Commit Graph

619 Commits

Author SHA1 Message Date
Alexander Bokovoy
051786ce37 ds: ignore time skew during initial replication step
Initial replica creation can go with ignoring time skew checks.
We should, however, force time skew checks during normal operation.

Fixes https://pagure.io/freeipa/issue/7211

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-19 17:48:58 +03:00
Christian Heimes
dea059d158
Block PyOpenSSL to prevent SELinux execmem in wsgi
Some dependencies like Dogtag's pki.client library and custodia use
python-requsts to make HTTPS connection. python-requests prefers
PyOpenSSL over Python's stdlib ssl module. PyOpenSSL is build on top
of python-cryptography which trigger a execmem SELinux violation
in the context of Apache HTTPD (httpd_execmem).

When requests is imported, it always tries to import pyopenssl glue
code from urllib3's contrib directory. The import of PyOpenSSL is
enough to trigger the SELinux denial.

Block any import of PyOpenSSL's SSL module in wsgi by raising an
ImportError. The block is compatible with new python-requests with
unbundled urllib3, too.

Fixes: https://pagure.io/freeipa/issue/5442
Fixes: RHBZ#1491508
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-10-18 12:09:57 +02:00
Martin Babinsky
a2de6a17c5 Move tmpfiles.d configuration handling back to spec file
Since ipaapi user is now created during RPM install and not in runtime,
we may switch back to shipping tmpfiles.d configuration directly in RPMs
and not create it in runtime, which is a preferred way to handle drop-in
configuration anyway.

This also means that the drop-in config will be shipped in /usr/lib
instead of /etc according to Fedora packaging guidelines.

This partially reverts commit 38c66896de.

https://pagure.io/freeipa/issue/7053

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2017-08-30 13:05:23 +02:00
Fraser Tweedale
7995518921 Restore old version of caIPAserviceCert for upgrade only
The latest version of caIPAserviceCert profile includes a feature
that is not available before Dogtag 10.4, and this version of the
profile is intended for new installs only (otherwise, problems will
arise in topologies containing CA replicas at an earlier version).
But IPA versions before v4.2 did not use LDAP-based profiles, so the
new version of the profile gets imported when upgrading from
pre-v4.2 to v4.5 or later.

We do not yet have a proper version- and topology-aware profile
update mechanism, so to resolve this issue, ship the older version
of the profile alongside the newer version, and make sure we use the
older version when importing the profile in an upgrade context.

https://pagure.io/freeipa/issue/7097

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-08-14 19:25:59 +02:00
Jan Cholasta
ab9d1e75fc logging: do not reference loggers in arguments and attributes
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
0562359f31 wsgi, oddjob: remove needless uses of Env
Do not use custom Env instance to determine the debug level to use for the
IPA API object - the IPA API object can properly determine the configured
debug level on its own.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Tibor Dudlák
22b0ae440a Create indexes for 'serverhostname' attribute
IPA installation with large number of host entries gets timeout
when invoking ipaserver.plugins.host.get_dn() method.

Resolves: https://pagure.io/freeipa/issue/6939
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-04 14:40:52 +02:00
Jan Cholasta
d5fc0ddd87 install: do not assume /etc/krb5.conf.d exists
Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
/etc/krb5.conf.d exists.

Do not rely on /etc/krb5.conf.d to enable the certauth plugin.

This fixes install on platforms which do not have /etc/krb5.conf.d.

https://pagure.io/freeipa/issue/6589

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2017-06-28 15:44:51 +02:00
Fraser Tweedale
1a35a2e213 Add CommonNameToSANDefault to default cert profile
The CommonNameToSANDefault component was added to Dogtag 10.4.  When
a profile is configured to use it, this profile copies the CN in the
certificate to the Subject Alternative Name extension as a dNSName
(if and only if it does look like a DNS name).

It is desirable that the default service profile use this component.
Add it to the default profile, for new installations only.  For
existing installations, until a proper profile update mechanism is
implemented, administrators who wish to use it must configure it via
the 'certprofile-mod' command.

Fixes: https://pagure.io/freeipa/issue/7007
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-06-27 14:25:58 +00:00
Fraser Tweedale
d7e1ab8438 Add a README to certificate profile templates directory
There have been several instances of people using the profile
configuration template files as actual profile configurations,
resulting in failures and support load.  Add a README to the profile
template directory to explain that these files should not be used
and advise of the recommend procedure.

Fixes: https://pagure.io/freeipa/issue/7014
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-15 13:55:09 +02:00
Tomas Krizek
a924efe847 named.conf template: add modification warning
Warn the user some modifications may break IPA setup or upgrade.
All changes the user makes should be explicitly supported and mentioned
in the documentation. Undocumented and unsupported changes, such as
renaming dyndb part from "ipa" will break IPA.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-23 12:37:48 +02:00
Jan Cholasta
f769045f0a server install: fix KDC PKINIT configuration
Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known
to IPA.

Make sure `cacert.pem` is exported in all installation code paths.

Use the KDC certificate itself as a PKINIT anchor in `login_password`.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
4d36cbf6ad install: introduce generic Kerberos Augeas lens
Introduce new IPAKrb5 lens to handle krb5.conf and kdc.conf changes using
Augeas. The stock Krb5 lens does not work on our krb5.conf and kdc.conf.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
11b8a34346 client install: fix client PKINIT configuration
Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.

Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.

