In commit ed4c2d9252, changes to the Plugin
class were made, but the test was updated only partially.
Update the rest to fix the failing test.
https://fedorahosted.org/freeipa/ticket/6313
Reviewed-By: Martin Basti <mbasti@redhat.com>
Removing --force option from tracker base class so it would not be required to
be implemented in every specific tracker, even though it's not necessary.
Modifying existing trackers to reflect this change.
https://fedorahosted.org/freeipa/ticket/6124
Reviewed-By: Martin Basti <mbasti@redhat.com>
SSSD restart has been mistakenly added to integration tests
(test_integration/tasks.py::uninstall_master). When system setup is correct,
this restart has no significance, moreover it makes tests fail, hence its
removal is necessary.
https://fedorahosted.org/freeipa/ticket/6338
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
Hostname is always set, remove the text that says
hostname is set only if it does not match the current
hostname.
https://fedorahosted.org/freeipa/ticket/6330
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Inform the user where to find additional information
about certificate revocation reasons.
https://fedorahosted.org/freeipa/ticket/6327
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The added log messages allow easier debugging of
IP related issues during ipa-client-install.
https://fedorahosted.org/freeipa/ticket/6331
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Re-raise the thrown exception to get an error message
instead of a traceback during ipa-client-install with
invalid IP address.
https://fedorahosted.org/freeipa/ticket/6340
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
User and groups regexp are the same and constant should be used to avoid
any future misconfigurations.
https://fedorahosted.org/freeipa/ticket/5822
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Regexp should not enforce lenght of string, we have different checks for
that. Secondly regexp with length specified produces an incorrect error
message.
https://fedorahosted.org/freeipa/ticket/5822
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Backup and restore trust flags of existing certificates during CA
installation. This prevents marking a previously trusted certificate
as untrusted, as was the case when CA-less was converted to CA-full
with external CA when using the same certificate.
https://fedorahosted.org/freeipa/ticket/5791
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
If ipa-client-install is executed with --no-sssd, check if pam_krb5 is
available before proceeding with the install.
https://fedorahosted.org/freeipa/ticket/5557
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When ipa-server-certinstall is called to install a new server certificate,
the prerequisite is that the certificate issuer must be already known by IPA.
This fix adds new checks to make sure that the tool exits before
modifying the target NSS database if it is not the case.
The fix consists in creating a temp NSS database with the CA certs from the
target NSS database + the new server cert and checking the new server cert
validity.
https://fedorahosted.org/freeipa/ticket/6263
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In case that API is not accessible the 404 error is thrown. There was error dialog
with almost no information. The new dialog says what error is there and what can be
the main cause of the error.
https://fedorahosted.org/freeipa/ticket/4821
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Also created a decorator that removes the segment that the next test does not
expect.
https://fedorahosted.org/freeipa/ticket/6250
Reviewed-By: Martin Basti <mbasti@redhat.com>
As the segment name is a stochastic valu, which can have either of the two
nodes as the left node, we need to adapt the tests to not expect some
particular segment name but rather to calculate it dynamically based on node
names and the output of topologysegment-find ipa call
Reviewed-By: Martin Basti <mbasti@redhat.com>
Originaly there should be only two occurencees of this warning, one for
server, one for client. But obviously is not possible with current
installers to achive this goal, so I have to extract code to not mess
with 5 times copy and paste.
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
For some reasons named may not be runnig and this cause fail of this
upgrade step. This step is not critical so only ERROR message with
recommendation is shown.
https://fedorahosted.org/freeipa/ticket/6205
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Some upgrade steps require bind running, to be succesfull. Upgrader
makes sure that bind starts.
https://fedorahosted.org/freeipa/ticket/6205
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Commit c2af032c03 introduced a regression in the
handling of user principals supplied to the`ipa passwd` command. This patch
restores the original behavior which lowercases the username portion of the
principal.
https://fedorahosted.org/freeipa/ticket/6329
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Adding 'defaults' sudorule to prevent requesting further user authentication.
