Commit Graph

3655 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
fa4b054056 pylint: disable deprecated-module message
Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-01-10 08:30:58 +01:00
Florence Blanc-Renaud
fdd3dd29b7 pylint: fix consider-iterating-dictionary
Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-01-10 08:30:58 +01:00
Florence Blanc-Renaud
8e7e48dc78 pylint: fix duplicate-value
Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-01-10 08:30:58 +01:00
Florence Blanc-Renaud
139038c58b pylint: disable missing-timeout message
Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-01-10 08:30:58 +01:00
Florence Blanc-Renaud
d6d8319ece pylint: disable using-constant-test
Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-01-10 08:30:58 +01:00
Florence Blanc-Renaud
8cd9ddfdeb pylint: remove arguments-renamed warnings
Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-01-10 08:30:58 +01:00
Florence Blanc-Renaud
be7f0a6e5e pylint: disable modified-iterating-list
Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-01-10 08:30:58 +01:00
Florence Blanc-Renaud
2011d1a36a pylint: disable used-before-assignment
Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-01-10 08:30:58 +01:00
Florence Blanc-Renaud
12067297d8 pylint: remove useless suppression
The newer version of pylint has fixed false positives and
does not need anymore these suppressions:
- global-variable-not-assigned
- invalid-sequence-index
- no-name-in-module
- not-callable
- unsupported-assignment-operation

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-01-10 08:30:58 +01:00
Florence Blanc-Renaud
17a5d5bff1 FIPS setup: fix typo filtering camellia encryption
The config file /var/kerberos/krb5kdc/kdc.conf is customized
during IPA server installation with a list of supported
encryption types.
In FIPS mode, camellia encryption is not supported and should
be filtered out. Because of a typo in the filtering method,
the camellia encryptions are appended while they should not.

Fix the typo (camelia vs camellia) in order to filter properly.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-12-19 15:38:05 +01:00
Florence Blanc-Renaud
6bd9d156e0 cert utilities: MAC verification is incompatible with FIPS mode
The PKCS12 MAC requires PKCS12KDF which is not an approved FIPS
algorithm and cannot be supported by the FIPS provider.
Do not require mac verification in FIPS mode: append the option
--nomacver to the command openssl pkcs12 used to extract a pem file
or a key from a p12 file.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-12-19 15:38:05 +01:00
Julien Rische
673d2b82d0 Generate CNAMEs for TXT+URI location krb records
The IPA location system relies on DNS record priorities in order to give
higher precedence to servers from the same location. For Kerberos, this
is done by redirecting generic SRV records (e.g.
_kerberos._udp.[domain].) to location-aware records (e.g.
_kerberos._udp.[location]._locations.[domain].) using CNAMEs.

This commit applies the same logic for URI records. URI location-aware
record were created, but there were no redirection from generic URI
records. It was causing them to be ignored in practice.

Kerberos URI and TXT records have the same name: "_kerberos". However,
CNAME records cannot coexist with any other record type. To avoid this
conflict, the generic TXT realm record was replaced by location-aware
records, even if the content of these records is the same for all
locations.

Fixes: https://pagure.io/freeipa/issue/9257
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-23 20:00:17 +01:00
Francisco Trivino
93548f2569 Vault: fix interoperability issues with older RHEL systems
AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets.
This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but
setting AES as default ended-up breaking backwards compatibility with older RHEL systems.

This commit is tuning some defaults so that interoperability with older RHEL systems
works again. The new logic reflects:

- when an old client is calling a new server, it doesn't send any value for wrapping_algo
  and the old value is used (3DES), so that the client can decrypt using 3DES.

- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC

- when a new client is calling an old server, it doesn't send any value and the default is
  to use 3DES.

Finally, as this logic is able to handle overlapping wrapping algorithm between server and
client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa
vault-retrieve --help" commands.

Fixes: https://pagure.io/freeipa/issue/9259
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-21 10:41:10 -05:00
Antonio Torres
988cb5a535 doc: generate API Reference
Extend the 'make api' target so that we also build an API Reference in
Markdown format. One template for each command gets generated. These
templates include all of the command details (arguments, options and
outputs), and then a section for manually-added notes such as semantics
or version differences. Every time the docs are regenerated, these notes
will be added if they exist.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-16 14:46:17 -05:00
Endi S. Dewata
38728dd518 Explicitly use legacy ID generators by default
The default ID generators used by PKI might change in the
future, so to preserve the current behavior the installation
code has been updated to explicitly use the legacy ID
generators by default.

