Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06
389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.
passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is suported for both the
global and per-group password policies.
passwordGraceUserTime is a count per-user of the number of binds.
When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.
If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.
Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.
Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.
The passwordGraceUserTime attribute is reset to 0 upon a password
reset.
user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.
Note that passwordGraceUserTime is an operational attribute.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For a well-known anonymous principal an Anonymous PKINIT method is used
which ignores the password set in the principal entry. For these
principals any defined user auth type is irrelevant, their use is
defined in RFC 6112. This gets confusing when a default user auth type
requires a particular authentication method.
When AS request for Anonymous PKINIT is used, a TGT would contain no
authentication indicator. It means we cannot apply any specific
indicator policy and must skip the checks.
Fixes: https://pagure.io/freeipa/issue/9165
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Vagrant templates for `pki-`, `389ds-` and `testing-` are no longer
needed after feature added by https://github.com/freeipa/freeipa-pr-ci/pull/463.
This updates the test definitions to use PR-CI's custom arguments with
standard `ci-master-f36` vagrant box.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Check and skip dnssec-enable-related issues in 9.18+ where dnssec-enable
option was removed completely.
Fixes: https://pagure.io/freeipa/issue/9157
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
In bind 9.17.2+ all dnssec utilities were moved to /usr/bin with
commit 4419606c9d2a52536a6dd0882ac0c7068ac27f30.
Since we only use those utilities in the specialized tool, do a fixup of
the paths in the tool.
Fixes: https://pagure.io/freeipa/issue/9157
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
There are some references and thoughts on expanding the
current migrate-ds plugin as well.
Related: https://pagure.io/freeipa/issue/3656
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a new test for ipa-client-install --subid
Add a new test for ipa-server-install --subid
Related: https://pagure.io/freeipa/issue/9159
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Document --subid in the man pages for
- ipa-client-install
- ipa-replica-install
- ipa-server-install
Related: https://pagure.io/freeipa/issue/9159
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add the --subid option to client, server and replica installers.
This option allows to configure authselect with the sssd
profile + with-subid feature, in order to have SSSD setup as
a datasource for subid in /etc/nsswitch.conf.
The default behavior remains unchanged: without the option,
/etc/nsswitch.conf keeps the line subid: files
Fixes: https://pagure.io/freeipa/issue/9159
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This will allow custom hardened password policy to be applied.
Without this then the policy will be skipped because the UA
is not enabled.
The KDC and client will prefer SPAKE any time it is available.
For IPA this should mean we should choose hardened setting over a
default one any time SPAKE is used.
Related: https://pagure.io/freeipa/issue/9121
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Otherwise the resulting value could be outside the valid
bounds of the time value.
Related: https://pagure.io/freeipa/issue/9121
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fixes: https://pagure.io/freeipa/issue/9121
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
So that it prints out a valid command:
- replace "ipa-replica-manage del" by "ipa server-del" (only domain-level1 is now supported)
- the commands needs to be run on a working server, not on the host where ipa-replica-install failed
Fixes: https://pagure.io/freeipa/issue/9162
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Moving 'latest' to Fedora 36 and 'previous' to Fedora 35.
Update Rawhide template.
The following templates are updated:
- gating
- nightly_latest
- nightlñy_latest_selinux
- nightly_previous
- nightly_rawhide
- temp_commit
These are not updated as they will receive a new update after
"custom COPR" feature in PR-CI is merged:
- nightly_latest_389ds
- nightly_latest_pki
- nightly_latest_testing
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
If the client was installed with authconfig, with
automount configured to use ldap (--no-sssd), and later
updated to a version using authselect, the uninstaller
tries to disable the authselect feature with-custom-automount
but fails because there is no authselect profile in use.
(Upgrade of a client does not transform authconfig settings
into authselect settings because we don't have any client
upgrader, as opposed to the ipa-server-upgrade for the
servers).
To avoid uninstallation failure, ignore the error and log a
warning.
The second part of the commit leverages the "complete" state
stored in the statestore, in order to fix issues when
a client installation fails and the installation is reverted
by the ipa-client-install tool itself.
The fix checks if the statestore shows an incomplete
installation. If the install was incomplete and failed before
any attempt to configure authselect, then unconfigure doesn't
need to do anything. In the other cases, unconfigure needs
to revert to the pre-ipa state.
Fixes: https://pagure.io/freeipa/issue/9147
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In RHEL there is a split of packages between Base OS and AppStream
repositories. While both repositories are accessible and enabled by
default, there are different requirements towards binary packages in
both. Namely, Base OS packages cannot have runtime dependencies to
AppStream packages and they should have a stricter lifecycle promises in
terms of API and ABI stability.
SSSD 2.7.0 adds sssd-idp package which provides actual implementation of
OAuth 2.0 integration. Since SSSD is provided as part of Base OS, if
sssd-idp is placed there, then all its dependencies would have to be in
Base OS. Unfortunately, libjose is already part of AppStream.
SSSD team currently pulls sssd-idp as a dependency of sssd-ipa so
FreeIPA didn't need to change anything. However, Base OS requirements
will force SSSD team to drop sssd-idp dependency from sssd-ipa. This
means FreeIPA will have to explicitly depend on sssd-idp.
