[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master] 376 commits: Back to git snapshots

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Wed Jan 18 16:30:21 GMT 2023



Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa


Commits:
8042bdc9 by Antonio Torres at 2021-11-25T19:23:38+01:00
Back to git snapshots

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
a0eb02cf by Timo Aaltonen at 2021-11-29T15:27:50+01:00
ipaplatform/debian: Fix HTTPD_ALIAS_DIR, and drop some obsolete paths.

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
cf9c4cc7 by Timo Aaltonen at 2021-11-29T15:27:50+01:00
ipaplatform: Add support for recognizing systemd-timesyncd

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
da9be70f by Timo Aaltonen at 2021-11-29T15:27:50+01:00
ipaplatform/debian: Fix named keytab name

This was changed in bind9 9.16 packaging

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dcdc31b6 by Timo Aaltonen at 2021-11-29T15:27:50+01:00
ipaplatform/debian: Fix ntpd service name

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e99870f7 by Timo Aaltonen at 2021-11-29T15:27:50+01:00
ipatests/test_ipaplatform: Skip test_ipa_version on Debian

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
739d3566 by Timo Aaltonen at 2021-11-29T15:27:50+01:00
ipaplatform: Modify paths to fips-mode-setup and systemd-tmpfiles

Debian hasn't yet migrated to a unified /usr.

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
69f5f319 by Timo Aaltonen at 2021-11-29T15:27:50+01:00
configure: Use HTTPD_GROUP in init/tmpfiles/ipa.conf.in

This is a platform specific value.

Fixes: https://pagure.io/freeipa/issue/9014

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
669f3d71 by Alexander Bokovoy at 2021-11-30T09:51:21+01:00
ipa-kdb: issue PAC_REQUESTER_SID only for TGTs

MS-KILE 3.3.5.6.4.8 in revision after Windows Server November 2021
security fixes added the following requirement:

- PAC_REQUESTER_SID is only added in TGT case (including referrals and
  tickets to RODCs)

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7d93bda3 by Alexander Bokovoy at 2021-11-30T09:51:21+01:00
ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates

New versions of MS-KILE and MS-SFU after Windows Server November 2021
security updates add PAC_REQUESTER_SID buffer check behavior:

 - PAC_REQUESTER_SID should only be added for TGT requests

 - if PAC_REQUESTER_SID is present, KDC must verify that the cname on
   the ticket resolves to the account with the same SID as the
   PAC_REQUESTER_SID. If it doesn't KDC must respond with
   KDC_ERR_TKT_REVOKED

Change requester SID check to skip exact check for non-local
PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
we know about.

If requester SID is the same as in PAC, we already do cname vs PAC SID
verification.

With these changes FreeIPA works against Windows Server 2019 with
November 2021 security fixes in cross-realm S4U2Self operations.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ba7ec71b by Mohammad Rizwan at 2021-11-30T09:56:38+01:00
ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica teardown

Fixture `expire_certs` moves date back after renewing the certs.
This is causing the ipa-replica to fail. This fix first uninstalls
the server then moves back the date.

Fixes: https://pagure.io/freeipa/issue/9052

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
8b22ee01 by Sumedh Sidhaye at 2021-11-30T09:58:29+01:00
Extend test to see if replica is not shown when running `ipa-replica-manage list -v <FQDN>`

Related: https://pagure.io/freeipa/issue/8605

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
4c54e9d6 by Florence Blanc-Renaud at 2021-12-14T15:13:43+01:00
ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout

The test sets 389-ds nsslapd-idletimeout to 60s, then does a
kinit with an otp token (which makes ipa-otpd create a LDAP
connection), then sleeps for 60s. The expectation is that
ns-slapd will detect that the LDAP conn from ipa-otpd is idle
and close the connection.
According to 389ds doc, the idle timeout is enforced when the
connection table is walked. By doing a ldapsearch, the test
"wakes up" ns-slapd and forces the detection of ipa-otpd
idle connection.

Fixes: https://pagure.io/freeipa/issue/9044
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
465f1669 by Anuja More at 2021-12-16T13:52:12+01:00
ipatests: Test default value of nsslapd-sizelimit.

Related: https://pagure.io/freeipa/issue/8962

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
cbd9ac6a by Mohammad Rizwan at 2021-12-18T08:25:27+01:00
ipatests: Test empty cert request doesn't force certmonger to segfault

When an empty cert request is submitted to certmonger, it segfaults.
This fix tests that if something like this happens, certmonger
should gracefully handle it

and some PEP8 fixes

related: https://pagure.io/certmonger/issue/191

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
ce112e68 by Alexander Bokovoy at 2022-01-12T11:19:14+01:00
Support building against OpenLDAP 2.6+

OpenLDAP 2.6 deprecated separate libldap/libldap_r, there is only one
(reentrant) variant for the library.

Attempt to use the _r variant by default. In case it is missing, assume we
are using OpenLDAP 2.6 which has libraries without the _r suffix. The
functions are still reentrant so there is no functional difference.

Fixes: https://pagure.io/freeipa/issue/9080

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1d19b860 by Mohammad Rizwan at 2022-01-12T15:03:38+01:00
Test cases for ipa-replica-conncheck command

Following test cases would be checked:
- when called with --principal (it should then prompt for a password)
- when called with --principal / --password
- when called without principal and password but with a kerberos TGT,
  kinit admin done before calling ipa-replica-conncheck
- when called without principal and password, and without any kerberos
  TGT (it should default to principal=admin and prompt for a password)

related: https://pagure.io/freeipa/issue/9047

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
5444da01 by Mohammad Rizwan at 2022-01-12T15:03:38+01:00
PEP8 Fixes

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
1efdda07 by Florence Blanc-Renaud at 2022-01-13T08:22:56+01:00
ipatests: update images for f34 and f35

New versions of pki-server fix the following issues:
Fixes: https://pagure.io/freeipa/issue/9024
Fixes: https://pagure.io/freeipa/issue/8865

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
edbd8f69 by Anuja More at 2022-01-13T08:26:57+01:00
ipatests: webui: Tests for subordinate ids.

Added web-ui tests to verify whether operations
using subordinate ids are working as expected.

Related: https://pagure.io/freeipa/issue/8361

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
878859f4 by Michal Polovka at 2022-01-13T08:26:57+01:00
pr-ci definitions: add web-ui subid-related jobs

Related: https://pagure.io/freeipa/issue/8361

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
6ff74911 by Florence Blanc-Renaud at 2022-01-14T09:47:41+01:00
automember default group: remove --desc parameter

The automember-default-group commands inherit from
the automember commands but should not provide the
--desc parameter.
Remove 'description' from the list of parameters.

Fixes: https://pagure.io/freeipa/issue/9068
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b9c42fed by Florence Blanc-Renaud at 2022-01-14T09:50:46+01:00
Config plugin: return EmptyModlist when no change is applied

When ipa config-mod is called with the option --enable-sid,
the code needs to trap EmptyModlist exception (it is expected
that no LDAP attribute is modified by this operation).
The code had a flaw and was checking:
    'enable_sid' in options
instead of
    options['enable_sid']

"'enable_sid' in options" always returns true as this option
is a Flag with a default value, hence always present even if
not specified on the command line.

Fixes: https://pagure.io/freeipa/issue/9063
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
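The `'enable_sid' in options` versus `options['enable_sid']` distinction above, as an added illustration (not FreeIPA code): a Flag option always carries a default in the option dict, so a membership test is always true and the EmptyModlist case is never surfaced. `EmptyModlist`, `build_options` and `modify_config` are stand-ins constructed for this example and are assumptions, not the plugin's real API.

```python
"""Added example (not FreeIPA code): why `'flag' in options` is the wrong
test for a Flag-type option that always carries a default value, and how the
corrected check changes whether EmptyModlist is trapped."""


class EmptyModlist(Exception):
    """Stand-in for ipalib's EmptyModlist: raised when an update changes nothing."""


def build_options(**overrides):
    """Constructed stand-in for the framework's option dict. A Flag option
    such as enable_sid always gets a default (False) even when the caller did
    not pass it on the command line, which is the trap the commit describes."""
    options = {"enable_sid": False}
    options.update(overrides)
    return options


def modify_config(options, modlist, check):
    """Apply a config update. An empty modlist raises EmptyModlist unless
    `check(options)` says the caller asked for --enable-sid (that operation is
    expected to leave the LDAP entry untouched)."""
    if not modlist:
        if check(options):
            return "sid-enabled-no-attribute-change"
        raise EmptyModlist()
    return "modified"


def buggy_check(options):
    # Before the fix: membership test, always true because of the default.
    return "enable_sid" in options


def fixed_check(options):
    # After the fix: look at the value the caller actually set.
    return options["enable_sid"]


def call_without_changes(check):
    """Return what a config-mod with no attribute changes and without
    --enable-sid reports: the fixed check surfaces EmptyModlist, the buggy
    one silently swallows it."""
    try:
        return modify_config(build_options(), [], check)
    except EmptyModlist:
        return "EmptyModlist"
```

The same trap applies to any option type with a default: check the value, not the key's presence.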
cd735099 by Florence Blanc-Renaud at 2022-01-14T09:50:46+01:00
config plugin: add a test ensuring EmptyModlist is returned

Add a test to test_config_plugin, that calls ipa config-mod
with the same value as already present in LDAP.
The call must return EmptyModlist.

Related: https://pagure.io/freeipa/issue/9063
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
419d7fd6 by Michal Polovka at 2022-01-14T16:57:36+01:00
ipatests: webui: Use safe-loader for loading YAML configuration file

FullLoader class for YAML loader was introduced in version 5.1 which
also deprecated default loader. SafeLoader, however, stays consistent
across the versions and brings added security.

This fix is necessary as PyYAML > 5.1 is not available in downstream.

Related: https://pagure.io/freeipa/issue/9009

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e11cf7f4 by jh23453 at 2022-01-17T10:27:12+01:00
Remove deprecation warning when installing a CA replica

I got the following message when installing a replica with CA:

2021-11-22T21:15:35Z DEBUG   [5/30]: configuring certificate server instance

...
WARNING: The 'pki_ssl_server_token' in [CA] has been deprecated. Use 'pki_sslserver_token' instead.
Installation log: /var/log/pki/pki-ca-spawn.20211122221535.log
Installing CA into /var/lib/pki/pki-tomcat.

With the following change the message no longer appears when installing a replica.

This commit fixes the first (and simple) part of https://pagure.io/freeipa/issue/9056

Signed-off-by: Jochen Kellner <jochen at jochen.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
0edf915e by Sumedh Sidhaye at 2022-01-17T13:36:22+01:00
Added test automation for SHA384withRSA CSR support

Scenario 1:
Setup master with --ca-signing-algorithm=SHA384withRSA
Run certutil and check Signing Algorithm

Scenario 2:
Setup a master
Stop services
Modify default.params.signingAlg in CS.cfg
Restart services
Resubmit cert (Resubmitted cert should have new Algorithm)

Pagure Link: https://pagure.io/freeipa/issue/8906

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
ef43ea03 by Sumedh Sidhaye at 2022-01-17T13:36:22+01:00
Added nightly job definitions

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
d8a7f15e by Florence Blanc-Renaud at 2022-01-20T16:42:18+01:00
ipatests: update images for f34 and f35

The new images contain the pkg kernel-modules
Fixes: https://pagure.io/freeipa/issue/9087

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
ace0bbfd by Alexander Bokovoy at 2022-01-25T09:09:22+01:00
ipa-kdb: refactor KDB driver to prepare for KDB version 9

MIT Kerberos 1.20 changes DAL interface around PAC record issuance:
sign_authdata callback is removed and replaced with issue_pac one.
The signatures are different and logic changed as well.

Prepare for KDB version 9 by moving PAC implementation into separate
source files. ipa_kdb_mspac.c is left with most of the common code.

FreeIPA supports sign_authdata callback since KDB version 6, move current
implementation to ipa_kdb_mspac_v6.c.

KDB version 8 actually changed sign_authdata interface and we accounted
to that in ipa_kdb.c with a stub that re-uses v6 version. Keep it as it
is right now.

Finally, add KDB version 9 stub files. Compiling against MIT Kerberos
1.20 does not work yet, thus explicit #error message in ipa_kdb.c. This
will be worked on later.

Related: https://pagure.io/freeipa/issue/9083

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
cd8e9ce1 by Florence Blanc-Renaud at 2022-01-25T17:33:23+01:00
ipatests: fix expected automount config in nsswitch.conf

The test TestIpaClientAutomountFileRestore expects a
specific order for the automount sources to query
in /etc/nsswitch.conf.

With authselect update 1.3.0, the databases are sorted in
order of likelihood and the following line is seen:
automount: files sss
instead of
automount: sss files

Since the test doesn't care about the order but rather about
the list of sources, ignore the order.

Fixes: https://pagure.io/freeipa/issue/9067
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9bae5492 by Florence Blanc-Renaud at 2022-02-01T08:53:30+01:00
ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus

The access to /kra/admin/kra/getStatus will be needed
in order to fix pki-healthcheck.
Note that this commit is a pre-requisite for the fix
to be done on PKI side. No test added since the full
integration test already exists in test_replica_promotion.py,
in TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica

Fixes: https://pagure.io/freeipa/issue/9099
Related: https://pagure.io/freeipa/issue/8582

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
653a7fe0 by Francisco Trivino at 2022-02-01T08:57:24+01:00
Custodia: use a stronger encryption algo when exporting keys

The Custodia key export handler is using the default OpenSSL encryption
scheme for PKCS#12.

This represents an issue when performing a migration from CentOS Stream 8 (C8S)
to CentOS Stream 9 (C9S) where the Custodia client running in the new C9S
replica talks to the Custodia server on the C8S source server. The latter creates an
encrypted PKCS#12 file that contains the cert and the key using OpenSSL's
default encryption scheme, which is no longer supported on C9S.

This commit enforces a stronger encryption algorithm by adding the following
arguments to the Custodia server handler:

-keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384

The new arguments enforce stronger PBEv2 instead of the insecure PBEv1.

Fixes: https://pagure.io/freeipa/issue/9101

Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
6d70421f by Julien Rische at 2022-02-02T21:51:44+01:00
ipa-kdb: do not remove keys for hardened auth-enabled users

Since 5d51ae5, principal keys were dropped in case user auth indicator
was not including password. Thereafter, the key removal behavior was
removed by 15ff9c8 in the context of the kdcpolicy plugin introduction.
Support for hardened pre-auth methods (FAST and SPAKE) was added in
d057040, and the removal of principal keys was restored afterwards by
f0d12b7, but not taking the new hardened auth indicator into account.

Fixes: https://pagure.io/freeipa/issue/9065
Related to: https://pagure.io/freeipa/issue/8001

Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
294ae35a by Julien Rische at 2022-02-02T21:51:44+01:00
ipatests: add case for hardened-only ticket policy

Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
edb21684 by Rob Crittenden at 2022-02-04T09:32:30+01:00
Don't always override the port in import_included_profiles

I can only guess at the original purpose of this override. I
believe it was because this is called in the installer prior
to Apache being set up. The expectation was that this would
only be called locally. It predates the RestClient class.

RestClient will attempt to find an available service. In this
case, during a CA installation, the local server is not
considered available because it lacks an entry in
cn=masters. So it will never be returned as an option.

So by overriding the port to 8443 the remote connection will
likely fail because we don't require that the port be open.

So instead, instantiate a RestClient and see what happens.

There are several use-cases:

1. Installing an initial server. The RestClient connection
   should fail, so we will fall back to the override port and
   use the local server. If Apache happens to be running with
   a globally-issued certificate then the RestClient will
   succeed. In this case if the connected host and the local
   hostname are the same, override in that case as well.

2. Installing as a replica. In this case the local server should
   be ignored in all cases and a remote CA will be picked with
   no override done.

3. Switching from CA-less to CA-ful. The web server will be
   trusted but the RestClient login will fail with a 404. Fall
   back to the override port in this case.

The motivation for this is trying to install an EL 8.x replica
against an EL 7.9 server. 8.5+ includes the ACME service and
a new profile is needed which doesn't exist in 7. This was
failing because the RestClient determined that the local server
wasn't running a CA so tried the remote one (7.9) on the override
port 8443. Since this port isn't open: failure.

Chances are that adding the profile is still going to fail
because again, 7.9 lacks ACME capabilities, but it will fail in
a way that allows the installation to continue.

I suspect that all of the overrides can similarly be handled, or
handled directly within the RestClient class, but for the sake
of "do no harm" I'm only changing this instance for now.

https://pagure.io/freeipa/issue/9100

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
7c5540bb by Rob Crittenden at 2022-02-07T09:16:32+01:00
Remove ipa-join errors from behind the debug option

This brings it inline with the previous XML-RPC output which
only hid the request and response from the output and not
any errors returned.

https://pagure.io/freeipa/issue/9103

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Peter Keresztes Schmidt <carbenium at outlook.com>

- - - - -
85ce7acb by Alexander Bokovoy at 2022-02-07T13:03:47+02:00
OpenLDAP 2.6+: use only -H option to specify LDAP url

OpenLDAP 2.6+ finally deprecated -h and -p options in all its command
line tools. They are not allowed anymore and cause ldap* tools to stop
hard with 'unknown option' error.

Fix this by always using -H url option instead. Deriving default value
for -H url from the configuration file still works, it is only -h and -p
that were deprecated.

See also: https://bugs.openldap.org/show_bug.cgi?id=8618

Fixes: https://pagure.io/freeipa/issue/9106

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
10d32d43 by Alexander Bokovoy at 2022-02-07T13:03:47+02:00
pylint: workaround incorrect pylint detection of a local function

pylint 2.9 thinks that __add_principal is a class-level method that is
unused. It is a local function inside one of class methods and is used
directly inside that method.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
0d034d7f by Alexander Bokovoy at 2022-02-07T13:03:47+02:00
translations: regenerate translations after changes in help message in sudorule

A change to replace -h and -p options in OpenLDAP command line utilities
causes also an update in the help text in sudorule plugin. This, sadly,
makes existing translations of that text not valid anymore. However, we
have to change the text as OpenLDAP 2.6+ will make the command
referenced in the help text incorrect.

The change in OpenLDAP 2.6+ implements deprecation that was announced by
OpenLDAP project around 20 years ago, so all existing tools support -H
option.

See also: https://bugs.openldap.org/show_bug.cgi?id=8618

Related: https://pagure.io/freeipa/issue/9106

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
896d0f35 by Florence Blanc-Renaud at 2022-02-08T18:32:24+01:00
ipatests: update images for f34 and f35

The new images include 389-ds-base 2.0.14-1
which contains the fixes for the following tickets:

389-ds-base #5079 Freeipa nightly test failure with winsync agreement
389-ds-base #5031 ipa-restore broken in selinux enforcing mode

Fixes: https://pagure.io/freeipa/issue/9069
Fixes: https://pagure.io/freeipa/issue/9051

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
9b6d0bb1 by Rob Crittenden at 2022-02-10T08:33:14+01:00
Enable the ccache sweep timer during installation

The timer was only being enabled during package installation
if IPA was configured. So effectively only on upgrade.

Add as a separate installation step after the ccache directory
is configured.

Fixes: https://pagure.io/freeipa/issue/9107

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0d9eb3d5 by Mohammad Rizwan at 2022-02-10T08:33:14+01:00
Test ipa-ccache-sweep.timer enabled by default during installation

This test checks that ipa-ccache-sweep.timer is enabled by default
during the ipa installation.

related: https://pagure.io/freeipa/issue/9107

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
86b98b86 by Stanislav Levin at 2022-02-10T08:39:47+01:00
ipatests: healthcheck: Sync the expected system RRs

The support for the DNS URI RRs has been added in freeipa-healthcheck:
https://github.com/freeipa/freeipa-healthcheck/issues/222

Fixes: https://pagure.io/freeipa/issue/9054
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
cc2348ae by Rob Crittenden at 2022-02-14T11:09:46+02:00
ipatests: Remove certmonger tracking before uninstall in cert tests

There is some contention between certmonger starting during the
uninstallation process in order to stop the tracking and activity
going on within certmonger helpers.

As near as I can tell certmonger is not running, then IPA is
stopped in order to uninstall, then certmonger is started to stop
the tracking. certmonger checks cert status on startup but since
IPA isn't running it can't get a host ticket. During this time any
request over DBus may time out, causing a test to fail when we're
just trying to clean up.

https://pagure.io/freeipa/issue/8506

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b36bcf4e by Anuja More at 2022-02-14T11:13:55+02:00
ipatests: remove additional check for failed units.

On RHEL tests are randomly failing because of this check
and the test doesn't need to check this.

Related : https://pagure.io/freeipa/issue/9108

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
83770219 by Brian Turek at 2022-02-14T11:18:07+02:00
ipalib: Handle percent signs in saved values

Turn off string interpolation on the FileStore class to avoid
exceptions when a value to be saved contains a percent sign (%).
The underlying SafeConfigParser that is used interprets percent
signs as placeholders to be interpolated which then causes an
exception as the placeholder isn't properly formatted.

ipa-client-install uses the FileStore class to backup certain
values that it overwrites as part of the installation. If those
pre-existing, backed-up values contained a percent sign,
ipa-client-install would throw an exception and thus prevent
installation.

https://pagure.io/freeipa/issue/9085

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
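The interpolation failure described in the commit above, as an added illustration (not FreeIPA's FileStore code): with the default configparser interpolation, a stored value containing a bare `%` is rejected at write time, while `interpolation=None` stores and reads it back verbatim. The sample value and the `round_trip` helper are constructed for this example.

```python
"""Added example (not FreeIPA code): saving a value containing '%' through
configparser with the default interpolation enabled fails, while
interpolation=None stores and reads it back verbatim."""
import configparser
import io

# Constructed sample: a value an installer might back up, containing literal
# percent signs that are not valid '%(name)s' placeholders.
SAMPLE_VALUE = "https://example.test/%7Eipa?quota=100%"


def round_trip(value, interpolation):
    """Write one key/value into a parser, serialize it, read it back and
    return the stored value. Raises if interpolation rejects the '%'."""
    writer = configparser.ConfigParser(interpolation=interpolation)
    writer.add_section("files")
    # set() runs the interpolation's before_set() validation on the value
    writer.set("files", "backup", value)
    buf = io.StringIO()
    writer.write(buf)
    reader = configparser.ConfigParser(interpolation=interpolation)
    reader.read_string(buf.getvalue())
    return reader.get("files", "backup")


def save_with_default_interpolation(value):
    """Behaviour before the fix: returns the exception class name when a
    bare '%' makes BasicInterpolation (the default) raise."""
    try:
        return round_trip(value, configparser.BasicInterpolation())
    except (ValueError, configparser.Error) as exc:
        return type(exc).__name__


def save_without_interpolation(value):
    """Behaviour after the fix: interpolation=None treats '%' as plain text."""
    return round_trip(value, None)
```

Disabling interpolation is the right choice for a backup store whose values are opaque strings copied from system files; nothing in such a store should ever be expanded.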
186ebe31 by Francisco Trivino at 2022-02-14T11:33:05+02:00
ipa_cldap: fix memory leak

ipa_cldap_encode_netlogon() allocates memory to store binary data as part of
berval (bv_val) when processing a CLDAP packet request from a worker. The
data is used by ipa_cldap_respond() but bv_val is not freed later on.

This commit is adding the corresponding free() after ipa_cldap_respond()
is completed.

Discovered by LeakSanitizer

Fixes: https://pagure.io/freeipa/issue/9110
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz at redhat.com>

- - - - -
f2731107 by Florence Blanc-Renaud at 2022-02-22T14:46:44+01:00
Commit template: use either Fixes or Related

Update the commit template to be consistent with the
commit message requirements described at
https://www.freeipa.org/page/Contribute/Code#Commit_message_requirements

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
d8174b0c by Rob Crittenden at 2022-02-23T10:04:19+01:00
Set the mode on ipaupgrade.log during RPM %post snippet

The IPA tools will create /var/log/ipaupgrade.log with mode
0600. If for some reason this file doesn't exist during
upgrade then it will be created by the RPM transaction with
mode 0644 (because of umask).

So always set the mode once the snippets are done. This
will ensure that a newly created log will have the expected
mode and also fix any previous incorrectly set mode.

Fixes: https://pagure.io/freeipa/issue/8899

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
6b70e3c4 by Anuja More at 2022-02-24T08:46:15+01:00
ipatests: Tests for Autoprivate group.

Added tests using posix AD trust and non-posix AD trust
for option --auto-private-groups=[hybrid/true/false].

Related: https://pagure.io/freeipa/issue/8807

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
84381001 by Anuja More at 2022-02-24T08:46:15+01:00
mark xfail for test_idoverride_with_auto_private_group[hybrid]

Related: https://github.com/SSSD/sssd/issues/5989

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
7ad500e5 by Anuja More at 2022-02-24T08:46:15+01:00
Mark xfail test_gidnumber_not_corresponding_existing_group[true,hybrid]

Related: https://github.com/SSSD/sssd/issues/5988

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
ab9e7dac by Rob Crittenden at 2022-02-24T08:53:34+01:00
ipa-restore: Mark a restored server as enabled

There is no use-case to keep a restored server in a hidden
state. It can be re-marked as hidden once the installation is
recovered from the restore. So mark all restored services as
enabled so they are visible to existing clients during the
remaining recovery.

Fixes: https://pagure.io/freeipa/issue/9095

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
7ac8e969 by Rob Crittenden at 2022-02-25T11:15:39+01:00
Verify the user-provided hostname in the server installer

The refactor change 9094dfc had a slight error where the
user-input provided value in input wasn't being validated. Only
the command-line or the current FQDN was being verified so
if the FQDN was bad any value input by the user was being skipped.

Fixes: https://pagure.io/freeipa/issue/9111

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
57de18e9 by Rob Crittenden at 2022-02-25T11:15:39+01:00
Strip off trailing period of a user-provided FQDN in installer

The example text included a trailing dot which isn't actually
allowed in a system hostname (just DNS). Remove the suggestion
to include it and strip off any trailing dot so that the install
can proceed.

Related: https://pagure.io/freeipa/issue/9111

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
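The two installer fixes above (validate the prompted value too, and strip a trailing dot before validating) as one added illustration; this is not FreeIPA's installer code. The label syntax follows RFC 1123, and the candidate order in `choose_hostname` (command-line value, then prompted value, then current FQDN) is an assumption made for the example.

```python
"""Added example (not FreeIPA code): normalize a user-typed hostname by
stripping one trailing dot, then validate it as a fully qualified system
hostname, applying the same validation to whichever source supplied it."""
import re

# RFC 1123 label: alphanumerics and hyphens, no leading/trailing hyphen,
# at most 63 characters.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize_hostname(value):
    """Trim whitespace, lowercase, and drop a single trailing dot (DNS
    absolute-name notation), which is not permitted in a system hostname."""
    host = value.strip().lower()
    if host.endswith("."):
        host = host[:-1]
    return host


def validate_fqdn(value):
    """Return (ok, normalized_host_or_reason). The trailing dot is stripped
    before checking, so 'ipa.example.test.' is accepted as 'ipa.example.test'."""
    host = normalize_hostname(value)
    if not host:
        return False, "empty hostname"
    if len(host) > 253:
        return False, "hostname longer than 253 characters"
    labels = host.split(".")
    if len(labels) < 2:
        return False, "not fully qualified (needs at least one dot)"
    for label in labels:
        if not LABEL_RE.match(label):
            return False, "invalid label %r" % label
    return True, host


def choose_hostname(cli_value, prompted_value, current_fqdn):
    """Pick the first available candidate (assumed order: command line,
    interactive prompt, current FQDN) and validate the one actually chosen,
    so a prompted value never bypasses validation. Raises ValueError."""
    for candidate in (cli_value, prompted_value, current_fqdn):
        if candidate:
            ok, result = validate_fqdn(candidate)
            if not ok:
                raise ValueError(result)
            return result
    raise ValueError("no hostname available")
```

The point of routing every candidate through the same `validate_fqdn` is that the check cannot be skipped for one input path, which is the class of bug the first commit fixed.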
42f41ff6 by Florence Blanc-Renaud at 2022-03-03T08:12:58+01:00
ipatests: add missing test in the nightly defs

The test
test_integration/test_installation.py::TestInstallWithoutNamed
was missing in some nightly definitions.
Add the job definition for nightly_ipa-4-9_latest_selinux.yaml

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a5190081 by Alexander Bokovoy at 2022-03-08T17:15:55+01:00
KRB instance: make provision to work with crypto policy without SHA-1 HMAC types

RHEL 9 system-wide crypto policies aim at eventual removal of SHA-1 use.

Due to bootstrapping process, force explicitly supported encryption
types in kdc.conf or we may end up with AES128-SHA1 and AES256-SHA2 only
in FIPS mode at bootstrap time which then fails to initialize kadmin
principals requiring use of AES256-SHA2 and AES128-SHA2.

Camellia ciphers must be filtered out in FIPS mode, we do that already
in the kerberos.ldif.

At this point we are not changing the master key encryption type to
AES256-SHA2 because upgrading existing deployments is complicated and
at the time when a replica configuration is deployed, we don't know what
is the encryption type of the master key of the original server as well.

Fixes: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
b0166835 by Alexander Bokovoy at 2022-03-08T17:15:55+01:00
tests: ensure AD-SUPPORT subpolicy is active

Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS
mode. This is required in FIPS mode due to AD not supporting Kerberos
AES-based encryption types using FIPS-compliant PBKDF2 and KDF, as
defined in RFC 8009.

Fixes: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
49d9147e by Alexander Bokovoy at 2022-03-08T17:15:55+01:00
ipatests: extend AES keyset to SHA2-based ones

Fixes: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
ee39de46 by Alexander Bokovoy at 2022-03-08T17:15:55+01:00
freeipa.spec: bump crypto-policies dependency for CentOS 9 Stream

Fixes: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
7f8b4f03 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Skip redundant-u-string-prefix

Pylint 2.10 introduced new checker `redundant-u-string-prefix`:
> Used when we detect a string with a u prefix. These prefixes were
  necessary in Python 2 to indicate a string was Unicode, but since Python
  3.0 strings are Unicode by default.

There are ~31K emitted warnings right now. They can be fixed on
refactorings without any rush.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b5fc2eef by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Skip consider-using-f-string

Pylint 2.11 introduced new checker:
> Used when we detect a string that is being formatted with format() or
  % which could potentially be a f-string. The use of f-strings is
  preferred. Requires Python 3.6 and ``py-version >= 3.6``.

- f-strings are not mandatory
- format can be more readable
- there are ~5.5K spotted issues

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
40ee6a47 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Skip use-dict-literal/use-list-literal

Pylint 2.10 introduced new checkers:
> Emitted when using dict() to create an empty dictionary instead of the
  literal {}. The literal is faster as it avoids an additional function
  call.

> Emitted when using list() to create an empty list instead of the
  literal []. The literal is faster as it avoids an additional function
  call.

Too many unessential changes.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
106d011e by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Skip unspecified-encoding

Pylint 2.10 introduced new checker:
> It is better to specify an encoding when opening documents. Using the
  system default implicitly can create problems on other operating
  systems. See https://www.python.org/dev/peps/pep-0597/

According to that PEP:
> open(filename) isn't explicit about which encoding is expected:
  - If ASCII is assumed, this isn't a bug, but may result in decreased
    performance on Windows, particularly with non-Latin-1 locale
    encodings
  - If UTF-8 is assumed, this may be a bug or a platform-specific script
  - If the locale encoding is assumed, the behavior is as expected (but
    could change if future versions of Python modify the default)

IPA requires UTF-8 environments.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6fd75de5 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Fix use-maxsplit-arg

Pylint 2.9.0 new checker:
> Emitted when accessing only the first or last element of str.split().
  The first and last element can be accessed by using str.split(sep,
  maxsplit=1)[0] or str.rsplit(sep, maxsplit=1)[-1] instead.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
04c40323 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Clean up __convert_to_gssapi_replication

__convert_to_gssapi_replication has been added in a0bfbec19 and
then removed in ce2bb47cc without clean up.

Found by Pylint:
```
ipaserver/install/krbinstance.py:589: [W0238(unused-private-member),
KrbInstance.__convert_to_gssapi_replication] Unused private member
`KrbInstance.__convert_to_gssapi_replication(self)`)
```

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3c77949a by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Drop never used __remove_lightweight_ca_key_retrieval_custodia

__remove_lightweight_ca_key_retrieval_custodia has been added in
8700101d9, but it was never used.

Caught by Pylint:
```
ipaserver/install/cainstance.py:1308: [W0238(unused-private-member),
CAInstance.__remove_lightweight_ca_key_retrieval_custodia]
Unused private member
`CAInstance.__remove_lightweight_ca_key_retrieval_custodia(self)`)
```

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dfa1ceac by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Drop no longer used __finalized

The private member `__finalized` has been added in
7db3aae1b26588b3650dae442b07dca0f33ab0c8, later removed in
6b8abb0d78a8d86d7ca52083a267fe226bf74656, but `_API__finalized`
(access via mangled attribute name) was not cleaned up and finally
refactored back to `__finalized` in
b1fc875c3ac74be91df8f1cf8b4369b77a156677.

Found by Pylint:
```
ipalib/plugable.py:807: [W0238(unused-private-member), API.finalize]
Unused private member `API.__finalized`)
```

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9ca818b1 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Skip unused-private-member for property case

See https://github.com/PyCQA/pylint/issues/4756 for details

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
bffde84c by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Skip unused-private-member for unsupported cases

> This mangling is done without regard to the syntactic position of the
identifier, as long as it occurs within the definition of a class.

`__set_attr` is called for instance of the class within its
classmethod.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4da897c3 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Fix unused-private-member

Pylint 2.9.0 introduced new checker:
> Emitted when a private member of a class is defined but not used

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
91ff7b87 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Drop no longer used __home

`__home` has been added in 8ca44bcbfa2aec0c7c84205dc08c81f711a22c5d,
later `tests.util` was refactored in
fd43b39145382b96cd2e0d0da3d5dcbe0d3a4a2a, but `__home` wasn't cleaned
up.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0ebf09e0 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Remove unused __convert_iter

__convert_iter was added in 24b6cb89d, but it was never used.

Found by Pylint:
```
ipalib/frontend.py:696: [W0238(unused-private-member),
Command.__convert_iter] Unused private member
`Command.__convert_iter(self, kw)`)
```

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ccf9334d by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Fix deprecated-class

There is no actual usage of deprecated classes for Python3.
Pylint complains about such for Python2. Since Python2 is no
longer supported these imports were removed.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d3b384b5 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Fix unnecessary-dict-index-lookup

Pylint 2.9 introduced new check:
> Emitted when iterating over the dictionary items (key-item pairs) and
accessing the value by index lookup. The value can be accessed directly
instead.

Note: in Python3 removing from a dict during an iteration is not
even possible. For example,
```
cat a.py
d = {"a": 1}

for k, v in d.items():
    if v is not None:
        del d[k]

python3 a.py
Traceback (most recent call last):
  File "/usr/src/RPM/BUILD/freeipa/a.py", line 3, in <module>
    for k, v in d.items():
RuntimeError: dictionary changed size during iteration
```

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
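
The failure mode quoted above, reproduced beside the safe form. This is an added example, not FreeIPA code; the dict contents are constructed for the demonstration.

```python
"""Added example (not FreeIPA code): deleting from a dict while iterating
over it, the RuntimeError the commit message shows, beside the form that
snapshots the items first."""


def prune_inplace_wrong(d):
    """Reproduces the commit message's traceback.

    CPython's dict iterator checks the dict size on every step, so the
    first deletion makes the next iteration raise
    RuntimeError("dictionary changed size during iteration").
    """
    for k, v in d.items():
        if v is not None:
            del d[k]
    return d


def prune_inplace(d):
    """Safe variant: iterate over a copy of the items, then delete from d.

    list(d.items()) materializes the view before the loop starts, so
    mutating d inside the loop is fine. The value is taken from the
    unpacked pair (v) rather than looked up again as d[k], which is what
    unnecessary-dict-index-lookup flags.
    """
    for k, v in list(d.items()):
        if v is not None:
            del d[k]
    return d


def naive_delete_raises(d):
    """True if the naive in-place deletion raises RuntimeError on a copy of d."""
    try:
        prune_inplace_wrong(dict(d))
    except RuntimeError:
        return True
    return False
```

Running naive_delete_raises({"a": 1}) reproduces the traceback from the commit message; prune_inplace on the same input returns {}.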

- - - - -
054376c1 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Fix deprecated-decorator

Pylint 2.9 introduced new checker:
> The decorator is marked as deprecated and will be removed in the
  future.

- @abstractproperty has been deprecated since Python3.3 [0]
- @abstractclassmethod has been deprecated since Python3.3 [1]

[0]: https://docs.python.org/3/library/abc.html#abc.abstractproperty
[1]: https://docs.python.org/3/library/abc.html#abc.abstractclassmethod

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
afba4147 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Skip isinstance-second-argument-not-valid-type

The type of the value to be compared is a class attribute.
Today's Pylint doesn't support this.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
08f2db78 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Fix no-member

Teach pylint or skip newly exposed no-members.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
76c2c08f by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Fix unused-variable

Fixed newly exposed unused variables.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
13e5720d by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Skip not-callable

The klass property refers to a class attribute.
Today's Pylint doesn't support this.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
322d0892 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Fix consider-using-dict-items

Pylint 2.9 introduced new check:
> New checker consider-using-dict-items. Emitted when iterating over
dictionary keys and then indexing the same dictionary with the key
within loop body.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
bb515f41 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Skip raising-bad-type

See https://github.com/PyCQA/pylint/issues/4772 for details.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2db2c6cb by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Enable useless-suppression

https://pylint.pycqa.org/en/latest/user_guide/message-control.html#detecting-useless-disables:

> As pylint gets better and false positives are removed, disables that
  became useless can accumulate and clutter the code. In order to clean
  them you can enable the useless-suppression warning.

This doesn't enforce useless-suppression warnings as errors. The idea is
cleanup of these warnings on every Pylint bump.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
03cd9143 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Skip use-implicit-booleaness-not-comparison

Pylint 2.12.0 introduced new checker:
> Used when Pylint detects that collection literal comparison is being
  used to check for emptiness; Use implicit booleaness instead of a
  collection classes; empty collections are considered as false

Comparison of variable to equality to collection:
> Lexicographical comparison between built-in collections works as follows:
  For two collections to compare equal, they must be of the same type,
  have the same length, and each pair of corresponding elements must
  compare equal (for example, [1,2] == (1,2) is false because the type is
  not the same).
  Collections that support order comparison are ordered the same as their
  first unequal elements (for example, [1,2,x] <= [1,2,y] has the same
  value as x <= y). If a corresponding element does not exist, the shorter
  collection is ordered first (for example, [1,2] < [1,2,3] is true).

So, `assert value == {}` is not the same as `assert not value`.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a960adc6 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Fix arguments-renamed

Pylint 2.9.0 introduced new checker which was a subset of
arguments-differ:

> Used when a method parameter has a different name than in the
  implemented interface or in an overridden method.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3ea0e1bd by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Fix consider-using-in

Pylint 2.11.0 extends consider-using-in check to work for
attribute access.

> To check if a variable is equal to one of many values, combine the
  values into a tuple and check if the variable is contained "in" it
  instead of checking for equality against each of the values. This
  is faster and less verbose.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1f17ade6 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Skip deprecated-method for match_hostname

Python3.7 switched to
`X509_VERIFY_PARAM_set1_host`/`X509_VERIFY_PARAM_set1_ip`
and deprecated `match_hostname` without replacement. Probably,
on removal of `match_hostname` similar functionality may be
implemented on the IPA side.

https://docs.python.org/3/library/ssl.html#ssl.match_hostname

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fd99e4d4 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Fix deprecated-method for threading

As of Python3 `currentThread`, `thread.getName` are aliases for
`threading.current_thread()` and `threading.Thread.name`
respectively.

In Python3.10:
> bpo-43723: The following threading methods are now deprecated and
  should be replaced:
  currentThread => threading.current_thread()
  activeCount => threading.active_count()
  Condition.notifyAll => threading.Condition.notify_all()
  Event.isSet => threading.Event.is_set()
  Thread.setName => threading.Thread.name
  thread.getName => threading.Thread.name
  Thread.isDaemon => threading.Thread.daemon
  Thread.setDaemon => threading.Thread.daemon

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
bfb23318 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Skip unsupported-assignment-operation

Pylint thinks that the values are None because it doesn't support
flow analysis.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c5b46578 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Fix format-string-without-interpolation

Found by new Pylint:
> ipaclient/install/client.py:1926:
[W1310(format-string-without-interpolation), get_ca_certs] Using
formatting for a string that does not have any interpolated variables)

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6202a7d8 by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Fix useless-suppression

Clean up no longer used Pylint disables where possible.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b58ec49d by Stanislav Levin at 2022-03-14T10:44:55-04:00
pylint: Skip false-positive invalid-sequence-index

Pylint doesn't handle flow control and thus, doesn't understand
that a key of type `str` is not reachable at this point:

> ipalib/base.py:472: [E1126(invalid-sequence-index),
  NameSpace.__getitem__] Sequence index is not an int, slice, or instance
  with __index__)

Note: I faced this error on Python3.9 and didn't see it using
Python3.10.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1e2cf551 by Stanislav Levin at 2022-03-14T10:44:55-04:00
azure: Bump supported Pylint

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b413a327 by Fraser Tweedale at 2022-03-15T08:32:56+01:00
allow overriding systemd-tmpfiles program

In some contexts, filesystem mounts may be owned by unmapped users
(e.g. `emptyDir` mounts in Kubernetes / OpenShift when using user
namespaces).  This causes `systemd-tmpfiles(8)` to fail, as a
consequence of systemd's path processing routines which reject this
scenario.  Therefore, in Fedora container context, if the
`IPA_TMPFILES_PROG` environment value is set, use the program
specified by its value instead of `/bin/systemd-tmpfiles`.

Signed-off-by: Fraser Tweedale <ftweedal at redhat.com>
Fixes: https://pagure.io/freeipa/issue/9126
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3a4238ba by Rob Crittenden at 2022-03-16T11:07:24+02:00
ipatests: Give the subCA more time to be loaded by the CA

The subCA keys are loaded out-of-band after creation into the
CA so they may have been replicated but not loaded. Give more
time for them to appear in the remote CA.

Use a loop for the checking instead of a raw sleep because most
of the time this is very fast (< 15 seconds) but sometimes it
requires just a bit more. Allow up to 60 seconds.

To avoid output difference, strip the token name out of certutil
output. We don't care about the token a certificate is stored
in, the internal or the FIPS token. We just care that they exist
on both servers and that the keys match.

Apparently in some cases the token name is displayed and not in
others, so let's normalize the output to make comparisons more
consistent.

Fixes: https://pagure.io/freeipa/issue/9096

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
cedca75f by Sumit Bose at 2022-03-16T16:19:02+02:00
extdom: use getorigby{user|group}name if available

New calls, getorigbyusername() and getorigbygroupname(), are added to
libsss_nss_idmap. They allow querying the AD-specific attributes for a
user or a group directly. Besides a minor performance benefit it helps
to avoid issues if there are users and groups with the same name and the
group is not a user-private group but a real group with members.

Fixes: https://pagure.io/freeipa/issue/9127
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3e54c436 by Alexander Bokovoy at 2022-03-16T16:21:52+02:00
Kerberos instance: default to AES256-SHA2 for master key encryption

KDC configuration in /var/kerberos/krb5kdc/kdc.conf is generated from
the template in install/share/kdc.conf.template. Master key encryption
type specified there is used to bootstrap the master key in LDAP
database. Once it is done, actual deployment does not rely on the
master_key_type value anymore. The actual master key(s) get loaded from
LDAP database where they are stored in a BER-encoded format, preserving all
parameters, including encryption type.

This means we can safely migrate to AES256-SHA2 as the default master
key encryption type for new installations. Replicas will get their
master key encryption type details from the server they were provisioned
from.

MIT Kerberos supports AES256-SHA2 since 1.15 (2015), meaning RHEL 7.4 is
the earliest supported version as it provides krb5 1.15.1. Current
supported RHEL 7 version is RHEL 7.9. Since RHEL 6 already cannot be
used as a replica to IPA 4.5+ due to a domain level 1 upgrade, this
change does not affect old releases.

Migration from the previously deployed master key encryption type is
described by MIT Kerberos upstream in
http://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/retiring-des.html#the-database-master-key

One would need to use '-x ipa-setup-override-restrictions' to allow
the `kdb5_util` utility to modify the data over IPA KDB driver.

Fixes: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
3baae8d1 by Alexander Bokovoy at 2022-03-16T16:21:52+02:00
test_otp: do not use paramiko unless it is really needed

paramiko cannot be used in FIPS mode. We have few tests that import
generic methods from test_otp (add_token/del_token) and those tests fail
in FIPS mode due to unconditional 'import paramiko'.

Instead, move 'import paramiko' to the ssh_2f() helper which is not used
in FIPS mode (the whole SSH 2FA test is skipped then).

Related: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
2e70535f by Alexander Bokovoy at 2022-03-16T16:21:52+02:00
test_krbtpolicy: skip SPAKE-related tests in FIPS mode

SPAKE is based on the crypto primitives which are not FIPS compliant
yet. This means that in FIPS mode use of 'hardened' authentication
indicator is not possible. Skip corresponding tests in FIPS mode.

Related: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
895e99b6 by Christian Heimes at 2022-03-16T16:24:02+02:00
Support AES for KRA archival wrapping

The vault plugin has used TripleDES (des-ede3-cbc) as default wrapping
algorithm since the plugin was introduced. Allow use of AES-128-CBC as
alternative wrapping algorithm for transport of secrets.

Fixes: https://pagure.io/freeipa/issue/6524

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
984190ee by Francisco Trivino at 2022-03-16T16:24:02+02:00
Set AES as default for KRA archival wrapping

This commit sets AES-128-CBC as default wrapping algorithm as
TripleDES (des-ede3-cbc) is not supported anymore in C9S.

Fixes: https://pagure.io/freeipa/issue/6524

Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
83551693 by Mohammad Rizwan at 2022-03-16T16:26:03+02:00
ipatests: Check maxlife error message where minlife > maxlife specified

When minlife > maxlife specified on commandline, it says:
"ipa: ERROR: invalid 'maxlife': Maximum password life must be
greater than minimum."

But when minlife == maxlife is specified, it works.
This test checks that the error message says exactly what it does.

related: https://pagure.io/freeipa/issue/9038

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
bd8748f6 by Rob Crittenden at 2022-03-16T16:27:20+02:00
Convert values using _SYNTAX_MAPPING with --delattr

When an entry is loaded the incoming values are converted
into python datatypes automatically based on the _SYNTAX_MAPPING
value in ipaldap.

When using delattr to remove a mapped value it will fail because
the datatypes do not match up. For example date types are
datetime.datetime structures and won't match a generalized time
string.

So try to map the value to delete using _SYNTAX_MAPPING before
trying to remove the value. Fall back to trying to remove the
raw value if the mapping fails.

This won't work for some mapping types, DNs for example. Providing
only the RDN value for a DN-type, manager for example, lacks the
context to know how to construct the DN (RDN and container).

Fixes: https://pagure.io/freeipa/issue/9004

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
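
The convert-then-fall-back logic described above, written out as an added example. This is not FreeIPA's ipaldap code: the mapping table, the attribute names and the entry contents are constructed here to show the idea (a loaded entry holds python objects, so a command-line string must be converted the same way before it can match).

```python
"""Added example (not FreeIPA code): delete a --delattr value after mapping
it through a per-attribute converter, falling back to the raw string when
the conversion fails or no converter exists."""
import datetime


def _decode_generalized_time(value):
    """Parse an LDAP GeneralizedTime string such as 20220316162420Z."""
    return datetime.datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(
        tzinfo=datetime.timezone.utc)


# Constructed stand-in for the real syntax mapping: attribute -> converter.
# Attributes without an entry (mail below) are compared as raw strings.
SYNTAX_MAPPING = {
    "krbpasswordexpiration": _decode_generalized_time,
    "uidnumber": int,
}


def sample_entry():
    """Constructed entry as it looks after loading: values already converted."""
    return {
        "krbpasswordexpiration": [_decode_generalized_time("20220316162420Z")],
        "uidnumber": [1000],
        "mail": ["user@example.test"],
    }


def delete_attr_value(entry, attr, raw_value):
    """Remove raw_value from entry[attr]; return True if something was removed.

    The mapped value is tried first so that a generalized time string can
    match a datetime and "1000" can match the int 1000. If the converter
    rejects the input (malformed date, non-numeric uid) the raw string is
    still tried, mirroring the fallback the commit describes. A DN-typed
    attribute would need more context than this and is not handled here.
    """
    attr = attr.lower()
    values = entry.get(attr, [])
    candidates = [raw_value]
    converter = SYNTAX_MAPPING.get(attr)
    if converter is not None:
        try:
            candidates.insert(0, converter(raw_value))
        except (ValueError, TypeError):
            pass  # fall back to the raw value only
    for candidate in candidates:
        if candidate in values:
            values.remove(candidate)
            return True
    return False
```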

- - - - -
3e8a355d by Alexander Bokovoy at 2022-03-18T09:38:05+01:00
ipalib/util.py: switch to ssl.PROTOCOL_TLS_CLIENT by default

Python 3.10 deprecated ssl.PROTOCOL_TLS and ssl.PROTOCOL_SSLv23
constants which were aliases to each other. Use of them now causes a
warning to be displayed:

/usr/lib/python3.10/site-packages/ipalib/util.py:347: DeprecationWarning: ssl.PROTOCOL_TLS is deprecated
  ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

Use ssl.PROTOCOL_TLS_CLIENT instead, this constant is available since
Python 3.6.

Fixes: https://pagure.io/freeipa/issue/9129

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
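
What the switch changes in practice, as an added example (not the ipalib/util.py code): a context built from the deprecated PROTOCOL_SSLv23 alias starts with hostname checking off and verify_mode CERT_NONE, while PROTOCOL_TLS_CLIENT starts with check_hostname on and CERT_REQUIRED, and refuses to wrap a socket without a server_hostname. That built-in hostname check is the OpenSSL X509_VERIFY_PARAM_set1_host path mentioned in the match_hostname commit earlier in this push. Everything below runs offline; no connection is made.

```python
"""Added example (not FreeIPA code): default verification settings of the
deprecated generic-protocol context versus ssl.PROTOCOL_TLS_CLIENT."""
import socket
import ssl
import warnings


def legacy_context():
    """The form the commit replaces. Silences the DeprecationWarning that
    Python 3.10+ emits for PROTOCOL_SSLv23 so the comparison runs cleanly."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(ssl.PROTOCOL_SSLv23)


def client_context():
    """PROTOCOL_TLS_CLIENT (Python 3.6+): client-only, hostname check and
    CERT_REQUIRED enabled without further calls."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def verifies_by_default(ctx):
    """True only if the context both checks the hostname and requires a
    certificate, the two settings a client needs for authenticated TLS."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def wrap_requires_hostname(ctx):
    """True if wrapping a socket without server_hostname is refused.

    With check_hostname enabled, SSLContext.wrap_socket raises ValueError
    before any I/O happens; the legacy context accepts the call.
    """
    with socket.socket() as s:
        try:
            wrapped = ctx.wrap_socket(s)
        except ValueError:
            return True
        wrapped.close()
        return False
```

ssl.create_default_context() gives the same client defaults plus the system trust store loaded; the explicit SSLContext(PROTOCOL_TLS_CLIENT) form is shown here because it is the one the commit uses.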

- - - - -
c46ea21e by Rob Crittenden at 2022-03-18T14:28:11+01:00
Remove the --no-sssd option from ipa-client-automount

This makes automount configurable only using sssd and not LDAP.
The reason is that authselect 1.3 no longer supports
user-nsswitch.conf which is where we made direct changes to the
nss configuration on Fedora/RHEL.

The equivalent option was removed from ipa-client-install in
https://pagure.io/freeipa/issue/7671

Fixes: https://pagure.io/freeipa/issue/9084

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
12785a36 by Florence Blanc-Renaud at 2022-03-19T17:36:33+01:00
ipatests: remove certmonger tracking before uninstall

test_ipahealthcheck_expiring is moving the date in the future
in order to check that certmonger properly warns about expiring
certificates, then uninstalls the master.

The uninstallation randomly fails with a DBus error communicating
with certmonger because of a contention between certmonger being
woken up by the call to stop tracking certs and the certmonger
helpers trying to renew the certs.

The test is stopping PKI server, then moves the date in the future.
At this point, certmonger is still running (we are testing that
getcert list properly warns about near expiration). This means that
chances are high that certmonger has enough time to launch the CA helper
for renewal, that takes the lock. But since PKI is down, the helper
remains running for a while and does not release the lock. Then
certmonger is stopped, the tracking files are removed, certmonger is
restarted.

To avoid the contention, manually remove the tracking before
calling uninstall and remove the renewal lock file.

Fixes: https://pagure.io/freeipa/issue/9123
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
85b2c819 by Florence Blanc-Renaud at 2022-03-19T17:36:33+01:00
ipatests: Fix a call to run_command with wildcard

The test is calling run_command with a list of arguments:
run_command(['rm', '-f', paths.CERTMONGER_REQUESTS_DIR + '/*'])
but this format does not support shell expansion.

Replace with a str parameter:
run_command('rm -fv' + paths.CERTMONGER_REQUESTS_DIR + '/*')

to make sure all the files in the directory are actually removed.

Fixes: https://pagure.io/freeipa/issue/8506
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
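
The difference described above, as an added example rather than the test's code: in list form the asterisk reaches rm verbatim, and -f hides the fact that no file literally named '*' exists. The second function expands the pattern in Python and keeps the list form, so no shell ever parses the directory path. The directory and file names are constructed here.

```python
"""Added example (not FreeIPA test code): list-form subprocess calls do
not glob, shown with a constructed temporary directory."""
import glob
import os
import subprocess
import tempfile


def make_files(directory, names):
    """Create empty marker files in directory (constructed test data)."""
    for name in names:
        with open(os.path.join(directory, name), "w", encoding="utf-8") as f:
            f.write("x")


def remove_with_literal_star(directory):
    """List form: '*' is a literal argument, nothing matches, -f masks it.
    Returns the directory listing afterwards (unchanged)."""
    subprocess.run(["rm", "-f", directory + "/*"], check=True)
    return sorted(os.listdir(directory))


def remove_with_glob(directory):
    """Expand in Python, then pass the matches as separate arguments.
    Same effect as shell expansion, without a shell parsing the path."""
    matches = glob.glob(os.path.join(directory, "*"))
    if matches:
        subprocess.run(["rm", "-f", *matches], check=True)
    return sorted(os.listdir(directory))


def demo():
    """Returns (listing after literal '*', listing after glob expansion)."""
    with tempfile.TemporaryDirectory() as d:
        make_files(d, ["20220319-1.cert", "20220319-2.cert"])
        after_literal = remove_with_literal_star(d)
        after_glob = remove_with_glob(d)
    return after_literal, after_glob
```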

- - - - -
98eb661f by Sudhir Menon at 2022-03-22T13:51:02+01:00
ipatests: Test for pki.server.healthcheck.clones.connectivity_and_data

This test checks that when
'pki.server.healthcheck.clones.connectivity_and_data' check is run
'Source 'pki.server.healthcheck.clones.connectivity_and_data' not found'
is not displayed.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2041995

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
09481117 by Alexander Bokovoy at 2022-03-25T14:34:54+01:00
tests: ensure AD-SUPPORT subpolicy is active in more cases

Continuation of the commit 2eee5931d714ca237290be7dc2fb7233ce747eca:

    Use AD-SUPPORT subpolicy when testing trust to Active Directory in FIPS
    mode. This is required in FIPS mode due to AD not supporting Kerberos
    AES-based encryption types using FIPS-compliant PBKDF2 and KDF, as
    defined in RFC 8009.

Fixes: https://pagure.io/freeipa/issue/9119

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
b6b5f607 by Alexander Bokovoy at 2022-03-28T20:33:54+03:00
ipatests: fix check for AD topology being present

Fixes: https://pagure.io/freeipa/issue/9133

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
a53b190a by Timo Aaltonen at 2022-03-29T12:04:35+03:00
control: Add systemd-timesyncd to freeipa-client Conflicts. (Closes: #1008195)

- - - - -
9cd48d18 by Sumit Bose at 2022-04-01T09:44:06+02:00
ipa-kdb: fix make check

The recent refactoring split out code into two new files which are
needed for the test binary as well.

Related: https://pagure.io/freeipa/issue/9083
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c3bd6908 by Mohammad Rizwan at 2022-04-08T10:31:27+02:00
ipatests: fix the topologysegment-reinitialize command

There is no guarantee for the topologysegment name, it could be
master-to-replica or replica-to-master. If it is master-to-replica
then --right should be used with the command else --left.

Fixes: https://pagure.io/freeipa/issue/9137

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
de1f4467 by Mohammad Rizwan at 2022-04-08T10:31:27+02:00
ipatests: extend find_segment with suffix param

topologysegment name can be different depending on suffix.
This patch determines and supplies the name of topologysegment
as per the suffix.

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
710314a7 by Alexander Bokovoy at 2022-04-14T21:33:53+02:00
ipa-pwd-extop: allow ipasam to request RC4-HMAC in Kerberos keys for trusted domain objects

This is a problem since we added commit b5fbbd1 in 2019. Its logic
allowed adding RC4-HMAC keys for cifs/.. service principal but it didn't
account for the case when cifs/.. principal initiates the request.

Since ipasam only uses GETKEYTAB control, provide this extension only
here and don't allow the same for SETKEYTAB. At the point of check for
the bind DN, we already have verified that the DN is allowed to write to
the krbPrincipalKey attribute so there is no leap of faith to 'any
cifs/... principal' here.

A principal must be a member of cn=adtrust
agents,cn=sysaccounts,cn=etc,$SUFFIX to be allowed to perform this operation.

Fixes: https://pagure.io/freeipa/issue/9134

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
91d083c3 by Alexander Bokovoy at 2022-04-14T21:33:53+02:00
ipa-sam: retrieve trusted domain account credential from the TDO itself

When NRPC netr_ServerAuthenticate3 call is performed, a trusted AD DC
would use trusted domain account to authenticate to Samba. This means
that Samba would do internally samr_QueryUserInfo2 request with level 16
(UserControlInformation), coming to PDB module via pdb_getsampwsid()
call.

For normal user or workstation accounts we expect to have Kerberos keys
available and may be able to extract NTLM hash data from them. However,
trusted domain account is not a normal Kerberos principal. It stores TDO
credential in a different way. Since we never processed it through the
pdb_getsampwsid() call, it was not possible to retrieve the NTLM hash
for TDO account at all, hence netr_ServerAuthenticate3 call was failing.

NTLM hash is used internally in Samba. An external communication with AD
DC will use an AES-based session key that is derived from the TDO
credential. The credential itself can be treated as a plaintext here.

Fix it by adding a recognition of the trusted domain object account and
retrieve the NTLM hash from the correct attribute of the TDO.

Fixes: https://pagure.io/freeipa/issue/9134

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
ee6472ce by Alexander Bokovoy at 2022-04-14T21:33:53+02:00
ipatests: collect samba logs when setting up trust to AD

In many cases it is impossible to investigate test failures of
environments where a trust to Active Directory is established without
Samba logs.

Collect Samba logs by default and make sure Samba is configured with
higher log levels if we are going to configure IPA to setup trust to
Active Directory.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
5ba5143f by Florence Blanc-Renaud at 2022-04-26T10:00:54+02:00
ipatests: fix wrong condition in xfail_context for auto private grp

The tests
TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group
and
TestPosixAutoPrivateGroup::test_gidnumber_not_corresponding_existing_group
are expected to fail until SSSD fixes issues 5988 and 5989.
They currently define an xfail_context with a condition based on
sssd version but that condition is wrong (as of today, no version
of sssd provides the fix).

Remove the wrong condition so that the test is always expected to fail.

Fixes: https://pagure.io/freeipa/issue/9141
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
2ffa2b42 by Antonio Torres at 2022-04-26T16:40:35+02:00
Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
8a28154a by Antonio Torres at 2022-04-26T16:44:11+02:00
Update list of contributors

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
029c4fc6 by Antonio Torres at 2022-04-26T16:53:46+02:00
Become IPA 4.9.9

- - - - -
0cdbe00a by Antonio Torres at 2022-04-26T17:04:41+02:00
Back to git snapshots

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
d37d1f71 by Florence Blanc-Renaud at 2022-05-03T08:31:07+02:00
EPN: document missing option msg_subject

In /etc/ipa/epn.conf it is possible to customize the
e-mail subject by setting msg_subject=<value> but this
setting is not documented in the man page.

Add the options in epn.conf man page and in the template.

Fixes: https://pagure.io/freeipa/issue/9145
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5877c4e1 by Florence Blanc-Renaud at 2022-05-03T08:32:26+02:00
ipatests: update the expected sha256sum of epn.conf file

The file epn.conf has been updated when fixing issue 9145
and the test test_epn.py::TestEPN::test_EPN_config_file
is comparing its sha256sum with the checksum of the
shipped file from the package ipa-client-epn.

The expected checksum needs to be updated.

Fixes: https://pagure.io/freeipa/issue/9146
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
de918aea by Alexander Bokovoy at 2022-05-04T15:50:39+03:00
doc: migrate to m2r2 and newer sphinx, add plantuml to venv

m2r project was forked to m2r2 which is actively developed.
m2r2 works with new Sphinx versions.

Update our list of documentation requirements and add support for
plantuml to be able to integrate diagrams.

Fixes: https://pagure.io/freeipa/issue/9148

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
7ddef72f by Alexander Bokovoy at 2022-05-04T15:50:39+03:00
docs: add plantuml and use virtual environment to generate docs

Documentation generator can be run inside Python virtual environment.
This allows isolating from the system-wide changes and adding Sphinx
extensions that aren't packaged in a distribution.

The only exception right now is plantuml package. We rely on plantuml to
generate diagrams and since it is written in Java, it cannot be
installed directly into the Python venv through 'pip' tool.

Fixes: https://pagure.io/freeipa/issue/9148

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
68c20846 by Alexander Bokovoy at 2022-05-04T15:50:39+03:00
docs: add the readthedocs configuration

We need to install additional plantuml package before the build

Fixes: https://pagure.io/freeipa/issue/9148

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
ffd8f14a by Alexander Bokovoy at 2022-05-04T15:50:39+03:00
docs: update Sphinx requirements in ipasphinx package

One-liner rule to update ipasphinx dependency as we are using m2r2
package which is compatible with newer Sphinx.

Fixes: https://pagure.io/freeipa/issue/9148

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
5ea1866f by Alexander Bokovoy at 2022-05-04T15:50:39+03:00
docs: force sphinx version above 3.0 to avoid caching in RTD

ReadTheDocs somehow caches requirements and insists on using an old
version of Sphinx (1.8). We have to force using a newer one (4.5).

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
b3093d9c by Florence Blanc-Renaud at 2022-05-04T15:00:04-04:00
ipatests: remove test_rekey_keytype_DSA

The test is calling getcert rekey -G DSA in order to rekey
a certificate with a DSA key, but DSA support has been disabled
in the default crypto policy, and certmonger does not support it
any more (see the BZ
https://bugzilla.redhat.com/show_bug.cgi?id=2066439)

Remove the test as it's not relevant anymore. The rekey
operation is tested anyway in other tests:
- test_certmonger_rekey_keysize
- test_rekey_keytype_RSA
- test_rekey_request_id

Fixes: https://pagure.io/freeipa/issue/9140
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
59cf9017 by Alexander Bokovoy at 2022-05-05T15:02:38+03:00
web ui: do not provide Remove button in subid page

subid range management does not allow deleting ranges

If subid range was allocated, it cannot be removed because there might
be file objects associated with it on one of IPA clients.

In Web UI a button to remove the range should not be shown.

Remove corresponding test from the Web UI test for subid as the button
to remove the subid range is not present anymore.

Fixes: https://pagure.io/freeipa/issue/9150

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
1e882144 by Alexander Bokovoy at 2022-05-05T17:44:04+03:00
Switch Azure CI to Fedora 36 pre-release

Use fedora-toolbox:36 image as it is prepared to work with systemd and
sudo

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
137e62cc by Alexander Bokovoy at 2022-05-05T17:44:04+03:00
Azure CI: temporarily add libldap_r.so symlink for python-ldap PIP use

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
c2434c4e by Alexander Bokovoy at 2022-05-05T17:44:04+03:00
Azure CI: don't force non-existing OpenSSL configuration anymore

Newer grunt will pull a PhantomJS that is compatible with newer OpenSSL
so the workaround is not needed anymore.

Additionally, OpenSSL 3.0 is more strict and does not tolerate
non-existing default configuration file.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
ea0275f6 by Alexander Bokovoy at 2022-05-05T17:44:04+03:00
js tests: use latest grunt

Allow npm to install and use latest grunt that is compatible with newer
OpenSSL.

This, in turn, requires ATK interfaces to be present for the chromium
installed by puppeteer.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
f11b7b3b by Sudhir Menon at 2022-05-06T12:06:33-04:00
ipatests: Adding --no-dnssec-validation option for healthcheck

healthcheck related tests are failing because of the below issue
"client @0x7f8ee47c4d48 : servfail cache hit (CD=0)"
and as a result healthcheck related packages are not downloaded on test
system.
Hence adding the --no-dnssec-validation option to the install_master
and install_replica functions.

https://pagure.io/freeipa/issue/9151

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7f814d9f by Florence Blanc-Renaud at 2022-05-09T09:05:51+02:00
ipatests: --no-dnssec-validation requires --setup-dns

The test test_ipahealthcheck.py::TestIpaHealthCheckWithoutDNS
is installing the server without DNS but calls the installer
with --no-dnssec-validation option.

Remove the --no-dnssec-validation option as it is incompatible
with a non-DNS setup.

Fixes: https://pagure.io/freeipa/issue/9152
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
42afcc95 by Armando Neto at 2022-05-10T23:09:17+03:00
workshop: Update docs and support default cloud image

Update instructions on how to build images starting with Fedora 34 using
kickstart files used by Fedora to build its cloud images.

Change vagrant provisioning steps to support both prebuilt and default
cloud images, removing the burden of maintaining boxes up-to-date, but
also providing a way to build fresh images without external packer
templates.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>

- - - - -
8d81338c by Alexander Bokovoy at 2022-05-10T23:09:17+03:00
doc/designs: add External IdP support design documents

External IdP objects represent OAuth 2.0 clients that can be used to
perform OAuth 2.0 device authorization grant flow.

Related: https://pagure.io/freeipa/issue/8805
Related: https://pagure.io/freeipa/issue/8804
Related: https://pagure.io/freeipa/issue/8803

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>

- - - - -
1df7b82a by Alexander Bokovoy at 2022-05-10T23:09:17+03:00
external-idp: add LDAP schema, indices and other LDAP objects

Fixes: https://pagure.io/freeipa/issue/8803

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>

- - - - -
2136bd5d by Alexander Bokovoy at 2022-05-10T23:09:17+03:00
external-idp: add support to manage external IdP objects

Fixes: https://pagure.io/freeipa/issue/8804
Fixes: https://pagure.io/freeipa/issue/8803

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>

- - - - -
b77015b7 by Alexander Bokovoy at 2022-05-10T23:09:17+03:00
external-idp: add XMLRPC tests for External IdP objects and idp indicator

Fixes: https://pagure.io/freeipa/issue/8804
Fixes: https://pagure.io/freeipa/issue/8803

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>

- - - - -
bf8e2bb9 by Alexander Bokovoy at 2022-05-10T23:09:17+03:00
ipa-otpd: add support for SSSD OIDC helper

SSSD OIDC helper is used for negotiating with OAUTH2 or OIDC end points
of external identity providers (IdPs).

ipa-otpd daemon is now capable of taking either Issuer URL or individual
endpoints and calling SSSD OIDC helper accordingly.

Communication with SSSD OIDC helper can be debugged with the use of a
debug variable set in /etc/ipa/default.conf. Man page for
default.conf(5) has been updated to provide this information.

Fixes: https://pagure.io/freeipa/issue/8805

Signed-off-by: Sumit Bose <sbose at redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>

- - - - -
673478b1 by Alexander Bokovoy at 2022-05-10T23:09:17+03:00
KDB: support external IdP configuration

When IdP configuration is provided, take it into account:

 - idp-specific Kerberos ticket policy would be applied

 - Presence of IdP link in a Kerberos principal entry would cause KDB to
   enable `idp` pre-authentication method on KDC side.

The latter requires additional pre-authentication method supplied with
SSSD 2.7.0.

Fixes: https://pagure.io/freeipa/issue/8804

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Pavel Březina <pbrezina at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>

- - - - -
51a4e42d by Alexander Bokovoy at 2022-05-10T23:09:17+03:00
External IdP: add Web UI to manage IdP references

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>

- - - - -
660c3dc2 by Alexander Bokovoy at 2022-05-10T23:09:17+03:00
External IdP: initial SELinux policy

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>

- - - - -
d0eab8fe by Alexander Bokovoy at 2022-05-10T23:09:17+03:00
doc/workshop: document use of pam_sss_gss PAM module

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>

- - - - -
d49aa710 by Alexander Bokovoy at 2022-05-10T23:09:17+03:00
freeipa.spec.in: use SSSD 2.7.0 to add IdP pre-auth mechanism

SSSD 2.7.0 provides oidc_child and 'idp' Kerberos pre-auth mechanism as
a part of sssd-idp package which is required by sssd-ipa.

Fixes: https://pagure.io/freeipa/issue/8805

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>

- - - - -
5f9e0d3f by Alexander Bokovoy at 2022-05-10T23:09:17+03:00
workshop: add chapter 12: External IdP support

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>

- - - - -
40a257f1 by Alexander Bokovoy at 2022-05-10T23:43:13+03:00
docs: tune RTD to display lists with disc and left margin

RTD default theme removes discs from the section list items which makes
design pages look strange. Add them back via small CSS override.
Also, add 1em on the left side of the disc to provide visual cue that
this is a list item.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Sumit Bose <sbose at redhat.com>
(cherry picked from commit 79a4073730a8fe5ba2424f3896a2fd440c17ac9e)

- - - - -
979163bf by Alexander Bokovoy at 2022-05-11T16:46:07+03:00
freeipa.spec.in: Depend on sssd-idp directly to help RHEL BaseOS/AppStream repository split

In RHEL there is a split of packages between Base OS and AppStream
repositories. While both repositories are accessible and enabled by
default, there are different requirements towards binary packages in
both. Namely, Base OS packages cannot have runtime dependencies to
AppStream packages and they should have a stricter lifecycle promises in
terms of API and ABI stability.

SSSD 2.7.0 adds sssd-idp package which provides actual implementation of
OAuth 2.0 integration. Since SSSD is provided as part of Base OS, if
sssd-idp is placed there, then all its dependencies would have to be in
Base OS. Unfortunately, libjose is already part of AppStream.

SSSD team currently pulls sssd-idp as a dependency of sssd-ipa so
FreeIPA didn't need to change anything. However, Base OS requirements
will force SSSD team to drop sssd-idp dependency from sssd-ipa. This
means FreeIPA will have to explicitly depend on sssd-idp.

Fixes: https://pagure.io/freeipa/issue/9155

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
d39e232e by Florence Blanc-Renaud at 2022-05-14T12:44:46+02:00
client uninstall: handle uninstall with authconfig

If the client was installed with authconfig, with
automount configured to use ldap (--no-sssd), and later
updated to a version using authselect, the uninstaller
tries to disable the authselect feature with-custom-automount
but fails because there is no authselect profile in use.

(Upgrade of a client does not transform authconfig settings
into authselect settings because we don't have any client
upgrader, as opposed to the ipa-server-upgrade for the
servers).

To avoid uninstallation failure, ignore the error and log a
warning.

The second part of the commit leverages the "complete" state
stored in the statestore, in order to fix issues when
a client installation fails and the installation is reverted
by the ipa-client-install tool itself.
The fix checks if the statestore shows an incomplete
installation. If the install was incomplete and failed before
any attempt to configure authselect, then unconfigure doesn't
need to do anything. In the other cases, unconfigure needs
to revert to the pre-ipa state.

Fixes: https://pagure.io/freeipa/issue/9147
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9ae6ef54 by Francisco Trivino at 2022-05-19T14:52:41-03:00
ipatests: Bump PR-CI latest templates to Fedora 36

Moving 'latest' to Fedora 36 and 'previous' to Fedora 35.

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
b979dd91 by Anuja More at 2022-05-23T14:45:44+03:00
ipatests: Add integration tests for External IdP support

Tests for [RFE]: Added integration tests for external IdP
authentication with keycloak-17 as identity provider.

Related: https://pagure.io/freeipa/issue/8805
Related: https://pagure.io/freeipa/issue/8803
Related: https://pagure.io/freeipa/issue/8804

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
b39f9336 by Anuja More at 2022-05-23T14:45:44+03:00
pr-ci definitions: add external idp related jobs.

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
c03a8c3c by Francisco Trivino at 2022-05-25T07:20:10+02:00
Update ipa-replica-install replication agreement error message

So that it prints out a valid command:
- replace "ipa-replica-manage del" by "ipa server-del" (only domain-level1 is now supported)
- the command needs to be run on a working server, not on the host where ipa-replica-install failed

Fixes: https://pagure.io/freeipa/issue/9162
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
74b2fd06 by Florence Blanc-Renaud at 2022-05-25T15:08:03-04:00
Installer: add --subid option to select the sssd profile with-subid

Add the --subid option to client, server and replica installers.
This option allows configuring authselect with the sssd
profile + with-subid feature, in order to have SSSD set up as
a datasource for subid in /etc/nsswitch.conf.

The default behavior remains unchanged: without the option,
/etc/nsswitch.conf keeps the line subid: files

Fixes: https://pagure.io/freeipa/issue/9159
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e10f3385 by Florence Blanc-Renaud at 2022-05-25T15:08:03-04:00
man pages: document the --subid installer option

Document --subid in the man pages for
- ipa-client-install
- ipa-replica-install
- ipa-server-install

Related: https://pagure.io/freeipa/issue/9159
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0193498f by Florence Blanc-Renaud at 2022-05-25T15:08:03-04:00
ipatests: add new test with --subid installer option

Add a new test for ipa-client-install --subid
Add a new test for ipa-server-install --subid

Related: https://pagure.io/freeipa/issue/9159
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7e596fd1 by Thorsten Scherf at 2022-05-25T15:13:51-04:00
workshop: add freeipa version requirements

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
84c88b69 by Thorsten Scherf at 2022-05-25T15:13:51-04:00
workshop: add freeipa version requirements

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a2baae42 by Alexander Bokovoy at 2022-05-25T15:14:39-04:00
ipa-kdb: apply per-indicator settings from inherited ticket policy

Fixes: https://pagure.io/freeipa/issue/9121

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ed1447ab by Rob Crittenden at 2022-05-25T15:14:39-04:00
kdb: The jitter offset should always be positive

Otherwise the resulting value could be outside the valid
bounds of the time value.

Related: https://pagure.io/freeipa/issue/9121

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
300f1301 by Rob Crittenden at 2022-05-25T15:14:39-04:00
If the password auth type is enabled also enable the hardened policy

This will allow custom hardened password policy to be applied.
Without this then the policy will be skipped because the UA
is not enabled.

The KDC and client will prefer SPAKE any time it is available.
For IPA this should mean we should choose hardened setting over a
default one any time SPAKE is used.

Related: https://pagure.io/freeipa/issue/9121

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1c6bdf97 by Alexander Bokovoy at 2022-05-26T17:59:08+02:00
Support dnssec utils from bind 9.17.2+

In bind 9.17.2+ all dnssec utilities were moved to /usr/bin with
commit 4419606c9d2a52536a6dd0882ac0c7068ac27f30.

Since we only use those utilities in the specialized tool, do a fixup of
the paths in the tool.

Fixes: https://pagure.io/freeipa/issue/9157

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
35c720ca by Alexander Bokovoy at 2022-05-26T17:59:08+02:00
Ignore dnssec-enable-related named-checkconf errors in test

Check and skip dnssec-enable-related issues in 9.18+ where dnssec-enable
option was removed completely.

Fixes: https://pagure.io/freeipa/issue/9157

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
6c6fc7db by Alexander Bokovoy at 2022-05-30T17:10:44+03:00
ipa-kdb: avoid additional checks for a well-known anonymous principal

For a well-known anonymous principal an Anonymous PKINIT method is used
which ignores the password set in the principal entry. For these
principals any defined user auth type is irrelevant, their use is
defined in RFC 6112. This gets confusing when a default user auth type
requires a particular authentication method.

When AS request for Anonymous PKINIT is used, a TGT would contain no
authentication indicator. It means we cannot apply any specific
indicator policy and must skip the checks.

Fixes: https://pagure.io/freeipa/issue/9165

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
4fcbf2de by Rob Crittenden at 2022-05-30T18:24:37+02:00
Implement LDAP bind grace period 389-ds plugin

Add support for bind grace limiting per
https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-06

389-ds provides for alternative naming than the draft, using those
instead: passwordGraceUserTime for pwdGraceUserTime and
passwordGraceLimit for pwdGraceLoginLimit.

passwordGraceLimit is a policy variable that an administrator
sets to determine the maximum number of LDAP binds allowed when
a password is marked as expired. This is supported for both the
global and per-group password policies.

passwordGraceUserTime is a count per-user of the number of binds.

When the passwordGraceUserTime exceeds the passwordGraceLimit then
all subsequent binds will be denied and an administrator will need
to reset the user password.

If passwordGraceLimit is less than 0 then grace limiting is disabled
and unlimited binds are allowed.

Grace login limitations only apply to entries with the objectclass
posixAccount or simplesecurityobject in order to limit this to
IPA users and system accounts.

Some basic support for the LDAP ppolicy control is enabled such that
if the ppolicy control is in the bind request then the number of
remaining grace binds will be returned with the request.

The passwordGraceUserTime attribute is reset to 0 upon a password
reset.

user-status has been extended to display the number of grace binds
which is stored centrally and not per-server.

Note that passwordGraceUserTime is an operational attribute.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

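The grace-bind rules spelled out in this commit message, as a small Python model added here for illustration (not the 389-ds plugin itself, which is C). Attribute and policy names (passwordGraceLimit, passwordGraceUserTime, the posixAccount/simplesecurityobject scope) come from the message above; that a bind is denied once the count has already reached the limit, and the sample DNs, are assumptions.

```python
"""Model of the LDAP bind grace-period rules from the graceperiod commit.

Added illustration, not the 389-ds plugin code. Names and semantics follow
the commit message; the exact count-vs-limit comparison is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Grace limiting applies only to IPA users and system accounts.
GRACE_OBJECT_CLASSES = {"posixaccount", "simplesecurityobject"}


@dataclass
class GracePolicy:
    # passwordGraceLimit: maximum number of binds allowed while the password
    # is expired. A negative value disables grace limiting (unlimited binds).
    password_grace_limit: int


@dataclass
class Entry:
    dn: str
    object_classes: Set[str]
    password_expired: bool
    # passwordGraceUserTime: operational, per-user count of grace binds.
    password_grace_user_time: int = 0


@dataclass
class BindResult:
    allowed: bool
    # Remaining grace binds, filled in only when the client sent the
    # ppolicy request control (None otherwise or when not applicable).
    grace_remaining: Optional[int]
    reason: str


def is_grace_subject(entry: Entry) -> bool:
    """Grace rules apply only to posixAccount / simplesecurityobject entries."""
    return any(oc.lower() in GRACE_OBJECT_CLASSES for oc in entry.object_classes)


def evaluate_bind(entry: Entry, policy: GracePolicy,
                  ppolicy_control: bool = False) -> BindResult:
    """Decide whether a simple bind with a correct password may proceed.

    Password verification is assumed to have already succeeded; this models
    only the grace-period accounting layered on top of it.
    """
    if not is_grace_subject(entry):
        return BindResult(True, None, "not a posixAccount/simplesecurityobject")
    if not entry.password_expired:
        return BindResult(True, None, "password not expired")
    if policy.password_grace_limit < 0:
        return BindResult(True, None, "grace limiting disabled")

    limit = policy.password_grace_limit
    if entry.password_grace_user_time >= limit:
        # Count has reached the limit: every further bind is denied until an
        # administrator resets the password (assumed comparison point).
        return BindResult(False, 0 if ppolicy_control else None,
                          "grace logins exhausted")

    entry.password_grace_user_time += 1
    remaining = limit - entry.password_grace_user_time
    return BindResult(True, remaining if ppolicy_control else None,
                      f"grace bind {entry.password_grace_user_time} of {limit}")


def reset_password(entry: Entry) -> None:
    """A password reset clears the expiry and zeroes passwordGraceUserTime."""
    entry.password_expired = False
    entry.password_grace_user_time = 0


def grace_bind_sequence(limit: int, attempts: int) -> List[bool]:
    """Constructed scenario: an expired posixAccount binds `attempts` times."""
    policy = GracePolicy(password_grace_limit=limit)
    user = Entry("uid=alice,cn=users,cn=accounts,dc=example,dc=test",  # constructed
                 {"top", "person", "posixAccount"}, password_expired=True)
    return [evaluate_bind(user, policy, ppolicy_control=True).allowed
            for _ in range(attempts)]


if __name__ == "__main__":
    print(grace_bind_sequence(3, 5))  # [True, True, True, False, False]
```
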
- - - - -
6b3ab98b by Rob Crittenden at 2022-05-30T18:24:37+02:00
Remove the replicated attribute constants

These pre-existed in ipaserver/install/replication.py.

The constants were only originally used in ldapupdate.py
but have subsequently been switched to the replication.py
versions so they are not used anywhere in the code.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
87fe3fbb by Rob Crittenden at 2022-05-30T18:24:37+02:00
Exclude passwordgraceusertime from replication

Treat this like other failed login attributes and don't
replicate them.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ab0e67d1 by Michal Polovka at 2022-06-01T16:04:58+02:00
ipatests: test_subids: test subid-match shows UID of the owner

ipa subid-match should show UID of the owner instead of DN.

Related: https://pagure.io/freeipa/issue/8977

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
0e8350e0 by Rob Crittenden at 2022-06-02T13:59:50+02:00
healthcheck: add tests for setting cli options in config file

Fixes: https://pagure.io/freeipa/issue/9136

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
352b9dfb by Michal Polovka at 2022-06-02T14:03:01+02:00
ipatests: RFE: Improve ipa-replica-install error message

Test for RFE: Improve error message with more detail for
ipa-replica-install command. If the replication agreement already
exists, check if the error message contains
a particular command needed to delete it.

Related: https://pagure.io/freeipa/issue/9162

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
58ddcffc by Michal Polovka at 2022-06-02T14:03:01+02:00
ipatests: tasks: add ipactl start, stop and restart

Include functions to manage IdM service using ipactl, in particular
starting, stopping and restarting the service.

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
c0028646 by Rob Crittenden at 2022-06-02T14:15:30+02:00
dnssec daemons: read the dns context config file for debug state

This had been hardcoded to debug=True but it spams the logs
with a lot of unnecessary information.

Allow it to be enabled for troubleshooting purposes but keep it
disabled by default.

Enabling debug would involve creating /etc/ipa/dns.conf:

[global]
debug = True

I didn't add a more generic mechanism because for now we only need
the value of debug and it introduces a lot of type conversion
headaches. ipalib handles this automatically but to duplicate this
would be corner-case city.

Fixes: https://pagure.io/freeipa/issue/9128

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
62bafcc5 by Rob Crittenden at 2022-06-03T09:53:27+02:00
Configure and enable the graceperiod plugin on upgrades

The graceperiod plugin was only being enabled on new
installations. Enable also on upgrade.

Loading a new plugin requires a restart. Do so if a
new one is configured.

Fixes: https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8b2edd5b by Rob Crittenden at 2022-06-03T17:01:51+02:00
Don't duplicate the LDAP gracelimit set in the previous test

Remove a duplicated policy change which sets the gracelimit
to 3.

We don't typically run tests individually but as a whole. If
we ever need to call this one test directly we can ignore
failures.

Fixes: https://pagure.io/freeipa/issue/9167

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
d2b29645 by Rob Crittenden at 2022-06-07T08:15:04+02:00
doc: Design document for LDAP graceperiod

Implement part of RFC https://tools.ietf.org/id/draft-behera-ldap-password-policy-10.html

Related: https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9b0fbdc3 by Rob Crittenden at 2022-06-07T08:15:04+02:00
Set default LDAP password grace period to -1

This will retain existing behavior where LDAP passwords are
allowed to bind past expiration.

Fixes: https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e6cc4109 by Rob Crittenden at 2022-06-07T08:15:04+02:00
graceperiod: ignore case when checking for missing objectclass

Don't assume that all objectclasses are lower-case. Some are
camel-cased.

Fixes: https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
faeb656c by Alexander Bokovoy at 2022-06-10T11:10:51+02:00
ipaldap: fix conversion from boolean OID to Python

In IPA framework we don't properly convert to Python bool type and just
return a string (TRUE or FALSE). This can be seen with many boolean
attributes, like

        Bool('idnsallowdynupdate?',
            cli_name='dynamic_update',
            label=_('Dynamic update'),
            doc=_('Allow dynamic updates.'),
            attribute=True,
            default=False,
            autofill=True
        ),

in 'ipa dnszone-show':

>>> api.Command.dnszone_show('ipa.test')['result']['idnsallowdynupdate']
['TRUE']

This is because we don't have the reverse (from LDAP to Python) mapping
for the LDAP boolean OID 1.3.6.1.4.1.1466.115.121.1.7.

When Web UI asks for the entry, it gets back JSON output that contains
this 'TRUE' value:

            "idnsallowdynupdate": [
                "TRUE"
            ],

Add proper mapping from LDAP to Python bool type. With this, a simple
'checkbox' type can be used in Web UI instead of a complex radio-box
setup.

Note that when IPA API is asked to return raw values, 'TRUE' and 'FALSE'
are still returned. These are the actual LDAP boolean attribute values. Care
needs to be taken in tests:

 - if output is from a command with --raw option, 'TRUE' or 'FALSE'
   should be expected

 - if output is from a normal (non-raw) command, True or False would be
   returned

Fixes: https://pagure.io/freeipa/issue/9171

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
6147f877 by Florence Blanc-Renaud at 2022-06-10T12:19:11+02:00
ipatest: update expected out for ipa-healthcheck's DogtagCertsConnectivityCheck

Pre ipa-healthcheck 0.11, failures detected by DogtagCertsConnectivityCheck
were reported as:
"msg": "Request for certificate failed, <error>"
but the output is now the following:
"msg": "Request for certificate failed: {error}"
"error": <error>

Update the expected output to be compatible with both versions.

Fixes: https://pagure.io/freeipa/issue/9175
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
34882766 by Sudhir Menon at 2022-06-10T14:00:16+02:00
ipatests: ipahealthcheck tests to check change in permission of ipaserver log files

This testcase checks that when the permission of the
ipaserver-upgrade.log
file is changed, the healthcheck tool reports the correct warning message.

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
8abc0a22 by Francisco Trivino at 2022-06-10T17:13:18+02:00
Update subordinate design doc

This commit updates the subordinate design document to reflect the current state
and remove "outdated" message.

Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
23d56bb9 by Florence Blanc-Renaud at 2022-06-13T12:51:09+02:00
ipa-replica-install: nsds5replicaUpdateInProgress is a Boolean

nsds5replicaUpdateInProgress is defined in LDAP schema as a boolean.
Now that IPA API is able to properly map booleans to the python
bool type, this attribute is not a string any more and
comparisons can be done directly based on its real type.

The code in ipa-replica-install was reading nsds5replicaUpdateInProgress
and calling value.tolower() == 'true' but should now use
value == True instead.

Related: https://pagure.io/freeipa/issue/9171
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c6bc8fd4 by Florence Blanc-Renaud at 2022-06-13T12:51:09+02:00
ipatests: update expected output for boolean attribute

Now that IPA API properly maps LDAP boolean attributes to the
python bool type, they are displayed as True/False instead
of TRUE/FALSE in the ipa *-show outputs.

Update the expected output for DNS Active Zone.

Related: https://pagure.io/freeipa/issue/9171
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f3255393 by Armando Neto at 2022-06-13T16:05:18-03:00
ipatests: bump pr-ci templates

Packages updated to include `freeipa-healthcheck-0.11-2`.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
4b8b032e by Florence Blanc-Renaud at 2022-06-14T08:12:10+02:00
ACI: define "Read DNS entries from a zone" aci during install

The ACI "Read DNS entries from a zone" is defined when
ipa-server-upgrade is run but not for new installations.
In order to have consistent ACI (same set for new install
and for install + upgrade), define this ACI in
install/share/dns.ldif instead of "Allow read access".

Fixes: https://pagure.io/freeipa/issue/9173
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
deaaaaf1 by Rob Crittenden at 2022-06-14T16:51:13+02:00
Remove extraneous AJP secret from server.xml on upgrades

PKI 10.10 unconditionally added an upgrade script for the AJP
connector which replaced the AJP secret regardless of tomcat
version.  It replaced requiredSecret with secret. IPA expects
the attribute by version so this could make the secrets out of
date and/or have connectors with both secrets and different
values.

PKI commit e70373ab131aba810f318c1d917896392b49ff4b has since
been reverted but there may be servers with both secrets still.
On next IPA upgrade clean them up.

Also allow re-writing ipa-pki-proxy.conf in case the secret
changes to ensure they remain in sync.

Fixes: https://pagure.io/freeipa/issue/9176

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d062dc9d by Rob Crittenden at 2022-06-14T13:20:36-04:00
Add switch for LDAP cache debug output

The LDAP cache log is rather chatty and a bit overwhelming when
looking for error messages. Disable it by default but allow it
to be enabled when a new config option, ldap_cache_debug, is
enabled.

Fixes: https://pagure.io/freeipa/issue/9180

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
cfca49c4 by Alexander Bokovoy at 2022-06-14T14:14:16-04:00
idviews: use cached ipaOriginalUid value when resolving ID override anchor

For ID overrides 'ipaOriginalUid' value should be the human-readable
version of the ID override anchor. Since we would have it already set in
the ID override entry, prefer using it instead of looking up the
override anchor.

This should significantly speed up operations which list all ID
overrides in the view, like Web UI views.

Fixes: https://pagure.io/freeipa/issue/9178
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fe048d83 by Matthew Davis at 2022-06-15T08:34:01+02:00
Suse compatibility fix

    Removes authselect requirement for Suse
    Use Suse 'pam-config' to configure PAM
    Configures nsswitch.conf
    Removes domainname service since it does not exist on Suse

Fixes: https://pagure.io/freeipa/issue/9174
Signed-off-by: Matthew Davis <github at virtual.drop.net>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
60739ce4 by Michal Polovka at 2022-06-15T12:13:15+02:00
ipatests: xfail for test_ipahealthcheck_hidden_replica to respect pki version

Change xfail for test_replica_promotion.py/TestHiddenReplicaPromotion/test_ipahealthcheck_hidden_replica
to respect platform and pki version as the related issue is fixed.

Implement tasks/get_platform_version which returns a platform version
number(s) of a provided host in a form of a tuple.

Related: https://pagure.io/freeipa/issue/8582

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
70d23b22 by Matthew Davis at 2022-06-15T14:12:47+03:00
Create missing SSSD_PUBCONF_KRB5_INCLUDE_D_DIR

On some distributions, namely Suse, the SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
does not exist by default. Ipa-client-install will fail to initialize
the kerberos ticket and error when this directory does not exist.

This patch simply creates the directory if it does not exist before
adding the include statement into /etc/krb5.conf

Fixes: https://pagure.io/freeipa/issue/9174
Signed-off-by: Matthew Davis <github at virtual.drop.net>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
553b84c6 by Antonio Torres at 2022-06-15T16:22:50+02:00
Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
dabea80f by Antonio Torres at 2022-06-15T16:28:00+02:00
Update list of contributors

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
61a64aef by Antonio Torres at 2022-06-15T16:33:21+02:00
Become IPA 4.9.10

- - - - -
3e90842b by Antonio Torres at 2022-06-15T16:42:51+02:00
Back to git snapshots

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
a6a67812 by Michal Polovka at 2022-06-17T16:39:08+02:00
ipatests: Increase expect timeout for interactive mode

Increase the default timeout for expect function when testing
interactive mode to mitigate an issue when the tests are failing
on the slow systems.

Fixes: https://pagure.io/freeipa/issue/9183

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
206e08d8 by Michal Polovka at 2022-06-17T16:41:08+02:00
ipatests: Healthcheck should ignore pki errors when CA is not configured

Test if ipa-healthcheck complains about pki.server.healthcheck errors
when CA is not configured on the replica.

Related: https://github.com/freeipa/freeipa-healthcheck/issues/201

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a8d71b3f by Timo Aaltonen at 2022-06-22T15:03:17+03:00
Merge branch 'upstream'

- - - - -
48badb05 by Timo Aaltonen at 2022-06-22T15:03:49+03:00
version bump

- - - - -
05e7e56f by Timo Aaltonen at 2022-06-22T15:07:26+03:00
patches: Drop upstreamed patches.

- - - - -
21bfb2cd by Timo Aaltonen at 2022-06-22T15:14:25+03:00
source: Extend diff-ignore.

- - - - -
93710dbd by Timo Aaltonen at 2022-06-22T17:52:36+03:00
ldap-so-path.diff: Don't hardcode path to bind/ldap.so.

- - - - -
b568ec01 by Timo Aaltonen at 2022-06-22T17:59:28+03:00
libsofthsm-path.diff: Use multiarch path for libsofthsm2.so.

- - - - -
ff415253 by Florence Blanc-Renaud at 2022-06-23T08:39:14+02:00
Preserve user: fix the confusing summary

When ipa user-del --preserve is called, the command output
prints a summary with:
    Deleted user: user1
although the user was preserved.
Replace the summary with
    Preserved user: user1
to reflect what was actually done.

Fixes: https://pagure.io/freeipa/issue/9187
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4984ff21 by Florence Blanc-Renaud at 2022-06-23T08:39:14+02:00
xmlrpc tests: updated expected output for preserved user

Update the expected summary for the command
ipa user-del --preserve

The command now displays: Preserved user: user1
instead of                Deleted user: user1

Related: https://pagure.io/freeipa/issue/9187

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
857713c5 by Anuja More at 2022-06-23T13:44:02+02:00
Add end to end integration tests for external IdP

Added tests for HBAC and SUDO rule and other
test scenarios.

Related: https://pagure.io/freeipa/issue/8805
Related: https://pagure.io/freeipa/issue/8803
Related: https://pagure.io/freeipa/issue/8804

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
50b4d9ab by Anuja More at 2022-06-23T13:44:02+02:00
ipatests: update prci definitions for test_idp.py

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
afa94c79 by Michal Polovka at 2022-06-23T17:43:08-04:00
ipatests: Healthcheck use subject base from IPA not REALM

Test if healthcheck uses cert subject base from IPA and not from
REALM. This prevents false-positive errors when the subject base is
customized.

Related: https://github.com/freeipa/freeipa-healthcheck/issues/253

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c39c2ee8 by Timo Aaltonen at 2022-06-23T17:44:11-04:00
ipaplatform/debian: Use multiarch path for libsofthsm2.so

The library moved there some years ago, and the compat symlink might go
away at some point. Better prepare for it.

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
56c82709 by Timo Aaltonen at 2022-06-23T17:44:11-04:00
ipaplatform/debian: Drop the path for ldap.so

Named is able to find plugins if they are installed in the plugindir,
so drop the hardcoded path from named.conf.

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
15f454f6 by Anuja More at 2022-06-23T17:45:16-04:00
ipatests: Fix install_master for test_idp.py

For install_master added --no-dnssec-validation.

Fixes: https://pagure.io/freeipa/issue/9189

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
4f158042 by Matthew Davis at 2022-06-23T17:46:03-04:00
Add missing parameter to Suse modify_nsswitch_pam_stack

Add missing subid parameter for Suse.

Fixes: https://pagure.io/freeipa/issue/9185
Signed-off-by: Matthew Davis <github at virtual.drop.net>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
de64d672 by Rob Crittenden at 2022-06-24T11:36:39+02:00
Fix test_secure_ajp_connector.py failing with Python 3.6.8

Some of the test data are not expected to cause a rewrite in
the upgrade code. Those that do will set the rewrite flag.

In that case there is a new server.xml to be read. This is
handled with mock_open(). The contents can be retrieved via
mocked_file().write.call_args but the repr() of it is:

call(b'<Server port="1234" shutdown="SHUTDOWN">\n  ...')

In at least Python 3.10 one can use write.call_args.args to get
just the raw data. This does not work with Python 3.6.8 and
returns the string 'args' instead, resulting in a TypeError.

TypeError: a bytes-like object is required, not 'str'

Instead drop the args and use the data directly.

For the case of x = mocked_file().write.call_args:

   x[0] is a tuple with the first element being the data
   x[0][0] is the raw data

So use x[0][0] to get at the data instead of x.args[0]

Fixes: https://pagure.io/freeipa/issue/9190

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
3675bd1d by Rob Crittenden at 2022-06-30T14:56:06-04:00
Only calculate LDAP password grace when the password is expired

The user's pwd expiration was retrieved but inadvertently was never
compared to current time. So any LDAP bind, including from the
IPA API, counted against the grace period. There is no need to go
through the graceperiod code for non-expired passwords.

https://pagure.io/freeipa/issue/1539

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
585cebb1 by Fraser Tweedale at 2022-07-06T09:48:18+02:00
man: add --skip-mem-check to man pages

Document the --skip-mem-check flag in the ipa-server-install(1) and
ipa-replica-install(1) man pages.

Related: https://pagure.io/freeipa/issue/8404

Signed-off-by: Fraser Tweedale <frase at frase.id.au>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
cbf2614d by Fraser Tweedale at 2022-07-06T09:48:18+02:00
install: suggest --skip-mem-check when mem check fails

In the memory check failure message, add a hint to the administrator
that they can use the --skip-mem-check flag to skip the check.

Related: https://pagure.io/freeipa/issue/8404

Signed-off-by: Fraser Tweedale <frase at frase.id.au>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
991849cf by Armando Neto at 2022-07-12T13:53:54-03:00
webui: Do not allow empty pagination size

Pagination size must be required, the current validators are triggered after
form is submitted, thus the only way to check if data is not empty is by making
the field required.

Fixes: https://pagure.io/freeipa/issue/9192

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
f33266c2 by David Pascual at 2022-07-16T07:53:57+02:00
ipatests: Checker script for prci definitions

This script allows developers to check if prci definition jobs have the correct format,
which is defined in prci_jobs_spec.yaml
Useful when adding new jobs to the definitions.

Signed-off-by: David Pascual <davherna at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
b31631ad by Rob Crittenden at 2022-07-16T07:57:49+02:00
Warn for permissions with read/write/search/compare and no attrs

An ACI with rights of read, write, search and/or compare without
attributes to apply the rights to is effectively a no-op. Allow
the ACI to be created but include a warning. Ignore the add
and delete rights. While they make no sense in the context of
the other rights we should still warn that they are a no-op
with no attributes.

Use the existing make_aci() object method to create the
message and update the add/mod callers to capture and add the
message to the result if one is provided.

When updating an existing ACI the effective attributes will
not be included so fall back to the attributes in the resulting
permission.

Prior to checking for rights and attributes convert any deprecated
names for older clients into the newer values needed by make_aci.

This is exercised by existing xmlrpc permission tests that
create such permissions without attributes.

https://pagure.io/freeipa/issue/9188

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e77b0b08 by Stanislav Levin at 2022-07-26T16:57:54-04:00
ap: Raise dbus timeout

With some recent changes on Azure Agent the default DBus call
timeout is not good enough. For example, in case of
`InstallDNSSECFirst_1_to_5` job hostnamectl received reply in ~20sec,
but later it increased to ~30sec (more subjobs - more time to reply).
It's good to raise this timeout to be more protected against minimum
performance times.

https://www.freedesktop.org/software/systemd/man/sd_bus_set_method_call_timeout.html#Description

Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
98c6e96e by Stanislav Levin at 2022-07-26T16:57:54-04:00
ap: Disable azure's security daemon

This daemon runs clamav which is resource aggressive.
There is no point running a Windows virus scanner on Ubuntu in a Linux-only
environment.

Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b59baf31 by Stanislav Levin at 2022-07-26T16:57:54-04:00
ap: Rearrange overloaded jobs

With some recent changes the Azure Agent has decreased performance.
For example, `InstallDNSSECFirst_1_to_5` (5 subjobs) job took ~33min
and now it takes ~40min. At the same time there are jobs having only
1 or 2 subjobs and they should be used more.

Fixes: https://pagure.io/freeipa/issue/9207
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1ada42e3 by Stanislav Levin at 2022-07-26T16:57:54-04:00
ap: Constrain supported docutils

New Sphinx 5.1.0 (Released: Jul 24, 2022) bumped supported docutils
to 0.19:
https://github.com/sphinx-doc/sphinx/pull/10656

But m2r2 doesn't support it yet:
https://github.com/CrossNox/m2r2/issues/52

Thereby, docutils must be constrained to < 0.19.

This should be fixed by m2r2 and after they do it the restriction
can be removed.

Fixes: https://pagure.io/freeipa/issue/9208
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
f962a0c2 by Erik at 2022-08-01T09:22:37-04:00
ipatests: healthcheck: test if system is FIPS enabled

Test if FIPS is enabled and the check exists.

Related: https://pagure.io/freeipa/issue/8951

Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
1316cd8b by Rob Crittenden at 2022-08-01T13:03:51-04:00
Disabling gracelimit does not prevent LDAP binds

Originally the code treated 0 as disabled. This was
changed during the review process to -1 but one remnant
was missed effectively allowing gracelimit 0 to also mean
disabled.

Add explicit tests for testing with gracelimit = 0 and
gracelimit = -1.

Also remove some extraneous "str(self.master.domain.basedn)"
lines from some of the tests.

Fixes: https://pagure.io/freeipa/issue/9206

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
6483f333 by David Pascual at 2022-08-04T13:23:26-04:00
ipatest: fix prci checker target masked return code & add pylint

In the yamllint target of makefile, prci_checker result was being masked by echo statement.
Additionally, prci_checker script has been added to the list of Python sources to be Pylinted.

Addressing comments of recently merged PR:
https://github.com/freeipa/freeipa/pull/6301#discussion_r923163970
https://github.com/freeipa/freeipa/pull/6301#issuecomment-1187037261

Signed-off-by: David Pascual <davherna at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
d40fd287 by Florence Blanc-Renaud at 2022-08-08T14:35:11+02:00
azure tests: disable TestInstallDNSSECFirst

The test TestInstallDNSSECFirst is failing because of one of its
dependencies (the most likely suspect is the update of openssl-pkcs11).
Disable the test from azure gating until the issue is solved.

Related: https://pagure.io/freeipa/issue/9216
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Carla Martinez <carlmart at redhat.com>

- - - - -
a5762621 by Sudhir Menon at 2022-08-09T08:35:07+02:00
ipatests: ipa-client-install --subid adds entry in nsswitch.conf

This testcase checks that when ipa-client-install command
is run with --subid option, /etc/nsswitch.conf file is updated
with the below entry

subid: nss

Related: https://pagure.io/freeipa/issue/9159

Since the newly added testsuite requires a client
system, the below yaml files were modified to change the topology
from *master_1repl to *master_1repl_1client:

gating.yaml
nightly_latest.yaml
nightly_previous.yaml
nightly_rawhide.yaml

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
ade5093b by Carla Martinez at 2022-08-09T12:00:00+02:00
webui: Allow grace login limit

There was no support for setting the grace login limit on the WebUI. The
only way to do so was via CLI:

   `ipa pwpolicy-mod --gracelimit=2 global_policy`

Thus, the grace login limit must be updated from the policy section and
this will reflect also on the user settings (under the 'Password Policy'
section)

Fixes: https://pagure.io/freeipa/issue/9211

Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
05a298f5 by Florence Blanc-Renaud at 2022-08-16T13:10:10+02:00
check_repl_update: in progress is a boolean

With the fix for https://pagure.io/freeipa/issue/9171,
nsds5replicaUpdateInProgress is now handled as a boolean.
One remaining occurrence was still handling it as a string
and calling lower() on its value.

Replace with direct boolean comparison.

Fixes: https://pagure.io/freeipa/issue/9218
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
aaf57185 by Rob Crittenden at 2022-08-16T13:15:41+02:00
upgrades: Don't restart the CA on ACME and profile schema change

There are currently three sets of CA schema changes applied
in ipa-server-upgrade:

* addition of ACME schema
* addition of certificate profile schema
* addition of lightweight CA schema

None of these require a restart of the CA to be supported.

There is an issue in schema parsing such that it doesn't handle
X-ORIGIN properly. A difference is detected and a change applied
but no change is recorded in LDAP so every time upgrade is
run it thinks a CA restart is needed. The CA is not quick to
restart so avoiding one is best, particularly when the update is
run as part of an rpm transaction where a user with an itchy finger
may think things have hung and break out of it.

https://github.com/389ds/389-ds-base/issues/5366 was
filed to track this.

Related: https://pagure.io/freeipa/issue/9204

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5e2e4664 by Thomas Woerner at 2022-08-16T19:31:18+02:00
DNSResolver: Fix use of nameservers with ports

IPA DNS zone and forwardzone commands allow using nameservers with ports
as "SERVER_IP port PORT_NUMBER". bind supports this syntax, but the
Resolver in dnspython that is used to verify the list of forwarders
(nameservers) only allows IP addresses in this list. With
dnspython version 2.20 there is a new validator in dns.resolver.BaseResolver
that ensures this.

Refs:
- https://bind9.readthedocs.io/en/v9_18_4/reference.html#zone-statement-grammar
- https://github.com/rthalley/dnspython/blob/master/dns/resolver.py#L1094

ipapython/dnsutil.DNSResolver derives from dns.resolver.Resolver. The setter
for nameservers has been overloaded in the DNSResolver class to split out
the port numbers into the nameserver_ports dict { SERVER_IP: PORT_NUMBER }.
After the setter for nameservers succeeded, nameserver_ports is set.
nameserver_ports is used in the resolve() method of dns.resolver.Resolver.

Additional tests have been added to verify that nameservers and also
nameserver_ports are properly set and also valid.

Fixes: https://pagure.io/freeipa/issue/9158

Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

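As an added example that is not FreeIPA's own DNSResolver code, the following Python function performs the split this commit describes: "SERVER_IP port PORT_NUMBER" entries become the plain nameserver list plus a { SERVER_IP: PORT_NUMBER } dict, so the list itself stays acceptable to a resolver that validates nameservers as IP addresses only. The function and exception names, the port-range check and the duplicate check are assumptions of this example.

```python
"""Split BIND-style forwarders ("IP" or "IP port N") into the two
structures a validating resolver expects. Added example; it does not
subclass dnspython's Resolver and runs with the standard library only."""
import ipaddress
from typing import Dict, List, Tuple


class ForwarderSyntaxError(ValueError):
    """Raised for an entry that is neither "IP" nor "IP port N"."""


def split_nameserver_ports(entries: List[str]) -> Tuple[List[str], Dict[str, int]]:
    """Return (nameservers, nameserver_ports) for a list of forwarder strings.

    Accepted per entry (extra whitespace and the case of "port" ignored):
        "192.0.2.1"            -> address only, no port recorded
        "192.0.2.2 port 5353"  -> address plus an explicit port
    Host names, malformed entries, ports outside 1..65535 and duplicate
    addresses are rejected, because an invalid address in the plain list
    would later be refused by a resolver that validates nameservers.
    """
    nameservers: List[str] = []
    ports: Dict[str, int] = {}
    for raw in entries:
        tokens = raw.split()
        port = None
        if len(tokens) == 1:
            addr_txt = tokens[0]
        elif len(tokens) == 3 and tokens[1].lower() == "port":
            addr_txt, port_txt = tokens[0], tokens[2]
            if not port_txt.isdigit():
                raise ForwarderSyntaxError(f"port is not numeric: {raw!r}")
            port = int(port_txt)
            if not 1 <= port <= 65535:
                raise ForwarderSyntaxError(f"port out of range: {raw!r}")
        else:
            raise ForwarderSyntaxError(f"unrecognised forwarder syntax: {raw!r}")
        try:
            addr = ipaddress.ip_address(addr_txt)
        except ValueError as exc:
            raise ForwarderSyntaxError(f"not an IP address: {raw!r}") from exc
        # Canonical text form (e.g. compressed IPv6) so that the dict key
        # is guaranteed to match the entry placed in the nameserver list.
        canonical = str(addr)
        if canonical in nameservers:
            raise ForwarderSyntaxError(f"duplicate forwarder: {raw!r}")
        nameservers.append(canonical)
        if port is not None:
            ports[canonical] = port
    return nameservers, ports


def to_bind_syntax(nameservers: List[str], ports: Dict[str, int]) -> List[str]:
    """Inverse operation: rebuild the "IP port N" strings from the split form."""
    return [
        f"{ns} port {ports[ns]}" if ns in ports else ns
        for ns in nameservers
    ]


if __name__ == "__main__":
    # Constructed sample input using documentation address ranges.
    sample = ["192.0.2.1", "192.0.2.2 port 5353", "2001:DB8::1 PORT 8053"]
    ns, ns_ports = split_nameserver_ports(sample)
    print(ns, ns_ports)
    print(to_bind_syntax(ns, ns_ports))
```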
- - - - -
2385d1d9 by Florence Blanc-Renaud at 2022-08-16T19:35:37+02:00
ipatests: Fix expected object classes

Because the sidgen plugin is a postop plugin, it is not
always triggered before the result of an ADD is returned
and the objectclasses of the user may / may not contain
ipantuserattrs.
Fix the expected object classes.

Related: https://pagure.io/freeipa/issue/9062
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
a7369944 by Florence Blanc-Renaud at 2022-08-16T19:35:37+02:00
gitignore: add install/oddjob/org.freeipa.server.config-enable-sid

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
434620ee by Rob Crittenden at 2022-08-19T08:17:28+02:00
doc: Update LDAP grace period design with default values

New group password policies will get -1 (unlimited) on creation
by default.

Existing group password policies will remain untouched and
those created prior will be treated as no BIND allowed.

Fixes: https://pagure.io/freeipa/issue/9212

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
497a57e7 by Rob Crittenden at 2022-08-19T08:17:28+02:00
Set default gracelimit on group password policies to -1

This will retain previous behavior of unlimited LDAP BIND
post-expiration.

Fixes: https://pagure.io/freeipa/issue/9212

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
a4ddaaf3 by Rob Crittenden at 2022-08-19T08:17:28+02:00
Set default on group pwpolicy with no grace limit in upgrade

If an existing group policy lacks a password grace limit
update it to -1 on upgrade.

Fixes: https://pagure.io/freeipa/issue/9212

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
88ea19b9 by Scott Poore at 2022-08-19T12:10:02+02:00
ipatests: Rename create_quarkus to create_keycloak

The module installs and configures a Keycloak server and
not just the Quarkus Java framework. So, renaming to better
reflect what the module is used for.

Fixes: https://pagure.io/freeipa/issue/9225
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9290aa55 by Alexander Bokovoy at 2022-08-30T08:23:51+02:00
ipa-otpd: initialize local pointers and handle gcc 10

oauth2_on_child_readable() does not use the main verto context and used
to drop the argument name to signify that. This is a feature of the C2X
standard by default and is not enabled in gcc before 11 by default (it
is enabled in RHEL 8's gcc 8.5).

Add a simple 'if the context is missing, get out' code to use 'ctx'.
This allows us to avoid enabling C2X features.

Initialize local pointers to prevent use before initialization on exit
paths in abnormal situations as well.

Fixes: https://pagure.io/freeipa/issue/9230

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
35892445 by Jesse Sandberg at 2022-08-30T08:30:15+02:00
Fix ipa-ccache-sweeper activation timer and clean up service file

Added OnActiveSec=12h to start the timer cycle, because the OnUnitActiveSec setting alone never triggers the timer after boot, as there has been no transition between the active and inactive states.
Removed the [Install] section from sweeper.service as it is not needed.

Fixes: https://pagure.io/freeipa/issue/9231
Signed-off-by: Jesse Sandberg <jesse.sandberg at netcode.fi>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
109cd579 by Alexander Bokovoy at 2022-08-30T10:43:15+02:00
fix canonicalization issue in Web UI

When a Kerberos principal alias is used to log in to the Web UI, we end up
with a request that is authenticated by a ticket issued in the alias
name but with metadata processed for the canonical user name. This confuses
the RPC layer of the Web UI code and causes an infinite loop reloading the page.

Fix it by doing two things:

 - force use of canonicalization of an enterprise principal on server
   side, not just specifying that the principal is an enterprise one;

 - recognize that a principal in the whoami()-returned object can have
   aliases and the principal returned by the server in the JSON response
   may be one of those aliases.

Fixes: https://pagure.io/freeipa/issue/9226

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
cefa8f1e by Carla Martinez at 2022-08-30T20:05:33+02:00
Set pkeys in test_selinuxusermap.py::test_misc::delete_record

The test_selinuxusermap.py::test_selinuxusermap::test_misc is failing
because the 'delete_record' function (located in the same file) is passing
incorrect parameters: it should take the 'pkeys' instead of the full
data.

The changes will take the right 'pkeys' parameters in the 'test_misc()'
function.

Fixes: https://pagure.io/freeipa/issue/9161

Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
89fe83b0 by Stanislav Levin at 2022-09-21T10:53:11-04:00
x509: Replace removed register_interface with subclassing

python-cryptography 38.0 removed the `register_interface` decorator:
pyca/cryptography at f70e334a52fdf5bd1ad42460efb78d989f8535d9

Backward compatibility:
Cryptography hasn't changed the interface of `Certificate` since it was
first used by IPA (4.6.0) until cryptography 38.0.

cryptography 38.0 (pyca/cryptography at c1b7307a3e4ef9cd246feae88178afba7389405c)
added `tbs_precertificate_bytes` attribute.

Fixes: https://pagure.io/freeipa/issue/9160
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
91a02174 by Rob Crittenden at 2022-09-22T08:15:09+02:00
Fix upper bound of password policy grace limit

It was defined as an unsigned value (2**32) because it
originally was. During the review an additional setting of
disabled (-1) was added so the value needed to be signed.
The upper bound needs to be 2**31 which is provided by
the xmlrpc client MAXINT import.

Fixes: https://pagure.io/freeipa/issue/9243

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
0513a83a by Carla Martinez at 2022-09-22T14:16:07+02:00
webui: Show 'Sudo order' column

In the 'Sudo rules' page, the 'Sudo order' column should be visible in the
list so the users can easily see which rules override other rules based on
their order.

Fixes: https://pagure.io/freeipa/issue/9237
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
69413325 by Rob Crittenden at 2022-09-26T13:48:47+02:00
Defer creating the final krb5.conf on clients

A temporary krb5.conf is created early during client enrollment
and was previously used only during the initial ipa-join call.
The final krb5.conf was written soon afterward.

If there are multiple servers it is possible that the client
may then choose a different KDC to connect. If the client
is faster than replication then the client may not exist
on all servers and therefore enrollment will fail.

This was seen in performance testing of how many simultaneous
client enrollments are possible.

Use a decorator to wrap the _install() method to ensure the
temporary files created during installation are cleaned up.

https://pagure.io/freeipa/issue/9228

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
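The cleanup pattern described in the commit message above, as an added example written for this page rather than FreeIPA's own ipa-client-install code: a decorator wraps an installer method so that every temporary file the method registered is removed when the method returns, whether it finished or raised. The installer class, its method names, the realm and server name, and the minimal krb5.conf content are all constructed for the illustration; the only point being demonstrated is that the temporary krb5.conf used to pin enrollment to one server never outlives the installation step.

```python
"""Decorator that guarantees removal of temporary files created during an
install step.  Added example for this page; FakeClientInstall is a
hypothetical stand-in for the real client installer.
"""
import functools
import os
import tempfile
from typing import Callable, List


def cleanup_temp_files(method: Callable) -> Callable:
    """Run ``method`` and afterwards unlink every path the instance appended to
    ``self._temp_files`` during the call.  The ``finally`` block makes the
    cleanup happen on exceptions as well, so a failed enrollment does not
    leave a stray krb5.conf pointing at a single KDC on disk."""

    @functools.wraps(method)
    def wrapper(self, *args, **kwargs):
        try:
            return method(self, *args, **kwargs)
        finally:
            for path in getattr(self, "_temp_files", []):
                try:
                    os.unlink(path)
                except FileNotFoundError:
                    pass  # already gone; nothing to do
            self._temp_files = []

    return wrapper


class FakeClientInstall:
    """Hypothetical installer: writes a temporary krb5.conf that names only the
    server being enrolled against, does the 'enrollment', then writes the
    final configuration last (the ordering the commit message describes)."""

    def __init__(self, server: str, realm: str, fail: bool = False) -> None:
        self.server, self.realm, self.fail = server, realm, fail
        self._temp_files: List[str] = []   # cleared by the decorator
        self.created_files: List[str] = []  # audit trail, never cleared
        self.final_written = False

    def _write_temp_krb5conf(self) -> str:
        fd, path = tempfile.mkstemp(prefix="krb5.conf.", suffix=".tmp")
        with os.fdopen(fd, "w") as f:
            f.write(f"[realms]\n {self.realm} = {{\n  kdc = {self.server}\n }}\n")
        self._temp_files.append(path)
        self.created_files.append(path)
        return path

    @cleanup_temp_files
    def _install(self) -> bool:
        temp_conf = self._write_temp_krb5conf()
        os.environ["KRB5_CONFIG"] = temp_conf  # pin every step to one server
        try:
            if self.fail:
                raise RuntimeError("simulated enrollment failure")
            self.final_written = True  # final krb5.conf written only now
            return True
        finally:
            os.environ.pop("KRB5_CONFIG", None)


def leftover_temp_files(installer: FakeClientInstall) -> List[str]:
    """Paths the installer created that still exist; expected to be empty."""
    return [p for p in installer.created_files if os.path.exists(p)]


if __name__ == "__main__":
    inst = FakeClientInstall("ipa1.example.test", "EXAMPLE.TEST")
    inst._install()
    print("leftover:", leftover_temp_files(inst))
```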
4cc94cd3 by Florence Blanc-Renaud at 2022-09-29T16:34:42-04:00
ipa otptoken-sync: return error when sync fails

The command ipa otptoken-sync does not properly handle
errors happening during the synchronization step.

- Even if an error is detected (such as invalid password
provided), the command exits with return code = 0. An
error message is displayed but the exit code should be 1.

- When an invalid token is provided, the token is not
synchronized but the error is not reported back to the
ipa otptoken-sync command.

The first issue can be fixed by raising an exception when
the HTTP response contains a header with an error.
The second issue is fixed by returning LDAP_INVALID_CREDENTIALS
to ldap bind with the sync control if synchronization fails.

Fixes: https://pagure.io/freeipa/issue/9248

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
895a800e by Florence Blanc-Renaud at 2022-09-29T16:34:42-04:00
ipatests: add negative test for otptoken-sync

Scenario: call ipa otptoken-sync with
- an invalid password
- an invalid first token (containing non-digits)
- an invalid sequence of tokens

The test expects a return code = 1.

Related: https://pagure.io/freeipa/issue/9248
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
762d786b by Rob Crittenden at 2022-09-30T13:14:40+02:00
Move client certificate request after krb5.conf is created

The creation of krb5.conf was moved to the end of the script
as part of maintaining server affinity during ipa-client-install.
If the installation is faster than replication then requests
against some IPA servers may fail because the client entry is
not yet present.

This is more difficult with certmonger as it will only use
/etc/krb5.conf. There is no way of knowing, even at the end
of the client installation, that replication has finished.

Certificate issuance may fail during ipa-client-install but
certmonger will re-try the request.

Fixes: https://pagure.io/freeipa/issue/9246

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
e9048daa by Carla Martinez at 2022-09-30T13:17:19+02:00
Set 'idnssoaserial' to deprecated

A warning message (regarding the SOA serial deprecation) is shown
on the webui and CLI every time a new DNS zone is added (even if the
'--serial' option is not being explicitly set) or the SOA serial is modified.

This should be managed by setting 'idnssoaserial' as a deprecated and
not required parameter.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
76604df0 by Carla Martinez at 2022-09-30T13:17:19+02:00
ipatest: Remove warning message for 'idnssoaserial'

The tests must be updated to not expect the
deprecation warning messages for the 'idnssoaserial'
parameter. Those should (successfully) fail when
'dnszone_add' and 'dnszone_mod' commands are
executed with the SOA serial parameter provided.

Also, due to this SOA serial deprecation, an
expected-to-fail test should be defined when a
DNS zone is added (dnszone_add) and the SOA serial
is passed as a parameter.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
9f8c9a4d by Carla Martinez at 2022-09-30T13:17:19+02:00
webui: Set 'SOA serial' field as read-only

On the WebUI, the SOA serial textbox must be disabled (non-editable)
to prevent the 'ValidationError' message from being shown when this
specific field is manually set.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
856edcc8 by Carla Martinez at 2022-09-30T13:17:19+02:00
Update API and VERSION

The API and VERSION files need to be updated
to hold the changes made in the 'idnssoaserial'
parameter.

Fixes: https://pagure.io/freeipa/issue/9249
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
6353e45b by Yuri Chornoivan at 2022-10-02T12:10:01+03:00
Translated using Weblate (Ukrainian)

Currently translated at 100.0% (4687 of 4687 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/uk/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
f9590de2 by Hela Basa at 2022-10-02T12:10:01+03:00
Added translation using Weblate (Sinhala)

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d198a35c by Marcin Stanclik at 2022-10-02T12:10:01+03:00
Translated using Weblate (Polish)

Currently translated at 100.0% (451 of 451 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/pl/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3b0c1caf by Piotr Drąg at 2022-10-02T12:10:01+03:00
Translated using Weblate (Polish)

Currently translated at 100.0% (451 of 451 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/pl/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
842a6457 by Yuri Chornoivan at 2022-10-02T12:10:01+03:00
Translated using Weblate (Ukrainian)

Currently translated at 100.0% (4687 of 4687 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/uk/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6169eb47 by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Added translation using Weblate (Finnish)

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6bdd02db by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 0.7% (35 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9d6d2e2d by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 6.2% (290 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c2061cf9 by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 6.8% (318 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5dcb6146 by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 7.2% (340 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
15457a6d by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 7.7% (362 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
696a72f7 by Hela Basa at 2022-10-02T12:10:01+03:00
Translated using Weblate (Sinhala)

Currently translated at 0.2% (10 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/si/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0a6246ea by Hela Basa at 2022-10-02T12:10:01+03:00
Added translation using Weblate (Korean)

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fd81a77d by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 6.5% (306 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
23fb8a47 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 7.3% (345 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2203f362 by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 7.7% (363 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
10146052 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 7.7% (361 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
00eba1f7 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 8.3% (389 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
77feee85 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 8.7% (407 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
eac046fd by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 8.8% (412 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d5726f04 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 8.8% (412 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
27dba4a7 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 8.8% (414 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9658dbd3 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 8.8% (415 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
18346d99 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 9.0% (422 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
715043df by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 10.5% (494 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
548afe9e by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 10.8% (507 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1e65336b by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 10.9% (511 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d6ff8af6 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 11.0% (514 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
cf9f35e3 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 11.0% (517 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9e2f7d04 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 11.1% (522 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
20006cc7 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 21.1% (989 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7d12b30e by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 22.0% (1030 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8b3ceace by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 24.1% (1128 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b2cf29ae by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 24.4% (1144 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a8a2b2cf by Ricky Tigg at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 11.3% (529 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7ca1befe by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 28.9% (1351 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b5d6616a by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 30.0% (1406 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4d306ee7 by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 13.8% (648 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e98691b4 by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 15.8% (739 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
aa00e7c3 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 31.2% (1461 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
216cced0 by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 15.8% (742 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
067cae55 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 31.5% (1472 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2c0924f3 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 32.5% (1519 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3392f31a by Ricky Tigg at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 15.9% (743 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5bd77e60 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 32.9% (1540 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
eb1a1f35 by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 16.1% (754 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e6451fe1 by Ricky Tigg at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 16.3% (762 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fe60d1f6 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 33.8% (1580 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e98e2170 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 34.0% (1590 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
07a1cc54 by simmon at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 35.8% (1675 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9df1672f by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 16.3% (764 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7037e538 by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 17.0% (794 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1853d934 by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 17.0% (798 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
20269ac6 by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 17.3% (810 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
246604ec by 김인수 at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 36.6% (1712 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
49a41249 by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 17.6% (826 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
91b63fca by Ricky Tigg at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 17.7% (827 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
20bcd69f by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 17.8% (834 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b70041d9 by 김인수 at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 36.7% (1718 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a24adeab by 김인수 at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 44.0% (2060 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
64b2c0eb by 김인수 at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 45.3% (2117 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
aef749b6 by 김인수 at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 46.2% (2163 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fd538803 by 김인수 at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 47.0% (2197 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
994c4351 by 김인수 at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 47.3% (2213 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e6accc7b by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 17.9% (836 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4d92e67a by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 17.9% (839 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e6e638ae by 김인수 at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 48.5% (2268 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c07e0ec7 by 김인수 at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 48.6% (2275 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
61dea74b by Yuri Chornoivan at 2022-10-02T12:10:01+03:00
Translated using Weblate (Ukrainian)

Currently translated at 100.0% (4666 of 4666 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/uk/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7f9588f3 by 김인수 at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 49.0% (2290 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
841e0c67 by Jan Kuparinen at 2022-10-02T12:10:01+03:00
Translated using Weblate (Finnish)

Currently translated at 17.9% (840 of 4668 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/fi/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
42589415 by 김인수 at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 49.6% (2318 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
29dba19a by 김인수 at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 50.5% (2360 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
53e4e721 by 김인수 at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 50.5% (2360 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2c555646 by 김인수 at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 50.5% (2360 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b8c39cca by 김인수 at 2022-10-02T12:10:01+03:00
Translated using Weblate (Korean)

Currently translated at 50.5% (2360 of 4672 strings)

Translation: freeipa/ipa-4-9
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/ipa-4-9/ko/
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
64ef2b9c by Florence Blanc-Renaud at 2022-10-03T07:47:35+02:00
ipa man page: format the EXAMPLES section

The EXAMPLES section is missing .TP macros before some of
the provided examples, and they are displayed in the same paragraph.

Add .TP (tagged, indented paragraph) before each example.

Fixes: https://pagure.io/freeipa/issue/9252
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
66635764 by Alexey Tikhonov at 2022-10-06T10:15:25+02:00
extdom: internal functions should be static

Fixes the following compilation warnings:
```
ipa_extdom_common.c:109:5: warning: no previous prototype for ‘__nss_to_err’ [-Wmissing-prototypes]
  109 | int __nss_to_err(enum nss_status errcode)
      |     ^~~~~~~~~~~~
ipa_extdom_common.c:738:5: warning: no previous prototype for ‘pack_ber_name_list’ [-Wmissing-prototypes]
  738 | int pack_ber_name_list(struct extdom_req *req, char **fq_name_list,
      |     ^~~~~~~~~~~~~~~~~~
```

Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
3de618f7 by Alexey Tikhonov at 2022-10-06T10:15:25+02:00
extdom: make sure result doesn't miss domain part

This is required to ensure that only objects from requested domain
are returned.

Resolves: https://pagure.io/freeipa/issue/9245
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
a07cece0 by Alexey Tikhonov at 2022-10-06T10:15:25+02:00
extdom: avoid sss_nss_getorigby*() calls when get*_r_wrapper() returns object from a wrong domain (performance optimization)

Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
7e93f46c by Stanislav Levin at 2022-10-07T16:56:18+02:00
ipapython: Support openldap 2.6

While python-ldap is a strict dependency of IPA in downstreams, it
is optional for IPA packages published on PyPI.

OpenLDAP 2.6 no longer ships ldap_r-2, which makes
ipapython.dn_ctypes not work in such environments.

Thanks @abbra!

Fixes: https://pagure.io/freeipa/issue/9255
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e51a0c92 by Sumit Bose at 2022-10-10T10:00:23+02:00
ipa-kdb: do not fail if certmap rule cannot be added

Currently if a certificate mapping and matching rule has a typo or is of
an unsupported type the whole rule processing is aborted and the IPA
certmap plugin works without any rules effectively disabling PKINIT for
users. Since each rule would only allow more certificates for PKINIT it
would be more user/admin friendly to just ignore the failed rules with a
log message and continue with what is left or use the default rule if
nothing is left.

This change is done to add more flexibility to define new mapping and
matching templates which are e.g. needed to cover changes planned by
Microsoft as explained in
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d9a56b51 by Alexander Bokovoy at 2022-10-11T09:06:21+02:00
ipaclient: do not set TLS CA options in ldap.conf anymore

OpenLDAP has made it explicit to use default CA store as provided by
OpenSSL in 2016:

	branches 2.5 and later:
	commit 4962dd6083ae0fe722eb23a618ad39e47611429b
	Author: Howard Guo <hguo at suse.com>
	Date:   Thu Nov 10 15:39:03 2016 +0100

	branch 2.4:
	commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8
	Author: Howard Guo <hguo at suse.com>
	Date:   Thu Nov 10 15:39:03 2016 +0100

This means starting with OpenLDAP 2.4.45 we can drop the explicit CA
configuration in ldap.conf.

There are several use cases where an explicit IPA CA should be specified
in the configuration. These mostly concern situations where a higher
security level must be maintained. For these configurations an
administrator would need to add an explicit CA configuration to
ldap.conf if we wouldn't add it during the ipa-client-install setup.

RN: FreeIPA client installer does not add explicit TLS CA configuration
RN: to OpenLDAP's ldap.conf anymore. Since OpenLDAP 2.4.45, explicit CA
RN: configuration is not required as OpenLDAP uses the default CA store
RN: provided by OpenSSL and IPA CA is installed in the default store
RN: by the installer already.

Fixes: https://pagure.io/freeipa/issue/9258

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c977cefa by Nikola Knazekova at 2022-10-18T07:07:45+02:00
Exclude installed policy module file from RPM verification

selinux: Update based on latest packaging guide
https://fedoraproject.org/wiki/SELinux/IndependentPolicy

Fixes: https://pagure.io/freeipa/issue/9254

Signed-off-by: Nikola Knazekova <nknazeko at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
21cb86a8 by Anuja More at 2022-10-18T09:27:23+02:00
ipatests: Test query to AD specific attributes is successful.

Test scenario:
configure sssd with ldap_group_name = info for the trusted domain,
so that the group name is read from the "info" attribute
of the AD group entry.
With this setting, it is possible to have a group and a user
that appear on IdM side with the same name.
Ensure that the conflict does not break IdM and that the id,
getent group and getent passwd commands work on an IdM client.

Related: https://pagure.io/freeipa/issue/9127

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
58b02671 by Sudhir Menon at 2022-10-20T08:17:59+02:00
ipatests: WebUI: do not allow subid range deletion

This testcase checks that subid added by user admin
cannot be deleted.

Related: https://pagure.io/freeipa/issue/9150

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
58e12bd9 by Florence Blanc-Renaud at 2022-10-20T08:17:59+02:00
webui tests: fix test_subid suite

The webui test test_subid_range_deletion_not_allowed is
adding a new subid for the admin user but a previous
test already took care of that step.
Remove the call adding the subid.

2nd issue: a given record has to be selected in
order to check that there is no "delete" button.

Fixes: https://pagure.io/freeipa/issue/9214

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
58ad9f2e by Florence Blanc-Renaud at 2022-10-21T20:12:45+02:00
Spec file: bump the selinux-policy version

selinux-policy introduced a regression in fedora 36, rhel 8
and rhel 9. After a call to ipa trust-add, the credential cache
contains cifs/master.ipa.test at IPA.TEST instead of admin principal.

The fix is available in
- fedora 36: selinux-policy-36.16-1
- rhel 8: 3.14.3-107

Bump the selinux-policy version to install the fix.

Fixes: https://pagure.io/freeipa/issue/9198
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
80b18b08 by Erik Belko at 2022-11-10T10:20:26+01:00
ipatests: test for root using admin password in webUI

Check if there is no infinite loop caused by this
combination of user and password

Related: https://pagure.io/freeipa/issue/9226

Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
fd92757f by Erik Belko at 2022-11-14T08:27:31+01:00
ipatests: Add test for grace login limit

Test user and pwpolicy entity for grace login limit setting.

Related: https://pagure.io/freeipa/issue/9211

Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
98eda976 by Carla Martinez at 2022-11-15T15:33:50+01:00
webui: Add label name to 'Certificates' section

For testing purposes and uniformity, the
'Certificates' label (located under
'Active users' settings ) should also have
'name' attribute, like seen in other parts of the WebUI.

Fixes: https://pagure.io/freeipa/issue/8946
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
c0b438bc by Mohammad Rizwan at 2022-11-15T15:33:50+01:00
ipatests: Test newly added certificate label

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
76c8b47e by Carla Martinez at 2022-11-15T15:33:50+01:00
webui: Add name to 'Certificates' table

For testing purposes and uniformity, the 'Certificates'
table generated after a new certificate is added should
also have the 'name' attribute to be able to access its
value.

Fixes: https://pagure.io/freeipa/issue/8946
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
9d184a29 by Rob Crittenden at 2022-11-17T09:44:54+01:00
Pass the curl write callback by name instead of address

This was reported by Coverity as a potential issue. Passing
by name is the example that curl uses so switch to that to
quiet the warning.

Also change to a static function and pre-declare it to quiet a
compile-time warning.

https://pagure.io/freeipa/issue/9274

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
beaab476 by Antonio Torres at 2022-11-17T09:50:51+01:00
doc: generate API Reference

Extend the 'make api' target so that we also build an API Reference in
Markdown format. One template for each command gets generated. These
templates include all of the command details (arguments, options and
outputs), and then a section for manually-added notes such as semantics
or version differences. Every time the docs are regenerated, these notes
will be added if they exist.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
76aa6d2a by Antonio Torres at 2022-11-17T09:50:51+01:00
Add basic API usage guide

Add a guide explaining how to use the IPA API through Python. This
includes initializing the API, launching commands and retrieving
results, including batch operations.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
80da53ea by Christian Heimes at 2022-11-17T09:52:36+01:00
Add PKINIT support to ipa-client-install

The ``ipa-client-install`` command now supports PKINIT for client
enrollment. Existing X.509 client certificates can be used to
authenticate a host.

Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA
certificates for PKINIT.

*Requirements*

- The KDC must trust the CA chain of the client certificate.
- The client must be able to verify the KDC's PKINIT cert.
- The host entry must exist. This limitation may be removed in the
  future.
- A certmap rule must match the host certificate and map it to a single
  host entry.

*Example*

```
ipa-client-install \
    --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
    --pkinit-anchor=/path/to/kdc-ca-bundle.pem
```

Fixes: https://pagure.io/freeipa/issue/9271
Fixes: https://pagure.io/freeipa/issue/9269
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
170155b6 by Pavel Březina at 2022-11-17T10:21:07+01:00
docs: add security section to idp

Related: https://pagure.io/freeipa/issue/8805
Related: https://pagure.io/freeipa/issue/8804
Related: https://pagure.io/freeipa/issue/8803
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ca486d15 by Florence Blanc-Renaud at 2022-11-18T15:34:35+01:00
ipatests: update vagrant boxes

Use new version of vagrant boxes:
ci-ipa-4-9-f36 0.0.3

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
c643e56e by Francisco Trivino at 2022-11-22T07:56:00+01:00
Vault: fix interoperability issues with older RHEL systems

AES-128-CBC was recently enabled as the default wrapping algorithm for transport of secrets.
This change was done in favor of FIPS, as crypto-policies disabled 3DES in RHEL9, but
setting AES as the default ended up breaking backwards compatibility with older RHEL systems.

This commit is tuning some defaults so that interoperability with older RHEL systems
works again. The new logic reflects:

- when an old client is calling a new server, it doesn't send any value for wrapping_algo
  and the old value is used (3DES), so that the client can decrypt using 3DES.

- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC

- when a new client is calling an old server, it doesn't send any value and the default is
  to use 3DES.

Finally, as this logic is able to handle overlapping wrapping algorithm between server and
client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa
vault-retrieve --help" commands.

Fixes: https://pagure.io/freeipa/issue/9259
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a0652f5d by Julien Rische at 2022-11-24T07:42:49+01:00
Generate CNAMEs for TXT+URI location krb records

The IPA location system relies on DNS record priorities in order to give
higher precedence to servers from the same location. For Kerberos, this
is done by redirecting generic SRV records (e.g.
_kerberos._udp.[domain].) to location-aware records (e.g.
_kerberos._udp.[location]._locations.[domain].) using CNAMEs.

This commit applies the same logic for URI records. URI location-aware
records were created, but there was no redirection from generic URI
records. This was causing them to be ignored in practice.

Kerberos URI and TXT records have the same name: "_kerberos". However,
CNAME records cannot coexist with any other record type. To avoid this
conflict, the generic TXT realm record was replaced by location-aware
records, even if the content of these records is the same for all
locations.

Fixes: https://pagure.io/freeipa/issue/9257
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9efa8fe4 by Alexander Bokovoy at 2022-11-25T11:16:45+02:00
ipa-kdb: refactor MS-PAC processing to prepare for krb5 1.20

Make sure both krb5 pre 1.20 and 1.20 or later would call into the same
PAC generation code while driven by different API callbacks from the
krb5 KDB interface.

Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
a0d84034 by Alexander Bokovoy at 2022-11-25T11:16:45+02:00
ipa-kdb: add krb5 1.20 support

Add basic krb5 1.20 integration without RBCD support. RBCD will come in
a separate series.

Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
0dd3315a by Alexander Bokovoy at 2022-11-25T11:16:45+02:00
ipa-kdb: handle cross-realm TGT entries when generating PAC

For generating the PAC we need to know the SID of the object and a number of
required attributes. However, trusted domain objects do not have these
attributes. Luckily, the IPA LDAP schema puts them under the actual trust
objects, which have all the additional (POSIX) attributes.

Refactor PAC generator to accept secondary LDAP entry and use that one
to pull up required attributes. We only use this for trusted domain
objects.

Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
4755bd42 by Alexander Bokovoy at 2022-11-25T11:16:45+02:00
ipa-kdb: handle empty S4U proxy in allowed_to_delegate

With krb5 1.20, S4U processing code uses a special case of passing an
empty S4U proxy to allowed_to_delegate() callback to identify if the
server cannot get forwardable S4U2Self tickets according to [MS-PAC]
3.2.5.1.2.

This means we need to ensure a NULL proxy is a valid one and return an
appropriate response to that.

Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
7e504647 by Alexander Bokovoy at 2022-11-25T11:16:45+02:00
ipa-kdb: fix PAC requester check

The PAC requester check was incorrect for in-realm S4U operations. It cast
too wide a check, which denied some legitimate requests. Fix that by only
applying the rejection to non-S4U unknown SIDs; otherwise an S4U2Self request
issued by an in-realm service against a trusted domain's user would not
work.

Related: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
a35cac3d by Alexander Bokovoy at 2022-11-25T11:16:45+02:00
ipa-kdb: fix comment to make sure we talk about krb5 1.20 or later

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
e12aa8bb by Alexander Bokovoy at 2022-11-25T11:16:45+02:00
ipa-kdb: for delegation check, use different error codes before and after krb5 1.20

With MIT krb5 1.20, a call to krb5_db_check_allowed_to_delegate()
and krb5_db_check_allowed_to_delegate_from() is expected to return either
KRB5KDC_ERR_BADOPTION for a policy denial or KRB5_PLUGIN_OP_NOTSUPP in
case the plugin does not handle the policy case. This is part of the MIT
krb5 commit a441fbe329ebbd7775eb5d4ccc4a05eef370f08b which added a
minimal MS-PAC generator.

Prior to MIT krb5 1.20, the same call was expected to return either
KRB5KDC_ERR_POLICY or KRB5_PLUGIN_OP_NOTSUPP errors.

Related: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
4d6eabd3 by Florence Blanc-Renaud at 2022-11-25T13:52:15+01:00
API reference: update vault doc

Update doc/api/vault_archive_internal.md and
doc/api/vault_retrieve_internal.md
after the change from commit 93548f2
(default wrapping algo is now des-ede3-cbc instead of aes-128-cbc).

Related: https://pagure.io/freeipa/issue/9259

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0caa26da by Florence Blanc-Renaud at 2022-11-25T13:52:15+01:00
API reference: update dnszone_add generated doc

Update doc/api/dnszone_add.md after commit c74c701
(Set 'idnssoaserial' to deprecated)

Related: https://pagure.io/freeipa/issue/9249

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e725e995 by Florence Blanc-Renaud at 2022-11-25T13:52:15+01:00
API doc: adapt the generated doc for 4.9 branch

The API doc files were generated on the master branch
and simply backported to ipa-4-9 but the code differs on
those branches and the doc files need to be adapted.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
59bfe9d8 by Antonio Torres at 2022-11-25T17:18:33+01:00
Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
4f3dd053 by Antonio Torres at 2022-11-25T17:26:03+01:00
Update list of contributors

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
2a9919af by Antonio Torres at 2022-11-25T17:47:00+01:00
Become IPA 4.9.11

- - - - -
5f1002f8 by Timo Aaltonen at 2023-01-18T17:51:12+02:00
Merge branch 'upstream'

- - - - -
defbdcdc by Timo Aaltonen at 2023-01-18T17:51:23+02:00
version bump

- - - - -
5ef339b9 by Timo Aaltonen at 2023-01-18T17:59:47+02:00
drop upstreamed patches

- - - - -
56aac44c by Timo Aaltonen at 2023-01-18T18:22:32+02:00
server.install: Updated.

- - - - -
a72d0004 by Timo Aaltonen at 2023-01-18T18:25:27+02:00
releasing package freeipa version 4.9.11-1

- - - - -


30 changed files:

- .git-commit-template
- .gitignore
- + .readthedocs.yaml
- .wheelconstraints.in
- ACI.txt
- API.txt
- Contributors.txt
- Makefile.am
- VERSION.m4
- client/ipa-join.c
- client/man/default.conf.5
- client/man/epn.conf.5
- client/man/ipa-client-automount.1
- client/man/ipa-client-install.1
- client/man/ipa.1
- client/share/epn.conf
- configure.ac
- daemons/dnssec/ipa-dnskeysync-replica.in
- daemons/dnssec/ipa-dnskeysyncd.in
- daemons/dnssec/ipa-ods-exporter.in
- daemons/ipa-kdb/Makefile.am
- daemons/ipa-kdb/ipa_kdb.c
- daemons/ipa-kdb/ipa_kdb.h
- daemons/ipa-kdb/ipa_kdb_certauth.c
- daemons/ipa-kdb/ipa_kdb_delegation.c
- daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
- daemons/ipa-kdb/ipa_kdb_mspac.c
- daemons/ipa-kdb/ipa_kdb_mspac_private.h
- + daemons/ipa-kdb/ipa_kdb_mspac_v6.c
- + daemons/ipa-kdb/ipa_kdb_mspac_v9.c


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/99aa1043d0f76fa92e94ffb6f6fff034542a6d57...a72d0004f176ecdae7dbd905459b544342237270
