Commit Graph

13873 Commits

Author SHA1 Message Date
Alexander Bokovoy
ecc0a96d16 support using trust-related operations in the server console
When using `ipa -e in_server=True console` on IPA master, the whole IPA
framework is loaded in the same process ('ipa console'). The context
defined for this configuration is 'cli'. Some trust-related operations
need to load Samba bindings and guard itself to 'lite' and 'server'
contexts.

Upon reviewing these cases I came to conclusion that these guards are
unnecessary. It is enough to require that the context is in the server
code.

Allow these operations if we are operating in server mode. This allows
to debug trust-related issued directly in the IPA console on IPA trust
controllers.

Signed-of-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-08 12:39:34 -04:00
Alexander Bokovoy
28389fe8af Add design page for managing IPA resources as a user from a trusted Active Directory forest
Fixes: https://pagure.io/freeipa/issue/8357
Fixes: https://pagure.io/freeipa/issue/7816

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-08 12:39:34 -04:00
Alexander Bokovoy
676774d3fb kdb: handle enterprise principal lookup in AS_REQ
Refactoring of the get_principal() code in commit
b5876f30d4 broke handling of enterprise
principal lookup for AS request (kinit -E user@ipa.test@IPA.TEST).

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-08 12:39:34 -04:00
Alexander Bokovoy
b9a6027410 ipa-pwd-extop: use timegm() instead of mktime() to preserve timezone offset
"Kerberos principal expiration" is set in UTC and when server is in
different timezone, the time difference between timezone is respected by
the IPA server/client for Kerberos authentication.

The problem is due to mktime() assuming default time zone but since we
parse the time using Zulu (UTC+0) timezone, mktime() forces current time
zone offset added.

The method is using mktime() and comparing to the current time obtained
with time(NULL). According to its man page, mktime is considering the
time as local time:

   The mktime() function converts a broken-down time structure,  expressed
   as  local  time, to calendar time representation.

Instead mktime() we should use timegm(). The problem is that it is
non-standard GNU extension and it is recommended (in the man page for
timegm(3)) to avoid its use. An alternative is to set TZ=UTC, call
mktime(), unset TZ, but since we are running in a multi-threaded
environment this is problematic.

On the other hand, we already rely on GNU extensions and enable them
with -D_DEFAULT_SOURCE=1, so use of timegm() is enabled already.

The fix, therefore, is to use timegm() instead of mktime() in
daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c in two places where we
first do 'strptime()' with Zulu time zone (in ipapwd_pre_bind() and
ipapwd_write_krb_keys()).

Fixes: https://pagure.io/freeipa/issue/8362

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-08 18:06:16 +02:00
Sergio Oliveira Campos
e071933e64
Add test for sssd ad trust lookup with dn in certmaprule
Related to https://pagure.io/SSSD/sssd/issue/3721

Signed-off-by: Sergio Oliveira Campos <seocam@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
2020-06-08 10:34:18 -03:00
Christian Heimes
6e5d40e2d2 Include named config files in backup
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-08 15:53:40 +03:00
Peter Keresztes Schmidt
a5cbdb57e5 Split named custom config to allow changes in options stanza
Upgrade path to add additional include to named.conf is not handled.

Remove bindkeys-file directive from named config
The ISC DVL service was shut down (https://www.isc.org/bind-keys/).
BIND versions since April 2017 (i.e. 9.9.10, 9.10.5, 9.11.1 and later)
include a hard-coded copy of the root KSK which gets updates automatically
according to RFC 5011.

Move dnssec-enable directive to custom named config

Move comment named config being managed by FreeIPA to the top

Move settings which could be changed by administrators to
ipa-options-ext.conf. Settings defined there are sole responsibility of the
administrator. We do not check if they might collide with our settings in
named.conf.

Fixes: https://pagure.io/freeipa/issue/8287
Co-authored-by: Peter Keresztes Schmidt <carbenium@outlook.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-08 15:53:40 +03:00
Peter Keresztes Schmidt
88d1dcc52a lite-server: Fix werkzeug deprecation warnings
Fixes: https://pagure.io/freeipa/issue/8360
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-08 14:23:56 +02:00
Peter Keresztes Schmidt
68af4f39c1 util: replace NSS usage with OpenSSL
Fixes: https://pagure.io/freeipa/issue/6857
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-08 12:54:19 +03:00
Peter Keresztes Schmidt
f2d854886f util: add unit test for pw hashing
Related: https://pagure.io/freeipa/issue/6857
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-08 12:54:19 +03:00
Christian Heimes
d79a7a9696 Handle DatabaseError in RPC-Server connect()
DatabaseError exceptions with 'account inactivated' message are turned
into 401 Unauthorized errors. The problem occurs when a user is disabled
but has a valid cookie.

