import ipa-4.9.8-5.el9
This commit is contained in:
parent
f6c7a5ebb5
commit
9ea9b7ab0a
@ -0,0 +1,48 @@
|
|||||||
|
From ba7ec71ba96280da3841ebe47df2a6dc1cd6341e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Date: Fri, 26 Nov 2021 12:11:21 +0530
|
||||||
|
Subject: [PATCH] ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica
|
||||||
|
teardown
|
||||||
|
|
||||||
|
Fixture `expire_certs` moves date back after renewing the certs.
|
||||||
|
This is causing the ipa-replica to fail. This fix first uninstalls
|
||||||
|
the server then moves back the date.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9052
|
||||||
|
|
||||||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_ipa_cert_fix.py | 9 ++++++++-
|
||||||
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
index 39904d5de64c59416f01646f437aabf797d57dd9..5b56054b4f16d5654ebeb61971a8775bfaf341b8 100644
|
||||||
|
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||||
|
@@ -389,6 +389,12 @@ class TestCertFixReplica(IntegrationTest):
|
||||||
|
setup_dns=False, extra_args=['--no-ntp']
|
||||||
|
)
|
||||||
|
|
||||||
|
+ @classmethod
|
||||||
|
+ def uninstall(cls, mh):
|
||||||
|
+ # Uninstall method is empty as the uninstallation is done in
|
||||||
|
+ # the fixture
|
||||||
|
+ pass
|
||||||
|
+
|
||||||
|
@pytest.fixture
|
||||||
|
def expire_certs(self):
|
||||||
|
# move system date to expire certs
|
||||||
|
@@ -398,7 +404,8 @@ class TestCertFixReplica(IntegrationTest):
|
||||||
|
yield
|
||||||
|
|
||||||
|
# move date back on replica and master
|
||||||
|
- for host in self.master, self.replicas[0]:
|
||||||
|
+ for host in self.replicas[0], self.master:
|
||||||
|
+ tasks.uninstall_master(host)
|
||||||
|
tasks.move_date(host, 'start', '-3years-1days')
|
||||||
|
|
||||||
|
def test_renew_expired_cert_replica(self, expire_certs):
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -0,0 +1,29 @@
|
|||||||
|
From 8b22ee018c3bb7f58a1b6694a7fd611688f8e74f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumedh Sidhaye <ssidhaye@redhat.com>
|
||||||
|
Date: Thu, 25 Nov 2021 17:48:20 +0530
|
||||||
|
Subject: [PATCH] Extend test to see if replica is not shown when running
|
||||||
|
`ipa-replica-manage list -v <FQDN>`
|
||||||
|
|
||||||
|
Related: https://pagure.io/freeipa/issue/8605
|
||||||
|
|
||||||
|
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_simple_replication.py | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py
|
||||||
|
index 8de3851447abdfd36171134cbb683115b34df749..17092a49966e61d5a4a9b04c15abcb1de8be9683 100644
|
||||||
|
--- a/ipatests/test_integration/test_simple_replication.py
|
||||||
|
+++ b/ipatests/test_integration/test_simple_replication.py
|
||||||
|
@@ -111,5 +111,6 @@ class TestSimpleReplication(IntegrationTest):
|
||||||
|
# has to be run with --force, there is no --unattended
|
||||||
|
self.master.run_command(['ipa-replica-manage', 'del',
|
||||||
|
self.replicas[0].hostname, '--force'])
|
||||||
|
- result = self.master.run_command(['ipa-replica-manage', 'list'])
|
||||||
|
+ result = self.master.run_command(
|
||||||
|
+ ['ipa-replica-manage', 'list', '-v', self.master.hostname])
|
||||||
|
assert self.replicas[0].hostname not in result.stdout_text
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -0,0 +1,40 @@
|
|||||||
|
From 465f1669a6c5abc72da1ecaf9aefa8488f80806c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Anuja More <amore@redhat.com>
|
||||||
|
Date: Mon, 13 Dec 2021 17:37:05 +0530
|
||||||
|
Subject: [PATCH] ipatests: Test default value of nsslapd-sizelimit.
|
||||||
|
|
||||||
|
related : https://pagure.io/freeipa/issue/8962
|
||||||
|
|
||||||
|
Signed-off-by: Anuja More <amore@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_installation.py | 13 +++++++++++++
|
||||||
|
1 file changed, 13 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||||
|
index 95cfaad54c33a581c6af352097ea95ed435ea2b1..0947241ae2738419c4855e2517670c9033e634f0 100644
|
||||||
|
--- a/ipatests/test_integration/test_installation.py
|
||||||
|
+++ b/ipatests/test_integration/test_installation.py
|
||||||
|
@@ -1067,6 +1067,19 @@ class TestInstallMaster(IntegrationTest):
|
||||||
|
)
|
||||||
|
assert "nsslapd-db-locks" not in result.stdout_text
|
||||||
|
|
||||||
|
+ def test_nsslapd_sizelimit(self):
|
||||||
|
+ """ Test for default value of nsslapd-sizelimit.
|
||||||
|
+
|
||||||
|
+ Related : https://pagure.io/freeipa/issue/8962
|
||||||
|
+ """
|
||||||
|
+ result = tasks.ldapsearch_dm(
|
||||||
|
+ self.master,
|
||||||
|
+ "cn=config",
|
||||||
|
+ ["nsslapd-sizelimit"],
|
||||||
|
+ scope="base"
|
||||||
|
+ )
|
||||||
|
+ assert "nsslapd-sizelimit: 100000" in result.stdout_text
|
||||||
|
+
|
||||||
|
def test_admin_root_alias_CVE_2020_10747(self):
|
||||||
|
# Test for CVE-2020-10747 fix
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1810160
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -0,0 +1,123 @@
|
|||||||
|
From cbd9ac6ab07dfb60f67da762fdd70856ad35c230 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Date: Thu, 25 Nov 2021 13:10:05 +0530
|
||||||
|
Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to
|
||||||
|
segfault
|
||||||
|
|
||||||
|
When empty cert request is submitted to certmonger, it goes to
|
||||||
|
segfault. This fix test that if something like this happens,
|
||||||
|
certmonger should gracefuly handle it
|
||||||
|
|
||||||
|
and some PEP8 fixes
|
||||||
|
|
||||||
|
related: https://pagure.io/certmonger/issue/191
|
||||||
|
|
||||||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_cert.py | 79 +++++++++++++++++++++++++-
|
||||||
|
1 file changed, 78 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
|
||||||
|
index 5ffb8c6086328d563084f1d4b73daa1d01d956e7..0518d79545f7592d17571068e2681474bd9e5b14 100644
|
||||||
|
--- a/ipatests/test_integration/test_cert.py
|
||||||
|
+++ b/ipatests/test_integration/test_cert.py
|
||||||
|
@@ -14,6 +14,7 @@ import random
|
||||||
|
import re
|
||||||
|
import string
|
||||||
|
import time
|
||||||
|
+import textwrap
|
||||||
|
|
||||||
|
from ipaplatform.paths import paths
|
||||||
|
from ipapython.dn import DN
|
||||||
|
@@ -193,7 +194,7 @@ class TestInstallMasterClient(IntegrationTest):
|
||||||
|
tasks.kinit_admin(self.master)
|
||||||
|
tasks.user_add(self.master, user)
|
||||||
|
|
||||||
|
- for id in (0,1):
|
||||||
|
+ for id in (0, 1):
|
||||||
|
csr_file = f'{id}.csr'
|
||||||
|
key_file = f'{id}.key'
|
||||||
|
cert_file = f'{id}.crt'
|
||||||
|
@@ -584,3 +585,79 @@ class TestCAShowErrorHandling(IntegrationTest):
|
||||||
|
error_msg = 'ipa: ERROR: The certificate for ' \
|
||||||
|
'{} is not available on this server.'.format(lwca)
|
||||||
|
assert error_msg in result.stderr_text
|
||||||
|
+
|
||||||
|
+ def test_certmonger_empty_cert_not_segfault(self):
|
||||||
|
+ """Test empty cert request doesn't force certmonger to segfault
|
||||||
|
+
|
||||||
|
+ Test scenario:
|
||||||
|
+ create a cert request file in /var/lib/certmonger/requests which is
|
||||||
|
+ missing most of the required information, and ask request a new
|
||||||
|
+ certificate to certmonger. The wrong request file should not make
|
||||||
|
+ certmonger crash.
