Commit Graph

3245 Commits

Author SHA1 Message Date
Fraser Tweedale
e1df2e0792 cert-request: accept CSRs with extraneous data
The cert-request command used to accept CSRs that had extra data
surrounding the PEM data, e.g. commentary about the contents of the
CSR.  Recent commits that switch to using python-cryptography for
cert and CSR handling broke this.  Our acceptance tests use such
CSRs, hence the tests are now failing.

To avoid the issue, freshly encode the python-cryptography
CertificateSigningRequest object as PEM.  This avoids re-using the
user-supplied data, in case it has extraneous data.

Fixes: https://fedorahosted.org/freeipa/ticket/6472
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-11-11 15:42:26 +01:00
Jan Cholasta
a8fdb8de82 install: introduce installer class hierarchy
Add class hierarchy which allows inherting knob definitions between the
various client and server install scripts.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-11-11 12:17:25 +01:00
Fraser Tweedale
b0430b67dc Remove __main__ code from ipalib.x509 and ipalib.pkcs10
This code was presumably once used for testing, but has been
subsumed by the actual test suite.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Fraser Tweedale
db116f73fe x509: use python-cryptography to process certs
Update x509.load_certificate and related functions to return
python-cryptography ``Certificate`` objects.  Update the call sites
accordingly, including removal of NSS initialisation code.

Also update GeneralName parsing code to return python-cryptography
GeneralName values, for consistency with other code that processes
GeneralNames.  The new function, `get_san_general_names`, and
associated helper functions, can be removed when python-cryptography
provides a way to deal with unrecognised critical extensions.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Fraser Tweedale
c57dc890b2 x509: use pyasn1-modules X.509 specs
Remove our hand-rolled pyasn1 specifications for X.509 in favour of
those provided by the pyasn1-modules library.

This also avoids a bug in our _Extension spec wherein parsing fails
if the 'critical' field is absent.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Fraser Tweedale
44c2d685f0 x509: avoid use of nss.data_to_hex
Avoid use of the nss.data_to_hex function for formatting certificate
fingerprints.  Add our own helper functions to format the
fingerprints as hex (with colons).

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Fraser Tweedale
85487281cd pkcs10: remove pyasn1 PKCS #10 spec
In the dogtag-ipa-ca-renew-agent-submit certmonger renewal helper,
we currently use our hand-rolled PKCS #10 pyasn1 specification to
parse the friendlyName out of CSRs generated by certmonger (it
contains the NSSDB nickname of the cert).

Use other information from the renewal helper process environment to
determine the nickname and remove our PKCS #10 pyasn1 spec.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Fraser Tweedale
66637f766d pkcs10: use python-cryptography for CSR processing
Update ``ipalib.pkcs10`` module to use python-cryptography for CSR
processing instead of NSS.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-11-10 10:21:47 +01:00
Petr Spacek
8de11b091f Build: Makefiles for Python packages
This version builds only one version of Python packages. If you want to
build for Python 2 & 3 call configure twice using different --with-python
or specify PYTHON variable when calling make.

dist-hook is using SOURCES.txt file from egg-info.
According to Petr Viktorin this should be enough for our purposes
and avoids need to create plugins for setuptools.

Currently VPATH builds do not work for various reasons.
This should be fixed later on.

Most credit goes to these guys:
 Christian Heimes <cheimes@redhat.com>
 Petr Viktorin <pviktori@redhat.com>
 Kevin Brown <kevin@kevin-brown.com>

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-11-09 13:08:32 +01:00
Tomas Krizek
e2780b2106 ldap2: change default time/size limit
* Set default time_limit and size_limit in ldap2 to unlimited.
* Set time_limit and size_limit to None in backend. This will respect
    ipaconfig values.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-11-07 11:34:03 +01:00
Christian Heimes
91920e7cb4 Add __name__ == __main__ guards to setup.pys
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2016-10-25 18:11:31 +02:00
Simo Sorce
2f567f0e8e Fix error message encoding
- Use the correct unicode string for an error message, otherwise an
exception will generate another exception about incorrect type,
masking the original error.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-10-25 14:01:06 +02:00
Jan Cholasta
0d370a959b pylint: enable the import-error check
Check for import errors with pylint to make sure new python package
dependencies are not overlooked.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-24 14:11:08 +02:00
Christian Heimes
4cd83fb51c Port all setup.py to setuptools
All setup.py files are now using setuptools through a common file
ipasetup.py. The file is auto-generated and contain all common
settings.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-20 18:43:37 +02:00
Martin Babinsky
29829cc55a remove trailing newlines form python modules
pylint-1.6.4-1.fc26.noarch reports these, hence they should be fixed in order
to build FreeIPA with this version

https://fedorahosted.org/freeipa/ticket/6391

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-12 10:38:52 +02:00
Martin Basti
4628522c53 Pylint: fix the rest of unused local variables
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-10-11 16:50:32 +02:00
Lenka Doudova
c3e3130a35 Tests: Fix failing test_ipalib/test_parameters
Parameters test fails because of KeyError caused by improper manipulation with
kwargs in Param.__init__ method. During initialization, if kwargs['required']
or kwargs['multivalue'] is None, it is delete from dictionary and hence the
missing key. Small change of the condition prevents this from happening.

Partially fixes https://fedorahosted.org/freeipa/ticket/6292

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-10-11 15:51:09 +02:00
Tomas Krizek
0dea726466 ipa: check if provided config file exists
Add a parser check to verify config file supplied to the ipa
command exists. Previously, invalid file paths would not results
in any error and would just silently proceed with default config.

https://fedorahosted.org/freeipa/ticket/6114

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-06 19:21:26 +02:00
Tomas Krizek
d7a2dfddbc ipa: allow relative paths for config file
Remove unnecessary check for absolute file paths for config file.

https://fedorahosted.org/freeipa/ticket/6114

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-10-06 19:21:26 +02:00
Martin Basti
45e3aee352 Pylint: enable check for unused-variables
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors

Enabled check should prevent to leave unused variable in code

Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Martin Basti
0f88f8fe88 Remove unused variables in the code
This commit removes unused variables or rename variables as "expected to
be unused" by using "_" prefix.

This covers only cases where fix was easy or only one unused variable
was in a module

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-09-27 13:35:58 +02:00
Jan Barta
9bc57a01e1 pylint: fix old-style-class
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Jan Barta
275e85d076 pylint: fix unneeded-not
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Jan Barta
36484e8672 pylint: fix simplifiable-if-statement warnings
fix inefficient if statements, enable pylint check

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-09-22 16:52:57 +02:00
Martin Basti
8f8e3d008f Use constant for user and group patterns
User and groups regexp are the same and constant should be used to avoid
any future misconfigurations.

https://fedorahosted.org/freeipa/ticket/5822

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-09-20 17:35:28 +02:00
Martin Basti
1c96ff7a6c Abstract procedures for IP address warnings
Originaly there should be only two occurencees of this warning, one for
server, one for client. But obviously is not possible with current
installers to achive this goal, so I have to extract code to not mess
with 5 times copy and paste.

https://fedorahosted.org/freeipa/ticket/5814

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-09-14 15:30:55 +02:00
Fraser Tweedale
c5cbc8de89 Add HTTPRequestError class
Currently, HTTP requests that respond with status not in the 2xx
range raise RemoteRetrieveError.  The exception includes no
information about the response status.

Add the 'HTTPRequestError' class which extends 'RemoteRequestError'
with an attribute for the response status, and update the Dogtag
RestClient to raise the new error.

Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-07 12:49:28 +02:00
Fraser Tweedale
08b7683130 Track lightweight CAs on replica installation
Add Certmonger tracking requests for lightweight CAs on replica
installation.  As part of this change, extract most of the
lightweight CA tracking code out of ipa-certupdate and into
cainstance.

Fixes: https://fedorahosted.org/freeipa/ticket/6019
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-09-06 12:11:53 +02:00
Jan Cholasta
a3d178b86d cli: use full name when executing a command
Fixes the CLI not to always call the default version of a command even when
the version was explicitly specified.

https://fedorahosted.org/freeipa/ticket/6279

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-09-05 18:03:52 +02:00
Martin Babinsky
82e754e9c5 raise ValidationError when deprecated param is passed to command
https://fedorahosted.org/freeipa/ticket/6190

Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
2016-09-05 09:23:37 +02:00
Fraser Tweedale
a381d888cd x509: include otherName DER value in GeneralNameInfo
We want to include the whole DER value when we pretty-print
unrecognised otherNames, so add a field to the GeneralNameInfo
namedtuple and populate it for otherNames.

