.freeipa-pr-ci.yaml

@@ -13,7 +13,7 @@ topologies:
     memory: 6700
 
 jobs:
-  fedora-27/build:
+  fedora-28/build:
     requires: []
     priority: 100
     job:
@@ -21,189 +21,224 @@ jobs:
       args:
         git_repo: '{git_repo}'
         git_refspec: '{git_refspec}'
-        template: &ci-master-f27
-          name: freeipa/ci-master-f27
-          version: 1.0.3
+        template: &ci-master-f28
+          name: freeipa/ci-master-f28
+          version: 0.1.5
         timeout: 1800
         topology: *build
 
-  fedora-27/simple_replication:
-    requires: [fedora-27/build]
+  fedora-28/simple_replication:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_simple_replication.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/caless:
-    requires: [fedora-27/build]
+  fedora-28/caless:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_caless.py::TestServerReplicaCALessToCAFull
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/external_ca:
-    requires: [fedora-27/build]
+  fedora-28/external_ca_1:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_external_ca.py::TestExternalCA test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall
-        template: *ci-master-f27
+        build_url: '{fedora-28/build_url}'
+        test_suite: test_integration/test_external_ca.py::TestExternalCA
+        template: *ci-master-f28
+        timeout: 3600
+        topology: *master_1repl_1client
+
+  fedora-28/external_ca_2:
+    requires: [fedora-28/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-28/build_url}'
+        test_suite: test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/test_topologies:
-    requires: [fedora-27/build]
+  fedora-28/test_topologies:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_topologies.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/test_sudo:
-    requires: [fedora-27/build]
+  fedora-28/test_sudo:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_sudo.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl_1client
 
-  fedora-27/test_ipa_cli:
-    requires: [fedora-27/build]
+  fedora-28/test_commands:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
-        test_suite: test_integration/test_ipa_cli.py
-        template: *ci-master-f27
+        build_url: '{fedora-28/build_url}'
+        test_suite: test_integration/test_commands.py
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/test_kerberos_flags:
-    requires: [fedora-27/build]
+  fedora-28/test_kerberos_flags:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_kerberos_flags.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl_1client
 
-  fedora-27/test_http_kdc_proxy:
-    requires: [fedora-27/build]
+  fedora-28/test_http_kdc_proxy:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_http_kdc_proxy.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl_1client
 
-  fedora-27/test_forced_client_enrolment:
-    requires: [fedora-27/build]
+  fedora-28/test_forced_client_enrolment:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_forced_client_reenrollment.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl_1client
 
-  fedora-27/test_advise:
-    requires: [fedora-27/build]
+  fedora-28/test_advise:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_advise.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/test_testconfig:
-    requires: [fedora-27/build]
+  fedora-28/test_testconfig:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_testconfig.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/test_service_permissions:
-    requires: [fedora-27/build]
+  fedora-28/test_service_permissions:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_service_permissions.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/test_netgroup:
-    requires: [fedora-27/build]
+  fedora-28/test_netgroup:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_netgroup.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl
 
-  fedora-27/test_vault:
-    requires: [fedora-27/build]
+  fedora-28/test_vault:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_vault.py
-        template: *ci-master-f27
-        timeout: 3600
+        template: *ci-master-f28
+        timeout: 4500
         topology: *master_1repl
 
-  fedora-27/test_authconfig:
-    requires: [fedora-27/build]
+  fedora-28/test_authconfig:
+    requires: [fedora-28/build]
     priority: 50
     job:
       class: RunPytest
       args:
-        build_url: '{fedora-27/build_url}'
+        build_url: '{fedora-28/build_url}'
         test_suite: test_integration/test_authselect.py
-        template: *ci-master-f27
+        template: *ci-master-f28
         timeout: 3600
         topology: *master_1repl_1client
 
+  fedora-28/replica_promotion:
+    requires: [fedora-28/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-28/build_url}'
+        test_suite: test_integration/test_replica_promotion.py::TestSubCAkeyReplication
+        template: *ci-master-f28
+        timeout: 3600
+        topology: *master_1repl
+
+  fedora-28/dnssec:
+    requires: [fedora-28/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-28/build_url}'
+        test_suite: test_integration/test_dnssec.py::TestInstallDNSSECFirst
+        template: *ci-master-f28
+        timeout: 3600
+        topology: *master_1repl

.test_runner_config.yaml

@@ -28,7 +28,7 @@ steps:
   builddep:
   - rm -rf /var/cache/dnf/*
   - "dnf makecache || :"
-  - dnf builddep -y ${builddep_opts} -D "with_wheels 1" --spec freeipa.spec.in --best --allowerasing
+  - dnf builddep -y ${builddep_opts} -D "with_wheels 1" --spec freeipa.spec.in --best --allowerasing --setopt=install_weak_deps=False
   - dnf install -y gdb
   cleanup:
   - chown -R ${uid}:${gid} ${container_working_dir}
@@ -47,6 +47,7 @@ steps:
   configure:
   - ./autogen.sh
   install_packages:
+  - sed -i 's/%_install_langs \(.*\)/\0:fr/g' /etc/rpm/macros.image-language-conf
   - dnf install -y ${container_working_dir}/dist/rpms/*.rpm --best --allowerasing
   install_server:
   - ipa-server-install -U --domain ${server_domain} --realm ${server_realm} -p ${server_password}

