| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We slice down the received cookie so that just the content that matter
is preserved. Thi is ok because servers can't trust anything else anyway
and will accept a cookie with the ancillary data missing.
By removing variable parts like the expiry component added by
mod_session or the Expiration or Max-Age metadata we keep only the part
of the cookie that changes only when a new session is generated.
This way when storing the cookie we actually add a new entry in the
ccache only when the session actually changes, and this prevents churn
on FILE based ccaches.
Related https://pagure.io/freeipa/issue/6775
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unfortunately the MIT krb5 library has a severe limitation with FILE
ccaches when retrieving config data. It will always only search until
the first entry is found and return that one.
For FILE caches MIT krb5 does not support removing old entries when a
new one is stored, and storage happens only in append mode, so the end
result is that even if an update is stored it is never returned with the
standard krb5_cc_get_config() call.
To work around this issue we simply implement what krb5_cc_get_config()
does under the hood with the difference that we do not stop at the first
match but keep going until all ccache entries have been checked.
Related https://pagure.io/freeipa/issue/6775
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If cookie authentication fails and we get back a 401 see if we
tried a SPNEGO auth by checking if we had a GSSAPI context. If not
it means our session cookie was invalid or expired or some other
error happened on the server that requires us to try a full SPNEGO
handshake, so go ahead and try it.
Fixes https://pagure.io/freeipa/issue/6775
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
| |
Related https://pagure.io/freeipa/issue/6775
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
For external users which are mapped to some DN in LDAP server, we
wouldn't neccesary be able to find a kerberos data in their LDAP entry.
Instead of searching for Kerberos principal use actual DN we are bound
to because for get_effective_rights LDAP control we only need the DN
itself.
Fixes https://pagure.io/freeipa/issue/6797
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Lookup IPA CA subject and pass it to CertDB when creating dscert.p12 and
httpcert.p12, otherwise a generic nickname will be used for the IPA CA
certificate instead of "$REALM IPA CA".
This fixes replica install on domain level 0 from a replica file created
using ipa-replica-install on IPA 4.5.
https://pagure.io/freeipa/issue/6777
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Now, at the domain level 0, the replica install always uses
Directory Manager credentials to create the LDAP connection.
Since ACIs permitting hosts to manage their own services were
added in 4.2 release, the old master denies this operations.
https://pagure.io/freeipa/issue/6549
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The presence of IPA packages on PyPI revealed an interesting issue with
make wheel_bundle. pip gives final releases a higher precedence than our
development packages. make wheel_bundle downloads ipa 4.5.0 from PyPI
instead of using our own wheels.
Use a constraint file to enforce correct versions.
https://pagure.io/freeipa/issue/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias
from backup on uninstall.
Files modified by IPA are kept with .ipasave suffix.
https://pagure.io/freeipa/issue/4639
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create
it explicitly in `DSInstance.__enable_ssl()`.
This stops the file from being created in /etc/httpd/alias during classic
replica install.
https://pagure.io/freeipa/issue/4639
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
| |
This is to verify that all the executables are working properly (have
correct import paths etc.)
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
| |
|
|
|
|
| |
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
|
| |
|
|
|
|
| |
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
|
| |
|
|
|
|
| |
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
|
| |
|
|
|
|
| |
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
|
| |
|
|
|
|
| |
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
|
| |
|
|
|
|
| |
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
|
| |
|
|
|
|
| |
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The changes made to ipa-run-tests script in fd1b4f6 broke the
ipa-test-config and ipa-test-task scripts which are not executed
via pytest.
To fix the issue, all helper code and dependencies of the integration
plugin are moved out of ipatests.test_integration and into the
integration plugin. As first step ipatests.pytest_plugins.integration
is turned into a package.
https://pagure.io/freeipa/issue/6798
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
These are platform specific, add values for Debian and default values
for Fedora/RHEL.
Also, use prettier output when checking the extra python install options.
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Update the caIPAserviceCert profile to accept 8192-bit RSA keys.
Affects new installs only, because there is not yet a facility to
update included profiles.
Fixes: https://pagure.io/freeipa/issue/6319
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The customers are often confused by ipa-cacert-manage install. The man page
should make it clear that IPA CA is not modified in any way by this command.
https://pagure.io/freeipa/issue/6795
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Run `systemctl daemon-reload` after
`/etc/systemd/system/httpd.service.d/ipa.conf` is created or deleted,
otherwise systemd will not merge the file into httpd.service and therefore
required environment variables will not be set for httpd.
This fixes authentication failures ("No valid Negotiate header in server
response") due to missing `GSS_USE_PROXY=yes` in httpd environment.
https://pagure.io/freeipa/issue/6773
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
When provided empty value in nolog parameter nolog_replace added 'XXXXXXXX'
three (once for plain value, once for http quoted value and last time for shell
quoted value) times before every character (including terminating '\0') in the string.
https://pagure.io/freeipa/issue/6738
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Apache has a default keep alive timeout of 5 seconds. That's too low for
interactive commands, e.g. password prompts. 30 seconds sounds like a
good compromise.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
| |
|
|
|
| |
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Do not forcefully close the connection after every request. This enables
HTTP connection keep-alive, also known as persistent TCP and TLS/SSL
connection. Keep-alive speed up consecutive HTTP requests by 15% (for
local, low-latency network connections to a fast server) to multiple
times (high latency connections or remote peers).
https://pagure.io/freeipa/issue/6641
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
| |
|
|
|
|
| |
https://pagure.io/freeipa/issue/6774
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new option for ipa-run-tests makes the test runner ignore
subdirectories or skips tests that depend on the ipaserver package or on
a running framework for RPC integration tests. The new option enables
testing of client-only builds.
