Ipa 4 4 #100
Redirect bash error output to prevent displaying error messages in bash completion for ipa command. https://fedorahosted.org/freeipa/ticket/6273 Reviewed-By: David Kupka <dkupka@redhat.com>
Prior to Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls performed against non-root forest domain DCs were automatically routed to the root domain DCs to resolve trust topology information. This is no longer the case, so the `dcerpc.fetch_domains` function must explicitly contact root domain DCs even in the case when an external two-way trust to a non-root domain is requested. https://fedorahosted.org/freeipa/ticket/6057 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This allows for re-use of this method in cases where the caller cannot or does not wish to instantiate a local Samba domain to retrieve information about remote ones. https://fedorahosted.org/freeipa/ticket/6057 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Prior to Windows Server 2012R2, the `netr_DsRGetForestTrustInformation` calls performed against non-root forest domain DCs were automatically routed to the root domain DCs to resolve trust topology information. This is no longer the case, so the `com.redhat.idm.trust-fetch-domains` oddjob helper used to establish one-way trusts needs to explicitly contact root domain DCs even in the case when an external trust to a non-root domain is requested. https://fedorahosted.org/freeipa/ticket/6057 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
https://fedorahosted.org/freeipa/ticket/6190 Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Fixes the CLI not to always call the default version of a command even when the version was explicitly specified. https://fedorahosted.org/freeipa/ticket/6279 Reviewed-By: Martin Basti <mbasti@redhat.com>
jwcrypto's RSA1-5 (PKCS#1 v1.5) is vulnerable to padding oracle side-channel attacks. OAEP (PKCS#1 v2.0) is a safe, more modern alternative. https://fedorahosted.org/freeipa/ticket/6278 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
Use super for proper handling of exceptions. The msg property was added for compatibility with the current code. https://fedorahosted.org/freeipa/ticket/6294 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
In a CA-less installation, ipa-certupdate fails with the error message:

$ ipa-certupdate
trying https://vm-180.abc.idm.lab.eng.brq.redhat.com/ipa/session/json
Forwarding 'ca_is_enabled' to json server 'https://vm-180.abc.idm.lab.eng.brq.redhat.com/ipa/session/json'
Forwarding 'ca_find/1' to json server 'https://vm-180.abc.idm.lab.eng.brq.redhat.com/ipa/session/json'
CA is not configured
The ipa-certupdate command failed.

The issue happens because ipa-certupdate tries to call ca_find even on a CA-less deployment. The fix skips the call to ca_find in this case. https://fedorahosted.org/freeipa/ticket/6288 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Add Certmonger tracking requests for lightweight CAs on replica installation. As part of this change, extract most of the lightweight CA tracking code out of ipa-certupdate and into cainstance. Fixes: https://fedorahosted.org/freeipa/ticket/6019 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When dnsrecord_add is called without options in interactive mode, it prompts the user to enter a record type. The record type is expected to be upper case further in the code, which causes non-upper-case values not to work correctly. Fix this issue by upper-casing the value after it is read. https://fedorahosted.org/freeipa/ticket/6203 Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix the code which determines if a record part is required and thus should be prompted not to wrongfully consider all record parts to be optional. https://fedorahosted.org/freeipa/ticket/6203 Reviewed-By: Martin Basti <mbasti@redhat.com>
Add a client-side fallback of the dnsrecord_split_parts command for old servers to avoid CommandError in dnsrecord_add and dnsrecord_mod CLI interactive mode. https://fedorahosted.org/freeipa/ticket/6203 Reviewed-By: Martin Basti <mbasti@redhat.com>
https://fedorahosted.org/freeipa/ticket/6294 Reviewed-By: Martin Basti <mbasti@redhat.com>
Cache CommandError answer to schema command to avoid sending the command to pre-schema servers every time. This information expires after some time (1 hour) in order to start using schema as soon as the server is upgraded. https://fedorahosted.org/freeipa/ticket/6095 Signed-off-by: Jan Cholasta <jcholast@redhat.com> Signed-off-by: David Kupka <dkupka@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Link-local addresses received from netifaces contain a '%suffix' that causes a parse error in the IPNetwork class. We must remove the %suffix before it is used in IPNetwork objects. https://fedorahosted.org/freeipa/ticket/6296 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Sometimes the entity_show command must be called with options which are gathered from the result of the entity_find command. These options need to be passed as arguments in the URL which points to the details page. This functionality is implemented in the table facet. There is a new property 'additional_navigation_arguments' which is prepared for an array of attributes which will be passed to the URL. Part of: https://fedorahosted.org/freeipa/ticket/6238 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
The cert-show command needs to be called with the cacn option. The cacn option is passed using a URL attribute. https://fedorahosted.org/freeipa/ticket/6238 Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Also the same for removing certificate hold. https://fedorahosted.org/freeipa/ticket/6216 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
