import ipa-4.9.6-6.module+el8.5.0+12660+88e16a2c
This commit is contained in:
parent
aca3dbcb48
commit
32d9493df4
2
.gitignore
2
.gitignore
@ -1 +1 @@
|
|||||||
SOURCES/freeipa-4.9.2.tar.gz
|
SOURCES/freeipa-4.9.6.tar.gz
|
||||||
|
@ -1 +1 @@
|
|||||||
c7b37727ffbdebe311990f7d31ae3b8bf2d06792 SOURCES/freeipa-4.9.2.tar.gz
|
b7b91082908db35e4acbcd0221b8df4044913dc1 SOURCES/freeipa-4.9.6.tar.gz
|
||||||
|
@ -1,381 +0,0 @@
|
|||||||
From b590dcef10680b4ea3181ae1caec183e5967562b Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Fri, 11 Dec 2020 07:35:59 +0200
|
|
||||||
Subject: [PATCH] ipatests: add TestInstallWithoutSudo
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Test IPA servers and clients behavior when sudo is not installed.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8530
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
|
||||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
|
||||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
.../nightly_ipa-4-9_latest.yaml | 12 ++++
|
|
||||||
.../nightly_ipa-4-9_latest_selinux.yaml | 13 ++++
|
|
||||||
.../nightly_ipa-4-9_previous.yaml | 12 ++++
|
|
||||||
.../test_integration/test_installation.py | 66 +++++++++++++++++++
|
|
||||||
4 files changed, 103 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
|
||||||
index 3acd6a13c..d91b16cab 100644
|
|
||||||
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
|
||||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
|
||||||
@@ -535,6 +535,18 @@ jobs:
|
|
||||||
timeout: 10800
|
|
||||||
topology: *master_1repl
|
|
||||||
|
|
||||||
+ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
|
|
||||||
+ requires: [fedora-latest-ipa-4-9/build]
|
|
||||||
+ priority: 50
|
|
||||||
+ job:
|
|
||||||
+ class: RunPytest
|
|
||||||
+ args:
|
|
||||||
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
|
|
||||||
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
|
|
||||||
+ template: *ci-ipa-4-9-latest
|
|
||||||
+ timeout: 4800
|
|
||||||
+ topology: *master_1repl_1client
|
|
||||||
+
|
|
||||||
fedora-latest-ipa-4-9/test_idviews:
|
|
||||||
requires: [fedora-latest-ipa-4-9/build]
|
|
||||||
priority: 50
|
|
||||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
|
||||||
index c01192cf5..8adb06d0c 100644
|
|
||||||
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
|
||||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
|
||||||
@@ -575,6 +575,19 @@ jobs:
|
|
||||||
timeout: 10800
|
|
||||||
topology: *master_1repl
|
|
||||||
|
|
||||||
+ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
|
|
||||||
+ requires: [fedora-latest-ipa-4-9/build]
|
|
||||||
+ priority: 50
|
|
||||||
+ job:
|
|
||||||
+ class: RunPytest
|
|
||||||
+ args:
|
|
||||||
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
|
|
||||||
+ selinux_enforcing: True
|
|
||||||
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
|
|
||||||
+ template: *ci-ipa-4-9-latest
|
|
||||||
+ timeout: 4800
|
|
||||||
+ topology: *master_1repl_1client
|
|
||||||
+
|
|
||||||
fedora-latest-ipa-4-9/test_idviews:
|
|
||||||
requires: [fedora-latest-ipa-4-9/build]
|
|
||||||
priority: 50
|
|
||||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
|
||||||
index a6ea24f6a..2b5d4fd5e 100644
|
|
||||||
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
|
||||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
|
||||||
@@ -535,6 +535,18 @@ jobs:
|
|
||||||
timeout: 10800
|
|
||||||
topology: *master_1repl
|
|
||||||
|
|
||||||
+ fedora-previous-ipa-4-9/test_installation_TestInstallWithoutSudo:
|
|
||||||
+ requires: [fedora-previous-ipa-4-9/build]
|
|
||||||
+ priority: 50
|
|
||||||
+ job:
|
|
||||||
+ class: RunPytest
|
|
||||||
+ args:
|
|
||||||
+ build_url: '{fedora-previous-ipa-4-9/build_url}'
|
|
||||||
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
|
|
||||||
+ template: *ci-ipa-4-9-previous
|
|
||||||
+ timeout: 4800
|
|
||||||
+ topology: *master_1repl_1client
|
|
||||||
+
|
|
||||||
fedora-previous-ipa-4-9/test_idviews:
|
|
||||||
requires: [fedora-previous-ipa-4-9/build]
|
|
||||||
priority: 50
|
|
||||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
|
||||||
index eb6f7d78e..6e8af024c 100644
|
|
||||||
--- a/ipatests/test_integration/test_installation.py
|
|
||||||
+++ b/ipatests/test_integration/test_installation.py
|
|
||||||
@@ -1537,3 +1537,69 @@ class TestInstallReplicaAgainstSpecificServer(IntegrationTest):
|
|
||||||
self.replicas[0].hostname],
|
|
||||||
stdin_text=dirman_password)
|
|
||||||
assert self.replicas[0].hostname not in cmd.stdout_text
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+class TestInstallWithoutSudo(IntegrationTest):
|
|
||||||
+
|
|
||||||
+ num_clients = 1
|
|
||||||
+ num_replicas = 1
|
|
||||||
+ no_sudo_str = "The sudo binary does not seem to be present on this"
|
|
||||||
+
|
|
||||||
+ @classmethod
|
|
||||||
+ def install(cls, mh):
|
|
||||||
+ pass
|
|
||||||
+
|
|
||||||
+ def test_sudo_removal(self):
|
|
||||||
+ # ipa-client makes sudo depend on libsss_sudo.
|
|
||||||
+
|
|
||||||
+ # --nodeps is mandatory because dogtag uses sudo at install
|
|
||||||
+ # time until commit 49585867207922479644a03078c29548de02cd03
|
|
||||||
+ # which is scheduled to land in 10.10.
|
|
||||||
+
|
|
||||||
+ # This also means sudo+libsss_sudo cannot be uninstalled on
|
|
||||||
+ # IPA servers with a CA.
|
|
||||||
+ assert tasks.is_package_installed(self.clients[0], 'sudo')
|
|
||||||
+ assert tasks.is_package_installed(self.clients[0], 'libsss_sudo')
|
|
||||||
+ tasks.uninstall_packages(
|
|
||||||
+ self.clients[0], ['sudo', 'libsss_sudo'], nodeps=True
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
+ def test_ipa_installation_without_sudo(self):
|
|
||||||
+ # FixMe: When Dogtag 10.10 is out, test installation without sudo
|
|
||||||
+ tasks.install_master(self.master, setup_dns=True)
|
|
||||||
+
|
|
||||||
+ def test_replica_installation_without_sudo(self):
|
|
||||||
+ # FixMe: When Dogtag 10.10 is out, test replica installation
|
|
||||||
+ # without sudo and with CA
|
|
||||||
+ tasks.uninstall_packages(
|
|
||||||
+ self.replicas[0], ['sudo', 'libsss_sudo'], nodeps=True
|
|
||||||
+ )
|
|
||||||
+ # One-step install is needed.
|
|
||||||
+ # With promote=True, two-step install is done and that only captures
|
|
||||||
+ # the ipa-replica-install stdout/stderr, not ipa-client-install's.
|
|
||||||
+ result = tasks.install_replica(
|
|
||||||
+ self.master, self.replicas[0], promote=False,
|
|
||||||
+ setup_dns=True, setup_ca=False
|
|
||||||
+ )
|
|
||||||
+ assert self.no_sudo_str in result.stderr_text
|
|
||||||
+
|
|
||||||
+ def test_client_installation_without_sudo(self):
|
|
||||||
+ result = tasks.install_client(self.master, self.clients[0])
|
|
||||||
+ assert self.no_sudo_str in result.stderr_text
|
|
||||||
+
|
|
||||||
+ def test_remove_sudo_on_ipa(self):
|
|
||||||
+ tasks.uninstall_packages(
|
|
||||||
+ self.master, ['sudo', 'libsss_sudo'], nodeps=True
|
|
||||||
+ )
|
|
||||||
+ self.master.run_command(
|
|
||||||
+ ['ipactl', 'restart']
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
+ def test_install_sudo_on_client(self):
|
|
||||||
+ """ Check that installing sudo pulls libsss_sudo in"""
|
|
||||||
+ for pkg in ('sudo', 'libsss_sudo'):
|
|
||||||
+ assert tasks.is_package_installed(self.clients[0], pkg) is False
|
|
||||||
+ tasks.uninstall_client(self.clients[0])
|
|
||||||
+ tasks.install_packages(self.clients[0], ['sudo'])
|
|
||||||
+ for pkg in ('sudo', 'libsss_sudo'):
|
|
||||||
+ assert tasks.is_package_installed(self.clients[0], pkg)
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
From 0c2741af9f353d2fbb21a5768e6433c0e99da0e9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Thu, 10 Dec 2020 08:35:12 +0200
|
|
||||||
Subject: [PATCH] ipatests: tasks: handle uninstalling packages with nodeps
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Handle package removal without taking dependencies into account.
|
|
||||||
E.g. add frontends for rpm -e --nodeps.
|
|
||||||
|
|
||||||
Related: ipatests/pytest_ipa/integration/tasks.py
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
|
||||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
|
||||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/pytest_ipa/integration/tasks.py | 51 +++++++++++++++++++-----
|
|
||||||
1 file changed, 41 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
|
|
||||||
index b91859816..2fe78367f 100755
|
|
||||||
--- a/ipatests/pytest_ipa/integration/tasks.py
|
|
||||||
+++ b/ipatests/pytest_ipa/integration/tasks.py
|
|
||||||
@@ -29,6 +29,7 @@ import re
|
|
||||||
import collections
|
|
||||||
import itertools
|
|
||||||
import shutil
|
|
||||||
+import shlex
|
|
||||||
import copy
|
|
||||||
import subprocess
|
|
||||||
import tempfile
|
|
||||||
@@ -2381,20 +2382,33 @@ def download_packages(host, pkgs):
|
|
||||||
return tmpdir
|
|
||||||
|
|
||||||
|
|
||||||
-def uninstall_packages(host, pkgs):
|
|
||||||
+def uninstall_packages(host, pkgs, nodeps=False):
|
|
||||||
"""Uninstall packages on a remote host.
|
|
||||||
- :param host: the host where the uninstallation takes place
|
|
||||||
- :param pkgs: packages to uninstall, provided as a list of strings
|
|
||||||
+ :param host: the host where the uninstallation takes place.
|
|
||||||
+ :param pkgs: packages to uninstall, provided as a list of strings.
|
|
||||||
+ :param nodeps: ignore dependencies (dangerous!).
|
|
||||||
"""
|
|
||||||
platform = get_platform(host)
|
|
||||||
- # Only supports RHEL 8+ and Fedora for now
|
|
||||||
- if platform in ('rhel', 'fedora'):
|
|
||||||
- install_cmd = ['/usr/bin/dnf', 'remove', '-y']
|
|
||||||
- elif platform in ('ubuntu'):
|
|
||||||
- install_cmd = ['apt-get', 'remove', '-y']
|
|
||||||
+ if platform not in ('rhel', 'fedora', 'ubuntu'):
|
|
||||||
+ raise ValueError('uninstall_packages: unknown platform %s' % platform)
|
|
||||||
+ if nodeps:
|
|
||||||
+ if platform in ('rhel', 'fedora'):
|
|
||||||
+ cmd = "rpm -e --nodeps"
|
|
||||||
+ elif platform in ('ubuntu'):
|
|
||||||
+ cmd = "dpkg -P --force-depends"
|
|
||||||
+ for package in pkgs:
|
|
||||||
+ uninstall_cmd = shlex.split(cmd)
|
|
||||||
+ uninstall_cmd.append(package)
|
|
||||||
+ # keep raiseonerr=True here. --fcami
|
|
||||||
+ host.run_command(uninstall_cmd)
|
|
||||||
else:
|
|
||||||
- raise ValueError('install_packages: unknown platform %s' % platform)
|
|
||||||
- host.run_command(install_cmd + pkgs, raiseonerr=False)
|
|
||||||
+ if platform in ('rhel', 'fedora'):
|
|
||||||
+ cmd = "/usr/bin/dnf remove -y"
|
|
||||||
+ elif platform in ('ubuntu'):
|
|
||||||
+ cmd = "apt-get remove -y"
|
|
||||||
+ uninstall_cmd = shlex.split(cmd)
|
|
||||||
+ uninstall_cmd.extend(pkgs)
|
|
||||||
+ host.run_command(uninstall_cmd, raiseonerr=False)
|
|
||||||
|
|
||||||
|
|
||||||
def wait_for_request(host, request_id, timeout=120):
|
|
||||||
@@ -2649,3 +2663,20 @@ def run_ssh_cmd(
|
|
||||||
assert "Authentication succeeded" not in stderr
|
|
||||||
assert "No more authentication methods to try." in stderr
|
|
||||||
return (return_code, stdout, stderr)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def is_package_installed(host, pkg):
|
|
||||||
+ platform = get_platform(host)
|
|
||||||
+ if platform in ('rhel', 'fedora'):
|
|
||||||
+ result = host.run_command(
|
|
||||||
+ ['rpm', '-q', pkg], raiseonerr=False
|
|
||||||
+ )
|
|
||||||
+ elif platform in ['ubuntu']:
|
|
||||||
+ result = host.run_command(
|
|
||||||
+ ['dpkg', '-s', pkg], raiseonerr=False
|
|
||||||
+ )
|
|
||||||
+ else:
|
|
||||||
+ raise ValueError(
|
|
||||||
+ 'is_package_installed: unknown platform %s' % platform
|
|
||||||
+ )
|
|
||||||
+ return result.returncode == 0
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
From fe157ca349e3146a53884e90e6e588efb4e97eeb Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Thu, 10 Dec 2020 08:15:22 +0200
|
|
||||||
Subject: [PATCH] ipa-client-install: output a warning if sudo is not present
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8530
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
|
||||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
|
||||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
ipaclient/install/client.py | 14 +++++++++++++-
|
|
||||||
1 file changed, 13 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
|
|
||||||
index 8acfa0cd1..0e478fa26 100644
|
|
||||||
--- a/ipaclient/install/client.py
|
|
||||||
+++ b/ipaclient/install/client.py
|
|
||||||
@@ -24,6 +24,7 @@ import re
|
|
||||||
import SSSDConfig
|
|
||||||
import shutil
|
|
||||||
import socket
|
|
||||||
+import subprocess
|
|
||||||
import sys
|
|
||||||
import tempfile
|
|
||||||
import textwrap
|
|
||||||
@@ -2200,7 +2201,18 @@ def install_check(options):
|
|
||||||
"authentication resources",
|
|
||||||
rval=CLIENT_INSTALL_ERROR)
|
|
||||||
|
|
||||||
- # when installing with '--no-sssd' option, check whether nss-ldap is
|
|
||||||
+ # When installing without the "--no-sudo" option, check whether sudo is
|
|
||||||
+ # available.
|
|
||||||
+ if options.conf_sudo:
|
|
||||||
+ try:
|
|
||||||
+ subprocess.Popen(['sudo -V'])
|
|
||||||
+ except FileNotFoundError:
|
|
||||||
+ logger.info(
|
|
||||||
+ "The sudo binary does not seem to be present on this "
|
|
||||||
+ "system. Please consider installing sudo if required."
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
+ # when installing with the '--no-sssd' option, check whether nss-ldap is
|
|
||||||
# installed
|
|
||||||
if not options.sssd:
|
|
||||||
if not os.path.exists(paths.PAM_KRB5_SO):
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
From ee0ba2df41cf545b82d3d26e7e7e42447bb0f63e Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Thu, 10 Dec 2020 07:55:16 +0200
|
|
||||||
Subject: [PATCH] freeipa.spec: client: depend on libsss_sudo and sudo
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
On 10.10+ releases of Dogtag, the PKI installer will not depend
|
|
||||||
on sudo anymore. This opens the possibility of creating IPA servers
|
|
||||||
without a properly configured sudo.
|
|
||||||
In fact, even IPA clients should have sudo and libsss_sudo installed
|
|
||||||
in most cases, so add a weak dependency on both of them to the client
|
|
||||||
subpackage.
|
|
||||||
Also make sure libsss_sudo is installed if sudo is present.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8530
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
|
||||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
|
||||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
freeipa.spec.in | 5 +++++
|
|
||||||
1 file changed, 5 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
|
||||||
index ba52a3834..93e473ac4 100755
|
|
||||||
--- a/freeipa.spec.in
|
|
||||||
+++ b/freeipa.spec.in
|
|
||||||
@@ -640,6 +640,11 @@ Requires: nfs-utils
|
|
||||||
Requires: sssd-tools >= %{sssd_version}
|
|
||||||
Requires(post): policycoreutils
|
|
||||||
|
|
||||||
+# https://pagure.io/freeipa/issue/8530
|
|
||||||
+Recommends: libsss_sudo
|
|
||||||
+Recommends: sudo
|
|
||||||
+Requires: (libsss_sudo if sudo)
|
|
||||||
+
|
|
||||||
Provides: %{alt_name}-client = %{version}
|
|
||||||
Conflicts: %{alt_name}-client
|
|
||||||
Obsoletes: %{alt_name}-client < %{version}
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -0,0 +1,136 @@
|
|||||||
|
From e713c227bb420a841ce3ae146bca55a84a1b0dbf Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||||
|
Date: Tue, 22 Jun 2021 14:36:51 +0200
|
||||||
|
Subject: [PATCH] paths: add IPA_SERVER_CONF
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Related: https://pagure.io/freeipa/issue/8891
|
||||||
|
Signed-off-by: François Cami <fcami@redhat.com>
|
||||||
|
Reviewed-By: Stanislav Levin <slev@altlinux.org>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
ipaplatform/base/paths.py | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
|
||||||
|
index 91423b332..de217d9ef 100644
|
||||||
|
--- a/ipaplatform/base/paths.py
|
||||||
|
+++ b/ipaplatform/base/paths.py
|
||||||
|
@@ -71,6 +71,7 @@ class BasePathNamespace:
|
||||||
|
IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
|
||||||
|
IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
|
||||||
|
IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
|
||||||
|
+ IPA_SERVER_CONF = "/etc/ipa/server.conf"
|
||||||
|
DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf"
|
||||||
|
DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
|
||||||
|
DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
||||||
|
From ee4be290e1583834a573c3896ee1d97b3fbb6c24 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||||
|
Date: Tue, 22 Jun 2021 14:45:49 +0200
|
||||||
|
Subject: [PATCH] ipatests: smoke test for server debug mode.
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Add a smoke test to make sure the server can be set in debug mode
|
||||||
|
without issue.
|
||||||
|
|
||||||
|
Related: https://pagure.io/freeipa/issue/8891
|
||||||
|
Signed-off-by: François Cami <fcami@redhat.com>
|
||||||
|
Reviewed-By: Stanislav Levin <slev@altlinux.org>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
.../test_integration/test_installation.py | 27 +++++++++++++++++++
|
||||||
|
1 file changed, 27 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||||
|
index 301767b8d..0c96536f0 100644
|
||||||
|
--- a/ipatests/test_integration/test_installation.py
|
||||||
|
+++ b/ipatests/test_integration/test_installation.py
|
||||||
|
@@ -703,6 +703,33 @@ class TestInstallMaster(IntegrationTest):
|
||||||
|
def test_install_master(self):
|
||||||
|
tasks.install_master(self.master, setup_dns=False)
|
||||||
|
|
||||||
|
+ @pytest.mark.skip_if_platform(
|
||||||
|
+ "debian", reason="This test hardcodes the httpd service name"
|
||||||
|
+ )
|
||||||
|
+ def test_smoke_test_for_debug_mode(self):
|
||||||
|
+ """Test if an IPA server works in debug mode.
|
||||||
|
+ Related: https://pagure.io/freeipa/issue/8891
|
||||||
|
+
|
||||||
|
+ Note: this test hardcodes the "httpd" service name.
|
||||||
|
+ """
|
||||||
|
+
|
||||||
|
+ target_fname = paths.IPA_SERVER_CONF
|
||||||
|
+ assert not self.master.transport.file_exists(target_fname)
|
||||||
|
+
|
||||||
|
+ # set the IPA server in debug mode
|
||||||
|
+ server_conf = "[global]\ndebug=True"
|
||||||
|
+ self.master.put_file_contents(target_fname, server_conf)
|
||||||
|
+ self.master.run_command(["systemctl", "restart", "httpd"])
|
||||||
|
+
|
||||||
|
+ # smoke test in debug mode
|
||||||
|
+ tasks.kdestroy_all(self.master)
|
||||||
|
+ tasks.kinit_admin(self.master)
|
||||||
|
+ self.master.run_command(["ipa", "user-show", "admin"])
|
||||||
|
+
|
||||||
|
+ # rollback
|
||||||
|
+ self.master.run_command(["rm", target_fname])
|
||||||
|
+ self.master.run_command(["systemctl", "restart", "httpd"])
|
||||||
|
+
|
||||||
|
def test_schema_compat_attribute_and_tree_disable(self):
|
||||||
|
"""Test if schema-compat-entry-attribute is set
|
||||||
|
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
||||||
|
From 1539c7383116647ad9c5b125b343f972e9c9653b Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||||
|
Date: Wed, 23 Jun 2021 06:35:19 +0200
|
||||||
|
Subject: [PATCH] rpcserver.py: perf_counter_ns is Python 3.7+
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
perf_counter_ns is only available in Python 3.7 and later.
|
||||||
|
Define a lambda for 3.6 and lower.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/8891
|
||||||
|
Signed-off-by: François Cami <fcami@redhat.com>
|
||||||
|
Reviewed-By: Stanislav Levin <slev@altlinux.org>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
ipaserver/rpcserver.py | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
|
||||||
|
index b121316bf..e612528e0 100644
|
||||||
|
--- a/ipaserver/rpcserver.py
|
||||||
|
+++ b/ipaserver/rpcserver.py
|
||||||
|
@@ -31,6 +31,7 @@ import os
|
||||||
|
import time
|
||||||
|
import traceback
|
||||||
|
from io import BytesIO
|
||||||
|
+from sys import version_info
|
||||||
|
from urllib.parse import parse_qs
|
||||||
|
from xmlrpc.client import Fault
|
||||||
|
|
||||||
|
@@ -72,6 +73,10 @@ from requests.auth import AuthBase
|
||||||
|
if six.PY3:
|
||||||
|
unicode = str
|
||||||
|
|
||||||
|
+# time.perf_counter_ns appeared in Python 3.7.
|
||||||
|
+if version_info < (3, 7):
|
||||||
|
+ time.perf_counter_ns = lambda: int(time.perf_counter() * 10**9)
|
||||||
|
+
|
||||||
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
HTTP_STATUS_SUCCESS = '200 Success'
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
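Review bot: In test_smoke_test_for_debug_mode the rollback (the `rm` of server.conf and the second httpd restart) runs only on the success path, so a failure in `tasks.kinit_admin` or `ipa user-show admin` leaves the server running in debug mode for every later test in TestInstallMaster and makes the leading `assert not self.master.transport.file_exists(target_fname)` fail on a rerun. The debug-mode work should sit inside a try/finally so the cleanup always runs, as sketched below. Secondarily, the rpcserver.py shim assigns `time.perf_counter_ns` on the shared stdlib module, which every other importer of `time` then sees; a module-private `_perf_counter_ns = getattr(time, "perf_counter_ns", lambda: int(time.perf_counter() * 10**9))` keeps the compatibility fallback local to rpcserver. The enclosing TestInstallMaster class starts outside the hunk.
```python
    def test_smoke_test_for_debug_mode(self):
        # … unchanged: docstring, target_fname, pre-condition assert …
        server_conf = "[global]\ndebug=True"
        self.master.put_file_contents(target_fname, server_conf)
        try:
            self.master.run_command(["systemctl", "restart", "httpd"])
            # smoke test in debug mode
            tasks.kdestroy_all(self.master)
            tasks.kinit_admin(self.master)
            self.master.run_command(["ipa", "user-show", "admin"])
        finally:
            # rollback even if the smoke test fails, so later tests
            # do not run against a server left in debug mode
            self.master.run_command(["rm", target_fname])
            self.master.run_command(["systemctl", "restart", "httpd"])
```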
@ -0,0 +1,272 @@
|
|||||||
|
From a5d2857297cfcf87ed8973df96e89ebcef22850d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Antonio Torres <antorres@redhat.com>
|
||||||
|
Date: Mon, 8 Mar 2021 18:15:50 +0100
|
||||||
|
Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA
|
||||||
|
services
|
||||||
|
|
||||||
|
Authentication indicators should not be enforced against internal
|
||||||
|
IPA services, since not all users of those services are able to produce
|
||||||
|
Kerberos tickets with all the auth indicator options. This includes
|
||||||
|
host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
|
||||||
|
If a client that is being promoted to replica has an auth indicator
|
||||||
|
in its host principal then the promotion is aborted.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/8206
|
||||||
|
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||||
|
---
|
||||||
|
ipaserver/install/server/replicainstall.py | 13 ++++++++++++
|
||||||
|
ipaserver/plugins/host.py | 5 ++++-
|
||||||
|
ipaserver/plugins/service.py | 24 ++++++++++++++++++++++
|
||||||
|
3 files changed, 41 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
|
||||||
|
index 73967a224..f1fb91036 100644
|
||||||
|
--- a/ipaserver/install/server/replicainstall.py
|
||||||
|
+++ b/ipaserver/install/server/replicainstall.py
|
||||||
|
@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn):
|
||||||
|
))
|
||||||
|
|
||||||
|
|
||||||
|
+def promotion_check_host_principal_auth_ind(conn, hostdn):
|
||||||
|
+ entry = conn.get_entry(hostdn, ['krbprincipalauthind'])
|
||||||
|
+ if 'krbprincipalauthind' in entry:
|
||||||
|
+ raise RuntimeError(
|
||||||
|
+ "Client cannot be promoted to a replica if the host principal "
|
||||||
|
+ "has an authentication indicator set."
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+
|
||||||
|
@common_cleanup
|
||||||
|
@preserve_enrollment_state
|
||||||
|
def promote_check(installer):
|
||||||
|
@@ -956,6 +965,10 @@ def promote_check(installer):
|
||||||
|
config.master_host_name, None)
|
||||||
|
|
||||||
|
promotion_check_ipa_domain(conn, remote_api.env.basedn)
|
||||||
|
+ hostdn = DN(('fqdn', api.env.host),
|
||||||
|
+ api.env.container_host,
|
||||||
|
+ api.env.basedn)
|
||||||
|
+ promotion_check_host_principal_auth_ind(conn, hostdn)
|
||||||
|
|
||||||
|
# Make sure that domain fulfills minimal domain level
|
||||||
|
# requirement
|
||||||
|
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
|
||||||
|
index eb1f8ef04..41fa933e2 100644
|
||||||
|
--- a/ipaserver/plugins/host.py
|
||||||
|
+++ b/ipaserver/plugins/host.py
|
||||||
|
@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
|
||||||
|
LDAPAddAttributeViaOption,
|
||||||
|
LDAPRemoveAttributeViaOption)
|
||||||
|
from .service import (
|
||||||
|
- validate_realm, normalize_principal,
|
||||||
|
+ validate_realm, validate_auth_indicator, normalize_principal,
|
||||||
|
set_certificate_attrs, ticket_flags_params, update_krbticketflags,
|
||||||
|
set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
|
||||||
|
rename_ipaallowedtoperform_to_ldap, revoke_certs)
|
||||||
|
@@ -735,6 +735,8 @@ class host_add(LDAPCreate):
|
||||||
|
update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
|
||||||
|
if 'krbticketflags' in entry_attrs:
|
||||||
|
entry_attrs['objectclass'].append('krbticketpolicyaux')
|
||||||
|
+ validate_auth_indicator(entry_attrs)
|
||||||
|
+
|
||||||
|
return dn
|
||||||
|
|
||||||
|
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
||||||
|
@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate):
|
||||||
|
if 'krbprincipalaux' not in (item.lower() for item in
|
||||||
|
entry_attrs['objectclass']):
|
||||||
|
entry_attrs['objectclass'].append('krbprincipalaux')
|
||||||
|
+ validate_auth_indicator(entry_attrs)
|
||||||
|
|
||||||
|
add_sshpubkey_to_attrs_pre(self.context, attrs_list)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
|
||||||
|
index 1c9347804..cfbbff3c6 100644
|
||||||
|
--- a/ipaserver/plugins/service.py
|
||||||
|
+++ b/ipaserver/plugins/service.py
|
||||||
|
@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal):
|
||||||
|
raise errors.RealmMismatch()
|
||||||
|
|
||||||
|
|
||||||
|
+def validate_auth_indicator(entry):
|
||||||
|
+ new_value = entry.get('krbprincipalauthind', None)
|
||||||
|
+ if not new_value:
|
||||||
|
+ return
|
||||||
|
+ # The following services are considered internal IPA services
|
||||||
|
+ # and shouldn't be allowed to have auth indicators.
|
||||||
|
+ # https://pagure.io/freeipa/issue/8206
|
||||||
|
+ pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
|
||||||
|
+ principal = kerberos.Principal(pkey)
|
||||||
|
+ server = api.Command.server_find(principal.hostname)['result']
|
||||||
|
+ if server:
|
||||||
|
+ prefixes = ("host", "cifs", "ldap", "HTTP")
|
||||||
|
+ else:
|
||||||
|
+ prefixes = ("cifs",)
|
||||||
|
+ if principal.service_name in prefixes:
|
||||||
|
+ raise errors.ValidationError(
|
||||||
|
+ name='krbprincipalauthind',
|
||||||
|
+ error=_('authentication indicators not allowed '
|
||||||
|
+ 'in service "%s"' % principal.service_name)
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+
|
||||||
|
def normalize_principal(value):
|
||||||
|
"""
|
||||||
|
Ensure that the name in the principal is lower-case. The realm is
|
||||||
|
@@ -652,6 +674,7 @@ class service_add(LDAPCreate):
|
||||||
|
hostname)
|
||||||
|
|
||||||
|
self.obj.validate_ipakrbauthzdata(entry_attrs)
|
||||||
|
+ validate_auth_indicator(entry_attrs)
|
||||||
|
|
||||||
|
if not options.get('force', False):
|
||||||
|
# We know the host exists if we've gotten this far but we
|
||||||
|
@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate):
|
||||||
|
assert isinstance(dn, DN)
|
||||||
|
|
||||||
|
self.obj.validate_ipakrbauthzdata(entry_attrs)
|
||||||
|
+ validate_auth_indicator(entry_attrs)
|
||||||
|
|
||||||
|
# verify certificates
|
||||||
|
certs = entry_attrs.get('usercertificate') or []
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
||||||
|
From 28484c3dee225662e41acc691bfe6b1c1cee99c8 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Antonio Torres <antorres@redhat.com>
|
||||||
|
Date: Mon, 8 Mar 2021 18:20:35 +0100
|
||||||
|
Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal
|
||||||
|
IPA services
|
||||||
|
|
||||||
|
Authentication indicators should not be added to internal IPA services,
|
||||||
|
since this can lead to a broken IPA setup. In case a client with
|
||||||
|
an auth indicator set in its host principal, promoting it to a replica
|
||||||
|
should fail.
|
||||||
|
|
||||||
|
Related: https://pagure.io/freeipa/issue/8206
|
||||||
|
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||||
|
---
|
||||||
|
.../test_replica_promotion.py | 38 +++++++++++++++++++
|
||||||
|
ipatests/test_xmlrpc/test_host_plugin.py | 10 +++++
|
||||||
|
ipatests/test_xmlrpc/test_service_plugin.py | 21 ++++++++++
|
||||||
|
3 files changed, 69 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
|
||||||
|
index 0a137dbdc..b9c56f775 100644
|
||||||
|
--- a/ipatests/test_integration/test_replica_promotion.py
|
||||||
|
+++ b/ipatests/test_integration/test_replica_promotion.py
|
||||||
|
@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
|
||||||
|
assert result.returncode == 1
|
||||||
|
assert expected_err in result.stderr_text
|
||||||
|
|
||||||
|
+ @replicas_cleanup
|
||||||
|
+ def test_install_with_host_auth_ind_set(self):
|
||||||
|
+ """ A client shouldn't be able to be promoted if it has
|
||||||
|
+ any auth indicator set in the host principal.
|
||||||
|
+ https://pagure.io/freeipa/issue/8206
|
||||||
|
+ """
|
||||||
|
+
|
||||||
|
+ client = self.replicas[0]
|
||||||
|
+ # Configure firewall first
|
||||||
|
+ Firewall(client).enable_services(["freeipa-ldap",
|
||||||
|
+ "freeipa-ldaps"])
|
||||||
|
+
|
||||||
|
+ client.run_command(['ipa-client-install', '-U',
|
||||||
|
+ '--domain', self.master.domain.name,
|
||||||
|
+ '--realm', self.master.domain.realm,
|
||||||
|
+ '-p', 'admin',
|
||||||
|
+ '-w', self.master.config.admin_password,
|
||||||
|
+ '--server', self.master.hostname,
|
||||||
|
+ '--force-join'])
|
||||||
|
+
|
||||||
|
+ tasks.kinit_admin(client)
|
||||||
|
+
|
||||||
|
+ client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
|
||||||
|
+ client.hostname])
|
||||||
|
+
|
||||||
|
+ res = client.run_command(['ipa-replica-install', '-U', '-w',
|
||||||
|
+ self.master.config.dirman_password],
|
||||||
|
+ raiseonerr=False)
|
||||||
|
+
|
||||||
|
+ client.run_command(['ipa', 'host-mod', '--auth-ind=',
|
||||||
|
+ client.hostname])
|
||||||
|
+
|
||||||
|
+ expected_err = ("Client cannot be promoted to a replica if the host "
|
||||||
|
+ "principal has an authentication indicator set.")
|
||||||
|
+ assert res.returncode == 1
|
||||||
|
+ assert expected_err in res.stderr_text
|
||||||
|
+
|
||||||
|
+
|
||||||
|
@replicas_cleanup
|
||||||
|
def test_one_command_installation(self):
|
||||||
|
"""
|
||||||
|
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
|
||||||
|
index c66bbc865..9cfde3565 100644
|
||||||
|
--- a/ipatests/test_xmlrpc/test_host_plugin.py
|
||||||
|
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
|
||||||
|
@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
|
||||||
|
error=u'An IPA master host cannot be deleted or disabled')):
|
||||||
|
command()
|
||||||
|
|
||||||
|
+ def test_try_add_auth_ind_master(self, this_host):
|
||||||
|
+ command = this_host.make_update_command({
|
||||||
|
+ u'krbprincipalauthind': u'radius'})
|
||||||
|
+ with raises_exact(errors.ValidationError(
|
||||||
|
+ name='krbprincipalauthind',
|
||||||
|
+ error=u'authentication indicators not allowed '
|
||||||
|
+ 'in service "host"'
|
||||||
|
+ )):
|
||||||
|
+ command()
|
||||||
|
+
|
||||||
|
|
||||||
|
@pytest.mark.tier1
|
||||||
|
class TestValidation(XMLRPC_test):
|
||||||
|
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
|
||||||
|
index 4c845938c..ed634a045 100644
|
||||||
|
--- a/ipatests/test_xmlrpc/test_service_plugin.py
|
||||||
|
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
|
||||||
|
@@ -25,6 +25,7 @@ from ipalib import api, errors
|
||||||
|
from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
|
||||||
|
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
|
||||||
|
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
|
||||||
|
+from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
|
||||||
|
from ipatests.test_xmlrpc import objectclasses
|
||||||
|
from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
|
||||||
|
from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
|
||||||
|
@@ -1552,6 +1553,15 @@ def indicators_host(request):
|
||||||
|
return tracker.make_fixture(request)
|
||||||
|
|
||||||
|
|
||||||
|
+@pytest.fixture(scope='function')
|
||||||
|
+def this_host(request):
|
||||||
|
+ """Fixture for the current master"""
|
||||||
|
+ tracker = HostTracker(name=api.env.host.partition('.')[0],
|
||||||
|
+ fqdn=api.env.host)
|
||||||
|
+ tracker.exists = True
|
||||||
|
+ return tracker
|
||||||
|
+
|
||||||
|
+
|
||||||
|
@pytest.fixture(scope='function')
|
||||||
|
def indicators_service(request):
|
||||||
|
tracker = ServiceTracker(
|
||||||
|
@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
|
||||||
|
expected_updates={u'krbprincipalauthind': [u'radius']}
|
||||||
|
)
|
||||||
|
|
||||||
|
+ def test_update_indicator_internal_service(self, this_host):
|
||||||
|
+ command = this_host.make_command('service_mod',
|
||||||
|
+ 'ldap/' + this_host.fqdn,
|
||||||
|
+ **dict(krbprincipalauthind='otp'))
|
||||||
|
+ with raises_exact(errors.ValidationError(
|
||||||
|
+ name='krbprincipalauthind',
|
||||||
|
+ error=u'authentication indicators not allowed '
|
||||||
|
+ 'in service "ldap"'
|
||||||
|
+ )):
|
||||||
|
+ command()
|
||||||
|
+
|
||||||
|
|
||||||
|
@pytest.fixture(scope='function')
|
||||||
|
def managing_host(request):
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -1,60 +0,0 @@
|
|||||||
From 6b25cd3241a5609b4d903d5697b8947fab403c90 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
|
|
||||||
Date: Wed, 17 Feb 2021 19:43:00 +0530
|
|
||||||
Subject: [PATCH] ipatests: error message check in uninstall log for KRA
|
|
||||||
|
|
||||||
This test checks that there is no error message in uninstall
|
|
||||||
log for KRA instance when IPA was installed with KRA.
|
|
||||||
|
|
||||||
related: https://pagure.io/freeipa/issue/8550
|
|
||||||
|
|
||||||
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
.../test_backup_and_restore.py | 22 ++++++++++++++++---
|
|
||||||
1 file changed, 19 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
|
|
||||||
index f13dfb5cb..6890ef201 100644
|
|
||||||
--- a/ipatests/test_integration/test_backup_and_restore.py
|
|
||||||
+++ b/ipatests/test_integration/test_backup_and_restore.py
|
|
||||||
@@ -451,9 +451,11 @@ class BaseBackupAndRestoreWithKRA(IntegrationTest):
|
|
||||||
|
|
||||||
backup_path = tasks.get_backup_dir(self.master)
|
|
||||||
|
|
||||||
- self.master.run_command(['ipa-server-install',
|
|
||||||
- '--uninstall',
|
|
||||||
- '-U'])
|
|
||||||
+ # check that no error message in uninstall log for KRA instance
|
|
||||||
+ cmd = self.master.run_command(['ipa-server-install',
|
|
||||||
+ '--uninstall',
|
|
||||||
+ '-U'])
|
|
||||||
+ assert "failed to uninstall KRA" not in cmd.stderr_text
|
|
||||||
|
|
||||||
if reinstall:
|
|
||||||
tasks.install_master(self.master, setup_dns=True)
|
|
||||||
@@ -482,6 +484,20 @@ class TestBackupReinstallRestoreWithKRA(BaseBackupAndRestoreWithKRA):
|
|
||||||
"""backup, uninstall, reinstall, restore"""
|
|
||||||
self._full_backup_restore_with_vault(reinstall=True)
|
|
||||||
|
|
||||||
+ def test_no_error_message_with_uninstall_ipa_with_kra(self):
|
|
||||||
+ """Test there is no error message in uninstall log for KRA instance
|
|
||||||
+
|
|
||||||
+ There was error message in uninstall log when IPA with KRA was
|
|
||||||
+ uninstalled. This test check that there is no error message in
|
|
||||||
+ uninstall log for kra instance.
|
|
||||||
+
|
|
||||||
+ related: https://pagure.io/freeipa/issue/8550
|
|
||||||
+ """
|
|
||||||
+ cmd = self.master.run_command(['ipa-server-install',
|
|
||||||
+ '--uninstall',
|
|
||||||
+ '-U'])
|
|
||||||
+ assert "failed to uninstall KRA" not in cmd.stderr_text
|
|
||||||
+
|
|
||||||
|
|
||||||
class TestBackupAndRestoreWithReplica(IntegrationTest):
|
|
||||||
"""Regression tests for issues 7234 and 7455
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -1,119 +0,0 @@
|
|||||||
From 6d7b2d7d1b4711255ea72d62d27b5c5f4ec7c6e1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sergey Orlov <sorlov@redhat.com>
|
|
||||||
Date: Tue, 16 Feb 2021 12:32:55 +0100
|
|
||||||
Subject: [PATCH] ipatests: skip tests for AD trust with shared secret in FIPS
|
|
||||||
mode
|
|
||||||
|
|
||||||
Related to https://pagure.io/freeipa/issue/8715
|
|
||||||
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_trust.py | 22 ++++++++++++++++++++++
|
|
||||||
1 file changed, 22 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
|
||||||
index 3e522617d..c8a348212 100644
|
|
||||||
--- a/ipatests/test_integration/test_trust.py
|
|
||||||
+++ b/ipatests/test_integration/test_trust.py
|
|
||||||
@@ -5,6 +5,7 @@ from __future__ import absolute_import
|
|
||||||
import re
|
|
||||||
import textwrap
|
|
||||||
import time
|
|
||||||
+import functools
|
|
||||||
|
|
||||||
import pytest
|
|
||||||
|
|
||||||
@@ -13,6 +14,7 @@ from ipaplatform.paths import paths
|
|
||||||
|
|
||||||
from ipatests.test_integration.base import IntegrationTest
|
|
||||||
from ipatests.pytest_ipa.integration import tasks
|
|
||||||
+from ipatests.pytest_ipa.integration import fips
|
|
||||||
from ipapython.dn import DN
|
|
||||||
from collections import namedtuple
|
|
||||||
from contextlib import contextmanager
|
|
||||||
@@ -20,6 +22,18 @@ from contextlib import contextmanager
|
|
||||||
TestDataRule = namedtuple('TestDataRule',
|
|
||||||
['name', 'ruletype', 'user', 'subject'])
|
|
||||||
|
|
||||||
+
|
|
||||||
+def skip_in_fips_mode_due_to_issue_8715(test_method):
|
|
||||||
+ @functools.wraps(test_method)
|
|
||||||
+ def wrapper(instance):
|
|
||||||
+ if fips.is_fips_enabled(instance.master):
|
|
||||||
+ pytest.skip('Skipping in FIPS mode due to '
|
|
||||||
+ 'https://pagure.io/freeipa/issue/8715')
|
|
||||||
+ else:
|
|
||||||
+ test_method(instance)
|
|
||||||
+ return wrapper
|
|
||||||
+
|
|
||||||
+
|
|
||||||
class BaseTestTrust(IntegrationTest):
|
|
||||||
num_clients = 1
|
|
||||||
topology = 'line'
|
|
||||||
@@ -751,6 +765,7 @@ class TestTrust(BaseTestTrust):
|
|
||||||
|
|
||||||
# Test for one-way forest trust with shared secret
|
|
||||||
|
|
||||||
+ @skip_in_fips_mode_due_to_issue_8715
|
|
||||||
def test_establish_forest_trust_with_shared_secret(self):
|
|
||||||
tasks.configure_dns_for_trust(self.master, self.ad)
|
|
||||||
tasks.configure_windows_dns_for_trust(self.ad, self.master)
|
|
||||||
@@ -775,6 +790,7 @@ class TestTrust(BaseTestTrust):
|
|
||||||
tasks.establish_trust_with_ad(
|
|
||||||
self.master, self.ad_domain, shared_secret=self.shared_secret)
|
|
||||||
|
|
||||||
+ @skip_in_fips_mode_due_to_issue_8715
|
|
||||||
def test_trustdomains_found_in_forest_trust_with_shared_secret(self):
|
|
||||||
result = self.master.run_command(
|
|
||||||
['ipa', 'trust-fetch-domains', self.ad.domain.name],
|
|
||||||
@@ -783,6 +799,7 @@ class TestTrust(BaseTestTrust):
|
|
||||||
self.check_trustdomains(
|
|
||||||
self.ad_domain, [self.ad_domain, self.ad_subdomain])
|
|
||||||
|
|
||||||
+ @skip_in_fips_mode_due_to_issue_8715
|
|
||||||
def test_user_gid_uid_resolution_in_forest_trust_with_shared_secret(self):
|
|
||||||
"""Check that user has SID-generated UID"""
|
|
||||||
# Using domain name since it is lowercased realm name for AD domains
|
|
||||||
@@ -801,6 +818,7 @@ class TestTrust(BaseTestTrust):
|
|
||||||
assert re.search(
|
|
||||||
testuser_regex, result.stdout_text), result.stdout_text
|
|
||||||
|
|
||||||
+ @skip_in_fips_mode_due_to_issue_8715
|
|
||||||
def test_remove_forest_trust_with_shared_secret(self):
|
|
||||||
ps_cmd = (
|
|
||||||
'[System.DirectoryServices.ActiveDirectory.Forest]'
|
|
||||||
@@ -823,6 +841,7 @@ class TestTrust(BaseTestTrust):
|
|
||||||
|
|
||||||
# Test for one-way external trust with shared secret
|
|
||||||
|
|
||||||
+ @skip_in_fips_mode_due_to_issue_8715
|
|
||||||
def test_establish_external_trust_with_shared_secret(self):
|
|
||||||
tasks.configure_dns_for_trust(self.master, self.ad)
|
|
||||||
tasks.configure_windows_dns_for_trust(self.ad, self.master)
|
|
||||||
@@ -838,6 +857,7 @@ class TestTrust(BaseTestTrust):
|
|
||||||
self.master, self.ad_domain, shared_secret=self.shared_secret,
|
|
||||||
extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
|
|
||||||
|
|
||||||
+ @skip_in_fips_mode_due_to_issue_8715
|
|
||||||
def test_trustdomains_found_in_external_trust_with_shared_secret(self):
|
|
||||||
result = self.master.run_command(
|
|
||||||
['ipa', 'trust-fetch-domains', self.ad.domain.name],
|
|
||||||
@@ -846,6 +866,7 @@ class TestTrust(BaseTestTrust):
|
|
||||||
self.check_trustdomains(
|
|
||||||
self.ad_domain, [self.ad_domain])
|
|
||||||
|
|
||||||
+ @skip_in_fips_mode_due_to_issue_8715
|
|
||||||
def test_user_uid_resolution_in_external_trust_with_shared_secret(self):
|
|
||||||
"""Check that user has SID-generated UID"""
|
|
||||||
# Using domain name since it is lowercased realm name for AD domains
|
|
||||||
@@ -864,6 +885,7 @@ class TestTrust(BaseTestTrust):
|
|
||||||
assert re.search(
|
|
||||||
testuser_regex, result.stdout_text), result.stdout_text
|
|
||||||
|
|
||||||
+ @skip_in_fips_mode_due_to_issue_8715
|
|
||||||
def test_remove_external_trust_with_shared_secret(self):
|
|
||||||
self.ad.run_command(
|
|
||||||
['netdom.exe', 'trust', self.master.domain.name,
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -0,0 +1,89 @@
|
|||||||
|
From 06468b2f604c56b02231904072cb57412966a701 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Mon, 5 Jul 2021 09:51:41 +0200
|
||||||
|
Subject: [PATCH] stageuser: add ipauserauthtypeclass when required
|
||||||
|
|
||||||
|
The command
|
||||||
|
ipa stageuser-add --user-auth-type=xxx
|
||||||
|
is currently failing because the objectclass ipauserauthtypeclass
|
||||||
|
is missing from the created entry.
|
||||||
|
|
||||||
|
There is code adding the missing objectclass in the
|
||||||
|
pre_common_callback method of user_add, and this code should
|
||||||
|
be common to user_add and stageuser_add. In order to avoid code
|
||||||
|
duplication, it makes more sense to move the existing code to
|
||||||
|
pre_common_callback of baseuser_add, that is called by both
|
||||||
|
classes.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/8909
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
---
|
||||||
|
ipaserver/plugins/baseuser.py | 3 +++
|
||||||
|
ipaserver/plugins/user.py | 4 ----
|
||||||
|
2 files changed, 3 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
|
||||||
|
index ae16a978a..6035228f1 100644
|
||||||
|
--- a/ipaserver/plugins/baseuser.py
|
||||||
|
+++ b/ipaserver/plugins/baseuser.py
|
||||||
|
@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate):
|
||||||
|
if entry_attrs.get('ipatokenradiususername', None):
|
||||||
|
add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
|
||||||
|
entry_attrs, update=False)
|
||||||
|
+ if entry_attrs.get('ipauserauthtype', None):
|
||||||
|
+ add_missing_object_class(ldap, u'ipauserauthtypeclass', dn,
|
||||||
|
+ entry_attrs, update=False)
|
||||||
|
|
||||||
|
def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
||||||
|
assert isinstance(dn, DN)
|
||||||
|
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
|
||||||
|
index 6f7facb53..e4ee572b2 100644
|
||||||
|
--- a/ipaserver/plugins/user.py
|
||||||
|
+++ b/ipaserver/plugins/user.py
|
||||||
|
@@ -617,10 +617,6 @@ class user_add(baseuser_add):
|
||||||
|
'ipauser' not in entry_attrs['objectclass']:
|
||||||
|
entry_attrs['objectclass'].append('ipauser')
|
||||||
|
|
||||||
|
- if 'ipauserauthtype' in entry_attrs and \
|
||||||
|
- 'ipauserauthtypeclass' not in entry_attrs['objectclass']:
|
||||||
|
- entry_attrs['objectclass'].append('ipauserauthtypeclass')
|
||||||
|
-
|
||||||
|
rcl = entry_attrs.get('ipatokenradiusconfiglink', None)
|
||||||
|
if rcl:
|
||||||
|
if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']:
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
||||||
|
From 4a5a0fe7d25209a41a2eadd159f7f4c771e5d7fc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Mon, 5 Jul 2021 10:22:31 +0200
|
||||||
|
Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type
|
||||||
|
|
||||||
|
Related: https://pagure.io/freeipa/issue/8909
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||||
|
index 5586fc607..bc606b093 100644
|
||||||
|
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||||
|
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||||
|
@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test):
|
||||||
|
result = command()
|
||||||
|
assert result['count'] == 1
|
||||||
|
|
||||||
|
+ def test_create_withuserauthtype(self, stageduser):
|
||||||
|
+ stageduser.ensure_missing()
|
||||||
|
+ command = stageduser.make_create_command(
|
||||||
|
+ options={u'ipauserauthtype': u'password'})
|
||||||
|
+ command()
|
||||||
|
+
|
||||||
|
|
||||||
|
@pytest.mark.tier1
|
||||||
|
class TestCreateInvalidAttributes(XMLRPC_test):
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
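Review bot: The new check in baseuser_add keys on the truthiness of `entry_attrs.get('ipauserauthtype', None)`, whereas the code this patch removes from user_add keyed on `'ipauserauthtype' in entry_attrs`, so a value that is present but empty no longer causes `ipauserauthtypeclass` to be added; that is probably intended, since it mirrors the `ipatokenradiususername` check directly above it, but it is a small behaviour change that deserves a comment such as `# empty or absent value: no auxiliary objectclass needed (same rule as the radius check above)`. The enclosing pre_common_callback begins outside the hunk. In test_stageuser_plugin.py the new `test_create_withuserauthtype` only verifies that `command()` does not raise; capturing `result = command()` and asserting that the returned entry carries `ipauserauthtype` (in the usual command result shape, `result['result']`) would actually pin the objectclass fix this patch backports rather than just its absence of an error.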
@ -1,347 +0,0 @@
|
|||||||
From a0626e09b3eaf5d030982e2ff03e95841ad1b4b9 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Wed, 3 Feb 2021 15:52:05 -0500
|
|
||||||
Subject: [PATCH] ipa-cert-fix: Don't hardcode the NSS certificate nickname
|
|
||||||
|
|
||||||
The nickname of the 389-ds certificate was hardcoded as
|
|
||||||
Server-Cert which failed if the user had installed a
|
|
||||||
third-party certificate using ipa-server-certinstall.
|
|
||||||
|
|
||||||
Instead pull the nickname from the DS configuration and
|
|
||||||
retrieve it based on that.
|
|
||||||
|
|
||||||
https://pagure.io/freeipa/issue/8600
|
|
||||||
|
|
||||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/install/ipa_cert_fix.py | 17 +++++++++++------
|
|
||||||
1 file changed, 11 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
|
|
||||||
index 2f2c15613..29af89cd5 100644
|
|
||||||
--- a/ipaserver/install/ipa_cert_fix.py
|
|
||||||
+++ b/ipaserver/install/ipa_cert_fix.py
|
|
||||||
@@ -203,9 +203,12 @@ def expired_ipa_certs(now):
|
|
||||||
certs.append((IPACertType.HTTPS, cert))
|
|
||||||
|
|
||||||
# LDAPS
|
|
||||||
- ds_dbdir = dsinstance.config_dirname(realm_to_serverid(api.env.realm))
|
|
||||||
+ serverid = realm_to_serverid(api.env.realm)
|
|
||||||
+ ds = dsinstance.DsInstance(realm_name=api.env.realm)
|
|
||||||
+ ds_dbdir = dsinstance.config_dirname(serverid)
|
|
||||||
+ ds_nickname = ds.get_server_cert_nickname(serverid)
|
|
||||||
db = NSSDatabase(nssdir=ds_dbdir)
|
|
||||||
- cert = db.get_cert('Server-Cert')
|
|
||||||
+ cert = db.get_cert(ds_nickname)
|
|
||||||
if cert.not_valid_after <= now:
|
|
||||||
certs.append((IPACertType.LDAPS, cert))
|
|
||||||
|
|
||||||
@@ -344,11 +347,13 @@ def install_ipa_certs(subject_base, ca_subject_dn, certs):
|
|
||||||
elif certtype is IPACertType.HTTPS:
|
|
||||||
shutil.copyfile(cert_path, paths.HTTPD_CERT_FILE)
|
|
||||||
elif certtype is IPACertType.LDAPS:
|
|
||||||
- ds_dbdir = dsinstance.config_dirname(
|
|
||||||
- realm_to_serverid(api.env.realm))
|
|
||||||
+ serverid = realm_to_serverid(api.env.realm)
|
|
||||||
+ ds = dsinstance.DsInstance(realm_name=api.env.realm)
|
|
||||||
+ ds_dbdir = dsinstance.config_dirname(serverid)
|
|
||||||
db = NSSDatabase(nssdir=ds_dbdir)
|
|
||||||
- db.delete_cert('Server-Cert')
|
|
||||||
- db.import_pem_cert('Server-Cert', EMPTY_TRUST_FLAGS, cert_path)
|
|
||||||
+ ds_nickname = ds.get_server_cert_nickname(serverid)
|
|
||||||
+ db.delete_cert(ds_nickname)
|
|
||||||
+ db.import_pem_cert(ds_nickname, EMPTY_TRUST_FLAGS, cert_path)
|
|
||||||
elif certtype is IPACertType.KDC:
|
|
||||||
shutil.copyfile(cert_path, paths.KDC_CERT)
|
|
||||||
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
From 660507fda2394b17d709c47a05ce5df548a47990 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Thu, 4 Feb 2021 08:25:48 -0500
|
|
||||||
Subject: [PATCH] ipatests: test third-party 389-ds cert with ipa-cert-fix
|
|
||||||
|
|
||||||
ipa-cert-fix was hardcoded to use Server-Cert as the nickname
|
|
||||||
so would fail if a third-party certificate was installed for DS.
|
|
||||||
|
|
||||||
https://pagure.io/freeipa/issue/8600
|
|
||||||
|
|
||||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
---
|
|
||||||
.../test_integration/test_ipa_cert_fix.py | 57 +++++++++++++++++++
|
|
||||||
1 file changed, 57 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
|
||||||
index 2f7de5526..f9e5fe6e2 100644
|
|
||||||
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
|
||||||
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
|
||||||
@@ -11,6 +11,17 @@ import time
|
|
||||||
from ipaplatform.paths import paths
|
|
||||||
from ipatests.pytest_ipa.integration import tasks
|
|
||||||
from ipatests.test_integration.base import IntegrationTest
|
|
||||||
+from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def server_install_teardown(func):
|
|
||||||
+ def wrapped(*args):
|
|
||||||
+ master = args[0].master
|
|
||||||
+ try:
|
|
||||||
+ func(*args)
|
|
||||||
+ finally:
|
|
||||||
+ ipa_certs_cleanup(master)
|
|
||||||
+ return wrapped
|
|
||||||
|
|
||||||
|
|
||||||
class TestIpaCertFix(IntegrationTest):
|
|
||||||
@@ -94,3 +105,49 @@ class TestIpaCertFix(IntegrationTest):
|
|
||||||
else:
|
|
||||||
# timeout
|
|
||||||
raise AssertionError('Timeout: Failed to renew all the certs')
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+class TestIpaCertFixThirdParty(CALessBase):
|
|
||||||
+ """
|
|
||||||
+ Test that ipa-cert-fix works with an installation with custom certs.
|
|
||||||
+ """
|
|
||||||
+
|
|
||||||
+ @classmethod
|
|
||||||
+ def install(cls, mh):
|
|
||||||
+ cls.nickname = 'ca1/server'
|
|
||||||
+
|
|
||||||
+ super(TestIpaCertFixThirdParty, cls).install(mh)
|
|
||||||
+ tasks.install_master(cls.master, setup_dns=True)
|
|
||||||
+
|
|
||||||
+ @server_install_teardown
|
|
||||||
+ def test_third_party_certs(self):
|
|
||||||
+ self.create_pkcs12(self.nickname,
|
|
||||||
+ password=self.cert_password,
|
|
||||||
+ filename='server.p12')
|
|
||||||
+ self.prepare_cacert('ca1')
|
|
||||||
+
|
|
||||||
+ # We have a chain length of one. If this is extended then the
|
|
||||||
+ # additional cert names will need to be calculated.
|
|
||||||
+ nick_chain = self.nickname.split('/')
|
|
||||||
+ ca_cert = '%s.crt' % nick_chain[0]
|
|
||||||
+
|
|
||||||
+ # Add the CA to the IPA store
|
|
||||||
+ self.copy_cert(self.master, ca_cert)
|
|
||||||
+ self.master.run_command(['ipa-cacert-manage', 'install', ca_cert])
|
|
||||||
+
|
|
||||||
+ # Apply the new cert chain otherwise ipa-server-certinstall will fail
|
|
||||||
+ self.master.run_command(['ipa-certupdate'])
|
|
||||||
+
|
|
||||||
+ # Install the updated certs and restart the world
|
|
||||||
+ self.copy_cert(self.master, 'server.p12')
|
|
||||||
+ args = ['ipa-server-certinstall',
|
|
||||||
+ '-p', self.master.config.dirman_password,
|
|
||||||
+ '--pin', self.master.config.admin_password,
|
|
||||||
+ '-d', 'server.p12']
|
|
||||||
+ self.master.run_command(args)
|
|
||||||
+ self.master.run_command(['ipactl', 'restart',])
|
|
||||||
+
|
|
||||||
+ # Run ipa-cert-fix. This is basically a no-op but tests that
|
|
||||||
+ # the DS nickname is used and not a hardcoded value.
|
|
||||||
+ result = self.master.run_command(['ipa-cert-fix', '-v'],)
|
|
||||||
+ assert self.nickname in result.stderr_text
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
From 4cb6f0ba0df928eea60b20892a6fc85373627946 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Fri, 5 Feb 2021 09:00:54 -0500
|
|
||||||
Subject: [PATCH] Set pki-core dependency to 10.3.3 for pki-server cert-fix bug
|
|
||||||
|
|
||||||
Related: https://github.com/dogtagpki/pki/issues/3387
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
---
|
|
||||||
freeipa.spec.in | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
|
||||||
index 93e473ac4..0e261285b 100755
|
|
||||||
--- a/freeipa.spec.in
|
|
||||||
+++ b/freeipa.spec.in
|
|
||||||
@@ -128,11 +128,11 @@
|
|
||||||
%if 0%{?rhel} == 8
|
|
||||||
# PKIConnection has been modified to always validate certs.
|
|
||||||
# https://pagure.io/freeipa/issue/8379
|
|
||||||
-%global pki_version 10.9.0-0.4
|
|
||||||
+%global pki_version 10.10.4-1
|
|
||||||
%else
|
|
||||||
# New KRA profile, ACME support
|
|
||||||
# https://pagure.io/freeipa/issue/8545
|
|
||||||
-%global pki_version 10.10.0-2
|
|
||||||
+%global pki_version 10.10.3-1
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# RHEL 8.3+, F32+ has 0.79.13
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
From f3463728f2196589d36e14cedccb26c03730a7c0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Wed, 10 Feb 2021 16:07:13 -0500
|
|
||||||
Subject: [PATCH] Don't renew non-IPA issued certs in ipa-cert-fix
|
|
||||||
|
|
||||||
If the Apache, 389-ds or KDC certificate was issued by
|
|
||||||
a third party there is nothing we can do, regardless of
|
|
||||||
whether it is expired or not.
|
|
||||||
|
|
||||||
Report which certificates will not be renewed so the
|
|
||||||
admin can manually do do (likely in the event of a
|
|
||||||
third-party certificate).
|
|
||||||
|
|
||||||
https://pagure.io/freeipa/issue/8600
|
|
||||||
|
|
||||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/install/ipa_cert_fix.py | 53 +++++++++++++++++++++++++------
|
|
||||||
1 file changed, 43 insertions(+), 10 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
|
|
||||||
index 29af89cd5..210cf80f1 100644
|
|
||||||
--- a/ipaserver/install/ipa_cert_fix.py
|
|
||||||
+++ b/ipaserver/install/ipa_cert_fix.py
|
|
||||||
@@ -43,6 +43,7 @@ from ipapython.certdb import NSSDatabase, EMPTY_TRUST_FLAGS
|
|
||||||
from ipapython.dn import DN
|
|
||||||
from ipapython.ipaldap import realm_to_serverid
|
|
||||||
from ipaserver.install import ca, cainstance, dsinstance
|
|
||||||
+from ipaserver.install.certs import is_ipa_issued_cert
|
|
||||||
from ipapython import directivesetter
|
|
||||||
from ipapython import ipautil
|
|
||||||
|
|
||||||
@@ -104,6 +105,13 @@ class IPACertFix(AdminTool):
|
|
||||||
|
|
||||||
api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
|
|
||||||
api.finalize()
|
|
||||||
+
|
|
||||||
+ if not dsinstance.is_ds_running(realm_to_serverid(api.env.realm)):
|
|
||||||
+ print(
|
|
||||||
+ "The LDAP server is not running; cannot proceed."
|
|
||||||
+ )
|
|
||||||
+ return 1
|
|
||||||
+
|
|
||||||
api.Backend.ldap2.connect() # ensure DS is up
|
|
||||||
|
|
||||||
subject_base = dsinstance.DsInstance().find_subject_base()
|
|
||||||
@@ -113,7 +121,7 @@ class IPACertFix(AdminTool):
|
|
||||||
ca_subject_dn = ca.lookup_ca_subject(api, subject_base)
|
|
||||||
|
|
||||||
now = datetime.datetime.now() + datetime.timedelta(weeks=2)
|
|
||||||
- certs, extra_certs = expired_certs(now)
|
|
||||||
+ certs, extra_certs, non_renewed = expired_certs(now)
|
|
||||||
|
|
||||||
if not certs and not extra_certs:
|
|
||||||
print("Nothing to do.")
|
|
||||||
@@ -121,7 +129,7 @@ class IPACertFix(AdminTool):
|
|
||||||
|
|
||||||
print(msg)
|
|
||||||
|
|
||||||
- print_intentions(certs, extra_certs)
|
|
||||||
+ print_intentions(certs, extra_certs, non_renewed)
|
|
||||||
|
|
||||||
response = ipautil.user_input('Enter "yes" to proceed')
|
|
||||||
if response.lower() != 'yes':
|
|
||||||
@@ -133,7 +141,10 @@ class IPACertFix(AdminTool):
|
|
||||||
fix_certreq_directives(certs)
|
|
||||||
run_cert_fix(certs, extra_certs)
|
|
||||||
except ipautil.CalledProcessError:
|
|
||||||
- if any(x[0] is IPACertType.LDAPS for x in extra_certs):
|
|
||||||
+ if any(
|
|
||||||
+ x[0] is IPACertType.LDAPS
|
|
||||||
+ for x in extra_certs + non_renewed
|
|
||||||
+ ):
|
|
||||||
# The DS cert was expired. This will cause
|
|
||||||
# 'pki-server cert-fix' to fail at the final
|
|
||||||
# restart. Therefore ignore the CalledProcessError
|
|
||||||
@@ -152,13 +163,15 @@ class IPACertFix(AdminTool):
|
|
||||||
print("Becoming renewal master.")
|
|
||||||
cainstance.CAInstance().set_renewal_master()
|
|
||||||
|
|
||||||
+ print("Restarting IPA")
|
|
||||||
ipautil.run(['ipactl', 'restart'], raiseonerr=True)
|
|
||||||
|
|
||||||
return 0
|
|
||||||
|
|
||||||
|
|
||||||
def expired_certs(now):
|
|
||||||
- return expired_dogtag_certs(now), expired_ipa_certs(now)
|
|
||||||
+ expired_ipa, non_renew_ipa = expired_ipa_certs(now)
|
|
||||||
+ return expired_dogtag_certs(now), expired_ipa, non_renew_ipa
|
|
||||||
|
|
||||||
|
|
||||||
def expired_dogtag_certs(now):
|
|
||||||
@@ -191,6 +204,7 @@ def expired_ipa_certs(now):
|
|
||||||
|
|
||||||
"""
|
|
||||||
certs = []
|
|
||||||
+ non_renewed = []
|
|
||||||
|
|
||||||
# IPA RA
|
|
||||||
cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
|
|
||||||
@@ -200,7 +214,10 @@ def expired_ipa_certs(now):
|
|
||||||
# Apache HTTPD
|
|
||||||
cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
|
|
||||||
if cert.not_valid_after <= now:
|
|
||||||
- certs.append((IPACertType.HTTPS, cert))
|
|
||||||
+ if not is_ipa_issued_cert(api, cert):
|
|
||||||
+ non_renewed.append((IPACertType.HTTPS, cert))
|
|
||||||
+ else:
|
|
||||||
+ certs.append((IPACertType.HTTPS, cert))
|
|
||||||
|
|
||||||
# LDAPS
|
|
||||||
serverid = realm_to_serverid(api.env.realm)
|
|
||||||
@@ -210,18 +227,24 @@ def expired_ipa_certs(now):
|
|
||||||
db = NSSDatabase(nssdir=ds_dbdir)
|
|
||||||
cert = db.get_cert(ds_nickname)
|
|
||||||
if cert.not_valid_after <= now:
|
|
||||||
- certs.append((IPACertType.LDAPS, cert))
|
|
||||||
+ if not is_ipa_issued_cert(api, cert):
|
|
||||||
+ non_renewed.append((IPACertType.LDAPS, cert))
|
|
||||||
+ else:
|
|
||||||
+ certs.append((IPACertType.LDAPS, cert))
|
|
||||||
|
|
||||||
# KDC
|
|
||||||
cert = x509.load_certificate_from_file(paths.KDC_CERT)
|
|
||||||
if cert.not_valid_after <= now:
|
|
||||||
- certs.append((IPACertType.KDC, cert))
|
|
||||||
+ if not is_ipa_issued_cert(api, cert):
|
|
||||||
+ non_renewed.append((IPACertType.HTTPS, cert))
|
|
||||||
+ else:
|
|
||||||
+ certs.append((IPACertType.KDC, cert))
|
|
||||||
|
|
||||||
- return certs
|
|
||||||
+ return certs, non_renewed
|
|
||||||
|
|
||||||
|
|
||||||
-def print_intentions(dogtag_certs, ipa_certs):
|
|
||||||
- print("The following certificates will be renewed: ")
|
|
||||||
+def print_intentions(dogtag_certs, ipa_certs, non_renewed):
|
|
||||||
+ print("The following certificates will be renewed:")
|
|
||||||
print()
|
|
||||||
|
|
||||||
for certid, cert in dogtag_certs:
|
|
||||||
@@ -230,6 +253,16 @@ def print_intentions(dogtag_certs, ipa_certs):
|
|
||||||
for certtype, cert in ipa_certs:
|
|
||||||
print_cert_info("IPA", certtype.value, cert)
|
|
||||||
|
|
||||||
+ if non_renewed:
|
|
||||||
+ print(
|
|
||||||
+ "The following certificates will NOT be renewed because "
|
|
||||||
+ "they were not issued by the IPA CA:"
|
|
||||||
+ )
|
|
||||||
+ print()
|
|
||||||
+
|
|
||||||
+ for certtype, cert in non_renewed:
|
|
||||||
+ print_cert_info("IPA", certtype.value, cert)
|
|
||||||
+
|
|
||||||
|
|
||||||
def print_cert_info(context, desc, cert):
|
|
||||||
print("{} {} certificate:".format(context, desc))
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -0,0 +1,35 @@
|
|||||||
|
From 195035cef51a132b2b80df57ed50f2fe620244e6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Wed, 7 Jul 2021 14:11:40 +0200
|
||||||
|
Subject: [PATCH] man page: update ipa-server-upgrade.1
|
||||||
|
|
||||||
|
The man page needs to clarify in which case the command needs
|
||||||
|
to be run.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/8913
|
||||||
|
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||||
|
---
|
||||||
|
install/tools/man/ipa-server-upgrade.1 | 7 ++++++-
|
||||||
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1
|
||||||
|
index 3db19b0f1..f01e21c6b 100644
|
||||||
|
--- a/install/tools/man/ipa-server-upgrade.1
|
||||||
|
+++ b/install/tools/man/ipa-server-upgrade.1
|
||||||
|
@@ -8,7 +8,12 @@ ipa\-server\-upgrade \- upgrade IPA server
|
||||||
|
.SH "SYNOPSIS"
|
||||||
|
ipa\-server\-upgrade [options]
|
||||||
|
.SH "DESCRIPTION"
|
||||||
|
-ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
|
||||||
|
+ipa\-server\-upgrade is executed automatically to upgrade IPA server when
|
||||||
|
+the IPA packages are being updated. It is not intended to be executed by
|
||||||
|
+end\-users, unless the automatic execution reports an error. In this case,
|
||||||
|
+the administrator needs to identify and fix the issue that is causing the
|
||||||
|
+upgrade failure (with the help of /var/log/ipaupgrade.log)
|
||||||
|
+and manually re\-run ipa\-server\-upgrade.
|
||||||
|
|
||||||
|
ipa\-server\-upgrade will:
|
||||||
|
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
@ -0,0 +1,69 @@
|
|||||||
|
From 8ad535b618d60fa016061212ff85d0ad28ccae59 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Mon, 12 Jul 2021 11:02:10 -0400
|
||||||
|
Subject: [PATCH] Fall back to krbprincipalname when validating host auth
|
||||||
|
indicators
|
||||||
|
|
||||||
|
When adding a new host the principal cannot be determined because it
|
||||||
|
relies on either:
|
||||||
|
|
||||||
|
a) an entry to already exist
|
||||||
|
b) krbprincipalname be a component of the dn
|
||||||
|
|
||||||
|
As a result the full dn is being passed into ipapython.Kerberos
|
||||||
|
which can't parse it.
|
||||||
|
|
||||||
|
Look into the entry in validate_validate_auth_indicator() for
|
||||||
|
krbprincipalname in this case.
|
||||||
|
|
||||||
|
https://pagure.io/freeipa/issue/8206
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||||
|
---
|
||||||
|
ipaserver/plugins/service.py | 5 +++++
|
||||||
|
ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++
|
||||||
|
2 files changed, 16 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
|
||||||
|
index cfbbff3c6..498f5e444 100644
|
||||||
|
--- a/ipaserver/plugins/service.py
|
||||||
|
+++ b/ipaserver/plugins/service.py
|
||||||
|
@@ -209,6 +209,11 @@ def validate_auth_indicator(entry):
# and shouldn't be allowed to have auth indicators.
# https://pagure.io/freeipa/issue/8206
pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
+ if pkey == str(entry.dn):
+ # krbcanonicalname may not be set yet if this is a host entry,
+ # try krbprincipalname
+ if 'krbprincipalname' in entry:
+ pkey = entry['krbprincipalname']
principal = kerberos.Principal(pkey)
server = api.Command.server_find(principal.hostname)['result']
if server:
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index 9cfde3565..ff50e796c 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test):
)):
command()
+ def test_add_non_master_with_auth_ind(self, host5):
+ host5.ensure_missing()
+ command = host5.make_command(
+ 'host_add', host5.fqdn, krbprincipalauthind=['radius'],
+ force=True
+ )
+ result = command()
+ # The fact that the command succeeds exercises the change but
+ # let's check the indicator as well.
+ assert result['result']['krbprincipalauthind'] == ('radius',)
+
@pytest.mark.tier1
class TestValidation(XMLRPC_test):
--
2.31.1
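Review bot: On the new line `pkey = entry['krbprincipalname']`, if `entry` is the usual LDAPEntry, the subscript yields the attribute's value list rather than a single value, so `pkey` changes shape from the `str` that `get_primary_key_from_dn` returned before it reaches `principal = kerberos.Principal(pkey)`. If `Principal` does not unwrap a one-element list, `principal.hostname` on the following line cannot be derived and the internal-service check either fails or is bypassed; the new test adds a single indicator on a plain host and passes, so this may work for that shape, but it should be confirmed rather than assumed. Taking the value explicitly, `pkey = entry.single_value['krbprincipalname']`, keeps `pkey` a single value on both branches. The two nested guards can also collapse into one, `if pkey == str(entry.dn) and 'krbprincipalname' in entry:`. validate_auth_indicator begins before this hunk and its body continues past the visible `if server:`.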
@ -1,135 +0,0 @@
|
|||||||
From 80ccac79b9d123e158a5ba60f9853611d0854188 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sergey Orlov <sorlov@redhat.com>
|
|
||||||
Date: Wed, 17 Feb 2021 16:48:33 +0100
|
|
||||||
Subject: [PATCH] ipatests: test Samba mount with NTLM authentication
|
|
||||||
|
|
||||||
Related to https://pagure.io/freeipa/issue/8636
|
|
||||||
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/pytest_ipa/integration/__init__.py | 17 ++++++
|
|
||||||
ipatests/test_integration/test_smb.py | 63 +++++++++++++++++++++
|
|
||||||
2 files changed, 80 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/pytest_ipa/integration/__init__.py b/ipatests/pytest_ipa/integration/__init__.py
|
|
||||||
index 55291ae8b..f62b667bd 100644
|
|
||||||
--- a/ipatests/pytest_ipa/integration/__init__.py
|
|
||||||
+++ b/ipatests/pytest_ipa/integration/__init__.py
|
|
||||||
@@ -28,12 +28,14 @@ import os
|
|
||||||
import tempfile
|
|
||||||
import shutil
|
|
||||||
import re
|
|
||||||
+import functools
|
|
||||||
|
|
||||||
import pytest
|
|
||||||
from pytest_multihost import make_multihost_fixture
|
|
||||||
|
|
||||||
from ipapython import ipautil
|
|
||||||
from ipaplatform.paths import paths
|
|
||||||
+from . import fips
|
|
||||||
from .config import Config
|
|
||||||
from .env_config import get_global_config
|
|
||||||
from . import tasks
|
|
||||||
@@ -478,3 +480,18 @@ def del_compat_attrs(cls):
|
|
||||||
del cls.ad_subdomains
|
|
||||||
del cls.ad_treedomains
|
|
||||||
del cls.ad_domains
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def skip_if_fips(reason='Not supported in FIPS mode', host='master'):
|
|
||||||
+ if callable(reason):
|
|
||||||
+ raise TypeError('Invalid decorator usage, add "()"')
|
|
||||||
+
|
|
||||||
+ def decorator(test_method):
|
|
||||||
+ @functools.wraps(test_method)
|
|
||||||
+ def wrapper(instance, *args, **kwargs):
|
|
||||||
+ if fips.is_fips_enabled(getattr(instance, host)):
|
|
||||||
+ pytest.skip(reason)
|
|
||||||
+ else:
|
|
||||||
+ test_method(instance, *args, **kwargs)
|
|
||||||
+ return wrapper
|
|
||||||
+ return decorator
|
|
||||||
diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
|
|
||||||
index 37725ab15..749a96325 100644
|
|
||||||
--- a/ipatests/test_integration/test_smb.py
|
|
||||||
+++ b/ipatests/test_integration/test_smb.py
|
|
||||||
@@ -19,6 +19,7 @@ from ipatests.test_integration.base import IntegrationTest
|
|
||||||
from ipatests.pytest_ipa.integration import tasks
|
|
||||||
from ipaplatform.osinfo import osinfo
|
|
||||||
from ipaplatform.paths import paths
|
|
||||||
+from ipatests.pytest_ipa.integration import skip_if_fips
|
|
||||||
|
|
||||||
|
|
||||||
def wait_smbd_functional(host):
|
|
||||||
@@ -378,6 +379,68 @@ class TestSMB(IntegrationTest):
|
|
||||||
finally:
|
|
||||||
self.cleanup_mount(mountpoint)
|
|
||||||
|
|
||||||
+ def check_repeated_smb_mount(self, options):
|
|
||||||
+ mountpoint = '/mnt/smb'
|
|
||||||
+ unc = '//{}/homes'.format(self.smbserver.hostname)
|
|
||||||
+ test_file = 'ntlm_test'
|
|
||||||
+ test_file_server_path = '/home/{}/{}'.format(self.ipa_user1, test_file)
|
|
||||||
+ test_file_client_path = '{}/{}'.format(mountpoint, test_file)
|
|
||||||
+
|
|
||||||
+ self.smbclient.run_command(['mkdir', '-p', mountpoint])
|
|
||||||
+ self.smbserver.put_file_contents(test_file_server_path, '')
|
|
||||||
+ try:
|
|
||||||
+ for i in [1, 2]:
|
|
||||||
+ res = self.smbclient.run_command([
|
|
||||||
+ 'mount', '-t', 'cifs', unc, mountpoint, '-o', options],
|
|
||||||
+ raiseonerr=False)
|
|
||||||
+ assert res.returncode == 0, (
|
|
||||||
+ 'Mount failed at iteration {}. Output: {}'
|
|
||||||
+ .format(i, res.stdout_text + res.stderr_text))
|
|
||||||
+ assert self.smbclient.transport.file_exists(
|
|
||||||
+ test_file_client_path)
|
|
||||||
+ self.smbclient.run_command(['umount', mountpoint])
|
|
||||||
+ finally:
|
|
||||||
+ self.cleanup_mount(mountpoint)
|
|
||||||
+ self.smbserver.run_command(['rm', '-f', test_file_server_path])
|
|
||||||
+
|
|
||||||
+ @skip_if_fips()
|
|
||||||
+ def test_ntlm_authentication_with_auto_domain(self):
|
|
||||||
+ """Repeatedly try to authenticate with username and password with
|
|
||||||
+ automatic domain discovery.
|
|
||||||
+
|
|
||||||
+ This is a regression test for https://pagure.io/freeipa/issue/8636
|
|
||||||
+ """
|
|
||||||
+ tasks.kdestroy_all(self.smbclient)
|
|
||||||
+
|
|
||||||
+ mount_options = 'user={user},pass={password},domainauto'.format(
|
|
||||||
+ user=self.ipa_user1,
|
|
||||||
+ password=self.ipa_user1_password
|
|
||||||
+ )
|
|
||||||
+
|
|
||||||
+ self.check_repeated_smb_mount(mount_options)
|
|
||||||
+
|
|
||||||
+ @skip_if_fips()
|
|
||||||
+ def test_ntlm_authentication_with_upn_with_lowercase_domain(self):
|
|
||||||
+ tasks.kdestroy_all(self.smbclient)
|
|
||||||
+
|
|
||||||
+ mount_options = 'user={user}@{domain},pass={password}'.format(
|
|
||||||
+ user=self.ipa_user1,
|
|
||||||
+ password=self.ipa_user1_password,
|
|
||||||
+ domain=self.master.domain.name.lower()
|
|
||||||
+ )
|
|
||||||
+ self.check_repeated_smb_mount(mount_options)
|
|
||||||
+
|
|
||||||
+ @skip_if_fips()
|
|
||||||
+ def test_ntlm_authentication_with_upn_with_uppercase_domain(self):
|
|
||||||
+ tasks.kdestroy_all(self.smbclient)
|
|
||||||
+
|
|
||||||
+ mount_options = 'user={user}@{domain},pass={password}'.format(
|
|
||||||
+ user=self.ipa_user1,
|
|
||||||
+ password=self.ipa_user1_password,
|
|
||||||
+ domain=self.master.domain.name.upper()
|
|
||||||
+ )
|
|
||||||
+ self.check_repeated_smb_mount(mount_options)
|
|
||||||
+
|
|
||||||
def test_uninstall_samba(self):
|
|
||||||
self.smbserver.run_command(['ipa-client-samba', '--uninstall', '-U'])
|
|
||||||
res = self.smbserver.run_command(
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -1,79 +0,0 @@
|
|||||||
From 20bb855a57080145d0d5555294381c890ef605bb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Antonio Torres <antorres@redhat.com>
|
|
||||||
Date: Tue, 16 Feb 2021 16:53:24 +0100
|
|
||||||
Subject: [PATCH] ipaserver: don't ignore zonemgr option on install
|
|
||||||
|
|
||||||
Fix zonemgr option in ipaserver install being
|
|
||||||
ignored because of an incorrect condition.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8718
|
|
||||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/install/bindinstance.py | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
|
|
||||||
index 3b446ce76..19941cd00 100644
|
|
||||||
--- a/ipaserver/install/bindinstance.py
|
|
||||||
+++ b/ipaserver/install/bindinstance.py
|
|
||||||
@@ -355,7 +355,7 @@ def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None,
|
|
||||||
else:
|
|
||||||
update_policy = get_dns_forward_zone_update_policy(api.env.realm)
|
|
||||||
|
|
||||||
- if zonemgr is None:
|
|
||||||
+ if not zonemgr:
|
|
||||||
zonemgr = 'hostmaster.%s' % name
|
|
||||||
|
|
||||||
if ns_hostname:
|
|
||||||
@@ -682,7 +682,7 @@ class BindInstance(service.Service):
|
|
||||||
self.forward_policy = forward_policy
|
|
||||||
self.reverse_zones = reverse_zones
|
|
||||||
|
|
||||||
- if zonemgr is not None:
|
|
||||||
+ if not zonemgr:
|
|
||||||
self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
|
|
||||||
else:
|
|
||||||
self.zonemgr = normalize_zonemgr(zonemgr)
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
From 82043e1fd052618608d3b7786473a632478795ee Mon Sep 17 00:00:00 2001
|
|
||||||
From: Antonio Torres <antorres@redhat.com>
|
|
||||||
Date: Tue, 16 Feb 2021 18:24:26 +0100
|
|
||||||
Subject: [PATCH] ipatests: check that zonemgr is set correctly during server
|
|
||||||
install
|
|
||||||
|
|
||||||
Add test to check that zonemgr is correctly
|
|
||||||
set when installing IPA server.
|
|
||||||
|
|
||||||
Related: https://pagure.io/freeipa/issue/8718
|
|
||||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_installation.py | 7 +++++++
|
|
||||||
1 file changed, 7 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
|
||||||
index 6e8af024c..18c5bd243 100644
|
|
||||||
--- a/ipatests/test_integration/test_installation.py
|
|
||||||
+++ b/ipatests/test_integration/test_installation.py
|
|
||||||
@@ -1171,6 +1171,13 @@ class TestInstallMasterDNS(IntegrationTest):
|
|
||||||
extra_args=['--zonemgr', 'me@example.org'],
|
|
||||||
)
|
|
||||||
|
|
||||||
+ tasks.kinit_admin(self.master)
|
|
||||||
+ result = self.master.run_command(
|
|
||||||
+ ['ipa', 'dnszone-show', self.master.domain.name]
|
|
||||||
+ ).stdout_text
|
|
||||||
+
|
|
||||||
+ assert "Administrator e-mail address: me.example.org" in result
|
|
||||||
+
|
|
||||||
def test_server_install_lock_bind_recursion(self):
|
|
||||||
"""Test if server installer lock Bind9 recursion
|
|
||||||
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -0,0 +1,30 @@
|
|||||||
|
From 1a5159b216455070eb51b6a11ceaf0033fc8ce4c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Date: Fri, 16 Jul 2021 09:20:33 +0300
|
||||||
|
Subject: [PATCH] rhel platform: add a named crypto-policy support
|
||||||
|
|
||||||
|
RHEL 8+ provides bind system-wide crypto policy support, enable it.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/8925
|
||||||
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Anuja More <amore@redhat.com>
|
||||||
|
---
|
||||||
|
ipaplatform/rhel/paths.py | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/ipaplatform/rhel/paths.py b/ipaplatform/rhel/paths.py
index c081ada32..3631550eb 100644
--- a/ipaplatform/rhel/paths.py
+++ b/ipaplatform/rhel/paths.py
@@ -30,6 +30,7 @@ from ipaplatform.rhel.constants import HAS_NFS_CONF
class RHELPathNamespace(RedHatPathNamespace):
+ NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
if HAS_NFS_CONF:
SYSCONFIG_NFS = '/etc/nfs.conf'
--
2.31.1
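Review bot: The new `NAMED_CRYPTO_POLICY_FILE` attribute has no comment, and nothing in the hunk shows how it takes effect; going by the commit message, the presence of this path is what switches named to the system-wide crypto policy, so a reader of RHELPathNamespace cannot tell that defining it is the enabling step or that dropping it would turn the policy off again. A one-line comment above it would make that contract explicit, e.g. `# Defining this path enables bind's system-wide crypto-policy support (issue 8925)`. Whether the consumer also checks that the file exists at runtime is not visible here and should be confirmed on the installer side.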
@ -0,0 +1,53 @@
|
|||||||
|
From a6e708ab4006d6623c37de1692de5362fcdb5dd6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Mon, 30 Aug 2021 16:44:47 -0400
|
||||||
|
Subject: [PATCH] Catch and log errors when adding CA profiles
|
||||||
|
|
||||||
|
Rather than stopping the installer entirely, catch and report
|
||||||
|
errors adding new certificate profiles, and remove the
|
||||||
|
broken profile entry from LDAP so it may be re-added later.
|
||||||
|
|
||||||
|
It was discovered that installing a newer IPA that has the
|
||||||
|
ACME profile which requires sanToCNDefault will fail when
|
||||||
|
installing a new server against a very old one that lacks
|
||||||
|
this class.
|
||||||
|
|
||||||
|
Running ipa-server-upgrade post-install will add the profile
|
||||||
|
and generate the missing ipa-ca SAN record so that ACME
|
||||||
|
can work.
|
||||||
|
|
||||||
|
https://pagure.io/freeipa/issue/8974
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||||
|
---
|
||||||
|
ipaserver/install/cainstance.py | 13 +++++++++++--
|
||||||
|
1 file changed, 11 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 9e842b33e..8c8bf1b3a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1973,8 +1973,17 @@ def import_included_profiles():
# Create the profile, replacing any existing profile of same name
profile_data = __get_profile_config(profile_id)
- _create_dogtag_profile(profile_id, profile_data, overwrite=True)
- logger.debug("Imported profile '%s'", profile_id)
+ try:
+ _create_dogtag_profile(profile_id, profile_data,
+ overwrite=True)
+ except errors.HTTPRequestError as e:
+ logger.warning("Failed to import profile '%s': %s. Running "
+ "ipa-server-upgrade when installation is "
+ "completed may resolve this issue.",
+ profile_id, e)
+ conn.delete_entry(entry)
+ else:
+ logger.debug("Imported profile '%s'", profile_id)
else:
logger.debug(
"Profile '%s' is already in LDAP; skipping", profile_id
--
2.31.1
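Review bot: The cleanup `conn.delete_entry(entry)` inside the new `except errors.HTTPRequestError` handler is itself unguarded, so if the LDAP delete fails the installer stops with a directory traceback instead of the logged "run ipa-server-upgrade" guidance, and the broken profile entry the commit means to remove stays in LDAP. Wrapping that single call, `try: conn.delete_entry(entry)` / `except errors.NotFound: logger.debug("Profile entry '%s' already removed", profile_id)`, covers the entry already being gone, while any other LDAP error should still propagate so a real directory failure is not hidden behind a warning. `conn` and `entry` are bound outside the hunk (presumably the LDAP connection and the profile entry added earlier in the loop), and import_included_profiles continues past the visible trailing `else:` branch.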
@ -1,318 +0,0 @@
|
|||||||
From 7f30ddb1b7e30c22f9b7d14d2658b58a0ea6b459 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
Date: Tue, 2 Feb 2021 17:33:57 +0530
|
|
||||||
Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs
|
|
||||||
|
|
||||||
Test moves system date to expire certs. Then calls ipa-cert-fix
|
|
||||||
to renew them. This certs include subsystem, audit-signing,
|
|
||||||
OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.
|
|
||||||
|
|
||||||
related: https://pagure.io/freeipa/issue/7885
|
|
||||||
|
|
||||||
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Anuja More <amore@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Anuja More <amore@redhat.com>
|
|
||||||
---
|
|
||||||
.../test_integration/test_ipa_cert_fix.py | 60 +++++++++++++++++++
|
|
||||||
1 file changed, 60 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
|
||||||
index f9e5fe6e2..da68af573 100644
|
|
||||||
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
|
||||||
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
|
||||||
@@ -8,12 +8,16 @@ Module provides tests for ipa-cert-fix CLI.
|
|
||||||
import pytest
|
|
||||||
import time
|
|
||||||
|
|
||||||
+import logging
|
|
||||||
from ipaplatform.paths import paths
|
|
||||||
from ipatests.pytest_ipa.integration import tasks
|
|
||||||
from ipatests.test_integration.base import IntegrationTest
|
|
||||||
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
|
|
||||||
|
|
||||||
|
|
||||||
+logger = logging.getLogger(__name__)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
def server_install_teardown(func):
|
|
||||||
def wrapped(*args):
|
|
||||||
master = args[0].master
|
|
||||||
@@ -24,6 +28,26 @@ def server_install_teardown(func):
|
|
||||||
return wrapped
|
|
||||||
|
|
||||||
|
|
||||||
+def check_status(host, cert_count, state, timeout=600):
|
|
||||||
+ """Helper method to check that if all the certs are in given state
|
|
||||||
+ :param host: the host
|
|
||||||
+ :param cert_count: no of cert to look for
|
|
||||||
+ :param state: state to check for
|
|
||||||
+ :param timeout: max time in seconds to wait for the state
|
|
||||||
+ """
|
|
||||||
+ for _i in range(0, timeout, 10):
|
|
||||||
+ result = host.run_command(['getcert', 'list'])
|
|
||||||
+ count = result.stdout_text.count(f"status: {state}")
|
|
||||||
+ logger.info("cert count in %s state : %s", state, count)
|
|
||||||
+ if int(count) == cert_count:
|
|
||||||
+ break
|
|
||||||
+ time.sleep(10)
|
|
||||||
+ else:
|
|
||||||
+ raise RuntimeError("request timed out")
|
|
||||||
+
|
|
||||||
+ return count
|
|
||||||
+
|
|
||||||
+
|
|
||||||
class TestIpaCertFix(IntegrationTest):
|
|
||||||
@classmethod
|
|
||||||
def uninstall(cls, mh):
|
|
||||||
@@ -106,6 +130,42 @@ class TestIpaCertFix(IntegrationTest):
|
|
||||||
# timeout
|
|
||||||
raise AssertionError('Timeout: Failed to renew all the certs')
|
|
||||||
|
|
||||||
+ def test_renew_expired_cert_on_master(self, expire_cert_critical):
|
|
||||||
+ """Test if ipa-cert-fix renews expired certs
|
|
||||||
+
|
|
||||||
+ Test moves system date to expire certs. Then calls ipa-cert-fix
|
|
||||||
+ to renew them. This certs include subsystem, audit-signing,
|
|
||||||
+ OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.
|
|
||||||
+
|
|
||||||
+ related: https://pagure.io/freeipa/issue/7885
|
|
||||||
+ """
|
|
||||||
+ # wait for cert expiry
|
|
||||||
+ check_status(self.master, 8, "CA_UNREACHABLE")
|
|
||||||
+
|
|
||||||
+ self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
|
|
||||||
+
|
|
||||||
+ check_status(self.master, 9, "MONITORING")
|
|
||||||
+
|
|
||||||
+ # second iteration of ipa-cert-fix
|
|
||||||
+ result = self.master.run_command(
|
|
||||||
+ ['ipa-cert-fix', '-v'],
|
|
||||||
+ stdin_text='yes\n'
|
|
||||||
+ )
|
|
||||||
+ assert "Nothing to do" in result.stdout_text
|
|
||||||
+ check_status(self.master, 9, "MONITORING")
|
|
||||||
+
|
|
||||||
+ def test_ipa_cert_fix_non_ipa(self):
|
|
||||||
+ """Test ipa-cert-fix doesn't work on non ipa system
|
|
||||||
+
|
|
||||||
+ ipa-cert-fix tool should not work on non ipa system.
|
|
||||||
+
|
|
||||||
+ related: https://pagure.io/freeipa/issue/7885
|
|
||||||
+ """
|
|
||||||
+ result = self.master.run_command(['ipa-cert-fix', '-v'],
|
|
||||||
+ stdin_text='yes\n',
|
|
||||||
+ raiseonerr=False)
|
|
||||||
+ assert result.returncode == 2
|
|
||||||
+
|
|
||||||
|
|
||||||
class TestIpaCertFixThirdParty(CALessBase):
|
|
||||||
"""
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
From 36a60dbb35cb4429f00528f79bec8b7982a30c74 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
Date: Thu, 11 Feb 2021 16:54:22 +0530
|
|
||||||
Subject: [PATCH] Move fixture outside the class and add setup_kra capability
|
|
||||||
|
|
||||||
Moved fixture to use across multiple classes. Added capability
|
|
||||||
to install the KRA to the fixture
|
|
||||||
|
|
||||||
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Anuja More <amore@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Anuja More <amore@redhat.com>
|
|
||||||
---
|
|
||||||
.../test_integration/test_ipa_cert_fix.py | 46 ++++++++++++-------
|
|
||||||
1 file changed, 30 insertions(+), 16 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
|
||||||
index da68af573..591dc5031 100644
|
|
||||||
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
|
||||||
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
|
||||||
@@ -48,6 +48,33 @@ def check_status(host, cert_count, state, timeout=600):
|
|
||||||
return count
|
|
||||||
|
|
||||||
|
|
||||||
+@pytest.fixture
|
|
||||||
+def expire_cert_critical():
|
|
||||||
+ """
|
|
||||||
+ Fixture to expire the certs by moving the system date using
|
|
||||||
+ date -s command and revert it back
|
|
||||||
+ """
|
|
||||||
+
|
|
||||||
+ hosts = dict()
|
|
||||||
+
|
|
||||||
+ def _expire_cert_critical(host, setup_kra=False):
|
|
||||||
+ hosts['host'] = host
|
|
||||||
+ # Do not install NTP as the test plays with the date
|
|
||||||
+ tasks.install_master(host, setup_dns=False,
|
|
||||||
+ extra_args=['--no-ntp'])
|
|
||||||
+ if setup_kra:
|
|
||||||
+ tasks.install_kra(host)
|
|
||||||
+ host.run_command(['systemctl', 'stop', 'chronyd'])
|
|
||||||
+ host.run_command(['date', '-s', '+3Years+1day'])
|
|
||||||
+
|
|
||||||
+ yield _expire_cert_critical
|
|
||||||
+
|
|
||||||
+ host = hosts.pop('host')
|
|
||||||
+ tasks.uninstall_master(host)
|
|
||||||
+ host.run_command(['date', '-s', '-3Years-1day'])
|
|
||||||
+ host.run_command(['systemctl', 'start', 'chronyd'])
|
|
||||||
+
|
|
||||||
+
|
|
||||||
class TestIpaCertFix(IntegrationTest):
|
|
||||||
@classmethod
|
|
||||||
def uninstall(cls, mh):
|
|
||||||
@@ -55,22 +82,6 @@ class TestIpaCertFix(IntegrationTest):
|
|
||||||
# the fixture
|
|
||||||
pass
|
|
||||||
|
|
||||||
- @pytest.fixture
|
|
||||||
- def expire_cert_critical(self):
|
|
||||||
- """
|
|
||||||
- Fixture to expire the certs by moving the system date using
|
|
||||||
- date -s command and revert it back
|
|
||||||
- """
|
|
||||||
- # Do not install NTP as the test plays with the date
|
|
||||||
- tasks.install_master(self.master, setup_dns=False,
|
|
||||||
- extra_args=['--no-ntp'])
|
|
||||||
- self.master.run_command(['systemctl', 'stop', 'chronyd'])
|
|
||||||
- self.master.run_command(['date','-s', '+3Years+1day'])
|
|
||||||
- yield
|
|
||||||
- tasks.uninstall_master(self.master)
|
|
||||||
- self.master.run_command(['date','-s', '-3Years-1day'])
|
|
||||||
- self.master.run_command(['systemctl', 'start', 'chronyd'])
|
|
||||||
-
|
|
||||||
def test_missing_csr(self, expire_cert_critical):
|
|
||||||
"""
|
|
||||||
Test that ipa-cert-fix succeeds when CSR is missing from CS.cfg
|
|
||||||
@@ -82,6 +93,7 @@ class TestIpaCertFix(IntegrationTest):
|
|
||||||
- call getcert resubmit in order to create the CSR in certmonger file
|
|
||||||
- use ipa-cert-fix, no issue should be seen
|
|
||||||
"""
|
|
||||||
+ expire_cert_critical(self.master)
|
|
||||||
# pki must be stopped in order to edit CS.cfg
|
|
||||||
self.master.run_command(['ipactl', 'stop'])
|
|
||||||
self.master.run_command(['sed', '-i', r'/ca\.sslserver\.certreq=/d',
|
|
||||||
@@ -139,6 +151,8 @@ class TestIpaCertFix(IntegrationTest):
|
|
||||||
|
|
||||||
related: https://pagure.io/freeipa/issue/7885
|
|
||||||
"""
|
|
||||||
+ expire_cert_critical(self.master)
|
|
||||||
+
|
|
||||||
# wait for cert expiry
|
|
||||||
check_status(self.master, 8, "CA_UNREACHABLE")
|
|
||||||
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
From c84e0547e1a693ba0e9edbfeea7bafdb2fb2b4a2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
Date: Thu, 11 Feb 2021 16:59:53 +0530
|
|
||||||
Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs with kra
|
|
||||||
installed
|
|
||||||
|
|
||||||
This test check if ipa-cert-fix renews certs with kra
|
|
||||||
certificate installed.
|
|
||||||
|
|
||||||
related: https://pagure.io/freeipa/issue/7885
|
|
||||||
|
|
||||||
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Anuja More <amore@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Anuja More <amore@redhat.com>
|
|
||||||
---
|
|
||||||
.../test_integration/test_ipa_cert_fix.py | 25 +++++++++++++++++++
|
|
||||||
1 file changed, 25 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
|
||||||
index 591dc5031..b2e92d4dc 100644
|
|
||||||
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
|
||||||
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
|
||||||
@@ -225,3 +225,28 @@ class TestIpaCertFixThirdParty(CALessBase):
|
|
||||||
# the DS nickname is used and not a hardcoded value.
|
|
||||||
result = self.master.run_command(['ipa-cert-fix', '-v'],)
|
|
||||||
assert self.nickname in result.stderr_text
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+class TestCertFixKRA(IntegrationTest):
|
|
||||||
+ @classmethod
|
|
||||||
+ def uninstall(cls, mh):
|
|
||||||
+ # Uninstall method is empty as the uninstallation is done in
|
|
||||||
+ # the fixture
|
|
||||||
+ pass
|
|
||||||
+
|
|
||||||
+ def test_renew_expired_cert_with_kra(self, expire_cert_critical):
|
|
||||||
+ """Test if ipa-cert-fix renews expired certs with kra installed
|
|
||||||
+
|
|
||||||
+ This test check if ipa-cert-fix renews certs with kra
|
|
||||||
+ certificate installed.
|
|
||||||
+
|
|
||||||
+ related: https://pagure.io/freeipa/issue/7885
|
|
||||||
+ """
|
|
||||||
+ expire_cert_critical(self.master, setup_kra=True)
|
|
||||||
+
|
|
||||||
+ # check if all subsystem cert expired
|
|
||||||
+ check_status(self.master, 11, "CA_UNREACHABLE")
|
|
||||||
+
|
|
||||||
+ self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
|
|
||||||
+
|
|
||||||
+ check_status(self.master, 12, "MONITORING")
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
From 260fbcb03297ef1ed5418b16c0df0587d2989b22 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
Date: Tue, 2 Mar 2021 11:42:36 +0530
|
|
||||||
Subject: [PATCH] ipatests: update nightly definition for ipa_cert_fix suite
|
|
||||||
|
|
||||||
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Anuja More <amore@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml | 2 +-
|
|
||||||
ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml | 2 +-
|
|
||||||
ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml | 2 +-
|
|
||||||
3 files changed, 3 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
|
||||||
index ebd539246..8a88698eb 100644
|
|
||||||
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
|
||||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
|
||||||
@@ -1687,5 +1687,5 @@ jobs:
|
|
||||||
build_url: '{fedora-latest-ipa-4-9/build_url}'
|
|
||||||
test_suite: test_integration/test_ipa_cert_fix.py
|
|
||||||
template: *ci-ipa-4-9-latest
|
|
||||||
- timeout: 3600
|
|
||||||
+ timeout: 7200
|
|
||||||
topology: *master_1repl
|
|
||||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
|
||||||
index d4b597d6e..14f0c4292 100644
|
|
||||||
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
|
||||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
|
||||||
@@ -1821,5 +1821,5 @@ jobs:
|
|
||||||
selinux_enforcing: True
|
|
||||||
test_suite: test_integration/test_ipa_cert_fix.py
|
|
||||||
template: *ci-ipa-4-9-latest
|
|
||||||
- timeout: 3600
|
|
||||||
+ timeout: 7200
|
|
||||||
topology: *master_1repl
|
|
||||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
|
||||||
index 1fd589e6a..b7f8d2b3e 100644
|
|
||||||
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
|
||||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
|
||||||
@@ -1687,5 +1687,5 @@ jobs:
|
|
||||||
build_url: '{fedora-previous-ipa-4-9/build_url}'
|
|
||||||
test_suite: test_integration/test_ipa_cert_fix.py
|
|
||||||
template: *ci-ipa-4-9-previous
|
|
||||||
- timeout: 3600
|
|
||||||
+ timeout: 7200
|
|
||||||
topology: *master_1repl
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -1,37 +0,0 @@
|
|||||||
From caf748860860293e010e695d72f6b3b3d8509f8a Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Tue, 2 Mar 2021 08:44:35 +0100
|
|
||||||
Subject: [PATCH] ipatests: use whole date when calling journalctl --since
|
|
||||||
|
|
||||||
The test test_commands.py::TestIPACommand::test_ssh_key_connection
|
|
||||||
is checking the content of the journal using journalctl --since ...
|
|
||||||
but provides only the time, not the whole date with year-month-day.
|
|
||||||
As a consequence, if the test is executed around midnight it may
|
|
||||||
find nothing in the journal because it's looking for logs after 11:50PM,
|
|
||||||
which is a date in the future.
|
|
||||||
|
|
||||||
The fix provides a complete date with year-month-day hours:min:sec.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8728
|
|
||||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_commands.py | 3 ++-
|
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
|
|
||||||
index 45f642bf2..b7ffb926f 100644
|
|
||||||
--- a/ipatests/test_integration/test_commands.py
|
|
||||||
+++ b/ipatests/test_integration/test_commands.py
|
|
||||||
@@ -642,7 +642,8 @@ class TestIPACommand(IntegrationTest):
|
|
||||||
# start to look at logs a bit before "now"
|
|
||||||
# https://pagure.io/freeipa/issue/8432
|
|
||||||
since = time.strftime(
|
|
||||||
- '%H:%M:%S', (datetime.now() - timedelta(seconds=10)).timetuple()
|
|
||||||
+ '%Y-%m-%d %H:%M:%S',
|
|
||||||
+ (datetime.now() - timedelta(seconds=10)).timetuple()
|
|
||||||
)
|
|
||||||
|
|
||||||
tasks.run_ssh_cmd(
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
@ -0,0 +1,41 @@
|
|||||||
|
From 07e2bf732f54f936cccc4e0c7b468d77f97e911a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Mon, 30 Aug 2021 18:40:24 +0200
|
||||||
|
Subject: [PATCH] selinux policy: allow custodia to access /proc/cpuinfo
|
||||||
|
|
||||||
|
On aarch64, custodia creates AVC when accessing /proc/cpuinfo.
|
||||||
|
|
||||||
|
According to gcrypt manual
|
||||||
|
(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html),
|
||||||
|
/proc/cpuinfo is used on ARM architecture to read the hardware
|
||||||
|
capabilities of the CPU. This explains why the issue happens only
|
||||||
|
on aarch64.
|
||||||
|
|
||||||
|
audit2allow suggests to add the following:
|
||||||
|
allow ipa_custodia_t proc_t:file { getattr open read };
|
||||||
|
|
||||||
|
but this policy would be too broad. Instead, the patch is using
|
||||||
|
the interface kernel_read_system_state.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/8972
|
||||||
|
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||||
|
---
|
||||||
|
selinux/ipa.te | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
||||||
|
index 68e109419..7492fca04 100644
|
||||||
|
--- a/selinux/ipa.te
|
||||||
|
+++ b/selinux/ipa.te
|
||||||
|
@@ -364,6 +364,7 @@ files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
|
||||||
|
|
||||||
|
kernel_dgram_send(ipa_custodia_t)
|
||||||
|
kernel_read_network_state(ipa_custodia_t)
|
||||||
|
+kernel_read_system_state(ipa_custodia_t)
|
||||||
|
|
||||||
|
auth_read_passwd(ipa_custodia_t)
|
||||||
|
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
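Review bot: The added `kernel_read_system_state(ipa_custodia_t)` line in ipa.te carries no comment, so nothing in the policy file records that it exists only for gcrypt's CPU-capability probe of /proc/cpuinfo on aarch64, and the interface is not cpuinfo-specific: in the reference policy it expands, as far as I recall, to read on proc_t files plus proc directory and symlink reads, i.e. roughly the audit2allow rule the commit message calls too broad, just expressed through the idiomatic interface. Put the reason next to the rule so a later audit of this domain does not widen or silently keep it by accident: `# gcrypt probes /proc/cpuinfo for CPU features on ARM (pagure #8972)`. If the target policy offers a narrower interface for that file it would be preferable here, but that cannot be told from the hunk. The ipa_custodia_t rule block starts before the hunk.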
@ -0,0 +1,46 @@
|
|||||||
|
From 4fca95751ca32a1ed16a6d8a4e557c5799ec5c78 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Wed, 25 Aug 2021 17:10:29 +0200
|
||||||
|
Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ
|
||||||
|
|
||||||
|
If a client sends a request to lookup an object from a given trusted
|
||||||
|
domain by UID or GID and an object with matching ID is only found in a
|
||||||
|
different domain the extdom should return LDAP_NO_SUCH_OBJECT to
|
||||||
|
indicate to the client that the requested ID does not exists in the
|
||||||
|
given domain.
|
||||||
|
|
||||||
|
Resolves: https://pagure.io/freeipa/issue/8965
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
.../ipa-extdom-extop/ipa_extdom_common.c | 8 ++++++--
|
||||||
|
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
|
||||||
|
index 5d97ff613..6f646b9f4 100644
|
||||||
|
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
|
||||||
|
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
|
||||||
|
@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
|
||||||
|
if (strcasecmp(locat+1, domain_name) == 0 ) {
|
||||||
|
locat[0] = '\0';
|
||||||
|
} else {
|
||||||
|
- ret = LDAP_INVALID_SYNTAX;
|
||||||
|
+ /* The found object is from a different domain than requested,
|
||||||
|
+ * that means it does not exist in the requested domain */
|
||||||
|
+ ret = LDAP_NO_SUCH_OBJECT;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type,
|
||||||
|
if (strcasecmp(locat+1, domain_name) == 0 ) {
|
||||||
|
locat[0] = '\0';
|
||||||
|
} else {
|
||||||
|
- ret = LDAP_INVALID_SYNTAX;
|
||||||
|
+ /* The found object is from a different domain than requested,
|
||||||
|
+ * that means it does not exist in the requested domain */
|
||||||
|
+ ret = LDAP_NO_SUCH_OBJECT;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
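Review bot: The new else-branch, comment included, is now an exact duplicate in pack_ber_user and pack_ber_group, so the two sites have to be changed in lockstep; a small static helper that does the suffix comparison and the strip would leave a single place to reason about the "object found in a different domain" result. The new return value is also what the extdom client sees on the wire, so the comment should say that it is deliberately indistinguishable from "no object with that ID at all" rather than leaving it implicit. Both enclosing functions start and end outside the hunk, so the types of `locat` (written through, hence non-const `char *`) and `domain_name` are inferred from the visible use.
```c
/* If the "@domain" suffix at locat matches the requested domain, strip it
 * and return 1; otherwise leave the name untouched and return 0. */
static int strip_matching_domain(char *locat, const char *domain_name)
{
    if (strcasecmp(locat + 1, domain_name) != 0) {
        return 0;
    }
    locat[0] = '\0';
    return 1;
}

/* … in pack_ber_user() and pack_ber_group(), replacing the if/else … */
        if (!strip_matching_domain(locat, domain_name)) {
            /* The found object is from a different domain than requested,
             * that means it does not exist in the requested domain; the
             * client is told the same thing as for a missing object. */
            ret = LDAP_NO_SUCH_OBJECT;
            goto done;
        }
```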
@ -1,594 +0,0 @@
|
|||||||
From 2832810891acfaca68142df7271d6f0a50a588eb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Fri, 19 Feb 2021 15:37:47 +0200
|
|
||||||
Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
|
|
||||||
|
|
||||||
Calling to ipadb_get_connection() will remove LDAP context if any error
|
|
||||||
happens. This means upper layers must always verify that LDAP context
|
|
||||||
exists after such calls.
|
|
||||||
|
|
||||||
ipadb_get_user_auth() may re-read global configuration and that may fail
|
|
||||||
and cause IPA context to have NULL LDAP context.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8681
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
daemons/ipa-kdb/ipa_kdb.c | 1 +
|
|
||||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 32 +++++++++++++++-------------
|
|
||||||
daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------
|
|
||||||
3 files changed, 37 insertions(+), 22 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
|
|
||||||
index 43ba955ac..6e1e3e351 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb.c
|
|
||||||
@@ -57,6 +57,7 @@ static void ipadb_context_free(krb5_context kcontext,
|
|
||||||
/* ldap free lcontext */
|
|
||||||
if ((*ctx)->lcontext) {
|
|
||||||
ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL);
|
|
||||||
+ (*ctx)->lcontext = NULL;
|
|
||||||
}
|
|
||||||
free((*ctx)->supp_encs);
|
|
||||||
free((*ctx)->def_encs);
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
index 31f617129..81a8fd483 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
@@ -418,7 +418,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
krb5_timestamp authtime,
|
|
||||||
struct netr_SamInfo3 *info3)
|
|
||||||
{
|
|
||||||
- LDAP *lcontext = ipactx->lcontext;
|
|
||||||
LDAPDerefRes *deref_results = NULL;
|
|
||||||
struct dom_sid sid;
|
|
||||||
gid_t prigid = -1;
|
|
||||||
@@ -435,7 +434,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
bool is_idobject = false;
|
|
||||||
krb5_principal princ;
|
|
||||||
|
|
||||||
- ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
|
|
||||||
+ ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass",
|
|
||||||
&objectclasses);
|
|
||||||
if (ret == 0 && objectclasses != NULL) {
|
|
||||||
for (c = 0; objectclasses[c] != NULL; c++) {
|
|
||||||
@@ -472,13 +471,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (is_host) {
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres);
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
|
|
||||||
if (ret) {
|
|
||||||
/* fqdn is mandatory for hosts */
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
} else if (is_service) {
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres);
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
||||||
+ "krbCanonicalName", &strres);
|
|
||||||
if (ret) {
|
|
||||||
/* krbCanonicalName is mandatory for services */
|
|
||||||
return ret;
|
|
||||||
@@ -498,7 +498,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
return ENOENT;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres);
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres);
|
|
||||||
if (ret) {
|
|
||||||
/* uid is mandatory */
|
|
||||||
return ret;
|
|
||||||
@@ -511,7 +511,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
if (is_host || is_service) {
|
|
||||||
prigid = 515; /* Well known RID for domain computers group */
|
|
||||||
} else {
|
|
||||||
- ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
|
|
||||||
+ ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry,
|
|
||||||
+ "gidNumber", &intres);
|
|
||||||
if (ret) {
|
|
||||||
/* gidNumber is mandatory */
|
|
||||||
return ret;
|
|
||||||
@@ -544,7 +545,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
info3->base.kickoff_time = INT64_MAX;
|
|
||||||
#endif
|
|
||||||
|
|
||||||
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
|
|
||||||
+ ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry,
|
|
||||||
"krbLastPwdChange", &timeres);
|
|
||||||
switch (ret) {
|
|
||||||
case 0:
|
|
||||||
@@ -562,7 +563,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
info3->base.allow_password_change = info3->base.last_password_change;
|
|
||||||
info3->base.force_password_change = INT64_MAX;
|
|
||||||
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres);
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres);
|
|
||||||
switch (ret) {
|
|
||||||
case 0:
|
|
||||||
info3->base.full_name.string = talloc_strdup(memctx, strres);
|
|
||||||
@@ -575,7 +576,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
||||||
"ipaNTLogonScript", &strres);
|
|
||||||
switch (ret) {
|
|
||||||
case 0:
|
|
||||||
@@ -589,7 +590,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
||||||
"ipaNTProfilePath", &strres);
|
|
||||||
switch (ret) {
|
|
||||||
case 0:
|
|
||||||
@@ -603,7 +604,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
||||||
"ipaNTHomeDirectory", &strres);
|
|
||||||
switch (ret) {
|
|
||||||
case 0:
|
|
||||||
@@ -617,7 +618,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
||||||
"ipaNTHomeDirectoryDrive", &strres);
|
|
||||||
switch (ret) {
|
|
||||||
case 0:
|
|
||||||
@@ -648,7 +649,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
info3->base.rid = 515;
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
|
|
||||||
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
|
||||||
"ipaNTSecurityIdentifier", &strres);
|
|
||||||
if (ret) {
|
|
||||||
/* SID is mandatory */
|
|
||||||
@@ -665,7 +666,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results);
|
|
||||||
+ ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
|
|
||||||
switch (ret) {
|
|
||||||
LDAPDerefRes *dres;
|
|
||||||
LDAPDerefVal *dval;
|
|
||||||
@@ -2511,7 +2512,7 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si
|
|
||||||
krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
||||||
{
|
|
||||||
struct ipadb_adtrusts *t;
|
|
||||||
- LDAP *lc = ipactx->lcontext;
|
|
||||||
+ LDAP *lc = NULL;
|
|
||||||
char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName",
|
|
||||||
"ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
|
|
||||||
"ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL };
|
|
||||||
@@ -2545,6 +2546,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
||||||
goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ lc = ipactx->lcontext;
|
|
||||||
for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) {
|
|
||||||
dnstr = ldap_get_dn(lc, le);
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
||||||
index d1fa51578..cf1b4f53e 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
||||||
@@ -333,6 +333,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
|
|
||||||
if (gcfg != NULL)
|
|
||||||
gua = gcfg->user_auth;
|
|
||||||
|
|
||||||
+ /* lcontext == NULL means ipadb_get_global_config() failed to load
|
|
||||||
+ * global config and cleared the ipactx */
|
|
||||||
+ if (ipactx->lcontext == NULL)
|
|
||||||
+ return IPADB_USER_AUTH_NONE;
|
|
||||||
+
|
|
||||||
/* Get the user's user_auth settings if not disabled. */
|
|
||||||
if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
|
|
||||||
ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
|
|
||||||
@@ -607,8 +612,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
|
||||||
free(entry);
|
|
||||||
return KRB5_KDB_DBNOTINITED;
|
|
||||||
}
|
|
||||||
- lcontext = ipactx->lcontext;
|
|
||||||
- if (!lcontext) {
|
|
||||||
+
|
|
||||||
+ entry->magic = KRB5_KDB_MAGIC_NUMBER;
|
|
||||||
+ entry->len = KRB5_KDB_V1_BASE_LENGTH;
|
|
||||||
+
|
|
||||||
+ /* Get User Auth configuration. */
|
|
||||||
+ ua = ipadb_get_user_auth(ipactx, lentry);
|
|
||||||
+
|
|
||||||
+ /* ipadb_get_user_auth() calls into ipadb_get_global_config()
|
|
||||||
+ * and that might fail, causing lcontext to become NULL */
|
|
||||||
+ if (!ipactx->lcontext) {
|
|
||||||
krb5_klog_syslog(LOG_INFO,
|
|
||||||
"No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
|
|
||||||
ret = ipadb_get_connection(ipactx);
|
|
||||||
@@ -620,11 +633,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- entry->magic = KRB5_KDB_MAGIC_NUMBER;
|
|
||||||
- entry->len = KRB5_KDB_V1_BASE_LENGTH;
|
|
||||||
-
|
|
||||||
- /* Get User Auth configuration. */
|
|
||||||
- ua = ipadb_get_user_auth(ipactx, lentry);
|
|
||||||
+ /* If any code below would result in invalidating ipactx->lcontext,
|
|
||||||
+ * lcontext must be updated with the new ipactx->lcontext value.
|
|
||||||
+ * We rely on the fact that none of LDAP-parsing helpers does it. */
|
|
||||||
+ lcontext = ipactx->lcontext;
|
|
||||||
|
|
||||||
/* ignore mask for now */
|
|
||||||
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
From 0da9de495ca41a1bf0926aef7c9c75c3e53dcd63 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Tue, 23 Feb 2021 10:06:25 +0200
|
|
||||||
Subject: [PATCH] ipa-kdb: fix compiler warnings
|
|
||||||
|
|
||||||
There are few fields in KDB structures that have 'conflicting' types but
|
|
||||||
need to be compared. They come from MIT Kerberos and we have no choice
|
|
||||||
here.
|
|
||||||
|
|
||||||
In the same way, SID structures have own requirements.
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
daemons/ipa-kdb/ipa_kdb_audit_as.c | 4 ++--
|
|
||||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 6 +++---
|
|
||||||
daemons/ipa-kdb/ipa_kdb_principals.c | 6 +++---
|
|
||||||
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +-
|
|
||||||
4 files changed, 9 insertions(+), 9 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
|
|
||||||
index ed48ea758..ec2046bfe 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
|
|
||||||
@@ -112,13 +112,13 @@ void ipadb_audit_as_req(krb5_context kcontext,
|
|
||||||
|
|
||||||
if (krb5_ts_after(krb5_ts_incr(client->last_failed,
|
|
||||||
ied->pol->lockout_duration), authtime) &&
|
|
||||||
- (client->fail_auth_count >= ied->pol->max_fail &&
|
|
||||||
+ (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail &&
|
|
||||||
ied->pol->max_fail != 0)) {
|
|
||||||
/* client already locked, nothing more to do */
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
if (ied->pol->max_fail == 0 ||
|
|
||||||
- client->fail_auth_count < ied->pol->max_fail) {
|
|
||||||
+ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
|
|
||||||
/* let's increase the fail counter */
|
|
||||||
client->fail_auth_count++;
|
|
||||||
client->mask |= KMASK_FAIL_AUTH_COUNT;
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
index 81a8fd483..9691b14f6 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
@@ -148,9 +148,9 @@ int string_to_sid(const char *str, struct dom_sid *sid)
|
|
||||||
|
|
||||||
char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
|
|
||||||
{
|
|
||||||
- size_t c;
|
|
||||||
+ int8_t c;
|
|
||||||
size_t len;
|
|
||||||
- int ofs;
|
|
||||||
+ size_t ofs;
|
|
||||||
uint32_t ia;
|
|
||||||
char *buf;
|
|
||||||
|
|
||||||
@@ -2612,7 +2612,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
||||||
|
|
||||||
t[n].upn_suffixes_len = NULL;
|
|
||||||
if (t[n].upn_suffixes != NULL) {
|
|
||||||
- size_t len = 0;
|
|
||||||
+ int len = 0;
|
|
||||||
|
|
||||||
for (; t[n].upn_suffixes[len] != NULL; len++);
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
||||||
index cf1b4f53e..0a98ff054 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
|
||||||
@@ -494,7 +494,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext,
|
|
||||||
l = len;
|
|
||||||
for (i = 0; i < count; i++) {
|
|
||||||
ret = snprintf(ap, l, "%s ", authinds[i]);
|
|
||||||
- if (ret <= 0 || ret > l) {
|
|
||||||
+ if (ret <= 0 || ret > (int) l) {
|
|
||||||
ret = ENOMEM;
|
|
||||||
goto cleanup;
|
|
||||||
}
|
|
||||||
@@ -2086,7 +2086,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
|
|
||||||
char *s = NULL;
|
|
||||||
size_t ai_size = 0;
|
|
||||||
int cnt = 0;
|
|
||||||
- int i = 0;
|
|
||||||
+ size_t i = 0;
|
|
||||||
|
|
||||||
ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais);
|
|
||||||
if (ret) {
|
|
||||||
@@ -2467,7 +2467,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods)
|
|
||||||
{
|
|
||||||
krb5_error_code kerr;
|
|
||||||
LDAPMod *m = NULL;
|
|
||||||
- int i;
|
|
||||||
+ size_t i;
|
|
||||||
|
|
||||||
kerr = ipadb_mods_new(imods, &m);
|
|
||||||
if (kerr) {
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
|
|
||||||
index 4965e6d7f..6f21ef867 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
|
|
||||||
@@ -361,7 +361,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
|
|
||||||
}
|
|
||||||
|
|
||||||
if (ied->pol->max_fail == 0 ||
|
|
||||||
- client->fail_auth_count < ied->pol->max_fail) {
|
|
||||||
+ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
|
|
||||||
/* still within allowed failures range */
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
From c7ce801b590e29263e9b1904995c603735007771 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Wed, 24 Feb 2021 20:51:40 +0200
|
|
||||||
Subject: [PATCH] ipa-kdb: add missing prototypes
|
|
||||||
|
|
||||||
On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings
|
|
||||||
about function prototypes missing. If -Werror is specified, this breaks
|
|
||||||
compilation.
|
|
||||||
|
|
||||||
We also default to -Werror=implicit-function-declaration
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 4 ++++
|
|
||||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 20 ++++++++++++--------
|
|
||||||
daemons/ipa-kdb/ipa_kdb_mspac_private.h | 4 ++++
|
|
||||||
3 files changed, 20 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
|
||||||
index a89f8bbda..aa61a2d1b 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
|
|
||||||
@@ -14,6 +14,10 @@
|
|
||||||
#define ONE_DAY_SECONDS (24 * 60 * 60)
|
|
||||||
#define JITTER_WINDOW_SECONDS (1 * 60 * 60)
|
|
||||||
|
|
||||||
+krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context,
|
|
||||||
+ int maj_ver, int min_ver,
|
|
||||||
+ krb5_plugin_vtable vtable);
|
|
||||||
+
|
|
||||||
static void
|
|
||||||
jitter(krb5_deltat baseline, krb5_deltat *lifetime_out)
|
|
||||||
{
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
index 9691b14f6..47b12a16f 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
|
||||||
@@ -2408,9 +2408,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
|
|
||||||
*mspac = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
-krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
|
|
||||||
- struct dom_sid **result_sids,
|
|
||||||
- int *result_length)
|
|
||||||
+static krb5_error_code
|
|
||||||
+ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
|
|
||||||
+ struct dom_sid **result_sids,
|
|
||||||
+ int *result_length)
|
|
||||||
{
|
|
||||||
int len, i;
|
|
||||||
char **source;
|
|
||||||
@@ -2441,9 +2442,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
-krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
|
|
||||||
- char **sid_blocklist_incoming,
|
|
||||||
- char **sid_blocklist_outgoing)
|
|
||||||
+static krb5_error_code
|
|
||||||
+ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
|
|
||||||
+ char **sid_blocklist_incoming,
|
|
||||||
+ char **sid_blocklist_outgoing)
|
|
||||||
{
|
|
||||||
krb5_error_code kerr;
|
|
||||||
|
|
||||||
@@ -2464,7 +2466,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
-krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
|
|
||||||
+static krb5_error_code
|
|
||||||
+ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
|
|
||||||
{
|
|
||||||
char *attrs[] = { NULL };
|
|
||||||
char *filter = "(objectclass=ipaNTTrustedDomain)";
|
|
||||||
@@ -2509,7 +2512,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
-krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
||||||
+static krb5_error_code
|
|
||||||
+ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
|
|
||||||
{
|
|
||||||
struct ipadb_adtrusts *t;
|
|
||||||
LDAP *lc = NULL;
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
|
||||||
index d23a14a0b..8c8a3a001 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
|
|
||||||
@@ -53,3 +53,7 @@ struct ipadb_adtrusts {
|
|
||||||
|
|
||||||
int string_to_sid(const char *str, struct dom_sid *sid);
|
|
||||||
char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid);
|
|
||||||
+krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx,
|
|
||||||
+ krb5_data realm, struct PAC_LOGON_INFO_CTR *info);
|
|
||||||
+void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
|
|
||||||
+ bool *_with_pac, bool *_with_pad);
|
|
||||||
\ No newline at end of file
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
From f340baa4283c76957d9e0a85896c7fa3a994bba6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Wed, 24 Feb 2021 20:52:15 +0200
|
|
||||||
Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth
|
|
||||||
|
|
||||||
Add prototype to the exported function
|
|
||||||
|
|
||||||
Replace few tabs by spaces and mark static code as static.
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++-----------
|
|
||||||
1 file changed, 14 insertions(+), 11 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
|
|
||||||
index bc6b26578..3a3060c92 100644
|
|
||||||
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
|
|
||||||
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
|
|
||||||
@@ -71,10 +71,13 @@ struct krb5_certauth_moddata_st {
|
|
||||||
time_t valid_until;
|
|
||||||
};
|
|
||||||
|
|
||||||
-void ipa_certmap_debug(void *private,
|
|
||||||
- const char *file, long line,
|
|
||||||
- const char *function,
|
|
||||||
- const char *format, ...)
|
|
||||||
+krb5_error_code certauth_ipakdb_initvt(krb5_context context,
|
|
||||||
+ int maj_ver, int min_ver,
|
|
||||||
+ krb5_plugin_vtable vtable);
|
|
||||||
+
|
|
||||||
+static void ipa_certmap_debug(void *private, const char *file, long line,
|
|
||||||
+ const char *function,
|
|
||||||
+ const char *format, ...)
|
|
||||||
{
|
|
||||||
va_list ap;
|
|
||||||
char str[255] = { 0 };
|
|
||||||
@@ -354,12 +357,12 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
|
|
||||||
* so there is nothing more to add here. */
|
|
||||||
auth_inds = calloc(2, sizeof(char *));
|
|
||||||
if (auth_inds != NULL) {
|
|
||||||
- ret = asprintf(&auth_inds[0], "pkinit");
|
|
||||||
- if (ret != -1) {
|
|
||||||
+ ret = asprintf(&auth_inds[0], "pkinit");
|
|
||||||
+ if (ret != -1) {
|
|
||||||
auth_inds[1] = NULL;
|
|
||||||
*authinds_out = auth_inds;
|
|
||||||
- } else {
|
|
||||||
- free(auth_inds);
|
|
||||||
+ } else {
|
|
||||||
+ free(auth_inds);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -404,12 +407,12 @@ static void ipa_certauth_free_indicator(krb5_context context,
|
|
||||||
size_t i = 0;
|
|
||||||
|
|
||||||
if ((authinds == NULL) || (moddata == NULL)) {
|
|
||||||
- return;
|
|
||||||
+ return;
|
|
||||||
}
|
|
||||||
|
|
||||||
for(i=0; authinds[i]; i++) {
|
|
||||||
- free(authinds[i]);
|
|
||||||
- authinds[i] = NULL;
|
|
||||||
+ free(authinds[i]);
|
|
||||||
+ authinds[i] = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
free(authinds);
|
|
||||||
--
|
|
||||||
2.29.2
|
|
||||||
|
|
||||||
From 2968609fd9f8f91b704dc8167d39ecc67beb8ddd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Wed, 24 Feb 2021 20:55:41 +0200
|
|
||||||
Subject: [PATCH] ipa-kdb: mark test functions as static
|
|
||||||
|
|
||||||
No need to define missing prototypes to single use test functions.
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
daemons/ipa-kdb/tests/ipa_kdb_tests.c | 13 +++++--------
|
|
||||||
1 file changed, 5 insertions(+), 8 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
|
||||||
index 2a174ce6b..0b51ffb96 100644
|
|
||||||
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
|
||||||
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
|
|
||||||
@@ -181,7 +181,7 @@ extern krb5_error_code filter_logon_info(krb5_context context,
|
|
||||||
krb5_data realm,
|
|
||||||
struct PAC_LOGON_INFO_CTR *info);
|
|
||||||
|
|
||||||
-void test_filter_logon_info(void **state)
|
|
||||||
+static void test_filter_logon_info(void **state)
|
|
||||||
{
|
|
||||||
krb5_error_code kerr;
|
|
||||||
krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
|
|
||||||
@@ -316,10 +316,7 @@ void test_filter_logon_info(void **state)
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
-extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
|
|
||||||
- bool *with_pac, bool *with_pad);
|
|
||||||
-
|
|
||||||
-void test_get_authz_data_types(void **state)
|
|
||||||
+static void test_get_authz_data_types(void **state)
|
|
||||||
{
|
|
||||||
bool with_pac;
|
|
||||||
bool with_pad;
|
|
||||||
@@ -437,7 +434,7 @@ void test_get_authz_data_types(void **state)
|
|
||||||
krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
|
|
||||||
}
|
|
||||||
|
|
||||||
-void test_string_to_sid(void **state)
|
|
||||||
+static void test_string_to_sid(void **state)
|
|
||||||
{
|
|
||||||
int ret;
|
|
||||||
struct dom_sid sid;
|
|
||||||
@@ -469,7 +466,7 @@ void test_string_to_sid(void **state)
|
|
||||||
assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
|
|
||||||
}
|
|
||||||
|
|
||||||
-void test_dom_sid_string(void **state)
|
|
||||||
+static void test_dom_sid_string(void **state)
|
|
||||||
{
|
|
||||||
struct test_ctx *test_ctx;
|
|
||||||
char *str_sid;
|
|
||||||
@@ -495,7 +492,7 @@ void test_dom_sid_string(void **state)
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
-void test_check_trusted_realms(void **state)
|
|
||||||
+static void test_check_trusted_realms(void **state)
|
|
||||||
{
|
|
||||||
struct test_ctx *test_ctx;
|
|
||||||
krb5_error_code kerr = 0;
|
|
||||||
--
|
|
||||||
2.29.2
|
|
@ -1,64 +0,0 @@
From 061e0b63ef3a72ba3261b42ec5f2ce290070c613 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Mon, 15 Mar 2021 16:55:08 +0100
|
|
||||||
Subject: [PATCH] ipa-client-install: output a warning if sudo is not present
|
|
||||||
(2)
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8530
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
|
||||||
---
|
|
||||||
ipaclient/install/client.py | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
|
|
||||||
index 0e478fa26..9bdfbddaf 100644
|
|
||||||
--- a/ipaclient/install/client.py
|
|
||||||
+++ b/ipaclient/install/client.py
|
|
||||||
@@ -2205,7 +2205,7 @@ def install_check(options):
|
|
||||||
# available.
|
|
||||||
if options.conf_sudo:
|
|
||||||
try:
|
|
||||||
- subprocess.Popen(['sudo -V'])
|
|
||||||
+ subprocess.Popen(['sudo', '-V'])
|
|
||||||
except FileNotFoundError:
|
|
||||||
logger.info(
|
|
||||||
"The sudo binary does not seem to be present on this "
|
|
||||||
--
|
|
||||||
2.30.2
|
|
||||||
|
|
||||||
From 4b917833fdd62cce2fd72809fd5c963194efba3e Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
|
||||||
Date: Mon, 15 Mar 2021 17:00:05 +0100
|
|
||||||
Subject: [PATCH] ipatests: check for the "no sudo present" string absence
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
When sudo is installed, no warning should be output about sudo not
|
|
||||||
being available (obviously). Check that the relevant string is
|
|
||||||
not present.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/8530
|
|
||||||
Signed-off-by: François Cami <fcami@redhat.com>
|
|
||||||
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_installation.py | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
|
||||||
index a50a59f1a..a5ff17a0d 100644
|
|
||||||
--- a/ipatests/test_integration/test_installation.py
|
|
||||||
+++ b/ipatests/test_integration/test_installation.py
|
|
||||||
@@ -1620,3 +1620,5 @@ class TestInstallWithoutSudo(IntegrationTest):
|
|
||||||
tasks.install_packages(self.clients[0], ['sudo'])
|
|
||||||
for pkg in ('sudo', 'libsss_sudo'):
|
|
||||||
assert tasks.is_package_installed(self.clients[0], pkg)
|
|
||||||
+ result = tasks.install_client(self.master, self.clients[0])
|
|
||||||
+ assert self.no_sudo_str not in result.stderr_text
|
|
||||||
--
|
|
||||||
2.30.2
|
|
||||||
@ -0,0 +1,37 @@
From 3c4f9e7347965ff9a887147df34e720224ffa7cc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Tue, 7 Sep 2021 17:06:53 +0200
|
||||||
|
Subject: [PATCH] migrate-ds: workaround to detect compat tree
|
||||||
|
|
||||||
|
Migrate-ds needs to check if compat tree is enabled before
|
||||||
|
migrating users and groups. The check is doing a base
|
||||||
|
search on cn=compat,$SUFFIX and considers the compat tree
|
||||||
|
enabled when the entry exists.
|
||||||
|
|
||||||
|
Due to a bug in slapi-nis, the base search may return NotFound
|
||||||
|
even though the compat tree is enabled. The workaround is to
|
||||||
|
perform a base search on cn=users,cn=compat,$SUFFIX instead.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/8984
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
---
|
||||||
|
ipaserver/plugins/migration.py | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
|
||||||
|
index db5241915..6ee205fc8 100644
|
||||||
|
--- a/ipaserver/plugins/migration.py
|
||||||
|
+++ b/ipaserver/plugins/migration.py
|
||||||
|
@@ -922,7 +922,8 @@ migration process might be incomplete\n''')
|
||||||
|
# check whether the compat plugin is enabled
|
||||||
|
if not options.get('compat'):
|
||||||
|
try:
|
||||||
|
- ldap.get_entry(DN(('cn', 'compat'), (api.env.basedn)))
|
||||||
|
+ ldap.get_entry(DN(('cn', 'users'), ('cn', 'compat'),
|
||||||
|
+ (api.env.basedn)))
|
||||||
|
return dict(result={}, failed={}, enabled=True, compat=False)
|
||||||
|
except errors.NotFound:
|
||||||
|
pass
|
||||||
|
--
|
||||||
|
2.31.1
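Review bot: The base search on `cn=users,cn=compat,$SUFFIX` replaces a search on `cn=compat` itself for a reason that lives only in the commit message; in the code it reads like an oversight and is likely to be "corrected" back to the parent entry. Add a why-comment above the `try:` in this hunk, e.g. `# Probe cn=users below cn=compat: a base search on cn=compat itself can return NotFound even when the compat tree is enabled (slapi-nis bug, freeipa issue 8984).` Separately, `(api.env.basedn)` is a parenthesised expression rather than a one-element tuple, so `DN()` receives the DN object directly; it works, but writing `api.env.basedn` without the parentheses says what is meant. The enclosing command body starts outside the hunk.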
@ -1,54 +0,0 @@
From 1aa3f7a7fd24c651aafde150351328148fd517be Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Thu, 6 May 2021 14:10:44 -0400
|
|
||||||
Subject: [PATCH] Only attempt to upgrade ACME configuration files if deployed
|
|
||||||
|
|
||||||
This can happen on upgrades from older deployments that lack
|
|
||||||
an ACME installation and don't meet the minimum requirements
|
|
||||||
to deploy one automatically.
|
|
||||||
|
|
||||||
Also don't consider missing ACME schema a total failure, just
|
|
||||||
log and skip it.
|
|
||||||
|
|
||||||
https://pagure.io/freeipa/issue/8832
|
|
||||||
|
|
||||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
---
|
|
||||||
ipaserver/install/server/upgrade.py | 13 ++++++++++++-
|
|
||||||
1 file changed, 12 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
|
|
||||||
index e60524084..75bf26b8e 100644
|
|
||||||
--- a/ipaserver/install/server/upgrade.py
|
|
||||||
+++ b/ipaserver/install/server/upgrade.py
|
|
||||||
@@ -1122,7 +1122,8 @@ def ca_upgrade_schema(ca):
|
|
||||||
acme_schema_ldif = path
|
|
||||||
break
|
|
||||||
else:
|
|
||||||
- raise RuntimeError('ACME schema file not found')
|
|
||||||
+ logger.info('ACME schema is not available')
|
|
||||||
+ return False
|
|
||||||
|
|
||||||
schema_files=[
|
|
||||||
'/usr/share/pki/server/conf/schema-certProfile.ldif',
|
|
||||||
@@ -1530,6 +1531,16 @@ def ca_update_acme_configuration(ca, fqdn):
|
|
||||||
"""
|
|
||||||
Re-apply the templates in case anyting has been updated.
|
|
||||||
"""
|
|
||||||
+ logger.info('[Updating ACME configuration]')
|
|
||||||
+ if not os.path.isdir(os.path.join(paths.PKI_TOMCAT, 'acme')):
|
|
||||||
+ logger.info('ACME is not deployed, skipping')
|
|
||||||
+ return
|
|
||||||
+
|
|
||||||
+ if not os.path.exists(paths.PKI_ACME_ISSUER_CONF):
|
|
||||||
+ logger.info('ACME configuration file %s is missing',
|
|
||||||
+ paths.PKI_ACME_ISSUER_CONF)
|
|
||||||
+ return
|
|
||||||
+
|
|
||||||
password = directivesetter.get_directive(
|
|
||||||
paths.PKI_ACME_ISSUER_CONF,
|
|
||||||
'password',
|
|
||||||
--
|
|
||||||
2.31.1
|
|
||||||
@ -0,0 +1,89 @@
From a3d71eb72a6125a80a9d7b698f34dcb95dc25184 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Anuja More <amore@redhat.com>
|
||||||
|
Date: Thu, 5 Aug 2021 20:03:21 +0530
|
||||||
|
Subject: [PATCH] ipatests: Test ldapsearch with base scope works with compat
|
||||||
|
tree.
|
||||||
|
|
||||||
|
Added test to verify that ldapsearch for compat tree
|
||||||
|
with scope base and sub is not failing.
|
||||||
|
|
||||||
|
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
|
||||||
|
|
||||||
|
Signed-off-by: Anuja More <amore@redhat.com>
|
||||||
|
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_commands.py | 13 +++++++++++++
|
||||||
|
1 file changed, 13 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
|
||||||
|
index 2035ced56..e3a0d867e 100644
|
||||||
|
--- a/ipatests/test_integration/test_commands.py
|
||||||
|
+++ b/ipatests/test_integration/test_commands.py
|
||||||
|
@@ -1558,6 +1558,19 @@ class TestIPACommandWithoutReplica(IntegrationTest):
|
||||||
|
# Run the command again after cache is removed
|
||||||
|
self.master.run_command(['ipa', 'user-show', 'ipauser1'])
|
||||||
|
|
||||||
|
+ def test_basesearch_compat_tree(self):
|
||||||
|
+ """Test ldapsearch against compat tree is working
|
||||||
|
+
|
||||||
|
+ This to ensure that ldapsearch with base scope is not failing.
|
||||||
|
+
|
||||||
|
+ related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
|
||||||
|
+ """
|
||||||
|
+ tasks.kinit_admin(self.master)
|
||||||
|
+ base_dn = str(self.master.domain.basedn)
|
||||||
|
+ base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
|
||||||
|
+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='sub')
|
||||||
|
+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='base')
|
||||||
|
+
|
||||||
|
|
||||||
|
class TestIPAautomount(IntegrationTest):
|
||||||
|
@classmethod
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
||||||
|
From d4062e407d242a72b9d4e32f4fdd6aed086ce005 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Anuja More <amore@redhat.com>
|
||||||
|
Date: Thu, 5 Aug 2021 20:23:15 +0530
|
||||||
|
Subject: [PATCH] ipatests: skip test_basesearch_compat_tree on fedora.
|
||||||
|
|
||||||
|
slapi-nis with fix is not part of fedora yet.
|
||||||
|
test requires with fix:
|
||||||
|
https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177?
|
||||||
|
|
||||||
|
Signed-off-by: Anuja More <amore@redhat.com>
|
||||||
|
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_commands.py | 7 +++++++
|
||||||
|
1 file changed, 7 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
|
||||||
|
index e3a0d867e..4d9a81652 100644
|
||||||
|
--- a/ipatests/test_integration/test_commands.py
|
||||||
|
+++ b/ipatests/test_integration/test_commands.py
|
||||||
|
@@ -38,6 +38,7 @@ from ipatests.create_external_ca import ExternalCA
|
||||||
|
from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
|
||||||
|
from ipapython.ipautil import realm_to_suffix, ipa_generate_password
|
||||||
|
from ipaserver.install.installutils import realm_to_serverid
|
||||||
|
+from pkg_resources import parse_version
|
||||||
|
|
||||||
|
logger = logging.getLogger(__name__)
|
||||||
|
|
||||||
|
@@ -1565,6 +1566,12 @@ class TestIPACommandWithoutReplica(IntegrationTest):
|
||||||
|
|
||||||
|
related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
|
||||||
|
"""
|
||||||
|
+ version = self.master.run_command(
|
||||||
|
+ ["rpm", "-qa", "--qf", "%{VERSION}", "slapi-nis"]
|
||||||
|
+ )
|
||||||
|
+ if tasks.get_platform(self.master) == "fedora" and parse_version(
|
||||||
|
+ version.stdout_text) <= parse_version("0.56.7"):
|
||||||
|
+ pytest.skip("Test requires slapi-nis with fix on fedora")
|
||||||
|
tasks.kinit_admin(self.master)
|
||||||
|
base_dn = str(self.master.domain.basedn)
|
||||||
|
base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
|
||||||
|
--
|
||||||
|
2.31.1
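Review bot: The slapi-nis version probe added ahead of `tasks.kinit_admin` is fragile: `rpm -qa --qf "%{VERSION}" slapi-nis` prints no separator, so with more than one matching package installed the versions concatenate into a single string, and with none installed it prints nothing and `parse_version` is handed an empty string. Querying with `-q` and a trailing newline, then taking the first line, avoids both: `["rpm", "-q", "--qf", "%{VERSION}\n", "slapi-nis"]` and `parse_version(version.stdout_text.splitlines()[0])`. The probe also runs on every platform although its result is only consulted on fedora; moving it inside the `tasks.get_platform(self.master) == "fedora"` branch keeps the skip logic self-contained. The hunk relies on `pytest` already being imported by test_commands.py, which it does not show.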
162
SOURCES/0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
@ -0,0 +1,162 @@
From 4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Anuja More <amore@redhat.com>
|
||||||
|
Date: Mon, 9 Aug 2021 20:57:22 +0530
|
||||||
|
Subject: [PATCH] ipatests: Test unsecure nsupdate.
|
||||||
|
|
||||||
|
The test configures an external bind server on the ipa-server
|
||||||
|
(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
|
||||||
|
|
||||||
|
When the IPA client is registered using ipa-client-install,
|
||||||
|
DNS records are added for the client in the bind server using nsupdate.
|
||||||
|
The first try is using GSS-TIG but fails as expected, and the client
|
||||||
|
installer then tries with unauthenticated nsupdate.
|
||||||
|
|
||||||
|
Related : https://pagure.io/freeipa/issue/8402
|
||||||
|
|
||||||
|
Signed-off-by: Anuja More <amore@redhat.com>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||||
|
---
|
||||||
|
.../test_installation_client.py | 118 ++++++++++++++++++
|
||||||
|
1 file changed, 118 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py
|
||||||
|
index fa59a5255..014b0f6ab 100644
|
||||||
|
--- a/ipatests/test_integration/test_installation_client.py
|
||||||
|
+++ b/ipatests/test_integration/test_installation_client.py
|
||||||
|
@@ -8,10 +8,15 @@ Module provides tests for various options of ipa-client-install.
|
||||||
|
|
||||||
|
from __future__ import absolute_import
|
||||||
|
|
||||||
|
+import pytest
|
||||||
|
+import re
|
||||||
|
import shlex
|
||||||
|
+import textwrap
|
||||||
|
|
||||||
|
+from ipaplatform.paths import paths
|
||||||
|
from ipatests.test_integration.base import IntegrationTest
|
||||||
|
from ipatests.pytest_ipa.integration import tasks
|
||||||
|
+from ipatests.pytest_ipa.integration.firewall import Firewall
|
||||||
|
|
||||||
|
|
||||||
|
class TestInstallClient(IntegrationTest):
|
||||||
|
@@ -70,3 +75,116 @@ class TestInstallClient(IntegrationTest):
|
||||||
|
extra_args=['--ssh-trust-dns'])
|
||||||
|
result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config'])
|
||||||
|
assert 'HostKeyAlgorithms' not in result.stdout_text
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+class TestClientInstallBind(IntegrationTest):
|
||||||
|
+ """
|
||||||
|
+ The test configures an external bind server on the ipa-server
|
||||||
|
+ (not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
|
||||||
|
+ When the IPA client is registered using ipa-client-install,
|
||||||
|
+ DNS records are added for the client in the bind server using nsupdate.
|
||||||
|
+ The first try is using GSS-TIG but fails as expected, and the client
|
||||||
|
+ installer then tries with unauthenticated nsupdate.
|
||||||
|
+ """
|
||||||
|
+
|
||||||
|
+ num_clients = 1
|
||||||
|
+
|
||||||
|
+ @classmethod
|
||||||
|
+ def install(cls, mh):
|
||||||
|
+ cls.client = cls.clients[0]
|
||||||
|
+
|
||||||
|
+ @pytest.fixture
|
||||||
|
+ def setup_bindserver(self):
|
||||||
|
+ bindserver = self.master
|
||||||
|
+ named_conf_backup = tasks.FileBackup(self.master, paths.NAMED_CONF)
|
||||||
|
+ # create a zone in the BIND server that is identical to the IPA
|
||||||
|
+ add_zone = textwrap.dedent("""
|
||||||
|
+ zone "{domain}" IN {{ type master;
|
||||||
|
+ file "{domain}.db"; allow-query {{ any; }};
|
||||||
|
+ allow-update {{ any; }}; }};
|
||||||
|
+ """).format(domain=bindserver.domain.name)
|
||||||
|
+
|
||||||
|
+ namedcfg = bindserver.get_file_contents(
|
||||||
|
+ paths.NAMED_CONF, encoding='utf-8')
|
||||||
|
+ namedcfg += '\n' + add_zone
|
||||||
|
+ bindserver.put_file_contents(paths.NAMED_CONF, namedcfg)
|
||||||
|
+
|
||||||
|
+ def update_contents(path, pattern, replace):
|
||||||
|
+ contents = bindserver.get_file_contents(path, encoding='utf-8')
|
||||||
|
+ namedcfg_query = re.sub(pattern, replace, contents)
|
||||||
|
+ bindserver.put_file_contents(path, namedcfg_query)
|
||||||
|
+
|
||||||
|
+ update_contents(paths.NAMED_CONF, 'localhost;', 'any;')
|
||||||
|
+ update_contents(paths.NAMED_CONF, "listen-on port 53 { 127.0.0.1; };",
|
||||||
|
+ "#listen-on port 53 { 127.0.0.1; };")
|
||||||
|
+ update_contents(paths.NAMED_CONF, "listen-on-v6 port 53 { ::1; };",
|
||||||
|
+ "#listen-on-v6 port 53 { ::1; };")
|
||||||
|
+
|
||||||
|
+ add_records = textwrap.dedent("""
|
||||||
|
+ @ IN SOA {fqdn}. root.{domain}. (
|
||||||
|
+ 1001 ;Serial
|
||||||
|
+ 3H ;Refresh
|
||||||
|
+ 15M ;Retry
|
||||||
|
+ 1W ;Expire
|
||||||
|
+ 1D ;Minimum 1D
|
||||||
|
+ )
|
||||||
|
+ @ IN NS {fqdn}.
|
||||||
|
+ ns1 IN A {bindserverip}
|
||||||
|
+ _kerberos.{domain}. IN TXT {zoneupper}
|
||||||
|
+ {fqdn}. IN A {bindserverip}
|
||||||
|
+ ipa-ca.{domain}. IN A {bindserverip}
|
||||||
|
+ _kerberos-master._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
|
||||||
|
+ _kerberos-master._udp.{domain}. IN SRV 0 100 88 {fqdn}.
|
||||||
|
+ _kerberos._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
|
||||||
|
+ _kerberos._udp.{domain}. IN SRV 0 100 88 {fqdn}.
|
||||||
|
+ _kpasswd._tcp.{domain}. IN SRV 0 100 464 {fqdn}.
|
||||||
|
+ _kpasswd._udp.{domain}. IN SRV 0 100 464 {fqdn}.
|
||||||
|
+ _ldap._tcp.{domain}. IN SRV 0 100 389 {fqdn}.
|
||||||
|
+ """).format(
|
||||||
|
+ fqdn=bindserver.hostname,
|
||||||
|
+ domain=bindserver.domain.name,
|
||||||
|
+ bindserverip=bindserver.ip,
|
||||||
|
+ zoneupper=bindserver.domain.name.upper()
|
||||||
|
+ )
|
||||||
|
+ bindserverdb = "/var/named/{0}.db".format(bindserver.domain.name)
|
||||||
|
+ bindserver.put_file_contents(bindserverdb, add_records)
|
||||||
|
+ bindserver.run_command(['systemctl', 'start', 'named'])
|
||||||
|
+ Firewall(bindserver).enable_services(["dns"])
|
||||||
|
+ yield
|
||||||
|
+ named_conf_backup.restore()
|
||||||
|
+ bindserver.run_command(['rm', '-rf', bindserverdb])
|
||||||
|
+
|
||||||
|
+ def test_client_nsupdate(self, setup_bindserver):
|
||||||
|
+ """Test secure nsupdate failed, then try unsecure nsupdate..
|
||||||
|
+
|
||||||
|
+ Test to verify when bind is configured with dynamic update policy,
|
||||||
|
+ and during client-install 'nsupdate -g' fails then it should run with
|
||||||
|
+ second call using unauthenticated nsupdate.
|
||||||
|
+
|
||||||
|
+ Related : https://pagure.io/freeipa/issue/8402
|
||||||
|
+ """
|
||||||
|
+ # with pre-configured bind server, install ipa-server without dns.
|
||||||
|
+ tasks.install_master(self.master, setup_dns=False)
|
||||||
|
+ self.client.resolver.backup()
|
||||||
|
+ self.client.resolver.setup_resolver(
|
||||||
|
+ self.master.ip, self.master.domain.name)
|
||||||
|
+ try:
|
||||||
|
+ self.client.run_command(['ipa-client-install', '-U',
|
||||||
|
+ '--domain', self.client.domain.name,
|
||||||
|
+ '--realm', self.client.domain.realm,
|
||||||
|
+ '-p', self.client.config.admin_name,
|
||||||
|
+ '-w', self.client.config.admin_password,
|
||||||
|
+ '--server', self.master.hostname])
|
||||||
|
+ # call unauthenticated nsupdate if GSS-TSIG nsupdate failed.
|
||||||
|
+ str1 = "nsupdate (GSS-TSIG) failed"
|
||||||
|
+ str2 = "'/usr/bin/nsupdate', '/etc/ipa/.dns_update.txt'"
|
||||||
|
+ client_log = self.client.get_file_contents(
|
||||||
|
+ paths.IPACLIENT_INSTALL_LOG, encoding='utf-8'
|
||||||
|
+ )
|
||||||
|
+ assert str1 in client_log and str2 in client_log
|
||||||
|
+ dig_after = self.client.run_command(
|
||||||
|
+ ['dig', '@{0}'.format(self.master.ip), self.client.hostname,
|
||||||
|
+ '-t', 'SSHFP'])
|
||||||
|
+ assert "ANSWER: 0" not in dig_after.stdout_text.strip()
|
||||||
|
+ finally:
|
||||||
|
+ self.client.resolver.restore()
|
||||||
|
--
|
||||||
|
2.31.1
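Review bot: The `setup_bindserver` fixture's teardown only restores named.conf and deletes the zone file; `named` is started and the firewall's `dns` service is opened before the `yield`, and neither is undone afterwards, so the master keeps answering DNS on a reachable port for every test that follows. Add `bindserver.run_command(['systemctl', 'stop', 'named'])` after `named_conf_backup.restore()`, plus the firewall counterpart (`Firewall(bindserver).disable_services(["dns"])`, assuming the helper offers the inverse of `enable_services`). The blanket `update_contents(paths.NAMED_CONF, 'localhost;', 'any;')` also rewrites every `localhost;` ACL in the stock config (`allow-query` and any others present), so if that file carries `recursion yes;` the test master briefly becomes an open recursive resolver; replacing the specific `allow-query { localhost; };` line would limit the exposure. In `test_client_nsupdate`, `self.client.resolver.setup_resolver(...)` runs before the `try:`, so a failure there skips `resolver.restore()`; moving that call inside the `try:` closes the gap. The class docstring's `GSS-TIG` should read `GSS-TSIG`.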
@ -0,0 +1,128 @@
From be1e3bbfc13aff9a583108376f245b81cc3666fb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Thu, 9 Sep 2021 15:26:55 -0400
|
||||||
|
Subject: [PATCH] Don't store entries with a usercertificate in the LDAP cache
|
||||||
|
|
||||||
|
usercertificate often has a subclass and both the plain and
|
||||||
|
subclassed (binary) values are queried. I'm concerned that
|
||||||
|
they are used more or less interchangably in places so not
|
||||||
|
caching these entries is the safest path forward for now until
|
||||||
|
we can dedicate the time to find all usages, determine their
|
||||||
|
safety and/or perhaps handle this gracefully within the cache
|
||||||
|
now.
|
||||||
|
|
||||||
|
What we see in this bug is that usercertificate;binary holds the
|
||||||
|
first certificate value but a user-mod is done with
|
||||||
|
setattr usercertificate=<new_cert>. Since there is no
|
||||||
|
usercertificate value (remember, it's usercertificate;binary)
|
||||||
|
a replace is done and 389-ds wipes the existing value as we've
|
||||||
|
asked it to.
|
||||||
|
|
||||||
|
I'm not comfortable with simply treating them the same because
|
||||||
|
in LDAP they are not.
|
||||||
|
|
||||||
|
https://pagure.io/freeipa/issue/8986
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||||
|
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
||||||
|
---
|
||||||
|
ipapython/ipaldap.py | 14 +++++++++++---
|
||||||
|
1 file changed, 11 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
|
||||||
|
index f94b784d6..ced8f1bd6 100644
|
||||||
|
--- a/ipapython/ipaldap.py
|
||||||
|
+++ b/ipapython/ipaldap.py
|
||||||
|
@@ -1821,9 +1821,17 @@ class LDAPCache(LDAPClient):
|
||||||
|
entry=None, exception=None):
|
||||||
|
# idnsname - caching prevents delete when mod value to None
|
||||||
|
# cospriority - in a Class of Service object, uncacheable
|
||||||
|
- # TODO - usercertificate was banned at one point and I don't remember
|
||||||
|
- # why...
|
||||||
|
- BANNED_ATTRS = {'idnsname', 'cospriority'}
|
||||||
|
+ # usercertificate* - caching subtypes is tricky, trade less
|
||||||
|
+ # complexity for performance
|
||||||
|
+ #
|
||||||
|
+ # TODO: teach the cache about subtypes
|
||||||
|
+
|
||||||
|
+ BANNED_ATTRS = {
|
||||||
|
+ 'idnsname',
|
||||||
|
+ 'cospriority',
|
||||||
|
+ 'usercertificate',
|
||||||
|
+ 'usercertificate;binary'
|
||||||
|
+ }
|
||||||
|
if not self._enable_cache:
|
||||||
|
return
|
||||||
|
|
||||||
|
--
|
||||||
|
2.31.1
|
||||||
|
|
||||||
|
From 86588640137562b2016fdb0f91142d00bc38e54a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Fri, 10 Sep 2021 09:01:48 -0400
|
||||||
|
Subject: [PATCH] ipatests: Test that a user can be issued multiple
|
||||||
|
certificates
|
||||||
|
|
||||||
|
Prevent regressions in the LDAP cache layer that caused newly
|
||||||
|
issued certificates to overwrite existing ones.
|
||||||
|
|
||||||
|
https://pagure.io/freeipa/issue/8986
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||||
|
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_cert.py | 29 ++++++++++++++++++++++++++
|
||||||
|
1 file changed, 29 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
|
||||||
|
index 7d51b76ee..b4e85eadc 100644
|
||||||
|
--- a/ipatests/test_integration/test_cert.py
|
||||||
|
+++ b/ipatests/test_integration/test_cert.py
|
||||||
|
@@ -16,6 +16,7 @@ import string
|
||||||
|
import time
|
||||||
|
|
||||||
|
from ipaplatform.paths import paths
|
||||||
|
+from ipapython.dn import DN
|
||||||
|
from cryptography import x509
|
||||||
|
from cryptography.x509.oid import ExtensionOID
|
||||||
|
from cryptography.hazmat.backends import default_backend
|
||||||
|
@@ -183,6 +184,34 @@ class TestInstallMasterClient(IntegrationTest):
|
||||||
|
)
|
||||||
|
assert "profile: caServerCert" in result.stdout_text
|
||||||
|
|
||||||
|
+ def test_multiple_user_certificates(self):
|
||||||
|
+ """Test that a user may be issued multiple certificates"""
|
||||||
|
+ ldap = self.master.ldap_connect()
|
||||||
|
+
|
||||||
|
+ user = 'user1'
|
||||||
|
+
|
||||||
|
+ tasks.kinit_admin(self.master)
|
||||||
|
+ tasks.user_add(self.master, user)
|
||||||
|
+
|
||||||
|
+ for id in (0,1):
|
||||||
|
+ csr_file = f'{id}.csr'
|
||||||
|
+ key_file = f'{id}.key'
|
||||||
|
+ cert_file = f'{id}.crt'
|
||||||
|
+ openssl_cmd = [
|
||||||
|
+ 'openssl', 'req', '-newkey', 'rsa:2048', '-keyout', key_file,
|
||||||
|
+ '-nodes', '-out', csr_file, '-subj', '/CN=' + user]
|
||||||
|
+ self.master.run_command(openssl_cmd)
|
||||||
|
+
|
||||||
|
+ cmd_args = ['ipa', 'cert-request', '--principal', user,
|
||||||
|
+ '--certificate-out', cert_file, csr_file]
|
||||||
|
+ self.master.run_command(cmd_args)
|
||||||
|
+
|
||||||
|
+ # easier to count by pulling the LDAP entry
|
||||||
|
+ entry = ldap.get_entry(DN(('uid', user), ('cn', 'users'),
|
||||||
|
+ ('cn', 'accounts'), self.master.domain.basedn))
|
||||||
|
+
|
||||||
|
+ assert len(entry.get('usercertificate')) == 2
|
||||||
|
+
|
||||||
|
@pytest.fixture
|
||||||
|
def test_subca_certs(self):
|
||||||
|
"""
|
||||||
|
--
|
||||||
|
2.31.1
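Review bot: `BANNED_ATTRS` is rebuilt as a fresh set literal on every call of this method, and it is an exact-name match: LDAP attribute descriptions are case-insensitive and `usercertificate` may carry options other than `;binary`, so whether `userCertificate` or another subtype is caught depends on how the lookup further down (outside the hunk) normalises the name. Hoisting the set to a class-level `BANNED_ATTRS = frozenset({'idnsname', 'cospriority', 'usercertificate'})` and comparing the attribute's base type, `name.lower().split(';', 1)[0] in BANNED_ATTRS`, would make the ban independent of case and subtype; the `# TODO: teach the cache about subtypes` could then name that as the intended direction. The enclosing method's signature starts before the hunk. In the companion test, `for id in (0,1)` shadows the `id` builtin, and `entry.get('usercertificate')` presumably returns `None` when the attribute is absent, which turns a missing-certificate failure into a `TypeError` from `len()`; `entry.get('usercertificate', [])` keeps it an assertion failure.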
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
|
|
||||||
|
|
||||||
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmAqwW4ACgkQRxniuKu/
|
|
||||||
YhoqEw/+J2+fMEF4qYDnb6LPs0h/xbiMU+WG5SI0Ybcy6FUrCp2utFqO6N8r7K3J
|
|
||||||
k9WTcAXweqwEO5aP1fjvbQiIc55lQgN1rlJc+GtnBbPPKabrJB0xgx2VpP2MI8Jl
|
|
||||||
JRSAdSNvSghaR1v0MYL3ly7GPRLUrb1+Avln+eJIHRfAuUjf9j4MWh7VNDsSp7pQ
|
|
||||||
vMqz8OHEvSSRQYGKyJ5vQlcHRQNot2pZoWHVfEcRXMD6qn2N7yUU4o9wNOYvJMw8
|
|
||||||
YEyInE24D13UV33F9K5QrLEaJ7lpIwJ9lmhAFuZoDUC81s5aAmLtNzUWcdwlOSzk
|
|
||||||
tY4T+ucpq+0eH1gUiDm6bME7Uw87nc9KuNS3+Q+P2Y7RdUrrbLj8BIsz30VSk8n1
|
|
||||||
rH2DZo/1NOFwQ5qDN92QjTeGotqCjwK/j+uRB12HkRgOHkouoZjqwcYRfdxmBhKd
|
|
||||||
wk6BdDtvSP4voqqoeuZNCbeOKCYsqE2HlGZE9YiLbBAQs081Ir9Tajpn8sgMVURi
|
|
||||||
7kQN7Xq9/jEl7sQ14VkRMQP8A+rRkmLM1sW3vqhMFDSOyi+qQNnzAnR28qxDBXC3
|
|
||||||
4gG/yFGgqX7mSXsfvTVrjhcVEO6IsqkkPAcFR3Xivpy146LoONSlIGgtA8mGMIeO
|
|
||||||
Zd3awH4T8kAt3d9RBI+R34sZm//uKQgOKDrAx0VjekFkK0tj2qU=
|
|
||||||
=XC/f
|
|
||||||
-----END PGP SIGNATURE-----
16
SOURCES/freeipa-4.9.6.tar.gz.asc
@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
|
||||||
|
|
||||||
|
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmDbPRQACgkQRxniuKu/
|
||||||
|
Yhr7uBAAnpF70nH8Cn/HhKKpfafPoN3B9fDNIfAa+jsJ52OyeNMKVNi4MEob32iN
|
||||||
|
1aMGGFCJUMle/M7v1+w8WH59eiHs1jKHcFZnl2R4Ap5SxVtypYT+ewXbNnSHII2w
|
||||||
|
qWS5PvLkJwjh6Bw/HlyBwDRSrw9Yah4oZZbJt3zE06+Imr8BpB3IWqyhuAi7FjYO
|
||||||
|
J9hHCwCvtJvWK4yplZSXCt8OS1JA68/Djgjecm5lUSamuqKaBVhDb+ZAPLDJpBf5
|
||||||
|
Pz2JpUF/W/rplt+Q9wAFdhDB9iC0vd3MBkgs4KPsjuyS9+GGNu8LyXs0C1Wm/VgX
|
||||||
|
liX2pjZmpnTrhH3QQ2nufwH784ZpinXxS2fcbvCfX1Utgr77wNHjwqDt2NBffJl1
|
||||||
|
BM7JJr1ZwGOGSki6yjRDXbeSAsiEX9l7f2mv2t/8ZjHMRJ7mJmBbmh5Qhk5qsMou
|
||||||
|
BptNDE20cG77xcjBtTCDpii/UatETuNAyMd/l2smfe76z8y61fQrvScxRwOCHckw
|
||||||
|
u/ERChpBZOUlQt59Efj3ja313oXZMxXRw01n/72Hh5rnk+XZf75zQ1zUDBYnwzAr
|
||||||
|
4cdqyrfpFkQu1sRQvgjT8ZLkP8istjRdVEI/Oj61zb5+6+scQ/Zh/R/mYGCV4/h+
|
||||||
|
RzojBwUAXuwUMrj1jTbb5Lkz58+vY3Lk4xNOY2hSAc8rCcDVRZY=
|
||||||
|
=TQFs
|
||||||
|
-----END PGP SIGNATURE-----
186
SPECS/ipa.spec
@ -2,7 +2,7 @@
%bcond_without ipatests
%bcond_without ipatests
# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml
# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml
# On RHEL 8 we should use --with ipa_join_xml
# On RHEL 8 we should use --with ipa_join_xml
%bcond_without ipa_join_xml
%bcond_with ipa_join_xml
|
|
||||||
# Linting is disabled by default, needed for upstream testing
|
# Linting is disabled by default, needed for upstream testing
|
||||||
%bcond_with lint
|
%bcond_with lint
|
||||||
@ -49,9 +49,9 @@
|
|||||||
# lint is not executed during rpmbuild
|
# lint is not executed during rpmbuild
|
||||||
# %%global with_lint 1
|
# %%global with_lint 1
|
||||||
%if %{with lint}
|
%if %{with lint}
|
||||||
%global linter_options --enable-pylint --with-jslint
|
%global linter_options --enable-pylint --without-jslint --enable-rpmlint
|
||||||
%else
|
%else
|
||||||
%global linter_options --disable-pylint --without-jslint
|
%global linter_options --disable-pylint --without-jslint --disable-rpmlint
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# Include SELinux subpackage
|
# Include SELinux subpackage
|
||||||
@ -73,10 +73,13 @@
|
|||||||
%global selinux_policy_version 3.14.3-52
|
%global selinux_policy_version 3.14.3-52
|
||||||
%global slapi_nis_version 0.56.4
|
%global slapi_nis_version 0.56.4
|
||||||
%global python_ldap_version 3.1.0-1
|
%global python_ldap_version 3.1.0-1
|
||||||
# python3-lib389
|
%if 0%{?rhel} < 9
|
||||||
# Fix for "Installation fails: Replica Busy"
|
# Bug 1929067 - PKI instance creation failed with new 389-ds-base build
|
||||||
# https://pagure.io/389-ds-base/issue/49818
|
%global ds_version 1.4.3.16-12
|
||||||
%global ds_version 1.4.2.4-6
|
%else
|
||||||
|
%global ds_version 2.0.3-3
|
||||||
|
%endif
|
||||||
|
|
||||||
# Fix for TLS 1.3 PHA, RHBZ#1775158
|
# Fix for TLS 1.3 PHA, RHBZ#1775158
|
||||||
%global httpd_version 2.4.37-21
|
%global httpd_version 2.4.37-21
|
||||||
%global bind_version 9.11.20-6
|
%global bind_version 9.11.20-6
|
||||||
@ -101,9 +104,13 @@
|
|||||||
|
|
||||||
# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
|
# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
|
||||||
%global python_ldap_version 3.1.0-1
|
%global python_ldap_version 3.1.0-1
|
||||||
# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
|
|
||||||
# https://pagure.io/freeipa/issue/8515
|
# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4609
|
||||||
%global ds_version 1.4.3
|
%if 0%{?fedora} < 34
|
||||||
|
%global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.13-2'; print(v[rpm.expand('%{fedora}')])}
|
||||||
|
%else
|
||||||
|
%global ds_version 2.0.4-1
|
||||||
|
%endif
|
||||||
|
|
||||||
# Fix for TLS 1.3 PHA, RHBZ#1775146
|
# Fix for TLS 1.3 PHA, RHBZ#1775146
|
||||||
%global httpd_version 2.4.41-9
|
%global httpd_version 2.4.41-9
|
||||||
@ -126,13 +133,11 @@
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if 0%{?rhel} == 8
|
%if 0%{?rhel} == 8
|
||||||
# PKIConnection has been modified to always validate certs.
|
# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
|
||||||
# https://pagure.io/freeipa/issue/8379
|
%global pki_version 10.10.5
|
||||||
%global pki_version 10.10.5-2
|
|
||||||
%else
|
%else
|
||||||
# New KRA profile, ACME support
|
# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
|
||||||
# https://pagure.io/freeipa/issue/8545
|
%global pki_version 10.10.5
|
||||||
%global pki_version 10.10.0-2
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
# RHEL 8.3+, F32+ has 0.79.13
|
# RHEL 8.3+, F32+ has 0.79.13
|
||||||
@ -155,6 +160,16 @@
|
|||||||
%global systemd_version 239
|
%global systemd_version 239
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
# augeas support for new chrony options
|
||||||
|
# see https://pagure.io/freeipa/issue/8676
|
||||||
|
# Note: will need to be updated for RHEL9 when a fix is available for
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1931787
|
||||||
|
%if 0%{?fedora} >= 33
|
||||||
|
%global augeas_version 1.12.0-6
|
||||||
|
%else
|
||||||
|
%global augeas_version 1.12.0-3
|
||||||
|
%endif
|
||||||
|
|
||||||
%global plugin_dir %{_libdir}/dirsrv/plugins
|
%global plugin_dir %{_libdir}/dirsrv/plugins
|
||||||
%global etc_systemd_dir %{_sysconfdir}/systemd/system
|
%global etc_systemd_dir %{_sysconfdir}/systemd/system
|
||||||
%global gettext_domain ipa
|
%global gettext_domain ipa
|
||||||
@ -163,7 +178,7 @@
|
|||||||
|
|
||||||
# Work-around fact that RPM SPEC parser does not accept
|
# Work-around fact that RPM SPEC parser does not accept
|
||||||
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
|
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
|
||||||
%define IPA_VERSION 4.9.2
|
%define IPA_VERSION 4.9.6
|
||||||
# Release candidate version -- uncomment with one percent for RC versions
|
# Release candidate version -- uncomment with one percent for RC versions
|
||||||
#%%global rc_version %%nil
|
#%%global rc_version %%nil
|
||||||
%define AT_SIGN @
|
%define AT_SIGN @
|
||||||
@ -176,7 +191,7 @@
|
|||||||
|
|
||||||
Name: %{package_name}
|
Name: %{package_name}
|
||||||
Version: %{IPA_VERSION}
|
Version: %{IPA_VERSION}
|
||||||
Release: 4%{?rc_version:.%rc_version}%{?dist}
|
Release: 6%{?rc_version:.%rc_version}%{?dist}
|
||||||
Summary: The Identity, Policy and Audit system
|
Summary: The Identity, Policy and Audit system
|
||||||
|
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -196,23 +211,24 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
|
|||||||
# RHEL spec file only: START
|
# RHEL spec file only: START
|
||||||
%if %{NON_DEVELOPER_BUILD}
|
%if %{NON_DEVELOPER_BUILD}
|
||||||
%if 0%{?rhel} >= 8
|
%if 0%{?rhel} >= 8
|
||||||
Patch0001: 0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch
|
Patch0001: 0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
|
||||||
Patch0002: 0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch
|
Patch0002: 0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
|
||||||
Patch0003: 0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch
|
Patch0003: 0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
|
||||||
Patch0004: 0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch
|
Patch0004: 0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
|
||||||
Patch0005: 0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch
|
Patch0005: 0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
|
||||||
Patch0006: 0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch
|
Patch0006: 0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch
|
||||||
Patch0007: 0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch
|
Patch0007: 0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch
|
||||||
Patch0008: 0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch
|
Patch0008: 0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch
|
||||||
Patch0009: 0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch
|
Patch0009: 0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch
|
||||||
Patch0010: 0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch
|
Patch0010: 0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch
|
||||||
Patch0011: 0011-Only-attempt-to-upgrade-ACME-configuration-files-if-_rhbz#1959984.patch
|
Patch0011: 0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
|
||||||
|
Patch0012: 0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
|
||||||
|
Patch0013: 0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch
|
||||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
# RHEL spec file only: END
|
# RHEL spec file only: END
|
||||||
|
|
||||||
|
|
||||||
# For the timestamp trick in patch application
|
# For the timestamp trick in patch application
|
||||||
BuildRequires: diffstat
|
BuildRequires: diffstat
|
||||||
|
|
||||||
@ -316,7 +332,10 @@ BuildRequires: python3-m2r
|
|||||||
#
|
#
|
||||||
%if %{with lint}
|
%if %{with lint}
|
||||||
BuildRequires: git
|
BuildRequires: git
|
||||||
|
%if 0%{?fedora} < 34
|
||||||
|
# jsl is orphaned in Fedora 34+
|
||||||
BuildRequires: jsl
|
BuildRequires: jsl
|
||||||
|
%endif
|
||||||
BuildRequires: nss-tools
|
BuildRequires: nss-tools
|
||||||
BuildRequires: rpmlint
|
BuildRequires: rpmlint
|
||||||
BuildRequires: softhsm
|
BuildRequires: softhsm
|
||||||
@ -348,12 +367,8 @@ BuildRequires: python3-polib
|
|||||||
BuildRequires: python3-pyasn1
|
BuildRequires: python3-pyasn1
|
||||||
BuildRequires: python3-pyasn1-modules
|
BuildRequires: python3-pyasn1-modules
|
||||||
BuildRequires: python3-pycodestyle
|
BuildRequires: python3-pycodestyle
|
||||||
%if 0%{?fedora} || 0%{?rhel} > 8
|
# .wheelconstraints.in limits pylint version in Azure and tox tests
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1648299
|
BuildRequires: python3-pylint
|
||||||
BuildRequires: python3-pylint >= 2.1.1-2
|
|
||||||
%else
|
|
||||||
BuildRequires: python3-pylint >= 1.7
|
|
||||||
%endif
|
|
||||||
BuildRequires: python3-pytest-multihost
|
BuildRequires: python3-pytest-multihost
|
||||||
BuildRequires: python3-pytest-sourceorder
|
BuildRequires: python3-pytest-sourceorder
|
||||||
BuildRequires: python3-qrcode-core >= 5.0.0
|
BuildRequires: python3-qrcode-core >= 5.0.0
|
||||||
@ -440,7 +455,12 @@ Requires(pre): certmonger >= %{certmonger_version}
|
|||||||
Requires(pre): 389-ds-base >= %{ds_version}
|
Requires(pre): 389-ds-base >= %{ds_version}
|
||||||
Requires: fontawesome-fonts
|
Requires: fontawesome-fonts
|
||||||
Requires: open-sans-fonts
|
Requires: open-sans-fonts
|
||||||
|
%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9
|
||||||
|
# https://pagure.io/freeipa/issue/8632
|
||||||
|
Requires: openssl > 1.1.1i
|
||||||
|
%else
|
||||||
Requires: openssl
|
Requires: openssl
|
||||||
|
%endif
|
||||||
Requires: softhsm >= 2.0.0rc1-1
|
Requires: softhsm >= 2.0.0rc1-1
|
||||||
Requires: p11-kit
|
Requires: p11-kit
|
||||||
Requires: %{etc_systemd_dir}
|
Requires: %{etc_systemd_dir}
|
||||||
@ -492,6 +512,7 @@ Requires: %{name}-common = %{version}-%{release}
|
|||||||
# we need pre-requires since earlier versions may break upgrade
|
# we need pre-requires since earlier versions may break upgrade
|
||||||
Requires(pre): python3-ldap >= %{python_ldap_version}
|
Requires(pre): python3-ldap >= %{python_ldap_version}
|
||||||
Requires: python3-augeas
|
Requires: python3-augeas
|
||||||
|
Requires: augeas-libs >= %{augeas_version}
|
||||||
Requires: python3-custodia >= 0.3.1
|
Requires: python3-custodia >= 0.3.1
|
||||||
Requires: python3-dbus
|
Requires: python3-dbus
|
||||||
Requires: python3-dns >= 1.15
|
Requires: python3-dns >= 1.15
|
||||||
@ -527,8 +548,8 @@ Requires: %{name}-client-common = %{version}-%{release}
|
|||||||
Requires: httpd >= %{httpd_version}
|
Requires: httpd >= %{httpd_version}
|
||||||
Requires: systemd-units >= %{systemd_version}
|
Requires: systemd-units >= %{systemd_version}
|
||||||
Requires: custodia >= 0.3.1
|
Requires: custodia >= 0.3.1
|
||||||
%if 0%{?rhel} >= 8
|
%if 0%{?rhel} >= 8 && ! 0%{?eln}
|
||||||
Requires: redhat-logos-ipa >= 80.4
|
Requires: system-logos-ipa >= 80.4
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
Provides: %{alt_name}-server-common = %{version}
|
Provides: %{alt_name}-server-common = %{version}
|
||||||
@ -582,6 +603,7 @@ Requires: %{name}-common = %{version}-%{release}
|
|||||||
|
|
||||||
Requires: samba >= %{samba_version}
|
Requires: samba >= %{samba_version}
|
||||||
Requires: samba-winbind
|
Requires: samba-winbind
|
||||||
|
Requires: sssd-winbind-idmap
|
||||||
Requires: libsss_idmap
|
Requires: libsss_idmap
|
||||||
%if 0%{?rhel}
|
%if 0%{?rhel}
|
||||||
Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
|
Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
|
||||||
@ -646,6 +668,11 @@ Requires: nfs-utils
|
|||||||
Requires: sssd-tools >= %{sssd_version}
|
Requires: sssd-tools >= %{sssd_version}
|
||||||
Requires(post): policycoreutils
|
Requires(post): policycoreutils
|
||||||
|
|
||||||
|
# https://pagure.io/freeipa/issue/8530
|
||||||
|
Recommends: libsss_sudo
|
||||||
|
Recommends: sudo
|
||||||
|
Requires: (libsss_sudo if sudo)
|
||||||
|
|
||||||
Provides: %{alt_name}-client = %{version}
|
Provides: %{alt_name}-client = %{version}
|
||||||
Conflicts: %{alt_name}-client
|
Conflicts: %{alt_name}-client
|
||||||
Obsoletes: %{alt_name}-client < %{version}
|
Obsoletes: %{alt_name}-client < %{version}
|
||||||
@ -710,6 +737,7 @@ Requires: %{name}-client-common = %{version}-%{release}
|
|||||||
Requires: %{name}-common = %{version}-%{release}
|
Requires: %{name}-common = %{version}-%{release}
|
||||||
Requires: python3-ipalib = %{version}-%{release}
|
Requires: python3-ipalib = %{version}-%{release}
|
||||||
Requires: python3-augeas
|
Requires: python3-augeas
|
||||||
|
Requires: augeas-libs >= %{augeas_version}
|
||||||
Requires: python3-dns >= 1.15
|
Requires: python3-dns >= 1.15
|
||||||
Requires: python3-jinja2
|
Requires: python3-jinja2
|
||||||
|
|
||||||
@ -804,7 +832,7 @@ Requires: python3-requests
|
|||||||
Requires: python3-six
|
Requires: python3-six
|
||||||
Requires: python3-sss-murmur
|
Requires: python3-sss-murmur
|
||||||
Requires: python3-yubico >= 1.3.2-7
|
Requires: python3-yubico >= 1.3.2-7
|
||||||
%if 0%{?rhel} && 0%{?rhel} >= 8
|
%if 0%{?rhel} && 0%{?rhel} == 8
|
||||||
Requires: platform-python-setuptools
|
Requires: platform-python-setuptools
|
||||||
%else
|
%else
|
||||||
Requires: python3-setuptools
|
Requires: python3-setuptools
|
||||||
@ -1681,20 +1709,76 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Wed May 26 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.2-4
|
* Fri Sep 17 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-6
|
||||||
- Only attempt to upgrade ACME configuration files if deployed
|
- Don't store entries with a usercertificate in the LDAP cache
|
||||||
Resolves: RHBZ#1959984
|
Resolves: RHBZ#1999893
|
||||||
|
|
||||||
* Fri Mar 19 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.2-3
|
* Mon Sep 13 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-5
|
||||||
- ipa-client-install displays false message
|
- Catch and log errors when adding CA profiles
|
||||||
'sudo binary does not seem to be present on this system'
|
Resolves: RHBZ#1999142
|
||||||
Resolves: RHBZ#1939371
|
- selinux policy: allow custodia to access /proc/cpuinfo
|
||||||
|
Resolves: RHBZ#1998129
|
||||||
|
- extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
|
||||||
|
Resolves: RHBZ#2000263
|
||||||
|
- ipa migrate-ds command fails to warn when compat plugin is enabled
|
||||||
|
Resolves: RHBZ#1999992
|
||||||
|
- Backport latest test fixes in python3-ipatests
|
||||||
|
Resolves: RHBZ#2000553
|
||||||
|
|
||||||
* Thu Mar 4 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.2-2
|
* Thu Jul 22 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-4
|
||||||
- Sync ipatests from upstream to RHEL packages for FreeIPA 4.9 branch
|
- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL
|
||||||
Resolves: RHBZ#1932289
|
Resolves: RHBZ#1982956
|
||||||
- Fix krb5kdc is crashing intermittently on IPA server
|
|
||||||
Resolves: RHBZ#1932784
|
* Thu Jul 15 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-3
|
||||||
|
- man page: update ipa-server-upgrade.1
|
||||||
|
Resolves: RHBZ#1973273
|
||||||
|
- Fall back to krbprincipalname when validating host auth indicators
|
||||||
|
Resolves: RHBZ#1979625
|
||||||
|
- Add dependency for sssd-winbind-idmap to server-trust-ad
|
||||||
|
Resolves: RHBZ#1982211
|
||||||
|
|
||||||
|
* Thu Jul 8 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-2
|
||||||
|
- IPA server in debug mode fails to run because time.perf_counter_ns is
|
||||||
|
Python 3.7+
|
||||||
|
Resolves: RHBZ#1974822
|
||||||
|
- Add checks to prevent assigning authentication indicators to internal IPA
|
||||||
|
services
|
||||||
|
Resolves: RHBZ#1979625
|
||||||
|
- Unable to set ipaUserAuthType with stageuser-add
|
||||||
|
Resolves: RHBZ#1979605
|
||||||
|
|
||||||
|
* Thu Jul 1 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-1
|
||||||
|
- Upstream release FreeIPA 4.9.6
|
||||||
|
Related: RHBZ#1945038
|
||||||
|
- Revise PKINIT upgrade code
|
||||||
|
Resolves: RHBZ#1886837
|
||||||
|
- ipa-cert-fix man page: add note about certmonger renewal
|
||||||
|
Resolves: RHBZ#1780317
|
||||||
|
- Certificate Serial Number issue
|
||||||
|
Resolves: RHBZ#1919384
|
||||||
|
|
||||||
|
* Mon Jun 14 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.5-1
|
||||||
|
- Upstream release FreeIPA 4.9.5
|
||||||
|
Related: RHBZ#1945038
|
||||||
|
- IPA to allow setting a new range type
|
||||||
|
Resolves: RHBZ#1688267
|
||||||
|
- ipa-server-install displays debug output when --debug output is not
|
||||||
|
specified.
|
||||||
|
Resolves: RHBZ#1943151
|
||||||
|
- ACME fails to generate a cert on migrated RHEL8.4 server
|
||||||
|
Resolves: RHBZ#1934991
|
||||||
|
- Switch ipa-client to use the JSON API
|
||||||
|
Resolves: RHBZ#1937856
|
||||||
|
- IDM - Allow specifying permanent logging settings for BIND
|
||||||
|
Resolves: RHBZ#1951511
|
||||||
|
- Cache LDAP data within a request
|
||||||
|
Resolves: RHBZ#1953656
|
||||||
|
- ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4
|
||||||
|
Resolves: RHBZ#1957768
|
||||||
|
|
||||||
|
* Wed Mar 31 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.3-1
|
||||||
|
- Upstream release FreeIPA 4.9.3
|
||||||
|
Resolves: RHBZ#1945038
|
||||||
|
|
||||||
* Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-1
|
* Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-1
|
||||||
- Upstream release FreeIPA 4.9.2
|
- Upstream release FreeIPA 4.9.2
|
||||||
|