There were cases where DNS plugin was too tolerant in a raw DNS
record option (--<rrtype-rec) processing. It let people specify
DNS record parts options in dnsrecord-mod operations for some
record without specifying the record that should be updated. It
also ignored DNS record parts in dnsrecord-add operation when the
raw DNS record value was already set via --<rrtype>-rec option.
This patch hardens the processing and returns error in both
described cases to make the processes clearer and more robust.
All these use cases were also covered by new unit tests.
https://fedorahosted.org/freeipa/ticket/2551
Some of these are not real defects, because we are guaranteed to have valid
context in some functions, and checks are not necessary.
I added the checks anyway in order to silence Coverity on these issues.
One meleak on error condition was fixed in
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
Silence errors in ipa-client/ipa-getkeytab.c, the code looks wrong, but it is
actually fine as we count before hand so we never actually use the wrong value
that is computed on the last pass when p == 0
Fixes: https://fedorahosted.org/freeipa/ticket/2488
DNS plugin contains several RR type record validators run in
pre_callback which cannot be used as standard param validator
as it needs more data and resources that standard validators
provide. However, the precallback validators are not run for
DNS records created by new structured options and thus an invalid
value may slip in.
This patch moves the execution of these precallback validators
_after_ the processing of structured DNS options. It also cleans
them up a little and makes them more robust.
https://fedorahosted.org/freeipa/ticket/2550
get_allowed_attributes function was improved to look for allowed
attributes also in the superior objectclasses of specified objectclass.
This fixes the regression caused by patch for ticket #2293. Test-case
for unit-test was also created.
https://fedorahosted.org/freeipa/ticket/2293
Splitting on commas is not an idempotent operation:
'a,b\,c' -> ('a', 'b,c') -> ('a', 'b', 'c')
That means we can't do it when the call is forwarded, so this is only
done on the CLI. The UI already sends values as a tuple.
Replace escaping in the csv parser with quoting. Quoted strings can have
embedded commas instead of having to escape them. This prevents the csv
parser from eating all escape characters.
Also, document Param's csv arguments, and update tests.
https://fedorahosted.org/freeipa/ticket/2417https://fedorahosted.org/freeipa/ticket/2227
DNS forwarder's value can consist of IP address and a port.
The syntax is '<IP ADDRESS> port <PORT>'. A new validator was created for this purpose. It is based on IP address validator.
https://fedorahosted.org/freeipa/ticket/2490
dnsconfig was extended of new attributes, so reflecting it in UI.
New attributes:
* idnsForwardPolicy
* idnsAllowSyncPTR
* idnsZoneRefresh
https://fedorahosted.org/freeipa/ticket/2489
Add a support for new global options in bind-dyndb-ldap, that is:
* idnsforwardpolicy: Default policy for conditional forwarding
* idnsallowsyncptr: Allow globaly PTR synchronization for dynamic
updates
* idnszonerefresh: Default interval between regular polls of the
name server for new DNS zones
https://fedorahosted.org/freeipa/ticket/2439
Let user enter custom ports for zone conditional forwarders or
global forwarders in dnsconfig. Ports can be specified in
a standard BIND format: IP_ADDRESS [port PORT]
https://fedorahosted.org/freeipa/ticket/2462
For general command-line errors we want to use the cli_name on output.
The exception is when using *attr, we want to return that attribute name
in the exception.
https://fedorahosted.org/freeipa/ticket/1418
Building the ipa rpms returns this:
warning: File listed twice: /usr/share/ipa/ui/extension.js
This is because of a glob:
%{_usr}/share/ipa/ui/*.js
and then more specifically:
%config(noreplace) %{_usr}/share/ipa/ui/extension.js
https://fedorahosted.org/freeipa/ticket/2253
If an error content is displayed a successfull refresh doesn't show properly populated facet content. This patch adds show_content call to refresh success handlers which solves the problem.
https://fedorahosted.org/freeipa/ticket/2449
When an error which caused calling of report_error occurt, the content of a facet got replaced by error message. There was no way how to force the facet to recreate its content and the facet became unusable.