.test_runner_config_py3_temp.yaml

@@ -30,7 +30,7 @@ steps:
   builddep:
   - rm -rf /var/cache/dnf/*
   - "dnf makecache || :"
-  - dnf builddep -y ${builddep_opts} --spec freeipa.spec.in --best --allowerasing
+  - dnf builddep -y ${builddep_opts} --spec freeipa.spec.in --best --allowerasing --setopt=install_weak_deps=False
   - dnf install -y gdb
   cleanup:
   - chown -R ${uid}:${gid} ${container_working_dir}
@@ -47,6 +47,7 @@ steps:
   configure:
   - ./autogen.sh
   install_packages:
+  - sed -i 's/%_install_langs \(.*\)/\0:fr/g' /etc/rpm/macros.image-language-conf
   - dnf install -y ${container_working_dir}/dist/rpms/*.rpm --best --allowerasing
   - dnf install -y python3-mod_wsgi --best --allowerasing  # Py3 temporary
   install_server:

.travis_run_task.sh

@@ -38,8 +38,9 @@ if [[ "$TASK_TO_RUN" == "lint" ]]
 then
     if [[ "$TRAVIS_EVENT_TYPE" == "pull_request" ]]
     then
-        git diff origin/$TRAVIS_BRANCH -U0 | pycodestyle --diff &> $PEP8_ERROR_LOG ||:
-    fi 
+        git diff origin/$TRAVIS_BRANCH -U0 | \
+            pycodestyle --ignore=W504 --diff &> $PEP8_ERROR_LOG ||:
+    fi
 fi
 
 if [[ -n "$TESTS_TO_RUN" ]]

API.txt

@@ -3962,7 +3962,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('description?', cli_name='desc')
 option: Int('ipatokenradiusretries?', cli_name='retries')
 option: Password('ipatokenradiussecret', cli_name='secret', confirm=True)
-option: Str('ipatokenradiusserver+', cli_name='server')
+option: Str('ipatokenradiusserver', cli_name='server')
 option: Int('ipatokenradiustimeout?', cli_name='timeout')
 option: Str('ipatokenusermapattribute?', cli_name='userattr')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -3987,7 +3987,7 @@ option: Str('cn?', autofill=False, cli_name='name')
 option: Str('description?', autofill=False, cli_name='desc')
 option: Int('ipatokenradiusretries?', autofill=False, cli_name='retries')
 option: Password('ipatokenradiussecret?', autofill=False, cli_name='secret', confirm=True)
-option: Str('ipatokenradiusserver*', autofill=False, cli_name='server')
+option: Str('ipatokenradiusserver?', autofill=False, cli_name='server')
 option: Int('ipatokenradiustimeout?', autofill=False, cli_name='timeout')
 option: Str('ipatokenusermapattribute?', autofill=False, cli_name='userattr')
 option: Flag('pkey_only?', autofill=True, default=False)
@@ -4008,7 +4008,7 @@ option: Str('delattr*', cli_name='delattr')
 option: Str('description?', autofill=False, cli_name='desc')
 option: Int('ipatokenradiusretries?', autofill=False, cli_name='retries')
 option: Password('ipatokenradiussecret?', autofill=False, cli_name='secret', confirm=True)
-option: Str('ipatokenradiusserver*', autofill=False, cli_name='server')
+option: Str('ipatokenradiusserver?', autofill=False, cli_name='server')
 option: Int('ipatokenradiustimeout?', autofill=False, cli_name='timeout')
 option: Str('ipatokenusermapattribute?', autofill=False, cli_name='userattr')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -4425,9 +4425,10 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: server_role_find/1
-args: 1,8,4
+args: 1,9,4
 arg: Str('criteria?')
 option: Flag('all', autofill=True, cli_name='all', default=False)
+option: Flag('include_master', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Str('role_servrole?', autofill=False, cli_name='role')
 option: Str('server_server?', autofill=False, cli_name='server')

BUILD.txt

@@ -7,7 +7,7 @@ For more information, see http://www.freeipa.org/page/Build
 
 The quickest way to get the dependencies needed for building is:
 
-# dnf builddep -b -D "with_python3 1" -D "with_wheels 1" -D "with_lint 1" --spec freeipa.spec.in --best --allowerasing
+# dnf builddep -b -D "with_wheels 1" -D "with_lint 1" --spec freeipa.spec.in --best --allowerasing --setopt=install_weak_deps=False
 
 TIP: For building with latest dependencies for freeipa master enable copr repo:
 