Make sure both bundles are exported in all installation code paths.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Stanislav Laznicka
ddbbb1c58e Move the compat plugin setup at the end of install
The compat plugin was causing deadlocks with the topology plugin. Move
its setup at the end of the installation and remove the
cn=topology,cn=ipa,cn=etc subtree from its scope.

https://pagure.io/freeipa/issue/6821

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-24 17:11:51 +02:00
Christian Heimes
2cd6788c3f Replace hard-coded kdcproxy path with WSGI script
mod_wsgi has no way to import a WSGI module by dotted module name. A new
kdcproxy.wsgi script is used to import kdcproxy from whatever Python
version mod_wsgi is compiled against. This will simplify moving FreeIPA
to Python 3 and solves an import problem on Debian.

Resolves: https://pagure.io/freeipa/issue/6834

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-12 13:05:23 +02:00
Martin Basti
eeaf428b1b Set "KDC:Disable Last Success" by default
In big deployments enabled recording of the last sucesfull login
this creates a huge changelog on DS side and cause performance
issues even if this is excluded from replication.

Actually this is not used directly by FreeIPA so it is safe to remove
in new installations. User who need this must manually remove
"KDC:Disable Last Success" using `ipa config-mod` command or WebUI.

https://pagure.io/freeipa/issue/5313

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-27 18:24:05 +02:00
Fraser Tweedale
1530758475
Support 8192-bit RSA keys in default cert profile
Update the caIPAserviceCert profile to accept 8192-bit RSA keys.
Affects new installs only, because there is not yet a facility to
update included profiles.

Fixes: https://pagure.io/freeipa/issue/6319
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-22 12:29:23 +01:00
Simo Sorce
4ee7e4ee6d Add options to allow ticket caching
This new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Ticket: https://pagure.io/freeipa/issue/6771

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-16 13:10:37 +01:00
Pavel Vomacka
f4cd61f301 Remove allow_constrained_delegation from gssproxy.conf
The Apache process must not allowed to use constrained delegation to
contact services because it is already allowed to impersonate
users to itself. Allowing it to perform constrained delegation would
let it impersonate any user against the LDAP service without authentication.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-03-14 18:56:03 +01:00
Martin Babinsky
594c87daf8 Short name resolution: introduce the required schema
Add ipaDomainResolutionOrder and ipaNameResolutionData to IPAv3 schema.
Extend ipaConfig object with ipaNameResolutionData objectclass during
update.

https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-14 18:37:10 +01:00
Martin Basti
f4c7f1dd8a Remove copy-schema-to-ca.py from master branch
This script is used only for IPA <3.1, so it must be compatible with
ipa-3-0 branch, so it should be placed there

https://pagure.io/freeipa/issue/6540

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-14 15:16:20 +01:00
Pavel Vomacka
75c592d3b9 Support certificate login after installation and upgrade
Add necessary steps which set SSSD and set SELinux boolean during
installation or upgrade. Also create new endpoint in apache for
login using certificates.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 15:13:43 +01:00
Christian Heimes
80be181629 Move csrgen templates into ipaclient package
csrgen broke packaging of ipaclient for PyPI. All csrgen related
resources are now package data of ipaclient package. Package data is
accessed with Jinja's PackageLoader() or through pkg_resources.

https://pagure.io/freeipa/issue/6714

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-08 15:59:26 +01:00
Florence Blanc-Renaud
9e24918c89 Support for Certificate Identity Mapping
See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping

https://fedorahosted.org/freeipa/ticket/6542

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-02 15:09:42 +01:00
Florence Blanc-Renaud
c49320435d Define template version in certmap.conf
A previous commit (ffb9a09a0d) removed the
definition of VERSION 2 in certmap.conf.template.

ipa-server-upgrade tool compares the template version with the version in
certmap.conf. As VERSION is not defined in either file, it concludes that
version = 0 for both and does not make a backup of certmap.conf even though
it prints that it will.

The fix re-defines VERSION in the template and adapts the code because the
template has changed (it is using $ISSUER_DN instead of
CN=Certificate Authority,$SUBJECT_BASE).

The fix also logs an error when a template file is not versioned.

https://fedorahosted.org/freeipa/ticket/6354

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-01 12:46:50 +01:00
Ben Lipton
ada91c2058 csrgen: Support encrypted private keys
https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-28 09:02:49 +00:00
Simo Sorce
b8f304c669 Remove non-sensical kdestroy on https stop
This kdestroy runs as root and wipes root's own ccachs ...
this is totally inappropriate.
Use a file ccache that ends up in the private tmp, so that if the
service is restarted the file is automatically removed.

https://fedorahosted.org/freeipa/ticket/6673

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-02-22 15:50:48 +01:00
Simo Sorce
4fd89833ee Add a new user to run the framework code
Add the apache user the ipawebui group.
Make the ccaches directory owned by the ipawebui group and make
mod_auth_gssapi write the ccache files as r/w by the apache user and
the ipawebui group.
Fix tmpfiles creation ownership and permissions to allow the user to
access ccaches files.
The webui framework now works as a separate user than apache, so the certs
used to access the dogtag instance need to be usable by this new user as well.
Both apache and the webui user are in the ipawebui group, so use that.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
d2f5fc304f Configure HTTPD to work via Gss-Proxy
https://fedorahosted.org/freeipa/ticket/4189
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
b6741d81e1 Use Anonymous user to obtain FAST armor ccache
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
38c66896de Generate tmpfiles config at install time
We do not want to generate runtime directories just because the packages
are installed, but only if the server is actually setup and run. Also this
will be needed later because we will create a user at install time and some
tmpfiles will need to be owned by this user.
As we are changing this code also rationalize the directory structure and
move it from the http rundir to the ipa specific rundir.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
c894ebefc5 Change session handling
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Tomas Krizek
e8a2abd548 named.conf template: update API for bind 9.11
Use the new API for bind 9.11. Removed deprecated "serial_autoincrement"
and updated the rest of configuration to conform to the new format.

