Some tests in ipatests/test_ipalib/test_frontend.py are failing due to changes
related to thin client implementation. Providing fix for:
ipa.test_ipalib.test_frontend.test_Attribute.test_init
ipa.test_ipalib.test_frontend.test_LocalOrRemote.test_run
https://fedorahosted.org/freeipa/ticket/6188
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Prompt for PIN only once in interactive mode.
This fixes ipa-server-install, ipa-server-certinstall and
ipa-replica-prepare prompting over and over when the PIN is empty.
https://fedorahosted.org/freeipa/ticket/6032
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Disconnecting topology/removing last-role-host during server
uninstallation should raise error rather than just being logged
if the appropriate ignore settings are not present.
https://fedorahosted.org/freeipa/ticket/6168
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Checking that classes are identical gives the same result and
avoids unnecessary instantiation.
https://fedorahosted.org/freeipa/ticket/6048
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Read whole cache into memory and keep it there for lifetime of api
object. This removes the need to repetitively open/close the cache and
speeds up every access to it.
https://fedorahosted.org/freeipa/ticket/6048
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Do not open/close the file with every access to plugins. Extensive
access to filesystem may cause significant slowdown.
https://fedorahosted.org/freeipa/ticket/6048
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
To avoid the need to read all data for a plugin from cache and actually
use the separately stored help data it must be requested and returned
separately.
https://fedorahosted.org/freeipa/ticket/6048
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Fingerprint can be obtained from schema filename or from ServerInfo
instance. Use FORMAT in path to avoid opening schema just to read its
format.
https://fedorahosted.org/freeipa/ticket/6048
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Once dirty flag is set to True it must not be set back to False.
Otherwise changes are not written back to file.
https://fedorahosted.org/freeipa/ticket/6048
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Since there is a new warning about only one CA server, the default facet
of topology facet group is set to servers list where the warning is.
So the warning will be shown right after clicking on Topology section.
Part of: https://fedorahosted.org/freeipa/ticket/5828
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
It is not safe to have only one CA server in topology. Therefore there is a check
and in case that there is only one CA server a warning is shown. The warning is
shown after each refreshing of servers facet.
https://fedorahosted.org/freeipa/ticket/5828
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Use issuer+serial rather than raw DER blob to identify certificates in
cert-find's intermediate result.
Restructure the code to make it (hopefully) easier to follow.
https://fedorahosted.org/freeipa/ticket/6098
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Errors during DNS resolution might indicate that forwarder is the
necessary configuration which is missing. Now we disallow adding a
forwarder only if the zone is normally resolvable without the forwarder.
https://fedorahosted.org/freeipa/ticket/6062
Reviewed-By: Martin Basti <mbasti@redhat.com>
sys.exit() calls sometimes make it hard to find bugs and mask code that
does not always work properly.
https://fedorahosted.org/freeipa/ticket/5750
Reviewed-By: Martin Basti <mbasti@redhat.com>
Previously, update_dnsforward_emptyzones failed with an exception if
DNS query failed for some reason. Now the error is logged and upgrade
continues.
I assume that this is okay because the DNS query is used as heuristics
of last resort in the upgrade logic and failure to do so should not have
catastrophic consequences: In the worst case, the admin needs to
manually change forwarding policy from 'first' to 'only'.
In the end I have decided not to auto-start BIND because BIND depends on
GSSAPI for authentication, which in turn depends on KDC ... Alternative
like reconfiguring BIND to use LDAPI+EXTERNAL and reconfiguring DS to
accept LDAP external bind from named user are too complicated.
https://fedorahosted.org/freeipa/ticket/6205
Reviewed-By: Martin Basti <mbasti@redhat.com>
Domain level 0 doesn't allow to create replica file on CA-less master, testcases were skipped with Domain level 0
[https://fedorahosted.org/freeipa/ticket/6134]
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
These are manual fixes for patches submitted upstream, and should be
picked up once a new asn1c is available.
They will be overridden if the code is regenerated before then.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Regenerate the code with asn1c 0.9.27, this allows us to pick up a few
fixes for problems identified by coverity as well as other general bugfixes.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix for accidentally pushed commit c15ba1f9e8
During install we call sshd with no config file, sometimes leading to it
complaining about missing files or bad config options. Since we're just
looking for the return code to see if the options are correct, we can
discard these error messages.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Some of the docstrings in ipalib/messages.py are malformed or missing
entirely. This causes test_ipalib/test_messages to fail due to non-matching
regex.
https://fedorahosted.org/freeipa/ticket/6215
Reviewed-By: Martin Basti <mbasti@redhat.com>
Tests test_ipalib/test_messages.py are failing because messages now contain
also 'data' attribute, which is not yet reflected in tests.
