Update ipaSudoRule objectClass on upgrades to add new attributes.
Ensure uniqueness of sudoOrder in rules.
The attributes sudoNotBefore and sudoNotAfter are being added to
schema but not as Params.
https://fedorahosted.org/freeipa/ticket/1314
We don't want to run the risk of adding a user, uninstalling it,
the system adding a new user (for another package install for example)
and then re-installing IPA. This wreaks havoc with file and directory
ownership.
https://fedorahosted.org/freeipa/ticket/2423
For some reason lost to history the sub_dict in dsinstance and
cainstance used FQHN instead of FQDN. This made upgrade scripts not
work reliably as the variable might be different depending on context.
Use FQDN universally instead.
There are two reasons for the plugin framework:
1. To provide a way of doing manual/complex LDAP changes without having
to keep extending ldapupdate.py (like we did with managed entries).
2. Allows for better control of restarts.
There are two types of plugins, preop and postop. A preop plugin runs
before any file-based updates are loaded. A postop plugin runs after
all file-based updates are applied.
A preop plugin may update LDAP directly or craft update entries to be
applied with the file-based updates.
Either a preop or postop plugin may attempt to restart the dirsrv instance.
The instance is only restartable if ipa-ldap-updater is being executed
as root. A warning is printed if a restart is requested for a non-root
user.
Plugins are not executed by default. This is so we can use ldapupdate
to apply simple updates in commands like ipa-nis-manage.
https://fedorahosted.org/freeipa/ticket/1789https://fedorahosted.org/freeipa/ticket/1790https://fedorahosted.org/freeipa/ticket/2032
change default_logger_level to debug in configure_standard_logging
add new ipa_log_manager module, move log_mgr there, also export
root_logger from log_mgr.
change all log_manager imports to ipa_log_manager and change
log_manager.root_logger to root_logger.
add missing import for parse_log_level()
We no longer need to enforce that no 389-ds instances exist on an IPA
server. Checking that the ports exist should be enough.
This used to be one mechanism we used to check to see if IPA was already
installed. We have a better mechanism now.
https://fedorahosted.org/freeipa/ticket/1735
https://fedorahosted.org/freeipa/ticket/1794
If the master does not yet support the total update list feature we still
run the memberof fixup task and not fail to replicate due to the new
attribute not being settable.
Jointly-developed-with: Simo Sorce <ssorce@redhat.com>
Jointly-developed-with: Nathank Kinder <nkinder@redhat.com>
At one point in time we couldn't depend on the 389-ds having
the managed entries plugin so this code was added to support
both versions. It is no longer needed.
https://fedorahosted.org/freeipa/ticket/1242
Repoint cn=Managed Entries,cn=plugins,cn=config in common_setup
Create: cn=Managed Entries,cn=etc,$SUFFIX
Create: cn=Definitions,cn=Managed Entries,cn=etc,$SUFFIX
Create: cn=Templates,cn=Managed Entries,cn=etc,$SUFFIX
Create method for dynamically migrating any and all custom Managed Entries
from the cn=config space into the new container.
Separate the connection creation during update so that a restart can
be performed to initialize changes before performing a delete.
Add wait_for_open_socket() method in installutils
https://fedorahosted.org/freeipa/ticket/1708
Fix permissions for (configuration) files produced by
ipa-server-install or ipa-client-install. This patch is needed
when root has a umask preventing files from being world readable.
https://fedorahosted.org/freeipa/ticket/1644
Added new container in etc to hold the automembership configs.
Modified constants to point to the new container
Modified dsinstance to create the container
Created automember.py to add the new commands
Added xmlrpc test to verify functionality
Added minor fix to user.py for constant behavior between memberof
and automember
https://fedorahosted.org/freeipa/ticket/1272
The installer and ipactl used two different methods to determine
whether IPA was configured, unify them.
When uninstalling report any thing that looks suspicious and warn
that a re-install may fail. This includes any remaining 389-ds instances
and any state or files that remains after all the module uninstallers
are complete.
Add wrappers for removing files and directories to log failures.
https://fedorahosted.org/freeipa/ticket/1715
When we perform an upgrade 389-ds is set to listen only on its
ldapi port. Theoretically it should be restored to the previous
state regardless of whether the upgrades were successful or not.
