Commit Graph

15410 Commits

Author SHA1 Message Date
Weblate
6f3c9a2533 Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Jan Kuparinen
e92b847850 Translated using Weblate (Finnish)
Currently translated at 17.7% (842 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Jan Kuparinen
cd702b5421 Translated using Weblate (Finnish)
Currently translated at 17.7% (840 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Ricky Tigg
ab652aa11a Translated using Weblate (Finnish)
Currently translated at 17.5% (833 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Piotr Drąg
35f58c9af4 Translated using Weblate (Polish)
Currently translated at 9.5% (453 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pl/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Jan Kuparinen
f680614b5c Translated using Weblate (Finnish)
Currently translated at 17.5% (832 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Jan Kuparinen
581dfddcf7 Translated using Weblate (Finnish)
Currently translated at 17.2% (816 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Andika Triwidada
c7ba8f5f28 Translated using Weblate (Indonesian)
Currently translated at 6.8% (323 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/id/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Jan Kuparinen
7fc89bc0ba Translated using Weblate (Finnish)
Currently translated at 16.9% (804 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Yuri Chornoivan
cf338b5b35 Translated using Weblate (Ukrainian)
Currently translated at 100.0% (4739 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Weblate
8b1eb488bd Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Jan Kuparinen
386e51168a Translated using Weblate (Finnish)
Currently translated at 16.7% (794 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Jan Kuparinen
feb94b3aa5 Translated using Weblate (Finnish)
Currently translated at 16.1% (764 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Ricky Tigg
e7623b4f5a Translated using Weblate (Finnish)
Currently translated at 16.0% (762 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Jan Kuparinen
e39ccf5988 Translated using Weblate (Finnish)
Currently translated at 15.9% (754 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Piotr Drąg
fd985ae43a Translated using Weblate (Polish)
Currently translated at 9.5% (452 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pl/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Ricky Tigg
0ab3870229 Translated using Weblate (Finnish)
Currently translated at 15.6% (743 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Jan Kuparinen
706faddf24 Translated using Weblate (Finnish)
Currently translated at 15.6% (742 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Jan Kuparinen
dd345aaca8 Translated using Weblate (Finnish)
Currently translated at 15.5% (736 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Jan Kuparinen
31ba6aa500 Translated using Weblate (Finnish)
Currently translated at 10.9% (520 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Yuri Chornoivan
b9f9462055 Translated using Weblate (Ukrainian)
Currently translated at 100.0% (4739 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Yuri Chornoivan
5cc8e5b869 Translated using Weblate (Ukrainian)
Currently translated at 99.4% (4713 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Yuri Chornoivan
a0e0d57a42 Translated using Weblate (Ukrainian)
Currently translated at 98.5% (4671 of 4739 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Weblate
3c7fe6c49d Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Jan Kuparinen
4185578705 Translated using Weblate (Finnish)
Currently translated at 7.7% (362 of 4672 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Weblate
ac2c3de889 Update translation files
Updated by "Update LINGUAS file" hook in Weblate.

Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Co-authored-by: Weblate <noreply@weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
Florence Blanc-Renaud
cca7a7cd77 ipa man page: format the EXAMPLES section
The EXAMPLES section is missing .TP macros before some of
the provided examples, and they are displayed in the same paragraph.

Add .TP (tagged, indented paragraph) before each example.

Fixes: https://pagure.io/freeipa/issue/9252
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-09-30 15:15:50 +02:00
Rob Crittenden
dbec885cb0 Move client certificate request after krb5.conf is created
The creation of krb5.conf was moved to the end of the script
as part of maintaining server affinity during ipa-client-install.
If the installation is faster than replication then requests
against some IPA servers may fail because the client entry is
not yet present.

This is more difficult with certmonger as it will only use
/etc/krb5.conf. There is no way of knowing, even at the end
of the client installation, that replication has finished.

Certificate issuance may fail during ipa-client-install but
certmonger will re-try the request.

Fixes: https://pagure.io/freeipa/issue/9246

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2022-09-29 16:40:19 -04:00
Carla Martinez
55ef0008b8 Update API and VERSION
The API and VERSION files need to be updated
to hold the changes made in the 'idnssoaserial'
parameter.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2022-09-29 14:23:44 +02:00
Carla Martinez
a3b4b476b9 webui: Set 'SOA serial' field as read-only
On the WebUI, the SOA serial textbox must be disabled (non-editable)
to prevent the 'ValidationError' message to be shown when this
specific field is manually set.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2022-09-29 14:23:44 +02:00
Carla Martinez
b326b4afae ipatest: Remove warning message for 'idnssoaserial'
The tests must be updated to not expect the
deprecation warning messages for the 'idnssoaserial'
parameter. Those should (successfully) fail when
'dnszone_add' and 'dnszone_mod' commands are
executed with the SOA serial parameter provided.

