Commit Graph

976 Commits

Author SHA1 Message Date
Christian Heimes
2d8d5ad8d9 Remove deprecated -p option from ipa-dns-install
The option has been deprecated since at least freeIPA release 4.3.0 when
the installer was changed to use LDAPI.

See: https://pagure.io/freeipa/issue/4933
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 09:29:43 +01:00
Christian Heimes
a349629fba ipa-custodia-checker now uses python3 shebang
https://pagure.io/freeipa/issue/4985

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-16 08:31:20 +01:00
Stanislav Laznicka
f31797c70a Have all the scripts run in python 3 by default
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-15 18:43:12 +01:00
Felipe Barreto
ece17cef17 Check if replication agreement exist before enable/disable it
If the replication agreement does not exist, a custom exception is
raised explaining the problem.

https://pagure.io/freeipa/issue/7201

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-09 08:30:21 +01:00
Christian Heimes
2391c75e3d Replace hard-coded paths with path constants
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.

The fix simplifies Darix's port of freeIPA on openSuSE.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-08 09:32:12 +01:00
Christian Heimes
73ee9ff40e LGTM: Fix multiple use before assignment
- Move assignment before try/finally block
- Add raise to indicate control flow change
- Add default value

https://pagure.io/freeipa/issue/7344

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-01-09 07:53:28 +01:00
Rob Crittenden
d7aa7945e8 Run server upgrade in ipactl start/restart
During a distro upgrade, e.g. F-26 to F-27, networking may not
be available which will cause the upgrade to fail. Despite this
the IPA service can be subsequently restarted running new code
with old data.

This patch relies on the existing version-check cdoe to determine
when/if an upgrade is required and will do so during an ipactl
start or restart.

The upgrade is now run implicitly in the spec file and will
cause the server to be stopped after the package is installed
if the upgrade fails.

Fixes: https://pagure.io/freeipa/issue/6968

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-12 12:08:35 +01:00
Fraser Tweedale
34f73b4a94 install: report CA Subject DN and subject base to be used
Currently we do not report what Subject DN or subject base will be
used for the CA installation.  This leads to situations where the
administrator wants a different Subject DN later.  Display these
data as part of the "summary" prior to the final go/no-go prompt in
ipa-server-install and ipa-ca-install.

The go/no-go prompt in ipa-ca-install is new.  It is suppressed for
unattended installations.

Fixes: https://pagure.io/freeipa/issue/7246
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-11 12:06:28 +01:00
Fraser Tweedale
39fdc2d250 ipa_certupdate: avoid classmethod and staticmethod
Because classmethod and staticmethod are just fancy ways of calling
plain old functions, turn the classmethods and staticmethods of
CertUpdate into plain old functions.

This improves readability by making it clear that the behaviour of
the routines cannot depend on instance or class variables.

Part of: https://pagure.io/freeipa/issue/6577

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Fraser Tweedale
97942a7c7a Run certupdate after promoting to CA-ful deployment
After installing a CA in a CA-less installations (using
ipa-ca-install), the new CA certificate is not installed in
/etc/httpd/alias. This causes communication failure between IPA
framework and Dogtag (it cannot verify the Dogtag server
certificate).

Perform a CertUpdate as the final step when promoting a CA-less
deployment to CA-ful.

Fixes: https://pagure.io/freeipa/issue/7230
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Fraser Tweedale
8960141adb ipa-ca-install: run certupdate as initial step
When installing a CA replica, perform a certupdate to ensure that
the relevant CA cert is present.  This is necessary if the admin has
just promoted the topology from CA-less to CA-ful but didn't
manually run ipa-certupdate afterwards.

Fixes: https://pagure.io/freeipa/issue/6577
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Christian Heimes
38b17e1c79 Test script for ipa-custodia
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-11-16 08:49:34 +01:00
Michal Reznik
db313da62c
manpage: ipa-replica-conncheck - fix minor typo
Fixes minor typo "Defaults t" to "Defaults to".

https://pagure.io/freeipa/issue/7250

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-13 12:14:34 +01:00
Felipe Barreto
405da071d1 Warning the user when using a loopback IP as forwarder
Changing the --forwarder option to accept a loopback IP.
Previously, an error would be raised, now we just show a
warning message.

