* Enable LDAPS in replica promotion (Tomas Krizek, 2016-08-30, 1 file changed, -0/+1)
  With CA-less master and CA-less replica, attempting to install CA on replica would fail. LDAPS has to be enabled during replica promotion, because it is required by Dogtag.
  https://fedorahosted.org/freeipa/ticket/6226
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Don't ignore --ignore-last-of-role for last CA (Stanislav Laznicka, 2016-08-29, 1 file changed, -3/+4)
  Use a handler created for the purpose of deciding whether to raise exception or not.
  https://fedorahosted.org/freeipa/ticket/6259
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* Tests: Failing tests in test_ipalib/test_plugable (Lenka Doudova, 2016-08-29, 1 file changed, -3/+2)
  Tests test_Registry and test_API are failing, both due to changes made during thin client implementation. Partial fix for [1], complete fix for [2].
  [1] https://fedorahosted.org/freeipa/ticket/6191
  [2] https://fedorahosted.org/freeipa/ticket/6186
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Tests: Failing test_ipaserver/test_ldap test (Lenka Doudova, 2016-08-29, 1 file changed, -6/+0)
  Plugins are being imported in the test_ldap/test_Backend test, which is no longer valid due to changes made during thin client implementation. Plugins are imported automatically and explicit imports make tests fail because of the duplicity.
  https://fedorahosted.org/freeipa/ticket/6194
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Tests: Failing test_ipalib/test_rpc (Lenka Doudova, 2016-08-29, 1 file changed, -8/+0)
  Due to thin client implementation a part of the original test is no longer valid and causes the test to fail.
  https://fedorahosted.org/freeipa/ticket/6192
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* otptoken, permission: Convert custom type parameters on server (David Kupka, 2016-08-29, 2 files changed, -0/+4)
  Force client to send the value of ipatokenotpkey and ipapermlocation as entered by user.
  https://fedorahosted.org/freeipa/ticket/6247
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* custodia: include known CA certs in the PKCS#12 file for Dogtag (Jan Cholasta, 2016-08-26, 1 file changed, -0/+6)
  This fixes CA replica install in a topology upgraded from CA-less to CA-full.
  https://fedorahosted.org/freeipa/ticket/6207
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Added a sleep interval after domainlevel raise in tests (Oleg Fayans, 2016-08-26, 1 file changed, -1/+4)
  Due to race conditions the test sometimes catches 2 one-way segments instead of one bidirectional. We need to give the master time to merge the one-way segments before we test the output.
  https://fedorahosted.org/freeipa/ticket/6265
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* cert-show: show subject alternative names (Fraser Tweedale, 2016-08-26, 1 file changed, -3/+126)
  Enhance the cert-show command to return subject alternative name values.
  Fixes: https://fedorahosted.org/freeipa/ticket/6022
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* x509: include otherName DER value in GeneralNameInfo (Fraser Tweedale, 2016-08-26, 2 files changed, -5/+10)
  We want to include the whole DER value when we pretty-print unrecognised otherNames, so add a field to the GeneralNameInfo namedtuple and populate it for otherNames.
  Part of: https://fedorahosted.org/freeipa/ticket/6022
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* x509: use NSS enums and OIDs to identify SAN types (Fraser Tweedale, 2016-08-26, 2 files changed, -16/+33)
  GeneralName parsing currently relies heavily on strings from NSS. Make the code hopefully less brittle by identifying GeneralName types by NSS enums and, for otherName, the name-type OID also.
  Part of: https://fedorahosted.org/freeipa/ticket/6022
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* x509: fix SAN directoryName parsing (Fraser Tweedale, 2016-08-26, 1 file changed, -3/+9)
  The subjectAltName extension parsing code in ipalib.x509 fails on directoryName values because the Choice structure is not endowed with an inner type. Implement the Name structure, whose inner type is a CHOICE { SEQUENCE OF RelativeDistinguishedName }, to resolve. Note that the structure still does not get fully parsed; only enough to recognise the SequenceOf tag and not fail.
