Commit Graph

296 Commits

Author SHA1 Message Date
Petr Viktorin
5bcbe1df37 Run ntpdate in verbose mode, not debug (i.e. no-op) mode
Remove the debug argument to synconce_ntp since we always want the logs
to be verbose.

https://fedorahosted.org/freeipa/ticket/3048
2012-09-04 18:32:04 +02:00
Tomas Babej
53967f21bd Handle SSSD restart crash more gently.
In ipa-client-install, failure of restart of sssd service no longer
causes the crash of the install process. Adds a warning message to
the root logger instead.

https://fedorahosted.org/freeipa/ticket/2827
2012-08-14 15:45:32 +02:00
John Dennis
94d457e83c Use DN objects instead of strings
* Convert every string specifying a DN into a DN object

* Every place a dn was manipulated in some fashion it was replaced by
  the use of DN operators

* Add new DNParam parameter type for parameters which are DN's

* DN objects are used 100% of the time throughout the entire data
  pipeline whenever something is logically a dn.

* Many classes now enforce DN usage for their attributes which are
  dn's. This is implmented via ipautil.dn_attribute_property(). The
  only permitted types for a class attribute specified to be a DN are
  either None or a DN object.

* Require that every place a dn is used it must be a DN object.
  This translates into lot of::

    assert isinstance(dn, DN)

  sprinkled through out the code. Maintaining these asserts is
  valuable to preserve DN type enforcement. The asserts can be
  disabled in production.

  The goal of 100% DN usage 100% of the time has been realized, these
  asserts are meant to preserve that.

  The asserts also proved valuable in detecting functions which did
  not obey their function signatures, such as the baseldap pre and
  post callbacks.

* Moved ipalib.dn to ipapython.dn because DN class is shared with all
  components, not just the server which uses ipalib.

* All API's now accept DN's natively, no need to convert to str (or
  unicode).

* Removed ipalib.encoder and encode/decode decorators. Type conversion
  is now explicitly performed in each IPASimpleLDAPObject method which
  emulates a ldap.SimpleLDAPObject method.

* Entity & Entry classes now utilize DN's

* Removed __getattr__ in Entity & Entity clases. There were two
  problems with it. It presented synthetic Python object attributes
  based on the current LDAP data it contained. There is no way to
  validate synthetic attributes using code checkers, you can't search
  the code to find LDAP attribute accesses (because synthetic
  attriutes look like Python attributes instead of LDAP data) and
  error handling is circumscribed. Secondly __getattr__ was hiding
  Python internal methods which broke class semantics.

* Replace use of methods inherited from ldap.SimpleLDAPObject via
  IPAdmin class with IPAdmin methods. Directly using inherited methods
  was causing us to bypass IPA logic. Mostly this meant replacing the
  use of search_s() with getEntry() or getList(). Similarly direct
  access of the LDAP data in classes using IPAdmin were replaced with
  calls to getValue() or getValues().

* Objects returned by ldap2.find_entries() are now compatible with
  either the python-ldap access methodology or the Entity/Entry access
  methodology.

* All ldap operations now funnel through the common
  IPASimpleLDAPObject giving us a single location where we interface
  to python-ldap and perform conversions.

* The above 4 modifications means we've greatly reduced the
  proliferation of multiple inconsistent ways to perform LDAP
  operations. We are well on the way to having a single API in IPA for
  doing LDAP (a long range goal).

* All certificate subject bases are now DN's

* DN objects were enhanced thusly:
  - find, rfind, index, rindex, replace and insert methods were added
  - AVA, RDN and DN classes were refactored in immutable and mutable
    variants, the mutable variants are EditableAVA, EditableRDN and
    EditableDN. By default we use the immutable variants preserving
    important semantics. To edit a DN cast it to an EditableDN and
    cast it back to DN when done editing. These issues are fully
    described in other documentation.
  - first_key_match was removed
  - DN equalty comparison permits comparison to a basestring

