[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][upstream] 106 commits: Back to git snapshots

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Tue Sep 7 14:55:33 BST 2021



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / freeipa


Commits:
9f16174c by Alexander Bokovoy at 2021-06-14T15:52:10+03:00
Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
22f0d8c5 by Rob Crittenden at 2021-06-15T13:24:29-04:00
When loading certificates verify that it is X.509 v3

Simple version enforcement. A v1 certificate won't have the
extensions that are assumed available later during the validation
process.

https://pagure.io/freeipa/issue/8817

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7b278b63 by Florence Blanc-Renaud at 2021-06-17T08:11:43+02:00
CA-less install: non-ASCII chars in CA cert subject

In a CA-less install, if the CA cert subject contains
non-ascii characters, ipa-server-install fails when
configuring SSL for httpd.

The issue happens when calling ipautil.run to extract the keys
from a p12file. The code is using the raw output of the command
and doesn't need to specify capture_output=True, as this option
breaks if the output contains non-ascii characters.
The raw_output contains bytes, the output is a str built by decoding
the raw_output and may fail if non-ascii characters are present.

Fixes: https://pagure.io/freeipa/issue/8880
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
4b040e10 by Florence Blanc-Renaud at 2021-06-17T08:11:43+02:00
ipatests: use non-ascii chars in CA-less install

The CA-less installation creates an external CA with the
subject CN=CA,O=Example Organization.
In order to test non-ascii subjects, use
CN=CA,O=Example Organization España
instead.

Related: https://pagure.io/freeipa/issue/8880
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
1be15d20 by Christian Heimes at 2021-06-17T09:51:45+02:00
Add Custodia 0.6.0 to ipaserver package

Incorporate Custodia into IPA.

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d804f1fe by Christian Heimes at 2021-06-17T09:51:45+02:00
Remove unused Custodia modules

The CLI, IPA integration and storage backends are not used by IPA.

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
02ece292 by Christian Heimes at 2021-06-17T09:51:45+02:00
Fix Custodia imports

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0ec775fc by Christian Heimes at 2021-06-17T09:51:45+02:00
Fix Custodia pylint issues

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7cb2c89d by Christian Heimes at 2021-06-17T09:51:45+02:00
Remove more unused Custodia code

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
cde5e2d4 by Christian Heimes at 2021-06-17T09:51:45+02:00
Add Custodia tests

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
62647ff3 by Christian Heimes at 2021-06-17T09:51:45+02:00
Also drop Custodia client and forwarder

See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7bed7e4b by Antonio Torres at 2021-06-18T10:43:39-04:00
Allow PKINIT to be enabled when updating from a pre-PKINIT IPA CA server

When upgrading from a server with IPA CA before PKINIT was introduced
(4.5), PKINIT would not be enabled and there wasn't any way to enable it
since upgrade code only issues self-signed certificates when
certificates are missing. With these change there is a way to enable
PKINIT when coming from a IPA server with a pre-PKINIT version (4.4 and
before).

Fixes: https://pagure.io/freeipa/issue/8532
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
48370cb3 by Antonio Torres at 2021-06-21T10:54:41+02:00
host: try to resolve FQDN before command execution

Trying to resolve the FQDN before command execution (during
pre-callback) helps detect cases where the host specified by the user
does not exist, saving execution time. Aside from this, resolving the
FQDN is useful when only the shortname of the host is passed, as this
would cause issues when trying to update the DNS records during
modification of the entry.

Fixes: https://pagure.io/freeipa/issue/8726
Fixes: https://pagure.io/freeipa/issue/8884
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
27a65a1a by Antonio Torres at 2021-06-21T10:54:41+02:00
ipatests: test host update using shortname

Add test to ensure that host-mod resolves the FQDN when passing the
shortname of the host being modified.

Related: https://pagure.io/freeipa/issue/8726
Related: https://pagure.io/freeipa/issue/8884
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
45d8118e by Rob Crittenden at 2021-06-22T09:26:18+02:00
Use get_replication_plugin_name in LDAP updater

This allows for a consistent way to retrieve the value from
LDAP. The method is used to find an existing entry. It is not usable
to add or remove entries.

Moving it in the code allows the value to always be set in the
substitution dictionary and not rely on a specific caller.

It was moved to installutils.py to avoid circular import.

https://pagure.io/freeipa/issue/8885

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2aa77992 by Sudhir Menon at 2021-06-23T10:00:29+02:00
ipatests: Test to check that ResponseNotReady error is not displayed when user session cache is deleted

Pagure: https://pagure.io/freeipa/issue/7752

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
d744ff3c by Stanislav Levin at 2021-06-25T13:35:28-04:00
ipatests: healthcheck: Update IPAHostKeytab assumptions

As of 0.9 freeipa-healthcheck requires running `dirsrv` service
for `IPAHostKeytab` check. So, previous assumption about the
triggering the GSSAPI error no longer works. For example, this can
be achieved by deletion of host's keytab.

