summaryrefslogtreecommitdiffstats
path: root/ipapython
Commit message (Collapse)AuthorAgeFilesLines
* Extend ipa-replica-manage to be able to manage DNA ranges.Rob Crittenden2013-03-131-0/+2
| | | | | | | | | | | | | | | | | Attempt to automatically save DNA ranges when a master is removed. This is done by trying to find a master that does not yet define a DNA on-deck range. If one can be found then the range on the deleted master is added. If one cannot be found then it is reported as an error. Some validation of the ranges are done to ensure that they do overlap an IPA local range and do not overlap existing DNA ranges configured on other masters. http://freeipa.org/page/V3/Recover_DNA_Ranges https://fedorahosted.org/freeipa/ticket/3321
* Use IPAdmin rather than raw python-ldap in migration.py and ipadiscovery.pyPetr Viktorin2013-03-132-75/+46
| | | | | | | | | | | | | These used ipautil.get_ipa_basedn. Convert that to use the new wrappers. Beef up the error handling in ipaldap to accomodate the errors we catch in the server discovery. Add a DatabaseTimeout exception to errors.py. These were the last uses of ipautil.convert_ldap_error, remove that. https://fedorahosted.org/freeipa/ticket/3487 https://fedorahosted.org/freeipa/ticket/3446
* Use IPAdmin rather than raw python-ldap in ipa-client-installPetr Viktorin2013-03-131-1/+4
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3487
* Move ipaldap to ipapythonPetr Viktorin2013-03-131-0/+1815
| | | | Part of the work for: https://fedorahosted.org/freeipa/ticket/3446
* Derive Entity class from Entry, and move it to ldapupdatePetr Viktorin2013-03-011-131/+0
| | | | | | | The two classes were nearly identical, and the updater is the only code that uses Entity. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Remove unused methods from Entry, Entity, and IPAdminPetr Viktorin2013-03-011-52/+0
| | | | | | These classes are deprecated, there's no use keeping unused methods around. Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
* Add custom mapping object for LDAP entry data.Jan Cholasta2013-03-011-0/+2
|
* Make ipapython.dogtag log requests at debug level, not infoPetr Viktorin2013-02-011-1/+1
|
* Port ipa-replica-prepare to the admintool frameworkPetr Viktorin2013-02-011-1/+4
| | | | | | | | | | | | | Break the script into several smaller methods. Use modern idioms: os.path.join instead of string addition; the with statement for closing files. Add --quiet, --verbose, and --log-file options. Use logging instead of print statements. (http://freeipa.org/page/V3/Logging_and_output) Part of: https://fedorahosted.org/freeipa/ticket/2652 Fixes: https://fedorahosted.org/freeipa/ticket/3285
* Better logging for AdminTool and ipa-ldap-updaterPetr Viktorin2013-02-011-30/+90
| | | | | | | | | | | | | - Automatically add a "Logging and output options" group with the --quiet, --verbose, --log-file options. - Set up logging based on these options; details are in the setup_logging docstring and in the design document. - Don't bind log methods as individual methods of the class. This means one less linter exception. - Make the help for command line options consistent with optparse's --help and --version options. Design document: http://freeipa.org/page/V3/Logging_and_output
* Add support for RFC 6594 SSHFP DNS records.Jan Cholasta2013-02-011-3/+12
| | | | https://fedorahosted.org/freeipa/ticket/2642
* Drop ipapython.compat.Jan Cholasta2013-02-013-84/+2
|
* Use new certmonger locking to prevent NSS database corruption.Rob Crittenden2013-01-291-11/+27
| | | | | | | | | | | | | | | | | | | | | | | | dogtag opens its NSS database in read/write mode so we need to be very careful during renewal that we don't also open it up read/write. We basically need to serialize access to the database. certmonger does the majority of this work via internal locking from the point where it generates a new key/submits a rewewal through the pre_save and releases the lock after the post_save command. This lock is held per NSS database so we're save from certmonger. dogtag needs to be shutdown in the pre_save state so certmonger can safely add the certificate and we can manipulate trust in the post_save command. Fix a number of bugs in renewal. The CA wasn't actually being restarted at all due to a naming change upstream. In python we need to reference services using python-ish names but the service is pki-cad. We need a translation for non-Fedora systems as well. Update the CA ou=People entry when he CA subsystem certificate is renewed. This certificate is used as an identity certificate to bind to the DS instance. https://fedorahosted.org/freeipa/ticket/3292 https://fedorahosted.org/freeipa/ticket/3322
* Pylint cleanup.Jan Cholasta2013-01-293-21/+16
| | | | | | | Add more dynamic attribute info to IPATypeChecker in make-lint. Remove unnecessary pylint comments. Fix false positivies introduced by Pylint 0.26. https://fedorahosted.org/freeipa/ticket/3379
* Use secure method to acquire IPA CA certificateJohn Dennis2013-01-231-0/+36
