When building RPMs with Python 3 support, /usr/bin/ipa will now
use Python 3.
The in-tree ipa command will also run on Python 3.
When building with make install, $(PYTHON) is honored and it will
still default to Python 2.
Part of the work for https://fedorahosted.org/freeipa/ticket/5638
Reviewed-By: Petr Spacek <pspacek@redhat.com>
File httpd.service was created by RPM, what causes that httpd service may
fail due IPA specific configuration even if IPA wasn't installed or was
uninstalled (without erasing RPMs).
With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.
https://fedorahosted.org/freeipa/ticket/5681
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Netifaces allows to get addresses from local interfaces of the host in
safer way than parsing output of the ip command.
https://fedorahosted.org/freeipa/ticket/5591
Reviewed-By: David Kupka <dkupka@redhat.com>
Trying to install the package depending on python-polib breaks
when the system has newer (and renamed) version python2-polib.
*This patch is an workaround* for the issue described in [1].
If a renamed package's provides is equal to an older package's
name, dnf tries to install the older package.
When the newer package is in the system, this leads to a conflict.
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1096506
Reviewed-By: Martin Basti <mbasti@redhat.com>
When generating keys for custodia service, the key material is stored in
python-cryptography's OpenSSL backend encoded as DER. This only works in
python-cryptography 0.9 and newer so we need to make sure this version pulled
in during RPM build and install.
https://fedorahosted.org/freeipa/ticket/5744
Reviewed-By: Martin Basti <mbasti@redhat.com>
Standalone instalation of python*-ipalib packages does not pull all
required packages and results into import errors.
https://fedorahosted.org/freeipa/ticket/5680
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The string "wbclient" is not mentioned anywhere in
source code and there isn't any issue with building
freeipa packages without this package.
Reviewed-By: Sumit Bose <sbose@redhat.com>
Currently in an environment with trust to AD the compat tree does not
show AD users as members of IPA groups. The reason is that IPA groups
are read directly from the IPA DS tree and external groups are not
handled.
slapi-nis project has added support for it in 0.55, make sure we update
configuration for the group map if it exists and depend on 0.55 version.
https://fedorahosted.org/freeipa/ticket/4403
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The scripts in this directory are simple python scripts, nothing arch-specific
in them. Having them under libexec would simplify the code a bit too, since
there would be no need to worry about lib vs lib64 (which also cause trouble
on Debian).
https://fedorahosted.org/freeipa/ticket/5586
Reviewed-By: David Kupka <dkupka@redhat.com>
Don't put any IPA certificates to /etc/pki/nssdb - IPA itself uses
/etc/ipa/nssdb and IPA CA certificates are provided to the system using
p11-kit. Remove leftovers on upgrade.
https://fedorahosted.org/freeipa/ticket/5592
Reviewed-By: David Kupka <dkupka@redhat.com>
Make ipaclient a Python library like ipapython, ipalib, etc.
Use setup.py instead of autotools for installing it.
Move C client tools, Python scripts, and man pages, to client/.
Remove old, empty or outdated, boilerplate files (NEWS, README, AUTHORS).
Remove /setup-client.py (ipalib/setup.py should be used instead).
Update Makefiles and the spec file accordingly.
https://fedorahosted.org/freeipa/ticket/5638
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
A workaround was introduced for ticket #4676 that used wget to
perform an (unauthenticated) https request to check the CA status.
Later, wget was changed to curl (the request remained
unauthenticated).
Remove the workaround and use an http request (no TLS) to check the
CA status. Also remove the now-unused unauthenticated_http_request
method, and update specfile to remove ipalib dependency on curl.
Reviewed-By: Martin Basti <mbasti@redhat.com>
noarch packages should not contain:
Requires: some-package-{?_isa}
because then they are not the same for each arch - are not noarch
https://fedorahosted.org/freeipa/ticket/5568
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Replace the "import default_encoding_utf8" in ipalib/cli.py with equivalent
Python code.
https://fedorahosted.org/freeipa/ticket/5596
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Stop using rpm-python to compare package versions since the implicit NSS
initialization upon the module import breaks NSS handling in IPA code. Call
rpm-libs C-API function via CFFI instead.