|
||||||
|
+
|
||||||
|
+ related: https://pagure.io/certmonger/issue/191
|
||||||
|
+ """
|
||||||
|
+ empty_cert_req_content = textwrap.dedent("""
|
||||||
|
+ id=dogtag-ipa-renew-agent
|
||||||
|
+ key_type=UNSPECIFIED
|
||||||
|
+ key_gen_type=UNSPECIFIED
|
||||||
|
+ key_size=0
|
||||||
|
+ key_gen_size=0
|
||||||
|
+ key_next_type=UNSPECIFIED
|
||||||
|
+ key_next_gen_type=UNSPECIFIED
|
||||||
|
+ key_next_size=0
|
||||||
|
+ key_next_gen_size=0
|
||||||
|
+ key_preserve=0
|
||||||
|
+ key_storage_type=NONE
|
||||||
|
+ key_perms=0
|
||||||
|
+ key_requested_count=0
|
||||||
|
+ key_issued_count=0
|
||||||
|
+ cert_storage_type=FILE
|
||||||
|
+ cert_perms=0
|
||||||
|
+ cert_is_ca=0
|
||||||
|
+ cert_ca_path_length=0
|
||||||
|
+ cert_no_ocsp_check=0
|
||||||
|
+ last_need_notify_check=19700101000000
|
||||||
|
+ last_need_enroll_check=19700101000000
|
||||||
|
+ template_is_ca=0
|
||||||
|
+ template_ca_path_length=-1
|
||||||
|
+ template_no_ocsp_check=0
|
||||||
|
+ state=NEED_KEY_PAIR
|
||||||
|
+ autorenew=0
|
||||||
|
+ monitor=0
|
||||||
|
+ submitted=19700101000000
|
||||||
|
+ """)
|
||||||
|
+ # stop certmonger service
|
||||||
|
+ self.master.run_command(['systemctl', 'stop', 'certmonger'])
|
||||||
|
+
|
||||||
|
+ # place an empty cert request file to certmonger request dir
|
||||||
|
+ self.master.put_file_contents(
|
||||||
|
+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
|
||||||
|
+ empty_cert_req_content
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ # start certmonger, it should not fail
|
||||||
|
+ self.master.run_command(['systemctl', 'start', 'certmonger'])
|
||||||
|
+
|
||||||
|
+ # request a new cert, should succeed and certmonger doesn't goes
|
||||||
|
+ # to segfault
|
||||||
|
+ result = self.master.run_command([
|
||||||
|
+ "ipa-getcert", "request",
|
||||||
|
+ "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"),
|
||||||
|
+ "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"),
|
||||||
|
+ ])
|
||||||
|
+ request_id = re.findall(r'\d+', result.stdout_text)
|
||||||
|
+
|
||||||
|
+ # check if certificate is in MONITORING state
|
||||||
|
+ status = tasks.wait_for_request(self.master, request_id[0], 50)
|
||||||
|
+ assert status == "MONITORING"
|
||||||
|
+
|
||||||
|
+ self.master.run_command(
|
||||||
|
+ ['ipa-getcert', 'stop-tracking', '-i', request_id[0]]
|
||||||
|
+ )
|
||||||
|
+ self.master.run_command([
|
||||||
|
+ 'rm', '-rf',
|
||||||
|
+ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
|
||||||
|
+ os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'),
|
||||||
|
+ os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key')
|
||||||
|
+ ])
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
104
SOURCES/0007-Test-cases-for-ipa-replica-conncheck-command.patch
Normal file
104
SOURCES/0007-Test-cases-for-ipa-replica-conncheck-command.patch
Normal file
@ -0,0 +1,104 @@
|
|||||||
|
From 1d19b860d4cd3bd65a4b143b588425d9a64237fd Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Date: Thu, 18 Nov 2021 18:36:58 +0530
|
||||||
|
Subject: [PATCH] Test cases for ipa-replica-conncheck command
|
||||||
|
|
||||||
|
Following test cases would be checked:
|
||||||
|
- when called with --principal (it should then prompt for a password)
|
||||||
|
- when called with --principal / --password
|
||||||
|
- when called without principal and password but with a kerberos TGT,
|
||||||
|
kinit admin done before calling ipa-replica-conncheck
|
||||||
|
- when called without principal and password, and without any kerberos
|
||||||
|
TGT (it should default to principal=admin and prompt for a password)
|
||||||
|
|
||||||
|
related: https://pagure.io/freeipa/issue/9047
|
||||||
|
|
||||||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
---
|
||||||
|
.../test_replica_promotion.py | 70 +++++++++++++++++++
|
||||||
|
1 file changed, 70 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
|
||||||
|
index b9c56f775d08885cb6b1226eeb7bcf105f87cdc1..1a4e9bc121abf41a3919aedda3d334de9404d1a0 100644
|
||||||
|
--- a/ipatests/test_integration/test_replica_promotion.py
|
||||||
|
+++ b/ipatests/test_integration/test_replica_promotion.py
|
||||||
|
@@ -437,6 +437,76 @@ class TestRenewalMaster(IntegrationTest):
|
||||||
|
self.assertCARenewalMaster(master, replica.hostname)
|
||||||
|
self.assertCARenewalMaster(replica, replica.hostname)
|
||||||
|
|
||||||
|
+ def test_replica_concheck(self):
|
||||||
|
+ """Test cases for ipa-replica-conncheck command
|
||||||
|
+
|
||||||
|
+ Following test cases would be checked:
|
||||||
|
+ - when called with --principal (it should then prompt for a password)
|
||||||
|
+ - when called with --principal / --password
|
||||||
|
+ - when called without principal and password but with a kerberos TGT,
|
||||||
|
+ kinit admin done before calling ipa-replica-conncheck
|
||||||
|
+ - when called without principal and password, and without any kerberos
|
||||||
|
+ TGT (it should default to principal=admin and prompt for a password)
|
||||||
|
+
|
||||||
|
+ related: https://pagure.io/freeipa/issue/9047
|
||||||
|
+ """
|
||||||
|
+ exp_str1 = "Connection from replica to master is OK."
|
||||||
|
+ exp_str2 = "Connection from master to replica is OK"
|
||||||
|
+ tasks.kdestroy_all(self.replicas[0])
|
||||||
|
+ # when called with --principal (it should then prompt for a password)
|
||||||
|
+ result = self.replicas[0].run_command(
|
||||||
|
+ ['ipa-replica-conncheck', '--auto-master-check',
|
||||||
|
+ '--master', self.master.hostname,
|
||||||
|
+ '-r', self.replicas[0].domain.realm,
|
||||||
|
+ '-p', self.replicas[0].config.admin_name],
|
||||||
|
+ stdin_text=self.master.config.admin_password
|
||||||
|
+ )
|
||||||
|
+ assert result.returncode == 0
|
||||||
|
+ assert (
|
||||||
|
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ # when called with --principal / --password
|
||||||
|
+ result = self.replicas[0].run_command([
|
||||||
|
+ 'ipa-replica-conncheck', '--auto-master-check',
|
||||||
|
+ '--master', self.master.hostname,
|
||||||
|
+ '-r', self.replicas[0].domain.realm,
|
||||||
|
+ '-p', self.replicas[0].config.admin_name,
|
||||||
|
+ '-w', self.master.config.admin_password
|
||||||
|
+ ])
|
||||||
|
+ assert result.returncode == 0
|
||||||
|
+ assert (
|
||||||
|
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ # when called without principal and password, and without
|
||||||
|
+ # any kerberos TGT, it should default to principal=admin
|
||||||
|
+ # and prompt for a password
|
||||||
|
+ result = self.replicas[0].run_command(
|
||||||
|
+ ['ipa-replica-conncheck', '--auto-master-check',
|
||||||
|
+ '--master', self.master.hostname,
|
||||||
|
+ '-r', self.replicas[0].domain.realm],
|
||||||
|
+ stdin_text=self.master.config.admin_password
|
||||||
|
+ )
|
||||||
|
+ assert result.returncode == 0
|
||||||
|
+ assert (
|
||||||
|
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ # when called without principal and password but with a kerberos TGT,
|
||||||
|
+ # kinit admin done before calling ipa-replica-conncheck
|
||||||
|
+ tasks.kinit_admin(self.replicas[0])
|
||||||
|
+ result = self.replicas[0].run_command(
|
||||||
|
+ ['ipa-replica-conncheck', '--auto-master-check',
|
||||||
|
+ '--master', self.master.hostname,
|
||||||
|
+ '-r', self.replicas[0].domain.realm]
|
||||||
|
+ )
|
||||||
|
+ assert result.returncode == 0
|
||||||
|
+ assert (
|
||||||
|
+ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
|
||||||
|
+ )
|
||||||
|
+ tasks.kdestroy_all(self.replicas[0])
|
||||||
|
+
|
||||||
|
def test_automatic_renewal_master_transfer_ondelete(self):
|
||||||
|
# Test that after replica uninstallation, master overtakes the cert
|
||||||
|
# renewal master role from replica (which was previously set there)
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
59
SOURCES/0008-PEP8-Fixes.patch
Normal file
59
SOURCES/0008-PEP8-Fixes.patch
Normal file
@ -0,0 +1,59 @@
|
|||||||
|
From 5444da016edc416c0c9481c660c013053dbb93b5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Date: Thu, 18 Nov 2021 18:43:22 +0530
|
||||||
|
Subject: [PATCH] PEP8 Fixes
|
||||||
|
|
||||||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
---
|
||||||
|
.../test_integration/test_replica_promotion.py | 14 +++++++-------
|
||||||
|
1 file changed, 7 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
|
||||||
|
index 1a4e9bc121abf41a3919aedda3d334de9404d1a0..c328b1a08ffc8ac5efb0986d2b18c5074f573432 100644
|
||||||
|
--- a/ipatests/test_integration/test_replica_promotion.py
|
||||||
|
+++ b/ipatests/test_integration/test_replica_promotion.py
|
||||||
|
@@ -138,7 +138,6 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
|
||||||
|
assert res.returncode == 1
|
||||||
|
assert expected_err in res.stderr_text
|
||||||
|
|
||||||
|
-
|
||||||
|
@replicas_cleanup
|
||||||
|
def test_one_command_installation(self):
|
||||||
|
"""
|
||||||
|
@@ -150,11 +149,11 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
|
||||||
|
Firewall(self.replicas[0]).enable_services(["freeipa-ldap",
|
||||||
|
"freeipa-ldaps"])
|
||||||
|
self.replicas[0].run_command(['ipa-replica-install', '-w',
|
||||||
|
- self.master.config.admin_password,
|
||||||
|
- '-n', self.master.domain.name,
|
||||||
|
- '-r', self.master.domain.realm,
|
||||||
|
- '--server', self.master.hostname,
|
||||||
|
- '-U'])
|
||||||
|
+ self.master.config.admin_password,
|
||||||
|
+ '-n', self.master.domain.name,
|
||||||
|
+ '-r', self.master.domain.realm,
|
||||||
|
+ '--server', self.master.hostname,
|
||||||
|
+ '-U'])
|
||||||
|
# Ensure that pkinit is properly configured, test for 7566
|
||||||
|
result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status'])
|
||||||
|
assert "PKINIT is enabled" in result.stdout_text
|
||||||
|
@@ -321,7 +320,7 @@ class TestWrongClientDomain(IntegrationTest):
|
||||||
|
result1 = client.run_command(['ipa-replica-install', '-U', '-w',
|
||||||
|
self.master.config.dirman_password],
|
||||||
|
raiseonerr=False)
|
||||||
|
- assert(result1.returncode == 0), (
|
||||||
|
+ assert (result1.returncode == 0), (
|
||||||
|
'Failed to promote the client installed with the upcase domain name')
|
||||||
|
|
||||||
|
def test_client_rollback(self):
|
||||||
|
@@ -355,6 +354,7 @@ class TestWrongClientDomain(IntegrationTest):
|
||||||
|
assert("An error occurred while removing SSSD" not in
|
||||||
|
result.stdout_text)
|
||||||
|
|
||||||
|
+
|
||||||
|
class TestRenewalMaster(IntegrationTest):
|
||||||
|
|
||||||
|
topology = 'star'
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
209
SOURCES/0009-ipatests-webui-Tests-for-subordinate-ids.patch
Normal file
209
SOURCES/0009-ipatests-webui-Tests-for-subordinate-ids.patch
Normal file
@ -0,0 +1,209 @@
|
|||||||
|
From edbd8f692a28fc999b92e9032614d366511db323 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Anuja More <amore@redhat.com>
|
||||||
|
Date: Mon, 6 Dec 2021 20:50:01 +0530
|
||||||
|
Subject: [PATCH] ipatests: webui: Tests for subordinate ids.