Fixes: https://pagure.io/freeipa/issue/5801
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-11-09 09:24:03 -02:00
Florence Blanc-Renaud
d8b3e53ce1
Py3: fix ipa-replica-conncheck
ipa-replica-conncheck is using the socket methods sendall()
and sendto() with str. Theses methods expect str params in
python2 but bytes in python3.

Related to
https://pagure.io/freeipa/issue/7131

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-03 15:10:28 +01:00
Aleksei Slaikovskii
59802d37d1
Add a notice to restart ipa services after certs are installed
Adding notice for user to restart services after
ipa-server-certinstall.

https://pagure.io/freeipa/issue/7016

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-11-01 12:46:57 +01:00
Rishabh Dave
d65297311d
ipa-ca-install: mention REPLICA_FILE as optional in help
As man page already does it, update the help text to show REPLICA_FILE
as optional.

Fixes https://pagure.io/freeipa/issue/7223

Signed-off-by: Rishabh Dave <rishabhddave@gmail.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-30 10:49:13 +01:00
Fraser Tweedale
aa5ad3e2d3
Add missing space in ipa-replica-conncheck error
Fixes: https://pagure.io/freeipa/issue/7224
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-30 10:35:01 +01:00
Florence Blanc-Renaud
7b149b3c7f
Fix ipa-replica-conncheck when called with --principal
ipa-replica-conncheck can be called with --principal / --password or
with an existing Kerberos credential cache in order to supply the
authorized identity logging in to the master machine (in
auto-master-check mode).

In domain-level 0, the tool is called with --principal and password
and tries to obtain a TGT by performing kinit, but does not set the
env var KRB5CCNAME. Subsequent calls to IPA API do not use the
credential cache and fail. In this case, ipa-replica-conncheck falls
back to using SSH to check master connectivity instead of IPA API,
and the ssh check is less robust.

The code should set the KRB5CCNAME env var for IPA API to use the
credential cache.

Fixes:
https://pagure.io/freeipa/issue/7221

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-26 15:06:49 +02:00
Thorsten Scherf
28802b396f Add debug option to ipa-replica-manage and remove references to api_env var.
https://pagure.io/freeipa/issue/7187

Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
2017-10-25 14:34:07 -02:00
Christian Heimes
b29db07c3b Use os.path.isfile() and isdir()
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.

The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-10-20 12:27:19 +02:00
Alexander Bokovoy
620f9653ba ipa-replica-manage: implicitly ignore initial time skew in force-sync
When performing force synchronization, implicitly ignore initial
time skew (if any) and restore it afterwards.

This also changes semantics of force-sync by waiting until the end of
the initial replication.

Fixes https://pagure.io/freeipa/issue/7211

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-10-19 17:48:58 +03:00
Fraser Tweedale
29f4ec865b ipa-cacert-manage: support MS V2 template extension
Update ipa-cacert-manage to support the MS V2 certificate template
extension.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
fc7c684b12 ipa-ca-install: add --external-ca-profile option
Fixes: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
b4365e3a7f install: allow specifying external CA template
Allow the MS/AD-CS target certificate template to be specified by
name or OID, via the new option --external-ca-profile.

Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
1699cff350 Remove duplicate references to external CA type
Part of: https://pagure.io/freeipa/issue/6858

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-10-04 10:09:18 +02:00
Fraser Tweedale
09f746f568 ipa-pki-retrieve-key: ensure we do not crash
If ipa-pki-retrieve-key fails for some reason (which may be a
"legitimate" reason, e.g. the server it is attempting to contact
being offline), the program terminates with an uncaught exception,
resulting in crash report.

Catch all exceptions; if an exception gets raised, report the
traceback and exit with nonzero status.