Signed-off-by: Endi S. Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-03 15:18:30 -04:00
Viacheslav Sychov
d33a2523ee fix: Handle /proc/1/sched missing error
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-10 09:48:55 +02:00
Carla Martinez
c74c701cac Set 'idnssoaserial' to deprecated
A warning message (regarding the SOA serial deprecation) is shown
on the webui and CLI every time a new DNS zone is added (even if the
'--serial' option is not being explicitly set) or the SOA serial is modified.

This should be managed by setting the 'idnssoaserial' as deprecated and
not required parameter.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2022-09-29 14:23:44 +02:00
Florence Blanc-Renaud
7aeb9e5860 ipa-cacert-manage prune: remove all expired certs
ipa-cacert-manage prune is removing the expired certs one
at a time and this may result in verifying that one of
the expired certs is still valid.
As a consequence, ipa-cacert-manage prune always fails
when more than 1 cert are expired.

To avoid the issue, remove all the expired certs in a single
pass, and validate only the ones that would remain after full
pruning.

Fixes: https://pagure.io/freeipa/issue/9244
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-09-23 09:49:06 +02:00
Rob Crittenden
36591995ac Fix upper bound of password policy grace limit
It was defined as an unsigned value (2**32) because it
originally was. During the review an additional setting of
disabled (-1) was added so the value needed to be signed.
The upper bound needs to be 2**31 which is provided by
the xmlrpc client MAXINT import.

Fixes: https://pagure.io/freeipa/issue/9243

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2022-09-20 14:51:56 -04:00
Alexander Bokovoy
2ae316d430 fix canonicalization issue in Web UI
When Kerberos principal alias is used to login to a Web UI, we end up
with a request that is authenticated by a ticket issued in the alias
name but metadata processed for the canonical user name. This confuses
RPC layer of Web UI code and causes infinite loop to reload the page.

Fix it by doing two things:

 - force use of canonicalization of an enterprise principal on server
   side, not just specifying that the principal is an enterprise one;

 - recognize that a principal in the whoami()-returned object can have
   aliases and the principal returned by the server in the JSON response
   may be one of those aliases.

Fixes: https://pagure.io/freeipa/issue/9226

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2022-08-29 17:30:22 +02:00
Rob Crittenden
0468cc6085 Set default on group pwpolicy with no grace limit in upgrade
If an existing group policy lacks a password grace limit
update it to -1 on upgrade.

Fixes: https://pagure.io/freeipa/issue/9212

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-08-18 17:51:20 -04:00
Rob Crittenden
c8955a4d0a Set default gracelimit on group password policies to -1
This will retain previous behavior of unlimited LDAP BIND
post-expiration.

Fixes: https://pagure.io/freeipa/issue/9212

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-08-18 17:51:20 -04:00
Rob Crittenden
45b351f8c5 upgrades: Don't restart the CA on ACME and profile schema change
There are currently three sets of CA schema changes applied
in ipa-server-upgrade:

* addition of ACME schema
* addition of certificate profile schema
* addition of lightweight CA schema

None of these require a restart of the CA to be supported.

There is an issue in schema parsing such that it doesn't handle
X-ORIGIN properly. A difference is detected and a change applied
but no change is recorded in LDAP so every time upgrade is
run it thinks a CA restart is needed. The CA is not quick to
restart so avoiding one is best, particularly when the update is
run as part of an rpm transaction where a user with an itchy finger
may think things have hung and break out of it.

https://github.com/389ds/389-ds-base/issues/5366 was
filed to track this.

Related: https://pagure.io/freeipa/issue/9204

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-08-16 08:51:31 +02:00
Florence Blanc-Renaud
8a415ff985 check_repl_update: in progress is a boolean
With the fix for https://pagure.io/freeipa/issue/9171,
nsds5replicaUpdateInProgress is now handled as a boolean.
One remaining occurrence was still handling it as a string
and calling lower() on its value.

Replace with direct boolean comparison.

