[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][upstream] 329 commits: Bump to IPA 4.12
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Mon Dec 9 13:36:27 GMT 2024
Timo Aaltonen pushed to branch upstream at FreeIPA packaging / freeipa
Commits:
1251c15f by Antonio Torres at 2023-08-21T16:39:16+02:00
Bump to IPA 4.12
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
8d081ce8 by Mohammad Rizwan at 2023-08-23T13:10:02-04:00
ipatests: accommodate DST in ACME cert expiry
There is a one hour time difference in the expiry of an ACME cert if
the certificate is issued while daylight saving time has started and
expires after DST ends. For 2023 daylight saving time starts on
Sunday 12 March and ends on Sunday 5 November. Every certificate
which is expiring after November 5th will have a 1 hour difference in
expiry.
The fix is to use 90 days + 2 hours to expire the cert.
Fixes: https://pagure.io/freeipa/issue/9428
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ed52142c by Rob Crittenden at 2023-08-28T10:21:48-04:00
Use the PKI REST API wherever possible instead of XML
The XML API is already deprecated and will be removed in some
future release.
All but the updateCRL API has an equivalent in REST. The upstream
dogtag project documents most of the API at
https://github.com/dogtagpki/pki/wiki/REST-API . I say most
because not every API includes sample input/output. The
pki ca-cert command is a good substitute for seeing how the API
is used by their own tooling.
This changes no pre-existing conventions. All serial numbers are
converted to decimal prior to transmission and are treated as
strings to avoid previous limitations with sizing (which would
have been exacerbated by random serial numbers).
Fixes: https://pagure.io/freeipa/issue/9345
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
317e7061 by Rob Crittenden at 2023-08-28T10:21:48-04:00
Adjust test to handle revocation reason REMOVE_FROM_CRL
The dogtag REST API has a change of behavior regarding
revocation reason 8, REMOVE_FROM_CRL. The XML interface
accepts it blindly and marks the certificate as revoked.
This is complicated within RFC 5280 but the gist is that
it only affects a certificate on hold and only for delta
CRLs.
So this modifies the behavior of revocation 8 so that
the certificate is put on hold (6) first.
Fixes: https://pagure.io/freeipa/issue/9345
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
0654fb37 by Florence Blanc-Renaud at 2023-08-30T09:13:23-04:00
idp: add the ipaidpuser objectclass when needed
The ipaidpuser objectclass is required for the attribute ipaidpsub.
When a user is created or modified with --idp-user-id, the operation
must ensure that the objectclass is added if missing.
Add a test for user creation and user modification with --idp-user-id.
Fixes: https://pagure.io/freeipa/issue/9433
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8f25b2a7 by Christian Heimes at 2023-08-30T09:18:17-04:00
Refactor CA file handling in replica installer
Clean up and remove obsolete code from ipa-replica-install. For several
versions the replica installer first ensures that a host is an IPA client,
then promotes the client to a replica. The client installer code sets up
CA stores like IPA_CA_CRT already.
Related: https://pagure.io/freeipa/issue/9272
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
45fa4354 by Rob Crittenden at 2023-09-01T13:13:02-04:00
Configure affinity during server installation
Write a new krb5.conf in case any values changed finding the
right server to configure against (e.g. for CA, KRA) and
ensure the API connection is to the remote server that
will be installed against.
When finding a CA or KRA during initial replica installation
set the remote master as well. The order is:
- existing server value in /etc/ipa/default.conf
- the chosen CA host if the server doesn't provide one
- the chosen KRA host if the server doesn't provide one
This is more or less hierarchical. If a server is provided
then that is considered first. If it provides all the
optional services needed (CA and/or KRA) then it will
be used. Otherwise it will fall back to a server that provides
all the required services.
In short, providing --server either at client install or
with ipa-replica-install is no guarantee that it will
define all topology. This may be unexpected behavior.
For the case of adding a CA or KRA things are effectively
unchanged. This type of install does not appear to be
impacted by affinity issues.
Fixes: https://pagure.io/freeipa/issue/9289
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
953c7cc0 by Viktor Ashirov at 2023-09-01T13:16:15-04:00
BDB tuning should be applied only when BDB backend is used
389DS supports BDB and LMDB backends. FreeIPA installation fails with
LMDB backend since it tries to apply tuning for BDB backend.
Instead, tuning for BDB should be applied only when 389DS uses BDB
backend.
Fixes: https://pagure.io/freeipa/issue/9435
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2bc247d8 by Antonio Torres at 2023-09-11T09:12:51+02:00
ipatests: rename 'ipatuura' directory to 'scim' in bridge tests
A recent commit [1] in the ipa-tuura project renamed the 'ipatuura' django app
to 'scim'. Change it in IPA side as well to fix tests.
[1]: https://github.com/freeipa/ipa-tuura/commit/f12592cea496818af782f953e0e9643c9ea440b5
Fixes: https://pagure.io/freeipa/issue/9447
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
d355761f by Alexander Bokovoy at 2023-09-11T09:24:31+02:00
ipa-client-install: enable SELinux for SSSD
For passkeys (FIDO2) support, SSSD uses libfido2 library which needs
access to USB devices. Add SELinux booleans handling to ipa-client-install
so that correct SELinux booleans can be enabled and disabled during
install and uninstall. Ignore and record a warning when SELinux policy
does not support the boolean.
Fixes: https://pagure.io/freeipa/issue/9434
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f123b01d by Alexander Bokovoy at 2023-09-11T09:51:51+02:00
updates: add ACIs for RBCD self-management
Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
- - - - -
6aa3c3b6 by Alexander Bokovoy at 2023-09-12T14:32:00-04:00
Restore selinux states if they exist at uninstall time
Related: https://pagure.io/freeipa/issue/9434
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
dade02d5 by Alexandra Nikandrova at 2023-09-12T21:41:57+02:00
doc: typo in basic_usage.md
Reviewed-By: Antonio Torres <antorres at redhat.com>
- - - - -
f248b22e by Rob Crittenden at 2023-09-14T07:59:44+02:00
Don't assume KRB5CCNAME is in the environment in replica install
The replica install was unilaterally removing KRB5CCNAME from
os.environ in some cases. Instead check first to see if it is
present and only remove in that case.
Fixes: https://pagure.io/freeipa/issue/9446
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
32721c41 by Alexander Bokovoy at 2023-09-18T17:36:40+02:00
Allow ipa-otpd to access USB devices for passkeys
Main SELinux policy will allow transition of passkey_child (SSSD) to
ipa_otpd_t context to perform FIDO2 operations with USB devices.
This means ipa-otpd will need to be able to read data from sysfs and
connect to USB devices.
Add required permissions to IPA subpolicy as well. See rhbz#2238224 for
discussion.
Related: https://pagure.io/freeipa/issue/9434
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Zdenek Pytela <zpytela at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
7ddf7711 by Christian Heimes at 2023-09-18T17:46:24+02:00
Use find_spec() in meta importer
The `find_module()` method of meta importers has been deprecated for a
long time. Python 3.12 no longer falls back to `find_module()`.
See: https://docs.python.org/3.12/whatsnew/3.12.html#removed
Related: https://pagure.io/freeipa/issue/9437
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
496e3ace by Mohammad Rizwan at 2023-09-18T17:51:30+02:00
ipatests: restart ipa services after moving date
When the system date is moved into the future, it has unprecedented
behavior, i.e. the CA becomes unresponsive or the certificate state
is unexpected. Hence restart the ipa services after moving the date
to gracefully serve the request.
Fixes: https://pagure.io/freeipa/issue/9379
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4af05dde by Francisco Trivino at 2023-09-26T11:30:33+02:00
Workshop: fix broken Sphinx cross-references.
Many of the workshop pages links are directing to URLs that end with
".rst" instead of ".html", as a result, these links are broken.
This commit introduces explicit targets and references to ensure that
the pages are correctly linked.
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
8b70ee1e by Florence Blanc-Renaud at 2023-09-29T12:05:48+02:00
Covscan issues: deadcode and Use after free
Covscan detected an unused value in ipa_kdb_principals.c
and a use-after-free in ipa-print-pac.c.
Fixes: https://pagure.io/freeipa/issue/9431
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6aebfe74 by Christian Heimes at 2023-09-29T12:57:06+02:00
Add context manager to ipalib.API
`ipalib.API` instances like `ipalib.api` now provide a context manager
that connects and disconnects the API object. Users no longer have to
deal with different types of backends or finalize the API correctly.
```python
import ipalib

# Entering the context connects the API; leaving it disconnects again.
with ipalib.api as api:
    api.Command.ping()
```
See: https://pagure.io/freeipa/issue/9443
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1a2cd7f4 by Alexander Bokovoy at 2023-09-29T15:06:33-04:00
Use datetime.timezone.utc instead of newer datetime.UTC alias
datetime.UTC alias was added in Python 3.11:
https://docs.python.org/3/library/datetime.html#datetime.UTC
datetime.timezone.utc was present since Python 3.2.
Since RHEL 9 is using Python 3.9, use the more compatible variant.
Fixes: https://pagure.io/freeipa/issue/9454
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
843f4a74 by Antonio Torres at 2023-10-03T14:56:42+02:00
Update translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
fe223cde by Antonio Torres at 2023-10-03T14:57:20+02:00
Update list of contributors
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
48cfe684 by Alexander Bokovoy at 2023-10-04T08:37:28-04:00
Increase memory usage for Azure CI upgrade test
The test often fails when running in parallel to other tests as very
little memory is left. 389-ds memory autotuning causes database backend
to refuse working in such cases. 389-ds team suggested more memory has
to be made available.
Increase RAM for this test to 2.5GB instead of 2.2GB.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b22605ee by Alexander Bokovoy at 2023-10-04T08:37:28-04:00
Azure CI: increase memory for forced reenrollment test
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f9075f9f by Florence Blanc-Renaud at 2023-10-04T09:15:29-04:00
ipatests: fix healthcheck test without DNS
ipa-healthcheck has added a new check for ipa-ca record
missing. The test needs to be adapted to handle the new check.
Fixes: https://pagure.io/freeipa/issue/9459
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e459e5b8 by Florence Blanc-Renaud at 2023-10-04T09:17:52-04:00
ipatests: fix healthcheck test for --indent option
ipa-healthcheck --indent option expects an integer. The error
message changed with ipa-healthcheck 0.13.
Recent versions also check that the value is in the range 0-32.
The test must be compatible with old and new versions.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
430054db by Florence Blanc-Renaud at 2023-10-04T09:20:44-04:00
ipatests: fix test_ipactl_scenario_check
The test is comparing the PID of services before and after
calling ipactl start, expecting to have the same value.
It should not compare the pid for ipa-dnskeysyncd as this service
is automatically restarted upon failure.
Fixes: https://pagure.io/freeipa/issue/9415
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fe005dd3 by Viktor Ashirov at 2023-10-05T07:38:05+02:00
WebUI: update favicon.ico
I noticed that FreeIPA favicon is a bit squished. I would like to unsquish it.
And resize it to 32x32 pixels as it would look a bit better on HiDPI screens.
Fixes: https://pagure.io/freeipa/issue/9449
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Carla Martinez <carlmart at redhat.com>
- - - - -
62454574 by Rob Crittenden at 2023-10-16T13:23:20-04:00
Allow password policy minlength to be removed like other values
This is a side-effect of adding the libpwquality options. It
imposes its own hardcoded minimum password length so some care
was needed to ensure that it isn't set too low.
So if there are no libpwquality options used then it's fine to
have no minlength in the policy.
Fixes: https://pagure.io/freeipa/issue/9297
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
b6af3a43 by Florence Blanc-Renaud at 2023-10-16T14:46:45-04:00
ipalib: fix the IPACertificate validity dates
The class IPACertificate builds objects from x509 Certificate
objects and creates the not_valid_before and not_valid_after values
by converting to a timestamp + applying timezone delta to UTC + reading
from the timestamp. This results in applying twice the delta.
Use a simpler method that replaces the timezone info with UTC in the
datetime object.
Fixes: https://pagure.io/freeipa/issue/9462
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
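Added illustration of the double-offset problem described in commit b6af3a43 above (this is not FreeIPA's code; the sample datetimes and the UTC-4 "local" zone are constructed). A naive datetime that already holds UTC wall-clock time is read as local time by `timestamp()`, so converting the epoch value back as UTC shifts it by the host offset; `replace(tzinfo=timezone.utc)` only attaches the missing label.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: a certificate's notBefore as a naive datetime, the
# shape older python-cryptography returns (wall-clock UTC, tzinfo=None).
NAIVE_UTC_NOT_BEFORE = datetime(2023, 10, 16, 12, 0, 0)

# Constructed sample: the same instant as an aware value in a UTC-4 zone,
# the shape an aware source (e.g. newer *_utc properties) would give.
AWARE_LOCAL_NOT_BEFORE = datetime(2023, 10, 16, 8, 0, 0,
                                  tzinfo=timezone(timedelta(hours=-4)))


def to_utc_via_timestamp(naive_utc, local_tz):
    """The pattern the commit replaces: naive -> epoch seconds -> aware UTC.

    datetime.timestamp() treats a naive value as *local* time. On a host
    living in `local_tz`, naive_utc.timestamp() equals the expression
    below, so the host offset is folded into the epoch value; reading it
    back as UTC keeps that shift and the result is off by the offset.
    `local_tz` stands in for the host zone so the effect is reproducible.
    """
    epoch = naive_utc.replace(tzinfo=local_tz).timestamp()
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def to_utc_by_replace(naive_utc):
    """The fix: the value already is UTC, only the tzinfo label is missing."""
    return naive_utc.replace(tzinfo=timezone.utc)


def ensure_utc(dt):
    """Normalise any certificate datetime to an aware UTC value.

    Naive input is taken to be UTC (the older cryptography contract);
    aware input is converted, so aware values from other sources work too.
    """
    if dt.tzinfo is None:
        return dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def skew_seconds(local_offset_hours, naive_utc=NAIVE_UTC_NOT_BEFORE):
    """Seconds by which the timestamp round-trip misses the true instant
    on a host whose local zone is UTC+local_offset_hours (0 only on UTC)."""
    local_tz = timezone(timedelta(hours=local_offset_hours))
    delta = to_utc_via_timestamp(naive_utc, local_tz) - to_utc_by_replace(naive_utc)
    return int(delta.total_seconds())


if __name__ == "__main__":
    for hours in (-4, 0, 2):
        print(f"host UTC{hours:+d}: round-trip error {skew_seconds(hours)} s")
    print("correct:", ensure_utc(NAIVE_UTC_NOT_BEFORE).isoformat())
```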
a8a92303 by Rob Crittenden at 2023-10-19T07:40:47+02:00
ipa-client: correct directory location by using constants instead
If something in the client sysrestore.state wasn't removed by
the installer a warning message was printed with an incorrect
location. Fix this by using constants instead.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
5270d58a by Endi Sukma Dewata at 2023-10-19T07:42:28+02:00
Enable LWCA monitor explicitly
Currently LWCA is only supported in IPA since the key
replication depends on Custodia, so LWCA is not actually
supported in regular PKI installation. However, currently
the AuthorityMonitor is enabled by default and it executes
a persistent search to monitor LWCA replication so it is
wasting resources in non-IPA environment.
To reduce unnecessary resource consumption the LWCA monitor
will be disabled by default in PKI, so IPA will need to
enable it explicitly for new and existing installations.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
44349cfa by Endi Sukma Dewata at 2023-10-19T07:44:27+02:00
Remove unused hierarchy.select
The hierarchy.select param has been removed in PKI 11.5 so
it doesn't need to be updated in renew_ca_cert.in.
Signed-off-by: Endi Sukma Dewata <edewata at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
1202d014 by Endi Sukma Dewata at 2023-10-19T07:44:27+02:00
Replace subsystem.select with CAInstance.is_crlgen_enabled()
The subsystem.select is not a reliable indicator to determine
whether the CA is a renewal master since there is no process in
PKI to update the param when the role of the instance changes
(from master to clone and vice versa) so the param has been
removed in PKI 11.5.
Instead, it's better to use CAInstance.is_crlgen_enabled() since
CRL generation is only enabled in a renewal master.
Signed-off-by: Endi Sukma Dewata <edewata at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
9d49f403 by Sudhir Menon at 2023-10-19T12:27:01+02:00
ipatests: Skip the test failing due to FIPS policy
1. The test_certmonger_reads_token_HSM test in test_installation.py
is failing in FIPS/STIG mode with the below error.
SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import.
Error attempting to import private key in STIG mode
2. Adding the postfix config change, because there was a crash
seen in smtpd in FIPS mode,
i.e. postconf -e smtpd_tls_fingerprint_digest=sha256
KCS: https://access.redhat.com/solutions/6958957
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d50624dc by Florence Blanc-Renaud at 2023-10-19T13:57:40-04:00
group-add-member fails with an external member
The command ipa group-add-member --external aduser at addomain.test
fails with an internal error when used with samba 4.19.
The command internally calls samba.security.dom_sid(sid) which
used to raise a TypeError but now raises a ValueError
(commit 9abdd67 on https://github.com/samba-team/samba).
IPA source code needs to handle properly both exception types.
Fixes: https://pagure.io/freeipa/issue/9466
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ed6fa602 by Florence Blanc-Renaud at 2023-10-23T13:35:01+02:00
Handle samba changes in samba.security.dom_sid()
samba.security.dom_sid() in 4.19 now raises ValueError instead of
TypeError. Fix the expected exception.
Related: https://pagure.io/freeipa/issue/9466
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
56a2bc57 by Rob Crittenden at 2023-11-02T14:47:50+01:00
In the PKI JSON API the revocation reason key may be case-sensitive
PKI 11.4.0 changed the reason keyword in the REST API from lower-case
to camel-case in https://github.com/dogtagpki/pki/commit/926eb221ce6
Use Reason instead of reason as the keyword for revocations
for PKI 11.4.0+
Related: https://pagure.io/freeipa/issue/9345
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
caccd6c6 by Rob Crittenden at 2023-11-02T14:47:50+01:00
WIP: Get the PKI version from the remote to determine the argument
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
07e56372 by Florence Blanc-Renaud at 2023-11-13T16:39:52-05:00
ipatests: fix expected output for ipahealthcheck.meta.services
ipa-healthcheck commit 31be12b introduced a change in the output
message when pki-tomcatd is not running.
With versions <= 0.12, the service name is displayed as
pki_tomcatd (with an underscore), but with 0.13+ it is
pki-tomcatd (with a dash).
Fixes: https://pagure.io/freeipa/issue/9460
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c63fe925 by Jeremy Frasier at 2023-11-16T15:06:26-05:00
Fixes: Python SyntaxWarnings about invalid escape sequences
Otherwise we get some SyntaxWarnings about invalid escape sequences
such as '\d' and '\{', e.g.:
/usr/sbin/ipa-replica-manage:393: SyntaxWarning: invalid escape sequence '\{'
data = re.match('\{replica (\d+) (ldap://.*:\d+)\}(\s+\w+\s+\w*){0,1}', ruv)
/usr/sbin/ipa-replica-manage:721: SyntaxWarning: invalid escape sequence '\d'
(re.sub(':\d+', '', x), y)
/usr/sbin/ipa-replica-manage:726: SyntaxWarning: invalid escape sequence '\d'
(re.sub(':\d+', '', x), y)
Fixes: https://pagure.io/freeipa/issue/9483
Signed-off-by: Jeremy Frasier <jeremy.frasier at gwe.cisa.dhs.gov>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
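Added example for commit c63fe925 above (not FreeIPA's code): the two patterns from the quoted warnings written as raw strings and applied to constructed nsds50ruv-style lines, plus a check that reproduces the warning by compiling the non-raw literal with warnings escalated to errors.

```python
import re
import warnings

# Raw-string forms of the two patterns quoted in the warnings above. The
# regex engine, not the string literal, must interpret \{ \d \s \w; a plain
# literal containing them is exactly what triggers the invalid-escape warning.
RUV_RE = re.compile(r'\{replica (\d+) (ldap://.*:\d+)\}(\s+\w+\s+\w*){0,1}')
PORT_RE = re.compile(r':\d+')

# Constructed sample values in the "{replica <id> <url>} <min csn> <max csn>"
# layout the first pattern expects (the CSNs are made up).
SAMPLE_RUV = [
    "{replica 4 ldap://replica1.ipa.test:389} "
    "64f0a1b2000000040000 64f0a1c5000100040000",
    "{replica 5 ldap://replica2.ipa.test:389}",
]


def flags_invalid_escape(source):
    """Return True if compiling `source` trips the invalid-escape warning.

    Python 3.12 emits SyntaxWarning for it, earlier versions
    DeprecationWarning; with warnings escalated to errors the compiler
    reports it as a SyntaxError, which is what a `python -W error` run
    (or a test suite that fails on warnings) sees.
    """
    with warnings.catch_warnings():
        warnings.simplefilter("error")
        try:
            compile(source, "<literal>", "eval")
        except (SyntaxError, Warning):
            return True
    return False


def parse_ruv(line):
    """Parse one RUV element into {'id', 'url', 'csns'}; None if no match.

    The port is stripped from the URL with the second pattern, as the
    ipa-replica-manage lines in the warnings do.
    """
    m = RUV_RE.match(line)
    if m is None:
        return None
    return {
        "id": int(m.group(1)),
        "url": PORT_RE.sub("", m.group(2)),   # 'ldap://h:389' -> 'ldap://h'
        "csns": m.group(3).split() if m.group(3) else [],
    }


if __name__ == "__main__":
    for literal in (r"'\d'", r"r'\d'"):
        print(f"{literal:8s} warns: {flags_invalid_escape(literal)}")
    for line in SAMPLE_RUV:
        print(parse_ruv(line))
```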
d659d21b by Rob Crittenden at 2023-11-16T15:51:03-05:00
ipatests: ignore nsslapd-accesslog-logbuffering WARN in healthcheck
Log buffering is disabled in the integration tests so we can have all
the logs at the end. This is causing a warning to show in the 389-ds
checks and causing tests to fail that expect all SUCCESS.
Add an exclude for this specific key so tests will pass again.
We may eventually want a more sophisticated mechanism to handle
excludes, or updating the config in general, but this is fine for now.
Fixes: https://pagure.io/freeipa/issue/9400
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
f00b52ce by Rob Crittenden at 2023-11-16T15:51:03-05:00
ipatests: fix expected output for ipahealthcheck.ipa.host
ipa-healthcheck commit e69589d5 changed the output when a service
keytab is missing to not report the GSSAPI error but to report
that the keytab doesn't exist at all. This distinguishes from real
Kerberos issues like kvno.
Fixes: https://pagure.io/freeipa/issue/9482
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
d97d62de by Christian Heimes at 2023-11-17T11:56:19-05:00
docs: Mention that Keycloak requires openid scope
See: https://www.keycloak.org/docs/latest/upgrading/index.html#userinfo-endpoint-changes
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
51968582 by Antonio Torres at 2023-11-20T14:44:56+01:00
Update translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
5e17c134 by Alexander Bokovoy at 2023-11-27T18:15:44+01:00
Remove ipaserver.custodia.__init__.py
Use native Python namespaces instead.
Related: https://pagure.io/freeipa/issue/9467
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
60fe752d by Rafael Guterres Jeffman at 2023-11-27T18:17:34+01:00
ipaserver/dcerpc: avoid logging stack trace in retrieve_anonymously
If an error occurred when searching for a DC a stack trace was logged,
and execution was aborted.
This patch allows execution to continue and log the error message that
caused the 'finddc' to fail.
Fixes: https://pagure.io/freeipa/issue/9484
Related: https://issues.redhat.com/browse/RHEL-12149
Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6bc9e9d0 by Alexander Bokovoy at 2023-11-28T17:02:47+01:00
Remove upgrade test from Azure CI
It is already running in PR CI for all kinds of targets:
ipatests/prci_definitions/gating.yaml: test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest.yaml: test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_389ds.yaml: test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_pki.yaml: test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_selinux.yaml: test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_testing.yaml: test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_latest_testing_selinux.yaml: test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_previous.yaml: test_suite: test_integration/test_upgrade.py
ipatests/prci_definitions/nightly_rawhide.yaml: test_suite: test_integration/test_upgrade.py
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7ee2d7d3 by Alexander Bokovoy at 2023-11-28T17:02:47+01:00
doc/designs: add description of identity mapping in IPA
Fixes: https://pagure.io/freeipa/issue/9477
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5c861415 by Mark Reynolds at 2023-11-28T17:09:32+01:00
Issue 3656 - Extend schema function to return MAY or MUST attrs
Add new parameters to get_allowed_attributes() to return just MAY or MUST
attributes
Related: https://pagure.io/freeipa/issue/3656
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5deeee31 by Christian Heimes at 2023-12-01T09:46:31+01:00
Add 'cache_dir' option to api.env
`api.env` now has a `cache_dir` option, which defaults to
`os.path.join(USER_CACHE_PATH, 'ipa')`. Schema cache, server info, and
KRA key cache use `api.env.cache_dir` as base directory. The option
allows applications to set a custom cache directory.
Related: https://pagure.io/freeipa/issue/9438
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1513934
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5028b391 by Florence Blanc-Renaud at 2023-12-04T15:58:07+01:00
Integration tests: disable test_sso
Changes in ipa-tuura project are breaking the test
(removal of a script required for test preparation).
Disable the test until a solution is found in ipa-tuura.
Related: https://pagure.io/freeipa/issue/9476
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
d61d1b05 by Florence Blanc-Renaud at 2023-12-11T09:49:47+01:00
Make test_external_ca.py compatible with crypto 41.0.0
The integration test test_external_ca.py is not compatible with
python-cryptography 41.0.0+.
The test is installing ipa server with an externally-signed CA cert
using a Microsoft Certificate Service profile:
ipa-server-install --external-ca --external-ca-type ms-cs
--external-ca-profile "1.2.3.4:10:200"
The command generates a CSR in /root/ipa.csr. The test reads the CSR,
extracts the extensions and compares with the requested extension
for the Microsoft Template.
With python-cryptography 41.0.0+, the extension can be decoded as
cryptography.x509.MSCertificateTemplate while with older version
the extension is decoded as cryptography.x509.UnrecognizedExtension.
Handle both cases properly.
Fixes: https://pagure.io/freeipa/issue/9490
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
53951ca8 by Florence Blanc-Renaud at 2023-12-11T09:52:05+01:00
test_external_idp: update code for selenium 4.10
The integration test is using selenium web driver to simulate a
user authentication with an external IdP. The user performs kinit
and is provided with a URL where he needs to authenticate.
The test was written for selenium API 4.9 and must be adapted to
the changes introduced in 4.10:
- the headless method has been deprecated
- executable_path argument has been deprecated
Fixes: https://pagure.io/freeipa/issue/9493
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
9abb50eb by Florence Blanc-Renaud at 2023-12-11T09:55:20+01:00
test_install: restart services after date change
The test TestKRAinstallAfterCertRenew is moving the
date in the future in order to reach the grace period where
certmonger detects some certificates need to be renewed.
Restart the services after the date change.
Fixes: https://pagure.io/freeipa/issue/9405
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
25b58e6d by Florence Blanc-Renaud at 2023-12-11T11:51:43+01:00
Webui: use service options to init Firefox driver
With selenium driver 4.10 and above, the API for Firefox driver
initialization has changed and no longer uses the log_path argument.
The log path is now provided through a FirefoxService option
in the webdriver initialization.
Fixes: https://pagure.io/freeipa/issue/9492
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
3fd5d57e by Mark Reynolds at 2023-12-14T09:24:46+01:00
Issue 9497 - Add new password policy logging function
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1a16130a by Mark Reynolds at 2023-12-14T09:24:46+01:00
Issue 9497 - Update logging in ipa_enrollment
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8a6361dc by Mark Reynolds at 2023-12-14T09:24:46+01:00
Issue 9497 - update debug logging in ipa_graceperiod
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
23ead1dc by Mark Reynolds at 2023-12-14T09:24:46+01:00
Issue 9497 - update debug logging in ipa_lockout
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
79b08556 by Mark Reynolds at 2023-12-14T09:24:46+01:00
Issue 9497 - update debug logging in ipa_modrdn
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2a1d454c by Mark Reynolds at 2023-12-14T09:24:46+01:00
Issue 9497 - update debug logging in ipa_otp_counter
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6cd5a084 by Mark Reynolds at 2023-12-14T09:24:46+01:00
Issue 9497 - update debug logging in ipa_otp_lasttoken
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0007876f by Mark Reynolds at 2023-12-14T09:24:46+01:00
Issue 9497 - update debug logging in ipa-pwd-extop
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6d3d1918 by Mark Reynolds at 2023-12-14T09:24:46+01:00
Issue 9497 - update debug logging in ipa_uuid
Fixes: https://pagure.io/freeipa/issue/9497
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dc2ab916 by Endi Sukma Dewata at 2023-12-19T12:51:46+01:00
Remove unused pki_theme_* params
The pki_theme_enable and pki_theme_server_dir params are not
used by pkispawn so they can be removed.
Signed-off-by: Endi Sukma Dewata <edewata at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
48846e98 by Rob Crittenden at 2023-12-19T12:58:50+01:00
hbactest was not collecting or returning messages
hbactest does a number of internal searches, one of which
can exceed the configured sizelimit: hbacrule-find
Collect any messages returned from this call and display them
to the user on the cli.
Fixes: https://pagure.io/freeipa/issue/9486
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d1e09c68 by Rob Crittenden at 2023-12-19T12:58:50+01:00
ipatests: Verify that hbactest will return messages
Limit the sizelimit of the hbactest request to confirm that
the output includes a SearchResultTruncated message.
Fixes: https://pagure.io/freeipa/issue/9486
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a177121a by Florence Blanc-Renaud at 2023-12-19T14:59:42+01:00
ipatests: disable dnssec validation in tests using dnf
The 2 following tests rely on dnf install and use
mirrors.fedoraproject.org which has a broken trust chain.
Disable dnssec validation so that dnf succeeds.
Fixes: https://pagure.io/freeipa/issue/9498
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
821259f0 by Thorsten Scherf at 2023-12-19T16:24:19+01:00
ipa-client: Check if IPA CA cert is empty
IPA CA file should not be used when file is empty.
Fixes: https://pagure.io/freeipa/issue/9499
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
00f8ddbf by Alexander Bokovoy at 2023-12-22T10:34:19+01:00
ipa-kdb: add better detection of allowed user auth type
If default user authentication type is set to a list that does not
include a password or a hardened credential, the resulting configuration
might be incorrect for special service principals, including a krbtgt/..
one.
Add detection of special principals to avoid these situations and always
allow password or hardened for services.
Special handling is needed for the following principals:
- krbtgt/.. -- TGT service principals
- K/M -- master key principal
- kadmin/changepw -- service for changing passwords
- kadmin/kadmin -- kadmin service principal
- kadmin/history -- key used to encrypt history
Additionally, implicitly allow password or hardened credential use for
IPA services and IPA hosts since applications typically use keytabs for
that purpose.
Fixes: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
69ae9feb by Alexander Bokovoy at 2023-12-22T10:34:19+01:00
ipa-kdb: when applying ticket policy, do not deny PKINIT
PKINIT differs from other pre-authentication methods by the fact that it
can be matched independently of the user authentication types via certmap
plugin in KDC.
Since PKINIT is a strong authentication method, allow its authentication
indicator and only apply the ticket policy.
Fixes: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
62c44c9e by Alexander Bokovoy at 2023-12-22T10:34:19+01:00
ipa-kdb: clarify user auth table mapping use of _AUTH_PASSWORD
Related: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
c3bc9386 by Alexander Bokovoy at 2023-12-22T10:34:19+01:00
ipatests: make sure PKINIT enrollment works with a strict policy
Previously, for a global policy which does not include
'password', krb5kdc restart was failing. Now it should succeed.
We set admin user authentication type to PASSWORD to simplify
configuration in the test.
What matters here is that global policy does not include PKINIT and that
means a code in the ticket policy check will allow PKINIT implicitly
rather than explicitly.
Related: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
8981ede1 by Florence Blanc-Renaud at 2024-01-09T08:40:47+01:00
azure tests: move to fedora 39
Update python3 to ensure the fix for BZ 2252567 is pulled.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
020af153 by Florence Blanc-Renaud at 2024-01-09T08:40:47+01:00
pylint: updates related to deprecations
pylint 3.0 has deprecated a few functions:
- check_messages: Use utils.only_required_for_messages
- The config attribute of BaseChecker has been deprecated. You can
use checker.linter.config to access the global configuration object
instead of a checker-specific object
- Everything related to the __implements__ construct was removed.
- Checker should only inherit BaseChecker or any of the other checker
types from pylint.checkers.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7f485ba7 by Florence Blanc-Renaud at 2024-01-09T08:40:47+01:00
pylint: disable new checks
pylint 3.0 introduces new checks that raise too many errors:
use-implicit-booleaness-not-comparison-to-string,
use-implicit-booleaness-not-comparison-to-zero,
broad-exception-raised,
Disable the new checks in pylintrc
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8d7bd6c6 by Florence Blanc-Renaud at 2024-01-09T08:40:47+01:00
pylint: fix errors
Fix the following errors:
I0021(useless-suppression)
R1710(inconsistent-return-statements)
E1101(no-member)
Ignore the following errors:
E0601(used-before-assignment)
The variable is imported when the code is run in_server.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
bf1110bd by Florence Blanc-Renaud at 2024-01-09T08:40:47+01:00
Tox: use sitepackages
Tox is creating a virtual environment before execution.
With python 3.12 the virtual env does not include any
more setuptools, so use setuptools from the globally
installed packages.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
11877d59 by Rob Crittenden at 2024-01-09T16:15:23-05:00
Include supported migration scenarios in the ipa-to-ipa docs
Lay out the supported migration paths. Users are likely to get
creative with migration so we need to narrow the path for which
we can provide support.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
13778d88 by Rob Crittenden at 2024-01-10T10:26:51+01:00
Check the HTTP Referer header on all requests
The referer was only checked in WSGIExecutioner classes:
- jsonserver
- KerberosWSGIExecutioner
- xmlserver
- jsonserver_kerb
This left /i18n_messages, /session/login_kerberos,
/session/login_x509, /session/login_password,
/session/change_password and /session/sync_token unprotected
against CSRF attacks.
CVE-2023-5455
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
- - - - -
86b073a7 by Rob Crittenden at 2024-01-10T10:27:06+01:00
Integration tests for verifying Referer header in the UI
Validate that the change_password and login_password endpoints
verify the HTTP Referer header. There is some overlap in the
tests: belt and suspenders.
All endpoints except session/login_x509 are covered, sometimes
having to rely on expected bad results (see the i18n endpoint).
session/login_x509 is not tested yet as it requires significant
additional setup in order to associate a user certificate with
a user entry, etc.
This can be manually verified by modifying /etc/httpd/conf.d/ipa.conf
and adding:
Satisfy Any
Require all granted
Then comment out Auth and SSLVerify, etc. and restart httpd.
With a valid Referer will fail with a 401 and log that there is no
KRB5CCNAME. This comes after the referer check.
With an invalid Referer it will fail with a 400 Bad Request as
expected.
CVE-2023-5455
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
- - - - -
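The two commits above describe a Referer check that has to run in front of every endpoint, not only the WSGIExecutioner classes. The following is an added illustration, not FreeIPA's own code: a small WSGI wrapper that rejects a missing, relative or foreign-host Referer with 400 Bad Request before the wrapped endpoint sees the request, together with a constructed stand-in backend (the hostnames, paths and the `backend_app` behaviour are assumptions made for the example).

```python
from urllib.parse import urlsplit

# Hostnames this IPA web server answers for (constructed for the example).
ALLOWED_HOSTS = {"ipa.example.test"}


def referer_is_valid(referer, allowed_hosts):
    """Return True only for an absolute http(s) Referer whose host is ours.

    A missing header, a relative URL or a foreign host all count as invalid:
    a cross-site form post cannot carry a same-origin Referer, so failing the
    check here stops the CSRF case the commit describes. The host is compared
    as a whole, so 'ipa.example.test.attacker.example' is not accepted.
    """
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    return parts.hostname.lower() in allowed_hosts


class RefererCheckMiddleware:
    """WSGI wrapper applying the check to every path, so endpoints that are
    not WSGIExecutioner classes (e.g. /i18n_messages, /session/*) are covered
    too. Hypothetical code for this example."""

    def __init__(self, app, allowed_hosts):
        self.app = app
        self.allowed_hosts = allowed_hosts

    def __call__(self, environ, start_response):
        if not referer_is_valid(environ.get("HTTP_REFERER"), self.allowed_hosts):
            start_response("400 Bad Request",
                           [("Content-Type", "text/plain")])
            return [b"Missing or invalid HTTP Referer\n"]
        return self.app(environ, start_response)


def backend_app(environ, start_response):
    """Constructed stand-in for the real endpoints.

    The Kerberos/X.509 login endpoints answer 401 when no credential cache is
    present (the 'no KRB5CCNAME' case from the commit); everything else
    answers 200. Reaching either status proves the Referer check ran first.
    """
    path = environ.get("PATH_INFO", "")
    if path in ("/session/login_kerberos", "/session/login_x509") \
            and "KRB5CCNAME" not in environ:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"no KRB5CCNAME\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def request_status(app, path, referer=None):
    """Drive a WSGI app with a minimal environ and return its status line."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path,
               "SERVER_NAME": "ipa.example.test", "wsgi.url_scheme": "https"}
    if referer is not None:
        environ["HTTP_REFERER"] = referer
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    b"".join(app(environ, start_response))  # consume the body
    return seen["status"]


APP = RefererCheckMiddleware(backend_app, ALLOWED_HOSTS)

if __name__ == "__main__":
    print(request_status(APP, "/session/login_password",
                         "https://ipa.example.test/ipa/ui/"))   # 200 OK
    print(request_status(APP, "/i18n_messages",
                         "https://attacker.example/form.html"))  # 400 Bad Request
    print(request_status(APP, "/session/change_password"))        # 400 Bad Request
    print(request_status(APP, "/session/login_kerberos",
                         "https://ipa.example.test/ipa/ui/"))   # 401 Unauthorized
```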
a44cb097 by Rob Crittenden at 2024-01-10T13:35:51-05:00
ACME: Don't treat pki-server ca-config-show failures as fatal
Up to PKI 11.5.0 even when a pki-server call failed it had a
return value of 0. This was fixed in 11.5.0 which breaks
ipa-acme-manage pruning. If a configuration value is not set
then the call fails and the tool gives up with an error like:
ERROR: No such parameter: jobsScheduler.job.pruning.certRetentionUnit
In previous versions this resulted in an empty string so the tool
displayed the default value.
So now upon failure look in the stderr output for "No such parameter"
and return an empty string so the behavior is consistent between
both old and new PKI server versions.
Fixes: https://pagure.io/freeipa/issue/9503
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
8ef3d6ce by Sudhir Menon at 2024-01-10T14:58:49-05:00
ipatests: Skip ds_encryption tests on RHEL9 SUT.
test_ipahealthcheck_ds_encryption tests are failing
in RHEL9 SUT because in this test tls protocol version
is set to TLS1.0 using the below command, but it's
reset to TLS1.2 causing the test to fail.
'dsconf', 'slapd-TESTREALM-TEST', 'security', 'set', '--tls-protocol-min=TLS1.0'
Hence the test is skipped to be run on RHEL9.0 SUT.
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
e4420624 by Rob Crittenden at 2024-01-11T17:13:35+01:00
Fix ipa-client-automount install/uninstall with new install states
Issue 8384 introduced a new installation state for the statestore
to identify when client/server installation is completely finished
rather than relying on has_files().
The problem is that ipa-client-automount may be called during
ipa-client-install and since installation is not complete at that
point the automount install was failing with "IPA client not
configured".
Add a new state, 'automount', to designate that automount installation
is in process. If check_client_configuration() fails it checks to
see if [installation] automount is True. If so it continues with the
installation.
This also addresses an issue where the filestore and statestore are
shared between the client and automount installers but the client
wasn't refreshing state after automount completed. This resulted in
an incomplete state and index file of backed-up files which caused
files to not be restored on uninstall and the state file to be
orphaned.
Fixes: https://pagure.io/freeipa/issue/9487
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ce811db6 by Rob Crittenden at 2024-01-11T17:13:35+01:00
ipatests: Test client install/uninstall with automount enabled
The automount installation was failing. Confirm that it is fixed.
The uninstall was not restoring all files/configuration. Verify
that the index and state files are gone which means that all state
and files were restored.
Fixes: https://pagure.io/freeipa/issue/9487
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
54fb1173 by Rob Crittenden at 2024-01-11T17:13:35+01:00
ipa-client-automount: Don't use deprecated ipadiscovery.IPADiscovery
This class was moved to ipaclient/discovery.py in e6d560af66 to make
it available to PyPI.
Related: https://pagure.io/freeipa/issue/9487
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
2a95a05f by Rob Crittenden at 2024-01-11T17:15:53+01:00
Server affinity: Retain user-requested remote server
We want to avoid splitting a replica server installation between
two hosts where possible so if a CA or KRA is requested then
we only try to install against a remote server that also provides
those capabilities. This avoids race conditions.
If a CA or KRA is not requested and the user has provided a
server to install against then use that instead of overriding it.
Extend the logic of picking the remote Custodia mode
(KRA, CA, *MASTER*) to include considering whether the
CA and KRA services are requested. If the service(s) are
not requested then the associated hostname may not be
reliable.
Fixes: https://pagure.io/freeipa/issue/9491
Related: https://pagure.io/freeipa/issue/9289
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e5a9e461 by Rob Crittenden at 2024-01-11T17:19:47+01:00
get_directive: don't error out on substring mismatch
This function is designed to retrieve a value from an
ini-like file. In particular PKI CS.cfg.
In an attempt to be more efficient a substring search,
using startswith(), is used before calling a regular
expression match.
The problem is that if the requested directive is a
substring of a different one then it will pass the
startswith() and fail the regular expression match
with a ValueError, assuming it is malformed.
There is no need for this. The caller must be able to
handle None as a response anyway. So continue if
no match is found.
This was seen when PKI dropped storing certificate blobs
in CS.cfg. The CA certificate is stored in ca.signing.cert.
If it isn't present then ca.signing.certnickname will match
the substring but not the directive. This should not be
treated as an error.
Fixes: https://pagure.io/freeipa/issue/9506
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
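The commit above describes a lookup where a cheap `startswith()` filter runs before the full regular-expression match, so a directive that is merely a prefix of another one (`ca.signing.cert` versus `ca.signing.certnickname`) used to be reported as malformed. The following is an added reconstruction for illustration, not the project's `get_directive` itself; the function signatures, the `=` separator and the CS.cfg fragment are assumptions made for the example, and the old and corrected behaviours sit side by side.

```python
import re

# Constructed CS.cfg-style fragment for this example (not a real file from a
# PKI deployment): the certificate blob 'ca.signing.cert' has been dropped,
# but 'ca.signing.certnickname', which has the requested name as a prefix,
# is still present.
SAMPLE_CS_CFG = """\
# comment line
ca.signing.certnickname=caSigningCert cert-pki-ca
ca.signing.tokenname=internal
ca.sslserver.cert=MIIC...constructed-placeholder...
"""


def _directive_re(directive, separator):
    # Anchor on the full directive name followed by the separator, so a longer
    # name sharing the prefix ('ca.signing.certnickname') does not match.
    return re.compile(r'^\s*%s\s*%s\s*(.*?)\s*$'
                      % (re.escape(directive), re.escape(separator)))


def get_directive_buggy(lines, directive, separator='='):
    """Old behaviour as the commit describes it (hypothetical reconstruction):
    a startswith() filter, then a strict regex; a line that passes the filter
    but not the regex is treated as malformed and raises ValueError."""
    pattern = _directive_re(directive, separator)
    for line in lines:
        if line.lstrip().startswith(directive):
            match = pattern.match(line)
            if match is None:
                raise ValueError('Malformed directive: %s' % line.strip())
            return match.group(1)
    return None


def get_directive_fixed(lines, directive, separator='='):
    """Same lookup, but a prefix-only hit is skipped and the scan continues;
    None is returned when no line carries the directive, which the caller
    must be able to handle anyway."""
    pattern = _directive_re(directive, separator)
    for line in lines:
        if not line.lstrip().startswith(directive):
            continue
        match = pattern.match(line)
        if match is None:
            continue  # prefix of a different directive, keep looking
        return match.group(1)
    return None


if __name__ == '__main__':
    lines = SAMPLE_CS_CFG.splitlines()
    print(get_directive_fixed(lines, 'ca.signing.cert'))          # None
    print(get_directive_fixed(lines, 'ca.signing.certnickname'))  # caSigningCert cert-pki-ca
    try:
        get_directive_buggy(lines, 'ca.signing.cert')
    except ValueError as err:
        print('old behaviour:', err)
```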
2c0fe1dd by zoedong at 2024-01-12T08:36:20-05:00
ipaplatform: add opencloudos/tencentos support
Fixes: https://pagure.io/freeipa/issue/9501
Signed-off-by: zoedong <zoedong at tencent.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
49c090b9 by 007hacky007 at 2024-01-12T15:26:45+01:00
webui: Unify user group members columns with users columns
Adds 'givenname', 'sn' and 'nsaccountlock' columns to the user group members
and makes columns in the users view and user group members unified.
i.e. Makes easy to see disabled users in the group.
Fixes: https://pagure.io/freeipa/issue/9390
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Carla Martinez <carlmart at redhat.com>
- - - - -
2874823c by Carla Martinez at 2024-01-12T15:26:45+01:00
ipatests: test new columns in group details
Test for checking the new columns 'givenname', 'sn' and 'nsaccountlock'.
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Carla Martinez <carlmart at redhat.com>
- - - - -
a5d38ca1 by Alexander Bokovoy at 2024-01-12T18:41:01-05:00
host: update System: Manage Host Keytab permission
Since commit 5c0e7a5fb420377dcc06a956695afdcb35196444, a new extended
operation to get a keytab is supposed to be used. This keytab
setting/retrieval extended operation checks access rights of the bound
DN to write to a virtual attribute 'ipaProtectedOperation;write_keys'.
If the write isn't allowed, the operation is rejected and ipa-getkeytab
tool falls back to an older code that generates the keytab on the client
and forcibly sets to the LDAP entry. For the latter, a check is done to
make sure the bound DN is allowed to write to 'krbPrincipalKey' attribute.
This fallback should never happen for newer deployments. When enrollment
operation is delegated to non-administrative user with the help of 'Host
Enrollment' role, a host can be pre-created or created at enrollment
time, if this non-administrative user has 'Host Administrators' role. In
the latter case a system permission 'System: Manage Host Keytab' grants
write access to 'krbPrincipalKey' attribute but lacks any access to the
virtual attributes expected by the new extended operation.
There is a second virtual attribute, 'ipaProtectedOperation;read_keys',
that allows to retrieve existing keys for a host. However, during
initial enrollment we do not allow to retrieve and reuse existing
Kerberos key: while 'ipa-getkeytab -r' would give ability to retrieve
the existing key, 'ipa-join' has no way to trigger that operation.
Hence, permission 'System: Manage Host Keytab' will not grant the right
to read the Kerberos key via extended operation used by 'ipa-getkeytab
-r'. Such operation can be done later by utilizing 'ipa
service/host-allow-retrieve-keytab' commands.
Fix 'System: Manage Host Keytab' permission and extend a permission test
to see that we do not fallback to the old extended operation.
Fixes: https://pagure.io/freeipa/issue/9496
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
717ae87a by Florence Blanc-Renaud at 2024-01-12T18:46:41-05:00
Nightly tests: test on f38 and f39
Fedora 39 is now officially available. Update the test definitions:
- latest now uses f39
- previous now uses f38
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
9b456101 by Alexander Bokovoy at 2024-01-17T19:32:47+01:00
adtrustinstance: make sure NetBIOS name defaults are set properly
Some tools may pass None as NetBIOS name if not put explicitly by a
user. This was meant to use the default NetBIOS name generator based on the
domain (realm) name. However, this wasn't done properly, so None is
passed later to python-ldap and it rejects such an LDAP entry.
Fixes: https://pagure.io/freeipa/issue/9514
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
36455436 by Rob Crittenden at 2024-01-18T11:51:18+01:00
Server affinity: Don't rely just on [ca|kra]_enabled for installs
ca_enable and kra_enabled are intended to be used to identify that
a CA or KRA is available in the topology. It was also being used
to determine whether a CA or KRA service is desired on a replica
install, rather than options.setup_[ca|kra]
Fixes: https://pagure.io/freeipa/issue/9510
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c740cb84 by Masahiro Matsuya at 2024-01-23T07:57:56+01:00
ipatests: wait for replica update in test_dns_locations
test_ipa_ca_records and test_adtrust_system_records can fail with
NXDOMAIN, because they don't wait long enough for the update on the replica.
It can be resolved by waiting for the update with wait_for_replication.
Fixes: https://pagure.io/freeipa/issue/9504
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e399232a by Alexander Bokovoy at 2024-01-23T13:19:37+01:00
ipasam: make krbtgt TDO principal canonical
For the trusted domain object for remote realm, we have to use
krbtgt/REMOTE-FLAT-NAME at OUR-REALM as a canonical name.
Fixes: https://pagure.io/freeipa/issue/9471
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
5adc07ae by Alexander Bokovoy at 2024-01-23T13:19:37+01:00
doc/Makefile: run sphinx in serial mode
Unfortunately, using pydata_sphinx_theme extension generates warnings in
sphinx processing. These warnings cause documentation build to be
considered a failure:
WARNING: the pydata_sphinx_theme extension is not safe for parallel writing
WARNING: doing serial write
....
build finished with problems, 2 warnings.
make: *** [Makefile:24: html] Error 1
Since the build is already doing a serial write, enforce it from start.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
e6014a5c by Rob Crittenden at 2024-01-23T16:32:58+01:00
Server affinity: call ca.install() if there is a CA in the topology
This should not have been gated on options.setup_ca because we need
the RA agent on all servers if there is a CA in the topology otherwise
the non-CA servers won't be able to communicate with the CA.
Fixes: https://pagure.io/freeipa/issue/9510
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a45a7a20 by Christian Heimes at 2024-01-24T14:54:24+01:00
Compatibility fix for PyCA cryptography 42.0.0
Cryptography 42.0.0 introduced two new abstract properties
`not_valid_before_utc` and `not_valid_after_utc`, which are non-naive UTC
variants of the `not_valid_before` and `not_valid_after` properties.
The old properties are deprecated. The changeset also modifies code and
tests to use the new `_utc` variants.
Fixes: https://pagure.io/freeipa/issue/9518
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
22875ea2 by Christian Heimes at 2024-01-25T18:07:20+01:00
test_acme: Use ipalib.x509
Use IPA's x509 module instead of `cryptography.x509`. This fixes a
regression which was introduced in commit a45a7a20.
Related: https://pagure.io/freeipa/issue/9518
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
d002a4d7 by Stanislav Levin at 2024-01-30T07:43:57+01:00
ipapython: Clean up krb5_error
`krb5_error` has a different definition in MIT krb.
https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/types/krb5_error.html
> Error message structure.
>
> Declaration:
> typedef struct _krb5_error krb5_error
While `krb5_error_code`
https://web.mit.edu/kerberos/www/krb5-latest/doc/appdev/refs/types/krb5_error_code.html#c.krb5_error_code
> krb5_error_code
> Used to convey an operation status.
>
> The value 0 indicates success; any other values are com_err codes. Use krb5_get_error_message() to obtain a string describing the error.
>
> Declaration
> typedef krb5_int32 krb5_error_code
And this is what was actually used.
To prevent confusion of types `krb5_error` was replaced with
`krb5_error_code`.
Fixes: https://pagure.io/freeipa/issue/9519
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6cd04875 by Stanislav Levin at 2024-01-30T07:43:57+01:00
ipapython: Correct return type of krb5_free_cred_contents
According to https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_free_cred_contents.html
> krb5_free_cred_contents - Free the contents of a krb5_creds structure.
>
> void krb5_free_cred_contents(krb5_context context, krb5_creds * val)
> param:
> [in] context - Library context
>
> [in] val - Credential structure to free contents of
>
> This function frees the contents of val , but not the structure itself.
https://github.com/krb5/krb5/blob/5b00197227231943bd2305328c8260dd0b0dbcf0/src/lib/krb5/krb/kfree.c#L166
This leads to undefined behavior and `krb5_free_cred_contents` can
raise KRB5Error (because of garbage data) while actually its foreign
function doesn't.
Fixes: https://pagure.io/freeipa/issue/9519
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9802e852 by Stanislav Levin at 2024-01-30T07:43:57+01:00
ipapython: Propagate KRB5Error exceptions on iterating ccache
`ipapython.session_storage.get_data` iterates over
credentials in a credential cache till `krb5_cc_next_cred` returns
an error. This function doesn't expect any error on calling
other kerberos foreign functions during iteration. But that can
actually happen and KRB5Error exceptions stop an iteration while
they should be propagated.
With this change iteration will exactly stop on `krb5_cc_next_cred`
error as it was supposed to be.
Fixes: https://pagure.io/freeipa/issue/9519
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
75afdfea by Julien Rische at 2024-01-30T07:50:19+01:00
ipa-kdb: Fix memory leak during PAC verification
Commit 0022bd70d93708d325855d5271516d6cd894d6e8 introduced a memory leak
during the copy of some PAC buffers, because of an unfreed memory
allocation context.
Fixes: https://pagure.io/freeipa/issue/9520
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d4ffc53b by Alexander Bokovoy at 2024-01-30T10:11:47-05:00
doc/designs/id-mapping.md: expand on ID range allocation details
Related: https://pagure.io/freeipa/issue/9477
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
2d0a088f by Francisco Trivino at 2024-01-30T10:18:02-05:00
Vault: add support for RSA-OAEP wrapping algo
None of the FIPS certified modules in RHEL support PKCS#1 v1.5 as FIPS
approved mechanism. This commit adds support for RSA-OAEP padding as a
fallback.
Fixes: https://pagure.io/freeipa/issue/9191
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4cc6b9cd by Francisco Trivino at 2024-01-30T10:18:02-05:00
Vault: improve vault server archival/retrieval calls error handling
If a vault operation fails, the error message just says "InternalError". This commit
improves error handling of key archival and retrieval calls by catching the PKIException
error and raising it as an IPA error.
Related: https://pagure.io/freeipa/issue/9191
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
305fcc25 by Francisco Trivino at 2024-01-30T10:18:02-05:00
kra: set RSA-OAEP as default wrapping algo when FIPS is enabled
Vault uses PKCS1v15 as default padding wrapping algo, which is not an approved
FIPS algorithm. This commit ensures that KRA is installed with RSA-OAEP if FIPS
is enabled. It also handles upgrade path.
Fixes: https://pagure.io/freeipa/issue/9191
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f8dcd788 by Alexander Bokovoy at 2024-01-30T16:25:29+01:00
sidgen: ignore staged users when generating SIDs
Staged users have
uidNumber: -1
gidNumber: -1
ipaUniqueID: autogenerate
We cannot generate ipaSecurityIdentifier based on those UID/GID numbers.
However, '-1' value will trigger an error
find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 483]: ID value too large.
And that, in turn, will cause stopping SID generation for all users.
Detect 'ipaUniqueID: autogenerate' situation and ignore these entries.
Fixes: https://pagure.io/freeipa/issue/9517
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz at redhat.com>
- - - - -
89d945fe by Alexander Bokovoy at 2024-01-30T16:25:29+01:00
sidgen: fix missing prototypes
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz at redhat.com>
- - - - -
ed977a6e by Alexander Bokovoy at 2024-01-30T16:25:29+01:00
kdb: PAC generator: do not fail if canonical principal is missing
krbCanonicalName is mandatory for services but IPA services created
before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no normalization done
to set krbCanonicalName; services created after that version were
upgraded to do have krbCanonicalName.
Accept krbPrincipalName alone since they have no alias either
Fixes: https://pagure.io/freeipa/issue/9465
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz at redhat.com>
- - - - -
677d3080 by Florence Blanc-Renaud at 2024-01-30T18:25:10+01:00
ipa-backup: adapt for 389ds switch to LMDB
ipa-backup is relying on the presence of the directory
/var/lib/dirsrv/slapd-<INSTANCE>/db/ipaca/
to detect if the CA is installed on the server and backup
the ipaca backend.
With the switch to LMDB, this directory does not exist and the
backup is missing ipaca information.
Use lib389.cli_ctl.dblib.run_dbscan utility instead to
check if ipaca backend is present (this method has been
introduced in 389ds 2.1.0 and works with Berkeley DB and LMDB).
Fixes: https://pagure.io/freeipa/issue/9516
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz at redhat.com>
- - - - -
9c470d10 by Florence Blanc-Renaud at 2024-01-30T18:27:12+01:00
ipatests: test_idp fails calling yum list wget
On rawhide, the package wget has been replaced with wget2
(more info in https://bugzilla.redhat.com/show_bug.cgi?id=2254790).
The test test_idp is checking that the sudo command is working
for a keycloak user, by creating a sudo rule for the yum command
and calling sudo yum list wget.
As the wget package does not exist any more on Rawhide, the command
returns an error:
Error: No matching Packages to list
and the test fails.
Replace the call "sudo yum list wget" with a call to "sudo yum list yum"
as the yum package is always present.
Fixes: https://pagure.io/freeipa/issue/9522
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7f849956 by Sudhir Menon at 2024-02-02T11:03:00+01:00
ipatests: Skip tests for ipahealthcheck tests for specific pki version
CADogtagCertsConfigCheck is no longer available on RHEL9, hence the
respective tests are skipped.
Check 'CADogtagCertsConfigCheck' not found in Source 'pki.server.healthcheck.meta.csconfig'
Ref: https://issues.redhat.com/browse/RHEL-21367
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
bd04dc28 by Alexander Bokovoy at 2024-02-06T10:57:08+01:00
ipa-kdb: support Samba 4.20 private libraries
Samba 4.20 will change name extension of the private libraries from
'samba4' to 'private-samba'. Detect private extension through configure
step and make sure to use the right library name in Makefile.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
41bc6fc3 by Temuri Doghonadze at 2024-02-06T15:14:45+01:00
Translated using Weblate (Georgian)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
abc48e28 by 김인수 at 2024-02-06T15:14:45+01:00
Translated using Weblate (Korean)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c3cb63e5 by Jan Kuparinen at 2024-02-06T15:14:45+01:00
Translated using Weblate (Finnish)
Co-authored-by: Ricky Tigg <ricky.tigg at gmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9e31e704 by Piotr Drąg at 2024-02-06T15:14:45+01:00
Translated using Weblate (Polish)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
591bbee8 by Yuri Chornoivan at 2024-02-06T15:14:45+01:00
Translated using Weblate (Ukrainian)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b9552bcb by Andika Triwidada at 2024-02-06T15:14:45+01:00
Translated using Weblate (Indonesian)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6a591109 by Weblate at 2024-02-07T09:46:12+01:00
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
f3a3d291 by Emilio Herrera at 2024-02-08T15:35:22+01:00
Translated using Weblate (Spanish)
Currently translated at 58.1% (2834 of 4877 strings)
Co-authored-by: Emilio Herrera <ehespinosa57 at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/es/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d6aaa626 by Rafael Fontenelle at 2024-02-08T15:35:22+01:00
Translated using Weblate (Portuguese (Brazil))
Currently translated at 4.5% (223 of 4877 strings)
Co-authored-by: Rafael Fontenelle <rafaelff at gnome.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pt_BR/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
bea9614b by 김인수 at 2024-02-08T15:35:22+01:00
Translated using Weblate (Korean)
Currently translated at 4.4% (216 of 4877 strings)
Co-authored-by: 김인수 <simmon at nplob.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
dfb5099e by Florence Blanc-Renaud at 2024-02-12T08:32:20+01:00
ipatests: remove xfail thanks to sssd 2.9.4
SSSD 2.9.4 fixes some issues related to auto-private-group
Related: https://pagure.io/freeipa/issue/9295
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
908ef6a1 by Florence Blanc-Renaud at 2024-02-12T08:32:20+01:00
ipatests: add xfail for autoprivate group test with override
Because of SSSD issue 7169, secondary groups are not
retrieved when autoprivate group is set and an idoverride
replaces the user's primary group.
Mark the known issues as xfail.
Related: https://github.com/SSSD/sssd/issues/7169
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
8b48c5f9 by Rafael Fontenelle at 2024-02-13T15:35:26+01:00
Translated using Weblate (Portuguese (Brazil))
Currently translated at 4.6% (227 of 4877 strings)
Co-authored-by: Rafael Fontenelle <rafaelff at gnome.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pt_BR/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
05f8eaea by Temuri Doghonadze at 2024-02-13T15:35:26+01:00
Translated using Weblate (Georgian)
Currently translated at 11.7% (572 of 4877 strings)
Co-authored-by: Temuri Doghonadze <temuri.doghonadze at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
27506375 by Weblate Translation Memory at 2024-02-13T15:35:26+01:00
Translated using Weblate (Georgian)
Currently translated at 11.7% (572 of 4877 strings)
Co-authored-by: Weblate Translation Memory <noreply-mt-weblate-translation-memory at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b29f2e23 by Temuri Doghonadze at 2024-02-13T15:35:26+01:00
Translated using Weblate (Georgian)
Currently translated at 27.8% (1358 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
5b182399 by Weblate Translation Memory at 2024-02-13T15:35:26+01:00
Translated using Weblate (Georgian)
Currently translated at 27.8% (1358 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
5c91cb2f by Weblate Translation Memory at 2024-02-13T15:35:26+01:00
Translated using Weblate (Georgian)
Currently translated at 30.0% (1466 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e2cab8e9 by Temuri Doghonadze at 2024-02-13T15:35:26+01:00
Translated using Weblate (Georgian)
Currently translated at 30.0% (1466 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4ab602a6 by Temuri Doghonadze at 2024-02-13T15:35:26+01:00
Translated using Weblate (Georgian)
Currently translated at 35.0% (1708 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e5bb0f39 by Florence Blanc-Renaud at 2024-02-14T09:26:00+01:00
ipatests: fix tasks.wait_for_replication method
With the fix for https://pagure.io/freeipa/issue/9171, the
method entry.single_value['nsds5replicaupdateinprogress'] now
returns a Boolean instead of a string "TRUE"/"FALSE".
The method tasks.wait_for_replication needs to be fixed so that
it properly detects when replication is not done.
Fixes: https://pagure.io/freeipa/issue/9530
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
83592935 by Julien Rische at 2024-02-16T09:38:02+01:00
ipa-kdb: Rework ipadb_reinit_mspac()
Modify ipadb_reinit_mspac() to allocate and initialize ipactx->mspac
only if all its attributes can be set. If not, ipactx->mspac is set to
NULL. This makes it easier to determine if the KDC is able to generate PACs
or not.
Also ipadb_reinit_mspac() is now able to return a status message
explaining why initialization of the PAC generator failed. This message
is printed in KDC logs.
Fixes: https://pagure.io/freeipa/issue/9535
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
dc3e902b by Julien Rische at 2024-02-20T16:33:59+01:00
ipa-kdb: Fix double free in ipadb_reinit_mspac()
Fixes: https://pagure.io/freeipa/issue/9535
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
404fe101 by Alexander Bokovoy at 2024-02-21T17:07:33-05:00
rpcserver: validate Kerberos principal name before running kinit
Do minimal validation of the Kerberos principal name when passing it to
kinit command line tool. Also pass it as the final argument to prevent
option injection.
Accepted Kerberos principals are:
- user names, using the following regexp
(username with optional @realm, no spaces or slashes in the name):
"(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?@?[a-zA-Z0-9.-]*$"
- service names (with slash in the name but no spaces). Validation of
the hostname is done. There is no validation of the service name.
The regular expression above also covers cases where a principal name
starts with '-'. This prevents option injection as well.
This fixes CVE-2024-1481
Fixes: https://pagure.io/freeipa/issue/9541
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
33af154b by Rob Crittenden at 2024-02-22T14:35:59-05:00
validate_principal: Don't try to verify that the realm is known
The actual value is less important than whether it matches the
regular expression. A number of legal but difficult to know in
context realms could be passed in here (trust for example).
This fixes CVE-2024-1481
Fixes: https://pagure.io/freeipa/issue/9541
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
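The two commits above (404fe101 and 33af154b) describe the check behind the CVE-2024-1481 fix. As an added illustration that is not FreeIPA's own code, the regular expression quoted in the commit message is applied to a set of constructed principal names, and the kinit command line is assembled with the principal as the last argument; the hostname pattern used for service principals and the `build_kinit_argv` helper are assumptions made for this example:

```python
import re

# Regular expression quoted in commit 404fe101 for plain user principals:
# not purely numeric, not starting with '-', no spaces or slashes,
# optional @REALM suffix.
USER_PRINCIPAL_RE = re.compile(
    r"(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?@?[a-zA-Z0-9.-]*$"
)

# Hostname check for service principals (service/hostname[@REALM]). The commit
# says the hostname is validated and the service name is not; this label-based
# pattern is an assumption for the example, not the project's own check.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


def validate_principal(principal):
    """Return True if the principal is acceptable to hand to kinit."""
    if not principal or " " in principal:
        return False
    if "/" in principal:
        # Service principal: service/hostname[@realm].
        service, _, rest = principal.partition("/")
        hostname, _, realm = rest.partition("@")
        if not service or not HOSTNAME_RE.fullmatch(hostname):
            return False
        # The realm is not checked against known realms (commit 33af154b);
        # only its character set matters.
        return re.fullmatch(r"[a-zA-Z0-9.-]*", realm) is not None
    # fullmatch rather than match, so a trailing newline cannot slip past '$'.
    return USER_PRINCIPAL_RE.fullmatch(principal) is not None


def build_kinit_argv(principal, ccache):
    """Assemble the kinit command line (hypothetical helper for this example)."""
    if not validate_principal(principal):
        raise ValueError("invalid Kerberos principal: %r" % principal)
    # The principal goes last so it is never parsed as a kinit option;
    # the regex additionally rejects names that begin with '-'.
    return ["kinit", "-c", ccache, principal]


if __name__ == "__main__":
    # Constructed sample names, not taken from any real deployment.
    for name in ("admin", "admin@EXAMPLE.TEST", "12345", "-kdc-options",
                 "host/server.example.test@EXAMPLE.TEST", "host/-evil"):
        print("%-40s %s" % (name, validate_principal(name)))
```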
- - - - -
3766fb98 by Rob Crittenden at 2024-02-23T14:11:25+01:00
ipa-restore: adapt for 389-ds switch to LMDB
ipa-restore is relying on the presence of specific directories,
e.g. /var/lib/dirsrv/slapd-/db/ipaca, to detect
which backends are in use (userRoot or ipaca).
With the switch to LMDB, these directories do not exist and the
restore fails finding the ipaca backend.
Use lib389.cli_ctl.dblib.run_dbscan utility instead to
check which backends are present.
This method was introduced in 389ds 2.1.0 and works with
Berkeley DB and LMDB.
Add a --data option to the ipa-backup and ipa-restore tasks to do
only an LDIF backup and restore. Also add the ability to restore by
backend.
Add new tests to do a data-only backup and restore.
Fixes: https://pagure.io/freeipa/issue/9526
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
150050ed by Temuri Doghonadze at 2024-02-28T13:13:19+01:00
Translated using Weblate (Georgian)
Currently translated at 35.0% (1708 of 4877 strings)
Co-authored-by: Temuri Doghonadze <temuri.doghonadze at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
da8ab4b5 by Weblate Translation Memory at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 4.5% (223 of 4877 strings)
Co-authored-by: Weblate Translation Memory <noreply-mt-weblate-translation-memory at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
633ea8ba by 김인수 at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 4.5% (223 of 4877 strings)
Co-authored-by: 김인수 <simmon at nplob.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
cb073530 by Weblate Translation Memory at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 4.6% (226 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b4da6896 by 김인수 at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 4.6% (227 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
2959bec7 by Weblate Translation Memory at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 4.6% (227 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
655b1319 by 김인수 at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 4.6% (228 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f18db3ab by Weblate Translation Memory at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 4.6% (228 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
cd1a36f2 by 김인수 at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 4.7% (230 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
20b01b09 by Weblate Translation Memory at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 4.7% (230 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
23d64942 by Weblate Translation Memory at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 5.5% (270 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f7a56eb3 by 김인수 at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 5.5% (270 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
049a56d6 by Weblate Translation Memory at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 6.0% (295 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
bc3085cd by 김인수 at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 6.0% (295 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f4504e1e by Weblate Translation Memory at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 6.4% (317 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
da9f2294 by 김인수 at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 6.4% (317 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c6aae204 by Weblate Translation Memory at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 6.7% (327 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
2877cae0 by 김인수 at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 6.7% (327 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
1ce532d5 by 김인수 at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 6.7% (327 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
282b5515 by Temuri Doghonadze at 2024-02-28T13:13:19+01:00
Translated using Weblate (Georgian)
Currently translated at 35.0% (1709 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d9afa628 by 김인수 at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 7.0% (342 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
78d86ba0 by Weblate Translation Memory at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 7.5% (370 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
86aae371 by 김인수 at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 7.5% (370 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
99922e99 by 김인수 at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 8.4% (412 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
7b2ac6a2 by Weblate Translation Memory at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 8.4% (412 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f2befb49 by 김인수 at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 10.6% (520 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f4a1696a by Weblate Translation Memory at 2024-02-28T13:13:19+01:00
Translated using Weblate (Korean)
Currently translated at 10.6% (520 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
558a7de8 by Florence Blanc-Renaud at 2024-03-01T11:53:48+01:00
ipatests: some tests are date-sensitive and fail Feb 29
A few tests are changing the date back and forth using for
instance date -s +3Years+1day and date -s -3Years-1day.
This method does not bring the system back to the current date
if executed around Feb 28 or 29 on a leap year, and may result
in de-synchronized server and client.
Add a note in the test to warn about potential future failures.
Related: https://pagure.io/freeipa/issue/9548
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9ad27c95 by 김인수 at 2024-03-04T08:44:31+01:00
Translated using Weblate (Korean)
Currently translated at 13.4% (655 of 4877 strings)
Co-authored-by: 김인수 <simmon at nplob.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ee6ff01b by Weblate Translation Memory at 2024-03-04T08:44:31+01:00
Translated using Weblate (Korean)
Currently translated at 13.4% (655 of 4877 strings)
Co-authored-by: Weblate Translation Memory <noreply-mt-weblate-translation-memory at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e60072fe by 김인수 at 2024-03-04T08:44:31+01:00
Translated using Weblate (Korean)
Currently translated at 14.5% (712 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d8a4bde2 by Weblate Translation Memory at 2024-03-04T08:44:31+01:00
Translated using Weblate (Korean)
Currently translated at 14.5% (712 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
04ac64a4 by 김인수 at 2024-03-04T08:44:31+01:00
Translated using Weblate (Korean)
Currently translated at 18.4% (899 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
05f1bf9e by Weblate Translation Memory at 2024-03-04T08:44:31+01:00
Translated using Weblate (Korean)
Currently translated at 18.4% (899 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
bf5c9892 by 김인수 at 2024-03-04T08:44:31+01:00
Translated using Weblate (Korean)
Currently translated at 18.9% (922 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ca776b6a by Weblate Translation Memory at 2024-03-04T08:44:31+01:00
Translated using Weblate (Korean)
Currently translated at 18.9% (922 of 4877 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c3d228d4 by Rob Crittenden at 2024-03-05T15:46:01-05:00
Vault: add additional fallback to RSA-OAEP wrapping algo
There is a fallback when creating the wrapping key but one was missing
when trying to use the cached transport_cert.
This allows, along with forcing keyWrap.useOAEP=true, vault creation
on an nCipher HSM.
This can be seen in HSMs where the device doesn't support the
PKCS#1 v1.5 mechanism. It will error out with either "invalid
algorithm" or CKR_FUNCTION_FAILED.
Related: https://pagure.io/freeipa/issue/9191
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
1d2897e3 by Alexander Bokovoy at 2024-03-12T13:53:11+01:00
ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind
When authentication indicators were introduced in 2016, ipa-pwd-extop
plugin gained ability to reject LDAP BIND when an LDAP client insists
the authentication must use an OTP token. This is used by ipa-otpd to
ensure Kerberos authentication using OTP method is done with at least
two factors (the token and the password).
This enforcement is only possible when an LDAP client sends the LDAP
control. There are cases when LDAP clients cannot be configured to send
a custom LDAP control during BIND operation. For these clients an LDAP
BIND against an account that only has password and no valid token would
succeed even if admins intend it to fail.
Ability to do LDAP BIND without a token was added to allow users to add
their own OTP tokens securely. If administrators require full
enforcement over LDAP BIND, it cannot be achieved with LDAP without
sending the LDAP control to do so.
Add IPA configuration string, EnforceLDAPOTP, to allow administrators to
prevent LDAP BIND with a password only if user is required to have OTP
tokens. With this configuration enabled, it will not be possible for
users to add OTP token if one is missing, thus ensuring no user can
authenticate without OTP and admins will have to add initial OTP tokens
to users explicitly.
Fixes: https://pagure.io/freeipa/issue/5169
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
23b224d7 by Alexander Bokovoy at 2024-03-12T13:53:11+01:00
ipa-pwd-extop: add MFA note in case of a successful LDAP bind with OTP
In case there is a successful OTP authentication attempt, register it as
an operation note on the BIND operation in LDAP. 389-ds then will print
a multi-factor authentication note in both access and security logs
according to https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
Fixes: https://pagure.io/freeipa/issue/5169
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e431ce0c by Alexander Bokovoy at 2024-03-14T13:53:16+01:00
ipa-pwd-extop: declare operation notes support from 389-ds locally
The function slapi_pblock_set_flag_operation_notes(); is defined in
ldap/servers/slapd/pblock.c in 389-ds but is only available through
slapi-private.h header, not through slapi-plugin.h public API.
It was introduced in ~1.4.1.7 (~2019) via https://pagure.io/389-ds-base/issue/50349.
Since we only use it with an MFA note, all versions of the 389-ds that
will support MFA note will have this function.
Fixes: https://pagure.io/freeipa/issue/9554
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
557f0a56 by Mark Reynolds at 2024-03-14T13:59:48+01:00
Issue 9547 - Update IPA to IPA migration design doc
Update the ipa to ipa migration doc in regards to the new IPA migration tool
Fixes: https://pagure.io/freeipa/issue/9547
Signed-off-by: Mark Reynolds <mreynolds at redhatr.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f9a1d74f by Alexander Bokovoy at 2024-03-19T15:20:39+01:00
dcerpc: invalidate forest trust info cache when filtering out realm domains
When get_realmdomains() method is called, it will filter out subdomains
of the IPA primary domain. This is required because Active Directory
domain controllers are assuming subdomains already covered by the main
domain namespace.
[MS-LSAD] 3.1.4.7.16.1, 'Forest Trust Collision Generation' defines the
method of validating the forest trust information. They are the same as
rules in [MS-ADTS] section 6.1.6. Specifically,
- A top-level name must not be superior to an enabled top-level name
for another trusted domain object, unless the current trusted domain
object has a corresponding exclusion record.
In practice, we filtered those subdomains already but the code wasn't
invalidating a previously retrieved forest trust information.
Fixes: https://pagure.io/freeipa/issue/9551
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
64861a0c by Florence Blanc-Renaud at 2024-03-20T13:59:21+01:00
idrange-add: add a warning because 389ds restart is required
After the addition of a new idrange, the sidgen plugin is not
immediately aware of the new idrange and a restart of 389ds is
required. Otherwise the creation of new user/group with a uid/gid
inside the new range fails to grant a SID to the user/group.
Fixes: https://pagure.io/freeipa/issue/9558
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
adf95dcf by Sudhir Menon at 2024-03-25T12:27:43+01:00
ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation testcases.
Currently the test is using IPA_NSSDB_PWDFILE_TXT which is /etc/ipa/nssdb/pwdfile.txt
which causes error in STIG mode.
[root at master slapd-TESTRELM-TEST]# certutil -M -n 'TESTRELM.TEST IPA CA' -t ',,' -d . -f /etc/ipa/nssdb/pwdfile.txt
Incorrect password/PIN entered.
Hence modified the test to include paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt.
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a57b665b by Alexander Bokovoy at 2024-03-27T18:04:26+01:00
idrange: only issue warning to restart services for a local range
SIDGEN plugin only uses local ID ranges and thus a restart is really
needed only when a local range is added, modified or removed.
Also fix the SSSD warning because removal of any range requires restart
everywhere, not just on a specific server.
Fixes: https://pagure.io/freeipa/issue/9558
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
6cc668ff by Florence Blanc-Renaud at 2024-03-27T18:04:26+01:00
xmlrpc: adapt range plugin test
A warning is added in ipa idrange-add/mod/del for
local ranges. Adapt the test expectation.
Related: https://pagure.io/freeipa/issue/9558
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
38d0e74b by Christian Heimes at 2024-03-27T18:07:17+01:00
Move ipalib.install.kinit to ipalib
- kinit helpers are now in `ipalib.kinit`.
- helpers can now use default ccache locations like many other similar
helpers
- helpers return the result from `run` for debugging
- constants are now in `krb_utils`
- helpers pass `KRB5*` and `GSS*` env vars along, so `KRB5_TRACE` works
- document how to kinit for `ipalib.api`
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a9bb8112 by Rob Crittenden at 2024-04-02T23:06:43+02:00
Check for file permissions after the ca/cert-show is complete
The commands ca-show and cert-show provide the ability to direct
the certificate output to a file. If the requested object was
not present then this resulted in a zero-length file.
This is because the check to determine if the file was writable,
by opening it, was done prior to the operation to retrieve
the entry.
So move the check after the data retrieval.
Also convert cert-show to be more consistent with ca-show.
I considered cleaning up the empty file afterward but IMHO we
shouldn't touch the file until we're ready to write. This
costs an API roundtrip but it's a small price to pay for
potentially protecting existing data.
Fixes: https://pagure.io/freeipa/issue/9562
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
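The ordering problem described in commit a9bb8112 (the output file was opened, and therefore truncated, before the entry was fetched) is reproduced here as an added example with a constructed in-memory certificate store; this is not FreeIPA's code and `NotFound`, `fetch_certificate` and the two `save_cert_*` functions are stand-ins for the example:

```python
import os
import tempfile


class NotFound(Exception):
    """Stand-in for the 'entry not found' error (constructed for this example)."""


def fetch_certificate(name, store):
    """Look a certificate up in a constructed dict instead of calling the API."""
    if name not in store:
        raise NotFound(name)
    return store[name]


def save_cert_before_fix(name, store, out_path):
    # Old ordering: the writability check opened (and truncated) the output
    # file first, then the entry was retrieved. A NotFound leaves an empty file.
    with open(out_path, "w") as fd:
        fd.write(fetch_certificate(name, store))


def save_cert_after_fix(name, store, out_path):
    # Fixed ordering: retrieve first and only touch the file once there is
    # data to write, so existing contents survive a failed lookup.
    data = fetch_certificate(name, store)
    with open(out_path, "w") as fd:
        fd.write(data)


def remaining_contents(saver, name="does-not-exist"):
    """Run `saver` for a missing entry against a pre-existing output file and
    return what the file contains afterwards."""
    store = {"ipa": "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"}
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "out.pem")
        with open(out, "w") as fd:
            fd.write("previous contents\n")
        try:
            saver(name, store, out)
        except NotFound:
            pass
        with open(out) as fd:
            return fd.read()


if __name__ == "__main__":
    print("before fix:", repr(remaining_contents(save_cert_before_fix)))
    print("after fix: ", repr(remaining_contents(save_cert_after_fix)))
```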
- - - - -
5d3c6b76 by Rob Crittenden at 2024-04-02T23:06:43+02:00
Return 2 when certificates are not found during requests
The ipa tool has nearly since epoch returned 2 for the case of
entry not found.
The certificate processing raises a separate error,
CertificateOperationsError, when something goes wrong.
This returns 1.
With the introduction of the JSON API most requests will get
a proper HTTP return code representing what went wrong. In this
case we can use 404 to determine if the request resulted in
a NotFound therefore can eventually return a 2 and be
consistent in return values.
Related: https://pagure.io/freeipa/issue/9562
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ca6604b5 by Alexander Bokovoy at 2024-04-03T10:43:55-04:00
Use raw strings for Python 3 compatibility in old API client code
Python 3 enforces checks on \ sequences in strings. Instead of copying
over the new mix of normal and raw strings from the server side, turn
those strings in the remote plugins to raw mode.
Fixes: https://pagure.io/freeipa/issue/9565
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fc7c2cb6 by Erik Belko at 2024-04-04T15:56:25+01:00
xmlrpc tests: Create user with manager option set using user-add
Related: https://pagure.io/freeipa/issue/9515
Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
1df2abbd by Stanislav Levin at 2024-04-04T11:42:24-04:00
ap: Migrate to docker compose V2
Azure Pipelines started to roll 20240401.4 Ubuntu image that doesn't
include docker-compose v1:
https://github.com/actions/runner-images/blob/ubuntu20/20240401.4/images/ubuntu/Ubuntu2004-Readme.md
See https://github.com/actions/runner-images/issues/9557
Compose V1 to V2 migration guide:
https://docs.docker.com/compose/migrate/
Fixes: https://pagure.io/freeipa/issue/9566
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
cbe18735 by Mark Reynolds at 2024-04-04T15:49:42-04:00
IPA-to-IPA migration tool (beta)
Tool for migrating one remote IPA server to a local IPA server.
This should still be considered the beta version as it has not gone
through any QE yet
Fixes: https://pagure.io/freeipa/issue/3656
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6294b93e by Rob Crittenden at 2024-04-04T16:30:09-04:00
ipatests: Ignore spacing in OpenSSL validation error message
The error message format changed between releases of OpenSSL.
The updated version has dropped spaces around equal signs
between RDN elements in the subject.
e.g. In 3.1.1 it reports O = EXAMPLE.TEST, CN = IPA RA
and in 3.2.1 reports O=EXAMPLE.TEST, CN=IPA RA
So ignore all spacing in the error message so it works on all
versions.
I saw this in openssl-3.1.1-4.fc39.x86_64 vs
openssl-3.2.1-3.fc41.x86_64
Fixes: https://pagure.io/freeipa/issue/9567
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
8084b94c by Mark Reynolds at 2024-04-04T17:25:04-04:00
Issue 9568 - Update IPA to IPA migration design doc
The usage for migrating DNS changed. It went from "--skip-dns",
to "--migrate-dns"
Fixes: https://pagure.io/freeipa/issue/9568
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
182dca38 by Thomas Woerner at 2024-04-05T10:05:56+02:00
principal_has_privilege: Check also idoverrideuser (ipaOriginalUid)
The current filter in principal_has_privilege is only working for normal
IPA users where krbprincipalname is matching the principal. An idoverride
user (for example from AD) is not found with this filter.
A new filter for the principal as an ipaOriginalUid has been added as a
second try if a match with krbprincipalname was not found.
principal_has_privilege is used in the replica connection check. The
additional check enables to deploy replicas using an AD user/administrator
that has been added to the "admins" group.
Fixes: https://pagure.io/freeipa/issue/9542
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
6b0f6ff1 by Rob Crittenden at 2024-04-10T09:26:47+02:00
Allow the admin user to be disabled
A previous change made it not possible to remove the admin
user. This also included disabling the admin user. The user can
be disabled, just not deleted because it is required.
Move the test test_ipa_cacert_manage_prune to the end of the
class because it changes time which can break replication.
Fixes: https://pagure.io/freeipa/issue/9489
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d16c3499 by Alexander Bokovoy at 2024-04-10T09:30:53+02:00
internal: fix 'tokensfor' typo and regenerate pot file
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
dda22366 by Florence Blanc-Renaud at 2024-04-12T15:59:04+02:00
webui test: Update message for admin disable
An admin can be disabled if he is not the last member of the
admins group. Update the expected error message.
Fixes: https://pagure.io/freeipa/issue/9574
Related: https://pagure.io/freeipa/issue/9489
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f78d25fc by Rob Crittenden at 2024-04-15T16:03:10+02:00
ipa-crlgen-manage: manage the cert status task execution time
ca.certStatusUpdateInterval manages how frequently to update
the certificate status in LDAP (expired, etc).
By default this is not set on the initial master and pkispawn sets
it to 0 on replicas. This can lead to no server running this
task and therefore the status attribute not reflecting the current
state.
On enabling CRL generation remove any value which will cause PKI
to use its default. On disabling set it to 0.
Only one server should run the update status task to prevent
unnecessary replication.
Fixes: https://pagure.io/freeipa/issue/9569
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f9f96ac4 by Mark Reynolds at 2024-04-15T16:06:23+02:00
Issue 9570 - migrate nsaccountlock
IPA migration tool, when retrieving a remote entry from the
source/remote server request the operational attribute 'nsaccountlock'
Fixes: https://pagure.io/freeipa/issue/9570
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
cce8dc4d by Mark Reynolds at 2024-04-30T14:26:55-04:00
Issue 9579 - Remove bash_completions_dir for RHEL
RHEL 9 does not support the bash_completions_dir macro, but it is still
needed for Fedora builds
Fixes: https://pagure.io/freeipa/issue/9579
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
6c6b9354 by Rafael Guterres Jeffman at 2024-05-03T16:35:19-04:00
Replace netifaces with ifaddr
Python netifaces has been unmaintained and its main repository has been
archived since June, 2021.
Python ifaddr is an alternative to netifaces, is currently maintained,
and provides an API which requires little change for FreeIPA current
usage.
This patch modifies FreeIPA to rely on ifaddr instead of netifaces, due
to its current maintenance status.
Fixes: https://pagure.io/freeipa/issue/9555
Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9e1e22d4 by Pavel Březina at 2024-05-06T17:10:18-04:00
ipaserver: fix incorrect double negative in exception message
Signed-off-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
bb8dd0bf by Florence Blanc-Renaud at 2024-05-07T14:33:04+02:00
Spec file: depend on nfs-utils or nfsv4-client-utils
The freeipa-client package currently requires nfs-utils.
The requirement can be relaxed and modified into nfs-utils or
nfsv4-client-utils.
Fixes: https://pagure.io/freeipa/issue/9586
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cba3094c by Rob Crittenden at 2024-05-16T08:46:32-04:00
Support the certmonger nss-user option
Some certificate operations need to be executed as a specific
user so that underlying files will have the correct ownership.
certmonger normally runs as root. The nss-user option defines
a user to switch to when saving NSS certificates so if a
software token (e.g. SoftHSM) is used then the files created will be
owned by the token owner.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
e6078c63 by Rob Crittenden at 2024-05-16T08:46:32-04:00
Don't generate a cafile on HSM installations
We don't export the CA certificates on an HSM installation
because an HSM won't allow the private keys to leave the
HSM, by design.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
34f28f06 by Rob Crittenden at 2024-05-16T08:46:32-04:00
Add token support to installer certificate handling
Pass along the user-provided password file, if any, to the
underlying NSS database. This will provide for per-token
passwords.
If a token is in a nickname then break it out and pass it to
certutil separately.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
73d52a61 by Rob Crittenden at 2024-05-16T08:46:32-04:00
Only generate kracert.p12 when not installing with HSM
The private keys are not retrievable from an HSM by
design so don't try during KRA install.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
e3234708 by Rob Crittenden at 2024-05-16T08:46:32-04:00
Don't move KRA keys when key backup is disabled
The KRA_BACKUP_KEYS_P12 file is not enabled when pki_backup_keys
is set to False. This is the case IPA is configured with HSM
support.
With an HSM you don't export private keys.
Related: https://pagure.io/freeipa/issue/7677
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
f658a264 by Rob Crittenden at 2024-05-16T08:46:32-04:00
doc: Add token-password-file to HSM design, set new OID
Clarify when the user will be prompted interactively during
installation.
Set the OID for ipaCaHSMConfiguration.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
d9efa728 by Rob Crittenden at 2024-05-16T08:46:32-04:00
Add LDAP attribute ipaCaHSMConfiguration to store HSM state
This will be used so that when a replica is created it can
configure the HSM without relying on the user to pass in
the same token, library name, etc.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
82c0b19a by Rob Crittenden at 2024-05-16T08:46:32-04:00
Add HSM configuration options to installer scripts
The bulk of the installer effort to enable HSM support without
having to provide an override file.
This pulls the HSM configuration from a remote server when installing
a replica so that the token name and library don't need to be
passed with every installation.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
a99091ad by Rob Crittenden at 2024-05-16T08:46:32-04:00
Add attribute ipacahsmconfiguration to the "Read CAs" ACI
This will allow the HSM stored configuration to be read.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
7ad3b489 by Rob Crittenden at 2024-05-16T08:46:32-04:00
Update SELinux policy to allow certmonger to PKI config files
Needed so the helper renew_ca_cert can read password.conf in order
to get the token password. These files are already readable with
FS permissions.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
93622005 by Rob Crittenden at 2024-05-16T08:46:32-04:00
Add token support to the renew_ca_cert certmonger helper
The certificates live on the token so need to be retrieved
from there with the token name. The certificates are visible
in NSS softoken but operations need to be done on the HSM
version. The right password is necessary so retrieve it from
the PKI password store.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
d0c489e2 by Rob Crittenden at 2024-05-16T08:46:32-04:00
If HSM is configured add the token name to config-show output
A token can only be set in an HSM installation so this is implicit:
if a token exists then HSM is enabled, if not then it isn't.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
0708f603 by Rob Crittenden at 2024-05-16T08:46:32-04:00
renew_ca_cert: skip removing non-CA certs, fix nickname
This script deletes all CA certificates so a new chain
can be loaded. It identified CA certs by those that did
not have private keys. This change adds the ca_flags test
in as well. It is probably sufficient on its own but it
is left for compatibility.
An HSM-based NSS database when not accessing it with the
token will not contain the private keys so removing all
certificates without a private key will remove certificates
that it shouldn't. The NSS softoken stores the certificate
trust so the certificates will be visible but they lack
private keys because those reside in the HSM. Therefore
deleting any certificate without a private key removed
nearly everything.
Preserve the nickname 'caSigningCert cert-pki-ca'. The
certstore uses the nickname format '{REALM} IPA CA' and
will replace the PKI-named key if we don't act to
preserve it.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
b89aa919 by Rob Crittenden at 2024-05-16T08:46:32-04:00
renew_ca_cert: set peer trust on the KRA audit certificate
The PKI audit certificates require that trusted peer (P) be
set on the certificate. This is done already for the CA audit
certificate. Also set this on the KRA audit certificate on
renewal.
https://pagure.io/freeipa/issue/9353
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
06a8791b by Rob Crittenden at 2024-05-16T08:46:32-04:00
tests: helper to copy files from one host to another
Simple function that takes a list of file names and copies
them from one host to another.
It isn't the most efficient but for a small number of files it
should be sufficient.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
36dbc6b0 by Mohammad Rizwan at 2024-05-16T08:46:32-04:00
ipatests: test software HSM installation with server & replica
Use SoftHSM2 to install an IPA CA to store the keys in an HSM.
Whenever new keys are generated either in the initial install
or if a KRA is installed then the token needs to be synced
between all servers prior to installing a new CA or KRA.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
6b894f28 by Rob Crittenden at 2024-05-16T08:46:32-04:00
After installing a KRA, copy the updated token to other machines
This can be eventually squashed into the main "test" patch but
keeping it separate to make it easier to see what has happened.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
31d66bac by Rob Crittenden at 2024-05-16T08:46:32-04:00
Validate the HSM token library path and name during installation
It would fail eventually with the output in the CA logs but it
wasn't always very obvious and you had to wait a while to find
out about a typo.
Scraping modutil output is a bit ugly but it is guaranteed
to be installed and this should work both with p11-kit and
without.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
c6dd21f0 by Rob Crittenden at 2024-05-16T08:46:32-04:00
Remove caSigningCert from list of certs to renew
This certificate should not be renewed this way.
ipa-cacert-manage renew should be used.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
87ecca0f by Rob Crittenden at 2024-05-16T08:46:32-04:00
Add SELinux subpackage for nCipher nfast HSM support
A number of files that need to be managed by certmonger
have unconfined_u:object_r:pki_common_t:s0.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
f8798b3e by Rob Crittenden at 2024-05-16T08:46:32-04:00
Add SELinux subpackage for Thales Luna HSM support
This is simple, a port needs to be available to certmonger
to communicate during renewals of CA subsystem certificates.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
1ec875c6 by Mohammad Rizwan at 2024-05-16T08:46:32-04:00
ipatests: test software HSM installation with server & replica
Use SoftHSM2 to install an IPA CA to store the keys in an HSM.
Whenever new keys are generated either in the initial install
or if a KRA is installed then the token needs to be synced
between all servers prior to installing a new CA or KRA.
Fixes: https://pagure.io/freeipa/issue/9273
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
b63103c8 by Rob Crittenden at 2024-05-16T08:46:32-04:00
tests: Fix failing test test_testconfig.py with missing token variables
Arguments were added to the configuration file to allow specifying
the token option values. These needed to be included into the
defaults as well.
This should be merged into the tests prior to pushing.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
c6f2d021 by Rob Crittenden at 2024-05-16T08:46:32-04:00
dogtag-ipa-ca-renew-agent-submit: expect certs to be on HSMs
On a non-HSM, non-renewal-server replica we look in LDAP for
an updated certificate. If the certificates don't match then we
have a new one and write it out. If they match the assumption is
that it hasn't been renewed yet so go into CA_WORKING.
The problem is that for networked HSMs the cert will already be
visible in the database so certmonger will always be in CA_WORKING.
In this case we can assume that if the certs are the same then
that's just fine.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
31fda79a by Rob Crittenden at 2024-05-16T08:46:32-04:00
Prompt for token password if not provided in replica/ipa-ca-install
If the password wasn't provided by --token-password then an empty
value would be passed into the CA installer which promptly failed.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
b9ec2fb0 by Rob Crittenden at 2024-05-16T08:46:32-04:00
KRA: force OAEP for some HSM-based installations
Not all HSMs support PKCS#1 v1.5. The nShield nFast is one we know
of so force the KRA to use OAEP in this case.
This can be seen in HSMs where the device doesn't support the
PKCS#1 v1.5 mechanism. It will error out with either "invalid
algorithm" or CKR_FUNCTION_FAILED.
There is currently no good way to test for this capability in
advance of configuration. Testing for mechanisms alone is
insufficient. The only real way to test would be to attempt a
wrap/unwrap but it is very complex.
If the list of affected HSMs increases we can use a table
instead based on "best guess" of some sort of property but
looking for a unique string inside the library path is a
pretty straightforward way.
Note that this doesn't preclude someone from wanting to require
OAEP directly by modifying the KRA CS.cfg and it won't impact
FIPS mode which requires OAEP.
Related: https://pagure.io/freeipa/issue/9191
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ea0bf402 by Rob Crittenden at 2024-05-16T08:46:32-04:00
After an HSM replica install ensure all certs are visible
If a certificate on a token does not have NSS trust set then
it won't be visible in the softoken. This can be disconcerting
for those used to seeing all the certificates.
Loop through the possibilities and set no trust (or Peer) for
all the certificates on the token.
Also ensure that the CA certificate has the correct nickname.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
bcd8d2d9 by Rob Crittenden at 2024-05-16T08:46:32-04:00
Require certmonger 0.79.17+ for required HSM changes
* Switch to CA user when saving NSS certificates
* Add new certs to internal token, try harder to remove on renewal
* Don't restrict tokens to CKM_RSA_X_509
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
879a937d by Rob Crittenden at 2024-05-16T08:46:32-04:00
Include the HSM tests in the nightlies
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
6b6c1879 by Rob Crittenden at 2024-05-16T08:46:32-04:00
Call hsm_validator on KRA installs and validate the HSM password
hsm_validator was validating that the token was available but
not that the provided password worked. Add that capability.
Also call it early in the CA and KRA installation cycle so that
it errors out early. This is particularly important for the KRA
because there is no uninstaller.
Bump the minimum PKI release to 11.5.0 as that contains important
fixes for the HSM.
Remove unused arguments to hsm_version and hsm_validator.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
c861ce5a by Rob Crittenden at 2024-05-16T08:46:32-04:00
Add SELinux module checking to hsm_validator
Don't blow up if the expected module is not installed but warn
about it. Hopefully users will actually read the output and/or the
installation log.
This is done by looking for strings in the path. Not great but
it's at least something.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
6af8577d by Rob Crittenden at 2024-05-16T08:46:32-04:00
docs: Add a section on SELinux modules to the HSM design
Additional SELinux rules are necessary for the HSM to be
managed by IPA and certmonger. Given the infinite possible
naming combinations of library paths and modules this is
a best effort. A message is logged if a missing module
is detected.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
7d54a6da by Francisco Trivino at 2024-05-17T09:53:53+02:00
ipa-client-install: add support for sss_ssh_knownhosts
sss_ssh_knownhostsproxy will be deprecated in favor of sss_ssh_knownhosts.
With this update, if the file /usr/bin/sss_ssh_knownhosts is present,
KnownHostsCommand will be used instead of ProxyCommand. Also, GlobalKnownHostsFile
is disabled as it is no longer needed.
Fixes: https://pagure.io/freeipa/issue/9536
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b34525c7 by Francisco Trivino at 2024-05-17T09:53:53+02:00
Spec file: add support for sss_ssh_knownhosts
sss_ssh_knownhostsproxy will be deprecated in favor of sss_ssh_knownhosts. This commit
implements a mechanism to apply the change when upgrading from older versions.
Fixes: https://pagure.io/freeipa/issue/9536
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f225b3df by Rob Crittenden at 2024-05-20T14:46:55-04:00
Don't try to validate the HSM arguments on a non-HSM installation
If there is no token name it is safe to assume that an HSM
installation is not requested. The validator assumes that if
there is a token name then the library and password are also
provided.
Fixes: https://pagure.io/freeipa/issue/9593
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
544652aa by Mark Reynolds at 2024-05-20T14:52:12-04:00
Issue 9591 - Allow get_ruv() to handle incomplete RUV elements
Sometimes RUV's are missing the LDAP Url and max/min csns. This prevents
cleanallruv task from running. However, cleanallruv doesn't need to
know the LDAP URL or min/max csns. Added a new parameter to get_ruv()
called "strict", and when set to False it will still process and
include incomplete RUVs.
Fixes: https://pagure.io/freeipa/issue/9591
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
47920e78 by Erik Belko at 2024-05-21T14:50:46+02:00
ipatests: Update ipa-adtrust-install test
update after change in implementation of `krb_utils.get_principal()` now using GSSAPI
Related: https://pagure.io/freeipa/issue/9575
Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
9dc57ef7 by Thomas Woerner at 2024-05-22T09:59:34+02:00
idviews: Use ipaAnchorUUID without DCERPC bindings for SID anchors
SID anchors are only resolvable on servers with DCERPC bindings
installed. On a non-agent replica these bindings are not installed and
therefore group and role management if there are AD user idoverride
members.
If there is an ipaUserOverride for the anchor, the ipaoriginaluid is
returned.
Fixes: https://pagure.io/freeipa/issue/9544
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6fc35156 by Rob Crittenden at 2024-05-22T10:00:39+02:00
Add permissions for topologysegment
I don't know why these weren't added originally when the
topology plugin was created.
Add them all to the 'Replication Administrators' privilege
Fixes: https://pagure.io/freeipa/issue/9594
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
295ac638 by Alexander Bokovoy at 2024-05-22T10:03:38+02:00
privilege: use context.principal only when it is defined
In server-like context we use LDAPI connection with auto-binding to LDAP
object based on the UID of the process connecting to LDAPI UNIX domain
socket. This means context.principal is not set and we cannot use it.
In principal_has_privilege() we can take None principal object as a sign
that currently bound LDAP DN has to be checked for the privilege. This
allows to match any type of account to the privilege, with exception of
the cn=Directory Manager which is never added to privileges explicitly.
cn=Directory Manager will be allowed any privilege because it already
can write to any LDAP entry.
Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
3608b2b6 by Alexander Bokovoy at 2024-05-22T10:03:38+02:00
batch: account for auto-binding in server context
When batch runs under server context, we have no context.principal set
because we talk directly to LDAPI endpoint and authenticate using
auto-binding, not GSSAPI. Account for that in the logger.
Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
71d886f0 by Alexander Bokovoy at 2024-05-22T10:03:38+02:00
config: use context.principal only when it is defined
In server-like context we use LDAPI connection with auto-binding to LDAP
object based on the UID of the process connecting to LDAPI UNIX domain
socket. This means context.principal is not set and we cannot use it.
Make sure to reject requests unless we are operating as a Directory
Manager in such cases.
Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
ab546563 by Alexander Bokovoy at 2024-05-22T10:03:38+02:00
server: use context.principal only when it is defined
In server-like context we use LDAPI connection with auto-binding to LDAP
object based on the UID of the process connecting to LDAPI UNIX domain
socket. This means context.principal is not set and we cannot use it.
Make sure to reject requests unless we are operating as a Directory
Manager in such cases.
Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
08f1e6f2 by Alexander Bokovoy at 2024-05-22T10:03:38+02:00
trust: use context.principal only when it is defined
In server-like context we use LDAPI connection with auto-binding to LDAP
object based on the UID of the process connecting to LDAPI UNIX domain
socket. This means context.principal is not set and we cannot use it.
Make sure to reject requests unless we are operating as a Directory
Manager in such cases.
Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
b6131b57 by Alexander Bokovoy at 2024-05-22T10:03:38+02:00
trust: handle stray pylint warning
We only get to this code path when running in the server context. At
that point _bindings_installed will be defined. Pylint cannot track this
and always fails with this check.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
e386e220 by Alexander Bokovoy at 2024-05-22T10:03:38+02:00
cert: use context.principal only when it is defined
In server-like context we use LDAPI connection with auto-binding to LDAP
object based on the UID of the process connecting to LDAPI UNIX domain
socket. This means context.principal is not set and we cannot use it.
When processing certificate issuance requests care has to be taken to
match operations done as LDAP auto-bind to actual principals for
validation. This is a tough one as we have no principal to match for
cn=Directory Manager. Use fake principal to fail validation here and
rely on LDAP ACIs instead.
Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
902c8b0b by Alexander Bokovoy at 2024-05-22T10:03:38+02:00
passwd: handle LDAP auto-bind use case as well
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
c325f9c0 by Alexander Bokovoy at 2024-05-22T10:03:38+02:00
user: handle LDAP auto-bind for whoami case
In LDAP auto-bind situation we will not have a Kerberos principal
available, so we should be using a different mechanism to find the
object. Since we already have a valid bound LDAP DN, use it as a base DN
here and simply require presence of the POSIX account.
This will not match 'cn=Directory Manager' but none of the code we have
uses LDAP auto-bind as root when calling 'ipa user-find --whoami'.
Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
6cc0a0b9 by Alexander Bokovoy at 2024-05-22T10:03:38+02:00
pylint: use yield_from for trivial cases
Follow pylint recommendations (turned errors in recent pylint updates)
and use PEP-380 syntax for subgenerators. This is supported by all
Python 3 versions since ~2011.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
9e861693 by Alexander Bokovoy at 2024-05-22T10:03:38+02:00
batch: add keeponly option
batch(methods=Dict(), keeponly=list) will allow executing a batch of
commands and removing from the output everything but the attributes
whose names were passed in the keeponly list.
This can be useful if you are only interested in getting names and
assigned random passwords, for example.
Fix batch API test in test_integration/test_idm_api.py and use it to
validate keeponly option.
Fixes: https://pagure.io/freeipa/issue/9583
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
fd0f432f by Alexander Bokovoy at 2024-05-22T17:06:23-04:00
ipalib: move json formatter to a separate file
To prevent cyclic imports, move JSON handling code to a separate file.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
145e3317 by Alexander Bokovoy at 2024-05-22T17:06:23-04:00
ipalib/rpc: Reformat after moving json code around
Context changes cause linters to complain for older code formatting
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
84eed2a6 by Alexander Bokovoy at 2024-05-22T17:06:23-04:00
frontend: add systemd journal audit of executed API commands
For each executed command in server context, send the information about
the command to the systemd journal. The resulting string is similar to
what is recorded in httpd's error_log for API requests coming through the
RPC layer.
In server mode operations are performed directly on the server over
LDAPI unix domain socket, so httpd end-point is not used and therefore
operations aren't recorded in the error_log.
With this change any IPA API operation is sent as an audit event to the
journal, along with additional information collected by journald
itself.
To aid with identification of these messages, an application name is
replaced with IPA.API and the actual name from api.env.script is made a
part of the logged message. The actual application script name is
available as part of the journal metadata anyway.
If no Kerberos authentication was used but rather LDAPI autobind was in
use, the name of the authenticated principal will be replaced with
[autobind].
Messages are sent with syslog NOTICE priority.
More information is available in the design document 'audit-ipa-api.md'
Fixes: https://pagure.io/freeipa/issue/9589
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
53681208 by Alexander Bokovoy at 2024-05-23T15:12:27-04:00
custodia: do not use deprecated jwcrypto wrappers
jwcrypto has turned JWK object into a dict-like structure in 2020 and
marked data wrappers as deprecated. The only exception for direct
foo['bar'] access is a key ID -- some keys might have no 'kid' property,
thus it is best to use jwk.get('kid') instead for those.
Fixes: https://pagure.io/freeipa/issue/9597
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1223016e by Alexander Bokovoy at 2024-05-28T11:14:35+02:00
console: for public errors only print a final one
By default, interactive console prints full traceback in case of an
error. This looks weird in the console when LDAP errors pop up.
Instead, process PublicError exceptions as if they are final ones and
only print their message.
As a result, calls like api.Command.user_show('unknown') would
result in a concise message:
>>> api.Command.user_show('unknown')
IPA public error exception: NotFound: unknown: user not found
>>>
rather than a two-screen long traceback.
Fixes: https://pagure.io/freeipa/issue/9590
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
69c6a817 by Florence Blanc-Renaud at 2024-05-28T14:39:33+02:00
ipa-replica-manage list-ruvs: display FQDN in the output
The behavior of ipa-replica-manage list-ruv was modified with
the commit 544652a and now displays host short names instead
of FQDN:port.
Fix the regular expression in order to return the FQDN:port again.
Fixes: https://pagure.io/freeipa/issue/9598
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
b3789876 by Antonio Torres at 2024-05-28T16:11:04+02:00
Update translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
c250b1a7 by Antonio Torres at 2024-05-28T16:13:33+02:00
Update list of contributors
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
407408e9 by Antonio Torres at 2024-05-28T16:19:49+02:00
Become IPA 4.12.0
- - - - -
ea375937 by Antonio Torres at 2024-05-28T16:26:57+02:00
Back to git snapshots
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
f77c0a57 by Julien Rische at 2024-06-10T12:46:05+02:00
kdb: fix vulnerability in GCD rules handling
The initial implementation of MS-SFU by MIT Kerberos was missing a
condition for granting the "forwardable" flag on S4U2Self tickets.
Fixing this mistake required adding a special case for the
check_allowed_to_delegate() function: if the target service argument is
NULL, then it means the KDC is probing for general constrained
delegation rules, not actually checking a specific S4U2Proxy request.
In commit e86807b5, the behavior of ipadb_match_acl() was modified to
match the changes from upstream MIT Kerberos a441fbe3. However, a
mistake resulted in this mechanism applying in cases where the target
service argument is set AND unset. This results in S4U2Proxy requests
being accepted regardless of whether there is a matching service
delegation rule or not.
This vulnerability does not affect services having RBCD (resource-based
constrained delegation) rules.
This fixes CVE-2024-2698
Signed-off-by: Julien Rische <jrische at redhat.com>
- - - - -
4a61184d by Julien Rische at 2024-06-10T12:46:05+02:00
kdb: apply combinatorial logic for ticket flags
The initial design for ticket flags was implementing this logic:
* If a ticket policy is defined for the principal entry, use flags from
this policy if they are set. Otherwise, use default ticket flags.
* If no ticket policy is defined for the principal entry, but there is a
global one, use flags from the global ticket policy if they are set.
Otherwise, use default ticket flags.
* If no policy (principal nor global) is defined, use default ticket
flags.
However, this logic was broken by a1165ffb which introduced creation of
a principal-level ticket policy in case the ticket flag set is modified.
This was typically the case for the -allow_tix flag, which was set
virtually by the KDB driver when a user was locked until they initialize
their password on first kinit pre-authentication.
This was causing multiple issues, which are mitigated by the new
approach:
Now flags from each level are combined together. There are flags like
+requires_preauth which are set systematically by the KDB driver, as
well as -allow_tix which is set based on the value of "nsAccountLock".
This commit also adds the implicit -allow_svr ticket flag for user
principals to protect users against Kerberoast-type attacks. None of
these flags are stored in the LDAP database, they are hard-coded in the
KDB driver.
In addition to these "virtual" ticket flags, flags from both global and
principal ticket policies are applied (if these policies exist).
Principal ticket policies are not supported for hosts and services, but
this is only an HTTP API limitation. The "krbTicketPolicyAux" object
class is supported for all account types. This is required for ticket
flags like +ok_to_auth_as_delegate. Such flags can be set using "ipa
host-mod" and "ipa service-mod", or using kadmin's "modprinc".
It is possible to ignore flags from the global ticket policy or default
flags like -allow_svr for a user principal by setting the
"final_user_tkt_flags" string attribute to "true" in kadmin. In this
case, any ticket flag can be configured in the principal ticket policy,
except requires_preauth and allow_tix.
When in IPA setup mode (using the "ipa-setup-override-restrictions" KDB
argument), the whole system described above is disabled and ticket flags
are written in the principal ticket policy as they are provided. This is
required to initialize the Kerberos LDAP container during IPA server
installation.
This fixes CVE-2024-3183
Signed-off-by: Julien Rische <jrische at redhat.com>
- - - - -
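To make the layered flag logic in the commit above concrete, here is an added illustrative model (not the FreeIPA KDB driver's code). It assumes a dict-of-booleans representation of a flag set, that the global policy is merged before the principal policy, and that the driver-owned flags requires_preauth and allow_tix are dropped from any policy before merging; those details are assumptions, the rules themselves follow the commit message.

```python
# Illustrative model of the combinatorial ticket-flag logic described in
# commit 4a61184d. Added example, not the KDB driver's own code; the dict
# shape, precedence order and helper names are assumptions.
from typing import Dict, Optional

# True means "+flag", False means "-flag"; a missing key means "not set at
# this level", so a lower-precedence level may still decide it.
FlagSet = Dict[str, bool]

# Flags the KDB driver always decides itself; no policy may override them.
DRIVER_OWNED = frozenset({"requires_preauth", "allow_tix"})


def effective_flags(
    kind: str,
    account_locked: bool,
    global_policy: Optional[FlagSet] = None,
    principal_policy: Optional[FlagSet] = None,
    final_user_tkt_flags: bool = False,
    setup_mode: bool = False,
) -> FlagSet:
    """Combine virtual, global-policy and principal-policy flags.

    kind is the account type ("user", "host" or "service"); account_locked
    mirrors the nsAccountLock attribute of the entry.
    """
    global_policy = dict(global_policy or {})
    principal_policy = dict(principal_policy or {})

    # Setup mode (ipa-setup-override-restrictions KDB argument): no
    # combination at all, the principal policy is written as provided.
    if setup_mode:
        return principal_policy

    # Policies may not carry driver-owned flags; drop them before merging.
    for name in DRIVER_OWNED:
        global_policy.pop(name, None)
        principal_policy.pop(name, None)

    flags: FlagSet = {}
    # "final_user_tkt_flags" = "true": ignore the global policy and the
    # implicit -allow_svr; only the principal policy (plus driver-owned
    # flags) applies to this user.
    final = kind == "user" and final_user_tkt_flags
    if not final:
        if kind == "user":
            # Implicit -allow_svr: a user principal must not be usable as a
            # service, which removes it as a Kerberoast target.
            flags["allow_svr"] = False
        flags.update(global_policy)  # assumption: global before principal
    flags.update(principal_policy)   # principal level wins on conflicts

    # Virtual flags: hard-coded in the driver, never stored in LDAP.
    flags["requires_preauth"] = True
    if account_locked:
        flags["allow_tix"] = False
    return flags


def render(flags: FlagSet) -> str:
    """kadmin-style rendering, e.g. '-allow_svr +requires_preauth'."""
    return " ".join(("+" if v else "-") + k for k, v in sorted(flags.items()))


if __name__ == "__main__":
    # Constructed sample inputs: a plain user, a user with final flags that
    # re-enables allow_svr, a locked user, and a service that may act as
    # S4U2Self delegate.
    print(render(effective_flags("user", False)))
    print(render(effective_flags("user", False,
                                 principal_policy={"allow_svr": True},
                                 final_user_tkt_flags=True)))
    print(render(effective_flags("user", True)))
    print(render(effective_flags("service", False,
                                 principal_policy={"ok_to_auth_as_delegate": True})))
```

The model makes the two security-relevant invariants easy to check: a locked account (nsAccountLock) ends up with -allow_tix no matter what a policy says, and a user principal only loses its implicit -allow_svr when an administrator has explicitly opted in with final_user_tkt_flags.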
5b3735b0 by Antonio Torres at 2024-06-10T12:46:37+02:00
Bump minor version number
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
584d0cec by Rob Crittenden at 2024-06-10T14:59:18-04:00
Use a unique task name for each backend in ipa-backup
The name used to be "export_%Y_%m_%d_%H_%M_%S" so if the tasks
were added within the same second the second backend would fail.
Add the backend name to the task name to ensure uniqueness.
export_{backend}_%Y_%m_%d_%H_%M_%S
Fixes: https://pagure.io/freeipa/issue/9584
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mark Reynolds <mreynolds at redhat.com>
- - - - -
ebccaac3 by Rob Crittenden at 2024-06-12T16:43:25-04:00
Add iparepltopoconf objectclass to topology permissions
The domain and ca objects were unreadable which caused
the connection lines between nodes in the UI to not be
visible.
Also add a manual ACI to allow reading the min/max
domain level.
Fixes: https://pagure.io/freeipa/issue/9594
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
9de053ef by Florence Blanc-Renaud at 2024-06-18T08:46:14+02:00
ipa-otptoken-import: open the key file in binary mode
ipa-otptoken-import provides an option (-k KEYFILE) to import
an encrypted PSKC file but this option does not work with python3
in RHEL8 and above, because the key should be passed in binary
format to the cryptography functions instead of string format.
Open the keyfile in binary mode to pass the expected format.
Fixes: https://pagure.io/freeipa/issue/9609
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
09e66dc9 by Florence Blanc-Renaud at 2024-06-24T14:51:38+02:00
spec file: do not create /etc/ssh/ssh_config.orig if unchanged
The upgrade removes the line
HostKeyAlgorithms ssh-rsa,ssh-dss
if present in /etc/ssh/ssh_config and creates a backup in
/etc/ssh/ssh_config.orig, even if no change was applied.
Create the backup file only if the file was changed.
Fixes: https://pagure.io/freeipa/issue/9610
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
4d51446b by Florence Blanc-Renaud at 2024-06-24T14:51:38+02:00
ipatests: add test for ticket 9610
Test scenario:
- ensure there is no /etc/ssh/ssh_config.orig file
- force ipa-client package reinstallation
- ensure no backup file is created in /etc/ssh/ssh_config.orig
Related: https://pagure.io/freeipa/issue/9610
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
c8e3fdeb by Florence Blanc-Renaud at 2024-06-26T07:36:53+02:00
PKINIT certificate: fix renewal on hidden replica
The renewal of PKINIT cert on hidden replica is failing because
of a test ensuring that the KDC service is either enabled or
configured. The test needs to be extended and allow hidden, too.
Fixes: https://pagure.io/freeipa/issue/9611
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
467ec04f by Florence Blanc-Renaud at 2024-06-26T07:36:53+02:00
ipatests: add test for PKINIT renewal on hidden replica
Test scenario: on a hidden replica, force the renewal of
PKINIT cert by calling getcert resubmit.
Related: https://pagure.io/freeipa/issue/9611
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
58154be7 by Florence Blanc-Renaud at 2024-06-26T09:50:34+02:00
ipatests: configure gating and nightly tests on ipa-4-12 branch
Update the pipelines for ipa-4-12 branch:
- run tests on fedora 40
- use the vagrant image freeipa/ci-ipa-4-12-f40
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
4521fe5f by Florence Blanc-Renaud at 2024-06-26T09:50:34+02:00
ipatests: mark test_ca_show_error_handling as xfail
With PKI 11.5.0, the test
test_cert.py::TestCAShowErrorHandling::test_ca_show_error_handling
is failing with an exception and a different error message.
Mark as xfail until PKI provides a fix
Related: https://pagure.io/freeipa/issue/9606
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
60c127d1 by Florence Blanc-Renaud at 2024-06-26T09:50:34+02:00
ipatests: fix / permissions to allow ssh with private key
The test test_ssh_key_connection is performing a ssh login
with a private key and this command may fail if the root directory
does not have the right permissions on the ssh server
(see https://access.redhat.com/solutions/6798261)
Ensure that / has 755 before launching the test.
Fixes: https://pagure.io/freeipa/issue/9607
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
9e364910 by Rob Crittenden at 2024-06-26T13:30:48+02:00
Clean up more files and directories created by the installer(s)
Ideally all files created during an IPA server installation are
removed by the uninstaller. Some files are purposefully left,
like token passwords, private keys, logs and more. Add an
allow list for those files.
Include a test to catch any additional files that may be created
and left behind.
Fixes: https://pagure.io/freeipa/issue/8080
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
48ff7da5 by Florence Blanc-Renaud at 2024-07-02T08:53:03+02:00
ipatests: fix / permissions for test_nested_group_members
The test test_nested_group_members is performing a ssh login
with a private key and this command may fail if the root directory
does not have the right permissions on the ssh server
(see https://access.redhat.com/solutions/6798261)
Ensure that / has 755 before launching the test.
Fixes: https://pagure.io/freeipa/issue/9615
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
52ea4ad4 by TAKAHASHI Masatsuna at 2024-07-04T17:48:04+02:00
ipa-advise ipa-backup ipa-restore: Fix --v option of the manual.
Specifying the --v option results in an error.
The --v option is incorrect and should be -v.
Fixes: https://pagure.io/freeipa/issue/9617
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
90b22ff8 by Sudhir Menon at 2024-07-08T15:21:04+02:00
ipatests: Tests for ipa-ipa migration tool
This patch includes tests for ipa-ipa migration
tool
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mark Reynolds <mreynolds at redhat.com>
- - - - -
2f902efd by Florence Blanc-Renaud at 2024-07-08T15:26:24+02:00
ipa-ods-enforcer: stop must also stop the socket
ipa-ods-enforcer is a socket-activated service. In order to fully stop
the service, IPA needs to call
systemctl stop ipa-ods-enforcer.service ipa-ods-enforcer.socket
otherwise the socket remains active (listening) and can restart the
service.
A consequence of the issue is the backup / uninstall / restore
scenario that is failing to sign the zones. The uninstaller removes
the socket /run/opendnssec/engine.sock but leaves the ipa-ods-enforcer.socket
active. A subsequent restore or install will not re-create the socket.
Fixes: https://pagure.io/freeipa/issue/9613
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6fe268af by Florence Blanc-Renaud at 2024-07-08T15:26:24+02:00
Uninstall: stop sssd-kcm before removing KCM ccaches database
The service is socket-activated and will be restarted whenever
needed. It must be stopped before the database is removed
otherwise it fails to recreate the file.
Fixes: https://pagure.io/freeipa/issue/9616
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d635d701 by Florence Blanc-Renaud at 2024-07-08T15:26:24+02:00
test_replica_install_after_restore: kinit after restore
After uninstall and restore, kinit is required before
launching any ipa command.
Related: https://pagure.io/freeipa/issue/9613
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a8e75bbb by Thomas Woerner at 2024-07-08T16:39:16+02:00
ipa_sidgen: Allow sidgen_task to continue after finding issues
find_sid_for_ldap_entry could fail in several ways if a Posix ID can not
be converted to an unused SID. This could happen for example for duplicate
IDs or user/group out of range.
This change enables ipa_sidgen_task to continue in the error case to try
to convert the entries without errors. The error messages have been
extended to additionally show the DN string for the bad entries.
Fixes: https://pagure.io/freeipa/issue/9618
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
06c02f5f by Shunsuke matsumoto at 2024-07-11T10:30:59+02:00
The -d option of the ipa-advise command could not be used.
The -d option of the ipa-advise command was unavailable, so the default value was changed to True to enable its use.
Fixes: https://pagure.io/freeipa/issue/9625
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
efa57193 by Mark Reynolds at 2024-07-11T13:59:16+02:00
ipa-migrate - remove -V option
The versioning in ipa-migrate was removed, but the "-V" option to display the version was not removed.
Fixes: https://pagure.io/freeipa/issue/9620
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1b278de4 by Rob Crittenden at 2024-07-12T08:32:35+02:00
Fix syntax error in the selinux-luna %postun script
It was missing a trailing fi.
This bad syntax was preventing cleanup of the
{free}ipa-selinux-luna SELinux module:
Running scriptlet: freeipa-selinux-luna-4.12.0.dev202402211727+git0ee 34/44
/var/tmp/rpm-tmp.qoCDFi: line 16: syntax error: unexpected end of file
warning: %postun(freeipa-selinux-luna-4.12.0.dev202402211727+git0eeecdcec-0.fc37.noarch) scriptlet failed, exit status
Fixes: https://pagure.io/freeipa/issue/9629
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
7ab1bcb2 by Rob Crittenden at 2024-07-15T10:26:54-04:00
Re-organize HSM validation to be more consistent/less duplication
hsm_validator() was more or less bolted in place late in the
development cycle in order to catch some of the more common
problems: bad token name, bad password, etc.
There was a fair bit of duplication and had the side-effect of not
reading in the token password from the --token-password-file option
in some cases.
This patch also re-adds a lost feature where an exception is raised if
both the --token-password and --token-password-file options are passed
in.
This also needs to be enforced on initial server, replica and when
called by ipa-kra-install. Given that each has a unique subset of
options some duplication remains.
Fixes: https://pagure.io/freeipa/issue/9603
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
4ea1ad6a by Mohammad Rizwan at 2024-07-15T10:26:54-04:00
ipatests: tests related to --token-password-file
Test automation added around the --token-password-file
option for server/replica/kra install.
Related: https://pagure.io/freeipa/issue/9603
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
6c53a22a by Rob Crittenden at 2024-07-15T10:26:54-04:00
Include token password options in ipa-kra-install man page
Related: https://pagure.io/freeipa/issue/9603
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
eeade509 by Mark Reynolds at 2024-07-15T17:22:19-04:00
ipa-migrate - starttls does not work
We were previously taking the provided ca cert and creating a temporary
file from it. This was incorrect and caused the secure connection to
fail. Instead just use the file path provided.
Fixes: https://pagure.io/freeipa/issue/9619
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ab47696f by Sudhir Menon at 2024-07-15T17:26:53-04:00
Added new testsuite(ipa_ipa_migration) in prci definitions
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
051d61fd by Alexander Bokovoy at 2024-07-17T09:06:14+02:00
ipa-pwd-extop: differentiate OTP requirements in LDAP binds
For users who have no OTP tokens defined (yet), a missing token should
not be seen as a failure. This is needed to allow a basic password
change.
The logic around enforcement of OTP over LDAP bind is the following:
----------------------------------------------------------------------
- when LDAP OTP control is requested by the LDAP client, OTP is
explicitly required
- when EnforceLDAPOTP is set in the IPA configuration, OTP is implicitly
required, regardless of the state of LDAP client
In either case, only users with 'user-auth-type: otp' are allowed to
authenticate.
If these users have no OTP token associated yet, they will be allowed to
authenticate with their password. This is to allow initial password
change and adding an OTP token.
----------------------------------------------------------------------
Implement a test that simulates the lifecycle of a new user who gets to
change their password before adding an OTP token.
Related: https://pagure.io/freeipa/issue/5169
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
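The enforcement rules between the dashed lines above can be written down as a small decision function. The following is an added illustrative model of that logic (not ipa-pwd-extop's code); the record shapes, the function names and the "ordinary password bind when OTP is not required" branch are assumptions made for the example, the other rules follow the commit message.

```python
# Illustrative model of the OTP-over-LDAP-bind decision described in commit
# 051d61fd. Added example, not ipa-pwd-extop's own code; names and record
# shapes are assumptions.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class BindContext:
    otp_control_requested: bool  # the LDAP client sent the OTP control
    enforce_ldap_otp: bool       # EnforceLDAPOTP is set in the IPA config


@dataclass(frozen=True)
class User:
    auth_types: FrozenSet[str]   # user-auth-type values, e.g. {"otp"}
    token_count: int             # OTP tokens currently assigned


def otp_required(ctx: BindContext) -> bool:
    """OTP is required explicitly (control) or implicitly (config)."""
    return ctx.otp_control_requested or ctx.enforce_ldap_otp


def bind_decision(ctx: BindContext, user: User,
                  password_ok: bool, otp_ok: bool) -> Tuple[bool, str]:
    """Return (accepted, reason) for one simple bind attempt.

    password_ok / otp_ok are the outcomes of verifying the factors the
    client actually supplied (otp_ok is False when no OTP was sent).
    """
    if not otp_required(ctx):
        # Assumption: without the control or EnforceLDAPOTP this is an
        # ordinary password bind.
        return (password_ok, "password bind" if password_ok else "bad password")
    if "otp" not in user.auth_types:
        # OTP is required, so only users enabled for OTP may bind at all.
        return (False, "otp required but user is not enabled for otp")
    if user.token_count == 0:
        # Bootstrap case: no token yet, so the password alone is accepted to
        # let the user change it and enroll a token.
        return (password_ok, "password accepted, no token enrolled yet"
                if password_ok else "bad password")
    if password_ok and otp_ok:
        return (True, "password + otp accepted")
    return (False, "password + otp required")


def simulate_lifecycle() -> List[Tuple[bool, str]]:
    """Constructed scenario mirroring the test described in the commit:
    a new OTP user binds with only a password, enrolls a token, and from
    then on needs both factors."""
    ctx = BindContext(otp_control_requested=False, enforce_ldap_otp=True)
    fresh = User(auth_types=frozenset({"otp"}), token_count=0)
    enrolled = User(auth_types=frozenset({"otp"}), token_count=1)
    return [
        bind_decision(ctx, fresh, password_ok=True, otp_ok=False),
        bind_decision(ctx, enrolled, password_ok=True, otp_ok=False),
        bind_decision(ctx, enrolled, password_ok=True, otp_ok=True),
    ]


if __name__ == "__main__":
    for accepted, reason in simulate_lifecycle():
        print("ACCEPT" if accepted else "REJECT", "-", reason)
```

The point worth checking in a deployment is the bootstrap branch: it only relaxes the requirement for accounts that have the otp auth type and no token at all, so an account that already has a token never falls back to password-only over LDAP.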
8b703150 by Anuja More at 2024-07-17T09:11:13+02:00
ipatests: Test replica installation using AD admin.
Test to verify that replica connection check is not failing when
the AD administrator Administrator at AD.EXAMPLE.COM is
used for the deployment or promotion of a replica
Related: https://pagure.io/freeipa/issue/9542
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
85a853ba by Mark Reynolds at 2024-07-17T09:17:17+02:00
Issue 9621 - ipa-migrate - should not update mapped attributes in managed entries
We should not migrate mapped attributes (uidNumber, gidNumber) from
managed entries
We should also not migrate DNA ranges in staging mode
Fixes: https://pagure.io/freeipa/issue/9621
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
de940802 by Florence Blanc-Renaud at 2024-07-19T08:39:21-04:00
ipatests: remove xfail for test_ipa_migrate_version_option
The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1::
test_ipa_migrate_version_option is now passing, issue has been fixed.
The -V option has been removed.
Related: https://pagure.io/freeipa/issue/9620
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sudhir Menon <sumenon at redhat.com>
- - - - -
6eb6a929 by Florence Blanc-Renaud at 2024-07-19T08:39:21-04:00
ipatests: remove xfail for test_ipa_migrate_stage_mode
The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1
::test_ipa_migrate_stage_mode is now passing, the issue has been fixed.
Related: https://pagure.io/freeipa/issue/9621
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sudhir Menon <sumenon at redhat.com>
- - - - -
d1a485a4 by Julien Rische at 2024-07-19T08:44:49-04:00
Unconditionally add MS-PAC to global config on update
Fixes: https://pagure.io/freeipa/issue/9632
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
9f881882 by Julien Rische at 2024-07-19T08:44:49-04:00
Remove RC4 and 3DES default encryption types on update
Fixes: https://pagure.io/freeipa/issue/9633
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
fdd471d5 by Rob Crittenden at 2024-07-22T09:57:34-04:00
Fix a copy/paste issue when detecting the HSM SELinux subpackage
I made a mistake when trying to detect which HSM is being used
to ensure that the appropriate SELinux subpackage is installed.
Fixes: https://pagure.io/freeipa/issue/9636
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
2ddca5d5 by Florence Blanc-Renaud at 2024-07-31T08:25:30+02:00
spec file: do not use nodejs-22 on f39 and f40
Nodejs22 has been released on f39 and f40 and freeipa fails
to build with this version. Nodejs22 will be the default version
in f41+ and adds a symlink from /usr/bin/node-22 to /usr/bin/node
but on older fedora versions, the symlink is not created.
As our build is using /usr/bin/node command, it fails with
command not found.
Stick to Nodejs 20 on these older versions.
Fixes: https://pagure.io/freeipa/issue/9643
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0e4fbc3b by Mark Reynolds at 2024-07-31T16:14:49-04:00
ipa-migrate - properly handle invalid certificates
A ValueError is raised when an invalid certificate is used, so the tool
should handle this properly and not produce a stack trace.
Fixes: https://pagure.io/freeipa/issue/9642
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f03a96a7 by Rob Crittenden at 2024-07-31T16:17:27-04:00
ipatests: Fix usage of token_password_file
There were a few hardcoded places where it was set to
/tmp/token_passwd instead of using the class variable.
Don't rely on previous running tests installing the token
password file so they can be run individually.
Fixes: https://pagure.io/freeipa/issue/9603
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
38b83c2b by Rob Crittenden at 2024-07-31T16:19:02-04:00
Run HSM validation as pkiuser to verify token permissions
Run all commands as pkiuser when validating that the HSM token
is available, that the token library path is correct and that
the password can read keys. This will avoid issues where the
initial validation is ok but the pkiuser is not granted read
access to some part of the token. This is very possible
when using softhsm2.
Fixes: https://pagure.io/freeipa/issue/9626
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
531bd05d by Alexander Bokovoy at 2024-07-31T16:20:31-04:00
ipalib/x509.py: support Cryptography 43
Cryptography 43 added two new abstract methods to Certificate class of
which we are using one, public_key_algorithm_oid.
Fixes: https://pagure.io/freeipa/issue/9641
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7f9c890c by Alexander Bokovoy at 2024-07-31T16:20:31-04:00
ipalib/x509.py: get rid of unicode helper
Pylint started to complain that 'unicode' variable is accessed before
definition. This is clearly a bug in how 'six' and pylint are working
together.
Replace use of 'unicode()' by 'str()'.
Fixes: https://pagure.io/freeipa/issue/9644
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fc029043 by Alexander Bokovoy at 2024-07-31T16:20:31-04:00
ipalib/constants.py: factor out TripleDES use
Cryptography 43 started to warn that in version 48 it will remove
TripleDES support. Change the code to detect missing TripleDES algorithm
and do not fail.
Related: https://pagure.io/freeipa/issue/9641
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7b5f3d79 by Alexander Bokovoy at 2024-07-31T16:20:31-04:00
Get rid of unicode and long helpers in ipa-otptoken-import
Related: https://pagure.io/freeipa/issue/9641
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
aadb8051 by Florence Blanc-Renaud at 2024-08-01T09:51:11+02:00
Replica CA installation: ignore time skew during initial replication
During a replica CA installation, the initial replication step may fail
if there is too much time skew between the server and replica.
The replica installer already takes care of this for the replication of
the domain suffix but the replica CA installer does not set
nssldapd-ignore-time-skew to on for o=ipaca suffix.
During a replica CA installation, read the initial value of
nssldapd-ignore-time-skew, force it to on, start replication and
revert to the initial value.
Apply the same logic to dsinstance and ipa-replica-manage force-sync.
Fixes: https://pagure.io/freeipa/issue/9635
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ffba6964 by Rob Crittenden at 2024-08-05T14:50:10+02:00
Force a logout in KerberosSession if a login is needed
Remove the client side cookie if a user possesses an IPA session
cookie and the associated credentials can't be found on the
server.
This handles the case where the ccaches are removed for some reason
(maybe cleanup, maybe a container was restarted) and allows for
a successful SSO if the user's Kerberos ticket is still valid.
Without this change the user is always dropped into the
username/password dialog. The only workaround is to remove
the cookie on the client side.
Fixes: https://pagure.io/freeipa/issue/9624
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e83d949c by Rob Crittenden at 2024-08-05T14:52:12+02:00
Log errors reported by adtrustinstance.check_inst() using logger
It previously only printed the issue which made troubleshooting
after the fact difficult. Using logger.error() provides the same
visual functionality but also logs to the server install log.
Fixes: https://pagure.io/freeipa/issue/9637
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
81401e6c by Florence Blanc-Renaud at 2024-08-05T21:23:27+02:00
ipatests: increase the timeout for test_hsm.py::TestHSMInstall
The test is often failing on timeout. Add 15min to the test definitions.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ee96c129 by Mohammad Rizwan at 2024-08-08T13:37:42+02:00
ipatests: Verify that SIDgen task continues even if it fails to assign sid
related: https://pagure.io/freeipa/issue/9618
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
8046023f by Sudhir Menon at 2024-08-08T16:20:26+02:00
ipatests: ipa-migrate tool with -Z option (CACERTFILE)
This patch adds tests to check the scenarios associated with
pagure tickets
https://pagure.io/freeipa/issue/9642 - ipa-migrate - properly handle invalid certificates
https://pagure.io/freeipa/issue/9619 - ipa-migrate starttls does not work
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
84751a26 by Florence Blanc-Renaud at 2024-08-12T07:42:33+02:00
ipatests: skip HSM test if pki < 11.5.9
The test TestHSMNegative should be skipped if PKI is too old,
but its uninstall method does not check the PKI version.
Add a call to check_version in the class uninstall method.
Fixes: https://pagure.io/freeipa/issue/9648
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
1fc63e2b by Florence Blanc-Renaud at 2024-08-14T17:05:16+02:00
HSM: fix the module name
During the server installation, the installer checks if the
SElinux policy module for the specific hardware is detected. The
current code mixed up SElinux policy module name and RPM
package name and resulted in a false warning that the module
was missing.
The module name is ipa-nfast or ipa-luna, not ipa-selinux-nfast
or ipa-selinux-luna.
The name is defined in the spec file as %{module}-nfast
and module=ipa.
Fixes: https://pagure.io/freeipa/issue/9636
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f37c2eb8 by Florence Blanc-Renaud at 2024-08-14T18:34:48+02:00
trust-add: handle unavailable domain
When ipa trust-add fails to retrieve the remote domain information,
it exits with "an internal error has occurred".
Handle the case with a better error message.
Fixes: https://pagure.io/freeipa/issue/9488
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5cc7941f by Rob Crittenden at 2024-08-15T10:03:40+02:00
Correct usage of public_key_algorithm_oid in ipalib/x509
public_key_algorithm_oid is a property of the underlying Certificate object
that is not supposed to be callable. I missed that it contained
() at the end.
Fixes: https://pagure.io/freeipa/issue/9641
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d0684a7e by Rob Crittenden at 2024-08-15T10:03:40+02:00
Ignore TripleDES python-cryptography import warnings
TripleDES will be deprecated in python-cryptography 48.0.0. We
have code that uses it if it is available and otherwise ignores
it.
Because this gets imported in constants.py this warning is prominent
pretty much everywhere. So let's ignore it since we already handle
the issue.
Related: https://pagure.io/freeipa/issue/9641
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
21c6ccc9 by Rob Crittenden at 2024-08-16T07:18:33+02:00
Fix some resource leaks identified by a static analyzer
Fixes: https://pagure.io/freeipa/issue/9367
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
ed813fe6 by Sudhir Menon at 2024-08-16T17:14:03+02:00
ipatests: Replace 'usermod -r' command with 'gpasswd -d' in test_hsm.py
Test 'test_hsm_negative_bad_token_dir_permissions'
was failing in RHEL because of the below error.
"ipa: ERROR: stderr: usermod: invalid option -- 'r'"
Hence replaced the usermod command with gpasswd, which does the same and
works on both RHEL and Fedora.
Ref: https://pagure.io/freeipa/issue/9626
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f5c72372 by Sudhir Menon at 2024-08-21T16:59:22+02:00
ipatests: Test to check that the configured value for "nsslapd-ignore-time-skew" remains on even after a "force-sync" is done
Related: https://pagure.io/freeipa/issue/9635
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c7da7e0d by Rob Crittenden at 2024-08-21T11:06:37-04:00
Become IPA v4.12.2
- - - - -
30 changed files:
- .lgtm.yml
- .wheelconstraints.in
- ACI.txt
- API.txt
- Contributors.txt
- Makefile.am
- VERSION.m4
- client/ipa-getkeytab.c
- client/ipa-rmkeytab.c
- client/man/ipa.1
- client/share/ssh_ipa.conf.template
- configure.ac
- daemons/ipa-kdb/Makefile.am
- daemons/ipa-kdb/README.s4u2proxy.txt
- daemons/ipa-kdb/ipa-print-pac.c
- daemons/ipa-kdb/ipa_kdb.c
- daemons/ipa-kdb/ipa_kdb.h
- daemons/ipa-kdb/ipa_kdb_delegation.c
- daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
- daemons/ipa-kdb/ipa_kdb_mspac.c
- daemons/ipa-kdb/ipa_kdb_mspac_private.h
- daemons/ipa-kdb/ipa_kdb_mspac_v6.c
- daemons/ipa-kdb/ipa_kdb_mspac_v9.c
- daemons/ipa-kdb/ipa_kdb_principals.c
- daemons/ipa-otpd/bind.c
- daemons/ipa-otpd/forward.c
- daemons/ipa-sam/ipa_sam.c
- daemons/ipa-slapi-plugins/common/util.h
- daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
- daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/e18ac3538e2f06f82a1f4eda7980e56e91017d47...c7da7e0dc979c2ecd834a0727114f53cdf878297