Other DatabaseErrors are turned into 503 Service Unavailable. They
usually occur when LDAP server is not available or broken.

Fixes: https://pagure.io/freeipa/issue/8352
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-07 10:33:15 +03:00
Peter Keresztes Schmidt
894b3f1d0b po: remove zanata config since translation was moved to weblate
Related: https://pagure.io/freeipa/issue/8159
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-07 10:29:00 +03:00
Peter Keresztes Schmidt
0f232a3011 Remove unused support for dm_password arg from ldapupdate.connect
Related: https://pagure.io/freeipa/issue/7610
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-07 10:21:01 +03:00
Peter Keresztes Schmidt
e660364814 Use ipaldap exceptions rather than ldap error codes in LDAP updater
The code in ipaldap got changed with df4ed77 but ldapupdate was never updated.

Closes: https://pagure.io/freeipa/issue/7610
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-07 10:19:47 +03:00
Christian Heimes
9dda004f27 Allow permissions with 'self' bindruletype
Make it possible to create a managed permission with
ipapermbindruletype="self". The ACI will have bind rule
'(userdn = "ldap:///self")'.

Example
-------

Allow users to modify their own fasTimezone and fasIRCNick attributes:

```
managed_permissions = {
    "System: Self-Modify FAS user attributes": {
        "ipapermright": {"write"},
        "ipapermtargetfilter": ["(objectclass=fasuser)"],
        "ipapermbindruletype": "self",
        "ipapermdefaultattr": ["fasTimezone", "fasIRCNick"],
    }
}
```

See: https://github.com/fedora-infra/freeipa-fas/pull/107
Fixes: https://pagure.io/freeipa/issue/8348
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-07 10:18:03 +03:00
Peter Keresztes Schmidt
373f8cdce7 Specify min and max values for TTL of a DNS record
Fixes: https://pagure.io/freeipa/issue/8358
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-07 10:14:05 +03:00
Peter Keresztes Schmidt
5f239aebca WebUI: Add units to some DNS zone and IPA config fields
Add also tooltips to ipasearchrecordslimit and ipasearchtimelimit
to clarify the special value 0/-1.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-07 10:10:48 +03:00
Peter Keresztes Schmidt
187968d472 WebUI: Expose TTL of DNS records
Fixes: https://pagure.io/freeipa/issue/3827
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-07 10:09:35 +03:00
Peter Keresztes Schmidt
4d2cd3a273 WebUI: Refresh DNS record data correctly after mod operation
Fixes: https://pagure.io/freeipa/issue/8359
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-07 10:08:19 +03:00
Christian Heimes
d20cda2189 make: serialize strip-po / strip-pot
The strip-po target modifies files in place. This sometimes creates
conflicts with other make targets when make is run in parallel mode.

* split strip-po into strip-po and strip-pot
* move strip-po[t] from dependency to explicit, serial execution
* declare dependencies on POT/POFILES
* don't run strip on clean

Fixes: https://pagure.io/freeipa/issue/8323
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-05 09:34:46 +02:00
Christian Heimes
f5964b7157 Remove obsolete BIND named.conf options
``dnssec-enable`` is obsolete in 9.16 and raises a warning. The option
defaults to ``yes`` in all supported versions of bind. The option is
removed when set to ``yes`` and a warning is emitted when the value is
``no``.

DNSSEC lookaside validation has been deprecated by RFC 8749 and the
feature removed from Bind 9.16. The only available lookaside provider
dlv.isc.org no longer provides DLV information since 2017.