Part of: https://fedorahosted.org/freeipa/ticket/6022

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-26 09:09:45 +02:00
Fraser Tweedale
e3acc3659c x509: use NSS enums and OIDs to identify SAN types
GeneralName parsing currently relies heavily on strings from NSS.
Make the code hopefully less brittle by identifying GeneralName
types by NSS enums and, for otherName, the name-type OID also.

Part of: https://fedorahosted.org/freeipa/ticket/6022

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-26 09:09:45 +02:00
Fraser Tweedale
dae82b25bd x509: fix SAN directoryName parsing
The subjectAltName extension parsing code in ipalib.x509 fails on
directoryName values because the Choice structure is not endowed
with an inner type.  Implement the Name structure, whose inner type
is a CHOICE { SEQUENCE OF RelativeDistinguishedName }, to resolve.

Note that the structure still does not get fully parsed; only enough
to recognise the SequenceOf tag and not fail.

Part of: https://fedorahosted.org/freeipa/ticket/6022

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-26 09:09:45 +02:00
Fraser Tweedale
0245d2aadf Move GeneralName parsing code to ipalib.x509
GeneralName parsing code is primarily relevant to X.509.  An
upcoming change will add SAN parsing to the cert-show command, so
first move the GeneralName parsing code from ipalib.pkcs10 to
ipalib.x509.

Part of: https://fedorahosted.org/freeipa/ticket/6022

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-26 09:09:45 +02:00
Christian Heimes
c346a2d1d1 Remove Custodia server keys from LDAP
The server-del plugin now removes the Custodia keys for encryption and
key signing from LDAP.

https://fedorahosted.org/freeipa/ticket/6015

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-24 14:26:57 +02:00
Alexander Bokovoy
6332cb3125 trust: automatically resolve DNS trust conflicts for triangle trusts
For configuration where:
  - AD example.com trusts IPA at ipa.example.com
  - AD example.org trusts AD example.com
  - a trust is tried to be established between ipa.example.com and
    example.org,

there will be a trust topology conflict detected by example.org domain
controller because ipa.example.com DNS namespace overlaps with
example.com DNS namespace.

This type of trust topology conflict is documented in MS-ADTS 6.1.6.9.3.2
"Building Well-Formed msDS-TrustForestTrustInfo Message". A similar
conflict can arise for SID and NetBIOS namespaces. However, unlike SID
and NetBIOS namespaces, we can solve DNS namespace conflict
automatically if there are administrative credentials for example.org
available.

A manual sequence to solve the DNS namespace conflict is described in
https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx.
This sequence boils down to the following steps:

   1. As an administrator of the example.org, you need to add an
exclusion entry for ipa.example.com in the properties of the trust to
example.com
   2. Establish trust between ipa.example.com and example.org

It is important to add the exclusion entry before step 4 or there will
be conflict recorded which cannot be cleared easily right now due to a
combination of bugs in both IPA and Active Directory.

This patchset implements automated solution for the case when we have
access to the example.org's administrator credentials:

   1. Attempt to establish trust and update trust topology information.
   2. If trust topology conflict is detected as result of (1):
   2.1. Fetch trust topology infromation for the conflicting forest
        trust
   2.2. Add exclusion entry to our domain to the trust topology obtained
        in (2.1)
   2.3. Update trust topology for the conflicting forest trust
   3. Re-establish trust between ipa.example.com and example.org

We cannot do the same for shared secret trust and for external trust,
though:

   1. For shared secret trust we don't have administrative credentials
      in the forest reporting the conflict

   2. For the external trust we cannot set topology information due to
      MS-LSAD 3.1.4.7.16 because external trust is non-transitive by
      definition and thus setting topology information will fail.

To test this logic one can use two Samba AD forests with FreeIPA
using a sub-domain of one of them.

Fixes: https://fedorahosted.org/freeipa/ticket/6076
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-08-22 13:31:47 +02:00
Lenka Doudova
44a2bdd8ea Tests: Fix failing tests in test_ipalib/test_frontend
Some tests in ipatests/test_ipalib/test_frontend.py are failing due to changes
related to thin client implementation. Providing fix for:
  ipa.test_ipalib.test_frontend.test_Attribute.test_init
  ipa.test_ipalib.test_frontend.test_LocalOrRemote.test_run

https://fedorahosted.org/freeipa/ticket/6188

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-08-17 17:41:08 +02:00
Lenka Doudova
425291dc19 Fix malformed or missing docstrings in ipalib/messages
Some of the docstrings in ipalib/messages.py are malformed or missing
entirely. This causes test_ipalib/test_messages to fail due to non-matching
regex.

https://fedorahosted.org/freeipa/ticket/6215

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-08-16 11:59:35 +02:00
Jan Cholasta
e9c1d21b9f parameters: move the confirm kwarg to Param
Whether a parameter is treated like password is determined by the
`password` class attribute defined in the Param class. Whether the CLI will
asks for confirmation of a password parameter depends on the value of the
`confirm` kwarg of the Password class.

Move the `confirm` kwarg from the Password class to the Param class, so
that it can be used by any Param subclass which has the `password` class
attribute set to True.

This fixes confirmation of the --key option of otptoken-add, which is a
Bytes subclass with `password` set to True.

https://fedorahosted.org/freeipa/ticket/6174

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2016-08-10 08:51:39 +02:00
David Kupka
e76b0bbbcc help: Do not create instances to get information about commands and topics
Creating instance requires that complete schema for the command is
read from schema cache and passed to constructor. This operation takes
a lot of time. Utilizing class properties and pregenerated help bits
allows to get the necessary information directly from classes reducing
time it takes significantly.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-03 16:32:39 +02:00
David Kupka
29f7f822ab frontend: Change doc, summary, topic and NO_CLI to class properties
Avoid need to instantiate all commands just to get information for
displaying help.

https://fedorahosted.org/freeipa/ticket/6048

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-08-03 16:32:39 +02:00
Martin Babinsky
da2305ddb9 harden the check for trust namespace overlap in new principals
This check must handle the possibility of optional attributes
(ipantadditionalsuffixes and ipantflatname) missing in the trusted domain
entry.

https://fedorahosted.org/freeipa/ticket/6099

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-07-28 09:34:43 +02:00
Martin Babinsky
15cfd0ee20 allow multiple dashes in the components of server hostname
Relax the check for valid hostname component by allowing multiple consecutive
'-' or '/' characters int he middle of the label (the first/last character
must still be alphanumeric or underscore). Also use verbose regex format to
document its structure.

https://fedorahosted.org/freeipa/ticket/4710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-07-20 16:23:24 +02:00
Martin Babinsky
f0a61546f5 allow 'value' output param in commands without primary key
`PrimaryKey` output param works only for API objects that have primary keys,
otherwise it expects None (nothing is associated with this param). Since the
validation of command output was tightened durng thin client effort, some
commands not honoring this contract began to fail output validation.

A custom output was implemented for them to restore their functionality. It
should however be considered as a fix for broken commands and not used
further.

https://fedorahosted.org/freeipa/ticket/6037
https://fedorahosted.org/freeipa/ticket/6061

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-20 13:57:01 +02:00
Martin Babinsky
a5c8c9880d messages: specify message type for ResultFormattingError
the ResultFormattingError message class was missing a `type` member which
could cause `otptoken-add` command to crash during QR image rendering using
suboptimal TTY settings

https://fedorahosted.org/freeipa/ticket/6081

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-07-15 13:55:36 +02:00
Martin Babinsky
e6ff83e361 Provide API for management of host, service, and user principal aliases
New commands (*-{add,remove}-principal [PKEY] [PRINCIPAL ...])
were added to manage principal aliases.

'add' commands will check the following:
* the correct principal type is supplied as an alias
* the principals have correct realm and the realm/alternative suffix (e.g.
  e-mail) do not overlap with those of trusted AD domains

If the entry does not have canonical principal name, the first returned
principal name will be set as one. This is mostly to smoothly operate on
entries created on older servers.

'remove' commands will check that there is at least one principal alias equal
to the canonical name left on the entry.

See also: http://www.freeipa.org/page/V4/Kerberos_principal_aliases

https://fedorahosted.org/freeipa/ticket/1365
https://fedorahosted.org/freeipa/ticket/3961
https://fedorahosted.org/freeipa/ticket/5413

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Martin Babinsky
974eb7b5ef ipalib: introduce Principal parameter
This patch introduces a separate Principal parameter that allows the framework
to syntactically validate incoming/outcoming principals by using a single
shared codebase.

https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-07-01 09:37:25 +02:00
Jan Cholasta
2cf7c7b4ac client: add support for pre-schema servers
Bundle remote plugin interface definitions for servers which lack API
schema support. These server API versions are included:
* 2.49: IPA 3.1.0 on RHEL/CentOS 6.5+,
* 2.114: IPA 4.1.4 on Fedora 22,
* 2.156: IPA 4.2.0 on RHEL/CentOS 7.2 and IPA 4.2.4 on Fedora 23,
* 2.164: IPA 4.3.1 on Fedora 23.

