Previously, an offline replica would mean the RUVs cannot
be removed otherwise the task would be hanging in the DS.
This is fixed in 389-ds 1.3.5.
https://fedorahosted.org/freeipa/ticket/5396
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Ludwig Krispenz <lkrispen@redhat.com>
Deletion of a replica would fail should there
be no RUVs on the server.
Also removed some dead code in del_master_managed which might
cause premature exit if RuntimeError occurs.
https://fedorahosted.org/freeipa/ticket/5307
Reviewed-By: Martin Basti <mbasti@redhat.com>
Specify RPC connection options once in API.bootstrap rather than in each
invocation of rpcclient.connect.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
In all *-find commands, member attributes shouldn't be processed due
high amount fo ldpaserches cause serious performance issues. For this
reason --no-members option is set by default in CLI and API.
To get members in *-find command option --all in CLI is rquired or
'no_members=False' or 'all=True' must be set in API call.
For other commands processing of members stays unchanged. WebUI is not
affected by this change.
https://fedorahosted.org/freeipa/ticket/4995
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
After discussion with Martin Basti we decided to standardize on root_logger
with hope that one day we will use root_logger.getLogger('module')
to make logging prettier and tunable per module.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
CA-less options were missing, as well as --allow-zone-overlap
and --auto-reverse.
Fix short option for --realm which was displayed as -d instead of -r.
https://fedorahosted.org/freeipa/ticket/5835
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
For non-critical services which are failing may be beneficial for users
to ignore them and let IPA critical services start. For this a hint to
use --ignore-service-failue option should be shown.
https://fedorahosted.org/freeipa/ticket/5820
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
clean-dangling-ruv would fail in topologies with only one CA or
when only one IPA server is present
https://fedorahosted.org/freeipa/ticket/5840
Reviewed-By: Martin Basti <mbasti@redhat.com>
Minor fix in ipa-compat-manage command help message.
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Forward policy defaults to 'first' if no IP address belonging to a private
or reserved ranges is detected on local interfaces (RFC 6303).
Defaults to only if a private IP address is detected.
This prevents problems with BIND automatic empty zones because
conflicting zones cannot be disabled unless forwarding policy == only.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
This option specified forward policy for global forwarders.
The value is put inside /etc/named.conf.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
The function duplicated ipalib.util.verify_host_resolvable() in slightly
incompatible way because it used NSS while rest of IPA is using only DNS.
Reviewed-By: Martin Basti <mbasti@redhat.com>
The rid passed to abort-clean-ruv and clean-ruv is now searched
for in both ipaca and domain trees as well as list-ruv now
displays both RUVs and CS-RUVs
https://fedorahosted.org/freeipa/ticket/4987
Reviewed-By: Martin Basti <mbasti@redhat.com>
get_ruv does not call sys.exit anymore, instead it raises RuntimeError
for better error handling
Also removed duplicit code from abort_clean_ruv
https://fedorahosted.org/freeipa/ticket/4987
Reviewed-By: Martin Basti <mbasti@redhat.com>
When LDAP search fails on exceeded limits, we should raise an specific
exception for the type of limit raised (size, time, administrative) so that
the consumer can distinguish between e.g. searches returning too many entries
and those timing out.
https://fedorahosted.org/freeipa/ticket/5677
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Global variables should be defined in the outer space, not just marked
as global inside functions.
Removes unused global variables
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
'yes' is also valid value in krb5.conf but we should be consistent and
use only 'true' as we do for other options.
https://fedorahosted.org/freeipa/ticket/5518
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
pylint 1.5 prints many false positive no-member errors which are
supressed by this commit.
https://fedorahosted.org/freeipa/ticket/5615
Reviewed-By: David Kupka <dkupka@redhat.com>
ipactl is not aware of new services installed later, if ipactl restart
or start has not been executed.
