Commit Graph

1019 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
b054532658 adtrust install: define constants for rid bases
Define constants for DEFAULT_PRIMARY_RID_BASE = 1000 and
DEFAULT_SECONDARY_RID_BASE = 100000000

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Florence Blanc-Renaud
5541b9d69f Installers: configure sid generation in server/replica installer
ADTRUSTInstance performs only sid configuration when it is
called without --setup-adtrust.

Update man pages for ipa-server-install and ipa-replica-install
with the SID-related options.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Chris Kelley
9310366a6f Parse getStatus as JSON not XML
On dogtagpki/pki master XML is being replaced by JSON, getStatus will
return JSON in PKI 11.0+

The PR for dogtagpki/pki that makes this change necessary is:
https://github.com/dogtagpki/pki/pull/3674

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-08-05 17:35:51 -04:00
Rob Crittenden
02e19d0a39 Add SHA384withRSA as a certificate signing algorithm
It required support in dogtag which was added in 10.5.0.

This is only easily configurable during installation because
it will set ca.signing.defaultSigningAlgorithm to the
selected algorithm in CS.cfg

The certificate profiles will generally by default set
default.params.signingAlg=- which means use the CA default.

So while an existing installation will technically allow
SHA384withRSA it will require profile changes and/or
changing the defaultSigningAlgorithm in CS.cfg and
restarting (completely untested). And that won't affect
already issued-certificates.

https://pagure.io/freeipa/issue/8906

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-07-09 13:21:00 -04:00
Christian Heimes
1c4ae37293 Add basic support for subordinate user/group ids
New LDAP object class "ipaUserSubordinate" with four new fields:
- ipasubuidnumber / ipasubuidcount
- ipasubgidnumber / ipasgbuidcount

New self-service permission to add subids.

New command user-auto-subid to auto-assign subid

The code hard-codes counts to 65536, sets subgid equal to subuid, and
does not allow removal of subids. There is also a hack that emulates a
DNA plugin with step interval 65536 for testing.

Work around problem with older SSSD clients that fail with unknown
idrange type "ipa-local-subid", see: https://github.com/SSSD/sssd/issues/5571

Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-07-09 09:47:30 -04:00
Florence Blanc-Renaud
a7c8517826 man page: update ipa-server-upgrade.1
The man page needs to clarify in which case the command needs
to be run.

Fixes: https://pagure.io/freeipa/issue/8913
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-07-07 21:54:17 +02:00
Christian Heimes
a4631b7f3f Fix Custodia imports
See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-16 10:28:17 -04:00
Stanislav Levin
0a169b1bea krb_utils: Simplify get_credentials
Previously, `get_credentials` raises either ValueError or re-raises
GSSError. The former makes the handling of this function more difficult
without a good reason.

With this change:
- `get_credentials` no longer handles exceptions by itself, but delegates
this to the callers (which already process GSS errors).
- `get_credentials_if_valid` doesn't raise any expected exceptions, but
return valid credentials (on the moment of calling) or None. This makes
it consistent with docs.

Related: https://pagure.io/freeipa/issue/8873
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-06-12 11:19:25 +03:00
Florence Blanc-Renaud
5509e00a82 ipa-cert-fix man page: add note about certmonger renewal
ipa-cert-fix man page needs to explain that certmonger may
trigger a renewal right after ipa-cert-fix completes because
certmonger does not notice the updated certificates.

Also add a similar note at the end of ipa-cert-fix.

Fixes: https://pagure.io/freeipa/issue/8702
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-06-10 20:59:27 +02:00
MIZUTA Takeshi
5250ef826e Add --keyfile option to ipa-otptoken-import.1
ipa-otptoken-import.1 describes the -k option.
However, the long option --keyfile option is also available.
Therefore, add the --keyfile option to ipa-otptoken-import.1.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-05-27 18:28:19 +03:00
MIZUTA Takeshi
5b87f587ea Add argument for --entry option in ipa-managed-entries.1
There are no arguments in the --entry option,
but DN for the managed entry definition must actually be specified.
Therefore, add MANAGED_ENTRY as an argument.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-05-20 14:43:38 -04:00
MIZUTA Takeshi
120983bb02 Add argument for --schema-file option in ipa-ldap-updater.1
There are no arguments in the --schema-file option,
but the Schema file in LDIF format must actually be specified.
Therefore, add FILE.ldif as an argument

In addition, the --schema option no longer exists, so remove the description.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-05-20 14:19:22 +02:00
MIZUTA Takeshi
9ec73436bc Add arguments to the description of OPTIONS in ipa-winsync-migrate.1
ipa-winsync-migrate.1 has an explanation of options, but no arguments.
Therefore, add the arguments for --realm and --server.
Also, add a short option -U for --unattended.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-05-18 15:14:14 +02:00
Rob Crittenden
8365d5e734 Unify installer context to be 'installer'
'install' was being used in some places.

