Commit Graph

12283 Commits

Author SHA1 Message Date
Christian Heimes
7c2ca14118 Query for server role IPA master
server_find and server_role plugin were hiding IPA master role
information. It's now possible to fetch IPA master role information and
to filter by IPA master role, e.g. to ignore servers that have some
services configured but not (yet) enabled.

See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-07-06 13:26:43 +02:00
Armando Neto
e8d33ccfd1 ipa-server-install: fix zonemgr argument validator
Fix `ERROR 'str' object has no attribute 'decode'` when --zonemgr is
passed to ipa-server-install.

Solution copied from commit 75d26e1f01,
function `ipaserver.install.bindinstance.zonemgr_callback` duplicates
the behavior of the method affected by this patch.

Issue: https://pagure.io/freeipa/issue/7612

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-05 23:09:27 +02:00
Christian Heimes
9c86d35a3f Cleanup shebang and executable bit
- Add missing executable bits to all scripts
- Remove executable bits from all files that are not scripts,
  e.g. js, html, and Python libraries.
- Remove Python shebang from all Python library files.

It's frown upon to have executable library files in site-packages.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-07-05 19:46:42 +02:00
Christian Heimes
198a2c6112 Import ABCs from collections.abc
Python 3 has moved all collection abstract base classes to
collections.abc. Python 3.7 started to deprecate the old aliases.

The whole import block needs to be protected with import-error and
no-name-in-module, because Python 2 doesn't have collections.abc module and
collections.abc.Mapping, while Python 3 doesn't have collections.Mapping.

Fixes: https://pagure.io/freeipa/issue/7609
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-07-05 19:45:10 +02:00
Armando Neto
53c5496647 ipa-client-install: Update how comments are added by ipachangeconf
Due to how 'openldap-client' parses its configuration files this patch
changes how comments are added, moving them to the line above instead
of appending to the same line.

IPA doesn't want to break existing configuration, if a value already
exists it adds a comment to the modified setting and a note about that
on the line above.

New settings will be added without any note.

Issue: https://pagure.io/freeipa/issue/5202

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-07-05 19:42:43 +02:00
Michal Reznik
417f748682 ipa_tests: ipa-replica-prepare stuck on user input
TestOldReplicaWorksAfterDomainUpgrade is getting stuck while
running "ipa-replica-prepare" as it is asking for user input:
"Do you want to search for missing reverse zones?". Adding
"--auto-reverse" in order to continue.

https://pagure.io/freeipa/issue/7615

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-04 16:03:02 +02:00
Armando Neto
79391ad8e1 ui_tests: fix test_config::test_size_limits
Fix a regression caused by: https://pagure.io/freeipa/issue/7606

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Pavel Picka <ppicka@redhat.com>
2018-07-04 15:21:30 +02:00
Michal Reznik
e140d198ea ui_tests: stabilization fixes
This patch aims to fix the following tests which seems to be quite
unstable recently:

test_user::test_actions - closing notification and moving to element
to have screenshot of current place.

test_user::certificates - add wait() / close_notification

Also adds missing @screenshot decorator to test_user_misc method.

Reviewed-By: Pavel Picka <ppicka@redhat.com>
2018-07-04 15:21:30 +02:00
Christian Heimes
a7627a7d8a Require JSS 4.4.5 with replication fixes
JSS fixes two issues related to cert replication and trust flags. The
bugs causes the replicated NSS DB to miss public key entries.

See: https://github.com/dogtagpki/jss/pull/13
See: https://github.com/dogtagpki/jss/pull/15
Fixes: https://pagure.io/freeipa/issue/7590
Fixes: https://pagure.io/freeipa/issue/7589
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-07-04 09:32:54 +02:00
Christian Heimes
6896c90eb2 Extend Sub CA replication test
Test more scenarios like replication replica -> master. Verify that master
and replica have all expected certs with correct trust flags and all keys.

See: https://pagure.io/freeipa/issue/7590
See: https://pagure.io/freeipa/issue/7589
Fixes: https://pagure.io/freeipa/issue/7611
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-07-04 09:32:54 +02:00
Nikhil Dehadrai
dcaa62f6a4 Test for improved Custodia key distribution
The test checks that custodia keys are properly
replicated from the source and are successfully
distributed amongst peer system upon successful
replica installation.