For servers with other API versions, the closest lower API version is used.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-07-01 09:40:04 +02:00
Jan Cholasta
cf713ac283 client: do not crash when overriding remote command as method
Do not crash during API initialization when overriding remote command that
is not a method with MethodOverride.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-07-01 09:40:04 +02:00
Jan Cholasta
390fd3d305 plugable: add option to ignore override errors
Add new `no_fail` option to API.add_plugin. When set to True, override
errors are ignored and the affected plugins are skipped.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-30 16:32:20 +02:00
Fraser Tweedale
3fab1b6350 cert-request: better error msg when 'add' not supported
cert-request supports adding service principals that don't exist.
If add is requested for other principal types, the error message
just says "the principal doesn't exist".

Add a new error type with better error message to explain that 'add'
is not supported for host or user principals.

Fixes: https://fedorahosted.org/freeipa/ticket/5991
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-06-30 15:42:06 +02:00
Jan Cholasta
dcf8b47471 session: move the session module from ipalib to ipaserver
The module is used only on the server, so there's no need to have it in
ipalib, which is shared by client and server.

https://fedorahosted.org/freeipa/ticket/5988

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-30 14:09:24 +02:00
Martin Basti
5693d19550 CA replica promotion: add proper CA DNS records
Update 'ipa-ca' records with A/AAAA records of the newly added replica

https://fedorahosted.org/freeipa/ticket/5966

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-28 16:56:35 +02:00
David Kupka
a636842889 schema: Caching on schema on client
Store schema in per user cache. Together with schemas also information
about mapping between server and fingerprint is stored to reduce traffic.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-28 15:03:42 +02:00
David Kupka
65aa2d48ff env: Add 'server' variable to api.env
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-28 15:03:42 +02:00
Jan Cholasta
5f52e0fcbf frontend: forward command calls using full name
Forward commands to remote server using the full versioned name.

https://fedorahosted.org/freeipa/ticket/4427

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-28 13:30:49 +02:00
Jan Cholasta
4284d4fb4d plugable: support plugin versioning
Allow multiple incompatible versions of a plugin using the same name. The
current plugins are assumed to be version '1'.

The unique identifier of plugins was changed from plugin name to plugin
name and version. By default, the highest version available at build time
is used. If the plugin is an unknown remote plugin, version of '1' is used
by default.

https://fedorahosted.org/freeipa/ticket/4427

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-28 13:30:49 +02:00
Jan Cholasta
79d1f58335 plugable: use plugin class as the key in API namespaces
When iterating over APINameSpace objects, use plugin class rather than its
name as the key.

https://fedorahosted.org/freeipa/ticket/4427

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-28 13:30:49 +02:00
Jan Cholasta
9a21964877 misc: generate plugins result directly in the command
Move the code that generated result of the `plugins` command from API to
the command itself.

https://fedorahosted.org/freeipa/ticket/4427

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-28 13:30:49 +02:00
Martin Babinsky
705f66f749 IPA API: set krbcanonicalname instead of ipakrbprincipalalias on new entities
Hosts, services, and (stage)-users will now have krbcanonicalname attribute
set to the same value as krbprincipalname on creation. Moreover, new services
will not have ipakrbprincipalalias set anymore.

Part of https://fedorahosted.org/freeipa/ticket/3864

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2016-06-23 09:48:06 +02:00
Stanislav Laznicka
9a8c5c9dfd host/service-show/find shouldn't fail on invalid certificate
host/service-show/find methods would have failed if the first
certificate they had in userCertificate attribute were invalid.
Expected behavior is that they just show the rest of the reqested
attributes.

https://fedorahosted.org/freeipa/ticket/5797

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-22 17:43:14 +02:00
David Kupka
4b97cabb52 schema: Add known_fingerprints option to schema command
When client requests schema it can list fingerprints of cached schemas
and server responds with SchemaUpToDate exception specifying fingeprint
of schema to use.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-21 15:11:19 +02:00
Jan Barta
94909d21db pylint: fix: multiple-statements
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2016-06-21 13:51:28 +02:00
Jan Cholasta
234270dc75 dns: do not rely on custom param fields in record attributes
Obtain the information provided by the `hint` kwarg and `dnsrecord_part`
and `dnsrecord_extra` flags by other means.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Jan Cholasta
b405a1218b frontend: do not crash on missing output in output_for_cli
Do not crash in Command.output_for_cli when an output value is missing.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Jan Cholasta
0b53ae4cda frontend: skip value output in output_for_cli
Do not include the `value` output value in CLI output in
Command.output_for_cli by default.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Jan Cholasta
f554078291 frontend: don't copy command arguments to output params
Use only object params and params defined in has_output_params as output
params. This removes unnecessary duplication of params defined both in
object plugins and as command arguments.

This requires all command output params to be properly defined in either
the object plugins or the command's has_output_params. Fix the plugins
where this wasn't true.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-20 16:39:12 +02:00
Yuri Chornoivan
a95e0777ac Fix minor typos
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-20 13:49:32 +02:00
Martin Babinsky
a6eb87bd68 server-del: perform full master removal in managed topology
This patch implements most of the del_master_managed() functionality as a part
of `server-del` command.

`server-del` nows performs these actions:
  * check topology connectivity
  * check that at least one CA/DNS server and DNSSec masters are left
    after removal
  * cleanup all LDAP entries/attributes exposing information about the master
  * cleanup master DNS records
  * remove master and service principals
  * remove master entry from LDAP
  * check that all segments pointing to the master were removed

  `server-del` now accepts the following options:
  * `--force`: force master removal even if it doesn't exist
  * `--ignore-topology-disconnect`: ignore errors arising from disconnected
    topology before and after master removal
  * `--ignore-last-of-role`: remove master even if it is last DNS server,
    and DNSSec key master. The last CA will *not* be removed regardless of
    this option.

https://fedorahosted.org/freeipa/ticket/5588

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 18:55:19 +02:00
Martin Babinsky
d8ae2b4055 ipaserver module for working with managed topology
This module should aggregate common functionality utilized in the commands
managing domain-level 1 topology.

https://fedorahosted.org/freeipa/ticket/5588

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-06-17 18:55:19 +02:00
Martin Basti
8dde1201ed DNS Locations: show warning if there is no DNS servers in location
DNS servers must be in each location, otherwise DNS location without DNS
server assigned will not work.

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
1997733cdf DNS Locations: require to restart named-pkcs11 affter location change
Send a warning message that named-pkcs11 service must be restarted after
changes related to locations or server weight

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-06-17 18:05:03 +02:00
Martin Basti
2157ea0e6d DNS Locations: dnsserver-* commands
New commands for manipulation with DNS server configuration were added:
 * dnsserver-show
 * dnsserver-mod
 * dnsserver-find

https://fedorahosted.org/bind-dyndb-ldap/wiki/Design/PerServerConfigInLDAP
https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
4076e8e4e5 DNS Locations: server-mod: add automatic records update
For any location or server weight change is required to update records

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
e23159596e DNS Locations: command dns-update-system-records
command dns-update-system-records updates/fixes DNS records for IPA
services:
* updating A, AAAA records for CA
* updating SRV records for LDAP, kerberos and AD trust
* updating TXT record in _kerberos with proper realm
* updating dns locations if used

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Martin Basti
87c23ba029 DNS Locations: DNS data management
Adding module that allows to work with IPA DNS system records:
* getting system records
* updating system records
* work with DNS locations

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-17 15:22:24 +02:00
Jan Cholasta
f7240c6df8 frontend: call execute rather than forward in Local
This allows properly subclassing from both Local and other Command classes.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
448af06234 dns, passwd: fix outputs of dns_resolve and passwd commands
Use proper output type for the `value` output of the commands.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
e2a8290af1 batch, schema: use Dict instead of Any
Add new Dict parameter class and use it in the batch and command_defaults
plugins.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
4128c565ea plugable: initialize plugins on demand
Use a new API namespace class which does not initialize plugins until they
are accessed.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Jan Cholasta
bebdce89b6 plugable: allow plugins to be non-classes
Allow registering any object that is callable and has `name` and `bases`
attributes as a plugin.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-15 14:03:51 +02:00
Fraser Tweedale
3d4db834ca Add 'ca' plugin
This commit adds the 'ca' plugin for creating and managing
lightweight CAs.  The initial implementation supports a single level
of sub-CAs underneath the IPA CA.

