Updated by "Update LINGUAS file" hook in Weblate.
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Co-authored-by: Weblate <noreply@weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The EXAMPLES section is missing .TP macros before some of
the provided examples, and they are displayed in the same paragraph.
Add .TP (tagged, indented paragraph) before each example.
Fixes: https://pagure.io/freeipa/issue/9252
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The creation of krb5.conf was moved to the end of the script
as part of maintaining server affinity during ipa-client-install.
If the installation is faster than replication then requests
against some IPA servers may fail because the client entry is
not yet present.
This is more difficult with certmonger as it will only use
/etc/krb5.conf. There is no way of knowing, even at the end
of the client installation, that replication has finished.
Certificate issuance may fail during ipa-client-install but
certmonger will re-try the request.
Fixes: https://pagure.io/freeipa/issue/9246
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
The API and VERSION files need to be updated
to hold the changes made in the 'idnssoaserial'
parameter.
Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
On the WebUI, the SOA serial textbox must be disabled (non-editable)
to prevent the 'ValidationError' message to be shown when this
specific field is manually set.
Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
The tests must be updated to not expect the
deprecation warning messages for the 'idnssoaserial'
parameter. Those should (successfully) fail when
'dnszone_add' and 'dnszone_mod' commands are
executed with the SOA serial parameter provided.
Also, due to this SOA serial deprecation, an
expected-to-fail test should be defined when a
DNS zone is added (dnszone_add) and the SOA serial
is passed as a parameter.
Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
A warning message (regarding the SOA serial deprecation) is shown
on the webui and CLI every time a new DNS zone is added (even if the
'--serial' option is not being explicitly set) or the SOA serial is modified.
This should be managed by setting the 'idnssoaserial' as deprecated and
not required parameter.
Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Scenario: call ipa otptoken-sync with
- an invalid password
- an invalid first token (containing non-digits)
- an invalid sequence of tokens
The test expects a return code = 1.
Related: https://pagure.io/freeipa/issue/9248
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The command ipa otptoken-sync does not properly handle
errors happening during the synchronization step.
- Even if an error is detected (such as invalid password
provided), the command exits with return code = 0. An
error message is displayed but the exit code should be 1.
- When an invalid token is provided, the token is not
synchronized but the error is not reported back to the
ipa otptoken-sync command.
The first issue can be fixed by raising an exception when
the HTTP response contains an header with an error.
The second issue is fixed by returning LDAP_INVALID_CREDENTIALS
to ldap bind with the sync control if synchronization fails.
Fixes: https://pagure.io/freeipa/issue/9248
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
A temporary krb5.conf is created early during client enrollment
and was previously used only during the initial ipa-join call.
The final krb5.conf was written soon afterward.
If there are multiple servers it is possible that the client
may then choose a different KDC to connect. If the client
is faster than replication then the client may not exist
on all servers and therefore enrollment will fail.
This was seen in performance testing of how many simultaneous
client enrollments are possible.
Use a decorator to wrap the _install() method to ensure the
temporary files created during installation are cleaned up.
https://pagure.io/freeipa/issue/9228
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
ipa-cacert-manage prune is removing the expired certs one
at a time and this may result in verifying that one of
the expired certs is still valid.
As a consequence, ipa-cacert-manage prune always fails
when more than 1 cert are expired.
To avoid the issue, remove all the expired certs in a single
pass, and validate only the ones that would remain after full
pruning.
Fixes: https://pagure.io/freeipa/issue/9244
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>