......@@ -13,7 +13,7 @@ topologies:
memory: 6700
jobs:
fedora-27/build:
fedora-28/build:
requires: []
priority: 100
job:
......@@ -21,189 +21,224 @@ jobs:
args:
git_repo: '{git_repo}'
git_refspec: '{git_refspec}'
template: &ci-master-f27
name: freeipa/ci-master-f27
version: 1.0.3
template: &ci-master-f28
name: freeipa/ci-master-f28
version: 0.1.5
timeout: 1800
topology: *build
fedora-27/simple_replication:
requires: [fedora-27/build]
fedora-28/simple_replication:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_simple_replication.py
template: *ci-master-f27
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-27/caless:
requires: [fedora-27/build]
fedora-28/caless:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_caless.py::TestServerReplicaCALessToCAFull
template: *ci-master-f27
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-27/external_ca:
requires: [fedora-27/build]
fedora-28/external_ca_1:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_external_ca.py::TestExternalCA test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall
template: *ci-master-f27
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_external_ca.py::TestExternalCA
template: *ci-master-f28
timeout: 3600
topology: *master_1repl_1client
fedora-28/external_ca_2:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-27/test_topologies:
requires: [fedora-27/build]
fedora-28/test_topologies:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_topologies.py
template: *ci-master-f27
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-27/test_sudo:
requires: [fedora-27/build]
fedora-28/test_sudo:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_sudo.py
template: *ci-master-f27
template: *ci-master-f28
timeout: 3600
topology: *master_1repl_1client
fedora-27/test_ipa_cli:
requires: [fedora-27/build]
fedora-28/test_commands:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
test_suite: test_integration/test_ipa_cli.py
template: *ci-master-f27
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_commands.py
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-27/test_kerberos_flags:
requires: [fedora-27/build]
fedora-28/test_kerberos_flags:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_kerberos_flags.py
template: *ci-master-f27
template: *ci-master-f28
timeout: 3600
topology: *master_1repl_1client
fedora-27/test_http_kdc_proxy:
requires: [fedora-27/build]
fedora-28/test_http_kdc_proxy:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_http_kdc_proxy.py
template: *ci-master-f27
template: *ci-master-f28
timeout: 3600
topology: *master_1repl_1client
fedora-27/test_forced_client_enrolment:
requires: [fedora-27/build]
fedora-28/test_forced_client_enrolment:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_forced_client_reenrollment.py
template: *ci-master-f27
template: *ci-master-f28
timeout: 3600
topology: *master_1repl_1client
fedora-27/test_advise:
requires: [fedora-27/build]
fedora-28/test_advise:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_advise.py
template: *ci-master-f27
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-27/test_testconfig:
requires: [fedora-27/build]
fedora-28/test_testconfig:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_testconfig.py
template: *ci-master-f27
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-27/test_service_permissions:
requires: [fedora-27/build]
fedora-28/test_service_permissions:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_service_permissions.py
template: *ci-master-f27
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-27/test_netgroup:
requires: [fedora-27/build]
fedora-28/test_netgroup:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_netgroup.py
template: *ci-master-f27
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-27/test_vault:
requires: [fedora-27/build]
fedora-28/test_vault:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_vault.py
template: *ci-master-f27
timeout: 3600
template: *ci-master-f28
timeout: 4500
topology: *master_1repl
fedora-27/test_authconfig:
requires: [fedora-27/build]
fedora-28/test_authconfig:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-27/build_url}'
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_authselect.py
template: *ci-master-f27
template: *ci-master-f28
timeout: 3600
topology: *master_1repl_1client
fedora-28/replica_promotion:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_replica_promotion.py::TestSubCAkeyReplication
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-28/dnssec:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_dnssec.py::TestInstallDNSSECFirst
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
......@@ -28,7 +28,7 @@ steps:
builddep:
- rm -rf /var/cache/dnf/*
- "dnf makecache || :"
- dnf builddep -y ${builddep_opts} -D "with_wheels 1" --spec freeipa.spec.in --best --allowerasing
- dnf builddep -y ${builddep_opts} -D "with_wheels 1" --spec freeipa.spec.in --best --allowerasing --setopt=install_weak_deps=False
- dnf install -y gdb
cleanup:
- chown -R ${uid}:${gid} ${container_working_dir}
......@@ -47,6 +47,7 @@ steps:
configure:
- ./autogen.sh
install_packages:
- sed -i 's/%_install_langs \(.*\)/\0:fr/g' /etc/rpm/macros.image-language-conf
- dnf install -y ${container_working_dir}/dist/rpms/*.rpm --best --allowerasing
install_server:
- ipa-server-install -U --domain ${server_domain} --realm ${server_realm} -p ${server_password}
......
......@@ -30,7 +30,7 @@ steps:
builddep:
- rm -rf /var/cache/dnf/*
- "dnf makecache || :"
- dnf builddep -y ${builddep_opts} --spec freeipa.spec.in --best --allowerasing
- dnf builddep -y ${builddep_opts} --spec freeipa.spec.in --best --allowerasing --setopt=install_weak_deps=False
- dnf install -y gdb
cleanup:
- chown -R ${uid}:${gid} ${container_working_dir}
......@@ -47,6 +47,7 @@ steps:
configure:
- ./autogen.sh
install_packages:
- sed -i 's/%_install_langs \(.*\)/\0:fr/g' /etc/rpm/macros.image-language-conf
- dnf install -y ${container_working_dir}/dist/rpms/*.rpm --best --allowerasing
- dnf install -y python3-mod_wsgi --best --allowerasing # Py3 temporary
install_server:
......
......@@ -38,8 +38,9 @@ if [[ "$TASK_TO_RUN" == "lint" ]]
then
if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]]
then
git diff origin/$TRAVIS_BRANCH -U0 | pycodestyle --diff &> $PEP8_ERROR_LOG ||:
fi
git diff origin/$TRAVIS_BRANCH -U0 | \
pycodestyle --ignore=W504 --diff &> $PEP8_ERROR_LOG ||:
fi
fi
if [[ -n "$TESTS_TO_RUN" ]]
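Review bot: The rewritten lint pipeline still expands `$TRAVIS_BRANCH` and `$PEP8_ERROR_LOG` unquoted, so a value containing whitespace or glob characters is word-split before `git diff` and the redirection see it. Quoting both keeps the command stable: `git diff "origin/$TRAVIS_BRANCH" -U0 | \` and `pycodestyle --ignore=W504 --diff &> "$PEP8_ERROR_LOG" ||:`. A short comment saying why W504 is ignored would also help the next person who edits this line.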
......
......@@ -3962,7 +3962,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('description?', cli_name='desc')
option: Int('ipatokenradiusretries?', cli_name='retries')
option: Password('ipatokenradiussecret', cli_name='secret', confirm=True)
option: Str('ipatokenradiusserver+', cli_name='server')
option: Str('ipatokenradiusserver', cli_name='server')
option: Int('ipatokenradiustimeout?', cli_name='timeout')
option: Str('ipatokenusermapattribute?', cli_name='userattr')
option: Flag('raw', autofill=True, cli_name='raw', default=False)
......@@ -3987,7 +3987,7 @@ option: Str('cn?', autofill=False, cli_name='name')
option: Str('description?', autofill=False, cli_name='desc')
option: Int('ipatokenradiusretries?', autofill=False, cli_name='retries')
option: Password('ipatokenradiussecret?', autofill=False, cli_name='secret', confirm=True)
option: Str('ipatokenradiusserver*', autofill=False, cli_name='server')
option: Str('ipatokenradiusserver?', autofill=False, cli_name='server')
option: Int('ipatokenradiustimeout?', autofill=False, cli_name='timeout')
option: Str('ipatokenusermapattribute?', autofill=False, cli_name='userattr')
option: Flag('pkey_only?', autofill=True, default=False)
......@@ -4008,7 +4008,7 @@ option: Str('delattr*', cli_name='delattr')
option: Str('description?', autofill=False, cli_name='desc')
option: Int('ipatokenradiusretries?', autofill=False, cli_name='retries')
option: Password('ipatokenradiussecret?', autofill=False, cli_name='secret', confirm=True)
option: Str('ipatokenradiusserver*', autofill=False, cli_name='server')
option: Str('ipatokenradiusserver?', autofill=False, cli_name='server')
option: Int('ipatokenradiustimeout?', autofill=False, cli_name='timeout')
option: Str('ipatokenusermapattribute?', autofill=False, cli_name='userattr')
option: Flag('raw', autofill=True, cli_name='raw', default=False)
......@@ -4425,9 +4425,10 @@ output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
command: server_role_find/1
args: 1,8,4
args: 1,9,4
arg: Str('criteria?')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Flag('include_master', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Str('role_servrole?', autofill=False, cli_name='role')
option: Str('server_server?', autofill=False, cli_name='server')
......
......@@ -7,7 +7,7 @@ For more information, see http://www.freeipa.org/page/Build
The quickest way to get the dependencies needed for building is:
# dnf builddep -b -D "with_python3 1" -D "with_wheels 1" -D "with_lint 1" --spec freeipa.spec.in --best --allowerasing
# dnf builddep -b -D "with_wheels 1" -D "with_lint 1" --spec freeipa.spec.in --best --allowerasing --setopt=install_weak_deps=False
TIP: For building with latest dependencies for freeipa master enable copr repo:
......
......@@ -29,6 +29,7 @@ Developers:
Nalin Dahyabhai
Rishabh Dave
Don Davis
Nikhil Dehadrai
John Dennis
Jason Gerard DeRose
Günther Deschner
......@@ -71,6 +72,7 @@ Developers:
Peter Lacko
Stanislav Laznicka
Ade Lee
Stanislav Levin
Ben Lipton
Karl MacMillan
Niranjan Mallapadi
......@@ -81,17 +83,23 @@ Developers:
Kevin McCarthy
Mark McLoughlin
Rich Megginson
Sudhir Menon
Jim Meyering
Adam Misnyovszki
Takeshi MIZUTA
Anuja More
John Morris
Niranjan MR
Brian J. Murrell
Varun Mylaraiah
Marko Myllynen
Martin Nagy
Armando Neto
David O'Brien
Dmitri Pal
Jan Pazdziora
W. Michael Petullo
Pavel Picka
Gowrishankar Rajaiyan
realsobek
Michal Reznik
......@@ -102,6 +110,7 @@ Developers:
Lenka Ryznarova
Thorsten Scherf
shanyin
Kaleemullah Siddiqui
Michael Simacek
Lars Sjostrom
Filip Skola
......@@ -110,6 +119,7 @@ Developers:
Simo Sorce
Petr Špaček
David Spångberg
Justin Stephenson
Diane Trout
Fraser Tweedale
Petr Viktorin
......
......@@ -20,8 +20,8 @@
# -> "1.0.0" #
########################################################
define(IPA_VERSION_MAJOR, 4)
define(IPA_VERSION_MINOR, 6)
define(IPA_VERSION_RELEASE, 90)
define(IPA_VERSION_MINOR, 7)
define(IPA_VERSION_RELEASE, 0)
########################################################
# For 'pre' releases the version will be #
......@@ -31,7 +31,7 @@ define(IPA_VERSION_RELEASE, 90)
# e.g. define(IPA_VERSION_PRE_RELEASE, rc1) #
# -> "1.0.0rc1" #
########################################################
define(IPA_VERSION_PRE_RELEASE, .pre2)
define(IPA_VERSION_PRE_RELEASE, )
########################################################
# To mark GIT snapshots this should be set to 'yes' #
......
......@@ -80,6 +80,7 @@ ipa_join_SOURCES = \
$(NULL)
ipa_join_LDADD = \
$(top_builddir)/util/libutil.la \
$(KRB5_LIBS) \
$(LDAP_LIBS) \
$(SASL_LIBS) \
......@@ -89,6 +90,7 @@ ipa_join_LDADD = \
$(NULL)
SUBDIRS = \
share \
man \
$(NULL)
......
......@@ -43,6 +43,8 @@ from six.moves.urllib.parse import urlsplit
from optparse import OptionParser # pylint: disable=deprecated-module
from ipaclient.install import ipachangeconf, ipadiscovery
from ipaclient.install.client import (CLIENT_NOT_CONFIGURED,
CLIENT_ALREADY_CONFIGURED)
from ipalib import api, errors
from ipalib.install import sysrestore
from ipalib.install.kinit import kinit_keytab
......@@ -189,7 +191,8 @@ def configure_autofs_sssd(fstore, statestore, autodiscover, options):
domain.add_provider('ipa', 'autofs')
try:
domain.get_option('ipa_automount_location')
sys.exit('An automount location is already configured')
print('An automount location is already configured')
sys.exit(CLIENT_ALREADY_CONFIGURED)
except SSSDConfig.NoOptionError:
domain.set_option('ipa_automount_location', options.location)
break
......@@ -252,17 +255,31 @@ def configure_autofs_common(fstore, statestore, options):
autofs.service_name, str(e))
def uninstall(fstore, statestore):
RESTORE_FILES=[
paths.SYSCONFIG_AUTOFS,
paths.NSSWITCH_CONF,
paths.AUTOFS_LDAP_AUTH_CONF,
paths.SYSCONFIG_NFS,
paths.IDMAPD_CONF,
]
STATES=['autofs', 'rpcidmapd', 'rpcgssd']
# automount only touches /etc/nsswitch.conf if LDAP is
# used. Don't restore it otherwise.
if (statestore.get_state('authconfig', 'sssd') or
(statestore.get_state('authselect', 'profile') == 'sssd')):
RESTORE_FILES.remove(paths.NSSWITCH_CONF)
if (not any(fstore.has_file(f) for f in RESTORE_FILES) or
not any(statestore.has_state(s) for s in STATES)):
print("IPA automount is not configured on this system")
return CLIENT_NOT_CONFIGURED
print("Restoring configuration")
if fstore.has_file(paths.SYSCONFIG_AUTOFS):
fstore.restore_file(paths.SYSCONFIG_AUTOFS)
if fstore.has_file(paths.NSSWITCH_CONF):
fstore.restore_file(paths.NSSWITCH_CONF)
if fstore.has_file(paths.AUTOFS_LDAP_AUTH_CONF):
fstore.restore_file(paths.AUTOFS_LDAP_AUTH_CONF)
if fstore.has_file(paths.SYSCONFIG_NFS):
fstore.restore_file(paths.SYSCONFIG_NFS)
if fstore.has_file(paths.IDMAPD_CONF):
fstore.restore_file(paths.IDMAPD_CONF)
for filepath in RESTORE_FILES:
if fstore.has_file(filepath):
fstore.restore_file(filepath)
if statestore.has_state('autofs'):
enabled = statestore.restore_state('autofs', 'enabled')
running = statestore.restore_state('autofs', 'running')
......@@ -382,7 +399,8 @@ def main():
try:
check_client_configuration()
except ScriptError as e:
sys.exit(e)
print(e.msg)
sys.exit(e.rval)
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
......@@ -412,7 +430,8 @@ def main():
ca_cert_path = paths.IPA_CA_CRT
if statestore.has_state('autofs'):
sys.exit('automount is already configured on this system.\n')
print('An automount location is already configured')
sys.exit(CLIENT_ALREADY_CONFIGURED)
autodiscover = False
ds = ipadiscovery.IPADiscovery()
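Review bot: In `uninstall`, the new early return joins the two `not any(...)` tests with `or`, so a host that still has backed-up files but no saved state (or the reverse) is reported as "not configured" and returns `CLIENT_NOT_CONFIGURED` before anything is restored. If a partially configured client should still be cleaned up, the check needs `and`, i.e. `if (not any(fstore.has_file(f) for f in RESTORE_FILES) and not any(statestore.has_state(s) for s in STATES)):`. If the current behaviour is intended, a comment stating that would prevent a later "fix". Separately, the messages that used to go through `sys.exit('...')` were written to stderr and are now sent to stdout by `print(...)`. Passing `file=sys.stderr` keeps them out of captured command output.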
......
......@@ -43,14 +43,8 @@
#include "ipa_krb5.h"
#include "ipa_asn1.h"
#include "ipa-client-common.h"
#include "ipa_ldap.h"
#define DEFAULT_CA_CERT_FILE "/etc/ipa/ca.crt"
#define LDAP_SASL_EXTERNAL "EXTERNAL"
#define LDAP_SASL_GSSAPI "GSSAPI"
#define SCHEMA_LDAP "ldap://"
#define SCHEMA_LDAPS "ldaps://"
static int check_sasl_mech(const char *mech)
{
......@@ -178,42 +172,6 @@ static int ipa_server_to_uri(const char *servername, const char *mech,
return 0;
}
static int ipa_ldap_init(LDAP **ld, const char *ldap_uri)
{
int rc = 0;
rc = ldap_initialize(ld, ldap_uri);
return rc;
}
static int ipa_tls_ssl_init(LDAP *ld, const char *ldap_uri)
{
int ret = LDAP_SUCCESS;
int tls_hard = LDAP_OPT_X_TLS_HARD;
int tls_demand = LDAP_OPT_X_TLS_DEMAND;
if (strncmp(ldap_uri, SCHEMA_LDAP, sizeof(SCHEMA_LDAP) - 1) == 0) {
ret = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &tls_demand);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_REQUIRE_CERT\n"));
return ret;
}
ret = ldap_start_tls_s(ld, NULL, NULL);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to initialize STARTTLS session\n"));
return ret;
}
} else if (strncmp(ldap_uri, SCHEMA_LDAPS, sizeof(SCHEMA_LDAPS) - 1) == 0) {
ret = ldap_set_option(ld, LDAP_OPT_X_TLS, &tls_hard);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS\n"));
return ret;
}
}
return ret;
}
static int ipa_ldap_bind(const char *ldap_uri, krb5_principal bind_princ,
const char *bind_dn, const char *bind_pw,
const char *mech, const char *ca_cert_file,
......@@ -221,20 +179,12 @@ static int ipa_ldap_bind(const char *ldap_uri, krb5_principal bind_princ,
{
char *msg = NULL;
struct berval bv;
int version;
LDAP *ld;
int ret;
/* TODO: support referrals ? */
ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ca_cert_file);
if (ret != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_CERTIFICATE\n"));
return ret;
}
ret = ipa_ldap_init(&ld, ldap_uri);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to init connection to %s\n"), ldap_uri);
return ret;
}
......@@ -243,23 +193,7 @@ static int ipa_ldap_bind(const char *ldap_uri, krb5_principal bind_princ,
return LDAP_OPERATIONS_ERROR;
}
#ifdef LDAP_OPT_X_SASL_NOCANON
/* Don't do DNS canonicalization */
ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
goto done;
}
#endif
version = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_PROTOCOL_VERSION\n"));
goto done;
}
ret = ipa_tls_ssl_init(ld, ldap_uri);
ret = ipa_tls_ssl_init(ld, ldap_uri, ca_cert_file);
if (ret != LDAP_OPT_SUCCESS) {
goto done;
}
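Review bot: After this refactor `ipa_ldap_bind` no longer sets LDAPv3, `LDAP_OPT_X_SASL_NOCANON`, the CA file or the certificate-verification level itself. It relies entirely on `ipa_ldap_init()` and `ipa_tls_ssl_init(ld, ldap_uri, ca_cert_file)` from `ipa_ldap.h`, whose bodies are not part of this section. A comment above the two calls would record that dependency, for example `/* ipa_ldap_init()/ipa_tls_ssl_init() are expected to set LDAPv3, SASL NOCANON and require a verified server certificate */`. It is also worth confirming that the shared helper enforces certificate checking on the `ldaps://` path too, because the removed local helper only set `LDAP_OPT_X_TLS_REQUIRE_CERT` for STARTTLS. The result of `ipa_tls_ssl_init` is compared with `LDAP_OPT_SUCCESS` while the call before it uses `LDAP_SUCCESS`; using one constant throughout would read more cleanly.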
......
......@@ -39,13 +39,12 @@
#include "xmlrpc-c/client.h"
#include "ipa-client-common.h"
#include "ipa_ldap.h"
#define NAME "ipa-join"
#define JOIN_OID "2.16.840.1.113730.3.8.10.3"
#define CAFILE "/etc/ipa/ca.crt"
#define IPA_CONFIG "/etc/ipa/default.conf"
char * read_config_file(const char *filename);
......@@ -200,8 +199,6 @@ callRPC(char * user_agent,
static LDAP *
connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
LDAP *ld = NULL;
int ssl = LDAP_OPT_X_TLS_HARD;
int version = LDAP_VERSION3;
int ret;
int ldapdebug = 0;
char *uri;
......@@ -215,40 +212,23 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
}
}
if (ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, CAFILE) != LDAP_OPT_SUCCESS)
goto fail;
ret = asprintf(&uri, "ldaps://%s:636", hostname);
if (ret == -1) {
fprintf(stderr, _("Out of memory!"));
goto fail;
}
ret = ldap_initialize(&ld, uri);
free(uri);
if(ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to initialize connection to ldap server: %s"),
ldap_err2string(ret));
goto fail;
}
if (ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl) != LDAP_OPT_SUCCESS) {
fprintf(stderr, _("Unable to enable SSL in LDAP\n"));
goto fail;
}
/* Don't do DNS canonicalization */
ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
ret = ipa_ldap_init(&ld, uri);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
goto fail;
}
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
ret = ipa_tls_ssl_init(ld, uri, DEFAULT_CA_CERT_FILE);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP version\n"));
fprintf(stderr, _("Unable to enable SSL in LDAP\n"));
goto fail;
}
free(uri);
uri = NULL;
if (bindpw) {
bindpw_bv.bv_val = discard_const(bindpw);
......@@ -276,6 +256,9 @@ fail:
if (ld != NULL) {
ldap_unbind_ext(ld, NULL, NULL);
}
if (uri != NULL) {
free(uri);
}
return NULL;
}
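Review bot: `uri` is declared without an initializer (`char *uri;`), but the new cleanup under `fail:` calls `free(uri)` whenever it is non-NULL, so any `goto fail` taken before `asprintf` has produced a valid pointer frees an indeterminate value. The `asprintf` failure branch is one such path, since the pointer's contents are undefined when it returns -1. A jump from the code above the hunk would be another, though that part of `connect_ldap` is not visible here. Declaring it as `char *uri = NULL;` and adding `uri = NULL;` before the `goto fail` in the `ret == -1` branch makes the cleanup safe.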
......
......@@ -87,3 +87,7 @@ Files that will be configured when using the ldap automount client:
0 if the installation was successful
1 if an error occurred
2 if uninstalling and automount is not configured
3 if installing and automount already configured
NULL =
appdir = $(IPA_DATA_DIR)/client
dist_app_DATA = \
freeipa.template \
$(NULL)
......@@ -504,6 +504,7 @@ AC_CONFIG_FILES([
asn1/Makefile
asn1/asn1c/Makefile
client/Makefile
client/share/Makefile
client/man/Makefile
contrib/completion/Makefile
contrib/Makefile
......
......@@ -155,7 +155,7 @@ struct otpd_queue_item *otpd_queue_pop_msgid(struct otpd_queue *q, int msgid)
for (item = q->head, prev = &q->head;
item != NULL;
item = item->next, prev = &item->next) {
prev = &item->next, item = item->next) {
if (item->msgid == msgid) {
*prev = item->next;
if (q->head == NULL)
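Review bot: The corrected increment `prev = &item->next, item = item->next` is only right because the comma operator evaluates left to right, so `prev` is taken from the current node before `item` advances and possibly becomes NULL. Nothing in the loop says so, and the two operands look interchangeable to anyone tidying the code. A one-line comment such as `/* take prev from the current node before advancing item; item may become NULL */` would guard against a regression. The rest of `otpd_queue_pop_msgid` lies outside the hunk, so whether `q->tail` is adjusted when the removed item is the last one cannot be checked from here.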
......
#!/usr/bin/python3
#
# FreeIPA 2FA companion daemon
#
......
......@@ -595,7 +595,8 @@ parse_req_done:
} else {
principal = slapi_ch_smprintf("root/admin@%s", krbcfg->realm);
}
ipapwd_set_extradata(pwdata.dn, principal, pwdata.timeNow);
if (principal)
ipapwd_set_extradata(pwdata.dn, principal, pwdata.timeNow);
/* Free anything that we allocated above */
free_and_return:
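Review bot: When `slapi_ch_smprintf()` returns NULL, the new `if (principal)` guard skips `ipapwd_set_extradata()` without leaving any trace, so the operation carries on while whatever that call records for `pwdata.dn` is not updated. An allocation failure on this path should at least be logged through the plugin's existing logging before falling through to `free_and_return`, so that a missing update can be explained afterwards. Adding braces around the guarded call would also match the surrounding `if`/`else` style. The enclosing function starts and ends outside this hunk.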
......
File mode changed from 100755 to 100644
<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl"?>
<rdf:RDF xml:lang="en" xmlns="http://usefulinc.com/ns/doap#" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:foaf="http://xmlns.com/foaf/0.1/">
<Project rdf:about="https://www.freeipa.org">
<created>2005-06-01</created>
<name>FreeIPA Project</name>
<shortname>FreeIPA</shortname>
<homepage rdf:resource="https://www.freeipa.org" />
<shortdesc>FreeIPA is the upstream open-source project for Red Hat Identity Manager</shortdesc>
<description>FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, Chronyd, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools.</description>
<bug-database rdf:resource="https://pagure.io/freeipa/" />
<mailing-list rdf:resource="https://www.freeipa.org/page/Contribute" />
<mailing-list>freeipa-interest@redhat.com</mailing-list>
<mailing-list>freeipa-devel@lists.fedorahosted.org</mailing-list>
<mailing-list>freeipa-users@lists.fedorahosted.org</mailing-list>
<download-page rdf:resource="https://www.freeipa.org/page/Downloads" />
<programming-language>C</programming-language>
<programming-language>Python</programming-language>
<repository>
<GitBranch>
<location rdf:resource="https://github.com/freeipa/freeipa.git" />
<browse rdf:resource="https://github.com/freeipa/freeipa" />
</GitBranch>
</repository>
</Project>
</rdf:RDF>
......@@ -28,11 +28,12 @@ import shutil
import traceback
from ipalib.install import certstore
from ipapython import directivesetter
from ipapython import ipautil
from ipalib import api, errors
from ipalib import x509
from ipalib.install.kinit import kinit_keytab
from ipaserver.install import certs, cainstance, installutils
from ipaserver.install import certs, cainstance
from ipaserver.plugins.ldap2 import ldap2
from ipaplatform import services
from ipaplatform.paths import paths
......@@ -104,22 +105,22 @@ def _main():
elif nickname == 'caSigningCert cert-pki-ca':
# Update CS.cfg
cfg_path = paths.CA_CS_CFG_PATH
config = installutils.get_directive(
config = directivesetter.get_directive(
cfg_path, 'subsystem.select', '=')
if config == 'New':
syslog.syslog(syslog.LOG_NOTICE, "Updating CS.cfg")
if cert.is_self_signed():
installutils.set_directive(
directivesetter.set_directive(
cfg_path, 'hierarchy.select', 'Root',
quotes=False, separator='=')
installutils.set_directive(
directivesetter.set_directive(
cfg_path, 'subsystem.count', '1',
quotes=False, separator='=')
else:
installutils.set_directive(
directivesetter.set_directive(
cfg_path, 'hierarchy.select', 'Subordinate',
quotes=False, separator='=')
installutils.set_directive(
directivesetter.set_directive(
cfg_path, 'subsystem.count', '0',
quotes=False, separator='=')
else:
......
File mode changed from 100644 to 100755
File mode changed from 100644 to 100755
File mode changed from 100644 to 100755
File mode changed from 100644 to 100755
......@@ -51,7 +51,6 @@ dist_app_DATA = \
kdc_req.conf.template \
krb5.conf.template \
krb5.ini.template \
freeipa.template \
krb.con.template \
krbrealm.con.template \
smb.conf.template \
......
......@@ -4,9 +4,9 @@ options {
// Put files that named is allowed to write in the data/ directory:
directory "$NAMED_VAR_DIR"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
dump-file "${NAMED_DATA_DIR}cache_dump.db";
statistics-file "${NAMED_DATA_DIR}named_stats.txt";
memstatistics-file "${NAMED_DATA_DIR}named_mem_stats.txt";
// Any host is permitted to issue recursive queries
allow-recursion { any; };
......@@ -32,16 +32,16 @@ options {
*/
logging {
channel default_debug {
file "data/named.run";
file "${NAMED_DATA_DIR}named.run";
severity dynamic;
print-time yes;
};
};
zone "." IN {
type hint;
file "named.ca";
};
${NAMED_ZONE_COMMENT}zone "." IN {
${NAMED_ZONE_COMMENT} type hint;
${NAMED_ZONE_COMMENT} file "named.ca";
${NAMED_ZONE_COMMENT}};
include "$RFC1912_ZONES";
include "$ROOT_KEY";
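Review bot: The new paths are formed by plain concatenation (`"${NAMED_DATA_DIR}cache_dump.db"`, `"${NAMED_DATA_DIR}named.run"`), so they are only correct when the substituted value is empty or ends in `/`. `${NAMED_ZONE_COMMENT}` likewise has to expand to either nothing or a comment leader. Neither contract is stated in the template. A comment near the top of the `options` block would make it explicit, for example `// NAMED_DATA_DIR must be empty or end with "/"; NAMED_ZONE_COMMENT is empty or "//"`. The exact values are set by the installer and are not visible here.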
......
#
# VERSION 28 - DO NOT REMOVE THIS LINE
# VERSION 29 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#
......@@ -41,7 +41,7 @@ WSGISocketPrefix $WSGI_PREFIX_DIR
# Configure mod_wsgi handler for /ipa
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
WSGIDaemonProcess ipa processes=$WSGI_PROCESSES threads=1 maximum-requests=500 \
user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647 \
lang=C.UTF-8 locale=C.UTF-8
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
......@@ -100,6 +100,11 @@ WSGIScriptReloading Off
# Target for login with internal connections
Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
# Turn off Apache authentication for i18n messages
<Location "/ipa/i18n_messages">
Require all granted
</Location>
# Turn off Apache authentication for password/token based login pages
<Location "/ipa/session/login_password">
Satisfy Any
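Review bot: The new `<Location "/ipa/i18n_messages">` block with `Require all granted` opens an unauthenticated path into the `ipa` WSGI application, and nothing in this section shows what the handler behind that URL will accept. A comment that states the intent would help reviewers of later changes, for example `# Unauthenticated by design: the handler for this path must serve only the i18n_messages command`. It is worth confirming that the server side rejects any other command sent to this URL and bounds the request size, since no Kerberos or session check runs first. The following `login_password` block continues outside this section.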
......
......@@ -32,7 +32,7 @@ import six
from optparse import SUPPRESS_HELP # pylint: disable=deprecated-module
from ipalib.install import sysrestore
from ipaserver.install import adtrust
from ipaserver.install import adtrust, service
from ipaserver.install.installutils import (
read_password,
check_server_configuration,
......@@ -212,6 +212,10 @@ def main():
adtrust.install_check(True, options, api)
adtrust.install(True, options, fstore, api)
# Enable configured services and update DNS SRV records
service.enable_services(api.env.host)
api.Command.dns_update_system_records()
print("""
=============================================================================
Setup complete
......
......@@ -342,18 +342,26 @@ def main():
)
api.finalize()
api.Backend.ldap2.connect()
domain_level = dsinstance.get_domain_level(api)
if domain_level > DOMAIN_LEVEL_0:
promote(safe_options, options, filename)
else:
install(safe_options, options, filename)
# pki-spawn restarts 389-DS, reconnect
api.Backend.ldap2.close()
api.Backend.ldap2.connect()
# Enable configured services and update DNS SRV records
service.enable_services(api.env.host)
api.Command.dns_update_system_records()
api.Backend.ldap2.disconnect()
# execute ipactl to refresh services status
ipautil.run([paths.IPACTL, 'start', '--ignore-service-failures'],
raiseonerr=False)
api.Backend.ldap2.disconnect()
fail_message = '''
Your system may be partly configured.
......
File mode changed from 100644 to 100755
......@@ -141,6 +141,7 @@ def main():
dns_installer.install_check(True, api, False, options, hostname=api.env.host)
dns_installer.install(True, False, options)
# Services are enabled in dns_installer.install()
# execute ipactl to refresh services status
ipautil.run([paths.IPACTL, 'start', '--ignore-service-failures'],
......
File mode changed from 100644 to 100755
File mode changed from 100644 to 100755
......@@ -43,10 +43,7 @@ A backup can not be restored in a different version of IPA.
Back up data only. The default is to back up all IPA files plus data.
.TP
\fB\-\-gpg\fR
Encrypt the back up file.
.TP
\fB\-\-gpg\-keyring\fR=\fIGPG_KEYRING\fR
The full path to a GPG keyring. The keyring consists of two files, a public and a private key (.sec and .pub respectively). Specify the path without an extension.
Encrypt the back up file. Set \fBGNUPGHOME\fR environment variable to use a custom keyring and gpg2 configuration.
.TP
\fB\-\-logs\fR
Include the IPA service log files in the backup.
......@@ -71,6 +68,10 @@ Log to the given file
1 if an error occurred
2 if IPA is not configured
.SH "ENVIRONMENT VARIABLES"
.PP
\fBGNUPGHOME\fR
Use custom GnuPG keyring and settings (default: \fB~/.gnupg\fR).
.SH "FILES"
.PP
\fI/var/lib/ipa/backup\fR
......@@ -83,4 +84,5 @@ The default directory for storing backup files.
The log file for backups
.PP
.SH "SEE ALSO"
ipa\-restore(1).
.BR ipa\-restore(1)
.BR gpg2(1)
\ No newline at end of file
......@@ -32,7 +32,7 @@ The type of backup is automatically detected. A data restore can be done from ei
.TP
\fBWARNING\fR: A full restore will restore files like /etc/passwd, /etc/group, /etc/resolv.conf as well. Any file that IPA may have touched is backed up and restored.
.TP
An encrypted backup is also automatically detected and the root keyring is used by default. The \-\-keyring option can be used to define the full path to the private and public keys.
An encrypted backup is also automatically detected and the root keyring and gpg-agent is used by default. Set \fBGNUPGHOME\fR environment variable to use a custom keyring and gpg2 configuration.
.TP
Within the subdirectory is file, header, that describes the back up including the type, system, date of backup, the version of IPA, the version of the backup and the services on the master.
.TP
......@@ -61,9 +61,6 @@ The Directory Manager password.
\fB\-\-data\fR
Restore the data only. The default is to restore everything in the backup.
.TP
\fB\-\-gpg\-keyring\fR=\fIGPG_KEYRING\fR
The full path to a GPG keyring. The keyring consists of two files, a public and a private key (.sec and .pub respectively). Specify the path without an extension.
.TP
\fB\-\-no\-logs\fR
Exclude the IPA service log files in the backup (if they were backed up).
.TP
......@@ -91,6 +88,10 @@ Log to the given file
0 if the command was successful
1 if an error occurred
.SH "ENVIRONMENT VARIABLES"
.PP
\fBGNUPGHOME\fR
Use custom GnuPG keyring and settings (default: \fB~/.gnupg\fR).
.SH "FILES"
.PP
\fI/var/lib/ipa/backup\fR
......@@ -103,4 +104,5 @@ The default directory for storing backup files.
The log file for restoration
.PP
.SH "SEE ALSO"
ipa\-backup(1).
.BR ipa\-backup(1)
.BR gpg2(1)
......@@ -27,10 +27,6 @@ QUnit - dual licensed under MIT and GPLv2 licenses
Font Awesome - code licensed under MIT license
* less/font-awesome
UglifyJS - licensed under BSD license
* util/uglifyjs/uglify-js.js
* utli/uglifyjs/lib/*
Dojo, Dojo Builder - dual licensed under BSD license and AFL version 2.1
* full license text in util/build/LICENSE
* util/build/build.js
......
File mode changed from 100755 to 100644
......@@ -17,9 +17,9 @@ var profile = (function(){
selectorEngine: "lite",
staticHasFeatures: {
"host-rhino":1,
"host-rhino":0,
"host-browser":0,
"host-node":0,
"host-node":1,
"dom":0,
"dojo-has-api":1,
"dojo-xhr-factory":0,
......
File mode changed from 100755 to 100644
......@@ -43,6 +43,11 @@ define([
*/
url: '/ipa/ui/',
/**
* i18n messages url
*/
i18n_messages_url: '/ipa/i18n_messages',
/**
* RPC url
*/
......
......@@ -76,13 +76,6 @@ var IPA = function () {
processData: false
};
/**
* i18n messages
* @deprecated
* @property {Object}
*/
that.messages = {};
/**
* User information
*
......@@ -175,14 +168,6 @@ var IPA = function () {
}
});
batch.add_command(rpc.command({
method: 'i18n_messages',
on_success: function(data, text_status, xhr) {
that.messages = data.texts;
i18n.source = that.messages;
}
}));
batch.add_command(rpc.command({
entity: 'config',
method: 'show',
......
......@@ -24,10 +24,10 @@ define([
'dojo/on',
'../facets/Facet',
'../phases',
'../reg'
'../reg',
'../text'
],
function(declare, lang, on, Facet, phases, reg) {
function(declare, lang, on, Facet, phases, reg, text) {
/**
* Load Facet plugin
......@@ -46,7 +46,7 @@ define([
{
$type: 'activity',
name: 'activity',
text: 'Loading',
text: text.get('@i18n:login.loading', 'Loading'),
visible: true
}
]
......@@ -64,4 +64,4 @@ define([
});
return load;
});