Adding checks that if a user should be rejected access, a proper error message
is displayed.
https://fedorahosted.org/freeipa/ticket/6262
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
The code should always contact forest root DCs when requesting trust domain
info. In the case of one-way or external trusts
`com.redhat.idm.trust-fetch-domains` helper is leveraged, otherwise forest
root domain is contacted directly through Samba using the credentials of HTTP
principal.
https://fedorahosted.org/freeipa/ticket/6328
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In test_one_command_installation the ipa-replica-install was missing '--server'
and '-U' options which resulted in false negative result. In
test_client_enrollment_by_unprivileged_user '--server' option was messing.
test_replica_promotion_after_adding_to_admin_group lacked '-U' option. It
leaded to 3 failed cases.
https://fedorahosted.org/freeipa/ticket/6301
Reviewed-By: Martin Basti <mbasti@redhat.com>
The server installation in most cases returns response code 0 no matter what
happens except for really severe errors. In this case when we try to uninstall
the middle replica of a line topology, it fails, notifies us that we should use
'--ignore-topology-disconnect', but returns 0
https://fedorahosted.org/freeipa/ticket/6300
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix a regression in recent change to request cert via Dogtag REST
API. 'ra.request_certificate' was no longer raising
CertificateOperationError when the cert request failed. Inspect the
request result to determine if the request completed, and raise if
it did not.
Fixes: https://fedorahosted.org/freeipa/ticket/6309
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Test ipatests/test_ipaserver/test_ldap::test_Backend fails claiming service
cannot be found. Fixing this by not using api with in_tree parameter.
https://fedorahosted.org/freeipa/ticket/6312
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Trust tests fail if they are executed after external trust tests. This is
caused my missing cleanup. Providing cleanup that would enable correct
execution of the tests regardless of their order.
https://fedorahosted.org/freeipa/ticket/6306
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In integration trust tests some values are checked using regular expressions.
Some of these expressions from recently added coverage have minor mistakes
which causes the comparisons to fail. Providing fix for these regular
expressions.
https://fedorahosted.org/freeipa/ticket/6285
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
DNs for netgroup entries can contain either 'cn' or 'ipauniqueid' attribute in
their leaf RDN depending on their origin. Since 'cn' is the primary key, we
can return it in `get_primary_key_from_dn` right away and avoid any extraneous
LDAP search.
https://fedorahosted.org/freeipa/ticket/5855
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Also moving activate_action method several lines up - correcting logical order of methods.
https://fedorahosted.org/freeipa/ticket/5818
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
There is no reason (RFC) why we should prevent users to add multicast
addresses to A/AAAA records
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
Currently environments may use prefix /31 on point-to-point connections what
makes IPA validators to fail. IPA should not care if IP address is broadcast
or not. In some cases (when prefix is not specified) IPA cannot decide
properly if broadcast address is really broadcast.
This commit allows usage of broadcast addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
Currently cloud environments uses heavily prefix /32 (/128) what makes
IPA validators to fail. IPA should not care if IP address is network or not.
This commit allows usage of network addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
Revocation of host/service certs on host/service deletion or other
operations is broken when cert is issued by a lightweight (sub)CA,
causing the delete operation to be aborted. Look up the issuing CA
and pass it to 'cert_revoke' to fix the issue.
Fixes: https://fedorahosted.org/freeipa/ticket/6221
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Detect when cert-request returns HTTP 409, which indicates that the
target CA is disabled - a valid scenario - and raise
CertificateOperationError with a friendly message instead of
HTTPRequestError.
Fixes: https://fedorahosted.org/freeipa/ticket/6260
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The Dogtag REST API gives better responses statuses than the RPC API
and properly reports failure due to disabled CA (status 409). Make
'ra' extend 'RestClient' and refactor the 'request_certificate'
method to use Dogtag's REST API.
Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Currently, HTTP requests that respond with status not in the 2xx
range raise RemoteRetrieveError. The exception includes no
information about the response status.
Add the 'HTTPRequestError' class which extends 'RemoteRequestError'
with an attribute for the response status, and update the Dogtag
RestClient to raise the new error.
Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Currently the Dogtag RestClient '_ssldo' method requires a session
cookie unconditionally, however, not all REST methods require a
session: some do not require authentication at all, and some will
authenticate the agent on the fly.
To avoid unnecessary login/logout requests via the context manager,
add the 'use_session' keyword argument to '_ssldo'. It defaults to
'True' to preserve existing behaviour (session required) but a
caller can set to 'False' to avoid the requirement.
Part of: https://fedorahosted.org/freeipa/ticket/6260
Part of: https://fedorahosted.org/freeipa/ticket/3473
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Always return the cert specified in --certificate in cert-find result, even
when the cert is not found in LDAP.
https://fedorahosted.org/freeipa/ticket/6304
Reviewed-By: David Kupka <dkupka@redhat.com>
