Commit Graph

3338 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
dcdcd1ce88 ipa cert-show: fix the code setting revocation reason
ipa cert-show wrongly displays all certs as Revoked.
The dogtag plugin code is checking if the JSON data received
from dogtag contains a RevocationReason with:
   if 'RevocationReason' in resp:
but the value can be None.
Replace the check with
   if 'RevocationReason' in resp and esp['RevocationReason'] is not None:
as this will execute the code only if there is a value
and it is not None.

Fixes: https://pagure.io/freeipa/issue/8394
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-07-06 17:01:54 +02:00
Fraser Tweedale
d7f3a0b2d3 ra.get_certificate: use REST API
Update ra.get_certificate to use the Dogtag REST API.  This change
is being done as part of the Dogtag GSS-API authentication effort
because the servlet-based method expects an internal Dogtag user.
It is less intrusive to just change FreeIPA to call the REST API
instead (which is also part of an existing ticket).

Depends on https://pagure.io/dogtagpki/issue/2601 (which was merged
and released long ago).

Part of: https://pagure.io/freeipa/issue/3473
Part of: https://pagure.io/freeipa/issue/5011

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-30 16:18:21 +02:00
Fraser Tweedale
0c0061babd extract virtual operation access check subroutine
Outside of virtual commands themselves there is no way to evaluate
access to perform a virtual operation.  Such a capability will be
needed for Dogtag-based certificate request validation using
Kerberos proxy credentials.

Add the 'check_operation_access' method for explicit virtual
operation access checks.  Refactor 'VirtualCommand.check_access()'
to use it.

Part of: https://pagure.io/freeipa/issue/5011
Part of: https://pagure.io/freeipa/issue/6423

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-30 11:47:29 +02:00
Alexander Bokovoy
1f6ca418ee handle Y2038 in timestamp to datetime conversions
According to datetime.utcfromtimestamp() method documentation[1],
this and similar methods fail for dates past 2038 and can be replaced by
the following expression on the POSIX compliant systems:

  datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=timestamp)

Make sure to use a method that at least allows to import the timestamps
properly to datetime objects on 32-bit platforms.

[1] https://docs.python.org/3/library/datetime.html#datetime.datetime.utcfromtimestamp

Fixes: https://pagure.io/freeipa/issue/8378

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-25 09:18:02 +03:00
Florence Blanc-Renaud
dc11b98e4a Unify spelling of "One-Time Password" (take 2)
The previous fix for the spelling of "One-Time Password"
missed a few lines.

Fixes: https://pagure.io/freeipa/issue/8381
Related: https://pagure.io/freeipa/issue/5628
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-06-24 14:55:27 +02:00
Florence Blanc-Renaud
3cf9979aec ipa-client-install: use sshd drop-in configuration
sshd 8.2+ now supports the "Include" keyword in sshd_config and
ships by default /etc/ssh/sshd_config with
"Include /etc/ssh/sshd_config.d/*"

As fedora 32 provides a config file in that directory (05-redhat.conf) with
ChallengeResponseAuthentication no
that is conflicting with IPA client config, ipa-client-install now needs
to make its config changes in a drop-in file read before 05-redhat.conf
(the files are read in lexicographic order and the first setting wins).

There is no need to handle upgrades from sshd < 8.2: if openssh-server
detects a customisation in /etc/ssh/sshd_config, it will not update
the file but create /etc/ssh/sshd_config.rpmnew and ask the admin
to manually handle the config upgrade.

Fixes: https://pagure.io/freeipa/issue/8304
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-23 11:11:46 +02:00
Christian Heimes
3ec1b77f6a Terminology improvements: use block list
Some places have to use the old name because it's part of the stable API
or stable LDAP attributes.

See: https://tools.ietf.org/id/draft-knodel-terminology-01.html
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-23 10:16:29 +02:00
Christian Heimes
3ce816ba77 Terminology improvements: use allow list
See: https://tools.ietf.org/id/draft-knodel-terminology-01.html
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-23 10:16:29 +02:00
Christian Heimes
5c09dcdb98 Grammar: whitespace is a word
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-23 10:16:29 +02:00
Christian Heimes
523f70ae46 Terminology improvements: CA renewal
The term "CA renewal master" is a fixed term in FreeIPA and cannot
easily be replaced with an alternative term. At least we should use the
term consistently.

