Commit Graph

11783 Commits

Author SHA1 Message Date
Christian Heimes
dca9f84961 Address more 'to login'
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-12-12 12:53:21 +01:00
Christian Heimes
ae3160fdd7 Fix grammar error: Log out
https://pagure.io/freeipa/issue/7258

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-12-12 12:53:21 +01:00
Christian Heimes
3756dbf964 Fix grammar in login screen
https://pagure.io/freeipa/issue/7263

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-12-12 12:53:21 +01:00
Rob Crittenden
d7aa7945e8 Run server upgrade in ipactl start/restart
During a distro upgrade, e.g. F-26 to F-27, networking may not
be available which will cause the upgrade to fail. Despite this
the IPA service can be subsequently restarted running new code
with old data.

This patch relies on the existing version-check cdoe to determine
when/if an upgrade is required and will do so during an ipactl
start or restart.

The upgrade is now run implicitly in the spec file and will
cause the server to be stopped after the package is installed
if the upgrade fails.

Fixes: https://pagure.io/freeipa/issue/6968

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-12 12:08:35 +01:00
Christian Heimes
7fbbf6689e Add make targets for fast linting and testing
Fast linting only needs modified files with pylint and diff with
pycodestyle. It's good enough to detect most code errors very fast. It
typically takes less than 10 seconds. A complete full pylint run uses
all CPU cores for several minutes. PEP 8 violations are typically
reported after 30 minutes to several hours on Travis CI.

Fast lintings uses git diff and git merge-base to find all modified
files in a branch or working tree. There is no easy way to find the
branch source. On Travis the information is provided by Travis. For
local development it's a new variable IPA_GIT_BRANCH in VERSION.m4.

Fast testing execute all unit tests that do not depend on ipalib.api.

In total it takes about 30-40 seconds (!) to execute linting, PEP 8 checks
and unittests for both Python 2 and 3.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-11 20:40:06 +01:00
Christian Heimes
b98f9b46de Add marker needs_ipaapi and option to skip tests
The new marker needs_ipaapi is used to mark tests that needs an
initialized API (ipalib.api) or some sort of other API services (running
LDAP server) to work. Some packages use api.Command or api.Backend on
module level. They are not marked but rather skipped entirely.

A new option ``skip-ipaapi`` is added to skip all API based tests. With
the option, only simple unit tests are executed. As of now, freeIPA
contains more than 500 unit tests that can be executed in about 5
seconds.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-12-11 20:40:06 +01:00
Christian Heimes
ec4620ecb2 Add python_requires to Python package metadata
freeIPA 4.6 and 4.7 requires Python 2.7 or >= 3.5.

https://pagure.io/freeipa/issue/7294

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-11 15:32:45 +01:00
Fraser Tweedale
34f73b4a94 install: report CA Subject DN and subject base to be used
Currently we do not report what Subject DN or subject base will be
used for the CA installation.  This leads to situations where the
administrator wants a different Subject DN later.  Display these
data as part of the "summary" prior to the final go/no-go prompt in
ipa-server-install and ipa-ca-install.

The go/no-go prompt in ipa-ca-install is new.  It is suppressed for
unattended installations.

Fixes: https://pagure.io/freeipa/issue/7246
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-11 12:06:28 +01:00
Michal Reznik
29d0f8673c test_x509: test very long OID
Active Directory creates OIDs long enough to trigger a failure.
This can cause e.g. ipa-server-install failure when installing
with an externally-signed CA.

https://pagure.io/freeipa/issue/7300

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-11 12:05:16 +01:00
Fraser Tweedale
39fdc2d250 ipa_certupdate: avoid classmethod and staticmethod
Because classmethod and staticmethod are just fancy ways of calling
plain old functions, turn the classmethods and staticmethods of
CertUpdate into plain old functions.

This improves readability by making it clear that the behaviour of
the routines cannot depend on instance or class variables.

