If a server with a CA has been marked as hidden and
contains the last A or AAAA address then that address
would remain in the ipa-ca entry.
This is because update-dns-system-records did not delete
values, it just re-computed them. So if no A or AAAA
records were found then the existing value was left.
Fixes: https://pagure.io/freeipa/issue/9195
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Replace comparisons of "if value" with "if value is not None"
in order to handle 0.
Add a short reference to the man page to indicat that a cert
or request retention time of 0 means remove at the next
execution.
Also indicate that the search time limit is in seconds.
Fixes: https://pagure.io/freeipa/issue/9325
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Configures PKI to remove expired certificates and non-resolved
requests on a schedule.
This is geared towards ACME which can generate a lot of certificates
over a short period of time but is general purpose. It lives in
ipa-acme-manage because that is the primary reason for including it.
Random Serial Numbers v3 must be enabled for this to work.
Enabling pruning enables the job scheduler within CS and sets the
job user as the IPA RA user which has full rights to certificates
and requests.
Disabling pruning does not disable the job scheduler because the
tool is stateless. Having the scheduler enabled should not be a
problem.
A restart of PKI is required to apply any changes. This tool forks
out to pki-server which does direct writes to CS.cfg. It might
be easier to use our own tooling for this but this makes the
integration tighter so we pick up any improvements in PKI.
The "cron" setting is quite limited, taking only integer values
and *. It does not accept ranges, either - or /.
No error checking is done in PKI when setting a value, only when
attempting to use it, so some rudimentary validation is done.
Fixes: https://pagure.io/freeipa/issue/9294
Signed-off-by: Rob Crittenden rcritten@redhat.com
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The automember-rebuild task may require high CPU usage
if many users/hosts/groups are processed.
Add a note in the ipa automember-rebuild CLI output
and in the WebUI confirmation message.
Fixes: https://pagure.io/freeipa/issue/9320
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
When ipa trust-add is executed with --range-type ad-trust-posix,
the server tries to find the max uidnumber and max gidnumber
from AD domain controller.
The values are extracted from the entry
CN=<domain>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,<AD suffix>
in the msSFU30MaxUidNumber and msSFU30MaxGidNumber attributes.
msSFU30MaxUidNumber is required but not msSFU30MaxGidNumber.
In case msSFU30MaxGidNumber is missing, the code is currently assigning
a "None" value and later on evaluates the max between this value and
msSFU30MaxUidNumber. The max function cannot compare None and a list
of string and triggers an exception.
To avoid the exception, assign [b'0'] to max gid if msSFU30MaxGidNumber
is missing. This way, the comparison succeeds and max returns the
value from msSFU30MaxUidNumber.
Fixes: https://pagure.io/freeipa/issue/9310
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The installer is currently creating the samba domain object
before it adds the RID base and secondary RID base. As a consequence,
there is a window during which the sidgen plugin is active but
unable to generate SIDs (it requires the samba domain object to
find the domain SID and RID base to know where to start from).
There is no direct impact except the error log of 389ds that reports
ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
This fix configures the RID base and secondary RID base before the
domain object is created, thus removing this window.
Fixes: https://pagure.io/freeipa/issue/9309
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
https://pylint.pycqa.org/en/latest/user_guide/messages/convention/unnecessary-lambda-assignment.html:
> Used when a lambda expression is assigned to variable rather than
defining a standard function with the "def" keyword.
https://peps.python.org/pep-0008/#programming-recommendations:
> Always use a def statement instead of an assignment statement that
binds a lambda expression directly to an identifier:
def f(x): return 2*x
f = lambda x: 2*x
The first form means that the name of the resulting function object is
specifically ‘f’ instead of the generic ‘<lambda>’. This is more useful
for tracebacks and string representations in general. The use of the
assignment statement eliminates the sole benefit a lambda expression can
offer over an explicit def statement (i.e. that it can be embedded
inside a larger expression)
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
> Emitted when a local variable is accessed before its assignment took
place. Assignments in try blocks are assumed not to have occurred when
evaluating associated except/finally blocks. Assignments in except
blocks are assumed not to have occurred when evaluating statements
outside the block, except when the associated try block contains a
return statement.
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
`pipes` module is deprecated as of Python 3.11.
https://docs.python.org/3/library/pipes.html#module-pipes:
> Deprecated since version 3.11, will be removed in version 3.13: The
pipes module is deprecated (see PEP 594 for details).
IPA code used only `quote` function from `pipes` that in turn is
the alias for `shlex.quote` since Python 3.3:
9bce311ea4
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Most of `cyclic-import` issues reported by Pylint are false-positive
and they are already handled in the code, but several ones are the
actual errors.
Fixes: https://pagure.io/freeipa/issue/9232
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
The newer version of pylint has fixed false positives and
does not need anymore these suppressions:
- global-variable-not-assigned
- invalid-sequence-index
- no-name-in-module
- not-callable
- unsupported-assignment-operation
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
The config file /var/kerberos/krb5kdc/kdc.conf is customized
during IPA server installation with a list of supported
encryption types.
