Longer-running CLI commands sometimes fail with "gateway time out" although
the task still runs and finishes on the server, without notifying the CLI.
Increasing the socket timeout should solve this.
https://fedorahosted.org/freeipa/ticket/5833
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Add option to preserve user to the delete dialog on active user's details page.
The delete dialog is the same as on the page of all active users.
https://fedorahosted.org/freeipa/ticket/5370
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Add an option to the add-host dialog which allows showing the generated OTP.
This patch also changes the way of informing the user about the success of adding a host,
but only when the 'Generate OTP' option is checked. There is a new dialog with the
generated OTP.
https://fedorahosted.org/freeipa/ticket/4602
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Remove no_members=False from because topologysuffix_attribute doesn't
have no_members option, and this causes errors in replication.py
https://fedorahosted.org/freeipa/ticket/4995
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
According to review feedback, I changed the help message as follows:
$ ipa cert_revoke -h
Usage: ipa [global-options] cert-revoke SERIAL-NUMBER [options]
Revoke a certificate.
Options:
-h, --help show this help message and exit
--revocation-reason=INT
Reason for revoking the certificate (0-10). Type "ipa
help cert" for revocation reason details.
https://fedorahosted.org/freeipa/ticket/5819
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Gabe Alford <redhatrises@gmail.com>
'no_cli' is not a valid flag in the parameters scope, so to hide an option from
the CLI the 'no_option' flag should be used.
https://fedorahosted.org/freeipa/ticket/4995
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In all *-find commands, member attributes shouldn't be processed, because the
high number of LDAP searches causes serious performance issues. For this
reason the --no-members option is set by default in CLI and API.
To get members in a *-find command, the --all option is required in CLI, or
'no_members=False' or 'all=True' must be set in the API call.
For other commands, processing of members stays unchanged. The WebUI is not
affected by this change.
https://fedorahosted.org/freeipa/ticket/4995
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
With many members, commands became slow. Making this option public allows
users to speed up searches.
https://fedorahosted.org/freeipa/ticket/4995
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
zanata.xml should not contain <locale>, because this tag is deprecated
and locales are handled/configured on the server side. Also locale
mappings are done on server side.
https://fedorahosted.org/freeipa/ticket/5915
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.
This upgrade has to be done on each IPA DNS server independently.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.
This procedure is still not complete because we need to handle global
forwarders in named.conf too (independently on each server).
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.
This procedure is still not complete because we need to handle global
forwarders too (in LDAP and in named.conf on each server).
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
Ad-hoc LDAP calls in the DNS upgrade code were hard to maintain, and
ipaConfigString was a bad idea from the very beginning as it was hard to
manipulate the number in it.
To avoid problems in the future we are introducing a new ipaDNSVersion
attribute which is used on cn=dns instead of ipaConfigString.
The original value of ipaConfigString is kept in the tree for now
so older upgraders see it and do not execute the upgrade procedure again.
The attribute can be changed only by the installer/upgrade, so it is not
exposed in the dnsconfig_mod API.
The dnsconfig_show command displays it only if the --all option was used.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
The code was duplicate and less generic anyway.
As a side-effect I had to re-wrap dns.exception.DNSException into a
PublicError so it can be displayed to the user.
DNSError is now a superclass for other DNS-related errors. Errors from the
DNS resolver are re-raised as DNSResolverError.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
After discussion with Martin Basti we decided to standardize on root_logger
with the hope that one day we will use root_logger.getLogger('module')
to make logging prettier and tunable per module.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
This is preparatory work to avoid (future) cyclic import between
ipapython.dnsutil and ipapython.ipautil.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
Forwarding policy "first" or "none" may conflict with some automatic empty
zones. Queries for zones specified by RFC 6303 will ignore
forwarding and recursion and always result in NXDOMAIN answers.
This is not detected and warned about. Global forwarding is equivalent
to forward zone ".".
Example:
Forward zone 1.10.in-addr.arpa with policy "first"
will not forward anything because BIND will automatically prefer
automatic empty zone "10.in-addr.arpa." which is authoritative.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, the keys() method of mappings returns a KeyView object
that reflects the mapping's state. In LDAPEntry, this means that
the collection returned by keys() is case-insensitive and supports
aliases.
Part of the fix for: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
In Python 3, dict.items() returns a view.
When such a view is iterated over, the dict cannot change size.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Python 3's JSON module provides line number information in
its parsing error. Update the test to expect this.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Order of Python dicts/sets was always unreliable, but in Python 3
it's usually different every time. This affects the order in which
values of a LDAP attribute appear.
LDAP values are also specified to be unordered.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
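The two Python 3 behaviours the commits above rely on, shown as an added example (not FreeIPA code and independent of LDAPEntry): a keys() view observes later changes to the mapping, resizing a dict while iterating over its items() view raises RuntimeError, and values with unreliable ordering are compared as multisets rather than as lists. The function names and the sample dicts are constructed for this illustration.

```python
"""Python 3 dict views and unordered value comparison (added example)."""
from collections import Counter


def keys_view_reflects_state(d):
    # Take the view once, then mutate the dict: the view must see the new key.
    view = d.keys()
    before = len(view)
    d["added"] = 1
    return before, len(view), "added" in view


def mutate_while_iterating(d):
    # Adding keys while iterating over items() resizes the dict mid-iteration;
    # Python 3 detects this on the next step and raises RuntimeError.
    try:
        for key, value in d.items():
            d[key + "_copy"] = value
    except RuntimeError as exc:
        return str(exc)
    return None


def mutate_safely(d):
    # Snapshot the items into a list first; the list is not a live view,
    # so the dict may grow freely inside the loop.
    for key, value in list(d.items()):
        d[key + "_copy"] = value
    return sorted(d)


def same_values_unordered(a, b):
    # Multi-valued attributes are unordered: compare them as multisets so a
    # test does not depend on set/dict iteration order.
    return Counter(a) == Counter(b)


if __name__ == "__main__":
    print(keys_view_reflects_state({"cn": "x", "sn": "y"}))
    print(mutate_while_iterating({"cn": "x"}))
    print(mutate_safely({"cn": "x", "sn": "y"}))
    print(same_values_unordered(["a", "b", "b"], ["b", "a", "b"]))
```

The snapshot in mutate_safely is the usual fix when a loop must add or drop keys; same_values_unordered is what a test should use instead of asserting a fixed list of attribute values.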
In Python 3, the module name changed from 'ConfigParser' to
'configparser'. Use the appropriate location from six.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Using a pragma instead of guards is easier to write, less error prone
and avoids name clashes (a source of very subtle bugs). This pragma
is supported on almost all compilers, including all the compilers we
care about: https://en.wikipedia.org/wiki/Pragma_once#Portability.
This patch does not change the autogenerated files: asn1/asn1c/*.h.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
CA-less options were missing, as well as --allow-zone-overlap
and --auto-reverse.
Fix short option for --realm which was displayed as -d instead of -r.
https://fedorahosted.org/freeipa/ticket/5835
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
pylint 1.5 reports 'kw' as 'no-member' for PublicError and
PublicMessage. It is a false positive in both cases.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
If the user is configured for OTP or RADIUS authentication, insert the
relevant authentication indicator.
https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Sumit Bose <sbose@redhat.com>
Before this patch, if either password or password+otp were permitted,
only the otp preauth mech would be returned to the client. Now, the
client will receive either enc_ts or enc_chl in addition to otp.
https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Sumit Bose <sbose@redhat.com>
Before this patch, if the user was configured for either OTP or password
it was possible to do a 1FA authentication through ipa-otpd. Because this
correctly respected the configuration, it is not a security error.
However, once we begin to insert authentication indicators into the
Kerberos tickets, we cannot allow 1FA authentications through this
code path. Otherwise the ticket would contain a 2FA indicator when
only 1FA was actually performed.
To solve this problem, we have ipa-otpd send a critical control during
the bind operation which informs the LDAP server that it *MUST* validate
an OTP token for authentication to be successful. Next, we implement
support for this control in the ipa-pwd-extop plugin. The end result is
that the bind operation will always fail if the control is present and
no OTP is validated.
https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Sumit Bose <sbose@redhat.com>
This gives us a place to handle all OTP related controls. Also,
genericize otpctrl_present() so that the OID can be specified as an
argument to the function call.
These changes are preparatory for the subsequent patches.
https://fedorahosted.org/freeipa/ticket/433
Reviewed-By: Sumit Bose <sbose@redhat.com>
Some CA upgrade steps in the upgrader require a running CA. We always have to
start the CA and wait for running status using HTTP, because systemd may
return a false positive result that the CA is running even if the CA is just
starting and unable to serve.
https://fedorahosted.org/freeipa/ticket/5868
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Rename the `name` argument of Command.get_default_of to `_name` to avoid
conflicts with keyword arguments.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
This will make it possible to move the plugin modules between ipalib,
ipaclient and ipaserver without having to change the imports.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Copy arguments of vault_{add,mod,archive,retrieve} from
vault_{add,mod,archive,retrieve}_internal.
Also add missing LDAPCreate arguments to vault_add_internal.
This will make it possible to move the commands to ipaclient.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Move client-side code from the vault class to module-level functions.
This will make it possible to move the code to ipaclient without the vault
class bits.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Import DN from ipapython.dn rather than ipalib.plugins.baseldap.
This will make it possible to move otptoken_sync to ipaclient.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Replace code which references the DNSRecord and dnsrecord classes with
equivalent code which uses only generic data structures.
This will make it possible to move client code to ipaclient without
dnsrecord bits, DNSRecord and all its subclasses.
The conversion from record value to structured record can't be done on the
client without DNSRecord and subclasses. Introduce a new internal command
dnsrecord_split_parts to do the job on the server when necessary.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>