This commit also:

- adds the container for FreeIPA CA objects

- adds schema for the FreeIPA CA objects

- updates ipa-pki-proxy.conf to allow access to the Dogtag
  lightweight CAs REST API.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-15 07:13:38 +02:00
Martin Basti
493ae1e502 Fix: Local variable s_indent might be referenced before defined
Sanity fix to make sure we do not hit UnboundLocalError and fail
terribly

https://fedorahosted.org/freeipa/ticket/5921

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-13 13:58:36 +02:00
Jan Cholasta
9c19dd3506 schema: do not validate unrequested params in command_defaults
Request specific params when getting the defaults instead of getting
defaults for all params and filtering the result.

This fixes command_defaults failing with validation errors on unrequested
params.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-09 09:11:28 +02:00
Fraser Tweedale
b0d9a4728f Setup lightweight CA key retrieval on install/upgrade
Add the ipa-pki-retrieve-key helper program and configure
lightweight CA key replication on installation and upgrade.  The
specific configuration steps are:

- Add the 'dogtag/$HOSTNAME' service principal
- Create the pricipal's Custodia keys
- Retrieve the principal's keytab
- Configure Dogtag's CS.cfg to use ExternalProcessKeyRetriever
  to invoke ipa-pki-retrieve-key for key retrieval

Also bump the minimum version of Dogtag to 10.3.2.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-09 09:04:27 +02:00
Fraser Tweedale
fa149cff86 Remove service and host cert issuer validation
When adding certifiates to a host or service entry, we currently
check that the issuer matches the issuer DN of the IPA CA.  Now that
sub-CAs have been implemented, this check is no longer valid and
will cause false negatives.  Remove it and update call sites.

Part of: https://fedorahosted.org/freeipa/ticket/4559

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-06 08:58:01 +02:00
Martin Basti
bae621415d DNS Locations: location-* commands
http://www.freeipa.org/page/V4/DNS_Location_Mechanism

https://fedorahosted.org/freeipa/ticket/2008

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-06-03 15:58:21 +02:00
Jan Cholasta
8b7f2500ba frontend: do not check API minor version of the client
Thin client always respects API schema of the server, even when it is newer
that the server. Remove the API minor version check done on the server, as
it is no longer necessary.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
6e44557b60 ipalib: move server-side plugins to ipaserver
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.

Remove the now unused ipalib.plugins package.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
ec841e5d7a ipaclient: implement thin client
Dynamically create plugin package for the remote server with modules and
commands based on the API schema when client API is finalizes. For in-tree
API instances, use ipalib.plugins directly.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
f5fd2b8750 misc: hide the unused --all option of env and plugins in CLI
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
2f7df393fd ipalib: move File command arguments to ipaclient
File arguments are relevant only on the client, on the server they are the
same as Str. Specify the arguments as Str in ipalib.plugins and override
them with File in ipaclient.plugins.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
5a4a29be1c rpc: do not validate command name in RPCClient.forward
The validation is already done on the server.

This allows manually forwarding commands unknown to the client but known
to the server.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
11de39651f rpc: optimize JSON-RPC response handling
Speed up JSON-RPC response handling by putting received response data
fragments in a list and joining them at once instead of concatenating
each fragment one by one.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
56c66f44a0 rpc: specify connection options in API config
Specify RPC connection options once in API.bootstrap rather than in each
invocation of rpcclient.connect.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
e056b8dea2 rpc: allow overriding NSS DB directory in API config
Add new `nss_dir` API config option to allow rpcclient to use a non-default
NSS DB for the connection.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
43dc424041 rpc: respect API config in RPCClient.create_connection
When connecting rpcclient, get the default values of the `verbose`,
`fallback` and `delegate` options from API config rather than hard-code
them.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
f35beca68c ipalib: introduce API schema plugins
Add a set of plugins for API schema introspection. This includes:
* a set of commands for command introspection
  (`command_find`, `command_show`, `command_defaults`),
* a set of commands for command param introspection
  (`param_find`, `param_show`),
* a set of commands for command output introspection
  (`output_find`, `output_show`),
* a set of commands for help topic introspection
  (`topic_find`, `topic_show`),
* a command to get the full API schema in one call (`schema`).

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
3cf5f83d92 ipalib: replace DeprecatedParam with deprecated Param argument
Introduce new `deprecated` Param keywork argument. Setting it to True on a
param has the same effect as using DeprecatedParam. This allows deprecating
params while retaining their type information.

Revert all DeprecatedParam params back to their original definition and set
`deprecated` to True.

Remove the now unused DeprecatedParam class.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
0e989e2a28 parameters: introduce no_convert keyword argument
When set to true, the argument causes params to not convert unicode values
to the param type.

This will allow thin client to properly handle params which can be
converted from unicode to the param type only on the server, e.g. because
of a normalizer.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
98ede1b0e8 parameters: introduce cli_metavar keyword argument
Add new Param keyword argument cli_metavar to specify the stand-in for CLI
option arguments in command help text. Uppercase class name is used by
default.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
4c7be74526 ipalib: split off client-side plugin code into ipaclient
Provide client-side overrides for command plugins which implement any of
the client-side `interactive_prompt_callback`, `forward` or
`output_for_cli` methods and move the methods from the original plugins to
the overrides.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
6cfb9d73d9 dns: move code shared by client and server to separate module
Move the shared code to a new ipalib.dns module.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
60d946241c frontend: turn Method attributes into properties
Implement the `obj_name`, `attr_name` and `obj` Method attributes as
properties to allow them to be overriden in sub-classes.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
1391cd65ad plugable: remember overriden plugins in API
Remember what plugin class was overriden by what plugin class in API
objects. Add new method API.get_plugin_next which returns the plugin
class which was overriden by the plugin class specified as argument.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
19cf6e9509 plugable: simplify API plugin initialization code
Use a flat dictionary to track plugins in API rather than nested
dictionaries.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
ed4c2d9252 plugable: turn Plugin attributes into properties
Implement the `name`, `doc` and `summary` Plugin attributes as properties
to allow them to be overriden in sub-classes.

Always use .doc rather than .__doc__ to access plugin documentation.

Remove the mostly unused `module`, `fullname`, `bases` and `label`
attributes.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
fe18adb258 help, makeapi: do not use hardcoded plugin package name
Iterate over all plugin packages defined in the API to find the given
topic module. The last module found has priority.

This will allow topics to be defined in client-side plugins.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
cd5ecdbaee help, makeapi: specify module topic by name
Specify module topic by name rather than by name and summary. A topic
module of the topic name must exist. Summary is extracted from the
docstring of the topic module.

This changes makes topic handling more generic and consistent between
modules and commands.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
0a984afd81 help, makeapi: allow setting command topic explicitly
Help topic can now be specified in the 'topic' class attribute of command
plugins. Default value is the name of the module where the command is
defined.

This allows defining a command outside of the topic module.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
327d95296a ipalib: move client-side plugins to ipaclient
Move the rpcclient backend and commands which are executed on the client
to ipaclient.plugins.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
f1ad3e67ae ipaclient: introduce ipaclient.plugins
Load plugins from ipaclient.plugins in client API instances.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
9b0df69f75 dns: fix dnsrecord interactive mode
Do not crash in interactive mode of dnsrecord_{add,mod}.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Jan Cholasta
748a4c31bf cli: make optional positional command arguments actually optional
Fix commands defined in ipalib.cli not to assume optional positional
arguments have a value of None when not specified.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-06-03 09:00:34 +02:00
Nathaniel McCallum
4ded2ffc16 Enable service authentication indicator management
https://fedorahosted.org/freeipa/ticket/433

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-06-02 19:02:14 +02:00
Pavel Vomacka
3b37e29ac6 Add option to show OTP when adding host
Add option to add host dialog which allows to show generated OTP.
This patch also changed the way of informing user about success of adding host
but only when the 'Generate OTP' option is checked. There is a new dialog with
generated OTP.

https://fedorahosted.org/freeipa/ticket/4602

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-06-02 18:38:32 +02:00
Patrice Duc-Jacquet
deb896768f Add more information regarding where to find revocation reason in "ipa cert_revoke -h" and "ipa cert_find -h".
According to review feedback, I changed the help message as follow

$ ipa cert_revoke -h
Usage: ipa [global-options] cert-revoke SERIAL-NUMBER [options]

Revoke a certificate.
Options:
  -h, --help            show this help message and exit
  --revocation-reason=INT
                        Reason for revoking the certificate (0-10). Type "ipa
                        help cert" for revocation reason details.

https://fedorahosted.org/freeipa/ticket/5819

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Gabe Alford <redhatrises@gmail.com>
2016-06-02 10:40:54 +02:00
Martin Basti
5c58751d72 Fix: replace incorrect no_cli with no_option flag
The 'no_cli' is not valid flag in parameters scope, so to hide option from
CLI 'no_option' flag should be used

https://fedorahosted.org/freeipa/ticket/4995

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-06-02 09:37:52 +02:00
Martin Basti
5f42b42bd4 Performance: Find commands: do not process members by default
In all *-find commands, member attributes shouldn't be processed due
high amount fo ldpaserches cause serious performance issues. For this
reason --no-members option is set by default in CLI and API.

