ipa help code invokes pager if help lines length is more then
current terminal height.
https://pagure.io/freeipa/issue/7225
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
When definining a topology of a forest to be visible over a cross-forest
trust, we set *.<forest name> as all-catch top level name already.
This means that all DNS subdomains of the forest will already be matched
by this top level name (TLN). If we add more TLNs for subdomains, Active
Directory will respond with NT_STATUS_INVALID_PARAMETER.
Filter out all subdomains of the forest root domain. All other realm
domains will be added with explicit TLN records.
Also filter out single label domains. These aren't possible to add as
TLNs to Windows Server 2016 as it considers them incorrect. Given that
we do not allow single lable domains as part of freeIPA installs, this
is another layer of protection here.
Fixes https://pagure.io/freeipa/issue/6666
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Prepare CertDB and NSSDatabase to support sqlite DB format. NSSDatabase
will automatically detect and use either old DBM or new SQL format. Old
databases are not migrated yet.
https://pagure.io/freeipa/issue/7049
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* Bump PKI to 10.5.1-2, which fixes an issue with KRA under Python 3
* Correct encoding of secret
https://pagure.io/freeipa/issue/7033
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
/etc/pki/pki-tomcat/password.conf contains additional passwords like
replicadb. ipa-custodia does not need these passwords.
/etc/pki/pki-tomcat/alias/pwdfile.txt holds the passphrase for Tomcat's
NSSDB. The file also simplifies implementation because it removes
another temporary file.
pwdfile.txt is created by CAInstance.create_certstore_passwdfile()
Related: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
In "test_invalid_ds_cn" test case an old invalid http.p12 cert
is used as a leftover after previous "test_invalid_http_cn" test.
Get new valid http.p12 cert using create_pkcs12().
Also use server-badname cert instead of cert for replica.
This explicitly ensures a non-matching hostname/SAN rather than
implicitly by using a certificate for the replica.
https://pagure.io/freeipa/issue/7254
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixes an error where we were getting domain_level None and after
switching to Py3 we hit TypeError because of comparing None and int.
https://pagure.io/freeipa/issue/7254
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Instead of symlinks and build-time configuration the ipaplatform module
is now able to auto-detect platforms on import time. The meta importer
uses the platform 'ID' from /etc/os-releases. It falls back to 'ID_LIKE'
on platforms like CentOS, which has ID=centos and ID_LIKE="rhel fedora".
The meta importer is able to handle namespace packages and the
ipaplatform package has been turned into a namespace package in order to
support external platform specifications.
https://fedorahosted.org/freeipa/ticket/6474
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ignore_import_errors was added in 9b534238 to build FreeIPA ACI/API with
some dependencies missing. It turns out that the import hook doesn't
play nice with other meta importers or Cython-generated code like lxml:
./makeaci: ipaserver/plugins/dogtag.py:246: ignoring ImportError: No module named lxml.re
Traceback (most recent call last):
File "./makeaci", line 134, in <module>
main(options)
File "./makeaci", line 107, in main
api.finalize()
File "ipalib/plugable.py", line 733, in finalize
self.__do_if_not_done('load_plugins')
File "ipalib/plugable.py", line 425, in __do_if_not_done
getattr(self, name)()
File "ipalib/plugable.py", line 614, in load_plugins
self.add_package(package)
File "ipalib/plugable.py", line 641, in add_package
module = importlib.import_module(name)
File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
__import__(name)
File "ipaserver/plugins/dogtag.py", line 246, in <module>
from lxml import etree
File "src/lxml/etree.pyx", line 93, in init lxml.etree
File "src/lxml/_elementpath.py", line 58, in init lxml._elementpath
AttributeError: 'FailedImport' object has no attribute 'compile'
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
https://pagure.io/freeipa/issue/7247
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Use only python3 dependencies when building server-trust-ad for python3.
Fixes: https://pagure.io/freeipa/issue/7208
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When building the package with for python3, use only python3
dependencies. Changed:
python -> python2 / python3
python-gssapi -> python2-gssapi / python3-gssapi
python-ldap -> python-ldap / python3-pyldap
systemd-python -> python2-systemd / python3-systemd
Fixes: https://pagure.io/freeipa/issue/7208
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When some users are setting the umask to 0027 due to security
policies ipa-restore will result not working dirsrv.
So a fix is to temporary set umask to 0022 while ipa-restore is
running.
https://pagure.io/freeipa/issue/6844
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Move collect_logs function from util to avoid a circular import.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
pytest_multihost does not support binary stdout stream yet,
https://pagure.io/python-pytest-multihost/issue/7 . Write logs to
temporary file and use host.get_file_content() to fetch them.
https://pagure.io/freeipa/issue/7131
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Change eb6d4c3037 deferred the
detailed lookup until all certs were collected but introduced
a bug where the ra backend was always retrieved. This generated a
backtrace in a CA-less install because there is no ra backend in
the CA-less case.
The deferral also removes the certificate value from the LDAP
search output resulting in only the serial number being displayed
unless --all is provided. Add a new class variable,
self.ca_enabled, to add an exception for the CA-less case.
Fixes https://pagure.io/freeipa/issue/7202
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This fix adds additional prompt which was missing previously
in test_interactive_missing_ds_pkcs_password and
test_interactive_missing_http_pkcs_password under CA-less integration
testsuite.
Fixes: https://pagure.io/freeipa/issue/7182
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Changing the --forwarder option to accept a loopback IP.
Previously, an error would be raised, now we just show a
warning message.