Part of: https://pagure.io/freeipa/issue/6577

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Fraser Tweedale
97942a7c7a Run certupdate after promoting to CA-ful deployment
After installing a CA in a CA-less installations (using
ipa-ca-install), the new CA certificate is not installed in
/etc/httpd/alias. This causes communication failure between IPA
framework and Dogtag (it cannot verify the Dogtag server
certificate).

Perform a CertUpdate as the final step when promoting a CA-less
deployment to CA-ful.

Fixes: https://pagure.io/freeipa/issue/7230
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Fraser Tweedale
8960141adb ipa-ca-install: run certupdate as initial step
When installing a CA replica, perform a certupdate to ensure that
the relevant CA cert is present.  This is necessary if the admin has
just promoted the topology from CA-less to CA-ful but didn't
manually run ipa-certupdate afterwards.

Fixes: https://pagure.io/freeipa/issue/6577
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Fraser Tweedale
93d53e5cd0 CertUpdate: make it easy to invoke from other programs
The guts of ipa-certupdate are useful to execute as part of other
programs (e.g. as a first step of ipa-ca-install).  Refactor
ipa_certupdate.CertUpdate to make it easy to do that.  In
particular, make it possible to use an already-initialised API
object.

Part of: https://pagure.io/freeipa/issue/6577

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-11 08:35:04 +01:00
Mohammad Rizwan Yusuf
feee70d7bb ipatest: replica install with existing entry on master
replica install might fail because of existing entry for replica like
    `cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX` etc. The situation
    may arise due to incorrect uninstall of replica or ipa server-del is
    not executed on master.

    related bug : https://pagure.io/freeipa/issue/7174

Fixes: https://pagure.io/freeipa/issue/7276

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-11 08:32:39 +01:00
Alexander Bokovoy
c19eb49935 ipaserver/plugins/trust.py: pep8 compliance
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2017-12-07 21:18:51 +02:00
Alexander Bokovoy
a57f613314 trust: detect and error out when non-AD trust with IPA domain name exists
Quite often users choose wrong type of trust on Active Directory side
when setting up a trust to freeIPA. The trust type supported by freeIPA
is just a normal forest trust to another Active Directory. However,
some people follow old internet recipes that force using a trust to MIT
Kerberos realm.

This is a wrong type of trust. Unfortunately, when someone used MIT
Kerberos realm trust, there is no way to programmatically remote the
trust from freeIPA side. As result, we have to detect such situation and
report an error.

To do proper reporting, we need reuse some constants and trust type
names we use in IPA CLI/Web UI. These common components were moved to
a separate ipaserver/dcerpc_common.py module that is imported by both
ipaserver/plugins/trust.py and ipaserver/dcerpc.py.

Fixes https://pagure.io/freeipa/issue/7264

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2017-12-07 21:18:51 +02:00
Alexander Bokovoy
956e265fae ipaserver/plugins/trust.py; fix some indenting issues
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2017-12-07 21:18:51 +02:00
Fraser Tweedale
3eb3844353 renew_ra_cert: fix update of IPA RA user entry
The post-save hook for the RA Agent certificate invokes
cainstance.update_people_entry with the DER certificate instead of a
python-cryptograpy Certificate object.  Apply to correct type.

Fixes: https://pagure.io/freeipa/issue/7282
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-07 17:28:12 +01:00
Christian Heimes
8700101d98 Remove Custodia keys on uninstall
Keys are removed from disk and LDAP

https://pagure.io/freeipa/issue/7253

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-07 16:55:40 +01:00
Christian Heimes
1505922c2b NSSDB: use preferred convert command
After further testing, Kai Engert proposed to use -N with -f -@ to
convert a NSSDB from DBM to SQL format.

https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql#Upgrade.2Fcompatibility_impact

https://pagure.io/freeipa/issue/7049

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-07 16:46:10 +01:00
Florence Blanc-Renaud
891cced446 Improve help message for ipa trust-add --range-type
Add the correct procedure for re-running ipa trust-add with a different
range type.