To get members in *-find command option --all in CLI is rquired or
'no_members=False' or 'all=True' must be set in API call.

For other commands processing of members stays unchanged. WebUI is not
affected by this change.

https://fedorahosted.org/freeipa/ticket/4995

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-05-31 14:08:54 +02:00
Martin Basti
91572afc60 Make option --no-members public in CLI
With many members commands became slow. Making this option public allows
users to speedup searches.

https://fedorahosted.org/freeipa/ticket/4995

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-05-31 14:08:54 +02:00
Petr Spacek
321a2ba918 Add ipaDNSVersion option to dnsconfig* commands and use new attribute
Ad-hoc LDAP calls in DNS upgrade code were hard to maintain and
ipaConfigString was bad idea from the very beginning as it was hard to
manipulate the number in it.

To avoid problems in future we are introducing new ipaDNSVersion
attribute which is used on cn=dns instead of ipaConfigString.
Original value of ipaConfigString is kept in the tree for now
so older upgraders see it and do not execute the upgrade procedure again.

The attribute can be changed only by installer/upgrade so it is not
exposed in dnsconfig_mod API.

Command dnsconfig_show displays it only if --all option was used.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 20:14:32 +02:00
Petr Spacek
70794c7b1d Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil
The code was duplicate and less generic anyway.
As a side-effect I had to re-wrap dns.exception.DNSException into a
PublicError so it can be displayed to the user.

DNSError is now a super class for other DNS-related errors. Errors from
DNS resolver are re-raised as DNSResolverError.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 20:14:32 +02:00
Petr Spacek
ec49130b94 Use root_logger for verify_host_resolvable()
After discussion with Martin Basti we decided to standardize on root_logger
with hope that one day we will use root_logger.getLogger('module')
to make logging prettier and tunable per module.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 20:14:32 +02:00
Petr Spacek
0c75df4bf3 Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil
This is preparatory work to avoid (future) cyclic import between
ipapython.dnsutil and ipapython.ipautil.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 20:14:32 +02:00
Petr Spacek
da71e7e9de DNS: Warn if forwarding policy conflicts with automatic empty zones
Forwarding policy "first" or "none" may conflicts with some automatic empty
zones. Queries for zones specified by RFC 6303 will ignore
forwarding and recursion and always result in NXDOMAIN answers.

This is not detected and warned about. Global forwarding is equivalent
to forward zone ".".

Example:
Forward zone 1.10.in-addr.arpa with policy "first"
will not forward anything because BIND will automatically prefer
automatic empty zone "10.in-addr.arpa." which is authoritative.

https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-30 20:14:32 +02:00
Stanislav Laznicka
1ce63e6193 Added some attributes to Modify Users permission
Added 'employeenumber', 'departmentnumber' and 'mail' to Modify Users
permission

https://fedorahosted.org/freeipa/ticket/5911#comment:2

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-29 14:13:12 +02:00
Martin Basti
25eed1c6cb Remove unused variables in automount plugin
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-05-26 11:30:20 +02:00
Jan Cholasta
2b50fc6170 frontend: allow commands to have an argument named name
Rename the `name` argument of Command.get_default_of to `_name` to avoid
conflicts with keyword arguments.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
9e3c16e322 ipalib: use relative imports for cross-plugin imports
This will make it possible to move the plugin modules between ipalib,
ipaclient and ipaserver without having to change the imports.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
4b119e21a2 vault: copy arguments of client commands from server counterparts
Copy arguments of vault_{add,mod,archive,retrieve} from
vault_{add,mod,archive,retrieve}_internal.

Also add missing LDAPCreate arguments to vault_add_internal.

This will make it possible to move the commands to ipaclient.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
b09b92831f vault: move client-side code to the module level
Move client-side code from the vault class to module-level functions.

This will make it possible to move the code to ipaclient without the vault
class bits.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
4a243536b3 otptoken_yubikey: fix otptoken_add_yubikey arguments
Copy args, options and output of otptoken_add_yubikey from otptoken_add.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
be471699b6 otptoken: fix import of DN
Import DN from ipapython.dn rather than ipalib.plugins.baseldap.

This will make it possible to move otptoken_sync to ipaclient.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
eb8be95043 dns: do not rely on server data structures in code called on client
Replace code which references the DNSRecord and dnsrecord classes with
equivalent code which uses only generic data structures.

This will make it possible to move client code to ipaclient without
dnsrecord bits, DNSRecord and all its subclasses.

The conversion from record value to structured record can't be done on the
client without DNSRecord and subclasses. Introduce a new internal command
dnsrecord_split_parts to do the job on the server when necessary.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
b6af621432 dns: move code called on client to the module level
Move DNSRecord and dnsrecord code called on client to module-level
functions.

This will make it possible to move the code to ipaclient without the
DNSRecord and dnsrecord class bits.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
1bcf08aab6 automount: do not inherit automountlocation_import from LDAPQuery
automountlocation_import is a client-side command which does not use LDAP
directly. Inherit it from Command rather than LDAPQuery and copy its
arguments from automountlocation_show.

This will make it possible to move automountlocation_import to ipaclient.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
f28cd62285 frontend: move the interactive_prompt callback type to Command
Move interactive_prompt callback type from baseldap.BaseLDAPCommand to
Command.

This will make it possible to move all interactive_prompt callbacks to
ipaclient.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
60fa6ed444 frontend: merge baseldap.CallbackRegistry into Command
Also make it possible for subclasses to introduce new callback types.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
a30bc8a351 plugable: switch API to Registry-based plugin discovery
Merge Registrar into Registry. Use the Registry instance of each plugin
module to discover plugins in the module instead of the global Registrar
instance.

This removes the side-effect of all plugins in a module being re-registered
every time the module is imported.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
88c0b66abc plugable: remove the unused deprecated API.register method
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
15a4c0d276 ipalib, ipaserver: fix incorrect API.register calls in docstrings
Use API.add_plugin to load specific plugins into API objects. Use Registry
to register plugins.

This fixes doctests.

https://fedorahosted.org/freeipa/ticket/4739
https://fedorahosted.org/freeipa/ticket/5115

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
bed546ee82 ipalib, ipaserver: migrate all plugins to Registry-based registration
Do not use the deprecated API.register method.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
0d62968b6f plugable: replace API.import_plugins with new API.add_package
Replace API.import_plugins with a new method API.add_package which allows
loading plugin packages into an API object from a package object.

This makes loading of plugin packages loading consistent with loading of
plugin modules and classes.

Rename API.modules to API.packages and use package objects where
implemented to reflect the change.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
b08f771518 ipalib: remove the unused csv argument of Param
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
77e27de147 makeapi: optimize API.txt
Change Param formatting to:
* always use quantified names rather than the `required` and `multivalue`
  kwargs,
* ignore kwargs with default value,
* ignore kwargs related to validation, as validation is now strictly
  server-side,
* ignore the `attribute` and `primary_key` kwargs, as they are relevant
  only on object params,
* ignore the `include` and `exclude` kwargs, as makeapi takes into account
  only params available in the 'cli' context,
* ignore the unused `csv` kwarg.

Format optional Output arguments as kwargs.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
ac2e9e84cf frontend: do not forward argument defaults to server
When forwarding a command call to a server, use only arguments which were
explicitly specified by the caller.

This increases compatibility between new clients and old servers.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
213237c7fe user: do not assume the preserve flags have value in user_del
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
3eaafe42b5 frontend: do not forward unspecified positional arguments to server
When forwarding a command call to a server, do not use a value of None in
place of unspecified positional arguments.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
71f960457e ipalib: make optional positional command arguments actually optional
Fix several plugins not to assume optional positional arguments have a
value of None when not specified.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
f8cf136c55 batch: do not crash when no argument is specified
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
278fa29906 frontend: perform argument value validation only on server
Do not validate values of command arguments on the client and let the
server handle validation.

This will make the client more lightweight by not having it to carry
validation code and metadata with itself for the price of increasing
network traffic in case the validation fails.

Types of the arguments are still validated on both the client and the
server.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
13b010685b frontend: remove the unused Command.soft_validate method
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
2f6b333187 frontend: re-raise remote RequirementError using CLI name in CLI
https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
e0275abe6f rpc: include structured error information in responses
Include keyword arguments of exceptions in RPC responses. This is limited
to JSON-RPC, as XML-RPC does not support additional data in error
responses.

Include keyword arguments of messages in RPC responses.

