ipactl is not aware of new services installed later, if ipactl restart
or start has not been executed.
This commit is workaround, proper fix may need to improve ipactl.
https://fedorahosted.org/freeipa/ticket/5262
Reviewed-By: David Kupka <dkupka@redhat.com>
Replace the "import default_encoding_utf8" in ipalib/cli.py with equivalent
Python code.
https://fedorahosted.org/freeipa/ticket/5596
Reviewed-By: Tomas Babej <tbabej@redhat.com>
If connection do LDAP failed (or LDAP server is down) we cannot verify
if there is any additonal instance of CA, KRA, DNSSEC master.
In this case a user is warned and promted to confirm uninstallation.
https://fedorahosted.org/freeipa/ticket/5544
Reviewed-By: David Kupka <dkupka@redhat.com>
Enables check and fixes one issue.
get_entries can be replaced by get_entry, filter is not needed because
check of 'originfilter' attribute is done later.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
LDAP calls just assert if an invalid (NULL) context is passed in,
so we need to be sure we have a valid connection context before
calling into LDAP APIs and fail outright if a context can't be obtained.
https://fedorahosted.org/freeipa/ticket/5577
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Remove des3 and arcfour from the defaults for new installs.
NOTE: the ipasam/dcerpc code sill uses arcfour
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/4740
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The HTTP reason phrase sent by Dogtag is assumed to be encoded in
UTF-8, but the encoding used by Tomcat is dependent on system
locale, causing decode errors in some locales.
The reason phrase is optional and will not be sent in a future
version of Tomcat[1], so do not bother decoding and returning it.
[1] 707ab1c77f
Fixes: https://fedorahosted.org/freeipa/ticket/5578
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
These tests will ensure that our package version handling code can correctly
decide when to upgrade IPA master.
https://fedorahosted.org/freeipa/ticket/5572
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
We always have to call find_base() in order to force libldap to open
the socket. However, if no base is actually required then there is
no reason to error out if find_base() fails. This condition can arise
when anonymous binds are disabled.
Reviewed-By: Martin Basti <mbasti@redhat.com>
In DNSSEC tests the root zone has to be created, this requires to use
--skip-overlap-check to work properly.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Stop using rpm-python to compare package versions since the implicit NSS
initialization upon the module import breaks NSS handling in IPA code. Call
rpm-libs C-API function via CFFI instead.
Big thanks to Martin Kosek <mkosek@redhat.com> for sharing the code snippet
that spurred this patch.
https://fedorahosted.org/freeipa/ticket/5572
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Attribute 'unattended' is not always present in 'options' so function
parameter 'unattended' should be used.
https://fedorahosted.org/freeipa/ticket/5563
Reviewed-By: Martin Basti <mbasti@redhat.com>
Opiton should be added to ipa-replica-prepare when it was added to
ipa-{server,replica,dns}-install but was forgotten.
https://fedorahosted.org/freeipa/ticket/5563
Reviewed-By: Martin Basti <mbasti@redhat.com>
Former upgrade file always created the NIS Server container, that caused
the ipa-nis-manage did not set all required NIS maps. Default creation
of container has been removed.
Updating of NIS Server configuration and
NIS maps is done only if the NIS Server container exists.
https://fedorahosted.org/freeipa/ticket/5507
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-server-upgrade tests whether certmonger service is running before
attempting to upgrade IPA master. This causes the upgrader to always fail when
there is no CA installer and certmonger is not needed, effectively preventing
CA-less IPA master to upgrade succefuly.
This test is now skipped if CA is not enabled.
https://fedorahosted.org/freeipa/ticket/5519
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit allows to use mixed case of keys for sysrestore, before this
commit all keys were saved in lowercase what prevents to accesing them.
Original usage of mixed case for sysretore key in opendssecinstance had
to be changed to lowercase to prevent issues on already installed
systems.
https://fedorahosted.org/freeipa/ticket/5574
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Previously the command returned False whenever an exception occured
which caused installed to continue even when there was a problem with
LDAP connection.
https://fedorahosted.org/freeipa/ticket/5564
Reviewed-By: David Kupka <dkupka@redhat.com>
Now the option correctly adds missing reverse zones even in unattended
mode.
Still, this is not sufficient in all cases because 'automatic empty zones'
created by BIND (as specified in RFC 6303) can shadow the reverse zones
hosted on other servers. This needs to be solved in a separate patch.
https://fedorahosted.org/freeipa/ticket/5559
Reviewed-By: David Kupka <dkupka@redhat.com>
This error may potentially happen when plugin migration is skipped due
an error. In that case variable 'update' was undefined.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Command "ldap-cleanup <zone name>" is called to remove all key metadata from
LDAP. This command is now called when disabling DNSSEC on a DNS zone. The stale
metadata were causing problems when re-enabling DNSSEC on the same zone.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
Command "ldap-cleanup <zone name>" will remove all key metadata from
LDAP. This can be used manually in sequence like:
ldap-cleanup <zone name>
update <zone name>
to delete all key metadata from LDAP and re-export them from OpenDNSSEC.
ldap-cleanup command should be called when disabling DNSSEC on a DNS
zone to remove stale key metadata from LDAP.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
This filtering is useful in cases where LDAP contains DNS zones which
have old metadata objects and DNSSEC disabled. Such zones must be
ignored to prevent errors while calling dnssec-keyfromlabel or rndc.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
Key purging has to be only only after key metadata purging so
ipa-dnskeysyncd on replices does not fail while dereferencing
non-existing keys.
https://fedorahosted.org/freeipa/ticket/5334
Reviewed-By: Martin Basti <mbasti@redhat.com>
ldapkeydb.py can be executed directly now. In that case it will print
out key metadata as obtained using IPA LDAP API.
