This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.
This upgrade has to be done on each IPA DNS server independently.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.
This procedure is still not complete because we need to handle global
forwarders in named.conf too (independently on each server).
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.
This procedure is still not complete because we need to handle global
forwarders too (in LDAP and in named.conf on each server).
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
Ad-hoc LDAP calls in DNS upgrade code were hard to maintain and
ipaConfigString was bad idea from the very beginning as it was hard to
manipulate the number in it.
To avoid problems in future we are introducing new ipaDNSVersion
attribute which is used on cn=dns instead of ipaConfigString.
Original value of ipaConfigString is kept in the tree for now
so older upgraders see it and do not execute the upgrade procedure again.
The attribute can be changed only by installer/upgrade so it is not
exposed in dnsconfig_mod API.
Command dnsconfig_show displays it only if --all option was used.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
The code was duplicate and less generic anyway.
As a side-effect I had to re-wrap dns.exception.DNSException into a
PublicError so it can be displayed to the user.
DNSError is now a super class for other DNS-related errors. Errors from
DNS resolver are re-raised as DNSResolverError.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
After discussion with Martin Basti we decided to standardize on root_logger
with hope that one day we will use root_logger.getLogger('module')
to make logging prettier and tunable per module.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
This is preparatory work to avoid (future) cyclic import between
ipapython.dnsutil and ipapython.ipautil.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
Forwarding policy "first" or "none" may conflicts with some automatic empty
zones. Queries for zones specified by RFC 6303 will ignore
forwarding and recursion and always result in NXDOMAIN answers.
This is not detected and warned about. Global forwarding is equivalent
to forward zone ".".
Example:
Forward zone 1.10.in-addr.arpa with policy "first"
will not forward anything because BIND will automatically prefer
automatic empty zone "10.in-addr.arpa." which is authoritative.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, the keys() method of mappings returns a KeyView object
that reflects the mapping's state. In LDAPEntry, this means that
the collection returned by keys() is case-insensitive and supports
aliases.
Part of the fix for: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, dict.items() returns a view.
When such a view is iterated over, the dict cannot change size.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Python 3's JSON module provides line number information in
its parsing error. Update the test to expect this.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Order of Python dicts/sets was always unreliable, but in Python 3
it's usually different every time. This affects the order in which
values of a LDAP attribute appear.
LDAP values are also specified to be unordered.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, the module name changed from 'ConfigParser' to
'configparser'. Use the appropriate location from six.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.
This patch does not change the autogenerated files: asn1/asn1c/*.h.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
CA-less options were missing, as well as --allow-zone-overlap
and --auto-reverse.
Fix short option for --realm which was displayed as -d instead of -r.
https://fedorahosted.org/freeipa/ticket/5835
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
pylint 1.5 reports 'kw' as 'no-member' for PublicError and
PublicMessage. It is false positive in both cases.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
If the user is configured for OTP or RADIUS authentication, insert the
relevant authentication indicator.
https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Sumit Bose <sbose@redhat.com>
Before this patch, if either password or password+otp were permitted,
only the otp preauth mech would be returned to the client. Now, the
client will receive either enc_ts or enc_chl in addition to otp.
https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Sumit Bose <sbose@redhat.com>
Before this patch, if the user was configured for either OTP or password
it was possible to do a 1FA authentication through ipa-otpd. Because this
correctly respected the configuration, it is not a security error.
However, once we begin to insert authentication indicators into the
Kerberos tickets, we cannot allow 1FA authentications through this
code path. Otherwise the ticket would contain a 2FA indicator when
only 1FA was actually performed.
To solve this problem, we have ipa-otpd send a critical control during
the bind operation which informs the LDAP server that it *MUST* validate
an OTP token for authentication to be successful. Next, we implement
support for this control in the ipa-pwd-extop plugin. The end result is
that the bind operation will always fail if the control is present and
no OTP is validated.
https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Sumit Bose <sbose@redhat.com>
This gives us a place to handle all OTP related controls. Also,
genericize otpctrl_present() so that the OID can be specified as an
argument to the function call.
These changes are preparatory for the subsequent patches.
https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Sumit Bose <sbose@redhat.com>
Some CA upgrade steps in upgrader requires running CA. We have to always
start CA and wait for running status using http, because systemd may
return false positive result that CA is running even if CA is just
starting and unable to serve.
https://fedorahosted.org/freeipa/ticket/5868
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Rename the `name` argument of Command.get_default_of to `_name` to avoid
conflicts with keyword arguments.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
This will make it possible to move the plugin modules between ipalib,
ipaclient and ipaserver without having to change the imports.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Copy arguments of vault_{add,mod,archive,retrieve} from
vault_{add,mod,archive,retrieve}_internal.
Also add missing LDAPCreate arguments to vault_add_internal.
This will make it possible to move the commands to ipaclient.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Move client-side code from the vault class to module-level functions.
This will make it possible to move the code to ipaclient without the vault
class bits.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Import DN from ipapython.dn rather than ipalib.plugins.baseldap.
This will make it possible to move otptoken_sync to ipaclient.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Replace code which references the DNSRecord and dnsrecord classes with
equivalent code which uses only generic data structures.
This will make it possible to move client code to ipaclient without
dnsrecord bits, DNSRecord and all its subclasses.
The conversion from record value to structured record can't be done on the
client without DNSRecord and subclasses. Introduce a new internal command
dnsrecord_split_parts to do the job on the server when necessary.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Move DNSRecord and dnsrecord code called on client to module-level
functions.
This will make it possible to move the code to ipaclient without the
DNSRecord and dnsrecord class bits.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
automountlocation_import is a client-side command which does not use LDAP
directly. Inherit it from Command rather than LDAPQuery and copy its
arguments from automountlocation_show.
This will make it possible to move automountlocation_import to ipaclient.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Move interactive_prompt callback type from baseldap.BaseLDAPCommand to
Command.
This will make it possible to move all interactive_prompt callbacks to
ipaclient.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Merge Registrar into Registry. Use the Registry instance of each plugin
module to discover plugins in the module instead of the global Registrar
instance.
This removes the side-effect of all plugins in a module being re-registered
every time the module is imported.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Replace API.import_plugins with a new method API.add_package which allows
loading plugin packages into an API object from a package object.
This makes loading of plugin packages loading consistent with loading of
plugin modules and classes.
Rename API.modules to API.packages and use package objects where
implemented to reflect the change.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Load the ldap2 and update_managed_permissions modules using API.add_module
rather than API.import_plugins.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Change Param formatting to:
* always use quantified names rather than the `required` and `multivalue`
kwargs,
* ignore kwargs with default value,
* ignore kwargs related to validation, as validation is now strictly
server-side,
* ignore the `attribute` and `primary_key` kwargs, as they are relevant
only on object params,
* ignore the `include` and `exclude` kwargs, as makeapi takes into account
only params available in the 'cli' context,
* ignore the unused `csv` kwarg.
Format optional Output arguments as kwargs.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
When forwarding a command call to a server, use only arguments which were
explicitly specified by the caller.
This increases compatibility between new clients and old servers.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
