This allows for re-use of this method in cases where the caller can not or
wishes not to instantiate local Samba domain to retrieve information about
remote ones.
https://fedorahosted.org/freeipa/ticket/6057
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Prior To Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls
performed against non-root forest domain DCs were automatically routed to the
root domain DCs to resolve trust topology information.
This is no longer the case, so the `dcerpc.fetch_domains` function must
explicitly contact root domain DCs even in the case when an external two-way
trust to non-root domain is requested.
https://fedorahosted.org/freeipa/ticket/6057
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Redirect bash error output to prevent displaying error
messages in bash completion for ipa command.
https://fedorahosted.org/freeipa/ticket/6273
Reviewed-By: David Kupka <dkupka@redhat.com>
When running test_install/test_updates and test_pkcs10/test_pkcs10 as
outoftree, these are skipped with reason 'Unable to find test update files'.
For outoftree tests wrong paths are checked for these files.
Changing file localization to provide proper test setup.
https://fedorahosted.org/freeipa/ticket/6284
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix an AttributeError in XML-RPC methodSignature and methodHelp commands
caused by incorrect mangled name usage.
https://fedorahosted.org/freeipa/ticket/6217
Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Force reconnect to LDAP as DS might have been restarted after the
connection was opened, rendering the connection invalid.
This fixes a crash in ipa-replica-install with --setup-ca.
https://fedorahosted.org/freeipa/ticket/6207
Reviewed-By: Martin Basti <mbasti@redhat.com>
When `trust-add` is supplied AD domain admin name without realm component, the
code appends the uppercased AD forest root domain name to construct the full
principal. This can cause authentication error, however, when external trust
with non-root domain is requested.
We should instead use the supplied DNS domain name (if valid) as a realm
component.
https://fedorahosted.org/freeipa/ticket/6277
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Several tests in test_xmlrpc/test_trust_plugin.py fail because some attributes
are not expected. Fixing the tests so that the extra attributes are recognized.
https://fedorahosted.org/freeipa/ticket/6276
Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
When a command is called on the server over RPC without its version
specified, assume version 1 instead of the highest known version.
This ensures backward compatibility with old clients, which do not support
versioned commands and understand only the first version of any given
command.
https://fedorahosted.org/freeipa/ticket/6217
Reviewed-By: David Kupka <dkupka@redhat.com>
Changing negative test case that verified that a certificate with different
than expected issuer cannot be added to a service to a positive one that
verifies that this operation now proceeds successfully. Corresponds to changes
made in scope of https://fedorahosted.org/freeipa/ticket/4559 implementation.
https://fedorahosted.org/freeipa/ticket/6258
Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
During an extend op password update, there is a test if the
user is changing the password is himself. It uses local Slapi_SDN
variable that are not freed
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The code is supposed to check that the SAN name is also authorized to be used
with the specified profile id.
The original principal has already been checked.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When running ipa-adtrust-install, a netbios-name option must be specified.
Currently if an invalid netbios name in form of empty string is specified, the
installation proceeds, but changes the invalid value to a netbios name
determined from domain name without any notification.
Fixing this so that any attempt to supply empty string as netbios name fails
with error in case of unattended installation, or to request input of valid
netbios name from command line during normal installation.
https://fedorahosted.org/freeipa/ticket/6120
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
domainlevel method is called upon each master uninstallation. Sometimes the
master uninstallation is called from within teardown method of some tests when
the master was not in fact installed, in which case the kinit_admin would
always raise an error.
https://fedorahosted.org/freeipa/ticket/6254
Reviewed-By: Martin Basti <mbasti@redhat.com>
Include name of the CA that issued a certificate in cert-request, cert-show
and cert-find.
This allows the caller to call further commands on the cert without having
to call ca-find to find the name of the CA.
https://fedorahosted.org/freeipa/ticket/6151
Reviewed-By: Martin Basti <mbasti@redhat.com>
Add back `serial_number_hex` and `revoked` param values to cert-find output
accidentally removed in commit c718ef0588.
https://fedorahosted.org/freeipa/ticket/6269
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Class test_forward_zones in ipatests/test_xmlrpc/test_dns_plugin
was using DNS zone 'fwzone2.test.' and expected to get warning
'Forwarding policy conflicts with some automatic empty zones.'