This only fixes new IPA installations. For existing installations,
named.conf will be transformed when the new version of bind-dyndb-ldap
is installed.

https://fedorahosted.org/freeipa/ticket/6565

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-09 16:34:53 +01:00
Ben Lipton
afd7c05d11 csrgen: Use data_sources option to define which fields are rendered
This removes the ipa.syntaxrule and ipa.datarule macros in favor of
simple 'if' statements based on the data referenced in the rules. The
'if' statement for a syntax rule is generated based on the data rules it
contains.

The Subject DN should not be generated unless all data rules are in
place, so the ability to override the logical operator that combines
data_sources (from 'or' to 'and') is added.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Ben Lipton
f1a1c6eca1 csrgen: Add a CSR generation profile for user certificates
https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Ben Lipton
fc58eff6a3 csrgen: Add CSR generation profile for caIPAserviceCert
https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Ben Lipton
10ef594786 csrgen: Add code to generate scripts that generate CSRs
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Fraser Tweedale
f54df62aba dsinstance: extract function for writing certmap.conf
For full customisability of the IPA CA subject DN, we will need the
ability to update DS `certmap.conf' when upgrading a deployment from
CA-less to CA-ful.

Extract the existing behaviour, which is private to DsInstance, to
the `write_certmap_conf' top-level function.

Also update `certmap.conf.template' for substition of the whole CA
subject DN (not just the subject base).

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Alexander Bokovoy
38cc01b1c9 adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
Samba 4.5 does not allow to specify access mode for the keytab (FILE: or
WRFILE:) from external sources. Thus, change the defaults to a path
(implies FILE: prefix) while Samba Team fixes the code to allow the
access mode prefix for keytabs.

On upgrade we need to replace 'dedicated keytab file' value with the
path to the Samba keytab that FreeIPA maintains. Since the configuration
is stored in the Samba registry, we use net utility to manipulate the
configuration:

    net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab

Fixes https://fedorahosted.org/freeipa/ticket/6551

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-12 16:39:32 +01:00
Simo Sorce
ca4e6c1fdf Configure Anonymous PKINIT on server install
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-12 13:39:44 +01:00
Martin Babinsky
6086a6dbad Revert "upgrade: add replica bind DN group check interval to CA topology config"
This reverts commit 8c6a10cedd since it
leads to errors in upgrade of first master.

https://fedorahosted.org/freeipa/ticket/6508

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-12-09 15:47:13 +01:00
Christian Heimes
1e6a204b43 Set explicit confdir option for global contexts
Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.

The special contexts are:

* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates

The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.

https://fedorahosted.org/freeipa/ticket/6389

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-02 09:14:35 +01:00
Martin Babinsky
73d0d03891 upgrade: add replica bind DN group check interval to CA topology config
Without this attribute explicitly set the replication plugin won't recognize
updates from members of 'replication managers' sysaccount group, leading to
stuck replica CA installation.

https://fedorahosted.org/freeipa/ticket/6508

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-29 16:09:59 +01:00
Jan Cholasta
d6b755e3fc ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR
SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform.

Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove
both SHARE_DIR and PLUGIN_SHARE_DIR.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
a1f260d021 ipapython: move dnssec, p11helper and secrets to ipaserver
The dnssec and secrets subpackages and the p11helper module depend on
ipaplatform.

Move them to ipaserver as they are used only on the server.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
8e5d2c7014 custodiainstance: automatic restart on config file update
Automatically restart Custodia during IPA server upgrade if custodia.conf
was updated.

Use the new store class name in custodia.conf.template.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Christian Heimes
a8376a2447 Add main guards to a couple of Python scripts
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-24 16:35:43 +01:00
Petr Spacek
d5683726d2 Build: remove incorrect use of MAINTAINERCLEANFILES
Automake manual section 13 What Gets Cleaned says that make maintainer-clean
should not remove files necessary for subsequent runs of ./configure.

It practically means that all usage of MAINTAINERCLEANFILES were incorrect
so I've removed them.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-16 09:12:07 +01:00
Stanislav Laznicka
7279ef1d0f Moved update of DNA plugin among update plugins
To make the code more general, moved the update_dna_shared_config
among other update plugins.

Bugfix: DNA shared config connection protocol was compared to a
method string which would result in a try to always update it
even if there was no need to.

https://fedorahosted.org/389/ticket/48373 causes that two
shared DNA config entries are created instead of one.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-11 12:13:56 +01:00
Petr Spacek
75a944e980 Build: fix KDC proxy installation and remove unused kdcproxy.conf
The only useful file is /etc/ipa/kdcproxy/kdcproxy.conf so I've removed
the other copy of the file in /usr.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
a125370bec Build: Remove spurious EXTRA_DIST from install/share/Makefile.am
dist_ prefix can be used instead of EXTRA_DIST magic.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Petr Spacek
deec97abae Build: cleanup unused LDIFs from install/share
Unused LDIF files were packaged in old tarballs but unused for a long time.
Remove them - git log can be used for archaeology if needed.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Timo Aaltonen
6c53765ac1 Purge obsolete firefox extension
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-13 20:55:14 +02:00
Petr Spacek
f363dfbeed DNS: Support URI resource record type
https://fedorahosted.org/freeipa/ticket/6344

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-11 16:48:47 +02:00
Martin Basti
0f88f8fe88 Remove unused variables in the code
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.