This commit is workaround, proper fix may need to improve ipactl.
https://fedorahosted.org/freeipa/ticket/5262
Reviewed-By: David Kupka <dkupka@redhat.com>
Enables check and fixes one issue.
get_entries can be replaced by get_entry, filter is not needed because
check of 'originfilter' attribute is done later.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Enables check and fixes:
************* Module ipa-replica-conncheck
install/tools/ipa-replica-conncheck:150:
[W0106(expression-not-assigned), parse_options] Expression
"(replica_group.add_option('-w', '--password', dest='password',
sensitive=True, help='Password for the principal'), )" is assigned to
nothing)
************* Module ipatests.test_xmlrpc.test_automount_plugin
ipatests/test_xmlrpc/test_automount_plugin.py:437:
[W0106(expression-not-assigned),
test_automount_indirect.test_1a_automountmap_add_indirect] Expression
"api.Command['automountmap_add_indirect'](self.locname, self.mapname,
**self.map_kw)['result']" is assigned to nothing)
************* Module ipatests.test_ipaserver.test_otptoken_import
ipatests/test_ipaserver/test_otptoken_import.py:128:
[W0106(expression-not-assigned), test_otptoken_import.test_mini]
Expression "[(t.id, t.options) for t in doc.getKeyPackages()]" is
assigned to nothing)
************* Module ipatests.test_ipaserver.test_ldap
ipatests/test_ipaserver/test_ldap.py:221:
[W0106(expression-not-assigned), test_LDAPEntry.test_popitem] Expression
"list(e) == []" is assigned to nothing)
************* Module ipa-client-install
ipa-client/ipa-install/ipa-client-install:114:
[W0106(expression-not-assigned), parse_options] Expression
"(basic_group.add_option('-p', '--principal', dest='principal',
help='principal to use to join the IPA realm'), )" is assigned to
nothing)
ipa-client/ipa-install/ipa-client-install:116:
[W0106(expression-not-assigned), parse_options] Expression
"(basic_group.add_option('-w', '--password', dest='password',
sensitive=True, help='password to join the IPA realm (assumes bulk
password unless principal is also set)'), )" is assigned to nothing)
ipa-client/ipa-install/ipa-client-install:118:
[W0106(expression-not-assigned), parse_options] Expression
"(basic_group.add_option('-k', '--keytab', dest='keytab', help='path to
backed up keytab from previous enrollment'), )" is assigned to nothing)
ipa-client/ipa-install/ipa-client-install:120:
[W0106(expression-not-assigned), parse_options] Expression
"(basic_group.add_option('-W', dest='prompt_password',
action='store_true', default=False, help='Prompt for a password to join
the IPA realm'), )" is assigned to nothing)
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Wildcard imports should not be used.
Check for wildcard imports has been enabled in pylint.
Pylint note: options 'wildcard-import' causes too much false positive
results, so instead it I used 'unused-wildcard-import' option which has almost
the same effect.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When DNS is already installed somewhere in topology we should not check for
zone overlap because it would always say that we are overlapping our own domain.
ipa-replica-install already does that but ipa-dns-install did not.
https://fedorahosted.org/freeipa/ticket/5564
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
this patch makes the check_last_link_managed() function more resistant to both
orphaned topology suffixes and also to cases when there are IPA masters do not
seem to manage any suffix. The function will now only complain loudly about
these cases and not cause crashes.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Introducing '--auto-reverse' option. When specified reverse records for
all server's IP addresses are checked and when record nor reverse zone
does not exist reverse zone is created.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Raise an error when the domain already exists. This can be overriden using
--force or --allow-zone-overlap options.
https://fedorahosted.org/freeipa/ticket/3681
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The ipautil.run function now returns an object with returncode and
output are accessible as attributes.
The stdout and stderr of all commands are logged (unless skip_output is given).
The stdout/stderr contents must be explicitly requested with a keyword
argument, otherwise they are None.
This is because in Python 3, the output needs to be decoded, and that can
fail if it's not decodable (human-readable) text.
The raw (bytes) output is always available from the result object,
as is "leniently" decoded output suitable for logging.
All calls are changed to reflect this.
A use of Popen in cainstance is changed to ipautil.run.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add server_conncheck command which calls ipa-replica-conncheck --replica
over oddjob.
https://fedorahosted.org/freeipa/ticket/5497
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Use the local host credentials rather than the user credentials when
setting up replication. The host must be a member of the ipaservers host
group. The user credentials are still required for connection check.
https://fedorahosted.org/freeipa/ticket/5401
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Move this check before the parts that check topology suffix connectivity, wait
for removed segments etc. If the hostname does not exist, it should really be
one of the first errors user encounters during ipa-replica-manage del.
https://fedorahosted.org/freeipa/ticket/5424
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