Fixes: https://pagure.io/freeipa/issue/8889
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
52e60889 by Serhii Tsymbaliuk at 2021-06-25T21:33:56+02:00
WebUI: Fix certificate serial number representation

Big numbers are automatically translated to scientific notation in JavaScript.
It causes an issue with some certificate serial numbers.
The fix normalizes the notation base on original value from serial_number_hex.

The implementation works only for browsers that support BigInt.
It would not work for old browsers like Internet Explorer.

Ticket: https://pagure.io/freeipa/issue/8754

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
32eb409c by Stanislav Levin at 2021-06-28T15:47:29+03:00
plugins: Don't treat keys of api as bytes

The plugin `plugins` iterates over the keys of API instance,
__iter__ of which is a generator of class.__name__ from
(Command, Object, Method, Backend, Updater). So, the allowed type
is str, not bytes.

Fixes: https://pagure.io/freeipa/issue/8898
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
15d71024 by Stanislav Levin at 2021-06-28T15:47:29+03:00
ipatests: Add tests for `plugins` plugin

Previously there were no tests for `ipalib.misc` module.

Fixes: https://pagure.io/freeipa/issue/8898
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0abae791 by Stanislav Levin at 2021-06-28T15:47:29+03:00
ipatests: Add tests for `env` plugin

Previously there were no tests for `ipalib.misc` module.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e82f2538 by François Cami at 2021-06-29T10:01:01+03:00
ipa-client-install: remove fsync in do_nsupdate()

No need to flush buffers on the nsupdate file as it will get
removed at the end of the function.

Related: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a8588c50 by François Cami at 2021-06-29T10:01:01+03:00
ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)

ipa-client-install invokes nsupdate with GSS-TSIG at client
enrollment time. If that fails, no retry is done.
Change that behavior to try again without GSS-TSIG.

Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3cbd24dd by François Cami at 2021-06-29T10:01:01+03:00
ipa-client-install: update sssd.conf if nsupdate requires -g

If dynamic DNS updates are selected, sssd will use GSS-TSIG
by default for nsupdate.
When ipa-client-install notices that plain nsupdate is required,
switch sssd to use no authentication for dynamic updates too.

Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5d995b8c by Sudhir Menon at 2021-06-29T11:06:36+02:00
Increase timeout for test_commands.py

test_commands.py testsuite is failing due to
'RunPytest timed out after 4800s'
Hence the timeout has been increased from 4800 to 5400

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
ae4478de by Rob Crittenden at 2021-06-29T11:04:56-04:00
Return a copy of cached entries, only with requested attributes

Some plugins, notably dns, modifies a returned entry in order
to compare it to the user-provided info (e.g. dnsrecord-del).
This modification was done on the cached entry directly rather
than a copy which caused unexpected results, mostly
EmptyResult because the cached entry was changed directly so
the next get_entry returned the same modified entry.

In addition, on a hit in the LDAP cache the entire cached entry
was returned regardless of what attributes were requested.

The automember condition add/remove calls only request the
inclusive/exclusive rule attributes and loop over the returned
values to look for duplicates. This was failing because the queried
entry contains attributes that the candidate entry does not contain.
The automember code is:

    old_entry = ldap.get_entry(dn, [attr])
    for regex in old_entry.keys():
        if not isinstance(entry_attrs[regex], (list, tuple)):

old_entry, returned from the cache, contained objectclass, cn,
description, etc. which don't exist in the candidate entry so
entry_attrs[regex] threw a KeyError.

To return a copy of the entry and requested attributes on a
search HIT.

Also be more careful when storing the attributes in the cache entry.
The returned attributes may not match the requested. So store the
attributes we actually have.

This issue was exposed by Ansible which maintains a larger and
longer-lived cache because commands are executed in the server context
one after another, giving the cache a chance to build up.

Adjust the expected test results as well. In test_get_testuser()
the first request asks for all attributes (default) so ensure
that is successful since a user_add gets all attributes in
the post_callback. Next request a subset of the attributes which
is also a hit and confirm that only those requested were returned.

https://pagure.io/freeipa/issue/8897

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
6b3496a7 by Alexander Bokovoy at 2021-06-29T18:27:20+03:00
Become IPA v.4.9.6

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2b7e8841 by Alexander Bokovoy at 2021-06-29T18:29:14+03:00
Back to git snapshots

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e713c227 by François Cami at 2021-07-02T11:47:02-04:00
paths: add IPA_SERVER_CONF

Related: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ee4be290 by François Cami at 2021-07-02T11:47:02-04:00
ipatests: smoke test for server debug mode.