Fixes:https://pagure.io/freeipa/issue/9155
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
SSSD 2.7.0 provides oidc_child and 'idp' Kerberos pre-auth mechanism as
a part of sssd-idp package which is required by sssd-ipa.
Fixes: https://pagure.io/freeipa/issue/8805
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
When IdP configuration is provided, take it into account:
- idp-specific Kerberos ticket policy would be applied
- Presence of IdP link in a Kerberos principal entry would cause KDB to
enable `idp` pre-authentication method on KDC side.
The latter requires additional pre-authentication method supplied with
SSSD 2.7.0.
Fixes: https://pagure.io/freeipa/issue/8804
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
SSSD OIDC helper is used for negotiating with OAUTH2 or OIDC end points
of external identity providers (IdPs).
ipa-otpd daemon now is capable to take either Issuer URL or individual
endpoints and call SSSD OIDC helper accordingly.
Communication with SSSD OIDC helper can be debugged with the use of a
debug variable set in /etc/ipa/default.conf. Man page for
default.conf(5) has been updated to provide this information.
Fixes: https://pagure.io/freeipa/issue/8805
Signed-off-by: Sumit Bose <sbose@redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
RTD default theme removes discs from the section list items which makes
design pages look strange. Add them back via small CSS override.
Also, add 1em on the left side of the disc to provide visual cue that
this is a list item.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
The test test_ipahealthcheck.py::TestIpaHealthCheckWithoutDNS
is installing the server without DNS but calls the installer
with --no-dnssec-validation option.
Remove the --no-dnssec-validation option as it is incompatible
with a non-DNS setup.
Fixes: https://pagure.io/freeipa/issue/9152
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
healthcheck related tests are failing because of the below issue
"client @0x7f8ee47c4d48 : servfail cache hit (CD=0)"
and as a result healthcheck related packages are not downloaded on test
system.
Hence adding the --no-dnssec-validation option to install_master
and install_replica function
https://pagure.io/freeipa/issue/9151
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Allow npm to install and use latest grunt that is compatible with newer
OpenSSL.
This, in turn, requires ATK interfaces to be present for the chromium
installed by puppeteer.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Newer grunt will pull a PhantomJS that is compatible with newer OpenSSL
so the workaround is not needed anymore.
Additionally, OpenSSL 3.0 is more strict and does not tolerate
non-existing default configuration file.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Use fedora-toolbox:36 image as it is prepared to work with systemd and
sudo
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
subid range management does not allow to delete ranges
If subid range was allocated, it cannot be removed because there might
be file objects associated with it on one of IPA clients.
In Web UI a button to remove the range should not be shown.
Remove corresponding test from the Web UI test for subid as the button
to remove the subid range is not present anymore.
Fixes: https://pagure.io/freeipa/issue/9150
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
The test is calling getcert rekey -G DSA in order to rekey
a certificate with a DSA key, but DSA support has been disabled
in the default crypto policy, and certmonger does not support it
any more (see the BZ
https://bugzilla.redhat.com/show_bug.cgi?id=2066439)
Remove the test as it's not relevant anymore. The rekey
operation is tested anyway in other tests:
- test_certmonger_rekey_keysize
- test_rekey_keytype_RSA
- test_rekey_request_id
Fixes: https://pagure.io/freeipa/issue/9140
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ReadTheDocs somehow caches requirements and insists in using old
version of Sphinx (1.8). We have to force using newer one (4.5)
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
One-liner rule to update ipasphinx dependency as we are using m2r2
package which is compatible with newer Sphinx.
Fixes: https://pagure.io/freeipa/issue/9148
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
We need to install additional plantuml package before the build
Fixes: https://pagure.io/freeipa/issue/9148
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Documentation generator can be run inside Python virtual environment.
This allows to isolate from the system-wide changes and add Sphinx
extensions that aren't packaged in a distribution.
The only exception right now is plantuml package. We rely on plantuml to
generate diagrams and since it is written in Java, it cannot be
installed directly into the Python venv through 'pip' tool.
Fixes: https://pagure.io/freeipa/issue/9148
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
m2r project was forked to m2r2 which is actively developed.
m2r2 works with new Sphinx versions.
Update our list of documentation requirements and add support for
plantuml to be able to integrate diagrams.
Fixes: https://pagure.io/freeipa/issue/9148
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
The file epn.conf has been updated when fixing issue 9145
and the test test_epn.py::TestEPN::test_EPN_config_file
is comparing its sha256sum with the checksum of the
shipped file from the package ipa-client-epn.
The expected checksum needs to be updated.
Fixes: https://pagure.io/freeipa/issue/9146
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In /etc/ipa/epn.conf it is possible to customize the
e-mail subject by setting msg_subject=<value> but this
setting is not documented in the man page.
Add the options in epn.conf man page and in the template.
Fixes: https://pagure.io/freeipa/issue/9145
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The tests
TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group
and
TestPosixAutoPrivateGroup::test_gidnumber_not_corresponding_existing_group
are expected to fail until SSSD fixes issues 5988 and 5989.
They currently define an xfail_context with a condition based on
sssd version but that condition is wrong (as of today, no version
of sssd provides the fix).
Remove the wrong condition so that the test is always expected to fail.
Fixes: https://pagure.io/freeipa/issue/9141
Reviewed-By: Anuja More <amore@redhat.com>