Samba Python bindings provide samba.arcfour_encrypt(key, data). Instead
of implementing own wrapper, use Samba's.
In future Samba versions this wrapper will be FIPS 140-2 compatible.
Fixes https://pagure.io/freeipa/issue/6697
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.
https://pagure.io/freeipa/issue/6538
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Set `mode` to `development` in default.conf after ipa-server-install.
https://pagure.io/freeipa/issue/6625
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Do not set or delete attributes directly on KerberosWSGIExecutioner, ldap2
and ra_lightweight_ca instances, as that raises an AttributeError in
development mode because of ReadOnly locking.
Use the usual workaround of `object.__setattr__` and `object.__delattr__`
to fix the issue.
https://pagure.io/freeipa/issue/6625
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Cache the KRA transport certificate on disk (in ~/.cache/ipa) as well as
in memory.
https://fedorahosted.org/freeipa/ticket/6652
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Fix a crash caused by feeding incorrect data to `json.dumps()` in
`JSONServerProxy.__request()` introduced by commit
8159c2883b.
https://pagure.io/freeipa/issue/6734
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Re-introduce option groups in ipa-client-install, ipa-server-install and
ipa-replica-install.
https://pagure.io/freeipa/issue/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Do not automatically create the "basic options" and "uninstall options"
option groups in the CLI code.
https://pagure.io/freeipa/issue/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Split off SSSD knob definitions from the ClientInstallInterface class into
a new SSSDInstallInterface class.
https://pagure.io/freeipa/issue/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Remove duplicate definitions of knobs already defined in client install.
https://pagure.io/freeipa/issue/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Remove duplicate -w alias of --admin-password in ipa-server-install and
ipa-replica-install.
https://pagure.io/freeipa/issue/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Load the certificate from a file specified in the first argument. Raw
certificate value can be specified using --certificate.
https://pagure.io/freeipa/issue/6646
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Time estimates have been updated to be more accurate. Only
tasks that are estimated to take longer than 10 seconds have
the estimate displayed.
https://pagure.io/freeipa/issue/6596
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add new pylint AST checker plugin which implements a check for imports
forbidden in IPA. Which imports are forbidden is configurable in pylintrc.
Provide default forbidden import configuration and disable the check for
existing forbidden imports in our code base.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Web UI showed pop-up dialog which recommends to install additional CA in
topology section when only 1 CA existed even if there was only one master.
Though behind the pop-up is to prevent situation, where multiple replicas
are installed but neither with --setup-ca option and thus risking to loose
CA when original master is lost.
The warning was displayed also if only one IPA server exists. It is unnecessary
to annoy admin only about CA because the entire IPA is not duplicated.
Therefore the pop-up is now shown only one IPA server exists.
https://pagure.io/freeipa/issue/6598
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Instead of using the kernel keyring, store the session cookie within the
ccache. This way kdestroy will really wipe away all credentials.
Ticket: https://pagure.io/freeipa/issue/6661
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Use the new multibase search to collect policies from multiple subtrees.
The 'any' parameter is set to 'true' so the search stop when the first result
is found in any of the bases.
https://fedorahosted.org/freeipa/ticket/6568
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Internally performs multiple seraches as needed based on the basedn
strings passed in and whether the caller indicated that any result is ok
or all results are needed.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Replace the placeholder with the actual value during build.
This fixes the client incorrectly assuming that the default version of all
plugins is 1.
https://pagure.io/freeipa/issue/6597
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add checks to install and replica install to verify IPv6 stack
is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...).
https://pagure.io/freeipa/issue/6608
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Whoami command allows to query details about currently
authenticated identity. The command returns following information:
* object class name
* function to call to get actual details about the object
* arguments to pass to the function
There are five types of objects that could bind to IPA using their
credentials. `ipa whoami` call expects one of the following:
* users
* staged users
* hosts
* Kerberos services
* ID user override from the default trust view
The latter category of objects is automatically mapped by SASL GSSAPI
mapping rule in 389-ds for users from trusted Active Directory forests.
The command is expected to be used by Web UI to define proper view for
the authenticated identity. It is not visible in the command line
interface is `ipa` command.
Below is an example of how communication looks like for a host
principal:
# kinit -k
# ipa console
(Custom IPA interactive Python console)
>>> api.Command.whoami()
{u'command': u'host_show/1', u'object': u'host', u'arguments': (u'ipa.example.com',)}
>>>
Fixes https://pagure.io/freeipa/issue/6643
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
During LDAP connection management refactoring the ad-hoc ldap connection
in `ipa-managed-entries` was replaced by calls to ldap2 backend without
updating API initialization.
https://pagure.io/freeipa/issue/6735
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Add module which can show users which are mapped to the provided certificate.
