Commit Graph

164 Commits

Author SHA1 Message Date
Simo Sorce
d2f5fc304f Configure HTTPD to work via Gss-Proxy
https://fedorahosted.org/freeipa/ticket/4189
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
b6741d81e1 Use Anonymous user to obtain FAST armor ccache
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
38c66896de Generate tmpfiles config at install time
We do not want to generate runtime directories just because the packages
are installed, but only if the server is actually setup and run. Also this
will be needed later because we will create a user at install time and some
tmpfiles will need to be owned by this user.
As we are changing this code also rationalize the directory structure and
move it from the http rundir to the ipa specific rundir.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Simo Sorce
c894ebefc5 Change session handling
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Tomas Krizek
e8a2abd548 named.conf template: update API for bind 9.11
Use the new API for bind 9.11. Removed deprecated "serial_autoincrement"
and updated the rest of configuration to conform to the new format.

This only fixes new IPA installations. For existing installations,
named.conf will be transformed when the new version of bind-dyndb-ldap
is installed.

https://fedorahosted.org/freeipa/ticket/6565

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-09 16:34:53 +01:00
Ben Lipton
10ef594786 csrgen: Add code to generate scripts that generate CSRs
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-31 10:20:28 +01:00
Timo Aaltonen
e04b75cb9e ipaplatform: Add Debian platform module.
v2:
- use redhat_services.redhat_system_units.copy
- don't use wildcard imports
- add some empty lines to make pep8 happy

v3:
- make parse_ipa_version static

v4:
- make more methods static

v5:
- fix pylint issues
- use syntax that doesn't break with python3

v6:
- remove IPA_GETKEYTAB from paths, it's the same across distros

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-19 16:45:42 +01:00
Abhijeet Kasurde
6d52c0fe6a Fix for handling CalledProcessError in authconfig
NIS configuration error should be hidden from user
while running ipa-client-install

Fixes https://fedorahosted.org/freeipa/ticket/5244

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-01-18 08:51:38 +01:00
Timo Aaltonen
0ff12de338 client, platform: Use paths.SSH* instead of get_config_dir().
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-01-05 17:50:03 +01:00
Simo Sorce
ca4e6c1fdf Configure Anonymous PKINIT on server install
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-12-12 13:39:44 +01:00
Christian Heimes
3e3b5462b2 Remove BIN_FALSE and BIN_TRUE
https://fedorahosted.org/freeipa/ticket/6474

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-02 09:02:07 +01:00
Christian Heimes
ed9645b2ac Adjustments for setup requirements
* Fix some typos, missing or surplus dependencies.
* Remove setup requirement on wheel since it triggers download.

ipatests is now installable. Tests need further changes to be runable.

https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-30 13:32:30 +01:00
Jan Cholasta
a260fd8058 ipaclient: remove hard dependency on ipaplatform
Hard-code the user cache directory path in ipaclient.remote_plugins.schema.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
528012fe8a ipapython: remove hard dependency on ipaplatform
Use hard-coded paths to certutil, pk12util and openssl in certdb if
ipaplatform is not available.

Hard-coded the path to setpasswd in ipautil.run() doc string.

Remove ipaplatform dependency from ipapython's setup.py and add ipapython
dependency to ipaplatform's setup.py.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
75b70e3f0d ipautil: move is_fips_enabled() to ipaplatform.tasks
The FIPS setting is platform-specific.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
d6b755e3fc ipautil: remove SHARE_DIR and PLUGIN_SHARE_DIR
SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform.

Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove
both SHARE_DIR and PLUGIN_SHARE_DIR.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
f919ab4ee0 certdb: use a temporary file to pass password to pk12util
Currently the PKCS#12 file password is passed via stdin and pk12util reads
it from /dev/stdin, which is platform-specific.

Use a temporary file instead.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
9117a5d5a6 paths: remove DEV_NULL
The platform-specific path to /dev/null is provided by the Python standard
library in os.devnull.

Replace all uses of paths.DEV_NULL with os.devnull and remove DEV_NULL.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Christian Heimes
6409abf1a6 Break ipaplatform / ipalib import cycle of hell
Here is an attempt to break the import cycle of hell between ipaplatform
and ipalib. All services now pass an ipalib.api object to
services.service(). RedHatServices.__init__() still needs to do a local
import because it initializes its wellknown service dict with service
instances.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-24 16:30:32 +01:00
Christian Heimes
29947fe1a3 Minor fixes for IPAVersion class
Py3: classes with __eq__ must provide __hash__ function or set __hash__
to None.
Comparison function like __eq__ must signal unsupported types by
returning NotImplemented. Python turns this in a proper TypeError.
Make the version member read-only and cache _bytes represention.

https://fedorahosted.org/freeipa/ticket/6473

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-22 17:44:27 +01:00
Fraser Tweedale
687ebd18a1 Remove references to ds_newinst.pl
ds_newinst.pl was removed from 389 DS over 9 years ago. Remove
references to it.

