Commit Graph

2764 Commits

Author SHA1 Message Date
Stanislav Laznicka
7cbd9bd429 Encrypt httpd key stored on disk
This commit adds configuration for HTTPD to encrypt/decrypt its
key which we currently store in clear on the disc.

A password-reading script is added for mod_ssl. This script is
extensible for the future use of directory server with the
expectation that key encryption/decription will be handled
similarly by its configuration.

https://pagure.io/freeipa/issue/7421

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-03-23 12:48:46 +01:00
Stanislav Laznicka
e7e06f6d78
Dogtag configs: rename deprecated options
ipa-{server,kra}-install logs have been showing warnings about
deprecation of some Dogtag configuration options. Follow
the warnings' advice and rename these options to their newer
form.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
2018-03-22 16:17:29 +01:00
Alexander Bokovoy
b47d6a3654 use LDAP Whoami command when creating an OTP token
ipa user-find --whoami is used by ipa otptoken-add to populate
ipaTokenOwner and managedBy attributes. These attributes, in turn are
checked by the self-service ACI which allows to create OTP tokens
assigned to the creator.

With 389-ds-base 1.4.0.6-2.fc28 in Fedora 28 beta there is a bug in
searches with scope 'one' that result in ipa user-find --whoami
returning 0 results.

Because ipa user-find --whoami does not work, non-admin user cannot
create a token. This is a regression that can be fixed by using LDAP
Whoami command.

LDAP Whoami command returns a string 'dn: <DN of the bind>', so we have
to strip first four characters to get actual DN.

Fixes: https://pagure.io/freeipa/issue/7456
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-03-22 11:33:17 +01:00
Alexander Bokovoy
2da9a4ca6a
Update template directory with new variables when upgrading ipa.conf.template
With e6c707b168 we changed httpd
configuration to use abstracted out variables in the template.
However, during upgrade we haven't resolved these variables so an
upgrade from pre-e6c707b168067ebb3705c21efc377acd29b23fff install will
fail.

Add all missing variables to the upgrade code.

Fixes https://pagure.io/freeipa/issue/7454
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-21 22:22:35 +01:00
Alexander Bokovoy
48acb7d865
Processing of server roles should ignore errors.EmptyResult
When non-admin user issues a command that utilizes
api.Object.config.show_servroles_attributes(), some server roles might
return errors.EmptyResult, indicating that a role is not visible to this
identity.

Most of the callers to api.Object.config.show_servroles_attributes() do
not process errors.EmptyResult so it goes up to an API caller. In case
of Web UI it breaks retrieval of the initial configuration due to ipa
config-show failing completely rather than avoiding to show available
server roles.

Fixes: https://pagure.io/freeipa/issue/7452
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-21 22:22:35 +01:00
Petr Vobornik
b43e73143d
realm domains: improve doc text
It is quite unclear how realm domains behave without reading source
code. New doc text describes its purpose and how it is managed.

https://pagure.io/freeipa/issue/7424

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-03-21 15:29:50 +01:00
Florence Blanc-Renaud
0f31564b35 ipa-replica-install: make sure that certmonger picks the right master
During ipa-replica-install, http installation first creates a service
principal for http/hostname (locally on the soon-to-be-replica), then
waits for this entry to be replicated on the master picked for the
install.
In a later step, the installer requests a certificate for HTTPd. The local
certmonger first tries the master defined in xmlrpc_uri (which is
pointing to the soon-to-be-replica), but fails because the service is not
up yet. Then certmonger tries to find a master by using the DNS and looking
for a ldap service. This step can pick a different master, where the
principal entry has not always be replicated yet.
As the certificate request adds the principal if it does not exist, we can
end by re-creating the principal and have a replication conflict.

The replication conflict later causes kerberos issues, preventing
from installing a new replica.

The proposed fix forces xmlrpc_uri to point to the same master as the one
picked for the installation, in order to make sure that the master already
contains the principal entry.

https://pagure.io/freeipa/issue/7041

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-21 09:35:56 +01:00
Fraser Tweedale
83c173cf9d install: configure dogtag status request timeout
Configure the status request timeout, i.e. the connect/data timeout
on the HTTP request to get the status of Dogtag.

This configuration is needed in "multiple IP address" scenarios
where this server's hostname has multiple IP addresses but the HTTP
server is only listening on one of them.  Without a timeout, if a
"wrong" IP address is tried first, it will take a long time to
timeout, exceeding the overall timeout hence the request will not be
re-tried.  Setting a shorter timeout allows the request to be
re-tried.