(aka 'DNSForwardPolicyConflictWithEmptyZone').
This does not make sense because 'test.' zone is not listed in IANA registry
'Locally-Served DNS Zones':
http://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml
To fix this I simply removed the warning from set of expected results.
https://fedorahosted.org/freeipa/ticket/6213
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Class test_forward_zones in ipatests/test_xmlrpc/test_dns_plugin
had server IP and zone name interchanged in "expected" dictionart.
I do not understand how this happened.
https://fedorahosted.org/freeipa/ticket/6213
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
There is no notable package size cost, as all the libraries and
packages are already in the freeipa-client package and
freeipa-admintools only contained a short shim calling this code.
Move /bin/ipa to freeipa-client, along with a man page and bash
completion.
Resolves: https://fedorahosted.org/freeipa/ticket/5934
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
We do not have right to write to users delete_container. In case that
user already exists in that container and we tried to add entry, we
receive ACIError. This must be checked and DuplicationEntry error must
be raised before.
https://fedorahosted.org/freeipa/ticket/6199
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
With CA-less master and CA-less replica, attempting to install CA on replica
would fail. LDAPS has to be enabled during replica promotion, because it is
required by Dogtag.
https://fedorahosted.org/freeipa/ticket/6226
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Plugins are being imported in the test_ldap/test_Backend test, which is no
longer valid due to changes made during thin client implementation. Plugins are
imported automatically and explicit imports make tests fail because of the
duplicity.
https://fedorahosted.org/freeipa/ticket/6194
Reviewed-By: Martin Basti <mbasti@redhat.com>
Due to thin client implementation a part of the original test is no longer
valid and causes test to fail.
https://fedorahosted.org/freeipa/ticket/6192
Reviewed-By: Martin Basti <mbasti@redhat.com>
Force client to send the value of ipatokenotpkey and ipapermlocation as
entered by user.
https://fedorahosted.org/freeipa/ticket/6247
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Due to race conditions the test sometimes catches 2 one-way segments instead of
one bidirectional. We need to give the master time to merge the one-way
segments before we test the output.
https://fedorahosted.org/freeipa/ticket/6265
Reviewed-By: Martin Basti <mbasti@redhat.com>
We want to include the whole DER value when we pretty-print
unrecognised otherNames, so add a field to the GeneralNameInfo
namedtuple and populate it for otherNames.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
GeneralName parsing currently relies heavily on strings from NSS.
Make the code hopefully less brittle by identifying GeneralName
types by NSS enums and, for otherName, the name-type OID also.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The subjectAltName extension parsing code in ipalib.x509 fails on
directoryName values because the Choice structure is not endowed
with an inner type. Implement the Name structure, whose inner type
is a CHOICE { SEQUENCE OF RelativeDistinguishedName }, to resolve.
Note that the structure still does not get fully parsed; only enough
to recognise the SequenceOf tag and not fail.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
GeneralName parsing code is primarily relevant to X.509. An
upcoming change will add SAN parsing to the cert-show command, so
first move the GeneralName parsing code from ipalib.pkcs10 to
ipalib.x509.
Part of: https://fedorahosted.org/freeipa/ticket/6022
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Installation in pure IPv6 environment failed because pki-tomcat tried to use
IPv4 loopback. Configuring tomcat to use IPv6 loopback instead of IPv4 fixes
this issue.
https://fedorahosted.org/freeipa/ticket/4291
Reviewed-By: Martin Basti <mbasti@redhat.com>
Custodia's server.keys file contain the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.
https://bugzilla.redhat.com/show_bug.cgi?id=1353936https://fedorahosted.org/freeipa/ticket/6056
Reviewed-By: Martin Basti <mbasti@redhat.com>
Verify that key is not empty when adding otp token. If it is empty, raise an
appropriate error.
https://fedorahosted.org/freeipa/ticket/6200
Reviewed-By: Martin Basti <mbasti@redhat.com>
The server-del plugin now removes the Custodia keys for encryption and
key signing from LDAP.
https://fedorahosted.org/freeipa/ticket/6015
Reviewed-By: Martin Basti <mbasti@redhat.com>