* Fixed ldapupdate to work with DN's. This work included:
  - Enhance test_updates.py to do more checking after applying
    update. Add test for update_from_dict(). Convert code to use
    unittest classes.
  - Consolidated duplicate code.
  - Moved code which should have been in the class into the class.
  - Fix the handling of the 'deleteentry' update action. It's no longer
    necessary to supply fake attributes to make it work. Detect case
    where subsequent update applies a change to entry previously marked
    for deletetion. General clean-up and simplification of the
    'deleteentry' logic.
  - Rewrote a couple of functions to be clearer and more Pythonic.
  - Added documentation on the data structure being used.
  - Simplfy the use of update_from_dict()

* Removed all usage of get_schema() which was being called prior to
  accessing the .schema attribute of an object. If a class is using
  internal lazy loading as an optimization it's not right to require
  users of the interface to be aware of internal
  optimization's. schema is now a property and when the schema
  property is accessed it calls a private internal method to perform
  the lazy loading.

* Added SchemaCache class to cache the schema's from individual
  servers. This was done because of the observation we talk to
  different LDAP servers, each of which may have it's own
  schema. Previously we globally cached the schema from the first
  server we connected to and returned that schema in all contexts. The
  cache includes controls to invalidate it thus forcing a schema
  refresh.

* Schema caching is now senstive to the run time context. During
  install and upgrade the schema can change leading to errors due to
  out-of-date cached schema. The schema cache is refreshed in these
  contexts.

* We are aware of the LDAP syntax of all LDAP attributes. Every
  attribute returned from an LDAP operation is passed through a
  central table look-up based on it's LDAP syntax. The table key is
  the LDAP syntax it's value is a Python callable that returns a
  Python object matching the LDAP syntax. There are a handful of LDAP
  attributes whose syntax is historically incorrect
  (e.g. DistguishedNames that are defined as DirectoryStrings). The
  table driven conversion mechanism is augmented with a table of
  hard coded exceptions.

  Currently only the following conversions occur via the table:

  - dn's are converted to DN objects

  - binary objects are converted to Python str objects (IPA
    convention).

  - everything else is converted to unicode using UTF-8 decoding (IPA
    convention).

  However, now that the table driven conversion mechanism is in place
  it would be trivial to do things such as converting attributes
  which have LDAP integer syntax into a Python integer, etc.

* Expected values in the unit tests which are a DN no longer need to
  use lambda expressions to promote the returned value to a DN for
  equality comparison. The return value is automatically promoted to
  a DN. The lambda expressions have been removed making the code much
  simpler and easier to read.

* Add class level logging to a number of classes which did not support
  logging, less need for use of root_logger.

* Remove ipaserver/conn.py, it was unused.

* Consolidated duplicate code wherever it was found.

* Fixed many places that used string concatenation to form a new
  string rather than string formatting operators. This is necessary
  because string formatting converts it's arguments to a string prior
  to building the result string. You can't concatenate a string and a
  non-string.

* Simplify logic in rename_managed plugin. Use DN operators to edit
  dn's.

* The live version of ipa-ldap-updater did not generate a log file.
  The offline version did, now both do.

https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-08-12 16:23:24 -04:00
Martin Kosek
4879c68d68 Improve address family handling in sockets
Many functions use low-level socket interface for connection or
various checks. However, most of the time we don't respect
automatic address family detection but rather try to force our
values. This may cause either redundat connection tries when an
address family is disabled on system tries or even crashes
when socket exceptions are not properly caught.

Instead of forcing address families to socket, rather use
getaddrinfo interface to automatically retrieve a list of all
relevant address families and other connection settings when
connecting to remote/local machine or binding to a local port.
Now, we will also fill correctly all connection parameters like
flowinfo and scopeid for IPv6 connections which will for example
prevent issues with scoped IPv6 addresses.

bind_port_responder function was changed to at first try to bind
to IPv6 wildcard address before IPv4 as IPv6 socket is able to
accept both IPv4 and IPv6 connections (unlike IPv4 socket).

nsslib connection was refactored to use nss.io.AddrInfo class to
get all the available connections. Socket is now not created by
default in NSSConnection class initializer, but rather when the
actual connection is being made, becase we do not an address family
where connection is successful.

https://fedorahosted.org/freeipa/ticket/2913
https://fedorahosted.org/freeipa/ticket/2695
2012-07-13 14:25:18 +02:00
Gowrishankar Rajaiyan
17c638b70e Adding exit status 3 & 4 to ipa-client-install man page 2012-07-12 11:42:50 +02:00
Rob Crittenden
29fd982f7f Make client server option multi-valued, allow disabling DNS discovery
Let the --server option be specified multiple times on the command line.
The first one passed in is the one we enroll against.

