We attempt to delete the trust that might exist already. If there are not enough
privileges to do so, we wouldn't be able to create trust at the next step and it will fail.
However, failure to create trust will be due to the name collision as we already had
the trust with the same name before. Thus, raise access denied exception here
to properly indicate wrong access level instead of returning NT_STATUS_OBJECT_NAME_COLLISION.
https://fedorahosted.org/freeipa/ticket/4202
Reviewed-By: Martin Kosek <mkosek@redhat.com>
forest trust
Even though we are creating idranges for subdomains only in case
there is algorithmic ID mapping in use, we still need to fetch
list of subdomains for all other cases.
https://fedorahosted.org/freeipa/ticket/4205
Remove a reference to the old deprecated LDAP API invoked by
the usage of trust_add method.
https://fedorahosted.org/freeipa/ticket/4204
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
With --pkey-only only primary key is returned. It makes no sense to check and
replace boolean values then.
https://fedorahosted.org/freeipa/ticket/4196
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Dialog loses focus when the links are clicked making the dialog uncontrollable by keyboard. This patch focuses the link again after expanding/collapsing the error list. Thus keeping the focus in a dialog
https://fedorahosted.org/freeipa/ticket/4097
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
When admin clears authdata flag for the service principal, KDC will pass
NULL client pointer (service proxy) to the DAL driver.
Make sure we bail out correctly.
Reviewed-By: Tomáš Babej <tbabej@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Bind instance is configured using a short-circuited way when replica is set up.
Make sure required properties are in place for that.
https://fedorahosted.org/freeipa/ticket/4186
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
In the parameters system, we have been checking for a positive list of values
which get converted to None. The problem is that this method can in some
cases throw warnings when type coercion doesn't work (particularly, string
to unicode). Instead, any values that evaluate to False that are neither
numeric nor boolean should be converted to None.
Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
When restoring files from backup, we do use an incorrect order of
operations - we first restore SELinux context and then copy the
files from backup, when we need to do the exact opposite.
https://fedorahosted.org/freeipa/ticket/4133
Reviewed-By: Jan Pazdziora <jpazdziora@redhat.com>
Originally we made them all optional as a workaround for the lack of SELFDN
support in 389DS. However, with the advent of SELFDN, this hack is no longer
necessary. This patch updates TOTP to match HOTP in this regard.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
With the --all --raw options, the code assumed attribute-level rights
were set on ipaPermissionV2 attributes, even on permissions that did not
have the objectclass.
Add a check that the data is present before using it.
https://fedorahosted.org/freeipa/ticket/4121
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This class was built into the framework from its early days but it's
not used anywhere.
Remove it along with its tests
https://fedorahosted.org/freeipa/ticket/3460
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This plugin prevents the deletion or deactivation of the last
valid token for a user. This prevents the user from migrating
back to single factor authentication once OTP has been enabled.
Thanks to Mark Reynolds for helping me with this patch.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If an error occurs in the start up sequence in ipactl start/restart,
all the services are stopped. Using the --force option prevents
stopping of services that have successfully started, just skips the
services which can not be started.
ipactl status now shows stopped services also, if the directory
server is running.
With the contribution of Ana Krivokapic
https://fedorahosted.org/freeipa/ticket/3509
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Change the target filter to be multivalued.
Make the `type` option on permissions set location and an
(objectclass=...) targetfilter, instead of location and target.
Make changing or unsetting `type` remove existing
(objectclass=...) targetfilters only, and similarly,
changing/unsetting `memberof` to remove (memberof=...) only.
Update tests
Part of the work for: https://fedorahosted.org/freeipa/ticket/4074
Reviewed-By: Martin Kosek <mkosek@redhat.com>
fixed by starting the directory server when restarting if it is not
currently running to enable fetching running services
later restart didn't check that
also added a check, that if the directory server started at the
beginning, there is no need to restart it
https://fedorahosted.org/freeipa/ticket/4050
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When ipa client installation fails due to failed Kerberos authentication,
make sure that the message about the failed authentication is displayed last.
This makes it clear to the user that this was the reason for failed
installation.
https://fedorahosted.org/freeipa/ticket/3573
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Older versions of dnspython have problems with implicit values for
size and h/v precision so our tests use explicit value.
See https://github.com/rthalley/dnspython/issues/47
This change is necessary because we want to test if data visible
over DNS protocol matches data visible over LDAP.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
- Fractional parts of integers are not mandatory.
- Expressions containing only size or only size + horizontal precision
are allowed.
- N/S/W/E handling was fixed.
See RFC 1876 section 3 for details.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
C99 is supported on all compilers we target and
provides some useful features, including:
* Standard struct initializers
* Compound literals
* For-loop declarations
* Standard bool type
* Variable arrays (use with caution)
* Too many others to mention...
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This handles the case where a user is configured for OTP in ipaUserAuthType,
but the user has not yet created any tokens. Until the user creates tokens,
the user should still be able to log in via password. This logic already
exists in LDAP, but ipa-kdb needs to perform the same validation to know
what data to return to the KDC.
https://fedorahosted.org/freeipa/ticket/4154
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This adds support for managed permissions. The attribute list
of these is computed from the "default" (modifiable only internally),
"allowed", and "excluded" lists. This makes it possible to cleanly
merge updated IPA defaults and user changes on upgrades.
The default managed permissions are to be added in a future patch.
For now they can only be created manually (see test_managed_permissions).
Tests included.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4033
Design: http://www.freeipa.org/page/V3/Managed_Read_permissions
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Sometimes, we will want to do more than just call IPA commands and
check the output. This patch makes it possible to add arbitrary
functions to Declarative tests. They will be called as part of
the sequence of tests.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Construct the ACI string from permission entry directly
in the permission plugin.
This is the next step in moving away from ipalib.aci.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
With this change, shortcut options like memberof and type will be
aplied on the server, not on the client.
This will allow us to pass more information than just updated options.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
