Commit Graph

454 Commits

Author SHA1 Message Date
Rob Crittenden
c8846bab25 Improve some error handling in ipa-replica-manage
If you break a replica install after the agreement is created but
before it gets much further you'll be in the situation where an
agreement exists, no cn=masters entry exists, and the RUV may not
be set yet.

This adds some error handling so the broken install can be safely
removed.

https://fedorahosted.org/freeipa/ticket/3444
2013-03-14 13:52:56 -04:00
Martin Kosek
c4ab8dae35 Do not force named connections on upgrades
We used to set connections argument for bind-dyndb-ldap even when
the attribute was not in named.conf. This is not necessary as
the bind-dyndb-ldap plugin chooses a sane default instead of us.
2013-03-14 10:50:24 -04:00
Martin Kosek
7a2d3804af Use tkey-gssapi-keytab in named.conf
Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential
and tkey-domain and replace them with tkey-gssapi-keytab which avoids
unnecessary Kerberos checks on BIND startup and can cause issues when
KDC is not available.

Both new and current IPA installations are updated.

https://fedorahosted.org/freeipa/ticket/3429
2013-03-14 10:50:24 -04:00
Rob Crittenden
9005b9bc8a Extend ipa-replica-manage to be able to manage DNA ranges.
Attempt to automatically save DNA ranges when a master is removed.
This is done by trying to find a master that does not yet define
a DNA on-deck range. If one can be found then the range on the deleted
master is added.

If one cannot be found then it is reported as an error.

Some validation of the ranges are done to ensure that they do overlap
an IPA local range and do not overlap existing DNA ranges configured
on other masters.

http://freeipa.org/page/V3/Recover_DNA_Ranges

https://fedorahosted.org/freeipa/ticket/3321
2013-03-13 10:32:36 -04:00
Petr Viktorin
91a63cce62 Remove ipaserver/ipaldap.py
In addition to removing the module, fix all places where it was imported.

Preparation for: https://fedorahosted.org/freeipa/ticket/3446
2013-03-13 12:36:33 +01:00
Petr Viktorin
6ff20ca2d9 Fix installing server with external CA
Reorganize ipa-server-instal so that DS (and NTP server) installation
only happens in step one.

Change CAInstance to behave correctly in two-step install.

Add an `init_info` method to DSInstance that includes common
attribute/sub_dict initialization from create_instance and create_replica.
Use it in ipa-server-install to get a properly configured DSInstance
for later tasks.

https://fedorahosted.org/freeipa/ticket/3459
2013-03-08 15:42:20 +01:00
Alexander Bokovoy
0b0af8b233 ipa-replica-manage: migrate to single_value after LDAPEntry updates 2013-03-06 16:51:18 +01:00
Jan Cholasta
61c0938c76 Remove support for DN normalization from LDAPClient. 2013-03-01 16:59:47 +01:00
Jan Cholasta
bb36683c84 Use the dn attribute of LDAPEntry to set/get DNs of entries.
Convert all code that uses the 'dn' key of LDAPEntry for this to use the dn
attribute instead.
2013-03-01 16:59:46 +01:00
Petr Viktorin
982b782777 Remove some uses of raw python-ldap
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
2013-03-01 16:59:46 +01:00
Petr Viktorin
29a02a3530 Use IPAdmin rather than raw python-ldap in ipactl
Add a new init argument, ldap_uri, to IPAdmin to make this possible.

Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
2013-03-01 16:59:46 +01:00
Petr Viktorin
334a0cdcdc Remove IPAdmin.unbind_s(), keep unbind()
The unbind and unbind_s functions do the same thing (both are synchronous).

In the low-level IPASimpleLDAPObject, unbind_s rather than unbind is kept.

Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
2013-03-01 16:59:46 +01:00
Petr Viktorin
8f44811a95 Remove search_s and search_ext_s from IPAdmin
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
2013-03-01 16:59:46 +01:00
Petr Viktorin
5184c312f6 replace getEntry with get_entry (or get_entries if scope != SCOPE_BASE)
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
2013-03-01 16:59:45 +01:00
Petr Viktorin
e815c1893d Replace deleteEntry with delete_entry
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
2013-03-01 16:59:45 +01:00
Petr Viktorin
4779865ea3 Replace getList by a get_entries method
The find_entries method is cumbersome to use: it requires keyword arguments
for simple uses, and callers are tempted to ignore the 'truncated' flag
it returns.
Introduce a simpler method, get_entries, that returns the found
list directly, and raises an errors if the list is truncated.
Replace the getList method by get_entries.

Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
2013-03-01 16:59:45 +01:00
Petr Viktorin
f5c404c65d Replace entry.getValue by entry.single_value
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
2013-03-01 16:59:45 +01:00
Petr Viktorin
b69f6983e4 Remove IPAdmin.get_dns_sorted_by_length
A simple sort(key=len) is simpler both implementation-wise and
semantics-wise.

Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
2013-03-01 16:59:44 +01:00
Petr Viktorin
c0a89efd68 Remove some unused imports
Remove all unused LDAP-related imports, plus some other ones.

This should make it easier to quickly check what uses which LDAP wrapper
2013-03-01 16:59:42 +01:00
Petr Viktorin
1821fa0aab Check SSH connection in ipa-replica-conncheck
Since it is not really possible to separate SSH errors from
errors of the called program, add a SSH check before
calling replica-conncheck on the master.

The check also adds the master to a temporary known_hosts file,
so suppressing SSH's warning about unknown host is no longer
necessary. If the "real" connection fails despite the check,
any SSH errors will be included in the output.

https://fedorahosted.org/freeipa/ticket/3402
2013-02-19 17:04:10 -05:00
Jakub Hrozek
d73dd4b683 Allow ipa-replica-conncheck and ipa-adtrust-install to read krb5 includedir
https://fedorahosted.org/freeipa/ticket/3132
2013-02-18 16:50:28 +01:00
Martin Kosek
45c0dd7448 ipa-adtrust-install should ask for SID generation
When ipa-adtrust-install is run, check if there are any objects
that need have SID generated. If yes, interactively ask the user
if the sidgen task should be run.

https://fedorahosted.org/freeipa/ticket/3195
2013-02-12 17:28:42 +01:00
Rob Crittenden
cbb262dc07 Add LDAP server fallback to client installer
Change the discovery code to validate all servers, regardless of where
the originated (either via SRV records or --server). This will prevent
the client installer from failing if one of those records points to a
server that is either not running or is not an IPA server.

If a server is not available it is not removed from the list of configured
servers, simply moved to the end of the list.

If a server is not an IPA server it is removed.

https://fedorahosted.org/freeipa/ticket/3388
2013-02-07 16:49:31 -05:00
Ana Krivokapic
076775a0f8 Take into consideration services when deleting replicas
When deleting a replica from IPA domain:
* Abort if the installation is about to be left without CA
* Warn if the installation is about to be left without DNS

Ticket: https://fedorahosted.org/freeipa/ticket/2879
2013-02-06 16:20:37 -05:00
Petr Viktorin
26c498736e Port ipa-replica-prepare to the admintool framework
Break the script into several smaller methods.

Use modern idioms: os.path.join instead of string addition; the with statement
for closing files.

Add --quiet, --verbose, and --log-file options. Use logging instead of print
statements. (http://freeipa.org/page/V3/Logging_and_output)

Part of: https://fedorahosted.org/freeipa/ticket/2652
Fixes: https://fedorahosted.org/freeipa/ticket/3285
2013-02-01 13:44:59 -05:00
Martin Kosek
893064f613 Use fully qualified CCACHE names
Some parts of install scripts used only ccache name as returned by
krbV.CCache.name attribute. However, when this name is used again
to initialize krbV.CCache object or when it is used in KRB5CCNAME
environmental variable, it fails for new DIR type of CCACHE.

We should always use both CCACHE type and name when referring to
them to avoid these crashes. ldap2 backend was also updated to
accept directly krbV.CCache object which contains everything we need
to authenticate with ccache.

https://fedorahosted.org/freeipa/ticket/3381
2013-02-01 08:13:50 +01:00
Martin Kosek
3ad8d7c1fb Remove unused krbV imports
https://fedorahosted.org/freeipa/ticket/3381
2013-02-01 08:13:17 +01:00
Tomas Babej
0beaad9686 Fix a typo in ipa-adtrust-install help
"Add SIDs for existing users andgroups as the final step" changed
to "Add SIDs for existing users and groups as the final step".
2013-01-31 14:11:30 +01:00
Rob Crittenden
045b6e6ed9 Use new certmonger locking to prevent NSS database corruption.
dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a rewewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're save
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.

Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.