Big thanks to Martin Kosek <mkosek@redhat.com> for sharing the code snippet
that spurred this patch.
https://fedorahosted.org/freeipa/ticket/5572
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The combination of a bug in Dogtag's sslget command and a new feature
in mod_nss causes an incomplete uninstallation of KRA. The bug has been
fixed in Dogtag 10.2.6-13.
https://fedorahosted.org/freeipa/ticket/5469https://fedorahosted.org/pki/ticket/1704
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Running make with PYTHON=/usr/bin/python3 will build/install the
bits for Python 3.
Executable scripts in ipatests have symlinks Python version suffixes
as per Fedora guidelines. Suffix-less names point to the Python 2 versions.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add server_conncheck command which calls ipa-replica-conncheck --replica
over oddjob.
https://fedorahosted.org/freeipa/ticket/5497
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Make the following changes in packaging:
* freeipa-server - split off python2-ipaserver and freeipa-server-common,
* freeipa-server-dns - build as noarch,
* freeipa-client - split off python2-ipaclient and freeipa-client-common,
* freeipa-admintools - build as noarch,
* freeipa-python - split into python2-ipalib and freeipa-common, provide
freeipa-python-compat for upgrades,
* freeipa-tests - rename to python2-ipatests and build as noarch.
Bump version to 4.2.91.
https://fedorahosted.org/freeipa/ticket/3197
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
/etc/ipa/dnssec is now owned by freeipa-server. The remaining files are now
owned by freeipa-client.
https://fedorahosted.org/freeipa/ticket/3197
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Use ding-libs to parse /etc/ipa/default.conf to find the IPA server
to contact by default.
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/2203
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
By default mod_auth_gssapi allows all locally available mechanisms. If
the gssntlmssp package is installed, it also offers ntlmssp. This has
the annoying side effect that some browser will pop up a
username/password request dialog if no Krb5 credentials are available.
The patch restricts the mechanism to krb5 and removes ntlmssp and
iakerb support from Apache's ipa.conf.
The new feature was added to mod_auth_gssapi 1.3.0.
https://fedorahosted.org/freeipa/ticket/5114
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Configure.jar used to be used with firefox version < 10 which is not
supported anymore, thus this can be removed.
https://fedorahosted.org/freeipa/ticket/5144
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Packaging of sssd was changed and more sub-packages are build
from sssd.src.rpm. Especially python bindings and development packages
are already in sub-packages. As a result of this change the meta package
sssd can be removed from BuildRequires without any problem.
FreeIPA spec file contained build requirement for latest version of
sssd even though the latest sssd was not required for building
FreeIPA rpms. In many cases, it was sufficient just to change requirements
for FreeIPA packages instead of build requirements.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Dogtag 10.2.6-12 includes automatic upgrade from Tomcat 7 to Tomcat 8.
Otherwise FreeIPA is broken after upgrades. This affects Fedora 22 to
Fedora 23 upgrades.
https://bugzilla.redhat.com/show_bug.cgi?id=1274915
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Configure IPA so that topology plugin will manage also CA replication
agreements.
upgrades if CA is congigured:
- ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX
- ipaReplTopoManagedSuffix: o=ipaca is added to master entry
- binddngroup is added to o=ipaca replica entry
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The DNA plugin needed to be fixed to deal with replica binddn groups.
Version 1.3.4.4 is needed for that.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This change makes kdcproxy user creation consistent with DS and CA user
creation. Before, the user was created in the spec file, in %pre scriptlet
of freeipa-server.
https://fedorahosted.org/freeipa/ticket/5314
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Certain subcomponents of IPA, such as Dogtag, cannot function if
non-critical directories (such as log directories) have not been
stored in the backup.
This patch implements storage of selected empty directories,
while preserving attributes and SELinux context.
https://fedorahosted.org/freeipa/ticket/5297
Reviewed-By: Martin Basti <mbasti@redhat.com>
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.
