The lower version is needed while building on RHEL.
Also po/Rules-quot file is deleted and added to .gitignore.
https://fedorahosted.org/freeipa/ticket/6418
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Replace the dual definitions of domain_name, dm_password and admin_password
knobs in server install with single definitions using the original names
without the 'new_' prefix.
This fixes the options read from the installer option cache in step 2 of
external CA install to use the correct knob names.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
During the server installation, the installer requests certificates
through certmonger. The current timeout is 60s and is too low.
Increase this timeout to api.env.startup_timeout as done in
ipa_cacert_manage or ipa_certupdate.py
(the code checks the status each 5s up to the timeout value).
https://fedorahosted.org/freeipa/ticket/6433
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When a hostname is provided to host_port_open, it should check if
ports are open for ALL IPs that are resolved from the hostname, instead
of checking whether the port is reachable on at least one of the IPs.
https://fedorahosted.org/freeipa/ticket/6522
Reviewed-By: Petr Spacek <pspacek@redhat.com>
If permission-find is fired with an argument and sizelimit set
a message about truncation will be sent along with the result
as the search in post_callback() does general search instead
of having its filter properly set.
https://fedorahosted.org/freeipa/ticket/5640
Reviewed-By: Martin Basti <mbasti@redhat.com>
Make it easier to generate search filters properly
and in a unified way in any inheriting method
https://fedorahosted.org/freeipa/ticket/5640
Reviewed-By: Martin Basti <mbasti@redhat.com>
Instead of checking sysrestore status which leads to incorrect
evaluation of DNS configuration status during 4.2 -> 4.4 upgrade, look
into named.conf to see whther it was already modified by IPA installer.
https://fedorahosted.org/freeipa/ticket/6503
Reviewed-By: Martin Basti <mbasti@redhat.com>
https://github.com/martbab/ipa-docker-test-runner is now used to run the
following tasks in Travis CI:
* pull in a FreeIPA test runner Docker image
* configure/make lint/make rpms
* install rpms
* install FreeIPA server and KRA
* run out-of-tree tests
For performance reasons (last two steps are very time-consuming) the available
tests were split roughly in half and are run as two separate jobs to speed up
the process.
AD trust is not installed as part of tests since the enabled compat plugin
causes false negative errors.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Prepare a configuration file for
https://github.com/martbab/ipa-docker-test-runner. The latest
freeipa-fedora-test-runner Docker image (F25 as of time of writing this
message) will be used to run tests. Some of them will be purposefuly excluded
from the test suite, namely:
* test_integration and test_webui: for obvious reasons, CI tests require
complicated multi-host setup which is currently not achievable in Travis CI
* test_ipapython/test_keyring: Docker can not cope with storing and retrieving
secrets from Kernel keyring, that is a known issue
* test_xmlrpc/test_dns_plugin.py:test_dns_soa: There are 2-3 non-deterministic
failures in this suite in Travis CI, this suite was disabled until the root
cause is discovered and fixed/workarounded
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Currently we do not check Kerberos principal aliases when validating
a CSR. Enhance cert-request to accept the following scenarios:
- for hosts and services: CN and SAN dnsNames match a principal
alias (realm and service name must be same as nominated principal)
- for all principal types: UPN or KRB5PrincipalName othername match
any principal alias.
Fixes: https://fedorahosted.org/freeipa/ticket/6295
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Make sure all messages displayed on screen to the user can be found
in the log as well. The messages are also logged if the script is ran
in quiet mode.
https://fedorahosted.org/freeipa/ticket/6497
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Replica conncheck may fail for other reasons then network
misconfiguration. For example, an incorrect admin password might be
provided. Since conncheck is ran as a separate script in quiet mode,
no insightful error message can be displayed.
https://fedorahosted.org/freeipa/ticket/6497
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When the thread that opens ports would execute notify() before the
original thread could call wait(), the original thread would wait
indefinitely for a notify() call.
https://fedorahosted.org/freeipa/ticket/6487
Reviewed-By: Petr Spacek <pspacek@redhat.com>
permission-find: sizelimit option set to number of permissions -1
could return all permissions anyway
https://fedorahosted.org/freeipa/ticket/5640
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
permission_find() method would have failed if size_limit in config is too
small caused by a search in post_callback. This search should also
respect the passed sizelimit or the sizelimit from ipa config if no
sizelimit is passed.
https://fedorahosted.org/freeipa/ticket/5640
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
get_entries() wouldn't pass some arguments deeper to find_entries()
function it wraps. This would cause unexpected behavior in some
cases throughout the framework where specific (non-)limitations
are expected.
https://fedorahosted.org/freeipa/ticket/5640
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Env confdir is always populated so it should be listed among variables
set during a call to `Env._bootstrap()`.
https://fedorahosted.org/freeipa/ticket/6389
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Python-pyasn1-modules is needed because of this import:
from pyasn1_modules import rfc2459
in ipalib/x509.py.
Python-pyasn1-modules is required only by python-ldap package, but it would be
good to not rely on another package and rather say explicitely that
this package is necessary.
https://fedorahosted.org/freeipa/ticket/6398
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Let's relax the check for .git from directory to exists in order to
support freeipa in a git submodule. Submodules have a .git file with
content like
gitdir: ../.git/modules/freeipa
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
The environment variable IPA_CONFDIR overrides the default confdir path.
