ipa-4.12.0-7
- Resolves: RHEL-53500 adtrustinstance only prints issues in check_inst() and does not log them - Resolves: RHEL-52306 Unconditionally add MS-PAC to global config - Resolves: RHEL-52300 RFE - Keep the configured value for the "nsslapd-ignore-time-skew" after a "force-sync" - Resolves: RHEL-52222 ipa-replica/server-install with softhsm needs to check permission/ownership of /var/lib/softhsm/tokens to avoid install failure - Resolves: RHEL-51944 Include latest fixes in python3-ipatests packages - Resolves: RHEL-50804 ipa-migrate -Z with invalid cert options fails with 'ValueError: option error' - Resolves: RHEL-49602 misleading warning for missing ipa-selinux-nfast package on luna hsm h/w - Resolves: RHEL-27856 'Unable to log in as uid=admin-replica.testrealm.test,ou=people,o=ipaca' during replica install Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
parent
8b6d847e67
commit
3979c73861
@ -0,0 +1,50 @@
|
|||||||
|
From de940802bb6631fbbc97afd11869d87cba18f47f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Wed, 17 Jul 2024 18:32:37 +0200
|
||||||
|
Subject: [PATCH] ipatests: remove xfail for test_ipa_migrate_version_option
|
||||||
|
|
||||||
|
The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1::
|
||||||
|
test_ipa_migrate_version_option is now passing, issue has been fixed.
|
||||||
|
The -V option has been removed.
|
||||||
|
|
||||||
|
Related: https://pagure.io/freeipa/issue/9620
|
||||||
|
|
||||||
|
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_ipa_ipa_migration.py | 12 +++++-------
|
||||||
|
1 file changed, 5 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
|
||||||
|
index 7e2d4a34216f6cf168f15dda10ce10538a3c3cb9..9aa8a9f32071f122ebb247ba8a1aff041e4fd49a 100644
|
||||||
|
--- a/ipatests/test_integration/test_ipa_ipa_migration.py
|
||||||
|
+++ b/ipatests/test_integration/test_ipa_ipa_migration.py
|
||||||
|
@@ -846,20 +846,18 @@ class TestIPAMigrateScenario1(IntegrationTest):
|
||||||
|
assert DNS_LOG2 in install_msg
|
||||||
|
assert DNS_LOG3 in install_msg
|
||||||
|
|
||||||
|
- @pytest.mark.xfail(reason="https://issues.redhat.com/browse/RHEL-46003",
|
||||||
|
- strict=True)
|
||||||
|
def test_ipa_migrate_version_option(self):
|
||||||
|
"""
|
||||||
|
- This testcase checks the version of
|
||||||
|
- the ipa-migrate tool using -v option
|
||||||
|
+ The -V option has been removed.
|
||||||
|
"""
|
||||||
|
CONSOLE_LOG = (
|
||||||
|
"ipa-migrate: error: the following arguments are "
|
||||||
|
"required: mode, hostname"
|
||||||
|
)
|
||||||
|
- result = self.master.run_command(["ipa-migrate", "-V"])
|
||||||
|
- assert result.returncode == 0
|
||||||
|
- assert CONSOLE_LOG not in result.stderr_text
|
||||||
|
+ result = self.master.run_command(["ipa-migrate", "-V"],
|
||||||
|
+ raiseonerr=False)
|
||||||
|
+ assert result.returncode == 2
|
||||||
|
+ assert CONSOLE_LOG in result.stderr_text
|
||||||
|
|
||||||
|
def test_ipa_migrate_with_log_file_option(self):
|
||||||
|
"""
|
||||||
|
--
|
||||||
|
2.45.2
|
||||||
|
|
@ -0,0 +1,33 @@
|
|||||||
|
From 6eb6a929308c2916df9aed2da9ee6ef9d98e2438 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Wed, 17 Jul 2024 18:36:24 +0200
|
||||||
|
Subject: [PATCH] ipatests: remove xfail for test_ipa_migrate_stage_mode
|
||||||
|
|
||||||
|
The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1
|
||||||
|
::test_ipa_migrate_stage_mode is now passing, the issue has been fixed.
|
||||||
|
|
||||||
|
Related: https://pagure.io/freeipa/issue/9621
|
||||||
|
|
||||||
|
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_ipa_ipa_migration.py | 3 ---
|
||||||
|
1 file changed, 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
|
||||||
|
index 9aa8a9f32071f122ebb247ba8a1aff041e4fd49a..a516941047315e07407b8063a7010526d384ab3b 100644
|
||||||
|
--- a/ipatests/test_integration/test_ipa_ipa_migration.py
|
||||||
|
+++ b/ipatests/test_integration/test_ipa_ipa_migration.py
|
||||||
|
@@ -600,9 +600,6 @@ class TestIPAMigrateScenario1(IntegrationTest):
|
||||||
|
)
|
||||||
|
assert SCHEMA_OVERRIDE_LOG in install_msg
|
||||||
|
|
||||||
|
- @pytest.mark.xfail(
|
||||||
|
- reason="https://issues.redhat.com/browse/RHEL-45463", strict=True
|
||||||
|
- )
|
||||||
|
def test_ipa_migrate_stage_mode(self, empty_log_file):
|
||||||
|
"""
|
||||||
|
This test checks that ipa-migrate is successful
|
||||||
|
--
|
||||||
|
2.45.2
|
||||||
|
|
@ -0,0 +1,26 @@
|
|||||||
|
From d1a485a435ea9dba7587d1998451a09d3aa4077b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Wed, 17 Jul 2024 15:45:06 +0200
|
||||||
|
Subject: [PATCH] Unconditionally add MS-PAC to global config on update
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9632
|
||||||
|
|
||||||
|
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||||
|
---
|
||||||
|
install/updates/60-trusts.update | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
|
||||||
|
index 56e392044a2fae97ab2f26d8afcffa6a872d41c8..b2fdccae74accf934c9f9e7d83fe63459c1e48b4 100644
|
||||||
|
--- a/install/updates/60-trusts.update
|
||||||
|
+++ b/install/updates/60-trusts.update
|
||||||
|
@@ -54,4 +54,4 @@ add:aci: (target="ldap:///krbprincipalname=cifs/($$dn),cn=services,cn=accounts,$
|
||||||
|
|
||||||
|
# Add the default PAC type to configuration
|
||||||
|
dn: cn=ipaConfig,cn=etc,$SUFFIX
|
||||||
|
-addifnew: ipaKrbAuthzData: MS-PAC
|
||||||
|
+add: ipaKrbAuthzData: MS-PAC
|
||||||
|
--
|
||||||
|
2.45.2
|
||||||
|
|
@ -0,0 +1,26 @@
|
|||||||
|
From 9f88188204e443dd5d1d22ebe65b947452558f66 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Wed, 17 Jul 2024 15:47:33 +0200
|
||||||
|
Subject: [PATCH] Remove RC4 and 3DES default encryption types on update
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9633
|
||||||
|
|
||||||
|
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||||
|
---
|
||||||
|
install/updates/50-krbenctypes.update | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/install/updates/50-krbenctypes.update b/install/updates/50-krbenctypes.update
|
||||||
|
index 1058a92d8f5a4971e9ecab52506981b8e470ff77..1bf2bf33a6566586639767771dff501d91a03508 100644
|
||||||
|
--- a/install/updates/50-krbenctypes.update
|
||||||
|
+++ b/install/updates/50-krbenctypes.update
|
||||||
|
@@ -7,3 +7,5 @@ add: krbSupportedEncSaltTypes: aes128-sha2:normal
|
||||||
|
add: krbSupportedEncSaltTypes: aes128-sha2:special
|
||||||
|
add: krbSupportedEncSaltTypes: aes256-sha2:normal
|
||||||
|
add: krbSupportedEncSaltTypes: aes256-sha2:special
|
||||||
|
+remove: krbDefaultEncSaltTypes: des3-hmac-sha1:special
|
||||||
|
+remove: krbDefaultEncSaltTypes: arcfour-hmac:special
|
||||||
|
--
|
||||||
|
2.45.2
|
||||||
|
|
@ -0,0 +1,33 @@
|
|||||||
|
From fdd471d55c73503456683b1dea55769700730b16 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Thu, 18 Jul 2024 13:40:28 -0400
|
||||||
|
Subject: [PATCH] Fix a copy/paste issue when detecting the HSM SELinux
|
||||||
|
subpackage
|
||||||
|
|
||||||
|
I made a mistake when trying to detect which HSM is being used
|
||||||
|
to ensure that the appropriate SELinux subpackage is installed.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9636
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||||
|
---
|
||||||
|
ipaserver/install/ca.py | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
|
||||||
|
index b8155d9965712dbce4076e9d73d6712135309ce2..e57dc47587fa0e0a6dbbe7511784af065560d782 100644
|
||||||
|
--- a/ipaserver/install/ca.py
|
||||||
|
+++ b/ipaserver/install/ca.py
|
||||||
|
@@ -265,7 +265,7 @@ def hsm_validator(token_name, token_library, token_password):
|
||||||
|
if 'nfast' in token_library:
|
||||||
|
module = 'ipa-selinux-nfast'
|
||||||
|
elif 'luna' in token_library:
|
||||||
|
- module = 'ipa-selinux-nfast'
|
||||||
|
+ module = 'ipa-selinux-luna'
|
||||||
|
else:
|
||||||
|
module = None
|
||||||
|
if module:
|
||||||
|
--
|
||||||
|
2.45.2
|
||||||
|
|
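--- /dev/null
+++ b/0028-ipa-migrate-properly-handle-invalid-certificates.patch
@@ -0,0 +1,36 @@
+From 0e4fbc3b0d15fd219d831b0b49f5312894448206 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds <mreynolds@redhat.com>
+Date: Mon, 29 Jul 2024 09:58:30 -0400
+Subject: [PATCH] ipa-migrate - properly handle invalid certificates
+
+A ValueError is raised when an invalid certificate is used, so the tool
+should handle this properly and not produce a stack trace.
+
+Fixes: https://pagure.io/freeipa/issue/9642
+
+Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ipaserver/install/ipa_migrate.py | 6 ++++++
+1 file changed, 6 insertions(+)
+
+diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
+index 20f59f84db21022b66c0aa1ffd696d99aef85a44..e21937401b3463335d8297b41a403405071d3795 100644
+--- a/ipaserver/install/ipa_migrate.py
++++ b/ipaserver/install/ipa_migrate.py
+@@ -761,6 +761,12 @@ class IPAMigrate():
+try:
+ds_conn = LDAPClient(ldapuri, cacert=self.args.cacertfile,
+start_tls=True)
++ except ValueError:
++ # Most likely invalid certificate
++ self.handle_error(
++ "Failed to connect to remote server: "
++ "CA certificate is invalid"
++ )
+except (
+ldap.LDAPError,
+errors.NetworkError,
+--
+2.45.2
+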
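Review bot: The new `except ValueError` branch reports every ValueError raised by the `LDAPClient(...)` constructor as an invalid CA certificate, although the comment beside it only says "Most likely"; a malformed `ldapuri` or any other argument error would be reported with the same misleading text. Bind the exception and include its text so the operator sees the real cause, e.g. `except ValueError as e:` and `"Failed to connect to remote server: " f"CA certificate or option is invalid: {e}"`. Whether `handle_error` exits or returns is not visible here; if it returns, `ds_conn` is left unbound for the code that follows the try. The enclosing method begins and ends outside the hunk.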
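--- /dev/null
+++ b/0029-ipatests-Fix-usage-of-token_password_file.patch
@@ -0,0 +1,73 @@
+From f03a96a7b914eb5130552cea626fd28e26b2108d Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 15 Jul 2024 10:21:28 -0400
+Subject: [PATCH] ipatests: Fix usage of token_password_file
+
+There were a few hardcoded places where it was set to
+/tmp/token_passwd instead of using the class variable.
+
+Don't rely on previous running tests installing the token
+password file so they can be run individually.
+
+Fixes: https://pagure.io/freeipa/issue/9603
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ipatests/test_integration/test_hsm.py | 14 +++++++-------
+1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/ipatests/test_integration/test_hsm.py b/ipatests/test_integration/test_hsm.py
+index 3a33c3bda6d072aa16e361b04ac2d668902bb0e9..64305460a5150dfc28a4ab378ac72cd38987184c 100644
+--- a/ipatests/test_integration/test_hsm.py
++++ b/ipatests/test_integration/test_hsm.py
+@@ -173,6 +173,9 @@ class BaseHSMTest(IntegrationTest):
+cls.master.run_command(['usermod', 'pkiuser', '-a', '-G', 'ods'])
+
+cls.token_name, cls.token_password = get_hsm_token(cls.master)
++ cls.master.put_file_contents(
++ cls.token_password_file, cls.token_password
++ )
+tasks.install_master(
+cls.master, setup_dns=cls.master_with_dns,
+setup_kra=cls.master_with_kra,
+@@ -220,10 +223,6 @@ class TestHSMInstall(BaseHSMTest):
+
+def test_hsm_install_replica0_ca_less_install(self):
+check_version(self.master)
+-
+- self.master.put_file_contents(
+- self.token_password_file, self.token_password
+- )
+tasks.install_replica(
+self.master, self.replicas[0], setup_ca=False,
+setup_dns=True,
+@@ -412,7 +411,7 @@ class TestHSMcertRenewal(BaseHSMTest):
+cert = tasks.certutil_fetch_cert(
+self.master,
+paths.PKI_TOMCAT_ALIAS_DIR,
+- '/tmp/token_passwd',
++ self.token_password_file,
+nickname,
+token_name=self.token_name,
+)
+@@ -428,13 +427,14 @@ class TestHSMcertRenewal(BaseHSMTest):
+status = tasks.wait_for_request(self.master, request_id[0], 120)
+assert status == "MONITORING"
+
+- args = ['-L', '-h', self.token_name, '-f', '/tmp/token_passwd']
++ args = ['-L', '-h', self.token_name, '-f',
++ self.token_password_file,]
+tasks.run_certutil(self.master, args, paths.PKI_TOMCAT_ALIAS_DIR)
+
+cert = tasks.certutil_fetch_cert(
+self.master,
+paths.PKI_TOMCAT_ALIAS_DIR,
+- '/tmp/token_passwd',
++ self.token_password_file,
+nickname,
+token_name=self.token_name,
+)
+--
+2.45.2
+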
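Review bot: In the last hunk the rewritten `args` list closes with `self.token_password_file,]`, a trailing comma before the bracket on the same line; either put the `]` on its own line or drop the comma. The token password is now written to `cls.token_password_file` in `BaseHSMTest.install`; if the base class's `uninstall` does not already remove that file, the secret stays on the host after the class finishes, which is worth confirming since it lies outside this hunk. `BaseHSMTest.install` begins outside the hunk.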
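--- /dev/null
+++ b/0030-Run-HSM-validation-as-pkiuser-to-verify-token-permis.patch
@@ -0,0 +1,175 @@
+From 38b83c2b9329b8b16096d63e83f186c91d578ce8 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Wed, 10 Jul 2024 16:14:46 -0400
+Subject: [PATCH] Run HSM validation as pkiuser to verify token permissions
+
+Run all commands as pkiuser when validating that the HSM token
+is available, that the token library path is correct and that
+the password can read keys. This will avoid issues where the
+initial validation is ok but the pkiuser is not granted read
+access to some part of the token. This is very possible
+when using softhsm2.
+
+Fixes: https://pagure.io/freeipa/issue/9626
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ipaserver/install/ca.py | 20 ++++++++--
+ipatests/test_integration/test_hsm.py | 57 +++++++++++++++++++++++++++
+2 files changed, 74 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
+index e57dc47587fa0e0a6dbbe7511784af065560d782..9ff91b9cc42673138eee6fa8e0eb46b323be8b1d 100644
+--- a/ipaserver/install/ca.py
++++ b/ipaserver/install/ca.py
+@@ -18,6 +18,7 @@ import six
+from ipalib.constants import IPA_CA_CN
+from ipalib.install import certstore
+from ipalib.install.service import enroll_only, master_install_only, replica_install_only
++from ipaplatform.constants import constants
+from ipaserver.install import sysupgrade
+from ipapython.install import typing
+from ipapython.install.core import group, knob, extend_knob
+@@ -208,8 +209,15 @@ def hsm_validator(token_name, token_library, token_password):
+raise ValueError(
+"Token library path '%s' does not exist" % token_library
+)
++ pkiuser = constants.PKI_USER
++ pkigroup = constants.PKI_GROUP
++ if 'libsofthsm' in token_library:
++ import grp
++ group = grp.getgrnam(constants.ODS_GROUP)
++ if str(constants.PKI_USER) in group.gr_mem:
++ pkigroup = constants.ODS_GROUP
+with certdb.NSSDatabase() as tempnssdb:
+- tempnssdb.create_db()
++ tempnssdb.create_db(user=str(pkiuser), group=str(pkigroup))
+# Try adding the token library to the temporary database in
+# case it isn't already available. Ignore all errors.
+command = [
+@@ -223,6 +231,7 @@ def hsm_validator(token_name, token_library, token_password):
+# It may fail if p11-kit has already registered the library, that's
+# ok.
+ipautil.run(command, stdin='\n', cwd=tempnssdb.secdir,
++ runas=pkiuser, suplementary_groups=[pkigroup],
+raiseonerr=False)
+
+command = [
+@@ -232,7 +241,8 @@ def hsm_validator(token_name, token_library, token_password):
+'-force'
+]
+lines = ipautil.run(
+- command, cwd=tempnssdb.secdir, capture_output=True).output
++ command, cwd=tempnssdb.secdir, capture_output=True,
++ runas=pkiuser, suplementary_groups=[pkigroup]).output
+found = False
+token_line = f'token: {token_name}'
+for line in lines.split('\n'):
+@@ -241,9 +251,11 @@ def hsm_validator(token_name, token_library, token_password):
+break
+if not found:
+raise ValueError(
+- "Token named '%s' was not found" % token_name
++ "Token named '%s' was not found. Check permissions"
++ % token_name
+)
+pwdfile = ipautil.write_tmp_file(token_password)
++ os.fchown(pwdfile.fileno(), pkiuser.uid, pkigroup.gid)
+args = [
+paths.CERTUTIL,
+"-d", '{}:{}'.format(tempnssdb.dbtype, tempnssdb.secdir),
+@@ -252,6 +264,8 @@ def hsm_validator(token_name, token_library, token_password):
+"-f", pwdfile.name,
+]
+result = ipautil.run(args, cwd=tempnssdb.secdir,
++ runas=pkiuser,
++ suplementary_groups=[pkigroup],
+capture_error=True, raiseonerr=False)
+if result.returncode != 0 and len(result.error_output):
+if 'SEC_ERROR_BAD_PASSWORD' in result.error_output:
+diff --git a/ipatests/test_integration/test_hsm.py b/ipatests/test_integration/test_hsm.py
+index 64305460a5150dfc28a4ab378ac72cd38987184c..974820fc7363b77fd5fdecc7cf0efca412f3af42 100644
+--- a/ipatests/test_integration/test_hsm.py
++++ b/ipatests/test_integration/test_hsm.py
+@@ -833,6 +833,13 @@ class TestHSMNegative(IntegrationTest):
+
+cls.token_name, cls.token_password = get_hsm_token(cls.master)
+
++ @classmethod
++ def uninstall(cls, mh):
++ cls.master.run_command(
++ ['softhsm2-util', '--delete-token', '--token', cls.token_name],
++ raiseonerr=False
++ )
++
+def test_hsm_negative_wrong_token_details(self):
+check_version(self.master)
+# wrong token name
+@@ -868,6 +875,51 @@ class TestHSMNegative(IntegrationTest):
+)
+assert result.returncode != 0
+
++ def test_hsm_negative_bad_token_dir_permissions(self):
++ """Create an unreadable softhsm2 token and install should fail.
++
++ This is most often seen on replicas where the pkiuser is not
++ a member of the ods group.
++ """
++ check_version(self.master)
++ token_name = 'bad_perms'
++ token_passwd = 'Secret123'
++ self.master.run_command(
++ ['softhsm2-util', '--delete-token', '--token', token_name],
++ raiseonerr=False
++ )
++ self.master.run_command(
++ ['usermod', 'pkiuser', '-a', '-G', 'ods']
++ )
++ self.master.run_command(
++ ['softhsm2-util', '--init-token',
++ '--free', '--pin', token_passwd, '--so-pin', token_passwd,
++ '--label', token_name]
++ )
++ self.master.run_command(
++ ['usermod', 'pkiuser', '-r', '-G', 'ods']
++ )
++ result = tasks.install_master(
++ self.master, raiseonerr=False,
++ extra_args=(
++ '--token-name', token_name,
++ '--token-library-path', hsm_lib_path,
++ '--token-password', token_passwd
++ )
++ )
++ self.master.run_command(
++ ['usermod', 'pkiuser', '-a', '-G', 'ods']
++ )
++ self.master.run_command(
++ ['softhsm2-util', '--delete-token', '--token', token_name],
++ raiseonerr=False
++ )
++ assert result.returncode != 0
++ assert (
++ f"Token named '{token_name}' was not found"
++ in result.stderr_text
++ )
++
+def test_hsm_negative_special_char_token_name(self):
+check_version(self.master)
+token_name = 'hsm:token'
+@@ -912,6 +964,11 @@ class TestHSMNegative(IntegrationTest):
+'--token-password-file', self.token_password_file
+)
+)
++ self.master.run_command(
++ ['softhsm2-util', '--delete-token', '--token', self.token_name],
++ raiseonerr=False
++ )
++ # assert 'error message non existing token lib' in result.stderr_text
+assert result.returncode != 0
+
+
+--
+2.45.2
+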
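Review bot: `grp.getgrnam(constants.ODS_GROUP)` in the second `ca.py` hunk raises `KeyError` when that group does not exist, so on a host with the SoftHSM library but no `ods` group `hsm_validator` now ends in a traceback instead of the `ValueError` the rest of the function raises for validation failures. Catch it and keep the `PKI_GROUP` fallback, e.g. `try: ods = grp.getgrnam(constants.ODS_GROUP)` / `except KeyError: ods = None`, then test `ods is not None and str(constants.PKI_USER) in ods.gr_mem`. The local `group` also shadows the `group` imported from `ipapython.install.core` in the first hunk, and the function-local `import grp` would normally sit with the module imports. In the `test_hsm.py` hunk the commented-out `# assert 'error message non existing token lib' ...` line should either become a real assertion or be removed. `hsm_validator` begins and ends outside the hunk.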
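--- /dev/null
+++ b/0031-Replica-CA-installation-ignore-time-skew-during-init.patch
@@ -0,0 +1,163 @@
+From aadb8051d4a3172aac3790f47ff4d241a245bab4 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Thu, 18 Jul 2024 12:57:36 +0200
+Subject: [PATCH] Replica CA installation: ignore time skew during initial
+replication
+
+During a replica CA installation, the initial replication step may fail
+if there is too much time skew between the server and replica.
+
+The replica installer already takes care of this for the replication of
+the domain suffix but the replica CA installer does not set
+nssldapd-ignore-time-skew to on for o=ipaca suffix.
+
+During a replica CA installation, read the initial value of
+nssldapd-ignore-time-skew, force it to on, start replication and
+revert to the initial value.
+
+Apply the same logic to dsinstance and ipa-replica-manage force-sync.
+
+Fixes: https://pagure.io/freeipa/issue/9635
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+install/share/Makefile.am | 1 -
+install/share/replica-prevent-time-skew.ldif | 4 ----
+install/tools/ipa-replica-manage.in | 4 ++--
+ipaserver/install/cainstance.py | 4 ++++
+ipaserver/install/dsinstance.py | 14 ++---------
+ipaserver/install/service.py | 25 ++++++++++++++++++++
+6 files changed, 33 insertions(+), 19 deletions(-)
+delete mode 100644 install/share/replica-prevent-time-skew.ldif
+
+diff --git a/install/share/Makefile.am b/install/share/Makefile.am
+index e0fe4b7d1756bd05f060a92ab52f910b4bd3adc8..4029297b76cc2f30dc9eab606e5670667978dd27 100644
+--- a/install/share/Makefile.am
++++ b/install/share/Makefile.am
+@@ -38,7 +38,6 @@ dist_app_DATA = \
+default-trust-view.ldif \
+delegation.ldif \
+replica-acis.ldif \
+- replica-prevent-time-skew.ldif \
+ds-nfiles.ldif \
+ds-ipa-env.conf.template \
+dns.ldif \
+diff --git a/install/share/replica-prevent-time-skew.ldif b/install/share/replica-prevent-time-skew.ldif
+deleted file mode 100644
+index 5d301feddb56347f3b35be89edaae1a7d91e07de..0000000000000000000000000000000000000000
+--- a/install/share/replica-prevent-time-skew.ldif
++++ /dev/null
+@@ -1,4 +0,0 @@
+-dn: cn=config
+-changetype: modify
+-replace: nsslapd-ignore-time-skew
+-nsslapd-ignore-time-skew: $SKEWVALUE
+diff --git a/install/tools/ipa-replica-manage.in b/install/tools/ipa-replica-manage.in
+index 56145cb8a2249f8c5279d9baec4f34f274990bcf..d6e6ef57c39af70f164d41662227af3dc2535f9c 100644
+--- a/install/tools/ipa-replica-manage.in
++++ b/install/tools/ipa-replica-manage.in
+@@ -1262,12 +1262,12 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False):
+repl.force_sync(repl.conn, fromhost)
+else:
+ds = dsinstance.DsInstance(realm_name=realm)
+- ds.replica_manage_time_skew(prevent=False)
++ ds.replica_ignore_initial_time_skew()
+repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
+repl.force_sync(repl.conn, thishost)
+agreement = repl.get_replication_agreement(thishost)
+repl.wait_for_repl_update(repl.conn, agreement.dn)
+- ds.replica_manage_time_skew(prevent=True)
++ ds.replica_revert_time_skew()
+
+def show_DNA_ranges(hostname, master, realm, dirman_passwd, nextrange=False,
+nolookup=False):
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index b4b86024899bc6532f1123503cec63be9435f55b..5dac2c0441752e7bb569cde1fc93bc17c3128cdf 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -416,7 +416,11 @@ class CAInstance(DogtagInstance):
+if promote:
+# Setup Database
+self.step("creating certificate server db", self.__create_ds_db)
++ self.step("ignore time skew for initial replication",
++ self.replica_ignore_initial_time_skew)
+self.step("setting up initial replication", self.__setup_replication)
++ self.step("revert time skew after initial replication",
++ self.replica_revert_time_skew)
+self.step("creating ACIs for admin", self.add_ipaca_aci)
+self.step("creating installation admin user", self.setup_admin)
+self.step("configuring certificate server instance",
+diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
+index 88984d0219033717cefd28d6170535b6c859330f..dab58e42661f500e7aca0e8311e93d421567b8c8 100644
+--- a/ipaserver/install/dsinstance.py
++++ b/ipaserver/install/dsinstance.py
+@@ -387,11 +387,11 @@ class DsInstance(service.Service):
+# This helps with initial replication or force-sync because
+# the receiving side has no valuable changes itself yet.
+self.step("ignore time skew for initial replication",
+- self.__replica_ignore_initial_time_skew)
++ self.replica_ignore_initial_time_skew)
+
+self.step("setting up initial replication", self.__setup_replica)
+self.step("prevent time skew after initial replication",
+- self.replica_manage_time_skew)
++ self.replica_revert_time_skew)
+self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
+self.step("updating schema", self.__update_schema)
+# See LDIFs for automember configuration during replica install
+@@ -997,16 +997,6 @@ class DsInstance(service.Service):
+def __add_replication_acis(self):
+self._ldap_mod("replica-acis.ldif", self.sub_dict)
+
+- def __replica_ignore_initial_time_skew(self):
+- self.replica_manage_time_skew(prevent=False)
+-
+- def replica_manage_time_skew(self, prevent=True):
+- if prevent:
+- self.sub_dict['SKEWVALUE'] = 'off'
+- else:
+- self.sub_dict['SKEWVALUE'] = 'on'
+- self._ldap_mod("replica-prevent-time-skew.ldif", self.sub_dict)
+-
+def __setup_s4u2proxy(self):
+
+def __add_principal(last_cn, principal, self):
+diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
+index 4c366a184ffdc26aaf7b546af9e4de8b43b7be41..cf0f64ab9794111761adf735bc488269bd1814fc 100644
+--- a/ipaserver/install/service.py
++++ b/ipaserver/install/service.py
+@@ -862,6 +862,31 @@ class Service:
+self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
+self.set_keytab_owner()
+
++ def replica_ignore_initial_time_skew(self):
++ """
++ Set nsslapd-ignore-time-skew = on if not already set
++ and store the initial value in order to restore it later.
++
++ The on value allows replica initialization even if there
++ are excessive time skews.
++ """
++ dn = DN(('cn', 'config'))
++ entry_attrs = api.Backend.ldap2.get_entry(dn)
++ self.original_time_skew = entry_attrs['nsslapd-ignore-time-skew'][0]
++ if self.original_time_skew != 'on':
++ entry_attrs['nsslapd-ignore-time-skew'] = 'on'
++ api.Backend.ldap2.update_entry(entry_attrs)
++
++ def replica_revert_time_skew(self):
++ """
++ Revert nsslapd-ignore-time-skew to its previous value.
++ """
++ dn = DN(('cn', 'config'))
++ entry_attrs = api.Backend.ldap2.get_entry(dn)
++ if self.original_time_skew != 'on':
++ entry_attrs['nsslapd-ignore-time-skew'] = self.original_time_skew
++ api.Backend.ldap2.update_entry(entry_attrs)
++
+
+class SimpleServiceInstance(Service):
+def create_instance(self, gensvc_name=None, fqdn=None, ldap_suffix=None,
+--
+2.45.2
+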
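Review bot: In the `ipa-replica-manage.in` hunk, `ds.replica_revert_time_skew()` is only reached if `force_sync`, `get_replication_agreement` and `wait_for_repl_update` all return normally; any exception in between leaves `nsslapd-ignore-time-skew` forced to `on` in `cn=config`, which silently disables the server's time-skew protection for all later replication sessions. The revert belongs in a `finally` so the original value is restored on every path (the `CAInstance` and `DsInstance` step lists have the same exposure, but the step runner that would need the same treatment is outside this hunk). `replica_revert_time_skew` in `service.py` also dereferences `self.original_time_skew`, which only exists once `replica_ignore_initial_time_skew` has run; a `getattr(self, 'original_time_skew', None)` check with an early return would make it safe to call on its own. `force_sync` begins outside the hunk.
```python
        ds = dsinstance.DsInstance(realm_name=realm)
        ds.replica_ignore_initial_time_skew()
        try:
            repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
            repl.force_sync(repl.conn, thishost)
            agreement = repl.get_replication_agreement(thishost)
            repl.wait_for_repl_update(repl.conn, agreement.dn)
        finally:
            # restore the admin's configured value even if the sync failed
            ds.replica_revert_time_skew()
```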
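--- /dev/null
+++ b/0032-Log-errors-reported-by-adtrustinstance.check_inst-us.patch
@@ -0,0 +1,49 @@
+From e83d949c7f1734dff70379e360e9bbf626149c61 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Fri, 19 Jul 2024 14:24:15 -0400
+Subject: [PATCH] Log errors reported by adtrustinstance.check_inst() using
+logger
+
+It previously only printed the issue which made troubleshooting
+after the fact difficult. Using logger.error() provides the same
+visual functionality but also logs to the server install log.
+
+Fixes: https://pagure.io/freeipa/issue/9637
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ipaserver/install/adtrustinstance.py | 9 +++++----
+1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
+index 2ff68dfb46371a6118eb67515347eb762a37e1ec..fd5a5a282fa2a222de85c6b29d8d9621b53c95d2 100644
+--- a/ipaserver/install/adtrustinstance.py
++++ b/ipaserver/install/adtrustinstance.py
+@@ -65,8 +65,8 @@ and re-run ipa-adtrust-instal again afterwards.
+def check_inst():
+for smbfile in [paths.SMBD, paths.NET]:
+if not os.path.exists(smbfile):
+- print("%s was not found on this system" % smbfile)
+- print("Please install the 'samba' packages and " \
++ logger.error("%s was not found on this system", smbfile)
++ logger.error("Please install the 'samba' packages and "
+"start the installation again")
+return False
+
+@@ -74,9 +74,10 @@ def check_inst():
+# by looking for the file /usr/share/ipa/smb.conf.empty
+if not os.path.exists(os.path.join(paths.USR_SHARE_IPA_DIR,
+"smb.conf.empty")):
+- print("AD Trust requires the '%s' package" %
++ logger.error("AD Trust requires the '%s' package",
+constants.IPA_ADTRUST_PACKAGE_NAME)
+- print("Please install the package and start the installation again")
++ logger.error(
++ "Please install the package and start the installation again")
+return False
+
+#TODO: Add check for needed samba4 libraries
+--
+2.45.2
+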
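Review bot: Each failure is now emitted as two separate log records (the `logger.error` pairs at the `smbfile` check and at the `smb.conf.empty` check), so in the install log the "Please install ..." hint can end up detached from the line naming what is missing. One call per failure keeps the record self-contained, e.g. `logger.error("%s was not found on this system. Please install the 'samba' packages and start the installation again", smbfile)`, and likewise for the package check. The hunk does not show where `logger` comes from; if adtrustinstance.py does not already define a module-level `logger = logging.getLogger(__name__)`, this path raises NameError precisely when a package is missing, so confirm it is in scope. check_inst() continues past the end of the hunk.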
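--- /dev/null
+++ b/0033-ipatests-Verify-that-SIDgen-task-continue-even-if-it.patch
@@ -0,0 +1,116 @@
+From ee96c129a6034d02245a41c58fa3398c12c9ee75 Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Thu, 11 Jul 2024 18:14:52 +0530
+Subject: [PATCH] ipatests: Verify that SIDgen task continue even if it fails
+to assign sid
+
+related: https://pagure.io/freeipa/issue/9618
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ipatests/test_integration/test_commands.py | 73 +++++++++++++++++++++-
+1 file changed, 71 insertions(+), 2 deletions(-)
+
+diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
+index f6f1c979a751a300f09358c044fbfb34539d188e..fd34defe5b12f06ed7c16350cb90933ce9bcd72e 100644
+--- a/ipatests/test_integration/test_commands.py
++++ b/ipatests/test_integration/test_commands.py
+@@ -1267,7 +1267,7 @@ class TestIPACommand(IntegrationTest):
+
+def get_dirsrv_id(self):
+serverid = realm_to_serverid(self.master.domain.realm)
+- return("dirsrv@%s.service" % serverid)
++ return ("dirsrv@%s.service" % serverid)
+
+def test_ipa_nis_manage_enable(self):
+"""
+@@ -1769,7 +1769,7 @@ class TestIPACommandWithoutReplica(IntegrationTest):
+api.bootstrap_with_global_options(context='server')
+api.finalize()
+api.Backend.ldap2.connect()
+-
++
+api.Command["group_add"]("testgroup1", external=True)
+api.Command["group_add"]("testgroup2", external=False)
+result1 = api.Command["group_show"]("testgroup1", all=True)["result"] # noqa: E501
+@@ -1814,6 +1814,75 @@ class TestIPACommandWithoutReplica(IntegrationTest):
+'/tmp/reproducer2_code.py'])
+assert "missing attribute" not in result.stdout_text
+
++ def test_sidgen_task_continue_on_error(self):
++ """Verify that SIDgen task continue even if it fails to assign sid
++ scenario:
++ - add a user with no uid (it will be auto-assigned inside
++ the range)
++ - add a user with uid 2000
++ - add a user with no uid (it will be auto-assigned inside
++ the range)
++ - edit the first and 3rd users, remove the objectclass
++ ipaNTUserAttrs and the attribute ipaNTSecurityIdentifier
++ - run the sidgen task
++ - verify that user1 and user3 have a ipaNTSecurityIdentifier
++ - verify that old error message is not seen in dirsrv error log
++ - verify that new error message is seen in dirsrv error log
++
++ related: https://pagure.io/freeipa/issue/9618
++ """
++ test_user1 = 'test_user1'
++ test_user2 = 'test_user2'
++ test_user2000 = 'test_user2000'
++ base_dn = str(self.master.domain.basedn)
++ old_err_msg = 'Cannot add SID to existing entry'
++ new_err_msg = r'Finished with [0-9]+ failures, please check the log'
++
++ tasks.kinit_admin(self.master)
++ tasks.user_add(self.master, test_user1)
++ self.master.run_command(
++ ['ipa', 'user-add', test_user2000,
++ '--first', 'test', '--last', 'user',
++ '--uid', '2000']
++ )
++ tasks.user_add(self.master, test_user2)
++
++ for user in (test_user1, test_user2):
++ entry_ldif = textwrap.dedent("""
++ dn: uid={user},cn=users,cn=accounts,{base_dn}
++ changetype: modify
++ delete: ipaNTSecurityIdentifier
++ -
++ delete: objectclass
++ objectclass: ipaNTUserAttrs
++ """).format(
++ user=user,
++ base_dn=base_dn)
++ tasks.ldapmodify_dm(self.master, entry_ldif)
++
++ # run sidgen task
++ self.master.run_command(
++ ['ipa', 'config-mod', '--add-sids', '--enable-sid']
++ )
++
++ # ensure that sidgen have added the attr removed above
++ for user in (test_user1, test_user2):
++ result = tasks.ldapsearch_dm(
++ self.master,
++ 'uid={user},cn=users,cn=accounts,{base_dn}'.format(
++ user=user, base_dn=base_dn),
++ ['ipaNTSecurityIdentifier']
++ )
++ assert 'ipaNTSecurityIdentifier' in result.stdout_text
++
++ dashed_domain = self.master.domain.realm.replace(".", '-')
++ dirsrv_error_log = self.master.get_file_contents(
++ paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % (dashed_domain),
++ encoding='utf-8'
++ )
++ assert old_err_msg not in dirsrv_error_log
++ assert re.search(new_err_msg, dirsrv_error_log)
++
+
+class TestIPAautomount(IntegrationTest):
+@classmethod
+--
+2.45.2
+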
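Review bot: The three accounts created by test_sidgen_task_continue_on_error (`test_user1`, `test_user2`, `test_user2000`) are never removed and there is no try/finally, so a failed assertion or any later test in TestIPACommandWithoutReplica inherits them; `test_user2000` in particular, with its hand-picked uid 2000 (apparently outside the ID range, since the docstring says auto-assigned uids land inside it), will keep producing sidgen failures on every subsequent run of the task. Delete them in a `finally:` block, e.g. `for u in (test_user1, test_user2, test_user2000): self.master.run_command(['ipa', 'user-del', u])`. The new body also uses `textwrap.dedent`, `re.search` and `paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE` while the diffstat (71 insertions, all accounted for by the three visible hunks) adds no import line, so confirm those names are already imported in test_commands.py. The docstring speaks of editing the "first and 3rd users" while the code edits `test_user1` and `test_user2`; this matches only because `test_user2` is added third, so either rename it `test_user3` or word the docstring as user1 and user2.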
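--- /dev/null
+++ b/0034-ipatests-ipa-migrate-tool-with-Z-option-CACERTFILE.patch
@@ -0,0 +1,76 @@
+From 8046023fc46c628c099d84b026ab866f7c6e16d6 Mon Sep 17 00:00:00 2001
+From: Sudhir Menon <sumenon@redhat.com>
+Date: Thu, 25 Jul 2024 18:32:21 +0530
+Subject: [PATCH] ipatests: ipa-migrate tool with -Z option (CACERTFILE)
+
+This patch add tests to check the scenarios associated with
+pagure tickets
+
+https://pagure.io/freeipa/issue/9642 - ipa-migrate - properly handle invalid certificates
+https://pagure.io/freeipa/issue/9619 - ipa-migrate starttls does not work
+
+Signed-off-by: Sudhir Menon <sumenon@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+.../test_ipa_ipa_migration.py | 48 +++++++++++++++++++
+1 file changed, 48 insertions(+)
+
+diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
+index a516941047315e07407b8063a7010526d384ab3b..f697bbfbfc6169309274db689501c99fe148cc70 100644
+--- a/ipatests/test_integration/test_ipa_ipa_migration.py
++++ b/ipatests/test_integration/test_ipa_ipa_migration.py
+@@ -872,3 +872,51 @@ class TestIPAMigrateScenario1(IntegrationTest):
+extra_args=params,
+)
+assert self.replicas[0].transport.file_exists(custom_log_file)
++
++ def test_ipa_migrate_stage_mode_with_cert(self):
++ """
++ This testcase checks that ipa-migrate command
++ works without the 'ValuerError'
++ when -Z <cert> option is used with valid cert
++ """
++ cert_file = '/tmp/ipa.crt'
++ remote_server_cert = self.master.get_file_contents(
++ paths.IPA_CA_CRT, encoding="utf-8"
++ )
++ self.replicas[0].put_file_contents(cert_file, remote_server_cert)
++ params = ['-x', '-n', '-Z', cert_file]
++ result = run_migrate(
++ self.replicas[0],
++ "stage-mode",
++ self.master.hostname,
++ "cn=Directory Manager",
++ self.master.config.admin_password,
++ extra_args=params,
++ )
++ assert result.returncode == 0
++
++ def test_ipa_migrate_stage_mode_with_invalid_cert(self):
++ """
++ This test checks ipa-migrate tool throws
++ error when invalid cert is specified with
++ -Z option
++ """
++ cert_file = '/tmp/invaid_cert.crt'
++ invalid_cert = (
++ b'-----BEGIN CERTIFICATE-----\n'
++ b'MIIFazCCDQYJKoZIhvcNAQELBQAw\n'
++ b'-----END CERTIFICATE-----\n'
++ )
++ ERR_MSG = "Failed to connect to remote server: "
++ params = ['-x', '-n', '-Z', cert_file]
++ self.replicas[0].put_file_contents(cert_file, invalid_cert)
++ result = run_migrate(
++ self.replicas[0],
++ "stage-mode",
++ self.master.hostname,
++ "cn=Directory Manager",
++ self.master.config.admin_password,
++ extra_args=params,
++ )
++ assert result.returncode == 1
++ assert ERR_MSG in result.stderr_text
+--
+2.45.2
+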
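Review bot: The invalid-certificate test only asserts the generic prefix `"Failed to connect to remote server: "` together with `returncode == 1`, which an unreachable master or a rejected Directory Manager bind would satisfy just as well, so it does not show that the malformed CA file is what caused the rejection; if ipa-migrate appends the underlying TLS/certificate error after the colon, assert on that text too so the check is specific to certificate validation. Both tests also write fixed paths in the replica's `/tmp` and never remove them, and the second path is misspelled (`/tmp/invaid_cert.crt`); use `/tmp/invalid_cert.crt` and delete both files once `run_migrate` returns. The docstring of test_ipa_migrate_stage_mode_with_cert has 'ValuerError' for 'ValueError'. `ERR_MSG` is a function local, so lowercase `err_msg` would match the `cert_file` and `params` names beside it.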
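--- a/freeipa.spec
+++ b/freeipa.spec
@@ -224,7 +224,7 @@
 
 Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 6%{?rc_version:.%rc_version}%{?dist}
+Release: 7%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 
 License: GPL-3.0-or-later
@@ -270,6 +270,18 @@ Patch0019: 0019-ipa-migrate-starttls-does-not-work.patch
 Patch0020: 0020-ipa-pwd-extop-differentiate-OTP-requirements-in-LDAP.patch
 Patch0021: 0021-ipatests-Test-replica-installation-using-AD-admin.patch
 Patch0022: 0022-Issue-9621-ipa-migrate-should-not-update-mapped-attr.patch
+Patch0023: 0023-ipatests-remove-xfail-for-test_ipa_migrate_version_o.patch
+Patch0024: 0024-ipatests-remove-xfail-for-test_ipa_migrate_stage_mod.patch
+Patch0025: 0025-Unconditionally-add-MS-PAC-to-global-config-on-updat.patch
+Patch0026: 0026-Remove-RC4-and-3DES-default-encryption-types-on-upda.patch
+Patch0027: 0027-Fix-a-copy-paste-issue-when-detecting-the-HSM-SELinu.patch
+Patch0028: 0028-ipa-migrate-properly-handle-invalid-certificates.patch
+Patch0029: 0029-ipatests-Fix-usage-of-token_password_file.patch
+Patch0030: 0030-Run-HSM-validation-as-pkiuser-to-verify-token-permis.patch
+Patch0031: 0031-Replica-CA-installation-ignore-time-skew-during-init.patch
+Patch0032: 0032-Log-errors-reported-by-adtrustinstance.check_inst-us.patch
+Patch0033: 0033-ipatests-Verify-that-SIDgen-task-continue-even-if-it.patch
+Patch0034: 0034-ipatests-ipa-migrate-tool-with-Z-option-CACERTFILE.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1883,6 +1895,16 @@ fi
 %endif
 
 %changelog
+* Thu Aug 8 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.0-7
+- Resolves: RHEL-53500 adtrustinstance only prints issues in check_inst() and does not log them
+- Resolves: RHEL-52306 Unconditionally add MS-PAC to global config
+- Resolves: RHEL-52300 RFE - Keep the configured value for the "nsslapd-ignore-time-skew" after a "force-sync"
+- Resolves: RHEL-52222 ipa-replica/server-install with softhsm needs to check permission/ownership of /var/lib/softhsm/tokens to avoid install failure
+- Resolves: RHEL-51944 Include latest fixes in python3-ipatests packages
+- Resolves: RHEL-50804 ipa-migrate -Z with invalid cert options fails with 'ValueError: option error'
+- Resolves: RHEL-49602 misleading warning for missing ipa-selinux-nfast package on luna hsm h/w
+- Resolves: RHEL-27856 'Unable to log in as uid=admin-replica.testrealm.test,ou=people,o=ipaca' during replica install
+
 * Thu Jul 18 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.0-6
 - Resolves: RHEL-47292 Include latest fixes in python3-ipatests packages
 - Resolves: RHEL-47146 Syntax error uninstalling the selinux-luna subpackage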