Commit Graph

860 Commits

Author SHA1 Message Date
Martin Kosek
941d1e8701 Do not produce unindexed search on every DEL command
Every <plugin>-del command executes an "(objectclass=*)" search
to find out if a deleted node has any child nodes which would need
to be deleted first. This produces an unindexed search for every del
command which biases access log audits and may affect performance too.

Since most of the *-del commands delete just a single object (user,
group, RBAC objects, SUDO or HBAC objects, ...) and not a tree
(automount location, dns zone, ...) run a single entry delete first
and only revert to subtree search&delete when that fails.
2012-10-01 22:37:59 -04:00
Petr Viktorin
c16c257145 Fix NS records in installation
Our installation added two final dots to the NS records,
so the records were invalid, Bind ignored the entire zone,
and name resolution didn't work.

Fix this error and add a check for empty DNS labels to the validator
2012-09-27 16:01:22 +02:00
Alexander Bokovoy
fbfa3b56fa Change the way SID comparison is done for belonging to trusted domain
Fixes trust use on RHEL 6.
2012-09-27 14:00:40 +02:00
Martin Kosek
c49bc80494 Use custom zonemgr for reverse zones
When DNS is being installed during ipa-{server,dns,replica}-install,
forward and reverse zone is created. However, reverse zone was always
created with default zonemgr even when a custom zonemgr was passed
to the installer as this functionality was missing in function
creating reverse zone.

Consolidate functions creating forward and reverse zones to avoid
code duplication and errors like this one. Reverse zones are now
created with custom zonemgr (when entered by user).

https://fedorahosted.org/freeipa/ticket/2790
2012-09-26 13:44:11 +02:00
Sumit Bose
d0f672c131 Update krb5.conf during ipa-adtrust-install
https://fedorahosted.org/freeipa/ticket/2515
2012-09-19 20:47:31 -04:00
Petr Viktorin
4bb4535101 Use correct Dogtag port in ipaserver.install.certs
On an instance upgraded from Dogtag 9 to Dogtag 10,
ipa-replica-prepare used the wrong port number. Fix that.
2012-09-20 13:58:53 +02:00
Martin Kosek
ef7b8ab764 Use default reverse zone consistently
When a new reverse zone is to be generated based on an IP address without
a network prefix length, we need to use some default value. While netaddr
library default ones (32b for IPv4 and 128b for IPv6) are not very sensible
we should use the defaults already applied in installers. That is 24b for
IPv6 and 64 for IPv6.

Test case has been added to cover the new default.

https://fedorahosted.org/freeipa/ticket/2461
2012-09-19 17:32:02 +02:00
Alexander Bokovoy
7269687822 Add verification of the AD trust
Since we only can perform verification when AD admin credentials are available,
report that trust should be verified from the AD side in other cases,
including unsuccessful verification.

Once trust is added, status of it is never stored anywhere.

https://fedorahosted.org/freeipa/ticket/2763
2012-09-17 21:24:38 -04:00
Petr Viktorin
f0829efe1f Only stop the main DS instance when upgrading it
We've been stopping both DS instances (main and PKI) when upgrading.
This can happen while the CA is running. In some cases stopping the PKI
DS also killed the CA.

Only stop the specific instance for upgrades.

Also, wait for open ports after the upgrade is complete. The wait was
skipped previously. This can prevent bugs if scripts that need a DS are
run after the upgrade.

https://fedorahosted.org/freeipa/ticket/3083
2012-09-17 18:43:59 -04:00
Petr Viktorin
4f76c143d2 Use Dogtag 10 only when it is available
Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.

Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.

This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
2012-09-17 18:43:59 -04:00
Ade Lee
3dd31a8756 Modifications to install scripts for dogtag 10
Dogtag 10 uses a new installer, new directory layout and new default
ports.  This patch changes the ipa install code to integrate these changes.

https://fedorahosted.org/freeipa/ticket/2846
2012-09-17 18:43:36 -04:00
Rob Crittenden
c9c55a2845 Run the CLEANALLRUV task when deleting a replication agreement.
This adds two new commands to ipa-replica-manage: list-ruv & clean-ruv

list-ruv can be use to list the update vectors the master has
configugured

clean-ruv can be used to fire off the CLEANRUV task to remove a
replication vector. It should be used with caution.

https://fedorahosted.org/freeipa/ticket/2303
2012-09-17 17:48:25 +02:00
Martin Kosek
c0630950a1 Expand Referential Integrity checks
Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
are used to store DNs of linked objects in IPA (users, hosts, sudo
commands, etc.). However, when the linked objects is deleted or
renamed, the attribute pointing to it stays with the objects and
thus may create a dangling link causing issues in client software
reading the data.

Directory Server has a plugin to enforce referential integrity (RI)
by checking DEL and MODRDN operations and updating affected links.
It was already used for manager and secretary attributes and
should be expanded for the missing attributes to avoid dangling
links.

As a prerequisite, all attributes checked for RI must have pres
and eq indexes to avoid performance issues. Thus, the following
indexes are added:
  * manager (pres index only)
  * secretary (pres index only)
  * memberHost
  * memberUser
  * sourcehost
  * memberservice
  * managedby
  * memberallowcmd
  * memberdenycmd
  * ipasudorunas
  * ipasudorunasgroup

Referential Integrity plugin is updated to enforce RI for all these
attributes. Unit tests covering RI checks for all these attributes
were added as well.

Note: this update will only fix RI on one master as RI plugin does
not check replicated operations.

https://fedorahosted.org/freeipa/ticket/2866
2012-09-16 17:59:27 -04:00
Martin Kosek
2ecfe571fa Run index task in ldap updater only when needed
When LDAP updater detected an update instruction in indexing tree, it run
an indexing task and waited until it ends. However, the task was run
regardless of the update instruction result. This lead to unnecessary
index tasks being defined and waited for which makes the whole LDAP
last longer.

Execute indexing task only when an index add/update instruction is
successful.

https://fedorahosted.org/freeipa/ticket/2866
2012-09-16 17:59:19 -04:00
Martin Kosek
edf8138568 Add attributeTypes to safe schema updater
AttributeType updates are sensitive to case, whitespace or X-ORIGIN mismatch
just like ObjectClass attribute which is already being normalized before
an update value is compared with update instructions.

Expand safe schema updater routine to cover both ObjectClasses and
AttributeTypes updates.

https://fedorahosted.org/freeipa/ticket/2440
2012-09-16 17:59:06 -04:00
Rob Crittenden
0f81268ec4 Fix some restart script issues found with certificate renewal.
The restart_dirsrv script wasn't initializing the api so the
startup_timeout wasn't available.

The subsystemCert cert-pki-ca definition was missing so we didn't
know which certificate to update in CS.cfg.

Add some documentation and a pause between restarts for the
renew_ca_cert script so that when the CA subsystem certs are renewed
they don't all try to restart the CA at the same time.

https://fedorahosted.org/freeipa/ticket/3006
2012-09-06 19:09:18 -04:00
Rob Crittenden
26dfbe61dd Add version to replica prepare file, prevent installing to older version 2012-09-07 12:58:55 +02:00
Martin Kosek
917a480675 Add safe updates for objectClasses
Current objectclass updates in a form of "replace" update instruction
dependent on exact match of the old object class specification in the
update instruction and the real value in LDAP. However, this approach is
very error prone as object class definition can easily differ as for
example because of unexpected X-ORIGIN value. Such objectclass update
failures may lead to serious malfunctions later.

When comparing the objectclasses, make sure we normalize them both
before we compare them to mitigate these kinds of errors. python-ldap's
objectclass model can be utilized to do the normalization part.

One objectclass update instruction was changed to do a replace of
an objectclass separately from add update instruction so that we
really only replace what's stored in LDAP.

https://fedorahosted.org/freeipa/ticket/2440
2012-09-04 22:45:27 -04:00
Petr Viktorin
2ede70b720 Add nsds5ReplicaStripAttrs to replica agreements
Generalize the fix_replica_memberof update plugin to allow updating more
replication attributes.

Add nsds5ReplicaStripAttrs to replication agreements on update and
replica install.

https://fedorahosted.org/freeipa/ticket/2534
2012-09-04 05:30:57 -04:00
Martin Kosek
be8a9e6ddb Make replica install more robust
Under certain circumstances, replica installation may fail in
"enable GSSAPI for replication" step when it cannot sync LDAP service
principals. There is often not much we can do as Directory Server
may be in an unrecoverable state but we should at least wait longer
before we give up.

A function checking replication status was also fixed to give more
accurate results by properly comparing start/end time of the
replication process and returning an error message to calling
function. This error message is then returned to user if do not
manage to get the LDAP service principals to give him a pointer
to the actual issue.

https://fedorahosted.org/freeipa/ticket/2950
2012-09-03 21:05:16 -04:00
Petr Viktorin
a95eaeac8e Internationalization for public errors
Currently, we throw many public exceptions without proper i18n.
Wrap natural-language error messages in _() so they can be translated.

In the service plugin, raise NotFound errors using handle_not_found helper
so the error message contains the offending service.

Use ScriptError instead of NotFoundError in bindinstance install.

https://fedorahosted.org/freeipa/ticket/1953
2012-09-03 18:16:12 +02:00
John Dennis
1328f984d0 Ticket : DN objects hash differently depending on case
Because the attrs & values in DN's, RDN's and AVA's are comparison case-
insensitive the hash value between two objects which compare as equal but
differ in case must also yield the same hash value. This is critical when
these objects are used as a dict key or in a set because dicts and sets
use the object's __hash__ value in conjunction with the objects __eq__
method to lookup the object.

The defect is the DN, RDN & AVA objects computed their hash from the case-
preserving string representation thus two otherwise equal objects
incorrectly yielded different hash values.

The problem manifests itself when one of these objects is used as a key in
a dict, for example a dn.

dn1 = DN(('cn', 'Bob'))
dn2 = DN(('cn', 'bob'))

dn1 == dn2 --> True

hash(dn1) == hash(dn2) --> False

d = {}

d[dn1] = x
d[dn2] = y

len(d) --> 2

The patch fixes the above by lower casing the string representation of
the object prior to computing it's hash.

The patch also corrects a spelling mistake and a bogus return value in
ldapupdate.py which happened to be discovered while researching this
bug.
2012-08-22 17:23:12 +03:00
Rob Crittenden
e1d34638ad Convert PKCS#11 subject to string before passing to ipapython.DN 2012-08-15 08:35:36 +02:00
Alexander Bokovoy
1baac3c29e Add internationalization to DCE RPC code
https://fedorahosted.org/freeipa/ticket/2964
2012-08-14 16:51:21 +02:00
Martin Kosek
6341eff078 Fix winsync agreements creation
Due to recent addition of ID range support to DsInstance, the class
could no longer be instantiated when realm_name was passed but
ID range parameters were not. This condition broke winsync agreements
creation in ipa-replica-manage.

Make sure that ID range computation in DsInstance does not crash in
this cases so that winsync replica can be created. Also convert --binddn
option of ipa-replica-manage script to IPA native DN type so that
setup_agreement does not crash.

https://fedorahosted.org/freeipa/ticket/2987
2012-08-12 23:26:16 -04:00
John Dennis
94d457e83c Use DN objects instead of strings
* Convert every string specifying a DN into a DN object

* Every place a dn was manipulated in some fashion it was replaced by
  the use of DN operators

* Add new DNParam parameter type for parameters which are DN's

* DN objects are used 100% of the time throughout the entire data
  pipeline whenever something is logically a dn.

* Many classes now enforce DN usage for their attributes which are
  dn's. This is implmented via ipautil.dn_attribute_property(). The
  only permitted types for a class attribute specified to be a DN are
  either None or a DN object.

* Require that every place a dn is used it must be a DN object.
  This translates into lot of::

    assert isinstance(dn, DN)

  sprinkled through out the code. Maintaining these asserts is
  valuable to preserve DN type enforcement. The asserts can be
  disabled in production.

  The goal of 100% DN usage 100% of the time has been realized, these
  asserts are meant to preserve that.

  The asserts also proved valuable in detecting functions which did
  not obey their function signatures, such as the baseldap pre and
  post callbacks.

* Moved ipalib.dn to ipapython.dn because DN class is shared with all
  components, not just the server which uses ipalib.

* All API's now accept DN's natively, no need to convert to str (or
  unicode).

* Removed ipalib.encoder and encode/decode decorators. Type conversion
  is now explicitly performed in each IPASimpleLDAPObject method which
  emulates a ldap.SimpleLDAPObject method.

* Entity & Entry classes now utilize DN's

* Removed __getattr__ in Entity & Entity clases. There were two
  problems with it. It presented synthetic Python object attributes
  based on the current LDAP data it contained. There is no way to
  validate synthetic attributes using code checkers, you can't search
  the code to find LDAP attribute accesses (because synthetic
  attriutes look like Python attributes instead of LDAP data) and
  error handling is circumscribed. Secondly __getattr__ was hiding
  Python internal methods which broke class semantics.

* Replace use of methods inherited from ldap.SimpleLDAPObject via
  IPAdmin class with IPAdmin methods. Directly using inherited methods
  was causing us to bypass IPA logic. Mostly this meant replacing the
  use of search_s() with getEntry() or getList(). Similarly direct
  access of the LDAP data in classes using IPAdmin were replaced with
  calls to getValue() or getValues().

* Objects returned by ldap2.find_entries() are now compatible with
  either the python-ldap access methodology or the Entity/Entry access
  methodology.

* All ldap operations now funnel through the common
  IPASimpleLDAPObject giving us a single location where we interface
  to python-ldap and perform conversions.

* The above 4 modifications means we've greatly reduced the
  proliferation of multiple inconsistent ways to perform LDAP
  operations. We are well on the way to having a single API in IPA for
  doing LDAP (a long range goal).

