server_find and server_role plugin were hiding IPA master role
information. It's now possible to fetch IPA master role information and
to filter by IPA master role, e.g. to ignore servers that have some
services configured but not (yet) enabled.
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Check if the given search records value is greater than an arbitrary number that is not so close to zero.
https://pagure.io/freeipa/issue/6617
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
There are some missing translatable docstrings of commands and modules.
Fixes: https://pagure.io/freeipa/issue/7592
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Translation objects have support for format(). This allows to
get rid of unicode() which has been removed in Python3.
Also some messages to be translated at request time should
not use format()
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.
Also some messages to be translated at request time should
not use format().
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This otherwise returns a syntax error if trying to set
an empty value.
Related: https://pagure.io/freeipa/issue/6760
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The command description is taken from python docstring. Thus
commands should have them and should include the callings of
gettext to be translated.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa cert_find command has an option called --subject.
The option is documented as --subject=STR Subject.
It is expected that a --subject option searches by X.509 subject field but it does not do so.
It searches for CN not cert subject. Hence changing content of --subject help option.
Resolves: https://pagure.io/freeipa/issue/7322
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Upstream ticket was raised for issuing an warning message
whenever data in ipa vault is overwritten.
In Bugzilla(1339129) its agreed upon that Current behavior is consistent
with other IPA commands. None of ipa mod commands asks for confirmation
and therefore it should be the same here.
But to document, that vault can contain only one value in ipa help vault.
This PR addresses the changes agreed in Bugzilla.
Resolves: https://pagure.io/freeipa/issue/5922
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Now radius proxy plugin allows to add more then one radius server
into radius proxy but the first one from ldap response is being
parsed (you can see ./daemons/ipa-optd/parse.c).
So this kind of behaviour is a bug, as it was determined on IRC.
This patch removes possibility to add more then one radius server
into radius proxy.
Pagure: https://pagure.io/freeipa/issue/7542
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
Early return prevented adding last warning message in the method:
"Ignoring these warnings and proceeding with removal"
And thus `check_master_removal` in `test_server_del` did not work.
https://pagure.io/freeipa/issue/7517
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Allow services to be members of the groups, like users and other groups
can already be.
This is required for use cases where such services aren't associated
with a particular host (and thus, the host object cannot be used to
retrieve the keytabs) but represent purely client Kerberos principals to
use in a dynamically generated environment such as Kubernetes.
Fixes: https://pagure.io/freeipa/issue/7513
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add --skip-host-check option to ipa service-add command to allow
creating services without corresponding host object. This is needed to
cover use cases where Kerberos services created to handle client
authentication in a dynamically generated environment like Kubernetes.
Fixes: https://pagure.io/freeipa/issue/7514
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When a user with sufficient permissions creates a group using ipa
group-add and then deletes it again with group-del ipa gives an
Insufficient access error, but still deletes the group.
This is due to a need to remove an associaed password policy for the
group. However, a password policy might be inaccessible to the user
(created by a more powerful admin) and there is no way to check that it
exists with current privileges other than trying to remove it.
Seeing a Python exceptions in the Apache log without explanation is
confusing to many users, so add a warning message that explains what
happens here.
Fixes: https://pagure.io/freeipa/issue/6884
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
In Python 3, cryptography requires certificate data to be binary. Even
PEM encoded files are treated as binary content.
certmap-match and cert-find were loading certificates as text files. A
new BinaryFile type loads files as binary content.
Fixes: https://pagure.io/freeipa/issue/7520
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Both of these are legal: unconfined_u and unconfined.u
https://pagure.io/freeipa/issue/7510
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add absolute_import from __future__ so that pylint
does not fail and to achieve python3 behavior in
python2.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In certprofile-import if the config file contains two profileId
directives with different values, with the first matching the
profile ID CLI argument and the second differing, the profile gets
imported under the second ID. This leads to:
- failure to enable the profile
- failure to add the IPA "tracking" certprofile object
- inability to delete the misnamed profile from Dogtag (via ipa CLI)
To avert this scenario, detect and reject profile configurations
where profileId is specified multiple times (whether or not the
values differ).
https://pagure.io/freeipa/issue/7503
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Remove NTP server role from config.py.