  Part of: https://fedorahosted.org/freeipa/ticket/6022
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Move GeneralName parsing code to ipalib.x509 (Fraser Tweedale, 2016-08-26, 3 files changed, -95/+120)
  GeneralName parsing code is primarily relevant to X.509. An upcoming change will add SAN parsing to the cert-show command, so first move the GeneralName parsing code from ipalib.pkcs10 to ipalib.x509.
  Part of: https://fedorahosted.org/freeipa/ticket/6022
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Fixed incorrect sequence of method calls in tasks.py (Oleg Fayans, 2016-08-25, 1 file changed, -1/+1)
  https://fedorahosted.org/freeipa/ticket/6255
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* support multiple uid values in schema compatibility tree (Alexander Bokovoy, 2016-08-25, 2 files changed, -1/+7)
  https://fedorahosted.org/freeipa/ticket/6138
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Fix ipa-server-install in pure IPv6 environment (Tomas Krizek, 2016-08-25, 1 file changed, -0/+4)
  Installation in a pure IPv6 environment failed because pki-tomcat tried to use the IPv4 loopback. Configuring tomcat to use the IPv6 loopback instead of IPv4 fixes this issue.
  https://fedorahosted.org/freeipa/ticket/4291
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Require httpd 2.4.6-31 with mod_proxy Unix socket support (Christian Heimes, 2016-08-24, 1 file changed, -2/+2)
  httpd 2.4.6-6 does not support mod_proxy ProxyPass for Unix sockets. The feature is provided by 2.4.7 upstream and was backported to 2.4.6-31 (bz1168081). It's required to proxy Custodia.
  https://bugzilla.redhat.com/show_bug.cgi?id=1168081
  https://httpd.apache.org/docs/trunk/mod/mod_proxy.html#proxypass
  https://fedorahosted.org/freeipa/ticket/6251
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Secure permissions of Custodia server.keys (Christian Heimes, 2016-08-24, 2 files changed, -1/+9)
  Custodia's server.keys file contains the private RSA keys for encrypting and signing Custodia messages. The file was created with permission 644 and is only secured by permission 700 of the directory /etc/ipa/custodia. The installer and upgrader ensure that the file has 600.
  https://bugzilla.redhat.com/show_bug.cgi?id=1353936
  https://fedorahosted.org/freeipa/ticket/6056
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Tests: Service tracker and tests don't recognize 'ipakrboktoauthasdelegate' attribute (Lenka Doudova, 2016-08-24, 2 files changed, -2/+5)
  Due to [1] being implemented, retrieve and search tests with --all option specified fail due to extra attribute.
  [1] https://fedorahosted.org/freeipa/ticket/5764
  Ticket: https://fedorahosted.org/freeipa/ticket/6240
  Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
* Tests: Host tracker does not recognize 'ipakrboktoauthasdelegate' attribute (Lenka Doudova, 2016-08-24, 1 file changed, -1/+2)
  Due to [1] being implemented, retrieve and search tests with --all option specified fail due to extra attribute.
  [1] https://fedorahosted.org/freeipa/ticket/5764
  Ticket: https://fedorahosted.org/freeipa/ticket/6240
  Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
* Handled empty hostname in server-del command (Abhijeet Kasurde, 2016-08-24, 1 file changed, -2/+6)
  Fixes: https://fedorahosted.org/freeipa/ticket/6248
  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Validate key in otptoken-add (Tomas Krizek, 2016-08-24, 1 file changed, -0/+4)
  Verify that key is not empty when adding otp token. If it is empty, raise an appropriate error.
  https://fedorahosted.org/freeipa/ticket/6200
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove Custodia server keys from LDAP (Christian Heimes, 2016-08-24, 2 files changed, -0/+30)
  The server-del plugin now removes the Custodia keys for encryption and key signing from LDAP.
