Commit Graph

12674 Commits

Author SHA1 Message Date
Christian Heimes
4124743862 Replace messagebus with modern name dbus
"messagebus" is an old, archaic name for dbus. Upstream dbus has started
to move away from the old name. Let's use the modern term in FreeIPA,
too.

Fixes: https://pagure.io/freeipa/issue/7754
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-11-08 17:44:45 +01:00
Christian Heimes
e569afb04e Fix test_cli_fsencoding on Python 3.7, take 2
0a5a7bdef7 introduced another problem. The
test is now failing on systems without a full IPA client or server
installation. Use IPA_CONFDIR env var to override location of
default.conf, so that the command always fails.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
2018-11-08 16:03:21 +01:00
Christian Heimes
816783a1b9 Copy-paste error in permssions plugin, CID 323649
Address a bug in the code block for attributeLevelRights for old clients.
The backward compatibility code for deprecated options was not triggered,
because the new name was checked against wrong dict.

Coverity Scan issue 323649, Copy-paste error

   The copied code will not have its intended effect.
   In postprocess_result: A copied piece of code is inconsistent with the
   original (CWE-398)

See: Fixes: https://pagure.io/freeipa/issue/7753
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-08 13:16:26 +01:00
Serhii Tsymbaliuk
da70f397cb Increase memory size for ipaserver topology (nightly-master.yaml)
Fix "Cannot allocate memory" error for Web UI tests

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-08 08:34:13 +01:00
Alexander Bokovoy
82af034023 ipaserver.install.adtrust: fix CID 323644
Fix Coverity finding CID 323644: logically dead code path

The code to determine whether NetBIOS name was already set or need to be
set after deriving it from a domain or asking a user for an interactive
input, was refactored at some point to avoid retrieving the whole LDAP
entry. Instead, it was provided with the actual NetBIOS name retrieved.

As result, a part of the code got neglected and was never executed.

Fix this code and provide a test that tries to test predefined,
interactively provided and automatically derived NetBIOS name depending
on how the installer is being run.

We mock up the actual execution so that no access to LDAP or Samba is
needed.

Fixes: https://pagure.io/freeipa/issue/7753
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-07 16:37:18 +01:00
Christian Heimes
8b0f3595fd Allow ipaapi user to access SSSD's info pipe
For smart card authentication, ipaapi must be able to access to sss-ifp.
During installation and upgrade, the ipaapi user is now added to
[ifp]allowed_uids.

The commit also fixes two related issues:

* The server upgrade code now enables ifp service in sssd.conf. The
  existing code modified sssd.conf but never wrote the changes to disk.
* sssd_enable_service() no longer fails after it has detected an
  unrecognized service.

Fixes: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-11-07 16:28:35 +01:00
Sergey Orlov
324da5c379 ipatests: add test for ipa-advise for enabling sudo for admins group
Test that
1) sudo is not enabled for members of admins group by default
2) sudo is enabled for them after execution of script provided
by ipa-advise enable_admins_sudo

Related to https://pagure.io/freeipa/issue/7538

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-07 13:48:54 +01:00
Christian Heimes
0a5a7bdef7 Fix test_cli_fsencoding on Python 3.7
Starting with Python 3.7, PEP 538 addresses the locale issue. Python now
supports UTF-8 file system encoding with non-UTF-8 C locale.

See: https://docs.python.org/3/whatsnew/3.7.html#whatsnew37-pep538
See: https://pagure.io/freeipa/issue/5887
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-07 13:11:48 +01:00
Fraser Tweedale
b8007e14cc rpc: always read response
If the server responds 401 and the response body is empty, the
client raises ResponseNotReady.  This occurs because:

1. For a non-200 response, the response read only if the
   Content-Length header occurs.

2. The response must be read before another request (e.g. the
   follow-up request with WWW-Authenticate header set), and this
   condition was not met.  For details see
   https://github.com/python/cpython/blob/v3.6.7/Lib/http/client.py#L1305-L1321.

This situation should not arise in regular use, because the client
either has a session cookie, or, knowing the details of the server
it is contacting, it establishes the GSS-API context and includes
the WWW-Authenticate header in the initial request.

Nevertheless, this problem has been observed in the wild.  I do not
know its ordinary cause(s), but one can force the issue by removing
an authenticated user's session cache from /run/ipa/ccaches, then
performing a request.

Resolve the issue by always reading the response.  It is safe to
call response.read() regardless of whether the Content-Length header
appears, or whether the body is empty.

