Commit Graph

6459 Commits

Author SHA1 Message Date
Sumit Bose
b1cfb47dc0 CLDAP: do not read IPA domain from hostname
Currently the CLDAP plugin determines the IPA domain name by reading
the current host name and splitting of the domain part. But since an IPA
server does not have to be in a DNS domain which has the same name as
the IPA domain this may fail. The domain name was used to search the
ipaNTDomainAttrs object, but since this object is unique in the tree it
is sufficient to use the objectclass in the search filter. Now the IPA
domain can be read from the ipaNTDomainAttrs object as well.

Fixes https://fedorahosted.org/freeipa/ticket/3941
2013-09-27 15:06:21 +02:00
Petr Vobornik
edf0719409 Allow edit of ipakrbokasdelegate in Web UI when attrlevelrights are unknown
Old host entries are missing object class with krbticketflags attribute. Therefore UI does not receive attrlevelrights for it. This OC is added when ipakrbokasdelegate is set.

This patch adds the usual hack for such cases.

https://fedorahosted.org/freeipa/ticket/3940
2013-09-26 10:24:14 +02:00
Petr Viktorin
a93fc02af6 Raise an error when updating CIDict with duplicate keys
Updating a CIDict with data like {'A': 1, 'a': 2} would lead to data
loss since only one of the items would get to the CIDict.
This can result in non-obvious bugs similar to this one in python-ldap:
https://bugzilla.redhat.com/show_bug.cgi?id=1007820

Raise an error in this case; any resolution must be done by the caller.
2013-09-25 10:13:56 +02:00
Petr Viktorin
0226064bac Add missing dict methods to CIDict
Make the CIDict interface match standard dict (except view* methods).

Add __contains__, __iter__, clear.
Add keyword and iterable support for __init__, update.
Also add values() and itervalues(). Previously the dict versions were
used; the new ones guarantee that the order matches keys().
Mark view* methods as not implemented.
CIDict.copy() now returns a CIDict.

Test the above additions, and fromkeys() which worked but wasn't tested.
2013-09-25 10:13:56 +02:00
Petr Viktorin
468e5e40cc Convert test_ipautil from unittest to nose 2013-09-25 10:13:56 +02:00
Petr Viktorin
3e505fe532 Move tests to test directories
Nose doesn't pick up directories that don't begin with 'test'.
Rename ipatests/test_ipaserver/install to test_install so that it's run.

Also, merge test_ipautil.py from ipapython/test into tests/test_ipapython,
so the whole test suite is in one place.
2013-09-25 10:13:56 +02:00
Alexander Bokovoy
a9843d6918 ipa-sam: report supported enctypes based on Kerberos realm configuration
We store Kerberos realm configuration in cn=REALM,cn=kerberos,$SUFFIX.
Along other configuration options, this container has list of default
supported encryption types, in krbDefaultEncSaltTypes.

Fetch krbDefaultEncSaltTypes value on ipa-sam initialization and convert
discovered list to the mask of supported encryption types according to
security.idl from Samba:
        typedef [public,bitmap32bit] bitmap {
                KERB_ENCTYPE_DES_CBC_CRC             = 0x00000001,
                KERB_ENCTYPE_DES_CBC_MD5             = 0x00000002,
                KERB_ENCTYPE_RC4_HMAC_MD5            = 0x00000004,
                KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
                KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
        } kerb_EncTypes;

Part of https://fedorahosted.org/freeipa/ticket/3898
2013-09-20 09:59:02 +02:00
Alexander Bokovoy
860a3ff647 ipa-sam: do not leak LDAPMessage on ipa-sam initialization
We used to handle some of code paths to free memory allocated by the LDAP library
but there are few more unhandled. In addition, search result wasn't freed on successful
initialization, leaking for long time.

https://fedorahosted.org/freeipa/ticket/3913
2013-09-20 09:59:02 +02:00
Alexander Bokovoy
9cf8ec79c9 ipa-sam: do not modify objectclass when trust object already created
When trust is established, last step done by IPA framework is to set
encryption types associated with the trust. This operation fails due
to ipa-sam attempting to modify object classes in trust object entry
which is not allowed by ACI.

