Commit Graph

1044 Commits

Author SHA1 Message Date
Nathaniel McCallum
e477130281 Fix login password expiration detection with OTP
The preexisting code would execute two steps. First, it would perform a kinit.
If the kinit failed, it would attempt to bind using the same credentials to
determine if the password were expired. While this method is fairly ugly, it
mostly worked in the past.

However, with OTP this breaks. This is because the OTP code is consumed by
the kinit step. But because the password is expired, the kinit step fails.
When the bind is executed, the OTP token is already consumed, so bind fails.
This causes all password expirations to be reported as invalid credentials.

After discussion with MIT, the best way to handle this case with the standard
tools is to set LC_ALL=C and check the output from the command. This
eliminates the bind step altogether. The end result is that OTP works and
all password failures are more performant.

https://fedorahosted.org/freeipa/ticket/4412

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2014-07-21 16:36:28 +02:00
Gabe
2afcbff133 Enable debug pid in smb.conf
https://fedorahosted.org/freeipa/ticket/3485

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-07-18 10:10:46 +02:00
Petr Viktorin
73b2d0a81d ldap2 indirect membership processing: Use global limits if greater than per-query ones
Calling an ipa *-find command with --sizelimit=1 on an entry with more
members would result in a LimitsExceeded error as the search for members
was limited to 1 entry.

For the memberof searches, only apply the global limit if it's larger than
the requested one, so decreasing limits on the individual query only
affects the query itself.

https://fedorahosted.org/freeipa/ticket/4398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-07-14 16:04:58 +02:00
Petr Viktorin
2f99140c92 ldapupdate: Restore 'replace' functionality
The replace directive was made a no-op by mistake in commit 6381d76.
Restore it.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-07-04 15:51:55 +02:00
Martin Basti
f8b6595f49 Restore privileges after forward zones update
Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-04 12:48:50 +02:00
Alexander Bokovoy
a9fe37e066 ipa-ldap-updater: make possible to use LDAPI with autobind in case of hardened LDAP configuration
When nsslapd-minssf is greater than 0, running as root
  ipa-ldap-updater [-l]
will fail even if we force use of autobind for root over LDAPI.

The reason for this is that schema updater doesn't get ldapi flag passed and
attempts to connect to LDAP port instead and for hardened configurations
using simple bind over LDAP is not enough.

Additionally, report properly previously unhandled LDAP exceptions.
https://fedorahosted.org/freeipa/ticket/3468

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-04 08:13:23 +02:00
Martin Basti
eea1015441 Fix upgrade to forward zones
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-03 14:04:57 +02:00
Martin Basti
5c2ddaf660 Allow to add non string values to named conf
Non string values should not start and end with '"' in options section
in named.conf

Required by ticket: https://fedorahosted.org/freeipa/ticket/4408

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2014-07-02 18:41:57 +02:00
Petr Viktorin
8c98561c20 Do not fail if there are multiple nsDS5ReplicaId values in cn=replication,cn=etc
On systems installed before #3394 was fixed and nsDS5ReplicaId became
single-valued, there are two replica ID values stored in cn=replication:
the default (3) and the actual value we want.
Instead of failing when multiple values are found, use the largest one.

https://fedorahosted.org/freeipa/ticket/4375

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-07-02 16:16:09 +02:00
Martin Basti
aa2ef07b8c Upgrade special master zones to forward zones
This upgrade is executed only if IPA version is older than 4.0
Requires detection if 'idnsforwardzone' objectclass is presented in
schema before schema is upgraded

Design: http://www.freeipa.org/page/V4/Forward_zones#Updates_and_Upgrades

Ticket: https://fedorahosted.org/freeipa/ticket/3210
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-27 14:54:35 +02:00
Martin Basti
c1f3fd6831 Added upgrade step executed before schmema is upgraded
Class PreSchemaUpdate is executed before ldap schema update

This is required by ticket: https://fedorahosted.org/freeipa/ticket/3210

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-27 14:54:35 +02:00
Nathaniel McCallum
14b38b7704 Add /session/token_sync POST support
This HTTP call takes the following parameters:
 * user
 * password
 * first_code
 * second_code
 * token (optional)

Using this information, the server will perform token synchronization.
If the token is not specified, all tokens will be searched for synchronization.
Otherwise, only the token specified will be searched.

https://fedorahosted.org/freeipa/ticket/4218

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-26 15:55:24 +02:00
Petr Vobornik
1c94edd3a0 rpcserver: fix local vs utc time comparison
login_password did not work properly in timezones other than +0h because
local time was compared with utc time.

Bug introduced in:
https://fedorahosted.org/freeipa/ticket/4339

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-26 12:37:40 +02:00
Petr Vobornik
896920ed12 rpcserver: add otp support to change_password handler
https://fedorahosted.org/freeipa/ticket/4262

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-26 12:37:38 +02:00
Petr Vobornik
7fca783ec5 ldap2: add otp support to modify_password
https://fedorahosted.org/freeipa/ticket/4262

Reviewed-By: Endi Sukma Dewata <edewata@redhat.com>
2014-06-26 12:37:38 +02:00
Tomas Babej
e5e42fc83a ipaplatform: Move paths from installers to paths module
Part of: https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-26 09:22:21 +02:00
Nathaniel McCallum
5baa941317 Implement OTP token importing
This patch adds support for importing tokens using RFC 6030 key container
files. This includes decryption support. For sysadmin sanity, any tokens
which fail to add will be written to the output file for examination. The
main use case here is where a small subset of a large set of tokens fails
to validate or add. Using the output file, the sysadmin can attempt to
recover these specific tokens.