Fixes: https://pagure.io/freeipa/issue/5801
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Adds validation to prevent user to install ipa with single label
domain.
https://pagure.io/freeipa/issue/7207
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
In order to stop tracking LDAP server cert, ipa-restore is using
dse.ldif to find the certificate name. But when ipa-server-install
--uninstall has been called, the file does not exist, leading to a
IOError exception (regression introduced by 87540fe).
The ipa-restore code properly catches the exception in python3 because
IOError is a subclass of OSError, but in python2 this is not the case.
The fix catches IOError and OSError to work properly with both version.
Fixes:
https://pagure.io/freeipa/issue/7231
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
RADIUS, which is also internally used in the process of OTP
authentication by ipa-otpd, requires MD5 checksums which
makes it impossible to be used in FIPS mode. Don't allow users
setting OTP or RADIUS authentication if in FIPS mode.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Bug Description:
When adding an entry, ipa-uuid plugin may generate a unique value
for some of its attribute.
If the generated attribute is part of the RDN, the target DN
is replaced on the fly and the previous one freed.
Unfortunately, previous DN may be later used instead of
the new one.
Fix Description:
Make sure to use only the current DN of the operation
https://bugzilla.redhat.com/show_bug.cgi?id=1496226https://pagure.io/freeipa/issue/7227
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The man page does not provide enough information about replicated
environments and the use of the -r option.
This fix adds an example how to use the same keytab on 2 different
hosts, and points to ipa {service/host}-allow-retrieve-keytab.
Fixes:
https://pagure.io/freeipa/issue/7237
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Bytes would cause the logger to throw up while interpolating the
string.
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
CA-less tests debug logging uses representation of a variable
containing the certificate object, which does not help very much.
Use the actual DER representation of the certificate on such places.
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
host-find <host_name> command performance gets deteriorated when
there's way too many hosts in the LDAP tree. We're adding indices
to try and mitigate this behavior.
https://pagure.io/freeipa/issue/6371
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add NTP, ipa-ca and ADTrust system records tests. Also test if
changes are being reflected when uninstalling a host.
The test cases are added as extension into test_dns_locations suite.
https://pagure.io/freeipa/issue/6091
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When running test_caless suite in py3 we need to open CA cert in
binary mode so we can provide bytes later for python-cryptography.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Decode get_file_contents() in order to not get bytes when running py3
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The pytests_plugins/integration/config.py::Config class
provides the get_logger method in order to customize the
default log of the plugin.
Previously, before commit 07229c8ff6,
the code was using ipa_log_manager, a custom log solution. After
moving to use the default python way, the log is not configured anymore.
This PR address it changing the level to DEBUG in order to capture
the output of pytest_multihosts commands.
As an example, when running `ipa-server-install`, you will be able
to see an output like this:
```
[[...].Host.master.cmd2] Checking DNS domain ipa.test, please wait ...
[[...].Host.master.cmd2]
[[...].Host.master.cmd2] The log file for this installation can be found in /var/log/ipaserver-install.log
[[...].Host.master.cmd2] ==============================================================================
[[...].Host.master.cmd2] This program will set up the FreeIPA Server.
[[...].Host.master.cmd2]
[[...].Host.master.cmd2] This includes:
[[...].Host.master.cmd2] * Configure a stand-alone CA (dogtag) for certificate management
[[...].Host.master.cmd2] * Configure the Network Time Daemon (ntpd)
[[...].Host.master.cmd2] * Create and configure an instance of Directory Server
[[...].Host.master.cmd2] * Create and configure a Kerberos Key Distribution Center (KDC)
```
Fixes: https://pagure.io/freeipa/issue/7186
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Since test_external_ca isn't using the multihost framework,
logs collection has to be set up explicitly.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
ipa-replica-conncheck is using the socket methods sendall()
and sendto() with str. Theses methods expect str params in
python2 but bytes in python3.
Related to
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Adding notice for user to restart services after
ipa-server-certinstall.
https://pagure.io/freeipa/issue/7016
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The caJarSigningCert profile was used for issuing the object signing
certificate for signing the Firefox auto-configuration extension
(XPI). We removed the extension and object signing certificate some
time ago, so remove the profile and the related code that sets it
up.
Fixes: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The CertDB.issue_signing_cert method was used to issue the object
signing cert for signing the Firefox auto-configuration extension
(XPI). We removed the extension and certificate some time ago, and
the method is now unused so remove it.
Part of: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
We added MIME types for JAR and XPI files, which were needed for
correct handling of the Firefox auto-configuration plugin. The
plugin was removed some time ago, so remove the media type
definitions.
Part of: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The x509.subject_base() function is only used in tests. During
the recent certificate refactoring, we had to get rid of the
ipalib.x509 import from the module scope so that there were no
circular dependecies and add it exactly to this funcion which
is not used in the production code.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
We don't need the strip_header() function, to load an unknown
x509 certificate, load_unknown_x509_certificate() should be used.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
As man page already does it, update the help text to show REPLICA_FILE
as optional.
Fixes https://pagure.io/freeipa/issue/7223
Signed-off-by: Rishabh Dave <rishabhddave@gmail.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
ipa-replica-conncheck can be called with --principal / --password or
with an existing Kerberos credential cache in order to supply the
authorized identity logging in to the master machine (in
auto-master-check mode).
In domain-level 0, the tool is called with --principal and password
and tries to obtain a TGT by performing kinit, but does not set the
env var KRB5CCNAME. Subsequent calls to IPA API do not use the
credential cache and fail. In this case, ipa-replica-conncheck falls
back to using SSH to check master connectivity instead of IPA API,
and the ssh check is less robust.
The code should set the KRB5CCNAME env var for IPA API to use the
credential cache.
Fixes:
https://pagure.io/freeipa/issue/7221
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixed ipa-restore code to get rid of bytes related TypeError and
to get ipa-restore work again.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