Additionally, wrong handle was used by dcerpc.py code when executing
SetInformationTrustedDomain() against IPA smbd which prevented even to
reach the point where ipa-sam would be asked to modify the trust object.
2013-09-20 09:59:02 +02:00
Tomas Babej
316a9c2159 Use getent admin@domain for nss check in ipa-client-install
Use 'getent admin@domain' rather than 'getent admin@REALM' to check if nss
is working properly since admin@REALM check fails in case the domain and the realm
name does not match.

https://fedorahosted.org/freeipa/ticket/3906
2013-09-20 09:56:27 +02:00
Krzysztof Klimonda
8c03b1dbcd Fix -Wformat-security warnings 2013-09-16 17:35:22 +02:00
Nick Hatch
685bda4563 Don't exclude symlinks when loading plugins 2013-09-16 17:35:22 +02:00
Timo Aaltonen
397986d19a Don't search platform path
Don't use Python.h from the platform specific path
2013-09-16 17:35:22 +02:00
Timo Aaltonen
afce2f8162 Use /usr/bin/python as fallback python path 2013-09-16 17:35:22 +02:00
Petr Vobornik
5c4a72de59 Fix redirection on deletion of last dns record entry
https://fedorahosted.org/freeipa/ticket/3907
2013-09-16 13:56:25 +02:00
Ana Krivokapic
7c22b852c7 Follow tmpfiles.d packaging guidelines
https://fedorahosted.org/freeipa/ticket/3881
2013-09-16 13:33:13 +02:00
Ana Krivokapic
15cc9740c0 Do not show unexpected error in ipa-ldap-updater
Prevent showing of unfriendly "Unexpected error" message, when providing
incorrect DM password to ipa-ldap-updater.

https://fedorahosted.org/freeipa/ticket/3825
2013-09-16 12:35:36 +02:00
Simo Sorce
5157fd450f Add Delegation Info to MS-PAC
https://fedorahosted.org/freeipa/ticket/3442
2013-09-13 18:03:53 +02:00
Jan Cholasta
e380acdc1c Fix nsslapdPlugin object class after initial replication.
This is a workaround for <https://fedorahosted.org/389/ticket/47490>.

https://fedorahosted.org/freeipa/ticket/3915
2013-09-10 09:49:43 +02:00
Ana Krivokapic
a70b08e9ae Do not crash if DS is down during server uninstall
DS is contacted during server uninstallation, in order to obtain information
about replication agreements. If DS is unavailable, warn and continue with
uninstallation.

https://fedorahosted.org/freeipa/ticket/3867
2013-09-09 17:24:04 +02:00
Ana Krivokapic
66242e6ab0 Fix invocations of FileError in ipa-client-install
Some of the FileErrors in ipa-client-install were raised incorrectly
(without the 'reason' argument), which resulted in bad error messages
during ipa-client-install.

https://fedorahosted.org/freeipa/ticket/3758
2013-09-09 14:20:17 +02:00
Ana Krivokapic
28144e358c Replace ntpdate calls with ntpd
Due to the upcoming deprecation of the ntpdate program (targeted for Fedora 20),
replace ntpdate calls with ntpd.

https://fedorahosted.org/freeipa/ticket/3797
2013-09-09 13:37:32 +02:00
Petr Viktorin
a9225be0fa Make make-lint compatible with Pylint 1.0
Pylint 1.0 was released[0] and it brings some incompatibilities,
as well as a bug[1] that's triggered by FreeIPA code.

This patch updates make-lint to be compatible with Pylint 1.0,
while keeping support for version 0.26.

[0] http://www.logilab.org/blogentry/163292
[1] https://bitbucket.org/logilab/pylint/issue/47

Ticket: https://fedorahosted.org/freeipa/ticket/3865
2013-09-06 15:43:25 +02:00
Petr Viktorin
85b974d1bc Remove __all__ specifications in ipaclient and ipaserver.install
The __all__ list does not cause submodules to be imported, e.g.
one would still have to `import ipaclient.ipachangeconf` rather than
just `import ipaclient` to use `ipaclient.ipachangeconf`.

Even if they did do anything, the lists were incomplete, and (since
`import *` is not used on these modules) unnecessary.