Also, due to this SOA serial deprecation, an
expected-to-fail test should be defined when a
DNS zone is added (dnszone_add) and the SOA serial
is passed as a parameter.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2022-09-29 14:23:44 +02:00
Carla Martinez
c74c701cac Set 'idnssoaserial' to deprecated
A warning message (regarding the SOA serial deprecation) is shown
on the webui and CLI every time a new DNS zone is added (even if the
'--serial' option is not being explicitly set) or the SOA serial is modified.

This should be managed by setting the 'idnssoaserial' as deprecated and
not required parameter.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
2022-09-29 14:23:44 +02:00
Florence Blanc-Renaud
59db0faf21 ipatests: add negative test for otptoken-sync
Scenario:  call ipa otptoken-sync with
- an invalid password
- an invalid first token (containing non-digits)
- an invalid sequence of tokens

The test expects a return code = 1.

Related: https://pagure.io/freeipa/issue/9248
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-09-29 07:58:44 -04:00
Florence Blanc-Renaud
f1b2d8ab36 ipa otptoken-sync: return error when sync fails
The command ipa otptoken-sync does not properly handle
errors happening during the synchronization step.

- Even if an error is detected (such as invalid password
provided), the command exits with return code = 0. An
error message is displayed but the exit code should be 1.

- When an invalid token is provided, the token is not
synchronized but the error is not reported back to the
ipa otptoken-sync command.

The first issue can be fixed by raising an exception when
the HTTP response contains an header with an error.
The second issue is fixed by returning LDAP_INVALID_CREDENTIALS
to ldap bind with the sync control if synchronization fails.

Fixes: https://pagure.io/freeipa/issue/9248

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-09-29 07:58:44 -04:00
Rob Crittenden
9d9d925b14 Defer creating the final krb5.conf on clients
A temporary krb5.conf is created early during client enrollment
and was previously used only during the initial ipa-join call.
The final krb5.conf was written soon afterward.

If there are multiple servers it is possible that the client
may then choose a different KDC to connect. If the client
is faster than replication then the client may not exist
on all servers and therefore enrollment will fail.

This was seen in performance testing of how many simultaneous
client enrollments are possible.

Use a decorator to wrap the _install() method to ensure the
temporary files created during installation are cleaned up.

https://pagure.io/freeipa/issue/9228

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-09-26 08:48:42 +02:00
Florence Blanc-Renaud
7aeb9e5860 ipa-cacert-manage prune: remove all expired certs
ipa-cacert-manage prune is removing the expired certs one
at a time and this may result in verifying that one of
the expired certs is still valid.
As a consequence, ipa-cacert-manage prune always fails
when more than 1 cert are expired.

To avoid the issue, remove all the expired certs in a single
pass, and validate only the ones that would remain after full
pruning.

Fixes: https://pagure.io/freeipa/issue/9244
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-09-23 09:49:06 +02:00
Carla Martinez
926680ffb2 webui: Show 'Sudo order' column
In the 'Sudo rules' page, the 'Sudo order' column should be visible in the
list so the users can easily see which rules override other rules based on
their order.

Fixes: https://pagure.io/freeipa/issue/9237
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-09-21 10:45:32 +02:00
Scott Poore
04c2b06984 ipatests: add prci definitions for test_sso jobs
Signed-off-by: Scott Poore <spoore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-09-20 14:54:04 -04:00
Scott Poore
a4da017272 ipatests: add Keycloak Bridge test
Add test code for new bridge server (ipa-tuura) and Keycloak plugin.

Add uninstall functions for create_keycloak.py so that the tests can
be run repeatedly.

Fixes: https://pagure.io/freeipa/issue/9227
Signed-off-by: Scott Poore <spoore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-09-20 14:54:04 -04:00
Rob Crittenden
36591995ac Fix upper bound of password policy grace limit
It was defined as an unsigned value (2**32) because it
originally was. During the review an additional setting of
disabled (-1) was added so the value needed to be signed.
The upper bound needs to be 2**31 which is provided by
the xmlrpc client MAXINT import.