To be sure that a subsequent re-install will be successful go ahead
and remove the state for these options. Think of it as wearing a
belt and suspenders. Otherwise a re-install could return an error
message that IPA is already configured.
https://fedorahosted.org/freeipa/ticket/1667
We were orphaning a few files/directories when uninstalling 389-instances
both for IPA and dogtag. This should remove everything but the logs.
ticket https://fedorahosted.org/freeipa/ticket/1700
This construct allows to have a group of ipaExternalMember attributes, that can
be nested in a normal ipa Group ('memberOf' is allowed).
It cannot contain normal ipa users/groups and cannot be nested with another
group of the same type ('member' is not allowed).
For the most part the existing replication code worked with the
following exceptions:
- Added more port options
- It assumed that initial connections were done to an SSL port. Added
ability to use startTLS
- It assumed that the name of the agreement was the same on both sides.
In dogtag one is marked as master and one as clone. A new option is
added, master, the determines which side we're working on or None
if it isn't a dogtag agreement.
- Don't set the attribute exclude list on dogtag agreements
- dogtag doesn't set a schedule by default (which is actually recommended
by 389-ds). This causes problems when doing a force-sync though so
if one is done we set a schedule to run all the time. Otherwise the
temporary schedule can't be removed (LDAP operations error).
https://fedorahosted.org/freeipa/ticket/1250
Make sure that IPA can be installed with root umask set to secure
value 077. ipa-server-install was failing in DS configuration phase
when dirsrv tried to read boot.ldif created during installation.
https://fedorahosted.org/freeipa/ticket/1282
For the most part certificates will be treated as being in DER format.
When we load a certificate we will generally accept it in any format but
will convert it to DER before proceeding in normalize_certificate().
This also re-arranges a bit of code to pull some certificate-specific
functions out of ipalib/plugins/service.py into ipalib/x509.py.
This also tries to use variable names to indicate what format the certificate
is in at any given point:
dercert: DER
cert: PEM
nsscert: a python-nss Certificate object
rawcert: unknown format
ticket 32
The last step of a replication re-initiailization is to run the
memberof task. The current function would only authenticate using simple
auth to monitor the task but we may be doing this using admin GSSAPI
credentials so support that type of bind as well.
In short this fixes:
# kinit admin
# ipa-replica-manage re-initialize --from=master.example.com
https://fedorahosted.org/freeipa/ticket/1248
The Managed Entries plugin configurations weren't being created on
replica installs. The templates were there but the cn=config
portions were not.
This patch adds them as updates. The template portion will be added
in the initial replication.
ticket 1222
Enforce that the remote hostname matches the remote SSL server certificate
when 389-ds operates as an SSL client.
Also add an update file to turn this off for existing installations.
This also changes the way the ldapupdater modlist is generated to be more
like the framework. Single-value attributes are done as replacements
and there is a list of force-replacement attributes.
ticket 1069
Wait for DS ports to open after _every_ DS service restart.
Several restarts were missed by the current open port checker
implementation.
https://fedorahosted.org/freeipa/ticket/1182
This was causing a replica DS instance to crash if the task was not
completed when we attempted a shutdown to do a restart.
In replication.py we were restarting the DS instance without waiting
for the ports to become available.
It is unlikely that the dn of the memberof task will change but just in
case I noted it in the two places it is referenced.
ticket 1188
When Directory Server operation is run right after the server restart
the listening ports may not be opened yet. This makes the installation
fail.
This patch fixes this issue by waiting for both secure and insecure
Directory Server ports to open after every restart.
https://fedorahosted.org/freeipa/ticket/1076
This fixes 2 AVCS:
* One because we are enabling port 7390 because an SSL port must be
defined to use TLS On 7389.
* We were symlinking to the main IPA 389-ds NSS certificate databsae.
Instead generate a separate NSS database and certificate and have
certmonger track it separately
I also noticed some variable inconsistency in cainstance.py. Everywhere
else we use self.fqdn and that was using self.host_name. I found it
confusing so I fixed it.
ticket 1085
IPA server/replica uninstallation may fail when it tries to restore
a Directory server configuration file in sysrestore directory, which
was already restored before.