Contributors.txt

@@ -29,6 +29,7 @@ Developers:
 	Nalin Dahyabhai
 	Rishabh Dave
 	Don Davis
+	Nikhil Dehadrai
 	John Dennis
 	Jason Gerard DeRose
 	Günther Deschner
@@ -71,6 +72,7 @@ Developers:
 	Peter Lacko
 	Stanislav Laznicka
 	Ade Lee
+	Stanislav Levin
 	Ben Lipton
 	Karl MacMillan
 	Niranjan Mallapadi
@@ -81,17 +83,23 @@ Developers:
 	Kevin McCarthy
 	Mark McLoughlin
 	Rich Megginson
+	Sudhir Menon
 	Jim Meyering
 	Adam Misnyovszki
+	Takeshi MIZUTA
+	Anuja More
 	John Morris
 	Niranjan MR
 	Brian J. Murrell
+	Varun Mylaraiah
 	Marko Myllynen
 	Martin Nagy
+	Armando Neto
 	David O'Brien
 	Dmitri Pal
 	Jan Pazdziora
 	W. Michael Petullo
+	Pavel Picka
 	Gowrishankar Rajaiyan
 	realsobek
 	Michal Reznik
@@ -102,6 +110,7 @@ Developers:
 	Lenka Ryznarova
 	Thorsten Scherf
 	shanyin
+	Kaleemullah Siddiqui
 	Michael Simacek
 	Lars Sjostrom
 	Filip Skola
@@ -110,6 +119,7 @@ Developers:
 	Simo Sorce
 	Petr Špaček
 	David Spångberg
+	Justin Stephenson
 	Diane Trout
 	Fraser Tweedale
 	Petr Viktorin

VERSION.m4

@@ -20,8 +20,8 @@
 #  ->  "1.0.0"                                         #
 ########################################################
 define(IPA_VERSION_MAJOR, 4)
-define(IPA_VERSION_MINOR, 6)
-define(IPA_VERSION_RELEASE, 90)
+define(IPA_VERSION_MINOR, 7)
+define(IPA_VERSION_RELEASE, 0)
 
 ########################################################
 # For 'pre' releases the version will be               #
@@ -31,7 +31,7 @@ define(IPA_VERSION_RELEASE, 90)
 # e.g. define(IPA_VERSION_PRE_RELEASE, rc1)            #
 #  ->  "1.0.0rc1"                                      #
 ########################################################
-define(IPA_VERSION_PRE_RELEASE, .pre2)
+define(IPA_VERSION_PRE_RELEASE, )
 
 ########################################################
 # To mark GIT snapshots this should be set to 'yes'    #

client/Makefile.am

@@ -80,6 +80,7 @@ ipa_join_SOURCES =		\
 	$(NULL)
 
 ipa_join_LDADD = 		\
+	$(top_builddir)/util/libutil.la	\
 	$(KRB5_LIBS)		\
 	$(LDAP_LIBS)		\
 	$(SASL_LIBS)		\
@@ -89,6 +90,7 @@ ipa_join_LDADD = 		\
 	$(NULL)
 
 SUBDIRS =			\
+	share		\
 	man			\
 	$(NULL)
 

client/ipa-client-automount

@@ -43,6 +43,8 @@ from six.moves.urllib.parse import urlsplit
 from optparse import OptionParser  # pylint: disable=deprecated-module
 
 from ipaclient.install import ipachangeconf, ipadiscovery
+from ipaclient.install.client import (CLIENT_NOT_CONFIGURED,
+    CLIENT_ALREADY_CONFIGURED)
 from ipalib import api, errors
 from ipalib.install import sysrestore
 from ipalib.install.kinit import kinit_keytab
@@ -189,7 +191,8 @@ def configure_autofs_sssd(fstore, statestore, autodiscover, options):
             domain.add_provider('ipa', 'autofs')
             try:
                 domain.get_option('ipa_automount_location')
-                sys.exit('An automount location is already configured')
+                print('An automount location is already configured')
+                sys.exit(CLIENT_ALREADY_CONFIGURED)
             except SSSDConfig.NoOptionError:
                 domain.set_option('ipa_automount_location', options.location)
                 break
@@ -252,17 +255,31 @@ def configure_autofs_common(fstore, statestore, options):
                      autofs.service_name, str(e))
 