Fixes: https://pagure.io/freeipa/issue/9218
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-08-16 08:39:06 +02:00
Rob Crittenden
dc73813b8a Warn for permissions with read/write/search/compare and no attrs
An ACI with rights of read, write, search and/or compare without
attributes to apply the rights to is effectively a no-op. Allow
the ACI to be created but include a warning. Ignore the add
and delete rights. While they make no sense in the context of
the other rights we should still warn that they are a no-op
with no attributes.

Use the existing make_aci() object method to create the
message and update the add/mod callers to capture and add the
message to the result if one is provided.

When updating an existing ACI the effective attributes will
not be included so fall back to the attributes in the resulting
permission.

Prior to checking for rights and attributes convert any deprecated
names for older clients into the newer values needed by make_aci

This is exercised by existing xmlrpc permission tests that
create such permissions without attributes.

https://pagure.io/freeipa/issue/9188

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-07-15 16:59:15 +02:00
Fraser Tweedale
f8da5bfbea install: suggest --skip-mem-check when mem check fails
In the memory check failure message, add a hint to the administrator
that they can use the --skip-mem-check flag to skip the check.

Related: https://pagure.io/freeipa/issue/8404

Signed-off-by: Fraser Tweedale <frase@frase.id.au>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-07-05 14:29:27 +02:00
Florence Blanc-Renaud
cbc18ff8c7 Preserve user: fix the confusing summary
When ipa user-del --preserve is called, the command output
prints a summary with:
    Deleted user: user1
although the user was preserved.
Replace the summary with
    Preserved user: user1
to reflect what was actually done.

Fixes: https://pagure.io/freeipa/issue/9187
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-06-22 20:53:29 +02:00
Alexander Bokovoy
e06f0cc9b4 idviews: use cached ipaOriginalUid value when resolving ID override anchor
For ID overrides 'ipaOriginalUid' value should be the human-readable
version of the ID override anchor. Since we would have it already set in
the ID override entry, prefer using it instead of looking up the
override anchor.

This should speed up significantly operations which list all ID
overrides in the view, like Web UI views.

Fixes: https://pagure.io/freeipa/issue/9178
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-06-14 15:58:55 +03:00
Rob Crittenden
05d96e16dc Add switch for LDAP cache debug output
The LDAP cache log is rather chatty and a bit overwhelming when
looking for error messages. Disable it by default but allow it
to be enabled when a new config option, ldap_cache_debug, is
enabled.

Fixes: https://pagure.io/freeipa/issue/9180

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-14 15:56:21 +03:00
Rob Crittenden
7572174175 Remove extraneous AJP secret from server.xml on upgrades
PKI 10.10 unconditionally added an upgrade script for the AJP
connector which replaced the AJP secret regardless of tomcat
version.  It replaced requiredSecret with secret. IPA expects
the attribute by version so this could make the secrets out of
date and/or have connectors with both secrets and different
values.

PKI commit e70373ab131aba810f318c1d917896392b49ff4b has since
been reverted but there may be servers with both secrets still.
On next IPA upgrade clean them up.

Also allow re-writing ipa-pki-proxy.conf in case the secret
changes to ensure they remain in sync.

Fixes: https://pagure.io/freeipa/issue/9176

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-14 15:54:50 +03:00
Florence Blanc-Renaud
8a4ad65936 ipa-replica-install: nsds5replicaUpdateInProgress is a Boolean
nsds5replicaUpdateInProgress is defined in LDAP schema as a boolean.
Now that IPA API is able to properly map booleans to the python
bool type, this attribute is not a string any more and
comparisons can be done directly based on its real type.

The code in ipa-replica-install was reading nsds5replicaUpdateInProgress
and calling value.tolower() == 'true' but should now use
value == True instead.

Related: https://pagure.io/freeipa/issue/9171
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-13 09:07:38 +02:00
Alexander Bokovoy
6c5f2bcb30 ipaldap: fix conversion from boolean OID to Python
In IPA framework we don't properly convert to Python bool type and just
return a string (TRUE or FALSE). This can be seen with many boolean
attributes, like

        Bool('idnsallowdynupdate?',
            cli_name='dynamic_update',
            label=_('Dynamic update'),
            doc=_('Allow dynamic updates.'),
            attribute=True,
            default=False,
            autofill=True
        ),

in 'ipa dnszone-show':

> > > api.Command.dnszone_show('ipa.test')['result']['idnsallowdynupdate']
['TRUE']

This is because we don't have the reverse (from LDAP to Python) mapping
for the LDAP boolean OID 1.3.6.1.4.1.1466.115.121.1.7.

