If CERTMONGER_CERTIFICATE is not set in certain scenario, the
code would fail since None cannot be passed to loading certificates.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The recent certificate refactoring assures that ipaldap operations
are able to work with IPACertificate values when communication with
the LDAP server. Use these capabilities and prevent possible bugs.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This was a forgotten part from previous certificate refactoring which
would cause issues since the second part of results throughout the
dogtag-ipa-ca-renew-agent-submit is expected to be a string.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The hyphenated forms are less ambiguous and easier to read.
(For more grammar background, see for example
"Hyphenate Complex Adjectives" in http://stylepedia.net/
Grammar-Hyphenation )
https://pagure.io/freeipa/issue/6582
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
Set python3-mod_wsgi as a requirement for FreeIPA in the spec file
if with_python3 is specified so that httpd runs IPA server under
Python 3.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This is a commit which expands current scripts being run under
python3 by default. We set the -bb option so that any Bytes/Str
error breaks execution.
This commit shall be reverted before reaching production.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
In case someone is using the script from tarball, outside of git,
the git checkout command shouldn't fail the script.
Related https://pagure.io/freeipa/issue/6605
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
There are multiple types of entries and objects accessible in API and not all
of them have the same set methods. Spliting Tracker into multiple trackers
should reflect this better.
https://pagure.io/freeipa/issue/7105
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
In Fedora 27 curl is proposing to switch to using OpenSSL as
the crypto backend instead of NSS. This requires a new set of
arguments to certmonger to bootstrap fetching the IPA RA cert.
https://pagure.io/freeipa/issue/7076
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Previously all columns was shown as links, that was caused by setting
link attribute of each column to true. This true value was there because
of possibility to turn off links in whole table on self-service pages.
Now only column which is primary key is set to be shown as link.
https://pagure.io/freeipa/issue/7066
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
*.po are re-generated during build. These changes shouldn't be
comitted to git unless translation have been updated (during
release).
Fixes https://pagure.io/freeipa/issue/6605
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
traceback.format_exc() does not take exception object as an argument.
This made Python 3 get stuck amid ipa-replica-conncheck, probably
because it was waiting for a thread to finish.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
When service-find was issued under Python 3, the command fails
because it tried to sort a list of Principal objects which was not
possible.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
The latest version of caIPAserviceCert profile includes a feature
that is not available before Dogtag 10.4, and this version of the
profile is intended for new installs only (otherwise, problems will
arise in topologies containing CA replicas at an earlier version).
But IPA versions before v4.2 did not use LDAP-based profiles, so the
new version of the profile gets imported when upgrading from
pre-v4.2 to v4.5 or later.
We do not yet have a proper version- and topology-aware profile
update mechanism, so to resolve this issue, ship the older version
of the profile alongside the newer version, and make sure we use the
older version when importing the profile in an upgrade context.
https://pagure.io/freeipa/issue/7097
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Creating a method to check if ipa client is configured. Also,
changing scripts to use it instead of duplicating the check.
https://pagure.io/freeipa/issue/6261
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
It may happen that FQDN does not match with the domain mapped to
the host. In this case we add wildcard for both domains.
https://pagure.io/freeipa/issue/7100
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
IPA should suggest user to install dependent packages instead
of throwing traceback. To work with IPA and Yubikey, packages
libyubikey(not in official RHEL repo) and libusb are required.
Resolves: https://pagure.io/freeipa/issue/6979
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
bytes/str fixes for LDAP data, JSON encoding and temp files.
Require jwcrpyto 0.4.2 with fix for RHBZ #1476150https://pagure.io/freeipa/issue/4985
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
To know what to focus on when some check fail. E.g. to detect that
IPv6 address or its resolution for localhost is misconfigured.
https://pagure.io/freeipa/issue/7083
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
host_port_open copied logging behavior of ipa-replica-conncheck utility
which doesn't make it much reusable.
Now log level can be controlled from caller so other callers might use
other logging level without host_port_open guessing what was the
intention.
https://pagure.io/freeipa/issue/7083
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
ipaldap.LDAPEntry expects that entry attributes, if multi-valued,
are lists.
The recent cert refactoring made it possible to pass certificate
values from options directly to LDAPEntry. This should now be
handled in appropriate general way in baseldap.LDAPCreate
since if options.get() is called, it returns tuple instead
of list which confuses ipaldap.
https://pagure.io/freeipa/issue/7077
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
external_ca test suite is failing during installation due to
missing SKI extension.
https://pagure.io/freeipa/issue/7099
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
The server-del command passes str instance instead of bytes to
ldap.modify_s which results in the target server not being
removed properly.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
Python 3 does not allow comparing SetuptoolsVersion and str
instances.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
There were several cases in ipaserver.install.certs where bytes
would be read/written as normal strings, this commit fixes that.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
This commit enables ipa-client-install to be installable in
Python 3 and makes it run in Python 3 by default.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
We were trying to load a certificate as a string even though it
was an object already.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Since OptionParser behaves differently in Python 2/3,
zonemgr_callback now handles value as str in both version.
https://pagure.io/freeipa/issue/5990
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
It's nearly impossible to find out what happened when doing
replica connection check and it fails during the RPC phase.
The error is now logged.
Reviewed-By: Martin Basti <mbasti@redhat.com>
When version is mismatched and ipa-server-upgrade is required,
log the version mismatch properly in journal.
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
certmonger returns PEM certificates with an additional newline
after the base64 encoded cert, remove it
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Certificates, both in PEM and DER format, should be handled as bytes
in Python 3.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>