In FIPS mode, camellia encryption is not supported and should
be filtered out. Because of a typo in the filtering method,
the camellia encryptions are appended while they should not.
Fix the typo (camelia vs camellia) in order to filter properly.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The PKCS12 MAC requires PKCS12KDF which is not an approved FIPS
algorithm and cannot be supported by the FIPS provider.
Do not require mac verification in FIPS mode: append the option
--nomacver to the command openssl pkcs12 used to extract a pem file
or a key from a p12 file.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The IPA location system relies on DNS record priorities in order to give
higher precedence to servers from the same location. For Kerberos, this
is done by redirecting generic SRV records (e.g.
_kerberos._udp.[domain].) to location-aware records (e.g.
_kerberos._udp.[location]._locations.[domain].) using CNAMEs.
This commit applies the same logic for URI records. URI location-aware
record were created, but there were no redirection from generic URI
records. It was causing them to be ignored in practice.
Kerberos URI and TXT records have the same name: "_kerberos". However,
CNAME records cannot coexist with any other record type. To avoid this
conflict, the generic TXT realm record was replaced by location-aware
records, even if the content of these records is the same for all
locations.
Fixes: https://pagure.io/freeipa/issue/9257
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets.
This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but
setting AES as default ended-up breaking backwards compatibility with older RHEL systems.
This commit is tuning some defaults so that interoperability with older RHEL systems
works again. The new logic reflects:
- when an old client is calling a new server, it doesn't send any value for wrapping_algo
and the old value is used (3DES), so that the client can decrypt using 3DES.
- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC
- when a new client is calling an old server, it doesn't send any value and the default is
to use 3DES.
Finally, as this logic is able to handle overlapping wrapping algorithm between server and
client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa
vault-retrieve --help" commands.
Fixes: https://pagure.io/freeipa/issue/9259
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Extend the 'make api' target so that we also build an API Reference in
Markdown format. One template for each command gets generated. These
templates include all of the command details (arguments, options and
outputs), and then a section for manually-added notes such as semantics
or version differences. Every time the docs are regenerated, these notes
will be added if they exist.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The default ID generators used by PKI might change in the
future, so to preserve the current behavior the installation
code has been updated to explicitly use the legacy ID
generators by default.
Signed-off-by: Endi S. Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
A warning message (regarding the SOA serial deprecation) is shown
on the webui and CLI every time a new DNS zone is added (even if the
'--serial' option is not being explicitly set) or the SOA serial is modified.
This should be managed by setting the 'idnssoaserial' as deprecated and
not required parameter.
Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
ipa-cacert-manage prune is removing the expired certs one
at a time and this may result in verifying that one of
the expired certs is still valid.
As a consequence, ipa-cacert-manage prune always fails
when more than 1 cert are expired.
To avoid the issue, remove all the expired certs in a single
pass, and validate only the ones that would remain after full
pruning.
Fixes: https://pagure.io/freeipa/issue/9244
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
It was defined as an unsigned value (2**32) because it
originally was. During the review an additional setting of
disabled (-1) was added so the value needed to be signed.
The upper bound needs to be 2**31 which is provided by
the xmlrpc client MAXINT import.
Fixes: https://pagure.io/freeipa/issue/9243
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
When Kerberos principal alias is used to login to a Web UI, we end up
with a request that is authenticated by a ticket issued in the alias
name but metadata processed for the canonical user name. This confuses
RPC layer of Web UI code and causes infinite loop to reload the page.
Fix it by doing two things:
- force use of canonicalization of an enterprise principal on server
side, not just specifying that the principal is an enterprise one;
- recognize that a principal in the whoami()-returned object can have
aliases and the principal returned by the server in the JSON response
may be one of those aliases.
Fixes: https://pagure.io/freeipa/issue/9226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
If an existing group policy lacks a password grace limit
update it to -1 on upgrade.
Fixes: https://pagure.io/freeipa/issue/9212
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This will retain previous behavior of unlimited LDAP BIND
post-expiration.
Fixes: https://pagure.io/freeipa/issue/9212
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
There are currently three sets of CA schema changes applied
in ipa-server-upgrade:
* addition of ACME schema
* addition of certificate profile schema
* addition of lightweight CA schema
None of these require a restart of the CA to be supported.
There is an issue in schema parsing such that it doesn't handle
X-ORIGIN properly. A difference is detected and a change applied
but no change is recorded in LDAP so every time upgrade is
run it thinks a CA restart is needed. The CA is not quick to
restart so avoiding one is best, particularly when the update is
run as part of an rpm transaction where a user with an itchy finger
may think things have hung and break out of it.
https://github.com/389ds/389-ds-base/issues/5366 was
filed to track this.
Related: https://pagure.io/freeipa/issue/9204
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
With the fix for https://pagure.io/freeipa/issue/9171,
nsds5replicaUpdateInProgress is now handled as a boolean.
One remaining occurrence was still handling it as a string
and calling lower() on its value.
