[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master] 1078 commits: VERSION: back to git snapshots
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Tue Feb 21 17:53:39 GMT 2023
Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa
Commits:
2d2784df by Alexander Bokovoy at 2020-11-17T19:12:50+02:00
VERSION: back to git snapshots
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b84f5d87 by Mohammad Rizwan at 2020-11-18T08:16:58-05:00
ipatests: Test certmonger IPA responder switched to JSONRPC
This is to test if certmonger IPA responder swithed to JSONRPC
from XMLRPC
related: https://pagure.io/freeipa/issue/3299
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
d81df964 by Alexander Bokovoy at 2020-11-18T16:23:05+02:00
util: Fix client-only build
Commit 26b9a697844c3bb66bdf83dad3a9738b3cb65361 did not fully fix the
client-only build as util/ipa_pwd.c unconditionally includes
pwquality.h.
Make sure we define USE_PWQUALITY in the full server configuration and
if that one is defined, include libpwquality use.
Fixes: https://pagure.io/freeipa/issue/8587
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d9b259dd by Rob Crittenden at 2020-11-18T16:27:12+02:00
Use host keytab to obtain credentials needed for ipa-certupdate
This command doesn't require any permissions that a host doesn't
already have and it simplifies overall credential handling.
It also corrects the case where the server API cache is out of
date and there are no credentials available to refresh it which
can lead to a confusing error message.
Also switch to MEMORY-based ccache rather than file to avoid
having to clean up the filesystem.
https://pagure.io/freeipa/issue/8531
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
d30939eb by Rob Crittenden at 2020-11-18T16:27:12+02:00
ipatests: Test that ipa-certupdate can run without credentials
https://pagure.io/freeipa/issue/8531
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
cd9b4efa by Sudhir Menon at 2020-11-20T09:27:48+01:00
ipatests: Tests for ipahealthcheck.ds.nss_ssl
test_nsscheck_cert_expiring is moved under test_ipa_healthcheck_expiring
This patch checks that the 'ipahealthcheck.ds.nss_ssl' check in
healthcheck tool reports the correct status for the "Server-Cert"
about to expire and already expired respectively.
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
15b30e15 by Rob Crittenden at 2020-11-23T09:04:27+01:00
Create IPA ssh client configuration and move ProxyCommand
The ProxyCommand is non-executable if the user does not have
a valid shell (like /sbin/nologin) so skip it in that case.
https://pagure.io/freeipa/issue/7676
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
16616e57 by Rob Crittenden at 2020-11-23T09:04:27+01:00
ipatests: Test that Match ProxyCommand masks on no shell exec
Accounts without a shell should not execute ProxyCommand
otherwise the authorization will fail.
https://pagure.io/freeipa/issue/7676
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
89c846a1 by Michal Polovka at 2020-11-23T13:02:32+01:00
WebUI: Test if links are opened in new tab correctly
Test for PF#7137: [RFE]: Able to browse different links
from IPA web gui in new tabs
Test verifies whether opening target link in new tab
navigates to target (desired behaviour) compared to creation of copy of
current state of page on new tab (old behaviour).
WebUI: Add method for opening link in a new tab
Add `navigate_to_row_record_in_new_tab` method.
`navigate_to_row_record_in_new_tab` works as
`navigate_to_row_record` but opens link in new tab instead and focuses
on it.
Related: https://pagure.io/freeipa/issue/7137
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
790b7655 by Rob Crittenden at 2020-11-25T16:16:12-05:00
ipatests: call the CALess install method to generate the CA
https://pagure.io/freeipa/issue/8581
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
89fddb07 by Rob Crittenden at 2020-11-25T16:16:12-05:00
ipatests: Configure a replica in TestACMEwithExternalCA
This subclasses TestACME which installs and configures a
replica in order to verify global enable/disable of ACME.
https://pagure.io/freeipa/issue/8581
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
70306515 by Rob Crittenden at 2020-11-25T16:16:12-05:00
ipatests: Clean up existing ACME registration and certs
The same base class is used for ACME setup and configuration.
Be sure to clean up any existing registraton prior to continuing
otherwise ACME register will complain.
https://pagure.io/freeipa/issue/8581
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
3a9fc011 by Rob Crittenden at 2020-11-25T16:16:12-05:00
ipatests: configure MDStoreDir for mod_md ACME test
This directory defines the location for ACME-related files
used by mod_md. Specify and create it rather than relying
on defaults to both fix a test failure and to make the
files accessable for debugging purposes.
https://pagure.io/freeipa/issue/8581
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
e6489dcb by Rob Crittenden at 2020-11-25T16:16:12-05:00
ipatests: honor class inheritance in TestACMEwithExternalCA
TestACMEwithExternalCA subclasses TestACME which subclasses
CALessBase.
CALessBase is necessary to generate the certificates for the
test_third_party_certs() test.
This means that the TestACME install classmethod needs to be
called by its subclasses. But the install actually does the
installation of the servers as well so needs to be aborted
at that point in the case of a subclass.
https://pagure.io/freeipa/issue/8581
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
75e3803b by Rob Crittenden at 2020-11-25T16:16:12-05:00
ipatests: Increase timeout for ACME in gating.yaml
Increase to 7200 from 3600 to match other executions.
Related: https://pagure.io/freeipa/issue/8581
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
b6004cf8 by Armando Neto at 2020-11-25T16:16:12-05:00
ipatests: Bump PR-CI templates
Update box to force update dependencies on pki-* and
selinux-policy.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
9e0084ba by Robbie Harwood at 2020-11-25T18:02:25-05:00
Fix krbtpolicy tests
0d67180f7d2d0c6b5856db7061c44521f6a13c23 introduced the with_admin
fixture using class scope, which caused test failures as pytest
instantiated it before the multihost fixture.
It additionally failed to account for jitter - the issued ticket becomes
within a window of the expected lifetime, so we need to include the
ticket lifetime jitter into that calculation.
Finally, the PKINIT test could not have ever worked because PKINIT is
not set up as part of policy testing.
Related: https://pagure.io/freeipa/issue/8590
Also-authored-by: Rob Crittenden <rcritten at redhat.com>
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
442038c4 by Sudhir Menon at 2020-11-26T12:00:57+02:00
ipatests: support subordinate upn suffixes
This test adds new UPN Suffix on the AD side
within the ad.test subtree i.e new.ad.test and this
UPN is then assigned to aduser and then try to
kinit using aduser along with the UPN set, to ensure
that the kinit succeeds
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0da6a57b by Alexander Bokovoy at 2020-11-26T12:00:57+02:00
ad trust: accept subordinate domains of the forest trust root
Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for
subordinate UPN suffixes but missed the case where subordinate UPN is a
subdomain of the forest root domain and not mentioned in the UPN
suffixes list.
Correct this situation by applying the same check to the trusted domain
name as well.
Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f777314e by Antonio Torres Moríñigo at 2020-11-26T14:12:16+01:00
ipa-client-install manpage: add ipa.p11-kit to list of files created
Add missing ipa.p11-kit file to list of files created in
ipa-client-install manpage.
https://pagure.io/freeipa/issue/8424
Signed-off-by: Antonio Torres Moríñigo <atorresm at protonmail.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3b007b7b by Florence Blanc-Renaud at 2020-11-30T15:52:19+01:00
Always define the path DNSSEC_OPENSSL_CONF
The variable was None by default and set to /etc/ipa/dnssec/openssl.cnf
for fedora only because the code is specific to the support of pkcs11
engine for bind. As a consequence ipa-backup had a "None" value in the
list of files to backup and failed on Exception.
ipa-backup code is able to handle missing files, and the code using
the pkcs11 engine is called only when NAMED_OPENSSL_ENGINE is set
(only in fedora so far). It is safe to always define a value for
DNSSEC_OPENSSL_CONF even on os where it does not exist.
The fix also improves the method used to verify that a path exists.
Fixes: https://pagure.io/freeipa/issue/8597
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
daddcf6e by Mark Reynolds at 2020-12-01T08:45:07+01:00
Accept 389-ds JSON replication status messages
389-ds now stores a replication agreement status message in a JSON
string in a new attribute:
replicaLastInitStatusJSON
replicaLastUpdateStatusJSON
The original status attributes' values are not changing at this time,
but there are plans to do so eventually as the old status format is
confusing.
http://www.port389.org/docs/389ds/design/repl-agmt-status-design.html
Fixes: https://pagure.io/freeipa/issue/7975
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b691850c by Rob Crittenden at 2020-12-01T12:56:03+01:00
Change KRA profiles in certmonger tracking so they can renew
Internal profiles were assigned which prevented rewewals.
dogtag is providing a new profile for the audit signing cert,
caAuditSigningCert.
There are existing profiles for the transport (caTransportCert)
and storage (caStorageCert) certificates.
https://pagure.io/freeipa/issue/8545
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0037b698 by Rob Crittenden at 2020-12-01T12:56:03+01:00
Test that the KRA profiles can renewal its three certificates
The KRA was previously configured with Internal CA profiles
which did not work with the IPA RA.
Use public, common profiles to manage renewal of the KRA
subsystem certificates.
https://pagure.io/freeipa/issue/8545
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
6816de08 by Rob Crittenden at 2020-12-01T12:56:03+01:00
Require PKI 10.10+ for KRA profile and ACME support
https://pagure.io/freeipa/issue/8545
https://pagure.io/freeipa/issue/8524
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e731b272 by Rob Crittenden at 2020-12-02T14:05:36+02:00
Allow Apache to answer to ipa-ca requests without a redirect
Any request other than the FQDN is redirected with a permanent
move (301). Allowing ipa-ca as a valid name saves a round-trip.
This is only allowed on /ca, /kra, /pki, /acme and /ipa/crl.
https://pagure.io/freeipa/issue/8595
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5d8c0444 by Rob Crittenden at 2020-12-02T14:05:36+02:00
ipatests: Test that ipa-ca.$domain can retrieve CRLs without redirect
https://pagure.io/freeipa/issue/8595
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
81c97bb9 by Rob Crittenden at 2020-12-02T14:07:39+02:00
Remove test for minimum ACME support and rely on package deps
This method was added temporarily while the required packages
were still under development and not available in stable
repositories.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
2068c7c4 by Rob Crittenden at 2020-12-02T14:07:39+02:00
Reorder when ACME is enabled to fix failure on upgrade
On upgrading a server without ACME to one with ACME
the RA Agent DN needs to be added as a member of the
ACME Enterprise Users group. This was previously
done as part of the creation of that entry.
So on upgrade the RA Agent wouldn't be a member so
ipa-acme-manage didn't have access to operate against
the CA REST API.
In order to add the RA Agent to this group during installation
the ACME provisioning has to come after that step so it is
moved from the middle of an installation to the end and
the group addition moved into the setup_acme() method.
https://pagure.io/freeipa/issue/8603
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
ba9b9502 by Rob Crittenden at 2020-12-02T14:08:51+02:00
Move where the restore state is marked during IPA server upgrade
There is still some exposure to killing in a bad place. This was
reproduced by killing the process in the parser.parse() call within
__restore_config (line 230) so the values were restored from the
backup but the new dse.ldif never written or copied. But the values
had already been restored from the state file.
I'm not sure this can ever be 100% bullet-proof since it can be
externally killed but if rather than calling restore_state() on the
values in __restore_config we use get_state() which will peek at the
values in the state file without removing them. Then the last step
is to pop upgrade-in-progress and then the rest.
If the values have been restored and the new ldif written and copied
then it's only upgrade-in-progress that really matters. The rest will
be overwritten.
https://pagure.io/freeipa/issue/7534
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
97aa70cd by Florence Blanc-Renaud at 2020-12-02T21:54:26+02:00
ipatests: fix TestTrust::test_subordinate_suffix
The test test_subordinate_suffix is failing when configuring the DNS
for the trust, because the dnsforwardzone already exists. It was
configured during the previous test for nonposix trust.
At the end of the tests for nonposix trust, unconfigure the DNS
and the trust before calling the subordinate_suffix test, and add
a test cleaning up subordinate_suffix test.
Fixes: https://pagure.io/freeipa/issue/8601
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5ef2d717 by Alexander Bokovoy at 2020-12-03T12:58:55-05:00
freeipa.spec.in: unify spec files across upstream RHEL, and Fedora
In order to reduce maintenance burden and to be able to use automatic
build tools, bring up the differences between RPM spec files in
upstream, RHEL, and Fedora to a minimum.
This gives us an opportunity to:
- start using proper conditional macros (%bcond_with/%bcond_without)
- remove old cruft where Fedora 31+ and RHEL8+ are already the same
- remove Group lines which already deprecated in Fedora packaging
policy
- remove buildroot cleanup
- support release candidate designations: mostly affects downstreams but
it is better to have macro support in the common spec file.
There is also a special handling of the %SOURCE1 (detached tarball
signature). In developer builds we wouldn't have the signature generated
but RPM needs all files mentioned as sources and patches to exist. The
solution is to filter out detached signature if the final component of
the IPA_VERSION starts with 'dev'. This should cover both in-source
builds (also used in Azure CI and COPR) and PR CI.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
83813cf8 by Rob Crittenden at 2020-12-03T16:57:01-05:00
Convert reset_to_default_policy into a pytest fixture
This ensures that the ticket policy will be reset even on
failure.
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
c6644b85 by Rob Crittenden at 2020-12-03T16:57:01-05:00
Generate a unique cache for each connection
Rather than having a shared ccache per user, configure
mod_auth_gssapi to create a unique one. This requires cleanup
to remove expired caches. A new script is added,
ipa-ccache-sweeper to do this. It will be invoked by a
new service, ipa-ccache-sweep, which will be executed every
12 hours by an equally-named timer.
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
865c0762 by Rob Crittenden at 2020-12-03T16:57:01-05:00
ipatests: test that stale caches are removed using the sweeper
- Force wipe all existing ccaches
- Set the ticket policy to a short value, 30 seconds.
- Do a series of kinit, ipa command, kdestroy to generate ccaches
- sleep(30)
- Run the sweeper
- Verify that all ccaches are gone
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
469274fa by Rob Crittenden at 2020-12-03T16:57:01-05:00
Enable the ccache sweep systemd timer
The associated service doesn't need to be enabled. Enabling the
timer is suffient for it to execute. It requires the timers
service so will be ready automatically to run on the configured
period.
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
d460f02a by Rob Crittenden at 2020-12-03T16:57:01-05:00
Increase timeout for krbtpolicy to 4800
The addition of test_ccache_sweep includes a number of sleeps
to force cache expiration.
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
df4380c1 by Rob Crittenden at 2020-12-03T19:48:59-05:00
Skip the ACME mod_md test when the client is in enforcing mode
mod_md requires its own SELinux policy which is only available
in the upstream github. It is beyond the scope of this test to
maintain SELinux policy only for the scenario so skip it
if the client is in enforcing.
Note that no check needs to be done on OS because that is
already handled by the outer skipif for skip_mod_md_tests.
https://pagure.io/freeipa/issue/8514
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
acd98cab by Alexander Bokovoy at 2020-12-04T13:11:39+02:00
Update contributors
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
29f9041b by Alexander Bokovoy at 2020-12-04T22:17:43+02:00
Correct SELinux policy requirements
freeipa-selinux subpackage is used by both client and server but
requires freeipa-server subpackage unconditionally. This needs to be
removed.
Originally, upstream spec file did not have this bug. It was brought
in with unification of the specfiles.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1883005
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
cfa1d69b by Armando Neto at 2020-12-08T16:50:03-03:00
ipatests: Update Rawhide template for PR-CI
New Rawhide aiming Fedora 34.
Template based on
`Fedora-Cloud-Base-Vagrant-Rawhide-20201116.n.0.x86_64.vagrant-libvirt.box`
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
930453b6 by Florence Blanc-Renaud at 2020-12-09T09:54:58+01:00
Improve PKI subsystem detection
The dogtaginstance.is_installed() method currently relies on
the presence of the directory /var/lib/pki/pki-tomcat/{ca|kra},
even if it is empty.
An unwanted consequence is ipa-server-upgrade wrongly assuming the KRA
is installed and crashing when trying to upgrade a not-installed
component.
The fix relies on the command "pki-server subsystem-show {ca|kra}" to
detect if a subsystem is installed. The command does not require PKI
to be running (hence can be called anytime) and is delivered by
the pki-server package which is already required by ipa server pkg.
Fixes: https://pagure.io/freeipa/issue/8596
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
526686ec by Florence Blanc-Renaud at 2020-12-09T09:54:58+01:00
ipatests: add test for PKI subsystem detection
Add a new upgrade test. Scenario:
- create an empty /var/lib/pki/pki-tomcat/kra directory
- call ipa-server-upgrade
With issue 8596, the upgrade fails because it assumes KRA is
installed. With the fix, ipa-server-upgrade completes successfully.
Related: https://pagure.io/freeipa/issue/8596
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
800bafe0 by Florence Blanc-Renaud at 2020-12-10T09:45:44+02:00
xmlrpctests: remove harcoded expiration date from test_user_plugin
The test test_user_plugin is using a hardcoded date for
password expiration and started failed since we passed this date.
Replace the hardcoded date with now + 1 year.
Fixes: https://pagure.io/freeipa/issue/8616
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
ee7dfc3d by Alexander Bokovoy at 2020-12-10T13:47:16+02:00
Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches
With commit c6644b8566f747fa80e2c1925b79bad9f8c92bd7 we default to
create unique credential caches in /run/ipa/ccaches for every client
that connects to IPA with a new session. On F34, mod_auth_gssapi process
running as 'apache' cannot create the ccache in /run/ipa/ccaches because
it has no access rights.
The core of the problem is that we have two different paths to obtaining
a ccache: one where 'apache' running httpd process creates it directly
and one where an internal redirect from 'ipaapi' running httpd process
is happening.
Use SUID and SGID to 'ipaapi'/'ipaapi' and allow 'apache' group to write
to '/run/ipa/ccaches'. This fixes the problem.
Note that we cannot completely remove 'GssapiDelegCcachePerms'. If we'd
do so, mod_auth_gssapi will do redirects and fail.
Fixes: https://pagure.io/freeipa/issue/8613
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
07fa32a0 by Alexander Bokovoy at 2020-12-10T13:47:16+02:00
upgrade: provide DOMAIN to the server upgrade dictionary
Rules in ipa-rewrite.conf use $DOMAIN variable but it is not available
in the dictionary. Regression was introduced with
e731b2725a3772cd037683ff2e08c514fd02019f.
Fixes: https://pagure.io/freeipa/issue/8615
Related: https://pagure.io/freeipa/issue/8595
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
38a86e33 by Alexander Bokovoy at 2020-12-10T14:38:05+02:00
systemd: enforce en_US.UTF-8 locale in systemd units
Python code does detection of the system encoding based on the locale
settings. On RHEL 8.4 development images we somehow get LANG=en_US which
defaults to iso8859-1 _inside_ the systemd-started service, even though
the whole environment defaults to LANG=en_US.UTF-8.
When instrumented with ExecStartPre=/usr/bin/locale, the following
output can be seen:
locale[45481]: LANG=en_US
locale[45481]: LC_CTYPE="en_US"
locale[45481]: LC_NUMERIC="en_US"
locale[45481]: LC_TIME="en_US"
locale[45481]: LC_COLLATE="en_US"
locale[45481]: LC_MONETARY="en_US"
locale[45481]: LC_MESSAGES="en_US"
locale[45481]: LC_PAPER="en_US"
locale[45481]: LC_NAME="en_US"
locale[45481]: LC_ADDRESS="en_US"
locale[45481]: LC_TELEPHONE="en_US"
locale[45481]: LC_MEASUREMENT="en_US"
locale[45481]: LC_IDENTIFICATION="en_US"
locale[45481]: LC_ALL=
ipactl[45483]: Unexpected error
ipactl[45483]: SystemEncodingError: System encoding must be UTF-8, 'iso8859-1' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE
Set the environment to explicit LC_ALL=C.UTF-8 to please the Python
code. FreeIPA server side only cares about actual encoding, not the
language itself. We already use LC_ALL=C.UTF-8 in httpd service snippet..
Fixes: https://pagure.io/freeipa/issue/8617
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
27987093 by Sudhir Menon at 2020-12-15T16:00:04+01:00
ipatests: Test for IPATrustDomainsCheck with external trust to AD
This testcase checks that when external trust is configured
between IPA and AD subdomain, IPATrustDomainsCheck
doesnot display ERROR
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fc53c6bb by Sudhir Menon at 2020-12-15T16:00:04+01:00
Modified YAML files
Currently the TestIpaHealthCheckWithADtrust trust required
only one root AD Domain for testing.
Replaced the existing topology with adroot_adchild_adtree_master_1client
so that trust tests can be run with child/tree root AD domains.
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
82e45d1f by François Cami at 2020-12-16T11:12:50+01:00
PR-CI templates: add test_integration/test_installation_client.py
Fixes: https://pagure.io/freeipa/issue/8082
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
249c76b1 by Alexander Scheel at 2020-12-17T11:48:59+01:00
Fix spelling mistake: filen ame -> filename
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
35362d30 by Alexander Bokovoy at 2020-12-18T13:32:34+02:00
ipa-kdb: use predefined filters for a wild-card searches
In case we've got a principal name as '*', we don't need to specify
the principal itself, use pre-defined filter for a wild-card search.
Previously, we had to escape the '*' as specifying it with an explicit
matching rule would have violated RFC 4515 section 3. However, since we
don't really need to specify a different matching rule for a wild-card
search, we can remove this part completely.
Use this change as an opportunity to simplify the code and reduce
number of duplicated filter constants -- if extra filter is NULL, we can
simply pass "" and use _EXTRA filter constants to format the final
filter.
Fixes: https://pagure.io/freeipa/issue/8624
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
b7c00f2a by Alexander Bokovoy at 2020-12-18T13:33:44+02:00
service: handle empty list of services to update their state
When there are no services in LDAP that have specified states, we don't
need to update their state.
Fixes: https://pagure.io/freeipa/issue/8623
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
fccceaa2 by Alexander Bokovoy at 2020-12-18T13:33:44+02:00
upgrade: do not overshadow service module in upgrade_configuration
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
f841ccb3 by Alexander Bokovoy at 2020-12-18T13:33:44+02:00
upgrade: ensure service state is synchronized with the server state
Convert configuredService to either enabledService or hiddenService
depending on the state of the server role. This is to fix situations
when deployment has happened before introduction of hidden replicas
as those services will stay as configuredService and will not get
started after upgrade, rendering the system non-functioning.
Fixes: https://pagure.io/freeipa/issue/8623
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
18a1e7ee by François Cami at 2020-12-18T13:35:06+02:00
ipatests: make sure dns_lookup_kdc is always true
Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.
Make sure dns_lookup_kdc is always set to true.
Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e7827a6f by François Cami at 2020-12-18T13:35:06+02:00
ipa-client-install: unilaterally set dns_lookup_kdc to True
Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.
Setting dns_lookup_kdc to False would result in a hardcoded
configuration which is less reliable in the long run.
For instance, adding a trust to an Active Directory forest
after clients are enrolled would result in clients not being
able to authenticate AD users. Recycling FreeIPA servers
could prove problematic if the original hostnames are not
reused too.
Change summary:
Always set dns_lookup_kdc to True on client enrollment.
With this change, DNS SRV search will always be performed
before looking into /etc/krb5.conf realm entries.
Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
809d9cb8 by Antonio Torres Moríñigo at 2020-12-18T16:47:59+02:00
Allow leading/trailing whitespaces in passwords
kwargs is redefined to set the `noextrawhitespace` parameter
from the Str class to `False`.
Fixes: https://pagure.io/freeipa/issue/7599
Signed-off-by: Antonio Torres Moríñigo <atorresm at protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
57ec5f4c by Antonio Torres Moríñigo at 2020-12-18T16:47:59+02:00
ipatests: test that trailing/leading whitespaces in passwords are allowed
Add test to ensure that strings with trailing or leading
whitespaces are allowed as valid passwords.
Signed-off-by: Antonio Torres Moríñigo <atorresm at protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b9d3860c by Vit Mojzis at 2020-12-18T20:35:15+02:00
selinux: Fix/waive issues reported by SELint
- order permissions alphabeticaly
- do not use semicollon after interfaces
- gen_require should only be used in interfaces
-- to resolve this issue, corresponding changes have to be made in
distribution policy instead of ipa module - disabling check
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
f83195f5 by François Cami at 2020-12-18T20:35:15+02:00
set SELinux to Enforcing in gating.xml
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
7dbe6e4f by Timo Aaltonen at 2020-12-18T20:37:10+02:00
Debian: Fix paths and service names for bind 9.16
Got changed for 9.16 and up.
Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
48331586 by Timo Aaltonen at 2020-12-18T20:37:10+02:00
Debian: Fix chrony service name
Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5783a882 by Timo Aaltonen at 2020-12-18T20:37:10+02:00
ipaplatform: Use gpg instead of gpg2
'gpg2' is a convenience symlink on Debian, provided by a package that
will go away eventually. 'gpg' is available everywhere.
Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4c039843 by Slava Aseev at 2020-12-18T20:38:40+02:00
ipa-kdb: handle dates up to 2106-02-07 06:28:16
krb5 uses the negative part of krb5_timestamp to store time values
after 2038:
https://k5wiki.kerberos.org/wiki/Projects/Timestamps_after_2038
In other words, krb5 uses krb5_timestamp (signed int) with
unsigned arithmetic for expanding the timestamp's upper bound.
This commit:
- adds some helper functions for working with krb5_timestamp as
unsigned (actually copied from
https://github.com/krb5/krb5/blob/master/src/include/k5-int.h)
- replaces operations with krb5_timestamp's by these new functions
Fixes: https://pagure.io/freeipa/issue/8028
Signed-off-by: Slava Aseev <ptrnine at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
- - - - -
a297097b by Christian Heimes at 2020-12-18T20:40:36+02:00
Change mkdir logic in DNSSEC
- Create /var/named/dyndb-ldap/ipa/master/ early
- Assume that /var/named/dyndb-ldap/ipa/master/ exists in BINDMgr.sync()
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ef1a7009 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/bn_IN translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
76bd7715 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/ca translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
68062f27 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/cs translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
daaa8bbe by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/de translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
dbfaf9b1 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/en_GB translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
e5bdda24 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/es translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
db5c1665 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/eu translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
ffd21b01 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/fr translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
1c591f7d by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/hi translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
eeeb6910 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/hu translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
ebebb9fa by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/id translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
6a372914 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/ja translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
30d783ca by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/kn translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
4567f3d8 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/mr translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
e382dcb4 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/nl translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
762cab30 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/pa translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
de3f22ad by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/pl translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
27ca65c0 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/pt_BR translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
137dc3ce by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/pt translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
da128de1 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/ru translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
68adc9fd by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/sk translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
89b1f944 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/tg translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
8e8ea952 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/tr translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
447924bb by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/uk translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
1376da66 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update po/zh_CN translation before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
8c681a49 by Alexander Bokovoy at 2020-12-19T11:04:21+02:00
Update IPA translation template before release
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
6ae1a05e by Carl George at 2020-12-19T14:51:58+02:00
Use uglifyjs on CentOS too
Only checking for ID to equal "rhel" causes build failures on CentOS
Stream. Instead check both ID and ID_LIKE. This should also work later
on when rebuilds like CentOS Linux get this update.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9ce2fe44 by François Cami at 2020-12-19T23:11:42+02:00
set SELinux back to Permissive in gating.xml
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2c98105c by Alexander Bokovoy at 2020-12-21T22:32:39+02:00
tests_webui: flip leading and trailing space password test
With commit 809d9cb80f5f4471f125823888f37875aa37809e we now allow
leading and trailing space in passwords. Fix Web UI tests to follow this
change.
Fixes: https://pagure.io/freeipa/issue/8629
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
705f564e by Alexander Bokovoy at 2020-12-21T22:32:39+02:00
tests_webui: fix wrong user name key for trail space case
User name for trail space key was using the name for lead space key.
As a result, when both tests were transformed, second one was
unsuccessful as the original user was already created.
Fix the user name data according to the test.
Fixes: https://pagure.io/freeipa/issue/8629
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
8e16a1d1 by Alexander Bokovoy at 2020-12-22T14:05:13+02:00
opendnssecinstance: use late binding for UID/GID resolution
Move actual resolution of UID/GID values for 'ods' and 'named' entities
to the code that needs them. This prevents failures when uninstalling
IPA server set up without DNS feature. In particular, 'named' group is
created when 'bind' package is installed and if 'bind' package is not
installed, uninstall fails in OpenDNSSEC instance constructor.
We use common pattern for all services during uninstall:
svc = SVCClass(..)
if svc.is_configured()
svc.uninstall()
This requires that the class constructor should not rely on artifacts
that only exist when the service is configured.
Fixes: https://pagure.io/freeipa/issue/8630
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
b6a64533 by Alexander Bokovoy at 2020-12-22T14:05:13+02:00
dnskeysyncinstance: use late binding for UID/GID resolution
Move actual resolution of UID/GID values for 'ods' and 'named' entities
to the code that needs them. This prevents failures when uninstalling
IPA server set up without DNS feature. In particular, 'named' group is
created when 'bind' package is installed and if 'bind' package is not
installed, uninstall fails in OpenDNSSEC instance constructor.
We use common pattern for all services during uninstall:
svc = SVCClass(..)
if svc.is_configured()
svc.uninstall()
This requires that the class constructor should not rely on artifacts
that only exist when the service is configured.
Fixes: https://pagure.io/freeipa/issue/8630
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
4c4f16fc by Alexander Bokovoy at 2020-12-22T14:05:13+02:00
odsexporterinstance: use late binding for UID/GID resolution
Move actual resolution of UID/GID values for 'ods' entities to the code
that needs them. This prevents failures when uninstalling IPA server set
up without DNS feature. In particular, 'ods' user and group are created
when 'opendnssec' package is installed and if 'opendnssec' package is
not installed, uninstall fails in OpenDNSSEC Exporter instance
constructor.
We use common pattern of checking the service during uninstall:
svc = SVCClass()
if svc.is_configured():
svc.uninstall()
Thus, service class constructor must not do UID/GID resolution
Fixes: https://pagure.io/freeipa/issue/8630
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
d0a1606e by Florence Blanc-Renaud at 2020-12-23T13:59:29+01:00
ipatests: remove test_acme from gating
test_acme is not stable and often needs to be
launched multiple times. Remove the test from gating
until the issue is fixed
Related: https://pagure.io/freeipa/issue/8602
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
e7949e2a by Florence Blanc-Renaud at 2020-12-23T14:01:43+01:00
ipatests: fix expected error message in test_commands
389ds does not return any more additional information
about a failing bind (to avoid leaking information).
As a consequence, when ipa-nis-manage is provided a
wrong password, the error message contains less info
as in the past and needs to be fixed.
Fixes: https://pagure.io/freeipa/issue/8631
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
38823e90 by Alexander Bokovoy at 2020-12-23T15:37:10+02:00
ipaplatform: add constant for systemd-run binary
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
35ab6567 by Alexander Bokovoy at 2020-12-23T15:37:10+02:00
ipatests: fix race condition in finalizer of encrypted backup test
When using a fixture, we get a temporary directory created and then
removed by pytest. Pytest uses `shutil.rmtree` call which collects all
files in the directory being removed and then removes them one by one.
At the point of removal of our GNUPGHOME directory, gpg daemon is being
shut down and there might still be an agent UNIX domain socket. The
removal actually overlaps in time with shut down of the gpg daemon, thus
causing `shutil.rmtree()` to fail when an agent UNIX domain socket is
removed by the daemon.
Change the way how we run the gpg agent to use a temporary systemd
service. Stop the service in the finalizer method so that systemd would
send SIGTERM signal and the gpg agent would clean itself up.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
10dbddc4 by Alexander Bokovoy at 2020-12-23T16:10:01+02:00
Update list of contributors
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9a754a80 by Weblate at 2020-12-23T16:31:36+02:00
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
- - - - -
d7eece2e by Sudhir Menon at 2021-01-06T08:46:04+01:00
ipatests: Test for IPATrustControllerPrincipalCheck
This testcase checks when trust between IPA-AD is established
successfully, IPATrustControllerPrincipalCheck displays
result as SUCCESS
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d91690d5 by Sudhir Menon at 2021-01-06T08:53:37+01:00
ipatests: ipahealthcheck remove test skipped in pytest run
TestIpaHealthCLI::test_input_file test was skipped due to
bz1866558. Removed the below statement so that the test can
now run as the bug is fixed.
@pytest.mark.xfail(reason='BZ 1866558', strict=False)
Also changed the assert statement to search text in
stdout_text rather than sdterr_text
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1086f7a7 by Florence Blanc-Renaud at 2021-01-06T16:41:50+01:00
ipatests: clear initgroups cache in clear_sssd_cache
The tasks module provides a method to clear sssd cache,
but the method does not remove the file /var/lib/sss/mc/initgroups.
Update the method to also remove this file.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b707af1c by Sergey Orlov at 2021-01-07T13:36:28+01:00
ipatests: do not set dns_lookup to true
dns_lookup was set to false during ipa client installation which prevented
searches for SRV records for Kerberos servers.
Since https://pagure.io/freeipa/issue/6523 is fixed, dns_lookup is always True
now and the fixture is not needed anymore.
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
53f4fd91 by Rob Crittenden at 2021-01-07T14:01:26+01:00
Don't change the CA profile when modifying request in ipa_certupdate
The CA tracking request is modified (it calls renew but it doesn't
actually do a renewal) as part of ipa-certupdate and it dropped
the profile. ipa-healthcheck discovered this condition.
https://pagure.io/freeipa/issue/8644
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
8e9fecd7 by Rob Crittenden at 2021-01-07T14:01:26+01:00
ipatests: test that no errors are reported after ipa-certupdate
The CA tracking request was modified to drop the profile which
was caught by ipa-healthcheck. Run ipa-certupdate then
ipa-healthcheck to confirm that no problems are introduced.
https://pagure.io/freeipa/issue/8644
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b8ece644 by Florence Blanc-Renaud at 2021-01-07T16:21:16+01:00
ipatests: add a test for ipa-cert-fix
Add a new test for ipa-cert-fix issue 8618. When the CSR for one
of the certs to be renewed is missing from /etc/pki/pki-tomcat/{ca|kra}/CS.cfg
ipa-cert-fix fails to renew the certificates.
Test scenario:
move the date in the future to expire PKI system certificates (+3 years)
delete the directive ca.sslserver.certreq from CS.cfg
call ipa-cert-fix and ensure that the CSR was found
Related: https://pagure.io/freeipa/issue/8618
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1a988ba9 by Florence Blanc-Renaud at 2021-01-07T16:21:16+01:00
ipa-cert-fix: do not fail when CSR is missing from CS.cfg
When the CSR for an expired cert is not found in
/etc/pki/pki-tomcat/{ca|kra}/CS.cfg, ipa-cert-fix fails to
renew the certificate and repair the installation.
The CSR can be found using certmonger as it is stored in
/var/lib/certmonger/requests/<ID> in the "csr" attribute.
Prior to calling pki-server cert-fix, make sure that the
CSR is present in CS.cfg, or update CS.cfg with the content
found using certmonger.
Fixes: https://pagure.io/freeipa/issue/8618
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
98711e8e by Florence Blanc-Renaud at 2021-01-07T16:21:16+01:00
ipatests: add test_ipa_cert_fix to the nightly definitions
Add the new test test_integration/test_ipa_cert_fix.py to the
nightly definitions.
Related: https://pagure.io/freeipa/issue/8618
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
add58fb1 by Florence Blanc-Renaud at 2021-01-09T12:33:58+01:00
selinux: modify policy to allow one-way trust
In selinux enforcing mode, the command ipa trust-add fails
to establish a one-way trust, during the step fetching the remote
domains.
This step calls a script over DBus and oddjob, that is executed
with oddjob_t context. The policy must allow noatsecure.
Currently the optional_policy is defined in selinux-policy
repo but is ineffective as ipa_helper_noatsecure is not defined
in this repo. When the optional_policy is defined in our own
module, it is taken into account and ipa trust-add succeeds.
Fixes: https://pagure.io/freeipa/issue/8508
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
e619c9f4 by Rob Crittenden at 2021-01-09T16:41:03+01:00
Remove invalid test case for DNS SRV priority
Upstream dnspython 2.1.0 introduced additional error checking
on SRV values and now rejects invalid priorities.
Remove the sorting test for priority of -1.
https://pagure.io/freeipa/issue/8650
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3e8e8365 by Armando Neto at 2021-01-13T09:35:43-03:00
ipatests: update PR-CI templates to Fedora 33
Gating tests are still on Fedora 32 because some tests are failing.
Rest is being updated to unblock nightly runs:
- "previous" updated to Fedora 32
- "latest" updated to Fedora 33
- 389ds, testing and pki definitions updated to Fedora 33
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
59d6c4da by Rob Crittenden at 2021-01-13T13:50:45+01:00
Remove virtual attributes before rolling back a permission
On a failed permission update if the generated ACI is
invalid then the updated permission is rolled back.
Add the virtual relationship attributes to list of attributes
to be ignored when rolling back the entry.
This relies on the current order in the LDAPObject
relationships field where member and memberof are the first
two values.
https://pagure.io/freeipa/issue/8646
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8dd2eb45 by Rob Crittenden at 2021-01-13T13:50:45+01:00
ipatests: test that modifying a permission attrs handles failure
Add a test to ensure that a change to a permission that will
result in an invalid ACI is rolled back.
https://pagure.io/freeipa/issue/8646
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dfa08421 by Rob Crittenden at 2021-01-13T17:44:20+01:00
ipatests: See if nologin supports -c before asserting message
Per the ssh_config(5) man page under ProxyCommand:
"The command string extends to the end of the line, and is
executed using the user's shell ‘exec’ directive to avoid a
lingering shell process."
<shell> -c <proxy command>
Some older versions of nologin (RHEL/CentOS) do not support
the -c option so will still fail but since nologin doesn't
actually execute properly it doesn't include the output
'This account is currently not available' so don't assert
in that case. The returncode of 1 is sufficient to know
that the login is denied.
https://pagure.io/freeipa/issue/7676
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
cf17b7af by Alexander Bokovoy at 2021-01-13T20:56:13+02:00
ipaserver/dcerpc: use Samba-provided trust helper to establish trust
When establishing trust to Active Directory forest, RC4 is used to
encrypt trusted domain object credentials as an application-specific
material in a secure channel based on AES session key.
In FIPS mode it is not possible to use RC4 directly.
Samba 4.14 and backports to 4.13 in Fedora 33+ and RHEL 8.4+ now
provide a helper that wraps LSA RPC call CreateTrustedDomainEx2.
This helper ensures that in FIPS mode we first check that LSA session
key is AES before allowing RC4 use internally in Samba bindings. Thus,
it becomes possible to establish trust to Active Directory forest in
FIPS mode.
Adopt FreeIPA code to use the helper provided by Samba when it is
available. If neither the helper nor unprotected arcfour_encrypt utility
is available from Samba bindings, fail import of the ipaserver.dcerpc
module.
Fixes: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e157ea1e by Alexander Bokovoy at 2021-01-13T20:56:13+02:00
ipaserver/dcerpc.py: use Kerberos authentication for discovery
In FIPS mode we cannot rely on NTLMSSP at all, so we have ensure
Kerberos is used by Samba Python libraries. This is achieved by
requiring credentials objects to always use Kerberos authentication.
Additionally, we have to normalize the principal used to authenticate.
In case it was passed without realm, add forest root domain as a realm.
In case it was passed with NetBIOS domain name, remove it and replace
with a realm. Since we only know about the forest root domain as a
realm, require that for other domains' users a real Kerberos principal
is specified.
Fixes: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fd15f602 by Alexander Bokovoy at 2021-01-13T20:56:13+02:00
ipaserver/dcerpc.py: enforce SMB encryption on LSA pipe if available
We want to always use SMB encryption if it is possible on LSA pipe as we
are going to pass what accounts to a plain-text content within
CreateTrustedDomainEx2 call.
The catch is that older Samba version might not have a way to enforce
this and we need fall back to work with existing connection then.
Fixes: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9b2f5fe6 by Robbie Harwood at 2021-01-13T21:31:31+02:00
Set client keytab location for 389ds
Handles behavior change in
https://github.com/389ds/389-ds-base/pull/4523
Fixes: https://pagure.io/freeipa/issue/8656
Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6e0634bd by Florence Blanc-Renaud at 2021-01-14T14:56:26+01:00
ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection
Modify the test scenario in order to be independant from PKI
behavior. The aim of the test is to ensure that the KRA
detection is not based on the presence of the directory
/var/lib/pki/pki-tomcat/kra/.
Previously the test was calling ipa-server-upgrade but this cmd
may fail even with the kra detection fix because of an issue in
pki (https://github.com/dogtagpki/pki/issues/3397).
Instead of exercising the whole ipa-server-upgrade command, the
test now checks the output of the API kra.is_installed() to validate
KRA detection mechanism.
Fixes: https://pagure.io/freeipa/issue/8653
Related: https://pagure.io/freeipa/issue/8596
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
cbf7bcbe by Rob Crittenden at 2021-01-15T10:01:28+01:00
Add missing break statement to password quality switch
Discovered by coverity.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0096f4b9 by Rob Crittenden at 2021-01-15T10:01:28+01:00
ipa-kdb: Change mspac base RID logic from OR to AND
The purpose is to set a default if the RID doesn't match
expectations.
Discovered by coverity
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6f46fac2 by Rob Crittenden at 2021-01-15T10:01:28+01:00
ipa-kdb: Fix logic to prevent NULL pointer dereference
Discovered by coverity
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a129e6f0 by Rob Crittenden at 2021-01-15T10:01:28+01:00
ipa_kdb: Fix memory leak
ipadb_get_principal() allocates client_actual. Call
ipadb_free_principal to release it.
Rather than spreading the free() amongst the code introduce
done as a target to match behavior in similar functions.
Discovered by coverity.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
99ea326b by Rob Crittenden at 2021-01-15T10:01:28+01:00
ipa_pwd: Remove unnecessary conditional
It is already confirmed that item_data is not NULL so there
is no need to check it again.
Discovered by coverity.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
85d4f2d9 by Rob Crittenden at 2021-01-15T10:07:33+01:00
Revert "Remove test for minimum ACME support and rely on package deps"
This reverts commit 81c97bb9928a88a595b3afe6fa70fcfb267b1440.
This is to make IPA installable again with older versions of dogtag
so it will install on CentOS 8 Stream.
ACME will not be deployed but on upgrade, if pki 10.10.x is available
then it will be.
https://pagure.io/freeipa/issue/8634
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
90eef4f5 by Rob Crittenden at 2021-01-15T14:06:53+01:00
ipa-rmkeytab: convert numeric return values to #defines
This makes it clearer what the return value means.
Replace closing of keytab based on the numeric return value
and do it based on whether the keytab was opened at all.
https://pagure.io/freeipa/issue/8658
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f3f9672d by Rob Crittenden at 2021-01-15T14:06:53+01:00
ipa-rmkeytab: Check return value of krb5_kt_(start|end)_seq_get
The return value of functions managing the cursor in the keytab
were not checked or reported in a consistent way. This should
assure a reasonable error message in case something goes wrong.
https://pagure.io/freeipa/issue/8658
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
54b42f72 by Peter Keresztes Schmidt at 2021-01-15T14:11:56+01:00
configure: Fix source tree detection to enable more warnings
Related: https://pagure.io/freeipa/issue/8351
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a355646c by Peter Keresztes Schmidt at 2021-01-15T14:11:56+01:00
build: Unify compiler warning flags used
Related: https://pagure.io/freeipa/issue/8351
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f9357cb9 by Peter Keresztes Schmidt at 2021-01-15T14:11:56+01:00
configure: Do not set -Wno-strict-aliasing -Wno-sign-compare
Related: https://pagure.io/freeipa/issue/8351
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4a3a39f5 by Florence Blanc-Renaud at 2021-01-19T10:29:20+01:00
ipatests: fix expected errmsg in TestTrust::test_ipa_commands_run_as_aduser
389ds does not return any more additional information
about a failing bind (to avoid leaking information).
As a consequence, when ipa ping is executed with an AD user
the error message contains less info as in the past and needs to be fixed..
Fixes: https://pagure.io/freeipa/issue/8668
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
6f830ae1 by Antonio Torres at 2021-01-19T11:21:29+01:00
Test that IPA certs are removed on server uninstall
Test that IPA certs are removed after the server uninstall
process. This is needed since if these certs are not
removed from the system store, further installations
will fail.
Related: https://pagure.io/freeipa/issue/8614
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
79d9790c by Antonio Torres at 2021-01-19T11:21:29+01:00
Check that IPA cert is added to trust store after server install
Checking that IPA cert has been added to trust
store is needed to verify that installation
of the server is correct. This cert should also
be removed on uninstall to prevent failures
on further installations.
Related: https://pagure.io/freeipa/issue/8614
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
9fb22246 by Stanislav Levin at 2021-01-19T11:23:51+01:00
ipatests: Raise log level of 389-ds replication
- change log level for replication debugging
According to the docs:
```
default level of logging(16384) used for critical errors and other
messages that are always written to the error log. Messages at this
level are always included in the error log, regardless of the log
level setting.
```
- always flush the access logs to filesystem
During the testing access logs may be written with delay, this
results in logs are not collected by this test node, but for example,
the next one.
- as of now, the changes on `cn=config` are made after the installation
of server or replica. If an error occurs during these stages, then the
actual log level will be the default and not as expected.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6b936361 by Christian Heimes at 2021-01-19T11:49:20+01:00
Add ccache sweeper files to gitignore
See: https://pagure.io/freeipa/issue/8589
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
279d8b7e by Florence Blanc-Renaud at 2021-01-20T11:19:34+01:00
ipatests: fix healthcheck test for ipahealthcheck.ds.encryption
389ds is combining the value set in dse.ldif and the current crypto
policy to evaluate the min TLS version that it will be using.
The test needs to change the crypto policy to LEGACY in order to allow
TLS 1.0, because the DEFAULT policy prevents TLS 1.0 on fc33+.
Fixes: https://pagure.io/freeipa/issue/8670
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
- - - - -
176fe83a by Rob Crittenden at 2021-01-20T15:59:27+01:00
Add support for cgroup v2 to the installer memory checker
Support both the case where there is a limit imposed on the
container and when there isn't.
https://pagure.io/freeipa/issue/8635
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
573d66e1 by Rob Crittenden at 2021-01-20T15:59:27+01:00
ipatests: test the cgroup v2 memory restrictions
Also rename a few tests to hopefully make their purpose clearer.
https://pagure.io/freeipa/issue/8635
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
69d48000 by Mohammad Rizwan at 2021-01-21T13:46:18+01:00
ipatests: Test if server setup without dns uninstall properly
IPA server uninstall was failing if dns was not setup.
This test check if it uninstalls propelry.
related: https://pagure.io/freeipa/issue/8630
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
74b4d7e4 by Mohammad Rizwan at 2021-01-21T13:46:18+01:00
ipatests: Add test_uninstall.py to nightly definitions
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
6518a600 by Rob Crittenden at 2021-01-21T13:51:45+01:00
Change FreeIPA references to IPA and Identity Management
In order to simplify the build process between upstream FreeIPA
and downstream builds (such as CentOS Stream) we are changing
some file references from FreeIPA to IPA (and Identity Management).
https://pagure.io/freeipa/issue/8669
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
767232b4 by Rob Crittenden at 2021-01-21T13:51:45+01:00
Remove support for csrgen
This was never feature complete and currently has issues and
we lack the resources to maintain it.
Drop it for now. It can be revived from git history in the
future if we see the need.
https://pagure.io/freeipa/issue/8669
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8021a206 by Rob Crittenden at 2021-01-21T13:51:45+01:00
Remove references to rjsmin in UI compile.sh
It specifically referenced using Python rjsmin while the
actual script would pick the minimizer based on the underlying
distribution.
https://pagure.io/freeipa/issue/8669
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6ebfbda2 by François Cami at 2021-01-21T15:46:19-05:00
ipatests: test_ipahealthcheck: fix units
df uses 1024 bytes as its default display value, but this can be
tweaked by environment variables or a CLI knob.
Force the output unit to 1024 bytes using the CLI and parse it
accordingly.
