p11-kit-proxy in newer distributions handles loading the OpenSC
PKCS#11 library so don't try to add it to the NSS database in
/etc/pki/nssdb if it is already available in order to avoid a
potentially confusing error message.
https://pagure.io/freeipa/issue/8934
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The named user may not be present when ipa-server-dns and bind are not
installed. NAMED_UID and NAMED_GID constants are only used with local
DNS support.
Fixes: https://pagure.io/freeipa/issue/8936
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Co-authored-by: François Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa-kra-install should exit if ca_host line is present
in /etc/ipa/default.conf, as it may lead to a misconfigured
setup.
Fixes: https://pagure.io/freeipa/issue/8245
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
It previously used a vault connection to determine if any
KRA servers were installed. This would fail if the last KRA
was not available.
Use server roles instead to determine if the last KRA server
is to be removed.
https://pagure.io/freeipa/issue/8397
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
When adding a new host the principal cannot be determined because it
relies on either:
a) an entry to already exist
b) krbprincipalname be a component of the dn
As a result the full dn is being passed into ipapython.Kerberos
which can't parse it.
Look into the entry in validate_validate_auth_indicator() for
krbprincipalname in this case.
https://pagure.io/freeipa/issue/8206
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
KRA instance import depends on lib389 package, which is not always
installed and that results in failure. Furthermore, test_installation
utilizes krainstance import. This fix moves relevant parts from
krainstance to ipalib constants where those are subsequently imported
from.
Related: https://pagure.io/freeipa/issue/8795
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
It required support in dogtag which was added in 10.5.0.
This is only easily configurable during installation because
it will set ca.signing.defaultSigningAlgorithm to the
selected algorithm in CS.cfg
The certificate profiles will generally by default set
default.params.signingAlg=- which means use the CA default.
So while an existing installation will technically allow
SHA384withRSA it will require profile changes and/or
changing the defaultSigningAlgorithm in CS.cfg and
restarting (completely untested). And that won't affect
already issued-certificates.
https://pagure.io/freeipa/issue/8906
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
- add "Subordinate ID Statistics" page
- add button for generating subid in "Subordinate ids" tab of user details page
- allow to navigate directly to owner details from subordinate id page
- adjust i18n strings
Ticket: https://pagure.io/freeipa/issue/8361
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Subordinate ids are now handled by a new plugin class and stored in
separate entries in the cn=subids,cn=accounts subtree.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
New LDAP object class "ipaUserSubordinate" with four new fields:
- ipasubuidnumber / ipasubuidcount
- ipasubgidnumber / ipasgbuidcount
New self-service permission to add subids.
New command user-auto-subid to auto-assign subid
The code hard-codes counts to 65536, sets subgid equal to subuid, and
does not allow removal of subids. There is also a hack that emulates a
DNA plugin with step interval 65536 for testing.
Work around problem with older SSSD clients that fail with unknown
idrange type "ipa-local-subid", see: https://github.com/SSSD/sssd/issues/5571
Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
At the end of a server installation, the DNS records for
ipa-ca.$DOMAIN are created/updated with the IP addresses of the
new server.
The current code resolves the IP addresses of the new server
but doesn't check them. This can result in the addition of
a link-local address to ipa-ca record.
For each address, make sure that it's neither reserved nor a
link-local address.
Fixes: https://pagure.io/freeipa/issue/8810
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
The command
ipa stageuser-add --user-auth-type=xxx
is currently failing because the objectclass ipauserauthtypeclass
is missing from the created entry.
There is code adding the missing objectclass in the
pre_common_callback method of user_add, and this code should
be common to user_add and stageuser_add. In order to avoid code
duplication, it makes more sense to move the existing code to
pre_common_callback of baseuser_add, that is called by both
classes.
Fixes: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Authentication indicators should not be enforced against internal
IPA services, since not all users of those services are able to produce
Kerberos tickets with all the auth indicator options. This includes
host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
If a client that is being promoted to replica has an auth indicator
in its host principal then the promotion is aborted.
Fixes: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
perf_counter_ns is only available in Python 3.7 and later.
Define a lambda for 3.6 and lower.
Fixes: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This allows for a consistent way to retrieve the value from
LDAP. The method is used to find an existing entry. It is not usable
to add or remove entries.
Moving it in the code allows the value to always be set in the
substitution dictionary and not rely on a specific caller.
It was moved to installutils.py to avoid circular import.
https://pagure.io/freeipa/issue/8885
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Trying to resolve the FQDN before command execution (during
pre-callback) helps detect cases where the host specified by the user
does not exist, saving execution time. Aside from this, resolving the
FQDN is useful when only the shortname of the host is passed, as this
would cause issues when trying to update the DNS records during
modification of the entry.
Fixes: https://pagure.io/freeipa/issue/8726
Fixes: https://pagure.io/freeipa/issue/8884
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When upgrading from a server with IPA CA before PKINIT was introduced
(4.5), PKINIT would not be enabled and there wasn't any way to enable it
since upgrade code only issues self-signed certificates when
certificates are missing. With these change there is a way to enable
PKINIT when coming from a IPA server with a pre-PKINIT version (4.4 and
before).
Fixes: https://pagure.io/freeipa/issue/8532
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In a CA-less install, if the CA cert subject contains
non-ascii characters, ipa-server-install fails when
configuring SSL for httpd.
The issue happens when calling ipautil.run to extract the keys
from a p12file. The code is using the raw output of the command
and doesn't need to specify capture_output=True, as this option
breaks if the output contains non-ascii characters.
The raw_output contains bytes, the output is a str built by decoding
the raw_output and may fail if non-ascii characters are present.
Fixes: https://pagure.io/freeipa/issue/8880
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The CLI, IPA integration and storage backends are not used by IPA.
See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Incorporate Custodia into IPA.
See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Use new nsslapd-ldapiautoauthdnattr feature to switch BIND named from
GSSAPI bind to EXTERNAL LDAPI bind.
Requires 389-DS >= 1.4.4.11 or >= 2.0.2
Fixes: https://pagure.io/freeipa/issue/8544
See: https://github.com/389ds/389-ds-base/issues/4381
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Previously, `get_credentials` raises either ValueError or re-raises
GSSError. The former makes the handling of this function more difficult
without a good reason.
With this change:
- `get_credentials` no longer handles exceptions by itself, but delegates
this to the callers (which already process GSS errors).