This code is implemented as a server-side script. However, it doesn't
actually need to run on the server. This was done because importing is an
odd fit for the IPA command framework:
1. We need to write an output file.
2. The operation may be long-running (thousands of tokens).
3. Only admins need to perform this task and it only happens infrequently.

https://fedorahosted.org/freeipa/ticket/4261

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2014-06-25 12:55:02 +02:00
Jan Cholasta
8b8774d138 Remove GetEffectiveRights control when ldap2.get_effective_rights fails.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 12:10:01 +02:00
Jan Cholasta
e675e427c7 Allow SAN in IPA certificate profile.
https://fedorahosted.org/freeipa/ticket/3977

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-24 12:10:01 +02:00
Petr Viktorin
02b5074d84 permission plugin: Join --type objectclass filters with OR
For groups, we will need to filter on either posixgroup (which UPGs
have but non-posix groups don't) and groupofnames/nestedgroup
(which normal groups have but UPGs don't).
Join permission_filter_objectclasses with `|` and add them as
a single ipapermtargetfilter value.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-23 10:54:43 +02:00
Petr Viktorin
83cb982858 Add $REALM to variables supported by the managed permission updater
This will allow converting password policy permissions

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:56:42 +02:00
Petr Viktorin
700ac6c116 Remove the update_dns_permissions plugin
This plugin created permissions that the managed permission
updater would remove right away.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:51 +02:00
Petr Viktorin
16ee6847e4 managed permission updater: Add mechanism to replace SYSTEM permissions
The "Read DNS Entries" permission, which was marked SYSTEM (no associated
ACI), can now be converted to a regular managed permission.

Add a mechanism for the updater to replace old SYSTEM permissions.

This cannot be done in an update file because we do not want to replace
V2 permissions with the same name.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-18 14:45:50 +02:00
Tomas Babej
4d2ef43f28 ipaplatform: Move all filesystem paths to ipaplatform.paths module
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
c7edd7b68c ipaplatform: Remove redundant imports of ipaservices
Also fixes few incorrect imports.

https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:20 +02:00
Tomas Babej
49fcd42f8f ipaplatform: Change service code in freeipa to use ipaplatform services
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Tomas Babej
926f8647d2 ipaplatform: Change platform dependant code in freeipa to use ipaplatform tasks
https://fedorahosted.org/freeipa/ticket/4052

Reviewed-By: Petr Viktorin <pviktori@redhat.com>
2014-06-16 19:48:19 +02:00
Petr Viktorin
2f3cdba546 Make 'permission' the default bind type for managed permissions
This reduces typing (or copy/pasting), and draws a bit of attention
to any non-default privileges (currently 'any' or 'anonymous').

Leaving the bindtype out by mistake isn't dangerous: by default
a permission is not granted to anyone, since it is not included in
any priviliges.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-11 13:21:29 +02:00
Petr Viktorin
13bcd03fcf Add method to enumerate managed permission templates
This will ease writing audit and management scripts for managed permissions.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-11 13:21:29 +02:00
Petr Viktorin
e0cafea374 managed perm updater: Handle case where we changed default ACIs in the past
This handles the case where IPA's default ACIs changed in something else
than just attribute lists.
In this case we can narrow the set of ACIs we think the user might be
upgrading from.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-10 13:55:56 +02:00
Petr Viktorin
acb2ca47d6 Add mechanism for updating permissions to managed
Part of the work for: https://fedorahosted.org/freeipa/ticket/4346

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-06-04 17:34:17 +02:00
Martin Basti
b964d2130a Modified dns related global functions
* Modified functions to use DNSName type
* Removed unused functions

Part of ticket:
IPA should allow internationalized domain names
https://fedorahosted.org/freeipa/ticket/3169

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-06-03 15:55:32 +02:00
Gabe
9f2c4705d7 ipa recursively adds old backups
- Added exclude for the ipa backup folder to the files tar

https://fedorahosted.org/freeipa/ticket/4331

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-30 08:15:22 +02:00
Petr Viktorin
4f89decc9a ldap2.has_upg: Raise an error if the UPG definition is not found
The UPG Definition is always present in IPA; if it can not be read
it's usually caused by insufficient privileges.
Previously the code assumed the absence of the entry meant that
UPG is disabled. With granular read permissions, this would mean
that users that can add users but can't read UPG Definition would
add users without UPG, and the reason for that would not be very clear.
It is better to fail early if the definition can't be read.

Raise an error if the UPG Definition is not available. This makes
read access to it a prerequisite for adding users.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-29 16:22:37 +02:00
Adam Misnyovszki
71c6d2f1eb Call generate-rndc-key.sh during ipa-server-install
Since systemd has by default a 2 minute timeout to start
a service, the end of ipa-server-install might fail
because starting named times out. This patch ensures that
generate-rndc-key.sh runs before named service restart.