* All certificate subject bases are now DN's

* DN objects were enhanced thusly:
  - find, rfind, index, rindex, replace and insert methods were added
  - AVA, RDN and DN classes were refactored in immutable and mutable
    variants, the mutable variants are EditableAVA, EditableRDN and
    EditableDN. By default we use the immutable variants preserving
    important semantics. To edit a DN cast it to an EditableDN and
    cast it back to DN when done editing. These issues are fully
    described in other documentation.
  - first_key_match was removed
  - DN equalty comparison permits comparison to a basestring

* Fixed ldapupdate to work with DN's. This work included:
  - Enhance test_updates.py to do more checking after applying
    update. Add test for update_from_dict(). Convert code to use
    unittest classes.
  - Consolidated duplicate code.
  - Moved code which should have been in the class into the class.
  - Fix the handling of the 'deleteentry' update action. It's no longer
    necessary to supply fake attributes to make it work. Detect case
    where subsequent update applies a change to entry previously marked
    for deletetion. General clean-up and simplification of the
    'deleteentry' logic.
  - Rewrote a couple of functions to be clearer and more Pythonic.
  - Added documentation on the data structure being used.
  - Simplfy the use of update_from_dict()

* Removed all usage of get_schema() which was being called prior to
  accessing the .schema attribute of an object. If a class is using
  internal lazy loading as an optimization it's not right to require
  users of the interface to be aware of internal
  optimization's. schema is now a property and when the schema
  property is accessed it calls a private internal method to perform
  the lazy loading.

* Added SchemaCache class to cache the schema's from individual
  servers. This was done because of the observation we talk to
  different LDAP servers, each of which may have it's own
  schema. Previously we globally cached the schema from the first
  server we connected to and returned that schema in all contexts. The
  cache includes controls to invalidate it thus forcing a schema
  refresh.

* Schema caching is now senstive to the run time context. During
  install and upgrade the schema can change leading to errors due to
  out-of-date cached schema. The schema cache is refreshed in these
  contexts.

* We are aware of the LDAP syntax of all LDAP attributes. Every
  attribute returned from an LDAP operation is passed through a
  central table look-up based on it's LDAP syntax. The table key is
  the LDAP syntax it's value is a Python callable that returns a
  Python object matching the LDAP syntax. There are a handful of LDAP
  attributes whose syntax is historically incorrect
  (e.g. DistguishedNames that are defined as DirectoryStrings). The
  table driven conversion mechanism is augmented with a table of
  hard coded exceptions.

  Currently only the following conversions occur via the table:

  - dn's are converted to DN objects

  - binary objects are converted to Python str objects (IPA
    convention).

  - everything else is converted to unicode using UTF-8 decoding (IPA
    convention).

  However, now that the table driven conversion mechanism is in place
  it would be trivial to do things such as converting attributes
  which have LDAP integer syntax into a Python integer, etc.

* Expected values in the unit tests which are a DN no longer need to
  use lambda expressions to promote the returned value to a DN for
  equality comparison. The return value is automatically promoted to
  a DN. The lambda expressions have been removed making the code much
  simpler and easier to read.

* Add class level logging to a number of classes which did not support
  logging, less need for use of root_logger.

* Remove ipaserver/conn.py, it was unused.

* Consolidated duplicate code wherever it was found.

* Fixed many places that used string concatenation to form a new
  string rather than string formatting operators. This is necessary
  because string formatting converts it's arguments to a string prior
  to building the result string. You can't concatenate a string and a
  non-string.

* Simplify logic in rename_managed plugin. Use DN operators to edit
  dn's.

* The live version of ipa-ldap-updater did not generate a log file.
  The offline version did, now both do.

https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
2012-08-12 16:23:24 -04:00
Alexander Bokovoy
1be46b322f Handle exceptions when establishing trusts
Translate exceptions produced by DCERPC bindings when establishing trusts.
There are two types of errors that may be produced by DCERPC bindings:
- RuntimeError with a text (RuntimeError('NT_STATUS_OBJECT_NAME_NOT_FOUND')
- RuntimeError with a numeric code and 'friendly' message

Error codes could have two prefixes:
  - NT error codes, start with NT_STATUS_ prefix
  - Windows error codes, start with WERR_ prefix

Full list of errors is available in Samba source code:
  libcli/util/ntstatus.h: NT_STATUS error codes
  libcli/util/werror.h: Windows error codes

Majority of errors returned when dealing with trusts are of NT_STATUS type,
these also include all typical POSIX errors mapped to corresponding NT errors.

Unfortunately, in the textual RuntimeError case very little can be done to
get better clarification of the error. More error paths will need to be added
as they will be discovered -- DCERPC error messaging is complex.

https://fedorahosted.org/freeipa/ticket/2868
2012-08-03 11:00:54 +02:00
Martin Kosek
79a427277a Avoid redundant info message during RPM update
A change to ipa-ldap-updater (and thus an RPM update %post scriptlet)
avoiding redundat "IPA is not configured" message in stderr introdocued
in c20d4c71b8 was reverted in another
patch (b5c1ce88a4).

Return the change back to avoid this message during every RPM update
when IPA is not configured. admintool framework was also fixed to
avoid print an empty line when an exception without an error message
is raised.

https://fedorahosted.org/freeipa/ticket/2892
2012-08-02 16:14:40 +02:00
Alexander Bokovoy
68d5fe1ec7 Ensure ipa-adtrust-install is run with Kerberos ticket for admin user
When setting up AD trusts support, ipa-adtrust-install utility
needs to be run as:
   - root, for performing Samba configuration and using LDAPI/autobind
   - kinit-ed IPA admin user, to ensure proper ACIs are granted to
     fetch keytab

As result, we can get rid of Directory Manager credentials in ipa-adtrust-install

https://fedorahosted.org/freeipa/ticket/2815
2012-07-31 17:44:35 +02:00
Rob Crittenden
03837bfd6d Use certmonger to renew CA subsystem certificates
Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.

A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.

The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.

The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.

On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.

https://fedorahosted.org/freeipa/ticket/2803
2012-07-30 13:39:08 +02:00
Alexander Bokovoy
cc42d19e35 Rework task naming in LDAP updates to avoid conflicting names in certain cases
There are two problems in task naming in LDAP updates:

1. Randomness may be scarce in virtual machines
2. Random number is added to the time value rounded to a second

The second issue leads to values that may repeat themselves as time
only grows and random number is non-negative as well, so
t2+r2 can be equal to t1+t2 generated earlier.

Since task name is a DN, there is no strict requirement to use an integer value.
Instead, we generate an UUID and use its 60-bit time, 14-bit sequential number,
and attribute name.

https://fedorahosted.org/freeipa/ticket/2942
2012-07-24 16:17:03 -04:00
Petr Viktorin
b5c1ce88a4 Framework for admin/install tools, with ipa-ldap-updater
Currently, FreeIPA's install/admin scripts are long pieces of code
that aren't very reusable, importable, or testable.
They have been extended over time with features such as logging and
error handling, but since each tool was extended individually, there
is much inconsistency and code duplication.
This patch starts a framework which the admin tools can use, and
converts ipa-ldap-updater to use the framework.

Common tasks the tools do -- option parsing, validation, logging
setup, error handling -- are represented as methods. Individual
tools can extend, override or reuse the defaults as they see fit.

The ipa-ldap-updater has two modes (normal and --upgrade) that
don't share much functionality. They are represented by separate
classes. Option parsing, and selecting which class to run, happens
before they're instantiated.

All code is moved to importable modules to aid future testing. The
only thing that remains in the ipa-ldap-updater script is a two-line
call to the library.

First part of the work for:
https://fedorahosted.org/freeipa/ticket/2652
2012-07-22 23:17:56 -04:00
Rob Crittenden
67dbde0156 Don't hardcode serial_autoincrement to True.
https://fedorahosted.org/freeipa/ticket/2554
2012-07-17 17:18:53 -04:00
Alexander Bokovoy
dadfbf9d15 Handle various forms of admin accounts when establishing trusts
Realm administrator account may be specified using different form:
Administrator, DOM\Administrator, Administrator@DOMAIN

This patch introduces handling of the second two forms:
- In DOM\Administrator only user name is used, short domain name
  is then taken from a discovered record from the AD DC
- In Administrator@DOMAIN first DOMAIN is verified to be the same
  as the domain we are establishing trust to, and then user name
  is taken, together with short domain name taken from a discovered
  record from the AD DC

Note that we do not support using to-be-trusted domain's trusted domains'
accounts to establish trust as there is basically zero chance to verify
that things will work with them. In addition, in order to establish trust
one needs to belong to Enterprise Admins group in AD or have specially
delegated permissions. These permissions are unlikely delegated to the
ones in already trusted domain.

https://fedorahosted.org/freeipa/ticket/2864
2012-07-18 16:55:57 +03:00
Martin Kosek
378238b14e Warn user if an ID range with incorrect size was created
IPA 3.0 introduced range ID objects in replicated space which specify
a range of IDs assigned via DNA plugin. ipa-ldap-updater generates the
default ID range which should correspond with IDs assigned to IPA
users.

However, since correct range size is not known, we should at least
warn that a range with invalid size was created so that user can
amend it.

https://fedorahosted.org/freeipa/ticket/2892
2012-07-13 16:18:39 +02:00
Martin Kosek
9d69db80a3 Enable SOA serial autoincrement
SOA serial autoincrement is a requirement for major DNS features,
e.g. zone transfers or DNSSEC. Enable it by default in named.conf
both for new and upgraded installations. Name of the bind-dyndb-ldap
option is "serial_autoincrement".

From now on, idnsSOAserial attribute also has to be put to
replication agreement exclude list as serial will be incremented
on each DNS server separately and won't be shared. Exclude list
has to be updated both for new replication agreements and the
current ones.

Minimum number of connections for bind-dyndb-ldap has been rised
to 4 connections, the setting will be updated during package upgrade.

https://fedorahosted.org/freeipa/ticket/2554
2012-07-13 16:03:58 +02:00
Martin Kosek
4879c68d68 Improve address family handling in sockets
Many functions use low-level socket interface for connection or
various checks. However, most of the time we don't respect
automatic address family detection but rather try to force our
values. This may cause either redundat connection tries when an
address family is disabled on system tries or even crashes
when socket exceptions are not properly caught.

Instead of forcing address families to socket, rather use
getaddrinfo interface to automatically retrieve a list of all
relevant address families and other connection settings when
connecting to remote/local machine or binding to a local port.
Now, we will also fill correctly all connection parameters like
flowinfo and scopeid for IPv6 connections which will for example
prevent issues with scoped IPv6 addresses.

bind_port_responder function was changed to at first try to bind
to IPv6 wildcard address before IPv4 as IPv6 socket is able to
accept both IPv4 and IPv6 connections (unlike IPv4 socket).

nsslib connection was refactored to use nss.io.AddrInfo class to
get all the available connections. Socket is now not created by
default in NSSConnection class initializer, but rather when the
actual connection is being made, becase we do not an address family
where connection is successful.

https://fedorahosted.org/freeipa/ticket/2913
https://fedorahosted.org/freeipa/ticket/2695
2012-07-13 14:25:18 +02:00
Rob Crittenden
e5b6260008 Centralize timeout for waiting for servers to start.
All service start/restart currently go through ipapython/platform so
move the "wait for service to start" code there as well.

A dictionary of known services and ports to wait on is defined in base.py
This is referenced by the platforms by instance name to determine what
to wait for. For the case of dirsrv if we get that as a plain name
(no specific instance) it is assumed to be the main IPA service.

https://fedorahosted.org/freeipa/ticket/2375
https://fedorahosted.org/freeipa/ticket/2610
2012-07-02 17:08:58 -04:00
Sumit Bose
06b298e93a Use DN objects instead of strings in adtrustinstance 2012-07-01 17:41:57 -04:00
Martin Kosek
d5fe02999c Create default range entry after upgrade
Create default range both on new install and on upgrades. Also make
sure that all range object classes are present for upgraded machines.

Default range LDIF entry for new install was fixed so that new
installation does not crash.

https://fedorahosted.org/freeipa/ticket/2891
2012-07-02 16:27:33 +02:00
Sumit Bose
bdb995194c Add range check preop plugin
To make sure that ID ranges do not overlap this plugin checks new
additions and changes for conflicts with existing ranges.

https://fedorahosted.org/freeipa/ticket/2185
2012-06-29 18:00:58 -04:00
Sumit Bose
e809802aed Set RID bases for local domain during ipa-adtrust-install 2012-06-29 16:21:23 -04:00
Sumit Bose
0350b5e8a1 Add objects for initial ID range 2012-06-29 16:21:20 -04:00
Alexander Bokovoy
a6ff85f425 Add support for external group members
When using ipaExternalGroup/ipaExternalMember attributes it is
possible to add group members which don't exist in IPA database.
This is primarily is required for AD trusts support and therefore
validation is accepting only secure identifier (SID) format.

https://fedorahosted.org/freeipa/ticket/2664
2012-06-28 16:53:33 +02:00
Martin Kosek
52f69aaa8a Per-domain DNS record permissions
IPA implements read/write permissions for DNS record or zones.
Provided set of permissions and privileges can, however, only grant
access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per-zone.

Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute

Current DNS deny ACI used to enforce read access is removed so that
DNS privileges are based on allow ACIs only, which is much more
flexible approach as deny ACIs have always precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs has to be added
to DNS zones itselves.

2 new commands have been added which allows an administrator to
create the system permission allowing the per-zone access and
fill a zone's managedBy attribute:
 * dnszone-add-permission: Add per-zone permission
 * dnszone-remove-permission: Remove per-zone permission

https://fedorahosted.org/freeipa/ticket/2511
2012-06-28 15:21:21 +02:00
Sumit Bose
316aac5a8d Add external domain extop DS plugin
This extop can be used by clients of the IPA domain, e.g. sssd, to
retrieve data from trusted external domains. It can be used e.g. to map
Windows SIDs to user or groups names and back.
2012-06-28 13:08:26 +02:00
Sumit Bose
65ad261663 Add sidgen postop and task
A postop plugin is added to create the SID for new created users and
groups. A directory server task allows to set the SID for existing
users and groups.

Fixes https://fedorahosted.org/freeipa/ticket/2825
2012-06-28 08:02:05 +02:00
Petr Viktorin
ec5115a155 Typo fixes 2012-06-25 21:35:11 -04:00
Alexander Bokovoy
0e3d064ac1 restart dirsrv as part of ipa-adtrust-install
We should restart Directory Server when performing AD trusts configuration
to enable new CLDAP plugin and force KDC to notice MS PAC is now available.
Previously we only restarted KDC but if dirsrv is restarted, KDC will notice
its socket disappeared and will refresh itself

http://fedorahosted.org/freeipa/ticket/2862
2012-06-22 08:45:55 +02:00
Rob Crittenden
54135ecd9a Store session cookie in ccache for cli users
Try to use the URI /ipa/session/xml if there is a key in the kernel
keyring. If there is no cookie or it turns out to be invalid (expired,
whatever) then use the standard URI /ipa/xml. This in turn will create
a session that the user can then use later.

https://fedorahosted.org/freeipa/ticket/2331
2012-06-14 14:02:26 +02:00
Martin Kosek
d1e695b5d0 Password change capability for form-based auth
IPA server web form-based authentication allows logins for users
which for some reason cannot use Kerberos authentication. However,
when a password for such users expires, they are unable change the
password via web interface.

