Commit Graph

6495 Commits

Author SHA1 Message Date
Rob Crittenden
0070c0feda Change the way we determine if the host has a password set.
When creating a host with a password we don't set a Kerberos
principal or add the Kerberos objectclasses. Those get added when the
host is enrolled. If one passed in --password= (so no password) then
we incorrectly thought the user was in fact setting a password, so the
principal and objectclasses weren't updated.

https://fedorahosted.org/freeipa/ticket/4102
2014-01-15 10:02:49 +01:00
Ana Krivokapic
689382dc83 Enable Retro Changelog and Content Synchronization DS plugins
Enable Retro Changelog and Content Synchronization DS plugins which are required
for SyncRepl support.

Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+.

https://fedorahosted.org/freeipa/ticket/3967
2014-01-14 16:37:56 +01:00
Tomas Babej
3e1386a57e acl: Remove krbPrincipalExpiration from list of admin's excluded attrs
Since we're exposing the krbPrincipalExpiration attribute for direct
editing in the CLI, remove it from the list of attributes that
admin cannot edit by default.

Part of: https://fedorahosted.org/freeipa/ticket/3306
2014-01-14 15:22:27 +01:00
Ana Krivokapic
367c130185 Make sure state of services is preserved after client uninstall
IPA client installation did not preserve the status of nscd and nslcd services
correctly. E.g. nscd would be started after uninstallation, even though it
wasn't running before client installation. Make sure the state of services is
saved before installation and correctly restored after uninstallation.

https://fedorahosted.org/freeipa/ticket/3790
2014-01-14 09:28:39 +01:00
Jan Cholasta
f7128b9c03 Use raw LDAP data in ldapupdate.
https://fedorahosted.org/freeipa/ticket/3488
2014-01-10 14:41:40 +01:00
Jan Cholasta
c86d9f33c9 Do not crash on bad LDAP data when formatting decode error message.
https://fedorahosted.org/freeipa/ticket/3488
2014-01-10 14:41:40 +01:00
Jan Cholasta
d6c3d3f57a Store old entry state in dict rather than LDAPEntry.
https://fedorahosted.org/freeipa/ticket/3488
2014-01-10 14:41:39 +01:00
Jan Cholasta
4284a8349b Remove legacy LDAPEntry properties data and orig_data.
https://fedorahosted.org/freeipa/ticket/3488
2014-01-10 14:41:39 +01:00
Jan Cholasta
aa66cd5f35 Remove unused LDAPClient methods get_syntax and get_single_value.
https://fedorahosted.org/freeipa/ticket/3488
2014-01-10 14:41:39 +01:00
Jan Cholasta
61887ac392 Add LDAPEntry method generate_modlist.
Use LDAPEntry.generate_modlist instead of LDAPClient._generate_modlist and
remove LDAPClient._generate_modlist.

https://fedorahosted.org/freeipa/ticket/3488
2014-01-10 14:41:39 +01:00
Jan Cholasta
9d4bcb63de Reduce amount of LDAPEntry.reset_modlist calls in ldapupdate.
https://fedorahosted.org/freeipa/ticket/3488
2014-01-10 14:41:39 +01:00
Jan Cholasta
21fab665f4 Use LDAPClient.update_entry for LDAP mods in ldapupdate.
Remove legacy IPAdmin methods generateModList and updateEntry.

https://fedorahosted.org/freeipa/ticket/3488
2014-01-10 14:41:39 +01:00
Jan Cholasta
8d67acc026 Make IPASimpleLDAPObject.get_single_value result overridable.
Add some default overrides.

https://fedorahosted.org/freeipa/ticket/3488
2014-01-10 14:41:39 +01:00
Jan Cholasta
c98cff25ab Move LDAPClient method get_single_value to IPASimpleLDAPObject.
Refactor IPASimpleLDAPObject methods get_syntax and get_single_value.

https://fedorahosted.org/freeipa/ticket/3488
2014-01-10 14:41:39 +01:00
Jan Cholasta
24d85f15ee Use old entry state in LDAPClient.update_entry.
https://fedorahosted.org/freeipa/ticket/3488
2014-01-10 14:41:39 +01:00
Jan Cholasta
7b3d9be388 Rename LDAPEntry method commit to reset_modlist.
https://fedorahosted.org/freeipa/ticket/3488
2014-01-10 14:38:29 +01:00
Nathaniel McCallum
d1873a5a13 Add rpmbuild/ to .gitignore 2014-01-10 13:07:54 +01:00
Martin Kosek
faa820f39e hbactest does not work for external users
Original patch for ticket #3803 implemented support to resolve SIDs
through SSSD. However, it also broke hbactest for external users. The
result of the updated external member group search must be local
non-external groups, not the external ones. Otherwise the rule is not
matched.