Kerberos credential cache has to be filled with principal posessing
appropriate access rights before the script is execured.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
We have to explicitly specify "none" value to prevent dnssec-keyfromlabel
utility from using current time for keys without "publish" and "activate"
timestamps.
Previously this lead to situation where key was in (intermediate) state
"generated" in OpenDNSSEC but BIND started to use this key for signing.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
Previously we published timestamps of planned state changes in LDAP.
This led to situations where state transition in OpenDNSSEC was blocked
by an additional condition (or unavailability of OpenDNSSEC) but BIND
actually did the transition as planned.
Additionally key state mapping was incorrect for KSK so sometimes KSK
was not used for signing when it should.
Example (for code without this fix):
- Add a zone and let OpenDNSSEC to generate keys.
- Wait until keys are in state "published" and next state is "inactive".
- Shutdown OpenDNSSEC or break replication from DNSSEC key master.
- See that keys on DNS replicas will transition to state "inactive" even
though it should not happen because OpenDNSSEC is not available
(i.e. new keys may not be available).
- End result is that affected zone will not be signed anymore, even
though it should stay signed with the old keys.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
The combination of a bug in Dogtag's sslget command and a new feature
in mod_nss causes an incomplete uninstallation of KRA. The bug has been
fixed in Dogtag 10.2.6-13.
https://fedorahosted.org/freeipa/ticket/5469https://fedorahosted.org/pki/ticket/1704
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This import statement has been removed in commit
e4075b1fe2. This caused requests for service
certs to fail, since the validation functions from x509 module crashed with
NameError.
https://fedorahosted.org/freeipa/ticket/5561
Reviewed-By: Martin Basti <mbasti@redhat.com>
Enables check and fixes:
************* Module ipa-replica-conncheck
install/tools/ipa-replica-conncheck:150:
[W0106(expression-not-assigned), parse_options] Expression
"(replica_group.add_option('-w', '--password', dest='password',
sensitive=True, help='Password for the principal'), )" is assigned to
nothing)
************* Module ipatests.test_xmlrpc.test_automount_plugin
ipatests/test_xmlrpc/test_automount_plugin.py:437:
[W0106(expression-not-assigned),
test_automount_indirect.test_1a_automountmap_add_indirect] Expression
"api.Command['automountmap_add_indirect'](self.locname, self.mapname,
**self.map_kw)['result']" is assigned to nothing)
************* Module ipatests.test_ipaserver.test_otptoken_import
ipatests/test_ipaserver/test_otptoken_import.py:128:
[W0106(expression-not-assigned), test_otptoken_import.test_mini]
Expression "[(t.id, t.options) for t in doc.getKeyPackages()]" is
assigned to nothing)
************* Module ipatests.test_ipaserver.test_ldap
ipatests/test_ipaserver/test_ldap.py:221:
[W0106(expression-not-assigned), test_LDAPEntry.test_popitem] Expression
"list(e) == []" is assigned to nothing)
************* Module ipa-client-install
ipa-client/ipa-install/ipa-client-install:114:
[W0106(expression-not-assigned), parse_options] Expression
"(basic_group.add_option('-p', '--principal', dest='principal',
help='principal to use to join the IPA realm'), )" is assigned to
nothing)
ipa-client/ipa-install/ipa-client-install:116:
[W0106(expression-not-assigned), parse_options] Expression
"(basic_group.add_option('-w', '--password', dest='password',
sensitive=True, help='password to join the IPA realm (assumes bulk
password unless principal is also set)'), )" is assigned to nothing)
ipa-client/ipa-install/ipa-client-install:118:
[W0106(expression-not-assigned), parse_options] Expression
"(basic_group.add_option('-k', '--keytab', dest='keytab', help='path to
backed up keytab from previous enrollment'), )" is assigned to nothing)
ipa-client/ipa-install/ipa-client-install:120:
[W0106(expression-not-assigned), parse_options] Expression
"(basic_group.add_option('-W', dest='prompt_password',
action='store_true', default=False, help='Prompt for a password to join
the IPA realm'), )" is assigned to nothing)
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Enables check and fixes:
ipatests/test_xmlrpc/test_permission_plugin.py:534:
[W1301(unused-format-string-key), test_permission] Unused key 'tdn' in
format string dictionary)
ipatests/test_xmlrpc/test_permission_plugin.py:652:
[W1301(unused-format-string-key), test_permission] Unused key 'tdn' in
format string dictionary)
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
