Commit Graph

7875 Commits

Author SHA1 Message Date
Martin Babinsky
d7863f3e1e show the exception message thrown by dogtag._parse_ca_status during install
https://fedorahosted.org/freeipa/ticket/4885

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2015-03-26 14:46:56 +01:00
Martin Babinsky
3284cbf773 migrate-ds: print out failed attempts when no users/groups are migrated
This patch should fix both https://fedorahosted.org/freeipa/ticket/4846 and
https://fedorahosted.org/freeipa/ticket/4952.

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-03-23 13:08:41 +01:00
Jan Cholasta
f0a49b962c upload_cacrt: Fix empty cACertificate in cn=CAcert
https://fedorahosted.org/freeipa/ticket/4565

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-03-19 14:39:22 +00:00
Jan Cholasta
6e672109ea client: Fix ca_is_enabled calls
The command was added in API version 2.107. Old IPA servers may crash with
NetworkError on ca_is_enabled, handle this case gracefully.

https://fedorahosted.org/freeipa/ticket/4565

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-03-19 14:39:22 +00:00
Jan Cholasta
ad77613be6 client-install: Do not crash on invalid CA certificate in LDAP
When CA certificates in LDAP are corrupted, use the otherwise acquired CA
certificates from before.

https://fedorahosted.org/freeipa/ticket/4565

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-03-19 14:39:22 +00:00
Jan Cholasta
4154c8893f certstore: Make certificate retrieval more robust
https://fedorahosted.org/freeipa/ticket/4565

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-03-19 14:39:22 +00:00
Sumit Bose
179be3c222 extdom: fix memory leak
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-18 17:02:09 +00:00
Sumit Bose
c55632374d extdom: return LDAP_NO_SUCH_OBJECT to the client
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-18 17:00:53 +00:00
Sumit Bose
ec7a55a056 extdom: make nss buffer configurable
The get*_r_wrapper() calls expect a maximum buffer size to avoid memory
shortage if too many threads try to allocate buffers e.g. for large
groups. With this patch this size can be configured by setting
ipaExtdomMaxNssBufSize in the plugin config object
cn=ipa_extdom_extop,cn=plugins,cn=config.

Related to https://fedorahosted.org/freeipa/ticket/4908

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-18 12:40:55 +01:00
Sumit Bose
5bd4b7a09d extdom: handle ERANGE return code for getXXYYY_r() calls
The getXXYYY_r() calls require a buffer to store the variable data of
the passwd and group structs. If the provided buffer is too small ERANGE
is returned and the caller can try with a larger buffer again.

Cmocka/cwrap based unit-tests for get*_r_wrapper() are added.

Resolves https://fedorahosted.org/freeipa/ticket/4908

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-18 12:40:55 +01:00
Sumit Bose
cc6fc3728c Add configure check for cwrap libraries
Currently only nss-wrapper is checked, checks for other crwap libraries
can be added e.g. as

AM_CHECK_WRAPPER(uid_wrapper, HAVE_UID_WRAPPER)

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-03-18 12:40:55 +01:00
Martin Babinsky
41ca3fb499 ipa-dns-install: use STARTTLS to connect to DS
BindInstance et al. now use STARTTLS to set up secure connection to DS during
ipa-dns-install. This fixes https://fedorahosted.org/freeipa/ticket/4933

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-03-18 12:32:57 +01:00
Nathan Kinder
80aeb445e2 Timeout when performing time sync during client install
We use ntpd now to sync time before fetching a TGT during client
install.  Unfortuantely, ntpd will hang forever if it is unable to
reach the NTP server.

This patch adds the ability for commands run via ipautil.run() to
have an optional timeout.  This capability is used by the NTP sync
code that is run during ipa-client-install.

Ticket: https://fedorahosted.org/freeipa/ticket/4842
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2015-03-16 15:55:26 +01:00
Gabe
169a37d1a8 ipa-replica-prepare can only be created on the first master
https://fedorahosted.org/freeipa/ticket/4944

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-03-13 14:46:45 +01:00
Martin Basti
939fd3dd6c Fix dead code in ipap11helper module
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-03-11 14:32:20 +01:00
Martin Basti
5f191e85e9 DNS: remove NSEC3PARAM from records
NSEC3PARAM is configurable only from zone commands. This patch removes
this record type from DNS records.

Ticket: https://fedorahosted.org/freeipa/ticket/4930
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-03-09 15:22:32 +01:00
Martin Basti
d89fca7ea9 DNS fix: do not show part options for unsupported records
Do not show parts options in help output, if record is marked as unsupported.