When Web UI asks for the entry, it gets back JSON output that contains
this 'TRUE' value:

            "idnsallowdynupdate": [
                "TRUE"
            ],

Add proper mapping from LDAP to Python bool type. With this, a simple
'checkbox' type can be used in Web UI instead of a complex radio-box
setup.

Note that when IPA API is asked to return raw values, 'TRUE' and 'FALSE'
still returned. These are the actual LDAP boolean attribute values. Care
needs to be done in tests:

 - if output is from a command with --raw option, 'TRUE' or 'FALSE'
   should be expected

 - if output if from a normal (non-raw) command, True or False would be
   returned

Fixes: https://pagure.io/freeipa/issue/9171

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-06-10 09:25:27 +02:00
Rob Crittenden
beaa0562dc Add support for Random Serial Numbers v3
Dogtag has implemented a new random serial number scheme
they are calling RSNv3.

https://github.com/dogtagpki/pki/wiki/Random-Certificate-Serial-Numbers-v3

Given the known issues reported this will be supported in IPA for
new installations only.

There is no mixing of random servers and non-random servers
allowed.

Instructions for installing a CA:
https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing-CA-with-Random-Serial-Numbers-v3.adoc

Instructions for installing a KRA:
https://github.com/dogtagpki/pki/blob/master/docs/installation/kra/Installig-KRA-with-Random-Serial-Numbers-v3.adoc

The version of random serial numbers is stored within the CA entry
of the server. It is stored as a version to allow for future upgrades.

If a CA has RSN enabled then any KRA installed will also have it
enabled for its identifiers.

A new attribute, ipaCaRandomSerialNumberVersion, is added to the IPA CA
entry to track the version number in case PKI has future major
revisions. This can also be used to determine if RSN is enabled or not.

Fixes: https://pagure.io/freeipa/issue/2016

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-09 08:35:15 +02:00
Rob Crittenden
83be923ac5 Add a new parameter type, SerialNumber, as a subclass of Str
Transmitting a big integer like a random serial number over
either xmlrpc or JSON is problematic because they only support
32-bit integers at best. A random serial number can be as big
as 128 bits (theoretically 160 but dogtag limits it).

Treat as a string instead. Internally the value can be treated
as an Integer to conversions to/from hex as needed but for
transmission purposes handle it as a string.

Fixes: https://pagure.io/freeipa/issue/2016

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-06-09 08:35:15 +02:00
Rob Crittenden
420344ed49 graceperiod: ignore case when checking for missing objectclass
Don't assume that all objectclasses are lower-case. Some are
camel-cased.

Fixes: https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-06 11:24:21 -04:00
Rob Crittenden
deb0c76556 Set default LDAP password grace period to -1
This will retain existing behavior where LDAP passwords are
allowed to bind past expiration.

Fixes: https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-06 11:24:21 -04:00
Rob Crittenden
773d3cb45d Configure and enable the graceperiod plugin on upgrades
The graceperiod plugin was only being enabled on new
installations. Enable also on upgrade.

Loading a new plugin requires a restart. Do so if a
new one is configured.

Fixes: https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-06-02 15:24:22 -04:00
Rob Crittenden
aefa5f2252 Exclude passwordgraceusertime from replication
Treat this like other failed login attributes and don't
replicate them.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-30 17:24:22 +03:00
Rob Crittenden
f347c3f230 Implement LDAP bind grace period 389-ds plugin
Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06

389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.

passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is suported for both the
global and per-group password policies.

passwordGraceUserTime is a count per-user of the number of binds.

When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.

If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.

Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.

Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.

The passwordGraceUserTime attribute is reset to 0 upon a password
reset.

user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.

Note that passwordGraceUserTime is an operational attribute.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-30 17:24:22 +03:00
Florence Blanc-Renaud
571b6b81c3 Installer: add --subid option to select the sssd profile with-subid
Add the --subid option to client, server and replica installers.
This option allows to configure authselect with the sssd
profile + with-subid feature, in order to have SSSD setup as
a datasource for subid in /etc/nsswitch.conf.

