Commit Graph

8373 Commits

Author SHA1 Message Date
Petr Vobornik
cf8b56cc75 webui: show multiple cert
New certificate widget which replaced certificate status widget.

It can display multiple certs. Drawback is that it cannot display
if the certificate was revoked. Web UI does not have the information.

part of: https://fedorahosted.org/freeipa/ticket/5045

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-09 10:58:40 +02:00
Petr Vobornik
7c481b1e90 webui: cert-request improvements
Certificate request action and dialog now supports 'profile_id',
'add' and 'principal' options. 'add' and 'principal' are disaplayed
only if certificate is added from certificate search facet.

Certificate search facet allows to add a certificate.

User details facet allows to add a certificate.

part of
https://fedorahosted.org/freeipa/ticket/5046

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-09 10:58:40 +02:00
Petr Vobornik
cd3ca94ff2 move session_logout command to ipalib/plugins directory
API refactoring caused that session_logout command was not registered.

Commands in ipalib/plugins directory are automatically registered.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 17:16:54 +02:00
Tomas Babej
9c5df3cf76 upgrade: Enable and start oddjobd if adtrust is available
If ipa-adtrust-install has already been run on the system,
enable and start the oddjobd service.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-08 17:14:56 +02:00
Tomas Babej
675aada2e1 adtrustinstance: Enable and start oddjobd
Enable and start the oddjobd service as part of the
ipa-adtrust-install for the new IPA installations.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-08 17:14:56 +02:00
Fraser Tweedale
ec7e5e0cac cert-request: enforce caacl for principals in SAN
cert-request currently does not enforce caacls for principals
included in the subjectAltName requestExtension.  Enforce for any
dNSName values recognised as hosts/services known to FreeIPA.

Fixes: https://fedorahosted.org/freeipa/ticket/5096
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-08 17:13:25 +02:00
Fraser Tweedale
e3c225317b caacl: fix incorrect construction of HbacRequest for hosts
The _acl_make_request function is using the 'host/' prefix itself
instead of the hostname after it.  Use split_any_principal to do the
splitting correctly, also taking realm into account.

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-08 17:13:25 +02:00
Petr Vobornik
f13cce2d9c webui: hide facet tab in certificate details facet
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 17:12:29 +02:00
Petr Vobornik
927391125c webui: caacl
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 17:12:29 +02:00
Petr Vobornik
a3727387ee webui: certificate profiles
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 17:12:29 +02:00
Martin Basti
e51bb1bc66 Fix logging in API
Setup log in API before first usage

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 17:11:23 +02:00
Jan Cholasta
7c0e7f7e3c spec file: Update minimal versions of required packages
https://fedorahosted.org/freeipa/ticket/5103

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-08 16:08:06 +02:00
Martin Basti
21b04769b9 Upgrade: Do not show upgrade failed message when IPA is not installed
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-08 12:58:50 +00:00
Jan Cholasta
232458a222 ipalib: Fix skip_version_check option
This reverts commit ea7f392bb9.

The option can be either set in IPA config file or specified as
'ipa -e skip_version_check=1 [COMMAND]'.

https://fedorahosted.org/freeipa/ticket/4768

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 12:36:19 +00:00
Endi S. Dewata
bf6df3df9b Added vault access control.
New LDAP ACIs have been added to allow vault owners to manage the
vaults and to allow members to access the vaults. New CLIs have
been added to manage the owner and member list. The LDAP schema
has been updated as well.

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-08 06:30:23 +00:00
Sumit Bose
5017726eba ipa-kdb: add unit_tests for string_to_sid() and dom_sid_string()
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Sumit Bose
3f7481a220 ipa-kdb: make string_to_sid() and dom_sid_string() more robust
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Sumit Bose
7a1b4dcafc ipa-kdb: add unit-test for filter_logon_info()
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Sumit Bose
9d026ba824 ipa-kdb: convert test to cmocka
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Sumit Bose
7b524e7835 extdom: add unit-test for get_user_grouplist()
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
2dd5b46d25 trust: support retrieving POSIX IDs with one-way trust during trust-add
With one-way trust we cannot rely on cross-realm TGT as there will be none.
Thus, if we have AD administrator credentials we should reuse them.
Additionally, such use should be done over Kerberos.