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Major changes ipa-client-install: * Use GSSAPI connection to LDAP server to download CA cert (now the default method) * Add --ca-cert-file option to load the CA cert from a disk file. Validate the file. If this option is used the supplied CA cert is considered definitive. * The insecure HTTP retrieval method is still supported but it must be explicitly forced and a warning will be emitted. * Remain backward compatible with unattended case (except for aberrant condition when preexisting /etc/ipa/ca.crt differs from securely obtained CA cert, see below) * If /etc/ipa/ca.crt CA cert preexists the validate it matches the securely acquired CA cert, if not: - If --unattended and not --force abort with error - If interactive query user to accept new CA cert, if not abort In either case warn user. * If interactive and LDAP retrieval fails prompt user if they want to proceed with insecure HTTP method * If not interactive and LDAP retrieval fails abort unless --force * Backup preexisting /etc/ipa/ca.crt in FileStore prior to execution, if ipa-client-install fails it will be restored. Other changes: * Add new exception class CertificateInvalidError * Add utility convert_ldap_error() to ipalib.ipautil * Replace all hardcoded instances of /etc/ipa/ca.crt in ipa-client-install with CACERT constant (matches existing practice elsewhere). * ipadiscovery no longer retrieves CA cert via HTTP. * Handle LDAP minssf failures during discovery, treat failure to check ldap server as a warninbg in absebce of a provided CA certificate via --ca-cert-file or though existing /etc/ipa/ca.crt file. Signed-off-by: Simo Sorce <simo@redhat.com> Signed-off-by: Rob Crittenden <rcritten@redhat.com>
* convert the base platform modules into packagesTimo Aaltonen2013-01-1410-178/+273
|
* Cookie Expires date should be locale insensitiveJohn Dennis2012-12-201-31/+11
| | | | | | | | | | | | | | | | | | | | | | | The Expires attribute in a cookie is supposed to follow the RFC 822 (superseded by RFC 1123) date format. That format includes a weekday abbreviation (e.g. Tue) which must be in English according to the RFC's. ipapython/cookie.py has methods to parse and format the Expires attribute but they were based on strptime() and strftime() which respects the locale. If a non-English locale is in effect the wrong date string will be produced and/or it won't be able to parse the date string. The fix is to use the date parsing and formatting functions from email.utils which specifically follow the RFC's and are not locale sensitive. This patch also updates the unit test to use email.utils as well. The patch should be applied to the following branches: Ticket: https://fedorahosted.org/freeipa/ticket/3313
* Switch %r specifiers to '%s' in Public errorsLynn Root2012-12-111-3/+3
| | | | | | | | | | | This switch drops the preceding 'u' from strings within Public error messages. This patch also addresses the related unfriendly 'u' from re-raising errors from netaddr.IPAddress by passing a bytestring through the function. Also switched ValidationError to TypeError in validate_scalar per jcholast@redhat.com. Ticket: https://fedorahosted.org/freeipa/ticket/3121 Ticket: https://fedorahosted.org/freeipa/ticket/2588
* Compliant client side session cookie behaviorJohn Dennis2012-12-101-0/+699
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In summary this patch does: * Follow the defined rules for cookies when: - receiving a cookie (process the attributes) - storing a cookie (store cookie + attributes) - sending a cookie + validate the cookie domain against the request URL + validate the cookie path against the request URL + validate the cookie expiration + if valid then send only the cookie, no attribtues * Modifies how a request URL is stored during a XMLRPC request/response sequence. * Refactors a bit of the request/response logic to allow for making the decision whether to send a session cookie instead of full Kerberous auth easier. * The server now includes expiration information in the session cookie it sends to the client. The server always had the information available to prevent using an expired session cookie. Now that expiration timestamp is returned to the client as well and now the client will not send an expired session cookie back to the server. * Adds a new module and unit test for cookies (see below) Formerly we were always returning the session cookie no matter what the domain or path was in the URL. We were also sending the cookie attributes which are for the client only (used to determine if to return a cookie). The attributes are not meant to be sent to the server and the previous behavior was a protocol violation. We also were not checking the cookie expiration. Cookie library issues: We need a library to create, parse, manipulate and format cookies both in a client context and a server context. Core Python has two cookie libraries, Cookie.py and cookielib.py. Why did we add a new cookie module instead of using either of these two core Python libaries? Cookie.py is designed for server side generation but can be used to parse cookies on the