Fixes:
https://pagure.io/freeipa/issue/7308

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-07 14:00:27 +01:00
Fraser Tweedale
ba411b0f6d Re-enable some KRA installation tests
Some KRA installation tests were disabled due to failures caused by
security domain session replication lag.  This problem has been
addressed in Dogtag by introducing a default 5 second sleep after
security domain login, to give more time for session data to be
replicated to other hosts.  There is still a possibility for this
kind of failure, but the delay minimises it.

FreeIPA depends on the version of Dogtag that contains this change,
so remove the failing-test annotations.

Fixes: https://pagure.io/freeipa/issue/7220
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-07 13:03:30 +01:00
Fraser Tweedale
c42c440de5 Use correct version of Python in RPM scripts
Fixes: https://pagure.io/freeipa/issue/7299
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-12-07 13:02:26 +01:00
Christian Heimes
be09823fd5 Skip test_rpcclient_context in client tests
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-06 16:54:04 +01:00
Christian Heimes
c1f275f9eb Update to python-ldap 3.0.0
Replace python3-pyldap with python3-ldap.

Remove some old code for compatibility with very old python-ldap.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2017-12-06 16:54:04 +01:00
Rob Crittenden
01bfe2247e If the cafile is not present or readable then raise an exception
This can happen on the API level if a user passes in None as
cafile or if the value passed in does not exist or is not
readable by the IPA framework user.

This will also catch situations where /etc/ipa/ca.crt has
incorrect permissions and will provide more useful information
than just [Errno 13] Permission denied.

https://pagure.io/freeipa/issue/7145

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-04 10:29:19 -05:00
Rob Crittenden
e8a26afb94 Add test to ensure that properties are being set in rpcclient
Upon a connection several values should be available within
the connextion context. Test that they are being set properly.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-04 10:29:19 -05:00
Rob Crittenden
17bda0b1a5 Use the CA chain file from the RPC context
The value can be passed in the create_connection() call but
wasn't used outside that call. It already defaults to
api.env.tls_ca_cert so the context.ca_certfile should be used
instead so the caller can override the cert chain on a
per-connection basis. This may be handy in the future when
there is IPA-to-IPA trust, or for IPA-to-IPA migration.

https://pagure.io/freeipa/issue/7145

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-12-04 10:29:19 -05:00
Michal Reznik
1ec3d54d55 test_batch_plugin: fix py2/3 failing assertion
When running "test_batch_plugin" with Py2 against Py3 server we
got assertion error due to a command trying to run as bytes.

E.g.: unknown command 'b'ping''

https://pagure.io/freeipa/issue/7131

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-30 15:51:24 +01:00
Christian Heimes
f45d72af83 Update builddep command to install Python 3 and tox deps
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-11-30 13:47:54 +01:00
Alexander Bokovoy
78ad1cfe4f ipa-extdom-extop: refactor nsswitch operations
Refactor nsswitch operations in ipa-extdom-extop plugin to allow use
of timeout-enabled nsswitch calls provided by libsss_nss_idmap.

Standard POSIX nsswitch API has no way to cancel requests which may
cause ipa-extdom-extop requests to hang far too long and potentially
exhaust LDAP server workers. In addition, glibc nsswitch API iterates
through all nsswitch modules one by one and with multiple parallel
requests a lock up may happen in an unrelated nsswitch module like
nss_files.so.2.

A solution to the latter issue is to directly load nss_sss.so.2 plugin
and utilize it. This, however, does not solve a problem with lack of
cancellable API.

With SSSD 1.16.1, libsss_nss_idmap provides a timeout-enabled variant of
nsswitch API that is directly integrated with SSSD client side machinery
used by nss_sss.so.2. As result, this API can be used instead of loading
nss_sss.so.2 directly.

To support older SSSD version, both direct loading of nss_sss.so.2 and
new timeout-enabled API are supported by this changeset. An API to
abstract both is designed to be a mix between internal glibc nsswitch
API and external nsswitch API that libsss_nss_idmap mimics. API does not
expose per-call timeout. Instead, it allows to set a timeout per
nsswitch operation context to reduce requirements on information
a caller has to maintain.

