Commit dd47cfc75a removed the ability
to set pki_req_ext_oid and pki_req_ext_data in the pkispawn config.
This results in the --external-ca-profile option never setting the
requested values in the CSR (the default V1 template type specifying
"SubCA" is always used).
Remove relevant fields from both ipaca_default.ini and
ipaca_customize.ini. This allows the IPA framework to set the
values (i.e. when --external-ca-type=ms-cs and
--external-ca-profile=... demand it). It also allows users to
override the pki_req_ext_* settings.
Part of: https://pagure.io/freeipa/issue/7548
Related: https://pagure.io/freeipa/issue/5608
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
During an investigation into filter optimisation in 389DS it was
discovered that two attributes of the certmap query are unindexed.
Due to the nature of LDAP filters, if any member of an OR query is
unindexed, the entire OR becomes unindexed.
This is then basically a full-table scan, which applies the filter test
to the contained members.
Fixes: https://pagure.io/freeipa/issue/7932
Fixes: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Active Directory schema includes altSecurityIdentities attribute
which presents alternative security identities for a bindable object in
Active Directory.
FreeIPA doesn't currently use this attribute. However, SSSD certmap
library may generate searches referencing the attribute if it is
specified in the certificate mapping rule. Such search might be
considered unindexed in 389-ds.
Define altSecurityIdentities attribute to allow specifying indexing
rules for it.
Fixes: https://pagure.io/freeipa/issue/7932
Related: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
These are already marked as deprecated by the KDC.
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The only permitted ciphers are the AES family (called aes, which
is the combination of: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and
aes128-cts-hmac-sha256-128).
DES, RC4, and Camellia are not permitted in FIPS mode. While 3DES
is permitted, the KDF used for it in krb5 is not, and Microsoft
doesn't implement 3DES anyway.
This is only applied on new installations because we don't
allow converting a non-FIPS install into a FIPS one.
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.
This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER
and applies corresponding changes to the test code.
Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now all the default shells of users and admin are hardcoded in
different parts of the project. This makes it impossible to run the
test suite against the setup, which has the default shell differed
from '/bin/sh'.
The single configuration point for the shell of users and admin is
added to overcome this limitation.
Fixes: https://pagure.io/freeipa/issue/7978
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
389-ds will change the default value of nsslapd-unhashed-pw-switch from 'on' to 'off'
For new or upgraded IPA instance, in case of winsync deployment the attribute is set
to 'on' and a warning is displayed. Else the attribute is set to 'nolog'
https://pagure.io/freeipa/issue/4812
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
On Linux systems the length limit for hostnames is hardcoded
at 64 in MAXHOSTNAMELEN
Solaris, for example, allows 255 characters, and DNS allows the
total length to be up to 255 (with each label < 64).
Add a knob to allow configuring the maximum hostname length (FQDN)
The same validators are used between hosts and DNS to apply
the knob only when dealing with a FQDN as a hostname.
The maxlen option is included so installers can limit the length
of allowed hostnames when the --hostname option is used.
https://pagure.io/freeipa/issue/2018
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This reverts commit 3509545897.
We cannot force increase in minimum SASL security factor until our
consumers are ready to deal with it. Unfortunately, realmd uses
anonymous connection for discovery and validation of IPA LDAP server.
The way it is done is fragile (it doesn't take into account an
advertised IPA version, only checks that 'IPA' string exists in the info
field) but since bumping of minimum SSF prevents reading IPA info field
using anonymous connection, client enrollment fails.
We should get back to bumping minimum SSF after realmd and other
potential consumers are fixed.
Reviewed-By: François Cami <fcami@redhat.com>
See https://access.redhat.com/security/vulnerabilities/smbloris for
details.
There is no recommended value but for IPA DC we can limit with 1000
concurrent connections from unrelated clients.
Related: https://pagure.io/freeipa/issue/6951
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Implicit idmap configuration in Samba was changed in Samba 4.7 to always
require range definition. A default ('*') idmap configuration lacks any
range and thus is marked by testparm utility as invalid one.
Since we do not expect Samba allocating any IDs, idmap configuration
needs to be set in a such way that it is correct from Samba side and is
effectively disabling any allocation on those domains that we don't need
to handle.
Note that 'idmap config <domain> : range' parameter accepts range in a
special format with spaces 'begin - end', so we have to keep the
formatting of the range exact.
Related: https://pagure.io/freeipa/issue/6951
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
* override ipa_ca_key_size
* test with SHA512withRSA
Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Debian has different paths and path suffix for font-awesome. Let's have
explicit paths for all our fonts.
Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The signing key for IPA's CA certificate now uses a 3072 bit RSA key by
default.
According to https://www.keylength.com/, NIST 800-57 Part 1 Rev. 4
recommends 3072 bit RSA keys for keys that are used beyond 2030 for 128 bit
strength.
Fixes: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Allow to specify a pki.ini overlay file on the command line. The override
file can be used to override pkispawn settings.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Note: Some configuration stanzas are deprecated and have been replaced
with new stanzas, e.g. pki_cert_chain_path instead of
pki_external_ca_cert_chain_path.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Common settings like "pki_*_signing_key_algorithm" now use an IPA
specific template variable. The approach makes it easier to change all
signing parameters to use a different algorithm.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
SSF_MINX 56 level ensures data integrity and confidentiality for SASL
GSSAPI and SASL GSS SPNEGO connections.
