[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master] 1131 commits: Set development version to 4.7.90
Timo Aaltonen
gitlab at salsa.debian.org
Wed Sep 11 22:32:10 BST 2019
Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa
Commits:
d9b8fa3f by Rob Crittenden at 2018-07-19T15:30:46Z
Set development version to 4.7.90
- - - - -
f3faecbb by Thomas Woerner at 2018-07-20T16:53:38Z
Fix $-style format string in ipa_ldap_init (util/ipa_ldap.c)
The second argument was not used, but the first one was used twice.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fd348773 by Ganna Kaihorodova at 2018-07-20T17:03:59Z
Add check for occuring traceback during uninstallation ipa master
Modified master uninstall task for traceback check
That approach give us wide coverage and multiple scenarious
to catch traceback during uninstallation process
Add verbose option to uninstall server and set to False
Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1480502
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0e9fb8ac by Petr Vobornik at 2018-07-23T12:26:50Z
webui: change indentation of freeipa/_base/debug.js
Change to use spaces for indentation as it was the the only file
which uses tabs and not spaces.
Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
78cefe09 by Petr Vobornik at 2018-07-23T12:26:50Z
webui: remove mixed indentation in App and LoginScreen
Only spaces should be used for indentation.
It was introduced in commits:
* 7f9f59bae2a362ce945c49ad8342393b7a5c024f
* 5d8fde0ac1a43c8f3dbc53b44d69f3663a8b36fb
Related to: https://pagure.io/freeipa/issue/7559
Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
94bcd938 by Orion Poplawski at 2018-07-25T16:38:52Z
ipaclient-install: chmod needs octal permissions
Fixes incorrect usage introduced in 792adebfabb456d154164387fb7e60acb30f4325
https://pagure.io/freeipa/issue/7650
Signed-off-by: Orion Poplawski <orion at nwra.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8f202bbd by Felipe Barreto at 2018-07-27T07:50:06Z
Making nigthly test definition editable by FreeIPA's contributors
Now the test definition of nightly tests will be on freeipa repo. The
definition that's used on every PR (previously as .freeipa-pr-ci.yaml)
is in ipatests/prci_definitions/gating and the .freeipa-pr-ci.yaml file
is just a symlink to the real file.
In the same dir there is also nightly_master and nightly_rawhide, both
to be used in nightly tests.
Divided test_topology.py into 3 subtests.
Bumped vagrant template to version 0.1.6
This PR is the result of discussion on freeipa-devel mailing list [1].
[1] https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/4VAWJ4SFKKBFFICDLQCTXJWRRQHIYJLL/
Reviewed-By: Michal Reznik <mreznik at redhat.com>
- - - - -
6212423c by Christian Heimes at 2018-07-27T07:50:06Z
Fix topology configuration of nightly runs
Some nightly runs didn't have enough resources configured.
See: https://pagure.io/freeipa/issue/7638
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>
- - - - -
8edde14e by Christian Heimes at 2018-07-27T07:50:06Z
Add convenient template for temp commits
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>
- - - - -
71ba408d by Thomas Woerner at 2018-07-30T15:26:23Z
ipaserver/plugins/cert.py: Added reason to raise of errors.NotFound
In the case that enabledService is not found ipaConfigString kdc entry, a
NotFound error was raised without setting the reason. This resulted in a
traceback.
Fixes: https://pagure.io/freeipa/issue/7652
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
64145093 by Christian Heimes at 2018-08-02T15:07:43Z
Rename pytest_plugins to ipatests.pytest_ipa
pytest 3.7.0 doesn't like ipatests.pytest_plugins package. The string
"pytest_plugins" is used as marker to load plugins. By populare vote and
to avoid future conflicts, we decided to rename the directory to pytest_ipa.
Fixes: https://pagure.io/freeipa/issue/7663
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f7516979 by Thomas Woerner at 2018-08-03T11:23:21Z
httpinstance: Restore SELinux context of session_dir /etc/httpd/alias
The session directory /etc/httpd/alias/ could be created with the wrong
SELinux context. Therefore httpd was not able to write to this directory.
Fixes: https://pagure.io/freeipa/issue/7662
Related-to: 49b4a057f1b0459331bcec2c8d760627d00e4571 (Create missing
/etc/httpd/alias for ipasession.key)
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
354d7297 by Thomas Woerner at 2018-08-03T11:23:21Z
ipa_restore: Restore SELinux context of template_dir /var/log/dirsrv/slapd-X
The template directory /var/log/dirsrv/slapd-X could be created with the
wrong SELinux context.
Related to: https://pagure.io/freeipa/issue/7662
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a71729cc by Thierry Bordaz at 2018-08-03T12:39:11Z
In IPA 4.4 when updating userpassword with ldapmodify does not update krbPasswordExpiration nor krbLastPwdChange
When making ipa-pwd-extop TXN aware, some callbacks are call twice.
Particularily
ipapwd_pre_add is called during PRE_ADD and TXN_PRE_ADD
ipapwd_pre_mod is called during PRE_MOD and TXN_PRE_MOD
ipapwd_post_modadd is called during POST_ADD and TXN_POST_ADD
ipapwd_post_modadd is called during POST_MOD and TXN_POST_MOD
It is not the expected behavior and it results on some skipped updates krbPasswordExpiration
and krbLastPwdChange
https://pagure.io/freeipa/issue/7601
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
11ec43a5 by Michal Reznik at 2018-08-03T13:14:57Z
prci_definitions: fix wrong indentation in the nightly yaml
TestLineTopologyWithoutCA definition has wrong indentation.
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
c1a0c3c5 by Florence Blanc-Renaud at 2018-08-06T14:51:56Z
Tests: add integration test for password changes by dir mgr
Add a test for issue 7601:
- add a user, perform kinit user to modify the password, read krblastpwdchange
and krbpasswordexpiration.
- perform a ldapmodify on the password as dir mgr
- make sure that krblastpwdchange and krbpasswordexpiration have been modified
- perform the same check with ldappasswd
Related to:
https://pagure.io/freeipa/issue/7601
Reviewed-By: Thierry Bordaz <tbordaz at redhat.com>
- - - - -
016df47d by Pavel Picka at 2018-08-07T14:31:03Z
WebUI Tests stabilize
- close notifications
- add wait in cert test case
Signed-off-by: Pavel Picka <ppicka at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>
- - - - -
b5fa64ed by Pavel Picka at 2018-08-07T21:46:10Z
PR-CI extend timeouts
extend timeout with one hour as timed out many times in PRCI nightly
- test_dnssec
- test_replication_layouts_TestLineTopologyWithCA
- test_replication_layouts_TestLineTopologyWithCAKRA
- test_replication_layouts_TestStarTopologyWithCAKRA
- test_server_del
- test_webui
Signed-off-by: Pavel Picka <ppicka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
2a9f5eaa by Florence Blanc-Renaud at 2018-08-08T11:03:47Z
PRCI: extend timeouts for gating
Some tests have been identified as frequently failing on timeouts. While
we are investigating PRCI potential issues, increase the timeouts to
make PRCI usable. The rule is to add 30min if the test involves CA/KRA
installation or 20min otherwise for the most problematic tests.
test_forced_client_enrolment: from 1h to 1h20
test_vault: from 1h15 to 1h45
external_ca_1: from 1h to 1h20
test_sudo: from 1h to 1h20
test_authconfig: from 1h to 1h20
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
0aeccc08 by Michal Reznik at 2018-08-10T15:01:45Z
ipa_tests: test ssh keys login
Integration test for:
https://pagure.io/SSSD/sssd/issue/3747
IPA ticket: https://pagure.io/freeipa/issue/7664
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c5cdd5a5 by Thomas Woerner at 2018-08-13T10:23:53Z
ipaclient: Remove --no-sssd and --no-ac options
Client installation with --no-sssd option has already beeen deprecated
with https://pagure.io/freeipa/issue/5860. Authconfig support has been
removed, therefore --no-ac option can be removed also.
ipatests/test_integration/test_authselect.py: Skip no_sssd and no_ac tests.
See: https://pagure.io/freeipa/issue/7671
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
f6fa2e94 by Thomas Woerner at 2018-08-13T10:35:06Z
Do not install ipa-replica-prepare
ipa-replica-prepare (script and man page) is only needed for DL0 support.
The script and man page are not installed anymore and also removed from
the spec file.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
38936817 by Thomas Woerner at 2018-08-13T10:35:06Z
Increase MIN_DOMAIN_LEVEL to DOMAIN_LEVEL_1
With increasing the minimal domain level to 1 ipa-replica-install will
refuse to install if the domain has domain level 0.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0ce79ec6 by Thomas Woerner at 2018-08-13T10:35:06Z
Mark replica_file option as deprecated
The replica_file option is only supported for DL0. The option will be
marked deprecated for now.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
03776457 by Thomas Woerner at 2018-08-13T10:35:06Z
Raise error if DL is set to 0 or DL0 options are used
In the case that the domain level is set to 0 or replica_file is set (not
None) an error will be raised.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a170b284 by Thomas Woerner at 2018-08-13T10:35:06Z
Remove support for replica_file option from ipa-ca-install
Raise "Domain level 0 is not supported anymore" error if there are
remainaing args after parsing. Remove all "DOMAIN LEVEL 0" and
"DOMAIN LEVEL 1" prefixes from the man page.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5f5180b8 by Thomas Woerner at 2018-08-13T10:35:06Z
Remove support for replica_file option from ipa-kra-install
Raise "Domain level 0 is not supported anymore" error if there are
remainaing args after parsing. Remove all "DOMAIN LEVEL 0" and
"DOMAIN LEVEL 1" prefixes from the man page.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
9c2b0ce7 by Thomas Woerner at 2018-08-13T10:35:06Z
Remove DL0 specific sections from ipa-replica-install man page
Remove replica_file option and all "DOMAIN LEVEL 0" and "DOMAIN LEVEL 1"
prefixes and also sections specific to DL0 form the man page.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
7e172e3b by Thomas Woerner at 2018-08-13T10:35:06Z
Remove "at DL1" from ipa-replica-manage man page
As there is currently only DL1, there is no need to have extra
sentences for "at domain level 1".
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0eb140ea by Thomas Woerner at 2018-08-13T10:35:06Z
Remove "at DL1" from ipa-server-install man page
As there is currently only DL1, there is no need to have extra
sentences for "at domain level 1".
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b99dc46a by Thomas Woerner at 2018-08-13T10:35:06Z
Move DL0 raises outside if existing conditionals to calm down pylint
This pull should not remove code, therefore it is needed to add addtional
conditionals to calm down pylint beacuse of unreachable code.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
2a788f1a by Thomas Woerner at 2018-08-13T10:35:06Z
ipatests: Drop test_password_option_DL0
DL0 is not supported anymore therefore this test is failing.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3b8c38ec by Thomas Woerner at 2018-08-13T10:35:06Z
ipatests/test_ipaserver/test_install/test_installer.py: Drop tempfile import
This is not needed anymore due to the removal of the DL0 test
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
c33cbe13 by Thomas Woerner at 2018-08-13T10:35:06Z
ipaserver/install/adtrust.py: Do not use DOMAIN_LEVEL_0 for minimum
As there is the minimal domain level setting MIN_DOMAIN_LEVEL, it should
be used instead of DOMAIN_LEVEL_0.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
94159bbe by Thomas Woerner at 2018-08-13T10:35:06Z
ipatests/test_xmlrpc/tracker/server_plugin.py: Increase hard coded mindomainlevel
The hard coded mindomainlevel needs to be increased to 1.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
cb7f6b7b by Thomas Woerner at 2018-08-13T10:35:06Z
replicainstall: Make sure that domain fulfills minimal domain level requirement
The old domain level check to suggest to use ipa-replica-prepare has been
converted to make sure that domain fulfills minimal domain level
requirement (no DL0).
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
1a0b0d2f by Alexander Bokovoy at 2018-08-13T11:03:13Z
ipa-extdom-extop: Update licenses to GPLv3 or later with exceptions
The code in question was supposed to have the same license as the
rest of the plugin. Fix it by updating the comment header.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
c2e1cdf8 by Serhii Tsymbaliuk at 2018-08-13T12:25:06Z
Replace logo images with new one (version 4.7)
Resolves: https://pagure.io/freeipa/issue/7362
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
de8f969f by Alexander Bokovoy at 2018-08-13T12:42:16Z
Move fips_enabled to a common library to share across different plugins
Related: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
6907a0ce by Alexander Bokovoy at 2018-08-13T12:42:16Z
ipasam: do not use RC4 in FIPS mode
When creating Kerberos keys for trusted domain object account, ipasam
module requests to generate keys using a series of well-known encryption
types. In FIPS mode it is not possible to generate RC4-HMAC key:
MIT Kerberos is using openssl crypto backend and openssl does not allow
use of RC4 in FIPS mode.
Thus, we have to filter out RC4-HMAC encryption type when running in
FIPS mode. A side-effect is that a trust to Active Directory running
with Windows Server 2003 will not be possible anymore in FIPS mode.
Resolves: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
13000e2f by Christian Heimes at 2018-08-13T16:49:05Z
Disable DL0 specific tests
Disable tests that use domain level 0. Fail early to catch additional
tests that depend on DL0.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
adfd82ee by Stanislav Levin at 2018-08-14T12:07:38Z
Replace the direct URL with config's one
To be customizable URL should be placed to "config"
Fixes: https://pagure.io/freeipa/issue/7621
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
1721356d by Stanislav Levin at 2018-08-14T12:07:38Z
Fix translation of "sync_otp" plugin
To be translatable messages should be marked with '@i18n' and
present in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7621
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
14e21047 by Stanislav Levin at 2018-08-14T12:07:38Z
Fix translation of "SyncOTPScreen" widget
To be translatable messages should be marked with '@i18n' and
present in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7621
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
f68dca24 by Rob Crittenden at 2018-08-15T10:52:52Z
Convert members into types in sudorule-*-option
The indirect members need to be calculated and the member
attributes converted. This is normally done in
baseldap::LDAPRetrieve but these methods provide their
own execute() in order to handle the option values.
Update sudorule_add|remove_option tests to include check
that converted user/group exists in the proper format.
https://pagure.io/freeipa/issue/7649
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
6fa1e6f1 by Tibor Dudlák at 2018-08-16T10:45:00Z
Re-open the ldif file to prevent error message
There was an issue with ipa-server-upgrade and it was
showing an error while upgrading:
DN... does not exists or haven't been updated, caused
by not moving pointer to file begining when re-reading.
Resolves: https://pagure.io/freeipa/issue/7644
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
89799a14 by Tibor Dudlák at 2018-08-16T10:45:00Z
Add assert to check output of upgrade
Ckeck the output of ipa-server-upgrade script for error.
Related to: https://pagure.io/freeipa/issue/7644
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
51240f35 by Mohammad Rizwan Yusuf at 2018-08-16T12:23:32Z
Check if user permssions and umask 0022 is set when executing ipa-restore
This test checks if the access rights for user/group
is set to 644 on /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif/*
and umask 0022 set while restoring.
related ticket: https://pagure.io/freeipa/issue/6844
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3322aad7 by Alexander Scheel at 2018-08-20T21:58:16Z
Add docstring to verify_kdc_cert_validity
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
fc0f6b43 by Alexander Scheel at 2018-08-20T21:58:16Z
Add missing docstrings to kernel_keyring.py
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
77286f52 by Serhii Tsymbaliuk at 2018-08-21T15:38:32Z
Replace old login screen logo with new one
Related: https://pagure.io/freeipa/issue/7362
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6a1409ec by Michal Reznik at 2018-08-23T06:21:22Z
test: client uninstall fails when installed using non-existing hostname
https://pagure.io/freeipa/issue/7620
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
df8bffd9 by Rob Crittenden at 2018-08-23T09:53:30Z
Honor no-host-dns when creating client host in replica install
--no-host-dns is supposed to avoid all DNS lookups so pass
this as the force value when creating the host in a replica
installation.
https://pagure.io/freeipa/issue/7656
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
f0228fa6 by Florence Blanc-Renaud at 2018-08-23T10:06:45Z
uninstall -v: remove Tracebacks
ipa-server-install --uninstall -v -U prints Traceback in its log file.
This issue happens because it calls subprocess.Popen with close_fds=True
(which closes all file descriptors in the child process)
but it is trying to use the file logger in the child process
(preexec_fn is called in the child just before the child is executed).
The fix is using the logger only in the parent process.
Fixes: https://pagure.io/freeipa/issue/7681
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
79fb0cc6 by Florence Blanc-Renaud at 2018-08-23T10:06:45Z
ipautil.run: add test for runas parameter
Add a test for ipautil.run() method called with runas parameter.
The test is using ipautil.run() to execute /usr/bin/id and
checks that the uid/gid are consistent with the runas parameter.
Note that the test needs to be launched by the root user
(non-privileged user may not have the rights to execute ipautil.run()
with runas parameter).
Related to: https://pagure.io/freeipa/issue/7681
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a5a619ab by Florence Blanc-Renaud at 2018-08-23T10:08:45Z
ipa commands: print 'IPA is not configured' when ipa is not setup
Some commands print tracebacks or unclear error message when
they are called on a machine where ipa packages are installed but
IPA is not configured.
Consistently report 'IPA is not configured on this system' in this
case.
Related to https://pagure.io/freeipa/issue/6261
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
10c62589 by Florence Blanc-Renaud at 2018-08-23T10:08:45Z
Test: test ipa-* commands when IPA is not configured
Add a test checking that ipa-* commands properly display
'IPA is not configured on this system' when called on a
system without IPA.
Related to: https://pagure.io/freeipa/issue/6261
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e4a3942e by Christian Heimes at 2018-08-23T12:49:06Z
Detect and prefer platform Python
A platform Python interpreter is a special variant of the interpreter,
that is only used for system software. It's located at
/usr/libexec/platform-python.
Fixes: https://pagure.io/freeipa/issue/7680
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a347c116 by Christian Heimes at 2018-08-23T12:49:06Z
Rename Python scripts and add dynamic shebang
All Python scripts are now generated from a template with a dynamic
shebang.
ipatests/i18n.py is no longer an executable script with shebang. The
module is not executed as script directly, but rather as
$(PYTHON) ipatests/i18n.py
Fixes: https://pagure.io/freeipa/issue/7680
All Python scripts are now template files with a dynamic shebang line.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c8da61b9 by Christian Heimes at 2018-08-23T12:49:06Z
Generate scripts from templates
Python scripts are now generated from templates. The scripts are marked
as nodist (no distribution) but install targets. The templates for the
scripts are extra distribution data, no installation (noinst).
Fixes: https://pagure.io/freeipa/issue/7680
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
02f4a7a2 by Florence Blanc-Renaud at 2018-08-24T14:50:30Z
DS replication settings: fix regression with <3.3 master
Commit 811b0fdb4620938963f1a29d3fdd22257327562c introduced a regression
when configuring replication with a master < 3.3
Even if 389-ds schema is extended with nsds5ReplicaReleaseTimeout,
nsds5ReplicaBackoffMax and nsDS5ReplicaBindDnGroupCheckInterval
attributes, it will return UNWILLING_TO_PERFORM when a mod
operation is performed on the cn=replica entry.
This patch ignores the error and logs a debug msg.
See: https://pagure.io/freeipa/issue/7617
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
79cb8ffb by Stanislav Levin at 2018-08-27T15:10:32Z
Add MigrateScreen widget
This widget is intended to integrate password migrate page into the
entire IPA Web framework. The functionality is the same as mentioned
standalone "ipa/migration/index.html".
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at localhost.localdomain>
- - - - -
13f1471c by Stanislav Levin at 2018-08-27T15:10:32Z
Add "migrate" Web UI plugin
This plugin creates and registers a facet with password migrate page.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at localhost.localdomain>
- - - - -
9bc93d30 by Stanislav Levin at 2018-08-27T15:10:32Z
Return the result of "password migration" procedure
So far "migration" end point redirected to "error"/"invalid" page as
a result of the client request. To use ajax requests and to not
reload/load the whole page the response should include the result of
request.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at localhost.localdomain>
- - - - -
05d7162b by Stanislav Levin at 2018-08-27T15:10:32Z
Integrate "migration" page to IPA Web framework.
To use all advantages of entire Web framework the "migration" page
should use "migrate" plugin. As well this allows to use IPA
translations.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at localhost.localdomain>
- - - - -
8a22c652 by Stanislav Levin at 2018-08-27T15:10:32Z
Provide translatable messages for MigrateScreen widget
Translatable messages should be marked with @i18n. Also
these messages should be presented in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at localhost.localdomain>
- - - - -
9f6d5322 by Stanislav Levin at 2018-08-27T15:10:32Z
Clean up migration "error" and "invalid" pages from project
Migration error/invalid html pages are no longer needed as their
functionality was moved to "migrate" plugin.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at localhost.localdomain>
- - - - -
4088b283 by Stanislav Levin at 2018-08-27T15:10:32Z
Add basic tests for "migration" end point
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at localhost.localdomain>
- - - - -
28f4e0e0 by Petr Vobornik at 2018-08-27T15:10:32Z
webui: redable color of invalid fields on login-screen-like pages
Pages with widgets like LoginScreen, MigrateScreen use login-pf styling.
This page has dark background instead of light. Thus styling for labels
for fields with error has color which makes the label hard to read or
almost invisible.
Change it to white so it is still readable.
Fixes: https://pagure.io/freeipa/issue/7641
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at localhost.localdomain>
- - - - -
f0c3a359 by Mohammad Rizwan Yusuf at 2018-08-27T18:31:32Z
Test if WSGI worker process count is set to 4
related ticket : https://pagure.io/freeipa/issue/7587
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
6175672e by Tibor Dudlák at 2018-08-28T07:32:45Z
Do not set ca_host when --setup-ca is used
Setting ca_host caused replication failures on DL0
because it was trying to connect to wrong CA host.
Trying to avoid corner-case in ipaserver/plugins/dogtag.py
when api.env.host nor api.env.ca_host had not CA configured
and there was ca_host set to api.env.ca_host variable.
See: https://pagure.io/freeipa/issue/7566
Resolves: https://pagure.io/freeipa/issue/7629
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c3f23da4 by Stanislav Levin at 2018-08-28T08:17:26Z
Fix "get_key_index" to fit caller's expectations
The clients of "get_key_index" expect index of key in matching case
otherwise -1. But instead of this function returns the "undefined"
value.
Fixes: https://pagure.io/freeipa/issue/7678
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
0dcce426 by Stanislav Levin at 2018-08-28T08:17:26Z
Reindex 'key_indicies' after item delete
The "keys.splice(i, 1)" removes one item at the specified position
from an array. Thus hashes which are stored at "that._key_indicies"
are no longer valid and should be reindexed.
Fixes: https://pagure.io/freeipa/issue/7678
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
ad85cc8e by Pavel Picka at 2018-08-28T08:32:30Z
PRCI failures fix
test_installation.py
- ticket 7008 closed so removing xfail
- TestInstallWithCA1
- TestInstallWithCA
- TestInstallWithCA_DNS1
- TestInstallWithCA_DNS2
nightly_master
- test_backup_and_restore_TestUser[r>R]ootFilesOwnership[Permission]
Signed-off-by: Pavel Picka <ppicka at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>
- - - - -
8af6accf by Rob Crittenden at 2018-08-29T07:03:18Z
Retrieve certificate subject base directly instead of ipa-join
The subject base is used as a fallback to find the available
CA certificates during client enrollment if the LDAP connection
fails (e.g. due to new client connecting to very old server) and
for constructing the subject if a certificate is requested.
raw=True is passed to config-show in order to avoid parsing
the server roles which will fail because the services aren't
marked as enabled until after the client installation is
successful on a master.
ipa-join providing the subject base via stderr was fragile and
would cause client enrollment to fail if any other output was
included in stderr.
https://pagure.io/freeipa/issue/7674
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b8528da5 by Christian Heimes at 2018-08-30T09:37:21Z
Refactor os-release and platform information
Move the /etc/os-release parser and platform detection code out of the
private _importhook module. The ipaplatform module now contains an
osinfo module that provides distribution, os, and vendor information.
See: https://www.freedesktop.org/software/systemd/man/os-release.html
See: https://pagure.io/freeipa/issue/7661
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1c03181e by Christian Heimes at 2018-08-30T09:37:21Z
Don't check for systemd service
ipaplatform no longer checks for the presence of a systemd service file
to detect the name of the domainname service. Instead it uses osinfo's
version to use the old name on Fedora 28 and the new name on Fedora 29.
This fixes a SELinux violation that prevented httpd from listing systemd
service files.
Fixes: https://pagure.io/freeipa/issue/7661
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
90203fb0 by Michal Reznik at 2018-08-31T10:30:46Z
Add "389-ds-base-legacy-tools" to requires.
"389-ds-base-legacy-tools" needs to be added to requires until
the switch to python installer is completed.
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
fe650087 by Robbie Harwood at 2018-08-31T19:01:46Z
Clear next field when returnining list elements in queue.c
The ipa-otpd code occasionally removes elements from one queue,
inspects and modifies them, and then inserts them into
another (possibly identical, possibly different) queue. When the next
pointer isn't cleared, this can result in element membership in both
queues, leading to double frees, or even self-referential elements,
causing infinite loops at traversal time.
Rather than eliminating the pattern, make it safe by clearing the next
field any time an element enters or exits a queue.
Related https://pagure.io/freeipa/issue/7262
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ab636682 by Robbie Harwood at 2018-08-31T19:01:46Z
Add cmocka unit tests for ipa otpd queue code
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
59df37ad by Michal Reznik at 2018-09-03T11:31:28Z
bump PRCI template version to 0.1.8
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
911416e4 by Florence Blanc-Renaud at 2018-09-03T11:56:39Z
ipa-server-install: do not perform forwarder validation with --no-dnssec-validation
ipa-server-install is checking if the forwarder(s) specified with
--forwarder argument support DNSSEC. When the --no-dnssec-validation
option is added, the installer should not perform the check.
Fixes: https://pagure.io/freeipa/issue/7666
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
739ddce6 by Florence Blanc-Renaud at 2018-09-03T11:56:39Z
tests: add test for server install with --no-dnssec-validation
Add 2 tests related to the checks performed by ipa-server-install
when --forwarder is specified:
- if the forwarder is not reachable and we require dnssec validation,
the installer must refuse to go on and exit on error.
- if the forwarder is not reachable but --no-dnssec-validation is
provided, the installer must continue.
Related to https://pagure.io/freeipa/issue/7666
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
1d3c308b by Thomas Woerner at 2018-09-05T09:46:31Z
Adapt freeipa.spec.in for latest Fedora, fix python2 ipatests packaging bug
New autoreconf -ivf call before configure
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
cf1301fb by Armando Neto at 2018-09-05T13:14:32Z
Delete empty keytab during client installation
Client installation fails if '/etc/krb5.keytab' exists as a zero-length
file. Deleting empty keytab before proceeding with the installation
fixes the problem.
https://pagure.io/freeipa/issue/7625
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
1857dc9d by Stanislav Levin at 2018-09-06T06:22:57Z
Fix render validation items on keypress event at login form
There are many no needed render callings which are performed
on each keypress event at login form. It is enough to update
validation items on "CapsLock" state change.
Fixes: https://pagure.io/freeipa/issue/7679
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
2a227c24 by Florence Blanc-Renaud at 2018-09-06T09:49:53Z
ipa-replica-install: fix pkinit setup
commit 7284097 (Delay enabling services until end of installer)
introduced a regression in replica installation.
When the replica requests a cert for PKINIT, a check is done
to ensure that the hostname corresponds to a machine with a
KDC service enabled (ipaconfigstring attribute of
cn=KDC,cn=<hostname>,cn=masters,cn=ipa,cn=etc,$BASEDN must contain
'enabledService').
With the commit mentioned above, the service is set to enabled only
at the end of the installation.
The fix makes a less strict check, ensuring that 'enabledService'
or 'configuredService' is in ipaconfigstring.
Fixes: https://pagure.io/freeipa/issue/7566
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
bcfd18f3 by Florence Blanc-Renaud at 2018-09-06T09:49:53Z
Tests: test successful PKINIT install on replica
Add a test checking that ipa-replica-install successfully configures
PKINIT on the replica
Related to https://pagure.io/freeipa/issue/7566
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
31a92c16 by Michal Reznik at 2018-09-06T11:49:34Z
tests: sssd_ssh fd leaks when user cert converted into SSH key
https://pagure.io/freeipa/issue/7687
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
c29581c9 by Michal Reznik at 2018-09-06T11:49:34Z
add strip_cert_header() to tasks.py
https://pagure.io/freeipa/issue/7687
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
c7064494 by Armando Neto at 2018-09-06T12:36:15Z
Fix certificate type error when exporting to file
Commands `ipa ca-show` and `ipa cert-show` share the same code,
this commit updates the former, closing the gap between them.
Reflecting the changes done in 5a44ca638310913ab6b0c239374f4b0ddeeedeb3.
https://pagure.io/freeipa/issue/7628
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6ad11d86 by Florence Blanc-Renaud at 2018-09-06T15:32:48Z
ipa-replica-install: properly use the file store
In ipa-replica-install, many components use their own instance
of the FileStore to backup configuration files to the pre-install
state. This causes issues when the calls are mixed, like for
instance:
ds.do_task1_that_backups_file (using ds.filestore)
http.do_task2_that_backups_file (using http.filestore)
ds.do_task3_that_backups_file (using ds.filestore)
because the list of files managed by ds.filestore does not include
the files managed by http.filestore, and the 3rd call would remove
any file added on 2nd call.
The symptom of this bug is that ipa-replica-install does not save
/etc/httpd/conf.d/ssl.conf and subsequent uninstallation does not
restore the file, leading to a line referring to ipa-rewrite.conf
that prevents httpd startup.
The installer should consistently use the same filestore.
Fixes https://pagure.io/freeipa/issue/7684
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b2ce20c6 by Florence Blanc-Renaud at 2018-09-06T15:32:48Z
Test: scenario replica install/uninstall should restore ssl.conf
Test that the scenario ipa-replica-install/ uninstall correctly
restores the file /etc/httpd/conf.d/ssl.conf
Related to https://pagure.io/freeipa/issue/7684
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
21f14e98 by Christian Heimes at 2018-09-06T15:39:00Z
Remove Python 2 support and packages
Remove Python 2 related code and configuration from spec file, autoconf
and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python
3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are
no longer available. PR-CI, lint, and tox aren't testing Python 2
compatibility either.
See: https://fedoraproject.org/wiki/Changes/FreeIPA_Python_2_Removal
Fixes: https://pagure.io/freeipa/issue/7568
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
c049992c by Armando Neto at 2018-09-06T15:40:58Z
Add test for client installation with empty keytab file
Missing test case for cf1301fb064fc230c780c4bc5eeccb723899f7b6.
https://pagure.io/freeipa/issue/7625
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
fe0cc945 by Michal Reznik at 2018-09-11T13:20:11Z
bump PRCI template version to 0.1.9
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7da50cf4 by Rob Crittenden at 2018-09-12T08:37:57Z
Update required version of dogtag to detect when FIPS is available
When it was checking for FIPS it assumed that /proc/sys/crypto
existed which it doesn't in some containers and on Ubuntu.
This was updated in dogtag, this change is just to pull in the
fix.
https://pagure.io/freeipa/issue/7608
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
6f386f2e by Stanislav Levin at 2018-09-12T08:44:37Z
Fix translation of "unauthorized.html" Web page
Make this page message translatable as other parts of IPA framework.
Fixes: https://pagure.io/freeipa/issue/7640
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c66cdf0b by Stanislav Levin at 2018-09-12T08:44:37Z
Fix translation of "ssbrowser.html" Web page
Make this page message translatable as other parts of IPA framework.
Fixes: https://pagure.io/freeipa/issue/7640
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
4b83227a by Stanislav Levin at 2018-09-12T08:44:37Z
Add basic tests to web pages which are located at /ipa/config/
The goal of these tests is to ensure that the translated text is
synced against a 'noscript' one.
Fixes: https://pagure.io/freeipa/issue/7640
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
0ed3dfb4 by Stanislav Levin at 2018-09-12T10:41:19Z
Replace the direct URL with config's one
To be customizable URL should be placed to "config"
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
4da736e7 by Stanislav Levin at 2018-09-12T10:41:19Z
Add "reset_and_login" view to LoginScreen widget
Previous "reset" view is splitted to "reset" and "reset_and_login"
ones. "reset" is used to render "just reset password" logic. And
"reset_and_login" - "reset password and then log in".
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
3a43bf88 by Stanislav Levin at 2018-09-12T10:41:19Z
Use "login" plugin instead of standalone JS file
Plugin "login" already has the same functionality as a JS code in
separated javascript file. There is no need to duplicate it.
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
30bcad4c by Stanislav Levin at 2018-09-12T10:41:19Z
Clean up reset_password.js file from project
reset_password.js is no longer needed as it's functionality is moved
to "login" plugin.
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
d5c0bae9 by Stanislav Levin at 2018-09-12T10:41:19Z
Fix translations of messages in LoginScreen widget
To be translatable messages should be marked with '@i18n' and
present in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
5c32ac3e by Stanislav Levin at 2018-09-12T10:41:19Z
Add "bounce" logic from "reset_password.js"
This should add support for https://pagure.io/freeipa/issue/4440
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
b4885d3e by Stanislav Levin at 2018-09-12T10:41:19Z
Add tests for LoginScreen widget
Add some basic tests for different aspects of LoginScreen such as
'login', 'reset_and_login', 'reset' views.
Fixes: https://pagure.io/freeipa/issue/7619
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
167791f3 by Thomas Woerner at 2018-09-12T11:11:21Z
Remove ipa-replica-prepare script and man page
This is part of the DL0 code removal. As ipa-replica-prepare is only needed
and useful for domain level 0, the script can be removed.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
418da605 by Thomas Woerner at 2018-09-12T11:11:21Z
Remove DL0 specific code from ipa-ca-install
Replica files are DL0 specific therefore all the code that is related to
replica files have been removed. An additional check for the new minimal
domain level has been added.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9af0b094 by Thomas Woerner at 2018-09-12T11:11:21Z
Remove DL0 specific code from cainstance and ca in ipaserver/install
cainstance.replica_ca_install_check is only used in ca.install_check if
replica_config is not None (replica installation). As it is immediately
stopped if promote is not set, therefore it can be removed.
The check for cafile in ca.install_check has been dropped. promote is set
to True in ca.install_step_0 if replica_config is not None for
cainstance.configure_instance.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
db5bff14 by Thomas Woerner at 2018-09-12T11:11:21Z
Remove DL0 specific code from ipa_kra_install in ipaserver/install
Replica files are DL0 specific therefore all the code that is related to
replica files have been removed An additional check for the new minimal
domain level has been added. The use of extra args results in an error as
this was only needed for the replica file.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
eaae9935 by Thomas Woerner at 2018-09-12T11:11:21Z
Remove DL0 specific code from dsinstance ipaserver/install
Promote is now hard set to True in create_replica for later use in
_get_replication_manager.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
71e19f11 by Thomas Woerner at 2018-09-12T11:11:21Z
Remove DL0 specific code from kra in ipaserver/install
The code to add missing KRA certificates has been removed from install_check
as it was only reached if replica_config is not None and promote was False
for DL0 replica installations. Also the other places.
Promote is now hard set to True if replica_config is not None in install
for later use in krainstance.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ecf80900 by Thomas Woerner at 2018-09-12T11:11:21Z
Remove unused promote arg in krbinstance.create_replica in ipaserver/install
The argument was not used at all.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ae94aae4 by Thomas Woerner at 2018-09-12T11:11:21Z
Remove DL0 specific code from ipa_replica_install in ipaserver/install
Replica files are DL0 specific therefore the knob extension for
replica_file has been removed. Also the code that is only executed if
replica_file is not None.
The new variable replica_install has been added which is used in
ServerInstallInterface.__init__
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f7e1d18d by Thomas Woerner at 2018-09-12T11:11:21Z
Remove DL0 specific code from __init__ in ipaserver/install/server
The methods _is_promote has been removed from all classes as this has only
been used internally to check if the domain level is correct.
The check if the installer object has the attribute replica_file has been
modified to use the new variable replica_install defined in
CompatServerReplicaInstall instead.
The DL0 specific code from ServerInstallInterface.__init__ has been removed
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2738c5c1 by Thomas Woerner at 2018-09-12T11:11:21Z
Remove DL0 specific code from replicainstall in ipaserver/install/server
create_replica_config is not imported anymore from
ipaserver.install.installutils.
The promote argument has been removed from these functions and function
calls:
- install_replica_ds
- ds.create_replica
- install_krb
- krbinstance.create_replica
- install_http
- httpinstance.create_instance
The function install_check has been removed completely as it is only used
to prepare the DL0 installation.
All DL0 specific code has been removed from the install function.
The varaibles promote, installer.promote/options.promote and config.promote
have bene removed.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a42a7113 by Thomas Woerner at 2018-09-12T11:11:21Z
Remove create_replica_config from installutils in ipaserver/install
This function is used to load the replica file. Without DL0 support this
is not needed at all anymore.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
15bf647e by Thomas Woerner at 2018-09-12T11:11:21Z
Remove DL0 specific code from custodiainstance in ipaserver/install
iWithout DL0 support the custodia mode can be used to determine if a
server or replica will be installed. Therefore the use of config.promote
can be removed.
A new check has been added to make sure the mode known in
get_custodia_instance.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
842cb5f2 by Thomas Woerner at 2018-09-12T11:11:21Z
Rename CustodiaModes.STANDALONE to CustodiaModes.FIRST_MASTER
This is related to the DL0 code removal. FIRST_MASTER describes this
mode a lot better.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fbe003f5 by Thomas Woerner at 2018-09-12T11:11:21Z
Remove options.promote from install in ipaserver/install/server/install
There is no need to set options.promote to false anymore for a server
installation in the install function.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2f50d249 by Thomas Woerner at 2018-09-12T11:11:21Z
Remove replica_file from ClientInstall class in ipaclient/install/client.py
There is no need to set replica_file to None for client installations.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
374138d0 by Thomas Woerner at 2018-09-12T11:11:21Z
Remove replica_file knob from ipalib/install/service.py
The replica_file option is not needed anymore. Threfore the option can
be removed.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fca1167a by Thomas Woerner at 2018-09-12T11:11:21Z
Remove DL0 specific tests from ipatests/test_integration/test_replica_promotion.py
These tests have been skipped already before. Therefore they can be removed.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7eb8695e by Thomas Woerner at 2018-09-12T11:11:21Z
Remove DL0 specific code from ipatests/pytest_ipa/integration/tasks.py
The functions get_replica_filename and replica_prepare are not needed anymore
with the DL0 removal. The DL0 specific code has been removed from the
functions install_replica, install_kra and install_ca.
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b689ba7e by Thomas Woerner at 2018-09-12T11:11:21Z
Remove DL0 specific code from ipatests/test_integration/test_caless.py
See: https://pagure.io/freeipa/issue/7689
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c6b3cf6d by Rob Crittenden at 2018-09-12T14:43:06Z
Advise plugin for enabling sudo for members of the admins group
Create HBAC and a sudo rule for allowing members of the admins
group to run sudo on all enrolled hosts.
https://pagure.io/freeipa/issue/7538
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
09750589 by Stanislav Levin at 2018-09-18T11:51:51Z
Drop concatenated title of remove dialog
As for now the default title of remove dialogs is set to
'Remove ${entity}', where 'entity' is also translatable text.
This construction is used via method 'create_remove_dialog'
of Search facet for the all association 'Delete' actions of
entities.
The such concatenation leads to a bad quality translation and
should be changed to an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
5eea5354 by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'Users' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
3921210d by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'Hosts' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
3c26a3b8 by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'Services' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
d06f4984 by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'Groups' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
d23376f5 by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'ID Views' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
2d9cdd92 by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'Automember' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
46018680 by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'HBAC' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
b5073e96 by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'Sudo' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
772e096d by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'SELinux User Maps' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
8d13d4ef by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'Password Policies' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
dfd22e74 by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'Certificates' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
93eebdb5 by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'OTP Tokens' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
36bfd1f8 by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'RADIUS Servers' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
dcd90343 by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'Certificate Identity Mapping Rules' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
a863cec3 by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'Automount Locations' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
d5979fb2 by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'DNS' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
855e138a by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'RBAC' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
1f391b7c by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'ID Ranges' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
291ea453 by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'Topology' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
3e1a4a1d by Stanislav Levin at 2018-09-18T11:51:51Z
Add title to remove dialog of 'Trusts' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7699
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
7729bb73 by Florence Blanc-Renaud at 2018-09-19T08:13:15Z
ipa-advise: configure pam_cert_auth=True for smart card on client
ipa-advise config-client-for-smart-card-auth is now using authselect
instead of authconfig, but authselect enable-feature with-smartcard
does not set pam_cert_auth=True in /etc/sssd/sssd.conf.
As a result, smart card auth on a client fails.
The fix adds a step in ipa-advise to configure pam_cert_auth=True.
The fix also forces the use of python3 interpreter, and handles
newer versions of SSSD which use OpenSSL instead of NSS (the trusted
CA certs must be put into /etc/sssd/pki/sssd_auth_ca_db.pem
Fixes https://pagure.io/freeipa/issue/7532
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d0173c95 by Florence Blanc-Renaud at 2018-09-19T08:18:45Z
authselect: harden uninstallation of ipa client
When ipa client is uninstalled, the content of sysrestore.state
is read to restore the previous authselect profile and features.
The code should properly handle the case where sysrestore.state
contains the header for the authselect section, but the key=value
for profile and features are missing.
Fixes https://pagure.io/freeipa/issue/7657
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1a7e4b0e by Florence Blanc-Renaud at 2018-09-19T08:18:45Z
tests: add test for uninstall with incomplete sysrestore.state
Add a test that performs client uninstallation when sysrestore.state
contains the header for the [authselect] section but does not
contain a value for profile and features.
Related to https://pagure.io/freeipa/issue/7657
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2b3fd701 by Serhii Tsymbaliuk at 2018-09-19T11:32:51Z
Fix hardcoded CSR in test_webui/test_cert.py
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
95928f62 by Serhii Tsymbaliuk at 2018-09-19T11:32:51Z
Use random IPs and domains in test_webui/test_host.py
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
1212402a by Serhii Tsymbaliuk at 2018-09-19T11:32:51Z
Increase request timeout for WebUI tests
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
d582484b by Serhii Tsymbaliuk at 2018-09-19T11:32:51Z
Fix test_realmdomains::test_add_single_labeled_domain (Web UI test)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
1f04c481 by Serhii Tsymbaliuk at 2018-09-19T11:32:51Z
Use random realmdomains in test_webui/test_realmdomains.py
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
685cef55 by Serhii Tsymbaliuk at 2018-09-19T11:32:51Z
Fix test_user::test_login_without_username (Web UI test)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
41258d81 by Serhii Tsymbaliuk at 2018-09-19T11:32:51Z
Fix unpermitted user session in test_selfservice (Web UI test)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
2b739701 by Serhii Tsymbaliuk at 2018-09-19T11:32:51Z
Add SAN extension for CSR generation in test_cert (Web UI tests)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
b58bc750 by Serhii Tsymbaliuk at 2018-09-19T11:32:51Z
Generate CSR for test_host::test_certificates (Web UI test)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
93eafaec by Serhii Tsymbaliuk at 2018-09-19T11:32:51Z
Add cookies clearing for all Web UI tests
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
970af640 by Serhii Tsymbaliuk at 2018-09-19T11:32:51Z
Remove unnecessary session clearing in some Web UI tests
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
1affddaa by Serhii Tsymbaliuk at 2018-09-19T11:32:51Z
Increase some timeouts in Web UI tests
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
46eb9a38 by Serhii Tsymbaliuk at 2018-09-19T11:32:51Z
Fix UI_driver.has_class exception. Handle situation when element has no class attribute
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
d020fc49 by Serhii Tsymbaliuk at 2018-09-19T11:32:51Z
Change Web UI tests setup flow
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
e3820682 by Rob Crittenden at 2018-09-19T15:42:49Z
Try to resolve the name passed into the password reader to a file
Rather than comparing the value passed in by Apache to a
hostname value just see if there is a file of that name in
/var/lib/ipa/passwds.
Use realpath to see if path information was passed in as one of
the options so that someone can't try to return random files from
the filesystem.
https://pagure.io/freeipa/issue/7528
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2064c72b by Rob Crittenden at 2018-09-21T08:21:14Z
Fix uninstallation test, use different method to stop dirsrv
The API may not be initialized so using ds.is_running() may fail.
Call systemctl directly to ensure the dirsrv instance is stopped.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>
- - - - -
11b3cdff by Rob Crittenden at 2018-09-21T08:21:14Z
Add uninstallation tests to night master and rawhide
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>
- - - - -
24888132 by Florence Blanc-Renaud at 2018-09-24T06:42:40Z
ipatests: mark known failures as xfail
The tests in test_integration/test_installation.py
that inherit from InstallTestBase2 all fail in
test_replica2_ipa_kra_install because of ticket
7654: ipa-kra-install fails on DL1
This is an issue linked to dogtag (see
https://pagure.io/dogtagpki/issue/3055), where the
installation of a KRA clone creates a range depletion
when multiple clones are created from the same master.
Marking the tests as known failure, waiting for dogtag's
fix.
Related to https://pagure.io/freeipa/issue/7654
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
288fe328 by Florence Blanc-Renaud at 2018-09-24T10:55:48Z
Tests: remove dl0 tests from nightly definition
Commit fca1167af48651c3454c33c77ef28ec333220040 removed the following tests
from ipatests/test_integration/test_replica_promotion.py:
TestReplicaPromotionLevel0
TestKRAInstall
TestCAInstall
TestReplicaManageCommands
TestOldReplicaWorksAfterDomainUpgrade
but the nightly definition was not updated accordingly.
The fix removes the unexisting tests from nightly.
Related to https://pagure.io/freeipa/issue/7689
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
ca68848e by Stanislav Levin at 2018-09-25T13:16:05Z
Drop concatenated title of remove dialog
As for now the default title of remove dialogs, which are
initialized from 'association' facet, is set to something like
'Remove ${other_entity} from ${entity} ${primary_key}', where
'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'show_remove_dialog'
of 'association' facet for the all 'Delete' actions within details
of entities.
Such concatenation leads to a bad quality translation and
should be changed to an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
35fa528c by Stanislav Levin at 2018-09-25T13:16:05Z
Add a title to 'remove' dialog for details of 'Users' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
d97ff69e by Stanislav Levin at 2018-09-25T13:16:05Z
Add a title to 'remove' dialog for details of 'Hosts' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c4729e11 by Stanislav Levin at 2018-09-25T13:16:05Z
Add a title to 'remove' dialog for details of 'Services' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
6e839f91 by Stanislav Levin at 2018-09-25T13:16:05Z
Add a title to 'remove' dialog for details of 'Groups' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
ea0e6a36 by Stanislav Levin at 2018-09-25T13:16:05Z
Add a title to 'remove' dialog for details of 'HBAC' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
db6462b8 by Stanislav Levin at 2018-09-25T13:16:05Z
Add a title to 'remove' dialog for details of 'Sudo' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
f741c62f by Stanislav Levin at 2018-09-25T13:16:05Z
Add a title to 'remove' dialog for details of 'OTP Tokens' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
71594466 by Stanislav Levin at 2018-09-25T13:16:05Z
Add a title to 'remove' dialog for details of 'RBAC' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
9cbf16a7 by Stanislav Levin at 2018-09-25T13:16:05Z
Add a title to 'remove' dialog for details of 'Trusts' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7702
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
70349753 by Alexander Bokovoy at 2018-09-26T09:40:19Z
Support Samba 4.9
Samba 4.9 became a bit more strict about creating a local NT token and a
failure to resolve or create BUILTIN\Guests group will cause a rejection
of the connection for a successfully authenticated one.
Add a default mapping of the nobody group to BUILTIN\Guests.
BUILTIN\Guests is a special group SID that is added to the NT token for
authenticated users.
For real guests there is 'guest account' option in smb.conf which
defaults to 'nobody' user.
This was implicit behavior before as 'guest account = nobody' by
default would pick up 'nobody' group as well.
Fixes: https://pagure.io/freeipa/issue/7705
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0659ed35 by Florence Blanc-Renaud at 2018-09-26T09:44:21Z
ipa-server-upgrade: fix inconsistency in setup_lightweight_ca_key_retrieval
The method setup_lightweight_ca_key_retrieval is called on
server upgrade and checks first if it needs to be executed or if
a previous upgrade already did the required steps.
The issue is that it looks for setup_lwca_key_retrieval in sysupgrade.state
but writes setup_lwca_key_retieval (with a missing r).
The fix consistently uses setup_lwca_key_retieval (as older installations
may already contain this key in sysupgrade.state).
Fixes https://pagure.io/freeipa/issue/7688
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
4460cc5e by Rob Crittenden at 2018-09-26T11:26:42Z
Fix identifier typo in UI
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
f658a3d1 by Stanislav Levin at 2018-09-26T11:50:11Z
Fix loading 'freeipa/text' at production mode
As for now 'ssbrowser.html' and 'unauthorized.html' pages are
loaded without JS error at development mode only.
There is no standalone 'freeipa/text' module as source at
production mode. Thus 'core' one have to be loaded first and
then 'text'.
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
43d9eda9 by Stanislav Levin at 2018-09-26T11:56:53Z
Drop concatenated title of remove dialog
As for now the default title of remove dialogs, which are
initialized from 'association_table' facet, is set to something
like 'Remove ${other_entity} from ${entity} ${primary_key}',
where 'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'show_remove_dialog'
of 'association_table' widget for the all 'Delete' actions within
details of entities.
