`ipalib.API` instances like `ipalib.api` now provide a context manager
that connects and disconnects the API object. Users no longer have to
deal with different types of backends or finalize the API correctly.
```python
import ipalib
with ipalib.api as api:
api.Commands.ping()
```
See: https://pagure.io/freeipa/issue/9443
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Many of the workshop pages links are directing to URLs that end with
".rst" instead of ".html", as a result, these links are broken.
This commit introduces explicit targets and references to ensure that
the pages are correctly linked.
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
When system date is moved into future, it have unprecedented
behavior i.e CA becomes irresponsive or unexpected certificcate
state. Hence restart the ipa service after moving the date to
gracefully serve the request.
Fixes: https://pagure.io/freeipa/issue/9379
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Main SELinux policy will allow transition of passkey_child (SSSD) to
ipa_otpd_t context to perform FIDO2 operations with USB devices.
This means ipa-otpd will need to be able to read data from sysfs and
connect to USB devices.
Add required permissions to IPA subpolicy as well. See rhbz#2238224 for
discussion.
Related: https://pagure.io/freeipa/issue/9434
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The replica install was unilaterally removing KRB5CCNAME from
os.environ in some cases. Instead check first to see if it is
present and only remove in that case.
Fixes: https://pagure.io/freeipa/issue/9446
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Write a new krb5.conf in case any values changed finding the
right server to configure against (e.g. for CA, KRA) and
ensure the API connection is to the remote server that
will be installed against.
When finding a CA or KRA during initial replica installation
set the remote master as well. The order is:
- existing server value in /etc/ipa/default.conf
- the chosen CA host if the server doesn't provide one
- the chosen KRA host if the server doesn't provide one
This is more or less heirarchical. If a server is provided
then that is considered first. If it provides all the
optional services needed (CA and/or KRA) then it will
be used. Otherwise it will fall back to a server that provides
all the required services.
In short, providing --server either at client install or
with ipa-replica-install is no guarantee that it will
define all topology. This may be unexpected behavior.
For the case of adding a CA or KRA things are effectively
unchanged. This type of install does not appear to be
impacted by affinity issues.
Fixes: https://pagure.io/freeipa/issue/9289
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
For passkeys (FIDO2) support, SSSD uses libfido2 library which needs
access to USB devices. Add SELinux booleans handling to ipa-client-install
so that correct SELinux booleans can be enabled and disabled during
install and uninstall. Ignore and record a warning when SELinux policy
does not support the boolean.
Fixes: https://pagure.io/freeipa/issue/9434
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
389DS supports BDB and LMDB backends. FreeIPA installation fails with
LMDB backend since it tries to apply tuning for BDB backend.
Instead, tuning for BDB should be applied only when 389DS uses BDB
backend.
Fixes: https://pagure.io/freeipa/issue/9435
Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The ipaidpuser objectclass is required for the attribute ipaidpsub.
When a user is created or modified with --idp-user-id, the operation
must ensure that the objectclass is added if missing.
Add a test for user creation and user modification with --idp-user-id.
Fixes: https://pagure.io/freeipa/issue/9433
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The dogtag REST API has a change of behavior regarding
revocation reason 8, REMOVE_FROM_CRL. The XML interface
accepts it blindly and marks the certifiate as revoked.
This is complicated within RFC 5280 but the jist is that
it only affects a certificate on hold and only for delta
CRLs.
So this modifies the behavior of revocation 8 so that
the certificate is put on hold (6) first.
Fixes: https://pagure.io/freeipa/issue/9345
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The XML API is already deprecated and will be removed in some
future release.
All but the updateCRL API has an equivalent in REST. The upstream
dogtag project documents most of the API at
https://github.com/dogtagpki/pki/wiki/REST-API . I say most
because not every API includes sample input/output. The
pki ca-cert command is a good substitute for seeing how the API
is used by their own tooling.
This changes no pre-existing conventions. All serial numbers are
converted to decimal prior to transmission and are treated as
strings to avoid previous limitations with sizing (which would
have been exacerbated by random serial numbers).
Fixes: https://pagure.io/freeipa/issue/9345
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
There is one hour time difference between expiry of ACME cert if
the certificate is issued while daylight saving is start and
expires after DST ends. For 2023 daylight saving time start at
Sunday 12 March and ends at Sunday 5 November. Every certificate
which is expiring after November 5th will have 1 hour difference in
expiry.
Fix is to use 90days+2hours to expire the cert.
Fixes: https://pagure.io/freeipa/issue/9428
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
LDAPSearch class constructs a filter from a set of attributes and their
values passed in by the command. During this construction process a
limited set of attributes gets converted to a special form, the rest is
simply taken as a string and escaped according to LDAP rules.
This means DateTime class would simply be converted to string using
str(DateTime) and that uses default formatting method. For LDAP we need
to apply a specific formatting method instead.
Following LDAP attributes now handled as datetime.datetime:
( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE)
( 2.16.840.1.113730.3.8.16.1.3 NAME 'ipatokenNotBefore' DESC 'Token validity date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
( 2.16.840.1.113730.3.8.16.1.4 NAME 'ipatokenNotAfter' DESC 'Token expiration date' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'IPA OTP')
Fixes: https://pagure.io/freeipa/issue/9395
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
An attempt to do this was already coded but the wrong
argument was used. It was passing in the location name and
not the map name so the map wouldn't be completely removed.
Include a test to verify that the map is gone after removing
it by calling automountlocation-tofiles which will fail if the
map wasn't properly removed.
Fixes: https://pagure.io/freeipa/issue/9397
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The description of "Subordinate ID Selfservice User" role had
'subordiante' instead of 'subordinate'.
This patch corrects the default value and adds a replace to fix
existing deployments.
Related: https://pagure.io/freeipa/issue/9418
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
ipa-server-guard reads a lock file in order to
check if the lock is still taken by comparing
the stored value, for instance:
expire = 20230810155452589311
with the current datetime.
The expire value needs to be timezone-aware in
order to be compared with "now" which is also tz aware.
Related: https://pagure.io/freeipa/issue/9425
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-cert-fix compares the current datetime with the
value obtained from a cert.not_valid_after.
With the fix for #9425, not_valid_after is timezone
aware and cannot be compared to a naive datetime.
Make the datetime "now" timezone aware.
Related: https://pagure.io/freeipa/issue/9425
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-epn is using timezone-aware timestamps for "now"
but converts krbpasswordexpiration attribute into
a naive datetime object that is missing the tzinfo.
It is not possible to substract timezone aware and
naive values. Convert krbpasswordexpiration attribute
into an UTC value before doing the substration.
Related: https://pagure.io/freeipa/issue/9425
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If there is already a sssd.conf file before the installer is
executed, the nss and pam services may not be enabled by the
installer. This happens for instance if the machine is hardened
for STIG and sssd.conf does not define services=... in the
[sssd] section.
The consequence is that trust cannot be established with an AD
domain.
The installer must enable nss and pam services even if there is
a pre-existing sssd.conf file.
Fixes: https://pagure.io/freeipa/issue/9427
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The fixture issue_and_expire_acme_cert returns a function
that fills the hosts array. If the function is not called in
the test (for instance because a test is skipped, as in
TestACMEPrune::test_prune_cert_search_size_limit), hosts = []
and hosts[0] raises an IndexError.
Fix the fixture to check first that hosts is not empty.
Related: https://pagure.io/freeipa/issue/9348
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
In the future pkispawn will validate all path params so the
default values for pki_ca_signing_csr_path and
pki_ca_signing_cert_path need to be removed since they point
to non-existent files. When the params are actually used for
installing an external CA, CAInstance.__spawn_instance()
will initialize them with the correct paths.
Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The test TestTopologyOptions::test_add_remove_segment is
randomly failing downstream. Test scenario:
- create a line topology master <-> repl1 <-> repl2
- create user on master
- wait for repl success on master
- check that the user is seen on repl2
The test waits for replication to complete on the master but
it should also wait for the replication to complete on repl1
before checking the user presence on repl2.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
In the future pkispawn will validate all path params so the
default value for pki_cert_chain_path needs to be removed
since it points to a non-existent file. When the param is
actually used (e.g. for installing with an external CA)
CAInstance.__spawn_instance() will configure the param to
point to the actual cert chain.
Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In the future the default value for pki_share_dbuser_dn might
change. To ensure that CA and KRA in IPA will use the same
database user, the pki_share_dbuser_dn needs to be defined
for CA to match the same param for KRA.
Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The subsystem.count param has actually been removed since
PKI 10.10 so it doesn't need to be set in renew_ca_cert.in.
Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When modifying ipa-epn code, a warning was issued:
--------------
Python 3.11.4 (main, Jun 7 2023, 00:00:00) [GCC 13.1.1 20230511 (Red Hat 13.1.1-2)]
************* Module ipaclient.install.ipa_epn
ipaclient/install/ipa_epn.py:89: [W0719(broad-exception-raised), drop_privileges] Raising too general exception: Exception)
--------------
Use 'RequiresRoot' exception class and clarify the message:
ipalib.errors.RequiresRoot: Cannot drop privileges!
Related: https://pagure.io/freeipa/issue/9425
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The following warning is displayed on a system running with Python 3.12:
-------------------
/usr/lib/python3.12/site-packages/ipalib/rpc.py:925: DeprecationWarning:
datetime.utcnow() is deprecated and scheduled for removal in a future
version. Use timezone-aware objects to represent datetimes in UTC:
datetime.now(datetime.UTC).
timestamp=datetime.datetime.utcnow())
-------------------
Fixes: https://pagure.io/freeipa/issue/9425
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
system date moved in order to expire the certs. Sometime it
is observed that subsequent operation fails with 500 error for CA,
hence restart the services after moving date and wait for sometime
to get things settle.
Also the tests was calling fixture which is not required for it, hence
removed it as well.
Fixes: https://pagure.io/freeipa/issue/9348
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The deletion of the admin is now forbidden (even if it is
not the last member of the admins group) and the error
message has changed from "admin cannot be deleted or
disabled because it is the last member of group admins"
to " user admin cannot be deleted/modified: privileged user".
Update the expected message in the webui test.
Related: https://pagure.io/freeipa/issue/8878
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
admin is required for trust operations
Note that testing for removing the last member is now
irrelevant because admin must always exist so the test
for it was removed, but the code check remains. It is done
after the protected member check.
Fixes: https://pagure.io/freeipa/issue/8878
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use of 'ipa idp-add --provider' was supposed to allow override scope and
other IdP options. The defaults are provided by the IdP template and
were actually not overridden. Fix this.
Fixes: https://pagure.io/freeipa/issue/9421
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Adding proper error handling to the is_master_host() function to allow
it to make the difference between the absence of a master host object
and a connection failure. This will keep the krb5kdc daemon from
continuing to run with a NULL LDAP context.
