Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.
Signed-off-by: Simo Sorce <>
Reviewed-By: Jan Cholasta <>
ipa-backup now backs up /root/kracert.p12. The file contains the
certs and encrypted private keys for KRA transport, storage and audit.
Signed-off-by: Christian Heimes <>
Reviewed-By: Stanislav Laznicka <>
Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.
The special contexts are:
* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates
The patch also corrects the context of the ipa-httpd-kdcproxy script to
Signed-off-by: Christian Heimes <>
Reviewed-By: Jan Cholasta <>
CACERT depends on ipaplatform.
Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT.
Reviewed-By: Stanislav Laznicka <>
* move IPAdmin methods to LDAPClient
* add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
* add host, port, _protocol to LDAPClient (parsed from ldap_uri)
* create get_ldap_uri() method to create ldap_uri from former
IPAdmin.__init__() arguments
* replace IPAdmin with LDAPClient + get_ldap_uri()
* remove ununsed function argument hostname from
Reviewed-By: Martin Basti <>
Reviewed-By: Jan Cholasta <>
* Rename do_external_bind to external_bind
* Remove user_name argument in external_bind() and always set it
to effective user name
Reviewed-By: Martin Basti <>
Reviewed-By: Jan Cholasta <>
Check for import errors with pylint to make sure new python package
dependencies are not overlooked.
Reviewed-By: Petr Spacek <>
Reviewed-By: Martin Basti <>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <>
Reviewed-By: Stanislav Laznicka <>
This file allows daemon tmpfiles.d to re-create the dirs in volatile
directories like /var/run or /var/lock. Without this file Dirsrv will
not start.
Reviewed-By: Petr Spacek <>
The module is used only on the server, so there's no need to have it in
ipalib, which is shared by client and server.
Reviewed-By: Martin Babinsky <>
Fixes current reimports and enables pylint check for them
Reviewed-By: Petr Spacek <>
Reviewed-By: Lukas Slebodnik <>
Don't put any IPA certificates to /etc/pki/nssdb - IPA itself uses
/etc/ipa/nssdb and IPA CA certificates are provided to the system using
p11-kit. Remove leftovers on upgrade.
Reviewed-By: David Kupka <>
Without calling os.chmod(), umask is effective and may cause that
directory is created with permission that causes failure.
This can be related to
Reviewed-By: Tomas Babej <>
The function now returns an object with returncode and
output are accessible as attributes.
The stdout and stderr of all commands are logged (unless skip_output is given).
The stdout/stderr contents must be explicitly requested with a keyword
argument, otherwise they are None.
This is because in Python 3, the output needs to be decoded, and that can
fail if it's not decodable (human-readable) text.
The raw (bytes) output is always available from the result object,
as is "leniently" decoded output suitable for logging.
All calls are changed to reflect this.
A use of Popen in cainstance is changed to
Reviewed-By: Jan Cholasta <>
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing
Dogtag 9 CA and CA DS instances are disabled on upgrade.
Creating a replica of a Dogtag 9 IPA master is still supported.
Reviewed-By: David Kupka <>
The module name was lowercased in Python 3.
Reviewed-By: David Kupka <>
Reviewed-By: Jan Cholasta <>
Reviewed-By: Martin Basti <>
Certain subcomponents of IPA, such as Dogtag, cannot function if
non-critical directories (such as log directories) have not been
stored in the backup.
This patch implements storage of selected empty directories,
while preserving attributes and SELinux context.
Reviewed-By: Martin Basti <>
Use Python-3 compatible syntax, without breaking compatibility with py 2.7
- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
strict type checking checking, e.g. type(0).
Reviewed-By: Jan Cholasta <>
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.
- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
- The installers and update create a new Apache config file
/etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
/KdcProxy. The app is run inside its own WSGI daemon group with
a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
/etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
so that an existing config is not used. SetEnv from Apache config does
not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
ipa-ldap-updater. No CLI script is offered yet.
Reviewed-By: Nathaniel McCallum <>
Reviewed-By: Simo Sorce <>
Directory server is deprecating use of tools in instance specific paths. Instead
tools in bin/sbin path should be used.
Reviewed-By: Martin Basti <>
To avoid cyclic imports realm_to_serverid function had to be moved to
installutils from dsinstance.
Required for:
Reviewed-By: Martin Babinsky <>
Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit.
Create /etc/ipa/nssdb after restore if necessary.
Reviewed-By: Petr Viktorin <>
The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.
The KRA installer has been modified to use Dogtag's CLI to create
KRA agent and setup the client authentication.
The proxy settings have been updated to include KRA's URLs.
Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.
The Dogtag dependency has been updated to 10.2.1-0.1.
Reviewed-By: Petr Viktorin <>
Add files from /etc/ipa/nssdb (IPA_NSSDB_DIR), which now used
instead of /etc/pki/nssdb (NSS_DB_DIR).
The old location is still supported.
Reviewed-By: Jan Cholasta <>
The /etc/passwd and /etc/group files are not saved and restored.
The DS user is always created on restore, and the PKI user is created
if a CA is being restored.
Reviewed-By: Tomas Babej <>
This patch adds the capability of installing a Dogtag KRA
to an IPA instance. With this patch, a KRA is NOT configured
by default when ipa-server-install is run. Rather, the command
ipa-kra-install must be executed on an instance on which a Dogtag
CA has already been configured.
The KRA shares the same tomcat instance and DS instance as the
Dogtag CA. Moreover, the same admin user/agent (and agent cert) can
be used for both subsystems. Certmonger is also confgured to
monitor the new subsystem certificates.
To create a clone KRA, simply execute ipa-kra-install <replica_file>
on a replica on which a Dogtag CA has already been replicated.
ipa-kra-install will use the security domain to detect whether the
system being installed is a replica, and will error out if a needed
replica file is not provided.
The install scripts have been refactored somewhat to minimize
duplication of code. A new base class has
been introduced containing code that is common to KRA and CA
installs. This will become very useful when we add more PKI
The KRA will install its database as a subtree of o=ipaca,
specifically o=ipakra,o=ipaca. This means that replication
agreements created to replicate CA data will also replicate KRA
data. No new replication agreements are required.
Added dogtag plugin for KRA. This is an initial commit providing
the basic vault functionality needed for vault. This plugin will
likely be modified as we create the code to call some of these
Part of the work for:
The uninstallation option in ipa-kra-install is temporarily disabled.
Reviewed-By: Rob Crittenden <>
Reviewed-By: Petr Viktorin <>
Differences in the python byte code fails in a build validation
(rpmdiff) done on difference architecture of the same package.
This patch:
1) Ensures that timestamps of generated *.pyo and *.pyc files match
2) Python integer literals greater or equal 2^32 and lower than 2^64
are converted to long right away to prevent different type of
the integer on architectures with different size of int