Such concatenation leads to a bad quality translation and
should be changed to an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
4b8509f9 by Stanislav Levin at 2018-09-26T11:56:53Z
Add title to 'remove' dialog for 'association_table' widget of 'Hosts' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
0825170a by Stanislav Levin at 2018-09-26T11:56:53Z
Add title to 'remove' dialog for 'association_table' widget of 'Services' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
79aa5920 by Stanislav Levin at 2018-09-26T11:56:53Z
Add title to 'remove' dialog for 'association_table' widget of 'Groups' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c2e6e010 by Stanislav Levin at 2018-09-26T11:56:53Z
Allow having a custom title of 'Remove' dialog for 'attribute_table' widget
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
8657b57a by Stanislav Levin at 2018-09-26T11:56:53Z
Add title to 'Remove' dialog for 'association_table' widget of 'Automember' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
1fd6817b by Stanislav Levin at 2018-09-26T11:56:53Z
Add title to 'Remove' dialog for 'association_table' widget of 'HBAC' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c2eebee3 by Stanislav Levin at 2018-09-26T11:56:53Z
Add title to 'Remove' dialog for 'association_table' widget of 'Sudo' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c115efd1 by Stanislav Levin at 2018-09-26T11:56:53Z
Add title to 'Remove' dialog for 'association_table' widget of 'SELinux' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
ea115bf8 by Stanislav Levin at 2018-09-26T11:56:53Z
Add title to 'Remove' dialog for 'association_table' widget of 'CA' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
6eed6776 by Stanislav Levin at 2018-09-26T11:56:53Z
Add title to 'Remove' dialog for 'association_table' widget of 'Topology' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
57e65a5c by Stanislav Levin at 2018-09-26T11:56:53Z
Add title to 'Remove' dialog for 'association_table' widget of 'Vault' entity
To improve translation quality the title of 'Remove' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
6b27c203 by Stanislav Levin at 2018-09-26T11:56:53Z
Add title to 'unprovision' dialog
To improve translation quality the title of 'unprovision' dialog
should be specified explicitly in the spec and should be an entire
sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
5052641a by Stanislav Levin at 2018-09-26T11:56:53Z
Add title to remove dialog of 'DNS' entity
To improve translation quality the title of Remove dialog
should be specified explicitly in the spec and should be an
entire sentence.
Fixes: https://pagure.io/freeipa/issue/7704
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
e1a30d3c by Christian Heimes at 2018-09-27T04:55:34Z
Workaround for pyasn1 0.4
pyasn1 0.4 changed handling of ANY containers in a backwards
incompatible way. For 0.3.x, keep explicit wrap and unwrap in octet
strings for ANY container members. For >= 0.4, let pyasn1 do the job.
This patch also makes sorting of extended_key_usage_bytes() stable and
adds tests.
Tested with pyasn1 0.3.7 and 0.4.4.
Fixes: https://pagure.io/freeipa/issue/7685
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
4a58adf7 by Christian Heimes at 2018-09-27T08:23:03Z
Sprinkle raw strings across the code base
tox / pytest is complaining about lots and lots of invalid escape
sequences in our code base. Sprinkle raw strings or backslash escapes
across the code base to fix most occurences of:
DeprecationWarning: invalid escape sequence
There is still one warning that keeps repeating, though:
source:264: DeprecationWarning: invalid escape sequence \d
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
b431e9b6 by Christian Heimes at 2018-09-27T09:49:04Z
Py3: Remove subclassing from object
Python 2 had old style and new style classes. Python 3 has only new
style classes. There is no point to subclass from object any more.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
78c722d4 by Christian Heimes at 2018-09-27T13:35:35Z
Require sssd-ipa instead of sssd meta pkg
The sssd meta package pulls in additional dependencies that are not
required by IPA clients. Only depend on sssd-ipa.
Also update SSSD to 1.16.3-2 with fixes with support for One-Way Trust
authenticated by trust secret.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1345975
See: https://pagure.io/freeipa/issue/7710
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
964a9bdc by Christian Heimes at 2018-09-27T14:11:18Z
Py3: Replace six.string_types with str
In Python 3, six.string_types is just an alias for str.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ea396528 by Christian Heimes at 2018-09-27T14:11:18Z
Py3: Replace six.integer_types with int
In Python 3, six.integer_types is (int,). In most places, the alias can
be simply replaced with int. In other places, it was possible to
simplify the code by unpacking the tuple.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
61156b0a by Christian Heimes at 2018-09-27T14:11:18Z
Py3: Replace six.text_type with str
On Python 3, six.text_type (singular) is an alias for str.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ed967ec2 by Christian Heimes at 2018-09-27T14:11:18Z
Py3: Replace six.bytes_type with bytes
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
54765474 by Stanislav Levin at 2018-09-27T14:33:25Z
Fix javascript 'errors' found by jslint
There are several JavaScript errors, which have come with PRs:
2362, 2371, 2372.
JavaScript code have to follow jsl requires.
Fixes: https://pagure.io/freeipa/issue/7717
Fixes: https://pagure.io/freeipa/issue/7718
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
54a0e9e9 by Stanislav Levin at 2018-09-27T14:33:25Z
Add jslint check to PR CI tests
For now, from all possible lint checks, pylint applies only.
jslint can prevent JavaScript errors at WebUI.
Fixes: https://pagure.io/freeipa/issue/7717
Fixes: https://pagure.io/freeipa/issue/7718
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5dbcc1a9 by Florence Blanc-Renaud at 2018-09-28T08:27:18Z
ipatests: mark known failure for installation_TestInstallWithCA2
The test TestInstallWithCA2 and TestInstallWithCA_DNS2 fail in
test_replica0_with_ca_kra_dns_install because they both try to
install a (first instance of) KRA.
This is a known issue, thus marking as xfail.
Related to https://pagure.io/freeipa/issue/7651
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
4b60bc38 by Christian Heimes at 2018-10-01T06:30:10Z
Lint yaml and RPM spec
Let's catch broken YAML files (Travis, PR-CI) and spec file early.
- Use rpmlint to detect syntax errors in spec file early
- Attempt to parse all YAML files with PyYAML
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
234c71ca by Stanislav Levin at 2018-10-01T08:28:14Z
Drop concatenated title of 'add' dialog
As for now the default title of 'add' dialog is set to something
like 'Add ${entity}', where 'entity' is also translatable text.
Such construction is used via method 'adder_dialog' of Entity
for the all 'Add' actions.
This leads to a bad quality translation and should be changed to
an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c6221a51 by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'Users' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
70cb5ba0 by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'OTP' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
6881bf8d by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'Host' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
8a834cda by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'Service' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
794a51ea by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'Groups' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
348e813b by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'ID Views' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
bf49664d by Stanislav Levin at 2018-10-01T08:28:14Z
Drop concatenated title of 'add' dialog for 'attribute_table' widget
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
e363fb3e by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'Automember' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
fd732aaa by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'HBAC' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
8655c9be by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'Sudo' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
e506f266 by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'SELinux' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
4bd03e47 by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'Password Policies' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c38aab10 by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'Certificates' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
38ea2dae by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'RADIUS' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
98c290e4 by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'Certificate Identity' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
bafa0d5f by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'Automount' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
8dddc003 by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'DNS' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
f3584661 by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'Vault' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
16fed6e9 by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'RBAC' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
f349479f by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'ID Ranges' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
e3c0c4d7 by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'Trusts' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
e89493e2 by Stanislav Levin at 2018-10-01T08:28:14Z
Add title to 'add' dialog for 'Topology' entity
To improve translation quality the title of 'Add' dialog should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7707
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
a2ad4174 by Fraser Tweedale at 2018-10-02T08:18:32Z
Fix writing certificate chain to file
An client-side error occurs when cert commands are instructed to
write the certificate chain (--chain option) to a file
(--certificate-out option). This regression was introduced in the
'cert' plugin in commit 5a44ca638310913ab6b0c239374f4b0ddeeedeb3,
and reflected in the 'ca' plugin in commit
c7064494e5801d5fd4670e6aab1e07c65d7a0731.
The server behaviour did not change; rather the client did not
correctly handle the DER-encoded certificates in the
'certificate_chain' response field. Fix the issue by treating the
'certificate' field as base-64 encoded DER, and the
'certificate_chain' field as an array of raw DER certificates.
Add tests for checking that the relevant commands succeed and write
PEM data to the file (both with and without --chain).
Fixes: https://pagure.io/freeipa/issue/7700
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ef57be61 by Alexander Bokovoy at 2018-10-02T10:10:21Z
When stripping PO files, sort the output
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6f6cac04 by Alexander Bokovoy at 2018-10-02T10:10:21Z
Re-sort the translations before importing new ones from Zanata
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
60cb8979 by Alexander Bokovoy at 2018-10-02T10:10:21Z
Import updated translations from Zanata
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a502fa93 by Stanislav Levin at 2018-10-02T14:37:17Z
Drop concatenated title of 'Add' dialog for details of entity
As for now the 'Add' dialog title, which is initialized within
details of the entity, contains translated concatenated texts,
like:
'Add ${other_entity} into ${entity} ${primary_key}',
where 'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'show_add_dialog' of
association_facet for the all 'Add' actions within details
of entities.
The concatenation leads to a bad quality translation and
should be changed to an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
dda488ef by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for details of 'Certificate' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
d588d3e9 by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for details of 'Users' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
dc9e5c57 by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for details of 'Hosts' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
ac52faca by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for details of 'Services' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
9e4de506 by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for details of 'Groups' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
01eba53c by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for details of 'ID Views' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
30094d82 by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for details of 'HBAC' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
35b1b65a by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for details of 'Sudo' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
958b1057 by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for details of 'OTP Tokens' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
b3ac2304 by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for details of 'RBAC' entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
171c6a01 by Stanislav Levin at 2018-10-02T14:37:17Z
Drop concatenated title of add dialog for association_table widget
As for now the default title of add dialogs, which are
initialized from 'association_table' widget, is set to something
like 'Add ${other_entity} into ${entity} ${primary_key}',
where 'other_entity' and 'entity' are also translatable texts.
This construction is used via method 'create_add_dialog' of
'association_table' widget for the all 'Add' actions within
details of entities.
Such concatenation leads to a bad quality translation and
should be changed to an entire sentence.
>From now a mentioned title is taken from a spec and should be
specified explicitly.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
3c81e170 by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for 'association_table' widget of Hosts entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
20688f0f by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for 'association_table' widget of Services entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c14ef573 by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for 'association_table' widget of Groups entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
1ccafd48 by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for 'association_table' widget of HBAC entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
2ea8f088 by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for 'association_table' widget of Sudo entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
0e1accda by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for 'association_table' widget of SELinux User Maps entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
073eac08 by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for 'association_table' widget of Certificates entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
29ca7bf3 by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for 'association_table' widget of Vaults entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
0f30fd83 by Stanislav Levin at 2018-10-02T14:37:17Z
Add title to 'add' dialog for 'association_table' widget of Topology entity
To improve translation quality the title of 'Add' dialog,
which is initialized within details table of the entity, should be
specified explicitly in the spec and should be an entire sentence.
Fixes: https://pagure.io/freeipa/issue/7712
Fixes: https://pagure.io/freeipa/issue/7714
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
c0c8e7f5 by Rob Crittenden at 2018-10-05T10:00:41Z
Add entry for Serhii to mailmap
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
75326406 by Alexander Bokovoy at 2018-10-05T10:02:39Z
Update list of contributors
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
15d5e44e by Christian Heimes at 2018-10-05T10:06:19Z
Py3: Replace six.moves imports
Replace six.moves and six.StringIO/BytesIO imports with cannonical
Python 3 packages.
Note: six.moves.input behaves differently than builtin input function.
Therefore I left six.moves.input for now.
See: https://pagure.io/freeipa/issue/7715
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
4f04e91b by Florence Blanc-Renaud at 2018-10-05T12:59:34Z
ipatests: remove TestReplicaManageDel (dl0)
TestReplicaManageDel is a test using domain level 0
but we do not support it any more. Remove the test.
Related to https://pagure.io/freeipa/issue/7689
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
341a1205 by Christian Heimes at 2018-10-05T13:04:15Z
Fix zonemgr encoding issue
The zonemgr validator and handler performs additional encodings for IDNA
support. In Python 3, the extra steps are no longer necessary because
arguments are already proper text and stderr can handle text correctly.
This also fixes 'b' prefix in error messages like:
option zonemgr: b'empty DNS label'
Fixes: https://pagure.io/freeipa/issue/7711
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9e1c26c7 by Florence Blanc-Renaud at 2018-10-09T12:53:56Z
certdb: provide meaningful err msg for wrong PIN
ipa-server-install or ipa-replica-install do not provide
a meaningful error message in CA-less mode when the install
fails because of a wrong PIN.
Update the err msg so that it provides a hint to the user.
Fixes https://pagure.io/freeipa/issue/5378
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
6650d1b5 by Florence Blanc-Renaud at 2018-10-09T12:53:56Z
ipa tests: CA less
Remove the annotation pytest.mark.xfail as issue 5378 has been fixed.
Related to https://pagure.io/freeipa/issue/5378
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
7f507519 by Thomas Woerner at 2018-10-10T07:56:40Z
Find orphan automember rules
If groups or hostgroups have been removed after automember rules have been
created using them, then automember-rebuild, automember-add, host-add and
more commands could fail.
A new command has been added to the ipa tool:
ipa automember-find-orphans --type={hostgroup,group} [--remove]
This command retuns the list of orphan automember rules in the same way as
automember-find. With the --remove option the orphan rules are also removed.
The IPA API version has been increased and a test case has been added.
Using ideas from a patch by: Rob Crittenden <rcritten at redhat.com>
See: https://pagure.io/freeipa/issue/6476
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f6793043 by Florence Blanc-Renaud at 2018-10-10T09:32:26Z
ipatests: mark known failures as xfail
Commit 5dbcc1a9d30cdb0bc1c4f8476be37a3ef781f9be marked
the base class method test_replica0_with_ca_kra_dns_install
as known failure, but this does not work with inherited
classes. The child class methods need to be marked
themselves as known failures with @pytest.mark.xfail
Furthermore, TestInstallWithCA_KRA2 and TestInstallWithCA_KRA_DNS2
tests should succeed because the master is installed with KRA
(issue 7651 is related to replica install with --setup-kra
when it is the first KRA instance).
Related to https://pagure.io/freeipa/issue/7651
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1ef0fe8b by Alexander Bokovoy at 2018-10-10T09:36:00Z
adtrust: define Guests mapping after creating cifs/ principal
All Samba utilities load passdb modules from the configuration file. As
result, 'net groupmap' call would try to initialize ipasam passdb module
and that one would try to connect to LDAP using Kerberos authentication.
We should be running it after cifs/ principal is actually created in
ipa-adtrust-install or otherwise setting up group mapping will fail.
This only affects new installations. For older ones 'net groupmap' would
work just fine because adtrust is already configured and all principals
exist already.
A re-run of 'ipa-server-upgrade' is a workaround too but better to fix
the initial setup.
Related: https://pagure.io/freeipa/issue/7705
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1e76f100 by Rob Crittenden at 2018-10-12T20:55:52Z
Enable LDAP debug output in client to display TLS errors in join
If ipa-join fails due to a TLS connection error when doing an
LDAP-based enroll then nothing is logged by default except an
Invalid Password error which is misleading (because the failure
occurs during the bind).
The only way that debugging would have been sufficient is if
the user passed --debug to ipa-client-install which is not great.
This log level is otherwise very quiet and only logs one or two
lines on errors which is perfect.
https://pagure.io/freeipa/issue/7728
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
531eca43 by Stanislav Levin at 2018-10-15T08:04:33Z
Move ipa's systemd tmpfiles from /var/run to /run
systemd 239 complains about the legacy of ipa's tmpfiles which
are located on /var/run.
Fixes: https://pagure.io/freeipa/issue/7732
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3eac88a4 by Florence Blanc-Renaud at 2018-10-15T08:20:25Z
Bump requires 389-ds-base
ipa-replica-install sometimes fails with
--
[28/41]: setting up initial replication
Starting replication, please wait until this has completed.
[ldap://master.ipa.test:389] reports: Replica Busy! Status: [Error (1) Replication error acquiring replica: replica busy]
[error] RuntimeError: Failed to start replication
--
which is caused by a 389-ds issue
(https://pagure.io/389-ds-base/issue/49818)
Bump requires to include the fix.
Fixes: https://pagure.io/freeipa/issue/7642
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e55d17d6 by Serhii Tsymbaliuk at 2018-10-15T12:11:42Z
UI tests for "ID Range": check range name and base ID duplication
https://pagure.io/freeipa/issue/7709
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
369fb23e by Serhii Tsymbaliuk at 2018-10-15T12:11:42Z
UI tests for "ID Range": check adding range without primary and secondary RID bases
https://pagure.io/freeipa/issue/7709
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
b180991a by Serhii Tsymbaliuk at 2018-10-15T12:11:42Z
UI tests for "ID Range": check primary RID base duplication
https://pagure.io/freeipa/issue/7709
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
dde4d19f by Serhii Tsymbaliuk at 2018-10-15T12:11:42Z
UI tests for "ID Range": check adding range with overlapping of existing local range
https://pagure.io/freeipa/issue/7709
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
70f51c0d by Serhii Tsymbaliuk at 2018-10-15T12:11:42Z
UI tests for "ID Range": check modifying ID range with invalid or missing values
https://pagure.io/freeipa/issue/7709
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
dd590e7e by Serhii Tsymbaliuk at 2018-10-15T12:11:42Z
UI tests for "ID Range": - check creating ID range with special characters in name - check modifying ID range with existing secondary RID base
https://pagure.io/freeipa/issue/7709
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
6595949e by Serhii Tsymbaliuk at 2018-10-15T12:11:42Z
UI tests for "ID Range": check creating ID Range with overlapping of primary and secondary RID base
https://pagure.io/freeipa/issue/7709
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
2d845cc7 by Serhii Tsymbaliuk at 2018-10-15T12:11:42Z
UI tests for "ID Range": check deleting primary local range
https://pagure.io/freeipa/issue/7709
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
4c3f0104 by Serhii Tsymbaliuk at 2018-10-16T07:09:02Z
UI tests for "ID Range": Clean unnecessary Python2 compatible code constructions
https://pagure.io/freeipa/issue/7709
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5466eca0 by Rob Crittenden at 2018-10-16T09:16:41Z
Remove tests which install KRA on replica w/o KRA on master
The KRA installation code explicity quits if trying to
install a KRA during a replica installation if there is not
already a KRA in the topology.
A KRA can be added afterward.
https://pagure.io/freeipa/issue/7651
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
fbcb79af by Florence Blanc-Renaud at 2018-10-17T13:51:10Z
ipatests: fix path in expected error message
The test is putting server.p12 / replica.p12 in the test_dir directory,
and the error message is printing the file name with its full path.
Related to https://pagure.io/freeipa/issue/5378
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
2fba5acc by Rob Crittenden at 2018-10-19T15:53:32Z
Handle NTP configuration in a replica server installation
There were two separate issues:
1. If not enrolling on a pre-configured client then the ntp-server and
ntp-pool options are not being passed down to the client installer
invocation.
2. If the client is already enrolled then the ntp options are ignored
altogether.
In the first case simply pass down the options to the client
installer invocation.
If the client is pre-enrolled and NTP options are provided then
raise an exception.
https://pagure.io/freeipa/issue/7723
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
0e22314c by Petr Vobornik at 2018-10-23T08:23:16Z
ipa-advise: update url of cacerdir_rehash tool
On legacy systems which don't have cacerdir_rehash tool (provided by authconfig)
the generated advise script downloads this tool from project page and uses it.
After decommision of Fedorahosted and move of authconfig project to Pagure,
this url was not updated in FreeIPA project.
This patch updates the url.
https://pagure.io/freeipa/issue/7731
Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5c0885d2 by Thomas Woerner at 2018-10-23T13:55:36Z
Update annobin to fix continuous-integration/travis-ci/pr issues
gcc is updated with the dnf builddep line, but annobin is not. Therefore
configure fails with "C compiler cannot create executables".
This is related to https://bugzilla.redhat.com/show_bug.cgi?id=1574478
See: https://pagure.io/freeipa/issue/7740
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
389c17c5 by Thomas Woerner at 2018-10-23T14:45:22Z
Fix ressource leak in client/config.c get_config_entry
The leak happens due to using strndup to create a temporary string without
freeing it afterwards.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8e98c72e by Thomas Woerner at 2018-10-23T14:45:22Z
Fix ressource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon
The leak happens due to using strndup in a for loop to create a temporary
string without freeing it in all cases.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3b79deae by Alexander Bokovoy at 2018-10-23T14:50:43Z
net groupmap: force using empty config when mapping Guests
When we define a group mapping for BUILTIN\Guests to 'nobody' group in
we run 'net groupmap add ...' with a default /etc/samba/smb.conf which
is now configured to use ipasam passdb module. We authenticate to LDAP
with GSSAPI in ipasam passdb module initialization.
If GSSAPI authentication failed (KDC is offline, for example, during
server upgrade), 'net groupmap add' crashes after ~10 attempts to
re-authenticate. This is intended behavior in smbd/winbindd as they
cannot work anymore. However, for the command line tools there are
plenty of operations where passdb module is not needed.
Additionally, GSSAPI authentication uses the default ccache in the
environment and a key from /etc/samba/samba.keytab keytab. This means
that if you'd run 'net *' as root, it will replace whatever Kerberos
tickets you have with a TGT for cifs/`hostname` and a service ticket to
ldap/`hostname` of IPA master.
Apply a simple solution to avoid using /etc/samba/smb.conf when we
set up the group mapping by specifying '-s /dev/null' in 'net groupmap'
call.
For upgrade code this is enough as in
a678336b8b36cdbea2512e79c09e475fdc249569 we enforce use of empty
credentials cache during upgrade to prevent tripping on individual
ccaches from KEYRING: or KCM: cache collections.
Related: https://pagure.io/freeipa/issue/7705
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
23e33443 by Christian Heimes at 2018-10-24T08:49:12Z
Add lgtm.yml to analyzse C code with LGTM
See https://lgtm.com/help/lgtm/customizing-file-classification
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4600e62b by Florence Blanc-Renaud at 2018-10-24T12:20:29Z
ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad
When adding the option --setup-adtrust to ipa-replica-install,
we need to check that the package freeipa-server-trust-ad is
installed.
To avoid relying on OS-specific commands like yum, the check is instead
ensuring that the file /usr/share/ipa/smb.conf.empty is present
(this file is delivered by the package).
When the check is unsuccessful, ipa-replica-install exits with an error
message.
Fixes: https://pagure.io/freeipa/issue/7602
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
836e2959 by Christian Heimes at 2018-10-24T14:11:55Z
Fix ipadb_multires resource handling
* ipadb_get_pwd_policy() initializes struct ipadb_multires *res to NULL.
* ipadb_multires_free() supports NULL as no-op.
* ipadb_multibase_search() consistently frees and NULLs
struct ipadb_multires **res on error.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5fe3198d by Christian Heimes at 2018-10-24T14:11:55Z
Don't abuse strncpy() length limitation
On two occasions C code abused strncpy()'s length limitation to copy a
string of known length without the trailing NULL byte. Recent GCC is
raising the compiler warning:
warning: ‘strncpy’ output truncated before terminating nul copying as
many bytes from a string as its length [-Wstringop-truncation]
Use memcpy() instead if strncpy() to copy data of known size.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4de97f49 by Christian Heimes at 2018-10-24T15:44:20Z
Replace hard-coded interpreter with sys.executable
Instead of hard-coding python3, the smart card advise script now uses
the current executable path from sys.executable as interpreter.
Fixes: https://pagure.io/freeipa/issue/7741
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a42ca499 by Christian Heimes at 2018-10-24T16:28:23Z
Add Coverity Scan target
Add "make cov-scan" to automate Coverity scan builds. cov-build requires
extra quirks to work with recent versions of GCC on Fedora.
The make target requires a token and Coverity's build chain. Both are
available for privileged project owners on
https://scan.coverity.com/projects/freeipa-freeipa .
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
235b5bd6 by Rob Crittenden at 2018-10-26T06:11:03Z
Remove the authselect profile warning if sssd was not configured.
On a plain uninstall there should not be a bunch of confusing
warning/error messages.
Related to https://pagure.io/freeipa/issue/7729
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e59ee609 by Rob Crittenden at 2018-10-26T06:11:03Z
Fix misleading errors during client install rollback
Some incorrect errors are possible if a client installation
fails and a configuration rollback is required.
These include:
1. Unconfigured automount client failed: CalledProcessError(Command
['/usr/sbin/ipa-client-automount', '--uninstall', '--debug']
returned non-zero exit status 1: '')
Caused by check_client_configuration() not returning the correct
return value (2).
2. WARNING: Unable to revert to the pre-installation state ('authconfig'
tool has been deprecated in favor of 'authselect'). The default sssd
profile will be used instead.
The authconfig arguments would have been: authconfig --disableldap
--disablekrb5 --disablesssdauth --disablemkhomedir
If installation fails before SSSD is configured there is no state
to roll back to. Detect this condition.
3. An error occurred while removing SSSD's cache.Please remove the
cache manually by executing sssctl cache-remove -o.
Again, if SSSD is not configured yet then there is no cache to
remove. Also correct the missing space after the period.
https://pagure.io/freeipa/issue/7729
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
55277729 by Rob Crittenden at 2018-10-26T06:11:03Z
Collect the client and server uninstall logs in tests
When running the integration tests capture the uninstallation
logs as well as the installation logs.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
4de5ea09 by Florence Blanc-Renaud at 2018-10-26T15:21:07Z
ipa-backup: restart services before compressing the backup
ipa-backup gathers all the files needed for the backup, then compresses
the file and finally restarts the IPA services. When the backup is a
large file, the compression may take time and widen the unavailabity
window.
This fix restarts the services as soon as all the required files are
gathered, and compresses after services are restarted.
Fixes: https://pagure.io/freeipa/issue/7632
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fa559808 by Florence Blanc-Renaud at 2018-10-26T15:21:07Z
ipatest: add functional test for ipa-backup
The test ensures that ipa-backup compresses the files after the
IPA services are restarted.
Related to: https://pagure.io/freeipa/issue/7632
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2e7f3d1d by Christian Heimes at 2018-10-26T16:04:23Z
Improve Python configuration for LGTM
LGTM is no longer able to analyse all Python code without importing it.
Define OS and Python package dependencies and build the project for
Python, too.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ec54fa77 by Christian Heimes at 2018-10-26T18:10:23Z
Keep Dogtag's client db in external CA step 1
Don't remove /root/.dogtag/pki-tomcat when performing step 1 of external
CA installation process. Dogtag 10.6.7 changed behavior and no longer
re-creates the client database in step 2.
Fixes: https://pagure.io/freeipa/issue/7742
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
204353e4 by Christian Heimes at 2018-10-26T18:10:23Z
Use tasks.install_master() in external_ca tests
The install_master() function performs additional steps besides just
installing a server. It also sets up log collection and performs
additional tests.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4b920df4 by Fraser Tweedale at 2018-10-26T19:37:39Z
Restore KRA clone installation integration test
This Dogtag issue that caused KRA clone installation failure in some
scenarios has been fixed (https://pagure.io/dogtagpki/issue/3055).
This reverts commit 2488813260a407477c7516b33ce4238b69c8dd8d and
bumps the pki-core dependency.
Fixes: https://pagure.io/freeipa/issue/7654
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ec208e97 by Christian Heimes at 2018-10-26T19:37:39Z
Require Dogtag 10.6.7-3
10.6.7-3 fixes a problem with ipa-ca-install and ipa-kra-install on
replicas.
See: https://pagure.io/dogtagpki/issue/3073
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
49df1ab1 by Serhii Tsymbaliuk at 2018-10-30T15:26:29Z
UI tests for "Automember": check search filter
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
63cbf629 by Serhii Tsymbaliuk at 2018-10-30T15:26:29Z
UI tests for "Automember": check creating and deleting of multiple rules
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
a68035dc by Serhii Tsymbaliuk at 2018-10-30T15:26:29Z
UI tests for "Automember": check creating and deleting of automember rule conditions
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
33a74fb2 by Serhii Tsymbaliuk at 2018-10-30T15:26:29Z
UI tests for "Automember": check setting default user/host group
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
cd795257 by Serhii Tsymbaliuk at 2018-10-30T15:26:29Z
UI tests for "Automember": Negative cases
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
8949aa64 by Serhii Tsymbaliuk at 2018-10-30T15:26:29Z
UI tests for "Automember": Extend search cases
https://pagure.io/freeipa/issue/7721
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
1d4b43ef by Serhii Tsymbaliuk at 2018-10-31T10:55:35Z
UI tests for "Automount": check "Add Automount..." dialogs
https://pagure.io/freeipa/issue/7735
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
e957e0ae by Serhii Tsymbaliuk at 2018-10-31T10:55:35Z
UI tests for "Automount": check modifying map and key settings
https://pagure.io/freeipa/issue/7735
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
97f158ae by Serhii Tsymbaliuk at 2018-10-31T10:55:35Z
UI tests for "Automount": Fix item deleting
https://pagure.io/freeipa/issue/7735
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
de06bf27 by Serhii Tsymbaliuk at 2018-10-31T10:55:35Z
UI tests for "Automount": check creating indirect automount map without some fields
https://pagure.io/freeipa/issue/7735
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
b7a149fe by Serhii Tsymbaliuk at 2018-10-31T10:55:35Z
UI tests for "Automount": check creating automount key without some fields
https://pagure.io/freeipa/issue/7735
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
ba40590e by Serhii Tsymbaliuk at 2018-10-31T10:55:35Z
UI tests for "Automount": check indirect map duplication
https://pagure.io/freeipa/issue/7735
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
6444808f by Serhii Tsymbaliuk at 2018-10-31T10:55:35Z
UI tests for "Automount": check some negative cases
https://pagure.io/freeipa/issue/7735
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
8f2a75cb by Serhii Tsymbaliuk at 2018-10-31T10:55:35Z
UI tests for "Automount": check dialog confirmation using ENTER
https://pagure.io/freeipa/issue/7735
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
89545210 by Serhii Tsymbaliuk at 2018-10-31T10:55:35Z
WebUI tests: Make possible to use kwargs with @screenshot decorator
Reviewed-By: Petr Cech <pcech at redhat.com>
- - - - -
9b7a152e by Rob Crittenden at 2018-11-01T12:08:58Z
Pass a list of values into add_master_dns_records
During replica installation the local IP addresses should be
added to DNS but will fail because a string is being passed
to an argument expecting a list. Convert to a list before
passing in individual IPs.
Discovered when fixing https://pagure.io/freeipa/issue/7408
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
4cde696d by Rob Crittenden at 2018-11-01T12:08:58Z
Demote log message in custodia _wait_keys to debug
This was previously suppressed because of the log level in
an installation was set to error so it was never displayed
Keeping consistency and demoting it to debug since the
log level is increased to info.
Related: https://pagure.io/freeipa/issue/7408
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
f4e37385 by Rob Crittenden at 2018-11-01T12:08:58Z
Enable replica install info logging to match ipa-server-install
Increase log level to info by setting verbose=True and adding
a console format.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
https://pagure.io/freeipa/issue/7408
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
aa261ba5 by Christian Heimes at 2018-11-01T12:56:31Z
has_krbprincipalkey: avoid double free
Set keys to NULL after free rder to avoid potential double free.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
800e448a by Christian Heimes at 2018-11-01T12:56:31Z
ipadb_mspac_get_trusted_domains: NULL ptr deref
Fix potential NULL pointer deref in ipadb_mspac_get_trusted_domains().
In theory, dn could be empty and rdn NULL. The man page for ldap_str2dn()
does not guarantee that it returns a non-empty result.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
da2078bc by Christian Heimes at 2018-11-01T12:56:31Z
ipapwd_pre_mod: NULL ptr deref
In ipapwd_pre_mod, check userpw for NULL before dereferencing its first
element.
See: https://pagure.io/freeipa/issue/7738
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4cd26fcb by Fraser Tweedale at 2018-11-06T09:59:06Z
ipaldap: avoid invalid modlist when attribute encoding differs
ipaldap does not take into account the possibility of the attribute
encoding returned by python-ldap differing from the attribute
encoding produced by FreeIPA. In particular this can occur with DNs
with special characters that require escaping. For example,
python-ldap (or the underlying LDAP library) escapes special
characters using hex encoding:
CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU
Whereas FreeIPA, when encoding the DN, escapes the character
directly:
CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU
Therefore it is possible to generate an invalid modlist. For
example, during external CA certificate renewal, if the issuer DN
includes a comma in one of the attribute values (as above), an
invalid modlist will be generated:
[ (ldap.MOD_ADD, 'ipacaissuerdn',
[b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU'])
, (ldap.MOD_DELETE, 'ipacaissuerdn',
[b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU'])
]
Although encoded differently, these are the same value. If this
modification is applied to the object, attributeOrValueExists (error
20) occurs.
To avoid the issue, put deletes before adds in the modlist. If a
value is present (with different encodings) as both an addition and
a deletion, it must be because the original object contained the
value with a different encoding. Therefore it is safe to delete it,
then add it back.
Note that the modlist is not optimal. In the simplest case (like
above example), there should be no modification to perform. It is
considerably more complex (and more computation) to implement this
because the raw attribute values must be decoded before comparison.
Fixes: https://pagure.io/freeipa/issue/7750
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b8007e14 by Fraser Tweedale at 2018-11-07T07:39:42Z
rpc: always read response
If the server responds 401 and the response body is empty, the
client raises ResponseNotReady. This occurs because:
1. For a non-200 response, the response read only if the
Content-Length header occurs.
2. The response must be read before another request (e.g. the
follow-up request with WWW-Authenticate header set), and this
condition was not met. For details see
https://github.com/python/cpython/blob/v3.6.7/Lib/http/client.py#L1305-L1321.
This situation should not arise in regular use, because the client
either has a session cookie, or, knowing the details of the server
it is contacting, it establishes the GSS-API context and includes
the WWW-Authenticate header in the initial request.
Nevertheless, this problem has been observed in the wild. I do not
know its ordinary cause(s), but one can force the issue by removing
an authenticated user's session cache from /run/ipa/ccaches, then
performing a request.
Resolve the issue by always reading the response. It is safe to
call response.read() regardless of whether the Content-Length header
appears, or whether the body is empty.
Fixes: https://pagure.io/freeipa/issue/7752
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0a5a7bde by Christian Heimes at 2018-11-07T12:11:48Z
Fix test_cli_fsencoding on Python 3.7
Starting with Python 3.7, PEP 538 addresses the locale issue. Python now
supports UTF-8 file system encoding with non-UTF-8 C locale.
See: https://docs.python.org/3/whatsnew/3.7.html#whatsnew37-pep538
See: https://pagure.io/freeipa/issue/5887
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
324da5c3 by Sergey Orlov at 2018-11-07T12:48:54Z
ipatests: add test for ipa-advise for enabling sudo for admins group
Test that
1) sudo is not enabled for members of admins group by default
2) sudo is enabled for them after execution of script provided
by ipa-advise enable_admins_sudo
Related to https://pagure.io/freeipa/issue/7538
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8b0f3595 by Christian Heimes at 2018-11-07T15:28:35Z
Allow ipaapi user to access SSSD's info pipe
For smart card authentication, ipaapi must be able to access to sss-ifp.
During installation and upgrade, the ipaapi user is now added to
[ifp]allowed_uids.
The commit also fixes two related issues:
* The server upgrade code now enables ifp service in sssd.conf. The
existing code modified sssd.conf but never wrote the changes to disk.
* sssd_enable_service() no longer fails after it has detected an
unrecognized service.
Fixes: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
82af0340 by Alexander Bokovoy at 2018-11-07T15:37:18Z
ipaserver.install.adtrust: fix CID 323644
Fix Coverity finding CID 323644: logically dead code path
The code to determine whether NetBIOS name was already set or need to be
set after deriving it from a domain or asking a user for an interactive
input, was refactored at some point to avoid retrieving the whole LDAP
entry. Instead, it was provided with the actual NetBIOS name retrieved.
As result, a part of the code got neglected and was never executed.
Fix this code and provide a test that tries to test predefined,
interactively provided and automatically derived NetBIOS name depending
on how the installer is being run.
We mock up the actual execution so that no access to LDAP or Samba is
needed.
Fixes: https://pagure.io/freeipa/issue/7753
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
da70f397 by Serhii Tsymbaliuk at 2018-11-08T07:34:13Z
Increase memory size for ipaserver topology (nightly-master.yaml)
Fix "Cannot allocate memory" error for Web UI tests
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
816783a1 by Christian Heimes at 2018-11-08T12:16:26Z
Copy-paste error in permssions plugin, CID 323649
Address a bug in the code block for attributeLevelRights for old clients.
The backward compatibility code for deprecated options was not triggered,
because the new name was checked against wrong dict.
Coverity Scan issue 323649, Copy-paste error
The copied code will not have its intended effect.
In postprocess_result: A copied piece of code is inconsistent with the
original (CWE-398)
See: Fixes: https://pagure.io/freeipa/issue/7753
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e569afb0 by Christian Heimes at 2018-11-08T15:03:21Z
Fix test_cli_fsencoding on Python 3.7, take 2
0a5a7bdef7c300cb8f8a8128ce6cf5b115683cbe introduced another problem. The
test is now failing on systems without a full IPA client or server
installation. Use IPA_CONFDIR env var to override location of
default.conf, so that the command always fails.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
41247438 by Christian Heimes at 2018-11-08T16:44:45Z
Replace messagebus with modern name dbus
"messagebus" is an old, archaic name for dbus. Upstream dbus has started
to move away from the old name. Let's use the modern term in FreeIPA,
too.
Fixes: https://pagure.io/freeipa/issue/7754
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
e64ae1d0 by Christian Heimes at 2018-11-08T16:46:38Z
Add missing tests to nighly runs
Run test_customized_ds_config_install and test_dns_locations in nightly
runs.
See: https://pagure.io/freeipa/issue/7743
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
4cede866 by Christian Heimes at 2018-11-08T16:46:38Z
Speed up test_customized_ds_config_install
Reuse master instance when installing replica with custom DS config.
This avoids one extra ipa-server-install and also tests replica
installation from a master with custom DS config.
See: https://pagure.io/freeipa/issue/7743
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
60a31d3f by Florence Blanc-Renaud at 2018-11-09T14:58:10Z
Nightly tests: add test_user_permissions.py
Run the above test in the nightly test suites
Related to https://pagure.io/freeipa/issue/7743
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
044ffe0d by François Cami at 2018-11-09T22:16:19Z
Add sysadm_r to default SELinux user map order
It is a standard SELinux user role included in RHEL (like
user_r, staff_r, guest_r) and used quite often.
Fixes: https://pagure.io/freeipa/issue/7658
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d731f6fd by Fraser Tweedale at 2018-11-12T10:23:16Z
certdb: ensure non-empty Subject Key Identifier
Installation or IPA CA renewal with externally-signed CA accepts an
IPA CA certificate with empty Subject Key Identifier. This is
technically legal in X.509, but is an operational issue.
Furthermore, due to an extant bug in Dogtag
(https://pagure.io/dogtagpki/issue/3079) it will cause Dogtag
startup failure.
Reject CA certificates with empty Subject Key Identifier.
Fixes: https://pagure.io/freeipa/issue/7762
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
87474cc1 by Serhii Tsymbaliuk at 2018-11-12T11:04:27Z
Split Web UI test suite in nightly PR CI configuration
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3e8f550c by Rob Crittenden at 2018-11-13T09:44:14Z
Add tests for ipa-cacert-manage install
Some basic tests like re-loading a certificate, loading a
PKCS#7 cert and bad cert handling.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
https://pagure.io/freeipa/issue/7579
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
35d1d345 by Rob Crittenden at 2018-11-13T09:44:14Z
Add support for multiple certificates/formats to ipa-cacert-manage
Only a single cert in DER or PEM format would be loaded from the
provided file. Extend this to include PKCS#7 format and load all
certificates found in the file.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
https://pagure.io/freeipa/issue/7579
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
1e6a77a6 by Florence Blanc-Renaud at 2018-11-13T09:51:07Z
ipatests: fix CA less expectations
The test TestServerInstall::test_ca_2_certs has a
wrong expectation. Scenario:
install a CA-less master with
ipa-server-install --ca-cert-file root.pem
where root.pem contains the CA that signed the http and ldap
certificates + an additional (unneeded) CA cert.
The test was expecting a failure, but this scenario is not
problematic as long as the unneeded CA cert is not added.
Related to https://pagure.io/freeipa/issue/6289 which has been
closed as won't fix
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
f7511edb by William Brown at 2018-11-13T11:07:27Z
Support the 1.4.x python installer tools in 389-ds
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8f9b0fc1 by Stanislav Laznicka at 2018-11-13T11:07:27Z
Remove some basic pystyle and pylint errors
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
383311a1 by Stanislav Laznicka at 2018-11-13T11:07:27Z
Don't try legacy installs
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ed955d14 by Stanislav Laznicka at 2018-11-13T11:07:27Z
Move lib389 imports to module scope
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
56f8e200 by Stanislav Laznicka at 2018-11-13T11:07:27Z
DS uninstall: fix serverid missing in state restore
During uninstallation, we're using serverid which we get from
sysrestore.state. This was not set in the newer install,
return it back.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
104ef413 by Stanislav Laznicka at 2018-11-13T11:07:27Z
DS install: fix DS asking for NSS pin during install
DS now comes with nsslapd-security turned on and its own CA
cert in its NSS database. We're re-setting the NSS database
and setting our own CA cert to it, the DS pin file therefore
needs to be updated with the new password after this reset.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e8342d41 by Stanislav Laznicka at 2018-11-13T11:07:27Z
DS install: don't fail if SSL already configured
DS now comes with certain SSL capabilities turned on after
installation. Previously, we did not expect this and were
blindly forcing everything on without checking, whether it
needs turning on. This would result in failures if the
config entries are already set the way we want. Relax this
configuration.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8fb63966 by Stanislav Laznicka at 2018-11-13T11:07:27Z
Use the newer way of removing the DS instance
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a606b44f by Christian Heimes at 2018-11-13T11:07:27Z
Drop dependency on 389-ds-base-legacy-tools
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d39bb65a by Christian Heimes at 2018-11-13T11:07:27Z
Remove DS perl paths from debian platform
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
19cd9603 by Florence Blanc-Renaud at 2018-11-13T11:40:44Z
ipa user-add: add optional objectclass for radius-username
The command "ipa user-add --radius-username" fails with
ipa: ERROR: attribute "ipatokenRadiusUserName" not allowed
because it does not add the objectclass ipatokenradiusproxyuser
that is required by the attribute ipatokenradiususername.
The issue happens with ipa user-add / stageuser-add / user-mod / stageuser-mod.
The fix adds the objectclass when needed in the pre_common_callback method
of baseuser_add and baseuser_mod (ensuring that user and stageuser commands
are fixed).
Fixes https://pagure.io/freeipa/issue/7569
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
1c2c2ee6 by Florence Blanc-Renaud at 2018-11-13T11:40:44Z
tests: add xmlrpc test for ipa user-add --radius-username
Add a xmlrpc test for ipa user-add/user-mod --radius-username
The command were previously failing because the objectclass
ipatokenradiusproxyuser was not automatically added when the
attribute ipatokenRadiusUserName was added to the entry.
The test ensures that the command is now succeeding.
Related to https://pagure.io/freeipa/issue/7569
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5d603fce by Florence Blanc-Renaud at 2018-11-13T11:40:44Z
radiusproxy: add permission for reading radius proxy servers
A non-admin user which has the "User Administrator" role cannot
add a user with ipa user-add --radius=<proxy> because the
call needs to read the radius proxy server entries.
The fix adds a System permission for reading radius proxy server
entries (all attributes except the ipatokenradiussecret). This
permission is added to the already existing privileges "User
Administrators" and "Stage User Administrators", so that the role
"User Administrator" can call ipa [stage]user-add|mod --radius=<proxy>
Fixes: https://pagure.io/freeipa/issue/7570
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
da4c12c3 by Florence Blanc-Renaud at 2018-11-13T11:40:44Z
ipatests: add integration test for "Read radius servers" perm
Add a new integration test for the following scenario:
- create a user with the "User Administrator" role
- as this user, create a user with a --radius=<radius_proxy_server>
This scenario was previously failing because ipa user-add --radius
requires read access to the radius server entries, and there was no
permission granting this access.
Related to https://pagure.io/freeipa/issue/7570
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
1be415cd by Florence Blanc-Renaud at 2018-11-13T11:42:38Z
ipatests: add missing tests for test_caless
Two tests were missing from nightly definition:
- test_caless.py::TestReplicaCALessToCAFull
- test_caless.py::TestServerCALessToExternalCA
Related to https://pagure.io/freeipa/issue/7743
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8b7e17aa by Florence Blanc-Renaud at 2018-11-13T12:04:19Z
ipatests: update tests for ipa-server-certinstall
The test test_http_intermediate_ca was expecting success when
it should expect a failure. Scenario:
- install IPA ca-less with certs signed by rootCA
- call ipa-server-certinstall with a cert signed by a subCA
to replace http cert.
In this case, the command should refust changing the cert
(otherwise the clients won't be able any more to use
ipa * commands as the subca is not installed in /etc/ipa/nssdb
or in /etc/ipa/ca.crt).
The commit fixes the test expectation and marks the test as
xfail (see ticket 7759).
The test test_ds_intermediate_ca was expecting success when
it should expect a failure. Same scenario as above, but for
the ldap server cert.
The commit fixes the test expectation and removes the xfail
(ticket 6959 was closed as invalid).
Note:
The behavior differs for ldap and http cert because LDAP server
is using a NSSDB and http server is using openssl, hence
ipa-server-certinstall follows 2 different code paths when
changing the server cert.
Related to https://pagure.io/freeipa/issue/7759
Related to https://pagure.io/freeipa/issue/6959
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5483f9f6 by Florence Blanc-Renaud at 2018-11-13T12:04:19Z
temp commit: run test_integration/test_caless.py::TestCertInstall
Please remove before pushing
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1dd98d25 by Florence Blanc-Renaud at 2018-11-13T12:22:54Z
Revert "temp commit: run test_integration/test_caless.py::TestCertInstall"
This reverts commit 5483f9f6bb268f42b70eef227e268f8e28922f01.
- - - - -
e6d7f200 by Christian Heimes at 2018-11-13T12:37:58Z
Ignore W504 code style like in travis config
pycodestyle both complains about "W504 line break after binary operator"
and "W503 line break before binary operator" when all warnings are
enabled. FreeIPA already ignores W504 in travis config. Let's ignore it
in fastcheck, too.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8944458d by Christian Heimes at 2018-11-13T12:37:58Z
Address pylint violations in lite-server
Teach pylint that env instance has lite_* members
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
85286beb by Christian Heimes at 2018-11-13T12:37:58Z
Address inconsistent-return-statements
Pylint warns about inconsistent return statements when some paths of a
function return None implicitly. Make all implicit returns either
explicit or raise a proper exception.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7bdc9bad by Christian Heimes at 2018-11-13T12:37:58Z
Ignore consider-using-enumerate for now
Ignore new consider-using-enumerate warning for now and clean up code
later.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
496d1756 by Christian Heimes at 2018-11-13T12:37:58Z
Address consider-using-in
Replace multiple comparisons with 'in' operation.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
83cdd27f by Christian Heimes at 2018-11-13T12:37:58Z
Fix comparison-with-callable
Pylint warns about comparing callable. Replace equality with identity
test.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
71360776 by Christian Heimes at 2018-11-13T12:37:58Z
Fix useless-import-alias
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1e569c4f by Christian Heimes at 2018-11-13T12:37:58Z
Fix Module 'pytest' has no 'config' member
pytest.config is created dynamically.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c00dd211 by Christian Heimes at 2018-11-13T12:37:58Z
Fix various dict related pylint warnings
* dict-keys-not-iterating
* dict-values-not-iterating
* dict-items-not-iterating
* dict-iter-method
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dc2c71bf by Christian Heimes at 2018-11-13T12:37:58Z
Fix raising-format-tuple
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ec61f5de by Christian Heimes at 2018-11-13T12:37:58Z
Silence comparison-with-itself in tests
Test code performs comparison to itself in order to verify __eq__ and
__ne__ implementations.
See: https://pagure.io/freeipa/issue/7758
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3abfaa57 by Christian Heimes at 2018-11-13T12:37:58Z
Require pylint 2.1.1-2
pylint 2.1.1-2 contains a backport of pylint's fix for RHBZ#1648299:
is_subclass_of fails with AttributeError: 'NoneType' object has no
attribute 'name'
pylint 2.1.1-2 is in @freeipa/freeipa-master COPR.
See: https://github.com/PyCQA/pylint/pull/2429
See: https://bugzilla.redhat.com/show_bug.cgi?id=1648299
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a2a293ed by Fraser Tweedale at 2018-11-13T13:19:18Z
Print correct subject on CA cert verification failure
In load_external_cert(), if verification fails for a certificate in
the trust chain, the error message contains the last subject name
from a previous iteration of the trust chain, instead of the subject
name of the current certificate.
To report the correct subject, look it up using the current
nickname.
Part of: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
61e1d7a8 by Fraser Tweedale at 2018-11-13T13:19:18Z
certdb: validate certificate signatures
When verifying a CA certificate, validate its signature. This
causes FreeIPA to reject certificate chains with bad signatures,
signatures using unacceptable algorithms, or certificates with
unacceptable key sizes. The '-e' option to 'certutil -V' was the
missing ingredient.
An an example of a problem prevented by this change, a certifiate
signed by a 1024-bit intermediate CA, would previously have been
imported by ipa-cacert-manage, but would cause Dogtag startup
failure due to failing self-test. With this change,
ipa-cacert-manage will reject the certificate:
# ipa-cacert-manage renew --external-cert-file /tmp/ipa.p7
Importing the renewed CA certificate, please wait
CA certificate CN=Certificate Authority,O=IPA.LOCAL 201809261455
in /tmp/ipa.p7 is not valid: certutil: certificate is invalid: The
certificate was signed using a signature algorithm that is
disabled because it is not secure.