Pylint 1.0 reports undeclared names in __all__ as a warning.
2013-09-06 15:42:33 +02:00
Petr Spacek
0924177ab0 Add timestamps to named debug logs in /var/named/data/named.run 2013-09-06 15:39:36 +02:00
Ana Krivokapic
95483d3b9f Add option to ipa-client-install to configure automount
Add the --automount-location option to ipa-client-install. If the option is
used, ipa-client-automount is called at the end of ipa-client-install.

https://fedorahosted.org/freeipa/ticket/3740
2013-09-05 12:43:52 +02:00
Petr Vobornik
f312d72510 Fix RUV search scope in ipa-replica-manage
The search had an incorrect scope and therefore it didn't find any RUV.

This issue prevented removing of replica.

https://fedorahosted.org/freeipa/ticket/3876
2013-09-04 12:46:29 +02:00
Ana Krivokapic
7959f3ee1e Add warning when uninstalling active replica
Add a warning when trying to uninstall a replica that has active replication
agreements.

https://fedorahosted.org/freeipa/ticket/3867
2013-09-04 11:07:32 +02:00
Ana Krivokapic
de7b1f86dc Create DS user and group during ipa-restore
ipa-restore would fail if DS user did not exist. Check for presence of DS
user and group and create them if needed.

https://fedorahosted.org/freeipa/ticket/3856
2013-09-02 16:28:37 +02:00
Ana Krivokapic
f40cb4c031 Add integration tests for forced client re-enrollment
Add integration tests for the forced client re-enrollment feature:
http://www.freeipa.org/page/V3/Forced_client_re-enrollment#Test_Plan

https://fedorahosted.org/freeipa/ticket/3832
2013-09-02 12:29:36 +02:00
Jakub Hrozek
ec08458b65 EXTDOM: Do not overwrite domain_name for INP_SID 2013-08-29 15:30:38 +02:00
Sumit Bose
5c357b462d CLDAP: make sure an empty reply is returned on any error
If ipa_cldap_decode() reply is not initialized.

Fixes https://fedorahosted.org/freeipa/ticket/3885
2013-08-29 15:28:18 +02:00
Rob Crittenden
3940a574f9 Re-order NULL check in ipa_lockout.
There is no risk of crash here as slapi_valueset_first_value() can handle
the case where the valueset is NULL, but there is no point in calling that
if we know there are no values.

https://fedorahosted.org/freeipa/ticket/3880
2013-08-29 15:26:46 +02:00
Petr Viktorin
f742520760 Add man pages for testing tools
Add man pages for ipa-run-tests, ipa-test-task, and ipa-test-config.

https://fedorahosted.org/freeipa/ticket/3855 (part 5)
2013-08-29 15:18:34 +02:00
Tomas Babej
a3d489443c Log proper error message when defaultNamingContext not found 2013-08-29 14:05:20 +02:00
Jan Cholasta
7c66912824 Fix service-disable in CA-less install.
https://fedorahosted.org/freeipa/ticket/3886
2013-08-29 10:18:32 +02:00
Petr Viktorin
9b200c7c72 Add CA-less install tests
Differences from the test plan at
http://www.freeipa.org/index.php?title=V3/CA-less_install&oldid=6669 are:
- The following tests are included in all applicable positive
  install tests, rather than being standalone test cases:
  - Verify CA certificate stored in LDAP
  - Verify CA PEM file created by IPA server install
  - Verify that IPA server install does not configure certmonger
  - Verify CA PEM file created by IPA replica install
  - Verify that IPA replica install does not configure certmonger
  - Verify CA PEM file created by IPA client install
- PKI setup is done only once for each test class
- Master installation is done once for the IPA command tests, and
  once for the certinstall tests
- Certificates are compared after base64 decoding to avoid failures
  from formatting mismatches
- Minor changes necessary for automation (e.g. adding --unattended
  and --password options, correcting error messages)
- Web UI tests are not included here

https://fedorahosted.org/freeipa/ticket/3830
2013-08-28 20:14:46 +02:00
Ana Krivokapic
196c4b5f53 Fix tests which fail after ipa-adtrust-install
Some unit tests were failing after ipa-adtrust-install has been run on the
IPA server, due to missing attributes ('ipantsecurityidentifier') and
objectclasses ('ipantuserattrs' and 'ipantgroupattrs'). This patch detects if
ipa-adtrust-install has been run, and adds missing attributes and objectclasses
where appropriate.

