.freeipa-pr-ci.yaml

@@ -13,7 +13,7 @@ topologies:
     memory: 6700
 
 jobs:
-  fedora-27/build:
+  fedora-28/build:
     requires: []
     priority: 100
     job:
@@ -21,189 +21,224 @@ jobs:
       args:
         git_repo: '{git_repo}'
         git_refspec: '{git_refspec}'
-        template: &ci-master-f27
-          name: freeipa/ci-master-f27
-          version: 1.0.3
+        template: &ci-master-f28
+          name: freeipa/ci-master-f28
+          version: 0.1.5
         timeout: 1800
         topology: *build
 
-  fedora-27/simple_replication:
-    requires: [fedora-27/build]
+  fedora-28/simple_replication:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_simple_replication.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/caless:
-    requires: [fedora-27/build]
+  fedora-28/caless:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_caless.py::TestServerReplicaCALessToCAFull
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/external_ca:
-    requires: [fedora-27/build]
+  fedora-28/external_ca_1:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_external_ca.py::TestExternalCA test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall
-        template: *ci-master-f27
+        build_url: '{fedora-28/build_url}'
+        test_suite: test_integration/test_external_ca.py::TestExternalCA
+        template: *ci-master-f28
+        timeout: 3600
+        topology: *master_1repl_1client
+
+  fedora-28/external_ca_2:
+    requires: [fedora-28/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-28/build_url}'
+        test_suite: test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/test_topologies:
-    requires: [fedora-27/build]
+  fedora-28/test_topologies:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_topologies.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/test_sudo:
-    requires: [fedora-27/build]
+  fedora-28/test_sudo:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_sudo.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl_1client
 
-  fedora-27/test_ipa_cli:
-    requires: [fedora-27/build]
+  fedora-28/test_commands:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_ipa_cli.py
-        template: *ci-master-f27
+        build_url: '{fedora-28/build_url}'
+        test_suite: test_integration/test_commands.py
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/test_kerberos_flags:
-    requires: [fedora-27/build]
+  fedora-28/test_kerberos_flags:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_kerberos_flags.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl_1client
 
-  fedora-27/test_http_kdc_proxy:
-    requires: [fedora-27/build]
+  fedora-28/test_http_kdc_proxy:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_http_kdc_proxy.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl_1client
 
-  fedora-27/test_forced_client_enrolment:
-    requires: [fedora-27/build]
+  fedora-28/test_forced_client_enrolment:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_forced_client_reenrollment.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl_1client
 
-  fedora-27/test_advise:
-    requires: [fedora-27/build]
+  fedora-28/test_advise:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_advise.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/test_testconfig:
-    requires: [fedora-27/build]
+  fedora-28/test_testconfig:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_testconfig.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/test_service_permissions:
-    requires: [fedora-27/build]
+  fedora-28/test_service_permissions:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_service_permissions.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/test_netgroup:
-    requires: [fedora-27/build]
+  fedora-28/test_netgroup:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_netgroup.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/test_vault:
-    requires: [fedora-27/build]
+  fedora-28/test_vault:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_vault.py
-        template: *ci-master-f27
-        timeout: 3600
+        template: *ci-master-f28
+        timeout: 4500
         topology: *master_1repl
 
-  fedora-27/test_authconfig:
-    requires: [fedora-27/build]
+  fedora-28/test_authconfig:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_authselect.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl_1client
 
+  fedora-28/replica_promotion:
+    requires: [fedora-28/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-28/build_url}'
+        test_suite: test_integration/test_replica_promotion.py::TestSubCAkeyReplication
+        template: *ci-master-f28
+        timeout: 3600
+        topology: *master_1repl
+
+  fedora-28/dnssec:
+    requires: [fedora-28/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-28/build_url}'
+        test_suite: test_integration/test_dnssec.py::TestInstallDNSSECFirst
+        template: *ci-master-f28
+        timeout: 3600
+        topology: *master_1repl