A choice which API to use is made at configure time.

In order to test the API, a cmocka test is updated to explicitly load
nss_files.so.2 as a backend. Since use of nss_sss.so.2 would always
depend on availablility of SSSD, predictable testing would not be
possible without it otherwise. Also, cmocka test does not use
nss_wrapper anymore because nss_wrapper overrides higher level glibc
nsswitch API while we are loading an individual nsswitch module
directly.

As result, cmocka test overrides fopen() call used by nss_files.so.2 to
load /etc/passwd and /etc/group. An overridden version changes paths to
/etc/passwd and /etc/group to a local test_data/passwd and
test_data/group. This way we can continue testing a backend API for
ipa-extdom-extop with the same data as with nss_wrapper.

Fixes https://pagure.io/freeipa/issue/5464

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2017-11-30 11:38:03 +02:00
Alexander Bokovoy
64f4c71dd6 test_dns_plugin: cope with missing IPv6 in Travis
If IPv6 is not enabled, cope with the possibility to get incomplete
output back from the IPA CLI.

To do so, use lambda to analyze the result rather than explicit
comparison with the expected output.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-29 15:55:00 +02:00
Alexander Bokovoy
868c7e7c91 travis-ci: collect logs from cmocka tests
When 'make check' is run, automake produces logs for each test to be ran.
Collect all the logs from the tests.

Also prepare the template to quickly enable use of gdb with traceback
in case a test is crashing. To use it, add LOG_COMPILE definition to
the 'make' line.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-29 15:55:00 +02:00
Alexander Bokovoy
8ec4b8159e ipa-kdb: override krb5.conf when testing KDC code in cmocka
When testing KDC code in cmocka we rely on libkrb5 defaults.
libkrb5 would read /etc/krb5.conf by default and would load a KDB
module from there if it is defined for the test realm (EXAMPLE.COM).

Since EXAMPLE.COM is a common name used for test realms, make sure to
not using /etc/krb5.conf from the system. Instead, force KRB5_CONFIG to
/dev/null so that only libkrb5 compiled-in defaults are in use.

In such setup libkrb5 will attempt to load KDB driver db2 for our test
realm. db2 driver doesn't fail if its database is not available (unlike
FreeIPA's one), so it survives initialization.

As result, ipa-kdb-tests pass without unexpected breakage.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-29 15:55:00 +02:00
Christian Heimes
4069c129ea Add workaround for pytest 3.3.0 bug
pytest is setting an env var PYTEST_CURRENT_TEST to the test name + test
parameters. If parameters happen to contain NULL bytes, the putenv()
call fails with "ValueError: embedded null byte". The workaround uses
repr() of test parameters as parameter id.

See https://github.com/pytest-dev/pytest/issues/2957
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-11-28 19:43:15 +01:00
Petr Čech
cd80036b6b
tests: Mark failing tests as failing
Some tests from installation suite fail.
The issues are:

* ipa-replica-install --setup-kra if first KRA in topology fails
  https://pagure.io/freeipa/issue/7008

* Third KRA installation in topology fails
  https://pagure.io/freeipa/issue/7220

This patch marks those tests as failing.

Signed-off-by: Petr Čech <pcech@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2017-11-28 09:45:32 +01:00
Florence Blanc-Renaud
19138c5ba3 Fix ca less IPA install on fips mode
When ipa-server-install is run in fips mode and ca-less, the installer
fails when the keys are provided with --{http|dirsrv|pkinit}-cert-file
in a separate key file.

The installer transforms the key into PKCS#8 format using
openssl pkcs8 -topk8
but this command fails on a fips-enabled server, unless the options
-v2 aes256 -v2prf hmacWithSHA256
are also provided.

