ipa-4.10.0-6
- Resolves: rhbz#2110014 ldap bind occurs when admin user changes password with gracelimit=0 - Resolves: rhbz#2112901 RFE: Allow grace login limit to be set in IPA WebUI - Resolves: rhbz#2115495 group password policy by default does not allow grace logins - Resolves: rhbz#2116966 ipa-replica-manage displays traceback: Unexpected error: 'bool' object has no attribute 'lower'
This commit is contained in:
parent
c4b1dec10b
commit
caae578990
15825
0003-ipatests-add-nightly-definitions-for-ipa-4-10-branch.patch
Normal file
15825
0003-ipatests-add-nightly-definitions-for-ipa-4-10-branch.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,69 @@
|
||||
From aca97507cd119ad55e0c3c18ca65087cb5576c82 Mon Sep 17 00:00:00 2001
|
||||
From: Sumedh Sidhaye <ssidhaye@redhat.com>
|
||||
Date: Mon, 13 Jun 2022 13:49:08 +0530
|
||||
Subject: [PATCH] Added a check while removing 'cert_dir'. The teardown method
|
||||
is called even if all the tests are skipped since the required PKI version is
|
||||
not present. The teardown is trying to remove a non-existent directory.
|
||||
|
||||
Currently the cert_dir attribute is only present if IPA installation was
|
||||
done. If IPA was not installed the attribute does not exist.
|
||||
In order that the uninstall code finds the attribute a class attribute
|
||||
is added.
|
||||
|
||||
Pagure Issue: https://pagure.io/freeipa/issue/9179
|
||||
|
||||
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_caless.py | 12 +++++++++++-
|
||||
.../test_integration/test_random_serial_numbers.py | 6 ++++++
|
||||
2 files changed, 17 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
|
||||
index 96f477bbe4b0e25184605a80659b5ec6529a2320..4c370f77e84215714e533b1b6ebeb89216319c0f 100644
|
||||
--- a/ipatests/test_integration/test_caless.py
|
||||
+++ b/ipatests/test_integration/test_caless.py
|
||||
@@ -122,6 +122,15 @@ def replica_install_teardown(func):
|
||||
|
||||
|
||||
class CALessBase(IntegrationTest):
|
||||
+ # The teardown method is called even if all the tests are skipped
|
||||
+ # since the required PKI version is not present.
|
||||
+ # The teardown is trying to remove a non-existent directory.
|
||||
+ # Currently the cert_dir attribute is only present if IPA installation was
|
||||
+ # done. If IPA was not installed the attribute does not exist.
|
||||
+ # In order that the uninstall code finds the attribute a class attribute
|
||||
+ # is added.
|
||||
+ cert_dir = None
|
||||
+
|
||||
@classmethod
|
||||
def install(cls, mh):
|
||||
cls.cert_dir = tempfile.mkdtemp(prefix="ipatest-")
|
||||
@@ -164,7 +173,8 @@ class CALessBase(IntegrationTest):
|
||||
@classmethod
|
||||
def uninstall(cls, mh):
|
||||
# Remove the NSS database
|
||||
- shutil.rmtree(cls.cert_dir)
|
||||
+ if cls.cert_dir:
|
||||
+ shutil.rmtree(cls.cert_dir)
|
||||
super(CALessBase, cls).uninstall(mh)
|
||||
|
||||
@classmethod
|
||||
diff --git a/ipatests/test_integration/test_random_serial_numbers.py b/ipatests/test_integration/test_random_serial_numbers.py
|
||||
index a931c7b562f00f94e10d1e9e891fbf0624d5fd88..c52cfa4ed50e2718791b0844d743fb240d26b365 100644
|
||||
--- a/ipatests/test_integration/test_random_serial_numbers.py
|
||||
+++ b/ipatests/test_integration/test_random_serial_numbers.py
|
||||
@@ -64,3 +64,9 @@ class TestServerCALessToExternalCA_RSN(TestServerCALessToExternalCA):
|
||||
if not pki_supports_RSNv3(mh.master):
|
||||
raise pytest.skip("RNSv3 not supported")
|
||||
super(TestServerCALessToExternalCA_RSN, cls).install(mh)
|
||||
+
|
||||
+ @classmethod
|
||||
+ def uninstall(cls, mh):
|
||||
+ if not pki_supports_RSNv3(mh.master):
|
||||
+ raise pytest.skip("RSNv3 not supported")
|
||||
+ super(TestServerCALessToExternalCA_RSN, cls).uninstall(mh)
|
||||
--
|
||||
2.37.2
|
||||
|
@ -0,0 +1,55 @@
|
||||
From c55185d3dc3c6cd2ffebab77fbf8caa40a32bcd1 Mon Sep 17 00:00:00 2001
|
||||
From: Erik <ebelko@redhat.com>
|
||||
Date: Mon, 18 Jul 2022 11:59:24 +0200
|
||||
Subject: [PATCH] ipatests: healthcheck: test if system is FIPS enabled
|
||||
|
||||
Test if FIPS is enabled and the check exists.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8951
|
||||
|
||||
Signed-off-by: Erik Belko <ebelko@redhat.com>
|
||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
.../test_integration/test_ipahealthcheck.py | 25 +++++++++++++++++++
|
||||
1 file changed, 25 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
index 23af09f3a7eaa8012e7a898ce6a534d1fad45323..a0c85f79e6e84f9e63072c6d70276480e4af97ad 100644
|
||||
--- a/ipatests/test_integration/test_ipahealthcheck.py
|
||||
+++ b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
@@ -340,6 +340,31 @@ class TestIpaHealthCheck(IntegrationTest):
|
||||
assert returncode == 0
|
||||
assert output == "No issues found."
|
||||
|
||||
+ def test_ipa_healthcheck_fips_enabled(self):
|
||||
+ """
|
||||
+ Test if FIPS is enabled and the check exists.
|
||||
+
|
||||
+ https://pagure.io/freeipa/issue/8951
|
||||
+ """
|
||||
+ returncode, check = run_healthcheck(self.master,
|
||||
+ source="ipahealthcheck.meta.core",
|
||||
+ check="MetaCheck",
|
||||
+ output_type="json",
|
||||
+ failures_only=False)
|
||||
+ assert returncode == 0
|
||||
+
|
||||
+ cmd = self.master.run_command(['fips-mode-setup', '--is-enabled'],
|
||||
+ raiseonerr=False)
|
||||
+ returncode = cmd.returncode
|
||||
+
|
||||
+ # If this produces IndexError, the check does not exist
|
||||
+ if check[0]["kw"]["fips"] == "disabled":
|
||||
+ assert returncode == 2
|
||||
+ elif check[0]["kw"]["fips"] == "enabled":
|
||||
+ assert returncode == 0
|
||||
+ else:
|
||||
+ assert returncode == 1
|
||||
+
|
||||
def test_ipa_healthcheck_after_certupdate(self):
|
||||
"""
|
||||
Verify that ipa-certupdate hasn't messed up tracking
|
||||
--
|
||||
2.37.2
|
||||
|
125
0006-Disabling-gracelimit-does-not-prevent-LDAP-binds.patch
Normal file
125
0006-Disabling-gracelimit-does-not-prevent-LDAP-binds.patch
Normal file
@ -0,0 +1,125 @@
|
||||
From 1bb4ff9ed2313fb3c2bd1418258c5bcec557b6a5 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 21 Jul 2022 09:28:46 -0400
|
||||
Subject: [PATCH] Disabling gracelimit does not prevent LDAP binds
|
||||
|
||||
Originally the code treated 0 as disabled. This was
|
||||
changed during the review process to -1 but one remnant
|
||||
was missed effetively allowing gracelimit 0 to also mean
|
||||
disabled.