 def uninstall(fstore, statestore):
+    RESTORE_FILES=[
+       paths.SYSCONFIG_AUTOFS,
+       paths.NSSWITCH_CONF,
+       paths.AUTOFS_LDAP_AUTH_CONF,
+       paths.SYSCONFIG_NFS,
+       paths.IDMAPD_CONF,
+    ]
+    STATES=['autofs', 'rpcidmapd', 'rpcgssd']
+
+    # automount only touches /etc/nsswitch.conf if LDAP is
+    # used. Don't restore it otherwise.
+    if (statestore.get_state('authconfig', 'sssd') or
+            (statestore.get_state('authselect', 'profile') == 'sssd')):
+        RESTORE_FILES.remove(paths.NSSWITCH_CONF)
+
+    if (not any(fstore.has_file(f) for f in RESTORE_FILES) or
+             not any(statestore.has_state(s) for s in STATES)):
+        print("IPA automount is not configured on this system")
+        return CLIENT_NOT_CONFIGURED
+
     print("Restoring configuration")
-    if fstore.has_file(paths.SYSCONFIG_AUTOFS):
-        fstore.restore_file(paths.SYSCONFIG_AUTOFS)
-    if fstore.has_file(paths.NSSWITCH_CONF):
-        fstore.restore_file(paths.NSSWITCH_CONF)
-    if fstore.has_file(paths.AUTOFS_LDAP_AUTH_CONF):
-        fstore.restore_file(paths.AUTOFS_LDAP_AUTH_CONF)
-    if fstore.has_file(paths.SYSCONFIG_NFS):
-        fstore.restore_file(paths.SYSCONFIG_NFS)
-    if fstore.has_file(paths.IDMAPD_CONF):
-        fstore.restore_file(paths.IDMAPD_CONF)
+
+    for filepath in RESTORE_FILES:
+        if fstore.has_file(filepath):
+            fstore.restore_file(filepath)
     if statestore.has_state('autofs'):
         enabled = statestore.restore_state('autofs', 'enabled')
         running = statestore.restore_state('autofs', 'running')
@@ -382,7 +399,8 @@ def main():
     try:
         check_client_configuration()
     except ScriptError as e:
-        sys.exit(e)
+        print(e.msg)
+        sys.exit(e.rval)
 
     fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
     statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
@@ -412,7 +430,8 @@ def main():
         ca_cert_path = paths.IPA_CA_CRT
 
     if statestore.has_state('autofs'):
-        sys.exit('automount is already configured on this system.\n')
+        print('An automount location is already configured')
+        sys.exit(CLIENT_ALREADY_CONFIGURED)
 
     autodiscover = False
     ds = ipadiscovery.IPADiscovery()

client/ipa-getkeytab.c

@@ -43,14 +43,8 @@
 #include "ipa_krb5.h"
 #include "ipa_asn1.h"
 #include "ipa-client-common.h"
+#include "ipa_ldap.h"
 
-#define DEFAULT_CA_CERT_FILE "/etc/ipa/ca.crt"
-
-#define LDAP_SASL_EXTERNAL "EXTERNAL"
-#define LDAP_SASL_GSSAPI "GSSAPI"
-
-#define SCHEMA_LDAP "ldap://"
-#define SCHEMA_LDAPS "ldaps://"
 
 static int check_sasl_mech(const char *mech)
 {
@@ -178,42 +172,6 @@ static int ipa_server_to_uri(const char *servername, const char *mech,
     return 0;
 }
 
-static int ipa_ldap_init(LDAP **ld, const char *ldap_uri)
-{
-    int rc = 0;
-    rc = ldap_initialize(ld, ldap_uri);
-
-    return rc;
-}
-
-static int ipa_tls_ssl_init(LDAP *ld, const char *ldap_uri)
-{
-    int ret = LDAP_SUCCESS;
-    int tls_hard = LDAP_OPT_X_TLS_HARD;
-    int tls_demand = LDAP_OPT_X_TLS_DEMAND;
-
-    if (strncmp(ldap_uri, SCHEMA_LDAP, sizeof(SCHEMA_LDAP) - 1) == 0) {
-        ret = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &tls_demand);
-        if (ret != LDAP_OPT_SUCCESS) {
-            fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_REQUIRE_CERT\n"));
-            return ret;
-        }
-        ret = ldap_start_tls_s(ld, NULL, NULL);
-        if (ret != LDAP_SUCCESS) {
-            fprintf(stderr, _("Unable to initialize STARTTLS session\n"));
-            return ret;
-        }
-    } else if (strncmp(ldap_uri, SCHEMA_LDAPS, sizeof(SCHEMA_LDAPS) - 1) == 0) {
-        ret = ldap_set_option(ld, LDAP_OPT_X_TLS, &tls_hard);
-        if (ret != LDAP_OPT_SUCCESS) {
-            fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS\n"));
-            return ret;
-        }
-    }
-    return ret;
-
-}
-
 static int ipa_ldap_bind(const char *ldap_uri, krb5_principal bind_princ,
                          const char *bind_dn, const char *bind_pw,
                          const char *mech, const char *ca_cert_file,
@@ -221,20 +179,12 @@ static int ipa_ldap_bind(const char *ldap_uri, krb5_principal bind_princ,
 {
     char *msg = NULL;
     struct berval bv;
-    int version;
     LDAP *ld;
     int ret;
 