|
||||||
|
|
||||||
|
Added web-ui tests to verify where operations
|
||||||
|
using subordinate ids are working as expected.
|
||||||
|
|
||||||
|
Related : https://pagure.io/freeipa/issue/8361
|
||||||
|
|
||||||
|
Signed-off-by: Anuja More <amore@redhat.com>
|
||||||
|
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_webui/test_subid.py | 141 ++++++++++++++++++++++++++++++
|
||||||
|
ipatests/test_webui/ui_driver.py | 28 ++++++
|
||||||
|
2 files changed, 169 insertions(+)
|
||||||
|
create mode 100644 ipatests/test_webui/test_subid.py
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_webui/test_subid.py b/ipatests/test_webui/test_subid.py
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000000000000000000000000000000000000..26decdba03955f28ab21a41ccffae2a9af7b09fe
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/ipatests/test_webui/test_subid.py
|
||||||
|
@@ -0,0 +1,141 @@
|
||||||
|
+
|
||||||
|
+"""
|
||||||
|
+Tests for subordinateid.
|
||||||
|
+"""
|
||||||
|
+
|
||||||
|
+from ipatests.test_webui.ui_driver import UI_driver
|
||||||
|
+import ipatests.test_webui.data_config as config_data
|
||||||
|
+import ipatests.test_webui.data_user as user_data
|
||||||
|
+from ipatests.test_webui.ui_driver import screenshot
|
||||||
|
+import re
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+class test_subid(UI_driver):
|
||||||
|
+
|
||||||
|
+ def add_user(self, pkey, name, surname):
|
||||||
|
+ self.add_record('user', {
|
||||||
|
+ 'pkey': pkey,
|
||||||
|
+ 'add': [
|
||||||
|
+ ('textbox', 'uid', pkey),
|
||||||
|
+ ('textbox', 'givenname', name),
|
||||||
|
+ ('textbox', 'sn', surname),
|
||||||
|
+ ]
|
||||||
|
+ })
|
||||||
|
+
|
||||||
|
+ def set_default_subid(self):
|
||||||
|
+ self.navigate_to_entity(config_data.ENTITY)
|
||||||
|
+ self.check_option('ipauserdefaultsubordinateid', 'checked')
|
||||||
|
+ self.facet_button_click('save')
|
||||||
|
+
|
||||||
|
+ def get_user_count(self, user_pkey):
|
||||||
|
+ self.navigate_to_entity('subid', facet='search')
|
||||||
|
+ self.apply_search_filter(user_pkey)
|
||||||
|
+ self.wait_for_request()
|
||||||
|
+ return self.get_rows()
|
||||||
|
+
|
||||||
|
+ @screenshot
|
||||||
|
+ def test_set_defaultsubid(self):
|
||||||
|
+ """
|
||||||
|
+ Test to verify that enable/disable is working for
|
||||||
|
+ adding subids to new users.
|
||||||
|
+ """
|
||||||
|
+ self.init_app()
|
||||||
|
+ self.add_record(user_data.ENTITY, user_data.DATA2)
|
||||||
|
+ self.navigate_to_entity(config_data.ENTITY)
|
||||||
|
+ # test subid can be enabled/disabled.
|
||||||
|
+ self.set_default_subid()
|
||||||
|
+ assert self.get_field_checked('ipauserdefaultsubordinateid')
|
||||||
|
+ self.set_default_subid()
|
||||||
|
+ assert not self.get_field_checked('ipauserdefaultsubordinateid')
|
||||||
|
+
|
||||||
|
+ @screenshot
|
||||||
|
+ def test_user_defaultsubid(self):
|
||||||
|
+ """
|
||||||
|
+ Test to verify that subid is generated for new user.
|
||||||
|
+ """
|
||||||
|
+ self.init_app()
|
||||||
|
+ user_pkey = "some-user"
|
||||||
|
+
|
||||||
|
+ self.set_default_subid()
|
||||||
|
+ assert self.get_field_checked('ipauserdefaultsubordinateid')
|
||||||
|
+
|
||||||
|
+ before_count = self.get_user_count(user_pkey)
|
||||||
|
+ assert len(before_count) == 0
|
||||||
|
+
|
||||||
|
+ self.add_user(user_pkey, 'Some', 'User')
|
||||||
|
+ after_count = self.get_user_count(user_pkey)
|
||||||
|
+ assert len(after_count) == 1
|
||||||
|
+
|
||||||
|
+ @screenshot
|
||||||
|
+ def test_user_subid_mod_desc(self):
|
||||||
|
+ """
|
||||||
|
+ Test to verify that auto-assigned subid description is modified.
|
||||||
|
+ """
|
||||||
|
+ self.init_app()
|
||||||
|
+ self.navigate_to_record("some-user")
|
||||||
|
+ self.switch_to_facet('memberof_subid')
|
||||||
|
+ rows = self.get_rows()
|
||||||
|
+ self.navigate_to_row_record(rows[-1])
|
||||||
|
+ self.fill_textbox("description", "some-user-subid-desc")
|
||||||
|
+ self.facet_button_click('save')
|
||||||
|
+
|
||||||
|
+ @screenshot
|
||||||
|
+ def test_admin_subid(self):
|
||||||
|
+ """
|
||||||
|
+ Test to verify that subid range is created with owner admin.
|
||||||
|
+ """
|
||||||
|
+ self.init_app()
|
||||||
|
+ self.navigate_to_entity('subid', facet='search')
|
||||||
|
+ self.facet_button_click('add')
|
||||||
|
+ self.select_combobox('ipaowner', 'admin')
|
||||||
|
+ self.dialog_button_click('add')
|
||||||
|
+ self.wait(0.3)
|
||||||
|
+ self.assert_no_error_dialog()
|
||||||
|
+
|
||||||
|
+ @screenshot
|
||||||
|
+ def test_admin_subid_negative(self):
|
||||||
|
+ """
|
||||||
|
+ Test to verify that readding the subid fails with error.
|
||||||
|
+ """
|
||||||
|
+ self.init_app()
|
||||||
|
+ self.navigate_to_entity('subid', facet='search')
|
||||||
|
+ self.facet_button_click('add')
|
||||||
|
+ self.select_combobox('ipaowner', 'admin')
|
||||||
|
+ self.dialog_button_click('add')
|
||||||
|
+ self.wait(0.3)
|
||||||
|
+ err_dialog = self.get_last_error_dialog(dialog_name='error_dialog')
|
||||||
|
+ text = self.get_text('.modal-body div p', err_dialog)
|
||||||
|
+ text = text.strip()
|
||||||
|
+ pattern = r'Subordinate id with with name .* already exists.'
|
||||||
|
+ assert re.search(pattern, text) is not None
|
||||||
|
+ self.close_all_dialogs()
|
||||||
|
+
|
||||||
|
+ @screenshot
|
||||||
|
+ def test_user_subid_add(self):
|
||||||
|
+ """
|
||||||
|
+ Test to verify that subid range is created for given user.
|
||||||
|
+ """
|
||||||
|
+ self.init_app()
|
||||||
|
+ self.navigate_to_entity('subid', facet='search')
|
||||||
|
+ before_count = self.get_rows()
|
||||||
|
+ self.facet_button_click('add')
|
||||||
|
+ self.select_combobox('ipaowner', user_data.PKEY2)
|
||||||
|
+ self.dialog_button_click('add')
|
||||||
|
+ self.wait(0.3)
|
||||||
|
+ self.assert_no_error_dialog()
|
||||||
|
+ after_count = self.get_rows()
|
||||||
|
+ assert len(before_count) < len(after_count)
|
||||||
|
+
|
||||||
|
+ @screenshot
|
||||||
|
+ def test_subid_del(self):
|
||||||
|
+ """
|
||||||
|
+ Test to remove subordinate id for given user.