We soon plan to revoke certificates upon lightweight CA deletion. This makes it important to provide a way to prevent a CA from issuing certificates whilst not deleting and revoking it, and continuing to allow management of issued certs. This commit adds the ca-disable and ca-enable commands. Fixes: https://fedorahosted.org/freeipa/ticket/6257 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Always return the cert specified in --certificate in cert-find result, even when the cert is not found in LDAP. https://fedorahosted.org/freeipa/ticket/6304 Reviewed-By: David Kupka <dkupka@redhat.com>
Currently the Dogtag RestClient '_ssldo' method requires a session cookie unconditionally, however, not all REST methods require a session: some do not require authentication at all, and some will authenticate the agent on the fly. To avoid unnecessary login/logout requests via the context manager, add the 'use_session' keyword argument to '_ssldo'. It defaults to 'True' to preserve existing behaviour (session required) but a caller can set to 'False' to avoid the requirement. Part of: https://fedorahosted.org/freeipa/ticket/6260 Part of: https://fedorahosted.org/freeipa/ticket/3473 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Currently, HTTP requests that respond with status not in the 2xx range raise RemoteRetrieveError. The exception includes no information about the response status. Add the 'HTTPRequestError' class which extends 'RemoteRequestError' with an attribute for the response status, and update the Dogtag RestClient to raise the new error. Part of: https://fedorahosted.org/freeipa/ticket/6260 Part of: https://fedorahosted.org/freeipa/ticket/3473 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The Dogtag REST API gives better responses statuses than the RPC API and properly reports failure due to disabled CA (status 409). Make 'ra' extend 'RestClient' and refactor the 'request_certificate' method to use Dogtag's REST API. Part of: https://fedorahosted.org/freeipa/ticket/6260 Part of: https://fedorahosted.org/freeipa/ticket/3473 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Detect when cert-request returns HTTP 409, which indicates that the target CA is disabled - a valid scenario - and raise CertificateOperationError with a friendly message instead of HTTPRequestError. Fixes: https://fedorahosted.org/freeipa/ticket/6260 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Revocation of host/service certs on host/service deletion or other operations is broken when cert is issued by a lightweight (sub)CA, causing the delete operation to be aborted. Look up the issuing CA and pass it to 'cert_revoke' to fix the issue. Fixes: https://fedorahosted.org/freeipa/ticket/6221 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Currently cloud environments heavily use prefix /32 (/128), which makes IPA validators fail. IPA should not care if an IP address is a network address or not. This commit allows usage of network addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer
https://fedorahosted.org/freeipa/ticket/5814 Reviewed-By: David Kupka <dkupka@redhat.com>
Currently environments may use prefix /31 on point-to-point connections, which makes IPA validators fail. IPA should not care if an IP address is a broadcast address or not. In some cases (when the prefix is not specified) IPA cannot decide properly if a broadcast address is really a broadcast address. This commit allows usage of broadcast addresses in:
* host plugin
* dns plugin
* server-installer
* client-installer
https://fedorahosted.org/freeipa/ticket/5814 Reviewed-By: David Kupka <dkupka@redhat.com>
There is no reason (RFC) why we should prevent users from adding multicast addresses to A/AAAA records. https://fedorahosted.org/freeipa/ticket/5814 Reviewed-By: David Kupka <dkupka@redhat.com>
https://fedorahosted.org/freeipa/ticket/5814 Reviewed-By: David Kupka <dkupka@redhat.com>
Also moving activate_action method several lines up - correcting logical order of methods. https://fedorahosted.org/freeipa/ticket/5818 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
https://fedorahosted.org/freeipa/ticket/6203 Reviewed-By: Lenka Doudova <ldoudova@redhat.com>
The fix for 6288 was overwritten by commit 08b7683. https://fedorahosted.org/freeipa/ticket/6288 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
…om DN DNs for netgroup entries can contain either 'cn' or 'ipauniqueid' attribute in their leaf RDN depending on their origin. Since 'cn' is the primary key, we can return it in `get_primary_key_from_dn` right away and avoid any extraneous LDAP search. https://fedorahosted.org/freeipa/ticket/5855 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