Add a smoke test to make sure the server can be set in debug mode
without issue.

Related: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1539c738 by François Cami at 2021-07-02T11:47:02-04:00
rpcserver.py: perf_counter_ns is Python 3.7+

perf_counter_ns is only available in Python 3.7 and later.
Define a lambda for 3.6 and lower.

Fixes: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9cfae262 by Florence Blanc-Renaud at 2021-07-05T16:45:19+02:00
Remove unneeded dependency on python-coverage

The spec file requires python3-coverage although it is not
used in the project.

Fixes: https://pagure.io/freeipa/issue/8905
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
a5d28572 by Antonio Torres at 2021-07-06T17:36:15+02:00
Add checks to prevent adding auth indicators to internal IPA services

Authentication indicators should not be enforced against internal
IPA services, since not all users of those services are able to produce
Kerberos tickets with all the auth indicator options. This includes
host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
If a client that is being promoted to replica has an auth indicator
in its host principal then the promotion is aborted.

Fixes: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
28484c3d by Antonio Torres at 2021-07-06T17:36:15+02:00
ipatests: ensure auth indicators can't be added to internal IPA services

Authentication indicators should not be added to internal IPA services,
since this can lead to a broken IPA setup. In case a client with
an auth indicator set in its host principal, promoting it to a replica
should fail.

Related: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
06468b2f by Florence Blanc-Renaud at 2021-07-06T18:12:54+02:00
stageuser: add ipauserauthtypeclass when required

The command
ipa stageuser-add --user-auth-type=xxx
is currently failing because the objectclass ipauserauthtypeclass
is missing from the created entry.

There is code adding the missing objectclass in the
pre_common_callback method of user_add, and this code should
be common to user_add and stageuser_add. In order to avoid code
duplication, it makes more sense to move the existing code to
pre_common_callback of baseuser_add, that is called by both
classes.

Fixes: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4a5a0fe7 by Florence Blanc-Renaud at 2021-07-06T18:12:54+02:00
XMLRPC test: add a test for stageuser-add --user-auth-type

Related: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
076e499f by Florence Blanc-Renaud at 2021-07-08T17:32:56+02:00
augeas: bump version for rhel9

augeas 1.12.1-0.1 adds support for the new chony configuration
settings.

Related: https://pagure.io/freeipa/issue/8676
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
195035ce by Florence Blanc-Renaud at 2021-07-08T18:10:50+02:00
man page: update ipa-server-upgrade.1

The man page needs to clarify in which case the command needs
to be run.

Fixes: https://pagure.io/freeipa/issue/8913
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
2c0a123e by Florence Blanc-Renaud at 2021-07-08T22:44:11+02:00
Server install: do not use unchecked ip addr for ipa-ca record

At the end of a server installation, the DNS records for
ipa-ca.$DOMAIN are created/updated with the IP addresses of the
new server.
The current code resolves the IP addresses of the new server
but doesn't check them. This can result in the addition of
a link-local address to ipa-ca record.

For each address, make sure that it's neither reserved nor a
link-local address.

Fixes: https://pagure.io/freeipa/issue/8810
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
ca8c7010 by Rob Crittenden at 2021-07-12T09:01:59+02:00
Add SHA384withRSA as a certificate signing algorithm

It required support in dogtag which was added in 10.5.0.

This is only easily configurable during installation because
it will set ca.signing.defaultSigningAlgorithm to the
selected algorithm in CS.cfg

The certificate profiles will generally by default set
default.params.signingAlg=- which means use the CA default.

So while an existing installation will technically allow
SHA384withRSA it will require profile changes and/or
changing the defaultSigningAlgorithm in CS.cfg and
restarting (completely untested). And that won't affect
already issued-certificates.

https://pagure.io/freeipa/issue/8906

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
b2e62923 by Florence Blanc-Renaud at 2021-07-12T12:48:12+02:00
ipatests: use whole date when calling journalctl --since

The test TestSelfExternalSelf::test_switch_back_to_self_signed
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.
Fixes: https://pagure.io/freeipa/issue/8918

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
26be7ffd by Sudhir Menon at 2021-07-12T13:43:04+02:00
ipatests: Fix for test_source_ipahealthcheck_ipa_host_check_ipahostkeytab

Expected error message has been modified for
test_source_ipahealthcheck_ipa_host_check_ipahostkeytab

Related: https://pagure.io/freeipa/issue/8889

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
3540986a by Christian Heimes at 2021-07-12T17:17:51-04:00
Add basic support for subordinate user/group ids

New LDAP object class "ipaUserSubordinate" with four new fields:
- ipasubuidnumber / ipasubuidcount
- ipasubgidnumber / ipasgbuidcount

New self-service permission to add subids.