- `get_credentials_if_valid` doesn't raise any expected exceptions, but
return valid credentials (on the moment of calling) or None. This makes
it consistent with docs.
Related: https://pagure.io/freeipa/issue/8873
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-cert-fix man page needs to explain that certmonger may
trigger a renewal right after ipa-cert-fix completes because
certmonger does not notice the updated certificates.
Also add a similar note at the end of ipa-cert-fix.
Fixes: https://pagure.io/freeipa/issue/8702
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add 'Auto private groups' field on 'Add ID range' form with the following options: true, false, hybrid.
The field is optional and can be omitted.
Its value can be also modified on 'Range Settings' page after the range is added.
Ticket: https://pagure.io/freeipa/issue/8837
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
HTTP service uses different user for keytab ownership than the service
user. On Fedora this leads to http.keytab being owned by 'apache' user
after IPA deployment while it should be owned by 'root' to allow
GSSPROXY configuration to work correctly.
The situation is fixed during upgrade (ipa-server-upgrade) but it means
for new deployments there might be a period of unexplained Web UI
authentication failures.
Fixes: https://pagure.io/freeipa/issue/8872
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
IPA topology plugin depends on the replication plugin but
389-ds cannot handle older alias querying in the plugin
configuration with 'nsslapd-plugin-depends-on-named: ..' attribute
See https://github.com/389ds/389-ds-base/issues/4786 for details
Fixes: https://pagure.io/freeipa/issue/8799
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Since commit 1906afbeb3c8b7140601be7f9bee2f7fef5b0a5e, in order to fix
rhbz#1780082, pki defines AJP connectors using localhost4 and localhost6:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost4" name="Connector1" secret="..."/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost6" name="Connector2" secret="..."/>
When /etc/hosts only defines the following:
127.0.0.1 localhost
::1 localhost
the connector initialization may fail with
java.net.BindException: Address already in use
The installer can add the following definitions to pkispawn cfg file:
pki_ajp_host_ipv4=127.0.0.1
pki_ajp_host_ipv6=::1
in order to force the value to an IP address instead of localhost4/6.
Fixes: https://pagure.io/freeipa/issue/8851
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The DNS server may not process a query in a its internal timeout for
a some reason or don't answer for a query at all. This may indicate
a high load on DNS server. For example, if IPA DNS server is
configured with 'none' forward policy (read as resolver), then
SERVFAIL/Timeout errors will be normal until the hot cache for zones.
Resolver's timeout in turn, indicates that it queried a server, but
didn't received an answer in specified timeout.
Related: https://pagure.io/freeipa/issue/7397
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This reverts commit aa1350384a.
The search for certificates is a complex, three-step process,
which filters results in subsequent searches. This filters out
non-relevant certificates when deleting a host or service.
This patch breaks that so deleting one service of a host will
revoke *all* certificates for that host.
Another attempt will be made separately to implement this.
https://pagure.io/freeipa/issue/7835
Signed-off-by: Rob Crittenden rcritten@redhat.com
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The -s option no longer exists, so remove it from the command usage.
Also, due to this fix, E128 occurred in pycodestyle, so the coding style was changed.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In order to call import_included_profiles the dogtag RA plugin
needs to have been loaded. Modify the requirements to also allow
the installer context along with the ra_plugin value.
This lets us add missing profiles during a replica installation.
This is needed for ACME when installing a new replica in a
cluster of older servers that don't have support for ACME.
https://pagure.io/freeipa/issue/8738
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
update_dna_shared_config plugin now waits for presence of both
``dnaHostname=fqdn+dnaPortNum=0`` and
``dnaHostname=fqdn+dnaPortNum=389`` entries before it updates the
entries.
The commit also refactors the code of update_dna_shared_config for
subordinate id support.
Fixes: https://pagure.io/freeipa/issue/8831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Insert a class before LDAPClient to cache the return value
of get_entry() and certain exceptions (NotFound and
EmptyResult). The cache uses an OrderedDict for the cases
where a large cache might result an LRU model can be used.
The cache be enabled (default) or disabled using
ldap_cache=True/False.
This cache is per-request so is not expected to grow
particularly large except in the case of a large batch
command.
The key to the cache entry is the dn of the object
being requested.
Any write to or referencing a cached dn is evicted from
the cache.
The set of attributes is somewhat taken into consideration.
"*" does not always match everything being asked for by
a plugin so unless the requested set of attributes is a
direct subset of what is cached it will be re-fetched. Err
on the side of safety.
Despite this rather conserative approach to caching 29%
of queries are saved with ipatests/xmlrpc_tests/*
https://pagure.io/freeipa/issue/8798
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
For add/remove member and remove_principal the LDAP connection
was being used directly, bypassing the LDAPClient overlay.
Related: https://pagure.io/freeipa/issue/8798
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
This can happen on upgrades from older deployments that lack
an ACME installation and don't meet the minimum requirements
to deploy one automatically.
Also don't consider missing ACME schema a total failure, just
log and skip it.
https://pagure.io/freeipa/issue/8832
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The `hbacrule` module performs a call to `selinuxusermap-find`
during entry deletion. This can be optimized by passing pkey_only=True
to the search, skipping the post-callback function. Passing the full
DN of the hbacrule and detecting it in the selinuxusermap find
also saves one call to hbacrule-show, further reducing the searches.
Related: https://pagure.io/freeipa/issue/8784
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This is the experimental fix to workaround the issue with
PKI on Azure Pipelines. PKI is the most sensitive to slow
systems(at least, appropriate delays and timeouts should be
adjusted for such).
Somehow Azure's test envs became slower then they were earlier
(for example, CA subsystem start changed
~(20-30)sec -> ~(45-60)sec). This triggered various issues with
subsystems of PKI in CI.
PKI honors `PKISPAWN_STARTUP_TIMEOUT_SECONDS` env variable (if
not set the timeout is 60sec) for pkispawn tool. The default
timeout is inconsistent with IPA's one (startup_timeout=120sec), which in
particular, is used in ipa-pki-wait-running tool).
Related: https://pagure.io/freeipa/issue/8830
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Francois Cami <fcami@redhat.com>
The Dogtag KRA backend now uses CryptographyCryptoProvider instead of
NSSCryptoProvider for KRAClient connections. The
CryptographyCryptoProvider uses PyCA cryptography to provide wrapping
and unwrapping. The change will allow Dogtag to remove the
NSSCryptoProvider and drop python-nss as a dependency.
