krbCanonicalName is for a long time among the attributes guarded by uniqueness
plugins, but there was never an index for it. Now that the attribute is really
used to store canonical principal names we need to add index for it to avoid
performance regressions.
https://fedorahosted.org/freeipa/ticket/6100
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
The name of delete action is now 'delete_active_user' not just 'delete' therefore
tests needs to be fixed.
https://fedorahosted.org/freeipa/ticket/6052
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Wildcard '*' has not been working for log collecting. I just set
the whole SSSD log directory to be collected. tar utility is able to
archive whole directories.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
We should collect as much as possible relevant logs to be able do better
investigation from test automation
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Providing missing test case verifying authentication as IPA user, namely:
"kinit -E ipauser@IPADOMAIN".
https://fedorahosted.org/freeipa/ticket/6036
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Use a helper function to perform operations on dates in LDAP attributes.
Related to #2795
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: David Kupka <dkupka@redhat.com>
When installer replaces any file with newer, it must use 'copy' instead of
'mv' to keep SELinux context valid.
https://fedorahosted.org/freeipa/ticket/6111
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The CLI was not using session cookies for communication with IPA API.
The kernel_keyring code was expecting the keyname to be a string, but
in python 2 a unicode was supplied (the key is built using
ipa_session_cookie:%principal and principal is a unicode).
The patch fixes the assertions, allowing to store and retrieve the cookie.
It also adds a test with unicode key name.
https://fedorahosted.org/freeipa/ticket/5984
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Method IPASystemRecords.records_list_from_node returns only list
consists only from record names not tuple, which caused unpacking error
https://fedorahosted.org/freeipa/ticket/6117
Reviewed-By: Nikhil Dehadrai <ndehadra@redhat.com>
* target for ptr record must be absolute domain name
* zone is detected using DNS system instead of random splitting of
hostname
https://fedorahosted.org/freeipa/ticket/6060
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Fix conflict between "got" and "expected" values when testing "dnsconfig_mod:
Update global DNS settings"
Reviewed-By: Martin Basti <mbasti@redhat.com>
ipa-ca-install said that it used
/var/log/ipareplica-ca-install.log
but in fact it used
/var/log/ipaserver-ca-install.log
This patch unites it to ipareplica-ca-install.log
It was chosen because of backwards compatibility - ipareplica-ca-install
was more commonly used. ipaserver-ca-install.log was used only in rare
CA less -> CA installation.
https://fedorahosted.org/freeipa/ticket/6086
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
`trust-add` command did not handle these options correctly often resulting in
internal errors or mangled output. This patch implements a behavior which is
more in-line with the rest of the API commands.
https://fedorahosted.org/freeipa/ticket/6059
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
radiusproxy-find should not allow search by proxy secret even for privileged
users so we should hide it from CLI.
https://fedorahosted.org/freeipa/ticket/6078
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Option `--secret` was hidden from radiusproxy CLI preventing setting a secret
on existing server or searching by secret. Since thin client implementation it
was also not recognized by the interactive prompt code in CLI frontend since
it never got there.
https://fedorahosted.org/freeipa/ticket/6078
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Improving handling of rename operation by user tracker, together with
fixes for user tests, that failed as consequence.
Failures were caused by RFE Kerberos principal alias.
Some tests were rewritten, since they used "--setattr" option instead of
"--rename", and hence didn't reflect proper behaviour of the principal
aliases feature.
https://fedorahosted.org/freeipa/ticket/6024
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This patch fixes the 3rd issue of ticket 6012:
ipa-server-install --uninstall -U
complains while removing Kerberos service principals from /etc/krb5.keytab
----
Failed to remove Kerberos service principals: Command '/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r DOM-221.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM' returned non-zero exit status 5
----
This happens because the uninstaller performs the following sequence:
1/ restore pre-install files, including /etc/krb5.keytab
At this point /etc/krb5.keytab does not contain any principal for
IPA domain
2/ call ipa-client-install --uninstall, which in turns runs
ipa-rmkeytab -k /etc/krb5.keytab -r <domain>
to remove the principals.
The fix ignores ipa-rmkeytab's exit code 5 (Principal name or realm not
found in keytab)
https://fedorahosted.org/freeipa/ticket/6012
Reviewed-By: Martin Basti <mbasti@redhat.com>
Relax the check for valid hostname component by allowing multiple consecutive
'-' or '/' characters int he middle of the label (the first/last character
must still be alphanumeric or underscore). Also use verbose regex format to
document its structure.
https://fedorahosted.org/freeipa/ticket/4710
Reviewed-By: Martin Basti <mbasti@redhat.com>
`PrimaryKey` output param works only for API objects that have primary keys,
otherwise it expects None (nothing is associated with this param). Since the
validation of command output was tightened durng thin client effort, some
commands not honoring this contract began to fail output validation.
A custom output was implemented for them to restore their functionality. It
should however be considered as a fix for broken commands and not used
further.
https://fedorahosted.org/freeipa/ticket/6037https://fedorahosted.org/freeipa/ticket/6061
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
While investigating the issue for selinuxusermap-add-hostgroup,
we discovered that other commands were missing output.