Fixes: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
14ad844b by Florence Blanc-Renaud at 2018-11-13T14:16:35Z
ipatests: add missing tests in test_backup_and_restore.py
3 tests were missing from this test file in the nightly tests:
- TestBackupAndRestoreWithReplica
- TestBackupAndRestoreDMPassword
- TestReplicaInstallAfterRestore
one test was having the wrong name in nightly_rawhide:
TestUserRootFilesOwnershipPermission
Related to https://pagure.io/freeipa/issue/7743
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ee52ceb9 by Alexander Bokovoy at 2018-11-13T16:43:28Z
Update translations from Zanata
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
13917ddc by Christian Heimes at 2018-11-14T06:57:13Z
certdb: validate server cert signature
PR https://github.com/freeipa/freeipa/pull/2554 added the '-e' option for CA
cert validation. Let's also verify signature, key size, and signing algorithm
of server certs. With the '-e' option, the installer and other
tools will catch weak certs early.
Fixes: pagure.io/freeipa/issue/7761
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
1e2c4d5b by Christian Heimes at 2018-11-15T14:02:13Z
Fix pytest deprecation warning
conftest uses the Function attribute of a pytest.Function object. Latest
pytest has deprecated the attribute:
_pytest.warning_types.RemovedInPytest4Warning: usage of Function.Function
is deprecated, please use pytest.Function instead
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
0c0a392d by sudharsanomprakash at 2018-11-15T22:52:10Z
Don't use deprecated Apache Access options.
httpd-2.4+ has deprecated the Order, Allow and Deny directives. Use the Require directive instead.
Signed-off-by: Sudharsan Omprakash <sudharsan.omprakash at yahoo.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1ec404fa by Florence Blanc-Renaud at 2018-11-16T08:22:48Z
freeipa.spec.in: add BuildRequires for python3-lib389
freeipa.spec.in is missing BuildRequires for python3-lib389. The
consequence is that make fasttest is failing.
Fixes https://pagure.io/freeipa/issue/7767
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6dc8b0c6 by Serhii Tsymbaliuk at 2018-11-16T09:55:56Z
Fix nightly PR CI configuration for Web UI tests
Add strip operator for test_suite definitions (in nightly_*.yaml) to prevent inserting line breaks.
https://pagure.io/freeipa/issue/7756
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
122f968c by Alexander Bokovoy at 2018-11-16T21:54:38Z
ipa-kdb: reduce LDAP operations timeout to 30 seconds
Since LDAP operations used by ipa-kdb driver are synchronous, the
timeout specified here is blocking entire KDC. It is worth reducing the
timeout and since AS REQ processing timeout in KDC is 1 minute, reducing
the timeout for LDAP operations down to 30 seconds allows KDC to
respond promptly in worst case scenario as well.
Fixes: https://pagure.io/freeipa/issue/7217
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
7434a329 by Christian Heimes at 2018-11-20T08:31:32Z
PR-CI: Restart rpcbind when it blocks kadmin port
Every now and then, a PR-CI job fails because rpcbind blocks the kadmin
port 749/UDP and kadmin.service fails to start. When NFS secure port is
configured, rpcbind reserves a random low port.
A new workaround detects the blocked port and restarts rpcbind.service.
See: https://pagure.io/freeipa/issue/7769
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
55c0a932 by Florence Blanc-Renaud at 2018-11-20T12:34:07Z
ipatests: fix test_replica_uninstall_deletes_ruvs
test_topology.py is failing because of a wrong scenario.
Currently, test_replica_uninstall_deletes_ruvs does:
- install master + replica with CA
- ipa-replica-manage list-ruv to check that the repl is
propery setup
- ipa-replica-manage del $replica
- (on replica) ipa-server-install --uninstall -U
- ipa-replica-manage list-ruv to check that replica
does not appear any more in the RUV list
When ipa-replica-manage del is run, the topology plugin
creates 2 tasks cleanallruvs (one for the domain, one for the ca)
and they are run asynchronously. This means that the ruvs may
still be present when the test moves forward and calls list-ruv.
The test should wait for the cleanallruvs tasks to finish before
checking that list-ruv does not display replica anymore.
Fixes https://pagure.io/freeipa/issue/7545
Reviewed-By: Thierry Bordaz <tbordaz at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
23306a28 by Florence Blanc-Renaud at 2018-11-20T14:12:25Z
ipa-replica-install: password and admin-password options mutually exclusive
Currently it is possible to run ipa-replica-install in one step,
and provide --password and --admin-password simultaneously.
This is confusing as --password is intended for one-time pwd
when the ipa-replica-install command is delegated to a user
who doesn't know the admin password.
The fix makes --password and --admin-password options
mutually exclusive.
Fixes https://pagure.io/freeipa/issue/6353
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
26e35dca by Florence Blanc-Renaud at 2018-11-20T14:12:25Z
ipatests: add test for ipa-replica-install options
Add a test checking that --password and --admin-password
options are mutually exclusive.
Related to https://pagure.io/freeipa/issue/6353
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
1e7be6fb by Florence Blanc-Renaud at 2018-11-21T06:36:01Z
ipatests: add missing tests for test_external_ca.py
Some tests were missing from nightly definition:
test_external_ca.py::TestExternalCAdirsrvStop
test_external_ca.py::TestExternalCAInvalidCert
test_external_ca.py::TestMultipleExternalCA
Related to https://pagure.io/freeipa/issue/7743
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
19211257 by Florence Blanc-Renaud at 2018-11-21T06:36:01Z
ipatests: add missing tests for test_installation.py
Some tests were missing in the nightly:
- test_installation.py::TestInstallWithCA_DNS3
- test_installation.py::TestInstallWithCA_DNS4
Relates to https://pagure.io/freeipa/issue/7743
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d18b0d55 by Florence Blanc-Renaud at 2018-11-21T06:36:01Z
ipatests: add missing tests for test_replica_promotion.py
The following test was missing from nightly:
test_replica_promotion.py::TestReplicaInstallCustodia
Related to https://pagure.io/freeipa/issue/7743
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8decef33 by Christian Heimes at 2018-11-21T07:57:08Z
Unify and simplify LDAP service discovery
Move LDAP service discovery and service definitions from
ipaserver.install to ipaserver. Simplify and unify different
implementations in favor of a single implementation.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8182ebc6 by Sergey Orlov at 2018-11-21T09:29:51Z
ipatests: add test for ipa-restore in multi-master configuration
Test ensures that after ipa-restore on the master, the replica can be
re-synchronized and a new replica can be created.
https://pagure.io/freeipa/issue/7455
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
a709da67 by François Cami at 2018-11-21T14:41:00Z
Add a shared-vault-retrieve test
Add a shared-vault-retrieve test when:
* master has KRA installed
* replica has no KRA
This currently fails because of issue#7691
Related-to: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
dd0490e1 by François Cami at 2018-11-21T14:41:00Z
Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes.
Fixes: https://pagure.io/freeipa/issue/7691
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
42fb0cc6 by Varun Mylaraiah at 2018-11-23T09:42:44Z
Added test for ipa-client-install with a non-standard ldap.conf file Ticket: https://pagure.io/freeipa/issue/7418
Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
58053b27 by Christian Heimes at 2018-11-23T09:44:09Z
TestBackupAndRestoreWithReplica needs 2 replicas
The test case TestBackupAndRestoreWithReplica needs two replicas but
PR-CI just had topology: *master_1repl.
Fixes: https://pagure.io/freeipa/issue/7691
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
533a5b26 by Christian Heimes at 2018-11-26T15:54:43Z
pylint 2.2: Fix unnecessary pass statement
pylint 2.2.0 has a new checker for unnecessary pass statements. There is
no need to have a pass statement in functions or classes with a doc
string.
Fixes: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
f800d8f8 by Christian Heimes at 2018-11-26T15:54:43Z
pylint: Fix duplicate-string-formatting-argument
pylint 2.2 has a checker for duplicate string formatting argument.
Instead of passing the same argument multiple times, reference the
argument by position.
See: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
d8791f8f by Christian Heimes at 2018-11-26T15:54:43Z
pylint: also verify scripts
Build all scripts in install/tools/ to check them with pylint, so that
``make pylint`` always checks all scripts. The script files are
generated by make.
Please note that fastlint does not check script files.
See: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
bb4b5581 by Christian Heimes at 2018-11-26T15:54:43Z
Address misc pylint issues in CLI scripts
The CLI script files have additional pylint issues that were not noticed
before. The violations include using dict.keys() without directly
iterating of the result, inconsistent return statements and set([])
instead of set literals.
* dict-keys-not-iterating
* inconsistent-return-statements
* onsider-using-set-comprehensio
See: https://pagure.io/freeipa/issue/7772
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
07c163ca by Serhii Tsymbaliuk at 2018-11-27T13:20:34Z
Fix "ID views" tests fail after running "Automember" tests
Clear default user/host group before deleting.
https://pagure.io/freeipa/issue/7771
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3243498f by Christian Heimes at 2018-11-27T13:43:20Z
Increase debugging for blocked port 749 and 464
kadmin.service is still failing to start sometimes. List and check both
source and destination ports of listening and non-listening TCP and UDP
sockets.
See: https://pagure.io/freeipa/issue/7769
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
372c2fc9 by Florence Blanc-Renaud at 2018-11-27T22:20:35Z
ipaldap.py: fix method creating a ldap filter for IPACertificate
ipa user-find --certificate and ipa host-find --certificate
fail to return matching entries, because the method transforming
the attribute into a LDAP filter does not properly handle
IPACertificate objects.
Directory Server logs show a filter with
(usercertificate=ipalib.x509.IPACertificate object at 0x7fc0a5575b90>)
When the attribute contains a cryptography.x509.Certificate,
the method needs to extract the public bytes instead of calling str(value).
Fixes https://pagure.io/freeipa/issue/7770
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d2fa2ecb by Florence Blanc-Renaud at 2018-11-27T22:20:35Z
ipatests: add xmlrpc test for user|host-find --certificate
There were no xmlrpc tests for ipa user-find --certificate
or ipa host-find --certificate.
The commit adds tests for these commands.
Related to https://pagure.io/freeipa/issue/7770
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8c650add by Francisco Trivino at 2018-11-28T19:35:31Z
prci_definitions: update vagrant memory topology requirements
Memory requirements for master and replica have been increased
due to OOM issues. This PR updates prci_definitions accordingly.
This PR also roll-back ipaserver mem reqs to the previous value
since the WebUI tests were split into different blocks.
Fixes https://pagure.io/freeipa/issue/7777
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
7aceca2d by Adam Williamson at 2018-11-29T15:57:33Z
Fix authselect invocations to work with 1.0.2
Since authselect 1.0.2, invoking an authselect command sequence
like this:
['authselect', 'sssd', '', '--force']
does not work: authselect barfs on the empty string arg and
errors out. We must only pass a features arg if we actually have
some text to go in it.
This broke uninstallation.
In all cases, features are now passed as separate arguments instead of one
argument separated by space.
Fixes: https://pagure.io/freeipa/issue/7776
Signed-off-by: Adam Williamson <awilliam at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
25cfeea7 by Diogo Nunes at 2018-11-30T09:03:29Z
PR-CI: Move to Fedora 29 template, version 0.2.0
Enable testing (gating and nightly) to use the new F29 template.
Fixes: https://pagure.io/freeipa/issue/7779
Signed-off-by: Diogo Nunes <dnunes at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
800f2690 by Florence Blanc-Renaud at 2018-11-30T10:05:17Z
ipa upgrade: handle double-encoded certificates
Issue is linked to the ticket
#3477 LDAP upload CA cert sometimes double-encodes the value
In old FreeIPA releases (< 3.2), the upgrade plugin was encoding twice
the value of the certificate in cn=cacert,cn=ipa,cn=etc,$BASEDN.
The fix for 3477 is only partial as it prevents double-encoding when a
new cert is uploaded but does not fix wrong values already present in LDAP.
With this commit, the code first tries to read a der cert. If it fails,
it logs a debug message and re-writes the value caCertificate;binary
to repair the entry.
Fixes https://pagure.io/freeipa/issue/7775
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
93e3fc4d by Florence Blanc-Renaud at 2018-11-30T10:05:17Z
ipatests: add upgrade test for double-encoded cacert
Create a test for upgrade with the following scenario:
- install master
- write a double-encoded cert in the entry
cn=cacert,,cn=ipa,cn=etc,$basedn
to simulate bug 7775
- call ipa-server-upgrade
- check that the upgrade fixed the value
The upgrade should finish successfully and repair
the double-encoded cert.
Related to https://pagure.io/freeipa/issue/7775
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
2616795b by Christian Heimes at 2018-11-30T12:13:52Z
Update temp commit template to F29
The temp_commit.yaml template now uses F29 as well. It also contains all
topology configurations from the nightly jobs.
Fixes: https://pagure.io/freeipa/issue/7779
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
8a835daf by Fraser Tweedale at 2018-12-03T09:32:36Z
certupdate: add commentary about certmonger behaviour
It is not obvious why we "renew" (reuse only) the IPA CA certificate
in ipa-certupdate. Add some commentary to explain this behaviour.
Related: https://pagure.io/freeipa/issue/7751
See also: https://github.com/freeipa/freeipa/pull/2576#issuecomment-442220840
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fc70c78e by Thomas Woerner at 2018-12-03T10:26:08Z
New firewall support class in ipatests/pytest_ipa/integration/firewall
The new Firewall class provides methods to enable and disable a service,
service lists and also methods to apply a passthrough rule, also to add,
prepend and also remove a list of passthrough rules:
class Firewall
__init__(host)
Initialize with host where firewall changes should be applied
Unmasks, enables and starts firewalld
enable_service(service)
Enable firewall service in firewalld runtime and permanent
environment
disable_service(service)
Disable firewall service in firewalld runtime and permanent
environment
enable_services(services)
Enable list of firewall services in firewalld runtime and
permanent environment
disable_services(services)
Disable list of firewall services in firewalld runtime and
permanent environment
passthrough_rule(rule, ipv=None)
Generic method to get direct passthrough rules to firewalld
rule is an ip[6]tables rule without using the ip[6]tables command.
The rule will per default be added to the IPv4 and IPv6 firewall.
If there are IP version specific parts in the rule, please make
sure that ipv is set properly.
The rule is added to the direct sub chain of the chain that is
used in the rule
add_passthrough_rules(rules, ipv=None)
Add passthough rules to the end of the chain
rules is a list of ip[6]tables rules, where the first entry of each
rule is the chain. No --append/-A, --delete/-D should be added
before the chain name, beacuse these are added by the method.
If there are IP version specific parts in the rule, please make
sure that ipv is set to either ipv4 or ipv6.
prepend_passthrough_rules(rules, ipv=None)
Insert passthough rules starting at position 1 as a block
rules is a list of ip[6]tables rules, where the first entry of each
rule is the chain. No --append/-A, --delete/-D should be added
before the chain name, beacuse these are added by the method.
If there are IP version specific parts in the rule, please make
sure that ipv is set to either ipv4 or ipv6.
remove_passthrough_rules(rules, ipv=None)
Remove passthrough rules
rules is a list of ip[6]tables rules, where the first entry of each
rule is the chain. No --append/-A, --delete/-D should be added
before the chain name, beacuse these are added by the method.
If there are IP version specific parts in the rule, please make
sure that ipv is set to either ipv4 or ipv6.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
e3d134e6 by Thomas Woerner at 2018-12-03T10:26:08Z
ipatests/pytest_ipa/integration/tasks.py: Configure firewall
install_master: Enable firewall services freeipa-ldap and freeipa-ldaps by
default, enable dns if setup_dns is set and enable freeipa-trust if
setup_adtrust is set. The services are enabled after the master has been
successfully installed.
install_replica: Enable firewall services freeipa-ldap and freeipa-ldaps
by default, enable dns if setup_dns is set and enable freeipa-trust if
setup_adtrust is set. The services are enabled before the replica gets
installed and disabled if the installation failed.
install_adtrust: Enable firewall service freeipa-trust after
ipa-adtrust-install has been called.
uninstall_master: Disable services freeipa-ldap, freeipa-ldaps,
freeipa-trust and dns after ipa-server-install --uninstall -U has been
called.
install_dns: Enable firewall service dns after ipa-dns-install has been
called.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
d427e4b2 by Thomas Woerner at 2018-12-03T10:26:08Z
ipatests/test_integration/test_forced_client_reenrollment.py: Use unshare
Instead of using iptables command, use "unshare --net" for uninstalling
client in the restore_client method.
The uninstall_client method has been extended with the additional argument
unshare (bool) which defaults to False. With unshare set, the call for
"ipa-client-install --uninstall -U" will be used with "unshare --net". The
uninstall command will not have network access.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
5a740144 by Thomas Woerner at 2018-12-03T10:26:08Z
ipatests/test_integration/test_http_kdc_proxy.py: Use new firewall import
Instead of using ip[6]tables commands, use new firewall class to deny
access to TCP and UDP port 88 on external machines using the OUTPUT chain.
The iptables calls in the install method are replaced by a
prepend_passthrough_rules call with the rules defined in the class.
The firewall rules are defined in the class as fw_rules without
--append/-A, --delete/-D, .. First entry of each rule is the chain name,
the argument to add or delete the rule will be added by the used Firewall
method. See firewall.py for more information.
The "iptables -F" call (IPv4 only) in the uninstall method is replaced by
a remove_passthrough_rules call with the rules defined in the class.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
3ac830c7 by Thomas Woerner at 2018-12-03T10:26:08Z
ipatests/test_integration/test_dnssec.py: Enable dns firewall service
The dns firewall service needs to be enabled for the servers and replicas
where dns support has not been enabled at install time. Also it is needed
to enable the dns firewall service on the replica for migrating the dns
server to the replica.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
3a7153c7 by Thomas Woerner at 2018-12-03T10:26:08Z
ipatests/test_integration/test_replica_promotion.py: Configure firewall
The tests in this file are calling ipa-[server,replica]-install directly
instead of using methods from tasks. Therefore it is required to enable
or disable the needed firewall services also.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
8c5aefc2 by Alexander Bokovoy at 2018-12-03T11:03:04Z
Revert to development after a release
- - - - -
dde2aa4b by Varun Mylaraiah at 2018-12-03T12:58:19Z
ipatests: add tests for NTP options usage on server, replica, and client
The following tests are added in test_ntp_options.py :: TestNTPoptions
- test_server_and_client_install_without_option_n
- test_server_and_client_install_with_option_n
- test_server_and_client_install_with_multiple_ntp_server
- test_server_replica_and_client_install_with_ntp_pool_and_ntp_server
- test_server_and_client_install_with_mixed_options
- test_two_step_replica_install_using_ntp_options
- test_two_step_replica_install_without_ntp_options
Details in the ticket: https://pagure.io/freeipa/issue/7719
and https://pagure.io/freeipa/issue/7723
Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
715d1223 by Varun Mylaraiah at 2018-12-03T12:58:19Z
nightly_master.yaml Added test_integration/test_ntp_options.py
Signed-off-by: Varun Mylaraiah <mavrun at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
83487c49 by Varun Mylaraiah at 2018-12-03T12:58:19Z
nightly_rawhide.yaml Added test_integration/test_ntp_options.py
Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
683af82d by Fraser Tweedale at 2018-12-04T16:49:33Z
certupdate: add commentary about certmonger behaviour
It is not obvious why we "renew" (reuse only) the IPA CA certificate
in ipa-certupdate. Add some commentary to explain this behaviour.
Related: https://pagure.io/freeipa/issue/7751
See also: https://github.com/freeipa/freeipa/pull/2576#issuecomment-442220840
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b7ae9f7a by Mohammad Rizwan Yusuf at 2018-12-05T10:00:52Z
Test KRA installtion after ca agent cert renewal
KRA installtion was failing after ca-agent cert gets renewed.
This test check if the syptoms no longer exists.
related ticket: https://pagure.io/freeipa/issue/7288
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick at redhat.com>
Reviewed-By: Petr Cech <pcech at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7debb4de by Alexander Bokovoy at 2018-12-05T10:03:10Z
Update translations from Zanata
Following translations were updated:
- Spanish
- Ukranian
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ebbadc79 by Alexander Bokovoy at 2018-12-05T10:04:23Z
Update ipa-4-7 translations from Zanata
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
52c3c908 by Florence Blanc-Renaud at 2018-12-05T10:06:21Z
ipatest: add test for ipa-pkinit-manage enable|disable
Add a test for ipa-pkinit-manage with the following scenario:
- install master with option --no-pkinit
- call ipa-pkinit-manage enable
- call ipa-pkinit-manage disable
- call ipa-pkinit-manage enable
At each step, check that the PKINIT cert is consistent with the
expectations: when pkinit is enabled, the cert is signed by IPA
CA and tracked by 'IPA' ca helper, but when pkinit is disabled,
the cert is self-signed and tracked by 'SelfSign' CA helper.
The new test is added in the nightly definitons.
Related to https://pagure.io/freeipa/issue/7200
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a2301538 by Florence Blanc-Renaud at 2018-12-05T10:06:21Z
PKINIT: fix ipa-pkinit-manage enable|disable
The command ipa-pkinit-manage enable|disable is reporting
success even though the PKINIT cert is not re-issued.
The command triggers the request of a new certificate
(signed by IPA CA when state=enable, selfsigned when disabled),
but as the cert file is still present, certmonger does not create
a new request and the existing certificate is kept.
The fix consists in deleting the cert and key file before calling
certmonger to request a new cert.
There was also an issue in the is_pkinit_enabled() function:
if no tracking request was found for the PKINIT cert,
is_pkinit_enabled() was returning True while it should not.
Fixes https://pagure.io/freeipa/issue/7200
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4a938adc by Florence Blanc-Renaud at 2018-12-05T10:09:23Z
ipatests: fix TestUpgrade::test_double_encoded_cacert
The test is using a stale ldap connection to the master
(obtained before calling upgrade, and the upgrade stops
and starts 389-ds, breaking the connection).
The fix re-connects before using the ldap handle.
Related to https://pagure.io/freeipa/issue/7775
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
07e6d514 by Christian Heimes at 2018-12-05T10:35:45Z
Require Dogtag PKI 10.6.8-3
pki-core 10.6.7 was unpushed and never landed in Fedora stable. The
latest release is 10.6.8-3 with additional fixes. The new versions are
in testing and FreeIPA's master COPR.
Also remove dependency on JSS. The dependency was originally added as a
workaround. The pki-core package already requires a newer version of JSS.
Fixes: https://pagure.io/freeipa/issue/7654
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8d746c8f by Christian Heimes at 2018-12-05T13:26:37Z
Require Dogtag PKI 10.6.8-3
pki-core 10.6.7 was unpushed and never landed in Fedora stable. The
latest release is 10.6.8-3 with additional fixes. The new versions are
in testing and FreeIPA's master COPR.
Also remove dependency on JSS. The dependency was originally added as a
workaround. The pki-core package already requires a newer version of JSS.
Fixes: https://pagure.io/freeipa/issue/7654
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f3822726 by Mohammad Rizwan Yusuf at 2018-12-06T10:28:48Z
Test KRA installtion after ca agent cert renewal
KRA installtion was failing after ca-agent cert gets renewed.
This test check if the syptoms no longer exists.
related ticket: https://pagure.io/freeipa/issue/7288
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
2a299c78 by Florence Blanc-Renaud at 2018-12-06T10:37:26Z
ipatests: fix TestUpgrade::test_double_encoded_cacert
The test is using a stale ldap connection to the master
(obtained before calling upgrade, and the upgrade stops
and starts 389-ds, breaking the connection).
The fix re-connects before using the ldap handle.
Related to https://pagure.io/freeipa/issue/7775
- - - - -
940755e3 by Florence Blanc-Renaud at 2018-12-06T10:40:02Z
ipatest: add test for ipa-pkinit-manage enable|disable
Add a test for ipa-pkinit-manage with the following scenario:
- install master with option --no-pkinit
- call ipa-pkinit-manage enable
- call ipa-pkinit-manage disable
- call ipa-pkinit-manage enable
At each step, check that the PKINIT cert is consistent with the
expectations: when pkinit is enabled, the cert is signed by IPA
CA and tracked by 'IPA' ca helper, but when pkinit is disabled,
the cert is self-signed and tracked by 'SelfSign' CA helper.
The new test is added in the nightly definitons.
Related to https://pagure.io/freeipa/issue/7200
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ffa04a18 by Florence Blanc-Renaud at 2018-12-06T10:40:02Z
PKINIT: fix ipa-pkinit-manage enable|disable
The command ipa-pkinit-manage enable|disable is reporting
success even though the PKINIT cert is not re-issued.
The command triggers the request of a new certificate
(signed by IPA CA when state=enable, selfsigned when disabled),
but as the cert file is still present, certmonger does not create
a new request and the existing certificate is kept.
The fix consists in deleting the cert and key file before calling
certmonger to request a new cert.
There was also an issue in the is_pkinit_enabled() function:
if no tracking request was found for the PKINIT cert,
is_pkinit_enabled() was returning True while it should not.
Fixes https://pagure.io/freeipa/issue/7200
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e7581cc0 by Mohammad Rizwan Yusuf at 2018-12-06T13:33:14Z
Test error when yubikey hardware not present
In order to work with IPA and Yubikey, libyubikey is required.
Before the fix, if yubikey added without having packages, it used to
result in traceback. Now it the exception is handeled properly.
It needs Yubikey hardware to make command successfull. This test
just check of proper error thrown when hardware is not attached.
related ticket : https://pagure.io/freeipa/issue/6979
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
256c11bf by Mohammad Rizwan Yusuf at 2018-12-06T19:20:50Z
Test error when yubikey hardware not present
In order to work with IPA and Yubikey, libyubikey is required.
Before the fix, if yubikey added without having packages, it used to
result in traceback. Now it the exception is handeled properly.
It needs Yubikey hardware to make command successfull. This test
just check of proper error thrown when hardware is not attached.
related ticket : https://pagure.io/freeipa/issue/6979
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
97e9e009 by Christian Heimes at 2018-12-07T10:39:23Z
Resolve user/group names in idoverride*-find
ipa idoverrideuser-find and ...group-find have an --anchor argument. The
anchor argument used to support only anchor UUIDs like
':IPA:domain:UUID' or ':SID:S-sid'. The find commands now detect regular
user or group names and translate them to anchors.
Fixes: https://pagure.io/freeipa/issue/6594
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5a2a7151 by Christian Heimes at 2018-12-07T10:39:23Z
Add integration tests for idviews
Add several tests to verify new anchor override and general idview
override functionality.
Fixes: https://pagure.io/freeipa/issue/6594
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f52e0e31 by Christian Heimes at 2018-12-07T10:39:23Z
Run idviews integration tests in nightly
See: https://pagure.io/freeipa/issue/6594
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
03edd82d by Diogo Nunes at 2018-12-07T11:44:34Z
PR-CI: Add gating tests to nightly_[master, f28, rawhide]
The objective of this change is to address the problem mentioned in this
thread: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/FIOWT53LJMAZQYHOTT4BEAJX5Q6422LB/
Since the concept of nightly is being a superset of gating, the gating
tests are incorporated in nightly in this commit.
Fixes: https://pagure.io/freeipa/issue/7788
Signed-off-by: Diogo Nunes <dnunes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
a0e09526 by Oleg Kozlov at 2018-12-07T13:06:29Z
Check pager's executable before subprocess.Popen
Get the value of `PAGER` environment variable in case it's defined, check the executable, if it exists - use a pager, otherwise - print function.
Fixes: https://pagure.io/freeipa/issue/7746
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5e6cb0ca by Christian Heimes at 2018-12-07T15:06:13Z
Resolve user/group names in idoverride*-find
ipa idoverrideuser-find and ...group-find have an --anchor argument. The
anchor argument used to support only anchor UUIDs like
':IPA:domain:UUID' or ':SID:S-sid'. The find commands now detect regular
user or group names and translate them to anchors.
Fixes: https://pagure.io/freeipa/issue/6594
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
11b06d24 by Christian Heimes at 2018-12-07T15:06:13Z
Add integration tests for idviews
Add several tests to verify new anchor override and general idview
override functionality.
Fixes: https://pagure.io/freeipa/issue/6594
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e86498ea by Christian Heimes at 2018-12-07T15:06:13Z
Run idviews integration tests in nightly
See: https://pagure.io/freeipa/issue/6594
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
228d1c81 by Thomas Woerner at 2018-12-07T16:29:59Z
ipatests integration/tasks.py: Honor clean for firewall in uninstall_master
This fix will make sure that the firewall services are only cleaned up if
the clean flag is True for example for backup and restore tests where the
clean flag is set to False for the server uninstall.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8e25ee64 by Thomas Woerner at 2018-12-07T16:29:59Z
ipatests/test_integration/test_backup_and_restore.py: No clean master uninstall
test_replica_install_after_restore is calling tasks.uninstall_master which
is disabling the firewall services for freeipa. The following ipa-restore
call is not reapplying the firewall settings. Calling tasks.uninstall_master
with clean=False will disable the firewall cleanup.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
f86b410f by Thomas Woerner at 2018-12-07T16:29:59Z
ipatests/test_integration/test_replica_promotion.py: Fix firewall config
The firewall needs to be configured before installing replicas.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a6862bd7 by Thomas Woerner at 2018-12-07T16:29:59Z
ipatests/test_integration/test_server_del.py: Enable dns in fw for dnssec
test_install_dns_on_replica1_and_dnssec_on_master now also enables the
dns servive in the firewall of the master.
See: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
cdfbcd40 by Diogo Nunes at 2018-12-07T16:44:05Z
Fix f52e0e31f7c76a3cd6b9b51aeba120c4ba3f38c9 typo in tests label definition.
Signed-off-by: Diogo Nunes <dnunes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
e0315a60 by Oleg Kozlov at 2018-12-10T13:44:28Z
Check pager's executable before subprocess.Popen
Get the value of `PAGER` environment variable in case it's defined, check the executable, if it exists - use a pager, otherwise - print function.
Fixes: https://pagure.io/freeipa/issue/7746
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
c646f8ad by Oleg Kozlov at 2018-12-10T13:44:28Z
Fix python2 compatibility
`which` function is ported to python2 and used in `ipalib.util.get_pager`, fixed import in `ipatests.test_ipalib.test_util` - `mock` will be imported from `python2-mock` package in case of python2
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a81ea9af by Florence Blanc-Renaud at 2018-12-10T16:04:56Z
ipatests: fix test_full_backup_and_restore
The test is failing when calling (on the replica)
ipa-replica-manage re-initialize --from <master>
because the tool needs to resolve master.
The test does not set /etc/resolv.conf on the replica, as a
consequence it relies on whatever DNS server is configured in
your test environment prior to launching the test, and makes
the test unreliable.
In PR-CI env, /etc/resolv.conf points to the machine hosting
the replica vm, which is unable to resolve master.ipa.test.
The fix is modifying the replica's /etc/resolv.conf to use the
master as DNS.
Fixes https://pagure.io/freeipa/issue/7778
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b3d5ae58 by Diogo Nunes at 2018-12-11T08:53:35Z
Fix f52e0e31f7c76a3cd6b9b51aeba120c4ba3f38c9 typo in tests label definition.
Signed-off-by: Diogo Nunes <dnunes at redhat.com>
- - - - -
33d95d65 by Florence Blanc-Renaud at 2018-12-11T08:54:43Z
ipatests: fix test_full_backup_and_restore
The test is failing when calling (on the replica)
ipa-replica-manage re-initialize --from <master>
because the tool needs to resolve master.
The test does not set /etc/resolv.conf on the replica, as a
consequence it relies on whatever DNS server is configured in
your test environment prior to launching the test, and makes
the test unreliable.
In PR-CI env, /etc/resolv.conf points to the machine hosting
the replica vm, which is unable to resolve master.ipa.test.
The fix is modifying the replica's /etc/resolv.conf to use the
master as DNS.
Fixes https://pagure.io/freeipa/issue/7778
- - - - -
c09927d1 by Christian Heimes at 2018-12-11T11:14:32Z
Handle service_del with bad service name
The command 'ipa service-del badservice' used to fail with an internal
server error, because check_required_principal() could not handle a
principal that is not a service principal. All del commands have less
strict error checking of primary keys so they can reference any stored
key, even illegal ones.
check_required_principal() skips required principal check if the
principal is not a service principal. A non-service principal can never
be a required principal.
Fixes: https://pagure.io/freeipa/issue/7793
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
39eaf2fa by Christian Heimes at 2018-12-11T11:16:00Z
Add index and container for RFC 2307 IP services
IPA doesn't officially support RFC 2307 IP services. However SSSD has a
nsswitch plugin to provide service lookups. The subtree search for
(&(ipserviceport=$PORT)(ipserviceprotocol=$SRV)(objectclass=ipservice)) in
cn=accounts,$SUFFIX has caused performance issues on large
installations.
This patch introduced a dedicated container
cn=ipservices,cn=accounts,$SUFFIX for IP services for future use or 3rd
party extensions. SSSD will be change its search base in an upcoming
release, too.
A new ipServicePort index is added to optimize searches for an IP
service by port. There is no index on ipServiceProtocol because the index
would have poor selectivity. An ipService entry has either 'tcp' or 'udp'
as protocol.
Fixes: https://pagure.io/freeipa/issue/7797
See: https://pagure.io/freeipa/issue/7786
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d6fd2ad4 by Christian Heimes at 2018-12-11T12:46:52Z
Remove dead code
set_sssd_domain_option() is no longer used. Changes are handled by
sssd_update().
See: https://pagure.io/freeipa/issue/7751
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
917d81b8 by Christian Heimes at 2018-12-11T12:46:52Z
Allow HTTPd user to access SSSD IFP
For smart card and certificate authentication, Apache's
mod_lookup_identity module must be able to acess SSSD IFP. The module
accesses IFP as Apache user, not as ipaapi user.
Apache is not allowed to use IFP by default. The update code uses the
service's ok-to-auth-as-delegate flag to detect smart card / cert auth.
See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0a2222ea by Christian Heimes at 2018-12-11T12:46:52Z
Smart card auth advise: Allow Apache user
Modify the smard card auth advise script to use sssd_enable_ifp() in
order to allow Apache to access SSSD IFP.
See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a86abd37 by Christian Heimes at 2018-12-11T12:46:52Z
Log stderr in run_command
pytest_multihost's run_command() does not log stderr when a command
fails. Wrap the function call to log stderr so it's easier to debug
failing tests.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f0e11dac by Christian Heimes at 2018-12-11T12:46:52Z
Test smart card advise scripts
Create and execute the server and client smart card advise scripts.
See: See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f330c59d by Christian Heimes at 2018-12-11T12:46:52Z
Add install/remove package helpers to advise
The smart card advise scripts assume that yum is installed. However
Fedora has dnf and the yum wrapper is not installed by default.
Installation and removal of packages is now provided by two helper
methods that detect the package manager.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a9f34c76 by Christian Heimes at 2018-12-13T13:53:38Z
Disable nss-p11-kit crypto policy for tests
NSS 3.40 and 3.41 enable p11-kit proxy. The PKCS#11 proxy loads all
PKCS#11 providers including the default SoftHSM2 token. On Fedora 28
OpenLDAP is patched to use Mozilla NSS. Because the SoftHSM2 token is
protected, the OpenLDAP function tlsmc_extract_cacerts() blocks because
it is waiting for PIN.
Delete the p11-kit policy and regenerate crypto policy.
OpenLDAP debug output:
ldap_url_parse_ext(ldap://master.ipa.test:389/)
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/dirsrv/slapd-IPA-TEST'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/dirsrv/slapd-IPA-TEST'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/dirsrv/slapd-IPA-TEST` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-slapd-IPA-TEST--CFD75CD2496FD947611EE486C199DB7DE06AF86D5CD28715BAD24414827D1987'.
tlsmc_convert: WARN: will try to create PEM dir.
tlsmc_prepare_dir: INFO: preparing PEM directory `/tmp/openldap-tlsmc-slapd-IPA-TEST--CFD75CD2496FD947611EE486C199DB7DE06AF86D5CD28715BAD24414827D1987'.
tlsmc_prepare_dir: INFO: creating a subdirectory `cacerts'.
tlsmc_prepare_dir: INFO: successfully created PEM directory structure.
***NSS 3.40 BLOCKS HERE***
tlsmc_extract_cacerts: INFO: found cert nick=`Server-Cert', _not_ a trusted CA, skipping.
tlsmc_extract_cacerts: INFO: found cert nick=`Self-Signed-CA', a trusted CA.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
18f610ca by Christian Heimes at 2018-12-13T15:55:41Z
Always collect test logs
mh.install() is the default multi host installer. Most integration test
classes use it to install master, replicas, and clients. In case of a
failed installation, the test collector step is skipped.
Guard log collection with a try/finally block so logs are always
collected.
Also collect journald output for mh.install() steps. The journal output
was missing from installation logs and were only available in each test
step.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
0fb87bfe by Christian Heimes at 2018-12-13T16:04:00Z
LDAPUpdate: Batch index tasks
The LDAPUpdate framework now keeps record of all changed/added indices
and batches all changed attribute in a single index task. It makes
updates much faster when multiple indices are added or modified.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ed436e4b by Christian Heimes at 2018-12-13T16:04:00Z
Add more LDAP indices
An index is used to optimize an LDAP operation. Without an index, 389-DS
has to perform a partial or even full table scan. A full database scan can
easily take 10 seconds or more in a large installation.
* automountMapKey: eq, pres (was: eq)
* autoMountMapName: eq
* ipaConfigString: eq
* ipaEnabledFlag: eq
* ipaKrbAuthzData: eq, sub
* accessRuleType: eq
* hostCategory: eq
automountMapKey and autoMountMapName filters are used for automount.
Installation and service discovery (CA, KRA) use ipaConfigString to find
active services and CA renewal master.
SSSD filters with ipaEnabledFlag, accessRuleType, and hostCategory to
find and cache HBAC rules for each host.
ipaKrbAuthzData is used by ipa host-del. The framework performs a
'*arg*' query, therefore a sub index is required, too.
Partly fixes: https://pagure.io/freeipa/issue/7786
Fixes: https://pagure.io/freeipa/issue/7787
Fixes: https://pagure.io/freeipa/issue/7790
Fixes: https://pagure.io/freeipa/issue/7792
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a34d92d2 by Christian Heimes at 2018-12-13T16:04:00Z
Create reindex task for ipaca DB
pkispawn sometimes does not run its indextasks. This leads to slow
unindexed filters on attributes such as description, which is used
to log in with a certificate. Explicitly reindex attribute that
should have been reindexed by CA's indextasks.ldif.
See: https://pagure.io/dogtagpki/issue/3083
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ee4c0f0e by Christian Heimes at 2018-12-13T17:14:30Z
Disable nss-p11-kit crypto policy for tests
NSS 3.40 and 3.41 enable p11-kit proxy. The PKCS#11 proxy loads all
PKCS#11 providers including the default SoftHSM2 token. On Fedora 28
OpenLDAP is patched to use Mozilla NSS. Because the SoftHSM2 token is
protected, the OpenLDAP function tlsmc_extract_cacerts() blocks because
it is waiting for PIN.
Delete the p11-kit policy and regenerate crypto policy.
OpenLDAP debug output:
ldap_url_parse_ext(ldap://master.ipa.test:389/)
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/dirsrv/slapd-IPA-TEST'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/dirsrv/slapd-IPA-TEST'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/dirsrv/slapd-IPA-TEST` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-slapd-IPA-TEST--CFD75CD2496FD947611EE486C199DB7DE06AF86D5CD28715BAD24414827D1987'.
tlsmc_convert: WARN: will try to create PEM dir.
tlsmc_prepare_dir: INFO: preparing PEM directory `/tmp/openldap-tlsmc-slapd-IPA-TEST--CFD75CD2496FD947611EE486C199DB7DE06AF86D5CD28715BAD24414827D1987'.
tlsmc_prepare_dir: INFO: creating a subdirectory `cacerts'.
tlsmc_prepare_dir: INFO: successfully created PEM directory structure.
***NSS 3.40 BLOCKS HERE***
tlsmc_extract_cacerts: INFO: found cert nick=`Server-Cert', _not_ a trusted CA, skipping.
tlsmc_extract_cacerts: INFO: found cert nick=`Self-Signed-CA', a trusted CA.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
faa122a8 by Florence Blanc-Renaud at 2018-12-13T19:29:41Z
replication: check remote ds version before editing attributes
When the remote server has an old DS version, update of the
replication attributes nsds5ReplicaReleaseTimeout nsds5ReplicaBackoffMax
and nsDS5ReplicaBindDnGroupCheckInterval fails even if the remote
schema has been updated.
Check first the remote server version and update the attributes only if
the version is high enough.
A previous fix was already performing this check (commit 02f4a7a),
but not in all the cases. This fix also handles when the remote server
already has a cn=replica entry (for instance because it has already
established replication with another host).
Fixes https://pagure.io/freeipa/issue/7796
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
18cac460 by Serhii Tsymbaliuk at 2018-12-13T20:14:57Z
WebUI: Temporary fix for UnexpectedAlertPresentException
It is regression in Firefox 55
Fixed in Firefox 65:
https://bugzilla.mozilla.org/show_bug.cgi?id=1503015
https://pagure.io/freeipa/issue/7809
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
f28a8177 by Oleg Kozlov at 2018-12-14T08:15:42Z
Replace nss.conf with zero-length file instead of removing
Empty nss.conf avoids recreation of nss.conf in case `mod_nss` package is reinstalled. It is needed because by default (e.g. recreated) nss.conf has `Listen 8443` while this port is used by dogtag.
Fixes: https://pagure.io/freeipa/issue/7745
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
eb0136ea by Christian Heimes at 2018-12-14T08:53:01Z
Remove dead code
set_sssd_domain_option() is no longer used. Changes are handled by
sssd_update().
See: https://pagure.io/freeipa/issue/7751
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
415295a6 by Christian Heimes at 2018-12-14T08:53:01Z
Allow HTTPd user to access SSSD IFP
For smart card and certificate authentication, Apache's
mod_lookup_identity module must be able to acess SSSD IFP. The module
accesses IFP as Apache user, not as ipaapi user.
Apache is not allowed to use IFP by default. The update code uses the
service's ok-to-auth-as-delegate flag to detect smart card / cert auth.
See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d7d17ece by Christian Heimes at 2018-12-14T08:53:01Z
Smart card auth advise: Allow Apache user
Modify the smard card auth advise script to use sssd_enable_ifp() in
order to allow Apache to access SSSD IFP.
See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b56db8da by Christian Heimes at 2018-12-14T08:53:01Z
Log stderr in run_command
pytest_multihost's run_command() does not log stderr when a command
fails. Wrap the function call to log stderr so it's easier to debug
failing tests.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
97776d2c by Christian Heimes at 2018-12-14T08:53:01Z
Test smart card advise scripts
Create and execute the server and client smart card advise scripts.
See: See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6ed90a2a by Christian Heimes at 2018-12-14T08:53:01Z
Add install/remove package helpers to advise
The smart card advise scripts assume that yum is installed. However
Fedora has dnf and the yum wrapper is not installed by default.
Installation and removal of packages is now provided by two helper
methods that detect the package manager.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e05ce4a2 by Christian Heimes at 2018-12-14T08:53:01Z
Python 2 compatibility
Make new test helpers and test code compatible with Python 2.7.
See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
76052d5a by Christian Heimes at 2018-12-14T08:54:59Z
Add index and container for RFC 2307 IP services
IPA doesn't officially support RFC 2307 IP services. However SSSD has a
nsswitch plugin to provide service lookups. The subtree search for
(&(ipserviceport=$PORT)(ipserviceprotocol=$SRV)(objectclass=ipservice)) in
cn=accounts,$SUFFIX has caused performance issues on large
installations.
This patch introduced a dedicated container
cn=ipservices,cn=accounts,$SUFFIX for IP services for future use or 3rd
party extensions. SSSD will be change its search base in an upcoming
release, too.
A new ipServicePort index is added to optimize searches for an IP
service by port. There is no index on ipServiceProtocol because the index
would have poor selectivity. An ipService entry has either 'tcp' or 'udp'
as protocol.
Fixes: https://pagure.io/freeipa/issue/7797
See: https://pagure.io/freeipa/issue/7786
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fc6b9498 by Christian Heimes at 2018-12-14T08:56:41Z
Handle service_del with bad service name
The command 'ipa service-del badservice' used to fail with an internal
server error, because check_required_principal() could not handle a
principal that is not a service principal. All del commands have less
strict error checking of primary keys so they can reference any stored
key, even illegal ones.
check_required_principal() skips required principal check if the
principal is not a service principal. A non-service principal can never
be a required principal.
Fixes: https://pagure.io/freeipa/issue/7793
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
97f87513 by François Cami at 2018-12-14T09:15:04Z
Fix NFS unit names
NFS unit names were renamed.
Compatibility was maintained with older unit names
through symlinks. When these symlinks are removed
only new unit names work, so changing to using non-
symlink unit names is required.
Fixes: https://pagure.io/freeipa/issue/7783
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6a56aa6d by François Cami at 2018-12-14T09:15:04Z
ipa-client-automount: use nfs-utils unit
- remove nfs-idmapd from units we enable & start as:
- it is not used on NFS clients anymore
- it is a static unit
- remove rpc-gssd as well as it is a static unit
- restart nfs-utils and rpc-gssd
- manage systemctl-related exceptions during uninstall
Fixes: https://pagure.io/freeipa/issue/7780
Fixes: https://pagure.io/freeipa/issue/7781
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7c0b0f34 by François Cami at 2018-12-14T09:15:04Z
ipatests: add a test for ipa-client-automount
Add an automount location then configure a client
to use it. Only runs nightly.
Related-to: https://pagure.io/freeipa/issue/7780
Related-to: https://pagure.io/freeipa/issue/7781
Related to: https://pagure.io/freeipa/issue/7783
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
93cbab63 by Christian Heimes at 2018-12-14T09:50:34Z
Always collect test logs
mh.install() is the default multi host installer. Most integration test
classes use it to install master, replicas, and clients. In case of a
failed installation, the test collector step is skipped.
Guard log collection with a try/finally block so logs are always
collected.
Also collect journald output for mh.install() steps. The journal output
was missing from installation logs and were only available in each test
step.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
- - - - -
dc067c89 by Serhii Tsymbaliuk at 2018-12-14T09:51:54Z
WebUI: Temporary fix for UnexpectedAlertPresentException
It is regression in Firefox 55
Fixed in Firefox 65:
https://bugzilla.mozilla.org/show_bug.cgi?id=1503015
https://pagure.io/freeipa/issue/7809
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
65f6c8dc by François Cami at 2018-12-14T10:58:30Z
Fix NFS unit names
NFS unit names were renamed.
Compatibility was maintained with older unit names
through symlinks. When these symlinks are removed
only new unit names work, so changing to using non-
symlink unit names is required.
Fixes: https://pagure.io/freeipa/issue/7783
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0687e486 by François Cami at 2018-12-14T10:58:30Z
ipa-client-automount: use nfs-utils unit
- remove nfs-idmapd from units we enable & start as:
- it is not used on NFS clients anymore
- it is a static unit
- remove rpc-gssd as well as it is a static unit
- restart nfs-utils and rpc-gssd
- manage systemctl-related exceptions during uninstall
Fixes: https://pagure.io/freeipa/issue/7780
Fixes: https://pagure.io/freeipa/issue/7781
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dfd741d3 by François Cami at 2018-12-14T10:58:30Z
ipatests: add a test for ipa-client-automount
Add an automount location then configure a client
to use it. Only runs nightly.
Related-to: https://pagure.io/freeipa/issue/7780
Related-to: https://pagure.io/freeipa/issue/7781
Related to: https://pagure.io/freeipa/issue/7783
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
690a8103 by Florence Blanc-Renaud at 2018-12-14T11:05:08Z
replication: check remote ds version before editing attributes
When the remote server has an old DS version, update of the
replication attributes nsds5ReplicaReleaseTimeout nsds5ReplicaBackoffMax
and nsDS5ReplicaBindDnGroupCheckInterval fails even if the remote
schema has been updated.
Check first the remote server version and update the attributes only if
the version is high enough.
A previous fix was already performing this check (commit 02f4a7a),
but not in all the cases. This fix also handles when the remote server
already has a cn=replica entry (for instance because it has already
established replication with another host).
Fixes https://pagure.io/freeipa/issue/7796
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ad37e0c2 by Christian Heimes at 2018-12-14T11:51:57Z
LDAPUpdate: Batch index tasks
The LDAPUpdate framework now keeps record of all changed/added indices
and batches all changed attribute in a single index task. It makes
updates much faster when multiple indices are added or modified.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
903cfe39 by Christian Heimes at 2018-12-14T11:51:57Z
Add more LDAP indices
An index is used to optimize an LDAP operation. Without an index, 389-DS
has to perform a partial or even full table scan. A full database scan can
easily take 10 seconds or more in a large installation.
* automountMapKey: eq, pres (was: eq)
* autoMountMapName: eq
* ipaConfigString: eq
* ipaEnabledFlag: eq
* ipaKrbAuthzData: eq, sub
* accessRuleType: eq
* hostCategory: eq
automountMapKey and autoMountMapName filters are used for automount.
Installation and service discovery (CA, KRA) use ipaConfigString to find
active services and CA renewal master.
SSSD filters with ipaEnabledFlag, accessRuleType, and hostCategory to
find and cache HBAC rules for each host.
ipaKrbAuthzData is used by ipa host-del. The framework performs a
'*arg*' query, therefore a sub index is required, too.
Partly fixes: https://pagure.io/freeipa/issue/7786
Fixes: https://pagure.io/freeipa/issue/7787
Fixes: https://pagure.io/freeipa/issue/7790
Fixes: https://pagure.io/freeipa/issue/7792
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e484c4ba by Christian Heimes at 2018-12-14T11:51:57Z
Create reindex task for ipaca DB
pkispawn sometimes does not run its indextasks. This leads to slow
unindexed filters on attributes such as description, which is used
to log in with a certificate. Explicitly reindex attribute that
should have been reindexed by CA's indextasks.ldif.
See: https://pagure.io/dogtagpki/issue/3083
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8fde7b81 by Oleg Kozlov at 2018-12-14T11:57:40Z
Replace nss.conf with zero-length file instead of removing
Empty nss.conf avoids recreation of nss.conf in case `mod_nss` package is reinstalled. It is needed because by default (e.g. recreated) nss.conf has `Listen 8443` while this port is used by dogtag.
