DNS privileges are important for handling DNS locations which can be
created without DNS servers in IPA topology. We will also need this
privileges presented for future feature 'External DNS support'
https://fedorahosted.org/freeipa/ticket/2008
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Previously, an offline replica would mean the RUVs cannot
be removed otherwise the task would be hanging in the DS.
This is fixed in 389-ds 1.3.5.
https://fedorahosted.org/freeipa/ticket/5396
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com>
Deletion of a replica would fail should there
be no RUVs on the server.
Also removed some dead code in del_master_managed which might
cause premature exit if RuntimeError occurs.
https://fedorahosted.org/freeipa/ticket/5307
Reviewed-By: Martin Basti <mbasti@redhat.com>
Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.
Remove the now unused ipalib.plugins package.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Specify RPC connection options once in API.bootstrap rather than in each
invocation of rpcclient.connect.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Should fix the DS from going unresponsive in some cases
https://fedorahosted.org/freeipa/ticket/5383
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Longer-running CLI commands sometimes fail with "gateway time out" although
the task still runs and finishes on server, not notifying the CLI back.
Increasing socket-timeout should solve this.
https://fedorahosted.org/freeipa/ticket/5833
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Add option to preserve user to the delete dialog on active user's details page.
The delete dialog is the same as on the page of all active users.
https://fedorahosted.org/freeipa/ticket/5370
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Add option to add host dialog which allows to show generated OTP.
This patch also changed the way of informing user about success of adding host
but only when the 'Generate OTP' option is checked. There is a new dialog with
generated OTP.
https://fedorahosted.org/freeipa/ticket/4602
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
In all *-find commands, member attributes shouldn't be processed due
high amount fo ldpaserches cause serious performance issues. For this
reason --no-members option is set by default in CLI and API.
To get members in *-find command option --all in CLI is rquired or
'no_members=False' or 'all=True' must be set in API call.
For other commands processing of members stays unchanged. WebUI is not
affected by this change.
https://fedorahosted.org/freeipa/ticket/4995
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.
This procedure is still not complete because we need to handle global
forwarders too (in LDAP and in named.conf on each server).
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
Ad-hoc LDAP calls in DNS upgrade code were hard to maintain and
ipaConfigString was bad idea from the very beginning as it was hard to
manipulate the number in it.
To avoid problems in future we are introducing new ipaDNSVersion
attribute which is used on cn=dns instead of ipaConfigString.
Original value of ipaConfigString is kept in the tree for now
so older upgraders see it and do not execute the upgrade procedure again.
The attribute can be changed only by installer/upgrade so it is not
exposed in dnsconfig_mod API.
Command dnsconfig_show displays it only if --all option was used.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
After discussion with Martin Basti we decided to standardize on root_logger
with hope that one day we will use root_logger.getLogger('module')
to make logging prettier and tunable per module.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
CA-less options were missing, as well as --allow-zone-overlap
and --auto-reverse.
Fix short option for --realm which was displayed as -d instead of -r.
https://fedorahosted.org/freeipa/ticket/5835
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
For non-critical services which are failing may be beneficial for users
to ignore them and let IPA critical services start. For this a hint to
use --ignore-service-failue option should be shown.
https://fedorahosted.org/freeipa/ticket/5820
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
clean-dangling-ruv would fail in topologies with only one CA or
when only one IPA server is present
https://fedorahosted.org/freeipa/ticket/5840
Reviewed-By: Martin Basti <mbasti@redhat.com>
Minor fix in ipa-compat-manage command help message.
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Store and retrieve the authentication indicator "require_auth" string in
the krbPrincipalAuthInd attribute. Skip storing auth indicators to
krbExtraData.
https://fedorahosted.org/freeipa/ticket/5782
Reviewed-By: Sumit Bose <sbose@redhat.com>
Forward policy defaults to 'first' if no IP address belonging to a private
or reserved ranges is detected on local interfaces (RFC 6303).
Defaults to only if a private IP address is detected.
This prevents problems with BIND automatic empty zones because
conflicting zones cannot be disabled unless forwarding policy == only.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
This option specified forward policy for global forwarders.
The value is put inside /etc/named.conf.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
The function duplicated ipalib.util.verify_host_resolvable() in slightly
incompatible way because it used NSS while rest of IPA is using only DNS.
Reviewed-By: Martin Basti <mbasti@redhat.com>
The rid passed to abort-clean-ruv and clean-ruv is now searched
for in both ipaca and domain trees as well as list-ruv now
displays both RUVs and CS-RUVs
https://fedorahosted.org/freeipa/ticket/4987
Reviewed-By: Martin Basti <mbasti@redhat.com>
get_ruv does not call sys.exit anymore, instead it raises RuntimeError
for better error handling
Also removed duplicit code from abort_clean_ruv
https://fedorahosted.org/freeipa/ticket/4987
Reviewed-By: Martin Basti <mbasti@redhat.com>
User in now notified about "Locked User account" message instead of
"The password or username you entered is incorrect" or any generic error
message
Fixes : https://fedorahosted.org/freeipa/ticket/5076
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
As Internet Explorer is not a supported browser anymore, browser Kerberos
configuration page shows warning to user about the same.
Fixes : https://fedorahosted.org/freeipa/ticket/5656
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
File httpd.service was created by RPM, what causes that httpd service may
fail due IPA specific configuration even if IPA wasn't installed or was
uninstalled (without erasing RPMs).
With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.
https://fedorahosted.org/freeipa/ticket/5681
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
- User is now notified about "Kerberos Principal expiration" message instead of
"Wrong username or password" message.
- User is also notified about "Invalid password" message instead of
generic error message.
https://fedorahosted.org/freeipa/ticket/5077
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
These two options allow preventing clickjacking attacks. They don't allow
open FreeIPA in frame, iframe or object element.
https://fedorahosted.org/freeipa/ticket/4631
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
When LDAP search fails on exceeded limits, we should raise an specific
exception for the type of limit raised (size, time, administrative) so that
the consumer can distinguish between e.g. searches returning too many entries
and those timing out.
https://fedorahosted.org/freeipa/ticket/5677
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Those values differ among distributions and there is no guarantee that they're
reserved. It's better to look them up based on HTTPD_USER's name.
https://fedorahosted.org/freeipa/ticket/5712
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use ipaplatform.constants in every corner instead of importing other bits or calling
some platform specific things, and remove most of the remaining hardcoded uid's.
https://fedorahosted.org/freeipa/ticket/5343
Reviewed-By: David Kupka <dkupka@redhat.com>