The context can be used to limit what configuration is
used for a given request so having consistency is
valuable.

This affected the force_schema_updates value in LDAPClient
which looks for api.env.context in ('installer', 'updates')

Related: https://pagure.io/freeipa/issue/8798

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2021-05-12 10:45:57 -04:00
Stanislav Levin
91e7452393 pylint: Fix several warnings
Fixes Pylint warnings:
- R1729(use-a-generator)
- R1710(inconsistent-return-statements)
- R1727(condition-evals-to-constant)

Fixes: https://pagure.io/freeipa/issue/8772
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-30 09:58:42 +02:00
Stanislav Levin
271fd162a7 ccache_sweeper: Add gssproxy service
The usage of the existing gssproxy service(`service/ipa-api`) leads
to undesirable for this case side effects such as auto renew of
expired credentials.

Fixes: https://pagure.io/freeipa/issue/8735
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-04 14:17:01 +02:00
François Cami
216720af83 ipa-csreplica-manage, ipa-replica-manage: refactor
Related: https://pagure.io/freeipa/issue/8605
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-02 11:48:59 +01:00
François Cami
bc3906f9aa ipa-replica-manage: handle missing attributes
If nsds5replicalastupdateend is not yet present,
ipa-replica-manage will backtrace as it tries to retrieve that
attribute unconditionally.
Gracefully handle that situation.

Fixes: https://pagure.io/freeipa/issue/8605
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-02 11:48:59 +01:00
François Cami
4b2c50ae62 ipa-replica-manage: always display nsds5replicalastinitstatus
If nsds5replicalastinitstatus is none, the status is not displayed.
Always displaying the last init status is more useful to the end-user.

Related: https://pagure.io/freeipa/issue/8605
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-03-02 11:48:59 +01:00
Antonio Torres
5d8cb1dd1f ipa-cacert-manage: add prune option
Add prune option to ipa-cacert-manage, allowing
to remove all expired certificates from the certificate store.

Related: https://pagure.io/freeipa/issue/7404
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-02-12 14:08:11 -05:00
Rob Crittenden
ed21787190 Add exit status to the ipactl man page
The existing return codes were undocumented but basically
followed the LSB. Document those along with the new
options for status.

https://pagure.io/freeipa/issue/8550

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-02-04 01:29:53 +01:00
Rob Crittenden
6518a600b4 Change FreeIPA references to IPA and Identity Management
In order to simplify the build process between upstream FreeIPA
and downstream builds (such as CentOS Stream) we are changing
some file references from FreeIPA to IPA (and Identity Management).

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-01-21 13:51:45 +01:00
Rob Crittenden
c6644b8566 Generate a unique cache for each connection
Rather than having a shared ccache per user, configure
mod_auth_gssapi to create a unique one. This requires cleanup
to remove expired caches. A new script is added,
ipa-ccache-sweeper to do this. It will be invoked by a
new service, ipa-ccache-sweep, which will be executed every
12 hours by an equally-named timer.

https://pagure.io/freeipa/issue/8589

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-12-03 16:57:01 -05:00
Rob Crittenden
e0ff82c884 Change the return codes of ipa-acme-manage
Traditionally in IPA 0 = success, 1 = error and then
specific error messages follow from that. Shift the
ipa-acme-manage return codes for "not installed" and
"not a CA" up by one.

https://pagure.io/freeipa/issue/8498

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 14:01:05 -05:00
Rob Crittenden
2768b0dbaf Require an ipa-ca SAN on 3rd party certs if ACME is enabled
ACME requires an ipa-ca SAN to have a fixed URL to connect to.
If the Apache certificate is replaced by a 3rd party cert then
it must provide this SAN otherwise it will break ACME.

https://pagure.io/freeipa/issue/8498

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 14:01:05 -05:00
Rob Crittenden
69ae48c8b6 Add a status option to ipa-acme-manage
It's handy in general and good for testing to be able to
detect the current ACME status without having to revert
to using curl.

https://pagure.io/freeipa/issue/8524

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
2020-11-02 10:43:57 -05:00
Christian Heimes
e28ec76898 Unify access to FQDN
FreeIPA's Python and C code used different approaches to get the FQDN of
the host. Some places assumed that gethostname() returns a FQDN. Other
code paths used glibc's resolver to resolve the current node name to a
FQDN.