Fixes:
 https://fedorahosted.org/freeipa/ticket/4960
 https://fedorahosted.org/freeipa/ticket/4959

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
5025204175 trusts: add ACIs to allow AD trust agents to fetch cross-realm keytabs
Part of https://fedorahosted.org/freeipa/ticket/4959

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
a9570e8ea3 ipa-pwd-extop: expand error message to tell what user is not allowed to fetch keytab
When retrieving keytab, it is useful to know what user was attempting
to fetch the keyts and failed. This is useful to debug one-way trust
where SSSD forks out a process of ipa-getkeytab and it might be using
a wrong credentials cache for authentication purposes.

Part of https://fedorahosted.org/freeipa/ticket/4959

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
d5aa1ee04e trusts: add support for one-way trust and switch to it by default
One-way trust is the default now, use 'trust add --two-way ' to
force bidirectional trust

https://fedorahosted.org/freeipa/ticket/4959

In case of one-way trust we cannot authenticate using cross-realm TGT
against an AD DC. We have to use trusted domain object from within AD
domain and access to this object is limited to avoid compromising the whole
trust configuration.

Instead, IPA framework can call out to oddjob daemon and ask it to
run the script which can have access to the TDO object. This script
(com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal
to retrieve TDO object credentials from IPA LDAP if needed and then
authenticate against AD DCs using the TDO object credentials.

The script pulls the trust topology out of AD DCs and updates IPA LDAP
store. Then IPA framework can pick the updated data from the IPA LDAP
under normal access conditions.

Part of https://fedorahosted.org/freeipa/ticket/4546

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
14992a07fc ipa-adtrust-install: allow configuring of trust agents
Trust agents are IPA master without Samba which can serve
information about users from trusted forests. Such IPA masters
cannot be used to configure trust but they can resolve AD users and groups
for IPA clients enrolled to them.

Since support from both FreeIPA and SSSD is needed to enable
trust agent support, we currently only consider those IPA masters
which have been upgraded to FreeIPA 4.2 or later.

Part of https://fedorahosted.org/freeipa/ticket/4951

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
aa21600822 ipa-sidgen: reduce log level to normal if domain SID is not available
To support AD trust agents, we need to run sidgen and extdom plugins
on every IPA master. Lack of working configuration, thus, is not a
failure so reduce log level to normal as sidgen plugin will not
be active if domain SID is missing but it can certainly be kept
enabled.

Part of https://fedorahosted.org/freeipa/ticket/4951

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
47e1de7604 trusts: pass AD DC hostname if specified explicitly
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
03c2d76186 ipa-adtrust-install: add IPA master host principal to adtrust agents
Fixes https://fedorahosted.org/freeipa/ticket/4951

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
785f6593ca add one-way trust support to ipasam
When trust is established, ipasam module creates a number of objects in LDAP
to represent the trust information. Among them, for one-way trust we create
a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest
and AD is a realm of the trusted Active Directory forest root domain.

This principal is then used by SSSD on IPA masters to authenticate against
trusted Active Directory domain controllers and retrieve information about
user and group identities.

FreeIPA also uses this principal's credentials to retrieve domain topology.

The access to the keys of the principal should be well-protected. We only
allow to retrieve the keytab for it for members of cn=adtrust agents group.
This group is populated with host/ and cifs/ principals from IPA masters.

Starting with FreeIPA 4.2 the group will also have host/ principals of IPA masters
where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install
on the master which will be configured to be a domain controller (e.g.
run Samba with ipasam), and specify --add-agents option to trigger activation
of the interactive mode to specify which IPA masters to enable.

Fixes https://fedorahosted.org/freeipa/ticket/4962
Part of fixes for https://fedorahosted.org/freeipa/ticket/4546

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
d3ccfefaa4 ipa-kdb: filter out group membership from MS-PAC for exact SID matches too
When incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.

Note that we treat user's SID and primary group RID filtering as violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.

For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1
it is OK to have empty group RIDs array as GroupCount SHOULD be
equal to Groups.MembershipCount returned by SamrGetGroupsForUser
[MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty.

Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Alexander Bokovoy
88c10dd975 ipa-kdb: use proper memory chunk size when moving sids
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
Tomas Babej
e8ff6a3ef6 dcerpc: Raise ACIError correctly
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 01:56:52 +02:00
David Kupka
6a91893ff5 ipa-replica-prepare: Do not create DNS zone it automatically.
When --ip-address is specified check if relevant DNS zone exists
in IPA managed DNS server, exit with error when not.

https://fedorahosted.org/freeipa/ticket/5014

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 00:37:42 +02:00
Martin Babinsky
ea7f392bb9 add option to skip client API version check
This can be either set in IPA config file or specified as
'ipa --skip-version-check [COMMAND]'.

part of https://fedorahosted.org/freeipa/ticket/4768

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 00:35:05 +02:00
Martin Basti
1d9bdb2409 Fix regression: ipa-dns-install will add CA records if required
https://fedorahosted.org/freeipa/ticket/5101

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-07-08 00:32:05 +02:00
Fraser Tweedale
462e0b9eb1 certprofile: add ability to update profile config in Dogtag
Add the `--file=FILENAME' option to `certprofile-mod' which, when
given, will update the profile configuration in Dogtag to the
contents of the file.