- Removed Backend.krb and KRB5_CCache classes
They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
Using api.env.realm instead of krbV call
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.
https://fedorahosted.org/freeipa/ticket/5256
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
python-gssapi had a bug in exception handling that caused exceptions to be
shadowed by LookupError. The new version should fix the problem.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
kerberos library doesn't support Python 3 and probably never will.
python-gssapi library is Python 3 compatible.
https://fedorahosted.org/freeipa/ticket/5147
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
This patch removes the dependency on M2Crypto in favor for cryptography.
Cryptography is more strict about the key size and doesn't support
non-standard key sizes:
>>> from M2Crypto import RC4
>>> from ipaserver.dcerpc import arcfour_encrypt
>>> RC4.RC4(b'key').update(b'data')
'o\r@\x8c'
>>> arcfour_encrypt(b'key', b'data')
Traceback (most recent call last):
...
ValueError: Invalid key size (24) for RC4.
Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported:
>>> arcfour_encrypt(b'key12', b'data')
'\xcd\xf80d'
>>> RC4.RC4(b'key12').update(b'data')
'\xcd\xf80d'
http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4https://fedorahosted.org/freeipa/ticket/5148
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
There might be AVC denial between moving file and restoring context.
Using 'mv -Z' will solve this issue.
https://fedorahosted.org/freeipa/ticket/4923
Reviewed-By: David Kupka <dkupka@redhat.com>
The otptoken plugin is the only module in FreeIPA that uses Python's ssl
module instead of NSS. The patch replaces ssl with NSSConnection. It
uses the default NSS database to lookup trust anchors. NSSConnection
uses NSS for hostname matching. The package
python-backports-ssl_match_hostname is no longer required.
https://fedorahosted.org/freeipa/ticket/5068
Reviewed-By: Martin Basti <mbasti@redhat.com>
Introduce a ipaplatform/constants.py file to store platform related
constants, which are not paths.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
This allows us to automatically pull in package bind-pkcs11
and thus create upgrade path for on CentOS 7.1 -> 7.2.
IPA previously had no requires on BIND packages and these had to be
installed manually before first ipa-dns-install run.
We need to pull additional bind-pkcs11 package during RPM upgrade
so ipa-dns-install cannot help with this.
https://fedorahosted.org/freeipa/ticket/4058
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The home directory of the kdcproxy user is now properly owned by the
package and no longer created by useradd.
https://fedorahosted.org/freeipa/ticket/5135
Reviewed-By: Tomas Babej <tbabej@redhat.com>
A new SELinux policy allows communication between IPA framework running
under Apache with oddjobd-based services via DBus.
This communication is crucial for one-way trust support and also is required
for any out of band tools which may be executed by IPA framework.
Details of out of band communication and SELinux policy can be found in a bug
https://bugzilla.redhat.com/show_bug.cgi?id=1238165
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The directory was in the python subpackage, but that broke client-only
build. We don't want the directory to be installed on clients anyway,
since it is part of a server-side feature.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
One-way trust is the default now, use 'trust add --two-way ' to
force bidirectional trust
https://fedorahosted.org/freeipa/ticket/4959
In case of one-way trust we cannot authenticate using cross-realm TGT
against an AD DC. We have to use trusted domain object from within AD
domain and access to this object is limited to avoid compromising the whole
trust configuration.
Instead, IPA framework can call out to oddjob daemon and ask it to
run the script which can have access to the TDO object. This script
(com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal
to retrieve TDO object credentials from IPA LDAP if needed and then
authenticate against AD DCs using the TDO object credentials.
The script pulls the trust topology out of AD DCs and updates IPA LDAP
store. Then IPA framework can pick the updated data from the IPA LDAP
under normal access conditions.
Part of https://fedorahosted.org/freeipa/ticket/4546
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The vault plugin has been modified to support symmetric and asymmetric
vaults to provide additional security over the standard vault by
encrypting the data before it's sent to the server. The encryption
functionality is implemented using the python-cryptography library.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
New schema (for LDAP-based profiles) was introduced in Dogtag, but
Dogtag does not yet have a reliable method for upgrading its schema.
Use FreeIPA's schema update machinery to add the new attributeTypes
and objectClasses defined by Dogtag.