Do additional verification before setting dnsok so we can be sure that
the record(s) were actually discovered in DNS.

If servers are provided on the CLI and --fixed-primary is set then
_srv_ is not added to ipa_server in sssd.conf.

https://fedorahosted.org/freeipa/ticket/2841
2012-07-10 10:45:39 +02:00
Petr Viktorin
ec5115a155 Typo fixes 2012-06-25 21:35:11 -04:00
Rob Crittenden
f4d2f2a65b Configure automount using autofs or sssd.
This script edits nsswitch.conf to use either ldap (autofs) or
sss (sssd) to find automount maps.

NFSv4 services are started so Kerberos encryption and/or integrity can
be used on the maps.

https://fedorahosted.org/freeipa/ticket/1233
https://fedorahosted.org/freeipa/ticket/2193
2012-06-25 17:24:34 -04:00
Petr Viktorin
8f051c978e Improve autodiscovery logging
Track the source of discovered values (e.g. from option, interactive,
retrieved from DNS), and show it in the log in the configuration
overview and on erorrs involving the value.

Add additional log messages explaining the autodiscovery process.

For domains the discovery tries to get LDAP SRV records from, log
reasons explaining why the domain was chosen. Also, prevent the
same domain from being searched multiple times.

Add names for error codes, and show them in the log.

Also, modernize the discovery code a bit: move away from the
Java-style accessors, don't needlessly pre-declare variables, make
IPADiscovery a new-style class.

https://fedorahosted.org/freeipa/ticket/2553
2012-06-17 21:47:06 -04:00
Petr Viktorin
3e0116491f Improve ipa-client-install debug output
The client does a fair bit of work when trying to validate the hostnames,
do discovery and verify that the server it gets back is an IPA server.
The debug logging around this was horrid with very little state information,
duplicate log messages or just nothing at all.
In many cases errors were printed only to stderr/stdout.

This patch makes the logging and output go through the IPA log manager.
It sets up logging so that INFO, WARNING, and ERROR messages show up on the
console. If -d is given, DEBUG messages are also printed.
All messages also go to the log file.
The only exception is user input: prompts are only printed to the console,
but if the user provides any information it is echoed in a DEBUG-level
message.

https://fedorahosted.org/freeipa/ticket/2553
2012-06-17 21:47:06 -04:00
Rob Crittenden
55d2d92dcf Add flag to ipa-client-install to managed order of ipa_server in sssd
The --fixed-primary flag determine the order of the ipa_server directive.
When set the IPA server discovered (or passed in via --server or via
user-input) will be listed first. Otherwise _srv_ is listed first.

https://fedorahosted.org/freeipa/ticket/2282
2012-06-13 22:38:14 -04:00
Petr Viktorin
3e3ac0ebab Clean keytabs before installing new keys into them
In ipa-client-install (which is also called from server/replica
installation), call `ipa-rmkeytab -k <keytab> -r $REALM` to be
sure that there aren't any remnants from a previous install of
IPA or another KDC altogether.

https://fedorahosted.org/freeipa/ticket/2698
2012-06-11 14:42:52 +02:00
Sumit Bose
ee936431c8 Move some krb5 keys related functions from ipa-client to util 2012-06-11 12:04:05 +02:00
Rob Crittenden
9e877585e2 If SELinux is enabled ensure we also have restorecon.
We don't have a specific requires on the policycoreutils package. It
gets pulled in as a dependency on the server anyway, but checking
there is like a belt and suspenders.