https://fedorahosted.org/freeipa/ticket/6185
Reviewed-By: Martin Basti <mbasti@redhat.com>
Always run the client installation script with --no-ntp
option so that it does not show the message about --force-ntpd
option that does not exist in ipa-replica-install. The time
synchronization is done elsewhere anyway.
https://fedorahosted.org/freeipa/ticket/6046
Reviewed-By: Martin Basti <mbasti@redhat.com>
Test that CRL URI and OCSP URI are present and correct in generated certificate.
https://fedorahosted.org/freeipa/ticket/5881
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Usage of ipautil.run in get_pem method of ca-less tests was not
refactored when the ipautil.run was refactored in
099cf98307
This results in failure of all CA-less tests.
https://fedorahosted.org/freeipa/ticket/6177
Reviewed-By: Martin Basti <mbasti@redhat.com>
Some tests were broken because of the recent changes in baseldap (#5892)
as they were wrongly expecting an objectclass attribute.
https://fedorahosted.org/freeipa/ticket/6198
Reviewed-By: Martin Basti <mbasti@redhat.com>
This commit also splits hostname backup and configuration into two separate
functions. This allows us to backup hostname without setting it at the
same time.
https://fedorahosted.org/freeipa/ticket/6071
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Attempts to compare local hostname with user-provided values are error
prone as we found out in #5794. This patch removes comparison and makes
the env values deterministic.
https://fedorahosted.org/freeipa/ticket/6071
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add output params for the otptoken-add-yubikey, vault-add, vault-mod,
vault-archive and vault-retrieve commands.
This fixes the commands not having any output in CLI.
https://fedorahosted.org/freeipa/ticket/6182
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Whether a parameter is treated like password is determined by the
`password` class attribute defined in the Param class. Whether the CLI will
ask for confirmation of a password parameter depends on the value of the
`confirm` kwarg of the Password class.
Move the `confirm` kwarg from the Password class to the Param class, so
that it can be used by any Param subclass which has the `password` class
attribute set to True.
This fixes confirmation of the --key option of otptoken-add, which is a
Bytes subclass with `password` set to True.
https://fedorahosted.org/freeipa/ticket/6174
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
This file allows daemon tmpfiles.d to re-create the dirs in volatile
directories like /var/run or /var/lock. Without this file Dirsrv will
not start.
https://fedorahosted.org/freeipa/ticket/6165
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Topology graph didn't show plus icons correctly.
There is a problem with uglifying of javascript code. It does not leave unicode character
written in hexadecimal format unchanged. Therefore this workaround which inserts
needed character using Javascript function and uglifying does not affect it.
https://fedorahosted.org/freeipa/ticket/6175
Reviewed-By: Martin Basti <mbasti@redhat.com>
When service is not found in ipa-caalc-add-service command, return the
entire principal name of the service instead of the first character.
https://fedorahosted.org/freeipa/ticket/6171
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Remove the conflict, as bind-chroot caused issue only on systems with older
bind and bind-chroot - e.g. RHEL 6.
This reverts commit 3ab63fa6ba.
https://fedorahosted.org/freeipa/ticket/5696
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The man page for ipa-cacert-manage didn't mention that some
options are only applicable to the install, some to the renew
subcommand.
Also fixed a few missing articles.
https://fedorahosted.org/freeipa/ticket/6013
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
daemons/ipa-kdb/ipa_kdb_mspac.c: In function 'filter_logon_info':
daemons/ipa-kdb/ipa_kdb_mspac.c:1536:19: error: 'struct PAC_LOGON_INFO'
has no member named 'res_group_dom_sid'
if (info->info->res_group_dom_sid != NULL &&
^~
daemons/ipa-kdb/ipa_kdb_mspac.c:1537:19: error: 'struct PAC_LOGON_INFO'
has no member named 'res_groups'; did you mean 'resource_groups'?
info->info->res_groups.count != 0) {
^~
mv -f .deps/ipa_kdb_delegation.Tpo .deps/ipa_kdb_delegation.Plo
Makefile:806: recipe for target 'ipa_kdb_mspac.lo' failed
make[3]: *** [ipa_kdb_mspac.lo] Error 1
make[3]: *** Waiting for unfinished jobs....
Related change in samba
4406cf792a
Resolves:
https://fedorahosted.org/freeipa/ticket/6173
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Also put jsl into dependencies.
The patch also splits lint target into more smaller targets.
The purpose of this change is to add possibility to run only
fast jslint by using make jslint and don't waste time with pylint,
which can take a lot of time.
https://fedorahosted.org/freeipa/ticket/6161
Reviewed-By: Martin Basti <mbasti@redhat.com>