summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Allow to install the KRA on a promoted servercustodiaSimo Sorce2015-10-209-152/+301
| | | | Signed-off-by: Simo Sorce <simo@redhat.com>
* Allow ipa-ca-install to use the new promotion codeSimo Sorce2015-10-202-41/+91
| | | | | | | This makes it possible to install a CA after-the-fact on a server that has been promoted (and has no replica file available). Signed-off-by: Simo Sorce <simo@redhat.com>
* CI: installation with customized DS configMartin Basti2015-10-152-5/+105
| | | | | | | | | | Test covers: https://fedorahosted.org/freeipa/ticket/4949 https://fedorahosted.org/freeipa/ticket/4048 https://fedorahosted.org/freeipa/ticket/1930 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Add option to specify LDIF file that contains DS configuration changesMartin Basti2015-10-156-15/+64
| | | | | | | | | | | | | This allows to user modify configuration changes of the directory server instance during installation of DS https://fedorahosted.org/freeipa/ticket/4949 Also fixes: https://fedorahosted.org/freeipa/ticket/4048 https://fedorahosted.org/freeipa/ticket/1930 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Add method to read changes from LDIFMartin Basti2015-10-151-0/+40
| | | | | | | | | | | | | | | | modifications_from_ldif will read LDIF file and changes in LDIF will be cached until parse() is called. After calling parse() method changes will be applied into destination LDIF. Only changetype modify is supported, the default operation is add. https://fedorahosted.org/freeipa/ticket/4949 Also fixes: https://fedorahosted.org/freeipa/ticket/4048 https://fedorahosted.org/freeipa/ticket/1930 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Make offline LDIF modify more robustMartin Basti2015-10-152-101/+109
| | | | | | | | | | | | | | * move code to installutils * add replace_value method * use lists instead of single values for add_value, remove_value methods https://fedorahosted.org/freeipa/ticket/4949 Also fixes: https://fedorahosted.org/freeipa/ticket/4048 https://fedorahosted.org/freeipa/ticket/1930 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Remove unused kra optionSimo Sorce2015-10-151-3/+0
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add low level helper to get domain levelSimo Sorce2015-10-151-0/+14
| | | | | | | | | This can be used only locally on an existing master (uses ldapi). Useful to check the domain_level in scripts before the api is initialized and/or credentials are available. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Make checks for existing credentials reusableSimo Sorce2015-10-152-73/+75
| | | | | | | move the in installutils so they can be reused by multiple scripts Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Allow to setup the CA when promoting a replicaSimo Sorce2015-10-156-62/+332
| | | | | | | | | This patch makes --setup-ca work to set upa clone CA while creating a new replica. The standalone ipa-ca-install script is not converted yet though. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* prevent operation on tombstonesLudwig Krispenz2015-10-154-1/+22
| | | | Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* handle multiple managed suffixesLudwig Krispenz2015-10-1510-51/+221
| | | | | | | | trigger topology updaet if suffix entry is added trigger topology update if managedSuffix is modified in host entry Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* topology plugin configuration workaroundPetr Vobornik2015-10-152-0/+2
| | | | | Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* enable topology plugin on upgradePetr Vobornik2015-10-153-0/+52
| | | | | Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* topology: manage ca replication agreementsPetr Vobornik2015-10-157-2/+64
| | | | | | | | | | | | | Configure IPA so that topology plugin will manage also CA replication agreements. upgrades if CA is congigured: - ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX - ipaReplTopoManagedSuffix: o=ipaca is added to master entry - binddngroup is added to o=ipaca replica entry Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add function to extract CA certs for installSimo Sorce2015-10-152-2/+61
| | | | | Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Allow ipa-replica-conncheck to use default credsSimo Sorce2015-10-153-43/+83
