In Python 3, the base64.b64decode function raises binascii.Error (a ValueError
subclass) when it finds incorrect padding. In Python 2 it raises TypeError.
Callers should usually handle ValueError (unless they are specifically
concerned with handling base64 padding issues).
In some cases, callers should handle ValueError:
- ipalib.pkcs10 (get_friendlyname, load_certificate_request): callers should
handle ValueError
- ipalib.x509 (load_certificate*, get_*): callers should handle ValueError
In other cases ValueError is handled:
- ipalib.parameters
- ipapython.ssh
- ipalib.rpc (json_decode_binary - callers already expect ValueError)
- ipaserver.install.ldapupdate
Elsewhere no error handling is done, because values come from trusted
sources, or are pre-validated:
- vault plugin
- ipaserver.install.cainstance
- ipaserver.install.certs
- ipaserver.install.ipa_otptoken_import
Reviewed-By: Tomas Babej <>
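An added example (not code from these commits or from FreeIPA) showing why catching ValueError is sufficient in Python 3: binascii.Error subclasses it, so a padding error, an out-of-alphabet character and a non-ASCII string all surface the same way. The helper names decode_base64_strict and is_valid_base64 are hypothetical.

```python
import base64
import binascii


def decode_base64_strict(data):
    """Decode base64 text, surfacing every malformed input as ValueError.

    In Python 3, base64.b64decode raises binascii.Error (a ValueError
    subclass) on incorrect padding and, with validate=True, also on
    characters outside the base64 alphabet instead of silently discarding
    them.  Catching ValueError therefore covers both cases; the explicit
    re-raise below only adds a clearer message for the caller.
    """
    if isinstance(data, str):
        # Non-ASCII text cannot be base64; encode() raises
        # UnicodeEncodeError, which is itself a ValueError subclass.
        data = data.encode('ascii')
    try:
        return base64.b64decode(data, validate=True)
    except binascii.Error as e:
        raise ValueError('invalid base64 input: %s' % e)


def is_valid_base64(data):
    """True if data is well-formed base64, False otherwise.

    Only ValueError is caught, as the commit message recommends; any
    other exception is a real bug and should propagate.
    """
    try:
        decode_base64_strict(data)
    except ValueError:
        return False
    return True


if __name__ == '__main__':
    # Constructed samples: valid, missing padding, stray space, non-ASCII.
    for sample in ('aGVsbG8=', 'aGVsbG8', 'aGVs bG8=', 'h\u00e9llo'):
        print(repr(sample), 'valid' if is_valid_base64(sample) else 'invalid')
```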
Configure IPA so that the topology plugin will also manage CA replication
upgrades if CA is configured:
- ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX
- ipaReplTopoManagedSuffix: o=ipaca is added to master entry
- binddngroup is added to o=ipaca replica entry
Signed-off-by: Simo Sorce <>
Reviewed-By: Jan Cholasta <>
This patch implements a new flag --promote for the ipa-replica-install command
that allows an administrative user to 'promote' an already joined client to
become a full ipa server.
The only credentials used are that of an administrator. This code relies on
ipa-custodia being available on the peer master as well as a number of other
patches to allow a computer account to request certificates for its services.
Therefore this feature is marked to work only with domain level 1 and above.
Signed-off-by: Simo Sorce <>
Reviewed-By: Jan Cholasta <>
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.
Signed-off-by: Simo Sorce <>
Reviewed-By: Jan Cholasta <>
In Python 3, these modules are reorganized.
Reviewed-By: David Kupka <>
Reviewed-By: Jan Cholasta <>
Reviewed-By: Martin Basti <>
For the duration of the test, makes resolv.conf unmanaged.
If NetworkManager is not running, nothing is changed.
Reviewed-By: Martin Basti <>
The patch fixes a regression in ipa-restore caused by overwriting /etc/passwd,
/etc/shadow and friends during restore of authconfig configuration files. These
files are now excluded from the authconfig backup dir.
Reviewed-By: David Kupka <>
Certain subcomponents of IPA, such as Dogtag, cannot function if
non-critical directories (such as log directories) have not been
stored in the backup.
This patch implements storage of selected empty directories,
while preserving attributes and SELinux context.
Reviewed-By: Martin Basti <>
The CA and KRA installation code has been modified to use LDAPI
to create the CA and KRA agents directly in the CA and KRA
database. This way it's no longer necessary to use the Directory
Manager password or CA and KRA admin certificate.
Reviewed-By: Martin Basti <>
Reusing an old ccache after reinstall causes an authentication error and
prevents DNSSEC from working.
Related to ticket:
Reviewed-By: Petr Spacek <>
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.
Reviewed-By: Christian Heimes <>
Reviewed-By: Jan Cholasta <>
In Python 3, filter() returns an iterator.
Use list comprehensions instead.
Reviewed-By: Christian Heimes <>
Reviewed-By: Jan Cholasta <>
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <>
Reviewed-By: Jan Cholasta <>
The ipa-kra-install tool has been modified to use password files
instead of clear text passwords when invoking pki tool such that
the passwords are no longer visible in ipaserver-kra-install.log.
Reviewed-By: Alexander Bokovoy <>
Instead of separately checking the DNS required packages, we just need to
check if the IPA DNS package is installed.
Reviewed-By: Martin Babinsky <>
Reviewed-By: Petr Spacek <>
Reviewed-By: Tomas Babej <>
Introduce a ipaplatform/ file to store platform-related
constants, which are not paths.
Reviewed-By: Martin Basti <>
Reviewed-By: Petr Spacek <>
This commit allows replacing or disabling the DNSSEC key master.
Replacing the DNSSEC master requires the user to copy the kasp.db file manually.
--disable-dnssec-master The DNSSEC master will be disabled
--dnssec-master --kasp-db=FILE This configures a new DNSSEC master server; kasp.db from the old server is required for successful replacement
--force Skip checks
Reviewed-By: Petr Spacek <>
The variables path_namespace and task_namespace in the base platform
are not used anywhere in the rest of the codebase and are just
debris from previous implementation.
This patch removes them.
Reviewed-By: Tomas Babej <>
Previously is_active() was frenetically calling systemctl is_active in a
tight loop, which in fact made the process slower.
Reviewed-By: Martin Basti <>
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.
- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
cn=etc,$SUFFIX. It's enabled when ipaConfigString=kdcProxyEnabled is
- The installers and update create a new Apache config file
/etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
/KdcProxy. The app is run inside its own WSGI daemon group with
a different uid and gid than the webui.
- An ExecStartPre script in httpd.service symlinks the config file to
/etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
so that an existing config is not used. SetEnv from Apache config does
not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
locations of the KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
ipa-ldap-updater. No CLI script is offered yet.
Reviewed-By: Nathaniel McCallum <>
Reviewed-By: Simo Sorce <>
Directory Server is deprecating the use of tools in instance-specific paths.
Instead, tools in the bin/sbin path should be used.
Reviewed-By: Martin Basti <>
Use state in LDAP rather than local state to check if KRA is installed.
Use correct log file names.
Reviewed-By: David Kupka <>
To detect if the DS server is running, use the slapd socket for upgrade, and the
LDAP port for installation.
Without the LDAPI socket enabled, checking doesn't work.
Reviewed-By: Fraser Tweedale <>
During server upgrade we should wait until DS is ready after restart, otherwise
a connection error is raised.
Instead of port 389, the DS socket is checked.
Reviewed-By: Fraser Tweedale <>
During IPA server uninstall, the httpd service ccache is not removed from the
runtime directory. This file then causes server-side client install to fail
when performing a subsequent installation without rebooting/recreating runtime
This patch ensures that the old httpd ccache is explicitly destroyed during
Reviewed-By: David Kupka <>
Checking the status of the CA via proxy causes issues when the httpd instance is
To check the status of the CA we do not need the proxy.
Reviewed-By: Jan Cholasta <>
Verify version and platform before upgrade or ipactl start|restart
* do not allow upgrade on different platforms
* do not allow upgrade data with higher version than build has
* do not start services if platform mismatch
* do not start services if upgrade is needed
* do not start services if data with higher version than build has
New ipactl options:
--skip-version-check: do not validate IPA version
--ignore-service-failures (was --force): ignore if a service start fails
and continue with starting the other services
--force: combine --skip-version-check and --ignore-service-failures
Reviewed-By: Jan Cholasta <>
Reviewed-By: David Kupka <>
* install master, replica, then install DNSSEC on master
* test if zone is signed (added on master)
* test if zone is signed (added on replica)
* install master with DNSSEC, then install replica
* test if root zone is signed
* add zone, verify signatures using our root zone
Reviewed-By: Milan Kubik <>
We use ntpd now to sync time before fetching a TGT during client
install. Unfortunately, ntpd will hang forever if it is unable to
reach the NTP server.
This patch adds the ability for commands run via to
have an optional timeout. This capability is used by the NTP sync
code that is run during ipa-client-install.
Reviewed-By: Martin Babinsky <>
The patch adds a function which calls '' during DS instance
removal. This should allow for a more thorough removal of DS related data
during server uninstallation (such as closing custom ports, cleaning up
slapd-* entries etc.)
This patch is related to
Reviewed-By: Martin Basti <>
Due to a workaround we accidentally started to check the certificate, which
causes problems during installation.
Reviewed-By: Jan Cholasta <>
Just adding the dir to the specfile doesn't work, because there is no guarantee
that named is installed during RPM installation.
Reviewed-By: Jan Cholasta <>
(Link to) service file from /etc/systemd/system/ must be removed before masking
systemd service.
Reviewed-By: Jan Cholasta <>
IPA only uses one instance of the directory server. When an instance
is not specified to a call to service.start/stop/restart/...,
use IPA's instance.
Stopping a systemd service is synchronous (by default), but stopping
a target is not. This change ensures that the directory server
is actually down when stop() finishes.
Reviewed-By: Jan Cholasta <>