IPA error 3009

Web UI PTR redirection dialog incorrectly detects the reverse zone if there is also a zone which matches (indexOf) the search. E.g.:

0.10.10.in-addr.arpa instead of 110.10.10.in-addr.arpa.


pvoborni

commented
6 years ago



master:

  • 740099c Fix bad searching of reverse DNS zone

Metadata Update from @pvoborni:
— Issue assigned to pvomacka
— Issue set to the milestone: FreeIPA 4.4

6 years ago
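
The mismatch described in this ticket, as an added JavaScript example that is not FreeIPA's Web UI code: a substring (`indexOf`) search for the reverse zone next to a match on DNS label boundaries that prefers the longest zone. The function names and the sample address 10.10.110.5 are assumptions made for the illustration.

```javascript
// Constructed sample data: the two reverse zones named in the ticket.
const SAMPLE_ZONES = ['0.10.10.in-addr.arpa.', '110.10.10.in-addr.arpa.'];

// Lowercase a DNS name and drop the trailing root dot so names compare equal.
function normalize(name) {
  return name.toLowerCase().replace(/\.$/, '');
}

// Build the in-addr.arpa name for an IPv4 address, rejecting malformed input.
function ipv4ToReverseName(ip) {
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) {
    throw new Error('not an IPv4 address: ' + ip);
  }
  return octets.reverse().join('.') + '.in-addr.arpa';
}

// Substring search: the first zone whose text occurs anywhere in the name.
// "0.10.10.in-addr.arpa" occurs inside "110.10.10.in-addr.arpa", so the
// wrong zone can be returned.
function findZoneSubstring(reverseName, zones) {
  const name = normalize(reverseName);
  return zones.find(z => name.indexOf(normalize(z)) > -1) || null;
}

// Label-aware search: a zone matches only if the name equals it or ends with
// "." + zone, and the most specific (longest) matching zone wins.
function findZoneByLabels(reverseName, zones) {
  const name = normalize(reverseName);
  let best = null;
  for (const z of zones) {
    const zone = normalize(z);
    const matches = name === zone || name.endsWith('.' + zone);
    if (matches && (best === null || zone.length > normalize(best).length)) {
      best = z;
    }
  }
  return best;
}

// Stand-alone run: show both results for the constructed address.
const sampleName = ipv4ToReverseName('10.10.110.5');
console.log('reverse name :', sampleName);
console.log('substring    :', findZoneSubstring(sampleName, SAMPLE_ZONES));
console.log('label suffix :', findZoneByLabels(sampleName, SAMPLE_ZONES));
```
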


Solution Verified
— Updated 2020-07-19T14:30:12+00:00 —

Issue

  • Unable to create IPA-AD trust and receiving error IPA Error 3009: ValidationError
  • IPA-AD trust add fails with error Invalid 'Realm-domain mismatch':To establish trust with Active Directory: the domain name and the realm name of the IPA server must match

Environment

  • Red Hat Enterprise Linux 8.1



Description


Sergey Novikov



2017-09-01 16:49:05 MSK

When trying to add a rule mapping an IPA user to an SELinux user whose name contains a digit (for example, generic3_u), IPA returns an error:

IPA Error 3009: ValidationError
неправильное 'selinuxuser': Invalid SELinux user name, only a-Z and _ are allowed

Steps to reproduce:
1. Install a FreeIPA server
2. In the web interface, go to the Policy->SELinux User Maps tab
3. Click 'Add'
4. In the SELinux User field, enter 'generic3_u:s3-s3:c0.c15'

Version: freeipa-server-4.3.3-alt7


Comment 1


nbr



2017-10-04 11:32:22 MSK

It says so clearly:
only a-Z and _ are allowed
That is by design - you should not create SELinux users like that.


Comment 2


Sergey Novikov



2017-10-04 11:41:59 MSK

In IPA Server -> Configuration -> SELinux Options,
the SELinux user map order field has the value:
officer_u:s0-s3:c0.c15$generic3_u:s3-s3:c0.c15$generic_u2:s2-s3:c0.c15$generic_u1:s1-s3:c0.c15$generic_u:s0-s3:c0.c15
Apparently these are the users in our SELinux.


Comment 3


Anton Farygin



2017-10-04 12:06:10 MSK

We need to either change the defaults in freeipa or change the defaults in the policy. Changing anything in the policy is unlikely to work at this point.


Comment 4


nbr



2017-10-04 12:12:15 MSK

Why are you using generics_u2 at all? That is not a user, it is a template!
Create a _properly named, without numbers_ user (with alterator, for example) and use it to your heart's content!


Comment 5


Anton Farygin



2017-10-04 12:19:37 MSK

What do you mean? Nobody did anything special. It is a default installation of SP 8.


Comment 6


nbr



2017-10-04 12:22:01 MSK

Exactly. You need to _specifically create_ an selinux user (or users) for freeipa and map domain users onto them, not onto the generic templates, which, ideally, should be thrown out altogether except for the lowest generic.


Comment 7


Anton Farygin



2017-10-04 12:22:51 MSK

Then you are the right person to do it.


Comment 8


Anton Farygin



2017-10-04 12:30:27 MSK

Let's sort out separately whether this is a bug or not. The fact is that right now our FreeIPA cannot be used with SP-8.


Comment 9


nbr



2017-10-04 12:31:26 MSK

What does this have to do with me? This is a task for the sysadmin who configures the domain. An ordinary administrative action. That is why I set notabug; this is normal behaviour for a system that needs some configuration.

Not for this reason; #33840 is more serious.

(In reply to comment #9)
> What does this have to do with me? This is a task for the sysadmin who
> configures the domain. An ordinary administrative action. That is why I set
> notabug; this is normal behaviour for a system that needs some configuration.
This behaviour is documented, so it is not a bug. But since it can be misleading, it is worth thinking about how to warn the user and formulating an FR.


Comment 12


Anton Farygin



2017-10-04 13:47:53 MSK

Documented where?

We have no documentation at all on deploying FreeIPA on ALT + SELinux.

(In reply to comment #12)
> Documented where?

See the first comment.
> 
> We have no documentation at all on deploying FreeIPA on ALT + SELinux.

Then file bugs about that.


Comment 14


Anton Farygin



2017-10-04 14:08:45 MSK

Alexey, the current behaviour of FreeIPA diverges from our default SELinux behaviour.

And an error message does not count as documentation and cannot be used when designing a system.


Comment 15


Mikhail Efremov



2017-10-04 15:25:27 MSK

It is a bug, of course. It is a great pity that users with digits in their names exist in selinux-policy-alt at all, but since they do, freeipa must be able to handle them.


Comment 17


Anton Farygin



2017-10-05 07:55:44 MSK

Misha, thanks. We will check.

Stas, please take it into the 4.4 build.


Comment 18


Repository Robot



2017-10-05 16:50:08 MSK

freeipa-4.3.3-alt9 -> sisyphus:

Thu Oct 05 2017 Mikhail Efremov <sem@altlinux.org> 4.3.3-alt9
- selinux: Allow digits in SELinux user names (closes: #33838).
- Require zip.
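
The name check discussed in this report, as an added JavaScript example that is not FreeIPA's or ALT's code: it validates every entry of the `SELinux user map order` value quoted in comment 2 against a letters-and-underscore name rule and against one that also accepts digits. Both name patterns, the MLS (s0 to s15) and MCS (c0 to c1023) limits, and all function names are assumptions made for the illustration.

```javascript
// Value of "SELinux user map order" as quoted in comment 2 of the report.
const MAP_ORDER = 'officer_u:s0-s3:c0.c15$generic3_u:s3-s3:c0.c15$' +
  'generic_u2:s2-s3:c0.c15$generic_u1:s1-s3:c0.c15$generic_u:s0-s3:c0.c15';

// Assumed name rules: the first mirrors the error text ("only a-Z and _"),
// the second additionally accepts digits after the first character.
const STRICT_NAME = /^[a-zA-Z][a-zA-Z_]*$/;
const RELAXED_NAME = /^[a-zA-Z][a-zA-Z0-9_]*$/;

// MLS part: "sN" or "sN-sM", with N <= M <= 15 (assumed upper bound).
function checkMls(mls) {
  const m = /^s(\d{1,2})(?:-s(\d{1,2}))?$/.exec(mls);
  if (!m) return 'bad MLS syntax';
  const lo = Number(m[1]);
  const hi = m[2] === undefined ? lo : Number(m[2]);
  if (lo > 15 || hi > 15) return 'MLS level above s15';
  if (lo > hi) return 'MLS range is inverted';
  return null;
}

// MCS part: categories "cN" joined by "." (range) or "," (list), N <= 1023
// (assumed upper bound).
function checkMcs(mcs) {
  if (!/^c\d{1,4}(?:[.,]c\d{1,4})*$/.test(mcs)) return 'bad MCS syntax';
  const categories = mcs.match(/\d+/g).map(Number);
  if (categories.some(c => c > 1023)) return 'MCS category above c1023';
  return null;
}

// Validate one "user:MLS[:MCS]" string; returns null when valid,
// otherwise a short reason.
function validateSelinuxUser(value, namePattern) {
  const parts = value.split(':');
  if (parts.length < 2 || parts.length > 3) return 'expected user:MLS[:MCS]';
  const [name, mls, mcs] = parts;
  if (!namePattern.test(name)) return 'invalid SELinux user name';
  const mlsError = checkMls(mls);
  if (mlsError) return mlsError;
  if (mcs !== undefined) {
    const mcsError = checkMcs(mcs);
    if (mcsError) return mcsError;
  }
  return null;
}

// Validate every "$"-separated entry of a map order string.
function auditMapOrder(order, namePattern) {
  return order.split('$').map(entry => ({
    entry: entry,
    error: validateSelinuxUser(entry, namePattern),
  }));
}

// Names of the entries that a given name rule rejects.
function rejectedNames(order, namePattern) {
  return auditMapOrder(order, namePattern)
    .filter(result => result.error !== null)
    .map(result => result.entry.split(':')[0]);
}

// Stand-alone run: compare the two name rules on the quoted map order.
console.log('rejected, letters only :', rejectedNames(MAP_ORDER, STRICT_NAME));
console.log('rejected, digits too   :', rejectedNames(MAP_ORDER, RELAXED_NAME));
```
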

Release date Released 2016-07-01

The FreeIPA team would like to announce FreeIPA v4.4.0 release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 24 will be available in the official COPR repository.

Contents

  • 1 Highlights in 4.4.0
    • 1.1 Known Issues
    • 1.2 Bug fixes
  • 2 Upgrading
  • 3 Feedback
  • 4 Resolved tickets
  • 5 Detailed Changelog since 4.3.1
    • 5.1 Abhijeet Kasurde (12)
    • 5.2 Alexander Bokovoy (11)
    • 5.3 Christian Heimes (3)
    • 5.4 David Kupka (35)
    • 5.5 Filip Skola (9)
    • 5.6 Florence Blanc-Renaud (9)
    • 5.7 Fraser Tweedale (37)
    • 5.8 Gabe Alford (1)
    • 5.9 Jakub Hrozek (1)
    • 5.10 James Groffen (1)
    • 5.11 Jan Barta (1)
    • 5.12 Jan Cholasta (139)
    • 5.13 Jérôme Fenal (1)
    • 5.14 Lenka Doudova (12)
    • 5.15 Ludwig Krispenz (2)
    • 5.16 Lukáš Slebodník (6)
    • 5.17 Martin Babinsky (68)
    • 5.18 Martin Bašti (162)
    • 5.19 Martin Košek (2)
    • 5.20 Matt Rogers (1)
    • 5.21 Michael Simacek (1)
    • 5.22 Milan Kubík (11)
    • 5.23 Nathaniel McCallum (8)
    • 5.24 Oleg Fayans (26)
    • 5.25 Patrice Duc-Jacquet (2)
    • 5.26 Pavel Vomacka (69)
    • 5.27 Peter Lacko (1)
    • 5.28 Petr Viktorin (46)
    • 5.29 Petr Voborník (19)
    • 5.30 Petr Špaček (60)
    • 5.31 Simo Sorce (6)
    • 5.32 Stanislav Laznicka (31)
    • 5.33 Sumit Bose (3)
    • 5.34 Thierry Bordaz (5)
    • 5.35 Thorsten Scherf (1)
    • 5.36 Timo Aaltonen (6)
    • 5.37 Tomáš Babej (10)
    • 5.38 Yuri Chornoivan (4)

Highlights in 4.4.0

Enhancements:

  • Improved Topology Management

<http://www.freeipa.org/page/V4/Manage_replication_topology_4_4>

  • Added Overview of IPA server roles:

<http://www.freeipa.org/page/V4/Server_Roles>

  • Added support certificates for AD users:

<http://www.freeipa.org/page/V4/Certs_in_ID_overrides>

  • Added support of UPN for trusted domains

<http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains>

  • Added support for Kerberos Authentication Indicators

<http://www.freeipa.org/page/V4/Authentication_Indicators>

  • Added DNS Location Mechanism (Howto)

<http://www.freeipa.org/page/V4/DNS_Location_Mechanism>

  • Several performance improvements

<http://www.freeipa.org/page/V4/Performance_Improvements>

  • Refactored IPA command line tool

<http://www.freeipa.org/page/V4/Thin_Client>

  • Added support for Sub-CAs

<http://www.freeipa.org/page/V4/Sub-CAs>

  • Added support for Kerberos principal aliases

<http://www.freeipa.org/page/V4/Kerberos_principal_aliases>

Known Issues

Bug fixes

Upgrading

Upgrade instructions are available on Upgrade page.

Feedback

Please provide comments, bugs and other feedback via the freeipa-users mailing list (http://www.redhat.com/mailman/listinfo/freeipa-users) or #freeipa channel on Freenode.

Resolved tickets

  • #433 [RFE] TGS authorization decisions in KDC based on Authentication Indicator
  • #2008 [RFE] IPA should support and manage DNS Locations
  • #2795 Disabling password expiration (--maxlife=0 and --minlife=0) in the default global_policy in IPA sets user’s password expiration (krbPasswordExpiration) to be 90 days
  • #2956 Define missing DNS zone attribute for default TTL value
  • #3197 Use noarch RPMs for Python-only packages
  • #3376 Do not do extra LDAP search for ipasshpubkey to generate fingerprints
  • #3517 Incorrect *.py[co] files placement
  • #3864 Adjust Kerberos Principal Aliases implementation
  • #3961 [RFE] Allow multiple Principals per host entry (Kerberos aliases)
  • #4022 When search hits the size limit, it should explicitly say so or message like # hosts matched suggests there are not other
  • #4235 ipa-replica-manage -H does not delete DNS SRV records
  • #4421 host-mod command prevents creating Kerberos principal aliases
  • #4427 [RFE] New API versioning
  • #4559 [RFE] Support lightweight sub-CAs
  • #4602 [RFE] Offer OTP generation for host enrollment in the UI
  • #4631 Add X-Frame-Options, frame-ancestors to UI webpages
  • #4739 [RFE] Support API clients newer than server
  • #4785 ipa-server-certinstall tracks the 3rd party cert it installs with certmonger
  • #4786 ipa-server-certinstall does not accept certs signed by 3rd party CAs
  • #4844 Principal canonicalization does not work for principals in IPA realm
  • #4942 [RFE] Allow user authentication using cert on smart card against IPA UI
  • #4955 [RFE] Allow managing certificates for AD users in IPA
  • #4987 ipa-csreplica-manage: it could be nice to have also list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend
  • #4995 add finer control of getting members
  • #5001 Make it possible to pre-fill the Username field of /ipa/ui/reset_password.html
  • #5076 [WebUI] General invalid password error message appearing for «Locked user»
  • #5077 [WebUI] UI error message is not appropriate for «Kerberos principal expiration»
  • #5108 webui for {user|service|host}_{add|remove}_cert commands
  • #5115 ipatests: registering plugins via API.register/Registrar class doesn’t work
  • #5168 search by users which don’t have read rights for all attrs in search_attributes fails
  • #5181 [RFE] Expand server-show/find with the list of configured components
  • #5221 Installer adds NTP SRV records into DNS for IPA servers which does not have ntp configured
  • #5281 3 unnecessary search operations for each user in user-find
  • #5294 [tracker] certprofile-import error message is not clear
  • #5307 ipa-replica-manage del --force --clean won’t clean remnant records if there is no RUV with replica ID
  • #5311 Show Certificate displays in useless format
  • #5315 ipa-kra-install prints incorrect errors message when kra is already installed
  • #5354 [RFE] Support of UPN for trusted domains
  • #5369 [UI] Stageuser capabilities — «Activate» option not available for a staged user in detailed info
  • #5370 [UI] Stageuser capabilities — «Delete» option does not offer choice between permanent/preserved in detailed user info
  • #5371 [UI] Stageuser capabilities — Preserved user cannot be converted to staged user — missing option
  • #5376 [tracker] Replica prepare: Certificate issuance failed
  • #5380 ipa-replica-manage: no way to show traceback on unexpected error
  • #5381 [WebUI] Missing UI for working with multiple certificates in User, Host, Service pages
  • #5383 Reduce ioblocktimeout and idletimeout defaults
  • #5396 Cleanallruv task should not wait for cleanallruv result on the others replicas
  • #5413 [RFE] Allow users to authenticate with alternative names
  • #5428 Add tool tips for Revert, Refresh, Undo, and Undo All in the IPA UI
  • #5432 Issue New Certificate dialogs do not validate data
  • #5434 add context to exception on LdapEntry decode error
  • #5443 ipa-server-install dies during pkispawn if /etc/hostname not properly configured
  • #5448 ipa user-add slows down as more users are added
  • #5523 [RFE] Update default profiles to always add SAN dnsName
  • #5534 ipa-client-install fails when the client has active point to point connections
  • #5547 ipa client should configure kpasswd_server directive in krb5.conf
  • #5561 Unable to install replica due error during restarting dirsrv
  • #5588 [RFE] change `ipa-replica-manage del` into an API method for domain level 1
  • #5591 FreeIPA ipa-client-install error: Hostname (computer.company.lan) does not have A/AAAA record.
  • #5599 Kerberos could take advantage of slapi-nis specific control that skip slapi-nis map evaluation
  • #5620 Centralize DNS record creation in IPA services
  • #5627 ipa host-del fails with --updatedns option if ost does not have a dns record
  • #5642 ipa-getkeytab: extended.c:177: ldap_parse_extended_result: Assertion `res != ((void *)0)’ failed.
  • #5643 WebUI: Application crashes if sesssionStorage is not available
  • #5645 [WebUI] Dialog «Issue New Certificate» should mention SAN names
  • #5648 webui: topology graph: add segments by drag and drop
  • #5652 webui: unable to review certificate request if the request is not successful
  • #5656 webui: browser setup page includes instructions for Internet Explorer
  • #5659 typo in service-add
  • #5675 ipa host-del --updatedns should remove related dns entries.
  • #5677 API calls fail on «LimitsExceeded» error
  • #5681 Residual Files After IPA Server Uninstall
  • #5689 move set-renewal-master command to API from ipa-csreplica-manage
  • #5694 update ipa-client-install --request-cert man page with chroot workaround
  • #5702 webui: change dojo’s lang.hitch() to the javascript .bind() method
  • #5703 ipa-client-install should enable ChallengeResponseAuthentication by default
  • #5708 ipa-server-install manpage doesn’t contain info about --domain-level option
  • #5710 Fix forward zone conficts with automatic empty zones from BIND
  • #5717 Consider removing our implementation of CalledProcessError
  • #5721 error installing ca-less replica with valid certificates
  • #5732 Web interface not showing ipa forwarders
  • #5740 ipa-replica-prepare: Traceback if reverse zone does not exists
  • #5741 [tests] Admin is getting Insufficient privileges to promote the server when installing ca-less replica
  • #5743 [RFE] External Trust with Active Directory domain
  • #5751 Error: Unknown warnings category ‘experimental::smartmatch’ at /usr/share/dirsrv/updates/52updateAESplugin.pl line 9.
  • #5757 incorrect SELinux label of second replica’s /var/log/ipareplica-conncheck.log
  • #5758 Replica installation crashes on certmonger timeout
  • #5759 Missing pre_callback in stageuser_add
  • #5761 ipa-client-install throws Python exception on FIPS enabled servers
  • #5762 [RFE] Support IdM Client in a DNS domain controlled by AD
  • #5768 Include description for ‘status’ option in man page for ipactl command.
  • #5772 Failures in topology tests produce unclear error messages
  • #5773 [webui] option --skip-overlap-check cannot be set in DNS zone adder dialog
  • #5774 ipa config-mod allows to set maxusername limit higher than 255 characters
  • #5782 ipa-kdb support for krbPrincipalAuthInd
  • #5783 permission plugin tests fail on 4.3 branch
  • #5787 SchemaCache doesn’t work
  • #5789 «no such entry» error is shown when installer does not receive password from pkcs file
  • #5792 ipa-server-install: report which certificate is missing in external cert trust chain
  • #5794 ipa-server-install does not completely change hostname and named-pkcs11 fails
  • #5796 [webui] IPA Error 3009: Validation error: Invalid ‘ptrrecord’: Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given
  • #5797 host-show, host-find failed when usercertificate in LDAP is invalid
  • #5800 kdestroy command in unapply_fixes function in test_integration/tasks.py causes legacy client tests to fail
  • #5804 Test for «#4986 Web UI misses check box…» and «#5505 Creating a user w/o private group…» needed
  • #5810 batch command can be used to trigger internal errors on server
  • #5811 ipa-client-install failing with SyntaxError: Syntax Error: Unknown line format
  • #5812 always qualify requests for admin
  • #5815 Integrate NTP service into server roles
  • #5819 ipa cert-revoke --help doesn’t provide enough info on revocation reasons
  • #5820 advertise ipactl start --ignore-service-failure option
  • #5826 Integrate NTP service into server roles: upgrade from older IPA versions
  • #5833 cli: «gateway time out» with long running task
  • #5835 ipa-replica-install man page lacks CA less options
  • #5839 Tests: cleanup for host certificate does not work well in test_host_plugin.py
  • #5840 ipa-replica-manage clean-dangling-ruv fails in topologies with only one CA
  • #5841 upgrade: find_hostname() method should be replaced by api.env.host
  • #5842 Replica installation fails with ipa-getkeytab timeouts
  • #5851 DNS upgrade is broken: master zones are not transformed to forward zones properly
  • #5856 ipa-nis-manage command should include status option
  • #5857 ipa-nis-manage enable: change service name from ‘portmap’ to ‘rpcbind’
  • #5865 make rpms does not fail if api does not match API.txt
  • #5866 [RFE] Create guidance how to setup/migrate IPA that contains big amount of data
  • #5867 topology graph: display «autogenerated» placeholder while adding segment
  • #5868 Upgrader sometimes returns PR_ADDRESS_NOT_SUPPORTED_ERROR from dogtag upgrade
  • #5869 ipa-dns-install --auto-forwarders option does not work in unattended mode
  • #5870 [tracker] DNSSEC signing is broken on Fedora 24
  • #5871 ‘man ipa’ should be updated with latest commands
  • #5872 [webui] authentication indicators
  • #5878 Inconsistent UI and CLI options for removing certificate hold
  • #5885 ipa cert-request causes internal server error while requesting certificate
  • #5886 missing dependency: python3-pyusb
  • #5889 Client-only build fails
  • #5892 Unused code in LDAPRemoveReverseMember
  • #5894 makeapi validation fails on architectures where integer is less than 32 bits
  • #5898 CAInstance presented as always running
  • #5899 Remove unused code from automount plugin
  • #5903 always add mapping (my hostname) = (IPA realm) to krb5.conf
  • #5904 [RFE] Add ‘external’ checkbox corresponding to ‘--external’ flag in ‘trust-add’ command
  • #5905 [RFE] Create webui for DNS locations
  • #5906 [RFE] WebUI for server roles
  • #5907 deprecate ‘--domain-level’ option in ipa-server-install
  • #5911 Insufficient ‘write’ privilege on some attributes for the members of the role which has «User Administrators» privilege.
  • #5912 Installing freeipa client breaks crypto-policies for krb5
  • #5914 invalid setting of DS lock table size
  • #5920 automount.py: strings in output_for_cli method should be translated
  • #5926 [RFE] add certificate field into ID Views
  • #5927 Web UI for Kerberos Principal Aliases
  • #5928 topology plugins sigsev when adding a managed host
  • #5931 Add, remove, list hosts allowed to retrieve keytabs in Web UI
  • #5937 [RFE] Support of UPN for trusted domains
  • #5938 otptoken-add is not Python 3 clean
  • #5939 [RFE] WebUI for sub-CA
  • #5942 trusts: make sure child domains are not shown as part of the trust-find command
  • #5943 dogtag-ipa-ca-renew-agent-submit cannot access api.Object.config
  • #5944 ipapwd_extop should take precedence over default DS plugin
  • #5946 Enable password change extop to apply on virtual entry like the entry in compat tree
  • #5947 Missing nsSystemIndex attribute for some entries in index update file
  • #5954 ipa passwd tracebacks
  • #5958 Upgrade is broken on servers without CA
  • #5960 API call dnsconfig_show returns null as value of dnssec_key_master_server
  • #5961 P11 tests breaks environment, which causes changepw tests to fail
  • #5962 Unable to install server without A record even if —setup-dns option is used
  • #5963 Replica installation fails on domain level 0
  • #5965 conncheck in ipa-ca-install running on replica asks for host/principal «password»
  • #5966 Missing ‘ipa-ca’ records for replica installed by replica promotion
  • #5967 «CA» segment can be created for servers without CA suffix
  • #5968 renew_ca_cert helper cannot access config plugin
  • #5973 adtrust-install prints ‘CRITICAL Failed to remove old key’ even during clean install
  • #5975 local variable ‘ipaconf’ referenced before assigment
  • #5976 replica-promotion: is possible to set invalid IPA domain
  • #5977 topology plugins sigsev/heap corruption when adding a managed host
  • #5978 server/client uninstall does not clean krb5.keytab properly
  • #5981 Unhandled PKI error in ca-add
  • #5982 [tracker] KRA: installation of second KRA fails
  • #5983 Ensure that replica promotion deny to install a replica against a server with newer version
  • #5985 Replica install: Failed to load replica-s4u2proxy.ldif
  • #5987 Nonexistent attributes in ValidationError
  • #5988 Don’t connect to memcache in session manager on module import
  • #5991 Principal does not get created when I add a certificate with «Add principal» checkbox checked
  • #5995 full IPA restore fails due to unsuccessful client API initialization
  • #5996 ipa-replica-install failure: Insufficient access: Insufficient ‘add’ privilege to add the entry ‘krbprincipalname=ldap/…
  • #5999 Some cert commands are missing the --ca option
  • #6000 `test_serverroles` suite uses incorrect LDAP uri when ran together with other tests
  • #6003 execution of copy-schema script fails
  • #6004 Fix `Conflicts` with ipa-python
  • #6009 *-show option «--all» newly requires argument
  • #6011 upgrade failed for 4.4 alpha from 4.2.3.?

Detailed Changelog since 4.3.1

Abhijeet Kasurde (12)

  • Added kpasswd_server directive in client krb5.conf
  • Fixed login error message box in LoginScreen page
  • Added fix for notifying user about Kerberos principal expiration in WebUI
  • Added description related to ‘status’ in ipactl man page
  • Added warning to user for Internet Explorer
  • Added fix for notifying user about locked user account in WebUI
  • Updated ipa command man page
  • Fix added to ipa-compat-manage command line help
  • Removed custom implementation of CalledProcessError
  • Replaced find_hostname with api.env.host
  • Added exception handling for mal-formatted XML Parsing
  • Added missing translation to automount.py method

Alexander Bokovoy (11)

  • slapi-nis: update configuration to allow external members of IPA groups
  • extdom: do not fail to process error case when no request is specified
  • otptoken: support Python 3 for the qr code
  • trusts: Add support for an external trust to Active Directory domain
  • adtrust: remove nttrustpartner parameter
  • adtrust: remove nttrustpartner parameter
  • adtrust: support GSSAPI authentication to LDAP as Active Directory user
  • adtrust: support UPNs for trusted domain users
  • webui: show UPN suffixes in trust properties
  • webui: support external flag to trust-add
  • adtrust: optimize forest root LDAP filter

Christian Heimes (3)

  • Require Dogtag 10.2.6-13 to fix KRA uninstall
  • Modernize mod_nss’s cipher suites
  • Move user/group constants for PKI and DS into ipaplatform

David Kupka (35)

  • installer: Propagate option values from components instead of copying them.
  • installer: Fix logic of reading option values from cache.
  • ipa-dns-install: Do not check for zone overlap when DNS installed.
  • ipa-replica-prepare: Add ‘--auto-reverse’ and ‘--allow-zone-overlap’ options
  • installer: Change reverse zones question to better reflect reality.
  • Fix: Use unattended parameter instead of options.unattended
  • CI: Add ‘2-connected’ topology generator.
  • CI: Add simple replication test in 2-connected topology.
  • CI: Add test for 2-connected topology generator.
  • CI: Fix pep8 errors in 2-connected topology generator
  • CI: add empty topology test for 2-connected topology generator
  • CI: Add double circle topology.
  • CI: Add replication test utilizing double-circle topology.
  • CI: Add test for double-circle topology generator.
  • CI: Make double circle topology python3 compatible
  • upgrade: Match whole pre/post command not just basename.
  • dsinstance: add start_tracking_certificates method
  • httpinstance: add start_tracking_certificates method
  • Look up HTTPD_USER’s UID and GID during installation.
  • test: test_cli: Do not expect defaults in kwargs.
  • man: Decribe ipa-client-install workaround for broken D-Bus enviroment.
  • installer: positional_arguments must be tuple or list of strings
  • installer: index() raises ValueError
  • Remove unused locking «context manager»
  • schema: Add fingerprint and TTL
  • schema: Add known_fingerprints option to schema command
  • schema: Cache schema in api instance
  • schema: return fingerprint as unicode text
  • env: Add ‘server’ variable to api.env
  • schema: Caching on schema on client
  • test: automember: Fix expected exception message
  • test: cert: Reflect change in behavior in tests
  • schema: Decrease schema TTL to one hour
  • schema: Perform the check for schema update when force_schema_check is True
  • Allow unexpiring passwords

Filip Skola (9)

  • Refactor test_user_plugin, use UserTracker for tests
  • Refactor test_replace
  • Refactor test_attr
  • Refactor test_sudocmd_plugin
  • Refactor test_sudocmdgroup_plugin
  • Refactor test_group_plugin, use GroupTracker for tests
  • Refactor test_nesting, create HostGroupTracker
  • Refactor test_hostgroup_plugin
  • Refactor test_automember_plugin, create AutomemberTracker

Florence Blanc-Renaud (9)

  • Add missing CA options to the manpage for ipa-replica-install
  • Add the culprit line when a configuration file has an incorrect format
  • add context to exception on LdapEntry decode error
  • batch command can be used to trigger internal errors on server
  • Always qualify requests for admin in ipa-replica-conncheck
  • Report missing certificate in external trust chain
  • Do not allow installation in FIPS mode
  • Fix ipa-server-certinstall with certs signed by 3rd-party CA
  • Do not log error when removing a non-existing file

Fraser Tweedale (37)

  • Do not decode HTTP reason phrase from Dogtag
  • Remove workaround for CA running check
  • caacl: correctly handle full user principal name
  • Prevent replica install from overwriting cert profiles
  • Detect and repair incorrect caIPAserviceCert config
  • Remove service and host cert issuer validation
  • Allow CustodiaClient to be used by arbitrary principals
  • Load server plugins in certmonger renewal helper
  • Add ACIs for Dogtag custodia client
  • Optionally add service name to Custodia key DNs
  • Setup lightweight CA key retrieval on install/upgrade
  • Authorise CA Agent to manage lightweight CAs
  • Add custodia store for lightweight CA key replication
  • Add ‘ca’ plugin
  • Add IPA CA entry on install / upgrade
  • Update ‘caacl’ plugin to support lightweight CAs
  • Add CA argument to ra.request_certificate
  • Update cert-request to allow specifying CA
  • Add issuer options to cert-show and cert-find
  • replica-install: configure key retriever before starting Dogtag
  • upgrade: do not try to start CA if not configured
  • restart scripts: bootstrap api with in_server=True
  • Require Dogtag >= 10.3.3
  • Fix IssuerDN presence check in cert search result
  • Set default OCSP URI on install and upgrade
  • ipaldap: turn LDAP filter utility functions into class methods
  • Skip CS.cfg update if cert nickname not known
  • Update lightweight CA serial after renewal
  • ipa-certupdate: track lightweight CA certificates
  • cert-find: fix ‘issuer’ option
  • cert-request: better error msg when ‘add’ not supported
  • Check for CA subject name collision before attempting creation
  • Add --ca option to cert-revoke and cert-remove-hold
  • Split CA replica installation steps for domain level 0
  • Fix migration from pre-lightweight CAs master
  • Add --cn option to cert-status
  • Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3

Gabe Alford (1)

  • ipa-nis-manage enable: change service name from ‘portmap’ to ‘rpcbind’

Jakub Hrozek (1)

  • sudo: Fix a typo in the --help output of sudocmdgroup

James Groffen (1)

  • Set close button type attribute to ‘button’.

Jan Barta (1)

  • pylint: fix: multiple-statements

Jan Cholasta (139)

  • ipautil: remove unused import causing cyclic import in tests
  • ipalib: assume version 2.0 when skip_version_check is enabled
  • ipapython: remove default_encoding_utf8
  • ipapython: port p11helper C code to Python
  • ipapython: use python-cryptography instead of libcrypto in p11helper
  • spec file: package python-ipalib as noarch
  • cert renewal: import all external CA certs on IPA CA cert renewal
  • replica install: validate DS and HTTP server certificates
  • replica promotion: fix AVC denials in remote connection check
  • cacert install: fix trust chain validation
  • client: stop using /etc/pki/nssdb
  • ipalib: provide per-call command context
  • ipalib: add convenient Command method for adding messages
  • certdb: never use the -r option of certutil
  • spec file: bump minimum required pki-core version
  • build: fix client-only build
  • makeapi: use the same formatting for `int` and `long` values
  • replica install: do not set CA renewal master flag
  • rpc: do not crash when unable to parse JSON
  • parameters: remove unused ConversionError and ValidationError arguments
  • rpc: include structured error information in responses
  • frontend: re-raise remote RequirementError using CLI name in CLI
  • frontend: remove the unused Command.soft_validate method
  • frontend: perform argument value validation only on server
  • batch: do not crash when no argument is specified
  • ipalib: make optional positional command arguments actually optional
  • frontend: do not forward unspecified positional arguments to server
  • user: do not assume the preserve flags have value in user_del
  • frontend: do not forward argument defaults to server
  • makeapi: optimize API.txt
  • ipalib: remove the unused `csv` argument of Param
  • makeaci: load additional plugins using API.add_module
  • plugable: replace API.import_plugins with new API.add_package
  • ipalib, ipaserver: migrate all plugins to Registry-based registration
  • ipalib, ipaserver: fix incorrect API.register calls in docstrings
  • plugable: remove the unused deprecated API.register method
  • plugable: switch API to Registry-based plugin discovery
  • frontend: merge baseldap.CallbackRegistry into Command
  • frontend: move the interactive_prompt callback type to Command
  • automount: do not inherit automountlocation_import from LDAPQuery
  • dns: move code called on client to the module level
  • dns: do not rely on server data structures in code called on client
  • otptoken: fix import of DN
  • otptoken_yubikey: fix otptoken_add_yubikey arguments
  • vault: move client-side code to the module level
  • vault: copy arguments of client commands from server counterparts
  • ipalib: use relative imports for cross-plugin imports
  • frontend: allow commands to have an argument named `name`
  • cli: make optional positional command arguments actually optional
  • dns: fix dnsrecord interactive mode
  • ipaclient: introduce ipaclient.plugins
  • ipalib: move client-side plugins to ipaclient
  • help, makeapi: allow setting command topic explicitly
  • help, makeapi: specify module topic by name
  • help, makeapi: do not use hardcoded plugin package name
  • plugable: turn Plugin attributes into properties
  • plugable: simplify API plugin initialization code
  • plugable: remember overriden plugins in API
  • frontend: turn Method attributes into properties
  • ipaclient: add client-side command override class
  • dns: move code shared by client and server to separate module
  • ipalib: split off client-side plugin code into ipaclient
  • parameters: introduce cli_metavar keyword argument
  • parameters: introduce no_convert keyword argument
  • ipalib: replace DeprecatedParam with `deprecated` Param argument
  • ipalib: introduce API schema plugins
  • rpc: respect API config in RPCClient.create_connection
  • rpc: allow overriding NSS DB directory in API config
  • rpc: specify connection options in API config
  • rpc: optimize JSON-RPC response handling
  • rpc: do not validate command name in RPCClient.forward
  • client install: finalize API after CA certs are available
  • ipactl: use server API
  • ipalib: move File command arguments to ipaclient
  • misc: hide the unused --all option of `env` and `plugins` in CLI
  • ipaclient: implement thin client
  • ipalib: move server-side plugins to ipaserver
  • frontend: do not check API minor version of the client
  • schema: do not validate unrequested params in command_defaults
  • replica install: use remote server API to create service entries
  • schema: fix topic command output
  • schema: fix typo
  • spec file: require correct packages to get API plugins
  • plugable: allow plugins to be non-classes
  • plugable: initialize plugins on demand
  • schema: generate client-side commands on demand
  • batch, schema: use Dict instead of Any
  • misc: fix empty CLI output of `env` and `plugins` commands
  • dns, passwd: fix outputs of `dns_resolve` and `passwd` commands
  • frontend: call `execute` rather than `forward` in Local
  • schema: exclude local commands
  • schema: fix client-side dynamic defaults
  • makeaci, makeapi: use in-server API
  • frontend: don’t copy command arguments to output params
  • frontend: skip `value` output in output_for_cli
  • frontend: do not crash on missing output in output_for_cli
  • automember: add object plugin for automember_rebuild
  • dns: do not rely on custom param fields in record attributes
  • misc: skip `count` and `total` output in env.output_for_cli
  • passwd: handle sort order of passwd argument on the client
  • permission: handle ipapermright deprecated CLI alias on the client
  • schema: add object class schema
  • schema: remove output_params
  • schema: merge command args and options
  • schema: remove redundant information
  • schema: remove `no_cli` from command schema
  • replica install: fix thin client regression
  • ldap: fix handling of binary data in search filters
  • cert: add object plugin
  • cert: add owner information
  • cert: allow search by certificate
  • dns: fix dns_update_system_records to work with thin client
  • schema: fix param default value handling
  • schema: do not crash in command_defaults if argument is None
  • automember: fix automember to work with thin client
  • schema: client-side code cleanup
  • misc: generate `plugins` result directly in the command
  • plugable: use plugin class as the key in API namespaces
  • plugable: support plugin versioning
  • schema: support plugin versioning
  • frontend: forward command calls using full name
  • schema: fix Flag arguments on the client
  • schema: properly fix Flag arguments on the client
  • backup: use in-server API in ipa-backup and ipa-restore
  • replica install: don’t allow install against a newer server
  • session: move the session module from ipalib to ipaserver
  • session: do not initialize session manager on import
  • xmlserver: initialize RPC server plugins only in server context
  • makeaci, makeapi, oddjob: use the default API context
  • server: define missing virtual attributes
  • user: add object plugin for user_status
  • frontend: do not ignore client-side output params
  • cert: fix CLI output of cert_remove_hold
  • plugable: add option to ignore override errors
  • client: ignore override errors in command overrides
  • client: add placeholders for required remote plugins
  • server: exclude Local commands from RPC
  • client: do not crash when overriding remote command as method
  • client: add support for pre-schema servers

Jérôme Fenal (1)

  • Fix the man page part for shorter sentences, to avoid dual understanding, and punctuation, all spotted while translating to French.

Lenka Doudova (12)

  • WebUI tests: fix failing of tests due to unclickable label
  • WebUI test: ID views
  • WebUI: Test creating user without private group
  • Test fix: Cleanup for host certificate
  • Test: Maximum username length higher than 255 cannot be set
  • Tests: Fix for failing location tests
  • Tests: Fix ipatests/test_ipaserver/test_rpcserver.py
  • Tests: Make ID views tests reflect new krbcanonicalname attribute
  • Tests: Fix failing ipatests/test_ipalib/test_errors.py
  • Tests: Remove DNS configuration from trust tests
  • Tests: Fix failing tests in ipatests/test_ipalib/test_frontend.py
  • Tests: Fix frontend tests

Ludwig Krispenz (2)

  • prevent moving of topology entries out of managed scope by modrdn operations
  • v2 — avoid crash in topology plugin when host list contains host with no hostname

Lukáš Slebodník (6)

  • extdom: Remove unused macro
  • IPA-SAM: Fix build with samba 4.4
  • CONFIGURE: Replace obsolete macros
  • ipa-sam: Do not redefine LDAP_PAGE_SIZE
  • SPEC: Remove unused build dependency on libwbclient
  • BUILD: Remove detection of libcheck

Martin Babinsky (68)

  • raise more descriptive Backend connection-related exceptions
  • harden domain level 1 topology connectivity checks
  • ipalib/x509.py: revert deletion of ipalib api import
  • prevent crash of CA-less server upgrade due to absent certmonger
  • use FFI call to rpmvercmp function for version comparison
  • tests for package version comparison
  • fix Py3 incompatible exception instantiation in replica install code
  • ipa-csreplica-manage: remove extraneous ldap2 connection
  • IPA upgrade: move replication ACIs to the mapping tree entry
  • uninstallation: more robust check for master removal from topology
  • correctly set LDAP bind related attributes when setting up replication
  • disable RA plugins when promoting a replica from CA-less master
  • fix standalone installation of externally signed CA on IPA master
  • reset ldap.conf to point to newly installed replica after promotion
  • always start certmonger during IPA server configuration upgrade
  • upgrade: unconditional import of certificate profiles into LDAP
  • CI tests: use old schema when testing hostmask-based sudo rules
  • use LDAPS during standalone CA/KRA subsystem deployment
  • test_cert_plugin: use only first part of the hostname to construct short name
  • only search for Kerberos SRV records when autodiscovery was requested
  • spec: add conflict with bind-chroot to freeipa-server-dns
  • spec: require python-cryptography newer than 0.9
  • ipa-replica-manage: print traceback on unexpected error when in verbose mode
  • otptoken-add: improve the robustness of QR code printing
  • differentiate between limit types when LDAP search exceeds configured limits
  • specify type of exceeded limit when warning about truncated search results
  • replica-prepare: do not add PTR records if there is no IPA managed reverse zone
  • Server Roles: definitions of server roles and attributes
  • Server Roles: Backend plugin to query roles and attributes
  • Test suite for `serverroles` backend
  • Server Roles: public API for server roles
  • Server Roles: make server-{show,find} utilize role information
  • Server Roles: make *config-show consume relevant roles/attributes
  • Server Roles: provide an API for setting CA renewal master
  • Add NTP to the list of services stored in IPA masters LDAP subtree
  • Introduce "NTP server" role
  • ipaserver module for working with managed topology
  • delegate removal of master DNS record and replica keys to separate functions
  • server-del: perform full master removal in managed topology
  • CI test suite for `server-del`
  • ipa-replica-manage: use `server_del` when removing domain level 1 replica
  • remove the master from managed topology during uninstallation
  • Fix listing of enabled roles in `server-find`
  • Do not update result of *-config-show with empty server attributes
  • server-del: harden check for last roles
  • perform case-insensitive principal search when canonicalization is requested
  • mark ‘ipaKrbPrincipalAlias’ attribute as deprecated in schema
  • add case-insensitive matching rule to krbprincipalname index
  • add krbCanonicalName to attributes watched by MODRDN plugin
  • ipa-kdb: set krbCanonicalName when creating new principals
  • ipa-enrollment: set krbCanonicalName attribute on enrolled host entry
  • IPA API: set krbcanonicalname instead of ipakrbprincipalalias on new entities
  • set krbcanonicalname on host entry during krbinstance configuration
  • account for added krbcanonicalname attribute during xmlrpc tests
  • Fix incorrect construction of service principal during replica cleanup
  • keep setting ipakrbprincipal objectclass on new service entries
  • test_serverroles: ensure that test API is initialized with correct ldap_uri
  • test-{service,host}-plugin: only expect krbcanonicalname when all=True
  • ipapython module for Kerberos principal manipulation and parsing
  • Test suite for `ipapython/kerberos.py`
  • ipalib: introduce Principal parameter
  • Migrate management framework plugins to use Principal parameter
  • Add ACI for admins to modify principal attributes
  • replace an ACI relying on presence of deprecated objectclass
  • Allow for commands that use positional parameters to add/remove attributes
  • Make framework consider krbcanonicalname as service primary key
  • Provide API for management of host, service, and user principal aliases
  • Unify display of principal names/aliases across entities

Martin Bašti (162)

  • Fix DNS tests: dns-resolve returns warning
  • Remove unused code in server installer related to KRA
  • Fix version comparison
  • Fix: replace mkdir with chmod
  • Use module variables for timedate_services
  • Remove empty test file
  • Remove unused imports
  • Remove wildcard imports
  • Enable multiple warnings checks in Pylint
  • Enable pylint lost exception check
  • Enable pylint duplicated-key check
  • Enable pylint trailing-whitespace check
  • Enable pylint missing-final-newline check
  • Enable pylint unused-format-string-key check
  • Enable pylint expression-not-assigned check
  • Enable pylint empty-docstring check
  • Enable pylint unnecessary-pass check
  • update_uniqueness plugin: fix referenced before assignment error
  • Allow to use mixed case for sysrestore
  • Upgrade: Fix upgrade of NIS Server configuration
  • DNSSEC test: fix adding zones with --skip-overlap-check
  • DNSSEC CI: add missing ldns-utils dependency
  • Enable pylint unpacking-non-sequence check
  • Enable pylint unbalanced-tuple-unpacking check
  • CI test: fix regression in task.install_kra
  • Warn about potential loss of CA, KRA, DNSSEC during uninstall
  • Fix: uninstall does not stop named-pkcs11 and ipa-ods-exporter
  • Exclude o=ipaca subtree from Retro Changelog (syncrepl)
  • Fix DNSSEC test: add glue record
  • Warn user when ipa *-find reach limit
  • DNSSEC CI: fix zone delegations
  • make lint: use config file and plugin for pylint
  • Upgrade: log to ipaupgrade.log when IPA server is not installed
  • Disable new pylint checks
  • Py3: do not use dict.iteritems()
  • upgrade: fix config of sidgen and extdom plugins
  • trusts: use ipaNTTrustPartner attribute to detect trust entries
  • Warn user if trust is broken
  • fix upgrade: wait for proper DS socket after DS restart
  • Revert "test: Temporarily increase timeout in vault test."
  • Remove duplicated except
  • Pylint: add missing attributes of errors to definitions
  • fix permission: Read Replication Agreements
  • Make PTR records check optional for IPA installation
  • Fix connections to DS during installation
  • pylint: suppress false positive no-member errors
  • CI: allow customized DS install test to work with domain levels
  • fix suspicious except statements
  • Remove unused arguments from update_ssh_keys method
  • Configure 389ds with «default» cipher suite
  • krb5conf: use ‘true’ instead of ‘yes’ for forwardable option
  • stageuser-activate: Normalize manager value
  • Remove redundant parameters from CS.cfg in dogtaginstance
  • Use platform path constant for SSSD log dir
  • Fix broken trust warnings
  • spec: Add missing dependencies to python*-ipalib package
  • client: enable ChallengeResponseAuthentication in sshd_config
  • pylint: remove bare except
  • Pylint: fix definition of global variables
  • Pylint: enable pointless-except check
  • Pylint: enable reimported check
  • Pylint: use list comprehension instead of iteration
  • Pylint: import max one module per line
  • Pylint: remove unnecessary-semicolon
  • Pylint: enable invalid-name check
  • SPEC: do not run upgrade when ipa server is not installed
  • Fix: catch Exception instead of more specific exception types
  • Fix stageuser-activate — managers test
  • Add missing pre_common_callback to stageuser_add
  • host_del: fix removal of host records
  • host_del: replace dns-record find command with show
  • host_del: remove unneeded dnszone-show command call
  • host_del: split removing A/AAAA and PTR records to separate functions
  • host_del: remove only A, AAAA, SSHFP, PTR records
  • host_del: update help for --updatedns option
  • host-del --updatedns: print warnings instead of error
  • Use netifaces module instead of ‘ip’ command
  • Limit max username length to 255 in config-mod
  • Increase API version for ‘ipamaxusernamelength’ attribute change
  • Configure httpd service from installer instead of directly from RPM
  • Performance: don’t download password attributes in host/user-find
  • Do not do extra search for ipasshpubkey to generate fingerprints
  • Always set hostname
  • Remove deprecated hostname restoration from Fedora18
  • Remove unused hostname variables
  • Log errors from backup_and_replace hostname to logger
  • Tasks: raise NotImplementedError for not implemented methods
  • fix stageuser tests (removal of has_keytab and has_password from find)
  • make: fail when ACI.txt or API.txt differs from values in source code
  • ipactl: advertise --ignore-service-failure option
  • Remove unused variable and finally block in SchemaCache
  • Fix referenced before assignment variables in except statements
  • Upgrade: always start CA
  • Remove unused variables in automount plugin
  • fix pylint false positive errors
  • Translations: remove deprecated locale configuration
  • Make option --no-members public in CLI
  • Performance: Find commands: do not process members by default
  • Test: fix failing host_test
  • Fix: replace incorrect no_cli with no_option flag
  • Fix: topologysuffix_find doesn’t have no_members option
  • DNS Locations: Always create DNS related privileges
  • DNS Locations: add new attributes and objectclasses
  • DNS Locations: location-* commands
  • DNS Locations: API tests
  • Allow to use non-Str attributes as keys for members
  • DNS Locations: extend server-* command with locations
  • DNS Location: location-show: return list of servers in location
  • DNS Locations: when removing location remove it from servers first
  • DNS Locations: extend tests with server-* commands
  • Upgrade mod_wsgi socket-timeout on existing installation
  • Exclude unneeded dirs and files from pylint check
  • Fix resolve_rrsets: RRSet is not hashable
  • Revert "adtrust: remove nttrustpartner parameter"
  • Fix: Local variable s_indent might be referenced before defined
  • Revert "Switch /usr/bin/ipa to Python 3"
  • Use python2 for ipa cli
  • DNS Locations: add index for ipalocation attribute
  • DNS Locations: fix location-del
  • DNS Locations: add idnsTemplateObject objectclass
  • DNS Locations: DNS data management
  • DNS Locations: permission: allow to read status of services
  • DNS Locations: add ACI for template attribute
  • DNS Locations: command dns-update-system-records
  • DNS Locations: use dns_update_service_records in installers
  • DNS Locations: adtrustinstance simplify dns management
  • DNS Locations: use automatic records update in ipa-adtrust-install
  • DNS Locations: server-mod: add automatic records update
  • DNS Locations: dnsservers: add required objectclasses
  • DNS Locations: dnsserver-* commands
  • DNS Locations: dnsserver: put server_id option into named.conf
  • DNS Locations: dnsserver: use the newer config way in installer
  • DNS Locations: dnsserver: remove config when replica is removed
  • DNS Locations: set proper substitution variable
  • DNS Locations: require to restart named-pkcs11 after location change
  • DNS Locations: show warning if there is no DNS servers in location
  • DNS Locations: prevent to remove used locations
  • DNS Locations: do not generate location records for unused locations
  • DNS Locations: location-del: remove location record
  • DNS Locations: Rename ipalocationweight to ipaserviceweight
  • DNS Locations: generate NTP records
  • upgrade: don’t fail if zone does not exist in find
  • DNS Location: add list of roles and DNS servers to location-show
  • DNS Locations: dnsserver: print specific error when DNS is not installed
  • Fix possibly undefined variable in ipa_smb_conf_exists()
  • Updated IPA translations
  • Replica promotion: use the correct IPA domain for replica
  • Server-del: fix system records removal
  • Increase ipa-getkeytab LDAP timeout to 100sec
  • DNS Locations: server-mod: fix if statement
  • ipa-rmkeytab, ipa-join: don’t fail if init of gettext failed
  • Revert "DNS Locations: do not generate location records for unused locations"
  • DNS Locations: hide option --no-msdcs in adtrust-install
  • DNS Locations: optimization: use server-find to get information
  • DNS Locations: cleanup of bininstance
  • CA replica promotion: add proper CA DNS records
  • Fix replica install with CA
  • cert.py split module docstring to multiple ugetext string
  • Add option --no-log for ipa-replica-conncheck script
  • Do not log to file in remote conncheck side
  • Bump SSSD version in requires
  • IPA 4.4.0 Translations

Martin Košek (2)

  • Update Developers in Contributors.txt
  • Update Contributors.txt

Matt Rogers (1)

  • ipa_kdb: add krbPrincipalAuthInd handling

Michael Simacek (1)

  • Fix bytes/string handling in rpc

Milan Kubík (11)

  • ipatests: replace the test-example.com domain in tests
  • ipatests: Roll back the forwarder config after a test case
  • ipatests: Fix configuration problems in dns tests
  • ipatests: Make the A record for hosts in topology conditional
  • ipatests: fix the install of external ca
  • ipatests: Add missing certificate profile fixture
  • ipatests: extend permission plugin test with new expected output
  • spec file: rename the python-polib dependency name to python2-polib
  • ipatests: fix for change_principal context manager
  • ipatests: Add test case for requesting a certificate with full principal.
  • spec: Add python-sssdconfig dependency for python-ipatests package

Nathaniel McCallum (8)

  • Don’t error when find_base() fails if a base is not required
  • Rename syncreq.[ch] to otpctrl.[ch]
  • Ensure that ipa-otpd bind auths validate an OTP
  • Return password-only preauth if passwords are allowed
  • Enable authentication indicators for OTP and RADIUS
  • Migrate from #ifndef guards to #pragma once
  • Enable service authentication indicator management
  • Add authentication indicators support to Host objects

Oleg Fayans (26)

  • CI tests: Enabled automatic creation of reverse zone during master installation
  • CI tests: Added domain realm as a parameter to master installation in integration tests
  • Fixed install_ca and install_kra under domain level 0
  • fixed an issue with master installation not creating reverse zone
  • Enabled recreation of test directory in apply_common_fixes function
  • Updated connect/disconnect replica to work with both domainlevels
  • Removed --ip-address option from replica installation
  • Removed messing around with resolv.conf
  • Integration tests for replica promotion feature
  • Enabled setting domain level explicitly in test class
  • Removed a constantly failing call to prepare_host
  • Made apply_common_fixes call at replica installation independent on domain_level
  • Workaround for ticket 5627
  • Added copyright info to replica promotion tests
  • rewrite a misprocessed teardown_method method as a custom decorator
  • Reverted changes in mh fixture causing some tests to fail
  • Fixed a bug with prepare_host failing upon existing ipatests folder
  • Added a kdestroy call to clean ccache at master/client uninstallation
  • Added 5 more tests to Replica Promotion testsuite
  • Fixed a failure in legacy_client tests
  • Add test if replica is working after domain upgrade
  • Improve reporting of failed tests in topology test suite
  • Bugfixes in managed topology tests
  • A workaround for ticket N 5348
  • Added necessary A record for the replica to root zone
  • Increased certmonger timeout

Patrice Duc-Jacquet (2)

  • Incorrect message when KRA already installed
  • Add more information regarding where to find revocation reason in "ipa cert_revoke -h" and "ipa cert_find -h".

Pavel Vomacka (69)

  • Add tool tips for Revert, Refresh, Undo, and Undo All
  • Add support for the ‘user’ url parameter for the reset_password.html
  • Add validation to Issue new certificate dialog
  • Add pan and zoom functionality to the topology graph
  • Nodes stay fixed after initial animation.
  • Add field for group id in user add dialog
  • Resize topology graph canvas according to window size
  • Add X-Frame-Options and frame-ancestors options
  • Add activate option to stage user details page
  • Add ‘skip overlap check’ checkbox into add zone dialog
  • Add ‘skip overlap check’ checkbox to the add dns forward zone dialog
  • Add option to show OTP when adding host
  • Update the delete dialog on details user page
  • Add ability to stage multiple users
  • Add option to stage user from details page
  • Change lang.hitch to javascript bind method
  • Change ‘Restore’ to ‘Remove Hold’
  • Extend the certificate request dialog
  • Auth Indicators WebUI part
  • Fix bad searching of reverse DNS zone
  • Add adapter attribute for choosing record
  • DNS Locations: WebUI part
  • Add lists of hosts allowed to create or retrieve keytabs
  • Correct a jslint warning
  • Association table can be read only
  • Extend table facet
  • Add server roles on topology page
  • Search facet can be without search field
  • Add ability to review cert request dialog
  • Add new webui plugin — ca
  • Extend certificate entity page
  • Extend caacl entity
  • Make Actions string translatable
  • Extend DNS config page
  • Extend trust config page
  • Add creating a segment using mouse
  • Add listener which opens add segment dialog
  • Add placeholder to add segment dialog
  • Add DNS default TTL field
  • Allow to set weight of a server without location
  • DNS Servers: Web UI part
  • Add support for custom menu in multivalued widget
  • Extends functionality of DropdownWidget
  • Add working widget
  • Add ability to turn off activity icon
  • Add Object adapter
  • Refactored certificate view and remove hold dialog
  • Changed the way how to handle remove hold and revoke actions
  • Remove old useless actions — get and view
  • Add widget for showing multiple certificates
  • Add certificate widget
  • Add new certificates widget to the user details page
  • Add new certificates widget to the host details page. Also extends evaluator and add support for adapters.
  • Add new certificates widget to the service details page
  • Updated certificates table
  • Add new custom command multivalued widget
  • Add button for dns_update_system_records command
  • Add certificate widget to ID override user details page.
  • Add authentication identificator to host page
  • Change paths of strings in auth indicators widget on service page
  • Simplify the confirmation messages
  • Add support to change button css class on confirm dialog
  • Add button for server-del command
  • Change error handling in custom_command_multivalued_widget
  • Set default confirmation button label to ‘Remove’
  • Add widgets for kerberos aliases
  • Add widget for kerberos aliases to user page
  • Add widget for kerberos aliases to hosts page
  • Add widget for kerberos aliases to service page

Peter Lacko (1)

  • Ping module tests.

Petr Viktorin (46)

  • Package ipapython, ipalib, ipaplatform, ipatests for Python 3
  • Use explicit truncating division
  • Don’t index exceptions directly
  • Use print_function future definition wherever print() is used
  • Alias "unicode" to "str" under Python 3
  • Avoid builtins that were removed in Python 3
  • dnsutil: Rename __nonzero__ to __bool__
  • Remove deprecated contrib/RHEL4
  • make-lint: Allow running pylint --py3k to detect Python3 issues
  • Split ipa-client/ into ipaclient/ (Python library) and client/ (C, scripts)
  • test_parameters: Ignore specific error message
  • ipaldap, ldapupdate: Encoding fixes for Python 3
  • ipautil.run, kernel_keyring: Encoding fixes for Python 3
  • tests: Use absolute imports
  • ipautil: Use mode ‘w+’ in write_tmp_file
  • test_util: str/bytes check fixes for Python 3
  • p11helper: Port to Python 3
  • cli: Don’t encode/decode for stdin/stdout on Python 3
  • Package python3-ipaclient
  • Move get_ipa_basedn from ipautil to ipadiscovery
  • ipadiscovery: Decode to unicode in ipacheckldap(), get_ipa_basedn()
  • ipapython.sysrestore: Use str methods instead of functions from the string module
  • ipalib.x809: Accept bytes for make_pem
  • dns plugin: Fix zone normalization under Python 3
  • sysrestore: Iterate over a list of dict keys
  • test_xmlrpc: Use absolute imports
  • xmlrpc_test: Rename exception instance before working with it
  • radiusproxy plugin: Use str(error) rather than error.message
  • xmlrpc_test: Expect bytes rather than strings for binary attributes
  • ipalib.rpc: Send base64-encoded data as string under Python 3
  • range plugin tests: Use bytes with MockLDAP under Python 3
  • radiusproxy plugin tests: Expect bytes, not text, for ipatokenradiussecret
  • certprofile plugin: Use binary mode for file with binary data
  • test_add_remove_cert_cmd: Use bytes for base64.b64encode()
  • Switch /usr/bin/ipa to Python 3
  • Fix remaining relative import and enable Pylint check
  • ipalib.cli: Improve reporting of binary values in the CLI
  • test_cert_plugin: Encode ‘certificate’ for comparison with ‘usercertificate’
  • ipaldap: Keep attribute names as text, not bytes
  • ipapython.secrets.kem: Use ConfigParser from six.moves
  • test_topology_plugin: Don’t rely on order of an attribute’s values
  • test_rpcserver: Expect updated error message under Python 3
  • ipaplatform.redhat: Use bytestrings when calling rpm.so for version comparison
  • test_ipaserver.test_ldap: Use bytestrings for raw LDAP values
  • ipaldap: Convert dict items to list before iterating
  • test_ipaserver.test_ldap: Adjust tests to Python 3’s KeyView

Petr Voborník (19)

  • Bump 4.4 development version to 4.3.90
  • webui: add examples to network address validator error message
  • webui: pwpolicy cospriority field was marked as required
  • spec: do not require arch specific ipalib package from noarch packages
  • webui: display server suffixes in server search page
  • stop installer when setup-ds.pl fail
  • webui: crash nicely if sessionStorage is not available
  • webui: remove moot error from webui build
  • webui: use API call ca_is_enabled instead of enable_ra env variable.
  • webui: fixed showing of success message after password change on login
  • advise: configure TLS in redhat_nss_pam_ldapd and redhat_nss_ldap plugins
  • cookie parser: do not fail on cookie with empty value
  • fix incorrect name of ipa-winsync-migrate command in help
  • webui: fail nicely if cookies are disabled
  • ipa-client-install: fix typo in nslcd service name
  • Become IPA 4.4.0 Alpha 1
  • mod_auth_gssapi: enable unique credential caches names
  • webui: prevent infinite reload for users with krbbprincipal alias set
  • Become IPA 4.4.0

Petr Špaček (60)

  • dns: Handle SERVFAIL in check if domain already exists.
  • DNSSEC: Improve error reporting from ipa-ods-exporter
  • DNSSEC: Make sure that current state in OpenDNSSEC matches key state in LDAP
  • DNSSEC: Make sure that current key state in LDAP matches key state in BIND
  • DNSSEC: remove obsolete TODO note
  • DNSSEC: add debug mode to ldapkeydb.py
  • DNSSEC: logging improvements in ipa-ods-exporter
  • DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
  • DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP
  • DNSSEC: ipa-ods-exporter: add ldap-cleanup command
  • DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
  • DNSSEC: Log debug messages at log level DEBUG
  • Fix --auto-reverse option in --unattended mode.
  • Fix dns_is_enabled() API command to throw exceptions as appropriate
  • Fix DNS zone overlap check to allow ipa-replica-install to work
  • Fix ipa-adtrust-install to always generate SRV records with FQDNs
  • Fix URL for reporting bugs in strings
  • Pylint: enable parallelism
  • Makefile: replace perl with sed
  • Remove function ipapython.ipautil.host_exists()
  • Extend installers with --forward-policy option
  • Move automatic empty zone list into ipapython.dnsutil and make it reusable
  • Add assert_absolute_dnsname() helper to ipapython.dnsutil
  • Move function is_auto_empty_zone() into ipapython.dnsutil
  • Use shared sanity check and tests ipapython.dnsutil.is_auto_empty_zone()
  • Add function ipapython.dnsutil.inside_auto_empty_zone()
  • Auto-detect default value for --forward-policy option in installers
  • ipa-nis-manage: Replace text references to compat plugin with NIS
  • ipa-nis-manage: mention return code 3 in man page
  • DNS: Fix upgrade — master to forward zone transformation
  • DNS installer: accept --auto-forwarders option in unattended mode
  • Remove unused file install/share/fedora-ds.init.patch
  • Batch command: avoid accessing potentially undefined context.principal
  • pylint: replace Refactor category with individual check names
  • ipa-nis-manage: add status option
  • DNS: Warn if forwarding policy conflicts with automatic empty zones
  • Move check_zone_overlap() from ipapython.ipautil to ipapython.dnsutil
  • Use root_logger for verify_host_resolvable()
  • Move IP address resolution from ipaserver.install.installutils to ipapython.dnsutil
  • Turn verify_host_resolvable() into a wrapper around ipapython.dnsutil
  • Add ipaDNSVersion option to dnsconfig* commands and use new attribute
  • DNS upgrade: separate backup logic to make it reusable
  • Add function ipapython.dnsutil.related_to_auto_empty_zone()
  • DNS upgrade: change forwarding policy to = only for conflicting forward zones
  • DNS upgrade: change global forwarding policy in LDAP to "only" if private IPs are used
  • DNS upgrade: change global forwarding policy in named.conf to "only" if private IPs are used
  • Require 389-ds-base >= 1.3.5.6
  • DNS Locations: make ipa-ca record generation more robust
  • DNS: Support default TTL setting for master DNS zones
  • DNS: Warn about restart when default TTL setting DNS is changed
  • DNS: Fix realm domains integration with DNS zone add.
  • client: Share validator and domain name normalization with server install
  • DNS: Fix tests for realm domains integration with DNS zone add
  • client-install: do not fail if DNS times out during DNS update generation
  • Use NSS for name->resolution in IPA installer
  • DNS: Remove unnecessary DNS check from installer
  • DNS: Reinitialize DNS resolver after changing resolv.conf
  • Fix `Conflicts` with ipa-python
  • Remove unused is_local(), interface, and defaultnet from CheckedIPAddress
  • Fix internal errors in host-add and other commands caused by DNS resolution

Simo Sorce (6)

  • Use only AES enctypes by default
  • Always verify we have a valid ldap context.
  • Improve keytab code to select the right principal.
  • Convert ipa-sam to use the new getkeytab control
  • Allow admins to disable preauth for SPNs.
  • Allow to specify Kerberos authz data type per user

Stanislav Laznicka (31)

  • Listing and cleaning RUV extended for CA suffix
  • Automatically detect and remove dangling RUVs
  • Cosmetic changes to the code
  • Fixes minor issues
  • replica-manage: fail nicely when DM psswd required
  • ipa-replica-manage refactoring
  • abort-clean/list/clean-ruv now work for both suffixes
  • Moved password check from clean_dangling_ruv
  • Fix to clean-dangling-ruv for single CA topologies
  • Added pyusb as a dependency
  • Added some attributes to Modify Users permission
  • Deprecated the domain-level option in ipa-server-install
  • Increased mod_wsgi socket-timeout
  • Added <my_hostname>=<IPA REALM> mapping to krb5.conf
  • Decreased timeout for IO blocking for DS
  • fixes premature sys.exit in ipa-replica-manage del
  • Remove dangling RUVs even if replicas are offline
  • Added krb5.conf.d/ to included dirs in krb5.conf
  • Removed dead code from LDAP{Remove,Add}ReverseMember
  • Fixes CA always being presented as running
  • Increase nsslapd-db-locks to 50000
  • host/service-show/find shouldn’t fail on invalid certificate
  • Fix to ipa-ca-install asking for host principal password
  • Fix topologysuffix-verify failing connections
  • topo segment-add: validate that both masters support target suffix
  • Add missing nsSystemIndex attributes
  • Revert "Removed dead code from LDAP{Remove,Add}ReverseMember"
  • The LDAP*ReverseMember shouldn’t imply --all is always specified
  • Fix wrong imports in copy-schema-to-ca.py
  • host: Added permissions for auth. indicators read/modify
  • service: Added permissions for auth. indicators read/modify

Sumit Bose (3)

  • ipa-kdb: get_authz_data_types() make sure entry can be NULL
  • ipa-kdb: map_groups() consider all results
  • extdom: add certificate request

Thierry Bordaz (5)

  • configure DNA plugin shared config entries to allow connection with GSSAPI
  • DS deadlock when memberof scopes topology plugin updates
  • Make sure ipapwd_extop takes precedence over passwd_modify_extop
  • Topology plugins sigsev/heap corruption when adding a managed host
  • ipapwd_extop should use TARGET_DN defined by a pre-extop plugin

Thorsten Scherf (1)

  • Fixed typo in service-add

Timo Aaltonen (6)

  • Use HTTPD_USER in dogtaginstance.py
  • Move freeipa certmonger helpers to libexecdir.
  • ipa_restore: Import only FQDN from ipalib.constants
  • ipaplatform: Move remaining user/group constants to ipaplatform.constants.
  • Use ODS_USER/ODS_GROUP in opendnssec_conf.template
  • Fix kdc.conf.template to use ipaplatform.paths.

Tomáš Babej (10)

  • py3: Remove py3 incompatible exception handling
  • logger: Use warning instead of warn
  • Loggger: Use warning instead of warn - dns plugin
  • ipa-getkeytab: Handle the possibility of not obtaining a result
  • ipa-adtrust-install: Allow dash in the NETBIOS name
  • spec: Bump required sssd version to 1.13.3-5
  • adtrustinstance: Make sure smb.conf exists
  • l10n: Remove Transifex configuration
  • ipalib: Fix user certificate docstrings
  • idviews: Add user certificate attribute to user ID overrides

Yuri Chornoivan (4)

  • Fix minor typo
  • Fix minor typos
  • Fix minor typos
  • Fix minor typo

# Authors:
#   Jason Gerard DeRose <jderose@redhat.com>
#
# Copyright (C) 2008  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""
Custom exception classes (some which are RPC transparent).

`PrivateError` and its subclasses are custom IPA exceptions that will *never* be
forwarded in a Remote Procedure Call (RPC) response.

On the other hand, `PublicError` and its subclasses can be forwarded in an RPC
response.  These public errors each carry a unique integer error code as well as
a gettext translated error message (translated at the time the exception is
raised).  The purpose of the public errors is to relay information about
*expected* user errors, service availability errors, and so on.  They should
*never* be used for *unexpected* programmatic or run-time errors.

For security reasons it is *extremely* important that arbitrary exceptions *not*
be forwarded in an RPC response.  Unexpected exceptions can easily contain
compromising information in their error messages.  Any time the server catches
any exception that isn't a `PublicError` subclass, it should raise an
`InternalError`, which itself always has the same, static error message (and
therefore cannot be populated with information about the true exception).

The public errors are arranged into five main blocks of error code ranges:

    =============  ========================================
     Error codes                 Exceptions
    =============  ========================================
    1000 - 1999    `AuthenticationError` and its subclasses
    2000 - 2999    `AuthorizationError` and its subclasses
    3000 - 3999    `InvocationError` and its subclasses
    4000 - 4999    `ExecutionError` and its subclasses
    5000 - 5999    `GenericError` and its subclasses
    =============  ========================================

Within these five blocks some sub-ranges are already allocated for certain types
of error messages, while others are reserved for future use.  Here are the
current block assignments:

    - **900-5999** `PublicError` and its subclasses

        - **901 - 907**  Assigned to special top-level public errors

        - **908 - 999**  *Reserved for future use*

        - **1000 - 1999**  `AuthenticationError` and its subclasses

            - **1001 - 1099**  Open for general authentication errors

            - **1100 - 1199**  `KerberosError` and its subclasses

            - **1200 - 1299**  `SessionError` and its subclasses

            - **1300 - 1999**  *Reserved for future use*

        - **2000 - 2999**  `AuthorizationError` and its subclasses

            - **2001 - 2099**  Open for general authorization errors

            - **2100 - 2199**  `ACIError` and its subclasses

            - **2200 - 2999**  *Reserved for future use*

        - **3000 - 3999**  `InvocationError` and its subclasses

            - **3001 - 3099**  Open for general invocation errors

            - **3100 - 3199**  *Reserved for future use*

        - **4000 - 4999**  `ExecutionError` and its subclasses

            - **4001 - 4099**  Open for general execution errors

            - **4100 - 4199**  `BuiltinError` and its subclasses

            - **4200 - 4299**  `LDAPError` and its subclasses

            - **4300 - 4399**  `CertificateError` and its subclasses

            - **4400 - 4999**  *Reserved for future use*

        - **5000 - 5999**  `GenericError` and its subclasses

            - **5001 - 5099**  Open for generic errors

            - **5100 - 5999**  *Reserved for future use*
"""

from inspect import isclass
from text import _ as ugettext, ngettext as ungettext
from text import Gettext, NGettext
from constants import TYPE_ERROR


class PrivateError(StandardError):
    """
    Base class for exceptions that are *never* forwarded in an RPC response.
    """

    format = ''

    def __init__(self, **kw):
        self.msg = self.format % kw
        self.kw = kw
        # Expose each keyword as an instance attribute, refusing name clashes.
        for (key, value) in kw.iteritems():
            assert not hasattr(self, key), 'conflicting kwarg %s.%s = %r' % (
                self.__class__.__name__, key, value,
            )
            setattr(self, key, value)
        StandardError.__init__(self, self.msg)

class SubprocessError(PrivateError):
    """
    Raised when ``subprocess.call()`` returns a non-zero exit status.

    This custom exception is needed because Python 2.4 doesn't have the
    ``subprocess.CalledProcessError`` exception (which was added in Python 2.5).

    For example:

    >>> raise SubprocessError(returncode=2, argv=('ls', '-lh', '/no-foo/'))
    Traceback (most recent call last):
      ...
    SubprocessError: return code 2 from ('ls', '-lh', '/no-foo/')

    The exit code of the sub-process is available via the ``returncode``
    instance attribute.  For example:

    >>> e = SubprocessError(returncode=1, argv=('/bin/false',))
    >>> e.returncode
    1
    >>> e.argv  # argv is also available
    ('/bin/false',)
    """

    format = 'return code %(returncode)d from %(argv)r'


class PluginSubclassError(PrivateError):
    """
    Raised when a plugin doesn't subclass from an allowed base.

    For example:

    >>> raise PluginSubclassError(plugin='bad', bases=('base1', 'base2'))
    Traceback (most recent call last):
      ...
    PluginSubclassError: 'bad' not subclass of any base in ('base1', 'base2')

    """

    format = '%(plugin)r not subclass of any base in %(bases)r'


class PluginDuplicateError(PrivateError):
    """
    Raised when the same plugin class is registered more than once.

    For example:

    >>> raise PluginDuplicateError(plugin='my_plugin')
    Traceback (most recent call last):
      ...
    PluginDuplicateError: 'my_plugin' was already registered
    """

    format = '%(plugin)r was already registered'


class PluginOverrideError(PrivateError):
    """
    Raised when a plugin overrides another without using ``override=True``.

    For example:

    >>> raise PluginOverrideError(base='Command', name='env', plugin='my_env')
    Traceback (most recent call last):
      ...
    PluginOverrideError: unexpected override of Command.env with 'my_env'
    """

    format = 'unexpected override of %(base)s.%(name)s with %(plugin)r'


class PluginMissingOverrideError(PrivateError):
    """
    Raised when a plugin overrides another that has not been registered.

    For example:

    >>> raise PluginMissingOverrideError(base='Command', name='env', plugin='my_env')
    Traceback (most recent call last):
      ...
    PluginMissingOverrideError: Command.env not registered, cannot override with 'my_env'
    """

    format = '%(base)s.%(name)s not registered, cannot override with %(plugin)r'


class SkipPluginModule(PrivateError):
    """
    Raised to abort the loading of a plugin module.
    """

    format = '%(reason)s'


class PluginsPackageError(PrivateError):
    """
    Raised when ``package.plugins`` is a module instead of a sub-package.
    """

    format = '%(name)s must be sub-package, not module: %(file)r'

##############################################################################
# Public errors:

__messages = []

def _(message):
    __messages.append(message)
    return message


class PublicError(StandardError):
    """
    **900** Base class for exceptions that can be forwarded in an RPC response.
    """

    errno = 900
    rval = 1
    format = None

    def __init__(self, format=None, message=None, **kw):
        self.kw = kw
        name = self.__class__.__name__
        if self.format is not None and format is not None:
            raise ValueError(
                'non-generic %r needs format=None; got format=%r' % (
                    name, format)
            )
        if message is None:
            # Raised locally: build the message from the class format string.
            if self.format is None:
                if format is None:
                    raise ValueError(
                        '%s.format is None yet format=None, message=None' % name
                    )
                self.format = format
            self.forwarded = False
            self.msg = self.format % kw
            if isinstance(self.format, basestring):
                self.strerror = ugettext(self.format) % kw
            else:
                self.strerror = self.format % kw
            if 'instructions' in kw:
                def convert_instructions(value):
                    if isinstance(value, list):
                        result = u'\n'.join(map(lambda line: unicode(line), value))
                        return result
                    return value
                instructions = u'\n'.join((unicode(_('Additional instructions:')),
                                          convert_instructions(kw['instructions'])))
                self.strerror = u'\n'.join((self.strerror, instructions))
        else:
            # Forwarded from a server: the message arrives already translated.
            if isinstance(message, (Gettext, NGettext)):
                message = unicode(message)
            elif type(message) is not unicode:
                raise TypeError(
                    TYPE_ERROR % ('message', unicode, message, type(message))
                )
            self.forwarded = True
            self.msg = message
            self.strerror = message
        for (key, value) in kw.iteritems():
            assert not hasattr(self, key), 'conflicting kwarg %s.%s = %r' % (
                name, key, value,
            )
            setattr(self, key, value)
        StandardError.__init__(self, self.msg)

class VersionError(PublicError):
    """
    **901** Raised when client and server versions are incompatible.

    For example:

    >>> raise VersionError(cver='2.0', sver='2.1', server='https://localhost')
    Traceback (most recent call last):
      ...
    VersionError: 2.0 client incompatible with 2.1 server at 'https://localhost'

    """

    errno = 901
    format = _("%(cver)s client incompatible with %(sver)s server at '%(server)s'")


class UnknownError(PublicError):
    """
    **902** Raised when client does not know error it caught from server.

    For example:

    >>> raise UnknownError(code=57, server='localhost', error=u'a new error')
    ...
    Traceback (most recent call last):
      ...
    UnknownError: unknown error 57 from localhost: a new error

    """

    errno = 902
    format = _('unknown error %(code)d from %(server)s: %(error)s')


class InternalError(PublicError):
    """
    **903** Raised to conceal a non-public exception.

    For example:

    >>> raise InternalError()
    Traceback (most recent call last):
      ...
    InternalError: an internal error has occurred
    """

    errno = 903
    format = _('an internal error has occurred')

    def __init__(self, message=None):
        """
        Security issue: ignore any information given to constructor.
        """
        PublicError.__init__(self)
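The concealment rule from the module docstring, which `InternalError` enforces by ignoring its constructor argument, shown at the RPC boundary. This is an added example, not FreeIPA code: the classes are simplified Python 3 stand-ins for the ones on this page, and `dispatch`, `error_body`, `user_mod` and `broken_lookup` are hypothetical names.

```python
import logging

log = logging.getLogger("rpc-demo")


class PublicError(Exception):
    """Simplified Python 3 stand-in for the page's PublicError."""
    errno = 900
    format = None

    def __init__(self, **kw):
        self.strerror = self.format % kw
        super().__init__(self.strerror)


class InternalError(PublicError):
    """903: static message; constructor input is ignored on purpose."""
    errno = 903
    format = "an internal error has occurred"

    def __init__(self, message=None):
        super().__init__()


class ValidationError(PublicError):
    """3009: an expected user error, safe to show to the caller."""
    errno = 3009
    format = "invalid '%(name)s': %(error)s"


def error_body(exc):
    """Serialize only what a PublicError is designed to expose."""
    return {"code": exc.errno, "name": type(exc).__name__,
            "message": exc.strerror}


def dispatch(handler, params, request_id=None):
    """Hypothetical RPC entry point: run handler(**params), build a response."""
    try:
        return {"id": request_id, "result": handler(**params), "error": None}
    except PublicError as e:
        # Expected error: forward its code and message unchanged.
        return {"id": request_id, "result": None, "error": error_body(e)}
    except Exception:
        # Unexpected error: the details go to the server log only.
        log.exception("unhandled exception in request %r", request_id)
        return {"id": request_id, "result": None,
                "error": error_body(InternalError())}


# Constructed handlers standing in for real commands.
def user_mod(sn):
    if len(sn) > 128:
        raise ValidationError(name="sn", error="can be at most 128 characters")
    return {"sn": sn}


def broken_lookup(uid):
    # Constructed failure text of the kind that must never reach a client.
    raise RuntimeError("bind to ldap1.internal failed, password=Secret123")


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for handler, params in ((user_mod, {"sn": "x" * 129}),
                            (broken_lookup, {"uid": "jdoe"})):
        print(dispatch(handler, params, request_id=1))
```

The traceback for the second request appears only in the server log; the client sees code 903 with the fixed message, while the validation failure keeps its 3009 code and text.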

class ServerInternalError(PublicError):
    """
    **904** Raised when client catches an `InternalError` from server.

    For example:

    >>> raise ServerInternalError(server='https://localhost')
    Traceback (most recent call last):
      ...
    ServerInternalError: an internal error has occurred on server at 'https://localhost'
    """

    errno = 904
    format = _("an internal error has occurred on server at '%(server)s'")


class CommandError(PublicError):
    """
    **905** Raised when an unknown command is called.

    For example:

    >>> raise CommandError(name='foobar')
    Traceback (most recent call last):
      ...
    CommandError: unknown command 'foobar'
    """

    errno = 905
    format = _("unknown command '%(name)s'")


class ServerCommandError(PublicError):
    """
    **906** Raised when client catches a `CommandError` from server.

    For example:

    >>> e = CommandError(name='foobar')
    >>> raise ServerCommandError(error=e.message, server='https://localhost')
    Traceback (most recent call last):
      ...
    ServerCommandError: error on server 'https://localhost': unknown command 'foobar'
    """

    errno = 906
    format = _("error on server '%(server)s': %(error)s")


class NetworkError(PublicError):
    """
    **907** Raised when a network connection cannot be created.

    For example:

    >>> raise NetworkError(uri='ldap://localhost:389', error=_(u'Connection refused'))
    Traceback (most recent call last):
      ...
    NetworkError: cannot connect to 'ldap://localhost:389': Connection refused
    """

    errno = 907
    format = _("cannot connect to '%(uri)s': %(error)s")


class ServerNetworkError(PublicError):
    """
    **908** Raised when client catches a `NetworkError` from server.
    """

    errno = 908
    format = _("error on server '%(server)s': %(error)s")


class JSONError(PublicError):
    """
    **909** Raised when server received a malformed JSON-RPC request.
    """

    errno = 909
    format = _('Invalid JSON-RPC request: %(error)s')


class XMLRPCMarshallError(PublicError):
    """
    **910** Raised when the XML-RPC lib cannot marshall the request

    For example:

    >>> raise XMLRPCMarshallError(error=_('int exceeds XML-RPC limits'))
    Traceback (most recent call last):
      ...
    XMLRPCMarshallError: error marshalling data for XML-RPC transport: int exceeds XML-RPC limits
    """

    errno = 910
    format = _('error marshalling data for XML-RPC transport: %(error)s')


class RefererError(PublicError):
    """
    **911** Raised when the request does not contain an HTTP referer

    For example:

    >>> raise RefererError(referer='referer')
    Traceback (most recent call last):
      ...
    RefererError: Missing or invalid HTTP Referer, referer
    """

    errno = 911
    format = _('Missing or invalid HTTP Referer, %(referer)s')

##############################################################################
# 1000 - 1999: Authentication errors

class AuthenticationError(PublicError):
    """
    **1000** Base class for authentication errors (*1000 - 1999*).
    """

    errno = 1000


class KerberosError(AuthenticationError):
    """
    **1100** Base class for Kerberos authentication errors (*1100 - 1199*).

    For example:

    >>> raise KerberosError(major=_('Unspecified GSS failure.  Minor code may provide more information'), minor=_('No credentials cache found'))
    Traceback (most recent call last):
      ...
    KerberosError: Kerberos error: Unspecified GSS failure.  Minor code may provide more information/No credentials cache found

    """

    errno = 1100
    format = _('Kerberos error: %(major)s/%(minor)s')


class CCacheError(KerberosError):
    """
    **1101** Raised when server does not receive Kerberos credentials.

    For example:

    >>> raise CCacheError()
    Traceback (most recent call last):
      ...
    CCacheError: did not receive Kerberos credentials

    """

    errno = 1101
    format = _('did not receive Kerberos credentials')


class ServiceError(KerberosError):
    """
    **1102** Raised when service is not found in Kerberos DB.

    For example:

    >>> raise ServiceError(service='HTTP@localhost')
    Traceback (most recent call last):
      ...
    ServiceError: Service 'HTTP@localhost' not found in Kerberos database
    """

    errno = 1102
    format = _("Service '%(service)s' not found in Kerberos database")


class NoCCacheError(KerberosError):
    """
    **1103** Raised when a client attempts to use Kerberos without a ccache.

    For example:

    >>> raise NoCCacheError()
    Traceback (most recent call last):
      ...
    NoCCacheError: No credentials cache found
    """

    errno = 1103
    format = _('No credentials cache found')


class TicketExpired(KerberosError):
    """
    **1104** Raised when a client attempts to use an expired ticket

    For example:

    >>> raise TicketExpired()
    Traceback (most recent call last):
      ...
    TicketExpired: Ticket expired
    """

    errno = 1104
    format = _('Ticket expired')


class BadCCachePerms(KerberosError):
    """
    **1105** Raised when a client has bad permissions on their ccache

    For example:

    >>> raise BadCCachePerms()
    Traceback (most recent call last):
      ...
    BadCCachePerms: Credentials cache permissions incorrect
    """

    errno = 1105
    format = _('Credentials cache permissions incorrect')


class BadCCacheFormat(KerberosError):
    """
    **1106** Raised when a client has a misformatted ccache

    For example:

    >>> raise BadCCacheFormat()
    Traceback (most recent call last):
      ...
    BadCCacheFormat: Bad format in credentials cache
    """

    errno = 1106
    format = _('Bad format in credentials cache')


class CannotResolveKDC(KerberosError):
    """
    **1107** Raised when the KDC can't be resolved

    For example:

    >>> raise CannotResolveKDC()
    Traceback (most recent call last):
      ...
    CannotResolveKDC: Cannot resolve KDC for requested realm
    """

    errno = 1107
    format = _('Cannot resolve KDC for requested realm')


class SessionError(AuthenticationError):
    """
    **1200** Base class for Session errors (*1200 - 1299*).

    For example:

    """

    errno = 1200
    format = _('Session error')


class InvalidSessionPassword(SessionError):
    """
    **1201** Raised when we cannot obtain a TGT for a principal.
    """

    errno = 1201
    format = _('Principal %(principal)s cannot be authenticated: %(message)s')

##############################################################################
# 2000 - 2999: Authorization errors

class AuthorizationError(PublicError):
    """
    **2000** Base class for authorization errors (*2000 - 2999*).
    """

    errno = 2000


class ACIError(AuthorizationError):
    """
    **2100** Base class for ACI authorization errors (*2100 - 2199*).
    """

    errno = 2100
    format = _('Insufficient access: %(info)s')


##############################################################################
# 3000 - 3999: Invocation errors

class InvocationError(PublicError):
    """
    **3000** Base class for command invocation errors (*3000 - 3999*).
    """

    errno = 3000


class EncodingError(InvocationError):
    """
    **3001** Raised when received text is incorrectly encoded.
    """

    errno = 3001


class BinaryEncodingError(InvocationError):
    """
    **3002** Raised when received binary data is incorrectly encoded.
    """

    errno = 3002


class ZeroArgumentError(InvocationError):
    """
    **3003** Raised when a command is called with arguments but takes none.

    For example:

    >>> raise ZeroArgumentError(name='ping')
    Traceback (most recent call last):
      ...
    ZeroArgumentError: command 'ping' takes no arguments
    """

    errno = 3003
    format = _("command '%(name)s' takes no arguments")


class MaxArgumentError(InvocationError):
    """
    **3004** Raised when a command is called with too many arguments.

    For example:

    >>> raise MaxArgumentError(name='user_add', count=2)
    Traceback (most recent call last):
      ...
    MaxArgumentError: command 'user_add' takes at most 2 arguments
    """

    errno = 3004

    def __init__(self, message=None, **kw):
        if message is None:
            # Pick the singular or plural format based on the argument count.
            format = ungettext(
                "command '%(name)s' takes at most %(count)d argument",
                "command '%(name)s' takes at most %(count)d arguments",
                kw['count']
            )
        else:
            format = None
        InvocationError.__init__(self, format, message, **kw)


class OptionError(InvocationError):
    """
    **3005** Raised when a command is called with unknown options.
    """

    errno = 3005


class OverlapError(InvocationError):
    """
    **3006** Raised when arguments and options overlap.

    For example:

    >>> raise OverlapError(names=['givenname', 'login'])
    Traceback (most recent call last):
      ...
    OverlapError: overlapping arguments and options: ['givenname', 'login']
    """

    errno = 3006
    format = _("overlapping arguments and options: %(names)s")


class RequirementError(InvocationError):
    """
    **3007** Raised when a required parameter is not provided.

    For example:

    >>> raise RequirementError(name='givenname')
    Traceback (most recent call last):
      ...
    RequirementError: 'givenname' is required
    """

    errno = 3007
    format = _("'%(name)s' is required")


class ConversionError(InvocationError):
    """
    **3008** Raised when parameter value can't be converted to correct type.

    For example:

    >>> raise ConversionError(name='age', error=_(u'must be an integer'))
    Traceback (most recent call last):
      ...
    ConversionError: invalid 'age': must be an integer
    """

    errno = 3008
    format = _("invalid '%(name)s': %(error)s")


class ValidationError(InvocationError):
    """
    **3009** Raised when a parameter value fails a validation rule.

    For example:

    >>> raise ValidationError(name='sn', error=_(u'can be at most 128 characters'))
    Traceback (most recent call last):
      ...
    ValidationError: invalid 'sn': can be at most 128 characters
    """

    errno = 3009
    format = _("invalid '%(name)s': %(error)s")


class NoSuchNamespaceError(InvocationError):
    """
    **3010** Raised when an unknown namespace is requested.

    For example:

    >>> raise NoSuchNamespaceError(name='Plugins')
    Traceback (most recent call last):
      ...
    NoSuchNamespaceError: api has no such namespace: 'Plugins'
    """

    errno = 3010
    format = _("api has no such namespace: '%(name)s'")


class PasswordMismatch(InvocationError):
    """
    **3011** Raised when password and password confirmation don't match.
    """

    errno = 3011
    format = _('Passwords do not match')


class NotImplementedError(InvocationError):
    """
    **3012** Raised when a function hasn't been implemented.
    """

    errno = 3012
    format = _('Command not implemented')


class NotConfiguredError(InvocationError):
    """
    **3013** Raised when there is no configuration
    """

    errno = 3013
    format = _('Client is not configured. Run ipa-client-install.')


class PromptFailed(InvocationError):
    """
    **3014** Raised when an interactive prompt failed.
    """

    errno = 3014
    format = _('Could not get %(name)s interactively')

############################################################################## 

# 4000 — 4999: Execution errors 

class ExecutionError(PublicError): 

    «»» 

    **4000** Base class for execution errors (*4000 — 4999*). 

    «»» 

    errno = 4000 

class NotFound(ExecutionError): 

    «»» 

    **4001** Raised when an entry is not found. 

    For example: 

    >>> raise NotFound(reason=’no such user’) 

    Traceback (most recent call last): 

      … 

    NotFound: no such user 

    «»» 

    errno = 4001 

    rval = 2 

    format = _(‘%(reason)s’) 

class DuplicateEntry(ExecutionError): 

    «»» 

    **4002** Raised when an entry already exists. 

    For example: 

    >>> raise DuplicateEntry 

    Traceback (most recent call last): 

      … 

    DuplicateEntry: This entry already exists 

    «»» 

    errno = 4002 

    format = _(‘This entry already exists’) 

class HostService(ExecutionError): 

    «»» 

    **4003** Raised when a host service principal is requested 

    For example: 

    >>> raise HostService 

    Traceback (most recent call last): 

      … 

    HostService: You must enroll a host in order to create a host service 

    «»» 

    errno = 4003 

    format = _(‘You must enroll a host in order to create a host service’) 

class MalformedServicePrincipal(ExecutionError): 

    «»» 

    **4004** Raised when a service principal is not of the form: service/fully-qualified host name 

    For example: 

    >>> raise MalformedServicePrincipal(reason=_(‘missing service’)) 

    Traceback (most recent call last): 

      … 

    MalformedServicePrincipal: Service principal is not of the form: service/fully-qualified host name: missing service 

    «»» 

    errno = 4004 

    format = _(‘Service principal is not of the form: service/fully-qualified host name: %(reason)s’) 

class RealmMismatch(ExecutionError): 

    «»» 

    **4005** Raised when the requested realm does not match the IPA realm 

    For example: 

    >>> raise RealmMismatch 

    Traceback (most recent call last): 

      … 

    RealmMismatch: The realm for the principal does not match the realm for this IPA server 

    «»» 

    errno = 4005 

    format = _(‘The realm for the principal does not match the realm for this IPA server’) 

class RequiresRoot(ExecutionError): 

    «»» 

    **4006** Raised when a command requires the unix super-user to run 

    For example: 

    >>> raise RequiresRoot 

    Traceback (most recent call last): 

      … 

    RequiresRoot: This command requires root access 

    «»» 

    errno = 4006 

    format = _(‘This command requires root access’) 

class AlreadyPosixGroup(ExecutionError): 

    «»» 

    **4007** Raised when a group is already a posix group 

    For example: 

    >>> raise AlreadyPosixGroup 

    Traceback (most recent call last): 

      … 

    AlreadyPosixGroup: This is already a posix group 

    «»» 

    errno = 4007 

    format = _(‘This is already a posix group’) 

class MalformedUserPrincipal(ExecutionError):
    """
    **4008** Raised when a user principal is not of the form: user@REALM

    For example:

    >>> raise MalformedUserPrincipal(principal='jsmith@@EXAMPLE.COM')
    Traceback (most recent call last):
      ...
    MalformedUserPrincipal: Principal is not of the form user@REALM: 'jsmith@@EXAMPLE.COM'

    """

    errno = 4008
    format = _("Principal is not of the form user@REALM: '%(principal)s'")

class AlreadyActive(ExecutionError):
    """
    **4009** Raised when an entry is made active that is already active

    For example:

    >>> raise AlreadyActive()
    Traceback (most recent call last):
      ...
    AlreadyActive: This entry is already enabled

    """

    errno = 4009
    format = _('This entry is already enabled')

class AlreadyInactive(ExecutionError):
    """
    **4010** Raised when an entry is made inactive that is already inactive

    For example:

    >>> raise AlreadyInactive()
    Traceback (most recent call last):
      ...
    AlreadyInactive: This entry is already disabled

    """

    errno = 4010
    format = _('This entry is already disabled')

class HasNSAccountLock(ExecutionError):
    """
    **4011** Raised when an entry has the nsAccountLock attribute set

    For example:

    >>> raise HasNSAccountLock()
    Traceback (most recent call last):
      ...
    HasNSAccountLock: This entry cannot be enabled or disabled

    """

    errno = 4011
    format = _('This entry cannot be enabled or disabled')

class NotGroupMember(ExecutionError):
    """
    **4012** Raised when a non-member is attempted to be removed from a group

    For example:

    >>> raise NotGroupMember()
    Traceback (most recent call last):
      ...
    NotGroupMember: This entry is not a member

    """

    errno = 4012
    format = _('This entry is not a member')

class RecursiveGroup(ExecutionError):
    """
    **4013** Raised when a group is added as a member of itself

    For example:

    >>> raise RecursiveGroup()
    Traceback (most recent call last):
      ...
    RecursiveGroup: A group may not be a member of itself

    """

    errno = 4013
    format = _('A group may not be a member of itself')

class AlreadyGroupMember(ExecutionError):
    """
    **4014** Raised when a member is attempted to be re-added to a group

    For example:

    >>> raise AlreadyGroupMember()
    Traceback (most recent call last):
      ...
    AlreadyGroupMember: This entry is already a member

    """

    errno = 4014
    format = _('This entry is already a member')

class Base64DecodeError(ExecutionError):
    """
    **4015** Raised when a base64-encoded blob cannot be decoded

    For example:

    >>> raise Base64DecodeError(reason=_('Incorrect padding'))
    Traceback (most recent call last):
      ...
    Base64DecodeError: Base64 decoding failed: Incorrect padding

    """

    errno = 4015
    format = _('Base64 decoding failed: %(reason)s')

class RemoteRetrieveError(ExecutionError):
    """
    **4016** Raised when retrieving data from a remote server fails

    For example:

    >>> raise RemoteRetrieveError(reason=_("Failed to get certificate chain."))
    Traceback (most recent call last):
      ...
    RemoteRetrieveError: Failed to get certificate chain.

    """

    errno = 4016
    format = _('%(reason)s')

class SameGroupError(ExecutionError):
    """
    **4017** Raised when adding a group as a member of itself

    For example:

    >>> raise SameGroupError()
    Traceback (most recent call last):
      ...
    SameGroupError: A group may not be added as a member of itself

    """

    errno = 4017
    format = _('A group may not be added as a member of itself')

class DefaultGroupError(ExecutionError):
    """
    **4018** Raised when removing the default user group

    For example:

    >>> raise DefaultGroupError()
    Traceback (most recent call last):
      ...
    DefaultGroupError: The default users group cannot be removed

    """

    errno = 4018
    format = _('The default users group cannot be removed')

class DNSNotARecordError(ExecutionError):
    """
    **4019** Raised when a hostname is not a DNS A record

    For example:

    >>> raise DNSNotARecordError()
    Traceback (most recent call last):
      ...
    DNSNotARecordError: Host does not have corresponding DNS A record

    """

    errno = 4019
    format = _('Host does not have corresponding DNS A record')

class ManagedGroupError(ExecutionError):
    """
    **4020** Raised when a managed group is deleted

    For example:

    >>> raise ManagedGroupError()
    Traceback (most recent call last):
      ...
    ManagedGroupError: Deleting a managed group is not allowed. It must be detached first.

    """

    errno = 4020
    format = _('Deleting a managed group is not allowed. It must be detached first.')

class ManagedPolicyError(ExecutionError):
    """
    **4021** Raised when password policy is assigned to a managed group

    For example:

    >>> raise ManagedPolicyError()
    Traceback (most recent call last):
      ...
    ManagedPolicyError: A managed group cannot have a password policy.

    """

    errno = 4021
    format = _('A managed group cannot have a password policy.')

class FileError(ExecutionError):
    """
    **4022** Errors when dealing with files

    For example:

    >>> raise FileError(reason=_("cannot write file 'test'"))
    Traceback (most recent call last):
      ...
    FileError: cannot write file 'test'

    """

    errno = 4022
    format = _('%(reason)s')

class NoCertificateError(ExecutionError):
    """
    **4023** Raised when trying to retrieve a certificate that doesn't exist.

    For example:

    >>> raise NoCertificateError(entry='ipa.example.com')
    Traceback (most recent call last):
      ...
    NoCertificateError: 'ipa.example.com' doesn't have a certificate.

    """

    errno = 4023
    format = _("'%(entry)s' doesn't have a certificate.")

class ManagedGroupExistsError(ExecutionError):
    """
    **4024** Raised when adding a user and its managed group exists

    For example:

    >>> raise ManagedGroupExistsError(group=u'engineering')
    Traceback (most recent call last):
      ...
    ManagedGroupExistsError: Unable to create private group. A group 'engineering' already exists.

    """

    errno = 4024
    format = _("Unable to create private group. A group '%(group)s' already exists.")

class ReverseMemberError(ExecutionError):
    """
    **4025** Raised when verifying that all reverse members have been added or removed.

    For example:

    >>> raise ReverseMemberError(verb=_('added'), exc=_("Group 'foo' not found."))
    Traceback (most recent call last):
      ...
    ReverseMemberError: A problem was encountered when verifying that all members were added: Group 'foo' not found.

    """

    errno = 4025
    format = _('A problem was encountered when verifying that all members were %(verb)s: %(exc)s')

class AttrValueNotFound(ExecutionError):
    """
    **4026** Raised when an Attribute/Value pair is not found.

    For example:

    >>> raise AttrValueNotFound(attr='ipasudoopt', value='authenticate')
    Traceback (most recent call last):
      ...
    AttrValueNotFound: ipasudoopt does not contain 'authenticate'

    """

    errno = 4026
    rval = 1
    format = _("%(attr)s does not contain '%(value)s'")

class SingleMatchExpected(ExecutionError):
    """
    **4027** Raised when a search should return a single match

    For example:

    >>> raise SingleMatchExpected(found=9)
    Traceback (most recent call last):
      ...
    SingleMatchExpected: The search criteria was not specific enough. Expected 1 and found 9.

    """

    errno = 4027
    rval = 1
    format = _('The search criteria was not specific enough. Expected 1 and found %(found)d.')

class AlreadyExternalGroup(ExecutionError):
    """
    **4028** Raised when a group is already an external member group

    For example:

    >>> raise AlreadyExternalGroup
    Traceback (most recent call last):
      ...
    AlreadyExternalGroup: This group already allows external members

    """

    errno = 4028
    format = _('This group already allows external members')

class ExternalGroupViolation(ExecutionError):
    """
    **4029** Raised when a group is already an external member group
             and an attempt is made to use it as posix group

    For example:

    >>> raise ExternalGroupViolation
    Traceback (most recent call last):
      ...
    ExternalGroupViolation: This group cannot be posix because it is external

    """

    errno = 4029
    format = _('This group cannot be posix because it is external')

class PosixGroupViolation(ExecutionError):
    """
    **4030** Raised when a group is already a posix group
             and cannot be converted to external

    For example:

    >>> raise PosixGroupViolation
    Traceback (most recent call last):
      ...
    PosixGroupViolation: This is already a posix group and cannot be converted to external one

    """

    errno = 4030
    format = _('This is already a posix group and cannot be converted to external one')

class BuiltinError(ExecutionError):
    """
    **4100** Base class for builtin execution errors (*4100 - 4199*).
    """

    errno = 4100

class HelpError(BuiltinError):
    """
    **4101** Raised when requesting help for an unknown topic.

    For example:

    >>> raise HelpError(topic='newfeature')
    Traceback (most recent call last):
      ...
    HelpError: no command nor help topic 'newfeature'

    """

    errno = 4101
    format = _("no command nor help topic '%(topic)s'")

class LDAPError(ExecutionError):
    """
    **4200** Base class for LDAP execution errors (*4200 - 4299*).
    """

    errno = 4200

class MidairCollision(ExecutionError):
    """
    **4201** Raised when a change collides with another change

    For example:

    >>> raise MidairCollision()
    Traceback (most recent call last):
      ...
    MidairCollision: change collided with another change

    """

    errno = 4201
    format = _('change collided with another change')

class EmptyModlist(ExecutionError):
    """
    **4202** Raised when an LDAP update makes no changes

    For example:

    >>> raise EmptyModlist()
    Traceback (most recent call last):
      ...
    EmptyModlist: no modifications to be performed

    """

    errno = 4202
    format = _('no modifications to be performed')

class DatabaseError(ExecutionError):
    """
    **4203** Raised when an LDAP error is not otherwise handled

    For example:

    >>> raise DatabaseError(desc=_("Can't contact LDAP server"), info=_('Info goes here'))
    Traceback (most recent call last):
      ...
    DatabaseError: Can't contact LDAP server: Info goes here

    """

    errno = 4203
    format = _('%(desc)s: %(info)s')

class LimitsExceeded(ExecutionError):
    """
    **4204** Raised when search limits are exceeded.

    For example:

    >>> raise LimitsExceeded()
    Traceback (most recent call last):
      ...
    LimitsExceeded: limits exceeded for this query

    """

    errno = 4204
    format = _('limits exceeded for this query')

class ObjectclassViolation(ExecutionError):
    """
    **4205** Raised when an entry is missing a required attribute or objectclass

    For example:

    >>> raise ObjectclassViolation(info=_('attribute "krbPrincipalName" not allowed'))
    Traceback (most recent call last):
      ...
    ObjectclassViolation: attribute "krbPrincipalName" not allowed

    """

    errno = 4205
    format = _('%(info)s')

class NotAllowedOnRDN(ExecutionError):
    """
    **4206** Raised when an RDN value is modified.

    For example:

    >>> raise NotAllowedOnRDN()
    Traceback (most recent call last):
      ...
    NotAllowedOnRDN: modifying primary key is not allowed

    """

    errno = 4206
    format = _('modifying primary key is not allowed')

class OnlyOneValueAllowed(ExecutionError):
    """
    **4207** Raised when trying to set more than one value to single-value attributes

    For example:

    >> raise OnlyOneValueAllowed(attr='ipasearchtimelimit')
    Traceback (most recent call last):
      ...
    OnlyOneValueAllowed: ipasearchtimelimit: Only one value allowed.

    """

    errno = 4207
    format = _('%(attr)s: Only one value allowed.')

class InvalidSyntax(ExecutionError):
    """
    **4208** Raised when a value does not match the required syntax

    For example:

    >> raise InvalidSyntax(attr='ipahomesrootdir')
    Traceback (most recent call last):
      ...
    InvalidSyntax: ipahomesrootdir: Invalid syntax

    """

    errno = 4208
    format = _('%(attr)s: Invalid syntax.')

class BadSearchFilter(ExecutionError):
    """
    **4209** Raised when an invalid LDAP search filter is used

    For example:

    >>> raise BadSearchFilter(info=_('invalid syntax'))
    Traceback (most recent call last):
      ...
    BadSearchFilter: Bad search filter invalid syntax

    """

    errno = 4209
    format = _('Bad search filter %(info)s')

class NotAllowedOnNonLeaf(ExecutionError):
    """
    **4210** Raised when operation is not allowed on a non-leaf entry

    For example:

    >>> raise NotAllowedOnNonLeaf()
    Traceback (most recent call last):
      ...
    NotAllowedOnNonLeaf: Not allowed on non-leaf entry

    """

    errno = 4210
    format = _('Not allowed on non-leaf entry')

class CertificateError(ExecutionError):
    """
    **4300** Base class for Certificate execution errors (*4300 - 4399*).
    """

    errno = 4300

class CertificateOperationError(CertificateError):
    """
    **4301** Raised when a certificate operation cannot be completed

    For example:

    >>> raise CertificateOperationError(error=_(u'bad serial number'))
    Traceback (most recent call last):
      ...
    CertificateOperationError: Certificate operation cannot be completed: bad serial number

    """

    errno = 4301
    format = _('Certificate operation cannot be completed: %(error)s')

class CertificateFormatError(CertificateError):
    """
    **4302** Raised when a certificate is badly formatted

    For example:

    >>> raise CertificateFormatError(error=_(u'improperly formatted DER-encoded certificate'))
    Traceback (most recent call last):
      ...
    CertificateFormatError: Certificate format error: improperly formatted DER-encoded certificate

    """

    errno = 4302
    format = _('Certificate format error: %(error)s')

class MutuallyExclusiveError(ExecutionError):
    """
    **4303** Raised when an operation would result in setting two attributes which are mutually exclusive.

    For example:

    >>> raise MutuallyExclusiveError(reason=_(u'hosts may not be added when hostcategory=all'))
    Traceback (most recent call last):
      ...
    MutuallyExclusiveError: hosts may not be added when hostcategory=all

    """

    errno = 4303
    format = _('%(reason)s')

class NonFatalError(ExecutionError):
    """
    **4304** Raised when part of an operation succeeds and the part that failed isn't critical.

    For example:

    >>> raise NonFatalError(reason=_(u'The host was added but the DNS update failed'))
    Traceback (most recent call last):
      ...
    NonFatalError: The host was added but the DNS update failed

    """

    errno = 4304
    format = _('%(reason)s')

class AlreadyRegisteredError(ExecutionError):
    """
    **4305** Raised when registering a user that is already registered.

    For example:

    >>> raise AlreadyRegisteredError()
    Traceback (most recent call last):
      ...
    AlreadyRegisteredError: Already registered

    """

    errno = 4305
    format = _('Already registered')

class NotRegisteredError(ExecutionError):
    """
    **4306** Raised when not registered and a registration is required

    For example:

    >>> raise NotRegisteredError()
    Traceback (most recent call last):
      ...
    NotRegisteredError: Not registered yet

    """

    errno = 4306
    format = _('Not registered yet')

class DependentEntry(ExecutionError):
    """
    **4307** Raised when an entry being deleted has dependencies

    For example:

    >>> raise DependentEntry(label=u'SELinux User Map', key=u'test', dependent=u'test1')
    Traceback (most recent call last):
      ...
    DependentEntry: test cannot be deleted because SELinux User Map test1 requires it

    """

    errno = 4307
    format = _('%(key)s cannot be deleted because %(label)s %(dependent)s requires it')

class LastMemberError(ExecutionError):
    """
    **4308** Raised when an entry being deleted or disabled is last member of a protected group

    For example:

    >>> raise LastMemberError(key=u'admin', label=u'group', container=u'admins')
    Traceback (most recent call last):
      ...
    LastMemberError: admin cannot be deleted or disabled because it is the last member of group admins

    """

    errno = 4308
    format = _('%(key)s cannot be deleted or disabled because it is the last member of %(label)s %(container)s')

class ProtectedEntryError(ExecutionError):
    """
    **4309** Raised when an entry being deleted or modified in a forbidden way is protected

    For example:

    >>> raise ProtectedEntryError(label=u'group', key=u'admins', reason=_(u'privileged group'))
    Traceback (most recent call last):
      ...
    ProtectedEntryError: group admins cannot be deleted/modified: privileged group

    """

    errno = 4309
    format = _('%(label)s %(key)s cannot be deleted/modified: %(reason)s')

##############################################################################
# 5000 - 5999: Generic errors

class GenericError(PublicError):
    """
    **5000** Base class for errors that don't fit elsewhere (*5000 - 5999*).
    """

    errno = 5000

def __errors_iter():
    """
    Iterate through all the `PublicError` subclasses.
    """
    for (key, value) in globals().items():
        if key.startswith('_') or not isclass(value):
            continue
        if issubclass(value, PublicError):
            yield value

# All public error classes, sorted by error number.
public_errors = tuple(
    sorted(__errors_iter(), key=lambda E: E.errno)
)

if __name__ == '__main__':
    # Print a tab-separated table of error number and class name.
    for klass in public_errors:
        print('%d\t%s' % (klass.errno, klass.__name__))
    print('(%d public errors)' % len(public_errors))
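The listing documents number blocks per base class (4100 - 4199 builtin, 4200 - 4299 LDAP, 4300 - 4399 certificate), yet several classes inside a block inherit directly from `ExecutionError`, so a handler written as `except LDAPError:` never sees them. The following is an added example, not ipalib code: it rebuilds a reduced copy of the hierarchy and audits it. The `errno` values given to `PublicError` and `ExecutionError`, and the names `RANGE_BASES`, `range_owner`, `audit` and `caught_by`, are assumptions of the example.

```python
from inspect import isclass

# Reduced stand-ins: names, errno values and base classes of the 41xx-43xx
# classes are copied from the listing; bodies are placeholders, not ipalib's.
class PublicError(Exception):
    errno = 900        # assumed stand-in value for the root class
class ExecutionError(PublicError):
    errno = 4000       # assumed start of the execution-error numbers
class BuiltinError(ExecutionError):
    errno = 4100
class HelpError(BuiltinError):
    errno = 4101
class LDAPError(ExecutionError):
    errno = 4200
class MidairCollision(ExecutionError):
    errno = 4201
class CertificateError(ExecutionError):
    errno = 4300
class CertificateOperationError(CertificateError):
    errno = 4301
class MutuallyExclusiveError(ExecutionError):
    errno = 4303

# Each range base documents a block of 100 codes, e.g. (*4200 - 4299*).
RANGE_BASES = (BuiltinError, LDAPError, CertificateError)

def range_owner(klass):
    """Return the range base whose documented block contains klass.errno."""
    for base in RANGE_BASES:
        if base.errno <= klass.errno <= base.errno + 99:
            return base
    return None

def audit():
    """Return (errno, class, range base) for every error whose number sits in
    a documented block without the class inheriting from that block's base."""
    found = []
    for key, value in globals().items():
        if key.startswith('_') or not isclass(value):
            continue
        if not issubclass(value, PublicError):
            continue
        owner = range_owner(value)
        if owner is not None and not issubclass(value, owner):
            found.append((value.errno, value.__name__, owner.__name__))
    return sorted(found)

def caught_by(exc_class, handler_class):
    """True if `except handler_class` would intercept an exc_class instance."""
    try:
        raise exc_class()
    except handler_class:
        return True
    except PublicError:
        return False
```

Code that has to react to a whole block, for example every 42xx LDAP failure, should therefore compare `errno` against the documented range rather than rely on `isinstance` checks against the range base.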
