Move actual resolution of UID/GID values for 'ods' and 'named' entities
to the code that needs them. This prevents failures when uninstalling
IPA server set up without DNS feature. In particular, 'named' group is
created when 'bind' package is installed and if 'bind' package is not
installed, uninstall fails in OpenDNSSEC instance constructor.
We use common pattern for all services during uninstall:
svc = SVCClass(..)
if svc.is_configured()
svc.uninstall()
This requires that the class constructor should not rely on artifacts
that only exist when the service is configured.
Fixes: https://pagure.io/freeipa/issue/8630
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
- Create /var/named/dyndb-ldap/ipa/master/ early
- Assume that /var/named/dyndb-ldap/ipa/master/ exists in BINDMgr.sync()
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
New classes for user and group names provide a convenient way to access
the uid and primary gid of a user / gid of a group. The classes also
provide chown() and chgrp() methods to simplify common operations.
The wrappers are subclasses of builtin str type and behave like ordinary
strings with additional features. The pwd and grp structs are retrieved
once and then cached.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Custom options can be supplied by a vendor via 'OPTIONS' env
variable(platform specific) and IPA installer will override them
in this case. Thus, at least, the base parsing of existing options
is required.
Current named command line options:
NS_MAIN_ARGS "46A:c:C:d:D:E:fFgi:lL:MⓂ️n:N:p:P:sS:t:T:U:u:vVx:X:"
If there are several same options the last passed wins.
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
For now Debian, Fedora, RHEL, etc. build BIND with 'native PKCS11'
support. Till recently, that was the strict requirement of DNSSEC.
The problem is that this restricts cross-platform features of FreeIPA.
With the help of libp11, which provides `pkcs11` engine plugin for
the OpenSSL library for accessing PKCS11 modules in a semi-
transparent way, FreeIPA could utilize OpenSSL version of BIND.
BIND in turn provides ability to specify the OpenSSL engine on the
command line of `named` and all the BIND `dnssec-*` tools by using
the `-E engine_name`.
Fixes: https://pagure.io/freeipa/issue/8094
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When creating ipa-client-samba tool, few common routines from the server
installer code became useful for the client code as well.
Move them to ipapython.ipautil and update references as well.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Service entries in cn=FQDN,cn=masters,cn=ipa,cn=etc are no longer
created as enabled. Instead they are flagged as configuredService. At
the very end of the installer, the service entries are switched from
configured to enabled service.
- SRV records are created at the very end of the installer.
- Dogtag installer only picks fully installed servers
- Certmonger ignores all configured but not yet enabled servers.
Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Remove logger arguments in all functions and logger attributes in all
objects, with the exception of API object logger, which is now deprecated.
Replace affected logger calls with module-level logger calls.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Slots in HSM are not assigned statically, we have to chose proper
slot from token label.
Softhsm i2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).
Changelog:
* created method get_slot() that returns slot number from
used label
* replaces usage of slot in __init__ method of P11_Helper
with label
* slot is dynamically detected from token label before
session is opened
* pkcs11-util --init-token now uses '--free' instead '--slot'
which uses first free slot (we don't care about slot numbers
anymore)
https://pagure.io/freeipa/issue/6692
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
A change to the algorithm that generates random passwords
for multiple purposes throught IPA. This spells out the need
to assess password strength by the entropy it contains rather
than its length.
This new password generation should also be compatible with the
NSS implementation of password requirements in FIPS environment
so that newly created databases won't fail with wrong authentication.
https://fedorahosted.org/freeipa/ticket/5695
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Previously an adhoc connection was established for checking if
dns(sec) container exists. A simple or external bind was used.
Instead, always connect with ldapi through api.Backend.ldap2.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The Service class now accepts keytab path and service name part of Kerberos
principal as members. Kerberos principal is turned into a property computed
from service prefix, FQDN and realm. the handling of Kerberos principals and
keytabs in service installers was changed to use class members instead of
copy-pasted constants. This shall aid in the future refactoring of
principal/keytab handling code.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Instead of delegating handling of some parameters like fstore to the parent
class, the *Instance installers had the logic copy-pasted in their
constructors. Some other members were also moved to the Service class and the
parent class constructors in children were fixed to modern standards of
initializing parent class in Python.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* move IPAdmin methods to LDAPClient
* add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
* add host, port, _protocol to LDAPClient (parsed from ldap_uri)
* create get_ldap_uri() method to create ldap_uri from former
IPAdmin.__init__() arguments
* replace IPAdmin with LDAPClient + get_ldap_uri()
* remove ununsed function argument hostname from
enable_replication_version_checking()
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors
Enabled check should prevent to leave unused variable in code
Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Use ipaplatform.constants in every corner instead of importing other bits or calling
some platform specific things, and remove most of the remaining hardcoded uid's.
https://fedorahosted.org/freeipa/ticket/5343
Reviewed-By: David Kupka <dkupka@redhat.com>
Wildcard imports should not be used.
Check for wildcard imports has been enabled in pylint.
Pylint note: options 'wildcard-import' causes too much false positive
results, so instead it I used 'unused-wildcard-import' option which has almost
the same effect.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, range() behaves like the old xrange().
The difference between range() and xrange() is usually not significant,
especially if the whole result is iterated over.
Convert xrange() usage to range() for small ranges.
Use modern idioms in a few other uses of range().
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Use Python-3 compatible syntax, without breaking compatibility with py 2.7
- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
strict type checking checking, e.g. type(0).
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Services hasn't been restored correctly, which causes disabling already
disabled services, or some service did not start. This patch fix these
issues.
Ticket: https://fedorahosted.org/freeipa/ticket/4869
Reviewed-By: David Kupka <dkupka@redhat.com>