See: https://tools.ietf.org/id/draft-knodel-terminology-01.html
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-23 10:16:29 +02:00
Peter Keresztes Schmidt
ea5c0a1f7c Unify spelling of "One-Time Password"
Spelling is in accordance with the HOTP
RFC 4226 and TOTP RFC 6238.

Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-06-23 10:11:09 +02:00
Peter Keresztes Schmidt
d63a91da4b WebUI: reword OTP info message displayed during PW reset
The message displayed before is now limited to the OTP
sync form, for which it was written originally.
A new message is introduced for the PW reset form,
which clarifies the usage of the OTP field.

Fixes: https://pagure.io/freeipa/issue/5628
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-06-23 10:11:09 +02:00
Alexander Scheel
3ecea7800a Configure PKI AJP Secret with 256-bit secret
By default, PKI's AJP secret is generated as a 75-bit password. By
generating it in IPA, we can guarantee the strength of the AJP secret.
It makes sense to use a stronger AJP secret because it typically
isn't rotated; access to AJP allows an attacker to impersonate an admin
while talking to PKI.

Fixes: https://pagure.io/freeipa/issue/8372
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849146
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1845447
Related: https://github.com/dogtagpki/pki/pull/437

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-23 09:20:24 +02:00
Alexander Scheel
c5e9bd61d6 Clarify AJP connector creation process
We do two things:

 1. Fix the xpath for AJP connector verification. An AJP connector is
    one which has protocol="AJP/1.3", NOT one that has port="8009". An
    AJP connector can exist on any port and port 8009 can have any
    protocol. Secrets only make sense on AJP connectors, so make the
    xpath match the existing comment.

 2. Add some background in-line documentation about AJP secret
    provisioning. This should help future developers understand why this
    was added to IPA and what limitations there are in what PKI or IPA
    can do. Most notably, explain why Dogtag can't upgrade the AJP
    connector to have a secret in the general case.

Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-23 09:20:24 +02:00
Fraser Tweedale
68ada5f204 fix iPAddress cert issuance for >1 host/service
The 'cert_request' command accumulates DNS names from the CSR,
before checking that all IP addresses in the CSR are reachable from
those DNS names.  Before adding a DNS name to the set, we check that
that it corresponds to the FQDN of a known host/service principal
(including principal aliases).  When a DNS name maps to a
"alternative" principal (i.e.  not the one given via the 'principal'
argument), this check was not being performed correctly.
Specifically, we were looking for the 'krbprincipalname' field on
the RPC response object directly, instead of its 'result' field.

To resolve the issue, dereference the RPC response to its 'result'
field before invoking the '_dns_name_matches_principal' subroutine.

Fixes: https://pagure.io/freeipa/issue/8368
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-23 10:22:38 +10:00
Serhii Tsymbaliuk
c2ba333b96
WebUI: Fix "IPA Error 3007: RequirmentError" while adding idoverrideuser association
Add builder for association adder dialog which allows to override behavior of the component.
Replace default implementation with a custom one for idoverrideuser.
Replace text filter with 'ID view' select box in the idoverrideuser dialog.

Ticket: https://pagure.io/freeipa/issue/8335

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-22 09:31:34 +02:00
Petr Vobornik
3912e8e673 baseuser: fix ipanthomedirectorydrive option name
It should be ipanthomedirectorydrive and not ipanthomedirectoryrive.

This fixes showing the field in Web UI and also should fix CLI as it
probably never worked.

Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-16 19:06:02 -04:00
Fraser Tweedale
19544d53ae fix cert-find errors in CA-less deployment
Under some search conditions (in particular, when user is
specified), the CA sub-search of cert-find command throws an error
on CA-less deployments.  Do not execute the CA sub-search on CA-less
deployments.

