Remove no_members=False from because topologysuffix_attribute doesn't
have no_members option, and this causes errors in replication.py
https://fedorahosted.org/freeipa/ticket/4995
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In all *-find commands, member attributes shouldn't be processed due
high amount fo ldpaserches cause serious performance issues. For this
reason --no-members option is set by default in CLI and API.
To get members in *-find command option --all in CLI is rquired or
'no_members=False' or 'all=True' must be set in API call.
For other commands processing of members stays unchanged. WebUI is not
affected by this change.
https://fedorahosted.org/freeipa/ticket/4995
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.
This upgrade has to be done on each IPA DNS server independently.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.
This procedure is still not complete because we need to handle global
forwarders in named.conf too (independently on each server).
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
This change is necessary to override automatic empty zone configuration
in latest BIND and bind-dyndb-ldap 9.0+.
This procedure is still not complete because we need to handle global
forwarders too (in LDAP and in named.conf on each server).
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
Ad-hoc LDAP calls in DNS upgrade code were hard to maintain and
ipaConfigString was bad idea from the very beginning as it was hard to
manipulate the number in it.
To avoid problems in future we are introducing new ipaDNSVersion
attribute which is used on cn=dns instead of ipaConfigString.
Original value of ipaConfigString is kept in the tree for now
so older upgraders see it and do not execute the upgrade procedure again.
The attribute can be changed only by installer/upgrade so it is not
exposed in dnsconfig_mod API.
Command dnsconfig_show displays it only if --all option was used.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
After discussion with Martin Basti we decided to standardize on root_logger
with hope that one day we will use root_logger.getLogger('module')
to make logging prettier and tunable per module.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
This is preparatory work to avoid (future) cyclic import between
ipapython.dnsutil and ipapython.ipautil.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
Some CA upgrade steps in upgrader requires running CA. We have to always
start CA and wait for running status using http, because systemd may
return false positive result that CA is running even if CA is just
starting and unable to serve.
https://fedorahosted.org/freeipa/ticket/5868
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Replace API.import_plugins with a new method API.add_package which allows
loading plugin packages into an API object from a package object.
This makes loading of plugin packages loading consistent with loading of
plugin modules and classes.
Rename API.modules to API.packages and use package objects where
implemented to reflect the change.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
Include keyword arguments of exceptions in RPC responses. This is limited
to JSON-RPC, as XML-RPC does not support additional data in error
responses.
Include keyword arguments of messages in RPC responses.
Include keyword arguments of exceptions in batch command result.
https://fedorahosted.org/freeipa/ticket/4739
Reviewed-By: David Kupka <dkupka@redhat.com>
The CA renewal master flag was uncoditionally set on every replica during
replica install. This causes the Dogtag certificates initially shared
among all replicas to differ after renewal.
Do not set the CA renewal master flag in replica install anymore. On
upgrade, remove the flag from all but one IPA masters.
https://fedorahosted.org/freeipa/ticket/5902
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When trying to install a second time KRA, in case domain-level=0 the error lessage is not correct. It mentions :
"ipa-kra-install: error: A replica file is required."
Note that this behavior is not observed if domain-level=1
The subject of the fix consist in checking that KRA is not already installed before going ahead in the installation process.
Tests done: I have made the following tests in bot domain-level=0 and domain-level=1 :
- Install KRA (check it is correctly installed),
- Install KRA a second time (check that the correct error message is raised)
- uninstall KRA (check that it is correctly uninstalled)
- Install KRA again (check that it is correctly installed)
Reviewed-By: Petr Spacek <pspacek@redhat.com>
A regression caused replica installation to replace the FreeIPA
version of caIPAserviceCert with the version shipped by Dogtag.
During upgrade, detect and repair occurrences of this problem.
Part of: https://fedorahosted.org/freeipa/ticket/5881
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
An earlier change that unconditionally triggers import of file-based
profiles to LDAP during server or replica install results in
replicas overwriting FreeIPA-managed profiles with profiles of the
same name shipped with Dogtag. ('caIPAserviceCert' is the affected
profile).
Avoid this situation by never overwriting existing profiles during
the LDAP import.