client. It's the library we were using in the server. However when I tried to use it in the client I discovered it has some serious bugs. There are 7 defined cookie elements, it fails to correctly parse 3 of the 7 elements which makes it unusable because we depend on those elements. Since Cookie.py was designed for server side cookie processing it's not hard to understand how fails to correctly parse a cookie because that's a client side need. (Cookie.py also has an awkward baroque API and is missing some useful functionality we would have to build on top of it). cookielib.py is designed for client side. It's fully featured and obeys all the RFC's. It would be great to use however it's tightly coupled with another core library, urllib2.py. The http request and response objects must be urllib2 objects. But we don't use urllib2, rather we use httplib because xmlrpclib uses httplib. I don't see a reason why a cookie library should be so tightly coupled to a protocol library, but it is and that means we can't use it (I tried to just pick some isolated entrypoints for our use but I kept hitting interaction/dependency problems). I decided to solve the cookie library problems by writing a minimal cookie library that does what we need and no more than that. It is a new module in ipapython shared by both client and server and comes with a new unit test. The module has plenty of documentation, no need to repeat it here. Request URL issues: We also had problems in rpc.py whereby information from the request which is needed when we process the response is not available. Most important was the requesting URL. It turns out that the way the class and object relationships are structured it's impossible to get this information. Someone else must have run into the same issue because there was a routine called reconstruct_url() which attempted to recreate the request URL from other available information. Unfortunately reconstruct_url() was not callable from inside the response handler. So I decided to store the information in the thread context and when the request is received extract it from the thread context. It's perhaps not an ideal solution but we do similar things elsewhere so at least it's consistent. I removed the reconstruct_url() function because the exact information is now in the context and trying to apply heuristics to recreate the url is probably not robust. Ticket https://fedorahosted.org/freeipa/ticket/3022
* Stop and disable conflicting time&date servicesMartin Kosek2012-12-074-5/+18
| | | | | | | | | | | | | | | | | | | | Fedora 16 introduced chrony as default client time&date synchronization service: http://fedoraproject.org/wiki/Features/ChronyDefaultNTP Thus, there may be people already using chrony as their time and date synchronization service before installing IPA. However, installing IPA server or client on such machine may lead to unexpected behavior, as the IPA installer would configure ntpd and leave the machine with both ntpd and chronyd enabled. However, since the OS does not allow both chronyd and ntpd to be running concurrently and chronyd has the precedence, ntpd would not be run on that system at all. Make sure, that user is warned when trying to install IPA on such system and is given a possibility to either not to let IPA configure ntpd at all or to let the installer stop and disable chronyd. https://fedorahosted.org/freeipa/ticket/2974
* Only update the list of running services in the installer or ipactl.Rob Crittenden2012-12-052-4/+17
| | | | | | | | The file is only present in the case of a server installation. It should only be touched by the server installer and ipactl. https://fedorahosted.org/freeipa/ticket/3277
* Change network configuration fileMartin Kosek2012-12-054-2/+138
| | | | | | | | | | | Fedora+systemd changed deprecated /etc/sysconfig/network which was used by IPA to store static hostname for the IPA machine. See https://bugzilla.redhat.com/show_bug.cgi?id=881785 for details. Change Fedora platform files to store the hostname to /etc/hostname instead. https://fedorahosted.org/freeipa/ticket/3279
* Drop unused readline importLubomir Rintel2012-12-041-1/+1
| | | | | | | | | | | | | | | | | | | The actual readline usage was removed in commit f19218f7 (Remove duplicate and unused utility code, https://fedorahosted.org/freeipa/ticket/2650) and the import remained. Readline should not be initialized if the output is not to terminal (and it does no checks itself, so import in anything that would be useful to redirect should be conditional), since it may garble the output [1]: $ TERM=xterm python -c 'import readline' |hexdump -C 00000000 1b 5b 3f 31 30 33 34 68 |.[?1034h| 00000008 [1] https://bugzilla.redhat.com/show_bug.cgi?id=304181#c1 https://fedorahosted.org/freeipa/ticket/2691 https://fedorahosted.org/freeipa/ticket/3276
* Use correct Dogtag configuration in get_pin and get_ca_certchainPetr Viktorin2012-11-232-4/+8
| | | | | | Some install utilities used Dogtag configuration before Dogtag was configured. Fix by passing the relevant dogtag_constants where they're needed.
