ipasearchrecordslimit can be -1, which means unlimited.
The permission_find post_callback failed in this case in legacy
permission handling.
Do not fail in this case.
Web UI build fails on some architectures or configuration due to
StackOverflow. This patch increases the stack size to solve it.
512k is usually enough but we encountered fail on ppc64 even with 2m,
therefore the 8m. The build is single threaded so it shouldn't waste
much memory.
To double-check the ACIs are correct, this uses different code
than the new permission plugin: the aci_show command.
A new option, location, is added to the command to support
these checks.
Lists and tuples are already allowed for convenience; it is easier to write
(1, 2, 3) or [1, 2, 3] than frozenset([1, 2, 3]).
This allows the set literal syntax, {1, 2, 3}, as well.
Latest support for subdomains introduced regression that masked
difference between newly added trust and re-added one.
Additionally, in case no new subdomains were found, the code was
returning None instead of an empty list which later could confuse
trustdomain-find command.
https://fedorahosted.org/freeipa/ticket/4067
The CLDAP DS plugin uses the uppercased first segment of the fully
qualified hostname as the NetBIOS name. We need to limit its size
to 15 characters.
https://fedorahosted.org/freeipa/ticket/4028
The driver only checked if the corresponding value was in the config, so
no_dns: False
had the same effect as
no_dns: True
Change the check to take the value into consideration.
This makes false-y values like False (from YAML) and empty string
(from environment) work as if the value was not specified.
Clean up the .gitignore file:
- Remove no longer used .gitignore entries, like .bzr files
- Do not repeat autotools generated files over and over again
- Whitelist existent Makefiles in the repository
- Better separate the .gitignore entries
The ipa-client-install script and ipa-join use different methods
of resolving the hostname, the former uses gethostbyaddr() call,
while the latter reads the "uinfo.nodename".
This can result ipa-client-install failures in case of broken PTR
records.
https://fedorahosted.org/freeipa/ticket/4027
The framework had a concept of external hostnames,
which the controller uses to contact the test machines,
but they were not loaded from configuration.
Load external names from configuration.
This makes tests pass in setups where internal and external
hostnames are different, and the internal hostnames are not
initially resolvable from the controller.
Apparently when we relicensed to GPLv3 we missed these two spots.
The actual boilerplate was changed in these files but not the
license tag passed to python setup.
When AD administrator credentials passed, they stored in realm_passwd,
not realm_password in the options.
When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure
to normalize them.
Additionally, force Samba auth module to use NTLMSSP in case we have
credentials because at the point when trust is established, KDC is not
yet ready to issue tickets to a service in the other realm due to
MS-PAC information caching effects. The logic is a bit fuzzy because
credentials code makes decisions on what to use based on the smb.conf
parameters and Python bindings to set parameters to smb.conf make it so
that auth module believes these parameters were overidden by the user
through the command line and ignore some of options. We have to do calls
in the right order to force NTLMSSP use instead of Kerberos.
Fixes https://fedorahosted.org/freeipa/ticket/4046
Add the server class name, such as [xmlserver] or [jsonserver_kerb] to
the server logs. This will allow easier debugging of problems specific
to a protocol or server class.
Modify ipalib.rpc to support JSON-RPC in addition to XML-RPC.
This is done by subclassing and extending xmlrpclib, because
our existing code relies on xmlrpclib internals.
The URI to use is given in the new jsonrpc_uri env variable. When
it is not given, it is generated from xmlrpc_uri by replacing
/xml with /json.
The rpc_json_uri env variable existed before, but was unused,
undocumented and not set the install scripts.
This patch removes it in favor of jsonrpc_uri (for consistency
with xmlrpc_uri).
Add the rpc_protocol env variable to control the protocol
IPA uses. rpc_protocol defaults to 'jsonrpc', but may be changed
to 'xmlrpc'.
Make backend.Executioner and tests use the backend specified by
rpc_protocol.
For compatibility with unwrap_xml, decoding JSON now gives tuples
instead of lists.
Design: http://freeipa.org/page/V3/JSON-RPC
Ticket: https://fedorahosted.org/freeipa/ticket/3299