Note that HSMs cause different behaviour so this value might not be
suitable for when we implement HSM support.  It is known that a
value of 5s is too short in HSM environment.

This fix requires pki-core >= 10.6.0, which is already required by
the spec file.

Fixes: https://pagure.io/freeipa/issue/7425
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-03-20 10:28:05 +01:00
Christian Heimes
a6e6e7f5e4 More cleanup after uninstall
Remove more files during ipaserver uninstallation:

* /etc/gssproxy/10-ipa.conf
* /etc/httpd/alias/*.ipasave
* /etc/httpd/conf/password.conf
* /etc/ipa/dnssec/softhsm2.conf
* /etc/systemd/system/httpd.service.d/
* /var/lib/ipa/dnssec/tokens

Fixes: https://pagure.io/freeipa/issue/7183
See: https://pagure.io/freeipa/issue/2694
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
2018-03-20 10:15:28 +01:00
Christian Heimes
3871fe6de5 Keep owner when backing up CA.cfg
DogtagInstance.backup_config uses shutil.copy to create a backup of the
config file. The function does not retain owner and group, so it creates a
backup as user and group root:root.

Closes: https://pagure.io/freeipa/issue/7426
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexey Slaykovsky <alexey@slaykovsky.com>
2018-03-19 15:46:56 +01:00
Christian Heimes
7a03a4e9a4 Instrument installer to profile steps
Installer now prints runtime of each step / part to install log.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-16 07:33:58 +01:00
amitkuma
a3060b5238 Error message while adding idrange with untrusted domain
While trying to add idrange with untrusted domain name error
message is misleading.

Changing the error message to:
invalid 'ID Range setup':Specified trusted domain
name could not be found.

Resolves: https://pagure.io/freeipa/issue/5078
Reviewed-By: Alexander Koksharov <akokshar@redhat.com>
2018-03-15 07:31:37 +01:00
Florence Blanc-Renaud
105e774914 ipa-restore: remove /etc/httpd/conf.d/nss.conf
When ipa-restore is called, it needs to delete the file
nss.conf, otherwise httpd server will try to initialize
the NSS engine and access NSSCertificateDatabase.
This is a regression introduced with the switch from NSS
to SSL.

https://pagure.io/freeipa/issue/7440

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-14 12:25:04 +01:00
Stanislav Laznicka
7960352f1c Backup HTTPD's mod_ssl config and cert-key pair
https://pagure.io/freeipa/issue/3757

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-13 10:52:41 +01:00
Florence Blanc-Renaud
54ea4aade6 ipa-server-install: handle error when calling kdb5_util create
ipa-server-install creates the kerberos container by calling
kdb5_util create -s -r $REALM -x ipa-setup-override-restrictions

but does not react on failure of this command. The installer fails later
when trying to create a ldap principal, and it is difficult to diagnose the
root cause.

The fix raises a RuntimeException when kdb5_util fails, to make sure
that the installer exits immediately with a proper error message.

Note: no test added because there is no easy reproducer. One would need to
stop dirsrv just before calling kdb5_util to simulate a failure.

https://pagure.io/freeipa/issue/7438

Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2018-03-13 10:09:13 +01:00
Nathaniel McCallum
d498d7272d Revert "Don't allow OTP or RADIUS in FIPS mode"
This reverts commit 16a952a0a4.

OTP now works in FIPS mode. RADIUS can be made to be compliant by wrapping
traffic in a VPN.

https://pagure.io/freeipa/issue/7168
https://pagure.io/freeipa/issue/7243

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-12 13:29:19 -04:00
Nathaniel McCallum
a01a24ce5a Increase the default token key size
The previous default token key size would fail in FIPS mode for the sha384
and sha512 algorithms. With the updated key size, the default will work in
all cases.

https://pagure.io/freeipa/issue/7168

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-03-12 13:29:19 -04:00
Fraser Tweedale
3650e3b955 upgrade: remove fix_trust_flags procedure
The fix_trust_flags upgrade procedure pertains to the old Apache
mod_nss setup.  With the move to mod_ssl, it now raises an
exception, so remove it.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-03-07 12:31:04 +01:00
Rob Crittenden
95a45a2b09 Don't try to backup CS.cfg during upgrade if CA is not configured
https://pagure.io/freeipa/issue/7409

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-03-06 14:17:16 -05:00
Florence Blanc-Renaud
4295df17a4 ipa host-add: do not raise exception when reverse record not added
When ipa host-add --random is unable to add a reverse record (for instance
because the server does not manage any reverse zone), the command
adds the host but exits (return code=1) with an error without actually
outputing the random password generated.
With this fix, the behavior is modified. The commands succeeds (return code=0)
but prints a warning.