Fixes: https://fedorahosted.org/freeipa/ticket/5881
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
In order to handle mal-formatted XML returned from Dogtag, added
exception handling around etree.fromstring function.
https://fedorahosted.org/freeipa/ticket/5885
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
This happens when upgrading from IPA <= 4.0 to versions 4.3+.
DNS caching might cause false positive in code which replaces master zone
with forward zone. This will effectivelly delete the master zone
without adding a replacement forward zone.
Solution is to use skip_overlap_check option for dnsforwardzone_add command
so zone existence check is skipped and the upgrade can proceed.
https://fedorahosted.org/freeipa/ticket/5851
Reviewed-By: Martin Basti <mbasti@redhat.com>
Forward policy defaults to 'first' if no IP address belonging to a private
or reserved ranges is detected on local interfaces (RFC 6303).
Defaults to only if a private IP address is detected.
This prevents problems with BIND automatic empty zones because
conflicting zones cannot be disabled unless forwarding policy == only.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
This option specified forward policy for global forwarders.
The value is put inside /etc/named.conf.
https://fedorahosted.org/freeipa/ticket/5710
Reviewed-By: Martin Basti <mbasti@redhat.com>
User in now notified about "Locked User account" message instead of
"The password or username you entered is incorrect" or any generic error
message
Fixes : https://fedorahosted.org/freeipa/ticket/5076
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
This prevents cases when hostname on system is set inconsistently
(transient and static hostname differs) and may cause IPA errors.
This commit ensures that all hostnames are set properly.
https://fedorahosted.org/freeipa/ticket/5794
Reviewed-By: David Kupka <dkupka@redhat.com>
File httpd.service was created by RPM, what causes that httpd service may
fail due IPA specific configuration even if IPA wasn't installed or was
uninstalled (without erasing RPMs).
With this patch httpd service is configured by httpd.d/ipa.conf during
IPA installation and this config is removed by uninstaller, so no
residual http configuration related to IPA should stay there.
https://fedorahosted.org/freeipa/ticket/5681
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ipa-replica-prepare could crash during addition of replica's PTR records if
there was no reverse zone managed by IPA and 'bindinstance.find_reverse_zone'
returns an unhandled None. The code will now issue a warning and skip the PTR
record addition in this case.
https://fedorahosted.org/freeipa/ticket/5740
Reviewed-By: Martin Basti <mbasti@redhat.com>
- User is now notified about "Kerberos Principal expiration" message instead of
"Wrong username or password" message.
- User is also notified about "Invalid password" message instead of
generic error message.
https://fedorahosted.org/freeipa/ticket/5077
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
When LDAP search fails on exceeded limits, we should raise an specific
exception for the type of limit raised (size, time, administrative) so that
the consumer can distinguish between e.g. searches returning too many entries
and those timing out.
https://fedorahosted.org/freeipa/ticket/5677
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Those values differ among distributions and there is no guarantee that they're
reserved. It's better to look them up based on HTTPD_USER's name.
https://fedorahosted.org/freeipa/ticket/5712
Reviewed-By: Martin Basti <mbasti@redhat.com>
Use ipaplatform.constants in every corner instead of importing other bits or calling
some platform specific things, and remove most of the remaining hardcoded uid's.
https://fedorahosted.org/freeipa/ticket/5343
Reviewed-By: David Kupka <dkupka@redhat.com>
Iteration over indexes without calling enumeration fuction is not pythonic and should not be used.
In this case iteration can be replaced by list comprehension. Fixing this allows to enable
pylint consider-using-enumerate check.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Fixes current reimports and enables pylint check for them
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Global variables should be defined in the outer space, not just marked
as global inside functions.
Removes unused global variables
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Bind DN is not used for client certificate authentication so they can be
safely removed.
https://fedorahosted.org/freeipa/ticket/5298
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
nsSSLCiphers: "default" provides only secure ciphers that should be used when
connecting to DS
https://fedorahosted.org/freeipa/ticket/5684
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The 'net' command fails unless smb.conf exists. Touch
the file prior to any 'net' call to make sure we do not crash
for this very reason.
https://fedorahosted.org/freeipa/ticket/5687
Reviewed-By: Martin Basti <mbasti@redhat.com>
pylint 1.5 prints many false positive no-member errors which are
supressed by this commit.
https://fedorahosted.org/freeipa/ticket/5615
Reviewed-By: David Kupka <dkupka@redhat.com>
