- check only IPv6 address of local NS if specified
- increase request timeout(2sec is too small, BIND resolver's
default 10sec)
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Insert a class before LDAPClient to cache the return value
of get_entry() and certain exceptions (NotFound and
EmptyResult). The cache uses an OrderedDict for the cases
where a large cache might result an LRU model can be used.
The cache be enabled (default) or disabled using
ldap_cache=True/False.
This cache is per-request so is not expected to grow
particularly large except in the case of a large batch
command.
The key to the cache entry is the dn of the object
being requested.
Any write to or referencing a cached dn is evicted from
the cache.
The set of attributes is somewhat taken into consideration.
"*" does not always match everything being asked for by
a plugin so unless the requested set of attributes is a
direct subset of what is cached it will be re-fetched. Err
on the side of safety.
Despite this rather conserative approach to caching 29%
of queries are saved with ipatests/xmlrpc_tests/*
https://pagure.io/freeipa/issue/8798
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
systemd-resolved in Fedora 34+ returns SERVFAIL for reverse zone that
does not yet exist when we attempt to look it up before installation.
Assume that this is OK -- we are going to create the zone ourselves
during installation.
Fixes: https://pagure.io/freeipa/issue/8794
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
SSH keys allow to have multiple entries for
the permitopen and permitlisten options. Prior
to this change, only one of each could be configured.
Fixes: https://pagure.io/freeipa/issue/8423
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If the system lacks DBM support and an older database is
opened then an exception is raised. Include the directory in
the exception so it is clearer which database cannot be opened.
https://pagure.io/freeipa/issue/8675
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Operations in FIPS mode make impossible use of NTLMSSP when
authenticating to trusted Active Directory domain controllers because
RC4 cipher is not allowed. Instead, Kerberos authentication have to be
used. We switched to enforce Kerberos authentication when communicating
with trusted domains' domain controllers everywhere.
Kerberos library uses system wide configuration which in IPA defaults to
resolving location of KDCs via DNS SRV records. Once trust is
established, SSSD will populate a list of closest DCs and provide them
through the KDC locator plugin. But at the time the trust is established
performing DNS SRV-based discovery of Kerberos KDCs might fail due to
multiple reasons. It might also succeed but point to a DC that doesn't
know about the account we have to use to establish trust.
One edge case is when DNS SRV record points to an unreachable DC,
whether due to a firewall or a network topology limitations. In such
case an administrator would pass --server <server> option to
'ipa trust-add' or 'ipa trust-fetch-domains' commands.
'ipa trust-fetch-domains' runs a helper via oddjobd. This helper was
already modified to support --server option and generated custom
krb5.conf overlay to pin to a specific AD DC. However, this
configuration was removed as soon as we finished talking to AD DCs.
With switch to always use Kebreros to authenticate in retrieval of the
topology information, we have to use the overlay everywhere as well.
Convert the code that generated the overlay file into a context that
generates the overlay and sets environment. Reuse it in other
trust-related places where this matters.
Oddjob helper runs as root and can write to /run/ipa for the krb5.conf
overlay.
Server side of 'ipa trust-add' code calls into ipaserver/dcerpc.py and
runs under ipaapi so can only write to /tmp. Since it is a part of the
Apache instance, it uses private /tmp mounted on tmpfs.
Fixes: https://pagure.io/freeipa/issue/8664
Related: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In ipa-healthcheck ds-related tests i.e
test_ipahealthcheck.py::TestIpaHealthCheck::test_ipahealthcheck_ds_configcheck
there exists a scenario of modifying the "nsslapd-logging-hr-timestamps-enabled" attribute to off
The tests are failing with the below error
"ipalib.errors.MidairCollision: change collided with another change"
The test audit log displays that the attribute is deleted first and then added.
changetype: modify
delete: nsslapd-logging-hr-timestamps-enabled
nsslapd-logging-hr-timestamps-enabled: on
-
add: nsslapd-logging-hr-timestamps-enabled
nsslapd-logging-hr-timestamps-enabled: off
Adding the nsslapd-logging-hr-timestamps-enabled attribute in _SINGLE_VALUE_OVERRIDE table
to check if we generate a replace instead of add and delete.
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
It's handy in general and good for testing to be able to
detect the current ACME status without having to revert
to using curl.
https://pagure.io/freeipa/issue/8524
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
ipa_gethostfqdn() now returns a pointer to a statically allocated buffer
or NULL in case of an error. The caller no longer has to supply a
correctly allocated buffer.
Rename IPA_HOST_HOST to_LEN IPA_HOST_FQDN_LEN and use IPA_HOST_FQDN_LEN
wherever code copies a hostname supplied from ipa_gethostfqdn().
Clarify that MAXHOSTNAMELEN and MAXHOSTFQDNLEN are different things.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
FreeIPA's Python and C code used different approaches to get the FQDN of
the host. Some places assumed that gethostname() returns a FQDN. Other
code paths used glibc's resolver to resolve the current node name to a
FQDN.