Fixes: https://pagure.io/freeipa/issue/8674
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ce2e41ab by Christian Heimes at 2021-01-21T15:47:51-05:00
Don't install csrgen extra dependencies
See: https://pagure.io/freeipa/issue/8669
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9b2c05af by Florence Blanc-Renaud at 2021-01-22T18:07:46+01:00
ipatests: fix discrepancies in nightly defs
- Build is using a prio of 100 while tests use 50, use consistent
values
- fix the requires for test_installation_client
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
968f8ada by Alexander Bokovoy at 2021-01-22T12:21:33-05:00
ipa-kdb: provide correct logon time in MS-PAC from authentication time
When MS-PAC structure is created, we get passed the time of
authentication from KDC. Use this to record logon time in MS-PAC
structure.
Set allow password change time to the last password change. We need to
refer to the actual password policy here in future.
Also use INT64_MAX to represent the resulting value for logoff
and kickoff times according to MS-PAC 2.6.
Fixes: https://pagure.io/freeipa/issue/8659
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e6f8d8bc by Alexander Bokovoy at 2021-01-22T12:21:33-05:00
ipasam: implement PASSDB getgrnam call
ipasam already implemented retrieval of groups for MS-SAMR calls.
However, it did not have implementation of a group retrieval for the
path of lookup_name() function in Samba. The lookup_name() is used in
many places in smbd and winbindd.
With this change it will be possible to resolve IPA groups in Windows UI
(Security tab) and console (net localgroup ...). When Global Catalog
service is enabled, it will be possible to search for those groups as
well.
In Active Directory, security groups can be domain, domain local, local
and so on. In IPA, only domain groups exposed through ipasam because
SID generation plugin only supports adding SIDs to POSIX groups and
users. Thus, non-POSIX groups are not going to have SIDs associated and
will not be visible in both UNIX and Windows environments.
Group retrieval in Samba is implemented as a mapping between NT and
POSIX groups. IPA doesn't have explicit mapping tables. Instead, any
POSIX group in IPA that has a SID associated with it is considered a
domain group for Samba.
Finally, additional ACI is required to ensure attributes looked up by
ipasam are always readable by the trust agents.
Fixes: https://pagure.io/freeipa/issue/8660
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
75882516 by Alexander Bokovoy at 2021-01-22T12:21:33-05:00
ipasam: allow search of users by user principal name (UPN)
lookup_name() in Samba may call PASSDB API to search by a UPN (e.g.
username at suffix). Support this call by detecting '@' in the passed name
and setting up filter to be
(&(objectClass=ipaNTUserAttrs)(objectClass=krbPrincipalAux)(krbPrincipalName:caseIgnoreIA5Match:=%s))
instead of
(&(objectClass=ipaNTUserAttrs)(uid=%s))
The result of the search would still contain a proper user entry as we
always have krbPrincipalName in LDAP entries of IPA users. Note that the
match must be case-insensitive because otherwise krbPrincipalName is
matched with exact case in the schema. We use the same matching override
in KDB driver already.
Fixes: https://pagure.io/freeipa/issue/8661
Signed-of-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a1e2fe9c by Alexander Bokovoy at 2021-01-22T12:21:33-05:00
ipasam: free trusted domain context on failure
The context is hanging off a talloc memory context passed into the
function so it will eventually be freed. It is better, though, to free
it immediately when we exit from the fill_pdb_trusted_domain() function.
Related: https://pagure.io/freeipa/issue/8576
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
08d7d90a by Alexander Bokovoy at 2021-01-22T12:21:33-05:00
ipasam: derive parent domain for subdomains automatically
[MS-ADTS] 6.1.6.7.13 defines 'trustPartner' attribute as containing a
FQDN of the trusted domain. In practice, for a subdomain of a forest, it
would be FQDN of the subdomain itself in the trusted domain entry in the
parent domain. This is reflected as ipaNTTrustPartner attribute in
FreeIPA.
Remove ipaNTTrustPartner from the searches that use NetBIOS name. We
match cn of that entry already.
Use RDN value of the entry to derive DNS domain name in case
ipaNTTrustPartner is missing.
For subdomains, set trust attributes to 0 and trust flags to mark them
as being within the forest. This will trigger winbindd to not ask for
credentials to reach those domain controllers directly.
Fixes: https://pagure.io/freeipa/issue/8576
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
214aeb72 by Alexander Bokovoy at 2021-01-22T12:21:33-05:00
ipaserver/dcerpc: store forest topology as a blob in ipasam
winbindd expects forest topology information blob to find out child
domains. We should store it in LDAP and let ipasam to retrieve it.
In fact, ipasam already supports updating and loading this information
but during 'ipa trust-fetch-domains' we didn't provide it.
Make sure the blob is preserved after it was retrieved and also updated
when we fetch forest topology information.
Fixes: https://pagure.io/freeipa/issue/8576
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9d19c082 by Sergey Orlov at 2021-01-22T12:21:33-05:00
ipatests: use fully qualified name for AD admin when establishing trust
Changes in https://pagure.io/freeipa/issue/8655 made it impossible
to use AD admin name without domain part in "ipa trust-add" command to
establish external trust with an AD tree domain.
Also use fully qualified admin name by default in all trust related tests
to reduce abiguity
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
94242563 by JoeDrane at 2021-01-22T12:21:33-05:00
Update ipa_sam.c
fixed typo in debug message on line 4040.
Signed-off-by: JoeDrane <joe at drane.io>
Reviewed-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ae7cd470 by Alexander Bokovoy at 2021-01-22T12:21:33-05:00
trust-fetch-domains: use custom krb5.conf overlay for all trust operations
Operations in FIPS mode make impossible use of NTLMSSP when
authenticating to trusted Active Directory domain controllers because
RC4 cipher is not allowed. Instead, Kerberos authentication have to be
used. We switched to enforce Kerberos authentication when communicating
with trusted domains' domain controllers everywhere.
Kerberos library uses system wide configuration which in IPA defaults to
resolving location of KDCs via DNS SRV records. Once trust is
established, SSSD will populate a list of closest DCs and provide them
through the KDC locator plugin. But at the time the trust is established
performing DNS SRV-based discovery of Kerberos KDCs might fail due to
multiple reasons. It might also succeed but point to a DC that doesn't
know about the account we have to use to establish trust.
One edge case is when DNS SRV record points to an unreachable DC,
whether due to a firewall or a network topology limitations. In such
case an administrator would pass --server <server> option to
'ipa trust-add' or 'ipa trust-fetch-domains' commands.
'ipa trust-fetch-domains' runs a helper via oddjobd. This helper was
already modified to support --server option and generated custom
krb5.conf overlay to pin to a specific AD DC. However, this
configuration was removed as soon as we finished talking to AD DCs.
With switch to always use Kebreros to authenticate in retrieval of the
topology information, we have to use the overlay everywhere as well.
Convert the code that generated the overlay file into a context that
generates the overlay and sets environment. Reuse it in other
trust-related places where this matters.
Oddjob helper runs as root and can write to /run/ipa for the krb5.conf
overlay.
Server side of 'ipa trust-add' code calls into ipaserver/dcerpc.py and
runs under ipaapi so can only write to /tmp. Since it is a part of the
Apache instance, it uses private /tmp mounted on tmpfs.
Fixes: https://pagure.io/freeipa/issue/8664
Related: https://pagure.io/freeipa/issue/8655
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
54e5ffc0 by Alexander Bokovoy at 2021-01-22T12:21:33-05:00
use a constant instead of /var/lib/sss/keytabs
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0801d4c0 by Florence Blanc-Renaud at 2021-01-22T12:53:44-05:00
ipatests: fix expected output for ipahealthcheck.ipa.files
With ipa-healthcheck 0.8, the test ipahealthcheck.ipa.files is able
to return a list of possible owners/groups as a comma-separated string
instead of a single owner/group (see commit 930ec5f).
The test output needs to be fixed accordingly.
Fixes: https://pagure.io/freeipa/issue/8662
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
afcb0600 by Alexander Bokovoy at 2021-01-26T13:05:27-05:00
Add design document for using AD users/groups in SUDO rules
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
172e4b97 by Alexander Bokovoy at 2021-01-26T13:05:27-05:00
baseldap: refactor validator support in add_external_pre_callback
baseldap.py:add_external_pre_callback() allows to redefine validators
used to validate member names. Originally this was done to allow
hostname validation and reused default validators associated with other
parameter types.
Provide extension of the validator callbacks to allow fine grained
validation strategy. This is helpful in case we want to apply an
alternative validation strategy in case default validator fails.
New validators can be added to 'member_validator' registry in a similar
way to how API objects are registered:
from .baseldap import member_validator
@member_validator(membertype='foo')
def my_new_validator(ldap, dn, keys, options, value):
<validate value here>
Arguments passed to the validator are arguments passed to the
add_external_pre_callback() augmented with the value to validate.
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Peter Keresztes Schmidt <carbenium at outlook.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
5fae809d by Alexander Bokovoy at 2021-01-26T13:05:27-05:00
baseldap: when adding external objects, differentiate between them and failures
It was possible to add external members without any validation. Any
object that was not found in IPA LDAP was considered an external object
and a command such as sudorule could have added it to the list of values
for externalUser attribute.
With member validator support, real external members from trusted
domains can be differentiated from the objects that were not found in
IPA and in trusted domains.
Use information from the ID Views plugin to treat external objects
accordingly. Not found objects will be part of the error messaging
instead.
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
0ffdfc70 by Alexander Bokovoy at 2021-01-26T13:05:27-05:00
idviews: add extended validator for users from trusted domains
Register extended validator for users from trusted domains to be called
through add_external_pre_callback() in sudorules and other plugins.
The callbacks allow to validate user names as following:
- if user name passes basic user name validator it is accepted, otherwise
- if user name can be resolved to any user in IPA or in a trusted
domain, it is accepted
- otherwise the name is rejected
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
a37db297 by Alexander Bokovoy at 2021-01-26T13:05:27-05:00
sudorule-add-user: allow to reference users and groups from trusted domains directly
Allow specifying AD users and groups from trusted Active Directory
forests in `ipa sudorule-add/remove-user` family of commands.
SSSD uses single attribute 'externalUser' for IPA to pull 'external'
objects referenced in SUDO rules. This means both users and groups are
represented within the same attribute, with groups prefixed with '%',
as described in sudoers(5) man page.
Add member type validators to 'ipa sudorule-add/remove-user' family
commands and rely on member type validators from 'idviews' plugin to
resolve trusted objects.
Referencing fully qualified names for users and groups from trusted
Active Directory domains in 'externalUser' attribute of SUDO rules is
supported in SSSD 2.4 or later.
RN: IPA now supports adding users and groups from trusted Active
RN: Directory domains in SUDO rules without an intermediate non-POSIX
RN: group membership
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
349322e3 by Alexander Bokovoy at 2021-01-26T13:05:27-05:00
sudorule runAs: allow to add users and groups from trusted domains directly
Allow specifying AD users and groups from trusted Active Directory
forests in `ipa sudorule-add/remove-runasuser/runasgroup` family of
commands.
IPA provides 'ipasudorunasextuser' and 'ipasudorunasextusergroup' LDAP
attributes to record 'external' objects referenced in SUDO rules for
specifying the target user and group to run the commands allowed in the
SUDO rule.
Use member type validators to 'ipa sudorule-add/remove-runasuser/runasgroup'
family of commands and rely on member type validators from 'idviews'
plugin to resolve trusted objects.
Referencing fully qualified names for users and groups from trusted
Active Directory domains in IPA SUDOERs schema attributes is supported
in SSSD 2.4 or later.
RN: IPA now supports users and groups from trusted Active Directory
RN: domains in SUDO rules to specify runAsUser/runAsGroup properties
RN: without an intermediate non-POSIX group membership
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
09e06e05 by Alexander Bokovoy at 2021-01-26T13:05:27-05:00
ipatests: fix test_sudorule_plugin's wrong argument use
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
642b81e9 by Alexander Bokovoy at 2021-01-26T13:05:27-05:00
test_trust: add tests for using AD users and groups in SUDO rules
Tests test_integration/test_trust.py::TestTrust::test_sudorules_ad_*
check that a user from a trusted AD domain can perform SUDO
authentication without a password for any command based on a direct user
reference or on indirect AD group reference. The test suite also ensures
an AD user and group can be used for runAsUser/runAsGroup settings.
Due to https://github.com/SSSD/sssd/issues/5475 anything added to
'ipaSudoRunAsExtUserGroup' attribute will be prefixed with '%' and thus
any relying on the value of this attribute displayed by 'sudo -l'
command will fail. The test only validates that a proper group name
appears in the 'sudo' output, so we handle both prefixes in the
corresponding test check. It is not possible to differ by the SSSD
version as a fix to the issue is only a patch on top of 2.4.0 in RHEL.
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
c91a1a07 by Alexander Bokovoy at 2021-01-26T13:05:27-05:00
ipatests: when talking to AD DCs, use FQDN credentials
Samba 4.13+ in Fedora 33+ and RHEL 8.4+ defaults to Kerberos
authentication. This means user name used for authentication must be
mapped to a target realm.
We have to remove trust on AD side first before removing it locally or
otherwise MIT Kerberos might not be able to locate DCs from AD as
removal of the trust information would cause SSSD to clear the details
for a KDC locator plugin as well.
For the test that modifies AD DNS zone on IPA side to inject unreachable
DCs addresses, the configuration has to be reverted first, to allow
plain 'kinit' during removal of trust to reach AD DCs directly.
Fixes: https://pagure.io/freeipa/issue/8678
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
08d72098 by Alexander Bokovoy at 2021-01-26T13:05:27-05:00
baseldap: allow rejecting unknown objects instead of adding to an external attr
IPA traditionally allowed to add names not found in IPA LDAP to external
attributes. This is used to allow, for example, a local system user or
group be present in a SUDO rule.
With membership validator, we can actually check validity of the names
against both IPA users/groups and users/groups from trusted domains.
If in future we decide to reject a local system's objects, then all it
would take is to switch reject_failures to True.
Fixes: https://pagure.io/freeipa/issue/3226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
fdd5ba3f by Stanislav Levin at 2021-01-26T19:57:17+01:00
ipatests: Don't assume sshd flush its logs immediately
sshd logs are not displayed immediately in journalctl, this results
in the tests checked the corresponding system logs are racy. I can't
find a way to flush ones. So, the best is the periodical reading of
the system log.
Related: https://pagure.io/freeipa/issue/8682
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
01caf2d9 by Alexander Bokovoy at 2021-01-27T10:33:19+02:00
Force-update translation po/de.po
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
36670986 by Alexander Bokovoy at 2021-01-27T10:33:19+02:00
Force-update translation po/es.po
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
be0652e2 by Alexander Bokovoy at 2021-01-27T10:33:19+02:00
Force-update translation po/fr.po
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
771f55b9 by Alexander Bokovoy at 2021-01-27T10:33:19+02:00
Force-update translation po/hu.po
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f61b2e88 by Alexander Bokovoy at 2021-01-27T10:33:19+02:00
Force-update translation po/id.po
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fc7680dd by Alexander Bokovoy at 2021-01-27T10:33:19+02:00
Force-update translation po/ipa.pot
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
11f71687 by Alexander Bokovoy at 2021-01-27T10:33:19+02:00
Force-update translation po/ru.po
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3294c363 by Alexander Bokovoy at 2021-01-27T10:33:19+02:00
Force-update translation po/uk.po
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7cc7756d by Alexander Bokovoy at 2021-01-27T10:33:19+02:00
Force-update translation po/zh_CN.po
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e074a594 by Alexander Bokovoy at 2021-01-27T10:49:06+02:00
Force-update translation after FreeIPA to IPA change: po/de.po
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f8addc30 by Alexander Bokovoy at 2021-01-27T10:49:06+02:00
Force-update translation after FreeIPA to IPA change: po/es.po
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
90a92b28 by Alexander Bokovoy at 2021-01-27T10:49:06+02:00
Force-update translation after FreeIPA to IPA change: po/fr.po
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4d1ce5c4 by Alexander Bokovoy at 2021-01-27T10:49:06+02:00
Force-update translation after FreeIPA to IPA change: po/ipa.pot
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
70f4e7ab by Alexander Bokovoy at 2021-01-27T10:49:06+02:00
Force-update translation after FreeIPA to IPA change: po/ru.po
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
df79f2d2 by Alexander Bokovoy at 2021-01-27T10:49:06+02:00
Force-update translation after FreeIPA to IPA change: po/uk.po
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
75ef8afd by Alexander Bokovoy at 2021-01-27T10:49:06+02:00
Force-update translation after FreeIPA to IPA change: po/zh_CN.po
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
031c354e by Alexander Bokovoy at 2021-01-27T11:09:33+02:00
Update contributors list
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2c499e06 by Sergey Orlov at 2021-01-27T17:50:49+01:00
fix collecting log files which are symlinks
One of the files that are collected after each test is /etc/resolv.conf.
In Fedora 33 this file is actually a symlink. `tar` does not follow
symlinks by default which results in either a broken link in test
artifacts or a symlink pointing to local file on the tests controller
machine.
Fixed by instructing `tar` to resolve the symlinks, so that actual file
pointed by symlink is stored in test artifacts.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
693ac709 by Rob Crittenden at 2021-01-28T09:19:32+01:00
Report the NSS database directory if it cannot be opened
If the system lacks DBM support and an older database is
opened then an exception is raised. Include the directory in
the exception so it is clearer which database cannot be opened.
https://pagure.io/freeipa/issue/8675
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
43222cb8 by Rob Crittenden at 2021-01-28T09:19:32+01:00
Ignore database errors when trying to extract ipaCert on upgrade
If NSSDatabase() throws a ValueError it means we can't open it
to look for an existing ipaCert to migrate. Chances are there is
no certificate to migrate at this point in Fedora so don't let
it blow up the entire installation/upgrade. Warn the user and let
them figure it out.
We have no real path forward on this and by proceeding it could
lead to more errors (like no RA) but it is extremely unlikely and
would require a user to upgrade from very old Fedora to very
new Fedora in one step.
https://pagure.io/freeipa/issue/8675
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
296f27dc by Florence Blanc-Renaud at 2021-01-28T16:30:55+01:00
ipatests: fix incomplete nightly def in nightly_previous
The job definition for fedora-previous/test_installation_client
is missing the .py in the test file:
test_suite: test_integration/test_installation_client
should be instead:
test_suite: test_integration/test_installation_client.py
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
4a1cb7e7 by Sergey Orlov at 2021-01-29T16:50:43+01:00
ipatests: rewrite test for requests routing to subordinate suffixes
The original test had some issues:
* it was doing many actions not related to the tested issue which obscured
actual test scenario
* subordinate suffix was hard coded in the test which prevented the test
from checking original issue in case AD domain name did not match this
hard coded value
* Invocation of commands on AD controller was failing in some environments
Other improvements:
* added docstring with test details
* added guard assertions for test preliminary conditions
Related to https://pagure.io/freeipa/issue/8554
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bd7214b9 by Rob Crittenden at 2021-01-29T18:06:15+01:00
ipatests: Update NSSDatabase DBM test on non-DBM-capable installs
The string was updated to include the directory the for the database
but this was not reflected in the test and not picked up because
the tests were executed on Fedora 32 which supports dbm so the
test wasn't executed.
https://pagure.io/freeipa/issue/8675
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
24a5d4d0 by Christian Heimes at 2021-01-29T13:36:41-05:00
Ensure that KDC cert has SAN DNS entry
The dns parameter of request_and_wait_for_cert() must be a string of
hostnames.
* Enforce list/tuple type so that API misuse no longer passes silently.
* Add commonNameToSANDefaultImpl to KDCs_PKINIT_Certs profile
* Explicitly pass hostname for service certs
Fixes: https://pagure.io/freeipa/issue/8685
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
98a88bd7 by Christian Heimes at 2021-01-29T13:37:36-05:00
Fix cert_request for KDC cert
ca_kdc_check() expects an API object, not an LDAP connection. Issue was
introduced in commit 8f4abf7bc1607fc44f528b8a443b69cb82269e69.
See: https://pagure.io/freeipa/issue/6739
Fixes: https://pagure.io/freeipa/issue/8686
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
75c1b7ed by Rob Crittenden at 2021-02-01T10:35:16-05:00
Provide more detailed logging around memory detection
This should make it easier to troubleshoot low memory installation
failures from the logs.
https://pagure.io/freeipa/issue/8404
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
43f344b9 by Rob Crittenden at 2021-02-01T10:37:17-05:00
Only build the UI with uglifyjs on RHEL 8
The previous expression tested for RHEL or RHEL-like
systems to use uglifyjs. Tighten that up to only RHEL 8
so future RHEL can use rjsmin.
https://pagure.io/freeipa/issue/8669
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
f621d607 by Mohammad Rizwan at 2021-02-01T10:38:30-05:00
Revert "ipatests: Test if server setup without dns uninstall properly"
This reverts commit 69d480003bc6a7c75280c3c1a5e30cd252edcaec.
this test will be moved to existing test_uninstallation.py file
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
776d575c by Mohammad Rizwan at 2021-02-01T10:38:30-05:00
Revert "ipatests: Add test_uninstall.py to nightly definitions"
This reverts commit 74b4d7e4df3b5406bc62ed1663318430e1739d1c.
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
3a584803 by Mohammad Rizwan at 2021-02-01T10:38:30-05:00
ipatests: Test if server setup without dns uninstall properly
IPA server uninstall was failing if dns was not setup.
This test check if it uninstalls propelry.
related: https://pagure.io/freeipa/issue/8630
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
578e4df6 by Alexander Bokovoy at 2021-02-02T09:41:00+02:00
ipa-sam: return NetBIOS domain name instead of DNS one
[MS-NRPC] section 2.2.1.4.11 requires that the structure
NETLOGON_VALIDATION_SAM_INFO has the same values as defined in the
KERB_VALIDATION_INFO structure from [MS-PAC] section 2.5.
Samba's netr_SamBaseInfo.domain_name corresponds to
KERB_VALIDATION_INFO.LogonDomainName and must be a NetBIOS name of the
domain, not a DNS one.
Failure to provide NetBIOS name here actually breaks
netr_LogonSamLogonEx call issued by IPA-enrolled Samba domain member
which is confused by the returned value:
[2021/01/30 16:36:36.636010, 0, pid=1633, effective(0, 0), real(0, 0), class=winbind]
../../source3/winbindd/winbindd_util.c: 175(add_trusted_domain)
add_trusted_domain: SID [S-1-5-21-3342930694-1632731913-1318603033]
already used by domain [INTERNAL], expected [internal.example.test]
[2021/01/30 16:36:36.636050, 10, pid=1633, effective(0, 0), real(0, 0), class=winbind]
../../source3/winbindd/winbindd_util.c:362(add_trusted_domain_from_auth)
add_trusted_domain_from_auth: Adding domain [internal.example.test]
with sid [S-1-5-21-3342930694-1632731913-1318603033] failed
[2021/01/30 16:36:36.636060, 0, pid=1633, effective(0, 0), real(0, 0), class=winbind]
../../source3/winbindd/winbindd_pam_auth_crap.c:169(winbindd_pam_auth_crap_done)
winbindd_pam_auth_crap_done: add_trusted_domain_from_auth failed
[2021/01/30 16:36:36.636079, 10, pid=1633, effective(0, 0), real(0, 0), class=winbind]
../../source3/winbindd/winbindd.c:814(process_request_done)
process_request_done: [smbd(1650):PAM_AUTH_CRAP]: NT_STATUS_LOGON_FAILURE
Fixes: https://pagure.io/freeipa/issue/8636
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
- - - - -
7363c4b2 by Sergey Orlov at 2021-02-03T09:06:12+02:00
ipatests: add a tests-oriented wrapper for pexpect module
The pexpect module can be used for controlling and testing interactive
command-line programs. The wrapper adds testing-oriented features like
logging and automatic process termination and default check for process
exit status.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1b252706 by Sergey Orlov at 2021-02-03T09:06:12+02:00
ipatests: use pexpect to invoke ktutil
`ktutil` is a REPL-style utility that can be controlled only interactively.
The common approach of sending commands to stdin does not work with it on
systems where `readline` library has version less then 8.0 due to a bug
in that version.
With `pexpect` we avoid this bug because it emulates the terminal
when interacting with spawned process instead of simply sending all input
to stdin.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
caeed7e2 by Sergey Orlov at 2021-02-03T09:06:12+02:00
ipatests: use pexpect to control inetractive session of ipa-adtrust-install
During interactive session of `ipa-adtrust-install` the user needs to
answer several questions. This was done by sending all answers to
the processes stdin without analyzing the questions.
If the installation scenario changes at some point we can get on of the
following results:
* the test fails in the end and the root cause is not obvious
* if a new question was added
* test does not fail but answers are provided for wrong questions -
in this case scope of test case changes without being noticed
If we use `pexpect` for controlling the session, the test will fail
immediately when it encounters unexpected question.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3231c6fc by Alexander Bokovoy at 2021-02-03T14:21:31-05:00
client: synchronize ignored return codes with ipa-rmkeytab
Refactoring ipa-rmkeytab with commit
f3f9672d527008dc741ac90aa465bac842eea08d led to new error code 7 when
MIT Kerberos fails to iterate through the keys. It appears now in places
where in past error code 3 was returned.
Related: https://pagure.io/freeipa/issue/8658
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
62521edc by Rob Crittenden at 2021-02-04T01:29:53+01:00
Change CA profile migration message from info to debug
This is an informational message and clutters the installation
screen with no end-user benefit. Logging it as debug is
sufficient to know what is going on.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
daf2ca3e by Rob Crittenden at 2021-02-04T01:29:53+01:00
Use the new API introduced in PKI 10.8
https://www.dogtagpki.org/wiki/PKI_10.8_Python_Changes
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
928ab51b by Rob Crittenden at 2021-02-04T01:29:53+01:00
ipactl: support script status 3, program is not running
Return status 3 if ipactl status can't start 389-ds or if
any of the expected services is not running.
https://pagure.io/freeipa/issue/8588
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
1870c933 by Rob Crittenden at 2021-02-04T01:29:53+01:00
Ensure IPA is running (ideally) before uninstalling the KRA
The KRA attempts to unregister itself from the security domain
which requires that IPA be running for this to succeed.
1. Move the KRA uninstall call prior to stopping all IPA
services
2. Try to start IPA if it isn't running and a KRA is configured
It isn't mandatory that IPA be running for the KRA uninstall to
succeed but it will suppress a pretty scary backtrace and error
message.
https://pagure.io/freeipa/issue/8550
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ed217871 by Rob Crittenden at 2021-02-04T01:29:53+01:00
Add exit status to the ipactl man page
The existing return codes were undocumented but basically
followed the LSB. Document those along with the new
options for status.
https://pagure.io/freeipa/issue/8550
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
8082a2d9 by Rob Crittenden at 2021-02-04T01:29:53+01:00
ipatests: Handle non-zero return code in test_ipactl_scenario_check
https://pagure.io/freeipa/issue/8550
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d0269f23 by Michal Polovka at 2021-02-04T13:23:19+01:00
test_webui: test_hostgroup: Wait for modal dialog to appear
Modal dialog transition is currently set to 300ms, we have to wait
for it to appear in order to interact with it. Double that time is a
safe value.
Resolves: https://pagure.io/freeipa/issue/8684
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
d6ccb9b5 by Antonio Torres at 2021-02-04T14:19:16+01:00
Update samba configuration on IPA master to explicitly use 'server role' setting
The default for this setting is 'auto', which may affect
IPA Samba configuration on future Samba versions. By explicitly
setting this parameter in the template, future manual
intervention is prevented.
Fixes: https://pagure.io/freeipa/issue/8452
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
cdfc8636 by Florence Blanc-Renaud at 2021-02-04T14:20:59+01:00
dnssec: fix the key type with OpenDNSSEC 2.1
The database storing the keys with OpenDNSSEC 2.1 has a
different schema from OpenDNSSEC 1.4, and the keytype
(ZSK, KSK) is stored in a different table column: "role"
instead of "keytype".
With OpenDNSSEC 1.4, keytype can be 256 (ZSK) or 257 (KSK), while
with OpenDNSSEC 2.1, role can be 1 (KSK) or 2 (ZSK).
The schema migration can be seen in opendnssec source code:
enforcer/utils/1.4-2.0_db_convert/sqlite_convert.sql
INSERT INTO hsmKey
SELECT DISTINCT REMOTE.keypairs.id, 1, REMOTE.keypairs.policy_id,
REMOTE.keypairs.HSMkey_id, 2, REMOTE.keypairs.size,
REMOTE.keypairs.algorithm, (~(REMOTE.dnsseckeys.keytype)&1)+1,
CASE WHEN REMOTE.keypairs.generate IS NOT NULL THEN
strftime('%s', REMOTE.keypairs.generate)
ELSE strftime("%s", "now") END,
0,
1, --only RSA supported
REMOTE.securitymodules.name,
0 --assume no backup
FROM REMOTE.keypairs
JOIN REMOTE.dnsseckeys
ON REMOTE.keypairs.id = REMOTE.dnsseckeys.keypair_id
JOIN REMOTE.securitymodules
ON REMOTE.securitymodules.id = REMOTE.keypairs.securitymodule_id;
and the schema for the table is defined in enforcer/src/db/kasp.sqlite:
CREATE TABLE HsmKey (
locator VARCHAR(255) NOT NULL,
candidate_for_sharing TINYINT UNSIGNED DEFAULT 0,
bits INT UNSIGNED DEFAULT 2048,
policy VARCHAR(255) DEFAULT 'default',
algorithm INT UNSIGNED DEFAULT 1,
role VARCHAR(3) DEFAULT 'ZSK',
inception INT UNSIGNED,
isrevoked TINYINT UNSIGNED DEFAULT 0,
key_type VARCHAR(255),
repository VARCHAR(255),
backmeup TINYINT UNSIGNED DEFAULT 0,
backedup TINYINT UNSIGNED DEFAULT 0,
requirebackup TINYINT UNSIGNED DEFAULT 0,
id INTEGER PRIMARY KEY AUTOINCREMENT
);
Fixes: https://pagure.io/freeipa/issue/8647
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7902c784 by Florence Blanc-Renaud at 2021-02-04T14:20:59+01:00
ipatests: add a test for ZSK/KSK keytype in DNSKEY record
When DNS is enabled for a zone, 2 DNSKEYs should be created:
one KSK and one ZSK.
Add a test ensuring that they can be queried on the master and
the replica.
Related: https://pagure.io/freeipa/issue/8647
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ca17a81a by Florence Blanc-Renaud at 2021-02-04T14:20:59+01:00
OpenDNSSEC: fix timezone in key creation date
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fcfefe0a by François Cami at 2021-02-04T14:28:45+01:00
freeipa.spec: client: depend on libsss_sudo and sudo
On 10.10+ releases of Dogtag, the PKI installer will not depend
on sudo anymore. This opens the possibility of creating IPA servers
without a properly configured sudo.
In fact, even IPA clients should have sudo and libsss_sudo installed
in most cases, so add a weak dependency on both of them to the client
subpackage.
Also make sure libsss_sudo is installed if sudo is present.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
a912bbbe by François Cami at 2021-02-04T14:28:45+01:00
ipa-client-install: output a warning if sudo is not present
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
ed8a9e4e by François Cami at 2021-02-04T14:28:45+01:00
ipatests: tasks: handle uninstalling packages with nodeps
Handle package removal without taking dependencies into account.
E.g. add frontends for rpm -e --nodeps.
Related: ipatests/pytest_ipa/integration/tasks.py
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
82216bfa by François Cami at 2021-02-04T14:28:45+01:00
ipatests: add TestInstallWithoutSudo
Test IPA servers and clients behavior when sudo is not installed.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
27ae8a93 by Florence Blanc-Renaud at 2021-02-05T15:39:07+01:00
ipatests: fix ipahealthcheck fixture _modify_permission
The test is storing the initial file permissions obtained with 'stat',
then modifies them, calls ipa-healthcheck and reverts the permissions
to the original value.
When the file is a symlink, stat returns the permissions of the link,
not of the pointed-to file. But chmod modifies the permissions of the
pointed-to file, not of the link.
As a consequence, the fixture does not properly restore the original
file permissions.
The fix consists in calling 'stat -L' because the command follows
links.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
610d542c by Florence Blanc-Renaud at 2021-02-08T09:55:01+01:00
ipatests: ipactl status now exits with 3 when a service is stopped
Some tests are individually stopping a service and call
ipactl status to ensure it is stopped. They need to use
run_command with raiseonerr=False as ipactl status now
exits with 3 when one of the IPA services is down
(since commit 928ab51).
Related: https://pagure.io/freeipa/issue/8588
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
5ca91894 by Christian Heimes at 2021-02-09T09:47:00-05:00
configure: ipaplatform falls back to ID_LIKE
The auto-detection code for IPAPLATFORM now falls back to ID_LIKE.
CentOS platform will now be treated as rhel-like, Ubuntu platforms as
debian-like automatically.
Fixes: https://pagure.io/freeipa/issue/8689
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bf065798 by Rob Crittenden at 2021-02-09T09:49:22-05:00
Add RHEL 9 UI branding patch reference
The UI in RHEL has a different set of logos and different
background colors. Some direct adjustments were made that
are not buildable so apply them as a patch.
https://pagure.io/freeipa/issue/8669
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
46b0746f by Alexander Bokovoy at 2021-02-11T09:09:46+01:00
test_installutils: run gpg-agent under a specific SELinux context
system_u:system_r:init_t:s0 cannot execute gpg=agent when SELinux is in
enforcing mode. Use SELinux context that allows this execution:
system_u:system_r:initrc_t:s0 and wrap the whole execution into a bash
run to make sure init_t -> initrc_t transition.
Fixes: https://pagure.io/freeipa/issue/8699
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ec6698f0 by Florence Blanc-Renaud at 2021-02-12T17:49:02+01:00
cert plugin: propagate the error for non-existent cert
ipa cert-show, ipa cert-revoke and ipa cert-remove-hold do not
print meaningful info when called on a non-existent cert id:
Certificate operation cannot be completed: Unable to communicate
with CMS
Propagate the reason from the HTTP message in order to print
'Certificate ID 0x.. not found'
Fixes: https://pagure.io/freeipa/issue/8704
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4672d61c by Florence Blanc-Renaud at 2021-02-12T17:49:02+01:00
xmlrpc tests: add a test for cert-remove-hold
Add tests for the ipa cert-remove-hold command.
Scenario 1:
add host entry, request cert, revoke cert with "hold" reason, remove hold
Scenario 2:
call ipa cert-move-hold with a non-existent cert ID and ensure that
the exception mentions 'Certificate ID .. not found'
Related: https://pagure.io/freeipa/issue/8704
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9b8810c8 by Antonio Torres at 2021-02-12T12:50:08-05:00
WebUI: change FreeIPA naming to IPA in About dialog
As part of the effort for reducing differences between
upstream and downstream releases, product naming in WebUI
About dialog is changed from FreeIPA to IPA.
Related: https://pagure.io/freeipa/issue/8669
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5d8cb1dd by Antonio Torres at 2021-02-12T14:08:11-05:00
ipa-cacert-manage: add prune option
Add prune option to ipa-cacert-manage, allowing
to remove all expired certificates from the certificate store.
Related: https://pagure.io/freeipa/issue/7404
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8a2e6ec3 by Antonio Torres at 2021-02-12T14:08:11-05:00
ipatests: add test for ipa-cacert-manage prune
Add test for prune option of ipa-cacert-manage.
After a certificate is installed, a jump in time
is performed to a date where the certificate is expired,
and then it is pruned.
Related: https://pagure.io/freeipa/issue/7404
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3e33e546 by Stanislav Levin at 2021-02-15T09:54:51+02:00
Azure: Populate containers with self-AAAA records
IPA server's AAAA records at embedded DNS mode depend on result of
`get_server_ip_address` function(`ipaserver.install.installutils`),
which in turn, relies on NSS.
In case of Azure Pipelines, there are neither IPv6 records in
'/etc/hosts' nor external DNS, which may provide such. This leads to
the missing AAAA records for master and missing AAAA records for `ipa-ca`
pointing to master in embedded DNS.
In particular, tests `test_ipa_healthcheck_no_errors`,
`test_ipa_dns_systemrecords_check` fail with:
```
[
{
"source": "ipahealthcheck.ipa.idns",
"check": "IPADNSSystemRecordsCheck",
"result": "WARNING",
"uuid": "b979a88a-6373-4990-bc83-ce724e9730b4",
"when": "20210120055054Z",
"duration": "0.032740",
"kw": {
"msg": "Got {count} ipa-ca AAAA records, expected {expected}",
"count": 1,
"expected": 2
}
}
]
```
where `ipa-ca` record exists only for replica.
Note: since the most of the code in setup_containers was touched it has
been reformatted.
Fixes: https://pagure.io/freeipa/issue/8683
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
596bb320 by Stanislav Levin at 2021-02-15T09:54:51+02:00
ipatests: Handle AAAA records in test_ipa_dns_systemrecords_check
This test assumes that the current environment has only IPv4, but
for example, Azure Pipelines provides both IPv4 and IPv6.
Fixes: https://pagure.io/freeipa/issue/8683
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
778ef959 by Stanislav Levin at 2021-02-15T09:54:51+02:00
rpm-spec: Require crypto-policies-scripts
`update-crypto-policies` tool from RPM package `crypto-policies-scripts`
is required for tests.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d2d487bc by Rob Crittenden at 2021-02-15T09:57:07+02:00
Set the ACME baseURL in order to pin a client to a single IPA server
ACME uses nonce values to prevent replay attacks. Since the
ipa-ca name can go to any of the IPA servers in order to verify the
nonce the servers need to know the value that was set which
relies on replication. Sometimes the client is faster than
replication so a request can fail.
This change returns the baseURL to the client as the name of the
ACME server during discovery which should pin all requests to this
one IPA server and alleviate the replication issue.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
https://pagure.io/freeipa/issue/8712
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
b1e72cb1 by Rob Crittenden at 2021-02-15T09:57:07+02:00
Add versions to the ACME config templates and update on upgrade
Put the ACME config files under normal IPA versioning so we
can more seamlessly do updates to them.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
https://pagure.io/freeipa/issue/8712
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
3d2d0671 by Rob Crittenden at 2021-02-15T09:57:07+02:00
Add some logging around initial ACME deployment
>From the upgrade log it was not possible to see the current
state of ACME which makes troubleshooting difficult.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Related: https://pagure.io/freeipa/issue/8712
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
d6c5a926 by Antonio Torres at 2021-02-15T09:59:41+02:00
sudocmd: ensure command doesn't contain trailing dot before adding it
Trailing dots aren't permitted in sudo commands, as
enforced explicitly in `get_dn`. Performing this check
before adding the command prevents the user from
entering invalid commands, which would otherwise trigger
errors when accessing them afterwards.
RN: ipa sudocmd-* commands now validate SUDO command name to not end with a dot.
RN: Previously a trailing dot was stripped away in when addressing a SUDO command's LDAP object.
RN: As a result, a SUDO command was created but it was not possible to refer to it in other IPA commands.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1925410
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
89135830 by Antonio Torres at 2021-02-15T09:59:41+02:00
ipatests: test addition of invalid sudo command
Check that sudocmd-add fails when trying to add
a command containing a trailing dot.
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7d691f07 by Armando Neto at 2021-02-15T10:04:23+02:00
ipatests: Update PR-CI templates
Update "previous" and "latest" templates with updated dependencies.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
84f52ea8 by Thorsten Scherf at 2021-02-15T10:04:55+02:00
man: fix ipa-client-samba.1 typos
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
137b39cf by Florence Blanc-Renaud at 2021-02-15T15:22:19+02:00
ipatests: update expected error message
With commit ec6698f , the error message has changed from
Unable to communicate with CMS (503)
to
Request failed with status 503: Non-2xx response from CA REST API: 503. (503)
Related: https://pagure.io/freeipa/issue/8704
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
71047f68 by Rob Crittenden at 2021-02-15T17:13:53+02:00
Remove the option stop_certmonger from stop_tracking_*
This option was inconsistent between invocations and there is
no need to stop certmonger after stopping tracking. It was also
apparently causing dbus timeout errors, probably due to the amount
of work that certmonger does at startup.
https://pagure.io/freeipa/issue/8506
https://pagure.io/freeipa/issue/8533
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f2f8d46c by Alexander Bokovoy at 2021-02-15T20:33:38+02:00
po: update translations template
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7cfd44d3 by Rob Crittenden at 2021-02-18T16:41:03+01:00
ipa-cert-fix: Don't hardcode the NSS certificate nickname
The nickname of the 389-ds certificate was hardcoded as
Server-Cert which failed if the user had installed a
third-party certificate using ipa-server-certinstall.
Instead pull the nickname from the DS configuration and
retrieve it based on that.
https://pagure.io/freeipa/issue/8600
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
be4195cf by Rob Crittenden at 2021-02-18T16:41:03+01:00
ipatests: test third-party 389-ds cert with ipa-cert-fix
ipa-cert-fix was hardcoded to use Server-Cert as the nickname
so would fail if a third-party certificate was installed for DS.
https://pagure.io/freeipa/issue/8600
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
146db28e by Rob Crittenden at 2021-02-18T16:41:03+01:00
Set pki-core dependency to 10.3.3 for pki-server cert-fix bug
Related: https://github.com/dogtagpki/pki/issues/3387
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
dea2b8af by Rob Crittenden at 2021-02-18T16:41:03+01:00
Don't renew non-IPA issued certs in ipa-cert-fix
If the Apache, 389-ds or KDC certificate was issued by
a third party there is nothing we can do, regardless of
whether it is expired or not.
Report which certificates will not be renewed so the
admin can manually do do (likely in the event of a
third-party certificate).
https://pagure.io/freeipa/issue/8600
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ab13cf52 by Rob Crittenden at 2021-02-18T16:43:04+01:00
Remove a remaining file used with csrgen
This file was missed in the first pass to remove support for
csrgen.
This was never feature complete and currently has issues and
we lack the resources to maintain it.
Drop it for now. It can be revived from git history in the
future if we see the need.
https://pagure.io/freeipa/issue/8669
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
5e49910b by Kaleemullah Siddiqui at 2021-02-18T16:44:29+01:00
ipatests: error message check in uninstall log for KRA
This test checks that there is no error message in uninstall
log for KRA instance when IPA was installed with KRA.
related: https://pagure.io/freeipa/issue/8550
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ea58c757 by Rob Crittenden at 2021-02-18T16:52:05+01:00
Suppress error message if the CRL directory doesn't exist
If the CA fails to deploy then the CRL directory will not exist
but will report an error that it has failed to be removed.
There is no need to try to navigate a directory if it doesn't exist.
Related: https://pagure.io/freeipa/issue/8565
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c0e63429 by Rob Crittenden at 2021-02-18T16:52:05+01:00
Don't double-report any errors from pki-spawn failures
The output from pki-spawn is already displayed to the user
as well as a short traceback so re-displaying the CalledProcess
error provides no value and only provokes confusion,
particularly because it is condensed and includes embedded
newlines.
Re-raise the exception from None so that the traceback is
removed and while there is still an immense traceback from
the admintool class it is significantly shorter than before
and removes:
"During handling of the above exception, another exception occurred"
The handling is in fact expected.
This changes the user-facing installer output from:
[1/28]: configuring certificate server instance
Failed to configure CA instance: CalledProcessError(Command ['/usr/sbin/pkispawn', '-s', 'CA', '-f', '/tmp/tmpr5x2l0gm', '--debug'] returned non-zero exit status 1: 'INFO: Connecting to LDAP server at ldap://ipa.example.test:389\nINFO: Connecting to LDAP server at ldap://ipa.example.test:389\nDEBUG: Installing Maven dependencies: False\nERROR: KeyError: \'CA\'\n File "/usr/lib/python3.9/site-packages/pki/server/pkispawn.py", line 575, in main\n raise KeyError(\'CA\')\n\n')
See the installation logs and the following files/directories for more information:
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
to
[1/28]: configuring certificate server instance
Failed to configure CA instance
See the installation logs and the following files/directories for more information:
/var/log/pki/pki-tomcat
[error] RuntimeError: CA configuration failed.
CA configuration failed.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The output is similarly reduced in the installer log. There is no
reason to acknowledge that a CalledProcessError was raised since
the output is already available and it's just an intermediary.
Hopefully this will encourage users to focus on the logs rather than
the malformed traceback.
https://pagure.io/freeipa/issue/8565
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4d87982b by Sergey Orlov at 2021-02-19T13:31:28+01:00
ipatests: skip tests for AD trust with shared secret in FIPS mode
Related to https://pagure.io/freeipa/issue/8715
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
178dec8f by Florence Blanc-Renaud at 2021-02-22T16:18:11-05:00
pylint: fix inconsistent-return-statements
pylint 2.7.0 now emits inconsistent-return-statements if one of
try/except statement is not returning explicitly while the other do.
Fixes: https://pagure.io/freeipa/issue/8720
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f49c7daf by Mohammad Rizwan at 2021-02-23T13:25:26+01:00
ipatests: Test if ipa-cert-fix renews expired certs
Test moves system date to expire certs. Then calls ipa-cert-fix
to renew them. This certs include subsystem, audit-signing,
OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.
related: https://pagure.io/freeipa/issue/7885
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
f7ef6d5a by Mohammad Rizwan at 2021-02-23T13:25:26+01:00
Move fixture outside the class and add setup_kra capability
Moved fixture to use across multiple classes. Added capability
to install the KRA to the fixture
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
0904bb23 by Mohammad Rizwan at 2021-02-23T13:25:26+01:00
ipatests: Test if ipa-cert-fix renews expired certs with kra installed
This test check if ipa-cert-fix renews certs with kra
certificate installed.
related: https://pagure.io/freeipa/issue/7885
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
1197e2ef by Mohammad Rizwan at 2021-02-23T13:25:26+01:00
ipatests: update nightly definition for ipa_cert_fix suite
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
d11acaf4 by Troy Dawson at 2021-02-23T11:54:30-05:00
platform-python only on RHEL8
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f3cd85ea by Florence Blanc-Renaud at 2021-02-25T14:42:01+01:00
freeipa.spec: bump the required version of 389ds
In order to get the fix for sync_repl, the following versions
are required:
on fedora32: 1.4.3.19-1
on fedora33 and above: 1.4.4.12-1
on rhel 8.4: 1.4.3.16-11
Note: the fix is not available yet on fedora32 as the build has
been marked as obsolete due to a pkispawn regression
(https://github.com/dogtagpki/pki/issues/3458).
The version will need to be updated in a later commit.
Fixes: https://pagure.io/freeipa/issue/8496
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
04e57e6f by Antonio Torres at 2021-02-25T20:24:55+01:00
ipaserver: don't ignore zonemgr option on install
Fix zonemgr option in ipaserver install being
ignored because of an incorrect condition.
Fixes: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4fc1e15c by Antonio Torres at 2021-02-25T20:24:55+01:00
ipatests: check that zonemgr is set correctly during server install
Add test to check that zonemgr is correctly
set when installing IPA server.
Related: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
8c2c6f82 by Fraser Tweedale at 2021-03-01T11:23:35+11:00
ipa-cert-fix: improve handling of 'pki-server cert-fix' failure
'pki-server cert-fix' has a known and expected failure when the DS
certificate is expired. 'ipa-cert-fix' handles this by
optimistically ignoring the CalledProcessError and continuing when
the DS certificate was up for renewal.
This heuristic is a bit too optimistic. If 'pki-server cert-fix'
fails due and returns nonzero due to some other, more serious error
(as has been seen in the wild[1]), 'ipa-cert-fix' continues then
fails later with a more confusing error, for example:
[Errno 2] No such file or directory:
'/etc/pki/pki-tomcat/certs/27-renewed.crt'
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1930586
Improve the heuristic by also checking whether output files
corresponding ot all of the "extra" certificate that we asked
'ipa-cert-fix' to renew, do indeed exist and are X.509 certificates.
Fixes: https://pagure.io/freeipa/issue/8721
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
0b60408d by Sergey Orlov at 2021-03-01T12:55:58+01:00
ipatests: test Samba mount with NTLM authentication
Related to https://pagure.io/freeipa/issue/8636
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
47d49aa7 by Alexander Bokovoy at 2021-03-01T10:44:25-05:00
ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
Calling to ipadb_get_connection() will remove LDAP context if any error
happens. This means upper layers must always verify that LDAP context
exists after such calls.
ipadb_get_user_auth() may re-read global configuration and that may fail
and cause IPA context to have NULL LDAP context.