On the client we don't require SELinux at all. If SELinux is enabled
however we need to set things up properly. This is provided by the
policycoreutils package so fail if that isn't available.

https://fedorahosted.org/freeipa/ticket/2368
2012-05-31 14:07:05 +02:00
Jan Cholasta
d62b2d9be5 SSH configuration fixes.
Use GlobalKnownHostsFile instead of GlobalKnownHostsFile2 in ssh_config, as the
latter has been deprecated in OpenSSH 5.9.

If DNS host key verification is enabled, restrict the set of allowed host
public key algorithms to ssh-rsa and ssh-dss, as DNS SSHFP records support only
these algorithms.

Make sure public key user authentication is enabled in both ssh and sshd.

ticket 2769
2012-05-30 07:47:27 +02:00
Ondrej Hamada
bdc80fe372 Always set ipa_hostname for sssd.conf
ipa-client-install will always set ipa_hostname for sssd.conf in order
to prevent the client from getting into weird state.

https://fedorahosted.org/freeipa/ticket/2527
2012-05-28 17:09:22 +02:00
Martin Kosek
f1ed123cad Replace DNS client based on acutil with python-dns
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
  but but rather C-like interface based on functions and
  structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
  authconfig and thus can break without notice

Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
  in installutils to make the whole DNS check simpler and
  less error-prone. Logging was improves for the remaining
  checks
- improved logging for ipa-client-install DNS discovery

https://fedorahosted.org/freeipa/ticket/2730
https://fedorahosted.org/freeipa/ticket/1837
2012-05-24 13:55:56 +02:00
Martin Kosek
b8f30bce77 Make ipa 2.2 client capable of joining an older server
IPA server of version 2.2 and higher supports Kerberos S4U2Proxy
delegation, i.e. ipa command no longer forwards Kerberos TGT to the
server during authentication. However, when IPA client of version
2.2 and higher tries to join an older IPA server, the installer
crashes because the pre-2.2 server expects the TGT to be forwarded.

This patch adds a fallback to ipa-client-install which would detect
this situation and tries connecting with TGT forwarding enabled
again. User is informed about this incompatibility.

Missing realm was also added to keytab kinit as it was reported to
fix occasional install issues.

https://fedorahosted.org/freeipa/ticket/2697
2012-05-01 20:38:43 -04:00
Jan Cholasta
6569f355b6 Set the "KerberosAuthentication" option in sshd_config to "no" instead of "yes".
Setting it to "yes" causes sshd to handle kinits itself, bypassing SSSD.

ticket 2689
2012-04-29 19:45:13 -04:00
Martin Kosek
4d66cc07dc Fix help of --hostname option in ipa-client-install
Replace word "server" with "machine" to clearly distinguish between
IPA server and other machines (clients) and to also match the help
with ipa-client-install man pages.

https://fedorahosted.org/freeipa/ticket/1967
2012-04-19 19:55:44 +02:00
John Dennis
b8f1292e86 Use indexed format specifiers in i18n strings
Translators need to reorder messages to suit the needs of the target
language. The conventional positional format specifiers (e.g. %s %d)
do not permit reordering because their order is tied to the ordering
of the arguments to the printf function. The fix is to use indexed
format specifiers.

https://fedorahosted.org/freeipa/ticket/2596
2012-04-10 18:07:10 -04:00
Simo Sorce
735618a1c6 Fix memleak and silence Coverity defects
Some of these are not real defects, because we are guaranteed to have valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.

One meleak on error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c

Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is
actually fine as we count before hand so we never actually use the wrong value
that is computed on the last pass when p == 0

Fixes: https://fedorahosted.org/freeipa/ticket/2488
2012-03-22 17:33:13 +01:00
Lars Sjostrom
96390ca3e5 Add disovery domain if client domain is different from server domain
https://fedorahosted.org/freeipa/ticket/2209
2012-03-14 22:06:26 -04:00
Rob Crittenden
14975cdcdd Configure a basic ldap.conf for OpenLDAP in /etc/openldap/ldap.conf
Set URI, BASE and TLS_CACERT

Also update the man page to include a list of files that the client
changes.

https://fedorahosted.org/freeipa/ticket/1810
2012-03-14 21:28:52 -04:00
Ondrej Hamada
71d134dfa0 More exception handlers in ipa-client-install
Added exception handler to certutil operation of adding CA to the
default NSS database. If operation fails, installation is aborted and
changes are rolled back.

