Adds validation to prevent user to install ipa with single label
domain.
https://pagure.io/freeipa/issue/7207
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
In order to stop tracking LDAP server cert, ipa-restore is using
dse.ldif to find the certificate name. But when ipa-server-install
--uninstall has been called, the file does not exist, leading to a
IOError exception (regression introduced by 87540fe).
The ipa-restore code properly catches the exception in python3 because
IOError is a subclass of OSError, but in python2 this is not the case.
The fix catches IOError and OSError to work properly with both version.
Fixes:
https://pagure.io/freeipa/issue/7231
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
RADIUS, which is also internally used in the process of OTP
authentication by ipa-otpd, requires MD5 checksums which
makes it impossible to be used in FIPS mode. Don't allow users
setting OTP or RADIUS authentication if in FIPS mode.
https://pagure.io/freeipa/issue/7168
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Bug Description:
When adding an entry, ipa-uuid plugin may generate a unique value
for some of its attribute.
If the generated attribute is part of the RDN, the target DN
is replaced on the fly and the previous one freed.
Unfortunately, previous DN may be later used instead of
the new one.
Fix Description:
Make sure to use only the current DN of the operation
https://bugzilla.redhat.com/show_bug.cgi?id=1496226https://pagure.io/freeipa/issue/7227
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The man page does not provide enough information about replicated
environments and the use of the -r option.
This fix adds an example how to use the same keytab on 2 different
hosts, and points to ipa {service/host}-allow-retrieve-keytab.
Fixes:
https://pagure.io/freeipa/issue/7237
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Bytes would cause the logger to throw up while interpolating the
string.
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
CA-less tests debug logging uses representation of a variable
containing the certificate object, which does not help very much.
Use the actual DER representation of the certificate on such places.
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
host-find <host_name> command performance gets deteriorated when
there's way too many hosts in the LDAP tree. We're adding indices
to try and mitigate this behavior.
https://pagure.io/freeipa/issue/6371
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add NTP, ipa-ca and ADTrust system records tests. Also test if
changes are being reflected when uninstalling a host.
The test cases are added as extension into test_dns_locations suite.
https://pagure.io/freeipa/issue/6091
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When running test_caless suite in py3 we need to open CA cert in
binary mode so we can provide bytes later for python-cryptography.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Decode get_file_contents() in order to not get bytes when running py3
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The pytests_plugins/integration/config.py::Config class
provides the get_logger method in order to customize the
default log of the plugin.
Previously, before commit 07229c8ff6,
the code was using ipa_log_manager, a custom log solution. After
moving to use the default python way, the log is not configured anymore.
This PR address it changing the level to DEBUG in order to capture
the output of pytest_multihosts commands.
As an example, when running `ipa-server-install`, you will be able
to see an output like this:
```
[[...].Host.master.cmd2] Checking DNS domain ipa.test, please wait ...
[[...].Host.master.cmd2]
[[...].Host.master.cmd2] The log file for this installation can be found in /var/log/ipaserver-install.log
[[...].Host.master.cmd2] ==============================================================================
[[...].Host.master.cmd2] This program will set up the FreeIPA Server.
[[...].Host.master.cmd2]
[[...].Host.master.cmd2] This includes:
[[...].Host.master.cmd2] * Configure a stand-alone CA (dogtag) for certificate management
[[...].Host.master.cmd2] * Configure the Network Time Daemon (ntpd)
[[...].Host.master.cmd2] * Create and configure an instance of Directory Server
[[...].Host.master.cmd2] * Create and configure a Kerberos Key Distribution Center (KDC)
```
Fixes: https://pagure.io/freeipa/issue/7186
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Since test_external_ca isn't using the multihost framework,
logs collection has to be set up explicitly.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
ipa-replica-conncheck is using the socket methods sendall()
and sendto() with str. Theses methods expect str params in
python2 but bytes in python3.
Related to
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Adding notice for user to restart services after
ipa-server-certinstall.
https://pagure.io/freeipa/issue/7016
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The caJarSigningCert profile was used for issuing the object signing
certificate for signing the Firefox auto-configuration extension
(XPI). We removed the extension and object signing certificate some
time ago, so remove the profile and the related code that sets it
up.
Fixes: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The CertDB.issue_signing_cert method was used to issue the object
signing cert for signing the Firefox auto-configuration extension
(XPI). We removed the extension and certificate some time ago, and
the method is now unused so remove it.
Part of: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
We added MIME types for JAR and XPI files, which were needed for
correct handling of the Firefox auto-configuration plugin. The
plugin was removed some time ago, so remove the media type
definitions.
