Because of the dnspython implementation, in some cases UnicodeError is
raised instead of DNS SyntaxError.
Ticket: https://fedorahosted.org/freeipa/ticket/4734
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Escape user-defined text to prevent XSS attacks. Extra precaution was taken
to also escape parts which are unlikely to contain user-defined text.
fixes CVE-2014-7850
https://fedorahosted.org/freeipa/ticket/4742
Reviewed-By: Tomas Babej <tbabej@redhat.com>
This is just a workaround; checking whether the CA is working raises a false-positive
exception during upgrade.
Ticket: https://fedorahosted.org/freeipa/ticket/4676
Reviewed-By: Simo Sorce <ssorce@redhat.com>
The expiration date was always set to the expiration date of the original
certificate.
https://fedorahosted.org/freeipa/ticket/4717
Reviewed-By: David Kupka <dkupka@redhat.com>
This is possible because python-qrcode's output now fits in a standard
terminal. Also, update ipa-otp-import and otptoken-add-yubikey to
disable QR code output as it doesn't make sense in these contexts.
https://fedorahosted.org/freeipa/ticket/4703
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
This way make rpms will always generate new packages that can be installed on
top of older ones, regardless of the alphabetic ordering of the GIT commit id.
Also make sure the version and date variables are immediately resolved, so they can't
change during the build.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Just adding the dir to the specfile doesn't work, because there is no guarantee that
named is installed during RPM installation.
Ticket: https://fedorahosted.org/freeipa/ticket/4716
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The man pages for various FreeIPA setup tools are more descriptive on how to
configure multiple DNS forwarders than the corresponding cli help. This patch
makes the cli help more verbose now for the following tools:
* ipa-dns-install
* ipa-replica-install
* ipa-server-install
https://fedorahosted.org/freeipa/ticket/4465
Reviewed-By: Martin Basti <mbasti@redhat.com>
The (link to the) service file in /etc/systemd/system/ must be removed before masking
the systemd service.
https://fedorahosted.org/freeipa/ticket/4658
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Mixing 'Old' and 'New' attr styles for the referential integrity plugin causes errors.
Now old settings are migrated to new-style settings before upgrade.
Ticket: https://fedorahosted.org/freeipa/ticket/4622
Reviewed-By: David Kupka <dkupka@redhat.com>
The wrong search scope was being used when trying to determine if
a given master had a CA installed when trying to create a new
connection.
https://fedorahosted.org/freeipa/ticket/4704
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
IPA only uses one instance of the directory server. When an instance
is not specified to a call to service.start/stop/restart/...,
use IPA's instance.
Stopping a systemd service is synchronous (by default), but stopping
a target is not. This change ensures that the directory server
is actually down when stop() finishes.
https://fedorahosted.org/freeipa/ticket/4709
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The installer adds zonemgr as a relative (and invalid) address.
This fix forces the installer to use an absolute email address.
Ticket: https://fedorahosted.org/freeipa/ticket/4707
Reviewed-By: David Kupka <dkupka@redhat.com>
Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit.
Create /etc/ipa/nssdb after restore if necessary.
https://fedorahosted.org/freeipa/ticket/4711
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Base RID is no longer editable for ipa-trust-ad-posix range type
Adder dialog:
- Range type selector was moved up because it affects a field above it
Details page:
- Only fields relevant to range's type are visible
https://fedorahosted.org/freeipa/ticket/4221
Reviewed-By: Tomas Babej <tbabej@redhat.com>
iparangetype output is a localized human-readable value which is not suitable for machine-based API consumers.
Solved by a new iparangetyperaw output attribute which contains iparangetype's raw value.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
We should not allow setting --rid-base for ranges of ipa-trust-ad-posix since we do not perform any RID -> UID/GID mappings for these ranges (objects have UID/GID set in AD). Thus, setting RID base makes no sense.
Since ipaBaseRID is a MUST in ipaTrustedADDomainRange object class, value '0' is allowed and used internally for 'ipa-trust-ad-posix' range type.
No schema change is done.
https://fedorahosted.org/freeipa/ticket/4221
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The NSSConnection class has been modified not to shutdown the
existing NSS database if the database is already opened to
establish an SSL connection, or is already opened by another
code that uses an NSS database without establishing an SSL
connection such as vault CLIs.
https://fedorahosted.org/freeipa/ticket/4638
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Before this patch users could log in using only the OTP value. This
arose because ipapwd_authentication() successfully determined that
an empty password was invalid, but 389 itself would see this as an
anonymous bind. An anonymous bind would never even get this far in
this code, so we simply deny requests with empty passwords.
This patch resolves CVE-2014-7828.
https://fedorahosted.org/freeipa/ticket/4690
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
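The failure mode described in the CVE-2014-7828 commit message above, as an added, self-contained model (example code written for this page, not FreeIPA's or 389-ds's own code). It assumes a hypothetical split rule where the trailing six characters of the supplied credential are the OTP value, a constructed one-user directory, and a simple-bind model in which a non-empty DN with an empty credential yields an anonymous session, which is the LDAP "unauthenticated" mechanism of RFC 4513 section 5.1.2. The point it shows is that a bind that merely does not raise is not the same as a bind that authenticated the user, and that rejecting an empty password up front closes the gap:

```python
import hmac

# Constructed sample directory for this model (not real FreeIPA data).
USERS = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=test": {
        "password": "correct horse",
        "otp": "123456",   # the token value we pretend is currently valid
    },
}


def ldap_simple_bind(dn, credential):
    """Model of a directory server's simple bind operation.

    Returns the resulting authorization state instead of raising. With a
    non-empty DN and an empty credential, LDAP specifies the 'unauthenticated'
    mechanism (RFC 4513, section 5.1.2): nothing is compared and the session
    ends up anonymous. This is the behaviour the commit attributes to 389.
    """
    if credential == "":
        return "anonymous"
    entry = USERS.get(dn)
    if entry is not None and hmac.compare_digest(entry["password"], credential):
        return "authenticated"
    raise PermissionError("invalid credentials")


def split_credential(credential, otp_len=6):
    """Assumed split rule for this example: the trailing otp_len chars are the OTP."""
    if len(credential) < otp_len:
        raise PermissionError("credential too short to contain an OTP")
    return credential[:-otp_len], credential[-otp_len:]


def check_otp(dn, otp):
    entry = USERS.get(dn)
    if entry is None or not hmac.compare_digest(entry["otp"], otp):
        raise PermissionError("invalid OTP")


def otp_bind_before(dn, credential):
    """Pre-fix behaviour: only an exception from the bind counts as failure."""
    password, otp = split_credential(credential)
    check_otp(dn, otp)
    ldap_simple_bind(dn, password)   # empty password -> anonymous, no error raised
    return "authenticated"


def otp_bind_after(dn, credential):
    """Post-fix behaviour: an empty password is denied before any bind happens."""
    password, otp = split_credential(credential)
    if password == "":
        raise PermissionError("empty password is not a valid credential")
    check_otp(dn, otp)
    # Also insist on the bind's actual outcome rather than on "it did not raise".
    if ldap_simple_bind(dn, password) != "authenticated":
        raise PermissionError("bind did not authenticate the user")
    return "authenticated"


def bind_outcome(handler, dn, credential):
    """Return 'authenticated' or 'denied' so the two handlers can be compared."""
    try:
        return handler(dn, credential)
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    dn = "uid=alice,cn=users,cn=accounts,dc=example,dc=test"
    for cred in ("correct horse123456", "123456", "wrong123456"):
        print(repr(cred).ljust(24),
              "before:", bind_outcome(otp_bind_before, dn, cred),
              " after:", bind_outcome(otp_bind_after, dn, cred))
```

Running the block prints that the OTP-only credential "123456" authenticates under the pre-fix handler and is denied under the fixed one, while the full password+OTP credential authenticates under both. The second check in otp_bind_after (comparing the bind's authorization state, not just the absence of an error) is the general lesson: any code that verifies a password by binding must treat an anonymous result as a failure.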
Defining schema-compat-ignore-subtree values for schema compat plugin config entries removes the
default value (ignore: cn=tasks,cn=config). This default value prevented deadlocks.
The schema plugin needs to scope the $SUFFIX and also any updates to its configuration.
This change restricts the schema compat to those subtrees. It replaces the definition of ignored subtrees,
which would be too long for cn=config (tasks, mapping tree, replication, snmp...).
https://fedorahosted.org/freeipa/ticket/4635
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fixes a memory leak, a library handle leak and a double free.
Also remove some redundant NULL checks before free to prevent false positives
in static code analysis.
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Also remove dead code in ipa-join and add initializer to a variable in
ipa-getkeytab to prevent false positives in static code analysis.
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Also remove dead code and explicitly mark an ignored return value to prevent
false positives in static code analysis.
https://fedorahosted.org/freeipa/ticket/4651
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This should not normally happen, but if it does, report an error instead of
waiting indefinitely for the certificate to appear.
https://fedorahosted.org/freeipa/ticket/4629
Reviewed-By: David Kupka <dkupka@redhat.com>
The KRA backend has been simplified since most of the tasks have
been moved somewhere else. The transport certificate will be
installed on the client, and it is not needed by KRA backend. The
KRA agent's PEM certificate is now generated during installation
due to permission issue. The kra_host() for now is removed since
the current ldap_enable() cannot register the KRA service, so it
is using the kra_host environment variable.
The KRA installer has been modified to use Dogtag's CLI to create
KRA agent and setup the client authentication.
The proxy settings have been updated to include KRA's URLs.
Some constants have been renamed for clarity. The DOGTAG_AGENT_P12
has been renamed to DOGTAG_ADMIN_P12 since the file actually contains
the Dogtag admin's certificate and private key and it can be used
to access both CA and KRA. The DOGTAG_AGENT_PEM has been renamed
to KRA_AGENT_PEM since it can only be used for KRA.
The Dogtag dependency has been updated to 10.2.1-0.1.
https://fedorahosted.org/freeipa/ticket/4503
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
IPA uses both the named and named-pkcs11 services.
If named is masked, use named-pkcs11 instead of raising an exception.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>