https://fedorahosted.org/freeipa/ticket/2415

If obtaining host TGT fails, the installation is aborted and changes are
rolled back.

https://fedorahosted.org/freeipa/ticket/1995
2012-03-09 15:48:27 +01:00
Rob Crittenden
10478ac8a1 Only warn if ipa-getkeytab doesn't get all requested enctypes.
Older client machines may request DES keys not supported in newer
KDCs. Thsi was causing the entire request to fail as well as client
enrollment.

https://fedorahosted.org/freeipa/ticket/2424
2012-03-04 17:42:18 -05:00
Rob Crittenden
55f89dc689 Do kinit in client before connecting to backend
The client installer was failing because a backend connection could be
created before a kinit was done.

Allow multiple simultaneous connections. This could fail with an NSS
shutdown error when the second connection was created (objects still
in use). If all connections currently use the same database then there
is no need to initialize, let it be skipped.

Add additional logging to client installer.

https://fedorahosted.org/freeipa/ticket/2478
2012-03-04 17:23:01 -05:00
Rob Crittenden
356823d270 Add --noac option to ipa-client-install man page
https://fedorahosted.org/freeipa/ticket/2369
2012-03-04 17:17:01 -05:00
Ondrej Hamada
111ca8a482 ipa-client-install not calling authconfig
Option '--noac' was added. If set, the ipa-client-install will not call
authconfig for setting nsswitch.conf and PAM configuration.

https://fedorahosted.org/freeipa/ticket/2369
2012-03-05 09:46:14 -05:00
Jan Cholasta
afad0775e1 Configure SSH features of SSSD in ipa-client-install.
OpenSSH server (sshd) is configured to fetch user authorized keys from
SSSD and OpenSSH client (ssh) is configured to use and trigger updates
of the SSSD-managed known hosts file.

This requires SSSD 1.8.0.
2012-03-01 18:42:56 -05:00
Petr Viktorin
be14c6609b Use reboot from /sbin
According to FHS, the reboot command should live in /sbin.
Systems may also have a symlink in /usr/bin, but they don't have to.

https://fedorahosted.org/freeipa/ticket/2480
2012-03-02 16:53:47 +01:00
Rob Crittenden
e889b82599 Add support defaultNamingContext and add --basedn to migrate-ds
There are two sides to this, the server and client side.

On the server side we attempt to add a defaultNamingContext on already
installed servers. This will fail on older 389-ds instances but the
failure is not fatal. New installations on versions of 389-ds that
support this attribute will have it already defined.

On the client side we need to look for both defaultNamingContext and
namingContexts. We still need to check that the defaultNamingContext
is an IPA server (info=IPAV2).

The migration change also takes advantage of this and adds a new
option which allows one to provide a basedn to use instead of trying
to detect it.

https://fedorahosted.org/freeipa/ticket/1919
https://fedorahosted.org/freeipa/ticket/2314
2012-02-29 15:28:13 +01:00
John Dennis
059a90702e Implement session activity timeout
Previously sessions expired after session_auth_duration had elapsed
commencing from the start of the session. We new support a "rolling"
expiration where the expiration is advanced by session_auth_duration
everytime the session is accessed, this is equivalent to a inactivity
timeout. The expiration is still constrained by the credential
expiration in all cases. The session expiration behavior is
configurable based on the session_auth_duration_type.

* Reduced the default session_auth_duration from 1 hour to 20 minutes.

* Replaced the sesssion write_timestamp with the access_timestamp and
  update the access_timestamp whenever the session data is created,
  retrieved, or written.

* Modify set_session_expiration_time to handle both an inactivity
  timeout and a fixed duration.

* Introduce  KerberosSession as a mixin class to share session
  duration functionality with all classes manipulating session data
  with Kerberos auth. This is both the non-RPC login class and the RPC
  classes.

* Update make-lint to handle new classes.

* Added session_auth_duration_type config item.

* Updated default.conf.5 man page for new session_auth_duration_type item.