In integration trust tests some values are checked using regular expressions. Some of these expressions from recently added coverage have minor mistakes which causes the comparisons to fail. Providing fix for these regular expressions. https://fedorahosted.org/freeipa/ticket/6285 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Trust tests fail if they are executed after external trust tests. This is caused by missing cleanup. Providing cleanup that would enable correct execution of the tests regardless of their order. https://fedorahosted.org/freeipa/ticket/6306 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Test ipatests/test_ipaserver/test_ldap::test_Backend fails claiming service cannot be found. Fixing this by not using api with in_tree parameter. https://fedorahosted.org/freeipa/ticket/6312 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Fix a regression in recent change to request cert via Dogtag REST API. 'ra.request_certificate' was no longer raising CertificateOperationError when the cert request failed. Inspect the request result to determine if the request completed, and raise if it did not. Fixes: https://fedorahosted.org/freeipa/ticket/6309 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The server installation in most cases returns response code 0 no matter what happens, except for really severe errors. In this case, when we try to uninstall the middle replica of a line topology, it fails, notifies us that we should use '--ignore-topology-disconnect', but returns 0. https://fedorahosted.org/freeipa/ticket/6300 Reviewed-By: Martin Basti <mbasti@redhat.com>
In test_one_command_installation the ipa-replica-install was missing the '--server' and '-U' options, which resulted in a false negative result. In test_client_enrollment_by_unprivileged_user the '--server' option was missing. test_replica_promotion_after_adding_to_admin_group lacked the '-U' option. It led to 3 failed cases. https://fedorahosted.org/freeipa/ticket/6301 Reviewed-By: Martin Basti <mbasti@redhat.com>
https://fedorahosted.org/freeipa/ticket/6287 Reviewed-By: Martin Basti <mbasti@redhat.com>
The code should always contact forest root DCs when requesting trust domain info. In the case of one-way or external trusts `com.redhat.idm.trust-fetch-domains` helper is leveraged, otherwise forest root domain is contacted directly through Samba using the credentials of HTTP principal. https://fedorahosted.org/freeipa/ticket/6328 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Adding 'defaults' sudorule to prevent requesting further user authentication. Adding checks that if a user should be rejected access, a proper error message is displayed. https://fedorahosted.org/freeipa/ticket/6262 Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Commit c2af032 introduced a regression in the handling of user principals supplied to the `ipa passwd` command. This patch restores the original behavior which lowercases the username portion of the principal. https://fedorahosted.org/freeipa/ticket/6329 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Some upgrade steps require bind to be running in order to be successful. The upgrader makes sure that bind starts. https://fedorahosted.org/freeipa/ticket/6205 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
For some reason named may not be running, and this causes this upgrade step to fail. This step is not critical, so only an ERROR message with a recommendation is shown. https://fedorahosted.org/freeipa/ticket/6205 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Originally there should be only two occurrences of this warning, one for the server, one for the client. But obviously it is not possible with the current installers to achieve this goal, so I have to extract the code to not mess with 5 copies of copy and paste. https://fedorahosted.org/freeipa/ticket/5814 Reviewed-By: David Kupka <dkupka@redhat.com>
When a replica is installed with --setup-dns, config.ips is not defined. https://fedorahosted.org/freeipa/ticket/5814 Reviewed-By: David Kupka <dkupka@redhat.com>
https://fedorahosted.org/freeipa/ticket/5814 Reviewed-By: David Kupka <dkupka@redhat.com>
If ipa-client-install is executed with --no-sssd, check if pam_krb5 is available before proceeding with the install. https://fedorahosted.org/freeipa/ticket/5557 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The flag was removed in commit ff52c25 because it is unused. Add it back for compatibility with old clients. https://fedorahosted.org/freeipa/ticket/5644 Reviewed-By: Martin Basti <mbasti@redhat.com>
A regexp should not enforce the length of a string; we have different checks for that. Secondly, a regexp with a length specified produces an incorrect error message. https://fedorahosted.org/freeipa/ticket/5822 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The user and group regexps are the same, and a constant should be used to avoid any future misconfigurations. https://fedorahosted.org/freeipa/ticket/5822 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Pull Requests are intended for contributing code to FreeIPA upstream. If you need help with your deployment or have a question about FreeIPA, please use our public mailing list (https://www.redhat.com/mailman/listinfo/freeipa-users) or ask at the #freeipa IRC channel on freenode.
Ok, but a PR is still not a good place to report bugs or ask for a fix. If you want to discuss this issue and possibly find a solution with upstream developers, please use the freeipa-users@ mailing list. It's the preferred communication medium because it allows us to ask further questions (outputs, logs, results of suggested changes, ...) and is asynchronous, so people all over the world can join the discussion without problems.
We have implemented IPA in our environment and we got an issue when it comes to DNS service reload. We have more than 25k records across multiple domains ("quite a few"). When we do a DNS service reload, the DNS stops replying for approx. 45 sec, which is causing downtime for a number of services.
Hi, my issue is not in deployment; my issue is a bug in the software itself. I have already submitted a ticket with Red Hat support, which is taking too much time, so I hoped you guys can see this since you are the developers of the application. "My deployment is based on official Red Hat recommendation."