Also update the pki dependencies to 10.2.5, which provides the
schema update file.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Commit 9f049ca144 introduced dependency on
python-setuptools on line:
from pkg_resources import parse_version
This dependency is missing on minimal installation and then ipa-server-upgrade
fails on rpm install/upgrade.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use wildcards and DN matching in an ACI to allow a host
that binds using GSSAPI to add a service for itself.
Set required version of 389-ds-base to 1.3.4.0 GA.
https://fedorahosted.org/freeipa/ticket/4567
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.
- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
present.
- The installers and update create a new Apache config file
/etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
/KdcProxy. The app is run inside its own WSGI daemon group with
a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
/etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
so that an existing config is not used. SetEnv from Apache config does
not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
ipa-ldap-updater. No CLI script is offered yet.
https://www.freeipa.org/page/V4/KDC_Proxyhttps://fedorahosted.org/freeipa/ticket/4801
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Add a default service profile template as part of FreeIPA and format
and import it as part of installation or upgrade process.
Also remove the code that modifies the old (file-based)
`caIPAserviceCert' profile.
Fixes https://fedorahosted.org/freeipa/ticket/4002
Reviewed-By: Martin Basti <mbasti@redhat.com>
Install the Dogtag CA to use the LDAPProfileSubsystem instead of the
default (file-based) ProfileSubsystem.
Part of: https://fedorahosted.org/freeipa/ticket/4560
Reviewed-By: Martin Basti <mbasti@redhat.com>
Until ipa-server-install, ipa-replica-install and ipa-server-upgrade are merged
into a single code base, keep their respective bits in separate modules in the
package.
https://fedorahosted.org/freeipa/ticket/4468
Reviewed-By: Martin Basti <mbasti@redhat.com>
When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same
time, they use common directory for storing Apache ccache file. Uninstallation
of 'mod_auth_kerb' removes this directory leading to invalid CCache path for
httpd and authentication failure.
Using an IPA-specific directory for credential storage during apache runtime
avoids this issue.
https://fedorahosted.org/freeipa/ticket/4973
Reviewed-By: David Kupka <dkupka@redhat.com>
Due previous changes (in master branch only) the uniqueness plugins
became misconfigured.
After this patch:
* whole $SUFFIX will be checked by unique plugins
* just staged users are exluded from check
This reverts some changes in commit
52b7101c11
Since 389-ds-base 1.3.4.a1 new attribute 'uniqueness-exclude-subtrees'
can be used.
https://fedorahosted.org/freeipa/ticket/4921
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
httpd service stores Kerberos credentials in kernel keyring which gets
destroyed and recreated during service install/upgrade, causing problems when
the process is run under SELinux context other than 'unconfined_t'. This patch
enables HTTPInstance to set up a dedicated CCache file for Apache to store
credentials.
https://fedorahosted.org/freeipa/ticket/4973
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
https://fedorahosted.org/freeipa/ticket/4190
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Python modules pysss and pysss_murmur was part of package sssd-common.
Fedora 22 tries to get rid of python2 and therefore these modules were
extracted from package sssd-common to separate packages python-sss and
python-sss-murmur and python3 version of packages python3-sss
python3-sss-murmur
git grep "pysss" | grep import
ipalib/plugins/trust.py: import pysss_murmur #pylint: disable=F0401
ipaserver/dcerpc.py:import pysss
ipaserver/dcerpc.py is pacakged in freeipa-server-trust-ad
palib/plugins/trust.py is packaged in freeipa-python
Resolves:
https://fedorahosted.org/freeipa/ticket/4929
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Added dbus-python dependency to freeipa-python. This should fix
https://fedorahosted.org/freeipa/ticket/4863 and also cover dbus-python
dependencies in other freeipa-* packages.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Drop support for pylint < 1.0
Enable ignoring unknown attributes on modules (both nose and pytest
use advanced techniques, support for which only made it to pylint
recently)
Fix some bugs revealed by pylint
Do minor refactoring or add pylint:disable directives where the
linter complains.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The plugin to run tests within a class in the order they're defined
in the source was split into a separate project.