* Removed these unused config items: mount_xmlserver,
  mount_jsonserver, webui_assets_dir

https://fedorahosted.org/freeipa/ticket/2392
2012-02-27 05:55:15 -05:00
Martin Kosek
dc47f77dc1 Add client hostname requirements to man
Changing a client hostname after ipa-client-install would break
the enrollment on IPA server. Update relevant man pages to contain
such information.

https://fedorahosted.org/freeipa/ticket/1967
2012-02-27 17:50:46 +01:00
Jan Cholasta
c00bf9e38a Configure ssh and sshd during ipa-client-install.
For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns
ipa-client-install option is used.

For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM
options are enabled (this can be disabled using --no-sshd
ipa-client-install option).

ticket 1634
2012-02-13 22:21:47 -05:00
Jan Cholasta
c34f5fbc88 Update host SSH public keys on the server during client install.
This is done by calling host-mod to update the keys on IPA server and nsupdate
to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp
ipa-client-install option.

https://fedorahosted.org/freeipa/ticket/1634
2012-02-13 22:21:43 -05:00
Jan Cholasta
9b6649a1ce Move the nsupdate functionality to separate function in ipa-client-install.
Done as part of adding SSH support.

https://fedorahosted.org/freeipa/ticket/1634
2012-02-13 22:21:38 -05:00
Jan Cholasta
04b8575c52 Add API initialization to ipa-client-install.
This change makes it possible to call IPA commands from ipa-client-install.

Done to support adding SSH host keys to DNS.

https://fedorahosted.org/freeipa/ticket/1634
2012-02-13 22:21:35 -05:00
John Dennis
bba4ccb3a0 add session manager and cache krb auth
This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:

* Add a session manager to support cookie based sessions which
  stores session data in a memcached entry.

* Add ipalib/krb_utils.py which contains functions to parse ccache
  names, format principals, format KRB timestamps, and a KRB_CCache
  class which reads ccache entry and allows one to extract information
  such as the principal, credentials, credential timestamps, etc.

* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
  that all kerberos items are co-located.

* Modify javascript in ipa.js so that the IPA.command() RPC call
  checks for authentication needed error response and if it receives
  it sends a GET request to /ipa/login URL to refresh credentials.

* Add session_auth_duration config item to constants.py, used to
  configure how long a session remains valid.

* Add parse_time_duration utility to ipalib/util.py. Used to parse the
  session_auth_duration config item.

* Update the default.conf.5 man page to document session_auth_duration
  config item (also added documentation for log_manager config items
  which had been inadvertantly omitted from a previous commit).

* Add SessionError object to ipalib/errors.py

* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
  /ipa/login

* Add SessionCCache class to session.py to manage temporary Kerberos
  ccache file in effect for the duration of an RPC command.

* Adds a krblogin plugin used to implement the /ipa/login
  handler. login handler sets the session expiration time, currently
  60 minutes or the expiration of the TGT, whichever is shorter. It
  also copies the ccache provied by mod_auth_kerb into the session
  data.  The json handler will later extract and validate the ccache
  belonging to the session.

* Refactored the WSGI handlers so that json and xlmrpc could have
  independent behavior, this also moves where create and destroy
  context occurs, now done in the individual handler rather than the
  parent class.

* The json handler now looks up the session data, validates the ccache
  bound to the session, if it's expired replies with authenicated
  needed error.

* Add documentation to session.py. Fully documents the entire process,
  got questions, read the doc.

* Add exclusions to make-lint as needed.
2012-02-09 13:20:45 -06:00
Ondrej Hamada
f7b4eb6a09 localhost.localdomain clients refused to join
Machines with hostname 'localhost' or 'localhost.localdomain' are
refused from joining IPA domain and proper error message is shown.
The hostname check is done both in 'ipa-client-install' script and in
'ipa-join'.

https://fedorahosted.org/freeipa/ticket/2112
2012-01-22 22:01:40 -05:00
Rob Crittenden
2d6eeb205e Require an HTTP Referer header in the server. Send one in ipa tools.
This is to prevent a Cross-Site Request Forgery (CSRF) attack where
a rogue server tricks a user who was logged into the FreeIPA
management interface into visiting a specially-crafted URL where
the attacker could perform FreeIPA oonfiguration changes with the
privileges of the logged-in user.

https://bugzilla.redhat.com/show_bug.cgi?id=747710
2011-12-12 17:36:45 -05:00
Alexander Bokovoy
790ffc42a8 Check through all LDAP servers in the domain during IPA discovery
When discovering IPA LDAP servers through DNS records, look through all
servers found until first success. A master might be not available or
denied access but replica may succeed.