Include keyword arguments of exceptions in batch command result.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
861294c0d6 parameters: remove unused ConversionError and ValidationError arguments
Do not set the `value`, `index` and `rule` arguments when raising
ConversionError and ValidationError. The arguments are unused and are not
specified consistently accross the framework and plugins.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Jan Cholasta
c37aba291f rpc: do not crash when unable to parse JSON
When unable to parse JSON response from the server, properly raise
JSONError not to cause a crash.

https://fedorahosted.org/freeipa/ticket/4739

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-05-25 16:06:26 +02:00
Martin Basti
ad1cac1283 Fix referenced before assigment variables in except statements
Variable msg may not exists in the last except context, and even it
contains improper value because it is not related to catched exception

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-05-20 15:05:25 +02:00
Jan Cholasta
83f6ddb473 makeapi: use the same formatting for int and long values
This prevents validation failures on architectures where integer is less
than 32 bits.

https://fedorahosted.org/freeipa/ticket/5894

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-19 16:43:58 +02:00
Petr Spacek
89cdf6ee1e Batch command: avoid accessing potentially undefined context.principal
This might happen when the command is called directly in Python,
e.g. in installers and so on.

Pylint pylint-1.5.5-1.fc24.noarch caught this.

https://fedorahosted.org/freeipa/ticket/5838

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-05-12 13:28:00 +02:00
Petr Viktorin
5dbb0f6fec ipalib.cli: Improve reporting of binary values in the CLI
Make sure the base64-encoded value is a string, so it is printed
without the b'' markers.

Part of the work for: https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-05-10 12:41:15 +02:00
Tomas Babej
6adf863781 idviews: Add user certificate attribute to user ID overrides
https://fedorahosted.org/freeipa/ticket/4955

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-05-06 07:12:01 +02:00
Petr Viktorin
6ddf0d657f certprofile plugin: Use binary mode for file with binary data
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-05-05 16:42:46 +02:00
Petr Viktorin
baaa041b8a ipalib.rpc: Send base64-encoded data as string under Python 3
Python 3's JSON library cannot deal with bytes, so decode
base64-encoded data to string.

Part of the work for https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-05-05 16:42:46 +02:00
Petr Viktorin
890f83b0bb radiusproxy plugin: Use str(error) rather than error.message
In Python 3, the "message" attribute has been removed in favor of
calling str() on the error.

Part of the work for https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-05-05 16:42:46 +02:00
Abhijeet Kasurde
3d07c889ce Added fix for notifying user about locked user account in WebUI
User in now notified about "Locked User account" message instead of
"The password or username you entered is incorrect" or any generic error
message

Fixes : https://fedorahosted.org/freeipa/ticket/5076

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-04-28 17:04:37 +02:00
Petr Viktorin
28b0bfaefe dns plugin: Fix zone normalization under Python 3
In Python 3, str.encode('ascii') converts to bytes, and str()
(nicknamed unicode() in IPA) returns the string representation
of an object, which is b'...' for bytes.

So, unicode('...'.encode('ascii')) results in "b'...'".

Change the code to only call encode() for the error.

Part of the work for https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-04-28 16:22:07 +02:00
Martin Basti
14ee02dcbd Do not do extra search for ipasshpubkey to generate fingerprints
Host, user and idview commands do unnnecessary extra search for
ipasshpubkey attribute to generate fingerprints.

Note: Host and user plugins shows ipasshpubkey only when the attribute
is changed, idviews show ipasshpubkey always. This behavior has been
kept by this commit.

common_pre/post_callbacks were fixed in [base|stage]user modules.
common_callbacks requires the same arguments as pre/post_callbacks now
(except baseuser_find.post_common_callback)

Note2: in *-add commands there is no need for managing ipasshpubkey as
this attribute should be shown always there.

https://fedorahosted.org/freeipa/ticket/3376

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2016-04-26 13:37:23 +02:00
Martin Basti
fe2ce02a6f Performace: don't download password attributes in host/user-find
For each entry in user/host-find was executed an extra search for password
attributes what has significant impact on performance (for 2000 users
there were 2000 additional searches)

http://www.freeipa.org/page/V4/Performance_Improvements

https://fedorahosted.org/freeipa/ticket/5281

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-04-22 13:28:57 +02:00
Pavel Vomacka
f446792353 Add 'skip overlap check' checkbox into add zone dialog
https://fedorahosted.org/freeipa/ticket/5773

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-04-22 10:11:48 +02:00
Fraser Tweedale
c2b92b5735 caacl: correctly handle full user principal name
The caacl HBAC request is correct when just the username is given,
but the full 'user@REALM' form was not handled correctly.

Fixes: https://fedorahosted.org/freeipa/ticket/5733
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-04-20 18:07:19 +02:00
Abhijeet Kasurde
2a20c74633 Added fix for notifying user about Kerberos principal expiration in WebUI
- User is now notified about "Kerberos Principal expiration" message instead of
  "Wrong username or password" message.
- User is also notified about "Invalid password" message instead of
  generic error message.

https://fedorahosted.org/freeipa/ticket/5077

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-04-15 17:58:04 +02:00
Pavel Vomacka
d01f7e8556 Add activate option to stage user details page
Add activate option to the action menu on stage user details page.

https://fedorahosted.org/freeipa/ticket/5369

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-04-15 16:41:55 +02:00
Martin Basti
93871bf017 Limit max username length to 255 in config-mod
This value is same as is used in user and stageuser commands.

https://fedorahosted.org/freeipa/ticket/5774

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-04-15 13:24:34 +02:00
Martin Babinsky
62bb478e11 specify type of exceeded limit when warning about truncated search results
API commands inheriting from LDAPSearch should mention which limit was
exceeded in the warning message sent with truncated results.

https://fedorahosted.org/freeipa/ticket/5677

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-04-13 17:52:22 +02:00
Martin Babinsky
1f0959735f differentiate between limit types when LDAP search exceeds configured limits
When LDAP search fails on exceeded limits, we should raise an specific
exception for the type of limit raised (size, time, administrative) so that
the consumer can distinguish between e.g. searches returning too many entries
and those timing out.

https://fedorahosted.org/freeipa/ticket/5677

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-04-13 17:52:22 +02:00
Martin Basti
b23ad42269 host-del --updatedns: print warnings instead of error
When DNS records do not exist, print warnings instead of hard error

https://fedorahosted.org/freeipa/ticket/5627

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-04-13 17:47:53 +02:00
Martin Basti
54e3859595 host_del: update help for --updatedns option
Clarify that dns removes only A, AAAA, PTR, SSHFP records of the host(s) managed by IPA DNS.

https://fedorahosted.org/freeipa/ticket/5675

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-04-13 17:44:56 +02:00
Martin Basti
e8c8134eee host_del: remove only A, AAAA, SSHFP, PTR records
only A, AAAA, SSHPF and PTR records are managed by IPA. The other
records should be removed by user.

https://fedorahosted.org/freeipa/ticket/5675

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-04-13 17:44:56 +02:00
Martin Basti
1e70d6b914 host_del: split removing A/AAAA and PTR records to separate functions
This change is needed because A/AAAA and PTR record will be handled
separately.

https://fedorahosted.org/freeipa/ticket/5675

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-04-13 17:44:56 +02:00
Martin Basti
bea066c336 host_del: remove unneeded dnszone-show command call
This command has no effect in that block of code, dnsrecord_show is
enough for detection if records exists.

https://fedorahosted.org/freeipa/ticket/5675

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-04-13 17:44:56 +02:00
Martin Basti
9a0f92be0d host_del: replace dns-record find command with show
Due the configuration of dnsrecord_find, it works as dnsrecord-show,
thus it can be replaced.

https://fedorahosted.org/freeipa/ticket/5675

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-04-13 17:44:56 +02:00
Martin Basti
40e3a0bf63 host_del: fix removal of host records
Originally only the first A/AAAA record is removed, and one other record. This commit fixes it
and all records are removed.

https://fedorahosted.org/freeipa/ticket/5675

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2016-04-13 17:44:56 +02:00
Martin Basti
d9fe502e83 Add missing pre_common_callback to stageuser_add
This pre_callback contains method to preprocessing usercertificate that
was not called during stageuser-add. This commit adds missing
pre_common_callback call to stageuser_add.

https://fedorahosted.org/freeipa/ticket/5759

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-04-12 10:09:12 +02:00
Martin Babinsky
7febe569ce otptoken-add: improve the robustness of QR code printing
The python-qrcode print_ascii() method does not work in terminals with
non-UTF-8 encoding. When this is the case do not render QR code but print a
warning instead. Also print a warning when the QR code size is greater that
terminal width if the output is a tty.

https://fedorahosted.org/freeipa/ticket/5700

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-03-24 14:35:19 +01:00
Martin Basti
d1e29fe60e Fix: catch Exception instead of more specific exception types
Regression caused by commit 491447cc5a,
ValueErrori and AttributeError are too much specific for these cases, multiple types of
exception can be raised.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-03-22 17:33:02 +01:00
Martin Basti
da0318d4d7 Pylint: remove unnecessary-semicolon
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-03-22 10:20:51 +01:00
Martin Basti
b66028af18 Pylint: import max one module per line
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-03-22 10:20:51 +01:00
Martin Basti
d46cd5d956 Pylint: enable reimported check
Fixes current reimports and enables pylint check for them

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-03-22 10:20:51 +01:00
Martin Basti
491447cc5a pylint: remove bare except
Bare except should not be used.

