Commit message | Author | Age | Files | Lines
...
* Fix ipa-replica-prepare's error message about missing local CA instance | Petr Spacek | 2016-08-05 | 1 | -7/+4
  ipa-replica-prepare must be run on a replica with CA or all the certs need to be provided (for CA-less case). The old messages were utterly confusing because they mixed errors about missing certs and missing local CA instance into one text.
  https://fedorahosted.org/freeipa/ticket/6134
  Reviewed-By: Martin Basti <mbasti@redhat.com>
  Reviewed-By: Ben Lipton <blipton@redhat.com>
* Fix ipa hbactest output | Florence Blanc-Renaud | 2016-08-04 | 1 | -1/+3
  ipa hbactest command produces a Traceback (TypeError: cannot concatenate 'str' and 'bool' objects)
  This happens because hbactest overrides output_for_cli but does not properly handle the output for 'value' field. 'value' contains a boolean but it should not be displayed (refer to ipalib/frontend.py, Command.output_for_cli()).
  Note that the issue did not appear before because the 'value' field had a flag no_display.
  https://fedorahosted.org/freeipa/ticket/6157
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Fixed incorrect return code assert | Oleg Fayans | 2016-08-04 | 1 | -1/+1
  The assert checked that the returncode of the replica uninstallation is zero where in fact the uninstallation was expected to fail with the certain error message
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* vault: add missing salt option to vault_mod | Jan Cholasta | 2016-08-04 | 1 | -1/+1
  The option was accidentally removed in commit 4b119e21a2f93ca16c5edf3d1058552b44feeaf8.
  https://fedorahosted.org/freeipa/ticket/6154
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* install: fix external CA cert validation | Jan Cholasta | 2016-08-04 | 1 | -1/+1
  The code which loads the external CA cert chain was never executed because of an incorrect usage of an iterator (iterating over it twice).
  https://fedorahosted.org/freeipa/ticket/6166
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* RedHatCAService should wait for local Dogtag instance | Christian Heimes | 2016-08-03 | 1 | -1/+2
  RedHatCAService.wait_until_running() uses dogtag.ca_status() to make a HTTP(s) request to Dogtag in order to check if /ca/admin/ca/getStatus returns OK. The ca_status() function defaults to api.env.ca_host as host.
  On a replica without CA ca_host is a remote host (e.g. master's FQDN). ipa-ca-install waits for master:8080 instead of replica:8080, which might be blocked by a firewall.
  https://fedorahosted.org/freeipa/ticket/6016
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* compat: Save server's API version in for pre-schema servers | David Kupka | 2016-08-03 | 4 | -94/+112
  When client communicates with server that doesn't support 'schema' command it needs to determine its api version to be able to use the right compat code. Storing information about server version reduces the need to call 'env' or 'ping' command only to first time the server is contacted.
  https://fedorahosted.org/freeipa/ticket/6069
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* help: Do not create instances to get information about commands and topics | David Kupka | 2016-08-03 | 2 | -9/+13
  Creating instance requires that complete schema for the command is read from schema cache and passed to constructor. This operation takes a lot of time. Utilizing class properties and pregenerated help bits allows to get the necessary information directly from classes reducing time it takes significantly.
  https://fedorahosted.org/freeipa/ticket/6048
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* schema: Generate bits for help load them on request | David Kupka | 2016-08-03 | 1 | -12/+42
  Store name, summary, topic_topic and exclude in single entry in cache for all commands. These data are needed for help and storing and loading them together allows fast help response.
  https://fedorahosted.org/freeipa/ticket/6048
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* schema: Introduce schema cache format | David Kupka | 2016-08-03 | 1 | -0/+10
  Information about schema cache format is stored in every cache item. When schema cache format changes in incompatible way format will be increased. When format stored in cache doesn't match currently used format the entry in cache is ignored.
  https://fedorahosted.org/freeipa/ticket/6048
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* frontend: Change doc, summary, topic and NO_CLI to class properties | David Kupka | 2016-08-03 | 7 | -47/+120
  Avoid need to instantiate all commands just to get information for displaying help.