Fixes: https://pagure.io/freeipa/issue/7518

Signed-off-by: Nikhil Dehadrai <ndehadra@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-03 11:04:50 -04:00
Justin Stephenson
00dceb434d Skip zone overlap check with auto-reverse
Skip the existing reverse zone overlap check during DNS installation
when both --auto-reverse and --allow-zone-overlap arguments are
provided.

https://pagure.io/freeipa/issue/7239

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-03 09:37:27 -04:00
Rob Crittenden
627cb490d2 Extend CALessBase::installer_server to accept extra_args
Allow callers to pass abitrary extra arguments to the installer.

This is useful when using a CALess installation in order to
speed up tests that require a full install but do not require
a full PKI.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-03 09:37:27 -04:00
Christian Heimes
4084189f09 pylint: Class node has been renamed to ClassDef
nodes.Class has been removed from pylint and astroid 2.0. The new names
have been available for a while.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-29 17:20:19 +02:00
Christian Heimes
f8159d0be0 Pythhon3.7: re module has no re._pattern_type
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-29 17:20:19 +02:00
Christian Heimes
52cdd213b4 Catch ACIError instead of invalid credentials
ipaldap's LDAPClient client turns INVALID_CREDENTIAL error into
ACIError. Catch the ACIError and wait until the user has been
replicated.

Apparently no manual or automated test ran into the timeout during
testing.

Fixes: Fixes: https://pagure.io/freeipa/issue/7593
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-29 15:48:43 +02:00
Anuja More
0128b3f92e
Test for ipa-client-install should not use hardcoded admin principal
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-06-29 10:31:50 +02:00
Florence Blanc-Renaud
7bf99e8dc5 Add test for ticket 7604: ipa-client-install --mkhomedir doesn't enable oddjobd
Add a test checking that ipa-client-install --mkhomedir
is properly enableing/starting oddjobd.

Related to:
https://pagure.io/freeipa/issue/7604

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-28 11:41:17 +02:00
Florence Blanc-Renaud
a39f656340 ipa-client-install: enable and start oddjobd if mkhomedir
Since the switch to authselect, the service oddjobd is not
automatically enabled when ipa client is installed with
--mkhomedir.
The fix makes sure that the service is enabled/started, and
stores the pre-install state in sysrestore.state, in order
to revert to the pre-install state when uninstall is called

Fixes:
https://pagure.io/freeipa/issue/7604

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-28 11:41:17 +02:00
Armando Neto
d622be295a Prevent the creation on users and groups with numeric characters only
Update regular expression validator to prevent user and group creation.

Fixes: https://pagure.io/freeipa/issue/7572

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-27 15:25:39 -03:00
Alexander Bokovoy
81f36df7ac ipaserver/dcerpc.py: handle indirect topology conflicts
When AD forest A has a trust with a forest B that claims ownership
of a domain name (TLN) owned by an IPA forest, we need to build
exclusion record for that specific TLN, not our domain name.

Use realmdomains to find a correct exclusion entry to build.

Fixes: https://pagure.io/freeipa/issue/7370
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-27 12:49:35 -03:00
Varun Mylaraiah
39ac5f442a ui_tests: extend test_pwpolicy.py suite
Extend WebUI test_pwpolicy suite with the following test cases
Details in the ticket https://pagure.io/freeipa/issue/7574

Added tests:
krbpwdminlength: lower range integer
krbmaxpwdlife: non-integer, abc
krbmaxpwdlife: upper range integer,2147483648
krbmaxpwdlife: lower range integer,-1
krbminpwdlife: non-integer,edf
krbminpwdlife: upper range integer,2147483648
krbminpwdlife: lower range integer,-1
krbpwdhistorylength: non-integer,HIJ
krbpwdhistorylength: upper range integer,2147483648
krbpwdhistorylength: lower range integer,-1
krbpwdmindiffchars: noon-integer,3lm
krbpwdmindiffchars: upper range integer,2147483648
krbpwdmindiffchars: lower range integer, -1
krbpwdminlength: non-integer, n0p
krbpwdminlength: upper range integer,2147483648
krbpwdminlength: lower range integer, -1
cospriority: non-integer, abc
cospriority: upper range integer,2147483648
cospriority: lower range integer,-1
krbpwdmaxfailure: non-integer
krbpwdmaxfailure: upper range integer
krbpwdmaxfailure: lower range integer
krbpwdfailurecountinterval: non-integer
krbpwdfailurecountinterval: upper range integer
krbpwdfailurecountinterval: lower range integer
krbpwdlockoutduration: non-integer
krbpwdlockoutduration: upper range integer
krbpwdlockoutduration: lower range integer
deletePolicy_with various scenario
MeasurementUnitAdded_Bug798363
Delete global password policy
add_Policy_adder_dialog_bug910463
delete_Policy_deleter_dialog_bug910463
test field: cospriority
modifyPolicy(undo/refresh/reset)
empty policy name
upper bound of data range
lower bound of data range
non integer for policy priority

Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Pavel Picka <ppicka@redhat.com>
2018-06-27 13:31:54 +02:00
Christian Heimes
c2eb0f1612
Fix permission of public files in upgrader
Make CA bundles, certs, and cert directories world-accessible in
upgrader.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-27 11:05:01 +02:00
Christian Heimes
89b2137dc2
Make /etc/httpd/alias world readable & executable
The directory /etc/httpd/alias contains public key material. It must be
world readable and executable, so any client can read public certs.

Note: executable for a directory means, that a process is allowed to
traverse into the directory.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-27 11:05:01 +02:00
Christian Heimes
1434f2a203
Always make ipa.p11-kit world-readable
Ensure that ipa.p11-kit is always world-readable.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-27 11:05:01 +02:00
Christian Heimes
ba8cbb8c62
Ensure that public cert and CA bundle are readable
In CIS hardened mode, the process umask is 027. This results in some
files not being world readable. Ensure that write_certificate_list()
calls in client installer, server installer, and upgrader create cert
bundles with permission bits 0644.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-27 11:05:01 +02:00
Christian Heimes
0e21d93391
Use 4 WSGI workers on 64bit systems
Commit f1d5ab3a03 increases WSGI worker
count to five. This turned out to be a bit much for our test systems.
Four workers are good enough and still double the old amount.

See: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-06-25 13:41:18 +02:00
Mohammad Rizwan Yusuf
e90d90c5c3
Check if issuer DN is updated after self-signed > external-ca
This test checks if issuer DN is updated properly after CA is
renewed from self-signed to external-ca

related ticket: https://pagure.io/freeipa/issue/7316

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>

Replaced hardcoded issuer CN for external ca with constant

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-06-25 10:37:58 +02:00
Sudhir Menon
89ae434131 Adding modified DOAP file
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-22 11:02:40 -04:00
Sudhir Menon
c7ac8b91db DOAP Description for IPA Project
https://pagure.io/freeipa/issue/2536

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-22 11:02:40 -04:00
Christian Heimes
ad838c37a9 Fix replication races in Dogtag admin code
DogtagInstance.setup_admin and related methods have multiple LDAP
replication race conditions. The bugs can cause parallel
ipa-replica-install to fail.

The code from __add_admin_to_group() has been changed to use MOD_ADD
ather than search + MOD_REPLACE. The MOD_REPLACE approach can lead to
data loss, when more than one writer changes a group.

setup_admin() now waits until both admin user and group membership have
been replicated to the master peer. The method also adds a new ACI to
allow querying group member in the replication check.

Fixes: https://pagure.io/freeipa/issue/7593
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-06-22 13:01:55 +02:00
Christian Heimes
1b966f708a Use common replication wait timeout of 5min
Instead of multiple timeout values all over the code base, all
replication waits now use a common timeout value from api.env of 5
minutes. Waiting for HTTP/replica principal takes 90 to 120 seconds, so
5 minutes seem like a sufficient value for slow setups.

Fixes: https://pagure.io/freeipa/issue/7595
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-06-22 13:01:55 +02:00
Christian Heimes
14c869b347 Improve and fix timeout bug in wait_for_entry()
replication.wait_for_entry() now can wait for an attribute value to
appear on a replica.

Fixed timeout handling caused by bad rounding and comparison. For small
timeouts, the actual time was rounded down. For example for 60 seconds
timeout and fast replica, the query accumulated to about 0.45 seconds
plus 60 seconds sleep. 60.45 is large enough to terminate the loop
"while int(time.time()) < timeout", but not large enough to trigger the
exception in "if int(time.time()) > timeout", because int(60.65) == 60.

See: https://pagure.io/freeipa/issue/7593
Fixes: https://pagure.io/freeipa/issue/7595
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-06-22 13:01:55 +02:00
Armando Neto
de8d308196 ipaserver config plugin: Increase search records minimum limit
Check if the given search records value is greater than an arbitrary number that is not so close to zero.

https://pagure.io/freeipa/issue/6617

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-21 14:42:15 -04:00
Stanislav Levin
c1f7a14c95 Fix some untranslatable commands in Web UI API Browser
There are some missing translatable docstrings of commands and modules.

