| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create
it explicitly in `DSInstance.__enable_ssl()`.
This stops the file from being created in /etc/httpd/alias during classic
replica install.
https://pagure.io/freeipa/issue/4639
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Time estimates have been updated to be more accurate. Only
tasks that are estimated to take longer than 10 seconds have
the estimate displayed.
https://pagure.io/freeipa/issue/6596
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
See design http://www.freeipa.org/page/V4/Certificate_Identity_Mapping
https://fedorahosted.org/freeipa/ticket/6542
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.
https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6680
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
a cosmetic change: we had private method comprising of calls to public
ones, which did not make much sense in our case
https://fedorahosted.org/freeipa/ticket/6638
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
It seem like ALIAS_CACERT_ASC was just a redundant location for the CA
cert file which is always available in /etc/ipa/ca.crt
Just use the canonical CA cert location in /etc/ipa for all cases and
stop creating a separate cacert file.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is in preparation for separating out the user under which the
ipa api framework runs as.
This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Convert function to NamedTemporaryFile with textual mode, because
passwords are text. Using `with` and NamedTemporaryFile gives more
security agains leaking password from tempfiles.
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ldif parser uses file in text mode, so we have to open it in text mode
in py3
Also values passed to parser should be bytes
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
| |
"Adding SASL mappings.." is duplicated step in __common_setup in DS
instance and should be removed.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently only the "subject base" of the IPA CA subject DN can be
customised, via the installer's --subject-base option. The RDN
"CN=Certificate Authority" is appended to form the subject DN, and
this composition is widely assumed.
Some administrators need more control over the CA subject DN,
especially to satisfy expectations of external CAs when the IPA CA
is to be externally signed.
This patch adds full customisability of the CA subject DN.
Specifically:
- Add the --ca-subject option for specifying the full IPA CA subject
DN. Defaults to "CN=Certificate Authority, O=$SUBJECT_BASE".
- ipa-ca-install, when installing a CA in a previous CA-less
topology, updates DS certmap.conf with the new new CA subject DN.
- DsInstance.find_subject_base no longer looks in certmap.conf,
because the CA subject DN can be unrelated to the subject base.
Fixes: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For full customisability of the IPA CA subject DN, we will need the
ability to update DS `certmap.conf' when upgrading a deployment from
CA-less to CA-ful.
Extract the existing behaviour, which is private to DsInstance, to
the `write_certmap_conf' top-level function.
Also update `certmap.conf.template' for substition of the whole CA
subject DN (not just the subject base).
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
| |
Part of: https://fedorahosted.org/freeipa/ticket/2614
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Also had to recalculate entropy of the passwords as originally,
probability of generating each character was 1/256, however the
default probability of each character in the ipa_generate_password
is 1/95 (1/94 for first and last character).
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
|
| |
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/6586
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
| |
|
|
|
| |
Fixes: https://fedorahosted.org/freeipa/ticket/6226
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.
https://fedorahosted.org/freeipa/ticket/5678
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
CACERT depends on ipaplatform.
Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The certstore module depends on ipaplatform.
Move it to ipalib.install, as it is used only from installers.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
SHARE_DIR and PLUGIN_SHARE_DIR depend on ipaplatform.
Replace all uses of SHARE_DIR with paths.USR_SHARE_IPA_DIR and remove
both SHARE_DIR and PLUGIN_SHARE_DIR.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The certmonger and sysrestore modules depend on ipaplatform.
Move them to ipalib.install as they are used only from installers.
https://fedorahosted.org/freeipa/ticket/6474
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Since service.admin_conn is only an alias to api.Backend.ldap2,
replace it everywhere with the explicit api.Backend.ldap2 instead.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
| |
ds_newinst.pl was removed from 389 DS over 9 years ago. Remove
references to it.
Fixes: https://fedorahosted.org/freeipa/ticket/6496
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Set up initial replication using GSSAPI also in domin level 0. For this to
work, the supplied DM password is used to connect to remote master and set up
agreements. The workflow is unchanged in DL1 where GSSAPI bind as host or
admin is used.
This obsoletes the conversion of replication agreements to GSSAPI made in DL0
during KDC installation.
https://fedorahosted.org/freeipa/ticket/6406
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
DS replica can now use remote API and ipa-getkeytab to create service
principal and fetch the keytab in both domain levels. There is no need to use
KDC installer to do it.
https://fedorahosted.org/freeipa/ticket/6405
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The Service class now accepts keytab path and service name part of Kerberos
principal as members. Kerberos principal is turned into a property computed
from service prefix, FQDN and realm. the handling of Kerberos principals and
keytabs in service installers was changed to use class members instead of
copy-pasted constants. This shall aid in the future refactoring of
principal/keytab handling code.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
This will aid further refactoring of service installers, since the user will
be defined only once during parent class initialization.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Instead of delegating handling of some parameters like fstore to the parent
class, the *Instance installers had the logic copy-pasted in their
constructors. Some other members were also moved to the Service class and the
parent class constructors in children were fixed to modern standards of
initializing parent class in Python.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
`CertDB.request_service_cert` could re-create NSSDB files if the supplied CA
certificate was not found in database. This could cause subtle bugs since the
files were recreated with wrong permissions. This behavior was removed so that
there are no destructive operations performed by the method.
https://fedorahosted.org/freeipa/ticket/6429
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To make the code more general, moved the update_dna_shared_config
among other update plugins.