Fixes: https://pagure.io/freeipa/issue/8349
Fixes: https://pagure.io/freeipa/issue/8350
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-05 09:23:57 +02:00
sumenon
0d0dc73ae1 ipatests: Test to check warning state for TomcatFileCheck in ipahealthcheck.ipa.files
This testcase changes the ownership of the tomcat config files
on an IPA Master and then checks if healthcheck tools
reports the status as WARNING

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-06-04 09:01:07 -04:00
Christian Heimes
c1c6ee7d41 Add ipa-print-pac to gitignore
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-06-04 14:29:59 +02:00
Peter Keresztes Schmidt
517c7ab215 WebUI: Use data adapter to load facet header data
Fixes: https://pagure.io/freeipa/issue/8339
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-06-03 09:30:27 +02:00
Peter Keresztes Schmidt
7de1a93ce4 WebUI: Fix invalid RPC calls when link widget has no pkey passed
Fixes: https://pagure.io/freeipa/issue/8338
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-06-03 09:27:48 +02:00
Christian Heimes
ad8e0af077 Allow dnsrecord-add --force on clients
See: https://pagure.io/freeipa/issue/8317
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-06-03 09:25:12 +02:00
sumenon
ddd061c0b7 ipatests: Test for ipahealthcheck.ipa.files for TomcatFilecheck
This test checks that healthcheck tools reports correct information
when permissions of Tomcat config file are modified.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-06-03 09:21:00 +02:00
sumenon
6a7fa03f91 ipatests: Test for ipahealthcheck DogtagCertsConnectivityCheck
This test checks that when pki-tomcat service is stopped,
DogtagCertsConnectivityCheck displays the result as ERROR

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-06-02 09:53:11 -04:00
Peter Keresztes Schmidt
1606174457 Remove remains of unused config options
Options removed:
 * ca_ee_port
 * ca_agent_install_port
 * ca_ee_install_port

Closes: https://pagure.io/freeipa/issue/6708
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-06-02 09:39:42 +02:00
Serhii Tsymbaliuk
bc9f3e0557 WebUI: Apply jQuery patch to fix htmlPrefilter issue
Manually backport corresponding changes from jQuery 3.5.0:
1d61fd9407

A complete upgrade to jQuery 3.5 is impossible at the moment due incompatibility
with Bootstrap 3.4.1 which we currently use.

Ticket: https://pagure.io/freeipa/issue/8325

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2020-05-28 13:20:52 +02:00
Alexander Bokovoy
4ff972c23f azure: do not run test_commands due to failures in low memory cases
389-ds memory autotuning doesn't really work well in containerized
environment as it only looks into host-wide /proc/meminfo. It gets
fooled by 'missing' memory while there is still enough swap space.

This is in particular affects test_commands test suite where
ipa-adtrust-install cannot fully proceed and fails. We plan to rebalance
test containers' memory split but right now just disable test_commands
in Azure CI.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
Alexander Bokovoy
52da0d6a28 test_smb: test S4U2Self operation by IPA service
Kerberos service might request a ticket to itself on behalf of a user
to perform protocol transition, so-called S4U2Self extension defined
in [MS-SFU] specification. Processing of this request by KDC differs for
in-realm and cross-realm configurations.

Use SMB service to test S4U2Self performed against AD and IPA users.

Fixes: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
Alexander Bokovoy
b5876f30d4 ipa-kdb: refactor principal lookup to support S4U2Self correctly
Restructure logic of ipadb_get_principal() to separate retrieval of a
principal by a name and by an alias. Separate enterprise principal name
type processing into a helper function to be able to reuse it for own
aliases.

Unify code in client referrals part to do the same and use krb5 API to
deal with principals rather than parsing strings. The end result is the
same but we follow common rules in MIT Kerberos to process principals.

An enterprise principal is typically "name@SOMEREALM@REALM", but any
principal might be parsed as enterprise principal, so we could get
"name@REALM" marked as such. When unparsing the enterprise principal,
re-parse it again with default realm values, to get our realm
normalization.

This behavior would fix situations when GSSAPI calls are operating on a
non-qualified principal name that was imported as a
GSS_KRB5_NT_ENTERPRISE_NAME when calling gss_import_name().

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
Alexander Bokovoy
ef59cb8452 ipa-kdb: cache local TGS in the driver context
For Kerberos principal lookup we always need to check whether principal
is from our realm. Keep the reference to our realm TGS handy to avoid
memory allocations on every lookup.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
Alexander Bokovoy
3611fc5043 ipa-kdb: add primary group to list of groups in MS-PAC
Somehow, we weren't adding primary group of the user to the list of
groups in the PAC Logon Info structure.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
Alexander Bokovoy
3e20a96c30 ipa-kdb: Always allow services to get PAC if needed
Previously, FreeIPA only allowed to issue PAC record in a ticket
for the following principal types:
   - for IPA users
   - for a host principal of one of IPA masters
   - for a cifs/ or HTTP/ service on one of IPA masters

To allow S4U2Self operations over trust to AD, an impersonating service
must have PAC record in its TGT to be able to ask AD DCs for a S4U2Self
ticket. It means any IPA service performing S4U2Self would need to have
PAC record and the constraints above prevent it from doing so.