Python code now uses the ipalib.constants.FQDN where a fully qualified
domain name is expected. The variable is initialized only once and avoids
potential DNS lookups.

C code uses a new helper function ipa_gethostfqdn() in util package. The
function implements similar logic as gethostfqdn() except it uses more
modern getaddrinfo(). The result is cached as well.

Fixes: https://pagure.io/freeipa/issue/8501
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2020-10-26 17:11:19 +11:00
Christian Heimes
6860c63760 Use separate install logs for AD and DNS instance
ipa-dns-install and ipa-adtrust-install no longer overwrite
ipaserver-install.log. Instead they use a separate log file.

Add AD-Trust, DNS, KRA, and replica log files to backups.

Fixes: https://pagure.io/freeipa/issue/8528
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-10-06 15:35:35 +02:00
Christian Heimes
fbb6484dbe Check ca_wrapped in ipa-custodia-check
ca_wrapped uses Dogtag's pki tool (written in Java) to wrap key
material. Add checks to custodia to verify that key wrapping works.

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-10-05 14:24:55 +02:00
Christian Heimes
99a40cbbe9 Simplify LDAPUpdater
- drop unused dm_password and ldapi arguments
- remove online feature that was never implemented
- allow passing of api object that is used to populate substitution
  dictionary
- simplify substitution dictionary updates
- remove unused instances vars

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-09-22 09:21:00 -04:00
Rob Crittenden
d7a4756dac Create a common place to retrieve facts about an IPA installation
This is common to both client and server. Start with whether the
client or server is configured.

https://pagure.io/freeipa/issue/8384

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-08-06 14:11:27 +02:00
Christian Heimes
8f6502db03 Convert ipa-httpd-pwdreader into Python script
and use paths from ipaplatform.

Fixes: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-07-30 11:38:25 +02:00
Fraser Tweedale
083c6aedc6 acme: add ipa-acme-manage command
Add the ipa-acme-manage command which can be used to enable or
disable the IPA ACME service.  It must be used on each server.  In
the future we will implement deployment-wide configuration
(including enable/disable) of the ACME service via IPA API, with
configuration stored in and replicated by LDAP.  But until then, we
need a simple command for administrators to use.

Part of: https://pagure.io/freeipa/issue/4751

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-07-10 08:33:22 -04:00
Alexander Scheel
a087d82e78 Specify cert_paths when calling PKIConnection
PKIConnection now defaults to specifying verify=True. We've introduced
a new parameter, cert_paths, to specify additional paths (directories or
files) to load as certificates. Specify the IPA CA certificate file so
we can guarantee connections succeed and validate the peer's certificate.

Point to IPA CA certificate during pkispawn

Bump pki_version to 10.9.0-0.4 (aka -b2)

Fixes: https://pagure.io/freeipa/issue/8379
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155
Related: https://github.com/dogtagpki/pki/pull/443
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-07-08 11:50:37 +02:00
Florence Blanc-Renaud
7ac60a87bc Man pages: fix syntax issues
Fix the syntax in ipa-cacert-manage.1 and default.conf.5

Fixes: https://pagure.io/freeipa/issue/8273
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-04-16 14:01:03 +02:00
François Cami
3665ba928b ipa-backup: Make sure all roles are installed on the current master.
ipa-backup does not check whether the IPA master it is running on has
all used roles installed. This can lead into situations where backups
are done on a CAless or KRAless host while these roles are used in the
IPA cluster. These backups cannot be used to restore a complete cluster.

With this change, ipa-backup refuses to execute if the roles installed
on the current host do not match the list of roles used in the cluster.
A --disable-role-check knob is provided to restore the previous behavior.

Fixes: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-04-01 12:09:16 +02:00
Alexander Bokovoy
b3dbb36867 adtrust: print DNS records for external DNS case after role is enabled
We cannot gather information about required DNS records before "ADTrust
Controller" role is enabled on this server. As result, we need to call
the step to add DNS records after the role was enabled.

