| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
| |
In Python 3, exceptions don't behave as tuples of their arguments;
instead of e[1] it's necessary to use e.args[1].
https://fedorahosted.org/freeipa/ticket/5623
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
In Python 3, the truncating division operator, //, is needed to
get C-style "int division".
https://fedorahosted.org/freeipa/ticket/5623
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
When resolv.conf is set to point to the master's ip before installation, the
ipa-server-install does not create a reverse zone for it's ip even despite
--auto-reverse option provided. The fix is not to mess around with resolv.conf
before master installation.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
|
| |
|
|
| |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
| |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
During IPA server upgrade from pre-4.3 versions, the ACIs permitting
manipulation of replication agreements are removed from the
'cn="$SUFFIX",cn=mapping tree,cn=config' and 'cn=o\3Dipaca,cn=mapping
tree,cn=config'. However they are never re-added breaking management and
installation of replicas.
This patch modifies the update process so that the ACIs are first added to the
'cn=mapping tree,cn=config' and then removed from the child entries.
https://fedorahosted.org/freeipa/ticket/5575
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
ipactl is not aware of new services installed later, if ipactl restart
or start has not been executed.
This commit is workaround, proper fix may need to improve ipactl.
https://fedorahosted.org/freeipa/ticket/5262
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Replace the "import default_encoding_utf8" in ipalib/cli.py with equivalent
Python code.
https://fedorahosted.org/freeipa/ticket/5596
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
If connection do LDAP failed (or LDAP server is down) we cannot verify
if there is any additonal instance of CA, KRA, DNSSEC master.
In this case a user is warned and promted to confirm uninstallation.
https://fedorahosted.org/freeipa/ticket/5544
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
| |
ipa-kra-install needs directory manager password
Regression caused by c4b9b295d8184694c50c0d56051e0273445c98ec
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
| |
Enables check and fixes one issue.
get_entries can be replaced by get_entry, filter is not needed because
check of 'originfilter' attribute is done later.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
| |
Enables check and marks occurences of runtime error in dcerpc.py as
false positive.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
LDAP calls just assert if an invalid (NULL) context is passed in,
so we need to be sure we have a valid connection context before
calling into LDAP APIs and fail outright if a context can't be obtained.
https://fedorahosted.org/freeipa/ticket/5577
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Remove des3 and arcfour from the defaults for new installs.
NOTE: the ipasam/dcerpc code sill uses arcfour
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/4740
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
| |
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5583
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5585
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5585
Reviewed-By: Tomas Babej <tbabej@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The HTTP reason phrase sent by Dogtag is assumed to be encoded in
UTF-8, but the encoding used by Tomcat is dependent on system
locale, causing decode errors in some locales.
The reason phrase is optional and will not be sent in a future
version of Tomcat[1], so do not bother decoding and returning it.
[1] https://github.com/apache/tomcat/commit/707ab1c77f3bc189e1c3f29b641506db4c8bce37
Fixes: https://fedorahosted.org/freeipa/ticket/5578
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5601
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
These tests will ensure that our package version handling code can correctly
decide when to upgrade IPA master.
https://fedorahosted.org/freeipa/ticket/5572
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
We always have to call find_base() in order to force libldap to open
the socket. However, if no base is actually required then there is
no reason to error out if find_base() fails. This condition can arise
when anonymous binds are disabled.
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
| |
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
| |
In DNSSEC tests the root zone has to be created, this requires to use
--skip-overlap-check to work properly.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Stop using rpm-python to compare package versions since the implicit NSS
initialization upon the module import breaks NSS handling in IPA code. Call
rpm-libs C-API function via CFFI instead.
Big thanks to Martin Kosek <mkosek@redhat.com> for sharing the code snippet
that spurred this patch.
https://fedorahosted.org/freeipa/ticket/5572
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Attribute 'unattended' is not always present in 'options' so function
parameter 'unattended' should be used.
https://fedorahosted.org/freeipa/ticket/5563
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5563
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
Opiton should be added to ipa-replica-prepare when it was added to
ipa-{server,replica,dns}-install but was forgotten.
https://fedorahosted.org/freeipa/ticket/5563
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
| |
revzone2 changed to unresolvable reverse zone
test for root zone now supresses the overlap check
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Former upgrade file always created the NIS Server container, that caused
the ipa-nis-manage did not set all required NIS maps. Default creation
of container has been removed.