Fixes: https://pagure.io/freeipa/issue/8681
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1d2a14a2 by Alexander Bokovoy at 2021-03-01T10:44:25-05:00
ipa-kdb: fix compiler warnings
There are few fields in KDB structures that have 'conflicting' types but
need to be compared. They come from MIT Kerberos and we have no choice
here.
In the same way, SID structures have own requirements.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f996c21e by Alexander Bokovoy at 2021-03-01T10:44:25-05:00
ipa-kdb: add missing prototypes
On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings
about function prototypes missing. If -Werror is specified, this breaks
compilation.
We also default to -Werror=implicit-function-declaration
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3037de28 by Alexander Bokovoy at 2021-03-01T10:44:25-05:00
ipa-kdb: reformat ipa_kdb_certauth
Add prototype to the exported function
Replace few tabs by spaces and mark static code as static.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3fc75b15 by Alexander Bokovoy at 2021-03-01T10:44:25-05:00
ipa-kdb: mark test functions as static
No need to define missing prototypes to single use test functions.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5cd3944b by Florence Blanc-Renaud at 2021-03-02T11:47:09+01:00
ipatests: use whole date when calling journalctl --since
The test test_commands.py::TestIPACommand::test_ssh_key_connection
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.
The fix provides a complete date with year-month-day hours:min:sec.
Fixes: https://pagure.io/freeipa/issue/8728
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
4b2c50ae by François Cami at 2021-03-02T11:48:59+01:00
ipa-replica-manage: always display nsds5replicalastinitstatus
If nsds5replicalastinitstatus is none, the status is not displayed.
Always displaying the last init status is more useful to the end-user.
Related: https://pagure.io/freeipa/issue/8605
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
bc3906f9 by François Cami at 2021-03-02T11:48:59+01:00
ipa-replica-manage: handle missing attributes
If nsds5replicalastupdateend is not yet present,
ipa-replica-manage will backtrace as it tries to retrieve that
attribute unconditionally.
Gracefully handle that situation.
Fixes: https://pagure.io/freeipa/issue/8605
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
82e32433 by François Cami at 2021-03-02T11:48:59+01:00
ipalib/util.py: add print_replication_status
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
216720af by François Cami at 2021-03-02T11:48:59+01:00
ipa-csreplica-manage, ipa-replica-manage: refactor
Related: https://pagure.io/freeipa/issue/8605
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
271fd162 by Stanislav Levin at 2021-03-04T14:17:01+02:00
ccache_sweeper: Add gssproxy service
The usage of the existing gssproxy service(`service/ipa-api`) leads
to undesirable for this case side effects such as auto renew of
expired credentials.
Fixes: https://pagure.io/freeipa/issue/8735
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7972d282 by Stanislav Levin at 2021-03-04T14:17:01+02:00
cleanup: Drop never used path for httpd's ccache
`HTTP_CCACHE` path was introduced in [0], but hasn't been set as
gssproxy's cred_store option(`ccache`) and nowhere is really
used besides the removing of this not existed path. It is safe to
drop all referencies for `HTTP_CCACHE`.
As of 0.8.0[1] gssproxy uses `MEMORY` credentials type for cred_store
as default.
[0]: https://github.com/freeipa/freeipa/commit/d2f5fc304f1938d23171ae330fa20b213ceed54e
[1]: https://github.com/gssapi/gssproxy/commit/0e1b4a0c8400f1c9c6cc4915942a8df47e0c1410
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fe3c6657 by Sergey Orlov at 2021-03-04T18:47:32+01:00
ipatests: collect config files for NetworkManager and systemd-resolved
Those config files are valuable for debugging issues relate to DNS
resolvers.
Related to https://pagure.io/freeipa/issue/8703
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
2e92d083 by Sergey Orlov at 2021-03-04T18:47:32+01:00
ipatests: add utility for managing domain name resolvers
Many test scenarios need to configure resolvers on test machines. Most
notable patterns are:
* using IPA master as DNS resolver on clients and replicas
* intentionally breaking name resolution
Now it is done by directly editing /etc/resolv.conf file. While being
simple this approach has following issues:
* NetworkManager restores this file periodically and on specific events
* This is not how users are expected to manage resolvers on modern
systems with NetworkManager and systemd-resolved.
This patch introduces three classes for main types of resolvers management:
* plain file
* NetworkManager
* systemd-resolved
For each resolver manager the native way of configuring of nameserves is
used: direct editing for /etc/resolv.conf or drop-in config files for
NM and resolved.
The type of resolver is automatically detected for each host and an
appropriate instance is added to Host object.
The Resolver class (and it's subclasses) provide convenience functions
for changing nameservers and restoring the original config.
During all operations (backup, modify, restore) it checks that resolver
configuration has not been altered unexpectedly and raises exception if it
was. This helps to detect unexpected changes in resolvers.
Related to https://pagure.io/freeipa/issue/8703
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
cd066ba8 by Sergey Orlov at 2021-03-04T18:47:32+01:00
ipatests: setup resolvers during replica and client installations
Set IPA master as nameserver on replica and client machines during default
installation. This will help to avoid manual configuration in test cases
which require members of IPA domain to be resolvable.
Related to https://pagure.io/freeipa/issue/8703
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
01f455f4 by Sergey Orlov at 2021-03-04T18:47:32+01:00
ipatests: do not manually modify /etc/resolv.conf in tests
Related to https://pagure.io/freeipa/issue/8703
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
1853695d by Sergey Orlov at 2021-03-04T18:47:32+01:00
ipatests: disable systemd-resolved cache
systemd-resolved enables positive and negative cache by default which
affects test scenarios where dns records are being created and deleted and
then verified using any tools that utilize default system resolver
(i.e. `dig` or `curl`).
Related to https://pagure.io/freeipa/issue/8703
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
dc423661 by Sergey Orlov at 2021-03-04T18:47:32+01:00
ipatests: mock resolver factory
test_testconfig is using hardcoded hostnames which do not match ones
provided in real test config. This causes resolver factory to fail
when trying to detect resolver type of the host.
Related to https://pagure.io/freeipa/issue/8703
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4ad5ce7b by Sergey Orlov at 2021-03-04T18:47:32+01:00
ipatests: always try to create A records for hosts in IPA domain
Do not check that host is resolvable.
systemd-resolved creates synthetic records for hosts in /etc/hosts.
If test hosts are listed in /etc/hosts on controller, no A records will
be created.
Related to https://pagure.io/freeipa/issue/8703
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
881eea4e by Sergey Orlov at 2021-03-04T18:47:32+01:00
ipatests: do not configure nameserver when installing client and replica
When IPA master is installed without DNS, using it as nameserver creates
invalid configuration.
Related to https://pagure.io/freeipa/issue/8703
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
735355ad by Sudhir Menon at 2021-03-05T08:45:18+01:00
ipatests: Test to check sosreport collects healthcheck.log file
This test creates healthcheck.log file in /var/log/ipa/healthcheck/
directory if its not present and then checks that when sosreport command
is run it collects the healthcheck log file by checking the console log
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
87304c78 by François Cami at 2021-03-05T10:34:35+01:00
ipatests: fix nightly_latest_testing_selinux template
The TestInstallWithoutSudo entry referenced fedora-latest instead
of testing-fedora for its build dependency. Fix it.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
2c4a160f by Stanislav Levin at 2021-03-05T10:41:48+01:00
ipatests: Fix expectation about GSS error in test for healthcheck
As of 1.19.1 MIT krb changed the error returned if no valid
credentials could be obtained(GSS_S_CRED_UNAVAIL->GSS_S_NO_CRED).
To be compatible with previous versions of krb the new expected
error message has been added.
Fixes: https://pagure.io/freeipa/issue/8737
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
886c0dcb by Thorsten Scherf at 2021-03-08T08:31:41+01:00
Fix lgtm file classification
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a6b48713 by Armando Neto at 2021-03-09T12:46:21+01:00
ipatests: Update gating to Fedora 33
* Update template images to include updated packages
* Bump rawhide to use branched F34 template
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
3b1a56f5 by Florence Blanc-Renaud at 2021-03-09T16:52:38+01:00
dnssec: fix ipa-ods-exporter crash when master key missing
When a master key is missing from the local HSM, ipa-ods-exporter crashes..
This can happen when the DNSSEC master role is moved from one node to
another with the following scenario:
- install server1 with dns + dnssec
- install server2 without dns
- disable dnssec from server1
- install dns + dnssec on server2
With the above scenario, server2 never had the opportunity to get
the master key (this happens only when the replica is already
configured as DNS server and has put its public replica key in LDAP +
the current DNSSEC master wraps its master key with the replica key).
ipa-ods-exporter can only log an error instead of crashing.
Related: https://pagure.io/freeipa/issue/8654
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
73ced07e by Florence Blanc-Renaud at 2021-03-09T16:52:38+01:00
dnssec: concurrency issue when disabling old replica key
When dnssec role is removed from the local node, the uninstaller
creates a new replica key and marks the older replica keys as disabled
(both in the local HSM and in LDAP).
If ipa-ods-exporter runs in the middle of this operation, the old replica
key may be disabled in the local HSM but not yet in LDAP and
ipa-ods-exporter believes that it is a new replica key that needs to be
imported from LDAP to local hsm. The op fails as there is already the key
in the local HSM.
The error can be ignored, ipa-ods-exporter simply needs to log a warning.
Fixes: https://pagure.io/freeipa/issue/8654
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
886506f8 by Sergey Orlov at 2021-03-09T19:41:10+01:00
ipatests: use proper template for TestMaskInstall
TestMaskInstall is a usual integration tests and should
install freeipa server during test run.
"ipaserver" template provides pre-install freeipa server and
is intended for use with webui and xmlrpc tests.
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
fed2e399 by Alexander Bokovoy at 2021-03-10T09:28:18+02:00
freeipa.spec: synchronize with Fedora for 389-ds and PKI versions
- 389-ds fixes an information disclosure during unsuccessful LDAP BIND
operation, CVE-2020-35518, https://github.com/389ds/389-ds-base/issues/4609
- Dogtag PKI adopted to work with 389-ds with the fix,
https://github.com/dogtagpki/pki/issues/3458
FreeIPA needs to require new Dogtag and 389-ds versions on all Fedora
and RHEL versions.
RHEL 8 version is set to 1.4.3.16-12 which is the official build after
pki-core was fixed to work with the CVE fixes.
In order to avoid excessive %if/%endif conditionals in the spec file, I
have added a short Lua table with 389-ds versions for F32-33. F34 and
Rawhide will fallback to the same newer 389-ds 2.0.3 version. We do not
support building on F31 or older Fedora anymore as they are EOLed
already.
Fixes: https://pagure.io/freeipa/issue/8705
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
5a1f8e76 by Thorsten Scherf at 2021-03-10T09:30:26+02:00
Update 10-ssh-key-management.rst
Removing conclusion statement since we now have more than 10 units.
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
abaa614a by François Cami at 2021-03-16T08:44:03-04:00
ipa-client-install: output a warning if sudo is not present (2)
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
1ef54f2b by François Cami at 2021-03-16T08:44:03-04:00
ipatests: check for the "no sudo present" string absence
When sudo is installed, no warning should be output about sudo not
being available (obviously). Check that the relevant string is
not present.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
40aeec97 by Mohammad Rizwan at 2021-03-17T09:04:30+01:00
ipatests: introduce wait_for_replication in test_rolecheck_Trust
Test was randomly failing if the query for the server role is
executed before the replication had time to replicate the
changes on cn=adtrust agents,cn=sysaccounts,cn=etc,dc=ipa,dc=test,
as the server role is read using this entry.
related: https://pagure.io/freeipa/issue/8553
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
96a297f3 by Florence Blanc-Renaud at 2021-03-17T16:16:26+01:00
ipatests: add test_acme.py in nightly previous
The nightly_latest.yaml file is missing the test test_acme.py
Add the job definition.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6d39ef7d by Florence Blanc-Renaud at 2021-03-17T16:20:37+01:00
ipatests: filter_users belongs to nss section
In the test test_sssd.py::TestSSSDWithAdTrust::test_is_user_filtered
the config file sssd.conf is modified with a parameter
filter_users written in the [domain/..] section but
the parameter should appear in [nss] section instead.
Fixes: https://pagure.io/freeipa/issue/8747
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a9b4ed4f by Florence Blanc-Renaud at 2021-03-17T16:28:19+01:00
ipatests: re-add test_dnssec.py::TestInstallDNSSECFirst in gating
The test was temporarily removed because of a known issue
but the issue is now fixed.
Related: https://pagure.io/freeipa/issue/8496
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
fb107b91 by Florence Blanc-Renaud at 2021-03-17T16:28:19+01:00
ipatests: fix TestInstalDNSSECFirst::test_resolvconf logic
The test test_dnssec.py::TestInstallDNSSECFirst::test_resolvconf
checks that /etc/resolv.conf points to the localhost and
fails on fedora33 because systemd-resolved is in place
(and /etc/resolv.conf contains 127.0.0.53).
The test logic needs to be adapted. When systemd-resolved is
used, the test can check the output of "resolvectl dns".
Fixes: https://pagure.io/freeipa/issue/8695
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
38c897f9 by Sergey Orlov at 2021-03-18T13:41:49+01:00
ipatests: return result of kinit_as_user, pass raiseonerr parameter
Similar to kinit_admin, this allows to check for error values returned
by kinit.
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
40a686ca by Sergey Orlov at 2021-03-18T13:41:49+01:00
ipatests: add test for kdcproxy handling reply split to several TCP packets
This is a regression test for the bug in python-kdcproxy mentioned in
https://github.com/latchset/kdcproxy/pull/44
When the reply from AD is split into several TCP packets the kdc
proxy software cannot handle it and returns a false error message
indicating it cannot contact the KDC server.
This could be observed as login failures of AD user on IPA clients
when:
* IPA client was configured to use kdcproxy to communicate with AD
* kdcproxy used TCP to communicate with AD
* response from AD to kdcproxy was split into several packets
This patch also refactors and improves existing tests:
* switch to using pytest fixtures for test setup and cleanup steps to make
them isolated and reusable
* simulate a much more restricted network environment: instead of blocking
single 88 port we now block all outgoing traffic except few essential
ports
* add basic tests for using kdcproxy to communicate between IPA client
and AD DC.
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
76dd9a97 by Sergey Orlov at 2021-03-18T13:41:49+01:00
ipatests: update prci definitions for test_http_kdc_proxy
the new tests require an AD instance
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
4d716d3f by Antonio Torres at 2021-03-22T10:55:56-04:00
Extend logging to include execution time
Adding execution time in logs provides useful information
for identifying API operations that impact IPA performance.
Related: https://pagure.io/freeipa/issue/8759
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4769c15f by Jan Pazdziora at 2021-03-23T08:35:32+01:00
Avoid comparing 'max' with 'max\n'.
Fixes https://pagure.io/freeipa/issue/8764.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c572697d by Armando Neto at 2021-03-23T10:18:59+01:00
ipatests: Bump PR-CI Rawhide template
Template based on Fedora 35.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
19da4a76 by Mohammad Rizwan at 2021-03-23T15:57:51+01:00
ipatests: Enable certbot test on rhel
With this change, certbot test will be running on rhel.
certbot is not avilable on rhel through repository.
Plan is to install certbot using pip/epel on rhel and increase the
test coverage on rhel
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
8a715feb by Alexander Scheel at 2021-03-25T15:43:22+01:00
Handle multiple AJP adapters during upgrade
In this patch, we ensure we upgrade all AJP adapters with the same
secret value if any are missing. This ensures that both IPv4 and IPv6
adapters have the same secret value, so whichever httpd connects to
will be in sync. This is consistent with what Dogtag does when
provisioning them.
Notably missing from this patch is handling of multiple unrelated AJP
adapters. In an IPA scenario (and default PKI scenario) this shouldn't
be necessary. However, with external load balancing, this might happen.
This patch benefits IPA in the scenario when:
1. pkispawn runs on an older PKI version (pre-AJP secret, so ~8.2?)
2. pki gets upgraded to 10.10.1 before IPA can provision a secret,
resulting in split IPv4/IPv6 adapters -- this would only happen
on a direct migration from 8.2 -> 8.4
3. ipa upgrade script then runs to provision an AJP secret value for
use with both Dogtag and IPA.
Without this patch, only the first (IPv4) adapter would have a secret
value provisioned in the above scenario.
Signed-off-by: Alexander Scheel <ascheel at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
fd66a74a by Rob Crittenden at 2021-03-25T15:43:22+01:00
Allow overriding is_newer_tomcat_version()
This is needed so we can mock the DogtagInstance class
and have control over the version of tomcat.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
7ee30aa0 by Rob Crittenden at 2021-03-25T15:43:22+01:00
ipatests: Test secure_ajp_connector works with multiple connectors
There may be both IPv4 and IPv6 AJP connectors. Test that both
are upgraded with the new tomcat attribute and the passwords are
kept in sync.
The Apache password will be updated if needed elsewhere in the
upgrade process.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
34af8099 by Mohammad Rizwan at 2021-03-25T15:46:54+01:00
ipatests: Don't rely on certmonger's assigned request id
There are failure observed in test_rekey_keytype_DSA(test_cert.py)
It is due to the fact that there is no guarantee that the request id
will match the filename that certmonger assigns.
This fix assigns the request id with -I option to command (and make
use of existing fixture) and get the file name by grepping the
certmonger's directory with specified req id.
fixes: https://pagure.io/freeipa/issue/8725
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
fb58b76a by Rob Crittenden at 2021-03-26T10:54:08+01:00
Uninstall without starting the CA in cert expiration test
Some certificates may have started renewal so returning to
present time can bind the server up with trying to renew.
certmonger fires off helpers when it's time to renew
certificates. This scenario puts the time within the renewal
window. If certmonger notices while the test is running it
will kick off renewal for all 12 certificates.
A lock is used to serialize things. The CA was shut down prior
to changing time so there is no chance of issuing new certs.
A fixture was used to ensure that things restarted when
the test was over. This was for chronyd and the CA. By restarting
the CA we allow the chance that it will be able to do some
work, versus returning a connection error and letting
certmonger just error out (CA_UNREACHABLE).
During uninstallation we call certmonger remove_request over
DBus (the equivalent to stop-tracking). As part of this
certmonger waits for any child (helper) processes to go away.
This used to do it via SIGKILL but that caused other problems
so it was changed to waitpid(). We know that it isn't going to
return for a while because the CA isn't up. DBus has a
hardcoded 25 second timeout. So we're guaranteed to get a
DBus timeout. We *could* try to play with it and change the
timeout, or retry a bunch of times, but it isn't worth the
hassle.
This is a contrived scenario that uninstalls immediately after
tweaking time forward. So rather than trying to make this
succesful, uninstall at the future time with the CA stopped
so that helpers won't be hanging around and certmonger can
remove the certs.
This is the last test so also the last time we need the replica
so to avoid replication bogging things down remove that prior
to executing the test. It's one less moving part during the
uninstall phase.
https://pagure.io/freeipa/issue/8506
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
8c93e2fb by Rob Crittenden at 2021-03-26T10:54:08+01:00
Increase timeout for TestIpaHealthCheck to 5400s
During development of a fix to workaround certmonger effectivly
hanging server uninstallation the test was re-worked to force
uninstall during the test execution itself.
https://pagure.io/freeipa/issue/8506
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c2c533b7 by Florence Blanc-Renaud at 2021-03-29T10:03:21+03:00
Adapt redhat ipaplatform to RHEL9/ELN
On RHEL8, ipa is using named-pkcs11.service but RHEL9 is based on
fedora34 and uses named.service instead. There is already some support
for this distinction in ipaplatform, and the patch relies on the
specific settings that can be configured in ipaplatform/xx/services.py
and ipaplatform/xx/constants.py
On RHEL9 ipa also needs to define NAMED_OPENSSL_ENGINE for named
to use openssl's okcs11 engine.
Fixes: https://pagure.io/freeipa/issue/8753
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c8b5779e by Antonio Torres at 2021-03-29T10:06:07+03:00
Allow multiple permitopen/permitlisten in SSH keys
SSH keys allow to have multiple entries for
the permitopen and permitlisten options. Prior
to this change, only one of each could be configured.
Fixes: https://pagure.io/freeipa/issue/8423
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6cd544d3 by Antonio Torres at 2021-03-29T10:06:07+03:00
ipatests: add test for multiple permitopen entries in SSH keys
Add test to ensure that IPA allows to introduce multiple
permitopen and permitlisten entries.
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e820e2d1 by Antonio Torres at 2021-03-29T10:07:38+03:00
ipa passwd: make help for `--otp` option clearer
Update help for the `--otp` option in `ipa passwd`
to actually explain its usage.
Fixes: https://pagure.io/freeipa/issue/8244
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
c0216fb2 by Antonio Torres at 2021-03-29T10:09:22+03:00
Enhance error message when adding non-posix group with a GID
Enhance error message when adding non-posix group
with a GID so the user knows that a GID should not
be passed when adding a group with the --nonposix option.
Fixes: https://pagure.io/freeipa/issue/8155
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5984f144 by Antonio Torres at 2021-03-29T10:09:22+03:00
ipatests: add test for group creation with GID and nonposix option
Add test to ensure group creation fails when passing the --nonposix
option and a GID number at the same time. Failure shows a message
to warn the user that this is not allowed.
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
45de2d7f by Antonio Torres at 2021-03-29T10:11:56+03:00
Return nsaccountlock in user-add as boolean
The `nsaccountlock` attribute was being returned as a
list of string ("TRUE"/"FALSE") instead of a boolean.
Use the convert function used in `user-find` and `user-mod`
for consistency, since these commands return the parameter as a boolean.
Fixes: https://pagure.io/freeipa/issue/8743
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8caac841 by Antonio Torres at 2021-03-29T10:11:56+03:00
ipatests: expect boolean type for nsaccountlock in user module
user-add now returns the `nsaccountlock` parameter as
a boolean instead of as a list of string, meaning tests
have to be adapted to expect the correct type.
Related: https://pagure.io/freeipa/issue/8743
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7fc0c04d by Stanislav Levin at 2021-03-29T10:16:12+03:00
configure: Make rpmlint optional
Distributions may want to run comprehensive fastcheck or lint tasks,
but rpmlint tool is mandatory for these targets while some platforms
don't have it at all.
With this change the rpmlint becomes optional for fastcheck, devcheck
and lint make targets.
Note: rpmlint option is disabled by default.
To enable: ./configure --enable-rpmlint
To explicitly disable: ./configure --disable-rpmlint
Fixes: https://pagure.io/freeipa/issue/8768
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
83e16a4e by Stanislav Levin at 2021-03-29T10:16:12+03:00
Azure: Run rpmlint on Fedora
Template the autoconf phase.
Fixes: https://pagure.io/freeipa/issue/8768
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ae533e29 by Sergey Orlov at 2021-03-29T14:55:23+03:00
ipatests: allocate pseudo-terminal only for specific command
While "ktutil" does require a pseudo-terminal on particular systems to
operate, majority of programs do not need it.
At the same time invoking `ssh` with forced pseudo-terminal allocation
interferes with sessions multiplexing feature and increases connection
time. The increase can be as large as 10 seconds in certain cases which
leads to unexpected EOFs of pexpect utility.
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
947167d8 by Sergey Orlov at 2021-03-29T14:55:23+03:00
ipatests: log command spawned by pexpect
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ebf92857 by Florence Blanc-Renaud at 2021-03-30T07:39:47+02:00
ipatests: update expected message
The test TestIpaHealthCheck::test_ipahealthcheck_ds_riplugincheck
is expecting a specific message for the RIPluginCheck
but the message has been updated to fix
4656 - Remove problematic language from UI/CLI/lib389
("enable referint on all suppliers" instead of
"enable referint on all masters").
Shorten the expected msg so that it fits both situations.
Fixes: https://pagure.io/freeipa/issue/8779
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3ac2cdfd by Stanislav Levin at 2021-03-30T09:58:42+02:00
Azure: Make it possible to pass additional Pytest args
Some tests require its specific Pytest args. With this change
they can be specified in tests definitions.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
85c63fbe by Stanislav Levin at 2021-03-30T09:58:42+02:00
Azure: Show disk usage
Collect disk usage information may be helpful, for example, for
debugging code required free space such as healthcheck tests.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
908e8cf3 by Stanislav Levin at 2021-03-30T09:58:42+02:00
Azure: Template docs build
The distros may use different sphinx builder paths,
for example, by exporting of SPHINXBUILD env var.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5afe1379 by Stanislav Levin at 2021-03-30T09:58:42+02:00
Azure: Run chronyd in Docker
The syncing time stuff is required by IPA NTP tests.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
45d23810 by Stanislav Levin at 2021-03-30T09:58:42+02:00
Azure: Collect Host's systemd journal
The journal of Host is useful for AVC/SECCOMP analyzing.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5daa41fc by Stanislav Levin at 2021-03-30T09:58:42+02:00
Azure: Warn about Host's AVC and SECCOMP
Azure's VM distro is Ubuntu, which has enabled AppArmor.
This security module sometimes interferes with CI Docker containers,
but to be completely disabled it requires reboot(this is impossible,
at least for now). So, Azure will warn about AVC records in Host's
journal as a possible clue.
It will be equally important to be warned about SECCOMP records to
see possible blocked syscalls(requires SCMP_ACT_LOG as defaultAction in
seccomp profile).
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
72adb327 by Stanislav Levin at 2021-03-30T09:58:42+02:00
Azure: Disable AppArmor profile for chrony
The security option 'apparmor:unconfined' tells Docker to not
apply AppArmor profiles for containers at all. This will not
replace or remove any existing profile. For example, this happens
on Ubuntu 20.04 which switched to chrony and brings its AppArmor
profile. Container's chronyd get blocked by AppArmor:
fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=2 capname="dac_read_search"
fv-az26-252 audit[11304]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/chronyd" pid=11304 comm="chronyd" capability=1 capname="dac_override"
So, any of AppArmor profiles can block container's processes by
matching executable name. There are two ways:
1) prepare custom AppArmor unconfined profile, load it on Host and
reference it in container's configuration. This requires the
knowledge of profile syntax at least, not to difficult, but
potentially hard to maintain.
2) disable conflicting profile on Host;
Azure will warn about AVC in either case.
The second one was chosen as more simple.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
056c5116 by Stanislav Levin at 2021-03-30T09:58:42+02:00
Azure: Don't install pypi's docker
Ubuntu 20.04's docker meets the requirement(4+).
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
91e74523 by Stanislav Levin at 2021-03-30T09:58:42+02:00
pylint: Fix several warnings
Fixes Pylint warnings:
- R1729(use-a-generator)
- R1710(inconsistent-return-statements)
- R1727(condition-evals-to-constant)
Fixes: https://pagure.io/freeipa/issue/8772
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7855c77f by Stanislav Levin at 2021-03-30T09:58:42+02:00
Azure: Run Lint task as separate job
Lint task uses PyPI to get the latest Pylint, which may pull in
any other packages as dependencies. For distro isolation the Lint
job should not produce any meaningful artifacts or they should not
be used in subsequent jobs. So, this job have to be isolated from
the others.
Fixes: https://pagure.io/freeipa/issue/8772
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ffff9f8d by Antonio Torres at 2021-03-30T10:03:04+02:00
sudorule: reduce number of LDAP searches during modification
Combining the existence check with the sudoorder handling
allows to reduce the number of searches during a sudorule
modification by removing a call to sudorule-show.
Related: https://pagure.io/freeipa/issue/8780
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
68a5fe82 by Stanislav Levin at 2021-03-30T13:16:36+03:00
ipatests: Skip test_jsplugins in server less environments
This test assumes that IPA server is installed and configured.
But test_jsplugins is the subtask of fasttest which is designed
(unittest) to be run in server less environment.
Note: `needs_ipaapi` is not completely suitable because there is
no direct IPA API usage. `xmlrpc_setup` fixture is also not
suitable because it assumes XMLRPC.
Fixes: https://pagure.io/freeipa/issue/8781
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
44456b9a by Alexander Bokovoy at 2021-03-31T09:13:28+03:00
Update ipa.pot
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1f9194c6 by Alexander Bokovoy at 2021-03-31T09:15:47+03:00
Update list of contributors
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d832736f by Florence Blanc-Renaud at 2021-04-01T08:35:23+02:00
ipatests: collect PKI config files and NSSDB
To ease debugging, also collect:
- /etc/pki/pki-tomcat/server.xml
- /etc/pki/pki-tomcat/ca/CS.cfg
- /etc/pki/pki-tomcat/kra/CS.cfg
- /etc/pki/pki-tomcat/alias
- /etc/pki/pki-tomcat/alias/pwdfile.txt
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e86ff48b by Sudhir Menon at 2021-04-01T08:42:58+02:00
ipatests: Test to check ipa-healthcheck tool displays warning when run on ipa-client
The testcase checks that when ipa-healthcheck tool is run
on ipa-client it will display warning message "IPA is not configured"
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2c83b1e7 by Carl George at 2021-04-01T08:51:41-04:00
Also use uglifyjs on CentOS Stream 8
This conditional was recently changed to match VERSION_ID "8." to only
apply to RHEL 8 releases, but it should also match CentOS Stream 8 which
has VERSION_ID "8".
https://pagure.io/freeipa/c/43f344b931db3f72f50e1620443be9f21623e29a
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ef752bf2 by François Cami at 2021-04-01T18:21:55+02:00
ipatests: tasks.py: add wait_for_ipa_to_start
wait_for_ipa_to_start(host) waits for ipactl to return RUNNING for all
IPA services on the specified host.
Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
d02ec409 by François Cami at 2021-04-01T18:21:55+02:00
ipatests: tasks.py: add dns_update_system_records
Add a frontend to "ipa dns-update-system-records" to tasks.py.
Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
d5ee7528 by François Cami at 2021-04-01T18:21:55+02:00
ipatests: hiddenreplica: use wait_for_ipa_to_start after restore
Use wait_for_ipa_to_start to wait until the restored replica is online.
Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
acf31d04 by François Cami at 2021-04-01T18:21:55+02:00
ipatests: use wait_for_replication for hidden replica checks
Previously, hidden replica checks were run without waiting for replication
to complete, potentially leading to unstable behavior.
Use wait_for_replication.
Fixes: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
b9b7175d by François Cami at 2021-04-01T18:21:55+02:00
ipatests: hidden replica: use dns_update_system_records
Use dns_update_system_records after restoring the replica
to force-update the DNS records.
Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
4c7f148c by François Cami at 2021-04-01T18:21:55+02:00
ipatests: hidden replica: misc fixes
Rename a test and split a test in two.
Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
7eb50d4e by François Cami at 2021-04-01T18:21:55+02:00
ipatests: mark test_ipahealthcheck_hidden_replica as expected failure
test_ipahealthcheck_hidden_replica fails due to:
https://pagure.io/freeipa/issue/8582
Mark it as expected failure.
Related: https://pagure.io/freeipa/issue/8534
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
bd84796a by Florence Blanc-Renaud at 2021-04-06T08:40:00+02:00
Bumps openssl requires
openssl-1.1.1i introduced a regression preventing WebUI
login when the server is installed with --no-pkinit option.
On fedora 32/33/34/rawhide openssl-1.1.1k-1 is now available.
On RHEL8, openssl-1.1.1g is still shipped and doesn't have the
issue.
Fixes: https://pagure.io/freeipa/issue/8632
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e8e456e3 by Florence Blanc-Renaud at 2021-04-06T15:30:36+02:00
ipatests: TestIpaHealthCheck now needs 1 client
The test TestIpaHealthCheck has been updated with commit
e86ff48 and now needs 1 master, 1 replica and 1 client
in order to execute.
Update the nightly definitions accordingly.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
56639861 by Florence Blanc-Renaud at 2021-04-06T17:02:11-04:00
ipatests: call server-del before replica uninstall
The test test_replica_promotion.py::TestRenewalMaster::
test_automatic_renewal_master_transfer_ondelete is calling
ipa-server-install --uninstall directly without performing first
ipa server-del. This can lead to incomplete uninstallation and
test failures.
Call tasks.uninstall_replica instead of tasks.uninstall_master.
This is equivalent to ipa-replica-manage del + uninstall
(ipa-replica-manage del works in DL0 and DL1 and internally calls
ipa server-del in DL1).
Fixes: https://pagure.io/freeipa/issue/8792
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
931d92d3 by Christian Heimes at 2021-04-07T11:43:23+03:00
Better mod_wsgi configuration
* Remove WSGIImportScript
* Configure process-group in WSGIScriptAlias
* Run WSGI app in main interpreter of daemon script
See: https://github.com/GrahamDumpleton/mod_wsgi/issues/642#issuecomment-749498828
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
28326215 by Christian Heimes at 2021-04-07T11:43:23+03:00
Improve wsgi app loading
* move WSGI app code to main code base so it can be used with other
WSGI servers that expect a Python package.
* populate LDAP schema early to speed up first request by ~200ms
* gc.collect() and gc.freeze() to improve memory handling and GC
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
48ef179e by Alexander Bokovoy at 2021-04-13T15:51:33+02:00
ipaserver/install/dns: handle SERVFAIL when checking reverse zone
systemd-resolved in Fedora 34+ returns SERVFAIL for reverse zone that
does not yet exist when we attempt to look it up before installation.
Assume that this is OK -- we are going to create the zone ourselves
during installation.
Fixes: https://pagure.io/freeipa/issue/8794
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ec8d72cf by Florence Blanc-Renaud at 2021-04-15T15:41:39+02:00
client install: do not capture sudo -V stdout
ipa-client-install is checking if the sudo command is available
by calling 'sudo -V'. The call is currently using subprocess.popen
which redirects the output to the default stdout.
Use ipautil.run instead of subprocess.popen as this does not
capture stdout (the command output is just logged in the debug file).
Fixes: https://pagure.io/freeipa/issue/8767
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
058a9c01 by Florence Blanc-Renaud at 2021-04-15T15:41:39+02:00
ipatests: check that the output of sudo -V is not displayed
During client installation, the installer calls sudo -V
to check if sudo command is installed. The output must not
be displayed in stdout.
Related: https://pagure.io/freeipa/issue/8767
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a0d11517 by Michal Polovka at 2021-04-16T18:25:57+02:00
WebUI: test_user: test if user is enabled by default
Test checks if the user is enabled, able to reset their password and
authentication types in both CA and CA-less environment.
Related: https://pagure.io/freeipa/issue/8203
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
9cb65b4e by Rob Crittenden at 2021-04-16T14:47:48-04:00
Cache the value of ca_is_enabled in the request context
This may be called multiple times in a request and should
be impossible to change.
https://pagure.io/freeipa/issue/8797
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
a3b606c0 by Rob Crittenden at 2021-04-16T14:49:55-04:00
Add pkey_only to the service_find calls in host del and disable
The pkey of services is krbprincipalname. The host plugin passes
this full value to service_del and service_disable if the service
hostname matches the requested host.
This limits the amount of data and post-processing done
when host_del and host_disable call service_find. It also saves
a presence query for keytab in each service found.
https://pagure.io/freeipa/issue/8787
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
bf1f66c0 by Rob Crittenden at 2021-04-19T16:05:47+02:00
Retrieve the user objectclasses when checking for existence
This saves at least one search per user-mod because the current
set of objectclasses are verified to ensure they are complete
on each update.
So always retrieve them in get_either_dn(). They are used by
every call but there is negligible overhead in retrieving
this from LDAP.
https://pagure.io/freeipa/issue/8801
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a0509eb9 by Florence Blanc-Renaud at 2021-04-19T17:14:23+02:00
Design doc for idrange option "auto-private-groups"
Related: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3844f5b3 by Florence Blanc-Renaud at 2021-04-19T17:14:23+02:00
LDAP schema: new attribute ipaautoprivategroups
Add definition for a new attributeType: ipaautoprivategroups
Add the new attribute to ipaTrustedADDomainRange objectclass
as optional attribute
Related: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ba7ab24b by Florence Blanc-Renaud at 2021-04-19T17:14:23+02:00
Trust: add auto private groups option
Add a new option --auto-private-groups to the command
ipa idrange-add / ipa idrange-mod.
The option can take true/false/hybrid values.
Fixes: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f45a79a7 by Florence Blanc-Renaud at 2021-04-19T17:14:23+02:00
xmlrpc tests: add test for idrange auto-private-groups option
Scenarii:
- idrange-add prevents --auto-private-groups with a local id range
- idrange-mod prevents --auto-private-groups with a local id range
- auto-private-groups accepts only true/false/hybrid/empty values
Related: https://pagure.io/freeipa/issue/8807
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
09426f8e by Rob Crittenden at 2021-04-22T09:19:21+02:00
Add ability to search on certificate revocation status
This can be used to narrow the candidate list of
certificates when deleting objects like hosts and
service.
Related: https://pagure.io/freeipa/issue/7835
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
aa135038 by Rob Crittenden at 2021-04-22T09:19:21+02:00
Only request VALID certs when revoking certs for a host/service
This utilizes the new status option so that we only retrieve
VALID certificates when revoking certificates issued for a
specific host or service.
ae74d348c3da580264c56441c136af3fc6ae58df made a special case
in cert_find when searching for hosts and services so that if only
one host/service was searched on do a subject search. It only
works when there is exactly one option requested.
Since we want to restrict to only VALID certificates, pass
the hostname as subject directly when revoking certs when deleting
an entry to limit the number of certificates to consider.
https://pagure.io/freeipa/issue/7835
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
99e7ad0f by Mohammad Rizwan at 2021-04-22T09:22:46+02:00
ipatests: test to renew certs on replica using ipa-cert-fix
This test checks if ipa-cert-fix renews the certs on replica
after cert renewal on master.
related: https://pagure.io/freeipa/issue/7885
ipatests: refactor expire_cert_critical fixture
Defined method to move the date and refactor
expire_cert_critical fixture using it
ipatests: PEP8 fixes
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1cc26711 by Alexander Bokovoy at 2021-04-23T11:13:36+03:00
ipa-otpd: handle LDAP timeout in a better way
When LDAP server disconnects ipa-otpd client connection due to a
timeout, ipa-otpd instance would stop and report an issue. This confuses
systemd service reporting, so for these situations we better to shut
down gracefully.
Fixes: https://pagure.io/freeipa/issue/6587
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
- - - - -
1d80048e by Christian Heimes at 2021-04-23T17:57:50+02:00
Use PyCA crypto provider for KRAClient
The Dogtag KRA backend now uses CryptographyCryptoProvider instead of
NSSCryptoProvider for KRAClient connections. The
CryptographyCryptoProvider uses PyCA cryptography to provide wrapping
and unwrapping. The change will allow Dogtag to remove the
NSSCryptoProvider and drop python-nss as a dependency.
The code in ipaserver.plugins.dogtag creates a Certificate object to
work around a bug in Dogtag. Dogtag supports paths but passes the wrong
type to PyCA cryptography.
Fixes: https://pagure.io/freeipa/issue/8814
See: https://github.com/dogtagpki/pki/issues/3499
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
180af784 by Michal Polovka at 2021-04-24T10:20:51+02:00
WebUI: Handle assertion if multiple notifications are present
If multiple notifications of the same type are shown at the same
time, assertion works for only the first one. This change enables to
search for notification's content in all shown notifications.
Fixes: https://pagure.io/freeipa/issue/8641
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Serhii Tsymbaliuk <stsymbal at redhat.com>
- - - - -
bdb26968 by Stanislav Levin at 2021-04-27T13:28:42+02:00
pylint: Adapt to new Pylint 2.8
- globally ignore `consider-using-with`
- fix `consider-using-max-builtin`
- explicitly enable pylint on project configuration
- unpin Pylint
- added transformation for IntegrationTest attributes(will work
unless explicitly defined)
Fixes: https://pagure.io/freeipa/issue/8818
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
a297ebbb by Christian Heimes at 2021-04-27T13:10:26-04:00
Add max/min safe integer
JSON cannot safely handle integers outside range ``-(2**53) - 1`` to
``(2**53) - 1``. Add constants for safe integers and limit the Int
parameter to safe JSON values.
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/MAX_SAFE_INTEGER
See: https://pagure.io/freeipa/issue/8802
See: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
d2ca7915 by Mohammad Rizwan at 2021-04-30T11:02:44+02:00
ipatests: Test if ACME renews the issued cert with cerbot
This test is to check if ACME certificate renews upon
reaching expiry
related: https://pagure.io/freeipa/issue/4751
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
ipatests: remove skipif for minimum pki dependency
Remove skipif from ACME tests as required pki version
updated in freeipa.spec file (pki 10.10.5)
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
ipatests: move common code to separate method
Move the code from prepare_acme_client, TestACME/test_certbot_register
and TestACME/test_certbot_certonly_standalone to separate method so
that it can be re-used in TestACMERenew.
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
6d0d1c70 by Christian Heimes at 2021-05-03T09:16:14+02:00
Constrain pylint to supported versions
Two, three times a year PR-CI starts failing because tox tests pull in a
newer version of pylint with new warnings. To reduce breakage this
change constraints pylint (and indirectly astroid) to latest tested
minor version. The constraint should be updated when FreeIPA starts to
support a new Fedora version with more recent pylint.
Related: https://pagure.io/freeipa/issue/8818
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b8ebce7b by Michal Polovka at 2021-05-06T16:51:18+02:00
ipatests: test_installation: add install test scenarios
test_hostname_parameter: Test for issue 2692 ipa-server-install ignores --hostname:
check whether hostname provided in `--hostname` parameter is being taken into account and set as new hostname without prompting for it again
test_ad_subpackage_dependency: Test for issue 4011 ipa-server-install crashes when AD subpackage is not installed:
test if ipa-server installation succeeds without `freeipa-ipa-server-trust-ad` installed
test_backup_of_cs_cfg_should_be_created: Test for issue 4166 Backup CS.cfg before modifying it:
test if ipa-server installer backs up CS.cfg before modifying it
test_installer_wizard_should_prompt_for_DNS: Test for issue 2575 [RFE] Installer wizard should prompt for DNS:
test if installer is asking for DNS setup details if not provided as parameter
Related: https://pagure.io/freeipa/issue/2692
Related: https://pagure.io/freeipa/issue/4011
Related: https://pagure.io/freeipa/issue/4166
Related: https://pagure.io/freeipa/issue/2575
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2410fd25 by Stanislav Levin at 2021-05-06T11:05:14-04:00
pkispawn: Make timeout consistent with IPA's startup_timeout
This is the experimental fix to workaround the issue with
PKI on Azure Pipelines. PKI is the most sensitive to slow
systems(at least, appropriate delays and timeouts should be
adjusted for such).
Somehow Azure's test envs became slower then they were earlier
(for example, CA subsystem start changed
~(20-30)sec -> ~(45-60)sec). This triggered various issues with
subsystems of PKI in CI.
PKI honors `PKISPAWN_STARTUP_TIMEOUT_SECONDS` env variable (if
not set the timeout is 60sec) for pkispawn tool. The default
timeout is inconsistent with IPA's one (startup_timeout=120sec), which in
particular, is used in ipa-pki-wait-running tool).
Related: https://pagure.io/freeipa/issue/8830
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
5be6bfeb by Rob Crittenden at 2021-05-06T15:33:00-04:00
Parse Apache log etime and display average per command
Including execution time (etime) was added in commit
4d716d3fbc69760bc0f7bd1a7c83ab14f1a62f18
This is a parser that will collect API executions and
average them by command.
If > 5 requests of the same type then the fastest and slowest
results will be dropped to try to smooth the average.
These averages will be used for two purposes:
1. Identify potential bottlenecks in API performance
2. Provide a baseline so that future performance changes can be
measured.
It is included in contrib because this is not going to be shipped
with a distribution but is useful to have with the code.
A sample execution is:
Successful commands:
Mean user_show: 12234152.5 of 2 executions
Mean command_defaults: 3284363.0 of 3 executions
Mean user_add: 594369554.5 of 2 executions
Exceptions:
Mean user_del: 232540327 ns of 2 executions
The parselog command was successful
Times are in nanoseconds.
https://pagure.io/freeipa/issue/8809
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
d8f246d8 by Florence Blanc-Renaud at 2021-05-06T15:38:39-04:00
Spec file: bump augeas-libs version
Older augeas does not support new options provided by chrony:
sourcedir /run/chrony-dhcp
ntsdumpdir /var/lib/chrony
and is failing to update /etc/chrony.conf in ipa installer.
Bump augeas-libs version to require the fix:
1.12.0-6 on fedora 33+
1.12.0-3 otherwise
Fixes: https://pagure.io/freeipa/issue/8676
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
1a539984 by Antonio Torres at 2021-05-06T17:05:17-04:00
hbacrule: reduce number of LDAP searches during deletion
The `hbacrule` module performs a call to `selinuxusermap-find`
during entry deletion. This can be optimized by passing pkey_only=True
to the search, skipping the post-callback function. Passing the full
DN of the hbacrule and detecting it in the selinuxusermap find
also saves one call to hbacrule-show, further reducing the searches.
Related: https://pagure.io/freeipa/issue/8784
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8dac8ad8 by Rob Crittenden at 2021-05-12T08:59:03-04:00
Only attempt to upgrade ACME configuration files if deployed
This can happen on upgrades from older deployments that lack
an ACME installation and don't meet the minimum requirements
to deploy one automatically.
Also don't consider missing ACME schema a total failure, just
log and skip it.
https://pagure.io/freeipa/issue/8832
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
d1f3ff55 by Rob Crittenden at 2021-05-12T10:45:57-04:00
Call the LDAPClient layer when modifying values
For add/remove member and remove_principal the LDAP connection
was being used directly, bypassing the LDAPClient overlay.
Related: https://pagure.io/freeipa/issue/8798
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
8365d5e7 by Rob Crittenden at 2021-05-12T10:45:57-04:00
Unify installer context to be 'installer'
'install' was being used in some places.
The context can be used to limit what configuration is
used for a given request so having consistency is
valuable.
This affected the force_schema_updates value in LDAPClient
which looks for api.env.context in ('installer', 'updates')
Related: https://pagure.io/freeipa/issue/8798
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
a4675f6f by Rob Crittenden at 2021-05-12T10:45:57-04:00
Implement simple LDAP cache layer
Insert a class before LDAPClient to cache the return value
of get_entry() and certain exceptions (NotFound and
EmptyResult). The cache uses an OrderedDict for the cases
where a large cache might result an LRU model can be used.
The cache be enabled (default) or disabled using
ldap_cache=True/False.
This cache is per-request so is not expected to grow
particularly large except in the case of a large batch
command.
The key to the cache entry is the dn of the object
being requested.
Any write to or referencing a cached dn is evicted from
the cache.
The set of attributes is somewhat taken into consideration.
"*" does not always match everything being asked for by
a plugin so unless the requested set of attributes is a
direct subset of what is cached it will be re-fetched. Err
on the side of safety.
Despite this rather conserative approach to caching 29%
of queries are saved with ipatests/xmlrpc_tests/*
https://pagure.io/freeipa/issue/8798
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
3539857e by Rob Crittenden at 2021-05-12T10:45:57-04:00
Add LDAP cache options to the default.conf man page
https://pagure.io/freeipa/issue/8798
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
8d21df93 by Rob Crittenden at 2021-05-12T10:45:57-04:00
Add a unit test for the LDAP cache layer
This mostly confirms that when an entry is added, modified or
deleted it is expunged from the cache.
https://pagure.io/freeipa/issue/8798
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
1e9a238f by Rob Crittenden at 2021-05-12T10:45:57-04:00
Parse the debugging cache log to determine the read savings
Read the FINAL lines from the Apache error log, optionally from
a start time, and calculate the total cache hits and misses and
calculate the average read savings.
https://pagure.io/freeipa/issue/8798
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
45d9a66f by Christian Heimes at 2021-05-12T13:29:31-04:00
Fix update_dna_shared_config to wait for both entries
update_dna_shared_config plugin now waits for presence of both
``dnaHostname=fqdn+dnaPortNum=0`` and
``dnaHostname=fqdn+dnaPortNum=389`` entries before it updates the
entries.
The commit also refactors the code of update_dna_shared_config for
subordinate id support.
Fixes: https://pagure.io/freeipa/issue/8831
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5c92a718 by Christian Heimes at 2021-05-12T13:29:31-04:00
Move constants, document timeout loop
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4484762f by Armando Neto at 2021-05-12T15:21:22-03:00
ipatests: Bump PR-CI templates to Fedora 34
Move 'latest' to Fedora 34 and 'previous' Fedora 33 for nightly runs.