This patch adds a new WSGI script attached to URL
/ipa/session/change_password which can be accessed without
authentication and which provides password change capability
for web services.

The actual password change in the script is processed by LDAP
password change command.

Password result is passed both in the resulting HTML page, but
also in HTTP headers for easier parsing in web services:
  X-IPA-Pwchange-Result: {ok, invalid-password, policy-error, error}
  (optional) X-IPA-Pwchange-Policy-Error: $policy_error_text

https://fedorahosted.org/freeipa/ticket/2276
2012-06-11 23:07:03 -04:00
Martin Kosek
34a1dee934 Only set sebools when necessary
setsebool -P was run for every package upgrade or server
installation even though the sebools were already set to the new
value.

Only set sebools which are different from current system values.
This speeds up ipa-upgradeconfig or package update by 150 seconds.
2012-06-10 21:23:23 -04:00
Martin Kosek
1d44aba89b Enable psearch on upgrades
From IPA 3.0, persistent search is a preferred mechanism for new DNS
zone detection and is also needed for other features (DNSSEC, SOA
serial updates).

Enable psearch and make sure connections attribute is right. This
step is done just once for a case when user switched the persistent
search back to disabled on purpose.

ipa-upgradeconfig was updated to accept --debug option in case
somebody would want to see debug messages.
2012-06-10 21:23:19 -04:00
Martin Kosek
ce97d6f8e7 Enable persistent search by default
From IPA version 3.0, the persistent search is a preferred mechanism
to for DNS zone list management. It will be also a requirement for
several bind-dyndb-ldap features, like SOA serial automatic updates
or DNSSEC.

Make this mechanism default in ipa-server-install and ipa-dns-istall.

https://fedorahosted.org/freeipa/ticket/2524
2012-06-10 21:23:15 -04:00
Martin Kosek
c856fb6073 Add sysupgrade state file
When IPA package is being updated, some of the configuration files
are also updated. Sometimes it may be useful to store upgrade meta
information for next package upgrades. For example an information
that some config file was already updated and we don't want to
update it again if user purposedly reverted the change.

This patch adds a new StateFile in /var/lib/ipa/sysupgrade which
is capable of holding this information. New sysupgrade.py module
was created to provide simple API to access the upgrade state
information.
2012-06-10 21:23:10 -04:00
Petr Viktorin
4507dcda58 Fix update plugin order
Sort a filtered list in the update plugin ordering method.

Unlike the previous algorithm, this always gives a correct order.
It should also be faster and more readable.

https://fedorahosted.org/freeipa/ticket/2820
2012-06-10 20:40:00 -04:00
Petr Viktorin
6f1baf8b16 Only allow root to run update plugins
Several plugins need restarting the DS (or they currently do
an external bind).
Rather than disabling plugins (possibly partially), refuse
to run them when run as an unprivileged user.

This means running ipa-ldap-updater as non-root requires specifying
a list of files, and omiting the --upgrade and --plugins options.

https://fedorahosted.org/freeipa/ticket/2621
2012-06-07 05:02:22 -04:00
sbose
e6d638b6cf Set samba_portmapper SELinux boolean during ipa-adtrust-install 2012-06-07 09:39:11 +02:00
Alexander Bokovoy
4c92d0e729 get_fqdn() moved to ipaserver.installutils 2012-06-07 09:39:10 +02:00
Alexander Bokovoy
bd0d858043 Add trust-related ACIs
A high-level description of the design and ACIs for trusts is available at
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00224.html
and
https://www.redhat.com/archives/freeipa-devel/2011-December/msg00248.html

Ticket 
2012-06-07 09:39:10 +02:00
Alexander Bokovoy
ae2d5edd1a Restart KDC after installing trust support to allow MS PAC generation
Also make sure all exceptions are captured when creating CIFS service
record. The one we care about is duplicate entry and we do nothing
in that case anyway.

Also make uniform use of action descriptors.
2012-06-07 09:39:10 +02:00
Alexander Bokovoy
cbb1d626b9 Perform case-insensitive searches for principals on TGS requests
We want to always resolve TGS requests even if the user mistakenly sends a
request for a service ticket where the fqdn part contain upper case letters.

The actual implementation follows hints set by KDC. When AP_REQ is done, KDC
sets KRB5_FLAG_ALIAS_OK and we obey it when looking for principals on TGS requests.

https://fedorahosted.org/freeipa/ticket/1577
2012-06-07 09:39:10 +02:00
Alexander Bokovoy
27517c2008 Use fully qualified PDC name when contacting for extended DN information 2012-06-07 09:39:09 +02:00
Alexander Bokovoy
a7420c1e83 Add trust management for Active Directory trusts 2012-06-07 09:39:09 +02:00
Alexander Bokovoy
dd244c02dd Use dedicated keytab for Samba
Samba just needs the cifs/ key on the ipa server. Configure samba to use a
different keytab file so that we do not risk samba commands (net, or similar)
to mess up the system keytab.

https://fedorahosted.org/freeipa/ticket/2168
2012-06-07 09:39:09 +02:00
Alexander Bokovoy
b32204fccc Add separate attribute to store trusted domain SID
We need two attributes in the ipaNTTrustedDomain objectclass to store different
kind of SID. Currently ipaNTSecurityIdentifier is used to store the Domain-SID
of the trusted domain. A second attribute is needed to store the SID for the
trusted domain user. Since it cannot be derived safely from other values and
since it does not make sense to create a separate object for the user a new
attribute is needed.

https://fedorahosted.org/freeipa/ticket/2191
2012-06-07 09:39:09 +02:00
Martin Kosek
c06cbb12ac Fill new DNS zone update policy by default
For security reasons, dynamic updates are not enabled for new DNS
zones. In order to enable the dynamic zone securely, user needs to
allow dynamic updates and create a zone update policy.

The policy is not easy to construct for regular users, we should
rather fill it by default and let users just switch the policy
on or off.

https://fedorahosted.org/freeipa/ticket/2441
2012-06-05 08:41:46 +02:00
Petr Viktorin
0ca29fac9a Move install script error handling to a common function
All of our install/admin scripts had a try/except block calling the
main function and handling common exceptions. These were copy-pasted
from each other and modified to various levels of sophistication.
This refactors them out of installers to a single function, which
includes a final pass/fail message for all of the scripts.

Non-install scripts that set up the same log handler levels for
stderr and log file are not changed, as it's not possible to log
to only the logfile without changing the logger configuration.

https://fedorahosted.org/freeipa/ticket/2071
2012-05-31 14:37:27 +02:00
Martin Kosek
f1ed123cad Replace DNS client based on acutil with python-dns
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
  but but rather C-like interface based on functions and
  structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
  authconfig and thus can break without notice

Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
  in installutils to make the whole DNS check simpler and
  less error-prone. Logging was improves for the remaining
  checks
- improved logging for ipa-client-install DNS discovery

https://fedorahosted.org/freeipa/ticket/2730
https://fedorahosted.org/freeipa/ticket/1837
2012-05-24 13:55:56 +02:00
Rob Crittenden
6bb462e26a Retry retrieving ldap principals when setting up replication.
We've seen on a few occassions where one side or the other is missing
the ldap principal. This causes replication to fail when trying to
convert to using GSSAPI. If this happens force a synchronization again
and try the retrieval again, up to 10 times.

This should also make the error report clearer if even after the retries
one of the principals doesn't exist.

https://fedorahosted.org/freeipa/ticket/2737
2012-05-22 20:57:02 -04:00
Martin Kosek
9a5c2090eb Remove LDAP limits from DNS service
bind-dyndb-ldap persistent search queries LDAP for all DNS records.
The LDAP connection must have no size or time limits to work
properly.

This patch updates limits both for existing service principal
on updated machine and for new service principals added
as a part of DNS installation.

https://fedorahosted.org/freeipa/ticket/2531
2012-05-22 12:28:21 +02:00
Martin Kosek
aa9ea477af Remove ipa-server-install LDAP update errors
python-ldap add_s method raises a NO_SUCH_OBJECT exception when
a parent entry of the entry being added does not exist. This may
not be an error, for example NIS entries are only added when NIS
is enabled and thus the NIS entry container exists.

The exception raised by python-ldap is also incorrectly processed
in ipaldap's addEntry function and an irrelevant exception is
re-raised instead.

Fix LDAP updater to just log an information when an object cannot
be added due to missing parent object. Also make sure that the
addEntry function exception processing provides the right exception
with a useful description.

https://fedorahosted.org/freeipa/ticket/2520
https://fedorahosted.org/freeipa/ticket/2743
2012-05-17 21:21:47 -04:00
Rob Crittenden
eef056165f Include more information when IP address is not local during installation.
Provide the IP address we resolved when displaying the exception.

Also handle the exception ourselves with sys.exit().

https://fedorahosted.org/freeipa/ticket/2654
2012-05-17 07:54:46 +02:00
Petr Viktorin
f19218f7d8 Remove duplicate and unused utility code
IPA has some unused code from abandoned features (Radius, ipa 1.x user
input, commant-line tab completion), as well as some duplicate utilities.
This patch cleans up the utility modules.

Duplicate code consolidated into ipapython.ipautil:
    {ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix
    {ipaserver,ipapython}.ipautil.CIDict
            (with style improvements from the ipaserver version)
    {ipapython.entity,ipaserver.ipautil}.utf8_encode_value
    {ipapython.entity,ipaserver.ipautil}.utf8_encode_values

ipalib.util.get_fqdn was removed in favor of the same function in
ipaserver.install.installutils

Removed unused code:
    ipalib.util:
        load_plugins_in_dir
        import_plugins_subpackage
        make_repr (was imported but unused; also removed from tests)

    ipapython.ipautil:
        format_list
        parse_key_value_pairs
        read_pairs_file
        read_items_file
        user_input_plain
        AttributeValueCompleter
        ItemCompleter

    ipaserver.ipautil:
        get_gsserror (a different version exists in ipapython.ipautil)

ipaserver.ipautil ended up empty and is removed entirely.

https://fedorahosted.org/freeipa/ticket/2650
2012-05-09 11:54:20 +02:00
Jan Cholasta
d9d1967989 Redo boolean value encoding.
Move the code for encoding boolean values to LDAP boolean syntax from the
Parameter class to the Encoder class, where the rest of LDAP encoding takes
place. Remove encoding code from the Parameter class altogether, as all LDAP
encoding should be done in the Encoder class.
2012-05-09 09:43:35 +02:00
Rob Crittenden
4416c185de Revert "Search allowed attributes in superior objectclasses"
This reverts commit a58cbb985e.

We are going to take another approach to this. Instead of erroring
out on attributes that don't seem to be allowed we are going to
eventually return a warning.
2012-04-29 17:39:42 -04:00
Rob Crittenden
0423213148 Use mixed-case for Read DNS Entries permission
https://fedorahosted.org/freeipa/ticket/2569
2012-04-23 10:00:40 +02:00
Martin Kosek
a663e83cb2 Raise proper exception when LDAP limits are exceeded
ldap2 plugin returns NotFound error for find_entries/get_entry
queries when the server did not manage to return an entry
due to time limits. This may be confusing for user when the
entry he searches actually exists.

This patch fixes the behavior in ldap2 plugin to
1) Return even a zero search results + truncated bool set in
   ldap2.find_entries
2) Raise LimitsExceeded in ldap2.get_entry and
   ldap2.find_entry_by_attr instead of NotFound error

This changed several assumptions about ldap2.find_entries
results. Several calls accross IPA code base had to be
amended.

https://fedorahosted.org/freeipa/ticket/2606
2012-04-16 23:23:57 -04:00
Rob Crittenden
7b515bddbc Return consistent expiration message for forms-based login
We need to inform users when a forms-based login fails due to the
password needing to be reset. Currently there is no way to distinguish
a reset case vs an incorrect password.

This will bind the user using a simple LDAP bind over ldapi (by default)
and if that is successful, check the expiration date against the current
time.

The UI portion of this that uses this message will come later.

https://fedorahosted.org/freeipa/ticket/2608
2012-04-16 21:53:01 -04:00
Rob Crittenden
9c39f95f21 Remove the running state when uninstalling DS instances.
We don't need to do anything with the state but if it exists in
the sysrestore index at the end of uninstallation the uninstaller will
complain about it.

https://fedorahosted.org/freeipa/ticket/2637
2012-04-17 11:25:41 +02:00
Rob Crittenden
717bbcd2bf Configure certmonger to execute restart scripts on renewal.
certmonger now has the ability to execute a script when it renews a
certificate. This can be used to automatically restart servers so
the certificate doesn't expire in the running server.

https://fedorahosted.org/freeipa/ticket/2050
2012-04-10 01:08:41 -04:00
Martin Kosek
184a066f4a Fix installation when server hostname is not in a default domain
When IPA server is configured with DNS and its hostname is not
located in a default domain, SRV records are not valid.
Additionally, httpd does not serve XMLRPC interface because it
IPA server domain-realm mapping is missing in krb5.conf. All CLI
commands were then failing.

This patch amends this configuration. It fixes SRV records in
served domain to include full FQDN instead of relative hostname
when the IPA server hostname is not located in served domain.
IPA server forward record is also placed to correct zone.

When IPA server is not in a served domain a proper domain-realm
mapping is configured to krb5.conf. The template was improved
in order to be able to hold this information.

https://fedorahosted.org/freeipa/ticket/2602
2012-04-08 20:35:10 -04:00
John Dennis
af0ac845ff improve handling of ds instances during uninstall
Ticket 

* remove the "running" flag from backup_state in cainstance.py and
  dsinstance.py because it does not provide the correct
  information. In cainstance the running flag was never referenced
  because restarting dirsrv instances occurs later in dsinstance. In
  dsinstance when the running flag is set it incorrectly identifed the
  PKI ds instance configured earlier by cainstance. The intent was to
  determine if there were any ds instances other than those owned by
  IPA which will need to be restarted upon uninstall. Clearly the PKI
  ds instance does not qualify. We were generating a traceback when at
  the conclusion of dsinstance.uninstall we tried to start the
  remaining ds instances as indicated by the running flag, but there
  were none to restart (because the running flag had been set as a
  consequence of the PKI ds instance).