The code in ipaserver.plugins.dogtag creates a Certificate object to
work around a bug in Dogtag. Dogtag supports paths but passes the wrong
type to PyCA cryptography.
Fixes: https://pagure.io/freeipa/issue/8814
See: https://github.com/dogtagpki/pki/issues/3499
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This utilizes the new status option so that we only retrieve
VALID certificates when revoking certificates issued for a
specific host or service.
ae74d348c3 made a special case
in cert_find when searching for hosts and services so that if only
one host/service was searched on do a subject search. It only
works when there is exactly one option requested.
Since we want to restrict to only VALID certificates, pass
the hostname as subject directly when revoking certs when deleting
an entry to limit the number of certificates to consider.
https://pagure.io/freeipa/issue/7835
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
This can be used to narrow the candidate list of
certificates when deleting objects like hosts and
service.
Related: https://pagure.io/freeipa/issue/7835
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Add a new option --auto-private-groups to the command
ipa idrange-add / ipa idrange-mod.
The option can take true/false/hybrid values.
Fixes: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This saves at least one search per user-mod because the current
set of objectclasses are verified to ensure they are complete
on each update.
So always retrieve them in get_either_dn(). They are used by
every call but there is negligible overhead in retrieving
this from LDAP.
https://pagure.io/freeipa/issue/8801
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The pkey of services is krbprincipalname. The host plugin passes
this full value to service_del and service_disable if the service
hostname matches the requested host.
This limits the amount of data and post-processing done
when host_del and host_disable call service_find. It also saves
a presence query for keytab in each service found.
https://pagure.io/freeipa/issue/8787
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This may be called multiple times in a request and should
be impossible to change.
https://pagure.io/freeipa/issue/8797
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* move WSGI app code to main code base so it can be used with other
WSGI servers that expect a Python package.
* populate LDAP schema early to speed up first request by ~200ms
* gc.collect() and gc.freeze() to improve memory handling and GC
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Combining the existence check with the sudoorder handling
allows to reduce the number of searches during a sudorule
modification by removing a call to sudorule-show.
Related: https://pagure.io/freeipa/issue/8780
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The `nsaccountlock` attribute was being returned as a
list of string ("TRUE"/"FALSE") instead of a boolean.
Use the convert function used in `user-find` and `user-mod`
for consistency, since these commands return the parameter as a boolean.
Fixes: https://pagure.io/freeipa/issue/8743
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Enhance error message when adding non-posix group
with a GID so the user knows that a GID should not
be passed when adding a group with the --nonposix option.
Fixes: https://pagure.io/freeipa/issue/8155
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Update help for the `--otp` option in `ipa passwd`
to actually explain its usage.
Fixes: https://pagure.io/freeipa/issue/8244
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This is needed so we can mock the DogtagInstance class
and have control over the version of tomcat.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
In this patch, we ensure we upgrade all AJP adapters with the same
secret value if any are missing. This ensures that both IPv4 and IPv6
adapters have the same secret value, so whichever httpd connects to
will be in sync. This is consistent with what Dogtag does when
provisioning them.
Notably missing from this patch is handling of multiple unrelated AJP
adapters. In an IPA scenario (and default PKI scenario) this shouldn't
be necessary. However, with external load balancing, this might happen.
This patch benefits IPA in the scenario when:
1. pkispawn runs on an older PKI version (pre-AJP secret, so ~8.2?)
2. pki gets upgraded to 10.10.1 before IPA can provision a secret,
resulting in split IPv4/IPv6 adapters -- this would only happen
on a direct migration from 8.2 -> 8.4
3. ipa upgrade script then runs to provision an AJP secret value for
use with both Dogtag and IPA.
Without this patch, only the first (IPv4) adapter would have a secret
value provisioned in the above scenario.
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Adding execution time in logs provides useful information
for identifying API operations that impact IPA performance.
Related: https://pagure.io/freeipa/issue/8759
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
`HTTP_CCACHE` path was introduced in [0], but hasn't been set as
gssproxy's cred_store option(`ccache`) and nowhere is really
used besides the removing of this not existed path. It is safe to
drop all referencies for `HTTP_CCACHE`.
As of 0.8.0[1] gssproxy uses `MEMORY` credentials type for cred_store
as default.
[0]: d2f5fc304f
[1]: 0e1b4a0c84
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
'pki-server cert-fix' has a known and expected failure when the DS
certificate is expired. 'ipa-cert-fix' handles this by
optimistically ignoring the CalledProcessError and continuing when
the DS certificate was up for renewal.
This heuristic is a bit too optimistic. If 'pki-server cert-fix'
fails due and returns nonzero due to some other, more serious error
(as has been seen in the wild[1]), 'ipa-cert-fix' continues then
fails later with a more confusing error, for example:
[Errno 2] No such file or directory:
'/etc/pki/pki-tomcat/certs/27-renewed.crt'
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1930586
Improve the heuristic by also checking whether output files
corresponding ot all of the "extra" certificate that we asked
'ipa-cert-fix' to renew, do indeed exist and are X.509 certificates.
Fixes: https://pagure.io/freeipa/issue/8721
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Fix zonemgr option in ipaserver install being
ignored because of an incorrect condition.
Fixes: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The output from pki-spawn is already displayed to the user
as well as a short traceback so re-displaying the CalledProcess
error provides no value and only provokes confusion,
particularly because it is condensed and includes embedded
newlines.
Re-raise the exception from None so that the traceback is
removed and while there is still an immense traceback from
the admintool class it is significantly shorter than before
and removes:
"During handling of the above exception, another exception occurred"
The handling is in fact expected.
This changes the user-facing installer output from:
[1/28]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpr5x2l0gm', '--debug'] returned non-zero exit status 1: 'INFO: Connecting to LDAP server at ldap://ipa.example.test:389\nINFO: Connecting to LDAP server at ldap://ipa.example.test:389\nDEBUG: Installing Maven dependencies: False\nERROR: KeyError: \'CA\'\n File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 575, in main\n raise KeyError(\'CA\')\n\n')
See the installation logs and the following files/directories for more information:
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
to
[1/28]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The output is similarly reduced in the installer log. There is no
reason to acknowledge that a CalledProcessError was raised since
the output is already available and it's just an intermediary.
Hopefully this will encourage users to focus on the logs rather than
the malformed traceback.
https://pagure.io/freeipa/issue/8565
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
If the CA fails to deploy then the CRL directory will not exist
but will report an error that it has failed to be removed.