| | | | | | | | If the user has already run kinit try to use those credentials. The user can always override by explicitly passing the -p flag. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Change DNS installer code to use passed in apiSimo Sorce2015-10-153-57/+69
| | | | | | | | | Fixes a number of places where api was not passed around internally. Also allows to install dns in replica promotion which requires an alternative api to be created with the right configuration. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Implement replica promotion functionalitySimo Sorce2015-10-1514-58/+860
| | | | | | | | | | | | | | | | | | This patch implements a new flag --promote for the ipa-replica-install command that allows an administrative user to 'promote' an already joined client to become a full ipa server. The only credentials used are that of an administrator. This code relies on ipa-custodia being available on the peer master as well as a number of other patches to allow a computer account to request certificates for its services. Therefore this feature is marked to work only with domain level 1 and above servers. Ticket: https://fedorahosted.org/freeipa/ticket/2888 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Require a DS version that has working DNA pluginSimo Sorce2015-10-151-3/+3
| | | | | | | | The DNA plugin needed to be fixed to deal with replica binddn groups. Version 1.3.4.4 is needed for that. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Add ipa-custodia serviceSimo Sorce2015-10-1521-4/+763
| | | | | | | | | | Add a customized Custodia daemon and enable it after installation. Generates server keys and loads them in LDAP autonomously on install or update. Provides client code classes too. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* topology: add realm suffix to master entry on updatePetr Vobornik2015-10-151-0/+5
| | | | | | Realm suffix was set only during installation but not on update. Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* admintool: Add error message with path to log on failure.David Kupka2015-10-151-0/+4
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* tests: Add tests for idoverride object integrityTomas Babej2015-10-141-2/+173
| | | | | | | | | | | As far as IPA objects are concerned, ID overrides are supposed to be removed when the respective user/group is removed. Adds a couple of tests to ensure this behaviour is covered. https://fedorahosted.org/freeipa/ticket/5322 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* idoverride: Ignore ValidationErrors when converting the anchorTomas Babej2015-10-141-24/+33
| | | | | | | | | | | When converting the anchor to a human readable form, SID validation may fail, i.e. if the domain is no longer trusted. Ignore such cases and pass along the anchor in the raw format. https://fedorahosted.org/freeipa/ticket/5322 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* remove ID overrides when deleting a userMartin Babinsky2015-10-141-0/+6
| | | | | | | | patch fixes a regression introduced during user-del refactoring https://fedorahosted.org/freeipa/ticket/5365 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipa-adtrust-install: Print complete SRV recordsPetr Spacek2015-10-141-3/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/5358 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Fixes disappearing automember expressionsStanislav Laznicka2015-10-141-2/+3
| | | | | | https://fedorahosted.org/freeipa/ticket/5353 Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Replace tab with space in test_user_plugin.pyMartin Basti2015-10-141-2/+2
| | | | | | Mixing tabs and spaces is not allowed in python3 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Remove bind configuration detected questionGabe2015-10-132-11/+0
| | | | | | https://fedorahosted.org/freeipa/ticket/5351 Reviewed-By: Martin Basti <mbasti@redhat.com>
* vault: fix private service vault creationJan Cholasta2015-10-132-3/+4
| | | | | | https://fedorahosted.org/freeipa/ticket/5361 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* ipaldap: Remove extraneous `long` (included in six.int_types)Petr Viktorin2015-10-131-1/+1
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Alias long to int under Python 3Petr Viktorin2015-10-133-0/+7
| | | | | | In py3, the two types are unified under the name "int". Reviewed-By: Tomas Babej <tbabej@redhat.com>
* rpc: Name argument to KerberosErrorPetr Viktorin2015-10-131-1/+1
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipalib.parameters: Require bytes for Bytes.patternPetr Viktorin2015-10-132-2/+4