This covers only cases where fix was easy or only one unused variable
was in a module

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Alexander Bokovoy
7bec8a246d support schema files from third-party plugins
Allow upgrade process to include schema files from third-party plugins
installed in /usr/share/ipa/schema.d/*.schema.

The directory /usr/shar/eipa/schema.d is owned by the server-common
subpackage and therefore third-party plugins should depend on
freeipa-server-common (ipa-server-common) package in their package
dependencies.

Resolves: https://fedorahosted.org/freeipa/ticket/5864
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-19 15:34:26 +02:00
Martin Babinsky
807702c986 Create indexes for krbCanonicalName attribute
krbCanonicalName is for a long time among the attributes guarded by uniqueness
plugins, but there was never an index for it. Now that the attribute is really
used to store canonical principal names we need to add index for it to avoid
performance regressions.

https://fedorahosted.org/freeipa/ticket/6100

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2016-07-27 19:25:29 +02:00
Stanislav Laznicka
f3858be6e3 Fix wrong imports in copy-schema-to-ca.py
Some imports were not possible in old versions of IPA. This caused
import exceptions on the script start.

https://fedorahosted.org/freeipa/ticket/6003

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-30 14:28:14 +02:00
Martin Basti
104040cf36 DNS Locations: cleanup of bininstance
We don't need anymore:
* sample of zone file - list of all records required by IPa will be
provided

* NTP related params - DNS records will be updated automatically,
based on LDAP values

* CA related params - DNS records will be updated automatically based
* on LDAP values

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-28 15:23:51 +02:00
Martin Babinsky
3f93f80557 add krbCanonicalName to attributes watched by MODRDN plugin
https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-06-23 09:48:06 +02:00
Martin Babinsky
229ab40dd3 add case-insensitive matching rule to krbprincipalname index
Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-06-23 09:48:06 +02:00
Martin Babinsky
5f963e1ad1 mark 'ipaKrbPrincipalAlias' attribute as deprecated in schema
part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-06-23 09:48:06 +02:00
Petr Spacek
eefdcc6b07 DNS: Support default TTL setting for master DNS zones
https://fedorahosted.org/freeipa/ticket/2956

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-21 12:38:00 +02:00
Thierry Bordaz
8192e2f8c1 Make sure ipapwd_extop takes precedence over passwd_modify_extop
DS core server provides a default plugin (passwd_modify_extop) to handle
1.3.6.1.4.1.4203.1.11.1 extended op (https://www.ietf.org/rfc/rfc3062.txt)

IPA delivers ipa_pwd_extop plugin that should take precedence over
the default DS plugin (passwd_modify_extop)

In addition make sure that slapi-nis has a low precedence

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-06-20 19:09:45 +02:00
Martin Basti
4155eb7b13 DNS Locations: Rename ipalocationweight to ipaserviceweight
Service weight explains better meaning of attribute than location
weight, because location itself have no weight only services have.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
08265f1e92 DNS Locations: dnsserver: use the newer config way in installer
Store some parts of DNS configuration in LDAP tree instead of named.conf

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
52590d6fa5 DNS Locations: dnsserver: put server_id option into named.conf
The option server_id is required for DNS location feature, otherwise it
will not work.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
2157ea0e6d DNS Locations: dnsserver-* commands
New commands for manipulation with DNS server configuration were added:
 * dnsserver-show
 * dnsserver-mod
 * dnsserver-find

https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP
https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
88a0952f26 DNS Locations: dnsservers: add required objectclasses
Objectclass: idnsServerConfigObject - stores configuration values for
DNS servers

Attributetype: idnsServerId - identifier of dns server (server hostname)

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
745a2e6471 DNS Locations: add idnsTemplateObject objectclass
The objectclass and its related is used for generating cname records
inside bind-dyndb-ldap, see design for more details
https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/RecordGenerator

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
0f5cca0e45 DNS Locations: add index for ipalocation attribute
For performace ipalocation should be indexed because it is used by
referint plugin

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Fraser Tweedale
3d4db834ca Add 'ca' plugin
This commit adds the 'ca' plugin for creating and managing
lightweight CAs.  The initial implementation supports a single level
of sub-CAs underneath the IPA CA.

This commit also:

- adds the container for FreeIPA CA objects

- adds schema for the FreeIPA CA objects

- updates ipa-pki-proxy.conf to allow access to the Dogtag
  lightweight CAs REST API.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 07:13:38 +02:00
Alexander Bokovoy
bb75f5a583 adtrust: support UPNs for trusted domain users
Add support for additional user name principal suffixes from
trusted Active Directory forests. UPN suffixes are property
of the forest and as such are associated with the forest root
domain.

FreeIPA stores UPN suffixes as ipaNTAdditionalSuffixes multi-valued
attribute of ipaNTTrustedDomain object class.

In order to look up UPN suffixes, netr_DsRGetForestTrustInformation
LSA RPC call is used instead of netr_DsrEnumerateDomainTrusts.