There is no need to try to navigate a directory if it doesn't exist.
Related: https://pagure.io/freeipa/issue/8565
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
If the Apache, 389-ds or KDC certificate was issued by
a third party there is nothing we can do, regardless of
whether it is expired or not.
Report which certificates will not be renewed so the
admin can manually do do (likely in the event of a
third-party certificate).
https://pagure.io/freeipa/issue/8600
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The nickname of the 389-ds certificate was hardcoded as
Server-Cert which failed if the user had installed a
third-party certificate using ipa-server-certinstall.
Instead pull the nickname from the DS configuration and
retrieve it based on that.
https://pagure.io/freeipa/issue/8600
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This option was inconsistent between invocations and there is
no need to stop certmonger after stopping tracking. It was also
apparently causing dbus timeout errors, probably due to the amount
of work that certmonger does at startup.
https://pagure.io/freeipa/issue/8506https://pagure.io/freeipa/issue/8533
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Trailing dots aren't permitted in sudo commands, as
enforced explicitly in `get_dn`. Performing this check
before adding the command prevents the user from
entering invalid commands, which would otherwise trigger
errors when accessing them afterwards.
RN: ipa sudocmd-* commands now validate SUDO command name to not end with a dot.
RN: Previously a trailing dot was stripped away in when addressing a SUDO command's LDAP object.
RN: As a result, a SUDO command was created but it was not possible to refer to it in other IPA commands.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1925410
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
From the upgrade log it was not possible to see the current
state of ACME which makes troubleshooting difficult.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Related: https://pagure.io/freeipa/issue/8712
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Put the ACME config files under normal IPA versioning so we
can more seamlessly do updates to them.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
https://pagure.io/freeipa/issue/8712
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Add prune option to ipa-cacert-manage, allowing
to remove all expired certificates from the certificate store.
Related: https://pagure.io/freeipa/issue/7404
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa cert-show, ipa cert-revoke and ipa cert-remove-hold do not
print meaningful info when called on a non-existent cert id:
Certificate operation cannot be completed: Unable to communicate
with CMS
Propagate the reason from the HTTP message in order to print
'Certificate ID 0x.. not found'
Fixes: https://pagure.io/freeipa/issue/8704
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The database storing the keys with OpenDNSSEC 2.1 has a
different schema from OpenDNSSEC 1.4, and the keytype
(ZSK, KSK) is stored in a different table column: "role"
instead of "keytype".
With OpenDNSSEC 1.4, keytype can be 256 (ZSK) or 257 (KSK), while
with OpenDNSSEC 2.1, role can be 1 (KSK) or 2 (ZSK).
The schema migration can be seen in opendnssec source code:
enforcer/utils/1.4-2.0_db_convert/sqlite_convert.sql
INSERT INTO hsmKey
SELECT DISTINCT REMOTE.keypairs.id, 1, REMOTE.keypairs.policy_id,
REMOTE.keypairs.HSMkey_id, 2, REMOTE.keypairs.size,
REMOTE.keypairs.algorithm, (~(REMOTE.dnsseckeys.keytype)&1)+1,
CASE WHEN REMOTE.keypairs.generate IS NOT NULL THEN
strftime('%s', REMOTE.keypairs.generate)
ELSE strftime("%s", "now") END,
0,
1, --only RSA supported
REMOTE.securitymodules.name,
0 --assume no backup
FROM REMOTE.keypairs
JOIN REMOTE.dnsseckeys
ON REMOTE.keypairs.id = REMOTE.dnsseckeys.keypair_id
JOIN REMOTE.securitymodules
ON REMOTE.securitymodules.id = REMOTE.keypairs.securitymodule_id;
and the schema for the table is defined in enforcer/src/db/kasp.sqlite:
CREATE TABLE HsmKey (
locator VARCHAR(255) NOT NULL,
candidate_for_sharing TINYINT UNSIGNED DEFAULT 0,
bits INT UNSIGNED DEFAULT 2048,
policy VARCHAR(255) DEFAULT 'default',
algorithm INT UNSIGNED DEFAULT 1,
role VARCHAR(3) DEFAULT 'ZSK',
inception INT UNSIGNED,
isrevoked TINYINT UNSIGNED DEFAULT 0,
key_type VARCHAR(255),
repository VARCHAR(255),
backmeup TINYINT UNSIGNED DEFAULT 0,
backedup TINYINT UNSIGNED DEFAULT 0,
requirebackup TINYINT UNSIGNED DEFAULT 0,
id INTEGER PRIMARY KEY AUTOINCREMENT
);
Fixes: https://pagure.io/freeipa/issue/8647
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The KRA attempts to unregister itself from the security domain
which requires that IPA be running for this to succeed.
1. Move the KRA uninstall call prior to stopping all IPA
services
2. Try to start IPA if it isn't running and a KRA is configured
It isn't mandatory that IPA be running for the KRA uninstall to
succeed but it will suppress a pretty scary backtrace and error
message.
https://pagure.io/freeipa/issue/8550
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Return status 3 if ipactl status can't start 389-ds or if
any of the expected services is not running.
https://pagure.io/freeipa/issue/8588
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This is an informational message and clutters the installation
screen with no end-user benefit. Logging it as debug is
sufficient to know what is going on.
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This should make it easier to troubleshoot low memory installation
failures from the logs.
https://pagure.io/freeipa/issue/8404
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The dns parameter of request_and_wait_for_cert() must be a string of
hostnames.
* Enforce list/tuple type so that API misuse no longer passes silently.
* Add commonNameToSANDefaultImpl to KDCs_PKINIT_Certs profile
* Explicitly pass hostname for service certs
Fixes: https://pagure.io/freeipa/issue/8685
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
If NSSDatabase() throws a ValueError it means we can't open it
to look for an existing ipaCert to migrate. Chances are there is
no certificate to migrate at this point in Fedora so don't let
it blow up the entire installation/upgrade. Warn the user and let
them figure it out.
We have no real path forward on this and by proceeding it could
lead to more errors (like no RA) but it is extremely unlikely and
would require a user to upgrade from very old Fedora to very
new Fedora in one step.
https://pagure.io/freeipa/issue/8675
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
IPA traditionally allowed to add names not found in IPA LDAP to external
attributes. This is used to allow, for example, a local system user or
group be present in a SUDO rule.
