summaryrefslogtreecommitdiffstats
path: root/ipaserver
Commit message (Collapse)AuthorAgeFilesLines
* Support for Certificate Identity MappingFlorence Blanc-Renaud2017-02-235-9/+596
| | | | | | See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping https://fedorahosted.org/freeipa/ticket/6542
* Fix ipa-server-upgradeStanislav Laznicka2017-02-231-1/+2
| | | | | | | | | Running ipa-server-upgrade would fail to stop ipa_memcached if it's already uninstalled. https://fedorahosted.org/freeipa/ticket/5959 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Use newer Certificate.serial_number in krainstance.pyStanislav Laznicka2017-02-231-1/+1
| | | | Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* use the methods of the parent class to retrieve CIFS kerberos keysMartin Babinsky2017-02-221-19/+11
| | | | | | | | | | | | adtrustinstance will now use parent's methods to retrieve keys for CIFS principal. Since the keys are appended to the host keytab (/etc/krb5.keytab) we need to make sure that only the stale CIFS keys are purged from the file and that we do not re-set its ownership. https://fedorahosted.org/freeipa/ticket/6638 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* httpinstance: re-use parent's methods to retrieve anonymous keytabMartin Babinsky2017-02-221-1/+4
| | | | | | | https://fedorahosted.org/freeipa/ticket/6638 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Make request_service_keytab into a public methodMartin Babinsky2017-02-223-5/+5
| | | | | | | | | | a cosmetic change: we had private method comprising of calls to public ones, which did not make much sense in our case https://fedorahosted.org/freeipa/ticket/6638 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* allow for more flexibility when requesting service keytabMartin Babinsky2017-02-221-15/+26
| | | | | | | | | | | | | The service installers can now override the methods for cleaning up stale keytabs and changing file ownership of the newly acquired keytabs. The default actions should be usable by most installers without specific overriding. https://fedorahosted.org/freeipa/ticket/6638 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix session logoutSimo Sorce2017-02-222-5/+5
| | | | | | | | | | | There were 2 issues with session logouts, one is that the logout_cookie was checked and acted on in the wrong place, the other is that the wrong value was set in the IPASESSION header. Fixes https://fedorahosted.org/freeipa/ticket/6685 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* scripts, tests: explicitly set confdir in the rest of server codeJan Cholasta2017-02-227-8/+16
| | | | | | | | | | | Commit 1e6a204b4372bbbfb722a00370a5ce4e34406b9f added explicit confdir setting to api.bootstrap() calls of a randomly selected portion of server-side scripts and tests. This commit adds it to the rest of server-side code for consistency. https://fedorahosted.org/freeipa/ticket/6389 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* FIPS: perform replica installation checkTomas Krizek2017-02-211-0/+22
| | | | | | | | | | | Check status of remote server's FIPS mode and proceed with installation only if it matches the current replica's FIPS mode. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* replicainstall: add context manager for rpc clientTomas Krizek2017-02-211-11/+22
| | | | | | | | Abstract creating rpc client into a context manager to allow re-use. Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* check_remote_version: update exception and docstringTomas Krizek2017-02-211-1/+8
| | | | | | | | Refactor function to use ScriptError exception and provide docstring. Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Minor typo fix in DNS install pluginAbhijeet Kasurde2017-02-211-2/+2
| | | | | Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* server upgrade: uninstall ipa_memcached properlyJan Cholasta2017-02-201-4/+2
| | | | | | | | | Make sure ipa_memcached is not running and no stale state is left in the sysupgrade state file on server upgrade. https://fedorahosted.org/freeipa/ticket/5959 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* server upgrade: always upgrade KRA agent PEM fileJan Cholasta2017-02-201-3/+4
| | | | | | | | | | | | | | Before the KRA agent PEM file is exported in server upgrade, the sysupgrade state file is consulted. This causes the KRA agent PEM file not to be exported to the new location if the upgrade was executed in the past. Do not consult the sysupgrade state file to decide whether to upgrade the KRA agent PEM file or not, the existence of the file is enough to make this decision. https://fedorahosted.org/freeipa/ticket/6675 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* server upgrade: fix upgrade from pre-4.0Jan Cholasta2017-02-201-1/+1
| | | | | | | | | | | | | | update_ca_renewal_master uses ipaCert certmonger tracking information to decide whether the local server is the CA renewal master or not. The information is lost when migrating from /etc/httpd/alias to /var/lib/ipa/radb in update_ra_cert_store. Make sure update_ra_cert_store is executed after update_ca_renewal_master so that correct information is used. https://fedorahosted.org/freeipa/ticket/5959 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* server upgrade: fix upgrade in CA-lessJan Cholasta2017-02-202-1/+6
| | | | | | | | | | | | | Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as /var/lib/ipa/radb is not populated in CA-less. Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in CA-less, as it might be an incorrect certificate from previous CA-ful install, and is not necessary anyway. https://fedorahosted.org/freeipa/ticket/5959 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Do not configure PKI ajp redirection to use "::1"Florence Blanc-Renaud2017-02-171-4/+0
