* ipca-ca-install: Use a single ldap connection for the entire
script. Connecting with ccache in promote is not needed.
* ipa-cacert-manage: Always connect to ldap, since renew and install
are the only options and renew seems to need ldap connection even
for self signed certificates.
* ipa-compat-manage: Use one ldap connection for the entire script.
Replaced try-finally with proper disconnect, code block reindented.
* ipa-csreplica-manage: Properly establish and close the ldap connection.
* ipa-dns-install: Proper connect, disconnect to ldap.
* ipa-kra-install: Proper connect/disconnect for install and uninstall.
* ipa-ldap-update: Proper connect and disconnect to ldap.
* ipa-nis-manage: Proper connect/disconnect for ldap. Try-finally removed
and code block reindented.
* ipa-replica-manage: Proper connect/disconnect to ldap.
* ipa-replica-prepare: Connect added to validate_options(), where api is
initialized and disconnected added at the end of run. Reconnect in
ask_for_options() to validate directory manager password.
* ipa-server-certinstall: Use api.Backend.ldap2 for ldap connections.
* ipa-server-upgrade: Connect to and disconnect from api.Backend.ldap2.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Set default bind_dn to cn=directory manager.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove ldap_connect and ldap_disconnect from services. admin_conn is
just an alias to api.Backend.ldap2 and therefore the connection should
be managed elsewhere.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Configure ldap connection in LDAPUpdate to use ldapi.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diconnect the established connection oncee is it no longer needed.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Move connect to the beggining of the uninstall_check and properly
close the connection at the end of the script.
* Connect to ldap in external CA installation (step2).
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove adhoc connects and disconnects of api.Backend.ldap2. Connection
should be established only at the start of the script, destroyed at the
end of the script and re-established when directory server is restarted.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Create a utility function to restart a directory server and
reconnect the api.Backend.ldap2 connection.
* Use restart_dirsrv instead of knownservices.dirsrv.restart to
ensure api.Backend.ldap2 is reconnected.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
connect/disconnect api.Backend.ldap2 connection when directory
server is started/stopped
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Connect and/or disconnect api.Backend.ldap2 connection when directory
server is stopped/restarted. Checking is ldap2 connection is connected
is neccesary for edge cases during ds installation (initial start).
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Set default time_limit and size_limit in ldap2 to unlimited.
* Set time_limit and size_limit to None in backend. This will respect
ipaconfig values.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Installation of Certificate Server replica requires directory manager
password. Specify it explicitly in function call and pass it in
through an argument.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* read realm from config file
* configure api.env to use ldapi genrated from realm
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* enable ldapi and root autobind early during the ds installation
* perform these changes using simple_bind with dm_password
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* move IPAdmin methods to LDAPClient
* add extra arguments (cacert, sasl_nocanon) to LDAPClient.__init__()
* add host, port, _protocol to LDAPClient (parsed from ldap_uri)
* create get_ldap_uri() method to create ldap_uri from former
IPAdmin.__init__() arguments
* replace IPAdmin with LDAPClient + get_ldap_uri()
* remove ununsed function argument hostname from
enable_replication_version_checking()
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Rename do_sasl_gssapi_bind to gssapi_bind
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Rename do_external_bind to external_bind
* Remove user_name argument in external_bind() and always set it
to effective user name
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use LDAPClient.simple_bind instead of extra call to IPAdmin.do_simple_bind
* Rename binddn to bind_dn
* Rename bindpw to bind_password
* Explicitly specify bind_dn in all calls
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Testing whether it is possible to connect to directory server is already done
in RedHatDirectoryService.restart().
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
With FreeIPA 4.4 we moved child domains behind the 'trustdomain' topic.
Update 'ipa trustdomain-del' command to properly calculate DN to the
actual child domain and handle the case when it is missing correctly.
Fixes https://fedorahosted.org/freeipa/ticket/6445
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Replica installation on DL1 would fail to create a httpd instance
due to missing '/etc/httpd/alias/cacert.asc'. Create this file
in the setup_ssl step to avoid the error.
https://fedorahosted.org/freeipa/ticket/6393
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
There is a change introduced in 4.4 that new services have canonical name. The old ones
didn't have it, therefore these services were not correctly displayed in WebUI.