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipalib.parameters: Handle 0-prefixed octal format of intsPetr Viktorin2015-10-132-0/+4
| | | | | | | | | | In Python 2, numbers prfixed with '0' are parsed as octal, e.g. '020' -> 16. In Python 3, the prefix is '0o'. Handle the old syntax for IPA's parameter conversion to keep backwards compatibility. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_keyring: Use str(e) instead of e.message for exceptionsPetr Viktorin2015-10-131-1/+1
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Add `message` property to IPA's errors and warnings under Python 3Petr Viktorin2015-10-131-0/+12
| | | | | | | | Python 3 removes the "message" attribute from exceptions, in favor of just calling str(). Add it back for IPA's own exception types. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* ipalib.aci: Port to Python 3Petr Viktorin2015-10-133-14/+16
| | | | | | | | | - Don't encode under Python 3, where shlex would choke on bytes - Sort the attrs dictionary in export_to_string, so the tests are deterministic. (The iteration order of dicts was always unspecified, but was always the same in practice under CPython 2.) Reviewed-By: Tomas Babej <tbabej@redhat.com>
* test_ipalib.test_frontend: Port unbound method tests to Python 3Petr Viktorin2015-10-131-4/+16
| | | | | | | Python 3 uses plain function objects instead of unbound methods. So, what was Class.method.__func__ is now just Class.method. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Rename caught exception for use outside the except: block.Petr Viktorin2015-10-132-6/+4
| | | | | | | | | | | | | | In Python 3, the variable with the currently handled exception is unset at the end of the except block. (This is done to break reference cycles, since exception instances now carry tracebacks, which contain all locals.) Fix this in baseldap's error handler. Use a simpler structure for the ipatests.raises utility that only uses the exception inside the except block. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* x509: Port to Python 3Petr Viktorin2015-10-132-16/+14
| | | | | | | | | | | | In python 3 , `bytes` has the buffer interface, and `buffer` was removed. Also, invalid padding in base64-encoded data raises a ValueError rather than TypeError. In tests, use pytest.assert_raises for more correct exception assertions. Also, get rid of unused imports in the tests Reviewed-By: Tomas Babej <tbabej@redhat.com>
* Do not compare types that are not comparable in Python 3Petr Viktorin2015-10-133-6/+12
| | | | | | | | | | In Python 3, different types are generally not comparable (except for equality), and None can't be compared to None. Fix cases of these comparisons. In ipatest.util, give up on sorting lists if the sorting raises a TypeError. Reviewed-By: Tomas Babej <tbabej@redhat.com>
* comment: Add Documentation string to deduplicate functionDavid Kupka2015-10-131-0/+3
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* The delegation uris are not set, match message to code.Jan Pazdziora2015-10-131-1/+1
| | | | Reviewed-By: Tomas Babej <tbabej@redhat.com>
* CI Test: add setup_kra options into install scriptsMartin Basti2015-10-122-11/+27
| | | | | | https://fedorahosted.org/freeipa/ticket/5302 Reviewed-By: Milan Kubik <mkubik@redhat.com>
* upgrade: make sure ldap2 is connected in export_kra_agent_pemJan Cholasta2015-10-121-0/+7
| | | | | | https://fedorahosted.org/freeipa/ticket/5360 Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
* schema: do not derive ipaVaultPublicKey from ipaPublicKeyJan Cholasta2015-10-121-1/+2
| | | | | | | | | This is a workaround for DS bug: https://bugzilla.redhat.com/show_bug.cgi?id=1267782 https://fedorahosted.org/freeipa/ticket/5359 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* CI TEST: VaultMartin Basti2015-10-121-0/+205
| | | | | | | | Simple CI test for vault feature, including testing with replica Covers https://fedorahosted.org/freeipa/ticket/5302 Reviewed-By: Milan Kubik <mkubik@redhat.com>
* tests: Amend result assertions in realmdomains testsTomas Babej2015-10-121-8/+68
| | | | | | | | | | * Nonexistent domains have to be added/deleted with force * Warning messages are emitted * Some error messages have been altered https://fedorahosted.org/freeipa/ticket/5278 Reviewed-By: Martin Basti <mbasti@redhat.com>
generated by cgit (git 2.34.1) at 2025-09-01 09:14:48 +0000