All setup.py files are now using setuptools through a common file
ipasetup.py. The file is auto-generated and contain all common
settings.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
This PR brings uniformity in option provided by no-hbac-allow
and other options present in IPA server install script
Fixes https://fedorahosted.org/freeipa/ticket/6357
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
As the issue with ipa installer always returning 0 returncode was addressed,
the test needs to be made aware of this change.
https://fedorahosted.org/freeipa/ticket/6401
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Interestingly, the new macro AC_HEADER_STDC is alredy present.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The Python detection logic will be improved later when we start to use
top-level configure.ac to manage build completely. For now simple bump
is enough.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Mozldap is not used for some time now. We can remove
all traces of it.
AFAIK the complex logic for OpenLDAP detection should not be
necessary and -lldap_r -llber options should suffice.
Unfortunatelly OpenLDAP package does not ship
package config files so we have to hardcode flags.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use package config instead of checking headers.
Package config is faster because it does not invoke compiler
and guarantees proper linking flags because these are provided
by package maintainer instead of hardcoded into build system.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use package config instead of checking headers.
Package config is faster because it does not invoke compiler
and guarantees proper linking flags because these are provided
by package maintainer instead of hardcoded into build system.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use package config instead of checking headers.
Package config is faster because it does not invoke compiler
and guarantees proper linking flags because these are provided
by package maintainer instead of hardcoded into build system.
libkrad does not have package config file so we keep the old way here.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
It was working accidentally because krb5 libs are part of OPENLDAP_LIBS.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
setuptools does not support data_files any more. The ipa(1) man page is
now handled like the remaining man pages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In commit c718ef0588 some param values were
accidentally removed from cert-find output.
In commit 22d5f579bb `serial_number_hex` and
`revoked` were added back.
Add back `revocation_reason` as well. Also, do not include `revoked` with
--raw, as it's a virtual attribute.
https://fedorahosted.org/freeipa/ticket/6269
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
In domain level 0 ipa-replica-prepare fails because dogtag is not ready
so soon after final restart during installation (tests are too fast).
Wait 30 seconds before ipa-replica-prepare is executed, to make sure
that dogtag is ready. Remove this workaround when ticket is fixed.
https://fedorahosted.org/freeipa/ticket/6274
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Providing tests for certificate revocation to replace deleted tests from
test_cert_find.
https://fedorahosted.org/freeipa/ticket/6349
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
A bunch of certplugin tests were testing number of revoked certificates with
various revocation reasons. Since existence of revoked certificates often
depends on other parts of IdM than IPA, it is not really valid to check their
presence unless creation of revoked certificate is intentionally tested.
https://fedorahosted.org/freeipa/ticket/6349
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Missing attributes in instance created by pickle.load cause AttributeError in
second part of ipa-server-install --external-ca.
https://fedorahosted.org/freeipa/ticket/6385
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
pylint-1.6.4-1.fc26.noarch reports "C0201(consider-iterating-dictionary)" when
building FreeIPA, we have to fix these errors
https://fedorahosted.org/freeipa/ticket/6391
Reviewed-By: Martin Basti <mbasti@redhat.com>
pylint-1.6.4-1.fc26.noarch reports these, hence they should be fixed in order
to build FreeIPA with this version
https://fedorahosted.org/freeipa/ticket/6391
Reviewed-By: Martin Basti <mbasti@redhat.com>
The label of API Browser is now in translatable strings and it has
uppercase B at the beginnig of second word.
https://fedorahosted.org/freeipa/ticket/6384
Reviewed-By: Martin Basti <mbasti@redhat.com>
When the admin runs ipa-cacert-manage install, he should also run
ipa-certupdate on master/replicas/clients in order to update the
certificates databases.
The man page should mention this requirement, and also clarify that
"install" command does not replace IPA CA but rather installs an
additional trusted CA.
https://fedorahosted.org/freeipa/ticket/6381
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Parameters test fails because of KeyError caused by improper manipulation with
kwargs in Param.__init__ method. During initialization, if kwargs['required']
or kwargs['multivalue'] is None, it is delete from dictionary and hence the
missing key. Small change of the condition prevents this from happening.
Partially fixes https://fedorahosted.org/freeipa/ticket/6292
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add commentary to 'ca' plugin documentation to explain what happens
when a CA gets deleted - namely, that its signing cert gets revoked
and its private key deleted.
Also break the docstring up into smaller chunks to aid translation.
Fixes: https://fedorahosted.org/freeipa/ticket/6256
Reviewed-By: Martin Basti <mbasti@redhat.com>
Require Dogtag 10.3.5-6, which is the first release that implements
revocation of lightweight CA signing certificates upon deletion.
Part of: https://fedorahosted.org/freeipa/ticket/6256
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add a parser check to verify config file supplied to the ipa
command exists. Previously, invalid file paths would not results
in any error and would just silently proceed with default config.
https://fedorahosted.org/freeipa/ticket/6114
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove unnecessary check for absolute file paths for config file.
https://fedorahosted.org/freeipa/ticket/6114
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In the future Custodia is going to make CSStore.span an abstract method.
Closes: https://fedorahosted.org/freeipa/ticket/6365
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In at least one case, when an LDAP socket closes, a read event is fired
rather than an error event. Without this patch, ipa-otpd silently
ignores this event and enters a state where all bind auths fail.
To remedy this problem, we pass error events along the same path as read
events. Should the actual read fail, we exit.
https://bugzilla.redhat.com/show_bug.cgi?id=1377858https://fedorahosted.org/freeipa/ticket/6368
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
cainstance.__spawn_instance() exits in rather weird manner on
successful external CA install. This masks the weird implementation
from the user. :-&
https://fedorahosted.org/freeipa/ticket/6230
Reviewed-By: David Kupka <dkupka@redhat.com>
The patch implements several test cases testing the enforcement
of CA ACLs on certificate requests with subject alternative names.
https://fedorahosted.org/freeipa/ticket/6366
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This is to prevent situations when installer prints
CRITICAL Failed to load ....ldif
and continues just to crash later on because of non-existing LDAP container
or so on.
Reviewed-By: Martin Basti <mbasti@redhat.com>
The test would be failing because recent pretty-print changes
that caused the inner members of a dictionary to be printed
in a different order.
https://fedorahosted.org/freeipa/ticket/6373
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
The code which handles configuration of mod_nss module must be more robust
when handling NSS nicknames generated from subject names containing quoted RDN
values.
https://fedorahosted.org/freeipa/ticket/5809
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Functions `escape_seq` and `unescape_seq` have a generic use-case so it makes
sense to move them from `kerberos` to ipautil module so that other modules can
reuse them more readily.
https://fedorahosted.org/freeipa/ticket/5809
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
