Commit Graph

9200 Commits

Author SHA1 Message Date
Martin Babinsky
aa74995736 spec: require python-cryptography newer than 0.9
When generating keys for custodia service, the key material is stored in
python-cryptography's OpenSSL backend encoded as DER. This only works in
python-cryptography 0.9 and newer so we need to make sure this version pulled
in during RPM build and install.

https://fedorahosted.org/freeipa/ticket/5744

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-21 17:53:25 +01:00
Thierry Bordaz
e1bbd90360 DS deadlock when memberof scopes topology plugin updates
Topology plugin may merge (aka DEL) segments that would trigger
internal search for groups owning that segment. The problem
is that it is searching those groups into the full suffix and
so need the schema compat map lock.

If any other operation holding schema compat map lock need to
access the page involved in the DEL, there is a deadlock.

This fix is to prevent useless group searching if the target entry
is a segment or is in compat tree.

https://fedorahosted.org/freeipa/ticket/5637

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-18 13:25:08 +01:00
Jakub Hrozek
c6371abeb3 sudo: Fix a typo in the --help output of sudocmdgroup
Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-18 12:38:42 +01:00
Martin Babinsky
3ab63fa6ba spec: add conflict with bind-chroot to freeipa-server-dns
https://fedorahosted.org/freeipa/ticket/5696

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-03-18 09:32:47 +01:00
Martin Basti
04d4519ed5 client: enable ChallengeResponseAuthentication in sshd_config
In order to enable SSSD smart prompting and allow it to ask for 1FA and
2FA separately, ChallengeResponseAuthentication should be set to yes.
This change will enable better processing of the 2FA value and it will
also enable other features, like allow SSSD to make the 2FA option in
some cases and have a way of informing user that 2FA is optional.

https://fedorahosted.org/freeipa/ticket/5703

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-03-18 09:21:58 +01:00
Martin Basti
d6f03da753 spec: Add missing dependencies to python*-ipalib package
Standalone instalation of python*-ipalib packages does not pull all
required packages and results into import errors.

https://fedorahosted.org/freeipa/ticket/5680

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-03-18 07:16:39 +01:00
Martin Basti
de8c6d81fd Fix broken trust warnings
Warning should be shown only for parent entries of trust domain. Subdomains do not contain ipaNTSecurityIdentifier attribute at all.

https://fedorahosted.org/freeipa/ticket/5737

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-03-16 13:50:56 +01:00
Jan Cholasta
54a59475f3 certdb: never use the -r option of certutil
The -r option makes certutil output certificates in DER. If there are
multiple certificates sharing the same nickname, certutil will output
them concatenated into a single blob. The blob is not a valid DER
anymore and causes failures further in the code.

Use the -a option instead to output the certificates in PEM and convert
them to DER on demand.

https://fedorahosted.org/freeipa/ticket/5117
https://fedorahosted.org/freeipa/ticket/5720

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-16 09:35:44 +01:00
Martin Basti
fb3a5d5a9c Use platform path constant for SSSD log dir
The path to SSSD log directory is platform specific and should be in
ipaplatform module.

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-16 09:31:02 +01:00
Martin Basti
0cb870e565 Remove redundant parameters from CS.cfg in dogtaginstance
Bind DN is not used for client certificate authentication so they can be
safely removed.

https://fedorahosted.org/freeipa/ticket/5298

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-03-16 09:28:21 +01:00
Martin Basti
4871cb5b54 stageuser-activate: Normalize manager value
Manager(s) were returned as list od DN, this commit fixes behavior and
managers are returned as list of logins.

https://fedorahosted.org/freeipa/ticket/5481

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-16 09:09:36 +01:00
Martin Babinsky
8290d4b4cb only search for Kerberos SRV records when autodiscovery was requested
When a list of servers is passed to ipa-client-{install,automount} the search
of Kerberos and LDAP SRV records should be suppressed and the specified
hostnames used directly as LDAP servers/KDCs. We thus should not performed
search for KDCs when the autodiscovery was actually not requested.

https://fedorahosted.org/freeipa/ticket/4305

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-14 13:43:50 +01:00
Oleg Fayans
578cff9567 Workaround for ticket 5627
https://fedorahosted.org/freeipa/ticket/5723

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-11 17:27:45 +01:00
Oleg Fayans
b5807fd9b6 Made apply_common_fixes call at replica installation independent on domain_level
Besides added obligatory domain/realm-specific commandline options
 to replica installation

https://fedorahosted.org/freeipa/ticket/5723

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-11 17:27:45 +01:00
Oleg Fayans
b4071c542f Removed a constantly failing call to prepare_host
prepare_host is executed from within each of install_master, install_replica
and install_client in tasks.py anyway, so no need to call it here also.
Besindes this call kept failing when IntegrationTest wes initialized more than
once during the test execution.

https://fedorahosted.org/freeipa/ticket/5723

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-11 17:27:45 +01:00
Oleg Fayans
ddadbf8274 Enabled setting domain level explicitly in test class
Needed for replica promotion tests

https://fedorahosted.org/freeipa/ticket/5723

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-11 17:27:45 +01:00
Oleg Fayans
0b1fe08f1d Integration tests for replica promotion feature
http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan

https://fedorahosted.org/freeipa/ticket/5723

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-11 17:27:45 +01:00
Lenka Doudova
904db149e9 WebUI test: ID views
Provides missing test coverage for ID views web UI.

