Move the remaining plugin code from ipalib.plugins to ipaserver.plugins.
Remove the now unused ipalib.plugins package.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Specify RPC connection options once in API.bootstrap rather than in each
invocation of rpcclient.connect.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
In all *-find commands, member attributes shouldn't be processed due
high amount fo ldpaserches cause serious performance issues. For this
reason --no-members option is set by default in CLI and API.
To get members in *-find command option --all in CLI is rquired or
'no_members=False' or 'all=True' must be set in API call.
For other commands processing of members stays unchanged. WebUI is not
affected by this change.
https://fedorahosted.org/freeipa/ticket/4995
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The code was duplicate and less generic anyway.
As a side-effect I had to re-wrap dns.exception.DNSException into a
PublicError so it can be displayed to the user.
DNSError is now a super class for other DNS-related errors. Errors from
DNS resolver are re-raised as DNSResolverError.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
Forwarding policy "first" or "none" may conflicts with some automatic empty
zones. Queries for zones specified by RFC 6303 will ignore
forwarding and recursion and always result in NXDOMAIN answers.
This is not detected and warned about. Global forwarding is equivalent
to forward zone ".".
Example:
Forward zone 1.10.in-addr.arpa with policy "first"
will not forward anything because BIND will automatically prefer
automatic empty zone "10.in-addr.arpa." which is authoritative.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
Include keyword arguments of exceptions in RPC responses. This is limited
to JSON-RPC, as XML-RPC does not support additional data in error
responses.
Include keyword arguments of messages in RPC responses.
Include keyword arguments of exceptions in batch command result.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
The 'certificate' option is Str, but 'usercertificate' is Bytes.
Decode before comparing one with the other.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
The attributes krbextradata, krbprincipalkey, and userpassword contain
binary data.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Python 3 unsets the exception variable at the end of an "except"
block to prevent reference cycles and speed up garbage collection.
Store the exception under a different name in order to use it later.
Part of the work for https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In Python 3, a module from the current package can be imported
either with the absolute name or by using an explicit relative import.
Part of the work for https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
This fix provides means to remove certificates from host that were added during tests, but not removed.
Ticket: https://fedorahosted.org/freeipa/ticket/5839
Reviewed-By: Martin Basti <mbasti@redhat.com>
API commands inheriting from LDAPSearch should mention which limit was
exceeded in the warning message sent with truncated results.
https://fedorahosted.org/freeipa/ticket/5677
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The short hostname construction for the negative test case in
test_cert_plugin::test_cert_find suite could not work when domain name was
different as hostname of the test runner, leading to test failure. A more
naive approach works better in this case.
https://fedorahosted.org/freeipa/ticket/5688
Reviewed-By: Martin Basti <mbasti@redhat.com>
pylint 1.5 prints many false positive no-member errors which are
supressed by this commit.
https://fedorahosted.org/freeipa/ticket/5615
Reviewed-By: David Kupka <dkupka@redhat.com>
Fixes some Coverity issues
ipadiscovery.py: added assert should universe break
plugins/dns.py: removed dead code
dnssec/ldapkeydb.py: attribute assert in the proper object
test_automount_plugin.py: fixed possible close() on None
xmlrpc_test.py: Coverity does not like accessing None.__class__
https://fedorahosted.org/freeipa/ticket/5661
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Follow-up to commit 23507e6124
The six way of doing this is to replace all occurences of "unicode"
with "six.text_type". However, "unicode" is non-ambiguous and
(arguably) easier to read. Also, using it makes the patches smaller,
which should help with backporting.
