ipa-4.12.2.1

- Resolves: RHEL-54545 Covscan issues: Resource Leak
- Resolves: RHEL-54304 support for python cryptography 43.0.0
- Resolves: RHEL-49805 misleading warning for missing ipa-selinux-nfast package on luna hsm h/w
- Resolves: RHEL-46897 With unreachable AD, ipa trust returns an internal error

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Florence Blanc-Renaud 2024-08-21 21:06:29 +02:00
parent 86420dd2f3
commit 0378d5e4e5
34 changed files with 915 additions and 3258 deletions

.gitignore vendored

@ -136,3 +136,5 @@
/freeipa-4.12.0.tar.gz.asc
/freeipa-4.12.1.tar.gz.asc
/freeipa-4.12.1.tar.gz
/freeipa-4.12.2.tar.gz
/freeipa-4.12.2.tar.gz.asc


@ -1,79 +0,0 @@
From ebccaac3cf8a5688739d76426924469d5b4df6b1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 10 Jun 2024 14:54:41 -0400
Subject: [PATCH] Add iparepltopoconf objectclass to topology permissions
The domain and ca objects were unreadable which caused
the conneciton lines between nodes in the UI to not be
visible.
Also add a manual ACI to allow reading the min/max
domain level.
Fixes: https://pagure.io/freeipa/issue/9594
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
ACI.txt | 8 ++++----
install/updates/40-replication.update | 11 +++++++++++
ipaserver/plugins/topology.py | 2 +-
3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/ACI.txt b/ACI.txt
index 13b0a64bde6b29503b048630f1c718e5e30759b2..50c8824d43cd6d3ca9a381b5d34425cb0197508c 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -375,13 +375,13 @@ aci: (targetattr = "cmdcategory || cn || createtimestamp || description || entry
dn: dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || description || entryusn || modifytimestamp || objectclass || ou || sudocommand || sudohost || sudonotafter || sudonotbefore || sudooption || sudoorder || sudorunas || sudorunasgroup || sudorunasuser || sudouser")(target = "ldap:///ou=sudoers,dc=ipa,dc=example")(version 3.0;acl "permission:System: Read Sudoers compat tree";allow (compare,read,search) userdn = "ldap:///anyone";)
dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example
-aci: (targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Add Topology Segments";allow (add) groupdn = "ldap:///cn=System: Add Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetfilter = "(|(objectclass=iparepltopoconf)(objectclass=iparepltoposegment))")(version 3.0;acl "permission:System: Add Topology Segments";allow (add) groupdn = "ldap:///cn=System: Add Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example
-aci: (targetattr = "iparepltoposegmentdirection || iparepltoposegmentleftnode || iparepltoposegmentrightnode || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal")(targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Modify Topology Segments";allow (write) groupdn = "ldap:///cn=System: Modify Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "iparepltoposegmentdirection || iparepltoposegmentleftnode || iparepltoposegmentrightnode || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal")(targetfilter = "(|(objectclass=iparepltopoconf)(objectclass=iparepltoposegment))")(version 3.0;acl "permission:System: Modify Topology Segments";allow (write) groupdn = "ldap:///cn=System: Modify Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example
-aci: (targetattr = "cn || createtimestamp || entryusn || iparepltopoconfroot || iparepltoposegmentdirection || iparepltoposegmentleftnode || iparepltoposegmentrightnode || iparepltoposegmentstatus || modifytimestamp || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || objectclass")(targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Read Topology Segments";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "cn || createtimestamp || entryusn || iparepltopoconfroot || iparepltoposegmentdirection || iparepltoposegmentleftnode || iparepltoposegmentrightnode || iparepltoposegmentstatus || modifytimestamp || nsds5replicastripattrs || nsds5replicatedattributelist || nsds5replicatedattributelisttotal || objectclass")(targetfilter = "(|(objectclass=iparepltopoconf)(objectclass=iparepltoposegment))")(version 3.0;acl "permission:System: Read Topology Segments";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=topology,cn=ipa,cn=etc,dc=ipa,dc=example
-aci: (targetfilter = "(objectclass=iparepltoposegment)")(version 3.0;acl "permission:System: Remove Topology Segments";allow (delete) groupdn = "ldap:///cn=System: Remove Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetfilter = "(|(objectclass=iparepltopoconf)(objectclass=iparepltoposegment))")(version 3.0;acl "permission:System: Remove Topology Segments";allow (delete) groupdn = "ldap:///cn=System: Remove Topology Segments,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=trusts,dc=ipa,dc=example
aci: (targetattr = "cn || createtimestamp || entryusn || ipantadditionalsuffixes || ipantflatname || ipantsecurityidentifier || ipantsidblacklistincoming || ipantsidblacklistoutgoing || ipanttrustdirection || ipanttrusteddomainsid || ipanttrustpartner || modifytimestamp || objectclass")(version 3.0;acl "permission:System: Read Trust Information";allow (compare,read,search) userdn = "ldap:///all";)
dn: cn=trusts,dc=ipa,dc=example
diff --git a/install/updates/40-replication.update b/install/updates/40-replication.update
index 06b6613ed4c9ede935f879ee46ed5e7d5a0935ba..6dc38e36d96b4e019eb35f9d0367bfc7a202af98 100644
--- a/install/updates/40-replication.update
+++ b/install/updates/40-replication.update
@@ -28,3 +28,14 @@ default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
remove:aci: (targetattr=cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass)(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
add:aci: (targetattr = "cn || dnaMaxValue || dnaNextRange || dnaNextValue || dnaThreshold || dnaType || objectclass")(version 3.0;acl "permission:Read DNA Range";allow (read, search, compare) groupdn = "ldap:///cn=Read DNA Range,cn=permissions,cn=pbac,$SUFFIX";)
+
+dn: cn=Read domain level,cn=permissions,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: ipapermission
+default:cn: Read domain level
+default:ipapermissiontype: SYSTEM
+default:member: cn=Replication Administrators,cn=privileges,cn=pbac,$SUFFIX
+
+dn: cn=masters,cn=ipa,cn=etc,$SUFFIX
+add:aci: (targetattr = "ipamaxdomainlevel || ipamindomainlevel")(version 3.0;acl "permission:Read domain level";allow (read, search, compare) groupdn = "ldap:///cn=Read domain level,cn=permissions,cn=pbac,$SUFFIX";)
diff --git a/ipaserver/plugins/topology.py b/ipaserver/plugins/topology.py
index be0cf3d705267af66e20fb990b2fed72b61d2c49..1401fe259226c12abe42a5670d3ce1812c27cc05 100644
--- a/ipaserver/plugins/topology.py
+++ b/ipaserver/plugins/topology.py
@@ -104,7 +104,7 @@ class topologysegment(LDAPObject):
object_name = _('segment')
object_name_plural = _('segments')
object_class = ['iparepltoposegment']
- permission_filter_objectclasses = ['iparepltoposegment']
+ permission_filter_objectclasses = ['iparepltoposegment', 'iparepltopoconf']
default_attributes = [
'cn',
'ipaReplTopoSegmentdirection', 'ipaReplTopoSegmentrightNode',
--
2.45.2


@ -0,0 +1,900 @@
From da1ec155fb5d5afc29b70ff4d68f0d774aa7f245 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 29 Apr 2024 10:10:08 +0300
Subject: [PATCH] Remove NIS server support
RHEL 8.3+ already deprecated support for NIS protocol.
RHEL 9 does not ship NIS client side
RHEL 10 removes NIS server emulator support
Remove NIS server integration from the migration and
management tools.
Fixes: https://pagure.io/freeipa/issue/9363
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
freeipa.spec.in | 2 -
install/share/Makefile.am | 2 -
install/share/nis-update.uldif | 38 ----
install/share/nis.uldif | 96 ----------
install/tools/Makefile.am | 2 -
install/tools/ipa-compat-manage.in | 17 +-
install/tools/ipa-nis-manage.in | 205 ---------------------
install/tools/man/Makefile.am | 1 -
install/tools/man/ipa-nis-manage.1 | 51 -----
install/updates/10-enable-betxn.update | 3 -
install/updates/50-nis.update | 3 -
install/updates/Makefile.am | 1 -
ipaplatform/base/paths.py | 2 -
ipaserver/install/ipa_migrate.py | 27 +--
ipaserver/install/ipa_migrate_constants.py | 24 ---
ipaserver/install/plugins/update_nis.py | 92 ---------
ipatests/test_cmdline/test_cli.py | 1 -
ipatests/test_integration/test_commands.py | 87 ---------
18 files changed, 16 insertions(+), 638 deletions(-)
delete mode 100644 install/share/nis-update.uldif
delete mode 100644 install/share/nis.uldif
delete mode 100644 install/tools/ipa-nis-manage.in
delete mode 100644 install/tools/man/ipa-nis-manage.1
delete mode 100644 install/updates/50-nis.update
delete mode 100644 ipaserver/install/plugins/update_nis.py
diff --git a/freeipa.spec.in b/freeipa.spec.in
index e370290bc..b5e33a6ac 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1508,7 +1508,6 @@ fi
%{_sbindir}/ipa-ldap-updater
%{_sbindir}/ipa-otptoken-import
%{_sbindir}/ipa-compat-manage
-%{_sbindir}/ipa-nis-manage
%{_sbindir}/ipa-managed-entries
%{_sbindir}/ipactl
%{_sbindir}/ipa-advise
@@ -1583,7 +1582,6 @@ fi
%{_mandir}/man1/ipa-ca-install.1*
%{_mandir}/man1/ipa-kra-install.1*
%{_mandir}/man1/ipa-compat-manage.1*
-%{_mandir}/man1/ipa-nis-manage.1*
%{_mandir}/man1/ipa-managed-entries.1*
%{_mandir}/man1/ipa-ldap-updater.1*
%{_mandir}/man8/ipactl.8*
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 4029297b7..24664ca3b 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -67,8 +67,6 @@ dist_app_DATA = \
master-entry.ldif \
memberof-task.ldif \
memberof-conf.ldif \
- nis.uldif \
- nis-update.uldif \
opendnssec_conf.template \
opendnssec_kasp.template \
unique-attributes.ldif \
diff --git a/install/share/nis-update.uldif b/install/share/nis-update.uldif
deleted file mode 100644
index e602c1de0..000000000
--- a/install/share/nis-update.uldif
+++ /dev/null
@@ -1,38 +0,0 @@
-# Updates for NIS
-
-# Correct syntax error that caused users to not appear
-dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config
-replace:nis-value-format: %merge(" ","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\\\")\",\"-\"),%{nisDomainName:-})")::%merge(" ","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})")
-
-# Correct syntax error that caused nested netgroups to not work
-# https://bugzilla.redhat.com/show_bug.cgi?id=788625
-dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config
-replace:nis-value-format: %merge(" ","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})")::%merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})")
-
-# Make the padding an expression so usercat and hostcat always gets
-# evaluated when displaying entries.
-# https://bugzilla.redhat.com/show_bug.cgi?id=767372
-dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config
-replace:nis-value-format: %merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})")::%merge(" 
","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\"),%{nisDomainName:-})")
-
-dn: nis-domain=$DOMAIN+nis-map=ethers.byaddr, cn=NIS Server, cn=plugins, cn=config
-default:objectclass: top
-default:objectclass: extensibleObject
-default:nis-domain: $DOMAIN
-default:nis-map: ethers.byaddr
-default:nis-base: cn=computers, cn=accounts, $SUFFIX
-default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
-default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6")
-default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7")
-default:nis-secure: no
-
-dn: nis-domain=$DOMAIN+nis-map=ethers.byname, cn=NIS Server, cn=plugins, cn=config
-default:objectclass: top
-default:objectclass: extensibleObject
-default:nis-domain: $DOMAIN
-default:nis-map: ethers.byname
-default:nis-base: cn=computers, cn=accounts, $SUFFIX
-default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
-default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%7")
-default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7")
-default:nis-secure: no
diff --git a/install/share/nis.uldif b/install/share/nis.uldif
deleted file mode 100644
index 1735fb552..000000000
--- a/install/share/nis.uldif
+++ /dev/null
@@ -1,96 +0,0 @@
-dn: cn=NIS Server, cn=plugins, cn=config
-default:objectclass: top
-default:objectclass: nsSlapdPlugin
-default:objectclass: extensibleObject
-default:cn: NIS Server
-default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/nisserver-plugin.so
-default:nsslapd-plugininitfunc: nis_plugin_init
-default:nsslapd-plugintype: object
-default:nsslapd-pluginbetxn: on
-default:nsslapd-pluginenabled: on
-default:nsslapd-pluginid: nis-server
-default:nsslapd-pluginversion: 0.10
-default:nsslapd-pluginvendor: redhat.com
-default:nsslapd-plugindescription: NIS Server Plugin
-default:nis-tcp-wrappers-name: nis-server
-
-dn: nis-domain=$DOMAIN+nis-map=passwd.byname, cn=NIS Server, cn=plugins, cn=config
-default:objectclass: top
-default:objectclass: extensibleObject
-default:nis-domain: $DOMAIN
-default:nis-map: passwd.byname
-default:nis-base: cn=users, cn=accounts, $SUFFIX
-default:nis-secure: no
-
-dn: nis-domain=$DOMAIN+nis-map=passwd.byuid, cn=NIS Server, cn=plugins, cn=config
-default:objectclass: top
-default:objectclass: extensibleObject
-default:nis-domain: $DOMAIN
-default:nis-map: passwd.byuid
-default:nis-base: cn=users, cn=accounts, $SUFFIX
-default:nis-secure: no
-
-dn: nis-domain=$DOMAIN+nis-map=group.byname, cn=NIS Server, cn=plugins, cn=config
-default:objectclass: top
-default:objectclass: extensibleObject
-default:nis-domain: $DOMAIN
-default:nis-map: group.byname
-default:nis-base: cn=groups, cn=accounts, $SUFFIX
-default:nis-secure: no
-
-dn: nis-domain=$DOMAIN+nis-map=group.bygid, cn=NIS Server, cn=plugins, cn=config
-default:objectclass: top
-default:objectclass: extensibleObject
-default:nis-domain: $DOMAIN
-default:nis-map: group.bygid
-default:nis-base: cn=groups, cn=accounts, $SUFFIX
-default:nis-secure: no
-
-dn: nis-domain=$DOMAIN+nis-map=netid.byname, cn=NIS Server, cn=plugins, cn=config
-default:objectclass: top
-default:objectclass: extensibleObject
-default:nis-domain: $DOMAIN
-default:nis-map: netid.byname
-default:nis-base: cn=users, cn=accounts, $SUFFIX
-default:nis-secure: no
-
-# Note that the escapes in this entry can be quite confusing. The trick
-# is that each level of nesting requires (2^n) - 1 escapes. So the
-# first level is \", the second is \\\", the third is \\\\\\\", etc.
-# (1, 3, 7, 15, more than that and you'll go insane)
-
-# Note that this configuration mirrors the Schema Compat configuration for
-# triples.
-dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config
-default:objectclass: top
-default:objectclass: extensibleObject
-default:nis-domain: $DOMAIN
-default:nis-map: netgroup
-default:nis-base: cn=ng, cn=alt, $SUFFIX
-default:nis-filter: (objectClass=ipanisNetgroup)
-default:nis-key-format: %{cn}
-default:nis-value-format:%merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\"),%{nisDomainName:-})")
-default:nis-secure: no
-
-dn: nis-domain=$DOMAIN+nis-map=ethers.byaddr, cn=NIS Server, cn=plugins, cn=config
-default:objectclass: top
-default:objectclass: extensibleObject
-default:nis-domain: $DOMAIN
-default:nis-map: ethers.byaddr
-default:nis-base: cn=computers, cn=accounts, $SUFFIX
-default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
-default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6")
-default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7")
-default:nis-secure: no
-
-dn: nis-domain=$DOMAIN+nis-map=ethers.byname, cn=NIS Server, cn=plugins, cn=config
-default:objectclass: top
-default:objectclass: extensibleObject
-default:nis-domain: $DOMAIN
-default:nis-map: ethers.byname
-default:nis-base: cn=computers, cn=accounts, $SUFFIX
-default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost))
-default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%7")
-default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7")
-default:nis-secure: no
-
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index c454fad97..a5306ffe9 100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -19,7 +19,6 @@ dist_noinst_DATA = \
ipa-server-upgrade.in \
ipactl.in \
ipa-compat-manage.in \
- ipa-nis-manage.in \
ipa-managed-entries.in \
ipa-ldap-updater.in \
ipa-otptoken-import.in \
@@ -56,7 +55,6 @@ nodist_sbin_SCRIPTS = \
ipa-server-upgrade \
ipactl \
ipa-compat-manage \
- ipa-nis-manage \
ipa-managed-entries \
ipa-ldap-updater \
ipa-otptoken-import \
diff --git a/install/tools/ipa-compat-manage.in b/install/tools/ipa-compat-manage.in
index 459f39fc8..70dd7c451 100644
--- a/install/tools/ipa-compat-manage.in
+++ b/install/tools/ipa-compat-manage.in
@@ -26,6 +26,7 @@ from ipaplatform.paths import paths
try:
from optparse import OptionParser # pylint: disable=deprecated-module
from ipapython import ipautil, config
+ from ipapython.ipaldap import realm_to_serverid
from ipaserver.install import installutils
from ipaserver.install.ldapupdate import LDAPUpdate
from ipalib import api, errors
@@ -150,9 +151,19 @@ def main():
try:
entry = get_entry(nis_config_dn)
# We can't disable schema compat if the NIS plugin is enabled
- if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
- print("The NIS plugin is configured, cannot disable compatibility.", file=sys.stderr)
- print("Run 'ipa-nis-manage disable' first.", file=sys.stderr)
+ if (
+ entry is not None
+ and entry.get("nsslapd-pluginenabled", [""])[0].lower() == "on"
+ ):
+ instance = realm_to_serverid(api.env.realm)
+ print(
+ "The NIS plugin is configured, cannot "
+ "disable compatibility.", file=sys.stderr,
+ )
+ print(
+ f"Run \"dsconf {instance} plugin set --enabled off "
+ "'NIS Server'\" first.", file=sys.stderr,
+ )
retval = 2
except errors.ExecutionError as lde:
print("An error occurred while talking to the server.")
diff --git a/install/tools/ipa-nis-manage.in b/install/tools/ipa-nis-manage.in
deleted file mode 100644
index 6b156ce6a..000000000
--- a/install/tools/ipa-nis-manage.in
+++ /dev/null
@@ -1,205 +0,0 @@
-#!/usr/bin/python3
-# Authors: Rob Crittenden <rcritten@redhat.com>
-# Authors: Simo Sorce <ssorce@redhat.com>
-#
-# Copyright (C) 2009 Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-from __future__ import print_function
-
-import sys
-import os
-from ipaplatform.paths import paths
-try:
- from optparse import OptionParser # pylint: disable=deprecated-module
- from ipapython import ipautil, config
- from ipaserver.install import installutils
- from ipaserver.install.ldapupdate import LDAPUpdate
- from ipalib import api, errors
- from ipapython.ipa_log_manager import standard_logging_setup
- from ipapython.dn import DN
- from ipaplatform import services
-except ImportError as e:
- print("""\
-There was a problem importing one of the required Python modules. The
-error was:
-
- %s
-""" % e, file=sys.stderr)
- sys.exit(1)
-
-nis_config_dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config'))
-compat_dn = DN(('cn', 'Schema Compatibility'), ('cn', 'plugins'), ('cn', 'config'))
-
-def parse_options():
- usage = "%prog [options] <enable|disable|status>\n"
- usage += "%prog [options]\n"
- parser = OptionParser(usage=usage, formatter=config.IPAFormatter())
-
- parser.add_option("-d", "--debug", action="store_true", dest="debug",
- help="Display debugging information about the update(s)")
- parser.add_option("-y", dest="password",
- help="File containing the Directory Manager password")
-
- config.add_standard_options(parser)
- options, args = parser.parse_args()
-
- return options, args
-
-def get_dirman_password():
- """Prompt the user for the Directory Manager password and verify its
- correctness.
- """
- password = installutils.read_password("Directory Manager", confirm=False, validate=False, retry=False)
-
- return password
-
-def get_entry(dn):
- """
- Return the entry for the given DN. If the entry is not found return
- None.
- """
- entry = None
- try:
- entry = api.Backend.ldap2.get_entry(dn)
- except errors.NotFound:
- pass
- return entry
-
-def main():
- retval = 0
- files = [paths.NIS_ULDIF]
- servicemsg = ""
-
- if os.getegid() != 0:
- sys.exit('Must be root to use this tool.')
-
- installutils.check_server_configuration()
-
- options, args = parse_options()
-
- if len(args) != 1:
- sys.exit("You must specify one action: enable | disable | status")
- elif args[0] not in {"enable", "disable", "status"}:
- sys.exit("Unrecognized action [" + args[0] + "]")
-
- standard_logging_setup(None, debug=options.debug)
- dirman_password = ""
- if options.password:
- try:
- pw = ipautil.template_file(options.password, [])
- except IOError:
- sys.exit("File \"%s\" not found or not readable" % options.password)
- dirman_password = pw.strip()
- else:
- dirman_password = get_dirman_password()
- if dirman_password is None:
- sys.exit("Directory Manager password required")
-
- if not dirman_password:
- sys.exit("No password supplied")
-
- api.bootstrap(
- context='cli', confdir=paths.ETC_IPA,
- debug=options.debug, in_server=True)
- api.finalize()
- api.Backend.ldap2.connect(bind_pw=dirman_password)
-
- if args[0] == "enable":
- compat = get_entry(compat_dn)
- if compat is None or compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':
- sys.exit("The compat plugin needs to be enabled: ipa-compat-manage enable")
- entry = None
- try:
- entry = get_entry(nis_config_dn)
- except errors.ExecutionError as lde:
- print("An error occurred while talking to the server.")
- print(lde)
- retval = 1
-
- # Enable either the portmap or rpcbind service
- portmap = services.knownservices.portmap
- rpcbind = services.knownservices.rpcbind
-
- if portmap.is_installed():
- portmap.enable()
- servicemsg = portmap.service_name
- elif rpcbind.is_installed():
- rpcbind.enable()
- servicemsg = rpcbind.service_name
- else:
- print("Unable to enable either %s or %s" % (portmap.service_name, rpcbind.service_name))
- retval = 3
-
- # The cn=config entry for the plugin may already exist but it
- # could be turned off, handle both cases.
- if entry is None:
- print("Enabling plugin")
- ld = LDAPUpdate()
- if ld.update(files) != True:
- retval = 1
- elif entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':
- print("Enabling plugin")
- # Already configured, just enable the plugin
- entry['nsslapd-pluginenabled'] = ['on']
- api.Backend.ldap2.update_entry(entry)
- else:
- print("Plugin already Enabled")
- retval = 2
-
- elif args[0] == "disable":
- try:
- entry = api.Backend.ldap2.get_entry(nis_config_dn, ['nsslapd-pluginenabled'])
- entry['nsslapd-pluginenabled'] = ['off']
- api.Backend.ldap2.update_entry(entry)
- except (errors.NotFound, errors.EmptyModlist):
- print("Plugin is already disabled")
- retval = 2
- except errors.LDAPError as lde:
- print("An error occurred while talking to the server.")
- print(lde)
- retval = 1
-
- elif args[0] == "status":
- nis_entry = get_entry(nis_config_dn)
- enabled = (nis_entry and
- nis_entry.get(
- 'nsslapd-pluginenabled', '')[0].lower() == "on")
- if enabled:
- print("Plugin is enabled")
- retval = 0
- else:
- print("Plugin is not enabled")
- retval = 4
-
- else:
- retval = 1
-
- if retval == 0:
- if args[0] in {"enable", "disable"}:
- print("This setting will not take effect until you restart "
- "Directory Server.")
-
- if args[0] == "enable":
- print("The %s service may need to be started." % servicemsg)
-
- api.Backend.ldap2.disconnect()
-
- return retval
-
-if __name__ == '__main__':
- installutils.run_script(main, operation_name='ipa-nis-manage')
diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am
index 34f359863..282407602 100644
--- a/install/tools/man/Makefile.am
+++ b/install/tools/man/Makefile.am
@@ -18,7 +18,6 @@ dist_man1_MANS = \
ipa-kra-install.1 \
ipa-ldap-updater.1 \
ipa-compat-manage.1 \
- ipa-nis-manage.1 \
ipa-managed-entries.1 \
ipa-backup.1 \
ipa-restore.1 \
diff --git a/install/tools/man/ipa-nis-manage.1 b/install/tools/man/ipa-nis-manage.1
deleted file mode 100644
index 1107b7790..000000000
--- a/install/tools/man/ipa-nis-manage.1
+++ /dev/null
@@ -1,51 +0,0 @@
-.\" A man page for ipa-nis-manage
-.\" Copyright (C) 2009 Red Hat, Inc.
-.\"
-.\" This program is free software; you can redistribute it and/or modify
-.\" it under the terms of the GNU General Public License as published by
-.\" the Free Software Foundation, either version 3 of the License, or
-.\" (at your option) any later version.
-.\"
-.\" This program is distributed in the hope that it will be useful, but
-.\" WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-.\" General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU General Public License
-.\" along with this program. If not, see <http://www.gnu.org/licenses/>.
-.\"
-.\" Author: Rob Crittenden <rcritten@redhat.com>
-.\"
-.TH "ipa-nis-manage" "1" "April 25 2016" "IPA" "IPA Manual Pages"
-.SH "NAME"
-ipa\-nis\-manage \- Enables or disables the NIS listener plugin
-.SH "SYNOPSIS"
-ipa\-nis\-manage [options] <enable|disable|status>
-.SH "DESCRIPTION"
-Run the command with the \fBenable\fR option to enable the NIS plugin.
-
-Run the command with the \fBdisable\fR option to disable the NIS plugin.
-
-Run the command with the \fBstatus\fR option to read status of the NIS plugin. Return code 0 indicates enabled plugin, return code 4 indicates disabled plugin.
-
-In all cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used.
-
-Directory Server will need to be restarted after the NIS listener plugin has been enabled.
-
-.SH "OPTIONS"
-.TP
-\fB\-d\fR, \fB\-\-debug\fR
-Enable debug logging when more verbose output is needed
-.TP
-\fB\-y\fR \fIfile\fR
-File containing the Directory Manager password
-.SH "EXIT STATUS"
-0 if the command was successful
-
-1 if an error occurred
-
-2 if the plugin is already in the required status (enabled or disabled)
-
-3 if RPC services cannot be enabled.
-
-4 if status command detected plugin in disabled state.
diff --git a/install/updates/10-enable-betxn.update b/install/updates/10-enable-betxn.update
index 1f89341c7..9525292cb 100644
--- a/install/updates/10-enable-betxn.update
+++ b/install/updates/10-enable-betxn.update
@@ -44,6 +44,3 @@ only: nsslapd-pluginbetxn: on
dn: cn=Schema Compatibility, cn=plugins, cn=config
onlyifexist: nsslapd-pluginbetxn: on
-
-dn: cn=NIS Server, cn=plugins, cn=config
-onlyifexist: nsslapd-pluginbetxn: on
diff --git a/install/updates/50-nis.update b/install/updates/50-nis.update
deleted file mode 100644
index 05a166f00..000000000
--- a/install/updates/50-nis.update
+++ /dev/null
@@ -1,3 +0,0 @@
-# Updates are applied only if NIS plugin has been configured
-# update definitions are located in install/share/nis-update.uldif
-plugin: update_nis_configuration
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index fd96831d8..cce2670a6 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -52,7 +52,6 @@ app_DATA = \
50-groupuuid.update \
50-hbacservice.update \
50-krbenctypes.update \
- 50-nis.update \
50-ipaconfig.update \
55-pbacmemberof.update \
59-trusts-sysacount.update \
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index b339d2202..aed293845 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -295,8 +295,6 @@ class BasePathNamespace:
KRB_CON = "/usr/share/ipa/html/krb.con"
HTML_KRB5_INI = "/usr/share/ipa/html/krb5.ini"
HTML_KRBREALM_CON = "/usr/share/ipa/html/krbrealm.con"
- NIS_ULDIF = "/usr/share/ipa/nis.uldif"
- NIS_UPDATE_ULDIF = "/usr/share/ipa/nis-update.uldif"
SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/updates/91-schema_compat.update"
SCHEMA_COMPAT_POST_ULDIF = "/usr/share/ipa/schema_compat_post.uldif"
IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index e21937401..a889143ec 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -31,7 +31,7 @@ from ipapython.ipa_log_manager import standard_logging_setup
from ipaserver.install.ipa_migrate_constants import (
DS_CONFIG, DB_OBJECTS, DS_INDEXES, BIND_DN, LOG_FILE_NAME,
STRIP_OP_ATTRS, STRIP_ATTRS, STRIP_OC, PROD_ATTRS,
- DNA_REGEN_VAL, DNA_REGEN_ATTRS, NIS_PLUGIN, IGNORE_ATTRS,
+ DNA_REGEN_VAL, DNA_REGEN_ATTRS, IGNORE_ATTRS,
DB_EXCLUDE_TREES
)
@@ -718,8 +718,7 @@ class IPAMigrate():
self.log_info(title)
self.log_info('-' * (len(title) - 1))
logged_something = self.log_stats(DS_CONFIG)
- if self.args.verbose or NIS_PLUGIN['count'] > 0:
- self.log_info(f" - NIS Server Plugin: {NIS_PLUGIN['count']}")
+ if self.args.verbose:
logged_something = True
if not self.log_stats(DS_INDEXES) and not logged_something:
self.log_info(" - No updates")
@@ -1847,28 +1846,6 @@ class IPAMigrate():
add_missing=True)
stats['config_processed'] += 1
- # Slapi NIS Plugin
- if DN(NIS_PLUGIN['dn']) == DN(entry['dn']):
- # Parent plugin entry
- self.process_config_entry(
- entry['dn'], entry['attrs'], NIS_PLUGIN,
- add_missing=True)
- stats['config_processed'] += 1
- elif DN(NIS_PLUGIN['dn']) in DN(entry['dn']):
- # Child NIS plugin entry
- nis_dn = entry['dn']
- lc_remote_realm = self.remote_realm.lower()
- lc_realm = self.realm.lower()
- nis_dn = nis_dn.replace(lc_remote_realm, lc_realm)
- if 'nis-domain' in entry['attrs']:
- value = entry['attrs']['nis-domain'][0]
- value = value.replace(lc_remote_realm, lc_realm)
- entry['attrs']['nis-domain'][0] = value
- # Process the entry
- self.process_config_entry(nis_dn, entry['attrs'], NIS_PLUGIN,
- add_missing=True)
- stats['config_processed'] += 1
-
#
# Migration
#
diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py
index 0e26c7549..e0e504741 100644
--- a/ipaserver/install/ipa_migrate_constants.py
+++ b/ipaserver/install/ipa_migrate_constants.py
@@ -502,30 +502,6 @@ DS_CONFIG = {
},
}
-#
-# Slpai NIS is an optional plugin. It requires special handling
-#
-NIS_PLUGIN = {
- 'dn': 'cn=NIS Server,cn=plugins,cn=config',
- 'attrs': [
- 'nis-domain',
- 'nis-base',
- 'nis-map',
- 'nis-filter',
- 'nis-key-format:',
- 'nis-values-format:',
- 'nis-secure',
- 'nis-disallowed-chars',
- # Parent plugin entry
- 'nsslapd-pluginarg0',
- 'nsslapd-pluginenabled'
- ],
- 'multivalued': [],
- 'label': 'NIS Server Plugin',
- 'mode': 'all',
- 'count': 0,
-}
-
#
# This mapping is simliar to above but it handles container entries
# This could be built into the above mapping using the "comma" approach
diff --git a/ipaserver/install/plugins/update_nis.py b/ipaserver/install/plugins/update_nis.py
deleted file mode 100644
index c02eb5f83..000000000
--- a/ipaserver/install/plugins/update_nis.py
+++ /dev/null
@@ -1,92 +0,0 @@
-#
-# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
-#
-
-from __future__ import absolute_import
-
-import logging
-
-from ipalib.plugable import Registry
-from ipalib import errors
-from ipalib import Updater
-from ipaplatform.paths import paths
-from ipapython.dn import DN
-from ipaserver.install import sysupgrade
-from ipaserver.install.ldapupdate import LDAPUpdate
-
-logger = logging.getLogger(__name__)
-
-register = Registry()
-
-
-@register()
-class update_nis_configuration(Updater):
- """Update NIS configuration
-
- NIS configuration can be updated only if NIS Server was configured via
- ipa-nis-manage command.
- """
-
- def __recover_from_missing_maps(self, ldap):
- # https://fedorahosted.org/freeipa/ticket/5507
- # if all following DNs are missing, but 'NIS Server' container exists
- # we are experiencig bug and maps should be fixed
-
- if sysupgrade.get_upgrade_state('nis',
- 'done_recover_from_missing_maps'):
- # this recover must be done only once, a user may deleted some
- # maps, we do not want to restore them again
- return
-
- logger.debug("Recovering from missing NIS maps bug")
-
- suffix = "cn=NIS Server,cn=plugins,cn=config"
- domain = self.api.env.domain
- missing_dn_list = [
- DN(nis_map.format(domain=domain, suffix=suffix)) for nis_map in [
- "nis-domain={domain}+nis-map=passwd.byname,{suffix}",
- "nis-domain={domain}+nis-map=passwd.byuid,{suffix}",
- "nis-domain={domain}+nis-map=group.byname,{suffix}",
- "nis-domain={domain}+nis-map=group.bygid,{suffix}",
- "nis-domain={domain}+nis-map=netid.byname,{suffix}",
- "nis-domain={domain}+nis-map=netgroup,{suffix}",
- ]
- ]
-
- for dn in missing_dn_list:
- try:
- ldap.get_entry(dn, attrs_list=['cn'])
- except errors.NotFound:
- pass
- else:
- # bug is not effective, at least one of 'possible missing'
- # maps was detected
- return
-
- sysupgrade.set_upgrade_state('nis', 'done_recover_from_missing_maps',
- True)
-
- # bug is effective run update to recreate missing maps
- ld = LDAPUpdate(api=self.api)
- ld.update([paths.NIS_ULDIF])
-
- def execute(self, **options):
- ldap = self.api.Backend.ldap2
- dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config'))
- try:
- ldap.get_entry(dn, attrs_list=['cn'])
- except errors.NotFound:
- # NIS is not configured on system, do not execute update
- logger.debug("Skipping NIS update, NIS Server is not configured")
-
- # container does not exist, bug #5507 is not effective
- sysupgrade.set_upgrade_state(
- 'nis', 'done_recover_from_missing_maps', True)
- else:
- self.__recover_from_missing_maps(ldap)
-
- logger.debug("Executing NIS Server update")
- ld = LDAPUpdate(api=self.api)
- ld.update([paths.NIS_UPDATE_ULDIF])
-
- return False, ()
diff --git a/ipatests/test_cmdline/test_cli.py b/ipatests/test_cmdline/test_cli.py
index ae0d059ce..718798d68 100644
--- a/ipatests/test_cmdline/test_cli.py
+++ b/ipatests/test_cmdline/test_cli.py
@@ -385,7 +385,6 @@ IPA_CLIENT_NOT_CONFIGURED = b'IPA client is not configured on this system'
'/usr/share/ipa/updates/05-pre_upgrade_plugins.update'],
2, None, IPA_NOT_CONFIGURED),
(['ipa-managed-entries'], 2, None, IPA_NOT_CONFIGURED),
- (['ipa-nis-manage'], 2, None, IPA_NOT_CONFIGURED),
(['ipa-pkinit-manage'], 2, None, IPA_NOT_CONFIGURED),
(['ipa-replica-manage', 'list'], 1, IPA_NOT_CONFIGURED, None),
(['ipa-server-certinstall'], 2, None, IPA_NOT_CONFIGURED),
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index fd34defe5..e00b0f3bb 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1269,93 +1269,6 @@ class TestIPACommand(IntegrationTest):
serverid = realm_to_serverid(self.master.domain.realm)
return ("dirsrv@%s.service" % serverid)
- def test_ipa_nis_manage_enable(self):
- """
- This testcase checks if ipa-nis-manage enable
- command enables plugin on an IPA master
- """
- dirsrv_service = self.get_dirsrv_id()
- console_msg = (
- "Enabling plugin\n"
- "This setting will not take effect until "
- "you restart Directory Server.\n"
- "The rpcbind service may need to be started"
- )
- status_msg = "Plugin is enabled"
- tasks.kinit_admin(self.master)
- result = self.master.run_command(
- ["ipa-nis-manage", "enable"],
- stdin_text=self.master.config.admin_password,
- )
- assert console_msg in result.stdout_text
- # verify using backend
- conn = self.master.ldap_connect()
- dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config'))
- entry = conn.get_entry(dn)
- nispluginstring = entry.get('nsslapd-pluginEnabled')
- assert 'on' in nispluginstring
- # restart for changes to take effect
- self.master.run_command(["systemctl", "restart", dirsrv_service])
- self.master.run_command(["systemctl", "restart", "rpcbind"])
- time.sleep(DIRSRV_SLEEP)
- # check status msg on the console
- result = self.master.run_command(
- ["ipa-nis-manage", "status"],
- stdin_text=self.master.config.admin_password,
- )
- assert status_msg in result.stdout_text
-
- def test_ipa_nis_manage_disable(self):
- """
- This testcase checks if ipa-nis-manage disable
- command disable plugin on an IPA Master
- """
- dirsrv_service = self.get_dirsrv_id()
- msg = (
- "This setting will not take effect "
- "until you restart Directory Server."
- )
- status_msg = "Plugin is not enabled"
- tasks.kinit_admin(self.master)
- result = self.master.run_command(
- ["ipa-nis-manage", "disable"],
- stdin_text=self.master.config.admin_password,
- )
- assert msg in result.stdout_text
- # verify using backend
- conn = self.master.ldap_connect()
- dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config'))
- entry = conn.get_entry(dn)
- nispluginstring = entry.get('nsslapd-pluginEnabled')
- assert 'off' in nispluginstring
- # restart dirsrv for changes to take effect
- self.master.run_command(["systemctl", "restart", dirsrv_service])
- time.sleep(DIRSRV_SLEEP)
- # check status msg on the console
- result = self.master.run_command(
- ["ipa-nis-manage", "status"],
- stdin_text=self.master.config.admin_password,
- raiseonerr=False,
- )
- assert result.returncode == 4
- assert status_msg in result.stdout_text
-
- def test_ipa_nis_manage_enable_incorrect_password(self):
- """
- This testcase checks if ipa-nis-manage enable
- command throws error on console for invalid DS admin password
- """
- msg1 = "Insufficient access: "
- msg2 = "Invalid credentials"
- result = self.master.run_command(
- ["ipa-nis-manage", "enable"],
- stdin_text='Invalid_pwd',
- raiseonerr=False,
- )
- assert result.returncode == 1
- assert msg1 in result.stderr_text
- assert msg2 in result.stderr_text
-
def test_pkispawn_log_is_present(self):
"""
This testcase checks if pkispawn logged properly.
--
2.45.2


@ -1,35 +0,0 @@
From 9de053ef02db8cb63e14edc64ac22ec2d3d7bbc9 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 17 Jun 2024 17:01:33 +0200
Subject: [PATCH] ipa-otptoken-import: open the key file in binary mode
ipa-otptoken-import provides an option (-k KEYFILE) to import
an encrypted PSKC file but this option does not work with python3
in RHEL8 and above, because the key should be passed in binary
format to the cryptography functions instead of string format.
Open the keyfile in binary mode to pass the expected format.
Fixes: https://pagure.io/freeipa/issue/9609
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/ipa_otptoken_import.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
index dbaeacdf6885d3238f2d0294e24a5adad5a5c38d..d3f3d3cfa84e4a4bf57383e0ba543f4543e25c92 100644
--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
@@ -539,7 +539,7 @@ class OTPTokenImport(admintool.AdminTool):
# Load the keyfile.
keyfile = self.safe_options.keyfile
- with open(keyfile) as f:
+ with open(keyfile, "rb") as f:
self.doc.setKey(f.read())
def run(self):
--
2.45.2


@ -1,39 +0,0 @@
From 09e66dc936cf2d99bcc44d60d6851aafa9ede46a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 19 Jun 2024 15:38:36 +0200
Subject: [PATCH] spec file: do not create /etc/ssh/ssh_config.orig if
unchanged
The upgrade removes the line
HostKeyAlgorithms ssh-rsa,ssh-dss
if present in /etc/ssh/ssh_config and creates a backup in
/etc/ssh/ssh_config.orig, even if no change was applied.
Create the backup file only if the file was changed.
Fixes: https://pagure.io/freeipa/issue/9610
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
freeipa.spec.in | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6803de752bc122bf6e1eafd610d399cde994cad5..1e1a0c04728972c6c53beb47dafb25d7898ab0ea 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1320,7 +1320,9 @@ if [ $1 -gt 1 ] ; then
chmod 0600 /var/log/ipaupgrade.log
SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config"
if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then
- sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
+ if grep -E -q '^HostKeyAlgorithms ssh-rsa,ssh-dss' $SSH_CLIENT_SYSTEM_CONF 2>/dev/null; then
+ sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
+ fi
# https://pagure.io/freeipa/issue/9536
# replace sss_ssh_knownhostsproxy with sss_ssh_knownhosts
if [ -f '/usr/bin/sss_ssh_knownhosts' ]; then
--
2.45.2


@ -1,69 +0,0 @@
From 4d51446bd3cd9ab222f9978f8f5def1f3a37fa0e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 20 Jun 2024 08:13:27 +0200
Subject: [PATCH] ipatests: add test for ticket 9610
Test scenario:
- ensure there is no /etc/ssh/ssh_config.orig file
- force ipa-client package reinstallation
- ensure no backup file is created in /etc/ssh/ssh_config.orig
Related: https://pagure.io/freeipa/issue/9610
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
ipatests/pytest_ipa/integration/tasks.py | 15 +++++++++++++++
ipatests/test_integration/test_upgrade.py | 14 ++++++++++++++
2 files changed, 29 insertions(+)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 6665f361e0880a149ecca8c6f7c3fe1feb1f42d0..9d6b5f67a311a28c335801d59e0ff0f0c7faccdd 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -2550,6 +2550,21 @@ def install_packages(host, pkgs):
host.run_command(install_cmd + pkgs)
+def reinstall_packages(host, pkgs):
+ """Install packages on a remote host.
+ :param host: the host where the installation takes place
+ :param pkgs: packages to install, provided as a list of strings
+ """
+ platform = get_platform(host)
+ if platform in {'rhel', 'fedora'}:
+ install_cmd = ['/usr/bin/dnf', 'reinstall', '-y']
+ elif platform in {'debian', 'ubuntu'}:
+ install_cmd = ['apt-get', '--reinstall', 'install', '-y']
+ else:
+ raise ValueError('install_packages: unknown platform %s' % platform)
+ host.run_command(install_cmd + pkgs)
+
+
def download_packages(host, pkgs):
"""Download packages on a remote host.
:param host: the host where the download takes place
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
index 182e3b5da3c758cc10913ad4eed119b0983fcc23..011de939e92790734d63da2f85be1c25349116a8 100644
--- a/ipatests/test_integration/test_upgrade.py
+++ b/ipatests/test_integration/test_upgrade.py
@@ -477,3 +477,17 @@ class TestUpgrade(IntegrationTest):
self.master.run_command(['ipa-server-upgrade'])
assert self.master.transport.file_exists(
paths.SYSTEMD_PKI_TOMCAT_IPA_CONF)
+
+ def test_ssh_config(self):
+ """Test that pkg upgrade does not create /etc/ssh/ssh_config.orig
+
+ Test for ticket 9610
+ The upgrade of ipa-client package should not create a backup file
+ /etc/ssh/ssh_config.orig if no change is applied.
+ """
+ # Ensure there is no backup file before the test
+ self.master.run_command(["rm", "-f", paths.SSH_CONFIG + ".orig"])
+ # Force client package reinstallation to trigger %post scriptlet
+ tasks.reinstall_packages(self.master, ['*ipa-client'])
+ assert not self.master.transport.file_exists(
+ paths.SSH_CONFIG + ".orig")
--
2.45.2


@ -1,41 +0,0 @@
From c8e3fdeb0015f9c52c64816d6cd39279c5d3ad5a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 20 Jun 2024 08:36:04 +0200
Subject: [PATCH] PKINIT certificate: fix renewal on hidden replica
The renewal of PKINIT cert on hidden replica is failing because
of a test ensuring that the KDC service is either enabled or
configured. The test needs to be extended and allow hidden, too.
Fixes: https://pagure.io/freeipa/issue/9611
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/plugins/cert.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index df415c375189a54ceb0a00670f9c15e2f154a94e..6249c6d6f24acdca4fc3e9dd989f58344192b567 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -55,7 +55,7 @@ from ipapython.dn import DN
from ipapython.ipautil import datetime_from_utctimestamp
from ipaserver.plugins.service import normalize_principal, validate_realm
from ipaserver.masters import (
- ENABLED_SERVICE, CONFIGURED_SERVICE, is_service_enabled
+ ENABLED_SERVICE, CONFIGURED_SERVICE, HIDDEN_SERVICE, is_service_enabled
)
try:
@@ -300,7 +300,7 @@ def caacl_check(principal, ca, profile_id):
def ca_kdc_check(api_instance, hostname):
master_dn = api_instance.Object.server.get_dn(unicode(hostname))
kdc_dn = DN(('cn', 'KDC'), master_dn)
- wanted = {ENABLED_SERVICE, CONFIGURED_SERVICE}
+ wanted = {ENABLED_SERVICE, CONFIGURED_SERVICE, HIDDEN_SERVICE}
try:
kdc_entry = api_instance.Backend.ldap2.get_entry(
kdc_dn, ['ipaConfigString'])
--
2.45.2


@ -1,54 +0,0 @@
From 467ec04f93a29fd31ba037cef348c09547541fe7 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 24 Jun 2024 09:18:54 +0200
Subject: [PATCH] ipatests: add test for PKINIT renewal on hidden replica
Test scenario: on a hidden replica, force the renewal of
PKINIT cert by calling getcert resubmit.
Related: https://pagure.io/freeipa/issue/9611
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../test_integration/test_replica_promotion.py | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index b71f2d5d7e1517ab73d79b62477a3377839b0b7a..7ef44c571c8a4106577d27f4712f661be873dacc 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -26,6 +26,7 @@ from ipalib.constants import (
)
from ipaplatform.paths import paths
from ipapython import certdb
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
from ipatests.test_integration.test_dns_locations import (
resolve_records_from_server, IPA_DEFAULT_MASTER_SRV_REC
)
@@ -1241,6 +1242,23 @@ class TestHiddenReplicaPromotion(IntegrationTest):
'ipa-crlgen-manage', 'status'])
assert "CRL generation: enabled" in result.stdout_text
+ def test_hidden_replica_renew_pkinit_cert(self):
+ """Renew the PKINIT cert on a hidden replica.
+
+ Test for https://pagure.io/freeipa/issue/9611
+ """
+ # Get Request ID
+ cmd = ['getcert', 'list', '-f', paths.KDC_CERT]
+ result = self.replicas[0].run_command(cmd)
+ req_id = get_certmonger_fs_id(result.stdout_text)
+
+ self.replicas[0].run_command([
+ 'getcert', 'resubmit', '-f', paths.KDC_CERT
+ ])
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
+ )
+
class TestHiddenReplicaKRA(IntegrationTest):
"""Test KRA & hidden replica features.
--
2.45.2


@ -1,917 +0,0 @@
From 90b22ff888cc55132c78024d08ffcf0ce8021cea Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Tue, 25 Jun 2024 11:00:28 +0530
Subject: [PATCH] ipatests: Tests for ipa-ipa migration tool
This patch includes tests for ipa-ipa migration
tool
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mark Reynolds <mreynolds@redhat.com>
---
ipaplatform/base/paths.py | 1 +
.../test_ipa_ipa_migration.py | 879 ++++++++++++++++++
2 files changed, 880 insertions(+)
create mode 100644 ipatests/test_integration/test_ipa_ipa_migration.py
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 2b0fc6b5aa954a1018f602605eb0cdcebcee0592..b339d2202f440e0277d50073060f4a3b55e312fe 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -425,6 +425,7 @@ class BasePathNamespace:
IPA_CUSTODIA_HANDLER = "/usr/libexec/ipa/custodia"
IPA_CUSTODIA_CHECK = "/usr/libexec/ipa/ipa-custodia-check"
IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
+ IPA_MIGRATE_LOG = '/var/log/ipa-migrate.log'
EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
KRB5CC_HTTPD = '/tmp/krb5cc-httpd'
diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
new file mode 100644
index 0000000000000000000000000000000000000000..7e2d4a34216f6cf168f15dda10ce10538a3c3cb9
--- /dev/null
+++ b/ipatests/test_integration/test_ipa_ipa_migration.py
@@ -0,0 +1,879 @@
+# Copyright (C) 2020 FreeIPA Contributors see COPYING for license
+#
+
+"""
+Tests to verify ipa-migrate tool.
+"""
+
+from __future__ import absolute_import
+from ipatests.test_integration.base import IntegrationTest
+from ipatests.pytest_ipa.integration import tasks
+from ipaplatform.paths import paths
+
+import pytest
+import textwrap
+
+
+def prepare_ipa_server(master):
+ """
+ Setup remote IPA server environment
+ """
+ # Setup IPA users
+ for i in range(1, 5):
+ master.run_command(
+ [
+ "ipa",
+ "user-add",
+ "testuser%d" % i,
+ "--first",
+ "Test",
+ "--last",
+ "User%d" % i,
+ ]
+ )
+
+ # Setup IPA group
+ master.run_command(["ipa", "group-add", "testgroup"])
+
+ # Add respective members to each group
+ master.run_command(
+ ["ipa", "group-add-member", "testgroup", "--users=testuser1"]
+ )
+
+ # Adding stage user
+ master.run_command(
+ [
+ "ipa",
+ "stageuser-add",
+ "--first=Tim",
+ "--last=User",
+ "--password",
+ "tuser1",
+ ]
+ )
+
+ # Add Custom idrange
+ master.run_command(
+ [
+ "ipa",
+ "idrange-add",
+ "testrange",
+ "--base-id=10000",
+ "--range-size=10000",
+ "--rid-base=300000",
+ "--secondary-rid-base=400000",
+ ]
+ )
+
+ # Add Automount locations and maps
+ master.run_command(["ipa", "automountlocation-add", "baltimore"])
+ master.run_command(["ipa", "automountmap-add", "baltimore", "auto.share"])
+ master.run_command(
+ [
+ "ipa",
+ "automountmap-add-indirect",
+ "baltimore",
+ "--parentmap=auto.share",
+ "--mount=sub auto.man",
+ ]
+ )
+ master.run_command(
+ [
+ "ipa",
+ "automountkey-add",
+ "baltimore",
+ "auto.master",
+ "--key=/share",
+ "--info=auto.share",
+ ]
+ )
+
+ # Run ipa-adtrust-install
+ master.run_command(["dnf", "install", "-y", "ipa-server-trust-ad"])
+ master.run_command(
+ [
+ "ipa-adtrust-install",
+ "-a",
+ master.config.admin_password,
+ "--add-sids",
+ "-U",
+ ]
+ )
+
+ # Generate subids for users
+ master.run_command(["ipa", "subid-generate", "--owner=testuser1"])
+ master.run_command(["ipa", "subid-generate", "--owner=admin"])
+
+ # Add Sudo rules
+ master.run_command(["ipa", "sudorule-add", "readfiles"])
+ master.run_command(["ipa", "sudocmd-add", "/usr/bin/less"])
+ master.run_command(
+ [
+ "ipa",
+ "sudorule-add-allow-command",
+ "readfiles",
+ "--sudocmds",
+ "/usr/bin/less",
+ ]
+ )
+ master.run_command(
+ [
+ "ipa",
+ "sudorule-add-host",
+ "readfiles",
+ "--hosts",
+ "server.example.com",
+ ]
+ )
+ master.run_command(
+ ["ipa", "sudorule-add-user", "readfiles", "--users", "testuser1"]
+ )
+
+ # Add Custom CA
+ master.run_command(
+ [
+ "ipa",
+ "ca-add",
+ "puppet",
+ "--desc",
+ '"Puppet"',
+ "--subject",
+ "CN=Puppet CA,O=TESTRELM.TEST",
+ ]
+ )
+
+ # Add ipa roles and add privileges to the role
+ master.run_command(
+ ["ipa", "role-add", "--desc=Junior-level admin", "junioradmin"]
+ )
+ master.run_command(
+ [
+ "ipa",
+ "role-add-privilege",
+ "--privileges=User Administrators",
+ "junioradmin",
+ ]
+ )
+
+ # Add permission
+ master.run_command(
+ [
+ "ipa",
+ "permission-add",
+ "--type=user",
+ "--permissions=add",
+ "Add Users",
+ ]
+ )
+
+ # Add otp token for testuser1
+ master.run_command(
+ [
+ "ipa",
+ "otptoken-add",
+ "--type=totp",
+ "--owner=testuser1",
+ '--desc="My soft token',
+ ]
+ )
+
+ # Add a netgroup and user to the netgroup
+ master.run_command(
+ ["ipa", "netgroup-add", '--desc="NFS admins"', "admins"]
+ )
+ master.run_command(
+ ["ipa", "netgroup-add-member", "--users=testuser2", "admins"]
+ )
+
+ # Set krbpolicy policy
+ master.run_command(
+ ["ipa", "krbtpolicy-mod", "--maxlife=99999", "--maxrenew=99999"]
+ )
+ master.run_command(["ipa", "krbtpolicy-mod", "admin", "--maxlife=9600"])
+
+ # Add IPA location
+ master.run_command(
+ ["ipa", "location-add", "location", "--description", "My location"]
+ )
+
+ # Add idviews and overrides
+ master.run_command(["ipa", "idview-add", "idview1"])
+ master.run_command(["ipa", "idoverrideuser-add", "idview1", "testuser1"])
+ master.run_command(
+ [
+ "ipa",
+ "idoverrideuser-mod",
+ "idview1",
+ "testuser1",
+ "--shell=/bin/sh",
+ ]
+ )
+
+ # Add DNSzone
+ master.run_command(
+ [
+ "ipa",
+ "dnszone-add",
+ "example.test",
+ "--admin-email=admin@example.test",
+ ]
+ )
+ master.run_command(
+ ["ipa", "dnszone-mod", "example.test", "--dynamic-update=TRUE"]
+ )
+
+ # Add hbac rule
+ master.run_command(["ipa", "hbacrule-add", "--usercat=all", "test1"])
+ master.run_command(
+ ["ipa", "hbacrule-add", "--hostcat=all", "testuser_sshd"]
+ )
+ master.run_command(
+ ["ipa", "hbacrule-add-user", "--users=testuser1", "testuser_sshd"]
+ )
+ master.run_command(
+ ["ipa", "hbacrule-add-service", "--hbacsvcs=sshd", "testuser_sshd"]
+ )
+
+ # Vault addition
+ master.run_command(
+ [
+ "ipa",
+ "vault-add",
+ "--password",
+ "vault1234",
+ "--type",
+ "symmetric",
+ ]
+ )
+
+ # Add Selinuxusermap
+ master.run_command(
+ [
+ "ipa",
+ "selinuxusermap-add",
+ "--usercat=all",
+ "--selinuxuser=xguest_u:s0",
+ "test1",
+ ]
+ )
+
+ # Modify passkeyconfig
+ master.run_command(
+ ["ipa", "passkeyconfig-mod", "--require-user-verification=FALSE"]
+ )
+
+
+def run_migrate(
+ host, mode, remote_host, bind_dn=None, bind_pwd=None, extra_args=None
+):
+ """
+ ipa-migrate tool command
+ """
+ cmd = ["ipa-migrate"]
+ if mode:
+ cmd.append(mode)
+ if remote_host:
+ cmd.append(remote_host)
+ if bind_dn:
+ cmd.append("-D")
+ cmd.append(bind_dn)
+ if bind_pwd:
+ cmd.append("-w")
+ cmd.append(bind_pwd)
+ if extra_args:
+ for arg in extra_args:
+ cmd.append(arg)
+ result = host.run_command(cmd, raiseonerr=False)
+ return result
+
+
+class TestIPAMigrateScenario1(IntegrationTest):
+ """
+ Tier-1 tests for ipa-migrate tool with DNS enabled on
+ local and remote server
+ """
+
+ num_replicas = 1
+ num_clients = 1
+ topology = "line"
+
+ @classmethod
+ def install(cls, mh):
+ tasks.install_master(cls.master, setup_dns=True, setup_kra=True)
+ prepare_ipa_server(cls.master)
+ tasks.install_client(cls.master, cls.clients[0], nameservers=None)
+
+ def test_remote_server(self):
+ """
+ This test installs IPA server instead of replica on
+ system under test with the same realm and domain name.
+ """
+ tasks.install_master(self.replicas[0], setup_dns=True, setup_kra=True)
+
+ def test_ipa_migrate_without_kinit_as_admin(self):
+ """
+ This test checks that ipa-migrate tool displays
+ error when kerberos ticket is missing for admin
+ """
+ self.replicas[0].run_command(["kdestroy", "-A"])
+ KINIT_ERR_MSG = "ipa: ERROR: Did not receive Kerberos credentials\n"
+ result = run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=['-x'],
+ )
+ assert result.returncode == 1
+ assert KINIT_ERR_MSG in result.stderr_text
+ tasks.kinit_admin(self.replicas[0])
+
+ def test_ipa_migrate_log_file_is_created(self):
+ """
+ This test checks that ipa-migrate.log file is created when ipa-migrate
+ tool is run
+ """
+ run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=['-x'],
+ )
+ assert self.replicas[0].transport.file_exists(paths.IPA_MIGRATE_LOG)
+
+ def test_ipa_migrate_with_incorrect_bind_pwd(self):
+ """
+ This test checks that ipa-migrate tool fails with incorrect
+ bind password
+ """
+ ERR_MSG = (
+ "IPA to IPA migration starting ...\n"
+ "Failed to bind to remote server: Insufficient access: "
+ "Invalid credentials\n"
+ )
+ result = run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ "incorrect_bind_pwd",
+ extra_args=['-x'],
+ )
+ assert result.returncode == 1
+ assert ERR_MSG in result.stderr_text
+
+ def test_ipa_migrate_with_incorrect_bind_dn(self):
+ """
+ This test checks that ipa-migrate tool fails with incorrect
+ bind dn
+ """
+ ERR_MSG = (
+ "IPA to IPA migration starting ...\n"
+ "Failed to bind to remote server: Insufficient access: "
+ "Invalid credentials\n"
+ )
+ result = run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Dir Manager",
+ self.master.config.admin_password,
+ extra_args=['-x'],
+ )
+ assert result.returncode == 1
+ assert ERR_MSG in result.stderr_text
+
+ def test_ipa_migrate_with_invalid_host(self):
+ """
+ This test checks that ipa-migrate tools fails with
+ invalid host
+ """
+ hostname = "server.invalid.host"
+ ERR_MSG = (
+ "IPA to IPA migration starting ...\n"
+ "Failed to bind to remote server: cannot connect to "
+ "'ldap://"
+ "{}': \n".format(hostname)
+ )
+ result = run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ "server.invalid.host",
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=['-x'],
+ )
+ assert result.returncode == 1
+ assert ERR_MSG in result.stderr_text
+
+ def test_dry_run_record_output_ldif(self):
+ """
+ This testcase run ipa-migrate tool with the
+ -o option which captures the output to ldif file
+ """
+ ldif_file = "/tmp/test.ldif"
+ param = ['-x', '-o', ldif_file]
+ run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=param,
+ )
+ assert self.replicas[0].transport.file_exists("/tmp/test.ldif")
+
+ @pytest.fixture()
+ def empty_log_file(self):
+ """
+ This fixture empties the log file before ipa-migrate tool
+ is run since the log is appended everytime the tool is run.
+ """
+ self.replicas[0].run_command(
+ ["truncate", "-s", "0", paths.IPA_MIGRATE_LOG]
+ )
+ yield
+
+ def test_ipa_sigden_plugin_fail_error(self, empty_log_file):
+ """
+ This testcase checks that sidgen plugin fail error is
+ not seen during migrate prod-mode
+ """
+ SIDGEN_ERR_MSG = "SIDGEN task failed: \n"
+ run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=['-x'],
+ )
+ error_msg = self.replicas[0].get_file_contents(
+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
+ )
+ assert SIDGEN_ERR_MSG not in error_msg
+
+ def test_ipa_migrate_stage_mode_dry_run(self, empty_log_file):
+ """
+ Test ipa-migrate stage mode with dry-run option
+ """
+ tasks.kinit_admin(self.master)
+ tasks.kinit_admin(self.replicas[0])
+ IPA_MIGRATE_STAGE_DRY_RUN_LOG = "--dryrun=True\n"
+ IPA_SERVER_UPRGADE_LOG = "Skipping ipa-server-upgrade in dryrun mode.\n"
+ IPA_SKIP_SIDGEN_LOG = "Skipping SIDGEN task in dryrun mode."
+ result = run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=['-x'],
+ )
+ install_msg = self.replicas[0].get_file_contents(
+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
+ )
+ assert result.returncode == 0
+ assert IPA_MIGRATE_STAGE_DRY_RUN_LOG in install_msg
+ assert IPA_SERVER_UPRGADE_LOG in install_msg
+ assert IPA_SKIP_SIDGEN_LOG in install_msg
+
+ def test_ipa_migrate_prod_mode_dry_run(self, empty_log_file):
+ """
+ Test ipa-migrate prod mode with dry run option
+ """
+ tasks.kinit_admin(self.master)
+ tasks.kinit_admin(self.replicas[0])
+ IPA_MIGRATE_PROD_DRY_RUN_LOG = "--dryrun=True\n"
+ IPA_SERVER_UPRGADE_LOG = (
+ "Skipping ipa-server-upgrade in dryrun mode.\n"
+ )
+ IPA_SIDGEN_LOG = "Skipping SIDGEN task in dryrun mode.\n"
+ result = run_migrate(
+ self.replicas[0],
+ "prod-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=['-x'],
+ )
+ install_msg = self.replicas[0].get_file_contents(
+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
+ )
+ assert result.returncode == 0
+ assert IPA_MIGRATE_PROD_DRY_RUN_LOG in install_msg
+ assert IPA_SERVER_UPRGADE_LOG in install_msg
+ assert IPA_SIDGEN_LOG in install_msg
+
+ def test_ipa_migrate_with_skip_schema_option_dry_run(self, empty_log_file):
+ """
+ This test checks that ipa-migrate tool works
+ with -S(schema) options in stage mode
+ """
+ param = ['-x', '-S']
+ tasks.kinit_admin(self.master)
+ tasks.kinit_admin(self.replicas[0])
+ SKIP_SCHEMA_MSG_LOG = "Schema Migration " \
+ "(migrated 0 definitions)\n"
+ run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=param,
+ )
+ install_msg = self.replicas[0].get_file_contents(
+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
+ )
+ assert SKIP_SCHEMA_MSG_LOG in install_msg
+
+ def test_ipa_migrate_with_skip_config_option_dry_run(self, empty_log_file):
+ """
+ This test checks that ipa-migrate tool works
+ with -C(config) options in stage mode
+ """
+ SKIP_MIGRATION_CONFIG_LOG = "DS Configuration Migration " \
+ "(migrated 0 entries)\n"
+ param = ['-x', '-C']
+ tasks.kinit_admin(self.master)
+ tasks.kinit_admin(self.replicas[0])
+
+ run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=param,
+ )
+ install_msg = self.replicas[0].get_file_contents(
+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
+ )
+ assert SKIP_MIGRATION_CONFIG_LOG in install_msg
+
+ def test_ipa_migrate_reset_range(self, empty_log_file):
+ """
+ This test checks the reset range option -r
+ along with prod-mode, since stage-mode this is done
+ automatically.
+ """
+ param = ['-r', '-n']
+ tasks.kinit_admin(self.master)
+ tasks.kinit_admin(self.replicas[0])
+ RESET_RANGE_LOG = "--reset-range=True\n"
+ run_migrate(
+ self.replicas[0],
+ "prod-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=param,
+ )
+ install_msg = self.replicas[0].get_file_contents(
+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
+ )
+ assert RESET_RANGE_LOG in install_msg
+
+ def test_ipa_migrate_stage_mode_dry_override_schema(self, empty_log_file):
+ """
+ This test checks that -O option (override schema) works
+ in dry mode
+ """
+ param = ['-x', '-O', '-n']
+ tasks.kinit_admin(self.master)
+ tasks.kinit_admin(self.replicas[0])
+ SCHEMA_OVERRIDE_LOG = "--schema-overwrite=True\n"
+ run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=param,
+ )
+ install_msg = self.replicas[0].get_file_contents(
+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
+ )
+ assert SCHEMA_OVERRIDE_LOG in install_msg
+
+ @pytest.mark.xfail(
+ reason="https://issues.redhat.com/browse/RHEL-45463", strict=True
+ )
+ def test_ipa_migrate_stage_mode(self, empty_log_file):
+ """
+ This test checks that ipa-migrate is successful
+ in dry run mode
+ """
+ tasks.kinit_admin(self.master)
+ tasks.kinit_admin(self.replicas[0])
+ MIGRATION_SCHEMA_LOG_MSG = "Migrating schema ...\n"
+ MIGRATION_CONFIG_LOG_MSG = "Migrating configuration ...\n"
+ IPA_UPGRADE_LOG_MSG = (
+ "Running ipa-server-upgrade ... (this make take a while)\n"
+ )
+ SIDGEN_TASK_LOG_MSG = "Running SIDGEN task ...\n"
+ MIGRATION_COMPLETE_LOG_MSG = "Migration complete!\n"
+ result = run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=['-n'],
+ )
+ install_msg = self.replicas[0].get_file_contents(
+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
+ )
+ assert result.returncode == 0
+ assert MIGRATION_SCHEMA_LOG_MSG in install_msg
+ assert MIGRATION_CONFIG_LOG_MSG in install_msg
+ assert IPA_UPGRADE_LOG_MSG in install_msg
+ assert SIDGEN_TASK_LOG_MSG in install_msg
+ assert MIGRATION_COMPLETE_LOG_MSG in install_msg
+
+ def test_ipa_migrate_prod_mode(self, empty_log_file):
+ """
+ This test checks that ipa-migrate is successful
+ in prod run mode
+ """
+ tasks.kinit_admin(self.master)
+ tasks.kinit_admin(self.replicas[0])
+ MIGRATION_SCHEMA_LOG_MSG = "Migrating schema ...\n"
+ MIGRATION_DATABASE_LOG_MSG = (
+ "Migrating database ... (this make take a while)\n"
+ )
+ IPA_UPGRADE_LOG_MSG = (
+ "Running ipa-server-upgrade ... (this make take a while)\n"
+ )
+ SIDGEN_TASK_LOG_MSG = "Running SIDGEN task ...\n"
+ result = run_migrate(
+ self.replicas[0],
+ "prod-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=['-n'],
+ )
+ install_msg = self.replicas[0].get_file_contents(
+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
+ )
+ assert result.returncode == 0
+ assert MIGRATION_SCHEMA_LOG_MSG in install_msg
+ assert MIGRATION_DATABASE_LOG_MSG in install_msg
+ assert IPA_UPGRADE_LOG_MSG in install_msg
+ assert SIDGEN_TASK_LOG_MSG in install_msg
+
+ def test_ipa_migrate_with_bind_pwd_file_option(self, empty_log_file):
+ """
+ This testcase checks that ipa-migrate tool
+ works with valid bind_pwd specified in a file using '-j'
+ option
+ """
+ DEBUG_MSG = "--bind-pw-file=/tmp/pwd.txt\n"
+ bind_pwd_file = "/tmp/pwd.txt"
+ bind_pwd_file_content = self.master.config.admin_password
+ self.replicas[0].put_file_contents(
+ bind_pwd_file, bind_pwd_file_content
+ )
+ param = ['-j', bind_pwd_file, '-x']
+ result = run_migrate(
+ host=self.replicas[0],
+ mode="stage-mode",
+ remote_host=self.master.hostname,
+ bind_dn="cn=Directory Manager",
+ bind_pwd=None,
+ extra_args=param,
+ )
+ install_msg = self.replicas[0].get_file_contents(
+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
+ )
+ assert DEBUG_MSG in install_msg
+ assert result.returncode == 0
+
+ def test_ipa_migrate_using_db_ldif(self):
+ """
+ This test checks that ipa-migrate tool
+ works with db ldif file using -C option
+ """
+ DB_LDIF_LOG = "--db-ldif=/tmp/dse.ldif\n"
+ tasks.kinit_admin(self.master)
+ tasks.kinit_admin(self.replicas[0])
+ ldif_file_path = "/tmp/dse.ldif"
+ param = ["-f", ldif_file_path, "-n", "-x"]
+ realm_name = self.master.domain.realm
+ base_dn = str(self.master.domain.basedn)
+ dse_ldif = textwrap.dedent(
+ f"""
+ dn: cn={realm_name},cn=kerberos,{base_dn}
+ cn: {realm_name}
+ objectClass: top
+ objectClass: krbrealmcontainer
+ """
+ ).format(
+ realm_name=self.master.domain.realm,
+ base_dn=str(self.master.domain.basedn),
+ )
+ self.replicas[0].put_file_contents(ldif_file_path, dse_ldif)
+ result = run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=param,
+ )
+ install_msg = self.replicas[0].get_file_contents(
+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
+ )
+ assert result.returncode == 0
+ assert DB_LDIF_LOG in install_msg
+
+ def test_ipa_migrate_using_invalid_dbldif_file(self):
+ """
+ This testcase checks that proper error msg is
+ displayed when invalid ldif file without realm is used
+ as input to schema config option -f
+ """
+ ERR_MSG = (
+ "IPA to IPA migration starting ...\n"
+ "Unable to find realm from remote LDIF\n"
+ )
+ tasks.kinit_admin(self.master)
+ tasks.kinit_admin(self.replicas[0])
+ base_dn = str(self.master.domain.basedn)
+ ldif_file = "/tmp/ldif_file"
+ param = ["-f", ldif_file, "-n", "-x"]
+ dse_ldif = textwrap.dedent(
+ """
+ version: 1
+ dn: cn=schema,{}
+
+ """
+ ).format(base_dn)
+ self.replicas[0].put_file_contents(ldif_file, dse_ldif)
+ result = run_migrate(
+ self.replicas[0],
+ "prod-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=param,
+ )
+ assert result.returncode == 2
+ assert ERR_MSG in result.stderr_text
+
+ def test_ipa_migrate_subtree_option(self):
+ """
+ This testcase checks the subtree option
+ -s along with the ipa-migrate command
+ """
+ base_dn = str(self.master.domain.basedn)
+ subtree = 'cn=security,{}'.format(base_dn)
+ params = ['-s', subtree, '-n', '-x']
+ base_dn = str(self.master.domain.basedn)
+ CUSTOM_SUBTREE_LOG = (
+ "Add db entry 'cn=security,{} - custom'"
+ ).format(base_dn)
+ dse_ldif = textwrap.dedent(
+ """
+ dn: cn=security,{base_dn}
+ changetype: add
+ objectClass:top
+ objectClass: nscontainer
+ """
+ ).format(base_dn=base_dn)
+ tasks.ldapmodify_dm(self.master, dse_ldif)
+ result = run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=params,
+ )
+ assert result.returncode == 0
+ install_msg = self.replicas[0].get_file_contents(
+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
+ )
+ assert CUSTOM_SUBTREE_LOG in install_msg
+
+ @pytest.fixture()
+ def modify_dns_zone(self):
+ zone_name = 'ipatest.test'
+ self.master.run_command(
+ ["ipa", "dnszone-add", zone_name, "--force"]
+ )
+ yield
+ self.replicas[0].run_command(
+ ["ipa", "dnszone-del", zone_name]
+ )
+
+ def test_ipa_migrate_dns_option(self, modify_dns_zone):
+ """
+ This testcase checks that when migrate dns option
+ -B is used the dns entry is migrated to the
+ local host.
+ """
+ zone_name = "ipatest.test."
+ base_dn = str(self.master.domain.basedn)
+ DNS_LOG1 = "--migrate-dns=True\n"
+ DNS_LOG2 = (
+ "DEBUG Added entry: idnsname={},cn=dns,{}\n"
+ ).format(zone_name, base_dn)
+ DNS_LOG3 = (
+ "DEBUG Added entry: idnsname=_kerberos,"
+ "idnsname={},cn=dns,{}\n"
+ ).format(zone_name, base_dn)
+ params = ["-B", "-n"]
+ run_migrate(
+ self.replicas[0],
+ "prod-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=params,
+ )
+ result = self.replicas[0].run_command(["ipa", "dnszone-find"])
+ assert "Zone name: ipatest.test." in result.stdout_text
+ install_msg = self.replicas[0].get_file_contents(
+ paths.IPA_MIGRATE_LOG, encoding="utf-8"
+ )
+ assert DNS_LOG1 in install_msg
+ assert DNS_LOG2 in install_msg
+ assert DNS_LOG3 in install_msg
+
+ @pytest.mark.xfail(reason="https://issues.redhat.com/browse/RHEL-46003",
+ strict=True)
+ def test_ipa_migrate_version_option(self):
+ """
+ This testcase checks the version of
+ the ipa-migrate tool using -v option
+ """
+ CONSOLE_LOG = (
+ "ipa-migrate: error: the following arguments are "
+ "required: mode, hostname"
+ )
+ result = self.master.run_command(["ipa-migrate", "-V"])
+ assert result.returncode == 0
+ assert CONSOLE_LOG not in result.stderr_text
+
+ def test_ipa_migrate_with_log_file_option(self):
+ """
+ This testcase checks that log file is created
+ with -l option
+ """
+ custom_log_file = "/tmp/test.log"
+ params = ['-x', '-n', '-l', custom_log_file]
+ run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=params,
+ )
+ assert self.replicas[0].transport.file_exists(custom_log_file)
--
2.45.2


@ -1,104 +0,0 @@
From a8e75bbb77e15e3a42adb2d30933cf9e1edd2f0b Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Tue, 11 Jun 2024 10:50:51 +0200
Subject: [PATCH] ipa_sidgen: Allow sidgen_task to continue after finding
issues
find_sid_for_ldap_entry could fail in several ways if a Posix ID can not
be converted to an unused SID. This could happen for example for ducplicate
IDs or user/group out of range.
This change enables ipa_sidgen_task to continue in the error case to try
to convert the entries without errors. The error messages have been
extended to additionally show the DN string for the bad entries.
Fixes: https://pagure.io/freeipa/issue/9618
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
.../ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c | 11 ++++++-----
.../ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c | 11 ++++++++---
2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
index cb763ebf8c733e50483c23856a248eb536c796f1..13f4de5416606df1911f14f60ab1af1a8ba0184b 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
@@ -491,7 +491,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
}
if (uid_number >= UINT32_MAX || gid_number >= UINT32_MAX) {
- LOG_FATAL("ID value too large.\n");
+ LOG_FATAL("ID value too large on entry [%s].\n", dn_str);
ret = LDAP_CONSTRAINT_VIOLATION;
goto done;
}
@@ -508,7 +508,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
&has_posix_group,
&has_ipa_id_object);
if (ret != 0) {
- LOG_FATAL("Cannot determine objectclasses.\n");
+ LOG_FATAL("Cannot determine objectclasses on entry [%s].\n", dn_str);
goto done;
}
@@ -522,15 +522,16 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
id = (uid_number != 0) ? uid_number : gid_number;
objectclass_to_add = NULL;
} else {
- LOG_FATAL("Inconsistent objectclasses and attributes, nothing to do.\n");
+ LOG_FATAL("Inconsistent objectclasses and attributes on entry "
+ "[%s], nothing to do.\n", dn_str);
ret = 0;
goto done;
}
ret = find_sid_for_id(id, plugin_id, base_dn, dom_sid, ranges, &sid);
if (ret != 0) {
- LOG_FATAL("Cannot convert Posix ID [%lu] into an unused SID.\n",
- (unsigned long) id);
+ LOG_FATAL("Cannot convert Posix ID [%lu] into an unused SID on "
+ "entry [%s].\n", (unsigned long) id, dn_str);
goto done;
}
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
index 007b1c945d0e37c4061f6a33cfdd667c45118c99..67979cb9fb0b5560009643c84be7eb07d767d77f 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_task.c
@@ -89,7 +89,7 @@ static void free_pblock(void *arg)
static int do_work(struct worker_ctx *worker_ctx)
{
Slapi_PBlock *pb;
- int ret;
+ int ret, failures = 0;
size_t c;
char *filter = NULL;
char *attrs[] = { OBJECTCLASS, UID_NUMBER, GID_NUMBER, NULL };
@@ -151,8 +151,7 @@ static int do_work(struct worker_ctx *worker_ctx)
worker_ctx->base_dn, worker_ctx->dom_sid,
worker_ctx->ranges);
if (ret != 0) {
- LOG_FATAL("Cannot add SID to existing entry.\n");
- goto done;
+ failures++;
}
if (worker_ctx->delay != 0) {
@@ -162,6 +161,12 @@ static int do_work(struct worker_ctx *worker_ctx)
}
};
+ ret = failures;
+ if (ret > 0) {
+ LOG_FATAL("Finished with %d failures, please check the log.\n",
+ failures);
+ }
+
done:
slapi_ch_free_string(&filter);
pthread_cleanup_pop(1);
--
2.45.2


@ -1,45 +0,0 @@
From 4521fe5f9125c74b4ad6e4e51f8c66c009079281 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 13 Jun 2024 10:39:54 +0200
Subject: [PATCH] ipatests: mark test_ca_show_error_handling as xfail
With PKI 11.5.0, the test
test_cert.py::TestCAShowErrorHandling::test_ca_show_error_handling
is failing with an exception and a different error message.
Mark as xfail until PKI provides a fix
Related: https://pagure.io/freeipa/issue/9606
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
ipatests/test_integration/test_cert.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 4dd1254a2d16420bb70686f9715497dfb9048ecf..91598b655a8cd6ff92c1a0cf2166c6548a7af758 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -25,6 +25,7 @@ from pkg_resources import parse_version
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
+from ipatests.util import xfail_context
DEFAULT_RA_AGENT_SUBMITTED_VAL = '19700101000000'
@@ -555,7 +556,11 @@ class TestCAShowErrorHandling(IntegrationTest):
)
error_msg = 'ipa: ERROR: The certificate for ' \
'{} is not available on this server.'.format(lwca)
- assert error_msg in result.stderr_text
+ bad_version = (tasks.get_pki_version(self.master)
+ >= tasks.parse_version('11.5.0'))
+ with xfail_context(bad_version,
+ reason="https://pagure.io/freeipa/issue/9606"):
+ assert error_msg in result.stderr_text
def test_certmonger_empty_cert_not_segfault(self):
"""Test empty cert request doesn't force certmonger to segfault
--
2.45.2


@ -1,47 +0,0 @@
From efa57193630f244185b3f295ed0de17c6d08f75a Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 8 Jul 2024 10:49:49 -0400
Subject: [PATCH] ipa-migrate - remove -V option
The versioning in ipa-migrate was removed, but the "-V" option to display the version was not removed.
Fixes: https://pagure.io/freeipa/issue/9620
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
install/tools/man/ipa-migrate.1 | 3 ---
ipaserver/install/ipa_migrate.py | 3 ---
2 files changed, 6 deletions(-)
diff --git a/install/tools/man/ipa-migrate.1 b/install/tools/man/ipa-migrate.1
index 78881d1f8a9ea91d7824e5f8b13f50aecf5ebd16..2d9d2c650a4c44a2f397d1c2ccb42fb95eea2bae 100644
--- a/install/tools/man/ipa-migrate.1
+++ b/install/tools/man/ipa-migrate.1
@@ -67,9 +67,6 @@ Reset the ID range for migrated users/groups. In "stage-mode" this is done autom
\fB\-F\fR, \fB\-\-force\fR
Ignore any errors and continue to proceed with migration effort.
.TP
-\fB\-V\fR, \fB\-\-version\fR
-Display the version of the migration tool.
-.TP
\fB\-q\fR, \fB\-\-quiet\fR
Only log errors during the migration process.
.TP
diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index 58351af604b8d6f4ac31432a425718a4d45e0178..6be8d9ba23b36779bf6296df757c1aca551968c0 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -389,9 +389,6 @@ class IPAMigrate():
parser.add_argument('-F', '--force',
help='Ignore errors and continue with migration',
action='store_true', default=False)
- parser.add_argument('-V', '--version',
- help='Display verison of the migration tool',
- action='store_true', default=False)
parser.add_argument('-q', '--quiet',
help='Only display errors during the migration',
action='store_true', default=False)
--
2.45.2


@ -1,37 +0,0 @@
From 1b278de4ab9c5e00fb48dc2de1ea31d9bdfc94bc Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 9 Jul 2024 14:35:25 -0400
Subject: [PATCH] Fix syntax error in the selinux-luna %postun script
It was missing a trailing fi.
This bad syntax was preventing cleanup of the
{free}ipa-selinux-luna SELinux module:
Running scriptlet: freeipa-selinux-luna-4.12.0.dev202402211727+git0ee 34/44
/var/tmp/rpm-tmp.qoCDFi: line 16: syntax error: unexpected end of file
warning: %postun(freeipa-selinux-luna-4.12.0.dev202402211727+git0eeecdcec-0.fc37.noarch) scriptlet failed, exit status
Fixes: https://pagure.io/freeipa/issue/9629
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
freeipa.spec.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1e1a0c04728972c6c53beb47dafb25d7898ab0ea..b3b19cf8881db97307836513ff2263dc4fe4ca03 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1367,6 +1367,7 @@ fi
%postun selinux-luna
if [ $1 -eq 0 ]; then
%selinux_modules_uninstall -s %{selinuxtype} %{modulename}-luna
+fi
%posttrans selinux
%selinux_relabel_post -s %{selinuxtype}
--
2.45.2


@ -1,231 +0,0 @@
From 7ab1bcb2d364c26024db4ec99c707ebefffcd3e7 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 5 Jul 2024 15:00:59 -0400
Subject: [PATCH] Re-organize HSM validation to be more consistent/less
duplication
hsm_validator() was more or less bolted in place late in the
development cycle in in order to catch some of the more common
problems: bad token name, bad password, etc.
There was a fair bit of duplication and had the side-effect of not
reading in the token password from the --token-password-file option
in some cases.
This patch also re-adds a lost feature where an exception is raised if
both the --token-password and --token-password-file options are passed
in.
This also needs to be enforced on initial server, replica and when
called by ipa-kra-install. Given that each has a unique subject of
options some duplication remains.
Fixes: https://pagure.io/freeipa/issue/9603
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/install/ca.py | 72 +++++++++++++++--------------
ipaserver/install/kra.py | 56 ++++++++++++++++++++--
ipaserver/install/server/install.py | 2 +
3 files changed, 93 insertions(+), 37 deletions(-)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index dc4b47056f0e327d120ab6dad238deae3c26bbcd..b8155d9965712dbce4076e9d73d6712135309ce2 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -193,6 +193,8 @@ def hsm_validator(token_name, token_library, token_password):
if not token_name:
logger.debug("No token name, assuming not an HSM install")
return
+ if not token_password:
+ raise ValueError("No token password provided")
val, pki_version = hsm_version()
if val is False:
raise ValueError(
@@ -361,17 +363,16 @@ def install_check(standalone, replica_config, options):
host_name = options.host_name
if replica_config is None:
- if options.token_name:
- try:
- hsm_validator(
- options.token_name, options.token_library_path,
- options.token_password)
- except ValueError as e:
- raise ScriptError(str(e))
options._subject_base = options.subject_base
options._ca_subject = options.ca_subject
options._random_serial_numbers = options.random_serial_numbers
token_name = options.token_name
+ token_library_path = options.token_library_path
+ if "setup_ca" in options.__dict__:
+ setup_ca = options.setup_ca
+ else:
+ # We got here through ipa-ca-install
+ setup_ca = True
else:
# during replica install, this gets invoked before local DS is
# available, so use the remote api.
@@ -399,33 +400,36 @@ def install_check(standalone, replica_config, options):
if replica_config.setup_ca and token_name:
if not options.token_library_path:
options.token_library_path = token_library_path
- if (
- not options.token_password_file
- and not options.token_password
- ):
- if options.unattended:
- raise ScriptError("HSM token password required")
- token_password = installutils.read_password(
- f"HSM token '{token_name}'", confirm=False
- )
- if token_password is None:
- raise ScriptError("HSM token password required")
- else:
- options.token_password = token_password
-
- if options.token_password_file:
- with open(options.token_password_file, "r") as fd:
- options.token_password = fd.readline().strip()
- try:
- hsm_validator(
- token_name,
- options.token_library_path
- if options.token_library_path
- else token_library_path,
- options.token_password,
- )
- except ValueError as e:
- raise ScriptError(str(e))
+ setup_ca = replica_config.setup_ca
+
+ if setup_ca and token_name:
+ if (options.token_password_file and options.token_password):
+ raise ScriptError(
+ "token-password and token-password-file are mutually exclusive"
+ )
+ if options.token_password_file:
+ with open(options.token_password_file, "r") as fd:
+ options.token_password = fd.readline().strip()
+ if (
+ not options.token_password_file
+ and not options.token_password
+ ):
+ if options.unattended:
+ raise ScriptError("HSM token password required")
+ token_password = installutils.read_password(
+ f"HSM token '{token_name}'", confirm=False
+ )
+ if token_password is None:
+ raise ScriptError("HSM token password required")
+ else:
+ options.token_password = token_password
+
+ try:
+ hsm_validator(
+ token_name, token_library_path,
+ options.token_password)
+ except ValueError as e:
+ raise ScriptError(str(e))
if replica_config is not None and not replica_config.setup_ca:
return
diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 2c5b47590c26e37818f055cfd218c85d74e9b46c..dc3bc7c204394187bb7a5c4cc1b863a2091bdc49 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -16,10 +16,12 @@ from ipalib.kinit import kinit_keytab
from ipaplatform import services
from ipaplatform.paths import paths
from ipapython import ipautil
+from ipapython.admintool import ScriptError
from ipapython.install.core import group
from ipaserver.install import ca, cainstance
from ipaserver.install import krainstance
from ipaserver.install import dsinstance
+from ipaserver.install import installutils
from ipaserver.install import service as _service
from . import dogtag
@@ -58,13 +60,61 @@ def install_check(api, replica_config, options):
"KRA can not be installed when 'ca_host' is overriden in "
"IPA configuration file.")
+ # There are three scenarios for installing a KRA
+ # 1. At install time of the initial server
+ # 2. Using ipa-kra-install
+ # 3. At install time of a replica
+ #
+ # These tests are done in reverse order. If we are doing a
+ # replica install we can check the remote CA.
+ #
+ # If we are running ipa-kra-install then there must be a CA
+ # use that.
+ #
+ # If initial install we either have the token options or we don't.
+
+ cai = cainstance.CAInstance()
+ if replica_config is not None:
+ (token_name, token_library_path) = ca.lookup_hsm_configuration(api)
+ elif cai.is_configured() and cai.hsm_enabled:
+ (token_name, token_library_path) = ca.lookup_hsm_configuration(api)
+ elif 'token_name' in options.__dict__:
+ token_name = options.token_name
+ token_library_path = options.token_library_path
+ else:
+ token_name = None
+
+ if replica_config is not None:
+ if (
+ token_name
+ and options.token_password_file
+ and options.token_password
+ ):
+ raise ScriptError(
+ "token-password and token-password-file are mutually exclusive"
+ )
+
if options.token_password_file:
with open(options.token_password_file, "r") as fd:
options.token_password = fd.readline().strip()
- if replica_config is not None:
- (token_name, token_library) = ca.lookup_hsm_configuration(api)
- ca.hsm_validator(token_name, token_library, options.token_password)
+ if (
+ token_name
+ and not options.token_password_file
+ and not options.token_password
+ ):
+ if options.unattended:
+ raise ScriptError("HSM token password required")
+ token_password = installutils.read_password(
+ f"HSM token '{token_name}'", confirm=False
+ )
+ if token_password is None:
+ raise ScriptError("HSM token password required")
+ else:
+ options.token_password = token_password
+
+ if token_name:
+ ca.hsm_validator(token_name, token_library_path, options.token_password)
def install(api, replica_config, options, custodia):
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 1b18873363cece5e187a7c772acfcbc6c565ee97..47db1314239906a10bb77e5fc0d4c1eddc02e2da 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -663,6 +663,8 @@ def install_check(installer):
options.token_name is not None
)
):
+ if options.unattended:
+ raise ScriptError("HSM token password required")
token_password = read_password(
f"HSM token '{options.token_name}'" , confirm=False)
if token_password is None:
--
2.45.2


@ -1,192 +0,0 @@
From 4ea1ad6acae910574a524403bc82c80d24b525d6 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 13 Jun 2024 14:07:57 +0530
Subject: [PATCH] ipatests: tests related to --token-password-file
Test automation added around the --token-password-file
option for server/replica/kra install.
Related: https://pagure.io/freeipa/issue/9603
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_hsm.py | 85 ++++++++++++++++++++++++---
1 file changed, 77 insertions(+), 8 deletions(-)
diff --git a/ipatests/test_integration/test_hsm.py b/ipatests/test_integration/test_hsm.py
index b49af12492f7dce4bd41836b220d75d9fc99b5c2..3a33c3bda6d072aa16e361b04ac2d668902bb0e9 100644
--- a/ipatests/test_integration/test_hsm.py
+++ b/ipatests/test_integration/test_hsm.py
@@ -163,6 +163,7 @@ class BaseHSMTest(IntegrationTest):
master_extra_args = []
token_password = None
token_name = None
+ token_password_file = '/tmp/token_password'
random_serial = False
@classmethod
@@ -191,7 +192,7 @@ class BaseHSMTest(IntegrationTest):
delete_hsm_token([cls.master] + cls.replicas, cls.token_name)
@classmethod
- def sync_tokens(cls, source):
+ def sync_tokens(cls, source, token_name=None):
"""Synchronize non-networked HSM tokens between machines
source: source host for the token data
"""
@@ -207,7 +208,8 @@ class BaseHSMTest(IntegrationTest):
for host in [cls.master] + cls.replicas:
if host == source:
continue
- copy_token_files(source, [host], cls.token_name)
+ copy_token_files(source, [host],
+ token_name if token_name else cls.token_name)
class TestHSMInstall(BaseHSMTest):
@@ -218,6 +220,10 @@ class TestHSMInstall(BaseHSMTest):
def test_hsm_install_replica0_ca_less_install(self):
check_version(self.master)
+
+ self.master.put_file_contents(
+ self.token_password_file, self.token_password
+ )
tasks.install_replica(
self.master, self.replicas[0], setup_ca=False,
setup_dns=True,
@@ -307,6 +313,50 @@ class TestHSMInstall(BaseHSMTest):
assert returncode == 0
assert output == "No issues found."
+ def test_hsm_install_server_password_file(self):
+ check_version(self.master)
+ # cleanup before fresh install with password file
+ for client in self.clients:
+ tasks.uninstall_client(client)
+
+ for replica in self.replicas:
+ tasks.uninstall_master(replica)
+
+ tasks.uninstall_master(self.master)
+
+ delete_hsm_token([self.master] + self.replicas, self.token_name)
+ self.token_name, self.token_password = get_hsm_token(self.master)
+ self.master.put_file_contents(self.token_password_file,
+ self.token_password)
+ self.replicas[0].put_file_contents(self.token_password_file,
+ self.token_password)
+
+ tasks.install_master(
+ self.master, setup_dns=self.master_with_dns,
+ setup_kra=self.master_with_kra,
+ setup_adtrust=self.master_with_ad,
+ extra_args=(
+ '--token-name', self.token_name,
+ '--token-library-path', hsm_lib_path,
+ '--token-password-file', self.token_password_file
+ )
+ )
+ self.sync_tokens(self.master, token_name=self.token_name)
+
+ def test_hsm_install_replica0_password_file(self):
+ check_version(self.master)
+ tasks.install_replica(
+ self.master, self.replicas[0], setup_ca=True,
+ extra_args=('--token-password-file', self.token_password_file,)
+ )
+
+ def test_hsm_install_replica0_kra_password_file(self):
+ check_version(self.master)
+ tasks.install_kra(
+ self.replicas[0],
+ extra_args=('--token-password-file', self.token_password_file,)
+ )
+
class TestHSMInstallADTrustBase(BaseHSMTest):
"""
@@ -321,7 +371,7 @@ class TestHSMInstallADTrustBase(BaseHSMTest):
check_version(self.master)
tasks.install_replica(
self.master, self.replicas[0], setup_ca=True,
- setup_adtrust=True, setup_kra=True, setup_dns=True,
+ setup_adtrust=False, setup_kra=True, setup_dns=True,
nameservers='master' if self.master_with_dns else None,
extra_args=('--token-password', self.token_password,)
)
@@ -356,7 +406,8 @@ class TestHSMcertRenewal(BaseHSMTest):
'auditSigningCert cert-pki-ca': 'caauditSigningCert'
}
CA_TRACKING_REQS.update(KRA_TRACKING_REQS)
- self.master.put_file_contents('/tmp/token_passwd', self.token_password)
+ self.master.put_file_contents(self.token_password_file,
+ self.token_password)
for nickname in CA_TRACKING_REQS:
cert = tasks.certutil_fetch_cert(
self.master,
@@ -772,6 +823,7 @@ class TestHSMcertFixReplica(BaseHSMTest):
class TestHSMNegative(IntegrationTest):
master_with_dns = False
+ token_password_file = '/tmp/token_password'
@classmethod
def install(cls, mh):
@@ -792,7 +844,6 @@ class TestHSMNegative(IntegrationTest):
'--token-password', self.token_password
)
)
- # assert 'error message non existing token name' in result.stderr_text
assert result.returncode != 0
# wrong token password
@@ -804,7 +855,6 @@ class TestHSMNegative(IntegrationTest):
'--token-password', 'token_passwd'
)
)
- # assert 'error message wrong passwd' in result.stderr_text
assert result.returncode != 0
# wrong token lib
@@ -816,7 +866,6 @@ class TestHSMNegative(IntegrationTest):
'--token-password', self.token_password
)
)
- # assert 'error message non existing token lib' in result.stderr_text
assert result.returncode != 0
def test_hsm_negative_special_char_token_name(self):
@@ -842,7 +891,27 @@ class TestHSMNegative(IntegrationTest):
'--token-password', token_passwd
)
)
- # assert 'error message non existing token lib' in result.stderr_text
+ assert result.returncode != 0
+
+ def test_hsm_negative_token_password_and_file(self):
+ """Test token-password and token-password-file at same time
+
+ Test if command fails when --token-password and --token-password-file
+ provided at the same time results into command failure.
+ """
+ check_version(self.master)
+ self.master.put_file_contents(
+ self.token_password_file, self.token_password
+ )
+ result = tasks.install_master(
+ self.master, raiseonerr=False,
+ extra_args=(
+ '--token-name', self.token_name,
+ '--token-library-path', hsm_lib_path,
+ '--token-password', self.token_password,
+ '--token-password-file', self.token_password_file
+ )
+ )
assert result.returncode != 0
--
2.45.2


@ -1,36 +0,0 @@
From 6c53a22a2cacf7807df11e51492d1a2c42aeeda1 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 18 Jun 2024 11:16:07 -0400
Subject: [PATCH] Include token password options in ipa-kra-install man page
Related: https://pagure.io/freeipa/issue/9603
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
install/tools/man/ipa-kra-install.1 | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/install/tools/man/ipa-kra-install.1 b/install/tools/man/ipa-kra-install.1
index 5476a4e717584cd7c6f823e3c3cb4e4948f14875..955085bf7162863a0567356417a0886e733c0b42 100644
--- a/install/tools/man/ipa-kra-install.1
+++ b/install/tools/man/ipa-kra-install.1
@@ -54,6 +54,15 @@ Log to the given file
.TP
\fB\-\-pki\-config\-override\fR=\fIFILE\fR
File containing overrides for KRA installation.
+.SS "HSM OPTIONS"
+The token name and library path are retrieved from the existing
+installation.
+.TP
+\fB\-\-token\-password\fR=\fITOKEN_PASSWORD\fR
+The PKCS#11 token password for the HSM.
+.TP
+\fB\-\-token\-password\-file\fR=\fITOKEN_PASSWORD_FILE\fR
+The full path to a file containing the PKCS#11 token password.
.SH "EXIT STATUS"
0 if the command was successful
--
2.45.2


@ -1,86 +0,0 @@
From eeade50933cb2251b43ee34c642bcae69a216655 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 8 Jul 2024 10:20:47 -0400
Subject: [PATCH] ipa-migrate - starttls does not work
We were previousily taking the provided ca cert and creating a temporary
file from it. This was incorrect and caused the secure connection to
fail. Instead just use the file path provided.
Fixes: https://pagure.io/freeipa/issue/9619
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
install/tools/man/ipa-migrate.1 | 2 +-
ipaserver/install/ipa_migrate.py | 25 +++++++++++++++++--------
2 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/install/tools/man/ipa-migrate.1 b/install/tools/man/ipa-migrate.1
index 2d9d2c650a4c44a2f397d1c2ccb42fb95eea2bae..47ae47ea4afa3a5a6fe25dd9bbd14c27ab5f1fdb 100644
--- a/install/tools/man/ipa-migrate.1
+++ b/install/tools/man/ipa-migrate.1
@@ -25,7 +25,7 @@ network interruptions)
In this mode everything will be migrated including the current user SIDs and
DNA ranges
.TP
-\fBstage\-mod\fR
+\fBstage\-mode\fR
In this mode, SIDs & DNA ranges are not migrated, and DNA attributes are reset
.SH "COMMANDS"
diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index 6be8d9ba23b36779bf6296df757c1aca551968c0..0e19b98b5be532c513876e165561f0af176baa27 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -27,7 +27,6 @@ from ipalib.x509 import IPACertificate
from ipaplatform.paths import paths
from ipapython.dn import DN
from ipapython.ipaldap import LDAPClient, LDAPEntry, realm_to_ldapi_uri
-from ipapython.ipautil import write_tmp_file
from ipapython.ipa_log_manager import standard_logging_setup
from ipaserver.install.ipa_migrate_constants import (
DS_CONFIG, DB_OBJECTS, DS_INDEXES, BIND_DN, LOG_FILE_NAME,
@@ -758,13 +757,19 @@ class IPAMigrate():
insecure_bind = False
if self.args.cacertfile is not None:
- # Store CA cert into file
- tmp_ca_cert_f = write_tmp_file(self.args.cacertfile)
- cacert = tmp_ca_cert_f.name
-
# Start TLS connection (START_TLS)
- ds_conn = LDAPClient(ldapuri, cacert=cacert, start_tls=True)
- tmp_ca_cert_f.close()
+ try:
+ ds_conn = LDAPClient(ldapuri, cacert=self.args.cacertfile,
+ start_tls=True)
+ except (
+ ldap.LDAPError,
+ errors.NetworkError,
+ errors.DatabaseError,
+ IOError
+ ) as e:
+ self.handle_error(
+ f"Failed to connect to remote server: {str(e)}"
+ )
else:
# LDAP (insecure)
ds_conn = LDAPClient(ldapuri)
@@ -773,7 +778,11 @@ class IPAMigrate():
try:
ds_conn.simple_bind(DN(self.args.bind_dn), self.bindpw,
insecure_bind=insecure_bind)
- except (errors.NetworkError, errors.ACIError) as e:
+ except (
+ errors.NetworkError,
+ errors.ACIError,
+ errors.DatabaseError
+ ) as e:
self.handle_error(f"Failed to bind to remote server: {str(e)}")
# All set, stash the remote connection
--
2.45.2


@ -1,232 +0,0 @@
From 051d61fdc301f2768ac78c45e93a5f9eeff8aa28 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 25 Jun 2024 14:27:24 +0300
Subject: [PATCH] ipa-pwd-extop: differentiate OTP requirements in LDAP binds
For users who has no OTP tokens defined (yet), a missing token should
not be seen as a failure. This is needed to allow a basic password
change.
The logic around enforcement of OTP over LDAP bind is the following:
----------------------------------------------------------------------
- when LDAP OTP control is requested by the LDAP client, OTP is
explicitly required
- when EnforceLDAPOTP is set in the IPA configuration, OTP is implicitly
required, regardless of the state of LDAP client
In either case, only users with 'user-auth-type: otp' are allowed to
authenticate.
If these users have no OTP token associated yet, they will be allowed to
authenticate with their password. This is to allow initial password
change and adding an OTP token.
----------------------------------------------------------------------
Implement test that simulates lifecycle for new user who get to change
their password before adding an OTP token.
Related: https://pagure.io/freeipa/issue/5169
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 39 ++++++++++----
ipatests/test_integration/test_otp.py | 52 ++++++++++++++++---
2 files changed, 76 insertions(+), 15 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
index cc170fc4b81f8ecad88f4ff4401b5651c43aaf55..c967e2cfffbd920280639f3188783ec150523b47 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
@@ -1212,13 +1212,20 @@ done:
* value at the end. This leaves only the password in creds for later
* validation.
*/
+typedef enum {
+ OTP_IS_NOT_REQUIRED = 0,
+ OTP_IS_REQUIRED_EXPLICITLY,
+ OTP_IS_REQUIRED_IMPLICITLY
+} otp_req_enum;
static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
- struct berval *creds, bool otpreq)
+ struct berval *creds, otp_req_enum otpreq,
+ bool *notokens)
{
uint32_t auth_types;
/* Get the configured authentication types. */
auth_types = otp_config_auth_types(otp_config, entry);
+ *notokens = false;
/*
* IMPORTANT SECTION!
@@ -1248,7 +1255,11 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
/* With no tokens, succeed if tokens aren't required. */
if (tokens[0] == NULL) {
otp_token_free_array(tokens);
- return !otpreq;
+ *notokens = true;
+ if (otpreq != OTP_IS_NOT_REQUIRED)
+ /* DENY: OTP is required, either explicitly or implicitly */
+ return false;
+ return true;
}
if (otp_token_validate_berval(tokens, creds, NULL)) {
@@ -1259,7 +1270,8 @@ static bool ipapwd_pre_bind_otp(const char *bind_dn, Slapi_Entry *entry,
otp_token_free_array(tokens);
}
- return (auth_types & OTP_CONFIG_AUTH_TYPE_PASSWORD) && !otpreq;
+ return (auth_types & OTP_CONFIG_AUTH_TYPE_PASSWORD) &&
+ (otpreq == OTP_IS_NOT_REQUIRED);
}
static int ipapwd_authenticate(const char *dn, Slapi_Entry *entry,
@@ -1452,6 +1464,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
struct tm expire_tm;
int rc = LDAP_INVALID_CREDENTIALS;
char *errMesg = NULL;
+ bool notokens = false;
/* get BIND parameters */
ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &target_sdn);
@@ -1510,8 +1523,9 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
/* Try to do OTP first. */
syncreq = otpctrl_present(pb, OTP_SYNC_REQUEST_OID);
- otpreq = otpctrl_present(pb, OTP_REQUIRED_OID);
- if (!syncreq && !otpreq) {
+ otpreq = otpctrl_present(pb, OTP_REQUIRED_OID) ?
+ OTP_IS_REQUIRED_EXPLICITLY : OTP_IS_NOT_REQUIRED;
+ if (!syncreq && (otpreq == OTP_IS_NOT_REQUIRED)) {
ret = ipapwd_gen_checks(pb, &errMesg, &krbcfg, IPAPWD_CHECK_ONLY_CONFIG);
if (ret != 0) {
LOG_FATAL("ipapwd_gen_checks failed!?\n");
@@ -1520,11 +1534,17 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
return 0;
}
if (krbcfg->enforce_ldap_otp) {
- otpreq = true;
+ otpreq = OTP_IS_REQUIRED_IMPLICITLY;
}
}
- if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials, otpreq))
- goto invalid_creds;
+ if (!syncreq && !ipapwd_pre_bind_otp(dn, entry,
+ credentials, otpreq, &notokens)) {
+ /* We got here because ipapwd_pre_bind_otp() returned false,
+ * it means that either token verification failed or
+ * a rule for empty tokens failed current policy. */
+ if (!(notokens || (otpreq == OTP_IS_NOT_REQUIRED)))
+ goto invalid_creds;
+ }
/* Ensure that there is a password. */
if (credentials->bv_len == 0) {
@@ -1561,7 +1581,8 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
* for access log to notice multi-factor authentication has happened
* https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html
*/
- if (!syncreq && otpreq) {
+ if (!syncreq &&
+ ((otpreq != OTP_IS_NOT_REQUIRED) && !notokens)) {
slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH);
}
#endif
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
index d2dfca4cbf8c60955e888b6f92bd88a2608bb265..350371bfe1e4c1cc6dcc89f6584f813fcb0d32a0 100644
--- a/ipatests/test_integration/test_otp.py
+++ b/ipatests/test_integration/test_otp.py
@@ -458,41 +458,81 @@ class TestOTPToken(IntegrationTest):
master = self.master
basedn = master.domain.basedn
USER1 = 'user-forced-otp'
+ TMP_PASSWORD = 'Secret1234509'
binddn = DN(f"uid={USER1},cn=users,cn=accounts,{basedn}")
- tasks.create_active_user(master, USER1, PASSWORD)
tasks.kinit_admin(master)
+ master.run_command(['ipa', 'pwpolicy-mod', '--minlife', '0'])
+ tasks.user_add(master, USER1, password=TMP_PASSWORD)
# Enforce use of OTP token for this user
master.run_command(['ipa', 'user-mod', USER1,
'--user-auth-type=otp'])
try:
+ # Change initial password through the IPA endpoint
+ url = f'https://{master.hostname}/ipa/session/change_password'
+ master.run_command(['curl', '-d', f'user={USER1}',
+ '-d', f'old_password={TMP_PASSWORD}',
+ '-d', f'new_password={PASSWORD}',
+ '--referer', f'https://{master.hostname}/ipa',
+ url])
conn = master.ldap_connect()
# First, attempt authenticating with a password but without LDAP
# control to enforce OTP presence and without server-side
# enforcement of the OTP presence check.
conn.simple_bind(binddn, f"{PASSWORD}")
- # Add an OTP token now
- otpuid, totp = add_otptoken(master, USER1, otptype="totp")
# Next, enforce Password+OTP for a user with OTP token
master.run_command(['ipa', 'config-mod', '--addattr',
'ipaconfigstring=EnforceLDAPOTP'])
+ # Try to bind without OTP because there is no OTP token yet,
+ # the operation should succeed because OTP enforcement is implicit
+ # and there is no token yet, so it is allowed.
+ conn.simple_bind(binddn, f"{PASSWORD}")
+ conn.unbind()
+ # Add an OTP token now
+ otpuid, totp = add_otptoken(master, USER1, otptype="totp")
# Next, authenticate with Password+OTP and with the LDAP control
# this operation should succeed
otpvalue = totp.generate(int(time.time())).decode("ascii")
+ conn = master.ldap_connect()
conn.simple_bind(binddn, f"{PASSWORD}{otpvalue}",
client_controls=[
BooleanControl(
controlType="2.16.840.1.113730.3.8.10.7",
booleanValue=True)])
- # Remove token
- del_otptoken(self.master, otpuid)
+ conn.unbind()
+ # Sleep to make sure we are going to use a different token value
+ time.sleep(45)
+ # Use OTP token again, without LDAP control, should succeed
+ # because OTP enforcement is implicit
+ otpvalue = totp.generate(int(time.time())).decode("ascii")
+ conn = master.ldap_connect()
+ conn.simple_bind(binddn, f"{PASSWORD}{otpvalue}")
+ conn.unbind()
# Now, try to authenticate without otp and without control
- # this operation should fail
+ # this operation should fail because we have OTP token associated
+ # with the user account
try:
+ conn = master.ldap_connect()
conn.simple_bind(binddn, f"{PASSWORD}")
+ conn.unbind()
except errors.ACIError:
pass
+ # Sleep to make sure we are going to use a different token value
+ time.sleep(45)
+ # Use OTP token again, without LDAP control, should succeed
+ # because OTP enforcement is implicit
+ otpvalue = totp.generate(int(time.time())).decode("ascii")
+ # Finally, change password again, now that otp is present
+ master.run_command(['curl', '-d', f'user={USER1}',
+ '-d', f'old_password={PASSWORD}',
+ '-d', f'new_password={TMP_PASSWORD}0',
+ '-d', f'otp={otpvalue}',
+ '--referer', f'https://{master.hostname}/ipa',
+ url])
+ # Remove token
+ del_otptoken(self.master, otpuid)
master.run_command(['ipa', 'config-mod', '--delattr',
'ipaconfigstring=EnforceLDAPOTP'])
finally:
+ master.run_command(['ipa', 'pwpolicy-mod', '--minlife', '1'])
master.run_command(['ipa', 'user-del', USER1])
--
2.45.2


@ -1,74 +0,0 @@
From 8b703150a47bf509f37856bdc27cfa99e85e5e6b Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Mon, 24 Jun 2024 13:48:24 +0530
Subject: [PATCH] ipatests: Test replica installation using AD admin.
Test to verify that replica connection check is not failing when
the AD administrator Administrator@AD.EXAMPLE.COM is
used for the deployment or promotion of a replica
Related: https://pagure.io/freeipa/issue/9542
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_replica_promotion.py | 46 +++++++++++++++++++
1 files changed, 46 insertions(+)
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 7ef44c571c8a4106577d27f4712f661be873dacc..c754cef88cb275987f5afdaad43f2ea07e3b7476 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -1318,3 +1318,49 @@ class TestHiddenReplicaKRA(IntegrationTest):
self.replicas[0].hostname, '--state=hidden'
])
assert result.returncode == 0
+
+
+class TestReplicaConn(IntegrationTest):
+ num_replicas = 1
+ num_ad_domains = 1
+
+ @classmethod
+ def install(cls, mh):
+ cls.replica = cls.replicas[0]
+ cls.ad = cls.ads[0]
+ ad_domain = cls.ad.domain.name
+ cls.ad_admin = 'Administrator@{}'.format(ad_domain.upper())
+ cls.adview = 'Default Trust View'
+ tasks.install_master(cls.master, setup_adtrust=True)
+ tasks.configure_dns_for_trust(cls.master, cls.ad)
+ tasks.establish_trust_with_ad(cls.master, cls.ad.domain.name)
+ tasks.install_client(cls.master, cls.replica)
+
+ def test_replica_conncheck_ad_admin(self):
+ """
+ Test to verify that replica installation is not failing for
+ replica connection check when AD administrator
+ Administrator@AD.EXAMPLE.COM is used for the deployment
+ or promotion of a replica.
+
+ Related : https://pagure.io/freeipa/issue/9542
+ """
+ self.master.run_command(
+ ['ipa', 'idoverrideuser-add', self.adview, self.ad_admin]
+ )
+ self.master.run_command(
+ ["ipa", "group-add-member", "admins", "--idoverrideusers",
+ self.ad_admin]
+ )
+ tasks.clear_sssd_cache(self.master)
+
+ self.replica.run_command(
+ ["ipa-replica-install", "--setup-ca", "-U", "--ip-address",
+ self.replica.ip, "--realm", self.replica.domain.realm,
+ "--domain", self.replica.domain.name,
+ "--principal={0}".format(self.ad_admin),
+ "--password", self.master.config.ad_admin_password]
+ )
+ logs = self.replica.get_file_contents(paths.IPAREPLICA_CONNCHECK_LOG)
+ error = "not allowed to perform server connection check"
+ assert error.encode() not in logs
--
2.45.2


@ -1,46 +0,0 @@
From 85a853ba93c1d23d5bad13a1ae2bee802dc90131 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 8 Jul 2024 11:25:53 -0400
Subject: [PATCH] Issue 9621 - ipa-migrate - should not update mapped
attributes in managed entries
We should not migrate mmapped attributes (uidNumber, gidNumber) from
managed entries
We should also not migrate DNA ranges in staging mode
Fixes: https://pagure.io/freeipa/issue/9621
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/ipa_migrate.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index 0e19b98b5be532c513876e165561f0af176baa27..20f59f84db21022b66c0aa1ffd696d99aef85a44 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -1322,6 +1322,9 @@ class IPAMigrate():
self.args.reset_range
or self.mode == "stage-mode"
) and attr.lower() in DNA_REGEN_ATTRS:
+ # Skip dna attributes from managed entries
+ if 'mepManagedBy' in local_entry:
+ break
# Ok, set the magic regen value
local_entry[attr] = [DNA_REGEN_VAL]
self.log_debug("Resetting the DNA range for: "
@@ -1816,6 +1819,9 @@ class IPAMigrate():
# processing the entries
for entry in remote_dse:
for dse_item in DS_CONFIG.items():
+ if dse_item[0] == "dna" and self.mode == "stage-mode":
+ # Do not migrate DNA ranges in staging mode
+ continue
dse = dse_item[1]
for dn in dse['dn']:
if DN(dn) == DN(entry['dn']):
--
2.45.2


@ -1,50 +0,0 @@
From de940802bb6631fbbc97afd11869d87cba18f47f Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 17 Jul 2024 18:32:37 +0200
Subject: [PATCH] ipatests: remove xfail for test_ipa_migrate_version_option
The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1::
test_ipa_migrate_version_option is now passing, issue has been fixed.
The -V option has been removed.
Related: https://pagure.io/freeipa/issue/9620
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
---
ipatests/test_integration/test_ipa_ipa_migration.py | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
index 7e2d4a34216f6cf168f15dda10ce10538a3c3cb9..9aa8a9f32071f122ebb247ba8a1aff041e4fd49a 100644
--- a/ipatests/test_integration/test_ipa_ipa_migration.py
+++ b/ipatests/test_integration/test_ipa_ipa_migration.py
@@ -846,20 +846,18 @@ class TestIPAMigrateScenario1(IntegrationTest):
assert DNS_LOG2 in install_msg
assert DNS_LOG3 in install_msg
- @pytest.mark.xfail(reason="https://issues.redhat.com/browse/RHEL-46003",
- strict=True)
def test_ipa_migrate_version_option(self):
"""
- This testcase checks the version of
- the ipa-migrate tool using -v option
+ The -V option has been removed.
"""
CONSOLE_LOG = (
"ipa-migrate: error: the following arguments are "
"required: mode, hostname"
)
- result = self.master.run_command(["ipa-migrate", "-V"])
- assert result.returncode == 0
- assert CONSOLE_LOG not in result.stderr_text
+ result = self.master.run_command(["ipa-migrate", "-V"],
+ raiseonerr=False)
+ assert result.returncode == 2
+ assert CONSOLE_LOG in result.stderr_text
def test_ipa_migrate_with_log_file_option(self):
"""
--
2.45.2


@ -1,33 +0,0 @@
From 6eb6a929308c2916df9aed2da9ee6ef9d98e2438 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 17 Jul 2024 18:36:24 +0200
Subject: [PATCH] ipatests: remove xfail for test_ipa_migrate_stage_mode
The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1
::test_ipa_migrate_stage_mode is now passing, the issue has been fixed.
Related: https://pagure.io/freeipa/issue/9621
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
---
ipatests/test_integration/test_ipa_ipa_migration.py | 3 ---
1 file changed, 3 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
index 9aa8a9f32071f122ebb247ba8a1aff041e4fd49a..a516941047315e07407b8063a7010526d384ab3b 100644
--- a/ipatests/test_integration/test_ipa_ipa_migration.py
+++ b/ipatests/test_integration/test_ipa_ipa_migration.py
@@ -600,9 +600,6 @@ class TestIPAMigrateScenario1(IntegrationTest):
)
assert SCHEMA_OVERRIDE_LOG in install_msg
- @pytest.mark.xfail(
- reason="https://issues.redhat.com/browse/RHEL-45463", strict=True
- )
def test_ipa_migrate_stage_mode(self, empty_log_file):
"""
This test checks that ipa-migrate is successful
--
2.45.2


@ -1,26 +0,0 @@
From d1a485a435ea9dba7587d1998451a09d3aa4077b Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Wed, 17 Jul 2024 15:45:06 +0200
Subject: [PATCH] Unconditionally add MS-PAC to global config on update
Fixes: https://pagure.io/freeipa/issue/9632
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
install/updates/60-trusts.update | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 56e392044a2fae97ab2f26d8afcffa6a872d41c8..b2fdccae74accf934c9f9e7d83fe63459c1e48b4 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -54,4 +54,4 @@ add:aci: (target="ldap:///krbprincipalname=cifs/($$dn),cn=services,cn=accounts,$
# Add the default PAC type to configuration
dn: cn=ipaConfig,cn=etc,$SUFFIX
-addifnew: ipaKrbAuthzData: MS-PAC
+add: ipaKrbAuthzData: MS-PAC
--
2.45.2


@ -1,26 +0,0 @@
From 9f88188204e443dd5d1d22ebe65b947452558f66 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Wed, 17 Jul 2024 15:47:33 +0200
Subject: [PATCH] Remove RC4 and 3DES default encryption types on update
Fixes: https://pagure.io/freeipa/issue/9633
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
install/updates/50-krbenctypes.update | 2 ++
1 file changed, 2 insertions(+)
diff --git a/install/updates/50-krbenctypes.update b/install/updates/50-krbenctypes.update
index 1058a92d8f5a4971e9ecab52506981b8e470ff77..1bf2bf33a6566586639767771dff501d91a03508 100644
--- a/install/updates/50-krbenctypes.update
+++ b/install/updates/50-krbenctypes.update
@@ -7,3 +7,5 @@ add: krbSupportedEncSaltTypes: aes128-sha2:normal
add: krbSupportedEncSaltTypes: aes128-sha2:special
add: krbSupportedEncSaltTypes: aes256-sha2:normal
add: krbSupportedEncSaltTypes: aes256-sha2:special
+remove: krbDefaultEncSaltTypes: des3-hmac-sha1:special
+remove: krbDefaultEncSaltTypes: arcfour-hmac:special
--
2.45.2


@ -1,33 +0,0 @@
From fdd471d55c73503456683b1dea55769700730b16 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 18 Jul 2024 13:40:28 -0400
Subject: [PATCH] Fix a copy/paste issue when detecting the HSM SELinux
subpackage
I made a mistake when trying to detect which HSM is being used
to ensure that the appropriate SELinux subpackage is installed.
Fixes: https://pagure.io/freeipa/issue/9636
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/install/ca.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index b8155d9965712dbce4076e9d73d6712135309ce2..e57dc47587fa0e0a6dbbe7511784af065560d782 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -265,7 +265,7 @@ def hsm_validator(token_name, token_library, token_password):
if 'nfast' in token_library:
module = 'ipa-selinux-nfast'
elif 'luna' in token_library:
- module = 'ipa-selinux-nfast'
+ module = 'ipa-selinux-luna'
else:
module = None
if module:
--
2.45.2


@ -1,36 +0,0 @@
From 0e4fbc3b0d15fd219d831b0b49f5312894448206 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 29 Jul 2024 09:58:30 -0400
Subject: [PATCH] ipa-migrate - properly handle invalid certificates
A ValueError is raised when an invalid certificate is used, so the tool
should handle this properly and not produce a stack trace.
Fixes: https://pagure.io/freeipa/issue/9642
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/ipa_migrate.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index 20f59f84db21022b66c0aa1ffd696d99aef85a44..e21937401b3463335d8297b41a403405071d3795 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -761,6 +761,12 @@ class IPAMigrate():
try:
ds_conn = LDAPClient(ldapuri, cacert=self.args.cacertfile,
start_tls=True)
+ except ValueError:
+ # Most likely invalid certificate
+ self.handle_error(
+ "Failed to connect to remote server: "
+ "CA certificate is invalid"
+ )
except (
ldap.LDAPError,
errors.NetworkError,
--
2.45.2


@ -1,73 +0,0 @@
From f03a96a7b914eb5130552cea626fd28e26b2108d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 15 Jul 2024 10:21:28 -0400
Subject: [PATCH] ipatests: Fix usage of token_password_file
There were a few hardcoded places where it was set to
/tmp/token_passwd instead of using the class variable.
Don't rely on previous running tests installing the token
password file so they can be run individually.
Fixes: https://pagure.io/freeipa/issue/9603
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_hsm.py | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/ipatests/test_integration/test_hsm.py b/ipatests/test_integration/test_hsm.py
index 3a33c3bda6d072aa16e361b04ac2d668902bb0e9..64305460a5150dfc28a4ab378ac72cd38987184c 100644
--- a/ipatests/test_integration/test_hsm.py
+++ b/ipatests/test_integration/test_hsm.py
@@ -173,6 +173,9 @@ class BaseHSMTest(IntegrationTest):
cls.master.run_command(['usermod', 'pkiuser', '-a', '-G', 'ods'])
cls.token_name, cls.token_password = get_hsm_token(cls.master)
+ cls.master.put_file_contents(
+ cls.token_password_file, cls.token_password
+ )
tasks.install_master(
cls.master, setup_dns=cls.master_with_dns,
setup_kra=cls.master_with_kra,
@@ -220,10 +223,6 @@ class TestHSMInstall(BaseHSMTest):
def test_hsm_install_replica0_ca_less_install(self):
check_version(self.master)
-
- self.master.put_file_contents(
- self.token_password_file, self.token_password
- )
tasks.install_replica(
self.master, self.replicas[0], setup_ca=False,
setup_dns=True,
@@ -412,7 +411,7 @@ class TestHSMcertRenewal(BaseHSMTest):
cert = tasks.certutil_fetch_cert(
self.master,
paths.PKI_TOMCAT_ALIAS_DIR,
- '/tmp/token_passwd',
+ self.token_password_file,
nickname,
token_name=self.token_name,
)
@@ -428,13 +427,14 @@ class TestHSMcertRenewal(BaseHSMTest):
status = tasks.wait_for_request(self.master, request_id[0], 120)
assert status == "MONITORING"
- args = ['-L', '-h', self.token_name, '-f', '/tmp/token_passwd']
+ args = ['-L', '-h', self.token_name, '-f',
+ self.token_password_file,]
tasks.run_certutil(self.master, args, paths.PKI_TOMCAT_ALIAS_DIR)
cert = tasks.certutil_fetch_cert(
self.master,
paths.PKI_TOMCAT_ALIAS_DIR,
- '/tmp/token_passwd',
+ self.token_password_file,
nickname,
token_name=self.token_name,
)
--
2.45.2

@ -1,175 +0,0 @@
From 38b83c2b9329b8b16096d63e83f186c91d578ce8 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 10 Jul 2024 16:14:46 -0400
Subject: [PATCH] Run HSM validation as pkiuser to verify token permissions
Run all commands as pkiuser when validating that the HSM token
is available, that the token library path is correct and that
the password can read keys. This will avoid issues where the
initial validation is ok but the pkiuser is not granted read
access to some part of the token. This is very possible
when using softhsm2.
Fixes: https://pagure.io/freeipa/issue/9626
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/install/ca.py | 20 ++++++++--
ipatests/test_integration/test_hsm.py | 57 +++++++++++++++++++++++++++
2 files changed, 74 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index e57dc47587fa0e0a6dbbe7511784af065560d782..9ff91b9cc42673138eee6fa8e0eb46b323be8b1d 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -18,6 +18,7 @@ import six
from ipalib.constants import IPA_CA_CN
from ipalib.install import certstore
from ipalib.install.service import enroll_only, master_install_only, replica_install_only
+from ipaplatform.constants import constants
from ipaserver.install import sysupgrade
from ipapython.install import typing
from ipapython.install.core import group, knob, extend_knob
@@ -208,8 +209,15 @@ def hsm_validator(token_name, token_library, token_password):
raise ValueError(
"Token library path '%s' does not exist" % token_library
)
+ pkiuser = constants.PKI_USER
+ pkigroup = constants.PKI_GROUP
+ if 'libsofthsm' in token_library:
+ import grp
+ group = grp.getgrnam(constants.ODS_GROUP)
+ if str(constants.PKI_USER) in group.gr_mem:
+ pkigroup = constants.ODS_GROUP
with certdb.NSSDatabase() as tempnssdb:
- tempnssdb.create_db()
+ tempnssdb.create_db(user=str(pkiuser), group=str(pkigroup))
# Try adding the token library to the temporary database in
# case it isn't already available. Ignore all errors.
command = [
@@ -223,6 +231,7 @@ def hsm_validator(token_name, token_library, token_password):
# It may fail if p11-kit has already registered the library, that's
# ok.
ipautil.run(command, stdin='\n', cwd=tempnssdb.secdir,
+ runas=pkiuser, suplementary_groups=[pkigroup],
raiseonerr=False)
command = [
@@ -232,7 +241,8 @@ def hsm_validator(token_name, token_library, token_password):
'-force'
]
lines = ipautil.run(
- command, cwd=tempnssdb.secdir, capture_output=True).output
+ command, cwd=tempnssdb.secdir, capture_output=True,
+ runas=pkiuser, suplementary_groups=[pkigroup]).output
found = False
token_line = f'token: {token_name}'
for line in lines.split('\n'):
@@ -241,9 +251,11 @@ def hsm_validator(token_name, token_library, token_password):
break
if not found:
raise ValueError(
- "Token named '%s' was not found" % token_name
+ "Token named '%s' was not found. Check permissions"
+ % token_name
)
pwdfile = ipautil.write_tmp_file(token_password)
+ os.fchown(pwdfile.fileno(), pkiuser.uid, pkigroup.gid)
args = [
paths.CERTUTIL,
"-d", '{}:{}'.format(tempnssdb.dbtype, tempnssdb.secdir),
@@ -252,6 +264,8 @@ def hsm_validator(token_name, token_library, token_password):
"-f", pwdfile.name,
]
result = ipautil.run(args, cwd=tempnssdb.secdir,
+ runas=pkiuser,
+ suplementary_groups=[pkigroup],
capture_error=True, raiseonerr=False)
if result.returncode != 0 and len(result.error_output):
if 'SEC_ERROR_BAD_PASSWORD' in result.error_output:
diff --git a/ipatests/test_integration/test_hsm.py b/ipatests/test_integration/test_hsm.py
index 64305460a5150dfc28a4ab378ac72cd38987184c..974820fc7363b77fd5fdecc7cf0efca412f3af42 100644
--- a/ipatests/test_integration/test_hsm.py
+++ b/ipatests/test_integration/test_hsm.py
@@ -833,6 +833,13 @@ class TestHSMNegative(IntegrationTest):
cls.token_name, cls.token_password = get_hsm_token(cls.master)
+ @classmethod
+ def uninstall(cls, mh):
+ cls.master.run_command(
+ ['softhsm2-util', '--delete-token', '--token', cls.token_name],
+ raiseonerr=False
+ )
+
def test_hsm_negative_wrong_token_details(self):
check_version(self.master)
# wrong token name
@@ -868,6 +875,51 @@ class TestHSMNegative(IntegrationTest):
)
assert result.returncode != 0
+ def test_hsm_negative_bad_token_dir_permissions(self):
+ """Create an unreadable softhsm2 token and install should fail.
+
+ This is most often seen on replicas where the pkiuser is not
+ a member of the ods group.
+ """
+ check_version(self.master)
+ token_name = 'bad_perms'
+ token_passwd = 'Secret123'
+ self.master.run_command(
+ ['softhsm2-util', '--delete-token', '--token', token_name],
+ raiseonerr=False
+ )
+ self.master.run_command(
+ ['usermod', 'pkiuser', '-a', '-G', 'ods']
+ )
+ self.master.run_command(
+ ['softhsm2-util', '--init-token',
+ '--free', '--pin', token_passwd, '--so-pin', token_passwd,
+ '--label', token_name]
+ )
+ self.master.run_command(
+ ['usermod', 'pkiuser', '-r', '-G', 'ods']
+ )
+ result = tasks.install_master(
+ self.master, raiseonerr=False,
+ extra_args=(
+ '--token-name', token_name,
+ '--token-library-path', hsm_lib_path,
+ '--token-password', token_passwd
+ )
+ )
+ self.master.run_command(
+ ['usermod', 'pkiuser', '-a', '-G', 'ods']
+ )
+ self.master.run_command(
+ ['softhsm2-util', '--delete-token', '--token', token_name],
+ raiseonerr=False
+ )
+ assert result.returncode != 0
+ assert (
+ f"Token named '{token_name}' was not found"
+ in result.stderr_text
+ )
+
def test_hsm_negative_special_char_token_name(self):
check_version(self.master)
token_name = 'hsm:token'
@@ -912,6 +964,11 @@ class TestHSMNegative(IntegrationTest):
'--token-password-file', self.token_password_file
)
)
+ self.master.run_command(
+ ['softhsm2-util', '--delete-token', '--token', self.token_name],
+ raiseonerr=False
+ )
+ # assert 'error message non existing token lib' in result.stderr_text
assert result.returncode != 0
--
2.45.2

@ -1,163 +0,0 @@
From aadb8051d4a3172aac3790f47ff4d241a245bab4 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 18 Jul 2024 12:57:36 +0200
Subject: [PATCH] Replica CA installation: ignore time skew during initial
replication
During a replica CA installation, the initial replication step may fail
if there is too much time skew between the server and replica.
The replica installer already takes care of this for the replication of
the domain suffix but the replica CA installer does not set
nssldapd-ignore-time-skew to on for o=ipaca suffix.
During a replica CA installation, read the initial value of
nssldapd-ignore-time-skew, force it to on, start replication and
revert to the initial value.
Apply the same logic to dsinstance and ipa-replica-manage force-sync.
Fixes: https://pagure.io/freeipa/issue/9635
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
install/share/Makefile.am | 1 -
install/share/replica-prevent-time-skew.ldif | 4 ----
install/tools/ipa-replica-manage.in | 4 ++--
ipaserver/install/cainstance.py | 4 ++++
ipaserver/install/dsinstance.py | 14 ++---------
ipaserver/install/service.py | 25 ++++++++++++++++++++
6 files changed, 33 insertions(+), 19 deletions(-)
delete mode 100644 install/share/replica-prevent-time-skew.ldif
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index e0fe4b7d1756bd05f060a92ab52f910b4bd3adc8..4029297b76cc2f30dc9eab606e5670667978dd27 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -38,7 +38,6 @@ dist_app_DATA = \
default-trust-view.ldif \
delegation.ldif \
replica-acis.ldif \
- replica-prevent-time-skew.ldif \
ds-nfiles.ldif \
ds-ipa-env.conf.template \
dns.ldif \
diff --git a/install/share/replica-prevent-time-skew.ldif b/install/share/replica-prevent-time-skew.ldif
deleted file mode 100644
index 5d301feddb56347f3b35be89edaae1a7d91e07de..0000000000000000000000000000000000000000
--- a/install/share/replica-prevent-time-skew.ldif
+++ /dev/null
@@ -1,4 +0,0 @@
-dn: cn=config
-changetype: modify
-replace: nsslapd-ignore-time-skew
-nsslapd-ignore-time-skew: $SKEWVALUE
diff --git a/install/tools/ipa-replica-manage.in b/install/tools/ipa-replica-manage.in
index 56145cb8a2249f8c5279d9baec4f34f274990bcf..d6e6ef57c39af70f164d41662227af3dc2535f9c 100644
--- a/install/tools/ipa-replica-manage.in
+++ b/install/tools/ipa-replica-manage.in
@@ -1262,12 +1262,12 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False):
repl.force_sync(repl.conn, fromhost)
else:
ds = dsinstance.DsInstance(realm_name=realm)
- ds.replica_manage_time_skew(prevent=False)
+ ds.replica_ignore_initial_time_skew()
repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
repl.force_sync(repl.conn, thishost)
agreement = repl.get_replication_agreement(thishost)
repl.wait_for_repl_update(repl.conn, agreement.dn)
- ds.replica_manage_time_skew(prevent=True)
+ ds.replica_revert_time_skew()
def show_DNA_ranges(hostname, master, realm, dirman_passwd, nextrange=False,
nolookup=False):
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b4b86024899bc6532f1123503cec63be9435f55b..5dac2c0441752e7bb569cde1fc93bc17c3128cdf 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -416,7 +416,11 @@ class CAInstance(DogtagInstance):
if promote:
# Setup Database
self.step("creating certificate server db", self.__create_ds_db)
+ self.step("ignore time skew for initial replication",
+ self.replica_ignore_initial_time_skew)
self.step("setting up initial replication", self.__setup_replication)
+ self.step("revert time skew after initial replication",
+ self.replica_revert_time_skew)
self.step("creating ACIs for admin", self.add_ipaca_aci)
self.step("creating installation admin user", self.setup_admin)
self.step("configuring certificate server instance",
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 88984d0219033717cefd28d6170535b6c859330f..dab58e42661f500e7aca0e8311e93d421567b8c8 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -387,11 +387,11 @@ class DsInstance(service.Service):
# This helps with initial replication or force-sync because
# the receiving side has no valuable changes itself yet.
self.step("ignore time skew for initial replication",
- self.__replica_ignore_initial_time_skew)
+ self.replica_ignore_initial_time_skew)
self.step("setting up initial replication", self.__setup_replica)
self.step("prevent time skew after initial replication",
- self.replica_manage_time_skew)
+ self.replica_revert_time_skew)
self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
self.step("updating schema", self.__update_schema)
# See LDIFs for automember configuration during replica install
@@ -997,16 +997,6 @@ class DsInstance(service.Service):
def __add_replication_acis(self):
self._ldap_mod("replica-acis.ldif", self.sub_dict)
- def __replica_ignore_initial_time_skew(self):
- self.replica_manage_time_skew(prevent=False)
-
- def replica_manage_time_skew(self, prevent=True):
- if prevent:
- self.sub_dict['SKEWVALUE'] = 'off'
- else:
- self.sub_dict['SKEWVALUE'] = 'on'
- self._ldap_mod("replica-prevent-time-skew.ldif", self.sub_dict)
-
def __setup_s4u2proxy(self):
def __add_principal(last_cn, principal, self):
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 4c366a184ffdc26aaf7b546af9e4de8b43b7be41..cf0f64ab9794111761adf735bc488269bd1814fc 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -862,6 +862,31 @@ class Service:
self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
self.set_keytab_owner()
+ def replica_ignore_initial_time_skew(self):
+ """
+ Set nsslapd-ignore-time-skew = on if not already set
+ and store the initial value in order to restore it later.
+
+ The on value allows replica initialization even if there
+ are excessive time skews.
+ """
+ dn = DN(('cn', 'config'))
+ entry_attrs = api.Backend.ldap2.get_entry(dn)
+ self.original_time_skew = entry_attrs['nsslapd-ignore-time-skew'][0]
+ if self.original_time_skew != 'on':
+ entry_attrs['nsslapd-ignore-time-skew'] = 'on'
+ api.Backend.ldap2.update_entry(entry_attrs)
+
+ def replica_revert_time_skew(self):
+ """
+ Revert nsslapd-ignore-time-skew to its previous value.
+ """
+ dn = DN(('cn', 'config'))
+ entry_attrs = api.Backend.ldap2.get_entry(dn)
+ if self.original_time_skew != 'on':
+ entry_attrs['nsslapd-ignore-time-skew'] = self.original_time_skew
+ api.Backend.ldap2.update_entry(entry_attrs)
+
class SimpleServiceInstance(Service):
def create_instance(self, gensvc_name=None, fqdn=None, ldap_suffix=None,
--
2.45.2

@ -1,49 +0,0 @@
From e83d949c7f1734dff70379e360e9bbf626149c61 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 19 Jul 2024 14:24:15 -0400
Subject: [PATCH] Log errors reported by adtrustinstance.check_inst() using
logger
It previously only printed the issue which made troubleshooting
after the fact difficult. Using logger.error() provides the same
visual functionality but also logs to the server install log.
Fixes: https://pagure.io/freeipa/issue/9637
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/adtrustinstance.py | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 2ff68dfb46371a6118eb67515347eb762a37e1ec..fd5a5a282fa2a222de85c6b29d8d9621b53c95d2 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -65,8 +65,8 @@ and re-run ipa-adtrust-instal again afterwards.
def check_inst():
for smbfile in [paths.SMBD, paths.NET]:
if not os.path.exists(smbfile):
- print("%s was not found on this system" % smbfile)
- print("Please install the 'samba' packages and " \
+ logger.error("%s was not found on this system", smbfile)
+ logger.error("Please install the 'samba' packages and "
"start the installation again")
return False
@@ -74,9 +74,10 @@ def check_inst():
# by looking for the file /usr/share/ipa/smb.conf.empty
if not os.path.exists(os.path.join(paths.USR_SHARE_IPA_DIR,
"smb.conf.empty")):
- print("AD Trust requires the '%s' package" %
+ logger.error("AD Trust requires the '%s' package",
constants.IPA_ADTRUST_PACKAGE_NAME)
- print("Please install the package and start the installation again")
+ logger.error(
+ "Please install the package and start the installation again")
return False
#TODO: Add check for needed samba4 libraries
--
2.45.2

@ -1,116 +0,0 @@
From ee96c129a6034d02245a41c58fa3398c12c9ee75 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 11 Jul 2024 18:14:52 +0530
Subject: [PATCH] ipatests: Verify that SIDgen task continue even if it fails
to assign sid
related: https://pagure.io/freeipa/issue/9618
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_commands.py | 73 +++++++++++++++++++++-
1 file changed, 71 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index f6f1c979a751a300f09358c044fbfb34539d188e..fd34defe5b12f06ed7c16350cb90933ce9bcd72e 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1267,7 +1267,7 @@ class TestIPACommand(IntegrationTest):
def get_dirsrv_id(self):
serverid = realm_to_serverid(self.master.domain.realm)
- return("dirsrv@%s.service" % serverid)
+ return ("dirsrv@%s.service" % serverid)
def test_ipa_nis_manage_enable(self):
"""
@@ -1769,7 +1769,7 @@ class TestIPACommandWithoutReplica(IntegrationTest):
api.bootstrap_with_global_options(context='server')
api.finalize()
api.Backend.ldap2.connect()
-
+
api.Command["group_add"]("testgroup1", external=True)
api.Command["group_add"]("testgroup2", external=False)
result1 = api.Command["group_show"]("testgroup1", all=True)["result"] # noqa: E501
@@ -1814,6 +1814,75 @@ class TestIPACommandWithoutReplica(IntegrationTest):
'/tmp/reproducer2_code.py'])
assert "missing attribute" not in result.stdout_text
+ def test_sidgen_task_continue_on_error(self):
+ """Verify that SIDgen task continue even if it fails to assign sid
+ scenario:
+ - add a user with no uid (it will be auto-assigned inside
+ the range)
+ - add a user with uid 2000
+ - add a user with no uid (it will be auto-assigned inside
+ the range)
+ - edit the first and 3rd users, remove the objectclass
+ ipaNTUserAttrs and the attribute ipaNTSecurityIdentifier
+ - run the sidgen task
+ - verify that user1 and user3 have a ipaNTSecurityIdentifier
+ - verify that old error message is not seen in dirsrv error log
+ - verify that new error message is seen in dirsrv error log
+
+ related: https://pagure.io/freeipa/issue/9618
+ """
+ test_user1 = 'test_user1'
+ test_user2 = 'test_user2'
+ test_user2000 = 'test_user2000'
+ base_dn = str(self.master.domain.basedn)
+ old_err_msg = 'Cannot add SID to existing entry'
+ new_err_msg = r'Finished with [0-9]+ failures, please check the log'
+
+ tasks.kinit_admin(self.master)
+ tasks.user_add(self.master, test_user1)
+ self.master.run_command(
+ ['ipa', 'user-add', test_user2000,
+ '--first', 'test', '--last', 'user',
+ '--uid', '2000']
+ )
+ tasks.user_add(self.master, test_user2)
+
+ for user in (test_user1, test_user2):
+ entry_ldif = textwrap.dedent("""
+ dn: uid={user},cn=users,cn=accounts,{base_dn}
+ changetype: modify
+ delete: ipaNTSecurityIdentifier
+ -
+ delete: objectclass
+ objectclass: ipaNTUserAttrs
+ """).format(
+ user=user,
+ base_dn=base_dn)
+ tasks.ldapmodify_dm(self.master, entry_ldif)
+
+ # run sidgen task
+ self.master.run_command(
+ ['ipa', 'config-mod', '--add-sids', '--enable-sid']
+ )
+
+ # ensure that sidgen have added the attr removed above
+ for user in (test_user1, test_user2):
+ result = tasks.ldapsearch_dm(
+ self.master,
+ 'uid={user},cn=users,cn=accounts,{base_dn}'.format(
+ user=user, base_dn=base_dn),
+ ['ipaNTSecurityIdentifier']
+ )
+ assert 'ipaNTSecurityIdentifier' in result.stdout_text
+
+ dashed_domain = self.master.domain.realm.replace(".", '-')
+ dirsrv_error_log = self.master.get_file_contents(
+ paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % (dashed_domain),
+ encoding='utf-8'
+ )
+ assert old_err_msg not in dirsrv_error_log
+ assert re.search(new_err_msg, dirsrv_error_log)
+
class TestIPAautomount(IntegrationTest):
@classmethod
--
2.45.2

@ -1,76 +0,0 @@
From 8046023fc46c628c099d84b026ab866f7c6e16d6 Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Thu, 25 Jul 2024 18:32:21 +0530
Subject: [PATCH] ipatests: ipa-migrate tool with -Z option (CACERTFILE)
This patch add tests to check the scenarios associated with
pagure tickets
https://pagure.io/freeipa/issue/9642 - ipa-migrate - properly handle invalid certificates
https://pagure.io/freeipa/issue/9619 - ipa-migrate starttls does not work
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../test_ipa_ipa_migration.py | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
index a516941047315e07407b8063a7010526d384ab3b..f697bbfbfc6169309274db689501c99fe148cc70 100644
--- a/ipatests/test_integration/test_ipa_ipa_migration.py
+++ b/ipatests/test_integration/test_ipa_ipa_migration.py
@@ -872,3 +872,51 @@ class TestIPAMigrateScenario1(IntegrationTest):
extra_args=params,
)
assert self.replicas[0].transport.file_exists(custom_log_file)
+
+ def test_ipa_migrate_stage_mode_with_cert(self):
+ """
+ This testcase checks that ipa-migrate command
+ works without the 'ValuerError'
+ when -Z <cert> option is used with valid cert
+ """
+ cert_file = '/tmp/ipa.crt'
+ remote_server_cert = self.master.get_file_contents(
+ paths.IPA_CA_CRT, encoding="utf-8"
+ )
+ self.replicas[0].put_file_contents(cert_file, remote_server_cert)
+ params = ['-x', '-n', '-Z', cert_file]
+ result = run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=params,
+ )
+ assert result.returncode == 0
+
+ def test_ipa_migrate_stage_mode_with_invalid_cert(self):
+ """
+ This test checks ipa-migrate tool throws
+ error when invalid cert is specified with
+ -Z option
+ """
+ cert_file = '/tmp/invaid_cert.crt'
+ invalid_cert = (
+ b'-----BEGIN CERTIFICATE-----\n'
+ b'MIIFazCCDQYJKoZIhvcNAQELBQAw\n'
+ b'-----END CERTIFICATE-----\n'
+ )
+ ERR_MSG = "Failed to connect to remote server: "
+ params = ['-x', '-n', '-Z', cert_file]
+ self.replicas[0].put_file_contents(cert_file, invalid_cert)
+ result = run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=params,
+ )
+ assert result.returncode == 1
+ assert ERR_MSG in result.stderr_text
--
2.45.2

View File

@ -71,7 +71,7 @@
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.19
%global samba_version 4.20.0
%global slapi_nis_version 0.56.4
%global slapi_nis_version 0.70.0
%global python_ldap_version 3.1.0-1
%if 0%{?rhel} < 9
# Bug 1929067 - PKI instance creation failed with new 389-ds-base build
@ -102,7 +102,7 @@
# 38.28 or later includes passkey-related fixes
%global selinux_policy_version 38.28-1
%global slapi_nis_version 0.56.5
%global slapi_nis_version 0.70.0
# Require new KDB ABI
%global krb5_version 1.21.2
@ -192,7 +192,7 @@
# Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.12.1
%define IPA_VERSION 4.12.2
# Release candidate version -- uncomment with one percent for RC versions
#%%global rc_version
%define AT_SIGN @
@ -205,7 +205,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 4%{?rc_version:.%rc_version}%{?dist}
Release: 1%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -238,36 +238,7 @@ Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
%endif
%if 0%{?rhel} >= 9
Patch0001: 0001-Revert-Replace-netifaces-with-ifaddr.patch
Patch0002: 0002-Add-iparepltopoconf-objectclass-to-topology-permissi.patch
Patch0003: 0003-ipa-otptoken-import-open-the-key-file-in-binary-mode.patch
Patch0004: 0004-spec-file-do-not-create-etc-ssh-ssh_config.orig-if-u.patch
Patch0005: 0005-ipatests-add-test-for-ticket-9610.patch
Patch0006: 0006-PKINIT-certificate-fix-renewal-on-hidden-replica.patch
Patch0007: 0007-ipatests-add-test-for-PKINIT-renewal-on-hidden-repli.patch
Patch0008: 0008-ipatests-Tests-for-ipa-ipa-migration-tool.patch
Patch0009: 0009-ipa_sidgen-Allow-sidgen_task-to-continue-after-findi.patch
Patch0010: 0010-ipatests-mark-test_ca_show_error_handling-as-xfail.patch
Patch0011: 0011-ipa-migrate-remove-V-option.patch
Patch0012: 0012-Fix-syntax-error-in-the-selinux-luna-postun-script.patch
Patch0013: 0013-Re-organize-HSM-validation-to-be-more-consistent-les.patch
Patch0014: 0014-ipatests-tests-related-to-token-password-file.patch
Patch0015: 0015-Include-token-password-options-in-ipa-kra-install-ma.patch
Patch0016: 0016-ipa-migrate-starttls-does-not-work.patch
Patch0017: 0017-ipa-pwd-extop-differentiate-OTP-requirements-in-LDAP.patch
Patch0018: 0018-ipatests-Test-replica-installation-using-AD-admin.patch
Patch0019: 0019-Issue-9621-ipa-migrate-should-not-update-mapped-attr.patch
Patch0020: 0020-ipatests-remove-xfail-for-test_ipa_migrate_version_o.patch
Patch0021: 0021-ipatests-remove-xfail-for-test_ipa_migrate_stage_mod.patch
Patch0022: 0022-Unconditionally-add-MS-PAC-to-global-config-on-updat.patch
Patch0023: 0023-Remove-RC4-and-3DES-default-encryption-types-on-upda.patch
Patch0024: 0024-Fix-a-copy-paste-issue-when-detecting-the-HSM-SELinu.patch
Patch0025: 0025-ipa-migrate-properly-handle-invalid-certificates.patch
Patch0026: 0026-ipatests-Fix-usage-of-token_password_file.patch
Patch0027: 0027-Run-HSM-validation-as-pkiuser-to-verify-token-permis.patch
Patch0028: 0028-Replica-CA-installation-ignore-time-skew-during-init.patch
Patch0029: 0029-Log-errors-reported-by-adtrustinstance.check_inst-us.patch
Patch0030: 0030-ipatests-Verify-that-SIDgen-task-continue-even-if-it.patch
Patch0031: 0031-ipatests-ipa-migrate-tool-with-Z-option-CACERTFILE.patch
Patch0002: 0002-freeipa-disable-nis.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -1514,7 +1485,6 @@ fi
%{_sbindir}/ipa-ldap-updater
%{_sbindir}/ipa-otptoken-import
%{_sbindir}/ipa-compat-manage
%{_sbindir}/ipa-nis-manage
%{_sbindir}/ipa-managed-entries
%{_sbindir}/ipactl
%{_sbindir}/ipa-advise
@ -1589,7 +1559,6 @@ fi
%{_mandir}/man1/ipa-ca-install.1*
%{_mandir}/man1/ipa-kra-install.1*
%{_mandir}/man1/ipa-compat-manage.1*
%{_mandir}/man1/ipa-nis-manage.1*
%{_mandir}/man1/ipa-managed-entries.1*
%{_mandir}/man1/ipa-ldap-updater.1*
%{_mandir}/man8/ipactl.8*
@ -1890,6 +1859,12 @@ fi
%endif
%changelog
* Thu Aug 22 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2.1
- Resolves: RHEL-54545 Covscan issues: Resource Leak
- Resolves: RHEL-54304 support for python cryptography 43.0.0
- Resolves: RHEL-49805 misleading warning for missing ipa-selinux-nfast package on luna hsm h/w
- Resolves: RHEL-46897 With unreachable AD, ipa trust returns an internal error
* Thu Aug 8 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.1-4
- Resolves: RHEL-53501 adtrustinstance only prints issues in check_inst() and does not log them
- Resolves: RHEL-52305 Unconditionally add MS-PAC to global config
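Review bot: The new `%changelog` entry is headed `4.12.2.1`, but `%define IPA_VERSION 4.12.2` together with `Release: 1%{?rc_version:.%rc_version}%{?dist}` makes the package version `4.12.2-1`; the header should read `* Thu Aug 22 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-1`, matching the `4.12.1-4` form of the entry below it, otherwise rpmlint will report an incoherent version in the changelog. Separately, the `%files` hunks drop `%{_sbindir}/ipa-nis-manage` and its man page while `Patch0002: 0002-freeipa-disable-nis.patch` is added under the `%if 0%{?rhel} >= 9` branch; the new patch file and its apply step are not visible in this chunk, so confirm it is committed and actually applied, since an installed-but-unlisted binary would presumably trip the unpackaged-files check. The `%files` and `%changelog` sections continue outside the hunks shown.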

@ -1,2 +1,2 @@
SHA512 (freeipa-4.12.1.tar.gz) = a419c4251a55a69f90e6e3d2a514d6ba9e0609573bd5dbc9ff446c95b09164831233987c8cb70d3c2b53dae9b6600f3efd50c976007637cf18e6679e51f2c2f9
SHA512 (freeipa-4.12.1.tar.gz.asc) = 759de997443d608bb26e684c5de8678cb01d15077a2506ee4cc6102f1b5255a3ffd4bf25fb4a07578e590eb72b44e9f6b42645eac1f6f451d652f36271d3a806
SHA512 (freeipa-4.12.2.tar.gz) = 2e1e67dbe73a458db5c59528799649629a1cb462283e4e9a4c56aff46d275782bcb3b0d57de615bbc7020a4350d4d383501e049ac19ed38250896b1e8fd27cb0
SHA512 (freeipa-4.12.2.tar.gz.asc) = 07309bfdafd2ba9b1ced71374df5a84d242a5bf8e806765b4c3374ee2ddea0484f140d615a24b3f73f39a8ac34727d82a066ea399f91654077170519a12e2d27