Bugfix: DNA shared config connection protocol was compared to a
method string which would result in a try to always update it
even if there was no need to.
https://fedorahosted.org/389/ticket/48373 causes that two
shared DNA config entries are created instead of one.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Replica populate can be applied with other update plugins.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
During replica installation, if the IPA deployment has a custom
subject_base, the routines that create the DS and HTTP NSSDBs
erroneously compare the subject of CA certs to the *default* subject
base. This causes the IPA CA cert to be added to the NSSDBs with a
nickname derived from the subject name, instead of "{REALM} IPA CA".
At a later stage of installation, the `upload_cacrt` plugin reads
certs from the HTTP NSSDB in order to update the cn=certificates
LDAP certstore. The NSSDB nickname of the cert is used as the CN
for the entry. Because the IPA CA cert was not installed in the
HTTP NSSDB with the "{REALM} IPA CA", this causes a spurious entry
for the IPA CA to be added to the certstore.
To avoid this scenario, use the deployment's actual subject base
when deciding if a cert is the IPA CA cert.
Fixes: https://fedorahosted.org/freeipa/ticket/6415
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Temporary modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA
agent cert, using the temp cert created during pkispawn. The cert request
is now processed through certmonger, and the helper arguments are restored
once the agent cert is obtained.
- Modify the installer code creating HTTP and LDAP certificates to use
certmonger's IPA helper with temporary parameters (calling dogtag-submit
instead of ipa-submit)
- Clean-up for the integration tests: sometimes ipa renewal.lock is not
released during ipa-server-uninstall. Make sure that the file is removed
to allow future installations.
https://fedorahosted.org/freeipa/ticket/6433
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Remove ldap_connect and ldap_disconnect from services. admin_conn is
just an alias to api.Backend.ldap2 and therefore the connection should
be managed elsewhere.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Remove adhoc connects and disconnects of api.Backend.ldap2. Connection
should be established only at the start of the script, destroyed at the
end of the script and re-established when directory server is restarted.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Connect and/or disconnect api.Backend.ldap2 connection when directory
server is stopped/restarted. Checking is ldap2 connection is connected
is neccesary for edge cases during ds installation (initial start).
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
* enable ldapi and root autobind early during the ds installation
* perform these changes using simple_bind with dm_password
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Remove directory manager's password from service's constructors
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* move IPAdmin methods to LDAPClient
* add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
* add host, port, _protocol to LDAPClient (parsed from ldap_uri)
* create get_ldap_uri() method to create ldap_uri from former
IPAdmin.__init__() arguments
* replace IPAdmin with LDAPClient + get_ldap_uri()
* remove ununsed function argument hostname from
enable_replication_version_checking()
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
* Rename do_sasl_gssapi_bind to gssapi_bind
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
* Rename do_external_bind to external_bind
* Remove user_name argument in external_bind() and always set it
to effective user name
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* Use LDAPClient.simple_bind instead of extra call to IPAdmin.do_simple_bind
* Rename binddn to bind_dn
* Rename bindpw to bind_password
* Explicitly specify bind_dn in all calls
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
| |
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This reverts commit 89de60c5d8ba64d619101a7498b8c4469b6e50ae.
This commit breaks replica installation
https://fedorahosted.org/freeipa/ticket/6226
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
With CA-less master and CA-less replica, attempting to install CA on replica
would fail. LDAPS has to be enabled during replica promotion, because it is
required by Dogtag.
https://fedorahosted.org/freeipa/ticket/6226
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Allow upgrade process to include schema files from third-party plugins
installed in /usr/share/ipa/schema.d/*.schema.
The directory /usr/shar/eipa/schema.d is owned by the server-common
subpackage and therefore third-party plugins should depend on
freeipa-server-common (ipa-server-common) package in their package
dependencies.
Resolves: https://fedorahosted.org/freeipa/ticket/5864
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
sys.exit() calls sometimes make it hard to find bugs and mask code that
does not always work properly.
https://fedorahosted.org/freeipa/ticket/5750
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Sometimes the lock table would run out of available locks. This should
improve the lock table default configuration.
https://fedorahosted.org/freeipa/ticket/5914
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Use the existing remote server API to create service entries instead of a
client API.
This fixes a crash during replica promotion due to unavailable schema.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
|