|
||||
|
||||
Add explicit tests for testing with gracelimit = 0 and
|
||||
gracelimit = -1.
|
||||
|
||||
Also remove some extranous "str(self.master.domain.basedn)"
|
||||
lines from some of the tests.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9206
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
|
||||
---
|
||||
.../ipa-graceperiod/ipa_graceperiod.c | 2 +-
|
||||
ipatests/test_integration/test_pwpolicy.py | 55 ++++++++++++++++++-
|
||||
2 files changed, 53 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
|
||||
index a3f57cb4bd7a2a66d70fae98cca0f62a8f0c017f..345e1dee7d163167373ca82dedb1e827f0e1bc8c 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
|
||||
@@ -479,7 +479,7 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
|
||||
if (pwresponse_requested) {
|
||||
slapi_pwpolicy_make_response_control(pb, -1, grace_limit - grace_user_time , -1);
|
||||
}
|
||||
- } else if ((grace_limit > 0) && (grace_user_time >= grace_limit)) {
|
||||
+ } else if (grace_user_time >= grace_limit) {
|
||||
LOG_TRACE("%s password is expired and out of grace limit\n", dn);
|
||||
errstr = "Password is expired.\n";
|
||||
ret = LDAP_INVALID_CREDENTIALS;
|
||||
diff --git a/ipatests/test_integration/test_pwpolicy.py b/ipatests/test_integration/test_pwpolicy.py
|
||||
index 6d66982848ac5a0061b47d30fad022be055c93e4..41d6e9070a90c2bde7b3182ad6ecf1a923bba203 100644
|
||||
--- a/ipatests/test_integration/test_pwpolicy.py
|
||||
+++ b/ipatests/test_integration/test_pwpolicy.py
|
||||
@@ -36,7 +36,7 @@ class TestPWPolicy(IntegrationTest):
|
||||
cls.master.run_command(['ipa', 'group-add-member', POLICY,
|
||||
'--users', USER])
|
||||
cls.master.run_command(['ipa', 'pwpolicy-add', POLICY,
|
||||
- '--priority', '1'])
|
||||
+ '--priority', '1', '--gracelimit', '-1'])
|
||||
cls.master.run_command(['ipa', 'passwd', USER],
|
||||
stdin_text='{password}\n{password}\n'.format(
|
||||
password=PASSWORD
|
||||
@@ -265,7 +265,6 @@ class TestPWPolicy(IntegrationTest):
|
||||
|
||||
def test_graceperiod_expired(self):
|
||||
"""Test the LDAP bind grace period"""
|
||||
- str(self.master.domain.basedn)
|
||||
dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
|
||||
user=USER, base_dn=str(self.master.domain.basedn))
|
||||
|
||||
@@ -308,7 +307,6 @@ class TestPWPolicy(IntegrationTest):
|
||||
|
||||
def test_graceperiod_not_replicated(self):
|
||||
"""Test that the grace period is reset on password reset"""
|
||||
- str(self.master.domain.basedn)
|
||||
dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
|
||||
user=USER, base_dn=str(self.master.domain.basedn))
|
||||
|
||||
@@ -341,3 +339,54 @@ class TestPWPolicy(IntegrationTest):
|
||||
)
|
||||
assert 'passwordgraceusertime: 0' in result.stdout_text.lower()
|
||||
self.reset_password(self.master)
|
||||
+
|
||||
+ def test_graceperiod_zero(self):
|
||||
+ """Test the LDAP bind with zero grace period"""
|
||||
+ dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
|
||||
+ user=USER, base_dn=str(self.master.domain.basedn))
|
||||
+
|
||||
+ self.master.run_command(
|
||||
+ ["ipa", "pwpolicy-mod", POLICY, "--gracelimit", "0", ],
|
||||
+ )
|
||||
+
|
||||
+ # Resetting the password will mark it as expired
|
||||
+ self.reset_password(self.master)
|
||||
+
|
||||
+ # Now grace is done and binds should fail.
|
||||
+ result = self.master.run_command(
|
||||
+ ["ldapsearch", "-e", "ppolicy", "-D", dn,
|
||||
+ "-w", PASSWORD, "-b", dn], raiseonerr=False
|
||||
+ )
|
||||
+ assert result.returncode == 49
|
||||
+
|
||||
+ assert 'Password is expired' in result.stderr_text
|
||||
+ assert 'Password expired, 0 grace logins remain' in result.stderr_text
|
||||
+
|
||||
+ def test_graceperiod_disabled(self):
|
||||
+ """Test the LDAP bind with grace period disabled (-1)"""
|
||||
+ str(self.master.domain.basedn)
|
||||
+ dn = "uid={user},cn=users,cn=accounts,{base_dn}".format(
|
||||
+ user=USER, base_dn=str(self.master.domain.basedn))
|
||||
+
|
||||
+ # This can fail if gracelimit is already -1 so ignore it
|
||||
+ self.master.run_command(
|
||||
+ ["ipa", "pwpolicy-mod", POLICY, "--gracelimit", "-1",],
|
||||
+ raiseonerr=False,
|
||||
+ )
|
||||
+
|
||||
+ # Ensure the password is expired
|
||||
+ self.reset_password(self.master)
|
||||
+
|
||||
+ result = self.kinit_as_user(self.master, PASSWORD, PASSWORD)
|
||||
+
|
||||
+ for _i in range(0, 10):
|
||||
+ result = self.master.run_command(
|
||||
+ ["ldapsearch", "-e", "ppolicy", "-D", dn,
|
||||
+ "-w", PASSWORD, "-b", dn]
|
||||
+ )
|
||||
+
|
||||
+ # With graceperiod disabled it should not increment
|
||||
+ result = tasks.ldapsearch_dm(
|
||||
+ self.master, dn, ['passwordgraceusertime',],
|
||||
+ )
|
||||
+ assert 'passwordgraceusertime: 0' in result.stdout_text.lower()
|
||||
--
|
||||
2.37.2
|
||||
|
144
0007-ipatests-ipa-client-install-subid-adds-entry-in-nssw.patch
Normal file
144
0007-ipatests-ipa-client-install-subid-adds-entry-in-nssw.patch
