Certificate profiles consist of a FreeIPA object, and a
corresponding Dogtag configuration object. When updating profile
configuration, changes to the Dogtag configuration are not properly
authorised, allowing unprivileged operators to modify (but not
create or delete) profiles. This could result in issuance of
certificates with fraudulent subject naming information, improper
key usage, or other badness.
Update certprofile-mod to ensure that the operator has permission to
modify FreeIPA certprofile objects before modifying the Dogtag
configuration.
https://fedorahosted.org/freeipa/ticket/6560
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Python3 removed the getheaders() function and replaced it with a
get_all() one. Add compat code.
https://fedorahosted.org/freeipa/ticket/6558
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Result of {host,service}-{find,show} commands with option '--all' always contains
krbpwpolicyreference attributes.
https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Explicitly set the krbPwdPolicyReference attribute on all hosts (entries in
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
CoS so no attributes are really added.
The default policies effectively disable any enforcement or lockout for hosts
and services. Since hosts and services use keytabs, password enforcement
doesn't make much sense. Also the lockout policy could be used for easy and
cheap DoS.
https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
In client plugins make sure the api_version is 'inherited' from the server command
that is internally called. Otherwise the api_version is obtained from the client
API instance. When calling a server command from a client command, 'version' is
passed in options and it overrides the right one. The server then refuses to handle
such a call.
https://fedorahosted.org/freeipa/ticket/6539
Reviewed-By: Martin Basti <mbasti@redhat.com>
Spaces are causing problems in libtool, makefiles, autoconf itself, gettextize
framework etc. so this issue cannot be easily fixed.
Return on investment is too small to invest into this. Let's detect the
whitespace early and error out with a descriptive error message.
https://fedorahosted.org/freeipa/ticket/6537
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
32b1743e5f introduced a regression in
test_serverroles.py, caused by ca_find attempting to log into the
Dogtag REST API. (ca_find is called by cert_find which is called by
server_del during cleanup).
Avoid logging into Dogtag in cert_find unless something actually
needs to be retrieved.
Fixes: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
configure option --with/without-pylint was replaced by
--enable/disable-pylint. Pylint is always called as $(PYTHON) -m python.
If you need to override Pylint version, use command "make pylint PYTHON=xxx".
https://fedorahosted.org/freeipa/ticket/157
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
python3-samba is intentionally omitted because it is not in Fedora repos.
Pylint somehow magically ignores this missing package.
Keep in mind that the server will not work until this is solved.
https://fedorahosted.org/freeipa/ticket/157
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Petr Viktorin recommended that I copy the whole build directory and run
configure twice, with different values for the PYTHON variable.
After thinking a bit about that, it seems the cleanest approach.
Building for two versions of Python at the same time should be a
temporary state so I decided not to complicate the Autotools build system
with conditional spaghetti for two versions of Python.
For proper Python2/3 distinction in the two separate builds, I added a
find/grep/sed combo which replaces shebangs with the system-wide Python
interpreter as necessary. This is a workaround for the fact that FreeIPA
does not use setuptools properly. Honza told me that proper use of
setuptools is not trivial so we decided to go with this for now.
https://fedorahosted.org/freeipa/ticket/157
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Commit 2cbaf15604 introduced a regression
in API version comparison. In case a newer client is trying to call an
older server an error is returned, but it should work. This commit fixes
it.
https://fedorahosted.org/freeipa/ticket/6468
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Checking of conflicts is not only done in the topology container, as
tests showed it can occur elsewhere.
https://fedorahosted.org/freeipa/ticket/6534
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
There was a missing default value for the evaluator adapter.
In that case the adapter variable could be undefined and
it crashes on building the adapter. Therefore it did not
evaluate all evaluators. That is the reason why 'Delete'
and 'Add' buttons were incorrectly shown.
The default value is now set to an empty object.
https://fedorahosted.org/freeipa/ticket/6546
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Samba 4.5 does not allow specifying the access mode for the keytab (FILE: or
WRFILE:) from external sources. Thus, change the defaults to a path
(implies FILE: prefix) while the Samba Team fixes the code to allow the
access mode prefix for keytabs.
On upgrade we need to replace the 'dedicated keytab file' value with the
path to the Samba keytab that FreeIPA maintains. Since the configuration
is stored in the Samba registry, we use the net utility to manipulate the
configuration:
net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab
Fixes https://fedorahosted.org/freeipa/ticket/6551
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Commit 6409abf1 removes the hard dependency of ipalib in ipaplatform to avoid
cyclic dependencies; this commit updates ipactl accordingly.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.
https://fedorahosted.org/freeipa/ticket/5678
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Administrators need a way to retrieve the certificate or certificate
chain of an IPA-managed lightweight CA. Add params to the `ca'
object for carrying the CA certificate and chain (as multiple DER
values). Add the `--chain' flag for including the chain in the
result (chain is also included with `--all'). Add the
`--certificate-out' option for writing the certificate to a file (or
the chain, if `--chain' was given).
Fixes: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
certdb.NSSDatabase.import_files currently accumulates certificates
extracted from input files as a string, which is ugly. Accumulate a
list of PEMs instead, and join() them just in time for PKCS #12
creation.
Part of: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Add a single function for extracting X.509 certs in PEM format from
a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to
use the new function.
Part of: https://fedorahosted.org/freeipa/ticket/6178
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Pre-3.3 masters do not support setting 'nsds5replicabinddngroup'
attribute on existing replica entry during setup of initial replication.
In this case UNWILLING_TO_PERFORM is returned. The code can interpret
this error as an indication of old master and fall back to just adding
its LDAP principal to entry's 'nsds5replicabinddn' attribute.
https://fedorahosted.org/freeipa/ticket/6532
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Since commit f919ab4ee0, a temporary file is
used to give passwords to pk12util. When a password is empty, the temporary
file will be empty as well, which pk12util does not like.
Add a new line after the password in the temporary file to please pk12util.
https://fedorahosted.org/freeipa/ticket/6541
Reviewed-By: David Kupka <dkupka@redhat.com>
'nsds5replicabinddngroupcheckinterval' attribute was not properly added
to 'o=ipaca' replica attribute during upgrade. The CA topology update
plugin should now add it to the entry if it exists.
https://fedorahosted.org/freeipa/ticket/6508
Reviewed-By: Martin Basti <mbasti@redhat.com>
The lower version is needed while building on RHEL.
Also po/Rules-quot file is deleted and added to .gitignore.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Replace the dual definitions of domain_name, dm_password and admin_password
knobs in server install with single definitions using the original names
without the 'new_' prefix.
This fixes the options read from the installer option cache in step 2 of
external CA install to use the correct knob names.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
During the server installation, the installer requests certificates
through certmonger. The current timeout is 60s and is too low.
Increase this timeout to api.env.startup_timeout as done in
ipa_cacert_manage or ipa_certupdate.py
(the code checks the status each 5s up to the timeout value).
https://fedorahosted.org/freeipa/ticket/6433
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When a hostname is provided to host_port_open, it should check if
ports are open for ALL IPs that are resolved from the hostname, instead
of checking whether the port is reachable on at least one of the IPs.
https://fedorahosted.org/freeipa/ticket/6522
Reviewed-By: Petr Spacek <pspacek@redhat.com>
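The all-addresses rule described above, as an added illustration that is not FreeIPA's own host_port_open code: the resolver and the TCP probe are injectable so the logic can be exercised offline, and demo() uses a constructed dual-stack host whose IPv6 address does not answer. Under the old any-address rule that host would have passed.

```python
import socket


def resolve_all(hostname, port):
    """Every (family, ip) pair the resolver returns for hostname, deduplicated."""
    addrs = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(
            hostname, port, 0, socket.SOCK_STREAM):
        entry = (family, sockaddr[0])
        if entry not in addrs:
            addrs.append(entry)
    return addrs


def tcp_probe(family, ip, port, timeout=1.0):
    """True if a TCP connect to ip:port succeeds within timeout seconds."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((ip, port))
        return True
    except OSError:
        return False


def host_port_open(hostname, port, resolve=resolve_all, probe=tcp_probe):
    """Return (all_open, unreachable_ips).

    The port counts as open only if it answers on *every* address the name
    resolves to; a name that resolves to nothing fails closed.
    """
    addrs = resolve(hostname, port)
    if not addrs:
        return False, []
    unreachable = [ip for family, ip in addrs if not probe(family, ip, port)]
    return not unreachable, unreachable


def demo():
    """Constructed dual-stack host (hypothetical names) whose IPv6 listener is down."""
    def fake_resolve(hostname, port):
        return [(socket.AF_INET, "192.0.2.10"), (socket.AF_INET6, "2001:db8::10")]

    def fake_probe(family, ip, port, timeout=1.0):
        return ip == "192.0.2.10"          # only the IPv4 listener answers

    return host_port_open("replica.example.test", 389, fake_resolve, fake_probe)
```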
If permission-find is fired with an argument and sizelimit set,
a message about truncation will be sent along with the result
as the search in post_callback() does a general search instead
of having its filter properly set.
https://fedorahosted.org/freeipa/ticket/5640
Reviewed-By: Martin Basti <mbasti@redhat.com>
Make it easier to generate search filters properly
and in a unified way in any inheriting method
https://fedorahosted.org/freeipa/ticket/5640
Reviewed-By: Martin Basti <mbasti@redhat.com>
Instead of checking sysrestore status which leads to incorrect
evaluation of DNS configuration status during 4.2 -> 4.4 upgrade, look
into named.conf to see whether it was already modified by IPA installer.
https://fedorahosted.org/freeipa/ticket/6503
Reviewed-By: Martin Basti <mbasti@redhat.com>
https://github.com/martbab/ipa-docker-test-runner is now used to run the
following tasks in Travis CI:
* pull in a FreeIPA test runner Docker image
* configure/make lint/make rpms
* install rpms
* install FreeIPA server and KRA
* run out-of-tree tests
For performance reasons (last two steps are very time-consuming) the available
tests were split roughly in half and are run as two separate jobs to speed up
the process.
AD trust is not installed as part of tests since the enabled compat plugin
causes false negative errors.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Prepare a configuration file for
https://github.com/martbab/ipa-docker-test-runner. The latest
freeipa-fedora-test-runner Docker image (F25 as of time of writing this
message) will be used to run tests. Some of them will be purposefully excluded
from the test suite, namely:
* test_integration and test_webui: for obvious reasons, CI tests require
complicated multi-host setup which is currently not achievable in Travis CI
* test_ipapython/test_keyring: Docker cannot cope with storing and retrieving
secrets from Kernel keyring, that is a known issue
* test_xmlrpc/test_dns_plugin.py:test_dns_soa: There are 2-3 non-deterministic
failures in this suite in Travis CI, this suite was disabled until the root
cause is discovered and fixed/worked around
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Currently we do not check Kerberos principal aliases when validating
a CSR. Enhance cert-request to accept the following scenarios:
- for hosts and services: CN and SAN dnsNames match a principal
alias (realm and service name must be same as nominated principal)
- for all principal types: UPN or KRB5PrincipalName othername match
any principal alias.
Fixes: https://fedorahosted.org/freeipa/ticket/6295
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
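The two alias rules above, modelled as an added example (not FreeIPA's cert-request code): CN and SAN dNSNames are accepted only if they combine with the nominated principal's own service and realm into one of its aliases, while UPN/KRB5PrincipalName othernames must equal an alias outright. Principals are passed as plain strings, and DNS names are lowercased before comparison (an assumption that host components of principals are lowercase).

```python
def split_principal(principal):
    """'HTTP/www.example.test@EXAMPLE.TEST' -> ('HTTP', 'www.example.test', 'EXAMPLE.TEST')."""
    name, at, realm = principal.rpartition("@")
    if not at or not realm:
        raise ValueError("principal without realm: %r" % principal)
    service, slash, host = name.partition("/")
    if not slash or not host:
        raise ValueError("not a host/service principal: %r" % principal)
    return service, host, realm


def csr_name_problems(nominated, aliases, cn, san_dnsnames, san_principals):
    """Return the reasons to reject the CSR's names (an empty list means acceptable).

    nominated       principal the certificate is requested for
    aliases         its principal aliases (the canonical name may be among them)
    cn              subject CN, or None
    san_dnsnames    SAN dNSName values
    san_principals  SAN UPN / KRB5PrincipalName othername values, as principal strings
    """
    service, _, realm = split_principal(nominated)
    allowed = {nominated, *aliases}
    problems = []
    # CN and dNSNames are only accepted when, combined with the nominated
    # principal's own service and realm, they form one of its aliases.
    labelled = [("CN", cn)] if cn else []
    labelled += [("dNSName", d) for d in san_dnsnames]
    for label, dnsname in labelled:
        candidate = "%s/%s@%s" % (service, dnsname.lower(), realm)
        if candidate not in allowed:
            problems.append("%s %r is not an alias of %s" % (label, dnsname, nominated))
    # othername principals must match an alias exactly, realm included.
    for principal in san_principals:
        if principal not in allowed:
            problems.append("othername %r is not an alias of %s" % (principal, nominated))
    return problems
```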
Make sure all messages displayed on screen to the user can be found
in the log as well. The messages are also logged if the script is run
in quiet mode.
https://fedorahosted.org/freeipa/ticket/6497
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Replica conncheck may fail for other reasons than network
misconfiguration. For example, an incorrect admin password might be
provided. Since conncheck is run as a separate script in quiet mode,
no insightful error message can be displayed.
https://fedorahosted.org/freeipa/ticket/6497
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When the thread that opens ports would execute notify() before the
original thread could call wait(), the original thread would wait
indefinitely for a notify() call.
https://fedorahosted.org/freeipa/ticket/6487
Reviewed-By: Petr Spacek <pspacek@redhat.com>
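The lost-wakeup race described above, reproduced as an added example (not FreeIPA's code): the worker is forced to notify() before the waiter calls wait(). A bare Condition.wait() then times out, while waiting on a state predicate with wait_for() returns immediately because it checks the flag before sleeping.

```python
import threading


class PortOpener:
    """Handshake between a port-opening worker and the thread waiting on it."""

    def __init__(self):
        self._cond = threading.Condition()
        self._ports_ready = False   # the state wait() actually cares about

    def open_ports(self):
        # Worker side: record the state change under the lock, then signal.
        with self._cond:
            self._ports_ready = True
            self._cond.notify_all()

    def wait_buggy(self, timeout):
        # Lost-wakeup bug: a bare wait() only returns True if notify() arrives
        # *after* it starts waiting; a notify() that already happened is gone.
        with self._cond:
            return self._cond.wait(timeout=timeout)

    def wait_fixed(self, timeout):
        # Fix: wait on the predicate, not on the notification. wait_for()
        # tests _ports_ready before sleeping, so an early notify() is harmless.
        with self._cond:
            return self._cond.wait_for(lambda: self._ports_ready, timeout=timeout)


def run_handshake(use_fixed, timeout=0.2):
    """Force the race: the worker notifies before the waiter calls wait().

    Returns True if the waiter proceeds, False if it times out (the hang).
    """
    opener = PortOpener()
    worker = threading.Thread(target=opener.open_ports)
    worker.start()
    worker.join()                      # notify() has definitely run by now
    waiter = opener.wait_fixed if use_fixed else opener.wait_buggy
    return waiter(timeout)


if __name__ == "__main__":
    print("buggy waiter proceeds:", run_handshake(use_fixed=False))  # False
    print("fixed waiter proceeds:", run_handshake(use_fixed=True))   # True
```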
permission-find: sizelimit option set to number of permissions -1
could return all permissions anyway
https://fedorahosted.org/freeipa/ticket/5640
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The permission_find() method would have failed if size_limit in config is too
small, caused by a search in post_callback. This search should also
respect the passed sizelimit or the sizelimit from ipa config if no
sizelimit is passed.
https://fedorahosted.org/freeipa/ticket/5640
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
get_entries() wouldn't pass some arguments deeper to find_entries()
function it wraps. This would cause unexpected behavior in some
cases throughout the framework where specific (non-)limitations
are expected.
https://fedorahosted.org/freeipa/ticket/5640
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Env confdir is always populated so it should be listed among variables
set during a call to `Env._bootstrap()`.
https://fedorahosted.org/freeipa/ticket/6389
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Python-pyasn1-modules is needed because of this import:
from pyasn1_modules import rfc2459
in ipalib/x509.py.
Python-pyasn1-modules is required only by the python-ldap package, but it would be
good to not rely on another package and rather say explicitly that
this package is necessary.
https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Let's relax the check for .git from 'is a directory' to 'exists' in order to
support freeipa in a git submodule. Submodules have a .git file with
content like
gitdir: ../.git/modules/freeipa
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
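An added example of the two .git shapes the commit describes (not FreeIPA's build code): git_dir() accepts both a .git directory and a submodule's one-line .git file, resolving the relative gitdir path against the checkout, and demo() builds a constructed superproject/submodule tree in a temporary directory to show that an isdir-only check misses the submodule.

```python
import os
import tempfile


def git_dir(checkout):
    """Return the git directory backing `checkout`, or None if it is not a checkout.

    A regular checkout has a .git directory; a submodule checkout has a .git
    file whose first line is 'gitdir: <path>', with a relative path taken
    relative to the checkout itself.
    """
    dot_git = os.path.join(checkout, ".git")
    if os.path.isdir(dot_git):
        return dot_git
    if os.path.isfile(dot_git):
        with open(dot_git) as fh:
            first = fh.readline().strip()
        prefix = "gitdir: "
        if first.startswith(prefix):
            target = first[len(prefix):]
            if not os.path.isabs(target):
                target = os.path.join(checkout, target)
            return os.path.normpath(target)
    return None


def is_git_checkout(checkout):
    return git_dir(checkout) is not None


def demo():
    """Classify a constructed superproject/submodule layout built in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        superproject = os.path.join(root, "super")
        modules_dir = os.path.join(superproject, ".git", "modules", "freeipa")
        submodule = os.path.join(superproject, "freeipa")
        plain = os.path.join(root, "plain")
        for path in (modules_dir, submodule, plain):
            os.makedirs(path)
        with open(os.path.join(submodule, ".git"), "w") as fh:
            fh.write("gitdir: ../.git/modules/freeipa\n")   # the submodule .git file
        return {
            "superproject": is_git_checkout(superproject),
            "submodule": is_git_checkout(submodule),
            "submodule_resolves": git_dir(submodule) == modules_dir,
            "plain_dir": is_git_checkout(plain),
            "isdir_check_sees_submodule": os.path.isdir(os.path.join(submodule, ".git")),
        }
```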