For more details on UPN and naming in Active Directory see
https://technet.microsoft.com/en-us/library/cc739093%28v=ws.10%29.aspx

https://fedorahosted.org/freeipa/ticket/5354

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-11 17:25:50 +02:00
Fraser Tweedale
b0d9a4728f Setup lightweight CA key retrieval on install/upgrade
Add the ipa-pki-retrieve-key helper program and configure
lightweight CA key replication on installation and upgrade.  The
specific configuration steps are:

- Add the 'dogtag/$HOSTNAME' service principal
- Create the pricipal's Custodia keys
- Retrieve the principal's keytab
- Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever
  to invoke ipa-pki-retrieve-key for key retrieval

Also bump the minimum version of Dogtag to 10.3.2.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-09 09:04:27 +02:00
Stanislav Laznicka
2026677635 Added krb5.conf.d/ to included dirs in krb5.conf
The include of /etc/krb5.conf.d/ is required for crypto-policies to work properly

https://fedorahosted.org/freeipa/ticket/5912

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-06-05 09:47:13 +02:00
Martin Basti
bae621415d DNS Locations: location-* commands
http://www.freeipa.org/page/V4/DNS_Location_Mechanism

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-03 15:58:21 +02:00
Martin Basti
180d7458de DNS Locations: add new attributes and objectclasses
http://www.freeipa.org/page/V4/DNS_Location_Mechanism

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-03 15:58:21 +02:00
Martin Basti
29a8615cf3 DNS Locations: Always create DNS related privileges
DNS privileges are important for handling DNS locations which can be
created without DNS servers in IPA topology. We will also need this
privileges presented for future feature 'External DNS support'

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-03 15:58:21 +02:00
Stanislav Laznicka
f0160a2ed2 Added <my_hostname>=<IPA REALM> mapping to krb5.conf
https://fedorahosted.org/freeipa/ticket/5903

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-02 20:09:36 +02:00
Petr Spacek
f750d42b6f DNS upgrade: change forwarding policy to = only for conflicting forward zones
This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.

This procedure is still not complete because we need to handle global
forwarders too (in LDAP and in named.conf on each server).

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 20:14:32 +02:00
Petr Spacek
321a2ba918 Add ipaDNSVersion option to dnsconfig* commands and use new attribute
Ad-hoc LDAP calls in DNS upgrade code were hard to maintain and
ipaConfigString was bad idea from the very beginning as it was hard to
manipulate the number in it.

To avoid problems in future we are introducing new ipaDNSVersion
attribute which is used on cn=dns instead of ipaConfigString.
Original value of ipaConfigString is kept in the tree for now
so older upgraders see it and do not execute the upgrade procedure again.

The attribute can be changed only by installer/upgrade so it is not
exposed in dnsconfig_mod API.

Command dnsconfig_show displays it only if --all option was used.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 20:14:32 +02:00
Petr Spacek
ea794f3dec Remove unused file install/share/fedora-ds.init.patch
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-11 09:57:05 +02:00
Tomas Babej
6adf863781 idviews: Add user certificate attribute to user ID overrides
https://fedorahosted.org/freeipa/ticket/4955

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-05-06 07:12:01 +02:00
Matt Rogers
8a2afcafee ipa_kdb: add krbPrincipalAuthInd handling
Store and retrieve the authentication indicator "require_auth" string in
the krbPrincipalAuthInd attribute. Skip storing auth indicators to
krbExtraData.

https://fedorahosted.org/freeipa/ticket/5782

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-05-02 19:15:45 +02:00
Petr Spacek
8997454889 Extend installers with --forward-policy option
This option specified forward policy for global forwarders.
The value is put inside /etc/named.conf.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-04-28 18:46:06 +02:00
Martin Basti
586fee293f Configure httpd service from installer instead of directly from RPM
File httpd.service was created by RPM, what causes that httpd service may
fail due IPA specific configuration even if IPA wasn't installed or was
uninstalled (without erasing RPMs).

With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.

https://fedorahosted.org/freeipa/ticket/5681

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-04-22 10:19:25 +02:00
David Kupka
03a697489a Look up HTTPD_USER's UID and GID during installation.
Those values differ among distributions and there is no guarantee that they're
reserved. It's better to look them up based on HTTPD_USER's name.

https://fedorahosted.org/freeipa/ticket/5712

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-23 17:15:25 +01:00
Timo Aaltonen
b793c9049e Fix kdc.conf.template to use ipaplatform.paths.
https://fedorahosted.org/freeipa/ticket/5343

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-23 13:35:29 +01:00
Timo Aaltonen
f761051411 Use ODS_USER/ODS_GROUP in opendnssec_conf.template
https://fedorahosted.org/freeipa/ticket/5343

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-23 13:32:55 +01:00
Christian Heimes
49be6c8d3c Move user/group constants for PKI and DS into ipaplatform
https://fedorahosted.org/freeipa/ticket/5619

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-03-22 10:40:44 +01:00
Martin Basti
e0b9afded5 krb5conf: use 'true' instead of 'yes' for forwardable option
'yes' is also valid value in krb5.conf but we should be consistent and
use only 'true' as we do for other options.

https://fedorahosted.org/freeipa/ticket/5518

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-03-09 19:04:19 +01:00
Simo Sorce
7a20fc671b Allow to specify Kerberos authz data type per user
Like for services setting the ipaKrbAuthzData attribute on a user object will
allow us to control exactly what authz data is allowed for that user.
Setting NONE would allow no authz data, while setting MS-PAC would allow only
Active Directory compatible data.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/2579
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-03-09 19:00:43 +01:00
Martin Basti
bba2355631 fix permission: Read Replication Agreements
This permission cannot be MANAGED permission because it is located in
nonreplicating part of the LDAP tree.

As side effect, the particular ACI has not been created on all replicas.

This commit makes Read Replication Agreements non managed permission and
also fix missing ACI on replicas.

https://fedorahosted.org/freeipa/ticket/5631

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-02-25 14:30:01 +01:00
Simo Sorce
58ab032f1a Use only AES enctypes by default
Remove des3 and arcfour from the defaults for new installs.