Update the CA ou=People entry when he CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.

https://fedorahosted.org/freeipa/ticket/3292
https://fedorahosted.org/freeipa/ticket/3322
2013-01-29 11:16:38 -05:00
Petr Viktorin
b382a77fc3 Add the CA cert to LDAP after the CA install
The DS is installed before the CA cert is generated. Trying to
add the cert to LDAP before it exists resulted in a nasty-looking
error message.

This moves the cert upload to after the CA cert is ready and the
certdb is created.

Move the cert upload to after thecertdb is generated.

https://fedorahosted.org/freeipa/ticket/3375
2013-01-29 15:42:24 +01:00
Martin Kosek
476aacd699 Upgrade process should not crash on named restart
When either dirsrv or krb5kdc is down, named service restart in
ipa-upgradeconfig will fail and cause a crash of the whole upgrade
process.

Rather only report a failure to restart the service and continue
with the upgrade as it does not need the named service running. Do
the same precaution for pki-ca service restart.

https://fedorahosted.org/freeipa/ticket/3350
2013-01-15 16:35:41 +01:00
Martin Kosek
79bcf904a5 Avoid CRL migration error message
When CRL files are being migrated to a new directory, the upgrade
log may contain an error message raised during MasterCRL.bin symlink
migration. This is actually being caused by `chown' operation which
tried to chown a symlinked file that was not migrated yet.

Sort migrated files before the migration process and put symlinks
at the end of the list. Also do not run chown on the symlinks as
it is a redundant operation since the symlinked file will be
chown'ed on its own.

https://fedorahosted.org/freeipa/ticket/3336
2013-01-11 10:54:10 +01:00
Lynn Root
c481e40d78 Fixed the catch of the hostname option during ipa-server-install
Originally ipa-server-install would still prompt for the hostname even if it's supplied in the initial installation command.

Ticket: https://fedorahosted.org/freeipa/ticket/2692
2012-12-11 11:04:02 +01:00
Martin Kosek
211f6c9046 Stop and disable conflicting time&date services
Fedora 16 introduced chrony as default client time&date synchronization
service:
http://fedoraproject.org/wiki/Features/ChronyDefaultNTP
Thus, there may be people already using chrony as their time and date
synchronization service before installing IPA.

However, installing IPA server or client on such machine may lead to
unexpected behavior, as the IPA installer would configure ntpd and leave
the machine with both ntpd and chronyd enabled. However, since the OS
does not allow both chronyd and ntpd to be running concurrently and chronyd
has the precedence, ntpd would not be run on that system at all.

Make sure, that user is warned when trying to install IPA on such
system and is given a possibility to either not to let IPA configure
ntpd at all or to let the installer stop and disable chronyd.

https://fedorahosted.org/freeipa/ticket/2974
2012-12-07 13:07:36 -05:00
Martin Kosek
867f7691e9 Add OCSP and CRL URIs to certificates
Modify the default IPA CA certificate profile to include CRL and
OCSP extensions which will add URIs to IPA CRL&OCSP to published
certificates.

Both CRL and OCSP extensions have 2 URIs, one pointing directly to
the IPA CA which published the certificate and one to a new CNAME
ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
to all IPA replicas which have CA configured.

The new CNAME is added either during new IPA server/replica/CA
installation or during upgrade.

https://fedorahosted.org/freeipa/ticket/3074
https://fedorahosted.org/freeipa/ticket/1431
2012-12-07 11:00:17 -05:00
Martin Kosek
152585e731 Improve ipa-replica-prepare error message
When DNS zone/record manipulation commands fails for example due to
a ValidationError, ipa-replica-prepapre reports a whole traceback
which is difficult to read. Make sure our error error is more
readable.

https://fedorahosted.org/freeipa/ticket/3283
2012-12-06 08:00:27 +01:00
Rob Crittenden
62e7053a12 Only update the list of running services in the installer or ipactl.
The file is only present in the case of a server installation.

It should only be touched by the server installer and ipactl.

https://fedorahosted.org/freeipa/ticket/3277
2012-12-05 10:44:44 -05:00
Martin Kosek
3896bf370a Change network configuration file
Fedora+systemd changed deprecated /etc/sysconfig/network which was
used by IPA to store static hostname for the IPA machine. See
https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details.

Change Fedora platform files to store the hostname to /etc/hostname
instead.

https://fedorahosted.org/freeipa/ticket/3279
2012-12-05 13:30:31 +01:00
Petr Viktorin
bef251a13c Make ipa-csreplica-manage work with both merged and non-merged DBs
The ipa-csreplica-manage tool often assumed that the port numbers are the
same on both sides of a replication agreement.
This assumption doesn't hold in a cluster with both old-style hosts and
ones with merged DBs.