$ ipatests/ipa-run-tests --ipaclient-unittests
...
platform linux2 -- Python 2.7.13, pytest-2.9.2, py-1.4.32, pluggy-0.3.1
rootdir: /home/heimes/redhat, inifile: tox.ini
plugins: sourceorder-0.5, cov-2.3.0, betamax-0.7.1, multihost-1.1
collected 451 items
test_util.py ........
util.py ..
test_ipaclient/test_csrgen.py ..............ssss...
test_ipalib/test_aci.py ...................
test_ipalib/test_backend.py ........
test_ipalib/test_base.py ...............
test_ipalib/test_capabilities.py .
test_ipalib/test_cli.py ...
test_ipalib/test_config.py ...............
test_ipalib/test_crud.py ...............
test_ipalib/test_errors.py .......
test_ipalib/test_frontend.py ........................................
test_ipalib/test_messages.py ....
test_ipalib/test_output.py ...
test_ipalib/test_parameters.py .............................................................
test_ipalib/test_plugable.py ........
test_ipalib/test_rpc.py ......ssssssss
test_ipalib/test_text.py .............................
test_ipalib/test_x509.py ...
test_ipapython/test_cookie.py ............
test_ipapython/test_dn.py ...........................
test_ipapython/test_ipautil.py ..................................................................
test_ipapython/test_ipavalidate.py ..........
test_ipapython/test_kerberos.py ..............
test_ipapython/test_keyring.py ..........
test_ipapython/test_ssh.py ...............................
test_pkcs10/test_pkcs10.py .....
https://fedorahosted.org/freeipa/ticket/6517
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).
Ticket: https://pagure.io/freeipa/issue/6771
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
| |
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
| |
ctypes can only handle bytes, not text. Encode and decode all incoming
and outgoing text from UTF-8 to bytes.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
************* Module ipaserver.install.ipa_kra_install
ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse')
************* Module ipapython.install.core
ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member)
************* Module ipatests.test_ipapython.test_dn
ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals())
************* Module ipa-ca-install
install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
| |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
After PKINIT certificate is requested and everything is set up, we
should attempt to perform anonymous PKINIT and fail hard if it does not
work for some reason.
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This prevents replication-based race conditions to break PKINIT
certificate requests on replica installation.
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
| |
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Instead of only logging errors when timeout is reached or query for the
entry fails for other reasons, `wait_for_entry` should raise exceptions
so that we can handle them in caller or let them propagate and fail
early.
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is to ensure that we can request PKINIT certs once all the
following requirements are in place:
* CA is configured or PKCS#12 file is provided
* LDAP, KDC and Apache are configured and the master role is thus
completed and enabled
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
On the first master the framework may not be fully functional to server
certificate requests. It is safer to configure helper that contacts
Dogtag REST API directly.
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The certmonger request handling code during pkinit setup actually never
correctly handled situations when certificate request was rejected by
the CA or CA was unreachable. This led to subtle errors caused by broken
anonymous pkinit (e.g. failing WebUI logins) which are hard to debug.
The code should behave as other service installers, e. g. use
`request_and_wait_for_cert` method which raises hard error when request
times out or is not granted by CA. On master contact Dogtag CA endpoint
directly as is done in DS installation.
https://pagure.io/freeipa/issue/6739
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
The PKINIT feature is not available on domain level 0 so any
options about pkinit are false.
https://pagure.io/freeipa/issue/6759
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The pkg-config files for xmlrpc_c libraries are shipped just
in fedora/rhel due to downstream patch. Debian does not have
pkg-config files for xmlrpc_c. Therefore we need to fallback to older
method of detection XMLRPC_*FLAGS which was reverted
by the commit 1e0143c159134337a00a91d4ae64e614f72da62e
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
| |
Provide python-ipa* aliases for python2-ipa* subpackages when the
python_provide RPM macro is not available.
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
nspr-devel, nss-devel and openssl-devel are required for client-only build,
move their respective BuildRequires from the server-specific BuildRequires
section to the main BuildRequires section.
Pass --enable-server or --disable-server to ./configure based on the value
of %{ONLY_CLIENT}.
Remove the `make client-check` call from %check, as the client-check target
does not exist anymore. Always call `make check` instead.
Do not package the /usr/share/ipa directory in freeipa-client-common, as it
is not created in client-only build.
https://pagure.io/freeipa/issue/6517
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Build ipatests only if %with_ipatests RPM macro is specified.
By default the macro is specified if ONLY_CLIENT is not specified.
https://pagure.io/freeipa/issue/6517
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Debian packages should be installed under dist-packages, not
site-packages. Debian has patched distutils and setuptools to add a new
flag '--install-layout'. For --with-ipaplatform=debian,
PYTHON_INSTALL_EXTRA_OPTIONS is set to '--install-layout=deb'.
https://pagure.io/freeipa/issue/6764
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
./configure no longer fails when pylint or jsl are not available. The
make targets for pylint and jsl are no longer defined without the tools.
Rational:
pylint and jsl are not required to build FreeIPA. Both are useful
developer tools. It's more user friendly to make both components
optionally with default config arguments. There is no reason to
fail building on a build system without development tools.
It's still possible to enforce dependency checks with --with-jslint and
--enable-pylint.
https://fedorahosted.org/freeipa/ticket/6604
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When mod_lookup_identity is unable to match user by certificate (and username)
it unsets http request's user. mod_auth_gssapi is then unable to get Kerberos
ticket and doesn't set KRB5CCNAME environment variable.
x509_login.__call__ now returns 401 in such case to indicate that request was
not authenticated.
https://pagure.io/freeipa/issue/6225
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
| |
|
|
|
|
| |
Rename KRA_AGENT_PEM -> OLD_KRA_AGENT_PEM, add CERTMONGER_DOGTAG_SUBMIT.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
