Commit message | Author | Age | Files | Lines

* TODO: make sure a single krbPrincipalName value gets used for canonicalization too [kdc-fixes]
  Alexander Bokovoy | 2015-08-10 | 1 file | -1/+16

* IPA KDB: use empty profile to init krb5 context in tests
  Sumit Bose | 2015-08-10 | 1 file | -1/+7

  If the system's /etc/krb5.conf contains some unexpected or broken configuration the test might fail. With this patch the tests are run with an empty configuration.

* IPA KDB: allow case-insensitive realm in AS request
  Sumit Bose | 2015-08-10 | 5 files | -4/+101

  If the canonicalization flag is set the realm of the client principal in an AS request (kinit) is transformed into upper-case to match the IPA convention for realm names.

  Resolves https://fedorahosted.org/freeipa/ticket/4844

* dcerpc: Simplify generation of LSA-RPC binding strings
  Tomas Babej | 2015-08-07 | 1 file | -2/+1

  https://fedorahosted.org/freeipa/ticket/5183
  Reviewed-By: Tomas Babej <tbabej@redhat.com>

* Fix selector of protocol for LSA RPC binding string
  Alexander Bokovoy | 2015-08-07 | 1 file | -2/+2

  For Windows Server 2012R2 and others which force SMB2 protocol use we have to specify the right DCE RPC binding options. For using SMB1 protocol we have to omit specifying SMB2 protocol and anything else, or otherwise SMB1 would be considered a pipe to connect to. This is by design of the binding string format.

  https://fedorahosted.org/freeipa/ticket/5183
  Reviewed-By: Tomas Babej <tbabej@redhat.com>

* Fix incorrect type comparison in trust-fetch-domains
  Tomas Babej | 2015-08-06 | 1 file | -1/+1

  Value needs to be unpacked from the list and converted before comparison.

  https://fedorahosted.org/freeipa/ticket/5182
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

* Fix otptoken-remove-managedby command summary
  Fraser Tweedale | 2015-08-05 | 1 file | -1/+1

  Reviewed-By: Tomas Babej <tbabej@redhat.com>

* Port from python-kerberos to python-gssapi
  Michael Simacek | 2015-08-05 | 5 files | -53/+95

  The kerberos library doesn't support Python 3 and probably never will. The python-gssapi library is Python 3 compatible.

  https://fedorahosted.org/freeipa/ticket/5147
  Reviewed-By: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Robbie Harwood <rharwood@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>

* store certificates issued for user entries as userCertificate;binary
  Martin Babinsky | 2015-08-04 | 2 files | -13/+31

  This patch forces the user management CLI command to store certificates as the userCertificate;binary attribute. The code to retrieve user information was modified to enable outputting of the userCertificate;binary attribute to the command line.

  The modification also fixes https://fedorahosted.org/freeipa/ticket/5173

  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* test suite for user/host/service certificate management API commands
  Martin Babinsky | 2015-08-03 | 1 file | -0/+349

  These tests exercise various scenarios when using the new class of API commands to add or remove certificates to user/service/host entries.

  Part of http://www.freeipa.org/page/V4/User_Certificates

  Reviewed-By: Milan Kubík <mkubik@redhat.com>

* user-show: add --out option to save certificates to file
  Fraser Tweedale | 2015-07-31 | 3 files | -4/+30

  Add the --out option to user-show, bringing it into line with host-show and service-show with the ability to save the user's certificate(s) to a file.

  https://fedorahosted.org/freeipa/ticket/5171
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* certprofile-import: do not require profileId in profile data
  Christian Heimes | 2015-07-31 | 1 file | -3/+5

  certprofile-import no longer requires profileId in profile data. Instead the profile ID from the command line is taken and added to the profile data internally. If profileId is set in the profile, then it still has to match the CLI option.

  https://fedorahosted.org/freeipa/ticket/5090
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* tests: Allow Tracker.dn to be an instance of Fuzzy
  Milan Kubík | 2015-07-31 | 1 file | -2/+3

  Some of the IPA LDAP entries are using ipaUniqueID as the "primary key". To match this UUID based attribute in assert_deepequal, an instance of the Fuzzy class must be used. This change adds the possibility to assign the Fuzzy object as the DN for the tracked entry. The user may need to override the rdn and name properties for the class using the Fuzzy DN.

