[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master-next] 675 commits: Back to git snapshots

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Dec 15 14:46:00 GMT 2021



Timo Aaltonen pushed to branch master-next at FreeIPA packaging / freeipa


Commits:
77674077 by Alexander Bokovoy at 2020-12-04T13:14:29+02:00
Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0cb8f065 by Alexander Bokovoy at 2020-12-04T22:31:03+02:00
Correct SELinux policy requirements

freeipa-selinux subpackage is used by both client and server but
requires freeipa-server subpackage unconditionally. This needs to be
removed.

Originally, upstream spec file did not have this bug. It was brought
in with unification of the specfiles.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1883005

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f2bc3f1c by Florence Blanc-Renaud at 2020-12-10T13:44:57+02:00
xmlrpctests: remove hardcoded expiration date from test_user_plugin

The test test_user_plugin is using a hardcoded date for
password expiration and started failing since we passed this date.
Replace the hardcoded date with now + 1 year.

Fixes: https://pagure.io/freeipa/issue/8616
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
7d1a6886 by Alexander Bokovoy at 2020-12-10T16:02:51+02:00
Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches

With commit c6644b8566f747fa80e2c1925b79bad9f8c92bd7 we default to
create unique credential caches in /run/ipa/ccaches for every client
that connects to IPA with a new session. On F34, mod_auth_gssapi process
running as 'apache' cannot create the ccache in /run/ipa/ccaches because
it has no access rights.

The core of the problem is that we have two different paths to obtaining
a ccache: one where 'apache' running httpd process creates it directly
and one where an internal redirect from 'ipaapi' running httpd process
is happening.

Use SUID and SGID to 'ipaapi'/'ipaapi' and allow 'apache' group to write
to '/run/ipa/ccaches'. This fixes the problem.

Note that we cannot completely remove 'GssapiDelegCcachePerms'. If we'd
do so, mod_auth_gssapi will do redirects and fail.

Fixes: https://pagure.io/freeipa/issue/8613

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
cc51feb1 by Alexander Bokovoy at 2020-12-10T16:02:51+02:00
upgrade: provide DOMAIN to the server upgrade dictionary

Rules in ipa-rewrite.conf use $DOMAIN variable but it is not available
in the dictionary. Regression was introduced with
e731b2725a3772cd037683ff2e08c514fd02019f.

Fixes: https://pagure.io/freeipa/issue/8615
Related: https://pagure.io/freeipa/issue/8595

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
184997e8 by Alexander Bokovoy at 2020-12-10T17:39:42+02:00
systemd: enforce en_US.UTF-8 locale in systemd units

Python code does detection of the system encoding based on the locale
settings. On RHEL 8.4 development images we somehow get LANG=en_US which
defaults to iso8859-1 _inside_ the systemd-started service, even though
the whole environment defaults to LANG=en_US.UTF-8.

When instrumented with ExecStartPre=/usr/bin/locale, the following
output can be seen:

locale[45481]: LANG=en_US
locale[45481]: LC_CTYPE="en_US"
locale[45481]: LC_NUMERIC="en_US"
locale[45481]: LC_TIME="en_US"
locale[45481]: LC_COLLATE="en_US"
locale[45481]: LC_MONETARY="en_US"
locale[45481]: LC_MESSAGES="en_US"
locale[45481]: LC_PAPER="en_US"
locale[45481]: LC_NAME="en_US"
locale[45481]: LC_ADDRESS="en_US"
locale[45481]: LC_TELEPHONE="en_US"
locale[45481]: LC_MEASUREMENT="en_US"
locale[45481]: LC_IDENTIFICATION="en_US"
locale[45481]: LC_ALL=
ipactl[45483]: Unexpected error
ipactl[45483]: SystemEncodingError: System encoding must be UTF-8, 'iso8859-1' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE

Set the environment to explicit LC_ALL=C.UTF-8 to please the Python
code. FreeIPA server side only cares about actual encoding, not the
language itself. We already use LC_ALL=C.UTF-8 in httpd service snippet.

Fixes: https://pagure.io/freeipa/issue/8617
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
cf30cc3f by Florence Blanc-Renaud at 2020-12-10T17:57:56+02:00
Improve PKI subsystem detection

The dogtaginstance.is_installed() method currently relies on
the presence of the directory /var/lib/pki/pki-tomcat/{ca|kra},
even if it is empty.
An unwanted consequence is ipa-server-upgrade wrongly assuming the KRA
is installed and crashing when trying to upgrade a not-installed
component.

The fix relies on the command "pki-server subsystem-show {ca|kra}" to
detect if a subsystem is installed. The command does not require PKI
to be running (hence can be called anytime) and is delivered by
the pki-server package which is already required by ipa server pkg.

Fixes: https://pagure.io/freeipa/issue/8596
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
24f6a36b by Florence Blanc-Renaud at 2020-12-10T17:57:56+02:00
ipatests: add test for PKI subsystem detection

Add a new upgrade test. Scenario:
- create an empty /var/lib/pki/pki-tomcat/kra directory
- call ipa-server-upgrade

With issue 8596, the upgrade fails because it assumes KRA is
installed. With the fix, ipa-server-upgrade completes successfully.

Related: https://pagure.io/freeipa/issue/8596
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
502d2910 by Alexander Bokovoy at 2020-12-10T18:05:00+02:00
Become FreeIPA 4.9.0rc3

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f5cd9d07 by Alexander Bokovoy at 2020-12-10T18:06:10+02:00
Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d41bfea4 by Sudhir Menon at 2020-12-17T11:47:13+01:00
ipatests: Test for IPATrustDomainsCheck with external trust to AD

This testcase checks that when external trust is configured
between IPA and AD subdomain, IPATrustDomainsCheck
does not display ERROR

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
184fa809 by Sudhir Menon at 2020-12-17T11:47:13+01:00
Modified YAML files

Currently the TestIpaHealthCheckWithADtrust trust required
only one root AD Domain for testing.
Replaced the existing topology with adroot_adchild_adtree_master_1client
so that trust tests can be run with child/tree root AD domains.

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2efc44d0 by Alexander Scheel at 2020-12-17T14:32:37+01:00
Fix spelling mistake: filen ame -> filename

Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
3c965a07 by François Cami at 2020-12-18T17:47:08+02:00
ipatests: make sure dns_lookup_kdc is always true

Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.

Make sure dns_lookup_kdc is always set to true.

Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
352f2bee by François Cami at 2020-12-18T17:47:08+02:00
ipa-client-install: unilaterally set dns_lookup_kdc to True

Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.

Setting dns_lookup_kdc to False would result in a hardcoded
configuration which is less reliable in the long run.
For instance, adding a trust to an Active Directory forest
after clients are enrolled would result in clients not being
able to authenticate AD users. Recycling FreeIPA servers
could prove problematic if the original hostnames are not
reused too.

Change summary:
Always set dns_lookup_kdc to True on client enrollment.
With this change, DNS SRV search will always be performed
before looking into /etc/krb5.conf realm entries.

Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2d1594c3 by Alexander Bokovoy at 2020-12-18T18:11:05+02:00
ipa-kdb: use predefined filters for wild-card searches

In case we've got a principal name as '*', we don't need to specify
the principal itself, use pre-defined filter for a wild-card search.

Previously, we had to escape the '*' as specifying it with an explicit
matching rule would have violated RFC 4515 section 3. However, since we
don't really need to specify a different matching rule for a wild-card
search, we can remove this part completely.

Use this change as an opportunity to simplify the code and reduce the
number of duplicated filter constants -- if the extra filter is NULL, we can
simply pass "" and use _EXTRA filter constants to format the final
filter.

Fixes: https://pagure.io/freeipa/issue/8624

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
06fbb8b4 by Alexander Bokovoy at 2020-12-18T19:01:46+02:00
service: handle empty list of services to update their state

When there are no services in LDAP that have specified states, we don't
need to update their state.

Fixes: https://pagure.io/freeipa/issue/8623

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
59432e92 by Alexander Bokovoy at 2020-12-18T19:01:46+02:00
upgrade: do not overshadow service module in upgrade_configuration

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
56c8b174 by Alexander Bokovoy at 2020-12-18T19:01:46+02:00
upgrade: ensure service state is synchronized with the server state

Convert configuredService to either enabledService or hiddenService
depending on the state of the server role.  This is to fix situations
when deployment has happened before introduction of hidden replicas
as those services will stay as configuredService and will not get
started after upgrade, rendering the system non-functioning.

Fixes: https://pagure.io/freeipa/issue/8623

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
38cb763d by Timo Aaltonen at 2020-12-19T11:00:52+02:00
Debian: Fix paths and service names for bind 9.16

Got changed for 9.16 and up.

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
efe767c4 by Timo Aaltonen at 2020-12-19T11:00:52+02:00
Debian: Fix chrony service name

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b46fa4e4 by Timo Aaltonen at 2020-12-19T11:00:52+02:00
ipaplatform: Use gpg instead of gpg2

'gpg2' is a convenience symlink on Debian, provided by a package that
will go away eventually. 'gpg' is available everywhere.

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
18721cc8 by Slava Aseev at 2020-12-19T11:02:16+02:00
ipa-kdb: handle dates up to 2106-02-07 06:28:16

krb5 uses the negative part of krb5_timestamp to store time values
after 2038:
https://k5wiki.kerberos.org/wiki/Projects/Timestamps_after_2038
In other words, krb5 uses krb5_timestamp (signed int) with
unsigned arithmetic for expanding the timestamp's upper bound.

This commit:
  - adds some helper functions for working with krb5_timestamp as
    unsigned (actually copied from
    https://github.com/krb5/krb5/blob/master/src/include/k5-int.h)
  - replaces operations with krb5_timestamp's by these new functions

Fixes: https://pagure.io/freeipa/issue/8028
Signed-off-by: Slava Aseev <ptrnine at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
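The krb5_timestamp handling described in the ipa-kdb commit above, as an added illustration that is not code from the FreeIPA commit or from the krb5 tree: a signed 32-bit timestamp is reinterpreted as unsigned so that dates after 2038-01-19 (INT32_MAX) stay representable up to 2106-02-07. The ts2tt/ts_after/ts_delta/ts_incr helpers follow the k5-int.h pattern the commit references; the typedefs, the expired_* checks and the 2021/2040 sample values are local stand-ins constructed for this example.

```c
/* Added example: krb5_timestamp is signed int32, but krb5 does its
 * arithmetic on the unsigned reinterpretation. The typedefs below are
 * stand-ins so this file builds without krb5 headers. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

typedef int32_t krb5_timestamp;   /* stand-in for the krb5 typedef */
typedef int32_t krb5_deltat;      /* stand-in for the krb5 typedef */

/* Convert a timestamp to time_t by reinterpreting it as unsigned,
 * so a negative int32 becomes a date between 2038 and 2106. */
static inline time_t ts2tt(krb5_timestamp ts)
{
    return (time_t)(uint32_t)ts;
}

/* True if a is later than b under unsigned comparison. */
static inline bool ts_after(krb5_timestamp a, krb5_timestamp b)
{
    return (uint32_t)a > (uint32_t)b;
}

/* Difference a - b, computed modulo 2^32 like krb5's ts_delta. */
static inline krb5_deltat ts_delta(krb5_timestamp a, krb5_timestamp b)
{
    return (krb5_deltat)((uint32_t)a - (uint32_t)b);
}

/* Add a delta to a timestamp with modulo-2^32 arithmetic. */
static inline krb5_timestamp ts_incr(krb5_timestamp ts, krb5_deltat d)
{
    return (krb5_timestamp)((uint32_t)ts + (uint32_t)d);
}

/* Naive expiration check with plain signed comparison (constructed to
 * show the bug class the commit fixes): any expiration after 2038 is
 * stored as a negative value and therefore looks already expired. */
static bool expired_naive(krb5_timestamp expiration, krb5_timestamp now)
{
    return expiration != 0 && expiration <= now;
}

/* Same check using the unsigned helper: post-2038 dates stay in the
 * future. Zero keeps its krb5 meaning of "never expires". */
static bool expired_unsigned(krb5_timestamp expiration, krb5_timestamp now)
{
    return expiration != 0 && !ts_after(expiration, now);
}

/* Constructed sample values: 2021-01-01T00:00:00Z and 2040-01-01T00:00:00Z.
 * The latter exceeds INT32_MAX and lands in the negative int32 range. */
#define NOW_2021  ((krb5_timestamp)(uint32_t)1609459200u)
#define EXP_2040  ((krb5_timestamp)(uint32_t)2208988800u)

int main(void)
{
    printf("2040 expiration stored as int32: %d\n", EXP_2040);
    printf("naive    expired? %d\n", expired_naive(EXP_2040, NOW_2021));
    printf("unsigned expired? %d\n", expired_unsigned(EXP_2040, NOW_2021));
    printf("seconds until expiration: %d\n", ts_delta(EXP_2040, NOW_2021));
    printf("as time_t: %lld\n", (long long)ts2tt(EXP_2040));
    return 0;
}
```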
f3a1b4af by Christian Heimes at 2020-12-19T14:49:13+02:00
Change mkdir logic in DNSSEC

- Create /var/named/dyndb-ldap/ipa/master/ early
- Assume that /var/named/dyndb-ldap/ipa/master/ exists in BINDMgr.sync()

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8f6b4a07 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/bn_IN translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
57b41e0d by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/ca translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
7b63b5b8 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/cs translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
9c166cfc by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/de translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
09f97d2e by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/en_GB translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
03cf8ffe by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/es translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
0b02b051 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/eu translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
33f4e658 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/fr translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
fa4ac630 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/hi translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
9d4d4d27 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/hu translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
036c9675 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/id translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
12de97fc by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/ja translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
162aa652 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/kn translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
58d20171 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/mr translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
5ea60482 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/nl translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
4bf0a13a by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/pa translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
9ed9eb7c by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/pl translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
970c4050 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/pt_BR translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
acd2f305 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/pt translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
ad37d39e by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/ru translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
badd9551 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/sk translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
1bf4b41f by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/tg translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
29f797d4 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/tr translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
bdb759ac by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/uk translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
6c58f825 by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update po/zh_CN translation before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
4db85bed by Alexander Bokovoy at 2020-12-19T14:50:23+02:00
Update IPA translation template before release

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
e2f9912b by Vit Mojzis at 2020-12-19T23:08:05+02:00
selinux: Fix/waive issues reported by SELint

- order permissions alphabetically
- do not use semicolon after interfaces
- gen_require should only be used in interfaces
  -- to resolve this issue, corresponding changes have to be made in
  distribution policy instead of ipa module - disabling check

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
0b3f8719 by François Cami at 2020-12-19T23:08:05+02:00
set SELinux to Enforcing in gating.xml

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
2244a7a2 by Carl George at 2020-12-21T16:51:35+02:00
Use uglifyjs on CentOS too

Only checking for ID to equal "rhel" causes build failures on CentOS
Stream.  Instead check both ID and ID_LIKE.  This should also work later
on when rebuilds like CentOS Linux get this update.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6f8e4886 by François Cami at 2020-12-21T22:33:54+02:00
set SELinux back to Permissive in gating.xml

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d9bdd3e9 by Alexander Bokovoy at 2020-12-22T00:12:45+02:00
tests_webui: flip leading and trailing space password test

With commit 809d9cb80f5f4471f125823888f37875aa37809e we now allow
leading and trailing space in passwords. Fix Web UI tests to follow this
change.

Fixes: https://pagure.io/freeipa/issue/8629
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
7d13d704 by Alexander Bokovoy at 2020-12-22T00:12:45+02:00
tests_webui: fix wrong user name key for trail space case

The user name for the trail space key was using the name for the lead space key.
As a result, when both tests were transformed, the second one was
unsuccessful as the original user was already created.

Fix the user name data according to the test.

Fixes: https://pagure.io/freeipa/issue/8629
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
eb42b109 by Alexander Bokovoy at 2020-12-22T16:17:00+02:00
opendnssecinstance: use late binding for UID/GID resolution

Move actual resolution of UID/GID values for 'ods' and 'named' entities
to the code that needs them. This prevents failures when uninstalling
IPA server set up without DNS feature. In particular, 'named' group is
created when 'bind' package is installed and if 'bind' package is not
installed, uninstall fails in OpenDNSSEC instance constructor.

We use common pattern for all services during uninstall:

 svc = SVCClass(..)
 if svc.is_configured():
     svc.uninstall()

This requires that the class constructor should not rely on artifacts
that only exist when the service is configured.

Fixes: https://pagure.io/freeipa/issue/8630

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
eae9f0d8 by Alexander Bokovoy at 2020-12-22T16:17:00+02:00
dnskeysyncinstance: use late binding for UID/GID resolution

Move actual resolution of UID/GID values for 'ods' and 'named' entities
to the code that needs them. This prevents failures when uninstalling
IPA server set up without DNS feature. In particular, 'named' group is
created when 'bind' package is installed and if 'bind' package is not
installed, uninstall fails in OpenDNSSEC instance constructor.

We use common pattern for all services during uninstall:

 svc = SVCClass(..)
 if svc.is_configured():
     svc.uninstall()

This requires that the class constructor should not rely on artifacts
that only exist when the service is configured.

Fixes: https://pagure.io/freeipa/issue/8630

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
eca22818 by Alexander Bokovoy at 2020-12-22T16:17:00+02:00
odsexporterinstance: use late binding for UID/GID resolution

Move actual resolution of UID/GID values for 'ods' entities to the code
that needs them. This prevents failures when uninstalling IPA server set
up without DNS feature. In particular, 'ods' user and group are created
when 'opendnssec' package is installed and if 'opendnssec' package is
not installed, uninstall fails in OpenDNSSEC Exporter instance
constructor.

We use common pattern of checking the service during uninstall:

 svc = SVCClass()
 if svc.is_configured():
     svc.uninstall()

Thus, service class constructor must not do UID/GID resolution.

Fixes: https://pagure.io/freeipa/issue/8630

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
a3058d52 by Alexander Bokovoy at 2020-12-23T16:10:26+02:00
Update list of contributors

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1354031d by Weblate at 2020-12-23T16:30:25+02:00
Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master

- - - - -
44914cf1 by Alexander Bokovoy at 2020-12-23T16:33:22+02:00
Become FreeIPA 4.9.0

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0fd4a893 by Alexander Bokovoy at 2020-12-23T16:35:08+02:00
Get back to git snapshots

Track 4.9.1 development

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8c7d1fba by Alexander Bokovoy at 2020-12-23T20:22:34+01:00
ipaplatform: add constant for systemd-run binary

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
6fe573b3 by Alexander Bokovoy at 2020-12-23T20:22:34+01:00
ipatests: fix race condition in finalizer of encrypted backup test

When using a fixture, we get a temporary directory created and then
removed by pytest. Pytest uses `shutil.rmtree` call which collects all
files in the directory being removed and then removes them one by one.
At the point of removal of our GNUPGHOME directory, gpg daemon is being
shut down and there might still be an agent UNIX domain socket. The
removal actually overlaps in time with shut down of the gpg daemon, thus
causing `shutil.rmtree()` to fail when an agent UNIX domain socket is
removed by the daemon.

Change the way how we run the gpg agent to use a temporary systemd
service. Stop the service in the finalizer method so that systemd would
send SIGTERM signal and the gpg agent would clean itself up.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
8bc34186 by Florence Blanc-Renaud at 2020-12-23T20:25:21+01:00
ipatests: fix expected error message in test_commands

389ds no longer returns additional information
about a failing bind (to avoid leaking information).

As a consequence, when ipa-nis-manage is provided a
wrong password, the error message contains less info
than in the past and needs to be fixed.

Fixes: https://pagure.io/freeipa/issue/8631
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
dd1b596b by Florence Blanc-Renaud at 2020-12-23T20:27:08+01:00
ipatests: remove test_acme from gating

test_acme is not stable and often needs to be
launched multiple times. Remove the test from gating
until the issue is fixed.

Related: https://pagure.io/freeipa/issue/8602
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
27cc011a by Sudhir Menon at 2021-01-06T16:36:26+01:00
ipatests: ipahealthcheck remove test skipped in pytest run

TestIpaHealthCLI::test_input_file test was skipped due to
bz1866558. Removed the below statement so that the test can
now run as the bug is fixed.

@pytest.mark.xfail(reason='BZ 1866558', strict=False)

Also changed the assert statement to search text in
stdout_text rather than stderr_text.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2035ba99 by Sudhir Menon at 2021-01-06T16:37:44+01:00
ipatests: Test for IPATrustControllerPrincipalCheck

This testcase checks when trust between IPA-AD is established
successfully, IPATrustControllerPrincipalCheck displays
result as SUCCESS

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
286d0680 by Florence Blanc-Renaud at 2021-01-07T09:52:05+01:00
ipatests: clear initgroups cache in clear_sssd_cache

The tasks module provides a method to clear sssd cache,
but the method does not remove the file /var/lib/sss/mc/initgroups.

Update the method to also remove this file.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
33481a1a by Timo Aaltonen at 2021-01-07T11:05:49+02:00
Merge branch 'upstream' into master-next

- - - - -
d323cfd5 by Timo Aaltonen at 2021-01-07T11:07:25+02:00
bump the version

- - - - -
420067e1 by Timo Aaltonen at 2021-01-07T11:09:18+02:00
rules: Build only the client for bullseye.

- - - - -
956aab35 by Timo Aaltonen at 2021-01-07T11:15:56+02:00
drop upstreamed patches

- - - - -
068131ea by Timo Aaltonen at 2021-01-07T11:29:00+02:00
rules: ipasphinx files are only built on server build

- - - - -
10ba43ad by Rob Crittenden at 2021-01-07T16:10:22+01:00
Don't change the CA profile when modifying request in ipa_certupdate

The CA tracking request is modified (it calls renew but it doesn't
actually do a renewal) as part of ipa-certupdate and it dropped
the profile. ipa-healthcheck discovered this condition.

https://pagure.io/freeipa/issue/8644

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
ad1764a1 by Rob Crittenden at 2021-01-07T16:10:22+01:00
ipatests: test that no errors are reported after ipa-certupdate

The CA tracking request was modified to drop the profile which
was caught by ipa-healthcheck. Run ipa-certupdate then
ipa-healthcheck to confirm that no problems are introduced.

https://pagure.io/freeipa/issue/8644

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
8d7697af by Sergey Orlov at 2021-01-07T16:16:16+01:00
ipatests: do not set dns_lookup to true

dns_lookup was set to false during ipa client installation which prevented
searches for SRV records for Kerberos servers.
Since https://pagure.io/freeipa/issue/6523 is fixed, dns_lookup is always True
now and the fixture is not needed anymore.

Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
f36e518b by Florence Blanc-Renaud at 2021-01-08T09:47:08+01:00
ipatests: add a test for ipa-cert-fix

Add a new test for ipa-cert-fix issue 8618. When the CSR for one
of the certs to be renewed is missing from /etc/pki/pki-tomcat/{ca|kra}/CS.cfg
ipa-cert-fix fails to renew the certificates.

Test scenario:
- move the date in the future to expire PKI system certificates (+3 years)
- delete the directive ca.sslserver.certreq from CS.cfg
- call ipa-cert-fix and ensure that the CSR was found

Related: https://pagure.io/freeipa/issue/8618

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
eb711f78 by Florence Blanc-Renaud at 2021-01-08T09:47:08+01:00
ipa-cert-fix: do not fail when CSR is missing from CS.cfg

When the CSR for an expired cert is not found in
/etc/pki/pki-tomcat/{ca|kra}/CS.cfg, ipa-cert-fix fails to
renew the certificate and repair the installation.

The CSR can be found using certmonger as it is stored in
/var/lib/certmonger/requests/<ID> in the "csr" attribute.
Prior to calling pki-server cert-fix, make sure that the
CSR is present in CS.cfg, or update CS.cfg with the content
found using certmonger.

Fixes: https://pagure.io/freeipa/issue/8618

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7f2be8a4 by Florence Blanc-Renaud at 2021-01-08T09:47:08+01:00
ipatests: add test_ipa_cert_fix to the nightly definitions

Add the new test test_integration/test_ipa_cert_fix.py to the
nightly definitions.

Related: https://pagure.io/freeipa/issue/8618
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
071b7129 by Rob Crittenden at 2021-01-09T18:09:39+01:00
Remove invalid test case for DNS SRV priority

Upstream dnspython 2.1.0 introduced additional error checking
on SRV values and now rejects invalid priorities.

Remove the sorting test for priority of -1.

https://pagure.io/freeipa/issue/8650

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
952b6bdc by Florence Blanc-Renaud at 2021-01-10T11:05:34+01:00
selinux: modify policy to allow one-way trust

In selinux enforcing mode, the command ipa trust-add fails
to establish a one-way trust, during the step fetching the remote
domains.

This step calls a script over DBus and oddjob, that is executed
with oddjob_t context. The policy must allow noatsecure.

Currently the optional_policy is defined in selinux-policy
repo but is ineffective as ipa_helper_noatsecure is not defined
in this repo. When the optional_policy is defined in our own
module, it is taken into account and ipa trust-add succeeds.

Fixes: https://pagure.io/freeipa/issue/8508
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
9ae74425 by Rob Crittenden at 2021-01-13T17:42:16+01:00
Remove virtual attributes before rolling back a permission

On a failed permission update if the generated ACI is
invalid then the updated permission is rolled back.

Add the virtual relationship attributes to list of attributes
to be ignored when rolling back the entry.

This relies on the current order in the LDAPObject
relationships field where member and memberof are the first
two values.

https://pagure.io/freeipa/issue/8646

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
bdc383a1 by Rob Crittenden at 2021-01-13T17:42:16+01:00
ipatests: test that modifying a permission attrs handles failure

Add a test to ensure that a change to a permission that will
result in an invalid ACI is rolled back.

https://pagure.io/freeipa/issue/8646

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
df411f00 by Robbie Harwood at 2021-01-14T10:01:46+01:00
Set client keytab location for 389ds

Handles behavior change in
https://github.com/389ds/389-ds-base/pull/4523

Fixes: https://pagure.io/freeipa/issue/8656
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
753246f4 by Alexander Bokovoy at 2021-01-14T10:05:12+01:00
ipaserver/dcerpc: use Samba-provided trust helper to establish trust

When establishing trust to Active Directory forest, RC4 is used to
encrypt trusted domain object credentials as an application-specific
material in a secure channel based on AES session key.

In FIPS mode it is not possible to use RC4 directly.

Samba 4.14 and backports to 4.13 in Fedora 33+ and RHEL 8.4+ now
provide a helper that wraps LSA RPC call CreateTrustedDomainEx2.
This helper ensures that in FIPS mode we first check that LSA session
key is AES before allowing RC4 use internally in Samba bindings. Thus,
it becomes possible to establish trust to Active Directory forest in
FIPS mode.

Adapt FreeIPA code to use the helper provided by Samba when it is
available. If neither the helper nor the unprotected arcfour_encrypt utility
is available from Samba bindings, fail the import of the ipaserver.dcerpc
module.

Fixes: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8ab9bf68 by Alexander Bokovoy at 2021-01-14T10:05:12+01:00
ipaserver/dcerpc.py: use Kerberos authentication for discovery

In FIPS mode we cannot rely on NTLMSSP at all, so we have to ensure
Kerberos is used by Samba Python libraries. This is achieved by
requiring credentials objects to always use Kerberos authentication.

Additionally, we have to normalize the principal used to authenticate.
In case it was passed without realm, add forest root domain as a realm.
In case it was passed with NetBIOS domain name, remove it and replace
with a realm. Since we only know about the forest root domain as a
realm, require that for other domains' users a real Kerberos principal
is specified.

Fixes: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

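The principal normalisation the commit describes, as an added example that is not FreeIPA's ipaserver/dcerpc.py code: a bare name or a NetBIOS-qualified name is mapped onto the forest root realm, a name that is already a principal is passed through, and the Samba credentials object would then be told to use Kerberos only. Assumptions of mine: NetBIOS-qualified names use the DOMAIN\user form; the error class is a local stand-in; and, going one step beyond the commit text, when the caller supplies the forest root's NetBIOS name a different NetBIOS prefix is rejected rather than silently mapped onto the wrong realm.

```python
class TrustSetupError(ValueError):
    """Stand-in for the error IPA would raise; the name is an assumption."""


def normalize_principal(name, forest_root_domain, forest_root_netbios=None):
    """Turn the account name given to trust establishment into a Kerberos
    principal. Only the forest root domain is known as a realm, so:

      'user'             -> user@FOREST.ROOT
      'NETBIOS\\user'    -> user@FOREST.ROOT   (NetBIOS name stripped)
      'user@some.domain' -> user@SOME.DOMAIN   (realm upper-cased, kept)

    A user from another domain of the forest must therefore be given as a
    full principal; with a known forest-root NetBIOS name, a foreign
    NetBIOS prefix is refused instead of being mapped to the wrong realm."""
    realm = forest_root_domain.upper()
    if "\\" in name:
        netbios, _, user = name.partition("\\")
        if not user:
            raise TrustSetupError(f"malformed account name {name!r}")
        if forest_root_netbios and netbios.upper() != forest_root_netbios.upper():
            raise TrustSetupError(
                f"{netbios!r} is not the forest root domain; specify {user}@REALM")
        return f"{user}@{realm}"
    if "@" in name:
        user, _, domain = name.rpartition("@")
        if not user or not domain:
            raise TrustSetupError(f"malformed principal {name!r}")
        return f"{user}@{domain.upper()}"
    return f"{name}@{realm}"


def try_normalize(name, forest_root_domain, forest_root_netbios=None):
    """Convenience wrapper returning None instead of raising."""
    try:
        return normalize_principal(name, forest_root_domain, forest_root_netbios)
    except TrustSetupError:
        return None


if __name__ == "__main__":
    for candidate in ("Administrator", "AD\\Administrator",
                      "admin@child.ad.example.test", "CHILD\\admin"):
        print(f"{candidate:32} -> {try_normalize(candidate, 'ad.example.test', 'AD')}")
```

Note that the realm is upper-cased but the user part is left as given: Kerberos principal names are case-sensitive on the MIT side, and Active Directory's KDC is tolerant of the user-part case, so the safest thing is to pass through exactly what the administrator typed.
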
- - - - -
3fa07a10 by Alexander Bokovoy at 2021-01-14T10:05:12+01:00
ipaserver/dcerpc.py: enforce SMB encryption on LSA pipe if available

We want to always use SMB encryption if it is possible on the LSA pipe, as we
are going to pass what amounts to plain-text content within the
CreateTrustedDomainEx2 call.

The catch is that older Samba versions might not have a way to enforce
this and we need to fall back to working with the existing connection then.

Fixes: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ca9f8d1c by Rob Crittenden at 2021-01-14T11:08:49+01:00
ipatests: See if nologin supports -c before asserting message

Per the ssh_config(5) man page under ProxyCommand:

"The command string extends to the end of the line, and is
executed using the user's shell ‘exec’ directive to avoid a
lingering shell process."

<shell> -c <proxy command>

Some older versions of nologin (RHEL/CentOS) do not support
the -c option so will still fail, but since nologin doesn't
actually execute properly it doesn't include the output
'This account is currently not available', so don't assert
in that case. The return code of 1 is sufficient to know
that the login is denied.

https://pagure.io/freeipa/issue/7676

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0db28969 by Florence Blanc-Renaud at 2021-01-15T09:57:28+01:00
ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection

Modify the test scenario in order to be independent from PKI
behavior. The aim of the test is to ensure that the KRA
detection is not based on the presence of the directory
/var/lib/pki/pki-tomcat/kra/.
Previously the test was calling ipa-server-upgrade but this cmd
may fail even with the kra detection fix because of an issue in
pki (https://github.com/dogtagpki/pki/issues/3397).
Instead of exercising the whole ipa-server-upgrade command, the
test now checks the output of the API kra.is_installed() to validate
KRA detection mechanism.

Fixes: https://pagure.io/freeipa/issue/8653
Related: https://pagure.io/freeipa/issue/8596

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
3aeb9b8e by Rob Crittenden at 2021-01-15T14:01:45+01:00
Revert "Remove test for minimum ACME support and rely on package deps"

This reverts commit 81c97bb9928a88a595b3afe6fa70fcfb267b1440.

This is to make IPA installable again with older versions of dogtag
so it will install on CentOS 8 Stream.

ACME will not be deployed but on upgrade, if pki 10.10.x is available
then it will be.

https://pagure.io/freeipa/issue/8634

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ec4511ec by Rob Crittenden at 2021-01-15T14:04:10+01:00
Add missing break statement to password quality switch

Discovered by coverity.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f0de5570 by Rob Crittenden at 2021-01-15T14:04:10+01:00
ipa-kdb: Change mspac base RID logic from OR to AND

The purpose is to set a default if the RID doesn't match
expectations.

Discovered by coverity

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
93f8840e by Rob Crittenden at 2021-01-15T14:04:10+01:00
ipa-kdb: Fix logic to prevent NULL pointer dereference

Discovered by coverity

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
df0c2d7e by Rob Crittenden at 2021-01-15T14:04:10+01:00
ipa_kdb: Fix memory leak

ipadb_get_principal() allocates client_actual. Call
ipadb_free_principal to release it.

Rather than spreading the free() amongst the code, introduce
'done' as a target to match behavior in similar functions.

Discovered by coverity.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f6cfbffc by Rob Crittenden at 2021-01-15T14:04:10+01:00
ipa_pwd: Remove unnecessary conditional

It is already confirmed that item_data is not NULL so there
is no need to check it again.

Discovered by coverity.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
06ffc7aa by Rob Crittenden at 2021-01-15T10:48:21-05:00
ipa-rmkeytab: convert numeric return values to #defines

This makes it clearer what the return value means.

Replace closing of keytab based on the numeric return value
and do it based on whether the keytab was opened at all.

https://pagure.io/freeipa/issue/8658

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7b380969 by Rob Crittenden at 2021-01-15T10:48:21-05:00
ipa-rmkeytab: Check return value of krb5_kt_(start|end)_seq_get

The return values of the functions managing the cursor in the keytab
were not checked or reported in a consistent way. This should
assure a reasonable error message in case something goes wrong.

https://pagure.io/freeipa/issue/8658

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ccdecaa9 by Armando Neto at 2021-01-19T11:27:10+01:00
ipatests: Update PR-CI definitions for ipa-4-9

Adding PR-CI definitions for gating, "previous" and "latest" nightly runs.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
bd3bad88 by Florence Blanc-Renaud at 2021-01-19T16:13:15+01:00
ipatests: fix expected errmsg in TestTrust::test_ipa_commands_run_as_aduser

389ds no longer returns additional information
about a failing bind (to avoid leaking information).

As a consequence, when ipa ping is executed with an AD user
the error message contains less info than in the past and needs to be fixed.

Fixes: https://pagure.io/freeipa/issue/8668
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
56b84973 by Christian Heimes at 2021-01-19T17:48:41+01:00
Add ccache sweeper files to gitignore

See: https://pagure.io/freeipa/issue/8589
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
41a9cc63 by Stanislav Levin at 2021-01-19T17:51:28+01:00
ipatests: Raise log level of 389-ds replication

- change log level for replication debugging
  According to the docs:
  ```
  default level of logging(16384) used for critical errors and other
  messages that are always written to the error log. Messages at this
  level are always included in the error log, regardless of the log
  level setting.
  ```

- always flush the access logs to filesystem
  During testing, access logs may be written with a delay; this
  results in logs not being collected by this test node but, for example,
  by the next one.

- as of now, the changes on `cn=config` are made after the installation
  of server or replica. If an error occurs during these stages, then the
  actual log level will be the default and not as expected.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2a86a93e by Antonio Torres at 2021-01-19T17:52:47+01:00
Test that IPA certs are removed on server uninstall

Test that IPA certs are removed after the server uninstall
process. This is needed since if these certs are not
removed from the system store, further installations
will fail.

Related: https://pagure.io/freeipa/issue/8614
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
2715fbd4 by Antonio Torres at 2021-01-19T17:52:47+01:00
Check that IPA cert is added to trust store after server install

Checking that IPA cert has been added to trust
store is needed to verify that installation
of the server is correct. This cert should also
be removed on uninstall to prevent failures
on further installations.

Related: https://pagure.io/freeipa/issue/8614
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
2a207918 by Florence Blanc-Renaud at 2021-01-20T15:56:29+01:00
ipatests: fix healthcheck test for ipahealthcheck.ds.encryption

389ds is combining the value set in dse.ldif and the current crypto
policy to evaluate the min TLS version that it will be using.
The test needs to change the crypto policy to LEGACY in order to allow
TLS 1.0, because the DEFAULT policy prevents TLS 1.0 on fc33+.

Fixes: https://pagure.io/freeipa/issue/8670

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>

- - - - -
1dd4501a by Rob Crittenden at 2021-01-21T13:43:11+01:00
Add support for cgroup v2 to the installer memory checker

Support both the case where there is a limit imposed on the
container and when there isn't.

https://pagure.io/freeipa/issue/8635

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

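The detection the commit adds to the installer memory checker, both with and without a container limit, as an added example that is not FreeIPA's installer code. Assumptions of mine: cgroup v2 is recognised by the presence of cgroup.controllers under /sys/fs/cgroup and the limit for the process's own cgroup is read from memory.max (a byte count or the literal "max"); cgroup v1 exposes memory/memory.limit_in_bytes, where a value near the signed 64-bit maximum is the kernel's "unlimited" sentinel; when no cgroup limit applies, MemTotal from /proc/meminfo is the figure to compare. The file trees at the bottom are constructed sample data so the check can be exercised offline.

```python
import os
import re

CGROUP_ROOT = "/sys/fs/cgroup"
# cgroup v1 reports "no limit" as a huge number just under the signed
# 64-bit maximum, so anything this large is treated as unlimited.
V1_UNLIMITED_THRESHOLD = 1 << 60


def parse_memory_max(text):
    """cgroup v2 memory.max: the literal 'max' means no limit, else bytes."""
    value = text.strip()
    if value == "max":
        return None
    if not value.isdigit():
        raise ValueError(f"unexpected memory.max content: {value!r}")
    return int(value)


def parse_memory_limit_in_bytes(text):
    """cgroup v1 memory.limit_in_bytes, with the sentinel mapped to None."""
    value = int(text.strip())
    return None if value >= V1_UNLIMITED_THRESHOLD else value


def parse_meminfo_total(text):
    """MemTotal in /proc/meminfo is given in kB; return bytes."""
    match = re.search(r"^MemTotal:\s+(\d+)\s+kB", text, re.M)
    if match is None:
        raise ValueError("MemTotal not found in meminfo")
    return int(match.group(1)) * 1024


def own_cgroup_v2_path(proc_self_cgroup):
    """Under v2, /proc/self/cgroup holds a single '0::<path>' line."""
    for line in proc_self_cgroup.splitlines():
        if line.startswith("0::"):
            return line[3:].strip()
    return None


def available_memory(reader):
    """Return (bytes, source). `reader(path)` yields a file's text or raises
    FileNotFoundError, which keeps the logic testable without a cgroup tree.
    Caveat: only the process's own cgroup is inspected; a tighter limit set
    on an ancestor cgroup would not be seen."""
    total = parse_meminfo_total(reader("/proc/meminfo"))
    try:
        reader(os.path.join(CGROUP_ROOT, "cgroup.controllers"))
        unified = True  # cgroup v2 unified hierarchy
    except FileNotFoundError:
        unified = False
    if unified:
        relpath = (own_cgroup_v2_path(reader("/proc/self/cgroup")) or "/").lstrip("/")
        try:
            limit = parse_memory_max(
                reader(os.path.join(CGROUP_ROOT, relpath, "memory.max")))
        except FileNotFoundError:
            limit = None  # the root cgroup has no memory.max
        source = "cgroup v2 memory.max"
    else:
        try:
            limit = parse_memory_limit_in_bytes(
                reader(os.path.join(CGROUP_ROOT, "memory", "memory.limit_in_bytes")))
        except FileNotFoundError:
            limit = None
        source = "cgroup v1 memory.limit_in_bytes"
    if limit is None or limit >= total:
        return total, "MemTotal"
    return limit, source


def has_enough_memory(reader, required_bytes):
    """The installer-style decision: effective memory against a minimum."""
    return available_memory(reader)[0] >= required_bytes


def reader_from(files):
    """Reader over an in-memory {path: text} map (constructed sample data)."""
    def reader(path):
        if path not in files:
            raise FileNotFoundError(path)
        return files[path]
    return reader


# Constructed trees, one per situation the commit mentions.
V2_LIMITED = {
    "/proc/meminfo": "MemTotal:       16384000 kB\nMemFree:         1234 kB\n",
    "/sys/fs/cgroup/cgroup.controllers": "cpuset cpu io memory pids\n",
    "/proc/self/cgroup": "0::/\n",
    "/sys/fs/cgroup/memory.max": "2147483648\n",
}
V2_UNLIMITED = dict(V2_LIMITED, **{"/sys/fs/cgroup/memory.max": "max\n"})
V1_UNLIMITED = {
    "/proc/meminfo": V2_LIMITED["/proc/meminfo"],
    "/proc/self/cgroup": "12:memory:/\n",
    "/sys/fs/cgroup/memory/memory.limit_in_bytes": "9223372036854771712\n",
}

if __name__ == "__main__":
    print(available_memory(lambda path: open(path).read()))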
- - - - -
85d944ce by Rob Crittenden at 2021-01-21T13:43:11+01:00
ipatests: test the cgroup v2 memory restrictions

Also rename a few tests to hopefully make their purpose clearer.

https://pagure.io/freeipa/issue/8635

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
34add4a2 by François Cami at 2021-01-22T08:43:19+01:00
ipatests: test_ipahealthcheck: fix units

df uses 1024 bytes as its default display value, but this can be
tweaked by environment variables or a CLI knob.
Force the output unit to 1024 bytes using the CLI and parse it
accordingly.

Fixes: https://pagure.io/freeipa/issue/8674
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
f8bf3742 by Alexander Bokovoy at 2021-01-22T21:10:58-05:00
ipa-kdb: provide correct logon time in MS-PAC from authentication time

When MS-PAC structure is created, we get passed the time of
authentication from KDC. Use this to record logon time in MS-PAC
structure.

Set allow password change time to the last password change. We need to
refer to the actual password policy here in future.

Also use INT64_MAX to represent the resulting value for logoff
and kickoff times according to MS-PAC 2.6.

Fixes: https://pagure.io/freeipa/issue/8659
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
962052a0 by Alexander Bokovoy at 2021-01-22T21:10:58-05:00
ipasam: implement PASSDB getgrnam call

ipasam already implemented retrieval of groups for MS-SAMR calls.
However, it did not have implementation of a group retrieval for the
path of lookup_name() function in Samba. The lookup_name() is used in
many places in smbd and winbindd.

With this change it will be possible to resolve IPA groups in Windows UI
(Security tab) and console (net localgroup ...). When Global Catalog
service is enabled, it will be possible to search for those groups as
well.

In Active Directory, security groups can be domain, domain local, local
and so on. In IPA, only domain groups are exposed through ipasam because
the SID generation plugin only supports adding SIDs to POSIX groups and
users. Thus, non-POSIX groups are not going to have SIDs associated and
will not be visible in both UNIX and Windows environments.

Group retrieval in Samba is implemented as a mapping between NT and
POSIX groups. IPA doesn't have explicit mapping tables. Instead, any
POSIX group in IPA that has a SID associated with it is considered a
domain group for Samba.

Finally, additional ACI is required to ensure attributes looked up by
ipasam are always readable by the trust agents.

Fixes: https://pagure.io/freeipa/issue/8660
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2e8eb0f5 by Alexander Bokovoy at 2021-01-22T21:10:58-05:00
ipasam: allow search of users by user principal name (UPN)

lookup_name() in Samba may call PASSDB API to search by a UPN (e.g.
username at suffix). Support this call by detecting '@' in the passed name
and setting up filter to be

  (&(objectClass=ipaNTUserAttrs)(objectClass=krbPrincipalAux)(krbPrincipalName:caseIgnoreIA5Match:=%s))

instead of

  (&(objectClass=ipaNTUserAttrs)(uid=%s))

The result of the search would still contain a proper user entry as we
always have krbPrincipalName in LDAP entries of IPA users. Note that the
match must be case-insensitive because otherwise krbPrincipalName is
matched with exact case in the schema. We use the same matching override
in KDB driver already.

Fixes: https://pagure.io/freeipa/issue/8661
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

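The filter selection described above, with the value escaped so a name such as "*)(uid=*" is matched literally rather than widening the search, as an added example that is not the ipasam C code. The two filter templates are the ones quoted in the commit message; the RFC 4515 escaping helper, the UPN heuristic, and the in-memory entries that model the exact uid match versus the case-insensitive krbPrincipalName match are mine and are constructed for illustration.

```python
# Filter templates as quoted in the commit message.
USER_BY_UID = "(&(objectClass=ipaNTUserAttrs)(uid=%s))"
USER_BY_UPN = ("(&(objectClass=ipaNTUserAttrs)(objectClass=krbPrincipalAux)"
               "(krbPrincipalName:caseIgnoreIA5Match:=%s))")

# RFC 4515: these characters in an assertion value are written as a
# backslash followed by two hex digits; NUL is included for completeness.
_LDAP_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value):
    """Escape a search value so it is matched literally, never parsed as filter syntax."""
    return "".join(_LDAP_SPECIAL.get(ch, ch) for ch in value)


def is_upn(name):
    """A UPN is 'user@suffix' with exactly one '@' and non-empty halves."""
    user, sep, suffix = name.partition("@")
    return bool(sep and user and suffix) and "@" not in suffix


def user_lookup_filter(name):
    """Pick the template the way the commit describes and escape the value."""
    template = USER_BY_UPN if is_upn(name) else USER_BY_UID
    return template % ldap_escape(name)


# Constructed entries standing in for IPA user objects in the directory.
SAMPLE_ENTRIES = [
    {"uid": "alice", "krbPrincipalName": "alice@EXAMPLE.TEST",
     "objectClass": {"ipaNTUserAttrs", "krbPrincipalAux"}},
    {"uid": "bob", "krbPrincipalName": "bob@EXAMPLE.TEST",
     "objectClass": {"ipaNTUserAttrs", "krbPrincipalAux"}},
]


def find_user(entries, name):
    """Evaluate the chosen lookup against in-memory entries. A real server
    receives the string from user_lookup_filter(); here the semantics are
    modelled directly: uid is matched exactly, krbPrincipalName with the
    case-insensitive rule the caseIgnoreIA5Match override provides."""
    if is_upn(name):
        return [e for e in entries
                if "krbPrincipalAux" in e["objectClass"]
                and e["krbPrincipalName"].lower() == name.lower()]
    return [e for e in entries if e["uid"] == name]


if __name__ == "__main__":
    for name in ("alice", "Alice@example.test", "*)(uid=*"):
        print(user_lookup_filter(name), "->",
              [e["uid"] for e in find_user(SAMPLE_ENTRIES, name)])
```

The '@' test decides only which attribute is searched; escaping is applied in both branches, because the value comes from whatever Samba's lookup_name() was handed and must never be interpolated into a filter unescaped.
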
- - - - -
e8f927db by Alexander Bokovoy at 2021-01-22T21:10:58-05:00
ipasam: free trusted domain context on failure

The context is hanging off a talloc memory context passed into the
function so it will eventually be freed. It is better, though, to free
it immediately when we exit from the fill_pdb_trusted_domain() function.

Related: https://pagure.io/freeipa/issue/8576
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f1031729 by Alexander Bokovoy at 2021-01-22T21:10:58-05:00
ipasam: derive parent domain for subdomains automatically

[MS-ADTS] 6.1.6.7.13 defines 'trustPartner' attribute as containing a
FQDN of the trusted domain. In practice, for a subdomain of a forest, it
would be FQDN of the subdomain itself in the trusted domain entry in the
parent domain. This is reflected as ipaNTTrustPartner attribute in
FreeIPA.

Remove ipaNTTrustPartner from the searches that use NetBIOS name. We
match cn of that entry already.

Use RDN value of the entry to derive DNS domain name in case
ipaNTTrustPartner is missing.

For subdomains, set trust attributes to 0 and trust flags to mark them
as being within the forest. This will trigger winbindd to not ask for
credentials to reach those domain controllers directly.

Fixes: https://pagure.io/freeipa/issue/8576
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3d706b6f by Alexander Bokovoy at 2021-01-22T21:10:58-05:00
ipaserver/dcerpc: store forest topology as a blob in ipasam

winbindd expects forest topology information blob to find out child
domains. We should store it in LDAP and let ipasam retrieve it.
In fact, ipasam already supports updating and loading this information
but during 'ipa trust-fetch-domains' we didn't provide it.

Make sure the blob is preserved after it was retrieved and also updated
when we fetch forest topology information.

Fixes: https://pagure.io/freeipa/issue/8576
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dc16c248 by Sergey Orlov at 2021-01-22T21:10:58-05:00
ipatests: use fully qualified name for AD admin when establishing trust

Changes in https://pagure.io/freeipa/issue/8655 made it impossible
to use AD admin name without domain part in "ipa trust-add" command to
establish external trust with an AD tree domain.
Also use fully qualified admin name by default in all trust related tests
to reduce ambiguity.

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b5359249 by JoeDrane at 2021-01-22T21:10:58-05:00
Update ipa_sam.c

fixed typo in debug message on line 4040.

Signed-off-by: JoeDrane <joe at drane.io>
Reviewed-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c842d4b5 by Alexander Bokovoy at 2021-01-22T21:10:58-05:00
trust-fetch-domains: use custom krb5.conf overlay for all trust operations

Operations in FIPS mode make it impossible to use NTLMSSP when
authenticating to trusted Active Directory domain controllers because
the RC4 cipher is not allowed. Instead, Kerberos authentication has to be
used. We switched to enforce Kerberos authentication when communicating
with trusted domains' domain controllers everywhere.

Kerberos library uses system wide configuration which in IPA defaults to
resolving location of KDCs via DNS SRV records. Once trust is
established, SSSD will populate a list of closest DCs and provide them
through the KDC locator plugin. But at the time the trust is established
performing DNS SRV-based discovery of Kerberos KDCs might fail due to
multiple reasons. It might also succeed but point to a DC that doesn't
know about the account we have to use to establish trust.

One edge case is when a DNS SRV record points to an unreachable DC,
whether due to a firewall or network topology limitations. In such
case an administrator would pass --server <server> option to
'ipa trust-add' or 'ipa trust-fetch-domains' commands.

'ipa trust-fetch-domains' runs a helper via oddjobd. This helper was
already modified to support --server option and generated custom
krb5.conf overlay to pin to a specific AD DC. However, this
configuration was removed as soon as we finished talking to AD DCs.

With the switch to always use Kerberos to authenticate in retrieval of the
topology information, we have to use the overlay everywhere as well.

Convert the code that generated the overlay file into a context that
generates the overlay and sets environment. Reuse it in other
trust-related places where this matters.

Oddjob helper runs as root and can write to /run/ipa for the krb5.conf
overlay.

Server side of 'ipa trust-add' code calls into ipaserver/dcerpc.py and
runs under ipaapi so it can only write to /tmp. Since it is a part of the
Apache instance, it uses private /tmp mounted on tmpfs.

Fixes: https://pagure.io/freeipa/issue/8664
Related: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

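The overlay-as-context idea from the commit (generate a krb5.conf fragment that pins the trusted realm to one chosen DC, set the environment, tear it down afterwards), as an added example that is not FreeIPA's trust helper code. Assumptions of mine: the overlay is chained in front of the system file via MIT krb5's KRB5_CONFIG, which accepts a colon-separated list of files read in order; the writable directory is supplied by the caller (the commit notes that the oddjob helper can use /run/ipa while the web-server side only has its private /tmp); the realm and server names below are constructed.

```python
import os
import stat
import tempfile
from contextlib import contextmanager

SYSTEM_KRB5_CONF = "/etc/krb5.conf"


def render_overlay(realm, server):
    """A [realms] fragment naming one KDC for the trusted realm. Only that
    realm is touched; everything else still comes from the system file."""
    realm = realm.upper()
    return (
        "[realms]\n"
        f" {realm} = {{\n"
        f"  kdc = {server}\n"
        f"  master_kdc = {server}\n"
        f"  admin_server = {server}\n"
        " }\n"
    )


@contextmanager
def pinned_kdc(realm, server, directory, system_conf=SYSTEM_KRB5_CONF):
    """Write the overlay into `directory` (mkstemp gives 0600, owner only),
    export KRB5_CONFIG as '<overlay>:<system file>' so the overlay is read
    first, yield the path, and on exit restore the previous environment and
    delete the file. Every trust operation runs inside this block, so the
    pinning stays in force for the whole exchange with the AD DCs."""
    fd, path = tempfile.mkstemp(prefix="krb5.conf.", dir=directory)
    previous = os.environ.get("KRB5_CONFIG")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(render_overlay(realm, server))
        os.environ["KRB5_CONFIG"] = f"{path}:{system_conf}"
        yield path
    finally:
        if previous is None:
            os.environ.pop("KRB5_CONFIG", None)
        else:
            os.environ["KRB5_CONFIG"] = previous
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass


def demo(realm="ad.example.test", server="dc1.ad.example.test"):
    """Run the context manager in a scratch directory and report what a
    caller observes inside the block and after it."""
    with tempfile.TemporaryDirectory() as workdir:
        with pinned_kdc(realm, server, workdir) as overlay:
            with open(overlay) as fh:
                text = fh.read()
            mode = stat.S_IMODE(os.stat(overlay).st_mode)
            env_inside = os.environ["KRB5_CONFIG"]
        removed = not os.path.exists(overlay)
    return {"overlay_text": text, "mode": mode, "env_inside": env_inside,
            "overlay_removed": removed,
            "env_after": os.environ.get("KRB5_CONFIG")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the environment change is process-wide, anything else that initialises a Kerberos context in the same process while the block is active will also see the pinned KDC; in a helper that exists only to talk to the trusted forest that is the intended effect, in a long-lived server process it is the reason to keep the block as narrow as possible.
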
- - - - -
9f63afb4 by Alexander Bokovoy at 2021-01-22T21:10:58-05:00
use a constant instead of /var/lib/sss/keytabs

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dc2a52ab by Florence Blanc-Renaud at 2021-01-22T21:13:23-05:00
ipatests: fix expected output for ipahealthcheck.ipa.files

With ipa-healthcheck 0.8, the test ipahealthcheck.ipa.files is able
to return a list of possible owners/groups as a comma-separated string
instead of a single owner/group (see commit 930ec5f).

The test output needs to be fixed accordingly.

Fixes: https://pagure.io/freeipa/issue/8662

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
89eba7d3 by Antonio Torres Moríñigo at 2021-01-26T12:53:36-05:00
Allow leading/trailing whitespaces in passwords

kwargs is redefined to set the `noextrawhitespace` parameter
from the Str class to `False`.

Fixes: https://pagure.io/freeipa/issue/7599

Signed-off-by: Antonio Torres Moríñigo <atorresm at protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3f3762ef by Antonio Torres Moríñigo at 2021-01-26T12:53:36-05:00
ipatests: test that trailing/leading whitespaces in passwords are allowed

Add test to ensure that strings with trailing or leading
whitespaces are allowed as valid passwords.

Signed-off-by: Antonio Torres Moríñigo <atorresm at protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
16b30cbe by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
Add design document for using AD users/groups in SUDO rules

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
132d7fb0 by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
baseldap: refactor validator support in add_external_pre_callback

baseldap.py:add_external_pre_callback() allows redefining the validators
used to validate member names. Originally this was done to allow
hostname validation and reused default validators associated with other
parameter types.

Provide extension of the validator callbacks to allow fine grained
validation strategy. This is helpful in case we want to apply an
alternative validation strategy in case default validator fails.

New validators can be added to 'member_validator' registry in a similar
way to how API objects are registered:

from .baseldap import member_validator

@member_validator(membertype='foo')
def my_new_validator(ldap, dn, keys, options, value):
    <validate value here>

Arguments passed to the validator are arguments passed to the
add_external_pre_callback() augmented with the value to validate.

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Peter Keresztes Schmidt <carbenium at outlook.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
ffc2edf6 by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
baseldap: when adding external objects, differentiate between them and failures

It was possible to add external members without any validation. Any
object that was not found in IPA LDAP was considered an external object
and a command such as sudorule could have added it to the list of values
for externalUser attribute.

With member validator support, real external members from trusted
domains can be differentiated from the objects that were not found in
IPA and in trusted domains.

Use information from the ID Views plugin to treat external objects
accordingly. Not found objects will be part of the error messaging
instead.

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
a3563d1c by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
idviews: add extended validator for users from trusted domains

Register extended validator for users from trusted domains to be called
through add_external_pre_callback() in sudorules and other plugins.

The callbacks allow validating user names as follows:

 - if user name passes basic user name validator it is accepted, otherwise
 - if user name can be resolved to any user in IPA or in a trusted
   domain, it is accepted
 - otherwise the name is rejected

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
054a068f by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
sudorule-add-user: allow to reference users and groups from trusted domains directly

Allow specifying AD users and groups from trusted Active Directory
forests in `ipa sudorule-add/remove-user` family of commands.

SSSD uses a single attribute 'externalUser' for IPA to pull 'external'
objects referenced in SUDO rules. This means both users and groups are
represented within the same attribute, with groups prefixed with '%',
as described in the sudoers(5) man page.

Add member type validators to the 'ipa sudorule-add/remove-user' family
of commands and rely on member type validators from the 'idviews' plugin to
resolve trusted objects.

Referencing fully qualified names for users and groups from trusted
Active Directory domains in 'externalUser' attribute of SUDO rules is
supported in SSSD 2.4 or later.

RN: IPA now supports adding users and groups from trusted Active
RN: Directory domains in SUDO rules without an intermediate non-POSIX
RN: group membership

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

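The three pieces described in the baseldap, idviews and sudorule commits above (a decorator-driven member_validator registry, the layered accept/resolve/reject strategy for names from trusted domains, and the encoding of users and groups into the single externalUser attribute with the '%' prefix for groups), as one added example that is not FreeIPA's own code. Assumptions of mine: the basic name check is a simplified POSIX-style regex; the IPA directory and the trusted domains are modelled by constructed in-memory sets, with lower-cased keys standing in for the case-insensitive matching of AD names; the error class is a local stand-in for IPA's.

```python
import re


class ValidationError(Exception):
    """Stand-in for the IPA error raised when a member is rejected."""


# membertype -> list of validators, filled by the decorator below
_member_validators = {}


def member_validator(membertype):
    """Decorator that registers a validator for one member type, in the
    style of the registry the baseldap commit describes."""
    def register(func):
        _member_validators.setdefault(membertype, []).append(func)
        return func
    return register


# Simplified POSIX-style name rule; the real validators are richer.
BASIC_NAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")

# Constructed stand-ins for what would be resolved in IPA LDAP and, via
# the ID views plugin, in trusted domains.
KNOWN_IPA = {"user": {"alice", "bob"}, "group": {"wheel", "admins"}}
KNOWN_TRUSTED = {"user": {"jdoe@ad.example.test"},
                 "group": {"domain admins@ad.example.test"}}


def _resolvable(membertype, value):
    return (value in KNOWN_IPA[membertype]
            or value.lower() in KNOWN_TRUSTED[membertype])


@member_validator(membertype="user")
def validate_external_user(ldap, dn, keys, options, value):
    """Layered strategy: a plain name passes the basic check; otherwise it
    must resolve in IPA or a trusted domain; otherwise it is rejected."""
    if BASIC_NAME_RE.match(value) or _resolvable("user", value):
        return value
    raise ValidationError(f"{value!r}: no such user in IPA or trusted domains")


@member_validator(membertype="group")
def validate_external_group(ldap, dn, keys, options, value):
    if BASIC_NAME_RE.match(value) or _resolvable("group", value):
        return value
    raise ValidationError(f"{value!r}: no such group in IPA or trusted domains")


def validate_member(membertype, value, ldap=None, dn=None, keys=(), options=None):
    """Run every validator registered for the type; the first to accept
    wins, and the last rejection is reported if none does."""
    validators = _member_validators.get(membertype)
    if not validators:
        raise KeyError(f"no validator registered for {membertype!r}")
    error = None
    for validator in validators:
        try:
            return validator(ldap, dn, keys, options or {}, value)
        except ValidationError as exc:
            error = exc
    raise error


def is_valid_member(membertype, value):
    try:
        validate_member(membertype, value)
        return True
    except ValidationError:
        return False


def encode_external(membertype, name):
    """externalUser holds users and groups together; groups get the '%'
    prefix from sudoers(5). Validation runs before anything is stored, so
    an unresolvable name becomes an error instead of a silent external entry."""
    validate_member(membertype, name)
    return "%" + name if membertype == "group" else name


def decode_external(value):
    """Split a stored externalUser value back into (membertype, name)."""
    if value.startswith("%"):
        return "group", value[1:]
    return "user", value


if __name__ == "__main__":
    for kind, name in (("user", "jdoe@ad.example.test"),
                       ("group", "Domain Admins@ad.example.test"),
                       ("user", "nobody@ad.example.test")):
        print(kind, name, "->",
              encode_external(kind, name) if is_valid_member(kind, name) else "rejected")
```

The point of the registry is that a plugin such as idviews can register a second validator for the same member type without touching baseldap, and a name is only rejected once every registered validator has declined it.
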
- - - - -
78043bfb by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
sudorule runAs: allow to add users and groups from trusted domains directly

Allow specifying AD users and groups from trusted Active Directory
forests in `ipa sudorule-add/remove-runasuser/runasgroup` family of
commands.

IPA provides 'ipasudorunasextuser' and 'ipasudorunasextusergroup' LDAP
attributes to record 'external' objects referenced in SUDO rules for
specifying the target user and group to run the commands allowed in the
SUDO rule.

Use member type validators in the 'ipa sudorule-add/remove-runasuser/runasgroup'
family of commands and rely on member type validators from the 'idviews'
plugin to resolve trusted objects.

Referencing fully qualified names for users and groups from trusted
Active Directory domains in IPA SUDOERs schema attributes is supported
in SSSD 2.4 or later.

RN: IPA now supports users and groups from trusted Active Directory
RN: domains in SUDO rules to specify runAsUser/runAsGroup properties
RN: without an intermediate non-POSIX group membership

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
f4d3c91e by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
ipatests: fix test_sudorule_plugin's wrong argument use

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
a7c56fde by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
test_trust: add tests for using AD users and groups in SUDO rules

Tests test_integration/test_trust.py::TestTrust::test_sudorules_ad_*
check that a user from a trusted AD domain can perform SUDO
authentication without a password for any command based on a direct user
reference or on indirect AD group reference. The test suite also ensures
an AD user and group can be used for runAsUser/runAsGroup settings.

Due to https://github.com/SSSD/sssd/issues/5475 anything added to
'ipaSudoRunAsExtUserGroup' attribute will be prefixed with '%' and thus
anything relying on the value of this attribute displayed by the 'sudo -l'
command will fail. The test only validates that a proper group name
appears in the 'sudo' output, so we handle both prefixes in the
corresponding test check. It is not possible to differentiate by the SSSD
version as a fix to the issue is only a patch on top of 2.4.0 in RHEL.

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
64b70be6 by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
ipatests: when talking to AD DCs, use FQDN credentials

Samba 4.13+ in Fedora 33+ and RHEL 8.4+ defaults to Kerberos
authentication. This means the user name used for authentication must be
mapped to a target realm.

We have to remove trust on AD side first before removing it locally or
otherwise MIT Kerberos might not be able to locate DCs from AD as
removal of the trust information would cause SSSD to clear the details
for a KDC locator plugin as well.

For the test that modifies AD DNS zone on IPA side to inject unreachable
DC addresses, the configuration has to be reverted first, to allow
plain 'kinit' during removal of trust to reach AD DCs directly.

Fixes: https://pagure.io/freeipa/issue/8678
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
51ca3877 by Alexander Bokovoy at 2021-01-26T16:31:25-05:00
baseldap: allow rejecting unknown objects instead of adding to an external attr

IPA traditionally allowed adding names not found in IPA LDAP to external
attributes. This is used to allow, for example, a local system user or
group to be present in a SUDO rule.

With membership validator, we can actually check validity of the names
against both IPA users/groups and users/groups from trusted domains.
If in future we decide to reject a local system's objects, then all it
would take is to switch reject_failures to True.

Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
bb786934 by Florence Blanc-Renaud at 2021-01-27T09:44:17+02:00
ipatests: fix discrepancies in nightly defs

- Build is using a prio of 100 while tests use 50, use consistent
values

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
cbe7d225 by Stanislav Levin at 2021-01-27T09:46:06+02:00
ipatests: Don't assume sshd flushes its logs immediately

sshd logs are not displayed immediately in journalctl; this results
in the tests checking the corresponding system logs being racy. I can't
find a way to flush them. So, the best is the periodical reading of
the system log.

Related: https://pagure.io/freeipa/issue/8682
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
2ac8028e by Alexander Bokovoy at 2021-01-27T10:38:44+02:00
Update contributors list

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6f6dd624 by Alexander Bokovoy at 2021-01-27T10:38:44+02:00
Force-update translation po/de.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a1c43ac3 by Alexander Bokovoy at 2021-01-27T10:38:44+02:00
Force-update translation po/hu.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
cb583ac1 by Alexander Bokovoy at 2021-01-27T10:38:50+02:00
Force-update translation po/ipa.pot

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a97967ff by Alexander Bokovoy at 2021-01-27T10:38:50+02:00
Force-update translation po/uk.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
aa58fad8 by Alexander Bokovoy at 2021-01-27T10:53:40+02:00
Become FreeIPA 4.9.1

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9690659d by Alexander Bokovoy at 2021-01-27T10:55:04+02:00
Back to git commits

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5517aa69 by Sergey Orlov at 2021-01-27T16:26:47-05:00
fix collecting log files which are symlinks

One of the files that are collected after each test is /etc/resolv.conf.
In Fedora 33 this file is actually a symlink. `tar` does not follow
symlinks by default which results in either a broken link in test
artifacts or a symlink pointing to a local file on the tests controller
machine.
Fixed by instructing `tar` to resolve the symlinks, so that the actual file
pointed to by the symlink is stored in test artifacts.

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0d9f988f by Sergey Orlov at 2021-01-29T22:32:46+01:00
ipatests: rewrite test for requests routing to subordinate suffixes

The original test had some issues:
* it was doing many actions not related to the tested issue which obscured
  actual test scenario
* subordinate suffix was hard coded in the test which prevented the test
  from checking original issue in case AD domain name did not match this
  hard coded value
* Invocation of commands on AD controller was failing in some environments

Other improvements:
* added docstring with test details
* added guard assertions for test preliminary conditions

Related to https://pagure.io/freeipa/issue/8554

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2c48897e by Christian Heimes at 2021-01-31T14:57:59+01:00
Fix cert_request for KDC cert

ca_kdc_check() expects an API object, not an LDAP connection. Issue was
introduced in commit 8f4abf7bc1607fc44f528b8a443b69cb82269e69.

See: https://pagure.io/freeipa/issue/6739
Fixes: https://pagure.io/freeipa/issue/8686
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5ab290a0 by Christian Heimes at 2021-01-31T15:02:48+01:00
Ensure that KDC cert has SAN DNS entry

The dns parameter of request_and_wait_for_cert() must be a string of
hostnames.

* Enforce list/tuple type so that API misuse no longer passes silently.
* Add commonNameToSANDefaultImpl to KDCs_PKINIT_Certs profile
* Explicitly pass hostname for service certs

Fixes: https://pagure.io/freeipa/issue/8685
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b71c0c67 by Rob Crittenden at 2021-01-31T15:07:57+01:00
Report the NSS database directory if it cannot be opened

If the system lacks DBM support and an older database is
opened then an exception is raised. Include the directory in
the exception so it is clearer which database cannot be opened.

https://pagure.io/freeipa/issue/8675

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
348d4eef by Rob Crittenden at 2021-01-31T15:07:57+01:00
Ignore database errors when trying to extract ipaCert on upgrade

If NSSDatabase() throws a ValueError it means we can't open it
to look for an existing ipaCert to migrate. Chances are there is
no certificate to migrate at this point in Fedora so don't let
it blow up the entire installation/upgrade. Warn the user and let
them figure it out.

We have no real path forward on this and by proceeding it could
lead to more errors (like no RA) but it is extremely unlikely and
would require a user to upgrade from very old Fedora to very
new Fedora in one step.

https://pagure.io/freeipa/issue/8675

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
7f1849e7 by Rob Crittenden at 2021-01-31T15:07:57+01:00
ipatests: Update NSSDatabase DBM test on non-DBM-capable installs

The string was updated to include the directory for the database
but this was not reflected in the test and not picked up because
the tests were executed on Fedora 32 which supports dbm so the
test wasn't executed.

https://pagure.io/freeipa/issue/8675

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
6eff5b95 by Rob Crittenden at 2021-02-01T14:33:05-05:00
Provide more detailed logging around memory detection

This should make it easier to troubleshoot low memory installation
failures from the logs.

https://pagure.io/freeipa/issue/8404

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
5fb0cc43 by Rob Crittenden at 2021-02-01T14:33:45-05:00
Only build the UI with uglifyjs on RHEL 8

The previous expression tested for RHEL or RHEL-like
systems to use uglifyjs. Tighten that up to only RHEL 8
so future RHEL can use rjsmin.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
8a4cf218 by Alexander Bokovoy at 2021-02-03T08:58:11+02:00
ipa-sam: return NetBIOS domain name instead of DNS one

[MS-NRPC] section 2.2.1.4.11 requires that the structure
NETLOGON_VALIDATION_SAM_INFO has the same values as defined in the
KERB_VALIDATION_INFO structure from [MS-PAC] section 2.5.

Samba's netr_SamBaseInfo.domain_name corresponds to
KERB_VALIDATION_INFO.LogonDomainName and must be a NetBIOS name of the
domain, not a DNS one.

Failure to provide a NetBIOS name here actually breaks the
netr_LogonSamLogonEx call issued by an IPA-enrolled Samba domain member
which is confused by the returned value:

[2021/01/30 16:36:36.636010,  0, pid=1633, effective(0, 0), real(0, 0), class=winbind]
  ../../source3/winbindd/winbindd_util.c: 175(add_trusted_domain)
  add_trusted_domain: SID [S-1-5-21-3342930694-1632731913-1318603033]
  already used by domain [INTERNAL], expected [internal.example.test]
[2021/01/30 16:36:36.636050, 10, pid=1633, effective(0, 0), real(0, 0), class=winbind]
  ../../source3/winbindd/winbindd_util.c:362(add_trusted_domain_from_auth)
  add_trusted_domain_from_auth: Adding domain [internal.example.test]
  with sid [S-1-5-21-3342930694-1632731913-1318603033] failed
[2021/01/30 16:36:36.636060,  0, pid=1633, effective(0, 0), real(0, 0), class=winbind]
  ../../source3/winbindd/winbindd_pam_auth_crap.c:169(winbindd_pam_auth_crap_done)
  winbindd_pam_auth_crap_done: add_trusted_domain_from_auth failed
[2021/01/30 16:36:36.636079, 10, pid=1633, effective(0, 0), real(0, 0), class=winbind]
  ../../source3/winbindd/winbindd.c:814(process_request_done)
  process_request_done: [smbd(1650):PAM_AUTH_CRAP]: NT_STATUS_LOGON_FAILURE

Fixes: https://pagure.io/freeipa/issue/8636
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>

- - - - -
85674f16 by Mohammad Rizwan at 2021-02-03T09:02:39+02:00
ipatests: Test if server setup without dns uninstalls properly

IPA server uninstall was failing if dns was not setup.
This test checks if it uninstalls properly.

related: https://pagure.io/freeipa/issue/8630

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
29377901 by Sergey Orlov at 2021-02-03T17:41:31+01:00
ipatests: add a tests-oriented wrapper for pexpect module

The pexpect module can be used for controlling and testing interactive
command-line programs. The wrapper adds testing-oriented features like
logging and automatic process termination and default check for process
exit status.

Related to: https://pagure.io/freeipa/issue/8690

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1c15447e by Sergey Orlov at 2021-02-03T17:41:31+01:00
ipatests: use pexpect to invoke ktutil

`ktutil` is a REPL-style utility that can be controlled only interactively.
The common approach of sending commands to stdin does not work with it on
systems where the `readline` library has a version less than 8.0 due to a bug
in that version.
With `pexpect` we avoid this bug because it emulates the terminal
when interacting with the spawned process instead of simply sending all input
to stdin.

Related to: https://pagure.io/freeipa/issue/8690

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
34d72d16 by Sergey Orlov at 2021-02-03T17:41:31+01:00
ipatests: use pexpect to control interactive session of ipa-adtrust-install

During an interactive session of `ipa-adtrust-install` the user needs to
answer several questions. This was done by sending all answers to
the process's stdin without analyzing the questions.

If the installation scenario changes at some point we can get one of the
following results:
* the test fails in the end and the root cause is not obvious
* if a new question was added
* test does not fail but answers are provided for wrong questions -
  in this case scope of test case changes without being noticed

If we use `pexpect` for controlling the session, the test will fail
immediately when it encounters unexpected question.

Related to: https://pagure.io/freeipa/issue/8690

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5a1ad476 by Alexander Bokovoy at 2021-02-04T01:22:30+01:00
client: synchronize ignored return codes with ipa-rmkeytab

Refactoring ipa-rmkeytab with commit
f3f9672d527008dc741ac90aa465bac842eea08d led to a new error code 7 when
MIT Kerberos fails to iterate through the keys. It appears now in places
where in the past error code 3 was returned.

Related: https://pagure.io/freeipa/issue/8658
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b99bc2d8 by Rob Crittenden at 2021-02-04T14:14:51+01:00
Change CA profile migration message from info to debug

This is an informational message and clutters the installation
screen with no end-user benefit. Logging it as debug is
sufficient to know what is going on.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
4d26ce50 by Rob Crittenden at 2021-02-04T14:14:51+01:00
Use the new API introduced in PKI 10.8

https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
ddb5414d by Rob Crittenden at 2021-02-04T14:14:51+01:00
ipactl: support script status 3, program is not running

Return status 3 if ipactl status can't start 389-ds or if
any of the expected services is not running.

https://pagure.io/freeipa/issue/8588

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
87ede26c by Rob Crittenden at 2021-02-04T14:14:51+01:00
Ensure IPA is running (ideally) before uninstalling the KRA

The KRA attempts to unregister itself from the security domain
which requires that IPA be running for this to succeed.

1. Move the KRA uninstall call prior to stopping all IPA
   services
2. Try to start IPA if it isn't running and a KRA is configured

It isn't mandatory that IPA be running for the KRA uninstall to
succeed but it will suppress a pretty scary backtrace and error
message.

https://pagure.io/freeipa/issue/8550

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
302f9377 by Rob Crittenden at 2021-02-04T14:14:51+01:00
Add exit status to the ipactl man page

The existing return codes were undocumented but basically
followed the LSB. Document those along with the new
options for status.

https://pagure.io/freeipa/issue/8550

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
00226ada by Rob Crittenden at 2021-02-04T14:14:51+01:00
ipatests: Handle non-zero return code in test_ipactl_scenario_check

https://pagure.io/freeipa/issue/8550

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
2b64a4e8 by Antonio Torres at 2021-02-04T14:29:32-05:00
Update samba configuration on IPA master to explicitly use 'server role' setting

The default for this setting is 'auto', which may affect
IPA Samba configuration on future Samba versions. By explicitly
setting this parameter in the template, future manual
intervention is prevented.

Fixes: https://pagure.io/freeipa/issue/8452
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
44762369 by Florence Blanc-Renaud at 2021-02-05T09:05:19+01:00
dnssec: fix the key type with OpenDNSSEC 2.1

The database storing the keys with OpenDNSSEC 2.1 has a
different schema from OpenDNSSEC 1.4, and the keytype
(ZSK, KSK) is stored in a different table column: "role"
instead of "keytype".

With OpenDNSSEC 1.4, keytype can be 256 (ZSK) or 257 (KSK), while
with OpenDNSSEC 2.1, role can be 1 (KSK) or 2 (ZSK).
The schema migration can be seen in opendnssec source code:
enforcer/utils/1.4-2.0_db_convert/sqlite_convert.sql

INSERT INTO hsmKey
SELECT DISTINCT REMOTE.keypairs.id, 1, REMOTE.keypairs.policy_id,
REMOTE.keypairs.HSMkey_id, 2, REMOTE.keypairs.size,
REMOTE.keypairs.algorithm,  (~(REMOTE.dnsseckeys.keytype)&1)+1,
CASE WHEN REMOTE.keypairs.generate IS NOT NULL THEN
	strftime('%s', REMOTE.keypairs.generate)
	ELSE strftime("%s", "now") END,
0,
1, --only RSA supported
 REMOTE.securitymodules.name,
0 --assume no backup
FROM REMOTE.keypairs
JOIN REMOTE.dnsseckeys
	ON REMOTE.keypairs.id = REMOTE.dnsseckeys.keypair_id
JOIN REMOTE.securitymodules
	ON REMOTE.securitymodules.id = REMOTE.keypairs.securitymodule_id;

and the schema for the table is defined in enforcer/src/db/kasp.sqlite:
CREATE TABLE HsmKey (
    locator VARCHAR(255) NOT NULL,
    candidate_for_sharing TINYINT UNSIGNED DEFAULT 0,
    bits INT UNSIGNED DEFAULT 2048,
    policy VARCHAR(255) DEFAULT 'default',
    algorithm INT UNSIGNED DEFAULT 1,
    role VARCHAR(3) DEFAULT 'ZSK',
    inception INT UNSIGNED,
    isrevoked TINYINT UNSIGNED DEFAULT 0,
    key_type VARCHAR(255),
    repository VARCHAR(255),
    backmeup TINYINT UNSIGNED DEFAULT 0,
    backedup TINYINT UNSIGNED DEFAULT 0,
    requirebackup TINYINT UNSIGNED DEFAULT 0,
    id INTEGER PRIMARY KEY AUTOINCREMENT
);

Fixes: https://pagure.io/freeipa/issue/8647
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
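An added worked example, not code from FreeIPA or OpenDNSSEC, that mirrors the role conversion from the migration quoted in the commit above in Python and runs the same SQL expression against a constructed, minimal 1.4-style SQLite database; the `keypairs`/`dnsseckeys` table names follow the commit message, with columns reduced to the ones the expression needs.

```python
"""How the KSK/ZSK flag is encoded in OpenDNSSEC 1.4 versus 2.1, and how
the 1.4 -> 2.x migration derives one from the other (added example)."""
import sqlite3

# OpenDNSSEC 1.4 stores the DNSKEY flags field in dnsseckeys.keytype:
# bit 0 is the SEP flag, so 257 marks a KSK and 256 a ZSK.
KEYTYPE_14 = {256: "ZSK", 257: "KSK"}
# OpenDNSSEC 2.1 stores a small role integer, as written by the migration.
ROLE_21 = {1: "KSK", 2: "ZSK"}


def role_from_keytype(keytype: int) -> int:
    """Python mirror of the SQL expression (~(keytype)&1)+1 from
    sqlite_convert.sql: inverting the SEP bit turns 257 into 1 (KSK)
    and 256 into 2 (ZSK)."""
    return ((~keytype) & 1) + 1


def key_role(value: int, schema: str) -> str:
    """Return 'KSK' or 'ZSK' for a raw column value, given which schema
    it was read from: '1.4' (keytype column) or '2.1' (role column)."""
    if schema == "1.4":
        return KEYTYPE_14[value]
    if schema == "2.1":
        return ROLE_21[value]
    raise ValueError(f"unknown OpenDNSSEC schema {schema!r}")


def migrate_roles(conn: sqlite3.Connection) -> dict:
    """Run the role part of the migration SELECT against a 1.4-style
    database and return {keypair_id: role_name} as a 2.1 reader sees it."""
    rows = conn.execute(
        "SELECT keypairs.id, (~(dnsseckeys.keytype)&1)+1 "
        "FROM keypairs JOIN dnsseckeys "
        "ON keypairs.id = dnsseckeys.keypair_id"
    ).fetchall()
    return {kid: key_role(role, "2.1") for kid, role in rows}


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory subset of the 1.4 schema: one KSK, one ZSK."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE keypairs (id INTEGER PRIMARY KEY);
        CREATE TABLE dnsseckeys (keypair_id INTEGER, keytype INTEGER);
        INSERT INTO keypairs VALUES (1), (2);
        INSERT INTO dnsseckeys VALUES (1, 257), (2, 256);
        """
    )
    return conn


if __name__ == "__main__":
    for kid, role in migrate_roles(build_sample_db()).items():
        print(f"key {kid}: {role}")
```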
dd21d068 by Florence Blanc-Renaud at 2021-02-05T09:05:19+01:00
ipatests: add a test for ZSK/KSK keytype in DNSKEY record

When DNS is enabled for a zone, 2 DNSKEYs should be created:
one KSK and one ZSK.
Add a test ensuring that they can be queried on the master and
the replica.

Related: https://pagure.io/freeipa/issue/8647
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2a51892a by Florence Blanc-Renaud at 2021-02-05T09:05:19+01:00
OpenDNSSEC: fix timezone in key creation date

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b784e1f8 by Florence Blanc-Renaud at 2021-02-08T09:53:21+01:00
ipatests: fix ipahealthcheck fixture _modify_permission

The test is storing the initial file permissions obtained with 'stat',
then modifies them, calls ipa-healthcheck and reverts the permissions
to the original value.

When the file is a symlink, stat returns the permissions of the link,
not of the pointed-to file. But chmod modifies the permissions of the
pointed-to file, not of the link.
As a consequence, the fixture does not properly restore the original
file permissions.

The fix consists in calling 'stat -L' because the command follows
links.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
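To see the failure mode the fixture fix above addresses, here is an added example (not the fixture itself) reproducing in Python what a plain `stat` versus `stat -L` records for a symlink and what the later `chmod` then "restores"; the file names are constructed.

```python
"""Why recording permissions of a symlink without following it breaks
the restore step of a modify/check/restore fixture (added example)."""
import os
import stat
import tempfile


def record_mode(path: str, follow_links: bool) -> int:
    """Permission bits as plain 'stat' (follow_links=False, reports the
    link itself) or 'stat -L' (follow_links=True, reports the target)."""
    st = os.stat(path) if follow_links else os.lstat(path)
    return stat.S_IMODE(st.st_mode)


def modify_then_restore(path: str, temp_mode: int, follow_links: bool):
    """Mimic the fixture: remember the mode, chmod to temp_mode for the
    duration of a check, then chmod back to the remembered value.
    Returns (target mode before, target mode after the restore)."""
    before = stat.S_IMODE(os.stat(path).st_mode)   # the real file's mode
    remembered = record_mode(path, follow_links)
    os.chmod(path, temp_mode)    # os.chmod follows symlinks: edits target
    os.chmod(path, remembered)   # "restore" with whatever was recorded
    after = stat.S_IMODE(os.stat(path).st_mode)
    return before, after


def demo(follow_links: bool):
    """Constructed scenario: a 0o640 regular file reached via a symlink.
    Without following links the recorded value is the symlink's own
    mode, so the target is not restored to 0o640."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "config.txt")
        link = os.path.join(d, "config-link.txt")
        with open(target, "w") as f:
            f.write("# constructed sample file\n")
        os.chmod(target, 0o640)
        os.symlink(target, link)
        return modify_then_restore(link, 0o600, follow_links)


if __name__ == "__main__":
    print("plain stat:", [oct(m) for m in demo(False)])
    print("stat -L:   ", [oct(m) for m in demo(True)])
```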
8d306298 by Florence Blanc-Renaud at 2021-02-09T09:40:25+01:00
ipatests: ipactl status now exits with 3 when a service is stopped

Some tests individually stop a service and call
ipactl status to ensure it is stopped. They need to use
run_command with raiseonerr=False as ipactl status now
exits with 3 when one of the IPA services is down
(since commit 928ab51).

Related: https://pagure.io/freeipa/issue/8588
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
f05ee29d by Rob Crittenden at 2021-02-09T09:48:23-05:00
Change FreeIPA references to IPA and Identity Management

In order to simplify the build process between upstream FreeIPA
and downstream builds (such as CentOS Stream) we are changing
some file references from FreeIPA to IPA (and Identity Management).

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e35bec9a by Rob Crittenden at 2021-02-09T09:48:23-05:00
Remove support for csrgen

This was never feature complete and currently has issues and
we lack the resources to maintain it.

Drop it for now. It can be revived from git history in the
future if we see the need.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1478db89 by Rob Crittenden at 2021-02-09T09:48:23-05:00
Remove references to rjsmin in UI compile.sh

It specifically referenced using Python rjsmin while the
actual script would pick the minimizer based on the underlying
distribution.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
de351021 by Christian Heimes at 2021-02-09T09:48:23-05:00
Don't install csrgen extra dependencies

See: https://pagure.io/freeipa/issue/8669
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7d00ad4b by Alexander Bokovoy at 2021-02-09T09:48:23-05:00
Force-update translation po/de.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d8398815 by Alexander Bokovoy at 2021-02-09T09:48:23-05:00
Force-update translation po/es.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
cf054fc1 by Alexander Bokovoy at 2021-02-09T09:48:23-05:00
Force-update translation po/fr.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e77d6890 by Alexander Bokovoy at 2021-02-09T09:48:23-05:00
Force-update translation po/id.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
12d92fe5 by Alexander Bokovoy at 2021-02-09T09:48:23-05:00
Force-update translation after FreeIPA to IPA change: po/es.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fc965210 by Alexander Bokovoy at 2021-02-09T09:48:23-05:00
Force-update translation after FreeIPA to IPA change: po/fr.po

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
936f98e9 by Rob Crittenden at 2021-02-09T09:48:23-05:00
Force-update translation after FreeIPA to IPA change: po/ipa.pot

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
dffe6957 by Rob Crittenden at 2021-02-10T08:21:15+01:00
Add RHEL 9 UI branding patch reference

The UI in RHEL has a different set of logos and different
background colors. Some direct adjustments were made that
are not buildable so apply them as a patch.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
55180f6e by Christian Heimes at 2021-02-10T08:23:16+01:00
configure: ipaplatform falls back to ID_LIKE

The auto-detection code for IPAPLATFORM now falls back to ID_LIKE.

CentOS platform will now be treated as rhel-like, Ubuntu platforms as
debian-like automatically.

Fixes: https://pagure.io/freeipa/issue/8689
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7ca2797e by Alexander Bokovoy at 2021-02-11T12:45:33+01:00
test_installutils: run gpg-agent under a specific SELinux context

system_u:system_r:init_t:s0 cannot execute gpg-agent when SELinux is in
enforcing mode. Use an SELinux context that allows this execution:
system_u:system_r:initrc_t:s0 and wrap the whole execution into a bash
run to make sure the init_t -> initrc_t transition happens.

Fixes: https://pagure.io/freeipa/issue/8699
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
45d7d15c by Florence Blanc-Renaud at 2021-02-15T10:01:10+02:00
cert plugin: propagate the error for non-existent cert

ipa cert-show, ipa cert-revoke and ipa cert-remove-hold do not
print meaningful info when called on a non-existent cert id:
Certificate operation cannot be completed: Unable to communicate
with CMS

Propagate the reason from the HTTP message in order to print
'Certificate ID 0x.. not found'

Fixes: https://pagure.io/freeipa/issue/8704
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
55c7e212 by Florence Blanc-Renaud at 2021-02-15T10:01:10+02:00
xmlrpc tests: add a test for cert-remove-hold

Add tests for the ipa cert-remove-hold command.
Scenario 1:
add host entry, request cert, revoke cert with "hold" reason, remove hold

Scenario 2:
call ipa cert-remove-hold with a non-existent cert ID and ensure that
the exception mentions 'Certificate ID .. not found'

Related: https://pagure.io/freeipa/issue/8704
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4f63dc99 by Antonio Torres at 2021-02-15T10:02:58+02:00
WebUI: change FreeIPA naming to IPA in About dialog

As part of the effort for reducing differences between
upstream and downstream releases, product naming in WebUI
About dialog is changed from FreeIPA to IPA.

Related: https://pagure.io/freeipa/issue/8669
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a16dc594 by Rob Crittenden at 2021-02-15T13:11:56+02:00
Set the ACME baseURL in order to pin a client to a single IPA server

ACME uses nonce values to prevent replay attacks. Since the
ipa-ca name can go to any of the IPA servers, in order to verify the
nonce the servers need to know the value that was set, which
relies on replication. Sometimes the client is faster than
replication so a request can fail.

This change returns the baseURL to the client as the name of the
ACME server during discovery which should pin all requests to this
one IPA server and alleviate the replication issue.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

https://pagure.io/freeipa/issue/8712

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
31061c60 by Rob Crittenden at 2021-02-15T13:11:56+02:00
Add versions to the ACME config templates and update on upgrade

Put the ACME config files under normal IPA versioning so we
can more seamlessly do updates to them.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

https://pagure.io/freeipa/issue/8712

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
6526ab48 by Rob Crittenden at 2021-02-15T13:11:56+02:00
Add some logging around initial ACME deployment

From the upgrade log it was not possible to see the current
state of ACME which makes troubleshooting difficult.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

Related: https://pagure.io/freeipa/issue/8712
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
63b14839 by Stanislav Levin at 2021-02-15T13:47:45+02:00
Azure: Populate containers with self-AAAA records

IPA server's AAAA records in embedded DNS mode depend on the result of
the `get_server_ip_address` function (`ipaserver.install.installutils`),
which in turn relies on NSS.

In the case of Azure Pipelines, there are neither IPv6 records in
'/etc/hosts' nor an external DNS which may provide them. This leads to
missing AAAA records for master and missing AAAA records for `ipa-ca`
pointing to master in embedded DNS.

In particular, tests `test_ipa_healthcheck_no_errors`,
`test_ipa_dns_systemrecords_check` fail with:
```
[
  {
    "source": "ipahealthcheck.ipa.idns",
    "check": "IPADNSSystemRecordsCheck",
    "result": "WARNING",
    "uuid": "b979a88a-6373-4990-bc83-ce724e9730b4",
    "when": "20210120055054Z",
    "duration": "0.032740",
    "kw": {
      "msg": "Got {count} ipa-ca AAAA records, expected {expected}",
      "count": 1,
      "expected": 2
    }
  }
]
```
where `ipa-ca` record exists only for replica.

Note: since most of the code in setup_containers was touched it has
been reformatted.

Fixes: https://pagure.io/freeipa/issue/8683
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
151fa504 by Stanislav Levin at 2021-02-15T13:47:45+02:00
ipatests: Handle AAAA records in test_ipa_dns_systemrecords_check

This test assumes that the current environment has only IPv4, but
for example, Azure Pipelines provides both IPv4 and IPv6.

Fixes: https://pagure.io/freeipa/issue/8683
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0b11a7ce by Stanislav Levin at 2021-02-15T13:47:45+02:00
rpm-spec: Require crypto-policies-scripts

The `update-crypto-policies` tool from the RPM package `crypto-policies-scripts`
is required for tests.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
602a4fa3 by Antonio Torres at 2021-02-15T13:52:54+02:00
sudocmd: ensure command doesn't contain trailing dot before adding it

Trailing dots aren't permitted in sudo commands, as
enforced explicitly in `get_dn`. Performing this check
before adding the command prevents the user from
entering invalid commands, which would otherwise trigger
errors when accessing them afterwards.

RN: ipa sudocmd-* commands now validate SUDO command name to not end with a dot.
RN: Previously a trailing dot was stripped away when addressing a SUDO command's LDAP object.
RN: As a result, a SUDO command was created but it was not possible to refer to it in other IPA commands.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1925410
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
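
The failure mode the release notes describe (an entry that can be created but never addressed again, because the DN used on add and the DN used on lookup disagree) and the validation that prevents it, as an added Python illustration. This is not FreeIPA's plugin code: `sudocmd_dn`, the two store classes and the DN suffix are constructed stand-ins that only mimic the dot-stripping behaviour the commit message attributes to `get_dn`.

```python
"""Illustration of why a trailing dot in a sudo command name breaks later
lookups, and of validating the name before the entry is created.
Constructed example; not FreeIPA's sudocmd plugin."""


class ValidationError(ValueError):
    """Stand-in for the error the API returns for an invalid parameter."""


class NotFound(KeyError):
    """Stand-in for the 'entry not found' error of show/mod/del commands."""


# Constructed base DN, not a real deployment value.
_BASE = "cn=sudocmds,cn=sudo,dc=example,dc=test"


def sudocmd_dn(name: str) -> str:
    """Mimics the dot-stripping get_dn() described in the commit: the
    trailing dot is removed before the DN is built, so 'less.' and
    'less' address the same LDAP object."""
    return "ipasudocmd=%s,%s" % (name.rstrip("."), _BASE)


class BuggySudoCmdStore:
    """Before the fix: add() keys the entry by the raw name, every other
    command addresses it via sudocmd_dn(), and the two never meet."""

    def __init__(self):
        self.entries = {}

    def add(self, name: str) -> str:
        dn = "ipasudocmd=%s,%s" % (name, _BASE)
        self.entries[dn] = {"sudocmd": name}
        return dn

    def show(self, name: str) -> dict:
        dn = sudocmd_dn(name)
        if dn not in self.entries:
            raise NotFound(name)
        return self.entries[dn]


def validate_sudocmd(name: str) -> str:
    """The check the fix adds: reject the name before anything is written."""
    if name.endswith("."):
        raise ValidationError(
            "invalid 'sudocmd': sudo command must not end with a dot")
    return name


class FixedSudoCmdStore(BuggySudoCmdStore):
    """After the fix: the invalid name never reaches the directory."""

    def add(self, name: str) -> str:
        return super().add(validate_sudocmd(name))


def demo_buggy() -> str:
    """Entry is created, but the same name cannot address it afterwards."""
    store = BuggySudoCmdStore()
    store.add("/usr/bin/less.")
    try:
        store.show("/usr/bin/less.")
    except NotFound:
        return "created but not referenceable"
    return "referenceable"


def demo_fixed() -> str:
    """With validation, the add itself fails with a clear message."""
    store = FixedSudoCmdStore()
    try:
        store.add("/usr/bin/less.")
    except ValidationError as exc:
        return str(exc)
    return "added"


if __name__ == "__main__":
    print("before fix:", demo_buggy())
    print("after fix: ", demo_fixed())
```

The general lesson is the one the commit applies: whenever a lookup path normalizes an identifier, the creation path must reject (or normalize identically) anything the normalization would change, otherwise the store accumulates objects that no later command can reach.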

- - - - -
029daa5f by Antonio Torres at 2021-02-15T13:52:54+02:00
ipatests: test addition of invalid sudo command

Check that sudocmd-add fails when trying to add
a command containing a trailing dot.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b290bc12 by Thorsten Scherf at 2021-02-15T14:24:42+02:00
man: fix ipa-client-samba.1 typos

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9872610f by Rob Crittenden at 2021-02-15T19:06:21+02:00
Remove the option stop_certmonger from stop_tracking_*

This option was inconsistent between invocations and there is
no need to stop certmonger after stopping tracking. It was also
apparently causing dbus timeout errors, probably due to the amount
of work that certmonger does at startup.

https://pagure.io/freeipa/issue/8506
https://pagure.io/freeipa/issue/8533

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9854c399 by Florence Blanc-Renaud at 2021-02-15T20:29:42+02:00
ipatests: update expected error message

With commit ec6698f, the error message has changed from
  Unable to communicate with CMS (503)
to
  Request failed with status 503: Non-2xx response from CA REST API: 503.  (503)

Related: https://pagure.io/freeipa/issue/8704
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d1313a59 by Alexander Bokovoy at 2021-02-15T20:35:53+02:00
po: update translations template

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
66ffc9a6 by Alexander Bokovoy at 2021-02-15T20:36:53+02:00
po: refresh translations to remove outdated strings

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
34600a0e by Alexander Bokovoy at 2021-02-15T20:38:54+02:00
Become IPA 4.9.2

- - - - -
811d130c by Alexander Bokovoy at 2021-02-15T20:40:10+02:00
Back to git commits

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b590dcef by François Cami at 2021-02-16T12:51:11-05:00
ipatests: add TestInstallWithoutSudo

Test IPA servers and clients behavior when sudo is not installed.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
0c2741af by François Cami at 2021-02-16T12:51:11-05:00
ipatests: tasks: handle uninstalling packages with nodeps

Handle package removal without taking dependencies into account.
E.g. add frontends for rpm -e --nodeps.

Related: ipatests/pytest_ipa/integration/tasks.py
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
fe157ca3 by François Cami at 2021-02-16T12:51:11-05:00
ipa-client-install: output a warning if sudo is not present

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
ee0ba2df by François Cami at 2021-02-16T12:51:11-05:00
freeipa.spec: client: depend on libsss_sudo and sudo

On 10.10+ releases of Dogtag, the PKI installer will not depend
on sudo anymore. This opens the possibility of creating IPA servers
without a properly configured sudo.
In fact, even IPA clients should have sudo and libsss_sudo installed
in most cases, so add a weak dependency on both of them to the client
subpackage.
Also make sure libsss_sudo is installed if sudo is present.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
584151d1 by Rob Crittenden at 2021-02-19T08:39:44+01:00
Suppress error message if the CRL directory doesn't exist

If the CA fails to deploy then the CRL directory will not exist,
but an error will be reported that it has failed to be removed.
There is no need to try to navigate a directory if it doesn't exist.

Related: https://pagure.io/freeipa/issue/8565

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f1e12c75 by Rob Crittenden at 2021-02-19T08:39:44+01:00
Don't double-report any errors from pki-spawn failures

The output from pki-spawn is already displayed to the user
as well as a short traceback, so re-displaying the CalledProcessError
provides no value and only provokes confusion,
particularly because it is condensed and includes embedded
newlines.

Re-raise the exception from None so that the traceback is
removed and while there is still an immense traceback from
the admintool class it is significantly shorter than before
and removes:

"During handling of the above exception, another exception occurred"

The handling is in fact expected.

This changes the user-facing installer output from:

  [1/28]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpr5x2l0gm', '--debug'] returned non-zero exit status 1: 'INFO: Connecting to LDAP server at ldap://ipa.example.test:389\nINFO: Connecting to LDAP server at ldap://ipa.example.test:389\nDEBUG: Installing Maven dependencies: False\nERROR: KeyError: \'CA\'\n  File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 575, in main\n    raise KeyError(\'CA\')\n\n')
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

to

  [1/28]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
  /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The output is similarly reduced in the installer log. There is no
reason to acknowledge that a CalledProcessError was raised since
the output is already available and it's just an intermediary.

Hopefully this will encourage users to focus on the logs rather than
the malformed traceback.

https://pagure.io/freeipa/issue/8565

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
6b25cd32 by Kaleemullah Siddiqui at 2021-02-19T08:42:17+01:00
ipatests: error message check in uninstall log for KRA

This test checks that there is no error message in uninstall
log for KRA instance when IPA was installed with KRA.

related: https://pagure.io/freeipa/issue/8550

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fe4b1545 by Rob Crittenden at 2021-02-19T08:44:08+01:00
Remove a remaining file used with csrgen

This file was missed in the first pass to remove support for
csrgen.

This was never feature complete and currently has issues and
we lack the resources to maintain it.

Drop it for now. It can be revived from git history in the
future if we see the need.

https://pagure.io/freeipa/issue/8669

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
6d7b2d7d by Sergey Orlov at 2021-02-19T16:14:11+01:00
ipatests: skip tests for AD trust with shared secret in FIPS mode

Related to https://pagure.io/freeipa/issue/8715

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2fae28f9 by Florence Blanc-Renaud at 2021-02-22T23:55:41+01:00
pylint: fix inconsistent-return-statements

pylint 2.7.0 now emits inconsistent-return-statements if one of the
try/except branches does not return explicitly while the other does.

Fixes: https://pagure.io/freeipa/issue/8720
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1bcacd80 by Florence Blanc-Renaud at 2021-02-23T13:19:18+01:00
ipatests: Update PRCI templates for ipa-4-9

The new templates include updated versions of pki and 389ds.
- pki 10.10.3-3
- 389-ds 1.4.3.18-1 on fc32 and 1.4.4.12-1 on fc33

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
a0626e09 by Rob Crittenden at 2021-02-23T16:05:25+01:00
ipa-cert-fix: Don't hardcode the NSS certificate nickname

The nickname of the 389-ds certificate was hardcoded as
Server-Cert which failed if the user had installed a
third-party certificate using ipa-server-certinstall.

Instead pull the nickname from the DS configuration and
retrieve it based on that.

https://pagure.io/freeipa/issue/8600

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
660507fd by Rob Crittenden at 2021-02-23T16:05:25+01:00
ipatests: test third-party 389-ds cert with ipa-cert-fix

ipa-cert-fix was hardcoded to use Server-Cert as the nickname
so would fail if a third-party certificate was installed for DS.

https://pagure.io/freeipa/issue/8600

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
4cb6f0ba by Rob Crittenden at 2021-02-23T16:05:25+01:00
Set pki-core dependency to 10.3.3 for pki-server cert-fix bug

Related: https://github.com/dogtagpki/pki/issues/3387
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f3463728 by Rob Crittenden at 2021-02-23T16:05:25+01:00
Don't renew non-IPA issued certs in ipa-cert-fix

If the Apache, 389-ds or KDC certificate was issued by
a third party there is nothing we can do, regardless of
whether it is expired or not.

Report which certificates will not be renewed so the
admin can manually do so (likely in the event of a
third-party certificate).

https://pagure.io/freeipa/issue/8600

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
026e0ca8 by Troy Dawson at 2021-02-23T13:18:36-05:00
platform-python only on RHEL8

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1c1c469f by Florence Blanc-Renaud at 2021-02-25T18:41:16+01:00
freeipa.spec: bump the required version of 389ds

In order to get the fix for sync_repl, the following versions
are required:
on fedora32: 1.4.3.19-1
on fedora33 and above: 1.4.4.12-1
on rhel 8.4: 1.4.3.16-11

Note: the fix is not available yet on fedora32 as the build has
been marked as obsolete due to a pkispawn regression
(https://github.com/dogtagpki/pki/issues/3458).
The version will need to be updated in a later commit.

Fixes: https://pagure.io/freeipa/issue/8496
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
f2b1b5b0 by Fraser Tweedale at 2021-03-01T15:06:31+11:00
ipa-cert-fix: improve handling of 'pki-server cert-fix' failure

'pki-server cert-fix' has a known and expected failure when the DS
certificate is expired.  'ipa-cert-fix' handles this by
optimistically ignoring the CalledProcessError and continuing when
the DS certificate was up for renewal.

This heuristic is a bit too optimistic.  If 'pki-server cert-fix'
fails and returns nonzero due to some other, more serious error
(as has been seen in the wild [1]), 'ipa-cert-fix' continues, then
fails later with a more confusing error, for example:

    [Errno 2] No such file or directory:
      '/etc/pki/pki-tomcat/certs/27-renewed.crt'

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1930586

Improve the heuristic by also checking whether output files
corresponding to all of the "extra" certificates that we asked
'ipa-cert-fix' to renew do indeed exist and are X.509 certificates.

Fixes: https://pagure.io/freeipa/issue/8721
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
80ccac79 by Sergey Orlov at 2021-03-01T15:37:10+01:00
ipatests: test Samba mount with NTLM authentication

Related to https://pagure.io/freeipa/issue/8636

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
20bb855a by Antonio Torres at 2021-03-02T11:52:03+01:00
ipaserver: don't ignore zonemgr option on install

Fix zonemgr option in ipaserver install being
ignored because of an incorrect condition.

Fixes: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
82043e1f by Antonio Torres at 2021-03-02T11:52:03+01:00
ipatests: check that zonemgr is set correctly during server install

Add test to check that zonemgr is correctly
set when installing IPA server.

Related: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
28328108 by Alexander Bokovoy at 2021-03-02T13:44:36+01:00
ipa-kdb: do not use OpenLDAP functions with NULL LDAP context

Calling to ipadb_get_connection() will remove LDAP context if any error
happens. This means upper layers must always verify that LDAP context
exists after such calls.

ipadb_get_user_auth() may re-read global configuration and that may fail
and cause IPA context to have NULL LDAP context.

Fixes: https://pagure.io/freeipa/issue/8681

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0da9de49 by Alexander Bokovoy at 2021-03-02T13:44:36+01:00
ipa-kdb: fix compiler warnings

There are a few fields in KDB structures that have 'conflicting' types but
need to be compared. They come from MIT Kerberos and we have no choice
here.

In the same way, SID structures have their own requirements.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c7ce801b by Alexander Bokovoy at 2021-03-02T13:44:36+01:00
ipa-kdb: add missing prototypes

On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings
about function prototypes missing. If -Werror is specified, this breaks
compilation.

We also default to -Werror=implicit-function-declaration

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f340baa4 by Alexander Bokovoy at 2021-03-02T13:44:36+01:00
ipa-kdb: reformat ipa_kdb_certauth

Add prototype to the exported function

Replace a few tabs with spaces and mark static code as static.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2968609f by Alexander Bokovoy at 2021-03-02T13:44:36+01:00
ipa-kdb: mark test functions as static

No need to define missing prototypes for single-use test functions.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7f30ddb1 by Mohammad Rizwan at 2021-03-02T13:52:42+01:00
ipatests: Test if ipa-cert-fix renews expired certs

The test moves the system date to expire certs, then calls ipa-cert-fix
to renew them. These certs include subsystem, audit-signing,
OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.

related: https://pagure.io/freeipa/issue/7885

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
36a60dbb by Mohammad Rizwan at 2021-03-02T13:52:42+01:00
Move fixture outside the class and add setup_kra capability

Moved the fixture so it can be used across multiple classes. Added the
capability to install the KRA to the fixture.

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
c84e0547 by Mohammad Rizwan at 2021-03-02T13:52:42+01:00
ipatests: Test if ipa-cert-fix renews expired certs with kra installed

This test checks whether ipa-cert-fix renews certs with the KRA
certificate installed.

related: https://pagure.io/freeipa/issue/7885

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
260fbcb0 by Mohammad Rizwan at 2021-03-02T13:52:42+01:00
ipatests: update nightly definition for ipa_cert_fix suite

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
f6204b0d by François Cami at 2021-03-02T18:50:34+01:00
ipa-replica-manage: always display nsds5replicalastinitstatus

If nsds5replicalastinitstatus is none, the status is not displayed.
Always displaying the last init status is more useful to the end-user.

Related: https://pagure.io/freeipa/issue/8605
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
85484d31 by François Cami at 2021-03-02T18:50:34+01:00
ipa-replica-manage: handle missing attributes

If nsds5replicalastupdateend is not yet present,
ipa-replica-manage will backtrace as it tries to retrieve that
attribute unconditionally.
Gracefully handle that situation.

Fixes: https://pagure.io/freeipa/issue/8605
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
5f2f97a6 by François Cami at 2021-03-02T18:50:34+01:00
ipalib/util.py: add print_replication_status

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
25cbae4d by François Cami at 2021-03-02T18:50:34+01:00
ipa-csreplica-manage, ipa-replica-manage: refactor

Related: https://pagure.io/freeipa/issue/8605
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
caf74886 by Florence Blanc-Renaud at 2021-03-02T18:52:27+01:00
ipatests: use whole date when calling journalctl --since

The test test_commands.py::TestIPACommand::test_ssh_key_connection
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.

The fix provides a complete date with year-month-day hours:min:sec.

Fixes: https://pagure.io/freeipa/issue/8728
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
2c5b7064 by Sergey Orlov at 2021-03-04T20:00:50+01:00
ipatests: collect config files for NetworkManager and systemd-resolved

Those config files are valuable for debugging issues related to DNS
resolvers.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
1a394c6a by Sergey Orlov at 2021-03-04T20:00:50+01:00
ipatests: add utility for managing domain name resolvers

Many test scenarios need to configure resolvers on test machines. Most
notable patterns are:

* using IPA master as DNS resolver on clients and replicas
* intentionally breaking name resolution

Currently this is done by directly editing the /etc/resolv.conf file. While
simple, this approach has the following issues:

* NetworkManager restores this file periodically and on specific events
* This is not how users are expected to manage resolvers on modern
  systems with NetworkManager and systemd-resolved.

This patch introduces three classes for the main types of resolver management:
* plain file
* NetworkManager
* systemd-resolved

For each resolver manager the native way of configuring nameservers is
used: direct editing of /etc/resolv.conf or drop-in config files for
NM and resolved.

The type of resolver is automatically detected for each host and an
appropriate instance is added to Host object.

The Resolver class (and its subclasses) provide convenience functions
for changing nameservers and restoring the original config.
During all operations (backup, modify, restore) it checks that the resolver
configuration has not been altered unexpectedly and raises an exception if it
has. This helps to detect unexpected changes in resolvers.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
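
The backup/modify/restore cycle with tamper detection that the commit describes, for the plain-file resolver type, as an added Python example. It is not the ipatests code: the class name `PlainFileResolver`, its method names, the `ResolverTampered` exception and the sample addresses are all constructed here, and the class takes the file path as a parameter so the demo runs offline against a temporary file instead of the real /etc/resolv.conf.

```python
"""Plain-file resolver manager with tamper detection.
Constructed example of the backup / modify / restore-with-verification
pattern; not the ipatests implementation."""
import os
import tempfile


class ResolverTampered(RuntimeError):
    """Raised when the resolver file changed outside of this manager
    (e.g. NetworkManager rewrote it between our modify and restore)."""


class PlainFileResolver:
    def __init__(self, path):
        self.path = path
        self._backup = None    # content saved by backup(), restored later
        self._expected = None  # content we last wrote, for tamper checks

    def _read(self):
        with open(self.path) as f:
            return f.read()

    def _check_unchanged(self):
        """Verify nothing else touched the file since our last write."""
        if self._expected is not None and self._read() != self._expected:
            raise ResolverTampered(
                "%s was modified outside the resolver manager" % self.path)

    def backup(self):
        if self._backup is not None:
            raise RuntimeError("backup already taken")
        self._backup = self._read()
        self._expected = self._backup

    def setup_resolver(self, nameservers):
        """Point the host at the given nameservers, taking a backup first."""
        if self._backup is None:
            self.backup()
        self._check_unchanged()
        content = "".join("nameserver %s\n" % ns for ns in nameservers)
        with open(self.path, "w") as f:
            f.write(content)
        self._expected = content

    def restore_resolv_conf(self):
        """Put the original content back, refusing if the file was tampered."""
        if self._backup is None:
            raise RuntimeError("nothing to restore")
        self._check_unchanged()
        with open(self.path, "w") as f:
            f.write(self._backup)
        self._backup = None
        self._expected = None

    def nameservers(self):
        return [line.split()[1] for line in self._read().splitlines()
                if line.startswith("nameserver ")]


# Constructed sample content; 192.0.2.0/24 is documentation address space.
ORIGINAL = "# constructed sample resolv.conf\nnameserver 192.0.2.53\n"


def _fresh_file(directory):
    path = os.path.join(directory, "resolv.conf")
    with open(path, "w") as f:
        f.write(ORIGINAL)
    return path


def demo_roundtrip():
    """Modify, read back, restore: returns (nameservers during, restored ok)."""
    with tempfile.TemporaryDirectory() as d:
        r = PlainFileResolver(_fresh_file(d))
        r.setup_resolver(["192.0.2.10"])   # constructed 'IPA master' address
        during = r.nameservers()
        r.restore_resolv_conf()
        return during, r._read() == ORIGINAL


def demo_tamper():
    """Simulate NetworkManager rewriting the file behind our back; the
    restore must refuse rather than silently overwrite the foreign change."""
    with tempfile.TemporaryDirectory() as d:
        path = _fresh_file(d)
        r = PlainFileResolver(path)
        r.setup_resolver(["192.0.2.10"])
        with open(path, "w") as f:
            f.write("nameserver 192.0.2.1\n")
        try:
            r.restore_resolv_conf()
        except ResolverTampered:
            return True
        return False


if __name__ == "__main__":
    print("roundtrip:", demo_roundtrip())
    print("tamper detected:", demo_tamper())
```

Raising on a mismatch, instead of restoring anyway, is the point: a silent restore would hide exactly the "NetworkManager restores this file periodically" interference the commit lists, and a test that passed or failed depending on that race would be much harder to diagnose than an immediate `ResolverTampered`.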

- - - - -
64f2a408 by Sergey Orlov at 2021-03-04T20:00:50+01:00
ipatests: setup resolvers during replica and client installations

Set IPA master as nameserver on replica and client machines during default
installation. This will help to avoid manual configuration in test cases
which require members of IPA domain to be resolvable.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f5d7f85b by Sergey Orlov at 2021-03-04T20:00:50+01:00
ipatests: do not manually modify /etc/resolv.conf in tests

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
28af4542 by Sergey Orlov at 2021-03-04T20:00:50+01:00
ipatests: disable systemd-resolved cache

systemd-resolved enables positive and negative cache by default which
affects test scenarios where dns records are being created and deleted and
then verified using any tools that utilize default system resolver
(i.e. `dig` or `curl`).

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b3abb2c6 by Sergey Orlov at 2021-03-04T20:00:50+01:00
ipatests: mock resolver factory

test_testconfig is using hardcoded hostnames which do not match the ones
provided in the real test config. This causes the resolver factory to fail
when trying to detect the resolver type of the host.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b0ee8e00 by Sergey Orlov at 2021-03-04T20:00:50+01:00
ipatests: always try to create A records for hosts in IPA domain

Do not check that the host is resolvable.
systemd-resolved creates synthetic records for hosts in /etc/hosts.
If test hosts are listed in /etc/hosts on the controller, no A records will
be created.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
1ca7cb65 by Sergey Orlov at 2021-03-04T20:00:50+01:00
ipatests: do not configure nameserver when installing client and replica

When the IPA master is installed without DNS, using it as nameserver creates
an invalid configuration.

Related to https://pagure.io/freeipa/issue/8703

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
cf80bb33 by Stanislav Levin at 2021-03-05T08:42:45+01:00
ccache_sweeper: Add gssproxy service

Using the existing gssproxy service (`service/ipa-api`) leads to side
effects that are undesirable in this case, such as auto-renewal of
expired credentials.

Fixes: https://pagure.io/freeipa/issue/8735
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
99a65e3e by Stanislav Levin at 2021-03-05T08:42:45+01:00
cleanup: Drop never used path for httpd's ccache

The `HTTP_CCACHE` path was introduced in [0], but it has never been set as
gssproxy's cred_store option (`ccache`) and is not really used anywhere
besides the removal of this non-existent path. It is safe to
drop all references to `HTTP_CCACHE`.

As of 0.8.0 [1], gssproxy uses the `MEMORY` credential type for cred_store
by default.

[0]: https://github.com/freeipa/freeipa/commit/d2f5fc304f1938d23171ae330fa20b213ceed54e
[1]: https://github.com/gssapi/gssproxy/commit/0e1b4a0c8400f1c9c6cc4915942a8df47e0c1410

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9fb26688 by Sudhir Menon at 2021-03-05T10:40:12+01:00
ipatests: Test to check sosreport collects healthcheck.log file

This test creates the healthcheck.log file in the /var/log/ipa/healthcheck/
directory if it is not present and then checks that when the sosreport command
is run it collects the healthcheck log file, by checking the console log.

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
fbbfce11 by Stanislav Levin at 2021-03-05T13:47:15+01:00
ipatests: Fix expectation about GSS error in test for healthcheck

As of 1.19.1 MIT krb changed the error returned if no valid
credentials could be obtained (GSS_S_CRED_UNAVAIL -> GSS_S_NO_CRED).
To be compatible with previous versions of krb, the new expected
error message has been added.

Fixes: https://pagure.io/freeipa/issue/8737
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0dfd4b7e by Armando Neto at 2021-03-09T12:47:26+01:00
ipatests: Update gating to Fedora 33

Bump template image to include updated packages.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
cc3e3cd8 by Thorsten Scherf at 2021-03-09T16:50:19+01:00
Fix lgtm file classification

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9cfcbc67 by Florence Blanc-Renaud at 2021-03-10T09:31:43+02:00
dnssec: fix ipa-ods-exporter crash when master key missing

When a master key is missing from the local HSM, ipa-ods-exporter crashes.
This can happen when the DNSSEC master role is moved from one node to
another with the following scenario:
- install server1 with dns + dnssec
- install server2 without dns
- disable dnssec from server1
- install dns + dnssec on server2

With the above scenario, server2 never had the opportunity to get
the master key (this happens only when the replica is already
configured as DNS server and has put its public replica key in LDAP +
the current DNSSEC master wraps its master key with the replica key).

ipa-ods-exporter can only log an error instead of crashing.

Related: https://pagure.io/freeipa/issue/8654
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7616f1da by Florence Blanc-Renaud at 2021-03-10T09:31:43+02:00
dnssec: concurrency issue when disabling old replica key

When dnssec role is removed from the local node, the uninstaller
creates a new replica key and marks the older replica keys as disabled
(both in the local HSM and in LDAP).
If ipa-ods-exporter runs in the middle of this operation, the old replica
key may be disabled in the local HSM but not yet in LDAP and
ipa-ods-exporter believes that it is a new replica key that needs to be
imported from LDAP to the local HSM. The op fails as the key is already
in the local HSM.

The error can be ignored; ipa-ods-exporter simply needs to log a warning.

Fixes: https://pagure.io/freeipa/issue/8654
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3ce45cec by Sergey Orlov at 2021-03-10T14:44:46+01:00
ipatests: use proper template for TestMaskInstall

TestMaskInstall is a usual integration test and should
install the freeipa server during the test run.
The "ipaserver" template provides a pre-installed freeipa server and
is intended for use with webui and xmlrpc tests.

Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
a63c6e02 by Alexander Bokovoy at 2021-03-10T14:46:23+01:00
freeipa.spec: synchronize with Fedora for 389-ds and PKI versions

- 389-ds fixes an information disclosure during unsuccessful LDAP BIND
  operation, CVE-2020-35518, https://github.com/389ds/389-ds-base/issues/4609

- Dogtag PKI was adapted to work with 389-ds with the fix,
  https://github.com/dogtagpki/pki/issues/3458

FreeIPA needs to require new Dogtag and 389-ds versions on all Fedora
and RHEL versions.

RHEL 8 version is set to 1.4.3.16-12 which is the official build after
pki-core was fixed to work with the CVE fixes.

In order to avoid excessive %if/%endif conditionals in the spec file, I
have added a short Lua table with 389-ds versions for F32-33. F34 and
Rawhide will fall back to the same newer 389-ds 2.0.3 version. We do not
support building on F31 or older Fedora anymore as they are EOLed
already.

Fixes: https://pagure.io/freeipa/issue/8705

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f6aac4d5 by Thorsten Scherf at 2021-03-11T10:04:02-05:00
Update 10-ssh-key-management.rst

Removing conclusion statement since we now have more than 10 units.

Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
061e0b63 by François Cami at 2021-03-17T08:41:45+01:00
ipa-client-install: output a warning if sudo is not present (2)

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
4b917833 by François Cami at 2021-03-17T08:41:45+01:00
ipatests: check for the "no sudo present" string absence

When sudo is installed, no warning should be output about sudo not
being available (obviously). Check that the relevant string is
not present.

Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
1b8de48f by Mohammad Rizwan at 2021-03-17T10:32:05+01:00
ipatests: introduce wait_for_replication in test_rolecheck_Trust

Test was randomly failing if the query for the server role is
executed before the replication had time to replicate the
changes on cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=test,
as the server role is read using this entry.

related: https://pagure.io/freeipa/issue/8553

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
5221f4c2 by Florence Blanc-Renaud at 2021-03-17T20:08:10+01:00
ipatests: filter_users belongs to nss section

In the test test_sssd.py::TestSSSDWithAdTrust::test_is_user_filtered
the config file sssd.conf is modified with a parameter
filter_users written in the [domain/..] section but
the parameter should appear in [nss] section instead.

Fixes: https://pagure.io/freeipa/issue/8747

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ab23ecda by Florence Blanc-Renaud at 2021-03-18T08:30:14+01:00
ipatests: re-add test_dnssec.py::TestInstallDNSSECFirst in gating

The test was temporarily removed because of a known issue
but the issue is now fixed.

Related: https://pagure.io/freeipa/issue/8496
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5af57432 by Florence Blanc-Renaud at 2021-03-18T08:30:14+01:00
ipatests: fix TestInstallDNSSECFirst::test_resolvconf logic

The test test_dnssec.py::TestInstallDNSSECFirst::test_resolvconf
checks that /etc/resolv.conf points to the localhost and
fails on fedora33 because systemd-resolved is in place
(and /etc/resolv.conf contains 127.0.0.53).
The test logic needs to be adapted. When systemd-resolved is
used, the test can check the output of "resolvectl dns".

Fixes: https://pagure.io/freeipa/issue/8695
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
462dc75f by Sergey Orlov at 2021-03-18T15:36:07+01:00
ipatests: return result of kinit_as_user, pass raiseonerr parameter

Similar to kinit_admin, this allows checking for error values returned
by kinit.

Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
643a70a2 by Sergey Orlov at 2021-03-18T15:36:07+01:00
ipatests: add test for kdcproxy handling reply split to several TCP packets

This is a regression test for the bug in python-kdcproxy mentioned in
https://github.com/latchset/kdcproxy/pull/44
  When the reply from AD is split into several TCP packets the kdc
  proxy software cannot handle it and returns a false error message
  indicating it cannot contact the KDC server.

This could be observed as login failures of AD user on IPA clients
when:
* IPA client was configured to use kdcproxy to communicate with AD
* kdcproxy used TCP to communicate with AD
* response from AD to kdcproxy was split into several packets

This patch also refactors and improves existing tests:
* switch to using pytest fixtures for test setup and cleanup steps to make
  them isolated and reusable
* simulate a much more restricted network environment: instead of blocking
  single 88 port we now block all outgoing traffic except few essential
  ports
* add basic tests for using kdcproxy to communicate between IPA client
  and AD DC.

Reviewed-By: Anuja More <amore at redhat.com>
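
The failure mode described in this commit comes from Kerberos' TCP framing, which a proxy has to honour on a stream socket. The block below is an added example, not code from python-kdcproxy or FreeIPA: a fake socket delivers a reply in pieces, `read_naive()` reproduces the class of bug (one `recv()`, short read reported as "cannot contact the KDC"), and `read_framed()` loops until the framed length is satisfied. `ChunkedSocket`, `SAMPLE_REPLY` and the helper names are constructed for the illustration.

```python
"""
Reassemble a Kerberos-over-TCP reply that arrives in several TCP segments.

RFC 4120 section 7.2.2 frames each Kerberos message on TCP with a 4-byte
big-endian length prefix whose high bit is reserved. A proxy that does a
single recv() and treats a short read as "cannot contact the KDC" shows
the symptom described in the commit above; read_framed() loops until the
prefix and the full body have arrived.
"""
import struct
from typing import List, Optional

KRB_TCP_MAX = 0x7FFFFFFF   # high bit of the length word is reserved


class ChunkedSocket:
    """Constructed test double: hands back a reply in pre-cut pieces, the way
    a real socket may when the peer's reply spans several TCP segments."""

    def __init__(self, chunks: List[bytes]):
        self._chunks = list(chunks)

    def recv(self, bufsize: int) -> bytes:
        if not self._chunks:
            return b""                       # peer closed the connection
        piece = self._chunks.pop(0)
        if len(piece) > bufsize:             # honour the caller's buffer size
            self._chunks.insert(0, piece[bufsize:])
            piece = piece[:bufsize]
        return piece


def frame(msg: bytes) -> bytes:
    """Prefix a KRB message with its 4-byte length, as sent over TCP."""
    if len(msg) > KRB_TCP_MAX:
        raise ValueError("message too large for Kerberos TCP framing")
    return struct.pack("!I", len(msg)) + msg


def _recv_exactly(sock, n: int) -> Optional[bytes]:
    """Read exactly n bytes, or return None if the peer closes first."""
    buf = bytearray()
    while len(buf) < n:
        piece = sock.recv(n - len(buf))
        if not piece:
            return None
        buf += piece
    return bytes(buf)


def read_naive(sock) -> Optional[bytes]:
    """The buggy pattern: one recv(), so a split reply looks like an error."""
    data = sock.recv(65536)
    if len(data) < 4:
        return None
    (length,) = struct.unpack("!I", data[:4])
    body = data[4:]
    return body if len(body) == length else None


def read_framed(sock) -> Optional[bytes]:
    """Correct pattern: read the length word, then loop until the body is in."""
    header = _recv_exactly(sock, 4)
    if header is None:
        return None
    (length,) = struct.unpack("!I", header)
    if length > KRB_TCP_MAX:                 # reserved high bit set: not KRB
        return None
    return _recv_exactly(sock, length)


def split(data: bytes, sizes: List[int]) -> List[bytes]:
    """Cut data into segments of the given sizes plus the remainder."""
    out, pos = [], 0
    for size in sizes:
        out.append(data[pos:pos + size])
        pos += size
    out.append(data[pos:])
    return [c for c in out if c]


# Constructed stand-in for a 2 KiB KDC reply; not a real TGS-REP/KRB-ERROR.
SAMPLE_REPLY = bytes(range(256)) * 8

if __name__ == "__main__":
    segments = split(frame(SAMPLE_REPLY), [2, 700, 900])
    print("naive reader :", read_naive(ChunkedSocket(segments)) is not None)
    print("framed reader:", read_framed(ChunkedSocket(segments)) == SAMPLE_REPLY)
```

The first segment is cut at two bytes so that even the length word is split; a reader that only loops on the body but not on the header would still fail on that input.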

- - - - -
305d6f22 by Sergey Orlov at 2021-03-18T15:36:07+01:00
ipatests: update prci definitions for test_http_kdc_proxy

the new tests require an AD instance

Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
e880d38b by Antonio Torres at 2021-03-23T08:37:57+01:00
Extend logging to include execution time

Adding execution time in logs provides useful information
for identifying API operations that impact IPA performance.

Related: https://pagure.io/freeipa/issue/8759
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
44d7cce3 by Jan Pazdziora at 2021-03-23T10:17:34+01:00
Avoid comparing 'max' with 'max\n'.

Fixes https://pagure.io/freeipa/issue/8764.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
339152c1 by Mohammad Rizwan at 2021-03-24T08:20:10+01:00
ipatests: Enable certbot test on rhel

With this change, certbot test will be running on rhel.
certbot is not available on rhel through repository.
The plan is to install certbot using pip/epel on rhel and increase the
test coverage on rhel

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
60389f53 by Alexander Scheel at 2021-03-26T10:57:55+01:00
Handle multiple AJP adapters during upgrade

In this patch, we ensure we upgrade all AJP adapters with the same
secret value if any are missing. This ensures that both IPv4 and IPv6
adapters have the same secret value, so whichever httpd connects to
will be in sync. This is consistent with what Dogtag does when
provisioning them.

Notably missing from this patch is handling of multiple unrelated AJP
adapters. In an IPA scenario (and default PKI scenario) this shouldn't
be necessary. However, with external load balancing, this might happen.

This patch benefits IPA in the scenario when:

 1. pkispawn runs on an older PKI version (pre-AJP secret, so ~8.2?)
 2. pki gets upgraded to 10.10.1 before IPA can provision a secret,
    resulting in split IPv4/IPv6 adapters -- this would only happen
    on a direct migration from 8.2 -> 8.4
 3. ipa upgrade script then runs to provision an AJP secret value for
    use with both Dogtag and IPA.

Without this patch, only the first (IPv4) adapter would have a secret
value provisioned in the above scenario.

Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
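
To make the rule in this commit concrete, here is an added example (not FreeIPA's or Dogtag's upgrade code) that parses a Tomcat server.xml, finds every AJP connector and puts them all on one secret: an existing secret is copied to the connectors that lack one, and a fresh one is minted only when none has one. The server.xml snippet, the `localhost4`/`localhost6` addresses and the function names are constructed for the illustration; `secret` is the real Tomcat AJP connector attribute.

```python
"""
Keep every AJP connector in a Tomcat server.xml on one shared secret.

Since Tomcat 9.0.31 / 8.5.51 the AJP connector requires a 'secret' by
default, so a connector without one is dead, and IPv4/IPv6 connectors
with different secrets work only on whichever address httpd picks. The
rule below matches the one described above: if any AJP connector has a
secret, copy it to the others; if none has one, mint a fresh one.
"""
import secrets
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample, not an actual pki-tomcat server.xml: two AJP
# connectors (IPv4 and IPv6), only the first already carries a secret.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
    <Connector port="8009" protocol="AJP/1.3" address="localhost4"
               redirectPort="8443" secret="tomcat-only-secret"/>
    <Connector port="8009" protocol="AJP/1.3" address="localhost6"
               redirectPort="8443"/>
  </Service>
</Server>
"""


def ajp_connectors(root: ET.Element) -> List[ET.Element]:
    """All <Connector> elements speaking AJP, regardless of address/port."""
    return [c for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP/")]


def ajp_secrets(server_xml: str) -> List[Optional[str]]:
    """The 'secret' attribute of each AJP connector, in document order."""
    return [c.get("secret") for c in ajp_connectors(ET.fromstring(server_xml))]


def sync_ajp_secret(server_xml: str,
                    new_secret: Optional[str] = None) -> Tuple[str, str, bool]:
    """Return (updated_xml, secret_in_use, changed).

    All AJP connectors are treated as one set, as in the upgrade described
    above. Unrelated AJP connectors (e.g. behind an external load balancer)
    would need per-connector handling, which this deliberately does not do.
    """
    root = ET.fromstring(server_xml)
    conns = ajp_connectors(root)
    if not conns:
        return server_xml, "", False
    existing = {c.get("secret") for c in conns if c.get("secret")}
    if len(existing) > 1:
        # Two different secrets already: do not pick one silently, let the
        # operator decide which side (httpd or Tomcat) is authoritative.
        raise ValueError("AJP connectors disagree on the secret: %s"
                         % ", ".join(sorted(existing)))
    secret = existing.pop() if existing else (new_secret or secrets.token_urlsafe(32))
    changed = False
    for conn in conns:
        if conn.get("secret") != secret:
            conn.set("secret", secret)
            changed = True
    return ET.tostring(root, encoding="unicode"), secret, changed


if __name__ == "__main__":
    updated, secret, changed = sync_ajp_secret(SAMPLE_SERVER_XML)
    print("changed:", changed, "secrets now:", ajp_secrets(updated))
```

Whatever secret ends up in server.xml also has to reach httpd's side of the connection (mod_proxy_ajp's `secret=` ProxyPass parameter), which is the "Apache password" the test commit below says is handled elsewhere in the upgrade.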

- - - - -
d3e4bd9e by Rob Crittenden at 2021-03-26T10:57:55+01:00
Allow overriding is_newer_tomcat_version()

This is needed so we can mock the DogtagInstance class
and have control over the version of tomcat.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
16fbe095 by Rob Crittenden at 2021-03-26T10:57:55+01:00
ipatests: Test secure_ajp_connector works with multiple connectors

There may be both IPv4 and IPv6 AJP connectors. Test that both
are upgraded with the new tomcat attribute and the passwords are
kept in sync.

The Apache password will be updated if needed elsewhere in the
upgrade process.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
8defcb0c by Mohammad Rizwan at 2021-03-26T10:59:42+01:00
ipatests: Don't rely on certmonger's assigned request id

There are failures observed in test_rekey_keytype_DSA (test_cert.py).
It is due to the fact that there is no guarantee that the request id
will match the filename that certmonger assigns.

This fix assigns the request id with the -I option to the command (and
makes use of the existing fixture) and gets the file name by grepping
certmonger's directory for the specified req id.

fixes: https://pagure.io/freeipa/issue/8725

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b70e30db by Rob Crittenden at 2021-03-26T18:14:25+01:00
Uninstall without starting the CA in cert expiration test

Some certificates may have started renewal so returning to
present time can bind the server up with trying to renew.

certmonger fires off helpers when it's time to renew
certificates. This scenario puts the time within the renewal
window. If certmonger notices while the test is running it
will kick off renewal for all 12 certificates.

A lock is used to serialize things. The CA was shut down prior
to changing time so there is no chance of issuing new certs.

A fixture was used to ensure that things restarted when
the test was over. This was for chronyd and the CA. By restarting
the CA we allow the chance that it will be able to do some
work, versus returning a connection error and letting
certmonger just error out (CA_UNREACHABLE).

During uninstallation we call certmonger remove_request over
DBus (the equivalent to stop-tracking). As part of this
certmonger waits for any child (helper) processes to go away.
This used to do it via SIGKILL but that caused other problems
so it was changed to waitpid(). We know that it isn't going to
return for a while because the CA isn't up. DBus has a
hardcoded 25 second timeout. So we're guaranteed to get a
DBus timeout. We *could* try to play with it and change the
timeout, or retry a bunch of times, but it isn't worth the
hassle.

This is a contrived scenario that uninstalls immediately after
tweaking time forward. So rather than trying to make this
successful, uninstall at the future time with the CA stopped
so that helpers won't be hanging around and certmonger can
remove the certs.

This is the last test so also the last time we need the replica
so to avoid replication bogging things down remove that prior
to executing the test. It's one less moving part during the
uninstall phase.

https://pagure.io/freeipa/issue/8506

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
d15e577b by Rob Crittenden at 2021-03-26T18:14:25+01:00
Increase timeout for TestIpaHealthCheck to 5400s

During development of a fix to workaround certmonger effectively
hanging server uninstallation the test was re-worked to force
uninstall during the test execution itself.

https://pagure.io/freeipa/issue/8506

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
8272da74 by Florence Blanc-Renaud at 2021-03-29T11:09:55+02:00
Adapt redhat ipaplatform to RHEL9/ELN

On RHEL8, ipa is using named-pkcs11.service but RHEL9 is based on
fedora34 and uses named.service instead. There is already some support
for this distinction in ipaplatform, and the patch relies on the
specific settings that can be configured in ipaplatform/xx/services.py
and ipaplatform/xx/constants.py

On RHEL9 ipa also needs to define NAMED_OPENSSL_ENGINE for named
to use openssl's pkcs11 engine.

Fixes: https://pagure.io/freeipa/issue/8753
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c441397b by Stanislav Levin at 2021-03-29T13:55:19+03:00
configure: Make rpmlint optional

Distributions may want to run comprehensive fastcheck or lint tasks,
but the rpmlint tool is mandatory for these targets while some platforms
don't have it at all.

With this change the rpmlint becomes optional for fastcheck, devcheck
and lint make targets.

Note: rpmlint option is disabled by default.
To enable: ./configure --enable-rpmlint
To explicitly disable: ./configure --disable-rpmlint

Fixes: https://pagure.io/freeipa/issue/8768
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8c38c57f by Stanislav Levin at 2021-03-29T13:55:19+03:00
Azure: Run rpmlint on Fedora

Template the autoconf phase.

Fixes: https://pagure.io/freeipa/issue/8768
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
39153f9b by Antonio Torres at 2021-03-29T13:56:35+03:00
Return nsaccountlock in user-add as boolean

The `nsaccountlock` attribute was being returned as a
list of string ("TRUE"/"FALSE") instead of a boolean.
Use the convert function used in `user-find` and `user-mod`
for consistency, since these commands return the parameter as a boolean.

Fixes: https://pagure.io/freeipa/issue/8743
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
cfff1f67 by Antonio Torres at 2021-03-29T13:56:35+03:00
ipatests: expect boolean type for nsaccountlock in user module

user-add now returns the `nsaccountlock` parameter as
a boolean instead of as a list of string, meaning tests
have to be adapted to expect the correct type.

Related: https://pagure.io/freeipa/issue/8743
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
28d310d5 by Antonio Torres at 2021-03-29T14:00:53+03:00
Enhance error message when adding non-posix group with a GID

Enhance error message when adding non-posix group
with a GID so the user knows that a GID should not
be passed when adding a group with the --nonposix option.

Fixes: https://pagure.io/freeipa/issue/8155
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d8bc3e40 by Antonio Torres at 2021-03-29T14:00:53+03:00
ipatests: add test for group creation with GID and nonposix option

Add test to ensure group creation fails when passing the --nonposix
option and a GID number at the same time. Failure shows a message
to warn the user that this is not allowed.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3dc58965 by Antonio Torres at 2021-03-29T14:51:48+03:00
Allow multiple permitopen/permitlisten in SSH keys

SSH keys allow multiple entries for
the permitopen and permitlisten options. Prior
to this change, only one of each could be configured.

Fixes: https://pagure.io/freeipa/issue/8423
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
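
The commit above is about validating the options prefix of an authorized_keys line, where permitopen and permitlisten are the two options that legitimately repeat. The following is an added example, not FreeIPA's ipasshpubkey validation code: a small parser for the OpenSSH options syntax (comma-separated options, double-quoted values, backslash-escaped quotes) that keeps every permitopen/permitlisten occurrence as a list, plus a host:port check over those targets. `SAMPLE_LINE`, its key blob and the function names are constructed for the illustration.

```python
"""
Parse the options field of an OpenSSH authorized_keys line, keeping every
permitopen / permitlisten entry instead of only the last one.

Format (sshd(8), AUTHORIZED_KEYS FILE FORMAT): options are comma-separated
and precede the key type; values are double-quoted, a backslash escapes a
quote inside a value, and permitopen/permitlisten may each appear several
times, one forwarding target per occurrence.
"""
from typing import Dict, List, Tuple

MULTI_VALUED = ("permitopen", "permitlisten")
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def parse_options(text: str) -> Dict[str, List[str]]:
    """'a,b="x,y",b="z"' -> {'a': [''], 'b': ['x,y', 'z']} (b multi-valued)."""
    opts: Dict[str, List[str]] = {}
    i, n = 0, len(text)
    while i < n:
        j = i
        while j < n and text[j] not in ",=":
            j += 1
        name = text[i:j].strip().lower()
        if not name:
            raise ValueError("empty option name at offset %d" % i)
        value = ""
        if j < n and text[j] == "=":
            j += 1
            if j >= n or text[j] != '"':
                raise ValueError("option %s: value must be double-quoted" % name)
            j += 1
            buf: List[str] = []
            while j < n and text[j] != '"':
                if text[j] == "\\" and j + 1 < n and text[j + 1] == '"':
                    j += 1                       # \" is a literal quote
                buf.append(text[j])
                j += 1
            if j >= n:
                raise ValueError("option %s: unterminated quote" % name)
            j += 1                               # skip closing quote
            value = "".join(buf)
        if j < n and text[j] != ",":
            raise ValueError("option %s: junk after value" % name)
        if name in MULTI_VALUED:
            opts.setdefault(name, []).append(value)
        else:
            opts[name] = [value]                 # last one wins, as in sshd
        i = j + 1
    return opts


def split_authorized_key(line: str) -> Tuple[Dict[str, List[str]], str, str, str]:
    """Return (options, key_type, base64_blob, comment) for one line."""
    line = line.strip()
    if line.startswith(KEY_TYPES):
        cut = 0
    else:
        cut, in_quote = None, False
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_quote = not in_quote          # quoted values may hold spaces
            elif ch.isspace() and not in_quote \
                    and line[i:].lstrip().startswith(KEY_TYPES):
                cut = i
                break
        if cut is None:
            raise ValueError("no key type found")
    opts = parse_options(line[:cut]) if cut else {}
    parts = line[cut:].split(None, 2)
    if len(parts) < 2:
        raise ValueError("missing key blob")
    key_type, blob = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    return opts, key_type, blob, comment


def validate_forwarding(opts: Dict[str, List[str]]) -> List[str]:
    """Check every permitopen/permitlisten target looks like host:port."""
    errors = []
    for name in MULTI_VALUED:
        for target in opts.get(name, []):
            host, sep, port = target.rpartition(":")
            if not sep or not host:
                errors.append("%s=%r: expected host:port" % (name, target))
            elif port != "*" and not (port.isdigit() and 1 <= int(port) <= 65535):
                errors.append("%s=%r: bad port %r" % (name, target, port))
    return errors


# Constructed line; the key blob is not a real key.
SAMPLE_LINE = ('permitopen="10.0.0.1:22",permitopen="[::1]:443",'
               'permitlisten="localhost:8080",permitlisten="*:9000",'
               'no-pty,command="echo \\"hi\\"" '
               'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHkQ deploy@example.test')
```

Single-valued options keep sshd's last-one-wins behaviour; only the two forwarding options accumulate, which is exactly the distinction a validator has to make before it can reject a key for "duplicate" options.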

- - - - -
dc799a5f by Antonio Torres at 2021-03-29T14:51:48+03:00
ipatests: add test for multiple permitopen entries in SSH keys

Add test to ensure that IPA allows introducing multiple
permitopen and permitlisten entries.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
74638edb by Antonio Torres at 2021-03-29T14:53:18+03:00
ipa passwd: make help for `--otp` option clearer

Update help for the `--otp` option in `ipa passwd`
to actually explain its usage.

Fixes: https://pagure.io/freeipa/issue/8244
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
9f0c4830 by Sergey Orlov at 2021-03-29T18:25:26+02:00
ipatests: allocate pseudo-terminal only for specific command

While "ktutil" does require a pseudo-terminal on particular systems to
operate, the majority of programs do not need it.
At the same time invoking `ssh` with forced pseudo-terminal allocation
interferes with the session multiplexing feature and increases connection
time. The increase can be as large as 10 seconds in certain cases which
leads to unexpected EOFs of the pexpect utility.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
c52cf213 by Sergey Orlov at 2021-03-29T18:25:26+02:00
ipatests: log command spawned by pexpect

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
c9ed6272 by Florence Blanc-Renaud at 2021-03-30T09:56:10+02:00
ipatests: update expected message

The test TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck
is expecting a specific message for the RIPluginCheck
but the message has been updated to fix
4656 - Remove problematic language from UI/CLI/lib389
("enable referint on all suppliers" instead of
"enable referint on all masters").

Shorten the expected msg so that it fits both situations.

Fixes: https://pagure.io/freeipa/issue/8779

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
380336d6 by Stanislav Levin at 2021-03-30T13:18:09+03:00
Azure: Make it possible to pass additional Pytest args

Some tests require their own specific Pytest args. With this change
they can be specified in tests definitions.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
adc4d8d7 by Stanislav Levin at 2021-03-30T13:18:09+03:00
Azure: Show disk usage

Collecting disk usage information may be helpful, for example, for
debugging code that requires free space, such as healthcheck tests.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e80ff6f9 by Stanislav Levin at 2021-03-30T13:18:09+03:00
Azure: Template docs build

The distros may use different sphinx builder paths,
for example, by exporting of SPHINXBUILD env var.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
255be047 by Stanislav Levin at 2021-03-30T13:18:09+03:00
Azure: Run chronyd in Docker

The syncing time stuff is required by IPA NTP tests.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8cdc7bf0 by Stanislav Levin at 2021-03-30T13:18:09+03:00
Azure: Collect Host's systemd journal

The journal of Host is useful for AVC/SECCOMP analyzing.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d47847b1 by Stanislav Levin at 2021-03-30T13:18:09+03:00
Azure: Warn about Host's AVC and SECCOMP

Azure's VM distro is Ubuntu, which has AppArmor enabled.
This security module sometimes interferes with CI Docker containers,
but to be completely disabled it requires a reboot (this is impossible,
at least for now). So, Azure will warn about AVC records in the Host's
journal as a possible clue.

It will be equally important to be warned about SECCOMP records to
see possibly blocked syscalls (requires SCMP_ACT_LOG as defaultAction in
the seccomp profile).

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
572f203c by Stanislav Levin at 2021-03-30T13:18:09+03:00
Azure: Disable AppArmor profile for chrony

The security option 'apparmor:unconfined' tells Docker to not
apply AppArmor profiles for containers at all. This will not
replace or remove any existing profile. For example, this happens
on Ubuntu 20.04 which switched to chrony and brings its AppArmor
profile. The container's chronyd gets blocked by AppArmor:

fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=2  capname="dac_read_search"
fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=1  capname="dac_override"

So, any of the AppArmor profiles can block a container's processes by
matching the executable name. There are two ways:
1) prepare a custom AppArmor unconfined profile, load it on the Host and
    reference it in the container's configuration. This requires
    knowledge of the profile syntax at least, not too difficult, but
    potentially hard to maintain.
2) disable the conflicting profile on the Host;

Azure will warn about AVC in either case.
The second one was chosen as the simpler one.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
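
The two commits above (warning about AVC and SECCOMP records, and the chronyd denials quoted as evidence) describe a journal scan without showing one. The block below is an added example, not FreeIPA's Azure CI script: it parses journal lines of the `audit[pid]: AVC ...` / `audit[pid]: SECCOMP ...` shape, keeps AppArmor denials and every seccomp record, decodes the seccomp action from the `code` field, and counts findings per confined subject. The two DENIED lines in the sample are the ones quoted in the commit; the other sample lines, the `named` seccomp record and the function names are constructed for the illustration.

```python
"""
Flag AppArmor denials and seccomp audit records in a host's systemd journal.

journald renders kernel audit records as 'audit[pid]: AVC ...' (AppArmor
entries carry apparmor="DENIED" or "ALLOWED") and 'audit[pid]: SECCOMP ...'.
SECCOMP records only appear for syscalls the filter blocked or logged, so a
profile whose defaultAction is SCMP_ACT_LOG yields code=0x7ffc0000
(SECCOMP_RET_LOG); the action is decoded from the top 16 bits of 'code'.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
REC_RE = re.compile(r'audit\[\d+\]:\s+(AVC|SECCOMP)\s+(.*)$')

# Action constants from linux/seccomp.h (mask SECCOMP_RET_ACTION_FULL).
SECCOMP_ACTIONS = {
    0x80000000: "KILL_PROCESS", 0x00000000: "KILL_THREAD", 0x00030000: "TRAP",
    0x00050000: "ERRNO", 0x7fc00000: "USER_NOTIF", 0x7ff00000: "TRACE",
    0x7ffc0000: "LOG", 0x7fff0000: "ALLOW",
}

# The two DENIED lines are the ones quoted in the commit above; the other
# lines are constructed to exercise the filter.
SAMPLE_JOURNAL = """\
fv-az26-252 systemd[1]: Started Docker Application Container Engine.
fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=2  capname="dac_read_search"
fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=1  capname="dac_override"
fv-az26-252 audit[11305]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/chronyd" name="/etc/chrony/chrony.conf" pid=11305 comm="chronyd"
fv-az26-252 audit[11340]: SECCOMP auid=4294967295 uid=0 gid=0 ses=4294967295 pid=11340 comm="named" exe="/usr/sbin/named" sig=0 arch=c000003e syscall=105 compat=0 ip=0x7f3a9c0f1e3b code=0x7ffc0000
"""


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Turn one journal line into a dict of its key=value fields, or None."""
    m = REC_RE.search(line)
    if not m:
        return None
    rec = {"kind": m.group(1)}
    for key, val in KV_RE.findall(m.group(2)):
        rec[key] = val[1:-1].replace('\\"', '"') if val.startswith('"') else val
    if rec["kind"] == "SECCOMP" and "code" in rec:
        action = int(rec["code"], 16) & 0xFFFF0000
        rec["action"] = SECCOMP_ACTIONS.get(action, "UNKNOWN(0x%08x)" % action)
    return rec


def find_findings(lines: Iterable[str]) -> List[Dict[str, str]]:
    """AppArmor DENIED records plus every SECCOMP record, in order."""
    found = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["kind"] == "AVC" and rec.get("apparmor") != "DENIED":
            continue                     # ALLOWED/AUDIT entries are noise here
        found.append(rec)
    return found


def summarize(records: Iterable[Dict[str, str]]) -> Counter:
    """Count findings per (kind, confined subject) for a CI warning banner."""
    counts: Counter = Counter()
    for rec in records:
        subject = rec.get("profile") or rec.get("exe") or rec.get("comm", "?")
        counts[(rec["kind"], subject)] += 1
    return counts


if __name__ == "__main__":
    findings = find_findings(SAMPLE_JOURNAL.splitlines())
    for (kind, subject), count in sorted(summarize(findings).items()):
        print("WARNING: %d %s record(s) for %s" % (count, kind, subject))
```

Decoding the action matters for the SECCOMP half of the warning: a `LOG` record means the profile's `SCMP_ACT_LOG` default let the syscall through and only recorded it, whereas `ERRNO` or `KILL_*` records are syscalls the container actually lost.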

- - - - -
6c1dc1b2 by Stanislav Levin at 2021-03-30T13:18:09+03:00
Azure: Don't install pypi's docker

Ubuntu 20.04's docker meets the requirement (4+).

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2bec09aa by Stanislav Levin at 2021-03-30T13:18:09+03:00
pylint: Fix several warnings

Fixes Pylint warnings:
- R1729(use-a-generator)
- R1710(inconsistent-return-statements)
- R1727(condition-evals-to-constant)

Fixes: https://pagure.io/freeipa/issue/8772
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
188a279c by Stanislav Levin at 2021-03-30T13:18:09+03:00
Azure: Run Lint task as separate job

The Lint task uses PyPI to get the latest Pylint, which may pull in
any other packages as dependencies. For distro isolation the Lint
job should not produce any meaningful artifacts or they should not
be used in subsequent jobs. So, this job has to be isolated from
the others.

Fixes: https://pagure.io/freeipa/issue/8772
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8552faba by Antonio Torres at 2021-03-31T09:04:43+03:00
sudorule: reduce number of LDAP searches during modification

Combining the existence check with the sudoorder handling
allows reducing the number of searches during a sudorule
modification by removing a call to sudorule-show.

Related: https://pagure.io/freeipa/issue/8780
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3eb8b304 by Stanislav Levin at 2021-03-31T09:07:47+03:00
ipatests: Skip test_jsplugins in server-less environments

This test assumes that IPA server is installed and configured.
But test_jsplugins is the subtask of fasttest which is designed
(unittest) to be run in a server-less environment.

Note: `needs_ipaapi` is not completely suitable because there is
no direct IPA API usage. `xmlrpc_setup` fixture is also not
suitable because it assumes XMLRPC.

Fixes: https://pagure.io/freeipa/issue/8781
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ef4a2f30 by Alexander Bokovoy at 2021-03-31T09:14:35+03:00
Update ipa.pot translations file

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8cb32381 by Alexander Bokovoy at 2021-03-31T09:15:33+03:00
Update list of contributors

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
dab3706c by Alexander Bokovoy at 2021-03-31T09:17:09+03:00
Become FreeIPA 4.9.3

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
50d986b9 by Alexander Bokovoy at 2021-03-31T09:18:24+03:00
Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
43344381 by Florence Blanc-Renaud at 2021-04-01T08:53:14-04:00
ipatests: collect PKI config files and NSSDB

To ease debugging, also collect:
- /etc/pki/pki-tomcat/server.xml
- /etc/pki/pki-tomcat/ca/CS.cfg
- /etc/pki/pki-tomcat/kra/CS.cfg
- /etc/pki/pki-tomcat/alias
- /etc/pki/pki-tomcat/alias/pwdfile.txt

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8c5eb88f by Sudhir Menon at 2021-04-01T18:17:58+02:00
ipatests: Test to check ipa-healthcheck tool displays warning when run on ipa-client

The testcase checks that when ipa-healthcheck tool is run
on ipa-client it will display warning message "IPA is not configured"

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7f598c8d by François Cami at 2021-04-02T09:48:49+02:00
ipatests: tasks.py: add wait_for_ipa_to_start

wait_for_ipa_to_start(host) waits for ipactl to return RUNNING for all
IPA services on the specified host.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
18b03506 by François Cami at 2021-04-02T09:48:49+02:00
ipatests: tasks.py: add dns_update_system_records

Add a frontend to "ipa dns-update-system-records" to tasks.py.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
9ad9c38e by François Cami at 2021-04-02T09:48:49+02:00
ipatests: hiddenreplica: use wait_for_ipa_to_start after restore

Use wait_for_ipa_to_start to wait until the restored replica is online.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
834adfc2 by François Cami at 2021-04-02T09:48:49+02:00
ipatests: use wait_for_replication for hidden replica checks

Previously, hidden replica checks were run without waiting for replication
to complete, potentially leading to unstable behavior.
Use wait_for_replication.

Fixes: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
b1fef6b8 by François Cami at 2021-04-02T09:48:49+02:00
ipatests: hidden replica: use dns_update_system_records

Use dns_update_system_records after restoring the replica
to force-update the DNS records.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
45fa1043 by François Cami at 2021-04-02T09:48:49+02:00
ipatests: hidden replica: misc fixes

Rename a test and split a test in two.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
0ffaf29a by François Cami at 2021-04-02T09:48:49+02:00
ipatests: mark test_ipahealthcheck_hidden_replica as expected failure

test_ipahealthcheck_hidden_replica fails due to:
https://pagure.io/freeipa/issue/8582
Mark it as expected failure.

Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
a8c3f5f4 by Carl George at 2021-04-02T09:51:55+02:00
Also use uglifyjs on CentOS Stream 8

This conditional was recently changed to match VERSION_ID "8." to only
apply to RHEL 8 releases, but it should also match CentOS Stream 8 which
has VERSION_ID "8".

https://pagure.io/freeipa/c/43f344b931db3f72f50e1620443be9f21623e29a

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c7271ea2 by Florence Blanc-Renaud at 2021-04-07T08:27:21+02:00
ipatests: call server-del before replica uninstall

The test test_replica_promotion.py::TestRenewalMaster::
test_automatic_renewal_master_transfer_ondelete is calling
ipa-server-install --uninstall directly without performing first
ipa server-del. This can lead to incomplete uninstallation and
test failures.
Call tasks.uninstall_replica instead of tasks.uninstall_master.
This is equivalent to ipa-replica-manage del + uninstall
(ipa-replica-manage del works in DL0 and DL1 and internally calls
ipa server-del in DL1).

Fixes: https://pagure.io/freeipa/issue/8792
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
03dfd01e by Florence Blanc-Renaud at 2021-04-07T08:30:05+02:00
ipatests: TestIpaHealthCheck now needs 1 client

The test TestIpaHealthCheck has been updated with commit
e86ff48 and now needs 1 master, 1 replica and 1 client
in order to execute.
Update the nightly definitions accordingly.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
de5fffd3 by Florence Blanc-Renaud at 2021-04-07T09:22:17+02:00
Bumps openssl requires

openssl-1.1.1i introduced a regression preventing WebUI
login when the server is installed with --no-pkinit option.

On fedora 32/33/34/rawhide openssl-1.1.1k-1 is now available.
On RHEL8, openssl-1.1.1g is still shipped and doesn't have the
issue.

Fixes: https://pagure.io/freeipa/issue/8632
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
07fe32e2 by Christian Heimes at 2021-04-07T12:40:30-04:00
Better mod_wsgi configuration

* Remove WSGIImportScript
* Configure process-group in WSGIScriptAlias
* Run WSGI app in main interpreter of daemon script

See: https://github.com/GrahamDumpleton/mod_wsgi/issues/642#issuecomment-749498828
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b7700b9c by Christian Heimes at 2021-04-07T12:40:30-04:00
Improve wsgi app loading

* move WSGI app code to main code base so it can be used with other
  WSGI servers that expect a Python package.
* populate LDAP schema early to speed up first request by ~200ms
* gc.collect() and gc.freeze() to improve memory handling and GC

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b8bea216 by Timo Aaltonen at 2021-04-12T17:46:08+03:00
Revert "rules: Build only the client for bullseye."

This reverts commit 420067e108b8803d41e0b3863a7491dbec5184a1.

- - - - -
aea2c9fb by Alexander Bokovoy at 2021-04-13T17:53:20+02:00
ipaserver/install/dns: handle SERVFAIL when checking reverse zone

systemd-resolved in Fedora 34+ returns SERVFAIL for reverse zone that
does not yet exist when we attempt to look it up before installation.
Assume that this is OK -- we are going to create the zone ourselves
during installation.

Fixes: https://pagure.io/freeipa/issue/8794

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
7fa80acf by Florence Blanc-Renaud at 2021-04-15T18:30:20+02:00
client install: do not capture sudo -V stdout

ipa-client-install is checking if the sudo command is available
by calling 'sudo -V'. The call is currently using subprocess.popen
which redirects the output to the default stdout.
Use ipautil.run instead of subprocess.popen as this does not
capture stdout (the command output is just logged in the debug file).

Fixes: https://pagure.io/freeipa/issue/8767
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3499fdee by Florence Blanc-Renaud at 2021-04-15T18:30:20+02:00
ipatests: check that the output of sudo -V is not displayed

During client installation, the installer calls sudo -V
to check if sudo command is installed. The output must not
be displayed in stdout.

Related: https://pagure.io/freeipa/issue/8767
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b3488b21 by Michal Polovka at 2021-04-16T22:38:36+02:00
WebUI: test_user: test if user is enabled by default

Test checks if the user is enabled, able to reset their password and
authentication types in both CA and CA-less environment.

Related: https://pagure.io/freeipa/issue/8203

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
7e0626a9 by Rob Crittenden at 2021-04-19T09:13:39+02:00
Add pkey_only to the service_find calls in host del and disable

The pkey of services is krbprincipalname. The host plugin passes
this full value to service_del and service_disable if the service
hostname matches the requested host.

This limits the amount of data and post-processing done
when host_del and host_disable call service_find. It also saves
a presence query for keytab in each service found.

https://pagure.io/freeipa/issue/8787

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
74130f86 by Rob Crittenden at 2021-04-19T09:15:48+02:00
Cache the value of ca_is_enabled in the request context

This may be called multiple times in a request and should
be impossible to change.

https://pagure.io/freeipa/issue/8797

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
58c73a71 by Rob Crittenden at 2021-04-19T19:38:15+02:00
Retrieve the user objectclasses when checking for existence

This saves at least one search per user-mod because the current
set of objectclasses are verified to ensure they are complete
on each update.

So always retrieve them in get_either_dn(). They are used by
every call but there is negligible overhead in retrieving
this from LDAP.

https://pagure.io/freeipa/issue/8801

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
9d341428 by Florence Blanc-Renaud at 2021-04-19T15:04:06-04:00
Design doc for idrange option "auto-private-groups"

Related: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
42b8fa60 by Florence Blanc-Renaud at 2021-04-19T15:04:06-04:00
LDAP schema: new attribute ipaautoprivategroups

Add definition for a new attributeType: ipaautoprivategroups
Add the new attribute to ipaTrustedADDomainRange objectclass
as optional attribute

Related: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
cada918c by Florence Blanc-Renaud at 2021-04-19T15:04:06-04:00
Trust: add auto private groups option

Add a new option --auto-private-groups to the command
ipa idrange-add / ipa idrange-mod.
The option can take true/false/hybrid values.

Fixes: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7ddc1914 by Florence Blanc-Renaud at 2021-04-19T15:04:06-04:00
xmlrpc tests: add test for idrange auto-private-groups option

Scenarios:
- idrange-add prevents --auto-private-groups with a local id range
- idrange-mod prevents --auto-private-groups with a local id range
- auto-private-groups accepts only true/false/hybrid/empty values

Related: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
33404a62 by Alexander Bokovoy at 2021-04-23T17:55:50+02:00
ipa-otpd: handle LDAP timeout in a better way

When LDAP server disconnects ipa-otpd client connection due to a
timeout, ipa-otpd instance would stop and report an issue. This confuses
systemd service reporting, so for these situations we had better shut
down gracefully.

Fixes: https://pagure.io/freeipa/issue/6587

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>

- - - - -
bd2a14a2 by Michal Polovka at 2021-04-24T14:04:52+02:00
WebUI: Handle assertion if multiple notifications are present

If multiple notifications of the same type are shown at the same
time, assertion works for only the first one. This change enables
searching for the notification's content in all shown notifications.

Fixes: https://pagure.io/freeipa/issue/8641

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>

- - - - -
0244a060 by Christian Heimes at 2021-04-26T15:51:34+02:00
Use PyCA crypto provider for KRAClient

The Dogtag KRA backend now uses CryptographyCryptoProvider instead of
NSSCryptoProvider for KRAClient connections. The
CryptographyCryptoProvider uses PyCA cryptography to provide wrapping
and unwrapping. The change will allow Dogtag to remove the
NSSCryptoProvider and drop python-nss as a dependency.

The code in ipaserver.plugins.dogtag creates a Certificate object to
work around a bug in Dogtag. Dogtag supports paths but passes the wrong
type to PyCA cryptography.

Fixes: https://pagure.io/freeipa/issue/8814
See: https://github.com/dogtagpki/pki/issues/3499
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
eefbe855 by Stanislav Levin at 2021-04-27T18:08:59-04:00
pylint: Adapt to new Pylint 2.8

- globally ignore `consider-using-with`
- fix `consider-using-max-builtin`
- explicitly enable pylint on project configuration
- unpin Pylint
- added transformation for IntegrationTest attributes (will work
  unless explicitly defined)

Fixes: https://pagure.io/freeipa/issue/8818
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0c3a2dbf by Christian Heimes at 2021-04-28T17:11:15+02:00
Add max/min safe integer

JSON cannot safely handle integers outside range ``-(2**53) - 1`` to
``(2**53) - 1``. Add constants for safe integers and limit the Int
parameter to safe JSON values.

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/MAX_SAFE_INTEGER

See: https://pagure.io/freeipa/issue/8802
See: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
5afe830e by Stanislav Levin at 2021-05-06T15:31:37-04:00
pkispawn: Make timeout consistent with IPA's startup_timeout

This is the experimental fix to workaround the issue with
PKI on Azure Pipelines. PKI is the most sensitive to slow
systems (at least, appropriate delays and timeouts should be
adjusted for such).

Somehow Azure's test envs became slower than they were earlier
(for example, CA subsystem start changed
~(20-30)sec -> ~(45-60)sec). This triggered various issues with
subsystems of PKI in CI.

PKI honors `PKISPAWN_STARTUP_TIMEOUT_SECONDS` env variable (if
not set the timeout is 60sec) for pkispawn tool. The default
timeout is inconsistent with IPA's one (startup_timeout=120sec, which in
particular is used in the ipa-pki-wait-running tool).

Related: https://pagure.io/freeipa/issue/8830
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
a7ff4089 by Mohammad Rizwan at 2021-05-06T15:40:40-04:00
ipatests: Test if ACME renews the issued cert with certbot

This test is to check if ACME certificate renews upon
reaching expiry

related: https://pagure.io/freeipa/issue/4751

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>

ipatests: remove skipif for minimum pki dependency

Remove skipif from ACME tests as required pki version
updated in freeipa.spec file (pki 10.10.5)

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>

ipatests: move common code to separate method

Move the code from prepare_acme_client, TestACME/test_certbot_register
and TestACME/test_certbot_certonly_standalone to separate method so
that it can be re-used in TestACMERenew.

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
35198bed by Christian Heimes at 2021-05-06T15:43:16-04:00
Constrain pylint to supported versions

Two, three times a year PR-CI starts failing because tox tests pull in a
newer version of pylint with new warnings. To reduce breakage this
change constrains pylint (and indirectly astroid) to the latest tested
minor version. The constraint should be updated when FreeIPA starts to
support a new Fedora version with more recent pylint.

Related: https://pagure.io/freeipa/issue/8818
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a2131109 by Michal Polovka at 2021-05-07T08:48:36+02:00
ipatests: test_installation: add install test scenarios

test_hostname_parameter: Test for issue 2692 ipa-server-install ignores --hostname:
check whether hostname provided in `--hostname` parameter is being taken into account and set as new hostname without prompting for it again

test_ad_subpackage_dependency: Test for issue 4011 ipa-server-install crashes when AD subpackage is not installed:
test if ipa-server installation succeeds without `freeipa-ipa-server-trust-ad` installed

test_backup_of_cs_cfg_should_be_created: Test for issue 4166 Backup CS.cfg before modifying it:
test if ipa-server installer backs up CS.cfg before modifying it

test_installer_wizard_should_prompt_for_DNS: Test for issue 2575 [RFE] Installer wizard should prompt for DNS:
test if installer is asking for DNS setup details if not provided as parameter

Related: https://pagure.io/freeipa/issue/2692
Related: https://pagure.io/freeipa/issue/4011
Related: https://pagure.io/freeipa/issue/4166
Related: https://pagure.io/freeipa/issue/2575

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
046012ec by Antonio Torres at 2021-05-07T10:53:13+02:00
hbacrule: reduce number of LDAP searches during deletion

The `hbacrule` module performs a call to `selinuxusermap-find`
during entry deletion. This can be optimized by passing pkey_only=True
to the search, skipping the post-callback function. Passing the full
DN of the hbacrule and detecting it in the selinuxusermap find
also saves one call to hbacrule-show, further reducing the searches.

Related: https://pagure.io/freeipa/issue/8784
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
bae02a7e by Rob Crittenden at 2021-05-07T10:59:22+02:00
Parse Apache log etime and display average per command

Including execution time (etime) was added in commit
4d716d3fbc69760bc0f7bd1a7c83ab14f1a62f18

This is a parser that will collect API executions and
average them by command.

If > 5 requests of the same type then the fastest and slowest
results will be dropped to try to smooth the average.

These averages will be used for two purposes:

1. Identify potential bottlenecks in API performance
2. Provide a baseline so that future performance changes can be
   measured.

It is included in contrib because this is not going to be shipped
with a distribution but is useful to have with the code.

A sample execution is:

Successful commands:
 Mean user_show: 12234152.5 of 2 executions
 Mean command_defaults: 3284363.0 of 3 executions
 Mean user_add: 594369554.5 of 2 executions
Exceptions:
 Mean user_del: 232540327 ns of 2 executions
The parselog command was successful

Times are in nanoseconds.

https://pagure.io/freeipa/issue/8809

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
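The averaging rule described in the commit message above (per-command means, with the fastest and slowest sample dropped once more than 5 executions of a command are seen), as an added example in Python; it is not the contrib parser from the commit itself. The sample log lines are constructed for this example: only the `<command>/<ver>(<args>): <RESULT> etime=<nanoseconds>` shape is assumed, and the exact layout of the real Apache error log may differ.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed layout, not copied from a real server).
# The last line deliberately has no etime field, as older log lines would.
SAMPLE_LOG = """\
ipa: INFO: [jsonserver_session] admin@IPA.TEST: user_show/1('alice', version='2.245'): SUCCESS etime=10000000
ipa: INFO: [jsonserver_session] admin@IPA.TEST: user_show/1('alice', version='2.245'): SUCCESS etime=20000000
ipa: INFO: [jsonserver_session] admin@IPA.TEST: user_show/1('alice', version='2.245'): SUCCESS etime=30000000
ipa: INFO: [jsonserver_session] admin@IPA.TEST: user_show/1('alice', version='2.245'): SUCCESS etime=40000000
ipa: INFO: [jsonserver_session] admin@IPA.TEST: user_show/1('alice', version='2.245'): SUCCESS etime=50000000
ipa: INFO: [jsonserver_session] admin@IPA.TEST: user_show/1('alice', version='2.245'): SUCCESS etime=60000000
ipa: INFO: [jsonserver_session] admin@IPA.TEST: user_show/1('alice', version='2.245'): SUCCESS etime=1000000000
ipa: INFO: [jsonserver_session] admin@IPA.TEST: user_add/1('bob', version='2.245'): SUCCESS etime=500000000
ipa: INFO: [jsonserver_session] admin@IPA.TEST: user_add/1('carol', version='2.245'): SUCCESS etime=600000000
ipa: INFO: [jsonserver_session] admin@IPA.TEST: user_del/1('dave', version='2.245'): NotFound etime=200000000
ipa: INFO: [jsonserver_session] admin@IPA.TEST: user_del/1('erin', version='2.245'): NotFound etime=300000000
ipa: INFO: [jsonserver_session] admin@IPA.TEST: ping/1(version='2.245'): SUCCESS
"""

# command name, result word and the etime value in nanoseconds
LINE_RE = re.compile(
    r": (?P<command>[a-z_]+)/\d+\(.*?\): (?P<result>\w+)\s+etime=(?P<etime>\d+)"
)


def parse_log(text):
    """Group etime samples by (bucket, command); lines without etime are skipped."""
    samples = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        bucket = "Successful commands" if m["result"] == "SUCCESS" else "Exceptions"
        samples[(bucket, m["command"])].append(int(m["etime"]))
    return samples


def trimmed_mean(times):
    """Mean in ns; with more than 5 samples the fastest and slowest are dropped."""
    ordered = sorted(times)
    if len(ordered) > 5:
        ordered = ordered[1:-1]
    return sum(ordered) / len(ordered)


def summarize(text):
    """Return {bucket: {command: (mean_ns, executions)}} for a log text."""
    report = defaultdict(dict)
    for (bucket, command), times in parse_log(text).items():
        report[bucket][command] = (trimmed_mean(times), len(times))
    return dict(report)


def format_report(report):
    """Render the report in the same shape as the sample output in the commit message."""
    lines = []
    for bucket in ("Successful commands", "Exceptions"):
        if bucket not in report:
            continue
        lines.append(f"{bucket}:")
        for command, (mean_ns, count) in sorted(report[bucket].items()):
            lines.append(f" Mean {command}: {mean_ns} ns of {count} executions")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LOG)))
```

The execution count reported is the number of samples seen, not the number left after trimming, so a reader can tell when the outlier rule has been applied. The `user_show` series above shows why the rule exists: one slow request of 1 s would otherwise pull the mean from 40 ms to roughly 173 ms.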
4dd9d079 by Florence Blanc-Renaud at 2021-05-07T11:00:48+02:00
Spec file: bump augeas-libs version

Older augeas does not support new options provided by chrony:
 sourcedir /run/chrony-dhcp
 ntsdumpdir /var/lib/chrony
and is failing to update /etc/chrony.conf in ipa installer.

Bump augeas-libs version to require the fix:
1.12.0-6 on fedora 33+
1.12.0-3 otherwise

Fixes: https://pagure.io/freeipa/issue/8676
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
1aa3f7a7 by Rob Crittenden at 2021-05-12T11:22:14-04:00
Only attempt to upgrade ACME configuration files if deployed

This can happen on upgrades from older deployments that lack
an ACME installation and don't meet the minimum requirements
to deploy one automatically.

Also don't consider missing ACME schema a total failure, just
log and skip it.

https://pagure.io/freeipa/issue/8832

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
d6637b2f by Rob Crittenden at 2021-05-12T11:55:50-04:00
Call the LDAPClient layer when modifying values

For add/remove member and remove_principal the LDAP connection
was being used directly, bypassing the LDAPClient overlay.

Related: https://pagure.io/freeipa/issue/8798

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
63767ec0 by Rob Crittenden at 2021-05-12T11:55:50-04:00
Unify installer context to be 'installer'

'install' was being used in some places.

The context can be used to limit what configuration is
used for a given request so having consistency is
valuable.

This affected the force_schema_updates value in LDAPClient
which looks for api.env.context in ('installer', 'updates')

Related: https://pagure.io/freeipa/issue/8798

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
b37d679f by Rob Crittenden at 2021-05-12T11:55:50-04:00
Implement simple LDAP cache layer

Insert a class before LDAPClient to cache the return value
of get_entry() and certain exceptions (NotFound and
EmptyResult). The cache uses an OrderedDict so that, for the cases
where a large cache might result, an LRU model can be used.

The cache can be enabled (default) or disabled using
ldap_cache=True/False.

This cache is per-request so is not expected to grow
particularly large except in the case of a large batch
command.

The key to the cache entry is the dn of the object
being requested.

Any write to or referencing a cached dn is evicted from
the cache.

The set of attributes is somewhat taken into consideration.
"*" does not always match everything being asked for by
a plugin so unless the requested set of attributes is a
direct subset of what is cached it will be re-fetched. Err
on the side of safety.

Despite this rather conservative approach to caching 29%
of queries are saved with ipatests/xmlrpc_tests/*

https://pagure.io/freeipa/issue/8798

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
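The caching rules spelled out in the commit message above, as an added example in Python that is not FreeIPA's own `ldap_cache` layer: a per-request read cache keyed by DN in front of an LDAP client, with write-based eviction, cached `NotFound`, an LRU bound via `OrderedDict`, and the conservative attribute-subset check. `FakeLDAPClient`, `CachingLDAPClient` and the `NotFound` class here are constructed names; the real LDAPClient API is not reproduced.

```python
from collections import OrderedDict


class NotFound(Exception):
    """Stand-in for the NotFound error the commit message mentions (constructed)."""


class FakeLDAPClient:
    """Constructed stand-in for an LDAP backend: a dict of DN -> attributes.

    It counts backend reads so the cache savings can be measured offline.
    """

    def __init__(self, entries):
        self.entries = {dn.lower(): dict(attrs) for dn, attrs in entries.items()}
        self.reads = 0

    def get_entry(self, dn, attrs_list=None):
        self.reads += 1
        entry = self.entries.get(dn.lower())
        if entry is None:
            raise NotFound(dn)
        if attrs_list is None or "*" in attrs_list:
            return dict(entry)
        return {k: v for k, v in entry.items() if k in attrs_list}

    def update_entry(self, dn, changes):
        entry = self.entries.get(dn.lower())
        if entry is None:
            raise NotFound(dn)
        entry.update(changes)

    def delete_entry(self, dn):
        if self.entries.pop(dn.lower(), None) is None:
            raise NotFound(dn)


class CachingLDAPClient:
    """Per-request read cache in front of a backend, keyed by the entry DN.

    - caches get_entry() results and NotFound exceptions
    - any write touching a DN evicts that DN
    - a cached result is reused only when the requested attribute set is a
      subset of the set that was cached; "*" is treated as a literal name,
      so a request for named attributes never hits a "*" entry (conservative)
    - OrderedDict gives a cheap LRU bound for large batch requests
    """

    def __init__(self, backend, enabled=True, max_entries=100):
        self.backend = backend
        self.enabled = enabled
        self.max_entries = max_entries
        self._cache = OrderedDict()  # dn.lower() -> (cached attrs, result | NotFound)
        self.hits = 0
        self.misses = 0

    @staticmethod
    def _key(dn):
        return dn.lower()  # DNs compare case-insensitively

    def _store(self, dn, attrs_list, value):
        key = self._key(dn)
        self._cache[key] = (frozenset(attrs_list or ["*"]), value)
        self._cache.move_to_end(key)
        if len(self._cache) > self.max_entries:
            self._cache.popitem(last=False)  # evict least recently used

    def evict(self, dn):
        self._cache.pop(self._key(dn), None)

    def get_entry(self, dn, attrs_list=None):
        key = self._key(dn)
        requested = frozenset(attrs_list or ["*"])
        if self.enabled and key in self._cache:
            cached_attrs, value = self._cache[key]
            if isinstance(value, NotFound):
                self.hits += 1
                raise value
            if requested <= cached_attrs:
                self.hits += 1
                self._cache.move_to_end(key)
                if "*" in requested:
                    return dict(value)
                return {k: v for k, v in value.items() if k in requested}
        self.misses += 1
        try:
            result = self.backend.get_entry(dn, attrs_list)
        except NotFound as exc:
            if self.enabled:
                self._store(dn, attrs_list, exc)
            raise
        if self.enabled:
            self._store(dn, attrs_list, result)
        return result

    def update_entry(self, dn, changes):
        self.evict(dn)  # a write to the DN invalidates whatever was cached
        self.backend.update_entry(dn, changes)

    def delete_entry(self, dn):
        self.evict(dn)
        self.backend.delete_entry(dn)


def demo():
    """Run a small request sequence and return (backend reads, hits, misses)."""
    dn = "uid=alice,cn=users,cn=accounts,dc=ipa,dc=test"  # constructed DN
    backend = FakeLDAPClient({dn: {"uid": "alice", "cn": "Alice", "mail": "alice@ipa.test"}})
    client = CachingLDAPClient(backend)
    client.get_entry(dn, ["uid", "cn", "mail"])      # miss: first read
    client.get_entry(dn, ["uid"])                    # hit: subset of cached attrs
    client.get_entry(dn, ["*"])                      # miss: "*" is not a subset
    client.update_entry(dn, {"mail": "a@ipa.test"})  # write evicts the DN
    client.get_entry(dn, ["mail"])                   # miss: re-read after write
    for _ in range(2):                               # NotFound is cached too
        try:
            client.get_entry("uid=bob,cn=users,cn=accounts,dc=ipa,dc=test", ["uid"])
        except NotFound:
            pass
    return backend.reads, client.hits, client.misses
```

`demo()` returns `(4, 2, 4)`: four backend reads instead of six. Eviction on every write keeps the cache from ever serving a stale view of an entry the same request just changed, which is the property the unit test in this series checks.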
00c99cce by Rob Crittenden at 2021-05-12T11:55:50-04:00
Add LDAP cache options to the default.conf man page

https://pagure.io/freeipa/issue/8798

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
951720d4 by Rob Crittenden at 2021-05-12T11:55:50-04:00
Add a unit test for the LDAP cache layer

This mostly confirms that when an entry is added, modified or
deleted it is expunged from the cache.

https://pagure.io/freeipa/issue/8798

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
0307d222 by Rob Crittenden at 2021-05-12T11:55:50-04:00
Parse the debugging cache log to determine the read savings

Read the FINAL lines from the Apache error log, optionally from
a start time, and calculate the total cache hits and misses and
calculate the average read savings.

https://pagure.io/freeipa/issue/8798

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
1647afa9 by Armando Neto at 2021-05-12T15:22:28-03:00
ipatests: Bump PR-CI templates to Fedora 34

Move 'latest' to Fedora 34 and 'previous' Fedora 33 for nightly runs.
Keep gating on Fedora 33 for now.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
a1ed05d7 by Sergey Orlov at 2021-05-18T14:36:50+02:00
ipatests: increase timeout for test_commands up to 1.5 hours

Normally it takes 50 minutes for test_commands test suite
to complete. But due to fluctuations in virtualized environment
sometimes it exceeds 60 minutes which produces random failures
in nightly runs.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
74889cf3 by Christian Heimes at 2021-05-18T15:15:53+02:00
Fix update_dna_shared_config to wait for both entries

update_dna_shared_config plugin now waits for presence of both
``dnaHostname=fqdn+dnaPortNum=0`` and
``dnaHostname=fqdn+dnaPortNum=389`` entries before it updates the
entries.

The commit also refactors the code of update_dna_shared_config for
subordinate id support.

Fixes: https://pagure.io/freeipa/issue/8831
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7e9407d9 by Christian Heimes at 2021-05-18T15:15:53+02:00
Move constants, document timeout loop

Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9d37d077 by MIZUTA Takeshi at 2021-05-19T11:25:17+02:00
man: fix typos in ipa-epn.1

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
8799df53 by MIZUTA Takeshi at 2021-05-19T11:27:06+02:00
Add -d option to match in the ipa-client-samba usage and man-page

The ipa-client-samba man-page describes the -d option, but the -d option cannot actually be used.
Fix ipa-client-samba to enable the -d option.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7c17e27b by MIZUTA Takeshi at 2021-05-19T11:28:16+02:00
Fix the option to match in the ipa-client-automount usage and man-page

The command usage and man-page options may not match.
In ipa-client-automount, fix to match usage and man-page.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
25c4da9e by MIZUTA Takeshi at 2021-05-19T11:30:12+02:00
Add arguments to the description of OPTIONS in ipa-winsync-migrate.1

ipa-winsync-migrate.1 has an explanation of options, but no arguments.
Therefore, add the arguments for --realm and --server.
Also, add a short option -U for --unattended.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
7239864b by Rob Crittenden at 2021-05-19T14:16:58+02:00
Load dogtag RA plugin in installers so profiles can be loaded

In order to call import_included_profiles the dogtag RA plugin
needs to have been loaded. Modify the requirements to also allow
the installer context along with the ra_plugin value.

This lets us add missing profiles during a replica installation.
This is needed for ACME when installing a new replica in a
cluster of older servers that don't have support for ACME.

https://pagure.io/freeipa/issue/8738

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
190f8b62 by MIZUTA Takeshi at 2021-05-20T15:59:29+02:00
Add argument for --schema-file option in ipa-ldap-updater.1

There are no arguments in the --schema-file option,
but the Schema file in LDIF format must actually be specified.
Therefore, add FILE.ldif as an argument

In addition, the --schema option no longer exists, so remove the description.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
6031b8a2 by Rob Crittenden at 2021-05-21T08:54:05+02:00
Add ability to search on certificate revocation status

This can be used to narrow the candidate list of
certificates when deleting objects like hosts and
service.

Related: https://pagure.io/freeipa/issue/7835

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
25e0f4af by MIZUTA Takeshi at 2021-05-21T09:15:28+02:00
Remove -s option from ipa-ldap-updater usage

The -s option no longer exists, so remove it from the command usage.
Also, due to this fix, E128 occurred in pycodestyle, so the coding style was changed.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9a9373d5 by MIZUTA Takeshi at 2021-05-21T09:34:00+02:00
Add argument for --entry option in ipa-managed-entries.1

There are no arguments in the --entry option,
but DN for the managed entry definition must actually be specified.
Therefore, add MANAGED_ENTRY as an argument.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
bfd7b6e0 by Rob Crittenden at 2021-05-21T10:27:44+02:00
ipatests: kinit on server for test_proxycommand_invalid_shell

We've seen some intermittent failures of this test with warnings
about passwords about to expire. We suspect there may be a time
difference between the client and server so set the passwords
on the server instead to be sure that time is correct.

https://pagure.io/freeipa/issue/8785

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b9fd47a7 by Stanislav Levin at 2021-05-25T16:45:37+03:00
azure: bump F32->F34

Fixes: https://pagure.io/freeipa/issue/8848
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
18563bc8 by Alexander Bokovoy at 2021-05-25T16:45:37+03:00
freeipa.spec: do not use jsl for linting on Fedora 34+

jsl package is orphaned in Fedora 34+ as it cannot be built.

Related: https://pagure.io/freeipa/issue/8847
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c711292b by Stanislav Levin at 2021-05-25T16:45:37+03:00
azure: Collect systemd boot log

If an error occurred during the container setup phase then no logs will
be collected and it is hard (impossible?) to debug such issues on
remote Azure host. With this change in case of such error all the
container's journals will be collected in `systemd_boot_logs`.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c26907bc by Stanislav Levin at 2021-05-25T16:45:37+03:00
azure: Enforce multi-user.target as default systemd's target

This may speed up boot process.
For example, 'fedora:34' set graphical.target as default,
while multi-user one will be more appropriate.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
eb0a5db3 by Stanislav Levin at 2021-05-25T16:45:37+03:00
azure: Wait for systemd booted

Calling systemd's utils during systemd boot may lead to
unpredictable results. For example, if the DBus (dbus-broker) service
is not started then the DBus request goes nowhere and eventually will
time out. So, it's safer to wait for a fully booted system.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e243b956 by Stanislav Levin at 2021-05-25T16:45:37+03:00
azure: Remove no longer needed repo

libseccomp2 2.5.1 is in focal-updates (Ubuntu 20.04 LTS):
https://packages.ubuntu.com/focal-updates/libseccomp2

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4d53d9fd by Stanislav Levin at 2021-05-25T16:45:37+03:00
azure: Mask systemd-resolved

The initial value of NS of resolv.conf is 127.0.0.11, this
is the embedded NS of docker-compose. The disabling of
this feature is not currently supported by Docker.

On startup systemd-resolved caches the /etc/resolv.conf
(docker-compose version), which is later modified by
setup_containers.py script.

This results in a resolving error:
```console
[root at replica1 /]# getent ahosts master1.ipa.test
... can't resolve

[root at replica1 /]# grep 'hosts:' /etc/nsswitch.conf
hosts:      files myhostname resolve [!UNAVAIL=return] dns

[root at replica1 /]# resolvectl status
Global
       LLMNR setting: resolve
MulticastDNS setting: no
  DNSOverTLS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
  Current DNS Server: 127.0.0.11
         DNS Servers: 127.0.0.11
Fallback DNS Servers: 1.1.1.1
                      8.8.8.8
                      1.0.0.1
                      8.8.4.4
                      2606:4700:4700::1111
                      2001:4860:4860::8888
                      2606:4700:4700::1001
                      2001:4860:4860::8844
```

According to docs:
https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html#/etc/resolv.conf
our case is 4 (managed by other packages).

So, a restart of systemd-resolved is enough for its re-initialization,
but not for services that already received DNS results. To speed up
the overall process and to not restart each service which wants an
internet connection (or wait until the service retries the connection),
systemd-resolved is masked.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c90a3636 by Stanislav Levin at 2021-05-25T16:45:37+03:00
ipatests: Update expectations for test_detect_container

Since https://github.com/systemd/systemd/pull/17902/commits/a4a9a6f7c6e9cd9e219c56d08434a04bc2f395ff
systemd improves the detection of Docker and Podman containers based
on the presence of marker files.

```console
[slev at test systemd]$ git describe --contains --tags a4a9a6f7c6e9cd9e219c56d08434a04bc2f395ff
v248-rc1~155^2~1
```

Note: on Azure unit tests are run as a non-privileged user in a
non-systemd-inited container.

This worked on F32 because:
```console
[root at 6d2aad38f62c /]# rpm -q systemd
systemd-245.9-1.fc32.x86_64
```
So, actual comparison in test was `assert None == None`.

But F34 has:
```console
[root at 1ff1325f5a61 /]# rpm -q systemd
systemd-248-2.fc34.x86_64
```
So, the test's expectations should be updated.
Unfortunately, this is incompatible with older versions of systemd
(< v248).

See https://github.com/systemd/systemd/pull/17902 for details.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
aa0c8c83 by Stanislav Levin at 2021-05-25T16:45:37+03:00
azure: Add workaround for PhantomJS against OpenSSL 1.1.1

WebUI unit tests fail with:
```
PhantomJS threw an error:ERROR
>> Auto configuration failed 0 [
>>   'Auto configuration failed',
>>   '140613066520384:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory',
>>   '140613066520384:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:',
>>   '140613066520384:error:0E07506E:configuration file routines:MODULE_LOAD_DSO:error loading dso:conf_mod.c:285:module=ssl_conf, path=ssl_conf',
>>   '140613066520384:error:0E076071:configuration file routines:MODULE_RUN:unknown module name:conf_mod.c:222:module=ssl_conf'
>> ]
...

Warning: PhantomJS exited unexpectedly with exit code 1. Use --force to continue.

Aborted due to warnings.
```

See https://github.com/wch/webshot/pull/93 for details.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6164bfb5 by Stanislav Levin at 2021-05-25T16:45:37+03:00
azure: Warn about memory issues

A nonzero number of memory/memory+Swap usage limit hits may
indicate possible env instability (crashes, random failures, etc.).

> memory.failcnt		 # show the number of memory usage hits limits
  memory.memsw.failcnt		 # show the number of memory+Swap hits limits

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0932c921 by Stanislav Levin at 2021-05-25T16:45:37+03:00
BIND: Setup logging

- allow BIND's logging customization
- preconfig logging with ISC recommendations:
  https://kb.isc.org/docs/aa-01526

Fixes: https://pagure.io/freeipa/issue/8856
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
64c0f900 by Stanislav Levin at 2021-05-25T16:45:37+03:00
ipatests: Setup and collect BIND logs

For Base/XMLRPC tests BIND's logs are already collected.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5501fda5 by Stanislav Levin at 2021-05-25T16:45:37+03:00
azure: Run Base and XMLRPC tests in isolated network

The tests in these envs make DNS requests to wild (internet) NSs,
though usually tests assume the opposite, making requests to the
`test.` zone. This makes CI unstable and dependent on wild
resolvers, and logically wrong.

In future there may be tests which want to check BIND as a
resolver (cache) for external networks. In this case such tests
should be placed in non-isolated mode.

By default, a test env is not isolated from the internet (as it was
before), but it may be a good idea to change this default in
future.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a192c21b by Stanislav Levin at 2021-05-25T16:45:37+03:00
ipatests: Handle network-isolated mode

Since the dns plugin's tests have no access to wild resolvers,
nobody answers such requests but the authoritative NS.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b4876292 by Stanislav Levin at 2021-05-25T16:45:37+03:00
dnsutil: Improvements for IPA DNS Resolver

- check only IPv6 address of local NS if specified
- increase request timeout (2sec is too small; BIND resolver's
  default is 10sec)

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9e153118 by Stanislav Levin at 2021-05-25T16:45:37+03:00
dns: get_reverse_zone: Ignore resolver's timeout

The DNS server may not process a query within its internal timeout for
some reason, or may not answer a query at all. This may indicate
a high load on the DNS server. For example, if the IPA DNS server is
configured with 'none' forward policy (read as resolver), then
SERVFAIL/Timeout errors will be normal until the cache for zones is hot.
The resolver's timeout, in turn, indicates that it queried a server, but
didn't receive an answer within the specified timeout.

Related: https://pagure.io/freeipa/issue/7397
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
645f90a8 by Stanislav Levin at 2021-05-25T16:45:37+03:00
pytest: Show extra summary information for all except passed tests

By default pytest reports in the summary section about test failures and errors.
It will be helpful to also see skipped, xfailed and xpassed tests.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
535131d6 by Stanislav Levin at 2021-05-25T16:45:37+03:00
ipatests: Ignore warnings on failed to read files on tarring

There are tons of useless warnings about missing files on collecting
logs, such as:

```
tar: /var/log/ipaserver-kra-install.log: Warning: Cannot stat: No such file or directory
tar: /var/log/ipaepn.log: Warning: Cannot stat: No such file or directory
tar: /etc/NetworkManager/NetworkManager.conf: Warning: Cannot stat: No such file or directory
tar: /var/log/ipabackup.log: Warning: Cannot stat: No such file or directory
tar: /var/log/iparestore.log: Warning: Cannot stat: No such file or directory
...

```

Since the `--ignore-failed-read` option is passed to tar, the caller
doesn't care about unreadable (mostly missing) files and these warnings
may be filtered out.

This improves the readability of test logs.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
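
An added example (Python, not FreeIPA's own code) of the filtering this commit describes: drop tar's "Cannot stat" warnings from captured stderr only when the caller passed --ignore-failed-read, so real tar errors are still surfaced. The sample stderr is constructed from the lines quoted above plus one unrelated tar message; the function names are hypothetical.

```python
# Added example, not FreeIPA's own code: drop the tar "Cannot stat"
# warnings from captured stderr when the caller passed
# --ignore-failed-read, and keep everything else.
import re

# Constructed sample: the warnings quoted in the commit message above,
# plus one unrelated tar message that must survive the filter.
SAMPLE_STDERR = """\
tar: /var/log/ipaserver-kra-install.log: Warning: Cannot stat: No such file or directory
tar: /var/log/ipaepn.log: Warning: Cannot stat: No such file or directory
tar: /etc/NetworkManager/NetworkManager.conf: Warning: Cannot stat: No such file or directory
tar: Removing leading `/' from member names
"""

# With --ignore-failed-read GNU tar reports a missing member as
# "Warning: Cannot stat" instead of failing. Match the whole line so
# a genuine error line (e.g. "Cannot open") is never swallowed.
CANNOT_STAT_WARNING = re.compile(r"^tar: .*: Warning: Cannot stat: .*$")


def filter_tar_stderr(stderr: str, tar_args) -> list:
    """Return the stderr lines worth logging for one tar invocation."""
    lines = stderr.splitlines()
    if "--ignore-failed-read" not in tar_args:
        # The caller did not ask tar to tolerate missing files: keep it all.
        return lines
    return [line for line in lines if not CANNOT_STAT_WARNING.match(line)]


def demo() -> list:
    """Hypothetical log-collection call: tar is run with
    --ignore-failed-read, so only the non-"Cannot stat" line remains."""
    args = ["tar", "--ignore-failed-read", "-czf", "/tmp/logs.tgz", "/var/log"]
    return filter_tar_stderr(SAMPLE_STDERR, args)
```

The filter keys on the exact argument rather than on exit status: tar exits 0 in this mode whether or not members were missing, so the warnings are the only record and the caller decides, per invocation, whether they matter.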

- - - - -
c92f1002 by Stanislav Levin at 2021-05-25T16:45:37+03:00
ipatests: Suppress list trust or certificates

There is a lot of useless information in the test runner's log on
server uninstallation about list trust and certificates, such
as:

```
RUN ['trust', 'list']
pkcs11:id=%D2%87%B4%E3%DF%37%27%93%55%F6%56%EA%81%E5%36%CC%8C%1E%3F%BD;type=cert
    type: certificate
    label: ACCVRAIZ1
    trust: anchor
    category: authority

pkcs11:id=%F7%7D%C5%FD%C4%E8%9A%1B%77%64%A7%F5%1D%A0%CC%BF%87%60%9A%6D;type=cert
    type: certificate
    label: AC RAIZ FNMT-RCM
    trust: anchor
    category: authority

pkcs11:id=%52%D8%88%3A%C8%9F%78%66%ED%89%F3%7B%38%70%94%C9%02%02%36%D0;type=cert
    type: certificate
    label: Actalis Authentication Root CA
    trust: anchor
    category: authority

...

```

This improves the readability of test logs.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3049b958 by Stanislav Levin at 2021-05-25T16:45:37+03:00
azure: Collect installed packages

The list of installed packages may be useful for checking the
versions of packages for analysis. Previously, only the newly
installed packages could be observed in the Build phase.

This is convenient for experienced users of PR-CI.

Note: read-only access is provided for non-master containers
so they are able to execute Azure scripts. The logs are still collected
only on the controller.

Only RPM-based collection is implemented for Fedora. By default
nothing is collected.

Users may want to override `installed_packages` function
in the corresponding `ipatests/azure/scripts/variables-DISTRO.sh`.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3ada2d98 by Stanislav Levin at 2021-05-25T16:45:37+03:00
ipatests: dnssec: Add alternative approach for checking chain of trust

drill is currently broken on F34. Fortunately, there are other
tools for checking DNSSEC trust. One of them is `delv`:

> delv is a tool for sending DNS queries and validating the results,
> using the same internal resolver and validator logic as named.

delv sends to a specified name server all queries needed to fetch and
validate the requested data; this includes the original requested query,
subsequent queries to follow CNAME or DNAME chains, queries for DNSKEY,
and DS records to establish a chain of trust for DNSSEC validation. It
does not perform iterative resolution, but simulates the behavior of a
name server configured for DNSSEC validating and forwarding.

Related: https://pagure.io/freeipa/issue/8793
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0dd0631b by Stanislav Levin at 2021-05-25T16:45:37+03:00
azure: Warn about extra and missing gating tests compared to PR-CI

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d4d27947 by Stanislav Levin at 2021-05-25T16:45:37+03:00
azure: Re-balance tests envs

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
692f42dc by Stanislav Levin at 2021-05-25T16:45:37+03:00
azure: coredump: Wait for systemd fully booted

Otherwise, 'Check for coredumps' task fails with:
```
Verifying        : samba-debugsource-2:4.14.4-0.fc34.x86_64             20/20
[Errno 2] No such file or directory: '/var/lib/dnf/rpmdb_lock.pid'
Finishing: Check for coredumps
```

This is due to systemd-tmpfiles (not ready yet).

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
391ca8b9 by Stanislav Levin at 2021-05-25T16:45:37+03:00
azure: Make it possible to adjust Docker resources per test env

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
986e2d7d by Florence Blanc-Renaud at 2021-05-27T09:15:48+03:00
pkispawn: override AJP connector address

Since commit 1906afbeb3c8b7140601be7f9bee2f7fef5b0a5e, in order to fix
rhbz#1780082, pki defines AJP connectors using localhost4 and localhost6:
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost4" name="Connector1" secret="..."/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost6" name="Connector2" secret="..."/>

When /etc/hosts only defines the following:
    127.0.0.1 localhost
    ::1 localhost
the connector initialization may fail with
    java.net.BindException: Address already in use

The installer can add the following definitions to pkispawn cfg file:
    pki_ajp_host_ipv4=127.0.0.1
    pki_ajp_host_ipv6=::1
in order to force the value to an IP address instead of localhost4/6.

Fixes: https://pagure.io/freeipa/issue/8851
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ab5aba2b by Alexander Bokovoy at 2021-05-29T13:21:06+03:00
Update IRC links to point to Libera.chat

Update documentation now that we moved IRC channels #freeipa and #sssd
to Libera.chat network.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
51932838 by MIZUTA Takeshi at 2021-05-29T13:21:52+03:00
Add --keyfile option to ipa-otptoken-import.1

ipa-otptoken-import.1 describes the -k option.
However, the long option --keyfile option is also available.
Therefore, add the --keyfile option to ipa-otptoken-import.1.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
04a6583c by Alexander Bokovoy at 2021-06-01T21:12:14+03:00
ds: Support renaming of a replication plugin in 389-ds

IPA topology plugin depends on the replication plugin but
389-ds cannot handle older alias querying in the plugin
configuration with 'nsslapd-plugin-depends-on-named: ..' attribute

See https://github.com/389ds/389-ds-base/issues/4786 for details

Fixes: https://pagure.io/freeipa/issue/8799

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d933123e by Alexander Bokovoy at 2021-06-03T09:49:28+03:00
po/bn_IN.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7cb4ee0d by Alexander Bokovoy at 2021-06-03T09:49:28+03:00
po/ca.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
626c7f7d by Alexander Bokovoy at 2021-06-03T09:49:28+03:00
po/cs.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5ed8987f by Alexander Bokovoy at 2021-06-03T09:49:28+03:00
po/de.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9c34f7ea by Alexander Bokovoy at 2021-06-03T09:49:28+03:00
po/en_GB.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f9c667e8 by Alexander Bokovoy at 2021-06-03T09:49:28+03:00
po/es.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4f68174c by Alexander Bokovoy at 2021-06-03T09:49:28+03:00
po/eu.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
00a0cb3a by Alexander Bokovoy at 2021-06-03T09:50:03+03:00
po/fr.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1de25fb8 by Alexander Bokovoy at 2021-06-03T09:50:03+03:00
po/hi.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3eca1f91 by Alexander Bokovoy at 2021-06-03T09:50:03+03:00
po/hu.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
87150c2b by Alexander Bokovoy at 2021-06-03T09:50:03+03:00
po/id.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0feda3dd by Alexander Bokovoy at 2021-06-03T09:50:03+03:00
po/ipa.pot: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
44c57c27 by Alexander Bokovoy at 2021-06-03T09:50:03+03:00
po/ja.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8c5ca861 by Alexander Bokovoy at 2021-06-03T09:50:03+03:00
po/kn.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a4679b8b by Alexander Bokovoy at 2021-06-03T09:50:03+03:00
po/mr.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fa15bf13 by Alexander Bokovoy at 2021-06-03T09:50:03+03:00
po/nl.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e8ba9170 by Alexander Bokovoy at 2021-06-03T09:50:03+03:00
po/pa.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e7bfe72c by Alexander Bokovoy at 2021-06-03T09:50:40+03:00
po/pt.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
468c4852 by Alexander Bokovoy at 2021-06-03T09:50:40+03:00
po/pt_BR.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d3ef07ad by Alexander Bokovoy at 2021-06-03T09:50:40+03:00
po/ru.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9905e383 by Alexander Bokovoy at 2021-06-03T09:50:53+03:00
po/sk.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3f74383c by Alexander Bokovoy at 2021-06-03T09:50:53+03:00
po/tg.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5cf13401 by Alexander Bokovoy at 2021-06-03T09:50:53+03:00
po/tr.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
94831c34 by Alexander Bokovoy at 2021-06-03T09:51:22+03:00
po/zh_CN.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8e05170f by Stanislav Levin at 2021-06-03T13:07:10+03:00
ipatests: Fetch sudo rules without time offset

As of 2.5.0 SSSD introduces a random timeout for the refresh
of the SUDO rules [0]. With that change it's no longer possible
to immediately fetch SUDO rules unless the feature is disabled
[1].

[0]: https://github.com/SSSD/sssd/issues/5609
[1]: https://github.com/SSSD/sssd/issues/5635

Related: https://pagure.io/freeipa/issue/8844
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d7f3c1ff by Alexander Bokovoy at 2021-06-03T14:58:47+02:00
service: enforce keytab user when retrieving the keytab

The HTTP service uses a different user for keytab ownership than the service
user. On Fedora this leads to http.keytab being owned by the 'apache' user
after IPA deployment while it should be owned by 'root' to allow
the GSSPROXY configuration to work correctly.

The situation is fixed during upgrade (ipa-server-upgrade) but it means
for new deployments there might be a period of unexplained Web UI
authentication failures.

Fixes: https://pagure.io/freeipa/issue/8872

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
15b47c8b by Serhii Tsymbaliuk at 2021-06-03T20:10:57+03:00
WebUI: Add support of 'ipaautoprivategroups' LDAP attribute on 'ID Ranges' page

Add 'Auto private groups' field on 'Add ID range' form with the following options: true, false, hybrid.
The field is optional and can be omitted.
Its value can be also modified on 'Range Settings' page after the range is added.

Ticket: https://pagure.io/freeipa/issue/8837

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
dfbafafc by Serhii Tsymbaliuk at 2021-06-03T20:10:57+03:00
WebUI tests: Add test for 'ipaautoprivategroups' field on 'ID Ranges' page

Add test_range_auto_private_groups test case to test_trust WebUI test suite to cover the field.

Ticket: https://pagure.io/freeipa/issue/8837

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
63d20c44 by Rob Crittenden at 2021-06-04T10:57:26+02:00
Catch ValueError when trying to retrieve existing credentials

get_credentials() was changed to raise ValueError instead of
gssapi.exceptions.GSSError as part of the sweeper to clean up
expired credentials caches.

For WebUI users, this will prevent a 500 error if their
associated credentials cache is expired or missing.

https://pagure.io/freeipa/issue/8873

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3dd8c4d5 by Alexander Bokovoy at 2021-06-04T12:23:16+03:00
Depend on system-logos-ipa on RHEL/CentOS Stream

Fedora ELN represents itself as a RHEL but it does not have
redhat-logos-ipa package. CentOS Stream does not have redhat-logos-ipa
but has centos-logos-ipa package. Both RHEL and CentOS Stream provide
system-logos-ipa so we can depend on it instead.

This makes IPA packages installable on CentOS Stream and on
Fedora ELN.

Fixes: https://pagure.io/freeipa/issue/8874

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1157c5b1 by Alexander Bokovoy at 2021-06-04T12:25:16+03:00
po/es.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
45232145 by Alexander Bokovoy at 2021-06-04T12:25:16+03:00
po/ipa.pot: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d6de84e7 by Alexander Bokovoy at 2021-06-04T12:25:16+03:00
po/ru.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5b6a6561 by Alexander Bokovoy at 2021-06-04T12:25:16+03:00
po/uk.po: Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d64d74df by Alexander Bokovoy at 2021-06-04T12:26:34+03:00
Become FreeIPA 4.9.4

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b25f5bd9 by Alexander Bokovoy at 2021-06-04T12:27:55+03:00
Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5238651d by Alexander Bokovoy at 2021-06-04T15:38:36+03:00
get_credentials: return ValueError for missing creds

Related: https://pagure.io/freeipa/issue/8873

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
79e09191 by Armando Neto at 2021-06-07T10:54:28+02:00
ipatests: Bump PR-CI boxes

Update Fedora 34 and 33 boxes to include new packages.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
13b257d7 by Florence Blanc-Renaud at 2021-06-08T08:31:56+02:00
ipatests: set selinux context for fips mode

In order to test FIPS mode, the test is faking a user-space
FIPS environment by creating a file /var/tmp/userspace-fips
and bind-mounting this file as /proc/sys/crypto/fips_enabled

The security context needs to be properly set otherwise
/proc/sys/crypto/fips_enabled inherits the security context
unconfined_u:object_r:user_tmp_t:s0 and cannot be read,
resulting in the test seeing fips_mode=false.

Fixes: https://pagure.io/freeipa/issue/8868
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2b22450d by Florence Blanc-Renaud at 2021-06-08T10:48:18+02:00
ipatests: delete the replica before uninstallation

The test
test_installation.py::TestInstallWithCA1::test_install_with_bad_ldap_conf
is uninstalling a replica by calling ipa-server-install --uninstall
directly, instead of deleting the replica first.

Use tasks.uninstall_replica instead of tasks.uninstall_master
to perform a proper uninstallation.

Fixes: https://pagure.io/freeipa/issue/8876
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6ee14f51 by Sergey Orlov at 2021-06-09T09:18:25+02:00
ipatests: temporarily disable execution of test_nfs.py::TestNFS in nightly runs

During test runs on Fedora 34 and 35 sssd produces a multi-gigabyte log file
which causes test runners to run out of disk space.

Related to https://pagure.io/freeipa/issue/8877

Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
6eb53533 by Florence Blanc-Renaud at 2021-06-10T09:38:52+02:00
freeipa.spec: bump 389-ds version

IPA depends on the 389-ds version with the fix for
https://github.com/389ds/389-ds-base/issues/4700
Regression in winsync replication agreement

The same 389-ds version also fixes
https://github.com/389ds/389-ds-base/issues/4670
389ds coredump in IPA nightly test
test_caless.py::TestReplicaInstall::test_wildcard_http

Fixes: https://pagure.io/freeipa/issue/8691
Fixes: https://pagure.io/freeipa/issue/8756
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c9f5acc0 by Sergey Orlov at 2021-06-10T20:55:30+02:00
ipatests: disable test_nfs.py::TestNFS in nightly runs on Fedora 33

Also disable on Fedora 33 as it also has the faulty version of sssd
which produces a multi-gigabyte log file.

Related to https://pagure.io/freeipa/issue/8877

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
06a445af by Florence Blanc-Renaud at 2021-06-12T11:21:04+03:00
ipa-cert-fix man page: add note about certmonger renewal

ipa-cert-fix man page needs to explain that certmonger may
trigger a renewal right after ipa-cert-fix completes because
certmonger does not notice the updated certificates.

Also add a similar note at the end of ipa-cert-fix.

Fixes: https://pagure.io/freeipa/issue/8702
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
700be749 by Stanislav Levin at 2021-06-14T10:14:34+03:00
krb_utils: Simplify get_credentials

Previously, `get_credentials` raised either ValueError or re-raised
GSSError. The former makes the handling of this function more difficult
without a good reason.

With this change:
- `get_credentials` no longer handles exceptions by itself, but delegates
this to the callers (which already process GSS errors).
- `get_credentials_if_valid` doesn't raise any expected exceptions, but
returns valid credentials (at the moment of calling) or None. This makes
it consistent with the docs.

Related: https://pagure.io/freeipa/issue/8873
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0fd06f33 by Stanislav Levin at 2021-06-14T10:14:34+03:00
gssproxy: Don't refresh expired delegated credentials

`mod_auth_gssapi` exports delegated credentials into `/run/ipa/ccaches`
and passes down that path as the `KRB5CCNAME` env variable to the WSGI worker.

GSSProxy, in turn, protects these credentials from direct usage by
`ipa-api`. But the configuration of `service/ipa-api` (in particular,
'cred_store = client_keytab:/var/lib/ipa/gssproxy/http.keytab') and
the default GSS name ('=None') dictate refreshing expired credentials
with the client's keytab, overwriting the original credentials with
initial credentials of the keytab's principal.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e045f118 by Alexander Bokovoy at 2021-06-14T15:51:15+03:00
Become FreeIPA 4.9.5

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9f16174c by Alexander Bokovoy at 2021-06-14T15:52:10+03:00
Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
22f0d8c5 by Rob Crittenden at 2021-06-15T13:24:29-04:00
When loading certificates verify that it is X.509 v3

Simple version enforcement. A v1 certificate won't have the
extensions that are assumed available later during the validation
process.

https://pagure.io/freeipa/issue/8817

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
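
An added example, not FreeIPA's code, of what this version check amounts to at the encoding level: in DER the certificate version is an optional [0] EXPLICIT INTEGER that defaults to v1 when absent, so a loader has to treat "no version field" as v1 and reject it, rather than assuming extensions will be there. The two byte strings are constructed fragments (outer SEQUENCE, tbsCertificate SEQUENCE, version and serial only), not real certificates; the helper names are hypothetical.

```python
# Added example, not FreeIPA's own code: read the X.509 version field
# straight from DER so a v1 certificate (which can carry no extensions)
# is rejected before any extension is looked up.


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length header at pos.
    Returns (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                      # short form: length in one byte
        length, header = first, 2
    else:                                 # long form: first & 0x7F length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header = 2 + n
    start = pos + header
    end = start + length
    if end > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, start, end


def x509_version(der: bytes) -> int:
    """Return the certificate version as written in the cert (1, 2 or 3).

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        version [0] EXPLICIT INTEGER DEFAULT v1(0), serialNumber INTEGER, ... }, ... }
    """
    tag, tbs_start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, first_field, _ = _read_tlv(der, tbs_start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, vstart, vend = _read_tlv(der, first_field)
    if tag != 0xA0:
        # version is DEFAULT v1, so a v1 certificate simply omits it.
        return 1
    tag, istart, iend = _read_tlv(der, vstart)
    if tag != 0x02 or iend != vend:
        raise ValueError("malformed version field")
    return int.from_bytes(der[istart:iend], "big") + 1


def is_v3(der: bytes) -> bool:
    """The check the commit above enforces: only v3 certificates pass."""
    return x509_version(der) == 3


def load_certificate(der: bytes) -> bytes:
    """Hypothetical loader entry point: refuse anything but X.509 v3."""
    version = x509_version(der)
    if version != 3:
        raise ValueError(f"X.509 v{version} certificate is not supported; v3 is required")
    return der


# Constructed fragments (not real certificates): outer SEQUENCE,
# tbsCertificate SEQUENCE, optional version and a serial number, which is
# all the version logic looks at.
V3_FRAGMENT = bytes.fromhex("300a3008a003020102020105")  # version [0] INTEGER 2 -> v3
V1_FRAGMENT = bytes.fromhex("30053003020105")            # no version field -> v1
```

Rejecting at load time keeps the failure local and explicit; letting a v1 certificate through only to have an extension lookup fail later gives the error the vague shape described in the commit.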

- - - - -
7b278b63 by Florence Blanc-Renaud at 2021-06-17T08:11:43+02:00
CA-less install: non-ASCII chars in CA cert subject

In a CA-less install, if the CA cert subject contains
non-ascii characters, ipa-server-install fails when
configuring SSL for httpd.

The issue happens when calling ipautil.run to extract the keys
from a p12 file. The code is using the raw output of the command
and doesn't need to specify capture_output=True, as this option
breaks if the output contains non-ascii characters.
The raw_output contains bytes; the output is a str built by decoding
the raw_output and may fail if non-ascii characters are present.

Fixes: https://pagure.io/freeipa/issue/8880
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
4b040e10 by Florence Blanc-Renaud at 2021-06-17T08:11:43+02:00
ipatests: use non-ascii chars in CA-less install

The CA-less installation creates an external CA with the
subject CN=CA,O=Example Organization.
In order to test non-ascii subjects, use
CN=CA,O=Example Organization España
instead.

Related: https://pagure.io/freeipa/issue/8880
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
1be15d20 by Christian Heimes at 2021-06-17T09:51:45+02:00
Add Custodia 0.6.0 to ipaserver package

Incorporate Custodia into IPA.

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d804f1fe by Christian Heimes at 2021-06-17T09:51:45+02:00
Remove unused Custodia modules

The CLI, IPA integration and storage backends are not used by IPA.

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
02ece292 by Christian Heimes at 2021-06-17T09:51:45+02:00
Fix Custodia imports

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0ec775fc by Christian Heimes at 2021-06-17T09:51:45+02:00
Fix Custodia pylint issues

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7cb2c89d by Christian Heimes at 2021-06-17T09:51:45+02:00
Remove more unused Custodia code

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
cde5e2d4 by Christian Heimes at 2021-06-17T09:51:45+02:00
Add Custodia tests

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
62647ff3 by Christian Heimes at 2021-06-17T09:51:45+02:00
Also drop Custodia client and forwarder

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3698c620 by Timo Aaltonen at 2021-06-17T13:00:32+03:00
Merge branch 'upstream'

- - - - -
0a952abd by Timo Aaltonen at 2021-06-17T13:01:14+03:00
bump the version

- - - - -
2b0c6fe0 by Timo Aaltonen at 2021-06-17T13:11:43+03:00
client: Drop csrgen

- - - - -
acee2a29 by Timo Aaltonen at 2021-06-17T13:33:15+03:00
control: Drop dependency on custodia, not needed.

- - - - -
e911f28d by Timo Aaltonen at 2021-06-17T16:59:24+03:00
add wsgi to python3-ipaserver

- - - - -
7bed7e4b by Antonio Torres at 2021-06-18T10:43:39-04:00
Allow PKINIT to be enabled when updating from a pre-PKINIT IPA CA server

When upgrading from a server with IPA CA before PKINIT was introduced
(4.5), PKINIT would not be enabled and there wasn't any way to enable it
since upgrade code only issues self-signed certificates when
certificates are missing. With this change there is a way to enable
PKINIT when coming from an IPA server with a pre-PKINIT version (4.4 and
before).

Fixes: https://pagure.io/freeipa/issue/8532
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
48370cb3 by Antonio Torres at 2021-06-21T10:54:41+02:00
host: try to resolve FQDN before command execution

Trying to resolve the FQDN before command execution (during
pre-callback) helps detect cases where the host specified by the user
does not exist, saving execution time. Aside from this, resolving the
FQDN is useful when only the shortname of the host is passed, as this
would cause issues when trying to update the DNS records during
modification of the entry.

Fixes: https://pagure.io/freeipa/issue/8726
Fixes: https://pagure.io/freeipa/issue/8884
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
27a65a1a by Antonio Torres at 2021-06-21T10:54:41+02:00
ipatests: test host update using shortname

Add test to ensure that host-mod resolves the FQDN when passing the
shortname of the host being modified.

Related: https://pagure.io/freeipa/issue/8726
Related: https://pagure.io/freeipa/issue/8884
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
45d8118e by Rob Crittenden at 2021-06-22T09:26:18+02:00
Use get_replication_plugin_name in LDAP updater

This allows for a consistent way to retrieve the value from
LDAP. The method is used to find an existing entry. It is not usable
to add or remove entries.

Moving it in the code allows the value to always be set in the
substitution dictionary and not rely on a specific caller.

It was moved to installutils.py to avoid circular import.

https://pagure.io/freeipa/issue/8885

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2aa77992 by Sudhir Menon at 2021-06-23T10:00:29+02:00
ipatests: Test to check that ResponseNotReady error is not displayed when user session cache is deleted

Pagure: https://pagure.io/freeipa/issue/7752

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
d744ff3c by Stanislav Levin at 2021-06-25T13:35:28-04:00
ipatests: healthcheck: Update IPAHostKeytab assumptions

As of 0.9 freeipa-healthcheck requires a running `dirsrv` service
for the `IPAHostKeytab` check. So, the previous assumption about
triggering the GSSAPI error no longer works. For example, this can
be achieved by deletion of the host's keytab.

Fixes: https://pagure.io/freeipa/issue/8889
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
52e60889 by Serhii Tsymbaliuk at 2021-06-25T21:33:56+02:00
WebUI: Fix certificate serial number representation

Big numbers are automatically translated to scientific notation in JavaScript.
It causes an issue with some certificate serial numbers.
The fix normalizes the notation based on the original value from serial_number_hex.

The implementation works only for browsers that support BigInt.
It would not work for old browsers like Internet Explorer.

Ticket: https://pagure.io/freeipa/issue/8754

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
32eb409c by Stanislav Levin at 2021-06-28T15:47:29+03:00
plugins: Don't treat keys of api as bytes

The plugin `plugins` iterates over the keys of API instance,
__iter__ of which is a generator of class.__name__ from
(Command, Object, Method, Backend, Updater). So, the allowed type
is str, not bytes.

Fixes: https://pagure.io/freeipa/issue/8898
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
15d71024 by Stanislav Levin at 2021-06-28T15:47:29+03:00
ipatests: Add tests for `plugins` plugin

Previously there were no tests for `ipalib.misc` module.

Fixes: https://pagure.io/freeipa/issue/8898
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0abae791 by Stanislav Levin at 2021-06-28T15:47:29+03:00
ipatests: Add tests for `env` plugin

Previously there were no tests for `ipalib.misc` module.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e82f2538 by François Cami at 2021-06-29T10:01:01+03:00
ipa-client-install: remove fsync in do_nsupdate()

No need to flush buffers on the nsupdate file as it will get
removed at the end of the function.

Related: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a8588c50 by François Cami at 2021-06-29T10:01:01+03:00
ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)

ipa-client-install invokes nsupdate with GSS-TSIG at client
enrollment time. If that fails, no retry is done.
Change that behavior to try again without GSS-TSIG.

Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3cbd24dd by François Cami at 2021-06-29T10:01:01+03:00
ipa-client-install: update sssd.conf if nsupdate requires -g

If dynamic DNS updates are selected, sssd will use GSS-TSIG
by default for nsupdate.
When ipa-client-install notices that plain nsupdate is required,
switch sssd to use no authentication for dynamic updates too.

Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
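
An added example, not ipa-client-install's code, of the three commits above taken together: try nsupdate with GSS-TSIG (-g), retry without it, and when only the plain update succeeds set sssd's dyndns_auth to none so SSSD's later refreshes use the same mode. dyndns_auth is a real sssd.conf option (values gss-tsig or none); the sssd.conf text, the update script and the fake runner standing in for nsupdate are constructed so the example runs offline. The fallback means the client then maintains its records with unauthenticated updates, which only works where the zone's update policy permits them, and which mode a client ended up in is worth recording on the client side.

```python
# Added example, not ipa-client-install's own code: run nsupdate with
# GSS-TSIG first, retry without it, and when only the plain update
# succeeded switch sssd's dynamic DNS updates to no authentication too.
import configparser
import io
import subprocess


def run_nsupdate(update_script: str, gss_tsig: bool, runner=subprocess.run) -> bool:
    """Feed an nsupdate script to nsupdate(1); -g selects GSS-TSIG."""
    argv = ["nsupdate", "-g"] if gss_tsig else ["nsupdate"]
    result = runner(argv, input=update_script.encode(), capture_output=True)
    return result.returncode == 0


def do_nsupdate(update_script: str, runner=subprocess.run):
    """Return the auth mode that worked: 'gss-tsig', 'none', or None."""
    if run_nsupdate(update_script, gss_tsig=True, runner=runner):
        return "gss-tsig"
    if run_nsupdate(update_script, gss_tsig=False, runner=runner):
        return "none"
    return None


def set_sssd_dyndns_auth(sssd_conf: str, domain: str, auth: str) -> str:
    """Set dyndns_auth (sssd.conf option: gss-tsig or none) in the
    [domain/<name>] section and return the rewritten file text."""
    if auth not in ("gss-tsig", "none"):
        raise ValueError(auth)
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep option names as written
    cp.read_string(sssd_conf)
    cp[f"domain/{domain}"]["dyndns_auth"] = auth
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def enroll_dns(update_script, sssd_conf, domain, runner=subprocess.run):
    """Enrollment step: update DNS, then align sssd.conf with the auth
    mode that actually worked. Returns (mode, new_sssd_conf)."""
    mode = do_nsupdate(update_script, runner=runner)
    if mode == "none":
        sssd_conf = set_sssd_dyndns_auth(sssd_conf, domain, "none")
    return mode, sssd_conf


# --- constructed, offline stand-ins for the real command and file -----
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.test
services = nss, pam, ssh, sudo

[domain/example.test]
id_provider = ipa
ipa_domain = example.test
ipa_hostname = client.example.test
dyndns_update = True
"""

SAMPLE_UPDATE = "update delete client.example.test. IN A\nsend\n"


class FakeResult:
    """Minimal stand-in for subprocess.CompletedProcess."""
    def __init__(self, returncode):
        self.returncode = returncode


def fake_runner_gss_fails(argv, **kwargs):
    """Simulates a DNS server that rejects GSS-TSIG but accepts plain
    updates; records each argv it was called with."""
    fake_runner_gss_fails.calls.append(argv)
    return FakeResult(1 if "-g" in argv else 0)


fake_runner_gss_fails.calls = []


def demo():
    """Run the enrollment step against the fake server."""
    fake_runner_gss_fails.calls.clear()
    mode, conf = enroll_dns(SAMPLE_UPDATE, SAMPLE_SSSD_CONF, "example.test",
                            runner=fake_runner_gss_fails)
    return mode, "dyndns_auth = none" in conf, fake_runner_gss_fails.calls
```

Passing the runner in is what makes the fallback testable without a DNS server; the real call path is the default subprocess.run, and only the "none" outcome touches sssd.conf, so a GSS-TSIG success leaves the file untouched.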

- - - - -
5d995b8c by Sudhir Menon at 2021-06-29T11:06:36+02:00
Increase timeout for test_commands.py

test_commands.py testsuite is failing due to
'RunPytest timed out after 4800s'
Hence the timeout has been increased from 4800 to 5400

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
ae4478de by Rob Crittenden at 2021-06-29T11:04:56-04:00
Return a copy of cached entries, only with requested attributes

Some plugins, notably dns, modify a returned entry in order
to compare it to the user-provided info (e.g. dnsrecord-del).
This modification was done on the cached entry directly rather
than a copy which caused unexpected results, mostly
EmptyResult because the cached entry was changed directly so
the next get_entry returned the same modified entry.

In addition, on a hit in the LDAP cache the entire cached entry
was returned regardless of what attributes were requested.

The automember condition add/remove calls only request the
inclusive/exclusive rule attributes and loop over the returned
values to look for duplicates. This was failing because the queried
entry contains attributes that the candidate entry does not contain.
The automember code is:

    old_entry = ldap.get_entry(dn, [attr])
    for regex in old_entry.keys():
        if not isinstance(entry_attrs[regex], (list, tuple)):

old_entry, returned from the cache, contained objectclass, cn,
description, etc. which don't exist in the candidate entry so
entry_attrs[regex] threw a KeyError.

Return a copy of the entry and requested attributes on a
search HIT.

Also be more careful when storing the attributes in the cache entry.
The returned attributes may not match the requested. So store the
attributes we actually have.

This issue was exposed by Ansible which maintains a larger and
longer-lived cache because commands are executed in the server context
one after another, giving the cache a chance to build up.

Adjust the expected test results as well. In test_get_testuser()
the first request asks for all attributes (default) so ensure
that is successful since a user_add gets all attributes in
the post_callback. Next request a subset of the attributes which
is also a hit and confirm that only those requested were returned.

https://pagure.io/freeipa/issue/8897

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
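The aliasing bug and the fix described in the commit above, reduced to a runnable illustration. This is an added example, not FreeIPA's LDAPCache code: the `EntryCache` class, the sample entry and the DN are constructed here, and the two consumer functions only mirror the automember loop quoted in the message and the dnsrecord-del style of editing a fetched entry.

```python
import copy

# Constructed sample entry, standing in for a cached automember rule entry.
SAMPLE_DN = "cn=devs,cn=hostgroup,cn=automember,cn=etc,dc=example,dc=test"
SAMPLE_ENTRY = {
    "objectclass": ["top", "automemberregexrule"],
    "cn": ["devs"],
    "description": ["developer hosts"],
    "automemberinclusiveregex": ["fqdn=^web[0-9]+", "fqdn=^db[0-9]+"],
}
ATTR = "automemberinclusiveregex"


class EntryCache:
    """Toy LDAP entry cache (not FreeIPA's own class)."""

    def __init__(self):
        self._entries = {}

    def store(self, dn, entry):
        # Keep a private copy so no caller can alias the cached object.
        self._entries[dn] = copy.deepcopy(entry)

    def get_entry_unsafe(self, dn, attrs_list=None):
        # Pre-fix behaviour: the cached object itself is returned and
        # attrs_list is ignored, so every stored attribute comes back.
        return self._entries[dn]

    def get_entry(self, dn, attrs_list=None):
        # Fixed behaviour: deep copy, restricted to the requested attributes
        # (None or '*' means all of them).
        entry = self._entries[dn]
        if attrs_list is None or "*" in attrs_list:
            return copy.deepcopy(entry)
        wanted = {a.lower() for a in attrs_list}
        return {k: copy.deepcopy(v) for k, v in entry.items()
                if k.lower() in wanted}


def find_duplicates(getter, dn, attr, entry_attrs):
    """The automember pattern quoted in the message: iterate over old_entry's
    keys and index entry_attrs by each of them. Returns duplicate values."""
    old_entry = getter(dn, [attr])
    duplicates = []
    for regex in old_entry.keys():
        if not isinstance(entry_attrs[regex], (list, tuple)):
            entry_attrs[regex] = [entry_attrs[regex]]
        duplicates.extend(v for v in entry_attrs[regex]
                          if v in old_entry[regex])
    return duplicates


def remaining_after_delete(getter, dn, attr, value):
    """The dnsrecord-del pattern: fetch, then modify the returned entry to
    work out what would remain. With the unsafe getter this edits the cache."""
    entry = getter(dn, [attr])
    entry[attr].remove(value)
    return entry[attr]


def demo():
    cache = EntryCache()
    cache.store(SAMPLE_DN, SAMPLE_ENTRY)
    results = {}
    new_attrs = {ATTR: "fqdn=^web[0-9]+"}

    # Unsafe getter: extra keys such as objectclass hit entry_attrs -> KeyError.
    try:
        find_duplicates(cache.get_entry_unsafe, SAMPLE_DN, ATTR, dict(new_attrs))
        results["unsafe_add"] = "ok"
    except KeyError as exc:
        results["unsafe_add"] = "KeyError: %s" % exc.args[0]

    # Fixed getter: only ATTR is returned, and the duplicate is detected.
    results["fixed_add"] = find_duplicates(cache.get_entry, SAMPLE_DN, ATTR,
                                           dict(new_attrs))

    # Unsafe getter: the local edit leaks into the cache for the next reader.
    remaining_after_delete(cache.get_entry_unsafe, SAMPLE_DN, ATTR,
                           "fqdn=^db[0-9]+")
    results["cache_after_unsafe_delete"] = cache.get_entry(SAMPLE_DN, [ATTR])[ATTR]

    # Fixed getter: the cache is untouched by the caller's edit.
    cache.store(SAMPLE_DN, SAMPLE_ENTRY)
    remaining_after_delete(cache.get_entry, SAMPLE_DN, ATTR, "fqdn=^db[0-9]+")
    results["cache_after_fixed_delete"] = cache.get_entry(SAMPLE_DN, [ATTR])[ATTR]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows both symptoms from the message side by side: the KeyError on `objectclass` when the whole cached entry comes back, and the "EmptyResult" precondition where a second lookup sees a value that a previous caller only meant to remove locally.

- - - - -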
6b3496a7 by Alexander Bokovoy at 2021-06-29T18:27:20+03:00
Become IPA v.4.9.6

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2b7e8841 by Alexander Bokovoy at 2021-06-29T18:29:14+03:00
Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e713c227 by François Cami at 2021-07-02T11:47:02-04:00
paths: add IPA_SERVER_CONF

Related: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ee4be290 by François Cami at 2021-07-02T11:47:02-04:00
ipatests: smoke test for server debug mode.

Add a smoke test to make sure the server can be set in debug mode
without issue.

Related: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1539c738 by François Cami at 2021-07-02T11:47:02-04:00
rpcserver.py: perf_counter_ns is Python 3.7+

perf_counter_ns is only available in Python 3.7 and later.
Define a lambda for 3.6 and lower.

Fixes: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9cfae262 by Florence Blanc-Renaud at 2021-07-05T16:45:19+02:00
Remove unneeded dependency on python-coverage

The spec file requires python3-coverage although it is not
used in the project.

Fixes: https://pagure.io/freeipa/issue/8905
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
a5d28572 by Antonio Torres at 2021-07-06T17:36:15+02:00
Add checks to prevent adding auth indicators to internal IPA services

Authentication indicators should not be enforced against internal
IPA services, since not all users of those services are able to produce
Kerberos tickets with all the auth indicator options. This includes
host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
If a client that is being promoted to replica has an auth indicator
in its host principal then the promotion is aborted.

Fixes: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
28484c3d by Antonio Torres at 2021-07-06T17:36:15+02:00
ipatests: ensure auth indicators can't be added to internal IPA services

Authentication indicators should not be added to internal IPA services,
since this can lead to a broken IPA setup. If a client has
an auth indicator set in its host principal, promoting it to a replica
should fail.

Related: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
06468b2f by Florence Blanc-Renaud at 2021-07-06T18:12:54+02:00
stageuser: add ipauserauthtypeclass when required

The command
ipa stageuser-add --user-auth-type=xxx
is currently failing because the objectclass ipauserauthtypeclass
is missing from the created entry.

There is code adding the missing objectclass in the
pre_common_callback method of user_add, and this code should
be common to user_add and stageuser_add. In order to avoid code
duplication, it makes more sense to move the existing code to
pre_common_callback of baseuser_add, that is called by both
classes.

Fixes: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4a5a0fe7 by Florence Blanc-Renaud at 2021-07-06T18:12:54+02:00
XMLRPC test: add a test for stageuser-add --user-auth-type

Related: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
076e499f by Florence Blanc-Renaud at 2021-07-08T17:32:56+02:00
augeas: bump version for rhel9

augeas 1.12.1-0.1 adds support for the new chrony configuration
settings.

Related: https://pagure.io/freeipa/issue/8676
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
195035ce by Florence Blanc-Renaud at 2021-07-08T18:10:50+02:00
man page: update ipa-server-upgrade.1

The man page needs to clarify in which case the command needs
to be run.

Fixes: https://pagure.io/freeipa/issue/8913
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
2c0a123e by Florence Blanc-Renaud at 2021-07-08T22:44:11+02:00
Server install: do not use unchecked ip addr for ipa-ca record

At the end of a server installation, the DNS records for
ipa-ca.$DOMAIN are created/updated with the IP addresses of the
new server.
The current code resolves the IP addresses of the new server
but doesn't check them. This can result in the addition of
a link-local address to ipa-ca record.

For each address, make sure that it's neither reserved nor a
link-local address.

Fixes: https://pagure.io/freeipa/issue/8810
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
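The address check described above, as an added example written with Python's standard `ipaddress` module; it is not FreeIPA's CheckedIPAddress code. Reserved and link-local are the two classes the commit message names; loopback, unspecified and multicast are rejected here as well, because a server address should never fall into them either. The resolved addresses are constructed sample data.

```python
import ipaddress

# Constructed sample: addresses a freshly installed server might resolve to.
SAMPLE_RESOLVED = [
    "192.0.2.10",                # ordinary unicast
    "169.254.10.20",             # IPv4 link-local
    "fe80::1ff:fe23:4567:890a",  # IPv6 link-local
    "2001:db8::10",              # ordinary unicast
    "127.0.0.1",                 # loopback
    "0.0.0.0",                   # unspecified
    "not-an-address",            # garbage from a broken resolver
]


def rejection_reason(addr_str):
    """Return None if the address may be published in the ipa-ca record,
    otherwise a short reason why it must not be."""
    try:
        addr = ipaddress.ip_address(addr_str)
    except ValueError:
        return "unparseable"
    if addr.is_reserved:
        return "reserved"
    if addr.is_link_local:
        return "link-local"
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:
        return "unspecified"
    if addr.is_multicast:
        return "multicast"
    return None


def select_ipa_ca_addresses(resolved):
    """Split resolved addresses into (usable, rejected), where rejected maps
    each bad address to its reason. Order is preserved and duplicates are
    dropped so the DNS record receives each address once."""
    usable, rejected, seen = [], {}, set()
    for addr_str in resolved:
        reason = rejection_reason(addr_str)
        if reason is not None:
            rejected[addr_str] = reason
            continue
        canonical = str(ipaddress.ip_address(addr_str))
        if canonical not in seen:
            seen.add(canonical)
            usable.append(canonical)
    return usable, rejected


if __name__ == "__main__":
    good, bad = select_ipa_ca_addresses(SAMPLE_RESOLVED)
    print("publish:", good)
    for addr, why in bad.items():
        print("skip %s (%s)" % (addr, why))
```

Logging the rejected addresses with their reason is the part worth keeping in a real installer: a host that only resolves to link-local addresses is a misconfiguration that should be visible in the install log rather than silently producing an empty ipa-ca record.

- - - - -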
ca8c7010 by Rob Crittenden at 2021-07-12T09:01:59+02:00
Add SHA384withRSA as a certificate signing algorithm

It required support in dogtag which was added in 10.5.0.

This is only easily configurable during installation because
it will set ca.signing.defaultSigningAlgorithm to the
selected algorithm in CS.cfg

The certificate profiles will generally by default set
default.params.signingAlg=- which means use the CA default.

So while an existing installation will technically allow
SHA384withRSA it will require profile changes and/or
changing the defaultSigningAlgorithm in CS.cfg and
restarting (completely untested). And that won't affect
already-issued certificates.

https://pagure.io/freeipa/issue/8906

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
b2e62923 by Florence Blanc-Renaud at 2021-07-12T12:48:12+02:00
ipatests: use whole date when calling journalctl --since

The test TestSelfExternalSelf::test_switch_back_to_self_signed
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.
Fixes: https://pagure.io/freeipa/issue/8918

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
26be7ffd by Sudhir Menon at 2021-07-12T13:43:04+02:00
ipatests: Fix for test_source_ipahealthcheck_ipa_host_check_ipahostkeytab

Expected error message has been modified for
test_source_ipahealthcheck_ipa_host_check_ipahostkeytab

Related: https://pagure.io/freeipa/issue/8889

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
3540986a by Christian Heimes at 2021-07-12T17:17:51-04:00
Add basic support for subordinate user/group ids

New LDAP object class "ipaUserSubordinate" with four new fields:
- ipasubuidnumber / ipasubuidcount
- ipasubgidnumber / ipasubgidcount

New self-service permission to add subids.

New command user-auto-subid to auto-assign subid

The code hard-codes counts to 65536, sets subgid equal to subuid, and
does not allow removal of subids. There is also a hack that emulates a
DNA plugin with step interval 65536 for testing.

Work around problem with older SSSD clients that fail with unknown
idrange type "ipa-local-subid", see: https://github.com/SSSD/sssd/issues/5571

Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5d4fe066 by Christian Heimes at 2021-07-12T17:17:51-04:00
Redesign subid feature

Subordinate ids are now handled by a new plugin class and stored in
separate entries in the cn=subids,cn=accounts subtree.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ef115b04 by Christian Heimes at 2021-07-12T17:17:51-04:00
Use 389-DS' dnaInterval setting to assign intervals

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e6e3fb60 by Christian Heimes at 2021-07-12T17:17:51-04:00
Fix ipa-server-upgrade

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
44ccc0f6 by Christian Heimes at 2021-07-12T17:17:51-04:00
Fix oid of ipaUserDefaultSubordinateId

Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9f4b8982 by Serhii Tsymbaliuk at 2021-07-12T17:17:51-04:00
WebUI: Improve subordinate ids user workflow

- add "Subordinate ID Statistics" page
- add button for generating subid in "Subordinate ids" tab of user details page
- allow to navigate directly to owner details from subordinate id page
- adjust i18n strings

Ticket: https://pagure.io/freeipa/issue/8361
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b53a52a1 by Christian Heimes at 2021-07-12T17:17:51-04:00
Test DNA plugin configuration

Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7f910eb2 by Michal Polovka at 2021-07-13T09:29:29+02:00
ipatests: test_ipahealthcheck: print a message if a system is healthy

Test that when the system is completely healthy, an informative message is
returned and not only empty output (list or json).

Related: https://pagure.io/freeipa/issue/8892

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e5df4dc4 by Michal Polovka at 2021-07-13T19:30:55+02:00
ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency

KRA instance import depends on lib389 package, which is not always
installed and that results in failure. Furthermore, test_installation
utilizes krainstance import. This fix moves relevant parts from
krainstance to ipalib constants where those are subsequently imported
from.

Related: https://pagure.io/freeipa/issue/8795

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
8ad535b6 by Rob Crittenden at 2021-07-14T09:54:14-04:00
Fall back to krbprincipalname when validating host auth indicators

When adding a new host the principal cannot be determined because it
relies on either:

a) an entry to already exist
b) krbprincipalname be a component of the dn

As a result the full dn is being passed into ipapython.Kerberos
which can't parse it.

Look into the entry in validate_validate_auth_indicator() for
krbprincipalname in this case.

https://pagure.io/freeipa/issue/8206

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
d456649f by Florence Blanc-Renaud at 2021-07-14T10:05:59-04:00
pr-ci definitions: add subid-related jobs

Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
40e4ccf1 by Florence Blanc-Renaud at 2021-07-15T08:02:15+02:00
webui tests: close notification when revoking cert

When a cert is revoked, a notification is displayed
and may obscure the buttons. Make sure to close the
notification before moving to the next step.

Fixes: https://pagure.io/freeipa/issue/8911
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
02c0da3e by Mohammad Rizwan at 2021-07-15T08:25:32+02:00
ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg

Earlier it used to fail when the startup directive was missing from CS.cfg.
With https://github.com/dogtagpki/pki/pull/3466, it changed to display
a warning rather than failing.

related: https://pagure.io/freeipa/issue/8890

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
1a4f459b by Florence Blanc-Renaud at 2021-07-15T18:22:21+02:00
spec file: Trust controller role should pull sssd-winbind-idmap package

ipa-server-trust-ad subpackage needs to pull in sssd-winbind-idmap.
Fixes: https://pagure.io/freeipa/issue/8923

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1a5159b2 by Alexander Bokovoy at 2021-07-16T19:18:34+02:00
rhel platform: add a named crypto-policy support

RHEL 8+ provides bind system-wide crypto policy support; enable it.

Fixes: https://pagure.io/freeipa/issue/8925
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
b132956e by Florence Blanc-Renaud at 2021-07-17T16:20:44+02:00
Index: Fix definition for memberOf

The index definition for memberOf is inconsistent:

dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: member
nsIndexType: eq
nsIndexType: sub
nsSystemIndex: false
objectClass: top
objectClass: nsIndex

The cn attribute should be memberOf, not member. Fix the definition.

Fixes: https://pagure.io/freeipa/issue/8920
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f7997ed0 by Florence Blanc-Renaud at 2021-07-18T14:00:58+02:00
webui tests: fix algo for finding available idrange

The webui tests for ID range evaluate a potentially free id range
by looking for existing ranges and picking a range = max value
+ 1 million.

With the addition of subuid range this algorithm produces values
over the limit because the subuid range goes from
2,147,483,648 to 4,294,836,224 and the max base id is 4,294,967,295.

Ignore the subuid range when picking a potential range.
Fixes: https://pagure.io/freeipa/issue/8919
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
161d5844 by François Cami at 2021-07-20T13:58:57+02:00
ipatests: smbclient "-k" => "--use-kerberos=desired"

Change documentation:
https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt

As of Samba 4.15rc1, smbclient does not accept "-k" anymore.
The "-k|--kerberos" option ("Try to authenticate with kerberos.")
has been replaced with "--use-kerberos=required|desired|off".

Fixes: https://pagure.io/freeipa/issue/8926
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
86869364 by François Cami at 2021-07-22T13:26:45-04:00
test_acme: refactor with tasks

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
701adb91 by François Cami at 2021-07-22T13:26:45-04:00
test_acme: make password renewal more robust

A kinit immediately following a password change can fail.
Setting KRB5_TRACE and retrieving kdcinfo will help to understand
the cause of failure.

Fixes: https://pagure.io/freeipa/issue/8929
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
5b826ab3 by François Cami at 2021-07-22T14:36:55-04:00
tasks.py: fix flake8-reported issues

Fixes: https://pagure.io/freeipa/issue/8931
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
0b9adf1d by Rob Crittenden at 2021-07-22T18:19:58-04:00
Use new method in check to prevent removal of last KRA

It previously used a vault connection to determine if any
KRA servers were installed. This would fail if the last KRA
was not available.

Use server roles instead to determine if the last KRA server
is to be removed.

https://pagure.io/freeipa/issue/8397

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
8ea8f8b6 by Rob Crittenden at 2021-07-22T18:19:58-04:00
ipatests: test removing last KRA when it is not running

Use the new role-based mechanism, one that doesn't rely
on direct communication to the server, to determine whether
the server being removed by `ipa server-del` contains the
last KRA server.

https://pagure.io/freeipa/issue/8397

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
eb1d509f by François Cami at 2021-07-23T11:21:23-04:00
Azure: temporarily disable problematic tests, #1

test_installation.TestInstallMaster, test_advise,
and test_integration.test_commands.TestIPACommand rely on DNS
forwarders and hit a known BIND bug:
https://gitlab.isc.org/isc-projects/bind9/-/issues/2728
quite often.
This is blocking gating nearly completely.
Disable these tests in gating until the bug is fixed and
the related build is available in Fedora.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
18ccaea7 by François Cami at 2021-07-23T11:21:23-04:00
Azure: temporarily disable problematic tests, #2

test_cert and test_SubCAkeyReplication are randomly failing.
The suspect for test_SubCAkeyReplication is an nss bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1985061

The reason for test_cert failures was not identified, the only
relevant line in the log contains:
2021-07-22T17:37:21.0873339Z tests: cert, result: 1, time: 30:08.98
2021-07-22T17:37:21.0874172Z Command exited with non-zero status 1

Disable these tests in gating until the NSS bug is fixed and
the related build is available in Fedora.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
33c561dc by François Cami at 2021-07-23T11:21:23-04:00
gating.yaml: Fix TestInstallMaster timeout

test_integration/test_installation.py::TestInstallMaster's
timeout is 10800 on all nightlies but it times out in gating with a
timeout of 3600. Use 7200 in gating so that it has some chance of
completing.

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
89ca5c88 by Rob Crittenden at 2021-07-26T13:11:38-04:00
Display all orphaned keys in automountlocation-tofiles

Only the first key was being displayed for any orphaned map.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
dbe4159e by Rob Crittenden at 2021-07-26T13:11:38-04:00
ipatests: Add test for ipa automountlocation-tofiles

Only the first key of orphaned automount keys was being
displayed.

tofiles was created because making sense of LDAP automount
information is a brain squeezer. The purpose is not to
display in a precise file format but to display it in
a sensible and understandable way.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
ded3cd3f by Rob Crittenden at 2021-07-26T13:11:38-04:00
Fix automountlocation-tofiles expected output in xmlrpc test

The previous output matched the bad behavior of only displaying
one orphaned key.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
02447762 by Armando Neto at 2021-07-27T15:23:36+02:00
ipatests: bump prci boxes + move gating to f34

Bump template box version to latest to include recently updated
dependencies and move gating and temp definitions to latest Fedora
release.

Issue: https://pagure.io/freeipa/issue/8935

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>

- - - - -
ab4720d9 by Antonio Torres at 2021-07-27T17:38:45+02:00
ipa-kra-install: exit if ca_host is overridden

ipa-kra-install should exit if ca_host line is present
in /etc/ipa/default.conf, as it may lead to a misconfigured
setup.

Fixes: https://pagure.io/freeipa/issue/8245
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a4e13a33 by Antonio Torres at 2021-07-27T17:38:45+02:00
ipatests: test if KRA install fails when ca_host is overridden

KRA install on a replica should fail if ca_host is
overridden in /etc/ipa/default.conf.

Related: https://pagure.io/freeipa/issue/8245
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a1eb13cd by Christian Heimes at 2021-08-02T09:53:36-04:00
Fix ldapupdate.get_sub_dict() for missing named user

The named user may not be present when ipa-server-dns and bind are not
installed. NAMED_UID and NAMED_GID constants are only used with local
DNS support.

Fixes: https://pagure.io/freeipa/issue/8936
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Co-authored-by: François Cami <fcami at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e0e1d6f9 by François Cami at 2021-08-03T08:17:10+02:00
freeipa.spec.in: remove python3-pexpect from Requires

python3-pexpect will be removed in RHEL9.
Update BuildRequires/Requires accordingly.

Fixes: https://pagure.io/freeipa/issue/8938
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
fbbff3ed by Rob Crittenden at 2021-08-03T08:23:59+02:00
Provide more information in ipa-certupdate on ccache failure

ipa-certupdate obtains host credentials to operate. If this
fails with a ccache error this can be confusing if the user
executing it already has admin credentials.

Include the principal being retrieved and the keytab being
used.

This basically intercepts the exception to log additional
information and lets the exception be handled at a higher
level.

https://pagure.io/freeipa/issue/8257

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
42206df6 by Rob Crittenden at 2021-08-03T08:53:50+02:00
ipa-getkeytab: add option to discover servers using DNS SRV

The basic flow is:

- If server is provided by the user then use it
- If server is the magic value '_srv_', check for _ldap._tcp SRV records for
  the domain in /etc/ipa/default.conf
- If no servers are found use the server from default.conf

https://pagure.io/freeipa/issue/8478

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
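The three-step server selection from the commit above, as an added example; it is not the C code of ipa-getkeytab. The default.conf values and the SRV answers are constructed, the resolver is injected as a callable so the example runs offline, and the `_srv_` spelling follows the test commit for this ticket. Ordering of SRV answers is a deterministic sort by priority and weight rather than the randomised weighted pick RFC 2782 describes.

```python
# Constructed default.conf values (normally read from /etc/ipa/default.conf).
DEFAULT_CONF = {"domain": "example.test", "server": "ipa1.example.test"}

# Constructed SRV answers in zone-file syntax, as a resolver would return
# them for _ldap._tcp.example.test.
SAMPLE_SRV_ANSWERS = [
    "_ldap._tcp.example.test. 86400 IN SRV 10 50 389 ipa2.example.test.",
    "_ldap._tcp.example.test. 86400 IN SRV 0 100 389 ipa1.example.test.",
    "_ldap._tcp.example.test. 86400 IN SRV 0 200 389 ipa3.example.test.",
]

SRV_MAGIC = "_srv_"


def parse_srv_answers(lines):
    """Parse 'name ttl IN SRV prio weight port target' lines into
    (priority, weight, port, target) tuples; anything else is skipped."""
    records = []
    for line in lines:
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            continue
        prio, weight, port = (int(f) for f in fields[4:7])
        records.append((prio, weight, port, fields[7].rstrip(".")))
    return records


def order_srv(records):
    # Lowest priority first; within one priority, larger weight first.
    return [r[3] for r in sorted(records, key=lambda r: (r[0], -r[1]))]


def choose_servers(server_option, config, srv_lookup):
    """Apply the flow from the commit message.

    server_option: value of -s/--server, or None when not given
    config: parsed default.conf (dict with 'domain' and 'server')
    srv_lookup: callable(name) -> list of answer lines
    """
    if server_option and server_option != SRV_MAGIC:
        return [server_option]             # step 1: explicit server wins
    if server_option == SRV_MAGIC:         # step 2: SRV discovery
        answers = srv_lookup("_ldap._tcp." + config["domain"])
        servers = order_srv(parse_srv_answers(answers))
        if servers:
            return servers
    return [config["server"]]              # step 3: fall back to default.conf


def fake_lookup(name):
    """Offline stand-in for a DNS SRV query."""
    return SAMPLE_SRV_ANSWERS if name == "_ldap._tcp.example.test" else []


def no_records(name):
    """Resolver that finds nothing, to exercise the fallback."""
    return []


if __name__ == "__main__":
    print(choose_servers("ipa9.example.test", DEFAULT_CONF, fake_lookup))
    print(choose_servers(SRV_MAGIC, DEFAULT_CONF, fake_lookup))
    print(choose_servers(SRV_MAGIC, DEFAULT_CONF, no_records))
    print(choose_servers(None, DEFAULT_CONF, fake_lookup))
```

The fallback in step 3 matters for hardening: a client whose resolver is unreachable or returns nothing still ends up talking to the server recorded at enrollment time instead of failing with an empty server list.

- - - - -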
0114d24e by Rob Crittenden at 2021-08-03T08:53:50+02:00
ipa-getkeytab: fix compiler warnings

Make read_ipa_config and filter_keys static to avoid
"no previous prototype" warnings.

Use correct datatype of return value for ber_scanf to
correct different signedness comparison.

Fixed while working on https://pagure.io/freeipa/issue/8478

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
7a13200f by Rob Crittenden at 2021-08-03T08:53:50+02:00
ipatests: test ipa-getkeytab server option

Test various usages of the -s/--server option:
* -s is defined, use it as the server
* no -s, use the host value from /etc/ipa/default.conf
* -s is '_srv_', do DNS discovery

https://pagure.io/freeipa/issue/8478

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
25a4acf3 by Anuja More at 2021-08-04T08:39:03+02:00
ipatests: Test for OTP when the LDAP connection timed out.

Test to verify that when the idle timeout is exceeded (30s idle,
60s sleep) then the ipa-otpd process should exit without error.

Related: https://pagure.io/freeipa/issue/6587

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
018ee09c by Rob Crittenden at 2021-08-04T08:42:18+02:00
ipa-advise: if p11-kit provides opensc, don't add to NSS db

p11-kit-proxy in newer distributions handles loading the OpenSC
PKCS#11 library so don't try to add it to the NSS database in
/etc/pki/nssdb if it is already available in order to avoid a
potentially confusing error message.

https://pagure.io/freeipa/issue/8934

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
9a4a6cdd by Rob Crittenden at 2021-08-04T08:42:18+02:00
ipa-advise: Define the domain used when looking up ipa-ca

The error message if ipa-ca can't be resolved included the
undefined variable ${domain_name}. Since this is static anyway
change to a python format string and hardcode the string in
the resulting script as api.env.domain.

Discovered while working on https://pagure.io/freeipa/issue/8934

Related: https://pagure.io/freeipa/issue/8934

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
826b5825 by Rob Crittenden at 2021-08-04T08:44:46+02:00
ipatests: verify that getcert output includes the issued date

certmonger 0.79.14 included a new feature that provides the
NotBefore (or issued) date to the certificate list output.

Verify that it is present in the output.

https://bugzilla.redhat.com/show_bug.cgi?id=1940261

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
4c0dcabd by Antonio Torres at 2021-08-04T15:25:28+02:00
dnszone: deprecate option for setting SOA serial

Since IPA 3 [1] SOA serial is managed automatically via autoincrement,
and the option of disabling this behavior was deprecated in IPA 3.3.3 [2].
As a result, the option '--serial' during DNS zone addition would be
ignored as it is set during the creation. This commit adds a deprecation
warning if this option is used.

[1]: https://www.freeipa.org/page/V3/DNS_SOA_serial_auto-incrementation
[2]: https://www.freeipa.org/page/Releases/3.3.3

Fixes: https://pagure.io/freeipa/issue/8227
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Jeffman <rjeffman at redhat.com>

- - - - -
1d751249 by Antonio Torres at 2021-08-04T15:25:28+02:00
ipatests: expect SOA serial option deprecation warning

Tests must be updated to expect the new deprecation warning.

Related: https://pagure.io/freeipa/issue/8227
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Jeffman <rjeffman at redhat.com>

- - - - -
96dd8ac1 by Mohammad Rizwan at 2021-08-04T15:30:17+02:00
ipatests: Look for warning into stderr instead of stdout

In https://github.com/freeipa/freeipa/pull/5855 the test was looking
into stdout_text for the warning instead of stderr_text, hence it
was failing for pki version > 10.11.0.

related: https://pagure.io/freeipa/issue/8890

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
05261749 by Rob Crittenden at 2021-08-04T16:28:24+02:00
Add index for sudoorder

sudorule-mod <rule> --order=<num> does a search for an existing
order and this search is unindexed.

https://pagure.io/freeipa/issue/8939

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
9ae23e12 by François Cami at 2021-08-05T14:38:06-04:00
ipatests: use krb5_trace in TestIpaAdTrustInstall

tasks.create_active_user can fail in a subtle way when there
are two IPA servers due to replication delays.
Using the debug-enabled version of create_active_user helps
determine whether there is another underlying issue and, in
general, prevents the above problem.

Fixes: https://pagure.io/freeipa/issue/8944
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
97a2a925 by Rob Crittenden at 2021-08-05T17:54:07-04:00
Don't assume that plugin attributes and objectclasses are lowercase

A user wrote their own plugin to add custom attributes which was
failing with an incorrect error that the attribute wasn't allowed.

It wasn't allowed because it wasn't being treated as case-insensitive
so wasn't being found in the schema.

https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
e28e4540 by Rob Crittenden at 2021-08-05T17:54:07-04:00
ipatests: add suite for testing custom plugins

Ensure that attributes and objectclasses are case-insensitive.

https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
78c48199 by Rob Crittenden at 2021-08-05T17:54:07-04:00
pr-ci definitions: add custom plugin-related jobs

Related: https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
7fb95cc6 by Chris Kelley at 2021-08-06T07:57:39+02:00
Parse getStatus as JSON not XML

On dogtagpki/pki master XML is being replaced by JSON; getStatus will
return JSON in PKI 11.0+.

The PR for dogtagpki/pki that makes this change necessary is:
https://github.com/dogtagpki/pki/pull/3674

Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c5b5bc90 by Christian Heimes at 2021-08-09T14:53:19+02:00
Fix string check in uninstall helper

The install helpers used an invalid string check. ``('ubuntu')`` is
not a tuple. It's a string with superfluous parenthesis. A single-item
tuple would be ``('ubuntu',)``. It's recommended to use set literals to
avoid such mistakes.

Also check for 'debian' platform.

Fixes: https://pagure.io/freeipa/issue/8937
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
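To make the defect described in the "Fix string check" commit concrete, here is an added example (not FreeIPA's code) contrasting the `('ubuntu')` string check with a set-literal check. The platform names are constructed for the example.

```python
"""Added example (not FreeIPA code): why ('ubuntu') is a string, not a tuple.

The `in` operator on a str performs substring matching, so a platform
check written against ('ubuntu') accepts any substring of "ubuntu",
including the empty string and fragments such as "unt".
"""

# Constructed set of platform ids for the example; a set literal makes a
# forgotten trailing comma impossible ({'ubuntu'} is unambiguously a set).
DEBIAN_LIKE = {"debian", "ubuntu"}


def is_debian_like_buggy(platform: str) -> bool:
    """Reproduces the defect: ('ubuntu') is just the string 'ubuntu',
    so this is a substring test rather than a membership test."""
    return platform in ('ubuntu')


def is_debian_like(platform: str) -> bool:
    """Corrected check: exact membership in a set literal."""
    return platform in DEBIAN_LIKE


def type_name(value) -> str:
    """Return the runtime type name so the str/tuple difference is visible."""
    return type(value).__name__


if __name__ == "__main__":
    for p in ("ubuntu", "debian", "unt", "", "fedora"):
        print(f"{p!r:10} buggy={is_debian_like_buggy(p)!s:5} fixed={is_debian_like(p)}")
    print(type_name(('ubuntu')), type_name(('ubuntu',)))
```

The buggy form never matches "debian" (so the Debian platform fell through), yet it matches "" and "unt", which is the kind of silent misclassification a set literal rules out.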
a3d71eb7 by Anuja More at 2021-08-09T14:24:28-04:00
ipatests: Test ldapsearch with base scope works with compat tree.

Added test to verify that ldapsearch for compat tree
with scope base and sub is not failing.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
d4062e40 by Anuja More at 2021-08-09T14:24:28-04:00
ipatests: skip test_basesearch_compat_tree on fedora.

slapi-nis with the fix is not part of fedora yet.
The test requires slapi-nis with the fix:
https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177?

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
40f76a53 by Chris Kelley at 2021-08-09T14:26:04-04:00
Parse cert chain as JSON not XML

On dogtagpki/pki master XML is being replaced by JSON in PKI 11.0+

The PR for dogtagpki/pki that makes this change necessary is:
https://github.com/dogtagpki/pki/pull/3677

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
eac03d68 by Anuja More at 2021-08-10T13:50:20+02:00
ipatests: Refactor test_check_otpd_after_idle_timeout

Use the whole date when calling journalctl --since.
ipa-otpd doesn't flush its logs to syslog immediately,
so check with run_repeatedly.
Also list failed units when the ldap connection
times out.

Related: https://pagure.io/freeipa/issue/6587

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4fdab0c9 by Anuja More at 2021-08-13T08:14:24+02:00
ipatests: Test unsecure nsupdate.

The test configures an external bind server on the ipa-server
(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.

When the IPA client is registered using ipa-client-install,
DNS records are added for the client in the bind server using nsupdate.
The first try is using GSS-TSIG but fails as expected, and the client
installer then tries with unauthenticated nsupdate.

Related: https://pagure.io/freeipa/issue/8402

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
c9bc471e by Stanislav Levin at 2021-08-13T08:17:00+02:00
ipatests: Fix TestAJPSecretUpgrade tests on systems without pkiuser

Tests in `test_ipaserver.test_secure_ajp_connector` assume that there
is a pkiuser in the OS, but this is not always true (for example, in systems
having minimum installed dependencies, in particular, without the pki-server
RPM package). Since the tests already use the mock and the pkiuser entity is
not the subject of testing, pwd.getpwnam has been mocked.

Fixes: https://pagure.io/freeipa/issue/8942
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
488ac7e3 by Michal Polovka at 2021-08-15T10:01:18+02:00
ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files

Test if files in /var/log are being checked with ipahealthcheck.ipa.files source.

Resolves: https://pagure.io/freeipa/issue/8949

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
be3a0f32 by Rob Crittenden at 2021-08-17T17:48:04-04:00
Clean up the PKI securitydomain when removing a server

PKI has its own internal knowledge of servers and services
in its securitydomain. This has not been cleaned up in the
past but is becoming more of an issue as PKI now relies on its
securitydomain for more things, and it has a healthcheck that
reports inconsistencies.

Removing entries is straightforward using the PKI REST API.

In order to operate on the API access is needed. There was an
unused Security Domain Administrators group that I've added to
the resourceACLS we created for managing the securitydomain.
The ipara user is added as a member of this group. The REST
API binds to the CA using the IPA RA certificate.

Related commits are b3c2197b7e4ed18a7febe3efa6396c2272ebccca
and ba4df6449aaa0843ab43a1a2b3cb1df8bb022c24.

These resourceACLS were originally created as a backwards
compatibility mechanism for dogtag v9 and later only created when a
replica was installed purportedly to save a restart. I don't see
any reason to not have these defined. They are apparently needed due
to the PKI database upgrade issues.

In any case if the purpose was to suppress these ACLS it failed
because as soon as a replica with a CA was installed they were as
well, and we need this ACL in order to manage the securitydomain.

https://pagure.io/freeipa/issue/8930

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
a417810d by Rob Crittenden at 2021-08-17T17:48:04-04:00
ipatests: Verify that securitydomain is updated on server-del

For every server-del ensure that the server being deleted is
also removed from the PKI securitydomain.

https://pagure.io/freeipa/issue/8930

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
3cb6b5c8 by François Cami at 2021-08-18T17:56:52+02:00
Update list of contributors

Signed-off-by: François Cami <fcami at redhat.com>

- - - - -
da1d543c by Rob Crittenden at 2021-08-18T12:03:35-04:00
Only call add_agent_to_security_domain_admins() when CA is installed

This allows the RA agent to manage the pki security domain and is
only needed if a CA has been configured. Only call it in a CA-ful
installation.

https://pagure.io/freeipa/issue/8956

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
d2df13d8 by François Cami at 2021-08-19T16:13:49+02:00
Become IPA 4.9.7

- - - - -
60745116 by François Cami at 2021-08-19T19:00:08+02:00
Back to git snapshots

Signed-off-by: François Cami <fcami at redhat.com>

- - - - -
210c53dd by François Cami at 2021-08-20T16:02:28+02:00
freeipa.spec.in: update 389-DS version

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
e0aef529 by Mohammad Rizwan at 2021-08-20T16:04:42+02:00
ipatests: test to renew certs on replica using ipa-cert-fix

This test checks if ipa-cert-fix renews the certs on replica
after cert renewal on master.

related: https://pagure.io/freeipa/issue/7885

ipatests: refactor expire_cert_critical fixture

Defined a method to move the date and refactored the
expire_cert_critical fixture using it

ipatests: PEP8 fixes

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
a620e5e9 by Mohammad Rizwan at 2021-08-20T16:04:42+02:00
ipatests: wait while http/ldap/pkinit certs get renewed on replica

LDAP/HTTP/PKINIT certificates should be renewed on replica after
moving the system date. The test was failing because ipa-cert-fix ran
while these certs were not renewed and it tried to fix them.

This test adds check for replication before calling ipa-cert-fix
on replica.

Fixes: https://pagure.io/freeipa/issue/8815

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
1b38afc0 by Mohammad Rizwan at 2021-08-20T16:04:42+02:00
ipatests: update the timeout for test_ipa_cert_fix.py in nightlies

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
4a3a15f4 by François Cami at 2021-08-20T16:04:42+02:00
ipatests: refactor test_ipa_cert_fix with tasks

Fixes: https://pagure.io/freeipa/issue/8932
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
0b359fbd by Stanislav Levin at 2021-08-24T18:32:14+02:00
Azure: Run pycodestyle check in Lint job

- previously, the fastlint make target included both the Pylint task
and the pycodestyle one. The purpose of this target is fast checking
of changed Python files only. This makes sense for pycodestyle, but
limits Pylint due to context (file) checking: the clients which
call the code being linted are not checked at all. In Azure Pylint
(for the whole codebase) is run in the Lint task, which makes fastlint
extra for Azure.

- the `Quick code style check` task used the distro's Pylint, while the
`Lint` task used PyPI's one. This may cause different results and confuse
a user.

- the `Build` task takes longer than the `Lint` one, so this change
doesn't lead to increased CI time.

- all Azure tests depend on the Build and Lint tasks. Mostly there is no
need to run tests on probably broken code.

Fixes: https://pagure.io/freeipa/issue/8961
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>

- - - - -
31afc004 by Stanislav Levin at 2021-08-24T18:32:14+02:00
pycodestyle: Check *.in Python files

Many IPA Python scripts are shebang-configurable scripts and
have the special suffix '.in' for that. Pycodestyle by default checks
only '*.py' files [0].

[0]: https://pycodestyle.pycqa.org/en/latest/intro.html

Fixes: https://pagure.io/freeipa/issue/8961
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>

- - - - -
b5036b5c by Florence Blanc-Renaud at 2021-08-25T13:59:07+02:00
ipatests: use whole date for journalctl --since

When a test is executed around midnight and is checking the
journal content with --since=date, it needs to specify the
whole date (with day and time) to avoid missing entries.

If for instance --since=23:59:00 is used and the current time is
now 00:01:00, --since=23:59:00 would refer to a date in the
future and no journal entry will be found.

Fixes: https://pagure.io/freeipa/issue/8953
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
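The midnight failure the "use whole date for journalctl --since" commit describes can be reproduced without a running journal. The following is an added example, not test code from FreeIPA: it models how journalctl resolves a time-only `--since` value (systemd.time(7) treats a bare time of day as today) and builds the full-date form instead. The unit name and timestamps are constructed for the example.

```python
"""Added example (not FreeIPA code): a time-only --since value can point
into the future when the test straddles midnight; the full date does not."""
from datetime import datetime

FULL_FMT = "%Y-%m-%d %H:%M:%S"
TIME_FMT = "%H:%M:%S"


def resolve_since(spec: str, now: datetime) -> datetime:
    """Model of journalctl's handling of --since (systemd.time(7)):
    a full date is used as given; a bare time of day is assumed to be today."""
    try:
        return datetime.strptime(spec, FULL_FMT)
    except ValueError:
        clock = datetime.strptime(spec, TIME_FMT).time()
        return datetime.combine(now.date(), clock)


def since_argument(start: datetime) -> str:
    """Build the --since value with the whole date, day and time included."""
    return start.strftime(FULL_FMT)


def would_miss_entries(spec: str, now: datetime) -> bool:
    """True when the resolved start lies in the future: nothing can match."""
    return resolve_since(spec, now) > now


def journalctl_since_cmd(start: datetime, unit: str) -> list:
    """argv for a journalctl call anchored with the full date.
    Passing argv as a list sidesteps shell quoting of the space in the value."""
    return ["journalctl", "-u", unit, "--since", since_argument(start)]


if __name__ == "__main__":
    # Constructed scenario: the test started at 23:59:00 and checks at 00:01:00.
    now = datetime(2021, 8, 25, 0, 1, 0)
    start = datetime(2021, 8, 24, 23, 59, 0)
    print("time only  -> misses entries:", would_miss_entries("23:59:00", now))
    print("whole date -> misses entries:", would_miss_entries(since_argument(start), now))
    print(journalctl_since_cmd(start, "ipa-otpd.socket"))
```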
939d0f5d by Stanislav Levin at 2021-08-25T18:54:35+02:00
schema plugin: Generate stable fingerprint

If some Param defines several values for the `exclude` or `include`
attributes then the API schema hash will be unstable.

First, these Param attributes are converted to frozenset
(ipalib/parameters.py), then the `ipaserver.plugins.schema` plugin
converts the `exclude` and `include` attrs to list. Set/frozenset, in
turn, is an unordered collection [0]. So, the end order of values is
undefined.
But due to the nature of sets:
> two sets are equal if and only if every element of each set is
contained in the other (each is a subset of the other)

the order of values can be ignored.

Note: other Param's attrs with type frozenset are not affected because
they are not processed by the schema plugin.

[0]: https://docs.python.org/3/library/stdtypes.html#set-types-set-frozenset

Fixes: https://pagure.io/freeipa/issue/8955
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
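The instability described in the "Generate stable fingerprint" commit comes from serialising `list(frozenset(...))`, whose order can differ between interpreter processes. The block below is an added example, not the schema plugin's code: it mimics the frozenset-to-list step, shows that two equivalent listings hash differently when taken as-is, and sorts the set-valued attributes so equal sets always give the same digest. The attribute names `include`/`exclude` come from the commit; the Param names and context values are constructed.

```python
"""Added example (not FreeIPA code): a schema fingerprint that is stable
regardless of the iteration order of set-valued Param attributes."""
import hashlib
import json

# The attributes the commit describes as converted frozenset -> list.
SET_VALUED_ATTRS = ("include", "exclude")


def plugin_view(params):
    """Mimic the plugin step: frozenset attrs become lists whose order is
    whatever the set happened to iterate in (hash-seed dependent)."""
    view = []
    for param in params:
        p = dict(param)
        for attr in SET_VALUED_ATTRS:
            if isinstance(p.get(attr), frozenset):
                p[attr] = list(p[attr])
        view.append(p)
    return view


def canonical(view):
    """Return a copy with set-valued lists sorted, so that two listings of
    the same set serialise byte-for-byte identically."""
    out = []
    for param in view:
        p = dict(param)
        for attr in SET_VALUED_ATTRS:
            if attr in p:
                p[attr] = sorted(p[attr])
        out.append(p)
    return out


def fingerprint(view, stable=True):
    """SHA-256 over the JSON form; stable=False reproduces the old behaviour."""
    data = canonical(view) if stable else view
    blob = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


# Constructed sample: the same Param as two server processes might list it.
RUN_A = [{"name": "user", "include": ["cli", "server"], "exclude": ["webui"]}]
RUN_B = [{"name": "user", "include": ["server", "cli"], "exclude": ["webui"]}]

if __name__ == "__main__":
    print("unstable:", fingerprint(RUN_A, stable=False) == fingerprint(RUN_B, stable=False))
    print("stable:  ", fingerprint(RUN_A) == fingerprint(RUN_B))
```

Only `include` and `exclude` are normalised, mirroring the commit's note that other frozenset-typed attributes are untouched because the plugin never serialises them.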
14ad5223 by Stanislav Levin at 2021-08-25T18:54:35+02:00
ipatests: Add tests for `schema` Command

- the base testing of this command is made by ipaclient `schema`
remote plugin, but some specifics are not covered

- allow testing of the plugin in `development` mode (locked API).

Fixes: https://pagure.io/freeipa/issue/8955
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5abf1bc7 by Endi S. Dewata at 2021-08-27T09:46:01+02:00
Specify PKI installation log paths

The DogtagInstance.spawn_instance() and uninstall() have
been modified to specify the paths of PKI installation
logs using --log-file option on PKI 11.0.0 or later.

This allows IPA to have full control over the log files
instead of relying on PKI's default log files.

Fixes: https://pagure.io/freeipa/issue/8966
Signed-off-by: Endi Sukma Dewata <edewata at redhat.com>

- - - - -
07e2bf73 by Florence Blanc-Renaud at 2021-08-31T16:47:16+02:00
selinux policy: allow custodia to access /proc/cpuinfo

On aarch64, custodia creates AVC when accessing /proc/cpuinfo.

According to gcrypt manual
(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html),
/proc/cpuinfo is used on ARM architecture to read the hardware
capabilities of the CPU. This explains why the issue happens only
on aarch64.

audit2allow suggests to add the following:
allow ipa_custodia_t proc_t:file { getattr open read };

but this policy would be too broad. Instead, the patch is using
the interface kernel_read_system_state.

Fixes: https://pagure.io/freeipa/issue/8972
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
2cf0ad5c by Christian Heimes at 2021-09-01T09:18:20+02:00
Add URI system records for KDC

MIT KRB5 1.15 introduced KDC service discovery with URI records.
_kerberos and _kpasswd URI records can provide TCP, UDP, and Kerberos
KDC-Proxy references. URI lookups take precedence over SRV lookups,
falling back to SRV lookups if no URI records are found.

Also reduce TTL for system records from one day to one hour. It allows
users to remove or update discovery entries in a timely fashion.

See: https://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html#kdc-discovery
Fixes: https://pagure.io/freeipa/issue/8968
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4fca9575 by Sumit Bose at 2021-09-02T20:48:41+02:00
extdom: return LDAP_NO_SUCH_OBJECT if domains differ

If a client sends a request to lookup an object from a given trusted
domain by UID or GID and an object with matching ID is only found in a
different domain the extdom should return LDAP_NO_SUCH_OBJECT to
indicate to the client that the requested ID does not exist in the
given domain.

Resolves: https://pagure.io/freeipa/issue/8965
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a6e708ab by Rob Crittenden at 2021-09-02T21:09:29+02:00
Catch and log errors when adding CA profiles

Rather than stopping the installer entirely, catch and report
errors adding new certificate profiles, and remove the
broken profile entry from LDAP so it may be re-added later.

It was discovered that installing a newer IPA that has the
ACME profile which requires sanToCNDefault will fail when
installing a new server against a very old one that lacks
this class.

Running ipa-server-upgrade post-install will add the profile
and generate the missing ipa-ca SAN record so that ACME
can work.

https://pagure.io/freeipa/issue/8974

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
4785a909 by François Cami at 2021-09-03T09:33:22+02:00
subid: subid-match: display the owner's ID not DN

Previously, the subid-match command would output the full
DN of the owner of the matched range.
With this change, the UID of the owner is displayed, just like
for other subid- commands.

Fixes: https://github.com/freeipa/freeipa/pull/6001
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3fb0f533 by Rob Crittenden at 2021-09-05T11:53:10+02:00
Increase default limit on LDAP searches to 100k

A similar change was attempted years ago in commit
9724251292e4c0797367fcc351a9f16f30c6aefe but it was
never applied because it used the wrong DN and because
nsslapd-timelimit is already present in the entry
the default keyword won't trigger.

Use replace instead to increase the value to 100k from
the default as originally intended.

nsslapd-sizelimit can be changed only with a MOD_REPLACE
otherwise an LDAP_NO_SUCH_ATTRIBUTE error is thrown. IPA
only uses MOD_REPLACE for single-value attributes but
nsslapd-sizelimit is not yet in schema. Add it to
the known set of exceptions for single-value attributes.

https://pagure.io/freeipa/issue/8962

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
10dfc437 by Timo Aaltonen at 2021-09-06T11:50:34+03:00
Merge branch 'upstream'

- - - - -
13627cb2 by Timo Aaltonen at 2021-09-06T11:50:48+03:00
bump the version

- - - - -
5aa83b96 by Timo Aaltonen at 2021-09-07T16:41:01+03:00
control: Bump 389-ds-base depends.

- - - - -
427b6f95 by Timo Aaltonen at 2021-09-07T16:45:53+03:00
control: Drop python3-coverage depends, it's not used.

- - - - -
d56fd209 by Timo Aaltonen at 2021-09-07T16:55:07+03:00
Add new files for the server

- - - - -
9d6821c8 by Timo Aaltonen at 2021-09-07T17:24:04+03:00
control: Bump dogtag depends.

- - - - -
8acdf1f1 by Timo Aaltonen at 2021-09-07T17:25:06+03:00
control: Drop more of custodia.

- - - - -
395b0d26 by Florence Blanc-Renaud at 2021-09-08T10:34:00+02:00
ipatests: rpcclient now uses --use-kerberos=desired

The integration tests are using rpcclient delivered
by samba package. With samba 4.15, the options have
been renamed and "--use-kerberos=desired" must be
used instead of "-k".
(see https://download.samba.org/pub/samba/rc/samba-4.15.0rc4.WHATSNEW.txt)

Adapt the test to be compatible with both old and new versions.

Fixes: https://pagure.io/freeipa/issue/8979
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
3c4f9e73 by Florence Blanc-Renaud at 2021-09-08T14:47:14+02:00
migrate-ds: workaround to detect compat tree

Migrate-ds needs to check if compat tree is enabled before
migrating users and groups. The check is doing a base
search on cn=compat,$SUFFIX and considers the compat tree
enabled when the entry exists.

Due to a bug in slapi-nis, the base search may return NotFound
even though the compat tree is enabled. The workaround is to
perform a base search on cn=users,cn=compat,$SUFFIX instead.

Fixes: https://pagure.io/freeipa/issue/8984
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4f569c68 by Florence Blanc-Renaud at 2021-09-09T07:53:48+02:00
ipatests: fix logic waiting for repl in TestIPACommand

The logic of test_reset_password_unlock is twisted.
Currently it's doing:
- reset password on replicas[0]
- wait for replication on master
- kinit on master

The call to wait_for_replication should be done on
replicas[0], not on master, according to the method doc:
    Note that this waits for updates originating on this host, not those
    coming from other hosts.

Fixes: https://pagure.io/freeipa/issue/8975

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
d1343e8f by Stanislav Levin at 2021-09-09T07:56:09+02:00
docs: Make use of `text` highlighting

As of 4.9.7 FreeIPA makes use of raw lexer in doc/designs/subordinate-ids.md.

raw alias has been removed in Pygments 2.8.0:
https://pygments.org/docs/changelog/#version-2-8-0
https://github.com/pygments/pygments/pull/1643

This causes the failure of Azure Docs job.

I think that the original goal of `raw` was the disabling of block
highlighting, which can be done with `text` lexer:
https://pygments.org/docs/lexers/#pygments.lexers.special.TextLexer

Fixes: https://pagure.io/freeipa/issue/8985
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ef58efe7 by Florence Blanc-Renaud at 2021-09-15T09:50:09+02:00
ipatests: fix expected msg in tasks.run_ssh_cmd

OpenSSH 8.7p1 changed the message logged on successful
authentication (see commit 9e1882ef6489a7dd16b6d7794af96629cae61a53).

As a result, the method run_ssh_cmd is failing and needs to be
adapted in order to be compatible with old and new openssh versions.

Fixes: https://pagure.io/freeipa/issue/8989
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dfe94640 by Stanislav Levin at 2021-09-15T12:08:36+02:00
azure: Ignore tar errors

Sometimes tar fails on files changed in process:
```
[2021-09-07 11:03:33] + tar --ignore-failed-read -czf ipaserver_install_logs.tar.gz --warning=no-failed-read /var/log/dirsrv /var/log/httpd2 /var/log/ipa /var/log/ipaclient-install.log /var/log/ipa-custodia.audit.log /var/log/ipaserver-install.log /var/log/krb5kdc.log /var/log/pki /var/log/samba /var/lib/bind/data systemd_journal.log
[2021-09-07 11:03:33] tar: Removing leading `/' from member names
[2021-09-07 11:03:33] tar: Removing leading `/' from hard link targets
[2021-09-07 11:03:33] tar: /var/log/dirsrv/slapd-IPA-TEST/access: file changed as we read it
[2021-09-07 11:03:33] + tests_result=1
```

This is expected failure since processes are not stopped during logs
collection and can flush their logs.

Fixes: https://pagure.io/freeipa/issue/8983
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8fcc0f07 by Stanislav Levin at 2021-09-15T12:10:25+02:00
krb5: Pin kpasswd server to a primary one

There are time gaps in which kinit requests may fail due to
offlined SSSD's locator and replication delays.

Since the `IPA` provider or SSSD is offline, the locator plugin for libkrb5
(man 8 sssd_krb5_locator_plugin) can do nothing about this and kinit
falls back to the standard libkrb5 algorithm described in `man 5 krb5.conf`.
`krb5.conf` on an IPA server doesn't include `kpasswd_server` and kinit
falls back to the DNS way. DNS (URI or SRV) RRs don't preserve any order
and kinit may contact either master or replica kpasswd servers.
This may result in a password being changed on a replica but not
replicated to master:
master(kinit)->master(initial)->replica(kpasswd)->master(can't
obtain initial creds with new password)

So, `kpasswd_server` serves as fallback for the offlined locator.

Note: primary_kdc (the former master_kdc) doesn't help here because
it is only used if the initial credentials obtaining fails (see
`krb5_get_init_creds_password` in libkrb5) and not a password change.

Fixes: https://pagure.io/freeipa/issue/8353
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
12ebc658 by Stanislav Levin at 2021-09-15T12:10:25+02:00
ipatests: Log debug messages for locator plugin

SSSD provides Kerberos plugin
> to tell the Kerberos libraries what Realm and which KDC to use.

It's useful to see what is happening during kinit in case of any
issues.

Related: https://pagure.io/freeipa/issue/8353
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
be1e3bbf by Rob Crittenden at 2021-09-16T15:04:41-04:00
Don't store entries with a usercertificate in the LDAP cache

usercertificate often has a subclass and both the plain and
subclassed (binary) values are queried. I'm concerned that
they are used more or less interchangeably in places so not
caching these entries is the safest path forward for now until
we can dedicate the time to find all usages, determine their
safety and/or perhaps handle this gracefully within the cache
now.

What we see in this bug is that usercertificate;binary holds the
first certificate value but a user-mod is done with
setattr usercertificate=<new_cert>. Since there is no
usercertificate value (remember, it's usercertificate;binary)
a replace is done and 389-ds wipes the existing value as we've
asked it to.

I'm not comfortable with simply treating them the same because
in LDAP they are not.

https://pagure.io/freeipa/issue/8986

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
86588640 by Rob Crittenden at 2021-09-16T15:04:41-04:00
ipatests: Test that a user can be issued multiple certificates

Prevent regressions in the LDAP cache layer that caused newly
issued certificates to overwrite existing ones.

https://pagure.io/freeipa/issue/8986

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
a9f73007 by Stanislav Levin at 2021-09-21T08:28:41+02:00
schema plugin: Fix commands without metaobject arg

Previously, all the commands of the schema plugin derived from
BaseMetaSearch required metaobject as their argument
(by implementation), but the spec for some of them only optionally
asks for the search criteria arg. This patch fixes this inconsistency.

Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e4839b04 by Stanislav Levin at 2021-09-21T08:28:41+02:00
command_defaults: Don't crash on nonexistent command

It's common for ipa commands to raise NotFound in such a case.

Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
83405a75 by Stanislav Levin at 2021-09-21T08:28:41+02:00
test_schema_plugin: Drop dependency on Tracker

Tracker is the best for testing plugins dealing with LDAP.
The tests in test_schema_plugin do not use LDAP at all.

Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
973334c9 by Stanislav Levin at 2021-09-21T08:28:41+02:00
test_schema_plugin: Add missing tests for command, class and topic commands

Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
bdf479e8 by Pavel Březina at 2021-09-22T13:02:02+02:00
kdb: fix typo in ipa_kdcpolicy_check_as

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
186497cb by Vit Mojzis at 2021-09-27T11:45:17-04:00
selinux: Fix file context definition for /var/run

There is a file context equivalence rule assigning /run the same
contexts as /var/run. Because of it, it's necessary to use /var/run
instead of /run in file context definitions.

See:
https://fedoraproject.org/wiki/SELinux/IndependentPolicy#File_contexts_and_equivalency_rules

Signed-off-by: Vit Mojzis <vmojzis at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
01dfce68 by Florence Blanc-Renaud at 2021-09-29T17:31:26+02:00
ipatests: update expected error message for openssl verify

The test TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_ipaopensslchainvalidation
needs to be adapted with the new error message returned by
openssl verify when the provided certificate file does not exist.
The message changed with openssl3.

Fixes: https://pagure.io/freeipa/issue/8999

- - - - -
fc384b07 by Florence Blanc-Renaud at 2021-09-30T09:08:43+02:00
ipatests: increase sosreport verbosity

With the new version sos-4.2-1, sos report -v prints the
debug messages into sos.log only. In order to see the debug
messages in the console, -vv is needed.
For more info refer to sos report commit
https://github.com/sosreport/sos/commit/1d0729a9dcfe3f3cebb961114c9bc05136cf8cfb

Since the test is looking for messages in stdout, use -vv to
make sure the expected messages are printed in the console.

Fixes: https://pagure.io/freeipa/issue/9000

- - - - -
b706483c by Florence Blanc-Renaud at 2021-10-04T17:47:08+02:00
webui test: close notification after selinux user map update

The test test_undo_refresh_reset_update_cancel is sometimes
failing because a notification obscures the selinuxmap record.

After saving the modification on the record, close any notification
to make sure the test succeeds.

Fixes: https://pagure.io/freeipa/issue/8846
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
e6007669 by Sergey Orlov at 2021-10-05T12:39:40+02:00
ipatests: check for message in sssd log only during actual test action

Get size of the log file immediately before main test action to avoid
capturing messages written to log during environment preparation.

Fixes https://pagure.io/freeipa/issue/8987

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
bbda3590 by Chris Kelley at 2021-10-08T10:44:58+02:00
Make Dogtag return XML for ipa cert-find

Using JSON by default within Dogtag appears to cause ipa cert-find to
return JSON, when the request was made with XML. We can request that XML
be returned as before by specifying so in the request header.

Fixes: https://pagure.io/freeipa/issue/8980
Signed-off-by: Chris Kelley <ckelley at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
34d6f51f by Florence Blanc-Renaud at 2021-10-08T14:10:46+02:00
ipatests: Update the subca used in TestIPACommand::test_cacert_manage

The above test is installing 2 Let's Encrypt certificates:
the root ISRG Root X1 and a subca. The subca expired Oct 6 and needs to
be replaced with a valid one, otherwise ipa-cacert-manage install
refuses to install it.

Fixes: https://pagure.io/freeipa/issue/9006
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
7f2d46b6 by Timo Aaltonen at 2021-10-13T15:30:13+03:00
releasing package freeipa version 4.9.7-1

- - - - -
30cf9dc9 by Timo Aaltonen at 2021-10-13T15:45:44+03:00
lintian: Drop override on python-script-but-no-python-dep, which doesn't exist anymore.

- - - - -
dda9a60f by Timo Aaltonen at 2021-10-13T16:23:09+03:00
rules: Add fortify flag to CFLAGS, as CPPFLAGS isn't used by the project.

- - - - -
c835560a by Timo Aaltonen at 2021-10-13T16:44:38+03:00
ci: Drop allowed failure for blhc, it passes now.

- - - - -
b3ae6b9d by Timo Aaltonen at 2021-10-14T20:47:10+03:00
control: Build-depend on libcurl4-openssl-dev.

- - - - -
488fb104 by Stanislav Levin at 2021-10-19T14:01:05-04:00
seccomp profile: Default to ENOSYS instead of EPERM

This allows an application to detect whether the kernel supports a
syscall or not. Previously, the error was unconditionally EPERM.
There are many issues about glibc failing with new syscalls in containerized
environments if their host runs on an old kernel.

More about motivation for ENOSYS over EPERM:
https://github.com/opencontainers/runc/issues/2151
https://github.com/opencontainers/runc/pull/2750

See about defaultErrnoRet introduction:
https://github.com/opencontainers/runtime-spec/pull/1087

Previously, FreeIPA profile was vendored from
https://github.com/containers/podman/blob/main/vendor/github.com/containers/common/pkg/seccomp/seccomp.json

Now it is merged directly from
https://github.com/containers/common/blob/main/pkg/seccomp/seccomp.json

Fixes: https://pagure.io/freeipa/issue/9008
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
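The EPERM versus ENOSYS distinction in 488fb104, as an added example (not the FreeIPA profile and not runc or glibc code). The cut-down profile below is constructed in the OCI runtime-spec seccomp format, which defines defaultErrnoRet as optional with EPERM as its default; filter_result() only models the allow-list lookup, and faccessat2_with_fallback() models the glibc-style probe that treats ENOSYS, and only ENOSYS, as "use the older syscall":

```python
import copy
import errno
import json

# Constructed, cut-down profile in the OCI runtime-spec seccomp format:
# the pre-fix shape, where defaultAction is SCMP_ACT_ERRNO and no
# defaultErrnoRet is given, so the runtime falls back to EPERM.
OLD_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {"names": ["read", "write", "exit_group", "faccessat"],
     "action": "SCMP_ACT_ALLOW"}
  ]
}
""")


def default_errno(profile):
    """errno injected for syscalls that no rule allows.  runtime-spec makes
    defaultErrnoRet optional and defines EPERM as its default."""
    if profile.get("defaultAction") != "SCMP_ACT_ERRNO":
        return None
    return profile.get("defaultErrnoRet", errno.EPERM)


def default_errno_name(profile):
    """Symbolic name of default_errno(), e.g. 'EPERM' or 'ENOSYS'."""
    code = default_errno(profile)
    return None if code is None else errno.errorcode[code]


def with_enosys_default(profile):
    """The change 488fb104 makes: keep the allow list, but let unknown
    syscalls fail with ENOSYS so callers can tell 'unsupported' from 'denied'."""
    fixed = copy.deepcopy(profile)
    fixed["defaultErrnoRet"] = errno.ENOSYS
    return fixed


def filter_result(profile, syscall):
    """0 if the filter lets the syscall through, else the injected errno."""
    for rule in profile.get("syscalls", []):
        if syscall in rule["names"] and rule["action"] == "SCMP_ACT_ALLOW":
            return 0
    return default_errno(profile)


def faccessat2_with_fallback(profile):
    """How a glibc-style wrapper probes a syscall the kernel may lack:
    ENOSYS means 'not available, use the older syscall'; any other errno
    (EPERM included) is reported to the caller as a real failure."""
    rc = filter_result(profile, "faccessat2")
    if rc == 0:
        return "faccessat2"
    if rc == errno.ENOSYS:
        rc = filter_result(profile, "faccessat")
        return "faccessat" if rc == 0 else "error:" + errno.errorcode[rc]
    return "error:" + errno.errorcode[rc]


if __name__ == "__main__":
    print("old default:", default_errno_name(OLD_PROFILE),
          "->", faccessat2_with_fallback(OLD_PROFILE))
    new = with_enosys_default(OLD_PROFILE)
    print("new default:", default_errno_name(new),
          "->", faccessat2_with_fallback(new))
```

With the old profile the wrapper reports EPERM and the program breaks; with defaultErrnoRet set to ENOSYS the same allow list lets it fall back to faccessat, which is why the profile change is compatible with old kernels and new libcs at once.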
3f36ae2a by Timo Aaltonen at 2021-10-20T00:13:50+03:00
fix-paths.diff: Fix some paths in ipaplatform/base.

- - - - -
799d5e3f by Timo Aaltonen at 2021-10-20T01:20:28+03:00
fix-apache-group.diff: Fix apache group name in ipa.conf tmpfile.

- - - - -
8dd788da by Stanislav Levin at 2021-10-21T12:38:25+02:00
azure: Don't customize pip's builddir

As of 21.3 pip:

> Remove the --build-dir option and aliases, one last time. (pypa/pip#10485)

https://pip.pypa.io/en/stable/news/#v21-3

Previous versions warn about deprecation.

The builddir is provided to pip via env variable PIP_BUILD in Tox task.
The purpose of changing the default builddir was the noexec mount option
for /tmp in Travis (see 17d571c961). Since Travis is no longer used and
Azure lacks this issue, PIP_BUILD can be safely removed.

Note: pip 21.3 just ignores this env variable, which is more than can be
said for the command line option. It's better to clean it up, since the
behaviour may be changed in future.

This is effectively the revert of 17d571c961.

Fixes: https://pagure.io/freeipa/issue/9011
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
17ba2732 by Michal Polovka at 2021-10-21T12:40:19+02:00
ipatests: webui: Specify configuration loader

Default YAML loader has been deprecated in PyYAML-6.0, specify loader explicitly.

Fixes: https://pagure.io/freeipa/issue/9009

Signed-off-by: Michal Polovka <mpolovka at redhat.com>

- - - - -
82eaa2ea by Florence Blanc-Renaud at 2021-10-21T15:58:19-04:00
ipa-client-samba uninstall: remove tdb files

ipa-client-samba uninstaller must remove samba *.tdb files
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
The current code calls rm on the relative path filename
instead of building an absolute path filename,
resulting in failure to remove the tdb files.

Fixes: https://pagure.io/freeipa/issue/8687
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6302769b by Florence Blanc-Renaud at 2021-10-21T15:58:19-04:00
ipa-server-install uninstall: remove tdb files

ipa-server-install uninstaller must remove samba *.tdb files
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
The current code calls rm on the relative path filename
instead of building an absolute path filename,
resulting in failure to remove the tdb files.

Related: https://pagure.io/freeipa/issue/8687
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4afdb7f2 by Timo Aaltonen at 2021-10-23T11:54:38+03:00
control: Depend on gpg instead of gnupg.

- - - - -
b3bee9b5 by Sergey Orlov at 2021-11-01T15:14:05+01:00
ipatests: use AD domain name from config instead of hardcoded value

The test fails when test config contains AD domain value other than one
hardcoded in the test code.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c1baae84 by Rob Crittenden at 2021-11-01T11:51:15-04:00
On redhat-based platforms rely on authselect to enable sudo

The default platform task enable_sssd_sudo() writes directly
to nsswitch.conf to enable sudo. This isn't necessary to do on
systems with authselect where we already pass in with-sudo as a
profile option.

Override the default function, which does a direct write, with a no-op.

https://pagure.io/freeipa/issue/8755

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
74808447 by Stanislav Levin at 2021-11-01T11:55:13-04:00
ipatests: TestMultipleExternalCA: Create tempfiles on remote host

Previously, `test_master_install_ca1` and `test_master_install_ca2`
attempted to create tempdirs on the local host and later write some
content into the returned paths on the remote host. This fails if
a remote host is a local one.

The existing `create_temp_file` function has been extended to
support the `suffix` option of `mktemp`.

Fixes: https://pagure.io/freeipa/issue/9013
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dd07db29 by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
SID generation: define SIDInstallInterface

Move the SID-related options into a separate InstallInterface
(--add-sids, --netbios-name, --rid-base and --secondary-rid-base),
make ADTrustInstallInterface inherit from SIDInstallInterface.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e527857d by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
Installers: configure sid generation in server/replica installer

ADTRUSTInstance performs only sid configuration when it is
called without --setup-adtrust.

Update man pages for ipa-server-install and ipa-replica-install
with the SID-related options.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a91e6712 by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
adtrust install: define constants for rid bases

Define constants for DEFAULT_PRIMARY_RID_BASE = 1000 and
DEFAULT_SECONDARY_RID_BASE = 100000000

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b98ecabb by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
ipa config: add --enable-sid option

Add new options to ipa config-mod, allowing SID generation to be
enabled on upgraded servers:
ipa config-mod --enable-sid --add-sids --netbios-name NAME

The new option uses Dbus to launch an oddjob command,
org.freeipa.server.config-enable-sid
that runs the installation steps related to SID generation.

--add-sids is optional and triggers the sid generation task that
populates SID for existing users / groups.
--netbios-name is optional and allows specifying the NetBIOS name.
When not provided, the NetBIOS name is generated based on the leading
component of the DNS domain name.

This command can be run multiple times.

Fixes: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5bb56f91 by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
ipatests: add test ensuring SIDs are generated for new installs

The standard installer now configures all the items needed
for SID generation. Add a new test with the following scenario:
- install IPA server
- create an active user
- ensure the user's entry has an attribute ipantsecurityidentifier
- ensure that the kerberos ticket for the user contains PAC data
by using the utility ipa-print-pac

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
31d095ea by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
ipatests: interactive install prompts for netbios name

The interactive server installation now prompts for netbios
name confirmation.
Add expected prompt and send response to the installer.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
efc9df08 by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
ipatests: adapt expected output with SID

From now on, new users/groups automatically get a SID.
Update the expect test outputs.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
86d1683e by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
User lifecycle: ignore SID when moving from preserved to staged

When a preserved user entry is moved to staged state, the SID
attribute must not be provided to user-stage command (the option
does not exist and the SID will be re-generated anyway).

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c6fd0d00 by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
ipatests: backup-reinstall-restore needs to clear sssd cache

The integration tests that check backup-reinstall-restore
scenario need to clear sssd cache before checking the uid
of the admin user. For instance:
backup: saves the original admin uid
reinstall: creates a new admin uid, potentially cached by SSSD
restore: restores the original admin uid

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9c7e8c66 by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
Webui tests: new idrange now requires base RID

Now that SIDs are always generated, the creation of a new
local idrange is refused if baserid is missing.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
61f42aef by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
User plugin: do not return the SID on user creation

The SID is not part of the default user attributes and does not
need to be returned in the user-add output.

Related: https://pagure.io/freeipa/issue/8995
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
009a8cdf by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
ipatests: update the expected output of user-add cmd

The SID is not expected to be returned by ipa user-add.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
331cadd8 by Rob Crittenden at 2021-11-04T09:44:39+01:00
Make the schema cache TTL user-configurable

The API schema is not checked for changes until after a TTL
is expired. A one-hour TTL was hardcoded which makes development
tedious because the only way to force a schema update is to
remember to remove files between invocations.

This adds a new environment variable, schema_ttl, to configure
the TTL returned by the server to schema() calls. This can be
set low to ensure a frequent refresh during development.

If the client is in compat mode, that is if client is working
against a server that doesn't support the schema() command,
then use the client's schema_ttl instead so that the user still
has control.

Re-check validity before writing the cache. This saves us both
a disk write and the possibility of updating the expiration
with a ttl of 0. This can happen if the fingerprint is still
valid (not expired, no language change) the schema check is
skipped so we have no server-provided ttl.

https://pagure.io/freeipa/issue/8492

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
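A model of the client-side cache logic described in 331cadd8, added here as an example; it is not ipaclient's schema cache code. FakeServer stands in for the server's schema() command (returning None models a server without it, the "compat mode" case), the clock is injectable so the expiry can be driven deterministically, and the cache entry lives in memory where the real client writes a file. The shape of the schema() reply (ttl, fingerprint, schema) is an assumption made for the example:

```python
import time

DEFAULT_SCHEMA_TTL = 3600   # the value that was hard-coded before 331cadd8


class FakeServer:
    """Constructed stand-in for the server side of the schema() command."""

    def __init__(self, schema, fingerprint, ttl=DEFAULT_SCHEMA_TTL,
                 has_schema_cmd=True):
        self.schema_data, self.fingerprint, self.ttl = schema, fingerprint, ttl
        self.has_schema_cmd = has_schema_cmd
        self.calls = 0

    def schema(self, known_fingerprint):
        """Return the ttl, plus the schema itself when the client's copy is stale."""
        self.calls += 1
        if not self.has_schema_cmd:
            return None                       # compat mode: old server
        if known_fingerprint == self.fingerprint:
            return {"ttl": self.ttl}
        return {"ttl": self.ttl, "fingerprint": self.fingerprint,
                "schema": self.schema_data}

    def legacy_schema(self):
        return self.schema_data


class SchemaCache:
    """Client-side cache keyed on fingerprint, language and expiry."""

    def __init__(self, schema_ttl=DEFAULT_SCHEMA_TTL, clock=time.time):
        self.schema_ttl = schema_ttl          # the new user-configurable knob
        self.clock = clock
        self.entry = None                     # a file on disk in the real client
        self.writes = 0

    def is_valid(self, language):
        e = self.entry
        return (e is not None and e["language"] == language
                and e["expiration"] > self.clock())

    def load(self, server, language):
        # Re-check validity before doing anything else: when the cached copy
        # is still good there is no server round trip, hence no server ttl,
        # and nothing to write.  Writing here anyway is what produced an
        # expiration computed from a ttl of 0.
        if self.is_valid(language):
            return self.entry["schema"]
        known = self.entry["fingerprint"] if self.entry else None
        resp = server.schema(known)
        if resp is None:
            # Server lacks schema(): the client's own schema_ttl applies.
            schema, fingerprint, ttl = (server.legacy_schema(), "compat",
                                        self.schema_ttl)
        else:
            schema = resp.get("schema",
                              self.entry["schema"] if self.entry else None)
            fingerprint = resp.get("fingerprint", known)
            ttl = resp.get("ttl", self.schema_ttl)
        self.entry = {"schema": schema, "fingerprint": fingerprint,
                      "language": language, "expiration": self.clock() + ttl}
        self.writes += 1
        return schema
```

Setting schema_ttl low (a few seconds) on a development client makes every invocation after the TTL re-fingerprint against the server, which is the workflow the commit is after; the early return in load() is the "re-check validity before writing" part.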
d3edc039 by Mohammad Rizwan at 2021-11-04T09:49:18+01:00
ipatests: remove redundant kinit from test

Fixture issue_and_expire_cert() runs kinit after moving the date to
expire certs. This fix relies on the kinit from the fixture.

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
4c14b8cf by Sumedh Sidhaye at 2021-11-09T10:25:13+01:00
Test to verify the case of a request for /ca/rest/authority/{id}/cert (or .../chain)

where {id} is an unknown authority ID.

Test Steps:
1. Setup a freeipa server and a replica
2. Stop ipa-custodia service on replica
3. Create a LWCA on the replica
4. Verify LWCA is recognized on the server
5. Run `ipa ca-show <LWCA>`

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
421e1246 by Florence Blanc-Renaud at 2021-11-10T17:17:19+01:00
ipatests: fix get_user_result method

Because the sidgen plugin is a postop plugin, it is not
always triggered before the result of an ADD is returned
and the objectclasses of the user may / may not contain
ipantuserattrs.
Fix the get_user_result method to work in all the cases.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9ded98b6 by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
ipa-kdb: store SID in the principal entry

If the principal entry in LDAP has a SID associated with it, store it to
be able to quickly assess the SID when processing the PAC.

Also rename string_to_sid to an IPA-specific version as it uses a different
prototype than the Samba version.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Robert Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9ecbdd8e by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
ipa-kdb: enforce SID checks when generating PAC

Check that a domain SID and a user SID in the PAC passed to us are what
they should be for the local realm's principal.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Robert Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
eb5a93dd by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
ipa-kdb: use entry DN to compare aliased entries in S4U operations

When working with aliased entries, we need a reliable way to detect
whether two principals reference the same database entry. This is
important in S4U checks.

Ideally, we should be using SIDs for these checks as S4U requires PAC
record presence which cannot be issued without a SID associated with an
entry. This is true for user principals and a number of host/service
principals associated with Samba. Other service principals do not have
SIDs because we do not allocate POSIX IDs to them in FreeIPA. When PAC
is issued for these principals, they get SID of a domain computer or
domain controller depending on their placement (IPA client or IPA
server).

Since 389-ds always returns unique entry DN for the same entry, rely on
this value instead. We could have used ipaUniqueID but for Kerberos
principals created through the KDB (kadmin/kdb5_util) we don't have
ipaUniqueID in the entry.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8b5e4961 by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
ipa-kdb: S4U2Proxy target should use a service name without realm

According to new Samba Kerberos tests and [MS-SFU] 3.2.5.2.4
'KDC Replies with Service Ticket', the target should not include the
realm.

Fixes: https://pagure.io/freeipa/issue/9031

Pair-programmed-with: Andreas Schneider <asn at redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Andreas Schneider <asn at redhat.com>
Reviewed-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4cafdac1 by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
ipa-kdb: add support for PAC_UPN_DNS_INFO_EX

CVE-2020-25721 mitigation: KDC must provide the new HAS_SAM_NAME_AND_SID
buffer with sAMAccountName and ObjectSID values associated with the
principal.

The mitigation only works if NDR library supports the
PAC_UPN_DNS_INFO_EX buffer type. In case we cannot detect it at compile
time, a warning will be displayed at configure stage.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
879ef1b1 by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
ipa-kdb: add support for PAC_REQUESTER_SID buffer

CVE-2020-25721 mitigation: KDC must provide the new PAC_REQUESTER_SID
buffer with ObjectSID value associated with the requester's principal.

The mitigation only works if NDR library supports the PAC_REQUESTER_SID
buffer type. In case we cannot detect it at compile time, a warning will
be displayed at configure stage.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b71467e2 by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
ipa-kdb: add PAC_ATTRIBUTES_INFO PAC buffer support

PAC_ATTRIBUTES_INFO PAC buffer allows both client and KDC to tell
whether a PAC structure was requested by the client or it was provided
by the KDC implicitly. Kerberos service then can continue processing or
deny access in case client explicitly requested to operate without PAC.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
adf5ab73 by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
ipa-kdb: Use proper account flags for Kerberos principal in PAC

As part of CVE-2020-25717 mitigations, Samba expects correct user
account flags in the PAC. This means for services and host principals we
should be using ACB_WSTRUST or ACB_SVRTRUST depending on whether they
run on IPA clients ("workstation" or "domain member") or IPA servers
("domain controller").

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
693c165c by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
SMB: switch IPA domain controller role

As a part of CVE-2020-25717 mitigations, Samba now assumes 'CLASSIC
PRIMARY DOMAIN CONTROLLER' server role does not support Kerberos
operations.  This is the role that IPA domain controller was using for
its hybrid NT4/AD-like operation.

Instead, 'IPA PRIMARY DOMAIN CONTROLLER' server role was introduced in
Samba. Switch to this role for new installations and during the upgrade
of servers running ADTRUST role.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a95ccd90 by Alexander Bokovoy at 2021-11-15T14:51:24+01:00
ipa-kdb: honor SID from the host or service entry

If the SID was explicitly set for the host or service entry, honor it
when issuing PAC. For normal services and hosts we don't allocate
individual SIDs but for cifs/... principals on domain members we do as
they need to login to Samba domain controller.

Related: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5213c1e4 by Alexander Bokovoy at 2021-11-15T14:51:24+01:00
ipa-kdb: validate domain SID in incoming PAC for trusted domains for S4U

Previously, ipadb_check_logon_info() was called only for cross-realm
case. Now we call it for both in-realm and cross-realm cases. In case of
the S4U2Proxy, we would be passed a PAC of the original caller which
might be a principal from the trusted realm. We cannot validate that PAC
against our local client DB entry because this is the proxy entry which
is guaranteed to have different SID.

In such a case, validate the SID of the domain in the PAC against our realm
and any trusted domain but skip the additional check of the DB entry in
the S4U2Proxy case.

Related: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
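The SID checks from 9ecbdd8e and 5213c1e4 together with the PAC_REQUESTER_SID and PAC_ATTRIBUTES_INFO buffers from 879ef1b1 and b71467e2, modelled in Python as an added example. This is not ipa-kdb code (which does this in C through Samba's NDR library): the PACTYPE header, the buffer type numbers 0x11 and 0x12 and the two attribute flag bits follow [MS-PAC], the SID wire layout is the standard one, the domain SIDs are constructed, and validate_pac() is an assumed, simplified interface that reads the SID from the PAC_REQUESTER_SID buffer rather than from the NDR-encoded logon info:

```python
import struct

# Buffer type numbers from [MS-PAC] 2.4
PAC_TYPE_ATTRIBUTES_INFO = 0x11
PAC_TYPE_REQUESTER_SID = 0x12
# PAC_ATTRIBUTES_INFO flag bits ([MS-PAC] 2.14)
PAC_WAS_REQUESTED = 0x1
PAC_WAS_GIVEN_IMPLICITLY = 0x2


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-a-b-c-rid' in the binary SID layout: revision,
    sub-authority count, 48-bit big-endian authority, then little-endian
    32-bit sub-authorities."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("malformed SID %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(buf):
    """Inverse of sid_to_bytes()."""
    revision, count = struct.unpack_from("<BB", buf, 0)
    authority = int.from_bytes(buf[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def split_sid(sid):
    """'S-1-5-21-a-b-c-1000' -> ('S-1-5-21-a-b-c', 1000)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def build_pac(buffers):
    """Serialise {buffer type: body} as a PACTYPE blob: cBuffers, Version,
    one (ulType, cbBufferSize, Offset) entry per buffer, then the bodies
    at 8-byte aligned offsets."""
    header_len = 8 + 16 * len(buffers)
    data_start = (header_len + 7) & ~7
    header = struct.pack("<II", len(buffers), 0)
    data = b""
    for btype, body in buffers.items():
        header += struct.pack("<IIQ", btype, len(body), data_start + len(data))
        data += body + b"\0" * (-len(body) % 8)
    return header + b"\0" * (data_start - len(header)) + data


def parse_pac(blob):
    """Return {buffer type: body bytes}, refusing entries outside the blob."""
    count, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unsupported PACTYPE version %d" % version)
    buffers = {}
    for i in range(count):
        btype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError("buffer %#x runs past the end of the PAC" % btype)
        buffers[btype] = blob[offset:offset + size]
    return buffers


def attributes_info(flags):
    """PAC_ATTRIBUTES_INFO body: FlagsLength (in bits), then the flag bits."""
    return struct.pack("<II", 2, flags)


def validate_pac(blob, entry_sid, local_domain_sid, trusted_domain_sids,
                 s4u2proxy=False):
    """Checks in the spirit of the commits above; returns (ok, reason).

    entry_sid is the SID stored on the client's LDAP entry."""
    buffers = parse_pac(blob)
    if PAC_TYPE_REQUESTER_SID not in buffers:
        return False, "PAC carries no PAC_REQUESTER_SID buffer"
    requester = sid_from_bytes(buffers[PAC_TYPE_REQUESTER_SID])
    domain, _rid = split_sid(requester)
    # The domain SID must be ours or a trusted domain's, S4U or not.
    if domain != local_domain_sid and domain not in trusted_domain_sids:
        return False, "domain %s is neither local nor trusted" % domain
    # In S4U2Proxy the PAC describes the original caller, not the proxy
    # service whose DB entry we hold, so the per-entry comparison is skipped.
    if not s4u2proxy and requester != entry_sid:
        return False, "PAC SID %s does not match entry SID %s" % (requester,
                                                                  entry_sid)
    attrs = buffers.get(PAC_TYPE_ATTRIBUTES_INFO)
    if attrs is not None:
        _nbits, flags = struct.unpack_from("<II", attrs, 0)
        if not flags & (PAC_WAS_REQUESTED | PAC_WAS_GIVEN_IMPLICITLY):
            return False, "client explicitly asked for a ticket without PAC"
    return True, "ok"


if __name__ == "__main__":
    dom = "S-1-5-21-1111-2222-3333"          # constructed domain SID
    pac = build_pac({
        PAC_TYPE_REQUESTER_SID: sid_to_bytes(dom + "-1000"),
        PAC_TYPE_ATTRIBUTES_INFO: attributes_info(PAC_WAS_REQUESTED),
    })
    print(validate_pac(pac, dom + "-1000", dom, set()))
    print(validate_pac(pac, dom + "-1001", dom, set()))
```

The order of the checks is the point: the domain check runs unconditionally, the per-entry SID comparison is skipped only for S4U2Proxy, and a PAC whose attributes say the client declined one is still rejected after both SID checks pass.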
ed817485 by Timo Aaltonen at 2021-11-17T15:31:33+02:00
control: Drop libwbclient-sssd from freeipa-client-samba Depends.

- - - - -
a0d1c51f by Timo Aaltonen at 2021-11-17T15:39:07+02:00
patches: Import a patch to fix ipa cert-find. (Closes: #997952)

- - - - -
832131bf by Timo Aaltonen at 2021-11-17T15:41:37+02:00
releasing package freeipa version 4.9.7-2

- - - - -
19261b37 by Timo Aaltonen at 2021-11-17T16:34:29+02:00
tests: Set KRB5_TRACE to use stderr.

- - - - -
b086da4d by Timo Aaltonen at 2021-11-17T16:36:02+02:00
wrap a changelog entry

- - - - -
0428e800 by Timo Aaltonen at 2021-11-18T10:59:22+02:00
patches: Fix apache group properly.

- - - - -
118b06e9 by Timo Aaltonen at 2021-11-18T11:15:28+02:00
client: Move .tmpfile -> .tmpfiles.

- - - - -
2644cba6 by Timo Aaltonen at 2021-11-18T11:16:17+02:00
control: Bump debhelper to 13, gain dh_installtmpfiles being run.

- - - - -
038c24af by Timo Aaltonen at 2021-11-18T17:25:29+02:00
control, rules: Add --without-ipa-join-xml and drop libxmlrpc from depends.

- - - - -
2b5cb6c3 by Timo Aaltonen at 2021-11-18T18:50:16+02:00
server.postinst: Drop creating old ccaches for mod_auth_gssapi, obsolete.

- - - - -
7bba5e75 by Timo Aaltonen at 2021-11-18T18:52:43+02:00
server.postinst: Drop old upgrade rules.

- - - - -
97062538 by Timo Aaltonen at 2021-11-18T19:11:43+02:00
patches: Fix named keytab name.

- - - - -
9fe1b05e by Timo Aaltonen at 2021-11-18T21:20:45+02:00
releasing package freeipa version 4.9.7-3

- - - - -
8ca5b094 by Florence Blanc-Renaud at 2021-11-18T20:24:03+01:00
ipatests: mark test_installation_TestInstallWithCA_DNS3 as xfail

The test failure is a known issue, happening on f33+. Mark as xfail
until 8700 is fixed.

Related: https://pagure.io/freeipa/issue/8700
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
c850cd52 by Alexander Bokovoy at 2021-11-18T20:25:24+01:00
freeipa.spec.in: -server subpackage should require samba-client-libs

KDB driver extensively uses NDR parsing and marshalling code provided by
Samba libraries. Since these libraries are internal to Samba, they often
change structures without updating SONAME. Typical changes include
adding new structures, so we should require samba-client-libs we were
built against.

There used to be a %requires_eq macro in RPM but it was removed from
Fedora some time ago. We need a greater-than-or-equal version of it, thus
%ipa_requires_gt is defined in the spec file.

Related: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
d97250fa by Armando Neto at 2021-11-18T19:59:18-03:00
ipatests: Bump PR-CI latest templates to Fedora 35

Moving 'latest' to Fedora 35 and 'previous' to Fedora 34.

Based on https://github.com/freeipa/freeipa-pr-ci/pull/445.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
bb5ef716 by Armando Neto at 2021-11-19T22:14:45+01:00
ipatests: Fix UI_driver method after Selenium upgrade

`WebDriver.switch_to_active_element()` was deprecated in favour of
`driver.switch_to.active_element`.

Method was deprecated a long time ago, however deprecation message and
proxy method were removed recently and are not present in latest
version.

https://selenium-python.readthedocs.io/api.html#selenium.webdriver.remote.webdriver.WebDriver.switch_to_active_element
https://www.selenium.dev/selenium/docs/api/py/webdriver_remote/selenium.webdriver.remote.webdriver.html#selenium.webdriver.remote.webdriver.WebDriver.switch_to

Issue: https://pagure.io/freeipa/issue/9029

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
76afa643 by François Cami at 2021-11-22T12:35:55+01:00
pwpolicy: change lifetime error message

ipa pwpolicy-mod --minlife $min --maxlife $max
accepts $max >= $min, yet the error message says:
"Maximum password life must be greater than minimum."

Change the error message so that it conveys the
actual logic.

Fixes: https://pagure.io/freeipa/issue/9038
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4f5ed837 by Petr Vobornik at 2021-11-22T17:58:20+01:00
fix(webui): create correct PTR record when navigated from host page

In scenario:
1. make sure that reverse zone doesn't have the desired PTR record
2. open host page of the host with the matching A record, e.g.: https://server.pvoborni.test/ipa/ui/#/e/host/details/test2.pvoborni.test
3. click on the "Host name" link, it will bring us to its DNS record page. E.g., https://server.pvoborni.test/ipa/ui/#/e/dnsrecord/details/pvoborni.test&test2
! notice the missing '.' in the URL after zone name (pvoborni.test)
4. click on the A record , dialog will show up, saying "record not found"
5. click on the "create DNS record"

PTR record created by Web UI doesn't have trailing '.' (is not fully
qualified record) even if the DNS zone is.

This patch is fixing the link to the DNS Record page so that the
page then correctly gets the DNS Zone name and thus creates a correct
fully qualified PTR record.

https://bugzilla.redhat.com/show_bug.cgi?id=2009114
https://pagure.io/freeipa/issue/9036

Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
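Why the missing trailing dot in 4f5ed837 matters, as an added example that is not the Web UI's code. ptr_record() builds the reverse zone, record name and PTR target for an IPv4 address, insisting that the forward zone is absolute so the target is fully qualified; resolve_in_zone() shows what a name server makes of a relative target stored in a reverse zone. The /8, /16 and /24 reverse zone split and the IPv4-only scope are assumptions of the example:

```python
import ipaddress


def ptr_record(hostname, zone, ip, prefixlen=24):
    """Return (reverse zone, record name, PTR target) for an IPv4 host.

    zone is the forward DNS zone and must be absolute (trailing dot); the
    PTR target is then absolute as well.  prefixlen selects a classful
    in-addr.arpa zone (8, 16 or 24), an assumption for this example."""
    if not zone.endswith("."):
        raise ValueError("forward zone must be absolute: %r" % zone)
    if prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 reverse zones are modelled")
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only")
    # An already absolute hostname is kept; a relative one is qualified
    # with the forward zone, which is exactly what the fixed UI link does.
    target = hostname if hostname.endswith(".") else "%s.%s" % (hostname, zone)
    octets = str(addr).split(".")
    n = prefixlen // 8
    reverse_zone = ".".join(reversed(octets[:n])) + ".in-addr.arpa."
    name = ".".join(reversed(octets[n:]))
    return reverse_zone, name, target


def resolve_in_zone(name, zone):
    """What a DNS server makes of a name stored in zone: absolute names are
    kept, relative ones get the zone appended."""
    return name if name.endswith(".") else "%s.%s" % (name, zone)


if __name__ == "__main__":
    rzone, name, target = ptr_record("test2", "pvoborni.test.", "192.0.2.10")
    print(rzone, name, "PTR", target)
    # The record the old UI produced: zone name without the dot.
    print("broken target resolves to",
          resolve_in_zone("test2.pvoborni.test", rzone))
```

A PTR target of "test2.pvoborni.test" inside 2.0.192.in-addr.arpa. is not a typo-level problem: the server answers reverse lookups with "test2.pvoborni.test.2.0.192.in-addr.arpa.", so anything that checks forward/reverse consistency (Kerberos clients, sshd with hostname checks, mail servers) sees a mismatch.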
a286cd31 by Petr Vobornik at 2021-11-22T17:58:20+01:00
webui tests: remove unnecessary code in add_record

Pkeys are not used anywhere in the method thus can be removed.

Related: https://pagure.io/freeipa/issue/9036

Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
1c66226e by Rob Crittenden at 2021-11-23T10:23:09+01:00
Don't limit role-find by hostname when searching for last KRA

The "is this the last KRA" test did a role-find including the
current server. This skewed the result if the server to be
removed has a KRA installed, it would always return "not allowed"
because len(roles) == 1 and the name matched, regardless of
whether other servers also provided a KRA.

https://pagure.io/freeipa/issue/8397

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
1660cfa3 by Jochen Kellner at 2021-11-23T16:13:00+01:00
Remove duplicate _() in the error path

When running IPA in locale de_DE.UTF-8 I got an internal error:

jochen at freeipa1:~$ ipa server-del freeipa4.example.org
Removing freeipa4.example.org from replication topology, please wait...
ipa: ERROR: Ein interner Fehler ist aufgetreten

This is not the complete messages. Using en_US.UTF-8 would be ok.
In the httpd error_log:

] ipa: ERROR: non-public: TypeError: unhashable type: 'Gettext'
] Traceback (most recent call last):
]   File "/usr/lib/python3.10/site-packages/ipaserver/rpcserver.py", line 407, in wsgi_execute
]     result = command(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 471, in __call__
]     return self.__do_call(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 499, in __do_call
]     ret = self.run(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 821, in run
]     return self.execute(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1686, in execute
]     delete_entry(pkey)
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1637, in delete_entry
]     dn = callback(self, ldap, dn, *nkeys, **options)
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 755, in pre_callback
]     self._ensure_last_of_role(
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 520, in _ensure_last_of_role
]     handler(
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 482, in handler
]     raise errors.ServerRemovalError(reason=_(msg))
]   File "/usr/lib/python3.10/site-packages/ipalib/errors.py", line 269, in __init__
]     messages.process_message_arguments(self, format, message, **kw)
]   File "/usr/lib/python3.10/site-packages/ipalib/messages.py", line 55, in process_message_arguments
]     kw[key] = unicode(value)
]   File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 296, in __str__
]     return unicode(self.as_unicode())
]   File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 293, in as_unicode
]     return t.gettext(self.msg)
]   File "/usr/lib64/python3.10/gettext.py", line 498, in gettext
]     tmsg = self._catalog.get(message, missing)
] TypeError: unhashable type: 'Gettext'
] ipa: INFO: [jsonserver_session] admin at EXAMPLE.ORG: server_del/1(['freeipa4.example.org'], version='2.245'): InternalError

Alexander suggested removing _() in the local handler() function in
_ensure_last_of_role():

            else:
                raise errors.ServerRemovalError(reason=_(msg))

Looks like all the callers already give a gettext-enabled message
(wrapped with _() already).

At least for my case I now get a complete error message.

Fixes: https://pagure.io/freeipa/issue/9046
Signed-off-by: Jochen Kellner <jochen at jochen.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
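
A runnable model of the double-wrapping failure described in the commit above (an added example, not FreeIPA code): LazyText stands in for ipalib.text.Gettext, CatalogTranslations for a locale with a loaded message catalog such as de_DE, and the message text and catalog entry are constructed. It shows why the lookup only breaks when a catalog is present, which is why en_US worked.

```python
import gettext


class LazyText:
    """Deferred translation, resolved with str() at the point of use."""

    def __init__(self, msg, translation):
        self.msg = msg
        self._translation = translation

    def __eq__(self, other):
        return isinstance(other, LazyText) and self.msg == other.msg

    # Defining __eq__ without __hash__ makes instances unhashable,
    # as with ipalib's Gettext: they cannot be used as dict keys.

    def __str__(self):
        return str(self._translation.gettext(self.msg))


class CatalogTranslations(gettext.NullTranslations):
    """Like GNUTranslations: gettext() looks the message up in a dict."""

    def __init__(self, catalog):
        super().__init__()
        self._catalog = catalog

    def gettext(self, message):
        # The dict lookup is where an unhashable LazyText key raises.
        return self._catalog.get(message, message)


# Constructed sample message and catalog entry (not FreeIPA strings).
MSG = "%(role)s is the last instance"
DE = CatalogTranslations({MSG: "%(role)s ist die letzte Instanz"})
EN = gettext.NullTranslations()  # no catalog: gettext() returns its input


def render_reason(msg, translation, double_wrap):
    """Render the error reason, or return the exception as text."""
    def _(m):
        return LazyText(m, translation)
    wrapped = _(msg)                  # callers already wrap with _()
    reason = _(wrapped) if double_wrap else wrapped  # buggy vs. fixed handler()
    try:
        return str(reason)
    except TypeError as e:
        return f"{type(e).__name__}: {e}"
```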

- - - - -
a9c08073 by Florence Blanc-Renaud at 2021-11-23T17:41:13+01:00
ipatests: remove xfail on f35+ for test_number_of_zones

systemd-resolved fixed the issue on f35+
Related: https://pagure.io/freeipa/issue/8700

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
f89d59b6 by François Cami at 2021-11-25T18:35:13+01:00
freeipa.spec: depend on bind-dnssec-utils

The OpenDNSSec integration code requires:
/usr/sbin/dnssec-keyfromlabel-pkcs11
which is provided by bind-pkcs11-utils, but that package is
only available on RHEL<9.

With this change, freeipa-server-dns depends on bind-dnssec-utils
on all Fedora releases and RHEL==9+, and uses:
/usr/sbin/dnssec-keyfromlabel -E pkcs11
instead of dnssec-keyfromlabel-pkcs11.

Fixes: https://pagure.io/freeipa/issue/9026
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Antonio Torres Moríñigo <antorres at redhat.com>

- - - - -
c587db88 by Antonio Torres at 2021-11-25T18:50:24+01:00
Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
b4f9026e by Antonio Torres at 2021-11-25T18:53:53+01:00
Update list of contributors

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
a9620a5d by Antonio Torres at 2021-11-25T19:17:03+01:00
Become IPA 4.9.8

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
d19214ab by Timo Aaltonen at 2021-11-26T09:43:46+02:00
Merge branch 'upstream'

- - - - -
01d1c90e by Timo Aaltonen at 2021-11-26T09:45:36+02:00
patches: Drop upstreamed patch.

- - - - -
bc3519e3 by Timo Aaltonen at 2021-11-26T09:49:44+02:00
server.install: Updated.

- - - - -
dfae1514 by Timo Aaltonen at 2021-11-26T09:54:06+02:00
bump the version

- - - - -
b813540e by Timo Aaltonen at 2021-12-15T16:32:08+02:00
Build only the client, in order to be able to backport to bullseye. (Closes: #996946)

- - - - -
90ebba04 by Timo Aaltonen at 2021-12-15T16:33:18+02:00
control: Depend on librpm9 instead of librpm8.

- - - - -
10646b64 by Timo Aaltonen at 2021-12-15T16:37:06+02:00
tests: Disabled for a client-only build.

- - - - -
99aa1043 by Timo Aaltonen at 2021-12-15T16:41:56+02:00
releasing package freeipa version 4.9.8-1

- - - - -
5fac1153 by Timo Aaltonen at 2021-12-15T16:44:12+02:00
Upload to experimental, build the server and enable tests.

- - - - -
ae0ca698 by Timo Aaltonen at 2021-12-15T16:44:25+02:00
releasing package freeipa version 4.9.8-1+exp1

- - - - -


30 changed files:

- .gitignore
- .lgtm.yml
- .tox-install.sh
- .wheelconstraints.in
- ACI.txt
- API.txt
- Contributors.txt
- Makefile.am
- README.md
- VERSION.m4
- client/Makefile.am
- client/ipa-getkeytab.c
- client/ipa-rmkeytab.c
- client/man/default.conf.5
- client/man/epn.conf.5
- client/man/ipa-certupdate.1
- client/man/ipa-client-automount.1
- client/man/ipa-client-install.1
- client/man/ipa-client-samba.1
- client/man/ipa-epn.1
- client/man/ipa-getkeytab.1
- client/man/ipa-join.1
- client/man/ipa-rmkeytab.1
- client/man/ipa.1
- client/systemd/ipa-epn.service.in
- configure.ac
- + contrib/cachelog
- + contrib/perflog
- daemons/dnssec/ipa-dnskeysyncd.service.in
- daemons/dnssec/ipa-ods-exporter.in


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/d63a654c38b747c49adb867697693195f9799a66...ae0ca69844cdfbf92735368cae934c0e5513d790