Keep gating on Fedora 33 for now.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
47d0ef40 by Sergey Orlov at 2021-05-13T10:44:36+03:00
ipatests: increase timeout for test_commands up to 1.5 hours
Normally it takes 50 minutes for test_commands test suite
to complete. But due to fluctuations in virtualized environment
sometimes it exceeds 60 minutes which produces random failures
in nightly runs.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
41481677 by MIZUTA Takeshi at 2021-05-18T14:59:10+02:00
man: fix typos in ipa-epn.1
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
6ed80ee1 by MIZUTA Takeshi at 2021-05-18T15:01:36+02:00
Add -d option to match in the ipa-client-samba usage and man-page
The ipa-client-samba man-page describes the -d option, but the -d option cannot actually be used.
Fix ipa-client-samba to enable the -d option.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e357153e by MIZUTA Takeshi at 2021-05-18T15:02:59+02:00
Fix the option to match in the ipa-client-automount usage and man-page
The command usage and man-page options may not match.
In ipa-client-automount, fix to match usage and man-page.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9ec73436 by MIZUTA Takeshi at 2021-05-18T15:14:14+02:00
Add arguments to the description of OPTIONS in ipa-winsync-migrate.1
ipa-winsync-migrate.1 has an explanation of options, but no arguments.
Therefore, add the arguments for --realm and --server.
Also, add a short option -U for --unattended.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b01547da by Rob Crittenden at 2021-05-18T15:19:00+02:00
Load dogtag RA plugin in installers so profiles can be loaded
In order to call import_included_profiles the dogtag RA plugin
needs to have been loaded. Modify the requirements to also allow
the installer context along with the ra_plugin value.
This lets us add missing profiles during a replica installation.
This is needed for ACME when installing a new replica in a
cluster of older servers that don't have support for ACME.
https://pagure.io/freeipa/issue/8738
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
120983bb by MIZUTA Takeshi at 2021-05-20T14:19:22+02:00
Add argument for --schema-file option in ipa-ldap-updater.1
There are no arguments in the --schema-file option,
but the Schema file in LDIF format must actually be specified.
Therefore, add FILE.ldif as an argument
In addition, the --schema option no longer exists, so remove the description.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
5b87f587 by MIZUTA Takeshi at 2021-05-20T14:43:38-04:00
Add argument for --entry option in ipa-managed-entries.1
There are no arguments in the --entry option,
but DN for the managed entry definition must actually be specified.
Therefore, add MANAGED_ENTRY as an argument.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
64d6c6cc by MIZUTA Takeshi at 2021-05-20T14:45:27-04:00
Remove -s option from ipa-ldap-updater usage
The -s option no longer exists, so remove it from the command usage.
Also, due to this fix, E128 occurred in pycodestyle, so the coding style was changed.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c5e82740 by Rob Crittenden at 2021-05-20T16:11:01-04:00
Revert "Only request VALID certs when revoking certs for a host/service"
This reverts commit aa1350384ad6a7d6b2f6056d99fbb43c5c5a6be7.
The search for certificates is a complex, three-step process,
which filters results in subsequent searches. This filters out
non-relevant certificates when deleting a host or service.
This patch breaks that so deleting one service of a host will
revoke *all* certificates for that host.
Another attempt will be made separately to implement this.
https://pagure.io/freeipa/issue/7835
Signed-off-by: Rob Crittenden rcritten at redhat.com
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
4f301306 by Rob Crittenden at 2021-05-21T08:52:19+02:00
ipatests: kinit on server for test_proxycommand_invalid_shell
We've seen some intermittent failures of this test with warnings
about passwords about to expire. We suspect there may be a time
difference between the client and server so set the passwords
on the server instead to be sure that time is correct.
https://pagure.io/freeipa/issue/8785
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
6fe86206 by Stanislav Levin at 2021-05-25T10:45:49+03:00
azure: bump F32->F34
Fixes: https://pagure.io/freeipa/issue/8848
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a8fd65be by Alexander Bokovoy at 2021-05-25T10:45:49+03:00
freeipa.spec: do not use jsl for linting on Fedora 34+
jsl package is orphaned in Fedora 34+ as it cannot be built.
Related: https://pagure.io/freeipa/issue/8847
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
be2f659a by Stanislav Levin at 2021-05-25T10:45:49+03:00
azure: Collect systemd boot log
If an error occured while containers setup phase then no logs will
be collected and it is hard(impossible?) to debug such issues on
remote Azure host. With this change in case of such error all the
container's journals will be collected in `systemd_boot_logs`.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
09a4918f by Stanislav Levin at 2021-05-25T10:45:49+03:00
azure: Enforce multi-user.target as default systemd's target
This may speed up boot process.
For example, 'fedora:34' set graphical.target as default,
while multi-user one will be more appropriate.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1c82895c by Stanislav Levin at 2021-05-25T10:45:49+03:00
azure: Wait for systemd booted
The calling of systemd's utils during systemd boot may lead to
unpredictable results. For example, if DBus(dbus-broker) service
is not started then DBus request goes nowhere and eventually will
be timeouted. So, it's safer to wait fully booted system.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7ed21f15 by Stanislav Levin at 2021-05-25T10:45:49+03:00
azure: Remove no longer needed repo
libseccomp2 2.5.1 is on focal-updates(Ubuntu 20.04LTS):
https://packages.ubuntu.com/focal-updates/libseccomp2
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
06d7c7f1 by Stanislav Levin at 2021-05-25T10:45:49+03:00
azure: Mask systemd-resolved
The initial value of NS of resolv.conf is 127.0.0.11, this
is the embedded NS of docker-compose. The disabling of
this feature is not currently supported by Docker.
On startup systemd-resolved caches the /etc/resolv.conf
(docker-compose version), which is later modified by
setup_containers.py script.
This results in resolving error occurs:
```console
[root at replica1 /]# getent ahosts master1.ipa.test
... can't resolve
[root at replica1 /]# grep 'hosts:' /etc/nsswitch.conf
hosts: files myhostname resolve [!UNAVAIL=return] dns
[root at replica1 /]# resolvectl status
Global
LLMNR setting: resolve
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 127.0.0.11
DNS Servers: 127.0.0.11
Fallback DNS Servers: 1.1.1.1
8.8.8.8
1.0.0.1
8.8.4.4
2606:4700:4700::1111
2001:4860:4860::8888
2606:4700:4700::1001
2001:4860:4860::8844
```
According to docs:
https://www.freedesktop.org/software/systemd/man/systemd-resolved.service.html#/etc/resolv.conf
our case is 4(managed by other packages).
So, restart of systemd-resolved is enough for its re-initialization,
but not for services that already received DNS results. To speed up
the overall process and to no restart each service which wants
internet connection(or wait until service retries connection)
systemd-resolved is masked.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1aff24e8 by Stanislav Levin at 2021-05-25T10:45:49+03:00
ipatests: Update expectations for test_detect_container
Since https://github.com/systemd/systemd/pull/17902/commits/a4a9a6f7c6e9cd9e219c56d08434a04bc2f395ff
systemd improves the detection of Docker and Podman containers based
on the presence of files-markers.
```console
[slev at test systemd]$ git describe --contains --tags a4a9a6f7c6e9cd9e219c56d08434a04bc2f395ff
v248-rc1~155^2~1
```
Note: on Azure unit tests are run as non-privileged user in non-systemd
inited container.
This worked on F32 because:
```console
[root at 6d2aad38f62c /]# rpm -q systemd
systemd-245.9-1.fc32.x86_64
```
So, actual comparison in test was `assert None == None`.
But F34 has:
```console
[root at 1ff1325f5a61 /]# rpm -q systemd
systemd-248-2.fc34.x86_64
```
So, the test's expectations should be updated.
Unfortunately, this is incompatible with older versions of systemd
(< v248).
See https://github.com/systemd/systemd/pull/17902 for details.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9148ca2e by Stanislav Levin at 2021-05-25T10:45:49+03:00
azure: Add workaround for PhantomJS against OpenSSL 1.1.1
WebUI unit tests fail with:
```
PhantomJS threw an error:ERROR
>> Auto configuration failed 0 [
>> 'Auto configuration failed',
>> '140613066520384:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(libssl_conf.so): libssl_conf.so: cannot open shared object file: No such file or directory',
>> '140613066520384:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244:',
>> '140613066520384:error:0E07506E:configuration file routines:MODULE_LOAD_DSO:error loading dso:conf_mod.c:285:module=ssl_conf, path=ssl_conf',
>> '140613066520384:error:0E076071:configuration file routines:MODULE_RUN:unknown module name:conf_mod.c:222:module=ssl_conf'
>> ]
...
Warning: PhantomJS exited unexpectedly with exit code 1.� Use --force to continue.
Aborted due to warnings.
```
See https://github.com/wch/webshot/pull/93 for details.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b5fdba7a by Stanislav Levin at 2021-05-25T10:45:49+03:00
azure: Warn about memory issues
The nonzero number of memory/memory+Swap usage hits limits may
indicate the possible env instability(crashes, random failures, etc.).
> memory.failcnt # show the number of memory usage hits limits
memory.memsw.failcnt # show the number of memory+Swap hits limits
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
07c423af by Stanislav Levin at 2021-05-25T10:45:49+03:00
BIND: Setup logging
- allow BIND's logging customization
- preconfig logging with ISC recommendations:
https://kb.isc.org/docs/aa-01526
Fixes: https://pagure.io/freeipa/issue/8856
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
65700bf7 by Stanislav Levin at 2021-05-25T10:45:49+03:00
ipatests: Setup and collect BIND logs
For Base/XMLRPC tests BIND's logs are already collected.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fc0c6b44 by Stanislav Levin at 2021-05-25T10:45:49+03:00
azure: Run Base and XMLRPC tests is isolated network
The tests in these envs make DNS requests to wild(internet) NSs,
though usually tests assume the opposite making requests to
`test.` zone. This makes CI unstable and dependent on wild
resolvers and logically wrong.
In future there can be tests which may want to check BIND as
resolver(cache) for external networks. In this case such tests
should be placed on not isolated mode.
By default, a test env is not isolated from internet(as it was
before), but it may be a good idea to change this default in
future.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
cc72a988 by Stanislav Levin at 2021-05-25T10:45:49+03:00
ipatests: Handle network-isolated mode
Since the dns plugin's tests have no access to wild resolvers
nobody answer such requests but authoritative NS.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4709aefb by Stanislav Levin at 2021-05-25T10:45:49+03:00
dnsutil: Improvements for IPA DNS Resolver
- check only IPv6 address of local NS if specified
- increase request timeout(2sec is too small, BIND resolver's
default 10sec)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
269c61a9 by Stanislav Levin at 2021-05-25T10:45:49+03:00
dns: get_reverse_zone: Ignore resolver's timeout
The DNS server may not process a query in a its internal timeout for
a some reason or don't answer for a query at all. This may indicate
a high load on DNS server. For example, if IPA DNS server is
configured with 'none' forward policy (read as resolver), then
SERVFAIL/Timeout errors will be normal until the hot cache for zones.
Resolver's timeout in turn, indicates that it queried a server, but
didn't received an answer in specified timeout.
Related: https://pagure.io/freeipa/issue/7397
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3889d865 by Stanislav Levin at 2021-05-25T10:45:49+03:00
pytest: Show extra summary information for all except passed tests
By default pytest reports in summary section about tests failures and errors.
It will be helpful to see skipped, xfailed and xpassed tests.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
afef09cc by Stanislav Levin at 2021-05-25T10:45:49+03:00
ipatests: Ignore warnings on failed to read files on tarring
There are tons of useless warnings about missing files on collecting
logs, such as:
```
tar: /var/log/ipaserver-kra-install.log: Warning: Cannot stat: No such file or directory
tar: /var/log/ipaepn.log: Warning: Cannot stat: No such file or directory
tar: /etc/NetworkManager/NetworkManager.conf: Warning: Cannot stat: No such file or directory
tar: /var/log/ipabackup.log: Warning: Cannot stat: No such file or directory
tar: /var/log/iparestore.log: Warning: Cannot stat: No such file or directory
...
```
Since `--ignore-failed-read` option is passed to tar the caller
doesn't care about not readable(mostly missing) files and these warnings
may be filtered out.
This improves the readability of test logs.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4a4c078b by Stanislav Levin at 2021-05-25T10:45:49+03:00
ipatests: Suppress list trust or certificates
There are tons of useless information in test's runner log on
server uninstallation about list trust and certificates, such
as:
```
RUN ['trust', 'list']
pkcs11:id=%D2%87%B4%E3%DF%37%27%93%55%F6%56%EA%81%E5%36%CC%8C%1E%3F%BD;type=cert
type: certificate
label: ACCVRAIZ1
trust: anchor
category: authority
pkcs11:id=%F7%7D%C5%FD%C4%E8%9A%1B%77%64%A7%F5%1D%A0%CC%BF%87%60%9A%6D;type=cert
type: certificate
label: AC RAIZ FNMT-RCM
trust: anchor
category: authority
pkcs11:id=%52%D8%88%3A%C8%9F%78%66%ED%89%F3%7B%38%70%94%C9%02%02%36%D0;type=cert
type: certificate
label: Actalis Authentication Root CA
trust: anchor
category: authority
...
```
This improves the readability of test logs.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
611b49e4 by Stanislav Levin at 2021-05-25T10:45:49+03:00
azure: Collect installed packages
The list of installed packages may be useful for checking the
versions of packages for analysis. Previously, only the newly
installed packages can be observed on Build phase.
This is convenient for experienced users of PR-CI.
Note: the read-only access provided for non-master containers
to be able to execute Azure scripts. The logs are still collected
only on controller.
Only RPM-based collection is implemented for Fedora. By default
nothing is collected.
Users may want to override `installed_packages` function
in the corresponding `ipatests/azure/scripts/variables-DISTRO.sh`.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
26ee44bc by Stanislav Levin at 2021-05-25T10:45:49+03:00
ipatests: dnssec: Add alternative approach for checking chain of trust
drill is currently broken on F34. Fortunately, there are another
tools for checking DNSSEC trust. One of them is `delv`:
> delv is a tool for sending DNS queries and validating the results,
using the same internal resolver and validator logic as named.
delv sends to a specified name server all queries needed to fetch and
validate the requested data; this includes the original requested query,
subsequent queries to follow CNAME or DNAME chains, queries for DNSKEY,
and DS records to establish a chain of trust for DNSSEC validation. It
does not perform iterative resolution, but simulates the behavior of a
name server configured for DNSSEC validating and forwarding.
Related: https://pagure.io/freeipa/issue/8793
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a893852b by Stanislav Levin at 2021-05-25T10:45:49+03:00
azure: Warn about extra and missing gating tests compared to PR-CI
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
01553572 by Stanislav Levin at 2021-05-25T10:45:49+03:00
azure: Re-balance tests envs
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6c2db326 by Stanislav Levin at 2021-05-25T10:45:49+03:00
azure: coredump: Wait for systemd fully booted
Otherwise, 'Check for coredumps' task fails with:
```
Verifying : samba-debugsource-2:4.14.4-0.fc34.x86_64 20/20
[Errno 2] No such file or directory: '/var/lib/dnf/rpmdb_lock.pid'
Finishing: Check for coredumps
```
This is due to systemd-tmpfiles(not ready yet).
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
10461b70 by Stanislav Levin at 2021-05-25T10:45:49+03:00
azure: Make it possible to adjust Docker resources per test env
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
379d5da0 by Florence Blanc-Renaud at 2021-05-26T17:04:56+03:00
pkispawn: override AJP connector address
Since commit 1906afbeb3c8b7140601be7f9bee2f7fef5b0a5e, in order to fix
rhbz#1780082, pki defines AJP connectors using localhost4 and localhost6:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost4" name="Connector1" secret="..."/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost6" name="Connector2" secret="..."/>
When /etc/hosts only defines the following:
127.0.0.1 localhost
::1 localhost
the connector initialization may fail with
java.net.BindException: Address already in use
The installer can add the following definitions to pkispawn cfg file:
pki_ajp_host_ipv4=127.0.0.1
pki_ajp_host_ipv6=::1
in order to force the value to an IP address instead of localhost4/6.
Fixes: https://pagure.io/freeipa/issue/8851
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
338f0bce by Alexander Bokovoy at 2021-05-27T18:26:28+03:00
Update IRC links to point to Libera.chat
Update documentation now that we moved IRC channels #freeipa and #sssd
to Libera.chat network.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5250ef82 by MIZUTA Takeshi at 2021-05-27T18:28:19+03:00
Add --keyfile option to ipa-otptoken-import.1
ipa-otptoken-import.1 describes the -k option.
However, the long option --keyfile option is also available.
Therefore, add the --keyfile option to ipa-otptoken-import.1.
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b4b2c10e by Alexander Bokovoy at 2021-06-01T17:09:28+03:00
ds: Support renaming of a replication plugin in 389-ds
IPA topology plugin depends on the replication plugin but
389-ds cannot handle older alias querying in the plugin
configuration with 'nsslapd-plugin-depends-on-named: ..' attribute
See https://github.com/389ds/389-ds-base/issues/4786 for details
Fixes: https://pagure.io/freeipa/issue/8799
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
dfee18f0 by Weblate at 2021-06-02T11:30:27+03:00
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
- - - - -
f2543df1 by Yuri Chornoivan at 2021-06-02T11:30:27+03:00
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (4668 of 4668 strings)
Co-authored-by: Yuri Chornoivan <yurchor at ukr.net>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Translation: freeipa/master
- - - - -
76dac09f by Weblate at 2021-06-02T11:30:27+03:00
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
- - - - -
09c83ca4 by Yuri Chornoivan at 2021-06-02T11:30:27+03:00
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (4669 of 4669 strings)
Co-authored-by: Yuri Chornoivan <yurchor at ukr.net>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Translation: freeipa/master
- - - - -
ee12f2b4 by Daniel Lara Souza at 2021-06-02T11:30:27+03:00
Translated using Weblate (Portuguese (Brazil))
Currently translated at 3.8% (178 of 4669 strings)
Co-authored-by: Daniel Lara Souza <daniellarasouza at yahoo.com.br>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pt_BR/
Translation: freeipa/master
- - - - -
61bc4e05 by Hela Basa at 2021-06-02T11:30:27+03:00
Added translation using Weblate (Sinhala)
Co-authored-by: Hela Basa <r45xveza at pm.me>
- - - - -
55e4b5e1 by Rafael Fontenelle at 2021-06-02T11:30:27+03:00
Translated using Weblate (Portuguese (Brazil))
Currently translated at 4.7% (223 of 4669 strings)
Co-authored-by: Rafael Fontenelle <rafaelff at gnome.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pt_BR/
Translation: freeipa/master
- - - - -
6d33d29f by Marcin Stanclik at 2021-06-02T11:30:27+03:00
Translated using Weblate (Polish)
Currently translated at 9.6% (451 of 4669 strings)
Co-authored-by: Marcin Stanclik <mstanclik at yahoo.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pl/
Translation: freeipa/master
- - - - -
f1ac7972 by Weblate at 2021-06-02T11:30:28+03:00
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
- - - - -
164617ab by Piotr Drąg at 2021-06-02T11:30:28+03:00
Translated using Weblate (Polish)
Currently translated at 9.6% (451 of 4669 strings)
Translated using Weblate (Polish)
Currently translated at 9.6% (451 of 4669 strings)
Co-authored-by: Piotr Drąg <piotrdrag at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pl/
Translation: freeipa/master
- - - - -
d9f00e0b by Jan Kuparinen at 2021-06-02T11:30:28+03:00
Translated using Weblate (Finnish)
Currently translated at 7.2% (340 of 4672 strings)
Translated using Weblate (Finnish)
Currently translated at 6.8% (318 of 4672 strings)
Translated using Weblate (Finnish)
Currently translated at 6.2% (290 of 4672 strings)
Translated using Weblate (Finnish)
Currently translated at 6.2% (290 of 4672 strings)
Added translation using Weblate (Finnish)
Co-authored-by: Jan Kuparinen <copper_fin at hotmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Translation: freeipa/master
- - - - -
6f89607f by Emilio Herrera at 2021-06-02T11:30:28+03:00
Translated using Weblate (Spanish)
Currently translated at 60.6% (2835 of 4672 strings)
Co-authored-by: Emilio Herrera <ehespinosa57 at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/es/
Translation: freeipa/master
- - - - -
3e3fa86e by Yuri Chornoivan at 2021-06-02T11:30:28+03:00
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (4672 of 4672 strings)
Co-authored-by: Yuri Chornoivan <yurchor at ukr.net>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Translation: freeipa/master
- - - - -
f0823459 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d2498472 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
941a99e1 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4d87ea0b by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0ae15b3f by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d0d08f48 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e7f439d9 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b5a7dea8 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f86ad3e1 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e59d3854 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2c7bb5f0 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
09aff3ad by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bfada8d7 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5250d9eb by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c8139c51 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8da69a8e by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0c996497 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dce1b51d by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
addd5e80 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e8128e2d by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b77859f5 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3f760c2f by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
aa5d5208 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
54b9d2d3 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4d2bca84 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
54533998 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
30649332 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6b21c918 by Alexander Bokovoy at 2021-06-02T11:30:28+03:00
Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c82ed2eb by Stanislav Levin at 2021-06-03T09:21:45+03:00
ipatests: Fetch sudo rules without time offset
As of 2.5.0 SSSD introduces a random timeout for the refresh
of the SUDO rules [0]. With that change it's no longer possible
to immediate fetch of SUDO rules unless the feature is disabled
[1].
[0]: https://github.com/SSSD/sssd/issues/5609
[1]: https://github.com/SSSD/sssd/issues/5635
Related: https://pagure.io/freeipa/issue/8844
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
208b9b4c by Alexander Bokovoy at 2021-06-03T13:34:13+03:00
service: enforce keytab user when retrieving the keytab
HTTP service uses different user for keytab ownership than the service
user. On Fedora this leads to http.keytab being owned by 'apache' user
after IPA deployment while it should be owned by 'root' to allow
GSSPROXY configuration to work correctly.
The situation is fixed during upgrade (ipa-server-upgrade) but it means
for new deployments there might be a period of unexplained Web UI
authentication failures.
Fixes: https://pagure.io/freeipa/issue/8872
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
6395d239 by Serhii Tsymbaliuk at 2021-06-03T14:55:56+02:00
WebUI: Add support of 'ipaautoprivategroups' LDAP attribute on 'ID Ranges' page
Add 'Auto private groups' field on 'Add ID range' form with the following options: true, false, hybrid.
The field is optional and can be omitted.
Its value can be also modified on 'Range Settings' page after the range is added.
Ticket: https://pagure.io/freeipa/issue/8837
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
d8b8f54b by Serhii Tsymbaliuk at 2021-06-03T14:55:56+02:00
WebUI tests: Add test for 'ipaautoprivategroups' field on 'ID Ranges' page
Add test_range_auto_private_groups test case to test_trust WebUI test suite to cover the field.
Ticket: https://pagure.io/freeipa/issue/8837
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
51fb9d61 by Rob Crittenden at 2021-06-04T08:49:53+03:00
Catch ValueError when trying to retrieve existing credentials
get_credentials() was changed to raise ValueError instead of
gssapi.exceptions.GSSError as part of the sweeper to clean up
expired credentials caches.
For WebUI users, this will prevent a 500 error if their
associated credentials cache is expired or missing.
https://pagure.io/freeipa/issue/8873
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ba5b9c56 by Armando Neto at 2021-06-04T08:51:01+03:00
ipatests: Bump PR-CI boxes
Update Fedora 34 and 33 boxes to include new packages
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
bef78d16 by Alexander Bokovoy at 2021-06-04T09:12:54+03:00
Contributors: add new contributors to the list
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
26fc0bca by Alexander Bokovoy at 2021-06-04T12:11:35+03:00
Depend on system-logos-ipa on RHEL/CentOS Stream
Fedora ELN represents itself as a RHEL but it does not have
redhat-logos-ipa package. CentOS Stream does not have redhat-logos-ipa
but has centos-logos-ipa package. Both RHEL and CentOS Stream provide
system-logos-ipa so we can depend on it instead.
This allows to make IPA packages installable on CentOS Stream and on
Fedora ELN.
Fixes: https://pagure.io/freeipa/issue/8874
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
71bf78dd by Alexander Bokovoy at 2021-06-04T12:29:47+03:00
po/bn_IN.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6ee9f47f by Alexander Bokovoy at 2021-06-04T12:29:47+03:00
po/ca.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f637189b by Alexander Bokovoy at 2021-06-04T12:29:47+03:00
po/cs.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8c388aea by Alexander Bokovoy at 2021-06-04T12:29:47+03:00
po/de.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5ac08a22 by Alexander Bokovoy at 2021-06-04T12:29:47+03:00
po/en_GB.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7edcf72e by Alexander Bokovoy at 2021-06-04T12:29:47+03:00
po/es.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9c7d0201 by Alexander Bokovoy at 2021-06-04T12:29:47+03:00
po/eu.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ab624d29 by Alexander Bokovoy at 2021-06-04T12:29:47+03:00
po/fi.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
cbf7bf63 by Alexander Bokovoy at 2021-06-04T12:29:47+03:00
po/fr.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
371d5f67 by Alexander Bokovoy at 2021-06-04T12:29:47+03:00
po/hi.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1de9cb50 by Alexander Bokovoy at 2021-06-04T12:29:47+03:00
po/hu.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f2f08f66 by Alexander Bokovoy at 2021-06-04T12:29:47+03:00
po/id.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2b543bb0 by Alexander Bokovoy at 2021-06-04T12:29:47+03:00
po/ipa.pot: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
526bad77 by Alexander Bokovoy at 2021-06-04T12:29:48+03:00
po/ja.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d2b50e52 by Alexander Bokovoy at 2021-06-04T12:29:48+03:00
po/kn.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7db17047 by Alexander Bokovoy at 2021-06-04T12:29:48+03:00
po/mr.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0b94425e by Alexander Bokovoy at 2021-06-04T12:29:48+03:00
po/nl.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6f1c7cbf by Alexander Bokovoy at 2021-06-04T12:29:48+03:00
po/pa.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b78368b4 by Alexander Bokovoy at 2021-06-04T12:29:48+03:00
po/pl.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d9803f27 by Alexander Bokovoy at 2021-06-04T12:29:48+03:00
po/pt.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ed69ee14 by Alexander Bokovoy at 2021-06-04T12:29:48+03:00
po/pt_BR.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c0b0b390 by Alexander Bokovoy at 2021-06-04T12:29:48+03:00
po/ru.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fbccd931 by Alexander Bokovoy at 2021-06-04T12:29:48+03:00
po/sk.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
44d13962 by Alexander Bokovoy at 2021-06-04T12:29:48+03:00
po/tg.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ab33f80c by Alexander Bokovoy at 2021-06-04T12:29:48+03:00
po/tr.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
943e93b0 by Alexander Bokovoy at 2021-06-04T12:29:48+03:00
po/uk.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
be929b74 by Alexander Bokovoy at 2021-06-04T12:29:48+03:00
po/zh_CN.po: Update translations to FreeIPA master state
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
33327b2e by Alexander Bokovoy at 2021-06-04T15:38:08+03:00
get_credentials: return ValueError for missing creds
Related: https://pagure.io/freeipa/issue/8873
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
584952ba by Armando Neto at 2021-06-07T10:49:57+02:00
workshop: Update docs and support default cloud image
Update instructions on how to build images starting with Fedora 34 using
kickstart files used by Fedora to build its cloud images.
Change vagrant provisioning steps to support both prebuilt and default
cloud images, removing the burden of maintaining boxes up-to-date, but
also providing a way to build fresh images without external packer
templates.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5c83ec06 by Florence Blanc-Renaud at 2021-06-07T16:33:15-04:00
ipatests: set selinux context for fips mode
In order to test FIPS mode, the test is faking a user-space
FIPS environment by creating a file /var/tmp/userspace-fips
and bind-mounting this file as /proc/sys/crypto/fips_enabled
The security context needs to be properly set otherwise
/proc/sys/crypto/fips_enabled inherits the security context
unconfined_u:object_r:user_tmp_t:s0 and cannot be read,
resulting in the test seeing fips_mode=false.
Fixes: https://pagure.io/freeipa/issue/8868
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6f49cc06 by Florence Blanc-Renaud at 2021-06-08T08:36:09+02:00
ipatests: delete the replica before uninstallation
The test
test_installation.py::TestInstallWithCA1::test_install_with_bad_ldap_conf
is uninstalling a replica by calling ipa-server-install --uninstall
directly, instead of deleting the replica first.
Use tasks.uninstall_replica instead of tasks.uninstall_master
to perform a proper uninstallation.
Fixes: https://pagure.io/freeipa/issue/8876
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
bcb8d4d4 by Sergey Orlov at 2021-06-08T15:10:08-04:00
ipatests: temporary disable execution of test_nfs.py::TestNFS in nightly runs
During test run on Fedora 34 and 35 sssd produces multi-gigabyte log file
which causes test runners to run out of disk space.
Related to https://pagure.io/freeipa/issue/8877
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
25f42c32 by Florence Blanc-Renaud at 2021-06-09T17:54:01-04:00
freeipa.spec: bump 389-ds version
IPA depends on the 389-ds version with the fix for
https://github.com/389ds/389-ds-base/issues/4700
Regression in winsync replication agreement
The same 389-ds version also fixes
https://github.com/389ds/389-ds-base/issues/4670
389ds coredump in IPA nightly test
test_caless.py::TestReplicaInstall::test_wildcard_http
Fixes: https://pagure.io/freeipa/issue/8691
Fixes: https://pagure.io/freeipa/issue/8756
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
accc27e6 by Sergey Orlov at 2021-06-10T20:56:46+02:00
ipatests: disable test_nfs.py::TestNFS in nightly runs on Fedora 33
Also disable in Fedora 33 as it also has the faulty version of sssd
which produces multi-gigabyte log file
Related to https://pagure.io/freeipa/issue/8877
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
5509e00a by Florence Blanc-Renaud at 2021-06-10T20:59:27+02:00
ipa-cert-fix man page: add note about certmonger renewal
ipa-cert-fix man page needs to explain that certmonger may
trigger a renewal right after ipa-cert-fix completes because
certmonger does not notice the updated certificates.
Also add a similar note at the end of ipa-cert-fix.
Fixes: https://pagure.io/freeipa/issue/8702
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
16ab690b by Rob Crittenden at 2021-06-11T09:23:56-04:00
Design doc to allow LDAP bind using the RADIUS auth type
The RADIUS auth type is only supported with Kerberos currently.
This design proposes a way to make it work with LDAP binds
as well without relying ok workarounds.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0a169b1b by Stanislav Levin at 2021-06-12T11:19:25+03:00
krb_utils: Simplify get_credentials
Previously, `get_credentials` raises either ValueError or re-raises
GSSError. The former makes the handling of this function more difficult
without a good reason.
With this change:
- `get_credentials` no longer handles exceptions by itself, but delegates
this to the callers (which already process GSS errors).
- `get_credentials_if_valid` doesn't raise any expected exceptions, but
return valid credentials (on the moment of calling) or None. This makes
it consistent with docs.
Related: https://pagure.io/freeipa/issue/8873
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0ebc59c2 by Stanislav Levin at 2021-06-12T11:19:25+03:00
gssproxy: Don't refresh expired delegated credentials
`mod_auth_gssapi` exports delegated credentials into `/run/ipa/ccaches`
and pass down that path as `KRB5CCNAME` env variable to WSGI worker.
GSSProxy in turn, protects these credentials from direct usage of
`ipa-api`. But the configuration of `service/ipa-api` (in particular,
'cred_store = client_keytab:/var/lib/ipa/gssproxy/http.keytab') and
default GSS name ('=None') dictates to refresh expired credentials
with the client's keytab overwriting the origin credentials with
initial credentials of keytab's principal.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6434968a by Rob Crittenden at 2021-06-14T15:19:42-04:00
When loading certificates verify that it is X.509 v3
Simple version enforcement. A v1 certificate won't have the
extensions that are assumed available later during the validation
process.
https://pagure.io/freeipa/issue/8817
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
16e1cbdc by Christian Heimes at 2021-06-15T14:13:16+03:00
LDAP autobind authenticateAsDN for BIND named
Use new nsslapd-ldapiautoauthdnattr feature to switch BIND named from
GSSAPI bind to EXTERNAL LDAPI bind.
Requires 389-DS >= 1.4.4.11 or >= 2.0.2
Fixes: https://pagure.io/freeipa/issue/8544
See: https://github.com/389ds/389-ds-base/issues/4381
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
5b8f37f8 by Christian Heimes at 2021-06-15T14:13:16+03:00
Add design for LDAPI autobind
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
1e98f310 by Christian Heimes at 2021-06-16T10:28:17-04:00
Add Custodia 0.6.0 to ipaserver package
Incorporate Custodia into IPA.
See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d27f01b2 by Christian Heimes at 2021-06-16T10:28:17-04:00
Remove unused Custodia modules
The CLI, IPA integration and storage backends are not used by IPA.
See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a4631b7f by Christian Heimes at 2021-06-16T10:28:17-04:00
Fix Custodia imports
See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e1abfe0f by Christian Heimes at 2021-06-16T10:28:17-04:00
Fix Custodia pylint issues
See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c27233e3 by Christian Heimes at 2021-06-16T10:28:17-04:00
Remove more unused Custodia code
See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
470bb6ed by Christian Heimes at 2021-06-16T10:28:17-04:00
Add Custodia tests
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e6f09c1b by Christian Heimes at 2021-06-16T10:28:17-04:00
Also drop Custodia client and forwarder
See: https://pagure.io/freeipa/issue/8882
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fb748666 by Florence Blanc-Renaud at 2021-06-16T11:25:08-04:00
CA-less install: non-ASCII chars in CA cert subject
In a CA-less install, if the CA cert subject contains
non-ascii characters, ipa-server-install fails when
configuring SSL for httpd.
The issue happens when calling ipautil.run to extract the keys
from a p12file. The code is using the raw output of the command
and doesn't need to specify capture_output=True, as this option
breaks if the output contains non-ascii characters.
The raw_output contains bytes, the output is a str built by decoding
the raw_output and may fail if non-ascii characters are present.
Fixes: https://pagure.io/freeipa/issue/8880
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
0faddc91 by Florence Blanc-Renaud at 2021-06-16T11:25:08-04:00
ipatests: use non-ascii chars in CA-less install
The CA-less installation creates an external CA with the
subject CN=CA,O=Example Organization.
In order to test non-ascii subjects, use
CN=CA,O=Example Organization España
instead.
Related: https://pagure.io/freeipa/issue/8880
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
50306cc6 by Antonio Torres at 2021-06-17T17:28:48-04:00
Allow PKINIT to be enabled when updating from a pre-PKINIT IPA CA server
When upgrading from a server with IPA CA before PKINIT was introduced
(4.5), PKINIT would not be enabled and there wasn't any way to enable it
since upgrade code only issues self-signed certificates when
certificates are missing. With these change there is a way to enable
PKINIT when coming from a IPA server with a pre-PKINIT version (4.4 and
before).
Fixes: https://pagure.io/freeipa/issue/8532
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3a4939fa by Antonio Torres at 2021-06-18T10:46:29-04:00
host: try to resolve FQDN before command execution
Trying to resolve the FQDN before command execution (during
pre-callback) helps detect cases where the host specified by the user
does not exist, saving execution time. Aside from this, resolving the
FQDN is useful when only the shortname of the host is passed, as this
would cause issues when trying to update the DNS records during
modification of the entry.
Fixes: https://pagure.io/freeipa/issue/8726
Fixes: https://pagure.io/freeipa/issue/8884
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3e77d313 by Antonio Torres at 2021-06-18T10:46:29-04:00
ipatests: test host update using shortname
Add test to ensure that host-mod resolves the FQDN when passing the
shortname of the host being modified.
Related: https://pagure.io/freeipa/issue/8726
Related: https://pagure.io/freeipa/issue/8884
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
16057898 by Mohammad Rizwan at 2021-06-18T10:49:07-04:00
ipatest: Test ipa-cert-fix fails when startup directive is missing from CS.cfg
This test checks that if 'selftests.container.order.startup' directive
is missing from CS.cfg, ipa-cert-fix fails and throw proper error
message. It also checks that underlying command 'pki-server cert-fix'
should fail to renew the cert.
related: https://pagure.io/freeipa/issue/8721
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
922357b7 by Rob Crittenden at 2021-06-21T10:58:02+02:00
Use get_replication_plugin_name in LDAP updater
This allows for a consistent way to retrieve the value from
LDAP. The method is used to find an existing entry. It is not usable
to add or remove entries.
Moving it in the code allows the value to always be set in the
substitution dictionary and not rely on a specific caller.
It was moved to installutils.py to avoid circular import.
https://pagure.io/freeipa/issue/8885
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c14d52f4 by Armando Neto at 2021-06-21T18:58:59+02:00
ipatests: Bump PR-CI rawhide template
Update system's Python to 3.10
Issue: https://github.com/freeipa/freeipa-pr-ci/issues/435
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0c2530ef by Sudhir Menon at 2021-06-22T16:42:14+02:00
ipatests: Test to check that ResponseNotReady error is not displayed when user session cache is deleted
Pagure: https://pagure.io/freeipa/issue/7752
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3597ab9b by Stanislav Levin at 2021-06-23T13:16:01-04:00
ipatests: healthcheck: Update IPAHostKeytab assumptions
As of 0.9 freeipa-healthcheck requires running `dirsrv` service
for `IPAHostKeytab` check. So, previous assumption about the
triggering the GSSAPI error no longer works. For example, this can
be achieved by deletion of host's keytab.
Fixes: https://pagure.io/freeipa/issue/8889
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1439764c by Serhii Tsymbaliuk at 2021-06-25T15:42:20+02:00
WebUI: Fix certificate serial number representation
Big numbers are automatically translated to scientific notation in JavaScript.
It causes an issue with some certificate serial numbers.
The fix normalizes the notation base on original value from serial_number_hex.
The implementation works only for browsers that support BigInt.
It would not work for old browsers like Internet Explorer.
Ticket: https://pagure.io/freeipa/issue/8754
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
72f44b55 by François Cami at 2021-06-28T11:41:07+03:00
ipa-client-install: remove fsync in do_nsupdate()
No need to flush buffers on the nsupdate file as it will get
removed at the end of the function.
Related: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
20c7bd5e by François Cami at 2021-06-28T11:41:07+03:00
ipa-client-install: invoke nsupdate twice (GSS-TSIG, plain)
ipa-client-install invokes nsupdate with GSS-TSIG at client
enrollment time. If that fails, no retry is done.
Change that behavior to try again without GSS-TSIG.
Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2e31e847 by François Cami at 2021-06-28T11:41:07+03:00
ipa-client-install: update sssd.conf if nsupdate requires -g
If dynamic DNS updates are selected, sssd will use GSS-TSIG
by default for nsupdate.
When ipa-client-install notices that plain nsupdate is required,
switch sssd to use no authentication for dynamic updates too.
Fixes: https://pagure.io/freeipa/issue/8402
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cf802443 by Stanislav Levin at 2021-06-28T14:16:56+03:00
plugins: Don't treat keys of api as bytes
The plugin `plugins` iterates over the keys of API instance,
__iter__ of which is a generator of class.__name__ from
(Command, Object, Method, Backend, Updater). So, the allowed type
is str, not bytes.
Fixes: https://pagure.io/freeipa/issue/8898
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cc212e55 by Stanislav Levin at 2021-06-28T14:16:56+03:00
ipatests: Add tests for `plugins` plugin
Previously there were no tests for `ipalib.misc` module.
Fixes: https://pagure.io/freeipa/issue/8898
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fe863594 by Stanislav Levin at 2021-06-28T14:16:56+03:00
ipatests: Add tests for `env` plugin
Previously there were no tests for `ipalib.misc` module.
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cf26159e by Sudhir Menon at 2021-06-28T14:25:02+03:00
Increase timeout for test_commands.py
test_commands.py testsuite is failing due to
'RunPytest timed out after 4800s'
Hence the timeout has been increased from 4800 to 5400
Ref: https://github.com/freeipa-pr-ci2/freeipa/pull/996
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
19d5b3b6 by Rob Crittenden at 2021-06-29T14:55:50+03:00
Return a copy of cached entries, only with requested attributes
Some plugins, notably dns, modifies a returned entry in order
to compare it to the user-provided info (e.g. dnsrecord-del).
This modification was done on the cached entry directly rather
than a copy which caused unexpected results, mostly
EmptyResult because the cached entry was changed directly so
the next get_entry returned the same modified entry.
In addition, on a hit in the LDAP cache the entire cached entry
was returned regardless of what attributes were requested.
The automember condition add/remove calls only request the
inclusive/exclusive rule attributes and loop over the returned
values to look for duplicates. This was failing because the queried
entry contains attributes that the candidate entry does not contain.
The automember code is:
old_entry = ldap.get_entry(dn, [attr])
for regex in old_entry.keys():
if not isinstance(entry_attrs[regex], (list, tuple)):
old_entry, returned from the cache, contained objectclass, cn,
description, etc. which don't exist in the candidate entry so
entry_attrs[regex] threw a KeyError.
To return a copy of the entry and requested attributes on a
search HIT.
Also be more careful when storing the attributes in the cache entry.
The returned attributes may not match the requested. So store the
attributes we actually have.
This issue was exposed by Ansible which maintains a larger and
longer-lived cache because commands are executed in the server context
one after another, giving the cache a chance to build up.
Adjust the expected test results as well. In test_get_testuser()
the first request asks for all attributes (default) so ensure
that is successful since a user_add gets all attributes in
the post_callback. Next request a subset of the attributes which
is also a hit and confirm that only those requested were returned.
https://pagure.io/freeipa/issue/8897
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
675b5d2f by François Cami at 2021-07-01T13:15:48-04:00
paths: add IPA_SERVER_CONF
Related: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
69497f4a by François Cami at 2021-07-01T13:15:48-04:00
ipatests: smoke test for server debug mode.
Add a smoke test to make sure the server can be set in debug mode
without issue.
Related: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
06791db5 by François Cami at 2021-07-01T13:15:48-04:00
rpcserver.py: perf_counter_ns is Python 3.7+
perf_counter_ns is only available in Python 3.7 and later.
Define a lambda for 3.6 and lower.
Fixes: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0bdbf114 by Antonio Torres at 2021-07-05T11:07:02+02:00
Add checks to prevent adding auth indicators to internal IPA services
Authentication indicators should not be enforced against internal
IPA services, since not all users of those services are able to produce
Kerberos tickets with all the auth indicator options. This includes
host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
If a client that is being promoted to replica has an auth indicator
in its host principal then the promotion is aborted.
Fixes: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
da72a576 by Antonio Torres at 2021-07-05T11:07:02+02:00
ipatests: ensure auth indicators can't be added to internal IPA services
Authentication indicators should not be added to internal IPA services,
since this can lead to a broken IPA setup. In case a client with
an auth indicator set in its host principal, promoting it to a replica
should fail.
Related: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
10676f64 by Florence Blanc-Renaud at 2021-07-05T11:09:01+02:00
Remove unneeded dependency on python-coverage
The spec file requires python3-coverage although it is not
used in the project.
Fixes: https://pagure.io/freeipa/issue/8905
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
ec8b26b2 by Florence Blanc-Renaud at 2021-07-06T08:14:33+02:00
stageuser: add ipauserauthtypeclass when required
The command
ipa stageuser-add --user-auth-type=xxx
is currently failing because the objectclass ipauserauthtypeclass
is missing from the created entry.
There is code adding the missing objectclass in the
pre_common_callback method of user_add, and this code should
be common to user_add and stageuser_add. In order to avoid code
duplication, it makes more sense to move the existing code to
pre_common_callback of baseuser_add, that is called by both
classes.
Fixes: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
05d69c8c by Florence Blanc-Renaud at 2021-07-06T08:14:33+02:00
XMLRPC test: add a test for stageuser-add --user-auth-type
Related: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a7c85178 by Florence Blanc-Renaud at 2021-07-07T21:54:17+02:00
man page: update ipa-server-upgrade.1
The man page needs to clarify in which case the command needs
to be run.
Fixes: https://pagure.io/freeipa/issue/8913
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
8d83ebde by Florence Blanc-Renaud at 2021-07-08T11:06:49+02:00
augeas: bump version for rhel9
augeas 1.12.1-0.1 adds support for the new chony configuration
settings.
Related: https://pagure.io/freeipa/issue/8676
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
fbee1549 by Florence Blanc-Renaud at 2021-07-08T13:40:04+02:00
Server install: do not use unchecked ip addr for ipa-ca record
At the end of a server installation, the DNS records for
ipa-ca.$DOMAIN are created/updated with the IP addresses of the
new server.
The current code resolves the IP addresses of the new server
but doesn't check them. This can result in the addition of
a link-local address to ipa-ca record.
For each address, make sure that it's neither reserved nor a
link-local address.
Fixes: https://pagure.io/freeipa/issue/8810
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
1c4ae372 by Christian Heimes at 2021-07-09T09:47:30-04:00
Add basic support for subordinate user/group ids
New LDAP object class "ipaUserSubordinate" with four new fields:
- ipasubuidnumber / ipasubuidcount
- ipasubgidnumber / ipasgbuidcount
New self-service permission to add subids.
New command user-auto-subid to auto-assign subid
The code hard-codes counts to 65536, sets subgid equal to subuid, and
does not allow removal of subids. There is also a hack that emulates a
DNA plugin with step interval 65536 for testing.
Work around problem with older SSSD clients that fail with unknown
idrange type "ipa-local-subid", see: https://github.com/SSSD/sssd/issues/5571
Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c78d1341 by Christian Heimes at 2021-07-09T09:47:30-04:00
Redesign subid feature
Subordinate ids are now handled by a new plugin class and stored in
separate entries in the cn=subids,cn=accounts subtree.
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
51035d93 by Christian Heimes at 2021-07-09T09:47:30-04:00
Use 389-DS' dnaInterval setting to assign intervals
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1e00748f by Christian Heimes at 2021-07-09T09:47:30-04:00
Fix ipa-server-upgrade
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
110940b9 by Christian Heimes at 2021-07-09T09:47:30-04:00
Fix oid of ipaUserDefaultSubordinateId
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
30eceb50 by Serhii Tsymbaliuk at 2021-07-09T09:47:30-04:00
WebUI: Improve subordinate ids user workflow
- add "Subordinate ID Statistics" page
- add button for generating subid in "Subordinate ids" tab of user details page
- allow to navigate directly to owner details from subordinate id page
- adjust i18n strings
Ticket: https://pagure.io/freeipa/issue/8361
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
aae6c029 by Christian Heimes at 2021-07-09T09:47:30-04:00
Test DNA plugin configuration
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
02e19d0a by Rob Crittenden at 2021-07-09T13:21:00-04:00
Add SHA384withRSA as a certificate signing algorithm
It required support in dogtag which was added in 10.5.0.
This is only easily configurable during installation because
it will set ca.signing.defaultSigningAlgorithm to the
selected algorithm in CS.cfg
The certificate profiles will generally by default set
default.params.signingAlg=- which means use the CA default.
So while an existing installation will technically allow
SHA384withRSA it will require profile changes and/or
changing the defaultSigningAlgorithm in CS.cfg and
restarting (completely untested). And that won't affect
already issued-certificates.
https://pagure.io/freeipa/issue/8906
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
c64eaa49 by Sudhir Menon at 2021-07-12T09:07:53+02:00
ipatests: Fix for test_source_ipahealthcheck_ipa_host_check_ipahostkeytab
Expected error message has been modified for
test_source_ipahealthcheck_ipa_host_check_ipahostkeytab
Related: https://pagure.io/freeipa/issue/8889
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
eb8a6d07 by Florence Blanc-Renaud at 2021-07-12T10:43:39+02:00
ipatests: use whole date when calling journalctl --since
The test TestSelfExternalSelf::test_switch_back_to_self_signed
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.
Fixes: https://pagure.io/freeipa/issue/8918
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
ea8f4b69 by Mohammad Rizwan at 2021-07-12T19:59:06+02:00
ipatests: Test ipa-cert-fix warns when startup directive is missing from CS.cfg
Earlier it used to fail when startup directive missing from CS.cfg.