https://fedorahosted.org/freeipa/ticket/3852
2013-08-28 16:45:57 +02:00
Petr Viktorin
fed7e7b231 Add missing license header to ipa-test-config 2013-08-28 14:40:18 +02:00
Petr Vobornik
92569b712c Update idrange search facet after trust creation
Adding a trust creates a range -> range search facet should be marked as expired.

https://fedorahosted.org/freeipa/ticket/3874
2013-08-28 14:23:42 +02:00
Simo Sorce
bea533c69a kdb-princ: Fix memory leak
If we do not store the keys in the entry we need to free the array before
continuing or the data is leaked.

CoverityID: 11910

Fixes:
https://fedorahosted.org/freeipa/ticket/3884
2013-08-28 12:42:56 +02:00
Simo Sorce
f96257397e kdb-mspac: Fix out of bounds memset
This memset was harmless as the following data is then set again, but an
optimizing compiler might conceivably reorder instructions causing issues.

CoverityID: 11909

Fixes:
https://fedorahosted.org/freeipa/ticket/3883
2013-08-28 12:42:56 +02:00
Simo Sorce
b29ce20705 pwd-plugin: Fix ignored return error
CoverityID: 11904

Also remove 'inline', the compiler can do it on its own if needed.

Fixes:
https://fedorahosted.org/freeipa/ticket/3882
2013-08-28 12:42:56 +02:00
Jan Cholasta
3c9261699a Fix ipa-server-certinstall usage string.
https://fedorahosted.org/freeipa/ticket/3869
2013-08-28 10:20:42 +02:00
Jan Cholasta
fc8f0ae3ad Add --dirman-password option to ipa-server-certinstall.
https://fedorahosted.org/freeipa/ticket/3869
2013-08-28 10:20:41 +02:00
Jan Cholasta
5a8e326aeb Fix nsSaslMapping object class before configuring SASL mappings.
This is a workaround for <https://fedorahosted.org/389/ticket/47490>.

https://fedorahosted.org/freeipa/ticket/3778
2013-08-27 18:43:20 +02:00
Tomas Babej
e68bef0b1c Fix incorrect error message occurence when re-adding the trust
You cannot re-add the trust and modify the range in the process.
The check in the code was malfunctioning since it assumed that
range_size parameter has default value. However, default value
is assigned only later in the add_range function.

https://fedorahosted.org/freeipa/ticket/3870
2013-08-27 17:01:37 +02:00
Ana Krivokapic
1749cce3f7 Add integration tests for Kerberos Flags
Add integration tests for the Kerberos Flags feature:
http://www.freeipa.org/page/V3/Kerberos_Flags#Test_Plan
(except the web UI tests).

https://fedorahosted.org/freeipa/ticket/3831
2013-08-27 12:45:12 +02:00
Tomas Babej
ab6a6e27d8 Make CS.cfg edits with CA instance stopped
This patch makes sure that all edits to CS.cfg configuration file
are performed while pki-tomcatd service is stopped.

Introduces a new contextmanager stopped_service for handling
a general problem of performing a task that needs certain service
being stopped.

https://fedorahosted.org/freeipa/ticket/3804
2013-08-26 16:21:36 +02:00
Tomas Babej
6961cf2e77 Perform dirsrv tuning at platform level
When configuring the 389 Directory Server instance, we tune it
so that number of file descriptors available to the DS is increased
from the default 1024 to 8192.

There are platform specific steps that need to be conducted
differently on systemd compatible platforms and sysV compatible
platforms.

systemd: set LimitNOFILE to 8192 in /etc/sysconfig/dirsrv.systemd
sysV: set ulimit -n 8192 in /etc/sysconfig/dirsrv
      set ulimit - nofile 8192 in /etc/security/limits.conf

https://fedorahosted.org/freeipa/ticket/3823
2013-08-26 13:07:17 +02:00