     /* TODO: support referrals ? */
-    ret = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, ca_cert_file);
-    if (ret != LDAP_OPT_SUCCESS) {
-        fprintf(stderr, _("Unable to set LDAP_OPT_X_TLS_CERTIFICATE\n"));
-        return ret;
-    }
-
     ret = ipa_ldap_init(&ld, ldap_uri);
     if (ret != LDAP_SUCCESS) {
-        fprintf(stderr, _("Unable to init connection to %s\n"), ldap_uri);
         return ret;
     }
 
@@ -243,23 +193,7 @@ static int ipa_ldap_bind(const char *ldap_uri, krb5_principal bind_princ,
         return LDAP_OPERATIONS_ERROR;
     }
 
-#ifdef LDAP_OPT_X_SASL_NOCANON
-    /* Don't do DNS canonicalization */
-    ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
-    if (ret != LDAP_SUCCESS) {
-	fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
-        goto done;
-    }
-#endif
-
-    version = LDAP_VERSION3;
-    ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
-    if (ret != LDAP_SUCCESS) {
-	fprintf(stderr, _("Unable to set LDAP_OPT_PROTOCOL_VERSION\n"));
-	goto done;
-    }
-
-    ret = ipa_tls_ssl_init(ld, ldap_uri);
+    ret = ipa_tls_ssl_init(ld, ldap_uri, ca_cert_file);
     if (ret != LDAP_OPT_SUCCESS) {
         goto done;
     }

client/ipa-join.c

@@ -39,13 +39,12 @@
 #include "xmlrpc-c/client.h"
 
 #include "ipa-client-common.h"
+#include "ipa_ldap.h"
 
 #define NAME "ipa-join"
 
 #define JOIN_OID "2.16.840.1.113730.3.8.10.3"
 
-#define CAFILE "/etc/ipa/ca.crt"
-
 #define IPA_CONFIG "/etc/ipa/default.conf"
 
 char * read_config_file(const char *filename);
@@ -200,8 +199,6 @@ callRPC(char * user_agent,
 static LDAP *
 connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
     LDAP *ld = NULL;
-    int ssl = LDAP_OPT_X_TLS_HARD;
-    int version = LDAP_VERSION3;
     int ret;
     int ldapdebug = 0;
     char *uri;
@@ -215,40 +212,23 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
         }
     }
 
-    if (ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, CAFILE) != LDAP_OPT_SUCCESS)
-        goto fail;
-
     ret = asprintf(&uri, "ldaps://%s:636", hostname);
     if (ret == -1) {
         fprintf(stderr, _("Out of memory!"));
         goto fail;
     }
 
-    ret = ldap_initialize(&ld, uri);
-    free(uri);
-    if(ret != LDAP_SUCCESS) {
-        fprintf(stderr, _("Unable to initialize connection to ldap server: %s"),
-                        ldap_err2string(ret));
-        goto fail;
-    }
-
-    if (ldap_set_option(ld, LDAP_OPT_X_TLS, &ssl) != LDAP_OPT_SUCCESS) {
-        fprintf(stderr, _("Unable to enable SSL in LDAP\n"));
-        goto fail;
-    }
-
-    /* Don't do DNS canonicalization */
-    ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
+    ret = ipa_ldap_init(&ld, uri);
     if (ret != LDAP_SUCCESS) {
-        fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
         goto fail;
     }
-
-    ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
+    ret = ipa_tls_ssl_init(ld, uri, DEFAULT_CA_CERT_FILE);
     if (ret != LDAP_SUCCESS) {
-        fprintf(stderr, _("Unable to set LDAP version\n"));
+        fprintf(stderr, _("Unable to enable SSL in LDAP\n"));
         goto fail;
     }
+    free(uri);
+    uri = NULL;
 
     if (bindpw) {
         bindpw_bv.bv_val = discard_const(bindpw);
@@ -276,6 +256,9 @@ fail:
     if (ld != NULL) {
         ldap_unbind_ext(ld, NULL, NULL);
     }
+    if (uri != NULL) {
+        free(uri);
+    }
     return NULL;
 }
 

client/man/ipa-client-automount.1

@@ -87,3 +87,7 @@ Files that will be configured when using the ldap automount client:
 0 if the installation was successful
 
 1 if an error occurred
+
+2 if uninstalling and automount is not configured
+
+3 if installing and automount already configured

client/share/Makefile.am

+NULL =
+
+appdir = $(IPA_DATA_DIR)/client
+dist_app_DATA =				\
+	freeipa.template		\
+	$(NULL)

configure.ac

@@ -504,6 +504,7 @@ AC_CONFIG_FILES([
     asn1/Makefile
     asn1/asn1c/Makefile
     client/Makefile
+    client/share/Makefile
     client/man/Makefile
     contrib/completion/Makefile
     contrib/Makefile

daemons/ipa-otpd/queue.c

@@ -155,7 +155,7 @@ struct otpd_queue_item *otpd_queue_pop_msgid(struct otpd_queue *q, int msgid)
 
     for (item = q->head, prev = &q->head;
          item != NULL;
-         item = item->next, prev = &item->next) {
+         prev = &item->next, item = item->next) {
         if (item->msgid == msgid) {
             *prev = item->next;
             if (q->head == NULL)

daemons/ipa-otpd/test.py

-#!/usr/bin/python3
 #
 # FreeIPA 2FA companion daemon
 #

daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c

@@ -595,7 +595,8 @@ parse_req_done:
     } else {
         principal = slapi_ch_smprintf("root/admin@%s", krbcfg->realm);
     }
-    ipapwd_set_extradata(pwdata.dn, principal, pwdata.timeNow);
+    if (principal)
+        ipapwd_set_extradata(pwdata.dn, principal, pwdata.timeNow);
 