Fixes: https://pagure.io/freeipa/issue/9422
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Three memory leaks are addressed:
1. String values retrieved from the pblock need to be manually
freed.
2. The list of objectclasses retreived from the pblock need to be
freed.
3. Internal search results need to be freed.
Fixes: https://pagure.io/freeipa/issue/9403
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test test_epn.py::TestEPN::test_EPN_config_file ensures that
/etc/ipa/epn.conf is installed and compares its checksum with an
expected value.
Commit fcad9c9 has changed the content of the file and the cksum
must be updated to reflect the new content.
Fixes: https://pagure.io/freeipa/issue/9419
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Adding mail_from_realname setting to configuration so that the real name of the sender of the password expiration notification can be customized. This addition does not affect existing configurations.
Fixes: https://pagure.io/freeipa/issue/9336
Signed-off-by: Simon Nussbaum <simon.nussbaum@adfinis.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The user and stageuser commands return the following error
when the user is created/updated with a non existing idp:
$ ipa user-add testuser --first test --last user --idp dummy
ipa: ERROR: no such entry
The error is not descriptive enough and has been modified to
display instead:
$ ipa user-add testuser --first test --last user --idp dummy
ipa: ERROR: External IdP configuration dummy not found
Fixes: https://pagure.io/freeipa/issue/9416
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
when system hardning done i.e in case of STIG, sometimes http challanges
can't be validated by CA if port 80 is not open. This fix enable it to facilitate
the communication.
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
When 389-ds process an OTP authentication, the ipa-pwd-extop
plugin reads a buffer to extract the authentication type.
The type is stored in an int but the data is a ber_tag_t.
On big endian machines the type cast does not cause any issue
but on s390x the buffer that should return 128 is seen as 0.
As a consequence, the plugin considers that the method is not
LDAP_AUTH_SIMPLE and exits early, without processing the OTP.
The fix is simple and consists in using the right type
(ber_tag_t is an unsigned long).
Fixes: https://pagure.io/freeipa/issue/9402
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The tasks.download_packages method is using
dnf install --downloaddir PATH --downloadonly
but the option --downloaddir does not exist any more with
dnf5 that is shipped in rawhide.
An alternative is to use
dnf download
which downloads to the current directory. This alternative
works for both dnf and dnf5.
Fixes: https://pagure.io/freeipa/issue/9399
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The test TestBackupAndRestoreWithReplica is simulating a
master crash in order to check the behavior after ipa-restore.
Since commit 67a33e5, the uninstaller restarts the services in
order to unregister the server from PKI security domain. An
indirect consequence is that master/replica communication is re-
established and operations removing entries (done by the uninstaller)
are replicated to the replica.
This means that the scenario does not really simulate a server crash.
To make sure that no replication happens during this "crash", stop
the replica first, then uninstall the master, and finally restart
the replica before calling the ipa-restore command on the master.
Fixes: https://pagure.io/freeipa/issue/9404
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
A host uses Location (nshostlocation) as an optional hint where
a host may phsyically be located (e.g. Lab 2). This will result in
an attribute in the host entry like:
nshostlocation: Lab 2
A server uses location (ipalocation) to identify which DNS location
the server is part of (e.g. prague). This will result in an attribute
in the server entry like:
ipalocation: idnsname=prague,cn=locations,cn=etc,dc=example,dc=test
They are completely different animals.
https://pagure.io/freeipa/issue/9317
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
In order to know if ca/kra is installed locally, the code
is calling pki-server subsystem-show _subsystem_
and ensures that "Enabled: True" is in the output.
If a subsystem fails to start, the command returns
"Enabled: False" but it doesn't mean that the subsystem
is not installed, it just means that it is not active
right now.
Same output if the subsystem has been disabled with
pki-server subsystem-disable _subsystem_.
The correct way to check if a subsystem is installed is to
ensure that subsystem-show does not exit on error and
contains "Enabled: ", whatever the value.
Related: https://pagure.io/freeipa/issue/9330
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The uninstaller is stopping all the services before
calling pkidestroy to uninstall the CA.
With PKI 11.4+ this sequence fails as pkidestroy tries
to connect to PKI server in order to unregister from the
security domain. The error interrupts the full completion
of pkidestroy, is logged but doesn't make ipa uninstallation
fail.
The issue is that trying to re-install later on would fail because
pkidestroy did not completely uninstall the CA.
To avoid this, call pkidestroy before shutting down the services.
Also add an uninstall_check method that restarts IPA if it is
not running, and use pkidestroy --force to make sure that PKI
is uninstalled even if restart failed.
Fixes: https://pagure.io/freeipa/issue/9330
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The upgrade checks the replication agreements to ensure that
some attributes are excluded from replication. The agreements
are stored in entries like
cn=serverToreplica,cn=replica,cn=_suffix_,cn=mapping tree,cn=config
but those entries are managed by the replication topology plugin
and should not be updated directly. The consequence is that the update
of the attributes fails and ipa-server-update prints an error message:
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling
to perform: Entry and attributes are managed by topology plugin.No direct
modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is
unwilling to perform: Entry and attributes are managed by topology
plugin.No direct modifications allowed.
The upgrade continues but the replication is not excluding
passwordgraceusertime.
Instead of editing the agreements, perform the modifications on
the topology segments.
Fixes: https://pagure.io/freeipa/issue/9385
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add an upgrade test with the following scenario:
- remove PKI drop-in file (to simulate an upgrade from an old
version)
- remove caECServerCertWithSCT profile from LDAP
- launch the ipa-server-upgrade command
- check that the upgrade added the file
Related: https://pagure.io/freeipa/issue/9381
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
During the installation of IPA server, the installer adds a drop-in
file in /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf
that ensures the CA is reachable before the start command returns.
If the file is missing (for instance because the server was installed
with an old version before this drop-in was created), the upgrade
should add the file.
Fixes: https://pagure.io/freeipa/issue/9381
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
There are 2 possible methods to rename users and groups:
- either use ipa user|group-mod oldname --rename newname
- or use settattr:
ipa user-mod oldname --setattr uid=newname
ipa group-mod oldname --setattr cn=newname
The first method validates the new name but the second method
doesn't. Add a validation to make both methods consistent
Fixes: https://pagure.io/freeipa/issue/9396
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
cert-find is a rather complex beast because it not only
looks for certificates in the optional CA but within the
IPA LDAP database as well. It has a process to deduplicate
the certificates since any PKI issued certificates will
also be associated with an IPA record.
In order to obtain the data to deduplicate the certificates
the cert from LDAP must be parser for issuer and serial number.
ipaldap has automation to determine the datatype of an
attribute and will use the ipalib.x509 IPACertificate class to
decode a certificate automatically if you access
entry['usercertificate'].
The downside is that this is comparatively slow. Here is the
parse time in microseconds:
cryptography 0.0081
OpenSSL.crypto 0.2271
ipalib.x509 2.6814
Since only issuer and subject are required there is no need to
make the expensive IPACertificate call.
The IPACertificate parsing time is fine if you're parsing one
certificate but if the LDAP search returns a lot of certificates,
say in the thousands, then those microseconds add up quickly.
In testing it took ~17 seconds to parse 5k certificates (excluding
transmission overhead, etc).
cert-find when there are a lot of certificates has been
historically slow. It isn't related to the CA which returns
large sets (well, 5k anyway) in a second or two. It was the
LDAP comparision adding tens of seconds to the runtime.
When searching with the default sizelimit of 100 the time is
~10s without this patch. With it the time is 1.5s.
CLI times from before and after searching for all certs:
original:
-------------------------------
Number of entries returned 5038
-------------------------------
real 0m15.507s
user 0m0.828s
sys 0m0.241s
using cryptography:
real 0m4.037s
user 0m0.816s
sys 0m0.193s
Fixes: https://pagure.io/freeipa/issue/9331
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This reverts commit 1f30cc6527.
The problem isn't with python-cryptography, it is with the
IPACertificate class which does way more work on a certificate
than is necessary in cert-find.
Related: https://pagure.io/freeipa/issue/9331
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This reverts commit 191880bc9f.
The problem isn't with python-cryptography, it is with the
IPACertificate class which does way more work on a certificate
than is necessary in cert-find.
Related: https://pagure.io/freeipa/issue/9331
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
SSSD already provides a config snippet which includes
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.
Test checks that krb5.conf does not include
SSSD_PUBCONF_KRB5_INCLUDE_D_DIR.
Related: https://pagure.io/freeipa/issue/9267
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Without this the installation is successful but the DNS
records will not work. With --setup-dns there will be no
A record for the host (only an NS record) and the PTR record
will point to the domain name.
Fixes: https://pagure.io/freeipa/issue/9003
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The webui test test_service.py::test_service::test_arbitrary_certificates
randomly fails.
The test is creating a new service then navigates to the Service page
and clicks on the Add Certificate button.
The notification area may still be present and hide the button, with
the message "Service successfully added".
Close all notifications before navigating to the Service page.
Fixes: https://pagure.io/freeipa/issue/9389
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
test_smb is now successful because the windows server version
has been updated to windows-server-2022 with
- KB5012170
- KB5025230
- KB5022507
- servicing stack 10.0.20348.1663
in freeipa-pr-ci commit 3ba4151.
Remove the xfail.
Fixes: https://pagure.io/freeipa/issue/9124
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
MIT Kerberos KDC code will do verification of the PAC full checksum
buffers, we don't need to process them. This change only applies to
newer MIT Kerberos version which have this buffer type defined, hence
using #ifdef to protect the use of the define.
This should have no functional difference.
Related: https://pagure.io/freeipa/issue/9371
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Kerberos principal aliases lookup had a long-standing TODO item to
support server referrals for host-based aliases. This commit implements
server referrals for hosts belonging to trusted domains. The use-case is
a part of S4U processing in a two-way trust when an IPA service requests
a ticket to a host in a trusted domain (e.g. service on AD DC). In such
situation, the server principal in TGS request will be a normal principal
in our domain and KDC needs to respond with a server referral. This
referral can be issued by a KDB driver or by the KDC itself, using
'domain_realms' section of krb5.conf. Since KDB knows all suffixes
associated with the trusted domains, implement the logic there.
Fixes: https://pagure.io/freeipa/issue/9164
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Postpone ticket checksum configuration after KDB module was initialized.
This, in practice, should now happen when a master key is retrieved.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Early in startup LDAP server might not respond well yet and
should_support_pac_tkt_sign() will bail out with
KRB5_KDB_SERVER_INTERNAL_ERR. We should postpone this call but for time
being we should prevent a crash.
Crash happens because init_module() returns with an error and KDC then
calls fini_module() which will free the DB context which is already
corrupted for some reason.