  Reviewed-By: Lenka Doudova <ldoudova@redhat.com>

* Validate vault's file parameters
  Christian Heimes | 2015-07-31 | 1 file | -12/+47

  A user can pass file names for password, public and private key files to the vault plugin. The plugin attempts to read from these files. If any file can't be read, an internal error was raised. The patch wraps all reads and turns any IOError and UnicodeError into a ValidationError.

  https://fedorahosted.org/freeipa/ticket/5155
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Modernize number literals
  Petr Viktorin | 2015-07-31 | 30 files | -92/+92

  Use Python-3 compatible syntax, without breaking compatibility with py 2.7:
    - Octal literals start with 0o to prevent confusion
    - The "L" at the end of large int literals is not required as they use long on Python 2 automatically.
    - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking, e.g. type(0).

  https://fedorahosted.org/freeipa/ticket/4985
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Replace M2Crypto RC4 with python-cryptography ARC4
  Christian Heimes | 2015-07-31 | 2 files | -7/+10

  This patch removes the dependency on M2Crypto in favor of cryptography. Cryptography is more strict about the key size and doesn't support non-standard key sizes:

      >>> from M2Crypto import RC4
      >>> from ipaserver.dcerpc import arcfour_encrypt
      >>> RC4.RC4(b'key').update(b'data')
      'o\r@\x8c'
      >>> arcfour_encrypt(b'key', b'data')
      Traceback (most recent call last):
      ...
      ValueError: Invalid key size (24) for RC4.

  Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported:

      >>> arcfour_encrypt(b'key12', b'data')
      '\xcd\xf80d'
      >>> RC4.RC4(b'key12').update(b'data')
      '\xcd\xf80d'

  http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4

  https://fedorahosted.org/freeipa/ticket/5148
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* Require Dogtag PKI >= 10.2.6
  Christian Heimes | 2015-07-29 | 1 file | -3/+3

  Dogtag 10.2.6 comes with two fixes for cloning from 9.x to 10.x instances:

  https://fedorahosted.org/pki/ticket/1495
  https://fedorahosted.org/pki/ticket/1488

  https://fedorahosted.org/freeipa/ticket/5140
  https://fedorahosted.org/freeipa/ticket/5129
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* webui: fix regressions in failed auth messages
  Petr Vobornik | 2015-07-29 | 2 files | -5/+5

  1. After logout, krb auth no longer shows "session expired" but the correct "Authentication with Kerberos failed".
  2. "The password or username you entered is incorrect." is shown on failed forms-based auth.

  https://fedorahosted.org/freeipa/ticket/5163
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* ULC: Fix stageused-add --from-delete command
  Martin Basti | 2015-07-29 | 1 file | -4/+5

  A nonexistent method was used to move the deleted user to the staged area.

  Minor fixes added:
    * handle not found error
    * return new DN

  https://fedorahosted.org/freeipa/ticket/5145
  Reviewed-By: David Kupka <dkupka@redhat.com>

* Use 'mv -Z' in specfile to restore SELinux context
  Martin Basti | 2015-07-29 | 1 file | -6/+3

  There might be an AVC denial between moving the file and restoring the context. Using 'mv -Z' will solve this issue.

  https://fedorahosted.org/freeipa/ticket/4923
  Reviewed-By: David Kupka <dkupka@redhat.com>

* ACI plugin: correctly parse bind rules enclosed in parentheses
  Martin Babinsky | 2015-07-29 | 1 file | -2/+6

  Since a bind rule such as `(userdn = "ldap:///anyone")` is also a valid statement, the ipalib ACI parser was updated to handle this case.

  https://fedorahosted.org/freeipa/ticket/5037
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Fix client ca.crt to match the server's cert
  Gabe | 2015-07-27 | 1 file | -1/+1

  https://fedorahosted.org/freeipa/ticket/3809
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Use Exception class instead of StandardError
  Niranjan Mallapadi | 2015-07-27 | 1 file | -2/+2

  In an except clause, use of "," is not recommended (PEP 3110).

