"Adding SASL mappings.." is duplicated step in __common_setup in DS
instance and should be removed.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
By default, Kerberos client library attempts to canonicalize service
hostname in TGS requests. This can fail e.g. if hosts file on the client
machine references short names before FQDNs. In this case the short name
is used in TGS_REQ which KDC fails to resolve.
Since we do not (yet) support referencing hosts by their short names it
is safe to just disable this behavior in krb5.conf and use supplied
FQDNs.
https://fedorahosted.org/freeipa/ticket/6584
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Print an error and terminate if --ca-subject or --subject-base are
used when installing a CA-less master or when performing standalone
installation of a CA replica.
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Update man pages and help output to indicate that --subject-base and
--ca-subject options interpret their arguments in LDAP order.
Fixes: https://fedorahosted.org/freeipa/ticket/6455
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Currently only the "subject base" of the IPA CA subject DN can be
customised, via the installer's --subject-base option. The RDN
"CN=Certificate Authority" is appended to form the subject DN, and
this composition is widely assumed.
Some administrators need more control over the CA subject DN,
especially to satisfy expectations of external CAs when the IPA CA
is to be externally signed.
This patch adds full customisability of the CA subject DN.
Specifically:
- Add the --ca-subject option for specifying the full IPA CA subject
DN. Defaults to "CN=Certificate Authority, O=$SUBJECT_BASE".
- ipa-ca-install, when installing a CA in a previous CA-less
topology, updates DS certmap.conf with the new new CA subject DN.
- DsInstance.find_subject_base no longer looks in certmap.conf,
because the CA subject DN can be unrelated to the subject base.
Fixes: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The ca_enabled_check function is a wrapper around
api.Command.ca_is_enabled. When using remote_api (e.g. during
installer), ca_enabled_check invokes the *global* api instead of the
remote_api.
Update ca_enabled_check to explicitly receive an api object from the
caller and invoke Command.ca_is_enabled through it.
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
For full customisability of the IPA CA subject DN, we will need the
ability to update DS `certmap.conf' when upgrading a deployment from
CA-less to CA-ful.
Extract the existing behaviour, which is private to DsInstance, to
the `write_certmap_conf' top-level function.
Also update `certmap.conf.template' for substition of the whole CA
subject DN (not just the subject base).
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The --subject option is actually used to provide the "subject base".
We are also going to add an option for fully specifying the IPA CA
subject DN in a subsequent commit. So to avoid confusion, rename
--subject to --subject-base, retaining --subject as a deprecated
alias.
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
`installutils.load_external_cert` assumes that the IPA CA subject
DN is `CN=Certificate Authority, {subject_base}`. In preparation
for full customisability of IPA CA subject DN, push this assumption
out of this function to call sites (which will be updated in a
subsequent commit).
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Refactor set_subject_base_in_config to use api.Backend.ldap2 instead
of a manually created LDAP connection.
Also rename the function to have a more accurate name, and move it
to 'ipaserver.install.ca' to avoid cyclic import (we will eventually
need to use it from within that module).
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The original code did not actually propagate the test runner exit status
to parent process so Travis CI job was always green.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
As a part of CLI schema cache some data about each previously contacted server
are stored in simple JSON file. The file may get corrupted and became
undecodable for various reasons (parallel access, file system error,
tampering). Since the data are not necessary we should just warn an continue.
https://fedorahosted.org/freeipa/ticket/6578
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
in Py2 to_text method returns Py2 non-unicode string, but in Py3 to_text method
returns Py3 default (unicode) string. So only in Py2 we have to decode
str to unicode.
https://fedorahosted.org/freeipa/ticket/5935
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
A change to the algorithm that generates random passwords
for multiple purposes throught IPA. This spells out the need
to assess password strength by the entropy it contains rather
than its length.
This new password generation should also be compatible with the
NSS implementation of password requirements in FIPS environment
so that newly created databases won't fail with wrong authentication.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Also had to recalculate entropy of the passwords as originally,
probability of generating each character was 1/256, however the
default probability of each character in the ipa_generate_password
is 1/95 (1/94 for first and last character).
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
After log in into webui there was 'Authenticating' sign even during loading metadata.
Now while data are loading there is 'Loading data' text. This change requires new global
topic 'set-activity' of activity widget. So for now there is possibility to change
every activity string during running phase just by publishing 'set-activity' topic
and setting new text as first parameter.
Part of: https://fedorahosted.org/freeipa/ticket/6144
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
The rpc module is now separated from display layer.
There are two new global topics:
- 'rpc-start' for showing the widget which indicates execution of rpc calls
- 'rpc-end' for hiding the widget which indicates execution of rpc calls.