Ticket #1827
https://fedorahosted.org/freeipa/ticket/1827
2011-12-09 00:19:57 -05:00
Ondrej Hamada
005b74d869 Client install checks for nss_ldap
In order to check presence of nss_ldap or nss-pam-ldapd when installing
client with '--no-sssd' option there was added code into ipa-client-install.
Checking is based on existence of one of nss_ldap configuration files.
This configuration could be in 'etc/ldap.conf', '/etc/nss_ldap.conf' or
'/etc/libnss_ldap.conf'. Optionaly the nss_ldap could cooperate with
pam_ldap module and hence the presence of it is checked by looking for
'pam_ldap.conf' file. Existence of nss-pam-ldapd is checked against
existence of 'nslcd.conf' file. All this checking is done by function
nssldap_exists(). Because both modules are maintained by two different
functions, the function returns tuple containing return code and dictionary
structure - its key is name of target function and value is list of existing
configuration files. Files to check are specified inside the
nssldap_exists() function. nssldap_exists() also returns True if any of
the mandatory files was found, otherwise returns False.

In order to fit the returned values, the functions
configure_{ldap|nslcd}_conf() were slightly modified. They accept one more
parameter which is list of existing files.  They are not checking existence
of above mentioned files anymore.

https://fedorahosted.org/freeipa/ticket/2063
2011-12-05 22:53:04 -05:00
Martin Kosek
216505d2a0 Fix coverity issues in client CLI tools
This patch fixes 2 coverity issues:
 * ipa-client/config.c: CID 11090: Resource leak
 * ipa-client/ipa-getkeytab.c: CID 11018: Unchecked return value

https://fedorahosted.org/freeipa/ticket/2035
2011-11-23 00:30:41 -05:00
John Dennis
56401c1abe ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging
change default_logger_level to debug in configure_standard_logging

add new ipa_log_manager module, move log_mgr there, also export
root_logger from log_mgr.

change all log_manager imports to ipa_log_manager and change
log_manager.root_logger to root_logger.

add missing import for parse_log_level()
2011-11-23 09:36:18 +01:00
Ondrej Hamada
bf57388e54 Client install root privileges check
ipa-client-install was failing and returning traceback when
wasn't run by root. It was caused by logging initialization that
was taking part before the root privileges check. To correct it,
the check was moved before the logging initialization.

https://fedorahosted.org/freeipa/ticket/2123
2011-11-21 09:39:37 +01:00
Alexander Bokovoy
1f9ab4283c Add configure check for libintl.h
There are some distributions which do not provide gettext support within
libc.

For these cases checking for libintl is required.

https://fedorahosted.org/freeipa/ticket/1840
2011-11-16 18:35:19 -05:00
Martin Kosek
bb6e720393 Fix client krb5 domain mapping and DNS
Add Kerberos mapping for clients outside of server domain. Otherwise
certmonger had problems issuing the certificate. Also make sure that
client DNS records on the server are set before certmonger is started
and certificate is requested.

Based on Lars Sjostrom patch.

https://fedorahosted.org/freeipa/ticket/2006
2011-10-21 14:53:12 +02:00
Rob Crittenden
470576a832 If our domain is already configured in sssd.conf start with a new config.
https://fedorahosted.org/freeipa/ticket/1989
2011-10-13 21:24:07 -04:00
Rob Crittenden
814a424a37 Update all LDAP configuration files that we can.
LDAP can be configured in any number of places, we need to update everything
we find.

https://fedorahosted.org/freeipa/ticket/1986
2011-10-13 20:45:06 -04:00