|
||||||
|
+ """
|
||||||
|
+ self.init_app()
|
||||||
|
+ self.navigate_to_entity('subid', facet='search')
|
||||||
|
+ user_uid = self.get_record_pkey("some-user", "ipaowner",
|
||||||
|
+ table_name="ipauniqueid")
|
||||||
|
+ before_count = self.get_rows()
|
||||||
|
+ self.delete_record(user_uid, table_name="ipauniqueid")
|
||||||
|
+ after_count = self.get_rows()
|
||||||
|
+ assert len(before_count) > len(after_count)
|
||||||
|
diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
|
||||||
|
index 46fd512ae67bee65be55ae0d4dedec53cc29de97..77fd74e49593183a37fe735bedf2e0d6b9257ac7 100644
|
||||||
|
--- a/ipatests/test_webui/ui_driver.py
|
||||||
|
+++ b/ipatests/test_webui/ui_driver.py
|
||||||
|
@@ -1151,6 +1151,34 @@ class UI_driver:
|
||||||
|
return row
|
||||||
|
return None
|
||||||
|
|
||||||
|
+ def get_row_by_column_value(self, key, column_name, parent=None,
|
||||||
|
+ table_name=None):
|
||||||
|
+ """
|
||||||
|
+ Get the first matched row element of a search table with given key
|
||||||
|
+ matched against selected column. None if not found
|
||||||
|
+ """
|
||||||
|
+ rows = self.get_rows(parent, table_name)
|
||||||
|
+ s = "td div[name='%s']" % column_name
|
||||||
|
+ for row in rows:
|
||||||
|
+ has = self.find(s, By.CSS_SELECTOR, row)
|
||||||
|
+ if has.text == key:
|
||||||
|
+ return row
|
||||||
|
+ return None
|
||||||
|
+
|
||||||
|
+ def get_record_pkey(self, key, column, parent=None, table_name=None):
|
||||||
|
+ """
|
||||||
|
+ Get record pkey if value of column is known
|
||||||
|
+ """
|
||||||
|
+ row = self.get_row_by_column_value(key,
|
||||||
|
+ column_name=column,
|
||||||
|
+ parent=parent,
|
||||||
|
+ table_name=table_name)
|
||||||
|
+ val = None
|
||||||
|
+ if row:
|
||||||
|
+ el = self.find("td input", By.CSS_SELECTOR, row)
|
||||||
|
+ val = el.get_attribute("value")
|
||||||
|
+ return val
|
||||||
|
+
|
||||||
|
def navigate_to_row_record(self, row, pkey_column=None):
|
||||||
|
"""
|
||||||
|
Navigate to record by clicking on a link.
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -0,0 +1,39 @@
|
|||||||
|
From b9c42fed9b6f60801f908c368d0d97a2a69f7bb2 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Wed, 15 Dec 2021 10:47:02 +0100
|
||||||
|
Subject: [PATCH] Config plugin: return EmptyModlist when no change is applied
|
||||||
|
|
||||||
|
When ipa config-mod is called with the option --enable-sid,
|
||||||
|
the code needs to trap EmptyModlist exception (it is expected
|
||||||
|
that no LDAP attribute is modified by this operation).
|
||||||
|
The code had a flaw and was checking:
|
||||||
|
'enable_sid' in options
|
||||||
|
instead of
|
||||||
|
options['enable_sid']
|
||||||
|
|
||||||
|
"'enable_sid' in options" always returns true as this option
|
||||||
|
is a Flag with a default value, hence always present even if
|
||||||
|
not specified on the command line.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9063
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
ipaserver/plugins/config.py | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
|
||||||
|
index eae401fc3f7a1b7628eb211db206ba4bc2b36754..24446beb0b03a1510a96316eae915780817db102 100644
|
||||||
|
--- a/ipaserver/plugins/config.py
|
||||||
|
+++ b/ipaserver/plugins/config.py
|
||||||
|
@@ -707,7 +707,7 @@ class config_mod(LDAPUpdate):
|
||||||
|
if (isinstance(exc, errors.EmptyModlist) and
|
||||||
|
call_func.__name__ == 'update_entry' and
|
||||||
|
('ca_renewal_master_server' in options or
|
||||||
|
- 'enable_sid' in options)):
|
||||||
|
+ options['enable_sid'])):
|
||||||
|
return
|
||||||
|
|
||||||
|
super(config_mod, self).exc_callback(
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -0,0 +1,36 @@
|
|||||||
|
From cd735099e86304294217147ed578ac902fcf3dd3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Wed, 15 Dec 2021 10:51:05 +0100
|
||||||
|
Subject: [PATCH] config plugin: add a test ensuring EmptyModlist is returned
|
||||||
|
|
||||||
|
Add a test to test_config_plugin, that calls ipa config-mod
|
||||||
|
with the same value as already present in LDAP.
|
||||||
|
The call must return EmptyModlist.
|
||||||
|
|
||||||
|
Related: https://pagure.io/freeipa/issue/9063
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_xmlrpc/test_config_plugin.py | 9 +++++++++
|
||||||
|
1 file changed, 9 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_xmlrpc/test_config_plugin.py b/ipatests/test_xmlrpc/test_config_plugin.py
|
||||||
|
index e981bb4a03d39de450fc459d4b1ce4b636c19029..a8ec9f0e558d7efa091b50deca9fa7ca59fd7b11 100644
|
||||||
|
--- a/ipatests/test_xmlrpc/test_config_plugin.py
|
||||||
|
+++ b/ipatests/test_xmlrpc/test_config_plugin.py
|
||||||
|
@@ -312,4 +312,13 @@ class test_config(Declarative):
|
||||||
|
'value': None,
|
||||||
|
},
|
||||||
|
),
|
||||||
|
+ dict(
|
||||||
|
+ desc='Set the value to the already set value, no modifications',
|
||||||
|
+ command=(
|
||||||
|
+ 'config_mod', [], {
|
||||||
|
+ 'ipasearchrecordslimit': u'100',
|
||||||
|
+ },
|
||||||
|
+ ),
|
||||||
|
+ expected=errors.EmptyModlist(),
|
||||||
|
+ ),
|
||||||
|
]
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -0,0 +1,36 @@
|
|||||||
|
From 419d7fd6e5a9ed2d356ad05eef1043309f5646ef Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michal Polovka <mpolovka@redhat.com>
|
||||||
|
Date: Fri, 7 Jan 2022 12:12:26 +0100
|
||||||
|
Subject: [PATCH] ipatests: webui: Use safe-loader for loading YAML
|
||||||
|
configuration file
|
||||||
|
|
||||||
|
FullLoader class for YAML loader was introduced in version 5.1 which
|
||||||
|
also deprecated default loader. SafeLoader, however, stays consistent
|
||||||
|
across the versions and brings added security.
|
||||||
|
|
||||||
|
This fix is necessary as PyYAML > 5.1 is not available in downstream.
|
||||||
|
|
||||||
|
Related: https://pagure.io/freeipa/issue/9009
|
||||||
|
|
||||||
|
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_webui/ui_driver.py | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
|
||||||
|
index 77fd74e49593183a37fe735bedf2e0d6b9257ac7..519efee9bba3de2114d22865a08df87f9b5f348a 100644
|
||||||
|
--- a/ipatests/test_webui/ui_driver.py
|
||||||
|
+++ b/ipatests/test_webui/ui_driver.py
|
||||||
|
@@ -192,7 +192,7 @@ class UI_driver:
|
||||||
|
if not NO_YAML and os.path.isfile(path):
|
||||||
|
try:
|
||||||
|
with open(path, 'r') as conf:
|
||||||
|
- cls.config = yaml.load(stream=conf, Loader=yaml.FullLoader)
|
||||||
|
+ cls.config = yaml.safe_load(stream=conf)
|
||||||
|
except yaml.YAMLError as e:
|
||||||
|
pytest.skip("Invalid Web UI config.\n%s" % e)
|
||||||
|
except IOError as e:
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -0,0 +1,107 @@
|
|||||||
|
From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumedh Sidhaye <ssidhaye@redhat.com>
|
||||||
|
Date: Fri, 14 Jan 2022 19:55:13 +0530
|
||||||
|
Subject: [PATCH] Added test automation for SHA384withRSA CSR support
|
||||||
|
|
||||||
|
Scenario 1:
|
||||||
|
Setup master with --ca-signing-algorithm=SHA384withRSA
|
||||||
|
Run certutil and check Signing Algorithm
|
||||||
|
|
||||||
|
Scenario 2:
|
||||||
|
Setup a master
|
||||||
|
Stop services
|
||||||
|
Modify default.params.signingAlg in CS.cfg
|
||||||
|
Restart services
|
||||||
|
Resubmit cert (Resubmitted cert should have new Algorithm)
|
||||||
|
|
||||||
|
Pagure Link: https://pagure.io/freeipa/issue/8906
|
||||||
|
|
||||||
|
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Antonio Torres <antorres@redhat.com>
|
||||||
|
---
|
||||||
|
.../test_integration/test_installation.py | 63 +++++++++++++++++++
|
||||||
|
1 file changed, 63 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||||
|
index 0947241ae2738419c4855e2517670c9033e634f0..f2d372c0c0356f244971a2af808db45dd6c8cb5b 100644
|
||||||
|
--- a/ipatests/test_integration/test_installation.py
|
||||||
|
+++ b/ipatests/test_integration/test_installation.py
|
||||||
|
@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks
|
||||||
|
from ipatests.pytest_ipa.integration.env_config import get_global_config
|
||||||
|
from ipatests.test_integration.base import IntegrationTest
|
||||||
|
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
|
||||||
|
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
|
||||||
|
from ipaplatform import services
|
||||||
|
|
||||||
|
|
||||||
|
@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest):
|
||||||
|
tasks.install_replica(
|
||||||
|
self.master, self.replicas[0], setup_ca=False, setup_dns=False
|
||||||
|
)
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+class TestInstallwithSHA384withRSA(IntegrationTest):
|
||||||
|
+ num_replicas = 0
|
||||||
|
+
|
||||||
|
+ def test_install_master_withalgo_sha384withrsa(self, server_cleanup):
|
||||||
|
+ tasks.install_master(
|
||||||
|
+ self.master,
|
||||||
|
+ extra_args=['--ca-signing-algorithm=SHA384withRSA'],
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
+ # check Signing Algorithm post installation
|
||||||
|
+ dashed_domain = self.master.domain.realm.replace(".", '-')
|
||||||
|
+ cmd_args = ['certutil', '-L', '-d',
|
||||||
|
+ '/etc/dirsrv/slapd-{}/'.format(dashed_domain),
|
||||||
|
+ '-n', 'Server-Cert']
|
||||||
|
+ result = self.master.run_command(cmd_args)
|
||||||
|
+ assert 'SHA-384 With RSA Encryption' in result.stdout_text
|
||||||
|
+
|
||||||
|
+ def test_install_master_modify_existing(self, server_cleanup):
|
||||||
|
+ """
|
||||||
|
+ Setup a master
|
||||||
|
+ Stop services
|
||||||
|
+ Modify default.params.signingAlg in CS.cfg
|
||||||
|
+ Restart services
|
||||||
|
+ Resubmit cert (Resubmitted cert should have new Algorithm)
|
||||||
|
+ """
|
||||||
|
+ tasks.install_master(self.master)
|
||||||
|
+ self.master.run_command(['ipactl', 'stop'])
|
||||||
|
+ cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH,
|
||||||
|
+ encoding='utf-8')
|
||||||
|
+ new_lines = []
|
||||||
|
+ replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA"
|
||||||
|
+ ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA"
|
||||||
|
+ for line in cs_cfg_content.split('\n'):
|
||||||
|
+ if line.startswith('ca.signing.defaultSigningAlgorithm'):
|
||||||
|
+ new_lines.append(replace_str)
|
||||||
|
+ elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'):
|
||||||
|
+ new_lines.append(ocsp_rep_str)
|
||||||
|
+ else:
|
||||||
|
+ new_lines.append(line)
|
||||||
|
+ self.master.put_file_contents(paths.CA_CS_CFG_PATH,
|
||||||
|
+ '\n'.join(new_lines))
|
||||||
|
+ self.master.run_command(['ipactl', 'start'])
|
||||||
|
+
|
||||||
|
+ cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
|
||||||
|
+ result = self.master.run_command(cmd)
|
||||||
|
+ request_id = get_certmonger_fs_id(result.stdout_text)
|
||||||
|
+
|
||||||
|
+ # resubmit RA Agent cert
|
||||||
|
+ cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM]
|
||||||
|
+ self.master.run_command(cmd)
|
||||||
|
+
|
||||||
|
+ tasks.wait_for_certmonger_status(self.master,
|
||||||
|
+ ('CA_WORKING', 'MONITORING'),
|
||||||
|
+ request_id)
|
||||||
|
+
|
||||||
|
+ cmd_args = ['openssl', 'x509', '-in',
|
||||||
|
+ paths.RA_AGENT_PEM, '-noout', '-text']
|
||||||
|
+ result = self.master.run_command(cmd_args)
|
||||||
|
+ assert_str = 'Signature Algorithm: sha384WithRSAEncryption'
|
||||||
|
+ assert assert_str in result.stdout_text
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -0,0 +1,44 @@
|
|||||||
|
From 9bae5492270d8b695999cd82831cbee62b04626b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Fri, 28 Jan 2022 16:58:42 +0100
|
||||||
|
Subject: [PATCH] ipa-pki-proxy.conf: provide access to
|
||||||
|
/kra/admin/kra/getStatus
|
||||||
|
|
||||||
|
The access to /kra/admin/kra/getStatus will be needed
|
||||||
|
in order to fix pki-healthcheck.
|
||||||
|
Note that this commit is a pre-requisite for the fix
|
||||||
|
to be done on PKI side. No test added since the full
|
||||||
|
integration test already exists in test_replica_promotion.py,
|
||||||
|
in TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9099
|
||||||
|
Related: https://pagure.io/freeipa/issue/8582
|
||||||
|
|
||||||
|
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
---
|
||||||
|
install/share/ipa-pki-proxy.conf.template | 4 ++--
|
||||||
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/install/share/ipa-pki-proxy.conf.template b/install/share/ipa-pki-proxy.conf.template
|
||||||
|
index 96708482cdac128930efaca33a806daaeba68042..7a46f20b9058bab63238f56295a92533c232d47a 100644
|
||||||
|
--- a/install/share/ipa-pki-proxy.conf.template
|
||||||
|
+++ b/install/share/ipa-pki-proxy.conf.template
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-# VERSION 16 - DO NOT REMOVE THIS LINE
|
||||||
|
+# VERSION 17 - DO NOT REMOVE THIS LINE
|
||||||
|
|
||||||
|
ProxyRequests Off
|
||||||
|
|
||||||
|
@@ -11,7 +11,7 @@ ProxyRequests Off
|
||||||
|
</LocationMatch>
|
||||||
|
|
||||||
|
# matches for admin port and installer
|
||||||
|
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
|
||||||
|
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/admin/kra/getStatus">
|
||||||
|
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
|
||||||
|
SSLVerifyClient none
|
||||||
|
ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -0,0 +1,59 @@
|
|||||||
|
From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Tue, 1 Feb 2022 16:43:09 +0100
|
||||||
|
Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users
|
||||||
|
|
||||||
|
Since 5d51ae5, principal keys were dropped in case user auth indicator
|
||||||
|
was not including password. Thereafter, the key removal behavior was
|
||||||
|
removed by 15ff9c8 in the context of the kdcpolicy plugin introduction.
|
||||||
|
Support for hardened pre-auth methods (FAST and SPAKE) was added in
|
||||||
|
d057040, and the removal of principal keys was restored afterwards by
|
||||||
|
f0d12b7, but not taking the new hardened auth indicator into account.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9065
|
||||||
|
Related to: https://pagure.io/freeipa/issue/8001
|
||||||
|
|
||||||
|
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
||||||
|
---
|
||||||
|
daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++-----------
|
||||||
|
1 file changed, 12 insertions(+), 11 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||||
|
index 15f3df4fee8bdfadf60a4b1d9a5115407d1bb294..0d0d3748ce63a8252e84220d036140818ffdfb6e 100644
|
||||||
|
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||||
|
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||||
|
@@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
||||||
|
&res_key_data, &result, &mkvno);
|
||||||
|
switch (ret) {
|
||||||
|
case 0:
|
||||||
|
- /* Only set a principal's key if password auth can be used. Otherwise
|
||||||
|
- * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
|
||||||
|
- * reply for AS-REQs which indicate the password authentication is
|
||||||
|
- * available. This might confuse applications like e.g. SSSD which try
|
||||||
|
- * to determine suitable authentication methods and corresponding
|
||||||
|
- * prompts with the help of MIT Kerberos' responder interface which
|
||||||
|
- * acts on the returned pre-authentication methods. A typical example
|
||||||
|
- * is enforced OTP authentication where of course keys are available
|
||||||
|
- * for the first factor but password authentication should not be
|
||||||
|
- * advertised by the KDC. */
|
||||||
|
- if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
|
||||||
|
+ /* Only set a principal's key if password or hardened auth can be used.
|
||||||
|
+ * Otherwise the KDC would add pre-authentication methods to the
|
||||||
|
+ * NEEDED_PREAUTH reply for AS-REQs which indicate the password
|
||||||
|
+ * authentication is available. This might confuse applications like
|
||||||
|
+ * e.g. SSSD which try to determine suitable authentication methods and
|
||||||
|
+ * corresponding prompts with the help of MIT Kerberos' responder
|
||||||
|
+ * interface which acts on the returned pre-authentication methods. A
|
||||||
|
+ * typical example is enforced OTP authentication where of course keys
|
||||||
|
+ * are available for the first factor but password authentication
|
||||||
|
+ * should not be advertised by the KDC. */
|
||||||
|
+ if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) &&
|
||||||
|
+ (ua != IPADB_USER_AUTH_NONE)) {
|
||||||
|
/* This is the same behavior as ENOENT below. */
|
||||||
|
ipa_krb5_free_key_data(res_key_data, result);
|
||||||
|
break;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -0,0 +1,63 @@
|
|||||||
|
From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Julien Rische <jrische@redhat.com>
|
||||||
|
Date: Tue, 1 Feb 2022 19:38:29 +0100
|
||||||
|
Subject: [PATCH] ipatests: add case for hardened-only ticket policy
|
||||||
|
|
||||||
|
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++--
|
||||||
|
1 file changed, 28 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
|
||||||
|
index 63e75ae67f493352b1d3a611e7b079d914a7b253..9489fbc97b7836aecf491b57627f254d4849eb56 100644
|
||||||
|
--- a/ipatests/test_integration/test_krbtpolicy.py
|
||||||
|
+++ b/ipatests/test_integration/test_krbtpolicy.py
|
||||||
|
@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest):
|
||||||
|
result = master.run_command('klist | grep krbtgt')
|
||||||
|
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
|
||||||
|
|
||||||
|
- def test_krbtpolicy_hardended(self):
|
||||||
|
- """Test a hardened kerberos ticket policy with 10 min tickets"""
|
||||||
|
+ def test_krbtpolicy_password_and_hardended(self):
|
||||||
|
+ """Test a pwd and hardened kerberos ticket policy with 10min tickets"""
|
||||||
|
master = self.master
|
||||||
|
master.run_command(['ipa', 'user-mod', USER1,
|
||||||
|
'--user-auth-type', 'password',
|
||||||
|
@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest):
|
||||||
|
result = master.run_command('klist | grep krbtgt')
|
||||||
|
assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
|
||||||
|
|
||||||
|
+ def test_krbtpolicy_hardended(self):
|
||||||
|
+ """Test a hardened kerberos ticket policy with 30min tickets"""
|
||||||
|
+ master = self.master
|
||||||
|
+ master.run_command(['ipa', 'user-mod', USER1,
|
||||||
|
+ '--user-auth-type', 'hardened'])
|
||||||
|
+ master.run_command(['ipa', 'config-mod',
|
||||||
|
+ '--user-auth-type', 'hardened'])
|
||||||
|
+ master.run_command(['ipa', 'krbtpolicy-mod', USER1,
|
||||||
|
+ '--hardened-maxlife', '1800'])
|
||||||
|
+
|
||||||
|
+ tasks.kdestroy_all(master)
|
||||||
|
+
|
||||||
|
+ master.run_command(['kinit', USER1],
|
||||||
|
+ stdin_text=PASSWORD + '\n')
|
||||||
|
+ result = master.run_command('klist | grep krbtgt')
|
||||||
|
+ assert maxlife_within_policy(result.stdout_text, 1800,
|
||||||
|
+ slush=1800) is True
|
||||||
|
+
|
||||||
|
+ tasks.kdestroy_all(master)
|
||||||
|
+
|
||||||
|
+ # Verify that the short policy only applies to USER1
|
||||||
|
+ master.run_command(['kinit', USER2],
|
||||||
|
+ stdin_text=PASSWORD + '\n')
|
||||||
|
+ result = master.run_command('klist | grep krbtgt')
|
||||||
|
+ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
|
||||||
|
+
|
||||||
|
def test_krbtpolicy_password(self):
|
||||||
|
"""Test the kerberos ticket policy which issues 20 min tickets"""
|
||||||
|
master = self.master
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -0,0 +1,104 @@
|
|||||||
|
From edb216849e4f47d6cae95981edf0c3fe2653fd7a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Fri, 28 Jan 2022 16:46:35 -0500
|
||||||
|
Subject: [PATCH] Don't always override the port in import_included_profiles
|
||||||
|
|
||||||
|
I can only guess to the original purpose of this override. I
|
||||||
|
believe it was because this is called in the installer prior
|
||||||
|
to Apache being set up. The expectation was that this would
|
||||||
|
only be called locally. It predates the RestClient class.