https://fedorahosted.org/freeipa/ticket/5623
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Enables check and fixes:
************* Module ipa-replica-conncheck
install/tools/ipa-replica-conncheck:150:
[W0106(expression-not-assigned), parse_options] Expression
"(replica_group.add_option('-w', '--password', dest='password',
sensitive=True, help='Password for the principal'), )" is assigned to
nothing)
************* Module ipatests.test_xmlrpc.test_automount_plugin
ipatests/test_xmlrpc/test_automount_plugin.py:437:
[W0106(expression-not-assigned),
test_automount_indirect.test_1a_automountmap_add_indirect] Expression
"api.Command['automountmap_add_indirect'](self.locname, self.mapname,
**self.map_kw)['result']" is assigned to nothing)
************* Module ipatests.test_ipaserver.test_otptoken_import
ipatests/test_ipaserver/test_otptoken_import.py:128:
[W0106(expression-not-assigned), test_otptoken_import.test_mini]
Expression "[(t.id, t.options) for t in doc.getKeyPackages()]" is
assigned to nothing)
************* Module ipatests.test_ipaserver.test_ldap
ipatests/test_ipaserver/test_ldap.py:221:
[W0106(expression-not-assigned), test_LDAPEntry.test_popitem] Expression
"list(e) == []" is assigned to nothing)
************* Module ipa-client-install
ipa-client/ipa-install/ipa-client-install:114:
[W0106(expression-not-assigned), parse_options] Expression
"(basic_group.add_option('-p', '--principal', dest='principal',
help='principal to use to join the IPA realm'), )" is assigned to
nothing)
ipa-client/ipa-install/ipa-client-install:116:
[W0106(expression-not-assigned), parse_options] Expression
"(basic_group.add_option('-w', '--password', dest='password',
sensitive=True, help='password to join the IPA realm (assumes bulk
password unless principal is also set)'), )" is assigned to nothing)
ipa-client/ipa-install/ipa-client-install:118:
[W0106(expression-not-assigned), parse_options] Expression
"(basic_group.add_option('-k', '--keytab', dest='keytab', help='path to
backed up keytab from previous enrollment'), )" is assigned to nothing)
ipa-client/ipa-install/ipa-client-install:120:
[W0106(expression-not-assigned), parse_options] Expression
"(basic_group.add_option('-W', dest='prompt_password',
action='store_true', default=False, help='Prompt for a password to join
the IPA realm'), )" is assigned to nothing)
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Enables check and fixes:
ipatests/test_xmlrpc/test_permission_plugin.py:534:
[W1301(unused-format-string-key), test_permission] Unused key 'tdn' in
format string dictionary)
ipatests/test_xmlrpc/test_permission_plugin.py:652:
[W1301(unused-format-string-key), test_permission] Unused key 'tdn' in
format string dictionary)
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The ipautil.run function now returns an object with returncode and
output are accessible as attributes.
The stdout and stderr of all commands are logged (unless skip_output is given).
The stdout/stderr contents must be explicitly requested with a keyword
argument, otherwise they are None.
This is because in Python 3, the output needs to be decoded, and that can
fail if it's not decodable (human-readable) text.
The raw (bytes) output is always available from the result object,
as is "leniently" decoded output suitable for logging.
All calls are changed to reflect this.
A use of Popen in cainstance is changed to ipautil.run.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The previous way of implementing trackers in the module with
the test caused circular imports. The separate package resolves
this issue.
https://fedorahosted.org/freeipa/ticket/5467
Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
Fix for https://fedorahosted.org/freeipa/ticket/4826 temporarily disallowed
modification of local ID ranges via API calls The corresponding XMLRPC tests
were updated to reflect this change.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Test 'Try to add SRV record to zone %r both via parts and a raw value'
can raise various exceptions which are all valid. Due to internal
representation IPA may raise exception for any of target, port,
priority, weight part.
This commit handles all of them.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
192.0.2.0/24 is IANA reserved address that should not be used. netaddr
module check implemented for this address and IPA reject this address as
invalid.
198.18.0.0/15 is IANA reserved address for benchmark testing purpose, so
we can safely use this network.
http://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Web UI tests were marked as tier1 tests.
The tier system is intended to be used together with CI system
to make sure the more complicated tests are being run only
when all of the basic functionality is working.
The system is using pytest's marker system. E.g. an invocation of
all tier1 tests with listing will look like:
$ py.test -v -m tier1 ipatests
or in case of out of tree tests:
$ ipa-run-tests -m tier1
Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
Added try-except block in dns plugin in order to provide user
friendly message to end user.
https://fedorahosted.org/freeipa/ticket/4811
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Also includes basic ACL manipulation and adding
and removing members to/from the acl.
https://fedorahosted.org/freeipa/ticket/57
Reviewed-By: Martin Basti <mbasti@redhat.com>
The patch implements the tracker for CA ACL feature.
The basic CRUD checkers has been implemented. The methods
for adding and removing the association of the resources
with the ACL do not have the check methods. These will be provided
as a separate test suite.
https://fedorahosted.org/freeipa/ticket/57
Reviewed-By: Martin Basti <mbasti@redhat.com>
As far as IPA objects are concerned, ID overrides are supposed
to be removed when the respective user/group is removed.
Adds a couple of tests to ensure this behaviour is covered.
https://fedorahosted.org/freeipa/ticket/5322
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
- Don't encode under Python 3, where shlex would choke on bytes
- Sort the attrs dictionary in export_to_string, so the tests are
deterministic. (The iteration order of dicts was always unspecified,
but was always the same in practice under CPython 2.)
Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Nonexistent domains have to be added/deleted with force
* Warning messages are emitted
* Some error messages have been altered
https://fedorahosted.org/freeipa/ticket/5278
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, the types module no longer provide alternate names for
built-in types, e.g. `types.StringType` can just be spelled `str`.
NoneType is also removed; it needs to be replaced with type(None)
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
StandardError was removed in Python3 and instead
Exception should be used.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The six way of doing this is to replace all occurences of "unicode"
with "six.text_type". However, "unicode" is non-ambiguous and
(arguably) easier to read. Also, using it makes the patches smaller,
which should help with backporting.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Since IPA 4.2 has an additional permission
"Request Certificate ignoring CA ACLs", the number of legacy
permission in testcase is updated from 8 to 9.
https://fedorahosted.org/freeipa/ticket/5264
Signed off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
In Python 3, range() behaves like the old xrange().
The difference between range() and xrange() is usually not significant,
especially if the whole result is iterated over.
Convert xrange() usage to range() for small ranges.
Use modern idioms in a few other uses of range().
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 2, map() returns a list; in Python 3 it returns an iterator.
Replace all uses by list comprehensions, generators, or for loops,
as required.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.
- Removed Backend.krb and KRB5_CCache classes
They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
Using api.env.realm instead of krbV call
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
The vault-mod command has been modified to support changing vault
encryption attributes (i.e. type, password, public/private keys)
in addition to normal attributes (i.e. description). Changing the
encryption requires retrieving the stored secret with the old
attributes and rearchiving it with the new attributes.
https://fedorahosted.org/freeipa/ticket/5176
Reviewed-By: Martin Basti <mbasti@redhat.com>
These tests excercise various scenarios when using new class of API commands
to add or remove certificates to user/service/host entries.
Part of http://www.freeipa.org/page/V4/User_Certificates
Reviewed-By: Milan Kubík <mkubik@redhat.com>
Some of the IPA LDAP entries are using ipaUniqueID as
the "primary key". To match this UUID based attribute
in assert_deepequal, an instance of Fuzzy class must
be used. This change adds the possibility to assign
the Fuzzy object as the DN for the tracked entry.
The user may need to override the rdn and name
properties for the class using the Fuzzy DN.
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Use Python-3 compatible syntax, without breaking compatibility with py 2.7
- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
strict type checking checking, e.g. type(0).
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Old certificates of the services are no longer removed and revoked
after new ones have been issued.
Check that both old and new certificates are present.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The realmdomains_mod command will fail if the testing environment
is configured improperly and the IPA domain's NS/SOA records are
not resolvable. This can easily happen if the machine's DNS server
is not configured to the IPA server.
Leave a explanatory note in the class.
Reviewed-By: Martin Basti <mbasti@redhat.com>
<ame> -> <name>
overriden -> overridden
ablity -> ability
enties -> entries
the the -> the
https://fedorahosted.org/freeipa/ticket/5109
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
New LDAP ACIs have been added to allow vault owners to manage the
vaults and to allow members to access the vaults. New CLIs have
been added to manage the owner and member list. The LDAP schema
has been updated as well.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
A new attribute ipaVaultPublicKey has been added to replace the
existing ipaPublicKey used to store the vault public key.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The vault plugin has been modified to support symmetric and asymmetric
vaults to provide additional security over the standard vault by
encrypting the data before it's sent to the server. The encryption
functionality is implemented using the python-cryptography library.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
With added support for multiple certificates for hosts, services, and even
users, IPA testing framework will need a more flexible way to generate
temporary testing certificates for these entities. This patch modifies the
currently used `testcert` module to support these requirements.
Related to work on http://www.freeipa.org/page/V4/User_Certificates
Reviewed-By: Milan Kubík <mkubik@redhat.com>
Show warning messages if DNSSEC validation is failing for particular FW
zone or if the specified forwarders do not work
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Validation now provides more detailed information and less false
positives failures.
https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
New commands have been added to archive and retrieve
data into and from a vault, also to retrieve the
transport certificate.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Implements a base class to help test LDAP based plugins.
The class has been decoupled from the original host plugin test
and moved to separate module ipatests.test_xmlrpc.ldaptracker.
https://fedorahosted.org/freeipa/ticket/5032
Reviewed-By: David Kupka <dkupka@redhat.com>
Service Constraints are the delegation model used by
ipa-kdb to grant service A to obtain a TGT for a user
against service B.
https://fedorahosted.org/freeipa/ticket/3644
Reviewed-By: Martin Basti <mbasti@redhat.com>
A new plugin has been added to manage vaults. Test scripts have
also been added to verify the functionality.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add regression test to check whether a post detach group has a full set of objectclass.
