[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][upstream] 447 commits: Bump to IPA 4.13
Timo Aaltonen (@tjaalton)
gitlab at salsa.debian.org
Sun Feb 8 16:46:39 GMT 2026
Timo Aaltonen pushed to branch upstream at FreeIPA packaging / freeipa
Commits:
3f3ac4f1 by Antonio Torres at 2024-05-28T16:18:42+02:00
Bump to IPA 4.13
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
65bea693 by Rob Crittenden at 2024-06-06T15:09:46-04:00
Use a unique task name for each backend in ipa-backup
The name used to be "export_%Y_%m_%d_%H_%M_%S" so if the tasks
were added within the same second the second backend would fail.
Add the backend name to the task name to ensure uniqueness.
export_{backend}_%Y_%m_%d_%H_%M_%S
Fixes: https://pagure.io/freeipa/issue/9584
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mark Reynolds <mreynolds at redhat.com>
- - - - -
3b58080f by Julien Rische at 2024-06-10T12:51:22+02:00
kdb: fix vulnerability in GCD rules handling
The initial implementation of MS-SFU by MIT Kerberos was missing a
condition for granting the "forwardable" flag on S4U2Self tickets.
Fixing this mistake required adding special case for the
check_allowed_to_delegate() function: if the target service argument is
NULL, then it means the KDC is probing for general constrained
delegation rules, not actually checking a specific S4U2Proxy request.
In commit e86807b5, the behavior of ipadb_match_acl() was modified to
match the changes from upstream MIT Kerberos a441fbe3. However, a
mistake resulted in this mechanism to apply in cases where target
service argument is set AND unset. This results in S4U2Proxy requests to
be accepted regardless of the fact there is a matching service
delegation rule or not.
This vulnerability does not affect services having RBCD (resource-based
constrained delegation) rules.
This fixes CVE-2024-2698
Signed-off-by: Julien Rische <jrische at redhat.com>
- - - - -
dfd4492e by Julien Rische at 2024-06-10T12:51:22+02:00
kdb: apply combinatorial logic for ticket flags
The initial design for ticket flags was implementing this logic:
* If a ticket policy is defined for the principal entry, use flags from
this policy if they are set. Otherwise, use default ticket flags.
* If no ticket policy is defined for the principal entry, but there is a
global one, use flags from the global ticket policy if they are set.
Otherwise, use default ticket flags.
* If no policy (principal nor global) is defined, use default ticket
flags.
However, this logic was broken by a1165ffb which introduced creation of
a principal-level ticket policy in case the ticket flag set is modified.
This was typically the case for the -allow_tix flag, which was set
virtually by the KDB driver when a user was locked until they initialize
their password on first kinit pre-authentication.
This was causing multiple issues, which are mitigated by the new
approach:
Now flags from each level are combined together. These are flags like
+requires_preauth, which are set systematically by the KDB driver, as
well as -allow_tix, which is set based on the value of "nsAccountLock".
This commit also adds the implicit -allow_svr ticket flag for user
principals to protect users against Kerberoast-type attacks. None of
these flags are stored in the LDAP database, they are hard-coded in the
KDB driver.
In addition to these "virtual" ticket flags, flags from both global and
principal ticket policies are applied (if these policies exist).
Principal ticket policies are not supported for hosts and services, but
this is only an HTTP API limitation. The "krbTicketPolicyAux" object
class is supported for all account types. This is required for ticket
flags like +ok_to_auth_as_delegate. Such flags can be set using "ipa
host-mod" and "ipa service-mod", or using kadmin's "modprinc".
It is possible to ignore flags from the global ticket policy or default
flags like -allow_svr for a user principal by setting the
"final_user_tkt_flags" string attribute to "true" in kadmin. In this
case, any ticket flag can be configured in the principal ticket policy,
except requires_preauth and allow_tix.
When in IPA setup mode (using the "ipa-setup-override-restrictions" KDB
argument), all the system described above is disabled and ticket flags
are written in the principal ticket policy as they are provided. This is
required to initialize the Kerberos LDAP container during IPA server
installation.
This fixes CVE-2024-3183
Signed-off-by: Julien Rische <jrische at redhat.com>
- - - - -
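The layered ticket-flag resolution described in the commit message above, as an added illustrative model; this is not the FreeIPA KDB driver's code. Flag names follow kadmin's +flag/-flag vocabulary; the Principal data model, the starting default set, and the treatment of flags the principal policy leaves unset under final_user_tkt_flags (defaults still fill them in, only the global policy and the virtual -allow_svr are skipped) are assumptions made for the example.

```python
"""Illustrative model of combinatorial ticket-flag resolution.

Not FreeIPA code: a reimplementation of the precedence rules described in
the commit message (defaults < global policy < principal policy < virtual
flags hard-coded in the KDB driver), with the two special modes
final_user_tkt_flags and ipa-setup-override-restrictions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# A policy sets a subset of flags; a flag it does not mention is "unset" (None).
FlagSet = Dict[str, Optional[bool]]

# Assumed default flag set (constructed for the example).
DEFAULT_FLAGS: FlagSet = {
    "allow_tix": True,
    "allow_svr": True,
    "forwardable": True,
    "renewable": True,
    "requires_preauth": False,
    "ok_to_auth_as_delegate": False,
}

# Flags that final_user_tkt_flags can never override.
ALWAYS_ENFORCED = ("requires_preauth", "allow_tix")


@dataclass
class Principal:
    name: str
    is_user: bool                       # user vs host/service principal
    ns_account_lock: bool = False       # value of nsAccountLock in LDAP
    final_user_tkt_flags: bool = False  # kadmin string attribute "true"
    policy: FlagSet = field(default_factory=dict)  # krbTicketPolicyAux flags


def _apply(base: FlagSet, layer: FlagSet) -> FlagSet:
    """Overlay set (non-None) flags of `layer` onto `base`."""
    out = dict(base)
    for name, value in layer.items():
        if value is not None:
            out[name] = value
    return out


def virtual_flags(p: Principal, include_allow_svr: bool) -> FlagSet:
    """Flags computed by the driver and never stored in LDAP."""
    virt: FlagSet = {
        "requires_preauth": True,              # always required
        "allow_tix": not p.ns_account_lock,    # locked account => -allow_tix
    }
    if include_allow_svr and p.is_user:
        virt["allow_svr"] = False              # users are not ticket targets (anti-Kerberoast)
    return virt


def resolve_ticket_flags(p: Principal, global_policy: FlagSet,
                         setup_override: bool = False) -> FlagSet:
    """Return the effective flag set for principal `p`."""
    if setup_override:
        # ipa-setup-override-restrictions: policy flags are used verbatim.
        return {k: v for k, v in p.policy.items() if v is not None}
    if p.final_user_tkt_flags:
        # Principal policy is final: skip the global policy and the implicit
        # -allow_svr, but requires_preauth/allow_tix stay enforced.
        flags = _apply(DEFAULT_FLAGS, p.policy)
        enforced = {k: v for k, v in virtual_flags(p, False).items()
                    if k in ALWAYS_ENFORCED}
        return _apply(flags, enforced)
    flags = _apply(DEFAULT_FLAGS, global_policy)
    flags = _apply(flags, p.policy)
    return _apply(flags, virtual_flags(p, True))


def to_kadmin(flags: FlagSet) -> str:
    """Render a flag set in kadmin's +flag/-flag notation (sorted for stability)."""
    return " ".join(("+" if v else "-") + k for k, v in sorted(flags.items()))


if __name__ == "__main__":
    alice = Principal("alice", is_user=True)
    print(alice.name, to_kadmin(resolve_ticket_flags(alice, {})))
    svc = Principal("HTTP/web.example.test", is_user=False,
                    policy={"ok_to_auth_as_delegate": True})
    print(svc.name, to_kadmin(resolve_ticket_flags(svc, {})))
```

Running the block prints the effective kadmin-style flags for a plain user (note the implicit -allow_svr and +requires_preauth) and for a service principal that was granted +ok_to_auth_as_delegate through its own policy.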
6b26a4eb by Rob Crittenden at 2024-06-12T11:08:29-04:00
Add iparepltopoconf objectclass to topology permissions
The domain and ca objects were unreadable which caused
the connection lines between nodes in the UI to not be
visible.
Also add a manual ACI to allow reading the min/max
domain level.
Fixes: https://pagure.io/freeipa/issue/9594
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
3249b124 by Florence Blanc-Renaud at 2024-06-17T14:49:39-04:00
ipa-otptoken-import: open the key file in binary mode
ipa-otptoken-import provides an option (-k KEYFILE) to import
an encrypted PSKC file but this option does not work with python3
in RHEL8 and above, because the key should be passed in binary
format to the cryptography functions instead of string format.
Open the keyfile in binary mode to pass the expected format.
Fixes: https://pagure.io/freeipa/issue/9609
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
80755123 by Florence Blanc-Renaud at 2024-06-24T09:24:23+02:00
spec file: do not create /etc/ssh/ssh_config.orig if unchanged
The upgrade removes the line
HostKeyAlgorithms ssh-rsa,ssh-dss
if present in /etc/ssh/ssh_config and creates a backup in
/etc/ssh/ssh_config.orig, even if no change was applied.
Create the backup file only if the file was changed.
Fixes: https://pagure.io/freeipa/issue/9610
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
78e96707 by Florence Blanc-Renaud at 2024-06-24T09:24:23+02:00
ipatests: add test for ticket 9610
Test scenario:
- ensure there is no /etc/ssh/ssh_config.orig file
- force ipa-client package reinstallation
- ensure no backup file is created in /etc/ssh/ssh_config.orig
Related: https://pagure.io/freeipa/issue/9610
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
20df6090 by Florence Blanc-Renaud at 2024-06-25T17:54:37-04:00
PKINIT certificate: fix renewal on hidden replica
The renewal of PKINIT cert on hidden replica is failing because
of a test ensuring that the KDC service is either enabled or
configured. The test needs to be extended and allow hidden, too.
Fixes: https://pagure.io/freeipa/issue/9611
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
70cd9dd1 by Florence Blanc-Renaud at 2024-06-25T17:54:37-04:00
ipatests: add test for PKINIT renewal on hidden replica
Test scenario: on a hidden replica, force the renewal of
PKINIT cert by calling getcert resubmit.
Related: https://pagure.io/freeipa/issue/9611
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fd93a3b8 by Florence Blanc-Renaud at 2024-06-26T07:30:20+02:00
Gating and nightly tests: move to f39/f40
Now that fedora 40 is available and fedora 38 is EOL, adjust the test
pipelines:
- fedora-previous now refers to f39
- fedora-latest now refers to f40
Gating tests will now run on fedora 40.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
1a83d833 by Florence Blanc-Renaud at 2024-06-26T07:30:20+02:00
ipatests: mark test_ca_show_error_handling as xfail
With PKI 11.5.0, the test
test_cert.py::TestCAShowErrorHandling::test_ca_show_error_handling
is failing with an exception and a different error message.
Mark as xfail until PKI provides a fix
Related: https://pagure.io/freeipa/issue/9606
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
7513575c by Florence Blanc-Renaud at 2024-06-26T07:30:20+02:00
ipatests: fix / permissions to allow ssh with private key
The test test_ssh_key_connection is performing a ssh login
with a private key and this command may fail if the root directory
does not have the right permissions on the ssh server
(see https://access.redhat.com/solutions/6798261)
Ensure that / has 755 before launching the test.
Fixes: https://pagure.io/freeipa/issue/9607
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
8293b74e by Rob Crittenden at 2024-06-26T07:40:54+02:00
Clean up more files and directories created by the installer(s)
Ideally all files created during an IPA server installation are
removed by the uninstaller. Some files are purposefully left,
like token passwords, private keys, logs and more. Add an
allow list for those files.
Include a test to catch any additional files that may be created
and left behind.
Fixes: https://pagure.io/freeipa/issue/8080
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
58003600 by Florence Blanc-Renaud at 2024-07-01T15:01:48+02:00
ipatests: fix / permissions for test_nested_group_members
The test test_nested_group_members is performing a ssh login
with a private key and this command may fail if the root directory
does not have the right permissions on the ssh server
(see https://access.redhat.com/solutions/6798261)
Ensure that / has 755 before launching the test.
Fixes: https://pagure.io/freeipa/issue/9615
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
b5f40a30 by Anuja More at 2024-07-02T17:31:52+02:00
Added template for ad_master_1replica_1client
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d422155f by Anuja More at 2024-07-02T17:31:52+02:00
ipatests: Test replica installation using AD admin.
Test to verify that replica connection check is not failing when
the AD administrator Administrator at AD.EXAMPLE.COM is
used for the deployment or promotion of a replica
Related: https://pagure.io/freeipa/issue/9542
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
224c4517 by TAKAHASHI Masatsuna at 2024-07-04T09:57:57+02:00
ipa-advise ipa-backup ipa-restore: Fix --v option of the manual.
Specifying the --v option results in an error.
The --v option is incorrect and should be -v.
Fixes: https://pagure.io/freeipa/issue/9617
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
5fe7cf50 by Sudhir Menon at 2024-07-05T17:31:05+02:00
ipatests: Tests for ipa-ipa migration tool
This patch includes tests for ipa-ipa migration
tool
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
68cdca3d by 김인수 at 2024-07-05T17:41:13+02:00
Translated using Weblate (Korean)
Currently translated at 18.9% (923 of 4877 strings)
Co-authored-by: 김인수 <simmon at nplob.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d4604698 by Weblate at 2024-07-05T17:41:13+02:00
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e82dd41d by Oğuz Ersen at 2024-07-05T17:41:13+02:00
Translated using Weblate (Turkish)
Currently translated at 10.0% (489 of 4881 strings)
Co-authored-by: Oğuz Ersen <oguz at ersen.moe>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/tr/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
326b0a24 by Léane GRASSER at 2024-07-05T17:41:13+02:00
Translated using Weblate (French)
Currently translated at 72.7% (3549 of 4881 strings)
Co-authored-by: Léane GRASSER <leane.grasser at proton.me>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fr/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
deb37ef2 by Temuri Doghonadze at 2024-07-05T17:41:13+02:00
Translated using Weblate (Georgian)
Currently translated at 35.0% (1713 of 4881 strings)
Co-authored-by: Temuri Doghonadze <temuri.doghonadze at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
91100505 by Florence Blanc-Renaud at 2024-07-05T15:48:10-04:00
ipa-ods-enforcer: stop must also stop the socket
ipa-ods-enforcer is a socket-activated service. In order to fully stop
the service, IPA needs to call
systemctl stop ipa-ods-enforcer.service ipa-ods-enforcer.socket
otherwise the socket remains active (listening) and can restart the
service.
A consequence of the issue is the backup / uninstall / restore
scenario that is failing to sign the zones. The uninstaller removes
the socket /run/opendnssec/engine.sock but leaves the ipa-ods-enforcer.socket
active. A subsequent restore or install will not re-create the socket.
Fixes: https://pagure.io/freeipa/issue/9613
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
88a392cf by Florence Blanc-Renaud at 2024-07-05T15:48:10-04:00
Uninstall: stop sssd-kcm before removing KCM ccaches database
The service is socket-activated and will be restarted whenever
needed. It must be stopped before the database is removed
otherwise it fails to recreate the file.
Fixes: https://pagure.io/freeipa/issue/9616
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0be8d040 by Florence Blanc-Renaud at 2024-07-05T15:48:10-04:00
test_replica_install_after_restore: kinit after restore
After uninstall and restore, kinit is required before
launching any ipa command.
Related: https://pagure.io/freeipa/issue/9613
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
faa0aa5d by Thomas Woerner at 2024-07-08T15:05:07+02:00
ipa_sidgen: Allow sidgen_task to continue after finding issues
find_sid_for_ldap_entry could fail in several ways if a Posix ID can not
be converted to an unused SID. This could happen for example for duplicate
IDs or user/group out of range.
This change enables ipa_sidgen_task to continue in the error case to try
to convert the entries without errors. The error messages have been
extended to additionally show the DN string for the bad entries.
Fixes: https://pagure.io/freeipa/issue/9618
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
56533980 by Sudhir Menon at 2024-07-08T15:15:46+02:00
Added new testsuite(ipa_ipa_migration) in prci definitions
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
09aecbc7 by Shunsuke matsumoto at 2024-07-10T11:39:31-04:00
The -d option of the ipa-advise command was able to used.
The -d option of the ipa-advise command was unavailable, so the default value was changed to True to enable its use.
Fixes: https://pagure.io/freeipa/issue/9625
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
024d41eb by Mark Reynolds at 2024-07-10T11:41:58-04:00
ipa-migrate - remove -V option
The versioning in ipa-migrate was removed, but the "-V" option to display the version was not removed.
Fixes: https://pagure.io/freeipa/issue/9620
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d0f15a6d by Rob Crittenden at 2024-07-11T22:20:55+02:00
Fix syntax error in the selinux-luna %postun script
It was missing a trailing fi.
This bad syntax was preventing cleanup of the
{free}ipa-selinux-luna SELinux module:
Running scriptlet: freeipa-selinux-luna-4.12.0.dev202402211727+git0ee 34/44
/var/tmp/rpm-tmp.qoCDFi: line 16: syntax error: unexpected end of file
warning: %postun(freeipa-selinux-luna-4.12.0.dev202402211727+git0eeecdcec-0.fc37.noarch) scriptlet failed, exit status
Fixes: https://pagure.io/freeipa/issue/9629
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
23de8459 by Rob Crittenden at 2024-07-12T13:53:25-04:00
Re-organize HSM validation to be more consistent/less duplication
hsm_validator() was more or less bolted in place late in the
development cycle in order to catch some of the more common
problems: bad token name, bad password, etc.
There was a fair bit of duplication and had the side-effect of not
reading in the token password from the --token-password-file option
in some cases.
This patch also re-adds a lost feature where an exception is raised if
both the --token-password and --token-password-file options are passed
in.
This also needs to be enforced on initial server, replica and when
called by ipa-kra-install. Given that each has a unique subject of
options some duplication remains.
Fixes: https://pagure.io/freeipa/issue/9603
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
a11c843a by Mohammad Rizwan at 2024-07-12T13:53:25-04:00
ipatests: tests related to --token-password-file
Test automation added around the --token-password-file
option for server/replica/kra install.
Related: https://pagure.io/freeipa/issue/9603
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
8d5461be by Rob Crittenden at 2024-07-12T13:53:25-04:00
Include token password options in ipa-kra-install man page
Related: https://pagure.io/freeipa/issue/9603
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
31645c41 by Mark Reynolds at 2024-07-15T11:39:50-04:00
ipa-migrate - starttls does not work
We were previously taking the provided ca cert and creating a temporary
file from it. This was incorrect and caused the secure connection to
fail. Instead just use the file path provided.
Fixes: https://pagure.io/freeipa/issue/9619
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
d2f45c6e by Alexander Bokovoy at 2024-07-16T09:58:27-04:00
ipa-pwd-extop: differentiate OTP requirements in LDAP binds
For users who have no OTP tokens defined (yet), a missing token should
not be seen as a failure. This is needed to allow a basic password
change.
The logic around enforcement of OTP over LDAP bind is the following:
----------------------------------------------------------------------
- when LDAP OTP control is requested by the LDAP client, OTP is
explicitly required
- when EnforceLDAPOTP is set in the IPA configuration, OTP is implicitly
required, regardless of the state of LDAP client
In either case, only users with 'user-auth-type: otp' are allowed to
authenticate.
If these users have no OTP token associated yet, they will be allowed to
authenticate with their password. This is to allow initial password
change and adding an OTP token.
----------------------------------------------------------------------
Implement test that simulates lifecycle for new user who get to change
their password before adding an OTP token.
Related: https://pagure.io/freeipa/issue/5169
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
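The bind decision table described in the commit message above, as an added illustrative model; it is not the ipa-pwd-extop plugin code. The LDAP OTP control, the EnforceLDAPOTP setting and the credential checks are represented as booleans, and the BindContext data model is an assumption made for the example. The new_user_lifecycle() function walks the scenario the commit's test simulates.

```python
"""Illustrative model of OTP enforcement for LDAP simple binds.

Not FreeIPA code: encodes the rules from the commit message so that the
bootstrap case (OTP user with no token yet) can be reasoned about.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class BindContext:
    user_auth_types: FrozenSet[str]   # values of the entry's user-auth-type
    has_otp_token: bool               # at least one OTP token assigned
    otp_control_requested: bool       # client sent the LDAP OTP control
    enforce_ldap_otp: bool            # EnforceLDAPOTP set in IPA config


def otp_is_required(ctx: BindContext) -> bool:
    """OTP is required explicitly (control) or implicitly (server config)."""
    return ctx.otp_control_requested or ctx.enforce_ldap_otp


def evaluate_bind(ctx: BindContext, password_ok: bool, otp_ok: bool) -> str:
    """Return 'allow' or a 'deny: <reason>' string for the bind attempt."""
    if not otp_is_required(ctx):
        # Plain password bind; OTP plays no role.
        return "allow" if password_ok else "deny: bad password"
    if "otp" not in ctx.user_auth_types:
        # Only users configured for OTP may bind when OTP is enforced.
        return "deny: user-auth-type does not include otp"
    if not ctx.has_otp_token:
        # Bootstrap path: password alone is accepted so the user can change
        # the initial password and enroll a token.
        return "allow" if password_ok else "deny: bad password"
    if password_ok and otp_ok:
        return "allow"
    return "deny: password+OTP verification failed"


def new_user_lifecycle() -> List[str]:
    """Constructed scenario: OTP user with EnforceLDAPOTP on, before and after
    enrolling a token. Returns the bind outcome at each stage."""
    base = dict(user_auth_types=frozenset({"otp"}),
                otp_control_requested=False, enforce_ldap_otp=True)
    no_token = BindContext(has_otp_token=False, **base)
    with_token = BindContext(has_otp_token=True, **base)
    return [
        evaluate_bind(no_token, password_ok=True, otp_ok=False),     # initial password change
        evaluate_bind(with_token, password_ok=True, otp_ok=False),   # token enrolled, OTP missing
        evaluate_bind(with_token, password_ok=True, otp_ok=True),    # password + OTP
    ]


if __name__ == "__main__":
    for stage, outcome in zip(("no token", "token, no OTP", "token + OTP"),
                              new_user_lifecycle()):
        print(f"{stage:14s} -> {outcome}")
```

The key security property to check against such a model is that the password-only path opens only for accounts that have no token at all; as soon as a token exists, a password-only bind under enforcement is refused.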
8d2bf906 by Mark Reynolds at 2024-07-16T10:20:50-04:00
Issue 9621 - ipa-migrate - should not update mapped attributes in managed entries
We should not migrate mapped attributes (uidNumber, gidNumber) from
managed entries
We should also not migrate DNA ranges in staging mode
Fixes: https://pagure.io/freeipa/issue/9621
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0c79ecb1 by Julien Rische at 2024-07-18T14:36:32+02:00
Unconditionally add MS-PAC to global config on update
Fixes: https://pagure.io/freeipa/issue/9632
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
1c566104 by Julien Rische at 2024-07-18T14:36:32+02:00
Remove RC4 and 3DES default encryption types on update
Fixes: https://pagure.io/freeipa/issue/9633
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
5cfc4b40 by Florence Blanc-Renaud at 2024-07-18T17:14:55+02:00
ipatests: remove xfail for test_ipa_migrate_version_option
The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1::
test_ipa_migrate_version_option is now passing, issue has been fixed.
The -V option has been removed.
Related: https://pagure.io/freeipa/issue/9620
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sudhir Menon <sumenon at redhat.com>
- - - - -
cf3a46cc by Florence Blanc-Renaud at 2024-07-18T17:14:55+02:00
ipatests: remove xfail for test_ipa_migrate_stage_mode
The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1
::test_ipa_migrate_stage_mode is now passing, the issue has been fixed.
Related: https://pagure.io/freeipa/issue/9621
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sudhir Menon <sumenon at redhat.com>
- - - - -
c40ce0e1 by Rob Crittenden at 2024-07-19T08:32:52-04:00
Fix a copy/paste issue when detecting the HSM SELinux subpackage
I made a mistake when trying to detect which HSM is being used
to ensure that the appropriate SELinux subpackage is installed.
Fixes: https://pagure.io/freeipa/issue/9636
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
708ef88a by N M at 2024-07-30T10:12:52+02:00
Translated using Weblate (Spanish)
Currently translated at 58.2% (2845 of 4881 strings)
Co-authored-by: N M <nm at users.noreply.translate.fedoraproject.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/es/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
acb87a8b by Florence Blanc-Renaud at 2024-07-30T16:04:53+02:00
spec file: do not use nodejs-22 on f39 and f40
Nodejs22 has been released on f39 and f40 and freeipa fails
to build with this version. Nodejs22 will be the default version
in f41+ and adds a symlink from /usr/bin/node-22 to /usr/bin/node
but on older fedora versions, the symlink is not created.
As our build is using /usr/bin/node command, it fails with
command not found.
Stick to Nodejs 20 on these older versions.
Fixes: https://pagure.io/freeipa/issue/9643
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4d075fdd by Mark Reynolds at 2024-07-31T18:13:53+02:00
ipa-migrate - properly handle invalid certificates
A ValueError is raised when an invalid certificate is used, so the tool
should handle this properly and not produce a stack trace.
Fixes: https://pagure.io/freeipa/issue/9642
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
202de166 by Rob Crittenden at 2024-07-31T18:33:29+02:00
Run HSM validation as pkiuser to verify token permissions
Run all commands as pkiuser when validating that the HSM token
is available, that the token library path is correct and that
the password can read keys. This will avoid issues where the
initial validation is ok but the pkiuser is not granted read
access to some part of the token. This is very possible
when using softhsm2.
Fixes: https://pagure.io/freeipa/issue/9626
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
fd5ce0ca by Rob Crittenden at 2024-07-31T18:46:34+02:00
ipatests: Fix usage of token_password_file
There were a few hardcoded places where it was set to
/tmp/token_passwd instead of using the class variable.
Don't rely on previous running tests installing the token
password file so they can be run individually.
Fixes: https://pagure.io/freeipa/issue/9603
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3b9ac93f by Alexander Bokovoy at 2024-07-31T18:49:36+02:00
ipalib/x509.py: support Cryptography 43
Cryptography 43 added two new abstract methods to Certificate class of
which we are using one, public_key_algorithm_oid.
Fixes: https://pagure.io/freeipa/issue/9641
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fc572880 by Alexander Bokovoy at 2024-07-31T18:49:36+02:00
ipalib/x509.py: get rid of unicode helper
Pylint started to complain that 'unicode' variable is accessed before
definition. This is clearly a bug in how 'six' and pylint are working
together.
Replace use of 'unicode()' by 'str()'.
Fixes: https://pagure.io/freeipa/issue/9644
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cb008bc9 by Alexander Bokovoy at 2024-07-31T18:49:36+02:00
ipalib/constants.py: factor out TripleDES use
Cryptography 43 started to warn that in version 48 it will remove
TripleDES support. Change the code to detect missing TripleDES algorithm
and do not fail.
Related: https://pagure.io/freeipa/issue/9641
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
af316dd6 by Alexander Bokovoy at 2024-07-31T18:49:36+02:00
Get rid of unicode and long helpers in ipa-otptoken-import
Related: https://pagure.io/freeipa/issue/9641
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3b21e191 by Florence Blanc-Renaud at 2024-07-31T16:23:42-04:00
Replica CA installation: ignore time skew during initial replication
During a replica CA installation, the initial replication step may fail
if there is too much time skew between the server and replica.
The replica installer already takes care of this for the replication of
the domain suffix but the replica CA installer does not set
nssldapd-ignore-time-skew to on for o=ipaca suffix.
During a replica CA installation, read the initial value of
nssldapd-ignore-time-skew, force it to on, start replication and
revert to the initial value.
Apply the same logic to dsinstance and ipa-replica-manage force-sync.
Fixes: https://pagure.io/freeipa/issue/9635
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1dc84ba7 by Rob Crittenden at 2024-08-05T09:32:34+02:00
Log errors reported by adtrustinstance.check_inst() using logger
It previously only printed the issue which made troubleshooting
after the fact difficult. Using logger.error() provides the same
visual functionality but also logs to the server install log.
Fixes: https://pagure.io/freeipa/issue/9637
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
64937571 by Rob Crittenden at 2024-08-05T09:34:17+02:00
Force a logout in KerberosSession if a login is needed
Remove the client side cookie if a user possesses an IPA session
cookie and the associated credentials can't be found on the
server.
This handles the case where the ccaches are removed for some reason
(maybe cleanup, maybe a container was restarted) and allows for
a successful SSO if the user's Kerberos ticket is still valid.
Without this change the user is always dropped into the
username/password dialog. The only workaround is to remove
the cookie on the client side.
Fixes: https://pagure.io/freeipa/issue/9624
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
bfefe531 by Florence Blanc-Renaud at 2024-08-05T21:22:48+02:00
ipatests: increase the timeout for test_hsm.py::TestHSMInstall
The test is often failing on timeout. Add 15min to the test
definitions.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
dd1bcd17 by Mohammad Rizwan at 2024-08-08T09:35:40+02:00
ipatests: Verify that SIDgen task continue even if it fails to assign sid
related: https://pagure.io/freeipa/issue/9618
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e8189933 by Sudhir Menon at 2024-08-08T14:46:21+02:00
ipatests: ipa-migrate tool with -Z option (CACERTFILE)
This patch add tests to check the scenarios associated with
pagure tickets
https://pagure.io/freeipa/issue/9642 - ipa-migrate - properly handle invalid certificates
https://pagure.io/freeipa/issue/9619 - ipa-migrate starttls does not work
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
bbc232e4 by Florence Blanc-Renaud at 2024-08-09T18:51:07+02:00
ipatests: skip HSM test if pki < 11.5.9
The test TestHSMNegative should be skipped if PKI is too old,
but its uninstall method does not check the PKI version.
Add a call to check_version in the class uninstall method.
Fixes: https://pagure.io/freeipa/issue/9648
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
88123ad2 by Florence Blanc-Renaud at 2024-08-14T12:05:58+02:00
trust-add: handle unavailable domain
When ipa trust-add fails to retrieve the remote domain information,
it exits with "an internal error has occurred".
Handle the case with a better error message.
Fixes: https://pagure.io/freeipa/issue/9488
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
995c4f35 by Florence Blanc-Renaud at 2024-08-14T13:38:15+02:00
HSM: fix the module name
During the server installation, the installer checks if the
SElinux policy module for the specific hardware is detected. The
current code mixed up SElinux policy module name and RPM
package name and resulted in a false warning that the module
was missing.
The module name is ipa-nfast or ipa-luna, not ipa-selinux-nfast
or ipa-selinux-luna.
The name is defined in the spec file as %{module}-nfast
and module=ipa.
Fixes: https://pagure.io/freeipa/issue/9636
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1ef33966 by Rob Crittenden at 2024-08-14T17:53:14+02:00
Correct usage of public_key_algorithm_oid in ipalib/x509
public_key_algorithm_oid is property of underlying Certificate object
that is not supposed to be callable. I missed that it contained
() at the end.
Fixes: https://pagure.io/freeipa/issue/9641
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2aa49424 by Rob Crittenden at 2024-08-14T17:53:14+02:00
Ignore TripleDES python-cryptography import warnings
TripleDES will be deprecated in python-cryptography 48.0.0. We
have code that uses it if it is available and otherwise ignores
it.
Because this gets imported in constants.py, this warning is prominent
pretty much everywhere. So let's ignore it since we already handle
the issue.
Related: https://pagure.io/freeipa/issue/9641
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
15de71ae by Rob Crittenden at 2024-08-15T10:10:34+02:00
Fix some resource leaks identified by a static analyzer
Fixes: https://pagure.io/freeipa/issue/9367
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
58c1fdd4 by Sudhir Menon at 2024-08-16T08:55:45+02:00
ipatests: Replace 'usermod -r' command with 'gpasswd -d' in test_hsm.py
Test 'test_hsm_negative_bad_token_dir_permissions'
was failing in RHEL because of the below error.
"ipa: ERROR: stderr: usermod: invalid option -- 'r'"
Hence replaced the usermod command with gpasswd, which does the same and
works on both RHEL and Fedora.
Ref: https://pagure.io/freeipa/issue/9626
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b56d4349 by Sudhir Menon at 2024-08-21T10:08:10+02:00
ipatests: Test to check that the configured value for "nsslapd-ignore-time-skew" remains on even after a "force-sync" is done
Related: https://pagure.io/freeipa/issue/9635
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b07f1d97 by Sudhir Menon at 2024-08-28T18:53:45+02:00
ipatests: Check Default PAC type is added to config
This patch checks that the default PAC type
is added to the configuration, i.e. ipaKrbAuthzData: MS-PAC,
during ipa-server installation.
The patch also checks that if 'ipaKrbAuthzData: MS-PAC'
attribute is deleted and then when we run 'ipa-server-upgrade'
command the attribute is added back.
Related: https://pagure.io/freeipa/issue/9632
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e98a8082 by Alexander Bokovoy at 2024-08-28T15:48:27-04:00
Remove NIS server support
RHEL 8.3+ already deprecated support for NIS protocol.
RHEL 9 does not ship NIS client side
RHEL 10 removes NIS server emulator support
Remove NIS server integration from the migration and
management tools.
Fixes: https://pagure.io/freeipa/issue/9363
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
2959c989 by Alexander Bokovoy at 2024-08-29T16:21:41+02:00
selinux: add all IPA log files to ipa_log_t file context
We have multiple log files that are produced by IPA components. Some of them
are written by the tools that run as root and inherit their file context
from /var/log -> var_log_t. However, increasingly we get tools that are
run through oddjob helpers. These are supposed to run within the ipa_helper_t
SELinux context, which has write permissions for the ipa_log_t file context.
Add all known log files from the base platform. The following script was
used to generate them:
$ git grep '_LOG = .*ipa.*\.log' ipaplatform/base/paths.py | cut -d= -f2 | \
xargs -I% echo -e "%\t--\tgen_context(system_u:object_r:ipa_log_t,s0)"
/var/log/ipabackup.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaclient-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaclient-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaclientsamba-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaclientsamba-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipareplica-ca-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipareplica-conncheck.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipareplica-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/iparestore.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-enable-sid.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-adtrust-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-dns-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-kra-install.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaserver-uninstall.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaupgrade.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipatrust-enable-agent.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipaepn.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipa-custodia.audit.log -- gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipa-migrate.log -- gen_context(system_u:object_r:ipa_log_t,s0)
ipa-custodia.audit.log was already in the present list.
Additionally, ipa-migrate-conflict.ldif is used by the ipa-migrate tool
but is not provided through the ipaplatform mechanism. It is added
explicitly.
Fixes: https://pagure.io/freeipa/issue/9654
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
01d90b4a by asharov at redhat.com at 2024-08-29T11:04:56-04:00
Add ipa-idrange-fix
ipa-idrange-fix is a tool for analysis of existing IPA ranges, users
and groups outside of those ranges, and functionality to propose
and apply remediations to make sure as many users and groups as
possible end up in the IPA-managed ranges.
Fixes: https://pagure.io/freeipa/issue/9612
Signed-off-by: Aleksandr Sharov <asharov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
90297c4c by Aleksandr Sharov at 2024-08-29T11:04:56-04:00
Add PR-CI definitions
Fixes: https://pagure.io/freeipa/issue/9612
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7808fc83 by Mark Reynolds at 2024-08-30T11:09:17+02:00
ipa-migrate - fix migration issues with entries using ipaUniqueId in the RDN
We need to handle these entries differently and specify what attribute
and search base to use to find the entry on the local server. Most
entries can use the "cn" attribute but for selinux usermaps we need to
search using the ipaOwner attribute which is a DN, and in turn requires
additional handling/converting in order to properly check if the usermap
exists or not.
Also fixed an issue where an attribute should be removed from the local
entry if it does not exist on the remote entry.
And fixed the handling of "sudoOrder" which is defined as multi-valued
in the schema, but we really need to treat it as single-valued.
Fixes: https://pagure.io/freeipa/issue/9640
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b9fc303e by Florence Blanc-Renaud at 2024-08-30T14:36:06+02:00
ipatests: Add missing comma in test_idrange_no_rid_bases_reversed
The test is calling ipa idrange-add but is missing a comma in
the arguments list.
The resulting call is using "--rid-base 100300000--secondary-rid-base".
Add the missing comma to build the command with
"--rid-base 100300000 --secondary-rid-base"
Fixes: https://pagure.io/freeipa/issue/9656
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d87dc829 by Erik Belko at 2024-09-03T10:35:34+02:00
ipatests: Update ipa-adtrust-install test
Update test_user_connects_smb_share_if_locked_specific_group with a wait
for SSSD to be online after the ipa-adtrust-install command.
Related: https://pagure.io/freeipa/issue/9655
Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2cb6e446 by Francisco Trivino at 2024-09-05T15:24:56+02:00
Installer: activate ssh service in sssd.conf
This commit enables SSSD's ssh service in ipa-client-install to ensure
sss_ssh_knownhosts and sss_ssh_knownhostsproxy function properly.
Fixes: https://pagure.io/freeipa/issue/9649
Related: https://pagure.io/freeipa/issue/9536
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b98b4a88 by Mark Reynolds at 2024-09-06T17:35:26+02:00
ipa-migrate - fix alternate entry search filter
Processing a filter like a DN can cause normalization issues that result
in an invalid filter. Make sure the filter is encapsulated with
parentheses and we call replace_suffix_value() instead of
replace_suffix().
Fixes: https://pagure.io/freeipa/issue/9658
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Fix typo in test
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ce673216 by Florence Blanc-Renaud at 2024-09-09T16:00:30+02:00
Custodia: in fips mode add -nomac or -nomacver to openssl pkcs12
In FIPS mode the command openssl pkcs12 fails unless the
export is called with -nomac and the import with -nomacver.
The command is used by custodia to export private keys from the
master and import them in the replica.
Fixes: https://pagure.io/freeipa/issue/9577
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
19651f8e by Florence Blanc-Renaud at 2024-09-13T14:25:06+02:00
azure tests: move to fedora 40
Fedora 39 is approaching its EOL (2024-11-12),
move azure tests to fedora 40
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a4a0a142 by Florence Blanc-Renaud at 2024-09-13T14:25:06+02:00
UnsafeIPAddress: pass flag=0 to IPNetwork
When parsing a string, the constructor tries to parse the value
as an IP Address first, or falls back to an IPNetwork with the
flags INET_PTON.
Use the flag 0 instead for an IPNetwork.
Fixes: https://pagure.io/freeipa/issue/9645
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
97718f68 by Florence Blanc-Renaud at 2024-09-13T14:25:06+02:00
azure pipeline: use latest version of DownloadPipelineArtifact task
update the task from v0 to v2
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
18d550a3 by Stanislav Levin at 2024-09-17T10:24:33+02:00
ipatests: make TestDuplicates teardowns order agnostic
Fixtures 'user4' and 'user5' track the same actual user 'tuser'.
If used together their teardowns can fail depending on the
order of execution.
With this change fixtures of TestDuplicates are simplified and
method-scoped.
Related: https://pagure.io/freeipa/issue/9571
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
2df2066a by Sam Morris at 2024-09-17T17:55:34+02:00
Fix a couple of instances of the "no-break control character" being used inadvertently
Fixes: https://pagure.io/freeipa/issue/9665
Signed-off-by: Sam Morris <sam at robots.org.uk>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
3203afcc by Florence Blanc-Renaud at 2024-09-20T16:39:51+02:00
ipatests: provide a ccache to rpcclient deletetrustdom
With samba update to samba-4.20.4, rpcclient now needs a
ccache otherwise it prompts for a password.
Fixes: https://pagure.io/freeipa/issue/9667
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c33e92d8 by Florence Blanc-Renaud at 2024-09-20T16:39:51+02:00
test_adtrust_install: add --use-krb5-ccache to smbclient command
With samba 4.20.4 the smbclient command needs a ccache otherwise it
prompts for a password.
Fixes: https://pagure.io/freeipa/issue/9666
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
273f68b7 by Rob Crittenden at 2024-10-03T13:17:53-04:00
Don't rely on removing the CA to uninstall the ACME deployment
There has always been a pki-server command acme-remove. We were
not aware that it should be called prior to removing a CA. In
11.5.0 this is strongly encouraged by the PKI team. In 11.6.0
ACME is treated as a full subsystem, so it will be removed in the
future using pkidestroy -s ACME.
The new class acmeinstance.ACMEInstance is introduced so its
uninstallation can be handled in a similar way as the other
PKI services via DogtagInstance. It is, right now, a pretty
thin wrapper.
We can discuss moving the ACME installation routines here at
some point. It would be ok as long as we don't have to introduce
another PKI restart as part of it.
In PKI 11.6.0 pkidestroy has new options to ensure a clean
uninstall: --remove-conf --remove-logs. Pass those options
into pkidestroy calls for 11.6.0+.
Clean up an additional IPA-generated file that needs to be
cleaned up during uninstall: /root/kracert.p12. 11.6.0 is
more sensitive to leftover files than previous versions.
Fixes: https://pagure.io/freeipa/issue/9673
Fixes: https://pagure.io/freeipa/issue/9674
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
26af2164 by Sudhir Menon at 2024-10-07T14:26:47-04:00
ipatests: Fixes for ipa-idrange-fix testsuite
This patch adds the line tasks.install_master(cls.master).
The kinit admin command fails with the below error as
IPA is not configured on the test system:
'ipa: ERROR: stderr: kinit: Configuration file does not specify default
realm when parsing name admin'
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d9c200aa by Yaakov Selkowitz at 2024-10-09T09:38:45+02:00
spec: Use nodejs22 on RHEL 10 and ELN
nodejs22 is now the default nodejs version in RHEL 10 as well as ELN.
Signed-off-by: Yaakov Selkowitz <yselkowi at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4ccde2ed by 김인수 at 2024-10-09T09:41:05+02:00
Translated using Weblate (Korean)
Currently translated at 19.0% (930 of 4881 strings)
Translated using Weblate (Korean)
Currently translated at 19.0% (930 of 4881 strings)
Co-authored-by: 김인수 <simmon at nplob.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
9ab6601c by Mark Reynolds at 2024-10-09T09:48:16+02:00
Do not let user with an expired OTP token to log in if only OTP is allowed
If only OTP authentication is allowed, and a user tries to log in with an
expired token, do not let them log in with their password, forcing the
admin to intervene. If the user does not have an OTP token then allow
them to log in with a password until an OTP token is configured.
Fixes: https://pagure.io/freeipa/issue/9387
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
- - - - -
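As an added illustration of the policy this commit message describes (not FreeIPA's own KDB code), the following constructed Python model resolves which authentication methods remain available to a user from their allowed auth types and OTP token state; the `User`/`OTPToken` names and the `not_after`/`disabled` fields are assumptions, and auth types are taken as already resolved (the global default having been applied).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional

# Constructed model of the "OTP only" login policy.  Names and fields here
# are illustrative assumptions, not FreeIPA's KDB implementation.

PASSWORD = "password"
OTP = "otp"


@dataclass
class OTPToken:
    """An OTP token with an optional validity window (hypothetical fields)."""
    name: str
    not_before: Optional[datetime] = None
    not_after: Optional[datetime] = None
    disabled: bool = False

    def is_usable(self, now: datetime) -> bool:
        """A token is usable only when enabled and inside its validity window."""
        if self.disabled:
            return False
        if self.not_before is not None and now < self.not_before:
            return False
        if self.not_after is not None and now > self.not_after:
            return False
        return True


@dataclass
class User:
    """A user with already-resolved allowed auth types and assigned tokens."""
    uid: str
    auth_types: FrozenSet[str]
    tokens: List[OTPToken] = field(default_factory=list)


def allowed_methods(user: User, now: datetime) -> FrozenSet[str]:
    """Return the methods the user may authenticate with right now.

    - "password" explicitly allowed: password login is always available.
    - "otp" allowed and a usable token exists: OTP login is available.
    - "otp" is the only allowed type and the user has NO token: fall back
      to password until a token is configured.
    - "otp" is the only allowed type and every token is expired/disabled:
      nothing is available; an administrator must intervene.
    """
    methods = set()
    if PASSWORD in user.auth_types:
        methods.add(PASSWORD)
    if OTP in user.auth_types:
        if any(t.is_usable(now) for t in user.tokens):
            methods.add(OTP)
        elif not user.tokens:
            # No token configured at all: password is the bootstrap path.
            methods.add(PASSWORD)
        # Tokens exist but none is usable: deliberately add nothing.
    return frozenset(methods)


def login_permitted(user: User, method: str, now: datetime) -> bool:
    """True when the requested method is currently allowed for the user."""
    return method in allowed_methods(user, now)


def demo() -> dict:
    """Evaluate the policy over constructed users; returns sorted method lists."""
    now = datetime(2024, 10, 9, 9, 48, tzinfo=timezone.utc)  # constructed clock
    expired = OTPToken("tok-old", not_after=now - timedelta(days=1))
    valid = OTPToken("tok-new", not_after=now + timedelta(days=30))
    cases = {
        "otp_only_no_token": User("alice", frozenset({OTP})),
        "otp_only_expired": User("bob", frozenset({OTP}), [expired]),
        "otp_only_valid": User("carol", frozenset({OTP}), [valid]),
        "otp_only_mixed": User("dave", frozenset({OTP}), [expired, valid]),
        "otp_and_password_expired": User(
            "erin", frozenset({OTP, PASSWORD}), [expired]),
    }
    return {name: sorted(allowed_methods(u, now)) for name, u in cases.items()}


if __name__ == "__main__":
    for name, methods in demo().items():
        print(f"{name:26s} -> {methods or ['<denied: admin must intervene>']}")
```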
df8cdb06 by Florence Blanc-Renaud at 2024-10-09T11:25:00+02:00
Nightly test definition: use master_1repl topology for idrange_fix
The test test_ipa_idrange_fix is installing IPA server as it sets
topology=line. Its test definition should not use a template
that pre-installs the IPA server (ipaserver preinstalls IPA server
but master_1repl does not).
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sudhir Menon <sumenon at redhat.com>
- - - - -
929dc568 by Florence Blanc-Renaud at 2024-10-09T15:50:40+02:00
test_ipahealthcheck: skip connectivity_and_data check
PKI removed the clones.check connectivity_and_data check in
11.5 and master branches. Skip the test depending on PKI version.
The most recent version on 11.5 is 11.5.4 and still contains the check,
hence skipping if version >= 11.5.5.
Fixes: https://pagure.io/freeipa/issue/9668
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c37f4d09 by Sudhir Menon at 2024-10-10T09:41:00+02:00
ipatests: Activate ssh in sssd.conf
This testcase checks that services: ssh
is included in the sssd.conf file when
ipa-client-install is successful.
Ref: https://pagure.io/freeipa/issue/9649
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c775de3c by Alexander Bokovoy at 2024-10-10T10:30:58+02:00
selinux: allow Cockpit to use HTTP keytab on IPA servers
Cockpit can use GSSAPI authentication and has a pretty good description of
how to enable it: https://cockpit-project.org/guide/latest/sso.html.
These instructions work on IPA clients but they cannot be used on IPA
servers because IPA framework already owns HTTP/.. Kerberos service and
its keytab.
Luckily, there are two changes that need to be done to enable Cockpit
single sign-on with GSSAPI on IPA servers:
- create a symlink /etc/cockpit/krb5.keytab to
/var/lib/ipa/gssproxy/http.keytab
- add SELinux policy to allow cockpit_session_t to operate on
/var/lib/ipa/gssproxy/http.keytab file
For existing installations an upgrade process would restore the SELinux
context of the http.keytab file to the new value.
Note that Cockpit documentation above also talks about Kerberos service
modifications to enable delegation. These modifications should not be
done for IPA servers' HTTP services, as these services are already
enabled to handle delegation.
Fixes: https://pagure.io/freeipa/issue/9675
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4519c2fd by Alexander Bokovoy at 2024-10-10T10:30:58+02:00
Minimal test for Cockpit integration on IPA master
Add a test to share HTTP service keytab on IPA master between IPA and
Cockpit. The test configures Cockpit with IPA CA-issued certificate and
allows Cockpit to access IPA HTTP service keytab for authentication.
The test then attempts to authenticate with GSSAPI as admin user. A
successful result is when we receive CSRF token from the Cockpit as
the result of this authentication. This means we have logged in
successfully with Kerberos.
Fixes: https://pagure.io/freeipa/issue/9675
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c4f3d903 by Alexander Bokovoy at 2024-10-10T10:30:58+02:00
Extend nightly tests with Cockpit test
Fixes: https://pagure.io/freeipa/issue/9675
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a2d498e0 by Mohammad Rizwan at 2024-10-14T21:02:29-04:00
ipatests: refactor password file handling in TestHSMInstall
When the token and associated certs are not being cleaned
up properly, the subsequent installation fails. Hence the
password-file-related scenarios are moved out to a new test class
so that it has a fresh installation.
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
f3ec6ae8 by Ian Brown at 2024-10-14T22:02:07-04:00
Replace instances of del os.environ with os.environ.pop
Fixes: https://pagure.io/freeipa/issue/9450
Signed-off-by: Ian Brown <ian.brown at templeandwebster.com.au>
Signed-off-by: Ian Brown <ianbrown78 at gmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
35fc1470 by Florence Blanc-Renaud at 2024-10-15T15:10:39-04:00
ipa-migrate man page: fix typos and errors
The ipa-migrate man page mentions the non-existent option --hostname.
Fix the SYNOPSIS and various typos.
Fixes: https://pagure.io/freeipa/issue/9681
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mark Reynolds <mreynolds at redhat.com>
- - - - -
e1f96ffc by Sudhir Menon at 2024-10-15T15:12:17-04:00
ipatests: Test for ipa hbac rule duplication
This test checks that ipa-migrate is not creating duplicate default hbac rules
for allow_all and allow_systemd-user rules.
Related: https://pagure.io/freeipa/issue/9640
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
163bf355 by Madhuri Upadhye at 2024-10-18T11:42:47+02:00
ipatests: 2FA test cases
Added the following:
Added the 'ssh_2fa_with_cmd' method for authentication,
as sending '\n' with paramiko did not work. In a test case
one needs to just press `Enter` for the `second factor`.
The advantage of the above function is not having a paramiko
dependency.
We can run any command in the same session after
authentication of the user.
Test cases:
1. Authenticate the user only with a password,
just press enter at `Second factor` and check the tgt after auth,
when User authentication types: otp, password
2. Authenticate the user with password and otp values and
check the tgt of the user after auth when
User authentication types: otp, password
related: https://github.com/SSSD/sssd/pull/7500
Signed-off-by: Madhuri Upadhye <mupadhye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
1f595426 by Mark Reynolds at 2024-10-23T13:36:15-04:00
ipa-migrate - dryrun write updates crashes when removing values
When removing values the mod value list is None and that leads to a
crash when trying to iterate it. Instead check that the vals are not
None before looping.
Fixes: https://pagure.io/freeipa/issue/9682
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
67441226 by Alexander Bokovoy at 2024-10-23T13:37:21-04:00
web ui: Add explicit white border for QR code widget
There was a discussion in ticket 9202 about how to do that, and the simplest
way is to force a border via CSS. We have a CSS rule specifically for the QR code
widget, so use it.
A default view is white, so the border will not be visible (white on
white) but for dark backgrounds the border will be there clearly
visible.
Fixes: https://pagure.io/freeipa/issue/9202
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
0abfb20c by Mark Reynolds at 2024-10-23T13:38:24-04:00
ipa-migrate should migrate dns forward zones
Fixes: https://pagure.io/freeipa/issue/9686
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
48479d40 by Rob Crittenden at 2024-10-25T13:12:40+02:00
Small fixup to determine which ACME uninstaller to use
The conditional was <= 11.5.0 but it should have been
< 11.6.0 to allow for small updates to the 11.5.0 branch.
Fixes: https://pagure.io/freeipa/issue/9673
Fixes: https://pagure.io/freeipa/issue/9674
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c100b1a2 by Alexander Bokovoy at 2024-10-31T07:07:45+01:00
vault: handle pyca InternalError exception for PKCS#1 v1.5 padding
In FIPS mode one cannot use PKCS#1 v1.5 padding. OpenSSL did remove it
from the FIPS provider and will report an error that PyCA cannot
process, so it will raise its own InternalException.
Handle it the same way as ValueError.
Fixes: https://pagure.io/freeipa/issue/9689
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
817d8849 by Anuja More at 2024-10-31T15:29:28+05:30
ipatests: Update ipatests to test topology with multiple domain.
Added changes in ipatests so that ipa server-replica-client
can be installed with two domains: ipa.test and trustedipa.test
Related: https://pagure.io/freeipa/issue/9657
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
07f33365 by Sudhir Menon at 2024-10-31T14:45:35+01:00
ipatests: Tests for ipa-migrate tool
This patch includes tests to cover the below scenarios:
1. hbac and sudo rules are migrated to local server
2. uid for user migrated varies in stage/prod mode.
3. subids are migrated to local server
4. idranges are migrated to local server
5. vaults are not migrated to local server.
6. Ensure trust related data is also migrated to local server
7. Added paths.IPA_MIGRATE_LOG in ipatests/pytest_ipa/integration/__init__.py
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e8ed1d70 by Sudhir Menon at 2024-10-31T14:45:35+01:00
ipatests: Updated nightly definitions for ipa-ipa-migration
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
1a47d3a9 by Florence Blanc-Renaud at 2024-11-05T11:23:32-05:00
Tests: migrate to f40/f41
Now that fedora 41 is available and fedora 39 is approaching EOL,
adjust the test pipelines:
- fedora-previous now refers to f40
- fedora-latest now refers to f41
Gating tests will now run on fedora 41.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
2f1ca6db by Florence Blanc-Renaud at 2024-11-07T08:36:41+01:00
Nightly test def: fix topology for test_IPAMigrateADTrust
The test needs topology: *ad_master_1repl_1client
instead of topology: *master_1repl_1client
because it requires an AD server.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sudhir Menon <sumenon at redhat.com>
- - - - -
13281e78 by Carla Martinez at 2024-11-07T08:40:05+01:00
Fix: 'Organization' field in Okta not required
Although the 'Organization' field is not required
when using the Okta template, the WebUI requires it
in order to create a new IDP. If this is not provided,
an error is shown.
Fixes: https://pagure.io/freeipa/issue/9687
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
411b29db by Florence Blanc-Renaud at 2024-11-15T10:37:15+01:00
ipatests: install master with allow-zone-overlap
In the IPA to IPA migration tests, install the destination master
with --setup-dns --allow-zone-overlap to allow installation
even if the zone is already served by the source master.
Fixes: https://pagure.io/freeipa/issue/9697
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sudhir Menon <sumenon at redhat.com>
- - - - -
aa81bd25 by Alexander Bokovoy at 2024-11-21T10:01:27+01:00
ipaserver/dcerpc: support Samba 4.21
Samba 4.21 moved samba.trust_utils module to samba.lsa_utils.
Fixes: https://pagure.io/freeipa/issue/9702
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
286b7caf by Dmytro Markevych at 2024-11-22T16:28:14+01:00
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (4881 of 4881 strings)
Translated using Weblate (Ukrainian)
Currently translated at 99.8% (4876 of 4881 strings)
Translated using Weblate (Ukrainian)
Currently translated at 99.7% (4871 of 4881 strings)
Translated using Weblate (Ukrainian)
Currently translated at 99.7% (4867 of 4881 strings)
Translated using Weblate (Ukrainian)
Currently translated at 99.6% (4866 of 4881 strings)
Translated using Weblate (Ukrainian)
Currently translated at 99.5% (4861 of 4881 strings)
Co-authored-by: Dmytro Markevych <hotr1pak at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
30fee9cb by Yuri Chornoivan at 2024-11-22T16:28:14+01:00
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (4881 of 4881 strings)
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (4881 of 4881 strings)
Translated using Weblate (Ukrainian)
Currently translated at 99.8% (4876 of 4881 strings)
Translated using Weblate (Ukrainian)
Currently translated at 99.6% (4866 of 4881 strings)
Co-authored-by: Yuri Chornoivan <yurchor at ukr.net>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/uk/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3777d2b0 by Rob Crittenden at 2024-11-22T16:30:48+01:00
Change default to RSN when 389-ds uses the mdb backend
The lmdb performance for VLV indexes is not great so the PKI
team recommended we switch from sequential serial numbers to
Random Serial Numbers (RSN).
The first time a non-bdb backend (future-proofing) is installed
then the replication RSN configuration value is stored. All future
replica installs will use RSN.
We have no way of enforcing ONLY to have RSN across a topology
so it will be up to administrators to retire any sequential CAs.
Fixes: https://pagure.io/freeipa/issue/9661
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
ed70380c by Rob Crittenden at 2024-11-22T16:30:48+01:00
ipatests: Test that when lmdb is available, enable RSN
Related: https://pagure.io/freeipa/issue/9661
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
9248e2df by Rob Crittenden at 2024-11-22T16:30:48+01:00
Add RSN-by-default test to nightly builds
Related: https://pagure.io/freeipa/issue/9661
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
2cd2b8fe by Rob Crittenden at 2024-11-22T16:30:48+01:00
Set required version of 389-ds for VLV fix on F40/41
Require builds that contain the fixes for VLV handling in
https://bugzilla.redhat.com/show_bug.cgi?id=2317851
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
6f304bac by Rob Crittenden at 2024-11-22T16:30:48+01:00
Enable pruning when Random Serial Numbers are enabled
When using short-lived certs (ACME) along with normal certificate
issuance the expired certs can build over time in the PKI database.
This can cause issues with replication, performance and overall
database size.
Random Serial Numbers v3 (RSNv3) is mandatory to enable pruning
so if we have it enabled then enable pruning to avoid future issues.
Related: https://pagure.io/freeipa/issue/9661
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
0eafb031 by Rob Crittenden at 2024-11-22T16:30:48+01:00
Don't drop certificates in cert-find if the LWCA was removed
The cert-find command wants to return the IPA CA name of the
issued certificates. If the CA was removed then the certificate
is skipped in the output. This basically black holes any certificates
issued by the LWCA.
It is also breaking the cert_find tests with RSNv3 enabled at
times depending on the certificate order returned. Some of them
may be certificates issued by a now-deleted CA.
This was discovered in test_xmlrpc/test_cert.py with the
cert-find tests where the expected number of certificates wasn't
returned. This is because ra.find() retrieved exactly 10 certificates
and then some were removed when trying to identify the CA.
Related: https://pagure.io/freeipa/issue/9661
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
fd222273 by Florence Blanc-Renaud at 2024-11-27T09:26:41+01:00
ipatests: pruning is enabled by default with LMDB
The test test_acme.py::TestACMEPrune::test_enable_pruning expects
certificate pruning to be disabled by default. That assumption
is valid only if the backend is BDB (if the backend is LMDB,
RSNv3 + cert pruning are enabled by default).
Update the test to be consistent with the new defaults.
Fixes: https://pagure.io/freeipa/issue/9706
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c8befc9f by Florence Blanc-Renaud at 2024-11-27T09:31:24+01:00
webuitests: adapt to Random Serial Numbers
The webui tests were written for sequential serial numbers
and expect the certs to be issued with low serial numbers.
Adapt to Random Serial Numbers.
Fixes: https://pagure.io/freeipa/issue/9707
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b20c3fb6 by Florence Blanc-Renaud at 2024-11-29T17:28:18+01:00
readthedocs: install crypto 43.0.0
If crypto 44.0.0 is installed, readthedocs build fails
with:
TypeError: type 'cryptography.hazmat.bindings._rust.x509.Certificate'
is not an acceptable base type
Force installation of cryptography < 44.0.0
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
6ce87f09 by Andi Chandler at 2024-12-02T08:31:55+01:00
Translated using Weblate (English (United Kingdom))
Currently translated at 0.2% (11 of 4881 strings)
Co-authored-by: Andi Chandler <andi at gowling.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/en_GB/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
65ed1aa1 by Rob Crittenden at 2024-12-03T14:15:58-05:00
Allow looking up constants.Group by gid in addition to name
This adds flexibility so we can look up groups by both gid and
by name in order to have a more consistent API for management.
Related: https://pagure.io/freeipa/issue/9709
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
efadc564 by Rob Crittenden at 2024-12-03T14:15:58-05:00
Pass all pkiuser groups as supplementary when validating an HSM
We were doing a "best effort" when validating the HSM token is
visible with a valid PIN when it came to groups. A specific
workaround was added for softhsm2 but this didn't carry over
to other HSMs that may have group-specific read/write access.
Use the new capability in ipaplatform.constants.py::Group to be
able to generate a valid entry from a group GID. Pair this
with os.getgrouplist() and all groups will be passed correctly
via ipautil.run().
Fixes: https://pagure.io/freeipa/issue/9709
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
8a8b8a76 by Alexander Bokovoy at 2024-12-04T09:50:44+01:00
Revert "readthedocs: install crypto 43.0.0"
This reverts commit b20c3fb60558b538ef13e0e0fe89ae361d529553.
As we support PyCA 44.0.0, no need to prevent its installation anymore.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a47475f3 by Alexander Bokovoy at 2024-12-04T09:50:44+01:00
ipalib/x509: support PyCA 44.0
PyCA made x509.Certificate class concrete, it cannot be extended anymore
by Python code. The intent is to use helper functions to instantiate
certificate objects and never create them directly.
FreeIPA wraps PyCA's x509.Certificate class and provides own shim
on top of it. In most cases we load the certificate content via the
helper functions and don't really need to derive from the certificate
class.
Move IPACertificate to be a normal Python object class that stores
x509.Certificate internally. The only place where this breaks is when
IPACertificate object needs to be passed to a code that expects
x509.Certificate (Dogtag PKI). In such cases, expose the underlying
certificate instance via IPACertificate.cert property.
Fixes: https://pagure.io/freeipa/issue/9708
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
bc31c270 by Stanislav Levin at 2024-12-04T09:50:44+01:00
pyca: adapt import paths for TripleDES cipher
https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.TripleDES
> This algorithm has been deprecated and moved to the Decrepit
cryptography module. If you need to continue using it then update your
code to use the new module path. It will be removed from this namespace
in 48.0.0.
Fixes: https://pagure.io/freeipa/issue/9708
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
60f9bd04 by Alexander Bokovoy at 2024-12-04T12:11:22-05:00
ipa-pwd-extop: clarify OTP use over LDAP binds
OTP use during LDAP bind can be enforced either explicitly via client
specifying a control with OID 2.16.840.1.113730.3.8.10.7 and no payload
or implicitly through the global IPA configuration with EnforceLDAPOTP.
OTP token enforcement overrides IPA user authentication types
requirements:
If OTP enforcement is required:
- if user authentication types still allow password authentication,
authentication with just a password is denied, regardless whether OTP
tokens are associated with the user or not.
If OTP enforcement is not required:
- if user has no OTP tokens but user authentication types require OTP
use, authentication with just a password is allowed until a token is
added.
- if user has OTP tokens and user authentication types require OTP use
but not password, authentication with just a password is denied.
Additionally, enforcement of OTP only applies to LDAP objects which
don't use 'simpleSecurityObject' objectclass. This allows system service
accounts to continue to authenticate with a password regardless of the
OTP enforcement.
Fixes: https://pagure.io/freeipa/issue/9699
Fixes: https://pagure.io/freeipa/issue/9711
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
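The bind rules in the commit message above, as an added worked example (not FreeIPA's ipa-pwd-extop code): a small Python model of the decision, so that an administrator can check which combination of enforcement control, authentication types and enrolled tokens leads to a password-only bind being denied. `BindSubject` and the function names are constructed for this example; the OID and the `EnforceLDAPOTP` setting are the ones named above.

```python
from dataclasses import dataclass, field

# Authentication type labels as used in IPA's ipaUserAuthType attribute.
PASSWORD = "password"
OTP = "otp"


@dataclass
class BindSubject:
    """Constructed model of the entry performing an LDAP simple bind.

    auth_types holds the effective authentication types after global
    defaults have been applied (an empty set here means "password allowed").
    """
    auth_types: set = field(default_factory=set)
    has_otp_tokens: bool = False
    is_simple_security_object: bool = False


def password_only_bind_allowed(subject, otp_enforced):
    """Return True when a bind that presents only a password must be accepted.

    otp_enforced is True if the client sent the control with OID
    2.16.840.1.113730.3.8.10.7 (no payload) or EnforceLDAPOTP is set globally.
    """
    # Enforcement never applies to simpleSecurityObject entries, so system
    # service accounts keep authenticating with a plain password.
    if subject.is_simple_security_object:
        return True

    if otp_enforced:
        # Enforcement overrides the user's auth types: a password alone is
        # denied whether or not the user owns any OTP token.
        return False

    requires_otp = OTP in subject.auth_types
    allows_password = PASSWORD in subject.auth_types or not subject.auth_types

    if requires_otp and not allows_password:
        # OTP required and password not permitted: the password-only bind is
        # tolerated only until the user's first token is enrolled.
        return not subject.has_otp_tokens

    # Password is an allowed type, or there is no OTP requirement at all.
    return True


def explain(subject, otp_enforced):
    """Human-readable verdict, useful when reviewing a failed bind."""
    verdict = "allowed" if password_only_bind_allowed(subject, otp_enforced) else "denied"
    return (f"password-only bind {verdict} (enforced={otp_enforced}, "
            f"auth_types={sorted(subject.auth_types)}, "
            f"tokens={subject.has_otp_tokens}, "
            f"service_account={subject.is_simple_security_object})")
```

The practical consequence for operators: once enforcement is on, a user whose auth type still says "password" is locked out of password-only binds even before a token exists, so token enrollment has to precede turning on EnforceLDAPOTP.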
e184864a by Stanislav Levin at 2024-12-09T09:23:58+01:00
adtrust: add missing ipaAllowedOperations objectclass
Per @abbra explanation:
> When expected Kerberos principal names for this object were flipped to
follow requirements for cross-realm krbtgt objects expected by Active
Directory, trusted object changed its canonical Kerberos principal name.
The keytab for this Kerberos principal name is fetched by SSSD and it
needs to be permitted to read the key. We added the virtual permission
to allow the keytab retrieval but didn't add the objectclass that
actually allows adding an LDAP attribute to express the permission. When
an attribute is added to an LDAP object, objectclasses of the object
must allow presence of that attribute.
This is the followup to #9471 and fixes the upgrade.
Thanks @abbra!
Related: https://pagure.io/freeipa/issue/9471
Fixes: https://pagure.io/freeipa/issue/9712
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b9d7137d by Florence Blanc-Renaud at 2024-12-09T12:42:38+01:00
Fix copr build
With fedora41 and rpm 4.20, the copr build does not work anymore.
- rpm 4.20 introduces a change in %autopatch.
The command now issues a warning if there is no patch to apply.
This makes "dnf builddep" crash. The warning can be silenced
with the "-q" option.
- dnf builddep produces non-utf8 characters (for instance
when installing logrotate, the output of the scriptlet is
printed in color). rpm-coprbuild fails to decode the output
and exits on error.
To avoid this failure, redirect the output to a file.
- dnf5 does not recognize the options --skip-broken and --spec.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
1a9ee0d8 by Sudhir Menon at 2024-12-10T16:10:06+01:00
Fix the typo in ipa_migrate_constants.
ipa-migrate.log displays Privileges migrated as Privledges
due to typo in labelling i.e. 'label': 'Privledges'
Hence changed that to 'label': 'Privileges'
---- LOG FILE ----
INFO - Privledges: 3
------------------
Fixes: https://pagure.io/freeipa/issue/9715
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
03ba8d42 by Sudhir Menon at 2024-12-12T16:06:16+01:00
ipatests: Fixes for ipa-ipa-migration tool
The test test_ipa_migrate_with_invalid_host has been
failing in downstream run due to mismatch in the expected test output,
hence the assert statement has been modified.
Related: https://pagure.io/freeipa/issue/3656
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ab82b3d8 by Jonathan Steffan at 2024-12-16T14:20:10+01:00
workshop: Increase RAM for VMs to Avoid OOM
- Update all VMs to have 2GB of RAM
Fixes: https://pagure.io/freeipa/issue/9720
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
05a6e52d by Ricky Tigg at 2024-12-20T15:33:40+01:00
Translated using Weblate (Finnish)
Currently translated at 17.9% (876 of 4881 strings)
Co-authored-by: Ricky Tigg <ricky.tigg at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3a5ce9cb by Weblate Translation Memory at 2024-12-20T15:33:40+01:00
Translated using Weblate (Finnish)
Currently translated at 17.9% (876 of 4881 strings)
Co-authored-by: Weblate Translation Memory <noreply-mt-weblate-translation-memory at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
76dfadd9 by Florence Blanc-Renaud at 2025-01-02T13:27:04-05:00
Installation test: KRA on replica after cert renewal
Add a new test installing the KRA on a replica after the
KRA certs have been renewed on the master.
Related: https://pagure.io/freeipa/issue/9692
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
10c3464e by Florence Blanc-Renaud at 2025-01-02T13:27:04-05:00
KRA cert renewal: update ca.connector.KRA.transportCert
After the KRA transport cert has been renewed, the value
of ca.connector.KRA.transportCert must also be updated in
/etc/pki/pki-tomcat/ca/CS.cfg.
Otherwise replica installation with KRA fails.
Fixes: https://pagure.io/freeipa/issue/9692
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1e5eb442 by Florence Blanc-Renaud at 2025-01-03T08:11:16-05:00
Dogtag instance: add method to create temp password file
The temp password file contains the password for the internal
token as well as the password for HSM (if any).
Related: https://pagure.io/freeipa/issue/9705
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7ec0cb4c by Florence Blanc-Renaud at 2025-01-03T08:11:16-05:00
Cert renewal: update the trust flags for audit cert
When certmonger renews the auditSigningCert for the CA
or the KRA, it has to add the P trust flag to the NSS
database in /etc/pki/pki-tomcat/alias.
If IPA is installed in FIPS mode with an HSM, the
certutil commands must be provided a password file
containing both the internal token password and the
HSM password, and the cert name must be prefixed
with the tokenname (otherwise certutil -M succeeds
but does not update the trust flags).
Fixes: https://pagure.io/freeipa/issue/9705
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4146d77d by Florence Blanc-Renaud at 2025-01-03T08:11:16-05:00
Temp commit: move to fedora 41
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e13be8a7 by Florence Blanc-Renaud at 2025-01-07T16:31:13+01:00
ipatests: certbot removed the --manual-public-ip-logging-ok parameter
The certbot CLI has deprecated the parameter --manual-public-ip-logging-ok
and finally removed it from certbot 3.0.
The test test_acme.py is using this parameter and fails in rawhide.
Do not use this parameter any more.
Fixes: https://pagure.io/freeipa/issue/9724
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4776a8ba by Rob Crittenden at 2025-01-08T15:59:59+01:00
Add 30-second timeout for certmonger request/start tracking
certmonger needs to validate that the PIN/password and/or token
are valid and available. In the case of a very slow HSM this can
take longer than the 5-second default timeout.
We saw an HSM that took 18 seconds to start tracking the CA signing
certificate so default to 30 to be safe.
Fixes: https://pagure.io/freeipa/issue/9725
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
ba298501 by Ricky Tigg at 2025-01-14T15:02:51+01:00
Translated using Weblate (Finnish)
Currently translated at 19.9% (976 of 4881 strings)
Translated using Weblate (Finnish)
Currently translated at 18.4% (900 of 4881 strings)
Co-authored-by: Ricky Tigg <ricky.tigg at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ba720b92 by Alexander Bokovoy at 2025-01-15T12:18:46+01:00
Unify use of option parsers
Do not use direct optparse references, instead import IPAOptionParser
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
0591de36 by Alexander Bokovoy at 2025-01-15T12:18:46+01:00
ipa tools: remove sensitive material from the commandline
When command line tools accept passwords, remove them from the command
line so that they don't get visible in '/proc/pid/commandline'.
There is no common method to access the original ARGV vector and modify
it from Python. Since this mostly affects Linux systems where IPA
services run, we expect use of GNU libc and thus can rely on internal
glibc symbols. If they aren't available, the code will skip removing
passwords.
Fixes: CVE-2024-11029
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bd844036 by Sumit Bose at 2025-01-15T12:18:47+01:00
ipa-otpd: use oidc_child's --client-secret-stdin option
To remove the client secret from the command line where it would be
visible e.g. when calling ps it is now passed via stdin to oidc_child.
Fixes: CVE-2024-11029
Signed-off-by: Sumit Bose <sbose at redhat.com>
- - - - -
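The two commits above (0591de36 and bd844036) are about the same exposure: anything placed on a process's command line is readable by every local user through ps or /proc. As an added illustration, not code from FreeIPA, ipa-otpd or oidc_child, the following Python runs a constructed stand-in child both ways and shows that only the stdin variant keeps the secret out of argv; it also applies the empty-secret rule from commit f12c4ed6 later in this push. The child program and option names are made up for the example.

```python
import subprocess
import sys

# Stand-in for a helper such as oidc_child, constructed for this example: it
# echoes what is visible on its command line and, when told to, reads the
# secret from stdin.
CHILD_SOURCE = r"""
import sys
args = sys.argv[1:]
secret = ""
if "--client-secret-stdin" in args:
    secret = sys.stdin.readline().rstrip("\n")
for arg in args:
    if arg.startswith("--client-secret="):
        secret = arg.split("=", 1)[1]
print(" ".join(args))
print(secret)
"""


def _run_child(args, stdin_data=""):
    """Run the child and return (its visible command line, the secret it got)."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_SOURCE] + args,
        input=stdin_data,        # "" closes stdin immediately when nothing is sent
        capture_output=True,
        text=True,
        check=True,
    )
    lines = proc.stdout.split("\n")
    return lines[0], lines[1]


def run_with_secret_on_argv(secret):
    """Weak pattern: the secret is an argv element, visible to anyone who can
    list processes (ps, /proc/<pid>/cmdline)."""
    return _run_child(["--client-id=demo", f"--client-secret={secret}"])


def run_with_secret_on_stdin(secret):
    """Fixed pattern: argv only carries a flag; the secret travels over a pipe.

    An empty secret means a public OIDC client: neither the flag nor any
    stdin payload is sent, so the child never blocks on a read.
    """
    if not secret:
        return _run_child(["--client-id=demo"])
    return _run_child(["--client-id=demo", "--client-secret-stdin"],
                      stdin_data=secret + "\n")
```

Passing the secret over stdin (or a file descriptor) is the portable fix; scrubbing argv after the fact, as the Python tools commit does via glibc internals, is a mitigation for the window between exec and the scrub, not a substitute for keeping secrets off the command line in the first place.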
31338fea by Florence Blanc-Renaud at 2025-01-15T18:36:25-03:00
Fix pylint issue in ipatests/i18n.py
This file should not import ipa modules
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
6e26b060 by Florence Blanc-Renaud at 2025-01-16T13:41:35-05:00
ipatests: force the version for uninstall/reinstall
The backup-restore tests ensure that ipa-restore complains if
a required package is missing. The test scenario removes the
ipa-server-dns package, tries a restore (expecting a failure),
then reinstall the ipa-server-dns pkg and retry the restore
(expecting a success).
The issue is that reinstallation sometimes pulls a more recent
version and ipa-restore fails because of the version mismatch.
Ensure the reinstallation pulls the same version.
Fixes: https://pagure.io/freeipa/issue/9723
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3863043f by Florence Blanc-Renaud at 2025-01-17T09:22:41+01:00
Nightly tests: add test_ipahealthcheck to 389ds pipeline
Add the test to the list of nightlies run against 389ds.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1d93e486 by Florence Blanc-Renaud at 2025-01-17T09:22:41+01:00
ipatests: skip test_ipahealthcheck_ds_configcheck for recent versions
389-ds removed the parameter nsslapd-logging-hr-timestamps-enabled
in 2.5.3 and above. Skip the test that exercises the corresponding
healthcheck.
Fixes: https://pagure.io/freeipa/issue/9730
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6f475294 by Florence Blanc-Renaud at 2025-01-17T09:22:41+01:00
ipatests: restart dirsrv after time jumps
The test for ipa-healthcheck is moving the date in the future.
Restart the dirsrv instance because the LDAP server is
sensitive to large time jumps.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f12c4ed6 by Alexander Bokovoy at 2025-01-21T17:23:13+01:00
ipa-otpd: do not pass OIDC client secret if there is none to pass
If there is no client secret specified for the OIDC client, don't push
it to oidc_child via stdin. oidc_child does only expect client secret if
--client-secret-stdin option was specified and we already specify it
only if client secret is not empty.
In addition, if client secret is empty (it is a public OIDC client),
then strlen(NULL) would crash in glibc internals. Avoid that!
Fixes: https://pagure.io/freeipa/issue/9734
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4e43dd7c by Alexander Bokovoy at 2025-01-21T17:23:13+01:00
Migrate Keycloak tests to JDK 21 and Keycloak 26
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
92ca7c63 by Alexander Bokovoy at 2025-01-21T17:23:13+01:00
Reintroduce test_idp to gating tests
test_idp should complete in ~27 minutes.
Related: https://pagure.io/freeipa/issue/9734
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c5300a31 by Rob Crittenden at 2025-01-27T08:31:49+01:00
Apply certmonger_timeout to start_tracking and request_cert
We've seen that with some slow HSMs and the default DBus timeout
the HSM doesn't respond quickly enough to certmonger start
tracking requests, which fails the entire installation.
A first attempt was made to bump up the default to 30 seconds
which turned out to not be long enough.
There is already a certmonger timeout defined in the API but it
is 300 seconds so I was hesitant to use it. It could delay the
actual failure of a blown install by 5 minutes. But it also gives
the end user the flexibility to be able to control success over
an installation so we'll go ahead and use it.
Fixes: https://pagure.io/freeipa/issue/9725
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3cd3d175 by Francisco Trivino at 2025-01-30T13:21:20-05:00
ipatests: increase delays for WebUI host test
Previously, it waited 0.5 seconds before checking if the record was present,
but this delay was often insufficient, causing intermittent failures.
Fixes: https://pagure.io/freeipa/issue/9721
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
66335486 by Rob Crittenden at 2025-01-31T08:53:10-05:00
Write out the PKI admin certificate as a PEM file
It was being written out in base-64 only. The PKI team gave
us a heads-up that that may not always be supported. So use
a standard PEM file instead.
Fixes: https://pagure.io/freeipa/issue/9735
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ac931764 by Rob Crittenden at 2025-01-31T08:55:13-05:00
Add a message where the ipa service restarted at end of install
There is a noticeable near the end of an IPA server installation
after the client installation is complete and before the
"Setup complete" message is displayed.
A few minor things are done here but the big time sink is
enabling ipa.service and restarting it because the CA takes
so long to start. In my testing it was between 40 and 60 seconds.
So add a little message so folks don't think the client installer
hung up at the end.
Fixes: https://pagure.io/freeipa/issue/9741
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
18c4a2f9 by Rob Crittenden at 2025-01-31T13:58:32-05:00
Suppress spurious failure messages when uninstalling ACME
We fork out to pki-server to uninstall the ACME service and
the results are very coarse, currently just a pass/fail. This
can lead to displaying very long tracebacks as an error
message.
So check for the existence of the acme path and only invoke
the uninstaller if it exists.
Fixes: https://pagure.io/freeipa/issue/9740
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
d9bf35dc by Florence Blanc-Renaud at 2025-02-04T13:41:54+01:00
ipatests: on rhel10 do not install firefox
Firefox will be installed as a pre-requisite as it either comes
as a flatpak or a tar file. The flatpak is not compatible with
geckodriver as explained in geckodriver release notes
(https://github.com/mozilla/geckodriver/releases/tag/v0.35.0)
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
- - - - -
50e8c4a1 by Florence Blanc-Renaud at 2025-02-06T10:54:39+01:00
ipatests: simulate FIPS mode and install replica
The procedure allowing to simulate FIPS mode is now working
(fixed since fedora 38).
The installation of a PKI clone in FIPS mode works with PKI 11.6 but
fails below. Adjust the test to skip if pki < 11.6.
Fixes: https://pagure.io/freeipa/issue/9002
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
538e5c12 by Andi Chandler at 2025-02-11T08:54:59+01:00
Translated using Weblate (English (United Kingdom))
Currently translated at 0.2% (13 of 4881 strings)
Co-authored-by: Andi Chandler <andi at gowling.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/en_GB/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
11b4ef74 by Rob Crittenden at 2025-02-11T09:00:46+01:00
Configure the pki-tomcatd service systemd timeout
IPA defines a startup timeout that is primarily used
during installation to extend service start-up timeouts
on slower systems.
This tends to work ok when running pki-spawn but can fail when
systemd is starting the tomcat service.
Use the value of startup_timeout to set TimeoutStartSec in
the pki-tomcat systemd override file ipa.conf. This will
preserve the necessary startup_timeout for all future restarts.
This was seen with a very slow HSM where installation was successful
(pki-spawn) but pki-tomcatd startup timed out at the end of the
installation.
To increase the value in installation one needs to create the file
/etc/ipa/installer.conf with contents:
[global]
startup_timeout = 300 (or whatever)
Fixes: https://pagure.io/freeipa/issue/9743
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
4952dff4 by Rob Crittenden at 2025-02-11T09:00:46+01:00
Align startup_timeout with the systemd default and document it
We had it set to 120 seconds while the systemd default is 90.
They should be the same because the first one that times out "wins".
Move where during the installation we create the systemd override
file so that the timeout will be applied across all subsequent
server starts during and post installation.
Fixes: https://pagure.io/freeipa/issue/9743
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
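As an added example for the two commits above (not FreeIPA's installer code): reading `startup_timeout` from the `[global]` section of /etc/ipa/installer.conf, rendering a systemd drop-in that pins `TimeoutStartSec` accordingly, and the "first timer to expire wins" rule that explains why the two values have to agree. The drop-in layout and the function names are assumptions made for this example; the file path and the 90/120-second figures come from the commit messages.

```python
import configparser

# systemd's DefaultTimeoutStartSec; the commit above aligns IPA's default with it.
SYSTEMD_DEFAULT_TIMEOUT_SEC = 90
# Path named in the commit message for overriding installer defaults.
INSTALLER_CONF = "/etc/ipa/installer.conf"


def read_startup_timeout(conf_text, default=SYSTEMD_DEFAULT_TIMEOUT_SEC):
    """Return startup_timeout from [global] in installer.conf text, or default."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    if not parser.has_option("global", "startup_timeout"):
        return default
    value = parser.getint("global", "startup_timeout")
    if value <= 0:
        raise ValueError("startup_timeout must be a positive number of seconds")
    return value


def render_pki_tomcat_override(timeout_sec):
    """Render a systemd drop-in for pki-tomcatd (layout assumed for this example).

    Written as <unit>.d/ipa.conf it applies to every later start of the
    service, not just the one the installer performs.
    """
    return "[Service]\nTimeoutStartSec={}\n".format(timeout_sec)


def effective_start_timeout(ipa_timeout_sec, systemd_timeout_sec):
    """The first timer to expire wins, so the effective limit is the smaller.

    A larger IPA startup_timeout therefore helps only if it is also written
    into the systemd override; 120 in IPA against 90 in systemd gives 90.
    """
    return min(ipa_timeout_sec, systemd_timeout_sec)
```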
3de12743 by Antonio Torres at 2025-02-11T09:09:22+01:00
Add DNS over TLS support
Add DNS over TLS support using Unbound as a local resolver. This
includes new options on both server and client side.
* `--dns-over-tls`: enable DNS over TLS support. This option is present
on both client and server. It deploys Unbound and configures BIND on
the server to receive DoT requests.
* `--dot-forwarder`: the upstream DNS server with DoT support. It must
be specified in the format `1.2.3.4#dns.server.test`
* `--dns-over-tls-key` and `--dns-over-tls-cert`: in case user prefers
to have the DoT certificate in BIND generated by themselves. If these
are empty, IPA CA is used instead to request a new certificate.
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Pavel Brezina <pbrezina at redhat.com>
- - - - -
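An added example for the `--dot-forwarder` format described above (not FreeIPA's DNS installer code): validating the `1.2.3.4#dns.server.test` value and rendering the unbound `forward-zone` stanza that forwards to it over TLS. The hostname after `#` is what unbound verifies the upstream certificate against, so the parser refuses a forwarder that lacks it. The CA bundle path, port constant and function names are assumptions made for this example; the unbound directives are standard ones.

```python
import ipaddress
import re

DOT_PORT = 853  # IANA port for DNS over TLS
# CA bundle location assumed for this example (a Fedora/RHEL path).
CA_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"

# DNS label: letters, digits, hyphens; no leading or trailing hyphen; 1..63 chars.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$", re.IGNORECASE)


def parse_dot_forwarder(value):
    """Validate '<ip>#<authname>' and return (ip, authname).

    The authname is the name unbound checks the upstream's TLS certificate
    against; an address without it would give encryption but no
    authentication of the resolver, so it is mandatory here.
    """
    if value.count("#") != 1:
        raise ValueError(f"expected IP#hostname, got {value!r}")
    ip_text, authname = (part.strip() for part in value.split("#"))
    ip = ipaddress.ip_address(ip_text)          # raises ValueError on bad IPs
    authname = authname.rstrip(".")
    if len(authname) > 253 or not HOSTNAME_RE.match(authname):
        raise ValueError(f"invalid authentication hostname {authname!r}")
    return str(ip), authname


def is_valid_dot_forwarder(value):
    """Boolean wrapper around parse_dot_forwarder for quick checks."""
    try:
        parse_dot_forwarder(value)
    except ValueError:
        return False
    return True


def render_unbound_forward_zone(forwarders, ca_bundle=CA_BUNDLE):
    """Render an unbound config fragment forwarding all queries over TLS."""
    lines = [
        "server:",
        f'    tls-cert-bundle: "{ca_bundle}"',
        "forward-zone:",
        '    name: "."',
        "    forward-tls-upstream: yes",
    ]
    for value in forwarders:
        ip, authname = parse_dot_forwarder(value)
        # unbound's forward-addr syntax is IP@port#authname
        lines.append(f"    forward-addr: {ip}@{DOT_PORT}#{authname}")
    return "\n".join(lines) + "\n"
```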
62c6c096 by Antonio Torres at 2025-02-11T09:09:22+01:00
ipatests: add tests for DNS over TLS
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Pavel Brezina <pbrezina at redhat.com>
- - - - -
4d0aacaa by Antonio Torres at 2025-02-11T09:09:22+01:00
PRCI: add definitions for DNS over TLS tests
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Pavel Brezina <pbrezina at redhat.com>
- - - - -
43239008 by Antonio Torres at 2025-02-11T09:09:22+01:00
spec: add unbound requirement and template file
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Varun Mylaraiah <mvarun at redhat.com>
Reviewed-By: Pavel Brezina <pbrezina at redhat.com>
- - - - -
91353b10 by Antonio Torres at 2025-02-12T19:47:57+01:00
dns: only disable unbound when DoT is enabled
Ensure unbound is only stopped and disabled when DNS over TLS was
enabled during installation.
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4b7235c8 by Mark Reynolds at 2025-02-12T14:01:41-05:00
ipa-migrate - do not migrate tombstone entries, ignore MidairCollisions, and krbpwdpolicyreference
Replication related entries should not be migrated. The main reason is
that we do not allow entries to be added that have an RDN of nsuniqueid
(only the server can internally add them).
Most midair collisions are transient issues and can be ignored for
migration purposes. In migration tests this only happens when an
attribute does not exist in the local server. This happens frequently
with COS attributes.
We should also ignore 'krbpwdpolicyreference' as it's an attribute that is
set by COS and does not need to be migrated.
Fixes: https://pagure.io/freeipa/issue/9737
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
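An added example for the migration rules in the commit above (not the ipa-migrate tool's own code): a filter that refuses entries whose RDN is `nsuniqueid` and drops `krbpwdpolicyreference` before an entry is handed to the target server. The `nsTombstone` objectclass check is an extra test added here; the sample entries and their values are constructed.

```python
# Attributes managed by Class of Service on the target; from the commit above.
SKIPPED_ATTRIBUTES = {"krbpwdpolicyreference"}

# Constructed sample entries (attribute values are lists, as an LDIF reader
# would produce them). The nsuniqueid value is made up.
SAMPLE_ENTRIES = [
    {"dn": "uid=tuser,cn=users,cn=accounts,dc=example,dc=test",
     "objectclass": ["top", "person", "posixaccount"],
     "uid": ["tuser"],
     "krbpwdpolicyreference":
         ["cn=global_policy,cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test"]},
    {"dn": "nsuniqueid=deadbeef-00000000-00000000-00000000,"
           "uid=olduser,cn=users,cn=accounts,dc=example,dc=test",
     "objectclass": ["top", "person", "nsTombstone"],
     "uid": ["olduser"]},
    {"dn": "cn=groupA,cn=groups,cn=accounts,dc=example,dc=test",
     "objectclass": ["top", "groupofnames"],
     "cn": ["groupA"]},
]


def rdn_attribute(dn):
    """Attribute type of the leftmost RDN, lower-cased (no escape handling)."""
    return dn.split(",", 1)[0].partition("=")[0].strip().lower()


def is_replication_entry(entry):
    """Entries the server creates internally and a client cannot add.

    The RDN test is the rule from the commit; the objectclass test is a
    second, independent signal for tombstones added in this example.
    """
    objectclasses = {oc.lower() for oc in entry.get("objectclass", [])}
    return (rdn_attribute(entry["dn"]) == "nsuniqueid"
            or "nstombstone" in objectclasses)


def prepare_for_migration(entry):
    """Return a copy without the skipped attributes, or None to skip the entry."""
    if is_replication_entry(entry):
        return None
    return {k: v for k, v in entry.items() if k.lower() not in SKIPPED_ATTRIBUTES}


def filter_entries(entries):
    """Split entries into (prepared entries to migrate, DNs that were skipped)."""
    migrated, skipped = [], []
    for entry in entries:
        prepared = prepare_for_migration(entry)
        if prepared is None:
            skipped.append(entry["dn"])
        else:
            migrated.append(prepared)
    return migrated, skipped
```

Keeping the skipped DNs around, rather than silently dropping them, gives the operator a record to compare against the source server's entry count after the run.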
018b3d3d by Rob Crittenden at 2025-02-13T11:04:23-05:00
Validate the default e-mail domain in the config plugin
There was zero validation at all. Re-use the Email validator
since that will be used to validate the eventual e-mail
address set in a user.
Fixes: https://pagure.io/freeipa/issue/9680
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
d2b5a9b9 by Florence Blanc-Renaud at 2025-02-26T20:04:39+05:30
ipatests: use "sos report" instead of "sosreport" command
The "sosreport" command has been deprecated and "sos report" should be
used instead. The redirector was removed in sos 4.9.
Fixes: https://pagure.io/freeipa/issue/9752
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
8fda2e0d by Rob Crittenden at 2025-02-26T20:20:17+05:30
Use new(er) PKI connection API in ipa-pki-wait-running
Since PKI v10.8.0 the PKIConnection object can no longer be
created for a specific subsystem. The client that consumes
the connection specifies the subsystem instead.
Use this new API unconditionally as we require PKI >= 10.10.0
and what is available in supported repos is generally 11.5.0+.
See https://github.com/dogtagpki/pki/wiki/PKI-10.8-Python-Changes
Fixes: https://pagure.io/freeipa/issue/9691
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0dee69d7 by Rob Crittenden at 2025-02-26T20:29:17+05:30
Fix some memory errors identified by a static analyzer
Fix a couple of leaks and a double free.
Fixes: https://pagure.io/freeipa/issue/9698
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
1937189e by Frederik Himpe at 2025-02-26T16:14:28+01:00
Make name of nobody group configurable and use nogroup on Debian
Fixes: https://pagure.io/freeipa/issue/9753
Signed-off-by: Frederik Himpe <frederik at frehi.be>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
2085b61c by Rob Crittenden at 2025-02-26T16:29:05+01:00
Remove migration from mod_nss to mod_ssl
mod_nss was the original crypto engine used in Apache with IPA.
Support was dropped in IPA release 4.7.0 in 4596674 and looks
like it was introduced into Fedora in F28.
It's time to remove this upgrade code.
This retains the HTTPD_NSS_CONF definition so that
contrib/copy-schema-to-ca-RHEL6.py can still work.
Fixes: https://pagure.io/freeipa/issue/9739
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
42a94e99 by Rob Crittenden at 2025-02-26T16:29:05+01:00
Remove the migration of the RA cert from mod_nss to mod_ssl
Originally the RA certificate was stored in the Apache NSS
database so it was available natively to the framework. It
was subsequently moved into PEM files even prior to the
switch from mod_nss to mod_ssl.
This code was introduced with 4.5.0 and was last seen in Fedora
in 27 in 2017. We don't support direct in-place upgrades from
such an old version so we should be safe from bricking a user's
installation.
Fixes: https://pagure.io/freeipa/issue/9739
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
cbe863bf by Florence Blanc-Renaud at 2025-02-27T12:30:28+01:00
vault: remove PKIConnection deprecation warning
PKIConnection should be created without the subsystem and
the subsystem has to be provided in the AccountClient as
described in https://github.com/dogtagpki/pki/wiki/PKI-10.8-Python-Changes
Fixes: https://pagure.io/freeipa/issue/9754
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
3c50bc23 by David Hanina at 2025-03-04T18:16:10+01:00
Replace fips-mode-setup
RHEL10 no longer supports fips-mode-setup; this has been
replaced in the healthcheck tool, but also needs to be replaced here.
Fixes: https://pagure.io/freeipa/issue/9750
Signed-off-by: David Hanina <dhanina at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
90d70b5d by David Hanina at 2025-03-04T18:16:10+01:00
Skip for unpatched freeipa-healthcheck
The patch is not yet live, therefore we should expect a failure.
Once the patched version goes out, the test should work properly.
Signed-off-by: David Hanina <dhanina at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
dfcc2552 by Rob Crittenden at 2025-03-06T14:31:46+01:00
Log failed auth attempts over LDAP when a user is locked
The KDC logs when a user who is locked out with
Client's credentials have been revoked
The LDAP server did not. This adds a message so administrators
can tell when a user is locked out.
ALERT - ipalockout_postop - User uid=tuser,cn=users,cn=accounts,dc=example,dc=test is locked out. Too many failed authentication attempts.
Fixes: https://pagure.io/freeipa/issue/9742
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
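The lockout message quoted in the commit above is what a SOC would alert on. This is an added example, not part of FreeIPA: it parses constructed 389-ds errors-log lines carrying that message and counts lockouts per user (the bracketed timestamp prefix is assumed to follow the usual 389-ds log layout and is optional in the matcher).

```python
import re
from collections import Counter

# Constructed sample errors-log excerpt; timestamps and DNs are made up.
# The ALERT message text follows the format quoted in the commit message.
SAMPLE_ERRORS_LOG = """\
[06/Mar/2025:14:31:46.120000000 +0100] - INFO - slapd_daemon - slapd started.
[06/Mar/2025:14:32:01.554000000 +0100] - ALERT - ipalockout_postop - User uid=tuser,cn=users,cn=accounts,dc=example,dc=test is locked out. Too many failed authentication attempts.
[06/Mar/2025:14:32:05.101000000 +0100] - ALERT - ipalockout_postop - User uid=tuser,cn=users,cn=accounts,dc=example,dc=test is locked out. Too many failed authentication attempts.
ALERT - ipalockout_postop - User uid=bob,cn=users,cn=accounts,dc=example,dc=test is locked out. Too many failed authentication attempts.
"""

# Timestamp prefix "[...] - " is optional so the bare line from the commit
# message matches too; the DN is captured whole and the uid RDN separately.
LOCKOUT_RE = re.compile(
    r"^(?:\[(?P<ts>[^\]]+)\] - )?ALERT - ipalockout_postop - "
    r"User (?P<dn>uid=(?P<uid>[^,]+),\S+) is locked out\."
)


def parse_lockouts(log_text):
    """Return one dict per lockout event found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = LOCKOUT_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "uid": m["uid"], "dn": m["dn"]})
    return events


def lockout_counts(events):
    """Number of lockout messages per uid, useful for spotting password spraying."""
    return Counter(e["uid"] for e in events)


if __name__ == "__main__":
    for uid, n in lockout_counts(parse_lockouts(SAMPLE_ERRORS_LOG)).items():
        print(f"{uid}: {n} lockout message(s)")
```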
69ca3e47 by Florence Blanc-Renaud at 2025-03-07T18:45:42+05:30
WebUI: fix the tooltip for Search Size limit
The tooltip for IPA Server > Configuration > Search size limit
is using the doc from ipasearchtimelimit instead of
ipasearchrecordslimit.
Use the right tooltip to properly display:
Maximum number of records to search (-1 or 0 is unlimited)
Fixes: https://pagure.io/freeipa/issue/9758
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
cd3b7b9b by Florence Blanc-Renaud at 2025-03-07T16:04:33+01:00
ipatests: adapt error code and message for samba 4.22
When establishing trust with an unreachable AD domain controller,
the error code and message have changed with samba 4.22.
Update the test to be compatible with any version of samba.
Fixes: https://pagure.io/freeipa/issue/9751
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a542a918 by Erik Belko at 2025-03-10T15:27:08+05:30
man: fix formatting and syntax issues
Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
071e5fe3 by Vasily Parfenov at 2025-03-10T15:27:08+05:30
man: fix incorrect groff syntax in man pages
Updating cases in man pages which had incorrect groff syntax
Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c7b6f4d0 by Frederik Himpe at 2025-03-10T19:15:09+05:30
Make path of Samba lock directory configurable and use /run/samba on Debian
Signed-off-by: Frederik Himpe <frederik at frehi.be>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
56be7b46 by Rob Crittenden at 2025-03-10T23:06:28+05:30
Drop python v2 in ipaserver/install/certs.py for lint errors
ipaserver/install/certs.py:908: [W4902(deprecated-method), _CrossProcessLock._read] Using deprecated method readfp())
ipaserver/install/certs.py:908: [I0021(useless-suppression), ] Useless suppression of 'no-member')
Related: https://pagure.io/freeipa/issue/9738
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4a9c1dde by Rob Crittenden at 2025-03-10T23:06:28+05:30
Drop python 2 support in installutils.py
Compatibility in python 3.12 is limited and is triggering lint
failures.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6d7f51c1 by Rob Crittenden at 2025-03-10T23:06:28+05:30
Drop python 2 support in ipaserver/install/ca.py
Lint issues with unicode
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1a7a11c1 by Florence Blanc-Renaud at 2025-03-12T10:19:43+01:00
Leapp upgrade: skip systemctl calls
During LEAPP upgrade, the system is booted in a special mode
without systemd. As a consequence, any scriptlet calling
systemctl fails and may break the upgrade.
Skip the call to systemctl if a LEAPP upgrade is in progress
(this is easily checked using the env variable $LEAPP_IPU_IN_PROGRESS
that is set for instance to LEAPP_IPU_IN_PROGRESS=8to9).
Fixes: RHEL-82089
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a6060fe5 by Florence Blanc-Renaud at 2025-03-12T10:23:09+01:00
ipatest: make test_cert more robust to replication delays
The test TestCAShowErrorHandling::test_ca_show_error_handling is
adding a subca on the replica, then checks the entry is present on the
master.
If the replication is a bit slow, the call on the master may fail to
return the newly created subca.
The test should wait for replication to complete before calling
ipa ca-find.
Fixes: https://pagure.io/freeipa/issue/9762
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b917b320 by David Hanina at 2025-03-12T19:35:37+05:30
Disable --raw and --structured together
Disables --raw and --structured for dnsrecord-* command.
This is being shown in help for structured, as raw is implemented in
almost every command, therefore people are more likely to view
structured. Also contains tests, even though this is newly noted, this
combination has never worked in the past.
Fixes: https://pagure.io/freeipa/issue/9756
Signed-off-by: David Hanina <dhanina at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
cc763d78 by Alexander Bokovoy at 2025-03-13T21:22:37+05:30
config-mod: allow disabling subordinate ID integration
When full 32-bit ID range usage is required, subordinate ID support has
to be disabled. However, even if ID range for subordinate IDs were to be
removed, it will be restored during the next data upgrade.
Change upgrade code to only apply subID range creation when subID
support is enabled.
Do not allow allocating subIDs if their use is disabled.
Allow full 32-bit uidNumber/gidNumber values in JSON payload.
Fixes: https://pagure.io/freeipa/issue/9757
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
cdafe1d3 by Alexander Bokovoy at 2025-03-13T21:22:37+05:30
update_dna_shared_config: do not fail when config is not found
The helper function was supposed to return a DN or None.
Related: https://pagure.io/freeipa/issue/9757
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
99decb11 by Alexander Bokovoy at 2025-03-13T21:22:37+05:30
baseuser: allow uidNumber and gidNumber of 32-bit range
JSON format allows encoding integers up to 2^53-1. Linux systems allow
for 32-bit IDs. Permit setting full 32-bit uidNumber and gidNumber
through IPA API. Administrators already can set 32-bit IDs via LDAP.
ID Range also needs to permit larger sizes of RID bases. SIDGEN plugin
already treats RID bases as 1..MAX_UINT32.
Fixes: https://pagure.io/freeipa/issue/9757
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
5a398d27 by Alexander Bokovoy at 2025-03-13T21:22:37+05:30
ipatests: add a test to use full 32-bit ID range space
The test reconfigures IPA deployment to disable subordinate IDs support
and then configures an additional ID range to cover upper half of the
2^32 ID space. It then makes sure that a user with a UID/GID from that
ID range can be created and used.
Fixes: https://pagure.io/freeipa/issue/9757
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
7ab7c808 by Temuri Doghonadze at 2025-03-17T14:48:43+01:00
Translated using Weblate (Georgian)
Currently translated at 35.7% (1747 of 4881 strings)
Co-authored-by: Temuri Doghonadze <temuri.doghonadze at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
140c3b54 by Florence Blanc-Renaud at 2025-03-18T22:35:11+05:30
idrange: use minvalue=0 for baserid and secondarybaserid
With the support of 32 bit idrange, the minvalue was set to 1
but this introduces a regression in the command ipa trust-add
as the range for AD trust is added with baserid=0
Lower the minvalue to 0
Fixes: https://pagure.io/freeipa/issue/9765
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
ed8b4bc3 by Florence Blanc-Renaud at 2025-03-18T22:35:11+05:30
gating tests: add test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust
This way we have at least one gating test that calls
ipa trust-add.
Related: test_ipahealthcheck.py::TestIpaHealthCheckWithADtrust
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
14196891 by David Hanina at 2025-03-19T21:40:06+05:30
Disallow removal of dogtag and ipa-dnskeysyncd services on IPA servers
Also removes dogtagldap from unremovable services
Fixes: https://pagure.io/freeipa/issue/9764
Signed-off-by: David Hanina <dhanina at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
5a63a50d by Florence Blanc-Renaud at 2025-03-20T18:44:11+05:30
ipatests: update fedora41 vagrant box to 0.0.2
New version generated March 18
Reviewed-By: Sudhir Menon <sumenon at redhat.com>
- - - - -
08450eef by Sudhir Menon at 2025-03-20T21:02:04+05:30
ipatests: Tests to check data in journal log
This testcase checks that ipa administrative user
password is not displayed in journal log.
Related: https://issues.redhat.com/browse/RHEL-67190
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f91b677a by Rob Crittenden at 2025-03-21T13:26:39-04:00
Don't require certificates to have unique ipaCertSubject
In the wild a public CA issued a new subordinate CA certificate
with an identical subject to another, with a new private key.
This was uninstallable using ipa-cacert-manage because it would
fail with "subject public key info mismatch" during verification
because a different certificate with the same subject but
different public key was installed.
I'm not sure of the reasoning to prevent this situation but I
see it as giving users flexibility. This may be hurtful to them
but they can always remove any affected certs.
This is backwards compatible with older releases from the client
perspective. Older servers will choke on the duplicates and
won't be able to manage these.
A new serial number option is added for displaying the list of
certificates and for use when deleting one with a duplicate subject.
ipa-cacert-manage delete on systems without this patch will
successfully remove ALL of the requested certificates. There is no
way to distinguish. At least it won't break anything and the
deleted certificates can be re-added.
Fixes: https://pagure.io/freeipa/issue/9652
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
f1c30c5f by Antonio Torres at 2025-03-25T12:26:52+05:30
dns: don't populate forwarders with DoT forwarders
DNS over TLS setup overrides global forwarder to point to Unbound, so no
need to setup regular forwarders.
Resolves: https://pagure.io/freeipa/issue/9748
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
79c704fb by Francisco Trivino at 2025-03-25T10:30:10+01:00
doc/designs: add encrypted DNS design documents
Add design page for Encrypted DNS traffic support.
Related: https://pagure.io/freeipa/issue/9605
Signed-off-by: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ac6eee67 by Aleksandr Sharov at 2025-03-25T10:33:06+01:00
Add a check into ipa-cert-fix tool to avoid updating certs if CA is close to being expired.
Fixes: https://pagure.io/freeipa/issue/9760
Signed-off-by: Aleksandr Sharov <asharov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
23bfcdd4 by Aleksandr Sharov at 2025-03-25T10:33:06+01:00
Test fix for the update
Fixes: https://pagure.io/freeipa/issue/9760
Signed-off-by: Aleksandr Sharov <asharov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e3f99194 by Alexander Bokovoy at 2025-03-26T11:17:43+02:00
add sourcery.ai github action
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino Garcia <ftrivino at redhat.com>
- - - - -
f9eb1154 by Alexander Bokovoy at 2025-03-26T13:46:11+02:00
Revert "add sourcery.ai github action"
This reverts commit e3f991948a439bd6d84f22263c98a13f9b47d2a0.
Sourcery works right now without adding an action as a webhook, so we
don't need an action that cannot access secrets when triggered from a
pull request.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
940a0bc8 by Florence Blanc-Renaud at 2025-03-28T09:17:15+01:00
PRCI definitions: update vagrant box version for rawhide
Use version 0.9.1 based on fedora 43 - March 26, 2025
Reviewed-By: Sudhir Menon <sumenon at redhat.com>
- - - - -
9743fb96 by Rob Crittenden at 2025-03-28T19:15:04+05:30
Address deprecation warning in ipa-replica-manage
Running ipa-replica-manage results in a deprecation warning:
/usr/lib/python3.12/site-packages/ipaclient/install/ipadiscovery.py:20:
DeprecationWarning: ipaclient.install.ipadiscovery is deprecated, use ipaclient.discovery
Switch to the new usage.
Fixes: https://pagure.io/freeipa/issue/9771
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ea374e83 by David Hanina at 2025-03-31T08:46:57+02:00
Correct dnsrecord_* tests for --raw --structured
Fixes typo in the tests, --raw --structured is only checked if rest of
the command is correct as well, therefore test changes were required.
Fixes: https://pagure.io/freeipa/issue/9768
Signed-off-by: David Hanina <dhanina at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
83d22c5e by Ricky Tigg at 2025-04-04T13:24:55+02:00
Translated using Weblate (Finnish)
Currently translated at 20.0% (981 of 4881 strings)
Co-authored-by: Ricky Tigg <ricky.tigg at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fi/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
6ddf7e94 by Sudhir Menon at 2025-04-07T22:19:32+05:30
ipatests: Fix for ipa-healthcheck test in FIPS Mode
Fix https://github.com/freeipa/freeipa-healthcheck/pull/349
was added for RHEL10 only causing the tests to
fail in RHEL10.1.
Hence the if condition has been changed in the testcode.
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
9b938b51 by Julien Rische at 2025-04-08T09:42:45+02:00
ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op
Also remove unused "search_pb" variable and its associated free
functions.
Fixes: https://pagure.io/freeipa/issue/9772
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
f5084adb by Florence Blanc-Renaud at 2025-04-09T11:55:29+05:30
PRCI: switch testing from f40 and f41 to f41 and f42
Fedora 42 will be available soon and Fedora 40 will be EOL May 13 2025.
Start testing on fedora 41 and fedora 42.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
e964b7de by Florence Blanc-Renaud at 2025-04-09T11:55:29+05:30
ipatests: fix test_idp
The test is calling su -c "sudo yum list yum" keycloakuser
to ensure that keycloakuser is allowed to execute the yum command.
On fedora 42 and above, the yum package does not exist any more.
Replace with a call to yum list sssd-client as the package
sssd-client is always installed on our test machines.
Fixes: https://pagure.io/freeipa/issue/9769
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
8bc64a26 by Temuri Doghonadze at 2025-04-14T14:42:19+02:00
Translated using Weblate (Georgian)
Currently translated at 35.8% (1749 of 4881 strings)
Co-authored-by: Temuri Doghonadze <temuri.doghonadze at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
26c80e84 by Florence Blanc-Renaud at 2025-04-15T16:23:32+05:30
azure pipeline: replace ubuntu-20.04 with 24.04
Azure is deprecating the Ubuntu-20.04 Apr 15th, see announcement
https://devblogs.microsoft.com/devops/upcoming-updates-for-azure-pipelines-agents-images/#ubuntu
With the Ubuntu 24.04 image, we need to change permissions of /etc/shadow
in order to allow sudo commands.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
b08fe801 by Florence Blanc-Renaud at 2025-04-15T16:23:32+05:30
azure pipeline: skip step disabling conflicting apparmor profile
aa-disable /etc/apparmor.d/usr.sbin.chronyd fails on Ubuntu 24.04
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2079019
Skip the step for now
Fix the top command (replace n 1 with -n 1)
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
bdfcf8c2 by Florence Blanc-Renaud at 2025-04-15T16:23:32+05:30
Azure CI: use podman instead of docker through emulation
- The scaled containers are named name_i instead of name-i
(with _ instead of -)
- podman-compose doesn't have the option -p project_id
Use the env var COMPOSE_PROJECT_NAME instead
- Do not add all capabilities in docker-compose.yml
Drop the CAP_SYS_TIME capability, otherwise chronyd fails to start
in the container
- Use absolute path to mount volumes in the containers
When using a relative path which is a symbolic link, podman is
confused. Use only absolute paths.
- Use default network in podman-compose
- Start podman.socket and set the env var DOCKER_HOST to
communicate with it
- Ubuntu 24.04 uses cgroup v2 and has different files for
memory control files.
- test_sudo: force idrange to be compatible with containers
The user defined on the host has a subuid/subgid range of
65536 ids. Create ipa server with an idrange below
65536, otherwise sudo commands fail.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
4e06a417 by Mark Reynolds at 2025-05-01T15:47:33-04:00
ipa-migrate - remove replication state information
Remove replication state information (happens when LDIFs are used).
State information is written like:
attribute;adcsn=<CSN>
But we also support ";binary" which should not be removed so special
handling is needed in that case.
Signed-off-by: Mark Reynolds <mareynol at redhat.com>
Fixes: https://pagure.io/freeipa/issue/9776
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
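The ipa-migrate change above strips `attribute;adcsn=<CSN>` state options from an LDIF export while leaving `;binary` in place. The following is an added example, not ipa-migrate's own code, showing that filtering over a constructed LDIF fragment (the CSN values and DN are made up; only the `adcsn=` option form named in the commit is treated as state information).

```python
import re

# Constructed LDIF fragment as 389-ds might export it with replication state
# information; CSNs and the DN are made up for this example.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: person
uid;adcsn=5f1a2b3c000000010000: alice
userCertificate;binary;adcsn=5f1a2b3c000000020000:: MIICdummybase64==
description;binary: keep this option
cn: Alice
 Continuation lines start with a space and are passed through untouched
"""

# Attribute description ("name;opt;opt") followed by ":" or "::" and the value.
ATTR_LINE_RE = re.compile(r"^([A-Za-z][\w-]*(?:;[^:\s]+)*)(::?)(.*)$")
# Replication state option as described in the commit: adcsn=<CSN>.
STATE_OPT_RE = re.compile(r"^adcsn=[0-9a-fA-F]+$")


def strip_state_info(attr_desc):
    """Drop adcsn=<CSN> options from an attribute description, keep the rest."""
    name, *options = attr_desc.split(";")
    kept = [opt for opt in options if not STATE_OPT_RE.match(opt)]
    return ";".join([name, *kept])


def clean_ldif(text):
    """Rewrite every attribute line of an LDIF text without state information."""
    out = []
    for line in text.splitlines():
        m = ATTR_LINE_RE.match(line)
        if m is None:  # comments, continuation lines, blank separators
            out.append(line)
            continue
        desc, sep, value = m.groups()
        out.append(strip_state_info(desc) + sep + value)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    print(clean_ldif(SAMPLE_LDIF))
```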
1fb3e7fe by Mark Reynolds at 2025-05-01T15:48:55-04:00
ipa-migrate - do not process AD entries in staging mode
Only migrate AD entries in production mode due to schema conflicts
created when removing certain AD attributes (e.g.
ipantsecurityidentifier)
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Relates: https://pagure.io/freeipa/issue/9776
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6cdabdac by Mark Reynolds at 2025-05-01T15:51:08-04:00
ipa-migrate - improve suffix replacement
When values are "normalized/converted" to a new domain the order in
which the host/release/suffix are converted matters. Replacing the
suffix first can lead to incorrect results, so convert the host/realm
before converting the suffix
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Relates: https://pagure.io/freeipa/issue/9776
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
1311df2e by Alexander Bokovoy at 2025-05-06T13:48:35+02:00
Use OpenSSL provider with BIND for Fedora 42+ and RHEL10+
OpenSSL Engine API is deprecated and ability to compile against it is
removed in RHEL10. OpenSSL provider API is the future.
Fedora 42+ also defaults to OpenSSL provider. With pkcs11-provider, the
same PKCS#11 modules can be loaded transparently like with OpenSSL
engines. Thus, we can update configuration to use the provider API.
While Fedora 41 also defaults to OpenSSL provider, we need BIND version
that supports using OpenSSL provider API. This backport was only done in
Fedora 42.
Fixes: https://pagure.io/freeipa/issue/9696
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d1e22146 by Alexander Bokovoy at 2025-05-06T13:48:35+02:00
DNS: detect when OpenSSL engine should be removed on upgrade
For OpenSSL Provider API use we don't need 'named -E engine-name'
anymore, it has to be removed. The removal process is slightly
complicated because we need to detect '-E engine-name' and compare it
with the engine we know about (pkcs11) but if we are upgrading to the
build that supports OpenSSL Provider API, we don't know the engine name
anymore.
Fixes: https://pagure.io/freeipa/issue/9696
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
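The upgrade detection described above has to drop `-E engine-name` from the named command line without knowing the engine name. This added example (not FreeIPA's bindinstance code) does that over a constructed sysconfig fragment; the `OPTIONS=` key name and the `DISABLE_ZONE_CHECKING` line are assumptions about the file layout.

```python
import re
import shlex

# Constructed sysconfig fragment for named; key names are assumptions.
SAMPLE_SYSCONFIG = 'DISABLE_ZONE_CHECKING=no\nOPTIONS="-E pkcs11 -4"\n'

OPTIONS_LINE_RE = re.compile(r"^OPTIONS=(.*)$")


def remove_engine_option(options):
    """Return (options without any -E <engine>, engine name or None).

    Handles both '-E pkcs11' and the attached form '-Epkcs11', keeping every
    other argument in its original order.
    """
    args = shlex.split(options)
    kept, engine, i = [], None, 0
    while i < len(args):
        arg = args[i]
        if arg == "-E":
            if i + 1 < len(args):
                engine = args[i + 1]
            i += 2
            continue
        if arg.startswith("-E") and len(arg) > 2:
            engine = arg[2:]
            i += 1
            continue
        kept.append(arg)
        i += 1
    return shlex.join(kept), engine


def upgrade_named_options(options, known_engine="pkcs11"):
    """Decide whether the OPTIONS value needs rewriting for the provider API."""
    new_options, engine = remove_engine_option(options)
    if engine is None:
        return options, False, "no OpenSSL engine configured"
    note = ("known engine %s removed" % engine if engine == known_engine
            else "unknown engine %s removed, provider build needs none" % engine)
    return new_options, True, note


def rewrite_sysconfig(text):
    """Rewrite the OPTIONS= line of a sysconfig text, leaving other lines alone."""
    out = []
    for line in text.splitlines():
        m = OPTIONS_LINE_RE.match(line)
        if m is None:
            out.append(line)
            continue
        raw = m.group(1)
        current = shlex.split(raw)[0] if raw.strip() else ""
        new_options, _changed, _note = upgrade_named_options(current)
        out.append('OPTIONS="%s"' % new_options)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    print(rewrite_sysconfig(SAMPLE_SYSCONFIG), end="")
```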
b9579fe0 by Alexander Bokovoy at 2025-05-06T13:48:35+02:00
ipa-dnskeysyncd: use systemd-tmpfiles to handle tokens
ipa-dnskeysyncd daemon relies on both OpenDNSSEC and BIND accessing the
same cryptographic token. We use SoftHSMv2 here and store token in
DNSSEC_TOKENS_DIR, defined by the IPA platform.
Configure ipa-dnskeysyncd service to update permissions of the token
files using custom systemd-tmpfiles configuration.
Extend SELinux policy to handle access to the token under a separate
file context. Both token and its pin file need to be accessed by the BIND
rndc tool.
Fixes: https://pagure.io/freeipa/issue/9696
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c9f7cf11 by Alexander Bokovoy at 2025-05-06T13:48:35+02:00
freeipa.spec.in: update BIND-related dependencies
BIND in Fedora 42+ includes a custom backport for DNSSEC support when
using OpenSSL provider API. Make sure we have that support included.
For RHEL 10 we should be using a similar build but it is not yet
available, so make sure we include the version that is up to date prior
to enabling DNSSEC with OpenSSL provider API. Once new BIND build is
available, we can enable OpenSSL provider API usage in ipaplatform.rhel.
Fixes: https://pagure.io/freeipa/issue/9696
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d7b454e1 by Alexander Bokovoy at 2025-05-06T13:48:35+02:00
freeipa.spec.in: do not recommend encrypted DNS on pre-F42 systems
Fedora 41 or earlier do not have infrastructure to run encrypted DNS
server side.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
7e254aee by Rob Crittenden at 2025-05-06T13:48:35+02:00
Azure CI: Use F42
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d271fc19 by Rob Crittenden at 2025-05-06T13:48:35+02:00
Make the Azure template work with both dnf4 and dnf5
Add a version test to call dnf builddep differently based on
release.
Remove --skip-broken when calling dnf builddep. This was an
old workaround from 2019. The option is no longer supported
with dnf5. First seen in F41. Drop in all calls.
dnf5 doesn't take a --spec option. It has to be passed a spec file.
So in that case copy freeipa.spec.in to freeipa.spec and call.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b7c17c70 by Rob Crittenden at 2025-05-06T13:48:35+02:00
Test: dnf5 handles updating itself differently than dnf4
If there are no updates then dnf update dnf will fail with a return
code of 1.
https://github.com/rpm-software-management/dnf5/issues/1862
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ec990a5e by Alexander Bokovoy at 2025-05-06T13:48:35+02:00
Move wheel constraints to F41+
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ef6ead4c by Alexander Bokovoy at 2025-05-06T13:48:35+02:00
fix used-before-assignment errors where pylint cannot infer logic
install/tools/ipa-csreplica-manage:471: [E0601(used-before-assignment), main] Using variable 'replica1' before assignment)
install/tools/ipa-csreplica-manage:471: [E0601(used-before-assignment), main] Using variable 'replica2' before assignment)
install/tools/ipa-replica-manage:1598: [E0601(used-before-assignment), main] Using variable 'replica1' before assignment)
install/tools/ipa-replica-manage:1598: [E0601(used-before-assignment), main] Using variable 'replica2' before assignment)
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
94a0552c by Alexander Bokovoy at 2025-05-06T13:48:35+02:00
pylint: do not use return at the end of flow
pylint 3.3+ considers the last 'return' in the flow 'useless':
contrib/perflog:89: [R1711(useless-return), parselog.display_times] Useless return at end of function or method)
ipatests/pytest_ipa/integration/tasks.py:1342: [R1711(useless-return), two_connected_topo] Useless return at end of function or method)
ipaserver/plugins/baseldap.py:575: [R1711(useless-return), host_is_master] Useless return at end of function or method)
ipaserver/install/replication.py:1425: [R1711(useless-return), ReplicationManager.initialize_replication] Useless return at end of function or method)
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
1493aec4 by Alexander Bokovoy at 2025-05-06T13:48:35+02:00
test_console: rework matching to adjust to Python 3.13
Different formatting causes the old test assert to always fail.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
8934728d by Alexander Bokovoy at 2025-05-06T13:48:35+02:00
Make IPAAbstractVersion available to all platforms
They still need to implement own comparison function
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ac791f73 by Miro Hrončok at 2025-05-06T13:48:35+02:00
Stop using deprecated pkg_resources
Use packaging.version and importlib.metadata instead.
Note that packaging.version only parses versions compatible with Python packaging
(originally defined in PEP 440).
https://packaging.python.org/en/latest/specifications/version-specifiers/
Fixes https://pagure.io/freeipa/issue/9676
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
df319b97 by Alexander Bokovoy at 2025-05-06T13:48:35+02:00
Azure CI: do not run test_ipaserver/test_migratepw
Unfortunately, password migration initializes PyCA several times within
the same process. PyCA uses PyO3 which explicitly disables such behavior
and breaks the execution. As a result, the test fails with the following
error message in the logs:
-------------------------------------
from cryptography.hazmat.bindings._rust import x509 as rust_x509, referer: https://master1.ipa.test/ipa/migration/migration.py
ImportError: PyO3 modules compiled for CPython 3.8 or older may only be initialized once per interpreter process, referer: https://master1.ipa.test/ipa/migration/migration.py
-------------------------------------
This was introduced in 2022 with the following commit:
https://github.com/PyO3/pyo3/commit/f17e70316751285340508d0009103570af7e0873
and means the test always fails to detect the recent Python 3.9+ (Fedora
42 runs on Python 3.13).
Fedora's PyO3 build allows to re-enable unsafe sub-interpreters but it has
to be enabled within the package using pyo3 rust crate, e.g. PyCA. PyCA
is built without this support.
Disable the test until we find out how to fix this mess.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e7095dce by Alexander Bokovoy at 2025-05-06T13:48:35+02:00
test_schema: do not fool pytest with a non-test class name
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
56261bbb by Julien Rische at 2025-05-07T10:35:21-03:00
kdb: keep ipadb_get_connection() from succeeding with null LDAP context
The final call to ipadb_reinit_mspac() in ipadb_get_connection() is not
considered essential for the function to succeed, as there might be
cases where the required pieces of information to generate PACs are not
yet configured in the database. However, in environments where 389ds is
overwhelmed, the LDAP connection established at the beginning of
ipadb_get_connection() might already be lost while executing
ipadb_reinit_mspac().
Connection errors were not distinguished from configuration errors,
which could result in ipadb_get_connection() succeeding while the LDAP
context is set to null, leading to a KDC crash on the next LDAP request.
ipadb_get_connection() now explicitly checks the value of the LDAP
context before returning.
Fixes: https://pagure.io/freeipa/issue/9777
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a58479b0 by Rob Crittenden at 2025-05-12T16:37:19+05:30
Add --domain option to ipa-client-automount for DNS discovery
If the client machine is not in the IPA DNS domain then discovery
will not find a server. Add a --domain option so that the set of
servers can be discovered.
Note that --domain is initialized to "" rather than None to match
the behavior in ipa-client-install.
Fixes: https://pagure.io/freeipa/issue/9780
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
- - - - -
e3425d06 by Florence Blanc-Renaud at 2025-05-12T13:13:38+02:00
PRCI tests: update vagrant image with latest bind package
Fedora 42 is now officially available. Update the bind and
bind-dyndb-ldap packages to the latest versions
(bind-9.18.35-2.fc42, bind-dyndb-ldap-11.11-3.fc42)
by updating the vagrant image to 0.0.4
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c2aae876 by Florence Blanc-Renaud at 2025-05-16T10:19:42+02:00
dns install: fix selinux avc relabelto
During the DNS server installation in SELinux enforcing mode,
ipa-dnskeysyncd.service fails to restart because of the AVC:
avc: denied { relabelto } for pid=29955 comm="systemd-tmpfile" name="softhsm_pin" dev="vda4" ino=38440 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:ipa_dnskey_t:s0 tclass=file permissive=0
Add the missing policies
allow systemd_tmpfiles_t ipa_dnskey_t:file relabelto;
allow ipa_dnskey_t fs_t:filesystem associate;
allow ipa_ods_exporter_t ipa_dnskey_t:file { getattr ioctl open read };
allow named_t ipa_dnskey_t:file { getattr open read };
Fixes: https://pagure.io/freeipa/issue/9782
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
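The AVC line quoted in the commit above is the raw material from which the four allow rules were written. The following is an added example, not FreeIPA's code or the work of the commit author, of how such denials are turned into type-enforcement rules: it parses the AVC fields, keeps only the type component of each security context, and merges denials that share source type, target type and object class into one permission set, which is how the "{ getattr ioctl open read }" style lines above come about. The first sample line is the one from the commit message; the other two are constructed and do not come from a real audit log.

```python
import re
from collections import defaultdict

# Constructed sample input. The first line is the AVC quoted in the commit
# message above; the other two are made-up denials in the same format and
# do not come from a real audit log.
SAMPLE_AVC_LINES = [
    'avc: denied { relabelto } for pid=29955 comm="systemd-tmpfile" '
    'name="softhsm_pin" dev="vda4" ino=38440 '
    'scontext=system_u:system_r:systemd_tmpfiles_t:s0 '
    'tcontext=system_u:object_r:ipa_dnskey_t:s0 tclass=file permissive=0',
    'avc: denied { read } for pid=31000 comm="ipa-ods-exporte" '
    'name="softhsm_pin" dev="vda4" ino=38440 '
    'scontext=system_u:system_r:ipa_ods_exporter_t:s0 '
    'tcontext=system_u:object_r:ipa_dnskey_t:s0 tclass=file permissive=0',
    'avc: denied { getattr open } for pid=31000 comm="ipa-ods-exporte" '
    'name="softhsm_pin" dev="vda4" ino=38440 '
    'scontext=system_u:system_r:ipa_ods_exporter_t:s0 '
    'tcontext=system_u:object_r:ipa_dnskey_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Extract the fields of one AVC denial, or return None if the line is not one.

    A security context is user:role:type[:level]; only the type field matters
    for writing a type-enforcement rule.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": m.group("perms").split(),
        "source": m.group("scontext").split(":")[2],
        "target": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        # permissive=1 means the access was logged but not actually blocked
        "permissive": m.group("permissive") == "1",
    }


def derive_allow_rules(lines):
    """Turn AVC denials into the minimal set of allow rules that covers them.

    Denials with the same (source type, target type, object class) are merged
    into one rule, so several single-permission denials become one
    '{ a b c }' permission set, as in the policy lines quoted above.
    """
    wanted = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        wanted[(avc["source"], avc["target"], avc["tclass"])].update(avc["perms"])
    rules = []
    for (source, target, tclass), perms in sorted(wanted.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in derive_allow_rules(SAMPLE_AVC_LINES):
        print(rule)
```

In practice audit2allow does this job from the audit log; the value of writing it out is seeing that a derived rule is only as narrow as the denials it was built from, so each one should be checked against what the daemon legitimately needs before it goes into a policy module. The permissive field is parsed so that denials recorded in permissive mode can be told apart from ones that actually blocked an access.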
d1abdca1 by Florence Blanc-Renaud at 2025-05-19T16:35:24+02:00
ipatests: add extensions to server certificates for CAless mode
When installing the server in CA less mode, the tests generate
server certificates but some extensions were missing.
Generate server cert with an Authority Key Identifier extension
using the CA's subject key identifier.
Without this extension, replica installation fails with
certificate verify failed: Missing Authority Key Identifier
in the step fetching the DM password from the server.
Add KeyUsage and Extended Key Usage.
Fixes: https://pagure.io/freeipa/issue/9787
Related: https://github.com/dogtagpki/pki/issues/5051
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
6329c370 by Florence Blanc-Renaud at 2025-05-20T10:41:39+02:00
azure pipeline: disable InstallDNSSECFirst
The test is unstable and prevents green CI.
Moreover it is already executed in PRCI gating tests.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
089e813b by Florence Blanc-Renaud at 2025-05-21T16:26:57+02:00
ipatests: test_manual_renewal_master_transfer must wait for replication
The test is transferring the CA renewal role from master to replica.
It calls ipa config-mod on the replica then checks with ipa config-show
on the master.
Wait for replication to complete between the 2 steps.
Fixes: https://pagure.io/freeipa/issue/9790
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
247adf43 by David Hanina at 2025-05-26T08:31:43+02:00
Require baserid and secondarybaserid
This has been already required for some time, just not really enforced.
Also adds a few new tests, and removes the test without providing rid.
Fixes: https://pagure.io/freeipa/issue/9779
Signed-off-by: David Hanina <dhanina at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
397a85cd by PRANAV THUBE at 2025-05-27T07:47:04+02:00
ipatests: Ignore /run/log/journal in test_uninstallation.py
Update - Add /run/log/journal to the allowed list for leftover files/directories
Fixes: https://pagure.io/freeipa/issue/9788
Signed-off-by: PRANAV THUBE <pthube at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e4a3d46e by Florence Blanc-Renaud at 2025-05-27T09:33:13+02:00
ipa config-mod: fix internalerror when setting an empty ipaconfigstring
When ipa config-mod is called with --ipaconfigstring="", the command
fails with an InternalError.
This happens because the code added for 32-bit uid did not properly
handle this case.
Same issue if ipa subid-stats is called with a null ipaconfigstring.
This commit now handles when ipaconfigstring is empty or None, and adds
a test.
Fixes: https://pagure.io/freeipa/issue/9794
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
- - - - -
d2bd254c by Sudhir Menon at 2025-05-27T13:48:19+05:30
ipatests: Test to check dot forwarders are added to unbound.
This test checks that the dns forwarder is listed in
dnsserver-show command and also the dot forwarder is
added to unbound and included in /etc/unbound/conf.d/zzz-ipa.conf
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>
- - - - -
111e0f04 by Rob Crittenden at 2025-05-27T10:24:09+02:00
Fix some issues identified by a static analyzer
Remove resource leak when reading the IPA config in ipa-getkeytab
Free popt in ipa-getkeytab
Initialize ret in ipa-otpd/passkey.c
Use the correct free function in util/ipa_krb5.c
Related: https://pagure.io/freeipa/issue/9468
Fixes: https://pagure.io/freeipa/issue/9365
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
- - - - -
669d8af5 by Sudhir Menon at 2025-05-28T12:07:01+05:30
ipatests: Tests for krbLastSuccessfulAuth warning
This testcase checks that ipa-healthcheck issues a
warning when ipaconfigstring=AllowNThash
Ref: https://github.com/freeipa/freeipa-healthcheck/issues/315
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
cca17c67 by Sudhir Menon at 2025-05-29T14:26:11+05:30
ipatests: ipahealthcheck warns for user provided certificates about to expire
This patch tests that the ipa-healthcheck tool warns when the IPA server is
installed CALess and user provided certificates are about to expire.
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
30e707c4 by Sudhir Menon at 2025-05-29T14:26:11+05:30
Added TestIPAHealthcheckWithCALess to nightly yaml file.
TestIPAHealthcheckWithCALess has been added to the below nightly
yaml files.
nightly_latest.yaml
nightly_latest_selinux.yaml
nightly_latest_testing.yaml
nightly_latest_testing_selinux.yaml
nightly_previous.yaml
nightly_rawhide.yaml
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
78abf1ff by Florence Blanc-Renaud at 2025-06-03T13:41:48+02:00
ipatests: skip encrypted dns tests on fedora 41
The package ipa-server-encrypted-dns is not available on fedora 41
as it requires a more recent bind version.
Skip the tests that require this package in f41.
Fixes: https://pagure.io/freeipa/issue/9799
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
- - - - -
982569fc by Florence Blanc-Renaud at 2025-06-03T13:54:58+02:00
ipatests: fix xfail annotation for test_ipa_healthcheck_fips_enabled
The test is expected to fail
- on rhel 10.0 with ipa-healthcheck < 0.17
On Fedora 41, the command fips-mode-check is still available.
On Fedora 42, it has been removed but ipa-healthcheck 0.18 has
been adapted.
Fixes: https://pagure.io/freeipa/issue/9791
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b36c163f by David Hanina at 2025-06-03T15:46:56+02:00
Warn when UID is out of local ID ranges
Provides simple warning when creating new user with uid out of
all local ranges, as this is the main culprit of breaking Kerberos, by
not generating ipantsecurityidentifier. We don't have to check for
user-mod, because modification never changes ipantsecurityidentifier.
We do not have to check groups, as groups are ignored for ipa without
AD trust. It's reasonable to revisit this in the future for group
creation and warn against groups out of ranges as well as
warn for users with groups without SID, in case AD trust is enabled.
Fixes: https://pagure.io/freeipa/issue/9781
Signed-off-by: David Hanina <dhanina at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
3e15108f by Florence Blanc-Renaud at 2025-06-04T09:47:16+02:00
ipatests: fix invalid range creation in test_ipa_idrange_fix.py
The test is creating a local ID range without rid-base and
secondary-rid-base in order to test the behavior of ipa-idrange-fix.
Since the patch for ticket #9779 it is not possible any more to call
ipa idrange-add for local range without these parameters. The test needs
to create the invalid local range using a direct ldapmodify instead.
Fixes: https://pagure.io/freeipa/issue/9801
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
- - - - -
34ed47f8 by Antonio Torres at 2025-06-04T17:25:42+02:00
Fix inconsistency in manpage for DoT forwarder option
The example given in manpages for --dot-forwarder option is inconsistent
to the format that is required.
Fixes: https://pagure.io/freeipa/issue/9804
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
974a507e by Thomas Woerner at 2025-06-16T14:49:26+05:30
ipa-client-install: Fix nsupdate issues when dns_over_tls is enabled
The server commands for nsupdate.txt to define the server with the port
853 have been added for dns_over_tls. These commands do not have a leading
newline. This results in a syntax error as the next line is added to the
command.
Fixes: https://pagure.io/freeipa/issue/9806
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
- - - - -
6b9400c1 by Rob Crittenden at 2025-06-17T09:48:44+02:00
Set krbCanonicalName=admin@REALM on the admin user
The admin must always own this name. If another entry has this
value set then remove it.
There is a uniqueness plugin for this attribute so the only two
possibilities are:
- no entry has this value set
- the admin user has this value set
- a different entry has the value set
Still, for robustness purposes, the upgrade plugin will handle
more entries.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
- - - - -
5323b770 by Florence Blanc-Renaud at 2025-06-19T13:48:18+02:00
ipa-idrange-fix: check that IPA server is installed
If ipa-idrange-fix is called on a system where the server is not configured,
it crashes with a Traceback when trying to access api.env.basedn.
Check that IPA server is configured before processing further
ipatests: add test launching ipa-idrange-fix on unconfigured server
Fixes: https://pagure.io/freeipa/issue/9809
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
- - - - -
6346ca71 by Rob Crittenden at 2025-06-20T16:30:04+02:00
Add token options to immutables for pki override
Setting the HSM options in a pki-override-file will
result in a successful installation but it affects the
storage of the token library path. It is stored as None.
We could also instead save the provided value from the
override but an override isn't necessary in this case
since IPA provides command-line options to enable it.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
43b1fd77 by Julien Rische at 2025-06-20T17:24:23+02:00
ipa-kdb: support storing multiple KVNO for the same principal
All MIT krb5 keys are encoded with an encryption type identifier and a
KVNO (key version number). The KVNO is referring to the original
credentials string (and its associated salt) which was used to generate
the key using the derivation function of the associated encryption type.
So far, when a set of Kerberos keys was provided to ipa-kdb, only the
newest KVNO ones were saved in a single "krbPrincipalKey" LDAP
attribute. All the older ones were deleted in the process.
This commit allows older keys to be kept by splitting them into multiple
"krbPrincipalKey" attributes based on their KVNO.
Fixes: https://pagure.io/freeipa/issue/9370
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fb12d9e1 by Julien Rische at 2025-06-20T17:24:23+02:00
Use ipaplatform tasks for krb5 enctypes
Provide the master key encryption type and the list of supported
encryption types as ipaplatform.<platform>.tasks methods. This allows
generating the list at runtime based on the environment (e.g. FIPS) and
overriding the list depending on the platform.
3DES HMAC-SHA1 encryption type is now removed from supported encryption
types if it is present.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fb36633e by Julien Rische at 2025-06-20T17:24:23+02:00
Add test for master key upgrade
Since commit 4ed7da378940198cf4415f86d4eb013de6ac6455 in MIT krb5,
kdb5_util sets the required bits on the modification mask of updated
principal entries to enable ipa-kdb to switch the active master key.
This commit creates a "test_fedora_legacy" ipaplatform where the AES
HMAC-SHA2 encryption types are not enabled. "test_mkey_upgrade" uses
this platform to initialize a domain with an aes256-cts-hmac-sha1-96
master key, and test its upgrade to aes256-cts-hmac-sha384-192.
Some parts of the test infrastructure had to be made aware of this new
platform (e.g. firewall integration).
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
878b800e by Mark Reynolds at 2025-06-23T08:15:21+02:00
ipa-migrate - only remove repl state attribute options
Improve how we process attributes that might include replication state
data. Previously we only cared about ";binary" but there are other
attribute options that are used in IPA. Now we completely break down the
attribute into each option and rebuild it without any repl state options
Fixes: https://pagure.io/freeipa/issue/9784
Signed-off-by: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
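An added illustration of the attribute rewriting described in the commit above (not ipa-migrate's own code): an LDAP attribute description is the attribute type followed by zero or more ";option" tags, and an LDIF export that carries replication state tags attributes with CSN-bearing options. The helper below splits the description into its options, drops the replication state ones and rebuilds the rest in their original order, so ";binary", language tags and anything else application-level survive. The list of replication state option names is an assumption made for this example, as are the sample entry and its CSN values.

```python
# Assumed, not taken from ipa-migrate: the attribute options with which
# 389-ds tags replication state in an export (CSN-carrying options and the
# deletion markers). Any other option, such as ";binary" or a language tag,
# is application data and is kept.
REPL_STATE_PREFIXES = ("vucsn-", "vdncsn-", "mdcsn-", "adcsn-")
REPL_STATE_EXACT = {"deleted", "deletedattribute"}


def is_repl_state_option(option):
    """True for an attribute option that only encodes replication state."""
    low = option.lower()
    return low in REPL_STATE_EXACT or low.startswith(REPL_STATE_PREFIXES)


def strip_repl_state(attr_desc):
    """Rebuild an LDAP attribute description without replication state options.

    'userCertificate;binary;vucsn-...' -> 'userCertificate;binary'
    The attribute type and the remaining options keep their order and case;
    empty options produced by stray semicolons are dropped.
    """
    name, *options = attr_desc.split(";")
    kept = [opt for opt in options if opt and not is_repl_state_option(opt)]
    return ";".join([name, *kept])


def clean_entry(entry):
    """Apply strip_repl_state to every attribute of an entry ({attr: [values]}).

    Two source attributes that collapse to the same description (for example
    'cn' and 'cn;vucsn-...') are merged so that no value is lost.
    """
    cleaned = {}
    for attr_desc, values in entry.items():
        cleaned.setdefault(strip_repl_state(attr_desc), []).extend(values)
    return cleaned


# Constructed sample entry; the CSN values and the user are made up.
SAMPLE_ENTRY = {
    "uid;vucsn-6650a1b2000000010000": ["alice"],
    "cn": ["Alice Example"],
    "cn;vucsn-6650a1b2000000020000": ["Alice"],
    "userCertificate;binary;vucsn-6650a1b2000000030000": ["<base64 DER placeholder>"],
    "memberOf;adcsn-6650a1b2000000040000;vucsn-6650a1b2000000050000": [
        "cn=admins,cn=groups,cn=accounts,dc=example,dc=test",
    ],
    "description;lang-en;mdcsn-6650a1b2000000060000": ["example user"],
}

if __name__ == "__main__":
    for attr, values in clean_entry(SAMPLE_ENTRY).items():
        print(attr, values)
```

Whether an attribute tagged ";deletedattribute" should be imported at all is a separate decision from rewriting its name; this helper only normalizes the description, which is the step the commit is about.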
2eaba849 by Florence Blanc-Renaud at 2025-06-24T11:33:39+02:00
ipatests: fix test_adtrust_install_with_non_ipa_user
Fix the test scenario:
create a user with a second krbprincipalname but no
krbcanonical name.
kinit -E with the other name
try ipa-adtrust-install with the other name
It should fail with the error message 'user not found'
Fixes: https://pagure.io/freeipa/issue/9812
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
49ae3f15 by Sudhir Menon at 2025-06-25T17:01:22+05:30
ipatests: Tests for 32BitIdranges.
Running 32BitIdrange tests in AD environment
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
43033b0c by Sudhir Menon at 2025-06-25T17:01:22+05:30
ipatests: prci nightly definitions for 32BitIdranges
32BitIdranges testsuite has been included in the
nightly prci definitions.
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
4b877c7c by Thomas Woerner at 2025-06-26T08:19:51+02:00
ipa-client-install: New --no-dnssec-validation option
The new option is needed to be able to deactivate DNSSEC validation
for unbound.
Unbound is by default configured to do DNSSEC validation with the
validator module.
The solution is to set module-config to "iterator".
When the server is built with EDNS client subnet support this should be
changed to "subnetcache iterator" according to the unbound man page.
Fixes: https://pagure.io/freeipa/issue/9805
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
0bc08968 by Thomas Woerner at 2025-06-26T08:19:51+02:00
ipaserver/install/dns.py: Allow to Turn off DNSSEC validation for unbound
Unbound is by default configured to do DNSSEC validation with the validator
module. The solution is to set module-config to "iterator".
When the server is built with EDNS client subnet support this should be
changed to "subnetcache iterator" according to the unbound man page.
Fixes: https://pagure.io/freeipa/issue/9805
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
47626a95 by Thomas Woerner at 2025-06-26T12:08:50+02:00
Replica: Request cert for DoT before setting up bind
Deploying a replica with DNS support using an IPA server DNS with DoT
fails while setting up DNS over TLS. The request for the certificate for
DoT using IPA CA is done after the DNS server for the replica is configured.
The nameserver in /etc/resolv.conf has been changed to 127.0.0.1, but
unbound was not yet configured as a forwarder.
The solution is to move the cert request before the DNS server
configuration. The unbound config from the client deployment is still
working at that moment.
Fixes: https://pagure.io/freeipa/issue/9808
Signed-off-by: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>
- - - - -
76b3a342 by Antonio Torres at 2025-07-01T15:36:19+02:00
dns: only overwrite resolv.conf during eDNS setup when needed
Don't overwrite resolv.conf if it already points to 127.0.0.1. This
ensures compatibility with read-only containers.
Fixes: https://pagure.io/freeipa/issue/9813
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9d7689f9 by Rafael Guterres Jeffman at 2025-07-10T14:02:58-04:00
Use correct capitalization for GitHub and GitLab
The correct third party trademarks are GitHub and GitLab, and this is
the capitalization that needs to be used for documentation and messages,
when referring to each service.
Fixes: https://pagure.io/freeipa/issue/9811
Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
eada98e4 by Alexander Bokovoy at 2025-07-14T09:36:24-04:00
freeipa.spec.in: protect scriptlets in environment where dbus or systemd do not run
For quite some time, even as early as with Fedora 37, we had
Running scriptlet: freeipa-server-trust-ad-4.10.1-1.fc37.x86_64
338/343
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
System has not been booted with systemd as init system (PID 1). Can't operate.
Failed to connect to bus: Host is down
warning: %post(freeipa-server-trust-ad-4.10.1-1.fc37.x86_64) scriptlet failed,
exit status 1
Error in POSTIN scriptlet in rpm package freeipa-server-trust-ad
when installing freeipa-server-trust-ad, but the whole rpm transaction passed
and the dnf command returned with exit 0. So we did not care about that failure
because, well, it did not get reported in any way it could be caught.
This has changed with recent registry.fedoraproject.org/fedora:rawhide image
which seems to have rpm-5.99.91-1.fc43.x86_64. Now instead of exiting with 0 as
with previous registry.fedoraproject.org/fedora:rawhide images, the dnf exits
with 1, even if the version freeipa-server-trust-ad-4.12.2-14.fc43.x86_64 is
the same in both cases.
Fixes: https://pagure.io/freeipa/issue/9826
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a53b2a37 by Alexander Bokovoy at 2025-07-23T14:15:25-04:00
kdb: prevent double crash in RBCD ACL free
acl_list was set to prev->tl_data_contents and its value is freed but
then it is freed again outside of the if(). Just reset acl_list pointer
as prev->tl_data_contents is removed unconditionally outside of the RBCD
ACL removal.
Related: https://pagure.io/freeipa/issue/9367
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
4484ad72 by David Hanina at 2025-07-23T14:16:44-04:00
Fix terminal height for Rawhide
Replaces old ioctl function with shutil.get_terminal_size.
This should be more universal.
Fixes: https://pagure.io/freeipa/issue/9824
Signed-off-by: David Hanina <dhanina at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7e436ff6 by Stanislav Levin at 2025-07-25T16:00:15-04:00
install: make use of shared temp directory for hsm validation
During hsm validation a temporary directory and files are prepared
by root in the base temporary directory, which can be private and
thereby not readable by anybody but root. The validation, in its
turn, runs some checks as pkiuser and fails to read the inaccessible
resources in such a case.
Hence, to make them available some shared place needs to be used,
e.g. /tmp.
Fixes: https://pagure.io/freeipa/issue/9831
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
82fa9f1e by Sudhir Menon at 2025-07-28T08:45:52+02:00
ipatests: Tests for ipa-migrate tool with ldif file
This test checks that when ipa-migrate tool
uses ldif file it works without any error.
Related: https://pagure.io/freeipa/issue/9776
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
15d5093f by Sudhir Menon at 2025-07-28T08:45:52+02:00
ipatests: Nightly definitions for TestIPAMigratewithBackupRestore
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e8378a0d by Michal Polovka at 2025-07-28T14:31:07+02:00
ipatests: test_fips: Remove obsolete patch
Remove no-longer-required patch for crypto policy from the test_fips.py
suite which causes failures in the test runs.
Resolves: https://pagure.io/freeipa/issue/9810
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e6445b88 by Antonio Torres at 2025-07-29T17:14:45+02:00
dns: disable all previous Unbound configuration before deploying ours
Previous configuration from other packages might break our Unbound
setup. Rename the config files to disable them before deploying our
configuration.
Fixes: https://pagure.io/freeipa/issue/9814
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d8017371 by Anuja More at 2025-07-30T10:10:34+02:00
ipatests: Remove xfail from test_installation::test_number_of_zones
Removed xfail for test_number_of_zones
This test is xpass when executed in IdM-CI
but still failing in PRCI. There is a different configuration
in the 2 CIs and with this we will get a green test
in IdM-CI nightly tests.
Related: https://pagure.io/freeipa/issue/9135
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
52024ed7 by Florence Blanc-Renaud at 2025-07-30T16:46:15+02:00
Spec file: use nodejs22 on fedora 41+
Do not use the newest nodejs24 as it does not provide the /usr/bin/node
command, only /usr/bin/node-24.
Force the use of nodejs22.
Fixes: https://pagure.io/freeipa/issue/9836
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3ade90de by Wouter Schoot at 2025-07-31T09:09:10+02:00
Update 11-kerberos-ticket-policy.rst
Fixed missing backtick
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
76727f97 by Anuja More at 2025-08-06T13:22:32-04:00
ipatests: Add comprehensive tests for ipa-client-automount --domain option
- Add parametrized test for domain validation covering valid/invalid formats
- Add cross-domain discovery test showing --domain enables discovery when
client is in different domain than IPA domain
- Validate configuration in sssd.conf after successful automount setup
The new tests ensure --domain option works correctly and provides proper
hints for DNS discovery in cross-domain scenarios, reducing user friction
compared to requiring --server specification.
Related: https://pagure.io/freeipa/issue/9780
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
64809910 by Sam Morris at 2025-08-14T16:31:22-04:00
Fix ipa-client-install failure when a trusted CA's distinguished name contains slash characters
Fixes: https://pagure.io/freeipa/issue/8924
Signed-off-by: Sam Morris <sam at robots.org.uk>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
6069147e by Florence Blanc-Renaud at 2025-08-26T16:51:01+02:00
Spec file: bump samba version to 4.23.0 in f43 and above
Fixes: https://pagure.io/freeipa/issue/9843
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
c0994948 by Florence Blanc-Renaud at 2025-09-01T13:52:09+02:00
DNS over TLS: use system trust store
When a client or server is configured with DoT, the installer
creates /etc/unbound/conf.d/zzz-ipa.conf with
tls-cert-bundle: /etc/pki/tls/certs/ca-bundle.crt
This certificate bundle does not exist any more in fedora 43+
(https://fedoraproject.org/wiki/Changes/droppingOfCertPemFile)
and the missing file prevents unbound service from starting.
The configuration should rather set
tls-system-cert: yes
in order to rely on the systemwide trust store.
The upgrade is also handled by this change.
Fixes: https://pagure.io/freeipa/issue/9838
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
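Two of the commits above touch the unbound fragment that the installers write: the --no-dnssec-validation commits (module-config "iterator" versus the default validator module, or "subnetcache iterator" on an EDNS-client-subnet build) and this one (tls-system-cert: yes in place of a tls-cert-bundle: file that no longer exists on Fedora 43+). The following is an added example, not the project's installer code, that composes the module-config string from those two switches, renders a DoT forwarding fragment on port 853, and performs the upgrade rewrite of an old fragment idempotently. The helper names are hypothetical; the directives themselves (module-config, tls-system-cert, tls-cert-bundle, forward-tls-upstream, forward-addr) are unbound's own. The sample fragment, its forwarder address and auth name are constructed.

```python
import re

# Hypothetical helper names; the directives themselves are unbound's own.


def unbound_module_config(dnssec_validation=True, ecs_support=False):
    """Compose unbound's module-config string.

    The validator module is what performs DNSSEC validation, so leaving it
    out ("iterator" alone) disables validation. When unbound is built with
    EDNS client subnet support the subnetcache module has to come first.
    """
    modules = []
    if ecs_support:
        modules.append("subnetcache")
    if dnssec_validation:
        modules.append("validator")
    modules.append("iterator")
    return " ".join(modules)


def render_unbound_fragment(forwarders, dnssec_validation=True, ecs_support=False):
    """Render a zzz-ipa.conf-style fragment forwarding everything over DoT.

    forwarders is a list of (ip, tls_auth_name) pairs; the auth name is what
    unbound verifies the upstream's certificate against, using the system
    trust store rather than a hard-coded CA bundle file.
    """
    lines = [
        "server:",
        f'    module-config: "{unbound_module_config(dnssec_validation, ecs_support)}"',
        "    tls-system-cert: yes",
        "forward-zone:",
        '    name: "."',
        "    forward-tls-upstream: yes",
    ]
    for ip, auth_name in forwarders:
        # IP@port#authname: port 853 is DNS over TLS
        lines.append(f"    forward-addr: {ip}@853#{auth_name}")
    return "\n".join(lines) + "\n"


_OLD_BUNDLE_RE = re.compile(r"^([ \t]*)tls-cert-bundle:[ \t]*\S+[ \t]*$", re.MULTILINE)


def upgrade_trust_store(config_text):
    """Replace a tls-cert-bundle: <file> line by tls-system-cert: yes.

    Returns (new_text, replacements). Running it on an already migrated
    fragment changes nothing, so it is safe to run on every upgrade.
    """
    return _OLD_BUNDLE_RE.subn(r"\1tls-system-cert: yes", config_text)


# Constructed sample of a pre-fix fragment; the forwarder address is from
# the documentation range and the auth name is made up.
OLD_FRAGMENT = """\
server:
    module-config: "validator iterator"
    tls-cert-bundle: /etc/pki/tls/certs/ca-bundle.crt
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#dot.example.test
"""

if __name__ == "__main__":
    new_text, count = upgrade_trust_store(OLD_FRAGMENT)
    print(f"{count} line(s) migrated")
    print(new_text)
```

Pointing unbound at the system trust store has a second benefit beyond surviving the Fedora change: CA additions and removals made with the distribution's trust tooling apply to DoT validation without touching the IPA fragment.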
40b24b24 by Florence Blanc-Renaud at 2025-09-03T08:37:50+02:00
ipatests: fix test_certmonger_ipa_responder_jsonrpc
Test scenario:
- install IPA server and client
- store the start date
- request a certificate on the client using ipa-getcert
- check in the journal after start date that the request was done using the
https://.../ipa/json URI
The test obtains the start date on the runner. As a consequence, if the runner
is late compared to the client, it may miss the message in the journal.
The date should rather be obtained on the client.
Fixes: https://pagure.io/freeipa/issue/9848
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
81aadac8 by Florence Blanc-Renaud at 2025-09-03T08:41:00+02:00
ipatests: remove xfail for PKI 11.7
The test test_ca_show_error_handling is green with PKI 11.7
because the PKI regression has been fixed.
Update the xfail condition to 11.5 <= version < 11.7.
Fixes: https://pagure.io/freeipa/issue/9606
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ca29a5a4 by Florence Blanc-Renaud at 2025-09-05T10:59:05+02:00
xmlrpc test: fix test_find_orphan_automember_rules
The test was written with a complex logic depending on the
installed version of 389-ds. The command was expected to fail if
version < 1.4.0.22.
Fedora has been shipping the fixed version for a long time already,
and the test can be simplified. Moreover, the code responsible
for retrieving 389 ds version does not work for ds 3.1.3 which
provides a vendorVersion attribute not compliant with python
versioning schema.
Fixes: https://pagure.io/freeipa/issue/9850
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
b0e4cdbf by Florence Blanc-Renaud at 2025-09-05T17:13:55+02:00
ipatests: fix test_otp
The test is performing ssh from the runner to the master
but is using the external_hostname and randomly fails.
Make sure to use the configured hostname instead.
Fixes: https://pagure.io/freeipa/issue/9849
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
70518cec by Florence Blanc-Renaud at 2025-09-10T07:58:44+02:00
azure webui tests: force chromium version
azure webui tests are failing with chromium-140.0.7339.80-1.fc42
Force to install an older version
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
96c3d2d1 by Alexander Bokovoy at 2025-09-12T14:03:09+02:00
dcerpc: make sure forest trust info structure version is 1
[MS-DRSR] 5.64 FOREST_TRUST_INFORMATION defines version of the
ForestTrustInfo structure as 1. We didn't set it so it was defaulting to
zero. Samba validates the version number and rejects ForestTrustInfo
structures from FreeIPA.
Make sure new structures are always set to version 1 and old structures
fixed up to have version 1.
Fixes: https://pagure.io/freeipa/issue/9852
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
- - - - -
ae8e8507 by Alexander Bokovoy at 2025-09-12T14:03:09+02:00
dcerpc: Support Samba 4.23
Samba 4.23 ignores trust to PIM and 'within the forest' domains. It
didn't know what to do with them in the past as well but starting with 4.23
the domain trust entries which have trust attributes with
LSA_TRUST_ATTRIBUTE_PIM_TRUST and LSA_TRUST_ATTRIBUTE_WITHIN_FOREST bits
set will be ignored.
FreeIPA did default to LSA_TRUST_ATTRIBUTE_WITHIN_FOREST for domains
stored with trusted attributes set to 0 or missing. This was the behavior in
the past for Samba as well. Since FreeIPA only supports forest trust and an
external trust, in both cases we should set explicit LSA trust attribute
bits:
- LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE for the forest trust
- LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE for the external trust
Fixes: https://pagure.io/freeipa/issue/9852
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
- - - - -
6594c9d5 by Alexander Bokovoy at 2025-09-12T14:03:09+02:00
ipasam: simplify error handling in fill_pdb_trusted_domain
Related: https://pagure.io/freeipa/issue/9852
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
- - - - -
3c3a0945 by Alexander Bokovoy at 2025-09-12T14:03:09+02:00
ipasam: address signedness warnings
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
- - - - -
516ad5a8 by Alexander Bokovoy at 2025-09-12T14:03:09+02:00
ipasam: define prototypes
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>
- - - - -
b73d8f18 by Florence Blanc-Renaud at 2025-09-17T10:50:15-04:00
ipatests: update the Let's Encrypt cert chain
The test TestIPACommand::test_cacert_manage is using
Let's Encrypt chain to check the ipa-cacert-manage install
command.
The chain isrgrootx1 > r3 must be replaced with
isrgrootx1 > r12 because r3 expired Sep 15.
Fixes: https://pagure.io/freeipa/issue/9857
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
9f49a8da by Rob Crittenden at 2025-09-18T09:49:09+02:00
Test that certificates beyond 2038 can be parsed
The old 32-bit time_t will overflow in 2038. Test that
the IPA certificate loader will be able to parse
certificates far into the future.
Related: https://pagure.io/freeipa/issue/2496
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f2a8f5cc by Rob Crittenden at 2025-09-18T09:49:09+02:00
Test that password expiration date past 2038 works
There was a time we capped the expiration date at 2038
because otherwise time would overflow. That was fixed.
Add a test to ensure it stays that way.
Fixes: https://pagure.io/freeipa/issue/2496
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
2f3c035e by Alexander Bokovoy at 2025-09-18T13:29:32+05:30
GetEntryFromLDIF: handle DNs case-insensitive
LDAP expects case-insensitive DNs, so modify LDIF parser to
compare DNs as case-insensitive strings and use case-preserving but
case-insensitive dictionary.
Fixes: https://pagure.io/freeipa/issue/9854
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
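The case-preserving but case-insensitive DN comparison the commit above describes, as an added illustration (example code, not FreeIPA's own GetEntryFromLDIF or its LDIF parser). The DNDict class, the minimal LDIF reader and the sample LDIF are constructed for this example; the DN normalization folds case on both attribute type and value, which is correct for caseIgnore attribute types such as cn, uid and dc and is an assumption for anything else.

```python
import base64
import re
from collections.abc import MutableMapping

# Split a DN on RDN separators, ignoring commas escaped with a backslash.
# (Assumes no "\\," sequences; full RFC 4514 parsing is out of scope here.)
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn):
    """Canonical form used only for comparison: attribute types and values
    lower-cased, whitespace around separators removed.  Folding the value
    assumes caseIgnore attribute types (cn, uid, dc, ...) in every RDN."""
    parts = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition("=")
        parts.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return ",".join(parts)


class DNDict(MutableMapping):
    """Case-preserving, case-insensitive dictionary keyed by DN.

    The DN spelling of the first insertion is kept and returned on
    iteration; lookups and later assignments match regardless of case."""

    def __init__(self):
        self._data = {}  # normalized DN -> (DN as first written, value)

    def __getitem__(self, dn):
        return self._data[normalize_dn(dn)][1]

    def __setitem__(self, dn, value):
        key = normalize_dn(dn)
        original = self._data[key][0] if key in self._data else dn
        self._data[key] = (original, value)

    def __delitem__(self, dn):
        del self._data[normalize_dn(dn)]

    def __iter__(self):
        return (original for original, _ in self._data.values())

    def __len__(self):
        return len(self._data)


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, folded
    continuation lines (leading space) unfolded, '::' values base64-decoded.
    Returns a DNDict of DN -> {attribute: [values]}."""
    entries = DNDict()
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]        # unfold continuation line
            elif line and not line.startswith("#"):
                lines.append(line)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):         # "attr:: base64"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries[dn] = attrs
    return entries


def get_entry_from_ldif(text, dn):
    """Look up one entry by DN, case-insensitively; None if absent."""
    return parse_ldif(text).get(dn)


# Constructed sample LDIF for the example (not taken from a real deployment).
SAMPLE_LDIF = """\
dn: uid=Admin,cn=users,cn=accounts,dc=Example,dc=Test
uid: Admin
objectClass: person
description:: QWRtaW4gYWNjb3VudA==
mail: admin@example.
 test

dn: cn=config
cn: config
"""
```

A lookup with a differently cased DN hits the same entry, and a later assignment under a differently cased DN updates that entry instead of creating a duplicate, which is the behaviour the commit wants when an LDIF written by one tool is compared against DNs produced by another.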
0d0a558b by Florence Blanc-Renaud at 2025-09-18T17:14:08+02:00
ipatests: exclude TomcatFileCheck when RSN are enabled
Because of PKI issue #4906, the permissions of
/var/lib/pki/pki-tomcat/conf/ca/CS.cfg
are too permissive when RSN is enabled and the check TomcatFileCheck
from ipahealthcheck.ipa.files fails.
Exclude this check when RSN are enabled.
Related: https://github.com/dogtagpki/pki/issues/4906
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
92f992a6 by Florence Blanc-Renaud at 2025-09-18T17:16:06+02:00
ipatests: add xfail for TestKRAinstallAfterCertRenew
With PKI 11.6, pkispawn checks that the certificate provided in
pki_admin_cert_file = /root/.dogtag/pki-tomcat/ca_admin.cert is still
valid.
In this scenario the date is moved past the validity date and IPA
does not refresh the certificate, hence the test fails.
Mark as known issue (ticket https://pagure.io/freeipa/issue/9763)
Related: https://pagure.io/freeipa/issue/9763
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
46b7c16b by Rob Crittenden at 2025-09-18T17:20:01+02:00
Don't let lack of subca in PKI prevent LDAP deletion
If a subCA only exists in LDAP then it couldn't be removed.
Allow the process to continue. It will fail in the same way if
it doesn't exist on both Dogtag and IPA.
Related: https://pagure.io/freeipa/issue/9738
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
cc459c8c by Rob Crittenden at 2025-09-18T17:22:19+02:00
Catch decoding errors in CertificateSigningRequest parameters
A try/except is needed around base64.b64decode in case an invalid
CSR is passed in to a cert function.
Related: https://pagure.io/freeipa/issue/9738
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
2b2cd1ea by Alexander Bokovoy at 2025-09-19T13:45:16+02:00
ipasam: remove definitions which are included from ndr_drsblobs.h
We do not need to have duplicates as we include them. They used to not be
exported by Samba, but that is no longer the case.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
0b796ce7 by Florence Blanc-Renaud at 2025-09-22T18:14:21+02:00
ipatests: fix TestIPAMigratewithBackupRestore setup
The test is installing a first master with DNS enabled, then a
second master (same domain name, with DNS enabled) in order to
perform migration.
Add --allow-zone-overlap to the 2nd master installation.
Fixes: https://pagure.io/freeipa/issue/9858
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sudhir Menon <sumenon at redhat.com>
- - - - -
9b7fc311 by David Hanina at 2025-09-25T17:07:35+02:00
Add modern webui build
Adds modern webui as a submodule. Contains changes in the specfile to
include the `dist` folder of modern webui.
Edits Apache httpd template to allow routing to modern webui, however
old ui is still the default.
Requires https://github.com/freeipa/freeipa-webui/pull/695 to be merged.
Signed-off-by: David Hanina <dhanina at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
563f20e2 by David Hanina at 2025-09-25T17:07:35+02:00
Add info about modern webui
Adds a small information note, regarding launching modern webui with
redirect link.
Signed-off-by: David Hanina <dhanina at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b866ec29 by Rob Crittenden at 2025-09-30T10:22:38+02:00
Enforce uniqueness across krbprincipalname and krbcanonicalname
This relies on a fix in 389-ds that extends the uniqueness plugin
to be able to compare attributes with different matching syntax.
This will prevent privilege escalation attacks if one of the
attributes is not set on an entry but is set elsewhere.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
- - - - -
bf768991 by Julien Rische at 2025-09-30T10:22:47+02:00
ipa-kdb: enforce PAC presence on TGT for TGS-REQ
MS-KILE's PA-PAC-REQUEST sequence allows the Kerberos client to request
a TGT without a PAC. At the moment, there is no way to configure the MIT
KDC to reject such a request.
This commit enforces the presence of the PAC when processing TGTs
provided by TGS-REQ. It ensures the server principal of the TGT is the
same as the one in PAC_CLIENT_INFO (i.e. enforces client principal
canonicalization) with integrity check.
Only one exception is applied: this check is skipped for local TGTs on
domains where the MS-PAC generator is not initialized (i.e. domains where
SID generation was not executed yet).
Signed-off-by: Julien Rische <jrische at redhat.com>
- - - - -
96a5e706 by Florence Blanc-Renaud at 2025-09-30T10:22:51+02:00
ipatests: extend test for unique krbcanonicalname
Add a test ensuring that root at REALM cannot be added as
krbcanonicalname
Add a test for PAC enforcement:
try to access a service using a TGT obtained without PAC.
Should fail as PAC is now enforced.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
db188b9a by Florence Blanc-Renaud at 2025-09-30T17:02:13+02:00
Tests xmlrpc: mark xfail tests requesting cert with subca
With PKI 11.7, requesting a cert with a subca fails.
Mark the tests as xfail for now.
Related: RHEL-108293
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
- - - - -
1c8003ca by Florence Blanc-Renaud at 2025-10-02T16:38:55-04:00
Spec file: bump version for 389-ds
IPA relies on the patch for https://github.com/389ds/389-ds-base/issues/6857
Allow Uniqueness plugin to search uniqueness attributes using custom
matching rules
Provided in 389-ds 3.1.3-2 on fedora 41, 42
3.1.3-7 on fedora 43+
2.7.0-7 on RHEL 9.7
3.1.3-5 on RHEL 10.1
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
db4ff377 by Florence Blanc-Renaud at 2025-10-03T16:06:08+02:00
ipatests: fix TestIpaClientAutomountDiscovery
When executed in IDM-CI the test fails because the file
/etc/resolv.conf is overwritten by Networkmanager.
Use the methods provided by the tasks module to modify
resolver configuration.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
892fea88 by Rob Crittenden at 2025-10-03T15:29:40-04:00
Add support for libpwpolicy credit to password policy
We already have libpwquality plumbed in. The ask here was
to support the quality credits as well.
There are four credits: digits, uppers, lowers and others
These either count complexity towards satisfying the minimum
length or set the minimum number of a type allowed.
If any of the four credits is configured then it will cause
the password policy plugin to go through libpwquality.
Reminder that libpwquality sets its own min password length
floor that should be overridden already.
If min_classes is set as well then that is still enforced.
Fixes: https://pagure.io/freeipa/issue/9835
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
- - - - -
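The two meanings of a credit value the commit above refers to ("count complexity towards satisfying the minimum length or set the minimum number of a type"), re-implemented in plain Python as an added example. This is not IPA's password policy plugin and not libpwquality; CreditPolicy is a hypothetical policy object whose field names follow pwquality.conf. The sign convention (credit >= 0 is a maximum credit towards minlen, credit < 0 is a required minimum count) is libpwquality's documented one; that IPA passes the four credits through unchanged is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CreditPolicy:
    """Hypothetical policy object for the example; field names follow
    pwquality.conf (minlen, dcredit, ucredit, lcredit, ocredit, minclass)."""
    minlen: int = 8
    dcredit: int = 0   # digits
    ucredit: int = 0   # upper-case letters
    lcredit: int = 0   # lower-case letters
    ocredit: int = 0   # anything else (punctuation, space, ...)
    minclass: int = 0  # minimum number of distinct classes present


def count_classes(password):
    """Number of characters in each of the four libpwquality classes."""
    counts = {"dcredit": 0, "ucredit": 0, "lcredit": 0, "ocredit": 0}
    for ch in password:
        if ch.isdigit():
            counts["dcredit"] += 1
        elif ch.isupper():
            counts["ucredit"] += 1
        elif ch.islower():
            counts["lcredit"] += 1
        else:
            counts["ocredit"] += 1
    return counts


def check_password(password, policy):
    """Apply the credit rules and return a list of violations (empty = OK).

    libpwquality sign convention: a credit >= 0 is the *maximum* number of
    characters of that class that may count towards minlen on top of the
    raw length; a credit < 0 is the *minimum* number of characters of that
    class that must be present (and adds nothing to the length score)."""
    counts = count_classes(password)
    score = len(password)
    violations = []
    for name, have in counts.items():
        credit = getattr(policy, name)
        if credit < 0:
            if have < -credit:
                violations.append("%s: need at least %d, got %d"
                                  % (name, -credit, have))
        else:
            score += min(have, credit)
    if score < policy.minlen:
        violations.append("minlen: length score %d < %d"
                          % (score, policy.minlen))
    present = sum(1 for have in counts.values() if have > 0)
    if present < policy.minclass:
        violations.append("minclass: %d classes present < %d"
                          % (present, policy.minclass))
    return violations
```

With positive credits a 9-character password containing two digits and one capital satisfies minlen=10 (score 9+2+1); with negative credits the same length is irrelevant to the class check and the password fails unless the required counts are met. minclass is evaluated independently of the credits, matching the commit's note that min_classes is still enforced.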
14d7a5b3 by Anuja More at 2025-10-08T09:29:28+02:00
ipatests: Refactor and port trust functional HBAC tests.
- Tests to cover both root domain and subdomain users:
- Test that adding AD users/groups without the external group to
HBAC rules fails.
- Test HBAC rule denies SSH access for AD users.
- Test HBAC rule allows SSH access for AD users in external group.
- Test HBAC rule denies sudo access for AD users when rule doesn't
include them.
- Test HBAC rule allows sudo access for AD users in external group.
Related: https://pagure.io/freeipa/issue/9845
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
89fb6ad4 by PRANAV THUBE at 2025-10-10T11:48:12+02:00
Extended eDNS testsuite with Relaxed policy testcases.
1. Relaxed policy without certs and including --no-dnssec-validation
2. Relaxed policy with external CA and including --no-dnssec-validation
Automated with Cursor+Claude
Related: https://issues.redhat.com/browse/IDM-2894
Signed-off-by: PRANAV THUBE <pthube at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>
- - - - -
9605ea9a by Rob Crittenden at 2025-10-10T16:52:50+05:30
Use Augeas when updating dbmodules in krb5.conf
This replaces the straight string parsing from IPAv3.0.0.
It should be much more robust and result in a valid
configuration file when complete. aug.save() will
assure that as it will raise an error otherwise.
This will handle the following cases:
* db_library = ipadb.so : do nothing
* db_library is missing, set to ipadb.so
* db_library is something else, replace with ipadb.so
Fixes: https://pagure.io/freeipa/issue/9862
Related: https://pagure.io/freeipa/issue/5913
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a66df6d7 by David Hanina at 2025-10-13T10:35:47+02:00
Fix webui submodule copr build
It's required to install git for copr, so we can fetch the
webui submodule. Updates webui to use clean-install, updates
dependencies and replaces SWC with Babel for build due to
being architecture agnostic.
Signed-off-by: David Hanina <dhanina at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d9a2a6ab by Aleksandr Sharov at 2025-10-14T08:20:23+02:00
Allow ipa tool to force specific server
Fixes: https://pagure.io/freeipa/issue/9744
Signed-off-by: Aleksandr Sharov <asharov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
- - - - -
dd8b7214 by Florence Blanc-Renaud at 2025-10-17T17:22:08+02:00
PRCI tests: update vagrant image with latest PKI / certmonger package
Fedora 42 now ships PKI 11.7.0-5 and certmonger 0.79.21-1.
Update the vagrant image to 0.0.9 in order to pull the new versions.
Related: IDM-3437
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
7f8841cd by Florence Blanc-Renaud at 2025-10-17T17:22:08+02:00
Revert "Tests xmlrpc: mark xfail tests requesting cert with subca"
This reverts commit db188b9ad8dd361ccf3046cf4492499d1bdf9c74.
PKI 11.7.0-3 in fedora 42 fixes the issue with subca cert issuance.
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
78b43256 by Florence Blanc-Renaud at 2025-10-17T17:22:08+02:00
test_cert: adapt the expect error message to PKI 11.7.0-5
The error message returned by ipa ca-show has changed with PKI 11.7.
Adapt the test to succeed with old and new versions.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c7f07d45 by Florence Blanc-Renaud at 2025-10-17T17:22:08+02:00
Integration test: fix teardown of test_expiration_date_post_2038
The test moves the date in the future, performs checks and in the
teardown method uninstalls and moves the date back to the current time.
It often fails in the teardown part because certmonger is in the process
of renewing the expired certificates.
Apply the same strategy as other tests fiddling with the date:
stop certmonger and remove the tracking requests before uninstallation.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a0a8cbf7 by Florence Blanc-Renaud at 2025-10-17T17:22:08+02:00
ipatests: mark test_scale_add_subca as xfail
The test is unstable because of PKI ticket 4677
Mark as xfail for now.
Related: https://github.com/dogtagpki/pki/issues/4677
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
3b5caf9d by Rob Crittenden at 2025-10-27T18:20:45-03:00
Include the HSM token name when creating LWCAs
In order to generate the private key for an LWCA (subca)
on an HSM the name of the subca needs to be the HSM token
name : name_of_subca, e.g. ipa_token:test.
This works fine now without any code changes but it requires
that admins always remember to include the prefix which is
unlikely (everyone makes mistakes). So do it for them if
an HSM is present and a token is not provided. We only support
one token at a time in IPA so for now this is sufficient.
One can also mix-and-match including the token and not.
For example you can run:
$ ipa ca-add test --subject cn=test
$ ipa ca-show ipa_token:test
It shouldn't be an issue if a lwca name contains a colon.
Fixes: https://pagure.io/freeipa/issue/9865
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
b94848cc by Rob Crittenden at 2025-10-27T18:20:45-03:00
Temp commit
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
3bb87c26 by Alexander Bokovoy at 2025-10-28T17:57:43+05:30
doc/api: regenerate notes
There seem to be a difference between API notes in different files: some
contain CRLF, some LF only, and also some empty lines are present while
they should not be there.
Normalize the remaining API docs.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
- - - - -
205563cc by Alexander Bokovoy at 2025-10-28T17:57:43+05:30
makeapi: enforce en_US.UTF-8 locale when sorting API files
Collation should be the same for API files or we will end up with
differences between development environments.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
- - - - -
0e272e33 by Alexander Bokovoy at 2025-10-28T17:57:43+05:30
API: correct ordering for password policy credits
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
- - - - -
b38b6814 by Anuja More at 2025-10-28T11:54:44-04:00
Revert "Temp commit"
This reverts commit b94848ccff807951bacfa42886ec91342094e85e.
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
a4a218b4 by vectinx at 2025-10-30T15:07:41-04:00
slapi-plugins: Add replication checking to the Modrdn plugin
The Modrdn plugin doesn't check whether the operation it processes is replicated.
This results in duplicate operations on each replica, for example, when deleting a saved user.
To fix this behavior, a check was added to the Modrdn plugin that the operation is not replicated.
Fixes: https://pagure.io/freeipa/issue/9867
Signed-off-by: vectinx <vectinx at yandex.ru>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
a4ff2fcc by Florence Blanc-Renaud at 2025-10-31T16:28:03-04:00
Azure CI: Use F43
Fedora 43 is now available, switch azure CI to this version.
Fixes: IDM-3231
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
3c5160bb by Florence Blanc-Renaud at 2025-10-31T16:28:03-04:00
Azure: fix the configuration issue
The command launching autogen.sh ends with \ and on fedora 43
this causes a build failure
checking build system type... Invalid configuration '\': machine '\-unknown' not recognized
configure: error: /bin/sh ./config.sub \ failed
Remove the trailing \
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
1652e70f by Florence Blanc-Renaud at 2025-10-31T16:28:03-04:00
Azure: fix WebUI tests
Instead of using chromium from the distribution, use the
browser provided with Puppeteer and disable the sandbox
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
166dbfb6 by Alexander Bokovoy at 2025-11-03T10:07:30+01:00
krb5.conf templates: remove Kerberos 4 support
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
890474ae by Alexander Bokovoy at 2025-11-03T10:07:30+01:00
krb5.conf templates: move IPA domain configuration into a separate snippet
Instead of modifying /etc/krb5.conf with all IPA realm configuration, follow
the practice of creating a separate config snippet file owned by IPA.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
7a6391f2 by Alexander Bokovoy at 2025-11-03T10:07:30+01:00
Require krb5.conf.d because we install snippets there
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f395e162 by Anuja More at 2025-11-03T16:01:12-05:00
ipatests: Refactor and port trust functional SUDO tests.
- Test scenarios :
- AD users running commands as root via external groups
- AD users switching to other AD user accounts
- IPA users running commands as AD users
- Sudo rule disable/enable functionality
- Command allow/deny restrictions
- Access denial for users not in sudo rules
- Automated with Cursor+Claude
Related: https://pagure.io/freeipa/issue/9845
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
- - - - -
f17fba0a by Alexander Bokovoy at 2025-11-03T17:18:05-05:00
ipa-pwd-extop: add SysAcctManagersDNs support
Add new attribute, SysAcctManagersDNs, to store list of DNs allowed to
reset user passwords without forcing the users to change them
afterwards.
This list will differ from the use of PassSyncManagersDNs by the fact
that password policy checks will still apply to those password changes.
Fixes: https://pagure.io/freeipa/issue/9842
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
24e4fd5c by Alexander Bokovoy at 2025-11-03T17:18:05-05:00
Add system accounts (sysaccounts)
Introduce support for LDAP-based system accounts by adding a dedicated
sysaccount plugin with full CLI commands, extending role membership to
include system accounts, and providing warnings for passsync
configuration updates across servers, along with corresponding
documentation and tests.
New Features:
Implement system accounts LDAP object with CLI commands for add,
delete, modify, find, show, enable, and disable.
Enhancements:
Extend role and baseldap plugins to support sysaccount membership
and manage passsync managers with a ServerSysacctMgrUpdateRequired
warning.
Documentation:
Add a design document for system accounts and regenerate API docs
for sysaccount commands and role membership.
Tests:
Update existing role and service plugin tests to cover sysaccount
membership.
Fixes: https://pagure.io/freeipa/issue/9842
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
8c7427a2 by Alexander Bokovoy at 2025-11-03T17:18:05-05:00
sysaccounts: add integration test
The integration test was created with the help of claude.ai by
providing the following prompt:
>> given the design document in doc/designs/sysaccounts.md, write an
>> integration test for sysaccounts module
Fixes: https://pagure.io/freeipa/issue/9842
Assisted-by: Claude <noreply at anthropic.com>
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
ce1e44b8 by Florence Blanc-Renaud at 2025-11-04T18:47:33+01:00
Modern webui: refresh to the tip of main branch
A previous commit overwrote the version of freeipa-webui and
went back before the patch that was fixing the copr build.
Refresh to the tip of freeipa-webui to include the copr fix.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
- - - - -
facc956a by hsu zangmen at 2025-11-05T09:17:01+01:00
Added translation using Weblate (Chinese (Traditional Han script))
Co-authored-by: hsu zangmen <chzang55 at gmail.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
2ecfce6f by Temuri Doghonadze at 2025-11-05T09:17:01+01:00
Translated using Weblate (Georgian)
Currently translated at 36.6% (1788 of 4881 strings)
Translated using Weblate (Georgian)
Currently translated at 35.9% (1755 of 4881 strings)
Translated using Weblate (Georgian)
Currently translated at 35.8% (1751 of 4881 strings)
Co-authored-by: Temuri Doghonadze <temuri.doghonadze at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
a7abe5a7 by Fco. Javier F. Serrador at 2025-11-05T09:17:01+01:00
Translated using Weblate (Spanish)
Currently translated at 58.3% (2847 of 4881 strings)
Co-authored-by: Fco. Javier F. Serrador <fserrador at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/es/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
222bf766 by Rafael Fontenelle at 2025-11-05T09:17:01+01:00
Translated using Weblate (Spanish)
Currently translated at 58.3% (2847 of 4881 strings)
Co-authored-by: Rafael Fontenelle <rafaelff at gnome.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/es/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
b2eddfa5 by Weblate at 2025-11-05T09:17:01+01:00
Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.
Co-authored-by: Weblate <noreply at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f248ad4a by Piotr Drąg at 2025-11-05T09:17:01+01:00
Translated using Weblate (Polish)
Currently translated at 9.3% (456 of 4881 strings)
Co-authored-by: Piotr Drąg <piotrdrag at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/pl/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
458f32ac by Temuri Doghonadze at 2025-11-05T09:17:01+01:00
Translated using Weblate (Georgian)
Currently translated at 36.6% (1791 of 4881 strings)
Co-authored-by: Temuri Doghonadze <temuri.doghonadze at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ebc7c541 by Weblate Translation Memory at 2025-11-05T09:17:01+01:00
Translated using Weblate (Georgian)
Currently translated at 36.6% (1791 of 4881 strings)
Co-authored-by: Weblate Translation Memory <noreply-mt-weblate-translation-memory at weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ka/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e6be53c1 by Fco. Javier F. Serrador at 2025-11-05T09:17:01+01:00
Translated using Weblate (Spanish)
Currently translated at 62.5% (3055 of 4881 strings)
Translated using Weblate (Spanish)
Currently translated at 62.4% (3047 of 4881 strings)
Translated using Weblate (Spanish)
Currently translated at 62.3% (3045 of 4881 strings)
Translated using Weblate (Spanish)
Currently translated at 59.1% (2886 of 4881 strings)
Co-authored-by: Fco. Javier F. Serrador <fserrador at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/es/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d0ea5b5a by Pejman Rezaei at 2025-11-05T09:17:01+01:00
Translated using Weblate (Persian)
Currently translated at 0.6% (30 of 4881 strings)
Added translation using Weblate (Persian)
Co-authored-by: Pejman Rezaei <prezaei.eu at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/fa/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
f0d5a206 by Christian Rohr at 2025-11-05T09:17:01+01:00
Translated using Weblate (German)
Currently translated at 27.4% (1340 of 4881 strings)
Co-authored-by: Christian Rohr <christian.rohr at mailbox.org>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/de/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
cc986fd8 by Andi Chandler at 2025-11-05T09:17:01+01:00
Translated using Weblate (English (United Kingdom))
Currently translated at 0.2% (14 of 4881 strings)
Co-authored-by: Andi Chandler <andi at gowling.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/en_GB/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
872189e2 by Arif Budiman at 2025-11-05T09:17:01+01:00
Translated using Weblate (Indonesian)
Currently translated at 42.0% (2054 of 4881 strings)
Co-authored-by: Arif Budiman <arifpedia at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/id/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
1550fede by Florence Blanc-Renaud at 2025-11-05T09:17:01+01:00
Localization: remove zh_Hant file
When a translation file does not contain any translation, the
build is broken. Remove the zh_Hant file as it is still empty.
Fix es.po
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d4c3b150 by Alexander Bokovoy at 2025-11-05T17:42:25-05:00
freeipa.spec: use proper package name when installing Web UI license
On CentOS Stream and RHEL the package name is 'ipa', not 'freeipa'
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
Reviewed-By: Carla Martinez <carlmart at redhat.com>
- - - - -
3894ad88 by PRANAV THUBE at 2025-11-05T17:45:04-05:00
Port bash sudo tests.
Description: Porting the bash sudo testsuite to upstream (including all
negative and positive test cases). Automated with Cursor+Claude
Related: https://issues.redhat.com/browse/IDM-2875
Signed-off-by: PRANAV THUBE <pthube at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
0ff5d6a3 by Florence Blanc-Renaud at 2025-11-07T15:48:24+01:00
TestHttpKdcProxy: use the snippet file for krb5 config
The test edits krb5 client configuration in /etc/krb5.conf in order
to use a KDC proxy, but the configuration has moved to the snippet
file /etc/krb5.conf.d/freeipa-realm.
Fix the file path.
Fixes: https://pagure.io/freeipa/issue/9871
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
bd828847 by Florence Blanc-Renaud at 2025-11-07T15:50:56+01:00
Backup-restore: backup krb5.conf.d snippet files
The installation of ipa server creates snippets in /etc/krb5.conf.d/
- freeipa-realm
- freeipa-server
Include these files in the backup
Fixes: https://pagure.io/freeipa/issue/9870
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
f2fc104f by Alexander Bokovoy at 2025-11-11T14:44:00+01:00
sysaccount: make sure nsaccountlock is always present
Commands sysaccount-enable/sysaccount-disable allow locking/unlocking the
account. This is exposed via the operational attribute `nsAccountLock`
which has to be explicitly requested to query the state. However, if the
account wasn't explicitly disabled before, `nsAccountLock` will not be
returned by the LDAP server.
Ensure the nsaccountlock attribute is always retrieved, validated, and
normalized across sysaccount operations.
- Invoke validate_nsaccountlock in create and modify pre-callbacks to
enforce valid values
- Invoke convert_nsaccountlock in create, modify, list, reset, and
policy post-callbacks to normalize the nsaccountlock attribute and
default to False in case it is absent.
Fixes: https://pagure.io/freeipa/issue/9842
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
9441ebfc by PRANAV THUBE at 2025-11-11T14:47:38+01:00
ipatests: Add new test cases with extended automount plugin attributes
Description: Porting the legacy bash ipa-automount testsuite
to upstream.
Related: https://issues.redhat.com/browse/IDM-3298
Signed-off-by: PRANAV THUBE <pthube at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ec308a03 by Florence Blanc-Renaud at 2025-11-12T15:33:41+01:00
PRCI: switch testing from f41 and f42 to f42 and f43
Fedora 43 is already available and Fedora 41 will be EOL
Wed 2025-11-19 according to Fedora schedule:
https://fedorapeople.org/groups/schedule/f-41/f-41-all-tasks.html
Start testing on fedora 42 and fedora 43.
Fixes: IDM-3229
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
54f9e0f3 by Florence Blanc-Renaud at 2025-11-12T15:33:41+01:00
test_idp: use more recent keycloak server
Use Keycloak 26.4.4 and java 25 for the test setup.
The current versions (keycloak 26.1.0 and java-21) are not
working on Fedora 43.
Fixes: https://pagure.io/freeipa/issue/9833
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
d3909d86 by Florence Blanc-Renaud at 2025-11-12T16:08:52+01:00
test_sudo: do not clean the cache for offline cache tests
The tests for offline caching should not clear SSSD cache
before shutting down the IPA server. Currently most of them
follow the same steps:
- create the rule
- clear the cache
- call run_as_sudo_user (which clears the cache)
- call list_sudo_commands (which clears the cache)
- stop the master
- call run_as_sudo_user with skip_sssd_cache_clear
- call list_sudo_commands with skip_sssd_cache_clear
The scenario is wrong as skip_sssd_cache_clear should also be
added on the calls before the master is stopped.
Fixes: https://pagure.io/freeipa/issue/9874
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: PRANAV THUBE <pthube at redhat.com>
- - - - -
ec22295f by Alexander Bokovoy at 2025-11-12T17:16:48+01:00
sysaccounts: extend permissions to include description and account lock
The Security Architect role was supposed to manage sysaccount objects. But
since the description attribute is missing from the list of the managed
permissions, the role is unable to modify the 'description' field. Same for
nsAccountLock, which needs an explicit ACI.
Fixes: https://pagure.io/freeipa/issue/9875
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
e0b9ad0a by Aleksandr Sharov at 2025-11-13T11:23:45+05:30
Correctly recognize OID 2.5.4.97, organizationIdentifier as a subject/issuer DN of the CA certificate
OID 2.5.4.97 is added to the ATTR_NAME_BY_OID list, and cainstance during
2-step installation is re-fetching the CA certificate and re-parsing OIDs
based on the list. Example:
cert issuer: <Name(C=CZ,2.5.4.97=LLCCZ-123456789,O=Corp,CN=ROOT)>
DN(cert issuer): CN=ROOT,O=Corp,organizationIdentifier=LLCCZ-123456789,C=CZ
Fixes: https://pagure.io/freeipa/issue/9866
Signed-off-by: Aleksandr Sharov <asharov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
- - - - -
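The OID-to-name mapping described in commit e0b9ad0a above, as an added example that is not FreeIPA's own code: it renders a certificate Name (the `C=CZ,2.5.4.97=...` string from the commit) as an LDAP DN and reports which OIDs the table cannot name. The `<Name(...)>` wrapper handling, the RFC 4514 comma escaping and the small OID table are my assumptions, not the project's real ATTR_NAME_BY_OID.

```python
# Added example, not FreeIPA's own code: render an X.509 issuer/subject Name
# as an LDAP-style DN, mapping attribute-type OIDs to their short names.
# Assumptions (mine, not from the commit): the Name arrives as the
# comma-separated "type=value" string shown in the commit (optionally wrapped
# in python-cryptography's "<Name(...)>" repr), in certificate order with the
# least specific RDN first; the OID table below is a small constructed subset
# of what a real ATTR_NAME_BY_OID table holds.

# Constructed OID -> short-name table. The commit's point is that 2.5.4.97
# was missing from such a table, so the DN kept the dotted OID instead of
# "organizationIdentifier" and no longer matched the CA's issuer.
ATTR_NAME_BY_OID = {
    "2.5.4.3": "CN",
    "2.5.4.6": "C",
    "2.5.4.7": "L",
    "2.5.4.8": "ST",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    "2.5.4.97": "organizationIdentifier",
}


def split_rdns(name_str):
    """Split on commas that are not backslash-escaped (RFC 4514 escaping)."""
    parts, cur, escaped = [], [], False
    for ch in name_str:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def parse_name(name_str):
    """Return [(attr_type, value), ...] in the order the Name lists them."""
    if name_str.startswith("<Name(") and name_str.endswith(")>"):
        name_str = name_str[len("<Name("):-len(")>")]
    pairs = []
    for rdn in split_rdns(name_str):
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError("malformed RDN without '=': %r" % rdn)
        pairs.append((attr_type.strip(), value))
    return pairs


def is_dotted_oid(attr_type):
    """True for '2.5.4.97'-style types, False for names such as 'CN'."""
    return "." in attr_type and all(p.isdigit() for p in attr_type.split("."))


def attr_name(attr_type, oid_table=ATTR_NAME_BY_OID):
    """Map a dotted OID to its short name; already-named types pass through.
    An OID absent from the table stays dotted, which is exactly the pre-fix
    behaviour for 2.5.4.97."""
    if is_dotted_oid(attr_type):
        return oid_table.get(attr_type, attr_type)
    return attr_type


def name_to_dn(name_str, oid_table=ATTR_NAME_BY_OID):
    """Render the Name as an LDAP DN: most specific RDN first, i.e. the
    reverse of certificate order, with OIDs replaced via oid_table."""
    rdns = ["%s=%s" % (attr_name(t, oid_table), v)
            for t, v in parse_name(name_str)]
    return ",".join(reversed(rdns))


def unmapped_oids(name_str, oid_table=ATTR_NAME_BY_OID):
    """Dotted OIDs in the Name that oid_table cannot name: the check that
    would have flagged 2.5.4.97 before it was added to the table."""
    return sorted({t for t, _ in parse_name(name_str)
                   if is_dotted_oid(t) and t not in oid_table})


if __name__ == "__main__":
    issuer = "<Name(C=CZ,2.5.4.97=LLCCZ-123456789,O=Corp,CN=ROOT)>"
    print("DN(cert issuer):", name_to_dn(issuer))
    # Same Name against a table lacking 2.5.4.97 (the pre-fix situation).
    old_table = {k: v for k, v in ATTR_NAME_BY_OID.items() if k != "2.5.4.97"}
    print("unmapped OIDs with the old table:", unmapped_oids(issuer, old_table))
```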
c03fe901 by Carla Martinez at 2025-11-18T18:02:21+05:30
Modern WebUI version v0.1.7
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
d018361c by Emilio Herrera at 2025-11-18T18:26:17+05:30
Translated using Weblate (Spanish)
Currently translated at 62.5% (3055 of 4881 strings)
Co-authored-by: Emilio Herrera <ehespinosa57 at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/es/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
cdc80544 by Rob Crittenden at 2025-11-19T16:50:37-05:00
Use the pki tool to bootstrap certificates during installation
We previously called out to certmonger to have it directly
obtain certificates from the CA. Instead use the CA-generated
/root/ca-admin.p12 certificate to authenticate using the pki
tool to generate the IPA RA certificate.
Then use that certificate to issue the DS, HTTP and KDC
certificates.
Fixes: https://pagure.io/freeipa/issue/9738
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
5d55b4ef by Rob Crittenden at 2025-11-19T16:50:37-05:00
Add config option for RSA key size for HTTP, DS, PKINIT, RA certs
A new command-line option was added, --key-type-size, to define
the type of key to generate and the size of the key, or equivalent.
Only rsa is supported currently but this can be expanded easily if
additional key types are added. Placeholders have been added for
ec and ml-dsa key types but they are not yet supported.
There is also a config plugin option to modify this value. It does
NOT modify any certificates already issued. Changing it will only
apply to new replicas added.
Related: https://pagure.io/freeipa/issue/9738
Also add a test to verify installation key sizes.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
8aea0fd9 by Fraser Tweedale at 2025-11-19T16:50:37-05:00
Refactor installer cert issuance to use pki python lib
Update the installation code to use the pki python client library to
issue certificates. This is instead of using the `pki` CLI program
and parsing its output strings.
As part of this change, decompose the `pki_issue_certificate`
function into two specialised functions, rather than a single
function with different "modes". This makes the logic easier to
follow (and enables the refactor to be done incrementally).
Fixes: https://pagure.io/freeipa/issue/9738
Signed-off-by: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
43f02840 by Rob Crittenden at 2025-11-19T16:50:37-05:00
Replace REST with PKI python API for cert and LWCA
This reduces the reliance on specific REST/XML API in PKI and will
allow the pki client library to choose which RPC API(s) to use.
Add the new, versioned REST endpoint paths (v1, v2) to the httpd
configuration.
This needs additional refactoring once the certprofile
class is ported and the RestClient class can be dropped or
repurposed so some of the duplication can be re-centralized.
Also catch a bare Exception when we can't reach the local
server on port 443 in ipa-ca-install. This is because
proxying isn't configured yet. So catch that Exception and
try again with port 8443 like other exceptions.
Fixes: https://pagure.io/freeipa/issue/9738
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Signed-off-by: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
191aec5a by Rob Crittenden at 2025-11-19T16:50:37-05:00
Use the APIClient instead of direct REST calls for ACME
Drop the use of direct REST calls in favor of using the
APIClient based on the pki python API.
Fixes: https://pagure.io/freeipa/issue/9738
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
f5fc5e0f by Rob Crittenden at 2025-11-19T16:50:37-05:00
Remove the RestClient class
This is replaced by the APIClient class which uses the pki
python API instead of making direct REST API calls.
Fixes: https://pagure.io/freeipa/issue/9738
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
7a33bcca by Rob Crittenden at 2025-11-19T16:50:37-05:00
Use PKIClient instead of deprecated PKIConnection
This is for calls to instantiate a SecurityDomainClient
to get version information.
Fixes: https://pagure.io/freeipa/issue/9738
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
e8425bd8 by Rob Crittenden at 2025-11-19T16:50:37-05:00
Configure renewals to use the IPA JSON API
certmonger defaults to using the PKI XML API for renewing
CA/KRA subsystem certificates. certmonger supports the
IPA API for renewals by providing --jsonrpc-url
The IPA API will forward requests to the CA via the
PKI python API. IPA will be RPC agnostic this way and
rely on the PKI python API to handle communication.
Fixes: https://pagure.io/freeipa/issue/9738
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
1c107542 by Rob Crittenden at 2025-11-19T16:50:37-05:00
Retrieve all cert profiles from the CA with --all
Normally IPA only returns the locally-stored certificate profiles.
In order for certmonger to request CA subsystem certificates using
cert_request we need the full set of profiles. Return them all
when --all is provided and the requesting user has permission.
Related: https://pagure.io/freeipa/issue/9738
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
1729aa4e by Rob Crittenden at 2025-11-19T16:50:37-05:00
Reduce the log level before calling PKI functions
This will reduce the output spam during an IPA server install.
Output like:
2025-06-13T22:17:05Z INFO Connecting to https://localhost:8443
2025-06-13T22:17:05Z INFO Getting PKI server info from /pki/v2/info
File-based logs are not affected.
Related: https://pagure.io/freeipa/issue/9738
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Signed-off-by: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
37246851 by Rob Crittenden at 2025-11-19T16:50:37-05:00
Set minimum version of certmonger and PKI for PKI-API
The updated certmonger supports the --json-api flag used
to signal that all requests go through the IPA API.
The updated PKI packages provide fixes for the python API
so that all CA requests can be directed through that instead
of using the REST API directly.
Related: https://pagure.io/freeipa/issue/9738
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
56620f40 by Rob Crittenden at 2025-11-19T16:50:37-05:00
Sort when comparing tuples in the xmlrpc tests
Two tests were failing because the order within the result
keys changed. We shouldn't rely on order so sort the result
and compare that.
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
f74ff213 by Rob Crittenden at 2025-11-19T16:50:37-05:00
Refine restricting CA profiles to known subjects
Since renewal now occurs through IPA and not directly via
the CA, restrict the CA profiles to only those certificates
we know about and expect.
The RA Agent cert and the subsystem cert share the same profile
so there is another hoop to jump through in validating that
the subjects are valid and expected.
Since the code runs as ipaapi it does not have access to check
the run status of DS so skip in that case. If it fails, it fails.
Contributions from Fraser Tweedale <ftweedal at redhat.com>
Fixes: https://pagure.io/freeipa/issue/9738
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
d322bbfb by Rob Crittenden at 2025-11-19T16:50:37-05:00
Detect the highest API version the remote server supports
There are deployed 11.7.0 servers that aren't yet configured
to expose the v2 API. This change will allow IPA to fall back
to the v1 API.
Related: https://pagure.io/freeipa/issue/9738
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
d424dc6d by Rob Crittenden at 2025-11-19T16:50:37-05:00
Move some functions to installutils to be more independent
This is needed to avoid importing functions and static values
from cainstance.py and krainstance.py. Both import dsinstance.py
which imports lib389 and initializes things that don't work
well within the server API.
They are moved to installutils and ipalib.constants to be more
centralized and reduce imports.
Related: https://pagure.io/freeipa/issue/9738
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
0b521f7d by Rob Crittenden at 2025-11-19T16:50:37-05:00
PR-CI: Run test_installation_TestInstallKeySizes in the nightlies
This tests the key and type installation arguments so the end
user can have some level of control over the type and key size
of some of the IPA keys.
Related: https://pagure.io/freeipa/issue/9738
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>
- - - - -
3e6b5b95 by Florence Blanc-Renaud at 2025-11-20T15:40:37-05:00
FIPS mode: openssl pkcs12 command needs -nomacver option
In FIPS mode, ipa server installation fails in a call to
openssl pkcs12 command because the PKCS12 MAC requires PKCS12KDF
which is not an approved FIPS algo.
The fix consists of passing the additional option -nomacver.
Fixes: https://pagure.io/freeipa/issue/9878
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ca5510a0 by Florence Blanc-Renaud at 2025-11-20T15:40:37-05:00
ipatests: mark test_dnssec as xfail in fips mode
The test test_fips.py::TestInstallFIPS::test_dnssec is failing and
the issue is reported upstream at 9785.
Mark the test as xfail for now.
Related: https://pagure.io/freeipa/issue/9785
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
bcbc88dc by Florence Blanc-Renaud at 2025-11-20T15:40:37-05:00
temp_commit: revert to the version pre 0b521f7
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
e9a644fe by Sumedh Sidhaye at 2025-11-20T15:42:45-05:00
Validate message to check if not a trust agent/controller
Previously the check would return an empty SUCCESS message.
This is an update to the integration test since this involves a
behaviour change
Related PR: https://github.com/freeipa/freeipa-healthcheck/pull/367
Related JIRA: https://issues.redhat.com/browse/RHEL-112752
Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
a5132136 by Sumedh Sidhaye at 2025-11-20T15:42:45-05:00
Temp commit
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
b7c66bf2 by Rob Crittenden at 2025-11-20T15:57:54-05:00
Revert "Temp commit"
This reverts commit a5132136cd4f0b4ba900784be40a7eccc8debcad.
It was merged by accident.
- - - - -
0aced739 by Julien Rische at 2025-11-21T16:26:19+05:30
ipatests: fix kdcproxy tests against AD
In recent kdcproxy commit 1773f28eeea72ec6efcd433d3b66595c44d1253f, the
use of DNS discovery has been restricted to declared realms in order to
mitigate CVE-2025-59088. The present commit updates the
TestHttpKdcProxy::test_ad_user_login_on_client_with_kdcproxy test to
take this change into account.
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
9b9c7147 by Florence Blanc-Renaud at 2025-11-25T17:08:58+01:00
test_ipahealthcheck_dogtag_ca_connectivity_check: update expected msg
With the changes related to PKI API, a different error message is
returned when PKI is not reachable.
This breaks the test test_ipahealthcheck_dogtag_ca_connectivity_check.
Update the expected error message.
Fixes: https://pagure.io/freeipa/issue/9881
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
ffb8fe35 by Rob Crittenden at 2025-11-26T14:17:23-05:00
Don't assume the server has a CA service when issuing certificates
The hostname "localhost" was hardcoded in pki_issue_certificate.
This worked for installations, even without a CA, because this
wasn't called for issuing those certificates.
It fails with ipa-pkinit-enable on a server without a CA because
it only attempted the local server, which lacks a CA.
Instead detect the CA based on the local capabilities and the
server list of available CAs, preferring the local server if it
has a CA.
Fixes: https://pagure.io/freeipa/issue/9879
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
136ab8ca by Arif Budiman at 2025-11-28T18:01:32+01:00
Translated using Weblate (Indonesian)
Currently translated at 42.4% (2071 of 4881 strings)
Co-authored-by: Arif Budiman <arifpedia at gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/id/
Translation: freeipa/master
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
c98d1b81 by Rafael Guterres Jeffman at 2025-12-01T11:19:26+01:00
ipa-idrange-fix: Fix typo when ID under 1000 is present.
Fixes: https://pagure.io/freeipa/issue/9885
Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: David Hanina <dhanina at redhat.com>
- - - - -
2dcc943e by Finn Krein-Schuch at 2025-12-02T14:27:24+01:00
Use mod_auth_gssapi option GssapiNegotiateOnce
In some user agents (e.g. Chrome on Windows) after negotiation of
Kerberos auth fails the agent will try negotiating NTLM auth. This
will not work but may prompt http basic auth popups before showing the
html login form, confusing the users.
To circumvent this problem mod_auth_gssapi added the option
GssapiNegotiateOnce, sending the negotiate header only once.
References:
[1] Discussion in mod_auth_gssapi:
https://github.com/gssapi/mod_auth_gssapi/discussions/293
Fixes: https://pagure.io/freeipa/issue/5614
Signed-off-by: Finn Krein-Schuch <finn.krein-schuch at sva.de>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
68cc47a3 by Antonio Torres at 2025-12-02T10:26:56-05:00
eDNS: disable dnsconfd before configuring Unbound
If dnsconfd is kept enabled after we are done configuring Unbound for the
encrypted DNS setup, it might overwrite the configuration,
resulting in a broken setup. dnsconfd should be disabled prior to
configuring Unbound during the server/client install process.
Fixes: https://pagure.io/freeipa/issue/9859
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
- - - - -
443aff6a by Florence Blanc-Renaud at 2025-12-02T16:38:02+01:00
ipatests: fix teardown of TestIpaCertFix
The test is moving the date in the future to simulate CA certificate
expiration, then uninstalls the server. If certmonger is working,
the uninstaller may fail with a Dbus Exception.
The test can be fixed with the same strategy as other tests changing
the date: stop certmonger and remove the tracking requests before
uninstallation.
Fixes: https://pagure.io/freeipa/issue/9888
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
fb280517 by Antonio Torres at 2025-12-04T11:24:07+01:00
Update list of contributors
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
dd8ba509 by Antonio Torres at 2025-12-04T11:32:44+01:00
Become IPA 4.13.0
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
a4617fb0 by Antonio Torres at 2025-12-04T11:42:21+01:00
Back to git snapshots
Signed-off-by: Antonio Torres <antorres at redhat.com>
- - - - -
b575e3dc by Florence Blanc-Renaud at 2025-12-08T14:26:49+01:00
Nightly test definitions: configure 4.13 branch
Configure the gating and nightly pipelines for ipa-4-13 branch
Fixes: IDM-3230
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Sudhir Menon <sumenon at redhat.com>
- - - - -
6f0cd075 by Florence Blanc-Renaud at 2025-12-09T12:33:34+01:00
Trust: fix tdo with WITH_FOREST
When a trust was established pre samba 4.23, the trust domain object
could contain ipanttrustattributes: 8 (LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)
This value prevents winbind restart.
The current code replaces 0 with LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
but should also handle the case for LSA_TRUST_ATTRIBUTE_WITHIN_FOREST.
In this case we should drop the bit and replace it by FOREST_TRANSITIVE
one because otherwise Samba will skip the domain. Do not change the LDAP
representation to allow older replicas to continue operations.
Fixes: https://pagure.io/freeipa/issue/9892
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
c03f7eb2 by Florence Blanc-Renaud at 2025-12-09T12:33:34+01:00
ipatest: add an integration test for samba upgrade
When a trust was established pre samba 4.23, the trust domain object
could contain ipanttrustattributes = 40 (LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)
and winbind would fail to restart after an upgrade to samba 4.23.
Add a test simulating the situation and calling ipa-server-upgrade
Related: https://pagure.io/freeipa/issue/9892
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
f39acce9 by Carla Martinez at 2025-12-09T20:53:28+01:00
Fix: Incorrect auth error message
There is a small bug in the server code that processes
the user-locked situation: while kinit reports `kinit:
Client's credentials have been revoked ...`, the code
expects `kinit: Clients credentials have been revoked ...`
(doesn't contain the apostrophe). By correcting the
message and adding the apostrophe the right message
should be displayed.
Fixes: https://pagure.io/freeipa/issue/9891
Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
c173a70c by Viktor Ashirov at 2025-12-12T09:40:21+01:00
ipa-graceperiod: fix memory leaks
Direct return of invalid grace limit bypassed cleanup code.
`tmpstr` variable was not freed in all code paths.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
819fddc3 by Viktor Ashirov at 2025-12-12T09:40:21+01:00
ipa-lockout: fix memory leaks
Move cleanup of `unlock_time` to `done` label to ensure cleanup in all code paths.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
29699af1 by Viktor Ashirov at 2025-12-12T09:40:21+01:00
ipa-pwd-extop: fix memory leaks
`cur_pw` was allocated but not freed after password validation.
`principal_expire` was allocated but not freed in all code paths.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
67ea4467 by Viktor Ashirov at 2025-12-12T09:40:21+01:00
ipa-sidgen: fix memory leaks
In various code paths the `ctx` structure was freed, but not
`ctx->base_dn` which may have been allocated.
`sid` was duplicated, but the original memory was never freed.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
0e409d19 by Viktor Ashirov at 2025-12-12T09:40:21+01:00
ipa-range-check: fix memory leak
`ipa_range_check_close` function didn't do any cleanup.
The `ctx` structure was freed, but not `ctx->base_dn` which may have
been allocated.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
4a62d614 by Viktor Ashirov at 2025-12-12T09:40:21+01:00
ipa-extdom-extop: fix memory leaks
In various code paths the `ctx` structure was freed, but not `ctx`
resources (`base_dn`, `nss_ctx`, `extdom_instance_counter`) which may
have been allocated.
Plugin didn't have SLAPI_PLUGIN_CLOSE_FN registered, so context was
never freed on server shutdown.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
bfc9552d by Viktor Ashirov at 2025-12-12T09:40:21+01:00
ipa-enrollment: fix memory leaks
`smods`, `fqdn`, `sdn` were not freed.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
61bc55c9 by Viktor Ashirov at 2025-12-12T09:40:21+01:00
topology: fix memory leaks
`agmt_attr_val`, `targetHost` and internal search results pblock were
not freed.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
ba9074c9 by Viktor Ashirov at 2025-12-12T09:40:21+01:00
ipa-pwd-extop: free krbcfg in all exit paths
Add `free_ipapwd_krbcfg()` calls.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
8eeccb6d by Viktor Ashirov at 2025-12-12T09:40:21+01:00
ipa-pwd-extop: fix memory leaks
In `ipapwd_set_extradata` free `xdata` after it's no longer needed. It
was leaked because `slapi_value_new_berval()` makes a copy of the data.
In `ipapwd_free_slapi_value_array` free `svals` (caller's pointer)
instead of `sv` (local pointer).
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
f580f12e by Anuja More at 2025-12-16T11:16:34-03:00
sysaccount_mod: Use object.__setattr__ to set allow_empty_update in exception handler
The error only happens in developer mode (when mode=developer instead of
mode=production in /etc/ipa/default.conf). Using object.__setattr__ bypasses
normal attribute assignment which fails in developer mode when trying to set
the class attribute allow_empty_update on an instance.
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: PRANAV THUBE <pthube at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: PRANAV THUBE <pthube at redhat.com>
- - - - -
386e9f37 by Anuja More at 2025-12-16T11:16:34-03:00
ipatests: sysaccounts: add missing integration/webui/xmlrpc tests
Add comprehensive test coverage for system accounts:
Integration tests:
- Password management and privileged behavior
- Backup/restore scenarios (full, data-only, with various attributes)
- Replica deletion and SysAcctManagersDNs persistence
Web UI tests:
- CRUD operations, privileged flag, associations
- Enable/disable, password validation, negative cases
XML-RPC tests:
- Permission checks for normal users and Security Architects
- All CRUD operations and policy management
- Automated with Cursor+Claude
Related: https://pagure.io/freeipa/issue/9842
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: PRANAV THUBE <pthube at redhat.com>
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: PRANAV THUBE <pthube at redhat.com>
- - - - -
f0948183 by MOHAMMAD SAMI at 2025-12-16T11:23:26-03:00
Fix incorrect error handling in ipapython/graph.py
fix: correction in exception type for remove_edge
The previous code raised KeyError, but list.remove() actually raises ValueError, so the actual problem was not getting resolved.
Fixes: https://pagure.io/freeipa/issue/9876
Signed-off-by: Sami Shaikh <1694samishaikh at gmail.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
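The exception-type mismatch described in commit f0948183 above, as an added example that is not FreeIPA's ipapython/graph.py: a minimal directed graph whose edges live in a list, with the dead `except KeyError` handler beside the corrected `except ValueError` one. The shape of both handlers is my reconstruction of the commit's description, not the project's actual code.

```python
# Added example, not FreeIPA's ipapython/graph.py: a minimal directed graph
# whose edges live in a list, showing why an "except KeyError" around
# list.remove() never fires and what the corrected handler does instead.
# Assumption: the buggy/fixed handler shapes are my reconstruction of the
# commit's description, not the project's actual code.


class GraphError(Exception):
    """Raised for structural errors (unknown vertex, missing edge)."""


class Graph:
    def __init__(self):
        self.vertices = set()
        self.edges = []  # (tail, head) tuples; list.remove() is the key detail

    def add_vertex(self, vertex):
        self.vertices.add(vertex)

    def add_edge(self, tail, head):
        if tail not in self.vertices or head not in self.vertices:
            raise GraphError("unknown vertex in edge %r -> %r" % (tail, head))
        self.edges.append((tail, head))

    def remove_edge_buggy(self, tail, head):
        # Before the fix: dict/set removal raises KeyError, but list.remove()
        # raises ValueError, so this handler is dead code and callers get a
        # bare ValueError with no indication of which edge was missing.
        try:
            self.edges.remove((tail, head))
        except KeyError:
            raise GraphError("no edge %r -> %r" % (tail, head)) from None

    def remove_edge(self, tail, head):
        # After the fix: catch the exception list.remove() actually raises.
        try:
            self.edges.remove((tail, head))
        except ValueError:
            raise GraphError("no edge %r -> %r" % (tail, head)) from None


def removal_error(graph, tail, head, fixed=True):
    """Name of the exception type a removal raises, or None on success."""
    remover = graph.remove_edge if fixed else graph.remove_edge_buggy
    try:
        remover(tail, head)
    except Exception as exc:  # deliberately broad: we report the type only
        return type(exc).__name__
    return None


def example_graph():
    """Constructed sample graph: a -> b -> c."""
    g = Graph()
    for v in ("a", "b", "c"):
        g.add_vertex(v)
    g.add_edge("a", "b")
    g.add_edge("b", "c")
    return g


if __name__ == "__main__":
    # Removing an edge that does not exist: the buggy handler leaks a raw
    # ValueError, the fixed one raises the intended GraphError.
    print("buggy:", removal_error(example_graph(), "b", "a", fixed=False))
    print("fixed:", removal_error(example_graph(), "b", "a", fixed=True))
```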
381e00e5 by Mohammad Rizwan at 2025-12-16T14:39:55-03:00
ipatests: allow dns zone overlap where dns is handled externally
When dns is handled externally and `--auto-reverse` is used to install
ipa-server, installation fails as
```
ipa: ERROR: stderr: Checking DNS domain testrelm.test., please wait ...
Checking DNS domain xx.xx.xx.in-addr.arpa., please wait ...
DNS zone xx.xx.xx.in-addr.arpa. already exists in DNS and is handled by server(s): ['xxx.', 'xxx.', 'xxx.', 'xxx.']
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
Allow ipa-server install adding '--allow-zone-overlap' option for these
cases.
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
f28c8a2b by Rob Crittenden at 2025-12-16T17:01:39-03:00
ipatests: Add the remote IP before running ipa-migrate
The base class MigrationTest installation sets up two
separate servers, each with their own DNS. The second
one (replica[0]) is the "new" IPA server and will migrate
data from the "old" one (master).
When manually running these tests in my own environment
they fail because the new server can't connect to the old
one because it doesn't have its IP address. This somehow
works in PR-CI. So add the master IP address on the replica
so it has a way to contact it.
Fixes: https://pagure.io/freeipa/issue/9884
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
- - - - -
c8c71922 by PRANAV THUBE at 2025-12-18T15:58:04+05:30
Extended eDNS testsuite with Enforced DNS policy testcases.
Extend the eDNS test suite by adding structured tests for DNS-over-TLS under an enforced policy with IPA and external CAs.
Tests:
TestDNSOverTLS_EnforcedPolicy_IPA_CA
TestDNSOverTLS_EnforcedPolicy_External_CA
Related: https://issues.redhat.com/browse/IDM-1524
Signed-off-by: PRANAV THUBE <pthube at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
1a7819b2 by Viktor Ashirov at 2025-12-18T08:39:20-03:00
ipa-pwd-extop: fix memory leaks of bind DN
In `ipapwd_chpwop()`, `ipapwd_setkeytab()`, and `ipapwd_getkeytab()`
functions, `bindDN`/`bind_dn` is obtained via `slapi_pblock_get()` with
SLAPI_CONN_DN which returns an allocated string. This string was never
freed in the cleanup sections of these functions.
Add `slapi_ch_free_string()` calls for the bind DN variables in the
`free_and_return` sections of all three functions.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
28979893 by Viktor Ashirov at 2025-12-18T08:39:20-03:00
ipa-pwd-extop: fix memory leaks in `ipapwd_pre_add()`
In `ipapwd_pre_add()`, when processing password from entry extension,
`userpw` was reassigned without freeing the previous value.
Additionally, `enabled` obtained from `ipapwd_getIpaConfigAttr()` was
never freed, and early returns bypassed the cleanup section causing
memory leaks.
Free `userpw` before reassigning it.
Free `enabled` after use.
Replace early `return 0` statements with `goto done` to ensure proper
cleanup of all allocated resources.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
1545c3fd by Viktor Ashirov at 2025-12-18T08:39:20-03:00
ipa-pwd-extop: fix bind DN memory leaks in pre-op handlers
In `ipapwd_pre_add()` and `ipapwd_pre_mod()`, `binddn` is obtained via
`slapi_pblock_get()` with SLAPI_CONN_DN which returns an allocated
string. This string was never freed after use.
Add `slapi_ch_free_string(&binddn)` calls after the bind DN is no longer
needed in both functions.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
f5e47c97 by Viktor Ashirov at 2025-12-18T08:39:20-03:00
ipa-pwd-extop: fix NT hash string memory leak
In `ipapwd_pre_add()` and `ipapwd_pre_mod()`, the `nt` string returned
by `ipapwd_gen_hashes()` was only freed when `is_smb` was true. When NT
hashes are generated for `is_ipant` entries but `is_smb` is false, the
`nt` string was leaked.
Free `nt`, `ntvals` and `svals` unconditionally.
Fix the error path in `ipapwd_pre_add()` where `nt` and `ntvals` were
leaked when `slapi_entry_attr_replace_sv()` failed for `svals`.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
370cdf03 by Viktor Ashirov at 2025-12-18T08:39:20-03:00
ipa-pwd-extop: fix password history values memory leak
In `ipapwd_post_modadd()`, the `pwvals` array returned by
`ipapwd_setPasswordHistory()` was passed to `slapi_mods_add_mod_values()`
but never freed. The `slapi_mods_add_mod_values()` function makes a copy
of the values, so the original array still needs to be freed.
Add `ipapwd_free_slapi_value_array()` call in the cleanup section to
free the array.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
614b3cdc by Viktor Ashirov at 2025-12-18T08:39:20-03:00
ipa-pwd-extop: fix memory leaks in `ipapwd_gen_hashes()` error path
In `ipapwd_gen_hashes()`, when an error occurred after allocating output
parameters, `*ntvals` was freed but `*nthash` was not.
Add `slapi_ch_free_string(nthash)` to the error cleanup section.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
edc00aae by Viktor Ashirov at 2025-12-18T08:39:20-03:00
ipa-pwd-extop: fix valueset memory leak in `ipapwd_get_cur_kvno()`
In `ipapwd_get_cur_kvno()`, the `Slapi_ValueSet` obtained via
`slapi_attr_get_valueset()` was never freed. This function returns a
copy of the valueset that must be freed by the caller using
`slapi_valueset_free()`.
Add `slapi_valueset_free(svs)` before returning from the function.
Related: https://pagure.io/freeipa/issue/9895
Signed-off-by: Viktor Ashirov <vashirov at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
- - - - -
b5458214 by Florence Blanc-Renaud at 2025-12-23T10:10:24-03:00
ipatests: do not allow zone overlap for TestInstallWithCA_DNS4
This test specifically needs to be run without the
--allow-zone-overlap installation option.
Fixes: https://pagure.io/freeipa/issue/9902
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sudhir Menon <sumenon at redhat.com>
- - - - -
fdfce9ac by PRANAV THUBE at 2025-12-26T17:25:38+01:00
ipatests: Refactor and port hbac functional tests.
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
- - - - -
6ddd9d97 by Florence Blanc-Renaud at 2026-01-07T15:20:29+01:00
Upgrade: use openssl_engine on rhel9
The upgrade on RHEL9 needs to update /etc/sysconfig/ipa-dnskeysyncd
with DNSSEC_TOKENS_DIR and DNSSEC_SOFTHSM_PIN because those
environment variables are used by the systemd unit for ipa-dnskeysyncd.
Currently the upgrade skips this step because of a wrong comparison when
defining the constants:
HAS_PKCS11_OPENSSL_ENGINE = osinfo.version_number == (9,)
The above evaluates to false because osinfo.version_number is a tuple with
(9, minor_version).
Replace the comparison with osinfo.version_number[0] == 9 to make
sure that the upgrade code is properly called on RHEL 9.x.
Fixes: https://pagure.io/freeipa/issue/9913
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
d6f7c0b1 by Rob Crittenden at 2026-01-09T17:47:36+01:00
ipa-pwd-extop: Don't manipulate the config if not retrieved
There is a non-zero chance that the Kerberos configuration can't
be retrieved. If this fails it should report an error which will
likely fail the operation but otherwise allow the server to
remain running.
A flag was added to not allow the Master key to be returned
but since this manipulates *config and that is NULL...SEGV.
Add a goto to skip that block in the case of failure.
Credit to Viktor Ashirov for identifying the fix. All I did
was write up the patch.
Fixes: https://pagure.io/freeipa/issue/9914
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
- - - - -
ffde59d2 by David Hanina at 2026-01-12T12:07:52+05:30
Delete modern-ui images for RHEL
We need to delete modern-ui artwork for RHEL to allow replacement
through redhat-logos and centos-logos. Also synchronizes webui to
the latest version.
Fixes: https://pagure.io/freeipa/issue/9915
Signed-off-by: David Hanina <dhanina at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
9b09e9b7 by Florence Blanc-Renaud at 2026-01-13T16:22:49+01:00
ipa-migrate: avoid KeyError before attributes are normalized
The ipa-migrate tool reads the content of the source LDAP server
and processes the entries. When the entry is a tombstone it must be
discarded.
In order to detect if the entry is a tombstone, the code checks
if the objectclass attribute contains the value 'nsTombstone'.
The problem is that the key ('objectClass') is not normalized
and may either be 'objectclass' (all lowercase) or 'objectClass'.
Take both cases into account and avoid KeyError exception by
normalizing the attribute + looking for case-insensitive value.
Fixes: https://pagure.io/freeipa/issue/9910
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mark Reynolds <mreynolds at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
- - - - -
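The normalization the commit above describes, as an added example written for this page rather than taken from ipa-migrate: entries are assumed to be (dn, attrs) pairs where attrs maps attribute name to a list of str or bytes values, and the helper names are assumptions.

```python
"""Case-insensitive tombstone detection for LDAP entries read during a
migration. Added example, not ipa-migrate's own code: the entry layout
(attribute name -> list of values) and the helper names are assumptions."""

from typing import Dict, Iterable, Iterator, List, Tuple, Union

Attrs = Dict[str, List[Union[str, bytes]]]
Entry = Tuple[str, Attrs]


def normalize_attrs(attrs: Attrs) -> Dict[str, List[str]]:
    """Return a copy of ``attrs`` keyed by lower-cased attribute names.

    LDAP attribute names are case-insensitive, so 'objectClass' and
    'objectclass' name the same attribute; indexing a dict with whichever
    spelling the server did not use raises KeyError. Byte values are
    decoded so the value comparison below works on str.
    """
    norm: Dict[str, List[str]] = {}
    for name, values in attrs.items():
        decoded = [v.decode("utf-8") if isinstance(v, bytes) else v
                   for v in values]
        norm.setdefault(name.lower(), []).extend(decoded)
    return norm


def is_tombstone(attrs: Attrs) -> bool:
    """True if the entry carries the nsTombstone object class, in any case.

    Uses .get() rather than indexing so an entry with no objectClass at
    all is treated as a live entry instead of aborting with KeyError.
    """
    classes = normalize_attrs(attrs).get("objectclass", [])
    return any(oc.lower() == "nstombstone" for oc in classes)


def live_entries(entries: Iterable[Entry]) -> Iterator[Entry]:
    """Yield only the entries that should be migrated (non-tombstones)."""
    for dn, attrs in entries:
        if not is_tombstone(attrs):
            yield dn, attrs


# Constructed sample entries covering the cases the check must handle:
# mixed-case attribute names, mixed-case values, and a missing objectClass.
SAMPLE_ENTRIES: List[Entry] = [
    ("uid=alice,cn=users,cn=accounts,dc=example,dc=test",
     {"objectClass": [b"top", b"person", b"posixAccount"]}),
    ("uid=bob,cn=users,cn=accounts,dc=example,dc=test",
     {"objectclass": [b"top", b"person", b"NSTOMBSTONE"]}),
    ("nsuniqueid=0000-0000,cn=deleted,dc=example,dc=test",
     {"objectClass": ["nsTombstone"]}),
    ("cn=config-fragment,dc=example,dc=test",
     {"cn": [b"config-fragment"]}),
]


def migrate_dns(entries: Iterable[Entry] = SAMPLE_ENTRIES) -> List[str]:
    """Return the DNs that survive tombstone filtering."""
    return [dn for dn, _ in live_entries(entries)]


if __name__ == "__main__":
    for dn in migrate_dns():
        print("migrate:", dn)
```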
250ab541 by David Hanina at 2026-01-14T17:57:31+01:00
Update webui to v.0.1.9
Signed-off-by: David Hanina <dhanina at redhat.com>
Reviewed-By: Carla Martinez <carlmart at redhat.com>
- - - - -
573c9194 by Aleksandr Sharov at 2026-01-15T09:28:59-03:00
Add the --force-server option to the ipa-certupdate tool to specify a server.
This can be used for disaster recovery or situations with replication
issues, when only one server is fixed/working and is the source of
truth about CA certs for all the other replicas and clients.
Fixes: https://pagure.io/freeipa/issue/9839
Signed-off-by: Aleksandr Sharov <asharov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
- - - - -
914aa64f by Antonio Torres at 2026-01-16T10:20:25+01:00
Become IPA.4.13.1
- - - - -
489 changed files:
- .copr/Makefile
- + .gitmodules
- .wheelconstraints.in
- ACI.txt
- API.txt
- BUILD.txt
- Contributors.txt
- Makefile.am
- VERSION.m4
- client/ipa-getkeytab.c
- client/ipa-rmkeytab.c
- client/man/default.conf.5
- client/man/epn.conf.5
- client/man/ipa-certupdate.1
- client/man/ipa-client-automount.1
- client/man/ipa-client-install.1
- client/man/ipa.1
- client/share/Makefile.am
- + client/share/freeipa-realm.template
- + client/share/unbound.conf.template
- configure.ac
- contrib/perflog
- daemons/dnssec/Makefile.am
- daemons/dnssec/ipa-dnskeysyncd.service.in
- daemons/ipa-kdb/README.s4u2proxy.txt
- daemons/ipa-kdb/ipa_kdb.c
- daemons/ipa-kdb/ipa_kdb.h
- daemons/ipa-kdb/ipa_kdb_common.c
- daemons/ipa-kdb/ipa_kdb_delegation.c
- daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
- daemons/ipa-kdb/ipa_kdb_mspac.c
- daemons/ipa-kdb/ipa_kdb_passwords.c
- daemons/ipa-kdb/ipa_kdb_principals.c
- daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
- daemons/ipa-otpd/bind.c
- daemons/ipa-otpd/forward.c
- daemons/ipa-otpd/oauth2.c
- daemons/ipa-otpd/passkey.c
- daemons/ipa-sam/ipa_sam.c
- daemons/ipa-slapi-plugins/common/util.h
- daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c
- daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
- daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
- daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
- daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c
- daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
- daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c
- daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
- daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
- daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
- daemons/ipa-slapi-plugins/ipa-range-check/ipa_range_check.c
- daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
- daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
- daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
- daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
- daemons/ipa-slapi-plugins/topology/topology_util.c
- doc/api/A6Record.md
- doc/api/AAAARecord.md
- doc/api/AFSDBRecord.md
- doc/api/APLRecord.md
- doc/api/ARecord.md
- doc/api/AccessTime.md
- doc/api/Any.md
- doc/api/BinaryFile.md
- doc/api/Bool.md
- doc/api/Bytes.md
- doc/api/BytesEnum.md
- doc/api/CERTRecord.md
- doc/api/CNAMERecord.md
- doc/api/DHCIDRecord.md
- doc/api/DLVRecord.md
- doc/api/DNAMERecord.md
- doc/api/DNOrURL.md
- doc/api/DNParam.md
- doc/api/DNSNameParam.md
- doc/api/DNSRecord.md
- doc/api/DSRecord.md
- doc/api/Data.md
- doc/api/DateTime.md
- doc/api/Decimal.md
- doc/api/Dict.md
- doc/api/Enum.md
- doc/api/File.md
- doc/api/Flag.md
- doc/api/ForwardRecord.md
- doc/api/HINFORecord.md
- doc/api/HIPRecord.md
- doc/api/HostPassword.md
- doc/api/IA5Str.md
- doc/api/IPSECKEYRecord.md
- doc/api/Int.md
- doc/api/IntEnum.md
- doc/api/KEYRecord.md
- doc/api/KXRecord.md
- doc/api/LOCRecord.md
- doc/api/MDRecord.md
- doc/api/MINFORecord.md
- doc/api/MXRecord.md
- doc/api/NAPTRRecord.md
- doc/api/NSECRecord.md
- doc/api/NSRecord.md
- doc/api/NXTRecord.md
- doc/api/Number.md
- doc/api/OTPTokenKey.md
- doc/api/PTRRecord.md
- doc/api/Password.md
- doc/api/Principal.md
- doc/api/RPRecord.md
- doc/api/RRSIGRecord.md
- doc/api/SIGRecord.md
- doc/api/SPFRecord.md
- doc/api/SRVRecord.md
- doc/api/SSHFPRecord.md
- doc/api/SerialNumber.md
- doc/api/Str.md
- doc/api/StrEnum.md
- doc/api/TLSARecord.md
- doc/api/TXTRecord.md
- doc/api/URIRecord.md
- doc/api/UnsupportedDNSRecord.md
- doc/api/commands.rst
- doc/api/config_mod.md
- doc/api/pwpolicy_add.md
- doc/api/pwpolicy_find.md
- doc/api/pwpolicy_mod.md
- doc/api/role_add_member.md
- doc/api/role_remove_member.md
- + doc/api/sysaccount_add.md
- + doc/api/sysaccount_del.md
- + doc/api/sysaccount_disable.md
- + doc/api/sysaccount_enable.md
- + doc/api/sysaccount_find.md
- + doc/api/sysaccount_mod.md
- + doc/api/sysaccount_policy.md
- + doc/api/sysaccount_show.md
- + doc/designs/edns.md
- + doc/designs/edns/FreeIPA-eDNS-version3.jpg
- doc/designs/expired_certificate_pruning.md
- doc/designs/external-idp/idp-api.md
- doc/designs/hsm.md
- doc/designs/index.rst
- doc/designs/rbcd.md
- doc/designs/subordinate-ids.md
- + doc/designs/sysaccounts.md
- doc/workshop/11-kerberos-ticket-policy.rst
- doc/workshop/12-external-idp-support.rst
- doc/workshop/Vagrantfile
- freeipa.spec.in
- init/tmpfilesd/Makefile.am
- + init/tmpfilesd/ipa-dnssec.conf.in
- install/Makefile.am
- install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
- + install/freeipa-webui
- install/oddjob/com.redhat.idm.trust-fetch-domains.in
- install/restart_scripts/renew_ca_cert.in
- install/share/60basev2.ldif
- install/share/60ipaconfig.ldif
- install/share/Makefile.am
- install/share/bind.named.conf.template
- + install/share/bind.openssl.provider.cnf.template
- + install/share/bind.openssl.provider.crp.cnf.template
- install/share/bootstrap-template.ldif
- install/share/delegation.ldif
- install/share/ipa-pki-proxy.conf.template
- install/share/ipa.conf.template
- install/share/kerberos.ldif
- − install/share/krb.con.template
- install/share/krb5.conf.template
- − install/share/krb5.ini.template
- − install/share/krbrealm.con.template
- − install/share/nis-update.uldif
- − install/share/nis.uldif
- + install/share/openssl_cnf.template
- − install/share/replica-prevent-time-skew.ldif
- + install/share/subid-generators.uldif
- install/share/unique-attributes.ldif
- install/tools/Makefile.am
- install/tools/ipa-adtrust-install.in
- install/tools/ipa-ca-install.in
- install/tools/ipa-compat-manage.in
- install/tools/ipa-csreplica-manage.in
- install/tools/ipa-dns-install.in
- + install/tools/ipa-idrange-fix.in
- install/tools/ipa-managed-entries.in
- − install/tools/ipa-nis-manage.in
- install/tools/ipa-pki-wait-running.in
- install/tools/ipa-replica-conncheck.in
- install/tools/ipa-replica-manage.in
- install/tools/man/Makefile.am
- install/tools/man/ipa-advise.1
- install/tools/man/ipa-backup.1
- install/tools/man/ipa-ca-install.1
- install/tools/man/ipa-cacert-manage.1
- install/tools/man/ipa-dns-install.1
- + install/tools/man/ipa-idrange-fix.1
- install/tools/man/ipa-kra-install.1
- install/tools/man/ipa-migrate.1
- − install/tools/man/ipa-nis-manage.1
- install/tools/man/ipa-replica-install.1
- install/tools/man/ipa-restore.1
- install/tools/man/ipa-server-install.1
- install/ui/Gruntfile.js
- install/ui/less/plugins/otp.less
- install/ui/src/freeipa/app.js
- install/ui/src/freeipa/idp.js
- install/ui/src/freeipa/navigation/menu_spec.js
- install/ui/src/freeipa/serverconfig.js
- + install/ui/src/freeipa/sysaccount.js
- install/ui/src/freeipa/widgets/LoginScreen.js
- install/updates/10-enable-betxn.update
- install/updates/10-uniqueness.update
- install/updates/40-delegation.update
- install/updates/40-replication.update
- install/updates/45-roles.update
- install/updates/50-ipaconfig.update
- install/updates/50-krbenctypes.update
- − install/updates/50-nis.update
- install/updates/60-trusts.update
- install/updates/73-subid.update
- install/updates/90-post_upgrade_plugins.update
- install/updates/Makefile.am
- ipaclient/install/client.py
- ipaclient/install/ipa_certupdate.py
- ipaclient/install/ipa_client_automount.py
- ipaclient/install/ipa_client_samba.py
- ipaclient/plugins/idrange.py
- + ipaclient/plugins/sysaccounts.py
- ipaclient/plugins/vault.py
- ipaclient/remote_plugins/2_114/dns.py
- ipaclient/remote_plugins/2_156/dns.py
- ipaclient/remote_plugins/2_164/dns.py
- ipaclient/remote_plugins/2_49/dns.py
- ipalib/cli.py
- ipalib/config.py
- ipalib/constants.py
- ipalib/install/certmonger.py
- ipalib/install/certstore.py
- ipalib/ipajson.py
- ipalib/messages.py
- ipalib/parameters.py
- ipalib/plugable.py
- ipalib/rpc.py
- ipalib/util.py
- ipalib/x509.py
- ipaplatform/base/constants.py
- ipaplatform/base/paths.py
- ipaplatform/base/services.py
- ipaplatform/base/tasks.py
- ipaplatform/debian/constants.py
- ipaplatform/debian/paths.py
- ipaplatform/debian/tasks.py
- ipaplatform/fedora/constants.py
- ipaplatform/redhat/tasks.py
- ipaplatform/rhel/constants.py
- ipaplatform/setup.py
- + ipaplatform/test_fedora_legacy/__init__.py
- + ipaplatform/test_fedora_legacy/constants.py
- + ipaplatform/test_fedora_legacy/paths.py
- + ipaplatform/test_fedora_legacy/services.py
- + ipaplatform/test_fedora_legacy/tasks.py
- ipapython/admintool.py
- ipapython/certdb.py
- ipapython/config.py
- ipapython/dn.py
- ipapython/dogtag.py
- ipapython/graph.py
- ipapython/install/cli.py
- ipapython/ipaldap.py
- ipapython/ipautil.py
- ipapython/version.py.in
- ipaserver/advise/base.py
- ipaserver/custodia/server/__init__.py
- ipaserver/dcerpc.py
- ipaserver/dnssec/bindmgr.py
- + ipaserver/install/acmeinstance.py
- ipaserver/install/adtrustinstance.py
- ipaserver/install/bindinstance.py
- ipaserver/install/ca.py
- ipaserver/install/cainstance.py
- ipaserver/install/certs.py
- ipaserver/install/custodiainstance.py
- ipaserver/install/dns.py
- ipaserver/install/dnskeysyncinstance.py
- ipaserver/install/dogtaginstance.py
- ipaserver/install/dsinstance.py
- ipaserver/install/httpinstance.py
- ipaserver/install/installutils.py
- ipaserver/install/ipa_acme_manage.py
- ipaserver/install/ipa_backup.py
- ipaserver/install/ipa_cacert_manage.py
- ipaserver/install/ipa_cert_fix.py
- + ipaserver/install/ipa_idrange_fix.py
- ipaserver/install/ipa_kra_install.py
- ipaserver/install/ipa_migrate.py
- ipaserver/install/ipa_migrate_constants.py
- ipaserver/install/ipa_otptoken_import.py
- ipaserver/install/ipa_restore.py
- ipaserver/install/ipa_server_certinstall.py
- ipaserver/install/ipa_subids.py
- ipaserver/install/kra.py
- ipaserver/install/krainstance.py
- ipaserver/install/krbinstance.py
- ipaserver/install/ldapupdate.py
- ipaserver/install/opendnssecinstance.py
- + ipaserver/install/plugins/add_admin_krbcanonicalname.py
- ipaserver/install/plugins/adtrust.py
- ipaserver/install/plugins/update_dna_shared_config.py
- − ipaserver/install/plugins/update_nis.py
- − ipaserver/install/plugins/update_ra_cert_store.py
- + ipaserver/install/plugins/update_subid_support.py
- ipaserver/install/replication.py
- ipaserver/install/server/__init__.py
- ipaserver/install/server/install.py
- ipaserver/install/server/replicainstall.py
- ipaserver/install/server/upgrade.py
- ipaserver/install/service.py
- ipaserver/install/upgradeinstance.py
- ipaserver/plugins/baseldap.py
- ipaserver/plugins/baseuser.py
- ipaserver/plugins/ca.py
- ipaserver/plugins/cert.py
- ipaserver/plugins/certprofile.py
- ipaserver/plugins/config.py
- ipaserver/plugins/dns.py
- ipaserver/plugins/dogtag.py
- ipaserver/plugins/idrange.py
- ipaserver/plugins/internal.py
- ipaserver/plugins/pwpolicy.py
- ipaserver/plugins/role.py
- ipaserver/plugins/service.py
- ipaserver/plugins/subid.py
- + ipaserver/plugins/sysaccounts.py
- ipaserver/plugins/topology.py
- ipaserver/plugins/trust.py
- ipaserver/plugins/user.py
- ipaserver/plugins/vault.py
- ipaserver/rpcserver.py
- ipaserver/secrets/handlers/pemfile.py
- ipatests/azure/Dockerfiles/Dockerfile.build.fedora
- ipatests/azure/Dockerfiles/Dockerfile.build.rawhide
- ipatests/azure/Dockerfiles/docker-compose.yml
- ipatests/azure/azure-pipelines.yml
- ipatests/azure/azure_definitions/base-fedora.yml
- ipatests/azure/azure_definitions/gating-fedora.yml
- ipatests/azure/scripts/azure-run-tests.sh
- ipatests/azure/scripts/setup_containers.py
- ipatests/azure/templates/autoconf-fedora.yml
- ipatests/azure/templates/prepare-build-fedora.yml
- ipatests/azure/templates/prepare-lint-fedora.yml
- ipatests/azure/templates/prepare-webui-fedora.yml
- ipatests/azure/templates/setup-test-environment.yml
- ipatests/azure/templates/test-jobs.yml
- ipatests/azure/templates/variables-common.yml
- ipatests/azure/templates/variables-fedora.yml
- ipatests/prci_definitions/gating.yaml
- ipatests/prci_definitions/nightly_latest.yaml → ipatests/prci_definitions/nightly_ipa-4-13_latest.yaml
- ipatests/prci_definitions/nightly_latest_selinux.yaml → ipatests/prci_definitions/nightly_ipa-4-13_latest_selinux.yaml
- − ipatests/prci_definitions/nightly_latest_389ds.yaml
- − ipatests/prci_definitions/nightly_latest_pki.yaml
- − ipatests/prci_definitions/nightly_latest_sssd.yaml
- − ipatests/prci_definitions/nightly_latest_testing.yaml
- − ipatests/prci_definitions/nightly_latest_testing_selinux.yaml
- − ipatests/prci_definitions/nightly_previous.yaml
- − ipatests/prci_definitions/nightly_rawhide.yaml
- ipatests/prci_definitions/prci_jobs_spec.yaml
- ipatests/prci_definitions/temp_commit.yaml
- ipatests/pytest_ipa/integration/__init__.py
- ipatests/pytest_ipa/integration/config.py
- ipatests/pytest_ipa/integration/create_bridge.py
- ipatests/pytest_ipa/integration/create_caless_pki.py
- ipatests/pytest_ipa/integration/create_keycloak.py
- ipatests/pytest_ipa/integration/firewall.py
- ipatests/pytest_ipa/integration/tasks.py
- ipatests/test_cmdline/test_cli.py
- ipatests/test_cmdline/test_console.py
- ipatests/test_cmdline/test_schema.py
- ipatests/test_custodia/test_plugins.py
- ipatests/test_integration/base.py
- + ipatests/test_integration/test_32bit_idranges.py
- ipatests/test_integration/test_acme.py
- ipatests/test_integration/test_adtrust_install.py
- ipatests/test_integration/test_backup_and_restore.py
- ipatests/test_integration/test_caless.py
- ipatests/test_integration/test_cert.py
- ipatests/test_integration/test_cli_ipa_not_configured.py
- + ipatests/test_integration/test_cockpit.py
- ipatests/test_integration/test_commands.py
- ipatests/test_integration/test_dnssec.py
- + ipatests/test_integration/test_edns.py
- ipatests/test_integration/test_external_ca.py
- ipatests/test_integration/test_fips.py
- + ipatests/test_integration/test_hbac_functional.py
- ipatests/test_integration/test_hsm.py
- ipatests/test_integration/test_http_kdc_proxy.py
- ipatests/test_integration/test_idp.py
- ipatests/test_integration/test_installation.py
- ipatests/test_integration/test_installation_client.py
- ipatests/test_integration/test_ipa_cert_fix.py
- + ipatests/test_integration/test_ipa_idrange_fix.py
- + ipatests/test_integration/test_ipa_ipa_migration.py
- ipatests/test_integration/test_ipahealthcheck.py
- + ipatests/test_integration/test_mkey_upgrade.py
- + ipatests/test_integration/test_multidomain_ipa.py
- ipatests/test_integration/test_nfs.py
- ipatests/test_integration/test_otp.py
- ipatests/test_integration/test_pki_config_override.py
- ipatests/test_integration/test_pwpolicy.py
- ipatests/test_integration/test_random_serial_numbers.py
- ipatests/test_integration/test_replica_promotion.py
- ipatests/test_integration/test_sso.py
- ipatests/test_integration/test_sssd.py
- ipatests/test_integration/test_sudo.py
- + ipatests/test_integration/test_sysaccounts.py
- ipatests/test_integration/test_topology.py
- ipatests/test_integration/test_trust.py
- + ipatests/test_integration/test_trust_functional.py
- ipatests/test_integration/test_uninstallation.py
- ipatests/test_integration/test_upgrade.py
- ipatests/test_ipalib/test_parameters.py
- ipatests/test_ipalib/test_util.py
- ipatests/test_ipalib/test_x509.py
- ipatests/test_ipaplatform/test_constants.py
- ipatests/test_ipaplatform/test_tasks.py
- ipatests/test_ipaserver/test_ipap11helper.py
- + ipatests/test_webui/data_sysaccount.py
- ipatests/test_webui/test_cert.py
- ipatests/test_webui/test_host.py
- + ipatests/test_webui/test_sysaccount.py
- ipatests/test_webui/ui_driver.py
- ipatests/test_xmlrpc/test_automember_plugin.py
- ipatests/test_xmlrpc/test_automount_plugin.py
- ipatests/test_xmlrpc/test_config_plugin.py
- ipatests/test_xmlrpc/test_dns_plugin.py
- ipatests/test_xmlrpc/test_env_plugin.py
- ipatests/test_xmlrpc/test_permission_plugin.py
- ipatests/test_xmlrpc/test_plugins_plugin.py
- ipatests/test_xmlrpc/test_range_plugin.py
- ipatests/test_xmlrpc/test_role_plugin.py
- ipatests/test_xmlrpc/test_service_plugin.py
- ipatests/test_xmlrpc/test_stageuser_plugin.py
- + ipatests/test_xmlrpc/test_sysaccount_plugin.py
- ipatests/test_xmlrpc/test_user_plugin.py
- ipatests/test_xmlrpc/tracker/ca_plugin.py
- ipatests/test_xmlrpc/tracker/stageuser_plugin.py
- + ipatests/test_xmlrpc/tracker/sysaccount_plugin.py
- makeapi.in
- makerpms.sh
- po/LINGUAS
- po/bn_IN.po
- po/ca.po
- po/cs.po
- po/de.po
- po/en_GB.po
- po/es.po
- po/eu.po
- + po/fa.po
- po/fi.po
- po/fr.po
- po/hi.po
- po/hu.po
- po/id.po
- po/ipa.pot
- po/ja.po
- po/ka.po
- po/kn.po
- po/ko.po
- po/mr.po
- po/nl.po
- po/pa.po
- po/pl.po
- po/pt.po
- po/pt_BR.po
- po/ru.po
- po/sk.po
- po/tg.po
- po/tr.po
- po/uk.po
- po/zh_CN.po
- pylint_plugins.py
- pylintrc
- pypi/test_placeholder.py
- selinux/ipa.fc
- selinux/ipa.if
- selinux/ipa.te
- util/ipa_krb5.c
- util/ipa_krb5.h
- util/ipa_pwd.c
- util/ipa_pwd.h
- util/t_policy.c
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/f2fc367fb00193a8ca8a1f22786fccd6b0024dac...914aa64f782d646cdb8e7244d5687965fe6d498f