Normal file
@ -0,0 +1,144 @@
|
||||
From a39af6b7228d8ba85b9e97aa5decbc056d081c77 Mon Sep 17 00:00:00 2001
|
||||
From: Sudhir Menon <sumenon@redhat.com>
|
||||
Date: Thu, 23 Jun 2022 16:14:39 +0530
|
||||
Subject: [PATCH] ipatests: ipa-client-install --subid adds entry in
|
||||
nsswitch.conf
|
||||
|
||||
This testcase checks that when ipa-client-install command
|
||||
is run with --subid option, /etc/nsswitch.conf file is updated
|
||||
with the below entry
|
||||
|
||||
subid: nss
|
||||
Related: https://pagure.io/freeipa/issue/9159
|
||||
|
||||
Since the newly added testsuite required client
|
||||
system, hence modified the below yaml files to change the topology
|
||||
from *master_1repl to *master_1repl_1client in the below files
|
||||
|
||||
gating.yaml
|
||||
nightly_latest.yaml
|
||||
nightly_rawhide.yaml
|
||||
|
||||
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
Reviewed-By: Stanislav Levin <slev@altlinux.org>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
Reviewed-By: Stanislav Levin <slev@altlinux.org>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipatests/prci_definitions/gating.yaml | 2 +-
|
||||
.../nightly_ipa-4-10_latest.yaml | 2 +-
|
||||
.../nightly_ipa-4-10_latest_selinux.yaml | 2 +-
|
||||
.../nightly_ipa-4-10_previous.yaml | 2 +-
|
||||
ipatests/test_integration/test_subids.py | 38 +++++++++++++++++++
|
||||
5 files changed, 42 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
|
||||
index 4083c650a17ce76bdefa243f1a7c5924039ff0bb..db4875dcfae8676287ef771805b34d988330bb40 100644
|
||||
--- a/ipatests/prci_definitions/gating.yaml
|
||||
+++ b/ipatests/prci_definitions/gating.yaml
|
||||
@@ -309,4 +309,4 @@ jobs:
|
||||
test_suite: test_integration/test_subids.py
|
||||
template: *ci-ipa-4-10-latest
|
||||
timeout: 3600
|
||||
- topology: *master_1repl
|
||||
+ topology: *master_1repl_1client
|
||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
|
||||
index 24aa6e7cf29e448ba9d838d1cb98169213ea63ef..027b2a5b6c0b7ec3c3b5784ec4569661a06d4ed7 100644
|
||||
--- a/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
|
||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
|
||||
@@ -1748,7 +1748,7 @@ jobs:
|
||||
test_suite: test_integration/test_subids.py
|
||||
template: *ci-ipa-4-10-latest
|
||||
timeout: 3600
|
||||
- topology: *master_1repl
|
||||
+ topology: *master_1repl_1client
|
||||
|
||||
fedora-latest-ipa-4-10/test_custom_plugins:
|
||||
requires: [fedora-latest-ipa-4-10/build]
|
||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
|
||||
index f22cc08384b3d50e49278d38e73bf93cd7804e80..bcc17bef935666735bfb2c2e51209362a374b511 100644
|
||||
--- a/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
|
||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
|
||||
@@ -1887,7 +1887,7 @@ jobs:
|
||||
test_suite: test_integration/test_subids.py
|
||||
template: *ci-ipa-4-10-latest
|
||||
timeout: 3600
|
||||
- topology: *master_1repl
|
||||
+ topology: *master_1repl_1client
|
||||
|
||||
fedora-latest-ipa-4-10/test_custom_plugins:
|
||||
requires: [fedora-latest-ipa-4-10/build]
|
||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
|
||||
index df98a66871fd90daaebd83f063e48f1580675049..37d38762e696a6394ef146a0e2b68bbc8ced515d 100644
|
||||
--- a/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
|
||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
|
||||
@@ -1748,7 +1748,7 @@ jobs:
|
||||
test_suite: test_integration/test_subids.py
|
||||
template: *ci-ipa-4-10-previous
|
||||
timeout: 3600
|
||||
- topology: *master_1repl
|
||||
+ topology: *master_1repl_1client
|
||||
|
||||
fedora-previous-ipa-4-10/test_custom_plugins:
|
||||
requires: [fedora-previous-ipa-4-10/build]
|
||||
diff --git a/ipatests/test_integration/test_subids.py b/ipatests/test_integration/test_subids.py
|
||||
index f6d8607f237bf03358baae008dd2a6ad819751c0..8158499e1a2b71bdc1a308dec0939fd0d491599d 100644
|
||||
--- a/ipatests/test_integration/test_subids.py
|
||||
+++ b/ipatests/test_integration/test_subids.py
|
||||
@@ -17,6 +17,7 @@ from ipatests.test_integration.base import IntegrationTest
|
||||
|
||||
class TestSubordinateId(IntegrationTest):
|
||||
num_replicas = 0
|
||||
+ num_clients = 1
|
||||
topology = "star"
|
||||
|
||||
def _parse_result(self, result):
|
||||
@@ -268,3 +269,40 @@ class TestSubordinateId(IntegrationTest):
|
||||
f"--subuid={subuid}"])
|
||||
owner = self._parse_result(result)["owner"]
|
||||
assert owner == uid
|
||||
+
|
||||
+ def test_nsswitch_doesnot_contain_subid_entry(self):
|
||||
+ """
|
||||
+ This testcase checks that when ipa-client-install
|
||||
+ is installed without subid option, the nsswitch.conf
|
||||
+ does not contain subid entry or does not use sss as
|
||||
+ source for subid
|
||||
+ """
|
||||
+ cmd = self.clients[0].run_command(
|
||||
+ ["grep", "^subid", "/etc/nsswitch.conf"],
|
||||
+ raiseonerr=False
|
||||
+ )
|
||||
+ # a source is defined for the subid database.
