clean-dangling-ruv would fail in topologies with only one CA or
when only one IPA server is present
https://fedorahosted.org/freeipa/ticket/5840
Reviewed-By: Martin Basti <mbasti@redhat.com>
The 'certificate' option is Str, but 'usercertificate' is Bytes.
Decode before comparing one with the other.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Make sure the base64-encoded value is a string, so it is printed
without the b'' markers.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
This happens when upgrading from IPA <= 4.0 to versions 4.3+.
DNS caching might cause false positive in code which replaces master zone
with forward zone. This will effectivelly delete the master zone
without adding a replacement forward zone.
Solution is to use skip_overlap_check option for dnsforwardzone_add command
so zone existence check is skipped and the upgrade can proceed.
https://fedorahosted.org/freeipa/ticket/5851
Reviewed-By: Martin Basti <mbasti@redhat.com>
Removed custom class of CalledProcessError which was required for
Python versions prior to 2.5
Fixes: https://fedorahosted.org/freeipa/ticket/5717
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
When building RPMs with Python 3 support, /usr/bin/ipa will now
use Python 3.
The in-tree ipa command will also run on Python 3.
When building with make install, $(PYTHON) is honored and it will
still default to Python 2.
Part of the work for https://fedorahosted.org/freeipa/ticket/5638
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Minor fix in ipa-compat-manage command help message.
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Python 3's JSON library cannot deal with bytes, so decode
base64-encoded data to string.
Part of the work for https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The attributes krbextradata, krbprincipalkey, and userpassword contain
binary data.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In Python 3, the "message" attribute has been removed in favor of
calling str() on the error.
Part of the work for https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Python 3 unsets the exception variable at the end of an "except"
block to prevent reference cycles and speed up garbage collection.
Store the exception under a different name in order to use it later.
Part of the work for https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In Python 3, a module from the current package can be imported
either with the absolute name or by using an explicit relative import.
Part of the work for https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Updated references and ipa command example in IPA man page
https://fedorahosted.org/freeipa/ticket/5871
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
This fix provides means to remove certificates from host that were added during tests, but not removed.
Ticket: https://fedorahosted.org/freeipa/ticket/5839
Reviewed-By: Martin Basti <mbasti@redhat.com>
Store and retrieve the authentication indicator "require_auth" string in
the krbPrincipalAuthInd attribute. Skip storing auth indicators to
krbExtraData.
https://fedorahosted.org/freeipa/ticket/5782
Reviewed-By: Sumit Bose <sbose@redhat.com>
Forward policy defaults to 'first' if no IP address belonging to a private
or reserved ranges is detected on local interfaces (RFC 6303).
Defaults to only if a private IP address is detected.
This prevents problems with BIND automatic empty zones because
conflicting zones cannot be disabled unless forwarding policy == only.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
I'm going to extend this so it is better to have it in module.
At the same time it is now using shared assert_absolute_dnsname()
helper.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
Sanity check for zone names and such should be the same everywhere.
This new function will be a replacement for ad-hoc checks.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
This option specified forward policy for global forwarders.
The value is put inside /etc/named.conf.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
The function duplicated ipalib.util.verify_host_resolvable() in slightly
incompatible way because it used NSS while rest of IPA is using only DNS.
Reviewed-By: Martin Basti <mbasti@redhat.com>
The rid passed to abort-clean-ruv and clean-ruv is now searched
for in both ipaca and domain trees as well as list-ruv now
displays both RUVs and CS-RUVs
https://fedorahosted.org/freeipa/ticket/4987
Reviewed-By: Martin Basti <mbasti@redhat.com>
get_ruv does not call sys.exit anymore, instead it raises RuntimeError
for better error handling
Also removed duplicit code from abort_clean_ruv
https://fedorahosted.org/freeipa/ticket/4987
Reviewed-By: Martin Basti <mbasti@redhat.com>
User in now notified about "Locked User account" message instead of
"The password or username you entered is incorrect" or any generic error
message
Fixes : https://fedorahosted.org/freeipa/ticket/5076
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
In Python 3, dict.keys() returns a key view. It is not safe to delete
dict keys when iterating over this view.
Convert the keys to list first.
Part of the work for https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, str.encode('ascii') converts to bytes, and str()
(nicknamed unicode() in IPA) returns the string representation
of an object, which is b'...' for bytes.
So, unicode('...'.encode('ascii')) results in "b'...'".
Change the code to only call encode() for the error.
Part of the work for https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Perl was missing in BuildRequires anyway and it is used only on one place,
all other places are using sed.
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
As Internet Explorer is not a supported browser anymore, browser Kerberos
configuration page shows warning to user about the same.
Fixes : https://fedorahosted.org/freeipa/ticket/5656
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Is safer to raise error than trying to find what is wrong with method
that is not correctly overriden
The new method set_hostname has been added which should be overriden on other
platforms.
https://fedorahosted.org/freeipa/ticket/5794
Reviewed-By: David Kupka <dkupka@redhat.com>
This prevents cases when hostname on system is set inconsistently
(transient and static hostname differs) and may cause IPA errors.
This commit ensures that all hostnames are set properly.
https://fedorahosted.org/freeipa/ticket/5794
Reviewed-By: David Kupka <dkupka@redhat.com>