Python code now uses the ipalib.constants.FQDN where a fully qualified
domain name is expected. The variable is initialized only once and avoids
potential DNS lookups.
C code uses a new helper function ipa_gethostfqdn() in util package. The
function implements similar logic as gethostfqdn() except it uses more
modern getaddrinfo(). The result is cached as well.
Fixes: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The extended sleep feature is not used at the moment.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The Sleeper class is a helper that makes poll/sleep loops with timeout
easier to write. It takes care of edge cases and does not oversleep
timeout deadline.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config
entry to cn=bdb subentry. Manual patching of dse.ldif was no longer
working. Installations with 389-DS 1.4.3 and newer are affected.
Low lock count can affect performance during high load, e.g. mass-import
of users or lots of concurrent connections.
Bump minimal DS version to 1.4.3. Fedora 32 and RHEL 8.3 have 1.4.3.
Fixes: https://pagure.io/freeipa/issue/8515
See: https://pagure.io/freeipa/issue/5914
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
detect_resolve1_resolv_conf() detects if systemd-resolved is enabled and
manages /etc/resolv.conf.
get_resolve1_nameservers() gets upstream DNS servers from
systemd-resolved's D-Bus interface.
get_dnspython_nameservers() gets upstream DNS servers from
/etc/resolv.conf via dns.python.
get_nameservers() gets a list of unique, non-loopback DNS server IP
addresses.
Also fixes setup.py to include D-Bus for ipalib instead of ipapython.
See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
User and Group now return unmodified instance when they are called with
an instance of themselves: User(user) is user.
run_command() and Service class accept either names or User object.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
For now, `resolve_address` for dnspython < 2.0.0 is actually
the instance method of the global DNSResolver object and is not
the instance method of the corresponding object from which it was
called. This can result in unexpected behavior.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
`dnspython` 2.0.0 has many changes and several deprecations like:
```
> dns.resolver.resolve() has been added, allowing control of whether
search lists are used. dns.resolver.query() is retained for backwards
compatibility, but deprecated. The default for search list behavior can
be set at in the resolver object with the use_search_by_default
parameter. The default is False.
> dns.resolver.resolve_address() has been added, allowing easy
address-to-name lookups.
```
The new class `DNSResolver`:
- provides the compatibility layer
- defaults the previous behavior (the search list configured in the
system's resolver configuration is used for relative names)
- defaults lifetime to 15sec (determines the number of seconds
to spend trying to get an answer to the question)
Fixes: https://pagure.io/freeipa/issue/8383
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now FreeIPA handles explicit migration of NSS DB (dbm->sql).
But Mozilla's NSS can be built without the support of legacy database
(DBM). This implies that neither implicit nor explicit DB migration
to SQL will work. So, eventually, this support will be removed from
FreeIPA.
With this patch, the instantiation of NSS with legacy db(if not
supported by NSS) is forbidden.
Fixes: https://pagure.io/freeipa/issue/8474
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-server-upgrade does not like platform mismatches. Upgrade from an
old container to recent container fails with error message:
```
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
("Unable to execute IPA upgrade: platform mismatch (expected 'fedora', current 'fedora_container')", 1)
```
Upgrade state now treats a container subplatform like its main platform.
``fedora_container`` is really a ``fedora`` platform with some paths
redirected to ``/data`` partition.
The patch also enhances debug logging for installer and upgrader.
Related: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a default certificate profile to be used with the ACME service.
The profile requires the (Dogtag) user interacting with the CA to be
a member of the (Dogtag) "ACME Agents" group. For each CA server we
create a dedicated ACME agent account, make it a member of this
group, and configure the ACME issuer component to use that account.
Part of: https://pagure.io/freeipa/issue/4751
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
According to datetime.utcfromtimestamp() method documentation[1],
this and similar methods fail for dates past 2038 and can be replaced by
the following expression on the POSIX compliant systems:
datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=timestamp)
Make sure to use a method that at least allows to import the timestamps
properly to datetime objects on 32-bit platforms.
[1] https://docs.python.org/3/library/datetime.html#datetime.datetime.utcfromtimestamp
Fixes: https://pagure.io/freeipa/issue/8378
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
OpenLDAP 2.4 sets minimum version with SSL_CTX_set_options(). The
system-wide crypto-policies for TLS minimum version are applied
with SSL_CTX_set_min_proto_version(). The set_option() call cannot
not enable lower versions than allowed by crypto-policy, e.g.
openssl.cnf MinProtocol=TLS1.2 + OPT_X_TLS_PROTOCOL_MIN=TLS1.0
result in TLS 1.2 as minimum protocol version.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add whitespaces around assignment operator and use consistent double
quotes.
https://pagure.io/freeipa/issue/8306
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This worked for now, but is SyntaxError in Python 3.9.0a6:
File "/usr/lib/python3.9/site-packages/ipapython/cookie.py", line 222
return'/'
^
SyntaxError: invalid string prefix
(The Python change might actually be reverted before 3.9 final,
but this can be fixed anyway.)