Fixes: https://pagure.io/freeipa/issue/7115
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-09-13 13:56:59 +02:00
Stanislav Laznicka
a765746e95 pylint: fix not-context-manager false positives
threading.Lock() in ipa-replica-conncheck is an alias to
thread.allocate_lock() which creates a LockType object.
This object is an actual context manager but the alias
seems to confuse pylint a bit.

https://pagure.io/freeipa/issue/6874

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-09-08 15:42:07 +02:00
Stanislav Laznicka
e6a9de8a2e py3: remove Exception.message appearances
Exception.message is removed in Python3

https://pagure.io/freeipa/issue/4985
https://pagure.io/freeipa/issue/6874

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-08-29 12:55:25 +02:00
Stanislav Laznicka
31a5cf588e conncheck: fix progression on failure
traceback.format_exc() does not take exception object as an argument.
This made Python 3 get stuck amid ipa-replica-conncheck, probably
because it was waiting for a thread to finish.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2017-08-17 09:56:01 +02:00
Petr Vobornik
cc72db67e2
control logging of host_port_open from caller
host_port_open copied logging behavior of ipa-replica-conncheck utility
which doesn't make it much reusable.

Now log level can be controlled from caller so other callers might use
other logging level without host_port_open guessing what was the
intention.

https://pagure.io/freeipa/issue/7083

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-08-11 13:40:38 +02:00
Stanislav Laznicka
06fbf4b312 replica-conncheck: log when failed to RPC connect
It's nearly impossible to find out what happened when doing
replica connection check and it fails during the RPC phase.
The error is now logged.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:33:58 +02:00
Tomas Krizek
fc7e2565bd ipactl: log check_version exception
When version is mismatched and ipa-server-upgrade is required,
log the version mismatch properly in journal.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:32:07 +02:00
Stanislav Laznicka
b5732efda6 x509: Make certificates represented as objects
https://pagure.io/freeipa/issue/4985

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-27 10:28:58 +02:00
Jan Cholasta
7a482b7c72 logging: do not log into the root logger
Deprecate `ipa_log_manager.root_logger` and replace all calls to it with
module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Jan Cholasta
ab9d1e75fc logging: do not reference loggers in arguments and attributes
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-07-14 15:55:59 +02:00
Martin Basti
cb48a49c80 ipa-dns-install: remove check for local ip address
This check was forgotten and will be removed now.

https://pagure.io/freeipa/issue/4317

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-20 11:29:41 +02:00
Tibor Dudlák
7fd2102a78 Add --force-join into ipa-replica-install manpage
Resolves: https://pagure.io/freeipa/issue/7011
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-15 13:56:53 +02:00
Jan Cholasta
92276c1e88 pkinit manage: introduce ipa-pkinit-manage
Add the ipa-pkinit-manage tool to allow enabling / disabling PKINIT after
the initial server install.

https://pagure.io/freeipa/issue/7000

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-06 13:27:44 +02:00
Florence Blanc-Renaud
f960450820 ipa-replica-conncheck: handle ssh not installed
When ipa-replica-conncheck is run but ssh is not installed, the tool exits
with a stack trace. Properly handle the error by raising an Exception in the
SshExec constructor, and catch the exception in order to ignore the error and
skip ssh test.

The tool will exit with the following output:
[...]
Check RPC connection to remote master
trying https://master.domain.com/ipa/session/json
Forwarding 'schema' to json server 'https://master.domain.com/ipa/session/json'
Retrying using SSH...
WARNING: ssh not installed, skipping ssh test

https://pagure.io/freeipa/issue/6935

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-30 12:02:13 +02:00
Jan Cholasta
96ca62f81d server certinstall: support PKINIT
Allow replacing the KDC certificate.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
9ea764ecf5 cacert manage: support PKINIT
Allow installing 3rd party CA certificates trusted to issue PKINIT KDC
and/or client certificates.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
235265a5f5 certdb: add named trust flag constants
Add named constants for common trust flag combinations.