With membership validator, we can actually check validity of the names
against both IPA users/groups and users/groups from trusted domains.
If in future we decide to reject a local system's objects, then all it
would take is to switch reject_failures to True.
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Allow specifying AD users and groups from trusted Active Directory
forests in `ipa sudorule-add/remove-runasuser/runasgroup` family of
commands.
IPA provides 'ipasudorunasextuser' and 'ipasudorunasextusergroup' LDAP
attributes to record 'external' objects referenced in SUDO rules for
specifying the target user and group to run the commands allowed in the
SUDO rule.
Use member type validators to 'ipa sudorule-add/remove-runasuser/runasgroup'
family of commands and rely on member type validators from 'idviews'
plugin to resolve trusted objects.
Referencing fully qualified names for users and groups from trusted
Active Directory domains in IPA SUDOERs schema attributes is supported
in SSSD 2.4 or later.
RN: IPA now supports users and groups from trusted Active Directory
RN: domains in SUDO rules to specify runAsUser/runAsGroup properties
RN: without an intermediate non-POSIX group membership
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Allow specifying AD users and groups from trusted Active Directory
forests in `ipa sudorule-add/remove-user` family of commands.
SSSD uses single attribute 'externalUser' for IPA to pull 'external'
objects referenced in SUDO rules. This means both users and groups are
represented within the same attribute, with groups prefixed with '%',
as described in sudoers(5) man page.
Add member type validators to 'ipa sudorule-add/remove-user' family
commands and rely on member type validators from 'idviews' plugin to
resolve trusted objects.
Referencing fully qualified names for users and groups from trusted
Active Directory domains in 'externalUser' attribute of SUDO rules is
supported in SSSD 2.4 or later.
RN: IPA now supports adding users and groups from trusted Active
RN: Directory domains in SUDO rules without an intermediate non-POSIX
RN: group membership
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Register extended validator for users from trusted domains to be called
through add_external_pre_callback() in sudorules and other plugins.
The callbacks allow to validate user names as following:
- if user name passes basic user name validator it is accepted, otherwise
- if user name can be resolved to any user in IPA or in a trusted
domain, it is accepted
- otherwise the name is rejected
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
It was possible to add external members without any validation. Any
object that was not found in IPA LDAP was considered an external object
and a command such as sudorule could have added it to the list of values
for externalUser attribute.
With member validator support, real external members from trusted
domains can be differentiated from the objects that were not found in
IPA and in trusted domains.
Use information from the ID Views plugin to treat external objects
accordingly. Not found objects will be part of the error messaging
instead.
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
baseldap.py:add_external_pre_callback() allows to redefine validators
used to validate member names. Originally this was done to allow
hostname validation and reused default validators associated with other
parameter types.
Provide extension of the validator callbacks to allow fine grained
validation strategy. This is helpful in case we want to apply an
alternative validation strategy in case default validator fails.
New validators can be added to 'member_validator' registry in a similar
way to how API objects are registered:
from .baseldap import member_validator
@member_validator(membertype='foo')
def my_new_validator(ldap, dn, keys, options, value):
<validate value here>
Arguments passed to the validator are arguments passed to the
add_external_pre_callback() augmented with the value to validate.
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Peter Keresztes Schmidt <carbenium@outlook.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Operations in FIPS mode make impossible use of NTLMSSP when
authenticating to trusted Active Directory domain controllers because
RC4 cipher is not allowed. Instead, Kerberos authentication have to be
used. We switched to enforce Kerberos authentication when communicating
with trusted domains' domain controllers everywhere.
Kerberos library uses system wide configuration which in IPA defaults to
resolving location of KDCs via DNS SRV records. Once trust is
established, SSSD will populate a list of closest DCs and provide them
through the KDC locator plugin. But at the time the trust is established
performing DNS SRV-based discovery of Kerberos KDCs might fail due to
multiple reasons. It might also succeed but point to a DC that doesn't
know about the account we have to use to establish trust.
One edge case is when DNS SRV record points to an unreachable DC,
whether due to a firewall or a network topology limitations. In such
case an administrator would pass --server <server> option to
'ipa trust-add' or 'ipa trust-fetch-domains' commands.
'ipa trust-fetch-domains' runs a helper via oddjobd. This helper was
already modified to support --server option and generated custom
krb5.conf overlay to pin to a specific AD DC. However, this
configuration was removed as soon as we finished talking to AD DCs.
With switch to always use Kebreros to authenticate in retrieval of the
topology information, we have to use the overlay everywhere as well.
Convert the code that generated the overlay file into a context that
generates the overlay and sets environment. Reuse it in other
trust-related places where this matters.
Oddjob helper runs as root and can write to /run/ipa for the krb5.conf
overlay.
Server side of 'ipa trust-add' code calls into ipaserver/dcerpc.py and
runs under ipaapi so can only write to /tmp. Since it is a part of the
Apache instance, it uses private /tmp mounted on tmpfs.
Fixes: https://pagure.io/freeipa/issue/8664
Related: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
winbindd expects forest topology information blob to find out child
domains. We should store it in LDAP and let ipasam to retrieve it.
In fact, ipasam already supports updating and loading this information
but during 'ipa trust-fetch-domains' we didn't provide it.
Make sure the blob is preserved after it was retrieved and also updated
when we fetch forest topology information.
Fixes: https://pagure.io/freeipa/issue/8576
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In order to simplify the build process between upstream FreeIPA
and downstream builds (such as CentOS Stream) we are changing
some file references from FreeIPA to IPA (and Identity Management).
https://pagure.io/freeipa/issue/8669
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Support both the case where there is a limit imposed on the
container and when there isn't.
https://pagure.io/freeipa/issue/8635
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This reverts commit 81c97bb992.
This is to make IPA installable again with older versions of dogtag
so it will install on CentOS 8 Stream.
ACME will not be deployed but on upgrade, if pki 10.10.x is available
then it will be.
https://pagure.io/freeipa/issue/8634
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
We want to always use SMB encryption if it is possible on LSA pipe as we
are going to pass what accounts to a plain-text content within
CreateTrustedDomainEx2 call.
The catch is that older Samba version might not have a way to enforce
this and we need fall back to work with existing connection then.
Fixes: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In FIPS mode we cannot rely on NTLMSSP at all, so we have ensure
Kerberos is used by Samba Python libraries. This is achieved by
requiring credentials objects to always use Kerberos authentication.