NOTE: the ipasam/dcerpc code sill uses arcfour

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/4740
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-01-13 15:24:53 +01:00
Martin Basti
1d56665fd2 Upgrade: Fix upgrade of NIS Server configuration
Former upgrade file always created the NIS Server container, that caused
the ipa-nis-manage did not set all required NIS maps. Default creation
of container has been removed.

Updating of NIS Server configuration and
NIS maps is done only if the NIS Server container exists.

https://fedorahosted.org/freeipa/ticket/5507

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-01-11 09:45:54 +01:00
Martin Basti
e4075b1fe2 Remove unused imports
This patch removes unused imports, alse pylint has been configured to
check unused imports.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:59:22 +01:00
Jan Cholasta
6ea868e172 aci: merge domain and CA suffix replication agreement ACIs
Merge the two identical sets of replication agreement permission ACIs for
the domain and CA suffixes into a single set suitable for replication
agreements for both suffixes. This makes the replication agreement
permissions behave correctly during CA replica install, so that any
non-admin user with the proper permissions (such as members of the
ipaservers host group) can set up replication for the CA suffix.

https://fedorahosted.org/freeipa/ticket/5399

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-12-14 14:40:17 +01:00
Jan Cholasta
7b9a97383c aci: replace per-server ACIs with ipaserver-based ACIs
https://fedorahosted.org/freeipa/ticket/3416

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-12-07 08:13:23 +01:00
Jan Cholasta
a8d7ce5cf1 aci: add IPA servers host group 'ipaservers'
https://fedorahosted.org/freeipa/ticket/3416

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-12-07 08:13:23 +01:00
Petr Vobornik
517aa84569 rename topology suffixes to "domain" and "ca"
https://www.redhat.com/archives/freeipa-devel/2015-November/msg00485.html

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-04 12:59:21 +01:00
Simo Sorce
5ed1b844dc Sync kerberos LDAP schema with upstream.
All the new attributes are unused for now, but this allows us to keep tailing
upstream in case of other useful changes later on.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/2086
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-12-03 16:02:55 +01:00
Fraser Tweedale
620036d26e Add profiles and default CA ACL on migration
Profiles and the default CA ACL were not being added during replica
install from pre-4.2 servers.  Update ipa-replica-install to add
these if they are missing.

Also update the caacl plugin to prevent deletion of the default CA
ACL and instruct the administrator to disable it instead.

To ensure that the cainstance installation can add profiles, supply
the RA certificate as part of the instance configuration.
Certmonger renewal setup is avoided at this point because the NSSDB
gets reinitialised later in installation procedure.

Also move the addition of the default CA ACL from dsinstance
installation to cainstance installation.

Fixes: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-11-24 10:12:24 +01:00
Martin Basti
19044e87ac Drop configure.jar
Configure.jar used to be used with firefox version < 10 which is not
supported anymore, thus this can be removed.

https://fedorahosted.org/freeipa/ticket/5144

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-11-13 14:02:45 +01:00
Simo Sorce
2606f5aecd Allow to setup the CA when promoting a replica
This patch makes --setup-ca work to set upa clone CA while creating
a new replica. The standalone ipa-ca-install script is not converted
yet though.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Ludwig Krispenz
fcb9854dcb handle multiple managed suffixes
trigger topology updaet if suffix entry is added
    trigger topology update if managedSuffix is modified in host entry

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Petr Vobornik
fff31ca220 topology: manage ca replication agreements
Configure IPA so that topology plugin will manage also CA replication
agreements.

upgrades if CA is congigured:
- ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX
- ipaReplTopoManagedSuffix: o=ipaca is added to master entry
- binddngroup is added to o=ipaca replica entry

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Simo Sorce
463dda3067 Add ipa-custodia service
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-10-15 14:24:33 +02:00
Jan Cholasta
275e1482de schema: do not derive ipaVaultPublicKey from ipaPublicKey
This is a workaround for DS bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1267782

https://fedorahosted.org/freeipa/ticket/5359

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-10-12 15:48:42 +02:00
Robert Kuska
01da4a8de3 Replace StandardError with Exception
StandardError was removed in Python3 and instead
Exception should be used.

Signed-off-by: Robert Kuska <rkuska@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-09-30 10:51:36 +02:00
Jan Cholasta
5137478fb8 install: support KRA update
https://fedorahosted.org/freeipa/ticket/5250

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-09-17 14:55:54 +02:00
Jan Cholasta
d3503043c4 vault: update access control
Do not allow vault and container owners to manage owners. Allow adding vaults
and containers only if owner is set to the current user.

https://fedorahosted.org/freeipa/ticket/5250

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-09-17 14:55:54 +02:00
Endi S. Dewata
0dd95a19ee Added CLI param and ACL for vault service operations.
The CLIs to manage vault owners and members have been modified
to accept services with a new parameter.

A new ACL has been added to allow a service to create its own
service container.

https://fedorahosted.org/freeipa/ticket/5172

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-08-17 08:10:59 +02:00
Petr Viktorin
27dabb4528 Modernize 'except' clauses
The 'as' syntax works from Python 2 on, and Python 3 will
drop the "comma" syntax.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-08-12 18:17:23 +02:00
Fraser Tweedale
812ab600a3 Add profile for DNP3 / IEC 62351-8 certificates
The DNP3 smart-grid standard uses certificate with the IEC 62351-8
IECUserRoles extension.  Add a profile for DNP3 certificates which
copies the IECUserRoles extension from the CSR, if present.