Use this project instead of a FreeIPA-specific copy.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The core integration testing functionality was split into a separate
project. Use this project, and configure it for FreeIPA.
The "mh" (multihost) fixture is made available for integration tests.
Configuration based on environment variables is moved into a separate
module, to ease eventual deprecation.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Protocols are configured as an inclusive range from SSLv3 through
TLSv1.2. The allowed values in the range are ssl3, tls1.0,
tls1.1 and tls1.2.
This is overridable per client by setting tls_version_min and/or
tls_version_max.
https://fedorahosted.org/freeipa/ticket/4653
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The expiration date was always set to the expiration date of the original
certificate.
https://fedorahosted.org/freeipa/ticket/4717
Reviewed-By: David Kupka <dkupka@redhat.com>
Just adding dir to specfile doesnt work, because is not guarantee the
named is installed, during RPM installation.
Ticket: https://fedorahosted.org/freeipa/ticket/4716
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.
The KRA installer has been modified to use Dogtag's CLI to create
KRA agent and setup the client authentication.
The proxy settings have been updated to include KRA's URLs.
Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.
The Dogtag dependency has been updated to 10.2.1-0.1.
https://fedorahosted.org/freeipa/ticket/4503
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Gradually new arches which need a bigger stack size for web ui build appear. It's safer to increase the stack size for every architecture and avoid possible future issues.
Reason: build fail on armv7hl
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This plugin ensures that all counter/watermark operations are atomic
and never decrement. Also, deletion is not permitted.
Because this plugin also ensures internal operations behave properly,
this also gives ipa-pwd-extop the appropriate behavior for OTP
authentication.
https://fedorahosted.org/freeipa/ticket/4493https://fedorahosted.org/freeipa/ticket/4494
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Added a new option --external-ca-type which specifies the type of the
external CA. It can be either "generic" (the default) or "ms-cs". If "ms-cs"
is selected, the CSR generated for the IPA CA will include MS template name
extension (OID 1.3.6.1.4.1.311.20.2) with template name "SubCA".
https://fedorahosted.org/freeipa/ticket/4496
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The file was used by previous versions of IPA to provide the IPA CA certificate
to p11-kit and has since been obsoleted by ipa.p11-kit, a file which contains
all the CA certificates and associated trust policy from the LDAP certificate
store.
Since p11-kit is hooked into /etc/httpd/alias, ipa-ca.crt must be removed to
prevent certificate import failures in installer code.
Also add ipa.p11-kit to the files owned by the freeipa-python package.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This is the new default NSS database for IPA.
/etc/pki/nssdb is still maintained for backward compatibility.
https://fedorahosted.org/freeipa/ticket/3259
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Required bugfix in python-ldap 2.4.15
Updates must respect SUP objectclasses/attributes and update
dependencies first
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
use configuration parameters to enable ciphers provided by NSS
and not considered weak.
This requires 389-ds version 1.3.3.2 or later
https://fedorahosted.org/freeipa/ticket/4395
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
This substantially reduces the FreeIPA dependencies and allows
QR codes to fit in a standard terminal.
https://fedorahosted.org/freeipa/ticket/4430
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
FreeIPA certmonger module changed to use D-Bus to communicate with certmonger.
Using the D-Bus API should be more stable and supported way of using cermonger than
tampering with its files.
>=certmonger-0.75.13 is needed for this to work.
https://fedorahosted.org/freeipa/ticket/4280
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This patch adds an explicit build dependency to
python-backports-ssl_match_hostname.
Without it, the build-time lint would fail.
https://fedorahosted.org/freeipa/ticket/4515
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Without python-backports-ssl_match_hostname installed, an ipa-client
installation could have failed with:
from backports.ssl_match_hostname import match_hostname
ImportError: No module named ssl_match_hostname
This patch adds an explicit dependency to
python-backports-ssl_match_hostname.
https://fedorahosted.org/freeipa/ticket/4515
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This patch adds the capability of installing a Dogtag KRA
to an IPA instance. With this patch, a KRA is NOT configured
by default when ipa-server-install is run. Rather, the command
ipa-kra-install must be executed on an instance on which a Dogtag
CA has already been configured.