 	/* Free anything that we allocated above */
 free_and_return:

freeipa.doap.rdf

+<?xml version="1.0"?>
+<?xml-stylesheet type="text/xsl"?>
+<rdf:RDF xml:lang="en" xmlns="http://usefulinc.com/ns/doap#" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:foaf="http://xmlns.com/foaf/0.1/">
+    <Project rdf:about="https://www.freeipa.org">
+        <created>2005-06-01</created>
+        <name>FreeIPA Project</name>
+        <shortname>FreeIPA</shortname>
+        <homepage rdf:resource="https://www.freeipa.org" />
+        <shortdesc>FreeIPA is the upstream open-source project for Red Hat Identity Manager</shortdesc>
+        <description>FreeIPA is an integrated security information management solution combining Linux (Fedora), 389 Directory Server, MIT Kerberos, Chronyd, DNS, Dogtag (Certificate System). It consists of a web interface and command-line administration tools.</description>
+        <bug-database rdf:resource="https://pagure.io/freeipa/" />
+        <mailing-list rdf:resource="https://www.freeipa.org/page/Contribute" />
+        <mailing-list>freeipa-interest@redhat.com</mailing-list>
+        <mailing-list>freeipa-devel@lists.fedorahosted.org</mailing-list>
+        <mailing-list>freeipa-users@lists.fedorahosted.org</mailing-list>
+        <download-page rdf:resource="https://www.freeipa.org/page/Downloads" />
+        <programming-language>C</programming-language>
+        <programming-language>Python</programming-language>
+        <repository>
+          <GitBranch>
+            <location rdf:resource="https://github.com/freeipa/freeipa.git" />
+            <browse rdf:resource="https://github.com/freeipa/freeipa" />
+          </GitBranch>
+        </repository>
+    </Project>
+</rdf:RDF>

install/restart_scripts/renew_ca_cert

@@ -28,11 +28,12 @@ import shutil
 import traceback
 
 from ipalib.install import certstore
+from ipapython import directivesetter
 from ipapython import ipautil
 from ipalib import api, errors
 from ipalib import x509
 from ipalib.install.kinit import kinit_keytab
-from ipaserver.install import certs, cainstance, installutils
+from ipaserver.install import certs, cainstance
 from ipaserver.plugins.ldap2 import ldap2
 from ipaplatform import services
 from ipaplatform.paths import paths
@@ -104,22 +105,22 @@ def _main():
         elif nickname == 'caSigningCert cert-pki-ca':
             # Update CS.cfg
             cfg_path = paths.CA_CS_CFG_PATH
-            config = installutils.get_directive(
+            config = directivesetter.get_directive(
                 cfg_path, 'subsystem.select', '=')
             if config == 'New':
                 syslog.syslog(syslog.LOG_NOTICE, "Updating CS.cfg")
                 if cert.is_self_signed():
-                    installutils.set_directive(
+                    directivesetter.set_directive(
                         cfg_path, 'hierarchy.select', 'Root',
                         quotes=False, separator='=')
-                    installutils.set_directive(
+                    directivesetter.set_directive(
                         cfg_path, 'subsystem.count', '1',
                         quotes=False, separator='=')
                 else:
-                    installutils.set_directive(
+                    directivesetter.set_directive(
                         cfg_path, 'hierarchy.select', 'Subordinate',
                         quotes=False, separator='=')
-                    installutils.set_directive(
+                    directivesetter.set_directive(
                         cfg_path, 'subsystem.count', '0',
                         quotes=False, separator='=')
             else:

install/share/Makefile.am

@@ -51,7 +51,6 @@ dist_app_DATA =				\
 	kdc_req.conf.template		\
 	krb5.conf.template		\
 	krb5.ini.template		\
-	freeipa.template		\
 	krb.con.template		\
 	krbrealm.con.template		\
 	smb.conf.template		\

install/share/bind.named.conf.template

@@ -4,9 +4,9 @@ options {
 
 	// Put files that named is allowed to write in the data/ directory:
 	directory "$NAMED_VAR_DIR"; // the default
-	dump-file		"data/cache_dump.db";
-	statistics-file		"data/named_stats.txt";
-	memstatistics-file	"data/named_mem_stats.txt";
+	dump-file		"${NAMED_DATA_DIR}cache_dump.db";
+	statistics-file		"${NAMED_DATA_DIR}named_stats.txt";
+	memstatistics-file	"${NAMED_DATA_DIR}named_mem_stats.txt";
 
