Use ding-libs to parse /etc/ipa/default.conf to find the IPA server
to contact by default.
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/2203
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Simple regexp substitution caused that the domain directive fell under
an inapprorpiate section, if the domain directive was not present. Hence
the idmapd.conf file was not properly parsed.
Use IPAChangeConf to put the directive in its correct place even if it
the domain directive is missing.
https://fedorahosted.org/freeipa/ticket/5069
Reviewed-By: Gabe Alford <redhatrises@gmail.com>
The IPAChangeConf normallizes section names to lower case. There are
cases where this behaviour might not be desirable, so provide a way to
opt out.
https://fedorahosted.org/freeipa/ticket/5069
Reviewed-By: Gabe Alford <redhatrises@gmail.com>
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing
Dogtag 9 CA and CA DS instances are disabled on upgrade.
Creating a replica of a Dogtag 9 IPA master is still supported.
https://fedorahosted.org/freeipa/ticket/5197
Reviewed-By: David Kupka <dkupka@redhat.com>
See https://lintian.debian.org/tags/manpage-has-errors-from-man.html for
an explanation. Issues found were
ipa-client-install.1.gz 208: warning [p 5, 4.0i]: cannot adjust line
default.conf.5.gz 50: warning: macro `np' not defined
Reviewed-By: Martin Basti <mbasti@redhat.com>
The module name was lowercased in Python 3.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, these modules are reorganized.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
StandardError was removed in Python3 and instead
Exception should be used.
Signed-off-by: Robert Kuska <rkuska@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The six way of doing this is to replace all occurences of "unicode"
with "six.text_type". However, "unicode" is non-ambiguous and
(arguably) easier to read. Also, using it makes the patches smaller,
which should help with backporting.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
This mimics Python 3's behavior, where sys.argv is automatically decoded
using file system encoding, as returned by sys.getfilesystemencoding(). This
includes reimplementation of os.fsdecode() from Python 3.
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
The form`raise Error, value` is deprecated in favor of `raise Error(value)`,
and will be removed in Python 3.
Use the new syntax.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In Python 3, `print` is no longer a statement. Call it as a function
everywhere, and include the future import to remove the statement
in Python 2 code as well.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Python 2 has keys()/values()/items(), which return lists,
iterkeys()/itervalues()/iteritems(), which return iterators,
and viewkeys()/viewvalues()/viewitems() which return views.
Python 3 has only keys()/values()/items(), which return views.
To get iterators, one can use iter() or a for loop/comprehension;
for lists there's the list() constructor.
When iterating through the entire dict, without modifying the dict,
the difference between Python 2's items() and iteritems() is
negligible, especially on small dicts (the main overhead is
extra memory, not CPU time). In the interest of simpler code,
this patch changes many instances of iteritems() to items(),
iterkeys() to keys() etc.
In other cases, helpers like six.itervalues are used.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
sys.exc_value is deprecated since Python 1.5, and was removed in Python 3.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.
- Removed Backend.krb and KRB5_CCache classes
They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
Using api.env.realm instead of krbV call
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Use Python-3 compatible syntax, without breaking compatibility with py 2.7
- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
strict type checking checking, e.g. type(0).
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When DBus is present in the system it is always running.
Starting of certmomger is handled in ipapython/certmonger.py module if
necessary. Restarting is no longer needed since freeipa is not changing
certmonger's files.
https://fedorahosted.org/freeipa/ticket/5095
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When installing IPA client in debug mode, the ntpd command spawned during
initial time-sync with master KDC will also run in debug mode.
https://fedorahosted.org/freeipa/ticket/4931
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Python 3 doesn't support tuple unpacking in except clauses. All implicit
tuple unpackings have been replaced with explicit unpacking of e.args.
https://fedorahosted.org/freeipa/ticket/5120
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This reverts commit ea7f392bb9.
The option can be either set in IPA config file or specified as
'ipa -e skip_version_check=1 [COMMAND]'.
https://fedorahosted.org/freeipa/ticket/4768
Reviewed-By: Martin Basti <mbasti@redhat.com>
Increasing memcache timeout to 600 seconds when configuring sssd on IPA server
should improve performance when dealing with large groups in trusts.
https://fedorahosted.org/freeipa/ticket/4964
Reviewed-By: Martin Basti <mbasti@redhat.com>
A new plugin has been added to manage vaults. Test scripts have
also been added to verify the functionality.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
When rolling back partially configured IPA client a number of OSErrors pop up
due to uninstaller trying to remove files that do not exist anymore. This
patch supresses these errors while keeping them in log as debug messages.
https://fedorahosted.org/freeipa/ticket/4966
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Detected NTP servers from SRV records should be used in NTP client
configuration.
https://fedorahosted.org/freeipa/ticket/4981
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Calls to ipautil.run using kinit were replaced with calls
kinit_keytab/kinit_password functions implemented in the PATCH 0015.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
New option '--kinit-attempts' enables the host to make multiple attempts to
obtain host TGT from master before giving up and aborting client installation.
In addition, all kinit attempts were replaced by calls to
'ipautil.kinit_keytab' and 'ipautil.kinit_password'.
https://fedorahosted.org/freeipa/ticket/4808
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
When --no-ntp is specified during ipa-client-install, we still
attempt to perform a time sync before obtaining a TGT from the
KDC. We should not be attempting to sync time with the KDC if
we are explicitly told to not configure ntp.
Ticket: https://fedorahosted.org/freeipa/ticket/4842
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The command was added in API version 2.107. Old IPA servers may crash with
NetworkError on ca_is_enabled, handle this case gracefully.
https://fedorahosted.org/freeipa/ticket/4565
Reviewed-By: David Kupka <dkupka@redhat.com>
