Go to file
Rob Crittenden b5b9efeb57 Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit
A "cookie" is used with certmonger to track the state of a
request across multiple requests to a CA (in ca-cookie). This
is used with the certmonger POLL operation to submit a request
to the CA for the status of a certificate request. This, along
with the profile, are passed to the certmonger CA helper
scripts via environment variables when a request is made. It is
cleared from the certmonger request once the certificate is
issued.

This CA helper can do a number of things:

- SUBMIT new certicate requests (including the CA)
- POLL for status of an existing certificate request
- For non renewal masters, POLL to see if an updated cert is in
  LDAP

A POLL operation requires a cookie so that the state about the
request can be passed to the CA. For the case of retrieving an
updated cert from LDAP there is no state to maintain. It just
checks LDAP and returns either a cert or WAIT_WITH_DELAY if one
is not yet available.

There are two kinds of cookies in operation here:
1. The CERTMONGER_CA_COOKIE environment variable passed via
   certmonger to this helper which is a JSON object.
2. The cookie value within the JSON object which contains the
   URL to be passed to dogtag.

For the purposes of clarity "cookie" here is the value within
the JSON.

The CERTMONGER_CA_COOKIE is deconstructed and reconstructed as
the request is processed, doing double duty. It initially comes
in as a JSON dict object with two keys: profile and cookie.
In call_handler the CERTMONGER_CA_COOKIE is decomposed into a
python object and the profile compared to the requested profile
(and request rejected if they don't match) and the cookie key
overrides the CERTMONGER_CA_COOKIE environment variable. This is
then reversed at the end of the request when it again becomes a
JSON object containing the profile and cookie.

This script was previously enforcing that a cookie be available on
all POLL requests, whether it is actually required or not. This
patch relaxes that requirement.

The first request of a non-renewal master for an updated certicate
from LDAP is a SUBMIT operation. This is significant because it
doesn't require a cookie: there is no state on a new request. If
there is no updated cert in LDAP then the tracking request goes
into the CA_WORKING state and certmonger will wait 8 hours (as
returned by this script) and try again.

Subsequent requests are done using POLL. This required a cookie
so all such requests would fail with the ca-error
Invalid cookie: u'' as it was empty (because there is no state).

There is no need to fail early on a missing cookie. Enforcement
will be done later if needed (and it isn't always needed). So
if CERTMONGER_CA_COOKIE is an empty string then generate a new
CERTMONGER_CA_COOKIE containing the requested profile and an empty
cookie. It still will fail if certmonger doesn't set a cookie at
all.

An example of a cookie when retrieving a new RA Agent certificate
is:

{"profile": "caServerCert", "cookie": "state=retrieve&requestId=20"}

This will result in this request to the CA:
[09/Jan/2020:14:29:54 -0500] "GET
/ca/ee/ca/displayCertFromRequest?requestId=20&importCert=true&xml=true
HTTP/1.1" 200 9857

For a renewal, the reconstructed cookie will consist of:

{"profile": "caServerCert", "cookie": ""}

https://pagure.io/freeipa/issue/8164

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-13 10:08:38 -05:00
.copr Adding auto COPR builds 2019-12-14 14:20:34 +02:00
asn1 fix minor spelling mistakes 2017-05-19 09:52:46 +02:00
client Add config that maintains existing content to ipa-client-install manpage 2019-12-10 16:20:24 +01:00
contrib Fix lite-server to work with GSS_NAME 2019-12-06 10:23:15 +01:00
daemons ipa-kdb: Remove keys if password auth is disabled 2019-12-13 03:49:47 +02:00
doc DSU: add Design for Disable Stale Users 2019-11-23 00:12:24 +01:00
init Move ipa's systemd tmpfiles from /var/run to /run 2018-10-15 10:04:33 +02:00
install Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit 2020-01-13 10:08:38 -05:00
ipaclient ipa-client-samba: map domain sid of trust domain properly for display 2019-12-13 17:33:33 +02:00
ipalib Fix logic of check_client_configuration 2019-12-05 15:09:38 +01:00
ipaplatform travis: Remove CI integration 2019-12-02 16:39:01 -03:00
ipapython DNS install check: allow overlapping zone to be from the master itself 2019-12-12 18:24:44 +01:00
ipaserver AD user without override receive InternalServerError with API 2020-01-10 17:07:57 +01:00
ipatests Add xmlrpc test with input validation check for kerberos ticket policy. 2020-01-13 13:05:47 +01:00
po Update translations 2019-11-12 17:08:43 +02:00
pypi Cleanup shebang and executable bit 2018-07-05 19:46:42 +02:00
util covscan: free ucs2-encoded password copy when generating NTLM hash 2019-11-29 11:14:18 +01:00
.freeipa-pr-ci.yaml Making nigthly test definition editable by FreeIPA's contributors 2018-07-27 09:50:06 +02:00
.git-commit-template git-commit-template: update ticket url to use pagure.io instead of fedorahosted.org 2017-03-28 13:10:08 +02:00
.gitignore ipa-client-samba: a tool to configure Samba domain member on IPA client 2019-06-29 11:00:28 +03:00
.lgtm.yml Improve Python configuration for LGTM 2018-10-26 18:04:23 +02:00
.mailmap Update mailmap 2019-04-24 09:47:31 +02:00
.tox-install.sh Avoid use of '/tmp' for pip operations 2019-07-16 13:23:21 +03:00
.wheelconstraints.in Use pylint 1.7.5 with fix for bad python3 import 2017-12-19 13:28:06 +01:00
ACI.txt Add Authentication Indicator Kerberos ticket policy options 2019-11-21 11:13:12 -05:00
API.txt Add Authentication Indicator Kerberos ticket policy options 2019-11-21 11:13:12 -05:00
autogen.sh build tweaks - use automake's foreign mode, avoid creating empty files to satisfy gnu mode - run autoreconf -f to ensure that everything matches 2010-11-29 11:39:55 -05:00
BUILD.txt Add new tip for dependencies 2019-10-02 15:29:08 +02:00
CODE_OF_CONDUCT.md Changing Django's CoC to reflect FreeIPA CoC 2018-03-26 09:51:25 +02:00
configure.ac Add a skeleton kdcpolicy plugin 2019-09-10 12:33:21 +03:00
Contributors.txt Update contributors 2019-11-12 20:49:18 +02:00
COPYING Change FreeIPA license to GPLv3+ 2010-12-20 17:19:53 -05:00
COPYING.openssl Add a clear OpenSSL exception. 2015-02-23 16:25:54 +01:00
freeipa.doap.rdf Adding modified DOAP file 2018-06-22 11:02:40 -04:00
freeipa.spec.in Update Apache HTTPd for RHBZ#1775146 2019-12-02 16:48:07 +01:00
ipa.in Replace PYTHONSHEBANG with valid shebang 2019-06-24 09:35:57 +02:00
ipasetup.py.in Address inconsistent-return-statements 2018-11-13 13:37:58 +01:00
make-doc Make an ipa-tests package 2013-06-17 19:22:50 +02:00
make-test Use pytest conftest.py and drop pytest.ini 2017-01-05 17:37:02 +01:00
makeaci.in Replace PYTHONSHEBANG with valid shebang 2019-06-24 09:35:57 +02:00
makeapi.in Replace PYTHONSHEBANG with valid shebang 2019-06-24 09:35:57 +02:00
Makefile.am travis: Remove CI integration 2019-12-02 16:39:01 -03:00
Makefile.python.am Add PYTHON_INSTALL_EXTRA_OPTIONS and --install-layout=deb 2017-03-15 13:48:23 +01:00
Makefile.pythonscripts.am ipa-scripts: fix all ipa command line scripts to operate with -I 2019-09-19 10:44:09 -04:00
makerpms.sh Fix unnecessary usrmerge assumptions 2019-04-17 13:56:05 +02:00
pylint_plugins.py Test installation with (fake) userspace FIPS 2019-11-14 16:01:15 +01:00
pylintrc Fix errors found by Pylint-2.4.3 2019-10-21 18:01:32 +11:00
README.md README: Update link to freeipa-devel archive 2019-03-20 17:32:43 +01:00
server.m4 Add a skeleton kdcpolicy plugin 2019-09-10 12:33:21 +03:00
tox.ini Avoid use of '/tmp' for pip operations 2019-07-16 13:23:21 +03:00
VERSION.m4 Add group membership management 2019-11-11 09:31:14 +01:00
zanata.xml Zanata: exlude testing ipa.pot file 2016-11-21 14:47:47 +01:00

FreeIPA Server

FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based management tools.

FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks.

FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization.

Benefits

FreeIPA:

  • Allows all your users to access all the machines with the same credentials and security settings
  • Allows users to access personal files transparently from any machine in an authenticated and secure way
  • Uses an advanced grouping mechanism to restrict network access to services and files only to specific users
  • Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules
  • Enables delegation of selected administrative tasks to other power users
  • Integrates into Active Directory environments

Components

The FreeIPA project provides unified installation and management tools for the following components:

Project Website

Releases, announcements and other information can be found on the IPA server project page at http://www.freeipa.org/ .

Documentation

The most up-to-date documentation can be found at http://freeipa.org/page/Documentation .

Quick Start

To get started quickly, start here: http://www.freeipa.org/page/Quick_Start_Guide

For developers

Licensing

Please see the file called COPYING.

Contacts