Do not call any free() call because the whole context is corrupted as
tests do show.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
From https://krbdev.mit.edu/rt/Ticket/Display.html?id=9089
--------
The KDC uses the first local TGT key for the privsvr and full PAC
checksums. If this key is of an aes-sha2 enctype in a cross-realm
TGT, a Microsoft KDC in the target realm may reject the ticket because
it has an unexpectedly large privsvr checksum buffer. This behavior
is unnecessarily picky as the target realm KDC cannot and does not
need to very the privsvr checksum, but [MS-PAC] 2.8.2 does limit the
checksum key to three specific enctypes.
--------
Use MIT Kerberos 1.21+ facility to hint about proper enctype for
cross-realm TGT.
Fixes: https://pagure.io/freeipa/issue/9124
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
SSSD 2.9.0 provides support for passkey in rawhide.
Note that f37 and f38 ship 2.9.0 without the passkey feature
but this is not an issue as IPA has a "Recommends: sssd-passkey"
definition, not a "Requires:"
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
By setting passkey_child_debug_level in default.conf the debug level for
the passkey_child helper utility can be set.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The package sssd-passkey provides the executable
/usr/libexec/sssd/passkey_child
which is not mandatory but recommended.
Add a weak dependency from ipa client package on sssd-passkey.
TBD: when a new version of sssd is released with passkey
support, bump the SSSD version.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
SSSD ships passkey_child binary in /usr/libexec/sssd and
it needs the same security context as /usr/libexec/sssd/oidc_child
(ipa_otpd_exec_t type).
Add the context in the SELinux policy provided by IPA.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2169438
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Include changes related to passkey auth indicators.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
SSSD's command passkey_child was previously using stderr to
print the following messages:
PIN required.
Please touch the device.
but switched to stdout instead in the commit
6b0d175f8f
Stdout was used only for displaying the generated passkey.
This means that ipa user-add-passkey --register now must read
stdout line by line and print only the messages that the user
needs to see (all lines except the one containing the passkey).
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The passkey is a long string and not user-friendly.
Instead of showing the whole passkey in the webui, only show
the id part and a string for discoverable or server-side passkey.
Related: https://pagure.io/freeipa/issue/9261
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Apart from server-side credentials passkey should also register
discoverable credentials.
ipa user-add-passkey --register now supports an additional option,
--cred-type server-side|discoverable
that is propagated to passkey_child command.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
- added passkey detection based on the presence of ipaPassKey attribute
in the LDAP entry of the principal
- added 'passkey' authentication indicator
- added support for enforcing KDC policy based on the 'passkey'
indicator
Fixes: https://pagure.io/freeipa/issue/9263
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a new test ensuring that it is possible to modify
the krbt policy settings related to passkey authentication
(max life and max renew)
Related: https://pagure.io/freeipa/issue/9262
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add new checkbox value "Passkey" for authentication type
(user page, config page)
Add new checkbox value "Passkey" for authentication indicator
(service page, host page)
Add new fields for Passkey krbptpolicy (max life, max renew)
Related: https://pagure.io/freeipa/issue/9262
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add tests for the new passkey authentication type
(ipa user-*, ipa config-mod)
Add tests for the new passkey authentication indicator
(ipa service-*, ipa host-*)
Add tests for the new krbtpolicy parameters
(ipa krbtpolicy-mod --passkey-maxlife=INT --passkeymaxrenew=INT)
Related: ipatests/test_xmlrpc/test_user_plugin.py
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This condition was checked in group-add but not in group-mod.
This evaluation is done later in the pre_callback so that all
the other machinations about posix are already done to make
it easier to tell whether this condition is true or not.
Fixes: https://pagure.io/freeipa/issue/8990
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Only three remaining scripts used this form, two of which are
for developers only and not shipped.
The shebang in ipa-ccache-sweeper will be converted to
"#!$(PYTHON) -I" in the build process.
Fixes: https://pagure.io/freeipa/issue/8941
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Update the rawhide Vagrant box to 0.8.3
(built May 26 2023 using fedora-39)
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The fixture issue_and_expire_acme_cert is changing the date
on master and client. It also resets the admin password as
it gets expired after the date change.
Currently the code is resetting the password by performing
kinit on the client, which leaves the master with an expired
ticket in its cache. Reset the password on the master instead
in order to have a valid ticket for the next operations.
Fixes: https://pagure.io/freeipa/issue/9383
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Commit f78dc0b163 was missing an exception for the constrained
delegation ACL TL data type during the principal entry update operation.
This ACL is not meant to be stored as encoded data in krbExtraData.
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Since November 2020, Active Directory KDC generates a new type of
signature as part of the PAC. It is called "ticket signature", and is
generated based on the encrypted part of the ticket. The presence of
this signature is not mandatory in order for the PAC to be accepted for
S4U requests.
However, the behavior is different for MIT krb5. Support was added as
part of the 1.20 release, and this signature is required in order to
process S4U requests. Contrary to the PAC extended KDC signature, the
code generating this signature cannot be isolated and backported to
older krb5 versions because this version of the KDB API does not allow
passing the content of the ticket's encrypted part to IPA.
This is an issue in gradual upgrade scenarios where some IPA servers
rely on 1.19 and older versions of MIT krb5, while others use version
1.20 or newer. A service ticket that was provided by 1.19- IPA KDC will
be rejected when used by a service against a 1.20+ IPA KDC for S4U
requests.
On Fedora, CentOS 9 Stream, and RHEL 9, when the krb5 version is 1.20 or
newer, it will include a downstream-only update adding the
"optional_pac_tkt_chksum" KDB string attribute allowing to tolerate the
absence of PAC ticket signatures, if necessary.
This commit adds an extra step during the installation and update
processes where it adds a "pacTktSignSupported" ipaConfigString
attribute in "cn=KDC,cn=[server],cn=masters,cn=ipa,cn=etc,[basedn]" if
the MIT krb5 version IPA what built with was 1.20 or newer.
This commit also set "optional_pac_tkt_chksum" as a virtual KDB entry
attribute. This means the value of the attribute is not actually stored
in the database (to avoid race conditions), but its value is determined
at the KDC starting time by search the "pacTktSignSupported"
ipaConfigString in the server list. If this value is missing for at
least of them is missing, enforcement of the PAC ticket signature is
disabled by setting "optional_pac_tkt_chksum" to true for the local
realm TGS KDB entry.
For foreign realm TGS KDB entries, the "optional_pac_tkt_chksum" virtual
string attribute is set to true systematically, because, at least for
now, trusted AD domains can still have PAC ticket signature support
disabled.
Given the fact the "pacTktSignSupported" ipaConfigString for a single
server is added when this server is updated, and that the value of
"optional_pac_tkt_chksum" is determined at KDC starting time based on
the ipaConfigString attributes of all the KDCs in the domain, this
requires to restart all the KDCs in the domain after all IPA servers
were updated in order for PAC ticket signature enforcement to actually
take effect.
Fixes: https://pagure.io/freeipa/issue/9371
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In November 2022, Microsoft introduced a new PAC signature type called
"extended KDC signature" (or "full PAC checksum"). This new PAC
signature will be required by default by Active Directory in July 2023
for S4U requests, and opt-out will no longer be possible after October
2023.
Support for this new signature type was added to MIT krb5, but it relies
on the new KDB API introduced in krb5 1.20. For older MIT krb5 versions,
the code generating extended KDC signatures cannot be backported as it
is without backporting the full new KDB API code too. This would have
too much impact to be done.
As a consequence, krb5 packages for Fedora 37, CentOS 8 Stream, and RHEL
8 will include a downstream-only update adding the
krb5_pac_full_sign_compat() function, which can be used in combination
with the prior to 1.20 KDB API to generate PAC extended KDC signatures.
Fixes: https://pagure.io/freeipa/issue/9373
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
fontawesome 6.x is not entirely compatible with 4.x version but in
Fedora the change was made to make 4.x bits FreeIPA depends on to be
forward-ported to 6.x build. This also allows to have common dependency
for all versions.
This patch switches to the common dependency using 'fonts(fontawesome)'.
This works on all Fedora and RHEL versions.
Signed-off-by: Jerry James <loganjerry@gmail.com>
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The commands ipa user-add or ipa group-add validate the
format of the user/group name and display the following
message when it does not conform to the expectations:
invalid 'login': may only include letters, numbers, _, -, . and $
The format is more complex, for instance '1234567' is an invalid
user name but the failure is inconsistent with the error message.
Modify the error message to point to ipa help user/group and add
more details in the help message.
Same change for idoverrideuser and idoverridegroup:
The user/group name must follow these rules:
- cannot contain only numbers
- must start with a letter, a number, _ or .
- may contain letters, numbers, _, ., or -
- may end with a letter, a number, _, ., - or $
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2150217
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In order to expire the ACME cert, system is moved and while
issuing the kinit command, results into failure.
Hence run kinit command repeatedly untill things get settle.
This patch removes the sleep and adds tasks.run_repeatedly()
method instead.
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
If a cert-find fails on the CA side we get a Message tag
containing a string describing the failure plus the java stack
trace. Pull out the first part of the message as defined by the
first colon and include that in the error message returned to
the user.
The new message will appear as:
$ ipa cert-find
ipa: ERROR: Certificate operation cannot be completed: Unable to search for certificates (500)
vs the old generic message:
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500)
This can be reproduced by setting nssizelimit to 100 on the
pkidbuser. The internal PKI search returns err=4 but the CA
tries to convert all values into certificates and it fails. The
value needs to be high enough that the CA can start but low
enough that you don't have to create hundreds of certificates
to demonstrate the issue.
https://pagure.io/freeipa/issue/9369
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Previous test to test_ssh_key_connection is calling ipa-server-upgrade command,
which restarts all the associated services.
Especially on slower machine, SSSD is not yet online when the SSH connection is attempted.
This results to only cached users being available.
Wait for SSSD to become available before the SSH connection is attempted.
Fixes: https://pagure.io/freeipa/issue/9377
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Fedora 38 is now available, move the testing pipelines to
- fedora 38 for the _latest definitions
- fedora 37 for the _previous definitions
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The command ipa idview-show NAME has a post callback
method that replaces the ID override anchor with the corresponding
user name.
For instance the anchor
ipaanchoruuid=:SID:S-1-5-21-3951964782-819614989-3867706637-1114
is replaced with the name of the ad user aduser@ad.test.
The method loops on all the anchors and for each one performs the
resolution, which can be a costly operation if the anchor is for
a trusted user. Instead of doing a search for each anchor, it is
possible to read the 'ipaOriginalUid' value from the ID override
entry.
Fixes: https://pagure.io/freeipa/issue/9372
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
On fedora < 39, nodejs 20 is not the default version. As
a consequence, the installation of nodejs20 adds the command
/usr/bin/node-20 instead of /usr/bin/node.
