If the entry's krbPrincipalName attribute is multi-valued, accept any of
the values, not just the last one we happen to examine.
https://fedorahosted.org/freeipa/ticket/3966
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
The UPG Definition is always present in IPA; if it can not be read
it's usually caused by insufficient privileges.
Previously the code assumed the absence of the entry meant that
UPG is disabled. With granular read permissions, this would mean
that users that can add users but can't read UPG Definition would
add users without UPG, and the reason for that would not be very clear.
It is better to fail early if the definition can't be read.
Raise an error if the UPG Definition is not available. This makes
read access to it a prerequisite for adding users.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Since user_add checks the UPG definition to see if UPG is enabled,
user admins need read access to add users correctly.
All attributes are allowed since UPG Definition is an extensibleObject;
the needed attributes are not in the schema.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Since systemd has by default a 2 minute timeout to start
a service, the end of ipa-server-install might fail
because starting named times out. This patch ensures that
generate-rndc-key.sh runs before named service restart.
Also, warning message is displayed before KDC install and
generate-rndc-key.sh, if there is a lack of entropy, to
notify the user that the process could take more time
than expected.
Modifications done by Martin Kosek:
- removed whitespace at the end of installutils.py
- the warning in krbinstance.py moved right before the step
requiring entropy
- slightly reworded the warning message
https://fedorahosted.org/freeipa/ticket/4210
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Add the IPA version, and vendor version if applicable, to the beginning
of admintool logs -- both framework and indivitual tools that don't yet
use the framework.
This will make debugging easier.
https://fedorahosted.org/freeipa/ticket/4219
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This will allow us to make vendors' lives easier by embedding a
vendor tag to installation logs.
Part of the work for: https://fedorahosted.org/freeipa/ticket/4219
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
krbpasswordexpiration conversion to time failed because now we get
datetime object instead of string.
https://fedorahosted.org/freeipa/ticket/4339
Reviewed-By: Tomas Babej <tbabej@redhat.com>
dap2.find_entries modified the passed in attrs_list to remove
the virtual attributes memberindirect and memberofindirect
before passing the list to LDAP. This means that a call like
ldap2.get_entry(dn, attrs_list=some_framework_object.default_attributes)
would permanently remove the virtual attributes from
some_framework_object's definition.
Create a copy of the list instead.
https://fedorahosted.org/freeipa/ticket/4349
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Also remove
- the deny ACIs that implemented exceptions to it:
- no anonymous access to roles
- no anonymous access to member information
- no anonymous access to hbac
- no anonymous access to sudo (2×)
- its updater plugin
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
When upgrading from an "old" IPA, or installing the first "new" replica,
we need to keep allowing anonymous access to many user attributes.
Add an optional 'fixup_function' to the managed permission templates,
and use it to set the bind rule type to 'anonymous' when installing
(or upgrading to) the first "new" master.
This assumes that the anonymous read ACI will be removed in a "new" IPA.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3566
Reviewed-By: Martin Kosek <mkosek@redhat.com>
It turns out the ACI object of the anonymous read ACI, rather than just the
list of its attributes, will be useful in the future.
Change the plugin so that the ACI object is passed around.
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Creating tokens for yourself is the most common operation. Making this the
default optimizes for the common case.
Reviewed-By: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Specifying the default in the LDAP Object causes the parameter to be specified
for non-add operations. This is especially problematic when performing the
modify operation as it causes the primary key to change for every
modification.
https://fedorahosted.org/freeipa/ticket/4227
Reviewed-By: Petr Viktorin <pviktori@redhat.com>
If the KDC doesn't use the FreeIPA password for authentication, then it is
futile to provide this information. Doing so will only confuse the user. It
also causes password change dialogues when the password is irrelevant.
https://fedorahosted.org/freeipa/ticket/4299
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a 'Read Replication Agreements' permission to replace
the read ACI for cn=config.
https://fedorahosted.org/freeipa/ticket/3829
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Drop the logrotate file because Apache manages the logs
Drop the systemd configuration because we run in Apache
Import json_encode_binary from ipalib
Fix Requires
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
New decorator: ui_driver.screenshot created. It should be applied on test methods.
Screenshot is saved on each exception except SkipTest.
Configuration:
- add: `save_screenshots: True` to ~/.ipa/ui_test.conf to enable saving screenshots
- optionally add `screenshot_dir: /path/to/dir` to specify target directory
otherwise screenshots are saved to current directory
Reviewed-By: Adam Misnyovszki <amisnyov@redhat.com>
Added a callback feature to webui tests,
to extend functionality. Also added
assert_disabled function to ui_driver, to
check if a field is disabled in the browser.
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Makes ipa-client-install configure SSSD as the data provider
for the sudo service by default. This behaviour can be disabled
by using --no-sudo flag.
https://fedorahosted.org/freeipa/ticket/3358
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Provides two new options for the ipa-client-install:
--nisdomain: specifies the NIS domain name
--no_nisdomain: flag to aviod setting the NIS domain name
In case no --nisdomain is specified and --no_nisdomain flag was
not set, the IPA domain is used.
Manual pages updated.
http://fedorahosted.org/freeipa/ticket/3202
Reviewed-By: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When the static test site called batch delete,
it always referred to batch.json. This patch
fixes it, by referring entityname + '_batch_del.json'
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Fixes trust add, since now datetime object is returned
for 'modifytimestamp', which cannot be split like a string.
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
