Without it any test comprised of more than one cycle of installing-uninstalling
of ipa would fail due to the fact that test folder on the remote machine gets
deleted during ipa uninstallation.
Also removed duplicate call of apply_common fixes and added unapply_fixes to
uninstall_replica
Reviewed-By: Martin Basti <mbasti@redhat.com>
This function determines which type of authorization data should be
added to the Kerberos ticket. There are global defaults and it is
possible to configure this per service as well. The second argument is
the data base entry of a service. If no service is given it makes sense
to return the global defaults and most parts of get_authz_data_types()
handle this case well and this patch fixes the remaining issue and adds a
test for this as well.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Import all external CA certs to the Dogtag NSS database on IPA CA cert
renewal. This fixes Dogtag not being able to connect to DS which uses 3rd
party server cert after ipa-certupdate.
https://fedorahosted.org/freeipa/ticket/5595
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add tool tips for buttons in detail view. New tooltips:
Reload - Reload current settings from the server.
Revert - Undo all unsaved changes.
Undo - Undo this change.
Undo all - Undo all changes in this field.
https://fedorahosted.org/freeipa/ticket/5428
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Make ipaclient a Python library like ipapython, ipalib, etc.
Use setup.py instead of autotools for installing it.
Move C client tools, Python scripts, and man pages, to client/.
Remove old, empty or outdated, boilerplate files (NEWS, README, AUTHORS).
Remove /setup-client.py (ipalib/setup.py should be used instead).
Update Makefiles and the spec file accordingly.
https://fedorahosted.org/freeipa/ticket/5638
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
There is no point in setting 'enable_ra' to True in IPA config when the
replica is promoted from CA-less master. The installer should set
'enable_ra' to False and unset 'ra_plugin' directive in this case.
https://fedorahosted.org/freeipa/ticket/5626
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When CA replica configures 'cn=replica,cn=o\=ipaca,cn=mapping tree,cn=config'
entry on remote master during replica installation, the 'nsds5replicabinddn'
and 'nsds5replicabinddngroup' attributes are not correctly updated when this
entry already existed on the master (e.g. when existing domain-level 0
topology was promoted to domain level 1). This patch ensures that these
attributes are always set correctly regardless of existence of the replica
entry.
https://fedorahosted.org/freeipa/ticket/5412
Reviewed-By: Martin Basti <mbasti@redhat.com>
When uninstalling IPA master in domain level 1 topology, the code that checks
for correct removal from topology will now consider failures to lookup host
entry in local LDAP and to obtain host TGT as a sign that the master entry was
already removed.
https://fedorahosted.org/freeipa/ticket/5584
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
A workaround was introduced for ticket #4676 that used wget to
perform an (unauthenticated) https request to check the CA status.
Later, wget was changed to curl (the request remained
unauthenticated).
Remove the workaround and use an http request (no TLS) to check the
CA status. Also remove the now-unused unauthenticated_http_request
method, and update specfile to remove ipalib dependency on curl.
Reviewed-By: Martin Basti <mbasti@redhat.com>
There was a change where suffixes in server are no longer returned as DNs
but rather a cn of related topology suffix. I.e. they share "memberof" logic.
This caused that search page doesn't get the data because it uses
"no_member: true" option by default.
This patch overrides the behavior because it is OK for server search page
to fetch also member data - it is not so costly as e.g. in users.
https://fedorahosted.org/freeipa/ticket/5609
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Pylint can be run with the --py3k switch to detect porting issues.
This is not compatible with regular checking (i.e. to do all checks,
pylint must be run twice, with and without --py3k).
So, do an additional run of pylint in a subprocess for the py3k checks.
Add a --no-py3k switch to skip the additional py3k run.
Also add a --no-lint switch to allow only running the py3 checks.
https://fedorahosted.org/freeipa/ticket/5623
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
- `file` was removed in favor of `open`. Switch to the new spelling.
- `buffer` was removed in favor of a buffer protocol (and memoryview),
and `reload` was moved to importlib.
Both are used in py2-only blocks, so just placate PyLint.
https://fedorahosted.org/freeipa/ticket/5623
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Follow-up to commit 23507e6124
The six way of doing this is to replace all occurrences of "unicode"
with "six.text_type". However, "unicode" is non-ambiguous and
(arguably) easier to read. Also, using it makes the patches smaller,
which should help with backporting.
https://fedorahosted.org/freeipa/ticket/5623
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Pylint considers `print` a statement if the __future__ import is
not present, even if it's used like a function with one argument.
Add the __future__ import to files `pylint --py3k` complains about.
https://fedorahosted.org/freeipa/ticket/5623
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
When resolv.conf is set to point to the master's ip before installation, the
ipa-server-install does not create a reverse zone for its ip even despite
--auto-reverse option provided. The fix is not to mess around with resolv.conf
before master installation.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
During IPA server upgrade from pre-4.3 versions, the ACIs permitting
manipulation of replication agreements are removed from the
'cn="$SUFFIX",cn=mapping tree,cn=config' and 'cn=o\3Dipaca,cn=mapping
tree,cn=config'. However they are never re-added breaking management and
installation of replicas.
This patch modifies the update process so that the ACIs are first added to the
'cn=mapping tree,cn=config' and then removed from the child entries.
https://fedorahosted.org/freeipa/ticket/5575
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipactl is not aware of new services installed later, if ipactl restart
or start has not been executed.
This commit is a workaround, proper fix may need to improve ipactl.
https://fedorahosted.org/freeipa/ticket/5262
Reviewed-By: David Kupka <dkupka@redhat.com>
If connection to LDAP failed (or LDAP server is down) we cannot verify
if there is any additional instance of CA, KRA, DNSSEC master.
In this case a user is warned and prompted to confirm uninstallation.
https://fedorahosted.org/freeipa/ticket/5544
Reviewed-By: David Kupka <dkupka@redhat.com>
Enables check and fixes one issue.
get_entries can be replaced by get_entry, filter is not needed because
check of 'originfilter' attribute is done later.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>