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2016-03-11 11:52:25 +01:00
Jérôme Fenal
67b806e5d9 Fix the man page part for shorter sentences, to avoid dual understanding, and punctuation, all spotted while translating to French.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
2016-03-10 19:35:12 +01:00
Alexander Bokovoy
3208a09384 extdom: do not fail to process error case when no request is specified
Coverity CID 13130

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2016-03-10 19:24:55 +01:00
Pavel Vomacka
f7429a2dec Add field for group id in user add dialog
Add new field in user add dialog. This combo box lists all posix groups
so user can choose one. It is also possible to fill a GID number
which is not in the list.

https://fedorahosted.org/freeipa/ticket/5505

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-03-10 18:48:56 +01:00
Pavel Vomacka
1cc582e9b8 Nodes stay fixed after initial animation.
There is an animation of nodes layout after first load of graph or adding new node.
Then all nodes of the graph are set to the fixed state. The node is set to fixed even after
manual turn off of fixed state.

https://fedorahosted.org/freeipa/ticket/5649

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-03-10 18:24:32 +01:00
Pavel Vomacka
18a4053a68 Add pan and zoom functionality to the topology graph
Add zooming and panning functionality to the topology graph. Also the page rememberes
the old setting of the graph position and size. So, after refreshing the graph has
the same position and size as it had before.

https://fedorahosted.org/freeipa/ticket/5502

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2016-03-10 18:14:07 +01:00
Martin Basti
e0b9afded5 krb5conf: use 'true' instead of 'yes' for forwardable option
'yes' is also valid value in krb5.conf but we should be consistent and
use only 'true' as we do for other options.

https://fedorahosted.org/freeipa/ticket/5518

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-03-09 19:04:19 +01:00
Lukas Slebodnik
2a61ddb644 SPEC: Remove unused build dependency on libwbclient
The string "wbclient" is not mentioned anywhere in
source code and there isn't any issue with building
freeipa packages without this package.

Reviewed-By: Sumit Bose <sbose@redhat.com>
2016-03-09 19:03:06 +01:00
Simo Sorce
7a20fc671b Allow to specify Kerberos authz data type per user
Like for services setting the ipaKrbAuthzData attribute on a user object will
allow us to control exactly what authz data is allowed for that user.
Setting NONE would allow no authz data, while setting MS-PAC would allow only
Active Directory compatible data.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/2579
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-03-09 19:00:43 +01:00
Lukas Slebodnik
0906cc28b8 ipa-sam: Do not redefine LDAP_PAGE_SIZE
The value of LDAP_PAGE_SIZE was changed in samba-4.4
and it caused warning because it's already defined
in samba header files

ipa_sam.c:114:0: warning: "LDAP_PAGE_SIZE" redefined
 #define LDAP_PAGE_SIZE 1024

In file included from /usr/include/samba-4.0/smbldap.h:24:0,
                 from ipa_sam.c:31:
/usr/include/samba-4.0/smb_ldap.h:81:0: note: this is the location of the previous definition
 #define LDAP_PAGE_SIZE 1000

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2016-03-09 18:59:29 +01:00
Martin Basti
dd86f83c96 Configure 389ds with "default" cipher suite
nsSSLCiphers: "default" provides only secure ciphers that should be used when
connecting to DS

https://fedorahosted.org/freeipa/ticket/5684

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-03-09 10:04:58 +01:00
Martin Babinsky
abe3abb466 test_cert_plugin: use only first part of the hostname to construct short name
The short hostname construction for the negative test case in
test_cert_plugin::test_cert_find suite could not work when domain name was
different as hostname of the test runner, leading to test failure. A more
naive approach works better in this case.

https://fedorahosted.org/freeipa/ticket/5688

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-08 20:22:55 +01:00
Lukas Slebodnik
ebbb2eba5b CONFIGURE: Replace obsolete macros
The AC_PROG_LIBTOOL macro is obsoleted by since libtool-2.0
which is already in rhel6+

https://fedorahosted.org/FedoraReview/wiki/AutoTools

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-08 20:02:27 +01:00
Simo Sorce
3e45c9be0a Allow admins to disable preauth for SPNs.
Some legacy softare is not able to properly cope with preauthentication,
allow the admins to disable the requirement to use preauthentication for
all Service Principal Names if they so desire. IPA Users are excluded,
for users, which use password of lessere entrpy, preauthentication is
always required by default.

This setting does NOT override explicit policies set on service principals
or in the global policy, it only affects the default.