Fixes: https://pagure.io/freeipa/issue/8369
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-16 15:37:08 -04:00
Christian Heimes
4911a3f055 Prevent local account takeover
It was found that if an account was created with a name corresponding to
an account local to a system, such as 'root', was created via IPA, such
account could access any enrolled machine with that account, and the local
system privileges. This also bypass the absence of explicit HBAC rules.

root principal alias
-------------------

The principal "root@REALM" is now a Kerberos principal alias for
"admin". This prevent user with "User Administrator" role or
"System: Add User" privilege to create an account with "root" principal
name.

Modified user permissions
-------------------------

Several user permissions no longer apply to admin users and filter on
posixaccount object class. This prevents user managers from modifying admin
acounts.

- System: Manage User Certificates
- System: Manage User Principals
- System: Manage User SSH Public Keys
- System: Modify Users
- System: Remove Users
- System: Unlock user

``System: Unlock User`` is restricted because the permission also allow a
user manager to lock an admin account. ``System: Modify Users`` is restricted
to prevent user managers from changing login shell or notification channels
(mail, mobile) of admin accounts.

New user permission
-------------------

- System: Change Admin User password

The new permission allows manipulation of admin user password fields. By
default only the ``PassSync Service`` privilege is allowed to modify
admin user password fields.

Modified group permissions
--------------------------

Group permissions are now restricted as well. Group admins can no longer
modify the admins group and are limited to groups with object class
``ipausergroup``.

- System: Modify Groups
- System: Remove Groups

The permission ``System: Modify Group Membership`` was already limited.

Notes
-----

Admin users are mostly unaffected by the new restrictions, except for
the fact that admins can no longer change krbPrincipalAlias of another
admin or manipulate password fields directly. Commands like ``ipa passwd
otheradmin`` still work, though. The ACI ``Admin can manage any entry``
allows admins to modify other entries and most attributes.

Managed permissions don't install ``obj.permission_filter_objectclasses``
when ``ipapermtargetfilter`` is set. Group and user objects now have a
``permission_filter_objectclasses_string`` attribute that is used
by new target filters.

Misc changes
------------

Also add new exception AlreadyContainsValueError. BaseLDAPAddAttribute
was raising a generic base class for LDAP execution errors.

Fixes: https://pagure.io/freeipa/issue/8326
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1810160
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-06-15 22:44:42 +03:00
Florence Blanc-Renaud
51cb631db3 ipa-replica-install: --setup-ca and *-cert-file are mutually exclusive
ipa-replica-install currently accepts both --setup-ca and *-cert-file
even though the options should be mutually exclusive (either install
CA-less with *-cert-file options or with a CA).

Add a check enforcing the options are mutually exclusive.

Fixes: https://pagure.io/freeipa/issue/8366
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-12 08:34:51 +02:00
Christian Heimes
f52a15b808 Overhaul bind upgrade process
/etc/named.conf is now owned by IPA. The file is overwritten on
installation and all subsequent updates. All user modification will be
lost. Config file creation and update use the same code paths.

This simplifies upgrade process a lot. There is no errprone fiddling
with config settings any more.

During upgrade there is a one-time backup of named.conf to
named.conf.ipa-backup. It allows users to salvage their customization
and move them to one of two user config files which are included by
named.conf.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-10 16:07:07 +02:00
Christian Heimes
43dd1e8a65 More upgrade tests
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-10 16:07:07 +02:00
Christian Heimes
996a220900 Fix named.conf named_conf_include_re
Actually match one or more characters

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-10 16:07:07 +02:00
Christian Heimes
cddd07f68a Remove named_validate_dnssec update step
The upgrade step used to add "dnssec-validation no" to named.conf IFF
named.conf did not contain "dnssec-validation" option at all. The
option has been moved to 'ipa-options-ext.conf' in IPA 4.8.7. The function
only removes the upgrade state.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-10 16:07:07 +02:00
Christian Heimes
379b560c75 Fix named.conf update bug NAMED_DNSSEC_VALIDATION
Commit a5cbdb57e5 introduced a bug when
updating IPA from 4.8.6 to 4.8.7. NAMED_DNSSEC_VALIDATION template
variable was not declared.