However, depending on whether the service or host principal belongs to
one of IPA masters, we need to set proper primary RID to 516 (domain
controllers) or 515 (domain computers).

Fixes: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
Alexander Bokovoy
015ae27598 ipa-kdb: add asserted identity SIDs
Depending on whether identity of a principal was asserted by the KDC or
by a service doing protocol transition (S4U2Self), AD DCs add a
special extra SID to a PAC record:

 - S-1-18-1 is a SID for an Authentication Authority Asserted Identity
 - S-1-18-2 is a SID for a Service Asserted Identity

This behavior is governed by [MS-SFU] 3.2.5.1.2 "KDC replies with Service
Ticket".

In order to add an asserted identity SID, we need to pass down the
client flags as set by the KDC and check for a protocol transition bit.

Fixes: https://pagure.io/freeipa/issue/8319
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
Alexander Bokovoy
44a255d423 kdb: add minimal server referrals support for enterprise principals
Implement minimal server referrals support for enterprise principals as
defined in RFC 6806.

Use krb5_pac_verify_ext() and krb5_pac_sign_ext() to support cross-realm
S4U extensions. We have to verify/sign PAC and take the realm into
account for S4U in these cases.

The use of extended functions require krb5 1.17+.

For PAC verification, we have to filter existing PAC CLIENT-INFO
structure in cross-realm S4U case because otherwise old CLIENT-INFO
would change the PAC principal due to adding or ommiting the realm in
transition.  Since a new PAC CLIENT-INFO will be provided by
k5_insert_client_info() anyway, we can filter it in all cases.

Generate PAC only for the first S4U2Self request to the client realm
(client != NULL). Otherwise, use the PAC from the cross-realm ticket.
The latter PAC belongs to the impersonated user.

Foreign (inner) principal look up in non-AS request returns
KRB5_KDB_NOENTRY.

Finally, in PAC signing we have to take the realm into account as well
for S4U2Self cross-realm operation. This does not work when compiling
against krb5 1.17 at the moment because sign_authdata() callback does
not know whether we are dealing with an issuing referral or not. In 1.18
a KDC will set a special client flag to signify this when asking KDB
driver to sign a PAC record.

Fixes: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
Alexander Bokovoy
0f881ca0f2 ipa-tests: add a test to make sure MS-PAC is produced by KDC
When ipa-adtrust-install is used, IPA KDC will be configured to issue
tickets with MS-PAC record in them for users and services that have
ipaNTSecurityIdentifier (SID) attribute in the LDAP record.

Test that a newly added user can kinit and obtain a ticket that has
a PAC structure.

Test that a service can impersonate a user and the resulting S4U2Self
requested service ticket also has PAC structure.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
Alexander Bokovoy
23a49538f1 ipa-print-pac: acquire and print PAC record for a user
Helper utility to investigate PAC content of users in trusted
environments. Supports direct ticket acquisition and S4U2Self protocol
transition.

1. Direct ticket acquisition

In direct ticket acquisition mode the utility first does one of the
following actions:
 - obtain a TGT ticket for a user principal using supplied password
 - import existing TGT from a default credentials cache

Once a user TGT is available, the utility will attempt to acquire a service
ticket to a service which key is specified in a keytab (default or
passed with --keytab option) and simulate establishing context to the
service application.

If establishing context succeeds, MS-PAC content of the service ticket
will be printed out.

2. S4U2Self protocol transition

In protocol transition case a service application obtains own TGT using
a key from the keytab and then requests a service ticket to itself in
the name of the user principal, performing S4U2Self request.

If accepting this service ticket succeeds, MS-PAC content of the service
ticket will be printed out.

If KDC does not support or rejects issuing MS-PAC record for a user, an
error message 'KDC has no support for padata type' will be printed.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
Alexander Bokovoy
0317255b53 ipa-kdb: add UPN_DNS_INFO PAC structure
UPN_DNS_INFO structure contains the client's user principal name (UPN)
and a fully qualified domain name. It is used to provide the UPN and the
FQDN that corresponds to the client of the ticket.