* We only want to restart ds instances if there are other ds instances
  besides those owned by IPA. We shouldn't be stopping all ds
  instances either, but that's going to be covered by another
  ticket. The fix for restarting other ds instances at the end of
  uninstall is to check and see if there are other ds instances
  remaining after we've removed ours, if so we restart them. Also it's
  irrelevant if those ds instances were not present when we installed,
  it only matters if they exist after we restore things during
  uninstall. If they are present we have to start them back up because
  we shut them down during uninstall.

* Add new function get_ds_instances() which returns a list of existing
  ds instances.

* fixed error messages that incorrectly stated it "failed to restart"
  a ds instance when it should be "failed to create".
2012-04-04 22:47:08 -04:00
Martin Kosek
17a0738d2d Configure SELinux for httpd during upgrades
SELinux configuration for httpd instance was set for new
installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x
upgrade) missed the configuration. This lead to AVCs when httpd
tries to contact ipa_memcached and user not being able to log in.

This patch updates ipa-upgradeconfig to configure SELinux
in the same way as ipa-server-install does.

https://fedorahosted.org/freeipa/ticket/2603
2012-04-03 18:20:51 -04:00
Martin Kosek
df13cdcb97 Forbid public access to DNS tree
With a publicly accessible DNS tree in LDAP, anyone with an access
to the LDAP server can get all DNS data as with a zone transfer
which is already restricted with ACL. Making DNS tree not readable
to public is a common security practice and should be applied
in FreeIPA as well.

This patch adds a new deny rule to forbid access to DNS tree to
users or hosts without an appropriate permission or users which
are not members of admins group. The new permission/aci is
applied both for new installs and upgraded servers.

bind-dyndb-ldap plugin is allowed to read DNS tree without any
change because its principal is already a member of "DNS
Servers" privilege.

https://fedorahosted.org/freeipa/ticket/2569
2012-04-01 21:17:04 -04:00
Endi Sukma Dewata
874a298b07 Fixed boot.ldif permission.
The server installation failed on F17 due to permission problem.
The /var/lib/dirsrv/boot.ldif was previously owned and only readable
by root. It is now owned by DS user dirsrv.

Ticket 
2012-04-01 16:54:55 -04:00
Rob Crittenden
16b38d39b3 Handle updating replication agreements that lack nsDS5ReplicatedAttributeList
When updating from 2.x we need to add nsDS5ReplicatedAttributeList and
nsDS5ReplicatedAttributeListTotal if they aren't present.

If nsDS5ReplicatedAttributeList is present and doesn't contain memberof
then we want to add it.

https://fedorahosted.org/freeipa/ticket/2594
2012-04-02 10:49:20 +02:00
Jan Cholasta
a2299070c8 Change parameters to use only default_from for dynamic default values.
Replace all occurences of create_default with equivalent default_from
and remove create_default from the framework. This is needed for
proper parameter validation, as there is no way to tell which
parameters to validate prior to calling create_default, because
create_default does not provide information about which parameters are
used for generating the default value.
2012-03-28 14:04:31 +02:00
Martin Kosek
52aa008b87 Improve user awareness about dnsconfig
Global DNS configuration is a nice tool to maintain a common DNS
settings stored in LDAP which are then used for all enrolled IPA
servers. However, the settings stored in LDAP override local
settings in named.conf on DNS servers.

This patch adds more information about global DNS configuration
options in install scripts and DNS module help.

https://fedorahosted.org/freeipa/ticket/2525
2012-03-26 00:33:45 -04:00
Martin Kosek
b944ad44b5 Amend permissions for new DNS attributes
New features in bind-dyndb-ldap and IPA DNS plugin pulled new
attributes and objectclasses. ACIs and permissions need to be
updated to allow users with appropriate permissions update
these attributes in LDAP.

This patch updates the ACI for DNS record updates and adds one
new permission to update global DNS configuration.

https://fedorahosted.org/freeipa/ticket/2510
2012-03-25 23:58:24 -04:00
Rob Crittenden
a735420a9b Set nsslapd-minssf-exclude-rootdse to on so the DSE is always available.
If minssf is set in configuration and this is not set then clients won't
be able to detect the available namingContexts, defaultNamingContext,
capabilities, etc.

https://fedorahosted.org/freeipa/ticket/2542
2012-03-26 14:26:10 +02:00
Alexander Bokovoy
f6077c46b3 When changing multiple booleans with setsebool, pass each of them separately.
Fixes SELinux configuration for ipa-server-install with selinux-policy 3.10.0-104.fc17.
2012-03-23 10:19:47 +02:00
Martin Kosek
2d460003b9 Fix LDAP effective rights control with python-ldap 2.4.x
The new version of python-ldap changed the way it created LDAPv3
extended controls. The API used in 2.4.x can no longer be used
because it does not send the bind DN with effective rights
control and LDAP server thus rejects it.

This patch implements the new API in a backward compatible way
so that it works both with python-ldap versions 2.3.x and 2.4.x.

https://fedorahosted.org/freeipa/ticket/2565
2012-03-22 00:54:57 -04:00
Ondrej Hamada
a58cbb985e Search allowed attributes in superior objectclasses
get_allowed_attributes function was improved to look for allowed
attributes also in the superior objectclasses of specified objectclass.

This fixes the regression caused by patch for ticket . Test-case
for unit-test was also created.

https://fedorahosted.org/freeipa/ticket/2293
2012-03-22 17:13:39 +01:00
Rob Crittenden
8f71f42ef7 No longer shell escape the DM password when calling pkisilent.
pkisilent was modified to handle escaping characters itself in
BZ https://bugzilla.redhat.com/show_bug.cgi?id=769388

This removes the workaround from ticket 1636.

https://fedorahosted.org/freeipa/ticket/2529
2012-03-21 10:08:43 +01:00
Rob Crittenden
1584807e02 Add subject key identifier to the dogtag server cert profile.
This will add it on upgrades too and any new certs issued will have
a subject key identifier set.

If the user has customized the profile themselves then this won't be
applied.

https://fedorahosted.org/freeipa/ticket/2446
2012-03-15 09:55:03 +01:00
Rob Crittenden
d4a80dbe52 Display serial number as HEX (DECIMAL) when showing certificates.
https://fedorahosted.org/freeipa/ticket/1991
2012-03-14 04:40:35 -04:00
Rob Crittenden
0425d09fac Set SELinux boolean httpd_manage_ipa so ipa_memcached will work.
This is being done in the HTTP instance so we can set both
booleans in one step and save a bit of time (it is still slow).

https://fedorahosted.org/freeipa/ticket/2432
2012-03-13 18:04:34 -04:00
Martin Kosek
75b3755648 Fix ipa-replica-manage TLS connection error
New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its
ABI and broke our TLS connection in ipa-replica-manage. This makes
it impossible to connect for example to Active Directory to set up
a winsync replication. We always receive a connection error stating
that Peer's certificate is not recognized even though we pass
a correct certificate.

This patch fixes the way we set up TLS. The change is backwards
compatible with older versions of openldap.

https://fedorahosted.org/freeipa/ticket/2500
2012-03-14 08:30:51 +01:00
Rob Crittenden
f5e5bf8f82 Fix nsslapd-anonlimitsdn dn in cn=config
The dn value needs to be quoted otherwise it is interpreted to be a
multi-value.

This will replace whatever value is currently set.

https://fedorahosted.org/freeipa/ticket/2452
2012-03-13 08:34:07 +01:00
Petr Viktorin
1dc11a01d7 Allow removing sudo commands with special characters from command groups
Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.

https://fedorahosted.org/freeipa/ticket/2483
2012-03-12 16:02:29 +01:00
Rob Crittenden
d55d8bfa7e Add support for sudoOrder
Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.

The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.

https://fedorahosted.org/freeipa/ticket/1314
2012-03-01 21:02:33 -05:00
Martin Kosek
b7d092a0f4 Remove memberPrincipal for deleted replicas
When a replica is deleted, its memberPrincipal entries in
cn=s4u2proxy,cn=etc,SUFFIX were not removed. Then, if the replica
is reinstalled and connected again, the installer would report
an error with duplicate value in LDAP.

This patch extends replica cleanup procedure to remove replica
principal from s4u2proxy configuration.

https://fedorahosted.org/freeipa/ticket/2451
2012-03-02 16:45:35 +01:00
Rob Crittenden
95b85f6384 Fix WSGI error handling
A number of different errors could occur when trying to handle an
error which just confused matters.

If no CCache was received then trying to retrieve context.principal
in the error message caused yet another exception to be raised.

Trying to get Command[name] if name wasn't defined in command would
raise an exception.

Trying to raise errors.CCache was failing because the response hadn't
been started.

https://fedorahosted.org/freeipa/ticket/2371
2012-03-02 10:59:31 +01:00
Martin Kosek
61af2c9b1e Improve hostname verification in install tools
Our install tools like ipa-server-install, ipa-replica-{prepare,
install} may allow hostnames that do not match the requirements
in ipalib. This creates a disconnect and may cause issues when
user cannot delete hostnames created by install tools.

This patch makes sure that ipalib requirements are applied to
install tools hostnames as well.

https://fedorahosted.org/freeipa/ticket/2089
2012-02-29 21:26:53 -05:00
Rob Crittenden
5e01ed1325 subclass HTTP_Status from plugable.Plugin, fix not_found tests
HTTP_Status needs to subclass from Plugin because it does its own logging.

Add tests for other methods of HTTP_Status
2012-02-29 21:04:10 -05:00
Rob Crittenden
a5a55ceff3 Don't delete system users that are added during installation.
We don't want to run the risk of adding a user, uninstalling it,
the system adding a new user (for another package install for example)
and then re-installing IPA. This wreaks havoc with file and directory
ownership.

https://fedorahosted.org/freeipa/ticket/2423
2012-02-29 22:36:13 +01:00
Petr Vobornik
610420bd2a Fixed content type check in login_password
login_password is expecting that request content_type will be 'application/x-www-form-urlencoded'.

Current check is an equality check of content_type http header.

RFC 3875 defines that content type can contain parameters separated by ';'. For example: when firefox is doing ajax call it sets the request header to 'application/x-www-form-urlencoded; charset=UTF-8' which leads to negative result.

This patch makes the check more benevolent to allow such values.

Patch is a fixup for:
https://fedorahosted.org/freeipa/ticket/2095
2012-02-28 23:25:38 -05:00
John Dennis
3cd0217b30 Log a message when returning non-success HTTP result
The routines used to return a non-success HTTP result from
WSGI failed to log the aberrant event, this corrects that omission.
2012-02-28 23:15:41 -05:00
John Dennis
ee780df13c Implement password based session login
* Adjust URL's
  - rename /ipa/login -> /ipa/session/login_kerberos
  - add /ipa/session/login_password

* Adjust Kerberos protection on URL's in ipa.conf

* Bump VERSION in httpd ipa.conf to pick up session changes.

* Adjust login URL in ipa.js

* Add InvalidSessionPassword to errors.py

* Rename krblogin class to login_kerberos for consistency with
  new login_password class

* Implement login_password.kinit() method which invokes
  /usr/bin/kinit as a subprocess

* Add login_password class for WSGI dispatch, accepts POST
  application/x-www-form-urlencoded user & password
  parameters. We form the Kerberos principal from the server's
  realm.

* Add function  krb5_unparse_ccache()

* Refactor code to share common code

* Clean up use of ccache names, be consistent

* Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file()
  with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache().
  bind_ipa_ccache() now sets environment KRB5CCNAME variable.
  release_ipa_ccache() now clears environment KRB5CCNAME variable.

* ccache names should now support any ccache storage scheme,
  not just FILE based ccaches

* Add utilies to return HTTP status from wsgi handlers,
  use constants for HTTP status code for consistency.
  Use utilies for returning from wsgi handlers rather than
  duplicated code.

* Add KerberosSession.finalize_kerberos_acquisition() method
  so different login handlers can share common code.

* add Requires: krb5-workstation to server (server now calls kinit)

* Fix test_rpcserver.py to use new dispatch inside route() method

https://fedorahosted.org/freeipa/ticket/2095
2012-02-27 05:57:43 -05:00
John Dennis
059a90702e Implement session activity timeout
Previously sessions expired after session_auth_duration had elapsed
commencing from the start of the session. We new support a "rolling"
expiration where the expiration is advanced by session_auth_duration
everytime the session is accessed, this is equivalent to a inactivity
timeout. The expiration is still constrained by the credential
expiration in all cases. The session expiration behavior is
configurable based on the session_auth_duration_type.

* Reduced the default session_auth_duration from 1 hour to 20 minutes.

* Replaced the sesssion write_timestamp with the access_timestamp and
  update the access_timestamp whenever the session data is created,
  retrieved, or written.

* Modify set_session_expiration_time to handle both an inactivity
  timeout and a fixed duration.

* Introduce  KerberosSession as a mixin class to share session
  duration functionality with all classes manipulating session data
  with Kerberos auth. This is both the non-RPC login class and the RPC
  classes.

* Update make-lint to handle new classes.

* Added session_auth_duration_type config item.

* Updated default.conf.5 man page for new session_auth_duration_type item.

* Removed these unused config items: mount_xmlserver,
  mount_jsonserver, webui_assets_dir

https://fedorahosted.org/freeipa/ticket/2392
2012-02-27 05:55:15 -05:00
John Dennis
9753fd4230 Tweak the session auth to reflect developer consensus.
* Increase the session ID from 48 random bits to 128.

* Implement the sesison_logout RPC command. It permits the UI to send
  a command that destroys the users credentials in the current
  session.

* Restores the original web URL's and their authentication
  protections. Adds a new URL for sessions /ipa/session/json. Restores
  the original Kerberos auth which was for /ipa and everything
  below. New /ipa/session/json URL is treated as an exception and
  turns all authenticaion off. Similar to how /ipa/ui is handled.

* Refactor the RPC handlers in rpcserver.py such that there is one
  handler per URL, specifically one handler per RPC and AuthMechanism
  combination.

* Reworked how the URL names are used to map a URL to a
  handler. Previously it only permitted one level in the URL path
  hierarchy. We now dispatch on more that one URL path component.