|
||||
+ # Ensure it is not "sss"
|
||||
+ if cmd.returncode == 0:
|
||||
+ assert 'sss' not in cmd.stdout_text
|
||||
+ else:
|
||||
+ # grep command returncode 1 means no matching line
|
||||
+ # was found = no source is defined for the subid database,
|
||||
+ # which is valid other return codes would
|
||||
+ # mean an error occurred
|
||||
+ assert cmd.returncode == 1
|
||||
+
|
||||
+ def test_nsswitch_is_updated_with_subid_entry(self):
|
||||
+ """
|
||||
+ This test case checks that when ipa-client-install
|
||||
+ is installed with --subid option, the nsswitch.conf
|
||||
+ file is modified with the entry 'subid: sss'
|
||||
+ """
|
||||
+ tasks.uninstall_client(self.clients[0])
|
||||
+ tasks.install_client(self.master, self.clients[0],
|
||||
+ extra_args=['--subid'])
|
||||
+ cmd = self.clients[0].run_command(
|
||||
+ ["grep", "^subid", "/etc/nsswitch.conf"]
|
||||
+ )
|
||||
+ subid = cmd.stdout_text.split()
|
||||
+ assert ['subid:', 'sss'] == subid
|
||||
--
|
||||
2.37.2
|
||||
|
56
0008-webui-Allow-grace-login-limit.patch
Normal file
56
0008-webui-Allow-grace-login-limit.patch
Normal file
@ -0,0 +1,56 @@
|
||||
From 7a1e1d9f1cb13679c28f12d05b156a08bcc4d856 Mon Sep 17 00:00:00 2001
|
||||
From: Carla Martinez <carlmart@redhat.com>
|
||||
Date: Fri, 29 Jul 2022 13:16:16 +0200
|
||||
Subject: [PATCH] webui: Allow grace login limit
|
||||
|
||||
There was no support for setting the grace login limit on the WebUI. The
|
||||
only way to so was only via CLI:
|
||||
|
||||
`ipa pwpolicy-mod --gracelimit=2 global_policy`
|
||||
|
||||
Thus, the grace login limit must be updated from the policy section and
|
||||
this will reflect also on the user settings (under the 'Password Policy'
|
||||
section)
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9211
|
||||
|
||||
Signed-off-by: Carla Martinez <carlmart@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
install/ui/src/freeipa/policy.js | 3 +++
|
||||
install/ui/src/freeipa/user.js | 5 +++++
|
||||
2 files changed, 8 insertions(+)
|
||||
|
||||
diff --git a/install/ui/src/freeipa/policy.js b/install/ui/src/freeipa/policy.js
|
||||
index fa2028a52b1118b6125f91153280da0a2ffe0584..7ec103636ced0cce34997d81a02b25ba73bda33f 100644
|
||||
--- a/install/ui/src/freeipa/policy.js
|
||||
+++ b/install/ui/src/freeipa/policy.js
|
||||
@@ -72,6 +72,9 @@ return {
|
||||
{
|
||||
name: 'cospriority',
|
||||
required: true
|
||||
+ },
|
||||
+ {
|
||||
+ name: 'passwordgracelimit'
|
||||
}
|
||||
]
|
||||
}]
|
||||
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
|
||||
index a580db03599457eefd85f8c23d74c284946393c7..b47c97f72008f2f4e75b4cb88e9ff6756827b26e 100644
|
||||
--- a/install/ui/src/freeipa/user.js
|
||||
+++ b/install/ui/src/freeipa/user.js
|
||||
@@ -318,6 +318,11 @@ return {
|
||||
label: '@mo-param:pwpolicy:krbpwdlockoutduration:label',
|
||||
read_only: true,
|
||||
measurement_unit: 'seconds'
|
||||
+ },
|
||||
+ {
|
||||
+ name: 'passwordgracelimit',
|
||||
+ label: '@mo-param:pwpolicy:passwordgracelimit:label',
|
||||
+ read_only: true
|
||||
}
|
||||
]
|
||||
},
|
||||
--
|
||||
2.37.2
|
||||
|
226
0009-Additional-tests-for-RSN-v3.patch
Normal file
226
0009-Additional-tests-for-RSN-v3.patch
Normal file
@ -0,0 +1,226 @@
|
||||
From bfe074ed478c20a9537dc2a714bba50dbc2cd34f Mon Sep 17 00:00:00 2001
|
||||
From: Sumedh Sidhaye <ssidhaye@redhat.com>
|
||||
Date: Fri, 5 Aug 2022 11:22:59 +0530
|
||||
Subject: [PATCH] Additional tests for RSN v3
|
||||
|
||||
New Tests include
|
||||
TestRSNPKIConfig
|
||||
TestRSNVault
|
||||
|
||||
The new tests are just extending existing classes to be run
|
||||
with random serial numbers enabled
|
||||
|
||||
The tests also include a new method to check params set in CS.cfg for both CA and
|
||||
KRA, and another test to check Random Serial Number version while
|
||||
running `ipa ca-find`
|
||||
|
||||
Added nightly definitions
|
||||
|
||||
Related Ticket: https://pagure.io/freeipa/issue/2016
|
||||
|
||||
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
.../nightly_ipa-4-10_latest.yaml | 24 +++++++++
|
||||
.../nightly_ipa-4-10_latest_selinux.yaml | 26 ++++++++++
|
||||
.../nightly_ipa-4-10_previous.yaml | 24 +++++++++
|
||||
.../test_random_serial_numbers.py | 51 ++++++++++++++++++-
|
||||
ipatests/test_integration/test_vault.py | 4 +-
|
||||
5 files changed, 127 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
|
||||
index 027b2a5b6c0b7ec3c3b5784ec4569661a06d4ed7..547320d258f51132266b56e9193533d2291c623c 100644
|
||||
--- a/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
|
||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_latest.yaml
|
||||
@@ -1821,3 +1821,27 @@ jobs:
|
||||
template: *ci-ipa-4-10-latest
|
||||
timeout: 5400
|
||||
topology: *master_1repl
|
||||
+
|
||||
+ fedora-latest-ipa-4-10/test_random_serial_numbers_TestRSNPKIConfig:
|
||||
+ requires: [fedora-latest-ipa-4-10/build]
|
||||
+ priority: 50
|
||||
+ job:
|
||||
+ class: RunPytest
|
||||
+ args:
|
||||
+ build_url: '{fedora-latest-ipa-4-10/build_url}'
|
||||
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNPKIConfig
|
||||
+ template: *ci-ipa-4-10-latest
|
||||
+ timeout: 10800
|
||||
+ topology: *master_3repl_1client
|
||||
+
|
||||
+ fedora-latest-ipa-4-10/test_random_serial_numbers_TestRSNVault:
|
||||
+ requires: [fedora-latest-ipa-4-10/build]
|
||||
+ priority: 50
|
||||
+ job:
|
||||
+ class: RunPytest
|
||||
+ args:
|
||||
+ build_url: '{fedora-latest-ipa-4-10/build_url}'
|
||||
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNVault
|
||||
+ template: *ci-ipa-4-10-latest
|
||||
+ timeout: 10800
|
||||
+ topology: *master_1repl
|
||||
\ No newline at end of file
|
||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
|
||||
index bcc17bef935666735bfb2c2e51209362a374b511..f6e5f1cff22de9db4df4577d1cd615499cf0fab3 100644
|
||||
--- a/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
|
||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_latest_selinux.yaml
|
||||
@@ -1966,3 +1966,29 @@ jobs:
|
||||
template: *ci-ipa-4-10-latest
|
||||
timeout: 5400
|
||||
topology: *master_1repl
|
||||
+
|
||||
+ fedora-latest-ipa-4-10/test_random_serial_numbers_TestRSNPKIConfig:
|
||||
+ requires: [fedora-latest-ipa-4-10/build]
|
||||
+ priority: 50
|
||||
+ job:
|
||||
+ class: RunPytest
|
||||
+ args:
|
||||
+ build_url: '{fedora-latest-ipa-4-10/build_url}'