Ticket: https://fedorahosted.org/freeipa/ticket/4930
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-03-09 15:22:32 +01:00
Martin Basti
56f0eb443c DNS fix: do not traceback if unsupported records are in LDAP
Show records which are unsupported, if they are in LDAP.
Those records are not editable, and web UI doesnt show them.

Fixes traceback caused by --structured option

Ticket: https://fedorahosted.org/freeipa/ticket/4930
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-03-09 15:22:32 +01:00
Petr Spacek
8fefd63152 p11helper: clarify error message
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-03-06 10:58:10 +01:00
Petr Spacek
40f56e5f38 p11helper: use sizeof() instead of magic constants
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-03-06 10:58:10 +01:00
Petr Spacek
a6d7e8df60 p11helper: standardize indentation and other visual aspects of the code
https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-03-06 10:58:10 +01:00
Martin Basti
4e2ddfb553 Remove unused method from ipap11pkcs helper module
Ticket: https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-03-06 10:54:21 +01:00
Martin Basti
508ad92b71 Fix memory leaks in ipap11helper
Ticket: https://fedorahosted.org/freeipa/ticket/4657
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-03-06 10:54:21 +01:00
Martin Basti
c411d6a908 DNSSEC add support for CKM_RSA_PKCS_OAEP mechanism
Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:13
Reviewed-By: Petr Spacek <pspacek@redhat.com>
2015-03-06 10:54:21 +01:00
root
5c3611481a Limit deadlocks between DS plugin DNA and slapi-nis
Deadlock can occur if DNA plugin (shared) config and Schema-compat plugin config
	are updated at the same time.
	Schema-compat should ignore update on DNA config.

	https://fedorahosted.org/freeipa/ticket/4927

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-03-05 13:34:25 +00:00
David Kupka
253f9adae7 Restore default.conf and use it to build API.
When restoring ipa after uninstallation we need to extract and load
configuration of the restored environment.

https://fedorahosted.org/freeipa/ticket/4896

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-03-05 12:18:00 +00:00
David Kupka
0344f246c2 Use IPA CA certificate when available and ignore NO_TLS_LDAP when not.
ipa-client-automount is run after ipa-client-install so the CA certificate
should be available. If the certificate is not available and ipadiscovery.ipacheckldap
returns NO_TLS_LDAP warn user and try to continue.

https://fedorahosted.org/freeipa/ticket/4902

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2015-03-05 10:59:01 +01:00
Gabe
ddd7fb6a68 ipatests: Add tests for valid and invalid ipa-advise
- Add test for invalid run of the ipa-advise command
- Add tests for valid runs of the ipa-advise command

https://fedorahosted.org/freeipa/ticket/4029

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-02-26 20:57:49 +01:00
Gabe
3ab7f551f8 ipa-replica-prepare should document ipv6 options
https://fedorahosted.org/freeipa/ticket/4877

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-02-26 00:55:30 +01:00
Sumit Bose
e8b3ed3596 ipa-range-check: do not treat missing objects as error
Currently the range check plugin will return a 'Range Check error'
message if a ldapmodify operation tries to change a non-existing object.
Since the range check plugin does not need to care about non-existing
objects we can just return 0 indicating that the range check plugin has
done its work.

Resolves https://fedorahosted.org/freeipa/ticket/4924

Reviewed-By: Tomas Babej <tbabej@redhat.com>
2015-02-24 22:47:36 +01:00
Tomas Babej
96624f2189 idviews: Use case-insensitive detection of Default Trust View
The usage of lowercased varsion of 'Default Trust View' can no
longer be used to bypass the validation.

https://fedorahosted.org/freeipa/ticket/4915

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-02-23 17:51:21 +01:00
Simo Sorce
840903c497 Stop including the DES algorythm from openssl.
Since we dropped support for LANMAN hashes we do not need DES from OpenSSL
anymore. Stop including an testing for it.
Test for the MD4 algorythm instead whichis still used for the NT Hashes.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2015-02-23 16:27:22 +01:00
Simo Sorce
ecbef04692 Add a clear OpenSSL exception.
We are linking with OpenSSL in 2 files, so make it clear we intentionally
add a GPLv3 exception to allow that linking by third parties.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2015-02-23 16:25:54 +01:00
Martin Kosek
4ddcca6435 Remove references to GPL v2.0 license
All FreeIPA original code should be licensed to GPL v3+ license,
update the respective files:

- daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c

Remove GPL v2.0 license files from LDIFs or template to keep
consistency.

