The ipa-client-automount script used lxml.etree to modify
/etc/autofs_ldap_auth.conf.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The module ipapython.dnssec.odsmgr is the only module in ipalib,
ipaclient, ipapython and ipaplatform that uses lxml.etree.
https://fedorahosted.org/freeipa/ticket/6469
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Exclude rpmbuild from pylint checks when make lint is executed.
Clean up the current find expression.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
api.env.nss_dir is no longer hard-coded to paths.IPA_NSSDB_DIR. Instead
the path is calculated relative to api.env.confdir. The default value
is still /etc/ipa/nssdb. The change makes it a bit easier to run
FreeIPA's API with a custom configuration directory.
See https://fedorahosted.org/freeipa/ticket/6386
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipaplatform.fedora.services used to modify the redhat_system_units dict.
It now creates a proper shallow copy.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Some of the .less files included by ipa.less were not listed in the
Makefile.am so some changes might not trigger a rebuild.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This allows us to simply use makerpms.sh to configure the build tree,
install RPMs to configure system for the first time and then use make install
for rapid devel/test cycles.
Configuration parameters were taken from rpm-4.13.0-0.rc1.27.fc24.x86_64.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Automake manual section 13 What Gets Cleaned says that make maintainer-clean
should not remove files necessary for subsequent runs of ./configure.
It practically means that all usages of MAINTAINERCLEANFILES were incorrect
so I've removed them.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Build called from makerpms.sh is not verbose by default anymore.
It still prints all directories and files it builds but the long
command lines are hidden by default.
It has the advantage that compiler and other warnings are visible to
developers right away. If you need to debug something,
use --disable-silent-rules to override the default
(or call configure manually).
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Setuptools will print only warnings. The option has to be used before
setuptools command specification, otherwise it will not apply to sub-commands.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
- Make sure that the file /var/run/ipa/renewal.lock is deleted upon
uninstallation, in order to avoid subsequent installation issues.
- Modify certmonger renewal script: restart the http/dirsrv services
only if they were already running
- Cleanup certmonger ra renewal script: no need to restart httpd
- Reorder during http install: request the SSL cert before adding
ipa-service-guard
Rationale: when a CA helper is modified, certmonger launches the helper
with various operations (FETCH_ROOTS, ...). If the CA helper is once again
modified, the on-going helper is killed. This can lead to
ipa-service-guard being killed and not releasing the renew lock.
If the SSL cert is requested with IPA helper before ipa-service-guard is added,
we avoid this locking issue.
Part of the refactoring effort, certificates sub-effort.
https://fedorahosted.org/freeipa/ticket/6433
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
In order to use the commit template, run the
following command:
git config commit.template .git-commit-template
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
As the group type has been changed from 'normal' to 'nonposix' we need to update
this information also in tests.
https://fedorahosted.org/freeipa/ticket/6334
Reviewed-By: Martin Basti <mbasti@redhat.com>
Method file_exists is reported by pylint as not being a member of transport
object, however it is used as such. Adding the method to object to avoid pylint
errors or unnecessary pylint disable.
https://fedorahosted.org/freeipa/ticket/6400
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Providing cleanup of trust information from AD machines for legacy client tests.
https://fedorahosted.org/freeipa/ticket/6396
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
ipaclient plugins are now using nss_dir from api.env instead of
hard-coded paths.IPA_NSSDB_DIR.
Closes: https://fedorahosted.org/freeipa/ticket/6386
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The cert-request command used to accept CSRs that had extra data
surrounding the PEM data, e.g. commentary about the contents of the
CSR. Recent commits that switch to using python-cryptography for
cert and CSR handling broke this. Our acceptance tests use such
CSRs, hence the tests are now failing.
To avoid the issue, freshly encode the python-cryptography
CertificateSigningRequest object as PEM. This avoids re-using the
user-supplied data, in case it has extraneous data.
Fixes: https://fedorahosted.org/freeipa/ticket/6472
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
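
The commit message above describes re-encoding the parsed CSR rather than forwarding the user-supplied text. The following is an added example, not FreeIPA's code (which re-encodes a python-cryptography CertificateSigningRequest object): a standard-library stand-in that checks only the outer DER framing, not the request contents. The names normalize_csr, SAMPLE_DER and SAMPLE_INPUT are hypothetical and the sample data is constructed.

```python
import base64
import re

# Matches one PEM CSR block; both common labels are accepted.
_PEM_CSR = re.compile(
    r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.DOTALL,
)


def _der_sequence_is_exact(der):
    """True if der is one SEQUENCE whose encoded length spans all of der."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first == len(der)
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)


def normalize_csr(user_text):
    """Return a freshly encoded PEM CSR built from the decoded bytes only."""
    blocks = _PEM_CSR.findall(user_text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one CSR block, found %d" % len(blocks))
    body = "".join(blocks[0].split())     # drop line breaks inside the block
    der = base64.b64decode(body, validate=True)  # rejects non-base64 characters
    if not _der_sequence_is_exact(der):
        raise ValueError("PEM body is not a single DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE REQUEST-----\n")


# Constructed sample: a placeholder DER SEQUENCE, not a real CSR.
SAMPLE_DER = b"\x30\x06\x02\x01\x00\x04\x01\x41"
SAMPLE_INPUT = (
    "Request for host.example.test (commentary added by the submitter)\n"
    "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END NEW CERTIFICATE REQUEST-----\n"
    "-- sent from my workstation --\n"
)
```

Only the output of normalize_csr(SAMPLE_INPUT) would be passed on; the commentary before and after the block never leaves the function.
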
Previously an adhoc connection was established for checking if
dns(sec) container exists. A simple or external bind was used.
Instead, always connect with ldapi through api.Backend.ldap2.
https://fedorahosted.org/freeipa/ticket/6461
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
With this fix, the user will be notified about pressing enter
to proceed with the IPA installation procedure, if the user has
provided a valid IP address previously.
Fixes https://fedorahosted.org/freeipa/ticket/5949
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Migrate ipa-client-install from the custom script to the new installer
class hierarchy classes.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti <mbasti@redhat.com>
Migrate ipa-server-install and ipa-replica-install from the old installer
classes to the new installer class hierarchy classes.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add class hierarchy which allows inheriting knob definitions between the
various client and server install scripts.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add new @group decorator to declare an installer class as a knob group
instead of subclassing Group, so that subclassing the installer does not
create duplicates of the original group.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti <mbasti@redhat.com>
Declare knob bases explicitly using a keyword argument instead of guessing
if the type argument is a base or a type of the knob.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti <mbasti@redhat.com>
Replace cli_name, cli_short_name and cli_positional knob arguments with a
single cli_names argument, which allows defining one or more CLI names
using the argparse convention ("--option" for long option name, "-o" for
short option name and "argument" for positional argument name).
Also replace cli_aliases with cli_deprecated_names which uses the same
convention.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use type(None) rather than bool to define knobs which are represented as
command line flags. This allows declaring both "--option" and
"--option={0,1}"-style command line options.
Use enum.Enum subclasses instead of set literals to declare enumerations.
Use typing.List[T] instead of (list, T) to declare lists. (Note that a
minimal reimplementation of typing.List is used instead of the Python 2
backport of the typing module due to non-technical reasons.)
Use CheckedIPAddress instead of 'ip' and 'ip-local' to declare IP
addresses.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add new knob() knob constructor. Keep the old Knob() constructor for
backward compatibility with old code.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti <mbasti@redhat.com>
Let IPAOptionParser handle parsing of its supported types and use an option
callback only for unsupported types.
Instead of parsing positional arguments manually, parse them using a custom
IPAOptionParser instance, reusing the option parsing code.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti <mbasti@redhat.com>
Instead of specifying which knobs should be positional arguments in
cli.install_tool(), do it using a flag in knob definition, where the rest
of CLI configuration is.
As a side effect, the usage string for CLI tools can now be generated
automatically.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Martin Basti <mbasti@redhat.com>
Dogtag requires Directory Manager password for its installation.
On Domain Level 1 a special password for Directory Manager is
created and used during the installation. However, by importing
the real DM password from remote LDAP, we can no longer use
the temporary password from the replica installation.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This functionality was merged to Service class and is no longer used
anywhere.
https://fedorahosted.org/freeipa/ticket/6405
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>