Although at least AES128 is enforced pretty much everywhere, 56 is required
for backwards compatibility with systems that announce wrong SSF.
Related: https://pagure.io/freeipa/issue/7140
Related: https://pagure.io/freeipa/issue/4580
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
The IPA specific env vars KRB5_KTNAME and KRB5CCNAME are now defined in
a instance specific ipa-env.conf unit file.
Fixes: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
config_replace_variables() can now also remove lines from a file.
Related: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The new lib389 installer configures LDAPI with correct socket path by
default. Use LDAPI to boot strap the IPA domain and autobind.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
authselect changed pam_systemd session from optional to required. When
the HBAC rule allow_all is disabled and replaced with more fine grained
rules, loginsi now to fail, because systemd's user@.service is able to
create a systemd session.
Add systemd-user HBAC service and a HBAC rule that allows systemd-user
to run on all hosts for all users by default. ipa-server-upgrade creates
the service and rule, too. In case the service already exists, no
attempt is made to create the rule. This allows admins to delete the
rule permanently.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The data structures for the internal DNS server use the attribute idnsName
instead of cn in the DN. It's also used to search for entries when entries
are added, modified, or removed.
The new index speeds up dnsrecord and dnszone related commands as well
as commands like host-add and host-del --updatedns.
Fixes: https://pagure.io/freeipa/issue/7803
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
An index is used to optimize an LDAP operation. Without an index, 389-DS
has to perform a partial or even full table scan. A full database scan can
easily take 10 seconds or more in a large installation.
* automountMapKey: eq, pres (was: eq)
* autoMountMapName: eq
* ipaConfigString: eq
* ipaEnabledFlag: eq
* ipaKrbAuthzData: eq, sub
* accessRuleType: eq
* hostCategory: eq
automountMapKey and autoMountMapName filters are used for automount.
Installation and service discovery (CA, KRA) use ipaConfigString to find
active services and CA renewal master.
SSSD filters with ipaEnabledFlag, accessRuleType, and hostCategory to
find and cache HBAC rules for each host.
ipaKrbAuthzData is used by ipa host-del. The framework performs a
'*arg*' query, therefore a sub index is required, too.
Partly fixes: https://pagure.io/freeipa/issue/7786
Fixes: https://pagure.io/freeipa/issue/7787
Fixes: https://pagure.io/freeipa/issue/7790
Fixes: https://pagure.io/freeipa/issue/7792
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
IPA doesn't officially support RFC 2307 IP services. However SSSD has a
nsswitch plugin to provide service lookups. The subtree search for
(&(ipserviceport=$PORT)(ipserviceprotocol=$SRV)(objectclass=ipservice)) in
cn=accounts,$SUFFIX has caused performance issues on large
installations.
This patch introduced a dedicated container
cn=ipservices,cn=accounts,$SUFFIX for IP services for future use or 3rd
party extensions. SSSD will be change its search base in an upcoming
release, too.
A new ipServicePort index is added to optimize searches for an IP
service by port. There is no index on ipServiceProtocol because the index
would have poor selectivity. An ipService entry has either 'tcp' or 'udp'
as protocol.
Fixes: https://pagure.io/freeipa/issue/7797
See: https://pagure.io/freeipa/issue/7786
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
httpd-2.4+ has deprecated the Order, Allow and Deny directives. Use the Require directive instead.
Signed-off-by: Sudharsan Omprakash <sudharsan.omprakash@yahoo.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Pylint warns about inconsistent return statements when some paths of a
function return None implicitly. Make all implicit returns either
explicit or raise a proper exception.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
It is a standard SELinux user role included in RHEL (like
user_r, staff_r, guest_r) and used quite often.
Fixes: https://pagure.io/freeipa/issue/7658
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
For now JSON service is not available without authentication
to IPA. But some of Web UI pages expect translations before
or without Login process.
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Increase the WSGI daemon worker process count from 2 processes to 5
processes. This allows IPA RPC to handle more parallel requests. The
additional processes increase memory consumption by approximante 250 MB
in total.
Since memory is scarce on 32bit platforms, only 64bit platforms are
bumped to 5 workers.
Fixes: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
PR https://github.com/freeipa/freeipa/pull/1747 added the first template
for FreeIPA client package. The template file was added to server
templates, which broke client-only builds.
The template is now part of a new subdirectory for client package shared
data.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Because krb5 silently ignores unrecognized options, this is safe on
all versions. It lands upstream in krb5-1.17; in Fedora, it was added
in krb5-1.6-17.
Upstream documentation can be found in-tree at
https://github.com/krb5/krb5/blob/master/doc/admin/spake.rst
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This moves the ETag disabling so that it's specific to the /ipa
virtual server rather than being applied to all virtual servers on the machine.
This enables better co-existence with other virtual servers that want ETags.
Signed-off-by: Brian J. Murrell <brian@interlinx.bc.ca>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Instead of a package conflict, freeIPA now uses an Apache config file to
enforce the correct wsgi module. The workaround only applies to Fedora
since it is the only platform that permits parallel installation of
Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
Debian doesn't permit installation of both variants.
See: https://pagure.io/freeipa/issue/7161
Fixes: https://pagure.io/freeipa/issue/7394
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
https://pagure.io/freeipa/issue/7247
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