This patch creates a containter for an error message. On error, report_error writes its content to error container, content container is hidden and error container is shown. Older comment in a code suggested to move the error message to facet's footer. A message in a footer could be missed by the user and on top of that a footer is sometimes used by various facet and we would have to solve the same problem again.
From experience the cause of an error is usually a missing pkey in a path. Therefore error information suggests user to navigate to top level. It causes to load default facets with default values so errors in navigation state shouldn't happen.
Facet content is displayed back on facet_show. If user tries to display same object as before facet's need_update() would return false, therefore need_update was modified to always return true if error is displayed.
Reproduction:
1) display any nested entity - ie DNS record
2) delete its parent pkey from path - &dnszone-pkey=example.com
3) reload the page with this path
https://fedorahosted.org/freeipa/ticket/2449
Some of our tests checked for exceptions using an error-prone
try block: they allowed the expected exception to pass, but sometimes
forgot an else block, so the test passed when an exception wasn't
thrown.
This changes the tests to use the appropriate nose tools (raises,
assert_raises).
For consistency, tests that had a correct else block are also changed.
Also fix some test problems that were hidden by the above:
- in some sudorule and HBAC tests, change the *_add_user argument name
from `users` to `user`
- don't remove HBAC testing data while it was still used
in_server controls how a method is dispatched, it should not also control
what plugins are imported.
This suppresses the error message "session memcached servers not running."
https://fedorahosted.org/freeipa/ticket/2499
HBAC Test validation message contains all missing values in form of list of links instead of general 'missing values' message and redirection to first missing value's facet.
When a link is clicked user is redirected to value's facet.
https://fedorahosted.org/freeipa/ticket/2182
Problem:
When value in checkbox is modified twice in a row (so it is at its original value) an 'undo' button is still visible even when it shouldn't be.
Cause:
IPA server sends boolean values as 'TRUE' or 'FALSE' (strings). Checkbox_widget converts them to JavaScript? boolean (true, false). Save method in checkbox_widget is returning array with a boolean. So test_dirty method always evaluates to dirty because 'FALSE' != false.
This patch is fixing the problem.
https://fedorahosted.org/freeipa/ticket/2494
IPA winsync plugin failed to replicate users when default user group
was non-posix even though User Private Groups (UPG) were enabled
on the server. Both their uidNumber and gidNumber were empty and
they missed essential object classes. When the default user group
was made posix and UPG was disabled it did not set gidNumber to
the default group gidNumber.
This patch improves this behavior to set gidNumber correctly
according to UPG configuration and the default group status
(posix/non-posix). 4 situations can occur, the following list
specifies what value is assigned to user gidNumber:
1) Default group posix, UPG enabled: gidNumber = UPG gidNumber
2) Default group posix, UPG disabled: gidNumber = default
group gidNumber
3) Default group non-posix, UPG enabled: gidNumber = UPG gidNumber
4) Default group non-posix, UPG disabled: an error is printed to
the dirsrv log as the gidNumber cannot be retrieved. User
is replicated in the same way as before this patch, i.e.
without essential object classes.
https://fedorahosted.org/freeipa/ticket/2436
This will add it on upgrades too and any new certs issued will have
a subject key identifier set.
If the user has customized the profile themselves then this won't be
applied.
https://fedorahosted.org/freeipa/ticket/2446
Empty sequences (and sequences of empty strings) are normalized
to None, but the member filter code expected a list.
This patch extends a test for missing options to also catch
false values.
The functional change is from `if param_name in options:` to
`if options.get(param_name):`; the rest of the patch is code
de-duplication and tests.
These are CSV params with csv_skipspace set, so on the CLI, empty
set is given as a string with just spaces and commas (including
the empty string).
https://fedorahosted.org/freeipa/ticket/2479
We were comparing the current connection with itself so were never
going to call nss_shutdown(). dbdir needs to be set after the connection
has been made.