Use the named constants instead of trust flags strings in the code.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
René Genz
a0566ed9ce fix minor spelling mistakes
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 09:52:46 +02:00
René Genz
bdd88a3eab fix spelling mistake; minor rewording
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 09:52:46 +02:00
Tomas Krizek
1b1bace750 ca, kra install: validate DM password
Before proceeding with installation, validate DM password. If the
provided DM password is invalid, abort the installation.

Fixes https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-17 12:50:42 +02:00
Tomas Krizek
80d61c2e01 ca install: merge duplicated code for DM password
Extract copy-pasted code to a single function.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-17 12:50:42 +02:00
Jan Cholasta
b03ede8796 ipa-cacert-manage: add --external-ca-type
Add the `--external-ca-type`, as known from `ipa-server-install` and
`ipa-ca-install`, to `ipa-cacert-manage`.

This allows creating IPA CA CSRs suitable for use with Microsoft CS using
`ipa-cacert-manage`:

```
ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs
```

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-15 12:14:28 +02:00
Florence Blanc-Renaud
f3e1efdcf5 ipa-kra-install manpage: document domain-level 1
ipa-kra-install man page was missing a specific section for domain level 1.
This commits also fixes a wrong option short name (for --log-file) and
indents the text corresponding to -p DM_PASSWORD

https://pagure.io/freeipa/issue/6922

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-05-11 17:03:00 +02:00
Stanislav Laznicka
6522c4a837
fix managed-entries printing IPA not installed
ipa-managed-entries would print "IPA is not configured on this system."
even though this is not true if run as a normal user. Add check for
root running the script.

https://pagure.io/freeipa/issue/6928

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-05-10 08:57:24 +02:00
realsobek
298f725e5b fix minor typos in ipa-adtrust-install.1
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-25 12:20:45 +02:00
Stanislav Laznicka
0c0af8cf7a compat-manage: behave the same for all users
Due to LDAP connection refactoring, compat-manage would have behaved
differently for root and for other users even though it requires
the directory manager password. This is caused by it trying to do
external bind when it does not have the DIRMAN password which was
previously not supplied.

https://pagure.io/freeipa/issue/6821

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-24 17:11:51 +02:00
Abhijeet Kasurde
cb86931472
Minor typo fixes
Fixes https://pagure.io/freeipa/issue/6865

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-12 15:42:17 +02:00
Florence Blanc-Renaud
b96a942cdc ipa-ca-install man page: Add domain level 1 help
In domain level 1 ipa-ca-install does not require a replica-file. Update the
man page to distinguish the domain level 0 or 1 usage.

https://pagure.io/freeipa/issue/5831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-31 12:16:58 +02:00
Stanislav Laznicka
8af884d048 replica-prepare man: remove pkinit option refs
Remove the references to the pkinit options which was forgotten
about in 46d4d534c0

https://pagure.io/freeipa/issue/6801

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 15:41:35 +02:00
Stanislav Laznicka
9e3ae785ac Don't allow setting pkinit-related options on DL0
pkinit is not supported on DL0, remove options that allow to set it
from ipa-{server,replica}-install.

https://pagure.io/freeipa/issue/6801

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 15:41:35 +02:00
Christian Heimes
f5bf5466ed Use Custodia 0.3.1 features
* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
  default setting for IPA's config file. The new file also makes it
  simpler to run IPA's custodia instance with its own SELinux context.
* ipapython no longer depends on custodia

The patch addresses three issues:

* https://bugzilla.redhat.com/show_bug.cgi?id=1430247
  Forward compatibility with Custodia 0.3 in Fedora rawhide
* https://pagure.io/freeipa/issue/5825
  Use sd-notify
* https://pagure.io/freeipa/issue/6788
  Prepare for separate SELinux context

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-28 15:02:06 +02:00
Florence Blanc-Renaud
3ea2834b76
man ipa-cacert-manage install needs clarification
The customers are often confused by ipa-cacert-manage install. The man page
should make it clear that IPA CA is not modified in any way by this command.