  https://fedorahosted.org/freeipa/ticket/6048
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* schema: Speed up schema cache | David Kupka | 2016-08-03 | 1 | -124/+177
  Check presence of schema in cache (and download it if necessary) on __init__ instead of with each __getitem__ call. Prefill internal dictionary with empty record for each command to be able to quickly determine if requested command exist in schema or not. Rest of schema data are read from cache on first attempt to retrieve them.
  https://fedorahosted.org/freeipa/ticket/6048
  https://fedorahosted.org/freeipa/ticket/6069
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Increase default length of auto generated passwords | Martin Basti | 2016-08-03 | 5 | -9/+18
  Installer/IPA generates passwords for various purpose:
  * KRA
  * kerberos master key
  * NSSDB password
  * temporary passwords during installation
  Length of passwords should be increased to 22, ~128bits of entropy, to be safe nowadays.
  https://fedorahosted.org/freeipa/ticket/6116
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Fixed import error | Oleg Fayans | 2016-08-03 | 1 | -1/+1
  assert_error was lately transferred from test_caless.py to tasks.py, which started to cause import errors in replica promotion tests
  Reviewed-By: Martin Basti <mbasti@redhat.com>
* vault: Catch correct exception in decrypt | David Kupka | 2016-08-03 | 1 | -1/+1
  ValueError is raised when decryption fails.
  https://fedorahosted.org/freeipa/ticket/6160
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Correct path to HTTPD's systemd service directory | Christian Heimes | 2016-08-02 | 1 | -2/+2
  Ticket #5681 and commit 586fee293f42388510fa5436af19460bbe1fdec5 changed the location of the ipa.conf for Apache HTTPD. The variables SYSTEMD_SYSTEM_HTTPD_D_DIR and SYSTEMD_SYSTEM_HTTPD_IPA_CONF point to the wrong directory /etc/systemd/system/httpd.d/. The path is corrected to /etc/systemd/system/httpd.service.d/.
  https://fedorahosted.org/freeipa/ticket/6158
  https://bugzilla.redhat.com/show_bug.cgi?id=1362537
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
  Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
* Do not initialize API in ipa-client-automount uninstall | Martin Basti | 2016-08-01 | 1 | -3/+3
  API is not needed in uninstallation, it may only produce errors.
  https://fedorahosted.org/freeipa/ticket/6072
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* Tests: Remove has_keytab from list of expected keys of update command | Lenka Doudova | 2016-08-01 | 1 | -1/+1
  As part of https://fedorahosted.org/freeipa/ticket/5281, the has_keytab attribute was removed from results of service-mod command. Removing this attribute from list of expected keys to prevent failing tests.
  Ticket: https://fedorahosted.org/freeipa/ticket/6149
  Reviewed-By: Ganna Kaihorodova <gkaihoro@redhat.com>
* re-set canonical principal name on migrated users | Martin Babinsky | 2016-08-01 | 1 | -13/+28
  The migration procedure has been updated to re-set `krbcanonicalname` attribute on migrated users as well as `krbprincipalname` so that migration from FreeIPA versions supporting principal aliases does not break subsequent authentication of migrated users.
  https://fedorahosted.org/freeipa/ticket/6101
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* TEST: managing service certificates | tester | 2016-08-01 | 1 | -37/+124
  Part of: https://fedorahosted.org/freeipa/ticket/6064
  Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
* TEST: managing host certificates | tester | 2016-08-01 | 1 | -31/+125
  Part of: https://fedorahosted.org/freeipa/ticket/6064
  Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
* TEST: managing user certificates | tester | 2016-08-01 | 1 | -1/+110
  Part of: https://fedorahosted.org/freeipa/ticket/6064
  Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
* Add function which check whether the field is empty | Pavel Vomacka | 2016-08-01 | 1 | -0/+11
  Part of: https://fedorahosted.org/freeipa/ticket/6064
  Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
* Add possibility to choose parent element by css | tester | 2016-08-01 | 1 | -9/+34
  Part of: https://fedorahosted.org/freeipa/ticket/6064
  Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
* Tests: Removing manipulation with /etc/hosts file from integration tests | Lenka Doudova | 2016-08-01 | 1 | -19/+0
  Reviewed-By: Petr Spacek <pspacek@redhat.com>
  Reviewed-By: Oleg Fayans <ofayans@redhat.com>
* idrange: fix unassigned global variable | Martin Basti | 2016-07-29 | 1 | -0/+3
  Global variable '_dcerpc_bindings_installed' is in some cases used before assignment. This patch ensures that _dcerpc_bindings_installed is always initialized.