* Renames the api.Backend.session object to wsgi_dispatch. The use of
  the name session was historical and is now confusing since we've
  implemented sessions in a different location than the
  api.Backend.session object, which is really a WSGI dispatcher, hence
  the new name wsgi_dispatch.

* Bullet-proof the setting of the KRB5CCNAME environment
  variable. ldap2.connect already sets it via the create_context()
  call but just in case that's not called or not called early enough
  (we now have other things besides ldap which need the ccache) we
  explicitly set it early as soon as we know it.

* Rework how we test for credential validity and expiration. The
  previous code did not work with s4u2proxy because it assumed the
  existance of a TGT. Now we first try ldap credentials and if we
  can't find those fallback to the TGT. This logic was moved to the
  KRB5_CCache object, it's an imperfect location for it but it's the
  only location that makes sense at the moment given some of the
  current code limitations. The new methods are KRB5_CCache.valid()
  and KRB5_CCache.endtime().

* Add two new classes to session.py AuthManager and
  SessionAuthManager. Their purpose is to emit authication events to
  interested listeners. At the moment the logout event is the only
  event, but the framework should support other events as they arise.

* Add BuildRequires python-memcached to freeipa.spec.in

* Removed the marshaled_dispatch method, it was cruft, no longer
  referenced.

https://fedorahosted.org/freeipa/ticket/2362
2012-02-27 05:54:29 -05:00
Petr Viktorin
a09063cbb8 Make sure the nolog argument to ipautil.run is not a bare string
ipautil.run expects a tuple of passwords for nolog; passing a
single string causes all individual letters from that string to
be replaced by Xes.

This fixes such a call, and adds a sanity check to ipautil.run
that prevents lone strings from being used in nolog.

https://fedorahosted.org/freeipa/ticket/2419
2012-02-26 23:26:54 -05:00
Martin Kosek
7fe63f8233 Add SSHFP update policy for existing zones
SSH public key support includes a feature to automatically add/update
client SSH fingerprints in SSHFP records. However, the update won't
work for zones created before this support was added as they don't
allow clients to update SSHFP records in their update policies.

This patch lets dns upgrade module extend the original policy
to allow the SSHFP dynamic updates. It updates only original
policy, we don't want it to overwrite custom user policies.

https://fedorahosted.org/freeipa/ticket/2394
2012-02-27 18:04:19 +01:00
Rob Crittenden
31f00f90f1 Fix managing winsync replication agreements with ipa-replica-manage
force-sync, re-initialize and del were not working because they
all attempted to contact the AD server. winsync agreements are
managed on the local 389-ds instance.

This also:
- requires root to create winsync agreement (for updating NSS db)
- fixes filter in get_replication_agreement() to work with winsync

https://fedorahosted.org/freeipa/ticket/2128
2012-02-27 14:38:21 +01:00
Rob Crittenden
b241e828a9 Catch public exceptions when creating the LDAP context in WSGI.
Made specifically for the case where S4U2Proxy delegation fails.

https://fedorahosted.org/freeipa/ticket/2414
2012-02-24 16:53:24 +01:00
Martin Kosek
8605790225 Query and transfer ACLs for DNS zones
Provide a way to specify BIND allow-query and allow-transfer ACLs
for DNS zones.

IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To
avoid zone information leaks to unintended places, allow-transfer
ACL for every zone is by default set to none and has to be
explicitly enabled by an Administrator. This is done both for new
DNS zones and old DNS zones during RPM update via new DNS upgrade
plugin.

https://fedorahosted.org/freeipa/ticket/1211
2012-02-24 09:40:43 +01:00
Martin Kosek
2cf5893761 Global DNS options
Implement API for DNS global options supported in bind-dyndb-ldap.
Currently, global DNS option overrides any relevant option in
named.conf. Thus they are not filled by default they are left as
a possibility for a user.

Bool encoding had to be fixed so that Bool LDAP attribute can also
be deleted and not just set to True or False.

https://fedorahosted.org/freeipa/ticket/2216
2012-02-24 09:40:40 +01:00
Rob Crittenden
7aeae93c34 Don't check for schema uniqueness when comparing in ldapupdate.
This is needed on F-17+, otherwise things blow up when we try to see
if we've added new schema.

Introspection is required to see if the argument check_uniqueness is
available.

https://fedorahosted.org/freeipa/ticket/2383
2012-02-22 18:16:13 -05:00
Rob Crittenden
ecf544ea0b Make sure memberof is in replication attribute exclusion list.
A previous bug caused this attribute to not be added which would lead
to unnecessary replication. This runs as an updater plugin.

https://fedorahosted.org/freeipa/ticket/2223
2012-02-23 15:54:59 +01:00
Rob Crittenden
b9e3685534 Add the -v option to sslget to provide more verbose errors
I noticed a couple of bad references in ipapython/dogtag.py and
fixed those as well. We used to call sslget for all our SSL client
needs before python-nss was written.

https://fedorahosted.org/freeipa/ticket/2391
2012-02-23 11:26:06 +01:00
Rob Crittenden
65f40aeb8d Use FQDN in place of FQHN for consistency in sub_dict.
For some reason lost to history the sub_dict in dsinstance and
cainstance used FQHN instead of FQDN. This made upgrade scripts not
work reliably as the variable might be different depending on context.
Use FQDN universally instead.
2012-02-15 20:27:34 -05:00
Rob Crittenden
b9bc99e43a Enable ipa_memcached when upgrading
Add support for autobind to services. This is a bit of a special case
so I currently require the caller to specify ldapi separately. It only
makes sense to do this only in upgrade cases.

Also uninstall ipa_memcached when uninstalling the server.

https://fedorahosted.org/freeipa/ticket/2399
2012-02-16 14:43:08 +01:00
Rob Crittenden
08413612d4 Remove Apache ccache on upgrade.
Make this removal a common function that can be shared between installer
and upgrade tool.

https://fedorahosted.org/freeipa/ticket/2395
2012-02-15 17:31:24 +01:00
Rob Crittenden
f2da73e367 Correct update syntax in 30-s4u2proxy.update
Always have FQDN available in the update dictionary. There were cases
where it would contain the ldapi socket path and not the FQDN.

https://fedorahosted.org/freeipa/ticket/2147
2012-02-15 17:27:05 +01:00
Rob Crittenden
af52c4d31e Update S4U2proxy delegation list when creating replicas 2012-02-15 17:24:16 +01:00
Rob Crittenden
431286a0f6 Don't use sets when calculating the modlist so order is preserved.
This is for the LDAP updater in particular. When adding new schema
order can be important when one objectclass depends on another via
SUP.

This calculation will preserve the order of changes in the update file.

Discovered trying to add SSH schema.

https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:22:58 -05:00
Jan Cholasta
6488378764 Move the compat module from ipalib to ipapython.
Fixes import problems trying to import just ipalib/compat.py.

https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:22:49 -05:00
Jan Cholasta
c34f5fbc88 Update host SSH public keys on the server during client install.
This is done by calling host-mod to update the keys on IPA server and nsupdate
to update DNS SSHFP records. DNS update can be disabled using --no-dns-sshfp
ipa-client-install option.

https://fedorahosted.org/freeipa/ticket/1634
2012-02-13 22:21:43 -05:00
Jan Cholasta
3c2b0fc28a Add support for SSH public keys to user and host objects.
This patch adds a new multivalue param "sshpubkey" for specifying SSH public
keys to both user and host objects. The accepted value is base64-encoded
public key blob as specified in RFC4253, section 6.6.

Additionaly, host commands automatically update DNS SSHFP records when
requested by user.

https://fedorahosted.org/freeipa/ticket/754
2012-02-13 22:21:27 -05:00
Petr Viktorin
90d99f6017 Clean up i18n strings
This patch switches to named ("%(name)s") instead of positional ("%s")
substitutions for internationalized strings, so translators can
reorder the words.
This fixes https://fedorahosted.org/freeipa/ticket/2179 (xgettext no
longer gives warnings).

Also, some i18n calls are rewritten to translate the template before
substitutions, not after.
2012-02-10 11:53:40 +01:00
John Dennis
bba4ccb3a0 add session manager and cache krb auth
This patch adds a session manager and support for caching
authentication in the session. Major elements of the patch are:

* Add a session manager to support cookie based sessions which
  stores session data in a memcached entry.

* Add ipalib/krb_utils.py which contains functions to parse ccache
  names, format principals, format KRB timestamps, and a KRB_CCache
  class which reads ccache entry and allows one to extract information
  such as the principal, credentials, credential timestamps, etc.

* Move krb constants defined in ipalib/rpc.py to ipa_krb_utils.py so
  that all kerberos items are co-located.

* Modify javascript in ipa.js so that the IPA.command() RPC call
  checks for authentication needed error response and if it receives
  it sends a GET request to /ipa/login URL to refresh credentials.

* Add session_auth_duration config item to constants.py, used to
  configure how long a session remains valid.

* Add parse_time_duration utility to ipalib/util.py. Used to parse the
  session_auth_duration config item.

* Update the default.conf.5 man page to document session_auth_duration
  config item (also added documentation for log_manager config items
  which had been inadvertantly omitted from a previous commit).

* Add SessionError object to ipalib/errors.py

* Move Kerberos protection in Apache config from /ipa to /ipa/xml and
  /ipa/login

* Add SessionCCache class to session.py to manage temporary Kerberos
  ccache file in effect for the duration of an RPC command.

* Adds a krblogin plugin used to implement the /ipa/login
  handler. login handler sets the session expiration time, currently
  60 minutes or the expiration of the TGT, whichever is shorter. It
  also copies the ccache provied by mod_auth_kerb into the session
  data.  The json handler will later extract and validate the ccache
  belonging to the session.

* Refactored the WSGI handlers so that json and xlmrpc could have
  independent behavior, this also moves where create and destroy
  context occurs, now done in the individual handler rather than the
  parent class.

* The json handler now looks up the session data, validates the ccache
  bound to the session, if it's expired replies with authenicated
  needed error.

* Add documentation to session.py. Fully documents the entire process,
  got questions, read the doc.

* Add exclusions to make-lint as needed.
2012-02-09 13:20:45 -06:00
John Dennis
d1e0c1b606 Add ipa_memcached service
* Adds ipa_memcached SystemV initscript

* Adds ipa_memcached service file and tmpfiles.d/ipa.conf
  to recreate /var/run/ipa_memcached on reboot.

* Adds ipa_memcached config file

* Adds memcacheinstnace.py to manage ipa_memcaced as
  as SimpleService object.

* Updates the IPA service list to include ipa_memcached,
  at service positon 39, httpd is position 40

* Updates the spec file:
  - requires the memcached daemon and python client
  - installs service or initscripts depending on OS
  - installs config file
  - creates /var/run/ipa_memcached directory

* Modifies ipa-server-install to install ipa_memcached
2012-02-09 13:20:28 -06:00
Alexander Bokovoy
af187713e7 Adopt to python-ldap 2.4.6 by removing unused references which are not available in python-ldap anymore 2012-02-08 20:13:21 -05:00
Rob Crittenden
e6cdcad8df Require minimum SSF 56, confidentially. Also ensure minssf <= maxssf.
This ensures a correct configuration in case a user has created their
own openldap config file and set SASL_SECPROPS to something bad.

Note that this doesn't modify the 389-ds setting which by default is 0.

https://fedorahosted.org/freeipa/ticket/2021
2012-02-05 19:01:34 -05:00
Rob Crittenden
7a1399bee1 Check for the existence of a replication agreement before deleting it.
When using ipa-replica-manage or ipa-csreplica-manage to delete an
agreement with a host we would try to make a connection to that host
prior to tryign to delete it. This meant that the trying to delete
a host we don't have an agreement with would return a connection
error instead of a "no agreement with host foo" error.

Also display a completed message when an agreement is removed.

https://fedorahosted.org/freeipa/ticket/2048
https://fedorahosted.org/freeipa/ticket/2125
2012-01-30 17:27:55 +01:00
Rob Crittenden
ce360f37f8 Don't try to bind on TLS failure
We have bind code that can handle the case where a server hasn't
come up yet. It needs to handle a real connection failure such
as the TLS hostname not matching. If we try to bind anyway we end
up with a segfault in openldap.

https://fedorahosted.org/freeipa/ticket/2301
2012-01-30 10:33:41 +01:00
Martin Kosek
4277253b83 Fix ldap2 combine_filters for ldap2.MATCH_NONE
"!" is a unary LDAP filter operator and cannot be treated in the
same way as binary operators ("&", "|"). Otherwise, an invalid
LDAP filter is created.

https://fedorahosted.org/freeipa/ticket/1675
2012-01-26 10:17:35 -06:00
Ondrej Hamada
ed061ce910 Leave nsds5replicaupdateschedule parameter unset
The nsDS5ReplicaUpdateSchedule parameter is omited what results in
replication being run all the time. The parameter is still used for
forcing replica update but after that action it is always deleted.

https://fedorahosted.org/freeipa/ticket/1482
2012-01-24 22:00:36 -05:00
Martin Kosek
6141919fba Fix ipa-server-install for dual NICs
A server may have 2 or more NICs and its hostname may thus resolve
to 2 and more forward addresses. IP address checks in install
scripts does not expect this setup and may fail or crash.

This script adds a support for multiple forward addresses for
a hostname. The install scripts do not crash now. When one IP
address is needed, user is asked to choose from all detected
server IP addresses.

https://fedorahosted.org/freeipa/ticket/2154
2012-01-22 23:01:42 -05:00
Martin Kosek
092dd8db12 Replace float with Decimal
Having float type as a base type for floating point parameters in
ipalib introduces several issues, e.g. problem with representation
or value comparison. Python language provides a Decimal type which
help overcome these issues.

This patch replaces a float type and Float parameter with a
decimal.Decimal type in Decimal parameter. A precision attribute
was added to Decimal parameter that can be used to limit a number
of decimal places in parameter representation. This approach fixes
a problem with API.txt validation where comparison of float values
may fail on different architectures due to float representation error.

In order to safely transfer the parameter value over RPC it is
being converted to string which is then converted back to
decimal.Decimal number on a server side.

https://fedorahosted.org/freeipa/ticket/2260
2012-01-20 08:13:44 +01:00
Simo Sorce
0d3cd4c384 Fix replication setup
Changes to add a cs-replication management tool mistakenly always set a flag
that caused replicas to not add the list of attribute we exclude from
replication.
2012-01-13 10:22:38 -05:00
Martin Kosek
95f3ec5d70 Let replicas install without DNS
Let ipa-replica-prepare and ipa-replica-install work without
proper DNS records as records in /etc/hosts are sufficient for
DS replication.