 	// Any host is permitted to issue recursive queries
 	allow-recursion { any; };
@@ -32,16 +32,16 @@ options {
  */
 logging {
 	channel default_debug {
-		file "data/named.run";
+		file "${NAMED_DATA_DIR}named.run";
 		severity dynamic;
 		print-time yes;
 	};
 };
 
-zone "." IN {
-	type hint;
-	file "named.ca";
-};
+${NAMED_ZONE_COMMENT}zone "." IN {
+${NAMED_ZONE_COMMENT}	type hint;
+${NAMED_ZONE_COMMENT}	file "named.ca";
+${NAMED_ZONE_COMMENT}};
 
 include "$RFC1912_ZONES";
 include "$ROOT_KEY";

install/share/ipa.conf.template

 #
-# VERSION 28 - DO NOT REMOVE THIS LINE
+# VERSION 29 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -41,7 +41,7 @@ WSGISocketPrefix $WSGI_PREFIX_DIR
 
 
 # Configure mod_wsgi handler for /ipa
-WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
+WSGIDaemonProcess ipa processes=$WSGI_PROCESSES threads=1 maximum-requests=500 \
   user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647 \
   lang=C.UTF-8 locale=C.UTF-8
 WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
@@ -100,6 +100,11 @@ WSGIScriptReloading Off
 # Target for login with internal connections
 Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
 
+# Turn off Apache authentication for i18n messages
+<Location "/ipa/i18n_messages">
+  Require all granted
+</Location>
+
 # Turn off Apache authentication for password/token based login pages
 <Location "/ipa/session/login_password">
   Satisfy Any

install/tools/ipa-adtrust-install

@@ -32,7 +32,7 @@ import six
 from optparse import SUPPRESS_HELP  # pylint: disable=deprecated-module
 
 from ipalib.install import sysrestore
-from ipaserver.install import adtrust
+from ipaserver.install import adtrust, service
 from ipaserver.install.installutils import (
     read_password,
     check_server_configuration,
@@ -212,6 +212,10 @@ def main():
     adtrust.install_check(True, options, api)
     adtrust.install(True, options, fstore, api)
 
+    # Enable configured services and update DNS SRV records
+    service.enable_services(api.env.host)
+    api.Command.dns_update_system_records()
+
     print("""
 =============================================================================
 Setup complete

install/tools/ipa-ca-install

@@ -342,18 +342,26 @@ def main():
     )
     api.finalize()
     api.Backend.ldap2.connect()
-
     domain_level = dsinstance.get_domain_level(api)
+
     if domain_level > DOMAIN_LEVEL_0:
         promote(safe_options, options, filename)
     else:
         install(safe_options, options, filename)
 
+    # pki-spawn restarts 389-DS, reconnect
+    api.Backend.ldap2.close()
+    api.Backend.ldap2.connect()
+
+    # Enable configured services and update DNS SRV records
+    service.enable_services(api.env.host)
+    api.Command.dns_update_system_records()
+    api.Backend.ldap2.disconnect()
+
     # execute ipactl to refresh services status
     ipautil.run([paths.IPACTL, 'start', '--ignore-service-failures'],
                 raiseonerr=False)
 
-    api.Backend.ldap2.disconnect()
 
 fail_message = '''
 Your system may be partly configured.

install/tools/ipa-dns-install

@@ -141,6 +141,7 @@ def main():
 
     dns_installer.install_check(True, api, False, options, hostname=api.env.host)
     dns_installer.install(True, False, options)
+    # Services are enabled in dns_installer.install()
 
     # execute ipactl to refresh services status
     ipautil.run([paths.IPACTL, 'start', '--ignore-service-failures'],

install/tools/man/ipa-backup.1

@@ -43,10 +43,7 @@ A backup can not be restored in a different version of IPA.
 Back up data only. The default is to back up all IPA files plus data.
 .TP
 \fB\-\-gpg\fR
-Encrypt the back up file.
-.TP
-\fB\-\-gpg\-keyring\fR=\fIGPG_KEYRING\fR
-The full path to a GPG keyring. The keyring consists of two files, a public and a private key (.sec and .pub respectively). Specify the path without an extension.
+Encrypt the back up file. Set \fBGNUPGHOME\fR environment variable to use a custom keyring and gpg2 configuration.
 .TP
 \fB\-\-logs\fR
 Include the IPA service log files in the backup.
@@ -71,6 +68,10 @@ Log to the given file
 1 if an error occurred
 