A first patch fixes most of the issues:
freeipa-jcholast-677-frontend-copy-command-arguments-to-output-params-on-.patch
This patch fixes servicedelegation CLI, where
servicedelegation.takes_params was missing
ipaallowedtarget_servicedelegationtarget, ipaallowedtoimpersonate and
memberprincipal
https://fedorahosted.org/freeipa/ticket/6026
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In commit f554078291 we stopped copying
command arguments to output params in order to remove redundancies and
reduce API schema in size. Since then, output params were removed from
API schema completely and are reconstructed on the client.
Not including arguments in output params hides failed members from member
commands' CLI output. To fix this, copy arguments to output params again,
but only on the client side.
https://fedorahosted.org/freeipa/ticket/6026
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.
Add the hostname as a SAN dNSName when these certs are created.
(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).
Fixes: https://fedorahosted.org/freeipa/ticket/4970
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Basic set of tests to verify support of UPN functionality.
Test cases:
- establish trust
- verify the trust recognizes UPN
- verify AD user with UPN can be resolved
- verify AD user with UPN can authenticate
- remove trust
https://fedorahosted.org/freeipa/ticket/6094
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Provides basic coverage for external trust feature.
Test cases:
1. verify an external trust with AD subdomain can be established
- verify only one trustdomain is listed
- verify subdomain users are resolvable
- verify trust can be deleted
2. verify non-external trust with AD subdomain cannot be established
3. verify an external trust with AD forest root domain can be established
- verify that even if AD subdomain is specified, it is not associated with the trust
- verify trust can be deleted
https://fedorahosted.org/freeipa/ticket/6093
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
ipapwd_encrypt_encode_key allocates 'kset' on the heap but
with num_keys and keys not being initialized.
Then ipa_krb5_generate_key_data initializes them with the
generated keys.
If ipa_krb5_generate_key_data fails (here EINVAL meaning no
principal->realm.data), num_keys and keys are left uninitialized.
Upon failure, ipapwd_keyset_free is called to free 'kset'
that contains random num_keys and keys.
allocates kset with calloc so that kset->num_keys==0 and
kset->keys==NULL
https://fedorahosted.org/freeipa/ticket/6030
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
This test is testing default IPA system records in locations, if
priority and weight were properly set per service, per server, per
location.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
during DNS installation it is assumed that the cn=servers,cn=dns container is
always present in LDAP backend when migrating DNS server info to LDAP.
This may not always be the case (e.g. when a new replica is set up against
older master) so the code must take additional steps to ensure this container
is present.
https://fedorahosted.org/freeipa/ticket/6083
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Required features that were expected to be released in Dogtag 10.3.4
have instead been released for Fedora in 10.3.3-3. Retract the
minimum required version.
https://fedorahosted.org/freeipa/ticket/5956
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Provides basic service tracker, so far for purposes of [1].
Tracker is not complete, some methods will need to be added in case of service test refactoring.
[1] https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Milan Kubik <mkubik@redhat.com>
the ResultFormattingError message class was missing a `type` member which
could cause `otptoken-add` command to crash during QR image rendering using
suboptimal TTY settings
https://fedorahosted.org/freeipa/ticket/6081
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When a MODRDN is performed on the user entry, the MODRDN plugin resets both
krbPrincipalName and krbCanonicalName to the value constructed from uid. In
doing so, hovewer, any principal aliases added to the krbPrincipalName are
wiped clean. In this patch old aliases are fetched before the MODRDN operation
takes place and inserted back after it is performed.
This also preserves previous user logins which can be used further for
authentication as aliases.
https://fedorahosted.org/freeipa/ticket/6028
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
`vault-add` commands does much processing depending on the vault type even
before the request is forwarded to remote server. Since default values for
parameters are now filled only on server side, the client-side logic would
fail if the vault type was not explicitly given. In this case we have to
retrieve and use the default vault type from schema.
https://fedorahosted.org/freeipa/ticket/6047
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
An extra parameter on client side command override of migrate-ds output
was causing errors.
https://fedorahosted.org/freeipa/ticket/6034
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Only function 'remove_sshpubkey_from_output_list_post' should be used in
postcallbacks of *-find, otherwise only one entry will be cleaned up
https://fedorahosted.org/freeipa/ticket/6043
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Expand the 'caacl' plugin documentation to explain some common
confusions including the fact that CA ACLs apply to the target
subject principal (not necessarily the principal requesting the
cert), and the fact that CA-less CA ACL implies the 'ipa' CA.
Fixes: https://fedorahosted.org/freeipa/ticket/6002
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Client plugins fot vault commands were disabled by NO_CLI=True,
inherited from vault_add_interal, that is always NO_CLI=True.
Introduced by this commit 8278da6967
Removed NO_CLI=True from client side plugins for vault.
https://fedorahosted.org/freeipa/ticket/6035
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The API object namespace iterators now yield plugin classes themselves
instead of their names as strings. The method enumerating through available
plugins needs to be made aware of this change.
https://fedorahosted.org/freeipa/ticket/6044
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