The value of the environment variable must be an absolute path to an existing
directory. The new variable makes it much simpler to use the 'ipa'
command and ipalib with a local configuration directory.
Some scripts (e.g. servers, installers, and upgrades) set the confdir
explicitly and do not support the env var.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
During thin client refactoring, LocalOrRemote class implementation of `run`
method was overriden by default Command implementation during instantiation of
client plugins from schema. This caused these commands to always forward this
request to IPA master.
This patch restores the original behavior: unless `--server` option was
specified, the commands will always print out local config.
https://fedorahosted.org/freeipa/ticket/6490
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
This reverts commit 1166fbc494. The proper fix
is to restore pre-thin client behavior of commands inheriting from
LocalOrRemote class.
https://fedorahosted.org/freeipa/ticket/6490
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.
The special contexts are:
* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates
The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.
https://fedorahosted.org/freeipa/ticket/6389
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipaplatform is not available in PyPI wheel packages. The guard silences
a pylint error in wheel pylint tests.
https://fedorahosted.org/freeipa/ticket/6474
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Fix version range typo in ipasetup.py.in.
Sorry, the bug slipped through my internal tests. The version pinning is
only relevant for make wheel_bundle. The wheel bundle target has been
failing from the start because python-nss has a build bug for wheels,
https://bugzilla.redhat.com/show_bug.cgi?id=1389739https://fedorahosted.org/freeipa/ticket/6468
Signed-off-by: Christian Heimes cheimes@redhat.com
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Previously, a separate thread would be created for each socket used
for conncheck. It would also time out after one second, after which it
would be closed and reopened again. This caused random failures of
conncheck.
Now all sockets are handled in a single thread and once the server
starts to listen on a port, it does not close that connection until the
script finishes.
Only IPv6 socket is used for simplicity, since it can handle both IPv6
and IPv4 connections. This requires IPv6 kernel support, which is
required by other parts of IPA anyway.
https://fedorahosted.org/freeipa/ticket/6487
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Setuptools 0.9.8 does not support PEP 440 version schema with +git
suffix and PEP 508 env markers.
https://fedorahosted.org/freeipa/ticket/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
python-cryptography versions < 1.3 no longer compile with recent OpenSSL
1.0.2 versions. In order to build wheels, a more recent version of
cryptography is required. 1.3.1 is the oldest well tested version (RHEL
7.3) that is known to work with FreeIPA.
Bump up in freeipa.spec is not required for technical reasons. The
problem only affects PyPI packages. It's policy to keep
requirements in sync.
https://fedorahosted.org/freeipa/ticket/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* make wheel_bundle no longer bundles ipaplatform
* ipaclient and ipalib use a consistent extra tag for the install
subpackage. `pip install ipalib[ipalib.install]` looks a bit silly.
https://fedorahosted.org/freeipa/ticket/6474
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
When running ipa-replica-install in domain-level 1, the installer
requests the LDAP and HTTP certificates using certmonger but does
not check the return code. The installer goes on and fails when
restarting dirsrv.
Fix: when certmonger was not able to request the certificate, raise an
exception and exit from the installer:
[28/45]: retrieving DS Certificate
[error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
https://fedorahosted.org/freeipa/ticket/6514
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
In some cases we need to check the result of kinit and print out the error
message. Therefore we need it to return the result.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
The PyPI package for python-gssapi 1.1.x has a packaging bug. It depends on
enum34 for Python 3 although it is only required for 2.7. 1.2.0 is the
oldest version that has been tested at length by QE. It's know to work.
Bump up in freeipa.spec is not required for technical reasons. The
packaging bug only affects PyPI packages. It's policy to keep
requirements in sync.
https://fedorahosted.org/freeipa/ticket/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
During the rebase of commit 822e1bc82a on top
of commit 808b1436b4, the call to track the
RA agent certificate with certmonger was accidentally removed from
ipa-replica-install.
Put the call back so that the certificate is tracked after replica install.
https://fedorahosted.org/freeipa/ticket/6392
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Fix some typos, missing or surplus dependencies.
* Remove setup requirement on wheel since it triggers download.
ipatests is now installable. Tests need further changes to be runable.
https://fedorahosted.org/freeipa/ticket/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
`__repr__` now returns more descriptive string containing the actual principal
name while keeping the ability to reconstruct the object from it.
This makes principal names visible in debug logs, easing troubleshooting a
bit.
https://fedorahosted.org/freeipa/ticket/6505
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Apparently "files" implementation of hosts NSS database cannot deal with
trailing period in host names.
Previously name server.example.com which is was resolvable neither using
dns nor myhostname NSS modules were rejected by installer
(despite having matching line in /etc/hosts).
These names which are resolvable purely using "files" database are now
accepted.
The problem is that I had to remove trailing period from names passed
to getaddrinfo() function. This effectivelly enables search list processing.
This means that items from the search list might be silently appended to
the query and we might get an IP address for totally different names
than we asked for.
Unfortunatelly I see no way around this while keeping ability
to use names from NSS hosts database.
https://fedorahosted.org/freeipa/ticket/6518
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Needed for basic certs in idoverrides tests
https://fedorahosted.org/freeipa/ticket/6412
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Milan Kubik <mkubik@redhat.com>