New command user-auto-subid to auto-assign subid

The code hard-codes counts to 65536, sets subgid equal to subuid, and
does not allow removal of subids. There is also a hack that emulates a
DNA plugin with step interval 65536 for testing.

Work around problem with older SSSD clients that fail with unknown
idrange type "ipa-local-subid", see: https://github.com/SSSD/sssd/issues/5571

Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5d4fe066 by Christian Heimes at 2021-07-12T17:17:51-04:00
Redesign subid feature

Subordinate ids are now handled by a new plugin class and stored in
separate entries in the cn=subids,cn=accounts subtree.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ef115b04 by Christian Heimes at 2021-07-12T17:17:51-04:00
Use 389-DS' dnaInterval setting to assign intervals

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e6e3fb60 by Christian Heimes at 2021-07-12T17:17:51-04:00
Fix ipa-server-upgrade

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
44ccc0f6 by Christian Heimes at 2021-07-12T17:17:51-04:00
Fix oid of ipaUserDefaultSubordinateId

Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9f4b8982 by Serhii Tsymbaliuk at 2021-07-12T17:17:51-04:00
WebUI: Improve subordinate ids user workflow

- add "Subordinate ID Statistics" page
- add button for generating subid in "Subordinate ids" tab of user details page
- allow to navigate directly to owner details from subordinate id page
- adjust i18n strings

Ticket: https://pagure.io/freeipa/issue/8361
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b53a52a1 by Christian Heimes at 2021-07-12T17:17:51-04:00
Test DNA plugin configuration

Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7f910eb2 by Michal Polovka at 2021-07-13T09:29:29+02:00
ipatests: test_ipahealthcheck: print a message if a system is healthy

Test if when the system is completely healthy, informative message is
returned and not only empty output (list or json).

Related: https://pagure.io/freeipa/issue/8892

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e5df4dc4 by Michal Polovka at 2021-07-13T19:30:55+02:00
ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency

KRA instance import depends on lib389 package, which is not always
installed and that results in failure. Furthermore, test_installation
utilizes krainstance import. This fix moves relevant parts from
krainstance to ipalib constants where those are subsequently imported
from.

Related: https://pagure.io/freeipa/issue/8795

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
8ad535b6 by Rob Crittenden at 2021-07-14T09:54:14-04:00
Fall back to krbprincipalname when validating host auth indicators

When adding a new host the principal cannot be determined because it
relies on either:

a) an entry to already exist
b) krbprincipalname be a component of the dn

As a result the full dn is being passed into ipapython.Kerberos
which can't parse it.

Look into the entry in validate_validate_auth_indicator() for
krbprincipalname in this case.

https://pagure.io/freeipa/issue/8206

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
d456649f by Florence Blanc-Renaud at 2021-07-14T10:05:59-04:00
pr-ci definitions: add subid-related jobs

Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
40e4ccf1 by Florence Blanc-Renaud at 2021-07-15T08:02:15+02:00
webui tests: close notification when revoking cert

When a cert is revoked, a notification is displayed
and may obscure the buttons. Make sure to close the
notification before moving to the next step.

Fixes: https://pagure.io/freeipa/issue/8911
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
02c0da3e by Mohammad Rizwan at 2021-07-15T08:25:32+02:00
ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg

Earlier it used to fail when startup directive missing from CS.cfg.
With https://github.com/dogtagpki/pki/pull/3466, it changed to display
a warning than failing.

related: https://pagure.io/freeipa/issue/8890

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
1a4f459b by Florence Blanc-Renaud at 2021-07-15T18:22:21+02:00
spec file: Trust controller role should pull sssd-winbind-idmap package

ipa-server-trust-ad subpackage need to pull in sssd-winbind-idmap
Fixes: https://pagure.io/freeipa/issue/8923

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1a5159b2 by Alexander Bokovoy at 2021-07-16T19:18:34+02:00
rhel platform: add a named crypto-policy support

RHEL 8+ provides bind system-wide crypto policy support, enable it.

Fixes: https://pagure.io/freeipa/issue/8925
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
b132956e by Florence Blanc-Renaud at 2021-07-17T16:20:44+02:00
Index: Fix definition for memberOf

The index definition for memberOf is inconsistent:

dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: member
nsIndexType: eq
nsIndexType: sub
nsSystemIndex: false
objectClass: top
objectClass: nsIndex

The cn attribute should be memberOf, not member. Fix the definition.

Fixes: https://pagure.io/freeipa/issue/8920
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f7997ed0 by Florence Blanc-Renaud at 2021-07-18T14:00:58+02:00
webui tests: fix algo for finding available idrange

The webui tests for ID range evaluate a potentially free id range
by looking for existing ranges and picking a range = max value
+ 1 million.