Additionally, we have to normalize the principal used to authenticate.
In case it was passed without realm, add forest root domain as a realm.
In case it was passed with NetBIOS domain name, remove it and replace
with a realm. Since we only know about the forest root domain as a
realm, require that for other domains' users a real Kerberos principal
is specified.
Fixes: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When establishing trust to Active Directory forest, RC4 is used to
encrypt trusted domain object credentials as an application-specific
material in a secure channel based on AES session key.
In FIPS mode it is not possible to use RC4 directly.
Samba 4.14 and backports to 4.13 in Fedora 33+ and RHEL 8.4+ now
provide a helper that wraps LSA RPC call CreateTrustedDomainEx2.
This helper ensures that in FIPS mode we first check that LSA session
key is AES before allowing RC4 use internally in Samba bindings. Thus,
it becomes possible to establish trust to Active Directory forest in
FIPS mode.
Adopt FreeIPA code to use the helper provided by Samba when it is
available. If neither the helper nor unprotected arcfour_encrypt utility
is available from Samba bindings, fail import of the ipaserver.dcerpc
module.
Fixes: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
On a failed permission update if the generated ACI is
invalid then the updated permission is rolled back.
Add the virtual relationship attributes to list of attributes
to be ignored when rolling back the entry.
This relies on the current order in the LDAPObject
relationships field where member and memberof are the first
two values.
https://pagure.io/freeipa/issue/8646
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When the CSR for an expired cert is not found in
/etc/pki/pki-tomcat/{ca|kra}/CS.cfg, ipa-cert-fix fails to
renew the certificate and repair the installation.
The CSR can be found using certmonger as it is stored in
/var/lib/certmonger/requests/<ID> in the "csr" attribute.
Prior to calling pki-server cert-fix, make sure that the
CSR is present in CS.cfg, or update CS.cfg with the content
found using certmonger.
Fixes: https://pagure.io/freeipa/issue/8618
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Move actual resolution of UID/GID values for 'ods' entities to the code
that needs them. This prevents failures when uninstalling IPA server set
up without DNS feature. In particular, 'ods' user and group are created
when 'opendnssec' package is installed and if 'opendnssec' package is
not installed, uninstall fails in OpenDNSSEC Exporter instance
constructor.
We use common pattern of checking the service during uninstall:
svc = SVCClass()
if svc.is_configured():
svc.uninstall()
Thus, service class constructor must not do UID/GID resolution
Fixes: https://pagure.io/freeipa/issue/8630
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Move actual resolution of UID/GID values for 'ods' and 'named' entities
to the code that needs them. This prevents failures when uninstalling
IPA server set up without DNS feature. In particular, 'named' group is
created when 'bind' package is installed and if 'bind' package is not
installed, uninstall fails in OpenDNSSEC instance constructor.
We use common pattern for all services during uninstall:
svc = SVCClass(..)
if svc.is_configured()
svc.uninstall()
This requires that the class constructor should not rely on artifacts
that only exist when the service is configured.
Fixes: https://pagure.io/freeipa/issue/8630
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Move actual resolution of UID/GID values for 'ods' and 'named' entities
to the code that needs them. This prevents failures when uninstalling
IPA server set up without DNS feature. In particular, 'named' group is
created when 'bind' package is installed and if 'bind' package is not
installed, uninstall fails in OpenDNSSEC instance constructor.
We use common pattern for all services during uninstall:
svc = SVCClass(..)
if svc.is_configured()
svc.uninstall()
This requires that the class constructor should not rely on artifacts
that only exist when the service is configured.
Fixes: https://pagure.io/freeipa/issue/8630
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
- Create /var/named/dyndb-ldap/ipa/master/ early
- Assume that /var/named/dyndb-ldap/ipa/master/ exists in BINDMgr.sync()
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
kwargs is redefined to set the `noextrawhitespace` parameter
from the Str class to `False`.
Fixes: https://pagure.io/freeipa/issue/7599
Signed-off-by: Antonio Torres Moríñigo <atorresm@protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Convert configuredService to either enabledService or hiddenService
depending on the state of the server role. This is to fix situations
when deployment has happened before introduction of hidden replicas
as those services will stay as configuredService and will not get
started after upgrade, rendering the system non-functioning.
Fixes: https://pagure.io/freeipa/issue/8623
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When there are no services in LDAP that have specified states, we don't
need to update their state.
Fixes: https://pagure.io/freeipa/issue/8623
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Python code does detection of the system encoding based on the locale
settings. On RHEL 8.4 development images we somehow get LANG=en_US which
defaults to iso8859-1 _inside_ the systemd-started service, even though
the whole environment defaults to LANG=en_US.UTF-8.
When instrumented with ExecStartPre=/usr/bin/locale, the following
output can be seen:
locale[45481]: LANG=en_US
locale[45481]: LC_CTYPE="en_US"
locale[45481]: LC_NUMERIC="en_US"
locale[45481]: LC_TIME="en_US"
locale[45481]: LC_COLLATE="en_US"
locale[45481]: LC_MONETARY="en_US"
locale[45481]: LC_MESSAGES="en_US"
locale[45481]: LC_PAPER="en_US"
locale[45481]: LC_NAME="en_US"
locale[45481]: LC_ADDRESS="en_US"
locale[45481]: LC_TELEPHONE="en_US"
locale[45481]: LC_MEASUREMENT="en_US"
locale[45481]: LC_IDENTIFICATION="en_US"
locale[45481]: LC_ALL=
ipactl[45483]: Unexpected error
ipactl[45483]: SystemEncodingError: System encoding must be UTF-8, 'iso8859-1' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE
Set the environment to explicit LC_ALL=C.UTF-8 to please the Python
code. FreeIPA server side only cares about actual encoding, not the
language itself. We already use LC_ALL=C.UTF-8 in httpd service snippet.
Fixes: https://pagure.io/freeipa/issue/8617
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Rules in ipa-rewrite.conf use $DOMAIN variable but it is not available
in the dictionary. Regression was introduced with
e731b2725a.
Fixes: https://pagure.io/freeipa/issue/8615
Related: https://pagure.io/freeipa/issue/8595
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The dogtaginstance.is_installed() method currently relies on
the presence of the directory /var/lib/pki/pki-tomcat/{ca|kra},
even if it is empty.
An unwanted consequence is ipa-server-upgrade wrongly assuming the KRA
is installed and crashing when trying to upgrade a not-installed
component.
