summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* cert-request: match names against principal aliasesFraser Tweedale2016-12-062-40/+158
| | | | | | | | | | | | | | | Currently we do not check Kerberos principal aliases when validating a CSR. Enhance cert-request to accept the following scenarios: - for hosts and services: CN and SAN dnsNames match a principal alias (realm and service name must be same as nominated principal) - for all principal types: UPN or KRB5PrincipalName othername match any principal alias. Fixes: https://fedorahosted.org/freeipa/ticket/6295 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Milan Kubik <mkubik@redhat.com>
* fix missing translation stringshanyin2016-12-061-1/+1
| | | | Reviewed-By: Martin Basti <mbasti@redhat.com>
* replica-conncheck: improve message loggingTomas Krizek2016-12-061-47/+51
| | | | | | | | | | Make sure all messages displayed on screen to the user can be found in the log as well. The messages are also logged if the script is ran in quiet mode. https://fedorahosted.org/freeipa/ticket/6497 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* replica-conncheck: improve error message during replicainstallTomas Krizek2016-12-061-1/+1
| | | | | | | | | | | Replica conncheck may fail for other reasons then network misconfiguration. For example, an incorrect admin password might be provided. Since conncheck is ran as a separate script in quiet mode, no insightful error message can be displayed. https://fedorahosted.org/freeipa/ticket/6497 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipa-replica-conncheck: fix race conditionTomas Krizek2016-12-061-6/+11
| | | | | | | | | | When the thread that opens ports would execute notify() before the original thread could call wait(), the original thread would wait indefinitely for a notify() call. https://fedorahosted.org/freeipa/ticket/6487 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* permission-find: fix a sizelimit off-by-one bugStanislav Laznicka2016-12-061-9/+9
| | | | | | | | | permission-find: sizelimit option set to number of permissions -1 could return all permissions anyway https://fedorahosted.org/freeipa/ticket/5640 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* fix permission_find fail on low search size limitStanislav Laznicka2016-12-061-2/+2
| | | | | | | | | | | permission_find() method would have failed if size_limit in config is too small caused by a search in post_callback. This search should also respect the passed sizelimit or the sizelimit from ipa config if no sizelimit is passed. https://fedorahosted.org/freeipa/ticket/5640 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Make get_entries() not ignore its limit argumentsStanislav Laznicka2016-12-061-1/+2
| | | | | | | | | | | get_entries() wouldn't pass some arguments deeper to find_entries() function it wraps. This would cause unexpected behavior in some cases throughout the framework where specific (non-)limitations are expected. https://fedorahosted.org/freeipa/ticket/5640 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add 'env_confdir' to constantsMartin Babinsky2016-12-051-0/+1
| | | | | | | | | Env confdir is always populated so it should be listed among variables set during a call to `Env._bootstrap()`. https://fedorahosted.org/freeipa/ticket/6389 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Add python-pyasn1-modules into dependenciesPavel Vomacka2016-12-051-0/+3
| | | | | | | | | | | | | | Python-pyasn1-modules is needed because of this import: from pyasn1_modules import rfc2459 in ipalib/x509.py. Python-pyasn1-modules is required only by python-ldap package, but it would be good to not rely on another package and rather say explicitely that this package is necessary. https://fedorahosted.org/freeipa/ticket/6398 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Relax check for .git to support freeipa in submodulesChristian Heimes2016-12-051-1/+1
| | | | | | | | | | | Let's relax the check for .git from directory to exists in order to support freeipa in a git submodule. Submodules have a .git file with content like gitdir: ../.git/modules/freeipa Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Ignore backup~ files like config.h.in~Christian Heimes2016-12-051-0/+1
| | | | | Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Fetch correct exception in IPA_CONFDIR testChristian Heimes2016-12-051-2/+1
| | | | | | | fixes c2934aaa Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Raise errors.EnvironmentError if IPA_CONFDIR var is incorrectly usedPetr Vobornik2016-12-023-6/+15
| | | | Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Use env var IPA_CONFDIR to get confdirChristian Heimes2016-12-025-3/+68
