| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
The variable is intended to control the timeout for replication
events. If someone had significantly reduced it via configuration
then it could have caused certmogner requests to fail due to timeouts.
Add replication_wait_timeout, certmonger_wait_timeout and
http_timeout to the default.conf man page.
Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
| |
|
|
|
|
|
| |
Related: https://bugzilla.redhat.com/1670239
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, RA agent certificate is issued using caServerCert profile.
This has unfortunate side effect of asserting id-pk-serverAuth EKU which
is not really needed for RA agent. If IPA CA certificate adds SAN DNS
constraints into issued certificates, presence of id-pk-serverAuth EKU
forces NSS (and other crypto libraries) to validate CN value with
regards to SAN DNS constraints, due to historical use of CN bearing DNS
name.
Since RA agent certificate has 'CN=IPA RA', it is guaranteed to fail
the check.
Default IPA CA configuration does *not* add SAN DNS constraints into RA
agent certificate. However, it is better to be prepared to such
behavior.
Related: https://bugzilla.redhat.com/1670239
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Profile-based renewal means we should always explicitly specify the
profile in tracking requests that use the dogtag-ipa-ca-renew-agent
renewal helper. This includes the IPA RA agent certificate. Update
CAInstance.configure_agent_renewal() to add the profile to the
tracking request. This also covers the upgrade scenario (because
the same method gets invoked).
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
TLS 1.3 is causing some trouble with client cert authentication.
Conditional client cert authentication requires post-handshake
authentication extension on TLS 1.3. The new feature is not fully
implemented yet.
TLS 1.0 and 1.1 are no longer state of the art and now disabled by
default.
TLS 1.2 works everywhere and supports PFS.
Related: https://pagure.io/freeipa/issue/7667
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
| |
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On Linux systems the length limit for hostnames is hardcoded
at 64 in MAXHOSTNAMELEN
Solaris, for example, allows 255 characters, and DNS allows the
total length to be up to 255 (with each label < 64).
Add a knob to allow configuring the maximum hostname length (FQDN)
The same validators are used between hosts and DNS to apply
the knob only when dealing with a FQDN as a hostname.
The maxlen option is included so installers can limit the length
of allowed hostnames when the --hostname option is used.
https://pagure.io/freeipa/issue/2018
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 350954589774499d99bf87cb5631c664bb0707c4.
We cannot force increase in minimum SASL security factor until our
consumers are ready to deal with it. Unfortunately, realmd uses
anonymous connection for discovery and validation of IPA LDAP server.
The way it is done is fragile (it doesn't take into account an
advertised IPA version, only checks that 'IPA' string exists in the info
field) but since bumping of minimum SSF prevents reading IPA info field
using anonymous connection, client enrollment fails.
We should get back to bumping minimum SSF after realmd and other
potential consumers are fixed.
Reviewed-By: François Cami <fcami@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
man(5) default.conf says that startup_timeout has a default value of 120
seconds. Even 120 seconds are not effective unless systemd is also
reconfigured to have a larger DefaultTimeoutStartSec.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSF_MINX 56 level ensures data integrity and confidentiality for SASL
GSSAPI and SASL GSS SPNEGO connections.
Although at least AES128 is enforced pretty much everywhere, 56 is required
for backwards compatibility with systems that announce wrong SSF.
Related: https://pagure.io/freeipa/issue/7140
Related: https://pagure.io/freeipa/issue/4580
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The HOME directory may not be available in containers. It's also the
wrong variable on some platforms. Use os.path.expanduser() instead of
HOME.
Fixes: https://pagure.io/freeipa/issue/7837
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
With increasing the minimal domain level to 1 ipa-replica-install will
refuse to install if the domain has domain level 0.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Update regular expression validator to prevent user and group creation.
Fixes: https://pagure.io/freeipa/issue/7572
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Instead of multiple timeout values all over the code base, all
replication waits now use a common timeout value from api.env of 5
minutes. Waiting for HTTP/replica principal takes 90 to 120 seconds, so
5 minutes seem like a sufficient value for slow setups.