  1) ipa-replica-prepare now just checks if the replica hostname
     is resolvable (DNS records are not required). It is now able
     to prepare a replica file even when the replica IP address is
     present in /etc/hosts only.
  2) ipa-replica-install is now able to proceed when the hostname
     is not resolvable. It uses an IP address passed in a new
     option --ip-address to create a record in /etc/hosts in the
     same way as ipa-server-install does.

https://fedorahosted.org/freeipa/ticket/2139
2012-01-13 09:11:05 +01:00
Martin Kosek
5550ee1607 Fix LDAP add calls in replication module
Replace conn.add_s(entry) with conn.addEntry(entry) to avoid
function calls with an invalid number of parameters.

https://fedorahosted.org/freeipa/ticket/2139
2012-01-13 09:10:50 +01:00
Rob Crittenden
c08296adff Configure s4u2proxy during installation.
This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX

Within that container we control which services are allowed to
delegate tickets for other services. Right now that is limited
from the IPA HTTP to ldap services.

Requires a version of mod_auth_kerb that supports s4u2proxy

https://fedorahosted.org/freeipa/ticket/1098
2012-01-10 22:39:26 -05:00
Jan Cholasta
9beb467d98 Fix attempted write to attribute of read-only object.
Add new class "cachedproperty" for creating property-like attributes
that cache the return value of a method call.

Also fix few issues in the unit tests to enable them to succeed.

ticket 1959
2012-01-02 11:51:26 +03:00
Endi Sukma Dewata
46d3abc450 Reload UI on server upgrade.
The JSON server has been modified to return the version number
in all responses. The UI has been modified to keep the version
obtained during env operation and check the version returned
in subsequent operations. If the version changes the UI will
reload itself.

Ticket 
2011-12-21 13:23:08 -06:00
Endi Sukma Dewata
edd37d2019 Reload UI when the user changes.
The JSON server has been modified to return the principal name
in all responses. The UI has been modified to keep the principal
obtained during whoami operation and check the principal returned
in subsequent operations. If the principal changes the UI will
reload itself.

Ticket 
2011-12-21 13:22:45 -06:00
Rob Crittenden
2d6eeb205e Require an HTTP Referer header in the server. Send one in ipa tools.
This is to prevent a Cross-Site Request Forgery (CSRF) attack where
a rogue server tricks a user who was logged into the FreeIPA
management interface into visiting a specially-crafted URL where
the attacker could perform FreeIPA oonfiguration changes with the
privileges of the logged-in user.

https://bugzilla.redhat.com/show_bug.cgi?id=747710
2011-12-12 17:36:45 -05:00
Martin Kosek
8526f65f59 Add connection failure recovery to IPAdmin
Recover from connection failures in IPAdmin LDAP bind functions and
rather try reconnect in scope of a given timeout instead of giving
up after the first failed connection.

The recovery fixes ipa-ldap-updater on F-16 which always failed
because of a missing dirsrv socket.

https://fedorahosted.org/freeipa/ticket/2175
2011-12-08 14:58:18 +01:00
Sumit Bose
3de257fe54 activate CLDAP 2011-12-06 08:29:53 -05:00
Sumit Bose
7c3e5f1be5 Fix some pylint warnings 2011-12-06 08:29:53 -05:00
Sumit Bose
0945e46845 Use new objectclasses and attributes for trust 2011-12-06 08:29:53 -05:00
Sumit Bose
9a14fa6c2f Move our own domain info into cn=etc
https://fedorahosted.org/freeipa/ticket/2001
2011-12-06 08:29:53 -05:00
Sumit Bose
2ac9d4816a Add DNS service records for Windows
https://fedorahosted.org/freeipa/ticket/1939
2011-11-30 11:28:39 +01:00
Martin Kosek
6d97444620 Change default DNS zone manager to hostmaster
Change our default zone manager to hostmaster@<domain> (as per
RFC 2142 recommendation).

https://fedorahosted.org/freeipa/ticket/1981
2011-11-29 17:16:32 +01:00
Martin Kosek
3f0eb1417c Improve zonemgr validator and normalizer
The validator has been improved to support better both SOA format
(e-mail address in a domain name format, without '@') and standard
e-mail format. Allow '\.' character in a SOA format encoding the
standard '.' in the local-part of an e-mail. Normalization code
has been moved to one common function.

https://fedorahosted.org/freeipa/ticket/2053
2011-11-29 17:14:28 +01:00
Martin Kosek
ac45a5eee8 Revert "Add DNS service records for Windows"
A wrong version of the patch has been pushed.

This reverts commit d24dda2fe3.
2011-11-29 14:13:58 +01:00
John Dennis
39adb6d3a8 ticket - subclass SimpleLDAPObject
We use convenience types (classes) in IPA which make working with LDAP
easier and more robust. It would be really nice if the basic python-ldap
library understood our utility types and could accept them as parameters
to the basic ldap functions and/or the basic ldap functions returned our
utility types.

Normally such a requirement would trivially be handled in an object-
oriented language (which Python is) by subclassing to extend and modify
the functionality. For some reason we didn't do this with the python-ldap
classes.

python-ldap objects are primarily used in two different places in our
code, ipaserver.ipaldap.py for the IPAdmin class and in
ipaserver/plugins/ldap2.py for the ldap2 class's .conn member.

In IPAdmin we use a IPA utility class called Entry to make it easier to
use the results returned by LDAP. The IPAdmin class is derived from
python-ldap.SimpleLDAPObject. But for some reason when we added the
support for the use of the Entry class in SimpleLDAPObject we didn't
subclass SimpleLDAPObject and extend it for use with the Entry class as
would be the normal expected methodology in an object-oriented language,
rather we used an obscure feature of the Python language to override all
methods of the SimpleLDAPObject class by wrapping those class methods in
another function call. The reason why this isn't a good approach is:

* It violates object-oriented methodology.

* Other classes cannot be derived and inherit the customization (because
the method wrapping occurs in a class instance, not within the class
type).

* It's non-obvious and obscure

* It's inefficient.

Here is a summary of what the code was doing:

It iterated over every member of the SimpleLDAPObject class and if it was
callable it wrapped the method. The wrapper function tested the name of
the method being wrapped, if it was one of a handful of methods we wanted
to customize we modified a parameter and called the original method. If
the method wasn't of interest to use we still wrapped the method.

It was inefficient because every non-customized method (the majority)
executed a function call for the wrapper, the wrapper during run-time used
logic to determine if the method was being overridden and then called the
original method. So every call to ldap was doing extra function calls and
logic processing which for the majority of cases produced nothing useful
(and was non-obvious from brief code reading some methods were being
overridden).

Object-orientated languages have support built in for calling the right
method for a given class object that do not involve extra function call
overhead to realize customized class behaviour. Also when programmers look
for customized class behaviour they look for derived classes. They might
also want to utilize the customized class as the base class for their use.

Also the wrapper logic was fragile, it did things like: if the method name
begins with "add" I'll unconditionally modify the first and second
argument. It would be some much cleaner if the "add", "add_s", etc.
methods were overridden in a subclass where the logic could be seen and
where it would apply to only the explicit functions and parameters being
overridden.

Also we would really benefit if there were classes which could be used as
a base class which had specific ldap customization.

At the moment our ldap customization needs are:

1) Support DN objects being passed to ldap operations

2) Support Entry & Entity objects being passed into and returned from
ldap operations.

We want to subclass the ldap SimpleLDAPObject class, that is the base
ldap class with all the ldap methods we're using. IPASimpleLDAPObject
class would subclass SimpleLDAPObject class which knows about DN
objects (and possilby other IPA specific types that are universally
used in IPA). Then  IPAEntrySimpleLDAPObject would subclass
IPASimpleLDAPObject which knows about Entry objects.

The reason for the suggested class hierarchy is because DN objects will be
used whenever we talk to LDAP (in the future we may want to add other IPA
specific classes which will always be used). We don't add Entry support to
the the IPASimpleLDAPObject class because Entry objects are (currently)
only used in IPAdmin.

What this patch does is:

* Introduce IPASimpleLDAPObject derived from
  SimpleLDAPObject. IPASimpleLDAPObject is DN object aware.

* Introduce IPAEntryLDAPObject derived from
  IPASimpleLDAPObject. IPAEntryLDAPObject is Entry object aware.

* Derive IPAdmin from IPAEntryLDAPObject and remove the funky method
  wrapping from IPAdmin.

* Code which called add_s() with an Entry or Entity object now calls
  addEntry(). addEntry() always existed, it just wasn't always
  used. add_s() had been modified to accept Entry or Entity object
  (why didn't we just call addEntry()?). The add*() ldap routine in
  IPAEntryLDAPObject have been subclassed to accept Entry and Entity
  objects, but that should proably be removed in the future and just
  use addEntry().

* Replace the call to ldap.initialize() in ldap2.create_connection()
  with a class constructor for IPASimpleLDAPObject. The
  ldap.initialize() is a convenience function in python-ldap, but it
  always returns a SimpleLDAPObject created via the SimpleLDAPObject
  constructor, thus ldap.initialize() did not allow subclassing, yet
  has no particular ease-of-use advantage thus we better off using the
  obvious class constructor mechanism.

* Fix the use of _handle_errors(), it's not necessary to construct an
  empty dict to pass to it.

If we follow the standard class derivation pattern for ldap we can make us
of our own ldap utilities in a far easier, cleaner and more efficient
manner.
2011-11-29 13:31:18 +01:00
John Dennis
e1c1fcf543 Ticket - IPAdmin undefined anonymous parameter lists
The IPAdmin class in ipaserver/ipaldap.py has methods with anonymous
undefined parameter lists.

For example:

    def getList(self,*args):

In Python syntax this means you can call getList with any positional
parameter list you want.

This is bad because:

1) It's not true, *args gets passed to an ldap function with a well
defined parameter list, so you really do have to call it with a
defined parameter list. *args will let you pass anything, but once it
gets passed to the ldap function it will blow up if the parameters do
not match (what parameters are those you're wondering? see item 2).

2) The programmer does not know what the valid parameters are unless
they are defined in the formal parameter list.

3) Without a formal parameter list automatic documentation generators
cannot produce API documentation (see item 2)

4) The Python interpreter cannot validate the parameters being passed
because there is no formal parameter list. Note, Python does not
validate the type of parameters, but it does validate the correct
number of postitional parameters are passed and only defined keyword
parameters are passed. Bypassing the language support facilities leads
to programming errors.

5) Without a formal parameter list program checkers such as pylint
cannot validate the program which leads to progamming errors.

6) Without a formal parameter list which includes default keyword
parameters it's not possible to use keyword arguments nor to know what
their default values are (see item 2). One is forced to pass a keyword
argument as a positional argument, plus you must then pass every
keyword argument between the end of the positional argument list and
keyword arg of interest even of the other keyword arguments are not of
interest. This also demands you know what the default value of the
intermediate keyword arguments are (see item 2) and hope they don't
change.

Also the *args anonymous tuple get passed into the error handling code
so it can report what the called values were. But because the tuple is
anonymous the error handler cannot not describe what it was passed. In
addition the error handling code makes assumptions about the possible
contents of the anonymous tuple based on current practice instead of
actual defined values. Things like "if the number of items in the
tuple is 2 or less then the first tuple item must be a dn
(Distinguished Name)" or "if the number of items in the tuple is
greater than 2 then the 3rd item must be an ldap search filter". These
are constructs which are not robust and will fail at some point in the
future.

This patch also fixes the use of IPAdmin.addEntry(). It was sometimes
being called with (dn, modlist), sometimes a Entry object, or
sometimes a Entity object. Now it's always called with either a Entry
or Entity object and IPAdmin.addEntry() validates the type of the
parameter passed.
2011-11-29 13:30:57 +01:00
Sumit Bose
d24dda2fe3 Add DNS service records for Windows
https://fedorahosted.org/freeipa/ticket/1939
2011-11-23 00:24:07 -05:00
Rob Crittenden
fbdeda1da0 Fix some issues introduced when rebasing update patch 2011-11-23 00:21:03 -05:00
Rob Crittenden
2f4b3972a0 Add plugin framework to LDAP updates.
There are two reasons for the plugin framework:
1. To provide a way of doing manual/complex LDAP changes without having
   to keep extending ldapupdate.py (like we did with managed entries).
2. Allows for better control of restarts.

There are two types of plugins, preop and postop. A preop plugin runs
before any file-based updates are loaded. A postop plugin runs after
all file-based updates are applied.

A preop plugin may update LDAP directly or craft update entries to be
applied with the file-based updates.

Either a preop or postop plugin may attempt to restart the dirsrv instance.
The instance is only restartable if ipa-ldap-updater is being executed
as root. A warning is printed if a restart is requested for a non-root
user.

Plugins are not executed by default. This is so we can use ldapupdate
to apply simple updates in commands like ipa-nis-manage.

https://fedorahosted.org/freeipa/ticket/1789
https://fedorahosted.org/freeipa/ticket/1790
https://fedorahosted.org/freeipa/ticket/2032
2011-11-22 23:57:10 -05:00
John Dennis
56401c1abe ticket 2022 - modify codebase to utilize IPALogManager, obsoletes logging
change default_logger_level to debug in configure_standard_logging

add new ipa_log_manager module, move log_mgr there, also export
root_logger from log_mgr.

change all log_manager imports to ipa_log_manager and change
log_manager.root_logger to root_logger.

add missing import for parse_log_level()
2011-11-23 09:36:18 +01:00
Jan Cholasta
e7a6d10555 Finalize plugin initialization on demand.
This patch changes the way plugins are initialized. Instead of
finalizing all the plugins at once, plugins are finalized only after
they are accessed (currently applies to Command, Object and
Attribute subclasses, only in CLI by default).

This change provides significant performance boost, as only the
plugins that are actually used are finalized.

ticket 1336
2011-11-22 00:52:24 -05:00
Rob Crittenden
8be0d84a59 Don't check for 389-instances.
We no longer need to enforce that no 389-ds instances exist on an IPA
server. Checking that the ports exist should be enough.