Add regression test to check whether group-add-member is successfull for a post detach group.
https://fedorahosted.org/freeipa/ticket/4909
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Adds xmlrpc tests for:
- Adding a user ID override with sshpubkey
- Modifying a user ID override to contain sshpubkey
- Removing a sshpubkey value from a user ID override
https://fedorahosted.org/freeipa/ticket/4868
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This adds a test case which makes sure that referential integrity
plugin does not leave any trailing references for ipaAssignedIDView
attribute on hosts, if the ID view being referenced has been deleted.
https://fedorahosted.org/freeipa/ticket/4839
Reviewed-By: David Kupka <dkupka@redhat.com>
The racker object "remembers" expected state across several tests,
so only changes (rather than all expected state) need to be specified
in each test. Also, the tracker fixture will make it easy to use hosts
in other test modules.
This change makes the tests independent; any permutation of any subset
of these tests should now pass.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This has several advantages:
- Tests other than run-command/check-response can be added easily
- Tracebacks are meaningful (which means we'll be able to remove a lot of
test name/description/location tracking code)
- Individual tests can be selected/deselected using normal pytest mechanisms
(but for isolated tests, more changes will be needed)
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Drop support for pylint < 1.0
Enable ignoring unknown attributes on modules (both nose and pytest
use advanced techniques, support for which only made it to pylint
recently)
Fix some bugs revealed by pylint
Do minor refactoring or add pylint:disable directives where the
linter complains.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
`--hosts` and `--hostgroup` options added to:
* service-allow-create-keytab
* service-allow-retrieve-keytab
* service-disallow-create-keytab
* service-disallow-retrieve-keytab
* host-allow-create-keytab
* host-allow-retrieve-keytab
* host-disallow-create-keytab
* host-disallow-retrieve-keytab
in order to allow hosts to retrieve keytab of their services or related hosts as described on http://www.freeipa.org/page/V4/Keytab_Retrieval design page
https://fedorahosted.org/freeipa/ticket/4777
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Provide a local pytest plugin to generate tests.
The Declarative tests can now only be run with pytest
https://fedorahosted.org/freeipa/ticket/4610
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Pytest will consider each Declarative test individually, running
setup/teardown for each one.
Move the setup and teardown to the class level.
https://fedorahosted.org/freeipa/ticket/4610
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Nose ran the `test_a_*` and `test_a2_*` tests in opposite order
than the source suggested. Fix this.
https://fedorahosted.org/freeipa/ticket/4610
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The setUp/dearDown names are used in the unittest module, but there is no reason
to use them in non-`unittest` test cases.
Nose supports both styles (but mixing them can cause trouble when
calling super()'s methods).
Pytest only supports the new ones.
https://fedorahosted.org/freeipa/ticket/4610
Reviewed-By: Tomas Babej <tbabej@redhat.com>
iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers
Solved by new iparangetyperaw output attribute which contains iparangetype's raw value
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Add coverage for the ID views and ID overrides.
Part of: https://fedorahosted.org/freeipa/ticket/3979
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When renaming a object to the same name, errors.EmptyModList is raised.
This is not properly handled, and can cause other modifications in the
LDAPUpdate command to be ignored.
https://fedorahosted.org/freeipa/ticket/4548
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Description attribute is not required in LDAP schema so there is no reason to
require it in UI. Modified tests to reflect this change.
https://fedorahosted.org/freeipa/ticket/4387
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Currently a number of v2 permissions are in $SUFFIX, which the original
test did not anticipate.
Properly check that legacy permissions are found.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
The host-del command did not accept --continue option, since the
takes_options was overriden and did not take the options from LDAPDelete.
Fix the behaviour.
https://fedorahosted.org/freeipa/ticket/4473
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The attributes entryusn, createtimestamp, and modifytimestamp
should be readable whenever thir entry is, i.e. when we allow reading
the objectclass.
Automatically add them to every read permission that includes objectclass.
https://fedorahosted.org/freeipa/ticket/4534
Reviewed-By: Martin Kosek <mkosek@redhat.com>
bind-dyndb-ldap's bug caused test failure
https://fedorahosted.org/bind-dyndb-ldap/ticket/123
Owners with NS record works with the bug
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