|
||||
+ selinux_enforcing: True
|
||||
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNPKIConfig
|
||||
+ template: *ci-ipa-4-10-latest
|
||||
+ timeout: 10800
|
||||
+ topology: *master_3repl_1client
|
||||
+
|
||||
+ fedora-latest-ipa-4-10/test_random_serial_numbers_TestRSNVault:
|
||||
+ requires: [fedora-latest-ipa-4-10/build]
|
||||
+ priority: 50
|
||||
+ job:
|
||||
+ class: RunPytest
|
||||
+ args:
|
||||
+ build_url: '{fedora-latest-ipa-4-10/build_url}'
|
||||
+ selinux_enforcing: True
|
||||
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNVault
|
||||
+ template: *ci-ipa-4-10-latest
|
||||
+ timeout: 10800
|
||||
+ topology: *master_1repl
|
||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
|
||||
index 37d38762e696a6394ef146a0e2b68bbc8ced515d..463f4b92fecc7fbc0be969de422352fb7baeb797 100644
|
||||
--- a/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
|
||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-10_previous.yaml
|
||||
@@ -1821,3 +1821,27 @@ jobs:
|
||||
template: *ci-ipa-4-10-previous
|
||||
timeout: 5400
|
||||
topology: *master_1repl
|
||||
+
|
||||
+ fedora-previous-ipa-4-10/test_random_serial_numbers_TestRSNPKIConfig:
|
||||
+ requires: [fedora-previous-ipa-4-10/build]
|
||||
+ priority: 50
|
||||
+ job:
|
||||
+ class: RunPytest
|
||||
+ args:
|
||||
+ build_url: '{fedora-previous-ipa-4-10/build_url}'
|
||||
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNPKIConfig
|
||||
+ template: *ci-ipa-4-10-previous
|
||||
+ timeout: 10800
|
||||
+ topology: *master_3repl_1client
|
||||
+
|
||||
+ fedora-previous-ipa-4-10/test_random_serial_numbers_TestRSNVault:
|
||||
+ requires: [fedora-previous-ipa-4-10/build]
|
||||
+ priority: 50
|
||||
+ job:
|
||||
+ class: RunPytest
|
||||
+ args:
|
||||
+ build_url: '{fedora-previous-ipa-4-10/build_url}'
|
||||
+ test_suite: test_integration/test_random_serial_numbers.py::TestRSNVault
|
||||
+ template: *ci-ipa-4-10-previous
|
||||
+ timeout: 10800
|
||||
+ topology: *master_1repl
|
||||
diff --git a/ipatests/test_integration/test_random_serial_numbers.py b/ipatests/test_integration/test_random_serial_numbers.py
|
||||
index c52cfa4ed50e2718791b0844d743fb240d26b365..ab58b1c622b010994ed93a17dd80cfd02095508d 100644
|
||||
--- a/ipatests/test_integration/test_random_serial_numbers.py
|
||||
+++ b/ipatests/test_integration/test_random_serial_numbers.py
|
||||
@@ -4,12 +4,15 @@
|
||||
|
||||
import pytest
|
||||
|
||||
+from ipaplatform.paths import paths
|
||||
+
|
||||
+from ipatests.pytest_ipa.integration import tasks
|
||||
from ipatests.test_integration.test_installation import (
|
||||
TestInstallWithCA_DNS1,
|
||||
TestInstallWithCA_KRA1,
|
||||
)
|
||||
from ipatests.test_integration.test_caless import TestServerCALessToExternalCA
|
||||
-
|
||||
+from ipatests.test_integration.test_vault import TestInstallKRA
|
||||
from ipatests.test_integration.test_commands import TestIPACommand
|
||||
|
||||
|
||||
@@ -26,6 +29,18 @@ def pki_supports_RSNv3(host):
|
||||
return False
|
||||
|
||||
|
||||
+def check_pki_config_params(host):
|
||||
+ # Check CS.cfg
|
||||
+ try:
|
||||
+ cs_cfg = host.get_file_contents(paths.CA_CS_CFG_PATH)
|
||||
+ kra_cfg = host.get_file_contents(paths.KRA_CS_CFG_PATH)
|
||||
+ assert "dbs.cert.id.generator=random".encode() in cs_cfg
|
||||
+ assert "dbs.request.id.generator=random".encode() in cs_cfg
|
||||
+ assert "dbs.key.id.generator=random".encode() in kra_cfg
|
||||
+ except IOError:
|
||||
+ pytest.skip("PKI config not present.Skipping test")
|
||||
+
|
||||
+
|
||||
class TestInstallWithCA_DNS1_RSN(TestInstallWithCA_DNS1):
|
||||
random_serial = True
|
||||
|
||||
@@ -70,3 +85,37 @@ class TestServerCALessToExternalCA_RSN(TestServerCALessToExternalCA):
|
||||
if not pki_supports_RSNv3(mh.master):
|
||||
raise pytest.skip("RSNv3 not supported")
|
||||
super(TestServerCALessToExternalCA_RSN, cls).uninstall(mh)
|
||||
+
|
||||
+
|
||||
+class TestRSNPKIConfig(TestInstallWithCA_KRA1):
|
||||
+ random_serial = True
|
||||
+ num_replicas = 3
|
||||
+
|
||||
+ @classmethod
|
||||
+ def install(cls, mh):
|
||||
+ if not pki_supports_RSNv3(mh.master):
|
||||
+ raise pytest.skip("RSNv3 not supported")
|
||||
+ super(TestRSNPKIConfig, cls).install(mh)
|
||||
+
|
||||
+ def test_check_pki_config(self):
|
||||
+ check_pki_config_params(self.master)
|
||||
+ check_pki_config_params(self.replicas[0])
|
||||
+ check_pki_config_params(self.replicas[1])
|
||||
+
|
||||
+ def test_check_rsn_version(self):
|
||||
+ tasks.kinit_admin(self.master)
|
||||
+ res = self.master.run_command(['ipa', 'ca-find'])
|
||||
+ assert 'RSN Version: 3' in res.stdout_text
|
||||
+ tasks.kinit_admin(self.replicas[0])
|
||||
+ res = self.replicas[0].run_command(['ipa', 'ca-find'])
|
||||
+ assert 'RSN Version: 3' in res.stdout_text
|
||||
+
|
||||
+
|
||||
+class TestRSNVault(TestInstallKRA):
|
||||
+ random_serial = True
|
||||
+
|
||||
+ @classmethod
|
||||
+ def install(cls, mh):
|
||||
+ if not pki_supports_RSNv3(mh.master):
|
||||
+ raise pytest.skip("RSNv3 not supported")
|
||||
+ super(TestRSNVault, cls).install(mh)
|
||||
diff --git a/ipatests/test_integration/test_vault.py b/ipatests/test_integration/test_vault.py
|
||||
index 548822d049070d6f9d42da772264eb24010fafda..6288e557f96cae60d031b44c49fbe830712eb7be 100644
|
||||
--- a/ipatests/test_integration/test_vault.py
|
||||
+++ b/ipatests/test_integration/test_vault.py
|
||||
@@ -33,7 +33,9 @@ class TestInstallKRA(IntegrationTest):
|
||||
|
||||
@classmethod
|
||||
def install(cls, mh):
|
||||
- tasks.install_master(cls.master, setup_kra=True)
|
||||
+ tasks.install_master(cls.master,
|
||||
+ setup_kra=True,
|
||||
+ random_serial=cls.random_serial)
|
||||
# do not install KRA on replica, it is part of test
|
||||
tasks.install_replica(cls.master, cls.replicas[0], setup_kra=False)
|
||||
|
||||
--
|
||||
2.37.2
|
||||
|
35
0010-check_repl_update-in-progress-is-a-boolean.patch
Normal file
35
0010-check_repl_update-in-progress-is-a-boolean.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 2003eb6b3d4a27a5de5eaa79418f115dd99886cd Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Sun, 7 Aug 2022 12:44:47 +0200
|
||||
Subject: [PATCH] check_repl_update: in progress is a boolean
|
||||
|
||||
With the fix for https://pagure.io/freeipa/issue/9171,
|
||||
nsds5replicaUpdateInProgress is now handled as a boolean.