This used to be one mechanism we used to check to see if IPA was already
installed. We have a better mechanism now.

https://fedorahosted.org/freeipa/ticket/1735
2011-11-16 10:26:35 +01:00
JR Aquino
714b0d11ec Replication: Adjust replica installation to omit processing memberof computations
https://fedorahosted.org/freeipa/ticket/1794

If the master does not yet support the total update list feature we still
run the memberof fixup task and not fail to replicate due to the new
attribute not being settable.

Jointly-developed-with: Simo Sorce <ssorce@redhat.com>
Jointly-developed-with: Nathank Kinder <nkinder@redhat.com>
2011-11-14 05:30:06 -05:00
Rob Crittenden
97660ac4d5 Remove calls to has_managed_entries()
At one point in time we couldn't depend on the 389-ds having
the managed entries plugin so this code was added to support
both versions. It is no longer needed.

https://fedorahosted.org/freeipa/ticket/1242
2011-11-11 08:40:02 +01:00
Martin Kosek
b5c049ae2e Allow custom server backend encoding
Server framework does not support encoding of native Python type
values stored in Param classes and sub-classes. When backend (LDAP)
value encoding differs from Python type value representation user
has to has to hard-code the encoders in his processing.

This patch introduces a method Param.encode which is used in server
context to encode native Python Param values. The new encode method
is used for Bool parameter to convert native Python bool type value
(True, False) to LDAP value ("TRUE", "FALSE").

https://fedorahosted.org/freeipa/ticket/2039
2011-11-09 15:31:19 +01:00
Martin Kosek
b26d0dcc04 Add --zonemgr/--admin-mail validator
Do at least a basic validation of DNS zone manager mail address.

Do not require '@' to be in the mail address as the SOA record
stores this value without it and people may be used to configure
it that way. '@' is always removed by the installer/dns plugin before
the DNS zone is created.

https://fedorahosted.org/freeipa/ticket/1966
2011-10-26 08:52:50 +02:00
Alexander Bokovoy
9bdbdbc0f3 Quote multiple workers option
https://fedorahosted.org/freeipa/ticket/2023
2011-10-25 18:11:00 +02:00
Alexander Bokovoy
109571d384 Spin for connection success also when socket is not (yet) available
We were spinning for socket connection if attempt to connect returned errno 111
(connection refused). However, it is not enough for local AF_UNIX sockets as
heavy applications might not be able to start yet and therefore the whole path
might be missing. So spin for errno 2 (no such file or directory) as well.

Partial fix for
  https://fedorahosted.org/freeipa/ticket/1990
2011-10-24 15:10:45 +02:00
Alexander Bokovoy
25d5d7ed93 Add support for systemd environments and use it to support Fedora 16
https://fedorahosted.org/freeipa/ticket/1192
2011-10-24 15:10:11 +02:00
Martin Kosek
363c23a37c Check /etc/hosts file in ipa-server-install
There may already be a record in /etc/hosts for chosen IP address
which may not be detected under some circumstances. Make sure
that /etc/hosts is checked properly.

https://fedorahosted.org/freeipa/ticket/1923
2011-10-13 00:54:45 -04:00
Martin Kosek
77cc5e0246 Hostname used by IPA must be a system hostname
Make sure that the hostname IPA uses is a system hostname. If user
passes a non-system hostname, update the network settings and
system hostname in the same way that ipa-client-install does.

This step should prevent various services failures which may not
be ready to talk to IPA with non-system hostname.

https://fedorahosted.org/freeipa/ticket/1931
2011-10-13 00:54:41 -04:00
Martin Kosek
9bff6cb8a9 Check hostname resolution sanity
Always check (even with --setup-dns or --no-host-dns) that if the
host name or ip address resolves, it resolves to sane value. Otherwise
report an error. Misconfigured /etc/hosts causing these errors could
harm the installation later.

https://fedorahosted.org/freeipa/ticket/1923
2011-10-13 00:54:37 -04:00
Rob Crittenden
9a4fd254ff Work around limits not being updatable in 389-ds.
The bug to fix updates, BZ 741744, isn't working. For the short
term add the attributes we want to update to the REPLACE
whitelist so rather than using an ADD and DEL operation it will
use a REPLACE.

https://fedorahosted.org/freeipa/ticket/1888
2011-10-12 22:42:07 -04:00
Rob Crittenden
197b1acfe4 Fix has_upg() to work with relocated managed entries configuration.
https://fedorahosted.org/freeipa/ticket/1964
2011-10-13 21:38:03 +02:00
Martin Kosek
e5389ffd51 Optimize member/memberof searches in LDAP
When investigating if member/memberof attribute is direct/indirect
we do a lot of LDAP SCOPE_SUBTREE searches when we actually search
just for one item. Make sure we search only with SCOPE_BASE to improve
the performance.

One not so efficient iteration was also changed to list comprehension
to speed things up a tiny bit.

https://fedorahosted.org/freeipa/ticket/1885
2011-10-12 06:31:16 -04:00
Jan Cholasta
0d823ddc4e Don't leak passwords through kdb5_ldap_util command line arguments.
ticket 1948
2011-10-11 21:25:17 -04:00
Alexander Bokovoy
498311d2ef Write KRB5REALM to /etc/sysconfig/krb5kdc and make use of common backup_config_and_replace_variables() tool
systemd service unit for krb5kdc in Fedora 16 uses KRB5REALM variable of
/etc/sysconfig/krb5kdc to start krb5kdc for the default realm. Thus, we
need to make sure it is always existing and pointing to our realm.

Partial fix for:
   https://fedorahosted.org/freeipa/ticket/1192
2011-10-11 18:21:48 -04:00
Martin Kosek
070bc7f725 Fix dnszone-add name_from_ip server validation
Ticket 1627 contained a (temporary hack-ish) fix for dnszone-add
name_from_ip validation which works fine for CLI. However, when
the command is not proceeded via CLI and sent directly to the
RPC server, the server throws Internal Server Error.

Make sure that the server returns a reasonable error. Also implement
2 unit cases testing this option

https://fedorahosted.org/freeipa/ticket/1941
2011-10-11 15:15:15 +02:00
Martin Kosek
88e693a1a5 Improve default user/group object class validation
When user/group default object class is being modified via
ipa config-mod, no validation check is run. Check at least
the following:

- all object classes are known to LDAP
- all default user/group attributes are allowed under the new
  set of default object classes

https://fedorahosted.org/freeipa/ticket/1893
2011-10-11 14:49:36 +02:00
Rob Crittenden
7bd3b3e121 Fix DNS permissions and membership in privileges
This resolves two issues:

1. The DNS acis lacked a prefix so weren't tied to permissions
2. The permissions were added before the privileges so the member
   values weren't calculated properly

For updates we need to add in the members and recalculate memberof via
a DS task.

https://fedorahosted.org/freeipa/ticket/1898
2011-10-09 23:44:22 -04:00
Adam Young
f3ca0618c2 Make mod_nss renegotiation configuration a public function 2011-10-09 23:32:55 -04:00
Rob Crittenden
03c8a34cb3 When calculating indirect membership don't test nesting on users and hosts.
Members are dereferenced when calculating indirect membership. We don't
need to check hosts and users for members.

This significantly reduces the number of queries required for large groups.

https://fedorahosted.org/freeipa/ticket/1885
2011-10-06 17:06:14 -04:00
Martin Kosek
5b968f9632 Improve ipa-replica-prepare DNS check
Currently, verify_fqdn() function raises RuntimeError for every
problem with the hostname. This makes it difficult for tools
like ipa-replica-prepare to behave differently for a subset of
raised errors (for example to be able to create a DNS record for
new replica when verify_fqdn() reports a lookup error).

Implement own exceptions for verify_fqdn() that they can be safely
used to distinguish the error type.

https://fedorahosted.org/freeipa/ticket/1899
2011-10-06 11:27:50 +02:00
Simo Sorce
652d315b3e replica-prepare: anonymous binds may be disallowed
Fixes: https://fedorahosted.org/freeipa/ticket/1900
2011-10-06 08:41:27 +02:00
Martin Kosek
185ca8f6fc Install tools crash when password prompt is interrupted
When getpass.getpass() function is interrupted via CTRL+D, EOFError
exception is thrown. Most of the install tools are not prepared for
this event and crash with this exception. Make sure that it is
handled properly and nice error message is printed.

https://fedorahosted.org/freeipa/ticket/1916
2011-10-06 08:28:15 +02:00
Jan Cholasta
209bcb0b98 Work around pkisilent bugs.
Check directory manager password and certificate subject base for
invalid characters.
(https://bugzilla.redhat.com/show_bug.cgi?id=658641)

Shell-escape pkisilent command-line arguments.
(https://bugzilla.redhat.com/show_bug.cgi?id=741180)

ticket 1636
2011-10-04 20:12:58 -04:00
Jan Cholasta
12bfed37d4 Add a function for formatting network locations of the form host:port for use in URLs.
If the host part is a literal IPv6 address, it must be enclosed in square
brackets (RFC 2732).

ticket 1869
2011-10-05 10:58:25 +02:00
Rob Crittenden
bd227b3562 Require current password when using passwd to change your own password.
Add a new required parameter, current_password. In order to ask this
first I added a new parameter option, sortorder. The lower the value the
earlier it will be prompted for.

I also changed the way autofill works. It will attempt to get the default
and if it doesn't get anything will continue prompting interactively.

Since current_password is required I'm passing a magic value that
means changing someone else's password. We need to pass something
since current_password is required.

The python-ldap passwd command doesn't seem to use the old password at
all so I do a simple bind to validate it.

https://fedorahosted.org/freeipa/ticket/1808
2011-10-04 15:16:15 +02:00
Rob Crittenden
a41457ec3a Detect CA installation type in ipa-replica-prepare and ipa-ca-install.
ipa-ca-install can only add a dogtag CA to an IPA install.

ipa-replica-prepare can only be run on the initial master with a
selfsign backend.

https://fedorahosted.org/freeipa/ticket/1756
https://fedorahosted.org/freeipa/ticket/1757
2011-09-27 17:50:46 +02:00
Jan Cholasta
5cd121d6dd Fix ipa-replica-prepare always warning the user about not using the system hostname.
ticket 1717
2011-09-26 17:11:09 +02:00
Sumit Bose
f323d818b9 Add admin SIDs
The admin SID DOMAIN-SID-500 will be assigned to the IPA admin user and the
admin group SID DOMAIN-SID-512 to the admins group.
2011-09-23 19:25:45 -04:00
Martin Kosek
9ccd979f02 Remove checks for ds-replication plugin
The replication plugin is no longer shipped as a separate package.
Remove the code checking its existence.

https://fedorahosted.org/freeipa/ticket/1815
2011-09-22 13:14:23 +02:00
Sumit Bose
0ebe23dc96 Fix ACIs in ipa-adtrust-install 2011-09-20 17:27:40 -04:00
Jan Cholasta
b43a38e9cb Check that install hostname matches the server hostname.
ticket 1717
2011-09-14 22:42:05 -04:00
Sumit Bose
29a7a7e8ce Add ipa-adtrust-install utility
https://fedorahosted.org/freeipa/ticket/1619
2011-09-14 18:45:13 -04:00
Rob Crittenden
4fd20966f6 Improved handling for ipa-pki-proxy.conf
- Remove ipa-pki-proxy.conf when IPA is uninstalled
- Move file removal to httpinstance.py and use remove_file()
- Add a version stanza
- Create the file if it doesn't exist on upgraded installs

https://fedorahosted.org/freeipa/ticket/1771
2011-09-13 16:09:15 +02:00
Jr Aquino
8b3336ef55 Move Managed Entries into their own container in the replicated space.
Repoint cn=Managed Entries,cn=plugins,cn=config in common_setup
Create: cn=Managed Entries,cn=etc,$SUFFIX
Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
Create method for dynamically migrating any and all custom Managed Entries
from the cn=config space into the new container.
Separate the connection creation during update so that a restart can
be performed to initialize changes before performing a delete.
Add wait_for_open_socket() method in installutils

https://fedorahosted.org/freeipa/ticket/1708
2011-09-12 16:28:27 -04:00
Alexander Bokovoy
1362202653 Introduce platform-specific adaptation for services used by FreeIPA.
Refactor FreeIPA code to allow abstracting all calls to external processes and
dependencies on modification of system-wide configuration. A platform provider
would give its own implementation of those methods and FreeIPA would use it
based on what's built in packaging process.

https://fedorahosted.org/freeipa/ticket/1605
2011-09-13 11:25:58 +02:00
Alexander Bokovoy
a02e0514f6 Convert server install code to platform-independent access to system services
https://fedorahosted.org/freeipa/ticket/1605
2011-09-13 11:14:18 +02:00
Martin Kosek
ba2a3ff44e Fix configure.jar permissions
Remove executable bit added by /usr/bin/signtool

https://fedorahosted.org/freeipa/ticket/1644
2011-09-07 13:11:13 +02:00
Martin Kosek
d0ce604b4d Fix permissions in installers
Fix permissions for (configuration) files produced by
ipa-server-install or ipa-client-install. This patch is needed
when root has a umask preventing files from being world readable.

https://fedorahosted.org/freeipa/ticket/1644
2011-09-07 13:02:43 +02:00
Simo Sorce
801dc97adb install: We do not need a kpasswd keytab anymore
We now use MIT's kadmin instead of our old ipa_kpasswd daemon.
kadmind knows how to fetch the keys directly from the database and doesn't need
a keytab on the filesystem.
2011-08-31 16:27:20 -04:00
Simo Sorce
096cc43fe6 install: We do not need a ldap password anymore
Our new ipa-kdb driver access ldap via ldapi:// and EXTERNAL auth and doesn't
need a bind password anymore.

Fixes: https://fedorahosted.org/freeipa/ticket/1743
2011-08-31 16:27:20 -04:00
Rob Crittenden
f8d0688178 Use the IPA server cert profile in the installer.
We were still using the caRAserverCert profile during installation.

https://fedorahosted.org/freeipa/ticket/1744
2011-08-30 20:17:57 -04:00
Martin Kosek
6a2dfde086 Let Bind track data changes
Integrate new bind-dyndb-ldap features to automatically track
DNS data changes:

 1) Zone refresh
    Set --zone-refresh in installation to define number of seconds
    between bind-dyndb-ldap polls for new DNS zones. User now
    doesn't have to restart name server when a new zone is added.