  https://fedorahosted.org/freeipa/ticket/6082
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* ipatests: Add kerberos principal alias tests | Milan Kubík | 2016-07-29 | 1 | -0/+290
  Add tests for alias manipulation, tests authentication and several error scenarios.
  https://fedorahosted.org/freeipa/ticket/6142
  https://fedorahosted.org/freeipa/ticket/6099
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipatests: Allow change_principal context manager to use canonicalization | Milan Kubík | 2016-07-29 | 1 | -2/+4
  The context manager has been extended to optionally request principal canonicalization and indicate that the enterprise principal is being used.
  This allows to change the user during the test to an user using the alias and to test behavior related to enterprise principals.
  https://fedorahosted.org/freeipa/ticket/6142
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipapython: Extend kinit_password to support principal canonicalization | Milan Kubík | 2016-07-29 | 1 | -1/+10
  In order to authenticate with a principal alias it is necessary to request canonicalization of the principal. This patch extends the kinit_password with this option.
  The option to indicate enterprise principal has been added as well.
  https://fedorahosted.org/freeipa/ticket/6142
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipatests: Move trust mock helper functions to a separate module | Milan Kubík | 2016-07-29 | 2 | -46/+47
  Moves helper functions used in range plugin test to a separate module to allow code reuse.
  https://fedorahosted.org/freeipa/ticket/6142
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipatests: Provide a context manager for mocking a trust in RPC tests | Milan Kubík | 2016-07-29 | 1 | -0/+52
  The new module contains utility functions and a context manager to make the mocking of an existing AD trust relation in the XMLRPC tests.
  The module provides with two functions that create and delete the containers for trusts and cifs domains. A context manager using these is provided as well.
  The user of the context manager is responsible for deleting all the LDAP entries created during the test within the context. If there are some entries left at the time of exiting the context manager, making the container entries non-leaf entries, the tests will fail.
  The context manager will not work when used on a server that already has trust established.
  https://fedorahosted.org/freeipa/ticket/6142
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipatests: Extend the MockLDAP utility class | Milan Kubík | 2016-07-29 | 1 | -0/+10
  Added mod_entry method to allow modifying existing entries via the ldap connection.
  The commit also implements the context manager protocol for the class.
  https://fedorahosted.org/freeipa/ticket/6142
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* ipatests: Add tracker class for kerberos principal aliases | Milan Kubík | 2016-07-29 | 4 | -6/+130
  The commit implements a mixin class providing capability to track and modify kerberos principal aliases on supported types of entries.
  The class using the mixin must inherit from the Tracker class and must provide the implementation of two methods:
  * _make_add_alias_cmd
  * _make_remove_alias_cmd
  These are used to get the type specific command for the particular entry class. The methods provided will not work on entries that do not have 'krbprincipalname' attribute.