Fixes: https://pagure.io/freeipa/issue/8363
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-10 16:07:07 +02:00
Fraser Tweedale
e6fda6f0fb upgrade: avoid stopping certmonger when fixing requests
During upgrade, if discrepancies are detected in Certmonger tracking
request configuration we remove and re-create tracking requests.
The default behaviour of the CAInstance and KRAInstance
stop_tracking_certificates() method is to stop certmonger after the
requests have been removed.  This behaviour results in an
unnecessary restart of certmonger and has also been observed to
cause problems.  For example, subsequent certmonger operations have
to start the certmonger process and can fail because certmonger is
not yet properly initialised (manifesting as D-Bus errors).

Suppress the unnecessary restart(s) of certmonger during tracking
request update.

Related: https://pagure.io/freeipa/issue/8186
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-06-10 22:27:26 +10:00
Fraser Tweedale
9d9012f682 httpinstance: retry request without ipa-ca.$DOMAIN dnsName on failure
In the migration case of replica installation, if the CA server is
an older version it may not support the ipa-ca.$DOMAIN dnsName in
the HTTP cert (it is a special case in the cert_request command).
Therefore if the request fails, try it again without the
ipa-ca.$DOMAIN dnsName.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-06-10 22:27:26 +10:00
Alexander Bokovoy
bee4204039 Support adding user ID overrides as group and role members
Second part of adding support to manage IPA as a user from a trusted
Active Directory forest.

Treat user ID overrides as members of groups and roles.

For example, adding an Active Directory user ID override as a member of
'admins' group would make it equivalent to built-in FreeIPA 'admin'
user.

We already support self-service operations by Active Directory users if
their user ID override does exist. When Active Directory user
authenticates with GSSAPI against the FreeIPA LDAP server, its Kerberos
principal is automatically mapped to the user's ID override in the
Default Trust View. LDAP server's access control plugin uses membership
information of the corresponding LDAP entry to decide how access can be
allowed.

With the change, users from trusted Active Directory forests can
manage FreeIPA resources if the groups are part of appropriate roles or
their ID overrides are members of the roles themselves.

Fixes: https://pagure.io/freeipa/issue/7255

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-08 12:39:34 -04:00
Alexander Bokovoy
973e0c04e4 idviews: handle unqualified ID override lookups from Web UI
First part of the required changes to merge a plugin to manage IPA as
a trusted Active Directory user.

It is not possible to omit ID view in IPA API but a client might specify
empty ID view. Up right now the empty view was considered an error. This
prevented Web UI from resolving ID overrides in a group member adder
dialog.

Default to 'Default Trust View' if the ID view is None or empty string
(''). Do this only for user ID overrides, as we do not support adding
group ID overrides as group members in a plugin to manage IPA as a
trusted Active Directory user[1].

Being a group member means an object in LDAP must have an object class
that allows 'memberOf' attribute because 389-ds 'memberof' plugin will
attempt to link back to the object from the group. Allow use of
'nsMemberOf' object class in ID overrides.

Fixes: https://pagure.io/freeipa/issue/7255

[1] https://github.com/abbra/freeipa-adusers-admins

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-08 12:39:34 -04:00
Alexander Bokovoy
ecc0a96d16 support using trust-related operations in the server console
When using `ipa -e in_server=True console` on IPA master, the whole IPA
framework is loaded in the same process ('ipa console'). The context
defined for this configuration is 'cli'. Some trust-related operations
need to load Samba bindings and guard itself to 'lite' and 'server'
contexts.

Upon reviewing these cases I came to conclusion that these guards are
unnecessary. It is enough to require that the context is in the server
code.

Allow these operations if we are operating in server mode. This allows
to debug trust-related issued directly in the IPA console on IPA trust
controllers.

