authconfig in config_redhat_nss_ldap and config_redhat_nss_pam_ldapd got
new option --enableldaptls
It should have effect primarily on el5 systems.
https://fedorahosted.org/freeipa/ticket/5654
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Currently in an environment with trust to AD the compat tree does not
show AD users as members of IPA groups. The reason is that IPA groups
are read directly from the IPA DS tree and external groups are not
handled.
slapi-nis project has added support for it in 0.55, make sure we update
configuration for the group map if it exists and depend on 0.55 version.
https://fedorahosted.org/freeipa/ticket/4403
Reviewed-By: Tomas Babej <tbabej@redhat.com>
PTR records are not mandratory for IPA, result fo checks should be only
warning not hard error.
https://fedorahosted.org/freeipa/ticket/5686
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
The scripts in this directory are simple python scripts, nothing arch-specific
in them. Having them under libexec would simplify the code a bit too, since
there would be no need to worry about lib vs lib64 (which also cause trouble
on Debian).
https://fedorahosted.org/freeipa/ticket/5586
Reviewed-By: David Kupka <dkupka@redhat.com>
This permission cannot be MANAGED permission because it is located in
nonreplicating part of the LDAP tree.
As side effect, the particular ACI has not been created on all replicas.
This commit makes Read Replication Agreements non managed permission and
also fix missing ACI on replicas.
https://fedorahosted.org/freeipa/ticket/5631
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Attributes are added to IPA error objects dynamicaly and pylint is not
able to handle it itself. Add missing attributes to definitions in
pylint plugin.
https://fedorahosted.org/freeipa/ticket/5615
Reviewed-By: David Kupka <dkupka@redhat.com>
Newer versions of sssd use native IPA schema to process sudo rules.
However, this schema currently has no support for hostmask-based rules
and causes some sudo CI tests to fail. We have to temporarily set
sssd.conf to use ou=sudoers,$SUFFIX as a sudo rule search base when
executing them.
https://fedorahosted.org/freeipa/ticket/5625
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Don't put any IPA certificates to /etc/pki/nssdb - IPA itself uses
/etc/ipa/nssdb and IPA CA certificates are provided to the system using
p11-kit. Remove leftovers on upgrade.
https://fedorahosted.org/freeipa/ticket/5592
Reviewed-By: David Kupka <dkupka@redhat.com>
Fixes issues discovered by Coverity
plugins/baseldap.py: possible undefined value in return
certmonger.py: possible dereference of None value
i18n.py: fixed always True bug (+ cosmetic change)
https://fedorahosted.org/freeipa/ticket/5661
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fixes some Coverity issues
ipadiscovery.py: added assert should universe break
plugins/dns.py: removed dead code
dnssec/ldapkeydb.py: attribute assert in the proper object
test_automount_plugin.py: fixed possible close() on None
xmlrpc_test.py: Coverity does not like accessing None.__class__
https://fedorahosted.org/freeipa/ticket/5661
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
DS restart executed by upgrade plugin causes that upgrade framework
is waiting for the improper socket. It leads to TimeoutError because
DS is not listening on 389 port during upgrade. This commit fixes the issue.
Required for: https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Detect missing ipaNTSecurityIdentifier and print message for a user,
that the trust is broken as result of trust-show and trust-find commands.
https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Trust entries were found by presence of ipaNTSecurityIdentifier
attribute. Unfortunately this attribute might not be there due the bug.
As replacement for this, attribute ipaNTTrustPartner can be used.
Note: other non trust entries located in cn=trusts subtree can be
cross-realm principals.
https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
During upgrade to IPA 4.2, literally "$SUFFIX" value was added to
configuration of sidgen and extdom plugins. This cause that SID are not properly configured.
Upgrade must fix "$SUFFIX" to reals suffix DN, and run sidgen task
against IPA domain (if exists).
All trusts added when plugins configuration was broken must be re-added.
https://fedorahosted.org/freeipa/ticket/5665
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Py3 does not support iter* methods, this commit replaces 2 occurencies
of iteritems() to items(). The dictionaries there are not big, this is
sufficient we do not need to use six.
https://fedorahosted.org/freeipa/ticket/5623
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
New checks have been introduced in pylint 1.5 and many of them are not
compatible with IPA code or produce false positives.
Disable them all.
Note: due older versions of pylint, new checks cannot be disabled
locally, must be disabled globally.
https://fedorahosted.org/freeipa/ticket/5615
Reviewed-By: David Kupka <dkupka@redhat.com>
During IPA server upgrade, the migration of Dogtag profiles into LDAP
backend was bound to the update of CS.cfg which enabled the LDAP profile
subsystem. If the subsequent profile migration failed, the subsequent
upgrades were not executing the migration code leaving CA subsystem in
broken state. Therefore the migration code path should be executed
regardless of the status of the main Dogtag config file.
https://fedorahosted.org/freeipa/ticket/5682
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
similar issue and cause as in https://fedorahosted.org/freeipa/ticket/5567
root cause is that binding triggers validation which clears messages in
validation summary. Maybe it could be refactored in a future to not use
the same validation summary field for API calls and fields.
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Checkbox label is no longer clickable, most tests fail with error like this:
AssertionError: Can't click on checkbox label: table.table
Message: Element is not clickable at point (37, 340.3999938964844). Other element would receive the click:
<input class="standalone" id="cn18" value="itest-group" name="cn" type="checkbox">
The checkbox is clickable directly without the label, this patch provides according fix.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
- Use binascii.hexlify instead of encode('hex')
- Keep the library name as a text string instead of encoding to bytes
https://fedorahosted.org/freeipa/ticket/5638
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Python defaults to 'w+b', but all callers in IPA write use text (as
opposed to bytes).
https://fedorahosted.org/freeipa/ticket/5638
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, the error message from the decimal module is
less clear than before.
(It's apparently the price to pay for speed -- Python3 uses
libmpdec as its Decimal implementation by default.)
Don't check for the exact error message.
https://fedorahosted.org/freeipa/ticket/5638
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
If number of servers (master+replicas) is equal to 4 + SUM(1, n, 2^n*5) for
any n >= 0:
* every server has replication agreement with 2 - 4 other servers.
* at least two agreements must fail in order to disconnect the topology.
Otherwise there can be server(s) with single agreement on the edge of the
topology.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Message was printed only to stdout and leaves ipaupgrade.log without any
record that ipa-server-upgrade failed because ipa server is not
installed.
Now error is passed to logger which prints meassage to stderr and
ipaupgrade.log.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
