By default, pytest considers test classes only if they're named
'Test*'; Nose also allows 'test_*'.
Configure pytest to allow the non-pep8 names as well.
Reviewed-By: Tomas Babej <>
The setUp/tearDown names are used in the unittest module, but there is no reason
to use them in non-`unittest` test cases.
Nose supports both styles (but mixing them can cause trouble when
calling super()'s methods).
Pytest only supports the new ones.
Reviewed-By: Tomas Babej <>
Interactive prompt callback returns list of str instead of CheckedIPAddress
Reviewed-By: Jan Cholasta <>
Instead of manually encoding controls, use an actual asn1 compiler.
The file asn1/asn1c/ipa.asn1 will contain ipa modules. The generated code
is committed to the tree and built into a static library that is linked
to the code that uses it.
The first module implements the GetKeytabControl control.
Reviewed-By: Alexander Bokovoy <>
Reviewed-By: Nathaniel McCallum <>
The filtering was incorrect and would result in always discarding all values.
Also make sure there are no duplicates in the list.
Partial fix for:
Reviewed-By: Alexander Bokovoy <>
Reviewed-By: Nathaniel McCallum <>
so that httpd ccache won't contain old credentials which would make ipa CLI fail with error:
Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Decrypt integrity check failed)
Reviewed-By: Petr Viktorin <>
Because of dnspython implementation, in some cases UnicodeError is
raised instead of DNS SyntaxError
Reviewed-By: Jan Cholasta <>
Escape user defined text to prevent XSS attacks. Extra precaution was taken
to escape also parts which are unlikely to contain user-defined text.
fixes CVE-2014-7850
Reviewed-By: Tomas Babej <>
This is just a workaround; checking if the CA is working raises a false positive
exception during upgrade
Reviewed-By: Simo Sorce <>
The expiration date was always set to the expiration date of the original
Reviewed-By: David Kupka <>
This is possible because python-qrcode's output now fits in a standard
terminal. Also, update ipa-otp-import and otptoken-add-yubikey to
disable QR code output as it doesn't make sense in these contexts.
Reviewed-By: Petr Vobornik <>
This way make rpms will always generate new packages that can be installed on
top of older ones, regardless of alphabetic ordering of the GIT commit id.
Also make sure version and date variables are immediately resolved, so they can't
change during the build.
Reviewed-By: Nathaniel McCallum <>
Just adding dir to specfile doesn't work, because it is not guaranteed that
named is installed during RPM installation.
Reviewed-By: Jan Cholasta <>
The man pages for various FreeIPA setup tools are more descriptive on how to
configure multiple DNS forwarders than the corresponding cli help. This patch
makes the cli help more verbose now for the following tools:
* ipa-dns-install
* ipa-replica-install
* ipa-server-install
Reviewed-By: Martin Basti <>
(Link to) service file from /etc/systemd/system/ must be removed before masking
systemd service.
Reviewed-By: Jan Cholasta <>
Mixing 'Old' and 'New' attr style for referential integrity plugin causes errors.
Now old settings are migrated to new-style settings before upgrade
Reviewed-By: David Kupka <>
The wrong search scope was being used when trying to determine if
a given master had a CA installed when trying to create a new
Reviewed-By: Nathaniel McCallum <>
IPA only uses one instance of the directory server. When an instance
is not specified to a call to service.start/stop/restart/...,
use IPA's instance.
Stopping a systemd service is synchronous (by default), but stopping
a target is not. This change ensures that the directory server
is actually down when stop() finishes.
Reviewed-By: Jan Cholasta <>
Installer adds zonemgr as relative (and invalid) address.
This fix forces the installer to use an absolute email.
Reviewed-By: David Kupka <>
Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit.
Create /etc/ipa/nssdb after restore if necessary.
Reviewed-By: Petr Viktorin <>
Base RID is no longer editable for ipa-trust-ad-posix range type
Adder dialog:
- Range type selector was moved up because it affects a field above it
Details page:
- Only fields relevant to range's type are visible
Reviewed-By: Tomas Babej <>
iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers
Solved by new iparangetyperaw output attribute which contains iparangetype's raw value
Reviewed-By: Tomas Babej <>
We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID -> UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense.
Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type.
No schema change is done.
Reviewed-By: Tomas Babej <>
The NSSConnection class has been modified not to shutdown the
existing NSS database if the database is already opened to
establish an SSL connection, or is already opened by another
code that uses an NSS database without establishing an SSL
connection such as vault CLIs.
Reviewed-By: Jan Cholasta <>
Before this patch users could log in using only the OTP value. This
arose because ipapwd_authentication() successfully determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.
This patch resolves CVE-2014-7828.
Reviewed-By: Alexander Bokovoy <>
Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the
default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.
Schema plugin needs to scope the $SUFFIX and also any updates to its configuration.
This change restricts the schema compat to those subtrees. It replaces the definition of ignored subtrees
that would be too long for cn=config (tasks, mapping tree, replication, snmp..)
Reviewed-By: Martin Basti <>
Reviewed-By: Alexander Bokovoy <>