in the preop check do not reject the deletion of a segment, if not both endpoints
are managed servers for the suffix
thisis part of work for ticlet #5072
Reviewed-By: Simo Sorce <ssorce@redhat.com>
reject attempts to add segments to suffixes, which do not exist or are not configured.
check completenes and validity of segment attributes
cf ticket 5088: https://fedorahosted.org/freeipa/ticket/5088
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
OpenDNSSEC stores key metadata in local time zone but BIND needs
timestamps in UTC. UTC will be stored in LDAP.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Martin Basti <mbasti@redhat.com>
Online initialization can be triggered by setting "nsds5BeginReplicaRefresh[;left|;right]": start to a
segment. But this field remained in the segment and after restart the init would be executed again.
see Ticket #5065
To fix this the field is cleared:
- after a backend comes back online after being initialized
- since there is a delay and the sending server could be restarted in between,
the field is also scheced and renḿoved at startup
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
This patch moves duplicate code in `ipadb_get_connection` to get default and
supported key encodings/salt types from Kerberos container to a common
function handling this task.
It is actually a small cosmetic enhancement of the fix of
https://fedorahosted.org/freeipa/ticket/4914
Reviewed-By: Martin Basti <mbasti@redhat.com>
New exporter's command 'ipa-full-update' will resynchronize all zone
keys from ODS database to LDAP.
This command holds database lock for the whole time to avoid race
conditions so it should be used only in special cases, e.g. during
master server migration.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Martin Basti <mbasti@redhat.com>
Previously only systemd socket activation was supported.
Ability to call the command directly is handy in special cases,
e.g. for debugging or moving key master role from one server to another.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Martin Basti <mbasti@redhat.com>
this patch contains the following improvements:
check for existing segments works for all combinations of one directional and bidirectional segments
rdns of replication agreements generated from one directional segments are preserves after
merging of segments, so that deletion of the segment deletes the corresponding replication
agreements
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
The attribute mentioned was using an older name that was later changed
in the implementation.
Also add a prominent warning about the use of the kadmin flags.
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
when a server is removed from the topology the plugin tries to remove the
credentials from the replica and the bind dn group.
It performs an internal search for the ldap principal, but can fail if it was already removed
Due to an unitialized variable in this case it can eitehr crash or erroneously remove all
principals.
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
when updating an replication agreement from a toplogy segment an incorrect default value was used for bindmethod.
Only attributes explicitely set in the segment should be applied.
At shutdown the server could crash because the plugin was called after it was stopped.
https://fedorahosted.org/freeipa/ticket/5035
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
When kadmin tries to change a password it will get the allowed keysalts
from the password policy. Failure to provide them will result in kadmin
using the defaults specified in the kdc.conf file or hardcoded defaults
(the default salt is then of type NORMAL).
This patch provides the supported values that have been read out of the
appropriate LDAP attribute when we read the server configuration.
Then at actual password change, check if kadmin is handing us back the exact
list of supported encsalts we sent it, and in that case replace it with the
real default encsalts.
Fixes https://fedorahosted.org/freeipa/ticket/4914
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Martin Babinsky <mbabinsk@redhat.com>
Add plugin commands to stageuser plugin:
stageuser_activate: activate entries created by IPA CLIs
https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: David Kupka <dkupka@redhat.com>
This bug caused negative token windows to wrap-around, causing issues
with TOTP authentication and (especially) synchronization.
https://fedorahosted.org/freeipa/ticket/4990
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
ipa-dnskeysyncd, ipa-dnskeysync-replica, and ipa-ods-exporter use a generic
'ccache' filename for credential storage, making debugging Kerberos-related
errors unnecessarily complicated. This patch renames the ccache files so that
each of these daemons now has its own credenital cache.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Calls to ipautil.run using kinit were replaced with calls
kinit_keytab/kinit_password functions implemented in the PATCH 0015.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
IPA UUID should not generate ipaUniqueID for entries under 'cn=provisioning,SUFFIX'
Add in the configuration the ability to set (optional) 'ipaUuidExcludeSubtree'
https://fedorahosted.org/freeipa/ticket/3813
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Besides moving the existing tests to cmocka two new tests are added
which were missing from the old tests.
Related to https://fedorahosted.org/freeipa/ticket/4922
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
The get*_r_wrapper() calls expect a maximum buffer size to avoid memory
shortage if too many threads try to allocate buffers e.g. for large
groups. With this patch this size can be configured by setting
ipaExtdomMaxNssBufSize in the plugin config object
cn=ipa_extdom_extop,cn=plugins,cn=config.
Related to https://fedorahosted.org/freeipa/ticket/4908
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The getXXYYY_r() calls require a buffer to store the variable data of
the passwd and group structs. If the provided buffer is too small ERANGE
is returned and the caller can try with a larger buffer again.
Cmocka/cwrap based unit-tests for get*_r_wrapper() are added.
Resolves https://fedorahosted.org/freeipa/ticket/4908
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Currently only nss-wrapper is checked, checks for other crwap libraries
can be added e.g. as
AM_CHECK_WRAPPER(uid_wrapper, HAVE_UID_WRAPPER)
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Currently the range check plugin will return a 'Range Check error'
message if a ldapmodify operation tries to change a non-existing object.
Since the range check plugin does not need to care about non-existing
objects we can just return 0 indicating that the range check plugin has
done its work.
Resolves https://fedorahosted.org/freeipa/ticket/4924
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Since we dropped support for LANMAN hashes we do not need DES from OpenSSL
anymore. Stop including an testing for it.
Test for the MD4 algorythm instead whichis still used for the NT Hashes.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
All FreeIPA original code should be licensed to GPL v3+ license,
update the respective files:
- daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c
Remove GPL v2.0 license files from LDIFs or template to keep
consistency.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
When processing cross-realm trust transitions, let the KDC to handle
those we don't know about. Admins might define the transitions as
explicit [capaths] in krb5.conf.
https://fedorahosted.org/freeipa/ticket/4791
Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
In this new MIT version the DAL interface changes slightly but
KRB5_KDB_DAL_MAJOR_VERSION was not changed.
Luckily KRB5_KDB_API_VERSION did change and that's enough to know
what to compile in.
Resolves: https://fedorahosted.org/freeipa/ticket/4861
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
