.
https://fedorahosted.org/freeipa/ticket/3805

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-25 16:54:54 +01:00
Petr Viktorin
f4de4a2aa7 Add Object metadata and update plugin for managed permissions
The default read permission is added for Netgroup as an example.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-25 14:18:12 +01:00
Petr Viktorin
7c9fa8fad9 ipaserver.install.service: Fix estimated time display
Use basic math rather than timezone conversion to get
minutes and seconds.
Break out the message generation into a small tested function.

https://fedorahosted.org/freeipa/ticket/4242

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2014-03-13 18:15:43 +01:00
Alexander Bokovoy
6195870e82 ipaserver/dcerpc: make sure to always return unicode SID of the trust domain
Trusted domain SID could be obtained through different means. When it is
fetched from the AD DC via LDAP, it needs to be extracted from a default
context and explicitly converted to unicode.

https://fedorahosted.org/freeipa/ticket/4246

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-03-12 18:16:52 +01:00
Petr Vobornik
723166aebe Support OTP in form based auth
OTP requires to use kerberos FAST channel. Ccache with ticket obtained using ipa.keytab is used as an armor.

https://fedorahosted.org/freeipa/ticket/3369

Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
2014-03-12 17:29:28 +01:00
Martin Kosek
0be66e9a67 ipa-replica-install never checks for 7389 port
When creating replica from a Dogtag 9 based IPA server, the port 7389
which is required for the installation is never checked by
ipa-replica-conncheck even though it knows that it is being installed
from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by
firewall, installation would stuck with no hint to user.

Make sure that the port configuration parsed from replica info file
is used consistently in the installers.

https://fedorahosted.org/freeipa/ticket/4240

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-03-11 17:10:28 +01:00
Alexander Bokovoy
e99fa380af adtrustinstance: make sure to stop and disable winbind in uninstall()
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-28 09:50:14 +01:00
Alexander Bokovoy
3a7ba6013f ipaserver/dcerpc: catch the case of insuffient permissions when establishing trust
We attempt to delete the trust that might exist already. If there are not enough
privileges to do so, we wouldn't be able to create trust at the next step and it will fail.
However, failure to create trust will be due to the name collision as we already had
the trust with the same name before. Thus, raise access denied exception here
to properly indicate wrong access level instead of returning NT_STATUS_OBJECT_NAME_COLLISION.

https://fedorahosted.org/freeipa/ticket/4202

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-02-27 14:33:15 +01:00
Tomas Babej
96f87e548a trusts: Remove usage of deprecated LDAP API
Remove a reference to the old deprecated LDAP API invoked by
the usage of trust_add method.

https://fedorahosted.org/freeipa/ticket/4204

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-27 12:54:37 +01:00
Alexander Bokovoy
090a9669d8 bindinstance: make sure zone manager is initialized in add_master_dns_records
Bind instance is configured using a short-circuited way when replica is set up.
Make sure required properties are in place for that.

https://fedorahosted.org/freeipa/ticket/4186

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-02-26 12:44:56 +01:00
Jan Cholasta
792c3f9c8c Always use real entry DNs for memberOf in ldap2.
https://fedorahosted.org/freeipa/ticket/4192

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-02-24 14:30:23 +01:00
Petr Spacek
dd55e13aa9 Clarify error message about missing DNS component in ipa-replica-prepare.
https://fedorahosted.org/freeipa/ticket/4188

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-02-21 16:04:20 +01:00
Nathaniel McCallum
49038cda9f Add OTP last token plugin
This plugin prevents the deletion or deactivation of the last
valid token for a user. This prevents the user from migrating
back to single factor authentication once OTP has been enabled.

Thanks to Mark Reynolds for helping me with this patch.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 10:26:02 +01:00
Nathaniel McCallum
abb63ed9d1 Add HOTP support
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-02-21 10:26:02 +01:00