The structure is defined in MS-PAC section 2.10. MS-KILE specification
says in the section 3.3.5.6.4.5 that KDCs should return this buffer. It
further clarifies in section 3.3.5.2 that if the user account object has no
userPrincipalName attribute, UPN_DNS_INFO should be constructed by
concatenating user name, the "@" symbol, and the DNS name of the domain.

IPA users don't really have userPrincipalName attribute. Instead, we
always construct their account names in LOGON Info3 structure by
unparsing the canonical principal name without realm, meaning that user
principal can be recovered by concatenating the account name and the
realm (domain).

Unless the account name and unparsed client principal name are different
or the primary Info3 gid (group RID) is the one for machine accounts,
mark the UPN as constructed.

Related: https://pagure.io/freeipa/issue/8319

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Isaac Boukris <iboukris@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-27 17:57:39 +03:00
Serhii Tsymbaliuk
e668b61fd2
WebUI tests: Test all available fields on "Kerberos Ticket Policy" page
Ticket: https://pagure.io/freeipa/issue/8207

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2020-05-26 13:33:57 +02:00
Serhii Tsymbaliuk
7bef36de64
WebUI: Add authentication indicator specific fields to "Kerberos Ticket Policy" page
Ticket: https://pagure.io/freeipa/issue/8207

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2020-05-26 13:33:57 +02:00
Stanislav Levin
26f96595b0 Azure: Make dnf repos consistent
Build container(image registry.fedoraproject.org/f32/fedora-toolbox)
has two more dnf repos enabled compared to Tests container(image
fedora:32). This results in the packages built within the Build
container can have dependencies which are unresolvable(missing)
within Tests container.

This enables updates-testing and updates-testing-modular,
disables fedora-cisco-openh264 for Tests container.

Fixes: https://pagure.io/freeipa/issue/8330
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-05-22 21:12:03 +03:00
Florence Blanc-Renaud
3dd5053cdd ipatests: Check if user with 'User Administrator' role can delete group.
Test scenario:
- create a test user with the 'User Administrator' role
- as this test user, create a new group
- as this test user, delete the new group

Related: https://pagure.io/freeipa/issue/6884

Co-authored-by: Nikhil Dehadrai <ndehadra@redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-05-20 09:23:11 +02:00
Alexander Bokovoy
32c6b02eed baseldap: de-duplicate passed attributes when checking for limits
LDAP attribute options aren't enforced in the schema, thus we strip them
when checking attribute conformance with the schema. This, however, can
leave us with a situation when multiple base LDAP attribute names are
present in the list of attribute names to check.

Use set of attribute names to deduplicate the list.

Fixes: https://pagure.io/freeipa/issue/8328

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-05-19 11:58:56 -04:00
Sumedh Sidhaye
47bddf4f45 Test for removing a subgroup
Problem description:
Removing an IPA sub-group should NOT remove the members
from indirect parent that also belong to other subgroups

The test:
A user and three groups are created groupa,groupb,groupc
'groupc' should be a child of 'groupb' so that you have groupa->groupb->groupc

user is direct member of 'groupa' and as a result member of 'groupb'
and 'groupc'. Now when one adds a direct membership to 'groupb' nothing will
change.

If one removes the direct membership to 'groupb' again,
nothing should change as well

Pagure Link: https://pagure.io/SSSD/sssd/issue/3636

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-05-19 15:11:54 +02:00
Christian Heimes
f3e1171564 Explain the effect of OPT_X_TLS_PROTOCOL_MIN
OpenLDAP 2.4 sets minimum version with SSL_CTX_set_options(). The
system-wide crypto-policies for TLS minimum version are applied
with SSL_CTX_set_min_proto_version(). The set_option() call cannot
not enable lower versions than allowed by crypto-policy, e.g.
openssl.cnf MinProtocol=TLS1.2 + OPT_X_TLS_PROTOCOL_MIN=TLS1.0
result in TLS 1.2 as minimum protocol version.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-05-18 14:45:31 +02:00
Serhii Tsymbaliuk
3645854c11
WebUI tests: Add confirmation step after changing default group in automember tests
Ticket: https://pagure.io/freeipa/issue/8322

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-15 18:03:01 +02:00
Serhii Tsymbaliuk
33ca074558
WebUI: Add confirmation dialog for changing default user/host group
Changing default group on automember rules page is too easy.
Add a confirmation dialog to avoid misclick in the case.

Ticket: https://pagure.io/freeipa/issue/8322

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-05-15 18:03:01 +02:00