 2) New zone notifications
    Use LDAP persistent search mechanism to immediately get
    notification when any new DNS zone is added. Use --zone-notif
    install option to enable. This option is mutually exclusive
    with Zone refresh.

To enable this functionality in existing IPA installations,
update a list of arguments for bind-dyndb-ldap in /etc/named.conf.
An example when zone refresh is disabled and DNS data change
notifications (argument psearch of bind-dyndb-ldap) are enabled:

dynamic-db "ipa" {
...
        arg "zone_refresh 0";
        arg "psearch yes";
};

This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.

https://fedorahosted.org/freeipa/ticket/826
2011-08-31 16:46:12 +02:00
Jr Aquino
d05ace8fba 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin
Added new container in etc to hold the automembership configs.
Modified constants to point to the new container
Modified dsinstance to create the container
Created automember.py to add the new commands
Added xmlrpc test to verify functionality
Added minor fix to user.py for constant behavior between memberof
and automember

https://fedorahosted.org/freeipa/ticket/1272
2011-08-31 09:49:43 +02:00
Rob Crittenden
d7618acb73 Add common is_installed() fn, better uninstall logging, check for errors.
The installer and ipactl used two different methods to determine
whether IPA was configured, unify them.

When uninstalling report any thing that looks suspicious and warn
that a re-install may fail. This includes any remaining 389-ds instances
and any state or files that remains after all the module uninstallers
are complete.

Add wrappers for removing files and directories to log failures.

https://fedorahosted.org/freeipa/ticket/1715
2011-08-29 16:50:43 -04:00
Adam Young
5ee93349f6 enable proxy for dogtag
Dogtag is going to be proxied through httpd.  To make this work, it has to support renegotiation of the SSL
connection.  This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to  renegotiate.

The IPA install uses the internal ports instead of proxying through
httpd since  httpd is not set up yet.

IPA needs to Request the certificate through a port that uses authentication.  On the Dogtag side, they provide an additional mapping for this:   /ca/eeca/ca as opposed tp /ca/ee/ca  just for this purpose.

https://fedorahosted.org/freeipa/ticket/1334

add flag to pkicreate in order to enable using proxy.

add the proxy file in  /etc/http/conf.d/

Signed-off-by: Simo Sorce <ssorce@redhat.com>
2011-08-29 17:54:49 -04:00
Rob Crittenden
e4b62d0529 Remove 389-ds upgrade state during uninstall
When we perform an upgrade 389-ds is set to listen only on its
ldapi port. Theoretically it should be restored to the previous
state regardless of whether the upgrades were successful or not.

To be sure that a subsequent re-install will be successful go ahead
and remove the state for these options. Think of it as wearing a
belt and suspenders. Otherwise a re-install could return an error
message that IPA is already configured.

https://fedorahosted.org/freeipa/ticket/1667
2011-08-25 20:52:46 -04:00
Rob Crittenden
de83684c75 Remove more 389-ds files/directories on uninstallation.
We were orphaning a few files/directories when uninstalling 389-instances
both for IPA and dogtag. This should remove everything but the logs.

ticket https://fedorahosted.org/freeipa/ticket/1700
2011-08-25 20:49:23 -04:00
Simo Sorce
586e2eaf6c v3-schema: Add new ipaExternalGroup objectclass
This construct allows to have a group of ipaExternalMember attributes, that can
be nested in a normal ipa Group ('memberOf' is allowed).

It cannot contain normal ipa users/groups and cannot be nested with another
group of the same type ('member' is not allowed).
2011-08-26 08:26:13 -04:00
Simo Sorce
19cb08e579 schema: Split ipadns definitions from basev2 ones 2011-08-26 08:26:13 -04:00
Simo Sorce
dfa944da24 daemons: Remove ipa_kpasswd
Now that we have our own database we can properly enforce stricter constraints
on how the db can be changed. Stop shipping our own kpasswd daemon and instead
use the regular kadmin daemon.
2011-08-26 08:26:08 -04:00
Simo Sorce
8cb2aee626 install: Remove uid=kdc user
The ipadb DAL driver gets access to the ldap server as Directory Manager now so
this user is not needed anymore.
2011-08-26 08:24:50 -04:00
Simo Sorce
195a65d5c2 ipa-kdb: Change install to use the new ipa-kdb kdc backend
Use ipakdb instead of kldap and change install procedures accordingly
Note that we do not need to store the master key in a keytab as we can
read it off of ldap in our driver.
2011-08-26 08:24:50 -04:00
Simo Sorce
f2c39b1a30 krbinstance: use helper function to get realm suffix 2011-08-26 08:24:49 -04:00
Rob Crittenden
92780658b8 Log each command in a batch separately.
This also fixes command logging in general, it wasn't working in most
cases as a regression in ticket 1322.

https://fedorahosted.org/freeipa/ticket/1598
2011-08-19 01:21:22 -04:00
Jan Cholasta
b8d4f8ad9f Add option to install without the automatic redirect to the Web UI.
ticket 1570
2011-08-18 23:24:29 -04:00
Jan Cholasta
1ec531469e Make sure messagebus is running prior to starting certmonger.
ticket 1580
2011-08-18 20:15:48 -04:00
Martin Kosek
bc6e128426 Fix idnsUpdatePolicy for reverse zone record
Make sure that idnsUpdatePolicy for reverse zone does not contain
double trailing "dot" after server installation.

https://fedorahosted.org/freeipa/ticket/1591
2011-08-09 12:51:56 +02:00
Rob Crittenden
8495af1a50 Re-arrange CA configuration code to reduce the number of restarts.
Ade Lee from the dogtag team looked at the configuration code and
determined that a number of restarts were not needed and recommended
re-arranging other code to reduce the number of restarts to one.

https://fedorahosted.org/freeipa/ticket/1555
2011-08-03 20:38:07 -04:00
John Dennis
442973edc5 Clean up existing DN object usage 2011-07-29 13:13:55 +02:00
Jan Cholasta
9e7a3e7f3c Make sure that hostname specified by user is not an IP address.
ticket 1375
2011-07-25 01:47:52 -04:00
Jakub Hrozek
1554c9da68 Remove wrong kpasswd sysconfig 2011-07-21 00:41:50 -04:00
Jan Cholasta
c09f116f43 Clean up of IP address checks in install scripts.
Fixes ipa-dns-install incorrect warning.

ticket 1486
2011-07-19 12:30:47 +02:00
Jr Aquino
9869b0971d 35 remove escapes from the cvs parser in ipaserver/install/ldapupdate https://fedorahosted.org/freeipa/ticket/1472 2011-07-19 09:44:04 +02:00
Rob Crittenden
f7f03183df Specify the package name when the replication plugin is missing.
ticket https://fedorahosted.org/freeipa/ticket/1155
2011-07-18 02:55:50 -04:00
Rob Crittenden
d43ba5316a Generate a database password by default in all cases.
If the password passed in when creating a NSS certificate database is None
then a random password is generated. If it is empty ('') then an empty
password is set.

Because of this the HTTP instance on replicas were created with an empty
password.

https://fedorahosted.org/freeipa/ticket/1407
2011-07-17 22:26:01 -04:00
Rob Crittenden
bfee87dced Set nickname of the RA to 'IPA RA' to avoid confusion with dogtag RA
The old nickname was 'RA Subsystem' and this may confuse some users
with the dogtag RA subsystem which we do not use.

This will only affect new installs. Existing installations will
continue to work fine.

https://fedorahosted.org/freeipa/ticket/1236
2011-07-17 22:22:21 -04:00
Rob Crittenden
3fdca99c48 Create tool to manage dogtag replication agreements
For the most part the existing replication code worked with the
following exceptions:

- Added more port options
- It assumed that initial connections were done to an SSL port. Added
  ability to use startTLS
- It assumed that the name of the agreement was the same on both sides.
  In dogtag one is marked as master and one as clone. A new option is
  added, master, the determines which side we're working on or None
  if it isn't a dogtag agreement.
- Don't set the attribute exclude list on dogtag agreements
- dogtag doesn't set a schedule by default (which is actually recommended
  by 389-ds). This causes problems when doing a force-sync though so
  if one is done we set a schedule to run all the time. Otherwise the
  temporary schedule can't be removed (LDAP operations error).

https://fedorahosted.org/freeipa/ticket/1250
2011-07-17 22:16:32 -04:00
Rob Crittenden
2f650b60a4 Use information from the certificate subject when setting the NSS nickname.
There were a few places in the code where certs were loaded from a
PKCS#7 file or a chain in a PEM file. The certificates got very
generic nicknames.

We can instead pull the subject from the certificate and use that as
the nickname.

https://fedorahosted.org/freeipa/ticket/1141
2011-07-17 22:14:24 -04:00
Martin Kosek
50a2c45760 Check IPA configuration in install tools
Install tools may fail with unexpected error when IPA server is not
installed on a system. Improve user experience by implementing
a check to affected tools.

https://fedorahosted.org/freeipa/ticket/1327
https://fedorahosted.org/freeipa/ticket/1347
2011-07-18 09:36:43 +02:00
Martin Kosek
d802aa57f1 Fix self-signed replica installation
When a replica for self-signed server is being installed, the
installer crashes with "Not a dogtag CA installation". Make sure
that installation is handled correctly for both dogtag and
self-signed replicas.

https://fedorahosted.org/freeipa/ticket/1479
2011-07-14 22:36:53 -04:00
Jan Cholasta
881df73568 Fix creation of reverse DNS zones.
Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by
default instead of using the netmask from the --ip-address option.

Custom reverse DNS zone can be specified using new --reverse-zone
option, which replaces the old --ip-address netmask way of creating
reverse zones.

The reverse DNS zone name is printed to the user during the install.

ticket 1398
2011-07-15 16:42:16 +02:00
Rob Crittenden
37e3bf2a60 Disallow direct modifications to enrolledBy.
This fixes a regression.

We don't need to allow enrolledBy to be modified because it gets
written in the ipa_enrollment plugin which does internal operations
so bypasses acis.

https://fedorahosted.org/freeipa/ticket/302
2011-07-14 19:11:49 -04:00
Martin Kosek
02520ab98c Remove sensitive information from logs
When -w/--password option is passed to ipa-replica-install it is
printed to ipareplica-install.log. Make sure that the value of this
option is hidden.

https://fedorahosted.org/freeipa/ticket/1378
2011-07-13 15:16:24 +02:00
Martin Kosek
0cb65fd9f6 Filter reverse zones in dnszone-find
Implements a new option to filter out reverse zones.

This patch also do some clean up in dns plugin - debug prints were
accidentally left here in the last dns patch.

https://fedorahosted.org/freeipa/ticket/1471
2011-07-13 15:06:13 +02:00
Alexander Bokovoy
b93e0b8bbf Convert nsaccountlock to always work as bool towards Python code
https://fedorahosted.org/freeipa/ticket/1259

Python code will see nsaccountlock as bool. JavaScript code will also see it as bool.

This allows native boolean operations with the lock field. Passes both CLI and WebUI tests.
2011-07-13 12:02:46 +02:00
Rob Crittenden
d9627ab165 find_entry_by_attr() should fail if multiple entries are found
It will only ever return one entry so if more than one are found
then we raise an exception. This is most easily seen in the host
plugin where we search on the server shortname which can be the
same across sub-domains (e.g. foo.example.com &
foo.lab.example.com).

https://fedorahosted.org/freeipa/ticket/1388
2011-07-11 18:45:49 -04:00
Alexander Bokovoy
716a25a784 Convert Bool to TRUE/FALSE when working with LDAP backend https://fedorahosted.org/freeipa/ticket/1259
According to RFC4517 the only valid values for a boolean in LDAP are TRUE or FALSE.
This commit adds support to recognize TRUE and FALSE as valid Bool constants when converting from LDAP attribute values
and enforces TRUE or FALSE string for account locking.
2011-06-27 23:03:23 -04:00
Rob Crittenden
8a32bb3746 Make dogtag an optional (and default un-) installed component in a replica.
A dogtag replica file is created as usual. When the replica is installed
dogtag is optional and not installed by default. Adding the --setup-ca
option will configure it when the replica is installed.

A new tool ipa-ca-install will configure dogtag if it wasn't configured
when the replica was initially installed.

This moves a fair bit of code out of ipa-replica-install into
installutils and cainstance to avoid duplication.

https://fedorahosted.org/freeipa/ticket/1251
2011-06-23 19:04:33 -04:00
Rob Crittenden
8810758c11 Let the framework be able to override the hostname.
The hostname is passed in during the server installation. We should use
this hostname for the resulting server as well. It was being discarded
and we always used the system hostname value.

Important changes:
- configure ipa_hostname in sssd on masters
- set PKI_HOSTNAME so the hostname is passed to dogtag installer
- set the hostname when doing ldapi binds

This also reorders some things in the dogtag installer to eliminate an
unnecessary restart. We were restarting the service twice in a row with
very little time in between and this could result in a slew of reported
errors, though the server installed ok.

ticket 1052
2011-06-23 02:11:34 -04:00
John Dennis
032b77ac23 Add backslash escape support for cvs reader 2011-06-22 01:20:27 -04:00
Martin Kosek
b227208d01 Fix IPA install for secure umask
Make sure that IPA can be installed with root umask set to secure
value 077. ipa-server-install was failing in DS configuration phase
when dirsrv tried to read boot.ldif created during installation.

https://fedorahosted.org/freeipa/ticket/1282
2011-06-21 23:45:00 -04:00
Rob Crittenden
dd69c7dbe6 Make data type of certificates more obvious/predictable internally.
For the most part certificates will be treated as being in DER format.
When we load a certificate we will generally accept it in any format but
will convert it to DER before proceeding in normalize_certificate().

This also re-arranges a bit of code to pull some certificate-specific
functions out of ipalib/plugins/service.py into ipalib/x509.py.

This also tries to use variable names to indicate what format the certificate
is in at any given point:

dercert: DER
cert: PEM
nsscert: a python-nss Certificate object
rawcert: unknown format

ticket 32
2011-06-21 19:09:50 -04:00
Martin Kosek
ceb7c9cf4b DNS installation fails when domain and host domain mismatch
Create DNS domain for IPA server hostname first so that it's forward
record can be added. This results in 2 forward DNS zones created
when server hostname doesn't equal server domain.

https://fedorahosted.org/freeipa/ticket/1194
2011-06-19 23:36:28 -04:00