Commit Graph

5543 Commits

Author SHA1 Message Date
Petr Vobornik
696fce5c8d Configuration pages changed to use new FF extension
browserconfig.html was changed to use new FF extension. The page is completely Firefox specific therefore the title was changed from 'Configure browser' to 'Firefox configuration'. Instruction to import CA cert in unauthorized.html are FF specific too, so they were moved to browserconfig.html. Unauthorized.html text was changed to distinguish FF config and other browsers. Now the page shows link for FF (browserconfig.html) and other browsers (ssbrowser.html). Ssbrowser.html should be enhanced by more configurations and browsers later [1].

Old configuration method was moved to ssbrowser.html.

Unauthorized dialog in Web UI now links to http://../unauthorized.html instead of https. This change is done because of FF strange handling of extension installations from https sites [2]. Firefox allows ext. installation from https sites only when the certificate is signed by some build-in CA. To allow custom CAs an option in about:config has to be changed which don't help us at all because we wants to avoid manual changes in about:config.

The design of browserconfig is inspired by Kyle Baker's design (2.1 Enhancements_v2.odt). It is not exactly the same. Highlighting of the steps wasn't used because in some cases we can switch some steps.

Ticket: https://fedorahosted.org/freeipa/ticket/3094

[1] https://fedorahosted.org/freeipa/ticket/823
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=688383
2012-10-04 18:08:26 -04:00
Petr Vobornik
247a3a43b7 Build and installation of Kerberos authentication extension
This patch is adding a build of kerberosauth.xpi (FF Kerberos authentication extension).

Currently the build is done in install phase of FreeIPA server. It is to allow signing of the extension by singing certificate. The signing might not be necessary because the only outcome is that in extension installation FF doesn't show that the maker is not verified. It shows text: 'Object signing cert'. This might be a bug in httpinstance.py:262(db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)) The value is in place of hostname parameter.

If the extension is not signed, it can be created in rpm build phase, which should make upgrades easier. Current implementation doesn't handle upgrades yet.

In order to keep extension and config pages not dependent on a realm, a krb.js.teplate file was created. This template is used for creating a /usr/share/ipa/html/krb.js file in install phase which holds FreeIPA's realm and domain information. This information can be then used by config pages by importing this file.

Ticket: https://fedorahosted.org/freeipa/ticket/3094
2012-10-04 18:08:04 -04:00
Petr Vobornik
206b6ca04b Kerberos authentication extension makefiles
Makefiles for new FF kerberos authentication extension

ihttps://fedorahosted.org/freeipa/ticket/3094
2012-10-04 18:07:34 -04:00
Petr Vobornik
b4e19509c0 Kerberos authentication extension
The extension should replace signed code (configure.jar) used for Firefox configuration. Using privileged code is not possible since Firefox 15 [1] [2]. Extension is bootstrapped which means it can be used without browser restart on Firefox 4 and later.

How it works:
Extension listens on each page's document element for event 'kerberos-auth-config' which should be raised on custom data element. Communication data is transferred through data element's attributes [3]. The only required attribute is 'method'. Currently there are two possible values: 'configure' and 'can_configure'.
'can_configure' method serves for detecting if the extension is installed. 'configure' method does the actual configuration. Possible optional options for 'configure' can be found in kerberosauth.js:kerberosauth.config_options. Currently they are: 'referer', 'native_gss_lib', 'trusted_uris', 'allow_proxies'. Result of a method is stored in data element's 'answer' attribute. When 'configure' method is used, the extension asks the user if he wants to configure the browser, it should prevent silent configuration by malicious pages.

Possible enhancement:
* add UI for manual edit
* more configurations ie. for gss_lib, sspi (good with UI or with enhanced config page)
* introspection of client (read ipa client install config and such)

Ticket: https://fedorahosted.org/freeipa/ticket/3094

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=546848
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=757046
[3] https://developer.mozilla.org/en-US/docs/Code_snippets/Interaction_between_privileged_and_non-privileged_pages
2012-10-04 18:07:29 -04:00
Alexander Bokovoy
459c83fb75 Support python-ldap 2.3 way of making LDAP control
This strange patch is to accomodate both python-ldap 2.3 and later versions.
There was refactoring in python-ldap support for LDAP controls that split
base class into two different, changing properties and method signatures.