https://fedorahosted.org/freeipa/ticket/3803
2014-01-10 12:55:44 +01:00
Martin Kosek
554d43d689 Revert restart scripts file permissions change
Previous commit accidentally added executable permission to
restart_pkicad and stop_pkicad.
2014-01-08 09:54:53 +01:00
Jan Cholasta
911f5e9eb7 PKI service restart after CA renewal failed
Fix both the service restart procedure and registration of old
pki-cad well known service name.

This patch was adapted from original patch of Jan Cholasta 178 to
fix ticket 4092.

https://fedorahosted.org/freeipa/ticket/4092
2014-01-08 09:47:23 +01:00
Petr Viktorin
4a64a1f18b Allow anonymous and all permissions
Disallow adding permissions with non-default bindtype to privileges

Ticket: https://fedorahosted.org/freeipa/ticket/4032
Design: http://www.freeipa.org/page/V3/Anonymous_and_All_permissions
2014-01-07 09:56:41 +01:00
Petr Viktorin
d7f5d58d35 Use new registration API in the privilege plugin 2014-01-07 09:56:36 +01:00
Petr Viktorin
7ec4d58bf7 cli.print_attribute: Convert values to strings
When output_for_cli was called directly, rather than for values
received through XML or JSON API, joining multiple values failed
on non-strings such as DN objects.

Convert output to strings before printing it out.
2014-01-03 14:11:33 +01:00
Martin Kosek
0accfabfa3 Increase Java stack size on s390 platforms
As reported in https://bugzilla.redhat.com/show_bug.cgi?id=1040576,
the default stack trace needs to be also increased on s390 platforms
to prevent rhino segfault.
2014-01-03 13:56:05 +01:00
Xiao-Long Chen
5e96fbc22a Use /usr/bin/python2
Part of the effort to port FreeIPA to Arch Linux,
where Python 3 is the default.

FreeIPA hasn't been ported to Python 3, so the code must be modified to
run /usr/bin/python2

https://fedorahosted.org/freeipa/ticket/3438

Updated by pviktori@redhat.com
2014-01-03 09:46:05 +01:00
Tomas Babej
2a2f5ac4e6 Fix incorrect path in error message on sysrestore failure
On sysrestore failure, user is prompted out to remove the sysrestore
file. However, the path to the sysrestore file mentioned in the
sentence is not correct.

https://fedorahosted.org/freeipa/ticket/4080
2013-12-20 16:04:22 +01:00
Jan Cholasta
1357eade4c Prevent garbage from readline on standard output of dogtag-ipa-retrieve-agent.
https://fedorahosted.org/freeipa/ticket/4064
2013-12-20 14:31:05 +01:00
Nathaniel McCallum
397b2876e2 Add OTP support to ipalib CLI
https://fedorahosted.org/freeipa/ticket/3368
2013-12-18 09:58:59 +01:00
Petr Viktorin
1a9beac1be permission_find: Do not fail for ipasearchrecordslimit=-1
ipasearchrecordslimit can be -1, which means unlimited.
The permission_find post_callback failed in this case in legacy
permission handling.
Do not fail in this case.
2013-12-17 12:29:56 +01:00
Jan Cholasta
bc3f3381c6 Convert remaining backend code to LDAPEntry API. 2013-12-16 14:44:19 +01:00
Petr Viktorin
acede580e1 Remove default from the ipapermlocation option
The value from my machine ended up wired into API.txt,
so builds on other machines would fail.

Correct the mistake.
2013-12-13 16:32:39 +01:00
Martin Kosek
f9aad573b1 Increase Java stack size on PPC platforms
Wit the default stack size, rhino segfaulted on PPC platforms.

https://bugzilla.redhat.com/show_bug.cgi?id=1040576
2013-12-13 15:22:55 +01:00
Petr Vobornik
ccac000012 Increase stack size for Web UI builder
Web UI build fails on some architectures or configuration due to
StackOverflow. This patch increases the stack size to solve it.