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-02-20 15:40:42 +01:00
Tomas Babej
73f6d69adf ipalib: Make sure correct attribute name is referenced for fax
Fixes the invalid attribute name reference in the
'System: Read User Addressbook Attributes' permission.

https://fedorahosted.org/freeipa/ticket/4883

Reviewed-By: Martin Kosek <mkosek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-02-19 18:36:16 +01:00
Tomas Babej
6667701315 ipatests: Add coverage for adding and removing sshpubkeys in ID overrides
Adds xmlrpc tests for:
  - Adding a user ID override with sshpubkey
  - Modifying a user ID override to contain sshpubkey
  - Removing a sshpubkey value from a user ID override

https://fedorahosted.org/freeipa/ticket/4868

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-02-19 17:03:06 +01:00
Petr Vobornik
bfef4d2496 ipatests: add missing ssh object classes to idoverrideuser
Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-02-19 17:03:06 +01:00
Petr Vobornik
7f560c5da1 Become IPA 4.1.3 2015-02-18 14:18:54 +01:00
Martin Babinsky
c985de1ee6 Changing the token owner changes also the manager
This works if the change is made to a token which is owned and managed by the
same person. The new owner then automatically becomes token's manager unless
the attribute 'managedBy' is explicitly set otherwise.

https://fedorahosted.org/freeipa/ticket/4681

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2015-02-18 13:55:27 +01:00
Martin Kosek
2dd54c9f33 group-detach does not add correct objectclasses
https://fedorahosted.org/freeipa/ticket/4874

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2015-02-18 13:18:31 +01:00
Petr Vobornik
f1abbbca45 Fix TOTP Synchronization Window label
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
2015-02-17 08:26:42 +01:00
Gabe
0ffe759d09 permission-add does not prompt for ipapermright in interactive mode
- Add flag "ask_create" to ipalib/plugins/permission.py
- Bump API version

https://fedorahosted.org/freeipa/ticket/4872

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-02-16 16:39:37 +01:00
Martin Babinsky
f7e6102ebf migrate-ds: exit with error message if no users/groups to migrate are found
'ipa migrate-ds' will now exit with error message if no suitable users/groups
are found on LDAP server during migration.

https://fedorahosted.org/freeipa/ticket/4846

Reviewed-By: David Kupka <dkupka@redhat.com>
2015-02-16 16:33:46 +01:00
Alexander Bokovoy
6d6e924b1f ipa-kdb: reject principals from disabled domains as a KDC policy
Fixes https://fedorahosted.org/freeipa/ticket/4788

Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-02-16 16:30:57 +01:00
Alexander Bokovoy
0d3b4cd3ec ipa-kdb: when processing transitions, hand over unknown ones to KDC
When processing cross-realm trust transitions, let the KDC to handle
those we don't know about. Admins might define the transitions as
explicit [capaths] in krb5.conf.

https://fedorahosted.org/freeipa/ticket/4791

Reviewed-By: Sumit Bose <sbose@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-02-16 16:29:59 +01:00
Simo Sorce
6162426999 Handle DAL ABI change in MIT 1.13
In this new MIT version the DAL interface changes slightly but
KRB5_KDB_DAL_MAJOR_VERSION was not changed.

Luckily KRB5_KDB_API_VERSION did change and that's enough to know
what to compile in.

Resolves: https://fedorahosted.org/freeipa/ticket/4861

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2015-02-13 08:54:34 +01:00
Jan Cholasta
caf70a11b2 Bump 389-ds-base and pki-ca dependencies for POODLE fixes
https://fedorahosted.org/freeipa/ticket/4653

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-02-10 15:37:41 +00:00
Martin Basti
2f4ed3cb32 Fix reference counting in pkcs11 extension
* removed unneeded reference increment
* added increment of Py_None

Part of ticket: https://fedorahosted.org/freeipa/ticket/4657

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2015-02-10 15:30:38 +00:00
Martin Babinsky
919f0db93f ipa-client-install: put eol character after the last line of altered config file(s)
https://fedorahosted.org/freeipa/ticket/4864

Reviewed-By: Martin Basti <mbasti@redhat.com>
2015-02-10 12:54:29 +01:00
Gabe
d251e5219e Typos in ipa-rmkeytab options help and man page
https://fedorahosted.org/freeipa/ticket/4890

Reviewed-By: Martin Kosek <mkosek@redhat.com>
2015-02-10 08:30:46 +01:00