freeipa.git/ipaserver, branch coverity FreeIPA patches DNS Locations: fix update-system-records unpacking error 2016-07-22T13:16:08+00:00 Martin Basti mbasti@redhat.com 2016-07-22T11:32:31+00:00 524719f420fa331b3a1d53d5d8bebdfee39c8371 Method IPASystemRecords.records_list_from_node returns only list consists only from record names not tuple, which caused unpacking error https://fedorahosted.org/freeipa/ticket/6117 Reviewed-By: Nikhil Dehadrai <ndehadra@redhat.com> 
Method IPASystemRecords.records_list_from_node returns only list
consists only from record names not tuple, which caused unpacking error

https://fedorahosted.org/freeipa/ticket/6117

Reviewed-By: Nikhil Dehadrai <ndehadra@redhat.com>
help: Add dnsserver commands to help topic 'dns' 2016-07-22T11:52:09+00:00 David Kupka dkupka@redhat.com 2016-07-15T09:55:19+00:00 34767ba25936700ba331fc5b7791ecd151083501 https://fedorahosted.org/freeipa/ticket/6069 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
https://fedorahosted.org/freeipa/ticket/6069

Reviewed-By: Petr Spacek <pspacek@redhat.com>
Host-del: fix behavior of --updatedns and PTR records 2016-07-22T11:40:05+00:00 Martin Basti mbasti@redhat.com 2016-07-21T11:18:34+00:00 8aba4f63439853d524e8b394b7919159c86d2a08 * target for ptr record must be absolute domain name * zone is detected using DNS system instead of random splitting of hostname https://fedorahosted.org/freeipa/ticket/6060 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
* target for ptr record must be absolute domain name
* zone is detected using DNS system instead of random splitting of
hostname

https://fedorahosted.org/freeipa/ticket/6060

Reviewed-By: Petr Spacek <pspacek@redhat.com>
trust-add: handle `--all/--raw` options properly 2016-07-21T11:01:02+00:00 Martin Babinsky mbabinsk@redhat.com 2016-07-15T10:38:00+00:00 2234a774416309a44aecb84f27e6cf4c6a1a990f `trust-add` command did not handle these options correctly often resulting in internal errors or mangled output. This patch implements a behavior which is more in-line with the rest of the API commands. https://fedorahosted.org/freeipa/ticket/6059 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
`trust-add` command did not handle these options correctly often resulting in
internal errors or mangled output. This patch implements a behavior which is
more in-line with the rest of the API commands.

https://fedorahosted.org/freeipa/ticket/6059

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
prevent search for RADIUS proxy servers by secret 2016-07-21T08:49:10+00:00 Martin Babinsky mbabinsk@redhat.com 2016-07-21T07:42:01+00:00 66da08445370f7024a6a529a6659714c33b7525e radiusproxy-find should not allow search by proxy secret even for privileged users so we should hide it from CLI. https://fedorahosted.org/freeipa/ticket/6078 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
radiusproxy-find should not allow search by proxy secret even for privileged
users so we should hide it from CLI.

https://fedorahosted.org/freeipa/ticket/6078

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
expose `--secret` option in radiusproxy-* commands 2016-07-21T08:49:10+00:00 Martin Babinsky mbabinsk@redhat.com 2016-07-18T08:45:48+00:00 447feb7f37803b9bad8aab52841c4d1db293727a Option `--secret` was hidden from radiusproxy CLI preventing setting a secret on existing server or searching by secret. Since thin client implementation it was also not recognized by the interactive prompt code in CLI frontend since it never got there. https://fedorahosted.org/freeipa/ticket/6078 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Option `--secret` was hidden from radiusproxy CLI preventing setting a secret
on existing server or searching by secret. Since thin client implementation it
was also not recognized by the interactive prompt code in CLI frontend since
it never got there.