https://pagure.io/freeipa/issue/6795

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-22 10:13:56 +01:00
Christian Heimes
602b395cf1 Fix Python 3 pylint errors
************* Module ipaserver.install.ipa_kra_install
ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse')
************* Module ipapython.install.core
ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member)
************* Module ipatests.test_ipapython.test_dn
ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals())
************* Module ipa-ca-install
install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-15 19:11:32 +01:00
Stanislav Laznicka
5d3a0e6758 Don't allow standalone KRA uninstalls
KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.

https://pagure.io/freeipa/issue/6538

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-13 16:27:23 +01:00
Martin Babinsky
5cb98496aa
ipa-managed-entries: only permit running the command on IPA master
https://pagure.io/freeipa/issue/6735

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-09 10:31:43 +01:00
Martin Babinsky
715367506b
ipa-managed-entries: use server-mode API
During LDAP connection management refactoring the ad-hoc ldap connection
in `ipa-managed-entries` was replaced by calls to ldap2 backend without
updating API initialization.

https://pagure.io/freeipa/issue/6735

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-09 10:31:43 +01:00
Martin Basti
4006cbbc02 KRA: add --setup-kra to ipa-server-install
This patch allows to install KRA on first IPA server in one step using
ipa-server-install

This option improves containers installation where ipa-server can be
installed with KRA using one call without need to call docker exec.

Please note the the original `kra.install()` calls in
ipaserver/install/server/install.py were empty operations as it did
nothing, so it is safe to move them out from CA block

https://pagure.io/freeipa/issue/6731

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-08 15:50:30 +01:00
Martin Basti
6c95f33d37 man: add missing --setup-adtrust option to manpage
ipa-server-install and ipa-replica-install manpages miss --setup-adtrust
options

https://pagure.io/freeipa/issue/6630

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-08 12:57:53 +01:00
Tomas Krizek
223a48b6d9
man: update ipa-cacert-manage
Make it clear this command is used to only renew certificate for
the CA and provide guidance on how to renew other certificates.

https://pagure.io/freeipa/issue/6648

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-02 17:02:25 +01:00
Martin Babinsky
23cebe1356 Update server/replica installer man pages
Since AD trust installer is now a part of composite installers, their
man pages were updated with separate section documenting relevant AD
trust-related option descriptions.

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Martin Babinsky
f62f0b7485 Fix erroneous short name options in ipa-adtrust-install man page
`--rid-base` and `--secondary-rid-base` had `-U` option assigned
by error in the man page. Remove it as these options have not short
alias.

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Martin Babinsky
ef37c42ab9 print the installation info only in standalone mode
There is no point in emitting this message during server/replica
install.

https://fedorahosted.org/freeipa/ticket/6630

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-01 15:55:45 +01:00
Thorsten Scherf
573a0f1ffe added help about default value for --external-ca-type option
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-23 18:54:53 +01:00
Jan Cholasta
fe6f2b6f6e scripts, tests: explicitly set confdir in the rest of server code
Commit 1e6a204b43 added explicit confdir
setting to api.bootstrap() calls of a randomly selected portion of
server-side scripts and tests. This commit adds it to the rest of
server-side code for consistency.

https://fedorahosted.org/freeipa/ticket/6389

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-02-22 08:07:48 +00:00
Martin Babinsky
98bf0cc966 Move AD trust installation code to a separate module
This facilitates calling the necessary checks and configuration code as
a module from e.g. a composite installer. The code that checks for the
admin credentials stays in the standalone installer as the code inside
the adtrust module is expected to operate also without admin
credentials.

https://fedorahosted.org/freeipa/ticket/6629

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-17 13:34:35 +01:00
Stanislav Laznicka
ca457eb5ce Add password to certutil calls in NSSDatabase
NSSDatabases should call certutil with a password. Also, removed
`password_filename` argument from `.create_db()`.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-17 10:14:23 +01:00
Abhijeet Kasurde
08b8bfa9b5 Update man page of ipa-server-install
This fix adds information about --ignore-last-of-role in
ipa-server-install man page

