User in now notified about "Locked User account" message instead of
"The password or username you entered is incorrect" or any generic error
message
Fixes : https://fedorahosted.org/freeipa/ticket/5076
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
In Python 3, dict.keys() returns a key view. It is not safe to delete
dict keys when iterating over this view.
Convert the keys to list first.
Part of the work for https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, str.encode('ascii') converts to bytes, and str()
(nicknamed unicode() in IPA) returns the string representation
of an object, which is b'...' for bytes.
So, unicode('...'.encode('ascii')) results in "b'...'".
Change the code to only call encode() for the error.
Part of the work for https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Perl was missing in BuildRequires anyway and it is used only on one place,
all other places are using sed.
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
As Internet Explorer is not a supported browser anymore, browser Kerberos
configuration page shows warning to user about the same.
Fixes : https://fedorahosted.org/freeipa/ticket/5656
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Is safer to raise error than trying to find what is wrong with method
that is not correctly overriden
The new method set_hostname has been added which should be overriden on other
platforms.
https://fedorahosted.org/freeipa/ticket/5794
Reviewed-By: David Kupka <dkupka@redhat.com>
This prevents cases when hostname on system is set inconsistently
(transient and static hostname differs) and may cause IPA errors.
This commit ensures that all hostnames are set properly.
https://fedorahosted.org/freeipa/ticket/5794
Reviewed-By: David Kupka <dkupka@redhat.com>
Host, user and idview commands do unnnecessary extra search for
ipasshpubkey attribute to generate fingerprints.
Note: Host and user plugins shows ipasshpubkey only when the attribute
is changed, idviews show ipasshpubkey always. This behavior has been
kept by this commit.
common_pre/post_callbacks were fixed in [base|stage]user modules.
common_callbacks requires the same arguments as pre/post_callbacks now
(except baseuser_find.post_common_callback)
Note2: in *-add commands there is no need for managing ipasshpubkey as
this attribute should be shown always there.
https://fedorahosted.org/freeipa/ticket/3376
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The unit test framework check has not been used in freeipa for long time
(if ever) but there was still conditional check for this framework.
It just produced confusing warning:
Without the 'CHECK' library, you will be unable
to run all tests in the 'make check' suite
Reviewed-By: Petr Spacek <pspacek@redhat.com>
File httpd.service was created by RPM, what causes that httpd service may
fail due IPA specific configuration even if IPA wasn't installed or was
uninstalled (without erasing RPMs).
With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.
https://fedorahosted.org/freeipa/ticket/5681
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The context manager was leaving API object disconnected when
an exception was raised inside of it. This led to resource leak
in the tests.
https://fedorahosted.org/freeipa/ticket/5733
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The caacl HBAC request is correct when just the username is given,
but the full 'user@REALM' form was not handled correctly.
Fixes: https://fedorahosted.org/freeipa/ticket/5733
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fixed a false negative related to replication taking some time: added
wait_for_replication call before checking for new object in replicas.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
ipa-replica-prepare could crash during addition of replica's PTR records if
there was no reverse zone managed by IPA and 'bindinstance.find_reverse_zone'
returns an unhandled None. The code will now issue a warning and skip the PTR
record addition in this case.
https://fedorahosted.org/freeipa/ticket/5740
Reviewed-By: Martin Basti <mbasti@redhat.com>
- User is now notified about "Kerberos Principal expiration" message instead of
"Wrong username or password" message.
- User is also notified about "Invalid password" message instead of
generic error message.
https://fedorahosted.org/freeipa/ticket/5077
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
These two options allow preventing clickjacking attacks. They don't allow
open FreeIPA in frame, iframe or object element.
https://fedorahosted.org/freeipa/ticket/4631
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Netifaces allows to get addresses from local interfaces of the host in
safer way than parsing output of the ip command.
https://fedorahosted.org/freeipa/ticket/5591
Reviewed-By: David Kupka <dkupka@redhat.com>
API commands inheriting from LDAPSearch should mention which limit was
exceeded in the warning message sent with truncated results.
https://fedorahosted.org/freeipa/ticket/5677
Reviewed-By: Petr Spacek <pspacek@redhat.com>
When LDAP search fails on exceeded limits, we should raise an specific
exception for the type of limit raised (size, time, administrative) so that
the consumer can distinguish between e.g. searches returning too many entries
and those timing out.
https://fedorahosted.org/freeipa/ticket/5677
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Clarify that dns removes only A, AAAA, PTR, SSHFP records of the host(s) managed by IPA DNS.
https://fedorahosted.org/freeipa/ticket/5675
Reviewed-By: Petr Spacek <pspacek@redhat.com>
only A, AAAA, SSHPF and PTR records are managed by IPA. The other
records should be removed by user.
https://fedorahosted.org/freeipa/ticket/5675
Reviewed-By: Petr Spacek <pspacek@redhat.com>
This command has no effect in that block of code, dnsrecord_show is
enough for detection if records exists.
https://fedorahosted.org/freeipa/ticket/5675
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Due the configuration of dnsrecord_find, it works as dnsrecord-show,
thus it can be replaced.
https://fedorahosted.org/freeipa/ticket/5675
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Originally only the first A/AAAA record is removed, and one other record. This commit fixes it
and all records are removed.
https://fedorahosted.org/freeipa/ticket/5675
Reviewed-By: Petr Spacek <pspacek@redhat.com>
This pre_callback contains method to preprocessing usercertificate that
was not called during stageuser-add. This commit adds missing
pre_common_callback call to stageuser_add.
https://fedorahosted.org/freeipa/ticket/5759
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The following testcases were automated:
1. Test one command replica installation
2. Test csreplica-manage-(del, connect, disconnect) are disabled in domain
level 1
3. Client enrollment and replica promotion by an unprivileged user are
prohibited
4. Replica uninstallation is prohibited if it disconnects a part of existing
topology (is possible only with --ignore-topology-disconnect option)
https://fedorahosted.org/freeipa/ticket/5723
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The python-qrcode print_ascii() method does not work in terminals with
non-UTF-8 encoding. When this is the case do not render QR code but print a
warning instead. Also print a warning when the QR code size is greater that
terminal width if the output is a tty.
https://fedorahosted.org/freeipa/ticket/5700
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
