So that facet.simple_facet_header could be used even in pages without
entity structure - e.g. future topology graph.
prerequisite for: https://fedorahosted.org/freeipa/ticket/4286
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When we promote an IPA client to replica, we need to write master-like
default.conf once we start configuring directory server instance. This way
even if DS configuration fails for some reason the server uninstall code can
work properly and clean up partially configured replica.
https://fedorahosted.org/freeipa/ticket/5417
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
By default mod_auth_gssapi allows all locally available mechanisms. If
the gssntlmssp package is installed, it also offers ntlmssp. This has
the annoying side effect that some browser will pop up a
username/password request dialog if no Krb5 credentials are available.
The patch restricts the mechanism to krb5 and removes ntlmssp and
iakerb support from Apache's ipa.conf.
The new feature was added to mod_auth_gssapi 1.3.0.
https://fedorahosted.org/freeipa/ticket/5114
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Simple regexp substitution caused that the domain directive fell under
an inapprorpiate section, if the domain directive was not present. Hence
the idmapd.conf file was not properly parsed.
Use IPAChangeConf to put the directive in its correct place even if it
the domain directive is missing.
https://fedorahosted.org/freeipa/ticket/5069
Reviewed-By: Gabe Alford <redhatrises@gmail.com>
The IPAChangeConf normallizes section names to lower case. There are
cases where this behaviour might not be desirable, so provide a way to
opt out.
https://fedorahosted.org/freeipa/ticket/5069
Reviewed-By: Gabe Alford <redhatrises@gmail.com>
Python dns resolver append configured domain to queries which may lead
to false positive answer.
Exmaple: resolving "ipa.example.com" may return records for
"ipa.example.com.example.com" if domain is configured as "example.com"
https://fedorahosted.org/freeipa/ticket/5421
Reviewed-By: Petr Spacek <pspacek@redhat.com>
To debug DNS issues other commands should be used like 'dig', 'host',
'nslookup' instead of command 'ipa dns-resolve'.
This command is executed on server side, what may not be helpful with
debugging clients.
'ipa dns-resolve' command is worse copy of host command, users should use
'host' command instead.
dns-resolve is removed from CLI
https://fedorahosted.org/freeipa/ticket/5466
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Return False does not mean that update failed, it mean that nothing has
been updated, respectively ldap is up to date.
https://fedorahosted.org/freeipa/ticket/5482
Reviewed-By: Tomas Babej <tbabej@redhat.com>
If the code within the private_ccache contextmanager does not
set/removes the KRB5CCNAME, the pop method will raise KeyError, which
will cause unnecessary termination of the code flow.
Make sure the KRB5CCNAME is popped out of os.environ only if present.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Dogtag 9 CA and CA DS install and uninstall code was removed. Existing
Dogtag 9 CA and CA DS instances are disabled on upgrade.
Creating a replica of a Dogtag 9 IPA master is still supported.
https://fedorahosted.org/freeipa/ticket/5197
Reviewed-By: David Kupka <dkupka@redhat.com>
Replica does not need to have A/AAAA records during install, so we
cannot enforce it and service must be added with --force option.
https://fedorahosted.org/freeipa/ticket/5420
Reviewed-By: Tomas Babej <tbabej@redhat.com>
ensure_default_caacl() was leaking open api.Backend.ldap2 connection which
could crash server/replica installation at later stages. This patch ensures
that after checking default CA ACL profiles the backend is disconnected.
https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Profiles and the default CA ACL were not being added during replica
install from pre-4.2 servers. Update ipa-replica-install to add
these if they are missing.
Also update the caacl plugin to prevent deletion of the default CA
ACL and instruct the administrator to disable it instead.
To ensure that the cainstance installation can add profiles, supply
the RA certificate as part of the instance configuration.
Certmonger renewal setup is avoided at this point because the NSSDB
gets reinitialised later in installation procedure.
Also move the addition of the default CA ACL from dsinstance
installation to cainstance installation.
Fixes: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The Dogtag interface always attempts to (re)init NSS, which can fail
with SEC_ERROR_BUSY. Do not reinitialise NSS when it has already
been initialised with the given dbdir.
Part of: https://fedorahosted.org/freeipa/ticket/5459
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Since endptr points to a location inside of dummy, dummy should be freed
only after dereferencing endptr.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Since we are interested in looking up the SID of a group it makes sense
to include the objectclass which contains the SID attribute in the
search filter. This makes sure the group is not accidentally found a
second time in the compat tree.
Related to https://fedorahosted.org/freeipa/ticket/5457
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix for https://fedorahosted.org/freeipa/ticket/4826 temporarily disallowed
modification of local ID ranges via API calls The corresponding XMLRPC tests
were updated to reflect this change.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
When importing IPA-managed certificate profiles into Dogtag,
profiles with the same name (usually caIPAserviceCert) are removed,
then immediately recreated with the new profile data. This causes a
race condition - Dogtag's LDAPProfileSystem profileChangeMonitor
thread could observe and process the deletion after the profile was
recreated, disappearing it again.
Update the profile instead of deleting and recreating it to avoid
this race condition.
Fixes: https://fedorahosted.org/freeipa/ticket/5269
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Pretty printing the TLS peer certificate to logs on every request
introduces a lot of noise; do not log it (subject name, key usage
and validity are still logged).
Fix and tidy up some HTTP logging messages for Dogtag requests.
Part of: https://fedorahosted.org/freeipa/ticket/5269
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Added commands:
* user-add-manager
* user-remove-manager
* stageuser-add-manager
* stageuser-remove-manager
Commit contains override of convert_attribute_members method in baseuser
class that ensures the managers will be returned in 'manager' attribute
due to backward compatibility instead of 'manager_user' as would be
expected.
https://fedorahosted.org/freeipa/ticket/5344
This patch also fixes: https://fedorahosted.org/freeipa/ticket/5387
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Different opbject types were compared thus always result of comparation
was False and caching does not work.
https://fedorahosted.org/freeipa/ticket/5463
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Default krb5.conf needn't have defined default_realm.
Unit tests should not rely on existing default value.
Reviewed-By: Martin Basti <mbasti@redhat.com>
The cmocka-1.0 introduced new interface for tests
which is not compatible with the old one.
And the old interface is deprecated which caused compiled warnings.
Reviewed-By: Martin Basti <mbasti@redhat.com>
The automake generated makefiles have already a target check.
We need to provide this target also to non-generated
Makefiles so we can recursively call make check from
top level Makefile
Reviewed-By: Martin Basti <mbasti@redhat.com>
In file included from ipa_extdom_extop.c:41:0:
ipa_extdom_extop.c: In function ‘ipa_extdom_init_ctx’:
ipa_extdom_extop.c:203:9: warning: format ‘%d’ expects argument of type ‘int’,
but argument 4 has type ‘size_t {aka long unsigned int}’ [-Wformat=]
LOG("Maximal nss buffer size set to [%d]!\n", ctx->max_nss_buf_size);
^
../common/util.h:53:21: note: in definition of macro ‘LOG_PLUGIN_NAME’
fmt, ##__VA_ARGS__)
^
ipa_extdom_extop.c:203:5: note: in expansion of macro ‘LOG’
Reviewed-By: Martin Basti <mbasti@redhat.com>
topology_pre.c: In function ‘ipa_topo_pre_add’:
topology_pre.c:509:15: warning: declaration of ‘errtxt’ shadows a previous local [-Wshadow]
char *errtxt;
^
topology_pre.c:494:11: note: shadowed declaration is here
char *errtxt = NULL;
^
Reviewed-By: Martin Basti <mbasti@redhat.com>