FreeIPA build is using the node command and fails if the
command is missing.
Force nodejs < 20 on fedora < 39 to make sure the node
command is installed.
Fixes: https://pagure.io/freeipa/issue/9374
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The test test_ipahealthcheck.py::TestIpaHealthcheck frequently
hits its 90min timeout. Extend by 15min to allow completion.
Fixes: https://pagure.io/freeipa/issue/9362
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
When ipa cert-find --all is called, the function prints the
certificate public bytes. The code recently switched to OpenSSL.crypto
and the objects OpenSSL.crypto.X509 do not have the method
public_bytes(). Use to_cryptography() to transform into a
cryptography.x509.Certificate before calling public_bytes().
Related: https://pagure.io/freeipa/issue/9331
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
cert-find is a rather complex beast because it not only
looks for certificates in the optional CA but within the
IPA LDAP database as well. It has a process to deduplicate
the certificates since any PKI issued certificates will
also be associated with an IPA record.
In order to obtain the data to deduplicate the certificates
the cert from LDAP must be parser for issuer and serial number.
ipaldap has automation to determine the datatype of an
attribute and will use the python-cryptography engine to
decode a certificate automatically if you access
entry['usercertificate'].
The downside is that this is comparatively slow. Here is the
parse time in microseconds:
OpenSSL.crypto 175
pyasn1 1010
python-cryptography 3136
The python-cryptography time is fine if you're parsing one
certificate but if the LDAP search returns a lot of certificates,
say in the thousands, then those microseconds add up quickly.
In testing it took ~17 seconds to parse 5k certificates.
It's hard to overstate just how much better the cryptography
Python interface is. In the case of OpenSSL really the only
certificate fields easily available are serial number, subject
and issuer. And the subject/issuer are in the OpenSSL reverse
format which doesn't compare nicely to the cryptography format.
The DN module can correct this.
Fortunately for cert-find we only need serial number and issuer,
so the OpenSSL module fine. It takes ~2 seconds.
pyasn1 is also relatively faster but switch to it would require
subtantially more effort for less payback.
cert-find when there are a lot of certificates has been
historically slow. It isn't related to the CA which returns
large sets (well, 5k anyway) in a second or two. It was the
LDAP comparision adding tens of seconds to the runtime.
CLI times from before and after:
original:
-------------------------------
Number of entries returned 5011
-------------------------------
real 0m21.155s
user 0m0.835s
sys 0m0.159s
using OpenSSL:
real 0m5.747s
user 0m0.864s
sys 0m0.148s
OpenSSL is forcibly lazy-loaded so it doesn't conflict with
python-requests. See ipaserver/wsgi.py for the gory details.
Fixes: https://pagure.io/freeipa/issue/9331
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
The sizelimit option was not being passed into the dogtag
ra_find() command so it always returned all available certificates.
A value of 0 will retain old behavior and return all certificates.
The default value is the LDAP searchsizelimit.
Related: https://pagure.io/freeipa/issue/9331
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
Send stderr of pkgconf to /dev/null rather than printing the following
error text while parsing the spec file:
Package krb5 was not found in the pkg-config search path.
Perhaps you should add the directory containing `krb5.pc'
to the PKG_CONFIG_PATH environment variable
Package 'krb5', required by 'virtual:world', not found
`BuildRequires: pkgconfig(krb5)` ensures this won't happen when running
a real build. It simply avoids 4 lines of needless error output when
running something like `fedpkg prep`.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
DS does not enable plugins unless nsslapd-dynamic-plugins is enabled or
DS is restarted. The DNA plugin creates its configuration entries with
some delay after the plugin is enabled.
DS is now restarted after the DNA plugin is enabled so it can create the
entries while Dogtag and the rest of the system is installing. The
updater `update_dna_shared_config` no longer blocks and waits for two
times 60 seconds for `posix-ids` and `subordinate-ids`.
Fixes: https://pagure.io/freeipa/issue/9358
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Two tests have known issues in test_trust.py with sssd 2.8.2+:
- TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group
(when called with the "hybrid" parameter)
- TestPosixAutoPrivateGroup::test_only_uid_number_auto_private_group_default
(when called with the "true" parameter)
Related: https://pagure.io/freeipa/issue/9295
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
1 : Test to verify that groups have correct userclass when
external is set to true or false with group-add.
2 : After creating a nonposix group verify that all
following group_add calls to add posix groups calls are
not failing with missing attribute.
Related: https://pagure.io/freeipa/issue/9349
Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
This includes:
* Section about command/param info in usage guide
* Section about metadata retrieval in usage guide
* Guide about differences between CLI and API
* Access control guide (management of roles, privileges and
permissions).
* Guide about API contexts
* JSON-RPC usage guide and JSON-to-Python conversion
* Notes about types in API Reference
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add a test that uses IPA API to allow delegation of RBCD configuration
to a host and then use it to set up RBCD rule for a service.
Run RBCD check when the rule exists and when the rule is removed.
Since we only provide RBCD support on KDC side with Kerberos 1.20, skip
the test on Fedora versions prior to Fedora 38 and on RHEL versions
prior to RHEL 9.2.
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Resource-based constrained delegation (RBCD) is implemented with a new
callback used by the KDC. This callback is called when a server asks for
S4U2Proxy TGS request and passes a ticket that contains RBCD PAC
options.
The callback is supposed to take a client and a server principals, a PAC and a target
service database entry. Using the target service database entry it then
needs to decide whether a server principal is allowed to delegate the
client credentials to the target service.
The callback can also cross-check whether the client principal can be
limited in delegating own tickets but this is not implemented in the
current version.
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
FreeIPA Kerberos implementation already supports delegation of
credentails, both unconstrained and constrained. Constrained delegation
is an extension developed by Microsoft and documented in MS-SFU
specification. MS-SFU specification also includes resource-based
constrained delegation (RBCD) which FreeIPA did not support.
Microsoft has decided to force use of RBCD for forest trust. This means
that certain use-cases will not be possible anymore.
This design document outlines approaches used by FreeIPA for constrained
delegation implementation, including RBCD.
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Confine search for S4U2Proxy access control lists to the subtree where
they created. This will allow to use a similar method to describe RBCD
access controls.
Related: https://pagure.io/freeipa/issue/5444
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Another change in automember plugin messaging that breaks FreeIPA tests.
Use common substring to match.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
bind-dyndb-ldap on Debian installs ldap.so in a subdirectory of
/usr/lib to prevent unintentional usage of an unversioned .so.
The default settings for FreeIPA on Debian used an incomplete
path, resulting in a failure to find ldap.so when bind attempts to
start with bind-dyndb-ldap configured.
This fixes the default path to use the appropriate location in its
multiarch-qualified path.
Signed-off-by: Jarl Gullberg <jarl.gullberg@gmail.com>
Reviewed-By: Timo Aaltonen <tjaalton@ubuntu.com>
bind-dyndb-ldap uses the krb5_keytab directive to set the path to
the keytab to use. This directive was not being used in the
configuration template, resulting in a failure to start named if
the keytab path differed from the defaults.
This issue was discovered when packaging FreeIPA for Debian,
which is one of the platforms where the path is customized.
Signed-off-by: Jarl Gullberg <jarl.gullberg@gmail.com>
Fixes: https://pagure.io/freeipa/issue/9344
Reviewed-By: Timo Aaltonen <tjaalton@ubuntu.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The notes that Param pages will contain after #6733 are added manually,
and because of it we need to add markers to differentiate between
automated and manual content, equal to what we do for class pages.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
`printf` ignores excessive arguments unused in formatting.
This resulted in only the first file from two file lists was
linted/ stylechecked if both Python template files and Python
modules were changed.
Make use of formatting instead:
> The format is reused as necessary to consume all of the arguments
Fixes: https://pagure.io/freeipa/issue/9318
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
We need to deepcopy the list of default objectlasses from IPA config
before assigning it to an entry, in order to avoid further modifications of the
entry affect the cached IPA config.
Fixes: https://pagure.io/freeipa/issue/9349
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Testing if manager whose rights defined by the group membership
is able to add group members, after upgrade of ipa server.
Using ACI modification to demonstrate unability before upgrading
ipa server.
Related: https://pagure.io/freeipa/issue/9286
Also added some generally helpful functions to tasks.py
Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
The automembership fixup task now needs to be called
with --cleanup argument when the user expects automember
to remove user/hosts from automember groups.
Update the test to call create a cleanup task equivalent to
dsconf plugin automember fixup --cleanup
when it is needed.
Fixes: https://pagure.io/freeipa/issue/9313
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When you run "ipa idp-show <idp reference>" the IdP reference is shown
as "Identity Provider server name". This is confusing as we are pointing
to the earlier created IdP reference rather than a server. Other files
are updated as well to reflect this change.
Additionally some typos are fixed with this patch too.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Installation of ipa-client with PKINIT authentication can block when
there is a problem with PKINIT, e.g. KDC does not accept the cert or the
anchor chain is incomplete. `kinit` falls back to password
authentication and asks the user to enter a password.
`kinit` does not have an option to force non-interactive mode. Sending
`\n` to stdin seems to be the only solution here.
Fixes: https://pagure.io/freeipa/issue/9333
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test test_integration/test_acme.py times out frequently
and has a current timeout set to 2h, which is roughly
the average time for a successful run.
Increase by 15 minutes, so that even the tests requiring
packages update have enough time (for instance rawhide
run needs to update all the packages to the latest version).
Also create a separate job for the new test TestACMEPrune.
Fixes: https://pagure.io/freeipa/issue/9324
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When cron_minute + 5 > 59, cron job throwing error for it.
i.e 58 + 5 = 63 which is not acceptable value for cron minute.
Second fix is related to mismatch of confing setting and corresponding
assert.
Third fix is related to extending time by 60 minutes to properly
expire the certs.
related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Instead of passing TRUE/FALSE to a single --enable option
use two flags instead, which IMHO is clearer.
So --enable=TRUE to --enable and --enable=FALSE to --disable
Fixes: https://pagure.io/freeipa/issue/9323
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This document showcases common usecases for the user to
interact with the PR-CI checker tool.
Signed-off-by: David Pascual <davherna@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
webui unit tests fail with grunt-contrib-qunit:
```
Testing test/all_tests.html
>> Error: Error: QUnit has already been defined.
>> at exportQUnit (file:///home/test/freeipa/install/ui/js/qunit.js:2475:12)
>> at file:///home/test/freeipa/install/ui/js/qunit.js:2946:3
>> at file:///home/test/freeipa/install/ui/js/qunit.js:5061:2
>> Error: TypeError: Cannot set properties of undefined (setting 'reorder')
>> at <anonymous>:175:24
>> at runFactory (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:17157)
>> at execModule (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19541)
>> at file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:20002
>> at guardCheckComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19707)
>> at checkComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19854)
>> at onLoadCallback (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:22296)
>> at HTMLScriptElement.onLoad (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:26209)
```
Load `qunit` with `dojo.require` that among other useful things helps
> Preventing loading Dojo packages twice.
dojo.require will simply return if the package is already loaded.
