Commits on Source (390)
topologies:
build: &build
name: build
cpu: 2
memory: 3800
master_1repl: &master_1repl
name: master_1repl
cpu: 4
memory: 5750
master_1repl_1client: &master_1repl_1client
name: master_1repl_1client
cpu: 4
memory: 6700
jobs:
fedora-28/build:
requires: []
priority: 100
job:
class: Build
args:
git_repo: '{git_repo}'
git_refspec: '{git_refspec}'
template: &ci-master-f28
name: freeipa/ci-master-f28
version: 0.1.5
timeout: 1800
topology: *build
fedora-28/simple_replication:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_simple_replication.py
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-28/caless:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_caless.py::TestServerReplicaCALessToCAFull
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-28/external_ca_1:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_external_ca.py::TestExternalCA
template: *ci-master-f28
timeout: 3600
topology: *master_1repl_1client
fedora-28/external_ca_2:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_external_ca.py::TestSelfExternalSelf test_integration/test_external_ca.py::TestExternalCAInstall
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-28/test_topologies:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_topologies.py
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-28/test_sudo:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_sudo.py
template: *ci-master-f28
timeout: 3600
topology: *master_1repl_1client
fedora-28/test_commands:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_commands.py
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-28/test_kerberos_flags:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_kerberos_flags.py
template: *ci-master-f28
timeout: 3600
topology: *master_1repl_1client
fedora-28/test_http_kdc_proxy:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_http_kdc_proxy.py
template: *ci-master-f28
timeout: 3600
topology: *master_1repl_1client
fedora-28/test_forced_client_enrolment:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_forced_client_reenrollment.py
template: *ci-master-f28
timeout: 3600
topology: *master_1repl_1client
fedora-28/test_advise:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_advise.py
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-28/test_testconfig:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_testconfig.py
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-28/test_service_permissions:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_service_permissions.py
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-28/test_netgroup:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_netgroup.py
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-28/test_vault:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_vault.py
template: *ci-master-f28
timeout: 4500
topology: *master_1repl
fedora-28/test_authconfig:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_authselect.py
template: *ci-master-f28
timeout: 3600
topology: *master_1repl_1client
fedora-28/replica_promotion:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_replica_promotion.py::TestSubCAkeyReplication
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
fedora-28/dnssec:
requires: [fedora-28/build]
priority: 50
job:
class: RunPytest
args:
build_url: '{fedora-28/build_url}'
test_suite: test_integration/test_dnssec.py::TestInstallDNSSECFirst
template: *ci-master-f28
timeout: 3600
topology: *master_1repl
ipatests/prci_definitions/gating.yaml
\ No newline at end of file
......@@ -119,3 +119,56 @@ freeipa2-dev-doc
/ipapython/.DEFAULT_PLUGINS
/ipatests/.cache/
# Python scripts with auto-generated shebang
ipa
makeaci
makeapi
client/ipa-certupdate
client/ipa-client-automount
client/ipa-client-install
daemons/dnssec/ipa-dnskeysyncd
daemons/dnssec/ipa-dnskeysync-replica
daemons/dnssec/ipa-ods-exporter
install/certmonger/dogtag-ipa-ca-renew-agent-submit
install/certmonger/ipa-server-guard
install/oddjob/com.redhat.idm.trust-fetch-domains
install/restart_scripts/renew_ca_cert
install/restart_scripts/renew_kdc_cert
install/restart_scripts/renew_ra_cert
install/restart_scripts/renew_ra_cert_pre
install/restart_scripts/restart_dirsrv
install/restart_scripts/restart_httpd
install/restart_scripts/stop_pkicad
install/tools/ipa-adtrust-install
install/tools/ipa-advise
install/tools/ipa-backup
install/tools/ipa-cacert-manage
install/tools/ipa-ca-install
install/tools/ipa-compat-manage
install/tools/ipa-csreplica-manage
install/tools/ipactl
install/tools/ipa-custodia
install/tools/ipa-custodia-check
install/tools/ipa-dns-install
install/tools/ipa-httpd-kdcproxy
install/tools/ipa-kra-install
install/tools/ipa-ldap-updater
install/tools/ipa-managed-entries
install/tools/ipa-nis-manage
install/tools/ipa-otptoken-import
install/tools/ipa-pkinit-manage
install/tools/ipa-pki-retrieve-key
install/tools/ipa-replica-conncheck
install/tools/ipa-replica-install
install/tools/ipa-replica-manage
install/tools/ipa-replica-prepare
install/tools/ipa-restore
install/tools/ipa-server-certinstall
install/tools/ipa-server-install
install/tools/ipa-server-upgrade
install/tools/ipa-winsync-migrate
ipatests/i18n.py
ipatests/ipa-run-tests
ipatests/ipa-test-config
ipatests/ipa-test-task
......@@ -30,6 +30,7 @@ steps:
- "dnf makecache || :"
- dnf builddep -y ${builddep_opts} -D "with_wheels 1" --spec freeipa.spec.in --best --allowerasing --setopt=install_weak_deps=False
- dnf install -y gdb
- dnf update -y annobin
cleanup:
- chown -R ${uid}:${gid} ${container_working_dir}
- journalctl -b --no-pager > systemd_journal.log
......
......@@ -32,6 +32,7 @@ steps:
- "dnf makecache || :"
- dnf builddep -y ${builddep_opts} --spec freeipa.spec.in --best --allowerasing --setopt=install_weak_deps=False
- dnf install -y gdb
- dnf update -y annobin
cleanup:
- chown -R ${uid}:${gid} ${container_working_dir}
- >
......
......@@ -234,6 +234,8 @@ dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
aci: (targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=IPA.EXAMPLE,cn=kerberos,dc=ipa,dc=example
aci: (targetattr = "cn || cospriority || createtimestamp || entryusn || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || modifytimestamp || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=radiusproxy,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || description || entryusn || ipatokenradiusretries || ipatokenradiusserver || ipatokenradiustimeout || ipatokenusermapattribute || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipatokenradiusconfiguration)")(version 3.0;acl "permission:System: Read Radius Servers";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Radius Servers,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=Realm Domains,cn=ipa,cn=etc,dc=ipa,dc=example
aci: (targetattr = "associateddomain")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Modify Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=Realm Domains,cn=ipa,cn=etc,dc=ipa,dc=example
......
......@@ -186,6 +186,20 @@ output: Output('count', type=[<type 'int'>])
output: ListOfEntries('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: Output('truncated', type=[<type 'bool'>])
command: automember_find_orphans/1
args: 1,7,4
arg: Str('criteria?')
option: Flag('all', autofill=True, cli_name='all', default=False)
option: Str('description?', autofill=False, cli_name='desc')
option: Flag('pkey_only?', autofill=True, default=False)
option: Flag('raw', autofill=True, cli_name='raw', default=False)
option: Flag('remove?', autofill=True, default=False)
option: StrEnum('type', values=[u'group', u'hostgroup'])
option: Str('version?')
output: Output('count', type=[<type 'int'>])
output: ListOfEntries('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: Output('truncated', type=[<type 'bool'>])
command: automember_mod/1
args: 1,9,3
arg: Str('cn', cli_name='automember_rule')
......@@ -6503,6 +6517,7 @@ default: automember_default_group_set/1
default: automember_default_group_show/1
default: automember_del/1
default: automember_find/1
default: automember_find_orphans/1
default: automember_mod/1
default: automember_rebuild/1
default: automember_remove_condition/1
......
......@@ -100,6 +100,7 @@ Developers:
Jan Pazdziora
W. Michael Petullo
Pavel Picka
Orion Poplawski
Gowrishankar Rajaiyan
realsobek
Michal Reznik
......@@ -108,6 +109,7 @@ Developers:
Lynn Root
Pete Rowley
Lenka Ryznarova
Alexander Scheel
Thorsten Scherf
shanyin
Kaleemullah Siddiqui
......@@ -121,12 +123,14 @@ Developers:
David Spångberg
Justin Stephenson
Diane Trout
Serhii Tsymbaliuk
Fraser Tweedale
Petr Viktorin
Petr Voborník
Felipe Volpone
Pavel Vomáčka
Andrew Wnuk
Thomas Woerner
Jason Woods
Adam Young
Mohammad Rizwan Yusuf
......@@ -157,15 +161,26 @@ Testing:
Yi Zhang
Translators:
Héctor Daniel Cabrera
Yuri Chornoivan
Teguh DC
Piotr Drąg
Jérôme Fenal
Abhijeet Kasurde
Andi Chandler
Andrew Martynov
A S Alam
Emilio Herrera
Gundachandru
Héctor Daniel Cabrera
Jake Li
Andrew Martynov
Jérôme Fenal
Marco Aurélio Krause
Martin Bašti
Olesya Gerasimenko
Paul Ritter
Pavel Vomacka
Piotr Drąg
Robert Antoni Buj Gelonch
Sankarshan Mukhopadhyay
Teguh DC
Yuri Chornoivan
Zdenek
Wiki, Solution and Idea Contributors:
James Hogarth
......
NULL =
ACLOCAL_AMFLAGS = -I m4
if ENABLE_SERVER
......@@ -16,20 +18,35 @@ SUBDIRS = asn1 util client contrib po pypi $(PYTHON_SUBDIRS) $(SERVER_SUBDIRS)
GENERATED_PYTHON_FILES = \
$(top_builddir)/ipaplatform/override.py \
$(top_builddir)/ipapython/version.py
$(top_builddir)/ipapython/version.py \
$(top_builddir)/makeaci \
$(top_builddir)/makeapi \
$(NULL)
MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
pylint_plugins.pyc pylint_plugins.pyo
# user-facing scripts
dist_bin_SCRIPTS = ipa
nodist_bin_SCRIPTS = ipa
# files required for build but not installed
dist_noinst_SCRIPTS = makeapi \
makeaci \
make-doc \
make-test \
pylint_plugins.py
nodist_noinst_SCRIPTS = \
makeapi \
makeaci \
$(NULL)
dist_noinst_SCRIPTS = \
make-doc \
make-test \
pylint_plugins.py \
$(NULL)
# templates
dist_noinst_DATA = \
ipa.in \
makeaci.in \
makeapi.in \
$(NULL)
ipasetup.py: ipasetup.py.in $(CONFIG_STATUS)
$(AM_V_GEN)sed \
......@@ -63,7 +80,6 @@ clean-local:
rm -rf "$(top_srcdir)/__pycache__"
rm -f "$(top_builddir)"/$(PACKAGE)-*.tar.gz
# convenience targets for RPM build
.PHONY: rpmroot rpmdistdir version-update _dist-version-bakein _rpms-prep \
rpms _rpms-body srpms _srpms-body
......@@ -178,7 +194,7 @@ if WITH_PYTHON3
@ # just tests, aci, api and pylint on Python 3
PYTHONPATH=$(abspath $(top_srcdir)) $(PYTHON3) ipatests/ipa-run-tests \
--ipaclient-unittests
$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) acilint apilint polint pylint
$(MAKE) $(AM_MAKEFLAGS) PYTHON=$(PYTHON3) acilint apilint polint pylint jslint check
else
@echo "WARNING: python3 not available"
endif
......@@ -259,6 +275,8 @@ polint:
if WITH_PYLINT
pylint: $(GENERATED_PYTHON_FILES) ipasetup.py
@# build CLI scripts
$(MAKE) -C $(top_builddir)/install/tools
FILES=`find $(top_srcdir) \
-type d -exec test -e '{}/__init__.py' \; -print -prune -o \
-path './rpmbuild' -prune -o \
......@@ -368,3 +386,13 @@ python_install:
.PHONY:
strip-po:
$(MAKE) -C po strip-po
PYTHON_SHEBANG = \
ipa \
makeaci \
makeapi \
$(NULL)
CLEANFILES = $(PYTHON_SHEBANG)
include $(top_srcdir)/Makefile.pythonscripts.am
# special handling of Python scripts with auto-generated shebang line
$(PYTHON_SHEBANG):%: %.in Makefile
$(AM_V_GEN)sed -e 's|@PYTHONSHEBANG[@]|#!$(PYTHON) -E|g' $< > $@
$(AM_V_GEN)chmod +x $@
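Review bot: The generation rule redirects `sed` straight into `$@`, so a `sed` that fails or is interrupted leaves a truncated script that is newer than its `.in` template, and the next `make` run will treat it as up to date. Writing to a temporary name and renaming it closes that gap: `sed -e '...' $< > $@.tmp`, then `chmod +x $@.tmp`, then `mv $@.tmp $@`. The rule would also benefit from a comment such as `# -E: generated scripts ignore PYTHON* environment variables (PYTHONPATH, PYTHONHOME)`, because the flag is the security-relevant part of the shebang. At least one template on this page appears to have carried a shebang without it before.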
......@@ -21,7 +21,7 @@
########################################################
define(IPA_VERSION_MAJOR, 4)
define(IPA_VERSION_MINOR, 7)
define(IPA_VERSION_RELEASE, 0)
define(IPA_VERSION_RELEASE, 2)
########################################################
# For 'pre' releases the version will be #
......@@ -55,8 +55,8 @@ define(IPA_VERSION_IS_GIT_SNAPSHOT, no)
# - ipa-X-X: define(IPA_GIT_BRANCH, #
# ipa-IPA_VERSION_MAJOR-IPA_VERSION_MINOR) #
########################################################
define(IPA_GIT_BRANCH, master)
dnl define(IPA_GIT_BRANCH, ipa-IPA_VERSION_MAJOR-IPA_VERSION_MINOR)
dnl define(IPA_GIT_BRANCH, master)
define(IPA_GIT_BRANCH, ipa-IPA_VERSION_MAJOR-IPA_VERSION_MINOR)
########################################################
# The version of IPA data. This is used to identify #
......@@ -83,8 +83,8 @@ define(IPA_DATA_VERSION, 20100614120000)
# #
########################################################
define(IPA_API_VERSION_MAJOR, 2)
define(IPA_API_VERSION_MINOR, 229)
# Last change: Added the Certificate parameter
define(IPA_API_VERSION_MINOR, 230)
# Last change: Added `automember-find-orphans' command
########################################################
......
......@@ -40,9 +40,9 @@ sbin_PROGRAMS = \
$(NULL)
sbin_SCRIPTS = \
ipa-client-install \
ipa-client-automount \
ipa-certupdate \
ipa-client-automount \
ipa-client-install \
$(NULL)
ipa_getkeytab_SOURCES = \
......@@ -98,10 +98,17 @@ noinst_HEADERS = \
ipa-client-common.h
EXTRA_DIST = \
$(sbin_SCRIPTS) \
ipa-certupdate.in \
ipa-client-automount.in \
ipa-client-install.in \
$(NULL)
install-data-hook:
$(INSTALL) -d -m 755 $(DESTDIR)$(IPA_SYSCONF_DIR)/nssdb
$(INSTALL) -d -m 755 $(DESTDIR)$(localstatedir)/lib/ipa-client/pki
$(INSTALL) -d -m 755 $(DESTDIR)$(localstatedir)/lib/ipa-client/sysrestore
PYTHON_SHEBANG = $(sbin_SCRIPTS)
include $(top_srcdir)/Makefile.pythonscripts.am
......@@ -123,17 +123,18 @@ get_config_entry(char * in_data, const char *section, const char *key)
line++;
p = strchr(line, ']');
if (p) {
tmp = strndup(line, p - line);
if (in_section) {
/* We exited the matching section without a match */
free(data);
return NULL;
}
tmp = strndup(line, p - line);
if (strcmp(section, tmp) == 0) {
free(tmp);
in_section = 1;
continue;
}
free(tmp);
}
} /* [ */
......
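Review bot: The result of `strndup(line, p - line)` is passed to `strcmp(section, tmp)` without a NULL check, so an allocation failure while parsing a section header dereferences a null pointer. Moving the allocation below the `in_section` early return removes the leak on that path, but the new position still needs a guard before the comparison, for example `if (tmp == NULL) { free(data); return NULL; }`, mirroring the cleanup the early return already performs. get_config_entry starts and ends outside this hunk, so whether `data` is the only buffer to release at that point should be confirmed against the full function.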
#!/usr/bin/python3 -E
@PYTHONSHEBANG@
# Authors: Jan Cholasta <jcholast@redhat.com>
#
# Copyright (C) 2014 Red Hat
......
#!/usr/bin/python3 -E
@PYTHONSHEBANG@
#
# Authors:
# Rob Crittenden <rcritten@redhat.com>
......
#!/usr/bin/python3 -E
@PYTHONSHEBANG@
# Authors: Simo Sorce <ssorce@redhat.com>
# Karl MacMillan <kmacmillan@mentalrootkit.com>
#
......
......@@ -197,33 +197,31 @@ callRPC(char * user_agent,
/* The caller is responsible for unbinding the connection if ld is not NULL */
static LDAP *
connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
connect_ldap(const char *hostname, const char *binddn, const char *bindpw,
int *ret) {
LDAP *ld = NULL;
int ret;
int ldapdebug = 0;
char *uri;
int ldapdebug = 2;
char *uri = NULL;
struct berval bindpw_bv;
if (debug) {
ldapdebug = 2;
ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldapdebug);
if (ret != LDAP_OPT_SUCCESS) {
goto fail;
}
*ret = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &ldapdebug);
if (*ret != LDAP_OPT_SUCCESS) {
goto fail;
}
ret = asprintf(&uri, "ldaps://%s:636", hostname);
if (ret == -1) {
*ret = asprintf(&uri, "ldaps://%s:636", hostname);
if (*ret == -1) {
fprintf(stderr, _("Out of memory!"));
*ret = LDAP_NO_MEMORY;
goto fail;
}
ret = ipa_ldap_init(&ld, uri);
if (ret != LDAP_SUCCESS) {
*ret = ipa_ldap_init(&ld, uri);
if (*ret != LDAP_SUCCESS) {
goto fail;
}
ret = ipa_tls_ssl_init(ld, uri, DEFAULT_CA_CERT_FILE);
if (ret != LDAP_SUCCESS) {
*ret = ipa_tls_ssl_init(ld, uri, DEFAULT_CA_CERT_FILE);
if (*ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to enable SSL in LDAP\n"));
goto fail;
}
......@@ -238,15 +236,11 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
bindpw_bv.bv_len = 0;
}
ret = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &bindpw_bv,
NULL, NULL, NULL);
if (ret != LDAP_SUCCESS) {
int err;
*ret = ldap_sasl_bind_s(ld, binddn, LDAP_SASL_SIMPLE, &bindpw_bv,
NULL, NULL, NULL);
ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &err);
if (debug)
fprintf(stderr, _("Bind failed: %s\n"), ldap_err2string(err));
if (*ret != LDAP_SUCCESS) {
fprintf(stderr, _("Bind failed: %s\n"), ldap_err2string(*ret));
goto fail;
}
......@@ -309,7 +303,7 @@ get_root_dn(const char *ipaserver, char **ldap_base)
struct berval **defvals;
int ret, rval = 0;
ld = connect_ldap(ipaserver, NULL, NULL);
ld = connect_ldap(ipaserver, NULL, NULL, &ret);
if (!ld) {
rval = 14;
goto done;
......@@ -371,62 +365,6 @@ done:
return rval;
}
/*
* Get the certificate subject base from the IPA configuration.
*
* Not considered a show-stopper if this fails for some reason.
*
* The caller is responsible for binding/unbinding to LDAP.
*/
static int
get_subject(LDAP *ld, char *ldap_base, const char **subject, int quiet)
{
char *attrs[] = {"ipaCertificateSubjectBase", NULL};
char *base = NULL;
LDAPMessage *entry, *res = NULL;
struct berval **ncvals;
int ret, rval = 0;
ret = asprintf(&base, "cn=ipaconfig,cn=etc,%s", ldap_base);
if (ret == -1)
{
if (!quiet)
fprintf(stderr, _("Out of memory!\n"));
rval = 3;
goto done;
}
ret = ldap_search_ext_s(ld, base, LDAP_SCOPE_BASE,
"objectclass=*", attrs, 0,
NULL, NULL, NULL, 0, &res);
if (ret != LDAP_SUCCESS) {
fprintf(stderr,
_("Search for ipaCertificateSubjectBase failed with error %d"),
ret);
rval = 14;
goto done;
}
entry = ldap_first_entry(ld, res);
ncvals = ldap_get_values_len(ld, entry, attrs[0]);
if (!ncvals) {
fprintf(stderr, _("No values for %s"), attrs[0]);
rval = 14;
goto done;
}
*subject = strdup(ncvals[0]->bv_val);
ldap_value_free_len(ncvals);
done:
free(base);
if (res) ldap_msgfree(res);
return rval;
}
/* Join a host to the current IPA realm.
*
* There are several scenarios for this:
......@@ -446,7 +384,7 @@ done:
* the state of the entry.
*/
static int
join_ldap(const char *ipaserver, char *hostname, char ** binddn, const char *bindpw, const char *basedn, const char **princ, const char **subject, int quiet)
join_ldap(const char *ipaserver, char *hostname, char ** binddn, const char *bindpw, const char *basedn, const char **princ, int quiet)
{
LDAP *ld;
int rval = 0;
......@@ -458,7 +396,6 @@ join_ldap(const char *ipaserver, char *hostname, char ** binddn, const char *bin
*binddn = NULL;
*princ = NULL;
*subject = NULL;
if (NULL != basedn) {
ldap_base = strdup(basedn);
......@@ -486,20 +423,24 @@ join_ldap(const char *ipaserver, char *hostname, char ** binddn, const char *bin
rval = 3;
goto done;
}
ld = connect_ldap(ipaserver, *binddn, bindpw);
ld = connect_ldap(ipaserver, *binddn, bindpw, &ret);
if (!ld) {
if (!quiet)
fprintf(stderr, _("Incorrect password.\n"));
rval = 15;
goto done;
}
if (quiet)
goto done;
if (get_subject(ld, ldap_base, subject, quiet) != 0) {
if (!quiet)
fprintf(stderr,
_("Unable to determine certificate subject of %s\n"),
ipaserver);
/* Not a critical failure */
switch(ret) {
case LDAP_NO_MEMORY:
rval = 3;
break;
case LDAP_INVALID_CREDENTIALS: /* incorrect password */
case LDAP_INAPPROPRIATE_AUTH: /* no password set */
rval = 15;
break;
default: /* LDAP connection error catch-all */
rval = 14;
break;
}
goto done;
}
valrequest.bv_val = (char *)hostname;
......@@ -538,7 +479,7 @@ done:
}
static int
join_krb5(const char *ipaserver, char *hostname, char **hostdn, const char **princ, const char **subject, int force, int quiet) {
join_krb5(const char *ipaserver, char *hostname, char **hostdn, const char **princ, int force, int quiet) {
xmlrpc_env env;
xmlrpc_value * argArrayP = NULL;
xmlrpc_value * paramArrayP = NULL;
......@@ -550,7 +491,6 @@ join_krb5(const char *ipaserver, char *hostname, char **hostdn, const char **pri
struct utsname uinfo;
xmlrpc_value *princP = NULL;
xmlrpc_value *krblastpwdchangeP = NULL;
xmlrpc_value *subjectP = NULL;
xmlrpc_value *hostdnP = NULL;
const char *krblastpwdchange = NULL;
char * url = NULL;
......@@ -559,7 +499,6 @@ join_krb5(const char *ipaserver, char *hostname, char **hostdn, const char **pri
int ret;
*hostdn = NULL;
*subject = NULL;
*princ = NULL;
/* Start up our XML-RPC client library. */
......@@ -658,18 +597,6 @@ join_krb5(const char *ipaserver, char *hostname, char **hostdn, const char **pri
goto cleanup;
}
xmlrpc_struct_find_value(&env, structP, "ipacertificatesubjectbase", &subjectP);
if (subjectP) {
xmlrpc_value * singleprincP = NULL;
/* FIXME: all values are returned as lists currently. Once this is
* fixed we can read the string directly.
*/
xmlrpc_array_read_item(&env, subjectP, 0, &singleprincP);
xmlrpc_read_string(&env, singleprincP, *&subject);
xmlrpc_DECREF(subjectP);
}
cleanup:
if (argArrayP) xmlrpc_DECREF(argArrayP);
if (paramArrayP) xmlrpc_DECREF(paramArrayP);
......@@ -922,7 +849,6 @@ join(const char *server, const char *hostname, const char *bindpw, const char *b
char *iparealm = NULL;
char * host = NULL;
const char * princ = NULL;
const char * subject = NULL;
char * hostdn = NULL;
struct utsname uinfo;
......@@ -963,7 +889,7 @@ join(const char *server, const char *hostname, const char *bindpw, const char *b
}
if (bindpw)
rval = join_ldap(ipaserver, host, &hostdn, bindpw, basedn, &princ, &subject, quiet);
rval = join_ldap(ipaserver, host, &hostdn, bindpw, basedn, &princ, quiet);
else {
krberr = krb5_init_context(&krbctx);
if (krberr) {
......@@ -987,7 +913,7 @@ join(const char *server, const char *hostname, const char *bindpw, const char *b
rval = 6;
goto cleanup;
}
rval = join_krb5(ipaserver, host, &hostdn, &princ, &subject, force,
rval = join_krb5(ipaserver, host, &hostdn, &princ, force,
quiet);
}
......@@ -1049,11 +975,7 @@ join(const char *server, const char *hostname, const char *bindpw, const char *b
}
cleanup:
if (NULL != subject && !quiet && rval == 0)
fprintf(stderr, _("Certificate subject base is: %s\n"), subject);
free((char *)princ);
free((char *)subject);
free(host);
if (bindpw)
......
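Review bot: In connect_ldap the `Bind failed: %s` message now appears to be printed on every failed bind, where the earlier code printed it only under `if (debug)`. connect_ldap takes no `quiet` argument, so a join_ldap caller that passed `quiet` would still get stderr output for a wrong password. Either keep the `if (debug)` guard or leave reporting to join_ldap, which already maps the code to exit status 3, 14 or 15. The new `int *ret` out-parameter is also undocumented; the comment above connect_ldap could add `/* On failure *ret holds the result of the step that failed: an LDAP result code, or the ldap_set_option() status */`. The +/- markers are lost on this page, so the old and new sides here are inferred from the duplicated lines.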
......@@ -100,11 +100,27 @@ PKG_CHECK_MODULES([CRYPTO], [libcrypto])
dnl ---------------------------------------------------------------------------
dnl - Check for Python
dnl - Check for platform Python interpreter
dnl - Check for Python 2/3 for devcheck
dnl ---------------------------------------------------------------------------
AS_IF([test "x${PYTHON}" != "x"], [
AC_MSG_NOTICE([Python user override detected, ${PYTHON}])
])
AC_MSG_NOTICE([Checking for platform Python])
AC_PATH_PROG(PLATFORM_PYTHON, platform-python, [], [/usr/libexec$PATH_SEPARATOR$PATH])
AC_MSG_NOTICE([Checking for Python 3])
AC_PATH_PROG(PYTHON3, python3)
AC_PATH_PROGS(PYTHON3, python3)
dnl Only use platform-python when there is no override
if test \( "x${PLATFORM_PYTHON}" != "x" -a "x${PYTHON}" = "x" \); then
dnl platform-python executable detected (it's always Python 3)
AC_MSG_NOTICE([Using platform Python as default Python 3 interpreter])
PYTHON3=${PLATFORM_PYTHON}
PYTHON=${PLATFORM_PYTHON}
fi
AC_SUBST([PYTHON3])
AM_CONDITIONAL([WITH_PYTHON3], [test "x${PYTHON3}" != "x"])
......@@ -123,6 +139,7 @@ elif test "x${PYTHON3}" != "x"; then
AM_PATH_PYTHON(3.6)
fi
dnl ---------------------------------------------------------------------------
dnl - Check for cmocka unit test framework http://cmocka.cryptomilk.org/
dnl ---------------------------------------------------------------------------
......
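Review bot: The override test `test \( "x${PLATFORM_PYTHON}" != "x" -a "x${PYTHON}" = "x" \)` relies on `-a` and escaped parentheses, which the Autoconf portability notes advise against because `test` implementations parse them inconsistently. The equivalent `if test "x${PLATFORM_PYTHON}" != "x" && test "x${PYTHON}" = "x"; then` avoids that. Separately, the value chosen here becomes `PYTHON`, which the shebang rule elsewhere on this page writes into generated scripts, and the `AC_PATH_PROG` lookup falls back to the build-time `$PATH` after `/usr/libexec`. A short `dnl` comment stating that the build environment's PATH is trusted for this lookup would make that assumption explicit.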
......@@ -3,7 +3,7 @@
AUTOMAKE_OPTIONS = 1.7
appdir = $(libexecdir)/ipa/
dist_app_SCRIPTS = \
nodist_app_SCRIPTS = \
ipa-dnskeysyncd \
ipa-dnskeysync-replica \
ipa-ods-exporter
......@@ -11,14 +11,18 @@ dist_app_SCRIPTS = \
dist_noinst_DATA = \
ipa-dnskeysyncd.service.in \
ipa-ods-exporter.service.in \
ipa-ods-exporter.socket.in
ipa-ods-exporter.socket.in \
ipa-dnskeysyncd.in \
ipa-dnskeysync-replica.in \
ipa-ods-exporter.in
systemdsystemunit_DATA = \
ipa-dnskeysyncd.service \
ipa-ods-exporter.service \
ipa-ods-exporter.socket
CLEANFILES = $(systemdsystemunit_DATA)
CLEANFILES = $(systemdsystemunit_DATA) $(nodist_app_SCRIPTS)
%: %.in Makefile
sed \
......@@ -32,3 +36,9 @@ CLEANFILES = $(systemdsystemunit_DATA)
dnssecconfdir = $(IPA_SYSCONF_DIR)/dnssec
install-data-hook:
$(INSTALL) -d -m 755 $(DESTDIR)$(dnssecconfdir)
PYTHON_SHEBANG = \
$(nodist_app_SCRIPTS) \
$(NULL)
include $(top_srcdir)/Makefile.pythonscripts.am
#!/usr/bin/python3
@PYTHONSHEBANG@
#
# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
#
......