These two global topics replace the original methods IPA.display_activity_icon() and
IPA.hide_activity_icon().
There is also new property of a command (notify_globally), which allows to turn off the widget
which indicates network activity. Instead of classic activity indicator there can be
called custom function at the beginning and at the end of network activity.
There are also changes in internal communication in rpc.js module. There are four new
events, two for calling on_success and on_error methods and two for calling custom functions
at the beginning and at the end of network activity.
https://fedorahosted.org/freeipa/ticket/6144
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Since commit 32b1743e5f, ca-find will fail
with internal error if --pkey-only is specified, because the code to
look up the CA certificate and certificate chain assumes that the ipaCAId
attribute is always present in the result.
Fix this by not attempting to lookup the certificate / chain at all when
--pkey-only is specified.
https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Let's replace some ugly hacks with proper pytest conftest.py hooks.
Test initialization of ipalib.api is now handled in
pytest_cmdline_main(). Pytest plugins, markers and ignores are also
moved into conftest.py. Additional guards make it possible to run tests
without ipaserver installed.
I added confcutdir to ensure that pytest does not leave our project
space. Pytest used pytest.ini or setup.py before but pytest.ini is gone.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
If we get to the `run-tests` phase, we no longer care about messages
from previous steps so we can truncate the log output to only show
pytest failures/errors, reducing log size.
As a fallback, the previous behaviour to print last 5000 log lines was
kept in the case the CI tests fail during setup.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This is a preparatory work for the future requirement of running
Python2/3 jobs simultaneously.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
In order to speed our Travis CI gating even further, the lint step has
been split to a separate job that can be run in parallel with the test
runs. The test runs are in turn launched in developer mode to speed them
up.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
this script is intended only for use in Travis CI and contains
configuration of the test run requested:
* it can run linter step separately by specifying TASK_TO_RUN="lint"
environment variable in .travis.yml. In this case it also runs
pep8 checker on the commits in PR.
* other steps are run in developer mode in order to skip pylint run
and speed up the task
* in all cases the CI result log is populated and can be displayed
if the job fails
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This prevents Travis log collector to add separate expansion marks to
the echo output and the actuall log output.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Distribution packaged ntpd has servers preconfigured in ntp.conf so
there's no point in trying to add them again during FreeIPA server
installation.
Also fix the code to always put fudge line right after the local server
line as required by ntpd.
https://fedorahosted.org/freeipa/ticket/6486
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In client-only installations the ipaserver package is not available.
Additional guards prevent pylint to complain about missing ipaserver
package.
https://fedorahosted.org/freeipa/ticket/6468
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix adds enumerated list of available options in IPA server
installer and IPA CA installer help options
Fixes https://fedorahosted.org/freeipa/ticket/5435
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Revert from the current Release tag value `upstream` to the previously used
`0%{?dist}`, because:
* `0` sorts before `1`, which is usually used as the initial release number
in downstream packages,
* the information provided by `%{?dist}` is useful, as packages built on
one OS are not always installable on another OS.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Use PyASN1 with the PKCS#7 definitions from `pyasn1_modules` to parse
PKCS#7 in `pkcs7_to_pems()` instead of calling `openssl pkcs7` in a
subprocess.
https://fedorahosted.org/freeipa/ticket/6550
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
subjectAltName is required or relevant in most certificate use cases
(esp. TLS, where carrying DNS name in Subject DN CN attribute is
deprecated). Therefore it does not really make sense to have a
special permission for this, over and above "request certificate"
permission.
Furthermore, we already do rigorously validate SAN contents again
the subject principal, and the permission is waived for self-service
requests or if the operator is a host principal.
So remove the permission, the associated virtual operation, and the
associated code in cert_request.
Fixes: https://fedorahosted.org/freeipa/ticket/6526
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This is necessary to be able to successfully build archives in
environments controlled by an IPA domain which may have large uidNumbers
for user accounts.
tar-ustar allows UID/GID numbers only up to 2 million and by default a
new IPA installation can assigne UIDs in the billion range.
https://fedorahosted.org/freeipa/ticket/6418
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In commit 822e1bc82a the call to create the
KRA agent PEM file was accidentally removed from the server installer.
Call into the KRA installer from the server installer to create the file
again.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Commit dbb98765d7 changed certmonger
requests for DS and HTTP certificates during installation to raise
on error (https://fedorahosted.org/freeipa/ticket/6514).
This introduced a regression in DL1 replica installation in CA-less
topology. A certificate was requested, but prior to the
aforementioned commit this would fail silently and installation
continued, whereas now installation fails.
Guard the certificate request with a check that the topology is
CA-ful.
Fixes: https://fedorahosted.org/freeipa/ticket/6573
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