With https://github.com/dogtagpki/pki/pull/3466, it changed to display
a warning than failing.
related: https://pagure.io/freeipa/issue/8890
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b43ac4fd by Michal Polovka at 2021-07-12T17:11:10-04:00
ipatests: test_ipahealthcheck: print a message if a system is healthy
Test if when the system is completely healthy, informative message is
returned and not only empty output (list or json).
Related: https://pagure.io/freeipa/issue/8892
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4616c125 by François Cami at 2021-07-13T15:03:46+02:00
pr-ci definitions: add subid-related jobs
Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3189e501 by Michal Polovka at 2021-07-13T16:52:57+02:00
ipatests: test_installation: move tracking_reqs dependency to ipalib constants ipaserver: krainstance: utilize moved tracking_reqs dependency
KRA instance import depends on lib389 package, which is not always
installed and that results in failure. Furthermore, test_installation
utilizes krainstance import. This fix moves relevant parts from
krainstance to ipalib constants where those are subsequently imported
from.
Related: https://pagure.io/freeipa/issue/8795
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
bd0d4374 by Rob Crittenden at 2021-07-13T17:57:28-04:00
Fall back to krbprincipalname when validating host auth indicators
When adding a new host the principal cannot be determined because it
relies on either:
a) an entry to already exist
b) krbprincipalname be a component of the dn
As a result the full dn is being passed into ipapython.Kerberos
which can't parse it.
Look into the entry in validate_validate_auth_indicator() for
krbprincipalname in this case.
https://pagure.io/freeipa/issue/8206
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
4bd1d15b by Florence Blanc-Renaud at 2021-07-14T14:31:51-04:00
webui tests: close notification when revoking cert
When a cert is revoked, a notification is displayed
and may obscure the buttons. Make sure to close the
notification before moving to the next step.
Fixes: https://pagure.io/freeipa/issue/8911
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
24afb10c by Florence Blanc-Renaud at 2021-07-15T16:28:30+02:00
spec file: Trust controller role should pull sssd-winbind-idmap package
ipa-server-trust-ad subpackage need to pull in sssd-winbind-idmap
Fixes: https://pagure.io/freeipa/issue/8923
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
178fb134 by Alexander Bokovoy at 2021-07-16T15:38:53+02:00
rhel platform: add a named crypto-policy support
RHEL 8+ provides bind system-wide crypto policy support, enable it.
Fixes: https://pagure.io/freeipa/issue/8925
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
cb37f499 by Florence Blanc-Renaud at 2021-07-16T16:33:29+02:00
Index: Fix definition for memberOf
The index definition for memberOf is inconsistent:
dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: member
nsIndexType: eq
nsIndexType: sub
nsSystemIndex: false
objectClass: top
objectClass: nsIndex
The cn attribute should be memberOf, not member. Fix the definition.
Fixes: https://pagure.io/freeipa/issue/8920
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
319aa7a4 by Florence Blanc-Renaud at 2021-07-16T14:35:48-04:00
webui tests: fix algo for finding available idrange
The webui tests for ID range evaluate a potentially free id range
by looking for existing ranges and picking a range = max value
+ 1 million.
With the addition of subuid range this algorithm produces values
over the limit because the subuid range goes from
2,147,483,648 to 4,294,836,224 and the max base id is 4,294,967,295.
Ignore the subuid range when picking a potential range.
Fixes: https://pagure.io/freeipa/issue/8919
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cbe5151e by François Cami at 2021-07-20T11:11:28+02:00
ipatests: smbclient "-k" => "--use-kerberos=desired"
Change documentation:
https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt
As of Samba 4.15rc1, smbclient does not accept "-k" anymore.
The "-k|--kerberos" option ("Try to authenticate with kerberos.")
has been replaced with "--use-kerberos=required|desired|off".
Fixes: https://pagure.io/freeipa/issue/8926
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
4618c3c2 by François Cami at 2021-07-21T11:29:00+02:00
tasks.py: fix flake8-reported issues
Fixes: https://pagure.io/freeipa/issue/8931
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
82ab9245 by François Cami at 2021-07-21T15:27:31+02:00
test_acme: refactor with tasks
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
93fad5a8 by François Cami at 2021-07-21T15:27:31+02:00
test_acme: make password renewal more robust
A kinit immediately following a password change can fail.
Setting KRB5_TRACE and retrieving kdcinfo will help to understand
the cause of failure.
Fixes: https://pagure.io/freeipa/issue/8929
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
10bd66dd by Rob Crittenden at 2021-07-22T14:39:24-04:00
Use new method in check to prevent removal of last KRA
It previously used a vault connection to determine if any
KRA servers were installed. This would fail if the last KRA
was not available.
Use server roles instead to determine if the last KRA server
is to be removed.
https://pagure.io/freeipa/issue/8397
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
2097776e by Rob Crittenden at 2021-07-22T14:39:24-04:00
ipatests: test removing last KRA when it is not running
Use the new role-based mechanism, one that doesn't rely
on direct communication to the server, to determine whether
the server being removed by `ipa server-del` contains the
last KRA server.
https://pagure.io/freeipa/issue/8397
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
b71009b3 by François Cami at 2021-07-23T10:52:55+02:00
Azure: temporarily disable problematic tests, #1
test_installation.TestInstallMaster, test_advise,
and test_integration.test_commands.TestIPACommand rely on DNS
forwarders and hit a known BIND bug:
https://gitlab.isc.org/isc-projects/bind9/-/issues/2728
quite often.
This is blocking gating nearly completely.
Disable these tests in gating until the bug is fixed and
the related build is available in Fedora.
Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
baed2e6f by François Cami at 2021-07-23T10:52:55+02:00
Azure: temporarily disable problematic tests, #2
test_cert and test_SubCAkeyReplication are randomly failing.
The suspect for test_SubCAkeyReplication is an nss bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1985061
The reason for test_cert failures was not identified, the only
relevant line in the log contains:
2021-07-22T17:37:21.0873339Z tests: cert, result: 1, time: 30:08.98
2021-07-22T17:37:21.0874172Z Command exited with non-zero status 1
Disable these tests in gating until the NSS bug is fixed and
the related build is available in Fedora.
Related: https://pagure.io/freeipa/issue/8864
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
d4d545a1 by François Cami at 2021-07-23T10:52:55+02:00
gating.yaml: Fix TestInstallMaster timeout
test_integration/test_installation.py::TestInstallMaster 's
timeout is 10800 on all nightlies but it timeouts in gating with a
timeout of 3600. Use 7200 in gating so that it has some chance of
completing.
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
3e9bb606 by Rob Crittenden at 2021-07-26T11:07:57-04:00
Display all orphaned keys in automountlocation-tofiles
Only the first key was being displayed for any orphaned map.
https://pagure.io/freeipa/issue/7814
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
14062c77 by Rob Crittenden at 2021-07-26T11:07:57-04:00
ipatests: Add test for ipa automountlocation-tofiles
Only the first key of orphaned automount keys was being
displayed.
tofiles was created because making sense of LDAP automount
information is a brain squeezer. The purpose is not to
display in a precise file format but to display it in
a sensible and understandable way.
https://pagure.io/freeipa/issue/7814
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
f470f649 by Rob Crittenden at 2021-07-26T11:07:57-04:00
Fix automountlocation-tofiles expected output in xmlrpc test
The previous output matched the bad behavior of only displaying
one orphaned key.
https://pagure.io/freeipa/issue/7814
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
8a4a338c by François Cami at 2021-07-27T09:55:27+02:00
ipatests: refactor test_ipa_cert_fix with tasks
Fixes: https://pagure.io/freeipa/issue/8932
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
718099af by Antonio Torres at 2021-07-27T13:27:36+02:00
ipa-kra-install: exit if ca_host is overriden
ipa-kra-install should exit if ca_host line is present
in /etc/ipa/default.conf, as it may lead to a misconfigured
setup.
Fixes: https://pagure.io/freeipa/issue/8245
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
42447c45 by Antonio Torres at 2021-07-27T13:27:36+02:00
ipatests: test if KRA install fails when ca_host is overriden
KRA install on a replica should fail if ca_host is
overriden in /etc/ipa/default.conf.
Related: https://pagure.io/freeipa/issue/8245
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1457bc60 by Armando Neto at 2021-07-27T15:44:44+02:00
ipatests: bump prci boxes + move gating to f34
Bump template box version to latest to include recently updated
dependencies and move gating and temp definitions to latest Fedora
release.
Issue: https://pagure.io/freeipa/issue/8935
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
ae05970e by Rob Crittenden at 2021-07-30T08:45:08-04:00
ipa-getkeytab: add option to discover servers using DNS SRV
The basic flow is:
- If server is provided by the user then use it
- If server the magic value '_srv', check for _ldap._tcp SRV records for
the domain in /etc/ipa/default.conf
- If no servers are found use the server from default.conf
https://pagure.io/freeipa/issue/8478
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fece03d4 by Rob Crittenden at 2021-07-30T08:45:08-04:00
ipa-getkeytab: fix compiler warnings
Make read_ipa_config and filter_keys static to avoid
"no previous prototype" warnings.
Use correct datatype of return value for ber_scanf to
correct different signedness comparision.
Fixed while working on https://pagure.io/freeipa/issue/8478
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
7729b1c8 by Rob Crittenden at 2021-07-30T08:45:08-04:00
ipatests: test ipa-getkeytab server option
Test various usages of the -s/--server option:
* -s is defined, use it as the server
* no -s, use the host value from /etc/ipa/default.conf
* -s is '_srv_', do DNS discovery
https://pagure.io/freeipa/issue/8478
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8170659d by Christian Heimes at 2021-07-30T08:58:25-04:00
Fix ldapupdate.get_sub_dict() for missing named user
The named user may not be present when ipa-server-dns and bind are not
installed. NAMED_UID and NAMED_GID constants are only used with local
DNS support.
Fixes: https://pagure.io/freeipa/issue/8936
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Co-authored-by: François Cami <fcami at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3568a3d1 by Rob Crittenden at 2021-08-02T15:31:24-04:00
Provide more information in ipa-certupdate on ccache failure
ipa-certupdate obtains host credentials to operate. If this
fails with a ccache error this can be confusing if the user
executing it already has admin credentails.
Include the principal being retrieved and the keytab being
used.
This basically intercepts the exception to log additional
information and lets the exception be handled at a higher
level.
https://pagure.io/freeipa/issue/8257
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ad06c75b by François Cami at 2021-08-02T22:32:39+02:00
freeipa.spec.in: remove python3-pexpect from Requires
python3-pexpect will be removed in RHEL9.
Update BuildRequires/Requires accordingly.
Fixes: https://pagure.io/freeipa/issue/8938
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>
- - - - -
81b61578 by Anuja More at 2021-08-03T08:32:25+02:00
ipatests: Test for OTP when the LDAP connection timed out.
Test to verify that when the idle timeout is exceeded (30s idle,
60s sleep) then the ipa-otpd process should exit without error.
Related : https://pagure.io/freeipa/issue/6587
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e13bd7ed by Rob Crittenden at 2021-08-03T11:05:15-04:00
ipa-advise: if p11-kit provides opensc, don't add to NSS db
p11-kit-proxy in newer distributions handles loading the OpenSC
PKCS#11 library so don't try to add it to the NSS database in
/etc/pki/nssdb if it is already available in order to avoid a
potentially confusing error message.
https://pagure.io/freeipa/issue/8934
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
9d1ee644 by Rob Crittenden at 2021-08-03T11:05:15-04:00
ipa-advise: Define the domain used when looking up ipa-ca
The error message if ipa-ca can't be resolved included the
undefined variable ${domain_name}. Since this is static anyway
change to a python format string and hardcode the string in
the resulting script as api.env.domain.
Discovered while working on https://pagure.io/freeipa/issue/8934
Related: https://pagure.io/freeipa/issue/8934
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
32727804 by Rob Crittenden at 2021-08-03T11:09:28-04:00
ipatests: verify that getcert output includes the issued date
certmonger 0.79.14 included a new feature that provides the
NotBefore (or issued) date to the certificate list output.
Verify that it is present in the output.
https://bugzilla.redhat.com/show_bug.cgi?id=1940261
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
bb38fbca by Mohammad Rizwan at 2021-08-04T12:10:33+02:00
ipatests: Look for warning into stderr instead of stdout
In https://github.com/freeipa/freeipa/pull/5855 was looking
into stdout_text for warning instead of stderr_text, hence
was failing for pki version > 10.11.0.
related: https://pagure.io/freeipa/issue/8890
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e11a78a2 by Antonio Torres at 2021-08-04T14:09:45+02:00
dnszone: deprecate option for setting SOA serial
Since IPA 3 [1] SOA serial is managed automatically via autoincrement,
and the option of disabling this behavior was deprecated in IPA 3.3.3 [2]..
As a result, the option '--serial' during DNS zone addition would be
ignored as it is set during the creation. This commit adds a deprecation
warning if this option is used.
[1]: https://www.freeipa.org/page/V3/DNS_SOA_serial_auto-incrementation
[2]: https://www.freeipa.org/page/Releases/3.3.3
Fixes: https://pagure.io/freeipa/issue/8227
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Jeffman <rjeffman at redhat.com>
- - - - -
715987a8 by Antonio Torres at 2021-08-04T14:09:45+02:00
ipatests: expect SOA serial option deprecation warning
Tests must be updated to expect the new deprecation warning.
Related: https://pagure.io/freeipa/issue/8227
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Jeffman <rjeffman at redhat.com>
- - - - -
4785d87e by Rob Crittenden at 2021-08-04T14:20:19+02:00
Add index for sudoorder
sudorule-mod <rule> --order=<num> does a search for an existing
order and this search is unindexed.
https://pagure.io/freeipa/issue/8939
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e914a597 by François Cami at 2021-08-05T15:19:33+02:00
ipatests: use krb5_trace in TestIpaAdTrustInstall
tasks.create_active_user can fail in a subtle way when there
are two IPA servers due to replication delays.
Using the debug-enabled version of create_active_user helps
determine whether there is another underlying issue and, in
general, prevents the above problem.
Fixes: https://pagure.io/freeipa/issue/8944
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
4932a9c9 by Rob Crittenden at 2021-08-05T17:36:46+02:00
Don't assume that plugin attributes and objectclasses are lowercase
A user wrote their own plugin to add custom attributes which was
failing with an incorrect error that the attribute wasn't allowed.
It wasn't allowed because it wasn't being treated as case-insensitive
so wasn't being found in the schema.
https://pagure.io/freeipa/issue/8415
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
7b77fef7 by Rob Crittenden at 2021-08-05T17:36:46+02:00
ipatests: add suite for testing custom plugins
Ensure that attributes and objectclasses are case-insensitive.
https://pagure.io/freeipa/issue/8415
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e3304ff3 by Rob Crittenden at 2021-08-05T17:36:46+02:00
pr-ci definitions: add custom plugin-related jobs
Related: https://pagure.io/freeipa/issue/8415
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
9310366a by Chris Kelley at 2021-08-05T17:35:51-04:00
Parse getStatus as JSON not XML
On dogtagpki/pki master XML is being replaced by JSON, getStatus will
return JSON in PKI 11.0+
The PR for dogtagpki/pki that makes this change necessary is:
https://github.com/dogtagpki/pki/pull/3674
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
c75be14b by Christian Heimes at 2021-08-09T08:42:39+02:00
Fix string check in uninstall helper
The install helpers used an invalid string check. ``('ubuntu')`` is
not a tuple. It's a string with superfluous parenthesis. A single-item
tuple would be ``('ubuntu',)``. It's recommended to use set literals to
avoid such mistakes.
Also check for 'debian' platform.
Fixes: https://pagure.io/freeipa/issue/8937
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
6e2ca193 by Chris Kelley at 2021-08-09T08:44:52+02:00
Parse cert chain as JSON not XML
On dogtagpki/pki master XML is being replaced by JSON in PKI 11.0+
The PR for dogtagpki/pki that makes this change necessary is:
https://github.com/dogtagpki/pki/pull/3677
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7cac63fa by Anuja More at 2021-08-09T14:49:21+02:00
ipatests: Test ldapsearch with base scope works with compat tree.
Added test to verify that ldapsearch for compat tree
with scope base and sub is not failing.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
cd665e2d by Anuja More at 2021-08-09T14:49:21+02:00
ipatests: skip test_basesearch_compat_tree on fedora.
slapi-nis with fix is not part of fedora yet.
test requires with fix:
https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177?
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
16b3788f by Anuja More at 2021-08-10T11:12:52+02:00
ipatests: Refactor test_check_otpd_after_idle_timeout
Use whole date when calling journalctl --since
ipa-otpd don't flush its logs to syslog immediately,
so check with run_repeatedly.
Also list failed units when ldap connection is
timed out.
Related: https://pagure.io/freeipa/issue/6587
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
bb628aeb by Stanislav Levin at 2021-08-12T16:34:17-04:00
ipatests: Fix TestAJPSecretUpgrade tests on systems without pkiuser
Tests in `test_ipaserver.test_secure_ajp_connector' assume that there
is pkiuser in OS, but this is not always true (for example, in systems
having minimum installed dependencies, in particular, without pki-server
RPM package). Since the tests already use the mock and pkiuser entity is
not the subject of testing the pwd.getpwnam has been mocked.
Fixes: https://pagure.io/freeipa/issue/8942
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
dabf2763 by Anuja More at 2021-08-12T16:35:52-04:00
ipatests: Test unsecure nsupdate.
The test configures an external bind server on the ipa-server
(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
When the IPA client is registered using ipa-client-install,
DNS records are added for the client in the bind server using nsupdate.
The first try is using GSS-TIG but fails as expected, and the client
installer then tries with unauthenticated nsupdate.
Related : https://pagure.io/freeipa/issue/8402
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d46f5b2c by Michal Polovka at 2021-08-13T09:19:48+02:00
ipatests: test_ipahealthcheck: Verify permissions for /var/log/ files
Test if files in /var/log are being checked with ipahealthcheck.ipa.files source.
Resolves: https://pagure.io/freeipa/issue/8949
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
db698556 by Rob Crittenden at 2021-08-16T09:12:55+02:00
Clean up the PKI securitydomain when removing a server
PKI has its own internal knowledge of servers and services
in its securitydomain. This has not been cleaned up in the
past but is becoming more of an issue as PKI now relies on its
securitydomain for more things, and it has a healthcheck that
reports inconsistencies.
Removing entries is straightforward using the PKI REST API.
In order to operate on the API access is needed. There was an
unused Security Domain Administrators group that I've added to
the resourceACLS we created for managing the securitydomain.
The ipara user is added as a member of this group. The REST
API binds to the CA using the IPA RA certificate.
Related commits are b3c2197b7e4ed18a7febe3efa6396c2272ebccca
and ba4df6449aaa0843ab43a1a2b3cb1df8bb022c24.
These resourceACLS were originally created as a backwards
compatibility mechanism for dogtag v9 and later only created when a
replica was installed purportedly to save a restart. I don't see
any reason to not have these defined. They are apparently needed due
to the PKI database upgrade issues.
In any case if the purpose was to suppress these ACLS it failed
because as soon as a replica with a CA was installed they were as
well, and we need this ACL in order to manage the securitydomain.
https://pagure.io/freeipa/issue/8930
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c0d6c05d by Rob Crittenden at 2021-08-16T09:12:55+02:00
ipatests: Verify that securitydomain is updated on server-del
For every server-del ensure that the server being deleted is
also removed from the PKI securitydomain.
https://pagure.io/freeipa/issue/8930
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d5e499cd by Rob Crittenden at 2021-08-17T14:05:49-04:00
Only call add_agent_to_security_domain_admins() when CA is installed
This allows the RA agent to manage the pki security domain and is
only needed if a CA has been configured. Only call it in a CA-ful
installation.
https://pagure.io/freeipa/issue/8956
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
23fa1574 by François Cami at 2021-08-18T17:55:41+02:00
Update list of contributors
Signed-off-by: François Cami <fcami at redhat.com>
- - - - -
3eb0759a by Stanislav Levin at 2021-08-19T08:44:26+02:00
schema plugin: Generate stable fingerprint
If some Param defines several values for `exclude` or `include`
attributes then API schema hash will be unstable.
First, these Param's attributes are converted to frozenset
(ipalib/parameters.py), then `ipaserver.plugins.schema` plugin
converts `exclude` and `include` attrs to list. Set/frozenset in
turn, is unordered collection [0]. So, the end order of values is
undefined.
But due to the nature of sets:
> two sets are equal if and only if every element of each set is
contained in the other (each is a subset of the other)
the order of values can be ignored.
Note: other Param's attrs with type frozenset are not affected because
they are not processed by the schema plugin.
[0]: https://docs.python.org/3/library/stdtypes.html#set-types-set-frozenset
Fixes: https://pagure.io/freeipa/issue/8955
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
77e7ac35 by Stanislav Levin at 2021-08-19T08:44:26+02:00
ipatests: Add tests for `schema` Command
- the base testing of this command is made by ipaclient `schema`
remote plugin, but some specifics are not covered
- allow testing of the plugin in `development` mode(locked API).
Fixes: https://pagure.io/freeipa/issue/8955
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
50c6359f by Mohammad Rizwan at 2021-08-19T08:48:02+02:00
ipatests: wait while http/ldap/pkinit cert get renew on replica
LDAP/HTTP/PKINIT certificates should be renewd on replica after
moving system date. Test was failing because ipa-cert-fix ran
while these cert was not renewd and it tried to fix it.
This test adds check for replication before calling ipa-cert-fix
on replica.
Fixes: https://pagure.io/freeipa/issue/8815
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c963adc7 by Mohammad Rizwan at 2021-08-19T08:48:02+02:00
ipatests: update the timemout for test_ipa_cert_fix.py in nightlies
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
099a7a24 by François Cami at 2021-08-20T14:37:22+02:00
freeipa.spec.in: update 389-DS version
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>
- - - - -
42067e56 by Stanislav Levin at 2021-08-24T16:49:10+02:00
Azure: Run pycodestyle check in Lint job
- previously, fastlint make's target includes both the Pylint task
and pycodestyle one. The purpose of this target is a fast checking
only for changed Python files. This makes sense for pycodestyle, but
limits Pylint due to a context(file) checking. The clients which
call the code being linted are not checked at all. In Azure Pylint
(for the whole codebase) is run in the Lint task, this makes fastlint
extra for Azure.
- `Quick code style check` task used distro's Pylint, while `Lint`
task PyPI's one. This may cause different results and confuse a
user.
- `Build` task takes time longer than `Lint` one, so this change
doesn't lead to increased CI time.
- all Azure tests depend on Build and Lint tasks. Mostly it's no need
to run tests due to a probably broken code.
Fixes: https://pagure.io/freeipa/issue/8961
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
3f134fea by Stanislav Levin at 2021-08-24T16:49:10+02:00
pycodestyle: Check *.in Python files
Many of IPA Python scripts are shebang configurable scripts and
have special suffix '.in' for that. Pycodestyle by default check
only '*.py' files [0].
[0]: https://pycodestyle.pycqa.org/en/latest/intro.html
Fixes: https://pagure.io/freeipa/issue/8961
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
7b5ef8ae by Florence Blanc-Renaud at 2021-08-25T11:00:03+02:00
ipatests: use whole date for journalctl --since
When a test is executed around midnight and is checking the
journal content with --since=date, it needs to specify the
whole date (with day and time) to avoid missing entries.
If for instance --since=23:59:00 is used and the current time is
now 00:01:00, --since=23:59:00 would refer to a date in the
future and no journal entry will be found.
Fixes: https://pagure.io/freeipa/issue/8953
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
d5672a97 by Endi S. Dewata at 2021-08-26T14:07:29+02:00
Specify PKI installation log paths
The DogtagInstance.spawn_instance() and uninstall() have
been modified to specify the paths of PKI installation
logs using --log-file option on PKI 11.0.0 or later.
This allows IPA to have a full control over the log files
instead of relying on PKI's default log files.
Fixes: https://pagure.io/freeipa/issue/8966
Signed-off-by: Endi Sukma Dewata <edewata at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
- - - - -
b5f692c1 by Florence Blanc-Renaud at 2021-08-31T14:58:52+02:00
selinux policy: allow custodia to access /proc/cpuinfo
On aarch64, custodia creates AVC when accessing /proc/cpuinfo.
According to gcrypt manual
(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html),
/proc/cpuinfo is used on ARM architecture to read the hardware
capabilities of the CPU. This explains why the issue happens only
on aarch64.
audit2allow suggests to add the following:
allow ipa_custodia_t proc_t:file { getattr open read };
but this policy would be too broad. Instead, the patch is using
the interface kernel_read_system_state.
Fixes: https://pagure.io/freeipa/issue/8972
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
f1c58fb6 by Christian Heimes at 2021-08-31T18:28:27-04:00
Add URI system records for KDC
MIT KRB5 1.15 introduced KDC service discovery with URI records.
_kerberos and _kpasswd URI records can provide TCP, UDP, and Kerberos
KDC-Proxy references. URI lookups take precedence over SRV lookups,
falling back to SRV lookups if no URI records are found.
Also reduce TTL for system records from one day to one hour. It allows
users to remove or update discovery entries in a timely fashion.
See: https://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html#kdc-discovery
Fixes: https://pagure.io/freeipa/issue/8968
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d743219a by Sumit Bose at 2021-09-01T13:45:25-04:00
extdom: return LDAP_NO_SUCH_OBJECT if domains differ
If a client sends a request to lookup an object from a given trusted
domain by UID or GID and an object with matching ID is only found in a
different domain the extdom should return LDAP_NO_SUCH_OBJECT to
indicate to the client that the requested ID does not exists in the
given domain.
Resolves: https://pagure.io/freeipa/issue/8965
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4414d50d by Rob Crittenden at 2021-09-02T12:56:18-04:00
Catch and log errors when adding CA profiles
Rather than stopping the installer entirely, catch and report
errors adding new certificate profiles, and remove the
broken profile entry from LDAP so it may be re-added later.
It was discovered that installing a newer IPA that has the
ACME profile which requires sanToCNDefault will fail when
installing a new server against a very old one that lacks
this class.
Running ipa-server-upgrade post-install will add the profile
and generate the missing ipa-ca SAN record so that ACME
can work.
https://pagure.io/freeipa/issue/8974
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
b624179c by François Cami at 2021-09-02T20:51:56+02:00
subid: subid-match: display the owner's ID not DN
Previously, the subid-match command would output the full
DN of the owner of the matched range.
With this change, the UID of the owner is displayed, just like
for other subid- commands.
Fixes: https://github.com/freeipa/freeipa/pull/6001
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b91c0afd by Rob Crittenden at 2021-09-03T08:59:57-04:00
Increase default limit on LDAP searches to 100k
A similar change was attempted years ago in commit
9724251292e4c0797367fcc351a9f16f30c6aefe but it was
never applied because it used the wrong DN and because
nsslapd-timelimit is already present in the entry
the default keyword won't trigger.
Use replace instead to increase the value to 100k from
the default as originally intended.
nsslapd-sizelimit can be changed only with a MOD_REPLACE
otherwise a LDAP_NO_SUCH_ATTRIBUTE error is thrown. IPA
only uses MOD_REPLACE for single-value attributes but
nsslapd-sizelimit is not yet in schema. Add it to
the known set of exceptions for single-value attributes.
https://pagure.io/freeipa/issue/8962
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
b18cd122 by Florence Blanc-Renaud at 2021-09-08T08:16:14+02:00
ipatests: rpcclient now uses --use-kerberos=desired
The integration tests are using rpcclient delivered
by samba package. With samba 4.15, the options have
been renamed and "--use-kerberos=desired" must be
used instead of "-k".
(see
https://download.samba.org/pub/samba/rc/samba-4.15.0rc4.WHATSNEW.txt)
Adapt the test to be compatible with both old and new versions.
Fixes: https://pagure.io/freeipa/issue/8979
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
2ba3028b by Florence Blanc-Renaud at 2021-09-08T10:24:49+02:00
migrate-ds: workaround to detect compat tree
Migrate-ds needs to check if compat tree is enabled before
migrating users and groups. The check is doing a base
search on cn=compat,$SUFFIX and considers the compat tree
enabled when the entry exists.
Due to a bug in slapi-nis, the base search may return NotFound
even though the compat tree is enabled. The workaround is to
perform a base search on cn=users,cn=compat,$SUFFIX instead.
Fixes: https://pagure.io/freeipa/issue/8984
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0d33d21a by Stanislav Levin at 2021-09-08T14:53:08+02:00
docs: Make use of `text` highlighting
As of 4.9.7 FreeIPA makes use of raw lexer in doc/designs/subordinate-ids.md.
raw alias has been removed in Pygments 2.8.0:
https://pygments.org/docs/changelog/#version-2-8-0
https://github.com/pygments/pygments/pull/1643
This causes the failure of Azure Docs job.
I think that the original goal of `raw` was the disabling of block
highlighting, which can be done with `text` lexer:
https://pygments.org/docs/lexers/#pygments.lexers.special.TextLexer
Fixes: https://pagure.io/freeipa/issue/8985
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0342e18e by Florence Blanc-Renaud at 2021-09-08T16:46:21+02:00
ipatests: fix logic waiting for repl in TestIPACommand
The logic of test_reset_password_unlock is twisted.
Currently it's doing:
- reset password on replicas[0]
- wait for replication on master
- kinit on master
The call to wait_for_replication should be done on
replicas[0], not on master, according to the method doc:
Note that this waits for updates originating on this host, not those
coming from other hosts.
Fixes: https://pagure.io/freeipa/issue/8975
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
- - - - -
d43b5139 by Chris Kelley at 2021-09-10T13:56:46-04:00
Make Dogtag return XML for ipa cert-find
Using JSON by default within Dogtag appears to cause ipa cert-find to
return JSON, when the request was made with XML. We can request that XML
is returned as before by specifying so in the request header.
Fixes: https://pagure.io/freeipa/issue/8980
Signed-off-by: Chris Kelley <ckelley at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
a2e06c38 by Florence Blanc-Renaud at 2021-09-14T14:56:42-04:00
ipatests: fix expected msg in tasks.run_ssh_cmd
OpenSSH 8.7p1 changed the message logged on successful
authentication (see commit 9e1882ef6489a7dd16b6d7794af96629cae61a53).
As a result, the method run_ssh_cmd is failing and needs to be
adapted in order to be compatible with old and new openssh versions.
Fixes: https://pagure.io/freeipa/issue/8989
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5edf144a by Florence Blanc-Renaud at 2021-09-14T14:58:33-04:00
Doc: add a design template
Add a template for new features in doc/designs/template.md
The template is excluded from automatic doc generation.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a941e8f6 by Stanislav Levin at 2021-09-15T08:48:13+02:00
azure: Ignore tar errors
Sometimes tar fails on changed in process files:
```
[2021-09-07 11:03:33] + tar --ignore-failed-read -czf ipaserver_install_logs.tar.gz --warning=no-failed-read /var/log/dirsrv /var/log/httpd2 /var/log/ipa /var/log/ipaclient-install.log /var/log/ipa-custodia.audit.log /var/log/ipaserver-install.log /var/log/krb5kdc.log /var/log/pki /var/log/samba /var/lib/bind/data systemd_journal.log
[2021-09-07 11:03:33] tar: Removing leading `/' from member names
[2021-09-07 11:03:33] tar: Removing leading `/' from hard link targets
[2021-09-07 11:03:33] tar: /var/log/dirsrv/slapd-IPA-TEST/access: file changed as we read it
[2021-09-07 11:03:33] + tests_result=1
```
This is expected failure since processes are not stopped during logs
collection and can flush their logs.
Fixes: https://pagure.io/freeipa/issue/8983
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
93126e01 by Stanislav Levin at 2021-09-15T10:16:54+02:00
krb5: Pin kpasswd server to a primary one
There are time gaps in which kinit requests may fail due to
offlined SSSD's locator and replication delays.
Since `IPA` provider or SSSD offline the locator plugin for libkrb5
(man 8 sssd_krb5_locator_plugin) can do nothing about this and kinit
fallbacks to the standard libkrb5 algorithm described in `man 5 krb5.conf`.
`krb5.conf` on IPA server doesn't include `kpasswd_server` and kinit
fallbacks to DNS way. DNS (URI or SRV) RRs don't preserve any order
and kinit may contact either master or replica kpasswd servers.
This may result in a password was changed on a replica but was not
replicated to master:
master(kinit)->master(initial)->replica(kpasswd)->master(can't
obtain initial creds with new password)
So, `kpasswd_server` serves as fallback for the offlined locator.
Note: primary_kdc(the former master_kdc) doesn't help here because
it is only used if the initial credentials obtaining fails (see
`krb5_get_init_creds_password` in libkrb5) and not a password change.
Fixes: https://pagure.io/freeipa/issue/8353
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4fa6afa9 by Stanislav Levin at 2021-09-15T10:16:54+02:00
ipatests: Log debug messages for locator plugin
SSSD provides Kerberos plugin
> to tell the Kerberos libraries what Realm and which KDC to use.
It's useful to see what is happening during kinit in case of any
issues.
Related: https://pagure.io/freeipa/issue/8353
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ba526c5c by Rob Crittenden at 2021-09-16T13:16:17-04:00
Don't store entries with a usercertificate in the LDAP cache
usercertificate often has a subclass and both the plain and
subclassed (binary) values are queried. I'm concerned that
they are used more or less interchangably in places so not
caching these entries is the safest path forward for now until
we can dedicate the time to find all usages, determine their
safety and/or perhaps handle this gracefully within the cache
now.
What we see in this bug is that usercertificate;binary holds the
first certificate value but a user-mod is done with
setattr usercertificate=<new_cert>. Since there is no
usercertificate value (remember, it's usercertificate;binary)
a replace is done and 389-ds wipes the existing value as we've
asked it to.
I'm not comfortable with simply treating them the same because
in LDAP they are not.
https://pagure.io/freeipa/issue/8986
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
540b01bc by Rob Crittenden at 2021-09-16T13:16:17-04:00
ipatests: Test that a user can be issued multiple certificates
Prevent regressions in the LDAP cache layer that caused newly
issued certificates to overwrite existing ones.
https://pagure.io/freeipa/issue/8986
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
- - - - -
7706dfaf by Stanislav Levin at 2021-09-20T17:53:53+02:00
schema plugin: Fix commands without metaobject arg
Previously, all the commands of schema plugin derived from
BaseMetaSearch require metaobject as their argument
(by implementation), but the spec for some of them only optionally
asks for search criteria arg. This patch fixes this inconsistency.
Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
210739c0 by Stanislav Levin at 2021-09-20T17:53:53+02:00
command_defaults: Don't crash on nonexistent command
It's common for ipa commands to raise NotFound in such a case.
Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d4a3ed9d by Stanislav Levin at 2021-09-20T17:53:53+02:00
test_schema_plugin: Drop dependency on Tracker
Tracker is the best for testing plugins dealing with LDAP.
The tests in test_schema_plugin are not used LDAP at all.
Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c0a2b377 by Stanislav Levin at 2021-09-20T17:53:53+02:00
test_schema_plugin: Add missing tests for command, class and topic commands
Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
7a9301c5 by Pavel Březina at 2021-09-22T09:36:39+02:00
kdb: fix typo in ipa_kdcpolicy_check_as
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cd85b729 by Vit Mojzis at 2021-09-27T09:53:38-04:00
selinux: Fix file context definition for /var/run
There is a file context equivalence rule assigning /run the same
contexts as /var/run. Because of it it's necessary to use /var/run
instead of /run in file context definitions.
See:
https://fedoraproject.org/wiki/SELinux/IndependentPolicy#File_contexts_and_equivalency_rules
Signed-off-by: Vit Mojzis <vmojzis at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
a6b3993d by Florence Blanc-Renaud at 2021-09-29T15:50:31+02:00
ipatests: increase sosreport verbosity
With the new version sos-4.2-1, sos report -v prints the
debug messages into sos.log only. In order to see the debug
messages in the console, -vv is needed.
For more info refer to sos report commit
https://github.com/sosreport/sos/commit/1d0729a9dcfe3f3cebb961114c9bc05136cf8cfb
Since the test is looking for messages in stdout, use -vv to
make sure the expected messages are printed in the console.
Fixes: https://pagure.io/freeipa/issue/9000
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
2d534662 by Florence Blanc-Renaud at 2021-09-29T15:52:45+02:00
ipatests: update expected error message for openssl verify
The test TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_ipaopensslchainvalidation
needs to be adapted with the new error message returned by
openssl verify when the provided certificate file does not exist.
The message changed with openssl3.
Fixes: https://pagure.io/freeipa/issue/8999
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
563077c9 by Florence Blanc-Renaud at 2021-10-04T09:14:24-04:00
webui test: close notification after selinux user map update
The test test_undo_refresh_reset_update_cancel is sometimes
failing because a notification obscures the selinuxmap record.
After saving the modification on the record, close any notification
to make sure the test succeeds.
Fixes: https://pagure.io/freeipa/issue/8846
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
2a7285c8 by Sergey Orlov at 2021-10-05T10:23:31+02:00
ipatests: check for message in sssd log only during actual test action
Get size of the log file immediately before main test action to avoid
capturing messages written to log during environment preparation.
Fixes https://pagure.io/freeipa/issue/8987
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
575074da by Florence Blanc-Renaud at 2021-10-08T10:39:05+02:00
ipatests: Update the subca used in TestIPACommand::test_cacert_manage
The above test is installing 2 Let's Encrypt certificates:
the root ISRG Root X1 and a subca. The subca expired Oct 6 and needs to
be replaced with a valid one, otherwise ipa-cacert-manage install
refuses to install it.
Fixes: https://pagure.io/freeipa/issue/9006
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
47fbe05f by Rob Crittenden at 2021-10-08T10:47:58+02:00
Improve sudooption docs, make the option multi-value
I don't know why this wasn't always multi-value but if one wanted
to set multiple options they needed to call add-option multiple
times. The LDAP attribute is already multi-value.
This shouldn't cause API issues as it understood the attribute as
multi-value just didn't expose it. Client output on the CLI will
look a bit different:
Added option "('one', 'two')" to Sudo Rule "test"
or
Added option "(u'one', u'Two')" to Sudo Rule "test"
instead of with this change:
Added option "one,two" to Sudo Rule "test"
Removing an option works in a similar way.
The value is normalized on the client side in order to ensure that
the option value is always a tuple.
https://pagure.io/freeipa/issue/2278
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
8f1dda64 by Stanislav Levin at 2021-10-18T12:08:56+02:00
seccomp profile: Default to ENOSYS instead of EPERM
This allows application to detect whether the kernel supports
syscall or not. Previously, an error was unconditionally EPERM.
There are many issues about glibc failed with new syscalls in containerized
environments if their host run on old kernel.
More about motivation for ENOSYS over EPERM:
https://github.com/opencontainers/runc/issues/2151
https://github.com/opencontainers/runc/pull/2750
See about defaultErrnoRet introduction:
https://github.com/opencontainers/runtime-spec/pull/1087
Previously, FreeIPA profile was vendored from
https://github.com/containers/podman/blob/main/vendor/github.com/containers/common/pkg/seccomp/seccomp.json
Now it is merged directly from
https://github.com/containers/common/blob/main/pkg/seccomp/seccomp.json
Fixes: https://pagure.io/freeipa/issue/9008
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ade5b9de by Stanislav Levin at 2021-10-21T08:03:03+02:00
azure: Don't customize pip's builddir
As of 21.3 pip:
> Remove the --build-dir option and aliases, one last time. (pypa/pip#10485)
https://pip.pypa.io/en/stable/news/#v21-3
Previous versions warn about deprecation.
The builddir is provided to pip via env variable PIP_BUILD in Tox task.
The purpose of changing of default builddir was noexec mount option for
/tmp in Travis (see 17d571c961). Since Travis is no longer used and
Azure lacks this issue the PIP_BUILD can be safely removed.
Note: pip 21.3 just ignores this env variable, which is more than can be
said for the command line option. It's better to clean it up, since the
behaviour may be changed in future.
This is effectively the revert of 17d571c961.
Fixes: https://pagure.io/freeipa/issue/9011
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f11a4c3d by Michal Polovka at 2021-10-21T10:36:27+02:00
ipatests: webui: Specify configuration loader
Default YAML loader has been deprecated in PyYAML-6.0, specify loader explicitly.
Fixes: https://pagure.io/freeipa/issue/9009
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
91334b27 by Florence Blanc-Renaud at 2021-10-21T18:58:16+02:00
ipa-client-samba uninstall: remove tdb files
ipa-client-samba uninstaller must remove samba *.tdb files
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
The current code calls rm on the relative path filename
instead of building an absolute path filename,
resulting in failure to remove the tdb files.
Fixes: https://pagure.io/freeipa/issue/8687
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bbe554ac by Florence Blanc-Renaud at 2021-10-21T18:58:16+02:00
ipa-server-install uninstall: remove tdb files
ipa-server-install uninstaller must remove samba *.tdb files
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
The current code calls rm on the relative path filename
instead of building an absolute path filename,
resulting in failure to remove the tdb files.
Related: https://pagure.io/freeipa/issue/8687
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bacddb82 by Florence Blanc-Renaud at 2021-10-28T16:22:26-04:00
Design: Integrate SID configuration into base IPA installers
Add design doc for the feature.
Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5856f107 by Rob Crittenden at 2021-10-28T16:24:06-04:00
On redhat-based platforms rely on authselect to enable sudo
The default platform task enable_sssd_sudo() writes directly
to nsswitch.conf to enable sudo. This isn't necessary to do on
systems with authselect where we already pass in with-sudo as a
profile option.
Override the default function with does a direct write with a no-op.
https://pagure.io/freeipa/issue/8755
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
18456e71 by Stanislav Levin at 2021-10-28T16:29:01-04:00
ipatests: TestMultipleExternalCA: Create tempfiles on remote host
Previously, `test_master_install_ca1` and `test_master_install_ca2`
attempt to create tempdirs on local host and later write some
content into the returned paths on remote host. This fails if
a remote host is a local one.
The existent `create_temp_file` function has been extended to
support `suffix` option of `mktemp`.
Fixes: https://pagure.io/freeipa/issue/9013
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d6d41362 by Armando Neto at 2021-10-31T20:44:27-03:00
ipatests: bump rawhide template for PR-CI
New PR-CI template based on compose `Fedora-Rawhide-20211021.n.0`,
future Fedora 36.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f1922fe5 by Sergey Orlov at 2021-11-01T13:57:18+01:00
ipatests: use AD domain name from config instead of hardcoded value
The test fails when test config contains AD domain value other than one
hardcoded in the test code.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ebe838cb by Sumedh Sidhaye at 2021-11-01T11:27:53-04:00
Test to verify if the case of a request for /ca/rest/authority/{id}/cert (or .../chain) where {id} is an unknown authority ID.
Test Steps:
1. Setup a freeipa server and a replica
2. Stop ipa-custodia service on replica
3. Create a LWCA on the replica
4. Verify LWCA is recognized on the server
5. Run `ipa ca-show <LWCA>`
BZ Link: https://bugzilla.redhat.com/show_bug.cgi?id=1958788
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
f9e95ce5 by Florence Blanc-Renaud at 2021-11-02T10:11:28+01:00
SID generation: define SIDInstallInterface
Move the SID-related options into a separate InstallInterface
(--add-sids, --netbios-name, --rid-base and --secondary-rid-base),
make ADTrustInstallInterface inherit from SIDInstallInterface.
Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5541b9d6 by Florence Blanc-Renaud at 2021-11-02T10:11:28+01:00
Installers: configure sid generation in server/replica installer
ADTRUSTInstance performs only sid configuration when it is
called without --setup-adtrust.
Update man pages for ipa-server-install and ipa-replica-install
with the SID-related options.
Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b0545326 by Florence Blanc-Renaud at 2021-11-02T10:11:28+01:00
adtrust install: define constants for rid bases
Define constants for DEFAULT_PRIMARY_RID_BASE = 1000 and
DEFAULT_SECONDARY_RID_BASE = 100000000
Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ed001c97 by Florence Blanc-Renaud at 2021-11-02T10:11:28+01:00
ipa config: add --enable-sid option
Add new options to ipa config-mod, allowing to enable
SID generation on upgraded servers:
ipa config-mod --enable-sid --add-sids --netbios-name NAME
The new option uses Dbus to launch an oddjob command,
org.freeipa.server.config-enable-sid
that runs the installation steps related to SID generation.
--add-sids is optional and triggers the sid generation task that
populates SID for existing users / groups.
--netbios-name is optional and allows to specify the NetBIOS Name.
When not provided, the NetBIOS name is generated based on the leading
component of the DNS domain name.
This command can be run multiple times.
Fixes: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8dc064c2 by Florence Blanc-Renaud at 2021-11-02T10:11:28+01:00
ipatests: add test ensuring SIDs are generated for new installs
The standard installer now configures all the items needed
for SID generation. Add a new test with the following scenario:
- install IPA server
- create an active user
- ensure the user's entry has an attribute ipantsecurityidentifier
- ensure that the kerberos ticket for the user contains PAC data
by using the utility ipa-print-pac
Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2d468fa4 by Florence Blanc-Renaud at 2021-11-02T10:11:28+01:00
ipatests: interactive install prompts for netbios name
The interactive server installation now prompts for netbios
name confirmation.
Add expected prompt and send response to the installer.
Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fdfde9ce by Florence Blanc-Renaud at 2021-11-02T10:11:28+01:00
ipatests: adapt expected output with SID
>From now on, new users/groups automatically get a SID.
Update the expect test outputs.
Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
fd53ed14 by Florence Blanc-Renaud at 2021-11-02T10:11:28+01:00
User lifecycle: ignore SID when moving from preserved to staged
When a preserved user entry is moved to staged state, the SID
attribute must not be provided to user-stage command (the option
does not exist and the SID will be re-generated anyway).
Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c99b8bb4 by Florence Blanc-Renaud at 2021-11-02T10:11:28+01:00
ipatests: backup-reinstall-restore needs to clear sssd cache
The integration tests that check backup-reinstall-restore
scenario need to clear sssd cache before checking the uid
of the admin user. For instance:
backup: saves the original admin uid
reinstall: creates a new admin uid, potentially cached by SSSD
restore: restores the original admin uid
Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
02b4241e by Florence Blanc-Renaud at 2021-11-02T10:11:28+01:00
Webui tests: new idrange now requires base RID
Now that SID are always generated, the creation of a new
local idrange is refused if baserid is missing.
Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bede62bf by Florence Blanc-Renaud at 2021-11-02T10:11:28+01:00
User plugin: do not return the SID on user creation
The SID is not part of the default user attributes and does not
need to be returned in the user-add output.
Related: https://pagure.io/freeipa/issue/8995
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
cc8a0bc2 by Florence Blanc-Renaud at 2021-11-02T10:11:28+01:00
ipatests: update the expected output of user-add cmd
The SID is not expected to be returned by ipa user-add.
Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4b665ccf by Florence Blanc-Renaud at 2021-11-02T11:40:25+01:00
ipatests: revert wrong commit on gating definition
Commit ebe838c overwrote the PRCI definition with temp commit
and needs to be reverted.
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
3d809c70 by Alexander Bokovoy at 2021-11-02T15:38:05+02:00
doc/designs: fix formatting in LDAPI autobind design
Even though specifying 'raw' format is allowed, this breaks Read The
Docs which is not able to complete the full build of documentation and,
therefore, doesn't publish an updated documentation.
Pushed under one-liner rule.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6b544c43 by Mohammad Rizwan at 2021-11-03T10:55:49+01:00
ipatests: remove redundant kinit from test
Fixture issue_and_expire_cert() kinit after moving the date to
expire certs. This fix is to rely on kinit from fixture.
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b842b825 by Rob Crittenden at 2021-11-03T10:59:10+01:00
Make the schema cache TTL user-configurable
The API schema is not checked for changes until after a TTL
is expired. A one-hour TTL was hardcoded which makes development
tedious because the only way to force a schema update is to
remember to remove files between invocations.
This adds a new environment variable, schema_ttl, to configure
the TTL returned by the server to schema() calls. This can be
set low to ensure a frequent refresh during development.
If the client is in compat mode, that is if client is working
against a server that doesn't support the schema() command,
then use the client's schema_ttl instead so that the user still
has control.
Re-check validity before writing the cache. This saves us both
a disk write and the possibility of updating the expiration
with a ttl of 0. This can happen if the fingerprint is still
valid (not expired, no language change) the schema check is
skipped so we have no server-provided ttl.
https://pagure.io/freeipa/issue/8492
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2e7396b0 by Florence Blanc-Renaud at 2021-11-10T14:05:53+01:00
ipatests: fix get_user_result method
Because the sidgen plugin is a postop plugin, it is not
always triggered before the result of an ADD is returned
and the objectclasses of the user may / may not contain
ipantuserattrs.