Fixes: https://pagure.io/freeipa/issue/7745
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
caffe2e8 by Christian Heimes at 2018-12-14T12:44:28Z
Fix test_advise in nightly runs
test_advise now needs one client, too.
See: https://pagure.io/freeipa/issue/7751
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
e62eb000 by Alexander Bokovoy at 2018-12-14T13:04:02Z
ipa-sidgen: make internal fetch_attr helper really internal
With 389-ds landing a change for
https://pagure.io/389-ds-base/issue/49950, fetch_attr() helper function
is exposed in slapi-plugin.h. However, in order to be able to build
FreeIPA plugins against older 389-ds versions, prefer using a local
variant of it.
Rename fetch_attr() to ipa_sidgen_fetch_attr() so that it doesn't
conflict at all.
Fixes: https://pagure.io/freeipa/issue/7811
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
2b30b637 by Alexander Bokovoy at 2018-12-14T14:03:50Z
ipa-sidgen: make internal fetch_attr helper really internal
With 389-ds landing a change for
https://pagure.io/389-ds-base/issue/49950, fetch_attr() helper function
is exposed in slapi-plugin.h. However, in order to be able to build
FreeIPA plugins against older 389-ds versions, prefer using a local
variant of it.
Rename fetch_attr() to ipa_sidgen_fetch_attr() so that it doesn't
conflict at all.
Fixes: https://pagure.io/freeipa/issue/7811
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d7107342 by Christian Heimes at 2018-12-17T12:35:13Z
Require 3.41.0-3 on Fedora 28
nss-3.41.0-3.fc28 fixes an issue with p11-kit crypto policy that caused
OpenLDAP to fail when SoftHSM2 is installed. The build is available in
Fedora updates-testing and @freeipa/freeipa-master COPR.
nss-3.41.0-1.fc29 is available in F29 stable.
See: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
224e2c45 by Christian Heimes at 2018-12-18T09:07:44Z
Require 3.41.0-3 on Fedora 28
nss-3.41.0-3.fc28 fixes an issue with p11-kit crypto policy that caused
OpenLDAP to fail when SoftHSM2 is installed. The build is available in
Fedora updates-testing and @freeipa/freeipa-master COPR.
nss-3.41.0-1.fc29 is available in F29 stable.
See: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
c0fd5e39 by Florence Blanc-Renaud at 2018-12-19T13:19:46Z
replica install: set the same master as preferred source for domain and CA
During ipa-replica-install, the installer creates a ReplicaConfig
object that contains a config.ca_host_name attribute, built from
api.env.ca_host.
This attribute is used as preferred source when asking the DNS for a CA
master from which to initialize the CA instance
(see commit 8decef33 for master selection and preferred host).
In most of the cases, /etc/ipa/default.conf does not contain any
definition for ca_host. In this case, api.env.ca_host is set to
the local hostname.
As a consequence, replica install is trying to use the local host
as preferred source (which does not have any CA yet), and the method
to find the CA source randomly picks the CA in the DNS.
With the fix, the master picked for domain replication is also used as
preferred source for CA/KRA.
Fixes: https://pagure.io/freeipa/issue/7744
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0e5a8fbb by Oleg Kozlov at 2018-12-21T14:54:00Z
Remove stale kdc requests info files when upgrading IPA server
Added removing of stale /var/lib/sss/pubconf/kdcinfo.* and /var/lib/sss/pubconf/kpasswdinfo.* files generated by SSSD during IPA server upgrade.
Fixes: https://pagure.io/freeipa/issue/7578
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f2eb92a7 by Oleg Kozlov at 2018-12-23T09:37:35Z
Remove stale kdc requests info files when upgrading IPA server
Added removing of stale /var/lib/sss/pubconf/kdcinfo.* and /var/lib/sss/pubconf/kpasswdinfo.* files generated by SSSD during IPA server upgrade.
Fixes: https://pagure.io/freeipa/issue/7578
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7688808d by Christian Heimes at 2019-01-03T11:44:10Z
Add index on idnsName
The data structures for the internal DNS server use the attribute idnsName
instead of cn in the DN. It's also used to search for entries when entries
are added, modified, or removed.
The new index speeds up dnsrecord and dnszone related commands as well
as commands like host-add and host-del --updatedns.
Fixes: https://pagure.io/freeipa/issue/7803
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
98460bbe by Christian Heimes at 2019-01-03T13:08:24Z
Add index on idnsName
The data structures for the internal DNS server use the attribute idnsName
instead of cn in the DN. It's also used to search for entries when entries
are added, modified, or removed.
The new index speeds up dnsrecord and dnszone related commands as well
as commands like host-add and host-del --updatedns.
Fixes: https://pagure.io/freeipa/issue/7803
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
670bcc01 by Christian Heimes at 2019-01-08T16:25:56Z
Require 389-DS = 1.4.0.16
CI is failing with 389-DS 1.4.0.20-1. Pin dependency to 1.4.0.16 for
now.
Note: RPM/DNF don't like a pin with dash. Therefore I had to change
ds_version from 1.4.0.16-1 to 1.4.0.16.
Fixes: https://github.com/freeipa/freeipa/pull/2731
See: https://pagure.io/389-ds-base/pull-request/50121
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
e5be4092 by Christian Heimes at 2019-01-08T16:25:56Z
Make conftest compatible with pytest 4.x
pytest 3.6 has deprecated get_marker in 3.6. The method was removed in 4.x
and replaced with get_closest_marker.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
77852105 by Florence Blanc-Renaud at 2019-01-09T08:51:31Z
pkinit enable: use local dogtag only if host has CA
ipa-pkinit-manage enable is failing if called on a master
that does not have a CA instance, because it is trying to
contact dogtag on the localhost.
The command should rather use certmonger in this case, and
let certmonger contact the right master to request the KDC
certificate.
Fixes: https://pagure.io/freeipa/issue/7795
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
64be3141 by Florence Blanc-Renaud at 2019-01-09T08:51:31Z
ipatests: add integration test for pkinit enable on replica
ipa-pkinit-manage enable was failing when run on a replica
without a CA instance.
Add a test with the following scenario:
- install a replica with --no-pkinit
- check that the KDC cert is self signed
- call ipa-pkinit-manage enable
- check that the KDC cert is signed by IPA CA
Related to https://pagure.io/freeipa/issue/7795
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
80e6b684 by Christian Heimes at 2019-01-09T09:39:17Z
Make conftest compatible with pytest 4.x
pytest 3.6 has deprecated get_marker in 3.6. The method was removed in 4.x
and replaced with get_closest_marker.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
3bed3d4d by Christian Heimes at 2019-01-09T10:15:35Z
Use debug logger in ntpd_cleanup()
ipa-server-update shows spurious warnings when updating a server, e.g.
No such file name in the index
Warning: NTP service entry was not found in LDAP.
Lower all log levels in ntpd_cleanup() to debug to not confuse the user.
Fixes: https://pagure.io/freeipa/issue/7829
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
20b0a7a9 by Florence Blanc-Renaud at 2019-01-09T18:17:24Z
pkinit enable: use local dogtag only if host has CA
ipa-pkinit-manage enable is failing if called on a master
that does not have a CA instance, because it is trying to
contact dogtag on the localhost.
The command should rather use certmonger in this case, and
let certmonger contact the right master to request the KDC
certificate.
Fixes: https://pagure.io/freeipa/issue/7795
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
36364600 by Florence Blanc-Renaud at 2019-01-09T18:17:24Z
ipatests: add integration test for pkinit enable on replica
ipa-pkinit-manage enable was failing when run on a replica
without a CA instance.
Add a test with the following scenario:
- install a replica with --no-pkinit
- check that the KDC cert is self signed
- call ipa-pkinit-manage enable
- check that the KDC cert is signed by IPA CA
Related to https://pagure.io/freeipa/issue/7795
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
fe4707d0 by Christian Heimes at 2019-01-10T09:43:31Z
Use debug logger in ntpd_cleanup()
ipa-server-update shows spurious warnings when updating a server, e.g.
No such file name in the index
Warning: NTP service entry was not found in LDAP.
Lower all log levels in ntpd_cleanup() to debug to not confuse the user.
Fixes: https://pagure.io/freeipa/issue/7829
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3c38aea6 by Alexander Bokovoy at 2019-01-10T10:24:08Z
ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned
When looking through the topology of a trusted forest, we should support
all types of forest trust records. Since Samba Python bindings parse the
data into a typed structure, a type of the record has to be taken into
account or there will be type mismatch when accessing elements of the
union:
typedef [switch_type(lsa_ForestTrustRecordType)] union {
[case(LSA_FOREST_TRUST_TOP_LEVEL_NAME)] lsa_StringLarge top_level_name;
[case(LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX)] lsa_StringLarge top_level_name_ex;
[case(LSA_FOREST_TRUST_DOMAIN_INFO)] lsa_ForestTrustDomainInfo domain_info;
[default] lsa_ForestTrustBinaryData data;
} lsa_ForestTrustData;
typedef struct {
lsa_ForestTrustRecordFlags flags;
lsa_ForestTrustRecordType type;
NTTIME_hyper time;
[switch_is(type)] lsa_ForestTrustData forest_trust_data;
} lsa_ForestTrustRecord;
typedef [public] struct {
[range(0,4000)] uint32 count;
[size_is(count)] lsa_ForestTrustRecord **entries;
} lsa_ForestTrustInformation;
Each entry in the lsa_ForestTrustInformation has forest_trust_data
member but its content depends on the value of a type member
(forest_trust_data is a union of all possible structures).
Previously we assumed only TLN or TLN exclusion record which were
of the same type (lsa_StringLarge). Access to forest_trust_data.string
fails when forest_trust_data's type is lsa_ForestTrustDomainInfo as it
has no string member.
Fix the code by properly accessing the dns_domain_name from the
lsa_ForestTrustDomainInfo structure.
Fixes: https://pagure.io/freeipa/issue/7828
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
2aa24eed by Alexander Bokovoy at 2019-01-10T10:24:08Z
make sure IPA_CONFDIR is used to check that client is configured
Fixes a test ipatests/test_cmdline/test_cli.py:test_cli_fs_encoding()
which sets IPA_CONFDIR and attempts to interpret the resulting error
message. However, if the test is run on an enrolled machine (a
developer's laptop, for example), check_client_configuration() will
succeed because it ignores IPA_CONFDIR and, as result, api.finalize()
will fail later with a stacktrace.
Pass an environment object and test an overridden config file existence
in this case to fail with a proper and expected message.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8276caf8 by Christian Heimes at 2019-01-10T11:57:14Z
Don't use Python dependency generator yet
Fedora 30 started to have python_enable_dependency_generator by default.
Some packages like python3-dbus don't have the new dist names yet. This
fix enables testing on rawhide.
https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
39c70578 by Christian Heimes at 2019-01-11T07:25:56Z
Don't use Python dependency generator yet
Fedora 30 started to have python_enable_dependency_generator by default.
Some packages like python3-dbus don't have the new dist names yet. This
fix enables testing on rawhide.
https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c26cb5af by Christian Heimes at 2019-01-11T11:00:31Z
Require krb5 with fix for CVE-2018-20217
A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5
(aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using
an older encryption type (single-DES, triple-DES, or RC4), the attacker
can crash the KDC by making an S4U2Self request.
1.16.1-24 comes without Fix-bugs-with-concurrent-use-of-MEMORY-ccaches,
which caused a regression with IPA.
See: https://nvd.nist.gov/vuln/detail/CVE-2018-20217
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ed912266 by Christian Heimes at 2019-01-11T14:18:10Z
Require krb5 with fix for CVE-2018-20217
A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5
(aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using
an older encryption type (single-DES, triple-DES, or RC4), the attacker
can crash the KDC by making an S4U2Self request.
1.16.1-24 comes without Fix-bugs-with-concurrent-use-of-MEMORY-ccaches,
which caused a regression with IPA.
See: https://nvd.nist.gov/vuln/detail/CVE-2018-20217
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2ef6e14c by Christian Heimes at 2019-01-11T15:45:05Z
Create systemd-user HBAC service and rule
authselect changed pam_systemd session from optional to required. When
the HBAC rule allow_all is disabled and replaced with more fine grained
rules, loginsi now to fail, because systemd's user at .service is able to
create a systemd session.
Add systemd-user HBAC service and a HBAC rule that allows systemd-user
to run on all hosts for all users by default. ipa-server-upgrade creates
the service and rule, too. In case the service already exists, no
attempt is made to create the rule. This allows admins to delete the
rule permanently.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e5471e66 by Alexander Bokovoy at 2019-01-11T15:55:14Z
ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned
When looking through the topology of a trusted forest, we should support
all types of forest trust records. Since Samba Python bindings parse the
data into a typed structure, a type of the record has to be taken into
account or there will be type mismatch when accessing elements of the
union:
typedef [switch_type(lsa_ForestTrustRecordType)] union {
[case(LSA_FOREST_TRUST_TOP_LEVEL_NAME)] lsa_StringLarge top_level_name;
[case(LSA_FOREST_TRUST_TOP_LEVEL_NAME_EX)] lsa_StringLarge top_level_name_ex;
[case(LSA_FOREST_TRUST_DOMAIN_INFO)] lsa_ForestTrustDomainInfo domain_info;
[default] lsa_ForestTrustBinaryData data;
} lsa_ForestTrustData;
typedef struct {
lsa_ForestTrustRecordFlags flags;
lsa_ForestTrustRecordType type;
NTTIME_hyper time;
[switch_is(type)] lsa_ForestTrustData forest_trust_data;
} lsa_ForestTrustRecord;
typedef [public] struct {
[range(0,4000)] uint32 count;
[size_is(count)] lsa_ForestTrustRecord **entries;
} lsa_ForestTrustInformation;
Each entry in the lsa_ForestTrustInformation has forest_trust_data
member but its content depends on the value of a type member
(forest_trust_data is a union of all possible structures).
Previously we assumed only TLN or TLN exclusion record which were
of the same type (lsa_StringLarge). Access to forest_trust_data.string
fails when forest_trust_data's type is lsa_ForestTrustDomainInfo as it
has no string member.
Fix the code by properly accessing the dns_domain_name from the
lsa_ForestTrustDomainInfo structure.
Fixes: https://pagure.io/freeipa/issue/7828
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
736d2e00 by Alexander Bokovoy at 2019-01-11T15:55:14Z
make sure IPA_CONFDIR is used to check that client is configured
Fixes a test ipatests/test_cmdline/test_cli.py:test_cli_fs_encoding()
which sets IPA_CONFDIR and attempts to interpret the resulting error
message. However, if the test is run on an enrolled machine (a
developer's laptop, for example), check_client_configuration() will
succeed because it ignores IPA_CONFDIR and, as result, api.finalize()
will fail later with a stacktrace.
Pass an environment object and test an overridden config file existence
in this case to fail with a proper and expected message.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
aaf93830 by Christian Heimes at 2019-01-11T17:32:14Z
Create systemd-user HBAC service and rule
authselect changed pam_systemd session from optional to required. When
the HBAC rule allow_all is disabled and replaced with more fine grained
rules, loginsi now to fail, because systemd's user at .service is able to
create a systemd session.
Add systemd-user HBAC service and a HBAC rule that allows systemd-user
to run on all hosts for all users by default. ipa-server-upgrade creates
the service and rule, too. In case the service already exists, no
attempt is made to create the rule. This allows admins to delete the
rule permanently.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5ee68740 by Thomas Woerner at 2019-01-11T19:01:54Z
Enable firewall in the tests for PR CI
The firewall has not been enabled in the tests for PR CI so far. With these
steps this is done now:
install_packages: Install firewalld, enable and start firewalld service.
install_server: Enable firewalld services freeipa-ldap freeipa-ldaps and
dns after server installation.
run_tests: Disable firewalld services freeipa-ldap freeipa-ldaps and dns
after server uninstallation.
Related-to: https://pagure.io/freeipa/issue/7755
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ef7a9037 by Serhii Tsymbaliuk at 2019-01-14T09:16:58Z
Fix "Configured size limit exceeded" warning on Web UI
Suppress size limit warning in 'refresh' command.
Ticket: https://pagure.io/freeipa/issue/7603
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9a48069e by Serhii Tsymbaliuk at 2019-01-14T14:17:31Z
Fix "Configured size limit exceeded" warning on Web UI
Suppress size limit warning in 'refresh' command.
Ticket: https://pagure.io/freeipa/issue/7603
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9b90ebf4 by Rob Crittenden at 2019-01-15T08:41:22Z
Remove 389-ds templates now that lib389 is used for installs
The templates created the inf files for calling the 389-ds
installer setup-ds.pl. Now that lib389 is being used for installation
these are no longer necessary.
Related: https://pagure.io/freeipa/issue/4491
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
96518136 by Christian Heimes at 2019-01-15T19:29:22Z
Fix systemd-user HBAC rule
2ef6e14c5a87724a3b37dd5f0817af48c4411e03 added an invalid HBAC rule that
encoded the service wrongly.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e3f37960 by Stanislav Levin at 2019-01-16T07:57:51Z
Don't use cross-origin request
'Origin' for IPA login page is 'httpS://xxx'. But 'configured' link
has URL like 'http://xxx/ssbrowser.html'.
Since IPA web server doesn't use any kind of Access-Control-Allow-Origin
rules Mozilla Firefox blocks Cross-Origin request due to the Same Origin
policy violation.
So, just follow the Same Origin policy.
Fixes: https://pagure.io/freeipa/issue/7832
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
456abbc0 by Christian Heimes at 2019-01-16T08:56:56Z
Fix systemd-user HBAC rule
2ef6e14c5a87724a3b37dd5f0817af48c4411e03 added an invalid HBAC rule that
encoded the service wrongly.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
256f2982 by Christian Heimes at 2019-01-17T13:29:34Z
Mark failing NTP test as expected failure
See: https://pagure.io/freeipa/issue/7719
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
49cc72d5 by Sergey Orlov at 2019-01-17T13:36:27Z
Remove unused tests
Two tests in test_intgration/test_authselect.py were marked as
skipped in c5cdd5a5f0 due to removing of --no-sssd and --no-ac options.
Tests are not needed any more.
Fixes: https://pagure.io/freeipa/issue/7841
Signed-off-by: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ad37b483 by Sergey Orlov at 2019-01-17T16:23:47Z
Remove unused tests
Two tests in test_intgration/test_authselect.py were marked as
skipped in c5cdd5a5f0 due to removing of --no-sssd and --no-ac options.
Tests are not needed any more.
Fixes: https://pagure.io/freeipa/issue/7841
Signed-off-by: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
165a9411 by Christian Heimes at 2019-01-18T10:33:11Z
Don't configure KEYRING ccache in containers
Kernel keyrings are not namespaced yet. Keyrings can leak into other
containers. Therefore keyrings should not be used in containerized
environment.
Don't configure Kerberos to use KEYRING ccache backen when a container
environment is detected by systemd-detect-virt --container.
Fixes: https://pagure.io/freeipa/issue/7807
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
b149fff8 by Christian Heimes at 2019-01-21T12:56:41Z
Don't configure KEYRING ccache in containers
Kernel keyrings are not namespaced yet. Keyrings can leak into other
containers. Therefore keyrings should not be used in containerized
environment.
Don't configure Kerberos to use KEYRING ccache backen when a container
environment is detected by systemd-detect-virt --container.
Fixes: https://pagure.io/freeipa/issue/7807
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Oleg Kozlov <okozlov at redhat.com>
- - - - -
63fa87a3 by Florence Blanc-Renaud at 2019-01-22T15:38:59Z
replica installation: add master record only if in managed zone
Scenario: install a replica with DNS, whose IP address is part of a
forward zone.
Currently, the replica installation fails because the installer is
trying to add a A/AAAA record for the replica in the zone
when setting up the bind instance, and addition of records in a
forward zone is forbidden.
The bind installer should check if the IP address is in a master zone
(i.e. a DNS zone managed by IdM, not a forward zone), and avoid
creating the record if it's not the case.
During uninstallation, perform the same check before removing the
DNS record (if in a forward zone, no need to call dnsrecord-del).
Fixes: https://pagure.io/freeipa/issue/7369
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
a91e645a by Florence Blanc-Renaud at 2019-01-22T15:38:59Z
ipatests: add test for replica in forward zone
Scenario:
install a replica with DNS, with the replica part of a forward zone.
The replica installation should proceed successfully and avoid
trying to add a DNS record for the replica in the forward zone,
as the forward zone is not managed by IPA DNS.
Test added to nightly definitions.
Related to https://pagure.io/freeipa/issue/7369
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
60f4a259 by Florence Blanc-Renaud at 2019-01-25T08:02:54Z
ipatests: fix CA less expectations
The test TestServerInstall::test_ca_2_certs has a
wrong expectation. Scenario:
install a CA-less master with
ipa-server-install --ca-cert-file root.pem
where root.pem contains the CA that signed the http and ldap
certificates + an additional (unneeded) CA cert.
The test was expecting a failure, but this scenario is not
problematic as long as the unneeded CA cert is not added.
Related to https://pagure.io/freeipa/issue/6289 which has been
closed as won't fix
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
6b18e8a4 by Florence Blanc-Renaud at 2019-01-28T11:04:34Z
replica installation: add master record only if in managed zone
Scenario: install a replica with DNS, whose IP address is part of a
forward zone.
Currently, the replica installation fails because the installer is
trying to add a A/AAAA record for the replica in the zone
when setting up the bind instance, and addition of records in a
forward zone is forbidden.
The bind installer should check if the IP address is in a master zone
(i.e. a DNS zone managed by IdM, not a forward zone), and avoid
creating the record if it's not the case.
During uninstallation, perform the same check before removing the
DNS record (if in a forward zone, no need to call dnsrecord-del).
Fixes: https://pagure.io/freeipa/issue/7369
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
493cdc4f by Florence Blanc-Renaud at 2019-01-28T11:04:34Z
ipatests: add test for replica in forward zone
Scenario:
install a replica with DNS, with the replica part of a forward zone.
The replica installation should proceed successfully and avoid
trying to add a DNS record for the replica in the forward zone,
as the forward zone is not managed by IPA DNS.
Test added to nightly definitions.
Related to https://pagure.io/freeipa/issue/7369
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
19b1eb1f by Christian Heimes at 2019-01-29T11:44:19Z
Use expanduser instead of HOME env var
The HOME directory may not be available in containers. It's also the
wrong variable on some platforms. Use os.path.expanduser() instead of
HOME.
Fixes: https://pagure.io/freeipa/issue/7837
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2ba969da by Christian Heimes at 2019-01-29T11:44:19Z
Add workaround for lib389 HOME bug
lib389 <= 1.4.0.20 needs HOME env var. Temporary set env var until
lib389 is fixed.
See: https://pagure.io/389-ds-base/issue/50152
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ae74d348 by Christian Heimes at 2019-01-29T11:47:15Z
Add workaround for slow host/service del
host-del and service-del are slow because cert revokation is implemented
inefficiently. The internal cert_find() call retrieves all certificates
from Dogtag.
The workaround special cases service and host find without additional RA
search options. A search for service and host certs limits the scope to
certificate with matching subject common name.
See: https://pagure.io/freeipa/issue/7835
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6cd37542 by Christian Heimes at 2019-01-29T11:47:15Z
Optimize cert remove case
The cert_remove and mod subcommands for service and host now pass in the
name to cert_find() to benefit from special cases.
See: https://pagure.io/freeipa/issue/7835
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
76437dc8 by Serhii Tsymbaliuk at 2019-01-29T15:19:02Z
Split test_webui_hosts PRCI tests
Web UI test_host is too heavy and causes timeout errors during night runs,
so it is moved to separate configuration.
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
b8522da3 by Christian Heimes at 2019-01-29T19:36:48Z
Use expanduser instead of HOME env var
The HOME directory may not be available in containers. It's also the
wrong variable on some platforms. Use os.path.expanduser() instead of
HOME.
Fixes: https://pagure.io/freeipa/issue/7837
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
13f20854 by Sergey Orlov at 2019-01-29T19:42:13Z
Remove obsolete tests from test_caless.py
Related issue #4270 is closed as "won't fix" after 4 years.
The tests are obsolete now.
See: https://pagure.io/freeipa/issue/4271
See: https://pagure.io/freeipa/issue/4270
Signed-off-by: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
53e0b225 by Christian Heimes at 2019-01-30T07:06:02Z
ipa-getkeytab: resolve symlink
Resolve one level of symbolic links to support a dangling symlink as
keytab target. To prevent symlink attacks, only resolve symlink when the
symlink is owned by the current effective user and group, or by root.
Fixes: https://pagure.io/freeipa/issue/4607
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a243bd56 by Christian Heimes at 2019-01-30T07:08:44Z
Add workaround for slow host/service del
host-del and service-del are slow because cert revokation is implemented
inefficiently. The internal cert_find() call retrieves all certificates
from Dogtag.
The workaround special cases service and host find without additional RA
search options. A search for service and host certs limits the scope to
certificate with matching subject common name.
See: https://pagure.io/freeipa/issue/7835
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2ccd4da4 by Christian Heimes at 2019-01-30T07:08:44Z
Optimize cert remove case
The cert_remove and mod subcommands for service and host now pass in the
name to cert_find() to benefit from special cases.
See: https://pagure.io/freeipa/issue/7835
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
20d8286b by Sergey Orlov at 2019-01-30T07:16:55Z
ipatests: fix ldap server url
master.external_hostname was used to construct ldap url
which caused ldappasswd utility to exit with error due to host name
mismatch in client certificate. master.hostname should be used instead
as this name is used to generate certificate.
Fixes https://pagure.io/freeipa/issue/7844
Signed-off-by: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
089eb1ad by Sergey Orlov at 2019-01-30T12:38:04Z
ipatests: fix ldap server url
master.external_hostname was used to construct ldap url
which caused ldappasswd utility to exit with error due to host name
mismatch in client certificate. master.hostname should be used instead
as this name is used to generate certificate.
Fixes https://pagure.io/freeipa/issue/7844
Signed-off-by: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f65f7259 by Christian Heimes at 2019-01-30T13:23:12Z
ipa-getkeytab: resolve symlink
Resolve one level of symbolic links to support a dangling symlink as
keytab target. To prevent symlink attacks, only resolve symlink when the
symlink is owned by the current effective user and group, or by root.
Fixes: https://pagure.io/freeipa/issue/4607
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0439537f by Sergey Orlov at 2019-01-31T17:00:28Z
Remove obsolete tests from test_caless.py
Related issue #4270 is closed as "won't fix" after 4 years.
The tests are obsolete now.
See: https://pagure.io/freeipa/issue/4271
See: https://pagure.io/freeipa/issue/4270
Signed-off-by: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
146168d4 by Mohammad Rizwan Yusuf at 2019-02-01T12:27:10Z
Check if issuer DN is updated after external-ca > self-signed
This test checks if issuer DN is updated properly after CA is
renewed back from external-ca to self-signed
related ticket : https://pagure.io/freeipa/issue/7762
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
fde6ef5b by Mohammad Rizwan Yusuf at 2019-02-01T18:51:53Z
Check if issuer DN is updated after external-ca > self-signed
This test checks if issuer DN is updated properly after CA is
renewed back from external-ca to self-signed
related ticket : https://pagure.io/freeipa/issue/7762
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
fd4b84d6 by Rob Crittenden at 2019-02-01T18:54:49Z
tests: Don't provide explicit hostname to ldapmodify
Manual revert of bbac233b5ee487ab0e035cf0b861144769a0b738
The assumption was that ldap.conf was hosed and it couldn't
tell what hostname to use so one was hardcoded. This code
doesn't explicitly test that ldap.conf is sane but it is
a nice side-effect I suppose.
https://pagure.io/freeipa/issue/5880
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ed74b898 by Rob Crittenden at 2019-02-04T08:12:29Z
Update mod_nss cipher list so there is overlap with a 4.x master
dogtag updated its cipher list, disabling a lot of ciphers, which
causes an overlap problem with a RHEL 6.x IPA master.
This update script adds the two available ciphers to the nss.conf
so that creating a CA replica is possible.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
88795fb9 by Serhii Tsymbaliuk at 2019-02-04T13:14:26Z
Fix certificate revocation tests for Web UI
- correct revocation date before search
- increase timeouts
https://pagure.io/freeipa/issue/7834
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
0b17ae90 by Christian Heimes at 2019-02-04T19:24:15Z
Require 389-ds 1.4.0.21
1.4.0.21 fixes a problem with create_suffix_entry and uses
os.path.expanduser() instead of getenv('HOME').
See: https://pagure.io/389-ds-base/pull-request/50121
See: https://pagure.io/389-ds-base/issue/49984
See: https://pagure.io/389-ds-base/issue/50152
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
dc33be73 by Christian Heimes at 2019-02-04T19:24:15Z
Mark two failing automember tests as xfail
Two automember tests of the XML-RPC test suite have started to fail with
389-DS 1.4.0.21 update. The test failure seems to be related to a change of
389-DS' automember plugin,
https://www.port389.org/docs/389ds/design/automember-postop-modify-design.html.
See: https://pagure.io/freeipa/issue/7855
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5845fed7 by Christian Heimes at 2019-02-05T10:06:40Z
Mark two failing automember tests as xfail
Two automember tests of the XML-RPC test suite have started to fail with
389-DS 1.4.0.21 update. The test failure seems to be related to a change of
389-DS' automember plugin,
https://www.port389.org/docs/389ds/design/automember-postop-modify-design.html.
See: https://pagure.io/freeipa/issue/7855
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
77737829 by Christian Heimes at 2019-02-05T10:06:40Z
Require 389-ds 1.4.0.21
1.4.0.21 fixes a problem with create_suffix_entry and uses
os.path.expanduser() instead of getenv('HOME').
See: https://pagure.io/389-ds-base/pull-request/50121
See: https://pagure.io/389-ds-base/issue/49984
See: https://pagure.io/389-ds-base/issue/50152
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
bcfd61e8 by Rob Crittenden at 2019-02-05T13:25:35Z
Update mod_nss cipher list so there is overlap with a 4.x master
dogtag updated its cipher list, disabling a lot of ciphers, which
causes an overlap problem with a RHEL 6.x IPA master.
This update script adds the two available ciphers to the nss.conf
so that creating a CA replica is possible.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
034d2010 by Rob Crittenden at 2019-02-05T13:30:01Z
tests: Don't provide explicit hostname to ldapmodify
Manual revert of bbac233b5ee487ab0e035cf0b861144769a0b738
The assumption was that ldap.conf was hosed and it couldn't
tell what hostname to use so one was hardcoded. This code
doesn't explicitly test that ldap.conf is sane but it is
a nice side-effect I suppose.
https://pagure.io/freeipa/issue/5880
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
24b97b31 by Pavel Picka at 2019-02-05T13:35:14Z
PRCI failures fix
test_installation.py
- ticket 7008 closed so removing xfail
- TestInstallWithCA1
- TestInstallWithCA
- TestInstallWithCA_DNS1
- TestInstallWithCA_DNS2
nightly_master
- test_backup_and_restore_TestUser[r>R]ootFilesOwnership[Permission]
Signed-off-by: Pavel Picka <ppicka at redhat.com>
Reviewed-By: Michal Reznik <mreznik at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d5d9233b by Christian Heimes at 2019-02-05T13:39:13Z
Move realm_to_serverid/ldap_uri to ipaldap
The helper function realm_to_serverid() and realm_to_ldap_uri() are
useful outside the server installation framework. They are now in
ipapython.ipaldap along other helpers for LDAP handling in FreeIPA.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5be9341f by Christian Heimes at 2019-02-05T13:39:13Z
Add constructors to ldap client
Add LDAPClient.from_realm(), LDAPClient.from_hostname_secure(), and
LDAPClient.from_hostname_plain() constructors.
The simple_bind() method now also refuses to transmit a password over a
plain, unencrypted line.
LDAPClient.from_hostname_secure() uses start_tls and FreeIPA's CA cert
by default. The constructor also automatically disables start_tls for
ldaps and ldapi connections.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a3934a21 by Christian Heimes at 2019-02-05T13:39:13Z
Use new LDAPClient constructors
Replace get_ldap_uri() + LDAPClient() with new LDAPClient constructors
like LDAPClient.from_realm().
Some places now use LDAPI with external bind instead of LDAP with simple
bind. Although the FQDN *should* resolve to 127.0.0.1 / [::1], there is
no hard guarantee. The draft
https://tools.ietf.org/html/draft-west-let-localhost-be-localhost-04#section-5.1
specifies that applications must verify that the resulting IP is a
loopback API. LDAPI is always local and a bit more efficient, too.
The simple_bind() method also prevents the caller from sending a
password over an insecure line.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1a2ceb15 by Christian Heimes at 2019-02-05T13:39:13Z
Use secure LDAP connection in tests
Integration tests are now using StartTLS with IPA's CA cert instead of
plain text connections.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e4fff900 by Christian Heimes at 2019-02-05T13:39:13Z
Use LDAPS when installing CA on replica
On a replica, 389-DS is already configured for secure connections when
the CA is installed.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d87a3b01 by Christian Heimes at 2019-02-05T13:39:13Z
Let 389-DS configure LDAPI for us
The new lib389 installer configures LDAPI with correct socket path by
default. Use LDAPI to boot strap the IPA domain and autobind.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
73bc11a2 by Christian Heimes at 2019-02-05T13:39:13Z
Add ldapmodify/search helper functions
Move common LDAP commands to ldapmodify_dm() and ldapsearch_dm() helper
functions.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
bf1875a0 by Serhii Tsymbaliuk at 2019-02-06T17:11:56Z
Web UI tests: Get rid of *_cert_path and *_csr_path config variables
Web UI tests now don't require additional configuration to test certificates.
Self-signed certificates and CSR are generated on fly.
Next variables from ~/.ipa/ui_test.conf for now are deprecated:
- arbitrary_cert_path
- service_csr_path
- user_csr_path
Ticket: https://pagure.io/freeipa/issue/7843
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
b763bc79 by Serhii Tsymbaliuk at 2019-02-06T17:11:56Z
Fix test_arbitrary_certificates for Web UI
- fix selector for "Add" button in the certificate dialog
- specify selector for the certificate dialog
Ticket: https://pagure.io/freeipa/issue/7843
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
0376d704 by Florence Blanc-Renaud at 2019-02-06T18:13:46Z
Tests: fix option name for dsctl
389-ds-base has modified one option name in dsctl, and our test
test_uninstallation.py::TestUninstallBase::()::test_failed_uninstall
is still using the old option (--doit) instead of the new one
(--do-it).
Fixes: https://pagure.io/freeipa/issue/7856
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
93fb037d by Christian Heimes at 2019-02-07T11:33:45Z
Compile IPA modules with C11 extensions
- define __STDC_WANT_LIB_EXT1__ to get C11 extensions like memset_s() for
Samba's ZERO_STRUCT() macro, see
https://en.cppreference.com/w/c/string/byte/memset
- _DEFAULT_SOURCE enables features like htole16() from endian.h, see
http://man7.org/linux/man-pages/man3/endian.3.html
- _POSIX_C_SOURCE >= 200809 enables features like strndup() from string.h,
see http://man7.org/linux/man-pages/man3/strndup.3.html
- time_t is no longer implicitly defined, include time.h
- typeof() is only available as GNU extension. Use explicit types
instead of generic __typeof__().
Fixes: https://pagure.io/freeipa/issue/7858
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d4d0b8a0 by Christian Heimes at 2019-02-07T12:21:18Z
Update build requirements on twine
On Fedora >= 29 the command 'twine' is provied by the twine package. On
F28 it's in python3-twine. F30 no longer has python3-twine.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
272837f1 by Christian Heimes at 2019-02-07T12:38:34Z
Remove ZERO_STRUCT() call
ipa_sam uses Samba's macro ZERO_STRUCT() to safely zero out a block in
memory. On F30 ZERO_STRUCT() is currently broken, because it uses the
undefined C11 function memset_s().
During investigation of the bug, it turned out that
ZERO_STRUCT(td->security_identifier) is not needed. The whole td struct
is allocated with talloc_zero(), so td->security_identifier is already
zeroed.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1672231
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
06c0b05c by Serhii Tsymbaliuk at 2019-02-07T13:32:32Z
Web UI tests: Get rid of *_cert_path and *_csr_path config variables
Web UI tests now don't require additional configuration to test certificates.
Self-signed certificates and CSR are generated on fly.
Next variables from ~/.ipa/ui_test.conf for now are deprecated:
- arbitrary_cert_path
- service_csr_path
- user_csr_path
Ticket: https://pagure.io/freeipa/issue/7843
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
c746ecd1 by Serhii Tsymbaliuk at 2019-02-07T13:32:32Z
Fix test_arbitrary_certificates for Web UI
- fix selector for "Add" button in the certificate dialog
- specify selector for the certificate dialog
Ticket: https://pagure.io/freeipa/issue/7843
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
546b6b46 by Christian Heimes at 2019-02-07T14:01:31Z
Compile IPA modules with C11 extensions
- define __STDC_WANT_LIB_EXT1__ to get C11 extensions like memset_s() for
Samba's ZERO_STRUCT() macro, see
https://en.cppreference.com/w/c/string/byte/memset
- _DEFAULT_SOURCE enables features like htole16() from endian.h, see
http://man7.org/linux/man-pages/man3/endian.3.html
- _POSIX_C_SOURCE >= 200809 enables features like strndup() from string.h,
see http://man7.org/linux/man-pages/man3/strndup.3.html
- time_t is no longer implicitly defined, include time.h
- typeof() is only available as GNU extension. Use explicit types
instead of generic __typeof__().
Fixes: https://pagure.io/freeipa/issue/7858
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1c009e55 by Christian Heimes at 2019-02-07T14:10:56Z
Update build requirements on twine
On Fedora >= 29 the command 'twine' is provied by the twine package. On
F28 it's in python3-twine. F30 no longer has python3-twine.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
13555887 by Christian Heimes at 2019-02-07T14:11:55Z
Remove ZERO_STRUCT() call
ipa_sam uses Samba's macro ZERO_STRUCT() to safely zero out a block in
memory. On F30 ZERO_STRUCT() is currently broken, because it uses the
undefined C11 function memset_s().
During investigation of the bug, it turned out that
ZERO_STRUCT(td->security_identifier) is not needed. The whole td struct
is allocated with talloc_zero(), so td->security_identifier is already
zeroed.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1672231
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
089f9e7a by Florence Blanc-Renaud at 2019-02-07T16:32:21Z
ipatests: mark known failures as xfail
Commit 5dbcc1a9d30cdb0bc1c4f8476be37a3ef781f9be marked
the base class method test_replica0_with_ca_kra_dns_install
as known failure, but this does not work with inherited
classes. The child class methods need to be marked
themselves as known failures with @pytest.mark.xfail
Furthermore, TestInstallWithCA_KRA2 and TestInstallWithCA_KRA_DNS2
tests should succeed because the master is installed with KRA
(issue 7651 is related to replica install with --setup-kra
when it is the first KRA instance).
Related to https://pagure.io/freeipa/issue/7651
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
56f84ae0 by Rob Crittenden at 2019-02-07T16:32:21Z
Remove tests which install KRA on replica w/o KRA on master
The KRA installation code explicity quits if trying to
install a KRA during a replica installation if there is not
already a KRA in the topology.
A KRA can be added afterward.
https://pagure.io/freeipa/issue/7651
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
fbcdb8c0 by Serhii Tsymbaliuk at 2019-02-08T09:45:48Z
Split Web UI test suite in nightly PR CI configuration (IPA 4.7)
Manually apply changes from PRs:
https://github.com/freeipa/freeipa/pull/2538
https://github.com/freeipa/freeipa/pull/2774
WebUI test suite configuration is split to 11 bunches of tests to avoid unexpected timeouts.
test_webui/test_host.py runs standalone because it is unstable and heaviest one.
Original task: https://pagure.io/freeipa/issue/7756
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
5c8c00a4 by Christian Heimes at 2019-02-11T17:06:25Z
Test --external-ca-type=ms-cs
Verify that ipa-server-install with external CA and CA type ms-cs adds
the correct extension to the CSR.
Fixes: https://pagure.io/freeipa/issue/7548
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
5d9822d0 by Christian Heimes at 2019-02-11T18:42:06Z
Test --external-ca-type=ms-cs
Verify that ipa-server-install with external CA and CA type ms-cs adds
the correct extension to the CSR.
Fixes: https://pagure.io/freeipa/issue/7548
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
425dff1e by Sergey Orlov at 2019-02-12T10:07:19Z
ipatests: add test for correct modlist when value encoding differs
See: https://pagure.io/freeipa/issue/7750
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3ec29a7f by Christian Heimes at 2019-02-12T10:14:06Z
Disable dependency on dogtag-pki PyPI package
The dependency on 'dogtag-pki' PyPI package causes problems.
For one it's not the full pki package. It only provides the client part,
but ipaserver also needs the pki.server subpackage with pkispawn command.
The Fedora package dependency generator turns the requirement into a
package requirement, but python3-pki does not provide the package name
python3.7dist(dogtag-pki).
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
144a9c74 by Mohammad Rizwan Yusuf at 2019-02-12T11:00:29Z
ipatests: check if username are not optimized out in semanage context
ipa users having default semanage context were optimized out.
This test checks if those users are listed.
related ticket : https://pagure.io/SSSD/sssd/issue/3819
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
1dc2287a by Francisco Trivino at 2019-02-12T11:03:55Z
prci_definitions: Add nightly flow for pki dep testing
This commit adds PKI nightly flow definition. It executes relevant
freeipa tests in order to catch PKI regressions.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
06ca78eb by Timo Aaltonen at 2019-02-12T14:04:00Z
rules: Build the server for experimental.
- - - - -
67aa9999 by Timo Aaltonen at 2019-02-12T14:04:00Z
releasing package freeipa version 4.7.2-1+exp1
- - - - -
8c0f5f9a by Timo Aaltonen at 2019-02-12T14:05:55Z
upload rebase
- - - - -
7a8b875c by Sergey Orlov at 2019-02-12T15:36:39Z
ipatests: add test for correct modlist when value encoding differs
See: https://pagure.io/freeipa/issue/7750
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e63c6b20 by Florence Blanc-Renaud at 2019-02-15T17:21:47Z
tests: mark xfail for test_selinux_user_optimized on fed<=28
The test TestUserPermissions::test_selinux_user_optimized is
testing the fix for SSSD issue 3819, but the fix is not
available in fedora 28. Hence mark the test as xfail when
executed on fedora <=28 (our nightly tests also run on fed 28).
For full ref: fixed in sssd 1.16.4, Fedora 28 provides
1.16.3-2.fc28 only, while Fedora 29 provides 2.0.0-3.fc29.
related ticket : https://pagure.io/SSSD/sssd/issue/3819
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1fced5c4 by Christian Heimes at 2019-02-15T17:29:02Z
Disable dependency on dogtag-pki PyPI package
The dependency on 'dogtag-pki' PyPI package causes problems.
For one it's not the full pki package. It only provides the client part,
but ipaserver also needs the pki.server subpackage with pkispawn command.
The Fedora package dependency generator turns the requirement into a
package requirement, but python3-pki does not provide the package name
python3.7dist(dogtag-pki).
Signed-off-by: Christian Heimes <cheimes at redhat.com>
- - - - -
5e7f82db by Serhii Tsymbaliuk at 2019-02-18T13:53:06Z
Web UI: Increase timeouts for UI tests in Nightly PR configuration
Some test suites for WebUI in Nightly PR configuration have timeouts without any reserve.
So these tests fails randomly.
Timeout values for these test was increased to {real duration} + ~30%
https://pagure.io/freeipa/issue/7864
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
- - - - -
55253228 by François Cami at 2019-02-19T00:16:34Z
ipa-server-install: fix ca setup when fs.protected_regular=1
/tmp is a sticky directory. When the OS is configured with
fs.protected_regular=1, this means that O_CREATE open is forbidden
for files in /tmp if the calling user is not owner of the file,
except if the file is owned by the owner of the directory.
The installer (executed as root) currently creates a file in /tmp,
then modifies its owner to pkiuser and finally writes the pki config
in the file. With fs.protected_regular=1, the write is denied because
root is not owner of the file at this point.
The fix performs the ownership change after the file has been written.
Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=1677027
Fixes: https://pagure.io/freeipa/issue/7866
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
87496d64 by François Cami at 2019-02-19T06:03:45Z
ipa-server-install: fix ca setup when fs.protected_regular=1
/tmp is a sticky directory. When the OS is configured with
fs.protected_regular=1, this means that O_CREATE open is forbidden
for files in /tmp if the calling user is not owner of the file,
except if the file is owned by the owner of the directory.
The installer (executed as root) currently creates a file in /tmp,
then modifies its owner to pkiuser and finally writes the pki config
in the file. With fs.protected_regular=1, the write is denied because
root is not owner of the file at this point.
The fix performs the ownership change after the file has been written.
Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=1677027
Fixes: https://pagure.io/freeipa/issue/7866
Signed-off-by: François Cami <fcami at redhat.com>
- - - - -
cb14883a by Florence Blanc-Renaud at 2019-02-19T13:51:56Z
tests: fix failure in test_topology_TestTopologyOptions:test_add_remove_segment
The test is performing topology changes on the master, then
waits for replication to replicate the changes and checks
the expected outcome on replica1.
The issue is that wait_for_replication was called on replica1,
but should be called on the master. This method is reliable only
if it is executed on the host where the modification was done.
Fixes https://pagure.io/freeipa/issue/7865
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
d1f5ed64 by Sumit Bose at 2019-02-19T14:36:55Z
ipa_sam: remove dependency to talloc_strackframe.h
Recent Samba versions removed some header files which did include
non-public APIs. As a result talloc_strackframe.h and memory.h (for
SAFE_FREE) are not available anymore. This patch replaces the use of the
non-public APIs with public ones.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
0cc732eb by Florence Blanc-Renaud at 2019-02-19T17:11:03Z
tests: fix failure in test_topology_TestTopologyOptions:test_add_remove_segment
The test is performing topology changes on the master, then
waits for replication to replicate the changes and checks
the expected outcome on replica1.
The issue is that wait_for_replication was called on replica1,
but should be called on the master. This method is reliable only
if it is executed on the host where the modification was done.
Fixes https://pagure.io/freeipa/issue/7865
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
65898379 by Florence Blanc-Renaud at 2019-02-20T08:18:38Z
pkinit setup: fix regression on master install
The commit 7785210 intended to fix ipa-pkinit-manage enable
on a replica without any CA but introduced a regression:
ipa-server-install fails to configure pkinit with the fix.
This commit provides a proper fix without the regression:
pkinit needs to contact Dogtag directly only in case there is
no CA instance yet (for ex. because we are installing the
first master).
Fixes: https://pagure.io/freeipa/issue/7795
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
a25de958 by Florence Blanc-Renaud at 2019-02-20T08:18:38Z
test: add non-reg test checking pkinit after server install
Add a test with the following scenario:
ipa-server-install (with ca and pkinit enabled)
check that pkinit is properly enabled:
ipa-pkinit-manage status must return "enabled"
the KDC cert must be signed by IPA CA
Related to: https://pagure.io/freeipa/issue/7795
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
fcf3fd70 by Florence Blanc-Renaud at 2019-02-20T10:43:35Z
test: add non-reg test checking pkinit after server install
Add a test with the following scenario:
ipa-server-install (with ca and pkinit enabled)
check that pkinit is properly enabled:
ipa-pkinit-manage status must return "enabled"
the KDC cert must be signed by IPA CA
Related to: https://pagure.io/freeipa/issue/7795
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
acc38494 by Florence Blanc-Renaud at 2019-02-20T10:43:35Z
pkinit setup: fix regression on master install
The commit 7785210 intended to fix ipa-pkinit-manage enable
on a replica without any CA but introduced a regression:
ipa-server-install fails to configure pkinit with the fix.
This commit provides a proper fix without the regression:
pkinit needs to contact Dogtag directly only in case there is
no CA instance yet (for ex. because we are installing the
first master).
Fixes: https://pagure.io/freeipa/issue/7795
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c32bdcb1 by Serhii Tsymbaliuk at 2019-02-20T13:46:58Z
Web UI: Increase timeouts for UI tests in Nightly PR configuration
Some test suites for WebUI in Nightly PR configuration have timeouts without any reserve.
So these tests fails randomly.
Timeout values for these test was increased to {real duration} + ~30%
https://pagure.io/freeipa/issue/7864
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
c69875c8 by François Cami at 2019-02-27T20:42:39Z
ipa-client-automount: handle NFS configuration file changes
nfs-utils in Fedora 30 and later switched its configuration
file from /etc/sysconfig/nfs to /etc/nfs.conf, providing a
conversion service (nfs-convert.service) for upgrades.
However, for new installs the original configuration file
is missing. This change:
* adds a tuple-based osinfo.version_number method to handle
more kinds of OS versioning schemes
* detects RHEL and Fedora versions with the the new nfs-utils
behavior
* avoids backing up the new NFS configuration file as we do
not have to modify it.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1676981
Fixes: https://pagure.io/freeipa/issue/7868
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2ee160d1 by François Cami at 2019-02-27T22:32:48Z
ipa-client-automount: handle NFS configuration file changes
nfs-utils in Fedora 30 and later switched its configuration
file from /etc/sysconfig/nfs to /etc/nfs.conf, providing a
conversion service (nfs-convert.service) for upgrades.
However, for new installs the original configuration file
is missing. This change:
* adds a tuple-based osinfo.version_number method to handle
more kinds of OS versioning schemes
* detects RHEL and Fedora versions with the the new nfs-utils
behavior
* avoids backing up the new NFS configuration file as we do
not have to modify it.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1676981
Fixes: https://pagure.io/freeipa/issue/7868
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4fd4cf68 by François Cami at 2019-02-28T17:27:58Z
pylintrc: ignore R1720 no-else-raise errors
Newer pylint trips on unnecessary else/elif after raise.
Ignore that error for now as it breaks our build.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
052a3d20 by François Cami at 2019-02-28T19:37:22Z
pylintrc: ignore R1720 no-else-raise errors
Newer pylint trips on unnecessary else/elif after raise.