Luckily, we don't use any values passed to encodeControlValue.
2012-10-04 17:00:56 +02:00
Sumit Bose
a72064c377 ipa-adtrust-install: remove wrong check for dm_password
Additionally this patch removes a comment which makes no sense at this
place anymore.

Fixes https://fedorahosted.org/freeipa/ticket/3023
2012-10-04 13:05:48 +02:00
Rob Crittenden
5bf1cee702 Clear kernel keyring in client installer, save dbdir on new connections
This patch addresses two issues:

1. If a client is previously enrolled in an IPA server and the server
   gets re-installed then the client machine may still have a keyring
   entry for the old server. This can cause a redirect from the
   session URI to the negotiate one. As a rule, always clear the keyring
   when enrolling a new client.

2. We save the NSS dbdir in the connection so that when creating a new
   session we can determine if we need to re-initialize NSS or not. Most
   of the time we do not. The dbdir was not always being preserved between
   connections which could cause an NSS_Shutdown() to happen which would
   fail because of existing usage. This preserves the dbdir information when
   a new connection is created as part of the session mechanism.

https://fedorahosted.org/freeipa/ticket/3108
2012-10-03 19:22:00 +02:00
Petr Viktorin
9c0426c3ed Wait for secure Dogtag ports when starting the pki services
Dogtag opens not only the insecure port (8080 or 9180, for d10 and
d9 respectively), but also secure ports (8443 or 9443&9444).
Wait for them when starting.

Part of the fix for https://fedorahosted.org/freeipa/ticket/3084
2012-10-03 17:38:42 +02:00
Martin Kosek
0c2d0bb2b0 Fill ipakrbprincipalalias on upgrades
From IPA 3.0, services have by default ipakrbprincipal objectclass which
allows ipakrbprincipalalias attribute used for case-insensitive principal
searches. However, services created in previous version do not have
this objectclass (and attribute) and thus case-insensitive searches
may return inconsistent results.

Fill ipakrbprincipalalias on upgrades for all 2.x services. Also treat
Treat the ipakrbprincipal as optional to avoid missing services in
service-find command if the upgrade fails for any reason.

https://fedorahosted.org/freeipa/ticket/3106
2012-10-02 15:17:42 -04:00
Tomas Babej
682edbf215 Restrict admins group modifications
Group-mod command no longer allows --rename and/or --external
changes made to the admins group. In such cases, ProtectedEntryError
is being raised.

https://fedorahosted.org/freeipa/ticket/3098
2012-10-03 13:22:46 +02:00
Sumit Bose
bdf5f464d7 Add --rid-base and --secondary-rid-base to ipa-adtrust-install man page
Fixes https://fedorahosted.org/freeipa/ticket/3038
2012-10-03 10:14:00 +02:00
Sumit Bose
e15a1c627d Enhance description of --no-msdcs in man page
Fixes https://fedorahosted.org/freeipa/ticket/2972
2012-10-03 10:14:00 +02:00
Sumit Bose
029300db79 Add man page paragraph about running ipa-adtrust-install multiple times
Fixes https://fedorahosted.org/freeipa/ticket/2967
2012-10-03 10:14:00 +02:00
Tomas Babej
0edeb9b01d Improve user addition to default group in user-add
On adding new user, user-add tries to make it a member of default
user group. This, however, can raise AlreadyGroupMember when the
user is already member of this group due to automember rule or
default group configured. This patch makes sure AlreadyGroupMember
exception is caught in such cases.

https://fedorahosted.org/freeipa/ticket/3097
2012-10-03 09:39:15 +02:00
Martin Kosek
43f4ca710b Only use service PAC type as an override
PAC type (ipakrbauthzdata attribute) was being filled for all new
service automatically. However, the PAC type attribute was designed
to serve only as an override to default PAC type configured in
IPA config. With PAC type set in all services, users would have
to update all services to get new PAC types configured in IPA config.