.test_runner_config.yaml

@@ -28,7 +28,7 @@ steps:
   builddep:
   - rm -rf /var/cache/dnf/*
   - "dnf makecache || :"
-  - dnf builddep -y ${builddep_opts} -D "with_wheels 1" --spec freeipa.spec.in --best --allowerasing
+  - dnf builddep -y ${builddep_opts} -D "with_wheels 1" --spec freeipa.spec.in --best --allowerasing --setopt=install_weak_deps=False
   - dnf install -y gdb
   cleanup:
   - chown -R ${uid}:${gid} ${container_working_dir}
@@ -47,6 +47,7 @@ steps:
   configure:
   - ./autogen.sh
   install_packages:
+  - sed -i 's/%_install_langs \(.*\)/\0:fr/g' /etc/rpm/macros.image-language-conf
   - dnf install -y ${container_working_dir}/dist/rpms/*.rpm --best --allowerasing
   install_server:
   - ipa-server-install -U --domain ${server_domain} --realm ${server_realm} -p ${server_password}

.test_runner_config_py3_temp.yaml

@@ -30,7 +30,7 @@ steps:
   builddep:
   - rm -rf /var/cache/dnf/*
   - "dnf makecache || :"
-  - dnf builddep -y ${builddep_opts} --spec freeipa.spec.in --best --allowerasing
+  - dnf builddep -y ${builddep_opts} --spec freeipa.spec.in --best --allowerasing --setopt=install_weak_deps=False
   - dnf install -y gdb
   cleanup:
   - chown -R ${uid}:${gid} ${container_working_dir}
@@ -47,6 +47,7 @@ steps:
   configure:
   - ./autogen.sh
   install_packages:
+  - sed -i 's/%_install_langs \(.*\)/\0:fr/g' /etc/rpm/macros.image-language-conf
   - dnf install -y ${container_working_dir}/dist/rpms/*.rpm --best --allowerasing
   - dnf install -y python3-mod_wsgi --best --allowerasing  # Py3 temporary
   install_server:

.travis_run_task.sh

@@ -38,7 +38,8 @@ if [[ "$TASK_TO_RUN" == "lint" ]]
 then
     if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]]
     then
-        git diff origin/$TRAVIS_BRANCH -U0 | pycodestyle --diff &> $PEP8_ERROR_LOG ||:
+        git diff origin/$TRAVIS_BRANCH -U0 | \
+            pycodestyle --ignore=W504 --diff &> $PEP8_ERROR_LOG ||:
     fi
 fi
 

API.txt

@@ -3962,7 +3962,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('description?', cli_name='desc')
 option: Int('ipatokenradiusretries?', cli_name='retries')
 option: Password('ipatokenradiussecret', cli_name='secret', confirm=True)
-option: Str('ipatokenradiusserver+', cli_name='server')
+option: Str('ipatokenradiusserver', cli_name='server')
 option: Int('ipatokenradiustimeout?', cli_name='timeout')
 option: Str('ipatokenusermapattribute?', cli_name='userattr')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -3987,7 +3987,7 @@ option: Str('cn?', autofill=False, cli_name='name')
 option: Str('description?', autofill=False, cli_name='desc')
 option: Int('ipatokenradiusretries?', autofill=False, cli_name='retries')
 option: Password('ipatokenradiussecret?', autofill=False, cli_name='secret', confirm=True)
-option: Str('ipatokenradiusserver*', autofill=False, cli_name='server')
+option: Str('ipatokenradiusserver?', autofill=False, cli_name='server')
 option: Int('ipatokenradiustimeout?', autofill=False, cli_name='timeout')
 option: Str('ipatokenusermapattribute?', autofill=False, cli_name='userattr')
 option: Flag('pkey_only?', autofill=True, default=False)
@@ -4008,7 +4008,7 @@ option: Str('delattr*', cli_name='delattr')
 option: Str('description?', autofill=False, cli_name='desc')
 option: Int('ipatokenradiusretries?', autofill=False, cli_name='retries')
 option: Password('ipatokenradiussecret?', autofill=False, cli_name='secret', confirm=True)
-option: Str('ipatokenradiusserver*', autofill=False, cli_name='server')
+option: Str('ipatokenradiusserver?', autofill=False, cli_name='server')
 option: Int('ipatokenradiustimeout?', autofill=False, cli_name='timeout')
 option: Str('ipatokenusermapattribute?', autofill=False, cli_name='userattr')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -4425,9 +4425,10 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: server_role_find/1
-args: 1,8,4
+args: 1,9,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('include_master', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('role_servrole?', autofill=False, cli_name='role')
 option: Str('server_server?', autofill=False, cli_name='server')

