[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master] 99 commits: VERSION.m4: Set back to git snapshot

Timo Aaltonen gitlab at salsa.debian.org
Tue Feb 5 20:15:33 GMT 2019


Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa


Commits:
e5ff6041 by Rob Crittenden at 2018-10-05T18:28:37Z
VERSION.m4: Set back to git snapshot

- - - - -
112ea43d by Florence Blanc-Renaud at 2018-10-09T15:43:13Z
certdb: provide meaningful err msg for wrong PIN

ipa-server-install or ipa-replica-install do not provide
a meaningful error message in CA-less mode when the install
fails because of a wrong PIN.

Update the err msg so that it provides a hint to the user.

Fixes https://pagure.io/freeipa/issue/5378

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
c7d7638b by Florence Blanc-Renaud at 2018-10-09T15:43:13Z
ipa tests: CA less

Remove the annotation pytest.mark.xfail as issue 5378 has been fixed.

Related to https://pagure.io/freeipa/issue/5378

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
193bedc5 by Alexander Bokovoy at 2018-10-10T11:51:43Z
adtrust: define Guests mapping after creating cifs/ principal

All Samba utilities load passdb modules from the configuration file. As
a result, 'net groupmap' call would try to initialize ipasam passdb module
and that one would try to connect to LDAP using Kerberos authentication.

We should be running it after cifs/ principal is actually created in
ipa-adtrust-install or otherwise setting up group mapping will fail.

This only affects new installations. For older ones 'net groupmap' would
work just fine because adtrust is already configured and all principals
exist already.

A re-run of 'ipa-server-upgrade' is a workaround too but better to fix
the initial setup.

Related: https://pagure.io/freeipa/issue/7705
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a1267bda by Thomas Woerner at 2018-10-12T07:45:21Z
ipaclient: Remove --no-sssd and --no-ac options

Client installation with --no-sssd option has already been deprecated
with https://pagure.io/freeipa/issue/5860. Authconfig support has been
removed, therefore --no-ac option can be removed also.

ipatests/test_integration/test_authselect.py: Skip no_sssd and no_ac tests.

See: https://pagure.io/freeipa/issue/7671
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
67875c3b by Thomas Woerner at 2018-10-12T07:50:29Z
Find orphan automember rules

If groups or hostgroups have been removed after automember rules have been
created using them, then automember-rebuild, automember-add, host-add and
more commands could fail.

A new command has been added to the ipa tool:

  ipa automember-find-orphans --type={hostgroup,group} [--remove]

This command returns the list of orphan automember rules in the same way as
automember-find. With the --remove option the orphan rules are also removed.

The IPA API version has been increased and a test case has been added.

Using ideas from a patch by: Rob Crittenden <rcritten at redhat.com>

See: https://pagure.io/freeipa/issue/6476
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
be5513ba by Rob Crittenden at 2018-10-15T08:16:49Z
Enable LDAP debug output in client to display TLS errors in join

If ipa-join fails due to a TLS connection error when doing an
LDAP-based enroll then nothing is logged by default except an
Invalid Password error which is misleading (because the failure
occurs during the bind).

The only way that debugging would have been sufficient is if
the user passed --debug to ipa-client-install which is not great.

This log level is otherwise very quiet and only logs one or two
lines on errors which is perfect.

https://pagure.io/freeipa/issue/7728

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
13b6fec0 by Stanislav Levin at 2018-10-15T12:07:12Z
Move ipa's systemd tmpfiles from /var/run to /run

systemd 239 complains about the legacy of ipa's tmpfiles which
are located on /var/run.

Fixes: https://pagure.io/freeipa/issue/7732
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d0978c8d by Florence Blanc-Renaud at 2018-10-15T12:08:59Z
Bump requires 389-ds-base

ipa-replica-install sometimes fails with
--
[28/41]: setting up initial replication
Starting replication, please wait until this has completed.
[ldap://master.ipa.test:389] reports: Replica Busy! Status: [Error (1) Replication error acquiring replica: replica busy]
 [error] RuntimeError: Failed to start replication
--
which is caused by a 389-ds issue
(https://pagure.io/389-ds-base/issue/49818)
Bump requires to include the fix.

Fixes: https://pagure.io/freeipa/issue/7642
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
6a066cc6 by Florence Blanc-Renaud at 2018-10-18T06:08:02Z
ipatests: fix path in expected error message

The test is putting server.p12 / replica.p12 in the test_dir directory,
and the error message is printing the file name with its full path.

Related to https://pagure.io/freeipa/issue/5378

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
f3e3da50 by Rob Crittenden at 2018-10-19T17:35:05Z
Handle NTP configuration in a replica server installation

There were two separate issues:

1. If not enrolling on a pre-configured client then the ntp-server and
   ntp-pool options are not being passed down to the client installer
   invocation.
2. If the client is already enrolled then the ntp options are ignored
   altogether.

In the first case simply pass down the options to the client
installer invocation.

If the client is pre-enrolled and NTP options are provided then
raise an exception.

https://pagure.io/freeipa/issue/7723

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
9cfd07e8 by Petr Vobornik at 2018-10-23T14:48:53Z
ipa-advise: update url of cacerdir_rehash tool

On legacy systems which don't have cacerdir_rehash tool (provided by authconfig)
the generated advise script downloads this tool from project page and uses it.

After decommission of Fedorahosted and move of authconfig project to Pagure,
this url was not updated in FreeIPA project.

This patch updates the url.

https://pagure.io/freeipa/issue/7731

Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
fb653a04 by Thomas Woerner at 2018-10-24T11:29:23Z
Update annobin to fix continuous-integration/travis-ci/pr issues

gcc is updated with the dnf builddep line, but annobin is not. Therefore
configure fails with "C compiler cannot create executables".

This is related to https://bugzilla.redhat.com/show_bug.cgi?id=1574478

Same change for .test_runner_config_py3_temp.yaml has been added for 4-7
branch.

See: https://pagure.io/freeipa/issue/7740
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
b745b407 by Alexander Bokovoy at 2018-10-24T14:17:42Z
net groupmap: force using empty config when mapping Guests

When we define a group mapping for BUILTIN\Guests to 'nobody' group,
we run 'net groupmap add ...' with a default /etc/samba/smb.conf which
is now configured to use ipasam passdb module. We authenticate to LDAP
with GSSAPI in ipasam passdb module initialization.

If GSSAPI authentication failed (KDC is offline, for example, during
server upgrade), 'net groupmap add' crashes after ~10 attempts to
re-authenticate. This is intended behavior in smbd/winbindd as they
cannot work anymore. However, for the command line tools there are
plenty of operations where passdb module is not needed.

Additionally, GSSAPI authentication uses the default ccache in the
environment and a key from /etc/samba/samba.keytab keytab. This means
that if you'd run 'net *' as root, it will replace whatever Kerberos
tickets you have with a TGT for cifs/`hostname` and a service ticket to
ldap/`hostname` of IPA master.

Apply a simple solution to avoid using /etc/samba/smb.conf when we
set up the group mapping by specifying '-s /dev/null' in 'net groupmap'
call.

For upgrade code this is enough as in
a678336b8b36cdbea2512e79c09e475fdc249569 we enforce use of empty
credentials cache during upgrade to prevent tripping on individual
ccaches from KEYRING: or KCM: cache collections.

Related: https://pagure.io/freeipa/issue/7705
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
be968ea0 by Florence Blanc-Renaud at 2018-10-24T14:21:47Z
ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad

When adding the option --setup-adtrust to ipa-replica-install,
we need to check that the package freeipa-server-trust-ad is
installed.
To avoid relying on OS-specific commands like yum, the check is instead
ensuring that the file /usr/share/ipa/smb.conf.empty is present
(this file is delivered by the package).
When the check is unsuccessful, ipa-replica-install exits with an error
message.

Fixes: https://pagure.io/freeipa/issue/7602
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
705e280e by Thomas Woerner at 2018-10-24T14:23:38Z
Fix resource leak in client/config.c get_config_entry

The leak happens due to using strndup to create a temporary string without
freeing it afterwards.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ebb14ed6 by Thomas Woerner at 2018-10-24T14:23:38Z
Fix resource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon

The leak happens due to using strndup in a for loop to create a temporary
string without freeing it in all cases.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
30515041 by Christian Heimes at 2018-10-24T15:46:46Z
Fix ipadb_multires resource handling

* ipadb_get_pwd_policy() initializes struct ipadb_multires *res to NULL.
* ipadb_multires_free() supports NULL as no-op.
* ipadb_multibase_search() consistently frees and NULLs
  struct ipadb_multires **res on error.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4ca3120b by Christian Heimes at 2018-10-24T15:46:46Z
Don't abuse strncpy() length limitation

On two occasions C code abused strncpy()'s length limitation to copy a
string of known length without the trailing NULL byte. Recent GCC is
raising the compiler warning:

  warning: ‘strncpy’ output truncated before terminating nul copying as
  many bytes from a string as its length [-Wstringop-truncation]

Use memcpy() instead of strncpy() to copy data of known size.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
64045c5d by Christian Heimes at 2018-10-25T07:26:01Z
Replace hard-coded interpreter with sys.executable

Instead of hard-coding python3, the smart card advise script now uses
the current executable path from sys.executable as interpreter.

Fixes: https://pagure.io/freeipa/issue/7741
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c64030a3 by Rob Crittenden at 2018-10-26T15:18:38Z
Remove the authselect profile warning if sssd was not configured.

On a plain uninstall there should not be a bunch of confusing
warning/error messages.

Related to https://pagure.io/freeipa/issue/7729

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
ec5e821f by Rob Crittenden at 2018-10-26T15:18:38Z
Fix misleading errors during client install rollback

Some incorrect errors are possible if a client installation
fails and a configuration rollback is required.

These include:

1. Unconfigured automount client failed: CalledProcessError(Command
['/usr/sbin/ipa-client-automount', '--uninstall', '--debug']
returned non-zero exit status 1: '')

Caused by check_client_configuration() not returning the correct
return value (2).

2. WARNING: Unable to revert to the pre-installation state ('authconfig'
tool has been deprecated in favor of 'authselect'). The default sssd
profile will be used instead.
The authconfig arguments would have been: authconfig --disableldap
--disablekrb5 --disablesssdauth --disablemkhomedir

If installation fails before SSSD is configured there is no state
to roll back to. Detect this condition.

3. An error occurred while removing SSSD's cache.Please remove the
cache manually by executing sssctl cache-remove -o.

Again, if SSSD is not configured yet then there is no cache to
remove. Also correct the missing space after the period.

https://pagure.io/freeipa/issue/7729

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
db960e32 by Rob Crittenden at 2018-10-26T15:18:38Z
Collect the client and server uninstall logs in tests

When running the integration tests capture the uninstallation
logs as well as the installation logs.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
78bf80e5 by Christian Heimes at 2018-10-26T19:13:23Z
Keep Dogtag's client db in external CA step 1

Don't remove /root/.dogtag/pki-tomcat when performing step 1 of external
CA installation process. Dogtag 10.6.7 changed behavior and no longer
re-creates the client database in step 2.

Fixes: https://pagure.io/freeipa/issue/7742
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6214fc51 by Christian Heimes at 2018-10-26T19:13:23Z
Use tasks.install_master() in external_ca tests

The install_master() function performs additional steps besides just
installing a server. It also sets up log collection and performs
additional tests.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
75cb16f1 by Florence Blanc-Renaud at 2018-10-26T19:40:05Z
ipa-backup: restart services before compressing the backup

ipa-backup gathers all the files needed for the backup, then compresses
the file and finally restarts the IPA services. When the backup is a
large file, the compression may take time and widen the unavailability
window.

This fix restarts the services as soon as all the required files are
gathered, and compresses after services are restarted.

Fixes: https://pagure.io/freeipa/issue/7632
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
cec39f52 by Florence Blanc-Renaud at 2018-10-26T19:40:05Z
ipatest: add functional test for ipa-backup

The test ensures that ipa-backup compresses the files after the
IPA services are restarted.

Related to: https://pagure.io/freeipa/issue/7632

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
de6a10c8 by Rob Crittenden at 2018-11-06T13:51:51Z
Pass a list of values into add_master_dns_records

During replica installation the local IP addresses should be
added to DNS but will fail because a string is being passed
to an argument expecting a list. Convert to a list before
passing in individual IPs.

Discovered when fixing https://pagure.io/freeipa/issue/7408

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1d23d101 by Rob Crittenden at 2018-11-06T13:51:51Z
Demote log message in custodia _wait_keys to debug

This was previously suppressed because the log level in
an installation was set to error, so it was never displayed.
Keeping consistency and demoting it to debug since the
log level is increased to info.

Related: https://pagure.io/freeipa/issue/7408

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d7dc732f by Rob Crittenden at 2018-11-06T13:51:51Z
Enable replica install info logging to match ipa-server-install

Increase log level to info by setting verbose=True and adding
a console format.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

https://pagure.io/freeipa/issue/7408

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0344354c by Fraser Tweedale at 2018-11-07T12:08:06Z
Restore KRA clone installation integration test

The Dogtag issue that caused KRA clone installation failure in some
scenarios has been fixed (https://pagure.io/dogtagpki/issue/3055).
This reverts commit 2488813260a407477c7516b33ce4238b69c8dd8d and
bumps the pki-core dependency.

Fixes: https://pagure.io/freeipa/issue/7654
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
795fe62c by Christian Heimes at 2018-11-07T12:08:06Z
Require Dogtag 10.6.7-3

10.6.7-3 fixes a problem with ipa-ca-install and ipa-kra-install on
replicas.

See: https://pagure.io/dogtagpki/issue/3073
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a06fb8d0 by Christian Heimes at 2018-11-07T13:22:07Z
has_krbprincipalkey: avoid double free

Set keys to NULL after free in order to avoid potential double free.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2884ab69 by Christian Heimes at 2018-11-07T13:22:07Z
ipadb_mspac_get_trusted_domains: NULL ptr deref

Fix potential NULL pointer deref in ipadb_mspac_get_trusted_domains().
In theory, dn could be empty and rdn NULL. The man page for ldap_str2dn()
does not guarantee that it returns a non-empty result.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
28b89df5 by Christian Heimes at 2018-11-07T13:22:07Z
ipapwd_pre_mod: NULL ptr deref

In ipapwd_pre_mod, check userpw for NULL before dereferencing its first
element.

See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4c0e7d69 by Fraser Tweedale at 2018-11-07T13:40:25Z
rpc: always read response

If the server responds 401 and the response body is empty, the
client raises ResponseNotReady.  This occurs because:

1. For a non-200 response, the response is read only if the
   Content-Length header occurs.

2. The response must be read before another request (e.g. the
   follow-up request with WWW-Authenticate header set), and this
   condition was not met.  For details see
   https://github.com/python/cpython/blob/v3.6.7/Lib/http/client.py#L1305-L1321.

This situation should not arise in regular use, because the client
either has a session cookie, or, knowing the details of the server
it is contacting, it establishes the GSS-API context and includes
the WWW-Authenticate header in the initial request.

Nevertheless, this problem has been observed in the wild.  I do not
know its ordinary cause(s), but one can force the issue by removing
an authenticated user's session cache from /run/ipa/ccaches, then
performing a request.

Resolve the issue by always reading the response.  It is safe to
call response.read() regardless of whether the Content-Length header
appears, or whether the body is empty.

Fixes: https://pagure.io/freeipa/issue/7752
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
9e7e9c10 by Fraser Tweedale at 2018-11-07T13:51:59Z
ipaldap: avoid invalid modlist when attribute encoding differs

ipaldap does not take into account the possibility of the attribute
encoding returned by python-ldap differing from the attribute
encoding produced by FreeIPA.  In particular this can occur with DNs
with special characters that require escaping.  For example,
python-ldap (or the underlying LDAP library) escapes special
characters using hex encoding:

  CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU

Whereas FreeIPA, when encoding the DN, escapes the character
directly:

  CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU

Therefore it is possible to generate an invalid modlist. For
example, during external CA certificate renewal, if the issuer DN
includes a comma in one of the attribute values (as above), an
invalid modlist will be generated:

  [ (ldap.MOD_ADD, 'ipacaissuerdn',
      [b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU'])
  , (ldap.MOD_DELETE, 'ipacaissuerdn',
      [b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU'])
  ]

Although encoded differently, these are the same value.  If this
modification is applied to the object, attributeOrValueExists (error
20) occurs.

To avoid the issue, put deletes before adds in the modlist.  If a
value is present (with different encodings) as both an addition and
a deletion, it must be because the original object contained the
value with a different encoding.  Therefore it is safe to delete it,
then add it back.

Note that the modlist is not optimal.  In the simplest case (like
above example), there should be no modification to perform.  It is
considerably more complex (and more computation) to implement this
because the raw attribute values must be decoded before comparison.

Fixes: https://pagure.io/freeipa/issue/7750
Reviewed-By: Christian Heimes <cheimes at redhat.com>

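To make the encoding mismatch concrete, here is a small Python simulation added to this page (not ipaldap's code and not part of the commit). It reproduces the renewal scenario with the two DN encodings quoted above, showing that adds-before-deletes fails with attributeOrValueExists (20) while deletes-before-adds succeeds, and it also carries the decode-before-compare variant the message describes as more complex. `Entry`, `normalize_dn` and the modlist builders are hypothetical stand-ins, and the python-ldap constants are defined locally so the block runs without the module.

```python
import re

# python-ldap's MOD_ADD / MOD_DELETE values, defined locally so the
# example runs without the python-ldap module installed.
MOD_ADD, MOD_DELETE = 0, 1
ATTRIBUTE_OR_VALUE_EXISTS = 20   # LDAP result code named in the commit
NO_SUCH_ATTRIBUTE = 16

# Constructed sample values: the two encodings of one issuer DN quoted
# in the commit message ('O=Red Hat, Inc.' carries an escaped comma).
HEX_ESCAPED = b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\\2C Inc.,L=Brisbane,C=AU'
CHAR_ESCAPED = b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\\, Inc.,L=Brisbane,C=AU'
ATTR = 'ipacaissuerdn'

_HEX_PAIR = re.compile(rb'\\([0-9A-Fa-f]{2})')


def normalize_dn(value):
    """Rewrite RFC 4514 hex escapes (\\2C) into character escapes (\\,).

    Hypothetical, simplified stand-in for real DN parsing: it only
    canonicalises the escape form, which is the difference the commit
    message describes, and does not handle every DN syntax rule.
    """
    return _HEX_PAIR.sub(lambda m: b'\\' + bytes([int(m.group(1), 16)]), value)


class LDAPError(Exception):
    def __init__(self, code, attr):
        super().__init__('%s: result code %d' % (attr, code))
        self.code = code


class Entry:
    """Minimal directory entry (hypothetical) whose DN-syntax matching
    treats differently escaped encodings of one DN as the same value."""

    def __init__(self, attrs):
        self.attrs = {k: list(v) for k, v in attrs.items()}

    def modify(self, modlist):
        for op, attr, values in modlist:
            current = self.attrs.setdefault(attr, [])
            for v in values:
                matches = [c for c in current if normalize_dn(c) == normalize_dn(v)]
                if op == MOD_ADD:
                    if matches:          # value already present under another encoding
                        raise LDAPError(ATTRIBUTE_OR_VALUE_EXISTS, attr)
                    current.append(v)
                elif op == MOD_DELETE:
                    if not matches:
                        raise LDAPError(NO_SUCH_ATTRIBUTE, attr)
                    for c in matches:
                        current.remove(c)
        return self


def _diff(old, new):
    """Byte-wise diff: raw values that only differ in escaping look distinct."""
    adds = [v for v in new if v not in old]
    dels = [v for v in old if v not in new]
    return adds, dels


def naive_modlist(attr, old, new):
    """Adds emitted before deletes: the invalid modlist from the report."""
    adds, dels = _diff(old, new)
    return [(op, attr, vals) for op, vals in ((MOD_ADD, adds), (MOD_DELETE, dels)) if vals]


def fixed_modlist(attr, old, new):
    """The commit's fix: same diff, but deletes come first, so a value present
    in both encodings is removed and then added back."""
    adds, dels = _diff(old, new)
    return [(op, attr, vals) for op, vals in ((MOD_DELETE, dels), (MOD_ADD, adds)) if vals]


def normalized_modlist(attr, old, new):
    """The costlier variant the message mentions but does not implement:
    compare decoded values, so a pure re-encoding yields no modification."""
    old_n = {normalize_dn(v): v for v in old}
    new_n = {normalize_dn(v): v for v in new}
    adds = [v for k, v in new_n.items() if k not in old_n]
    dels = [v for k, v in old_n.items() if k not in new_n]
    return [(op, attr, vals) for op, vals in ((MOD_DELETE, dels), (MOD_ADD, adds)) if vals]


def apply_renewal(modlist_fn):
    """One renewal scenario: the stored value is hex-escaped (as returned by
    python-ldap), the new value is character-escaped (as produced by FreeIPA).
    Returns (error_code_or_None, resulting attribute values)."""
    entry = Entry({ATTR: [HEX_ESCAPED]})
    modlist = modlist_fn(ATTR, entry.attrs[ATTR], [CHAR_ESCAPED])
    try:
        entry.modify(modlist)
    except LDAPError as e:
        return e.code, entry.attrs[ATTR]
    return None, entry.attrs[ATTR]


if __name__ == '__main__':
    for fn in (naive_modlist, fixed_modlist, normalized_modlist):
        print(fn.__name__, apply_renewal(fn))
```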
- - - - -
55e7a582 by Christian Heimes at 2018-11-07T14:14:45Z
Fix test_cli_fsencoding on Python 3.7

Starting with Python 3.7, PEP 538 addresses the locale issue. Python now
supports UTF-8 file system encoding with non-UTF-8 C locale.

See: https://docs.python.org/3/whatsnew/3.7.html#whatsnew37-pep538
See: https://pagure.io/freeipa/issue/5887
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
eca02e1c by Sergey Orlov at 2018-11-07T15:10:00Z
ipatests: add test for ipa-advise for enabling sudo for admins group

Test that
1) sudo is not enabled for members of admins group by default
2) sudo is enabled for them after execution of script provided
by ipa-advise enable_admins_sudo

Related to https://pagure.io/freeipa/issue/7538

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
785c496d by Christian Heimes at 2018-11-08T07:16:50Z
Allow ipaapi user to access SSSD's info pipe

For smart card authentication, ipaapi must be able to access sss-ifp.
During installation and upgrade, the ipaapi user is now added to
[ifp]allowed_uids.

The commit also fixes two related issues:

* The server upgrade code now enables ifp service in sssd.conf. The
  existing code modified sssd.conf but never wrote the changes to disk.
* sssd_enable_service() no longer fails after it has detected an
  unrecognized service.

Fixes: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5abe3d9f by Alexander Bokovoy at 2018-11-08T11:14:42Z
ipaserver.install.adtrust: fix CID 323644

Fix Coverity finding CID 323644: logically dead code path

The code to determine whether NetBIOS name was already set or needs to be
set after deriving it from a domain or asking a user for an interactive
input, was refactored at some point to avoid retrieving the whole LDAP
entry. Instead, it was provided with the actual NetBIOS name retrieved.

As a result, a part of the code got neglected and was never executed.

Fix this code and provide a test that tries to test predefined,
interactively provided and automatically derived NetBIOS name depending
on how the installer is being run.

We mock up the actual execution so that no access to LDAP or Samba is
needed.

Backport to ipa-4-7 takes into account Python 2.7 differences:
 - uses mock instead of unittest.mock if the latter is not available
 - derives ApiMockup from object

Fixes: https://pagure.io/freeipa/issue/7753
Reviewed-By: Christian Heimes <cheimes at redhat.com>
(cherry picked from commit 82af034023b03ae64f005c8160b9e961e7b9fd55)

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
48a6048b by Christian Heimes at 2018-11-08T13:53:40Z
Copy-paste error in permissions plugin, CID 323649

Address a bug in the code block for attributeLevelRights for old clients.
The backward compatibility code for deprecated options was not triggered,
because the new name was checked against wrong dict.

Coverity Scan issue 323649, Copy-paste error

   The copied code will not have its intended effect.
   In postprocess_result: A copied piece of code is inconsistent with the
   original (CWE-398)

See: Fixes: https://pagure.io/freeipa/issue/7753
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
27344b33 by Christian Heimes at 2018-11-08T18:53:46Z
Replace messagebus with modern name dbus

"messagebus" is an old, archaic name for dbus. Upstream dbus has started
to move away from the old name. Let's use the modern term in FreeIPA,
too.

Fixes: https://pagure.io/freeipa/issue/7754
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
7b7efe95 by Christian Heimes at 2018-11-08T18:55:38Z
Fix test_cli_fsencoding on Python 3.7, take 2

0a5a7bdef7c300cb8f8a8128ce6cf5b115683cbe introduced another problem. The
test is now failing on systems without a full IPA client or server
installation. Use IPA_CONFDIR env var to override location of
default.conf, so that the command always fails.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>

- - - - -
1853e2ec by François Cami at 2018-11-12T07:52:27Z
Add sysadm_r to default SELinux user map order

It is a standard SELinux user role included in RHEL (like
user_r, staff_r, guest_r) and used quite often.

Fixes: https://pagure.io/freeipa/issue/7658
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c7cc9896 by Fraser Tweedale at 2018-11-12T12:11:37Z
certdb: ensure non-empty Subject Key Identifier

Installation or IPA CA renewal with externally-signed CA accepts an
IPA CA certificate with empty Subject Key Identifier. This is
technically legal in X.509, but is an operational issue.
Furthermore, due to an extant bug in Dogtag
(https://pagure.io/dogtagpki/issue/3079) it will cause Dogtag
startup failure.

Reject CA certificates with empty Subject Key Identifier.

Fixes: https://pagure.io/freeipa/issue/7762
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
8b0f7496 by Rob Crittenden at 2018-11-13T11:43:47Z
Add tests for ipa-cacert-manage install

Some basic tests like re-loading a certificate, loading a
PKCS#7 cert and bad cert handling.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

https://pagure.io/freeipa/issue/7579

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
30995f8f by Rob Crittenden at 2018-11-13T11:43:47Z
Add support for multiple certificates/formats to ipa-cacert-manage

Only a single cert in DER or PEM format would be loaded from the
provided file. Extend this to include PKCS#7 format and load all
certificates found in the file.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

https://pagure.io/freeipa/issue/7579

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
79b7f07c by Florence Blanc-Renaud at 2018-11-13T13:26:23Z
ipa user-add: add optional objectclass for radius-username

The command "ipa user-add --radius-username" fails with
ipa: ERROR: attribute "ipatokenRadiusUserName" not allowed
because it does not add the objectclass ipatokenradiusproxyuser
that is required by the attribute ipatokenradiususername.

The issue happens with ipa user-add / stageuser-add / user-mod / stageuser-mod.

The fix adds the objectclass when needed in the pre_common_callback method
of baseuser_add and baseuser_mod (ensuring that user and stageuser commands
are fixed).

Fixes https://pagure.io/freeipa/issue/7569

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
10ccc3ba by Florence Blanc-Renaud at 2018-11-13T13:26:23Z
tests: add xmlrpc test for ipa user-add --radius-username

Add an xmlrpc test for ipa user-add/user-mod --radius-username
The commands were previously failing because the objectclass
ipatokenradiusproxyuser was not automatically added when the
attribute ipatokenRadiusUserName was added to the entry.

The test ensures that the command is now succeeding.

Related to https://pagure.io/freeipa/issue/7569

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
22be7b4d by Florence Blanc-Renaud at 2018-11-13T13:26:23Z
radiusproxy: add permission for reading radius proxy servers

A non-admin user which has the "User Administrator" role cannot
add a user with ipa user-add --radius=<proxy> because the
call needs to read the radius proxy server entries.

The fix adds a System permission for reading radius proxy server
entries (all attributes except the ipatokenradiussecret). This
permission is added to the already existing privileges "User
Administrators" and "Stage User Administrators", so that the role
"User Administrator" can call ipa [stage]user-add|mod --radius=<proxy>

Fixes: https://pagure.io/freeipa/issue/7570
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
918dbdfe by Florence Blanc-Renaud at 2018-11-13T13:26:23Z
ipatests: add integration test for "Read radius servers" perm

Add a new integration test for the following scenario:
- create a user with the "User Administrator" role
- as this user, create a user with a --radius=<radius_proxy_server>

This scenario was previously failing because ipa user-add --radius
requires read access to the radius server entries, and there was no
permission granting this access.

Related to https://pagure.io/freeipa/issue/7570

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
595c8eef by Christian Heimes at 2018-11-13T14:23:25Z
Ignore W504 code style like in travis config

pycodestyle both complains about "W504 line break after binary operator"
and "W503 line break before binary operator" when all warnings are
enabled. FreeIPA already ignores W504 in travis config. Let's ignore it
in fastcheck, too.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5250c1fe by Christian Heimes at 2018-11-13T14:23:25Z
Address pylint violations in lite-server

Teach pylint that env instance has lite_* members

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
74c8ac9b by Christian Heimes at 2018-11-13T14:23:25Z
Address inconsistent-return-statements

Pylint warns about inconsistent return statements when some paths of a
function return None implicitly. Make all implicit returns either
explicit or raise a proper exception.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4b0b3215 by Christian Heimes at 2018-11-13T14:23:25Z
Ignore consider-using-enumerate for now

Ignore new consider-using-enumerate warning for now and clean up code
later.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f4f0fe24 by Christian Heimes at 2018-11-13T14:23:25Z
Address consider-using-in

Replace multiple comparisons with 'in' operation.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
28fb5cca by Christian Heimes at 2018-11-13T14:23:25Z
Fix comparison-with-callable

Pylint warns about comparing callable. Replace equality with identity
test.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7ece66ba by Christian Heimes at 2018-11-13T14:23:25Z
Fix useless-import-alias

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8cce2c27 by Christian Heimes at 2018-11-13T14:23:25Z
Fix Module 'pytest' has no 'config' member

pytest.config is created dynamically.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
204032d7 by Christian Heimes at 2018-11-13T14:23:25Z
Fix various dict related pylint warnings

* dict-keys-not-iterating
* dict-values-not-iterating
* dict-items-not-iterating
* dict-iter-method

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
984fd02e by Christian Heimes at 2018-11-13T14:23:25Z
Fix raising-format-tuple

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2011a427 by Christian Heimes at 2018-11-13T14:23:25Z
Silence comparison-with-itself in tests

Test code performs comparison to itself in order to verify __eq__ and
__ne__ implementations.

See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fdbd4633 by Christian Heimes at 2018-11-13T14:23:25Z
Require pylint 2.1.1-2

pylint 2.1.1-2 contains a backport of pylint's fix for RHBZ#1648299:

  is_subclass_of fails with AttributeError: 'NoneType' object has no
  attribute 'name'

pylint 2.1.1-2 is in @freeipa/freeipa-master COPR.

See: https://github.com/PyCQA/pylint/pull/2429
See: https://bugzilla.redhat.com/show_bug.cgi?id=1648299
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b8a1ca0e by Fraser Tweedale at 2018-11-13T16:44:54Z
Print correct subject on CA cert verification failure

In load_external_cert(), if verification fails for a certificate in
the trust chain, the error message contains the last subject name
from a previous iteration of the trust chain, instead of the subject
name of the current certificate.

To report the correct subject, look it up using the current
nickname.

Part of: https://pagure.io/freeipa/issue/7761

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1c7e179c by Fraser Tweedale at 2018-11-13T16:44:54Z
certdb: validate certificate signatures

When verifying a CA certificate, validate its signature.  This
causes FreeIPA to reject certificate chains with bad signatures,
signatures using unacceptable algorithms, or certificates with
unacceptable key sizes.  The '-e' option to 'certutil -V' was the
missing ingredient.

As an example of a problem prevented by this change, a certificate
signed by a 1024-bit intermediate CA would previously have been
imported by ipa-cacert-manage, but would cause Dogtag startup
failure due to failing self-test.  With this change,
ipa-cacert-manage will reject the certificate:

  # ipa-cacert-manage renew --external-cert-file /tmp/ipa.p7
  Importing the renewed CA certificate, please wait
  CA certificate CN=Certificate Authority,O=IPA.LOCAL 201809261455
  in /tmp/ipa.p7 is not valid: certutil: certificate is invalid: The
  certificate was signed using a signature algorithm that is
  disabled because it is not secure.

Fixes: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
6032285b by Alexander Bokovoy at 2018-11-13T16:48:34Z
ipa-4-7: merge translations from zanata

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c2ae6380 by Christian Heimes at 2018-11-14T09:34:37Z
certdb: validate server cert signature

PR https://github.com/freeipa/freeipa/pull/2554 added the '-e' option for CA
cert validation. Let's also verify signature, key size, and signing algorithm
of server certs. With the '-e' option, the installer and other
tools will catch weak certs early.

Fixes: pagure.io/freeipa/issue/7761
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
3e7d12f5 by Christian Heimes at 2018-11-15T22:55:09Z
Fix pytest deprecation warning

conftest uses the Function attribute of a pytest.Function object. Latest
pytest has deprecated the attribute:

  _pytest.warning_types.RemovedInPytest4Warning: usage of Function.Function
   is deprecated, please use pytest.Function instead

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>

- - - - -
97e07f18 by sudharsanomprakash at 2018-11-16T15:13:11Z
Don't use deprecated Apache Access options.

httpd-2.4+ has deprecated the Order, Allow and Deny directives. Use the Require directive instead.

Signed-off-by: Sudharsan Omprakash <sudharsan.omprakash at yahoo.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fb062cc4 by Florence Blanc-Renaud at 2018-11-16T15:15:03Z
freeipa.spec.in: add BuildRequires for python3-lib389

freeipa.spec.in is missing BuildRequires for python3-lib389. The
consequence is that make fasttest is failing.

Fixes https://pagure.io/freeipa/issue/7767

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
86d4b1c0 by Alexander Bokovoy at 2018-11-19T08:45:55Z
ipa-kdb: reduce LDAP operations timeout to 30 seconds

Since LDAP operations used by the ipa-kdb driver are synchronous, the
timeout specified here blocks the entire KDC. It is worth reducing the
timeout, and since the AS REQ processing timeout in the KDC is 1 minute,
reducing the timeout for LDAP operations down to 30 seconds allows the KDC
to respond promptly in the worst case scenario as well.

Fixes: https://pagure.io/freeipa/issue/7217
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
fd3f5153 by Florence Blanc-Renaud at 2018-11-21T03:21:29Z
ipa-replica-install: password and admin-password options mutually exclusive

Currently it is possible to run ipa-replica-install in one step,
and provide --password and --admin-password simultaneously.
This is confusing as --password is intended for one-time pwd
when the ipa-replica-install command is delegated to a user
who doesn't know the admin password.

The fix makes --password and --admin-password options
mutually exclusive.

Fixes https://pagure.io/freeipa/issue/6353

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
2b155f98 by Florence Blanc-Renaud at 2018-11-21T03:21:29Z
ipatests: add test for ipa-replica-install options

Add a test checking that --password and --admin-password
options are mutually exclusive.

Related to https://pagure.io/freeipa/issue/6353

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
1f6bed48 by Florence Blanc-Renaud at 2018-11-21T06:41:17Z
ipatests: fix test_replica_uninstall_deletes_ruvs

test_topology.py is failing because of a wrong scenario.
Currently, test_replica_uninstall_deletes_ruvs does:
- install master + replica with CA
- ipa-replica-manage list-ruv to check that the repl is
properly set up
- ipa-replica-manage del $replica
- (on replica) ipa-server-install --uninstall -U
- ipa-replica-manage list-ruv to check that replica
does not appear any more in the RUV list

When ipa-replica-manage del is run, the topology plugin
creates 2 tasks cleanallruvs (one for the domain, one for the ca)
and they are run asynchronously. This means that the ruvs may
still be present when the test moves forward and calls list-ruv.

The test should wait for the cleanallruvs tasks to finish before
checking that list-ruv does not display replica anymore.

Fixes https://pagure.io/freeipa/issue/7545

- - - - -
1189634d by Sergey Orlov at 2018-11-21T12:31:54Z
ipatests: add test for ipa-restore in multi-master configuration

Test ensures that after ipa-restore on the master, the replica can be
re-synchronized and a new replica can be created.

https://pagure.io/freeipa/issue/7455

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
85885918 by François Cami at 2018-11-23T09:54:46Z
Add a shared-vault-retrieve test

Add a shared-vault-retrieve test when:
* master has KRA installed
* replica has no KRA
This currently fails because of issue#7691

Related-to: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d57d97ea by François Cami at 2018-11-23T09:54:46Z
Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.

Fixes: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
a20fe7c1 by Christian Heimes at 2018-11-23T11:58:41Z
PR-CI: Restart rpcbind when it blocks kadmin port

Every now and then, a PR-CI job fails because rpcbind blocks the kadmin
port 749/UDP and kadmin.service fails to start. When NFS secure port is
configured, rpcbind reserves a random low port.

A new workaround detects the blocked port and restarts rpcbind.service.

See: https://pagure.io/freeipa/issue/7769
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
d3c90b32 by Varun Mylaraiah at 2018-11-26T09:30:10Z
Added test for ipa-client-install with a non-standard ldap.conf file

Ticket: https://pagure.io/freeipa/issue/7418

Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
bc3e24c1 by Christian Heimes at 2018-11-28T16:17:00Z
pylint 2.2: Fix unnecessary pass statement

pylint 2.2.0 has a new checker for unnecessary pass statements. There is
no need to have a pass statement in functions or classes with a doc
string.

Fixes: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
0ae08969 by Christian Heimes at 2018-11-28T16:17:00Z
pylint: Fix duplicate-string-formatting-argument

pylint 2.2 has a checker for duplicate string formatting argument.
Instead of passing the same argument multiple times, reference the
argument by position.

See: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
f991319d by Christian Heimes at 2018-11-28T16:17:00Z
pylint: also verify scripts

Build all scripts in install/tools/ to check them with pylint, so that
``make pylint`` always checks all scripts. The script files are
generated by make.

Please note that fastlint does not check script files.

See: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
fa78de9a by Christian Heimes at 2018-11-28T16:17:00Z
Address misc pylint issues in CLI scripts

The CLI script files have additional pylint issues that were not noticed
before. The violations include using dict.keys() without directly
iterating over the result, inconsistent return statements and set([])
instead of set literals.

* dict-keys-not-iterating
* inconsistent-return-statements
* consider-using-set-comprehension

See: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>

- - - - -
77d814b7 by Florence Blanc-Renaud at 2018-11-28T23:15:57Z
ipaldap.py: fix method creating a ldap filter for IPACertificate

ipa user-find --certificate and ipa host-find --certificate
fail to return matching entries, because the method transforming
the attribute into a LDAP filter does not properly handle
IPACertificate objects.
Directory Server logs show a filter with
(usercertificate=<ipalib.x509.IPACertificate object at 0x7fc0a5575b90>)

When the attribute contains a cryptography.x509.Certificate,
the method needs to extract the public bytes instead of calling str(value).

Fixes https://pagure.io/freeipa/issue/7770

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
76900307 by Florence Blanc-Renaud at 2018-11-28T23:15:57Z
ipatests: add xmlrpc test for user|host-find --certificate

There were no xmlrpc tests for ipa user-find --certificate
or ipa host-find --certificate.
The commit adds tests for these commands.

Related to https://pagure.io/freeipa/issue/7770

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
0e3a9f68 by Christian Heimes at 2018-11-29T09:09:32Z
Increase debugging for blocked port 749 and 464

kadmin.service is still failing to start sometimes. List and check both
source and destination ports of listening and non-listening TCP and UDP
sockets.

See: https://pagure.io/freeipa/issue/7769
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
05c5be1b by Adam Williamson at 2018-11-29T15:58:38Z
Fix authselect invocations to work with 1.0.2

Since authselect 1.0.2, invoking an authselect command sequence
like this:

['authselect', 'sssd', '', '--force']

does not work: authselect barfs on the empty string arg and
errors out. We must only pass a features arg if we actually have
some text to go in it.

This broke uninstallation.

In all cases, features are now passed as separate arguments instead of one
argument separated by space.

Fixes: https://pagure.io/freeipa/issue/7776
Signed-off-by: Adam Williamson <awilliam at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ba636cec by Francisco Trivino at 2018-11-30T09:28:38Z
prci_definitions: update vagrant memory topology requirements

Memory requirements for master and replica have been increased
due to OOM issues. This PR updates prci_definitions accordingly.

This PR also rolls back ipaserver mem reqs to the previous value
since the WebUI tests were split into different blocks.

Fixes https://pagure.io/freeipa/issue/7777

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
8ee3779d by Florence Blanc-Renaud at 2018-11-30T14:20:59Z
ipa upgrade: handle double-encoded certificates

Issue is linked to the ticket
 #3477 LDAP upload CA cert sometimes double-encodes the value
In old FreeIPA releases (< 3.2), the upgrade plugin was encoding twice
the value of the certificate in cn=cacert,cn=ipa,cn=etc,$BASEDN.

The fix for 3477 is only partial as it prevents double-encoding when a
new cert is uploaded but does not fix wrong values already present in LDAP.

With this commit, the code first tries to read a der cert. If it fails,
it logs a debug message and re-writes the value caCertificate;binary
to repair the entry.

Fixes https://pagure.io/freeipa/issue/7775
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
2b0f3a1a by Florence Blanc-Renaud at 2018-11-30T14:20:59Z
ipatests: add upgrade test for double-encoded cacert

Create a test for upgrade with the following scenario:
- install master
- write a double-encoded cert in the entry
cn=cacert,cn=ipa,cn=etc,$basedn
to simulate bug 7775
- call ipa-server-upgrade
- check that the upgrade fixed the value

The upgrade should finish successfully and repair
the double-encoded cert.

Related to https://pagure.io/freeipa/issue/7775

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
e224a317 by Francisco Trivino at 2018-11-30T19:04:56Z
PR-CI: Move to Fedora 29 template, version 0.2.0

Memory requirements for master and replica have been increased
due to OOM issues. This PR updates prci_definitions accordingly.

This PR also rolls back ipaserver mem reqs to the previous value
since the WebUI tests were split into different blocks.

Fixes https://pagure.io/freeipa/issue/7777

Reviewed-By: Diogo Nunes <dnunes at redhat.com>

- - - - -
83e2c011 by Christian Heimes at 2018-12-03T09:38:49Z
Update temp commit template to F29

The temp_commit.yaml template now uses F29 as well. It also contains all
topology configurations from the nightly jobs.

Fixes: https://pagure.io/freeipa/issue/7779
Signed-off-by: Christian Heimes <cheimes at redhat.com>

- - - - -
bf646a6e by Alexander Bokovoy at 2018-12-03T10:29:09Z
Become IPA 4.7.2

- - - - -
f933185d by Timo Aaltonen at 2019-02-05T07:36:16Z
Merge branch 'upstream'

- - - - -
e11da3d7 by Timo Aaltonen at 2019-02-05T07:37:51Z
bump the version

- - - - -
2615ca14 by Timo Aaltonen at 2019-02-05T07:45:01Z
fix-fontawesome-path.diff: Refreshed.

- - - - -
46a46472 by Timo Aaltonen at 2019-02-05T10:39:29Z
rules: Build only the client until Dogtag works again.

- - - - -
5a06e28a by Timo Aaltonen at 2019-02-05T10:39:41Z
releasing package freeipa version 4.7.2-1

- - - - -


30 changed files:

- .test_runner_config.yaml
- .test_runner_config_py3_temp.yaml
- ACI.txt
- API.txt
- Makefile.am
- VERSION.m4
- client/config.c
- client/ipa-join.c
- daemons/ipa-kdb/ipa_kdb.c
- daemons/ipa-kdb/ipa_kdb_common.c
- daemons/ipa-kdb/ipa_kdb_mspac.c
- daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
- daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
- daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
- daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
- debian/changelog
- debian/patches/fix-fontawesome-path.diff
- debian/rules
- freeipa.spec.in
- init/tmpfilesd/Makefile.am
- init/tmpfilesd/ipa.conf.in
- install/share/bootstrap-template.ldif
- install/share/ipa-kdc-proxy.conf.template
- install/share/ipa.conf.template
- install/share/wsgi.py
- install/tools/ipa-csreplica-manage.in
- install/tools/ipa-httpd-kdcproxy.in
- install/tools/ipa-replica-conncheck.in
- install/tools/ipa-replica-manage.in
- install/tools/man/ipa-cacert-manage.1


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/compare/7bde22a2e9186a0f366b6049e0e0bbcb97d94491...5a06e28a80747ccaf6ee6b05e44433f3d1075713
