When generating keys for custodia service, the key material is stored in
python-cryptography's OpenSSL backend encoded as DER. This only works in
python-cryptography 0.9 and newer so we need to make sure this version pulled
in during RPM build and install.
https://fedorahosted.org/freeipa/ticket/5744
Reviewed-By: Martin Basti <mbasti@redhat.com>
Topology plugin may merge (aka DEL) segments that would trigger
internal search for groups owning that segment. The problem
is that it is searching those groups into the full suffix and
so need the schema compat map lock.
If any other operation holding schema compat map lock need to
access the page involved in the DEL, there is a deadlock.
This fix is to prevent useless group searching if the target entry
is a segment or is in compat tree.
https://fedorahosted.org/freeipa/ticket/5637
Reviewed-By: Martin Basti <mbasti@redhat.com>
In order to enable SSSD smart prompting and allow it to ask for 1FA and
2FA separately, ChallengeResponseAuthentication should be set to yes.
This change will enable better processing of the 2FA value and it will
also enable other features, like allow SSSD to make the 2FA option in
some cases and have a way of informing user that 2FA is optional.
https://fedorahosted.org/freeipa/ticket/5703
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Standalone instalation of python*-ipalib packages does not pull all
required packages and results into import errors.
https://fedorahosted.org/freeipa/ticket/5680
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Warning should be shown only for parent entries of trust domain. Subdomains do not contain ipaNTSecurityIdentifier attribute at all.
https://fedorahosted.org/freeipa/ticket/5737
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The -r option makes certutil output certificates in DER. If there are
multiple certificates sharing the same nickname, certutil will output
them concatenated into a single blob. The blob is not a valid DER
anymore and causes failures further in the code.
Use the -a option instead to output the certificates in PEM and convert
them to DER on demand.
https://fedorahosted.org/freeipa/ticket/5117https://fedorahosted.org/freeipa/ticket/5720
Reviewed-By: David Kupka <dkupka@redhat.com>
Bind DN is not used for client certificate authentication so they can be
safely removed.
https://fedorahosted.org/freeipa/ticket/5298
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Manager(s) were returned as list od DN, this commit fixes behavior and
managers are returned as list of logins.
https://fedorahosted.org/freeipa/ticket/5481
Reviewed-By: David Kupka <dkupka@redhat.com>
When a list of servers is passed to ipa-client-{install,automount} the search
of Kerberos and LDAP SRV records should be suppressed and the specified
hostnames used directly as LDAP servers/KDCs. We thus should not performed
search for KDCs when the autodiscovery was actually not requested.
https://fedorahosted.org/freeipa/ticket/4305
Reviewed-By: Martin Basti <mbasti@redhat.com>
prepare_host is executed from within each of install_master, install_replica
and install_client in tasks.py anyway, so no need to call it here also.
Besindes this call kept failing when IntegrationTest wes initialized more than
once during the test execution.
https://fedorahosted.org/freeipa/ticket/5723
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add new field in user add dialog. This combo box lists all posix groups
so user can choose one. It is also possible to fill a GID number
which is not in the list.
https://fedorahosted.org/freeipa/ticket/5505
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
There is an animation of nodes layout after first load of graph or adding new node.
Then all nodes of the graph are set to the fixed state. The node is set to fixed even after
manual turn off of fixed state.
https://fedorahosted.org/freeipa/ticket/5649
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Add zooming and panning functionality to the topology graph. Also the page rememberes
the old setting of the graph position and size. So, after refreshing the graph has
the same position and size as it had before.
https://fedorahosted.org/freeipa/ticket/5502
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
'yes' is also valid value in krb5.conf but we should be consistent and
use only 'true' as we do for other options.
https://fedorahosted.org/freeipa/ticket/5518
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The string "wbclient" is not mentioned anywhere in
source code and there isn't any issue with building
freeipa packages without this package.
Reviewed-By: Sumit Bose <sbose@redhat.com>
Like for services setting the ipaKrbAuthzData attribute on a user object will
allow us to control exactly what authz data is allowed for that user.
Setting NONE would allow no authz data, while setting MS-PAC would allow only
Active Directory compatible data.
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/2579
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The value of LDAP_PAGE_SIZE was changed in samba-4.4
and it caused warning because it's already defined
in samba header files
ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
#define LDAP_PAGE_SIZE 1024
In file included from /usr/include/samba-4.0/smbldap.h:24:0,
from ipa_sam.c:31:
/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition
#define LDAP_PAGE_SIZE 1000
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
nsSSLCiphers: "default" provides only secure ciphers that should be used when
connecting to DS
https://fedorahosted.org/freeipa/ticket/5684
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The short hostname construction for the negative test case in
test_cert_plugin::test_cert_find suite could not work when domain name was
different as hostname of the test runner, leading to test failure. A more
naive approach works better in this case.
https://fedorahosted.org/freeipa/ticket/5688
Reviewed-By: Martin Basti <mbasti@redhat.com>
Some legacy softare is not able to properly cope with preauthentication,
allow the admins to disable the requirement to use preauthentication for
all Service Principal Names if they so desire. IPA Users are excluded,
for users, which use password of lessere entrpy, preauthentication is
always required by default.
This setting does NOT override explicit policies set on service principals
or in the global policy, it only affects the default.
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/3860
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The config file specifies 8 cores but Pylint very quickly
ends up with 3 cores so do not worry about overwhelming your system.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The "except ValueError as UnicodeDecodeError" looks very suspicious.
Commit change except to catch both exceptions.
https://fedorahosted.org/freeipa/ticket/5718
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reworks also sessionStorage test because disablement of cookies might be connected
with sessionStorage and localStorage. E.g. Chrome raises exception when *Storage
is accessed with "Block sites from setting any data" settings set in
"Content Settings/Cookies" section.
https://fedorahosted.org/freeipa/ticket/4338
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Test will use tasks methods instead of custom commands to be able work
with domain levels.
https://fedorahosted.org/freeipa/ticket/5606
Reviewed-By: Milan Kubik <mkubik@redhat.com>
The 'net' command fails unless smb.conf exists. Touch
the file prior to any 'net' call to make sure we do not crash
for this very reason.
https://fedorahosted.org/freeipa/ticket/5687
Reviewed-By: Martin Basti <mbasti@redhat.com>
For historical reasons, the string module contained some functions
that mirror methods of the str type. These are eremoved in Python 3.
Use str methods instead.
Part of the work for https://fedorahosted.org/freeipa/ticket/5638
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipacheckldap uses a schema-less connection with decode_attrs=False,
so bytes need to be decoded manually.
This was not a problem in Python2 where bytes and unicode could
be mixed freely.
Part of the work for https://fedorahosted.org/freeipa/ticket/5638
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Call the add_message() method of Command from anywhere in the implementation
of a command to add a message to the result of the command.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add context which is valid for the duration of command call. The context
is accessible using the `context` attribute of Command and Object plugins.
Reviewed-By: Martin Basti <mbasti@redhat.com>
pylint 1.5 prints many false positive no-member errors which are
supressed by this commit.
https://fedorahosted.org/freeipa/ticket/5615
Reviewed-By: David Kupka <dkupka@redhat.com>