ipa-getkeytab command was augmented in a way that allows more flexible
selection of bind mechanisms:
* -H <LDAP_URI> option was added to specify full LDAP uri. By default the
URI will be constructed from retrieved server name as is done now.
Specifying this options precludes use of -s.
* -Y <EXTERNAL|GSSAPI> specifes SASL bind mechanism if no bind DN
was given (which implies simple bind)
This allows the command to be used also locally via LDAPI, eliminating the
need to provide any credentials at all as root (e.g. in installers)
https://fedorahosted.org/freeipa/ticket/6409
Reviewed-By: Simo Sorce <ssorce@redhat.com>
get rid of hardcoded CA cert path and allow the caller to use supplied custom
paths instead
https://fedorahosted.org/freeipa/ticket/6409
Reviewed-By: Simo Sorce <ssorce@redhat.com>
* move IPAdmin methods to LDAPClient
* add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
* add host, port, _protocol to LDAPClient (parsed from ldap_uri)
* create get_ldap_uri() method to create ldap_uri from former
IPAdmin.__init__() arguments
* replace IPAdmin with LDAPClient + get_ldap_uri()
* remove ununsed function argument hostname from
enable_replication_version_checking()
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Rename do_sasl_gssapi_bind to gssapi_bind
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The configure script checks for libcurl, but it is never actually used
anywhere.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Check for import errors with pylint to make sure new python package
dependencies are not overlooked.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
This broke ONLY_CLIENT option in SPEC file. It will be fixed later on.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
setuptools does not support data_files any more. The ipa(1) man page is
now handled like the remaining man pages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
pylint-1.6.4-1.fc26.noarch reports "C0201(consider-iterating-dictionary)" when
building FreeIPA, we have to fix these errors
https://fedorahosted.org/freeipa/ticket/6391
Reviewed-By: Martin Basti <mbasti@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The --server option now specifically mentions that
it expects the FQDN of the IPA server.
https://fedorahosted.org/freeipa/ticket/6202
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The man page and help of ipa-client-install and ipa-replica-conncheck
had an outdated information about what is used as a hostname.
https://fedorahosted.org/freeipa/ticket/5754
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
The added log messages allow easier debugging of
IP related issues during ipa-client-install.
https://fedorahosted.org/freeipa/ticket/6331
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
If ipa-client-install is executed with --no-sssd, check if pam_krb5 is
available before proceeding with the install.
https://fedorahosted.org/freeipa/ticket/5557
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Originaly there should be only two occurencees of this warning, one for
server, one for client. But obviously is not possible with current
installers to achive this goal, so I have to extract code to not mess
with 5 times copy and paste.
https://fedorahosted.org/freeipa/ticket/5814
Reviewed-By: David Kupka <dkupka@redhat.com>
This commit also splits hostname backup and configuration into two separate
functions. This allows us to backup hostname without setting it at the
same time.
https://fedorahosted.org/freeipa/ticket/6071
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This patch fixes the 3rd issue of ticket 6012:
ipa-server-install --uninstall -U
complains while removing Kerberos service principals from /etc/krb5.keytab
----
Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DOM-221.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero exit status 5
----
This happens because the uninstaller performs the following sequence:
1/ restore pre-install files, including /etc/krb5.keytab
At this point /etc/krb5.keytab does not contain any principal for
IPA domain
2/ call ipa-client-install --uninstall, which in turns runs
ipa-rmkeytab -k /etc/krb5.keytab -r <domain>
to remove the principals.
The fix ignores ipa-rmkeytab's exit code 5 (Principal name or realm not
found in keytab)
https://fedorahosted.org/freeipa/ticket/6012
Reviewed-By: Martin Basti <mbasti@redhat.com>
Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.
Add the hostname as a SAN dNSName when these certs are created.
(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).
Fixes: https://fedorahosted.org/freeipa/ticket/4970
Reviewed-By: Petr Spacek <pspacek@redhat.com>
If locale setting was incorect, gettext failed to initialize and scripts
failed. this commit replaces error exit with warning message. (Better to
have untranslated output than fail)
https://fedorahosted.org/freeipa/ticket/5973
Reviewed-By: Petr Spacek <pspacek@redhat.com>
On slower machines, the original time 10s is not enough. Raising timeout
to 100sec should help.
https://fedorahosted.org/freeipa/ticket/5842
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The include of /etc/krb5.conf.d/ is required for crypto-policies to work properly
https://fedorahosted.org/freeipa/ticket/5912
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This is required for the finalize call to be able connect to the server to
retrieve API schema.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Specify RPC connection options once in API.bootstrap rather than in each
invocation of rpcclient.connect.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
When connecting rpcclient, get the default values of the `verbose`,
`fallback` and `delegate` options from API config rather than hard-code
them.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
After discussion with Martin Basti we decided to standardize on root_logger
with hope that one day we will use root_logger.getLogger('module')
to make logging prettier and tunable per module.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.
This patch does not change the autogenerated files: asn1/asn1c/*.h.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This prevents cases when hostname on system is set inconsistently
(transient and static hostname differs) and may cause IPA errors.
This commit ensures that all hostnames are set properly.
https://fedorahosted.org/freeipa/ticket/5794
Reviewed-By: David Kupka <dkupka@redhat.com>
Netifaces allows to get addresses from local interfaces of the host in
safer way than parsing output of the ip command.
https://fedorahosted.org/freeipa/ticket/5591
Reviewed-By: David Kupka <dkupka@redhat.com>
Global variables should be defined in the outer space, not just marked
as global inside functions.
Removes unused global variables
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
In order to enable SSSD smart prompting and allow it to ask for 1FA and
2FA separately, ChallengeResponseAuthentication should be set to yes.
This change will enable better processing of the 2FA value and it will
also enable other features, like allow SSSD to make the 2FA option in
some cases and have a way of informing user that 2FA is optional.
https://fedorahosted.org/freeipa/ticket/5703
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
'yes' is also valid value in krb5.conf but we should be consistent and
use only 'true' as we do for other options.
https://fedorahosted.org/freeipa/ticket/5518
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The "except ValueError as UnicodeDecodeError" looks very suspicious.
Commit change except to catch both exceptions.
https://fedorahosted.org/freeipa/ticket/5718
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Don't put any IPA certificates to /etc/pki/nssdb - IPA itself uses
/etc/ipa/nssdb and IPA CA certificates are provided to the system using
p11-kit. Remove leftovers on upgrade.
https://fedorahosted.org/freeipa/ticket/5592
Reviewed-By: David Kupka <dkupka@redhat.com>
The ldap_result operation can time out, returning a NULL result,
which in turn causes the parsing operation to crash.
https://fedorahosted.org/freeipa/ticket/5642
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