  The service, host and user trackers are being extended to use this new mixin class.
  https://fedorahosted.org/freeipa/ticket/6142
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* replica-install: Fix --domain | Petr Spacek | 2016-07-29 | 2 | -8/+11
  Replica installation must not check existence of --domain - the domain must (logically) exist.
  https://fedorahosted.org/freeipa/ticket/6130
  Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* compat: fix ping call | Jan Cholasta | 2016-07-28 | 1 | -1/+1
  Copy & paste accident caused the ping command to be called with an unwanted argument, which results in an exception. Remove the argument to fix it.
  https://fedorahosted.org/freeipa/ticket/6129
* Minor fix in ipa-replica-manage MAN page | Abhijeet Kasurde | 2016-07-28 | 1 | -7/+7
  Fixes: https://fedorahosted.org/freeipa/ticket/6058
  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
  Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
* client: fix hiding of commands which lack server support | Jan Cholasta | 2016-07-28 | 3 | -6/+12
  Rather than checking the server counterpart's NO_CLI, which may be False even for commands supported on the server, check whether the server counterpart is a command defined on the server or a local placeholder.
  https://fedorahosted.org/freeipa/ticket/6089
  Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
* Revert "Enable vault-* commands on client" | Jan Cholasta | 2016-07-28 | 1 | -0/+16
  This reverts commit 9feeaca9fb552229638ce98086aa75905a45b48d.
  https://fedorahosted.org/freeipa/ticket/6089
  Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
* Remove full name from adding user to user group dialog | Pavel Vomacka | 2016-07-28 | 1 | -6/+1
  As the 'cn' is not in the response of user-show there is empty column in adder dialog. Therefore the column was removed.
  https://fedorahosted.org/freeipa/ticket/6055
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* harden the check for trust namespace overlap in new principals | Martin Babinsky | 2016-07-28 | 1 | -3/+7
  This check must handle the possibility of optional attributes (ipantadditionalsuffixes and ipantflatname) missing in the trusted domain entry.
  https://fedorahosted.org/freeipa/ticket/6099
  Reviewed-By: David Kupka <dkupka@redhat.com>
* Create indexes for krbCanonicalName attribute | Martin Babinsky | 2016-07-27 | 2 | -0/+17
  krbCanonicalName is for a long time among the attributes guarded by uniqueness plugins, but there was never an index for it. Now that the attribute is really used to store canonical principal names we need to add index for it to avoid performance regressions.
  https://fedorahosted.org/freeipa/ticket/6100
  Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
* Set default delete action name to 'delete' | Pavel Vomacka | 2016-07-27 | 1 | -3/+2
  Only specific delete actions will be explicitly set.
  Part of: https://fedorahosted.org/freeipa/ticket/6052
  Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
* Fix test which checks removing of user | Pavel Vomacka | 2016-07-27 | 1 | -1/+1
  The name of delete action is now 'delete_active_user' not just 'delete' therefore tests need to be fixed.
  https://fedorahosted.org/freeipa/ticket/6052
  Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
* Fix test_navigation tests | Pavel Vomacka | 2016-07-27 | 1 | -3/+3
  Some menu item names have changed. This commit sets the correct names.
  https://fedorahosted.org/freeipa/ticket/6053
  Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
* Remove navigation using breadcrumb menus | Pavel Vomacka | 2016-07-27 | 1 | -3/+1
  https://fedorahosted.org/freeipa/ticket/6054
  Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
* Close host adder dialog before showing 4304 dialog | Pavel Vomacka | 2016-07-27 | 1 | -0/+1
  The adder dialog window stayed opened but not visible. This patch closes it.
  https://fedorahosted.org/freeipa/ticket/6050
  Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
* baseldap: Fix MidairCollision instantiation during entry modification | Martin Babinsky | 2016-07-27 | 1 | -2/+2
  https://fedorahosted.org/freeipa/ticket/6097
  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* CI tests: fix SSSD log collecting | Martin Basti | 2016-07-26 | 2 | -3/+4
  Wildcard '*' has not been working for log collecting. I just set the whole SSSD log directory to be collected. tar utility is able to archive whole directories.
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* CI tests: improve log collecting | Martin Basti | 2016-07-26 | 2 | -14/+46
  We should collect as much as possible relevant logs to be able do better investigation from test automation
  Reviewed-By: David Kupka <dkupka@redhat.com>
  Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
* Fix several small typos | Ben Lipton | 2016-07-26 | 4 | -5/+6
  Fixes: https://fedorahosted.org/freeipa/ticket/6085
  Reviewed-By: Petr Spacek <pspacek@redhat.com>