Also update cert-request to accept CSRs containing this extension.

Fixes: https://fedorahosted.org/freeipa/ticket/4752
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-08-11 14:57:41 +02:00
Petr Viktorin
b8c46f2a32 Modernize number literals
Use Python-3 compatible syntax, without breaking compatibility with py 2.7

- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
  long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
  strict type checking checking, e.g. type(0).

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-31 15:22:19 +02:00
Martin Basti
5ea41abe98 DNS: Consolidate DNS RR types in API and schema
* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
    These records never worked, they dont have attributes in schema.
    TSIG and TKEY are meta-RR should not be in LDAP
    TA is not supported by BIND
    NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be
    in LDAP.
    *! SIG, NSEC are already defined in schema, must stay in API.

* Add HINFO, MINFO, MD, NXT records to API as unsupported records
    These records are already defined in LDAP schema

* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records
    These records were defined in IPA API as unsupported, but schema definition was
    missing. This causes that ACI cannot be created for these records
    and dnszone-find failed. (#5055)

https://fedorahosted.org/freeipa/ticket/4934
https://fedorahosted.org/freeipa/ticket/5055

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-07-21 17:18:29 +02:00
Martin Basti
8bc0e9693b copy-schema-to-ca: allow to overwrite schema files
If content of source and target file differs, the script will ask user
for permission to overwrite target file.

https://fedorahosted.org/freeipa/ticket/5034

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-07-15 07:11:21 +00:00
Endi S. Dewata
bf6df3df9b Added vault access control.
New LDAP ACIs have been added to allow vault owners to manage the
vaults and to allow members to access the vaults. New CLIs have
been added to manage the owner and member list. The LDAP schema
has been updated as well.

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-08 06:30:23 +00:00
Endi S. Dewata
475ade4bec Added ipaVaultPublicKey attribute.
A new attribute ipaVaultPublicKey has been added to replace the
existing ipaPublicKey used to store the vault public key.

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-07 07:44:56 +00:00
Endi S. Dewata
fc5c614950 Added symmetric and asymmetric vaults.
The vault plugin has been modified to support symmetric and asymmetric
vaults to provide additional security over the standard vault by
encrypting the data before it's sent to the server. The encryption
functionality is implemented using the python-cryptography library.

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-07-07 07:44:56 +00:00
Martin Basti
16f47ed452 Fix indicies ntUserDomainId, ntUniqueId
ntUserDomainId and ntUniqueId  contained "eq,pres" index value, which is
not valid.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-06-29 13:40:29 +02:00
Christian Heimes
495da412f1 Provide Kerberos over HTTP (MS-KKDCP)
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
  dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
  cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
  present.
- The installers and update create a new Apache config file
  /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
  /KdcProxy. The app is run inside its own WSGI daemon group with
  a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
  /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used. SetEnv from Apache config does
  not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
  ipa-ldap-updater. No CLI script is offered yet.

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-06-24 10:43:58 +02:00
Martin Babinsky
3bea441808 add DS index for userCertificate attribute
'eq' and 'pres' indices for userCertificate attribute allow for more efficient
lookup and matching of binary certificates assigned to users, hosts, and
services.

Part of http://www.freeipa.org/page/V4/User_Certificates

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-18 15:42:03 +02:00
Martin Basti
3ababb763b DNS: add UnknownRecord to schema
defintion of UnknownRecord attributetype

https://fedorahosted.org/freeipa/ticket/4939

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-06-18 14:37:28 +02:00
Fraser Tweedale
bc0c606885 Add CA ACL plugin
Implement the caacl commands, which are used to indicate which
principals may be issued certificates from which (sub-)CAs, using
which profiles.

At this commit, and until sub-CAs are implemented, all rules refer
to the top-level CA (represented as ".") and no ca-ref argument is
exposed.

Also, during install and upgrade add a default CA ACL that permits
certificate issuance for all hosts and services using the profile
'caIPAserviceCert' on the top-level CA.

Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-11 10:50:31 +00:00
Jan Cholasta
81729e22d3 vault: Move vaults to cn=vaults,cn=kra
https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-06-10 16:17:34 +00:00
Fraser Tweedale
979947f7f2 Add usercertificate attribute to user plugin
Part of: https://fedorahosted.org/freeipa/tickets/4938

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-04 08:27:33 +00:00
Fraser Tweedale
b24fe0eb73 Import included profiles during install or upgrade
Add a default service profile template as part of FreeIPA and format
and import it as part of installation or upgrade process.

Also remove the code that modifies the old (file-based)
`caIPAserviceCert' profile.

Fixes https://fedorahosted.org/freeipa/ticket/4002

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-04 08:27:33 +00:00
Fraser Tweedale
3d15f2966b Add schema for certificate profiles
The certprofile object class is used to track IPA-managed
certificate profiles in Dogtag and store IPA-specific settings.

