Derive the default value of `xmlrpc_uri` and `ldap_uri` from `server`.
Derive the default value of `basedn` from `domain`.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Domain, realm, basedn, xmlrpc_uri, ldap_uri do not have any reasonable default.
This patch removes hardcoded default so the so the code which depends
on these values blows up early and does not do crazy stuff
with default values instead of real ones.
This should help to uncover issues caused by improper ipalib
initialization.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
LDAPClient should be used for ad-hoc connections, so the argument is not
necessary, and currently also unused.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Use the default LDAP URI from api.env.ldap_uri instead of specifying a
custom URI in the argument. The default URI might be ldapi://, so make sure
autobind is not attempted where the custom URI was ldap://.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Use the default LDAP URI from api.env.ldap_uri instead of specifying a
custom URI in the argument, as the custom URI is always the same as the
default URI.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Use LDAPClient instead of ldap2 for ad-hoc remote LDAP connections in the
user_status and migrate-ds plugins.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This library is a prerequisite for successful Smart Card authentication
on the client. The client-side advise should make sure this dependency
is present.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This is to prevent NSS asking for database password when operating in
FIPS 140 mode.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Replace the raw `command` calls constructing the for loops in some
methods by a wrapper hiding this detail.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use `if_branch` and `else_branch` context managers instead of raw
`command` calls in the method that generates Bash snippet that
configures PKINIT on the master.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
this simplifies handling compound statements using _AdviceOutput class.
The necessary statements are exposed as context managers and API for
most common constructs is provided.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
A series of context managers simplify formatting of common compound
statements such as `if`, `else if`, `else` blocks.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Indentation levels are now handled transparently by a dedicated class
and should not pollute the statement printing logic.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If the user has a series of CA certificates required to verify smart
card certs (e.g. intermediary CAs and root CA) it is convenient to allow
for passing them to the advise scripts as a series of PEM files.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
On master, upload the CA certificate to IPA LDAP and NSS databases. On
both master and client run ipa-certupdate to update client-side CA
certificate bundles used as PKINIT anchors.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Previously the Smart card signing CA cert was uploaded to systemwide NSS
DB only on the client, but it need to be added also to the server.
Modify the advise plugins to allow for common configuration steps to
occur in both cases.
https://pagure.io/freeipa/issue/7036
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
lambda in py3 has '__code__' attribute instead of 'func_code'
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
We have only one debug log level and it causes issues with py3.
...
File "/usr/lib/python3.5/site-packages/ipaserver/rpcserver.py", line 490, in marshal
response, version, pretty_print=self.api.env.debug >= 2
TypeError: unorderable types: str() >= int()
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
/etc/krb5.conf.d exists.
Do not rely on /etc/krb5.conf.d to enable the certauth plugin.
This fixes install on platforms which do not have /etc/krb5.conf.d.
https://pagure.io/freeipa/issue/6589
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
base64 encoding returns bytes but these can't be added together with
a string.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
python3-mod_wsgi expects that the application() method returns
bytes otherwise it breaks.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
The CommonNameToSANDefault component was added to Dogtag 10.4. When
a profile is configured to use it, this profile copies the CN in the
certificate to the Subject Alternative Name extension as a dNSName
(if and only if it does look like a DNS name).
It is desirable that the default service profile use this component.
Add it to the default profile, for new installations only. For
existing installations, until a proper profile update mechanism is
implemented, administrators who wish to use it must configure it via
the 'certprofile-mod' command.
Fixes: https://pagure.io/freeipa/issue/7007
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In py3 dict.items() doesn't return list so we must create a list to
avoid changing dictionary over iteration.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
In py3 the variable is valid only in the block where it is defined. We
must move test definition to global scope.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
We need to verify the ccache is avcailable in all cases or finalize
will cause us to acquire creds with the keytab which is not what we
want.
Ticket #7037
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This check should prevent regressions in already py3 ported server plugins.
Later it may be extened to multiple logs.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Since ipautil.template_file() returns a string, we should not try
to write it as bytes.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
in py3 we are receiving ugly tracebacks due __del__ method that
should be used very carefully or never. Due tracebacks, this doesn't
work and context manager should be used for reliable connection
termination.
Exception ignored in: <bound method LDAPClient.__del__ of ipaserver.plugins.ldap2.ldap2()>
Traceback (most recent call last):
File "/usr/lib/python3.5/site-packages/ipapython/ipaldap.py", line 1057, in __del__
File "/usr/lib/python3.5/site-packages/ipaserver/plugins/ldap2.py", line 123, in close
File "/usr/lib/python3.5/site-packages/ipalib/backend.py", line 94, in isconnected
NameError: name 'hasattr' is not defined
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
It was hard to detect what is supposed to be in self._orig variable.
Renaming to _orig_raw makes clear for future generations that it
contains bytes.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
In FIPS mode NT hashes (aka md4) are not allowed. If FIPS more is
detected we disable NT hashes even is the are allowed by IPA
configuration.
Resolves https://pagure.io/freeipa/issue/7026
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Since ipa-sam is running as part of smbd is it safe to use the
E_md4hash() from Samba. This way ipa-sam does not depend on other crypto
libraries which might depend on other rules like e.g. FIPS mode.
Resolves https://pagure.io/freeipa/issue/7026
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
python-netifaces now provides IPv6 netmask in format mask/prefix. It
breaks freeipa as it is unexpected format for python-netaddr. We must
split netmask and provide only prefix for netaddr.
https://pagure.io/freeipa/issue/7021
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
This testconfig is temporary until all plugins are migrated into py3.
After that this temporal config file will be removed and used only the
previous one again
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
We will testing both py2 and py3 packages, first step is use only py2
builds for testing py2 packages
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
We cannot reliably determine when an IP Address is network or broadcast.
We allowed to use non-local IP addresses due container use cases, we
don't know subnets of used IP addresses.
https://pagure.io/freeipa/issue/4317
Reviewed-By: David Kupka <dkupka@redhat.com>
ipa-dns-install uses ip_netmask=False --> parse_netmask=False, other installers uses default (parse_netmask=True).
Use this consistent accross all installers.
Also this option is unused (and shouldn't be used).
https://pagure.io/freeipa/issue/4317
Reviewed-By: David Kupka <dkupka@redhat.com>
This parameter is unused in code. We are no longer testing if IP address
matches an interface in constructor.
https://pagure.io/freeipa/issue/4317
Reviewed-By: David Kupka <dkupka@redhat.com>