| | | | | | | | | | | | | The environment variable IPA_CONFDIR overrides the default confdir path. The value of the environment variable must be an absolute path to an existing directory. The new variable makes it much simpler to use the 'ipa' command and ipalib with a local configuration directory. Some scripts (e.g. servers, installers, and upgrades) set the confdir explicitly and do not support the env var. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fix pep-8 transgressions in ipalib/misc.pyMartin Babinsky2016-12-021-9/+16
| | | | | | | | Make the code moved from `ipaserver/plugins` pep-8 conformant. https://fedorahosted.org/freeipa/ticket/6490 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Make `env` and `plugins` commands local againMartin Babinsky2016-12-023-121/+133
| | | | | | | | | | | | | | During thin client refactoring, LocalOrRemote class implementation of `run` method was overriden by default Command implementation during instantiation of client plugins from schema. This caused these commands to always forward this request to IPA master. This patch restores the original behavior: unless `--server` option was specified, the commands will always print out local config. https://fedorahosted.org/freeipa/ticket/6490 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Revert "Add 'ipa localenv' subcommand"Martin Babinsky2016-12-022-29/+1
| | | | | | | | | | This reverts commit 1166fbc4946596fcc2ed51a1ec6990fc7dae8964. The proper fix is to restore pre-thin client behavior of commands inheriting from LocalOrRemote class. https://fedorahosted.org/freeipa/ticket/6490 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Adjustments for setup requirements v2Pavel Vomacka2016-12-022-6/+0
| | | | | | | | Remove setup requirement on wheel since it triggers download. https://fedorahosted.org/freeipa/ticket/6468 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Set explicit confdir option for global contextsChristian Heimes2016-12-0232-42/+86
| | | | | | | | | | | | | | | | | | | | | | | | | Some API contexts are used to modify global state (e.g. files in /etc and /var). These contexts do not support confdir overrides. Initialize the API with an explicit confdir argument to paths.ETC_IPA. The special contexts are: * backup * cli_installer * installer * ipctl * renew * restore * server * updates The patch also corrects the context of the ipa-httpd-kdcproxy script to 'server'. https://fedorahosted.org/freeipa/ticket/6389 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Remove import of ipaplatform.paths from test_ipalibChristian Heimes2016-12-021-5/+4
| | | | | | | | | ipalib's env bootstrapping uses hard-coded defaults, too. https://fedorahosted.org/freeipa/ticket/6474 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Remove BIN_FALSE and BIN_TRUEChristian Heimes2016-12-022-6/+4
| | | | | | | https://fedorahosted.org/freeipa/ticket/6474 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Add pylint guard to import of ipaplatform in ipapython.certdbChristian Heimes2016-12-021-4/+6
| | | | | | | | | | ipaplatform is not available in PyPI wheel packages. The guard silences a pylint error in wheel pylint tests. https://fedorahosted.org/freeipa/ticket/6474 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Require python-gssapi >= 1.2.0, take 2Christian Heimes2016-12-011-1/+1
| | | | | | | | | | | | | | Fix version range typo in ipasetup.py.in. Sorry, the bug slipped through my internal tests. The version pinning is only relevant for make wheel_bundle. The wheel bundle target has been failing from the start because python-nss has a build bug for wheels, https://bugzilla.redhat.com/show_bug.cgi?id=1389739 https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes cheimes@redhat.com Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipa-replica-conncheck: do not close listening ports until requiredTomas Krizek2016-12-012-109/+113
| | | | | | | | | | | | | | | | | | | Previously, a separate thread would be created for each socket used for conncheck. It would also time out after one second, after which it would be closed and reopened again. This caused random failures of conncheck. Now all sockets are handled in a single thread and once the server starts to listen on a port, it does not close that connection until the script finishes. Only IPv6 socket is used for simplicity, since it can handle both IPv6 and IPv4 connections. This requires IPv6 kernel support, which is required by other parts of IPA anyway. https://fedorahosted.org/freeipa/ticket/6487 Reviewed-By: Petr Spacek <pspacek@redhat.com>
* Backwards compatibility with setuptools 0.9.8Christian Heimes2016-12-011-6/+25
| | | | | | | | | | Setuptools 0.9.8 does not support PEP 440 version schema with +git suffix and PEP 508 env markers. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
* Require python-cryptography >= 1.3.1Christian Heimes2016-11-302-7/+7
