"389-ds-base-legacy-tools" needs to be added to requires until
the switch to python installer is completed.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
ipaplatform no longer checks for the presence of a systemd service file
to detect the name of the domainname service. Instead it uses osinfo's
version to use the old name on Fedora 28 and the new name on Fedora 29.
This fixes a SELinux violation that prevented httpd from listing systemd
service files.
Fixes: https://pagure.io/freeipa/issue/7661
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Move the /etc/os-release parser and platform detection code out of the
private _importhook module. The ipaplatform module now contains an
osinfo module that provides distribution, os, and vendor information.
See: https://www.freedesktop.org/software/systemd/man/os-release.html
See: https://pagure.io/freeipa/issue/7661
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The subject base is used as a fallback to find the available
CA certificates during client enrollment if the LDAP connection
fails (e.g. due to new client connecting to very old server) and
for constructing the subject if a certificate is requested.
raw=True is passed to config-show in order to avoid parsing
the server roles which will fail because the services aren't
marked as enabled until after the client installation is
successful on a master.
ipa-join providing the subject base via stderr was fragile and
would cause client enrollment to fail if any other output was
included in stderr.
https://pagure.io/freeipa/issue/7674
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The "keys.splice(i, 1)" removes one item at the specified position
from an array. Thus hashes which are stored at "that._key_indicies"
are no longer valid and should be reindexed.
Fixes: https://pagure.io/freeipa/issue/7678
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
The clients of "get_key_index" expect index of key in matching case
otherwise -1. But instead of this function returns the "undefined"
value.
Fixes: https://pagure.io/freeipa/issue/7678
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Setting ca_host caused replication failures on DL0
because it was trying to connect to wrong CA host.
Trying to avoid corner-case in ipaserver/plugins/dogtag.py
when api.env.host nor api.env.ca_host had not CA configured
and there was ca_host set to api.env.ca_host variable.
See: https://pagure.io/freeipa/issue/7566
Resolves: https://pagure.io/freeipa/issue/7629
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
related ticket : https://pagure.io/freeipa/issue/7587
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Pages with widgets like LoginScreen, MigrateScreen use login-pf styling.
This page has dark background instead of light. Thus styling for labels
for fields with error has color which makes the label hard to read or
almost invisible.
Change it to white so it is still readable.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@localhost.localdomain>
Migration error/invalid html pages are no longer needed as their
functionality was moved to "migrate" plugin.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@localhost.localdomain>
Translatable messages should be marked with @i18n. Also
these messages should be presented in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@localhost.localdomain>
To use all advantages of entire Web framework the "migration" page
should use "migrate" plugin. As well this allows to use IPA
translations.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@localhost.localdomain>
So far "migration" end point redirected to "error"/"invalid" page as
a result of the client request. To use ajax requests and to not
reload/load the whole page the response should include the result of
request.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@localhost.localdomain>
This plugin creates and registers a facet with password migrate page.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@localhost.localdomain>
This widget is intended to integrate password migrate page into the
entire IPA Web framework. The functionality is the same as mentioned
standalone "ipa/migration/index.html".
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal@localhost.localdomain>
Commit 811b0fdb46 introduced a regression
when configuring replication with a master < 3.3
Even if 389-ds schema is extended with nsds5ReplicaReleaseTimeout,
nsds5ReplicaBackoffMax and nsDS5ReplicaBindDnGroupCheckInterval
attributes, it will return UNWILLING_TO_PERFORM when a mod
operation is performed on the cn=replica entry.
This patch ignores the error and logs a debug msg.
See: https://pagure.io/freeipa/issue/7617
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Python scripts are now generated from templates. The scripts are marked
as nodist (no distribution) but install targets. The templates for the
scripts are extra distribution data, no installation (noinst).
Fixes: https://pagure.io/freeipa/issue/7680
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
All Python scripts are now generated from a template with a dynamic
shebang.
ipatests/i18n.py is no longer an executable script with shebang. The
module is not executed as script directly, but rather as
$(PYTHON) ipatests/i18n.py
Fixes: https://pagure.io/freeipa/issue/7680
All Python scripts are now template files with a dynamic shebang line.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
A platform Python interpreter is a special variant of the interpreter,
that is only used for system software. It's located at
/usr/libexec/platform-python.