Do not set PAC type for new services. Add new NONE value meaning that
we do not want any PAC for the service (empty/missing attribute means
that the default PAC type list from IPA config is read).

https://fedorahosted.org/freeipa/ticket/2184
2012-10-03 08:53:41 +02:00
Martin Kosek
941d1e8701 Do not produce unindexed search on every DEL command
Every <plugin>-del command executes an "(objectclass=*)" search
to find out if a deleted node has any child nodes which would need
to be deleted first. This produces an unindexed search for every del
command which biases access log audits and may affect performance too.

Since most of the *-del commands delete just a single object (user,
group, RBAC objects, SUDO or HBAC objects, ...) and not a tree
(automount location, dns zone, ...) run a single entry delete first
and only revert to subtree search&delete when that fails.
2012-10-01 22:37:59 -04:00
Martin Kosek
0e432d33fc Index ipakrbprincipalalias and ipaautomountkey attributes
An unindexed search for ipakrbprincipalalias is fired for every ipa
command (and other authentication events) which would degrade IPA
server performance if not indexed. ipaautomountkey unindexed searches
are hit when new key entries are being added.

Add both indexes to new and updated IPA installs.

https://fedorahosted.org/freeipa/ticket/3020
https://fedorahosted.org/freeipa/ticket/3025
2012-10-01 22:37:59 -04:00
Martin Kosek
1a740176ca Improve DN usage in ipa-client-install
A hotfix pushed in a scope of ticket 3088 forced conversion of DN
object (baseDN) in IPA client discovery so that ipa-client-install
does not crash when creating an IPA default.conf. Since this is not
a preferred way to handle DN objects, improve its usage:

- make sure, that baseDN retrieved by client discovery is always
  a DN object
- update ipachangeconf.py code to handle strings better and instead
  of concatenating objects, make sure they are converted to string
  first

As a side-effect of ipachangeconf changes, default.conf config file
generated by ipa-client-install has no longer empty new line at the
end of a file.

Whole ipachangeconf.py has been modified to be compliant with PEP8.

https://fedorahosted.org/freeipa/ticket/3088
2012-10-02 13:39:11 +02:00
Martin Kosek
63c7f61501 Add support for unified samba packages
Fedora 18 and later has moved unified samba and samba4 packages. Update
Requires and BuildRequires in spec file to require correct versions.

Also require libwbclient-devel which now provides libwbclient.h instead
of samba4-devel package.

https://fedorahosted.org/freeipa/ticket/3118
2012-10-01 17:32:02 +02:00
Martin Kosek
988ea36827 Improve StrEnum validation error message
Do not print list of possible values as "%r" but simply as a list
of quoted values which should make it easier to read for users.
Also add a special case when there is just one allowed value.

https://fedorahosted.org/freeipa/ticket/2869
2012-10-01 13:39:22 +02:00
Petr Viktorin
c16c257145 Fix NS records in installation
Our installation added two final dots to the NS records,
so the records were invalid, Bind ignored the entire zone,
and name resolution didn't work.

Fix this error and add a check for empty DNS labels to the validator
2012-09-27 16:01:22 +02:00
Petr Viktorin
ebfda866dd Don't use bare except: clauses in ipa-client-install
Instead of `except:`, use `except Exception:`. This means that errors
like KeyboardInterrupt are not handled, letting them terminate the
script as expected.

https://fedorahosted.org/freeipa/ticket/2941
2012-09-27 14:43:01 +02:00
Alexander Bokovoy
fbfa3b56fa Change the way SID comparison is done for belonging to trusted domain
Fixes trust use on RHEL 6.
2012-09-27 14:00:40 +02:00
Martin Kosek
256024db0a Validate SELinux users in config-mod
config-mod is capable of changing default SELinux user map order
and a default SELinux user. Validate the new config values to
prevent bogus default SELinux users to be assigned to IPA users.

https://fedorahosted.org/freeipa/ticket/2993
2012-09-27 10:43:39 +02:00
Martin Kosek
c49bc80494 Use custom zonemgr for reverse zones
When DNS is being installed during ipa-{server,dns,replica}-install,
forward and reverse zone is created. However, reverse zone was always
created with default zonemgr even when a custom zonemgr was passed
to the installer as this functionality was missing in function
creating reverse zone.