The default behavior remains unchanged: without the option,
/etc/nsswitch.conf keeps the line subid: files

Fixes: https://pagure.io/freeipa/issue/9159
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-05-25 08:11:39 +03:00
Francisco Trivino
5457fb7f7e
Update ipa-replica-install replication agreement error message
So that it prints out a valid command:
- replace "ipa-replica-manage del" by "ipa server-del" (only domain-level1 is now supported)
- the commands needs to be run on a working server, not on the host where ipa-replica-install failed

Fixes: https://pagure.io/freeipa/issue/9162
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2022-05-24 13:12:56 +02:00
Alexander Bokovoy
94f7d31d2d External IdP: add Web UI to manage IdP references
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
2022-05-10 15:52:41 +03:00
Alexander Bokovoy
10e18c3dc7 external-idp: add support to manage external IdP objects
Fixes: https://pagure.io/freeipa/issue/8804
Fixes: https://pagure.io/freeipa/issue/8803

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Sumit Bose <sbose@redhat.com>
2022-05-10 15:52:41 +03:00
Rob Crittenden
fe9be8c4a1 Convert values using _SYNTAX_MAPPING with --delattr
When an entry is loaded the incoming values are converted
into python datatypes automatically based on the _SYNTAX_MAPPING
value in ipaldap.

When using delattr to remove a mapped value it will fail because
the datatypes do not match up. For example date types are
datetime.datetime structions and won't match a generalized time
string.

So try to map the value to delete using _SYNTAX_MAPPING before
trying to remove the value. Fall back to trying to remove the
raw value if the mapping fails.

This won't work for some mapping types, DNs for example. Providing
only the RDN value for a DN-type, manager for example, lacks the
context to know how to construct the DN (RDN and contaner).

Fixes: https://pagure.io/freeipa/issue/9004

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-03-16 12:18:35 +02:00
Christian Heimes
40c362e1ee Support AES for KRA archival wrapping
The vault plugin has used TripleDES (des-ede3-cbc) as default wrapping
algorithm since the plugin was introduced. Allow use of AES-128-CBC as
alternative wrapping algorithm for transport of secrets.

Fixes: https://pagure.io/freeipa/issue/6524

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2022-03-16 12:07:01 +02:00
Alexander Bokovoy
a6030f5f53 Kerberos instance: default to AES256-SHA2 for master key encryption
KDC configuration in /var/kerberos/krb5kdc/kdc.conf is generated from
the template in install/share/kdc.conf.template. Master key encryption
type specified there is used to bootstrap the master key in LDAP
database. Once it is done, actual deployment does not rely on the
master_key_type value anymore. The actual master key(s) get loaded from
LDAP database where they stored in a BER-encoded format, preserving all
parameters, including encryption type.

This means we can safely migrate to AES256-SHA2 as the default master
key encryption type for new installations. Replicas will get their
master key encryption type details from the server they were provisioned
from.

MIT Kerberos supports AES256-SHA2 since 1.15 (2015), meaning RHEL 7.4 is
the earliest supported version as it provides krb5 1.15.1. Current
supported RHEL 7 version is RHEL 7.9. Since RHEL 6 already cannot be
used as a replica to IPA 4.5+ due to a domain level 1 upgrade, this
change does not affect old releases.

Migration from the previously deployed master key encryption type is
described by MIT Kerberos upstream in
http://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html#the-database-master-key

One would need to use '-x ipa-setup-override-restrictions' to allow
the `kdb5_util` utility to modify the data over IPA KDB driver.

Fixes: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2022-03-16 11:14:35 +02:00
Stanislav Levin
5a00882eab pylint: Fix useless-suppression
Cleanup up no longer used Pylint's disables where possible.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
42ff1e0fc2 pylint: Fix consider-using-in
Pylint 2.11.0 extends consider-using-in check to work for
attribute access.

> To check if a variable is equal to one of many values,combine the
  values into a tuple and check if the variable is contained "in" it
  instead of checking for equality against each of the values.This
  is faster and less verbose.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
baf68ef37c pylint: Fix arguments-renamed
Pylint 2.9.0 introduced new checker which was a subset of
arguments-differ:

> Used when a method parameter has a different name than in the
  implemented interface or in an overridden method.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00
Stanislav Levin
df3c40fd34 pylint: Skip raising-bad-type
See https://github.com/PyCQA/pylint/issues/4772 for details.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00