* Changes to use a single database for dogtag and IPAAde Lee2012-11-231-1/+11
| | | | | | | | | | | | New servers that are installed with dogtag 10 instances will use a single database instance for dogtag and IPA, albeit with different suffixes. Dogtag will communicate with the instance through a database user with permissions to modify the dogtag suffix only. This user will authenticate using client auth using the subsystem cert for the instance. This patch includes changes to allow the creation of masters and clones with single ds instances.
* Save service name on service startup/shutdownSimo Sorce2012-11-014-0/+50
| | | | | | | | This is done as a default action of the ancestor class so that no matter what platform is currently used this code is always the same and the name is the wellknown service name. This information will be used by ipactl to stop only and all the services that have been started by any ipa tool/install script
* Revert "Save service name on service startup"Simo Sorce2012-11-014-29/+0
| | | | | | | This reverts commit 1ef651e7f9f5f940051dc470385aa08eefcd60af. This was an olde version of the patch, next commit will put in the acked version.
* Save service name on service startupSimo Sorce2012-11-014-0/+29
| | | | | | | | This is done as a default action of the ancestor class so that no matter what platform is currently used this code is always the same and the name is the wellknown service name. This information will be used by ipacl to stop only and all the services that have been started by any ipa tool/install script
* Preserve original service_name in servicesSimo Sorce2012-11-012-15/+16
| | | | | | | | | This is needed to be able to reference stuff always wth the same name. The platform specific private name must be kept in a platform specific variable. In the case of systemd we store it in systemd_name For the redhat platform wellknown names and service name are the same so currently no special name is needed.
* After unininstall see if certmonger is still tracking any of our certs.Rob Crittenden2012-11-011-0/+36
| | | | | | | | | | | | | | Rather than providing a list of nicknames I'm going to look at the NSS databases directly. Anything in there is suspect and this will help future-proof us. certmonger may be tracking other certificates but we only care about a subset of them, so don't complain if there are other tracked certificates. This reads the certmonger files directly so the service doesn't need to be started. https://fedorahosted.org/freeipa/ticket/2702
* IPA Server check in ipa-replica-manageTomas Babej2012-10-311-0/+13
| | | | | | | | | | When executing ipa-replica-manage connect to an master that raises NotFound error we now check if the master is at least IPA server. If so, we inform the user that it is probably foreign or previously deleted master. If not, we inform the user that the master is not an IPA server at all. https://fedorahosted.org/freeipa/ticket/3105
* Close connection after each request, avoid NSS shutdown problem.Rob Crittenden2012-10-241-0/+6
| | | | | | | The unit tests were failing when executed against an Apache server in F-18 due to dangling references causing NSS shutdown to fail. https://fedorahosted.org/freeipa/ticket/3180
* Make sure the CA is running when starting servicesPetr Viktorin2012-10-232-61/+154
| | | | | | | | | | | | | | | | - Provide a function for determinig the CA status using Dogtag 10's new getStatus endpoint. This must be done over HTTPS, but since our client certificate may not be set up yet, we need HTTPS without client authentication. Rather than copying from the existing http_request and https_request function, shared code is factored out to a common helper. - Call the new function when restarting the CA service. Since our Service can only be extended in platform-specific code, do this for Fedora only. Also, the status is only checked with Dogtag 10+. - When a restart call in cainstance failed, users were refered to the installation log, but no info was actually logged. Log the exception. https://fedorahosted.org/freeipa/ticket/3084
* Add fallback for httpd restarts on sysV platformsMartin Kosek2012-10-181-0/+17
| | | | | | | | | | | | httpd init script on sysV based platforms cannot guarantee that two consecutive httpd service restarts succeed when run in a small time distance. Add fallback procedure that adds additional waiting time after such failed restart attempt, and then try to stop and start the service again. https://fedorahosted.org/freeipa/ticket/2965
* ipautil.run: Log the command line before running the commandPetr Viktorin2012-10-171-6/+11
| | | | | | | | When the user interrupts a long-running command, this ensures that the command is logged. Also, when watching log files (or the -d output), it's apparent what's being done. https://fedorahosted.org/freeipa/ticket/3174