Ignore that error for now as it breaks our build.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
40dd0979 by François Cami at 2019-03-01T07:38:11Z
ipatests: remove all occurrences of osinfo.version_id
The fix for https://pagure.io/freeipa/issue/7868 introduced
a tuple-based OS version management method (osinfo.version_number)
by Christian Heimes.
Convert all occurrences of osinfo.version_id in ipatests to
osinfo.version_number then remove osinfo.version_id.
Related to: https://pagure.io/freeipa/issue/7873
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e6d560af by Christian Heimes at 2019-03-01T10:44:27Z
Make IPADiscovery available in PyPI packages
The ipaclient PyPI package does not ship the ipaclient.install
subpackage. The ipaclient.install.ipadiscovery module with IPADiscovery
is now available as ipaclient.discovery, so it can be used by consumers
of PyPI packages.
The module ipaclient.install.ipadiscovery provides a backwards
compatibility shim with deprecation warning.
Fixes: https://pagure.io/freeipa/issue/7861
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b5f1d33f by Christian Heimes at 2019-03-01T10:44:27Z
Reformat and PEP8 ipaclient.discovery
Since the moved code is detected as new/modified code, make fastlint is
complaining about PEP 8 violations.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fe4054da by François Cami at 2019-03-04T10:17:54Z
ipatests: remove all occurrences of osinfo.version_id
The fix for https://pagure.io/freeipa/issue/7868 introduced
a tuple-based OS version management method (osinfo.version_number)
by Christian Heimes.
Convert all occurrences of osinfo.version_id in ipatests to
osinfo.version_number then remove osinfo.version_id.
Related to: https://pagure.io/freeipa/issue/7873
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
dccb2e0e by Ian Pilcher at 2019-03-04T18:35:49Z
Allow issuing certificates with IP addresses in subjectAltName
Allow issuing certificates with IP addresses in the subject
alternative name (SAN), if all of the following are true.
* One of the DNS names in the SAN resolves to the IP address
(possibly through a CNAME).
* All of the DNS entries in the resolution chain are managed by
this IPA instance.
* The IP address has a (correct) reverse DNS entry that is managed
by this IPA instance
https://pagure.io/freeipa/issue/7451
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
8ec4868a by Fraser Tweedale at 2019-03-04T18:35:49Z
cert-request: restrict IPAddress SAN to host/service principals
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
eb70e64c by Fraser Tweedale at 2019-03-04T18:35:49Z
cert-request: collect only qualified DNS names for IPAddress validation
Collect only qualified DNS names for IPAddress validation. This is
necessary because it is undecidable whether the name 'ninja' refers
to 'ninja.my.domain.' or 'ninja.' (assuming both exist). Remember
that even a TLD can have A records.
Now that we are only checking qualified names for the purpose of
IPAddressName validation, remove the name length hack from
_san_dnsname_ips().
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
9c750f07 by Fraser Tweedale at 2019-03-04T18:35:49Z
cert-request: generalise _san_dnsname_ips for arbitrary cname depth
Generalise _san_dnsname_ips to allow arbitrary cname depths. This
also clarifies the code and avoids boolean blindness. Update the
call site to maintain the existing behvaiour (one cname allowed).
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e37c025d by Fraser Tweedale at 2019-03-04T18:35:49Z
cert-request: report all unmatched SAN IP addresses
During SAN validation, it is possible that more than one
iPAddressName does not match a known IP address for the DNS names in
the SAN. But only one unmatched IP address is reported. Update the
error message to mention all unmatched iPAddressName values.
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
474a2e69 by Fraser Tweedale at 2019-03-04T18:35:49Z
Add tests for cert-request IP address SAN support
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a65c12d0 by Fraser Tweedale at 2019-03-04T18:35:49Z
cert-request: more specific errors in IP address validation
Update the IP address validation to raise different error messages
for:
- inability to reach IP address from a DNS name
- missing PTR records for IP address
- asymmetric PTR / forward records
If multiple scenarios apply, indicate the first error (from list
above).
The code should now be a bit easier to follow. We first build dicts
of forward and reverse DNS relationships, keyed by IP address. Then
we check that entries for each iPAddressName are present in both
dicts. Finally we check for PTR-A/AAAA symmetry.
Update the tests to check that raised ValidationErrors indicate the
expected error.
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
24c77bc4 by Sergey Orlov at 2019-03-05T08:25:25Z
ipatests: fix host name for ssh connection from controller to master
Use master.external_hostname instead of master.hostname for ssh connection
from controller machine to master. If hostname and external_hostname in
test_config.yml do no match then trying to establish ssh connection
was failing with "[Errno -2] Name or service not known".
Fixes https://pagure.io/freeipa/issue/7874
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f8d91b99 by Sergey Orlov at 2019-03-05T12:57:07Z
ipatests: fix host name for ssh connection from controller to master
Use master.external_hostname instead of master.hostname for ssh connection
from controller machine to master. If hostname and external_hostname in
test_config.yml do no match then trying to establish ssh connection
was failing with "[Errno -2] Name or service not known".
Fixes https://pagure.io/freeipa/issue/7874
- - - - -
f6489117 by François Cami at 2019-03-07T14:19:37Z
ipa-client-automount: fix PEP8 issues
Commit 6a56aa6d4987bc4856997351a413c014e14abdd6 introduced
C0303, W1201 and R1710 errors in ipa-client-automount.in.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
faa3016d by François Cami at 2019-03-07T17:18:18Z
ipa-client-automount: fix PEP8 issues
Commit 6a56aa6d4987bc4856997351a413c014e14abdd6 introduced
C0303, W1201 and R1710 errors in ipa-client-automount.in.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
8327e11b by Fraser Tweedale at 2019-03-08T07:17:36Z
cert-request: handle missing zone
SAN IP address validation, while determining the zone for a DNS name
or IP address, does not handle missing zones. The resulting
dns.resolver.NoNameservers exception is not caught. As a result,
InternalError is returned to client.
Update cert-request IP address name validation to handle this case.
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
142b0dde by Ian Pilcher at 2019-03-11T00:34:03Z
Allow issuing certificates with IP addresses in subjectAltName
Allow issuing certificates with IP addresses in the subject
alternative name (SAN), if all of the following are true.
* One of the DNS names in the SAN resolves to the IP address
(possibly through a CNAME).
* All of the DNS entries in the resolution chain are managed by
this IPA instance.
* The IP address has a (correct) reverse DNS entry that is managed
by this IPA instance
https://pagure.io/freeipa/issue/7451
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
f34f099f by Fraser Tweedale at 2019-03-11T00:34:03Z
cert-request: restrict IPAddress SAN to host/service principals
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
7107eb1c by Fraser Tweedale at 2019-03-11T00:34:03Z
cert-request: collect only qualified DNS names for IPAddress validation
Collect only qualified DNS names for IPAddress validation. This is
necessary because it is undecidable whether the name 'ninja' refers
to 'ninja.my.domain.' or 'ninja.' (assuming both exist). Remember
that even a TLD can have A records.
Now that we are only checking qualified names for the purpose of
IPAddressName validation, remove the name length hack from
_san_dnsname_ips().
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
8dc25eb2 by Fraser Tweedale at 2019-03-11T00:34:03Z
cert-request: generalise _san_dnsname_ips for arbitrary cname depth
Generalise _san_dnsname_ips to allow arbitrary cname depths. This
also clarifies the code and avoids boolean blindness. Update the
call site to maintain the existing behvaiour (one cname allowed).
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ba93f55b by Fraser Tweedale at 2019-03-11T00:34:03Z
cert-request: report all unmatched SAN IP addresses
During SAN validation, it is possible that more than one
iPAddressName does not match a known IP address for the DNS names in
the SAN. But only one unmatched IP address is reported. Update the
error message to mention all unmatched iPAddressName values.
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
b5324b5d by Fraser Tweedale at 2019-03-11T00:34:03Z
Add tests for cert-request IP address SAN support
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
d0b915cb by Fraser Tweedale at 2019-03-11T00:34:03Z
cert-request: more specific errors in IP address validation
Update the IP address validation to raise different error messages
for:
- inability to reach IP address from a DNS name
- missing PTR records for IP address
- asymmetric PTR / forward records
If multiple scenarios apply, indicate the first error (from list
above).
The code should now be a bit easier to follow. We first build dicts
of forward and reverse DNS relationships, keyed by IP address. Then
we check that entries for each iPAddressName are present in both
dicts. Finally we check for PTR-A/AAAA symmetry.
Update the tests to check that raised ValidationErrors indicate the
expected error.
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
d07ca488 by Fraser Tweedale at 2019-03-11T00:34:03Z
cert-request: handle missing zone
SAN IP address validation, while determining the zone for a DNS name
or IP address, does not handle missing zones. The resulting
dns.resolver.NoNameservers exception is not caught. As a result,
InternalError is returned to client.
Update cert-request IP address name validation to handle this case.
Part of: https://pagure.io/freeipa/issue/7451
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
2a638dcd by Armando Neto at 2019-03-12T12:56:51Z
Add missing nightly test definitions from master
Copy current test definitions from `master` branch to `ipa-4-7`.
Test case `fedora-29/test_ntp_options` was not copied because its
associated test suite is not available in the `ipa-4-7` branch.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f2e7c3f6 by François Cami at 2019-03-13T15:09:24Z
ipatests: add too-restritive mask tests
If the mask used during the installation is "too restrictive", ie.0027,
installing FreeIPA results in a broken server or replica.
Add two tests that expect an error message at install time to catch
too restrictive masks.
Related to: https://pagure.io/freeipa/issue/7193
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f90a4b95 by François Cami at 2019-03-13T15:09:24Z
ipa-{server,replica}-install: add too-restritive mask detection
If the mask used during the installation is "too restrictive", ie.0027,
installing FreeIPA results in a broken server or replica.
Check for too-restrictive mask at install time and error out.
Fixes: https://pagure.io/freeipa/issue/7193
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0d23fa92 by Florence Blanc-Renaud at 2019-03-14T08:39:55Z
CRL generation master: new utility to enable|disable
Implement a new command ipa-clrgen-manage to enable, disable, or check
the status of CRL generation on the localhost.
The command automates the manual steps described in the wiki
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
Fixes: https://pagure.io/freeipa/issue/5803
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
4e3a64f7 by Florence Blanc-Renaud at 2019-03-14T08:39:55Z
Test: add new tests for ipa-crlgen-manage
Add new integration tests for the new command ipa-crlgen-manage,
and test_cmdline tests.
Related to: https://pagure.io/freeipa/issue/5803
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
2e73c964 by Florence Blanc-Renaud at 2019-03-14T08:39:55Z
ipa server: prevent uninstallation if the server is CRL master
If ipa-server-install --uninstall is called on a server that
is CRL generation master, refuse uninstallation unless
--ignore-last-of-role is specified or (in interactive mode)
the admin is OK to force uninstallation.
Related to https://pagure.io/freeipa/issue/5803
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
33af8c75 by Sumit Bose at 2019-03-14T13:42:35Z
ipa-extdom-exop: add instance counter and limit
The user and group lookups done by the extdom plugin might need some
time depending on the state of the service (typically SSSD) handling the
requests.
To avoid that all worker threads are busy waiting on a connect or a
reply from SSSD and no other request can be handled this patch adds an
instance counter and an instance limit for the extdom plugin.
By default the limit will be around 80% of the number of worker threads.
It can be tuned further with the plugin option ipaExtdomMaxInstances
which must in set in ipaextdommaxinstances and should have an integer
value larger than 0 and lesser than the number of worker threads.
If the instance limit is reached the extdom plugin will return LDAP_BUSY
for every new request until the number of instance is again below the
limit.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
270ccca7 by François Cami at 2019-03-14T13:59:02Z
ipatests: add too-restritive mask tests
If the mask used during the installation is "too restrictive", ie.0027,
installing FreeIPA results in a broken server or replica.
Add two tests that expect an error message at install time to catch
too restrictive masks.
Related to: https://pagure.io/freeipa/issue/7193
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d82388bc by François Cami at 2019-03-14T13:59:02Z
ipa-{server,replica}-install: add too-restritive mask detection
If the mask used during the installation is "too restrictive", ie.0027,
installing FreeIPA results in a broken server or replica.
Check for too-restrictive mask at install time and error out.
Fixes: https://pagure.io/freeipa/issue/7193
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0ae19c5c by Sumit Bose at 2019-03-15T15:41:11Z
ipa-extdom-exop: add instance counter and limit
The user and group lookups done by the extdom plugin might need some
time depending on the state of the service (typically SSSD) handling the
requests.
To avoid that all worker threads are busy waiting on a connect or a
reply from SSSD and no other request can be handled this patch adds an
instance counter and an instance limit for the extdom plugin.
By default the limit will be around 80% of the number of worker threads.
It can be tuned further with the plugin option ipaExtdomMaxInstances
which must in set in ipaextdommaxinstances and should have an integer
value larger than 0 and lesser than the number of worker threads.
If the instance limit is reached the extdom plugin will return LDAP_BUSY
for every new request until the number of instance is again below the
limit.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
52770aa5 by Florence Blanc-Renaud at 2019-03-15T15:44:46Z
CRL generation master: new utility to enable|disable
Implement a new command ipa-clrgen-manage to enable, disable, or check
the status of CRL generation on the localhost.
The command automates the manual steps described in the wiki
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
Fixes: https://pagure.io/freeipa/issue/5803
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
67533b3a by Florence Blanc-Renaud at 2019-03-15T15:44:46Z
Test: add new tests for ipa-crlgen-manage
Add new integration tests for the new command ipa-crlgen-manage,
and test_cmdline tests.
Related to: https://pagure.io/freeipa/issue/5803
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
e654a1b9 by Florence Blanc-Renaud at 2019-03-15T15:44:46Z
ipa server: prevent uninstallation if the server is CRL master
If ipa-server-install --uninstall is called on a server that
is CRL generation master, refuse uninstallation unless
--ignore-last-of-role is specified or (in interactive mode)
the admin is OK to force uninstallation.
Related to https://pagure.io/freeipa/issue/5803
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
6defe320 by Rob Crittenden at 2019-03-19T15:00:43Z
Send only the path and not the full URI to httplib.request
Sending the full uri was causing httplib to send requests as:
POST http://ipa.example.com/ca/admin/ca/getStatus HTTP/1.1
>From what I can tell tomcat changed its URL handling due to a CVE
(BZ 1552375). This has been wrong in freeipa since the CA status
checking was added, d6fbbd5 , but tomcat handled it fine so we
didn't notice.
https://pagure.io/freeipa/issue/7883
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
d9a64ee7 by Rob Crittenden at 2019-03-19T19:01:45Z
Send only the path and not the full URI to httplib.request
Sending the full uri was causing httplib to send requests as:
POST http://ipa.example.com/ca/admin/ca/getStatus HTTP/1.1
>From what I can tell tomcat changed its URL handling due to a CVE
(BZ 1552375). This has been wrong in freeipa since the CA status
checking was added, d6fbbd5 , but tomcat handled it fine so we
didn't notice.
https://pagure.io/freeipa/issue/7883
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
e12e3e84 by Serhii Tsymbaliuk at 2019-03-20T10:33:50Z
WebUI test: Fix automember tests according to new behavior
After deleting user/host from group "rebuild" task is triggered,
so the entity returns to the group. And we check if it exists.
Also the order of cleaning test resources are changed:
groups are being deleted only after corresponding rules.
New automembership design description:
https://www.port389.org/docs/389ds/design/automember-postop-modify-design.html
Ticket: https://pagure.io/freeipa/issue/7881
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
55004225 by Peter Keresztes Schmidt at 2019-03-20T16:32:43Z
README: Update link to freeipa-devel archive
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
33378403 by Florence Blanc-Renaud at 2019-03-20T16:45:00Z
XML RPC test: fix test_automember_plugin
With 389-DS 1.4.0.21, automember plugin also gets triggered on modify ops
by default. This means that a member manually removed gets automatically
re-added by the plugin.
This behavior can be disabled by setting autoMemberProcessModifyOps=off in
the entry cn=Auto Membership Plugin,cn=plugins,cn=config.
Before 389-DS 1.4.0.21, it was possible to remove a member and the member
did not get re-added (unless automember-rebuild was called). This former
behavior can be forced by setting autoMemberProcessModifyOps=off.
This commit fixes the test and checks the behavior when
autoMemberProcessModifyOps=off and when autoMemberProcessModifyOps=on.
Fixes: https://pagure.io/freeipa/issue/7855
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
1b8ba573 by Florence Blanc-Renaud at 2019-03-21T08:25:45Z
XML RPC test: fix test_automember_plugin
With 389-DS 1.4.0.21, automember plugin also gets triggered on modify ops
by default. This means that a member manually removed gets automatically
re-added by the plugin.
This behavior can be disabled by setting autoMemberProcessModifyOps=off in
the entry cn=Auto Membership Plugin,cn=plugins,cn=config.
Before 389-DS 1.4.0.21, it was possible to remove a member and the member
did not get re-added (unless automember-rebuild was called). This former
behavior can be forced by setting autoMemberProcessModifyOps=off.
This commit fixes the test and checks the behavior when
autoMemberProcessModifyOps=off and when autoMemberProcessModifyOps=on.
Fixes: https://pagure.io/freeipa/issue/7855
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
3ae38973 by Florence Blanc-Renaud at 2019-03-21T14:18:56Z
Coverity: fix issue in ipa_extdom_extop.c
Coverity found the following issue:
Error: BAD_COMPARE (CWE-697): [#def1]
freeipa-4.6.5/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c:121: null_misuse: Comparing pointer "threadnumber" against "NULL" using anything besides "==" or "!=" is likely to be incorrect.
The comparison is using the pointer while it should use the pointed value.
Fixes: https://pagure.io/freeipa/issue/7884
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
133b199f by Serhii Tsymbaliuk at 2019-03-21T15:01:11Z
Web UI (topology graph): Show FQDN for nodes if they have no common DNS zone
It allows to avoid confusion with identical short hostnames.
There are two cases implemented:
- no common DNS zone: graph shows FQDN for all nodes
- all nodes have one common DNS zone: graph shows DN relatively to the common zone
https://pagure.io/freeipa/issue/7206
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c2043506 by Serhii Tsymbaliuk at 2019-03-22T07:45:31Z
WebUI test: Fix automember tests according to new behavior
After deleting user/host from group "rebuild" task is triggered,
so the entity returns to the group. And we check if it exists.
Also the order of cleaning test resources are changed:
groups are being deleted only after corresponding rules.
New automembership design description:
https://www.port389.org/docs/389ds/design/automember-postop-modify-design.html
Ticket: https://pagure.io/freeipa/issue/7881
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
da31c639 by Serhii Tsymbaliuk at 2019-03-22T08:03:39Z
Web UI (topology graph): Show FQDN for nodes if they have no common DNS zone
It allows to avoid confusion with identical short hostnames.
There are two cases implemented:
- no common DNS zone: graph shows FQDN for all nodes
- all nodes have one common DNS zone: graph shows DN relatively to the common zone
https://pagure.io/freeipa/issue/7206
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
20a8dd8b by Florence Blanc-Renaud at 2019-03-22T12:15:25Z
Coverity: fix issue in ipa_extdom_extop.c
Coverity found the following issue:
Error: BAD_COMPARE (CWE-697): [#def1]
freeipa-4.6.5/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c:121: null_misuse: Comparing pointer "threadnumber" against "NULL" using anything besides "==" or "!=" is likely to be incorrect.
The comparison is using the pointer while it should use the pointed value.
Fixes: https://pagure.io/freeipa/issue/7884
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0a7c2726 by Christian Heimes at 2019-03-22T14:50:51Z
GIT: ignore ipa-crlgen-manage
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
19068f9e by Christian Heimes at 2019-03-25T07:37:43Z
GIT: ignore ipa-crlgen-manage
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
6e8d38ca by Florence Blanc-Renaud at 2019-03-25T08:46:36Z
ipa-replica-manage: fix force-sync
ipa-replica-manage force-sync --from <server> is performing a wrong check
that may result in the tool looping on "No status yet".
force-sync is adding a nsds5replicaupdateschedule attribute to the
replication agreement in order to force replication to wake up. Note that
this is not a re-initialization (re init drops the current db and reloads
the entire db).
In a second step, force-sync is checking the replication agreement by reading
nsds5BeginReplicaRefresh, nsds5ReplicaLastInitStatus,
nsds5ReplicaLastInitStart and nsds5ReplicaLastInitEnd. This is a wrong
test as force-sync is not an init operation and does not touch these
attributes.
The tool should call wait_for_repl_update rather than wait_for_repl_init.
This way, the check is done on the replication agreement attributes
nsds5replicaUpdateInProgress, nsds5ReplicaLastUpdateStatus,
nsds5ReplicaLastUpdateStart and nsds5ReplicaLastUpdateEnd.
Fixes: https://pagure.io/freeipa/issue/7886
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b9dc9757 by Alexander Bokovoy at 2019-03-25T08:48:31Z
domainlevel-get: fix various issues when running as non-admin
Use proper filter that is caught up by the ACI for 'permission:System:
Read Domain Level' to allow any authenticated user to see the domain
level.
If the server doesn't have domain level set, callers in replica
installer expect errors.NotFound but never get it.
Return the right exception here and change the other caller to follow
the same convention.
Inability to retrieve ipaDomainLevel attribute due to a filter mismatch
casues ipa-replica-install to fail if run as a replica host principal.
Use DOMAIN_LEVEL_0 constant instead of 0 as used by the rest of the code.
Fixes: https://pagure.io/freeipa/issue/7876
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e5244fbe by Stanislav Levin at 2019-03-25T08:49:45Z
Completely drop /var/cache/ipa/sessions
This directory has been already dropped in @6d66e826c,
but not entirely.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6856b17f by Florence Blanc-Renaud at 2019-03-25T12:55:35Z
ipa-replica-manage: fix force-sync
ipa-replica-manage force-sync --from <server> is performing a wrong check
that may result in the tool looping on "No status yet".
force-sync is adding a nsds5replicaupdateschedule attribute to the
replication agreement in order to force replication to wake up. Note that
this is not a re-initialization (re init drops the current db and reloads
the entire db).
In a second step, force-sync is checking the replication agreement by reading
nsds5BeginReplicaRefresh, nsds5ReplicaLastInitStatus,
nsds5ReplicaLastInitStart and nsds5ReplicaLastInitEnd. This is a wrong
test as force-sync is not an init operation and does not touch these
attributes.
The tool should call wait_for_repl_update rather than wait_for_repl_init.
This way, the check is done on the replication agreement attributes
nsds5replicaUpdateInProgress, nsds5ReplicaLastUpdateStatus,
nsds5ReplicaLastUpdateStart and nsds5ReplicaLastUpdateEnd.
Fixes: https://pagure.io/freeipa/issue/7886
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
556bf2f9 by Alexander Bokovoy at 2019-03-25T12:59:04Z
domainlevel-get: fix various issues when running as non-admin
Use proper filter that is caught up by the ACI for 'permission:System:
Read Domain Level' to allow any authenticated user to see the domain
level.
If the server doesn't have domain level set, callers in replica
installer expect errors.NotFound but never get it.
Return the right exception here and change the other caller to follow
the same convention.
Inability to retrieve ipaDomainLevel attribute due to a filter mismatch
casues ipa-replica-install to fail if run as a replica host principal.
Use DOMAIN_LEVEL_0 constant instead of 0 as used by the rest of the code.
Fixes: https://pagure.io/freeipa/issue/7876
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
885af7fe by Christian Heimes at 2019-03-25T13:30:37Z
Fix assign instead of compare
Commit 53e0b2255d92c9c21c19306cf37cc8de0476dc9c introduced a minor bug.
Instead of comparing errno to ENOENT, the check assigned ENOENT to
errno.
Coverity: CID 337082
See: https://pagure.io/freeipa/issue/4607
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
77d0996c by Christian Heimes at 2019-03-25T15:39:10Z
Fix assign instead of compare
Commit 53e0b2255d92c9c21c19306cf37cc8de0476dc9c introduced a minor bug.
Instead of comparing errno to ENOENT, the check assigned ENOENT to
errno.
Coverity: CID 337082
See: https://pagure.io/freeipa/issue/4607
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
52e5ef81 by Christian Heimes at 2019-03-27T14:09:30Z
replica install: acknowledge ca_host override
Fixup for commit c0fd5e39c726ef4dc12e87a2f9c08ebb32ed27fe. Only set
ca_host to source master hostname if ca_host points to the local host.
This permits users to override ca_host in /etc/ipa/default.conf when
installing a replica.
Related: https://pagure.io/freeipa/issue/7744
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
74532146 by Christian Heimes at 2019-03-27T18:14:51Z
replica install: acknowledge ca_host override
Fixup for commit c0fd5e39c726ef4dc12e87a2f9c08ebb32ed27fe. Only set
ca_host to source master hostname if ca_host points to the local host.
This permits users to override ca_host in /etc/ipa/default.conf when
installing a replica.
Related: https://pagure.io/freeipa/issue/7744
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
d76dccc0 by Christian Heimes at 2019-03-27T23:21:00Z
Use api.env.container_masters
Replace occurences of ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc')
with api.env.container_masters.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e9fd8adf by Christian Heimes at 2019-03-27T23:21:00Z
Consolidate container_masters queries
Replace manual queries of container_masters with new APIs get_masters()
and is_service_enabled().
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b4bade06 by Christian Heimes at 2019-03-28T13:07:11Z
Unify and simplify LDAP service discovery
Move LDAP service discovery and service definitions from
ipaserver.install to ipaserver. Simplify and unify different
implementations in favor of a single implementation.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
885cb17f by Christian Heimes at 2019-03-28T13:07:11Z
Use api.env.container_masters
Replace occurences of ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc')
with api.env.container_masters.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
99eb7e09 by Christian Heimes at 2019-03-28T13:07:11Z
Consolidate container_masters queries
Replace manual queries of container_masters with new APIs get_masters()
and is_service_enabled().
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
2a8176ee by Alexander Bokovoy at 2019-03-28T13:08:19Z
Add design page for one-way trust to AD with shared secret
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
120bab0d by Alexander Bokovoy at 2019-03-28T13:08:19Z
trust: allow trust agents to read POSIX identities of trust
SSSD and Samba on IPA masters need to be able to look up POSIX
attributes of trusted domain objects in order to allow Active Directory
domain controllers from trusted forests to connect to LSA and NETLOGON
pipes.
We only have access to read POSIX attributes in cn=accounts,$SUFFIX
subtree rather than whole $SUFFIX. Thus, add an ACI to trusts subtree.
Fixes: https://pagure.io/freeipa/issue/6077
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
dc8f074c by Alexander Bokovoy at 2019-03-28T13:08:19Z
trusts: add support for one-way shared secret trust
Refactor ipa-sam code to generate principals with additional POSIX
information so that FreeIPA is capable to establish trust when using a
shared secret from Active Directory domain controller side.
Trust verification process from Samba AD DC or Microsoft Windows AD DC
side requires us to have a working local TDO object with POSIX
attributes so that smbd would be able to map incoming authenticated
Kerberos principal for the TDO to a local POSIX account.
Note that FreeIPA stores TDO objects in a subtree of cn=trusts,$SUFFIX
and thus SSSD is not able to see these POSIX accounts unless
specifically instructed to do so via multiple search bases. The support
for automatically enabling cn=trusts,$SUFFIX search base in IPA server
mode was added to SSSD 1.16.3 and 2.1.0 with the commit
https://pagure.io/SSSD/sssd/c/14faec9cd9437ef116ae054412d25ec2e820e409
Fixes: https://pagure.io/freeipa/issue/6077
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
18cb30d4 by Alexander Bokovoy at 2019-03-28T13:08:19Z
upgrade: upgrade existing trust agreements to new layout
Existing trust agreements will lack required Kerberos principals and
POSIX attributes expected to allow Active Directory domain controllers
to query IPA master over LSA and NETLOGON RPC pipes.
Upgrade code is split into two parts:
- upgrade trusted domain object to have proper POSIX attributes
- generate required Kerberos principals for AD DC communication
Fixes: https://pagure.io/freeipa/issue/6077
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
dca901c0 by Alexander Bokovoy at 2019-03-28T13:08:19Z
upgrade: add trust upgrade to actual upgrade code
Fixes: https://pagure.io/freeipa/issue/6077
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
50c0d6dc by Alexander Bokovoy at 2019-03-28T13:10:59Z
Add design page for one-way trust to AD with shared secret
(cherry picked from commit b3911ade55eec139e07f8b4ea83612f1b2794857)
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
f6183c80 by Alexander Bokovoy at 2019-03-28T13:10:59Z
trust: allow trust agents to read POSIX identities of trust
SSSD and Samba on IPA masters need to be able to look up POSIX
attributes of trusted domain objects in order to allow Active Directory
domain controllers from trusted forests to connect to LSA and NETLOGON
pipes.
We only have access to read POSIX attributes in cn=accounts,$SUFFIX
subtree rather than whole $SUFFIX. Thus, add an ACI to trusts subtree.
Fixes: https://pagure.io/freeipa/issue/6077
(cherry picked from commit 8908b5085179d07cff45ebb11d498b872d28eee7)
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0b5ae1bd by Alexander Bokovoy at 2019-03-28T13:10:59Z
trusts: add support for one-way shared secret trust
Refactor ipa-sam code to generate principals with additional POSIX
information so that FreeIPA is capable to establish trust when using a
shared secret from Active Directory domain controller side.
Trust verification process from Samba AD DC or Microsoft Windows AD DC
side requires us to have a working local TDO object with POSIX
attributes so that smbd would be able to map incoming authenticated
Kerberos principal for the TDO to a local POSIX account.
Note that FreeIPA stores TDO objects in a subtree of cn=trusts,$SUFFIX
and thus SSSD is not able to see these POSIX accounts unless
specifically instructed to do so via multiple search bases. The support
for automatically enabling cn=trusts,$SUFFIX search base in IPA server
mode was added to SSSD 1.16.3 and 2.1.0 with the commit
https://pagure.io/SSSD/sssd/c/14faec9cd9437ef116ae054412d25ec2e820e409
Fixes: https://pagure.io/freeipa/issue/6077
(cherry picked from commit f30f7e380ef9d327ced3e1b0e5c800a8b1069097)
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
2a7731c5 by Alexander Bokovoy at 2019-03-28T13:10:59Z
upgrade: upgrade existing trust agreements to new layout
Existing trust agreements will lack required Kerberos principals and
POSIX attributes expected to allow Active Directory domain controllers
to query IPA master over LSA and NETLOGON RPC pipes.
Upgrade code is split into two parts:
- upgrade trusted domain object to have proper POSIX attributes
- generate required Kerberos principals for AD DC communication
Fixes: https://pagure.io/freeipa/issue/6077
(cherry picked from commit 090e09df130f27fb30a986529ef0944383e668e1)
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
595f42af by Alexander Bokovoy at 2019-03-28T13:10:59Z
upgrade: add trust upgrade to actual upgrade code
Fixes: https://pagure.io/freeipa/issue/6077
(cherry picked from commit f51f90e4b4bac032e076ab0f6cb3dfecb5ae12ce)
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
025facb8 by Christian Heimes at 2019-03-28T16:57:58Z
Add hidden replica feature
A hidden replica is a replica that does not advertise its services via
DNS SRV records, ipa-ca DNS entry, or LDAP. Clients do not auto-select a
hidden replica, but are still free to explicitly connect to it.
Fixes: https://pagure.io/freeipa/issue/7892
Co-authored-by: Francois Cami <fcami at redhat.com>:
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
0770d8a0 by François Cami at 2019-03-28T16:57:58Z
ipatests: Exercise hidden replica feature
A hidden replica is a replica that does not advertise its services via
DNS SRV records, ipa-ca DNS entry, or LDAP. Clients do not auto-select a
hidden replica, but are still free to explicitly connect to it.
Fixes: https://pagure.io/freeipa/issue/7892
Co-authored-by: Francois Cami <fcami at redhat.com>
Signed-off-by: Francois Cami <fcami at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
99133eb1 by Christian Heimes at 2019-03-28T16:57:58Z
Simplify and improve tests
Move tests for DNS and roles into helper methods to make them reusable.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
94b86354 by Christian Heimes at 2019-03-28T16:57:58Z
Implement server-state --state=enabled/hidden
server-state modified the hidden / enabled flags of all configured
services of a server. Since the command does not directly modify the
server LDAP entry, the command has to be implemented as a dedicated plugin.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
d810e1ff by Christian Heimes at 2019-03-28T16:57:58Z
Consider hidden servers as role provider
Hidden services are now considered as associated role providers, too. This
fixes the issue of:
invalid 'PKINIT enabled server': all masters must have IPA
master role enabled
and similar issues with CA and DNS.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
56d97f94 by Christian Heimes at 2019-03-28T16:57:58Z
Improve config-show to show hidden servers
config-show only used to show enabled servers. Now also show hidden
servers on separate lines. Additionally include information about
KRA and DNS servers.
The augmented config-show output makes it easier to diagnose a cluster
and simplifies sanity checks.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
f839d3c9 by Christian Heimes at 2019-03-28T16:57:58Z
More test fixes
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
e7e0f190 by Christian Heimes at 2019-03-28T16:57:58Z
Don't allow to hide last server for a role
DNSSec key master and CA renewal master can't be hidden. There must be
at least one enabled server available for each role, too.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
8b1bb211 by Christian Heimes at 2019-03-28T16:57:58Z
Synchronize hidden state from IPA master role
ipa-{adtrust|ca|dns|kra}-install on a hidden replica also installs the
new service as hidden service.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
e04dc9a8 by Christian Heimes at 2019-03-28T16:57:58Z
Test replica installation from hidden replica
Exercise ipa-replica-install with a hidden replica as source server and
creation of replication agreements between a hidden and an enabled
replica.
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
d727321c by Christian Heimes at 2019-03-28T16:57:58Z
Add design draft
The design draft explains implementation details, limitations, and API
changes for the new feature.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
713c9b0c by Christian Heimes at 2019-03-28T16:57:58Z
Don't fail if config-show does not return servers
When uninstalling a cluster and only hidden servers are left,
config-show can return a result set without ipa_master_server entry.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
ddf8e16a by Christian Heimes at 2019-03-29T08:55:13Z
Add hidden replica feature
A hidden replica is a replica that does not advertise its services via
DNS SRV records, ipa-ca DNS entry, or LDAP. Clients do not auto-select a
hidden replica, but are still free to explicitly connect to it.
Fixes: https://pagure.io/freeipa/issue/7892
Co-authored-by: Francois Cami <fcami at redhat.com>:
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
f96f4a19 by François Cami at 2019-03-29T08:55:13Z
ipatests: Exercise hidden replica feature
A hidden replica is a replica that does not advertise its services via
DNS SRV records, ipa-ca DNS entry, or LDAP. Clients do not auto-select a
hidden replica, but are still free to explicitly connect to it.
Fixes: https://pagure.io/freeipa/issue/7892
Co-authored-by: Francois Cami <fcami at redhat.com>
Signed-off-by: Francois Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
585bc52b by Christian Heimes at 2019-03-29T08:55:13Z
Simplify and improve tests
Move tests for DNS and roles into helper methods to make them reusable.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
f3daa45c by Christian Heimes at 2019-03-29T08:55:13Z
Implement server-state --state=enabled/hidden
server-state modified the hidden / enabled flags of all configured
services of a server. Since the command does not directly modify the
server LDAP entry, the command has to be implemented as a dedicated plugin.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
0bf26c59 by Christian Heimes at 2019-03-29T08:55:13Z
Consider hidden servers as role provider
Hidden services are now considered as associated role providers, too. This
fixes the issue of:
invalid 'PKINIT enabled server': all masters must have IPA
master role enabled
and similar issues with CA and DNS.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
de1a075b by Christian Heimes at 2019-03-29T08:55:13Z
Improve config-show to show hidden servers
config-show only used to show enabled servers. Now also show hidden
servers on separate lines. Additionally include information about
KRA and DNS servers.
The augmented config-show output makes it easier to diagnose a cluster
and simplifies sanity checks.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
3e2fb215 by Christian Heimes at 2019-03-29T08:55:13Z
More test fixes
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
dc2a5ece by Christian Heimes at 2019-03-29T08:55:13Z
Don't allow to hide last server for a role
DNSSec key master and CA renewal master can't be hidden. There must be
at least one enabled server available for each role, too.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
87f9119a by Christian Heimes at 2019-03-29T08:55:13Z
Synchronize hidden state from IPA master role
ipa-{adtrust|ca|dns|kra}-install on a hidden replica also installs the
new service as hidden service.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
467ceaff by Christian Heimes at 2019-03-29T08:55:13Z
Test replica installation from hidden replica
Exercise ipa-replica-install with a hidden replica as source server and
creation of replication agreements between a hidden and an enabled
replica.
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
66c961da by Christian Heimes at 2019-03-29T08:55:13Z
Add design draft
The design draft explains implementation details, limitations, and API
changes for the new feature.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
c76620ef by Christian Heimes at 2019-03-29T08:55:13Z
Don't fail if config-show does not return servers
When uninstalling a cluster and only hidden servers are left,
config-show can return a result set without ipa_master_server entry.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
19db292e by Thomas Woerner at 2019-03-29T08:59:55Z
Extend test for orphan automember rules (issue/6476)
The test was not executing ipa automember-rebuild --type hostgroup.
The test has been extended to execute it twice: Once when it needs to fail
because there is an orphan automember rule. Also after this orphan
automember rule has been removed. Here the test needs to succeed.
Fixes: https://pagure.io/freeipa/issue/7891
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
98b7fbec by Fraser Tweedale at 2019-03-29T09:23:32Z
Fix installation when CA subject DN has escapes
There were several bugs across several projects preventing
installation when the CA subject DN contains characters that need
escaping in the string representation, e.g.
CN=Certificate Authority,O=Acme\, Inc.,ST=Massachusetts,C=US
The package versions containing relevant fixes are:
- 389-ds-base 1.4.0.20 (we already require >= 1.4.0.21)
- pki-core 10.5.5 (we already require >= 10.6.8)
- certmonger 0.79.7 (this commit bumps the dependency)
With this change, installation will now work. Integration tests are
left for a subsequent commit.
Fixes: https://pagure.io/freeipa/issue/7347
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a376b613 by Christian Heimes at 2019-03-29T10:35:26Z
Add test case for configure_openldap_conf
IPAChangeConf doesn't handle lines with mixed assignment values
correctly.
See: https://pagure.io/freeipa/issue/7838
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
5b337a54 by Oleg Kozlov at 2019-03-29T13:04:04Z
Show a notification that sssd needs restarting after idrange-mod
If the `ipa idrange-mod` command has been used show a notification that sssd.service needs restarting. It's needed for applying changes. E.g. after setup AD trust with a domain with more than 200000 objects (the highest RID > idm's default value, 200000) users with RIDs > 200000 are not able to login, the size needs to be increased via idrange-mod, but it makes an effect only after sssd restarting.
Implementation:
Notification was implemented via passing `ipalib.messages.ServiceRestartRequired` to `add_message` method in `ipaserver.plugins.idrange.idrange_mod.post_callback`.
Tests:
Added `messages` with sssd restart required (`ipalib.messages.ServiceRestartRequired`) to cases with idrange_mod where output is expected in `ipatests.test_xmlrpc.test_range_plugin.test_range'.
Fixes: https://pagure.io/freeipa/issue/7708
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
487ab52e by Fraser Tweedale at 2019-03-29T15:10:45Z
Fix installation when CA subject DN has escapes
There were several bugs across several projects preventing
installation when the CA subject DN contains characters that need
escaping in the string representation, e.g.
CN=Certificate Authority,O=Acme\, Inc.,ST=Massachusetts,C=US
The package versions containing relevant fixes are:
- 389-ds-base 1.4.0.20 (we already require >= 1.4.0.21)
- pki-core 10.5.5 (we already require >= 10.6.8)
- certmonger 0.79.7 (this commit bumps the dependency)
With this change, installation will now work. Integration tests are
left for a subsequent commit.
Fixes: https://pagure.io/freeipa/issue/7347
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
692cbc5d by Tibor Dudlák at 2019-03-29T17:56:40Z
Fix test_ntp_options to use tasks' methods
Use methods:
- tasks.replica_install()
- tasks.client_install()
instead of custom methods.
Move ntp_pool/server to class scope.
Using teardown_method for cleanup.
Edit tasks.client_install to return result of installation.
Refactor install_replica task:
Add promote parameter to install_replica task.
Add ntp_args to install_client call and remove from
replica installation from tasks.install_replica while promoting.
Use case while not promoting has to have user allowed to enroll
a replica and server to contact in case autodiscovery does not work.
Related: https://pagure.io/freeipa/issue/7719
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5cacd135 by Varun Mylaraiah at 2019-03-29T17:58:49Z
ipatests: add tests for NTP options usage on server, replica, and client
The following tests are added in test_ntp_options.py :: TestNTPoptions
- test_server_and_client_install_without_option_n
- test_server_and_client_install_with_option_n
- test_server_and_client_install_with_multiple_ntp_server
- test_server_replica_and_client_install_with_ntp_pool_and_ntp_server
- test_server_and_client_install_with_mixed_options
- test_two_step_replica_install_using_ntp_options
- test_two_step_replica_install_without_ntp_options
Details in the ticket: https://pagure.io/freeipa/issue/7719
and https://pagure.io/freeipa/issue/7723
Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
4714c543 by Varun Mylaraiah at 2019-03-29T17:58:49Z
nightly_master.yaml Added test_integration/test_ntp_options.py
Signed-off-by: Varun Mylaraiah <mavrun at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
d02e0c36 by Varun Mylaraiah at 2019-03-29T17:58:49Z
nightly_rawhide.yaml Added test_integration/test_ntp_options.py
Signed-off-by: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
657fc760 by Tibor Dudlák at 2019-03-29T17:58:49Z
Fix test_ntp_options to use tasks' methods
Use methods:
- tasks.replica_install()
- tasks.client_install()
instead of custom methods.
Move ntp_pool/server to class scope.
Using teardown_method for cleanup.
Edit tasks.client_install to return result of installation.
Refactor install_replica task:
Add promote parameter to install_replica task.
Add ntp_args to install_client call and remove from
replica installation from tasks.install_replica while promoting.
Use case while not promoting has to have user allowed to enroll
a replica and server to contact in case autodiscovery does not work.
Related: https://pagure.io/freeipa/issue/7719
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
ca42f2f5 by Oleg Kozlov at 2019-03-29T18:31:28Z
Show a notification that sssd needs restarting after idrange-mod
If the `ipa idrange-mod` command has been used show a notification that sssd.service needs restarting. It's needed for applying changes. E.g. after setup AD trust with a domain with more than 200000 objects (the highest RID > idm's default value, 200000) users with RIDs > 200000 are not able to login, the size needs to be increased via idrange-mod, but it makes an effect only after sssd restarting.
Implementation:
Notification was implemented via passing `ipalib.messages.ServiceRestartRequired` to `add_message` method in `ipaserver.plugins.idrange.idrange_mod.post_callback`.
Tests:
Added `messages` with sssd restart required (`ipalib.messages.ServiceRestartRequired`) to cases with idrange_mod where output is expected in `ipatests.test_xmlrpc.test_range_plugin.test_range'.
Fixes: https://pagure.io/freeipa/issue/7708
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
52394ebc by Christian Heimes at 2019-03-29T19:04:34Z
Add test case for configure_openldap_conf
IPAChangeConf doesn't handle lines with mixed assignment values
correctly.
See: https://pagure.io/freeipa/issue/7838
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
ffcbb835 by Alexander Bokovoy at 2019-04-01T10:08:12Z
ipasam: use SID formatting calls to libsss_idmap
Samba 4.10 moved away to private libraries two functions we used to
convert a binary SID structre to strings:
- sid_talloc_string()
- sid_string_dbg()
We already used libsss_idmap to convert textual representation of SIDs
to a binary one, use the reverse function too.
libsss_idmap code operates on talloc structures, so we need to adopt a
bit a place where sid_string_dbg() was used because it assumed a static
buffer was provided by sid_string_dbg().
Finally, sid_talloc_string()'s replacement moves allocated memory to the
right context so that a memory will be freed earlier. Our SSSD idmap
context is a long-living one while in all cases where we were using
sid_talloc_string() we free the context much earlier.
Resolves: https://pagure.io/freeipa/issue/7893
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d60122f9 by Florence Blanc-Renaud at 2019-04-01T10:35:42Z
ipa-server-upgrade: fix add_systemd_user_hbac
During upgrade, the method add_systemd_user_hbac is creating
a hbacsvc and a hbacrule, but fails in python2 because of
unicode conversion errors.
The arguments should be defined as u'value'.
Fixes: https://pagure.io/freeipa/issue/7896
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
23ae171d by Florence Blanc-Renaud at 2019-04-01T10:55:46Z
ipa-setup-kra: fix python2 parameter
ipa-setup-kra is failing in python2 with
invalid 'role_servrole': must be Unicode text
because of a unicode conversion error.
The method api.Command.server_role_find is called with the parameter
role_servrole='IPA master' but it should rather be
role_servrole=u'IPA master'
Fixes: https://pagure.io/freeipa/issue/7897
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
de4a9875 by Alexander Bokovoy at 2019-04-01T11:27:41Z
oddjob: allow to pass options to trust-fetch-domains
Refactor com.redhat.idm.trust-fetch.domains oddjob helper to allow
passing administrative credentials and a domain controller to talk to.
This approach allows to avoid rediscovering a domain controller in case
a user actually specified the domain controller when establishing trust.
It also allows to pass through admin credentials if user decides to do
so. The latter will be used later to allow updating trust topology in a
similar oddjob helper.
Resolves: https://pagure.io/freeipa/issue/7895
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
137af1d2 by Alexander Bokovoy at 2019-04-01T11:29:59Z
ipasam: use SID formatting calls to libsss_idmap
Samba 4.10 moved away to private libraries two functions we used to
convert a binary SID structre to strings:
- sid_talloc_string()
- sid_string_dbg()
We already used libsss_idmap to convert textual representation of SIDs
to a binary one, use the reverse function too.
libsss_idmap code operates on talloc structures, so we need to adopt a
bit a place where sid_string_dbg() was used because it assumed a static
buffer was provided by sid_string_dbg().
Finally, sid_talloc_string()'s replacement moves allocated memory to the
right context so that a memory will be freed earlier. Our SSSD idmap
context is a long-living one while in all cases where we were using
sid_talloc_string() we free the context much earlier.
Resolves: https://pagure.io/freeipa/issue/7893
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
84197a03 by Florence Blanc-Renaud at 2019-04-01T12:20:51Z
ipa-server-upgrade: fix add_systemd_user_hbac
During upgrade, the method add_systemd_user_hbac is creating
a hbacsvc and a hbacrule, but fails in python2 because of
unicode conversion errors.
The arguments should be defined as u'value'.
Fixes: https://pagure.io/freeipa/issue/7896
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
53594b9d by Florence Blanc-Renaud at 2019-04-01T12:39:45Z
ipa-setup-kra: fix python2 parameter
ipa-setup-kra is failing in python2 with
invalid 'role_servrole': must be Unicode text
because of a unicode conversion error.
The method api.Command.server_role_find is called with the parameter
role_servrole='IPA master' but it should rather be
role_servrole=u'IPA master'
Fixes: https://pagure.io/freeipa/issue/7897
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
12bc3fd1 by Alexander Bokovoy at 2019-04-01T13:53:33Z
oddjob: allow to pass options to trust-fetch-domains
Refactor com.redhat.idm.trust-fetch.domains oddjob helper to allow
passing administrative credentials and a domain controller to talk to.
This approach allows to avoid rediscovering a domain controller in case
a user actually specified the domain controller when establishing trust.
It also allows to pass through admin credentials if user decides to do
so. The latter will be used later to allow updating trust topology in a
similar oddjob helper.
Resolves: https://pagure.io/freeipa/issue/7895
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
c3fc551c by Christian Heimes at 2019-04-01T14:10:59Z
Disable flaky hidden replica backup test
The test case for hidden replica restore is flaky and sometimes fails.
The general issues is covered by upstream bug 7894.
See: https://pagure.io/freeipa/issue/7894
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
cc1fb2fa by Sergey Orlov at 2019-04-01T14:24:46Z
Revert "Tests: Remove DNS configuration from trust tests"
This reverts commit 1d9e1521c59a5b43c2322892ce5cbe8cceff2790.
The reverted commit message states:
"Since DNS configuration is no longer needed for running trust tests,
this method's contents are removed."
In fact tests can run without DNS configuration only in case if test setup
has a DNS server with DNSSEC support and there are A records for Windows
machines and SRV records Windows AD services and this DNS server is used
as forwarder by bind. If one of these in not true
then tests fail when trying to establish trust (ipa trust-add) as --server
option is not used and ipa can not find the AD machine. If we specify
--server option and add Windows hosts to /etc/hosts, then trust will be
established, but then sssd will fail to find the host to talk for getting users
from AD. So for general case we should setup DNS forwarders prior to
establishing trust, as stated in
https://www.freeipa.org/page/Active_Directory_trust_setup
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3e01d261 by Sergey Orlov at 2019-04-01T14:24:46Z
ipatests: in test_trust.py fix prameters in invocation of tasks.configure_dns_for_trust
It was changed in f487233df002bf73dd48d5c87a146b90542bd034
for unknown reason. It did not influence test runs as
configure_dns_for_trust was made no-op in previous commit
1d9e1521c59a5b43c2322892ce5cbe8cceff2790. As now this commit is reverted,
configure_dns_for_trust is restored, invocation parameters also need to
be changed to initial values.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
14f27d29 by Sergey Orlov at 2019-04-01T14:24:46Z
ipatests: disable bind dns validation when preparing to establish AD trust
Before establishing trust with AD it is recommended in documentation
(and for many setups necessary) to create add DNS forwarder for AD domain.
Bind config supplied by ipa server has dnssec validation enabled.