Also, warning message is displayed before KDC install and
generate-rndc-key.sh, if there is a lack of entropy, to
notify the user that the process could take more time
than expected.

Modifications done by Martin Kosek:
- removed whitespace at the end of installutils.py
- the warning in krbinstance.py moved right before the step
  requiring entropy
- slightly reworded the warning message

https://fedorahosted.org/freeipa/ticket/4210

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-27 13:05:53 +02:00
Petr Vobornik
1e96475a77 rpcserver: login_password datetime fix in expiration check
krbpasswordexpiration conversion to time failed because now we get
datetime object instead of string.

https://fedorahosted.org/freeipa/ticket/4339

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-05-26 13:08:34 +02:00
Petr Viktorin
988b2cebf4 ldap2.find_entries: Do not modify attrs_list in-place
dap2.find_entries modified the passed in attrs_list to remove
the virtual attributes memberindirect and memberofindirect
before passing the list to LDAP. This means that a call like
    ldap2.get_entry(dn, attrs_list=some_framework_object.default_attributes)
would permanently remove the virtual attributes from
some_framework_object's definition.

Create a copy of the list instead.

https://fedorahosted.org/freeipa/ticket/4349

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2014-05-26 12:39:33 +02:00
Petr Viktorin
193ced0bd7 Remove the global anonymous read ACI
Also remove
- the deny ACIs that implemented exceptions to it:
  - no anonymous access to roles
  - no anonymous access to member information
  - no anonymous access to hbac
  - no anonymous access to sudo (2×)
- its updater plugin

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:14:55 +02:00
Petr Viktorin
63becae88c Set user addressbook/IPA attribute read ACI to anonymous on upgrades from 3.x
When upgrading from an "old" IPA, or installing the first "new" replica,
we need to keep allowing anonymous access to many user attributes.

Add an optional 'fixup_function' to the managed permission templates,
and use it to set the bind rule type to 'anonymous' when installing
(or upgrading to) the first "new" master.

This assumes that the anonymous read ACI will be removed in a "new" IPA.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:12:35 +02:00
Petr Viktorin
993c1c8557 update_managed_permissions: Pass around anonymous ACI rather than its blacklist
It turns out the ACI object of the anonymous read ACI, rather than just the
list of its attributes, will be useful in the future.
Change the plugin so that the ACI object is passed around.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-26 12:12:35 +02:00
Petr Viktorin
86f943ca18 Replace "replica admins read access" ACI with a permission
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.

https://fedorahosted.org/freeipa/ticket/3829

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-05-21 09:57:16 +02:00
Adam Misnyovszki
fa7057b727 Trust add datetime fix
Fixes trust add, since now datetime object is returned
for 'modifytimestamp', which cannot be split like a string.

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-05-06 19:14:45 +03:00
Thorsten Scherf
3f3c8eee24 Fixed typo how to create an example gpg key
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2014-05-06 13:20:17 +02:00
Petr Viktorin
d893b77fb6 Add several managed read permissions under cn=etc
This adds permissions to:
- cn=masters,cn=ipa (with new privilege)
- cn=dna,cn=ipa (authenticated users)
- cn=ca_renewal,cn=ipa (authenticated users)
- cn=CAcert,cn=ipa (anonymous)
- cn=replication (authenticated users)
- cn=ad (authenticated users)

Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 14:36:41 +02:00
Petr Viktorin
af3a4adc46 Add support for non-plugin default permissions
Add support for managed permissions that are not tied to an object
class and thus can't be defined in an Object plugin.

A dict is added to hold templates for the non-plugin permissions.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-24 14:36:41 +02:00
Jan Cholasta
8b6dc819d5 Support API version-specific RPC marshalling.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2014-04-18 14:59:20 +02:00
Petr Viktorin
81b0e7466d Do not ask for memberindirect when updating managed permissions
One of the default_attributes of permission is memberofindirect,
a virtual attribute manufactured by ldap2, which is set when a permission
is part of a role.
When update_entry is called on an entry with memberofindirect,
ipaldap tries to add the attribute to LDAP and fails with an objectclass
violation.

Do not ask for memberindirect when retrieving the entry.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-17 10:04:16 +02:00
Jan Cholasta
50c7f3b236 Fix update_ca_renewal_master plugin on CA-less installs.
This also fixes updates from ancient versions of IPA which did not have
automatic CA subsystem certificate renewal.

https://fedorahosted.org/freeipa/ticket/4294

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-10 16:40:10 +02:00
Petr Viktorin
41607774bc Add mechanism for adding default permissions to privileges
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-10 14:49:16 +02:00
Petr Viktorin
c58d6b2689 Allow overriding all attributes of default permissions
Allow overriding ipapermtarget, ipapermtargetfilter, ipapermlocation,
objectclass of default managed permissions.
This allows defining permissions that are not tied to an object type.
Default values are same as before.

Also, do not reset ipapermbindruletype when updating an existing
managed permission.

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2014-04-09 13:40:42 +02:00