| | | | | | | | | | | | | | | | | | | | | | | | | When ipa-server-install configures PKI, it provides a configuration file with the parameter pki_ajp_host set to ::1. This parameter is used to configure Tomcat redirection in /etc/pki/pki-tomcat/server.xml: <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1" /> ie all requests to port 8009 are redirected to port 8443 on address ::1. If the /etc/hosts config file does not define ::1 for localhost, then AJP redirection fails and replica install is not able to request a certificate for the replica. Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP redirection with "localhost", FreeIPA does not need any more to override this setting. The code now depends on pki 10.3.5-11 which provides the fix in the template and the upgrade. https://fedorahosted.org/freeipa/ticket/6575 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Move AD trust installation code to a separate moduleMartin Babinsky2017-02-171-0/+382
| | | | | | | | | | | | This facilitates calling the necessary checks and configuration code as a module from e.g. a composite installer. The code that checks for the admin credentials stays in the standalone installer as the code inside the adtrust module is expected to operate also without admin credentials. https://fedorahosted.org/freeipa/ticket/6629 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Update warning message for replica installAbhijeet Kasurde2017-02-171-1/+5
| | | | | | | | | | | New warning message in replica install describes more about "insufficient privilege" error Fixes https://fedorahosted.org/freeipa/ticket/6352 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* custodiainstance: don't use IPA-specific CertDBStanislav Laznicka2017-02-171-13/+8
| | | | | | | Replaced CertDB with NSSDatabase. Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add password to certutil calls in NSSDatabaseStanislav Laznicka2017-02-173-4/+31
| | | | | | | | | | NSSDatabases should call certutil with a password. Also, removed `password_filename` argument from `.create_db()`. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Change session logout to kill only the cookieSimo Sorce2017-02-172-36/+3
| | | | | | | | | | | Removing the ccache goes too far as it will cause unrelated sessions to fail as well, this is a problem for accounts used to do unattended operations and that may operate in parallel. Fixes https://fedorahosted.org/freeipa/ticket/6682 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* pkinit: make sure to have proper dictionary for Kerberos instance on upgradeAlexander Bokovoy2017-02-161-0/+12
| | | | | | | | | | | When running PKINIT upgrade we need to make sure full substitution dictionary is in place or otherwise executing LDAP updates will fail to find proper objects because $SUFFIX, $DOMAIN, and other variables will not be substituted. Fixes https://fedorahosted.org/freeipa/ticket/6670 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Add FIPS-token password of HTTPD NSS databaseStanislav Laznicka2017-02-151-7/+12
| | | | | | | | | This change is required for httpd to function properly in FIPS https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Pretty print JSON in debug mode (debug level >= 2)Christian Heimes2017-02-151-1/+3
| | | | | | Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Faster JSON encoder/decoderChristian Heimes2017-02-151-5/+3
| | | | | | | | | | | | | | | | | | Improve performance of FreeIPA's JSON serializer and deserializer. * Don't indent and sort keys. Both options trigger a slow path in Python's json package. Without indention and sorting, encoding mostly happens in optimized C code. * Replace O(n) type checks with O(1) type lookup and eliminate the use of isinstance(). * Check each client capability only once for every conversion. * Use decoder's obj_hook feature to traverse the object tree once and to eliminate calls to isinstance(). Closes: https://fedorahosted.org/freeipa/ticket/6655 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix uninstall stopping ipa.serviceSimo Sorce2017-02-151-2/+6
| | | | | | | | | | | | | When uninstalling systemd is told to disable the service, but it is not told to sopt it, so it believes it is still running. This can cause issues in some cases if a reinstall is performed right after an uninstall, as systemd may decide to stop the disabled service while we are reinstalling, causing the new install to fail. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Rationalize creation of RA and HTTPD NSS databasesSimo Sorce2017-02-154-37/+51
| | | | | | | | | | The RA database sould not be created by the HTTP instance, but in the code path that creates the CA instance. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add a new user to run the framework codeSimo Sorce2017-02-157-12/+26
| | | | | | | | | | | | | | | | | Add the apache user the ipawebui group. Make the ccaches directory owned by the ipawebui group and make mod_auth_gssapi write the ccache files as r/w by the apache user and the ipawebui group. Fix tmpfiles creation ownership and permissions to allow the user to access ccaches files. The webui framework now works as a separate user than apache, so the certs used to access the dogtag instance need to be usable by this new user as well. Both apache and the webui user are in the ipawebui group, so use that. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Always use /etc/ipa/ca.crt as CA cert fileSimo Sorce2017-02-153-11/+7
| | | | | | | | | | | | | It seem like ALIAS_CACERT_ASC was just a redundant location for the CA cert file which is always available in /etc/ipa/ca.crt Just use the canonical CA cert location in /etc/ipa for all cases and stop creating a separate cacert file. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Simplify NSSDatabase password file handlingSimo Sorce2017-02-155-30/+21