Fix the get_user_result method to work in all the cases.
Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6cfb9b71 by Alexander Bokovoy at 2021-11-10T15:00:27-05:00
ipa-kdb: store SID in the principal entry
If the principal entry in LDAP has SID associated with it, store it to
be able to quickly assess the SID when processing PAC.
Also rename string_to_sid to IPA-specific version as it uses different
prototype than Samba version.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Robert Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
637653a5 by Alexander Bokovoy at 2021-11-10T15:00:27-05:00
ipa-kdb: enforce SID checks when generating PAC
Check that a domain SID and a user SID in the PAC passed to us are what
they should be for the local realm's principal.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Robert Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
443a9906 by Alexander Bokovoy at 2021-11-10T15:00:27-05:00
ipa-kdb: use entry DN to compare aliased entries in S4U operations
When working with aliased entries, we need a reliable way to detect
whether two principals reference the same database entry. This is
important in S4U checks.
Ideally, we should be using SIDs for these checks as S4U requires PAC
record presence which cannot be issued without a SID associated with an
entry. This is true for user principals and a number of host/service
principals associated with Samba. Other service principals do not have
SIDs because we do not allocate POSIX IDs to them in FreeIPA. When PAC
is issued for these principals, they get SID of a domain computer or
domain controller depending on their placement (IPA client or IPA
server).
Since 389-ds always returns unique entry DN for the same entry, rely on
this value instead. We could have used ipaUniqueID but for Kerberos
principals created through the KDB (kadmin/kdb5_util) we don't have
ipaUniqueID in the entry.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6828273b by Alexander Bokovoy at 2021-11-10T15:00:27-05:00
ipa-kdb: S4U2Proxy target should use a service name without realm
According to new Samba Kerberos tests and [MS-SFU] 3.2.5.2.4
'KDC Replies with Service Ticket', the target should not include the
realm.
Fixes: https://pagure.io/freeipa/issue/9031
Pair-programmed-with: Andreas Schneider <asn at redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Andreas Schneider <asn at redhat.com>
Reviewed-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
23336160 by Alexander Bokovoy at 2021-11-10T15:00:27-05:00
ipa-kdb: add support for PAC_UPN_DNS_INFO_EX
CVE-2020-25721 mitigation: KDC must provide the new HAS_SAM_NAME_AND_SID
buffer with sAMAccountName and ObjectSID values associated with the
principal.
The mitigation only works if NDR library supports the
PAC_UPN_DNS_INFO_EX buffer type. In case we cannot detect it at compile
time, a warning will be displayed at configure stage.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9a0bcbbe by Alexander Bokovoy at 2021-11-10T15:00:27-05:00
ipa-kdb: add support for PAC_REQUESTER_SID buffer
CVE-2020-25721 mitigation: KDC must provide the new PAC_REQUESTER_SID
buffer with ObjectSID value associated with the requester's principal..
The mitigation only works if NDR library supports the PAC_REQUESTER_SID
buffer type. In case we cannot detect it at compile time, a warning will
be displayed at configure stage.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0022bd70 by Alexander Bokovoy at 2021-11-10T15:00:27-05:00
ipa-kdb: add PAC_ATTRIBUTES_INFO PAC buffer support
PAC_ATTRIBUTES_INFO PAC buffer allows both client and KDC to tell
whether a PAC structure was requested by the client or it was provided
by the KDC implicitly. Kerberos service then can continue processing or
deny access in case client explicitly requested to operate without PAC.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3042a1d5 by Alexander Bokovoy at 2021-11-10T15:00:27-05:00
ipa-kdb: Use proper account flags for Kerberos principal in PAC
As part of CVE-2020-25717 mitigations, Samba expects correct user
account flags in the PAC. This means for services and host principals we
should be using ACB_WSTRUST or ACB_SVRTRUST depending on whether they
run on IPA clients ("workstation" or "domain member") or IPA servers
("domain controller").
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6e6fad4b by Alexander Bokovoy at 2021-11-10T15:00:27-05:00
SMB: switch IPA domain controller role
As a part of CVE-2020-25717 mitigations, Samba now assumes 'CLASSIC
PRIMARY DOMAIN CONTROLLER' server role does not support Kerberos
operations. This is the role that IPA domain controller was using for
its hybrid NT4/AD-like operation.
Instead, 'IPA PRIMARY DOMAIN CONTROLLER' server role was introduced in
Samba. Switch to this role for new installations and during the upgrade
of servers running ADTRUST role.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4062e7b9 by Alexander Bokovoy at 2021-11-11T16:13:56-05:00
ipa-kdb: honor SID from the host or service entry
If the SID was explicitly set for the host or service entry, honor it
when issuing PAC. For normal services and hosts we don't allocate
individual SIDs but for cifs/... principals on domain members we do as
they need to login to Samba domain controller.
Related: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0c08faf3 by Alexander Bokovoy at 2021-11-11T16:13:56-05:00
ipa-kdb: validate domain SID in incoming PAC for trusted domains for S4U
Previously, ipadb_check_logon_info() was called only for cross-realm
case. Now we call it for both in-realm and cross-realm cases. In case of
the S4U2Proxy, we would be passed a PAC of the original caller which
might be a principal from the trusted realm. We cannot validate that PAC
against our local client DB entry because this is the proxy entry which
is guaranteed to have different SID.
In such case, validate the SID of the domain in PAC against our realm
and any trusted doman but skip an additional check of the DB entry in
the S4U2Proxy case.
Related: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
680d92b5 by Florence Blanc-Renaud at 2021-11-18T18:05:35+01:00
ipatests: mark test_installation_TestInstallWithCA_DNS3 as xfail
The test failure is a known issue, happening on f33+. Mark as xfail
until 8700 is fixed.
Related: https://pagure.io/freeipa/issue/8700
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
aed5fd87 by Alexander Bokovoy at 2021-11-18T18:07:42+01:00
freeipa.spec.in: -server subpackage should require samba-client-libs
KDB driver extensively uses NDR parsing and marshalling code provided by
Samba libraries. Since these libraries are internal to Samba, they often
change structures without updating SONAME. Typical changes include
adding new structures, so we should require samba-client-libs we were
built against.
There used to be %requires_eq macros in RPM but it was removed from
Fedora some time ago. We need greater than or equal version of it, thus
%ipa_requires_gt is defined in the spec file.
Related: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
f224f6ad by Armando Neto at 2021-11-18T19:58:23-03:00
ipatests: Bump PR-CI latest templates to Fedora 35
Moving 'latest' to Fedora 35 and 'previous' to Fedora 34.
Update Rawhide template.
Based on https://github.com/freeipa/freeipa-pr-ci/pull/445.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
15da3a8e by Armando Neto at 2021-11-18T20:04:36-03:00
ipatests: Fix UI_driver method after Selenium upgrade
`WebDriver.switch_to_active_element()` was deprecated in favour of
`driver.switch_to.active_element`.
Method was deprecated a long time ago, however deprecation message and
proxy method were removed recently and are not present in latest
version.
https://selenium-python.readthedocs.io/api.html#selenium.webdriver.remote.webdriver.WebDriver.switch_to_active_element
https://www.selenium.dev/selenium/docs/api/py/webdriver_remote/selenium.webdriver.remote.webdriver.html#selenium.webdriver.remote.webdriver.WebDriver.switch_to
Issue: https://pagure.io/freeipa/issue/9029
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
4c61b926 by Florence Blanc-Renaud at 2021-11-19T22:12:32+01:00
ipatests: update packages in rawhide test test_installation_client.py
The test definition is missing the instruction to update
the packages.
Fixes: https://pagure.io/freeipa/issue/9035
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
b8cea149 by François Cami at 2021-11-22T09:54:34+01:00
pwpolicy: change lifetime error message
ipa pwpolicy-mod --minlife $min --maxlife $max
accepts $max >= $min, yet the error message says:
"Maximum password life must be greater than minimum."
Change the error message so that it conveys the
actual logic.
Fixes: https://pagure.io/freeipa/issue/9038
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
36b97580 by Petr Vobornik at 2021-11-22T12:38:35+01:00
fix(webui): create correct PTR record when navigated from host page
In scenario:
1. make sure that reverse zone doesn't have the desired PTR record
2. open host page of the host with matchnig the A record, e.g.: https://server.pvoborni.test/ipa/ui/#/e/host/details/test2.pvoborni.test
3. click on the "Host name" link, it will bring us to it's DNS record page. E.g., https://server.pvoborni.test/ipa/ui/#/e/dnsrecord/details/pvoborni.test&test2
! notice the missing '.' in the URL after zone name (pvoborni.test)
4. click on the A record , dialog will show up, saying "record not found"
5. click on the "create DNS record"
PTR record created by Web UI doesn't have trailing '.' (is not fully
qualified record) even if the DNS zone is.
This patch is fixing the link to the DNS Record page so that the
page then correctly gets the DNS Zone name and thus creates a correct
fully qualified PTR record.
https://bugzilla.redhat.com/show_bug.cgi?id=2009114
https://pagure.io/freeipa/issue/9036
Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
da4a7d29 by Petr Vobornik at 2021-11-22T12:38:35+01:00
webui tests: remove unnecessary code in add_record
Pkeys are not used anywhere in the method thus can be removed.
Related: https://pagure.io/freeipa/issue/9036
Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3bcbc869 by Rob Crittenden at 2021-11-22T14:38:24-05:00
Don't limit role-find by hostname when searching for last KRA
The "is this the last KRA" test did a role-find including the
current server. This skewed the result if the server to be
removed has a KRA installed, it would always return "not allowed"
because len(roles) == 1 and the name matched, regardless of
whether other servers also provided a KRA.
https://pagure.io/freeipa/issue/8397
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
26230328 by Jochen Kellner at 2021-11-23T10:27:45+01:00
Remove duplicate _() in the error path
When running IPA in locale de_DE.UTF-8 I got an internal error:
jochen at freeipa1:~$ ipa server-del freeipa4.example.org
Removing freeipa4.example.org from replication topology, please wait...
ipa: ERROR: Ein interner Fehler ist aufgetreten
This is not the complete messages. Using en_US.UTF-8 would be ok.
In the httpd error_log:
] ipa: ERROR: non-public: TypeError: unhashable type: 'Gettext'
] Traceback (most recent call last):
] File "/usr/lib/python3.10/site-packags/ipaserver/rpcserver.py", line 407, in wsgi_execute
] result = command(*args, **options)
] File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 471, in __call__
] return self.__do_call(*args, **options)
] File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 499, in __do_call
] ret = self.run(*args, **options)
] File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 821, in run
] return self.execute(*args, **options)
] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1686, in execute] return self.execute(*args, **options)
] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1686, in execute
] delete_entry(pkey)
] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1637, in delete_entry
] dn = callback(self, ldap, dn, *nkeys, **options)
] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 755, in pre_callback
] self._ensure_last_of_role(
] File
"/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line
520, in _ensure_last_of_role
] handler(
] File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 482, in handler
] raise errors.ServerRemovalError(reason=_(msg))
] File "/usr/lib/python3.10/site-packages/ipalib/errors.py", line 269, in __init__
] messages.process_message_arguments(self, format, message, **kw)
] File "/usr/lib/python3.10/site-packages/ipalib/messages.py", line 55, in process_message_arguments
] kw[key] = unicode(value)
] File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 296, in __str__
] return unicode(self.as_unicode())
] File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 293, in as_unicode
] return t.gettext(self.msg)
] File "/usr/lib64/python3.10/gettext.py", line 498, in gettext
] tmsg = self._catalog.get(message, missing)
] TypeError: unhashable type: 'Gettext'
] ipa: INFO: [jsonserver_session] admin at EXAMPLE.ORG:
server_del/1(['freeipa4.example.org'], version='2.245'): InternalError
Alexander suggested to remove _() in local handler() function in
_ensure_last_of_role():
else:
raise errors.ServerRemovalError(reason=_(msg))
Looks like all the callers give already gettext-enabled message (wrapped
with _() already).
At least for my case I now get a complete error message.
Fixes: https://pagure.io/freeipa/issue/9046
Signed-off-by: Jochen Kellner <jochen at jochen.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9043b8d5 by Alexander Bokovoy at 2021-11-23T10:31:34+01:00
Fix use of comparison functions to avoid GCC bug 95189
Due to a bug in GCC 9 and GCC 10 optimizing code, all C library
comparison functions should be used with explicit result comparison in
the code to avoid problems described in
http://r6.ca/blog/20200929T023701Z.html
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189
The code below is affected:
```
if (strcmp(a, b) || !strcmp(c, d)) ...
```
while the code below is not affected:
```
if (strcmp(a, b) != 0 || strcmp(c, d)) == 0
```
for all C library cmp functions and related:
- strcmp(), strncmp()
- strcasecmp(), strncasecmp()
- stricmp(), strnicmp()
- memcmp()
This PR idea is based on the pull request by 'Nicolas Williams <nico at twosigma.com>'
to Heimdal Kerberos: https://github.com/heimdal/heimdal/pull/855
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
eb833b15 by Florence Blanc-Renaud at 2021-11-23T14:57:49+01:00
ipatests: remove xfail on f35+ for test_number_of_zones
systemd-resolved fixed the issue on f35+
Related: https://pagure.io/freeipa/issue/8700
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
- - - - -
20f68d81 by François Cami at 2021-11-25T16:49:00+01:00
freeipa.spec: depend on bind-dnssec-utils
The OpenDNSSec integration code requires:
/usr/sbin/dnssec-keyfromlabel-pkcs11
which is provided by bind-pkcs11-utils, but that package is
only available on RHEL<9.
With this change, freeipa-server-dns depends on bind-dnssec-utils
on all Fedora releases and RHEL==9+, and uses:
/usr/sbin/dnssec-keyfromlabel -E pkcs11
instead of dnssec-keyfromlabel-pkcs11.
Fixes: https://pagure.io/freeipa/issue/9026
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Antonio Torres Moríñigo <atorresm at protonmail.com>
- - - - -
f01531ec by Antonio Torres at 2021-11-25T18:58:57+01:00
Update translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
7c2f99f8 by Antonio Torres at 2021-11-25T19:12:45+01:00
Update list of contributors
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
4738ab3d by Timo Aaltonen at 2021-11-25T21:02:56-05:00
ipaplatform/debian: Fix HTTPD_ALIAS_DIR, and drop some obsolete paths.
Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
de97d83c by Timo Aaltonen at 2021-11-25T21:02:56-05:00
ipaplatform: Add support for recognizing systemd-timesyncd
Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
dfbae694 by Timo Aaltonen at 2021-11-25T21:02:56-05:00
ipaplatform/debian: Fix named keytab name
This was changed in bind9 9.16 packaging
Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e94afdd6 by Timo Aaltonen at 2021-11-25T21:02:56-05:00
ipaplatform/debian: Fix ntpd service name
Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
52090d39 by Timo Aaltonen at 2021-11-25T21:02:56-05:00
ipatests/test_ipaplatform: Skip test_ipa_version on Debian
Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9799b819 by Timo Aaltonen at 2021-11-25T21:02:56-05:00
ipaplatform: Modify paths to fips-mode-setup and systemd-tmpfiles
Debian hasn't yet migrated to a unified /usr.
Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9eecaddd by Timo Aaltonen at 2021-11-25T21:02:56-05:00
configure: Use HTTPD_GROUP in init/tmpfiles/ipa.conf.in
This is a platform specific value.
Fixes: https://pagure.io/freeipa/issue/9014
Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f1a44185 by Sumedh Sidhaye at 2021-11-29T15:21:11+01:00
Extend test to see if replica is not shown when running `ipa-replica-manage list -v <FQDN>`
Related: https://pagure.io/freeipa/issue/8605
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f18a6c02 by Mohammad Rizwan at 2021-11-29T15:24:38+01:00
ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica teardown
Fixture `expire_certs` moves date back after renewing the certs.
This is causing the ipa-replica to fail. This fix first uninstalls
the server then moves back the date.
Fixes: https://pagure.io/freeipa/issue/9052
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
bda59110 by Alexander Bokovoy at 2021-11-29T21:00:42+02:00
ipa-kdb: issue PAC_REQUESTER_SID only for TGTs
MS-KILE 3.3.5.6.4.8 in revision after Windows Server November 2021
security fixes added the following requirement:
- PAC_REQUESTER_SID is only added in TGT case (including referrals and
tickets to RODCs)
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
637412ac by Alexander Bokovoy at 2021-11-29T21:00:42+02:00
ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates
New versions of MS-KILE and MS-SFU after Windows Server November 2021
security updates add PAC_REQUESTER_SID buffer check behavior:
- PAC_REQUESTER_SID should only be added for TGT requests
- if PAC_REQUESTER_SID is present, KDC must verify that the cname on
the ticket resolves to the account with the same SID as the
PAC_REQUESTER_SID. If it doesn't KDC must respond with
KDC_ERR_TKT_REVOKED
Change requester SID check to skip exact check for non-local
PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
we know about.
If requester SID is the same as in PAC, we already do cname vs PAC SID
verification.
With these changes FreeIPA works against Windows Server 2019 with
November 2021 security fixes in cross-realm S4U2Self operations.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b5fd2889 by Florence Blanc-Renaud at 2021-12-14T09:00:38+01:00
ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout
The test sets 389-ds nsslapd-idletimeout to 60s, then does a
kinit with an otp token (which makes ipa-otpd create a LDAP
connection), then sleeps for 60s. The expectation is that
ns-slapd will detect that the LDAP conn from ipa-otpd is idle
and close the connection.
According to 389ds doc, the idle timeout is enforced when the
connection table is walked. By doing a ldapsearch, the test
"wakes up" ns-slapd and forces the detection of ipa-otpd
idle connection.
Fixes: https://pagure.io/freeipa/issue/9044
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
56e4f33c by Anuja More at 2021-12-16T08:34:03+01:00
ipatests: Test default value of nsslapd-sizelimit.
related : https://pagure.io/freeipa/issue/8962
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a8b2279e by Mohammad Rizwan at 2021-12-17T17:27:30+01:00
ipatests: Test empty cert request doesn't force certmonger to segfault
When empty cert request is submitted to certmonger, it goes to
segfault. This fix test that if something like this happens,
certmonger should gracefuly handle it
and some PEP8 fixes
related: https://pagure.io/certmonger/issue/191
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
f0191040 by Alexander Bokovoy at 2022-01-11T15:19:36-05:00
Support building against OpenLDAP 2.6+
OpenLDAP 2.6 deprecated separate libldap/libldap_r, there is only one
(reentrant) variant for the library.
Attempt to use _r variant by default. In case it is missing, assume we
are using OpenLDAP 2.6 which has libraries without _r suffix. The
functions are still reentrant so there is not functional difference.
Fixes: https://pagure.io/freeipa/issue/9080
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
265f2618 by Mohammad Rizwan at 2022-01-12T11:22:28+01:00
Test cases for ipa-replica-conncheck command
Following test cases would be checked:
- when called with --principal (it should then prompt for a password)
- when called with --principal / --password
- when called without principal and password but with a kerberos TGT,
kinit admin done before calling ipa-replica-conncheck
- when called without principal and password, and without any kerberos
TGT (it should default to principal=admin and prompt for a password)
related: https://pagure.io/freeipa/issue/9047
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
df03dd9b by Mohammad Rizwan at 2022-01-12T11:22:28+01:00
PEP8 Fixes
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c2f2597b by Anuja More at 2022-01-12T15:01:28+01:00
ipatests: webui: Tests for subordinate ids.
Added web-ui tests to verify where operations
using subordinate ids are working as expected.
Related : https://pagure.io/freeipa/issue/8361
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
56df1fd9 by Anuja More at 2022-01-12T15:01:28+01:00
pr-ci definitions: add web-ui subid-related jobs
Related: https://pagure.io/freeipa/issue/8361
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
513099b4 by Florence Blanc-Renaud at 2022-01-13T08:21:05+01:00
ipatests: update images for f34 and f35
New versions of pki-server fix the following issues:
Fixes: https://pagure.io/freeipa/issue/9024
Fixes: https://pagure.io/freeipa/issue/8865
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
189d090d by Florence Blanc-Renaud at 2022-01-13T14:12:49-05:00
automember default group: remove --desc parameter
The automember-default-group commands inherit from
the automember commands but should not provide the
--desc parameter.
Remove 'description' from the list of parameters.
Fixes: https://pagure.io/freeipa/issue/9068
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
327e0232 by Florence Blanc-Renaud at 2022-01-13T14:20:59-05:00
Config plugin: return EmptyModlist when no change is applied
When ipa config-mod is called with the option --enable-sid,
the code needs to trap EmptyModlist exception (it is expected
that no LDAP attribute is modified by this operation).
The code had a flaw and was checking:
'enable_sid' in options
instead of
options['enable_sid']
"'enable_sid' in options" always returns true as this option
is a Flag with a default value, hence always present even if
not specified on the command line.
Fixes: https://pagure.io/freeipa/issue/9063
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
325415bb by Florence Blanc-Renaud at 2022-01-13T14:20:59-05:00
config plugin: add a test ensuring EmptyModlist is returned
Add a test to test_config_plugin, that calls ipa config-mod
with the same value as already present in LDAP.
The call must return EmptyModlist.
Related: https://pagure.io/freeipa/issue/9063
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ff020413 by Michal Polovka at 2022-01-14T08:38:41-05:00
ipatests: webui: Use safe-loader for loading YAML configuration file
FullLoader class for YAML loader was introduced in version 5.1 which
also deprecated default loader. SafeLoader, however, stays consistent
across the versions and brings added security.
This fix is necessary as PyYAML > 5.1 is not available in downstream.
Related: https://pagure.io/freeipa/issue/9009
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
75645760 by Sumedh Sidhaye at 2022-01-14T15:10:54+01:00
Added test automation for SHA384withRSA CSR support
Scenario 1:
Setup master with --ca-signing-algorithm=SHA384withRSA
Run certutil and check Signing Algorithm
Scenario 2:
Setup a master
Stop services
Modify default.params.signingAlg in CS.cfg
Restart services
Resubmit cert (Resubmitted cert should have new Algorithm)
Added nightly definitions
Pagure Link: https://pagure.io/freeipa/issue/8906
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>
- - - - -
a137eee8 by jh23453 at 2022-01-14T17:24:58+01:00
Remove deprecation warning when installing a CA replica
I got the following message when installing a replica with CA:
2021-11-22T21:15:35Z DEBUG [5/30]: configuring certificate server instance
...
WARNING: The 'pki_ssl_server_token' in [CA] has been deprecated. Use 'pki_sslserver_token' instead.
Installation log: /var/log/pki/pki-ca-spawn.20211122221535.log
Installing CA into /var/lib/pki/pki-tomcat.
With the following change the message no longer appears when installing a replica.
This commit fixes the firt (and simple) part of https://pagure.io/freeipa/issue/9056
Signed-off-by: Jochen Kellner <jochen at jochen.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
2278de73 by Florence Blanc-Renaud at 2022-01-20T16:40:38+01:00
ipatests: update images for f34 and f35
The new images include kernel-modules package.
Fixes: https://pagure.io/freeipa/issue/9087
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
2dc75201 by Alexander Bokovoy at 2022-01-24T17:38:24-05:00
ipa-kdb: refactor KDB driver to prepare for KDB version 9
MIT Kerberos 1.20 changes DAL interface around PAC record issuance:
sign_authdata callback is removed and replaced with issue_pac one.
The signatures are different and logic changed as well.
Prepare for KDB version 9 by moving PAC implementation into separate
source files. ipa_kdb_mspac.c is left with most of the common code.
FreeIPA supports sign_authdata callback since KDB version 6, move current
implementation to ipa_kdb_mspac_v6.c.
KDB version 8 actually changed sign_authdata interface and we accounted
to that in ipa_kdb.c with a stub that re-uses v6 version. Keep it as it
is right now.
Finally, add KDB version 9 stub files. Compiling against MIT Kerberos
1.20 does not work yet, thus explicit #error message in ipa_kdb.c. This
will be worked on later.
Related: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d97a221f by Florence Blanc-Renaud at 2022-01-25T15:40:28+01:00
ipatests: fix expected automount config in nsswitch.conf
The test TestIpaClientAutomountFileRestore expects a
specific order for the automount sources to query
in /etc/nsswitch.conf.
With authselect update 1.3.0, the databases are sorted in
order of likelihood and the following line in seen:
automount: files sss
instead of
automount: sss files
Since the test doesn't care about the order but rather about
the list of sources, ignore the order.
Fixes: https://pagure.io/freeipa/issue/9067
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fd7f4a74 by Francisco Trivino at 2022-01-31T10:08:43+01:00
Custodia: use a stronger encryption algo when exporting keys
The Custodia key export handler is using the default's OpenSSL encryption
scheme for PKCS#12.
This represents an issue when performing a migration from CentOS Stream 8 (C8S)
to CentOS Steam 9 (C9S) where the Custodia client running in the new C9S
replica talks to the Custodia server on C8S source server. The later creates an
encrypted PKCS#12 file that contains the cert and the key using the OpenSSL's
default encryption scheme, which is no longer supported on C9S.
This commit enforces a stronger encryption algorigthm by adding following
arguments to the Custodia server handler:
-keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384
The new arguments enforce stronger PBEv2 instead of the insecure PBEv1.
Fixes: https://pagure.io/freeipa/issue/9101
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f3636c6a by Florence Blanc-Renaud at 2022-01-31T18:14:22-05:00
ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus
The access to /kra/admin/kra/getStatus will be needed
in order to fix pki-healthcheck.
Note that this commit is a pre-requisite for the fix
to be done on PKI side. No test added since the full
integration test already exists in test_replica_promotion.py,
in TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica
Fixes: https://pagure.io/freeipa/issue/9099
Related: https://pagure.io/freeipa/issue/8582
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
35e94bee by Julien Rische at 2022-02-02T15:42:45+01:00
ipa-kdb: do not remove keys for hardened auth-enabled users
Since 5d51ae5, principal keys were dropped in case user auth indicator
was not including password. Thereafter, the key removal behavior was
removed by 15ff9c8 in the context of the kdcpolicy plugin introduction.
Support for hardened pre-auth methods (FAST and SPAKE) was added in
d057040, and the removal of principal keys was restored afterwards by
f0d12b7, but not taking the new hardened auth indicator into account.
Fixes: https://pagure.io/freeipa/issue/9065
Related to: https://pagure.io/freeipa/issue/8001
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
97d123cc by Julien Rische at 2022-02-02T15:42:45+01:00
ipatests: add case for hardened-only ticket policy
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
8c241869 by Rob Crittenden at 2022-02-03T13:36:18-05:00
Don't always override the port in import_included_profiles
I can only guess to the original purpose of this override. I
believe it was because this is called in the installer prior
to Apache being set up. The expectation was that this would
only be called locally. It predates the RestClient class.
RestClient will attempt to find an available service. In this
case, during a CA installation, the local server is not
considered available because it lacks an entry in
cn=masters. So it will never be returned as an option.
So by overriding the port to 8443 the remote connection will
likely fail because we don't require that the port be open.
So instead, instantiate a RestClient and see what happens.
There are several use-cases:
1. Installing an initial server. The RestClient connection
should fail, so we will fall back to the override port and
use the local server. If Apache happens to be running with
a globally-issued certificate then the RestClient will
succeed. In this case if the connected host and the local
hostname are the same, override in that case as well.
2. Installing as a replica. In this case the local server should
be ignored in all cases and a remote CA will be picked with
no override done.
3. Switching from CA-less to CA-ful. The web server will be
trusted but the RestClient login will fail with a 404. Fall
back to the override port in this case.
The motivation for this is trying to install an EL 8.x replica
against an EL 7.9 server. 8.5+ includes the ACME service and
a new profile is needed which doesn't exist in 7. This was
failing because the RestClient determined that the local server
wasn't running a CA so tried the remote one (7.9) on the override
port 8443. Since this port isn't open: failure.
Chances are that adding the profile is still going to fail
because again, 7.9 lacks ACME capabilities, but it will fail in
a way that allows the installation to continue.
I suspect that all of the overrides can similarly handled, or
handled directly within the RestClient class, but for the sake
of "do no harm" I'm only changing this instance for now.
https://pagure.io/freeipa/issue/9100
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
3c1f4ba9 by Rob Crittenden at 2022-02-04T13:28:42-05:00
Remove ipa-join errors from behind the debug option
This brings it inline with the previous XML-RPC output which
only hid the request and response from the output and not
any errors returned.
https://pagure.io/freeipa/issue/9103
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Peter Keresztes Schmidt <carbenium at outlook.com>
- - - - -
c93fa491 by Alexander Bokovoy at 2022-02-07T10:35:27+02:00
OpenLDAP 2.6+: use only -H option to specify LDAP url
OpenLDAP 2.6+ finally deprecated -h and -p options in all its command
line tools. They are not allowed anymore and cause ldap* tools to stop
hard with 'unknown option' error.
Fix this by always using -H url option instead. Deriving default value
for -H url from the configuration file still works, it is only -h and -p
that were deprecated.
See also: https://bugs.openldap.org/show_bug.cgi?id=8618
Fixes: https://pagure.io/freeipa/issue/9106
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
39a4d785 by Alexander Bokovoy at 2022-02-07T10:35:27+02:00
pylint: workaround incorrect pylint detection of a local function
pylint 2.9 thinks that __add_principal is a class-level method that is
unused. It is a local function inside one of class methods and is used
directly inside that method.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d64db126 by Alexander Bokovoy at 2022-02-07T10:35:27+02:00
translations: regenerate translations after changes in help message in sudorule
A change to replace -h and -p options in OpenLDAP command line utilities
causes also an update in the help text in sudorule plugin. This, sadly,
makes existing translations of that text not valid anymore. However, we
have to change the text as OpenLDAP 2.6+ will make the command
referenced in the help text incorrect.
The change in OpenLDAP 2.6+ implements deprecation that was announced by
OpenLDAP project around 20 years ago, so all existing tools support -H
option.
See also: https://bugs.openldap.org/show_bug.cgi?id=8618
Related: https://pagure.io/freeipa/issue/9106
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
926b707d by Florence Blanc-Renaud at 2022-02-08T18:30:43+01:00
ipatests: update images for f34 and f35
The new images include 389-ds-base 2.0.14-1
which contains the fixes for the following tickets:
389-ds-base #5079 Freeipa nightly test failure with winsync agreement
389-ds-base #5031 ipa-restore broken in selinux enforcing mode
Fixes: https://pagure.io/freeipa/issue/9069
Fixes: https://pagure.io/freeipa/issue/9051
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
c396ca01 by Rob Crittenden at 2022-02-09T10:41:56-05:00
Enable the ccache sweep timer during installation
The timer was only being enabled during package installation
if IPA was configured. So effectively only on upgrade.
Add as a separate installation step after the ccache directory
is configured.
Fixes: https://pagure.io/freeipa/issue/9107
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f4df4d9b by Mohammad Rizwan at 2022-02-09T10:41:56-05:00
Test ipa-ccache-sweep.timer enabled by default during installation
This test checks that ipa-ccache-sweep.timer is enabled by default
during the ipa installation.
related: https://pagure.io/freeipa/issue/9107
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
54f8733f by Stanislav Levin at 2022-02-09T10:45:40-05:00
ipatests: healthcheck: Sync the expected system RRs
The support for the DNS URI RRs has been added in freeipa-healthcheck:
https://github.com/freeipa/freeipa-healthcheck/issues/222
Fixes: https://pagure.io/freeipa/issue/9054
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
61650c57 by Rob Crittenden at 2022-02-09T10:48:06-05:00
Re-work the quiet option in ipa-join to not suppress errors
The quiet option was supposed to suppress unnecessary output
on successful invocations. Instead it was suppressing most
error messages as well.
Remove all the quiet checks when an error would be displayed.
Pass the quiet option to ipa-getkeytab so it honors the
request as well.
Also tidy up some of the debug output.
https://pagure.io/freeipa/issue/9105
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
46ccf006 by Rob Crittenden at 2022-02-10T11:55:26-05:00
ipatests: Remove certmonger tracking before uninstall in cert tests
There is some contention between certmonger starting during the
uninstallation process in order to stop the tracking and activity
going on within certmonger helpers.
As near as I can tell certmonger is not running, then IPA is
stopped in order to uninstall, then certmonger is started to stop
the tracking. certmonger checks cert status on startup but since
IPA isn't running it can't get a host ticket. During this time any
request over DBus may time out, causing a test to fail when we're
just trying to clean up.
https://pagure.io/freeipa/issue/8506
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
3de5e4e1 by Francisco Trivino at 2022-02-11T13:31:34+02:00
ipa_cldap: fix memory leak
ipa_cldap_encode_netlogon() allocates memory to store binary data as part of
berval (bv_val) when processing a CLDAP packet request from a worker. The
data is used by ipa_cldap_respond() but bv_val is not freed later on.
This commit is adding the corresponding free() after ipa_cldap_respond()
is completed.
Discovered by LeakSanitizer
Fixes: https://pagure.io/freeipa/issue/9110
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz at redhat.com>
- - - - -
a78f9f7f by Anuja More at 2022-02-11T13:33:16+02:00
ipatests: remove additional check for failed units.
On RHEL tests are randomly failing because of this check
and the test doesn't need to check this.
Related : https://pagure.io/freeipa/issue/9108
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ba796e38 by Brian Turek at 2022-02-11T13:35:32+02:00
ipalib: Handle percent signs in saved values
Turn off string interpolation on the FileStore class to avoid
exceptions when a value to be saved contains a percent sign (%).
The underlying SafeConfigParser that is used interprets percent
signs as placeholders to be interpolated which then causes an
exception as the placeholder isn't properly formatted.
ipa-client-install uses the FileStore class to backup certain
values that it overwrites as part of the installation. If those
pre-existing, backed-up values contained a percent sign,
ipa-client-install would throw an exception and thus prevent
installation.
https://pagure.io/freeipa/issue/9085
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
043b118d by Florence Blanc-Renaud at 2022-02-14T11:21:01+02:00
Commit template: use either Fixes or Related
Update the commit template to be consistent with the
commit message requirements described at
https://www.freeipa.org/page/Contribute/Code#Commit_message_requirements
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
- - - - -
56708d60 by Rob Crittenden at 2022-02-22T14:49:31+01:00
Set the mode on ipaupgrade.log during RPM %post snipppet
The IPA tools will create /var/log/ipaupgrade.log with mode
0600. If for some reason this file doesn't exist during
upgrade then it will be created by the RPM transaction with
mode 0644 (because of umask).
So always set the mode once the snippets are done. This
will ensure that a newly created log will have the expected
mode and also fix any previous incorrectly set mode.
Fixes: https://pagure.io/freeipa/issue/8899
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
663cd9af by Anuja More at 2022-02-23T10:29:14+01:00
ipatests: Tests for Autoprivate group.
Added tests using posix AD trust and non posix AD trust.
For option --auto-private-groups=[hybrid/true/false]
Related : https://pagure.io/freeipa/issue/8807
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
9d1f2279 by Anuja More at 2022-02-23T10:29:14+01:00
mark xfail for test_idoverride_with_auto_private_group[hybrid]
Related : https://github.com/SSSD/sssd/issues/5989
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3403af58 by Anuja More at 2022-02-23T10:29:14+01:00
Mark xfail test_gidnumber_not_corresponding_existing_group[true,hybrid]
Related : https://github.com/SSSD/sssd/issues/5988
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
50241b36 by Rob Crittenden at 2022-02-23T09:39:51-05:00
ipa-restore: Mark a restored server as enabled
There is no use-case to keep a restored server in a hidden
state. It can be re-marked as hidden once the installation is
recovered from the restore. So mark all restored services as
enabled so they are visible to existing clients during the
remaining recovery.
Fixes: https://pagure.io/freeipa/issue/9095
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
8b517e68 by Rob Crittenden at 2022-02-25T08:13:52+01:00
Verify the user-provided hostname in the server installer
The refactor change 9094dfc had a slight error where the
user-input provided value in input wasn't being validated. Only
the command-line or the current FQDN was being verified so
if the FQDN was bad any value input by the user was being skipped.
Fixes: https://pagure.io/freeipa/issue/9111
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b445cff4 by Rob Crittenden at 2022-02-25T08:13:52+01:00
Strip off trailing period of a user-provided FQDN in installer
The example text included a trailing dot which isn't actually
allowed in a system hostname (just DNS). Remove the suggestion
to include it and strip off any trailing dot so that the install
can proceed.
Related: https://pagure.io/freeipa/issue/9111
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
625176a7 by Florence Blanc-Renaud at 2022-03-03T08:11:42+01:00
ipatests: add missing test in the nightly defs
The test
test_integration/test_installation.py::TestInstallWithoutNamed
was missing in some nightly definitions.
Add the job definition for:
- nightly_latest_selinux.yaml
- nightly_latest_testing.yaml
- nightly_latest_testing_selinux.yaml
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d38dd268 by Alexander Bokovoy at 2022-03-08T12:54:47+01:00
KRB instance: make provision to work with crypto policy without SHA-1 HMAC types
RHEL 9 system-wide crypto policies aim at eventual removal of SHA-1 use.
Due to bootstrapping process, force explicitly supported encryption
types in kdc.conf or we may end up with AES128-SHA1 and AES256-SHA2 only
in FIPS mode at bootstrap time which then fails to initialize kadmin
principals requiring use of AES256-SHA2 and AES128-SHA2.
Camellia ciphers must be filtered out in FIPS mode, we do that already
in the kerberos.ldif.
At this point we are not changing the master key encryption type to
AES256-SHA2 because upgrading existing deployments is complicated and
at the time when a replica configuration is deployed, we don't know what
is the encryption type of the master key of the original server as well.
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
2eee5931 by Alexander Bokovoy at 2022-03-08T12:54:47+01:00
tests: ensure AD-SUPPORT subpolicy is active
Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS
mode. This is required in FIPS mode due to AD not supporting Kerberos
AES-bases encryption types using FIPS-compliant PBKDF2 and KDF, as
defined in RFC 8009.
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
985dffe1 by Alexander Bokovoy at 2022-03-08T12:54:47+01:00
ipatests: extend AES keyset to SHA2-based ones
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
7d25eead by Alexander Bokovoy at 2022-03-08T12:54:47+01:00
freeipa.spec: bump crypto-policies dependency for CentOS 9 Stream
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
a5b3c64a by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Skip redundant-u-string-prefix
Pylint 2.10 introduced new checker `redundant-u-string-prefix`:
> Used when we detect a string with a u prefix. These prefixes were
necessary in Python 2 to indicate a string was Unicode, but since Python
3.0 strings are Unicode by default.
There are ~31K emitted warnings right now. They can be fixed on
refactorings without any rush.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
14e94099 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Skip consider-using-f-string
Pylint 2.11 introduced new checker:
> Used when we detect a string that is being formatted with format() or
% which could potentially be a f-string. The use of f-strings is
preferred. Requires Python 3.6 and ``py-version >= 3.6``.
- f-strings are not mandatory
- format can be more readable
- there are ~5.5K spotted issues
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
af8adbb4 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Skip use-dict-literal/use-list-literal
Pylint 2.10 introduced new checkers:
> Emitted when using dict() to create an empty dictionary instead of the
literal {}. The literal is faster as it avoids an additional function
call.
> Emitted when using list() to create an empty list instead of the
literal []. The literal is faster as it avoids an additional function
call.
Too many unessential changes.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
97d258c6 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Skip unspecified-encoding
Pylint 2.10 introduced new checker:
> It is better to specify an encoding when opening documents. Using the
system default implicitly can create problems on other operating
systems. See https://www.python.org/dev/peps/pep-0597/
According to that PEP:
> open(filename) isn't explicit about which encoding is expected:
- If ASCII is assumed, this isn't a bug, but may result in decreased
performance on Windows, particularly with non-Latin-1 locale
encodings
- If UTF-8 is assumed, this may be a bug or a platform-specific script
- If the locale encoding is assumed, the behavior is as expected (but
could change if future versions of Python modify the default)
IPA requires UTF-8 environments.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
017b73e7 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Fix use-maxsplit-arg
Pylint 2.9.0 new checker:
> Emitted when accessing only the first or last element of str.split()..
The first and last element can be accessed by using str.split(sep,
maxsplit=1)[0] or str.rsplit(sep, maxsplit=1)[-1] instead.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0bea6c4e by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Clean up __convert_to_gssapi_replication
__convert_to_gssapi_replication has been added in a0bfbec19 and
then removed in ce2bb47cc without clean up.
Found by Pylint:
```
ipaserver/install/krbinstance.py:589: [W0238(unused-private-member),
KrbInstance.__convert_to_gssapi_replication] Unused private member
`KrbInstance.__convert_to_gssapi_replication(self)`)
```
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
db31f65a by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Drop never used __remove_lightweight_ca_key_retrieval_custodia
__remove_lightweight_ca_key_retrieval_custodia has been added in
8700101d9, but it was never used.
Caught by Pylint:
```
ipaserver/install/cainstance.py:1308: [W0238(unused-private-member),
CAInstance.__remove_lightweight_ca_key_retrieval_custodia]
Unused private member
`CAInstance.__remove_lightweight_ca_key_retrieval_custodia(self)`)
```
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d90f4536 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Drop no longer used __finalized
The private member `__finalized` has been added in
7db3aae1b26588b3650dae442b07dca0f33ab0c8, later removed in
6b8abb0d78a8d86d7ca52083a267fe226bf74656, but `_API__finalized`
(access via mangled attribute name) was not cleaned up and finally
refactored back to `__finalized` in
b1fc875c3ac74be91df8f1cf8b4369b77a156677.
Found by Pylint:
```
ipalib/plugable.py:807: [W0238(unused-private-member), API.finalize]
Unused private member `API.__finalized`)
```
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cd2739bb by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Skip unused-private-member for property case
See https://github.com/PyCQA/pylint/issues/4756 for details
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8f117cc7 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Skip unused-private-member for unsupported cases
> This mangling is done without regard to the syntactic position of the
identifier, as long as it occurs within the definition of a class.
`__set_attr` is called for instance of the class within its
classmethod.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e4e5a506 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Fix unused-private-member
Pylint 2.9.0 introduced new checker:
> Emitted when a private member of a class is defined but not used
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
21c3dff6 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Drop no longer used __home
`__home` has been added in 8ca44bcbfa2aec0c7c84205dc08c81f711a22c5d,
later `tests.util` was refactored in
fd43b39145382b96cd2e0d0da3d5dcbe0d3a4a2a, but `__home` wasn't cleaned
up.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d991245a by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Remove unused __convert_iter
__convert_iter was added in 24b6cb89d, but it was never used.
Found by Pylint:
```
ipalib/frontend.py:696: [W0238(unused-private-member),
Command.__convert_iter] Unused private member
`Command.__convert_iter(self, kw)`)
```
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
139f6b63 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Fix deprecated-class
There is no actual usage of deprecated classes for Python3.
Pylint complains about such for Python2. Since Python2 is no
longer supported these imports were removed.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
516adf40 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Fix unnecessary-dict-index-lookup
Pylint 2.9 introduced new check:
> Emitted when iterating over the dictionary items (key-item pairs) and
accessing the value by index lookup. The value can be accessed directly
instead.
Note: in Python3 removing from dict during an iteration is not
possible even. For example,
```
cat a.py
d = {"a": 1}
for k, v in d.items():
if v is not None:
del d[k]
python3 a.py
Traceback (most recent call last):
File "/usr/src/RPM/BUILD/freeipa/a.py", line 3, in <module>
for k, v in d.items():
RuntimeError: dictionary changed size during iteration
```
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
31a9eb37 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Fix deprecated-decorator
Pylint 2.9 introduced new checker:
> The decorator is marked as deprecated and will be removed in the
future.
- @abstractproperty has been deprecated since Python3.3 [0]
- @abstractclassmethod has been deprecated since Python3.3 [1]
[0]: https://docs.python.org/3/library/abc.html#abc.abstractproperty
[1]: https://docs.python.org/3/library/abc.html#abc.abstractclassmethod
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e0964787 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Skip isinstance-second-argument-not-valid-type
The type of value to be compared is class attribute.
Today's Pylint doesn't support this.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a1f0f274 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Fix no-member
Teach pylint or skip newly exposed no-members.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ba95a377 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Fix unused-variable
Fixed newly exposed unused variables.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f9d0fc8a by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Skip not-callable
The klass property is referenced to class attribute.
Today's Pylint doesn't support this.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
851f6d48 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Fix consider-using-dict-items
Pylint 2.9 introduced new check:
> New checker consider-using-dict-items. Emitted when iterating over
dictionary keys and then indexing the same dictionary with the key
within loop body.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
df3c40fd by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Skip raising-bad-type
See https://github.com/PyCQA/pylint/issues/4772 for details.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
57ee7d38 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Enable useless-suppression
https://pylint.pycqa.org/en/latest/user_guide/message-control.html#detecting-useless-disables:
> As pylint gets better and false positives are removed, disables that
became useless can accumulate and clutter the code. In order to clean
them you can enable the useless-suppression warning.
This doesn't enforce useless-suppression warnings as errors. The idea is
cleanup of these warings on every Pylint's bump.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8383e60b by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Skip use-implicit-booleaness-not-comparison
Pylint 2.12.0 introduced new checker:
> Used when Pylint detects that collection literal comparison is being
used to check for emptiness; Use implicit booleaness insteadof a
collection classes; empty collections are considered as false
Comparison of variable to equality to collection:
> Lexicographical comparison between built-in collections works as follows:
For two collections to compare equal, they must be of the same type,
have the same length, and each pair of corresponding elements must
compare equal (for example, [1,2] == (1,2) is false because the type is
not the same).
Collections that support order comparison are ordered the same as their
first unequal elements (for example, [1,2,x] <= [1,2,y] has the same
value as x <= y). If a corresponding element does not exist, the shorter
collection is ordered first (for example, [1,2] < [1,2,3] is true).
So, `assert value == {}` is not the same as `assert not value`.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
baf68ef3 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Fix arguments-renamed
Pylint 2.9.0 introduced new checker which was a subset of
arguments-differ:
> Used when a method parameter has a different name than in the
implemented interface or in an overridden method.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
42ff1e0f by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Fix consider-using-in
Pylint 2.11.0 extends consider-using-in check to work for
attribute access.
> To check if a variable is equal to one of many values,combine the
values into a tuple and check if the variable is contained "in" it
instead of checking for equality against each of the values.This
is faster and less verbose.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
adc7b7cc by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Skip deprecated-method for match_hostname
Python3.7 switched to
`X509_VERIFY_PARAM_set1_host`/`X509_VERIFY_PARAM_set1_ip`
and deprecated `match_hostname` without replacement. Probably,
on removal `match_hostname` the similar functionality may be
implemented on IPA side.
https://docs.python.org/3/library/ssl.html#ssl.match_hostname
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
feab723c by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Fix deprecated-method for threading
As of Python3 `currentThread`, `thread.getName` are aliases for
`threading.current_thread()` and `threading.Thread.name`
respectively.
In Python3.10:
> bpo-43723: The following threading methods are now deprecated and
should be replaced:
currentThread => threading.current_thread()
activeCount => threading.active_count()
Condition.notifyAll => threading.Condition.notify_all()
Event.isSet => threading.Event.is_set()
Thread.setName => threading.Thread.name
thread.getName => threading.Thread.name
Thread.isDaemon => threading.Thread.daemon
Thread.setDaemon => threading.Thread.daemon
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f416abe5 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Skip unsupported-assignment-operation
Pylint thinks that the values are None because doesn't support
flow analysis.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ac6fe016 by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Fix format-string-without-interpolation
Found by new Pylint:
> ipaclient/install/client.py:1926:
[W1310(format-string-without-interpolation), get_ca_certs] Using
formatting for a string that does not have any interpolated variables)
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5a00882e by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Fix useless-suppression
Cleanup up no longer used Pylint's disables where possible.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
bcc6361c by Stanislav Levin at 2022-03-11T13:37:08-05:00
pylint: Skip false-positive invalid-sequence-index
Pylint doesn't handle flow control and thus, doesn't understand
that a key of type `str` is not reachable at this point:
> ipalib/base.py:472: [E1126(invalid-sequence-index),
NameSpace.__getitem__] Sequence index is not an int, slice, or instance
with __index__)
Note: I faced this error on Python3.9 and didn't see it using
Python3.10.