  https://fedorahosted.org/freeipa/ticket/6015
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Tests: ID views tests do not recognize krbcanonicalname attribute (Lenka Doudova, 2016-08-24, 1 file changed, -0/+8)
  https://fedorahosted.org/freeipa/ticket/6242
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Removed unwanted line break from RefererError Dialog message (Abhijeet Kasurde, 2016-08-23, 1 file changed, -1/+1)
  Fixes: https://fedorahosted.org/freeipa/ticket/5932
  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Tests: Duplicate declaration on variables in ID views tests (Lenka Doudova, 2016-08-23, 1 file changed, -5/+0)
  In ipatests/test_xmlrpc/test_idviews_plugin several variables are declared twice, while never using the first declaration. The duplicate declaration is hereby removed.
  https://fedorahosted.org/freeipa/ticket/6246
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fix man page ipa-replica-manage: remove duplicate -c option from --no-lookup (Petr Spacek, 2016-08-22, 1 file changed, -3/+3)
  https://fedorahosted.org/freeipa/ticket/6233
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* tests: fix test_ipalib.test_frontend.test_Object (Jan Cholasta, 2016-08-22, 1 file changed, -3/+9)
  Update the fake API object to match the real API object interface including the changes introduced with the API compatibility feature.
  https://fedorahosted.org/freeipa/ticket/6188
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* add python-libsss_nss_idmap and python-sss to BuildRequires (Martin Babinsky, 2016-08-22, 1 file changed, -0/+2)
  This fixes pylint failing on import errors during 'lint' phase of build.
  https://fedorahosted.org/freeipa/ticket/6244
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* migrate-ds: Mention --enable-migration in error message about migration mode (Petr Spacek, 2016-08-22, 1 file changed, -1/+2)
  https://fedorahosted.org/freeipa/ticket/6234
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* config-mod: normalize attribute names for --usersearch/--groupsearch (Petr Spacek, 2016-08-22, 2 files changed, -3/+38)
  https://fedorahosted.org/freeipa/ticket/6236
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Corrected minor spell check in AD Trust information doc messages (Abhijeet Kasurde, 2016-08-22, 5 files changed, -5/+5)
  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Tests: ID views tests do not recognize ipakrboktoauthasdelegate attribute (Lenka Doudova, 2016-08-22, 1 file changed, -0/+7)
  Due to implementation of [1], new attribute 'ipakrboktoauthasdelegate' was presented, but is not recognized by ID views tests, thus causing them to fail.
  [1] https://fedorahosted.org/freeipa/ticket/5764
  https://fedorahosted.org/freeipa/ticket/6241
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipa-kdb: simplify trusted domain parent search (Alexander Bokovoy, 2016-08-22, 1 file changed, -13/+14)
  In terms of cross-forest trust, the parent domain is the root domain of the forest because we only have trust established with the forest root. In the FreeIPA LDAP store all sub-domains are stored in the cn=<forest root>,cn=ad,cn=trusts,... subtree. Thus, the first RDN after cn=ad is the forest root domain. This allows us to simplify the logic of finding the parent domain. For complex hierarchical forests with more than two levels of sub-domains, this will still be true because of the forest trust: as forest trust is established to the forest root domain, any communication to any sub-domain must traverse the forest root domain's domain controller.
  Note that SSSD also generated incorrect CA paths information for forests with non-hierarchical tree-roots. In such cases IPA KDC got confused and mistakenly assumed direct trust to the non-hierarchical tree-root instead of going through the forest root domain. See https://fedorahosted.org/sssd/ticket/3103 for details.
  Resolves: https://fedorahosted.org/freeipa/ticket/5738
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* trust: make sure ID range is created for the child domain even if it exists (Alexander Bokovoy, 2016-08-22, 2 files changed, -4/+8)
  ID ranges for child domains of a forest trust were created incorrectly in FreeIPA 4.4.0 due to refactoring of -- if the domain was already existing, we never attempted to create the ID range for it. At the same time, when the domain was missing, we attempted to add the ID range and passed both forest root and child domain names to add_range(). However, add_range() only looks at the first positional argument, which was the forest root name. That ID range always exists (it is created before child domains are processed).