Part of: https://pagure.io/freeipa/issue/7226
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The x509.subject_base() function is only used in tests. During
the recent certificate refactoring, we had to get rid of the
ipalib.x509 import from the module scope so that there were no
circular dependecies and add it exactly to this funcion which
is not used in the production code.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
We don't need the strip_header() function, to load an unknown
x509 certificate, load_unknown_x509_certificate() should be used.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
As man page already does it, update the help text to show REPLICA_FILE
as optional.
Fixes https://pagure.io/freeipa/issue/7223
Signed-off-by: Rishabh Dave <rishabhddave@gmail.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
ipa-replica-conncheck can be called with --principal / --password or
with an existing Kerberos credential cache in order to supply the
authorized identity logging in to the master machine (in
auto-master-check mode).
In domain-level 0, the tool is called with --principal and password
and tries to obtain a TGT by performing kinit, but does not set the
env var KRB5CCNAME. Subsequent calls to IPA API do not use the
credential cache and fail. In this case, ipa-replica-conncheck falls
back to using SSH to check master connectivity instead of IPA API,
and the ssh check is less robust.
The code should set the KRB5CCNAME env var for IPA API to use the
credential cache.
Fixes:
https://pagure.io/freeipa/issue/7221
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixed ipa-restore code to get rid of bytes related TypeError and
to get ipa-restore work again.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
krb5-1.16 includes DAL version 7, which changes the signature of
audit_as_req to include local and remote address parameters.
This patch just enables building against the new DAL version and bumps
the minimum in freeipa.spec.in, but doesn't use the new information
for anything.
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
LDIFWriter.unparse() expects the scalar values of the attributes
of the entries to be bytes as it applies a byte regular expression
to check whether to base64-encode the values or not. Previously,
we were passing the scalar attribute values as strings which
was breaking the LDIFWriter.unparse() exectution.
https://pagure.io/freeipa/issue/7131
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
The new template should allow to use python3 to run ipa-run-tests
since it provides the required dependencies for HTML test results
extraction and python3-paramiko.
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
The content synchronization plugin can be limited to the dns subtree in
Directory Server. This increases performance and helps to prevent some
potential issues.
Fixes: https://pagure.io/freeipa/issue/6515
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Before applying replica-s3u2proxy.ldif, we check
if the values are already there. The values can be
there if a replica installation was done in the past
and some info was left behind. Also, the code checks
the values independently.
https://pagure.io/freeipa/issue/7174
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
cffi throws warnings during the implicit cast from char * to
unsigned char * since the support of these casts is nearing
its end of life.
https://pagure.io/freeipa/issue/7131
Previously, CSRs were handled as a Str parameter which brought
trouble to Python 3 because of its more strict type requirements.
We introduce a CertificateSigningRequest parameter which allows to
use python-cryptography x509.CertificateSigningRequest to represent
CSRs in the framework.
https://pagure.io/freeipa/issue/7131
The type checks in ipalib.parameters were too strict. An object
that inherits from a type should implement its public interface.
This should allow us checking for types of objects whose class
implementations are private to a module but they implement a certain
public interface (which is typical for e.g. python-cryptography).
https://pagure.io/freeipa/issue/7131
cert_get_requestdata() method is meant for internal use only and
is never passed a file. Make its parameter public_key_info Bytes
to better represent what's actually being passed to it.
https://pagure.io/freeipa/issue/7131
To avoid insidious bug during server installation on Fedora 27,
the dependency of 389-ds-base is bumped.
https://bugzilla.redhat.com/show_bug.cgi?id=1488295
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
During integration tests, the log level of 8192 (replication debugging)
was excessive and made reading 389-ds logs very hard without providing
any useful information.
Part of: https://pagure.io/freeipa/issue/7162
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixing import errors introduced by commits
icac3475a0454b730d6e5b2093c2e63d395acd387 and
0b7d9c5.
https://pagure.io/freeipa/issue/7132
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.
The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
cmd.api.Command.dnsrecord_split_parts expects name to be unicode
string and instead gets ascii. It leads to an error:
ipa: ERROR: invalid 'name': must be Unicode text
This commit's change is casting name's type to unicode so
'ipa dnsrecord-mod' will not fail with error above.
https://pagure.io/freeipa/issue/7185
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When performing force synchronization, implicitly ignore initial
time skew (if any) and restore it afterwards.
This also changes semantics of force-sync by waiting until the end of
the initial replication.
Fixes https://pagure.io/freeipa/issue/7211
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