Fixes https://fedorahosted.org/freeipa/ticket/6634

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-02-17 08:54:10 +01:00
Simo Sorce
d124e307f3 Separate RA cert store from the HTTP cert store
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-02-15 07:13:37 +01:00
Stanislav Laznicka
08c71703a4 Remove is_fips_enabled checks in installers and ipactl
https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-02-13 18:10:55 +01:00
Martin Babinsky
d7cfbb870f Replace exit() calls with exceptions
In order to enable correct handling of hard errors from within the
composite installer code, all calls to `sys.exit` have to be replaced
with raising ScriptError.

https://fedorahosted.org/freeipa/ticket/6629

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-09 14:05:22 +01:00
Martin Babinsky
e27f6bfdc3 Remove unused variables in exception handling
https://fedorahosted.org/freeipa/ticket/6629

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-09 14:05:22 +01:00
Martin Babinsky
847be3a8a8 ipa-adtrust-install: format the code for PEP-8 compliance
https://fedorahosted.org/freeipa/ticket/6629

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-02-09 14:05:22 +01:00
Jan Cholasta
87400cdec1 ipa-ca-install: do not fail without --subject-base and --ca-subject
When --subject-base and --ca-subject are not specified in ipa-ca-install,
default values are used. DN objects are used as the default values in
ipa-ca-install, but the CA installer expects the values to be strings. This
causes ipa-ca-install to fail unless both --subject-base and --ca-subject
are specified.

Convert the DN objects to strings to fix the issue.

https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-31 07:18:39 +01:00
Abhijeet Kasurde
c56e02b3c5 Remove deprecated ipa-upgradeconfig command
Fixes https://fedorahosted.org/freeipa/ticket/6620

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-01-24 09:51:39 +01:00
Fraser Tweedale
0c95a00147 Add sanity checks for use of --ca-subject and --subject-base
Print an error and terminate if --ca-subject or --subject-base are
used when installing a CA-less master or when performing standalone
installation of a CA replica.

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:28:50 +01:00
Fraser Tweedale
3f56609732 Indicate that ca subject / subject base uses LDAP RDN order
Update man pages and help output to indicate that --subject-base and
--ca-subject options interpret their arguments in LDAP order.

Fixes: https://fedorahosted.org/freeipa/ticket/6455
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-01-11 15:27:55 +01:00
Fraser Tweedale
3d01ec14c6 Allow full customisability of IPA CA subject DN
Currently only the "subject base" of the IPA CA subject DN can be
customised, via the installer's --subject-base option.  The RDN
"CN=Certificate Authority" is appended to form the subject DN, and
this composition is widely assumed.

Some administrators need more control over the CA subject DN,
especially to satisfy expectations of external CAs when the IPA CA
is to be externally signed.

This patch adds full customisability of the CA subject DN.
Specifically:

- Add the --ca-subject option for specifying the full IPA CA subject
  DN.  Defaults to "CN=Certificate Authority, O=$SUBJECT_BASE".

- ipa-ca-install, when installing a CA in a previous CA-less
  topology, updates DS certmap.conf with the new new CA subject DN.

- DsInstance.find_subject_base no longer looks in certmap.conf,
  because the CA subject DN can be unrelated to the subject base.

Fixes: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Fraser Tweedale
46bf0e89ae ipa-ca-install: add missing --subject-base option
Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Fraser Tweedale
c6db493b06 installer: rename --subject to --subject-base
The --subject option is actually used to provide the "subject base".
We are also going to add an option for fully specifying the IPA CA
subject DN in a subsequent commit.  So to avoid confusion, rename
--subject to --subject-base, retaining --subject as a deprecated
alias.