Signed-off-by: Simo Sorce <simo@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/3860
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-03-08 18:48:40 +01:00
Filip Skola
de63e16922 Refactor test_group_plugin, use GroupTracker for tests
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-03-08 16:32:11 +01:00
Petr Spacek
42c01eb327 Pylint: enable parallelism
The config file specifies 8 cores but Pylint very quickly
ends up with 3 cores so do not worry about overwhelming your system.

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2016-03-07 12:33:21 +01:00
Tomas Babej
8bf6aa2c1c ipalib: Fix user certificate docstrings
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2016-03-07 12:21:12 +01:00
Martin Basti
2211e9a6fa Remove unused arguments from update_ssh_keys method
First argumet has been unused and can be safely removed, because server
is not used for nsupdate anymore

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-04 13:20:49 +01:00
Martin Basti
2c8e100c73 fix suspicious except statements
The "except ValueError as UnicodeDecodeError" looks very suspicious.
Commit change except to catch both exceptions.

https://fedorahosted.org/freeipa/ticket/5718

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2016-03-04 13:10:08 +01:00
Petr Vobornik
3c519951c5 webui: fail nicely if cookies are disabled
Reworks also sessionStorage test because disablement of cookies might be connected
with sessionStorage and localStorage. E.g. Chrome raises exception when *Storage
is accessed with "Block sites from setting any data" settings set in
"Content Settings/Cookies" section.

https://fedorahosted.org/freeipa/ticket/4338

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2016-03-03 17:33:13 +01:00
Martin Basti
a63ce1fe22 CI: allow customized DS install test to work with domain levels
Test will use tasks methods instead of custom commands to be able work
with domain levels.

https://fedorahosted.org/freeipa/ticket/5606

Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-03-03 17:26:56 +01:00
Tomas Babej
61e627b4b3 l10n: Remove Transifex configuration
We're not using Transifex to manage our translations anymore.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-03 16:14:22 +01:00
Tomas Babej
24a39dea44 adtrustinstance: Make sure smb.conf exists
The 'net' command fails unless smb.conf exists. Touch
the file prior to any 'net' call to make sure we do not crash
for this very reason.

https://fedorahosted.org/freeipa/ticket/5687

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-03 16:12:30 +01:00
Petr Viktorin
34db5759fa ipalib.x809: Accept bytes for make_pem
Part of the work for https://fedorahosted.org/freeipa/ticket/5638

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-03-03 10:31:55 +01:00
Petr Viktorin
272ff9d1f7 ipapython.sysrestore: Use str methods instead of functions from the string module
For historical reasons, the string module contained some functions
that mirror methods of the str type. These are eremoved in Python 3.

Use str methods instead.

Part of the work for https://fedorahosted.org/freeipa/ticket/5638

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-03-03 10:31:55 +01:00
Petr Viktorin
cec7df5c54 ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn()
ipacheckldap uses a schema-less connection with decode_attrs=False,
so bytes need to be decoded manually.
This was not a problem in Python2 where bytes and unicode could
be mixed freely.

Part of the work for https://fedorahosted.org/freeipa/ticket/5638

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-03-03 10:31:55 +01:00
Petr Viktorin
8df86d5bff Move get_ipa_basedn from ipautil to ipadiscovery
The function wasn't used anywhere else.

Part of the work for https://fedorahosted.org/freeipa/ticket/5638

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2016-03-03 10:31:55 +01:00
Jan Cholasta
3c57c305ad ipalib: add convenient Command method for adding messages
Call the add_message() method of Command from anywhere in the implementation
of a command to add a message to the result of the command.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-03 10:06:18 +01:00
Jan Cholasta
e5520dc347 ipalib: provide per-call command context
Add context which is valid for the duration of command call. The context
is accessible using the `context` attribute of Command and Object plugins.

Reviewed-By: Martin Basti <mbasti@redhat.com>
2016-03-03 10:06:18 +01:00
Thierry Bordaz
6851e560dd configure DNA plugin shared config entries to allow connection with GSSAPI
https://fedorahosted.org/freeipa/ticket/4026

When a replica needs to extend its DNA range, it selects the remote replica with the
larger available range. If there is no replica agreement to that remote replica,
the shared config entry needs to contain the connection method/protocol.
This fix requires 389-ds
 * https://fedorahosted.org/389/ticket/47779
 * https://fedorahosted.org/389/ticket/48362

That are both fixed in 1.3.4.6

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2016-03-02 16:43:17 +01:00
Oleg Fayans
cfbb7769a7 Removed messing around with resolv.conf
Reviewed-By: Milan Kubik <mkubik@redhat.com>
2016-03-02 16:41:28 +01:00
Martin Basti
72d5499c5a pylint: supress false positive no-member errors
pylint 1.5 prints many false positive no-member errors which are
supressed by this commit.

https://fedorahosted.org/freeipa/ticket/5615

Reviewed-By: David Kupka <dkupka@redhat.com>
2016-03-02 14:57:36 +01:00
Petr Vobornik
c68e9510d0 fix incorrect name of ipa-winsync-migrate command in help
Help and status text used incorrect name "ipa-migrate-winsync"

https://fedorahosted.org/freeipa/ticket/5713

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2016-03-02 12:52:14 +01:00