The problem is in Directory Server uninstaller which uses and modifies
its own image of sysrestore directory state instead of using the
common uninstaller image.
https://fedorahosted.org/freeipa/ticket/1026
The group is now required because 389-ds has tightened the permissions
on /var/run/dirsrv. We use the same group for both our LDAP instances
and /var/run/dirsrv ends up as root:dirsrv mode 0770.
ticket 1010
Read access is denied to the sudo container for unauthenticated users.
This shared user can be used to provide authenticated access to the
sudo information.
https://fedorahosted.org/freeipa/ticket/998
The 389-ds replication plugin may not be installed on all platforms
and our replication version plugin will cause 389-ds to not start
if it is loaded and the replication plugin is not. So disable by
default.
When a replica is prepared we check for the replication plugin.
If it exists we will enable the replication version plugin.
Likewise on installation of a replica we check for existence of
the repliation plugin and if it is there then we enable the version
plugin before replication begins.
ticket 918
A cosmetic patch to IPA server installation output aimed to make
capitalization in installer output consistent. Several installation
tasks started with a lowercase letter and several installation
task steps started with an uppercase letter.
https://fedorahosted.org/freeipa/ticket/776
Also remove the option to choose a user.
It is silly to keep it, when you can't choose the group nor the CA
directory user.
Fixes: https://fedorahosted.org/freeipa/ticket/851
On a failed bind this will update krbLoginFailedCount and krbLastFailedAuth
and will potentially fail the bind altogether.
On a successful bind it will zero krbLoginFailedCount and set
krbLastSuccessfulAuth.
This will also enforce locked-out accounts.
See http://k5wiki.kerberos.org/wiki/Projects/Lockout for details on
kerberos lockout.
ticket 343
This gives the root user low privileges so that when anonymous searches are
denied the init scripts can still search the directory via ldapi to get the
list of serevices to start.
Fixes: https://fedorahosted.org/freeipa/ticket/795
This has been completely abandoned since ipa v1 and is not built by default.
Instead of carrying dead weight, let's remove it for now.
Fixes: https://fedorahosted.org/freeipa/ticket/761
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
The CA is installed before DS so we need to wait until DS is actually installed
to be able to ldap_enable the CA instance.
Fixes: https://fedorahosted.org/freeipa/ticket/612
This allows us to have the CA ready to serve out certs for any operation even
before the dsinstance is created. The CA is independent of the dsinstance
anyway.
Also fixes: https://fedorahosted.org/freeipa/ticket/544
This replace the former ipactl script, as well as replace the current way ipa
components are started.
Instead of enabling each service in the system init scripts, enable only the
ipa script, and then let it start all components based on the configuration
read from the LDAP tree.
resolves: https://fedorahosted.org/freeipa/ticket/294
If we don't then we need to add it when a group is detached causing
aci issues.
I had to move where we create the UPG template until after the DS
restart so the schema is available.
ticket 542
This changes the system limits for the dirsrv user as well as
configuring DS to allow by default 8192 max files and 64 reserved
files (for replication indexes, etc..).
Fixes: https://fedorahosted.org/freeipa/ticket/464
Change the way we specify the id ranges to force uid and gid ranges to always
be the same. Add option to specify a maximum id.
Change DNA configuration to use shared ranges so that masters and replicas can
actually share the same overall range in a safe way.
Configure replicas so that their default range is depleted. This will force
them to fetch a range portion from the master on the first install.
fixes: https://fedorahosted.org/freeipa/ticket/198
Even though ldap.conf(5) claims that LDAPTLS_CACERT takes precedence over
LDAPTLS_CACERTDIR, this seems to be broken in F14. This patch works around
the issue by setting both into the environment.
https://fedorahosted.org/freeipa/ticket/467
We check the resolver against the resolver and DNS against DNS but not
the resolver against DNS so if something is wrong in /etc/hosts we don't
catch it and nasty connection messages occur.
Also fix a problem where a bogus error message was being displayed because
we were trying to close an unconnected LDAP connection.
ticket 327
* Adding a new SUDO schema file
* Adding this new file to the list of targets in make file
* Create SUDO container for sudo rules
* Add default sudo services to HBAC services
* Add default SUDO HBAC service group with two services sudo & sudo-i
* Installing schema
No SUDO rules are created by default by this patch.
This started with the client uninstaller returning a 1 when not installed.