See also https://github.com/gruntjs/grunt-contrib-qunit#loading-qunit-with-amd
Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
https://peter.sh/experiments/chromium-command-line-switches/#allow-file-access-from-files
> By default, file:// URIs cannot read other file:// URIs. This is an
override for developers who need the old behavior for testing.
Fixes webui tests on CI:
```
Testing test/all_tests.html
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/qunit.js' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/data/i18n_messages.json' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
>> Error: Error: Couldn't receive translations
```
Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
test_integration/test_trust.py is divided into two parts.
1: class TestTrust
2: class TestNonPosixAutoPrivateGroup, class TestPosixAutoPrivateGroup
Fixes: https://pagure.io/freeipa/issue/9326
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
1. Test to prune the expired certificate by manual run
2. Test to prune expired certificate by cron job
3. Test to prune expired certificate with retention unit option
4. Test to prune expired certificate with search size limit option
5. Test to check config-show command shows set param
6. Test prune command shows proper status after disabling the pruning
related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When PAC check is performed, we might get a signing TGT instead of the
client DB entry. This means it is a principal from a trusted domain but
we don't know which one exactly because we only have a krbtgt for the
forest root. This happens in MIT Kerberos 1.20 or later where KDB's
issue_pac() callback never gets the original client principal directly.
Look into known child domains as well and make pass the check if both
NetBIOS name and SID correspond to one of the trusted domains under this
forest root. Move check for the SID before NetBIOS name check because we
can use SID of the domain in PAC to find out the right child domain in
our trusted domains' topology list.
Fixes: https://pagure.io/freeipa/issue/9316
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
If a server with a CA has been marked as hidden and
contains the last A or AAAA address then that address
would remain in the ipa-ca entry.
This is because update-dns-system-records did not delete
values, it just re-computed them. So if no A or AAAA
records were found then the existing value was left.
Fixes: https://pagure.io/freeipa/issue/9195
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Replace comparisons of "if value" with "if value is not None"
in order to handle 0.
Add a short reference to the man page to indicat that a cert
or request retention time of 0 means remove at the next
execution.
Also indicate that the search time limit is in seconds.
Fixes: https://pagure.io/freeipa/issue/9325
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Renewal causes two certs to have the same nickname. Dogtag is
patched to allow for N certs with the same nickname, and this test
is to verify that CADogtagCertsConfigCheck still passes.
Related: https://github.com/dogtagpki/pki/pull/4285
Signed-off-by: Chris Kelley <ckelley@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Include guides with examples for groups, HBAC and sudo rules management.
These cover most of available commands related to these topics.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
As discussed in PR #6664, `ipa show-mappings` can be used as a handy way to list
command arguments and options directly through the CLI.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This test is located outside of the TestACMEPrune because
it enables RSNv3 while the server installed by TestACME doesn't.
It still needs a wrapper to enforce a version of PKI that
supports pruning because that is checked first in the tool.
Re-ordering that wouldn't be a good user experience.
https://pagure.io/freeipa/issue/9322
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Fix 1: timeout field was being checked twice and did not return fail code on error
Fix 2: Tool did not return error code on single file check unsuccessful run
Signed-off-by: David Pascual <davherna@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
A manual method was mentioned with no specificity. Include
the --run command. Also update the troubleshooting section
to show what failure to restart the CA after configuration
looks like.
Import the IPA CA chain for manual execution.
Also fix up some $ -> # to indicate root is needed.
Related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Configures PKI to remove expired certificates and non-resolved
requests on a schedule.
This is geared towards ACME which can generate a lot of certificates
over a short period of time but is general purpose. It lives in
ipa-acme-manage because that is the primary reason for including it.
Random Serial Numbers v3 must be enabled for this to work.
Enabling pruning enables the job scheduler within CS and sets the
job user as the IPA RA user which has full rights to certificates
and requests.
Disabling pruning does not disable the job scheduler because the
tool is stateless. Having the scheduler enabled should not be a
problem.
A restart of PKI is required to apply any changes. This tool forks
out to pki-server which does direct writes to CS.cfg. It might
be easier to use our own tooling for this but this makes the
integration tighter so we pick up any improvements in PKI.
The "cron" setting is quite limited, taking only integer values
and *. It does not accept ranges, either - or /.
No error checking is done in PKI when setting a value, only when
attempting to use it, so some rudimentary validation is done.
Fixes: https://pagure.io/freeipa/issue/9294
Signed-off-by: Rob Crittenden rcritten@redhat.com
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The automember-rebuild task may require high CPU usage
if many users/hosts/groups are processed.
Add a note in the ipa automember-rebuild CLI output
and in the WebUI confirmation message.
Fixes: https://pagure.io/freeipa/issue/9320
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Avoid reading platform specific `/etc/resolv.conf` in `TestDNSResolver`
unit tests. Systems (e.g. sandboxes) may not have `/etc/resolv.conf`
or this file may not contain any configured name servers.
`TestDNSResolver` unit tests check only customized `nameservers`
property and should not depend on existence of `/etc/resolv.conf`.
Resolver accepts `configure` option.
https://dnspython.readthedocs.io/en/latest/resolver-class.html :
> configure, a bool. If True (the default), the resolver instance is
configured in the normal fashion for the operating system the resolver
is running on. (I.e. by reading a /etc/resolv.conf file on POSIX
systems and from the registry on Windows systems.)
Fixes: https://pagure.io/freeipa/issue/9319
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
freeipa-healthcheck changed some messages related to ipa-ca
DNS record validation in IPADNSSystemRecordsCheck. Include support
for it and retain backwards compatibility.
Fixes: https://pagure.io/freeipa/issue/9291
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
freeipa-healthcheck 0.12 includes a SUCCESS message if the
ipa-ca records are as expected so a user will know they
were checked. For that version and beyond test that it
is included.
Related: https://pagure.io/freeipa/issue/9291
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
When ipa trust-add is executed with --range-type ad-trust-posix,
the server tries to find the max uidnumber and max gidnumber
from AD domain controller.
The values are extracted from the entry
CN=<domain>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,<AD suffix>
in the msSFU30MaxUidNumber and msSFU30MaxGidNumber attributes.
msSFU30MaxUidNumber is required but not msSFU30MaxGidNumber.
In case msSFU30MaxGidNumber is missing, the code is currently assigning
a "None" value and later on evaluates the max between this value and
msSFU30MaxUidNumber. The max function cannot compare None and a list
of string and triggers an exception.
To avoid the exception, assign [b'0'] to max gid if msSFU30MaxGidNumber
is missing. This way, the comparison succeeds and max returns the
value from msSFU30MaxUidNumber.
Fixes: https://pagure.io/freeipa/issue/9310
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This change fixes rpminspect issues reported when building
for RHEL, like the following one:
Patch number 1001 (1001-Change-branding-to-IPA-and-Identity-Management.patch)
is missing a corresponding %patch1001 macro, usually in %prep.
Waiver Authorization: Anyone
Suggested Remedy:
The named patch is defined in the source RPM header (this means it has a
PatchN: definition in the spec file) but is not applied anywhere in the
spec file. It is missing a corresponding %patch macro and the spec file
lacks the %autosetup or %autopatch macros. You can fix this by adding
the appropriate %patch macro in the spec file (usually in the %prep
section). The number specified with the %patch macro corresponds to the
number used to define the patch at the top of the spec file. So Patch47
is applied with a %patch47 macro.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Extend 'makeapi --validate' to validate API Reference files too. If
differences are found between the generated and stored docs the
validation fails. This command is executed in our Azure pipelines, so
every time a developer opens a PR but forgets to update the API
Reference, the CI will fail.
Fixes: https://pagure.io/freeipa/issue/9287
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Replaced URL in Markdown Format with the proper reStructuredText markup
in file doc/workshop/12-external-idp-support.rst
Signed-off-by: Lenz Grimmer <lenz.grimmer@percona.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The installer is currently creating the samba domain object
before it adds the RID base and secondary RID base. As a consequence,
there is a window during which the sidgen plugin is active but
unable to generate SIDs (it requires the samba domain object to
find the domain SID and RID base to know where to start from).
There is no direct impact except the error log of 389ds that reports
ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.
This fix configures the RID base and secondary RID base before the
domain object is created, thus removing this window.
Fixes: https://pagure.io/freeipa/issue/9309
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
PKI can issue ACME certs only when the key type is rsa.
With version 2.0.0, certbot defaults to ecdsa key type,
and this causes test failures.
For now, force rsa when requesting an ACME certificate.
This change can be reverted when PKI fixes the issue
on their side (https://github.com/dogtagpki/pki/issues/4273)
Related: https://pagure.io/freeipa/issue/9298
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The client installer code can be called in 3 different ways:
- from ipa-client-install CLI
- from ipa-replica-install CLI if the client is not already installed
- from ipa-server-install
In the last case, the client installer is called with
options.on_master=True
As a result, it's skipping the part that is creating the krb5
configuration:
if not options.on_master:
nolog = tuple()
configure_krb5_conf(...)
The configure_krb5_conf method is the place where the krb5.conf file is
backup'ed with the extention ".ipabkp". For a master installation, this
code is not called and the ipabkp file does not exist => delete raises
an error.
When delete fails because the file does not exist, no need to log an
error message.
Fixes: https://pagure.io/freeipa/issue/9306
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
https://pylint.pycqa.org/en/latest/user_guide/messages/convention/unnecessary-lambda-assignment.html:
> Used when a lambda expression is assigned to variable rather than
defining a standard function with the "def" keyword.
https://peps.python.org/pep-0008/#programming-recommendations:
> Always use a def statement instead of an assignment statement that
binds a lambda expression directly to an identifier:
def f(x): return 2*x
f = lambda x: 2*x
The first form means that the name of the resulting function object is
specifically ‘f’ instead of the generic ‘<lambda>’. This is more useful
for tracebacks and string representations in general. The use of the
assignment statement eliminates the sole benefit a lambda expression can
offer over an explicit def statement (i.e. that it can be embedded
inside a larger expression)
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
> Emitted when a local variable is accessed before its assignment took
place. Assignments in try blocks are assumed not to have occurred when
evaluating associated except/finally blocks. Assignments in except
blocks are assumed not to have occurred when evaluating statements
outside the block, except when the associated try block contains a
return statement.
