freeipa.git/ipaclient, branch fixlogout FreeIPA patches client install: create /etc/ipa/nssdb with correct mode 2017-02-20T13:00:50+00:00 Jan Cholasta jcholast@redhat.com 2017-02-16T09:57:14+00:00 b4fa354f500bcf3ac23ee3805f2c166c6a635b92 The NSS database directory is created with mode 640, which causes the IPA client to fail to connect to any IPA server, because it is unable to read trusted CA certificates from the NSS database. Create the directory with mode 644 to fix the issue. https://fedorahosted.org/freeipa/ticket/5959 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.

Create the directory with mode 644 to fix the issue.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add password to certutil calls in NSSDatabase 2017-02-17T09:14:23+00:00 Stanislav Laznicka slaznick@redhat.com 2016-12-06T08:14:54+00:00 ca457eb5ce12291f555f1bf771114d6d7d191987 NSSDatabases should call certutil with a password. Also, removed `password_filename` argument from `.create_db()`. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
NSSDatabases should call certutil with a password. Also, removed
`password_filename` argument from `.create_db()`.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
DNS: dns-update-system-record can create nsupdate file 2017-02-15T11:20:55+00:00 Martin Basti mbasti@redhat.com 2017-01-27T12:42:19+00:00 7eb2ef61905a5c6ddf04237f0aa84e7585e1186d Added option --out <path> creates a file with IPA DNS data in nsupdate format. https://fedorahosted.org/freeipa/ticket/6585 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Added option --out <path> creates a file with IPA DNS data in nsupdate
format.

https://fedorahosted.org/freeipa/ticket/6585

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Separate RA cert store from the HTTP cert store 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-12-13T15:32:32+00:00 d124e307f3b7d88bca53784f030ed6043b224432 This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Remove is_fips_enabled checks in installers and ipactl 2017-02-13T17:10:55+00:00 Stanislav Laznicka slaznick@redhat.com 2016-12-06T07:55:56+00:00 08c71703a44d8aec308781351c3a9dd4a4ba94a7 https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
tests: Add tests for CSR autogeneration 2017-01-31T09:20:28+00:00 Ben Lipton blipton@redhat.com 2016-09-08T22:29:46+00:00 a26cf0d7910dd4c0a4da08682b4be8d3d94ba520 This patch also contains some code changes to make the code easier to test and to make the tests pass. https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
This patch also contains some code changes to make the code easier to
test and to make the tests pass.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
csrgen: Use data_sources option to define which fields are rendered 2017-01-31T09:20:28+00:00 Ben Lipton blipton@redhat.com 2016-09-06T18:58:24+00:00 afd7c05d11432304bfdf183832a21d419f363689 This removes the ipa.syntaxrule and ipa.datarule macros in favor of simple 'if' statements based on the data referenced in the rules. The 'if' statement for a syntax rule is generated based on the data rules it contains. The Subject DN should not be generated unless all data rules are in place, so the ability to override the logical operator that combines data_sources (from 'or' to 'and') is added. https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
This removes the ipa.syntaxrule and ipa.datarule macros in favor of
simple 'if' statements based on the data referenced in the rules. The
'if' statement for a syntax rule is generated based on the data rules it
contains.

The Subject DN should not be generated unless all data rules are in
place, so the ability to override the logical operator that combines
data_sources (from 'or' to 'and') is added.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
csrgen: Add code to generate scripts that generate CSRs 2017-01-31T09:20:28+00:00 Ben Lipton blipton@redhat.com 2016-07-05T18:19:35+00:00 10ef5947860f5098182b1f95c08c1158e2da15f9 Adds a library that uses jinja2 to format a script that, when run, will build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses this library and builds the script for a given principal. The rules are read from json files in /usr/share/ipa/csr, but the rule provider is a separate class so that it can be replaced easily. https://fedorahosted.org/freeipa/ticket/4899 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Adds a library that uses jinja2 to format a script that, when run, will
build a CSR. Also adds a CLI command, 'cert-get-requestdata', that uses
this library and builds the script for a given principal. The rules are
read from json files in /usr/share/ipa/csr, but the rule provider is a
separate class so that it can be replaced easily.

https://fedorahosted.org/freeipa/ticket/4899

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
py3: decode bytes for json.loads() 2017-01-24T12:25:47+00:00 Martin Basti mbasti@redhat.com 2017-01-12T15:20:43+00:00 18337bf7f7c31a47fe0c7280f82fca043b548bd5 In py 3.5 json.loads requires to have string as input, all bytes must be decoded. Note: python 3.6 supports bytes for json.loads() https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
In py 3.5 json.loads requires to have string as input, all bytes must be
decoded.

Note: python 3.6 supports bytes for json.loads()

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
client install: correctly report all failures 2017-01-20T16:34:07+00:00 Jan Cholasta jcholast@redhat.com 2017-01-03T06:43:12+00:00 26630db9d0fb1d9c8a02840b71b3fb3e8bdf3e0d In commit 5249eb817efbb5708d097173a8d5f1e322fb201e, the client install code was converted to use exception handling instead of return codes. However, some return statements were not converted to raise statements and as a result, ipa-client-install will report success in some error conditions. Convert the return statements to raise statements to fix the issue. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
In commit 5249eb817efbb5708d097173a8d5f1e322fb201e, the client install code
was converted to use exception handling instead of return codes. However,
some return statements were not converted to raise statements and as a
result, ipa-client-install will report success in some error conditions.

Convert the return statements to raise statements to fix the issue.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>