Fixes: https://pagure.io/freeipa/issue/7592
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-06-21 18:42:05 +02:00
Stanislav Levin
32ed10caf9 Apply validate_doc() to NO_CLI commands
This should prevent from NO_CLI commands have no translatable
description or have no one at all in Web UI API Browser.

Fixes: https://pagure.io/freeipa/issue/7592
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-06-21 18:42:05 +02:00
Christian Heimes
3a8f0bb16b Remove restarted_named and xfail
With shorter TTL, several named restarts are no longer necessary to make
tests pass. The test case TestZoneSigningWithoutNamedRestart is no
longer relevant, too.

Modification of the root zone and disabling/enabling signing still seems
to need a restart. I have marked those cases as TODO.

See: https://pagure.io/freeipa/issue/5348
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-21 15:54:49 +02:00
Christian Heimes
dae4aac912 Tests: Set default TTL for DNS zones to 1 sec
When running IPA tests, a default TTL for the zone should be set
very low to allow get rid of timeouts in the tests. Zone updates should
be propagated to the clients as soon as possible.

This is not something that should be used in production so the change is
done purely at install time within the tests. As zone information is
replicated, we only modify it when creating a master with integrated
DNS.

This change should fix a number of DNSSEC-related tests where default
TTL is longer than what a test expects and a change of DNSSEC keys
never gets noticed by the BIND. As result, DNSSEC tests never match
their expected output with what they received from the BIND.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Co-authored-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-21 15:54:49 +02:00
Tomas Krizek
6fb45d2f56 test_dnssec: re-add named-pkcs11 workarounds
DNSSEC tests starrted to fail again, probably due to a bug in
some underlaying component.

This reverts commit 8bc6775122
and makes the xfail test check less strict - it will no longer
mark the test suite red if it passes.

Run DNSSEC tests on PR-CI

Co-authored-by: Felipe Barreto <fbarreto@redhat.com>
Related https://pagure.io/freeipa/issue/5348

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-21 15:54:49 +02:00
Stanislav Levin
4b3bc490d3 Fix formatted translations of error messages in topology plugin
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-21 15:30:58 +02:00
Stanislav Levin
1dfdbfd8bf Fix formatted translations of error messages in serverroles plugin
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-21 15:30:58 +02:00
Stanislav Levin
6f245db8ea Fix formatted translations in trust plugin
Translation objects have support for format(). This allows to
get rid of unicode() which has been removed in Python3.

Also some messages to be translated at request time should
not use format()

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-21 15:30:58 +02:00
Stanislav Levin
229f1608db Fix translation of idrange_* commands description
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.

Also some messages to be translated at request time should
not use format().

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-21 15:30:58 +02:00
Stanislav Levin
65414d1471 Fix formatted translations in domainlevel plugin
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable.

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-21 15:30:58 +02:00
Stanislav Levin
854597c411 Use intended format() method of translation object
Translation objects have support for format(). This allows to
get rid of unicode() which is deprecated in Python3.

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-21 15:30:58 +02:00
Stanislav Levin
f4716b6991 Add support for format method to translation objects
For now translation classes have old style % formatting way only.
But 'format' is convenience, preferred in Python3 string formatting method.

Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-21 15:30:58 +02:00
Christian Heimes
8c3ff0308c
Always set ca_host when installing replica
ipa-replica-install only set ca_host in its temporary
/etc/ipa/default.conf, when it wasn't installing a replica with CA. As a
consequence, the replica installer was picking a random CA server from
LDAP.

Always set the replication peer as ca_host. This will ensure that the
installer uses the same replication peer for CA. In case the replication
peer is not a CA master, the installer will automatically pick another
host later.

See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-06-21 11:49:26 +02:00
Ganna Kaihorodova
84ae625fe2 check nsds5ReplicaReleaseTimeout option was set
Check for nsds5ReplicaReleaseTimeout option was set

relates to: https://pagure.io/freeipa/issue/7488

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-20 12:42:51 +02:00
Anuja More
9ead70844e Test that host can remove there own services
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-20 10:06:39 +02:00
Rob Crittenden
036d51d514
Handle subyptes in ACIs
While enabling console output in the server installation the
"Allow trust agents to retrieve keytab keys for cross realm
principals" ACI was throwing an unparseable error because
it has a subkey which broke parsing (the extra semi-colon):

userattr="ipaAllowedToPerform;read_keys#GROUPDN";

The regular expression pattern needed to be updated to handle
this case.

Related: https://pagure.io/freeipa/issue/6760

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-20 08:38:03 +02:00