Fixes: https://pagure.io/freeipa/issue/7752
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-07 08:39:42 +01:00
Fraser Tweedale
4cd26fcba5 ipaldap: avoid invalid modlist when attribute encoding differs
ipaldap does not take into account the possibility of the attribute
encoding returned by python-ldap differing from the attribute
encoding produced by FreeIPA.  In particular this can occur with DNs
with special characters that require escaping.  For example,
python-ldap (or the underlying LDAP library) escapes special
characters using hex encoding:

  CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU

Whereas FreeIPA, when encoding the DN, escapes the character
directly:

  CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU

Therefore it is possible to generate an invalid modlist. For
example, during external CA certificate renewal, if the issuer DN
includes a comma in one of the attribute values (as above), an
invalid modlist will be generated:

  [ (ldap.MOD_ADD, 'ipacaissuerdn',
      [b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU'])
  , (ldap.MOD_DELETE, 'ipacaissuerdn',
      [b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU'])
  ]

Although encoded differently, these are the same value.  If this
modification is applied to the object, attributeOrValueExists (error
20) occurs.

To avoid the issue, put deletes before adds in the modlist.  If a
value is present (with different encodings) as both an addition and
a deletion, it must be because the original object contained the
value with a different encoding.  Therefore it is safe to delete it,
then add it back.

Note that the modlist is not optimal.  In the simplest case (like
above example), there should be no modification to perform.  It is
considerably more complex (and more computation) to implement this
because the raw attribute values must be decoded before comparison.

Fixes: https://pagure.io/freeipa/issue/7750
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-06 10:59:06 +01:00
Christian Heimes
da2078bc60 ipapwd_pre_mod: NULL ptr deref
In ipapwd_pre_mod, check userpw for NULL before dereferencing its first
element.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-01 13:56:31 +01:00
Christian Heimes
800e448aeb ipadb_mspac_get_trusted_domains: NULL ptr deref
Fix potential NULL pointer deref in ipadb_mspac_get_trusted_domains().
In theory, dn could be empty and rdn NULL. The man page for ldap_str2dn()
does not guarantee that it returns a non-empty result.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-01 13:56:31 +01:00
Christian Heimes
aa261ba5b1 has_krbprincipalkey: avoid double free
Set keys to NULL after free rder to avoid potential double free.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-11-01 13:56:31 +01:00
Rob Crittenden
f4e37385b4 Enable replica install info logging to match ipa-server-install
Increase log level to info by setting verbose=True and adding
a console format.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

https://pagure.io/freeipa/issue/7408

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-01 13:08:58 +01:00
Rob Crittenden
4cde696d71 Demote log message in custodia _wait_keys to debug
This was previously suppressed because of the log level in
an installation was set to error so it was never displayed
Keeping consistency and demoting it to debug since the
log level is increased to info.

Related: https://pagure.io/freeipa/issue/7408

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-01 13:08:58 +01:00
Rob Crittenden
9b7a152e95 Pass a list of values into add_master_dns_records
During replica installation the local IP addresses should be
added to DNS but will fail because a string is being passed
to an argument expecting a list. Convert to a list before
passing in individual IPs.

Discovered when fixing https://pagure.io/freeipa/issue/7408

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-11-01 13:08:58 +01:00
Serhii Tsymbaliuk
8954521007
WebUI tests: Make possible to use kwargs with @screenshot decorator
Reviewed-By: Petr Cech <pcech@redhat.com>
2018-10-31 11:55:35 +01:00
Serhii Tsymbaliuk
8f2a75cb00
UI tests for "Automount": check dialog confirmation using ENTER
https://pagure.io/freeipa/issue/7735

Reviewed-By: Petr Cech <pcech@redhat.com>
2018-10-31 11:55:35 +01:00
Serhii Tsymbaliuk
6444808fd2
UI tests for "Automount": check some negative cases
https://pagure.io/freeipa/issue/7735

Reviewed-By: Petr Cech <pcech@redhat.com>
2018-10-31 11:55:35 +01:00
Serhii Tsymbaliuk
ba40590e9d
UI tests for "Automount": check indirect map duplication
https://pagure.io/freeipa/issue/7735

Reviewed-By: Petr Cech <pcech@redhat.com>
2018-10-31 11:55:35 +01:00
Serhii Tsymbaliuk
b7a149feb2
UI tests for "Automount": check creating automount key without some fields
https://pagure.io/freeipa/issue/7735

Reviewed-By: Petr Cech <pcech@redhat.com>
2018-10-31 11:55:35 +01:00
Serhii Tsymbaliuk
de06bf2778
UI tests for "Automount": check creating indirect automount map without some fields
https://pagure.io/freeipa/issue/7735

Reviewed-By: Petr Cech <pcech@redhat.com>
2018-10-31 11:55:35 +01:00
Serhii Tsymbaliuk
97f158aeec
UI tests for "Automount": Fix item deleting
https://pagure.io/freeipa/issue/7735