Part of: https://fedorahosted.org/freeipa/ticket/57

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-06-04 08:27:33 +00:00
Tomas Babej
f3010498af Add Domain Level feature
https://fedorahosted.org/freeipa/ticket/5018

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-05-26 11:59:47 +00:00
Ludwig Krispenz
4bcc2546d5 install part - manage topology in shared tree
https://fedorahosted.org/freeipa/ticket/4302

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-05-26 10:43:50 +02:00
Ludwig Krispenz
25bf0c6e78 ds plugin - manage replication topology in the shared tree
Implementation of ticket: https://fedorahosted.org/freeipa/ticket/4302
        Design page: http://www.freeipa.org/page/V4/Manage_replication_topology

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2015-05-26 10:40:29 +02:00
Endi S. Dewata
fde21adcbd Added vault plugin.
A new plugin has been added to manage vaults. Test scripts have
also been added to verify the functionality.

https://fedorahosted.org/freeipa/ticket/3872

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-25 06:17:09 +00:00
Martin Basti
96f6d6ca09 DNSSEC: update OpenDNSSEC KASP configuration
* remove unneeded parts
* increase KSK key length to 3072
* increase KSK key lifetime to 2 years (see NIST SP 800-81-2 section 11.2)

Update is not required, as template contains just recommended values
which should by reviewed by administrators.

https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-05-19 12:50:56 +00:00
Martin Basti
fbdfd688b9 Server Upgrade: Fix uniqueness plugins
Due previous changes (in master branch only) the uniqueness plugins
became misconfigured.

After this patch:
* whole $SUFFIX will be checked by unique plugins
* just staged users are exluded from check

This reverts some changes in commit
52b7101c11

Since 389-ds-base 1.3.4.a1 new attribute 'uniqueness-exclude-subtrees'
can be used.

https://fedorahosted.org/freeipa/ticket/4921

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-05-19 12:45:41 +00:00
Thierry Bordaz
273fd057a3 User life cycle: Add 'Stage User Provisioning' permission/priviledge
Add the ability for 'Stage user provisioning' priviledge to add
stage users.

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-05-18 09:37:21 +02:00
Thierry Bordaz
51937cc571 User life cycle: Stage user Administrators permission/priviledge
Creation of stage user administrator

https://fedorahosted.org/freeipa/ticket/3813

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-05-18 09:37:21 +02:00
Martin Basti
5783d0c832 Server Upgrade: remove CSV from upgrade files
CSV values are not supported in upgrade files anymore

Instead of

   add:attribute: 'first, part', second

please use

  add:attribute: firts, part
  add:attribute: second

Required for ticket: https://fedorahosted.org/freeipa/ticket/4984

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-05-11 16:08:01 +00:00
Martin Basti
a695f33989 Remove unused disable-betxn.ldif file
Reviewed-By: David Kupka <dkupka@redhat.com>
2015-03-09 14:45:16 +01:00
Martin Basti
52b7101c11 Fix uniqueness plugins
* add uniqueness-subtree-entries-oc:posixAccount to ensure idviews users
will not be forced to have unique uid

* remove unneded update plugins -> update was moved to .update file

* add uniqueness-across-all-subtrees required by user lifecycle
management

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-05 12:43:35 +01:00
Martin Basti
4b2ec5468f Migrate uniquess plugins configuration to new style
New configuration style contains options required for user lifecycle
management.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-05 12:43:35 +01:00
Martin Kosek
ffb9a09a0d Remove references to GPL v2.0 license
All FreeIPA original code should be licensed to GPL v3+ license,
update the respective files:

- daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c

Remove GPL v2.0 license files from LDIFs or template to keep
consistency.

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-02-20 15:40:42 +01:00
Jan Cholasta
fe4b3190e9 Revert "Make all ipatokenTOTP attributes mandatory"
This prevents schema replication conflicts which cause replication failures
with older versions of IPA. Details in
https://bugzilla.redhat.com/show_bug.cgi?id=1176995#c7

This reverts commit adcd373931.

https://fedorahosted.org/freeipa/ticket/4833

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-01-21 09:20:15 +01:00
Martin Basti
bb405bd972 Fix: Upgrade forwardzones zones after adding newer replica
Patch fixes issue, when forwardzones has not been upgraded after adding
replica >=4.0 into topology with IPA 3.x servers.

Ticket: https://fedorahosted.org/freeipa/ticket/4818
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-01-09 13:30:37 +01:00
Petr Vobornik
489dfe6468 revert removal of cn attribute from idnsRecord
The removal, which was done in IPA-3.2, causes replication issues between IPA < 3.2 and IPA 4.1. Because IPA 4.1 adds two more attributes.

https://fedorahosted.org/freeipa/ticket/4794

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-12-09 20:39:56 +00:00
Nathaniel McCallum
7ad9f5d3d5 Prefer TCP connections to UDP in krb5 clients
In general, TCP is a better fit for FreeIPA due to large packet sizes.

However, there is also a specific need for TCP when using OTP. If a UDP
packet is delivered to the server and the server takes longer to process
it than the client timeout (likely), the OTP value will be resent.
Unfortunately, this will cause failures or even lockouts. Switching to
TCP avoids this problem altogether.

https://fedorahosted.org/freeipa/ticket/4725

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-12-08 10:56:06 +01:00
Nathaniel McCallum
9baa93da1c Make token auth and sync windows configurable
This introduces two new CLI commands:
  * otpconfig-show
  * otpconfig-mod

https://fedorahosted.org/freeipa/ticket/4511

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-12-05 13:42:19 +01:00
Petr Viktorin
e57b7b5e87 copy_schema_to_ca: Fallback to old import location for ipaplatform.services
This file is copied to older servers that might not have the ipaplatform
refactoring.
Import from the old location if the new one is not available.

https://fedorahosted.org/freeipa/ticket/4763

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-11-25 09:20:28 +01:00
Martin Basti
a7162e7766 Fix: DNS installer adds invalid zonemgr email
Installer adds zonemgr as relative (and invalid) address.
This fix force installer to use absolute email.

Ticket: https://fedorahosted.org/freeipa/ticket/4707
Reviewed-By: David Kupka <dkupka@redhat.com>
2014-11-13 10:36:28 +00:00