There was no way to tell whether the uninstall failed or the client
simply wasn't installed which caused no end of grief with the installer.
This led to a lot of certmonger failures too, either trying to stop
tracking a non-existent cert or not handling an existing tracked
certificate.
I moved the certmonger code out of the installer and put it into the
client/server shared ipapython lib. It now tries a lot harder and smarter
to untrack a certificate.
ticket 142
We don't use certmonger to get certificates during installation because
of the chicken-and-egg problem. This means that the IPA web and ldap
certs aren't being tracked for renewal.
This requires some manual changes to the certmonger request files once
tracking has begun because it doesn't store a subject or principal template
when a cert is added via start-tracking.
This also required some changes to the cert command plugin to allow a
host to execute calls against its own service certs.
ticket 67
Move the user-private group caching code out of the global config and
determine the value the first time it is needed.
Renamed global_init() back to get_schema() and make it take an optional
connection. This solves the problem of being able to do all operations
with a simple bind instead of GSSAPI.
Moved the global get_syntax() into a class method so that a schema
can be passed in.
If a schema wasn't loaded during the module import then it is loaded
when the connection is created (so we have the credntials needed for
binding).
ticket 63
Move the netgroup compat configuration from the nis configuration to
the existing compat configuration.
Add a 'status' option to the ipa-copmat-manage tool.
ticket 91
This patch:
- bumps up the minimum version of python-nss
- will initialize NSS with nodb if a CSR is loaded and it isn't already
init'd
- will shutdown NSS if initialized in the RPC subsystem so we use right db
- updated and added a few more tests
Relying more on NSS introduces a bit of a problem. For NSS to work you
need to have initialized a database (either a real one or no_db). But once
you've initialized one and want to use another you have to close down the
first one. I've added some code to nsslib.py to do just that. This could
potentially have some bad side-effects at some point, it works ok now.
This uses a new 389-ds plugin, Managed Entries, to automatically create
a group entry when a user is created. The DNA plugin ensures that the
group has a gidNumber that matches the users uidNumber. When the user is
removed the group is automatically removed as well.
If the managed entries plugin is not available or if a specific, separate
range for gidNumber is passed in at install time then User-Private Groups
will not be configured.
The code checking for the Managed Entries plugin may be removed at some
point. This is there because this plugin is only available in a 389-ds
alpha release currently (1.2.6-a4).
Whenever we upgrade IPA such that any data incompatibilities might occur
then we need to bump the DATA_VERSION value so that data will not
replicate to other servers. The idea is that you can do an in-place
upgrade of each IPA server and the different versions own't pollute
each other with bad data.
This is to make initial installation and testing easier.
Use the --no_hbac_allow option on the command-line to disable this when
doing an install.
To remove it from a running server do: ipa hbac-del allow_all
We have had a state file for quite some time that is used to return
the system to its pre-install state. We can use that to determine what
has been configured.
This patch:
- uses the state file to determine if dogtag was installed
- prevents someone from trying to re-install an installed server
- displays some output when uninstalling
- re-arranges the ipa_kpasswd installation so the state is properly saved
- removes pkiuser if it was added by the installer
- fetches and installs the CA on both masters and clients
This creates a new role, replicaadmin, so a non-DM user can do
limited management of replication agreements.
Note that with cn=config if an unauthorized user performs a search
an error is not returned, no entries are returned. This makes it
difficult to determine if there are simply no replication agreements or
we aren't allowed to see them. Once the ipaldap.py module gets
replaced by ldap2 we can use Get Effective Rights to easily tell the
difference.
If the group exists but the user doesn't then useradd blows up
trying to create the user and group. So test to see if the group
exists and if it does pass along the -g argument to useradd.
Resolves#502960
Let the user, upon installation, set the certificate subject base
for the dogtag CA. Certificate requests will automatically be given
this subject base, regardless of what is in the CSR.
The selfsign plugin does not currently support this dynamic name
re-assignment and will reject any incoming requests that don't
conform to the subject base.
The certificate subject base is stored in cn=ipaconfig but it does
NOT dynamically update the configuration, for dogtag at least. The
file /var/lib/pki-ca/profiles/ca/caIPAserviceCert.cfg would need to
be updated and pki-cad restarted.