Reviewed-By: Christian Heimes <cheimes@redhat.com>
W1661(exception-escape), RPCClient.forward]
Using an exception object that was bound by an except handler)
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
``__getnewargs__()`` must return a tuple.
Fixes ``E0312(invalid-getnewargs-returned), APIVersion.__getnewargs__]
__getnewargs__ does not return a tuple)``.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When re-running `ipa-server-install --setup-dns` on already installed
server, we do not get to the check of being already installed because
DNS zone overlap forces us to fail earlier.
Change exception returned for this case from check_zone_overlap() to
return structured information that allows to understand whether we are
finding a conflict with ourselves.
Use the returned information to only fail DNS check at this point if DNS
zone overlap is generated by a different name server than ourselves.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
verify_server_cert_validity() and verify_ca_cert_validity() now check
the validity time range of external certificates. The check fails if the
certificate is not valid yet or will expire in less than an hour.
Fixes: https://pagure.io/freeipa/issue/8142
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
New Pylint (2.4.3) catches several new 'true problems'. At the same
time, it warns about things that are massively and reasonably
employed in FreeIPA.
list of fixed:
- no-else-continue
- redeclared-assigned-name
- no-else-break
- unnecessary-comprehension
- using-constant-test (false positive)
list of ignored (responsibility of contributors and reviewers):
- import-outside-toplevel
Fixes: https://pagure.io/freeipa/issue/8102
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
ipautil.run() now only installs a preexec_fn when it is actually needed.
This addresses a compatibility issue with mod_wsgi subinterpreters under
Python 3.8.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1759290
See: https://bugs.python.org/issue37951
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This patche removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Python 3.8 introduced a warning to check for usage of "is not"
when comparing literals. Any such usage will output:
SyntaxWarning: "is not" with a literal. Did you mean "!="?
See: https://bugs.python.org/issue34850
Fixes: https://pagure.io/freeipa/issue/8057
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This will let us call it from ipaplatform.
Mark the original location as deprecated.
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Commit 5be9341fba disallowed simple bind
over an insecure connection. Password logins were only allowed over LDAPS
or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.
This commit lifts the restriction and permits insecure binds over plain
LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA
certificate is configured with a plain LDAP connection.
Fixes: https://pagure.io/freeipa/issue/8040
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Commit 9182917280a5c2590fa677729db54b38a9ac4d1f introduced
SUCCESS, SERVER_INSTALL_ERROR and SERVER_NOT_CONFIGURED to
deal with cases when server is not configured.
Actually use SERVER_NOT_CONFIGURED in log_failure instead of 2.
Related-to: https://pagure.io/freeipa/issue/6843
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
With ipa 4.5+, the RA cert is stored in files in
/var/lib/ipa/ra-agent.{key|pem}. The upgrade code handles
the move from /etc/httpd/alias to the files but does not remove
the private key from /etc/httpd/alias.
The fix calls certutil -F -n ipaCert to remove cert and key,
instead of -D -n ipaCert which removes only the cert.
Fixes: https://pagure.io/freeipa/issue/7329
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
There are cases when output from a utility run contains sensitive
content that is better to avoid logging. For example, klist can be told
to show actual encryption keys with -K option. Redacting them out with
nolog option to ipapython.ipautil.run() is not possible because
replacement routine expects exact matches.
Introduce two boolean options that allow to skip printing output from
the utility being run:
-- nolog_output: skip printing captured stdout
-- nolog_error: skip printing captured stderr
These options default to False (thus, stdout/stderr content will
continue to be printed). In case they were set to True, corresponding
line will contain
stdout=<REDACTED>
or
stderr=<REDACTED>
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When creating ipa-client-samba tool, few common routines from the server
installer code became useful for the client code as well.
Move them to ipapython.ipautil and update references as well.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The admintool will display the message when something goes wrong:
See %s for more information" % self.log_file_name
This is handy except when finally logging setup is not done
yet so the log file doesn't actually get written to.
This can happen if validation catches and raises an exception.
Fixes: https://pagure.io/freeipa/issue/7952
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Equal DNs with multi-valued RDNs can compare inequal if one (or
both) is constructed from a cryptography.x509.Name, because the AVAs
in the multi-valued RDNs are not being sorted.
Sort the AVAs when constructing from Name and add test cases for
equality checks on multi-valued RDNs constructed from inputs with
permuted AVA order.
Part of: https://pagure.io/freeipa/issue/7963
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This is to suppress the spurious error message:
The ipa-client-install command failed.
when the client is not configured.
This is managed by allowing a ScriptError to return SUCCESS (0)
and have this ignored in log_failure().
https://pagure.io/freeipa/issue/7836
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