 2 if IPA is not configured
+.SH "ENVIRONMENT VARIABLES"
+.PP
+\fBGNUPGHOME\fR
+Use custom GnuPG keyring and settings (default: \fB~/.gnupg\fR).
 .SH "FILES"
 .PP
 \fI/var/lib/ipa/backup\fR
@@ -83,4 +84,5 @@ The default directory for storing backup files.
 The log file for backups
 .PP
 .SH "SEE ALSO"
-ipa\-restore(1).
+.BR ipa\-restore(1)
+.BR gpg2(1)
\ No newline at end of file

install/tools/man/ipa-restore.1

@@ -32,7 +32,7 @@ The type of backup is automatically detected. A data restore can be done from ei
 .TP
 \fBWARNING\fR: A full restore will restore files like /etc/passwd, /etc/group, /etc/resolv.conf as well. Any file that IPA may have touched is backed up and restored.
 .TP
-An encrypted backup is also automatically detected and the root keyring is used by default. The \-\-keyring option can be used to define the full path to the private and public keys.
+An encrypted backup is also automatically detected and the root keyring and gpg-agent is used by default. Set \fBGNUPGHOME\fR environment variable to use a custom keyring and gpg2 configuration.
 .TP
 Within the subdirectory is file, header, that describes the back up including the type, system, date of backup, the version of IPA, the version of the backup and the services on the master.
 .TP
@@ -61,9 +61,6 @@ The Directory Manager password.
 \fB\-\-data\fR
 Restore the data only. The default is to restore everything in the backup.
 .TP
-\fB\-\-gpg\-keyring\fR=\fIGPG_KEYRING\fR
-The full path to a GPG keyring. The keyring consists of two files, a public and a private key (.sec and .pub respectively). Specify the path without an extension.
-.TP
 \fB\-\-no\-logs\fR
 Exclude the IPA service log files in the backup (if they were backed up).
 .TP
@@ -91,6 +88,10 @@ Log to the given file
 0 if the command was successful
 
 1 if an error occurred
+.SH "ENVIRONMENT VARIABLES"
+.PP
+\fBGNUPGHOME\fR
+Use custom GnuPG keyring and settings (default: \fB~/.gnupg\fR).
 .SH "FILES"
 .PP
 \fI/var/lib/ipa/backup\fR
@@ -103,4 +104,5 @@ The default directory for storing backup files.
 The log file for restoration
 .PP
 .SH "SEE ALSO"
-ipa\-backup(1).
+.BR ipa\-backup(1)
+.BR gpg2(1)

install/ui/README-LICENSE.txt

@@ -27,10 +27,6 @@ QUnit - dual licensed under MIT and GPLv2 licenses
 Font Awesome - code licensed under MIT license
  * less/font-awesome
 
-UglifyJS - licensed under BSD license
- * util/uglifyjs/uglify-js.js
- * utli/uglifyjs/lib/*
-
 Dojo, Dojo Builder - dual licensed under BSD license and AFL version 2.1
  * full license text in util/build/LICENSE
  * util/build/build.js

install/ui/src/build.profile.js

@@ -17,9 +17,9 @@ var profile = (function(){
         selectorEngine: "lite",
 
         staticHasFeatures: {
-            "host-rhino":1,
+            "host-rhino":0,
             "host-browser":0,
-            "host-node":0,
+            "host-node":1,
             "dom":0,
             "dojo-has-api":1,
             "dojo-xhr-factory":0,

install/ui/src/freeipa/config.js

@@ -43,6 +43,11 @@ define([
          */
         url: '/ipa/ui/',
 
+        /**
+         * i18n messages url
+         */
+        i18n_messages_url: '/ipa/i18n_messages',
+
         /**
          * RPC url
          */

install/ui/src/freeipa/ipa.js

@@ -76,13 +76,6 @@ var IPA = function () {
         processData: false
     };
 
-    /**
-     * i18n messages
-     * @deprecated
-     * @property {Object}
-     */
-    that.messages = {};
-
     /**
      * User information
      *
@@ -175,14 +168,6 @@ var IPA = function () {
             }
         });
 
-        batch.add_command(rpc.command({
-            method: 'i18n_messages',
-            on_success: function(data, text_status, xhr) {
-                that.messages = data.texts;
-                i18n.source = that.messages;
-            }
-        }));
-
         batch.add_command(rpc.command({
             entity: 'config',
             method: 'show',

install/ui/src/freeipa/plugins/load_page.js

@@ -24,10 +24,10 @@ define([
     'dojo/on',
     '../facets/Facet',
     '../phases',
-    '../reg'
-
+    '../reg',
+    '../text'
    ],
-   function(declare, lang, on, Facet, phases, reg) {
+   function(declare, lang, on, Facet, phases, reg, text) {
 
     /**
      * Load Facet plugin
@@ -46,7 +46,7 @@ define([
             {
                 $type: 'activity',
                 name: 'activity',
-                text: 'Loading',
+                text: text.get('@i18n:login.loading', 'Loading'),
                 visible: true
             }
         ]
@@ -64,4 +64,4 @@ define([
     });
 
     return load;
-});