The KRA shares the same tomcat instance and DS instance as the
Dogtag CA. Moreover, the same admin user/agent (and agent cert) can
be used for both subsystems. Certmonger is also confgured to
monitor the new subsystem certificates.
To create a clone KRA, simply execute ipa-kra-install <replica_file>
on a replica on which a Dogtag CA has already been replicated.
ipa-kra-install will use the security domain to detect whether the
system being installed is a replica, and will error out if a needed
replica file is not provided.
The install scripts have been refactored somewhat to minimize
duplication of code. A new base class dogtagintance.py has
been introduced containing code that is common to KRA and CA
installs. This will become very useful when we add more PKI
subsystems.
The KRA will install its database as a subtree of o=ipaca,
specifically o=ipakra,o=ipaca. This means that replication
agreements created to replicate CA data will also replicate KRA
data. No new replication agreements are required.
Added dogtag plugin for KRA. This is an initial commit providing
the basic vault functionality needed for vault. This plugin will
likely be modified as we create the code to call some of these
functions.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3872
The uninstallation option in ipa-kra-install is temporarily disabled.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Requiring a specific version of Java leads to breakages, like the
one happening on nightly builds in Fedora Rawhide right now.
We should use the more generic 'java' BuildRequires instead of the
versioned one.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Without nsslapd-allow-hashed-passwords being turned on, user password
migration fails.
https://fedorahosted.org/freeipa/ticket/4450
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Theme package is contains resources for PKI web interface. This interface
is not needed by FreeIPA as it rather utilizes it's API. As recommended in
https://bugzilla.redhat.com/show_bug.cgi?id=1068029#c5, remove this hard
dependency.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Previous versions of libkrb5 can't handle expired passwords
inside the FAST tunnel. This breaks the password change UI
in FreeIPA.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
- Bump 389-ds-base requires to fix the deref call with new ACIs:
https://fedorahosted.org/freeipa/ticket/4389
- Bump bind-dyndb-ldap Conflicts to fetch the DNSSEC capability
- Bump selinux-policy to fix the CRL retrieval:
https://fedorahosted.org/freeipa/ticket/4369
- Remove conditionals for Fedora < 20 as FreeIPA 4.0 is not planned
to be released on these platforms.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The code has been moved to its own, separate repository at
git://git.fedorahosted.org/git/freeipa-foreman-smartproxy.git
Reviewed-By: Martin Kosek <mkosek@redhat.com>
standalone page for OTP token synchronization. It reuses SyncOTPScreen
widget instead of reimplementing the logic as in other standalone pages.
https://fedorahosted.org/freeipa/ticket/4218
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
Current compiled Web UI layer (app.js) contains every FreeIPA plugin and
not just the UI framework. It's not possible to start just a simple facet.
This commit creates a basis for a layer (core.js) which contains only
framework code and not entity related code.
Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
This command behaves almost exactly like otptoken-add except:
1. The new token data is written directly to a YubiKey
2. The vendor/model/serial fields are populated from the YubiKey
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The newly created ipaplatform subdirectories base and fedora were
mentioned multiple times in the specfile, which produced build
warnings.
Part of: https://fedorahosted.org/freeipa/ticket/4052
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This patch adds support for importing tokens using RFC 6030 key container
files. This includes decryption support. For sysadmin sanity, any tokens
which fail to add will be written to the output file for examination. The
main use case here is where a small subset of a large set of tokens fails
to validate or add. Using the output file, the sysadmin can attempt to
recover these specific tokens.
This code is implemented as a server-side script. However, it doesn't
actually need to run on the server. This was done because importing is an
odd fit for the IPA command framework:
1. We need to write an output file.
2. The operation may be long-running (thousands of tokens).
3. Only admins need to perform this task and it only happens infrequently.
https://fedorahosted.org/freeipa/ticket/4261
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For each SAN in a request there must be a matching service entry writable by
the requestor. Users can request certificates with SAN only if they have
"Request Certificate With SubjectAltName" permission.
https://fedorahosted.org/freeipa/ticket/3977
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This will allow us to make vendors' lives easier by embedding a
vendor tag to installation logs.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4219
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Drop the logrotate file because Apache manages the logs
Drop the systemd configuration because we run in Apache
Import json_encode_binary from ipalib
Fix Requires
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
This currently server supports only host and hostgroup commands for
retrieving, adding and deleting entries.
