Commit log (each entry: commit message; author, date; files changed, lines removed/added)
* Make sure remote hosts have our keys [cakeysfix]  (Simo Sorce, 2017-05-03; 2 files, -1/+38)

    In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially created the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server.

    Fixes: https://pagure.io/freeipa/issue/6838
    Signed-off-by: Simo Sorce <simo@redhat.com>
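As an added illustration of the wait this commit describes (example code, not FreeIPA's own; the fetch callback, the fake clock and the sample key bytes are assumptions for demonstration), the loop below only succeeds once the target host returns a key equal to the one created locally, and reports whether the key was still absent or a different key was present when the deadline passed:

```python
import time


class KeyNotReplicated(Exception):
    """Raised when the target host does not expose our key before the deadline."""


def wait_for_replicated_key(fetch_remote_key, local_key, timeout=300.0,
                            interval=5.0, clock=time.monotonic, sleep=time.sleep):
    """Poll fetch_remote_key() until it returns exactly local_key.

    fetch_remote_key is a caller-supplied callable (hypothetical) that reads
    the public key from the target host's LDAP and returns bytes, or None
    when the entry is not there yet. Presence alone is not enough: a key that
    differs from ours means the host holds a foreign or stale key, so we keep
    waiting instead of trusting it. Returns the number of attempts it took.
    """
    deadline = clock() + timeout
    attempts = 0
    last_state = "absent"
    while True:
        attempts += 1
        remote = fetch_remote_key()
        if remote is not None:
            if remote == local_key:
                return attempts
            last_state = "mismatch"
        else:
            last_state = "absent"
        if clock() >= deadline:
            raise KeyNotReplicated(
                "key %s on target after %d attempts" % (last_state, attempts))
        sleep(interval)


def simulate_replication(n_missing, remote_key, local_key, timeout=30.0, interval=5.0):
    """Drive wait_for_replicated_key() against a constructed fake LDAP host.

    The fake returns None for the first n_missing reads and remote_key after
    that; the fake clock advances by `interval` on each sleep, so the run is
    deterministic. Returns ("ok", attempts) or ("timeout", message).
    """
    reads = {"n": 0}
    now = {"t": 0.0}

    def fetch():
        reads["n"] += 1
        return None if reads["n"] <= n_missing else remote_key

    def clock():
        return now["t"]

    def sleep(seconds):
        now["t"] += seconds

    try:
        return ("ok", wait_for_replicated_key(fetch, local_key, timeout,
                                              interval, clock, sleep))
    except KeyNotReplicated as exc:
        return ("timeout", str(exc))


if __name__ == "__main__":
    # Constructed sample keys; in IPA these would be the CA encryption public key bytes.
    print(simulate_replication(2, b"our-key", b"our-key"))
    print(simulate_replication(0, b"other-key", b"our-key"))
```

Comparing the fetched key to the local one, rather than merely checking that some key exists, is what protects against the case where the contacted host holds keys from a different master.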
* Remove the cachedproperty class  (Stanislav Laznicka, 2017-05-02; 1 file, -34/+0)

    The cachedproperty class was used in one special use-case where it only caused issues. Let's get rid of it.

    https://pagure.io/freeipa/issue/6878
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Refresh Dogtag RestClient.ca_host property  (Stanislav Laznicka, 2017-05-02; 2 files, -15/+20)

    Refresh the ca_host property of Dogtag's RestClient class when it's requested as a context manager. This solves the problem which would occur on DL0 when installing a CA which needs to perform a set of steps against itself, accessing port 8443. This port should however only be available locally, so trying to connect to a remote master would fail. We need to make sure the right CA host is accessed.

    https://pagure.io/freeipa/issue/6878
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
* ipa-client-install: remove extra space in pkinit_anchors definition  (Florence Blanc-Renaud, 2017-05-02; 1 file, -1/+1)

    ipa-client-install modifies /etc/krb5.conf and defines the following line:

        pkinit_anchors = FILE: /etc/ipa/ca.crt

    The extra space between FILE: and /etc/ipa/ca.crt breaks pkinit.

    https://pagure.io/freeipa/issue/6916
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
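An added check (not part of ipa-client-install or the FreeIPA code base) that scans krb5.conf text for pkinit_anchors values with whitespace after the FILE:/DIR:/ENV: prefix and can rewrite them. The sample configuration is constructed; its third line reproduces the broken definition from the commit message:

```python
import re

# Anchor prefixes MIT krb5 accepts for pkinit_anchors: FILE:, DIR:, ENV:.
ANCHOR_PREFIXES = ("FILE", "DIR", "ENV")
PKINIT_ANCHORS_RE = re.compile(r"^(?P<lead>\s*pkinit_anchors\s*=\s*)(?P<value>.*?)\s*$")


def check_pkinit_anchors(conf_text):
    """Return (lineno, value, problem) for each malformed pkinit_anchors line."""
    problems = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = PKINIT_ANCHORS_RE.match(line)
        if not m:
            continue
        value = m.group("value")
        prefix, sep, target = value.partition(":")
        if not sep or prefix not in ANCHOR_PREFIXES:
            problems.append((lineno, value, "unknown anchor prefix"))
        elif not target or target != target.strip():
            # "FILE: /etc/ipa/ca.crt" makes the library look for a file whose
            # name starts with a space, so the CA anchor is never loaded.
            problems.append((lineno, value, "whitespace after %s:" % prefix))
    return problems


def fix_pkinit_anchors(conf_text):
    """Rewrite pkinit_anchors lines so the prefix is immediately followed by the target."""
    fixed = []
    for line in conf_text.splitlines():
        m = PKINIT_ANCHORS_RE.match(line)
        if m:
            prefix, sep, target = m.group("value").partition(":")
            if sep and prefix in ANCHOR_PREFIXES:
                line = "%s%s:%s" % (m.group("lead"), prefix, target.strip())
        fixed.append(line)
    return "\n".join(fixed) + ("\n" if conf_text.endswith("\n") else "")


# Constructed sample krb5.conf fragment.
SAMPLE_KRB5_CONF = """[libdefaults]
  default_realm = EXAMPLE.TEST
  pkinit_anchors = FILE: /etc/ipa/ca.crt
  pkinit_anchors = DIR:/etc/pki/ca-trust/source/anchors
"""

if __name__ == "__main__":
    for lineno, value, problem in check_pkinit_anchors(SAMPLE_KRB5_CONF):
        print("line %d: %r: %s" % (lineno, value, problem))
    print(fix_pkinit_anchors(SAMPLE_KRB5_CONF), end="")
```

The check is useful as a post-install assertion: after a client enrolment, a pkinit_anchors line that fails it means PKINIT (and anything relying on it, such as anonymous PKINIT for FAST armoring) will not work on that host.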
* kerberos session: use CA cert with full cert chain for obtaining cookie  (Petr Vobornik, 2017-05-02; 1 file, -1/+2)

    The HTTP request performed in finalize_kerberos_acquisition doesn't use the CA certificate/certificate store with the full certificate chain of the IPA server. So it might happen that, in case IPA is installed with an externally signed CA certificate, the call fails because of certificate validation and e.g. prevents session acquisition. Whether it will fail for sure is not known; the use case was not discovered, but it is faster and safer to fix preemptively.

    https://pagure.io/freeipa/issue/6876
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fixed typo in ipa-client-install output  (Thorsten Scherf, 2017-05-02; 1 file, -1/+1)

    Reviewed-By: Martin Basti <mbasti@redhat.com>
* restore: restart/reload gssproxy after restore  (Petr Vobornik, 2017-04-28; 2 files, -3/+21)

    So that gssproxy picks up the new configuration and therefore related usages like authentication of the CLI against the server work.

    https://pagure.io/freeipa/issue/6902
    Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* automount install: fix checking of SSSD functionality on uninstall  (Petr Vobornik, 2017-04-28; 1 file, -6/+10)

    The change in 2d4d1a9dc0ef2bbe86751768d6e6b009a52c0dc9 no longer initializes api in `ipa-client-automount --uninstallation`, which caused an error in wait_for_sssd, which gets the realm from the initialized API.

    This patch initializes the API in a way that it doesn't download the schema on uninstallation, and on installation it uses the host keytab for it so it no longer requires the user's Kerberos credentials.

    Also fix the call of xxx_service_class_factory which requires api as a param.

    https://pagure.io/freeipa/issue/6861
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* vault: piped input for ipa vault-add fails  (Florence Blanc-Renaud, 2017-04-28; 1 file, -29/+8)

    An exception is raised when using

        echo "Secret123\n" | ipa vault-add myvault

    This happens because the code is using (string).decode(sys.stdin.encoding) and sys.stdin.encoding is None when the input is read from a pipe. The fix is using the prompt_password method defined by Backend.textui, which gracefully handles this issue.

    https://pagure.io/freeipa/issue/6907
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
    Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
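An added example, not the prompt_password implementation from Backend.textui, of reading a secret in a way that works both interactively and from a pipe whose stream reports no encoding. The byte and text streams used below are constructed stand-ins for a piped stdin; the getpass branch is only taken when the stream is a real TTY:

```python
import getpass
import io
import sys


def read_secret(stream=None, prompt="Password: ", fallback_encoding="utf-8"):
    """Read one secret line from stream (default: sys.stdin).

    On a TTY use getpass so the secret is not echoed. Otherwise read a single
    line and decode it ourselves: a piped stdin may report encoding None (the
    failure this commit fixes), so the encoding is resolved before decode().
    """
    if stream is None:
        stream = sys.stdin
    if hasattr(stream, "isatty") and stream.isatty():
        return getpass.getpass(prompt)
    # Prefer the underlying byte buffer so decoding is under our control; fall
    # back to readline(), which yields str for text streams and bytes otherwise.
    raw = stream.buffer.readline() if hasattr(stream, "buffer") else stream.readline()
    if isinstance(raw, bytes):
        encoding = getattr(stream, "encoding", None) or fallback_encoding
        raw = raw.decode(encoding)
    return raw.rstrip("\r\n")


def read_secret_from_pipe(data):
    """Simulate `echo ... | tool`: a byte stream with no .encoding attribute (constructed)."""
    return read_secret(io.BytesIO(data))


def read_secret_from_text(text):
    """Simulate an already-decoded text stream whose .encoding is None (constructed)."""
    return read_secret(io.StringIO(text))


if __name__ == "__main__":
    print(read_secret_from_pipe(b"Secret123\n"))
    print(read_secret_from_text("Secret123\n"))
```

Stripping only the trailing newline, and not all whitespace, matters for secrets: a vault password that legitimately ends in a space must round-trip unchanged.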
* Do not test anonymous PKINIT after install/upgrade  (Martin Babinsky, 2017-04-28; 2 files, -10/+0)

    Local FAST armoring will now work regardless of PKINIT status so there is no need to explicitly test for working PKINIT. If there is, there should be a test case for that.

    https://pagure.io/freeipa/issue/6830
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Upgrade: configure local/full PKINIT depending on the master status  (Martin Babinsky, 2017-04-28; 1 file, -6/+9)

    The upgrader has been modified to configure either local or full PKINIT depending on the CA status. Additionally, the new PKINIT configuration will be written to the master's KDC entry.

    https://pagure.io/freeipa/issue/6830
    http://www.freeipa.org/page/V4/Kerberos_PKINIT
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Use local anchor when armoring password requests  (Martin Babinsky, 2017-04-28; 1 file, -1/+1)

    https://pagure.io/freeipa/issue/6830
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Stop requesting anonymous keytab and purge all references of it  (Martin Babinsky, 2017-04-28; 4 files, -20/+0)

    Anonymous kinit using a keytab never worked, so we may safely remove all code that requests/uses it.

    https://pagure.io/freeipa/issue/6830
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Use only anonymous PKINIT to fetch armor ccache  (Martin Babinsky, 2017-04-28; 1 file, -17/+13)

    Since the anonymous principal can only use PKINIT to fetch a credential cache, it makes no sense to try and use its Kerberos key to establish a FAST channel. We should also be able to use a custom PKINIT anchor for the armoring.

    https://pagure.io/freeipa/issue/6830
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Simo Sorce <ssorce@redhat.com>
* API for retrieval of master's PKINIT status and publishing it in LDAP  (Martin Babinsky, 2017-04-28; 1 file, -0/+41)

    An API was provided to report whether PKINIT is enabled for clients or not. If yes, the pkinitEnabled value will be added to the ipaConfigString attribute of the master's KDC entry.

    See http://www.freeipa.org/page/V4/Kerberos_PKINIT#Configuration for more details.

    https://pagure.io/freeipa/issue/6830
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Allow for configuration of all three PKINIT variants when deploying KDC  (Martin Babinsky, 2017-04-28; 1 file, -52/+93)

    The PKINIT setup code can now configure PKINIT using an IPA CA signed certificate, a 3rd party certificate, or local PKINIT with a self-signed keypair. The local PKINIT is also selected as a fallback mechanism if the CSR is rejected by the CA master or `--no-pkinit` is used.

    http://www.freeipa.org/page/V4/Kerberos_PKINIT
    https://pagure.io/freeipa/issue/6830
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Simo Sorce <ssorce@redhat.com>
* separate function to set ipaConfigString values on service entry  (Martin Babinsky, 2017-04-28; 2 files, -84/+94)

    There is some code duplication regarding setting ipaConfigString values when:

      * LDAP-enabling a service entry
      * advertising enabled KDCProxy in LDAP

    We can delegate the common work to a single re-usable function and thus expose it to future use-cases (like PKINIT advertising).

    https://pagure.io/freeipa/issue/6830
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Vault: Explicitly default to 3DES CBC  (Christian Heimes, 2017-04-28; 1 file, -2/+10)

    The server-side plugin for IPA Vault relied on the fact that the default OID for the encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag 10.4 has changed the default from 3DES to AES. Pass the correct algorithm OID to KeyClient.archive_encrypted_data().

    Closes: https://pagure.io/freeipa/issue/6899
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
* Revert "Store GSSAPI session key in /var/run/ipa"  (Martin Babinsky, 2017-04-27; 1 file, -3/+3)

    This reverts commit 2bab2d4963daa99742875f3633a99966bc56f5a3.

    It was pointed out that apache has no access to the /var/lib/ipa directory, breaking the session handling.

    https://pagure.io/freeipa/issue/6880
    Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Store GSSAPI session key in /var/run/ipa  (Martin Basti, 2017-04-27; 1 file, -3/+3)

    Runtime data should be stored in /var/run instead of /etc/httpd/alias. This change is also compatible with the selinux policy.

    https://pagure.io/freeipa/issue/6880
    Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* spec file: bump krb5 Requires for certauth fixes  (Jan Cholasta, 2017-04-27; 1 file, -4/+8)

    Bump krb5-* Requires to the version which includes the final version of certauth support.

    https://pagure.io/freeipa/issue/4905
    Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* spec file: bump python-netaddr Requires  (Jan Cholasta, 2017-04-26; 1 file, -2/+6)

    Bump python-netaddr Requires to the version which has correct private and reserved IPv4 address ranges.

    This fixes DNS server install failure when 0.0.0.0 is entered as a forwarder.

    https://pagure.io/freeipa/issue/6894
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Band-aid for pip dependency bug  (Christian Heimes, 2017-04-26; 1 file, -1/+1)

    pip install foo foo[more] does not install the extra dependencies 'more' of foo. It's a known bug in pip, see
    https://github.com/pypa/pip/issues/4391#issuecomment-290712930 and
    https://github.com/pypa/pip/issues/988

    The same bug applies to pip wheel. As a workaround pip wheel first builds extra dependencies, then wheel dependencies. This ensures that ipaclient[otptoken_yubikey] dependencies get built properly.

    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Correct PyPI package dependencies  (Christian Heimes, 2017-04-26; 6 files, -15/+23)

    * Remove unused install requires from ipapython
    * Add missing requirements to ipaserver
    * Correct dependencies for yubico otptoken
    * Add explicit dependency on cffi for csrgen
    * Python 2 uses python-ldap, Python 3 pyldap

    https://pagure.io/freeipa/issue/6875
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches  (Gabe, 2017-04-26; 4 files, -7/+14)

    - Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for nsaccountlock to false as well as update the filter to check for the default value
    - Remove pytest xfail for test_find_enabled_user

    https://pagure.io/freeipa/issue/6896
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
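The filter shape below is an added illustration of the default-aware matching this commit describes, not the actual output of FreeIPA's get_attr_filter. The helper treats an entry that lacks nsaccountlock as if it carried the default FALSE, both in the LDAP filter string it builds and in a small in-memory matcher run over constructed entries, so a search for enabled users does not silently drop accounts that were never given the attribute:

```python
# RFC 4515 escaping for values placed inside an LDAP filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_filter_escape(value):
    """Escape a value so it cannot alter the structure of the filter it is embedded in."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def attr_filter(attr, value, default=None):
    """Build an equality filter; when `value` equals the attribute's default,
    also match entries that do not carry the attribute at all.

    (nsaccountlock=FALSE) alone misses every enabled user whose entry has no
    nsaccountlock attribute; the OR with (!(nsaccountlock=*)) brings them back.
    """
    clause = "(%s=%s)" % (attr, ldap_filter_escape(value))
    if default is not None and value.lower() == default.lower():
        return "(|%s(!(%s=*)))" % (clause, attr)
    return clause


def entry_matches(entry, attr, value, default=None):
    """Evaluate the same rule over an in-memory entry (dict: lowercase attr -> list of str)."""
    present = entry.get(attr.lower())
    if present is None:
        return default is not None and value.lower() == default.lower()
    return any(v.lower() == value.lower() for v in present)


def find_users(entries, locked):
    """Return sorted uids whose lock state equals `locked` (True = disabled)."""
    wanted = "TRUE" if locked else "FALSE"
    return sorted(e["uid"][0] for e in entries
                  if entry_matches(e, "nsaccountlock", wanted, default="FALSE"))


# Constructed sample directory: alice has no nsaccountlock at all and is therefore enabled.
SAMPLE_ENTRIES = [
    {"uid": ["alice"]},
    {"uid": ["bob"], "nsaccountlock": ["TRUE"]},
    {"uid": ["carol"], "nsaccountlock": ["FALSE"]},
]

if __name__ == "__main__":
    print(attr_filter("nsaccountlock", "FALSE", default="FALSE"))
    print(attr_filter("nsaccountlock", "TRUE", default="FALSE"))
    print(find_users(SAMPLE_ENTRIES, locked=False), find_users(SAMPLE_ENTRIES, locked=True))
```

The escaping step is there because the searched value reaches the filter from user input in a real CLI; an unescaped `*` or `)` would let a caller widen or break the search.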
* tox: use pylint 1.6.x for now  (Christian Heimes, 2017-04-25; 1 file, -0/+2)

    FreeIPA is not yet compatible with pylint 1.7.1+. Enforce pylint 1.6.x until all issues have been addressed.

    Related: https://pagure.io/freeipa/issue/6874
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* WebUI - Coverity: fix identical branches of if statement  (Pavel Vomacka, 2017-04-25; 1 file, -5/+1)

    Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* WebUI - Coverity: fixed null pointer exception  (Pavel Vomacka, 2017-04-25; 1 file, -1/+1)

    The record variable could be null. This check makes sure that the variable won't be null.

    Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* WebUI: Coverity - add explicit window object to alert methods  (Pavel Vomacka, 2017-04-25; 5 files, -10/+10)

    All calls of alert were without an explicit object. This commit adds the explicit object window.

    Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* fix minor typos in ipa-adtrust-install.1  (realsobek, 2017-04-25; 1 file, -1/+1)

    Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* compat plugin: Update link to slapi-nis project  (Stanislav Laznicka, 2017-04-24; 1 file, -1/+1)

    Reviewed-By: Martin Basti <mbasti@redhat.com>
* compat: ignore cn=topology,cn=ipa,cn=etc subtree  (Stanislav Laznicka, 2017-04-24; 1 file, -0/+5)

    The entries in cn=topology,cn=ipa,cn=etc should not be taken into account by the compat plugin.

    https://pagure.io/freeipa/issue/6821
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Move the compat plugin setup at the end of install  (Stanislav Laznicka, 2017-04-24; 6 files, -106/+98)

    The compat plugin was causing deadlocks with the topology plugin. Move its setup to the end of the installation and remove the cn=topology,cn=ipa,cn=etc subtree from its scope.

    https://pagure.io/freeipa/issue/6821
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* compat-manage: behave the same for all users  (Stanislav Laznicka, 2017-04-24; 1 file, -1/+1)

    Due to LDAP connection refactoring, compat-manage would have behaved differently for root and for other users even though it requires the directory manager password. This is caused by it trying to do an external bind when it does not have the DIRMAN password, which was previously not supplied.

    https://pagure.io/freeipa/issue/6821
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Replace _BSD_SOURCE with _DEFAULT_SOURCE  (Christian Heimes, 2017-04-24; 2 files, -2/+3)

    Silence warning "_BSD_SOURCE and _SVID_SOURCE are deprecated, use _DEFAULT_SOURCE"

    http://man7.org/tlpi/code/faq.html#use_default_source

    Closes: https://pagure.io/freeipa/issue/6818
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Regenerate ASN.1 code with asn1c 0.9.28  (Christian Heimes, 2017-04-24; 48 files, -445/+474)

    Closes: https://pagure.io/freeipa/issue/6818
    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Simo Sorce <ssorce@redhat.com>
* upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed  (Florence Blanc-Renaud, 2017-04-24; 1 file, -0/+5)

    During upgrade, the plugin update_tdo_gidnumber is launched in order to add a gidnumber to the Trusted Domain Object. This plugin should not be run when AD trust is not installed, otherwise an error message is displayed.

    https://pagure.io/freeipa/issue/6881
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fix CAInstance.import_ra_cert for empty passwords  (Stanislav Laznicka, 2017-04-20; 1 file, -1/+1)

    OpenSSL can't cope with empty files; add a newline after each password.

    https://pagure.io/freeipa/issue/6878
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* configure: fix AC_CHECK_LIB usage  (Jan Cholasta, 2017-04-19; 2 files, -4/+4)

    Replace empty string with a single space in the third argument of `AC_CHECK_LIB` (`action-if-found`) where applicable.

    Empty string in the argument causes `AC_CHECK_LIB` to use the default action when a library is found which includes adding the library to `LIBS`, which specifies libraries to be linked in every binary and library in the project.

    This fixes libkrad, liblber, libldap_r and libsss_nss_idmap being linked to every binary and library in IPA, even where unused.

    https://pagure.io/freeipa/issue/6846
    Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Fix RA cert import during DL0 replication  (Stanislav Laznicka, 2017-04-19; 2 files, -25/+35)

    Previous versions of FreeIPA added a password to the ra.p12 file contained in the password-protected tarball. This was forgotten about in the recent changes and is fixed now.

    https://pagure.io/freeipa/issue/6878
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* ext. CA: correctly write the cert chain  (Stanislav Laznicka, 2017-04-19; 1 file, -2/+3)

    The cert file would have been rewritten all over again with any of the certs in the CA cert chain without this patch.

    https://pagure.io/freeipa/issue/6872
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* server-install: No double Kerberos install  (Stanislav Laznicka, 2017-04-19; 1 file, -5/+6)

    When we're installing a server with an external CA, the installation would have failed in the second step, where it's passed the required CA cert file, because it would have tried to perform the Kerberos installation for the second time.

    https://pagure.io/freeipa/issue/6757
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* cert: defer cert-find result post-processing  (Jan Cholasta, 2017-04-19; 2 files, -37/+66)

    Rather than post-processing the results of each internal search, post-process the combined result.

    This avoids expensive per-certificate searches when cert-find is executed with the --all option on certificates which won't even be included in the combined result.

    https://pagure.io/freeipa/issue/6808
    Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* added krb5kdc.log to pytest logging  (Michal Reznik, 2017-04-12; 2 files, -0/+2)

    KRB5KDC_LOG = '/var/log/krb5kdc.log' added to paths
    host.collect_log(paths.KRB5KDC_LOG) added to tasks.py

    Signed-off-by: Michal Reznik <mreznik@redhat.com>
    Reviewed-By: Martin Basti <mbasti@redhat.com>
    Reviewed-By: Simo Sorce <ssorce@redhat.com>
* tox testing support for client wheel packages  (Christian Heimes, 2017-04-12; 8 files, -3/+209)

    Add tox infrastructure to test client wheel packages workflow:

    * build client packages
    * install client packages
    * ipa-run-tests --ipaclient-unittests under Python 2 and 3
    * pylint of client packages under Python 2 and 3
    * placeholder packages work as expected

    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix CA-less to CA-full upgrade  (Stanislav Laznicka, 2017-04-12; 3 files, -11/+31)

    CertDB would have always created a directory on initialization. This behavior changes here by replacing the truncate argument with create which will only create the database when really required.

    https://pagure.io/freeipa/issue/6853
    Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* ipa-otpd.socket.in: Use a platform specific value for KDC service file  (Timo Aaltonen, 2017-04-12; 3 files, -1/+6)

    https://pagure.io/freeipa/issue/6845
    Reviewed-By: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* replicainstall: better client install exception handling  (Stanislav Laznicka, 2017-04-12; 1 file, -42/+41)

    The exception handling of client install inside replica installation was rather promiscuous, hungrily eating any possible exception thrown at it. Scoped down the try-except block and reduced its promiscuity. This change should improve the future development experience debugging this part of the code.

    https://pagure.io/freeipa/issue/6183
    Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add the force-join option to replica install  (Stanislav Laznicka, 2017-04-12; 2 files, -1/+3)

    When installing the client from inside replica installation on DL1, it's possible that the client installation would fail and recommend using the --force-join option, which is not available in the replica installer. Add the option there.

    https://pagure.io/freeipa/issue/6183
    Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
    Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Stabilize make pypi_packages  (Christian Heimes, 2017-04-12; 1 file, -5/+15)

    Parallel make or flags like IPA_OMIT_INSTALL and IPA_SERVER_WHEELS could lead to bad packages for PyPI. Only build the packages we want with correct flags.

    Placeholder packages from 'make pypi_package' conflict with 'make wheel_bundle' packages. Use a separate destination directory for PyPI packages.

    Signed-off-by: Christian Heimes <cheimes@redhat.com>
    Reviewed-By: Martin Basti <mbasti@redhat.com>