Fixes: https://fedorahosted.org/freeipa/ticket/6496
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-21 18:03:52 +01:00
Christian Heimes
8346e1b067 Add install requirements to Python packages
https://fedorahosted.org/freeipa/ticket/6468

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-16 22:58:39 +01:00
Christian Heimes
94a9dfb9d7 Don't modify redhat_system_units
ipaplatform.fedora.services used to modify the redhat_system_units dict.
It now creates a proper shallow copy.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-16 14:43:53 +01:00
Petr Spacek
8de11b091f Build: Makefiles for Python packages
This version builds only one version of Python packages. If you want to
build for Python 2 & 3 call configure twice using different --with-python
or specify PYTHON variable when calling make.

dist-hook is using SOURCES.txt file from egg-info.
According to Petr Viktorin this should be enough for our purposes
and avoids need to create plugins for setuptools.

Currently VPATH builds do not work for various reasons.
This should be fixed later on.

Most credit goes to these guys:
 Christian Heimes <cheimes@redhat.com>
 Petr Viktorin <pviktori@redhat.com>
 Kevin Brown <kevin@kevin-brown.com>

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Christian Heimes
91920e7cb4 Add __name__ == __main__ guards to setup.pys
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2016-10-25 18:11:31 +02:00
Petr Spacek
c70a2873f8 Build: replace ipaplatform magic with symlinks generated by configure
The original approach with __path__ implemented
by 8f98fa1bd5 broke Pylint:
We decided to resort back to symlinks as it is easiest solution
which does not break pylint in weird ways.

This commit introduces configure --with-ipaplatform option.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-10-24 13:30:12 +02:00
Christian Heimes
4cd83fb51c Port all setup.py to setuptools
All setup.py files are now using setuptools through a common file
ipasetup.py. The file is auto-generated and contain all common
settings.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-20 18:43:37 +02:00
Christian Heimes
8f98fa1bd5 Replace ipaplatform's symlinks with a meta importer
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-10-20 10:42:00 +02:00
Timo Aaltonen
6c53765ac1 Purge obsolete firefox extension
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-13 20:55:14 +02:00
Jan Barta
36484e8672 pylint: fix simplifiable-if-statement warnings
fix inefficient if statements, enable pylint check

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Jan Cholasta
984ae3858d client: remove hard dependency on pam_krb5
If ipa-client-install is executed with --no-sssd, check if pam_krb5 is
available before proceeding with the install.

https://fedorahosted.org/freeipa/ticket/5557

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-19 08:01:26 +02:00
Alexander Bokovoy
7bec8a246d support schema files from third-party plugins
Allow upgrade process to include schema files from third-party plugins
installed in /usr/share/ipa/schema.d/*.schema.

The directory /usr/shar/eipa/schema.d is owned by the server-common
subpackage and therefore third-party plugins should depend on
freeipa-server-common (ipa-server-common) package in their package
dependencies.

Resolves: https://fedorahosted.org/freeipa/ticket/5864
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-19 15:34:26 +02:00
Petr Spacek
80e544e7a9 install: Call hostnamectl set-hostname only if --hostname option is used
This commit also splits hostname backup and configuration into two separate
functions. This allows us to backup hostname without setting it at the
same time.

https://fedorahosted.org/freeipa/ticket/6071

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-10 10:48:05 +02:00
Martin Basti
148e021ac1 ipa-backup: backup /etc/tmpfiles.d/dirsrv-<instance>.conf
This file allows daemon tmpfiles.d to re-create the dirs in volatile
directories like /var/run or /var/lock. Without this file Dirsrv will
not start.

https://fedorahosted.org/freeipa/ticket/6165

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-08-09 18:29:21 +02:00
Christian Heimes
1de92b1326 RedHatCAService should wait for local Dogtag instance
RedHatCAService.wait_until_running() uses dogtag.ca_status() to make a
HTTP(s) request to Dogtag in order to check if /ca/admin/ca/getStatus
returns OK. The ca_status() function defaults to api.env.ca_host as
host.