With the addition of subuid range this algorithm produces values
over the limit because the subuid range goes from
2,147,483,648 to 4,294,836,224 and the max base id is 4,294,967,295.

Ignore the subuid range when picking a potential range.
Fixes: https://pagure.io/freeipa/issue/8919
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
161d5844 by François Cami at 2021-07-20T13:58:57+02:00
ipatests: smbclient "-k" => "--use-kerberos=desired"

Change documentation:
https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt

As of Samba 4.15rc1, smbclient does not accept "-k" anymore.
The "-k|--kerberos" option ("Try to authenticate with kerberos.")
has been replaced with "--use-kerberos=required|desired|off".

Fixes: https://pagure.io/freeipa/issue/8926
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
86869364 by François Cami at 2021-07-22T13:26:45-04:00
test_acme: refactor with tasks

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
701adb91 by François Cami at 2021-07-22T13:26:45-04:00
test_acme: make password renewal more robust

A kinit immediately following a password change can fail.
Setting KRB5_TRACE and retrieving kdcinfo will help to understand
the cause of failure.

Fixes: https://pagure.io/freeipa/issue/8929
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
5b826ab3 by François Cami at 2021-07-22T14:36:55-04:00
tasks.py: fix flake8-reported issues

Fixes: https://pagure.io/freeipa/issue/8931
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
0b9adf1d by Rob Crittenden at 2021-07-22T18:19:58-04:00
Use new method in check to prevent removal of last KRA

It previously used a vault connection to determine if any
KRA servers were installed. This would fail if the last KRA
was not available.

Use server roles instead to determine if the last KRA server
is to be removed.

https://pagure.io/freeipa/issue/8397

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
8ea8f8b6 by Rob Crittenden at 2021-07-22T18:19:58-04:00
ipatests: test removing last KRA when it is not running

Use the new role-based mechanism, one that doesn't rely
on direct communication to the server, to determine whether
the server being removed by `ipa server-del` contains the
last KRA server.

https://pagure.io/freeipa/issue/8397

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
eb1d509f by François Cami at 2021-07-23T11:21:23-04:00
Azure: temporarily disable problematic tests, #1

test_installation.TestInstallMaster, test_advise,
and test_integration.test_commands.TestIPACommand rely on DNS
forwarders and hit a known BIND bug:
https://gitlab.isc.org/isc-projects/bind9/-/issues/2728
quite often.
This is blocking gating nearly completely.
Disable these tests in gating until the bug is fixed and
the related build is available in Fedora.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
18ccaea7 by François Cami at 2021-07-23T11:21:23-04:00
Azure: temporarily disable problematic tests, #2

test_cert and test_SubCAkeyReplication are randomly failing.
The suspect for test_SubCAkeyReplication is an nss bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1985061

The reason for test_cert failures was not identified, the only
relevant line in the log contains:
2021-07-22T17:37:21.0873339Z tests: cert, result: 1, time: 30:08.98
2021-07-22T17:37:21.0874172Z Command exited with non-zero status 1

Disable these tests in gating until the NSS bug is fixed and
the related build is available in Fedora.

Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
33c561dc by François Cami at 2021-07-23T11:21:23-04:00
gating.yaml: Fix TestInstallMaster timeout

test_integration/test_installation.py::TestInstallMaster 's
timeout is 10800 on all nightlies but it timeouts in gating with a
timeout of 3600. Use 7200 in gating so that it has some chance of
completing.

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
89ca5c88 by Rob Crittenden at 2021-07-26T13:11:38-04:00
Display all orphaned keys in automountlocation-tofiles

Only the first key was being displayed for any orphaned map.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
dbe4159e by Rob Crittenden at 2021-07-26T13:11:38-04:00
ipatests: Add test for ipa automountlocation-tofiles

Only the first key of orphaned automount keys was being
displayed.

tofiles was created because making sense of LDAP automount
information is a brain squeezer. The purpose is not to
display in a precise file format but to display it in
a sensible and understandable way.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
ded3cd3f by Rob Crittenden at 2021-07-26T13:11:38-04:00
Fix automountlocation-tofiles expected output in xmlrpc test

The previous output matched the bad behavior of only displaying
one orphaned key.

https://pagure.io/freeipa/issue/7814

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
02447762 by Armando Neto at 2021-07-27T15:23:36+02:00
ipatests: bump prci boxes + move gating to f34

Bump template box version to latest to include recently updated
dependencies and move gating and temp definitions to latest Fedora
release.