* Create Firefox extension on upgrade and replica-installPetr Viktorin2012-10-101-4/+13
| | | | | | | | If the signing cert is not available, create an unsigned extension. Add a zip dependency to the specfile. https://fedorahosted.org/freeipa/ticket/3150
* Fix CA CRL migration crash in ipa-upgradeconfigMartin Kosek2012-10-101-2/+2
| | | | | | | | | | | | | | | | | CRL migrate procedure did not check if a CA was actually configured on an updated master/replica. This caused ipa-upgradeconfig to crash on replicas without a CA. Make sure that CRL migrate procedure is not run when CA is not configured on given master. Also add few try..except clauses to make the procedure more robust. There is also a small refactoring of "<service> is not configured" log messages, so that they have matching log level and message. dogtag.py constants were updated to have a correct path to new CRL directory on Fedora 18 (dogtag 10). https://fedorahosted.org/freeipa/ticket/3159
* Move CRL publish directory to IPA owned directoryMartin Kosek2012-10-091-2/+2
| | | | | | | | | | | | | | | | | | | | | | | Currently, CRL files are being exported to /var/lib/pki-ca sub-directory, which is then served by httpd to clients. However, this approach has several disadvantages: * We depend on pki-ca directory structure and relevant permissions. If pki-ca changes directory structure or permissions on upgrade, IPA may break. This is also a root cause of the latest error, where the pki-ca directory does not have X permission for others and CRL publishing by httpd breaks. * Since the directory is not static and is generated during ipa-server-install, RPM upgrade of IPA packages report errors when defining SELinux policy for these directories. Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy configuration does not report any error. The new CRL publish directory is used for both new IPA installs and upgrades, where contents of the directory (CRLs) is first migrated to the new location and then the actual configuration change is made. https://fedorahosted.org/freeipa/ticket/3144
* Wait for secure Dogtag ports when starting the pki servicesPetr Viktorin2012-10-031-4/+4
| | | | | | | | Dogtag opens not only the insecure port (8080 or 9180, for d10 and d9 respectively), but also secure ports (8443 or 9443&9444). Wait for them when starting. Part of the fix for https://fedorahosted.org/freeipa/ticket/3084
* Improve DN usage in ipa-client-installMartin Kosek2012-10-021-1/+1
| | | | | | | | | | | | | | | | | | | | | A hotfix pushed in a scope of ticket 3088 forced conversion of DN object (baseDN) in IPA client discovery so that ipa-client-install does not crash when creating an IPA default.conf. Since this is not a preferred way to handle DN objects, improve its usage: - make sure, that baseDN retrieved by client discovery is always a DN object - update ipachangeconf.py code to handle strings better and instead of concatenating objects, make sure they are converted to string first As a side-effect of ipachangeconf changes, default.conf config file generated by ipa-client-install has no longer empty new line at the end of a file. Whole ipachangeconf.py has been modified to be compliant with PEP8. https://fedorahosted.org/freeipa/ticket/3088
* Improves sssd.conf handling during ipa-client uninstallTomas Babej2012-09-201-2/+13
| | | | | | | | | | | | | | | | | | | | | | | The sssd.conf file is no longer left behind in case sssd was not configured before the installation. However, the patch goes behind the scope of this ticked and improves the handling of sssd.conf during the ipa-client-install --uninstall in general. The current behaviour (well documented in source code) is as follows: - In general, the IPA domain is simply removed from the sssd.conf file, instead of sssd.conf being rewritten from the backup. This preserves any domains added after installation. - If sssd.conf existed before the installation, it is restored to sssd.conf.bkp. However, any IPA domains from pre-installation sssd.conf should have been merged during the installation. - If sssd.conf did not exist before the installation, and no other domains than IPA domain exist in it, the patch makes sure that sssd.conf is moved to sssd.conf.deleted so user experiences no crash during any next installation due to its existence. https://fedorahosted.org/freeipa/ticket/2740
* SSHPublicKey.fingerprint_dns_sha1 should return unicode value.Jan Cholasta2012-09-201-1/+1
|
* Use Dogtag 10 only when it is availablePetr Viktorin2012-09-174-19/+128
| | | | | | | | | | | Put the changes from Ade's dogtag 10 patch into namespaced constants in dogtag.py, which are then referenced in the code. Make ipaserver.install.CAInstance use the service name specified in the configuration. Uninstallation, where config is removed before CA uninstall, also uses the (previously) configured value. This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