Fixes: https://pagure.io/freeipa/issue/7680
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a test checking that ipa-* commands properly display
'IPA is not configured on this system' when called on a
system without IPA.
Related to: https://pagure.io/freeipa/issue/6261
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Some commands print tracebacks or unclear error message when
they are called on a machine where ipa packages are installed but
IPA is not configured.
Consistently report 'IPA is not configured on this system' in this
case.
Related to https://pagure.io/freeipa/issue/6261
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add a test for ipautil.run() method called with runas parameter.
The test is using ipautil.run() to execute /usr/bin/id and
checks that the uid/gid are consistent with the runas parameter.
Note that the test needs to be launched by the root user
(non-privileged user may not have the rights to execute ipautil.run()
with runas parameter).
Related to: https://pagure.io/freeipa/issue/7681
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa-server-install --uninstall -v -U prints Traceback in its log file.
This issue happens because it calls subprocess.Popen with close_fds=True
(which closes all file descriptors in the child process)
but it is trying to use the file logger in the child process
(preexec_fn is called in the child just before the child is executed).
The fix is using the logger only in the parent process.
Fixes: https://pagure.io/freeipa/issue/7681
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
--no-host-dns is supposed to avoid all DNS lookups so pass
this as the force value when creating the host in a replica
installation.
https://pagure.io/freeipa/issue/7656
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
This test checks if the access rights for user/group
is set to 644 on /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif/*
and umask 0022 set while restoring.
related ticket: https://pagure.io/freeipa/issue/6844
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Ckeck the output of ipa-server-upgrade script for error.
Related to: https://pagure.io/freeipa/issue/7644
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
There was an issue with ipa-server-upgrade and it was
showing an error while upgrading:
DN... does not exists or haven't been updated, caused
by not moving pointer to file begining when re-reading.
Resolves: https://pagure.io/freeipa/issue/7644
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The indirect members need to be calculated and the member
attributes converted. This is normally done in
baseldap::LDAPRetrieve but these methods provide their
own execute() in order to handle the option values.
Update sudorule_add|remove_option tests to include check
that converted user/group exists in the proper format.
https://pagure.io/freeipa/issue/7649
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
To be translatable messages should be marked with '@i18n' and
present in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7621
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
To be translatable messages should be marked with '@i18n' and
present in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7621
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
To be customizable URL should be placed to "config"
Fixes: https://pagure.io/freeipa/issue/7621
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Disable tests that use domain level 0. Fail early to catch additional
tests that depend on DL0.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
When creating Kerberos keys for trusted domain object account, ipasam
module requests to generate keys using a series of well-known encryption
types. In FIPS mode it is not possible to generate RC4-HMAC key:
MIT Kerberos is using openssl crypto backend and openssl does not allow
use of RC4 in FIPS mode.
Thus, we have to filter out RC4-HMAC encryption type when running in
FIPS mode. A side-effect is that a trust to Active Directory running
with Windows Server 2003 will not be possible anymore in FIPS mode.
Resolves: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
The code in question was supposed to have the same license as the
rest of the plugin. Fix it by updating the comment header.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
The old domain level check to suggest to use ipa-replica-prepare has been
converted to make sure that domain fulfills minimal domain level
requirement (no DL0).
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The hard coded mindomainlevel needs to be increased to 1.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
As there is the minimal domain level setting MIN_DOMAIN_LEVEL, it should
be used instead of DOMAIN_LEVEL_0.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This is not needed anymore due to the removal of the DL0 test
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
DL0 is not supported anymore therefore this test is failing.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This pull should not remove code, therefore it is needed to add addtional
conditionals to calm down pylint beacuse of unreachable code.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
As there is currently only DL1, there is no need to have extra
sentences for "at domain level 1".
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
As there is currently only DL1, there is no need to have extra
sentences for "at domain level 1".
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>