  Modify the code to make sure the child domain name is passed as the first positional argument.
  In addition, the oddjob helper should explicitly set context='server' so that idrange code will be able to see and use ipaserver/dcerpc.py helpers.
  Resolves: https://fedorahosted.org/freeipa/ticket/5738
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* trust: make sure external trust topology is correctly rendered (Alexander Bokovoy, 2016-08-22, 2 files changed, -12/+18)
  When external trust is established, it is by definition non-transitive: it is not possible to obtain Kerberos tickets to any service outside the trusted domain. Reflect this reality by only accepting UPN suffixes from the external trust -- since the trusted domain is a part of another forest and UPN suffixes are forest-wide, there could be user accounts in the trusted domain that use a forest-wide UPN suffix, but it will be impossible to reach the forest root via the externally trusted domain.
  Also, an argument to netr_DsRGetForestTrustInformation() has to be either the forest root domain name or None (NULL). Otherwise we'll get an error as explained in MS-NRPC 3.5.4.7.5.
  https://fedorahosted.org/freeipa/ticket/6021
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* trust: automatically resolve DNS trust conflicts for triangle trusts (Alexander Bokovoy, 2016-08-22, 2 files changed, -29/+220)
  For a configuration where:
  - AD example.com trusts IPA at ipa.example.com
  - AD example.org trusts AD example.com
  - a trust is tried to be established between ipa.example.com and example.org,
  there will be a trust topology conflict detected by the example.org domain controller because the ipa.example.com DNS namespace overlaps with the example.com DNS namespace. This type of trust topology conflict is documented in MS-ADTS 6.1.6.9.3.2 "Building Well-Formed msDS-TrustForestTrustInfo Message".
  A similar conflict can arise for SID and NetBIOS namespaces. However, unlike SID and NetBIOS namespaces, we can solve the DNS namespace conflict automatically if administrative credentials for example.org are available.
  A manual sequence to solve the DNS namespace conflict is described in https://msdn.microsoft.com/it-it/library/cc786254%28v=ws.10%29.aspx. This sequence boils down to the following steps:
  1. As an administrator of example.org, you need to add an exclusion entry for ipa.example.com in the properties of the trust to example.com
  2. Establish trust between ipa.example.com and example.org
  It is important to add the exclusion entry before step 4 or there will be a conflict recorded which cannot be cleared easily right now due to a combination of bugs in both IPA and Active Directory.
  This patchset implements an automated solution for the case when we have access to the example.org administrator credentials:
  1. Attempt to establish trust and update trust topology information.
  2. If a trust topology conflict is detected as a result of (1):
     2.1. Fetch trust topology information for the conflicting forest trust
     2.2. Add an exclusion entry for our domain to the trust topology obtained in (2.1)
     2.3. Update trust topology for the conflicting forest trust
  3. Re-establish trust between ipa.example.com and example.org
  We cannot do the same for shared secret trust and for external trust, though:
  1. For shared secret trust we don't have administrative credentials in the forest reporting the conflict
  2. For the external trust we cannot set topology information due to MS-LSAD 3.1.4.7.16 because external trust is non-transitive by definition and thus setting topology information will fail.
  To test this logic one can use two Samba AD forests with FreeIPA using a sub-domain of one of them.
  Fixes: https://fedorahosted.org/freeipa/ticket/6076
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipaserver/dcerpc: reformat to make the code closer to pep8 (Alexander Bokovoy, 2016-08-22, 1 file changed, -175/+298)
  Because Samba Python bindings provide long-named methods and constants, sometimes it is impossible to fit into 80 columns without damaging the readability of the code. This patchset attempts to reduce pep8 complaints to a minimum.
  https://fedorahosted.org/freeipa/ticket/6076
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* adtrust-install: Mention AD GC port 3286 in list of required ports. (Petr Spacek, 2016-08-22, 2 files changed, -0/+3)
  Port name "msft-gc" is taken from the /etc/services file provided by package setup-2.10.1-1.fc24.noarch.
