...and vice versa
backup requires string not bytes, but ldap provide bytes thus data must
be decoded and encoded from restore
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Exception is too brod and may hide various issues that show up later. If
the code expects that entry may exist, then ldap.ALREADY_EXISTS
exception should be used
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
basedn in custodia related modules has type bytes, that causes issues in
Py3 when strings were concatenated with bytes
```
malformed RDN string = "cn=custodia,cn=ipa,cn=etc,b'dc=example,dc=com'"
```
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
configparser.get() changed in python3 and `raw` is now a keyword attribute.
Also it must be set to True, otherwise InterpolationSyntaxError is raised
'''
InterpolationSyntaxError: '%' must be followed by '%' or '(', found:
'%2fvar%2frun%2fslapd-EXAMPLE-COM.socket'
'''
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Since named.conf API for bind-dyndb-ldap was updated, our parsing
regexes have to change.
https://fedorahosted.org/freeipa/ticket/6565
Reviewed-By: Martin Basti <mbasti@redhat.com>
bynd-dyndb-ldap used a custom configuration file format. Since BIND 9.11,
an API was accepted upstream. This caused backward incompatible changes
to the named.conf configuration file used to configure the
bind-dyndb-ldap BIND plugin. Version 11.0 of bind-dyndb-ldap plugin and
BIND 9.11 are required to use with the new config file format.
https://fedorahosted.org/freeipa/ticket/6565
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use the new API for bind 9.11. Removed deprecated "serial_autoincrement"
and updated the rest of configuration to conform to the new format.
This only fixes new IPA installations. For existing installations,
named.conf will be transformed when the new version of bind-dyndb-ldap
is installed.
https://fedorahosted.org/freeipa/ticket/6565
Reviewed-By: Martin Basti <mbasti@redhat.com>
Option serial_autoincrement is no longer supported. Remove it from
the named.conf parser and add it to deprecated options to be removed.
https://fedorahosted.org/freeipa/ticket/6565
Reviewed-By: Martin Basti <mbasti@redhat.com>
Property valid_months is no longer used anywhere in the code. It was
removed when the selfsign funcionality was dropped.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Keysize property is no longer used anywhere in the code. It was
originally introduced for the request_cert function, which was later
refactored to use a function argument instead.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
In Python 2, the order was preserved by accident.
This change makes sure the order is preserved in both Python 2 and 3.
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Print api.env, uname, euid/egid, cwd and Python version when tests are
run with -v (e.g. ipa-run-tests -v).
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
promote_check currently requires DL == 1. Relax the check to
require DL >= 1, so that things will work for future DL increases.
Also separate the concerns of retrieving the current domain level,
validating whether the domain level is supported by the IPA version,
and validating whether the current domain level supports the replica
installation method attempted (i.e. replica file versus promotion).
Part of: https://fedorahosted.org/freeipa/ticket/5011
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In order to enable correct handling of hard errors from within the
composite installer code, all calls to `sys.exit` have to be replaced
with raising ScriptError.
https://fedorahosted.org/freeipa/ticket/6629
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
When a non-lint job fails, all the relevant logs from the test runner
will be gzipped and uploaded to https://transfer.sh file sharing
service. The download link will then be displayed at the very end of the
Travis build log.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
bytes as argument of str() gives unexpected result by adding prefix "b"
there.
Also add missing safe_option() call to logging (it will fix another
str(bytes) issue)
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Some DNS servers behaves oddly and instead sending result without RRSIG records
don't reply at all when DNSSEC flag is enabled (timeout). Instead of
hard error IPA should this handle as DNSSEC error and continue with
installation/adding forwarders.
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
User repr() instead of str() for bytes, it has the same effect, but it
is proper way how to print bytes
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
DS changed a format of replication status attribute. Now it is with
prefix "Error (x)" where x is the error code.
Both formats were kept to allow tests run on older and new
versions of DS.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
for Decimal only from client to server direction uses __base64__
notation. Server replies with pure string for Decimal data, and also
server is able to parse string and create decimal values where needed.
without this we need ugly py3 code:
- return {'__base64__': base64.b64encode(str(val))}
+ return {'__base64__': base64.b64encode(
+ str(val).encode('ascii')).decode('ascii')}
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The encode method of LDAPClient didn't return DNSName as bytes but
string in py3. In py2 it returns non-unicode string so it can be encoded
safely by ascii as to_text() method returns only ascii characters.
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In py3 keys() doesn't return list but iterator so it must be transformed
to tuple otherwise iterator will be broken.
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Using unicode(bytes) call causes undesired side effect that is inserting
`b` character to result. This obviously causes issues with binary base64 data
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Requesting certificates for test purposes is not necessary as we allow to
upload arbitrary certificate to the user, host or service. Also requesting
certificate from dogtag takes some time and the test is slower for no good
reason.
More it's not posible to request certificate for stageuser even though it's
possible to upload certificates to stageusers now.
https://fedorahosted.org/freeipa/ticket/6623
Reviewed-By: Martin Basti <mbasti@redhat.com>
Move {add,remove}-cert implementation from user to baseuser and inherit
{,stage}user-{add,remove}-cert from it.
https://fedorahosted.org/freeipa/ticket/6623
Reviewed-By: Martin Basti <mbasti@redhat.com>
Do not log the value of the --password option of ipa-client-install when it
is run from ipa-replica-install before replica promotion.
https://fedorahosted.org/freeipa/ticket/6633
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
pki-base provides pki-base-python2, but we should depend directly on
pki-base-python2 because in future pki-base may provide pki-base-python3
instead.
Source: cheimes@redhat.comhttps://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
FreeIPA server modules requires pki module
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Adds a test case for issue in SSSD that manifested in
an inability to resolve nested membership in netgroups
The test case tests for direct and indirect membership.
https://fedorahosted.org/freeipa/ticket/6439
Reviewed-By: Martin Basti <mbasti@redhat.com>
In 'store_session_cookie', if the server does not set the session
cookie for some reason, the 'session_cookie' variable does not get
assigned, resulting in UnboundLocalError. Set an initial value of
'None'.
Fixes: https://fedorahosted.org/freeipa/ticket/6636
Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa-kra-install creates an admin cert file in
/root/.dogtag/pki-tomcat/ca_admin.cert but does not check that the
parent directory exists. This situation can happen when uninstall + restore
has been run.
The fix creates the directory if not present.
https://fedorahosted.org/freeipa/ticket/6606
Reviewed-By: Christian Heimes <cheimes@redhat.com>