Part of: https://fedorahosted.org/freeipa/ticket/2614

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-11 15:26:20 +01:00
Stanislav Laznicka
25a6ddcce8 Clarify meaning of --domain and --realm in installers
Man pages need bigger overhaul. Take this as hot-fix for FAQ.

https://fedorahosted.org/freeipa/ticket/6574

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-01-05 09:47:25 +01:00
Abhijeet Kasurde
80c0e5cb8d Enumerate available options in IPA installer
Fix adds enumerated list of available options in IPA server
installer and IPA CA installer help options

Fixes https://fedorahosted.org/freeipa/ticket/5435

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-01-03 13:00:36 +01:00
Martin Basti
15351ab6e7 ipactl: pass api as argument to services
Commit 6409abf1 removes hard dependency of ipalib in ipalatform to avoid
cyclic dependenies, this commit updates ipactl accordingly

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-12 14:19:42 +01:00
Tomas Krizek
a24cd01304 ipautil: check for open ports on all resolved IPs
When a hostname is provided to host_port_open, it should check if
ports are open for ALL IPs that are resolved from the hostname, instead
of checking whether the port is reachable on at least one of the IPs.

https://fedorahosted.org/freeipa/ticket/6522

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-12-07 16:32:09 +01:00
Tomas Krizek
de981d348e replica-conncheck: improve message logging
Make sure all messages displayed on screen to the user can be found
in the log as well. The messages are also logged if the script is ran
in quiet mode.

https://fedorahosted.org/freeipa/ticket/6497

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-12-06 13:05:29 +01:00
Tomas Krizek
a44974cdf8 ipa-replica-conncheck: fix race condition
When the thread that opens ports would execute notify() before the
original thread could call wait(), the original thread would wait
indefinitely for a notify() call.

https://fedorahosted.org/freeipa/ticket/6487

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-12-06 12:47:33 +01:00
Christian Heimes
1e6a204b43 Set explicit confdir option for global contexts
Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.

The special contexts are:

* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates

The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.

https://fedorahosted.org/freeipa/ticket/6389

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-12-02 09:14:35 +01:00
Tomas Krizek
af0ba66188 ipa-replica-conncheck: do not close listening ports until required
Previously, a separate thread would be created for each socket used
for conncheck. It would also time out after one second, after which it
would be closed and reopened again. This caused random failures of
conncheck.

Now all sockets are handled in a single thread and once the server
starts to listen on a port, it does not close that connection until the
script finishes.

Only IPv6 socket is used for simplicity, since it can handle both IPv6
and IPv4 connections. This requires IPv6 kernel support, which is
required by other parts of IPA anyway.

https://fedorahosted.org/freeipa/ticket/6487

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-12-01 15:20:21 +01:00
Jan Cholasta
70c3cd7f48 ipaclient: move install modules to the install subpackage
The ipa_certupdate, ipachangeconf, ipadiscovery and ntpconf modules depend
on ipaplatform.

Move them to ipaclient.install as they are used only from the client
installer.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
977050c66b constants: remove CACERT
CACERT depends on ipaplatform.

Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
7d5c680ace ipautil: move kinit functions to ipalib.install
kinit_password() depends on ipaplatform.

Move kinit_password() as well as kinit_keytab() to a new
ipalib.install.kinit module, as they are used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
75b70e3f0d ipautil: move is_fips_enabled() to ipaplatform.tasks
The FIPS setting is platform-specific.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
7b966e8577 ipautil: remove get_domain_name()
get_domain_name() and related code depends on ipaplatform.

Replace all uses of get_domain_name() with api.env.domain and remove
get_domain_name() and all of the related code.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
26c46a447f ipapython: move certmonger and sysrestore to ipalib.install
The certmonger and sysrestore modules depend on ipaplatform.

Move them to ipalib.install as they are used only from installers.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00
Jan Cholasta
a1f260d021 ipapython: move dnssec, p11helper and secrets to ipaserver
The dnssec and secrets subpackages and the p11helper module depend on
ipaplatform.

Move them to ipaserver as they are used only on the server.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-11-29 14:50:51 +01:00