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
575b3a21 by Stanislav Levin at 2022-03-11T13:37:08-05:00
azure: Bump supported Pylint
Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4bdecd55 by Fraser Tweedale at 2022-03-14T13:06:17-04:00
allow overriding systemd-tmpfiles program
In some contexts, filesystem mounts may be owned by unmapped users
(e.g. `emptyDir` mounts in Kubernetes / OpenShift when using user
namespaces). This causes `systemd-tmpfiles(8)` to fail, as a
consequence of systemd's path processing routines which reject this
scenario. Therefore, in Fedora container context, if the
`IPA_TMPFILES_PROG` environment value is set, use the program
specified by its value instead of `/bin/systemd-tmpfiles`.
Signed-off-by: Fraser Tweedale <ftweedal at redhat.com>
Fixes: https://pagure.io/freeipa/issue/9126
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9ac88216 by Rob Crittenden at 2022-03-15T08:36:18+01:00
ipatests: Give the subCA more time to be loaded by the CA
The subCA keys are loaded out-of-band after creation into the
CA so they may have been replicated but not loaded. Give more
time for them to appear in the remote CA.
Use a loop for the checking instead of a raw sleep because most
of the time this is very fast (< 15 seconds) but sometimes it
requires just a bit more. Allow up to 60 seconds.
To avoid output difference, strip the token name out of certutil
output. We don't care about the token a certificate is stored
in, the internal or the FIPS token. We just care that they exist
on both servers and that the keys match.
Apparently in some cases the token name is displayed and not in
others so lets normalize the output to make comparisons more
consistent.
Fixes: https://pagure.io/freeipa/issue/9096
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
c37a033b by Sumit Bose at 2022-03-16T11:08:39+02:00
extdom: user getorigby{user|group}name if available
New calls, getorigbyusername() and getorigbygroupname(), are added to
libsss_nss_idmap. They allow to query the AD specific attributes for a
user or a group directly. Besides a minor performance benefit it helps
to avoid issues if there are users and groups with the same name and the
group is not a user-private group but a real group with members.
Fixes: https://pagure.io/freeipa/issue/9127
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a6030f5f by Alexander Bokovoy at 2022-03-16T11:14:35+02:00
Kerberos instance: default to AES256-SHA2 for master key encryption
KDC configuration in /var/kerberos/krb5kdc/kdc.conf is generated from
the template in install/share/kdc.conf.template. Master key encryption
type specified there is used to bootstrap the master key in LDAP
database. Once it is done, actual deployment does not rely on the
master_key_type value anymore. The actual master key(s) get loaded from
LDAP database where they stored in a BER-encoded format, preserving all
parameters, including encryption type.
This means we can safely migrate to AES256-SHA2 as the default master
key encryption type for new installations. Replicas will get their
master key encryption type details from the server they were provisioned
from.
MIT Kerberos supports AES256-SHA2 since 1.15 (2015), meaning RHEL 7.4 is
the earliest supported version as it provides krb5 1.15.1. Current
supported RHEL 7 version is RHEL 7.9. Since RHEL 6 already cannot be
used as a replica to IPA 4.5+ due to a domain level 1 upgrade, this
change does not affect old releases.
Migration from the previously deployed master key encryption type is
described by MIT Kerberos upstream in
http://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html#the-database-master-key
One would need to use '-x ipa-setup-override-restrictions' to allow
the `kdb5_util` utility to modify the data over IPA KDB driver.
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
621af275 by Alexander Bokovoy at 2022-03-16T11:14:35+02:00
test_otp: do not use paramiko unless it is really needed
paramiko cannot be used in FIPS mode. We have few tests that import
generic methods from test_otp (add_token/del_token) and those tests fail
in FIPS mode due to unconditional 'import paramiko'.
Instead, move 'import paramiko' to the ssh_2f() helper which is not used
in FIPS mode (the whole SSH 2FA test is skipped then).
Related: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
517ae594 by Alexander Bokovoy at 2022-03-16T11:14:35+02:00
test_krbtpolicy: skip SPAKE-related tests in FIPS mode
SPAKE is based on the crypto primitives which are not FIPS compliant
yet. This means that in FIPS mode use of 'hardened' authentication
indicator is not possible. Skip corresponding tests in FIPS mode.
Related: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
40c362e1 by Christian Heimes at 2022-03-16T12:07:01+02:00
Support AES for KRA archival wrapping
The vault plugin has used TripleDES (des-ede3-cbc) as default wrapping
algorithm since the plugin was introduced. Allow use of AES-128-CBC as
alternative wrapping algorithm for transport of secrets.
Fixes: https://pagure.io/freeipa/issue/6524
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
b8f45fc6 by Francisco Trivino at 2022-03-16T12:07:01+02:00
Set AES as default for KRA archival wrapping
This commit sets AES-128-CBC as default wrapping algorithm as
TripleDES (des-ede3-cbc) is not supported anymore in C9S.
Fixes: https://pagure.io/freeipa/issue/6524
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
- - - - -
5a909cff by Mohammad Rizwan at 2022-03-16T12:17:08+02:00
ipatests: Check maxlife error message where minlife > maxlife specified
When minlife > maxlife specified on commandline, it says:
"ipa: ERROR: invalid 'maxlife': Maximum password life must be
greater than minimum."
But when minlife == maxlife specfied, It works.
This test check that error message says what exactly it does
related: https://pagure.io/freeipa/issue/9038
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
fe9be8c4 by Rob Crittenden at 2022-03-16T12:18:35+02:00
Convert values using _SYNTAX_MAPPING with --delattr
When an entry is loaded the incoming values are converted
into python datatypes automatically based on the _SYNTAX_MAPPING
value in ipaldap.
When using delattr to remove a mapped value it will fail because
the datatypes do not match up. For example date types are
datetime.datetime structions and won't match a generalized time
string.
So try to map the value to delete using _SYNTAX_MAPPING before
trying to remove the value. Fall back to trying to remove the
raw value if the mapping fails.
This won't work for some mapping types, DNs for example. Providing
only the RDN value for a DN-type, manager for example, lacks the
context to know how to construct the DN (RDN and contaner).
Fixes: https://pagure.io/freeipa/issue/9004
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d237c40b by Alexander Bokovoy at 2022-03-17T11:49:57-04:00
ipalib/util.py: switch to ssl.PROTOCOL_TLS_CLIENT by default
Python 3.10 deprecated ssl.PROTOCOL_TLS and ssl.PROTOCOL_SSLv23
constants which were aliases to each other. Use of them now causes a
warning to be displayed:
/usr/lib/python3.10/site-packages/ipalib/util.py:347: DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
Use ssl.PROTOCOL_TLS_CLIENT instead, this constant is available since
Python 3.6.
Fixes: https://pagure.io/freeipa/issue/9129
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a283735f by Rob Crittenden at 2022-03-18T09:40:37+01:00
Remove the --no-sssd option from ipa-client-automount
This makes automount configurable only using sssd and not LDAP.
The reason is that authselect 1.3 no longer supports
user-nsswitch.conf which is where we made direct changes to the
nss configuration on Fedora/RHEL.
The equivalent option was removed from ipa-client-install in
https://pagure.io/freeipa/issue/7671
Fixes: https://pagure.io/freeipa/issue/9084
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
52ec9cc0 by Florence Blanc-Renaud at 2022-03-19T11:20:50+01:00
ipatests: remove certmonger tracking before uninstall
test_ipahealthcheck_expiring is moving the date in the future
in order to check that certmonger properly warns about expiring
certificates, then uninstalls the master.
The uninstallation randomly fails with a DBus error communicating
with certmonger because of a contention between certmonger being
waken up by the call to stop tracking certs and the certmonger
helpers trying to renew the certs.
The test is stopping PKI server, then moves the date in the future.
At this point, certmonger is still running (we are testing that
getcert list properly warns about near expiration). This means that
chances are high that certmonger has enough time to launch the CA helper
for renewal, that takes the lock. But since PKI is down, the helper
remains running for a while and does not release the lock. Then
certmonger is stopped, the tracking files are removed, certmonger is
restarted.
To avoid the contention, manually remove the tracking before
calling uninstall and remove the renewal lock file.
Fixes: https://pagure.io/freeipa/issue/9123
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e32bfd44 by Florence Blanc-Renaud at 2022-03-19T11:20:50+01:00
ipatests: Fix a call to run_command with wildcard
The test is calling run_command with a list of arguments:
run_command(['rm', '-f', paths.CERTMONGER_REQUESTS_DIR + '/*'])
but this format does not support shell expansion.
Replace with a str parameter:
run_command('rm -fv' + paths.CERTMONGER_REQUESTS_DIR + '/*')
to make sure all the files in the directory are actually removed.
Fixes: https://pagure.io/freeipa/issue/8506
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
67488d23 by Sudhir Menon at 2022-03-22T08:37:51+01:00
ipatests: Test for pki.server.healthcheck.clones.connectivity_and_data
This test checks that when
'pki.server.healthcheck.clones.connectivity_and_data' check is run
'Source 'pki.server.healthcheck.clones.connectivity_and_data' not found'
is not displayed.
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2041995
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
5a42ab11 by Alexander Bokovoy at 2022-03-25T10:23:38+01:00
tests: ensure AD-SUPPORT subpolicy is active in more cases
Continuation of the commit 2eee5931d714ca237290be7dc2fb7233ce747eca:
Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS
mode. This is required in FIPS mode due to AD not supporting Kerberos
AES-bases encryption types using FIPS-compliant PBKDF2 and KDF, as
defined in RFC 8009.
Fixes: https://pagure.io/freeipa/issue/9119
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
27ab2165 by Alexander Bokovoy at 2022-03-28T16:34:04+03:00
ipatests: fix check for AD topology being present
Fixes: https://pagure.io/freeipa/issue/9133
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f91e9d3f by Sumit Bose at 2022-03-29T14:01:29-04:00
ipa-kdb: fix make check
The recent refactoring split out code into two new files which are
needed for the test binary as well.
Related: https://pagure.io/freeipa/issue/9083
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4514e809 by Mohammad Rizwan at 2022-04-07T14:19:28+02:00
ipatests: fix the topologysegment-reinitialize command
There is no guarantee for the topologysegement name, it could be
master-to-replica or replica-to-master. If it is master-to-replica
then --right should be used with the command else --left.
Fixes: https://pagure.io/freeipa/issue/9137
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
10046ffb by Mohammad Rizwan at 2022-04-07T14:19:28+02:00
ipatests: extend find_segment with suffix param
topologysegment name can be different depending on suffix.
This patch determines and supply the name of topologysgement
as per the suffix
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
5638bdcb by Alexander Bokovoy at 2022-04-13T18:37:12+02:00
ipa-pwd-extop: allow ipasam to request RC4-HMAC in Kerberos keys for trusted domain objects
This is a problem since we added commit b5fbbd1 in 2019. Its logic
allowed to add RC4-HMAC keys for cifs/.. service principal but it didn't
account for the case when cifs/.. principal initiates the request.
Since ipasam only uses GETKEYTAB control, provide this extension only
here and don't allow the same for SETKEYTAB. At the point of check for
the bind DN, we already have verified that the DN is allowed to write to
the krbPrincipalKey attribute so there is no leap of faith to 'any
cifs/... principal' here.
A principal must be member of cn=adtrust
agents,cn=sysaccounts,cn=etc,$SUFFIX to allow perform this operation
Fixes: https://pagure.io/freeipa/issue/9134
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4a956616 by Alexander Bokovoy at 2022-04-13T18:37:12+02:00
ipa-sam: retrieve trusted domain account credential from the TDO itself
When NRPC netr_ServerAuthenticate3 call is performed, a trusted AD DC
would use trusted domain account to authenticate to Samba. This means
that Samba would do internally samr_QueryUserInfo2 request with level 16
(UserControlInformation), coming to PDB module via pdb_getsampwsid()
call.
For normal user or workstation accounts we expect to have Kerberos keys
available and may be able to extract NTLM hash data from them. However,
trusted domain account is not a normal Kebreros principal. It stores TDO
credential in a different way. Since we never processed it through the
pdb_getsampwsid() call, it was not possible to retrieve the NTLM hash
for TDO account at all, hence netr_ServerAuthenticate3 call was failing.
NTLM hash is used internally in Samba. An external communication with AD
DC will use an AES-based session key that is derived from the TDO
credential. The credential itself can be treated as a plaintext here.
Fix it by adding a recognition of the trusted domain object account and
retrieve the NTLM hash from the correct attribute of the TDO.
Fixes: https://pagure.io/freeipa/issue/9134
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
599792e8 by Alexander Bokovoy at 2022-04-13T18:37:12+02:00
ipatests: collect samba logs when setting up trust to AD
In many cases it is impossible to investigate test failures of
environments where a trust to Active Directory is establishe without
Samba logs.
Collect Samba logs by default and make sure Samba is configured with
higher log levels if we are going to configure IPA to setup trust to
Active Directory.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c780504d by Armando Neto at 2022-04-24T21:13:26-03:00
ipatests: bump PR-CI rawhide template
Based on compose `20220413.n.0`.
Issue: https://github.com/freeipa/freeipa-pr-ci/issues/457
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
fbfd64fc by Florence Blanc-Renaud at 2022-04-25T09:04:17+02:00
ipatests: fix wrong condition in xfail_context for auto private grp
The tests
TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group
and
TestPosixAutoPrivateGroup::test_gidnumber_not_corresponding_existing_group
are expected to fail until SSSD fixes issues 5988 and 5989.
They currently define an xfail_context with a condition based on
sssd version but that condition is wrong (as of today, no version
of sssd provides the fix).
Remove the wrong condition so that the test is always expected to fail.
Fixes: https://pagure.io/freeipa/issue/9141
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
73dbda47 by Antonio Torres at 2022-04-26T16:33:58+02:00
Update translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
9d88a2fd by Antonio Torres at 2022-04-26T16:45:30+02:00
Update list of contributors
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
300f62f7 by Florence Blanc-Renaud at 2022-04-29T13:56:19-04:00
EPN: document missing option msg_subject
In /etc/ipa/epn.conf it is possible to customize the
e-mail subject by setting msg_subject=<value> but this
setting is not documented in the man page.
Add the options in epn.conf man page and in the template.
Fixes: https://pagure.io/freeipa/issue/9145
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a10a48e1 by Florence Blanc-Renaud at 2022-05-02T16:11:04-04:00
ipatests: update the expected sha256sum of epn.conf file
The file epn.conf has been updated when fixing issue 9145
and the test test_epn.py::TestEPN::test_EPN_config_file
is comparing its sha256sum with the checksum of the
shipped file from the package ipa-client-epn.
The expected checksum needs to be updated.
Fixes: https://pagure.io/freeipa/issue/9146
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
10b4e131 by Alexander Bokovoy at 2022-05-04T09:36:40+03:00
doc: migrate to m2r2 and newer sphinx, add plantuml to venv
m2r project was forked to m2r2 which is actively developed.
m2r2 works with new Sphinx versions.
Update our list of documentation requirements and add support for
plantuml to be able to integrate diagrams.
Fixes: https://pagure.io/freeipa/issue/9148
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
4a7cc346 by Alexander Bokovoy at 2022-05-04T09:36:40+03:00
docs: add plantuml and use virtual environment to generate docs
Documentation generator can be run inside Python virtual environment.
This allows to isolate from the system-wide changes and add Sphinx
extensions that aren't packaged in a distribution.
The only exception right now is plantuml package. We rely on plantuml to
generate diagrams and since it is written in Java, it cannot be
installed directly into the Python venv through 'pip' tool.
Fixes: https://pagure.io/freeipa/issue/9148
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
cfe4d7c1 by Alexander Bokovoy at 2022-05-04T09:36:40+03:00
docs: add the readthedocs configuration
We need to install additional plantuml package before the build
Fixes: https://pagure.io/freeipa/issue/9148
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
dd45fe48 by Alexander Bokovoy at 2022-05-04T09:51:11+03:00
docs: update Sphinx requirements in ipasphinx package
One-liner rule to update ipasphinx dependency as we are using m2r2
package which is compatible with newer Sphinx.
Fixes: https://pagure.io/freeipa/issue/9148
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e5471193 by Alexander Bokovoy at 2022-05-04T10:40:07+03:00
docs: force sphinx version above 3.0 to avoid caching in RTD
ReadTheDocs somehow caches requirements and insists in using old
version of Sphinx (1.8). We have to force using newer one (4.5)
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3edd09a8 by Florence Blanc-Renaud at 2022-05-04T13:45:02-04:00
ipatests: remove test_rekey_keytype_DSA
The test is calling getcert rekey -G DSA in order to rekey
a certificate with a DSA key, but DSA support has been disabled
in the default crypto policy, and certmonger does not support it
any more (see the BZ
https://bugzilla.redhat.com/show_bug.cgi?id=2066439)
Remove the test as it's not relevant anymore. The rekey
operation is tested anyway in other tests:
- test_certmonger_rekey_keysize
- test_rekey_keytype_RSA
- test_rekey_request_id
Fixes: https://pagure.io/freeipa/issue/9140
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
46dc1c76 by Alexander Bokovoy at 2022-05-05T10:08:45+03:00
web ui: do not provide Remove button in subid page
subid range management does not allow to delete ranges
If subid range was allocated, it cannot be removed because there might
be file objects associated with it on one of IPA clients.
In Web UI a button to remove the range should not be shown.
Remove corresponding test from the Web UI test for subid as the button
to remove the subid range is not present anymore.
Fixes: https://pagure.io/freeipa/issue/9150
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
64bbf31f by Alexander Bokovoy at 2022-05-05T15:04:28+03:00
Switch Azure CI to Fedora 36 pre-release
Use fedora-toolbox:36 image as it is prepared to work with systemd and
sudo
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
6a086eb2 by Alexander Bokovoy at 2022-05-05T15:04:28+03:00
Azure CI: temporarily add libldap_r.so symlink for python-ldap PIP use
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
53d9dafe by Alexander Bokovoy at 2022-05-05T15:04:28+03:00
Azure CI: don't force non-existing OpenSSL configuration anymore
Newer grunt will pull a PhantomJS that is compatible with newer OpenSSL
so the workaround is not needed anymore.
Additionally, OpenSSL 3.0 is more strict and does not tolerate
non-existing default configuration file.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
862340a3 by Alexander Bokovoy at 2022-05-05T15:04:28+03:00
js tests: use latest grunt
Allow npm to install and use latest grunt that is compatible with newer
OpenSSL.
This, in turn, requires ATK interfaces to be present for the chromium
installed by puppeteer.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
92d80773 by Sudhir Menon at 2022-05-06T09:09:09-04:00
ipatests: Adding --no-dnssec-validation option for healthcheck
healthcheck related tests are failing because of the below issue
"client @0x7f8ee47c4d48 : servfail cache hit (CD=0)"
and as a result healthcheck related packages are not downloaded on test
system.
Hence adding the --no-dnssec-validation option to install_master
and install_replica function
https://pagure.io/freeipa/issue/9151
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
73daf6b5 by Florence Blanc-Renaud at 2022-05-08T09:32:02+02:00
ipatests: --no-dnssec-validation requires --setup-dns
The test test_ipahealthcheck.py::TestIpaHealthCheckWithoutDNS
is installing the server without DNS but calls the installer
with --no-dnssec-validation option.
Remove the --no-dnssec-validation option as it is incompatible
with a non-DNS setup.
Fixes: https://pagure.io/freeipa/issue/9152
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
79a40737 by Alexander Bokovoy at 2022-05-10T15:52:41+03:00
docs: tune RTD to display lists with disc and left margin
RTD default theme removes discs from the section list items which makes
design pages look strange. Add them back via small CSS override.
Also, add 1em on the left side of the disc to provide visual cue that
this is a list item.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
- - - - -
0484949b by Alexander Bokovoy at 2022-05-10T15:52:41+03:00
doc/designs: add External IdP support design documents
External IdP objects represent OAuth 2.0 clients that can be used to
perform OAuth 2.0 device authorization grant flow.
Related: https://pagure.io/freeipa/issue/8805
Related: https://pagure.io/freeipa/issue/8804
Related: https://pagure.io/freeipa/issue/8803
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
- - - - -
fd19bdfd by Alexander Bokovoy at 2022-05-10T15:52:41+03:00
external-idp: add LDAP schema, indices and other LDAP objects
Fixes: https://pagure.io/freeipa/issue/8803
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
- - - - -
10e18c3d by Alexander Bokovoy at 2022-05-10T15:52:41+03:00
external-idp: add support to manage external IdP objects
Fixes: https://pagure.io/freeipa/issue/8804
Fixes: https://pagure.io/freeipa/issue/8803
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
- - - - -
03a905ee by Alexander Bokovoy at 2022-05-10T15:52:41+03:00
external-idp: add XMLRPC tests for External IdP objects and idp indicator
Fixes: https://pagure.io/freeipa/issue/8804
Fixes: https://pagure.io/freeipa/issue/8803
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
- - - - -
3f6656e0 by Alexander Bokovoy at 2022-05-10T15:52:41+03:00
ipa-otpd: add support for SSSD OIDC helper
SSSD OIDC helper is used for negotiating with OAUTH2 or OIDC end points
of external identity providers (IdPs).
ipa-otpd daemon now is capable to take either Issuer URL or individual
endpoints and call SSSD OIDC helper accordingly.
Communication with SSSD OIDC helper can be debugged with the use of a
debug variable set in /etc/ipa/default.conf. Man page for
default.conf(5) has been updated to provide this information.
Fixes: https://pagure.io/freeipa/issue/8805
Signed-off-by: Sumit Bose <sbose at redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
- - - - -
a1be4fc8 by Alexander Bokovoy at 2022-05-10T15:52:41+03:00
KDB: support external IdP configuration
When IdP configuration is provided, take it into account:
- idp-specific Kerberos ticket policy would be applied
- Presence of IdP link in a Kerberos principal entry would cause KDB to
enable `idp` pre-authentication method on KDC side.
The latter requires additional pre-authentication method supplied with
SSSD 2.7.0.
Fixes: https://pagure.io/freeipa/issue/8804
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
- - - - -
94f7d31d by Alexander Bokovoy at 2022-05-10T15:52:41+03:00
External IdP: add Web UI to manage IdP references
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
- - - - -
429e523d by Alexander Bokovoy at 2022-05-10T15:52:41+03:00
External IdP: initial SELinux policy
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
- - - - -
82175da4 by Alexander Bokovoy at 2022-05-10T15:52:41+03:00
doc/workshop: document use of pam_sss_gss PAM module
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
- - - - -
543040a7 by Alexander Bokovoy at 2022-05-10T15:52:41+03:00
freeipa.spec.in: use SSSD 2.7.0 to add IdP pre-auth mechanism
SSSD 2.7.0 provides oidc_child and 'idp' Kerberos pre-auth mechanism as
a part of sssd-idp package which is required by sssd-ipa.
Fixes: https://pagure.io/freeipa/issue/8805
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
- - - - -
b5be7f29 by Alexander Bokovoy at 2022-05-10T15:52:41+03:00
workshop: add chapter 12: External IdP support
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
- - - - -
c2e79fa0 by Alexander Bokovoy at 2022-05-11T13:17:17+03:00
freeipa.spec.in: Depend on sssd-idp directly to help RHEL BaseOS/AppStream repository split
In RHEL there is a split of packages between Base OS and AppStream
repositories. While both repositories are accessible and enabled by
default, there are different requirements towards binary packages in
both. Namely, Base OS packages cannot have runtime dependencies to
AppStream packages and they should have a stricter lifecycle promises in
terms of API and ABI stability.
SSSD 2.7.0 adds sssd-idp package which provides actual implementation of
OAuth 2.0 integration. Since SSSD is provided as part of Base OS, if
sssd-idp is placed there, then all its dependencies would have to be in
Base OS. Unfortunately, libjose is already part of AppStream.
SSSD team currently pulls sssd-idp as a dependency of sssd-ipa so
FreeIPA didn't need to change anything. However, Base OS requirements
will force SSSD team to drop sssd-idp dependency from sssd-ipa. This
means FreeIPA will have to explicitly depend on sssd-idp.
Fixes:https://pagure.io/freeipa/issue/9155
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
ce0592bd by Florence Blanc-Renaud at 2022-05-13T16:15:59-04:00
client uninstall: handle uninstall with authconfig
If the client was installed with authconfig, with
automount configured to use ldap (--no-sssd), and later
updated to a version using authselect, the uninstaller
tries to disable the authselect feature with-custom-automount
but fails because there is no authselect profile in use.
(Upgrade of a client does not transform authconfig settings
into authselect settings because we don't have any client
upgrader, as opposed to the ipa-server-upgrade for the
servers).
To avoid uninstallation failure, ignore the error and log a
warning.
The second part of the commit leverages the "complete" state
stored in the statestore, in order to fix issues when
a client installation fails and the installation is reverted
by the ipa-client-install tool itself.
The fix checks if the statestore shows an incomplete
installation. If the install was incomplete and failed before
any attempt to configure authselect, then unconfigure doesn't
need to do anything. In the other cases, unconfigure needs
to revert to the pre-ipa state.
Fixes: https://pagure.io/freeipa/issue/9147
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
49a1c1ca by Francisco Trivino at 2022-05-19T12:40:37-03:00
ipatests: Bump PR-CI latest templates to Fedora 36
Moving 'latest' to Fedora 36 and 'previous' to Fedora 35.
Update Rawhide template.
The following templates are updated:
- gating
- nightly_latest
- nightlñy_latest_selinux
- nightly_previous
- nightly_rawhide
- temp_commit
These are not updated as they will receive a new update after
"custom COPR" feature in PR-CI is merged:
- nightly_latest_389ds
- nightly_latest_pki
- nightly_latest_testing
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
5ca4e8ee by Anuja More at 2022-05-23T08:38:40+03:00
pr-ci definitions: add external idp related jobs.
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
9cc703fd by Anuja More at 2022-05-23T08:38:40+03:00
ipatests: Add integration tests for External IdP support
Tests for [RFE]: Added integration tests for external IdP
authentication with keycloak-17 as identity provider.
Related : https://pagure.io/freeipa/issue/8805
Related: https://pagure.io/freeipa/issue/8803
Related: https://pagure.io/freeipa/issue/8804
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
5457fb7f by Francisco Trivino at 2022-05-24T13:12:56+02:00
Update ipa-replica-install replication agreement error message
So that it prints out a valid command:
- replace "ipa-replica-manage del" by "ipa server-del" (only domain-level1 is now supported)
- the commands needs to be run on a working server, not on the host where ipa-replica-install failed
Fixes: https://pagure.io/freeipa/issue/9162
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
22825099 by Alexander Bokovoy at 2022-05-25T08:08:36+03:00
ipa-kdb: apply per-indicator settings from inherited ticket policy
Fixes: https://pagure.io/freeipa/issue/9121
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
62807654 by Rob Crittenden at 2022-05-25T08:08:36+03:00
kdb: The jitter offset should always be positive
Otherwise the resulting value could be outside the valid
bounds of the time value.
Related: https://pagure.io/freeipa/issue/9121
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
706a5b87 by Rob Crittenden at 2022-05-25T08:08:36+03:00
If the password auth type is enabled also enable the hardened policy
This will allow custom hardened password policy to be applied.
Without this then the policy will be skipped because the UA
is not enabled.
The KDC and client will prefer SPAKE any time it is available.
For IPA this should mean we should choose hardened setting over a
default one any time SPAKE is used.
Related: https://pagure.io/freeipa/issue/9121
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
39354a47 by Thorsten Scherf at 2022-05-25T08:09:43+03:00
workshop: add freeipa version requirements
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
aa6db128 by Thorsten Scherf at 2022-05-25T08:09:43+03:00
workshop: add freeipa version requirements
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
571b6b81 by Florence Blanc-Renaud at 2022-05-25T08:11:39+03:00
Installer: add --subid option to select the sssd profile with-subid
Add the --subid option to client, server and replica installers.
This option allows to configure authselect with the sssd
profile + with-subid feature, in order to have SSSD setup as
a datasource for subid in /etc/nsswitch.conf.
The default behavior remains unchanged: without the option,
/etc/nsswitch.conf keeps the line subid: files
Fixes: https://pagure.io/freeipa/issue/9159
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
49ab92c5 by Florence Blanc-Renaud at 2022-05-25T08:11:39+03:00
man pages: document the --subid installer option
Document --subid in the man pages for
- ipa-client-install
- ipa-replica-install
- ipa-server-install
Related: https://pagure.io/freeipa/issue/9159
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
952a77ca by Florence Blanc-Renaud at 2022-05-25T08:11:39+03:00
ipatests: add new test with --subid installer option
Add a new test for ipa-client-install --subid
Add a new test for ipa-server-install --subid
Related: https://pagure.io/freeipa/issue/9159
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d4859db4 by Rob Crittenden at 2022-05-25T08:26:38+03:00
Design for IPA-to-IPA migration
There are some references and thoughts on expanding the
current migrate-ds plugin as well.
Related: https://pagure.io/freeipa/issue/3656
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
875e33d9 by Alexander Bokovoy at 2022-05-25T20:05:42+02:00
Support dnssec utils from bind 9.17.2+
In bind 9.17.2+ all dnssec utilities were moved to /usr/bin with
commit 4419606c9d2a52536a6dd0882ac0c7068ac27f30.
Since we only use those utilities in the specialized tool, do a fixup of
the paths in the tool.
Fixes: https://pagure.io/freeipa/issue/9157
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
ee07c154 by Alexander Bokovoy at 2022-05-25T20:05:42+02:00
Ignore dnssec-enable-related named-checkonf errors in test
Check and skip dnssec-enable-related issues in 9.18+ where dnssec-enable
option was removed completely.
Fixes: https://pagure.io/freeipa/issue/9157
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
1101b22b by Armando Neto at 2022-05-25T22:38:11+02:00
ipatests: update definitions for custom COPR nightlies
Vagrant templates for `pki-`, `389ds-` and `testing-` are no longer
needed after feature added by https://github.com/freeipa/freeipa-pr-ci/pull/463.
This updates the test definitions to use PR-CI's custom arguments with
standard `ci-master-f36` vagrant box.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0e6d9edd by Alexander Bokovoy at 2022-05-30T12:12:44+03:00
ipa-kdb: avoid additional checks for a well-known anonymous principal
For a well-known anonymous principal an Anonymous PKINIT method is used
which ignores the password set in the principal entry. For these
principals any defined user auth type is irrelevant, their use is
defined in RFC 6112. This gets confusing when a default user auth type
requires a particular authentication method.
When AS request for Anonymous PKINIT is used, a TGT would contain no
authentication indicator. It means we cannot apply any specific
indicator policy and must skip the checks.
Fixes: https://pagure.io/freeipa/issue/9165
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
f347c3f2 by Rob Crittenden at 2022-05-30T17:24:22+03:00
Implement LDAP bind grace period 389-ds plugin
Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06
389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.
passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is suported for both the
global and per-group password policies.
passwordGraceUserTime is a count per-user of the number of binds.
When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.
If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.
Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.
Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.
The passwordGraceUserTime attribute is reset to 0 upon a password
reset.
user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.
Note that passwordGraceUserTime is an operational attribute.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2d5e6935 by Rob Crittenden at 2022-05-30T17:24:22+03:00
Remove the replicated attribute constants
These pre-existed in ipaserver/install/replication.py.
The constants were only originally used in ldapupdate.py
but have subsequently been switched to the replication.py
versions so they are not used anywhere in the code.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
aefa5f22 by Rob Crittenden at 2022-05-30T17:24:22+03:00
Exclude passwordgraceusertime from replication
Treat this like other failed login attributes and don't
replicate them.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c18caaa7 by Michal Polovka at 2022-06-01T13:53:23+02:00
ipatests: test_subids: test subid-match shows UID of the owner
ipa subid-match should show UID of the owner instead of DN.
Related: https://pagure.io/freeipa/issue/8977
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
ce50d225 by Michal Polovka at 2022-06-02T10:04:37+02:00
ipatests: RFE: Improve ipa-replica-install error message
Test for RFE: Improve error message with more detail for
ipa-replica-install command. If the replication agreement already
exists, check if the error message contains
a particular command needed to delete it.
Related: https://pagure.io/freeipa/issue/9162
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
94dd9ef1 by Michal Polovka at 2022-06-02T10:04:37+02:00
ipatests: tasks: add ipactl start, stop and restart
Include functions to manage IdM service using ipactl, in particular
starting, stopping and restarting the service.
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
e9d0208c by Rob Crittenden at 2022-06-02T11:12:18+02:00
healthcheck: add tests for setting cli options in config file
Fixes: https://pagure.io/freeipa/issue/9136
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
cef6a902 by Rob Crittenden at 2022-06-02T11:17:57+02:00
dnssec daemons: read the dns context config file for debug state
This had been hardcoded to debug=True but it spams the logs
with a lot of unnecessary information.
Allow it to be enabled for troubleshooting purposes but keep it
disabled by default.
Enabling debug would involve created /etc/ipa/dns.conf:
[global]
debug = True
I didn't add a more generic mechanism because for now we only need
the value of debug and it introduces a lot of type conversion
headaches. ipalib handles this automatically but to duplicate this
would be corner-case city.
Fixes: https://pagure.io/freeipa/issue/9128
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
773d3cb4 by Rob Crittenden at 2022-06-02T15:24:22-04:00
Configure and enable the graceperiod plugin on upgrades
The graceperiod plugin was only being enabled on new
installations. Enable also on upgrade.
Loading a new plugin requires a restart. Do so if a
new one is configured.
Fixes: https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
aedb73a9 by Rob Crittenden at 2022-06-03T09:57:52+02:00
Don't duplicate the LDAP gracelimit set in the previous test
Remove a duplicated policy change which sets the gracelimit
to 3.
We don't typically run tests individually but as a whole. If
we ever need to call this one test directly we can ignore
failures.
Fixes: https://pagure.io/freeipa/issue/9167
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
08ab2747 by Rob Crittenden at 2022-06-06T11:24:21-04:00
doc: Design document for LDAP graceperiod
Implement part of RFC https://tools.ietf.org/id/draft-behera-ldap-password-policy-10.html
Related: https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
deb0c765 by Rob Crittenden at 2022-06-06T11:24:21-04:00
Set default LDAP password grace period to -1
This will retain existing behavior where LDAP passwords are
allowed to bind past expiration.
Fixes: https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
420344ed by Rob Crittenden at 2022-06-06T11:24:21-04:00
graceperiod: ignore case when checking for missing objectclass
Don't assume that all objectclasses are lower-case. Some are
camel-cased.
Fixes: https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
d3481449 by Rob Crittenden at 2022-06-09T08:35:15+02:00
doc/designs: add Random Serial Numbers v3 support
Related: https://pagure.io/freeipa/issue/2016
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
83be923a by Rob Crittenden at 2022-06-09T08:35:15+02:00
Add a new parameter type, SerialNumber, as a subclass of Str
Transmitting a big integer like a random serial number over
either xmlrpc or JSON is problematic because they only support
32-bit integers at best. A random serial number can be as big
as 128 bits (theoretically 160 but dogtag limits it).
Treat as a string instead. Internally the value can be treated
as an Integer to conversions to/from hex as needed but for
transmission purposes handle it as a string.
Fixes: https://pagure.io/freeipa/issue/2016
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
beaa0562 by Rob Crittenden at 2022-06-09T08:35:15+02:00
Add support for Random Serial Numbers v3
Dogtag has implemented a new random serial number scheme
they are calling RSNv3.
https://github.com/dogtagpki/pki/wiki/Random-Certificate-Serial-Numbers-v3
Given the known issues reported this will be supported in IPA for
new installations only.
There is no mixing of random servers and non-random servers
allowed.
Instructions for installing a CA:
https://github.com/dogtagpki/pki/blob/master/docs/installation/ca/Installing-CA-with-Random-Serial-Numbers-v3.adoc
Instructions for installing a KRA:
https://github.com/dogtagpki/pki/blob/master/docs/installation/kra/Installig-KRA-with-Random-Serial-Numbers-v3.adoc
The version of random serial numbers is stored within the CA entry
of the server. It is stored as a version to allow for future upgrades.
If a CA has RSN enabled then any KRA installed will also have it
enabled for its identifiers.
A new attribute, ipaCaRandomSerialNumberVersion, is added to the IPA CA
entry to track the version number in case PKI has future major
revisions. This can also be used to determine if RSN is enabled or not.
Fixes: https://pagure.io/freeipa/issue/2016
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d241d740 by Rob Crittenden at 2022-06-09T08:35:15+02:00
Add tests for Random Serial Number v3 support
Extend existing tests and enabled random serial numbers
during installation. A subset of tests was identified that
exercise the code sufficiently to ensure proper operation.
Update the xml-rpc test to allow the new RSN version number
attribute.
Update some certificate tests where a specifc serial number
is expected.
Fixes: https://pagure.io/freeipa/issue/2016
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6c5f2bcb by Alexander Bokovoy at 2022-06-10T09:25:27+02:00
ipaldap: fix conversion from boolean OID to Python
In IPA framework we don't properly convert to Python bool type and just
return a string (TRUE or FALSE). This can be seen with many boolean
attributes, like
Bool('idnsallowdynupdate?',
cli_name='dynamic_update',
label=_('Dynamic update'),
doc=_('Allow dynamic updates.'),
attribute=True,
default=False,
autofill=True
),
in 'ipa dnszone-show':
> > > api.Command.dnszone_show('ipa.test')['result']['idnsallowdynupdate']
['TRUE']
This is because we don't have the reverse (from LDAP to Python) mapping
for the LDAP boolean OID 1.3.6.1.4.1.1466.115.121.1.7.
When Web UI asks for the entry, it gets back JSON output that contains
this 'TRUE' value:
"idnsallowdynupdate": [
"TRUE"
],
Add proper mapping from LDAP to Python bool type. With this, a simple
'checkbox' type can be used in Web UI instead of a complex radio-box
setup.
Note that when IPA API is asked to return raw values, 'TRUE' and 'FALSE'
still returned. These are the actual LDAP boolean attribute values. Care
needs to be done in tests:
- if output is from a command with --raw option, 'TRUE' or 'FALSE'
should be expected
- if output if from a normal (non-raw) command, True or False would be
returned
Fixes: https://pagure.io/freeipa/issue/9171
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d5e4e572 by Florence Blanc-Renaud at 2022-06-10T09:30:38+02:00
ipatest: update expected out for ipa-healthcheck's DogtagCertsConnectivityCheck
Pre ipa-healthcheck 0.11, failures detected by DogtagCertsConnectivityCheck
were reported as:
"msg": "Request for certificate failed, <error>"
but the output is now the following:
"msg": "Request for certificate failed: {error}"
"error": <error>
Update the expected output to be compatible with both versions.
Fixes: https://pagure.io/freeipa/issue/9175
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
aa1105b6 by Sudhir Menon at 2022-06-10T12:16:55+02:00
ipatests: ipahealthcheck tests to check change in permission of ipaserver log files
This testscase checks that when permission of
ipaserver-upgrade.log
file is changed healtcheck tool reports the correct warning message.
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
60d092f0 by Francisco Trivino at 2022-06-10T14:50:07+02:00
Update subordinate design doc
This commit updates the subordinate design document to reflect the current state
and remove "outdated" message.
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8a4ad659 by Florence Blanc-Renaud at 2022-06-13T09:07:38+02:00
ipa-replica-install: nsds5replicaUpdateInProgress is a Boolean
nsds5replicaUpdateInProgress is defined in LDAP schema as a boolean.
Now that IPA API is able to properly map booleans to the python
bool type, this attribute is not a string any more and
comparisons can be done directly based on its real type.
The code in ipa-replica-install was reading nsds5replicaUpdateInProgress
and calling value.tolower() == 'true' but should now use
value == True instead.
Related: https://pagure.io/freeipa/issue/9171
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8f785482 by Florence Blanc-Renaud at 2022-06-13T09:07:38+02:00
ipatests: update expected output for boolean attribute
Now that IPA API properly maps LDAP boolean attributes to the
python bool type, they are displayed as True/False instead
of TRUE/FALSE in the ipa *-show outputs.
Update the expected output for DNS Active Zone.
Related: https://pagure.io/freeipa/issue/9171
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
93a06d82 by Armando Neto at 2022-06-13T12:56:04+02:00
ipatests: bump pr-ci templates
Packages updated to include `freeipa-healthcheck-0.11-2`.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ae193a22 by Florence Blanc-Renaud at 2022-06-13T14:34:30-04:00
ACI: define "Read DNS entries from a zone" aci during install
The ACI "Read DNS entries from a zone" is defined when
ipa-server-upgrade is run but not for new installations.
In order to have consistent ACI (same set for new install
and for install + upgrade), define this ACI in
install/share/dns.ldif instead of "Allow read access".
Fixes: https://pagure.io/freeipa/issue/9173
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
75721741 by Rob Crittenden at 2022-06-14T15:54:50+03:00
Remove extraneous AJP secret from server.xml on upgrades
PKI 10.10 unconditionally added an upgrade script for the AJP
connector which replaced the AJP secret regardless of tomcat
version. It replaced requiredSecret with secret. IPA expects
the attribute by version so this could make the secrets out of
date and/or have connectors with both secrets and different
values.
PKI commit e70373ab131aba810f318c1d917896392b49ff4b has since
been reverted but there may be servers with both secrets still.
On next IPA upgrade clean them up.
Also allow re-writing ipa-pki-proxy.conf in case the secret
changes to ensure they remain in sync.
Fixes: https://pagure.io/freeipa/issue/9176
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
05d96e16 by Rob Crittenden at 2022-06-14T15:56:21+03:00
Add switch for LDAP cache debug output
The LDAP cache log is rather chatty and a bit overwhelming when
looking for error messages. Disable it by default but allow it
to be enabled when a new config option, ldap_cache_debug, is
enabled.
Fixes: https://pagure.io/freeipa/issue/9180
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e06f0cc9 by Alexander Bokovoy at 2022-06-14T15:58:55+03:00
idviews: use cached ipaOriginalUid value when resolving ID override anchor
For ID overrides 'ipaOriginalUid' value should be the human-readable
version of the ID override anchor. Since we would have it already set in
the ID override entry, prefer using it instead of looking up the
override anchor.
This should speed up significantly operations which list all ID
overrides in the view, like Web UI views.
Fixes: https://pagure.io/freeipa/issue/9178
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5fb9653f by Matthew Davis at 2022-06-14T13:17:37-04:00
Create missing SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
One some distributions, namely Suse, the SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
does not exist by default. Ipa-client-install will fail to initialize
the kerberos ticket and error when this directory does not exist.
This patch simply creates the directory if it does not exist before
adding the include statement into /etc/krb5.conf
Fixes: https://pagure.io/freeipa/issue/9174
Signed-off-by: Matthew Davis github at virtual.drop.net
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
86acb96e by Matthew Davis at 2022-06-14T14:21:59-04:00
Suse compatibility fix
Removes authselect requirement for Suse
Use Suse 'pam-config' to configure PAM
Configures nsswitch.conf
Removes domainname service since it does not exist on Suse
Fixes: https://pagure.io/freeipa/issue/9174
Signed-off-by: Matthew Davis github at virtual.drop.net
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
e46dd73a by Michal Polovka at 2022-06-15T10:03:00+02:00
ipatests: xfail for test_ipahealthcheck_hidden_replica to respect pki version
Change xfail for test_replica_promotion.py/TestHiddenReplicaPromotion/test_ipahealthcheck_hidden_replica
to respect platform and pki version as the related issue is fixed.
Implement tasks/get_platform_version which returns a platform version
number(s) of a provided host in a form of a tuple.
Related: https://pagure.io/freeipa/issue/8582
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
27b60cdd by Antonio Torres at 2022-06-15T16:25:58+02:00
Update translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
ca95acc7 by Antonio Torres at 2022-06-15T16:26:55+02:00
Update list of contributors
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
b2bbf816 by Michal Polovka at 2022-06-16T10:47:37+02:00
ipatests: Healthcheck should ignore pki errors when CA is not configured
Test if ipa-healthcheck complains about pki.server.healthcheck errors
when CA is not configured on the replica.
Related: https://github.com/freeipa/freeipa-healthcheck/issues/201
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
40b3c11b by Michal Polovka at 2022-06-17T12:18:42+02:00
ipatests: Increase expect timeout for interactive mode
Increase the default timeout for expect function when testing
interactive mode to mitigate an issue when the tests are failing
on the slow systems.
Fixes: https://pagure.io/freeipa/issue/9183
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
b3085b83 by Armando Neto at 2022-06-20T09:09:37-03:00
ipatests: update prci template
New box contains the fixed mock configuration needed when
`enable_testing_repo` is True.
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
cbc18ff8 by Florence Blanc-Renaud at 2022-06-22T20:53:29+02:00
Preserve user: fix the confusing summary
When ipa user-del --preserve is called, the command output
prints a summary with:
Deleted user: user1
although the user was preserved.
Replace the summary with
Preserved user: user1
to reflect what was actually done.
Fixes: https://pagure.io/freeipa/issue/9187
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3732349b by Florence Blanc-Renaud at 2022-06-22T20:53:29+02:00
xmlrpc tests: updated expected output for preserved user
Update the expected summary for the command
ipa user-del --preserve
The command now displays: Preserved user: user1
instead of Deleted user: user1
Related: https://pagure.io/freeipa/issue/9187
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a80a9819 by Anuja More at 2022-06-22T20:57:22+02:00
ipatests: update prci definitions for test_idp.py
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
bd57ff35 by Anuja More at 2022-06-22T20:57:22+02:00
Add end to end integration tests for external IdP
Added tests for HBAC and SUDO rule and other
test scenarios.
Related : https://pagure.io/freeipa/issue/8805
Related: https://pagure.io/freeipa/issue/8803
Related: https://pagure.io/freeipa/issue/8804
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d3c11f76 by Michal Polovka at 2022-06-23T13:01:36-04:00
ipatests: Healthcheck use subject base from IPA not REALM
Test if healthcheck uses cert subject base from IPA and not from
REALM. This prevents false-positive errors when the subject base is
customized.
Related: https://github.com/freeipa/freeipa-healthcheck/issues/253
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
92d718db by Timo Aaltonen at 2022-06-23T13:02:46-04:00
ipaplatform/debian: Use multiarch path for libsofthsm2.so
The library moved there some years ago, and the compat symlink might go
away at some point. Better prepare for it.
Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
808ac46b by Timo Aaltonen at 2022-06-23T13:02:46-04:00
ipaplatform/debian: Drop the path for ldap.so
Named is able to find plugins if they are installed in the plugindir,
so drop the hardcoded path from named.conf.
Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ef091c99 by Anuja More at 2022-06-23T13:04:05-04:00
ipatests: Fix install_master for test_idp.py
For install_master added --no-dnssec-validation.
Fixes: https://pagure.io/freeipa/issue/9189
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
6d6b135f by Matthew Davis at 2022-06-23T13:06:02-04:00
Add missing parameter to Suse modify_nsswitch_pam_stack
Add missing subid parameter for Suse.
Fixes: https://pagure.io/freeipa/issue/9185
Signed-off-by: Matthew Davis <github at virtual.drop.net>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9a97f9b4 by Rob Crittenden at 2022-06-23T17:46:57-04:00
Fix test_secure_ajp_connector.py failing with Python 3.6.8
Some of the test data are not expected to cause a rewrite in
the upgrade code. Those that do will set the rewrite flag.
In that case there is a new server.xml to be read. This is
handled with mock_open(). The contents can be retrieved via
mocked_file().write.call_args but the repr() of it is:
call(b'<Server port="1234" shutdown="SHUTDOWN">\n ...')
In at least Python 3.10 one can use write.call_args.args to get
just the raw data. This does not work with Python 3.6.8 and
returns the string 'args' instead results in a TypeError.
TypeError: a bytes-like object is required, not 'str'
Instead drop the args and use the data directly.
For the case of x = mocked_file().write.call_args:
x[0] is a tuple with the first element being the data
x[0][0] is the raw data
So use x[0][0] to get at the data instead of x.args[0]
Fixes: https://pagure.io/freeipa/issue/9190
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
494aac95 by Antonio Torres at 2022-06-29T16:28:57+02:00
Update FreeIPA translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
082ec006 by Antonio Torres at 2022-06-29T16:52:09+02:00
Become IPA 4.10.0
- - - - -
c9d9fb3a by Antonio Torres at 2022-06-29T17:05:51+02:00
Back to git snapshots
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
6c6a43c9 by Florence Blanc-Renaud at 2022-07-05T14:46:12+02:00
ipatests: add nightly definitions for ipa-4-10 branch
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e7bee5b6 by Fraser Tweedale at 2022-07-06T09:49:27+02:00
man: add --skip-mem-check to man pages
Document the --skip-mem-check flag in the ipa-server-install(1) and
ipa-replica-install(1) man pages.