|
||||||
|
|
||||||
|
RestClient will attempt to find an available service. In this
|
||||||
|
case, during a CA installation, the local server is not
|
||||||
|
considered available because it lacks an entry in
|
||||||
|
cn=masters. So it will never be returned as an option.
|
||||||
|
|
||||||
|
So by overriding the port to 8443 the remote connection will
|
||||||
|
likely fail because we don't require that the port be open.
|
||||||
|
|
||||||
|
So instead, instantiate a RestClient and see what happens.
|
||||||
|
|
||||||
|
There are several use-cases:
|
||||||
|
|
||||||
|
1. Installing an initial server. The RestClient connection
|
||||||
|
should fail, so we will fall back to the override port and
|
||||||
|
use the local server. If Apache happens to be running with
|
||||||
|
a globally-issued certificate then the RestClient will
|
||||||
|
succeed. In this case if the connected host and the local
|
||||||
|
hostname are the same, override in that case as well.
|
||||||
|
|
||||||
|
2. Installing as a replica. In this case the local server should
|
||||||
|
be ignored in all cases and a remote CA will be picked with
|
||||||
|
no override done.
|
||||||
|
|
||||||
|
3. Switching from CA-less to CA-ful. The web server will be
|
||||||
|
trusted but the RestClient login will fail with a 404. Fall
|
||||||
|
back to the override port in this case.
|
||||||
|
|
||||||
|
The motivation for this is trying to install an EL 8.x replica
|
||||||
|
against an EL 7.9 server. 8.5+ includes the ACME service and
|
||||||
|
a new profile is needed which doesn't exist in 7. This was
|
||||||
|
failing because the RestClient determined that the local server
|
||||||
|
wasn't running a CA so tried the remote one (7.9) on the override
|
||||||
|
port 8443. Since this port isn't open: failure.
|
||||||
|
|
||||||
|
Chances are that adding the profile is still going to fail
|
||||||
|
because again, 7.9 lacks ACME capabilities, but it will fail in
|
||||||
|
a way that allows the installation to continue.
|
||||||
|
|
||||||
|
I suspect that all of the overrides can similarly handled, or
|
||||||
|
handled directly within the RestClient class, but for the sake
|
||||||
|
of "do no harm" I'm only changing this instance for now.
|
||||||
|
|
||||||
|
https://pagure.io/freeipa/issue/9100
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||||
|
---
|
||||||
|
ipaserver/install/cainstance.py | 30 +++++++++++++++++++++++++++++-
|
||||||
|
1 file changed, 29 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
|
||||||
|
index 8c8bf1b3a7bcf8a9c50183579b874a5710a32ac3..ad206aad411b42336e86e0b651a948fccd3a75ac 100644
|
||||||
|
--- a/ipaserver/install/cainstance.py
|
||||||
|
+++ b/ipaserver/install/cainstance.py
|
||||||
|
@@ -1953,7 +1953,35 @@ def import_included_profiles():
|
||||||
|
cn=['certprofiles'],
|
||||||
|
)
|
||||||
|
|
||||||
|
- api.Backend.ra_certprofile.override_port = 8443
|
||||||
|
+ # At this point Apache may or may not be running with a valid
|
||||||
|
+ # certificate. The local server is not yet recognized as a full
|
||||||
|
+ # CA yet so it isn't discoverable. So try to do some detection
|
||||||
|
+ # on what port to use, 443 (remote) or 8443 (local) for importing
|
||||||
|
+ # the profiles.
|
||||||
|
+ #
|
||||||
|
+ # api.Backend.ra_certprofile invokes the RestClient class
|
||||||
|
+ # which will discover and login to the CA REST API. We can
|
||||||
|
+ # use this information to detect where to import the profiles.
|
||||||
|
+ #
|
||||||
|
+ # If the login is successful (e.g. doesn't raise an exception)
|
||||||
|
+ # and it returns our hostname (it prefers the local host) then
|
||||||
|
+ # we override and talk locally.
|
||||||
|
+ #
|
||||||
|
+ # Otherwise a NetworkError means we can't connect on 443 (perhaps
|
||||||
|
+ # a firewall) or we get an HTTP error (valid TLS certificate on
|
||||||
|
+ # Apache but no CA, login fails with 404) so we override to the
|
||||||
|
+ # local server.
|
||||||
|
+ #
|
||||||
|
+ # When override port was always set to 8443 the RestClient could
|
||||||
|
+ # pick a remote server and since 8443 isn't in our firewall profile
|
||||||
|
+ # setting up a new server would fail.
|
||||||
|
+ try:
|
||||||
|
+ with api.Backend.ra_certprofile as profile_api:
|
||||||
|
+ if profile_api.ca_host == api.env.host:
|
||||||
|
+ api.Backend.ra_certprofile.override_port = 8443
|
||||||
|
+ except (errors.NetworkError, errors.RemoteRetrieveError) as e:
|
||||||
|
+ logger.debug('Overriding CA port: %s', e)
|
||||||
|
+ api.Backend.ra_certprofile.override_port = 8443
|
||||||
|
|
||||||
|
for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES:
|
||||||
|
dn = DN(('cn', profile_id),
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -0,0 +1,115 @@
|
|||||||
|
From 7c5540bb47799b4db95673d22f61995ad5c56440 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Mon, 31 Jan 2022 17:31:50 -0500
|
||||||
|
Subject: [PATCH] Remove ipa-join errors from behind the debug option
|
||||||
|
|
||||||
|
This brings it inline with the previous XML-RPC output which
|
||||||
|
only hid the request and response from the output and not
|
||||||
|
any errors returned.
|
||||||
|
|
||||||
|
https://pagure.io/freeipa/issue/9103
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||||
|
Reviewed-By: Peter Keresztes Schmidt <carbenium@outlook.com>
|
||||||
|
---
|
||||||
|
client/ipa-join.c | 27 +++++++++------------------
|
||||||
|
1 file changed, 9 insertions(+), 18 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/client/ipa-join.c b/client/ipa-join.c
|
||||||
|
index d98739a9abfb01ecf619187483bfc6677957d498..5888a33bf221eb5d455b2adcfa0f33b38f0969ca 100644
|
||||||
|
--- a/client/ipa-join.c
|
||||||
|
+++ b/client/ipa-join.c
|
||||||
|
@@ -743,8 +743,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
|
||||||
|
|
||||||
|
json_str = json_dumps(json, 0);
|
||||||
|
if (!json_str) {
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("json_dumps() failed\n"));
|
||||||
|
+ fprintf(stderr, _("json_dumps() failed\n"));
|
||||||
|
|
||||||
|
rval = 17;
|
||||||
|
goto cleanup;
|
||||||
|
@@ -758,8 +757,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
|
||||||
|
CURLcode res = curl_easy_perform(curl);
|
||||||
|
if (res != CURLE_OK)
|
||||||
|
{
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
|
||||||
|
+ fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
|
||||||
|
|
||||||
|
rval = 17;
|
||||||
|
goto cleanup;
|
||||||
|
@@ -769,8 +767,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
|
||||||
|
curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &resp_code);
|
||||||
|
|
||||||
|
if (resp_code != 200) {
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
|
||||||
|
+ fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
|
||||||
|
|
||||||
|
if (!quiet && resp_code == 401)
|
||||||
|
fprintf(stderr, _("JSON-RPC call was unauthorized. Check your credentials.\n"));
|
||||||
|
@@ -848,8 +845,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
|
||||||
|
|
||||||
|
j_root = json_loads(payload, 0, &j_error);
|
||||||
|
if (!j_root) {
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
|
||||||
|
+ fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
|
||||||
|
|
||||||
|
rval = 17;
|
||||||
|
goto cleanup;
|
||||||
|
@@ -864,8 +860,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
|
||||||
|
|
||||||
|
*j_result_obj = json_object_get(j_root, "result");
|
||||||
|
if (!*j_result_obj) {
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
|
||||||
|
+ fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
|
||||||
|
|
||||||
|
rval = 17;
|
||||||
|
goto cleanup;
|
||||||
|
@@ -897,8 +892,7 @@ jsonrpc_parse_join_response(const char *payload, join_info *join_i, bool quiet)
|
||||||
|
&tmp_hostdn,
|
||||||
|
"krbprincipalname", &tmp_princ,
|
||||||
|
"krblastpwdchange", &tmp_pwdch) != 0) {
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
|
||||||
|
+ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
|
||||||
|
|
||||||
|
rval = 17;
|
||||||
|
goto cleanup;
|
||||||
|
@@ -941,8 +935,7 @@ join_krb5_jsonrpc(const char *ipaserver, const char *hostname, char **hostdn, co
|
||||||
|
"nshardwareplatform", uinfo.machine);
|
||||||
|
|
||||||
|
if (!json_req) {
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
|
||||||
|
+ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
|
||||||
|
|
||||||
|
rval = 17;
|
||||||
|
goto cleanup;
|
||||||
|
@@ -990,8 +983,7 @@ jsonrpc_parse_unenroll_response(const char *payload, bool* result, bool quiet) {
|
||||||
|
|
||||||
|
if (json_unpack_ex(j_result_obj, &j_error, 0, "{s:b}",
|
||||||
|
"result", result) != 0) {
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
|
||||||
|
+ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
|
||||||
|
|
||||||
|
rval = 20;
|
||||||
|
goto cleanup;
|
||||||
|
@@ -1021,8 +1013,7 @@ jsonrpc_unenroll_host(const char *ipaserver, const char *host, bool quiet) {
|
||||||
|
host);
|
||||||
|
|
||||||
|
if (!json_req) {
|
||||||
|
- if (debug)
|
||||||
|
- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
|
||||||
|
+ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
|
||||||
|
|
||||||
|
rval = 17;
|
||||||
|
goto cleanup;
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -0,0 +1,47 @@
|
|||||||
|
From 9b6d0bb1245c4891ccc270f360d0f72a4b1444c1 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Date: Mon, 7 Feb 2022 10:39:55 -0500
|
||||||
|
Subject: [PATCH] Enable the ccache sweep timer during installation
|
||||||
|
|
||||||
|
The timer was only being enabled during package installation
|
||||||
|
if IPA was configured. So effectively only on upgrade.