Updating of NIS Server configuration and
NIS maps is done only if the NIS Server container exists.
https://fedorahosted.org/freeipa/ticket/5507
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
ipa-server-upgrade tests whether certmonger service is running before
attempting to upgrade IPA master. This causes the upgrader to always fail when
there is no CA installer and certmonger is not needed, effectively preventing
CA-less IPA master to upgrade succefuly.
This test is now skipped if CA is not enabled.
https://fedorahosted.org/freeipa/ticket/5519
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This commit allows to use mixed case of keys for sysrestore, before this
commit all keys were saved in lowercase what prevents to accesing them.
Original usage of mixed case for sysretore key in opendssecinstance had
to be changed to lowercase to prevent issues on already installed
systems.
https://fedorahosted.org/freeipa/ticket/5574
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5564
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Previously the command returned False whenever an exception occured
which caused installed to continue even when there was a problem with
LDAP connection.
https://fedorahosted.org/freeipa/ticket/5564
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Now the option correctly adds missing reverse zones even in unattended
mode.
Still, this is not sufficient in all cases because 'automatic empty zones'
created by BIND (as specified in RFC 6303) can shadow the reverse zones
hosted on other servers. This needs to be solved in a separate patch.
https://fedorahosted.org/freeipa/ticket/5559
Reviewed-By: David Kupka <dkupka@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5553
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5532
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Gabe Alford <redhatrises@gmail.com>
|
| |
|
|
|
|
| |
Also added ipa_backup, ipa_restore and replica_uninstall functions
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
| |
This error may potentially happen when plugin migration is skipped due
an error. In that case variable 'update' was undefined.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Command "ldap-cleanup <zone name>" is called to remove all key metadata from
LDAP. This command is now called when disabling DNSSEC on a DNS zone. The stale
metadata were causing problems when re-enabling DNSSEC on the same zone.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Command "ldap-cleanup <zone name>" will remove all key metadata from
LDAP. This can be used manually in sequence like:
ldap-cleanup <zone name>
update <zone name>
to delete all key metadata from LDAP and re-export them from OpenDNSSEC.
ldap-cleanup command should be called when disabling DNSSEC on a DNS
zone to remove stale key metadata from LDAP.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
This filtering is useful in cases where LDAP contains DNS zones which
have old metadata objects and DNSSEC disabled. Such zones must be
ignored to prevent errors while calling dnssec-keyfromlabel or rndc.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Key purging has to be only only after key metadata purging so
ipa-dnskeysyncd on replices does not fail while dereferencing
non-existing keys.
https://fedorahosted.org/freeipa/ticket/5334
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ldapkeydb.py can be executed directly now. In that case it will print
out key metadata as obtained using IPA LDAP API.
Kerberos credential cache has to be filled with principal posessing
appropriate access rights before the script is execured.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We have to explicitly specify "none" value to prevent dnssec-keyfromlabel
utility from using current time for keys without "publish" and "activate"
timestamps.
Previously this lead to situation where key was in (intermediate) state
"generated" in OpenDNSSEC but BIND started to use this key for signing.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously we published timestamps of planned state changes in LDAP.
This led to situations where state transition in OpenDNSSEC was blocked
by an additional condition (or unavailability of OpenDNSSEC) but BIND
actually did the transition as planned.
Additionally key state mapping was incorrect for KSK so sometimes KSK
was not used for signing when it should.
Example (for code without this fix):
- Add a zone and let OpenDNSSEC to generate keys.
- Wait until keys are in state "published" and next state is "inactive".
- Shutdown OpenDNSSEC or break replication from DNSSEC key master.
- See that keys on DNS replicas will transition to state "inactive" even
though it should not happen because OpenDNSSEC is not available
(i.e. new keys may not be available).
- End result is that affected zone will not be signed anymore, even
though it should stay signed with the old keys.
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
| |
|
|
|
|
| |
https://fedorahosted.org/freeipa/ticket/5348
Reviewed-By: Martin Basti <mbasti@redhat.com>
|
