diff --git a/.gitignore b/.gitignore
index be5c7c7..8b5115a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -136,3 +136,5 @@
 /freeipa-4.12.0.tar.gz.asc
 /freeipa-4.12.1.tar.gz.asc
 /freeipa-4.12.1.tar.gz
+/freeipa-4.12.2.tar.gz
+/freeipa-4.12.2.tar.gz.asc
diff --git a/0002-Add-iparepltopoconf-objectclass-to-topology-permissi.patch b/0002-Add-iparepltopoconf-objectclass-to-topology-permissi.patch
deleted file mode 100644
index 373c903..0000000
--- a/0002-Add-iparepltopoconf-objectclass-to-topology-permissi.patch
+++ /dev/null
@@ -1,79 +0,0 @@ -From ebccaac3cf8a5688739d76426924469d5b4df6b1 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 10 Jun 2024 14:54:41 -0400 -Subject: [PATCH] Add iparepltopoconf objectclass to topology permissions - -The domain and ca objects were unreadable which caused -the conneciton lines between nodes in the UI to not be -visible. - -Also add a manual ACI to allow reading the min/max -domain level. - -Fixes: https://pagure.io/freeipa/issue/9594 - -Signed-off-by: Rob Crittenden -Reviewed-By: Michal Polovka ---- - ACI.txt | 8 ++++---- - install/updates/40-replication.update | 11 +++++++++++ - ipaserver/plugins/topology.py | 2 +- - 3 files changed, 16 insertions(+), 5 deletions(-) - -diff --git a/ACI.txt b/ACI.txt -index 13b0a64bde6b29503b048630f1c718e5e30759b2..50c8824d43cd6d3ca9a381b5d34425cb0197508c 100644 ---- a/ACI.txt -+++ b/ACI.txt -@@ -375,13 +375,13 @@ aci: (targetattr = "cmdcategory || cn || createtimestamp || description || entry - dn: dc=ipa,dc=example - aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";) - dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example --aci: (targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Add Topology Segments";allow (add) groupdn = "ldap:///cn=System: Add Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";) -+aci: (targetfilter = "(|(objectclass=iparepltopoconf)(objectclass=iparepltoposegment))")(version 3.0;acl "permission:System: Add Topology Segments";allow (add) groupdn = "ldap:///cn=System: Add Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";) - dn: 
cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example --aci: (targetattr = "iparepltoposegmentdirection || iparepltoposegmentleftnode || iparepltoposegmentrightnode || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal")(targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Modify Topology Segments";allow (write) groupdn = "ldap:///cn=System: Modify Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";) -+aci: (targetattr = "iparepltoposegmentdirection || iparepltoposegmentleftnode || iparepltoposegmentrightnode || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal")(targetfilter = "(|(objectclass=iparepltopoconf)(objectclass=iparepltoposegment))")(version 3.0;acl "permission:System: Modify Topology Segments";allow (write) groupdn = "ldap:///cn=System: Modify Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";) - dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example --aci: (targetattr = "cn || createtimestamp || entryusn || iparepltopoconfroot || iparepltoposegmentdirection || iparepltoposegmentleftnode || iparepltoposegmentrightnode || iparepltoposegmentstatus || modifytimestamp || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || objectclass")(targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Read Topology Segments";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";) -+aci: (targetattr = "cn || createtimestamp || entryusn || iparepltopoconfroot || iparepltoposegmentdirection || iparepltoposegmentleftnode || iparepltoposegmentrightnode || iparepltoposegmentstatus || modifytimestamp || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || objectclass")(targetfilter = "(|(objectclass=iparepltopoconf)(objectclass=iparepltoposegment))")(version 3.0;acl 
"permission:System: Read Topology Segments";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";) - dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example --aci: (targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Remove Topology Segments";allow (delete) groupdn = "ldap:///cn=System: Remove Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";) -+aci: (targetfilter = "(|(objectclass=iparepltopoconf)(objectclass=iparepltoposegment))")(version 3.0;acl "permission:System: Remove Topology Segments";allow (delete) groupdn = "ldap:///cn=System: Remove Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";) - dn: cn=trusts,dc=ipa,dc=example - aci: (targetattr = "cn || createtimestamp || entryusn || ipantadditionalsuffixes || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";) - dn: cn=trusts,dc=ipa,dc=example -diff --git a/install/updates/40-replication.update b/install/updates/40-replication.update -index 06b6613ed4c9ede935f879ee46ed5e7d5a0935ba..6dc38e36d96b4e019eb35f9d0367bfc7a202af98 100644 ---- a/install/updates/40-replication.update -+++ b/install/updates/40-replication.update -@@ -28,3 +28,14 @@ default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX - dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config - remove:aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";) - add:aci: (targetattr = "cn || dnaMaxValue || dnaNextRange || dnaNextValue || 
dnaThreshold || dnaType || objectclass")(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";) -+ -+dn: cn=Read domain level,cn=permissions,cn=pbac,$SUFFIX -+default:objectClass: top -+default:objectClass: groupofnames -+default:objectClass: ipapermission -+default:cn: Read domain level -+default:ipapermissiontype: SYSTEM -+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX -+ -+dn: cn=masters,cn=ipa,cn=etc,$SUFFIX -+add:aci: (targetattr = "ipamaxdomainlevel || ipamindomainlevel")(version 3.0;acl "permission:Read domain level";allow (read, search, compare) groupdn = "ldap:///cn=Read domain level,cn=permissions,cn=pbac,$SUFFIX";) -diff --git a/ipaserver/plugins/topology.py b/ipaserver/plugins/topology.py -index be0cf3d705267af66e20fb990b2fed72b61d2c49..1401fe259226c12abe42a5670d3ce1812c27cc05 100644 ---- a/ipaserver/plugins/topology.py -+++ b/ipaserver/plugins/topology.py -@@ -104,7 +104,7 @@ class topologysegment(LDAPObject): - object_name = _('segment') - object_name_plural = _('segments') - object_class = ['iparepltoposegment'] -- permission_filter_objectclasses = ['iparepltoposegment'] -+ permission_filter_objectclasses = ['iparepltoposegment', 'iparepltopoconf'] - default_attributes = [ - 'cn', - 'ipaReplTopoSegmentdirection', 'ipaReplTopoSegmentrightNode', --- -2.45.2 - diff --git a/0002-freeipa-disable-nis.patch b/0002-freeipa-disable-nis.patch new file mode 100644 index 0000000..bd4e270 --- /dev/null +++ b/0002-freeipa-disable-nis.patch 
@@ -0,0 +1,900 @@ +From da1ec155fb5d5afc29b70ff4d68f0d774aa7f245 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Mon, 29 Apr 2024 10:10:08 +0300 +Subject: [PATCH] Remove NIS server support + + RHEL 8.3+ already deprecated support for NIS protocol. + RHEL 9 does not ship NIS client side + RHEL 10 removes NIS server emulator support + +Remove NIS server integration from the migration and +management tools. + +Fixes: https://pagure.io/freeipa/issue/9363 + +Signed-off-by: Alexander Bokovoy +--- + freeipa.spec.in | 2 - + install/share/Makefile.am | 2 - + install/share/nis-update.uldif | 38 ---- + install/share/nis.uldif | 96 ---------- + install/tools/Makefile.am | 2 - + install/tools/ipa-compat-manage.in | 17 +- + install/tools/ipa-nis-manage.in | 205 --------------------- + install/tools/man/Makefile.am | 1 - + install/tools/man/ipa-nis-manage.1 | 51 ----- + install/updates/10-enable-betxn.update | 3 - + install/updates/50-nis.update | 3 - + install/updates/Makefile.am | 1 - + ipaplatform/base/paths.py | 2 - + ipaserver/install/ipa_migrate.py | 27 +-- + ipaserver/install/ipa_migrate_constants.py | 24 --- + ipaserver/install/plugins/update_nis.py | 92 --------- + ipatests/test_cmdline/test_cli.py | 1 - + ipatests/test_integration/test_commands.py | 87 --------- + 18 files changed, 16 insertions(+), 638 deletions(-) + delete mode 100644 install/share/nis-update.uldif + delete mode 100644 install/share/nis.uldif + delete mode 100644 install/tools/ipa-nis-manage.in + delete mode 100644 install/tools/man/ipa-nis-manage.1 + delete mode 100644 install/updates/50-nis.update + delete mode 100644 ipaserver/install/plugins/update_nis.py + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index e370290bc..b5e33a6ac 100755 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -1508,7 +1508,6 @@ fi + %{_sbindir}/ipa-ldap-updater + %{_sbindir}/ipa-otptoken-import + %{_sbindir}/ipa-compat-manage +-%{_sbindir}/ipa-nis-manage + %{_sbindir}/ipa-managed-entries + %{_sbindir}/ipactl + 
%{_sbindir}/ipa-advise +@@ -1583,7 +1582,6 @@ fi + %{_mandir}/man1/ipa-ca-install.1* + %{_mandir}/man1/ipa-kra-install.1* + %{_mandir}/man1/ipa-compat-manage.1* +-%{_mandir}/man1/ipa-nis-manage.1* + %{_mandir}/man1/ipa-managed-entries.1* + %{_mandir}/man1/ipa-ldap-updater.1* + %{_mandir}/man8/ipactl.8* +diff --git a/install/share/Makefile.am b/install/share/Makefile.am +index 4029297b7..24664ca3b 100644 +--- a/install/share/Makefile.am ++++ b/install/share/Makefile.am +@@ -67,8 +67,6 @@ dist_app_DATA = \ + master-entry.ldif \ + memberof-task.ldif \ + memberof-conf.ldif \ +- nis.uldif \ +- nis-update.uldif \ + opendnssec_conf.template \ + opendnssec_kasp.template \ + unique-attributes.ldif \ +diff --git a/install/share/nis-update.uldif b/install/share/nis-update.uldif +deleted file mode 100644 +index e602c1de0..000000000 +--- a/install/share/nis-update.uldif ++++ /dev/null +@@ -1,38 +0,0 @@ +-# Updates for NIS +- +-# Correct syntax error that caused users to not appear +-dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config +-replace:nis-value-format: %merge(" ","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\\\")\",\"-\"),%{nisDomainName:-})")::%merge(" 
","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})") +- +-# Correct syntax error that caused nested netgroups to not work +-# https://bugzilla.redhat.com/show_bug.cgi?id=788625 +-dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config +-replace:nis-value-format: %merge(" 
","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})")::%merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})") +- +-# Make the padding an expression so usercat and 
hostcat always gets +-# evaluated when displaying entries. +-# https://bugzilla.redhat.com/show_bug.cgi?id=767372 +-dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config +-replace:nis-value-format: %merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})")::%merge(" 
","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\"),%{nisDomainName:-})") +- +-dn: nis-domain=$DOMAIN+nis-map=ethers.byaddr, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: ethers.byaddr +-default:nis-base: cn=computers, cn=accounts, $SUFFIX +-default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) +-default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6") +-default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) 
(.*)","%1:%2:%3:%4:%5:%6 %7") +-default:nis-secure: no +- +-dn: nis-domain=$DOMAIN+nis-map=ethers.byname, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: ethers.byname +-default:nis-base: cn=computers, cn=accounts, $SUFFIX +-default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) +-default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%7") +-default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") +-default:nis-secure: no +diff --git a/install/share/nis.uldif b/install/share/nis.uldif +deleted file mode 100644 +index 1735fb552..000000000 +--- a/install/share/nis.uldif ++++ /dev/null +@@ -1,96 +0,0 @@ +-dn: cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: nsSlapdPlugin +-default:objectclass: extensibleObject +-default:cn: NIS Server +-default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/nisserver-plugin.so +-default:nsslapd-plugininitfunc: nis_plugin_init +-default:nsslapd-plugintype: object +-default:nsslapd-pluginbetxn: on +-default:nsslapd-pluginenabled: on +-default:nsslapd-pluginid: nis-server +-default:nsslapd-pluginversion: 0.10 +-default:nsslapd-pluginvendor: redhat.com +-default:nsslapd-plugindescription: NIS Server Plugin +-default:nis-tcp-wrappers-name: nis-server +- +-dn: nis-domain=$DOMAIN+nis-map=passwd.byname, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: passwd.byname +-default:nis-base: cn=users, cn=accounts, $SUFFIX +-default:nis-secure: no +- +-dn: nis-domain=$DOMAIN+nis-map=passwd.byuid, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: 
$DOMAIN +-default:nis-map: passwd.byuid +-default:nis-base: cn=users, cn=accounts, $SUFFIX +-default:nis-secure: no +- +-dn: nis-domain=$DOMAIN+nis-map=group.byname, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: group.byname +-default:nis-base: cn=groups, cn=accounts, $SUFFIX +-default:nis-secure: no +- +-dn: nis-domain=$DOMAIN+nis-map=group.bygid, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: group.bygid +-default:nis-base: cn=groups, cn=accounts, $SUFFIX +-default:nis-secure: no +- +-dn: nis-domain=$DOMAIN+nis-map=netid.byname, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: netid.byname +-default:nis-base: cn=users, cn=accounts, $SUFFIX +-default:nis-secure: no +- +-# Note that the escapes in this entry can be quite confusing. The trick +-# is that each level of nesting requires (2^n) - 1 escapes. So the +-# first level is \", the second is \\\", the third is \\\\\\\", etc. +-# (1, 3, 7, 15, more than that and you'll go insane) +- +-# Note that this configuration mirrors the Schema Compat configuration for +-# triples. 
+-dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: netgroup +-default:nis-base: cn=ng, cn=alt, $SUFFIX +-default:nis-filter: (objectClass=ipanisNetgroup) +-default:nis-key-format: %{cn} +-default:nis-value-format:%merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\"),%{nisDomainName:-})") +-default:nis-secure: no +- +-dn: nis-domain=$DOMAIN+nis-map=ethers.byaddr, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: ethers.byaddr +-default:nis-base: cn=computers, cn=accounts, $SUFFIX +-default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) +-default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) 
(.*)","%1:%2:%3:%4:%5:%6") +-default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") +-default:nis-secure: no +- +-dn: nis-domain=$DOMAIN+nis-map=ethers.byname, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: ethers.byname +-default:nis-base: cn=computers, cn=accounts, $SUFFIX +-default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) +-default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%7") +-default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") +-default:nis-secure: no +- +diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am +index c454fad97..a5306ffe9 100644 +--- a/install/tools/Makefile.am ++++ b/install/tools/Makefile.am +@@ -19,7 +19,6 @@ dist_noinst_DATA = \ + ipa-server-upgrade.in \ + ipactl.in \ + ipa-compat-manage.in \ +- ipa-nis-manage.in \ + ipa-managed-entries.in \ + ipa-ldap-updater.in \ + ipa-otptoken-import.in \ +@@ -56,7 +55,6 @@ nodist_sbin_SCRIPTS = \ + ipa-server-upgrade \ + ipactl \ + ipa-compat-manage \ +- ipa-nis-manage \ + ipa-managed-entries \ + ipa-ldap-updater \ + ipa-otptoken-import \ +diff --git a/install/tools/ipa-compat-manage.in b/install/tools/ipa-compat-manage.in +index 459f39fc8..70dd7c451 100644 +--- a/install/tools/ipa-compat-manage.in ++++ b/install/tools/ipa-compat-manage.in +@@ -26,6 +26,7 @@ from ipaplatform.paths import paths + try: + from optparse import OptionParser # pylint: disable=deprecated-module + from ipapython import ipautil, config ++ from ipapython.ipaldap import realm_to_serverid + from ipaserver.install import installutils + from ipaserver.install.ldapupdate import LDAPUpdate + from ipalib import api, 
errors +@@ -150,9 +151,19 @@ def main(): + try: + entry = get_entry(nis_config_dn) + # We can't disable schema compat if the NIS plugin is enabled +- if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on': +- print("The NIS plugin is configured, cannot disable compatibility.", file=sys.stderr) +- print("Run 'ipa-nis-manage disable' first.", file=sys.stderr) ++ if ( ++ entry is not None ++ and entry.get("nsslapd-pluginenabled", [""])[0].lower() == "on" ++ ): ++ instance = realm_to_serverid(api.env.realm) ++ print( ++ "The NIS plugin is configured, cannot " ++ "disable compatibility.", file=sys.stderr, ++ ) ++ print( ++ f"Run \"dsconf {instance} plugin set --enabled off " ++ "'NIS Server'\" first.", file=sys.stderr, ++ ) + retval = 2 + except errors.ExecutionError as lde: + print("An error occurred while talking to the server.") +diff --git a/install/tools/ipa-nis-manage.in b/install/tools/ipa-nis-manage.in +deleted file mode 100644 +index 6b156ce6a..000000000 +--- a/install/tools/ipa-nis-manage.in ++++ /dev/null +@@ -1,205 +0,0 @@ +-#!/usr/bin/python3 +-# Authors: Rob Crittenden +-# Authors: Simo Sorce +-# +-# Copyright (C) 2009 Red Hat +-# see file 'COPYING' for use and warranty information +-# +-# This program is free software; you can redistribute it and/or modify +-# it under the terms of the GNU General Public License as published by +-# the Free Software Foundation, either version 3 of the License, or +-# (at your option) any later version. +-# +-# This program is distributed in the hope that it will be useful, +-# but WITHOUT ANY WARRANTY; without even the implied warranty of +-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-# GNU General Public License for more details. +-# +-# You should have received a copy of the GNU General Public License +-# along with this program. If not, see . 
+-# +- +-from __future__ import print_function +- +-import sys +-import os +-from ipaplatform.paths import paths +-try: +- from optparse import OptionParser # pylint: disable=deprecated-module +- from ipapython import ipautil, config +- from ipaserver.install import installutils +- from ipaserver.install.ldapupdate import LDAPUpdate +- from ipalib import api, errors +- from ipapython.ipa_log_manager import standard_logging_setup +- from ipapython.dn import DN +- from ipaplatform import services +-except ImportError as e: +- print("""\ +-There was a problem importing one of the required Python modules. The +-error was: +- +- %s +-""" % e, file=sys.stderr) +- sys.exit(1) +- +-nis_config_dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config')) +-compat_dn = DN(('cn', 'Schema Compatibility'), ('cn', 'plugins'), ('cn', 'config')) +- +-def parse_options(): +- usage = "%prog [options] \n" +- usage += "%prog [options]\n" +- parser = OptionParser(usage=usage, formatter=config.IPAFormatter()) +- +- parser.add_option("-d", "--debug", action="store_true", dest="debug", +- help="Display debugging information about the update(s)") +- parser.add_option("-y", dest="password", +- help="File containing the Directory Manager password") +- +- config.add_standard_options(parser) +- options, args = parser.parse_args() +- +- return options, args +- +-def get_dirman_password(): +- """Prompt the user for the Directory Manager password and verify its +- correctness. +- """ +- password = installutils.read_password("Directory Manager", confirm=False, validate=False, retry=False) +- +- return password +- +-def get_entry(dn): +- """ +- Return the entry for the given DN. If the entry is not found return +- None. 
+- """ +- entry = None +- try: +- entry = api.Backend.ldap2.get_entry(dn) +- except errors.NotFound: +- pass +- return entry +- +-def main(): +- retval = 0 +- files = [paths.NIS_ULDIF] +- servicemsg = "" +- +- if os.getegid() != 0: +- sys.exit('Must be root to use this tool.') +- +- installutils.check_server_configuration() +- +- options, args = parse_options() +- +- if len(args) != 1: +- sys.exit("You must specify one action: enable | disable | status") +- elif args[0] not in {"enable", "disable", "status"}: +- sys.exit("Unrecognized action [" + args[0] + "]") +- +- standard_logging_setup(None, debug=options.debug) +- dirman_password = "" +- if options.password: +- try: +- pw = ipautil.template_file(options.password, []) +- except IOError: +- sys.exit("File \"%s\" not found or not readable" % options.password) +- dirman_password = pw.strip() +- else: +- dirman_password = get_dirman_password() +- if dirman_password is None: +- sys.exit("Directory Manager password required") +- +- if not dirman_password: +- sys.exit("No password supplied") +- +- api.bootstrap( +- context='cli', confdir=paths.ETC_IPA, +- debug=options.debug, in_server=True) +- api.finalize() +- api.Backend.ldap2.connect(bind_pw=dirman_password) +- +- if args[0] == "enable": +- compat = get_entry(compat_dn) +- if compat is None or compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'off': +- sys.exit("The compat plugin needs to be enabled: ipa-compat-manage enable") +- entry = None +- try: +- entry = get_entry(nis_config_dn) +- except errors.ExecutionError as lde: +- print("An error occurred while talking to the server.") +- print(lde) +- retval = 1 +- +- # Enable either the portmap or rpcbind service +- portmap = services.knownservices.portmap +- rpcbind = services.knownservices.rpcbind +- +- if portmap.is_installed(): +- portmap.enable() +- servicemsg = portmap.service_name +- elif rpcbind.is_installed(): +- rpcbind.enable() +- servicemsg = rpcbind.service_name +- else: +- print("Unable to 
enable either %s or %s" % (portmap.service_name, rpcbind.service_name)) +- retval = 3 +- +- # The cn=config entry for the plugin may already exist but it +- # could be turned off, handle both cases. +- if entry is None: +- print("Enabling plugin") +- ld = LDAPUpdate() +- if ld.update(files) != True: +- retval = 1 +- elif entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off': +- print("Enabling plugin") +- # Already configured, just enable the plugin +- entry['nsslapd-pluginenabled'] = ['on'] +- api.Backend.ldap2.update_entry(entry) +- else: +- print("Plugin already Enabled") +- retval = 2 +- +- elif args[0] == "disable": +- try: +- entry = api.Backend.ldap2.get_entry(nis_config_dn, ['nsslapd-pluginenabled']) +- entry['nsslapd-pluginenabled'] = ['off'] +- api.Backend.ldap2.update_entry(entry) +- except (errors.NotFound, errors.EmptyModlist): +- print("Plugin is already disabled") +- retval = 2 +- except errors.LDAPError as lde: +- print("An error occurred while talking to the server.") +- print(lde) +- retval = 1 +- +- elif args[0] == "status": +- nis_entry = get_entry(nis_config_dn) +- enabled = (nis_entry and +- nis_entry.get( +- 'nsslapd-pluginenabled', '')[0].lower() == "on") +- if enabled: +- print("Plugin is enabled") +- retval = 0 +- else: +- print("Plugin is not enabled") +- retval = 4 +- +- else: +- retval = 1 +- +- if retval == 0: +- if args[0] in {"enable", "disable"}: +- print("This setting will not take effect until you restart " +- "Directory Server.") +- +- if args[0] == "enable": +- print("The %s service may need to be started." 
% servicemsg)
+-
+- api.Backend.ldap2.disconnect()
+-
+- return retval
+-
+-if __name__ == '__main__':
+- installutils.run_script(main, operation_name='ipa-nis-manage')
+diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am
+index 34f359863..282407602 100644
+--- a/install/tools/man/Makefile.am
++++ b/install/tools/man/Makefile.am
+@@ -18,7 +18,6 @@ dist_man1_MANS = \
+ ipa-kra-install.1 \
+ ipa-ldap-updater.1 \
+ ipa-compat-manage.1 \
+- ipa-nis-manage.1 \
+ ipa-managed-entries.1 \
+ ipa-backup.1 \
+ ipa-restore.1 \
+diff --git a/install/tools/man/ipa-nis-manage.1 b/install/tools/man/ipa-nis-manage.1
+deleted file mode 100644
+index 1107b7790..000000000
+--- a/install/tools/man/ipa-nis-manage.1
++++ /dev/null
+@@ -1,51 +0,0 @@
+-.\" A man page for ipa-nis-manage
+-.\" Copyright (C) 2009 Red Hat, Inc.
+-.\"
+-.\" This program is free software; you can redistribute it and/or modify
+-.\" it under the terms of the GNU General Public License as published by
+-.\" the Free Software Foundation, either version 3 of the License, or
+-.\" (at your option) any later version.
+-.\"
+-.\" This program is distributed in the hope that it will be useful, but
+-.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+-.\" General Public License for more details.
+-.\"
+-.\" You should have received a copy of the GNU General Public License
+-.\" along with this program. If not, see .
+-.\"
+-.\" Author: Rob Crittenden
+-.\"
+-.TH "ipa-nis-manage" "1" "April 25 2016" "IPA" "IPA Manual Pages"
+-.SH "NAME"
+-ipa\-nis\-manage \- Enables or disables the NIS listener plugin
+-.SH "SYNOPSIS"
+-ipa\-nis\-manage [options]
+-.SH "DESCRIPTION"
+-Run the command with the \fBenable\fR option to enable the NIS plugin.
+-
+-Run the command with the \fBdisable\fR option to disable the NIS plugin.
+-
+-Run the command with the \fBstatus\fR option to read status of the NIS plugin.
Return code 0 indicates enabled plugin, return code 4 indicates disabled plugin.
+-
+-In all cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used.
+-
+-Directory Server will need to be restarted after the NIS listener plugin has been enabled.
+-
+-.SH "OPTIONS"
+-.TP
+-\fB\-d\fR, \fB\-\-debug\fR
+-Enable debug logging when more verbose output is needed
+-.TP
+-\fB\-y\fR \fIfile\fR
+-File containing the Directory Manager password
+-.SH "EXIT STATUS"
+-0 if the command was successful
+-
+-1 if an error occurred
+-
+-2 if the plugin is already in the required status (enabled or disabled)
+-
+-3 if RPC services cannot be enabled.
+-
+-4 if status command detected plugin in disabled state.
+diff --git a/install/updates/10-enable-betxn.update b/install/updates/10-enable-betxn.update
+index 1f89341c7..9525292cb 100644
+--- a/install/updates/10-enable-betxn.update
++++ b/install/updates/10-enable-betxn.update
+@@ -44,6 +44,3 @@ only: nsslapd-pluginbetxn: on
+
+ dn: cn=Schema Compatibility, cn=plugins, cn=config
+ onlyifexist: nsslapd-pluginbetxn: on
+-
+-dn: cn=NIS Server, cn=plugins, cn=config
+-onlyifexist: nsslapd-pluginbetxn: on
+diff --git a/install/updates/50-nis.update b/install/updates/50-nis.update
+deleted file mode 100644
+index 05a166f00..000000000
+--- a/install/updates/50-nis.update
++++ /dev/null
+@@ -1,3 +0,0 @@
+-# Updates are applied only if NIS plugin has been configured
+-# update definitions are located in install/share/nis-update.uldif
+-plugin: update_nis_configuration
+diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
+index fd96831d8..cce2670a6 100644
+--- a/install/updates/Makefile.am
++++ b/install/updates/Makefile.am
+@@ -52,7 +52,6 @@ app_DATA = \
+ 50-groupuuid.update \
+ 50-hbacservice.update \
+ 50-krbenctypes.update \
+- 50-nis.update \
+ 50-ipaconfig.update \
+ 55-pbacmemberof.update \
+ 59-trusts-sysacount.update \
+diff --git a/ipaplatform/base/paths.py
b/ipaplatform/base/paths.py
+index b339d2202..aed293845 100644
+--- a/ipaplatform/base/paths.py
++++ b/ipaplatform/base/paths.py
+@@ -295,8 +295,6 @@ class BasePathNamespace:
+ KRB_CON = "/usr/share/ipa/html/krb.con"
+ HTML_KRB5_INI = "/usr/share/ipa/html/krb5.ini"
+ HTML_KRBREALM_CON = "/usr/share/ipa/html/krbrealm.con"
+- NIS_ULDIF = "/usr/share/ipa/nis.uldif"
+- NIS_UPDATE_ULDIF = "/usr/share/ipa/nis-update.uldif"
+ SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/updates/91-schema_compat.update"
+ SCHEMA_COMPAT_POST_ULDIF = "/usr/share/ipa/schema_compat_post.uldif"
+ IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
+diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
+index e21937401..a889143ec 100644
+--- a/ipaserver/install/ipa_migrate.py
++++ b/ipaserver/install/ipa_migrate.py
+@@ -31,7 +31,7 @@ from ipapython.ipa_log_manager import standard_logging_setup
+ from ipaserver.install.ipa_migrate_constants import (
+ DS_CONFIG, DB_OBJECTS, DS_INDEXES, BIND_DN, LOG_FILE_NAME,
+ STRIP_OP_ATTRS, STRIP_ATTRS, STRIP_OC, PROD_ATTRS,
+- DNA_REGEN_VAL, DNA_REGEN_ATTRS, NIS_PLUGIN, IGNORE_ATTRS,
++ DNA_REGEN_VAL, DNA_REGEN_ATTRS, IGNORE_ATTRS,
+ DB_EXCLUDE_TREES
+ )
+
+@@ -718,8 +718,7 @@ class IPAMigrate():
+ self.log_info(title)
+ self.log_info('-' * (len(title) - 1))
+ logged_something = self.log_stats(DS_CONFIG)
+- if self.args.verbose or NIS_PLUGIN['count'] > 0:
+- self.log_info(f" - NIS Server Plugin: {NIS_PLUGIN['count']}")
++ if self.args.verbose:
+ logged_something = True
+ if not self.log_stats(DS_INDEXES) and not logged_something:
+ self.log_info(" - No updates")
+@@ -1847,28 +1846,6 @@ class IPAMigrate():
+ add_missing=True)
+ stats['config_processed'] += 1
+
+- # Slapi NIS Plugin
+- if DN(NIS_PLUGIN['dn']) == DN(entry['dn']):
+- # Parent plugin entry
+- self.process_config_entry(
+- entry['dn'], entry['attrs'], NIS_PLUGIN,
+- add_missing=True)
+- stats['config_processed'] += 1
+- elif DN(NIS_PLUGIN['dn']) in DN(entry['dn']):
+- # Child
NIS plugin entry
+- nis_dn = entry['dn']
+- lc_remote_realm = self.remote_realm.lower()
+- lc_realm = self.realm.lower()
+- nis_dn = nis_dn.replace(lc_remote_realm, lc_realm)
+- if 'nis-domain' in entry['attrs']:
+- value = entry['attrs']['nis-domain'][0]
+- value = value.replace(lc_remote_realm, lc_realm)
+- entry['attrs']['nis-domain'][0] = value
+- # Process the entry
+- self.process_config_entry(nis_dn, entry['attrs'], NIS_PLUGIN,
+- add_missing=True)
+- stats['config_processed'] += 1
+-
+ #
+ # Migration
+ #
+diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py
+index 0e26c7549..e0e504741 100644
+--- a/ipaserver/install/ipa_migrate_constants.py
++++ b/ipaserver/install/ipa_migrate_constants.py
+@@ -502,30 +502,6 @@ DS_CONFIG = {
+ },
+ }
+
+-#
+-# Slpai NIS is an optional plugin. It requires special handling
+-#
+-NIS_PLUGIN = {
+- 'dn': 'cn=NIS Server,cn=plugins,cn=config',
+- 'attrs': [
+- 'nis-domain',
+- 'nis-base',
+- 'nis-map',
+- 'nis-filter',
+- 'nis-key-format:',
+- 'nis-values-format:',
+- 'nis-secure',
+- 'nis-disallowed-chars',
+- # Parent plugin entry
+- 'nsslapd-pluginarg0',
+- 'nsslapd-pluginenabled'
+- ],
+- 'multivalued': [],
+- 'label': 'NIS Server Plugin',
+- 'mode': 'all',
+- 'count': 0,
+-}
+-
+ #
+ # This mapping is simliar to above but it handles container entries
+ # This could be built into the above mapping using the "comma" approach
+diff --git a/ipaserver/install/plugins/update_nis.py b/ipaserver/install/plugins/update_nis.py
+deleted file mode 100644
+index c02eb5f83..000000000
+--- a/ipaserver/install/plugins/update_nis.py
++++ /dev/null
+@@ -1,92 +0,0 @@
+-#
+-# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
+-#
+-
+-from __future__ import absolute_import
+-
+-import logging
+-
+-from ipalib.plugable import Registry
+-from ipalib import errors
+-from ipalib import Updater
+-from ipaplatform.paths import paths
+-from ipapython.dn import DN
+-from ipaserver.install
import sysupgrade
+-from ipaserver.install.ldapupdate import LDAPUpdate
+-
+-logger = logging.getLogger(__name__)
+-
+-register = Registry()
+-
+-
+-@register()
+-class update_nis_configuration(Updater):
+- """Update NIS configuration
+-
+- NIS configuration can be updated only if NIS Server was configured via
+- ipa-nis-manage command.
+- """
+-
+- def __recover_from_missing_maps(self, ldap):
+- # https://fedorahosted.org/freeipa/ticket/5507
+- # if all following DNs are missing, but 'NIS Server' container exists
+- # we are experiencig bug and maps should be fixed
+-
+- if sysupgrade.get_upgrade_state('nis',
+- 'done_recover_from_missing_maps'):
+- # this recover must be done only once, a user may deleted some
+- # maps, we do not want to restore them again
+- return
+-
+- logger.debug("Recovering from missing NIS maps bug")
+-
+- suffix = "cn=NIS Server,cn=plugins,cn=config"
+- domain = self.api.env.domain
+- missing_dn_list = [
+- DN(nis_map.format(domain=domain, suffix=suffix)) for nis_map in [
+- "nis-domain={domain}+nis-map=passwd.byname,{suffix}",
+- "nis-domain={domain}+nis-map=passwd.byuid,{suffix}",
+- "nis-domain={domain}+nis-map=group.byname,{suffix}",
+- "nis-domain={domain}+nis-map=group.bygid,{suffix}",
+- "nis-domain={domain}+nis-map=netid.byname,{suffix}",
+- "nis-domain={domain}+nis-map=netgroup,{suffix}",
+- ]
+- ]
+-
+- for dn in missing_dn_list:
+- try:
+- ldap.get_entry(dn, attrs_list=['cn'])
+- except errors.NotFound:
+- pass
+- else:
+- # bug is not effective, at least one of 'possible missing'
+- # maps was detected
+- return
+-
+- sysupgrade.set_upgrade_state('nis', 'done_recover_from_missing_maps',
+- True)
+-
+- # bug is effective run update to recreate missing maps
+- ld = LDAPUpdate(api=self.api)
+- ld.update([paths.NIS_ULDIF])
+-
+- def execute(self, **options):
+- ldap = self.api.Backend.ldap2
+- dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config'))
+- try:
+- ldap.get_entry(dn, attrs_list=['cn'])
+- except
errors.NotFound:
+- # NIS is not configured on system, do not execute update
+- logger.debug("Skipping NIS update, NIS Server is not configured")
+-
+- # container does not exist, bug #5507 is not effective
+- sysupgrade.set_upgrade_state(
+- 'nis', 'done_recover_from_missing_maps', True)
+- else:
+- self.__recover_from_missing_maps(ldap)
+-
+- logger.debug("Executing NIS Server update")
+- ld = LDAPUpdate(api=self.api)
+- ld.update([paths.NIS_UPDATE_ULDIF])
+-
+- return False, ()
+diff --git a/ipatests/test_cmdline/test_cli.py b/ipatests/test_cmdline/test_cli.py
+index ae0d059ce..718798d68 100644
+--- a/ipatests/test_cmdline/test_cli.py
++++ b/ipatests/test_cmdline/test_cli.py
+@@ -385,7 +385,6 @@ IPA_CLIENT_NOT_CONFIGURED = b'IPA client is not configured on this system'
+ '/usr/share/ipa/updates/05-pre_upgrade_plugins.update'],
+ 2, None, IPA_NOT_CONFIGURED),
+ (['ipa-managed-entries'], 2, None, IPA_NOT_CONFIGURED),
+- (['ipa-nis-manage'], 2, None, IPA_NOT_CONFIGURED),
+ (['ipa-pkinit-manage'], 2, None, IPA_NOT_CONFIGURED),
+ (['ipa-replica-manage', 'list'], 1, IPA_NOT_CONFIGURED, None),
+ (['ipa-server-certinstall'], 2, None, IPA_NOT_CONFIGURED),
+diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
+index fd34defe5..e00b0f3bb 100644
+--- a/ipatests/test_integration/test_commands.py
++++ b/ipatests/test_integration/test_commands.py
+@@ -1269,93 +1269,6 @@ class TestIPACommand(IntegrationTest):
+ serverid = realm_to_serverid(self.master.domain.realm)
+ return ("dirsrv@%s.service" % serverid)
+
+- def test_ipa_nis_manage_enable(self):
+- """
+- This testcase checks if ipa-nis-manage enable
+- command enables plugin on an IPA master
+- """
+- dirsrv_service = self.get_dirsrv_id()
+- console_msg = (
+- "Enabling plugin\n"
+- "This setting will not take effect until "
+- "you restart Directory Server.\n"
+- "The rpcbind service may need to be started"
+- )
+- status_msg = "Plugin is enabled"
+-
tasks.kinit_admin(self.master)
+- result = self.master.run_command(
+- ["ipa-nis-manage", "enable"],
+- stdin_text=self.master.config.admin_password,
+- )
+- assert console_msg in result.stdout_text
+- # verify using backend
+- conn = self.master.ldap_connect()
+- dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config'))
+- entry = conn.get_entry(dn)
+- nispluginstring = entry.get('nsslapd-pluginEnabled')
+- assert 'on' in nispluginstring
+- # restart for changes to take effect
+- self.master.run_command(["systemctl", "restart", dirsrv_service])
+- self.master.run_command(["systemctl", "restart", "rpcbind"])
+- time.sleep(DIRSRV_SLEEP)
+- # check status msg on the console
+- result = self.master.run_command(
+- ["ipa-nis-manage", "status"],
+- stdin_text=self.master.config.admin_password,
+- )
+- assert status_msg in result.stdout_text
+-
+- def test_ipa_nis_manage_disable(self):
+- """
+- This testcase checks if ipa-nis-manage disable
+- command disable plugin on an IPA Master
+- """
+- dirsrv_service = self.get_dirsrv_id()
+- msg = (
+- "This setting will not take effect "
+- "until you restart Directory Server."
+- )
+- status_msg = "Plugin is not enabled"
+- tasks.kinit_admin(self.master)
+- result = self.master.run_command(
+- ["ipa-nis-manage", "disable"],
+- stdin_text=self.master.config.admin_password,
+- )
+- assert msg in result.stdout_text
+- # verify using backend
+- conn = self.master.ldap_connect()
+- dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config'))
+- entry = conn.get_entry(dn)
+- nispluginstring = entry.get('nsslapd-pluginEnabled')
+- assert 'off' in nispluginstring
+- # restart dirsrv for changes to take effect
+- self.master.run_command(["systemctl", "restart", dirsrv_service])
+- time.sleep(DIRSRV_SLEEP)
+- # check status msg on the console
+- result = self.master.run_command(
+- ["ipa-nis-manage", "status"],
+- stdin_text=self.master.config.admin_password,
+- raiseonerr=False,
+- )
+- assert result.returncode == 4
+- assert status_msg in result.stdout_text
+-
+- def test_ipa_nis_manage_enable_incorrect_password(self):
+- """
+- This testcase checks if ipa-nis-manage enable
+- command throws error on console for invalid DS admin password
+- """
+- msg1 = "Insufficient access: "
+- msg2 = "Invalid credentials"
+- result = self.master.run_command(
+- ["ipa-nis-manage", "enable"],
+- stdin_text='Invalid_pwd',
+- raiseonerr=False,
+- )
+- assert result.returncode == 1
+- assert msg1 in result.stderr_text
+- assert msg2 in result.stderr_text
+-
+ def test_pkispawn_log_is_present(self):
+ """
+ This testcase checks if pkispawn logged properly.
+--
+2.45.2
+
+
diff --git a/0003-ipa-otptoken-import-open-the-key-file-in-binary-mode.patch b/0003-ipa-otptoken-import-open-the-key-file-in-binary-mode.patch
deleted file mode 100644
index 7e7c943..0000000
--- a/0003-ipa-otptoken-import-open-the-key-file-in-binary-mode.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 9de053ef02db8cb63e14edc64ac22ec2d3d7bbc9 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud
-Date: Mon, 17 Jun 2024 17:01:33 +0200
-Subject: [PATCH] ipa-otptoken-import: open the key file in binary mode
-
-ipa-otptoken-import provides an option (-k KEYFILE) to import
-an encrypted PSKC file but this option does not work with python3
-in RHEL8 and above, because the key should be passed in binary
-format to the cryptography functions instead of string format.
-
-Open the keyfile in binary mode to pass the expected format.
-
-Fixes: https://pagure.io/freeipa/issue/9609
-Signed-off-by: Florence Blanc-Renaud
-Reviewed-By: Rob Crittenden
----
- ipaserver/install/ipa_otptoken_import.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
-index dbaeacdf6885d3238f2d0294e24a5adad5a5c38d..d3f3d3cfa84e4a4bf57383e0ba543f4543e25c92 100644
---- a/ipaserver/install/ipa_otptoken_import.py
-+++ b/ipaserver/install/ipa_otptoken_import.py
-@@ -539,7 +539,7 @@ class OTPTokenImport(admintool.AdminTool):
-
- # Load the keyfile.
- keyfile = self.safe_options.keyfile
-- with open(keyfile) as f:
-+ with open(keyfile, "rb") as f:
- self.doc.setKey(f.read())
-
- def run(self):
---
-2.45.2
-
diff --git a/0004-spec-file-do-not-create-etc-ssh-ssh_config.orig-if-u.patch b/0004-spec-file-do-not-create-etc-ssh-ssh_config.orig-if-u.patch
deleted file mode 100644
index e03537c..0000000
--- a/0004-spec-file-do-not-create-etc-ssh-ssh_config.orig-if-u.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 09e66dc936cf2d99bcc44d60d6851aafa9ede46a Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud
-Date: Wed, 19 Jun 2024 15:38:36 +0200
-Subject: [PATCH] spec file: do not create /etc/ssh/ssh_config.orig if
- unchanged
-
-The upgrade removes the line
-HostKeyAlgorithms ssh-rsa,ssh-dss
-if present in /etc/ssh/ssh_config and creates a backup in
-/etc/ssh/ssh_config.orig, even if no change was applied.
-
-Create the backup file only if the file was changed.
-
-Fixes: https://pagure.io/freeipa/issue/9610
-
-Signed-off-by: Florence Blanc-Renaud
-Reviewed-By: Michal Polovka
----
- freeipa.spec.in | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index 6803de752bc122bf6e1eafd610d399cde994cad5..1e1a0c04728972c6c53beb47dafb25d7898ab0ea 100755
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -1320,7 +1320,9 @@ if [ $1 -gt 1 ] ; then
- chmod 0600 /var/log/ipaupgrade.log
- SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config"
- if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then
-- sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
-+ if grep -E -q '^HostKeyAlgorithms ssh-rsa,ssh-dss' $SSH_CLIENT_SYSTEM_CONF 2>/dev/null; then
-+ sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
-+ fi
- # https://pagure.io/freeipa/issue/9536
- # replace sss_ssh_knownhostsproxy with sss_ssh_knownhosts
- if [ -f '/usr/bin/sss_ssh_knownhosts' ]; then
---
-2.45.2
-
diff --git a/0005-ipatests-add-test-for-ticket-9610.patch b/0005-ipatests-add-test-for-ticket-9610.patch
deleted file mode 100644
index 2bf0ad3..0000000
--- a/0005-ipatests-add-test-for-ticket-9610.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 4d51446bd3cd9ab222f9978f8f5def1f3a37fa0e Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud
-Date: Thu, 20 Jun 2024 08:13:27 +0200
-Subject: [PATCH] ipatests: add test for ticket 9610
-
-Test scenario:
-- ensure there is no /etc/ssh/ssh_config.orig file
-- force ipa-client package reinstallation
-- ensure no backup file is created in /etc/ssh/ssh_config.orig
-
-Related: https://pagure.io/freeipa/issue/9610
-Signed-off-by: Florence Blanc-Renaud
-Reviewed-By: Michal Polovka
----
- ipatests/pytest_ipa/integration/tasks.py | 15 +++++++++++++++
- ipatests/test_integration/test_upgrade.py | 14 ++++++++++++++
- 2 files changed, 29 insertions(+)
-
-diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
-index 6665f361e0880a149ecca8c6f7c3fe1feb1f42d0..9d6b5f67a311a28c335801d59e0ff0f0c7faccdd 100755
---- a/ipatests/pytest_ipa/integration/tasks.py
-+++ b/ipatests/pytest_ipa/integration/tasks.py
-@@ -2550,6 +2550,21 @@ def install_packages(host, pkgs):
- host.run_command(install_cmd + pkgs)
-
-
-+def reinstall_packages(host, pkgs):
-+ """Install packages on a remote host.
-+ :param host: the host where the installation takes place
-+ :param pkgs: packages to install, provided as a list of strings
-+ """
-+ platform = get_platform(host)
-+ if platform in {'rhel', 'fedora'}:
-+ install_cmd = ['/usr/bin/dnf', 'reinstall', '-y']
-+ elif platform in {'debian', 'ubuntu'}:
-+ install_cmd = ['apt-get', '--reinstall', 'install', '-y']
-+ else:
-+ raise ValueError('install_packages: unknown platform %s' % platform)
-+ host.run_command(install_cmd + pkgs)
-+
-+
- def download_packages(host, pkgs):
- """Download packages on a remote host.
- :param host: the host where the download takes place
-diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
-index 182e3b5da3c758cc10913ad4eed119b0983fcc23..011de939e92790734d63da2f85be1c25349116a8 100644
---- a/ipatests/test_integration/test_upgrade.py
-+++ b/ipatests/test_integration/test_upgrade.py
-@@ -477,3 +477,17 @@ class TestUpgrade(IntegrationTest):
- self.master.run_command(['ipa-server-upgrade'])
- assert self.master.transport.file_exists(
- paths.SYSTEMD_PKI_TOMCAT_IPA_CONF)
-+
-+ def test_ssh_config(self):
-+ """Test that pkg upgrade does not create /etc/ssh/ssh_config.orig
-+
-+ Test for ticket 9610
-+ The upgrade of ipa-client package should not create a backup file
-+ /etc/ssh/ssh_config.orig if no change is applied.
-+ """
-+ # Ensure there is no backup file before the test
-+ self.master.run_command(["rm", "-f", paths.SSH_CONFIG + ".orig"])
-+ # Force client package reinstallation to trigger %post scriptlet
-+ tasks.reinstall_packages(self.master, ['*ipa-client'])
-+ assert not self.master.transport.file_exists(
-+ paths.SSH_CONFIG + ".orig")
---
-2.45.2
-
diff --git a/0006-PKINIT-certificate-fix-renewal-on-hidden-replica.patch b/0006-PKINIT-certificate-fix-renewal-on-hidden-replica.patch
deleted file mode 100644
index 38dfd03..0000000
--- a/0006-PKINIT-certificate-fix-renewal-on-hidden-replica.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From c8e3fdeb0015f9c52c64816d6cd39279c5d3ad5a Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud
-Date: Thu, 20 Jun 2024 08:36:04 +0200
-Subject: [PATCH] PKINIT certificate: fix renewal on hidden replica
-
-The renewal of PKINIT cert on hidden replica is failing because
-of a test ensuring that the KDC service is either enabled or
-configured. The test needs to be extended and allow hidden, too.
-
-Fixes: https://pagure.io/freeipa/issue/9611
-Signed-off-by: Florence Blanc-Renaud
-Reviewed-By: Rob Crittenden
----
- ipaserver/plugins/cert.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
-index df415c375189a54ceb0a00670f9c15e2f154a94e..6249c6d6f24acdca4fc3e9dd989f58344192b567 100644
---- a/ipaserver/plugins/cert.py
-+++ b/ipaserver/plugins/cert.py
-@@ -55,7 +55,7 @@ from ipapython.dn import DN
- from ipapython.ipautil import datetime_from_utctimestamp
- from ipaserver.plugins.service import normalize_principal, validate_realm
- from ipaserver.masters import (
-- ENABLED_SERVICE, CONFIGURED_SERVICE, is_service_enabled
-+ ENABLED_SERVICE, CONFIGURED_SERVICE, HIDDEN_SERVICE, is_service_enabled
- )
-
- try:
-@@ -300,7 +300,7 @@ def caacl_check(principal, ca, profile_id):
- def ca_kdc_check(api_instance, hostname):
- master_dn = api_instance.Object.server.get_dn(unicode(hostname))
- kdc_dn = DN(('cn', 'KDC'), master_dn)
-- wanted = {ENABLED_SERVICE, CONFIGURED_SERVICE}
-+ wanted = {ENABLED_SERVICE, CONFIGURED_SERVICE, HIDDEN_SERVICE}
- try:
- kdc_entry = api_instance.Backend.ldap2.get_entry(
- kdc_dn, ['ipaConfigString'])
---
-2.45.2
-
diff --git a/0007-ipatests-add-test-for-PKINIT-renewal-on-hidden-repli.patch b/0007-ipatests-add-test-for-PKINIT-renewal-on-hidden-repli.patch
deleted file mode 100644
index e19f7f4..0000000
--- a/0007-ipatests-add-test-for-PKINIT-renewal-on-hidden-repli.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 467ec04f93a29fd31ba037cef348c09547541fe7 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud
-Date: Mon, 24 Jun 2024 09:18:54 +0200
-Subject: [PATCH] ipatests: add test for PKINIT renewal on hidden replica
-
-Test scenario: on a hidden replica, force the renewal of
-PKINIT cert by calling getcert resubmit.
-
-Related: https://pagure.io/freeipa/issue/9611
-Signed-off-by: Florence Blanc-Renaud
-Reviewed-By: Rob Crittenden
----
- .../test_integration/test_replica_promotion.py | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
-index b71f2d5d7e1517ab73d79b62477a3377839b0b7a..7ef44c571c8a4106577d27f4712f661be873dacc 100644
---- a/ipatests/test_integration/test_replica_promotion.py
-+++ b/ipatests/test_integration/test_replica_promotion.py
-@@ -26,6 +26,7 @@ from ipalib.constants import (
- )
- from ipaplatform.paths import paths
- from ipapython import certdb
-+from ipatests.test_integration.test_cert import get_certmonger_fs_id
- from ipatests.test_integration.test_dns_locations import (
- resolve_records_from_server, IPA_DEFAULT_MASTER_SRV_REC
- )
-@@ -1241,6 +1242,23 @@ class TestHiddenReplicaPromotion(IntegrationTest):
- 'ipa-crlgen-manage', 'status'])
- assert "CRL generation: enabled" in result.stdout_text
-
-+ def test_hidden_replica_renew_pkinit_cert(self):
-+ """Renew the PKINIT cert on a hidden replica.
-+
-+ Test for https://pagure.io/freeipa/issue/9611
-+ """
-+ # Get Request ID
-+ cmd = ['getcert', 'list', '-f', paths.KDC_CERT]
-+ result = self.replicas[0].run_command(cmd)
-+ req_id = get_certmonger_fs_id(result.stdout_text)
-+
-+ self.replicas[0].run_command([
-+ 'getcert', 'resubmit', '-f', paths.KDC_CERT
-+ ])
-+ tasks.wait_for_certmonger_status(
-+ self.replicas[0], ('MONITORING'), req_id, timeout=600
-+ )
-+
-
- class TestHiddenReplicaKRA(IntegrationTest):
- """Test KRA & hidden replica features.
---
-2.45.2
-
diff --git a/0008-ipatests-Tests-for-ipa-ipa-migration-tool.patch b/0008-ipatests-Tests-for-ipa-ipa-migration-tool.patch
deleted file mode 100644
index 499c07c..0000000
--- a/0008-ipatests-Tests-for-ipa-ipa-migration-tool.patch
+++ /dev/null
@@ -1,917 +0,0 @@
-From 90b22ff888cc55132c78024d08ffcf0ce8021cea Mon Sep 17 00:00:00 2001
-From: Sudhir Menon
-Date: Tue, 25 Jun 2024 11:00:28 +0530
-Subject: [PATCH] ipatests: Tests for ipa-ipa migration tool
-
-This patch includes tests for ipa-ipa migration
-tool
-
-Signed-off-by: Sudhir Menon
-Reviewed-By: Florence Blanc-Renaud
-Reviewed-By: Mark Reynolds
----
- ipaplatform/base/paths.py | 1 +
- .../test_ipa_ipa_migration.py | 879 ++++++++++++++++++
- 2 files changed, 880 insertions(+)
- create mode 100644 ipatests/test_integration/test_ipa_ipa_migration.py
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index 2b0fc6b5aa954a1018f602605eb0cdcebcee0592..b339d2202f440e0277d50073060f4a3b55e312fe 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -425,6 +425,7 @@ class BasePathNamespace:
- IPA_CUSTODIA_HANDLER = "/usr/libexec/ipa/custodia"
- IPA_CUSTODIA_CHECK = "/usr/libexec/ipa/ipa-custodia-check"
- IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
-+ IPA_MIGRATE_LOG = '/var/log/ipa-migrate.log'
- EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
- GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
- KRB5CC_HTTPD = '/tmp/krb5cc-httpd'
-diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
-new file mode 100644
-index 0000000000000000000000000000000000000000..7e2d4a34216f6cf168f15dda10ce10538a3c3cb9
---- /dev/null
-+++ b/ipatests/test_integration/test_ipa_ipa_migration.py
-@@ -0,0 +1,879 @@
-+# Copyright (C) 2020 FreeIPA Contributors see COPYING for license
-+#
-+
-+"""
-+Tests to verify ipa-migrate tool.
-+"""
-+
-+from __future__ import absolute_import
-+from ipatests.test_integration.base import IntegrationTest
-+from ipatests.pytest_ipa.integration import tasks
-+from ipaplatform.paths import paths
-+
-+import pytest
-+import textwrap
-+
-+
-+def prepare_ipa_server(master):
-+ """
-+ Setup remote IPA server environment
-+ """
-+ # Setup IPA users
-+ for i in range(1, 5):
-+ master.run_command(
-+ [
-+ "ipa",
-+ "user-add",
-+ "testuser%d" % i,
-+ "--first",
-+ "Test",
-+ "--last",
-+ "User%d" % i,
-+ ]
-+ )
-+
-+ # Setup IPA group
-+ master.run_command(["ipa", "group-add", "testgroup"])
-+
-+ # Add respective members to each group
-+ master.run_command(
-+ ["ipa", "group-add-member", "testgroup", "--users=testuser1"]
-+ )
-+
-+ # Adding stage user
-+ master.run_command(
-+ [
-+ "ipa",
-+ "stageuser-add",
-+ "--first=Tim",
-+ "--last=User",
-+ "--password",
-+ "tuser1",
-+ ]
-+ )
-+
-+ # Add Custom idrange
-+ master.run_command(
-+ [
-+ "ipa",
-+ "idrange-add",
-+ "testrange",
-+ "--base-id=10000",
-+ "--range-size=10000",
-+ "--rid-base=300000",
-+ "--secondary-rid-base=400000",
-+ ]
-+ )
-+
-+ # Add Automount locations and maps
-+ master.run_command(["ipa", "automountlocation-add", "baltimore"])
-+ master.run_command(["ipa", "automountmap-add", "baltimore", "auto.share"])
-+ master.run_command(
-+ [
-+ "ipa",
-+ "automountmap-add-indirect",
-+ "baltimore",
-+ "--parentmap=auto.share",
-+ "--mount=sub auto.man",
-+ ]
-+ )
-+ master.run_command(
-+ [
-+ "ipa",
-+ "automountkey-add",
-+ "baltimore",
-+ "auto.master",
-+ "--key=/share",
-+ "--info=auto.share",
-+ ]
-+ )
-+
-+ # Run ipa-adtrust-install
-+ master.run_command(["dnf", "install", "-y", "ipa-server-trust-ad"])
-+ master.run_command(
-+ [
-+ "ipa-adtrust-install",
-+ "-a",
-+ master.config.admin_password,
-+ "--add-sids",
-+ "-U",
-+ ]
-+ )
-+
-+ # Generate subids for users
-+ master.run_command(["ipa", "subid-generate", "--owner=testuser1"])
-+ master.run_command(["ipa", "subid-generate",
"--owner=admin"])
-+
-+ # Add Sudo rules
-+ master.run_command(["ipa", "sudorule-add", "readfiles"])
-+ master.run_command(["ipa", "sudocmd-add", "/usr/bin/less"])
-+ master.run_command(
-+ [
-+ "ipa",
-+ "sudorule-add-allow-command",
-+ "readfiles",
-+ "--sudocmds",
-+ "/usr/bin/less",
-+ ]
-+ )
-+ master.run_command(
-+ [
-+ "ipa",
-+ "sudorule-add-host",
-+ "readfiles",
-+ "--hosts",
-+ "server.example.com",
-+ ]
-+ )
-+ master.run_command(
-+ ["ipa", "sudorule-add-user", "readfiles", "--users", "testuser1"]
-+ )
-+
-+ # Add Custom CA
-+ master.run_command(
-+ [
-+ "ipa",
-+ "ca-add",
-+ "puppet",
-+ "--desc",
-+ '"Puppet"',
-+ "--subject",
-+ "CN=Puppet CA,O=TESTRELM.TEST",
-+ ]
-+ )
-+
-+ # Add ipa roles and add privileges to the role
-+ master.run_command(
-+ ["ipa", "role-add", "--desc=Junior-level admin", "junioradmin"]
-+ )
-+ master.run_command(
-+ [
-+ "ipa",
-+ "role-add-privilege",
-+ "--privileges=User Administrators",
-+ "junioradmin",
-+ ]
-+ )
-+
-+ # Add permission
-+ master.run_command(
-+ [
-+ "ipa",
-+ "permission-add",
-+ "--type=user",
-+ "--permissions=add",
-+ "Add Users",
-+ ]
-+ )
-+
-+ # Add otp token for testuser1
-+ master.run_command(
-+ [
-+ "ipa",
-+ "otptoken-add",
-+ "--type=totp",
-+ "--owner=testuser1",
-+ '--desc="My soft token',
-+ ]
-+ )
-+
-+ # Add a netgroup and user to the netgroup
-+ master.run_command(
-+ ["ipa", "netgroup-add", '--desc="NFS admins"', "admins"]
-+ )
-+ master.run_command(
-+ ["ipa", "netgroup-add-member", "--users=testuser2", "admins"]
-+ )
-+
-+ # Set krbpolicy policy
-+ master.run_command(
-+ ["ipa", "krbtpolicy-mod", "--maxlife=99999", "--maxrenew=99999"]
-+ )
-+ master.run_command(["ipa", "krbtpolicy-mod", "admin", "--maxlife=9600"])
-+
-+ # Add IPA location
-+ master.run_command(
-+ ["ipa", "location-add", "location", "--description", "My location"]
-+ )
-+
-+ # Add idviews and overrides
-+ master.run_command(["ipa", "idview-add", "idview1"])
-+ master.run_command(["ipa", "idoverrideuser-add",
"idview1", "testuser1"])
-+ master.run_command(
-+ [
-+ "ipa",
-+ "idoverrideuser-mod",
-+ "idview1",
-+ "testuser1",
-+ "--shell=/bin/sh",
-+ ]
-+ )
-+
-+ # Add DNSzone
-+ master.run_command(
-+ [
-+ "ipa",
-+ "dnszone-add",
-+ "example.test",
-+ "--admin-email=admin@example.test",
-+ ]
-+ )
-+ master.run_command(
-+ ["ipa", "dnszone-mod", "example.test", "--dynamic-update=TRUE"]
-+ )
-+
-+ # Add hbac rule
-+ master.run_command(["ipa", "hbacrule-add", "--usercat=all", "test1"])
-+ master.run_command(
-+ ["ipa", "hbacrule-add", "--hostcat=all", "testuser_sshd"]
-+ )
-+ master.run_command(
-+ ["ipa", "hbacrule-add-user", "--users=testuser1", "testuser_sshd"]
-+ )
-+ master.run_command(
-+ ["ipa", "hbacrule-add-service", "--hbacsvcs=sshd", "testuser_sshd"]
-+ )
-+
-+ # Vault addition
-+ master.run_command(
-+ [
-+ "ipa",
-+ "vault-add",
-+ "--password",
-+ "vault1234",
-+ "--type",
-+ "symmetric",
-+ ]
-+ )
-+
-+ # Add Selinuxusermap
-+ master.run_command(
-+ [
-+ "ipa",
-+ "selinuxusermap-add",
-+ "--usercat=all",
-+ "--selinuxuser=xguest_u:s0",
-+ "test1",
-+ ]
-+ )
-+
-+ # Modify passkeyconfig
-+ master.run_command(
-+ ["ipa", "passkeyconfig-mod", "--require-user-verification=FALSE"]
-+ )
-+
-+
-+def run_migrate(
-+ host, mode, remote_host, bind_dn=None, bind_pwd=None, extra_args=None
-+):
-+ """
-+ ipa-migrate tool command
-+ """
-+ cmd = ["ipa-migrate"]
-+ if mode:
-+ cmd.append(mode)
-+ if remote_host:
-+ cmd.append(remote_host)
-+ if bind_dn:
-+ cmd.append("-D")
-+ cmd.append(bind_dn)
-+ if bind_pwd:
-+ cmd.append("-w")
-+ cmd.append(bind_pwd)
-+ if extra_args:
-+ for arg in extra_args:
-+ cmd.append(arg)
-+ result = host.run_command(cmd, raiseonerr=False)
-+ return result
-+
-+
-+class TestIPAMigrateScenario1(IntegrationTest):
-+ """
-+ Tier-1 tests for ipa-migrate tool with DNS enabled on
-+ local and remote server
-+ """
-+
-+ num_replicas = 1
-+ num_clients = 1
-+ topology = "line"
-+
-+ @classmethod
-+ def install(cls, mh):
-+
tasks.install_master(cls.master, setup_dns=True, setup_kra=True)
-+ prepare_ipa_server(cls.master)
-+ tasks.install_client(cls.master, cls.clients[0], nameservers=None)
-+
-+ def test_remote_server(self):
-+ """
-+ This test installs IPA server instead of replica on
-+ system under test with the same realm and domain name.
-+ """
-+ tasks.install_master(self.replicas[0], setup_dns=True, setup_kra=True)
-+
-+ def test_ipa_migrate_without_kinit_as_admin(self):
-+ """
-+ This test checks that ipa-migrate tool displays
-+ error when kerberos ticket is missing for admin
-+ """
-+ self.replicas[0].run_command(["kdestroy", "-A"])
-+ KINIT_ERR_MSG = "ipa: ERROR: Did not receive Kerberos credentials\n"
-+ result = run_migrate(
-+ self.replicas[0],
-+ "stage-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=['-x'],
-+ )
-+ assert result.returncode == 1
-+ assert KINIT_ERR_MSG in result.stderr_text
-+ tasks.kinit_admin(self.replicas[0])
-+
-+ def test_ipa_migrate_log_file_is_created(self):
-+ """
-+ This test checks that ipa-migrate.log file is created when ipa-migrate
-+ tool is run
-+ """
-+ run_migrate(
-+ self.replicas[0],
-+ "stage-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=['-x'],
-+ )
-+ assert self.replicas[0].transport.file_exists(paths.IPA_MIGRATE_LOG)
-+
-+ def test_ipa_migrate_with_incorrect_bind_pwd(self):
-+ """
-+ This test checks that ipa-migrate tool fails with incorrect
-+ bind password
-+ """
-+ ERR_MSG = (
-+ "IPA to IPA migration starting ...\n"
-+ "Failed to bind to remote server: Insufficient access: "
-+ "Invalid credentials\n"
-+ )
-+ result = run_migrate(
-+ self.replicas[0],
-+ "stage-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ "incorrect_bind_pwd",
-+ extra_args=['-x'],
-+ )
-+ assert result.returncode == 1
-+ assert ERR_MSG in result.stderr_text
-+
-+ def test_ipa_migrate_with_incorrect_bind_dn(self): 
-+ """
-+ This test checks that ipa-migrate tool fails with incorrect
-+ bind dn
-+ """
-+ ERR_MSG = (
-+ "IPA to IPA migration starting ...\n"
-+ "Failed to bind to remote server: Insufficient access: "
-+ "Invalid credentials\n"
-+ )
-+ result = run_migrate(
-+ self.replicas[0],
-+ "stage-mode",
-+ self.master.hostname,
-+ "cn=Dir Manager",
-+ self.master.config.admin_password,
-+ extra_args=['-x'],
-+ )
-+ assert result.returncode == 1
-+ assert ERR_MSG in result.stderr_text
-+
-+ def test_ipa_migrate_with_invalid_host(self):
-+ """
-+ This test checks that ipa-migrate tools fails with
-+ invalid host
-+ """
-+ hostname = "server.invalid.host"
-+ ERR_MSG = (
-+ "IPA to IPA migration starting ...\n"
-+ "Failed to bind to remote server: cannot connect to "
-+ "'ldap://"
-+ "{}': \n".format(hostname)
-+ )
-+ result = run_migrate(
-+ self.replicas[0],
-+ "stage-mode",
-+ "server.invalid.host",
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=['-x'],
-+ )
-+ assert result.returncode == 1
-+ assert ERR_MSG in result.stderr_text
-+
-+ def test_dry_run_record_output_ldif(self):
-+ """
-+ This testcase run ipa-migrate tool with the
-+ -o option which captures the output to ldif file
-+ """
-+ ldif_file = "/tmp/test.ldif"
-+ param = ['-x', '-o', ldif_file]
-+ run_migrate(
-+ self.replicas[0],
-+ "stage-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=param,
-+ )
-+ assert self.replicas[0].transport.file_exists("/tmp/test.ldif")
-+
-+ @pytest.fixture()
-+ def empty_log_file(self):
-+ """
-+ This fixture empties the log file before ipa-migrate tool
-+ is run since the log is appended everytime the tool is run. 
-+ """
-+ self.replicas[0].run_command(
-+ ["truncate", "-s", "0", paths.IPA_MIGRATE_LOG]
-+ )
-+ yield
-+
-+ def test_ipa_sigden_plugin_fail_error(self, empty_log_file):
-+ """
-+ This testcase checks that sidgen plugin fail error is
-+ not seen during migrate prod-mode
-+ """
-+ SIDGEN_ERR_MSG = "SIDGEN task failed: \n"
-+ run_migrate(
-+ self.replicas[0],
-+ "stage-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=['-x'],
-+ )
-+ error_msg = self.replicas[0].get_file_contents(
-+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
-+ )
-+ assert SIDGEN_ERR_MSG not in error_msg
-+
-+ def test_ipa_migrate_stage_mode_dry_run(self, empty_log_file):
-+ """
-+ Test ipa-migrate stage mode with dry-run option
-+ """
-+ tasks.kinit_admin(self.master)
-+ tasks.kinit_admin(self.replicas[0])
-+ IPA_MIGRATE_STAGE_DRY_RUN_LOG = "--dryrun=True\n"
-+ IPA_SERVER_UPRGADE_LOG = "Skipping ipa-server-upgrade in dryrun mode.\n"
-+ IPA_SKIP_SIDGEN_LOG = "Skipping SIDGEN task in dryrun mode." 
-+ result = run_migrate(
-+ self.replicas[0],
-+ "stage-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=['-x'],
-+ )
-+ install_msg = self.replicas[0].get_file_contents(
-+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
-+ )
-+ assert result.returncode == 0
-+ assert IPA_MIGRATE_STAGE_DRY_RUN_LOG in install_msg
-+ assert IPA_SERVER_UPRGADE_LOG in install_msg
-+ assert IPA_SKIP_SIDGEN_LOG in install_msg
-+
-+ def test_ipa_migrate_prod_mode_dry_run(self, empty_log_file):
-+ """
-+ Test ipa-migrate prod mode with dry run option
-+ """
-+ tasks.kinit_admin(self.master)
-+ tasks.kinit_admin(self.replicas[0])
-+ IPA_MIGRATE_PROD_DRY_RUN_LOG = "--dryrun=True\n"
-+ IPA_SERVER_UPRGADE_LOG = (
-+ "Skipping ipa-server-upgrade in dryrun mode.\n"
-+ )
-+ IPA_SIDGEN_LOG = "Skipping SIDGEN task in dryrun mode.\n"
-+ result = run_migrate(
-+ self.replicas[0],
-+ "prod-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=['-x'],
-+ )
-+ install_msg = self.replicas[0].get_file_contents(
-+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
-+ )
-+ assert result.returncode == 0
-+ assert IPA_MIGRATE_PROD_DRY_RUN_LOG in install_msg
-+ assert IPA_SERVER_UPRGADE_LOG in install_msg
-+ assert IPA_SIDGEN_LOG in install_msg
-+
-+ def test_ipa_migrate_with_skip_schema_option_dry_run(self, empty_log_file):
-+ """
-+ This test checks that ipa-migrate tool works
-+ with -S(schema) options in stage mode
-+ """
-+ param = ['-x', '-S']
-+ tasks.kinit_admin(self.master)
-+ tasks.kinit_admin(self.replicas[0])
-+ SKIP_SCHEMA_MSG_LOG = "Schema Migration " \
-+ "(migrated 0 definitions)\n"
-+ run_migrate(
-+ self.replicas[0],
-+ "stage-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=param,
-+ )
-+ install_msg = self.replicas[0].get_file_contents(
-+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
-+ )
-+ assert SKIP_SCHEMA_MSG_LOG in install_msg 
-+
-+ def test_ipa_migrate_with_skip_config_option_dry_run(self, empty_log_file):
-+ """
-+ This test checks that ipa-migrate tool works
-+ with -C(config) options in stage mode
-+ """
-+ SKIP_MIGRATION_CONFIG_LOG = "DS Configuration Migration " \
-+ "(migrated 0 entries)\n"
-+ param = ['-x', '-C']
-+ tasks.kinit_admin(self.master)
-+ tasks.kinit_admin(self.replicas[0])
-+
-+ run_migrate(
-+ self.replicas[0],
-+ "stage-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=param,
-+ )
-+ install_msg = self.replicas[0].get_file_contents(
-+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
-+ )
-+ assert SKIP_MIGRATION_CONFIG_LOG in install_msg
-+
-+ def test_ipa_migrate_reset_range(self, empty_log_file):
-+ """
-+ This test checks the reset range option -r
-+ along with prod-mode, since stage-mode this is done
-+ automatically.
-+ """
-+ param = ['-r', '-n']
-+ tasks.kinit_admin(self.master)
-+ tasks.kinit_admin(self.replicas[0])
-+ RESET_RANGE_LOG = "--reset-range=True\n"
-+ run_migrate(
-+ self.replicas[0],
-+ "prod-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=param,
-+ )
-+ install_msg = self.replicas[0].get_file_contents(
-+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
-+ )
-+ assert RESET_RANGE_LOG in install_msg
-+
-+ def test_ipa_migrate_stage_mode_dry_override_schema(self, empty_log_file):
-+ """
-+ This test checks that -O option (override schema) works
-+ in dry mode
-+ """
-+ param = ['-x', '-O', '-n']
-+ tasks.kinit_admin(self.master)
-+ tasks.kinit_admin(self.replicas[0])
-+ SCHEMA_OVERRIDE_LOG = "--schema-overwrite=True\n"
-+ run_migrate(
-+ self.replicas[0],
-+ "stage-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=param,
-+ )
-+ install_msg = self.replicas[0].get_file_contents(
-+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
-+ )
-+ assert SCHEMA_OVERRIDE_LOG in install_msg
-+
-+ 
@pytest.mark.xfail(
-+ reason="https://issues.redhat.com/browse/RHEL-45463", strict=True
-+ )
-+ def test_ipa_migrate_stage_mode(self, empty_log_file):
-+ """
-+ This test checks that ipa-migrate is successful
-+ in dry run mode
-+ """
-+ tasks.kinit_admin(self.master)
-+ tasks.kinit_admin(self.replicas[0])
-+ MIGRATION_SCHEMA_LOG_MSG = "Migrating schema ...\n"
-+ MIGRATION_CONFIG_LOG_MSG = "Migrating configuration ...\n"
-+ IPA_UPGRADE_LOG_MSG = (
-+ "Running ipa-server-upgrade ... (this make take a while)\n"
-+ )
-+ SIDGEN_TASK_LOG_MSG = "Running SIDGEN task ...\n"
-+ MIGRATION_COMPLETE_LOG_MSG = "Migration complete!\n"
-+ result = run_migrate(
-+ self.replicas[0],
-+ "stage-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=['-n'],
-+ )
-+ install_msg = self.replicas[0].get_file_contents(
-+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
-+ )
-+ assert result.returncode == 0
-+ assert MIGRATION_SCHEMA_LOG_MSG in install_msg
-+ assert MIGRATION_CONFIG_LOG_MSG in install_msg
-+ assert IPA_UPGRADE_LOG_MSG in install_msg
-+ assert SIDGEN_TASK_LOG_MSG in install_msg
-+ assert MIGRATION_COMPLETE_LOG_MSG in install_msg
-+
-+ def test_ipa_migrate_prod_mode(self, empty_log_file):
-+ """
-+ This test checks that ipa-migrate is successful
-+ in prod run mode
-+ """
-+ tasks.kinit_admin(self.master)
-+ tasks.kinit_admin(self.replicas[0])
-+ MIGRATION_SCHEMA_LOG_MSG = "Migrating schema ...\n"
-+ MIGRATION_DATABASE_LOG_MSG = (
-+ "Migrating database ... (this make take a while)\n"
-+ )
-+ IPA_UPGRADE_LOG_MSG = (
-+ "Running ipa-server-upgrade ... 
(this make take a while)\n"
-+ )
-+ SIDGEN_TASK_LOG_MSG = "Running SIDGEN task ...\n"
-+ result = run_migrate(
-+ self.replicas[0],
-+ "prod-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=['-n'],
-+ )
-+ install_msg = self.replicas[0].get_file_contents(
-+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
-+ )
-+ assert result.returncode == 0
-+ assert MIGRATION_SCHEMA_LOG_MSG in install_msg
-+ assert MIGRATION_DATABASE_LOG_MSG in install_msg
-+ assert IPA_UPGRADE_LOG_MSG in install_msg
-+ assert SIDGEN_TASK_LOG_MSG in install_msg
-+
-+ def test_ipa_migrate_with_bind_pwd_file_option(self, empty_log_file):
-+ """
-+ This testcase checks that ipa-migrate tool
-+ works with valid bind_pwd specified in a file using '-j'
-+ option
-+ """
-+ DEBUG_MSG = "--bind-pw-file=/tmp/pwd.txt\n"
-+ bind_pwd_file = "/tmp/pwd.txt"
-+ bind_pwd_file_content = self.master.config.admin_password
-+ self.replicas[0].put_file_contents(
-+ bind_pwd_file, bind_pwd_file_content
-+ )
-+ param = ['-j', bind_pwd_file, '-x']
-+ result = run_migrate(
-+ host=self.replicas[0],
-+ mode="stage-mode",
-+ remote_host=self.master.hostname,
-+ bind_dn="cn=Directory Manager",
-+ bind_pwd=None,
-+ extra_args=param,
-+ )
-+ install_msg = self.replicas[0].get_file_contents(
-+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
-+ )
-+ assert DEBUG_MSG in install_msg
-+ assert result.returncode == 0
-+
-+ def test_ipa_migrate_using_db_ldif(self):
-+ """
-+ This test checks that ipa-migrate tool
-+ works with db ldif file using -C option
-+ """
-+ DB_LDIF_LOG = "--db-ldif=/tmp/dse.ldif\n"
-+ tasks.kinit_admin(self.master)
-+ tasks.kinit_admin(self.replicas[0])
-+ ldif_file_path = "/tmp/dse.ldif"
-+ param = ["-f", ldif_file_path, "-n", "-x"]
-+ realm_name = self.master.domain.realm
-+ base_dn = str(self.master.domain.basedn)
-+ dse_ldif = textwrap.dedent(
-+ f"""
-+ dn: cn={realm_name},cn=kerberos,{base_dn}
-+ cn: {realm_name}
-+ objectClass: top
-+ objectClass: 
krbrealmcontainer
-+ """
-+ ).format(
-+ realm_name=self.master.domain.realm,
-+ base_dn=str(self.master.domain.basedn),
-+ )
-+ self.replicas[0].put_file_contents(ldif_file_path, dse_ldif)
-+ result = run_migrate(
-+ self.replicas[0],
-+ "stage-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=param,
-+ )
-+ install_msg = self.replicas[0].get_file_contents(
-+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
-+ )
-+ assert result.returncode == 0
-+ assert DB_LDIF_LOG in install_msg
-+
-+ def test_ipa_migrate_using_invalid_dbldif_file(self):
-+ """
-+ This testcase checks that proper error msg is
-+ displayed when invalid ldif file without realm is used
-+ as input to schema config option -f
-+ """
-+ ERR_MSG = (
-+ "IPA to IPA migration starting ...\n"
-+ "Unable to find realm from remote LDIF\n"
-+ )
-+ tasks.kinit_admin(self.master)
-+ tasks.kinit_admin(self.replicas[0])
-+ base_dn = str(self.master.domain.basedn)
-+ ldif_file = "/tmp/ldif_file"
-+ param = ["-f", ldif_file, "-n", "-x"]
-+ dse_ldif = textwrap.dedent(
-+ """
-+ version: 1
-+ dn: cn=schema,{}
-+
-+ """
-+ ).format(base_dn)
-+ self.replicas[0].put_file_contents(ldif_file, dse_ldif)
-+ result = run_migrate(
-+ self.replicas[0],
-+ "prod-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=param,
-+ )
-+ assert result.returncode == 2
-+ assert ERR_MSG in result.stderr_text
-+
-+ def test_ipa_migrate_subtree_option(self):
-+ """
-+ This testcase checks the subtree option
-+ -s along with the ipa-migrate command
-+ """
-+ base_dn = str(self.master.domain.basedn)
-+ subtree = 'cn=security,{}'.format(base_dn)
-+ params = ['-s', subtree, '-n', '-x']
-+ base_dn = str(self.master.domain.basedn)
-+ CUSTOM_SUBTREE_LOG = (
-+ "Add db entry 'cn=security,{} - custom'"
-+ ).format(base_dn)
-+ dse_ldif = textwrap.dedent(
-+ """
-+ dn: cn=security,{base_dn}
-+ changetype: add
-+ objectClass:top
-+ 
objectClass: nscontainer
-+ """
-+ ).format(base_dn=base_dn)
-+ tasks.ldapmodify_dm(self.master, dse_ldif)
-+ result = run_migrate(
-+ self.replicas[0],
-+ "stage-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=params,
-+ )
-+ assert result.returncode == 0
-+ install_msg = self.replicas[0].get_file_contents(
-+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
-+ )
-+ assert CUSTOM_SUBTREE_LOG in install_msg
-+
-+ @pytest.fixture()
-+ def modify_dns_zone(self):
-+ zone_name = 'ipatest.test'
-+ self.master.run_command(
-+ ["ipa", "dnszone-add", zone_name, "--force"]
-+ )
-+ yield
-+ self.replicas[0].run_command(
-+ ["ipa", "dnszone-del", zone_name]
-+ )
-+
-+ def test_ipa_migrate_dns_option(self, modify_dns_zone):
-+ """
-+ This testcase checks that when migrate dns option
-+ -B is used the dns entry is migrated to the
-+ local host.
-+ """
-+ zone_name = "ipatest.test."
-+ base_dn = str(self.master.domain.basedn)
-+ DNS_LOG1 = "--migrate-dns=True\n"
-+ DNS_LOG2 = (
-+ "DEBUG Added entry: idnsname={},cn=dns,{}\n"
-+ ).format(zone_name, base_dn)
-+ DNS_LOG3 = (
-+ "DEBUG Added entry: idnsname=_kerberos,"
-+ "idnsname={},cn=dns,{}\n"
-+ ).format(zone_name, base_dn)
-+ params = ["-B", "-n"]
-+ run_migrate(
-+ self.replicas[0],
-+ "prod-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=params,
-+ )
-+ result = self.replicas[0].run_command(["ipa", "dnszone-find"])
-+ assert "Zone name: ipatest.test." 
in result.stdout_text
-+ install_msg = self.replicas[0].get_file_contents(
-+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
-+ )
-+ assert DNS_LOG1 in install_msg
-+ assert DNS_LOG2 in install_msg
-+ assert DNS_LOG3 in install_msg
-+
-+ @pytest.mark.xfail(reason="https://issues.redhat.com/browse/RHEL-46003",
-+ strict=True)
-+ def test_ipa_migrate_version_option(self):
-+ """
-+ This testcase checks the version of
-+ the ipa-migrate tool using -v option
-+ """
-+ CONSOLE_LOG = (
-+ "ipa-migrate: error: the following arguments are "
-+ "required: mode, hostname"
-+ )
-+ result = self.master.run_command(["ipa-migrate", "-V"])
-+ assert result.returncode == 0
-+ assert CONSOLE_LOG not in result.stderr_text
-+
-+ def test_ipa_migrate_with_log_file_option(self):
-+ """
-+ This testcase checks that log file is created
-+ with -l option
-+ """
-+ custom_log_file = "/tmp/test.log"
-+ params = ['-x', '-n', '-l', custom_log_file]
-+ run_migrate(
-+ self.replicas[0],
-+ "stage-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=params,
-+ )
-+ assert self.replicas[0].transport.file_exists(custom_log_file)
---
-2.45.2
-
diff --git a/0009-ipa_sidgen-Allow-sidgen_task-to-continue-after-findi.patch b/0009-ipa_sidgen-Allow-sidgen_task-to-continue-after-findi.patch
deleted file mode 100644
index c275835..0000000
--- a/0009-ipa_sidgen-Allow-sidgen_task-to-continue-after-findi.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From a8e75bbb77e15e3a42adb2d30933cf9e1edd2f0b Mon Sep 17 00:00:00 2001
-From: Thomas Woerner
-Date: Tue, 11 Jun 2024 10:50:51 +0200
-Subject: [PATCH] ipa_sidgen: Allow sidgen_task to continue after finding
- issues
-
-find_sid_for_ldap_entry could fail in several ways if a Posix ID can not
-be converted to an unused SID. This could happen for example for ducplicate
-IDs or user/group out of range.
-
-This change enables ipa_sidgen_task to continue in the error case to try
-to convert the entries without errors. The error messages have been
-extended to additionally show the DN string for the bad entries.
-
-Fixes: https://pagure.io/freeipa/issue/9618
-
-Signed-off-by: Thomas Woerner
-Reviewed-By: Alexander Bokovoy
----
- .../ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c | 11 ++++++-----
- .../ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c | 11 ++++++++---
- 2 files changed, 14 insertions(+), 8 deletions(-)
-
-diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
-index cb763ebf8c733e50483c23856a248eb536c796f1..13f4de5416606df1911f14f60ab1af1a8ba0184b 100644
---- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
-+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
-@@ -491,7 +491,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
- }
- 
- if (uid_number >= UINT32_MAX || gid_number >= UINT32_MAX) {
-- LOG_FATAL("ID value too large.\n");
-+ LOG_FATAL("ID value too large on entry [%s].\n", dn_str);
- ret = LDAP_CONSTRAINT_VIOLATION;
- goto done;
- }
-@@ -508,7 +508,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
- &has_posix_group,
- &has_ipa_id_object);
- if (ret != 0) {
-- LOG_FATAL("Cannot determine objectclasses.\n");
-+ LOG_FATAL("Cannot determine objectclasses on entry [%s].\n", dn_str);
- goto done;
- }
- 
-@@ -522,15 +522,16 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
- id = (uid_number != 0) ? 
uid_number : gid_number;
- objectclass_to_add = NULL;
- } else {
-- LOG_FATAL("Inconsistent objectclasses and attributes, nothing to do.\n");
-+ LOG_FATAL("Inconsistent objectclasses and attributes on entry "
-+ "[%s], nothing to do.\n", dn_str);
- ret = 0;
- goto done;
- }
- 
- ret = find_sid_for_id(id, plugin_id, base_dn, dom_sid, ranges, &sid);
- if (ret != 0) {
-- LOG_FATAL("Cannot convert Posix ID [%lu] into an unused SID.\n",
-- (unsigned long) id);
-+ LOG_FATAL("Cannot convert Posix ID [%lu] into an unused SID on "
-+ "entry [%s].\n", (unsigned long) id, dn_str);
- goto done;
- }
- 
-diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
-index 007b1c945d0e37c4061f6a33cfdd667c45118c99..67979cb9fb0b5560009643c84be7eb07d767d77f 100644
---- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
-+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
-@@ -89,7 +89,7 @@ static void free_pblock(void *arg)
- static int do_work(struct worker_ctx *worker_ctx)
- {
- Slapi_PBlock *pb;
-- int ret;
-+ int ret, failures = 0;
- size_t c;
- char *filter = NULL;
- char *attrs[] = { OBJECTCLASS, UID_NUMBER, GID_NUMBER, NULL };
-@@ -151,8 +151,7 @@ static int do_work(struct worker_ctx *worker_ctx)
- worker_ctx->base_dn, worker_ctx->dom_sid,
- worker_ctx->ranges);
- if (ret != 0) {
-- LOG_FATAL("Cannot add SID to existing entry.\n");
-- goto done;
-+ failures++;
- }
- 
- if (worker_ctx->delay != 0) {
-@@ -162,6 +161,12 @@ static int do_work(struct worker_ctx *worker_ctx)
- }
- };
- 
-+ ret = failures;
-+ if (ret > 0) {
-+ LOG_FATAL("Finished with %d failures, please check the log.\n",
-+ failures);
-+ }
-+
- done:
- slapi_ch_free_string(&filter);
- pthread_cleanup_pop(1);
---
-2.45.2
-
diff --git a/0010-ipatests-mark-test_ca_show_error_handling-as-xfail.patch b/0010-ipatests-mark-test_ca_show_error_handling-as-xfail.patch
deleted file mode 100644
index 047d3f2..0000000
--- a/0010-ipatests-mark-test_ca_show_error_handling-as-xfail.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 4521fe5f9125c74b4ad6e4e51f8c66c009079281 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud
-Date: Thu, 13 Jun 2024 10:39:54 +0200
-Subject: [PATCH] ipatests: mark test_ca_show_error_handling as xfail
-
-With PKI 11.5.0, the test
- test_cert.py::TestCAShowErrorHandling::test_ca_show_error_handling
-is failing with an exception and a different error message.
-Mark as xfail until PKI provides a fix
-
-Related: https://pagure.io/freeipa/issue/9606
-Signed-off-by: Florence Blanc-Renaud
-Reviewed-By: Francisco Trivino
----
- ipatests/test_integration/test_cert.py | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
-index 4dd1254a2d16420bb70686f9715497dfb9048ecf..91598b655a8cd6ff92c1a0cf2166c6548a7af758 100644
---- a/ipatests/test_integration/test_cert.py
-+++ b/ipatests/test_integration/test_cert.py
-@@ -25,6 +25,7 @@ from pkg_resources import parse_version
- 
- from ipatests.pytest_ipa.integration import tasks
- from ipatests.test_integration.base import IntegrationTest
-+from ipatests.util import xfail_context
- 
- DEFAULT_RA_AGENT_SUBMITTED_VAL = '19700101000000'
- 
-@@ -555,7 +556,11 @@ class TestCAShowErrorHandling(IntegrationTest):
- )
- error_msg = 'ipa: ERROR: The certificate for ' \
- '{} is not available on this server.'.format(lwca)
-- assert error_msg in result.stderr_text
-+ bad_version = (tasks.get_pki_version(self.master)
-+ >= tasks.parse_version('11.5.0'))
-+ with xfail_context(bad_version,
-+ reason="https://pagure.io/freeipa/issue/9606"):
-+ assert error_msg in result.stderr_text
- 
- def test_certmonger_empty_cert_not_segfault(self):
- """Test empty cert request doesn't force certmonger to segfault
---
-2.45.2
-
diff --git a/0011-ipa-migrate-remove-V-option.patch b/0011-ipa-migrate-remove-V-option.patch
deleted file mode 100644
index 290733d..0000000
--- a/0011-ipa-migrate-remove-V-option.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From efa57193630f244185b3f295ed0de17c6d08f75a Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Mon, 8 Jul 2024 10:49:49 -0400
-Subject: [PATCH] ipa-migrate - remove -V option
-
-The versioning in ipa-migrate was removed, but the "-V" option to display the version was not removed.
-
-Fixes: https://pagure.io/freeipa/issue/9620
-
-Signed-off-by: Mark Reynolds
-Reviewed-By: Rob Crittenden
----
- install/tools/man/ipa-migrate.1 | 3 ---
- ipaserver/install/ipa_migrate.py | 3 ---
- 2 files changed, 6 deletions(-)
-
-diff --git a/install/tools/man/ipa-migrate.1 b/install/tools/man/ipa-migrate.1
-index 78881d1f8a9ea91d7824e5f8b13f50aecf5ebd16..2d9d2c650a4c44a2f397d1c2ccb42fb95eea2bae 100644
---- a/install/tools/man/ipa-migrate.1
-+++ b/install/tools/man/ipa-migrate.1
-@@ -67,9 +67,6 @@ Reset the ID range for migrated users/groups. In "stage-mode" this is done autom
- \fB\-F\fR, \fB\-\-force\fR
- Ignore any errors and continue to proceed with migration effort.
- .TP
--\fB\-V\fR, \fB\-\-version\fR
--Display the version of the migration tool.
--.TP
- \fB\-q\fR, \fB\-\-quiet\fR
- Only log errors during the migration process.
- .TP
-diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
-index 58351af604b8d6f4ac31432a425718a4d45e0178..6be8d9ba23b36779bf6296df757c1aca551968c0 100644
---- a/ipaserver/install/ipa_migrate.py
-+++ b/ipaserver/install/ipa_migrate.py
-@@ -389,9 +389,6 @@ class IPAMigrate():
- parser.add_argument('-F', '--force',
- help='Ignore errors and continue with migration',
- action='store_true', default=False)
-- parser.add_argument('-V', '--version',
-- help='Display verison of the migration tool',
-- action='store_true', default=False)
- parser.add_argument('-q', '--quiet',
- help='Only display errors during the migration',
- action='store_true', default=False)
---
-2.45.2
-
diff --git a/0012-Fix-syntax-error-in-the-selinux-luna-postun-script.patch b/0012-Fix-syntax-error-in-the-selinux-luna-postun-script.patch
deleted file mode 100644
index 6efea74..0000000
--- a/0012-Fix-syntax-error-in-the-selinux-luna-postun-script.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 1b278de4ab9c5e00fb48dc2de1ea31d9bdfc94bc Mon Sep 17 00:00:00 2001
-From: Rob Crittenden
-Date: Tue, 9 Jul 2024 14:35:25 -0400
-Subject: [PATCH] Fix syntax error in the selinux-luna %postun script
-
-It was missing a trailing fi.
-
-This bad syntax was preventing cleanup of the
-{free}ipa-selinux-luna SELinux module:
-
-Running scriptlet: freeipa-selinux-luna-4.12.0.dev202402211727+git0ee 34/44
-/var/tmp/rpm-tmp.qoCDFi: line 16: syntax error: unexpected end of file
-warning: %postun(freeipa-selinux-luna-4.12.0.dev202402211727+git0eeecdcec-0.fc37.noarch) scriptlet failed, exit status
-
-Fixes: https://pagure.io/freeipa/issue/9629
-
-Signed-off-by: Rob Crittenden
-Reviewed-By: Florence Blanc-Renaud
----
- freeipa.spec.in | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index 1e1a0c04728972c6c53beb47dafb25d7898ab0ea..b3b19cf8881db97307836513ff2263dc4fe4ca03 100755
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -1367,6 +1367,7 @@ fi
- %postun selinux-luna
- if [ $1 -eq 0 ]; then
- %selinux_modules_uninstall -s %{selinuxtype} %{modulename}-luna
-+fi
- 
- %posttrans selinux
- %selinux_relabel_post -s %{selinuxtype}
---
-2.45.2
-
diff --git a/0013-Re-organize-HSM-validation-to-be-more-consistent-les.patch b/0013-Re-organize-HSM-validation-to-be-more-consistent-les.patch
deleted file mode 100644
index 88cf761..0000000
--- a/0013-Re-organize-HSM-validation-to-be-more-consistent-les.patch
+++ /dev/null
@@ -1,231 +0,0 @@
-From 7ab1bcb2d364c26024db4ec99c707ebefffcd3e7 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden
-Date: Fri, 5 Jul 2024 15:00:59 -0400
-Subject: [PATCH] Re-organize HSM validation to be more consistent/less
- duplication
-
-hsm_validator() was more or less bolted in place late in the
-development cycle in in order to catch some of the more common
-problems: bad token name, bad password, etc.
-
-There was a fair bit of duplication and had the side-effect of not
-reading in the token password from the --token-password-file option
-in some cases.
-
-This patch also re-adds a lost feature where an exception is raised if
-both the --token-password and --token-password-file options are passed
-in.
-
-This also needs to be enforced on initial server, replica and when
-called by ipa-kra-install. Given that each has a unique subject of
-options some duplication remains.
-
-Fixes: https://pagure.io/freeipa/issue/9603
-
-Signed-off-by: Rob Crittenden
-Reviewed-By: Florence Blanc-Renaud
----
- ipaserver/install/ca.py | 72 +++++++++++++++--------------
- ipaserver/install/kra.py | 56 ++++++++++++++++++++--
- ipaserver/install/server/install.py | 2 +
- 3 files changed, 93 insertions(+), 37 deletions(-)
-
-diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
-index dc4b47056f0e327d120ab6dad238deae3c26bbcd..b8155d9965712dbce4076e9d73d6712135309ce2 100644
---- a/ipaserver/install/ca.py
-+++ b/ipaserver/install/ca.py
-@@ -193,6 +193,8 @@ def hsm_validator(token_name, token_library, token_password):
- if not token_name:
- logger.debug("No token name, assuming not an HSM install")
- return
-+ if not token_password:
-+ raise ValueError("No token password provided")
- val, pki_version = hsm_version()
- if val is False:
- raise ValueError(
-@@ -361,17 +363,16 @@ def install_check(standalone, replica_config, options):
- host_name = options.host_name
- 
- if replica_config is None:
-- if options.token_name:
-- try:
-- hsm_validator(
-- options.token_name, 
options.token_library_path,
-- options.token_password)
-- except ValueError as e:
-- raise ScriptError(str(e))
- options._subject_base = options.subject_base
- options._ca_subject = options.ca_subject
- options._random_serial_numbers = options.random_serial_numbers
- token_name = options.token_name
-+ token_library_path = options.token_library_path
-+ if "setup_ca" in options.__dict__:
-+ setup_ca = options.setup_ca
-+ else:
-+ # We got here through ipa-ca-install
-+ setup_ca = True
- else:
- # during replica install, this gets invoked before local DS is
- # available, so use the remote api.
-@@ -399,33 +400,36 @@ def install_check(standalone, replica_config, options):
- if replica_config.setup_ca and token_name:
- if not options.token_library_path:
- options.token_library_path = token_library_path
-- if (
-- not options.token_password_file
-- and not options.token_password
-- ):
-- if options.unattended:
-- raise ScriptError("HSM token password required")
-- token_password = installutils.read_password(
-- f"HSM token '{token_name}'", confirm=False
-- )
-- if token_password is None:
-- raise ScriptError("HSM token password required")
-- else:
-- options.token_password = token_password
--
-- if options.token_password_file:
-- with open(options.token_password_file, "r") as fd:
-- options.token_password = fd.readline().strip()
-- try:
-- hsm_validator(
-- token_name,
-- options.token_library_path
-- if options.token_library_path
-- else token_library_path,
-- options.token_password,
-- )
-- except ValueError as e:
-- raise ScriptError(str(e))
-+ setup_ca = replica_config.setup_ca
-+
-+ if setup_ca and token_name:
-+ if (options.token_password_file and options.token_password):
-+ raise ScriptError(
-+ "token-password and token-password-file are mutually exclusive"
-+ )
-+ if options.token_password_file:
-+ with open(options.token_password_file, "r") as fd:
-+ options.token_password = fd.readline().strip()
-+ if (
-+ not options.token_password_file
-+ and not 
options.token_password
-+ ):
-+ if options.unattended:
-+ raise ScriptError("HSM token password required")
-+ token_password = installutils.read_password(
-+ f"HSM token '{token_name}'", confirm=False
-+ )
-+ if token_password is None:
-+ raise ScriptError("HSM token password required")
-+ else:
-+ options.token_password = token_password
-+
-+ try:
-+ hsm_validator(
-+ token_name, token_library_path,
-+ options.token_password)
-+ except ValueError as e:
-+ raise ScriptError(str(e))
- 
- if replica_config is not None and not replica_config.setup_ca:
- return
-diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
-index 2c5b47590c26e37818f055cfd218c85d74e9b46c..dc3bc7c204394187bb7a5c4cc1b863a2091bdc49 100644
---- a/ipaserver/install/kra.py
-+++ b/ipaserver/install/kra.py
-@@ -16,10 +16,12 @@ from ipalib.kinit import kinit_keytab
- from ipaplatform import services
- from ipaplatform.paths import paths
- from ipapython import ipautil
-+from ipapython.admintool import ScriptError
- from ipapython.install.core import group
- from ipaserver.install import ca, cainstance
- from ipaserver.install import krainstance
- from ipaserver.install import dsinstance
-+from ipaserver.install import installutils
- from ipaserver.install import service as _service
- 
- from . import dogtag
-@@ -58,13 +60,61 @@ def install_check(api, replica_config, options):
- "KRA can not be installed when 'ca_host' is overriden in "
- "IPA configuration file.")
- 
-+ # There are three scenarios for installing a KRA
-+ # 1. At install time of the initial server
-+ # 2. Using ipa-kra-install
-+ # 3. At install time of a replica
-+ #
-+ # These tests are done in reverse order. If we are doing a
-+ # replica install we can check the remote CA.
-+ #
-+ # If we are running ipa-kra-install then there must be a CA
-+ # use that.
-+ #
-+ # If initial install we either have the token options or we don't. 
-+
-+ cai = cainstance.CAInstance()
-+ if replica_config is not None:
-+ (token_name, token_library_path) = ca.lookup_hsm_configuration(api)
-+ elif cai.is_configured() and cai.hsm_enabled:
-+ (token_name, token_library_path) = ca.lookup_hsm_configuration(api)
-+ elif 'token_name' in options.__dict__:
-+ token_name = options.token_name
-+ token_library_path = options.token_library_path
-+ else:
-+ token_name = None
-+
-+ if replica_config is not None:
-+ if (
-+ token_name
-+ and options.token_password_file
-+ and options.token_password
-+ ):
-+ raise ScriptError(
-+ "token-password and token-password-file are mutually exclusive"
-+ )
-+
- if options.token_password_file:
- with open(options.token_password_file, "r") as fd:
- options.token_password = fd.readline().strip()
- 
-- if replica_config is not None:
-- (token_name, token_library) = ca.lookup_hsm_configuration(api)
-- ca.hsm_validator(token_name, token_library, options.token_password)
-+ if (
-+ token_name
-+ and not options.token_password_file
-+ and not options.token_password
-+ ):
-+ if options.unattended:
-+ raise ScriptError("HSM token password required")
-+ token_password = installutils.read_password(
-+ f"HSM token '{token_name}'", confirm=False
-+ )
-+ if token_password is None:
-+ raise ScriptError("HSM token password required")
-+ else:
-+ options.token_password = token_password
-+
-+ if token_name:
-+ ca.hsm_validator(token_name, token_library_path, options.token_password)
- 
- def install(api, replica_config, options, custodia):
-diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
-index 1b18873363cece5e187a7c772acfcbc6c565ee97..47db1314239906a10bb77e5fc0d4c1eddc02e2da 100644
---- a/ipaserver/install/server/install.py
-+++ b/ipaserver/install/server/install.py
-@@ -663,6 +663,8 @@ def install_check(installer):
- options.token_name is not None
- )
- ):
-+ if options.unattended:
-+ raise ScriptError("HSM token password required")
- token_password = read_password( 
- f"HSM token '{options.token_name}'" , confirm=False)
- if token_password is None:
---
-2.45.2
-
diff --git a/0014-ipatests-tests-related-to-token-password-file.patch b/0014-ipatests-tests-related-to-token-password-file.patch
deleted file mode 100644
index f297331..0000000
--- a/0014-ipatests-tests-related-to-token-password-file.patch
+++ /dev/null
@@ -1,192 +0,0 @@
-From 4ea1ad6acae910574a524403bc82c80d24b525d6 Mon Sep 17 00:00:00 2001
-From: Mohammad Rizwan
-Date: Thu, 13 Jun 2024 14:07:57 +0530
-Subject: [PATCH] ipatests: tests related to --token-password-file
-
-Test automation added around the --token-password-file
-option for server/replica/kra install.
-
-Related: https://pagure.io/freeipa/issue/9603
-
-Signed-off-by: Mohammad Rizwan
-Reviewed-By: Florence Blanc-Renaud
----
- ipatests/test_integration/test_hsm.py | 85 ++++++++++++++++++++++++---
- 1 file changed, 77 insertions(+), 8 deletions(-)
-
-diff --git a/ipatests/test_integration/test_hsm.py b/ipatests/test_integration/test_hsm.py
-index b49af12492f7dce4bd41836b220d75d9fc99b5c2..3a33c3bda6d072aa16e361b04ac2d668902bb0e9 100644
---- a/ipatests/test_integration/test_hsm.py
-+++ b/ipatests/test_integration/test_hsm.py
-@@ -163,6 +163,7 @@ class BaseHSMTest(IntegrationTest):
- master_extra_args = []
- token_password = None
- token_name = None
-+ token_password_file = '/tmp/token_password'
- random_serial = False
-
- @classmethod
-@@ -191,7 +192,7 @@ class BaseHSMTest(IntegrationTest):
- delete_hsm_token([cls.master] + cls.replicas, cls.token_name)
-
- @classmethod
-- def sync_tokens(cls, source):
-+ def sync_tokens(cls, source, token_name=None):
- """Synchronize non-networked HSM tokens between machines
- source: source host for the token data
- """
-@@ -207,7 +208,8 @@ class BaseHSMTest(IntegrationTest):
- for host in [cls.master] + cls.replicas:
- if host == source:
- continue
-- copy_token_files(source, [host], cls.token_name)
-+ copy_token_files(source, [host],
-+ token_name if token_name else cls.token_name)
-
-
- class TestHSMInstall(BaseHSMTest):
-@@ -218,6 +220,10 @@ class TestHSMInstall(BaseHSMTest):
-
- def test_hsm_install_replica0_ca_less_install(self):
- check_version(self.master)
-+
-+ self.master.put_file_contents(
-+ self.token_password_file, self.token_password
-+ )
- tasks.install_replica(
- self.master, self.replicas[0],
setup_ca=False,
- setup_dns=True,
-@@ -307,6 +313,50 @@ class TestHSMInstall(BaseHSMTest):
- assert returncode == 0
- assert output == "No issues found."
-
-+ def test_hsm_install_server_password_file(self):
-+ check_version(self.master)
-+ # cleanup before fresh install with password file
-+ for client in self.clients:
-+ tasks.uninstall_client(client)
-+
-+ for replica in self.replicas:
-+ tasks.uninstall_master(replica)
-+
-+ tasks.uninstall_master(self.master)
-+
-+ delete_hsm_token([self.master] + self.replicas, self.token_name)
-+ self.token_name, self.token_password = get_hsm_token(self.master)
-+ self.master.put_file_contents(self.token_password_file,
-+ self.token_password)
-+ self.replicas[0].put_file_contents(self.token_password_file,
-+ self.token_password)
-+
-+ tasks.install_master(
-+ self.master, setup_dns=self.master_with_dns,
-+ setup_kra=self.master_with_kra,
-+ setup_adtrust=self.master_with_ad,
-+ extra_args=(
-+ '--token-name', self.token_name,
-+ '--token-library-path', hsm_lib_path,
-+ '--token-password-file', self.token_password_file
-+ )
-+ )
-+ self.sync_tokens(self.master, token_name=self.token_name)
-+
-+ def test_hsm_install_replica0_password_file(self):
-+ check_version(self.master)
-+ tasks.install_replica(
-+ self.master, self.replicas[0], setup_ca=True,
-+ extra_args=('--token-password-file', self.token_password_file,)
-+ )
-+
-+ def test_hsm_install_replica0_kra_password_file(self):
-+ check_version(self.master)
-+ tasks.install_kra(
-+ self.replicas[0],
-+ extra_args=('--token-password-file', self.token_password_file,)
-+ )
-+
-
- class TestHSMInstallADTrustBase(BaseHSMTest):
- """
-@@ -321,7 +371,7 @@ class TestHSMInstallADTrustBase(BaseHSMTest):
- check_version(self.master)
- tasks.install_replica(
- self.master, self.replicas[0], setup_ca=True,
-- setup_adtrust=True, setup_kra=True, setup_dns=True,
-+ setup_adtrust=False, setup_kra=True, setup_dns=True,
- nameservers='master' if self.master_with_dns else None,
-
extra_args=('--token-password', self.token_password,)
- )
-@@ -356,7 +406,8 @@ class TestHSMcertRenewal(BaseHSMTest):
- 'auditSigningCert cert-pki-ca': 'caauditSigningCert'
- }
- CA_TRACKING_REQS.update(KRA_TRACKING_REQS)
-- self.master.put_file_contents('/tmp/token_passwd', self.token_password)
-+ self.master.put_file_contents(self.token_password_file,
-+ self.token_password)
- for nickname in CA_TRACKING_REQS:
- cert = tasks.certutil_fetch_cert(
- self.master,
-@@ -772,6 +823,7 @@ class TestHSMcertFixReplica(BaseHSMTest):
- class TestHSMNegative(IntegrationTest):
-
- master_with_dns = False
-+ token_password_file = '/tmp/token_password'
-
- @classmethod
- def install(cls, mh):
-@@ -792,7 +844,6 @@ class TestHSMNegative(IntegrationTest):
- '--token-password', self.token_password
- )
- )
-- # assert 'error message non existing token name' in result.stderr_text
- assert result.returncode != 0
-
- # wrong token password
-@@ -804,7 +855,6 @@ class TestHSMNegative(IntegrationTest):
- '--token-password', 'token_passwd'
- )
- )
-- # assert 'error message wrong passwd' in result.stderr_text
- assert result.returncode != 0
-
- # wrong token lib
-@@ -816,7 +866,6 @@ class TestHSMNegative(IntegrationTest):
- '--token-password', self.token_password
- )
- )
-- # assert 'error message non existing token lib' in result.stderr_text
- assert result.returncode != 0
-
- def test_hsm_negative_special_char_token_name(self):
-@@ -842,7 +891,27 @@ class TestHSMNegative(IntegrationTest):
- '--token-password', token_passwd
- )
- )
-- # assert 'error message non existing token lib' in result.stderr_text
-+ assert result.returncode != 0
-+
-+ def test_hsm_negative_token_password_and_file(self):
-+ """Test token-password and token-password-file at same time
-+
-+ Test if command fails when --token-password and --token-password-file
-+ provided at the same time results into command failure.
-+ """
-+ check_version(self.master)
-+ self.master.put_file_contents(
-+ self.token_password_file, self.token_password
-+ )
-+ result = tasks.install_master(
-+ self.master, raiseonerr=False,
-+ extra_args=(
-+ '--token-name', self.token_name,
-+ '--token-library-path', hsm_lib_path,
-+ '--token-password', self.token_password,
-+ '--token-password-file', self.token_password_file
-+ )
-+ )
- assert result.returncode != 0
-
-
---
-2.45.2
-
diff --git a/0015-Include-token-password-options-in-ipa-kra-install-ma.patch b/0015-Include-token-password-options-in-ipa-kra-install-ma.patch
deleted file mode 100644
index f55217b..0000000
--- a/0015-Include-token-password-options-in-ipa-kra-install-ma.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 6c53a22a2cacf7807df11e51492d1a2c42aeeda1 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden
-Date: Tue, 18 Jun 2024 11:16:07 -0400
-Subject: [PATCH] Include token password options in ipa-kra-install man page
-
-Related: https://pagure.io/freeipa/issue/9603
-
-Signed-off-by: Rob Crittenden
-Reviewed-By: Florence Blanc-Renaud
----
- install/tools/man/ipa-kra-install.1 | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/install/tools/man/ipa-kra-install.1 b/install/tools/man/ipa-kra-install.1
-index 5476a4e717584cd7c6f823e3c3cb4e4948f14875..955085bf7162863a0567356417a0886e733c0b42 100644
---- a/install/tools/man/ipa-kra-install.1
-+++ b/install/tools/man/ipa-kra-install.1
-@@ -54,6 +54,15 @@ Log to the given file
- .TP
- \fB\-\-pki\-config\-override\fR=\fIFILE\fR
- File containing overrides for KRA installation.
-+.SS "HSM OPTIONS"
-+The token name and library path are retrieved from the existing
-+installation.
-+.TP
-+\fB\-\-token\-password\fR=\fITOKEN_PASSWORD\fR
-+The PKCS#11 token password for the HSM.
-+.TP
-+\fB\-\-token\-password\-file\fR=\fITOKEN_PASSWORD_FILE\fR
-+The full path to a file containing the PKCS#11 token password.
- .SH "EXIT STATUS"
- 0 if the command was successful
-
---
-2.45.2
-
diff --git a/0016-ipa-migrate-starttls-does-not-work.patch b/0016-ipa-migrate-starttls-does-not-work.patch
deleted file mode 100644
index 954e92d..0000000
--- a/0016-ipa-migrate-starttls-does-not-work.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From eeade50933cb2251b43ee34c642bcae69a216655 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Mon, 8 Jul 2024 10:20:47 -0400
-Subject: [PATCH] ipa-migrate - starttls does not work
-
-We were previousily taking the provided ca cert and creating a temporary
-file from it. This was incorrect and caused the secure connection to
-fail. Instead just use the file path provided.
-
-Fixes: https://pagure.io/freeipa/issue/9619
-
-Signed-off-by: Mark Reynolds
-Reviewed-By: Rob Crittenden
-Reviewed-By: Florence Blanc-Renaud
----
- install/tools/man/ipa-migrate.1 | 2 +-
- ipaserver/install/ipa_migrate.py | 25 +++++++++++++++++--------
- 2 files changed, 18 insertions(+), 9 deletions(-)
-
-diff --git a/install/tools/man/ipa-migrate.1 b/install/tools/man/ipa-migrate.1
-index 2d9d2c650a4c44a2f397d1c2ccb42fb95eea2bae..47ae47ea4afa3a5a6fe25dd9bbd14c27ab5f1fdb 100644
---- a/install/tools/man/ipa-migrate.1
-+++ b/install/tools/man/ipa-migrate.1
-@@ -25,7 +25,7 @@ network interruptions)
- In this mode everything will be migrated including the current user SIDs and
- DNA ranges
- .TP
--\fBstage\-mod\fR
-+\fBstage\-mode\fR
- In this mode, SIDs & DNA ranges are not migrated, and DNA attributes are reset
-
- .SH "COMMANDS"
-diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
-index 6be8d9ba23b36779bf6296df757c1aca551968c0..0e19b98b5be532c513876e165561f0af176baa27 100644
---- a/ipaserver/install/ipa_migrate.py
-+++ b/ipaserver/install/ipa_migrate.py
-@@ -27,7 +27,6 @@ from ipalib.x509 import IPACertificate
- from ipaplatform.paths import paths
- from ipapython.dn import DN
- from ipapython.ipaldap import LDAPClient, LDAPEntry, realm_to_ldapi_uri
--from ipapython.ipautil import write_tmp_file
- from ipapython.ipa_log_manager import standard_logging_setup
- from ipaserver.install.ipa_migrate_constants import (
- DS_CONFIG, DB_OBJECTS, DS_INDEXES, BIND_DN, LOG_FILE_NAME,
-@@ -758,13 +757,19 @@ class IPAMigrate():
- insecure_bind = False
-
-
if self.args.cacertfile is not None:
-- # Store CA cert into file
-- tmp_ca_cert_f = write_tmp_file(self.args.cacertfile)
-- cacert = tmp_ca_cert_f.name
--
- # Start TLS connection (START_TLS)
-- ds_conn = LDAPClient(ldapuri, cacert=cacert, start_tls=True)
-- tmp_ca_cert_f.close()
-+ try:
-+ ds_conn = LDAPClient(ldapuri, cacert=self.args.cacertfile,
-+ start_tls=True)
-+ except (
-+ ldap.LDAPError,
-+ errors.NetworkError,
-+ errors.DatabaseError,
-+ IOError
-+ ) as e:
-+ self.handle_error(
-+ f"Failed to connect to remote server: {str(e)}"
-+ )
- else:
- # LDAP (insecure)
- ds_conn = LDAPClient(ldapuri)
-@@ -773,7 +778,11 @@ class IPAMigrate():
- try:
- ds_conn.simple_bind(DN(self.args.bind_dn), self.bindpw,
- insecure_bind=insecure_bind)
-- except (errors.NetworkError, errors.ACIError) as e:
-+ except (
-+ errors.NetworkError,
-+ errors.ACIError,
-+ errors.DatabaseError
-+ ) as e:
- self.handle_error(f"Failed to bind to remote server: {str(e)}")
-
- # All set, stash the remote connection
---
-2.45.2
-
diff --git a/0017-ipa-pwd-extop-differentiate-OTP-requirements-in-LDAP.patch b/0017-ipa-pwd-extop-differentiate-OTP-requirements-in-LDAP.patch
deleted file mode 100644
index 62eaadb..0000000
--- a/0017-ipa-pwd-extop-differentiate-OTP-requirements-in-LDAP.patch
+++ /dev/null
@@ -1,232 +0,0 @@
-From 051d61fdc301f2768ac78c45e93a5f9eeff8aa28 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy
-Date: Tue, 25 Jun 2024 14:27:24 +0300
-Subject: [PATCH] ipa-pwd-extop: differentiate OTP requirements in LDAP binds
-
-For users who has no OTP tokens defined (yet), a missing token should
-not be seen as a failure. This is needed to allow a basic password
-change.
-
-The logic around enforcement of OTP over LDAP bind is the following:
-----------------------------------------------------------------------
-- when LDAP OTP control is requested by the LDAP client, OTP is
- explicitly required
-- when EnforceLDAPOTP is set in the IPA configuration, OTP is implicitly
- required, regardless of the state of LDAP client
-
-In either case, only users with 'user-auth-type: otp' are allowed to
-authenticate.
-
-If these users have no OTP token associated yet, they will be allowed to
-authenticate with their password. This is to allow initial password
-change and adding an OTP token.
-----------------------------------------------------------------------
-
-Implement test that simulates lifecycle for new user who get to change
-their password before adding an OTP token.
-
-Related: https://pagure.io/freeipa/issue/5169
-
-Signed-off-by: Alexander Bokovoy
-Reviewed-By: Florence Blanc-Renaud
-Reviewed-By: Rob Crittenden
----
- .../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 39 ++++++++++----
- ipatests/test_integration/test_otp.py | 52 ++++++++++++++++---
- 2 files changed, 76 insertions(+), 15 deletions(-)
-
-diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
-index cc170fc4b81f8ecad88f4ff4401b5651c43aaf55..c967e2cfffbd920280639f3188783ec150523b47 100644
---- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
-+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
-@@ -1212,13 +1212,20 @@ done:
- * value at the end. This leaves only the password in creds for later
- * validation.
- */
-+typedef enum {
-+ OTP_IS_NOT_REQUIRED = 0,
-+ OTP_IS_REQUIRED_EXPLICITLY,
-+ OTP_IS_REQUIRED_IMPLICITLY
-+} otp_req_enum;
- static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
-- struct berval *creds, bool otpreq)
-+ struct berval *creds, otp_req_enum otpreq,
-+ bool *notokens)
- {
- uint32_t auth_types;
-
- /* Get the configured authentication types. */
- auth_types = otp_config_auth_types(otp_config, entry);
-+ *notokens = false;
-
- /*
- * IMPORTANT SECTION!
-@@ -1248,7 +1255,11 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
- /* With no tokens, succeed if tokens aren't required. */
- if (tokens[0] == NULL) {
- otp_token_free_array(tokens);
-- return !otpreq;
-+ *notokens = true;
-+ if (otpreq != OTP_IS_NOT_REQUIRED)
-+ /* DENY: OTP is required, either explicitly or implicitly */
-+ return false;
-+ return true;
- }
-
- if (otp_token_validate_berval(tokens, creds, NULL)) {
-@@ -1259,7 +1270,8 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
- otp_token_free_array(tokens);
- }
-
-- return (auth_types & OTP_CONFIG_AUTH_TYPE_PASSWORD) && !otpreq;
-+ return (auth_types & OTP_CONFIG_AUTH_TYPE_PASSWORD) &&
-+ (otpreq == OTP_IS_NOT_REQUIRED);
- }
-
- static int ipapwd_authenticate(const char *dn, Slapi_Entry *entry,
-@@ -1452,6 +1464,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
- struct tm expire_tm;
- int rc = LDAP_INVALID_CREDENTIALS;
- char *errMesg = NULL;
-+ bool notokens = false;
-
- /* get BIND parameters */
- ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &target_sdn);
-@@ -1510,8 +1523,9 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
-
- /* Try to do OTP first. */
- syncreq = otpctrl_present(pb, OTP_SYNC_REQUEST_OID);
-- otpreq = otpctrl_present(pb, OTP_REQUIRED_OID);
-- if (!syncreq && !otpreq) {
-+ otpreq = otpctrl_present(pb, OTP_REQUIRED_OID) ?
-+ OTP_IS_REQUIRED_EXPLICITLY : OTP_IS_NOT_REQUIRED;
-+ if (!syncreq && (otpreq == OTP_IS_NOT_REQUIRED)) {
- ret = ipapwd_gen_checks(pb, &errMesg, &krbcfg, IPAPWD_CHECK_ONLY_CONFIG);
- if (ret != 0) {
- LOG_FATAL("ipapwd_gen_checks failed!?\n");
-@@ -1520,11 +1534,17 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
- return 0;
- }
- if (krbcfg->enforce_ldap_otp) {
-- otpreq = true;
-+ otpreq = OTP_IS_REQUIRED_IMPLICITLY;
- }
- }
-- if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials, otpreq))
-- goto invalid_creds;
-+ if (!syncreq && !ipapwd_pre_bind_otp(dn, entry,
-+ credentials, otpreq, ¬okens)) {
-+ /* We got here because ipapwd_pre_bind_otp() returned false,
-+ * it means that either token verification failed or
-+ * a rule for empty tokens failed current policy. */
-+ if (!(notokens || (otpreq == OTP_IS_NOT_REQUIRED)))
-+ goto invalid_creds;
-+ }
-
- /* Ensure that there is a password. */
- if (credentials->bv_len == 0) {
-@@ -1561,7 +1581,8 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
- * for access log to notice multi-factor authentication has happened
- * https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
- */
-- if (!syncreq && otpreq) {
-+ if (!syncreq &&
-+ ((otpreq != OTP_IS_NOT_REQUIRED) && !notokens)) {
- slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH);
- }
- #endif
-diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
-index d2dfca4cbf8c60955e888b6f92bd88a2608bb265..350371bfe1e4c1cc6dcc89f6584f813fcb0d32a0 100644
---- a/ipatests/test_integration/test_otp.py
-+++ b/ipatests/test_integration/test_otp.py
-@@ -458,41 +458,81 @@ class TestOTPToken(IntegrationTest):
- master = self.master
- basedn = master.domain.basedn
- USER1 = 'user-forced-otp'
-+ TMP_PASSWORD = 'Secret1234509'
- binddn = DN(f"uid={USER1},cn=users,cn=accounts,{basedn}")
-
-- tasks.create_active_user(master, USER1, PASSWORD)
- tasks.kinit_admin(master)
-+ master.run_command(['ipa', 'pwpolicy-mod',
'--minlife', '0'])
-+ tasks.user_add(master, USER1, password=TMP_PASSWORD)
- # Enforce use of OTP token for this user
- master.run_command(['ipa', 'user-mod', USER1,
- '--user-auth-type=otp'])
- try:
-+ # Change initial password through the IPA endpoint
-+ url = f'https://{master.hostname}/ipa/session/change_password'
-+ master.run_command(['curl', '-d', f'user={USER1}',
-+ '-d', f'old_password={TMP_PASSWORD}',
-+ '-d', f'new_password={PASSWORD}',
-+ '--referer', f'https://{master.hostname}/ipa',
-+ url])
- conn = master.ldap_connect()
- # First, attempt authenticating with a password but without LDAP
- # control to enforce OTP presence and without server-side
- # enforcement of the OTP presence check.
- conn.simple_bind(binddn, f"{PASSWORD}")
-- # Add an OTP token now
-- otpuid, totp = add_otptoken(master, USER1, otptype="totp")
- # Next, enforce Password+OTP for a user with OTP token
- master.run_command(['ipa', 'config-mod', '--addattr',
- 'ipaconfigstring=EnforceLDAPOTP'])
-+ # Try to bind without OTP because there is no OTP token yet,
-+ # the operation should succeed because OTP enforcement is implicit
-+ # and there is no token yet, so it is allowed.
-+ conn.simple_bind(binddn, f"{PASSWORD}")
-+ conn.unbind()
-+ # Add an OTP token now
-+ otpuid, totp = add_otptoken(master, USER1, otptype="totp")
- # Next, authenticate with Password+OTP and with the LDAP control
- # this operation should succeed
- otpvalue = totp.generate(int(time.time())).decode("ascii")
-+ conn = master.ldap_connect()
- conn.simple_bind(binddn, f"{PASSWORD}{otpvalue}",
- client_controls=[
- BooleanControl(
- controlType="2.16.840.1.113730.3.8.10.7",
- booleanValue=True)])
-- # Remove token
-- del_otptoken(self.master, otpuid)
-+ conn.unbind()
-+ # Sleep to make sure we are going to use a different token value
-+ time.sleep(45)
-+ # Use OTP token again, without LDAP control, should succeed
-+ # because OTP enforcement is implicit
-+ otpvalue = totp.generate(int(time.time())).decode("ascii")
-+ conn = master.ldap_connect()
-+ conn.simple_bind(binddn, f"{PASSWORD}{otpvalue}")
-+ conn.unbind()
- # Now, try to authenticate without otp and without control
-- # this operation should fail
-+ # this operation should fail because we have OTP token associated
-+ # with the user account
- try:
-+ conn = master.ldap_connect()
- conn.simple_bind(binddn, f"{PASSWORD}")
-+ conn.unbind()
- except errors.ACIError:
- pass
-+ # Sleep to make sure we are going to use a different token value
-+ time.sleep(45)
-+ # Use OTP token again, without LDAP control, should succeed
-+ # because OTP enforcement is implicit
-+ otpvalue = totp.generate(int(time.time())).decode("ascii")
-+ # Finally, change password again, now that otp is present
-+ master.run_command(['curl', '-d', f'user={USER1}',
-+ '-d', f'old_password={PASSWORD}',
-+ '-d', f'new_password={TMP_PASSWORD}0',
-+ '-d', f'otp={otpvalue}',
-+ '--referer', f'https://{master.hostname}/ipa',
-+ url])
-+ # Remove token
-+ del_otptoken(self.master, otpuid)
- master.run_command(['ipa', 'config-mod', '--delattr',
- 'ipaconfigstring=EnforceLDAPOTP'])
- finally:
-+ master.run_command(['ipa', 'pwpolicy-mod', '--minlife',
'1'])
- master.run_command(['ipa', 'user-del', USER1])
---
-2.45.2
-
diff --git a/0018-ipatests-Test-replica-installation-using-AD-admin.patch b/0018-ipatests-Test-replica-installation-using-AD-admin.patch
deleted file mode 100644
index 9a8da53..0000000
--- a/0018-ipatests-Test-replica-installation-using-AD-admin.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 8b703150a47bf509f37856bdc27cfa99e85e5e6b Mon Sep 17 00:00:00 2001
-From: Anuja More
-Date: Mon, 24 Jun 2024 13:48:24 +0530
-Subject: [PATCH] ipatests: Test replica installation using AD admin.
-
-Test to verify that replica connection check is not failing when
-the AD administrator Administrator@AD.EXAMPLE.COM is
-used for the deployment or promotion of a replica
-
-Related: https://pagure.io/freeipa/issue/9542
-
-Signed-off-by: Anuja More
-Reviewed-By: Florence Blanc-Renaud
----
- .../test_replica_promotion.py | 46 +++++++++++++++++++
- 1 files changed, 46 insertions(+)
-
-diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
-index 7ef44c571c8a4106577d27f4712f661be873dacc..c754cef88cb275987f5afdaad43f2ea07e3b7476 100644
---- a/ipatests/test_integration/test_replica_promotion.py
-+++ b/ipatests/test_integration/test_replica_promotion.py
-@@ -1318,3 +1318,49 @@ class TestHiddenReplicaKRA(IntegrationTest):
- self.replicas[0].hostname, '--state=hidden'
- ])
- assert result.returncode == 0
-+
-+
-+class TestReplicaConn(IntegrationTest):
-+ num_replicas = 1
-+ num_ad_domains = 1
-+
-+ @classmethod
-+ def install(cls, mh):
-+ cls.replica = cls.replicas[0]
-+ cls.ad = cls.ads[0]
-+ ad_domain = cls.ad.domain.name
-+ cls.ad_admin = 'Administrator@{}'.format(ad_domain.upper())
-+ cls.adview = 'Default Trust View'
-+ tasks.install_master(cls.master, setup_adtrust=True)
-+ tasks.configure_dns_for_trust(cls.master, cls.ad)
-+ tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name)
-+ tasks.install_client(cls.master, cls.replica)
-+
-+ def test_replica_conncheck_ad_admin(self):
-+ """
-+ Test to verify that replica installation is not failing for
-+ replica connection check when AD administrator
-+ Administrator@AD.EXAMPLE.COM is used for the deployment
-+ or promotion of a replica.
-+
-+ Related : https://pagure.io/freeipa/issue/9542
-+ """
-+ self.master.run_command(
-+ ['ipa', 'idoverrideuser-add', self.adview, self.ad_admin]
-+ )
-+ self.master.run_command(
-+ ["ipa", "group-add-member", "admins", "--idoverrideusers",
-+ self.ad_admin]
-+ )
-+ tasks.clear_sssd_cache(self.master)
-+
-+ self.replica.run_command(
-+ ["ipa-replica-install", "--setup-ca", "-U", "--ip-address",
-+ self.replica.ip, "--realm", self.replica.domain.realm,
-+ "--domain", self.replica.domain.name,
-+ "--principal={0}".format(self.ad_admin),
-+ "--password", self.master.config.ad_admin_password]
-+ )
-+ logs = self.replica.get_file_contents(paths.IPAREPLICA_CONNCHECK_LOG)
-+ error = "not allowed to perform server connection check"
-+ assert error.encode() not in logs
---
-2.45.2
-
diff --git a/0019-Issue-9621-ipa-migrate-should-not-update-mapped-attr.patch b/0019-Issue-9621-ipa-migrate-should-not-update-mapped-attr.patch
deleted file mode 100644
index b0453bf..0000000
--- a/0019-Issue-9621-ipa-migrate-should-not-update-mapped-attr.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 85a853ba93c1d23d5bad13a1ae2bee802dc90131 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Mon, 8 Jul 2024 11:25:53 -0400
-Subject: [PATCH] Issue 9621 - ipa-migrate - should not update mapped
- attributes in managed entries
-
-We should not migrate mmapped attributes (uidNumber, gidNumber) from
-managed entries
-
-We should also not migrate DNA ranges in staging mode
-
-Fixes: https://pagure.io/freeipa/issue/9621
-
-Signed-off-by: Mark Reynolds
-Reviewed-By: Rob Crittenden
----
- ipaserver/install/ipa_migrate.py | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
-index 0e19b98b5be532c513876e165561f0af176baa27..20f59f84db21022b66c0aa1ffd696d99aef85a44 100644
---- a/ipaserver/install/ipa_migrate.py
-+++ b/ipaserver/install/ipa_migrate.py
-@@ -1322,6 +1322,9 @@ class IPAMigrate():
- self.args.reset_range
- or self.mode == "stage-mode"
- ) and attr.lower() in DNA_REGEN_ATTRS:
-+ # Skip dna attributes from managed entries
-+ if 'mepManagedBy' in local_entry:
-+ break
- # Ok, set the magic regen value
- local_entry[attr] = [DNA_REGEN_VAL]
- self.log_debug("Resetting the DNA range for: "
-@@ -1816,6 +1819,9 @@ class IPAMigrate():
- # processing the entries
- for entry in remote_dse:
- for dse_item in DS_CONFIG.items():
-+ if dse_item[0] == "dna" and self.mode == "stage-mode":
-+ # Do not migrate DNA ranges in staging mode
-+ continue
- dse = dse_item[1]
- for dn in dse['dn']:
- if DN(dn) == DN(entry['dn']):
---
-2.45.2
-
diff --git a/0020-ipatests-remove-xfail-for-test_ipa_migrate_version_o.patch b/0020-ipatests-remove-xfail-for-test_ipa_migrate_version_o.patch
deleted file mode 100644
index e739ecc..0000000
--- a/0020-ipatests-remove-xfail-for-test_ipa_migrate_version_o.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From de940802bb6631fbbc97afd11869d87cba18f47f Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud
-Date: Wed, 17 Jul 2024 18:32:37 +0200
-Subject: [PATCH] ipatests: remove xfail for test_ipa_migrate_version_option
-
-The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1::
-test_ipa_migrate_version_option is now passing, issue has been fixed.
-The -V option has been removed.
-
-Related: https://pagure.io/freeipa/issue/9620
-
-Signed-off-by: Florence Blanc-Renaud
-Reviewed-By: Sudhir Menon
----
- ipatests/test_integration/test_ipa_ipa_migration.py | 12 +++++-------
- 1 file changed, 5 insertions(+), 7 deletions(-)
-
-diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
-index 7e2d4a34216f6cf168f15dda10ce10538a3c3cb9..9aa8a9f32071f122ebb247ba8a1aff041e4fd49a 100644
---- a/ipatests/test_integration/test_ipa_ipa_migration.py
-+++ b/ipatests/test_integration/test_ipa_ipa_migration.py
-@@ -846,20 +846,18 @@ class TestIPAMigrateScenario1(IntegrationTest):
- assert DNS_LOG2 in install_msg
- assert DNS_LOG3 in install_msg
-
-- @pytest.mark.xfail(reason="https://issues.redhat.com/browse/RHEL-46003",
-- strict=True)
- def test_ipa_migrate_version_option(self):
- """
-- This testcase checks the version of
-- the ipa-migrate tool using -v option
-+ The -V option has been removed.
- """
- CONSOLE_LOG = (
- "ipa-migrate: error: the following arguments are "
- "required: mode, hostname"
- )
-- result = self.master.run_command(["ipa-migrate", "-V"])
-- assert result.returncode == 0
-- assert CONSOLE_LOG not in result.stderr_text
-+ result = self.master.run_command(["ipa-migrate", "-V"],
-+ raiseonerr=False)
-+ assert result.returncode == 2
-+ assert CONSOLE_LOG in result.stderr_text
-
- def test_ipa_migrate_with_log_file_option(self):
- """
---
-2.45.2
-
diff --git a/0021-ipatests-remove-xfail-for-test_ipa_migrate_stage_mod.patch b/0021-ipatests-remove-xfail-for-test_ipa_migrate_stage_mod.patch
deleted file mode 100644
index 6fcb38f..0000000
--- a/0021-ipatests-remove-xfail-for-test_ipa_migrate_stage_mod.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 6eb6a929308c2916df9aed2da9ee6ef9d98e2438 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud
-Date: Wed, 17 Jul 2024 18:36:24 +0200
-Subject: [PATCH] ipatests: remove xfail for test_ipa_migrate_stage_mode
-
-The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1
-::test_ipa_migrate_stage_mode is now passing, the issue has been fixed.
-
-Related: https://pagure.io/freeipa/issue/9621
-
-Signed-off-by: Florence Blanc-Renaud
-Reviewed-By: Sudhir Menon
----
- ipatests/test_integration/test_ipa_ipa_migration.py | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
-index 9aa8a9f32071f122ebb247ba8a1aff041e4fd49a..a516941047315e07407b8063a7010526d384ab3b 100644
---- a/ipatests/test_integration/test_ipa_ipa_migration.py
-+++ b/ipatests/test_integration/test_ipa_ipa_migration.py
-@@ -600,9 +600,6 @@ class TestIPAMigrateScenario1(IntegrationTest):
- )
- assert SCHEMA_OVERRIDE_LOG in install_msg
-
-- @pytest.mark.xfail(
-- reason="https://issues.redhat.com/browse/RHEL-45463", strict=True
-- )
- def test_ipa_migrate_stage_mode(self, empty_log_file):
- """
- This test checks that ipa-migrate is successful
---
-2.45.2
-
diff --git a/0022-Unconditionally-add-MS-PAC-to-global-config-on-updat.patch b/0022-Unconditionally-add-MS-PAC-to-global-config-on-updat.patch
deleted file mode 100644
index df99768..0000000
--- a/0022-Unconditionally-add-MS-PAC-to-global-config-on-updat.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From d1a485a435ea9dba7587d1998451a09d3aa4077b Mon Sep 17 00:00:00 2001
-From: Julien Rische
-Date: Wed, 17 Jul 2024 15:45:06 +0200
-Subject: [PATCH] Unconditionally add MS-PAC to global config on update
-
-Fixes: https://pagure.io/freeipa/issue/9632
-
-Signed-off-by: Julien Rische
-Reviewed-By: Florence Blanc-Renaud
----
- install/updates/60-trusts.update | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
-index 56e392044a2fae97ab2f26d8afcffa6a872d41c8..b2fdccae74accf934c9f9e7d83fe63459c1e48b4 100644
---- a/install/updates/60-trusts.update
-+++ b/install/updates/60-trusts.update
-@@ -54,4 +54,4 @@ add:aci: (target="ldap:///krbprincipalname=cifs/($$dn),cn=services,cn=accounts,$
-
- # Add the default PAC type to configuration
- dn: cn=ipaConfig,cn=etc,$SUFFIX
--addifnew: ipaKrbAuthzData: MS-PAC
-+add: ipaKrbAuthzData: MS-PAC
---
-2.45.2
-
diff --git a/0023-Remove-RC4-and-3DES-default-encryption-types-on-upda.patch b/0023-Remove-RC4-and-3DES-default-encryption-types-on-upda.patch
deleted file mode 100644
index 2779117..0000000
--- a/0023-Remove-RC4-and-3DES-default-encryption-types-on-upda.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 9f88188204e443dd5d1d22ebe65b947452558f66 Mon Sep 17 00:00:00 2001
-From: Julien Rische
-Date: Wed, 17 Jul 2024 15:47:33 +0200
-Subject: [PATCH] Remove RC4 and 3DES default encryption types on update
-
-Fixes: https://pagure.io/freeipa/issue/9633
-
-Signed-off-by: Julien Rische
-Reviewed-By: Florence Blanc-Renaud
----
- install/updates/50-krbenctypes.update | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/install/updates/50-krbenctypes.update b/install/updates/50-krbenctypes.update
-index 1058a92d8f5a4971e9ecab52506981b8e470ff77..1bf2bf33a6566586639767771dff501d91a03508 100644
---- a/install/updates/50-krbenctypes.update
-+++ b/install/updates/50-krbenctypes.update
-@@ -7,3 +7,5 @@ add: krbSupportedEncSaltTypes: aes128-sha2:normal
- add: krbSupportedEncSaltTypes: aes128-sha2:special
- add: krbSupportedEncSaltTypes: aes256-sha2:normal
- add: krbSupportedEncSaltTypes: aes256-sha2:special
-+remove: krbDefaultEncSaltTypes: des3-hmac-sha1:special
-+remove: krbDefaultEncSaltTypes: arcfour-hmac:special
---
-2.45.2
-
diff --git a/0024-Fix-a-copy-paste-issue-when-detecting-the-HSM-SELinu.patch b/0024-Fix-a-copy-paste-issue-when-detecting-the-HSM-SELinu.patch
deleted file mode 100644
index b01086d..0000000
--- a/0024-Fix-a-copy-paste-issue-when-detecting-the-HSM-SELinu.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From fdd471d55c73503456683b1dea55769700730b16 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden
-Date: Thu, 18 Jul 2024 13:40:28 -0400
-Subject: [PATCH] Fix a copy/paste issue when detecting the HSM SELinux
- subpackage
-
-I made a mistake when trying to detect which HSM is being used
-to ensure that the appropriate SELinux subpackage is installed.
-
-Fixes: https://pagure.io/freeipa/issue/9636
-
-Signed-off-by: Rob Crittenden
-Reviewed-By: Florence Blanc-Renaud
----
- ipaserver/install/ca.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
-index b8155d9965712dbce4076e9d73d6712135309ce2..e57dc47587fa0e0a6dbbe7511784af065560d782 100644
---- a/ipaserver/install/ca.py
-+++ b/ipaserver/install/ca.py
-@@ -265,7 +265,7 @@ def hsm_validator(token_name, token_library, token_password):
- if 'nfast' in token_library:
- module = 'ipa-selinux-nfast'
- elif 'luna' in token_library:
-- module = 'ipa-selinux-nfast'
-+ module = 'ipa-selinux-luna'
- else:
- module = None
- if module:
---
-2.45.2
-
diff --git a/0025-ipa-migrate-properly-handle-invalid-certificates.patch b/0025-ipa-migrate-properly-handle-invalid-certificates.patch
deleted file mode 100644
index 79ac9d3..0000000
--- a/0025-ipa-migrate-properly-handle-invalid-certificates.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 0e4fbc3b0d15fd219d831b0b49f5312894448206 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Mon, 29 Jul 2024 09:58:30 -0400
-Subject: [PATCH] ipa-migrate - properly handle invalid certificates
-
-A ValueError is raised when an invalid certificate is used, so the tool
-should handle this properly and not produce a stack trace.
-
-Fixes: https://pagure.io/freeipa/issue/9642
-
-Signed-off-by: Mark Reynolds
-Reviewed-By: Rob Crittenden
----
- ipaserver/install/ipa_migrate.py | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
-index 20f59f84db21022b66c0aa1ffd696d99aef85a44..e21937401b3463335d8297b41a403405071d3795 100644
---- a/ipaserver/install/ipa_migrate.py
-+++ b/ipaserver/install/ipa_migrate.py
-@@ -761,6 +761,12 @@ class IPAMigrate():
- try:
- ds_conn = LDAPClient(ldapuri, cacert=self.args.cacertfile,
- start_tls=True)
-+ except ValueError:
-+ # Most likely invalid certificate
-+ self.handle_error(
-+ "Failed to connect to remote server: "
-+ "CA certificate is invalid"
-+ )
- except (
- ldap.LDAPError,
- errors.NetworkError,
---
-2.45.2
-
diff --git a/0026-ipatests-Fix-usage-of-token_password_file.patch b/0026-ipatests-Fix-usage-of-token_password_file.patch
deleted file mode 100644
index 1c5762c..0000000
--- a/0026-ipatests-Fix-usage-of-token_password_file.patch
+++ /dev/null
@@ -1,73 +0,0 @@ -From f03a96a7b914eb5130552cea626fd28e26b2108d Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 15 Jul 2024 10:21:28 -0400 -Subject: [PATCH] ipatests: Fix usage of token_password_file - -There were a few hardcoded places where it was set to -/tmp/token_passwd instead of using the class variable. - -Don't rely on previous running tests installing the token -password file so they can be run individually. - -Fixes: https://pagure.io/freeipa/issue/9603 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_hsm.py | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/ipatests/test_integration/test_hsm.py b/ipatests/test_integration/test_hsm.py -index 3a33c3bda6d072aa16e361b04ac2d668902bb0e9..64305460a5150dfc28a4ab378ac72cd38987184c 100644 ---- a/ipatests/test_integration/test_hsm.py -+++ b/ipatests/test_integration/test_hsm.py -@@ -173,6 +173,9 @@ class BaseHSMTest(IntegrationTest): - cls.master.run_command(['usermod', 'pkiuser', '-a', '-G', 'ods']) - - cls.token_name, cls.token_password = get_hsm_token(cls.master) -+ cls.master.put_file_contents( -+ cls.token_password_file, cls.token_password -+ ) - tasks.install_master( - cls.master, setup_dns=cls.master_with_dns, - setup_kra=cls.master_with_kra, -@@ -220,10 +223,6 @@ class TestHSMInstall(BaseHSMTest): - - def test_hsm_install_replica0_ca_less_install(self): - check_version(self.master) -- -- self.master.put_file_contents( -- self.token_password_file, self.token_password -- ) - tasks.install_replica( - self.master, self.replicas[0], setup_ca=False, - setup_dns=True, -@@ -412,7 +411,7 @@ class TestHSMcertRenewal(BaseHSMTest): - cert = tasks.certutil_fetch_cert( - self.master, - paths.PKI_TOMCAT_ALIAS_DIR, -- '/tmp/token_passwd', -+ self.token_password_file, - nickname, - token_name=self.token_name, - ) -@@ -428,13 +427,14 @@ class TestHSMcertRenewal(BaseHSMTest): - status = tasks.wait_for_request(self.master, 
request_id[0], 120) - assert status == "MONITORING" - -- args = ['-L', '-h', self.token_name, '-f', '/tmp/token_passwd'] -+ args = ['-L', '-h', self.token_name, '-f', -+ self.token_password_file,] - tasks.run_certutil(self.master, args, paths.PKI_TOMCAT_ALIAS_DIR) - - cert = tasks.certutil_fetch_cert( - self.master, - paths.PKI_TOMCAT_ALIAS_DIR, -- '/tmp/token_passwd', -+ self.token_password_file, - nickname, - token_name=self.token_name, - ) --- -2.45.2 - diff --git a/0027-Run-HSM-validation-as-pkiuser-to-verify-token-permis.patch b/0027-Run-HSM-validation-as-pkiuser-to-verify-token-permis.patch deleted file mode 100644 index 596f784..0000000 --- a/0027-Run-HSM-validation-as-pkiuser-to-verify-token-permis.patch +++ /dev/null 
@@ -1,175 +0,0 @@ -From 38b83c2b9329b8b16096d63e83f186c91d578ce8 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Wed, 10 Jul 2024 16:14:46 -0400 -Subject: [PATCH] Run HSM validation as pkiuser to verify token permissions - -Run all commands as pkiuser when validating that the HSM token -is available, that the token library path is correct and that -the password can read keys. This will avoid issues where the -initial validation is ok but the pkiuser is not granted read -access to some part of the token. This is very possible -when using softhsm2. - -Fixes: https://pagure.io/freeipa/issue/9626 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/install/ca.py | 20 ++++++++-- - ipatests/test_integration/test_hsm.py | 57 +++++++++++++++++++++++++++ - 2 files changed, 74 insertions(+), 3 deletions(-) - -diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py -index e57dc47587fa0e0a6dbbe7511784af065560d782..9ff91b9cc42673138eee6fa8e0eb46b323be8b1d 100644 ---- a/ipaserver/install/ca.py -+++ b/ipaserver/install/ca.py -@@ -18,6 +18,7 @@ import six - from ipalib.constants import IPA_CA_CN - from ipalib.install import certstore - from ipalib.install.service import enroll_only, master_install_only, replica_install_only -+from ipaplatform.constants import constants - from ipaserver.install import sysupgrade - from ipapython.install import typing - from ipapython.install.core import group, knob, extend_knob -@@ -208,8 +209,15 @@ def hsm_validator(token_name, token_library, token_password): - raise ValueError( - "Token library path '%s' does not exist" % token_library - ) -+ pkiuser = constants.PKI_USER -+ pkigroup = constants.PKI_GROUP -+ if 'libsofthsm' in token_library: -+ import grp -+ group = grp.getgrnam(constants.ODS_GROUP) -+ if str(constants.PKI_USER) in group.gr_mem: -+ pkigroup = constants.ODS_GROUP - with certdb.NSSDatabase() as tempnssdb: -- tempnssdb.create_db() -+ tempnssdb.create_db(user=str(pkiuser), 
group=str(pkigroup)) - # Try adding the token library to the temporary database in - # case it isn't already available. Ignore all errors. - command = [ -@@ -223,6 +231,7 @@ def hsm_validator(token_name, token_library, token_password): - # It may fail if p11-kit has already registered the library, that's - # ok. - ipautil.run(command, stdin='\n', cwd=tempnssdb.secdir, -+ runas=pkiuser, suplementary_groups=[pkigroup], - raiseonerr=False) - - command = [ -@@ -232,7 +241,8 @@ def hsm_validator(token_name, token_library, token_password): - '-force' - ] - lines = ipautil.run( -- command, cwd=tempnssdb.secdir, capture_output=True).output -+ command, cwd=tempnssdb.secdir, capture_output=True, -+ runas=pkiuser, suplementary_groups=[pkigroup]).output - found = False - token_line = f'token: {token_name}' - for line in lines.split('\n'): -@@ -241,9 +251,11 @@ def hsm_validator(token_name, token_library, token_password): - break - if not found: - raise ValueError( -- "Token named '%s' was not found" % token_name -+ "Token named '%s' was not found. 
Check permissions" -+ % token_name - ) - pwdfile = ipautil.write_tmp_file(token_password) -+ os.fchown(pwdfile.fileno(), pkiuser.uid, pkigroup.gid) - args = [ - paths.CERTUTIL, - "-d", '{}:{}'.format(tempnssdb.dbtype, tempnssdb.secdir), -@@ -252,6 +264,8 @@ def hsm_validator(token_name, token_library, token_password): - "-f", pwdfile.name, - ] - result = ipautil.run(args, cwd=tempnssdb.secdir, -+ runas=pkiuser, -+ suplementary_groups=[pkigroup], - capture_error=True, raiseonerr=False) - if result.returncode != 0 and len(result.error_output): - if 'SEC_ERROR_BAD_PASSWORD' in result.error_output: -diff --git a/ipatests/test_integration/test_hsm.py b/ipatests/test_integration/test_hsm.py -index 64305460a5150dfc28a4ab378ac72cd38987184c..974820fc7363b77fd5fdecc7cf0efca412f3af42 100644 ---- a/ipatests/test_integration/test_hsm.py -+++ b/ipatests/test_integration/test_hsm.py -@@ -833,6 +833,13 @@ class TestHSMNegative(IntegrationTest): - - cls.token_name, cls.token_password = get_hsm_token(cls.master) - -+ @classmethod -+ def uninstall(cls, mh): -+ cls.master.run_command( -+ ['softhsm2-util', '--delete-token', '--token', cls.token_name], -+ raiseonerr=False -+ ) -+ - def test_hsm_negative_wrong_token_details(self): - check_version(self.master) - # wrong token name -@@ -868,6 +875,51 @@ class TestHSMNegative(IntegrationTest): - ) - assert result.returncode != 0 - -+ def test_hsm_negative_bad_token_dir_permissions(self): -+ """Create an unreadable softhsm2 token and install should fail. -+ -+ This is most often seen on replicas where the pkiuser is not -+ a member of the ods group. 
-+ """ -+ check_version(self.master) -+ token_name = 'bad_perms' -+ token_passwd = 'Secret123' -+ self.master.run_command( -+ ['softhsm2-util', '--delete-token', '--token', token_name], -+ raiseonerr=False -+ ) -+ self.master.run_command( -+ ['usermod', 'pkiuser', '-a', '-G', 'ods'] -+ ) -+ self.master.run_command( -+ ['softhsm2-util', '--init-token', -+ '--free', '--pin', token_passwd, '--so-pin', token_passwd, -+ '--label', token_name] -+ ) -+ self.master.run_command( -+ ['usermod', 'pkiuser', '-r', '-G', 'ods'] -+ ) -+ result = tasks.install_master( -+ self.master, raiseonerr=False, -+ extra_args=( -+ '--token-name', token_name, -+ '--token-library-path', hsm_lib_path, -+ '--token-password', token_passwd -+ ) -+ ) -+ self.master.run_command( -+ ['usermod', 'pkiuser', '-a', '-G', 'ods'] -+ ) -+ self.master.run_command( -+ ['softhsm2-util', '--delete-token', '--token', token_name], -+ raiseonerr=False -+ ) -+ assert result.returncode != 0 -+ assert ( -+ f"Token named '{token_name}' was not found" -+ in result.stderr_text -+ ) -+ - def test_hsm_negative_special_char_token_name(self): - check_version(self.master) - token_name = 'hsm:token' -@@ -912,6 +964,11 @@ class TestHSMNegative(IntegrationTest): - '--token-password-file', self.token_password_file - ) - ) -+ self.master.run_command( -+ ['softhsm2-util', '--delete-token', '--token', self.token_name], -+ raiseonerr=False -+ ) -+ # assert 'error message non existing token lib' in result.stderr_text - assert result.returncode != 0 - - --- -2.45.2 - diff --git a/0028-Replica-CA-installation-ignore-time-skew-during-init.patch b/0028-Replica-CA-installation-ignore-time-skew-during-init.patch deleted file mode 100644 index 9786576..0000000 --- a/0028-Replica-CA-installation-ignore-time-skew-during-init.patch +++ /dev/null 
@@ -1,163 +0,0 @@ -From aadb8051d4a3172aac3790f47ff4d241a245bab4 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Thu, 18 Jul 2024 12:57:36 +0200 -Subject: [PATCH] Replica CA installation: ignore time skew during initial - replication - -During a replica CA installation, the initial replication step may fail -if there is too much time skew between the server and replica. - -The replica installer already takes care of this for the replication of -the domain suffix but the replica CA installer does not set -nssldapd-ignore-time-skew to on for o=ipaca suffix. - -During a replica CA installation, read the initial value of -nssldapd-ignore-time-skew, force it to on, start replication and -revert to the initial value. - -Apply the same logic to dsinstance and ipa-replica-manage force-sync. - -Fixes: https://pagure.io/freeipa/issue/9635 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - install/share/Makefile.am | 1 - - install/share/replica-prevent-time-skew.ldif | 4 ---- - install/tools/ipa-replica-manage.in | 4 ++-- - ipaserver/install/cainstance.py | 4 ++++ - ipaserver/install/dsinstance.py | 14 ++--------- - ipaserver/install/service.py | 25 ++++++++++++++++++++ - 6 files changed, 33 insertions(+), 19 deletions(-) - delete mode 100644 install/share/replica-prevent-time-skew.ldif - -diff --git a/install/share/Makefile.am b/install/share/Makefile.am -index e0fe4b7d1756bd05f060a92ab52f910b4bd3adc8..4029297b76cc2f30dc9eab606e5670667978dd27 100644 ---- a/install/share/Makefile.am -+++ b/install/share/Makefile.am -@@ -38,7 +38,6 @@ dist_app_DATA = \ - default-trust-view.ldif \ - delegation.ldif \ - replica-acis.ldif \ -- replica-prevent-time-skew.ldif \ - ds-nfiles.ldif \ - ds-ipa-env.conf.template \ - dns.ldif \ -diff --git a/install/share/replica-prevent-time-skew.ldif b/install/share/replica-prevent-time-skew.ldif -deleted file mode 100644 -index 5d301feddb56347f3b35be89edaae1a7d91e07de..0000000000000000000000000000000000000000 ---- 
a/install/share/replica-prevent-time-skew.ldif -+++ /dev/null -@@ -1,4 +0,0 @@ --dn: cn=config --changetype: modify --replace: nsslapd-ignore-time-skew --nsslapd-ignore-time-skew: $SKEWVALUE -diff --git a/install/tools/ipa-replica-manage.in b/install/tools/ipa-replica-manage.in -index 56145cb8a2249f8c5279d9baec4f34f274990bcf..d6e6ef57c39af70f164d41662227af3dc2535f9c 100644 ---- a/install/tools/ipa-replica-manage.in -+++ b/install/tools/ipa-replica-manage.in -@@ -1262,12 +1262,12 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False): - repl.force_sync(repl.conn, fromhost) - else: - ds = dsinstance.DsInstance(realm_name=realm) -- ds.replica_manage_time_skew(prevent=False) -+ ds.replica_ignore_initial_time_skew() - repl = replication.ReplicationManager(realm, fromhost, dirman_passwd) - repl.force_sync(repl.conn, thishost) - agreement = repl.get_replication_agreement(thishost) - repl.wait_for_repl_update(repl.conn, agreement.dn) -- ds.replica_manage_time_skew(prevent=True) -+ ds.replica_revert_time_skew() - - def show_DNA_ranges(hostname, master, realm, dirman_passwd, nextrange=False, - nolookup=False): -diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py -index b4b86024899bc6532f1123503cec63be9435f55b..5dac2c0441752e7bb569cde1fc93bc17c3128cdf 100644 ---- a/ipaserver/install/cainstance.py -+++ b/ipaserver/install/cainstance.py -@@ -416,7 +416,11 @@ class CAInstance(DogtagInstance): - if promote: - # Setup Database - self.step("creating certificate server db", self.__create_ds_db) -+ self.step("ignore time skew for initial replication", -+ self.replica_ignore_initial_time_skew) - self.step("setting up initial replication", self.__setup_replication) -+ self.step("revert time skew after initial replication", -+ self.replica_revert_time_skew) - self.step("creating ACIs for admin", self.add_ipaca_aci) - self.step("creating installation admin user", self.setup_admin) - self.step("configuring certificate server instance", -diff 
--git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py -index 88984d0219033717cefd28d6170535b6c859330f..dab58e42661f500e7aca0e8311e93d421567b8c8 100644 ---- a/ipaserver/install/dsinstance.py -+++ b/ipaserver/install/dsinstance.py -@@ -387,11 +387,11 @@ class DsInstance(service.Service): - # This helps with initial replication or force-sync because - # the receiving side has no valuable changes itself yet. - self.step("ignore time skew for initial replication", -- self.__replica_ignore_initial_time_skew) -+ self.replica_ignore_initial_time_skew) - - self.step("setting up initial replication", self.__setup_replica) - self.step("prevent time skew after initial replication", -- self.replica_manage_time_skew) -+ self.replica_revert_time_skew) - self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings) - self.step("updating schema", self.__update_schema) - # See LDIFs for automember configuration during replica install -@@ -997,16 +997,6 @@ class DsInstance(service.Service): - def __add_replication_acis(self): - self._ldap_mod("replica-acis.ldif", self.sub_dict) - -- def __replica_ignore_initial_time_skew(self): -- self.replica_manage_time_skew(prevent=False) -- -- def replica_manage_time_skew(self, prevent=True): -- if prevent: -- self.sub_dict['SKEWVALUE'] = 'off' -- else: -- self.sub_dict['SKEWVALUE'] = 'on' -- self._ldap_mod("replica-prevent-time-skew.ldif", self.sub_dict) -- - def __setup_s4u2proxy(self): - - def __add_principal(last_cn, principal, self): -diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py -index 4c366a184ffdc26aaf7b546af9e4de8b43b7be41..cf0f64ab9794111761adf735bc488269bd1814fc 100644 ---- a/ipaserver/install/service.py -+++ b/ipaserver/install/service.py -@@ -862,6 +862,31 @@ class Service: - self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal) - self.set_keytab_owner() - -+ def replica_ignore_initial_time_skew(self): -+ """ -+ Set nsslapd-ignore-time-skew = on if 
not already set -+ and store the initial value in order to restore it later. -+ -+ The on value allows replica initialization even if there -+ are excessive time skews. -+ """ -+ dn = DN(('cn', 'config')) -+ entry_attrs = api.Backend.ldap2.get_entry(dn) -+ self.original_time_skew = entry_attrs['nsslapd-ignore-time-skew'][0] -+ if self.original_time_skew != 'on': -+ entry_attrs['nsslapd-ignore-time-skew'] = 'on' -+ api.Backend.ldap2.update_entry(entry_attrs) -+ -+ def replica_revert_time_skew(self): -+ """ -+ Revert nsslapd-ignore-time-skew to its previous value. -+ """ -+ dn = DN(('cn', 'config')) -+ entry_attrs = api.Backend.ldap2.get_entry(dn) -+ if self.original_time_skew != 'on': -+ entry_attrs['nsslapd-ignore-time-skew'] = self.original_time_skew -+ api.Backend.ldap2.update_entry(entry_attrs) -+ - - class SimpleServiceInstance(Service): - def create_instance(self, gensvc_name=None, fqdn=None, ldap_suffix=None, --- -2.45.2 - diff --git a/0029-Log-errors-reported-by-adtrustinstance.check_inst-us.patch b/0029-Log-errors-reported-by-adtrustinstance.check_inst-us.patch deleted file mode 100644 index 8ba28b4..0000000 --- a/0029-Log-errors-reported-by-adtrustinstance.check_inst-us.patch +++ /dev/null 
@@ -1,49 +0,0 @@
-From e83d949c7f1734dff70379e360e9bbf626149c61 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden
-Date: Fri, 19 Jul 2024 14:24:15 -0400
-Subject: [PATCH] Log errors reported by adtrustinstance.check_inst() using
- logger
-
-It previously only printed the issue which made troubleshooting
-after the fact difficult. Using logger.error() provides the same
-visual functionality but also logs to the server install log.
-
-Fixes: https://pagure.io/freeipa/issue/9637
-
-Signed-off-by: Rob Crittenden
-Reviewed-By: Florence Blanc-Renaud
----
- ipaserver/install/adtrustinstance.py | 9 +++++----
- 1 file changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
-index 2ff68dfb46371a6118eb67515347eb762a37e1ec..fd5a5a282fa2a222de85c6b29d8d9621b53c95d2 100644
---- a/ipaserver/install/adtrustinstance.py
-+++ b/ipaserver/install/adtrustinstance.py
-@@ -65,8 +65,8 @@ and re-run ipa-adtrust-instal again afterwards.
- def check_inst():
- for smbfile in [paths.SMBD, paths.NET]:
- if not os.path.exists(smbfile):
-- print("%s was not found on this system" % smbfile)
-- print("Please install the 'samba' packages and " \
-+ logger.error("%s was not found on this system", smbfile)
-+ logger.error("Please install the 'samba' packages and "
- "start the installation again")
- return False
-
-@@ -74,9 +74,10 @@ def check_inst():
- # by looking for the file /usr/share/ipa/smb.conf.empty
- if not os.path.exists(os.path.join(paths.USR_SHARE_IPA_DIR,
- "smb.conf.empty")):
-- print("AD Trust requires the '%s' package" %
-+ logger.error("AD Trust requires the '%s' package",
- constants.IPA_ADTRUST_PACKAGE_NAME)
-- print("Please install the package and start the installation again")
-+ logger.error(
-+ "Please install the package and start the installation again")
- return False
-
- #TODO: Add check for needed samba4 libraries
---
-2.45.2
-
diff --git a/0030-ipatests-Verify-that-SIDgen-task-continue-even-if-it.patch b/0030-ipatests-Verify-that-SIDgen-task-continue-even-if-it.patch
deleted file mode 100644
index 10977fe..0000000
--- a/0030-ipatests-Verify-that-SIDgen-task-continue-even-if-it.patch
+++ /dev/null
@@ -1,116 +0,0 @@ -From ee96c129a6034d02245a41c58fa3398c12c9ee75 Mon Sep 17 00:00:00 2001 -From: Mohammad Rizwan -Date: Thu, 11 Jul 2024 18:14:52 +0530 -Subject: [PATCH] ipatests: Verify that SIDgen task continue even if it fails - to assign sid - -related: https://pagure.io/freeipa/issue/9618 - -Signed-off-by: Mohammad Rizwan -Reviewed-By: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_commands.py | 73 +++++++++++++++++++++- - 1 file changed, 71 insertions(+), 2 deletions(-) - -diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py -index f6f1c979a751a300f09358c044fbfb34539d188e..fd34defe5b12f06ed7c16350cb90933ce9bcd72e 100644 ---- a/ipatests/test_integration/test_commands.py -+++ b/ipatests/test_integration/test_commands.py -@@ -1267,7 +1267,7 @@ class TestIPACommand(IntegrationTest): - - def get_dirsrv_id(self): - serverid = realm_to_serverid(self.master.domain.realm) -- return("dirsrv@%s.service" % serverid) -+ return ("dirsrv@%s.service" % serverid) - - def test_ipa_nis_manage_enable(self): - """ -@@ -1769,7 +1769,7 @@ class TestIPACommandWithoutReplica(IntegrationTest): - api.bootstrap_with_global_options(context='server') - api.finalize() - api.Backend.ldap2.connect() -- -+ - api.Command["group_add"]("testgroup1", external=True) - api.Command["group_add"]("testgroup2", external=False) - result1 = api.Command["group_show"]("testgroup1", all=True)["result"] # noqa: E501 -@@ -1814,6 +1814,75 @@ class TestIPACommandWithoutReplica(IntegrationTest): - '/tmp/reproducer2_code.py']) - assert "missing attribute" not in result.stdout_text - -+ def test_sidgen_task_continue_on_error(self): -+ """Verify that SIDgen task continue even if it fails to assign sid -+ scenario: -+ - add a user with no uid (it will be auto-assigned inside -+ the range) -+ - add a user with uid 2000 -+ - add a user with no uid (it will be auto-assigned inside -+ the range) -+ - edit the first and 3rd users, 
remove the objectclass -+ ipaNTUserAttrs and the attribute ipaNTSecurityIdentifier -+ - run the sidgen task -+ - verify that user1 and user3 have a ipaNTSecurityIdentifier -+ - verify that old error message is not seen in dirsrv error log -+ - verify that new error message is seen in dirsrv error log -+ -+ related: https://pagure.io/freeipa/issue/9618 -+ """ -+ test_user1 = 'test_user1' -+ test_user2 = 'test_user2' -+ test_user2000 = 'test_user2000' -+ base_dn = str(self.master.domain.basedn) -+ old_err_msg = 'Cannot add SID to existing entry' -+ new_err_msg = r'Finished with [0-9]+ failures, please check the log' -+ -+ tasks.kinit_admin(self.master) -+ tasks.user_add(self.master, test_user1) -+ self.master.run_command( -+ ['ipa', 'user-add', test_user2000, -+ '--first', 'test', '--last', 'user', -+ '--uid', '2000'] -+ ) -+ tasks.user_add(self.master, test_user2) -+ -+ for user in (test_user1, test_user2): -+ entry_ldif = textwrap.dedent(""" -+ dn: uid={user},cn=users,cn=accounts,{base_dn} -+ changetype: modify -+ delete: ipaNTSecurityIdentifier -+ - -+ delete: objectclass -+ objectclass: ipaNTUserAttrs -+ """).format( -+ user=user, -+ base_dn=base_dn) -+ tasks.ldapmodify_dm(self.master, entry_ldif) -+ -+ # run sidgen task -+ self.master.run_command( -+ ['ipa', 'config-mod', '--add-sids', '--enable-sid'] -+ ) -+ -+ # ensure that sidgen have added the attr removed above -+ for user in (test_user1, test_user2): -+ result = tasks.ldapsearch_dm( -+ self.master, -+ 'uid={user},cn=users,cn=accounts,{base_dn}'.format( -+ user=user, base_dn=base_dn), -+ ['ipaNTSecurityIdentifier'] -+ ) -+ assert 'ipaNTSecurityIdentifier' in result.stdout_text -+ -+ dashed_domain = self.master.domain.realm.replace(".", '-') -+ dirsrv_error_log = self.master.get_file_contents( -+ paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % (dashed_domain), -+ encoding='utf-8' -+ ) -+ assert old_err_msg not in dirsrv_error_log -+ assert re.search(new_err_msg, dirsrv_error_log) -+ - - class 
TestIPAautomount(IntegrationTest): - @classmethod --- -2.45.2 - diff --git a/0031-ipatests-ipa-migrate-tool-with-Z-option-CACERTFILE.patch b/0031-ipatests-ipa-migrate-tool-with-Z-option-CACERTFILE.patch deleted file mode 100644 index efbd47e..0000000 --- a/0031-ipatests-ipa-migrate-tool-with-Z-option-CACERTFILE.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 8046023fc46c628c099d84b026ab866f7c6e16d6 Mon Sep 17 00:00:00 2001 -From: Sudhir Menon -Date: Thu, 25 Jul 2024 18:32:21 +0530 -Subject: [PATCH] ipatests: ipa-migrate tool with -Z option (CACERTFILE) - -This patch add tests to check the scenarios associated with -pagure tickets - -https://pagure.io/freeipa/issue/9642 - ipa-migrate - properly handle invalid certificates -https://pagure.io/freeipa/issue/9619 - ipa-migrate starttls does not work - -Signed-off-by: Sudhir Menon -Reviewed-By: Rob Crittenden ---- - .../test_ipa_ipa_migration.py | 48 +++++++++++++++++++ - 1 file changed, 48 insertions(+) - -diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py -index a516941047315e07407b8063a7010526d384ab3b..f697bbfbfc6169309274db689501c99fe148cc70 100644 ---- a/ipatests/test_integration/test_ipa_ipa_migration.py -+++ b/ipatests/test_integration/test_ipa_ipa_migration.py -@@ -872,3 +872,51 @@ class TestIPAMigrateScenario1(IntegrationTest): - extra_args=params, - ) - assert self.replicas[0].transport.file_exists(custom_log_file) -+ -+ def test_ipa_migrate_stage_mode_with_cert(self): -+ """ -+ This testcase checks that ipa-migrate command -+ works without the 'ValuerError' -+ when -Z option is used with valid cert -+ """ -+ cert_file = '/tmp/ipa.crt' -+ remote_server_cert = self.master.get_file_contents( -+ paths.IPA_CA_CRT, encoding="utf-8" -+ ) -+ self.replicas[0].put_file_contents(cert_file, remote_server_cert) -+ params = ['-x', '-n', '-Z', cert_file] -+ result = run_migrate( -+ self.replicas[0], -+ "stage-mode", -+ self.master.hostname, -+ "cn=Directory Manager", -+ self.master.config.admin_password, -+ extra_args=params, -+ ) -+ assert result.returncode == 0 -+ -+ def test_ipa_migrate_stage_mode_with_invalid_cert(self): -+ """ -+ This test checks ipa-migrate tool throws -+ error when invalid cert is specified with -+ -Z option -+ """ -+ cert_file = '/tmp/invaid_cert.crt' -+ 
invalid_cert = (
-+ b'-----BEGIN CERTIFICATE-----\n'
-+ b'MIIFazCCDQYJKoZIhvcNAQELBQAw\n'
-+ b'-----END CERTIFICATE-----\n'
-+ )
-+ ERR_MSG = "Failed to connect to remote server: "
-+ params = ['-x', '-n', '-Z', cert_file]
-+ self.replicas[0].put_file_contents(cert_file, invalid_cert)
-+ result = run_migrate(
-+ self.replicas[0],
-+ "stage-mode",
-+ self.master.hostname,
-+ "cn=Directory Manager",
-+ self.master.config.admin_password,
-+ extra_args=params,
-+ )
-+ assert result.returncode == 1
-+ assert ERR_MSG in result.stderr_text
---
-2.45.2
-
diff --git a/freeipa.spec b/freeipa.spec
index 34a7d50..b5aa22b 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -71,7 +71,7 @@
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.19
 %global samba_version 4.20.0
-%global slapi_nis_version 0.56.4
+%global slapi_nis_version 0.70.0
 %global python_ldap_version 3.1.0-1
 %if 0%{?rhel} < 9
 # Bug 1929067 - PKI instance creation failed with new 389-ds-base build
@@ -102,7 +102,7 @@
 # 38.28 or later includes passkey-related fixes
 %global selinux_policy_version 38.28-1
-%global slapi_nis_version 0.56.5
+%global slapi_nis_version 0.70.0
 # Require new KDB ABI
 %global krb5_version 1.21.2
@@ -192,7 +192,7 @@
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.12.1
+%define IPA_VERSION 4.12.2
 # Release candidate version -- uncomment with one percent for RC versions
 #%%global rc_version
 %define AT_SIGN @
@@ -205,7 +205,7 @@
 Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 4%{?rc_version:.%rc_version}%{?dist}
+Release: 1%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPL-3.0-or-later
@@ -238,36 +238,7 @@ Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
 %endif
 %if 0%{?rhel} >= 9
 Patch0001: 0001-Revert-Replace-netifaces-with-ifaddr.patch
-Patch0002: 0002-Add-iparepltopoconf-objectclass-to-topology-permissi.patch
-Patch0003: 0003-ipa-otptoken-import-open-the-key-file-in-binary-mode.patch
-Patch0004: 0004-spec-file-do-not-create-etc-ssh-ssh_config.orig-if-u.patch
-Patch0005: 0005-ipatests-add-test-for-ticket-9610.patch
-Patch0006: 0006-PKINIT-certificate-fix-renewal-on-hidden-replica.patch
-Patch0007: 0007-ipatests-add-test-for-PKINIT-renewal-on-hidden-repli.patch
-Patch0008: 0008-ipatests-Tests-for-ipa-ipa-migration-tool.patch
-Patch0009: 0009-ipa_sidgen-Allow-sidgen_task-to-continue-after-findi.patch
-Patch0010: 0010-ipatests-mark-test_ca_show_error_handling-as-xfail.patch
-Patch0011: 0011-ipa-migrate-remove-V-option.patch
-Patch0012: 0012-Fix-syntax-error-in-the-selinux-luna-postun-script.patch
-Patch0013: 0013-Re-organize-HSM-validation-to-be-more-consistent-les.patch
-Patch0014: 0014-ipatests-tests-related-to-token-password-file.patch
-Patch0015: 0015-Include-token-password-options-in-ipa-kra-install-ma.patch
-Patch0016: 0016-ipa-migrate-starttls-does-not-work.patch
-Patch0017: 0017-ipa-pwd-extop-differentiate-OTP-requirements-in-LDAP.patch
-Patch0018: 0018-ipatests-Test-replica-installation-using-AD-admin.patch
-Patch0019: 0019-Issue-9621-ipa-migrate-should-not-update-mapped-attr.patch
-Patch0020: 0020-ipatests-remove-xfail-for-test_ipa_migrate_version_o.patch
-Patch0021: 0021-ipatests-remove-xfail-for-test_ipa_migrate_stage_mod.patch
-Patch0022: 0022-Unconditionally-add-MS-PAC-to-global-config-on-updat.patch
-Patch0023: 0023-Remove-RC4-and-3DES-default-encryption-types-on-upda.patch
-Patch0024: 0024-Fix-a-copy-paste-issue-when-detecting-the-HSM-SELinu.patch
-Patch0025: 0025-ipa-migrate-properly-handle-invalid-certificates.patch
-Patch0026: 0026-ipatests-Fix-usage-of-token_password_file.patch
-Patch0027: 0027-Run-HSM-validation-as-pkiuser-to-verify-token-permis.patch
-Patch0028: 0028-Replica-CA-installation-ignore-time-skew-during-init.patch
-Patch0029: 0029-Log-errors-reported-by-adtrustinstance.check_inst-us.patch
-Patch0030: 0030-ipatests-Verify-that-SIDgen-task-continue-even-if-it.patch
-Patch0031: 0031-ipatests-ipa-migrate-tool-with-Z-option-CACERTFILE.patch
+Patch0002: 0002-freeipa-disable-nis.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1514,7 +1485,6 @@ fi
 %{_sbindir}/ipa-ldap-updater
 %{_sbindir}/ipa-otptoken-import
 %{_sbindir}/ipa-compat-manage
-%{_sbindir}/ipa-nis-manage
 %{_sbindir}/ipa-managed-entries
 %{_sbindir}/ipactl
 %{_sbindir}/ipa-advise
@@ -1589,7 +1559,6 @@ fi
 %{_mandir}/man1/ipa-ca-install.1*
 %{_mandir}/man1/ipa-kra-install.1*
 %{_mandir}/man1/ipa-compat-manage.1*
-%{_mandir}/man1/ipa-nis-manage.1*
 %{_mandir}/man1/ipa-managed-entries.1*
 %{_mandir}/man1/ipa-ldap-updater.1*
 %{_mandir}/man8/ipactl.8*
@@ -1890,6 +1859,12 @@ fi
 %endif
 %changelog
+* Thu Aug 22 2024 Florence Blanc-Renaud - 4.12.2.1
+- Resolves: RHEL-54545 Covscan issues: Resource Leak
+- Resolves: RHEL-54304 support for python cryptography 43.0.0
+- Resolves: RHEL-49805 misleading warning for missing ipa-selinux-nfast package on luna hsm h/w
+- Resolves: RHEL-46897 With unreachable AD, ipa trust returns an internal error
+
 * Thu Aug 8 2024 Florence Blanc-Renaud - 4.12.1-4
 - Resolves: RHEL-53501 adtrustinstance only prints issues in check_inst() and does not log them
 - Resolves: RHEL-52305 Unconditionally add MS-PAC to global config
diff --git a/sources b/sources
index f6b9bfd..3d981c0 100644
--- a/sources
+++ b/sources
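Review bot: The Patch list drops backports 0002–0031 and replaces them with `0002-freeipa-disable-nis.patch`, but nothing on the page confirms that the 4.12.2 tarball carries those fixes; the security-relevant ones (the RC4/3DES default-enctype removal in 0023, the pkiuser-based HSM validation in 0027, the ipa-migrate CA-certificate handling in 0025) deserve an explicit check against the upstream 4.12.2 release before the backports go away, since a miss would silently reintroduce the old behaviour on update. The NIS removal is wider than this hunk: the `-1514` and `-1589` hunks delete `%{_sbindir}/ipa-nis-manage` and its man page, yet the new changelog entry in the `-1890` hunk lists four RHEL tickets and mentions neither the rebase nor the NIS disablement, so `rpm -q --changelog` gives no reason for the tool disappearing. The changelog version string `- 4.12.2.1` also does not match the `Release: 1%{?rc_version:.%rc_version}%{?dist}` form of the previous entry (`4.12.1-4`) and should read `- 4.12.2-1`. I would open the entry with a line such as `- Rebase to upstream 4.12.2; drop backported patches now included upstream; disable NIS support (ipa-nis-manage removed)`.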
@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.12.1.tar.gz) = a419c4251a55a69f90e6e3d2a514d6ba9e0609573bd5dbc9ff446c95b09164831233987c8cb70d3c2b53dae9b6600f3efd50c976007637cf18e6679e51f2c2f9
-SHA512 (freeipa-4.12.1.tar.gz.asc) = 759de997443d608bb26e684c5de8678cb01d15077a2506ee4cc6102f1b5255a3ffd4bf25fb4a07578e590eb72b44e9f6b42645eac1f6f451d652f36271d3a806
+SHA512 (freeipa-4.12.2.tar.gz) = 2e1e67dbe73a458db5c59528799649629a1cb462283e4e9a4c56aff46d275782bcb3b0d57de615bbc7020a4350d4d383501e049ac19ed38250896b1e8fd27cb0
+SHA512 (freeipa-4.12.2.tar.gz.asc) = 07309bfdafd2ba9b1ced71374df5a84d242a5bf8e806765b4c3374ee2ddea0484f140d615a24b3f73f39a8ac34727d82a066ea399f91654077170519a12e2d27