BUILD.txt

@@ -7,7 +7,7 @@ For more information, see http://www.freeipa.org/page/Build
 
 The quickest way to get the dependencies needed for building is:
 
-# dnf builddep -b -D "with_python3 1" -D "with_wheels 1" -D "with_lint 1" --spec freeipa.spec.in --best --allowerasing
+# dnf builddep -b -D "with_wheels 1" -D "with_lint 1" --spec freeipa.spec.in --best --allowerasing --setopt=install_weak_deps=False
 
 TIP: For building with latest dependencies for freeipa master enable copr repo:
 

Contributors.txt

@@ -29,6 +29,7 @@ Developers:
 	Nalin Dahyabhai
 	Rishabh Dave
 	Don Davis
+	Nikhil Dehadrai
 	John Dennis
 	Jason Gerard DeRose
 	Günther Deschner
@@ -71,6 +72,7 @@ Developers:
 	Peter Lacko
 	Stanislav Laznicka
 	Ade Lee
+	Stanislav Levin
 	Ben Lipton
 	Karl MacMillan
 	Niranjan Mallapadi
@@ -81,17 +83,23 @@ Developers:
 	Kevin McCarthy
 	Mark McLoughlin
 	Rich Megginson
+	Sudhir Menon
 	Jim Meyering
 	Adam Misnyovszki
+	Takeshi MIZUTA
+	Anuja More
 	John Morris
 	Niranjan MR
 	Brian J. Murrell
+	Varun Mylaraiah
 	Marko Myllynen
 	Martin Nagy
+	Armando Neto
 	David O'Brien
 	Dmitri Pal
 	Jan Pazdziora
 	W. Michael Petullo
+	Pavel Picka
 	Gowrishankar Rajaiyan
 	realsobek
 	Michal Reznik
@@ -102,6 +110,7 @@ Developers:
 	Lenka Ryznarova
 	Thorsten Scherf
 	shanyin
+	Kaleemullah Siddiqui
 	Michael Simacek
 	Lars Sjostrom
 	Filip Skola
@@ -110,6 +119,7 @@ Developers:
 	Simo Sorce
 	Petr Špaček
 	David Spångberg
+	Justin Stephenson
 	Diane Trout
 	Fraser Tweedale
 	Petr Viktorin

VERSION.m4

@@ -20,8 +20,8 @@
 #  ->  "1.0.0"                                         #
 ########################################################
 define(IPA_VERSION_MAJOR, 4)
-define(IPA_VERSION_MINOR, 6)
-define(IPA_VERSION_RELEASE, 90)
+define(IPA_VERSION_MINOR, 7)
+define(IPA_VERSION_RELEASE, 0)
 
 ########################################################
 # For 'pre' releases the version will be               #
@@ -31,7 +31,7 @@ define(IPA_VERSION_RELEASE, 90)
 # e.g. define(IPA_VERSION_PRE_RELEASE, rc1)            #
 #  ->  "1.0.0rc1"                                      #
 ########################################################
-define(IPA_VERSION_PRE_RELEASE, .pre2)
+define(IPA_VERSION_PRE_RELEASE, )
 
 ########################################################
 # To mark GIT snapshots this should be set to 'yes'    #

client/Makefile.am

@@ -80,6 +80,7 @@ ipa_join_SOURCES =		\
 	$(NULL)
 
 ipa_join_LDADD = 		\
+	$(top_builddir)/util/libutil.la	\
 	$(KRB5_LIBS)		\
 	$(LDAP_LIBS)		\
 	$(SASL_LIBS)		\
@@ -89,6 +90,7 @@ ipa_join_LDADD = 		\
 	$(NULL)
 