| | | | | | | https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Separate RA cert store from the HTTP cert storeSimo Sorce2017-02-1520-151/+191
| | | | | | | | | | | | | | | This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Configure HTTPD to work via Gss-ProxySimo Sorce2017-02-155-12/+29
| | | | | | | | https://fedorahosted.org/freeipa/ticket/4189 https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use Anonymous user to obtain FAST armor ccacheSimo Sorce2017-02-156-26/+41
| | | | | | | | | | | | The anonymous user allows the framework to obtain an armor ccache without relying on usable credentials, either via a keytab or a pkinit and public certificates. This will be needed once the HTTP keytab is moved away for privilege separation. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Drop use of kinit_as_http from trust codeSimo Sorce2017-02-152-51/+3
| | | | | | | | | | | | | | The framework will not have direct access to the keytab anymore. This function was used in two places, to fetch the domain list and to re-initialize the PAC when enabling or disabling a domain trust. The domian list is normally fetched via oddjob anyway so this use is not necesary anymore, and the MS-PAC re-initialization can be moved later to oddjob if needed. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Generate tmpfiles config at install timeSimo Sorce2017-02-156-32/+39
| | | | | | | | | | | | | | We do not want to generate runtime directories just because the packages are installed, but only if the server is actually setup and run. Also this will be needed later because we will create a user at install time and some tmpfiles will need to be owned by this user. As we are changing this code also rationalize the directory structure and move it from the http rundir to the ipa specific rundir. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Change session handlingSimo Sorce2017-02-1511-1520/+153
| | | | | | | | | | | | | | | | Stop using memcache, use mod_auth_gssapi filesystem based ccaches. Remove custom session handling, use mod_auth_gssapi and mod_session to establish and keep a session cookie. Add loopback to mod_auth_gssapi to do form absed auth and pass back a valid session cookie. And now that we do not remove ccaches files to move them to the memcache, we can avoid the risk of pollutting the filesystem by keeping a common ccache file for all instances of the same user. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Backup /root/kracert.p12Christian Heimes2017-02-141-0/+1
| | | | | | | | | ipa-backup now backs up /root/kracert.p12. The file contains the certs and encrypted private keys for KRA transport, storage and audit. Closes: https://fedorahosted.org/freeipa/ticket/6659 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Allow nsaccountlock to be searched in user-find commandGabe2017-02-141-1/+17
| | | | | | | | This patch provides the ability to search and find users who are enabled/disabled in `ipa user-find` command without breaking API compatibility. Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove is_fips_enabled checks in installers and ipactlStanislav Laznicka2017-02-132-10/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* cryptography has deprecated serial in favor of serial_numberChristian Heimes2017-02-103-6/+6
| | | | | | Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* py3: change_admin_password: use textual modeMartin Basti2017-02-101-16/+8
| | | | | | | | | | Convert function to NamedTemporaryFile with textual mode, because passwords are text. Using `with` and NamedTemporaryFile gives more security agains leaking password from tempfiles. https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: create DNS zonefile: use textual modeMartin Basti2017-02-101-4/+7
| | | | | | | | Also code was rewritten to use NamedTemporaryFile with context https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: upgradeinstance: use bytes literals with LDIF operationsMartin Basti2017-02-101-3/+3
| | | | | | | | python ldif support only bytes as values, literals must be bytes https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: upgradeinstance: decode data before storing them as backup...Martin Basti2017-02-101-6/+8
| | | | | | | | | | ...and vice versa backup requires string not bytes, but ldap provide bytes thus data must be decoded and encoded from restore https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: upgradeinstance: open dse.ldif in textual modeMartin Basti2017-02-101-7/+7
| | | | | | | | ldap ldif parser requires to have input file opened in textual mode https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* custodia: kem.set_keys: replace too-broad exceptionMartin Basti2017-02-101-2/+1
| | | | | | | | Exception is too brod and may hide various issues that show up later. If the code expects that entry may exist, then ldap.ALREADY_EXISTS exception should be used Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: kem.py: user bytes with ldap valuesMartin Basti2017-02-101-7/+7
| | | | | | | | python ldap requires bytes as values https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* py3: custodia: basedn must be unicodeMartin Basti2017-02-101-1/+1
| | | | | | | | | | | | | basedn in custodia related modules has type bytes, that causes issues in Py3 when strings were concatenated with bytes ``` malformed RDN string = "cn=custodia,cn=ipa,cn=etc,b'dc=example,dc=com'" ``` https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
generated by cgit (git 2.34.1) at 2025-08-28 14:17:27 +0000