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Fixes:
```
[E0611(no-name-in-module), ] No name 'parse' in module 'lxml.etree'
[E0611(no-name-in-module), ] No name 'murmurhash3' in module 'pysss_murmur'
```
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
PEP 632 deprecates the distutils module. Replace
- distutils.spawn.find_executable with shutil.which
- distutils.log with logging
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
The newer version of pylint has fixed false positives and
does not need anymore these suppressions:
- global-variable-not-assigned
- invalid-sequence-index
- no-name-in-module
- not-callable
- unsupported-assignment-operation
Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
The config file /var/kerberos/krb5kdc/kdc.conf is customized
during IPA server installation with a list of supported
encryption types.
In FIPS mode, camellia encryption is not supported and should
be filtered out. Because of a typo in the filtering method,
the camellia encryptions are appended while they should not.
Fix the typo (camelia vs camellia) in order to filter properly.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The PKCS12 MAC requires PKCS12KDF which is not an approved FIPS
algorithm and cannot be supported by the FIPS provider.
Do not require mac verification in FIPS mode: append the option
--nomacver to the command openssl pkcs12 used to extract a pem file
or a key from a p12 file.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test ipatests/test_integration/test_fips.py is faking
FIPS mode and calls "openssl md5" to ensure the algo is
not available in the fake FIPS mode.
The error message has been updated with openssl-3.0.5-5.
In the past the command used to return:
$ openssl md5 /dev/null
Error setting digest
140640350118336:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:147:
And now it returns:
$ openssl md5 /dev/null
Error setting digest
00C224822E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 97), Properties ()
00C224822E7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:252:
To be compatible with all versions, only check the common part:
Error setting digest
Mark the test as xfail since installation is currently not working.
Related: https://pagure.io/freeipa/issue/9002
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Now that ipa-client-installs supports pkinit, the package
depends on krb5-pkinit-openssl.
Update the spec file, move the dependency from ipa-server
to ipa-client subpackage.
Fixes: https://pagure.io/freeipa/issue/9290
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add basic user management guide that includes various examples on
performing common tasks related to the user module, such as adding an
user, modifying it, adding certificates for it, etc.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test wants to check the error related to an
exception obtained inside a "with pytest.raises" instruction.
The object is an ExceptionInfo and offers a match method
to check the content of the string representation.
Use this match() method instead of str(excinfo) which now
returns
'<ExceptionInfo NoSuchElementException() tblen=10>'
Fixes: https://pagure.io/freeipa/issue/9282
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
The original implementation of the member manager added support for both
user and group managers but left out upgrade scenario. This means when
upgrading existing installation a manager whose rights defined by the
group membership would not be able to add group members until the ACI is
fixed.
Remove old ACI and add a full one during upgrade step.
Fixes: https://pagure.io/freeipa/issue/9286
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Update doc/api/vault_archive_internal.md and
doc/api/vault_retrieve_internal.md
after the change from commit 93548f2
(default wrapping algo is now des-ede3-cbc instead of aes-128-cbc).
Related: https://pagure.io/freeipa/issue/9259
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The IPA location system relies on DNS record priorities in order to give
higher precedence to servers from the same location. For Kerberos, this
is done by redirecting generic SRV records (e.g.
_kerberos._udp.[domain].) to location-aware records (e.g.
_kerberos._udp.[location]._locations.[domain].) using CNAMEs.
This commit applies the same logic for URI records. URI location-aware
record were created, but there were no redirection from generic URI
records. It was causing them to be ignored in practice.
Kerberos URI and TXT records have the same name: "_kerberos". However,
CNAME records cannot coexist with any other record type. To avoid this
conflict, the generic TXT realm record was replaced by location-aware
records, even if the content of these records is the same for all
locations.
Fixes: https://pagure.io/freeipa/issue/9257
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The tests calling sssctl domain-status were marked xfail
because of SSSD issue #6331. Now that the issue is fixed
and freeipa bumped sssd required version, remove the xfail
annotation.
Related: https://pagure.io/freeipa/issue/9234
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Bump sssd version to 2.8.0 on fedora37+ and RHEL
to ensure the fix for SSSD #6631 is present.
No need to bump the version on fedora 36 as the issue
is not seen on versions < 37.
Fixes: https://pagure.io/freeipa/issue/9234
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets.
This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but
setting AES as default ended-up breaking backwards compatibility with older RHEL systems.
This commit is tuning some defaults so that interoperability with older RHEL systems
works again. The new logic reflects:
- when an old client is calling a new server, it doesn't send any value for wrapping_algo
and the old value is used (3DES), so that the client can decrypt using 3DES.
- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC
- when a new client is calling an old server, it doesn't send any value and the default is
to use 3DES.
Finally, as this logic is able to handle overlapping wrapping algorithm between server and
client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa
vault-retrieve --help" commands.
Fixes: https://pagure.io/freeipa/issue/9259
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
On fedora 37+ the dnssec tests were broken. The tests
launched for each pull request were disabled or marked
as xfail.
With the bump of bind version, they should now succeed
and can be re-enabled.
Related: https://pagure.io/freeipa/issue/9216
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
On fedora37+, require at least bind 9.18.7-1 to avoid
dnssec regression (see BZ#2117342) related to bind and
OpenSSL 3.0 engine support.
Fixes: https://pagure.io/freeipa/issue/9216
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This was reported by Coverity as a potential issue. Passing
by name is the example that curl uses so switch to that to
quiet the warning.
Also change to a static function and pre-declare it to quiet a
compile-time warning.
https://pagure.io/freeipa/issue/9274
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Each token in an NSS database is likely to have its own
password/PIN. This allows the password to be set per token
available in the PKI password file.
This is necessary for HSM devices where the password is necessary
to access information about the private key (e.g. presence)
This may mean that to see all certificates in a given NSS database
one will need multiple instances of the NSSDatabase class, one for
each desired token (include None for the native token).
https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a guide explaining how to use the IPA API through Python. This
includes initializing the API, launching commands and retrieving
results, including batch operations.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Extend the 'make api' target so that we also build an API Reference in
Markdown format. One template for each command gets generated. These
templates include all of the command details (arguments, options and
outputs), and then a section for manually-added notes such as semantics
or version differences. Every time the docs are regenerated, these notes
will be added if they exist.
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The ``ipa-client-install`` command now supports PKINIT for client
enrollment. Existing X.509 client certificates can be used to
authenticate a host.
Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA
certificates for PKINIT.
*Requirements*
- The KDC must trust the CA chain of the client certificate.
- The client must be able to verify the KDC's PKINIT cert.
- The host entry must exist. This limitation may be removed in the
future.
- A certmap rule must match the host certificate and map it to a single
host entry.
*Example*
```
ipa-client-install \
--pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
--pkinit-anchor=/path/to/kdc-ca-bundle.pem
```
Fixes: https://pagure.io/freeipa/issue/9271
Fixes: https://pagure.io/freeipa/issue/9269
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For testing purposes and uniformity, the 'Certificates'
table generated after a new certificate is added should
also have the 'name' attribute to be able to access its
value.
Fixes: https://pagure.io/freeipa/issue/8946
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
For testing purposes and uniformity, the
'Certificates' label (located under
'Active users' settings ) should also have
'name' attribute, like seen in other parts of the WebUI.
Fixes: https://pagure.io/freeipa/issue/8946
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
With MIT krb5 1.20, a call to krb5_db_check_allowed_to_delegate()
and krb5_db_check_allowed_to_delegate_from() expects to return either
KRB5KDC_ERR_BADOPTION for a policy denial or KRB5_PLUGIN_OP_NOTSUPP in
case plugin does not handle the policy case. This is part of the MIT
krb5 commit a441fbe329ebbd7775eb5d4ccc4a05eef370f08b which added a
minimal MS-PAC generator.
Prior to MIT krb5 1.20, the same call was expected to return either
KRB5KDC_ERR_POLICY or KRB5_PLUGIN_OP_NOTSUPP errors.
Related: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The default ID generators used by PKI might change in the
future, so to preserve the current behavior the installation
code has been updated to explicitly use the legacy ID
generators by default.
Signed-off-by: Endi S. Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
There is a crash occurring that causes Keycloak to be unable to
communicate with ipa-tuura on the bridge server (replica0). This is
much more prevalent in Fedora 37 so we need to xfail that test case
until the crash is resolved.
Related: https://pagure.io/freeipa/issue/9264
Signed-off-by: Scott Poore <spoore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
PAC requester check was incorrect for in-realm S4U operations. It casted
too wide check which denied some legitimate requests. Fix that by only
applying rejection to non-S4U unknown SIDs, otherwise S4U2Self request
issued by the in-realm service against a trusted domain's user would not
work.
Related: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
With krb5 1.20, S4U processing code uses a special case of passing an
empty S4U proxy to allowed_to_delegate() callback to identify if the
server cannot get forwardable S4U2Self tickets according to [MS-PAC]
3.2.5.1.2.
This means we need to ensure NULL proxy is a valid one and return an
appropriate response to that.
Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
For generating PAC we need to know SID of the object and a number of
required attributes. However, trusted domain objects do not have these
attributes. Luckily, IPA LDAP schema puts them under actual trust
objects which have all the additional (POSIX) attributes.
Refactor PAC generator to accept secondary LDAP entry and use that one
to pull up required attributes. We only use this for trusted domain
objects.
Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
selinux-policy introduced a regression in fedora 36, rhel 8
and rhel 9. After a call to ipa trust-add, the credential cache
contains cifs/master.ipa.test@IPA.TEST instead of admin principal.
The fix is available in
- fedora 36: selinux-policy-36.16-1
- rhel 8: 3.14.3-107
Bump the selinux-policy version to install the fix.
Fixes: https://pagure.io/freeipa/issue/9198
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Adding test case to test_sso.py to cover login to IPA client as Keycloak
user without relying on external IdP.
create_bridge.py:
- getkeytab in setup_scim_server to allow bridge to use IPA API.
- fix unintstall to remove plugin by version instead of main
test_sso.py:
- add keycloak_add_user function
- add test_ipa_login_with_sso_user
tasks.py:
- add set_user_password to only set password for ipa users
Fixes: https://pagure.io/freeipa/issue/9250
Signed-off-by: Scott Poore <spoore@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The webui test test_subid_range_deletion_not_allowed is
adding a new subid for the admin user but a previous
test already took care of that step.
Remove the call adding the subid.
2nd issue: a given record has to be selected in
order to check that there is no "delete" button.
Fixes: https://pagure.io/freeipa/issue/9214
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Test scenario:
configure sssd with ldap_group_name = info for the trusted domain,
so that the group name is read from the "info" attribute
of the AD group entry.
With this setting, it is possible to have a group and a user
that appear on IdM side with the same name.
Ensure that the conflict does not break IdM and that the id,
getent group and getent passwd commands work on an IdM client.