|
||||
One remaining occurrence was still handling it as a string
|
||||
and calling lower() on its value.
|
||||
|
||||
Replace with direct boolean comparison.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9218
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
ipaserver/install/replication.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
|
||||
index 16be3760cb14bfeb1cc9a761400752071639dc7c..9d9aa1c4bfc99109c0cf1e6d1619ec1b38e20c02 100644
|
||||
--- a/ipaserver/install/replication.py
|
||||
+++ b/ipaserver/install/replication.py
|
||||
@@ -1152,7 +1152,7 @@ class ReplicationManager:
|
||||
except (ValueError, TypeError, KeyError):
|
||||
end = 0
|
||||
# incremental update is done if inprogress is false and end >= start
|
||||
- done = inprogress and inprogress.lower() == 'false' and start <= end
|
||||
+ done = inprogress is not None and not inprogress and start <= end
|
||||
logger.info("Replication Update in progress: %s: status: %s: "
|
||||
"start: %d: end: %d",
|
||||
inprogress, status, start, end)
|
||||
--
|
||||
2.37.2
|
||||
|
82
0011-ipatests-Fix-expected-object-classes.patch
Normal file
82
0011-ipatests-Fix-expected-object-classes.patch
Normal file
@ -0,0 +1,82 @@
|
||||
From b6520bef2ef05dd87636d8b57e3247d451af81d8 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Tue, 14 Dec 2021 16:33:29 +0100
|
||||
Subject: [PATCH] ipatests: Fix expected object classes
|
||||
|
||||
Because the sidgen plugin is a postop plugin, it is not
|
||||
always triggered before the result of an ADD is returned
|
||||
and the objectclasses of the user may / may not contain
|
||||
ipantuserattrs.
|
||||
Fix the expected object classes.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9062
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Stanislav Levin <slev@altlinux.org>
|
||||
---
|
||||
ipatests/test_xmlrpc/test_user_plugin.py | 20 ++++++++++++++------
|
||||
1 file changed, 14 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
|
||||
index 74d78b0c6d75590640da1357da1f9f4570307878..c156a8793c5765df96029753f4a278e961d4e895 100644
|
||||
--- a/ipatests/test_xmlrpc/test_user_plugin.py
|
||||
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
|
||||
@@ -125,7 +125,9 @@ def user_npg(request, group):
|
||||
del tracker.attrs['mepmanagedentry']
|
||||
tracker.attrs.update(
|
||||
description=[], memberof_group=[group.cn],
|
||||
- objectclass=objectclasses.user_base + [u'ipantuserattrs'],
|
||||
+ objectclass=fuzzy_set_optional_oc(
|
||||
+ objectclasses.user_base, 'ipantuserattrs'
|
||||
+ ),
|
||||
)
|
||||
return tracker.make_fixture(request)
|
||||
|
||||
@@ -139,7 +141,9 @@ def user_npg2(request, group):
|
||||
del tracker.attrs['mepmanagedentry']
|
||||
tracker.attrs.update(
|
||||
gidnumber=[u'1000'], description=[], memberof_group=[group.cn],
|
||||
- objectclass=objectclasses.user_base + [u'ipantuserattrs'],
|
||||
+ objectclass=fuzzy_set_optional_oc(
|
||||
+ objectclasses.user_base, 'ipantuserattrs'
|
||||
+ ),
|
||||
)
|
||||
return tracker.make_fixture(request)
|
||||
|
||||
@@ -151,8 +155,9 @@ def user_radius(request, xmlrpc_setup):
|
||||
sn=u'radiususer1',
|
||||
ipatokenradiususername=u'radiususer')
|
||||
tracker.track_create()
|
||||
- tracker.attrs.update(
|
||||
- objectclass=objectclasses.user + [u'ipatokenradiusproxyuser']
|
||||
+ tracker.attrs.update(objectclass=fuzzy_set_optional_oc(
|
||||
+ objectclasses.user + [u'ipatokenradiusproxyuser'],
|
||||
+ 'ipantuserattrs'),
|
||||
)
|
||||
return tracker.make_fixture(request)
|
||||
|
||||
@@ -647,7 +652,8 @@ class TestCreate(XMLRPC_test):
|
||||
testuser.attrs.update(gidnumber=[u'1000'])
|
||||
testuser.attrs.update(
|
||||
description=[],
|
||||
- objectclass=objectclasses.user_base + [u'ipantuserattrs']
|
||||
+ objectclass=fuzzy_set_optional_oc(
|
||||
+ objectclasses.user_base, 'ipantuserattrs'),
|
||||
)
|
||||
command = testuser.make_create_command()
|
||||
result = command()
|
||||
@@ -865,7 +871,9 @@ class TestUserWithUPGDisabled(XMLRPC_test):
|
||||
testuser.attrs.update(gidnumber=[u'1000'])
|
||||
testuser.attrs.update(
|
||||
description=[],
|
||||
- objectclass=objectclasses.user_base + [u'ipantuserattrs'],
|
||||
+ objectclass=fuzzy_set_optional_oc(
|
||||
+ objectclasses.user_base, 'ipantuserattrs'
|
||||
+ ),
|
||||
)
|
||||
command = testuser.make_create_command()
|
||||
result = command()
|
||||
--
|
||||
2.37.2
|
||||
|
@ -0,0 +1,50 @@
|
||||
From 1aa39529cda4ab9620539dbad705cedd23c21b42 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 18 Aug 2022 08:21:58 -0400
|
||||
Subject: [PATCH] doc: Update LDAP grace period design with default values
|
||||
|
||||
New group password policies will get -1 (unlimited) on creation
|
||||
by default.