On a replica without CA ca_host is a remote host (e.g. master's
FQDN). ipa-ca-install waits for master:8080 instead of replica:8080,
which might be blocked by a firewall.

https://fedorahosted.org/freeipa/ticket/6016

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-03 19:20:42 +02:00
David Kupka
229e2a1ed9 compat: Save server's API version in for pre-schema servers
When client comunicates with server that doesn't support 'schema'
command it needs to determine its api version to be able to use the
right compat code. Storing information about server version reduces the
need to call 'env' or 'ping' command only to first time the server is
contacted.

https://fedorahosted.org/freeipa/ticket/6069

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-03 16:32:39 +02:00
Christian Heimes
64db059249 Correct path to HTTPD's systemd service directory
Ticket #5681 and commit 586fee293f changed
the location of the ipa.conf for Apache HTTPD. The variables
SYSTEMD_SYSTEM_HTTPD_D_DIR and SYSTEMD_SYSTEM_HTTPD_IPA_CONF point to
the wrong directory /etc/systemd/system/httpd.d/. The path is corrected
to  /etc/systemd/system/httpd.service.d/.

https://fedorahosted.org/freeipa/ticket/6158
https://bugzilla.redhat.com/show_bug.cgi?id=1362537
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
2016-08-02 17:21:16 +02:00
Martin Basti
f05615bb83 CI tests: improve log collecting
We should collect as much as possible relevant logs to be able do better
investigation from test automation

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-07-26 15:34:07 +02:00
Petr Vobornik
1b8a36d134 unite log file name of ipa-ca-install
ipa-ca-install said that it used
  /var/log/ipareplica-ca-install.log
but in fact it used
  /var/log/ipaserver-ca-install.log

This patch unites it to ipareplica-ca-install.log

It was chosen because of backwards compatibility - ipareplica-ca-install
was more commonly used. ipaserver-ca-install.log was used only in rare
CA less -> CA installation.

https://fedorahosted.org/freeipa/ticket/6086

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-07-21 18:37:05 +02:00
Florence Blanc-Renaud
d9ae9ee1b5 Do not log error when removing a non-existing file
When the uninstaller tries to remove /etc/systemd/system/httpd.d/ipa.conf and
the file does not exist, only log to debug instead of error.

https://fedorahosted.org/freeipa/ticket/6012

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-01 09:01:21 +02:00
Florence Blanc-Renaud
3c40d3aa9e Do not allow installation in FIPS mode
https://fedorahosted.org/freeipa/ticket/5761

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2016-06-29 16:17:27 +02:00
Stanislav Laznicka
fb4e19713d Fixes CA always being presented as running
Even after manually stopping the pki-tomcatd service instance the
service's is_running() method would still return True.

https://fedorahosted.org/freeipa/ticket/5898

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-15 18:11:28 +02:00
Fraser Tweedale
4660bb7ff0 Add custodia store for lightweight CA key replication
Due to limitations in Dogtag's use of NSSDB, importing private keys
must be done by the Dogtag Java process itself.  This requires a
PKIArchiveOptions format (signing key wrapped with host CA key) -
PKCS #12 cannot be used because that would require decrypting the
key in Dogtag's memory, albeit temporarily.

Add a new custodia store that executes a 'pki' command to acquire
the wrapped key.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-09 09:04:27 +02:00
Stanislav Laznicka
2026677635 Added krb5.conf.d/ to included dirs in krb5.conf
The include of /etc/krb5.conf.d/ is required for crypto-policies to work properly

https://fedorahosted.org/freeipa/ticket/5912

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-06-05 09:47:13 +02:00
Petr Viktorin
743828b0f4 ipaplatform.redhat: Use bytestrings when calling rpm.so for version comparison
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 16:44:08 +02:00
Martin Basti
813aab1b8e Tasks: raise NotImplementedError for not implemented methods
Is safer to raise error than trying to find what is wrong with method
that is not correctly overriden

The new method set_hostname has been added which should be overriden on other
platforms.

https://fedorahosted.org/freeipa/ticket/5794

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-04-26 14:01:42 +02:00
Martin Basti
5e10b2eed2 Log errors from backup_and_replace hostname to logger
Without logging errors to logger  is hard to debug issue from logfile.

https://fedorahosted.org/freeipa/ticket/5794

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-04-26 14:01:42 +02:00
Martin Basti
30f3d198d0 Remove deprecated hostname restoration from Fedora18
This is not needed on new Fedora, because restore will not be effective.

https://fedorahosted.org/freeipa/ticket/5794

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-04-26 14:01:42 +02:00
Martin Basti
c5686295f1 Always set hostname
This prevents cases when hostname on system is set inconsistently
(transient and static hostname differs) and may cause IPA errors.

This commit ensures that all hostnames are set properly.

https://fedorahosted.org/freeipa/ticket/5794

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-04-26 14:01:42 +02:00
Martin Basti
586fee293f Configure httpd service from installer instead of directly from RPM
File httpd.service was created by RPM, what causes that httpd service may
fail due IPA specific configuration even if IPA wasn't installed or was
uninstalled (without erasing RPMs).

With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.

https://fedorahosted.org/freeipa/ticket/5681

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-04-22 10:19:25 +02:00