The command was added in API version 2.107. Old IPA servers may crash with
NetworkError on ca_is_enabled, handle this case gracefully.
https://fedorahosted.org/freeipa/ticket/4565
Reviewed-By: David Kupka <dkupka@redhat.com>
When CA certificates in LDAP are corrupted, use the otherwise acquired CA
certificates from before.
https://fedorahosted.org/freeipa/ticket/4565
Reviewed-By: David Kupka <dkupka@redhat.com>
The get*_r_wrapper() calls expect a maximum buffer size to avoid memory
shortage if too many threads try to allocate buffers e.g. for large
groups. With this patch this size can be configured by setting
ipaExtdomMaxNssBufSize in the plugin config object
cn=ipa_extdom_extop,cn=plugins,cn=config.
Related to https://fedorahosted.org/freeipa/ticket/4908
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The getXXYYY_r() calls require a buffer to store the variable data of
the passwd and group structs. If the provided buffer is too small ERANGE
is returned and the caller can try with a larger buffer again.
Cmocka/cwrap based unit-tests for get*_r_wrapper() are added.
Resolves https://fedorahosted.org/freeipa/ticket/4908
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Currently only nss-wrapper is checked, checks for other crwap libraries
can be added e.g. as
AM_CHECK_WRAPPER(uid_wrapper, HAVE_UID_WRAPPER)
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
BindInstance et al. now use STARTTLS to set up secure connection to DS during
ipa-dns-install. This fixes https://fedorahosted.org/freeipa/ticket/4933
Reviewed-By: Martin Basti <mbasti@redhat.com>
We use ntpd now to sync time before fetching a TGT during client
install. Unfortuantely, ntpd will hang forever if it is unable to
reach the NTP server.
This patch adds the ability for commands run via ipautil.run() to
have an optional timeout. This capability is used by the NTP sync
code that is run during ipa-client-install.
Ticket: https://fedorahosted.org/freeipa/ticket/4842
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
NSEC3PARAM is configurable only from zone commands. This patch removes
this record type from DNS records.
Ticket: https://fedorahosted.org/freeipa/ticket/4930
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Do not show parts options in help output, if record is marked as unsupported.
Ticket: https://fedorahosted.org/freeipa/ticket/4930
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Show records which are unsupported, if they are in LDAP.
Those records are not editable, and web UI doesnt show them.
Fixes traceback caused by --structured option
Ticket: https://fedorahosted.org/freeipa/ticket/4930
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Deadlock can occur if DNA plugin (shared) config and Schema-compat plugin config
are updated at the same time.
Schema-compat should ignore update on DNA config.
https://fedorahosted.org/freeipa/ticket/4927
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When restoring ipa after uninstallation we need to extract and load
configuration of the restored environment.
https://fedorahosted.org/freeipa/ticket/4896
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa-client-automount is run after ipa-client-install so the CA certificate
should be available. If the certificate is not available and ipadiscovery.ipacheckldap
returns NO_TLS_LDAP warn user and try to continue.
https://fedorahosted.org/freeipa/ticket/4902
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
- Add test for invalid run of the ipa-advise command
- Add tests for valid runs of the ipa-advise command
https://fedorahosted.org/freeipa/ticket/4029
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Currently the range check plugin will return a 'Range Check error'
message if a ldapmodify operation tries to change a non-existing object.
Since the range check plugin does not need to care about non-existing
objects we can just return 0 indicating that the range check plugin has
done its work.
Resolves https://fedorahosted.org/freeipa/ticket/4924
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The usage of lowercased varsion of 'Default Trust View' can no
longer be used to bypass the validation.
https://fedorahosted.org/freeipa/ticket/4915
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Since we dropped support for LANMAN hashes we do not need DES from OpenSSL
anymore. Stop including an testing for it.
Test for the MD4 algorythm instead whichis still used for the NT Hashes.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
We are linking with OpenSSL in 2 files, so make it clear we intentionally
add a GPLv3 exception to allow that linking by third parties.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
All FreeIPA original code should be licensed to GPL v3+ license,
update the respective files:
- daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c
Remove GPL v2.0 license files from LDIFs or template to keep
consistency.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Fixes the invalid attribute name reference in the
'System: Read User Addressbook Attributes' permission.
https://fedorahosted.org/freeipa/ticket/4883
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Adds xmlrpc tests for:
- Adding a user ID override with sshpubkey
- Modifying a user ID override to contain sshpubkey
- Removing a sshpubkey value from a user ID override
https://fedorahosted.org/freeipa/ticket/4868
Reviewed-By: Martin Kosek <mkosek@redhat.com>
This works if the change is made to a token which is owned and managed by the
same person. The new owner then automatically becomes token's manager unless
the attribute 'managedBy' is explicitly set otherwise.
https://fedorahosted.org/freeipa/ticket/4681
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
'ipa migrate-ds' will now exit with error message if no suitable users/groups
are found on LDAP server during migration.
https://fedorahosted.org/freeipa/ticket/4846
Reviewed-By: David Kupka <dkupka@redhat.com>
When processing cross-realm trust transitions, let the KDC to handle
those we don't know about. Admins might define the transitions as
explicit [capaths] in krb5.conf.
https://fedorahosted.org/freeipa/ticket/4791
Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
In this new MIT version the DAL interface changes slightly but
KRB5_KDB_DAL_MAJOR_VERSION was not changed.
Luckily KRB5_KDB_API_VERSION did change and that's enough to know
what to compile in.
Resolves: https://fedorahosted.org/freeipa/ticket/4861
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* removed unneeded reference increment
* added increment of Py_None
Part of ticket: https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Jan Cholasta <jcholast@redhat.com>