Remove uneccesary variables and replaced untrack_file with restore_file.
Update typo in manpages and messages printed while installing.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa user-find --whoami is used by ipa otptoken-add to populate
ipaTokenOwner and managedBy attributes. These attributes, in turn are
checked by the self-service ACI which allows to create OTP tokens
assigned to the creator.
With 389-ds-base 1.4.0.6-2.fc28 in Fedora 28 beta there is a bug in
searches with scope 'one' that result in ipa user-find --whoami
returning 0 results.
Because ipa user-find --whoami does not work, non-admin user cannot
create a token. This is a regression that can be fixed by using LDAP
Whoami command.
LDAP Whoami command returns a string 'dn: <DN of the bind>', so we have
to strip first four characters to get actual DN.
Fixes: https://pagure.io/freeipa/issue/7456
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
When non-admin user issues a command that utilizes
api.Object.config.show_servroles_attributes(), some server roles might
return errors.EmptyResult, indicating that a role is not visible to this
identity.
Most of the callers to api.Object.config.show_servroles_attributes() do
not process errors.EmptyResult so it goes up to an API caller. In case
of Web UI it breaks retrieval of the initial configuration due to ipa
config-show failing completely rather than avoiding to show available
server roles.
Fixes: https://pagure.io/freeipa/issue/7452
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
It is quite unclear how realm domains behave without reading source
code. New doc text describes its purpose and how it is managed.
https://pagure.io/freeipa/issue/7424
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
While trying to add idrange with untrusted domain name error
message is misleading.
Changing the error message to:
invalid 'ID Range setup':Specified trusted domain
name could not be found.
Resolves: https://pagure.io/freeipa/issue/5078
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
The previous default token key size would fail in FIPS mode for the sha384
and sha512 algorithms. With the updated key size, the default will work in
all cases.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When ipa host-add --random is unable to add a reverse record (for instance
because the server does not manage any reverse zone), the command
adds the host but exits (return code=1) with an error without actually
outputing the random password generated.
With this fix, the behavior is modified. The commands succeeds (return code=0)
but prints a warning.
This commit also adds a unit test.
https://pagure.io/freeipa/issue/7374
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Fixes a regression in 4.5.0 where special character set was limited.
Special characters in the OTP has caused issues in unattended
installations where the OTP is not properly quoted or escaped.
Expansion of the special character set in 4.5.0 release may cause
existing user installation scripts to fail where they wouldn't
otherwise.
https://pagure.io/freeipa/issue/7380
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Use Python 3's reprlib with customizations to create same API.txt under
Python 2 and 3. Some plugins have been slightly altered to use stable
sorting for dynamically created parameter lists.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When ipa host-add --ip-address is called but no DNS server is able to answer
for the reverse zone, get_reverse_zone raises a NoNameservers exception.
The exception is not managed by add_records_for_host_validation, and this
leads to the command exiting on failure with an InternalError:
$ ipa host-add testhost.ipadomain.com --ip-address 172.16.30.22
ipa: ERROR: an internal error has occurred
A traceback is also logged in httpd error_log.
This commit properly handles the exception, and adds a test.
https://pagure.io/freeipa/issue/7397
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ldap2.can_add checks for add permission of a given entry.
It did not work properly due to a defect in 389 DS. Now that the
defect has been fixed, we also need to update can_add to work with
the mechanism 389 DS provides for checking add permission for
entries where ACIs are in effect.
Update the ldap2.can_add implementation to perform the add
permission check properly. Also update call sites accordingly.