The fix relies on the command "pki-server subsystem-show {ca|kra}" to
detect if a subsystem is installed. The command does not require PKI
to be running (hence can be called anytime) and is delivered by
the pki-server package which is already required by ipa server pkg.
Fixes: https://pagure.io/freeipa/issue/8596
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
There is still some exposure to killing in a bad place. This was
reproduced by killing the process in the parser.parse() call within
__restore_config (line 230) so the values were restored from the
backup but the new dse.ldif never written or copied. But the values
had already been restored from the state file.
I'm not sure this can ever be 100% bullet-proof since it can be
externally killed but if rather than calling restore_state() on the
values in __restore_config we use get_state() which will peek at the
values in the state file without removing them. Then the last step
is to pop upgrade-in-progress and then the rest.
If the values have been restored and the new ldif written and copied
then it's only upgrade-in-progress that really matters. The rest will
be overwritten.
https://pagure.io/freeipa/issue/7534
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
On upgrading a server without ACME to one with ACME
the RA Agent DN needs to be added as a member of the
ACME Enterprise Users group. This was previously
done as part of the creation of that entry.
So on upgrade the RA Agent wouldn't be a member so
ipa-acme-manage didn't have access to operate against
the CA REST API.
In order to add the RA Agent to this group during installation
the ACME provisioning has to come after that step so it is
moved from the middle of an installation to the end and
the group addition moved into the setup_acme() method.
https://pagure.io/freeipa/issue/8603
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
This method was added temporarily while the required packages
were still under development and not available in stable
repositories.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Internal profiles were assigned which prevented rewewals.
dogtag is providing a new profile for the audit signing cert,
caAuditSigningCert.
There are existing profiles for the transport (caTransportCert)
and storage (caStorageCert) certificates.
https://pagure.io/freeipa/issue/8545
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
389-ds now stores a replication agreement status message in a JSON
string in a new attribute:
replicaLastInitStatusJSON
replicaLastUpdateStatusJSON
The original status attributes' values are not changing at this time,
but there are plans to do so eventually as the old status format is
confusing.
http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html
Fixes: https://pagure.io/freeipa/issue/7975
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The variable was None by default and set to /etc/ipa/dnssec/openssl.cnf
for fedora only because the code is specific to the support of pkcs11
engine for bind. As a consequence ipa-backup had a "None" value in the
list of files to backup and failed on Exception.
ipa-backup code is able to handle missing files, and the code using
the pkcs11 engine is called only when NAMED_OPENSSL_ENGINE is set
(only in fedora so far). It is safe to always define a value for
DNSSEC_OPENSSL_CONF even on os where it does not exist.
The fix also improves the method used to verify that a path exists.
Fixes: https://pagure.io/freeipa/issue/8597
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
The cookie in ACME processing was supposed to be passed as a part of the
REST request but we did not pass those additional headers. Pylint on
Rawhide noticed that headers objects were left unused.
2020-11-13T11:26:46.1038078Z Please wait ...
2020-11-13T11:26:46.1038385Z
2020-11-13T11:28:02.8563776Z ************* Module ipaserver.install.ipa_acme_manage
2020-11-13T11:28:02.8565974Z ipaserver/install/ipa_acme_manage.py:50: [W0612(unused-variable), acme_state.__exit__] Unused variable 'headers')
2020-11-13T11:28:02.8567071Z ipaserver/install/ipa_acme_manage.py:57: [W0612(unused-variable), acme_state.enable] Unused variable 'headers')
2020-11-13T11:28:02.8568031Z ipaserver/install/ipa_acme_manage.py:63: [W0612(unused-variable), acme_state.disable] Unused variable 'headers')
Fixes: https://pagure.io/freeipa/issue/8584
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
PTR records in zones other than in-addr.arpa and in6.arpa are legal,
e.g. DNS-SD [RFC6763] uses such records. If in a reverse zone
proceed with the existing checks, otherwise just accept the record.
Fixes: https://pagure.io/freeipa/issue/5566
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If no results are returned then find_entries will raise
EmptyResult and not NotFound. NotFound is returned if
the search base doesn't exist.
The test for not entries can be removed as well since this
is the EmptyResult case. In case of a NotFound this will
be handled by the ExecutionError clause.
Found with https://pagure.io/freeipa/issue/8555
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
ipapwdpolicy is the objectclass which defines the libpwquality
attributes. For older sytems it isn't strictly necessary (or
visible) but not having it included will result in policies
not being visible with pwpolicy-find.
https://pagure.io/freeipa/issue/8555
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Traditionally in IPA 0 = success, 1 = error and then
specific error messages follow from that. Shift the
ipa-acme-manage return codes for "not installed" and
"not a CA" up by one.
https://pagure.io/freeipa/issue/8498
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
ACME requires an ipa-ca SAN to have a fixed URL to connect to.
If the Apache certificate is replaced by a 3rd party cert then
it must provide this SAN otherwise it will break ACME.
https://pagure.io/freeipa/issue/8498
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
New validation efforts in 389-ds-base require that the backend entry for
a database be created before the mapping tree entry. This enforces that
the mapping tree entry (the suffix) actually belongs to an existing backend.
For IPA we simply need to reverse the order of the backend vs mapping tree
creation in cainstance.py -> __create_ds_db()
Fixes: https://pagure.io/freeipa/issue/8558
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
It's handy in general and good for testing to be able to
detect the current ACME status without having to revert
to using curl.
https://pagure.io/freeipa/issue/8524
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
The initial ACME support required that each server individually
enable/disable the service. PKI 10.10.0 stores this state in LDAP
so global enable/disable is available and the IPA code relies on
this.
Parse the VERSION file shipped with PKI to determine the version.
https://pagure.io/freeipa/issue/8524
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
This allows non-plugin components to import the RestClient
classes.
Removed code that only imported pki if in_server was True. This
was legacy code from when the plugins were also loaded in the
client.
Left the ra_plugin stanza for now. This is part of the old
abstraction that allowed for different CA plugins.
https://pagure.io/freeipa/issue/8524
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
This is to be able to import ACME schema provided by dogtag.
https://pagure.io/freeipa/issue/8524
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
MIT Kerberos implements FAST negotiation as specified in RFC 6806
section 11. The implementation relies on the caller to provide a hint
whether FAST armoring must be used.