Fixes: https://pagure.io/freeipa/issue/9243

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2022-09-20 14:51:56 -04:00
Stanislav Levin
94835d19b5 x509: Replace removed register_interface with subclassing
python-cryptography 38.0 removed `register_interface` decorator:
pyca/cryptography@f70e334a52

Backward compatibility:
Cryptography haven't changed the interface of `Certificate` since it was
first used by IPA (4.6.0) till cryptography 38.0.

cryptography 38.0 (pyca/cryptography@c1b7307a3e)
added `tbs_precertificate_bytes` attribute.

Fixes: https://pagure.io/freeipa/issue/9160
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-09-19 14:15:36 -04:00
Carla Martinez
090d4f9e9d Set pkeys in test_selinuxusermap.py::test_misc::delete_record
The test_selinuxusermap.py::test_selinuxusermap::test_misc is failing
because the 'delete_record' function (located in the same file) is passing
incorrect parameters: it should take the 'pkeys' instead of the full
data.

The changes will take the right 'pkeys' parameters in the 'test_misc()'
function.

Fixes: https://pagure.io/freeipa/issue/9161

Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-08-30 16:07:42 +02:00
Jesse Sandberg
fa85301895 Fix ipa-ccache-sweeper activation timer and clean up service file
Added OnActiveSec=12h to start the timer cycle because OnUnitActiveSec setting alone never triggers the timer after boot as there has not been transition between active and inactive state.
Removed [Install] section from sweeper.service as it is not needed

Fixes: https://pagure.io/freeipa/issue/9231
Signed-off-by: Jesse Sandberg <jesse.sandberg@netcode.fi>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-08-29 18:28:42 +02:00
Alexander Bokovoy
ad8f90f816 ipa-otpd: initialize local pointers and handle gcc 10
oauth2_on_child_readable() does not use the main verto context and used
to drop the argument name to signify that. This is a feature of C2X
standard by default and is not enabled in gcc before 11 by default (it
is enabled in RHEL 8's gcc 8.5).

Add a simple 'if the context is missing, get out' code to use 'ctx'.
This allows to avoid enabling C2X features.

Initialize local pointers to prevent use before initialization on exit
paths in abnormal situations as well.

Fixes: https://pagure.io/freeipa/issue/9230

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2022-08-29 17:34:20 +02:00
Alexander Bokovoy
2ae316d430 fix canonicalization issue in Web UI
When Kerberos principal alias is used to login to a Web UI, we end up
with a request that is authenticated by a ticket issued in the alias
name but metadata processed for the canonical user name. This confuses
RPC layer of Web UI code and causes infinite loop to reload the page.

Fix it by doing two things:

 - force use of canonicalization of an enterprise principal on server
   side, not just specifying that the principal is an enterprise one;

 - recognize that a principal in the whoami()-returned object can have
   aliases and the principal returned by the server in the JSON response
   may be one of those aliases.

Fixes: https://pagure.io/freeipa/issue/9226

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2022-08-29 17:30:22 +02:00
Endi S. Dewata
06183a061a Remove pki_restart_configured_instance
The pki_restart_configured_instance param is no longer used
by pkispawn so it has been removed.

https://github.com/dogtagpki/pki/blob/master/docs/changes/v11.3.0/Server-Changes.adoc

Signed-off-by: Endi S. Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-08-19 10:19:10 +02:00
Scott Poore
5a225deaa0 ipatests: Rename create_quarkus to create_keycloak
The module installs and configures a Keycloak server and
not just the Quarkus Java framework.  So, renaming to better
reflect what the module is used for.

Fixes: https://pagure.io/freeipa/issue/9225
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-08-19 09:47:41 +02:00
Rob Crittenden
0468cc6085 Set default on group pwpolicy with no grace limit in upgrade
If an existing group policy lacks a password grace limit
update it to -1 on upgrade.

Fixes: https://pagure.io/freeipa/issue/9212

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-08-18 17:51:20 -04:00
Rob Crittenden
c8955a4d0a Set default gracelimit on group password policies to -1
This will retain previous behavior of unlimited LDAP BIND
post-expiration.

Fixes: https://pagure.io/freeipa/issue/9212

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-08-18 17:51:20 -04:00
Rob Crittenden
b6587d3361 doc: Update LDAP grace period design with default values
New group password policies will get -1 (unlimited) on creation
by default.

Existing group password policies will remain untouched and
those created prior will be treated as no BIND allowed.

Fixes: https://pagure.io/freeipa/issue/9212

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-08-18 17:51:20 -04:00