This worked on single server installs because we don't do a ping so
NSS would never be pre-initialized. If multiple servers are available we
call ping() to find one that is up before submitting the request, this is
what would have pre-initialized NSS.
This was tripping up request-cert because it will intialize NSS with no DB
if it hasn't been initialized. We need to initialize it to validate the
CSR.
A non-working client was doing this when calling cert-request:
- call load_certificate_request()
- nss.nss_nodb_init()
- load the CSR
- create a connection, dbdir=/etc/pki/nssdb
- the dbdir matches within the same connection, don't call nss_shutdown()
- connect to remote server
- fail, untrusted CA because we are still using db from nss_nodb_init.
Instead if we set dbdir afterward then this will properly be shutdown
and NSS re-initialized with correct dbdir.
https://fedorahosted.org/freeipa/ticket/2498
When a table is displaying a record set without entity's pkey attribute. A checkbox value isn't properly prepared. This patch adds the preparation (converts value to string).
https://fedorahosted.org/freeipa/ticket/2404
New version of openldap (openldap-2.4.26-6.fc16.x86_64) changed its
ABI and broke our TLS connection in ipa-replica-manage. This makes
it impossible to connect for example to Active Directory to set up
a winsync replication. We always receive a connection error stating
that Peer's certificate is not recognized even though we pass
a correct certificate.
This patch fixes the way we set up TLS. The change is backwards
compatible with older versions of openldap.
https://fedorahosted.org/freeipa/ticket/2500
The dn value needs to be quoted otherwise it is interpreted to be a
multi-value.
This will replace whatever value is currently set.
https://fedorahosted.org/freeipa/ticket/2452
Ticket #2274 implements a check for compat plugin and warns user if
it is enabled. However, there are 2 issues connected with the plugin:
1) The check is performed against the remote (migrated) LDAP server
and not the local LDAP server, which does not make much sense
2) When the compat plugin is missing in cn=plugins,cn=config, it
raises an error and thus breaks the migration
This patch fixes both issues.
https://fedorahosted.org/freeipa/ticket/2508
Server framework calls acutil.res_send() to send DNS queries used
for various DNS tests. However, once acutil is imported it does
not change its list of configured resolvers even when
/etc/resolv.conf is changed. This may lead to unexpected
resolution issues.
We should at least reload httpd when we change /etc/resolv.conf to
point to FreeIPA nameserver to force a new import of acutil and
thus workaround this bug until it is resolved in authconfig.
https://fedorahosted.org/freeipa/ticket/2481
The `required` parameter attribute didn't distinguish between cases
where the parameter is not given and all, and where the parameter is
given but empty. The case of updating a required attribute couldn't
be validated properly, because when it is given but empty, validators
don't run.
This patch introduces a new flag, 'nonempty', that specifies the
parameter can be missing (if not required), but it can't be None.
This flag gets added automatically to required parameters in CRUD
Update.
Previously the commands were compared as serialized strings.
Differences in serializations meant commands with special characters
weren't found in the checked list.
Use the DN class to compare DNs correctly.
https://fedorahosted.org/freeipa/ticket/2483
We did not accept answers like "Yes", "YES", "No", etc. as valid
answers to yes/no prompts (used for example in dnsrecord-del
interactive mode). This could confuse users. This patch changes
the behavior to ignore the answer case.
https://fedorahosted.org/freeipa/ticket/2484
Older client machines may request DES keys not supported in newer
KDCs. Thsi was causing the entire request to fail as well as client
enrollment.
https://fedorahosted.org/freeipa/ticket/2424
The client installer was failing because a backend connection could be
created before a kinit was done.
Allow multiple simultaneous connections. This could fail with an NSS
shutdown error when the second connection was created (objects still
in use). If all connections currently use the same database then there
is no need to initialize, let it be skipped.
Add additional logging to client installer.
https://fedorahosted.org/freeipa/ticket/2478
Option '--noac' was added. If set, the ipa-client-install will not call
authconfig for setting nsswitch.conf and PAM configuration.
https://fedorahosted.org/freeipa/ticket/2369