The incoming requests are completely unauthenticated and by default
requests must be local.
Utilize GSS-Proxy to manage the TGT.
Configuration information is in the ipa-smartproxy man page.
Design: http://www.freeipa.org/page/V3/Smart_Proxyhttps://fedorahosted.org/freeipa/ticket/4128
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reimplementation of unauthorized dialog into separate widget. It uses RCUE
design.
New features compared to unauthorized dialog:
- reflects auth methods from `auth` module
- validation summary
- differentiates Kerberos auth failure with session expiration
- Caps Lock warning
- form based method doesn't allow password only submission
https://fedorahosted.org/freeipa/ticket/4017https://fedorahosted.org/freeipa/ticket/3903
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
389-ds-base 1.3.2.16 implements reordering of sub-plugins based on the
ordering of the main plugin. We need it to make OTP working over
compat tree.
selinux-polic 3.12.1-135 fixes issues which prevented httpd to work
with kernel keyring-based credentials caches.
This change is Fedora 20+.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
python-pyasn1 and python-qrcode were imported by ipalib but not
required by python subpackage.
https://fedorahosted.org/freeipa/ticket/4275
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
We use Java classes which are bundled with rhino when uglifying
Javascript sources at build-time, so we need rhino at build-time.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
This plugin prevents the deletion or deactivation of the last
valid token for a user. This prevents the user from migrating
back to single factor authentication once OTP has been enabled.
Thanks to Mark Reynolds for helping me with this patch.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit changes how fonts are used.
- remove usage of bundled fonts and only system fonts are used instead
- by using alias in httpd conf
- by using local("Font Name") directive in font-face
- removed usage of overpass font
- redefined Open Sans font-face declarations. Note: upstream is doing the
same change so we will be fine on upgrade.
- introduce variable.less for variable definitions and overrides. This file
will be very useful when we upgrade to newer RCUE so we will be able to
redefine their and bootstrap's variables.
Fixes: https://fedorahosted.org/freeipa/ticket/2861
Enable Retro Changelog and Content Synchronization DS plugins which are required
for SyncRepl support.
Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+.
https://fedorahosted.org/freeipa/ticket/3967
The project's history is kept in Git. We used the spec changelog
for changes to the spec itself, which doesn't make much sense.
Downstreams like Fedora use their own changelog anyway.
A single entry is left for tools that expect a changelog.
Since mod_nss-1.0.8-24, mod_nss and mod_ssl can co-exist on one
machine (of course, when listening to different ports).
To make sure that mod_ssl is not configured to listen on 443
(default mod_ssl configuration), add a check to the installer checking
of either mod_nss or mod_ssl was configured to listen on that port.
https://fedorahosted.org/freeipa/ticket/3974
Nose doesn't pick up directories that don't begin with 'test'.
Rename ipatests/test_ipaserver/install to test_install so that it's run.
Also, merge test_ipautil.py from ipapython/test into tests/test_ipapython,
so the whole test suite is in one place.
The integration testing framework used Paramiko SFTP files as
context managers. This feature is only available in Paramiko 1.10+.
Use an explicit context manager so that we don't rely on the feature.
This patch fixes:
- too long description for server-trust-ad subpackage
- adds (noreplace) flag %{_sysconfdir}/tmpfiles.d/ipa.conf to avoid
overwriting potential user changes
- changes permissions on default_encoding_utf8.so to prevent it
pollute python subpackage Provides.
- wrong address in GPL v2 license preamble in 2 distributed files
https://fedorahosted.org/freeipa/ticket/3855
Drops the code from ipa-server-install, ipa-dns-install and the
BindInstance itself. Also changed ipa-upgradeconfig script so
that it does not set zone_refresh to 0 on upgrades, as the option
is deprecated.
https://fedorahosted.org/freeipa/ticket/3632
Old versions of SSSD do not directly support cross-realm trusts between IPA
and AD. This patch introduces plugins for the ipa-advise tool, which should
help with configuring an old version of SSSD (1.5-1.8) to gain access to
resources in trusted domain.