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2016-03-22 10:20:51 +01:00
Jakub Hrozek
c6371abeb3 sudo: Fix a typo in the --help output of sudocmdgroup
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-18 12:38:42 +01:00
Martin Basti
de8c6d81fd Fix broken trust warnings
Warning should be shown only for parent entries of trust domain. Subdomains do not contain ipaNTSecurityIdentifier attribute at all.

https://fedorahosted.org/freeipa/ticket/5737

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-03-16 13:50:56 +01:00
Martin Basti
4871cb5b54 stageuser-activate: Normalize manager value
Manager(s) were returned as list od DN, this commit fixes behavior and
managers are returned as list of logins.

https://fedorahosted.org/freeipa/ticket/5481

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-16 09:09:36 +01:00
Jérôme Fenal
67b806e5d9 Fix the man page part for shorter sentences, to avoid dual understanding, and punctuation, all spotted while translating to French.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2016-03-10 19:35:12 +01:00
Simo Sorce
3e45c9be0a Allow admins to disable preauth for SPNs.
Some legacy softare is not able to properly cope with preauthentication,
allow the admins to disable the requirement to use preauthentication for
all Service Principal Names if they so desire. IPA Users are excluded,
for users, which use password of lessere entrpy, preauthentication is
always required by default.

This setting does NOT override explicit policies set on service principals
or in the global policy, it only affects the default.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/3860
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-03-08 18:48:40 +01:00
Tomas Babej
8bf6aa2c1c ipalib: Fix user certificate docstrings
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-03-07 12:21:12 +01:00
Martin Basti
2c8e100c73 fix suspicious except statements
The "except ValueError as UnicodeDecodeError" looks very suspicious.
Commit change except to catch both exceptions.

https://fedorahosted.org/freeipa/ticket/5718

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2016-03-04 13:10:08 +01:00
Petr Viktorin
34db5759fa ipalib.x809: Accept bytes for make_pem
Part of the work for https://fedorahosted.org/freeipa/ticket/5638

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-03-03 10:31:55 +01:00
Jan Cholasta
3c57c305ad ipalib: add convenient Command method for adding messages
Call the add_message() method of Command from anywhere in the implementation
of a command to add a message to the result of the command.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-03 10:06:18 +01:00
Jan Cholasta
e5520dc347 ipalib: provide per-call command context
Add context which is valid for the duration of command call. The context
is accessible using the `context` attribute of Command and Object plugins.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-03 10:06:18 +01:00
Martin Basti
72d5499c5a pylint: supress false positive no-member errors
pylint 1.5 prints many false positive no-member errors which are
supressed by this commit.

https://fedorahosted.org/freeipa/ticket/5615

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-02 14:57:36 +01:00
Martin Basti
0d39abddc2 Remove duplicated except
Both exceptions have been catched before, so it is bacically dead code

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-02-25 13:48:44 +01:00
Stanislav Laznicka
d7efd8a33a Fixes minor issues
Fixes issues discovered by Coverity

plugins/baseldap.py:      possible undefined value in return
certmonger.py:            possible dereference of None value
i18n.py:                  fixed always True bug (+ cosmetic change)

https://fedorahosted.org/freeipa/ticket/5661

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-02-24 09:21:30 +01:00
Stanislav Laznicka
9757384c7c Cosmetic changes to the code
Fixes some Coverity issues

ipadiscovery.py:          added assert should universe break
plugins/dns.py:           removed dead code
dnssec/ldapkeydb.py:      attribute assert in the proper object
test_automount_plugin.py: fixed possible close() on None
xmlrpc_test.py:           Coverity does not like accessing None.__class__

https://fedorahosted.org/freeipa/ticket/5661

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-02-24 09:21:30 +01:00
Martin Basti
c96822f3e5 Warn user if trust is broken
Detect missing ipaNTSecurityIdentifier and print message for a user,
that the trust is broken as result of trust-show and trust-find commands.

https://fedorahosted.org/freeipa/ticket/5665

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-02-23 17:35:20 +01:00
Martin Basti
70bd7c8802 trusts: use ipaNTTrustPartner attribute to detect trust entries
Trust entries were found by presence of ipaNTSecurityIdentifier
attribute. Unfortunately this attribute might not be there due the bug.
As replacement for this, attribute ipaNTTrustPartner can be used.

Note: other non trust entries located in cn=trusts subtree can be
cross-realm principals.

https://fedorahosted.org/freeipa/ticket/5665

Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-02-23 17:35:20 +01:00
Petr Viktorin
d1252cfb8e cli: Don't encode/decode for stdin/stdout on Python 3
https://fedorahosted.org/freeipa/ticket/5638

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-02-17 10:41:29 +01:00
Michael Simacek
831856ea55 Fix bytes/string handling in rpc
https://fedorahosted.org/freeipa/ticket/5638

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-02-17 10:41:29 +01:00
Martin Basti
2ce8921fe6 make lint: use config file and plugin for pylint
Our custom implementation of pylint checker is often broken by
incompatible change on pylint side. Using supported solutions (config
file, pylint plugins) should avoid this issue.

The plugin adds missing (dynamic) member to classes in abstract syntax
tree generated for pylint, instead of just ignoring missing members and
all sub-members. This should improve pylint detection of typos and
missing members in api. env and test config.

make-lint python script has been removed, to run pylint execute 'make
lint'

https://fedorahosted.org/freeipa/ticket/5615

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-02-11 11:06:39 +01:00
Thorsten Scherf
d85d709473 Fixed typo in service-add
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-02-02 15:34:16 +01:00
Pavel Vomacka
d5674b1490 Add tool tips for Revert, Refresh, Undo, and Undo All
Add tool tips for buttons in detail view. New tooltips:
Reload - Reload current settings from the server.
Revert - Undo all unsaved changes.
Undo - Undo this change.
Undo all - Undo all changes in this field.

https://fedorahosted.org/freeipa/ticket/5428

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-01-27 14:14:56 +01:00
Martin Basti
9a945b201e Warn user when ipa *-find reach limit
Truncated entries were silently ignored, now a user receives warning.

https://fedorahosted.org/freeipa/ticket/4022

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Gabe Alford <redhatrises@gmail.com>
2016-01-27 12:54:25 +01:00
Martin Babinsky
d726da3ba2 uninstallation: more robust check for master removal from topology
When uninstalling IPA master in domain level 1 topology, the code that checks
for correct removal from topology will now consider failures to lookup host
entry in local LDAP and to obtain host TGT as a sign that the master entry was
already removed.

https://fedorahosted.org/freeipa/ticket/5584

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-21 18:12:42 +01:00
Petr Viktorin
06a678c159 Avoid builtins that were removed in Python 3
- `file` was removed in favor of `open`. Switch to the new spelling.
- `buffer` was removed in favor of a buffer protocol (and memoryview),
  and `reload` was moved to importlib.
  Both are used in py2-only blocks, so just placate PyLint.

https://fedorahosted.org/freeipa/ticket/5623

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-20 11:59:21 +01:00
Petr Viktorin
465dd9829c Don't index exceptions directly
In Python 3, exceptions don't behave as tuples of their arguments;
instead of e[1] it's necessary to use e.args[1].

https://fedorahosted.org/freeipa/ticket/5623

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-20 11:59:21 +01:00
Petr Viktorin
126d899321 Use explicit truncating division
In Python 3, the truncating division operator, //, is needed to
get C-style "int division".

https://fedorahosted.org/freeipa/ticket/5623

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-20 11:59:21 +01:00
Tomas Babej
ddf2c813b4 Loggger: Use warning instead of warn - dns plugin
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-19 14:26:52 +01:00
Tomas Babej
78c5bf9f8e logger: Use warning instead of warn
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-18 17:49:54 +01:00
Jan Cholasta
7e56b4bbd7 ipapython: remove default_encoding_utf8
Replace the "import default_encoding_utf8" in ipalib/cli.py with equivalent
Python code.

https://fedorahosted.org/freeipa/ticket/5596

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2016-01-15 13:39:52 +01:00
Jan Cholasta
6b2b173a4d ipalib: assume version 2.0 when skip_version_check is enabled
https://fedorahosted.org/freeipa/ticket/5601