Related : https://pagure.io/freeipa/issue/9127
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Previously the message was:
"\n\nIn Directory Server, we offer one hash suitable for this "
"(PBKDF2_SHA256) and one hash\nfor \"legacy\" support (SSHA512)."
"\n\nYour configuration does not use these for password storage "
"or the root password storage\nscheme.\n"
but now the message is:
\n\nIn Directory Server, we offer one hash suitable for this "
"(PBKDF2-SHA512) and one hash\nfor \"legacy\" support (SSHA512)."
"\n\nYour configuration does not use these for password storage "
"or the root password storage\nscheme.\n"
PBKDF2_SHA256 has been replaced with PBKDF2-SHA512
Pagure: https://pagure.io/freeipa/issue/9238
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
OpenLDAP has made it explicit to use default CA store as provided by
OpenSSL in 2016:
branches 2.5 and later:
commit 4962dd6083ae0fe722eb23a618ad39e47611429b
Author: Howard Guo <hguo@suse.com>
Date: Thu Nov 10 15:39:03 2016 +0100
branch 2.4:
commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8
Author: Howard Guo <hguo@suse.com>
Date: Thu Nov 10 15:39:03 2016 +0100
This means starting with OpenLDAP 2.4.45 we can drop the explicit CA
configuration in ldap.conf.
There are several use cases where an explicit IPA CA should be specified
in the configuration. These mostly concern situations where a higher
security level must be maintained. For these configurations an
administrator would need to add an explicit CA configuration to
ldap.conf if we wouldn't add it during the ipa-client-install setup.
RN: FreeIPA client installer does not add explicit TLS CA configuration
RN: to OpenLDAP's ldap.conf anymore. Since OpenLDAP 2.4.45, explicit CA
RN: configuration is not required as OpenLDAP uses the default CA store
RN: provided by OpenSSL and IPA CA is installed in the default store
RN: by the installer already.
Fixes: https://pagure.io/freeipa/issue/9258
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Currently if a certificate mapping and matching rule has a typo or is of
an unsupported type the whole rule processing is aborted and the IPA
certmap plugin works without any rules effectively disabling PKINIT for
users. Since each rule would only allow more certificates for PKINIT it
would be more user/admin friendly to just ignore the failed rules with a
log message and continue with what is left or use the default rule if
nothing is left.
This change is done to add more flexibility to define new mapping and
matching templates which are e.g. needed to cover changes planned by
Microsoft as explained in
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
While python-ldap is strict dependency of IPA in downstreams, it
is optional for IPA packages published on PyPI.
Openldap 2.6 no longer ships ldap_r-2, that makes
ipapython.dn_ctypes not working against such environments.
Thanks @abbra!
Fixes: https://pagure.io/freeipa/issue/9255
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fedora 37 beta is now available, move the testing pipelines to
- fedora 37 for the _latest definitions
- fedora 36 for the _previous definition
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
The EXAMPLES section is missing .TP macros before some of
the provided examples, and they are displayed in the same paragraph.
Add .TP (tagged, indented paragraph) before each example.
Fixes: https://pagure.io/freeipa/issue/9252
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The creation of krb5.conf was moved to the end of the script
as part of maintaining server affinity during ipa-client-install.
If the installation is faster than replication then requests
against some IPA servers may fail because the client entry is
not yet present.
This is more difficult with certmonger as it will only use
/etc/krb5.conf. There is no way of knowing, even at the end
of the client installation, that replication has finished.
Certificate issuance may fail during ipa-client-install but
certmonger will re-try the request.
Fixes: https://pagure.io/freeipa/issue/9246
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
The tests must be updated to not expect the
deprecation warning messages for the 'idnssoaserial'
parameter. Those should (successfully) fail when
'dnszone_add' and 'dnszone_mod' commands are
executed with the SOA serial parameter provided.
Also, due to this SOA serial deprecation, an
expected-to-fail test should be defined when a
DNS zone is added (dnszone_add) and the SOA serial
is passed as a parameter.
Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
A warning message (regarding the SOA serial deprecation) is shown
on the webui and CLI every time a new DNS zone is added (even if the
'--serial' option is not being explicitly set) or the SOA serial is modified.
This should be managed by setting the 'idnssoaserial' as deprecated and
not required parameter.
Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Scenario: call ipa otptoken-sync with
- an invalid password
- an invalid first token (containing non-digits)
- an invalid sequence of tokens
The test expects a return code = 1.
Related: https://pagure.io/freeipa/issue/9248
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The command ipa otptoken-sync does not properly handle
errors happening during the synchronization step.
- Even if an error is detected (such as invalid password
provided), the command exits with return code = 0. An
error message is displayed but the exit code should be 1.
- When an invalid token is provided, the token is not
synchronized but the error is not reported back to the
ipa otptoken-sync command.
The first issue can be fixed by raising an exception when
the HTTP response contains an header with an error.
The second issue is fixed by returning LDAP_INVALID_CREDENTIALS
to ldap bind with the sync control if synchronization fails.
Fixes: https://pagure.io/freeipa/issue/9248
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
A temporary krb5.conf is created early during client enrollment
and was previously used only during the initial ipa-join call.
The final krb5.conf was written soon afterward.
If there are multiple servers it is possible that the client
may then choose a different KDC to connect. If the client
is faster than replication then the client may not exist
on all servers and therefore enrollment will fail.
This was seen in performance testing of how many simultaneous
client enrollments are possible.
Use a decorator to wrap the _install() method to ensure the
temporary files created during installation are cleaned up.
https://pagure.io/freeipa/issue/9228
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
ipa-cacert-manage prune is removing the expired certs one
at a time and this may result in verifying that one of
the expired certs is still valid.
As a consequence, ipa-cacert-manage prune always fails
when more than 1 cert are expired.
To avoid the issue, remove all the expired certs in a single
pass, and validate only the ones that would remain after full
pruning.
Fixes: https://pagure.io/freeipa/issue/9244
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In the 'Sudo rules' page, the 'Sudo order' column should be visible in the
list so the users can easily see which rules override other rules based on
their order.
Fixes: https://pagure.io/freeipa/issue/9237
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
It was defined as an unsigned value (2**32) because it
originally was. During the review an additional setting of
disabled (-1) was added so the value needed to be signed.
The upper bound needs to be 2**31 which is provided by
the xmlrpc client MAXINT import.
Fixes: https://pagure.io/freeipa/issue/9243
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
The test_selinuxusermap.py::test_selinuxusermap::test_misc is failing
because the 'delete_record' function (located in the same file) is passing
incorrect parameters: it should take the 'pkeys' instead of the full
data.
The changes will take the right 'pkeys' parameters in the 'test_misc()'
function.
Fixes: https://pagure.io/freeipa/issue/9161
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Added OnActiveSec=12h to start the timer cycle because OnUnitActiveSec setting alone never triggers the timer after boot as there has not been transition between active and inactive state.
Removed [Install] section from sweeper.service as it is not needed
Fixes: https://pagure.io/freeipa/issue/9231
Signed-off-by: Jesse Sandberg <jesse.sandberg@netcode.fi>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
oauth2_on_child_readable() does not use the main verto context and used
to drop the argument name to signify that. This is a feature of C2X
standard by default and is not enabled in gcc before 11 by default (it
is enabled in RHEL 8's gcc 8.5).
Add a simple 'if the context is missing, get out' code to use 'ctx'.
This allows to avoid enabling C2X features.
Initialize local pointers to prevent use before initialization on exit
paths in abnormal situations as well.
Fixes: https://pagure.io/freeipa/issue/9230
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
When Kerberos principal alias is used to login to a Web UI, we end up
with a request that is authenticated by a ticket issued in the alias
name but metadata processed for the canonical user name. This confuses
RPC layer of Web UI code and causes infinite loop to reload the page.
Fix it by doing two things:
- force use of canonicalization of an enterprise principal on server
side, not just specifying that the principal is an enterprise one;
- recognize that a principal in the whoami()-returned object can have
aliases and the principal returned by the server in the JSON response
may be one of those aliases.
Fixes: https://pagure.io/freeipa/issue/9226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
The module installs and configures a Keycloak server and
not just the Quarkus Java framework. So, renaming to better
reflect what the module is used for.
Fixes: https://pagure.io/freeipa/issue/9225
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
New group password policies will get -1 (unlimited) on creation
by default.
Existing group password policies will remain untouched and
those created prior will be treated as no BIND allowed.
Fixes: https://pagure.io/freeipa/issue/9212
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
IPA DNS zone and forwardzone commands allow to use nameservers with ports
as "SERVER_IP port PORT_NUMBER". bind is supporting this syntax, but the
Resolver in dnspython that is used to verify the list of forwarders
(nameservers) is only allowing to have IP addresses in this list. With
dnspython version 2.20 there is a new validator in dns.resolver.BaseResolver
that ensures this.
Refs:
- https://bind9.readthedocs.io/en/v9_18_4/reference.html#zone-statement-grammar
- https://github.com/rthalley/dnspython/blob/master/dns/resolver.py#L1094
ipapython/dnsutil.DNSResolver derives from dns.resolver.Resolver. The setter
for nameservers has been overloaded in the DNSResolver class to split out
the port numbers into the nameserver_ports dict { SERVER_IP: PORT_NUMBER }.
After the setter for nameservers succeeded, nameserver_ports is set.
nameserver_ports is used in the resolve() method of dns.resolver.Resolver.
Additional tests have been added to verify that nameservers and also
nameserver_ports are properly set and also valid.
Fixes: https://pagure.io/freeipa/issue/9158
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Because the sidgen plugin is a postop plugin, it is not
always triggered before the result of an ADD is returned
and the objectclasses of the user may / may not contain
ipantuserattrs.
Fix the expected object classes.
Related: https://pagure.io/freeipa/issue/9062
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
There are currently three sets of CA schema changes applied
in ipa-server-upgrade:
* addition of ACME schema
* addition of certificate profile schema
* addition of lightweight CA schema
None of these require a restart of the CA to be supported.
There is an issue in schema parsing such that it doesn't handle
X-ORIGIN properly. A difference is detected and a change applied
but no change is recorded in LDAP so every time upgrade is
run it thinks a CA restart is needed. The CA is not quick to
restart so avoiding one is best, particularly when the update is
run as part of an rpm transaction where a user with an itchy finger
may think things have hung and break out of it.
https://github.com/389ds/389-ds-base/issues/5366 was
filed to track this.
Related: https://pagure.io/freeipa/issue/9204
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test TestInstallDNSSECFirst is failing because of one of its
dependencies (the most likely suspect is the update of openssl-pkcs11).
Disable the test from azure gating until the issue is solved.