Fixes:
https://pagure.io/freeipa/issue/7280

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-27 17:51:03 +01:00
Christian Heimes
f528a44865 Fix dict iteration bug in dnsrecord_show
In structured mode, dict size is modified by del record[attr].

https://pagure.io/freeipa/issue/7275

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-11-27 11:46:54 +01:00
Christian Heimes
191605efd6 Reproducer for bug in structured dnsrecord_show
"RuntimeError: dictionary changed size during iteration" in
ipaserver/plugins/dns.py", line 3209, in postprocess_record

https://pagure.io/freeipa/issue/7275

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-11-27 11:46:54 +01:00
Aleksei Slaikovskii
197b5ca639 ipalib/frontend.py output_for_cli loops optimization
Trivial fix which removes unnecessary for loops.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-23 19:18:43 +01:00
Tomas Krizek
4af36de102 prci: define testing topologies
Define usable topologies for upstream integration testing in PR CI.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Felipe Barreto <fbarreto@redhat.com>
2017-11-23 19:13:06 +01:00
Christian Heimes
c468e32012 Use Python 3 on Travis
Removes Travis workaround "group: deprecated-2017Q3"

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-23 18:31:30 +01:00
Florence Blanc-Renaud
a94ba732ab Fix ipa-replica-install when key not protected by PIN
When ipa-replica-install is called in a CA-less environment, the certs,
keys and pins need to be provided with --{http|dirsrv|pkinit}-cert-file and
--{http|dirsrv|pkinit}-pin. If the pin is not provided in the CLI options,
and in interactive mode, the installer prompts for the PIN.
The issue happens when the keys are not protected by any PIN, the installer
does not accept an empty string and keeps on asking for a PIN.

The fix makes sure that the installer accepts an empty PIN. A similar fix
was done for ipa-server-install in
https://pagure.io/freeipa/c/4ee426a68ec60370eee6f5aec917ecce444840c7

Fixes:
https://pagure.io/freeipa/issue/7274

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-23 13:29:54 +01:00
Michal Reznik
d3a2a9be24 test_vault: increase WAIT_AFTER_ARCHIVE
Fixes failing "ipa vault-retrieve" on replica due to a vault
not yet replicated. Increase from 30 to 45 seems to be enough.

https://pagure.io/freeipa/issue/7265

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-11-22 15:19:52 +01:00
Christian Heimes
57787f647e Prevent installation of Py2 and Py3 mod_wsgi
FreeIPA is either compatible with Python 2 mod_wsgi or Python 3
mod_wsgi. mod_wsgi can not coexist in the same Apache process as
mod_wsgi_python3. When both mod_wsgi and python3-mod_wsgi are installed,
the first loaded module wins and the other one is never loaded.

Add conflict on the other module to prevent installation of both
modules.

https://pagure.io/freeipa/issue/7161

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-22 09:51:56 +01:00
Tomas Krizek
e11bb3122d
prci: start testing PRs on fedora 27
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-11-21 16:56:44 +01:00
Christian Heimes
e1bd827bbf Require UTF-8 fs encoding
http://blog.dscpl.com.au/2014/09/setting-lang-and-lcall-when-using.html

https://pagure.io/freeipa/issue/5887

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-11-21 16:13:28 +01:00
Christian Heimes
ba037a3551 libotp: add libraries after objects
Add dependency on external libraries after dependency on internal
objects so the linker can correctly pick up all symbols.

https://pagure.io/freeipa/issue/7189

Original patch by Rob Crittenden

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-11-21 09:36:27 +01:00
Christian Heimes
9e640190ee
Run tox tests for PyPI packages on Travis
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-11-20 17:01:59 +01:00
Pavel Vomacka
04da856256 WebUI: make Domain Resolution Order writable
Objectclass which defines the Domain Resolution Order is added to
the object only after modification. Therefore before modification of
object the attributelevelrights does not contain the 'domainresolutionorder'
attribute and the WebUI evaluates field as not writable.

'w_if_no_aci' flag was designed to make writable those fields
for which we don't have attributelevelrights.

https://pagure.io/freeipa/issue/7169

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-11-16 19:54:49 +02:00