 SUBDIRS =			\
+	share		\
 	man			\
 	$(NULL)
 

client/ipa-client-automount

@@ -43,6 +43,8 @@ from six.moves.urllib.parse import urlsplit
 from optparse import OptionParser  # pylint: disable=deprecated-module
 
 from ipaclient.install import ipachangeconf, ipadiscovery
+from ipaclient.install.client import (CLIENT_NOT_CONFIGURED,
+    CLIENT_ALREADY_CONFIGURED)
 from ipalib import api, errors
 from ipalib.install import sysrestore
 from ipalib.install.kinit import kinit_keytab
@@ -189,7 +191,8 @@ def configure_autofs_sssd(fstore, statestore, autodiscover, options):
             domain.add_provider('ipa', 'autofs')
             try:
                 domain.get_option('ipa_automount_location')
-                sys.exit('An automount location is already configured')
+                print('An automount location is already configured')
+                sys.exit(CLIENT_ALREADY_CONFIGURED)
             except SSSDConfig.NoOptionError:
                 domain.set_option('ipa_automount_location', options.location)
                 break
@@ -252,17 +255,31 @@ def configure_autofs_common(fstore, statestore, options):
                      autofs.service_name, str(e))
 
 def uninstall(fstore, statestore):
+    RESTORE_FILES=[
+       paths.SYSCONFIG_AUTOFS,
+       paths.NSSWITCH_CONF,
+       paths.AUTOFS_LDAP_AUTH_CONF,
+       paths.SYSCONFIG_NFS,
+       paths.IDMAPD_CONF,
+    ]
+    STATES=['autofs', 'rpcidmapd', 'rpcgssd']
+
+    # automount only touches /etc/nsswitch.conf if LDAP is
+    # used. Don't restore it otherwise.
+    if (statestore.get_state('authconfig', 'sssd') or
+            (statestore.get_state('authselect', 'profile') == 'sssd')):
+        RESTORE_FILES.remove(paths.NSSWITCH_CONF)
+
+    if (not any(fstore.has_file(f) for f in RESTORE_FILES) or
+             not any(statestore.has_state(s) for s in STATES)):
+        print("IPA automount is not configured on this system")
+        return CLIENT_NOT_CONFIGURED
+
     print("Restoring configuration")
-    if fstore.has_file(paths.SYSCONFIG_AUTOFS):
-        fstore.restore_file(paths.SYSCONFIG_AUTOFS)
-    if fstore.has_file(paths.NSSWITCH_CONF):
-        fstore.restore_file(paths.NSSWITCH_CONF)
-    if fstore.has_file(paths.AUTOFS_LDAP_AUTH_CONF):
-        fstore.restore_file(paths.AUTOFS_LDAP_AUTH_CONF)
-    if fstore.has_file(paths.SYSCONFIG_NFS):
-        fstore.restore_file(paths.SYSCONFIG_NFS)
-    if fstore.has_file(paths.IDMAPD_CONF):
-        fstore.restore_file(paths.IDMAPD_CONF)
+
+    for filepath in RESTORE_FILES:
+        if fstore.has_file(filepath):
+            fstore.restore_file(filepath)
     if statestore.has_state('autofs'):
         enabled = statestore.restore_state('autofs', 'enabled')
         running = statestore.restore_state('autofs', 'running')
@@ -382,7 +399,8 @@ def main():
     try:
         check_client_configuration()
     except ScriptError as e:
-        sys.exit(e)
+        print(e.msg)
+        sys.exit(e.rval)
 
     fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
     statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
@@ -412,7 +430,8 @@ def main():
         ca_cert_path = paths.IPA_CA_CRT
 
     if statestore.has_state('autofs'):
-        sys.exit('automount is already configured on this system.\n')
+        print('An automount location is already configured')
+        sys.exit(CLIENT_ALREADY_CONFIGURED)
 
     autodiscover = False
     ds = ipadiscovery.IPADiscovery()

client/ipa-getkeytab.c

@@ -43,14 +43,8 @@
 #include "ipa_krb5.h"
 #include "ipa_asn1.h"
 #include "ipa-client-common.h"
+#include "ipa_ldap.h"
 