https://fedorahosted.org/freeipa/ticket/6078

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
allow 'value' output param in commands without primary key 2016-07-20T11:57:01+00:00 Martin Babinsky mbabinsk@redhat.com 2016-07-18T11:18:44+00:00 f0a61546f552d4df887617167f7dc1378cb95083 `PrimaryKey` output param works only for API objects that have primary keys, otherwise it expects None (nothing is associated with this param). Since the validation of command output was tightened durng thin client effort, some commands not honoring this contract began to fail output validation. A custom output was implemented for them to restore their functionality. It should however be considered as a fix for broken commands and not used further. https://fedorahosted.org/freeipa/ticket/6037 https://fedorahosted.org/freeipa/ticket/6061 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
`PrimaryKey` output param works only for API objects that have primary keys,
otherwise it expects None (nothing is associated with this param). Since the
validation of command output was tightened durng thin client effort, some
commands not honoring this contract began to fail output validation.

A custom output was implemented for them to restore their functionality. It
should however be considered as a fix for broken commands and not used
further.

https://fedorahosted.org/freeipa/ticket/6037
https://fedorahosted.org/freeipa/ticket/6061

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Show full error message for selinuxusermap-add-hostgroup 2016-07-20T11:13:05+00:00 Florence Blanc-Renaud flo@redhat.com 2016-07-20T09:02:30+00:00 90704df59dbe996ef1db58d7a11f826c008d08a3 While investigating the issue for selinuxusermap-add-hostgroup, we discovered that other commands were missing output. A first patch fixes most of the issues: freeipa-jcholast-677-frontend-copy-command-arguments-to-output-params-on-.patch This patch fixes servicedelegation CLI, where servicedelegation.takes_params was missing ipaallowedtarget_servicedelegationtarget, ipaallowedtoimpersonate and memberprincipal https://fedorahosted.org/freeipa/ticket/6026 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
While investigating the issue for selinuxusermap-add-hostgroup,
we discovered that other commands were missing output.
A first patch fixes most of the issues:
freeipa-jcholast-677-frontend-copy-command-arguments-to-output-params-on-.patch

This patch fixes servicedelegation CLI, where
servicedelegation.takes_params was missing
ipaallowedtarget_servicedelegationtarget, ipaallowedtoimpersonate and
memberprincipal

https://fedorahosted.org/freeipa/ticket/6026

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Create server and host certs with DNS altname 2016-07-19T12:18:04+00:00 Fraser Tweedale ftweedal@redhat.com 2015-12-07T05:14:28+00:00 b12db924143cd6828c596c0b8a261325f3f589f3 Currently server (HTTP / LDAP) certs are created without a Subject Alternative Name extension during server install, replica prepare and host enrolment, a potentially problematic violation of RFC 2818. Add the hostname as a SAN dNSName when these certs are created. (Certmonger adds an appropriate request extension when renewing the certificate, so nothing needs to be done for renewal). Fixes: https://fedorahosted.org/freeipa/ticket/4970 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
Currently server (HTTP / LDAP) certs are created without a Subject
Alternative Name extension during server install, replica prepare
and host enrolment, a potentially problematic violation of RFC 2818.

Add the hostname as a SAN dNSName when these certs are created.

(Certmonger adds an appropriate request extension when renewing the
certificate, so nothing needs to be done for renewal).

Fixes: https://fedorahosted.org/freeipa/ticket/4970
Reviewed-By: Petr Spacek <pspacek@redhat.com>
DNS install: Ensure that DNS servers container exists 2016-07-15T12:13:32+00:00 Martin Babinsky mbabinsk@redhat.com 2016-07-14T15:14:59+00:00 37bfd1fdde8906b2b5712d1f99f3f4be8f91ca0a during DNS installation it is assumed that the cn=servers,cn=dns container is always present in LDAP backend when migrating DNS server info to LDAP. This may not always be the case (e.g. when a new replica is set up against older master) so the code must take additional steps to ensure this container is present. https://fedorahosted.org/freeipa/ticket/6083 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
during DNS installation it is assumed that the cn=servers,cn=dns container is
always present in LDAP backend when migrating DNS server info to LDAP.

This may not always be the case (e.g. when a new replica is set up against
older master) so the code must take additional steps to ensure this container
is present.

https://fedorahosted.org/freeipa/ticket/6083

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>