When managing agreements, determine the port with the PKI (or merged) DS
on each master, and use it.

Also, in CSReplicationManager, always use starttls rather than ldaps://.
2012-11-23 12:19:20 +01:00
Martin Kosek
83ef2e251f Filter suffix in replication management tools
With the new unified Dogtag10 LDAP database, PKI-CA data and the
agreements themselves are now in the main LDAP instance.

Replication management tools now need to properly filter replication
agreements based on the suffix to avoid clashing of agreements of
different types.
2012-11-23 12:19:20 +01:00
Petr Viktorin
17f91dac55 Properly stop tracking certificates on uninstall
Stopping certificate tracking was done as part of the PKI DS uninstall.
Since with the merged DB, thePKI DS is not used any more, this step
was skipped.
Move certificate untracking to a separate step and call it separately.

Also, the post-uninstall check for tracked certificates used the wrong
set of Dogtag constants. Fix the issue.
2012-11-23 12:19:19 +01:00
Petr Viktorin
5fa3455764 Update certmap.conf on IPA upgrades
This brings /etc/dirsrv/slapd-REALM/certmap.conf under IPA control.
The file is overwritten on upgrades.

This ensures that the cert for the ipaca user is recognized when
ipa-ca-install is run on older masters.
2012-11-23 12:19:19 +01:00
Petr Viktorin
1d3ddeff54 Fix schema replication from old masters
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.

Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.

The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.

The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
  The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
  The --skip-schema-check option is added to ipa-{replica,ca}-install to
  override the check.

All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.

https://fedorahosted.org/freeipa/ticket/3213
2012-11-23 12:19:19 +01:00
Ade Lee
18a210996d Changes to use a single database for dogtag and IPA
New servers that are installed with dogtag 10 instances will use
a single database instance for dogtag and IPA, albeit with different
suffixes.  Dogtag will communicate with the instance through a
database user with permissions to modify the dogtag  suffix only.
This user will authenticate using client auth using the subsystem cert
for the instance.

This patch includes changes to allow the creation of masters and clones
with single ds instances.
2012-11-23 12:19:19 +01:00
Rob Crittenden
f1f1b4e7f2 Enable transactions by default, make password and modrdn TXN-aware
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.

Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).

Fix some unit tests that are failing because we actually get the data
now due to transactions.

Add small bit of code in user plugin to retrieve the user again
ala wait_for_attr but in the case of transactions we need do it only
once.

Deprecate wait_for_attr code.

Add a memberof fixup task for roles.

https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
2012-11-21 14:55:12 +01:00
Sumit Bose
b204881ab9 ipa-adtrust-install: allow to reset te NetBIOS domain name
Fixes https://fedorahosted.org/freeipa/ticket/3192
2012-11-08 08:18:14 +01:00
Rob Crittenden
23cfc9bd11 Handle the case where there are no replicas with list-ruv
This assumed that at least was returned by LDAP. This is not the case
if no replicas have ever been created.

https://fedorahosted.org/freeipa/ticket/3229
2012-11-07 10:01:04 +01:00
Jan Cholasta
85a0cdeb69 Reword description of the --passsync option of ipa-replica-manage.
https://fedorahosted.org/freeipa/ticket/3208
2012-11-02 10:12:00 -04:00
Simo Sorce
7f272a39b6 Get list of service from LDAP only at startup
We check (possibly different) data from LDAP only at (re)start.
This way we always shutdown exactly the services we started even if the list
changed in the meanwhile (we avoid leaving a service running even if it was
removed from LDAP as the admin decided it should not be started in future).

This should also fix a problematic deadlock with systemd when we try to read
the list of service from LDAP at shutdown.
2012-11-01 10:58:19 -04:00
Rob Crittenden
3d7ff982ec After unininstall see if certmonger is still tracking any of our certs.
Rather than providing a list of nicknames I'm going to look at the NSS
databases directly. Anything in there is suspect and this will help
future-proof us.

certmonger may be tracking other certificates but we only care about
a subset of them, so don't complain if there are other tracked certificates.

This reads the certmonger files directly so the service doesn't need
to be started.

https://fedorahosted.org/freeipa/ticket/2702
2012-11-01 10:52:36 -04:00