|
||||||
|
|
||||||
|
Add as a separate installation step after the ccache directory
|
||||||
|
is configured.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9107
|
||||||
|
|
||||||
|
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
---
|
||||||
|
ipaserver/install/httpinstance.py | 7 +++++++
|
||||||
|
1 file changed, 7 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
|
||||||
|
index 732bb58d49addcb2a9f7698d577527257a17fe66..50ccf5e5031c37171cebe6f20232f3bd645cedeb 100644
|
||||||
|
--- a/ipaserver/install/httpinstance.py
|
||||||
|
+++ b/ipaserver/install/httpinstance.py
|
||||||
|
@@ -140,6 +140,8 @@ class HTTPInstance(service.Service):
|
||||||
|
self.step("publish CA cert", self.__publish_ca_cert)
|
||||||
|
self.step("clean up any existing httpd ccaches",
|
||||||
|
self.remove_httpd_ccaches)
|
||||||
|
+ self.step("enable ccache sweep",
|
||||||
|
+ self.enable_ccache_sweep)
|
||||||
|
self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
|
||||||
|
if not self.is_kdcproxy_configured():
|
||||||
|
self.step("create KDC proxy config", self.create_kdcproxy_conf)
|
||||||
|
@@ -177,6 +179,11 @@ class HTTPInstance(service.Service):
|
||||||
|
[paths.SYSTEMD_TMPFILES, '--create', '--prefix', paths.IPA_CCACHES]
|
||||||
|
)
|
||||||
|
|
||||||
|
+ def enable_ccache_sweep(self):
|
||||||
|
+ ipautil.run(
|
||||||
|
+ [paths.SYSTEMCTL, 'enable', 'ipa-ccache-sweep.timer']
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
def __configure_http(self):
|
||||||
|
self.update_httpd_service_ipa_conf()
|
||||||
|
self.update_httpd_wsgi_conf()
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -0,0 +1,71 @@
|
|||||||
|
From 0d9eb3d515385412abefe9c33e0099ea14f33cbc Mon Sep 17 00:00:00 2001
|
||||||
|
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Date: Wed, 9 Feb 2022 18:56:21 +0530
|
||||||
|
Subject: [PATCH] Test ipa-ccache-sweep.timer enabled by default during
|
||||||
|
installation
|
||||||
|
|
||||||
|
This test checks that ipa-ccache-sweep.timer is enabled by default
|
||||||
|
during the ipa installation.
|
||||||
|
|
||||||
|
related: https://pagure.io/freeipa/issue/9107
|
||||||
|
|
||||||
|
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
---
|
||||||
|
.../test_integration/test_installation.py | 19 +++++++++++++++++--
|
||||||
|
1 file changed, 17 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||||
|
index f2d372c0c0356f244971a2af808db45dd6c8cb5b..63edbaa2bb4dbae174c6ab8c8f193cc24cc45b14 100644
|
||||||
|
--- a/ipatests/test_integration/test_installation.py
|
||||||
|
+++ b/ipatests/test_integration/test_installation.py
|
||||||
|
@@ -475,7 +475,7 @@ class TestInstallCA(IntegrationTest):
|
||||||
|
|
||||||
|
# Tweak sysrestore.state to drop installation section
|
||||||
|
self.master.run_command(
|
||||||
|
- ['sed','-i', r's/\[installation\]/\[badinstallation\]/',
|
||||||
|
+ ['sed', '-i', r's/\[installation\]/\[badinstallation\]/',
|
||||||
|
os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
|
||||||
|
|
||||||
|
# Re-run installation check and it should fall back to old method
|
||||||
|
@@ -485,7 +485,7 @@ class TestInstallCA(IntegrationTest):
|
||||||
|
|
||||||
|
# Restore installation section.
|
||||||
|
self.master.run_command(
|
||||||
|
- ['sed','-i', r's/\[badinstallation\]/\[installation\]/',
|
||||||
|
+ ['sed', '-i', r's/\[badinstallation\]/\[installation\]/',
|
||||||
|
os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
|
||||||
|
|
||||||
|
# Uninstall and confirm that the old method reports correctly
|
||||||
|
@@ -690,6 +690,7 @@ def get_pki_tomcatd_pid(host):
|
||||||
|
break
|
||||||
|
return(pid)
|
||||||
|
|
||||||
|
+
|
||||||
|
def get_ipa_services_pids(host):
|
||||||
|
ipa_services_name = [
|
||||||
|
"krb5kdc", "kadmin", "named", "httpd", "ipa-custodia",
|
||||||
|
@@ -1309,6 +1310,20 @@ class TestInstallMasterKRA(IntegrationTest):
|
||||||
|
def test_install_master(self):
|
||||||
|
tasks.install_master(self.master, setup_dns=False, setup_kra=True)
|
||||||
|
|
||||||
|
+ def test_ipa_ccache_sweep_timer_enabled(self):
|
||||||
|
+ """Test ipa-ccache-sweep.timer enabled by default during installation
|
||||||
|
+
|
||||||
|
+ This test checks that ipa-ccache-sweep.timer is enabled by default
|
||||||
|
+ during the ipa installation.
|
||||||
|
+
|
||||||
|
+ related: https://pagure.io/freeipa/issue/9107
|
||||||
|
+ """
|
||||||
|
+ result = self.master.run_command(
|
||||||
|
+ ['systemctl', 'is-enabled', 'ipa-ccache-sweep.timer'],
|
||||||
|
+ raiseonerr=False
|
||||||
|
+ )
|
||||||
|
+ assert 'enabled' in result.stdout_text
|
||||||
|
+
|
||||||
|
def test_install_dns(self):
|
||||||
|
tasks.install_dns(self.master)
|
||||||
|
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
38
SOURCES/0021-ipa_cldap-fix-memory-leak.patch
Normal file
38
SOURCES/0021-ipa_cldap-fix-memory-leak.patch
Normal file
@ -0,0 +1,38 @@
|
|||||||
|
From 186ebe311bc9545d7a9860cd5e8c748131bbe41e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Francisco Trivino <ftrivino@redhat.com>
|
||||||
|
Date: Thu, 10 Feb 2022 14:23:12 +0100
|
||||||
|
Subject: [PATCH] ipa_cldap: fix memory leak
|
||||||
|
|
||||||
|
ipa_cldap_encode_netlogon() allocates memory to store binary data as part of
|
||||||
|
berval (bv_val) when processing a CLDAP packet request from a worker. The
|
||||||
|
data is used by ipa_cldap_respond() but bv_val is not freed later on.
|
||||||
|
|
||||||
|
This commit is adding the corresponding free() after ipa_cldap_respond()
|
||||||
|
is completed.
|
||||||
|
|
||||||
|
Discovered by LeakSanitizer
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9110
|
||||||
|
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
|
||||||
|
---
|
||||||
|
daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
|
||||||
|
index db4a3d061..252bcf647 100644
|
||||||
|
--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
|
||||||
|
+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
|
||||||
|
@@ -287,6 +287,7 @@ done:
|
||||||
|
ipa_cldap_respond(ctx, req, &reply);
|
||||||
|
|
||||||
|
ipa_cldap_free_kvps(&req->kvps);
|
||||||
|
+ free(reply.bv_val);
|
||||||
|
free(req);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -0,0 +1,31 @@
|
|||||||
|
From b36bcf4ea5ed93baa4dc63f8e2be542d678211fb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Anuja More <amore@redhat.com>
|
||||||
|
Date: Thu, 10 Feb 2022 18:49:06 +0530
|
||||||
|
Subject: [PATCH] ipatests: remove additional check for failed units.
|
||||||
|
|
||||||
|
On RHEL tests are randomly failing because of this check
|
||||||
|
and the test doesn't need to check this.