Fixes: https://fedorahosted.org/freeipa/ticket/5093
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 00:25:46 +02:00
Fraser Tweedale
bed6f402e2 certprofile: add option to export profile config
Add the `--out=FILENAME' option to `certprofile-show'.  When given,
it exports the profile configuration from Dogtag and writes it to
the named file.

Fixes: https://fedorahosted.org/freeipa/ticket/5091
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 00:25:46 +02:00
Tomas Babej
62e8002bc4 Hide topology and domainlevel features
* Hide topology and domainlevel commands in the CLI
* Hide topology and domainlevel in the WebUI
* Set maximum allowed domain level to 0
* Do not configure and enable the topology plugin

https://fedorahosted.org/freeipa/ticket/5097

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-08 00:09:09 +02:00
Christian Heimes
25d1afdc54 Improve error handling in ipa-httpd-kdcproxy
The pre start script 'ipa-httpd-kdcproxy' for httpd.service now handles
connection and authentication errors more gracefully. If the script is
not able to conenct to LDAP, it only prints a warning and exits with
status code 0. All other errors are still reported as fatal error and
result in a non-zero exit code.

This fixes a problem with offline RPM updates. A restart of Apache no
longer fails when LDAP is not running.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-07-07 16:31:04 +02:00
Martin Basti
6fa123447f FIX: Clear SSSD caches when uninstalling the client
https://fedorahosted.org/freeipa/ticket/5049

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-07-07 16:27:24 +02:00
Tomas Babej
12b053df30 l10n: Update translation strings
* Generate new l10n strings
* Include newly created python implicit files
* Merges already translated strings from Zanata

https://fedorahosted.org/freeipa/ticket/4832

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-07 12:07:15 +02:00
Tomas Babej
c6e6b216e9 l10n: Add configuration file for Zanata
Zanata cliens require the presence of a XML configuration file
inside the git repository of the project.

https://fedorahosted.org/freeipa/ticket/4832

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-07-07 12:07:15 +02:00
Endi S. Dewata
475ade4bec Added ipaVaultPublicKey attribute.
A new attribute ipaVaultPublicKey has been added to replace the
existing ipaPublicKey used to store the vault public key.

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-07 07:44:56 +00:00
Endi S. Dewata
fc5c614950 Added symmetric and asymmetric vaults.
The vault plugin has been modified to support symmetric and asymmetric
vaults to provide additional security over the standard vault by
encrypting the data before it's sent to the server. The encryption
functionality is implemented using the python-cryptography library.

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-07 07:44:56 +00:00
Petr Spacek
8ee975b276 DNSSEC: Detect attempt to install & disable master at the same time.
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-07 08:37:15 +02:00
Petr Spacek
c0271b9c87 DNSSEC: ipa-dns-install: Detect existing master server sooner.
User should get the error before he installs missing packages etc.

https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-07 08:37:15 +02:00
Martin Basti
f7c98c650a Allow to run subprocess with suplementary groups
Param suplementary_groups allows to specify list of group names to be
used for subprocess.
suplementary_groups param requires runas param to be specified.

Required for ticket: https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-07 08:37:15 +02:00
Martin Basti
2e4e8d759d DNSSEC: update message
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-07 08:37:15 +02:00
Martin Basti
e151492560 DNSSEC: allow to disable/replace DNSSEC key master
This commit allows to replace or disable DNSSEC key master

Replacing DNSSEC master requires to copy kasp.db file manually by user

ipa-dns-install:
--disable-dnssec-master  DNSSEC master will be disabled
--dnssec-master --kasp-db=FILE  This configure new DNSSEC master server,  kasp.db from old server is required for sucessful replacement
--force Skip checks

https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-07 08:37:15 +02:00
Petr Vobornik
b258bcee83 webui: add mangedby tab to otptoken
Added managedby_user tab to manage users who can manage the token.

https://fedorahosted.org/freeipa/ticket/5003

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-07-07 05:51:28 +02:00