This patch adds support for this type of services. Service name is taken from
'krbprincipalname' attribute in case that 'krbcanonicalname' attribute is not present
in server response.
https://fedorahosted.org/freeipa/ticket/6397
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
cert-show no longer shows validity dates without `--all', but this
is important information that should be shown by default. Make it
so.
Fixes: https://fedorahosted.org/freeipa/ticket/6419
Reviewed-By: Martin Basti <mbasti@redhat.com>
The Object Signing certificate created during server installation
was used only for signing the (recently removed) Firefox extension,
so there's no need to create that certificate any more.
Fixes: https://fedorahosted.org/freeipa/ticket/6399
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
httpd did not publish its certificate on DL1 which could
cause issues during client installation in a rare corner
case where there would be no way of getting the certificate
but from a HTTP instance.
https://fedorahosted.org/freeipa/ticket/6393
Reviewed-By: Martin Basti <mbasti@redhat.com>
Verify that command cert-find, cert-show and cert-request show CA even without
--all.
https://fedorahosted.org/freeipa/ticket/6410
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
When master is without KRA installed, on domain level0 we cannot install
KRA replicas, thus this tests must be skipped on DL0
https://fedorahosted.org/freeipa/ticket/6088
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Currently tests were not testing one-step installation of KRA together
with replica. Adding --setup-kra to replica installation instead of
calling ipa-kra-install after.
https://fedorahosted.org/freeipa/ticket/6088
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
KRA should be tested with warious replication topologies as well, mainly
in domain level 0
https://fedorahosted.org/freeipa/ticket/6088
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
This reverts commit d650c54fe4. The proposed fix
is incorrect since the Configurable class has no knowledge about used debug
options. These are used only in upper layers when configuring loggers.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In tracker, 'self.attrs' variable is created and filled in track_create method.
Some objects are not created but still require access to this variable.
Created 'self.attrs' variable in init
https://fedorahosted.org/freeipa/ticket/6125
Reviewed-By: Milan Kubik <mkubik@redhat.com>
- Make sure to pass down the debug flag to ipa-client-install when
the server install is run in debug mode
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
- Use the correct unicode string for an error message, otherwise an
exception will generate another exception about incorrect type,
masking the original error.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
On pwpolicy module import, "klist -V" is run to determine if the installed
krb5 version supports account lockout (>= 1.8).
Remove the check, as we require a krb5 version which does support account
lockout (1.12).
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The configure script checks for libcurl, but it is never actually used
anywhere.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add import hook to makeapi and makeaci which makes them ignore import
errors in modules in our source tree and instead print a warning.
This makes it possible to build IPA without having to have most of our
runtime dependencies installed.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Instead of importing ipalib to get IPA version string, create setup.py from
a template and have the version string automatically filled in.
This makes it possible to build the ipaserver package without having to
have ipalib dependencies installed.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Check for import errors with pylint to make sure new python package
dependencies are not overlooked.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Lint is never executed from rpmbuild, so the BuildRequires for lint are
purely informational.
Include them only if %with_lint RPM macro is specified.
Update .travis.yml accordingly.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Apparently, the docs were not updated when ipapython/platform was moved
to ipaplatform module and internals have changed.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The original approach with __path__ implemented
by 8f98fa1bd5 broke Pylint:
We decided to resort back to symlinks as it is easiest solution
which does not break pylint in weird ways.
This commit introduces configure --with-ipaplatform option.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This is temporary workaround necessary until we throw away the hand-made
Makefile. ipaplatform is going to be managed by configure, but configure
right now depends on version-update target in Makefile.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This is temporary workaround. makeapi/makeaci transitively import
ipaplatform, which will not exist before configure is executed.
On the other hand, configure requires version.m4,
which is generated by current Makefile.
This change works around this chicked-egg problem. It will disappear
when we start using top-level configure to generate top-level Makefile.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