If Windows server DNS does not have DNSSEC enabled with valid certificate,
then bind will not be able to use it as forwarder and trust will not be
established.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1d0a612a by Sergey Orlov at 2019-04-01T14:24:46Z
ipatests: in test_trust.py fix parent class
TestExternalTrustWithRootDomain was inherited from ADTrustSubdomainBase
This caused that external trust was checked two times with subdomain
and was not checked with root domain.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e8955cc7 by Sergey Orlov at 2019-04-01T14:24:46Z
ipatests: fix expectations of `ipa trust-find` output for trust with root domain
Test was expecting that when trust is established with forest root, than all
three AD domains should be found when quering trust-find for that domain.
Actually only root domain and its subdomain should be returned, without
the tree domain.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
03e2693a by Sergey Orlov at 2019-04-01T14:24:46Z
ipatests: relax requirements for time server quality
When synchronizing time with windows server using chronyd I often see
error "No suitable source for synchronisation". This happens because chronyd
with default options refuses to use time servers with big jitter and delay.
For some reasons Windows time server does have big jitter. In some test setups
delay also can be rathe big.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
35a4642a by Sergey Orlov at 2019-04-01T14:24:46Z
ipatests: allow AD hosts to be placed in separate domain config objects
Tests for AD trust can use three types (roles) of AD machines:
forest root, subdomain and tree domain.
All those machines were placed in one domain object of multihost configuration,
though they all have different domain names.
This is bad as we can not use domain attributes provided by multihost plugin
like host.domain.name and host.domain.basedn and others and need to reimplement
them, evaluating domain name from host.hostname.
And if we accidently used those properties it would lead to difficult to locate
errors (we would use same domain name for all AD hosts).
I modified multihost fixture function mh() to allow creating several AD domains.
As multihost plugin does not support requesting multiple domains with the same type,
I had to introduce new domain types: AD_SUBDOMAIN and AD_TREEDOMAIN.
Also there was a error in mh() which forced user to provide all three AD
machines when only one was needed (value from test class property num_ad_domains
was applied to subdomains and treedomains requirement).
I changed this behavior and now additional AD machines are specified with
properties num_ad_subdomains and num_ad_treedomains.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
94a6cb11 by Sergey Orlov at 2019-04-01T14:24:46Z
ipatests: adapt test_trust.py for changes in multihost fixture
AD hosts can now be extracted from list in respective class attributes and host
domain names -- from properties provided by multihost plugin (host.domain.name).
Also removed conditional skips of tests when test configuration contains only
part of required AD machines as this feature never worked:
multihost plugin removes all machines from config which are not explicitly
requested.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c8197165 by Sergey Orlov at 2019-04-01T14:24:46Z
ipatests: refactor test_trust.py
Tests in test_trust.py were organized in ten classes, one for each trust type,
requiring ten cycles of ipaserver installation/uninstallation and the full test
run lasted for about 5500 seconds.
There is no need in reinstallation of ipaserver between establishing different
types of trust.
I moved all tests to sinle class, preserving test logic.
Additional changes:
* TestEnforcedPosixADTrust was totally removed as it was duplicate of
TestPosixADTrust
* code of repeated checks was moved to methods
* A task was cretated for cleaning up DNS configuration changes made for
establishing trust
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9a1b7547 by Sergey Orlov at 2019-04-02T13:53:41Z
Revert "Tests: Remove DNS configuration from trust tests"
This reverts commit 1d9e1521c59a5b43c2322892ce5cbe8cceff2790.
The reverted commit message states:
"Since DNS configuration is no longer needed for running trust tests,
this method's contents are removed."
In fact tests can run without DNS configuration only in case if test setup
has a DNS server with DNSSEC support and there are A records for Windows
machines and SRV records Windows AD services and this DNS server is used
as forwarder by bind. If one of these in not true
then tests fail when trying to establish trust (ipa trust-add) as --server
option is not used and ipa can not find the AD machine. If we specify
--server option and add Windows hosts to /etc/hosts, then trust will be
established, but then sssd will fail to find the host to talk for getting users
from AD. So for general case we should setup DNS forwarders prior to
establishing trust, as stated in
https://www.freeipa.org/page/Active_Directory_trust_setup
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d3b6f2ae by Sergey Orlov at 2019-04-02T13:53:41Z
ipatests: in test_trust.py fix prameters in invocation of tasks.configure_dns_for_trust
It was changed in f487233df002bf73dd48d5c87a146b90542bd034
for unknown reason. It did not influence test runs as
configure_dns_for_trust was made no-op in previous commit
1d9e1521c59a5b43c2322892ce5cbe8cceff2790. As now this commit is reverted,
configure_dns_for_trust is restored, invocation parameters also need to
be changed to initial values.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2c3d4254 by Sergey Orlov at 2019-04-02T13:53:41Z
ipatests: disable bind dns validation when preparing to establish AD trust
Before establishing trust with AD it is recommended in documentation
(and for many setups necessary) to create add DNS forwarder for AD domain.
Bind config supplied by ipa server has dnssec validation enabled.
If Windows server DNS does not have DNSSEC enabled with valid certificate,
then bind will not be able to use it as forwarder and trust will not be
established.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
81f8fbd7 by Sergey Orlov at 2019-04-02T13:53:41Z
ipatests: in test_trust.py fix parent class
TestExternalTrustWithRootDomain was inherited from ADTrustSubdomainBase
This caused that external trust was checked two times with subdomain
and was not checked with root domain.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1547f9de by Sergey Orlov at 2019-04-02T13:53:41Z
ipatests: fix expectations of `ipa trust-find` output for trust with root domain
Test was expecting that when trust is established with forest root, than all
three AD domains should be found when quering trust-find for that domain.
Actually only root domain and its subdomain should be returned, without
the tree domain.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4d518756 by Sergey Orlov at 2019-04-02T13:53:41Z
ipatests: relax requirements for time server quality
When synchronizing time with windows server using chronyd I often see
error "No suitable source for synchronisation". This happens because chronyd
with default options refuses to use time servers with big jitter and delay.
For some reasons Windows time server does have big jitter. In some test setups
delay also can be rathe big.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
cfa2e391 by Sergey Orlov at 2019-04-02T13:53:41Z
ipatests: allow AD hosts to be placed in separate domain config objects
Tests for AD trust can use three types (roles) of AD machines:
forest root, subdomain and tree domain.
All those machines were placed in one domain object of multihost configuration,
though they all have different domain names.
This is bad as we can not use domain attributes provided by multihost plugin
like host.domain.name and host.domain.basedn and others and need to reimplement
them, evaluating domain name from host.hostname.
And if we accidently used those properties it would lead to difficult to locate
errors (we would use same domain name for all AD hosts).
I modified multihost fixture function mh() to allow creating several AD domains.
As multihost plugin does not support requesting multiple domains with the same type,
I had to introduce new domain types: AD_SUBDOMAIN and AD_TREEDOMAIN.
Also there was a error in mh() which forced user to provide all three AD
machines when only one was needed (value from test class property num_ad_domains
was applied to subdomains and treedomains requirement).
I changed this behavior and now additional AD machines are specified with
properties num_ad_subdomains and num_ad_treedomains.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
37ef3bdf by Sergey Orlov at 2019-04-02T13:53:41Z
ipatests: adapt test_trust.py for changes in multihost fixture
AD hosts can now be extracted from list in respective class attributes and host
domain names -- from properties provided by multihost plugin (host.domain.name).
Also removed conditional skips of tests when test configuration contains only
part of required AD machines as this feature never worked:
multihost plugin removes all machines from config which are not explicitly
requested.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3f4fc3d9 by Sergey Orlov at 2019-04-02T13:53:41Z
ipatests: refactor test_trust.py
Tests in test_trust.py were organized in ten classes, one for each trust type,
requiring ten cycles of ipaserver installation/uninstallation and the full test
run lasted for about 5500 seconds.
There is no need in reinstallation of ipaserver between establishing different
types of trust.
I moved all tests to sinle class, preserving test logic.
Additional changes:
* TestEnforcedPosixADTrust was totally removed as it was duplicate of
TestPosixADTrust
* code of repeated checks was moved to methods
* A task was cretated for cleaning up DNS configuration changes made for
establishing trust
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3cb1ccb3 by Christian Heimes at 2019-04-02T17:35:38Z
Add option to remove lines from a file
config_replace_variables() can now also remove lines from a file.
Related: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e4621f12 by Christian Heimes at 2019-04-02T17:35:38Z
Add tasks.systemd_daemon_reload()
systemd daemon must be reloaded after a config file is added, changed,
or removed. Provide a common API endpoint in ipaplatform.tasks.
Related: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1dfac4f5 by Christian Heimes at 2019-04-02T17:35:38Z
Move DS's Kerberos env vars to unit file
The IPA specific env vars KRB5_KTNAME and KRB5CCNAME are now defined in
a instance specific ipa-env.conf unit file.
Fixes: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f9f01f52 by Christian Heimes at 2019-04-03T08:54:19Z
Add option to remove lines from a file
config_replace_variables() can now also remove lines from a file.
Related: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f9b3fc1f by Christian Heimes at 2019-04-03T08:54:19Z
Add tasks.systemd_daemon_reload()
systemd daemon must be reloaded after a config file is added, changed,
or removed. Provide a common API endpoint in ipaplatform.tasks.
Related: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b6c810e9 by Christian Heimes at 2019-04-03T08:54:19Z
Move DS's Kerberos env vars to unit file
The IPA specific env vars KRB5_KTNAME and KRB5CCNAME are now defined in
a instance specific ipa-env.conf unit file.
Fixes: https://pagure.io/freeipa/issue/7860
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
35095458 by Christian Heimes at 2019-04-03T13:16:21Z
Require a minimum SASL security factor of 56
SSF_MINX 56 level ensures data integrity and confidentiality for SASL
GSSAPI and SASL GSS SPNEGO connections.
Although at least AES128 is enforced pretty much everywhere, 56 is required
for backwards compatibility with systems that announce wrong SSF.
Related: https://pagure.io/freeipa/issue/7140
Related: https://pagure.io/freeipa/issue/4580
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
3c354e74 by Christian Heimes at 2019-04-04T08:05:10Z
Verify external CA's basic constraint pathlen
IPA no verifies that intermediate certs of external CAs have a basic
constraint path len of at least 1 and increasing.
Fixes: https://pagure.io/freeipa/issue/7877
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
18623d49 by Christian Heimes at 2019-04-04T10:33:54Z
Verify external CA's basic constraint pathlen
IPA no verifies that intermediate certs of external CAs have a basic
constraint path len of at least 1 and increasing.
Fixes: https://pagure.io/freeipa/issue/7877
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
0c50cc39 by Alexander Bokovoy at 2019-04-07T10:26:09Z
Remove DsInstance.request_service_keytab as it is not needed anymore
DsInstance.request_service_keytab() used to configure
/etc/sysconfig/dirsrv which is not needed anymore with 389-ds-base
1.4.1.2. Thus, the method became indistinguishable from the parent and
can be removed completely.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
64ce8f0c by Alexander Bokovoy at 2019-04-08T05:35:35Z
Remove DsInstance.request_service_keytab as it is not needed anymore
DsInstance.request_service_keytab() used to configure
/etc/sysconfig/dirsrv which is not needed anymore with 389-ds-base
1.4.1.2. Thus, the method became indistinguishable from the parent and
can be removed completely.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a241a81b by Rob Crittenden at 2019-04-08T08:22:45Z
Add interactive prompt for the LDAP bind password to ipa-getkeytab
This provides a mechanism to bind over LDAP without exposing
the password on the command-line.
https://pagure.io/freeipa/issue/631
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
3fdbf48f by Christian Heimes at 2019-04-08T12:53:35Z
Skip orphan automember rule test
389-DS 1.4.0.22 was pushed to Fedora over the weekend. The new versin
breaks test_find_orphan_automember_rules. Skip the test case for now
until we have more time to investigate the issue.
Related: https://pagure.io/freeipa/issue/7902
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
10b99ac7 by Christian Heimes at 2019-04-08T15:31:50Z
Skip orphan automember rule test
389-DS 1.4.0.22 was pushed to Fedora over the weekend. The new versin
breaks test_find_orphan_automember_rules. Skip the test case for now
until we have more time to investigate the issue.
Related: https://pagure.io/freeipa/issue/7902
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
cb0f24bf by Alexander Bokovoy at 2019-04-08T15:51:38Z
Bypass D-BUS interface definition deficiences for trust-fetch-domains
In oddjobd it is possible to pass arguments as command line or on the
stdin. We use command line to pass them but the way oddjobd registers
the D-BUS method signatures is by specifying all arguments as mandatory.
Internally, oddjobd simply ignores if you passed less arguments than
specified in the D-BUS defition. Unfortunately, it is not possible to
specify less than maximum due to D-BUS seeing all arguments in the
list (30 is defined for the trust-fetch-domains).
To pass options, have to pad a list of arguments to maximum with empty
strings and then filter out unneeded ones in the script. Option parser
already removes all options from the list of arguments so all we need to
do is to take our actual arguments. In case of trust-fetch-domains, it
is the name of the domain so we can only care about args[0].
Fixes: https://pagure.io/freeipa/issue/7903
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
b903df96 by Alexander Bokovoy at 2019-04-08T17:10:51Z
Bypass D-BUS interface definition deficiences for trust-fetch-domains
In oddjobd it is possible to pass arguments as command line or on the
stdin. We use command line to pass them but the way oddjobd registers
the D-BUS method signatures is by specifying all arguments as mandatory.
Internally, oddjobd simply ignores if you passed less arguments than
specified in the D-BUS defition. Unfortunately, it is not possible to
specify less than maximum due to D-BUS seeing all arguments in the
list (30 is defined for the trust-fetch-domains).
To pass options, have to pad a list of arguments to maximum with empty
strings and then filter out unneeded ones in the script. Option parser
already removes all options from the list of arguments so all we need to
do is to take our actual arguments. In case of trust-fetch-domains, it
is the name of the domain so we can only care about args[0].
Fixes: https://pagure.io/freeipa/issue/7903
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
8a5dc1b3 by Christian Heimes at 2019-04-09T07:13:27Z
Adapt cert-find performance workaround for users
ipa cert-find --users=NAME was slow on system with lots of certificates.
User certificates have CN=$username, therefore the performance tweak
from ticket 7835 also works for user certificates.
Related: https://pagure.io/freeipa/issue/7835
Fixes: https://pagure.io/freeipa/issue/7901
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
a5213140 by Christian Heimes at 2019-04-09T09:28:37Z
Make netifaces optional
netifaces is a binary Python extension. Outside of the installer, it's
only used by CheckedIPAddress.get_matching_interface, which is only
called from installer code.
Make the import of netifaces optional to reduce the amount of
dependencies for PyPI package use case. Binary extensions are especially
annoying, because they depend on shared libraries, compiler, and header
files to be present.
Related: https://pagure.io/freeipa/issue/6468
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Oleg Kozlov <okozlov at redhat.com>
- - - - -
6fed1700 by Christian Heimes at 2019-04-09T09:48:22Z
automount: rmtree temp directory
ipa-client-automount uses the host keytab to acquire a TGT. The script
sets up a temporary directory for its ccache. At the end of the script
it removes the ccache and temp directory again.
In case of a failed kinit, the ccache is not created and the removal of
the ccache causes an exception. The automount installer now uses
shutil.rmtree() to remove the temporary directory and all its content.
Fixes: https://pagure.io/freeipa/issue/7862
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
12bfb86f by Christian Heimes at 2019-04-09T10:32:31Z
Make netifaces optional
netifaces is a binary Python extension. Outside of the installer, it's
only used by CheckedIPAddress.get_matching_interface, which is only
called from installer code.
Make the import of netifaces optional to reduce the amount of
dependencies for PyPI package use case. Binary extensions are especially
annoying, because they depend on shared libraries, compiler, and header
files to be present.
Related: https://pagure.io/freeipa/issue/6468
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Oleg Kozlov <okozlov at redhat.com>
Reviewed-By: Oleg Kozlov <okozlov at redhat.com>
- - - - -
11907edc by Christian Heimes at 2019-04-09T10:33:21Z
Adapt cert-find performance workaround for users
ipa cert-find --users=NAME was slow on system with lots of certificates.
User certificates have CN=$username, therefore the performance tweak
from ticket 7835 also works for user certificates.
Related: https://pagure.io/freeipa/issue/7835
Fixes: https://pagure.io/freeipa/issue/7901
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
eccdcf61 by Christian Heimes at 2019-04-09T11:17:42Z
automount: rmtree temp directory
ipa-client-automount uses the host keytab to acquire a TGT. The script
sets up a temporary directory for its ccache. At the end of the script
it removes the ccache and temp directory again.
In case of a failed kinit, the ccache is not created and the removal of
the ccache causes an exception. The automount installer now uses
shutil.rmtree() to remove the temporary directory and all its content.
Fixes: https://pagure.io/freeipa/issue/7862
Signed-off-by: Christian Heimes <cheimes at redhat.com>
- - - - -
fdc3554d by Christian Heimes at 2019-04-09T11:38:28Z
Gating: remove vault and kdcproxy tests
Vault and KDC proxy are neither critical subsystems nor are they likely to
fail. They have been pretty stable and don't see any major development.
It's sufficient to run them in nightly tests only.
The removal speed up gating a bit. Especially vault tests are slow and
usually take more than 30 minutes to complete
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
39b3b016 by Christian Heimes at 2019-04-09T12:37:09Z
Gating: remove vault and kdcproxy tests
Vault and KDC proxy are neither critical subsystems nor are they likely to
fail. They have been pretty stable and don't see any major development.
It's sufficient to run them in nightly tests only.
The removal speed up gating a bit. Especially vault tests are slow and
usually take more than 30 minutes to complete
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Oleg Kozlov <okozlov at redhat.com>
- - - - -
66873e2b by Christian Heimes at 2019-04-10T09:21:25Z
Improve error handling in DNSSEC helpers
* ipa-dnskeysyncd now handles CONNECT_ERROR during bind
* ipa-dnskeysyncd no longer logs full traceback on connection error.
* ipa-dnskeysync-replica now handles SERVER_DOWN/CONNECT_ERROR
exceptions and turns them into pretty error messages.
Fixes: https://pagure.io/freeipa/issue/7905
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Oleg Kozlov <okozlov at redhat.com>
- - - - -
06426d0d by Christian Heimes at 2019-04-10T10:44:23Z
Improve error handling in DNSSEC helpers
* ipa-dnskeysyncd now handles CONNECT_ERROR during bind
* ipa-dnskeysyncd no longer logs full traceback on connection error.
* ipa-dnskeysync-replica now handles SERVER_DOWN/CONNECT_ERROR
exceptions and turns them into pretty error messages.
Fixes: https://pagure.io/freeipa/issue/7905
Signed-off-by: Christian Heimes <cheimes at redhat.com>
- - - - -
8c4d75fd by Christian Heimes at 2019-04-10T11:43:23Z
Add current default.cfg from Dogtag
base/server/etc/default.cfg from commit
https://github.com/dogtagpki/pki/commit/b93183406c0be6ce233eb4ed4c116aa858635cdf
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0a2b02fc by Christian Heimes at 2019-04-10T11:43:23Z
Simplify and slim down ipaca_default.ini
* Remove internal stuff from DEFAULT section
* Remove all non-user modifiable paths
* Remove OCSP, RA, TKS, TPS sections
* Remove deprecated options and replace them with current options
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
70beccad by Christian Heimes at 2019-04-10T11:43:23Z
Add IPA specific vars to ipaca_default.ini
Common settings like "pki_*_signing_key_algorithm" now use an IPA
specific template variable. The approach makes it easier to change all
signing parameters to use a different algorithm.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f847d775 by Christian Heimes at 2019-04-10T11:43:23Z
Use new pki_ipaca.ini to spawn instances
Note: Some configuration stanzas are deprecated and have been replaced
with new stanzas, e.g. pki_cert_chain_path instead of
pki_external_ca_cert_chain_path.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dd47cfc7 by Christian Heimes at 2019-04-10T11:43:23Z
Add pki.ini override option
Allow to specify a pki.ini overlay file on the command line. The override
file can be used to override pkispawn settings.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
94937424 by Christian Heimes at 2019-04-10T11:43:23Z
Simplify and consolidate ipaca.ini
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dba89712 by Christian Heimes at 2019-04-10T11:43:23Z
Verify pki ini override early
ipa-server-install now verifies the pki ini override file earlier
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
42efdc7b by Christian Heimes at 2019-04-10T11:43:23Z
Add test case for pki config override
Install CA with 4096bit RSA key and SHA-384 signature.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2b2c5d6c by Christian Heimes at 2019-04-10T11:43:23Z
Add --pki-config-override to man pages
Mention the new option in the man pages for CA, KRA, replica, and server
installation. The documentation must be improved once we have figured
out which options are going to be supported.
Fixes: pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f2826da2 by Florence Blanc-Renaud at 2019-04-10T18:54:43Z
ipa-client-install: autodiscovery must refuse single-label domains
Since commit 905ab93, ipa-server-install refuses single-label domains,
but older IPA server versions could be installed with a single-label
domain/realm.
ipa-client-install is already refusing single-label domain/realm when
provided to the CLI with --domain / --realm but does not perform the same
check when the domain is discovered.
This commit adds a check to domain names automatically discovered and skips
single-label domains. Same check for realm names.
Fixes: https://pagure.io/freeipa/issue/7598
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cf42dc1f by François Cami at 2019-04-11T08:04:00Z
ipaserver/install/krainstance.py: chown after write
When fs.protected_regular=1 root cannot open temp files that
are owned by other users read-write.
So move os.chown after write.
Refactoring suggested by Christian Heimes.
Fixes: https://pagure.io/freeipa/issue/7906
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
536e7da6 by Tibor Dudlák at 2019-04-11T08:19:32Z
Support interactive prompt for ntp options
As the FreeIPA server is no longer a NTP service
providing instance its clients and replicas
configuration of time service can not be handled
as it was before change to chrony. Configuration
using master FQDN or autodiscovery for DNS record
would make no difference because every FreeIPA
instance is only chrony client now and does not
update DNS _ntp._udp record.
FreeIPA now asks user for NTP source server
or pool address in interactive mode if there is
no server nor pool specified and autodiscovery
has not found any NTP source in DNS records.
Resolves: https://pagure.io/freeipa/issue/7747
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3567367b by Tibor Dudlák at 2019-04-11T10:04:36Z
Support interactive prompt for ntp options
As the FreeIPA server is no longer a NTP service
providing instance its clients and replicas
configuration of time service can not be handled
as it was before change to chrony. Configuration
using master FQDN or autodiscovery for DNS record
would make no difference because every FreeIPA
instance is only chrony client now and does not
update DNS _ntp._udp record.
FreeIPA now asks user for NTP source server
or pool address in interactive mode if there is
no server nor pool specified and autodiscovery
has not found any NTP source in DNS records.
Resolves: https://pagure.io/freeipa/issue/7747
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4bc8bc28 by Florence Blanc-Renaud at 2019-04-11T11:42:27Z
ipa-client-install: autodiscovery must refuse single-label domains
Since commit 905ab93, ipa-server-install refuses single-label domains,
but older IPA server versions could be installed with a single-label
domain/realm.
ipa-client-install is already refusing single-label domain/realm when
provided to the CLI with --domain / --realm but does not perform the same
check when the domain is discovered.
This commit adds a check to domain names automatically discovered and skips
single-label domains. Same check for realm names.
Fixes: https://pagure.io/freeipa/issue/7598
- - - - -
d68fe6b9 by François Cami at 2019-04-11T11:56:15Z
ipaserver/install/cainstance.py: unlink before creating new file in /tmp
When fs.protected_regular=1 root cannot open temp files that
are owned by other users read-write.
So unlink temporary file before shutil.copy to it.
Fixes: https://pagure.io/freeipa/issue/7907
Signed-off-by: François Cami fcami at redhat.com
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a0973db2 by François Cami at 2019-04-11T19:38:28Z
ipaserver/install/krainstance.py: chown after write
When fs.protected_regular=1 root cannot open temp files that
are owned by other users read-write.
So move os.chown after write.
Refactoring suggested by Christian Heimes.
Fixes: https://pagure.io/freeipa/issue/7906
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
eeeed847 by François Cami at 2019-04-11T19:40:01Z
ipaserver/install/cainstance.py: unlink before creating new file in /tmp
When fs.protected_regular=1 root cannot open temp files that
are owned by other users read-write.
So unlink temporary file before shutil.copy to it.
Fixes: https://pagure.io/freeipa/issue/7907
Signed-off-by: François Cami fcami at redhat.com
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b79ea6a6 by Florence Blanc-Renaud at 2019-04-15T10:05:22Z
Fix wrong evaluation of attributes in check_repl_update
The method check_repl_update in ipaserver/install/replication.py badly
handles the attributes nsds5ReplicaLastUpdateStart and
nsds5ReplicaLastUpdateEnd as it expects them to contain an int.
These attributes are defined as GeneralizedTime
(OID 1.3.6.1.4.1.1466.115.121.1.24, for instance
nsds5ReplicaLastUpdateEnd='20190412122523Z') but older versions of 389-ds can
also return the value 0 for uninitialized values (see 389-ds ticket 47836).
The code must be able to handle the generalized time format or the 0 value.
The fix removes the 'Z' from the GeneralizedTime and converts to an int,
or assigns 0.
Fixes: https://pagure.io/freeipa/issue/7909
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
80928ba6 by Christian Heimes at 2019-04-16T08:45:59Z
Use Network Manager to configure resolv.conf
IPA used to write a custom /etc/resolv.conf. On Fedora and RHEL,
NetworkManager is typically maintaining resolv.conf. On reboot or
restart of the service, NM overwrites the custom settings.
On systems with NM enabled, the DNS server installer now drops a config
file into NM's global config directory and delegates resolv.conf to NM.
On systems without NM, fall back to create /etc/resolv.conf directly.
Fixes: https://pagure.io/freeipa/issue/7900
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
45b8cc1d by Christian Heimes at 2019-04-16T14:51:40Z
Increase default key size for CA to 3072 bits
The signing key for IPA's CA certificate now uses a 3072 bit RSA key by
default.
According to https://www.keylength.com/, NIST 800-57 Part 1 Rev. 4
recommends 3072 bit RSA keys for keys that are used beyond 2030 for 128 bit
strength.
Fixes: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
00a7868f by Christian Heimes at 2019-04-16T14:51:40Z
Reuse key type and size in certmonger resubmit
Certmonger has hard-coded defaults for key size and key type. In case a
request does not contain these values, certmonger uses 2048 RSA keys.
Since the CA now has 3072, it will also rekey the CA to 2048 instead of
resubmitting with the existing 2048 bit key.
Use key-size and key-type from the existing request when resubmitting.
Related: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2bad9fd0 by Christian Heimes at 2019-04-16T14:51:40Z
Explain why tests still use 2048bit external CA
The test case verifies that IPA supports external CAs with weaker keys.
Related: Related: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
adc79ceb by Christian Heimes at 2019-04-16T14:56:41Z
Use Network Manager to configure resolv.conf
IPA used to write a custom /etc/resolv.conf. On Fedora and RHEL,
NetworkManager is typically maintaining resolv.conf. On reboot or
restart of the service, NM overwrites the custom settings.
On systems with NM enabled, the DNS server installer now drops a config
file into NM's global config directory and delegates resolv.conf to NM.
On systems without NM, fall back to create /etc/resolv.conf directly.
Fixes: https://pagure.io/freeipa/issue/7900
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
0ba25c7e by François Cami at 2019-04-16T14:58:54Z
ipatests: add nfs tests
With the latest NFS changes:
* systemd NFS-related unit files
* configuration from /etc/sysconfig/nfs to /etc/nfs.conf
testing NFS client {manual, ipa-client-automount} configuration
has become paramount.
This extends the existing automount location test and must be
run nightly.
Fixes: https://pagure.io/freeipa/issue/7805
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Peter Cech <pcech at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5ecede78 by Robbie Harwood at 2019-04-17T11:56:05Z
Fix unnecessary usrmerge assumptions
On non-usrmerge systems (e.g., Debian), bash, mv, cp, cat, tail,
keyctl, and gzip live in /bin, not /usr/bin.
On usrmerge systems, /bin is a symlink to /usr/bin (or vice versa), so
this has no effect.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
931608a9 by Robbie Harwood at 2019-04-17T15:35:59Z
Fix unnecessary usrmerge assumptions
On non-usrmerge systems (e.g., Debian), bash, mv, cp, cat, tail,
keyctl, and gzip live in /bin, not /usr/bin.
On usrmerge systems, /bin is a symlink to /usr/bin (or vice versa), so
this has no effect.
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
044a94c7 by François Cami at 2019-04-18T15:13:13Z
ipatests: add nfs tests
With the latest NFS changes:
* systemd NFS-related unit files
* configuration from /etc/sysconfig/nfs to /etc/nfs.conf
testing NFS client {manual, ipa-client-automount} configuration
has become paramount.
This extends the existing automount location test and must be
run nightly.
Fixes: https://pagure.io/freeipa/issue/7805
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Peter Cech <pcech at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Peter Cech <pcech at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
36c65c4a by Christian Heimes at 2019-04-23T10:55:35Z
Remove deprecated object logger
The object logger methods been deprecated for about two years since release
4.6.0. The log manager used to moneky-patch additional log methods like
info(), warning(), and error() into API plugin objects. The methods have
been replaced by calls to module logger objects in 4.6.0.
Remove monkey-patch logger methods, log manager, and its root logger from
ipapython.ipa_log_manager.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
921d803d by Stanislav Levin at 2019-04-24T06:10:45Z
Add missing deps for `make pylint`
The make target `pylint` hasn't a full list of its dependencies.
This leads to problems like:
- different build results
- PR tests just do not run pylint over some Python scripts.
The new build target (`python_scripts`) was implemented.
It's intended for building all Python scripts (files, containing
@PYTHONSHEBANG@ as a shebang placeholder).
The make `pylint` should require it.
Fixes: https://pagure.io/freeipa/issue/7921
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
edd53d8c by Stanislav Levin at 2019-04-24T06:10:45Z
Fix `inconsistent-return-statements` in ipa-dnskeysync-replica
This problem was discovered by pylint.
Fixes: https://pagure.io/freeipa/issue/7921
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3f9e23f1 by Christian Heimes at 2019-04-24T07:09:28Z
Add ExecStartPost hook to wait for Dogtag PKI
Dogtag PKI typically takes around 10 seconds to start and respond to
requests. Dogtag uses a simple systemd service, which means systemd is
unable to detect when Dogtag is ready. Commands like ``systemctl start``
and ``systemctl restart`` don't block and wait until the CA is up. There
have been various workarounds in Dogtag and IPA.
Systemd has an ExecStartPost hook to run programs after the main service
is started. The post hook blocks systemctl start and restart until all
post hooks report ready, too. The new ipa-pki-wait-running script polls
on port 8080 and waits until the CA subsystem returns ``running``.
Related: https://pagure.io/freeipa/issue/7916
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5452eb6e by Christian Heimes at 2019-04-24T07:09:28Z
Reduce startup_timeout to 120sec as documented
man(5) default.conf says that startup_timeout has a default value of 120
seconds. Even 120 seconds are not effective unless systemd is also
reconfigured to have a larger DefaultTimeoutStartSec.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a631997a by Stanislav Levin at 2019-04-24T07:37:57Z
Add missing deps for `make pylint`
The make target `pylint` hasn't a full list of its dependencies.
This leads to problems like:
- different build results
- PR tests just do not run pylint over some Python scripts.
The new build target (`python_scripts`) was implemented.
It's intended for building all Python scripts (files, containing
@PYTHONSHEBANG@ as a shebang placeholder).
The make `pylint` should require it.
Fixes: https://pagure.io/freeipa/issue/7921
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
aecf8418 by Stanislav Levin at 2019-04-24T07:37:57Z
Fix `inconsistent-return-statements` in ipa-dnskeysync-replica
This problem was discovered by pylint.
Fixes: https://pagure.io/freeipa/issue/7921
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6c361d74 by Alexander Bokovoy at 2019-04-24T07:47:31Z
Update translations from Zanata
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e05008d1 by Alexander Bokovoy at 2019-04-24T07:47:31Z
Update mailmap
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
993fd4d7 by Alexander Bokovoy at 2019-04-24T07:47:31Z
Update list of contributors and sort them alphabetically
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d5c400a9 by Christian Heimes at 2019-04-24T11:32:53Z
Add ExecStartPost hook to wait for Dogtag PKI
Dogtag PKI typically takes around 10 seconds to start and respond to
requests. Dogtag uses a simple systemd service, which means systemd is
unable to detect when Dogtag is ready. Commands like ``systemctl start``
and ``systemctl restart`` don't block and wait until the CA is up. There
have been various workarounds in Dogtag and IPA.
Systemd has an ExecStartPost hook to run programs after the main service
is started. The post hook blocks systemctl start and restart until all
post hooks report ready, too. The new ipa-pki-wait-running script polls
on port 8080 and waits until the CA subsystem returns ``running``.
Related: https://pagure.io/freeipa/issue/7916
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9c307108 by Christian Heimes at 2019-04-24T11:32:53Z
Reduce startup_timeout to 120sec as documented
man(5) default.conf says that startup_timeout has a default value of 120
seconds. Even 120 seconds are not effective unless systemd is also
reconfigured to have a larger DefaultTimeoutStartSec.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a9808ff2 by Alexander Bokovoy at 2019-04-24T11:54:43Z
Update mailmap
Reviewed-By: Christian Heimes <cheimes at redhat.com>
(cherry picked from commit e05008d10484858b4c482953e30df5194aeee7ed)
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
1df0ec1e by Alexander Bokovoy at 2019-04-24T11:54:43Z
Update translations in ipa-4-7
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5c4c255f by Alexander Bokovoy at 2019-04-24T11:54:43Z
Update list of contributors and sort it alphabetically
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d796c37f by Christian Heimes at 2019-04-24T12:08:20Z
Debian: use -m lesscpy instead of hard-coded name
python3 -m lesscpy now works correctly. The make-css.sh script is
replaced with a simpler make call and ipa.css now depends on all less
files.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ff41a09e by Christian Heimes at 2019-04-24T12:08:20Z
Debian doesn't have authselect
Skip authselect configuration and migration on Debian/Ubuntu.
Co-authored-by: Timo Aaltonen <tjaalton at debian.org>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
da2cf1c5 by Christian Heimes at 2019-04-24T12:08:20Z
Debian: Add paths for open-sans and font-awesome
Debian has different paths and path suffix for font-awesome. Let's have
explicit paths for all our fonts.
Co-authored-by: Timo Aaltonen <tjaalton at debian.org>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
750e658d by Christian Heimes at 2019-04-24T12:08:20Z
Debian: Add fixes for OpenDNSSEC 2.0
Debian/Ubuntu use OpenDNSSEC 2.0, which has different commands to manage
zones and keys.
Co-authored-by: Timo Aaltonen <tjaalton at debian.org>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8592603e by Christian Heimes at 2019-04-24T12:08:20Z
Debian: Use different paths for KDC cert and key
Co-authored-by: Timo Aaltonen <tjaalton at debian.org>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
edaea886 by Christian Heimes at 2019-04-24T12:08:20Z
Add ODS manager abstraction to ipaplatform
OpenDNSSEC 1.4 and 2.x use different commands to initialize kasp.db and
manage zones. ipaplatform.tasks abstracts the commands.
Note: I added the logic to the base task instead of having different
implementations for Red Hat and Debian platforms. Eventually Fedora is
going to move to OpenDNSSEC 2.x, too. The design will make it easier to
support OpenDNSSEC 2.x on Fedora.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d703f3db by Christian Heimes at 2019-04-24T12:08:20Z
Debian: Fix replicatio of light weight sub CAs
The path to ipa-pki-retrieve-key was hard-coded, which broke replication
of light weight sub CA keys.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
81d0108a by Christian Heimes at 2019-04-24T12:08:20Z
Debian: auto-generate config files for oddjobd
The oddjobd config files are now auto-generated with automake to have
correct path to libexec on all platforms.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0fa692a5 by Christian Heimes at 2019-04-24T12:08:20Z
Debian: Use RedHatCAService for pki-tomcatd
The RedHatCAService service class contains extra logic to wait for CA
service to be up and running. Debian now correctly waits for Dogtag before
proceeding with the installation process.
Fixes: https://pagure.io/freeipa/issue/7916
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
411e6c37 by Christian Heimes at 2019-04-24T14:23:17Z
Deprecate ipa-client-install --request-cert
Mark the --request-cert option for ipa-client-install as deprecated.
Users are encouraged to request a PEM certificate with certmonger
instead. The option and /etc/ipa/nssdb will be removed in a future
version.
Related: https://pagure.io/freeipa/issue/7492
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
dd58a705 by Christian Heimes at 2019-04-24T15:08:24Z
Fix and extend pki config override test
* override ipa_ca_key_size
* test with SHA512withRSA
Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ab71555f by Christian Heimes at 2019-04-24T15:11:28Z
Debian: use -m lesscpy instead of hard-coded name
python3 -m lesscpy now works correctly. The make-css.sh script is
replaced with a simpler make call and ipa.css now depends on all less
files.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
336d77bc by Christian Heimes at 2019-04-24T15:11:28Z
Debian doesn't have authselect
Skip authselect configuration and migration on Debian/Ubuntu.
Co-authored-by: Timo Aaltonen <tjaalton at debian.org>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
beb12cad by Christian Heimes at 2019-04-24T15:11:28Z
Debian: Add paths for open-sans and font-awesome
Debian has different paths and path suffix for font-awesome. Let's have
explicit paths for all our fonts.
Co-authored-by: Timo Aaltonen <tjaalton at debian.org>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e7227fdc by Christian Heimes at 2019-04-24T15:11:28Z
Debian: Add fixes for OpenDNSSEC 2.0
Debian/Ubuntu use OpenDNSSEC 2.0, which has different commands to manage
zones and keys.
Co-authored-by: Timo Aaltonen <tjaalton at debian.org>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0a942d19 by Christian Heimes at 2019-04-24T15:11:28Z
Debian: Use different paths for KDC cert and key
Co-authored-by: Timo Aaltonen <tjaalton at debian.org>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
55ae022e by Christian Heimes at 2019-04-24T15:11:28Z
Add ODS manager abstraction to ipaplatform
OpenDNSSEC 1.4 and 2.x use different commands to initialize kasp.db and
manage zones. ipaplatform.tasks abstracts the commands.
Note: I added the logic to the base task instead of having different
implementations for Red Hat and Debian platforms. Eventually Fedora is
going to move to OpenDNSSEC 2.x, too. The design will make it easier to
support OpenDNSSEC 2.x on Fedora.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
44a03eab by Christian Heimes at 2019-04-24T15:11:28Z
Debian: Fix replicatio of light weight sub CAs
The path to ipa-pki-retrieve-key was hard-coded, which broke replication
of light weight sub CA keys.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
17ee04a0 by Christian Heimes at 2019-04-24T15:11:28Z
Debian: auto-generate config files for oddjobd
The oddjobd config files are now auto-generated with automake to have
correct path to libexec on all platforms.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c9033d74 by Christian Heimes at 2019-04-24T15:11:28Z
Debian: Use RedHatCAService for pki-tomcatd
The RedHatCAService service class contains extra logic to wait for CA
service to be up and running. Debian now correctly waits for Dogtag before
proceeding with the installation process.
Fixes: https://pagure.io/freeipa/issue/7916
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c860a4f1 by Christian Heimes at 2019-04-24T15:11:28Z
Fix pylint error with absolute_import
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4ba88869 by Alexander Bokovoy at 2019-04-24T19:47:19Z
Set idmap config for Samba to follow IPA ranges and use SSSD
Implicit idmap configuration in Samba was changed in Samba 4.7 to always
require range definition. A default ('*') idmap configuration lacks any
range and thus is marked by testparm utility as invalid one.
Since we do not expect Samba allocating any IDs, idmap configuration
needs to be set in a such way that it is correct from Samba side and is
effectively disabling any allocation on those domains that we don't need
to handle.
Note that 'idmap config <domain> : range' parameter accepts range in a
special format with spaces 'begin - end', so we have to keep the
formatting of the range exact.
Related: https://pagure.io/freeipa/issue/6951
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b2c5691e by Alexander Bokovoy at 2019-04-24T19:47:19Z
Enforce SMBLoris attack protection in default Samba configuration
See https://access.redhat.com/security/vulnerabilities/smbloris for
details.
There is no recommended value but for IPA DC we can limit with 1000
concurrent connections from unrelated clients.
Related: https://pagure.io/freeipa/issue/6951
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fad7cad4 by Alexander Bokovoy at 2019-04-25T06:47:34Z
Set idmap config for Samba to follow IPA ranges and use SSSD
Implicit idmap configuration in Samba was changed in Samba 4.7 to always
require range definition. A default ('*') idmap configuration lacks any
range and thus is marked by testparm utility as invalid one.
Since we do not expect Samba allocating any IDs, idmap configuration
needs to be set in a such way that it is correct from Samba side and is
effectively disabling any allocation on those domains that we don't need
to handle.
Note that 'idmap config <domain> : range' parameter accepts range in a
special format with spaces 'begin - end', so we have to keep the
formatting of the range exact.
Related: https://pagure.io/freeipa/issue/6951
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b530dad4 by Alexander Bokovoy at 2019-04-25T06:47:34Z
Enforce SMBLoris attack protection in default Samba configuration
See https://access.redhat.com/security/vulnerabilities/smbloris for
details.
There is no recommended value but for IPA DC we can limit with 1000
concurrent connections from unrelated clients.
Related: https://pagure.io/freeipa/issue/6951
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
444f05c4 by Christian Heimes at 2019-04-25T06:49:45Z
Deprecate ipa-client-install --request-cert
Mark the --request-cert option for ipa-client-install as deprecated.
Users are encouraged to request a PEM certificate with certmonger
instead. The option and /etc/ipa/nssdb will be removed in a future
version.
Related: https://pagure.io/freeipa/issue/7492
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8686cd3b by Christian Heimes at 2019-04-25T06:57:58Z
Pass token_name to certmonger
For HSM support, IPA has to pass the token name for CA and subsystem
certificates to certmonger. For now, only the default 'internal' token is
supported.
Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
74e09087 by Christian Heimes at 2019-04-25T10:53:08Z
Globally disable softhsm2 in p11-kit-proxy
The p11-kit configuration injects p11-kit-proxy into all NSS databases.
Amongst other p11-kit loads SoftHSM2 PKCS#11 provider. This interferes
with 389-DS, certmonger, Dogtag and other services. For example certmonger
tries to open OpenDNSSEC's SoftHSM2 token, although it doesn't use it at
all. It also breaks Dogtag HSM support testing with SoftHSM2.
IPA server does neither need nor use SoftHSM2 proxied by p11-kit.
Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f5912d00 by Sergey Orlov at 2019-04-25T12:46:11Z
ipatests: new tests for ipa-winsync-migrate utility
Fixes https://pagure.io/freeipa/issue/7857
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
23d5c052 by Oleg Kozlov at 2019-04-25T12:47:09Z
Check have packages for extra features been installed before restoring backup
`iparestore --full` should check that packages for extra features such as dns and adtrust are installed in the system before restoring a backup in case the backup includes content for these features. If the packages are not installed full backup should be refused and an error message with suggestions should be showed.
If corresponding packages for these features are not installed before the backup restoring, it may cause a situation when the packages are going to be installed after the restoring. In that case configuration files restored by `ipa-restore` will be replaced by default configuration files if the files are tracked by `rpm`. E.g. if `freeipa-server-trust-ad` is not installed before `ipa-restore --full` running, when the package will be installed it also will bring `samba` package according to the dependencies. At `samba` installation step exist correct `/etc/samba/smb.conf` is going to be replaced by the default one from the `samba` package.
Fixes: https://pagure.io/freeipa/issue/7630
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ae5831b0 by Christian Heimes at 2019-04-25T12:50:45Z
Globally disable softhsm2 in p11-kit-proxy
The p11-kit configuration injects p11-kit-proxy into all NSS databases.
Amongst other p11-kit loads SoftHSM2 PKCS#11 provider. This interferes
with 389-DS, certmonger, Dogtag and other services. For example certmonger
tries to open OpenDNSSEC's SoftHSM2 token, although it doesn't use it at
all. It also breaks Dogtag HSM support testing with SoftHSM2.
IPA server does neither need nor use SoftHSM2 proxied by p11-kit.
Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
60b61d90 by Timo Aaltonen at 2019-04-25T21:12:12Z
Merge branch 'upstream' into master-next
- - - - -
d2298049 by Timo Aaltonen at 2019-04-25T21:13:20Z
bump the version
- - - - -
a9a54b78 by Timo Aaltonen at 2019-04-25T21:31:53Z
Drop upstreamed patches.
- - - - -
38c31503 by Timo Aaltonen at 2019-04-25T22:02:51Z
install: Updated.
- - - - -
75ebfa1c by Sumit Bose at 2019-04-26T06:15:05Z
ipa_sam: remove dependency to talloc_strackframe.h
Recent Samba versions removed some header files which did include
non-public APIs. As a result talloc_strackframe.h and memory.h (for
SAFE_FREE) are not available anymore. This patch replaces the use of the
non-public APIs with public ones.
Resolves: rhbz#1678670
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
(cherry picked from commit d1f5ed64e16d65b9df45cc0eac7d2724dcae7b67)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dcd488b3 by Christian Heimes at 2019-04-26T07:50:23Z
Refactor tasks to include is_selinux_enabled()
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d7e17655 by Christian Heimes at 2019-04-26T07:50:23Z
Check for SELinux AVCs after installation
Look for SELinux violation after installing a master with CA, KRA, and
DNS with DNSSEC. The test does not fail yet, because there are known
SELinux violations.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a22b4a35 by Christian Heimes at 2019-04-26T07:56:44Z
chmod SYSTEMD_PKI_TOMCAT_IPA_CONF
Change the permission of the new config file
/etc/systemd/system/pki-tomcatd at pki-tomcat.service.d/ipa.conf to 644.
This fixes the systemd warning
Configuration file /etc/systemd/system/pki-tomcatd at pki-tomcat.service.d/ipa.conf is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d2c5ce1a by François Cami at 2019-04-26T08:25:00Z
ipaplatform: add more services
Healthcheck needs to check more services than currently defined
in ipaplatform. Add these services.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
beffa7bc by Christian Heimes at 2019-04-26T10:09:22Z
Move Custodia secrets handler to scripts
Implement the import and export handlers for Custodia keys as external
scripts. It's a prerequisite to drop DAC override permission and proper
SELinux rules for ipa-custodia.
Except for DMLDAP, handlers no longer run as root but as handler
specific users with reduced privileges. The Dogtag-related handlers run
as pkiuser, which also help with HSM support.
The export and import handles are designed to be executed by sudo, too.
In the future, ipa-custodia could be executed as an unprivileged process
that runs the minimal helper scripts with higher privileges.
Fixes: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4f3c4f87 by Christian Heimes at 2019-04-26T10:47:51Z
Guard dbus.start() with dbus.is_running()
Some platforms like Debian protect the dbus.service with
RefuseManualStart=True. "systemctl start dbus" fails with operation
refused (it is configured to refuse manual start/stop). On Fedora
"systemctl start dbus" is a no-op when dbus is already running.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5d4a8017 by Christian Heimes at 2019-04-26T10:47:51Z
Add helper to look for missing binaries
Fedora has merged /usr/bin and /bin while Debian uses distinct
directories for /usr/bin and /bin. Debian also uses different directory
for libexec files.
A new paths.check_paths() helper makes it easier to detect missing or
wrong paths.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c3144111 by Christian Heimes at 2019-04-26T10:47:51Z
Correct path to systemd-detect-virt
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
92315611 by François Cami at 2019-04-26T10:51:30Z
ipaplatform: add more services
Healthcheck needs to check more services than currently defined
in ipaplatform. Add these services.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6d75967d by Christian Heimes at 2019-04-26T10:52:20Z
Refactor tasks to include is_selinux_enabled()
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b72f54d2 by Christian Heimes at 2019-04-26T10:52:20Z
Check for SELinux AVCs after installation
Look for SELinux violation after installing a master with CA, KRA, and
DNS with DNSSEC. The test does not fail yet, because there are known
SELinux violations.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2a459ce0 by Christian Heimes at 2019-04-26T10:53:23Z
Make python-ldap optional for PyPI packages
python-ldap is a Python package with heavy C extensions. In order to
build python-ldap, not only OpenLDAP development headers are necessary,
but also OpenSSL, Cyrus SASL, and MIT KRB5 development headers.
A fully functional ipaclient doesn't need an LDAP driver. It talks JSON
RPC over HTTPS to a server. python-ldap is only used by ipapython.dn.DN
to convert a string to a DN with ldap_str2dn(). The function is simple
and can be wrapped with ctypes in a bunch of lines.
Related: https://pagure.io/freeipa/issue/6468
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d59f155e by Christian Heimes at 2019-04-26T10:53:23Z
Make IPADiscovery work without ldap
ipaclient.discover.IPADiscovery skips LDAP discovery when python-ldap is
not present.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bdce9164 by Christian Heimes at 2019-04-26T10:53:23Z
Make ipaclient.discovery usable from command line
For debugging and testing make it possible to run a simple domain
discovery from the command line
```
$ python3 -m ipaclient.discovery demo1.freeipa.org
realm DEMO1.FREEIPA.ORG (Discovered from LDAP DNS records in ipa.demo1.freeipa.org)
domain demo1.freeipa.org (Discovered LDAP SRV records from demo1.freeipa.org)
basedn dc=demo1,dc=freeipa,dc=org (From IPA server ldap://ipa.demo1.freeipa.org:389)
server ipa.demo1.freeipa.org (Discovered from LDAP DNS records in ipa.demo1.freeipa.org)
servers ['ipa.demo1.freeipa.org']
Success
$ python3 -m ipaclient.discovery freeipa.org
realm None
domain None
basedn None
server None
servers []
NO_LDAP_SERVER
```
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
818f94d8 by Sergey Orlov at 2019-04-26T12:28:31Z
ipa console: catch proper exception when history file can not be open
When history file could not be open we were catching OSError. This worked
for python3, as it raises FileNotFoundError, which is a subclass of
OSError. But in python2 IOError is raised when file does not exist and
as this exception was not catched, "ipa conosle" command was crashing.