FAST armor can only be used when both client and KDC have a shared
secret. When KDC is from a trusted domain, there is no way to have a
shared secret between a generic Kerberos client and that KDC.
[MS-KILE] section 3.2.5.4 'Using FAST When the Realm Supports FAST'
allows KILE clients (Kerberos clients) to have local settings that
direct it to enforce use of FAST. This is equal to the current
implementation of 'kinit' utility in MIT Kerberos requiring to use FAST
if armor cache (option '-T') is provided.
[MS-KILE] section 3.3.5.7.4 defines a way for a computer from a
different realm to use compound identity TGS-REQ to create FAST TGS-REQ
explicitly armored with the computer's TGT. However, this method is not
available to IPA framework as we don't have access to the IPA server's
host key. In addition, 'kinit' utility does not support this method.
Active Directory has a policy to force use of FAST when client
advertizes its use. Since we cannot know in advance whether a principal
to obtain initial credentials for belongs to our realm or to a trusted
one due to enterprise principal canonicalization, we have to try to
kinit. Right now we fail unconditionally if FAST couldn't be used and
libkrb5 communication with a KDC from the user realm (e.g. from a
trusted forest) causes enforcement of a FAST.
In the latter case, as we cannot use FAST anyway, try to kinit again
without advertizing FAST. This works even in the situations when FAST
enforcement is enabled on Active Directory side: if client doesn't
advertize FAST capability, it is not required. Additionally, FAST cannot
be used for any practical need for a trusted domain's users yet.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When applying update files to 389 the listeners are disabled.
There is a large try/except around this so that if a failure
happens then the configuration should be automatically
restored.
We've seen multiple cases where this doesn't occur. Best guess
is that users are killing or ^C breaking out of the script.
What happens in that case is that when the next upgrade is run
the configuration is backed up again overwriting the original
values. This leaves dirsrv with no listener on 389.
Add a new state, upgrade-in-progress, so that the backup of the
config information can be skipped when the upgrader is executed
again after a failure.
The idea behind using a new state value is that if additional
attributes are ever backed up we don't need to remember to update
the list of possible saved values to check to decide if the
upgrade is in progress.
https://pagure.io/freeipa/issue/7534
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
FreeIPA's Python and C code used different approaches to get the FQDN of
the host. Some places assumed that gethostname() returns a FQDN. Other
code paths used glibc's resolver to resolve the current node name to a
FQDN.
Python code now uses the ipalib.constants.FQDN where a fully qualified
domain name is expected. The variable is initialized only once and avoids
potential DNS lookups.
C code uses a new helper function ipa_gethostfqdn() in util package. The
function implements similar logic as gethostfqdn() except it uses more
modern getaddrinfo(). The result is cached as well.
Fixes: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
certmonger was later restarted to remove the custom CA entries
and the startup delay sometimes caused uninstallation to fail.
certmonger is stopped in cainstance.py::uninstall() so it will
still be stopped post-install.
https://pagure.io/freeipa/issue/8533
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
cainstance and krainstance now reuse the main LDAP connection
api.Backend.ldap2 in all helper functions. Some functions used to create
and tear down their own LDAP connection. This was a remnant of the old
CA LDAP instance in FreeIPA 3.x.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The ra_certprofile API is slow. It takes ~200ms to migrate and enable a
profile even when the profile already available. The migration step
slows down the installer and upgrader by about 12 to 15 seconds.
Skip all profiles that have been imported by Dogtag already.
Related: https://pagure.io/freeipa/issue/8522
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
DNS data management now uses NSS's getaddrinfo() instead of direct DNS
queries to resolve the ipa-ca record. This fixes missing ipa-ca records
when the current hostname is not resolvable in DNS but has correct
records in /etc/hosts.
Reduce timeout to 15 seconds and tighten timeout loop.
The changeset can speed up installation by almost 60 seconds.
ipa-server-install without built-in DNS calls into DNS data management
twice with a timeout of 30 seconds for each call.
Fixes: https://pagure.io/freeipa/issue/8529
Related: https://pagure.io/freeipa/issue/8521
Related: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
resolve_ip_addresses_nss(host) is equivalent to
get_server_ip_address(api.env.host, True, False, []). The function
get_server_ip_address() is designed to perform interactive checks that
should not be triggered in automatic upgrade code.
Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
On systems with multiple IP addresses the update code could add
::1 and 127.0.0.1 multiple times.
Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-dns-install and ipa-adtrust-install no longer overwrite
ipaserver-install.log. Instead they use a separate log file.
Add AD-Trust, DNS, KRA, and replica log files to backups.
Fixes: https://pagure.io/freeipa/issue/8528
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Move several steps to an earlier phase of CA spawn. RA and ACME agent
ACLs are now configured while the server is down. This avoids yet
another restart and saves between 11 and 50 seconds per installation.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The step set_audit_renewal modifies Dogtag's caSignedLogCert.cfg to bump
renewal to 2 years. The problem was fixed in Dogtag upstream in 2012 before
Dogtag 10.0 came out, see
f5b8ea5b08
The update step would also no longer work. Profiles have been migrated
to LDAP several FreeIPA releases ago. pkispawn populates LDAP with all
of Dogtag's default profiles. FreeIPA does not overwrite any existing
profiles.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The installer now stop and patches dse.ldif only when the option
--dirsrv-config-file is used. LDBM nsslapd-db-locks are increased in a
new step.
This speeds up installer by 4 or more seconds on a fast system.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
11 years ago 5ad91a0781 added a magic sleep to work around a rare deadlock
bug in memberOf plugin. Thierry is not aware of any outstanding issues
with memberOf plugin that could lead to a deadlock.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The new lib389-based installer configured 389-DS with LDAPI support and
autobind for root. nsslapd-ldapiautobind is enabled by lib389.
cn=root-autobind,cn=config entry is no longer needed.
nsslapd-ldapimaptoentries is kept enabled for future use.
Related: https://pagure.io/freeipa/issue/8521
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Index definitions were split across four files. indices.ldif contained
the initial subset of indices. Three update files partly duplicated the
indices and partly added new indices.
All indices are now defined in a single update file that is sorted
alphanumerically.
The changeset avoids two additional index tasks and reduces installation
time by 5 to 10 seconds.
Fixes: https://pagure.io/freeipa/issue/8493
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
/etc/NetworkManager/conf.d and /etc/systemd/resolved.conf.d drop-in
files were not backed up.
Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>