Fixes: https://pagure.io/freeipa/issue/7595
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
mod_ssl's limiting of client cert verification depth was causing
the replica installs to fail when master had been installed with
external CA since the SSLCACertificateFile was pointing to a file
with more than one certificate. This is caused by the default
SSLVerifyDepth value of 1. We set it to 5 as that should be
just about enough even for possible sub-CAs.
https://pagure.io/freeipa/issue/7530
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
With the recent encryption of the HTTPD keys, it's also necessary
to count with this scenario during upgrade and create the password
for the HTTPD private key along the cert/key pair.
This commit also moves the HTTPD_PASSWD_FILE_FMT from ipalib.constants
to ipaplatform.paths as it proved to be too hard to be used that way.
https://pagure.io/freeipa/issue/7421
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds configuration for HTTPD to encrypt/decrypt its
key which we currently store in clear on the disc.
A password-reading script is added for mod_ssl. This script is
extensible for the future use of directory server with the
expectation that key encryption/decription will be handled
similarly by its configuration.
https://pagure.io/freeipa/issue/7421
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
HTTPS connections from IPA framework and bind named instance now use
system-wide crypto-policies on Fedora.
For HTTPS the 'DEFAULT' crypto policy also includes unnecessary ciphers
for PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA,
they are explicitly excluded.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1179925
See: https://bugzilla.redhat.com/show_bug.cgi?id=1179220
Fixes: https://pagure.io/freeipa/issue/4853
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
| |
Describing the parameter kinit_lifetime that allows to limit the lifetime of ticket obtained by users authenticating to the WebGUI using login/password. Removing session_auth_duration and session_duration_type since these parameters are not relevant anymore.
Resolves: https://pagure.io/freeipa/issue/7333
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When running on memory-constrained systems, the `ipa-server-install`
program often fails during the "Configuring certificate server
(pki-tomcatd)" stage in FreeIPA 4.5 and 4.6.
The memory-intensive dogtag service causes swapping on low-memory
systems right after start-up, and especially new certificate
operations requested via certmonger can exceed the dbus client default
25 second timeout.
This patch changes dbus client timeouts for some such operations to
120 seconds (from the default 25 seconds, IIRC).
See more discussion in FreeIPA PR #1078 [1] and FreeIPA container
issue #157 [2]. Upstream ticket at [3].
[1]: https://github.com/freeipa/freeipa/pull/1078
[2]: https://github.com/freeipa/freeipa-container/issues/157
[3]: https://pagure.io/freeipa/issue/7213
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
| |
|
|
|
|
| |
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
| |
|
|
|
|
|
|
| |
Derive the default value of `xmlrpc_uri` and `ldap_uri` from `server`.
Derive the default value of `basedn` from `domain`.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Domain, realm, basedn, xmlrpc_uri, ldap_uri do not have any reasonable default.
This patch removes hardcoded default so the so the code which depends
on these values blows up early and does not do crazy stuff
with default values instead of real ones.
This should help to uncover issues caused by improper ipalib
initialization.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This is done by setting the kinit_lifetime option in default.conf
to a value that can be passed in with the -l option syntax of kinit.
https://pagure.io/freeipa/issue/7001
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
CA sometimes "forgot to answer" so we have to add timeout for http
connection and ask again rather than wait for infinity.
https://pagure.io/freeipa/issue/6766
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Slots in HSM are not assigned statically, we have to chose proper
slot from token label.
Softhsm i2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).
Changelog:
* created method get_slot() that returns slot number from
used label
* replaces usage of slot in __init__ method of P11_Helper
with label
* slot is dynamically detected from token label before
session is opened
* pkcs11-util --init-token now uses '--free' instead '--slot'
which uses first free slot (we don't care about slot numbers
anymore)
https://pagure.io/freeipa/issue/6692
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Cache the KRA transport certificate on disk (in ~/.cache/ipa) as well as
in memory.
https://fedorahosted.org/freeipa/ticket/6652
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
| |
https://pagure.io/freeipa/issue/6730
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
https://fedorahosted.org/freeipa/ticket/6542
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
NSSConnection was causing a lot of trouble in the past and there is
a lot of logic around it just to make it not fail. What's more,
when using NSS to create an SSL connection in FIPS mode, NSS
always requires database password which makes the `ipa` command
totally unusable.