Consolidate functions creating forward and reverse zones to avoid
code duplication and errors like this one. Reverse zones are now
created with custom zonemgr (when entered by user).

https://fedorahosted.org/freeipa/ticket/2790
2012-09-26 13:44:11 +02:00
Alexander Bokovoy
ba5248135c Make sure external group members are listed for the external group
https://fedorahosted.org/freeipa/ticket/2975
2012-09-25 08:21:22 +02:00
Rob Crittenden
17016750f4 Fix python syntax in ipa-client-automount
https://fedorahosted.org/freeipa/ticket/3081
2012-09-24 18:00:36 +02:00
Petr Viktorin
0b254e8b1e Always handle NotFound error in dnsrecord-mod
When there were no updated attrs when modifying a nonexistent DNS record,
the error was not handled and caused an internal server error later (old_entry
was used uninitialized).

https://fedorahosted.org/freeipa/ticket/3055
2012-09-24 13:55:17 +02:00
Petr Viktorin
230261a1a5 Check direct/reverse hostname/address resolution in ipa-replica-install
Forward and reverse resolution of the newly created replica is already
checked via get_host_name (which calls verify_fqdn).
Add the same check for the existing master.

Additionally, if DNS is installed on the remote host, check forward
and reverse resolution of both replicas using that DNS only
(ignoring /etc/hosts). These checks give only warnings and, in interactive
installs, a "Continue?" prompt.

https://fedorahosted.org/freeipa/ticket/2845
2012-09-20 16:02:17 -04:00
Sumit Bose
d0f672c131 Update krb5.conf during ipa-adtrust-install
https://fedorahosted.org/freeipa/ticket/2515
2012-09-19 20:47:31 -04:00
Sumit Bose
0d31833317 Set master_kdc and dns_lookup_kdc to true
https://fedorahosted.org/freeipa/ticket/2515
2012-09-19 20:47:12 -04:00
Tomas Babej
dd72ed6212 Improves sssd.conf handling during ipa-client uninstall
The sssd.conf file is no longer left behind in case sssd was not
configured before the installation. However, the patch goes behind
the scope of this ticked and improves the handling of sssd.conf
during the ipa-client-install --uninstall in general.

The current behaviour (well documented in source code) is as follows:
  - In general, the IPA domain is simply removed from the sssd.conf
    file, instead of sssd.conf being rewritten from the backup. This
    preserves any domains added after installation.

  - If sssd.conf existed before the installation, it is restored to
    sssd.conf.bkp. However, any IPA domains from pre-installation
    sssd.conf should have been merged during the installation.

  - If sssd.conf did not exist before the installation, and no other
    domains than IPA domain exist in it, the patch makes sure that
    sssd.conf is moved to sssd.conf.deleted so user experiences no
    crash during any next installation due to its existence.

https://fedorahosted.org/freeipa/ticket/2740
2012-09-20 16:57:13 +02:00
Alexander Bokovoy
26baae1fe9 Document use of external group membership 2012-09-20 14:58:32 +02:00
Alexander Bokovoy
21ecf2f287 Add documentation for 'ipa trust' set of commands 2012-09-20 14:57:49 +02:00
Alexander Bokovoy
9d84a3cf49 Fix error messages and use proper ImportError for dcerpc import 2012-09-20 14:57:07 +02:00
Alexander Bokovoy
87a37c8e2f validate SID for trusted domain when adding/modifying ID range
https://fedorahosted.org/freeipa/ticket/3087
2012-09-20 14:55:34 +02:00
Petr Viktorin
4bb4535101 Use correct Dogtag port in ipaserver.install.certs
On an instance upgraded from Dogtag 9 to Dogtag 10,
ipa-replica-prepare used the wrong port number. Fix that.
2012-09-20 13:58:53 +02:00
Jan Cholasta
9a167d667c SSHPublicKey.fingerprint_dns_sha1 should return unicode value. 2012-09-20 10:44:28 +02:00
Martin Kosek
459016d12b Fix idrange plugin help
range plugin was renamed to idrange. Update plugin help to reflect
this change.
2012-09-20 10:36:13 +02:00
Martin Kosek
ef7b8ab764 Use default reverse zone consistently
When a new reverse zone is to be generated based on an IP address without
a network prefix length, we need to use some default value. While netaddr
library default ones (32b for IPv4 and 128b for IPv6) are not very sensible
we should use the defaults already applied in installers. That is 24b for
IPv6 and 64 for IPv6.