Fixes: https://pagure.io/freeipa/issue/8192
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-02-13 21:20:13 +02:00
Rob Crittenden
acfb6191a1 Add delete option to ipa-cacert-manage to remove CA certificates
Before removing a CA re-verify all the other CAs to ensure that
the chain is not broken. Provide a force option to handle cases
where the CA is expired or verification fails for some other
reason, or you really just want them gone.

https://pagure.io/freeipa/issue/8124

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-28 13:05:31 -05:00
Florence Blanc-Renaud
8a522bed6b ipa-cacert-manage man page: fix indentation
Fix the indentation of the SYNPOSIS section

Fixes: https://pagure.io/freeipa/issue/8138
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-12-13 17:49:22 +02:00
Florence Blanc-Renaud
0fc8562b24 ipa-server-certinstall manpage: add missing options
Some options were not documented in the man page:
--version
-h, --help
-p DIRMAN_PASSWD (but the long name --dirman-password is in the man page)
-v, --verbose
-q, --quiet
--log-file=FILE

Fixes: https://pagure.io/freeipa/issue/8086
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-10-17 08:11:45 +02:00
Fraser Tweedale
bfead9ce66 ipa-pki-retrieve-key: request AES encryption (with fallback)
Update the ipa-pki-retrieve-key client to issue a request that
specifies that AES encryption should be used.  If the server
responds 404, fall back to a request *without* an algorithm
parameter.  This handles both of the possible 404 scenarios:

a) It is an old server that does not support extra Custodia key
   parameters;

b) The server supports extra parameters but the key does not exist,
   in which case the fallback request will also fail with 404.

Fixes: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-09-25 12:42:06 +10:00
Christian Heimes
90f7232454 Don't create log files from help scripts
Helper scripts now use api.bootstrap(log=None) to avoid the creation of
log files. Helper scripts are typically executed from daemons which
perform their own logging. The helpers still log to stderr/stdout.

This also gets rid of some SELinux AVCs when the script tries to write
to /root/.ipa/.

Fixes: https://pagure.io/freeipa/issue/8075
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-24 15:23:30 +02:00
Florence Blanc-Renaud
802e54dd0e replica install: enforce --server arg
When the --server option is provided to ipa-replica-install (1-step
install), make sure that the server offers all the required roles
(CA, KRA). If it's not the case, refuse the installation.

Note that the --server option is ignored when promoting from client to
replica (2-step install with ipa-client-install and ipa-replica-install),
meaning that the existing behavior is not changed in this use case:
by default the host specified in default.conf as server is used for
enrollment, but if it does not provide a required role, another host can
be picked for CA or KRA setup.

Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2019-09-23 14:36:10 +02:00
Rob Critenden
e5af8c19a9 Move ipachangeconf from ipaclient.install to ipapython
This will let us call it from ipaplatform.

Mark the original location as deprecated.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-08-28 22:15:50 -04:00
Theodor van Nahl
adcf04255c Fix UnboundLocalError in ipa-replica-manage on errors
If ipa-replica-manage is unable to retrieve e.g. due to certificate
validity problem. An UnboundLocalError is thrown for `type1`. This fixes
the issue with a clean exit.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-08-06 07:13:37 +02:00
Fraser Tweedale
130e1dc343 move MSCSTemplate classes to ipalib
As we expand the integration tests for external CA functionality, it
is helpful (and avoids duplication) to use the MSCSTemplate*
classes.  These currently live in ipaserver.install.cainstance, but
ipatests is no longer permitted to import from ipaserver (see commit
81714976e5e13131654c78eb734746a20237c933).  So move these classes to
ipalib.

Part of: https://pagure.io/freeipa/issue/7548

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-07-17 17:58:58 +03:00
François Cami
37ab150cc7 Introduce minimal ipa-client-automount.in and ipactl.in
Now that ipa-client-automount and ipactl main logic has been
moved into modules, introduce minimal executables.

Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-28 10:53:07 +02:00
François Cami
c0cf65c4f7 Move ipa-client-automount.in and ipactl into modules
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-06-28 10:53:07 +02:00
Christian Heimes
6d02eddd3e Replace PYTHONSHEBANG with valid shebang
Replace the @PYTHONSHEBANG@ substitution with a valid #!/usr/bin/python3
shebang. This turns Python .in files into valid Python files. The files
can now be checked with pylint and IDEs recognize the files as Python
files.

The shebang is still replaced with "#!$(PYTHON) -E" to support
platform-python.

Related: https://pagure.io/freeipa/issue/7984
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-06-24 09:35:57 +02:00
Christian Heimes
c027b9334b Fix CustodiaClient ccache handling
A CustodiaClient object has to the process environment a bit, e.g. set
up GSSAPI credentials. To reuse the credentials in libldap connections,
it is also necessary to set up a custom ccache store and to set the
environment variable KRBCCNAME temporarily.

Fixes: https://pagure.io/freeipa/issue/7964
Co-Authored-By: Fraser Tweedale <ftweedal@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-06-18 10:36:24 +10:00