| | | | | | | | | | | | | | | | python-cryptography versions < 1.3 no longer compile with recent OpenSSL 1.0.2 versions. In order to build wheels, a more recent version of cryptography is required. 1.3.1 is the oldest well tested version (RHEL 7.3) that is known to work with FreeIPA. Bump up in freeipa.spec is not required for technical reasons. The problem only affects PyPI packages. It's policy to keep requirements in sync. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Wheel bundles fixesChristian Heimes2016-11-303-4/+4
| | | | | | | | | | | * make wheel_bundle no longer bundles ipaplatform * ipaclient and ipalib use a consistent extra tag for the install subpackage. `pip install ipalib[ipalib.install]` looks a bit silly. https://fedorahosted.org/freeipa/ticket/6474 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Check the result of cert request in replica installerFlorence Blanc-Renaud2016-11-302-8/+7
| | | | | | | | | | | | | | | | | | | | | | When running ipa-replica-install in domain-level 1, the installer requests the LDAP and HTTP certificates using certmonger but does not check the return code. The installer goes on and fails when restarting dirsrv. Fix: when certmonger was not able to request the certificate, raise an exception and exit from the installer: [28/45]: retrieving DS Certificate [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE) Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed (CA_UNREACHABLE) ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information https://fedorahosted.org/freeipa/ticket/6514 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Test: basic kerberos over http functionalityOleg Fayans2016-11-301-0/+58
| | | | | | https://fedorahosted.org/freeipa/ticket/6446 Reviewed-By: Milan Kubik <mkubik@redhat.com>
* Test: made kinit_admin a returning functionOleg Fayans2016-11-301-2/+2
| | | | | | | In some cases we need to check the result of kinit and print out the error message. Therefore we need it to return the result. Reviewed-By: Milan Kubik <mkubik@redhat.com>
* Require python-gssapi >= 1.2.0Christian Heimes2016-11-302-7/+7
| | | | | | | | | | | | | | | The PyPI package for python-gssapi 1.1.x has a packaging bug. It depends on enum34 for Python 3 although it is only required for 2.7. 1.2.0 is the oldest version that has been tested at length by QE. It's know to work. Bump up in freeipa.spec is not required for technical reasons. The packaging bug only affects PyPI packages. It's policy to keep requirements in sync. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replica install: track the RA agent certificate againJan Cholasta2016-11-301-1/+5
| | | | | | | | | | | | | During the rebase of commit 822e1bc82af3a6c1556546c4fbe96eeafad45762 on top of commit 808b1436b4158cb6f926ac2b5bd0979df6ea7e9f, the call to track the RA agent certificate with certmonger was accidentally removed from ipa-replica-install. Put the call back so that the certificate is tracked after replica install. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
* Adjustments for setup requirementsChristian Heimes2016-11-307-22/+17
| | | | | | | | | | | | | | * Fix some typos, missing or surplus dependencies. * Remove setup requirement on wheel since it triggers download. ipatests is now installable. Tests need further changes to be runable. https://fedorahosted.org/freeipa/ticket/6468 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
* Enhance __repr__ method of PrincipalMartin Babinsky2016-11-302-0/+6
| | | | | | | | | | | | `__repr__` now returns more descriptive string containing the actual principal name while keeping the ability to reconstruct the object from it. This makes principal names visible in debug logs, easing troubleshooting a bit. https://fedorahosted.org/freeipa/ticket/6505 Reviewed-By: Christian Heimes <cheimes@redhat.com>
* Accept server host names resolvable only using /etc/hostsPetr Spacek2016-11-291-4/+3
| | | | | | | | | | | | | | | | | | | | | | | | | Apparently "files" implementation of hosts NSS database cannot deal with trailing period in host names. Previously name server.example.com which is was resolvable neither using dns nor myhostname NSS modules were rejected by installer (despite having matching line in /etc/hosts). These names which are resolvable purely using "files" database are now accepted. The problem is that I had to remove trailing period from names passed to getaddrinfo() function. This effectivelly enables search list processing. This means that items from the search list might be silently appended to the query and we might get an IP address for totally different names than we asked for. Unfortunatelly I see no way around this while keeping ability to use names from NSS hosts database. https://fedorahosted.org/freeipa/ticket/6518 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* tests: Added basic tests for certs in idoverridesOleg Fayans2016-11-291-0/+82