Issue: https://pagure.io/freeipa/issue/8935

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>

- - - - -
ab4720d9 by Antonio Torres at 2021-07-27T17:38:45+02:00
ipa-kra-install: exit if ca_host is overriden

ipa-kra-install should exit if ca_host line is present
in /etc/ipa/default.conf, as it may lead to a misconfigured
setup.

Fixes: https://pagure.io/freeipa/issue/8245
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a4e13a33 by Antonio Torres at 2021-07-27T17:38:45+02:00
ipatests: test if KRA install fails when ca_host is overriden

KRA install on a replica should fail if ca_host is
overriden in /etc/ipa/default.conf.

Related: https://pagure.io/freeipa/issue/8245
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a1eb13cd by Christian Heimes at 2021-08-02T09:53:36-04:00
Fix ldapupdate.get_sub_dict() for missing named user

The named user may not be present when ipa-server-dns and bind are not
installed. NAMED_UID and NAMED_GID constants are only used with local
DNS support.

Fixes: https://pagure.io/freeipa/issue/8936
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Co-authored-by: François Cami <fcami at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e0e1d6f9 by François Cami at 2021-08-03T08:17:10+02:00
freeipa.spec.in: remove python3-pexpect from Requires

python3-pexpect will be removed in RHEL9.
Update BuildRequires/Requires accordingly.

Fixes: https://pagure.io/freeipa/issue/8938
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
fbbff3ed by Rob Crittenden at 2021-08-03T08:23:59+02:00
Provide more information in ipa-certupdate on ccache failure

ipa-certupdate obtains host credentials to operate. If this
fails with a ccache error this can be confusing if the user
executing it already has admin credentails.

Include the principal being retrieved and the keytab being
used.

This basically intercepts the exception to log additional
information and lets the exception be handled at a higher
level.

https://pagure.io/freeipa/issue/8257

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
42206df6 by Rob Crittenden at 2021-08-03T08:53:50+02:00
ipa-getkeytab: add option to discover servers using DNS SRV

The basic flow is:

- If server is provided by the user then use it
- If server the magic value '_srv', check for _ldap._tcp SRV records for
  the domain in /etc/ipa/default.conf
- If no servers are found use the server from default.conf

https://pagure.io/freeipa/issue/8478

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
0114d24e by Rob Crittenden at 2021-08-03T08:53:50+02:00
ipa-getkeytab: fix compiler warnings

Make read_ipa_config and filter_keys static to avoid
"no previous prototype" warnings.

Use correct datatype of return value for ber_scanf to
correct different signedness comparision.

Fixed while working on https://pagure.io/freeipa/issue/8478

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
7a13200f by Rob Crittenden at 2021-08-03T08:53:50+02:00
ipatests: test ipa-getkeytab server option

Test various usages of the -s/--server option:
* -s is defined, use it as the server
* no -s, use the host value from /etc/ipa/default.conf
* -s is '_srv_', do DNS discovery

https://pagure.io/freeipa/issue/8478

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
25a4acf3 by Anuja More at 2021-08-04T08:39:03+02:00
ipatests: Test for OTP when the LDAP connection timed out.

Test to verify that when the idle timeout is exceeded (30s idle,
60s sleep) then the ipa-otpd process should exit without error.

Related : https://pagure.io/freeipa/issue/6587

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
018ee09c by Rob Crittenden at 2021-08-04T08:42:18+02:00
ipa-advise: if p11-kit provides opensc, don't add to NSS db

p11-kit-proxy in newer distributions handles loading the OpenSC
PKCS#11 library so don't try to add it to the NSS database in
/etc/pki/nssdb if it is already available in order to avoid a
potentially confusing error message.

https://pagure.io/freeipa/issue/8934

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
9a4a6cdd by Rob Crittenden at 2021-08-04T08:42:18+02:00
ipa-advise: Define the domain used when looking up ipa-ca

The error message if ipa-ca can't be resolved included the
undefined variable ${domain_name}. Since this is static anyway
change to a python format string and hardcode the string in
the resulting script as api.env.domain.

Discovered while working on https://pagure.io/freeipa/issue/8934

Related: https://pagure.io/freeipa/issue/8934

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
826b5825 by Rob Crittenden at 2021-08-04T08:44:46+02:00
ipatests: verify that getcert output includes the issued date

certmonger 0.79.14 included a new feature that provides the
NotBefore (or issued) date to the certificate list output.

Verify that it is present in the output.

https://bugzilla.redhat.com/show_bug.cgi?id=1940261

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
4c0dcabd by Antonio Torres at 2021-08-04T15:25:28+02:00
dnszone: deprecate option for setting SOA serial

Since IPA 3 [1] SOA serial is managed automatically via autoincrement,
and the option of disabling this behavior was deprecated in IPA 3.3.3 [2]..
As a result, the option '--serial' during DNS zone addition would be
ignored as it is set during the creation. This commit adds a deprecation
warning if this option is used.