-#define DEFAULT_CA_CERT_FILE "/etc/ipa/ca.crt"
-
-#define LDAP_SASL_EXTERNAL "EXTERNAL"
-#define LDAP_SASL_GSSAPI "GSSAPI"
-
-#define SCHEMA_LDAP "ldap://"
-#define SCHEMA_LDAPS "ldaps://"
 
 static int check_sasl_mech(const char *mech)
 {
@@ -178,42 +172,6 @@ static int ipa_server_to_uri(const char *servername, const char *mech,
     return 0;
 }
 
-static int ipa_ldap_init(LDAP **ld, const char *ldap_uri)
-{
-    int rc = 0;
-    rc = ldap_initialize(ld, ldap_uri);
-
-    return rc;
-}
-
-static int ipa_tls_ssl_init(LDAP *ld, const char *ldap_uri)
-{
-    int ret = LDAP_SUCCESS;
-    int tls_hard = LDAP_OPT_X_TLS_HARD;
-    int tls_demand = LDAP_OPT_X_TLS_DEMAND;
-
-    if (strncmp(ldap_uri, SCHEMA_LDAP, sizeof(SCHEMA_LDAP) - 1) == 0) {
-        ret = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &tls_demand);
-        if (ret != LDAP_OPT_SUCCESS) {
-            fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_REQUIRE_CERT\n"));
-            return ret;
-        }
-        ret = ldap_start_tls_s(ld, NULL, NULL);
-        if (ret != LDAP_SUCCESS) {
-            fprintf(stderr, _("Unable to initialize STARTTLS session\n"));
-            return ret;
-        }
-    } else if (strncmp(ldap_uri, SCHEMA_LDAPS, sizeof(SCHEMA_LDAPS) - 1) == 0) {
-        ret = ldap_set_option(ld, LDAP_OPT_X_TLS, &tls_hard);
-        if (ret != LDAP_OPT_SUCCESS) {
-            fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS\n"));
-            return ret;
-        }
-    }
-    return ret;
-
-}
-
 static int ipa_ldap_bind(const char *ldap_uri, krb5_principal bind_princ,
                          const char *bind_dn, const char *bind_pw,
                          const char *mech, const char *ca_cert_file,
@@ -221,20 +179,12 @@ static int ipa_ldap_bind(const char *ldap_uri, krb5_principal bind_princ,
 {
     char *msg = NULL;
     struct berval bv;
-    int version;
     LDAP *ld;
     int ret;
 
     /* TODO: support referrals ? */
-    ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ca_cert_file);
-    if (ret != LDAP_OPT_SUCCESS) {
-        fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_CERTIFICATE\n"));
-        return ret;
-    }
-
     ret = ipa_ldap_init(&ld, ldap_uri);
     if (ret != LDAP_SUCCESS) {
-        fprintf(stderr, _("Unable to init connection to %s\n"), ldap_uri);
         return ret;
     }
 
@@ -243,23 +193,7 @@ static int ipa_ldap_bind(const char *ldap_uri, krb5_principal bind_princ,
         return LDAP_OPERATIONS_ERROR;
     }
 
-#ifdef LDAP_OPT_X_SASL_NOCANON
-    /* Don't do DNS canonicalization */
-    ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
-    if (ret != LDAP_SUCCESS) {
-	fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
-        goto done;
-    }
-#endif
-
-    version = LDAP_VERSION3;
-    ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
-    if (ret != LDAP_SUCCESS) {
-	fprintf(stderr, _("Unable to set LDAP_OPT_PROTOCOL_VERSION\n"));
-	goto done;
-    }
-
-    ret = ipa_tls_ssl_init(ld, ldap_uri);
+    ret = ipa_tls_ssl_init(ld, ldap_uri, ca_cert_file);
     if (ret != LDAP_OPT_SUCCESS) {
         goto done;
     }

client/ipa-join.c

@@ -39,13 +39,12 @@
 #include "xmlrpc-c/client.h"
 