  Signed-off-by: Niranjan Mallapadi <mrniranjan@fedoraproject.org>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Petr Viktorin <pviktori@redhat.com>

* otptoken: use ipapython.nsslib instead of Python's ssl module
  Christian Heimes | 2015-07-27 | 2 files | -30/+8

  The otptoken plugin is the only module in FreeIPA that uses Python's ssl module instead of NSS. The patch replaces ssl with NSSConnection. It uses the default NSS database to look up trust anchors.

  NSSConnection uses NSS for hostname matching. The package python-backports-ssl_match_hostname is no longer required.

  https://fedorahosted.org/freeipa/ticket/5068
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* certprofile-import: improve profile format documentation
  Christian Heimes | 2015-07-27 | 1 file | -1/+1

  The certprofile-import plugin expects a raw Dogtag config file. The XML format is not supported. --help gives a hint about the correct file format.

  https://fedorahosted.org/freeipa/ticket/5089
  Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>

* Added test - topology plugin is listed among DS plugins
  Oleg Fayans | 2015-07-27 | 1 file | -0/+70

  Reviewed-By: Martin Basti <mbasti@redhat.com>

* Remove ico files from Makefile
  Martin Basti | 2015-07-27 | 1 file | -2/+0

  Icons were removed in a4be844809179ff0a05286606df1487d81a70022 but still persist in the Makefile. This patch fixes the Makefile.

  https://fedorahosted.org/freeipa/ticket/823
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

* webui: add Kerberos configuration instructions for Chrome
  Petr Vobornik | 2015-07-27 | 3 files | -31/+80

    * IE section moved to the end
    * Chrome section added
    * FF and IE icons removed

  https://fedorahosted.org/freeipa/ticket/823
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* replication: Fix incorrect exception invocation
  Tomas Babej | 2015-07-24 | 1 file | -1/+1

  Reviewed-By: Tomas Babej <tbabej@redhat.com>

* idviews: Enforce objectclass check in idoverride*-del
  Tomas Babej | 2015-07-23 | 1 file | -0/+19

  Even with anchor to SID type checking, it would still be possible to delete a user ID override by specifying a group raw anchor and vice versa. This patch introduces an objectclass check in the idoverride*-del commands to prevent that.

  https://fedorahosted.org/freeipa/ticket/5029
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

* idviews: Restrict anchor to name and name to anchor conversions
  Tomas Babej | 2015-07-23 | 1 file | -4/+46

  When converting the ID override anchor from the AD SID representation to the object name, we need to properly restrict the type of the object that is being resolved. The same restriction applies for the opposite direction, when converting the object name to its SID.

  https://fedorahosted.org/freeipa/ticket/5029
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

* dcerpc: Add get_trusted_domain_object_type method
  Tomas Babej | 2015-07-23 | 1 file | -0/+29

  https://fedorahosted.org/freeipa/ticket/5029
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

* fix broken search for users by their manager
  Martin Babinsky | 2015-07-23 | 3 files | -11/+8

  The patch fixes the incorrect construction of the search filter when using `ipa user-find` with the '--manager' option.

  https://fedorahosted.org/freeipa/ticket/5146
  Reviewed-By: Tomas Babej <tbabej@redhat.com>

* dcerpc: Fix UnboundLocalError for ccache_name
  Tomas Babej | 2015-07-22 | 1 file | -0/+2

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

* tests: test_cert: Services can have multiple certificates
  Tomas Babej | 2015-07-22 | 1 file | -4/+4

  Old certificates of the services are no longer removed and revoked after new ones have been issued. Check that both old and new certificates are present.

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

* tests: test_rpc: Create connection for the current thread
  Tomas Babej | 2015-07-22 | 1 file | -0/+3

  Both context.xmlclient and context.xmlclient_<id> need to be created in order to successfully call the Command.forward method.

  Reviewed-By: Martin Basti <mbasti@redhat.com>

* tests: vault_plugin: Skip tests if KRA not available
  Tomas Babej | 2015-07-22 | 1 file | -0/+11

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

* tests: Version is currently generated during command call
  Tomas Babej | 2015-07-22 | 1 file | -35/+16

  In the previous versions, the version in the response was generated as part of the process_keyword_arguments method. This is no longer true, and so the explicit check for it should be removed.