[1]: https://www.freeipa.org/page/V3/DNS_SOA_serial_auto-incrementation
[2]: https://www.freeipa.org/page/Releases/3.3.3

Fixes: https://pagure.io/freeipa/issue/8227
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Jeffman <rjeffman at redhat.com>

- - - - -
1d751249 by Antonio Torres at 2021-08-04T15:25:28+02:00
ipatests: expect SOA serial option deprecation warning

Tests must be updated to expect the new deprecation warning.

Related: https://pagure.io/freeipa/issue/8227
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Jeffman <rjeffman at redhat.com>

- - - - -
96dd8ac1 by Mohammad Rizwan at 2021-08-04T15:30:17+02:00
ipatests: Look for warning into stderr instead of stdout

In https://github.com/freeipa/freeipa/pull/5855 was looking
into stdout_text for warning instead of stderr_text, hence
was failing for pki version > 10.11.0.

related: https://pagure.io/freeipa/issue/8890

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
05261749 by Rob Crittenden at 2021-08-04T16:28:24+02:00
Add index for sudoorder

sudorule-mod <rule> --order=<num> does a search for an existing
order and this search is unindexed.

https://pagure.io/freeipa/issue/8939

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
9ae23e12 by François Cami at 2021-08-05T14:38:06-04:00
ipatests: use krb5_trace in TestIpaAdTrustInstall

tasks.create_active_user can fail in a subtle way when there
are two IPA servers due to replication delays.
Using the debug-enabled version of create_active_user helps
determine whether there is another underlying issue and, in
general, prevents the above problem.

Fixes: https://pagure.io/freeipa/issue/8944
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
97a2a925 by Rob Crittenden at 2021-08-05T17:54:07-04:00
Don't assume that plugin attributes and objectclasses are lowercase

A user wrote their own plugin to add custom attributes which was
failing with an incorrect error that the attribute wasn't allowed.

It wasn't allowed because it wasn't being treated as case-insensitive
so wasn't being found in the schema.

https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
e28e4540 by Rob Crittenden at 2021-08-05T17:54:07-04:00
ipatests: add suite for testing custom plugins

Ensure that attributes and objectclasses are case-insensitive.

https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
78c48199 by Rob Crittenden at 2021-08-05T17:54:07-04:00
pr-ci definitions: add custom plugin-related jobs

Related: https://pagure.io/freeipa/issue/8415

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
7fb95cc6 by Chris Kelley at 2021-08-06T07:57:39+02:00
Parse getStatus as JSON not XML

On dogtagpki/pki master XML is being replaced by JSON, getStatus will
return JSON in PKI 11.0+

The PR for dogtagpki/pki that makes this change necessary is:
https://github.com/dogtagpki/pki/pull/3674

Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c5b5bc90 by Christian Heimes at 2021-08-09T14:53:19+02:00
Fix string check in uninstall helper

The install helpers used an invalid string check. ``('ubuntu')`` is
not a tuple. It's a string with superfluous parenthesis. A single-item
tuple would be ``('ubuntu',)``. It's recommended to use set literals to
avoid such mistakes.

Also check for 'debian' platform.

Fixes: https://pagure.io/freeipa/issue/8937
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
a3d71eb7 by Anuja More at 2021-08-09T14:24:28-04:00
ipatests: Test ldapsearch with base scope works with compat tree.

Added test to verify that ldapsearch for compat tree
with scope base and sub is not failing.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
d4062e40 by Anuja More at 2021-08-09T14:24:28-04:00
ipatests: skip test_basesearch_compat_tree on fedora.

slapi-nis with fix is not part of fedora yet.
test requires with fix:
https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177?

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
40f76a53 by Chris Kelley at 2021-08-09T14:26:04-04:00
Parse cert chain as JSON not XML

On dogtagpki/pki master XML is being replaced by JSON in PKI 11.0+

The PR for dogtagpki/pki that makes this change necessary is:
https://github.com/dogtagpki/pki/pull/3677

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
eac03d68 by Anuja More at 2021-08-10T13:50:20+02:00
ipatests: Refactor test_check_otpd_after_idle_timeout

Use whole date when calling journalctl --since
ipa-otpd don't flush its logs to syslog immediately,
so check with run_repeatedly.
Also list failed units when ldap connection is
timed out.

Related: https://pagure.io/freeipa/issue/6587

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4fdab0c9 by Anuja More at 2021-08-13T08:14:24+02:00
ipatests: Test unsecure nsupdate.

The test configures an external bind server on the ipa-server
(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.