512k is usually enough but we encountered fail on ppc64 even with 2m,
therefore the 8m. The build is single threaded so it shouldn't waste
much memory.
2013-12-13 15:17:48 +01:00
Petr Viktorin
423bb38965 Test adding noaci/system permissions to privileges
Part of the work for: https://fedorahosted.org/freeipa/ticket/4034
2013-12-13 15:08:52 +01:00
Petr Viktorin
d38748d64f Make sure SYSTEM permissions can be retreived with --all --raw
Part of the work for: https://fedorahosted.org/freeipa/ticket/4034
2013-12-13 15:08:52 +01:00
Petr Viktorin
7fc35ced1d permission plugin: Ensure ipapermlocation (subtree) always exists 2013-12-13 15:08:52 +01:00
Petr Viktorin
53caa7aca2 Roll back ACI changes on failed permission updates 2013-12-13 15:08:52 +01:00
Petr Viktorin
f47669a5b9 Verify ACIs are added correctly in tests
To double-check the ACIs are correct, this uses different code
than the new permission plugin: the aci_show command.
A new option, location, is added to the command to support
these checks.
2013-12-13 15:08:52 +01:00
Petr Viktorin
d7ee87cfa1 Rewrite the Permission plugin
Ticket: https://fedorahosted.org/freeipa/ticket/3566
Design: http://www.freeipa.org/page/V3/Permissions_V2
2013-12-13 15:08:52 +01:00
Petr Viktorin
445634d6ac Add new permission schema
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Design: http://www.freeipa.org/page/V3/Permissions_V2
2013-12-13 15:08:51 +01:00
Petr Viktorin
8ddb5da1ea Add tests for permission plugin with older clients
These tests use an old API version, which triggers
backwards-compatible behavior in the plugin.
2013-12-13 15:08:51 +01:00
Petr Viktorin
a1236b6542 Allow Declarative test classes to specify the API version
This makes it possible to test behavior with older clients.
2013-12-13 15:08:51 +01:00
Petr Viktorin
a8ba5e0ef9 Allow sets for initialization of frozenset-typed Param keywords
Lists and tuples are already allowed for convenience; it is easier to write
(1, 2, 3) or [1, 2, 3] than frozenset([1, 2, 3]).
This allows the set literal syntax, {1, 2, 3}, as well.
2013-12-13 15:08:51 +01:00
Alexander Bokovoy
73e7a6c409 trust: fix get_dn() to distinguish creating and re-adding trusts
Latest support for subdomains introduced regression that masked
difference between newly added trust and re-added one.

Additionally, in case no new subdomains were found, the code was
returning None instead of an empty list which later could confuse
trustdomain-find command.

https://fedorahosted.org/freeipa/ticket/4067
2013-12-11 13:33:15 +01:00
Tomas Babej
71481a0aa4 ipa-cldap: Cut NetBIOS name after 15 characters
The CLDAP DS plugin uses the uppercased first segment of the fully
qualified hostname as the NetBIOS name. We need to limit its size
to 15 characters.

https://fedorahosted.org/freeipa/ticket/4028
2013-12-11 13:23:38 +01:00
Petr Viktorin
f2ee8a7403 test_webui: Allow False values in configuration for no_ca, no_dns, has_trusts
The driver only checked if the corresponding value was in the config, so
    no_dns: False
had the same effect as
    no_dns: True

Change the check to take the value into consideration.

This makes false-y values like False (from YAML) and empty string
(from environment) work as if the value was not specified.
2013-12-10 15:42:33 +01:00
Petr Viktorin
b656398415 Regression test for user_status crash
https://fedorahosted.org/freeipa/ticket/4066
2013-12-10 15:34:45 +01:00
Jan Cholasta
36502a6367 Fix internal error in the user-status command.
https://fedorahosted.org/freeipa/ticket/4066
2013-12-10 15:34:45 +01:00
Martin Kosek
1e0405880f Consolidate .gitignore entries
Clean up the .gitignore file:
- Remove no longer used .gitignore entries, like .bzr files
- Do not repeat autotools generated files over and over again
- Whitelist existent Makefiles in the repository
- Better separate the .gitignore entries
2013-12-10 10:28:38 +01:00
Tomas Babej
89ab877c5c ipa-client-install: Always pass hostname to the ipa-join
The ipa-client-install script and ipa-join use different methods
of resolving the hostname, the former uses gethostbyaddr() call,
while the latter reads the "uinfo.nodename".

This can result ipa-client-install failures in case of broken PTR
records.

https://fedorahosted.org/freeipa/ticket/4027
2013-12-09 13:34:39 +01:00