There is no reason to proceed if a CA is already installed, and the
check does not involve a lot of setup, so do it early on.
Ticket: https://fedorahosted.org/freeipa/ticket/5397
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The client XML-RPC implementation is tied to rpclib internals,
so with a change in Python it needs to be updated. And rpclib
changed in Python 3.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
StringIO was renamed in Python 3. The import was was unused,
so remove it.
Files need to be opened in binary mode if bytes are written to them.
(For Python 2: on Linux, there's no practical difference between
text and binary mode)
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Added constants for domain levels
DOMAIN_LEVEL_0 = 0
DOMAIN_LEVEL_1 = 1
This allows to search for domain level easier in code.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The unlock_principal_password unlocks the (new) user by running
ldappasswd as the user.
change_principal is an context manager that changes identity
for the supplied api object by disconnecting and reconnecting
the rpcclient in and outside of requested kerberos context.
This context manager allows to run tests that cannot be
executed as an admin user which can for example override
an CA ACL.
https://fedorahosted.org/freeipa/ticket/57
Reviewed-By: Martin Basti <mbasti@redhat.com>
Also includes basic ACL manipulation and adding
and removing members to/from the acl.
https://fedorahosted.org/freeipa/ticket/57
Reviewed-By: Martin Basti <mbasti@redhat.com>
The patch implements the tracker for CA ACL feature.
The basic CRUD checkers has been implemented. The methods
for adding and removing the association of the resources
with the ACL do not have the check methods. These will be provided
as a separate test suite.
https://fedorahosted.org/freeipa/ticket/57
Reviewed-By: Martin Basti <mbasti@redhat.com>
After removing a server the replicaid needs to be cleared in the ruv entry and
in the changelog.
This was triggere by initiating a cleanallruv task in "ipa-replica-manage del",
but the removal of a master already triggers a cleanup of segments and replication
agreement by the topology plugin, so this could be handled by the plugin as well.
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Makes sure that the first check that is performed when trustdomain-del
command is run is that the actual trusted domain exists. This is done to
prevent a subseqent error which might be misleading.
https://fedorahosted.org/freeipa/ticket/5389
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The trust_show command does not raise a properly formatted NotFound
error if the trust is not found, only a generic EmptyResult error
is raised.
This patch makes the trust_show tell us what actually could not be
found.
https://fedorahosted.org/freeipa/ticket/5389
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Instead of searching for all zones to identify the correct reverse zone, we
will first ask the resolver to return the name of zone that should contain the
desired record and then see if IPA manages this zone.
This patch also removes a duplicate function in bindinstance.py that is not
used anywhere.
https://fedorahosted.org/freeipa/ticket/5200
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In Python 3, the "message" property was removed in favor of calling str().
Add it to PublicMessage, since IPA code depends on it.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
In Python 3, the base64.b64decode function raises binascii.Error (a ValueError
subclass) when it finds incorrect padding. In Python 2 it raises TypeError.
Callers should usually handle ValueError; unless they are specifically
concerned with handling base64 padding issues).
In some cases, callers should handle ValueError:
- ipalib.pkcs10 (get_friendlyname, load_certificate_request): callers should
handle ValueError
- ipalib.x509 (load_certificate*, get_*): callers should handle ValueError
In other cases ValueError is handled:
- ipalib.parameters
- ipapython.ssh
- ipalib.rpc (json_decode_binary - callers already expect ValueError)
- ipaserver.install.ldapupdate
Elsewhere no error handling is done, because values come from trusted
sources, or are pre-validated:
- vault plugin
- ipaserver.install.cainstance
- ipaserver.install.certs
- ipaserver.install.ipa_otptoken_import
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Warning user that DNSSEC key master is not installed when commands
dnszone-add, dnszone-mod, dnszone-show when option dnssec=true
https://fedorahosted.org/freeipa/ticket/5290
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The service containers are no needed there after uninstall anymore.
Removing these service also allows to detect if DNSSEC master is
installed on any replica for any user.
https://fedorahosted.org/freeipa/ticket/5290
Reviewed-By: Petr Spacek <pspacek@redhat.com>
DNS installer allows to reinstall DNS and DNSSEC, so the status of
services should be stored only for first time.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In some cases replication may take much more time than we expected. This
patch adds explicit cech if DS records has been replicated.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
See https://lintian.debian.org/tags/manpage-has-errors-from-man.html for
an explanation. Issues found were
ipa-client-install.1.gz 208: warning [p 5, 4.0i]: cannot adjust line
default.conf.5.gz 50: warning: macro `np' not defined
Reviewed-By: Martin Basti <mbasti@redhat.com>
This makes it possible to install a CA after-the-fact on a server
that has been promoted (and has no replica file available).
https://fedorahosted.org/freeipa/ticket/2888
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
the original replica installation path (ipa-replica-prepare +
ipa-replica-install) remains valid only when IPA domain level is zero. When
this is not the case, ipa-replica-prepare will print out an error message which
instructs the user to use the new replica promotion machinery to setup
replicas.
https://fedorahosted.org/freeipa/ticket/5175
Reviewed-By: Martin Basti <mbasti@redhat.com>
This patch cleans up an unused parameter and fixes the return value when
'ipaDomainLevel' is found: instead of a dict we should return an integer.
Reviewed-By: Martin Basti <mbasti@redhat.com>
This can be used only locally on an existing master (uses ldapi).
Useful to check the domain_level in scripts before the api is
initialized and/or credentials are available.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
move the in installutils so they can be reused by multiple scripts
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