|
||||||
|
|
||||||
|
Related : https://pagure.io/freeipa/issue/9108
|
||||||
|
|
||||||
|
Signed-off-by: Anuja More <amore@redhat.com>
|
||||||
|
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_otp.py | 1 -
|
||||||
|
1 file changed, 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
|
||||||
|
index d8ce527ca..6e70ddcb3 100644
|
||||||
|
--- a/ipatests/test_integration/test_otp.py
|
||||||
|
+++ b/ipatests/test_integration/test_otp.py
|
||||||
|
@@ -316,7 +316,6 @@ class TestOTPToken(IntegrationTest):
|
||||||
|
check_services = self.master.run_command(
|
||||||
|
['systemctl', 'list-units', '--state=failed']
|
||||||
|
)
|
||||||
|
- assert "0 loaded units listed" in check_services.stdout_text
|
||||||
|
assert "ipa-otpd" not in check_services.stdout_text
|
||||||
|
# Be sure no services are running and failed units
|
||||||
|
self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
40
SOURCES/0023-ipatests-fix-TestOTPToken-rhbz#2053025.patch
Normal file
40
SOURCES/0023-ipatests-fix-TestOTPToken-rhbz#2053025.patch
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
From 4c54e9d6ddb72eab6f654bf3dc2d29f27498ac96 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Sun, 5 Dec 2021 17:38:58 +0100
|
||||||
|
Subject: [PATCH] ipatests: fix
|
||||||
|
TestOTPToken::test_check_otpd_after_idle_timeout
|
||||||
|
|
||||||
|
The test sets 389-ds nsslapd-idletimeout to 60s, then does a
|
||||||
|
kinit with an otp token (which makes ipa-otpd create a LDAP
|
||||||
|
connection), then sleeps for 60s. The expectation is that
|
||||||
|
ns-slapd will detect that the LDAP conn from ipa-otpd is idle
|
||||||
|
and close the connection.
|
||||||
|
According to 389ds doc, the idle timeout is enforced when the
|
||||||
|
connection table is walked. By doing a ldapsearch, the test
|
||||||
|
"wakes up" ns-slapd and forces the detection of ipa-otpd
|
||||||
|
idle connection.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9044
|
||||||
|
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Reviewed-By: Anuja More <amore@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_integration/test_otp.py | 3 +++
|
||||||
|
1 file changed, 3 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
|
||||||
|
index 353470897..d8ce527ca 100644
|
||||||
|
--- a/ipatests/test_integration/test_otp.py
|
||||||
|
+++ b/ipatests/test_integration/test_otp.py
|
||||||
|
@@ -354,6 +354,9 @@ class TestOTPToken(IntegrationTest):
|
||||||
|
otpvalue = totp.generate(int(time.time())).decode("ascii")
|
||||||
|
kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue)
|
||||||
|
time.sleep(60)
|
||||||
|
+ # ldapsearch will wake up slapd and force walking through
|
||||||
|
+ # the connection list, in order to spot the idle connections
|
||||||
|
+ tasks.ldapsearch_dm(self.master, "", ldap_args=[], scope="base")
|
||||||
|
|
||||||
|
def test_cb(cmd_jornalctl):
|
||||||
|
# check if LDAP connection is timed out
|
||||||
|
--
|
||||||
|
2.34.1
|
||||||
|
|
@ -198,7 +198,7 @@
|
|||||||
|
|
||||||
Name: %{package_name}
|
Name: %{package_name}
|
||||||
Version: %{IPA_VERSION}
|
Version: %{IPA_VERSION}
|
||||||
Release: 1%{?rc_version:.%rc_version}%{?dist}
|
Release: 5%{?rc_version:.%rc_version}%{?dist}
|
||||||
Summary: The Identity, Policy and Audit system
|
Summary: The Identity, Policy and Audit system
|
||||||
|
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -220,6 +220,27 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
|
|||||||
%if 0%{?rhel} >= 8
|
%if 0%{?rhel} >= 8
|
||||||
Patch0001: 0001-ipa-kdb-issue-PAC_REQUESTER_SID-only-for-TGTs.patch
|
Patch0001: 0001-ipa-kdb-issue-PAC_REQUESTER_SID-only-for-TGTs.patch
|
||||||
Patch0002: 0002-ipa-kdb-fix-requester-SID-check-according-to-MS-KILE.patch
|
Patch0002: 0002-ipa-kdb-fix-requester-SID-check-according-to-MS-KILE.patch
|
||||||
|
Patch0003: 0003-ipatests-Fix-test_ipa_cert_fix.py-TestCertFixReplica.patch
|
||||||
|
Patch0004: 0004-Extend-test-to-see-if-replica-is-not-shown-when-runn.patch
|
||||||
|
Patch0005: 0005-ipatests-Test-default-value-of-nsslapd-sizelimit.patch
|
||||||
|
Patch0006: 0006-ipatests-Test-empty-cert-request-doesn-t-force-certm.patch
|
||||||
|
Patch0007: 0007-Test-cases-for-ipa-replica-conncheck-command.patch
|
||||||
|
Patch0008: 0008-PEP8-Fixes.patch
|
||||||
|
Patch0009: 0009-ipatests-webui-Tests-for-subordinate-ids.patch
|
||||||
|
Patch0010: 0010-Config-plugin-return-EmptyModlist-when-no-change-is-.patch
|
||||||
|
Patch0011: 0011-config-plugin-add-a-test-ensuring-EmptyModlist-is-re.patch
|
||||||
|
Patch0012: 0012-ipatests-webui-Use-safe-loader-for-loading-YAML-conf.patch
|
||||||
|
Patch0013: 0013-Added-test-automation-for-SHA384withRSA-CSR-support.patch
|
||||||
|
Patch0014: 0014-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-g.patch
|
||||||
|
Patch0015: 0015-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled.patch
|
||||||
|
Patch0016: 0016-ipatests-add-case-for-hardened-only-ticket-policy.patch
|
||||||
|
Patch0017: 0017-Don-t-always-override-the-port-in-import_included_pr.patch
|
||||||
|
Patch0018: 0018-Remove-ipa-join-errors-from-behind-the-debug-option.patch
|
||||||
|
Patch0019: 0019-Enable-the-ccache-sweep-timer-during-installation.patch
|
||||||
|
Patch0020: 0020-Test-ipa-ccache-sweep.timer-enabled-by-default-durin.patch
|
||||||
|
Patch0021: 0021-ipa_cldap-fix-memory-leak.patch
|
||||||
|
Patch0022: 0022-ipatests-remove-additional-check-for-failed-units_rhbz#2053025.patch
|
||||||
|
Patch0023: 0023-ipatests-fix-TestOTPToken-rhbz#2053025.patch
|
||||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
@ -1711,6 +1732,43 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Feb 14 2022 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.8-5
|
||||||
|
- Resolves: rhbz#2053025
|
||||||
|
- add IPA test suite fixes
|
||||||
|
|
||||||
|
* Mon Feb 14 2022 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.8-4
|
||||||
|
- Resolves: rhbz#2053586 IPA LDAP plugin ipa-cldap memory leak
|
||||||
|
- fix memory leak in CLDAP responder
|
||||||
|
|
||||||
|
* Fri Feb 11 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-3
|
||||||
|
- Resolves: rhbz#2050540 Unable to join RHEL 8.5 Replica to RHEL 7.9 Master for migration purposes
|
||||||
|
- Don't always override the port in import_included_profiles
|
||||||
|
- Resolves: rhbz#2051582 Enable ipa-ccache-sweep.timer during server installation
|
||||||
|
- Test ipa-ccache-sweep.timer enabled by default during installation
|
||||||
|
- Enable the ccache sweep timer during installation
|
||||||
|
- Resolves: rhbz#2051844 ipa-join tests are failing due to changes in expected output
|
||||||
|
- Remove ipa-join errors from behind the debug option
|
||||||
|
|
||||||
|
* Thu Feb 03 2022 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-2
|
||||||
|
- Resolves: rhbz#2040619 - Changing default pac type to 'nfs:NONE and MS-PAC' doesnot display error 'ipa: ERROR: no modifications to be performed'
|
||||||
|
- Config plugin: return EmptyModlist when no change is applied
|
||||||
|
- config plugin: add a test ensuring EmptyModlist is returned
|
||||||
|
- Resolves: rhbz#2048510 - [rhel-9.0] Backport latest test fixes in python3-ipatests
|
||||||
|
- ipatests: webui: Tests for subordinate ids.
|
||||||
|
- ipatests: webui: Use safe-loader for loading YAML configuration file
|
||||||
|
- ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica teardown
|
||||||
|
- Test cases for ipa-replica-conncheck command
|
||||||
|
- PEP8 Fixes
|
||||||
|
- ipatests: Test empty cert request doesn't force certmonger to segfault
|
||||||
|
- ipatests: Test default value of nsslapd-sizelimit.
|
||||||
|
- Extend test to see if replica is not shown when running `ipa-replica-manage list -v <FQDN>`
|
||||||
|
- Added test automation for SHA384withRSA CSR support
|
||||||
|
- Resolves: rhbz#2049104 - User can't log in after ipa-user-mod --user-auth-type=hardened
|
||||||
|
- ipa-kdb: do not remove keys for hardened auth-enabled users
|
||||||
|
- ipatests: add case for hardened-only ticket policy
|
||||||
|
- Resolves: rhbz#2049174 - KRA GetStatus service blocked by IPA proxy
|
||||||
|
- ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus
|
||||||
|
|
||||||
* Thu Dec 02 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-1
|
* Thu Dec 02 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-1
|
||||||
- Resolves: rhbz#2015608 - [Rebase] Rebase ipa to latest 4.9.x release RHEL9
|
- Resolves: rhbz#2015608 - [Rebase] Rebase ipa to latest 4.9.x release RHEL9
|
||||||
- Resolves: rhbz#1825010 - Concerns regarding 'ipa pwpolicy-mod --minlife 24 --maxlife 1'
|
- Resolves: rhbz#1825010 - Concerns regarding 'ipa pwpolicy-mod --minlife 24 --maxlife 1'
|
||||||
|
Loading…
Reference in New Issue
Block a user