 #include "ipa-client-common.h"
+#include "ipa_ldap.h"
 
 #define NAME "ipa-join"
 
 #define JOIN_OID "2.16.840.1.113730.3.8.10.3"
 
-#define CAFILE "/etc/ipa/ca.crt"
-
 #define IPA_CONFIG "/etc/ipa/default.conf"
 
 char * read_config_file(const char *filename);
@@ -200,8 +199,6 @@ callRPC(char * user_agent,
 static LDAP *
 connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
     LDAP *ld = NULL;
-    int ssl = LDAP_OPT_X_TLS_HARD;
-    int version = LDAP_VERSION3;
     int ret;
     int ldapdebug = 0;
     char *uri;
@@ -215,40 +212,23 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
         }
     }
 
-    if (ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, CAFILE) != LDAP_OPT_SUCCESS)
-        goto fail;
-
     ret = asprintf(&uri, "ldaps://%s:636", hostname);
     if (ret == -1) {
         fprintf(stderr, _("Out of memory!"));
         goto fail;
     }
 
-    ret = ldap_initialize(&ld, uri);
-    free(uri);
+    ret = ipa_ldap_init(&ld, uri);
     if (ret != LDAP_SUCCESS) {
-        fprintf(stderr, _("Unable to initialize connection to ldap server: %s"),
-                        ldap_err2string(ret));
         goto fail;
     }
-
-    if (ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl) != LDAP_OPT_SUCCESS) {
-        fprintf(stderr, _("Unable to enable SSL in LDAP\n"));
-        goto fail;
-    }
-
-    /* Don't do DNS canonicalization */
-    ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
+    ret = ipa_tls_ssl_init(ld, uri, DEFAULT_CA_CERT_FILE);
     if (ret != LDAP_SUCCESS) {
-        fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
-        goto fail;
-    }
-
-    ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
-    if (ret != LDAP_SUCCESS) {
-        fprintf(stderr, _("Unable to set LDAP version\n"));
+        fprintf(stderr, _("Unable to enable SSL in LDAP\n"));
         goto fail;
     }
+    free(uri);
+    uri = NULL;
 
     if (bindpw) {
         bindpw_bv.bv_val = discard_const(bindpw);
@@ -276,6 +256,9 @@ fail:
     if (ld != NULL) {
         ldap_unbind_ext(ld, NULL, NULL);
     }
+    if (uri != NULL) {
+        free(uri);
+    }
     return NULL;
 }
 

client/man/ipa-client-automount.1

@@ -87,3 +87,7 @@ Files that will be configured when using the ldap automount client:
 0 if the installation was successful
 
 1 if an error occurred
+
+2 if uninstalling and automount is not configured
+
+3 if installing and automount already configured

client/share/Makefile.am

+NULL =
+
+appdir = $(IPA_DATA_DIR)/client
+dist_app_DATA =				\
+	freeipa.template		\
+	$(NULL)

configure.ac

@@ -504,6 +504,7 @@ AC_CONFIG_FILES([
     asn1/Makefile
     asn1/asn1c/Makefile
     client/Makefile
+    client/share/Makefile
     client/man/Makefile
     contrib/completion/Makefile
     contrib/Makefile

daemons/ipa-otpd/queue.c

@@ -155,7 +155,7 @@ struct otpd_queue_item *otpd_queue_pop_msgid(struct otpd_queue *q, int msgid)
 
     for (item = q->head, prev = &q->head;
          item != NULL;
-         item = item->next, prev = &item->next) {
+         prev = &item->next, item = item->next) {
         if (item->msgid == msgid) {
             *prev = item->next;
             if (q->head == NULL)

daemons/ipa-otpd/test.py

-#!/usr/bin/python3
 #
 # FreeIPA 2FA companion daemon
 #

daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c

@@ -595,6 +595,7 @@ parse_req_done:
     } else {
         principal = slapi_ch_smprintf("root/admin@%s", krbcfg->realm);
     }
+    if (principal)
         ipapwd_set_extradata(pwdata.dn, principal, pwdata.timeNow);
 
 	/* Free anything that we allocated above */