Additionaly, the certificate is parsed and parsed information are
also displayed.
https://pagure.io/freeipa/issue/6601
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Result of certmap_match command is in the following format:
[{domain: 'domain1', uid:[uid11,uid12,uid13]}, {domain: 'domain2',
uid:[uid21, uid22, uid23},...]
For correct displaying in table we need to reformat it to the following:
[{domain: 'domain1', uid: 'uid11'}, {domain: 'domain1', uid: 'uid12'},...
This can be done using this Adapter.
Part of: https://pagure.io/freeipa/issue/6601
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
In case that API call returns array of objects which contains data, using
'object_index' attribute in adapter specification we can set which object
should be used.
It is possible to choose only one object specified by its index in array.
Part of: https://pagure.io/freeipa/issue/6601
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
When field on details facet has set 'autoload_value' to false, then it won't
be loaded using that.load method of details facet. That means that field
might stay unchanged even that loading of data was performed.
Part of: https://pagure.io/freeipa/issue/6601
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
First try custom location, then csrgen subdir in confdir and finally
fall back to package data.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
csrgen broke packaging of ipaclient for PyPI. All csrgen related
resources are now package data of ipaclient package. Package data is
accessed with Jinja's PackageLoader() or through pkg_resources.
https://pagure.io/freeipa/issue/6714
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The logic of the extraction/validation of principal from the request and
subsequent authentication was simplified and most of the guesswork will
be done by KDC during kinit. This also allows principals from trusted
domains to login via rpcserver.
https://fedorahosted.org/freeipa/ticket/6343
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
`dnsrecord_add` interactive mode might prompt for value of non-existent
arguments `a_part_create_reverse` and `aaaa_part_create_reverse`. This
happens because `dnsrecord_add` extra flags are incorrectly defined as
parts of the respective DNS records.
Remove extra flags from DNS record parts to fix the interactive mode on old
clients talking to new servers. Skip non-existent arguments in the
interactive mode to fix new clients talking to old servers.
https://fedorahosted.org/freeipa/ticket/6457
Reviewed-By: Martin Basti <mbasti@redhat.com>
This will allow to test --setup-kra option together with
ipa-server-install in install tests
Separate installation using ipa-kra-install is already covered.
https://pagure.io/freeipa/issue/6731
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
This patch allows to install KRA on first IPA server in one step using
ipa-server-install
This option improves containers installation where ipa-server can be
installed with KRA using one call without need to call docker exec.
Please note the the original `kra.install()` calls in
ipaserver/install/server/install.py were empty operations as it did
nothing, so it is safe to move them out from CA block
https://pagure.io/freeipa/issue/6731
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
All values were previously converted to lowercase which was not
coresponding with CLI behaviour. Now they stay as they are
inserted. I also have to change the strings to lowercase because
the otp and radius should be inserted as lowercase words.
https://fedorahosted.org/freeipa/ticket/6308
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Add new attribute which keeps information whether each text added
using custom_checkbox_widget shoud be transformed to lowercase.
Part of: https://fedorahosted.org/freeipa/ticket/6308
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Fix is in checkboxes widget but the only affected one is attributes widget.
Reproduction:
1. Add permission with attribute with uppercase character
$ ipa permission-add aa_test --type=stageuser --attrs=businessCategory --right=read
2. Check if it is correctly displayed in Web UI
Actual result:
- businesscategory is not checked
Expected result:
- businesscategory is checked
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Implement a new IPA command allowing to retrieve the list of users matching
the provided certificate.
The command is using SSSD Dbus interface, thus including users from IPA
domain and from trusted domains. This requires sssd-dbus package to be
installed on IPA server.
https://fedorahosted.org/freeipa/ticket/6646
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
New customization button opens dialog with field for setting the number of lines
in tables. After saving the new value there is new topic which starts refreshing
current table facet (if shown) and set all other facets expired. Therefore all
tables are immediately regenerated.
https://fedorahosted.org/freeipa/ticket/5742
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Javascript integer validator checks whether value entered into field is number
and is not higher than Number.MAX_SAFE_INTEGER constant.
Part of: https://fedorahosted.org/freeipa/ticket/5742
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
ipa-server-install and ipa-replica-install manpages miss --setup-adtrust
options
https://pagure.io/freeipa/issue/6630
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