* Modifications to install scripts for dogtag 10Ade Lee2012-09-174-7/+13
| | | | | | | Dogtag 10 uses a new installer, new directory layout and new default ports. This patch changes the ipa install code to integrate these changes. https://fedorahosted.org/freeipa/ticket/2846
* Fix various typos.Yuri Chornoivan2012-09-181-1/+1
| | | | https://fedorahosted.org/freeipa/ticket/3089
* Use OpenSSH-style public keys as the preferred format of SSH public keys.Jan Cholasta2012-09-062-20/+199
| | | | | | | | | | | | | | | Public keys in the old format (raw RFC 4253 blob) are automatically converted to OpenSSH-style public keys. OpenSSH-style public keys are now stored in LDAP. Changed sshpubkeyfp to be an output parameter, as that is what it actually is. Allow parameter normalizers to be used on values of any type, not just unicode, so that public key blobs (which are str) can be normalized to OpenSSH-style public keys. ticket 2932, 2935
* Internationalization for public errorsPetr Viktorin2012-09-031-5/+9
| | | | | | | | | | | | Currently, we throw many public exceptions without proper i18n. Wrap natural-language error messages in _() so they can be translated. In the service plugin, raise NotFound errors using handle_not_found helper so the error message contains the offending service. Use ScriptError instead of NotFoundError in bindinstance install. https://fedorahosted.org/freeipa/ticket/1953
* Ticket #2850 - Ipactl exception not handled wellJohn Dennis2012-08-271-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Ticket #2850 - Ipactl exception not handled well There were various places in ipactl which intialized IpactlError with None as the msg. If you called str() on that exception all was well because ScriptError.__str__() converted a msg with None to the empty string (IpactlError is subclassed from ScriptError). But a few places directly access e.msg which will be None if initialized that way. It's hard to tell from the stack traces but I'm pretty sure it's those places which use e.msg directly which will cause the problems seen in the bug report. I do not believe it is ever correct to initialize an exception message to None, I don't even understand what that means. On the other hand initializing to the empty string is sensible and for that matter is the default for the class. This patch makes two fixes: 1) The ScriptError initializer will now convert a msg parameter of None to the empty string. 2) All places that initialized IpactlError's msg parameter to None removed the None initializer allowing the msg parameter to default to the empty string. I don't know how to test the fix for Ticket #2850 because it's not clear how it got into that state in the first place, but I do believe initialing the msg value to None is clearly wrong and should fix the problem.
* Ticket #3008: DN objects hash differently depending on caseJohn Dennis2012-08-221-14/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Because the attrs & values in DN's, RDN's and AVA's are comparison case- insensitive the hash value between two objects which compare as equal but differ in case must also yield the same hash value. This is critical when these objects are used as a dict key or in a set because dicts and sets use the object's __hash__ value in conjunction with the objects __eq__ method to lookup the object. The defect is the DN, RDN & AVA objects computed their hash from the case- preserving string representation thus two otherwise equal objects incorrectly yielded different hash values. The problem manifests itself when one of these objects is used as a key in a dict, for example a dn. dn1 = DN(('cn', 'Bob')) dn2 = DN(('cn', 'bob')) dn1 == dn2 --> True hash(dn1) == hash(dn2) --> False d = {} d[dn1] = x d[dn2] = y len(d) --> 2 The patch fixes the above by lower casing the string representation of the object prior to computing it's hash. The patch also corrects a spelling mistake and a bogus return value in ldapupdate.py which happened to be discovered while researching this bug.
* Fix winsync agreements creationMartin Kosek2012-08-121-1/+9
| | | | | | | | | | | | | | Due to recent addition of ID range support to DsInstance, the class could no longer be instantiated when realm_name was passed but ID range parameters were not. This condition broke winsync agreements creation in ipa-replica-manage. Make sure that ID range computation in DsInstance does not crash in this cases so that winsync replica can be created. Also convert --binddn option of ipa-replica-manage script to IPA native DN type so that setup_agreement does not crash. https://fedorahosted.org/freeipa/ticket/2987