We use kadmin.local to bootstrap the creation of the kerberos principals
for the IPA server machine: host, HTTP and ldap. This works fine and has
the side-effect of protecting the services from modification by an
admin (which would likely break the server).
Unfortunately this also means that the services can't be managed by useful
utilities such as certmonger. So we have to create them as "real" services
instead.
There are times where a caller will want to determine the course of
action based on the returncode instead of relying on it != 0.
This also lets the caller get the contents of stdout and stderr.
The CA was moved from residing in the DS NSS database into the Apache
database to support a self-signed CA certificate plugin. This was not
updated in the installer boilerplate.
The DS db wasn't getting a password set on it. Go ahead and set one.
We have to replace 05rfc2247.ldif because it contains some conflicting
attributes with DNS in some older versions of 389-DS/RHDS. This fails on
some newer versions of 389-DS/RHDS so this lets it continue installing
if the new file is not needed.
This will create a host service principal and may create a host entry (for
admins). A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentails are available then enrollment over LDAPS is used
if a password is provided.
This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
External CA signing is a 2-step process. You first have to run the IPA
installer which will generate a CSR. You pass this CSR to your external
CA and get back a cert. You then pass this cert and the CA cert and
re-run the installer. The CSR is always written to /root/ipa.csr.
A run would look like:
# ipa-server-install --ca --external-ca -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com -U
[ sign cert request ]
# ipa-server-install --ca --external-ca -p password -a password --external_cert_file=/tmp/rob.crt --external_ca_file=/tmp/cacert.crt -U -p password -a password -r EXAMPLE.COM -u dirsrv -n example.com --hostname=ipa.example.com
This also abstracts out the RA backend plugin so the self-signed CA we
create can be used in a running server. This means that the cert plugin
can request certs (and nothing else). This should let us do online replica
creation.
To handle the self-signed CA the simple ca_serialno file now contains
additional data so we don't have overlapping serial numbers in replicas.
This isn't used yet. Currently the cert plugin will not work on self-signed
replicas.
One very important change for self-signed CAs is that the CA is no longer
held in the DS database. It is now in the Apache database.
Lots of general fixes were also made in ipaserver.install.certs including:
- better handling when multiple CA certificates are in a single file
- A temporary directory for request certs is not always created when the
class is instantiated (you have to call setup_cert_request())
This also adds a new option to the template system. If you include
eval(string) in a file that goes through the templater then the
string in the eval will be evaluated by the Python interpreter. This is
used so one can do $UIDSTART+1. If any errors occur during the evaluation
the original string is is returned, eval() and all so it is up to the
developer to make sure the evaluation passes.
The default value for uid and gid is now a random value between
1,000,000 and (2^31 - 1,000,000)
If you don't want to use ldapi then you can remove the ldap_uri setting
in /etc/ipa/default.conf. The default for the framework is to use
ldap://localhost:389/
This involves creating a new CA instance on the replica and using pkisilent
to create a clone of the master CA.
Also generally fixes IPA to work with the latest dogtag SVN tip. A lot of
changes to ports and configuration have been done recently.
Also moves delagation layout installation in dsinstance.
This is needed to allow us to set default membership in
other modules like bindinstance.
Signed-off-by: Martin Nagy <mnagy@redhat.com>
We were duplicating it for KrbInstance and DsInstance. Since we will
also need it for BindInstance as well, it will be better if it is in the
Service class instead.
Notes:
- will create a CA instance (pki-ca) if it doesn't exist
- maintains support for a self-signed CA
- A signing cert is still not created so Firefox autoconfig still won't work
The CA is currently not automatically installed. You have to pass in the
--ca flag to install it.
What works:
- installation
- unistallation
- cert/ra plugins can issue and retrieve server certs
What doesn't work:
- self-signed CA is still created and issues Apache and DS certs
- dogtag and python-nss not in rpm requires
- requires that CS be in the "pre" install state from pkicreate
Loading this via LDIF is a temporary measure until we can load it online.
This requires removing the dNSRecord declarations from 05rfc2247.ldif
so a replacement copy is included for now.
Also add the netgroups container.
I have only tested the all, rpms and *clean targets directly.
install may work but the rpm moves a lot of things around for us.
The Apache configuration file isn't in its final state but it works
with the new mod_python configuration.