| | | | | | | https://fedorahosted.org/freeipa/ticket/6412 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Milan Kubik <mkubik@redhat.com>
* Created idview trackerOleg Fayans2016-11-291-0/+116
| | | | | | | | | Needed for basic certs in idoverrides tests https://fedorahosted.org/freeipa/ticket/6412 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Milan Kubik <mkubik@redhat.com>
* replication: ensure bind DN group check interval is set on replica configMartin Babinsky2016-11-291-0/+6
| | | | | | | | | | This is a safeguard ensuring valid replica configuration against incorrectly upgraded masters lacking 'nsds5replicabinddngroupcheckinterval' attribute on their domain/ca topology config. https://fedorahosted.org/freeipa/ticket/6508 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* upgrade: add replica bind DN group check interval to CA topology configMartin Babinsky2016-11-291-0/+1
| | | | | | | | | | Without this attribute explicitly set the replication plugin won't recognize updates from members of 'replication managers' sysaccount group, leading to stuck replica CA installation. https://fedorahosted.org/freeipa/ticket/6508 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* Build: properly integrate ipa.pot into build system testsPetr Spacek2016-11-291-2/+2
| | | | | | | | i18n.py tests indirectly depend on existence on ipa.pot file. https://fedorahosted.org/freeipa/ticket/6498 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Build: properly integrate ipasetup.py into build systemPetr Spacek2016-11-293-7/+17
| | | | | | | | | | | | | | | | AC_CONFIG_FILES in configure.ac works well only with Makefiles. Other files have to be handled by Makefile.am so depedencies are tracked properly. There is a problem that Python sub-directories depend on ipasetup.py which is one level above the sub-directory. This means that depedencies are the other way around that expected. This is being worked around using hack from http://lists.gnu.org/archive/html/automake/2009-03/msg00011.html https://fedorahosted.org/freeipa/ticket/6498 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Build: properly integrate version.py into build systemPetr Spacek2016-11-293-5/+20
| | | | | | | | | | AC_CONFIG_FILES in configure.ac works well only with Makefiles. Other files have to be handled by Makefile.am so depedencies are tracked properly. https://fedorahosted.org/freeipa/ticket/6498 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Build: properly integrate loader.js into build systemPetr Spacek2016-11-293-3/+15
| | | | | | | | | | AC_CONFIG_FILES in configure.ac works well only with Makefiles. Other files have to be handled by Makefile.am so depedencies are tracked properly. https://fedorahosted.org/freeipa/ticket/6498 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Build: properly integrate freeipa.spec.in into build systemPetr Spacek2016-11-292-2/+9
| | | | | | | | | | AC_CONFIG_FILES in configure.ac works well only with Makefiles. Other files have to be handled by Makefile.am so depedencies are tracked properly. https://fedorahosted.org/freeipa/ticket/6498 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Build: properly integrate ipa-version.h.in into build systemPetr Spacek2016-11-292-1/+13
| | | | | | | | | | AC_CONFIG_FILES in configure.ac works well only with Makefiles. Other files have to be handled by Makefile.am so depedencies are tracked properly. https://fedorahosted.org/freeipa/ticket/6498 Reviewed-By: Martin Basti <mbasti@redhat.com>
* ipaclient: remove hard dependency on ipaplatformJan Cholasta2016-11-293-19/+13
| | | | | | | | Hard-code the user cache directory path in ipaclient.remote_plugins.schema. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipaclient: move install modules to the install subpackageJan Cholasta2016-11-2912-26/+23
| | | | | | | | | | | | The ipa_certupdate, ipachangeconf, ipadiscovery and ntpconf modules depend on ipaplatform. Move them to ipaclient.install as they are used only from the client installer. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* ipalib: remove hard dependency on ipapythonJan Cholasta2016-11-293-3/+5
| | | | | | | | | | | Hard-code the path to /bin/false in SubprocessError doc string. Remove ipaplatform dependency from ipalib's setup.py and add it as optional installer dependency to ipalib's and ipaclient's setup.py. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* constants: remove CACERTJan Cholasta2016-11-2912-73/+70
| | | | | | | | | | CACERT depends on ipaplatform. Replace all uses of CACERT with paths.IPA_CA_CRT and remove CACERT. https://fedorahosted.org/freeipa/ticket/6474 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-03 06:31:32 +0000