Signed-of-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-08 12:39:34 -04:00
Christian Heimes
6e5d40e2d2 Include named config files in backup
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-08 15:53:40 +03:00
Peter Keresztes Schmidt
a5cbdb57e5 Split named custom config to allow changes in options stanza
Upgrade path to add additional include to named.conf is not handled.

Remove bindkeys-file directive from named config
The ISC DVL service was shut down (https://www.isc.org/bind-keys/).
BIND versions since April 2017 (i.e. 9.9.10, 9.10.5, 9.11.1 and later)
include a hard-coded copy of the root KSK which gets updates automatically
according to RFC 5011.

Move dnssec-enable directive to custom named config

Move comment named config being managed by FreeIPA to the top

Move settings which could be changed by administrators to
ipa-options-ext.conf. Settings defined there are sole responsibility of the
administrator. We do not check if they might collide with our settings in
named.conf.

Fixes: https://pagure.io/freeipa/issue/8287
Co-authored-by: Peter Keresztes Schmidt <carbenium@outlook.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-08 15:53:40 +03:00
Christian Heimes
d79a7a9696 Handle DatabaseError in RPC-Server connect()
DatabaseError exceptions with 'account inactivated' message are turned
into 401 Unauthorized errors. The problem occurs when a user is disabled
but has a valid cookie.

Other DatabaseErrors are turned into 503 Service Unavailable. They
usually occur when LDAP server is not available or broken.

Fixes: https://pagure.io/freeipa/issue/8352
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-07 10:33:15 +03:00
Peter Keresztes Schmidt
0f232a3011 Remove unused support for dm_password arg from ldapupdate.connect
Related: https://pagure.io/freeipa/issue/7610
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-07 10:21:01 +03:00
Peter Keresztes Schmidt
e660364814 Use ipaldap exceptions rather than ldap error codes in LDAP updater
The code in ipaldap got changed with df4ed77 but ldapupdate was never updated.

Closes: https://pagure.io/freeipa/issue/7610
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-07 10:19:47 +03:00
Christian Heimes
9dda004f27 Allow permissions with 'self' bindruletype
Make it possible to create a managed permission with
ipapermbindruletype="self". The ACI will have bind rule
'(userdn = "ldap:///self")'.

Example
-------

Allow users to modify their own fasTimezone and fasIRCNick attributes:

```
managed_permissions = {
    "System: Self-Modify FAS user attributes": {
        "ipapermright": {"write"},
        "ipapermtargetfilter": ["(objectclass=fasuser)"],
        "ipapermbindruletype": "self",
        "ipapermdefaultattr": ["fasTimezone", "fasIRCNick"],
    }
}
```

See: https://github.com/fedora-infra/freeipa-fas/pull/107
Fixes: https://pagure.io/freeipa/issue/8348
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-07 10:18:03 +03:00
Peter Keresztes Schmidt
373f8cdce7 Specify min and max values for TTL of a DNS record
Fixes: https://pagure.io/freeipa/issue/8358
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-07 10:14:05 +03:00
Peter Keresztes Schmidt
187968d472 WebUI: Expose TTL of DNS records
Fixes: https://pagure.io/freeipa/issue/3827
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-07 10:09:35 +03:00
Christian Heimes
f5964b7157 Remove obsolete BIND named.conf options
``dnssec-enable`` is obsolete in 9.16 and raises a warning. The option
defaults to ``yes`` in all supported versions of bind. The option is
removed when set to ``yes`` and a warning is emitted when the value is
``no``.

DNSSEC lookaside validation has been deprecated by RFC 8749 and the
feature removed from Bind 9.16. The only available lookaside provider
dlv.isc.org no longer provides DLV information since 2017.

Fixes: https://pagure.io/freeipa/issue/8349
Fixes: https://pagure.io/freeipa/issue/8350
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-05 09:23:57 +02:00
Christian Heimes
ad8e0af077 Allow dnsrecord-add --force on clients
See: https://pagure.io/freeipa/issue/8317
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-06-03 09:25:12 +02:00
Alexander Bokovoy
32c6b02eed baseldap: de-duplicate passed attributes when checking for limits
LDAP attribute options aren't enforced in the schema, thus we strip them
when checking attribute conformance with the schema. This, however, can
leave us with a situation when multiple base LDAP attribute names are
present in the list of attribute names to check.