Reviewed-By: Petr Cech <pcech@redhat.com>
2018-10-31 11:55:35 +01:00
Serhii Tsymbaliuk
e957e0aef0
UI tests for "Automount": check modifying map and key settings
https://pagure.io/freeipa/issue/7735

Reviewed-By: Petr Cech <pcech@redhat.com>
2018-10-31 11:55:35 +01:00
Serhii Tsymbaliuk
1d4b43efa4
UI tests for "Automount": check "Add Automount..." dialogs
https://pagure.io/freeipa/issue/7735

Reviewed-By: Petr Cech <pcech@redhat.com>
2018-10-31 11:55:35 +01:00
Serhii Tsymbaliuk
8949aa64d9
UI tests for "Automember": Extend search cases
https://pagure.io/freeipa/issue/7721

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-30 16:26:29 +01:00
Serhii Tsymbaliuk
cd795257cc
UI tests for "Automember": Negative cases
https://pagure.io/freeipa/issue/7721

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-30 16:26:29 +01:00
Serhii Tsymbaliuk
33a74fb2c4
UI tests for "Automember": check setting default user/host group
https://pagure.io/freeipa/issue/7721

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-30 16:26:29 +01:00
Serhii Tsymbaliuk
a68035dcae
UI tests for "Automember": check creating and deleting of automember rule conditions
https://pagure.io/freeipa/issue/7721

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-30 16:26:29 +01:00
Serhii Tsymbaliuk
63cbf6294e
UI tests for "Automember": check creating and deleting of multiple rules
https://pagure.io/freeipa/issue/7721

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-30 16:26:29 +01:00
Serhii Tsymbaliuk
49df1ab1c8
UI tests for "Automember": check search filter
https://pagure.io/freeipa/issue/7721

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2018-10-30 16:26:29 +01:00
Christian Heimes
ec208e9719 Require Dogtag 10.6.7-3
10.6.7-3 fixes a problem with ipa-ca-install and ipa-kra-install on
replicas.

See: https://pagure.io/dogtagpki/issue/3073
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 21:37:39 +02:00
Fraser Tweedale
4b920df483 Restore KRA clone installation integration test
This Dogtag issue that caused KRA clone installation failure in some
scenarios has been fixed (https://pagure.io/dogtagpki/issue/3055).
This reverts commit 2488813260 and
bumps the pki-core dependency.

Fixes: https://pagure.io/freeipa/issue/7654
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 21:37:39 +02:00
Christian Heimes
204353e4dc Use tasks.install_master() in external_ca tests
The install_master() function performs additional steps besides just
installing a server. It also sets up log collection and performs
additional tests.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 20:10:23 +02:00
Christian Heimes
ec54fa7712 Keep Dogtag's client db in external CA step 1
Don't remove /root/.dogtag/pki-tomcat when performing step 1 of external
CA installation process. Dogtag 10.6.7 changed behavior and no longer
re-creates the client database in step 2.

Fixes: https://pagure.io/freeipa/issue/7742
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 20:10:23 +02:00
Christian Heimes
2e7f3d1d0d Improve Python configuration for LGTM
LGTM is no longer able to analyse all Python code without importing it.
Define OS and Python package dependencies and build the project for
Python, too.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 18:04:23 +02:00
Florence Blanc-Renaud
fa559808d7 ipatest: add functional test for ipa-backup
The test ensures that ipa-backup compresses the files after the
IPA services are restarted.

Related to: https://pagure.io/freeipa/issue/7632

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 17:21:07 +02:00
Florence Blanc-Renaud
4de5ea0930 ipa-backup: restart services before compressing the backup
ipa-backup gathers all the files needed for the backup, then compresses
the file and finally restarts the IPA services. When the backup is a
large file, the compression may take time and widen the unavailabity
window.

This fix restarts the services as soon as all the required files are
gathered, and compresses after services are restarted.

Fixes: https://pagure.io/freeipa/issue/7632
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-10-26 17:21:07 +02:00
Rob Crittenden
552777293d Collect the client and server uninstall logs in tests
When running the integration tests capture the uninstallation
logs as well as the installation logs.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-26 08:11:03 +02:00
Rob Crittenden
e59ee6099f Fix misleading errors during client install rollback
Some incorrect errors are possible if a client installation
fails and a configuration rollback is required.

These include:

1. Unconfigured automount client failed: CalledProcessError(Command
['/usr/sbin/ipa-client-automount', '--uninstall', '--debug']
returned non-zero exit status 1: '')

Caused by check_client_configuration() not returning the correct
return value (2).