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-12 16:37:29 +01:00
Petr Spacek
17a4a29c25 Fix dns_is_enabled() API command to throw exceptions as appropriate
Previously the command returned False whenever an exception occured
which caused installed to continue even when there was a problem with
LDAP connection.

https://fedorahosted.org/freeipa/ticket/5564

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-01-08 10:14:51 +01:00
Petr Vobornik
a291ca8780 webui: add examples to network address validator error message
https://fedorahosted.org/freeipa/ticket/5532

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Gabe Alford <redhatrises@gmail.com>
2016-01-08 09:57:42 +01:00
Martin Babinsky
2fad223dbe ipalib/x509.py: revert deletion of ipalib api import
This import statement has been removed in commit
e4075b1fe2. This caused requests for service
certs to fail, since the validation functions from x509 module crashed with
NameError.

https://fedorahosted.org/freeipa/ticket/5561

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-01-04 17:41:59 +01:00
Martin Basti
00fd28e026 Enable pylint unnecessary-pass check
Enables check and removes extra pass statement from code.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:59:22 +01:00
Martin Basti
ded70b6c6e Enable pylint empty-docstring check
Enables check and fixes:
************* Module ipalib.session
ipalib/session.py:671: [C0112(empty-docstring), SessionAuthManager]
Empty class docstring)
ipalib/session.py:705: [C0112(empty-docstring),
SessionAuthManager.logout] Empty method docstring)
************* Module ipalib.cli
ipalib/cli.py:364: [C0112(empty-docstring), textui.print_entry] Empty
method docstring)

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:59:22 +01:00
Martin Basti
1f6b1c2de7 Enable pylint trailing-whitespace check
Enables check and fixes:
************* Module ipapython.log_manager
ipapython/log_manager.py:808: [C0303(trailing-whitespace), ] Trailing
whitespace)
************* Module ipachangeconf
contrib/RHEL4/ipachangeconf.py:28: [C0303(trailing-whitespace), ]
Trailing whitespace)
contrib/RHEL4/ipachangeconf.py:116: [C0303(trailing-whitespace), ]
Trailing whitespace)
************* Module ipalib.plugins.pwpolicy
ipalib/plugins/pwpolicy.py:174: [C0303(trailing-whitespace), ] Trailing
whitespace)
ipalib/plugins/pwpolicy.py:180: [C0303(trailing-whitespace), ] Trailing
whitespace)

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:59:22 +01:00
Martin Basti
e1192ebd97 Remove wildcard imports
Wildcard imports should not be used.

Check for wildcard imports has been enabled in pylint.
Pylint note: options 'wildcard-import' causes too much false positive
results, so instead it I used 'unused-wildcard-import' option which has almost
the same effect.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:59:22 +01:00
Martin Basti
e4075b1fe2 Remove unused imports
This patch removes unused imports, alse pylint has been configured to
check unused imports.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-23 07:59:22 +01:00
Martin Babinsky
cd5fa38945 raise more descriptive Backend connection-related exceptions
https://fedorahosted.org/freeipa/ticket/5473

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-12-21 12:05:23 +01:00
Petr Viktorin
53b60546e4 Package ipapython, ipalib, ipaplatform, ipatests for Python 3
Running make with PYTHON=/usr/bin/python3 will build/install the
bits for Python 3.

Executable scripts in ipatests have symlinks Python version suffixes
as per Fedora guidelines. Suffix-less names point to the Python 2 versions.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-17 10:52:57 +01:00
David Kupka
6c107d819c dns: do not add (forward)zone if it is already resolvable.
Check if the zone user wants to add is already resolvable and refuse to
create it if yes. --skip-overlap-check and --force options suppress this check.

https://fedorahosted.org/freeipa/ticket/5087

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-12-14 18:53:53 +01:00
Petr Viktorin
099cf98307 Refactor ipautil.run
The ipautil.run function now returns an object with returncode and
output are accessible as attributes.

The stdout and stderr of all commands are logged (unless skip_output is given).

The stdout/stderr contents must be explicitly requested with a keyword
argument, otherwise they are None.
This is because in Python 3, the output needs to be decoded, and that can
fail if it's not decodable (human-readable) text.

The raw (bytes) output is always available from the result object,
as is "leniently" decoded output suitable for logging.

All calls are changed to reflect this.

A use of Popen in cainstance is changed to ipautil.run.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-14 10:54:23 +01:00
Jan Cholasta
8d7f67e08c replica install: add remote connection check over API
Add server_conncheck command which calls ipa-replica-conncheck --replica
over oddjob.

https://fedorahosted.org/freeipa/ticket/5497

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-12-11 18:44:13 +01:00
Yuri Chornoivan
2180d5db8a Fix minor typos
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-12-07 12:07:47 +01:00
Jan Cholasta
a8d7ce5cf1 aci: add IPA servers host group 'ipaservers'
https://fedorahosted.org/freeipa/ticket/3416

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-12-07 08:13:23 +01:00
Petr Vobornik
81c06327b9 Extend topology help
`ipa help topology` is improved.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-12-04 19:51:55 +01:00
Petr Vobornik
517aa84569 rename topology suffixes to "domain" and "ca"
https://www.redhat.com/archives/freeipa-devel/2015-November/msg00485.html

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-04 12:59:21 +01:00
Petr Vobornik
581f5432bf topologysuffix: change iparepltopoconfroot API properties
Change CLI option, label and type to reflect that it is a only a DN
of the suffix.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-03 12:41:07 +01:00
Stanislav Laznicka
498471e4ae Removed duplicate domain name validating function
Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-12-02 17:26:56 +01:00
Jan Cholasta
4d24d8b26c topology: replace "suffices" with "suffixes"
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-12-01 09:30:21 +01:00
Jan Cholasta
46ae52569a server: use topologysuffix name in iparepltopomanagedsuffix
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-12-01 09:30:21 +01:00
Martin Basti
2a1a3c498a Upgrade: increase time limit for upgrades
Default ldap search limit is now 30 sec by default during upgrade.

Limits must be changed for the whole ldap2 connection, because this
connection is used inside update plugins and commands called from
upgrade.

Together with increasing the time limit, also size limit should be
unlimited during upgrade. With sizelimit=None we may get the
TimeExceeded exception from getting default value of the sizelimit from LDAP.

https://fedorahosted.org/freeipa/ticket/5267

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-12-01 08:51:44 +01:00
Petr Vobornik
c688954c27 topology: treat server suffix as multivalued attribute in API
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-11-27 15:56:59 +01:00
Petr Vobornik
68f6c2c7dc webui: topology graph facet
https://fedorahosted.org/freeipa/ticket/4286

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-11-27 15:50:56 +01:00
Martin Basti
6bbde3e0f7 Compare objectclasses as case insensitive in baseuser.py
Objectclasses must be handled as case insensitive.

https://fedorahosted.org/freeipa/ticket/5456

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-11-25 14:56:30 +01:00
Martin Basti
800c702324 Use absolute domain in detection of A/AAAA records
Python dns resolver append configured domain to queries which may lead
to false positive answer.

Exmaple: resolving "ipa.example.com" may return records for
"ipa.example.com.example.com" if domain is configured as "example.com"

https://fedorahosted.org/freeipa/ticket/5421

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-11-25 14:13:26 +01:00
Martin Basti
7acfaee8ab Call directly function is_host_resolvable instead do call via framework
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-11-25 14:11:13 +01:00
Martin Basti
749dfc3917 Make command dns-resolve deprecated.
To debug DNS issues other commands should be used like 'dig', 'host',
'nslookup' instead of command 'ipa dns-resolve'.

This command is executed on server side, what may not be helpful with
debugging clients.

'ipa dns-resolve' command is worse copy of host command, users should use
'host' command instead.

dns-resolve is removed from CLI

https://fedorahosted.org/freeipa/ticket/5466

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-11-25 14:09:02 +01:00
Martin Basti
6eeb4e4f2a Fix upgrade of forwardzones when zone is in realmdomains
https://fedorahosted.org/freeipa/ticket/5472

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-11-25 13:39:45 +01:00
Fraser Tweedale
620036d26e Add profiles and default CA ACL on migration
Profiles and the default CA ACL were not being added during replica
install from pre-4.2 servers.  Update ipa-replica-install to add
these if they are missing.

Also update the caacl plugin to prevent deletion of the default CA
ACL and instruct the administrator to disable it instead.

To ensure that the cainstance installation can add profiles, supply
the RA certificate as part of the instance configuration.
Certmonger renewal setup is avoided at this point because the NSSDB
gets reinitialised later in installation procedure.

Also move the addition of the default CA ACL from dsinstance
installation to cainstance installation.

Fixes: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-11-24 10:12:24 +01:00
Martin Basti
bf654aee1c remove forgotten print in DNS plugin
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-11-23 12:38:33 +01:00