Update the spec file to require 389-ds-base-1.3.7.9-1 which is the
first release containing the fix. This version of 389-ds-base also
resolves a couple of other issues related to replication and
connection management.
Fixes: https://pagure.io/freeipa/issue/6609
Fixes: https://pagure.io/freeipa/issue/7165
Fixes: https://pagure.io/freeipa/issue/7228
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Allow caller to specify that the GetEffectiveRights server control
should be used on a per-operation basis. Also update
ldap2.get_effective_rights to use this new API.
Part of: https://pagure.io/freeipa/issue/6609
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When executing cert-request, if Dogtag successfully issues a
certificate but python-cryptography cannot parse the certificate, an
unhandled exception occurs. Handle the exception by notifying about
the malformed certificate in the response messages.
Fixes: https://pagure.io/freeipa/issue/7390
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
ipa rpc server did set the LANG environment variable on each
request and it was not thread safe which led to unpredictable
mixed languages output. Also, there were mistakes regarding
setting the Accept-Language HTTP header.
Now on each request we're setting the "languages" property
in the context thread local variable and client is setting
the Accept-Language HTTP header correctly.
Also, as the server is caching the schema and the schema can
be generated for several languages it's good to store different
schema fingerprint for each language separately.
pagure: https://pagure.io/freeipa/issue/7238
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
ipa-server-install --uninstall command is calling server-del to
delete replica. This scenario does not work since server-del
is also deleting all principals from and ldap breaking ldap
replication. As a result, only part of deletions are propagated
to the other replicals leaving a lot of orphaned data there.
https://pagure.io/freeipa/issue/7371
This patch won't fully fix the issue with left-over data
but more data is cleaned up and only ldap principal is left
thus ending in a better state.
Issue will be fully fixed only when topology plugin is patched
as well. The following pagure ticket is created to track
topology plugin change:
https://pagure.io/freeipa/issue/7359
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Changing from iteritems() to values() in order to be compatible with
python3.
https://pagure.io/freeipa/issue/7373
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When the option --domain-resolution-order is used with the command
ipa idview-add, the resulting LDAP object stores the value in
ipadomainresolutionorder attribute.
The issue is that the add command does not add the needed object
class (ipaNameResolutionData) because it is part of
possible_objectclasses but not of object_class.
The fix makes sure to add the objectclass when the option
--domain-resolution-order is used, and adds a non-regression test.
Note that idview-mod does not have any issue as it correctly handles
the addition of missing possible objectclasses.
Fixes:
https://pagure.io/freeipa/issue/7350
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
for/else makes only sense when the for loop uses break, too. If the for
loop simply returns on success, then else is not necessary.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Turn calls "handle_not_found()" into "raise handle_not_found()" to
indicate control flow chance. It makes the code easier to understand,
the control flow more obvious and helps static analyzers.
It's OK to raise here because handle_not_found() always raises an
exception.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Instantiating an exception, but not raising it, has no effect.
https://pagure.io/freeipa/issue/7344
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Quite often users choose wrong type of trust on Active Directory side
when setting up a trust to freeIPA. The trust type supported by freeIPA
is just a normal forest trust to another Active Directory. However,
some people follow old internet recipes that force using a trust to MIT
Kerberos realm.
This is a wrong type of trust. Unfortunately, when someone used MIT
Kerberos realm trust, there is no way to programmatically remote the
trust from freeIPA side. As result, we have to detect such situation and
report an error.
To do proper reporting, we need reuse some constants and trust type
names we use in IPA CLI/Web UI. These common components were moved to
a separate ipaserver/dcerpc_common.py module that is imported by both
ipaserver/plugins/trust.py and ipaserver/dcerpc.py.
Fixes https://pagure.io/freeipa/issue/7264
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Add the correct procedure for re-running ipa trust-add with a different
range type.
Fixes:
https://pagure.io/freeipa/issue/7308
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Replace python3-pyldap with python3-ldap.
Remove some old code for compatibility with very old python-ldap.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