Since the configuration steps differ depending on whether the platform includes
the authconfig tool, two plugins are needed:
* config-redhat-sssd-before-1-9 - provides configuration for Red Hat based
systems, as these system include the autconfig utility
* config-generic-sssd-before-1-9 - provides configuration for other platforms
https://fedorahosted.org/freeipa/ticket/3671https://fedorahosted.org/freeipa/ticket/3672
In external CA installation, ipa-server-install leaked NSS objects
which caused an installation crash later when a subsequent call of
NSSConnection tried to free them.
Properly freeing the NSS objects avoid this crash.
https://fedorahosted.org/freeipa/ticket/3773
There was already a dependency in server package, however,
the correct place for such dependency is in freeipa-python,
since the relevant code using keyutils resides there.
Both freeipa-server and freeipa-client require freeipa-python.
https://fedorahosted.org/freeipa/ticket/3808
Features of the new policy:
- labels /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t which is
writeable by PKI and readable by HTTPD
- contains Conflicts with old freeipa-server-selinux package to avoid
SELinux upgrade issues
https://fedorahosted.org/freeipa/ticket/3788
Provides a pluggable framework for generating configuration
scriptlets and instructions for various machine setups and use
cases.
Creates a new ipa-advise command, available to root user
on the IPA server.
Also provides an example configuration plugin,
config-fedora-authconfig.
https://fedorahosted.org/freeipa/ticket/3670
Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no
longer owned by created with package installation. The directory
is rather created/removed with the CA instance itself.
This ensures proper creation/removeal, group ownership
and SELinux context.
https://fedorahosted.org/freeipa/ticket/3727
Add methods to run commands and copy files to Host objects.
Adds a base class for integration tests which can currently install
and uninstall IPA in a "star" topology with per-test specified number
of hosts.
A simple test for user replication between two masters is provided.
Log files from the remote hosts can be marked for collection, but the
actual collection is left to a Nose plugin.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3621
Integration tests are configured via environment variables.
Add a framework for parsing these variables and storing them
in easy-to-use objects.
Add an `ipa-test-config` executable that loads the configuration
and prints out variables needed in shell scripts.
Part of the work for https://fedorahosted.org/freeipa/ticket/3621
Running server upgrade or restart in %post or %postun may cause issues when
there are still parts of old FreeIPA software (like entitlements plugin).
https://fedorahosted.org/freeipa/ticket/3739
Replica information file contains the file `cacert.p12` which is protected by
the Directory Manager password of the initial IPA server installation. The DM
password of the initial installation is also used for the PKI admin user
password.
If the DM password is changed after the IPA server installation, the replication
fails.
To prevent this failure, add the following steps to ipa-replica-prepare:
1. Regenerate the `cacert.p12` file and protect it with the current DM password
2. Update the password of the PKI admin user with the current DM password
https://fedorahosted.org/freeipa/ticket/3594
This daemon listens for RADIUS packets on a well known
UNIX domain socket. When a packet is received, it queries
LDAP to see if the user is configured for RADIUS authentication.
If so, then the packet is forwarded to the 3rd party RADIUS server.
Otherwise, a bind is attempted against the LDAP server.
https://fedorahosted.org/freeipa/ticket/3366http://freeipa.org/page/V3/OTP
Introduce new command, 'trust-resolve', to aid resolving SIDs to names
in the Web UI.
The command uses new SSSD interface, nss_idmap, to resolve actual SIDs.
SSSD caches resolved data so that future requests to resolve same SIDs
are returned from a memory cache.
Web UI code is using Dojo/Deferred to deliver result of SID resolution
out of band. Once resolved names are available, they replace SID values.
Since Web UI only shows ~20 records per page, up to 20 SIDs are resolved
at the same time. They all sent within the single request to the server.
https://fedorahosted.org/freeipa/ticket/3302