This commit also adds a unit test.

https://pagure.io/freeipa/issue/7374

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-23 14:39:34 +01:00
Christian Heimes
df99af4a68 Remove unused modutils wrappers from NSS/CertDB
The disable system trust feature is no longer used.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
492e3c9b1e NSSDB: Let certutil decide its default db type
CertDB no longer makes any assumptions about the default db type of a NSS
DB. Instead it let's certutil decide when dbtype is set to 'auto'. This
makes it much easier to support F27 and F28 from a single code base.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
c5fb6c8502 Prepare migration of mod_nss NSSDB to sql format
- Refactor CertDB to look up values from its NSSDatabase.
- Add run_modutil() helpers to support sql format. modutil does not
  auto-detect the NSSDB format.
- Add migration helpers to CertDB.
- Add explicit DB format to NSSCertificateDatabase stanza
- Restore SELinux context when migrating NSSDB.
- Add some debugging and sanity checks to httpinstance.

The actual database format is still dbm. Certmonger on Fedora 27 does
neither auto-detect DB format nor support SQL out of the box.

https://pagure.io/freeipa/issue/7354

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Christian Heimes
88fd3f9435 certmonger: Use explicit storage format
Add storage='NSSDB' to various places. It makes it a bit easier to track
down NSSDB usage.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-23 11:04:10 +01:00
Stanislav Laznicka
75845733f8
Backup ssl.conf when migrating from mod_nss
We should backup mod_ssl configuration when migrating from nss
otherwise the uninstall would later leave the machine with
IPA-specific settings.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
1ca68ea730
httpinstance fixup: remove commented-out lines
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
ee49947b6c
httpinstance: fix publishing of CA cert
Adjust the HTTPInstance.__publish_ca_cert() method so that it only
exports the lowest intermediate CA certificate that signed the
HTTP certificate.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
8ea04ab3e3
httpinstance: verify priv key belongs to certificate
Verify the certificate issued during an installation belongs
to its private key.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
dde62ff883
httpinstance: backup mod_nss conf instead of just removing it
Backup mod_nss configuration in case IPA is uninstalled once
and there's applications that require it. We too required it
in previous versions, after all.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
0c388d1e8f
service: rename import_ca_certs_* to export_*
The import_ca_certs_{file,nssdb} methods were actually exporting
CA certificates from LDAP to different formats. The new names should
better reflect what these methods are actually doing.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
92d91ed58b
fixup: add ipa-rewrite.conf to ssl.conf on upgrade
Fixes ipa-server-upgrade when upgrading from a pre-mod_ssl
version where the appropriate "Include" statement needs to
be added to ssl.conf settings so that WebUI functions properly.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
9a7c315984
Make ipa-server-certinstall store HTTPD cert in a file
This refactors the way certificate files are replaced during
ipa-server-certinstall and uses that approach on KDC and
HTTPD certificate cert-key pairs.

https://pagure.io/freeipa/issue/3757

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
205675239a
httpinstance: handle supplied PKCS#12 files in installation
Part of the mod_nss -> mod_ssl move. This patch allows loading
necessary certificates for Apache to function from PKCS#12 files.
This should fix CA-less and domain level 0 installations.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Stanislav Laznicka
7dc923cc4c
mod_ssl migration: fix upload_cacrt.py plugin
Fix the upload_cacrt.py plugin to use the DS NSS database to
upload the CA certificate from (which is the original behavior).
This is possibly required for the upgrade path from some very
old IPA versions that did not use the certificates storage in
LDAP.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
fa135e6ef1
Update smart_card_auth advise script for mod_ssl
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
4d2c7a4a75
Add value in set_directive after a commented-out version
When setting a value using set_directive() look for a commented-out
version of the directive and add the new value immediately after
that to keep the proper context.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
5531c9f26b
Don't backup nss.conf on upgrade with the switch to mod_ssl
This is because if backed up it may contain IPA-specific entries
like an import of ipa-rewrite.conf that on uninstall won't exist
and this will keep Apache from restarting.