Replace with direct boolean comparison.
Fixes: https://pagure.io/freeipa/issue/9218
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
An ACI with rights of read, write, search and/or compare without
attributes to apply the rights to is effectively a no-op. Allow
the ACI to be created but include a warning. Ignore the add
and delete rights. While they make no sense in the context of
the other rights we should still warn that they are a no-op
with no attributes.
Use the existing make_aci() object method to create the
message and update the add/mod callers to capture and add the
message to the result if one is provided.
When updating an existing ACI the effective attributes will
not be included so fall back to the attributes in the resulting
permission.
Prior to checking for rights and attributes convert any deprecated
names for older clients into the newer values needed by make_aci
This is exercised by existing xmlrpc permission tests that
create such permissions without attributes.
https://pagure.io/freeipa/issue/9188
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
In the memory check failure message, add a hint to the administrator
that they can use the --skip-mem-check flag to skip the check.
Related: https://pagure.io/freeipa/issue/8404
Signed-off-by: Fraser Tweedale <frase@frase.id.au>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
When ipa user-del --preserve is called, the command output
prints a summary with:
Deleted user: user1
although the user was preserved.
Replace the summary with
Preserved user: user1
to reflect what was actually done.
Fixes: https://pagure.io/freeipa/issue/9187
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
For ID overrides 'ipaOriginalUid' value should be the human-readable
version of the ID override anchor. Since we would have it already set in
the ID override entry, prefer using it instead of looking up the
override anchor.
This should speed up significantly operations which list all ID
overrides in the view, like Web UI views.
Fixes: https://pagure.io/freeipa/issue/9178
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The LDAP cache log is rather chatty and a bit overwhelming when
looking for error messages. Disable it by default but allow it
to be enabled when a new config option, ldap_cache_debug, is
enabled.
Fixes: https://pagure.io/freeipa/issue/9180
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
PKI 10.10 unconditionally added an upgrade script for the AJP
connector which replaced the AJP secret regardless of tomcat
version. It replaced requiredSecret with secret. IPA expects
the attribute by version so this could make the secrets out of
date and/or have connectors with both secrets and different
values.
PKI commit e70373ab131aba810f318c1d917896392b49ff4b has since
been reverted but there may be servers with both secrets still.
On next IPA upgrade clean them up.
Also allow re-writing ipa-pki-proxy.conf in case the secret
changes to ensure they remain in sync.
Fixes: https://pagure.io/freeipa/issue/9176
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
nsds5replicaUpdateInProgress is defined in LDAP schema as a boolean.
Now that IPA API is able to properly map booleans to the python
bool type, this attribute is not a string any more and
comparisons can be done directly based on its real type.
The code in ipa-replica-install was reading nsds5replicaUpdateInProgress
and calling value.tolower() == 'true' but should now use
value == True instead.
Related: https://pagure.io/freeipa/issue/9171
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In IPA framework we don't properly convert to Python bool type and just
return a string (TRUE or FALSE). This can be seen with many boolean
attributes, like
Bool('idnsallowdynupdate?',
cli_name='dynamic_update',
label=_('Dynamic update'),
doc=_('Allow dynamic updates.'),
attribute=True,
default=False,
autofill=True
),
in 'ipa dnszone-show':
> > > api.Command.dnszone_show('ipa.test')['result']['idnsallowdynupdate']
['TRUE']
This is because we don't have the reverse (from LDAP to Python) mapping
for the LDAP boolean OID 1.3.6.1.4.1.1466.115.121.1.7.
When Web UI asks for the entry, it gets back JSON output that contains
this 'TRUE' value:
"idnsallowdynupdate": [
"TRUE"
],
Add proper mapping from LDAP to Python bool type. With this, a simple
'checkbox' type can be used in Web UI instead of a complex radio-box
setup.
Note that when IPA API is asked to return raw values, 'TRUE' and 'FALSE'
still returned. These are the actual LDAP boolean attribute values. Care
needs to be done in tests:
- if output is from a command with --raw option, 'TRUE' or 'FALSE'
should be expected
- if output if from a normal (non-raw) command, True or False would be
returned
Fixes: https://pagure.io/freeipa/issue/9171
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Transmitting a big integer like a random serial number over
either xmlrpc or JSON is problematic because they only support
32-bit integers at best. A random serial number can be as big
as 128 bits (theoretically 160 but dogtag limits it).
Treat as a string instead. Internally the value can be treated
as an Integer to conversions to/from hex as needed but for
transmission purposes handle it as a string.
Fixes: https://pagure.io/freeipa/issue/2016
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Don't assume that all objectclasses are lower-case. Some are
camel-cased.
Fixes: https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This will retain existing behavior where LDAP passwords are
allowed to bind past expiration.
Fixes: https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The graceperiod plugin was only being enabled on new
installations. Enable also on upgrade.
Loading a new plugin requires a restart. Do so if a
new one is configured.
Fixes: https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Treat this like other failed login attributes and don't
replicate them.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>