|
||||
|
||||
Existing group password policies will remain untouched and
|
||||
those created prior will be treated as no BIND allowed.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9212
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
doc/designs/ldap_grace_period.md | 17 ++++++++++++++++-
|
||||
1 file changed, 16 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/doc/designs/ldap_grace_period.md b/doc/designs/ldap_grace_period.md
|
||||
index 4b9db34247c1446aec3f5bcce7dfa1bd8a2bd359..e26aedda976b19f3ba26593ba3b3c06c30506a21 100644
|
||||
--- a/doc/designs/ldap_grace_period.md
|
||||
+++ b/doc/designs/ldap_grace_period.md
|
||||
@@ -51,7 +51,22 @@ The basic flow is:
|
||||
|
||||
On successful password reset (by anyone) reset the user's passwordGraceUserTime to 0.
|
||||
|
||||
-The default value on install/upgrade will be -1 to retail existing behavior.
|
||||
+Range values for passwordgracelimit are:
|
||||
+
|
||||
+-1 : password grace checking is disabled
|
||||
+ 0 : no grace BIND are allowed at all post-expiration
|
||||
+ 1..MAXINT: the number of BIND allowed post-expiration
|
||||
+
|
||||
+The default value for the global policy on install/upgrade will be -1 to
|
||||
+retain existing behavior.
|
||||
+
|
||||
+New group password policies will default to -1 to retain previous
|
||||
+behavior.
|
||||
+
|
||||
+Existing group policies with no grace limit set are updated to use
|
||||
+the default unlimited value, -1. This is done because lack of value in
|
||||
+LDAP is treated as 0 so any existing group policies would not allow
|
||||
+post-expiration BIND so this will avoid confusion.
|
||||
|
||||
The per-user attempts will not be replicated.
|
||||
|
||||
--
|
||||
2.37.2
|
||||
|
@ -0,0 +1,74 @@
|
||||
From 45e6d49b94da78cd82eb016b3266a17a1359a087 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 4 Aug 2022 12:04:22 -0400
|
||||
Subject: [PATCH] Set default gracelimit on group password policies to -1
|
||||
|
||||
This will retain previous behavior of unlimited LDAP BIND
|
||||
post-expiration.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9212
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
API.txt | 2 +-
|
||||
ipaserver/plugins/pwpolicy.py | 2 ++
|
||||
ipatests/test_xmlrpc/test_pwpolicy_plugin.py | 2 ++
|
||||
3 files changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/API.txt b/API.txt
|
||||
index 66929b921b197e27ede847fb6b10bf1e44c3464a..210bfc4950e6a7346dbdd6e29d1096b2f8750b1e 100644
|
||||
--- a/API.txt
|
||||
+++ b/API.txt
|
||||
@@ -4076,7 +4076,7 @@ option: Int('krbpwdlockoutduration?', cli_name='lockouttime')
|
||||
option: Int('krbpwdmaxfailure?', cli_name='maxfail')
|
||||
option: Int('krbpwdmindiffchars?', cli_name='minclasses')
|
||||
option: Int('krbpwdminlength?', cli_name='minlength')
|
||||
-option: Int('passwordgracelimit?', cli_name='gracelimit', default=-1)
|
||||
+option: Int('passwordgracelimit?', autofill=True, cli_name='gracelimit', default=-1)
|
||||
option: Flag('raw', autofill=True, cli_name='raw', default=False)
|
||||
option: Str('setattr*', cli_name='setattr')
|
||||
option: Str('version?')
|
||||
diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py
|
||||
index 4428aede2dcc7a2a0b6128bf7f58eb47e4a8e07d..f4ebffd5c8f06a53b6c4d5e48ff6eeafa240e3a4 100644
|
||||
--- a/ipaserver/plugins/pwpolicy.py
|
||||
+++ b/ipaserver/plugins/pwpolicy.py
|
||||
@@ -408,6 +408,7 @@ class pwpolicy(LDAPObject):
|
||||
minvalue=-1,
|
||||
maxvalue=Int.MAX_UINT32,
|
||||
default=-1,
|
||||
+ autofill=True,
|
||||
),
|
||||
)
|
||||
|
||||
@@ -539,6 +540,7 @@ class pwpolicy_add(LDAPCreate):
|
||||
keys[-1], krbpwdpolicyreference=dn,
|
||||
cospriority=options.get('cospriority')
|
||||
)
|
||||
+
|
||||
return dn
|
||||
|
||||
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
||||
diff --git a/ipatests/test_xmlrpc/test_pwpolicy_plugin.py b/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
|
||||
index 8eee69c185b15be72870050ed247f252c72d1c66..fc785223bfe56269ad8b211e8f1c3ac9f4064c3c 100644
|
||||
--- a/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
|
||||
+++ b/ipatests/test_xmlrpc/test_pwpolicy_plugin.py
|
||||
@@ -387,6 +387,7 @@ class test_pwpolicy_mod_cospriority(Declarative):
|
||||
krbpwdhistorylength=[u'10'],
|
||||
krbpwdmindiffchars=[u'3'],
|
||||
krbpwdminlength=[u'8'],
|
||||
+ passwordgracelimit=[u'-1'],
|
||||
objectclass=objectclasses.pwpolicy,
|
||||
),
|
||||
summary=None,
|
||||
@@ -417,6 +418,7 @@ class test_pwpolicy_mod_cospriority(Declarative):
|
||||
krbpwdhistorylength=[u'10'],
|
||||
krbpwdmindiffchars=[u'3'],
|
||||
krbpwdminlength=[u'8'],
|
||||
+ passwordgracelimit=[u'-1'],
|
||||
),
|
||||
summary=None,
|
||||
value=u'ipausers',
|
||||
--
|
||||
2.37.2
|
||||
|
106
0014-Set-default-on-group-pwpolicy-with-no-grace-limit-in.patch
Normal file
106
0014-Set-default-on-group-pwpolicy-with-no-grace-limit-in.patch
Normal file
@ -0,0 +1,106 @@
|
||||
From de6f074538f6641fd9d84bed204a3d4d50eccbe5 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 4 Aug 2022 12:04:41 -0400
|
||||
Subject: [PATCH] Set default on group pwpolicy with no grace limit in upgrade
|
||||
|
||||
If an existing group policy lacks a password grace limit
|
||||
update it to -1 on upgrade.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9212
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
.../updates/90-post_upgrade_plugins.update | 1 +
|
||||
ipaserver/install/plugins/update_pwpolicy.py | 66 +++++++++++++++++++
|
||||
2 files changed, 67 insertions(+)
|
||||
|
||||
diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
|
||||
index c7ec71d492b0ac0e7641d586b7e7fa7501743bc2..6fe91aa6c6310a69a7f0feb1ad62243945db67f9 100644
|
||||
--- a/install/updates/90-post_upgrade_plugins.update
|
||||
+++ b/install/updates/90-post_upgrade_plugins.update
|
||||
@@ -26,6 +26,7 @@ plugin: update_ra_cert_store
|
||||
plugin: update_mapping_Guests_to_nobody
|
||||
plugin: fix_kra_people_entry
|
||||
plugin: update_pwpolicy
|
||||
+plugin: update_pwpolicy_grace
|
||||
|
||||
# last
|
||||
# DNS version 1
|
||||
diff --git a/ipaserver/install/plugins/update_pwpolicy.py b/ipaserver/install/plugins/update_pwpolicy.py
|
||||
index dca44ce4369dfc11f83a412a1249bb045d46713f..4185f034313bd49ca68e86c620043af6ead5f6d6 100644
|
||||
--- a/ipaserver/install/plugins/update_pwpolicy.py
|
||||
+++ b/ipaserver/install/plugins/update_pwpolicy.py
|
||||
@@ -78,3 +78,69 @@ class update_pwpolicy(Updater):
|
||||
return False, []
|
||||
|
||||
return False, []
|
||||
+
|
||||
+
|
||||
+@register()
|
||||
+class update_pwpolicy_grace(Updater):
|
||||
+ """
|
||||
+ Ensure all group policies have a grace period set.