We already have a backup of nss.conf from pre-install. Stick with
that.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
4596674481
Enable upgrades from a mod_nss-installed master to mod_ssl
The existing private/public keys are migrated to PEM files
via a PKCS#12 temporary file. This should work for both
IPA-generated and user-provided server certificates.

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Rob Crittenden
805aea2443
Use mod_ssl instead of mod_nss for Apache TLS for new installs
Change some built-in assumptions that Apache has an NSS certificate
database.

Configure mod_ssl instead of mod_nss. This is mostly just changing
the directives used with some slight syntactical differences.

Drop mod_nss-specific methods and functions.

There is some mention of upgrades here but this is mostly a
side-effect of removing things necessary for the initial install.

TODO:
 - backup and restore
 - use user-provided PKCS#12 file for the certificate and key

Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-21 07:57:40 +01:00
Christian Heimes
68caeb8b19 Add mocked test for named crypto policy update
Mocked tests require the mock package for Python 2.7. Python 3 has
unittest.mock in the standard library.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-20 17:01:52 +01:00
Christian Heimes
aee0d2180c Upgrade named.conf to include crypto policy
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-20 17:01:52 +01:00
Christian Heimes
90a75f0d43 Use system-wide crypto-policies on Fedora
HTTPS connections from IPA framework and bind named instance now use
system-wide crypto-policies on Fedora.

For HTTPS the 'DEFAULT' crypto policy also includes unnecessary ciphers
for PSK, SRP, aDSS and 3DES. Since these ciphers are not used by freeIPA,
they are explicitly excluded.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1179925
See: https://bugzilla.redhat.com/show_bug.cgi?id=1179220
Fixes: https://pagure.io/freeipa/issue/4853
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-20 17:01:52 +01:00
John L
eaa5be3eec Remove special characters in host_add random OTP generation
Fixes a regression in 4.5.0 where special character set was limited.

Special characters in the OTP has caused issues in unattended
installations where the OTP is not properly quoted or escaped.

Expansion of the special character set in 4.5.0 release may cause
existing user installation scripts to fail where they wouldn't
otherwise.

https://pagure.io/freeipa/issue/7380

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-02-19 14:52:40 -05:00
Stanislav Laznicka
f31797c70a Have all the scripts run in python 3 by default
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-15 18:43:12 +01:00
Christian Heimes
1b0c55a3b3 Unified ldap_initialize() function
Replace all ldap.initialize() calls with a helper function
ldap_initialize(). It handles cacert and cert validation correctly. It
also provides a unique place to handle python-ldap 3.0 bytes warnings in
the future.

Fixes: https://pagure.io/freeipa/issue/7411
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-02-15 18:32:17 +01:00
Christian Heimes
0cc2a6cae0 Fix multiple uninstallation of server
"ipa-server-install --uninstall" no longer fails with error message
"'Env' object has no attribute 'basedn'" when executed on a system that
has no freeIPA server installation.

Fixes: https://pagure.io/freeipa/issue/7063
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
2018-02-15 14:02:03 +01:00
Christian Heimes
8ffa33c24e Generate same API.txt under Python 2 and 3
Use Python 3's reprlib with customizations to create same API.txt under
Python 2 and 3. Some plugins have been slightly altered to use stable
sorting for dynamically created parameter lists.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-02-15 09:41:30 +01:00
Florence Blanc-Renaud
7364c268eb ipa host-add --ip-address: properly handle NoNameservers
When ipa host-add --ip-address is called but no DNS server is able to answer
for the reverse zone, get_reverse_zone raises a NoNameservers exception.
The exception is not managed by add_records_for_host_validation, and this
leads to the command exiting on failure with an InternalError:
    $ ipa host-add testhost.ipadomain.com --ip-address 172.16.30.22
    ipa: ERROR: an internal error has occurred
A traceback is also logged in httpd error_log.

This commit properly handles the exception, and adds a test.

https://pagure.io/freeipa/issue/7397

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-02-12 17:30:52 +01:00
Aleksei Slaikovskii
93b7c40158 Enable and start oddjobd after ipa-restore if it's not running.
If after ipa-restore the service oddjobd is not running,
domain-level1 replica installation will fail during
ipa-replica-conncheck because this step is using oddjob
to start the process ipa-replica-conncheck on the master.

This patch fixes it. Also added regression test.

https://pagure.io/freeipa/issue/7234

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2018-02-09 09:44:11 +01:00
Timo Aaltonen
e6c707b168 ipaplatform, ipa.conf: Use paths variables in ipa.conf.template
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-02-09 09:14:22 +01:00