NSSConnection is therefore replaced with Python's
httplib.HTTPSConnection which is OpenSSL based.
The HTTPSConnection is set up to handle authentication with client
certificate for connections to Dogtag server as RA agent. It allows
to handle client cert/private key in separate files and also
encrypted private key files.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It was possible to set tls_version_min/max to 'ssl2' or 'ssl3',
even though newer versions of NSS will fail to set this as a valid
TLS version. This patch explicitly checks for deprecated TLS versions
prior to creating a TLS connection.
Also, we don't allow tls_version_min/max to be set to a random
string anymore.
https://fedorahosted.org/freeipa/ticket/6607
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the apache user the ipawebui group.
Make the ccaches directory owned by the ipawebui group and make
mod_auth_gssapi write the ccache files as r/w by the apache user and
the ipawebui group.
Fix tmpfiles creation ownership and permissions to allow the user to
access ccaches files.
The webui framework now works as a separate user than apache, so the certs
used to access the dogtag instance need to be usable by this new user as well.
Both apache and the webui user are in the ipawebui group, so use that.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Env confdir is always populated so it should be listed among variables
set during a call to `Env._bootstrap()`.
https://fedorahosted.org/freeipa/ticket/6389
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
CACERT depends on ipaplatform.
Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/6406
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
api.env.nss_dir is no longer hard-coded to paths.IPA_NSSDB_DIR. Instead
the path is calculated relatively to api.env.confdir. The default value
is still /etc/ipa/nssdb. The change makes it a bit easier to run
FreeIPA's API with a custom configuration directory.
See https://fedorahosted.org/freeipa/ticket/6386
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
User and groups regexp are the same and constant should be used to avoid
any future misconfigurations.
https://fedorahosted.org/freeipa/ticket/5822
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Add Certmonger tracking requests for lightweight CAs on replica
installation. As part of this change, extract most of the
lightweight CA tracking code out of ipa-certupdate and into
cainstance.
Fixes: https://fedorahosted.org/freeipa/ticket/6019
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
The server-del plugin now removes the Custodia keys for encryption and
key signing from LDAP.
https://fedorahosted.org/freeipa/ticket/6015
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
| |
Update 'ipa-ca' records with A/AAAA records of the newly added replica
https://fedorahosted.org/freeipa/ticket/5966
Reviewed-By: Petr Spacek <pspacek@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Store schema in per user cache. Together with schemas also information
about mapping between server and fingerprint is stored to reduce traffic.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
New commands for manipulation with DNS server configuration were added:
* dnsserver-show
* dnsserver-mod
* dnsserver-find
https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds the 'ca' plugin for creating and managing
lightweight CAs. The initial implementation supports a single level
of sub-CAs underneath the IPA CA.
This commit also:
- adds the container for FreeIPA CA objects
- adds schema for the FreeIPA CA objects
- updates ipa-pki-proxy.conf to allow access to the Dogtag
lightweight CAs REST API.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the ipa-pki-retrieve-key helper program and configure
lightweight CA key replication on installation and upgrade. The
specific configuration steps are:
- Add the 'dogtag/$HOSTNAME' service principal
- Create the pricipal's Custodia keys
- Retrieve the principal's keytab
- Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever
to invoke ipa-pki-retrieve-key for key retrieval
Also bump the minimum version of Dogtag to 10.3.2.
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
http://www.freeipa.org/page/V4/DNS_Location_Mechanism
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Add new `nss_dir` API config option to allow rpcclient to use a non-default
NSS DB for the connection.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
| |
Bare except should not be used.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
|
| |
|
|
|
|
|
| |
https://www.redhat.com/archives/freeipa-devel/2015-November/msg00485.html
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