  https://fedorahosted.org/freeipa/ticket/6235
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* cert-revoke: fix permission check bypass (CVE-2016-5404) (Fraser Tweedale, 2016-08-22, 1 file changed, -28/+32)
  The 'cert_revoke' command checks the 'revoke certificate' permission; however, if an ACIError is raised, it then invokes the 'cert_show' command. The rationale was to re-use a "host manages certificate" check that is part of the 'cert_show' command; however, it is sufficient that 'cert_show' executes successfully for 'cert_revoke' to recover from the ACIError and continue. Therefore, anyone with 'retrieve certificate' permission can revoke *any* certificate and cause various kinds of DoS.
  Fix the problem by extracting the "host manages certificate" check to its own method and explicitly calling it from 'cert_revoke'.
  Fixes: https://fedorahosted.org/freeipa/ticket/6232
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* support schema files from third-party plugins (Alexander Bokovoy, 2016-08-19, 8 files changed, -2/+54)
  Allow the upgrade process to include schema files from third-party plugins installed in /usr/share/ipa/schema.d/*.schema. The directory /usr/share/ipa/schema.d is owned by the server-common subpackage and therefore third-party plugins should depend on the freeipa-server-common (ipa-server-common) package in their package dependencies.
  Resolves: https://fedorahosted.org/freeipa/ticket/5864
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Remove forgotten print from DN.__str__ implementation (Martin Basti, 2016-08-19, 1 file changed, -6/+1)
  These debug prints were forgotten there and should be removed, because str(DN) is a frequent operation and we may save time on handling exceptions and printing unwanted debug output.
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Fix: container owner should be able to add vault (Martin Basti, 2016-08-18, 1 file changed, -1/+1)
  With a recent change in DS (CVE fix), DS is not returning a DuplicatedEntry error in case the user is not permitted by ACI to write, but ACIError instead. It is safe to ignore the ACI error in the container, because it will be raised again later if the user has no access to the container.
  https://fedorahosted.org/freeipa/ticket/6159
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* schema cache: Fallback to 'en_us' when locale is not available (David Kupka, 2016-08-18, 1 file changed, -3/+9)
  https://fedorahosted.org/freeipa/ticket/6204
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Tests: Fix failing tests in test_ipalib/test_frontend (Lenka Doudova, 2016-08-17, 2 files changed, -7/+7)
  Some tests in ipatests/test_ipalib/test_frontend.py are failing due to changes related to thin client implementation. Providing fix for:
  ipa.test_ipalib.test_frontend.test_Attribute.test_init
  ipa.test_ipalib.test_frontend.test_LocalOrRemote.test_run
  https://fedorahosted.org/freeipa/ticket/6188
  Reviewed-By: Milan Kubik <mkubik@redhat.com>
* Tests: Fix failing tests in test_ipalib/test_parameters (Lenka Doudova, 2016-08-17, 1 file changed, -17/+20)
  Some of the tests are failing due to changes introduced because of the thin client feature.
  https://fedorahosted.org/freeipa/ticket/6187
  https://fedorahosted.org/freeipa/ticket/6224
  Reviewed-By: Milan Kubik <mkubik@redhat.com>
* Added new authentication method (Tiboris, 2016-08-17, 2 files changed, -5/+18)
  Addressing ticket https://fedorahosted.org/freeipa/ticket/5764
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* Add 'trusted to auth as user' checkbox (Pavel Vomacka, 2016-08-17, 2 files changed, -0/+10)
  Add new checkbox to host and service details page.
  Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* service: add flag to allow S4U2Self (Alexander Bokovoy, 2016-08-17, 3 files changed, -6/+17)
  Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764
  Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
* server install: do not prompt for cert file PIN repeatedly (Jan Cholasta, 2016-08-17, 3 files changed, -7/+8)
  Prompt for PIN only once in interactive mode. This fixes ipa-server-install, ipa-server-certinstall and ipa-replica-prepare prompting over and over when the PIN is empty.
  https://fedorahosted.org/freeipa/ticket/6032
  Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>