Test case has been added to cover the new default.

https://fedorahosted.org/freeipa/ticket/2461
2012-09-19 17:32:02 +02:00
Petr Vobornik
26166deb0c Fix integer validation when boundary value is empty string
There was an error in number validation check. If boundary value was an empty string, validation of a number always failed. This patch fixes the problem by not performing the check in these cases.

https://fedorahosted.org/freeipa/ticket/3066
2012-09-19 11:09:09 +02:00
Petr Vobornik
e39a109060 Show trust status in add success notification
Web UI notification of 'Add verification step after trust creation'

https://fedorahosted.org/freeipa/ticket/2763
2012-09-17 21:24:38 -04:00
Alexander Bokovoy
7269687822 Add verification of the AD trust
Since we only can perform verification when AD admin credentials are available,
report that trust should be verified from the AD side in other cases,
including unsuccessful verification.

Once trust is added, status of it is never stored anywhere.

https://fedorahosted.org/freeipa/ticket/2763
2012-09-17 21:24:38 -04:00
Petr Viktorin
f0829efe1f Only stop the main DS instance when upgrading it
We've been stopping both DS instances (main and PKI) when upgrading.
This can happen while the CA is running. In some cases stopping the PKI
DS also killed the CA.

Only stop the specific instance for upgrades.

Also, wait for open ports after the upgrade is complete. The wait was
skipped previously. This can prevent bugs if scripts that need a DS are
run after the upgrade.

https://fedorahosted.org/freeipa/ticket/3083
2012-09-17 18:43:59 -04:00
Petr Viktorin
4f76c143d2 Use Dogtag 10 only when it is available
Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.

Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.

This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
2012-09-17 18:43:59 -04:00
Ade Lee
3dd31a8756 Modifications to install scripts for dogtag 10
Dogtag 10 uses a new installer, new directory layout and new default
ports.  This patch changes the ipa install code to integrate these changes.

https://fedorahosted.org/freeipa/ticket/2846
2012-09-17 18:43:36 -04:00
Martin Kosek
79b89f4196 Properly convert DN in ipa-client-install
ipa-client-install crashed when IPA server anonymous access was
disabled and base DN was thus generated via realm_to_suffix
function which, however, returns a DN object and not string.

DN was converted to string, ipa-client-install no longer crashes
in this scenario.

https://fedorahosted.org/freeipa/ticket/3088
2012-09-18 11:11:48 +02:00
Yuri Chornoivan
8bbb42b410 Fix various typos.
https://fedorahosted.org/freeipa/ticket/3089
2012-09-18 08:45:28 +02:00
Rob Crittenden
f695f79748 When deleting a master, try to prevent orphaning other servers.
If you have a replication topology like A <-> B <-> C and you try
to delete server B that will leave A and C orphaned. It may also
prevent re-installation of a new master on B because the cn=masters
entry for it probably still exists on at least one of the other masters.

Check on each master that it connects to to ensure that it isn't the
last link, and fail if it is. If any of the masters are not up then
warn that this could be a bad thing but let the user continue if
they want.

Add a new option to the del command, --cleanup, which runs the
replica_cleanup() routine to completely clean up references to a master.

https://fedorahosted.org/freeipa/ticket/2797
2012-09-17 17:57:27 +02:00
Rob Crittenden
c9c55a2845 Run the CLEANALLRUV task when deleting a replication agreement.
This adds two new commands to ipa-replica-manage: list-ruv & clean-ruv

list-ruv can be use to list the update vectors the master has
configugured

clean-ruv can be used to fire off the CLEANRUV task to remove a
replication vector. It should be used with caution.

https://fedorahosted.org/freeipa/ticket/2303
2012-09-17 17:48:25 +02:00