Related: https://pagure.io/freeipa/issue/9216
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
The test test_integration/test_subids.py::TestSubordinateId
needs a master and a client but the yaml definition for rawhide
and sssd is currently using master_1repl. Replace with
master_1repl_1client to fulfill the requirement.
Fixes: https://pagure.io/freeipa/issue/9217
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
There was no support for setting the grace login limit on the WebUI. The
only way to so was only via CLI:
`ipa pwpolicy-mod --gracelimit=2 global_policy`
Thus, the grace login limit must be updated from the policy section and
this will reflect also on the user settings (under the 'Password Policy'
section)
Fixes: https://pagure.io/freeipa/issue/9211
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
New Tests include
TestRSNPKIConfig
TestRSNVault
The new tests are just extending existing classes to be run
with random serial numbers enabled
The tests also include a new method to check params set in CS.cfg for both CA and
KRA, and another test to check Random Serial Number version while
running `ipa ca-find`
Added nightly definitions
Related Ticket: https://pagure.io/freeipa/issue/2016
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This testcase checks that when ipa-client-install command
is run with --subid option, /etc/nsswitch.conf file is updated
with the below entry
subid: nss
Related: https://pagure.io/freeipa/issue/9159
Since the newly added testsuite required client
system, hence modified the below yaml files to change the topology
from *master_1repl to *master_1repl_1client in the below files
gating.yaml
nightly_latest.yaml
nightly_latest_selinux.yaml
nightly_latest_testing.yaml
nightly_previous.yaml
nightly_rawhide.yaml
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Originally the code treated 0 as disabled. This was
changed during the review process to -1 but one remnant
was missed effetively allowing gracelimit 0 to also mean
disabled.
Add explicit tests for testing with gracelimit = 0 and
gracelimit = -1.
Also remove some extranous "str(self.master.domain.basedn)"
lines from some of the tests.
Fixes: https://pagure.io/freeipa/issue/9206
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
With some recent changes the Azure Agent has decreased performance.
For example, `InstallDNSSECFirst_1_to_5` (5 subjobs) job took ~33min
and now it takes ~40min. In the same time there are jobs having only
1 or 2 subjobs and they should be used more.
Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This script allows developers to check if prci definition jobs have the correct format,
which is defined in prci_jobs_spec.yaml
Useful when adding new jobs to the definitions.
Signed-off-by: David Pascual <davherna@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
An ACI with rights of read, write, search and/or compare without
attributes to apply the rights to is effectively a no-op. Allow
the ACI to be created but include a warning. Ignore the add
and delete rights. While they make no sense in the context of
the other rights we should still warn that they are a no-op
with no attributes.
Use the existing make_aci() object method to create the
message and update the add/mod callers to capture and add the
message to the result if one is provided.
When updating an existing ACI the effective attributes will
not be included so fall back to the attributes in the resulting
permission.
Prior to checking for rights and attributes convert any deprecated
names for older clients into the newer values needed by make_aci
This is exercised by existing xmlrpc permission tests that
create such permissions without attributes.
https://pagure.io/freeipa/issue/9188
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Pagination size must be required, the current validators are triggered after
form is submitted, thus the only way for check if data is not empty is by making
the field required.
Fixes: https://pagure.io/freeipa/issue/9192
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The nightly test test_external_idp requires a topology
with 2 replicas. Fix the definition in nightly_latest_sssd.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In the memory check failure message, add a hint to the administrator
that they can use the --skip-mem-check flag to skip the check.
Related: https://pagure.io/freeipa/issue/8404
Signed-off-by: Fraser Tweedale <frase@frase.id.au>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-b and --best are the same option (see dnf(8)). Remove -b and keep
--best, because --best is more descriptive.
Signed-off-by: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Defined the tests that will be executed for SSSD's COPR nightly.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Currently the cert_dir attribute is only present if IPA installation was
done. If IPA was not installed the attribute does not exist.
In order that the uninstall code finds the attribute a class attribute
is added.
Pagure Issue: https://pagure.io/freeipa/issue/9179
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The user's pwd expiration was retrieved but inadvertently was never
compared to current time. So any LDAP bind, including from the
IPA API, counted against the grace period. There is no need to go
through the graceperiod code for non-expired passwords.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
@@ -166,6 +166,9 @@ Specifies the mount point that the development server will register. The default
.Boidc_child_debug_level<debuglevel>
Specifies the debug level of \fBoidc_child\fR, a helper process used by \fBipa-otpd\fR for OIDC/OAuth2 authentication. Level can be between 0 and 10, the higher the more details. If the level is 6 or higher HTTP debug output is added as well.
.TP
.Bpasskey_child_debug_level<debuglevel>
Specifies the debug level of \fBpasskey_child\fR, a helper process used by \fBipa-otpd\fR for passkey authentication. Level can be between 0 and 10, the higher the more details. If the level is 6 or higher libfido2 debug output is added as well.
.TP
.Bprompt_all<boolean>
Specifies that all options should be prompted for in the IPA client, even optional values. Default is False.
@@ -86,6 +86,9 @@ Time to wait, in milliseconds, between each e-mail sent to try to avoid overload
Specifies the From: e-mail address value in the e-mails sent. The default is noreply@ipadefaultemaildomain. This value can be found by running
.Iipaconfig-show
.TP
.Bmail_from_name<name>
Specifies the From: name value in the e-mails sent. The default is IPA-EPN.
.TP
.Bnotify_ttls<listofdays>
This is the list of days before a password expiration when ipa-epn should notify a user that their password will soon require a reset. If this value is not specified then the default list will be used: 28, 14, 7, 3, 1.
objectclasses: ( 2.16.840.1.113730.3.8.24.9 NAME 'ipaPasskeyUser' DESC 'IPA passkey user' AUXILIARY MAY ipapasskey X-ORIGIN 'IPA v4.10')
```
### Indices
No need to add a new index for ipapasskey as the search performed by SSSD
will use a filter based on the user uid.
## Feature Management
### UI
- A new tab will be added below "Policy", at the same level as `Host-Based Access Control`, `Sudo`, `SELInux User Maps`, `Password Policies` and `Kerberos Ticket Policy`, with the label `Passkey Configuration`.
It will allow to configure the attribute `Require User Verification`, with a check box: `on` or `off`.
- In the `User` facet, a new field will be added, below `SSH public keys`, with the label `Passkey mappings`, and will display the values, or allow to add a new value.
Note: since the Web browser may be running on a non-enrolled host without
the required packages, the WebUI will probably need specific javascript code
to register a key by inserting it on the machine where the browser is
running.
Investigations TBD regarding the possible solutions. The key registration
using the WebUI will not be part of the original implementation.
### CLI
| Command | Options | Description |
| --- | ----- | --- |
| **Passkey configuration** | | |
| passkeyconfig-show | | This command displays the Passkey settings |
| passkeyconfig-mod | --require-user-verification=BOOL | This command modifies the Passkey settings |
| **User Mapping** | | |
| user-add-passkey | LOGIN [PASSKEY...] | This command does not require the device to be inserted and can directly add the mapping data, obtained through another mean (for instance through sssctl passkey-exec --register) |
| user-add-passkey | LOGIN --register [--cose-type=['es256', 'rs256', 'eddsa']] [--require-user-verification=BOOL] | This command requires the insertion of the device, performs the registration with the specified cose type + user verification requirement, and adds the mapping data to the user entry |
| user-remove-passkey | LOGIN PASSKEY... | |
| user-show | LOGIN | This command displays the passkey mapping if set, with the label `Passkey mapping` |
| stageuser-add-passkey | LOGIN [PASSKEY...] | This command does not require the device to be inserted and can directly add the mapping data, obtained through another mean (for instance through sssctl passkey-exec --register) |
| stageuser-add-passkey | LOGIN --register [--cose-type=['es256', 'rs256', 'eddsa']] [--require-user-verification=BOOL] | This command requires the insertion of the passkey, performs the registration with the specified cose type + user verification requirement, and adds the mapping data to the user entry |
| stageuser-remove-passkey | LOGIN PASSKEY... | |
| stageuser-show | LOGIN | This command displays the passkey mapping if set, with the label `Passkey mapping` |
### Configuration
The global settings can be read or modified using `ipa passkeyconfig-[show|mod]`.
## Upgrade
During upgrade, the new LDAP schema is automatically added and replicated to the replicas.
The upgrade must create the Passkey configuration entry if it does not already exist, with value='true' for the 'require user verification' setting.
## Test plan
XMLRPC tests must validate the new CLI.
## Troubleshooting and debugging
SSSD provides 2 new commands that can be used for debugging:
*`/usr/sbin/sssctl passkey-exec --register`: documented and supported. This command can be run as root only.
*`/usr/libexec/sssd/passkey_child --register`: internally called by `sssctl passkey-exec --register`. This command does not require root access.
objectClasses: (2.16.840.1.113730.3.8.24.7 NAME 'ipaIdpUser' SUP top AUXILIARY DESC 'User from an external Identity Provider ' MAY ( ipaIdpConfigLink $ ipaIdpSub ) X-ORIGIN 'IPA v4.9' )
### Passkey support
attributeTypes: ( 2.16.840.1.113730.3.8.23.26 NAME 'ipaRequireUserVerification' DESC 'require passkey user verification' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.10')
"type_hardened":"Hardened Password (by SPAKE or FAST)",
"type_idp":"External Identity Provider",
"type_passkey":"Passkey",
"user_tooltip":"<p>Per-user setting, overwrites the global setting if any option is checked.</p><p><strong>Password + Two-factor:</strong> LDAP and Kerberos allow authentication with either one of the authentication types but Kerberos uses pre-authentication method which requires to use armor ccache.</p><p><strong>RADIUS with another type:</strong> Kerberos always use RADIUS, but LDAP never does. LDAP only recognize the password and two-factor authentication options.</p>"
add:aci: (targetattr = "memberPrincipal")(targattrfilters="add=objectclass:(objectclass=resourcedelegation)")(version 3.0;acl "permission:RBCD:Kerberos principals can manage resource-based constrained delegation for themselves";allow (write) userdn = "ldap:///self";)
add:aci: (targetattr = "memberPrincipal")(targattrfilters="add=objectclass:(objectclass=resourcedelegation)")(version 3.0;acl "permission:RBCD:Managing principals can manage resource-based constrained delegation for other principals";allow (write) userattr = "managedby#GROUPDN" or userattr = "managedby#USERDN";)
add:aci: (targetattr = "memberPrincipal")(targattrfilters="add=objectclass:(objectclass=resourcedelegation)")(version 3.0;acl "permission:RBCD:Delegated permission to manage resource-based constrained delegation for other principals";allow (write) userattr="ipaAllowedToPerform;write_delegation#GROUPDN" or userattr="ipaAllowedToPerform;write_delegation#USERDN" ;)
"install":["dbus-python"],# for certmonger and resolve1
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