When the IPA client is registered using ipa-client-install,
DNS records are added for the client in the bind server using nsupdate.
The first try is using GSS-TIG but fails as expected, and the client
installer then tries with unauthenticated nsupdate.

Related : https://pagure.io/freeipa/issue/8402

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
c9bc471e by Stanislav Levin at 2021-08-13T08:17:00+02:00
ipatests: Fix TestAJPSecretUpgrade tests on systems without pkiuser

Tests in `test_ipaserver.test_secure_ajp_connector' assume that there
is pkiuser in OS, but this is not always true (for example, in systems
having minimum installed dependencies, in particular, without pki-server
RPM package). Since the tests already use the mock and pkiuser entity is
not the subject of testing the pwd.getpwnam has been mocked.

Fixes: https://pagure.io/freeipa/issue/8942
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
488ac7e3 by Michal Polovka at 2021-08-15T10:01:18+02:00
ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files

Test if files in /var/log are being checked with ipahealthcheck.ipa.files source.

Resolves: https://pagure.io/freeipa/issue/8949

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
be3a0f32 by Rob Crittenden at 2021-08-17T17:48:04-04:00
Clean up the PKI securitydomain when removing a server

PKI has its own internal knowledge of servers and services
in its securitydomain. This has not been cleaned up in the
past but is becoming more of an issue as PKI now relies on its
securitydomain for more things, and it has a healthcheck that
reports inconsistencies.

Removing entries is straightforward using the PKI REST API.

In order to operate on the API access is needed. There was an
unused Security Domain Administrators group that I've added to
the resourceACLS we created for managing the securitydomain.
The ipara user is added as a member of this group. The REST
API binds to the CA using the IPA RA certificate.

Related commits are b3c2197b7e4ed18a7febe3efa6396c2272ebccca
and ba4df6449aaa0843ab43a1a2b3cb1df8bb022c24.

These resourceACLS were originally created as a backwards
compatibility mechanism for dogtag v9 and later only created when a
replica was installed purportedly to save a restart. I don't see
any reason to not have these defined. They are apparently needed due
to the PKI database upgrade issues.

In any case if the purpose was to suppress these ACLS it failed
because as soon as a replica with a CA was installed they were as
well, and we need this ACL in order to manage the securitydomain.

https://pagure.io/freeipa/issue/8930

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
a417810d by Rob Crittenden at 2021-08-17T17:48:04-04:00
ipatests: Verify that securitydomain is updated on server-del

For every server-del ensure that the server being deleted is
also removed from the PKI securitydomain.

https://pagure.io/freeipa/issue/8930

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
3cb6b5c8 by François Cami at 2021-08-18T17:56:52+02:00
Update list of contributors

Signed-off-by: François Cami <fcami at redhat.com>

- - - - -
da1d543c by Rob Crittenden at 2021-08-18T12:03:35-04:00
Only call add_agent_to_security_domain_admins() when CA is installed

This allows the RA agent to manage the pki security domain and is
only needed if a CA has been configured. Only call it in a CA-ful
installation.

https://pagure.io/freeipa/issue/8956

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
d2df13d8 by François Cami at 2021-08-19T16:13:49+02:00
Become IPA 4.9.7

- - - - -


30 changed files:

- .gitignore
- ACI.txt
- API.txt
- Contributors.txt
- Makefile.am
- VERSION.m4
- client/Makefile.am
- client/ipa-getkeytab.c
- client/man/ipa-client-install.1
- client/man/ipa-getkeytab.1
- configure.ac
- doc/designs/index.rst
- + doc/designs/subordinate-ids.md
- freeipa.spec.in
- install/share/60basev2.ldif
- + install/share/60basev4.ldif
- install/share/60ipaconfig.ldif
- install/share/Makefile.am
- install/share/bootstrap-template.ldif
- install/share/custodia.conf.template
- install/share/dna.ldif
- install/share/memberof-conf.ldif
- install/share/profiles/IECUserRoles.cfg
- install/share/profiles/KDCs_PKINIT_Certs.cfg
- install/share/profiles/acmeIPAServerCert.cfg
- install/share/profiles/caIPAserviceCert.UPGRADE.cfg
- install/share/profiles/caIPAserviceCert.cfg
- install/tools/Makefile.am
- install/tools/ipa-ca-install.in
- install/tools/ipa-custodia-check.in


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/e045f118c87346bfab5b5634fd23f3054f082f7f...d2df13d8f0e8b417356fef2af7310b75e46e2699

-- 
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/e045f118c87346bfab5b5634fd23f3054f082f7f...d2df13d8f0e8b417356fef2af7310b75e46e2699
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20210907/28ece42e/attachment-0001.htm>


More information about the Pkg-freeipa-devel mailing list