|
||||
+ """
|
||||
+
|
||||
+ def execute(self, **options):
|
||||
+ ldap = self.api.Backend.ldap2
|
||||
+
|
||||
+ base_dn = DN(('cn', self.api.env.realm), ('cn', 'kerberos'),
|
||||
+ self.api.env.basedn)
|
||||
+ search_filter = (
|
||||
+ "(&(objectClass=krbpwdpolicy)(!(passwordgracelimit=*)))"
|
||||
+ )
|
||||
+
|
||||
+ while True:
|
||||
+ # Run the search in loop to avoid issues when LDAP limits are hit
|
||||
+ # during update
|
||||
+
|
||||
+ try:
|
||||
+ (entries, truncated) = ldap.find_entries(
|
||||
+ search_filter, ['objectclass'], base_dn, time_limit=0,
|
||||
+ size_limit=0)
|
||||
+
|
||||
+ except errors.EmptyResult:
|
||||
+ logger.debug("update_pwpolicy: no policies without "
|
||||
+ "passwordgracelimit set")
|
||||
+ return False, []
|
||||
+
|
||||
+ except errors.ExecutionError as e:
|
||||
+ logger.error("update_pwpolicy: cannot retrieve list "
|
||||
+ "of policies missing passwordgracelimit: %s", e)
|
||||
+ return False, []
|
||||
+
|
||||
+ logger.debug("update_pwpolicy: found %d "
|
||||
+ "policies to update, truncated: %s",
|
||||
+ len(entries), truncated)
|
||||
+
|
||||
+ error = False
|
||||
+
|
||||
+ for entry in entries:
|
||||
+ # Set unlimited BIND by default
|
||||
+ entry['passwordgracelimit'] = -1
|
||||
+ try:
|
||||
+ ldap.update_entry(entry)
|
||||
+ except (errors.EmptyModlist, errors.NotFound):
|
||||
+ pass
|
||||
+ except errors.ExecutionError as e:
|
||||
+ logger.debug("update_pwpolicy: cannot "
|
||||
+ "update policy: %s", e)
|
||||
+ error = True
|
||||
+
|
||||
+ if error:
|
||||
+ # Exit loop to avoid infinite cycles
|
||||
+ logger.error("update_pwpolicy: error(s) "
|
||||
+ "detected during pwpolicy update")
|
||||
+ return False, []
|
||||
+
|
||||
+ elif not truncated:
|
||||
+ # All affected entries updated, exit the loop
|
||||
+ logger.debug("update_pwpolicy: all policies updated")
|
||||
+ return False, []
|
||||
+
|
||||
+ return False, []
|
||||
--
|
||||
2.37.2
|
||||
|
20
freeipa.spec
20
freeipa.spec
@ -198,7 +198,7 @@
|
||||
|
||||
Name: %{package_name}
|
||||
Version: %{IPA_VERSION}
|
||||
Release: 5%{?rc_version:.%rc_version}%{?dist}
|
||||
Release: 6%{?rc_version:.%rc_version}%{?dist}
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
License: GPLv3+
|
||||
@ -220,6 +220,18 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
|
||||
%if 0%{?rhel} >= 8
|
||||
Patch0001: 0001-Only-calculate-LDAP-password-grace-when-the-password.patch
|
||||
Patch0002: 0002-webui-Do-not-allow-empty-pagination-size.patch
|
||||
Patch0003: 0003-ipatests-add-nightly-definitions-for-ipa-4-10-branch.patch
|
||||
Patch0004: 0004-Added-a-check-while-removing-cert_dir-.-The-teardown.patch
|
||||
Patch0005: 0005-ipatests-healthcheck-test-if-system-is-FIPS-enabled.patch
|
||||
Patch0006: 0006-Disabling-gracelimit-does-not-prevent-LDAP-binds.patch
|
||||
Patch0007: 0007-ipatests-ipa-client-install-subid-adds-entry-in-nssw.patch
|
||||
Patch0008: 0008-webui-Allow-grace-login-limit.patch
|
||||
Patch0009: 0009-Additional-tests-for-RSN-v3.patch
|
||||
Patch0010: 0010-check_repl_update-in-progress-is-a-boolean.patch
|
||||
Patch0011: 0011-ipatests-Fix-expected-object-classes.patch
|
||||
Patch0012: 0012-doc-Update-LDAP-grace-period-design-with-default-val.patch
|
||||
Patch0013: 0013-Set-default-gracelimit-on-group-password-policies-to.patch
|
||||
Patch0014: 0014-Set-default-on-group-pwpolicy-with-no-grace-limit-in.patch
|
||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||
%endif
|
||||
%endif
|
||||
@ -1728,6 +1740,12 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Aug 19 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.0-6
|
||||
- Resolves: rhbz#2110014 ldap bind occurs when admin user changes password with gracelimit=0
|
||||
- Resolves: rhbz#2112901 RFE: Allow grace login limit to be set in IPA WebUI
|
||||
- Resolves: rhbz#2115495 group password policy by default does not allow grace logins
|
||||
- Resolves: rhbz#2116966 ipa-replica-manage displays traceback: Unexpected error: 'bool' object has no attribute 'lower'
|
||||
|
||||
* Thu Jul 28 2022 Francisco Trivino <ftrivino@redhat.com> - 4.10.0-5
|
||||
- Resolves: rhbz#2109645
|
||||
- Rebuild for samba-4.16.3-101.el9
|
||||
|
Loading…
Reference in New Issue
Block a user