Related: https://pagure.io/freeipa/issue/8404
Signed-off-by: Fraser Tweedale <frase at frase.id.au>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
cebfb879 by Fraser Tweedale at 2022-07-06T09:49:27+02:00
install: suggest --skip-mem-check when mem check fails
In the memory check failure message, add a hint to the administrator
that they can use the --skip-mem-check flag to skip the check.
Related: https://pagure.io/freeipa/issue/8404
Signed-off-by: Fraser Tweedale <frase at frase.id.au>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
aca97507 by Sumedh Sidhaye at 2022-07-06T09:51:03+02:00
Added a check while removing 'cert_dir'. The teardown method is called even if all the tests are skipped since the required PKI version is not present. The teardown is trying to remove a non-existent directory.
Currently the cert_dir attribute is only present if IPA installation was
done. If IPA was not installed the attribute does not exist.
In order that the uninstall code finds the attribute a class attribute
is added.
Pagure Issue: https://pagure.io/freeipa/issue/9179
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
33cd62e0 by Rob Crittenden at 2022-07-06T18:25:50+02:00
Only calculate LDAP password grace when the password is expired
The user's pwd expiration was retrieved but inadvertently was never
compared to current time. So any LDAP bind, including from the
IPA API, counted against the grace period. There is no need to go
through the graceperiod code for non-expired passwords.
https://pagure.io/freeipa/issue/1539
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
02d3fb82 by Armando Neto at 2022-07-12T13:55:15-03:00
webui: Do not allow empty pagination size
Pagination size must be required, the current validators are triggered after
form is submitted, thus the only way for check if data is not empty is by making
the field required.
Fixes: https://pagure.io/freeipa/issue/9192
Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
4499c737 by Florence Blanc-Renaud at 2022-07-14T10:24:34-03:00
Nightly tests: fix template for nightly_ipa-4-10_latest.yaml
The vagrant box must be freeipa/ci-ipa-4-10-f36 on this branch
instead of freeipa/ci-master-f36.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
3d827979 by David Pascual at 2022-07-16T07:54:47+02:00
ipatests: Checker script for prci definitions
This script allows developers to check if prci definition jobs have the correct format,
which is defined in prci_jobs_spec.yaml
Useful when adding new jobs to the definitions.
Signed-off-by: David Pascual <davherna at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
499f7172 by Rob Crittenden at 2022-07-16T07:56:50+02:00
Warn for permissions with read/write/search/compare and no attrs
An ACI with rights of read, write, search and/or compare without
attributes to apply the rights to is effectively a no-op. Allow
the ACI to be created but include a warning. Ignore the add
and delete rights. While they make no sense in the context of
the other rights we should still warn that they are a no-op
with no attributes.
Use the existing make_aci() object method to create the
message and update the add/mod callers to capture and add the
message to the result if one is provided.
When updating an existing ACI the effective attributes will
not be included so fall back to the attributes in the resulting
permission.
Prior to checking for rights and attributes convert any deprecated
names for older clients into the newer values needed by make_aci
This is exercised by existing xmlrpc permission tests that
create such permissions without attributes.
https://pagure.io/freeipa/issue/9188
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
260d6378 by Stanislav Levin at 2022-07-26T16:58:39-04:00
ap: Raise dbus timeout
With some recent changes on Azure Agent the default DBus call
timeout is not good enough. For example, in case of
`InstallDNSSECFirst_1_to_5` job hostnamectl received reply in ~20sec,
but later it increased to ~30sec (more subjobs - more time to reply).
It's good to raise this timeout to be more protected against minimum
performance times.
https://www.freedesktop.org/software/systemd/man/sd_bus_set_method_call_timeout.html#Description
Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
acd1d127 by Stanislav Levin at 2022-07-26T16:58:39-04:00
ap: Disable azure's security daemon
This daemon run clamav which is resource aggressive.
No point to run Windows virus scanner on Ubuntu in Linux-only
environment.
Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
8ff0c1a5 by Stanislav Levin at 2022-07-26T16:58:39-04:00
ap: Rearrange overloaded jobs
With some recent changes the Azure Agent has decreased performance.
For example, `InstallDNSSECFirst_1_to_5` (5 subjobs) job took ~33min
and now it takes ~40min. In the same time there are jobs having only
1 or 2 subjobs and they should be used more.
Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e5f7356e by Stanislav Levin at 2022-07-26T16:58:39-04:00
ap: Constrain supported docutils
New Sphinx 5.1.0 (Released: Jul 24, 2022) bumped supported docutils
to 0.19:
https://github.com/sphinx-doc/sphinx/pull/10656
But m2r2 doesn't support it yet:
https://github.com/CrossNox/m2r2/issues/52
Thereby, docutils must be constrained to < 0.19.
This should be fixed by m2r2 and after they do it the restriction
can be removed.
Fixes: https://pagure.io/freeipa/issue/9208
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c55185d3 by Erik at 2022-08-01T09:23:22-04:00
ipatests: healthcheck: test if system is FIPS enabled
Test if FIPS is enabled and the check exists.
Related: https://pagure.io/freeipa/issue/8951
Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1bb4ff9e by Rob Crittenden at 2022-08-01T13:02:13-04:00
Disabling gracelimit does not prevent LDAP binds
Originally the code treated 0 as disabled. This was
changed during the review process to -1 but one remnant
was missed effetively allowing gracelimit 0 to also mean
disabled.
Add explicit tests for testing with gracelimit = 0 and
gracelimit = -1.
Also remove some extranous "str(self.master.domain.basedn)"
lines from some of the tests.
Fixes: https://pagure.io/freeipa/issue/9206
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
38e5bcf7 by Sudhir Menon at 2022-08-03T14:31:48+02:00
ipatests: WebUI: do not allow subid range deletion
This testcase checks that subid added by user admin
cannot be deleted.
Related: https://pagure.io/freeipa/issue/9150
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
51f1321b by David Pascual at 2022-08-04T13:24:05-04:00
ipatest: fix prci checker target masked return code & add pylint
In the yamllint target of makefile, prci_checker result was being masked by echo statement.
Aditionally, prci_checker script has been added to the list of Python sources to be Pylinted.
Addressing comments of recently merged PR:
https://github.com/freeipa/freeipa/pull/6301#discussion_r923163970
https://github.com/freeipa/freeipa/pull/6301#issuecomment-1187037261
Signed-off-by: David Pascual <davherna at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
eb9f606f by Florence Blanc-Renaud at 2022-08-08T13:50:57+02:00
azure tests: disable TestInstallDNSSECFirst
The test TestInstallDNSSECFirst is failing because of one of its
dependencies (the most likely suspect is the update of openssl-pkcs11).
Disable the test from azure gating until the issue is solved.
Related: https://pagure.io/freeipa/issue/9216
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Carla Martinez <carlmart at redhat.com>
- - - - -
a39af6b7 by Sudhir Menon at 2022-08-09T08:38:12+02:00
ipatests: ipa-client-install --subid adds entry in nsswitch.conf
This testcase checks that when ipa-client-install command
is run with --subid option, /etc/nsswitch.conf file is updated
with the below entry
subid: nss
Related: https://pagure.io/freeipa/issue/9159
Since the newly added testsuite required client
system, hence modified the below yaml files to change the topology
from *master_1repl to *master_1repl_1client in the below files
gating.yaml
nightly_latest.yaml
nightly_rawhide.yaml
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
7a1e1d9f by Carla Martinez at 2022-08-09T10:05:55+02:00
webui: Allow grace login limit
There was no support for setting the grace login limit on the WebUI. The
only way to so was only via CLI:
`ipa pwpolicy-mod --gracelimit=2 global_policy`
Thus, the grace login limit must be updated from the policy section and
this will reflect also on the user settings (under the 'Password Policy'
section)
Fixes: https://pagure.io/freeipa/issue/9211
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
bfe074ed by Sumedh Sidhaye at 2022-08-10T18:07:43+02:00
Additional tests for RSN v3
New Tests include
TestRSNPKIConfig
TestRSNVault
The new tests are just extending existing classes to be run
with random serial numbers enabled
The tests also include a new method to check params set in CS.cfg for both CA and
KRA, and another test to check Random Serial Number version while
running `ipa ca-find`
Added nightly definitions
Related Ticket: https://pagure.io/freeipa/issue/2016
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
2003eb6b by Florence Blanc-Renaud at 2022-08-16T13:12:04+02:00
check_repl_update: in progress is a boolean
With the fix for https://pagure.io/freeipa/issue/9171,
nsds5replicaUpdateInProgress is now handled as a boolean.
One remaining occurrence was still handling it as a string
and calling lower() on its value.
Replace with direct boolean comparison.
Fixes: https://pagure.io/freeipa/issue/9218
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
459b81b1 by Rob Crittenden at 2022-08-16T14:01:10+02:00
upgrades: Don't restart the CA on ACME and profile schema change
There are currently three sets of CA schema changes applied
in ipa-server-upgrade:
* addition of ACME schema
* addition of certificate profile schema
* addition of lightweight CA schema
None of these require a restart of the CA to be supported.
There is an issue in schema parsing such that it doesn't handle
X-ORIGIN properly. A difference is detected and a change applied
but no change is recorded in LDAP so every time upgrade is
run it thinks a CA restart is needed. The CA is not quick to
restart so avoiding one is best, particularly when the update is
run as part of an rpm transaction where a user with an itchy finger
may think things have hung and break out of it.
https://github.com/389ds/389-ds-base/issues/5366 was
filed to track this.
Related: https://pagure.io/freeipa/issue/9204
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6c5530c5 by Thomas Woerner at 2022-08-16T19:32:23+02:00
DNSResolver: Fix use of nameservers with ports
IPA DNS zone and forwardzone commands allow to use nameservers with ports
as "SERVER_IP port PORT_NUMBER". bind is supporting this syntax, but the
Resolver in dnspython that is used to verify the list of forwarders
(nameservers) is only allowing to have IP addresses in this list. With
dnspython version 2.20 there is a new validator in dns.resolver.BaseResolver
that ensures this.
Refs:
- https://bind9.readthedocs.io/en/v9_18_4/reference.html#zone-statement-grammar
- https://github.com/rthalley/dnspython/blob/master/dns/resolver.py#L1094
ipapython/dnsutil.DNSResolver derives from dns.resolver.Resolver. The setter
for nameservers has been overloaded in the DNSResolver class to split out
the port numbers into the nameserver_ports dict { SERVER_IP: PORT_NUMBER }.
After the setter for nameservers succeeded, nameserver_ports is set.
nameserver_ports is used in the resolve() method of dns.resolver.Resolver..
Additional tests have been added to verify that nameservers and also
nameserver_ports are properly set and also valid.
Fixes: https://pagure.io/freeipa/issue/9158
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b6520bef by Florence Blanc-Renaud at 2022-08-16T19:34:34+02:00
ipatests: Fix expected object classes
Because the sidgen plugin is a postop plugin, it is not
always triggered before the result of an ADD is returned
and the objectclasses of the user may / may not contain
ipantuserattrs.
Fix the expected object classes.
Related: https://pagure.io/freeipa/issue/9062
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
458dcebd by Florence Blanc-Renaud at 2022-08-16T19:34:34+02:00
gitignore: add install/oddjob/org.freeipa.server.config-enable-sid
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
1aa39529 by Rob Crittenden at 2022-08-19T08:19:11+02:00
doc: Update LDAP grace period design with default values
New group password policies will get -1 (unlimited) on creation
by default.
Existing group password policies will remain untouched and
those created prior will be treated as no BIND allowed.
Fixes: https://pagure.io/freeipa/issue/9212
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
45e6d49b by Rob Crittenden at 2022-08-19T08:19:11+02:00
Set default gracelimit on group password policies to -1
This will retain previous behavior of unlimited LDAP BIND
post-expiration.
Fixes: https://pagure.io/freeipa/issue/9212
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
de6f0745 by Rob Crittenden at 2022-08-19T08:19:11+02:00
Set default on group pwpolicy with no grace limit in upgrade
If an existing group policy lacks a password grace limit
update it to -1 on upgrade.
Fixes: https://pagure.io/freeipa/issue/9212
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
a0a104a4 by Scott Poore at 2022-08-19T12:12:29+02:00
ipatests: Rename create_quarkus to create_keycloak
The module installs and configures a Keycloak server and
not just the Quarkus Java framework. So, renaming to better
reflect what the module is used for.
Fixes: https://pagure.io/freeipa/issue/9225
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
79f76558 by Endi S. Dewata at 2022-08-19T12:15:01+02:00
Remove pki_restart_configured_instance
The pki_restart_configured_instance param is no longer used
by pkispawn so it has been removed.
https://github.com/dogtagpki/pki/blob/master/docs/changes/v11.3.0/Server-Changes.adoc
Signed-off-by: Endi S. Dewata <edewata at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9441d7ed by Alexander Bokovoy at 2022-08-30T08:25:47+02:00
ipa-otpd: initialize local pointers and handle gcc 10
oauth2_on_child_readable() does not use the main verto context and used
to drop the argument name to signify that. This is a feature of C2X
standard by default and is not enabled in gcc before 11 by default (it
is enabled in RHEL 8's gcc 8.5).
Add a simple 'if the context is missing, get out' code to use 'ctx'.
This allows to avoid enabling C2X features.
Initialize local pointers to prevent use before initialization on exit
paths in abnormal situations as well.
Fixes: https://pagure.io/freeipa/issue/9230
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
f6a661bd by Jesse Sandberg at 2022-08-30T08:28:37+02:00
Fix ipa-ccache-sweeper activation timer and clean up service file
Added OnActiveSec=12h to start the timer cycle because OnUnitActiveSec setting alone never triggers the timer after boot as there has not been transition between active and inactive state.
Removed [Install] section from sweeper.service as it is not needed
Fixes: https://pagure.io/freeipa/issue/9231
Signed-off-by: Jesse Sandberg <jesse.sandberg at netcode.fi>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a0928fe1 by Alexander Bokovoy at 2022-08-30T10:44:40+02:00
fix canonicalization issue in Web UI
When Kerberos principal alias is used to login to a Web UI, we end up
with a request that is authenticated by a ticket issued in the alias
name but metadata processed for the canonical user name. This confuses
RPC layer of Web UI code and causes infinite loop to reload the page.
Fix it by doing two things:
- force use of canonicalization of an enterprise principal on server
side, not just specifying that the principal is an enterprise one;
- recognize that a principal in the whoami()-returned object can have
aliases and the principal returned by the server in the JSON response
may be one of those aliases.
Fixes: https://pagure.io/freeipa/issue/9226
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
- - - - -
ea792e11 by Carla Martinez at 2022-08-30T20:04:30+02:00
Set pkeys in test_selinuxusermap.py::test_misc::delete_record
The test_selinuxusermap.py::test_selinuxusermap::test_misc is failing
because the 'delete_record' function (located in the same file) is passing
incorrect parameters: it should take the 'pkeys' instead of the full
data.
The changes will take the right 'pkeys' parameters in the 'test_misc()'
function.
Fixes: https://pagure.io/freeipa/issue/9161
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a7beaa0b by Stanislav Levin at 2022-09-20T06:57:39+02:00
x509: Replace removed register_interface with subclassing
python-cryptography 38.0 removed `register_interface` decorator:
pyca/cryptography at f70e334a52fdf5bd1ad42460efb78d989f8535d9
Backward compatibility:
Cryptography haven't changed the interface of `Certificate` since it was
first used by IPA (4.6.0) till cryptography 38.0.
cryptography 38.0 (pyca/cryptography at c1b7307a3e4ef9cd246feae88178afba7389405c)
added `tbs_precertificate_bytes` attribute.
Fixes: https://pagure.io/freeipa/issue/9160
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3c4386ce by Rob Crittenden at 2022-09-21T09:44:00+02:00
Fix upper bound of password policy grace limit
It was defined as an unsigned value (2**32) because it
originally was. During the review an additional setting of
disabled (-1) was added so the value needed to be signed.
The upper bound needs to be 2**31 which is provided by
the xmlrpc client MAXINT import.
Fixes: https://pagure.io/freeipa/issue/9243
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
c5bcaab8 by Florence Blanc-Renaud at 2022-09-23T16:28:44+02:00
ipa-cacert-manage prune: remove all expired certs
ipa-cacert-manage prune is removing the expired certs one
at a time and this may result in verifying that one of
the expired certs is still valid.
As a consequence, ipa-cacert-manage prune always fails
when more than 1 cert are expired.
To avoid the issue, remove all the expired certs in a single
pass, and validate only the ones that would remain after full
pruning.
Fixes: https://pagure.io/freeipa/issue/9244
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
54b81617 by Carla Martinez at 2022-09-26T08:46:25+02:00
webui: Show 'Sudo order' column
In the 'Sudo rules' page, the 'Sudo order' column should be visible in the
list so the users can easily see which rules override other rules based on
their order.
Fixes: https://pagure.io/freeipa/issue/9237
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ac776987 by Scott Poore at 2022-09-26T09:03:50+02:00
ipatests: add Keycloak Bridge test
Add test code for new bridge server (ipa-tuura) and Keycloak plugin.
Add uninstall functions for create_keycloak.py so that the tests can
be run repeatedly.
Fixes: https://pagure.io/freeipa/issue/9227
Signed-off-by: Scott Poore <spoore at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
db1d0517 by Scott Poore at 2022-09-26T09:03:50+02:00
ipatests: add prci definitions for test_sso jobs
Signed-off-by: Scott Poore <spoore at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3cbf2b25 by Rob Crittenden at 2022-09-26T13:47:31+02:00
Defer creating the final krb5.conf on clients
A temporary krb5.conf is created early during client enrollment
and was previously used only during the initial ipa-join call.
The final krb5.conf was written soon afterward.
If there are multiple servers it is possible that the client
may then choose a different KDC to connect. If the client
is faster than replication then the client may not exist
on all servers and therefore enrollment will fail.
This was seen in performance testing of how many simultaneous
client enrollments are possible.
Use a decorator to wrap the _install() method to ensure the
temporary files created during installation are cleaned up.
https://pagure.io/freeipa/issue/9228
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
221768f8 by Florence Blanc-Renaud at 2022-09-29T16:33:27-04:00
ipa otptoken-sync: return error when sync fails
The command ipa otptoken-sync does not properly handle
errors happening during the synchronization step.
- Even if an error is detected (such as invalid password
provided), the command exits with return code = 0. An
error message is displayed but the exit code should be 1.
- When an invalid token is provided, the token is not
synchronized but the error is not reported back to the
ipa otptoken-sync command.
The first issue can be fixed by raising an exception when
the HTTP response contains an header with an error.
The second issue is fixed by returning LDAP_INVALID_CREDENTIALS
to ldap bind with the sync control if synchronization fails.
Fixes: https://pagure.io/freeipa/issue/9248
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d9f33b7c by Florence Blanc-Renaud at 2022-09-29T16:33:27-04:00
ipatests: add negative test for otptoken-sync
Scenario: call ipa otptoken-sync with
- an invalid password
- an invalid first token (containing non-digits)
- an invalid sequence of tokens
The test expects a return code = 1.
Related: https://pagure.io/freeipa/issue/9248
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f3c861b9 by Rob Crittenden at 2022-09-30T13:13:20+02:00
Move client certificate request after krb5.conf is created
The creation of krb5.conf was moved to the end of the script
as part of maintaining server affinity during ipa-client-install.
If the installation is faster than replication then requests
against some IPA servers may fail because the client entry is
not yet present.
This is more difficult with certmonger as it will only use
/etc/krb5.conf. There is no way of knowing, even at the end
of the client installation, that replication has finished.
Certificate issuance may fail during ipa-client-install but
certmonger will re-try the request.
Fixes: https://pagure.io/freeipa/issue/9246
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
242ed2e5 by Carla Martinez at 2022-09-30T13:18:29+02:00
Set 'idnssoaserial' to deprecated
A warning message (regarding the SOA serial deprecation) is shown
on the webui and CLI every time a new DNS zone is added (even if the
'--serial' option is not being explicitly set) or the SOA serial is modified.
This should be managed by setting the 'idnssoaserial' as deprecated and
not required parameter.
Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
3d34673b by Carla Martinez at 2022-09-30T13:18:29+02:00
ipatest: Remove warning message for 'idnssoaserial'
The tests must be updated to not expect the
deprecation warning messages for the 'idnssoaserial'
parameter. Those should (successfully) fail when
'dnszone_add' and 'dnszone_mod' commands are
executed with the SOA serial parameter provided.
Also, due to this SOA serial deprecation, an
expected-to-fail test should be defined when a
DNS zone is added (dnszone_add) and the SOA serial
is passed as a parameter.
Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
9b274bc5 by Carla Martinez at 2022-09-30T13:18:29+02:00
webui: Set 'SOA serial' field as read-only
On the WebUI, the SOA serial textbox must be disabled (non-editable)
to prevent the 'ValidationError' message to be shown when this
specific field is manually set.
Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
48b9cc33 by Carla Martinez at 2022-09-30T13:18:29+02:00
Update API and VERSION
The API and VERSION files need to be updated
to hold the changes made in the 'idnssoaserial'
parameter.
Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
1546c0b2 by Florence Blanc-Renaud at 2022-10-03T07:49:07+02:00
ipa man page: format the EXAMPLES section
The EXAMPLES section is missing .TP macros before some of
the provided examples, and they are displayed in the same paragraph.
Add .TP (tagged, indented paragraph) before each example.
Fixes: https://pagure.io/freeipa/issue/9252
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d0b33602 by Weblate at 2022-10-03T10:59:26+03:00
Update translation files
Updated by "Update LINGUAS file" hook in Weblate.
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a4202264 by Jan Kuparinen at 2022-10-03T10:59:26+03:00
Translated using Weblate (Finnish)
Currently translated at 7.7% (362 of 4672 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3500d05f by Weblate at 2022-10-03T10:59:26+03:00
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a21bf7fe by Yuri Chornoivan at 2022-10-03T10:59:26+03:00
Translated using Weblate (Ukrainian)
Currently translated at 98.5% (4671 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d6d7c5d2 by Yuri Chornoivan at 2022-10-03T10:59:26+03:00
Translated using Weblate (Ukrainian)
Currently translated at 99.4% (4713 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
63d332ff by Yuri Chornoivan at 2022-10-03T10:59:26+03:00
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (4739 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3452c6fc by Jan Kuparinen at 2022-10-03T10:59:26+03:00
Translated using Weblate (Finnish)
Currently translated at 10.9% (520 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bcc58198 by Jan Kuparinen at 2022-10-03T10:59:26+03:00
Translated using Weblate (Finnish)
Currently translated at 15.5% (736 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a1c0031c by Jan Kuparinen at 2022-10-03T10:59:26+03:00
Translated using Weblate (Finnish)
Currently translated at 15.6% (742 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4b10b6da by Ricky Tigg at 2022-10-03T10:59:26+03:00
Translated using Weblate (Finnish)
Currently translated at 15.6% (743 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f9419bda by Piotr Drąg at 2022-10-03T10:59:26+03:00
Translated using Weblate (Polish)
Currently translated at 9.5% (452 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pl/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1c1187be by Jan Kuparinen at 2022-10-03T10:59:26+03:00
Translated using Weblate (Finnish)
Currently translated at 15.9% (754 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
86f828a7 by Ricky Tigg at 2022-10-03T10:59:26+03:00
Translated using Weblate (Finnish)
Currently translated at 16.0% (762 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
10a51197 by Jan Kuparinen at 2022-10-03T10:59:26+03:00
Translated using Weblate (Finnish)
Currently translated at 16.1% (764 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
606ce6d5 by Jan Kuparinen at 2022-10-03T10:59:26+03:00
Translated using Weblate (Finnish)
Currently translated at 16.7% (794 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
921fdd2c by Weblate at 2022-10-03T10:59:26+03:00
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6de25a0f by Yuri Chornoivan at 2022-10-03T10:59:26+03:00
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (4739 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
63fceacb by Jan Kuparinen at 2022-10-03T10:59:26+03:00
Translated using Weblate (Finnish)
Currently translated at 16.9% (804 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3885bd6f by Andika Triwidada at 2022-10-03T10:59:26+03:00
Translated using Weblate (Indonesian)
Currently translated at 6.8% (323 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/id/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0caffa37 by Jan Kuparinen at 2022-10-03T10:59:26+03:00
Translated using Weblate (Finnish)
Currently translated at 17.2% (816 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
dbe49df1 by Jan Kuparinen at 2022-10-03T10:59:26+03:00
Translated using Weblate (Finnish)
Currently translated at 17.5% (832 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
31f7860d by Piotr Drąg at 2022-10-03T10:59:26+03:00
Translated using Weblate (Polish)
Currently translated at 9.5% (453 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pl/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
67c54ce7 by Ricky Tigg at 2022-10-03T10:59:26+03:00
Translated using Weblate (Finnish)
Currently translated at 17.5% (833 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2b0c9d91 by Jan Kuparinen at 2022-10-03T10:59:26+03:00
Translated using Weblate (Finnish)
Currently translated at 17.7% (840 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
98e80985 by Jan Kuparinen at 2022-10-03T10:59:26+03:00
Translated using Weblate (Finnish)
Currently translated at 17.7% (842 of 4739 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c8c4e93f by Weblate at 2022-10-03T10:59:26+03:00
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
867a38a4 by Yuri Chornoivan at 2022-10-03T10:59:26+03:00
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (4741 of 4741 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
242a0dad by Jan Kuparinen at 2022-10-03T10:59:26+03:00
Translated using Weblate (Finnish)
Currently translated at 17.8% (845 of 4741 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a30db203 by Temuri Doghonadze at 2022-10-03T10:59:26+03:00
Added translation using Weblate (Georgian)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
357dd550 by Weblate at 2022-10-03T10:59:26+03:00
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6846b953 by Yuri Chornoivan at 2022-10-03T10:59:26+03:00
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (4818 of 4818 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d4b92033 by Jan Kuparinen at 2022-10-03T10:59:26+03:00
Translated using Weblate (Finnish)
Currently translated at 17.6% (848 of 4818 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a1e66f5c by Temuri Doghonadze at 2022-10-03T10:59:26+03:00
Translated using Weblate (Georgian)
Currently translated at 6.9% (333 of 4818 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
054bd14b by Temuri Doghonadze at 2022-10-03T10:59:26+03:00
Translated using Weblate (Georgian)
Currently translated at 7.6% (368 of 4818 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3379aa0a by Temuri Doghonadze at 2022-10-03T10:59:26+03:00
Translated using Weblate (Georgian)
Currently translated at 8.3% (401 of 4818 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f420c19b by 김인수 at 2022-10-03T10:59:26+03:00
Added translation using Weblate (Korean)
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9d1541f1 by 김인수 at 2022-10-03T10:59:26+03:00
Translated using Weblate (Korean)
Currently translated at 2.0% (99 of 4818 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4ea9b5ef by 김인수 at 2022-10-03T10:59:26+03:00
Translated using Weblate (Korean)
Currently translated at 2.2% (108 of 4818 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d5ea8d6c by 김인수 at 2022-10-03T10:59:26+03:00
Translated using Weblate (Korean)
Currently translated at 2.9% (140 of 4818 strings)
Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
41ba166c by Alexander Bokovoy at 2022-10-03T10:59:26+03:00
Remove empty translation for 'si' which breaks linter
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a6485d63 by Florence Blanc-Renaud at 2022-10-04T09:25:17+02:00
Tests: test on f37 and f36
Fedora 37 beta is now available, move the testing pipelines to
- fedora 37 for the _latest definitions
- fedora 36 for the _previous definition
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
40b9c6fc by Florence Blanc-Renaud at 2022-10-04T09:25:17+02:00
ipatests: mark xfail tests using sssctl domain-status
In fedora 37+, sssctl domain-status is failing.
Mark xfail the gating tests impacted by this issue, to avoid
breaking the CI gating when we move to f37.
Related: https://pagure.io/freeipa/issue/9234
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3d093c66 by Florence Blanc-Renaud at 2022-10-04T09:25:17+02:00
ipatests: mark xfail tests using dnssec
In fedora 37+, the signing of DNS zones is failing.
Mark xfail the gating tests impacted by this issue, to avoid
breaking the CI gating when we move to f37.
Related: https://pagure.io/freeipa/issue/9216
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
113cb8d7 by Alexey Tikhonov at 2022-10-06T10:13:45+02:00
extdom: internal functions should be static
Fixes following compilation warnings:
```
ipa_extdom_common.c:109:5: warning: no previous prototype for ‘__nss_to_err’ [-Wmissing-prototypes]
109 | int __nss_to_err(enum nss_status errcode)
| ^~~~~~~~~~~~
ipa_extdom_common.c:738:5: warning: no previous prototype for ‘pack_ber_name_list’ [-Wmissing-prototypes]
738 | int pack_ber_name_list(struct extdom_req *req, char **fq_name_list,
| ^~~~~~~~~~~~~~~~~~
```
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
4685f9d8 by Alexey Tikhonov at 2022-10-06T10:13:45+02:00
extdom: make sure result doesn't miss domain part
This is required to ensure that only objects from requested domain
are returned.
Resolves: https://pagure.io/freeipa/issue/9245
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
1360c8b0 by Alexey Tikhonov at 2022-10-06T10:13:45+02:00
extdom: avoid sss_nss_getorigby*() calls when get*_r_wrapper() returns object from a wrong domain (performance optimization)
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
51c31e0a by Stanislav Levin at 2022-10-07T16:57:35+02:00
ipapython: Support openldap 2.6
While python-ldap is strict dependency of IPA in downstreams, it
is optional for IPA packages published on PyPI.
Openldap 2.6 no longer ships ldap_r-2, that makes
ipapython.dn_ctypes not working against such environments.
Thanks @abbra!
Fixes: https://pagure.io/freeipa/issue/9255
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ae445f72 by Sumit Bose at 2022-10-10T10:03:39+02:00
ipa-kdb: do not fail if certmap rule cannot be added
Currently if a certificate mapping and matching rule has a typo or is of
an unsupported type the whole rule processing is aborted and the IPA
certmap plugin works without any rules effectively disabling PKINIT for
users. Since each rule would only allow more certificates for PKINIT it
would be more user/admin friendly to just ignore the failed rules with a
log message and continue with what is left or use the default rule if
nothing is left.
This change is done to add more flexibility to define new mapping and
matching templates which are e.g. needed to cover changes planned by
Microsoft as explained in
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
93b0e6a9 by Alexander Bokovoy at 2022-10-11T09:03:13+02:00
ipaclient: do not set TLS CA options in ldap.conf anymore
OpenLDAP has made it explicit to use default CA store as provided by
OpenSSL in 2016:
branches 2.5 and later:
commit 4962dd6083ae0fe722eb23a618ad39e47611429b
Author: Howard Guo <hguo at suse.com>
Date: Thu Nov 10 15:39:03 2016 +0100
branch 2.4:
commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8
Author: Howard Guo <hguo at suse.com>
Date: Thu Nov 10 15:39:03 2016 +0100
This means starting with OpenLDAP 2.4.45 we can drop the explicit CA
configuration in ldap.conf.
There are several use cases where an explicit IPA CA should be specified
in the configuration. These mostly concern situations where a higher
security level must be maintained. For these configurations an
administrator would need to add an explicit CA configuration to
ldap.conf if we wouldn't add it during the ipa-client-install setup.
RN: FreeIPA client installer does not add explicit TLS CA configuration
RN: to OpenLDAP's ldap.conf anymore. Since OpenLDAP 2.4.45, explicit CA
RN: configuration is not required as OpenLDAP uses the default CA store
RN: provided by OpenSSL and IPA CA is installed in the default store
RN: by the installer already.
Fixes: https://pagure.io/freeipa/issue/9258
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7aa84573 by Viacheslav Sychov at 2022-10-11T09:09:13+02:00
fix: Handle /proc/1/sched missing error
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5477a07d by Sumedh Sidhaye at 2022-10-12T13:34:04+02:00
With the commit #99a74d7, 389-ds changed the message returned in ipa-healthcheck.
Previously the message was:
"\n\nIn Directory Server, we offer one hash suitable for this "
"(PBKDF2_SHA256) and one hash\nfor \"legacy\" support (SSHA512)."
"\n\nYour configuration does not use these for password storage "
"or the root password storage\nscheme.\n"
but now the message is:
\n\nIn Directory Server, we offer one hash suitable for this "
"(PBKDF2-SHA512) and one hash\nfor \"legacy\" support (SSHA512)."
"\n\nYour configuration does not use these for password storage "
"or the root password storage\nscheme.\n"
PBKDF2_SHA256 has been replaced with PBKDF2-SHA512
Pagure: https://pagure.io/freeipa/issue/9238
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
- - - - -
ad7bdd46 by Nikola Knazekova at 2022-10-18T07:09:49+02:00
Exclude installed policy module file from RPM verification
selinux: Update based on latest packaging guide
https://fedoraproject.org/wiki/SELinux/IndependentPolicy
Fixes: https://pagure.io/freeipa/issue/9254
Signed-off-by: Nikola Knazekova <nknazeko at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
db7cd798 by Anuja More at 2022-10-18T09:24:35+02:00
ipatests : Test query to AD specific attributes is successful.
Test scenario:
configure sssd with ldap_group_name = info for the trusted domain,
so that the group name is read from the "info" attribute
of the AD group entry.
With this setting, it is possible to have a group and a user
that appear on IdM side with the same name.
Ensure that the conflict does not break IdM and that the id,
getent group and getent passwd commands work on an IdM client.
Related : https://pagure.io/freeipa/issue/9127
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
9936379c by Florence Blanc-Renaud at 2022-10-20T08:15:56+02:00
webui tests: fix test_subid suite
The webui test test_subid_range_deletion_not_allowed is
adding a new subid for the admin user but a previous
test already took care of that step.
Remove the call adding the subid.
2nd issue: a given record has to be selected in
order to check that there is no "delete" button.
Fixes: https://pagure.io/freeipa/issue/9214
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e197c743 by Scott Poore at 2022-10-21T20:08:52+02:00
ipatests: add keycloak user login to ipa test
Adding test case to test_sso.py to cover login to IPA client as Keycloak
user without relying on external IdP.
create_bridge.py:
- getkeytab in setup_scim_server to allow bridge to use IPA API.
- fix unintstall to remove plugin by version instead of main
test_sso.py:
- add keycloak_add_user function
- add test_ipa_login_with_sso_user
tasks.py:
- add set_user_password to only set password for ipa users
Fixes: https://pagure.io/freeipa/issue/9250
Signed-off-by: Scott Poore <spoore at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4e201ec9 by Florence Blanc-Renaud at 2022-10-21T20:11:14+02:00
Spec file: bump the selinux-policy version
selinux-policy introduced a regression in fedora 36, rhel 8
and rhel 9. After a call to ipa trust-add, the credential cache
contains cifs/master.ipa.test at IPA.TEST instead of admin principal.
The fix is available in
- fedora 36: selinux-policy-36.16-1
- rhel 8: 3.14.3-107
Bump the selinux-policy version to install the fix.
Fixes: https://pagure.io/freeipa/issue/9198
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f0c72dcb by Alexander Bokovoy at 2022-11-02T12:44:41+02:00
ipa-kdb: refactor MS-PAC processing to prepare for krb5 1.20
Make sure both krb5 pre 1.20 and 1.20 or later would call into the same
PAC generation code while driven by different API callbacks from the
krb5 KDB interface.
Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e9ae0e35 by Alexander Bokovoy at 2022-11-02T12:44:41+02:00
ipa-kdb: add krb5 1.20 support
Add basic krb5 1.20 integration without RBCD support. RBCD will come in
a separate series.
Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a5ca2500 by Alexander Bokovoy at 2022-11-02T12:44:41+02:00
ipa-kdb: handle cross-realm TGT entries when generating PAC
For generating PAC we need to know SID of the object and a number of
required attributes. However, trusted domain objects do not have these
attributes. Luckily, IPA LDAP schema puts them under actual trust
objects which have all the additional (POSIX) attributes.
Refactor PAC generator to accept secondary LDAP entry and use that one
to pull up required attributes. We only use this for trusted domain
objects.
Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1d4db340 by Alexander Bokovoy at 2022-11-02T12:44:41+02:00
ipa-kdb: handle empty S4U proxy in allowed_to_delegate
With krb5 1.20, S4U processing code uses a special case of passing an
empty S4U proxy to allowed_to_delegate() callback to identify if the
server cannot get forwardable S4U2Self tickets according to [MS-PAC]
3.2.5.1.2.
This means we need to ensure NULL proxy is a valid one and return an
appropriate response to that.
Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
88c1293f by Alexander Bokovoy at 2022-11-02T12:44:41+02:00
ipa-kdb: fix PAC requester check
PAC requester check was incorrect for in-realm S4U operations. It casted
too wide check which denied some legitimate requests. Fix that by only
applying rejection to non-S4U unknown SIDs, otherwise S4U2Self request
issued by the in-realm service against a trusted domain's user would not
work.
Related: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d3c7a4fa by Alexander Bokovoy at 2022-11-02T12:44:41+02:00
ipa-kdb: fix comment to make sure we talk about krb5 1.20 or later
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
10604ead by Scott Poore at 2022-11-03T20:05:17+01:00
ipatests: xfail test_ipa_login_with_sso_user
There is a crash occurring that causes Keycloak to be unable to
communicate with ipa-tuura on the bridge server (replica0). This is
much more prevalent in Fedora 37 so we need to xfail that test case
until the crash is resolved.
Related: https://pagure.io/freeipa/issue/9264
Signed-off-by: Scott Poore <spoore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
58088110 by Endi S. Dewata at 2022-11-04T08:07:25+01:00
Explicitly use legacy ID generators by default
The default ID generators used by PKI might change in the
future, so to preserve the current behavior the installation
code has been updated to explicitly use the legacy ID
generators by default.
Signed-off-by: Endi S. Dewata <edewata at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
00857578 by Erik Belko at 2022-11-10T10:19:28+01:00
ipatests: test for root using admin password in webUI
Check if there is no infinite loop caused by this
combination of user and password
Related: https://pagure.io/freeipa/issue/9226
Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
a2a3d45e by Erik Belko at 2022-11-14T08:21:59+01:00
ipatests: Add test for grace login limit
Test user and pwpolicy entity for grace login limit setting.
Related: https://pagure.io/freeipa/issue/9211
Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
465d5f5c by Alexander Bokovoy at 2022-11-14T13:08:36-05:00
ipa-kdb: for delegation check, use different error codes before and after krb5 1.20
With MIT krb5 1.20, a call to krb5_db_check_allowed_to_delegate()
and krb5_db_check_allowed_to_delegate_from() expects to return either
KRB5KDC_ERR_BADOPTION for a policy denial or KRB5_PLUGIN_OP_NOTSUPP in
case plugin does not handle the policy case. This is part of the MIT
krb5 commit a441fbe329ebbd7775eb5d4ccc4a05eef370f08b which added a
minimal MS-PAC generator.
Prior to MIT krb5 1.20, the same call was expected to return either
KRB5KDC_ERR_POLICY or KRB5_PLUGIN_OP_NOTSUPP errors.
Related: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
54470c6b by Carla Martinez at 2022-11-15T15:32:37+01:00
webui: Add label name to 'Certificates' section
For testing purposes and uniformity, the
'Certificates' label (located under
'Active users' settings ) should also have
'name' attribute, like seen in other parts of the WebUI.
Fixes: https://pagure.io/freeipa/issue/8946
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
580e62a1 by Mohammad Rizwan at 2022-11-15T15:32:37+01:00
ipatests: Test newly added certificate lable
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
813df68b by Carla Martinez at 2022-11-15T15:32:37+01:00
webui: Add name to 'Certificates' table
For testing purposes and uniformity, the 'Certificates'
table generated after a new certificate is added should
also have the 'name' attribute to be able to access its
value.
Fixes: https://pagure.io/freeipa/issue/8946
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
- - - - -
9d902d34 by Christian Heimes at 2022-11-16T21:14:46+02:00
Add PKINIT support to ipa-client-install
The ``ipa-client-install`` command now supports PKINIT for client
enrollment. Existing X.509 client certificates can be used to
authenticate a host.
Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA
certificates for PKINIT.
*Requirements*
- The KDC must trust the CA chain of the client certificate.
- The client must be able to verify the KDC's PKINIT cert.
- The host entry must exist. This limitation may be removed in the
future.
- A certmap rule must match the host certificate and map it to a single
host entry.
*Example*
```
ipa-client-install \
--pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
--pkinit-anchor=/path/to/kdc-ca-bundle.pem
```
Fixes: https://pagure.io/freeipa/issue/9271
Fixes: https://pagure.io/freeipa/issue/9269
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5631e474 by Rob Crittenden at 2022-11-17T09:46:29+01:00
Pass the curl write callback by name instead of address
This was reported by Coverity as a potential issue. Passing
by name is the example that curl uses so switch to that to
quiet the warning.
Also change to a static function and pre-declare it to quiet a
compile-time warning.
https://pagure.io/freeipa/issue/9274
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5626976e by Antonio Torres at 2022-11-17T09:49:59+01:00
doc: generate API Reference
Extend the 'make api' target so that we also build an API Reference in
Markdown format. One template for each command gets generated. These
templates include all of the command details (arguments, options and
outputs), and then a section for manually-added notes such as semantics
or version differences. Every time the docs are regenerated, these notes
will be added if they exist.
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4e490d20 by Antonio Torres at 2022-11-17T09:49:59+01:00
Add basic API usage guide
Add a guide explaining how to use the IPA API through Python. This
includes initializing the API, launching commands and retrieving
results, including batch operations.
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
56d28724 by Pavel Březina at 2022-11-17T10:38:54+01:00
docs: add security section to idp
Related: https://pagure.io/freeipa/issue/8805
Related: https://pagure.io/freeipa/issue/8804
Related: https://pagure.io/freeipa/issue/8803
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1de3f6c5 by Rob Crittenden at 2022-11-18T09:46:16+01:00
Support tokens and optional password files when opening an NSS db
Each token in an NSS database is likely to have its own
password/PIN. This allows the password to be set per token
available in the PKI password file.
This is necessary for HSM devices where the password is necessary
to access information about the private key (e.g. presence)
This may mean that to see all certificates in a given NSS database
one will need multiple instances of the NSSDatabase class, one for
each desired token (include None for the native token).
https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2aa8ec1d by Rob Crittenden at 2022-11-21T08:28:11+01:00
doc: Design for HSM support
Purpose is to add support for HSM installation of CA and KRA
on both initial server and replicas.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
1dfb5d56 by Florence Blanc-Renaud at 2022-11-21T16:59:14+01:00
Spec file: bump bind version on f37+
On fedora37+, require at least bind 9.18.7-1 to avoid
dnssec regression (see BZ#2117342) related to bind and
OpenSSL 3.0 engine support.
Fixes: https://pagure.io/freeipa/issue/9216
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9b1af716 by Florence Blanc-Renaud at 2022-11-21T16:59:14+01:00
ipatests: re-enable dnssec tests
On fedora 37+ the dnssec tests were broken. The tests
launched for each pull request were disabled or marked
as xfail.
With the bump of bind version, they should now succeed
and can be re-enabled.
Related: https://pagure.io/freeipa/issue/9216
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ba962632 by Francisco Trivino at 2022-11-22T07:54:18+01:00
Vault: fix interoperability issues with older RHEL systems
AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets.
This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but
setting AES as default ended-up breaking backwards compatibility with older RHEL systems.
This commit is tuning some defaults so that interoperability with older RHEL systems
works again. The new logic reflects:
- when an old client is calling a new server, it doesn't send any value for wrapping_algo
and the old value is used (3DES), so that the client can decrypt using 3DES.
- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC
- when a new client is calling an old server, it doesn't send any value and the default is
to use 3DES.
Finally, as this logic is able to handle overlapping wrapping algorithm between server and
client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa
vault-retrieve --help" commands.
Fixes: https://pagure.io/freeipa/issue/9259
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
eb25f89f by Florence Blanc-Renaud at 2022-11-22T13:48:53+01:00
spec file: bump sssd version
Bump sssd version to 2.8.0 on fedora37+ and RHEL
to ensure the fix for SSSD #6631 is present.
No need to bump the version on fedora 36 as the issue
is not seen on versions < 37.
Fixes: https://pagure.io/freeipa/issue/9234
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9a95c515 by Florence Blanc-Renaud at 2022-11-22T13:48:53+01:00
ipatests: remove xfail for tests using sssctl domain-status
The tests calling sssctl domain-status were marked xfail
because of SSSD issue #6331. Now that the issue is fixed
and freeipa bumped sssd required version, remove the xfail
annotation.
Related: https://pagure.io/freeipa/issue/9234
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f5fb8b05 by Florence Blanc-Renaud at 2022-11-22T16:01:07+01:00
ipatests: update vagrant boxes
Use new versions of vagrant boxes:
ci-ipa-4-10-f36 0.0.2
ci-ipa-4-10-f37 0.0.2
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b0d90996 by Julien Rische at 2022-11-24T07:44:05+01:00
Generate CNAMEs for TXT+URI location krb records
The IPA location system relies on DNS record priorities in order to give
higher precedence to servers from the same location. For Kerberos, this
is done by redirecting generic SRV records (e.g.
_kerberos._udp.[domain].) to location-aware records (e.g.
_kerberos._udp.[location]._locations.[domain].) using CNAMEs.
This commit applies the same logic for URI records. URI location-aware
record were created, but there were no redirection from generic URI
records. It was causing them to be ignored in practice.
Kerberos URI and TXT records have the same name: "_kerberos". However,
CNAME records cannot coexist with any other record type. To avoid this
conflict, the generic TXT realm record was replaced by location-aware
records, even if the content of these records is the same for all
locations.
Fixes: https://pagure.io/freeipa/issue/9257
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4baee5ca by Antonio Torres at 2022-11-24T16:32:04+01:00
Update translations to FreeIPA ipa-4-10 state
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
e5819bca by Antonio Torres at 2022-11-24T16:52:09+01:00
Become IPA 4.10.1
- - - - -
fd0bc4fc by Timo Aaltonen at 2023-02-21T10:00:35+02:00
Merge tag 'release-4-9-11' into m
tagging IPAv4 4.9.11
- - - - -
e32a28e6 by Timo Aaltonen at 2023-02-21T10:13:29+02:00
Merge branch 'master' into m
- - - - -
9125d8fc by Timo Aaltonen at 2023-02-21T10:20:55+02:00
version bump
- - - - -
de8e6e5a by Timo Aaltonen at 2023-02-21T10:33:03+02:00
control: Bump sssd, bind9 depends.
- - - - -
2da091cd by Timo Aaltonen at 2023-02-21T19:48:17+02:00
patches: Specify krb5_keytab in the named.conf template.
- - - - -
30 changed files:
- ACI.txt
- API.txt
- Contributors.txt
- VERSION.m4
- client/Makefile.am
- client/ipa-getkeytab.c
- client/ipa-join.c
- configure.ac
- daemons/Makefile.am
- daemons/ipa-kdb/ipa-print-pac.c
- daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
- daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
- daemons/ipa-slapi-plugins/topology/topology_cfg.c
- daemons/ipa-slapi-plugins/topology/topology_post.c
- daemons/ipa-slapi-plugins/topology/topology_pre.c
- daemons/ipa-slapi-plugins/topology/topology_util.c
- debian/changelog
- debian/control
- debian/control.common
- debian/control.server
- + debian/patches/install-fix-missing-dyndb-keytab-directive.diff
- debian/patches/series
- + doc/api/SerialNumber.md
- doc/api/ca_find.md
- doc/api/cert_find.md
- doc/api/cert_remove_hold.md
- doc/api/cert_revoke.md
- doc/api/cert_show.md
- doc/api/cert_status.md
- doc/api/dnszone_add.md
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/a72d0004f176ecdae7dbd905459b544342237270...2da091cd0e848d5d533ff85334ed1976014b28c1
--
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/a72d0004f176ecdae7dbd905459b544342237270...2da091cd0e848d5d533ff85334ed1976014b28c1
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20230221/8ed3da5b/attachment-0001.htm>
More information about the Pkg-freeipa-devel
mailing list