Use set of attribute names to deduplicate the list.

Fixes: https://pagure.io/freeipa/issue/8328

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-05-19 11:58:56 -04:00
Serhii Tsymbaliuk
33ca074558
WebUI: Add confirmation dialog for changing default user/host group
Changing default group on automember rules page is too easy.
Add a confirmation dialog to avoid misclick in the case.

Ticket: https://pagure.io/freeipa/issue/8322

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-15 18:03:01 +02:00
Christian Heimes
8de73c1590 Check for freeipa-server-dns package early
The ``--setup-dns`` knob and interactive installer now check for
presence of freeipa-server-dns early and stop the installer with an
error.

```
$ ipa-server-install
...
Do you want to configure integrated DNS (BIND)? [no]: yes
Integrated DNS requires 'freeipa-server-dns' package
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```

```
$ ipa-server-install --setup-dns
Usage: ipa-server-install [options]

ipa-server-install: error: option setup-dns: Integrated DNS requires 'freeipa-server-dns' package
The ipa-server-install command failed.
```

Fixes: https://pagure.io/freeipa/issue/7577
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-05-15 14:24:00 +02:00
Alexander Bokovoy
1f82d281cc service delegation: allow to add and remove host principals
Service delegation rules and targets deal with Kerberos principals.
As FreeIPA has separate service objects for hosts and Kerberos services,
it is not possible to specify host principal in the service delegation
rule or a target because the code assumes it always operates on Kerberos
service objects.

Simplify the code to add and remove members from delegation rules and
targets. New code looks up a name of the principal in cn=accounts,$BASEDN
as a krbPrincipalName attribute of an object with krbPrincipalAux object
class. This search path is optimized already for Kerberos KDC driver.

To support host principals, the specified principal name is checked to
have only one component (a host name). Service principals have more than
one component, typically service name and a host name, separated by '/'
sign. If the principal name has only one component, the name is
prepended with 'host/' to be able to find a host principal.

The logic described above allows to capture also aliases of both
Kerberos service and host principals. Additional check was added to
allow specifying single-component aliases ending with '$' sign. These
are typically used for Active Directory-related services like databases
or file services.

RN: service delegation rules and targets now allow to specify hosts as
RN: a rule or a target's member principal.

Fixes: https://pagure.io/freeipa/issue/8289
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-05-14 21:47:17 +03:00
Mohammad Rizwan Yusuf
0cadf40f23 Display principal name while del required principal
Fix is to display the proper principal in error message
while attempting to delete required principal.

related: https://pagure.io/freeipa/issue/7695

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-05-05 15:56:03 +02:00
Florence Blanc-Renaud
edcfba6010 ipa-advise: fallback to /usr/libexec/platform-python if python3 not found
when ipa-advise generates a script to configure a client for smart card
auth, the script calls python3 to configure SSSD. The issue happens
if the server (when ipa-advise is run) and the client do not have
the same path for python3 command.

By default, try to use python3 but if the command is not found, fallback
to /usr/libexec/platform-python (which is the python3 path on RHEL8).

Fixes: https://pagure.io/freeipa/issue/8311
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-05-05 11:50:01 +02:00
Christian Heimes
fefd1153d5 Make check_required_principal() case-insensitive
service-del deletes services by DN and LDAP DNs are compared
case-insensitive. Make check_required_principal() compare the
service name case insensitive.

Fixes: https://pagure.io/freeipa/issue/8308
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-05-05 11:48:04 +02:00
Christian Heimes
186d739d7f Fix E722 do not use bare 'except'
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-05-05 10:42:46 +02:00
Christian Heimes
8c9bba8e1a Fix E714 test for object identity should be 'is not'
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-05-05 10:42:46 +02:00
Christian Heimes
d0818e1809 Fix E713 test for membership should be 'not in'
Related: https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-05-05 10:42:46 +02:00