  Reviewed-By: Martin Basti <mbasti@redhat.com>

* tests: realmdomains_plugin: Add explanatory comment
  Tomas Babej | 2015-07-22 | 1 file | -0/+3

  The realmdomains_mod command will fail if the testing environment is configured improperly and the IPA domain's NS/SOA records are not resolvable. This can easily happen if the machine's DNS server is not configured to the IPA server. Leave an explanatory note in the class.

  Reviewed-By: Martin Basti <mbasti@redhat.com>

* tests: service_plugin: Make sure the cert is decoded from base64
  Tomas Babej | 2015-07-22 | 1 file | -1/+5

  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

* idviews: Check for the Default Trust View only if applying the view
  Tomas Babej | 2015-07-22 | 1 file | -6/+8

  Currently, the code wrongly validates the idview-unapply command. Move the check for the forbidden application of the Default Trust View into the correct logical branch.

  https://fedorahosted.org/freeipa/ticket/4969
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* dcerpc: Expand explanation for WERR_ACCESS_DENIED
  Tomas Babej | 2015-07-21 | 1 file | -7/+29

  It's possible for AD to contact a wrong IPA server in case the DNS SRV records on the AD side are not properly configured. Mention this case in the error message as well.

  https://fedorahosted.org/freeipa/ticket/5013
  Reviewed-By: Petr Vobornik <pvoborni@redhat.com>

* tests: user_plugin: Add preserved flag when --all is used
  Tomas Babej | 2015-07-21 | 1 file | -1/+4

  Reviewed-By: Martin Basti <mbasti@redhat.com>

* DNS: check if DNS package is installed
  Martin Basti | 2015-07-21 | 7 files | -39/+10

  Instead of separately checking the DNS required packages, we just need to check if the IPA DNS package is installed.

  https://fedorahosted.org/freeipa/ticket/4058
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Tomas Babej <tbabej@redhat.com>

* ipaplatform: Add constants submodule
  Tomas Babej | 2015-07-21 | 6 files | -1/+64

  Introduce an ipaplatform/constants.py file to store platform related constants which are not paths.

  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>

* DNS: Consolidate DNS RR types in API and schema
  Martin Basti | 2015-07-21 | 7 files | -80/+71

    * Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
      These records never worked; they don't have attributes in the schema.
      TSIG and TKEY are meta-RRs and should not be in LDAP.
      TA is not supported by BIND.
      NSEC3 and DNSKEY are DNSSEC records generated by BIND and should not be in LDAP.
    *! SIG, NSEC are already defined in the schema and must stay in the API.
    * Add HINFO, MINFO, MD, NXT records to the API as unsupported records.
      These records are already defined in the LDAP schema.
    * Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records.
      These records were defined in the IPA API as unsupported, but the schema definition was missing. This caused that an ACI could not be created for these records and dnszone-find failed. (#5055)

  https://fedorahosted.org/freeipa/ticket/4934
  https://fedorahosted.org/freeipa/ticket/5055
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
  Reviewed-By: Petr Spacek <pspacek@redhat.com>

* ipa-client-install: Do not (re)start certmonger and DBus daemons.
  David Kupka | 2015-07-20 | 1 file | -56/+15

  When DBus is present in the system it is always running. Starting of certmonger is handled in the ipapython/certmonger.py module if necessary. Restarting is no longer needed since freeipa is not changing certmonger's files.

  https://fedorahosted.org/freeipa/ticket/5095
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* certmonger: Use private unix socket when DBus SystemBus is not available.
  David Kupka | 2015-07-20 | 2 files | -43/+98

  https://fedorahosted.org/freeipa/ticket/5095
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>

* enable debugging of ntpd during client installation
  Martin Babinsky | 2015-07-20 | 2 files | -4/+8

  When installing the IPA client in debug mode, the ntpd command spawned during the initial time-sync with the master KDC will also run in debug mode.

  https://fedorahosted.org/freeipa/ticket/4931
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>

* domainlevel: Fix incorrect initializations of InvalidDomainLevelError exceptions
  Tomas Babej | 2015-07-20 | 2 files | -4/+4

  Reviewed-By: Tomas Babej <tbabej@redhat.com>