2. WARNING: Unable to revert to the pre-installation state ('authconfig'
tool has been deprecated in favor of 'authselect'). The default sssd
profile will be used instead.
The authconfig arguments would have been: authconfig --disableldap
--disablekrb5 --disablesssdauth --disablemkhomedir

If installation fails before SSSD is configured there is no state
to roll back to. Detect this condition.

3. An error occurred while removing SSSD's cache.Please remove the
cache manually by executing sssctl cache-remove -o.

Again, if SSSD is not configured yet then there is no cache to
remove. Also correct the missing space after the period.

https://pagure.io/freeipa/issue/7729

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-26 08:11:03 +02:00
Rob Crittenden
235b5bd643 Remove the authselect profile warning if sssd was not configured.
On a plain uninstall there should not be a bunch of confusing
warning/error messages.

Related to https://pagure.io/freeipa/issue/7729

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-26 08:11:03 +02:00
Christian Heimes
a42ca499a6 Add Coverity Scan target
Add "make cov-scan" to automate Coverity scan builds. cov-build requires
extra quirks to work with recent versions of GCC on Fedora.

The make target requires a token and Coverity's build chain. Both are
available for privileged project owners on
https://scan.coverity.com/projects/freeipa-freeipa .

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-24 18:28:23 +02:00
Christian Heimes
4de97f496d Replace hard-coded interpreter with sys.executable
Instead of hard-coding python3, the smart card advise script now uses
the current executable path from sys.executable as interpreter.

Fixes: https://pagure.io/freeipa/issue/7741
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-24 17:44:20 +02:00
Christian Heimes
5fe3198d80 Don't abuse strncpy() length limitation
On two occasions C code abused strncpy()'s length limitation to copy a
string of known length without the trailing NULL byte. Recent GCC is
raising the compiler warning:

  warning: ‘strncpy’ output truncated before terminating nul copying as
  many bytes from a string as its length [-Wstringop-truncation]

Use memcpy() instead if strncpy() to copy data of known size.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-24 16:11:55 +02:00
Christian Heimes
836e29591c Fix ipadb_multires resource handling
* ipadb_get_pwd_policy() initializes struct ipadb_multires *res to NULL.
* ipadb_multires_free() supports NULL as no-op.
* ipadb_multibase_search() consistently frees and NULLs
  struct ipadb_multires **res on error.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-24 16:11:55 +02:00
Florence Blanc-Renaud
4600e62b6b ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad
When adding the option --setup-adtrust to ipa-replica-install,
we need to check that the package freeipa-server-trust-ad is
installed.
To avoid relying on OS-specific commands like yum, the check is instead
ensuring that the file /usr/share/ipa/smb.conf.empty is present
(this file is delivered by the package).
When the check is unsuccessful, ipa-replica-install exits with an error
message.

Fixes: https://pagure.io/freeipa/issue/7602
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-24 14:20:29 +02:00
Christian Heimes
23e33443c9 Add lgtm.yml to analyzse C code with LGTM
See https://lgtm.com/help/lgtm/customizing-file-classification

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-10-24 10:49:12 +02:00
Alexander Bokovoy
3b79deae53 net groupmap: force using empty config when mapping Guests
When we define a group mapping for BUILTIN\Guests to 'nobody' group in
we run 'net groupmap add ...' with a default /etc/samba/smb.conf which
is now configured to use ipasam passdb module. We authenticate to LDAP
with GSSAPI in ipasam passdb module initialization.

If GSSAPI authentication failed (KDC is offline, for example, during
server upgrade), 'net groupmap add' crashes after ~10 attempts to
re-authenticate. This is intended behavior in smbd/winbindd as they
cannot work anymore. However, for the command line tools there are
plenty of operations where passdb module is not needed.

Additionally, GSSAPI authentication uses the default ccache in the
environment and a key from /etc/samba/samba.keytab keytab. This means
that if you'd run 'net *' as root, it will replace whatever Kerberos
tickets you have with a TGT for cifs/`hostname` and a service ticket to
ldap/`hostname` of IPA master.

Apply a simple solution to avoid using /etc/samba/smb.conf when we
set up the group mapping by specifying '-s /dev/null' in 'net groupmap'
call.

For upgrade code this is enough as in
a678336b8b we enforce use of empty
credentials cache during upgrade to prevent tripping on individual
ccaches from KEYRING: or KCM: cache collections.

Related: https://pagure.io/freeipa/issue/7705
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-10-23 16:50:43 +02:00
Thomas Woerner
8e98c72e51 Fix ressource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon
The leak happens due to using strndup in a for loop to create a temporary
string without freeing it in all cases.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-23 16:45:22 +02:00
Thomas Woerner
389c17c5c6 Fix ressource leak in client/config.c get_config_entry
The leak happens due to using strndup to create a temporary string without
freeing it afterwards.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-10-23 16:45:22 +02:00