As far as in pyton3 IOError and OSError have been merged
(OSError is IOError) we can safely catch only IOError.
Fixes: https://pagure.io/freeipa/issue/7922
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3df837de by Christian Heimes at 2019-04-26T12:34:52Z
chmod SYSTEMD_PKI_TOMCAT_IPA_CONF
Change the permission of the new config file
/etc/systemd/system/pki-tomcatd at pki-tomcat.service.d/ipa.conf to 644.
This fixes the systemd warning
Configuration file /etc/systemd/system/pki-tomcatd at pki-tomcat.service.d/ipa.conf is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
38228055 by Christian Heimes at 2019-04-26T13:07:41Z
Guard dbus.start() with dbus.is_running()
Some platforms like Debian protect the dbus.service with
RefuseManualStart=True. "systemctl start dbus" fails with operation
refused (it is configured to refuse manual start/stop). On Fedora
"systemctl start dbus" is a no-op when dbus is already running.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
45316e47 by Christian Heimes at 2019-04-26T13:07:41Z
Add helper to look for missing binaries
Fedora has merged /usr/bin and /bin while Debian uses distinct
directories for /usr/bin and /bin. Debian also uses different directory
for libexec files.
A new paths.check_paths() helper makes it easier to detect missing or
wrong paths.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2c8b7d22 by Christian Heimes at 2019-04-26T13:07:41Z
Correct path to systemd-detect-virt
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
161008d5 by Florence Blanc-Renaud at 2019-04-26T15:26:00Z
ipactl restart: fix wrong logic when checking service list
ipactl is building a list of currently running services from
the content of /var/run/ipa/services.list, and a list of expected services
from the services configured in LDAP.
Because CA and KRA both correspond to the same pki-tomcatd service, the
lists may contain duplicates. The code handling these duplicates is called
at the wrong place, and may result in a wrong list of services to
stop / restart / start.
The fix removes the duplicates before returning the lists, hence making sure
that there is no error when building the list of services to stop / restart
/ start.
Fixes: https://pagure.io/freeipa/issue/7927
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d792544d by Florence Blanc-Renaud at 2019-04-29T06:24:49Z
ipactl restart: fix wrong logic when checking service list
ipactl is building a list of currently running services from
the content of /var/run/ipa/services.list, and a list of expected services
from the services configured in LDAP.
Because CA and KRA both correspond to the same pki-tomcatd service, the
lists may contain duplicates. The code handling these duplicates is called
at the wrong place, and may result in a wrong list of services to
stop / restart / start.
The fix removes the duplicates before returning the lists, hence making sure
that there is no error when building the list of services to stop / restart
/ start.
Fixes: https://pagure.io/freeipa/issue/7927
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3c981879 by Christian Heimes at 2019-04-29T14:51:40Z
Consider configured servers as valid
Under some conditions, ipa config-show and several other commands were
failing with error message:
ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled
Amongst others the issue can be caused by a broken installation, when
some services are left in state 'configuredServices'. The problem even
block uninstallation or removal of replicas. Now configured servers are
also consider valid providers for associated roles.
A new test verifies that config-show works with hidden and configured HTTP
service.
Remark: The original intent of the sanity check is no longer clear to me. I
think it was used to very that all services can be started by ipactl.
Since ipactl starts hidden, configured, and enabled services, the new
logic reflect the fact, too.
Fixes: https://pagure.io/freeipa/issue/7929
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
628ec088 by Alexander Bokovoy at 2019-04-29T14:55:04Z
Become FreeIPA 4.7.90.pre1
- - - - -
dc113a0a by Alexander Bokovoy at 2019-04-29T14:58:14Z
Turn master branch back after pre-release tagging
- - - - -
e73fdcf8 by Christian Heimes at 2019-04-30T14:32:43Z
Import urllib submodules
otpclient only imported the urllib parent package, not urllib.request
and urllib.parse subpackages. This may or may not work depending on the
import order of other plugins.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7b63b88d by Christian Heimes at 2019-04-30T15:15:12Z
Consider configured servers as valid
Under some conditions, ipa config-show and several other commands were
failing with error message:
ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled
Amongst others the issue can be caused by a broken installation, when
some services are left in state 'configuredServices'. The problem even
block uninstallation or removal of replicas. Now configured servers are
also consider valid providers for associated roles.
A new test verifies that config-show works with hidden and configured HTTP
service.
Remark: The original intent of the sanity check is no longer clear to me. I
think it was used to very that all services can be started by ipactl.
Since ipactl starts hidden, configured, and enabled services, the new
logic reflect the fact, too.
Fixes: https://pagure.io/freeipa/issue/7929
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
294aa3a3 by Alexander Bokovoy at 2019-05-02T09:39:23Z
Revert "Require a minimum SASL security factor of 56"
This reverts commit 350954589774499d99bf87cb5631c664bb0707c4.
We cannot force increase in minimum SASL security factor until our
consumers are ready to deal with it. Unfortunately, realmd uses
anonymous connection for discovery and validation of IPA LDAP server.
The way it is done is fragile (it doesn't take into account an
advertised IPA version, only checks that 'IPA' string exists in the info
field) but since bumping of minimum SSF prevents reading IPA info field
using anonymous connection, client enrollment fails.
We should get back to bumping minimum SSF after realmd and other
potential consumers are fixed.
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
bd9c7939 by Sergey Orlov at 2019-05-02T13:30:58Z
ipatests: new tests for ipa-winsync-migrate utility
Fixes https://pagure.io/freeipa/issue/7857
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1f46bb1d by Sergey Orlov at 2019-05-02T13:30:58Z
ipatests: make encoding to base64 compatible with python2
base64.encodebytes is present only in python3, but base64.encodestring
can be used both in python2 and python3 to encode byte-strings.
Relates https://pagure.io/freeipa/issue/7857
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
78652a52 by Adam Williamson at 2019-05-02T13:36:54Z
Correct default fontawesome path (broken by da2cf1c5)
On Fedora/RHEL, it does not have a dash in it. The changes in
da2cf1c5 inadvertently added a dash to the path in the 'base'
paths definition (used on Fedora/RHEL), so the font wasn't found.
Signed-off-by: Adam Williamson <awilliam at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e70bbdab by Timo Aaltonen at 2019-05-05T10:54:49Z
Merge branch 'upstream' into master-next
- - - - -
e93f9f9c by Timo Aaltonen at 2019-05-05T10:55:16Z
bump the version
- - - - -
b870539b by Timo Aaltonen at 2019-05-05T10:56:35Z
fix-ods-conf-template.diff: Drop an obsolete conf option.
- - - - -
174a225f by Timo Aaltonen at 2019-05-05T11:10:01Z
rules: Rework gentarball target.
- - - - -
660c4984 by François Cami at 2019-05-06T15:46:19Z
ipa-client-automount: add knob to configure NFSv4 Domain (idmapd.conf)
ipa-client-automount assumes the NFS domain to be the same as the IPA domain.
This is not always the case.
This commit adds a --idmap-domain knob with the following behavior:
- if not present, default to IDM domain (current behavior)
- if equal to DNS (magic value), set nothing and let idmapd autodetect domain
- otherwise set Domain in idmap.conf to the value passed by this parameter
Fixes: https://pagure.io/freeipa/issue/7918
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d76737e4 by François Cami at 2019-05-06T15:46:19Z
ipatests: add tests for the new NFSv4 domain option of ipa-client-automount
This commit tests the--idmap-domain knob with the following behavior:
- if not present, default to IDM domain (current behavior)
- if equal to DNS (magic value), set nothing and let idmapd autodetect domain
- otherwise set Domain in idmap.conf to the value passed by this parameter
Related to: https://pagure.io/freeipa/issue/7918
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e6415ec3 by François Cami at 2019-05-07T07:00:42Z
ipa-backup: better error message if ENOSPC
When the destination directory cannot store the complete backup
ipa-backup fails but does not explain why.
This commit adds error-checking to db2ldif(), db2bak() and
finalize_backup() and enhances the error message.
Fixes: https://pagure.io/freeipa/issue/7647
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Tibor Dudlák <tdudlak at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
5331510e by François Cami at 2019-05-07T07:08:40Z
ipa_backup.py: replace /var/lib/ipa/backup with paths.IPA_BACKUP_DIR
/var/lib/ipa/backup is defined in ipaplatform.paths as paths.IPA_BACKUP_DIR
Remove all instances of /var/lib/ipa/backup/ in ipa_backup.py.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
98b4c710 by Alexander Bokovoy at 2019-05-11T19:15:37Z
upgrade: adtrust - catch empty result when retrieving list of trusts
Upgrade failure when ipa-server-upgrade is being run on a system with no
trust established but trust configured
Fixes: https://pagure.io/freeipa/issue/7939
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
ac6568dc by Stanislav Levin at 2019-05-12T21:49:07Z
Fix `build_requestinfo` in OpenSSL1.1.0+ environments
Since OpenSSL 1.1.0 the `req_info` field of X509_REQ structure is
no longer a pointer to X509_REQ_INFO. This results in a crash of
`build_requestinfo` in environments having OpenSSL1.1.0+ (libcrypto).
With this patch, the X509_REQ definition becomes the version dependent.
Both OpenSSL1.0.x and OpenSSL1.1.x are supported.
Fixes: https://pagure.io/freeipa/issue/7937
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
64dc92cc by Christian Heimes at 2019-05-14T10:27:55Z
Load libldap_r-*.so.2
libldap_r.so is only available in the OpenLDAP development packages. The
openldap package provides libldap_r-*.so.2.
Fixes: https://pagure.io/freeipa/issue/7941
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7b8a2af2 by Stanislav Levin at 2019-05-14T13:58:40Z
Fix `build_requestinfo` in LibreSSL environments
`build_requestinfo` was broken in @ac6568dcf.
In this case LibreSSL behavior is the same as OpenSSL < 1.1.x.
Thus, an additional check for SSL implementation was added.
Fixes: https://pagure.io/freeipa/issue/7937
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
2042b5a0 by Christian Heimes at 2019-05-14T15:11:54Z
Use PKCS#8 instead of traditional privkey format
The modern PKCS#8 private key format supports better encryption standard
and is preferable over traditional, weak PKCS#1 key format.
Fixes: https://pagure.io/freeipa/issue/7943
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Oleg Kozlov <okozlov at redhat.com>
- - - - -
ecc08e39 by Rob Crittenden at 2019-05-14T16:46:56Z
Use AES-128-CBC for PKCS#12 encryption when creating files (FIPS)
A PKCS#12 file is generated from a set of input files in various
formats. This file is then used to provide the public and private
keys and certificate chain fro importing into an NSS database.
In order to work in FIPS mode stronger encryption is required.
The default OpenSSL certificate algo is 40-bit RC2 which is not
allowed in FIPS mode. The default private key algo is 3DES.
Use AES-128 instead for both.
Fixes: https://pagure.io/freeipa/issue/7948
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b7533d9c by Alexander Bokovoy at 2019-05-14T18:52:29Z
Use nodejs 1.10 to avoid current issues with nodejs 1.11 in Fedora 30
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
58fe6fac by Alexander Bokovoy at 2019-05-14T18:52:29Z
Set up CI with Azure Pipelines
Sets up a pipeline to run FreeIPA build and tests in Azure Pipelines.
Azure Pipelines provides 10 parallel free runners for open source projects.
Use them to run following jobs:
- Build: build RPMs and Fedora 30 container with them
- Lint: run linting of the source code
- Tox: run py36,pypi,pylint tests using Tox
- Web UI unit tests: run Web UI unit tests with Grunt/QUnit/PhantomJS
- XMLRPC tests: install FreeIPA server and run XMLRPC tests against it
All jobs are running in Fedora 30 containers. Build, Lint, Tox, and Web
UI unit tests run inside f30/fedora-toolbox container. Build job
generates a container with pre-installed FreeIPA packages using official
fedora:30 container. All containers are picked up from
registry.fedoraproject.org.
Artifacts from the build job are pushed to a pipeline storage and reused
in the XMLRPC tests. They also are accessible in the 'Summary' tab to
download.
XUnit and QUnit outputs from the tests that produce it are reported in
the 'Tests' tab.
Logs from individual steps from each job are available for review in
the 'Logs' tab. They also can be downloaded.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9cb6817b by Alexander Bokovoy at 2019-05-16T06:51:45Z
azure-run-tests: handle single unexpanded parameter too
If TESTS_TO_RUN contains a single parameter that cannot be expanded,
bash will not perform brace elimination. Remove braces manually.
For example, TESTS_TO_RUN='test_xmlrpc/test_*.py' will not expand
outside of ipatests and the script would generate
tests_to_run=-k{test_xmlrpc/test_*.py}
Braces then will prevent actual ipa-run-tests execution from matching
any of XMLRPC tests.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c41b3ae9 by Alexander Bokovoy at 2019-05-16T06:51:45Z
fix selenium imports in automount web UI test
Fixes: https://pagure.io/freeipa/issue/7942
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
245a8bcd by Alexander Bokovoy at 2019-05-16T06:51:45Z
test_legacy_clients: fix class inheritance
Fixes: https://pagure.io/freeipa/issue/7940
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
74f3ca5d by Alexander Bokovoy at 2019-05-16T06:51:45Z
i18n_messages: get back a locale needed for testing
Commit f49fac7bda8150aee2086be9afdbe4eb81c3f18a added a special
workaround to get fr-fr locale translations installed when running
tests in Travis CI.
Get it back to Azure Pipelines.
Fixes: https://pagure.io/freeipa/issue/7951
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
289f9c7e by Christian Heimes at 2019-05-16T11:20:38Z
Delay import of SSSDConfig
SSSDConfig is not available on PyPI.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4b7e81fb by Christian Heimes at 2019-05-16T11:20:38Z
Replace imports from ipaserver
The ipatests/test_integration/ package only uses ipaserver in a few
places. Copy some simple constants to decouple the packages.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8bd469c5 by Christian Heimes at 2019-05-16T11:20:38Z
Don't import ipaserver in conf.py
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
984a44a4 by Christian Heimes at 2019-05-16T11:20:38Z
integration plugins import ldif
Make ipatests depend on python-ldap.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2d22fdaf by Christian Heimes at 2019-05-16T11:20:38Z
Forbid imports of ipaserver and install packages
ipatests' plugin and integration tests must no longer import ipaserver
or ipa*.install packages.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a4254489 by Florence Blanc-Renaud at 2019-05-16T12:28:00Z
Fix expected file permissions for ghost files
File permissions from the rpm freeipa-server-common and
freeipa-client-common do not match the runtime permissions. This results
in mode failures on rpm -Va.
Fix the expected file permissions on rpm spec file for
/var/lib/ipa/pki-ca/publish
/var/named/dyndb-ldap/ipa
/etc/ipa/pwdfile.txt
/etc/pki/ca-trust/source/ipa.p11-kit
(new format SQLite)
/etc/ipa/nssdb/cert9.db
/etc/ipa/nssdb/key4.db
/etc/ipa/pkcs11.txt
(old format DBM)
/etc/ipa/cert8.db
/etc/ipa/key3.db
/etc/ipa/secmod.db
The commit also fixes the file permissions for
/etc/httpd/conf.d/ipa-pki-proxy.conf (644)
during server installation, and the group ownership.
Fixes: https://pagure.io/freeipa/issue/7934
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
7fe10d99 by Florence Blanc-Renaud at 2019-05-16T12:28:00Z
ipatests: add integration test checking the files mode
The test runs rpm -V in order to check that the file
permissions are consistent with the expectations set
in the spec file. The file mode, owner and group are
checked.
Related to https://pagure.io/freeipa/issue/7934
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6662e99e by Rob Crittenden at 2019-05-16T18:38:43Z
Add knob to limit hostname length
On Linux systems the length limit for hostnames is hardcoded
at 64 in MAXHOSTNAMELEN
Solaris, for example, allows 255 characters, and DNS allows the
total length to be up to 255 (with each label < 64).
Add a knob to allow configuring the maximum hostname length (FQDN)
The same validators are used between hosts and DNS to apply
the knob only when dealing with a FQDN as a hostname.
The maxlen option is included so installers can limit the length
of allowed hostnames when the --hostname option is used.
https://pagure.io/freeipa/issue/2018
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6a9c20a8 by Serhii Tsymbaliuk at 2019-05-21T12:45:27Z
Fix occasional 'whoami.data is undefined' error in FreeIPA web UI
'Metadata' phase (Web UI initialization flow) doesn't wait "whoami" response.
It causes the error when on the next phase "whoami" data is undefined.
To avoid this "whoami" request now has flag async = false,
so init_metadata waits until it will be completed.
Ticket: https://pagure.io/freeipa/issue/7917
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5263c36c by Stanislav Levin at 2019-05-21T17:07:45Z
Respect TMPDIR, TEMP or TMP environment variables during testing
The FreeIPA uses its own classes for managing temp files and
directories for tests. One of its underlying low-level functions
is `mkdtemp`.
According to documentation for `mkdtemp`:
```
If dir is not None, the file will be created in that directory; otherwise, a
default directory is used. The default directory is chosen from a
platform-dependent list, but the user of the application can control the
directory location by setting the TMPDIR, TEMP or TMP environment variables.
```
It's actually the truth,
/usr/lib64/python3.7/tempfile.py:
```
def _candidate_tempdir_list():
"""Generate a list of candidate temporary directories which
_get_default_tempdir will try."""
dirlist = []
# First, try the environment.
for envname in 'TMPDIR', 'TEMP', 'TMP':
dirname = _os.getenv(envname)
if dirname: dirlist.append(dirname)
# Failing that, try OS-specific locations.
if _os.name == 'nt':
dirlist.extend([ _os.path.expanduser(r'~\AppData\Local\Temp'),
_os.path.expandvars(r'%SYSTEMROOT%\Temp'),
r'c:\temp', r'c:\tmp', r'\temp', r'\tmp' ])
else:
dirlist.extend([ '/tmp', '/var/tmp', '/usr/tmp' ])
```
For now, there is a hardcoded assertion of a temp directory (`/tmp`) in
IPA tests. But some systems use the mentioned environment variables
(for example, pam_mktemp https://www.openhub.net/p/pam_mktemp).
It's easy to check an actual temp dir via `gettempdir`.
Fixes: https://pagure.io/freeipa/issue/7956
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
9cd88587 by Florence Blanc-Renaud at 2019-05-22T15:53:13Z
CA: set ipaconfigstring:compatCA in cn=DOMAIN IPA CA
Commit fa50068 introduced a regression. Previously, the
upgrade plugin upload_cacrt was setting the attribute
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN
After commit fa50068, the value is not set any more. As a
consequence, the LDAP entry is not identified as the CA and
CA renewal does not update the entry
cn=CAcert,cn=certificates,cn=ipa,cn=etc,BASEDN.
RHEL 6 client rely on this entry to retrieve the CA and
client install fails because cn=CAcert is out-of-date.
The fix makes sure that upload_cacrt plugin properly sets
ipaconfigstring: compatCA in the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN
Fixed: https://pagure.io/freeipa/issue/7928
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
48041033 by Florence Blanc-Renaud at 2019-05-22T15:53:13Z
ipatests: CA renewal must refresh cn=CAcert
Add a test checking that the entry cn=CAcert,cn=ipa,cn=etc,BASEDN
is properly updated when the CA is renewed
The test also checks that the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN properly
contains ipaconfigstring: compatCA
ipaconfigstring: ipaCA
Related to https://pagure.io/freeipa/issue/7928
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e3f35843 by Tibor Dudlák at 2019-05-22T16:20:22Z
Moving prompt for NTP options to install_check
In a interactive installation of freeipa server a promt asks for NTP related
options after install_check has been called. As it may cause confusion to users
moving to install_check methods where the prompt for other options is being done.
Refactored sync_time() method to use passed parameters ntp_servers and ntp_pool.
Resolves: https://pagure.io/freeipa/issue/7930
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Oleg Kozlov <okozlov at redhat.com>
- - - - -
be39d3a9 by Tibor Dudlák at 2019-05-22T16:20:22Z
ipatests: Add Unattended option to external ca task
After resolving https://pagure.io/freeipa/issue/7930
an unattended option alongsede with -r 'REALM' option
needs to be passed to tasks which lacks ntp options.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Oleg Kozlov <okozlov at redhat.com>
- - - - -
c9c8b3e0 by Kaleemullah Siddiqui at 2019-05-23T07:58:18Z
Order of master and replica corrected in logger.info
Order of master/replica was incorect which has been
corrected
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
67490acb by Thierry Bordaz at 2019-05-24T10:42:51Z
Switch nsslapd-unhashed-pw-switch to nolog
389-ds will change the default value of nsslapd-unhashed-pw-switch from 'on' to 'off'
For new or upgraded IPA instance, in case of winsync deployment the attribute is set
to 'on' and a warning is displayed. Else the attribute is set to 'nolog'
https://pagure.io/freeipa/issue/4812
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
64d187e5 by Florence Blanc-Renaud at 2019-05-24T21:18:56Z
NSSDatabase: fix get_trust_chain
In the get_trust_chain method, use certutil -O with the option
--simple-self-signed to make sure that self-signed certs properly
get processed.
Note: this option has been introduced in nss 3.38 and our spec file
already requires nss >= 3.41.
Scenario: when IPA CA is switched from self-signed to externally-signed,
then back to self-signed, the same nickname can be used in
/etc/pki/pki-tomcat/alias for the initial cert and the renewed certs. If
the original and renewed certs are present in the NSS db, running
$ certutil -O -n <IPA CA alias>
produces a complex output like the following (this command is used to find
the trust chain):
"CN=Cert Auth,O=ExtAuth" [CN=Cert Auth,O=ExtAuth]
"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]
"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]
The renewal code is disturbed by this output.
If, on the contrary, certutil -O --simple-self-signed -n <IPA CA alias> is
used to extract the trust chain, the output is as expected for a self-signed
cert:
"caSigningCert cert-pki-ca" [CN=Certificate Authority,O=DOMAIN.COM]
As a result, the scenario self-signed > externally signed > self-signed
works.
Fixes: https://pagure.io/freeipa/issue/7926
Reviewed-By: Oleg Kozlov <okozlov at redhat.com>
- - - - -
6a2c356d by Alexander Bokovoy at 2019-05-28T06:55:51Z
ipa-run-tests: add support of globs for test targets and ignores
ipa-run-tests expands arguments passed with their full paths. However,
it doesn't support expanding globs, so targets like 'test_ipa*' cannot
be specified.
Expand the code that replaces '--ignore foo' and 'foo' positional
arguments with support for '--ignore foo*' and 'foo*'.
This allows to reduce a number of additional steps in the CI pipeline
preparation.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
c8ef093e by Alexander Bokovoy at 2019-05-28T06:55:51Z
Azure Pipelines: simplify test job definitions
Rewrite templates to make test job declarations simpler and easier to
work with.
A test job template can be instantiated this way:
- template: templates/test-jobs.yml
parameters:
jobName: Base
jobTitle: Base tests
testsToRun:
- test_cmdline
- test_install
- test_ipaclient
- test_ipalib
- test_ipaplatform
- test_ipapython
testsToIgnore:
- test_integration
- test_webui
- test_ipapython/test_keyring.py
taskToRun: run-tests
Both 'testsToRun' and 'testsToIgnore' accept arrays of test matches.
Wildcards also supported:
....
testsToRun:
- test_xmlrpc/test_hbac*
....
'taskToRun' specifies a script ipatests/azure/azure-${taskToRun}.sh that
will be executed in the test environment to actually start tests.
Parameters 'testsToRun' and 'testsToIgnore' define TESTS_TO_{RUN,IGNORE}
variables that will be set in the environment of the test script. These
variables will have entries from the parameters separated by a space.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5230e2a1 by Alexander Bokovoy at 2019-05-28T06:55:51Z
Azure Pipelines: run fast linter in case of a pull request build
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
53a0fa91 by Alexander Bokovoy at 2019-05-28T06:55:51Z
LDAPCreate: allow callers to override objectclasses
LDAPCreate class explicitly allows use of --setattr/--addattr options to
pass-in additional configuration or override some of the framework
decisions. However, changes to objectclasses are ignored.
We have a number of plugins where additional attributes and their values
are generated at creation time. For example, ipa-sidgen plugin generates
ipaNTSecurityIdentifier value on LDAP ADD operation when objectclasses
include a specific object class and some other attributes (uidNumber,
gidNumber) do present in the LDAP mods.
Allow to override object-specific LDAP objectclasses by the
--setattr/--addattr option values.
Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
ef67dece by Alexander Bokovoy at 2019-05-28T06:55:51Z
ldap2.can_read: fix py3 compatibility
As with commit b37d18288d, can_read() method does not need to decode
a string in Python 3. can_read() wasn't used anywhere in the code,
apparently.
Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6163cbc1 by Alexander Bokovoy at 2019-05-28T06:55:51Z
test_ipagetkeytab: allow testing LDAP connection beyond bind operation
Convert use_keytab() function into a context manager to allow additional
operations to be done as part of the test. Also pass proper credentials
cache file to the backend while connecting to LDAP so that right creds
are in use.
This is required to perform actual tests for use of the retrieved keys.
Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
0f891c6a by Alexander Bokovoy at 2019-05-28T06:55:51Z
test_ipagetkeytab: factor out DM password reader
Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b5fbbd19 by Alexander Bokovoy at 2019-05-28T06:55:51Z
Keytab retrieval: allow requesting arcfour-hmac for SMB services
With system-wide crypto policy in use, arcfour-hmac encryption type
might be removed from the list of permitted encryption types in the MIT
Kerberos library. Applications aren't prevented to use the arcfour-hmac
enctype if they operate on it directly.
Since FreeIPA supported and default encryption types stored in LDAP, on
the server side we don't directly use a set of permitted encryption
types provided by the MIT Kerberos library. However, this set will be
trimmed to disallow arcfour-hmac and other weaker types by default.
While the arcfour-hmac key can be generated and retrieved, MIT Kerberos
library will still not allow its use in Kerberos protocol if it is not
on the list of permitted encryption types. We only need this workaround
to allow setting up arcfour-hmac key for SMB services where arcfour-hmac
key is used to validate communication between a domain member and its
domain controller. Without this fix it will not be possible to request
setting up a machine account credential from the domain member side. The
latter is needed for Samba running on IPA client.
Thus, extend filtering facilities in ipa-pwd-extop plugin to explicitly
allow arcfour-hmac encryption type for SMB services (Kerberos principal
name starts with cifs/).
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
46234f0c by Alexander Bokovoy at 2019-05-28T06:55:51Z
test_ipagetkeytab: test retrieval of explicit encryption types
In order to test a fix for https://pagure.io/freeipa/issue/7953,
we need to create a keytab with a particular encryption type
(arcfour-hmac) and attempt to request generation of ipaNTHash attribute
from Kerberos keys in LDAP.
Add a test case that performs this operation.
Related: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a9bcf531 by Alexander Bokovoy at 2019-05-28T06:55:51Z
ipa-pwd-extop: do not remove MagicRegen mod, replace it
In 2012, ldbm backend in 389-ds started checking entry modification
after running betxnpreop plugins by comparing a number of modifications
before and after. If that number didn't change, it is considered that
plugins didn't modify the list.
ipa-pwd-extop actually removed and re-added modification to ipaNTHash if
it contained 'MagicRegen' value. This did not work since commit
https://pagure.io/389-ds-base/c/6c17ec56076d34540929acbcf2f3e65534060a43
but we were lucky nothing in FreeIPA code actually relied on that except
some code paths in ipasam Samba passdb driver. However, Samba didn't
reach the point where the code was triggered -- until now.
With support to run Samba as a domain member in IPA domain, that code
path is triggered for Kerberos service principals of domain members
(cifs/client.example.test, ...) and NT hash extraction from Kerberos
keys does not work.
Fix ipa-pwd-extop to follow recommendations in
https://pagure.io/389-ds-base/issue/387#comment-120145 and
https://pagure.io/389-ds-base/issue/50369#comment-570696
Fixes: https://pagure.io/freeipa/issue/7953
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
3f33ac88 by Stanislav Levin at 2019-05-28T07:01:23Z
Make `pycodestyle` results identical
Currently, pycodestyle is running on:
- make fastlint:
`$(PYTHON) -m pycodestyle --diff`
According to docs:
```
The project options are read from the [pycodestyle] section of the
tox.ini file or the setup.cfg file located in any parent folder of the
path(s) being processed.
```
So, pycodestyle respects tox.ini:
```
[pycodestyle]
# E402 module level import not at top of file
# W504 line break after binary operator
ignore = E402, W504
```
- PR Travis `lint`:
`pycodestyle --ignore=W504 --diff &> $PEP8_ERROR_LOG ||:`
According to docs:
```
Please note that if the option –ignore=errors is used, the
default configuration will be overridden and ignore only the
check(s) you skip.
```
So, pycodestyle doesn't respect tox.ini.
For now, fastlint ignores E402, W504, while Travis lint ignores only W504.
This issue is exposed by Azure Pipelines, which employs fastlint.
Fixes: https://pagure.io/freeipa/issue/7962
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
891d54e4 by Fraser Tweedale at 2019-05-28T07:03:00Z
dn: handle multi-valued RDNs in Name conversion
When applying DN to a cryptography.x509.Name, multi-valued RDNs get
"flattened" into separate RDNs. Update the constructor to correctly
handle Name values with multi-valued RDNs.
Fixes: https://pagure.io/freeipa/issue/7963
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f9b22283 by Fraser Tweedale at 2019-05-28T07:04:30Z
add test for external CA key size sanity check
We recently added validation of externally-signed CA certificate to
ensure certificates signed by external CAs with too-small keys
(according to system crypto policy) are rejected.
Add an integration test that attempts to renew with a 1024-bit
external CA, and asserts failure.
Part of: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
581b7148 by Mohammad Rizwan Yusuf at 2019-05-28T07:43:40Z
Test if ipactl restart restarts the pki-tomcatd
Wrong logic was triggering the start instead of restart
for pki-tomcatd. This test validates that restart
called on pki-tomcat properly.
related ticket : https://pagure.io/freeipa/issue/7927
Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
ef324a7f by German Parente at 2019-05-28T07:47:55Z
ipa-replica-manage: remove "last init status" if it's None.
we remove the "last init status" section in the output of
ipa-replica-manage to avoid confusion and show epoch date
when status is None
Fixes: https://pagure.io/freeipa/issue/7716
Signed-off-by: German Parente <gparente at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0b21e2ab by Florence Blanc-Renaud at 2019-05-28T19:02:49Z
ipatests: add integration test for ipa-replica-manage list
The command
ipa-replica-manage list -v <node>
can display:
last init ended: 1970-01-01 00:00:00+00:00
last init status: None
when called on a node that never had total update.
The fix for 7716 modifies the command so that it doesn't print
those lines when there is no last init status.
This commit adds a new test checking the output of
ipa-replica-manage list -v <node>.
Related to: https://pagure.io/freeipa/issue/7716
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a2a006c7 by Fraser Tweedale at 2019-05-29T02:49:27Z
Extract ca_renewal cert update subroutine
When the CA renewal master renews certificates that are shared
across CA replicas, it puts them in LDAP for the other CA replicas
to see. The code to create/update these entries lives in the
dogtag-ipa-ca-renew-agent renewal helper, but it will be useful for
the ipa-cert-fix program too. Extract it to a subroutine in the
cainstance module.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c28a42e2 by Fraser Tweedale at 2019-05-29T02:49:27Z
cainstance: add function to determine ca_renewal nickname
The ipa-cert-fix program needs to know where to put shared
certificates. Extract the logic that computes the nickname from
dogtag-ipa-ca-renew-agent to new subroutine
cainstance.get_ca_renewal_nickname().
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a3becc76 by Fraser Tweedale at 2019-05-29T02:49:27Z
constants: add ca_renewal container
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
09aa3d1f by Fraser Tweedale at 2019-05-29T02:49:27Z
Add ipa-cert-fix tool
The ipa-cert-fix tool wraps `pki-server cert-fix`, performing
additional certificate requests for non-Dogtag IPA certificates and
performing additional actions. In particular:
- Run cert-fix with arguments particular to the IPA deployment.
- Update IPA RA certificate in the ipara user entry (if renewed).
- Add shared certificates (if renewed) to the ca_renewal LDAP
container for replication.
- Become the CA renewal master if shared certificates were renewed.
This ensures other CA replicas, including the previous CA renewal
master if not the current host, pick up those new certificates
when Certmonger attempts to renew them.
Fixes: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a9f09fee by Fraser Tweedale at 2019-05-29T02:49:27Z
ipa-cert-fix: add man page
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e41b7457 by Fraser Tweedale at 2019-05-29T02:49:27Z
ipa-cert-fix: use customary exit statuses
It is customary to return 2 when IPA is not configured, and 1 when
other required bits are not installed or configured. Update
ipa-cert-fix exit statuses accordingly.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
72027226 by Fraser Tweedale at 2019-05-29T02:49:27Z
require Dogtag 10.7.0-1
Dogtag 10.7 includes the 'pki-server cert-fix' enhancements required
by ipa-cert-fix. Bump the dep min bound.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
582cc7da by Fraser Tweedale at 2019-05-29T02:49:27Z
ipa-cert-fix: handle 'pki-server cert-fix' failure
When DS cert is expired, 'pki-server cert-fix' will fail at the
final step (restart). When this case arises, ignore the
CalledProcessError and continue.
We can't know for sure if the error was due to failure of final
restart, or something going wrong earlier. But if it was a more
serious failure, the next step (installing the renewed IPA-specific
certificates) will fail.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
162dce1c by Fraser Tweedale at 2019-05-29T02:49:27Z
ipa-cert-fix: fix spurious renewal master change
We only want to become the renewal master if we actually renewed a
shared certificate. But there is a bug in the logic; even if the
only Dogtag certificate to be renewed is the 'sslserver' (a
non-shared certificate), the renewal master will be reset. Fix the
bug.
A static type system would have excluded this bug.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f30f040d by Fraser Tweedale at 2019-05-29T02:49:27Z
avoid realm_to_serverid deprecation warning
ipaserver.installutils.realm_to_serverid was deprecated. Use
ipapython.ipaldap.realm_to_serverid instead.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3f02fc94 by Sergey Orlov at 2019-05-29T07:44:41Z
ipatests: new tests for establishing one-way AD trust with shared secret
Tests added for two scenarios:
1) adding one-way external trust, trust on Windows side is created using
netdom utility.
2) adding one-way forest trust, trust on Windows side is created using
powershell bindings to .Net functions
Tests verify that specified trusts can be established, trust domains can
be fetched and AD user data can be queried by IPA client.
Relates: https://pagure.io/freeipa/issue/6077
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
c0d40880 by Armando Neto at 2019-06-04T12:42:41Z
Bump PR-CI template version
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
8f4ca395 by Alexander Bokovoy at 2019-06-05T07:47:40Z
azure tests: make sure /etc/docker folder exists
Azure tests fail because we couldn't configure docker for IPv6 anymore.
This happened because we weren't able to copy our configuration file to
/etc/docker -- looks like the docker directory does not exist.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
cd2b2443 by Sergey Orlov at 2019-06-05T12:45:57Z
ipatests: allow to relax security of LDAP connection from controller to IPA host
The Host.ldap_connect() method uses LDAPClient from ipapython package.
In a3934a21 we started to use secure connection from tests controller to
ipa server. And also 5be9341f changed the LDAPClient.simple_bind method
to forbid password based authentiction over insecure connection.
This makes it imposible to establish ldap connection in some test
configurations where hostnames known to ipa server do not match ones known
to tests controller (i.e. when host.hostname != host.external_hostname)
because TLS certificate is issued for host.hostname and test controller
tries to verify it against host.external_hostname.
A sublass of LDAPClient is provided which allows to skip certificate check.
Fixes: https://pagure.io/freeipa/issue/7960
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f606d820 by Rob Crittenden at 2019-06-05T17:18:45Z
Stop using 389-ds legacy backup and restoration utilities
Use dsctl instead, the modern replacement for ldif2db, db2ldif,
bak2db and db2bak.
https://pagure.io/freeipa/issue/7965
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
21777e4b by Rob Crittenden at 2019-06-05T19:28:57Z
When reading SSH pub key don't assume last character is newline
The code was attempting to strip off any trailing newline and then
calling lstrip() on the rest.
This assumes that the key has a trailing newline. At best this
can cause the last character of the comment to be lost. If there
is no comment it will fail to load the key because it is invalid.
Patch by Félix-Antoine Fortin <felix-antoine.fortin at calculquebec.ca>
https://pagure.io/freeipa/issue/7959
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
1d03afc9 by Kaleemullah Siddiqui at 2019-06-06T14:51:55Z
Tests for autounmembership feature
New feature of autounmembership added in 389-ds-base
https://pagure.io/389-ds-base/issue/50077
Tests for autounmembership feature has been added in
this PR
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
1284bf15 by Rob Crittenden at 2019-06-07T09:24:45Z
Drop list of return values to be ignored in AdminTool
This was an attempt to suppress client uninstallation failure
messages in the server uninstallation script. This method
inadvertently also suppressed client uninstallation messages and
was generally confusing.
This reverts part of b96906156be37a7b29ee74423b82f04070c84e22
https://pagure.io/freeipa/issue/7836
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c1c50650 by Rob Crittenden at 2019-06-07T09:24:45Z
Return 0 on uninstall when on_master for case of not installed
This is to suppress the spurious error message:
The ipa-client-install command failed.
when the client is not configured.
This is managed by allowing a ScriptError to return SUCCESS (0)
and have this ignored in log_failure().
https://pagure.io/freeipa/issue/7836
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
cef4edd3 by Rob Crittenden at 2019-06-07T09:24:45Z
Fix expected return code in tests when server is uninstalled
It is likely that these were fixed by the original change
b96906156be37a7b29ee74423b82f04070c84e22 but was uncaught because
these tests are not executed in CI because the server is configured.
https://pagure.io/freeipa/issue/7836
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
07f7e3ea by Florence Blanc-Renaud at 2019-06-10T10:02:17Z
ipatests: fix test_caless.py
Commit e3f3584 introduced an additional prompt in ipa-server-install
"Do you want to configure chrony with NTP server or pool address?".
The test is building a string passed to stdin in interactive mode
but this string has not been updated with the additional answer for
this new question.
This commit answers 'no' to the question and allows to proceed with
the ipa server installation.
Fixes: https://pagure.io/freeipa/issue/7969
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
df99680e by Fraser Tweedale at 2019-06-11T05:52:06Z
.gitignore: add ipa-cert-fix program
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ad747297 by Fraser Tweedale at 2019-06-11T06:14:44Z
dn: sort AVAs when converting from x509.Name
Equal DNs with multi-valued RDNs can compare inequal if one (or
both) is constructed from a cryptography.x509.Name, because the AVAs
in the multi-valued RDNs are not being sorted.
Sort the AVAs when constructing from Name and add test cases for
equality checks on multi-valued RDNs constructed from inputs with
permuted AVA order.
Part of: https://pagure.io/freeipa/issue/7963
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7ec0976c by Rob Crittenden at 2019-06-11T13:25:31Z
tests: Wait for automember rebuild --no-wait tasks to finish
The behavior of automember changed with the design
https://www.port389.org/docs/389ds/design/automember-postop-modify-design.html
such that members are "cleaned up" first then re-added. This has
the effect of removing members that no longer apply to a rule.
This was breaking the automember rebuild tests because sometimes
the tests were faster than 389-ds causing memberships to be missed.
This does a client-side wait for the task to finish up so still
exercises the rebuild code.
https://pagure.io/freeipa/issue/7972
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
10b721d1 by Rob Crittenden at 2019-06-11T17:42:50Z
admintool: don't display log file on errors unless logging is setup
The admintool will display the message when something goes wrong:
See %s for more information" % self.log_file_name
This is handy except when finally logging setup is not done
yet so the log file doesn't actually get written to.
This can happen if validation catches and raises an exception.
Fixes: https://pagure.io/freeipa/issue/7952
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
6ec3c84c by Florence Blanc-Renaud at 2019-06-11T19:40:58Z
ipatests: fix test_backup_and_restore.py::TestBackupAndRestore
The test test_backup_and_restore.py::TestBackupAndRestore
test_full_backup_and_restore_with_selinux_booleans_off
requires SELinux to be enabled because it's using
getsebool command.
Skip the test if SELinux is disabled.
Fixes: https://pagure.io/freeipa/issue/7970
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c191c257 by François Cami at 2019-06-13T21:13:43Z
Hidden replica documentation: fix typo
The hidden replica documentation mentioned using
$ ipa server-state <hostname> --state=enable
whereas the right command is
$ ipa server-state <hostname> --state=enabled
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
910ff25b by Florence Blanc-Renaud at 2019-06-13T21:24:01Z
ipatests: fix TestUserPermissions::test_selinux_user_optimized
This test requires SELinux and fails if selinux is disabled
(because it's calling semanage login -l).
The vagrant images currently in use in the nightly tests
are configured with selinux disabled. Add skipif marker when
selinux is disabled.
Fixes: https://pagure.io/freeipa/issue/7974
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
77bfd5f9 by Stanislav Levin at 2019-06-16T17:32:31Z
Resolve tox substitutions to absolute paths
Since tox-3.8.0 the substituted virtualenv-paths of tox
(like {envpython} or {envsitepackagesdir}) have become relative.
The documentation says nothing about this. Thus, these paths
should always be resolved as absolute.
https://github.com/tox-dev/tox/issues/1339
Fixes: https://pagure.io/freeipa/issue/7977
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
02d6fc74 by Christian Heimes at 2019-06-17T04:31:12Z
Bump release number to 4.7.91
rpm sorts pre1 release after dev releases. To have dev releases override
pre releases in upstream, the patch level must be bumped after every pre
release.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
854d3053 by Fraser Tweedale at 2019-06-18T00:36:24Z
Handle missing LWCA certificate or chain
If lightweight CA key replication has not completed, requests for
the certificate or chain will return 404**. This can occur in
normal operation, and should be a temporary condition. Detect this
case and handle it by simply omitting the 'certificate' and/or
'certificate_out' fields in the response, and add a warning message
to the response.
Also update the client-side plugin that handles the
--certificate-out option. Because the CLI will automatically print
the warning message, if the expected field is missing from the
response, just ignore it and continue processing.
** after the Dogtag NullPointerException gets fixed!
Part of: https://pagure.io/freeipa/issue/7964
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
c027b933 by Christian Heimes at 2019-06-18T00:36:24Z
Fix CustodiaClient ccache handling
A CustodiaClient object has to the process environment a bit, e.g. set
up GSSAPI credentials. To reuse the credentials in libldap connections,
it is also necessary to set up a custom ccache store and to set the
environment variable KRBCCNAME temporarily.
Fixes: https://pagure.io/freeipa/issue/7964
Co-Authored-By: Fraser Tweedale <ftweedal at redhat.com>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
e08a340a by Armando Neto at 2019-06-18T04:15:15Z
Add Fedora 30 test definitions and bump template version
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
3a233a90 by François Cami at 2019-06-19T01:09:53Z
nfs.py: fix user creation
nfs.py calls "ipa user-add" without inputting the password twice
leading to a timeout. Input password twice then.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d16dd2fd by Stanislav Levin at 2019-06-19T09:20:14Z
Fix Pytest4.1+ warnings about pytest.config
pytest.config global is deprecated since Pytest4.1:
https://docs.pytest.org/en/latest/deprecations.html#pytest-config-global
https://github.com/pytest-dev/pytest/issues/3050
Fixes: https://pagure.io/freeipa/issue/7981
Co-authored-by: Christian Heimes <cheimes at redhat.com>
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
9836511a by Stanislav Levin at 2019-06-19T09:20:14Z
Fix Pytest4.x warning about `message`
"message" parameter of pytest.raises is deprecated since Pytest4.1:
```
It is a common mistake to think this parameter will match the
exception message, while in fact it only serves to provide a custom
message in case the pytest.raises check fails.
```
That was the truth for test_unrecognised_attr_type_raises, which has
wrongly checked an exception message.
Fixes: https://pagure.io/freeipa/issue/7981
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d86b57c0 by Stanislav Levin at 2019-06-19T09:39:51Z
Make use of the single configuration point for the default shells
For now all the default shells of users and admin are hardcoded in
different parts of the project. This makes it impossible to run the
test suite against the setup, which has the default shell differed
from '/bin/sh'.
The single configuration point for the shell of users and admin is
added to overcome this limitation.
Fixes: https://pagure.io/freeipa/issue/7978
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6d02eddd by Christian Heimes at 2019-06-24T07:35:57Z
Replace PYTHONSHEBANG with valid shebang
Replace the @PYTHONSHEBANG@ substitution with a valid #!/usr/bin/python3
shebang. This turns Python .in files into valid Python files. The files
can now be checked with pylint and IDEs recognize the files as Python
files.
The shebang is still replaced with "#!$(PYTHON) -E" to support
platform-python.
Related: https://pagure.io/freeipa/issue/7984
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
ac86707d by Christian Heimes at 2019-06-24T08:00:37Z
Increase default debug level of certmonger
By default certmonger does not log operations. With debug level 2,
certmonger logs errors and operations to journald. An increased debug
level makes it easier to investigate problems.
Fixes: https://pagure.io/freeipa/issue/7986
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0184e967 by Rob Crittenden at 2019-06-24T12:04:03Z
Log the raised message when DNS check_zone_overlap fails
The check can fail for a lot of other reasons than there is
overlap so the error should be logged.
This causes confusion when --auto-reverse is requested and
some lookup fails causing the reverse to not be created.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
8f7d3335 by Stanislav Levin at 2019-06-25T13:33:06Z
Make use of `named` well-known service
The systemd unit name of `named`(which is actually used) is platform-dependent:
debian - bind9-pkcs11.service
fedora - named-pkcs11.service
redhat - named-pkcs11.service
Other systems may have their own name of `bind` service.
But the default one (`named-pkcs11`) is assumed in many tests.
Of course, these tests fail on such platforms.
This can be easily fixed.
All platforms define well-knownservice `named`, which is linked to
the actually utilized one.
Fixes: https://pagure.io/freeipa/issue/7990
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e9c4dcdb by Florence Blanc-Renaud at 2019-06-25T15:02:59Z
stageuser-find: fix search with non-posix user
ipa stageuser-find fails to return a staged user if it does not
contain the posixaccount objectclass.
The code is replacing the search filter (objectclass=posixaccount)
with (|(objectclass=posixaccount)(objectclass=inetorgperson)) so it
should work in theory.
The issue is that on python2 the filter has been hexlified before
reaching the stageuser plugin, hence filter.replace does not recognize
the pattern (objectclass=posixaccount).
The fix consists in creating the filter with a call to
ldap.make_filter_from_attr()
that will hexlify too, if needed.
Fixes: https://pagure.io/freeipa/issue/7983
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0294ad21 by Florence Blanc-Renaud at 2019-06-25T15:02:59Z
ipatests: add a test for stageuser-find with non-posix account
Add a new XMLRPC test with the following scenario:
- ldapadd a user without the posixaccount objectclass
- call ipa stageuser-find <user>
- check that 1 entry is returned
Related: https://pagure.io/freeipa/issue/7983
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
34bfffd1 by Alexander Bokovoy at 2019-06-26T08:50:45Z
adtrust upgrade: fix wrong primary principal name
Upgrade code had Kerberos principal names mixed up: instead of creating
krbtgt/LOCAL-FLAT at REMOTE and marking LOCAL-FLAT$@REMOTE as an alias to
it, it created LOCAL-FLAT$@REMOTE Kerberos principal and marked
krbtgt/LOCAL-FLAT at REMOTE as an alias.
This differs from what Active Directory expects and what is created by
ipasam plugin when trust is established. When upgrading such deployment,
an upgrade code then unexpectedly failed.
Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cc348b99 by François Cami at 2019-06-26T10:55:06Z
ipa-client-automount: fix '--idmap-domain DNS' logic
Previously '--idmap-domain DNS' would assume the Domain
parameter of idmapd.conf was already absent. With this
fix, the Domain parameter is always removed and the
configuration file is always backuped.
Related-to: https://pagure.io/freeipa/issue/7918
Fixes: https://pagure.io/freeipa/issue/7988
Signed-off-by: François Cami fcami at redhat.com
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
694c3667 by François Cami at 2019-06-26T10:55:06Z
ipatests: add proper timeouts to nfs.py
When tests for https://pagure.io/freeipa/issue/7918 were
written no sleep interval was provided between calls to
ipa-client-automount leading to random test failures.
Add sleep intervals.
Related-to: https://pagure.io/freeipa/issue/7918
Related-to: https://pagure.io/freeipa/issue/7988
Signed-off-by: François Cami fcami at redhat.com
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b5bb436e by Stanislav Levin at 2019-06-26T17:47:58Z
Exit on fail in azure multiline script
By default, the `last` exit code returned from Azure script will be
checked and, if non-zero, treated as a step failure. Luckily,
for Linux script is a shortcut for Bash. Hence errexit/e option
could be applied. But Azure pipelines doesn't set it by default:
https://github.com/microsoft/azure-pipelines-agent/issues/1803
For multiline script this is a problem, unless otherwise designed.
Some of benefits of checking the result of each subcommand:
- preventing subsequent issues (broken packages, container images, etc.)
- time saving (next steps will not run)
- good diagnostics (tells which part of script fails)
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
881ec5a3 by Serhii Tsymbaliuk at 2019-06-27T08:10:40Z
WebUI: Fix 'user not found' traceback on user ID override details page
Disable link to user page from user ID override in case it is in 'Default Trust View'
Ticket: https://pagure.io/freeipa/issue/7139
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
7af4c7d4 by Alexander Bokovoy at 2019-06-27T13:50:15Z
adtrust upgrade: fix wrong primary principal name, part 2
Second part of the trust principals upgrade
For existing LOCAL-FLAT$@REMOTE object, convert it to
krbtgt/LOCAL-FLAT at REMOTE and add LOCAL-FLAT$@REMOTE as an alias. To do
so we need to modify an entry content a bit so it is better to remove
the old entry and create a new one instead of renaming.
Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
54836bce by François Cami at 2019-06-27T17:49:50Z
test_nfs.py: change pr-ci configuration to run on master_2repl_1client
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
c0cf65c4 by François Cami at 2019-06-28T08:53:07Z
Move ipa-client-automount.in and ipactl into modules
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b49c627a by François Cami at 2019-06-28T08:53:07Z
ipa_client_automount.py and ipactl.py: fix codestyle
Updating ipa_client_automount.py and ipactl.py's codestyle is
mandatory to make pylint pass as these are considered new files.
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
37ab150c by François Cami at 2019-06-28T08:53:07Z
Introduce minimal ipa-client-automount.in and ipactl.in
Now that ipa-client-automount and ipactl main logic has been
moved into modules, introduce minimal executables.
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6c9fcccf by Alexander Bokovoy at 2019-06-28T11:30:59Z
trust-fetch-domains: make sure we use right KDC when --server is specified
Since we are authenticating against AD DC before talking to it (by using
trusted domain object's credentials), we need to override krb5.conf
configuration in case --server option is specified.
The context is a helper which is launched out of process with the help
of oddjobd. The helper takes existing trusted domain object, uses its
credentials to authenticate and then runs LSA RPC calls against that
trusted domain's domain controller. Previous code directed Samba
bindings to use the correct domain controller. However, if a DC visible
to MIT Kerberos is not reachable, we would not be able to obtain TGT and
the whole process will fail.
trust_add.execute() was calling out to the D-Bus helper without passing
the options (e.g. --server) so there was no chance to get that option
visible by the oddjob helper.
Also we need to make errors in the oddjob helper more visible to
error_log. Thus, move error reporting for a normal communication up from
the exception catching.
Resolves: https://pagure.io/freeipa/issue/7895
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
986e16da by Anuja More at 2019-06-28T12:26:20Z
ipatests: POSIX attributes are no longer overwritten or missing
Added test which validates that POSIX attributes, such
as shell or home directory, are no longer overwritten or missing.
Related Ticket : https://pagure.io/SSSD/sssd/issue/2474
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
84201e1d by Alexander Bokovoy at 2019-06-29T08:00:28Z
adtrust: add design document for Samba domain member on IPA client
Document general design for Samba file server running on IPA client as a
domain member in IPA domain.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
cdb94e0f by Alexander Bokovoy at 2019-06-29T08:00:28Z
ipaserver.install.installutils: move commonly used utils to ipapython.ipautil
When creating ipa-client-samba tool, few common routines from the server
installer code became useful for the client code as well.
Move them to ipapython.ipautil and update references as well.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d85e0550 by Alexander Bokovoy at 2019-06-29T08:00:28Z
ipapython.ipautil.run: allow skipping stdout/stderr logging
There are cases when output from a utility run contains sensitive
content that is better to avoid logging. For example, klist can be told
to show actual encryption keys with -K option. Redacting them out with
nolog option to ipapython.ipautil.run() is not possible because
replacement routine expects exact matches.
Introduce two boolean options that allow to skip printing output from
the utility being run:
-- nolog_output: skip printing captured stdout
-- nolog_error: skip printing captured stderr
These options default to False (thus, stdout/stderr content will
continue to be printed). In case they were set to True, corresponding
line will contain
stdout=<REDACTED>
or
stderr=<REDACTED>
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a4235262 by Alexander Bokovoy at 2019-06-29T08:00:28Z
ipasam: add lookup of an account by SID
Samba may ask for an account based on a SID value. Implement a callback
to return a result of such lookup since we should have SID for every
domain account that is supposed to be usable through SMB protocol.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
91abd1f6 by Alexander Bokovoy at 2019-06-29T08:00:28Z
ipasam: add handling of machine accounts
Domain member is represented for SMB as a machine account with
NetBIOS name ending with '$', e.g. 'FILESERVER$'. Such name will need to
be resolved as a POSIX account by smbd at some point but first we need
to make sure it is returned as a machine account through PASSDB layer.
In addition to that, machine accounts are normal Kerberos services,
named as 'cifs/<hostname>@REALM'. This name also will need to be
resolved as a POSIX account by smbd on the domain controller.
These two factors mean that LDAP entry for SMB kerberos service has to
have multiple 'uid' values. This is allowed by the LDAP schema and we
need to support it in ipasam.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
653f7207 by Alexander Bokovoy at 2019-06-29T08:00:28Z
kdb: support SMB services on IPA domain members
SMB service on IPA domain member will have both ipaIDOjbect and ipaUser
object classes. Such service will have to be treated as a user in order
to issue MS-PAC record for it.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
d631e008 by Alexander Bokovoy at 2019-06-29T08:00:28Z
adtrust: update Samba domain controller keytab with host keys
When DCERPC clients use Kerberos authentication, they use a service
ticket to host/domain.controller because in Active Directory any
service on the host is an alias to the machine account object.
In FreeIPA each Kerberos service has own keys so host/.. and cifs/..
do not share the same keys. It means Samba suite needs to have access to
host/.. keytab entries to validate incoming DCERPC requests.
Unfortunately, MIT Kerberos has no means to operate on multiple keytabs
at the same time and Samba doesn't implement this either. We cannot use
GSS-Proxy as well because Samba daemons are running under root.
As a workaround, copy missing aes256 and aes128 keys from the host
keytab. SMB protocol doesn't use other encryption types and we don't
have rc4-hmac for the host either.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
afb8305a by Alexander Bokovoy at 2019-06-29T08:00:28Z
ipaserver.plugins.service: add service-add-smb to set up an SMB service
SMB service has a number of predefined properties that must be set at a
creation time. Thus, we provide a special command that handles all the
needed changes. In addition, since SMB principal name is predefined, it
is generated automatically based on the machine hostname.
Since we generate the service's object primary key, its argument/option
should be removed from the list of the command's arguments and options.
We also remove those options that make no sense in the context of SMB
service.
Most controversial would probably be a lack of the authentication
indicator that could be associated with the service. However, this is
intended: SMB service on the domain member is used by both humans and
other SMB services in the domain. Thus, it is not possible to require a
specific authentication indicator to be present: automated acquisition
of the credentials by a domain controller or other domain member machine
accounts is based on a single factor creds and cannot be changed.
Access to SMB service should be regulated on the SMB protocol level,
with access controls in share ACLs.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
814592cf by Alexander Bokovoy at 2019-06-29T08:00:28Z
ipa-client-samba: a tool to configure Samba domain member on IPA client
Introduces new utility to configure Samba on an IPA domain member.
The tool sets up Samba configuration and internal databases, creates
cifs/... Kerberos service and makes sure that a keytab for this service
contains the key with the same randomly generated password that is set
in the internal Samba databases.
Samba configuration is created by querying an IPA master about details
of trust to Active Directory configuration. All known identity ranges
added to the configuration to allow Samba to properly handle them
(read-only) via idmap_sss.
Resulting configuration allows connection with both NTLMSSP and Kerberos
authentication for IPA users. Access controls for the shared content
should be set by utilizing POSIX ACLs on the file system under a
specific share.
The utility is packaged as freeipa-client-samba package to allow pulling
in all required dependencies for Samba and cifs.ko (smb3.ko) kernel
module. This allows an IPA client to become both an SMB server and an
SMB client.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e25392e9 by Alexander Bokovoy at 2019-06-29T08:00:28Z
prci: add test_integration/test_smb to the gating set
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6b2efdfa by François Cami at 2019-06-29T09:29:46Z
Makefile.am: add .in files to fastlint target
Previously fastlint would only process .py files.
Detect which .in files are in fact Python files and add
them to the list of files to process during the fastlint
Makefile target.
Original change suggested by Alexander Bokovoy.
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
93dc2d56 by Serhii Tsymbaliuk at 2019-07-01T07:05:07Z
WebUI: Disable 'Unlock' action for users with no password
Administrator should reset user password to make the unlock option available.
Ticket: https://pagure.io/freeipa/issue/5062
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dd7198ac by Serhii Tsymbaliuk at 2019-07-01T07:10:01Z
WebUI: Fix automount maps pagination
Apply pagination filter for cases when all table data is already loaded.
Ticket: https://pagure.io/freeipa/issue/6627
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bb91fcab by Florence Blanc-Renaud at 2019-07-01T07:16:21Z
dnsrecord-mod: allow to modify ttl without passing the record
The command
ipa dnsrecord-mod <zone> <record> --ttl
requires to provide at least one record to modify. When none
is specified, it prompts by proposing each of the existing records,
for instance:
ipa dnsrecord-mod ZZZZZ.org ns11 --ttl=86400
No option to modify specific record provided.
Current DNS record contents:
A record: xxx.xxx.xxx.xxx
AAAA record: xxxx:xx
Modify A record 'xxxx.xxxx.xxxx.xxxx'? Yes/No (default No):
Modify AAAA record 'xxxx:xx'? Yes/No (default No):
ipa: ERROR: No options to modify a specific record provided.
The admin should be able to modify the TTL value without
re-entering the record information. The issue happens because of an
internal check that forgot to consider 'dnsttl' as a valid standalone
modification.
Fixes: https://pagure.io/freeipa/issue/7982
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f25a7c2e by Florence Blanc-Renaud at 2019-07-01T07:16:21Z
XMLRPC tests: add new test for ipa dsnrecord-mod $ZONE $RECORD --ttl
The test suite did not have any test for modification of the TTL
of an existing DNS record.
Related: https://pagure.io/freeipa/issue/7982
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
339771b0 by Tibor Dudlák at 2019-07-01T11:21:21Z
Remove unreachable code
Removing same elsif from install_check method.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
c18ee9b6 by Tibor Dudlák at 2019-07-01T11:21:21Z
Add SMB attributes for users
SMB attributes are used by Samba domain controller when reporting
details about IPA users via LSA DCE RPC calls.
Based on the initial work from the external plugin:
https://github.com/abbra/freeipa-user-trust-attributes
Related: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Tibor Dudlák <tdudlak at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
215e8f76 by Stanislav Levin at 2019-07-01T11:44:57Z
Fix a typo in `replace` rule of 50-ipaconfig.update
According to ipaserver/install/ldapupdate.py, the format of `replace`
action (during a parsing of update files) should be `old::new`.
By now, the value to be replaced on is 'ipaSELinuxUserMapOrder: guest_u$$...',
while it should be 'guest_u$$...'.
Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b2acd650 by Stanislav Levin at 2019-07-01T11:44:57Z
Make use of single configuration point for SELinux
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.
This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER
and applies corresponding changes to the test code.
Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c484d79e by Rob Crittenden at 2019-07-01T12:55:29Z
For Fedora and RHEL use system-wide crypto policy for mod_ssl
Drop the SSLProtocol directive for Fedora and RHEL systems. mod_ssl
will use crypto policies for the set of protocols.
For Debian systems configure a similar set of protocols for what
was previously configured, but do it in a different way. Rather than
iterating the allowed protocols just include the ones not allowed.
Fixes: https://pagure.io/freeipa/issue/7667
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b57c818f by Christian Heimes at 2019-07-01T12:55:29Z
Use only TLS 1.2 by default
TLS 1.3 is causing some trouble with client cert authentication.
Conditional client cert authentication requires post-handshake
authentication extension on TLS 1.3. The new feature is not fully
implemented yet.
TLS 1.0 and 1.1 are no longer state of the art and now disabled by
default.
TLS 1.2 works everywhere and supports PFS.
Related: https://pagure.io/freeipa/issue/7667
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a43100ba by Rob Crittenden at 2019-07-02T07:35:00Z
Don't configure disabled krb5 enctypes in FIPS mode
The only permitted ciphers are the AES family (called aes, which
is the combination of: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and
aes128-cts-hmac-sha256-128).
DES, RC4, and Camellia are not permitted in FIPS mode. While 3DES
is permitted, the KDF used for it in krb5 is not, and Microsoft
doesn't implement 3DES anyway.
This is only applied on new installations because we don't
allow converting a non-FIPS install into a FIPS one.
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dd9fd097 by Rob Crittenden at 2019-07-02T07:35:00Z
Remove DES3 and RC4 enctypes from Kerberos
These are already marked as deprecated by the KDC.
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
258cacb1 by Rob Crittenden at 2019-07-02T07:35:00Z
Add test_smb to night Fedora 30 test suite
This exercises the removal of 3DES and RC4 via Samba.
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e6b28947 by Alexander Bokovoy at 2019-07-02T07:36:28Z
translations: update from Zanata Spanish and Ukrainian translations
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
71884176 by Florence Blanc-Renaud at 2019-07-02T07:41:25Z
ipatests: fix ipatests/test_xmlrpc/test_dns_plugin.py
The test is calling dnsrecord-mod --ttl and should expect a unicode
value in order to be python2/python3 compatible.
Related: https://pagure.io/freeipa/issue/7982
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
672d808e by Armando Neto at 2019-07-02T10:16:24Z
prci: bump ci-master-f30 template
No major changes, dependencies updated.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
b5534488 by Christian Heimes at 2019-07-02T14:38:00Z
Use system-wide crypto policy for TLS ciphers
IPA now uses the system-wide crypto policy for TLS ciphers on RHEL. It's
also now possible to keep the default policy by setting TLS_HIGH_CIPHERS
to None.
Fixes: https://pagure.io/freeipa/issue/7998
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f6b07c19 by Armando Neto at 2019-07-03T06:07:32Z
prci: fix nightly_master test definitions
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
7027f791 by François Cami at 2019-07-03T06:13:39Z
Make dnf more robust and faster
Sometimes the prepare-build step of azure pipelines fails
with download errors:
"configure: error: Package requirements (nspr) were not met:"
This can be due to fastestmirror not being used to check
mirror availability and sometimes speed. Combined with a
too-low default number of retries, and a high timeout this
can lead to download failures that could be avoided.
Activate fastestmirror, add more download workers, and tune
timeout/retries to make dnf more reliable.
Fixes: https://pagure.io/freeipa/issue/7999
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
15db8785 by Alexander Bokovoy at 2019-07-03T06:29:22Z
Become IPA 4.8.0
- - - - -
c2ac85ac by Christian Heimes at 2019-07-04T11:41:19Z
Use nis-domainname.service on all RH platforms
RHEL 8 and Fedora >= 29 use "nis-domainname.service" as service name for
domainname service. Remove special code in ipaplatform.rhel and for Fedora
< 28. Only Fedora 29+ is supported by IPA 4.8.
Fixes: https://pagure.io/freeipa/issue/8004
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
64a2b3fd by Sergey Orlov at 2019-07-08T11:02:09Z
ipatests: add test for sudo with runAsUser and domain resolution order.
Running commands with sudo as specific user should succeed
when sudo rule has ipasudorunas field defined with value of that user
and domain-resolution-order is defined in ipa config.
Relates to https://pagure.io/SSSD/sssd/issue/3957
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
50d8a400 by Sergey Orlov at 2019-07-08T11:02:09Z
ipatests: mark test_domain_resolution_order as expectedly failing
SSSD fix have not yet landed in Fedora 29 and below.
Relates to https://pagure.io/SSSD/sssd/issue/3957
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
fe8cd4f5 by François Cami at 2019-07-08T19:02:42Z
ipatests/azure: display actual dnf repo URLs
Display which dnf repositories were available at the
prepare-build step via metalink.
Also display the fastestmirror cache.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
96af5394 by Stanislav Levin at 2019-07-16T06:56:46Z
Fix `test_webui.test_selinuxusermap`
A previous refactoring of SELinux tests has have a wrong
assumption about the user field separator within
ipaSELinuxUserMapOrder. That was '$$', but should be just '$'.
Actually, '.ldif' and '.update' files are passed through
Python template string substitution:
> $$ is an escape; it is replaced with a single $.
> $identifier names a substitution placeholder matching
> a mapping key of "identifier"
This means that the text to be substituted on should not be escaped.
The wrong ipaSELinuxUserMapOrder previously set will be replaced on
upgrade.
Fixes: https://pagure.io/freeipa/issue/7996
Fixes: https://pagure.io/freeipa/issue/8005
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0587718b by Florence Blanc-Renaud at 2019-07-16T07:18:10Z
upgrade: remove ipaCert and key from /etc/httpd/alias
With ipa 4.5+, the RA cert is stored in files in
/var/lib/ipa/ra-agent.{key|pem}. The upgrade code handles
the move from /etc/httpd/alias to the files but does not remove
the private key from /etc/httpd/alias.
The fix calls certutil -F -n ipaCert to remove cert and key,
instead of -D -n ipaCert which removes only the cert.
Fixes: https://pagure.io/freeipa/issue/7329
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
14407bb9 by Sergey Orlov at 2019-07-16T10:18:40Z
ipatests: new test for trust with partially unreachable AD topology
Establishing trust with partially unavailable AD hosts require usage
of --server option. The new test checks that both commands trust-add
and trust-fetch-domains properly use this option and also that
trust-add correctly passes the server value when imlicitly invoking
trust-fetch-domains.
Relates to: https://pagure.io/freeipa/issue/7895.
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
8aa3ef06 by Stanislav Levin at 2019-07-16T15:25:16Z
Simplify ipa-run-tests script
This is a sort of rollback to the pre #93c158b05 state with
several improvements.
For now, the nodeids calculation by ipa-run-tests is not stable,
since it depends on current working directory. Nodeids (tests
addresses) are utilized by the other plugins, for example.
Unfortunately, the `pytest_load_initial_conftests` hook doesn't
correctly work with pytest internal paths, since it is called
after the calculation of rootdir was performed, for example.
Eventually, it's simpler to follow the default convention for
Python test discovery.
There is at least one drawback of new "old" implementation.
The ignore rules don't support globs, because pytest 4.3.0+
has the same facility via `--ignore-glob`:
> Add the `--ignore-glob` parameter to exclude test-modules with
> Unix shell-style wildcards. Add the collect_ignore_glob for
> conftest.py to exclude test-modules with Unix shell-style
> wildcards.
Upon switching to pytest4 it will be possible to utilize this.
Anyway, tests for checking current basic facilities of
ipa-run-tests were added.
Fixes: https://pagure.io/freeipa/issue/8007
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5780d6ab by Stanislav Levin at 2019-07-16T15:25:16Z
Make use of Azure Pipeline slicing
The unit tests execution time within Azure Pipelines(AP) is not
balanced. One test job(Base) takes ~13min, while another(XMLRPC)
~28min. Fortunately, AP supports slicing:
> An agent job can be used to run a suite of tests in parallel. For
example, you can run a large suite of 1000 tests on a single agent.
Or, you can use two agents and run 500 tests on each one in parallel.
To leverage slicing, the tasks in the job should be smart enough to
understand the slice they belong to.
>The step that runs the tests in a job needs to know which test slice
should be run. The variables System.JobPositionInPhase and
System.TotalJobsInPhase can be used for this purpose.
Thus, to support this pytest should know how to split the test suite
into groups(slices). For this, a new internal pytest plugin was added.
About plugin.
- Tests within a slice are grouped by test modules because not all of
the tests within the module are independent from each other.
- Slices are balanced by the number of tests within test module.
- To run some module within its own environment there is a dedicated
slice option (could help with extremely slow tests)
Examples.
- To split `test_cmdline` tests into 2 slices and run the first one:
ipa-run-tests --slices=2 --slice-num=1 test_cmdline
- To split tests into 2 slices, then to move one module out to its own slice
and run the second one:
ipa-run-tests --slices=2 --slice-dedicated=test_cmdline/test_cli.py \
--slice-num=2 test_cmdline
Fixes: https://pagure.io/freeipa/issue/8008
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0ec908bd by Stanislav Levin at 2019-07-16T15:25:16Z
Avoid use of '/tmp' for pip operations
`ipa-run-tests` is not an entry_point script, so
pip during an installation of ipatests package checks
if the file path is executable. If not - just don't set
the executable permission bits.
pip's working directory defaults to /tmp/xxx.
Thus, if /tmp is mounted with noexec such scripts lose
their executable ability after an installation into
virtualenv. This was found on Travis +
freeipa/freeipa-test-runner:master-latest docker image.
Build directory of pip could be changed via env variable
PIP_BUILD, for example.
Fixes: https://pagure.io/freeipa/issue/8009
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7d3d3078 by Alexander Bokovoy at 2019-07-17T12:11:49Z
Fix rpmlint errors for Rawhide
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
2d348aa5 by Alexander Bokovoy at 2019-07-17T12:11:49Z
Use any nodejs version instead of forcing a version before nodejs 11
Fedora nodejs builds were fixed, we don't need to limit ourselves
anymore.
Also, make sure python3-pyyaml is installed because pylint in Fedora 31
detects its use in contribs/
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
800545c4 by Alexander Bokovoy at 2019-07-17T12:11:49Z
Use stage and phase attempt counters when saving test artifacts
Azure Pipelines provide counters for running test jobs, these split into
System.StageAttempt and System.PhaseAttempt. Use them to make test
artifacts unique.
For XML test results we don't need to name them differently as they
aren't uploaded as artifacts but rather presented in a separate test
pane.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
f9551453 by Alexander Bokovoy at 2019-07-18T06:57:30Z
Add altSecurityIdentities attribute from MS-WSPP schema definition
Active Directory schema includes altSecurityIdentities attribute
which presents alternative security identities for a bindable object in
Active Directory.
FreeIPA doesn't currently use this attribute. However, SSSD certmap
library may generate searches referencing the attribute if it is
specified in the certificate mapping rule. Such search might be
considered unindexed in 389-ds.
Define altSecurityIdentities attribute to allow specifying indexing
rules for it.
Fixes: https://pagure.io/freeipa/issue/7932
Related: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0841d8b4 by Alexander Bokovoy at 2019-07-18T06:57:30Z
Create indexes for altSecurityIdentities and ipaCertmapData attributes
During an investigation into filter optimisation in 389DS it was
discovered that two attributes of the certmap query are unindexed.
Due to the nature of LDAP filters, if any member of an OR query is
unindexed, the entire OR becomes unindexed.
This is then basically a full-table scan, which applies the filter test
to the contained members.
Fixes: https://pagure.io/freeipa/issue/7932
Fixes: https://pagure.io/freeipa/issue/7933
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
14ddf7b8 by Alexander Bokovoy at 2019-07-18T06:57:30Z
certmap rules: altSecurityIdentities should only be used for trusted domains
IPA LDAP has no altSecurityIdentities in use, it only should apply to
identities in trusted Active Directory domains.
Add checks to enforce proper certmap rule attribution for specific
Active Directory domains.
Related: https://pagure.io/freeipa/issue/7932
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
2e372053 by Alexander Bokovoy at 2019-07-18T06:57:30Z
certmaprule: add negative test for altSecurityIdentities
Try to create a certmap rule that mentiones altSecurityIdentities in its
mapping rule but uses IPA domain to apply to. It should fail with
ValidationError.
Related: https://pagure.io/freeipa/issue/7932
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d0d29ccc by Fraser Tweedale at 2019-07-18T07:01:25Z
move MSCSTemplate classes to ipalib
As we expand the integration tests for external CA functionality, it
is helpful (and avoids duplication) to use the MSCSTemplate*
classes. These currently live in ipaserver.install.cainstance, but
ipatests is no longer permitted to import from ipaserver (see commit
81714976e5e13131654c78eb734746a20237c933). So move these classes to
ipalib.
Part of: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e632b220 by Fraser Tweedale at 2019-07-18T07:01:25Z
install: fix --external-ca-profile option
Commit dd47cfc75a69618f486abefb70f2649ebf8264e7 removed the ability
to set pki_req_ext_oid and pki_req_ext_data in the pkispawn config.
This results in the --external-ca-profile option never setting the
requested values in the CSR (the default V1 template type specifying
"SubCA" is always used).
Remove relevant fields from both ipaca_default.ini and
ipaca_customize.ini. This allows the IPA framework to set the
values (i.e. when --external-ca-type=ms-cs and
--external-ca-profile=... demand it). It also allows users to
override the pki_req_ext_* settings.
Part of: https://pagure.io/freeipa/issue/7548
Related: https://pagure.io/freeipa/issue/5608
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
71af731b by Fraser Tweedale at 2019-07-18T07:01:25Z
Fix use of incorrect variable
Part of: https://pagure.io/freeipa/issue/7548
Related: https://pagure.io/freeipa/issue/5608
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
83ed0572 by Fraser Tweedale at 2019-07-18T07:01:25Z
Add more tests for --external-ca-profile handling
Add tests for remaining untested scenarios of --external-ca-profile
handling in ipa-server-install.
ipa-ca-install and ipa-cacert-manage remain untested at present.
Fixes: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a627df87 by Fraser Tweedale at 2019-07-18T07:01:25Z
Collapse --external-ca-profile tests into single class
To avoid having to spawn new CI hosts for each kind of
--external-ca-profile argument we are testing, collapse the three
separate test classes into one. Uninstall the half-installed IPA
after each section of tests.
This change is in response to review comment
https://github.com/freeipa/freeipa/pull/2852#pullrequestreview-220442170.
Part of: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
740964c3 by Fraser Tweedale at 2019-07-18T07:01:25Z
ci: add --external-ca-profile tests to nightly
Part of: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
011c5283 by Fraser Tweedale at 2019-07-18T07:01:25Z
ci: add --external-ca-profile tests to gating
Part of: https://pagure.io/freeipa/issue/7548
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
2f9cbffb by Rob Crittenden at 2019-07-19T19:16:16Z
Remove posixAccount from service_find search filter
This will allow cifs principals to be found. They were suppressed
because they include objectclass=posixAccount.
This is a bit of a historical anomaly. This was included in the
filter from the initial commit (though it was person, not
posixAccount). I believe it was a mistake from the beginning but
it wasn't noticed because it didn't cause any obvious issues.
https://pagure.io/freeipa/issue/8013
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
29064494 by Fraser Tweedale at 2019-07-22T06:00:18Z
dogtaginstance: add profile to tracking requests
Enabling "fresh" renewals (c.f. "renewal"-based renewals that
reference the expired certificate and its associated request object)
will improve renewal robustness.
To use fresh renewals the tracking request must record the profile
to be used. Make dogtaginstance record the profile when creating
tracking requests for both CA and KRA.
Note that 'Server-Cert cert-pki-ca' and the 'IPA RA' both use
profile 'caServerCert', which is the default (according to
dogtag-ipa-renew-agent which is part of Certmonger). So we do not
need any special handling for those certificates.
This commit does not handle upgrade. It will be handled in a
subsequent commit.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6fc44bdc by Fraser Tweedale at 2019-07-22T06:00:18Z
upgrade: add profile to Dogtag tracking requests
To use profile-based renewal (rather than "renewal existing cert"
renewal which is brittle against database corruption or deleted
certificate / request objects), Certmonger tracking requests for
Dogtag system certs must record the profile to be used.
Update the upgrade method that checks tracking requests to look for
the profile. Tracking requests will be recreated if the expected
data are not found. The code that actually adds the tracking
requests was updated in a previous commit.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
34c51eaa by Fraser Tweedale at 2019-07-22T06:00:18Z
certmonger: use long options when invoking dogtag-ipa-renew-agent
To aid reader comprehension, use long options instead of short
options when invoking dogtag-ipa-renew-agent.
-N -> --force-new
-O -> --approval-option
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ec5eb844 by Fraser Tweedale at 2019-07-22T06:00:18Z
dogtag-ipa-ca-renew-agent: always use profile-based renewal
Update the renewal helper to always request a new certificate
("enrollment request") instead of using "renewal request". The
latter is brittle in the face of:
- missing certificate record in database
- missing original request record in database (pointed to by
certificate record)
- "mismatched" certificate or request records (there have been many
cases of this; it is suspected that request/serial range conflicts,
or something similar, may be the cause)
The Dogtag tracking request must know what profile to use, except
where the certificate uses the default profile ("caServerCert" per
'dogtag-ipa-renew-agent' implementation in Certmonger itself).
This part of the puzzle was dealt with in previous commits.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
19f1f102 by Fraser Tweedale at 2019-07-22T06:00:18Z
dogtaginstance: avoid special cases for Server-Cert
The Dogtag "Server-Cert cert-pki-ca" certificate is treated
specially, with its own track_servercert() method and other special
casing. But there is no real need for this - the only (potential)
difference is the token name. Account for the token name difference
with a lookup method and treat all Dogtag system certs equally
w.r.t. tracking request creation and removal.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1f9d1ba2 by Fraser Tweedale at 2019-07-22T06:00:18Z
upgrade: always add profile to tracking requests
The profile for every Dogtag system cert tracking request is now
explicitly specified. So remove the code that handled unspecified
profiles.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
80895dd6 by Fraser Tweedale at 2019-07-22T06:00:18Z
upgrade: update KRA tracking requests
The upgrade routine checks tracking requests for CA system
certificates, IPA RA and HTTP/LDAP/KDC service certificates. If a
tracking request matching our expectations is not found, we stop
tracking all certificates, then create new tracking requests with
the correct configuration.
But the KRA was left out. Add checks for KRA certificates, and
remove/recreate KRA tracking requests when appropriate.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f64c3690 by Fraser Tweedale at 2019-07-22T06:00:18Z
upgrade: log missing/misconfigured tracking requests
For better diagnostics during upgrade, log the Certmonger tracking
requests that were not found (either because they do not exist, or
do not have the expected configuration).
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5194bec9 by Fraser Tweedale at 2019-07-22T06:00:18Z
upgrade: fix spurious certmonger re-tracking
The search for the HTTP Certmonger tracking request uses an
incorrect parameter ('key-storage'), triggering removal and
recreation of tracking requests on every upgrade. Replace
'key-storage' with the correct parameter, 'key-file'.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4758a4a0 by Fraser Tweedale at 2019-07-22T06:00:18Z
cainstance: add profile to IPA RA tracking request
Profile-based renewal means we should always explicitly specify the
profile in tracking requests that use the dogtag-ipa-ca-renew-agent
renewal helper. This includes the IPA RA agent certificate. Update
CAInstance.configure_agent_renewal() to add the profile to the
tracking request. This also covers the upgrade scenario (because
the same method gets invoked).
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
27ea7dbf by Fraser Tweedale at 2019-07-22T06:00:18Z
Use RENEWAL_CA_NAME and RA_AGENT_PROFILE constants
Replace renewal CA and profile name literals with corresponding
symbols from ipalib.constants.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f8f8289c by Fraser Tweedale at 2019-07-22T06:00:18Z
ipatests: test ipa-server-upgrade in CA-less deployment
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
46792fbc by Rob Crittenden at 2019-07-22T06:00:18Z
httpinstance: add pinfile when tracking certificate
When the HTTP certificate gets untracked then tracked again, it
loses its pin file. Ensure we add the pin file when (re-)tracking
the HTTP certificate.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
860b6f64 by Fraser Tweedale at 2019-07-22T06:00:18Z
dsinstance: add proflie when tracking certificate
When the DS certificate gets untracked then tracked again (via
dsinstance.start_tracking_certificate()), it loses its profile
configuration. Although it is the default profile, we want to
retain the explicit reference. Ensure we add the profile when
re-tracking the DS certificate.
Part of: https://pagure.io/freeipa/issue/7991
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6ddd3b89 by Serhii Tsymbaliuk at 2019-07-22T11:33:54Z
WebUI tests: Fix timeout issues for reset password tests
- Increase wait timeout after password reset
- Wait for server response after login in TestLoginScreen.test_reset_password_and_login_view
Ticket: https://pagure.io/freeipa/issue/8012
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
279bb8fb by Florence Blanc-Renaud at 2019-07-26T09:53:13Z
Azure pipeline: report failure in prepare-build step
The azure pipeline defines a "prepare build" step that
installs the FreeIPA development dependencies but the
step does not report failures of the dnf builddep command.
As a consequence, subsequent steps may fail (for instance
because of components not installed such as tox) but are
hard to diagnose.
The fix reports the command failure.
Fixes: https://pagure.io/freeipa/issue/8022
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
184b60b3 by Sumedh Sidhaye at 2019-07-26T09:57:04Z
Test: To check ipa replica-manage del <FQDN> does not fail
Problem:
If a replica installation fails before all the services have been enabled then
it could leave things in a bad state.
ipa-replica-manage del <replica> --cleanup --force
invalid 'PKINIT enabled server': all masters must have IPA master role enabled
Test Steps:
1. Setup server
2. Setup replica
3. modify the replica entry on Master:
dn: cn=KDC,cn=<replica hostname>,cn=masters,cn=ipa,cn=etc,dc=<test>,dc=<realm>
changetype: modify
delete: ipaconfigstring
ipaconfigstring: enabledService
dn: cn=KDC,cn=<replica hostname>,cn=masters,cn=ipa,cn=etc,dc=<test>,dc=<realm>
add: ipaconfigstring
ipaconfigstring: configuredService
4. On master,
run ipa-replica-manage del <replicaFQDN> --cleanup --force
Related Ticket: https://pagure.io/freeipa/issue/7929
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b9b98097 by François Cami at 2019-07-26T13:09:42Z
ipatests: test multiple invocations of ipa-client-samba --uninstall
Related-to: https://pagure.io/freeipa/issue/8019
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
256a6a87 by François Cami at 2019-07-26T13:09:42Z
ipa-client-samba: remove and restore smb.conf only on first uninstall
Fixes: https://pagure.io/freeipa/issue/8019
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
00ba2ae6 by François Cami at 2019-07-26T13:09:42Z
ipatests: test ipa-client-samba after --uninstall
Related-to: https://pagure.io/freeipa/issue/8021
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
551cd68d by François Cami at 2019-07-26T13:09:42Z
ipa-client-samba: remove state on uninstall
The "domain_member" state was not removed at uninstall time.
Remove it so that future invocations of ipa-client-samba work.
Fixes: https://pagure.io/freeipa/issue/8021
Signed-off-by: François Cami <fcami at redhat.com>
https://pagure.io/freeipa/issue/8021
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
04c6d834 by Christian Heimes at 2019-07-26T13:16:47Z
Add PKCS#11 module name to p11helper errors
The p11helper module now includes the name of the PKCS#11 shared library
in error messages.
Fixes: https://pagure.io/freeipa/issue/8015
Co-Authored-By: Mikhail Novosyolov <m.novosyolov at rosalinux.ru>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
146fd91d by Sumedh Sidhaye at 2019-07-26T16:13:49Z
Test: Test to check whether ssh from ipa client to ipa master is successful after adding ldap_deref_threshold=0 in sssd.conf
Problem: After adding ldap_deref_threshold=0 setting for sssd on master for
performance enhancement ssh from ipa client was failing
Test Procedure:
1. setup a master
2. add ldap_deref_threshold=0 to sssd.conf on master
3. add an ipa user
4. ssh from controller to master using the user created in step 3
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a46383ff by Serhii Tsymbaliuk at 2019-07-26T20:36:58Z
WebUI: Add PKINIT status field to 'Configuration' page
- Add 'Server Options' section to the page
- Add 'IPA master capable of PKINIT' field to the 'Server Options'
Ticket: https://pagure.io/freeipa/issue/7305
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
667db0c4 by Serhii Tsymbaliuk at 2019-07-29T20:50:28Z
WebUI tests: Fix request timeout for test_trust
Because of intergration with AD server response can take time more then 1 minute.
So request_timeout is increased to 120s.
Ticket: https://pagure.io/freeipa/issue/8024
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
- - - - -
edb1ae5e by Florence Blanc-Renaud at 2019-07-30T10:04:00Z
test_xmlrpc: fix TestAutomemberFindOrphans.test_find_orphan_automember_rules
Test scenario:
- create a hostgroup
- create a host
- create an automember rule for the hostgroup with a condition fulfilled
by the host
- delete the hostgroup
- call automember-rebuild (1)
- call automember-find-orphans to remove the orphan automember group
- call automember-rebuild(2)
The test was expecting the first rebuild command to fail but this
assumption is not true if the DS version is >= 1.4.0.22 because of the
fix for https://pagure.io/389-ds-base/issue/50077
Modify the test so that it expects failure only when DS is older.
Fixes: https://pagure.io/freeipa/issue/7902
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fa08e961 by François Cami at 2019-07-30T14:09:57Z
ipapython/admintool.py: use SERVER_NOT_CONFIGURED
Commit 9182917280a5c2590fa677729db54b38a9ac4d1f introduced
SUCCESS, SERVER_INSTALL_ERROR and SERVER_NOT_CONFIGURED to
deal with cases when server is not configured.
Actually use SERVER_NOT_CONFIGURED in log_failure instead of 2.
Related-to: https://pagure.io/freeipa/issue/6843
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
317787bc by Florence Blanc-Renaud at 2019-07-31T08:27:09Z
user-stage: transfer all attributes from preserved to stage user
The user-stage command is internally implemented as:
- user_show(all=True) in order to read the user attributes
- loop on the attributes defined as possible to add using stageuser-add and
transform them into new options for stageuser_add (for instance stageuser-add
provides the option --shell for the attribute loginshell, but there is no
option for the attribute businesscategory).
- call stageuser_add in order to create a new entry in the active users subtree
- user-del to remove the previous entry in the staged users subtree
The issue is in the 2nd step. Only the attributes with a stageuser-add option
are processed.
The logic of the code should be slightly modified, so that all the attributes
read in the first step are processed:
- if they correspond to an option of stageuser-add, process them like it's
currently done. For instance if the entry contains displayname, then it
should be processed as --displayName=value in the stageuser-add cmd
- if they do not correspond to an option of stageuser-add, add them with
--setattr=<attrname>=<attrvalue>
Note that some attributes may need to be filtered, for instance user-show
returns has_password or has_keytab, which do not correspond to attributes
in the LDAP entry.
Fixes: https://pagure.io/freeipa/issue/7597
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
17b97ae1 by Florence Blanc-Renaud at 2019-07-31T08:27:09Z
xmlrpc test: add test for preserved > stage user
When moving a preserved user to the stage area, check that the
custom attributes are not lost ( = the attr for which there is
no specific user_stage option).
Test scenario:
- add a stage user with --setattr "businesscategory=value"
- activate the user, check that businesscategory is still present
- delete (preserve) the user, check that attr is still present
- stage the user, check that attr is still present
Related: https://pagure.io/freeipa/issue/7597
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0231d873 by François Cami at 2019-07-31T10:10:32Z
prci_definitions: add master_3client topology
Some tests would benefit from using a multi-client topology.
As PR-CI now supports master_3client, use it.
Fixes: https://pagure.io/freeipa/issue/8026
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
68f98e29 by François Cami at 2019-07-31T12:16:40Z
test_nfs.py: switch to tasks.config_replica_resolvconf_with_master_data()
Previously test_nfs.py would implement its own method to configure
resolv.conf leading to cleanup failures in some cases.
Use tasks.config_replica_resolvconf_with_master_data() instead.
Also simplify and fix client uninstall.
Fixes: https://pagure.io/freeipa/issue/7949
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0fdfce52 by François Cami at 2019-07-31T12:16:40Z
ipatests: rename config_replica_resolvconf_with_master_data()
config_replica_resolvconf_with_master_data() is not replica specific.
Rename to config_host_resolvconf_with_master_data() as it is not tied
to any role (master, replica, client).
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1ad3bf48 by François Cami at 2019-07-31T12:16:40Z
test_nfs.py: switch to master_3repl
test_nfs.py historically used master_2repl_1client.
Now that master_3client exists, switch to that as it allows removal
of custom install/cleanup steps.
Fixes: https://pagure.io/freeipa/issue/8027
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
cbb4b65c by Tibor Dudlák at 2019-07-31T13:20:26Z
ipatests: Update test tasks for client to be interactive
Related: https://pagure.io/freeipa/issue/7908
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1c6efcd9 by Tibor Dudlák at 2019-07-31T13:20:26Z
ipatests: Add tests for interactive chronyd config
Add interactive configuration tests for
ipa-server-install and ipa-client-install
FreeIPA server as it is now is unable to
configure NTP interactively for replica
installations.
Resolves: https://pagure.io/freeipa/issue/7908
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
708528e1 by Tibor Dudlák at 2019-07-31T13:20:26Z
ipatests: refactor TestNTPoptions
Move common and error messages to class scope to be reused again.
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
744b820e by Tibor Dudlák at 2019-07-31T13:20:26Z
Increase ntp_options test timeout
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d1457fb6 by Armando Neto at 2019-08-01T14:44:29Z
travis: update container used for testing ipa-4-8 branch
Based on the new Dockerfile included in
https://github.com/freeipa/ipa-docker-test-runner/commit/809dde3cd5b04bf9306f3be0ef459d503288b02b
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
f4bbe000 by François Cami at 2019-08-02T21:30:05Z
azure-pipelines.yml: switch to Python 3.7
* switch to Python 3.7 (UsePythonVersion at 0 task)
* use "pip install --user"
Fixes: https://pagure.io/freeipa/issue/8030
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3d0e3fb9 by Theodor van Nahl at 2019-08-06T10:43:40Z
Fix UnboundLocalError in ipa-replica-manage on errors
If ipa-replica-manage is unable to retrieve e.g. due to certificate
validity problem. An UnboundLocalError is thrown for `type1`. This fixes
the issue with a clean exit.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
e539a29d by Rob Crittenden at 2019-08-07T09:46:36Z
Don't return SSH keys with ipa host-find --pkey-only
This was introduced in 14ee02dcbd6cbb6c221ac7526e471a9fc58fcc82
https://pagure.io/freeipa/issue/8029
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6bef8678 by Christian Hermann at 2019-08-07T11:02:13Z
configure.ac: don't rely on bashisms
93fb037d8409d9d46606c31d8a240e3963b72651 introduced unportable shell
syntax, which led to erros like
./configure: 3179: ./configure: CFLAGS+= -D__STDC_WANT_LIB_EXT1__=1: not found
in case a posix shell is used.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
86fe7100 by Christian Heimes at 2019-08-08T04:45:39Z
Test external CA with DNS name constraints
Verify that FreeIPA can be installed with an external CA that has a name
constraints extension.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
a0996ca3 by Alexander Bokovoy at 2019-08-08T10:51:27Z
Change RA agent certificate profile to caSubsystemCert
Currently, RA agent certificate is issued using caServerCert profile.
This has unfortunate side effect of asserting id-pk-serverAuth EKU which
is not really needed for RA agent. If IPA CA certificate adds SAN DNS
constraints into issued certificates, presence of id-pk-serverAuth EKU
forces NSS (and other crypto libraries) to validate CN value with
regards to SAN DNS constraints, due to historical use of CN bearing DNS
name.
Since RA agent certificate has 'CN=IPA RA', it is guaranteed to fail
the check.
Default IPA CA configuration does *not* add SAN DNS constraints into RA
agent certificate. However, it is better to be prepared to such
behavior.
Related: https://bugzilla.redhat.com/1670239
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
b0f7e651 by Christian Heimes at 2019-08-08T10:51:27Z
Update comments to explain caSubsystemCert switch
Related: https://bugzilla.redhat.com/1670239
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
79e7ca43 by Timo Aaltonen at 2019-08-08T17:45:51Z
Merge branch 'master' into master-next
- - - - -
ac0bce61 by Timo Aaltonen at 2019-08-08T17:47:33Z
Merge commit '1f46bb1d81f3bfa' into m
- - - - -
b92d82ef by Timo Aaltonen at 2019-08-08T17:47:42Z
Merge branch 'master-next' into m
- - - - -
3db7d846 by Timo Aaltonen at 2019-08-08T17:48:17Z
bump the version
- - - - -
d08213f9 by Timo Aaltonen at 2019-08-08T17:50:28Z
control: Bump policy to 4.4.0.
- - - - -
4bd4837d by Timo Aaltonen at 2019-08-08T17:50:55Z
Bump debhelper compat to 12.
- - - - -
6130f190 by Timo Aaltonen at 2019-08-08T20:37:45Z
Migrate to python3.
- - - - -
98855246 by Timo Aaltonen at 2019-08-08T20:38:07Z
d/s/local-options: Updated.
- - - - -
b8362503 by Timo Aaltonen at 2019-08-08T20:59:27Z
install: Updated.
- - - - -
33d54dda by Timo Aaltonen at 2019-08-08T21:09:13Z
control, install: Add freeipa-client-samba.
- - - - -
fb05db5b by Timo Aaltonen at 2019-08-08T21:15:25Z
update python3-ipaserver.install
- - - - -
50e4687b by Timo Aaltonen at 2019-08-08T21:19:40Z
rules: fix interpreter for python3
- - - - -
00d2cdb9 by Timo Aaltonen at 2019-08-08T21:21:22Z
samba client fixes
- - - - -
57b52fe3 by Timo Aaltonen at 2019-08-08T21:22:25Z
tests: enable tests
- - - - -
20e4d418 by Timo Aaltonen at 2019-08-08T21:28:22Z
d/pydist-overrides: Updated.
- - - - -
fd0386f0 by Alexander Bokovoy at 2019-08-09T21:49:17Z
Restore SELinux context for p11-kit config overrides
When 74e09087 started disabling softshm2 module in p11-kit-proxy,
we missed to restore SELinux context on the configuration override
creation.
We don't need an explicit restore_context() when removing the override
because restore_file() already calls restore_context().
Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0fa20347 by Timo Aaltonen at 2019-08-09T21:53:54Z
releasing package freeipa version 4.8.0-1
- - - - -
27586cb7 by Timo Aaltonen at 2019-08-11T09:52:56Z
install: Add missing scripts to app_DATA.
Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f6c2a9de by Christian Heimes at 2019-08-13T10:34:10Z
Don't move keys when key backup is disabled
The CA_BACKUP_KEYS_P12 file is not enabled when pki_backup_keys is
set to False. It's the case when FreeIPA is configured with HSM support.
Related: https://pagure.io/freeipa/issue/7677
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
8e207fd3 by Christian Heimes at 2019-08-13T18:58:26Z
Allow insecure binds for migration
Commit 5be9341fbabaf7bcb396a2ce40f17e1ccfa54b77 disallowed simple bind
over an insecure connection. Password logins were only allowed over LDAPS
or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.
This commit lifts the restriction and permits insecure binds over plain
LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA
certificate is configured with a plain LDAP connection.
Fixes: https://pagure.io/freeipa/issue/8040
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
9d751dc1 by Alexander Bokovoy at 2019-08-13T19:08:55Z
Update translations for FreeIPA 4.8.1
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e7762aef by Alexander Bokovoy at 2019-08-13T19:08:55Z
Add Theodor van Nahl to the Contributors.txt
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
47e2152b by Alexander Bokovoy at 2019-08-14T11:18:58Z
Update translations for FreeIPA 4.8 branch
When releasing FreeIPA 4.8.0, I forgot to create ipa-4-8 branch in
Zanata. As result, we were tracking changes for master branch in the
released one. Fix this and bring translations from Ukrainian team that
happened since 4.8.0 release.
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
89f99eba by Alexander Bokovoy at 2019-08-14T11:18:58Z
Switch ipa-4-8 branch to track Zanata ipa-4-8 branch
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
96ac8920 by Alexander Bokovoy at 2019-08-14T11:18:58Z
Update translation and code contributors for FreeIPA 4.8.1
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
179e0406 by Florence Blanc-Renaud at 2019-08-14T15:14:01Z
Nightly test definition: add missing tests
The following test was missing from all nightlies:
- test_integration/test_crlgen_manage.py
The following tests was missing from nightly_f29:
- test_integration/test_smb.py
The following test was missing from nightly_rawhide:
- test_integration/test_smb.py
Note: nightly_f28 not updated as we stopped testing on f28.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
828fdc0e by Alexander Bokovoy at 2019-08-14T15:32:45Z
Become FreeIPA 4.8.1
- - - - -
aefaae8c by Timo Aaltonen at 2019-09-07T20:16:50Z
Merge tag 'release-4-8-1' into master-next
tagging FreeIPA 4.8.1
- - - - -
ad6b9125 by Timo Aaltonen at 2019-09-07T20:25:39Z
bump the version
- - - - -
afb0d069 by Timo Aaltonen at 2019-09-07T20:51:24Z
4.8.0-1 wasn't actually released
- - - - -
1d341249 by Timo Aaltonen at 2019-09-07T21:19:28Z
releasing package freeipa version 4.8.1-1
- - - - -
c5a8d7ce by Timo Aaltonen at 2019-09-08T20:58:20Z
{server,client}.postinst: Migrate checks to python3.
- - - - -
cebc309b by Timo Aaltonen at 2019-09-08T21:46:13Z
control: Add python3-pki-base to python3-ipaserver depends.
- - - - -
2311af0d by Timo Aaltonen at 2019-09-09T11:20:33Z
tests: Add ssl-cert to depends.
- - - - -
41a59aad by Timo Aaltonen at 2019-09-09T14:33:08Z
move ssl-cert to server depends from tests
- - - - -
1887573a by Timo Aaltonen at 2019-09-09T14:35:15Z
server.postinst: Let ipactl run the upgrader
- - - - -
e3f69f4e by Timo Aaltonen at 2019-09-11T21:31:12Z
releasing package freeipa version 4.8.1-2
- - - - -
30 changed files:
- .gitignore
- + .lgtm.yml
- .mailmap
- .test_runner_config.yaml
- − .test_runner_config_py3_temp.yaml
- .tox-install.sh
- .travis.yml
- .travis_run_task.sh
- ACI.txt
- API.txt
- Contributors.txt
- Makefile.am
- Makefile.pythonscripts.am
- README.md
- VERSION.m4
- client/Makefile.am
- client/ipa-certupdate.in
- client/ipa-client-automount.in
- client/ipa-client-install.in
- + client/ipa-client-samba.in
- client/ipa-getkeytab.c
- client/man/Makefile.am
- client/man/ipa-client-automount.1
- client/man/ipa-client-install.1
- + client/man/ipa-client-samba.1
- client/man/ipa-getkeytab.1
- + client/sysconfig/Makefile.am
- + client/sysconfig/certmonger
- configure.ac
- contrib/copy-schema-to-ca-RHEL6.py
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/compare/4d268205e7003706c3d8473b0a79b96697364950...e3f69f4ef7eee420ac083193d19ff43e90914258
--
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/compare/4d268205e7003706c3d8473b0a79b96697364950...e3f69f4ef7eee420ac083193d19ff43e90914258
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20190911/7064867f/attachment-0001.html>
More information about the Pkg-freeipa-devel
mailing list