import ipa-4.9.8-1.el9
This commit is contained in:
parent
11a53dc8c9
commit
f6c7a5ebb5
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/freeipa-4.9.6.tar.gz
|
||||
SOURCES/freeipa-4.9.8.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
b7b91082908db35e4acbcd0221b8df4044913dc1 SOURCES/freeipa-4.9.6.tar.gz
|
||||
38641a7f95779ba35089fcc10e25ec82a9b0248e SOURCES/freeipa-4.9.8.tar.gz
|
||||
|
@ -1,30 +0,0 @@
|
||||
From 01f4b9d7935ca41c93b17e28543054f36e5baf46 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Wed, 30 Jun 2021 14:57:32 +0200
|
||||
Subject: [PATCH] Remove unneeded dependency on python-coverage
|
||||
|
||||
The spec file requires python3-coverage although it is not
|
||||
used in the project.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8905
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
---
|
||||
freeipa.spec.in | 1 -
|
||||
1 file changed, 1 deletion(-)
|
||||
|
||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||
index fdca43a24a6e07f77b9cd8a0feec940a0366f128..fbfe4d09eedc169112dcdc18a953134de67b7731 100755
|
||||
--- a/freeipa.spec.in
|
||||
+++ b/freeipa.spec.in
|
||||
@@ -872,7 +872,6 @@ BuildArch: noarch
|
||||
Requires: python3-ipaclient = %{version}-%{release}
|
||||
Requires: python3-ipaserver = %{version}-%{release}
|
||||
Requires: iptables
|
||||
-Requires: python3-coverage
|
||||
Requires: python3-cryptography >= 1.6
|
||||
Requires: python3-pexpect
|
||||
%if 0%{?fedora}
|
||||
--
|
||||
2.26.3
|
||||
|
@ -0,0 +1,36 @@
|
||||
From 669f3d71161741c676ddd6a08bd08d4a4ccd495b Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Fri, 26 Nov 2021 17:40:54 +0200
|
||||
Subject: [PATCH] ipa-kdb: issue PAC_REQUESTER_SID only for TGTs
|
||||
|
||||
MS-KILE 3.3.5.6.4.8 in revision after Windows Server November 2021
|
||||
security fixes added the following requirement:
|
||||
|
||||
- PAC_REQUESTER_SID is only added in TGT case (including referrals and
|
||||
tickets to RODCs)
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9031
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
index 6f7d1ac15daf17dfca36ebd3265c866725d24717..538cfbba958068bd2ee0aaae7a2743ae82237898 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
@@ -1148,7 +1148,8 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_PAC_REQUESTER_SID
|
||||
- {
|
||||
+ /* MS-KILE 3.3.5.6.4.8: add PAC_REQUESTER_SID only in TGT case */
|
||||
+ if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0) {
|
||||
union PAC_INFO pac_requester_sid;
|
||||
/* == Package PAC_REQUESTER_SID == */
|
||||
memset(&pac_requester_sid, 0, sizeof(pac_requester_sid));
|
||||
--
|
||||
2.31.1
|
||||
|
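Review bot: The new guard `if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0)` treats "TGT case" as "request carrying the client-referrals flag", which in the MIT KDB interface is presumably set only while the AS-REQ looks up the client; the commit message, however, says the MS-KILE rule also covers referral TGTs and tickets to RODCs, which are issued from TGS-REQ processing where that flag is unlikely to be set, so those TGTs would now go out without PAC_REQUESTER_SID. Either the condition should also admit the cross-realm/referral TGT path, or the comment should say what is actually covered, e.g. `/* MS-KILE 3.3.5.6.4.8: PAC_REQUESTER_SID only for TGTs. CLIENT_REFERRALS_ONLY marks the AS-REQ path; referral TGTs issued on TGS-REQ are not covered here. */`. The rest of ipadb_get_pac, including the closing brace of this block, is outside the hunk, so I could not confirm how the flag is derived for the TGS path.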
@ -1,134 +0,0 @@
|
||||
From dffccae7193b0616cb84792edec480f5f67e1fc6 Mon Sep 17 00:00:00 2001
|
||||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Mon, 8 Mar 2021 18:15:50 +0100
|
||||
Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA
|
||||
services
|
||||
|
||||
Authentication indicators should not be enforced against internal
|
||||
IPA services, since not all users of those services are able to produce
|
||||
Kerberos tickets with all the auth indicator options. This includes
|
||||
host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
|
||||
If a client that is being promoted to replica has an auth indicator
|
||||
in its host principal then the promotion is aborted.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8206
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
ipaserver/install/server/replicainstall.py | 13 ++++++++++++
|
||||
ipaserver/plugins/host.py | 5 ++++-
|
||||
ipaserver/plugins/service.py | 24 ++++++++++++++++++++++
|
||||
3 files changed, 41 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
|
||||
index 73967a2249d5c8944d70c5c3ca9a9d3b3bfc6b73..f1fb9103687ce9719ef24c8cb3c41088a4003b25 100644
|
||||
--- a/ipaserver/install/server/replicainstall.py
|
||||
+++ b/ipaserver/install/server/replicainstall.py
|
||||
@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn):
|
||||
))
|
||||
|
||||
|
||||
+def promotion_check_host_principal_auth_ind(conn, hostdn):
|
||||
+ entry = conn.get_entry(hostdn, ['krbprincipalauthind'])
|
||||
+ if 'krbprincipalauthind' in entry:
|
||||
+ raise RuntimeError(
|
||||
+ "Client cannot be promoted to a replica if the host principal "
|
||||
+ "has an authentication indicator set."
|
||||
+ )
|
||||
+
|
||||
+
|
||||
@common_cleanup
|
||||
@preserve_enrollment_state
|
||||
def promote_check(installer):
|
||||
@@ -956,6 +965,10 @@ def promote_check(installer):
|
||||
config.master_host_name, None)
|
||||
|
||||
promotion_check_ipa_domain(conn, remote_api.env.basedn)
|
||||
+ hostdn = DN(('fqdn', api.env.host),
|
||||
+ api.env.container_host,
|
||||
+ api.env.basedn)
|
||||
+ promotion_check_host_principal_auth_ind(conn, hostdn)
|
||||
|
||||
# Make sure that domain fulfills minimal domain level
|
||||
# requirement
|
||||
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
|
||||
index eb1f8ef042faf4b0deadfd5cef47f7688836506e..41fa933e2422184eafc4eae185a163082b96e045 100644
|
||||
--- a/ipaserver/plugins/host.py
|
||||
+++ b/ipaserver/plugins/host.py
|
||||
@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
|
||||
LDAPAddAttributeViaOption,
|
||||
LDAPRemoveAttributeViaOption)
|
||||
from .service import (
|
||||
- validate_realm, normalize_principal,
|
||||
+ validate_realm, validate_auth_indicator, normalize_principal,
|
||||
set_certificate_attrs, ticket_flags_params, update_krbticketflags,
|
||||
set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
|
||||
rename_ipaallowedtoperform_to_ldap, revoke_certs)
|
||||
@@ -735,6 +735,8 @@ class host_add(LDAPCreate):
|
||||
update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
|
||||
if 'krbticketflags' in entry_attrs:
|
||||
entry_attrs['objectclass'].append('krbticketpolicyaux')
|
||||
+ validate_auth_indicator(entry_attrs)
|
||||
+
|
||||
return dn
|
||||
|
||||
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
||||
@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate):
|
||||
if 'krbprincipalaux' not in (item.lower() for item in
|
||||
entry_attrs['objectclass']):
|
||||
entry_attrs['objectclass'].append('krbprincipalaux')
|
||||
+ validate_auth_indicator(entry_attrs)
|
||||
|
||||
add_sshpubkey_to_attrs_pre(self.context, attrs_list)
|
||||
|
||||
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
|
||||
index 1c93478049f5bdfdaf8503e459bd962dbbee9b44..cfbbff3c69c6a92535df58c51767c3d0952c7b0b 100644
|
||||
--- a/ipaserver/plugins/service.py
|
||||
+++ b/ipaserver/plugins/service.py
|
||||
@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal):
|
||||
raise errors.RealmMismatch()
|
||||
|
||||
|
||||
+def validate_auth_indicator(entry):
|
||||
+ new_value = entry.get('krbprincipalauthind', None)
|
||||
+ if not new_value:
|
||||
+ return
|
||||
+ # The following services are considered internal IPA services
|
||||
+ # and shouldn't be allowed to have auth indicators.
|
||||
+ # https://pagure.io/freeipa/issue/8206
|
||||
+ pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
|
||||
+ principal = kerberos.Principal(pkey)
|
||||
+ server = api.Command.server_find(principal.hostname)['result']
|
||||
+ if server:
|
||||
+ prefixes = ("host", "cifs", "ldap", "HTTP")
|
||||
+ else:
|
||||
+ prefixes = ("cifs",)
|
||||
+ if principal.service_name in prefixes:
|
||||
+ raise errors.ValidationError(
|
||||
+ name='krbprincipalauthind',
|
||||
+ error=_('authentication indicators not allowed '
|
||||
+ 'in service "%s"' % principal.service_name)
|
||||
+ )
|
||||
+
|
||||
+
|
||||
def normalize_principal(value):
|
||||
"""
|
||||
Ensure that the name in the principal is lower-case. The realm is
|
||||
@@ -652,6 +674,7 @@ class service_add(LDAPCreate):
|
||||
hostname)
|
||||
|
||||
self.obj.validate_ipakrbauthzdata(entry_attrs)
|
||||
+ validate_auth_indicator(entry_attrs)
|
||||
|
||||
if not options.get('force', False):
|
||||
# We know the host exists if we've gotten this far but we
|
||||
@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate):
|
||||
assert isinstance(dn, DN)
|
||||
|
||||
self.obj.validate_ipakrbauthzdata(entry_attrs)
|
||||
+ validate_auth_indicator(entry_attrs)
|
||||
|
||||
# verify certificates
|
||||
certs = entry_attrs.get('usercertificate') or []
|
||||
--
|
||||
2.26.3
|
||||
|
@ -0,0 +1,122 @@
|
||||
From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Fri, 26 Nov 2021 11:13:51 +0200
|
||||
Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and
|
||||
MS-SFU updates
|
||||
|
||||
New versions of MS-KILE and MS-SFU after Windows Server November 2021
|
||||
security updates add PAC_REQUESTER_SID buffer check behavior:
|
||||
|
||||
- PAC_REQUESTER_SID should only be added for TGT requests
|
||||
|
||||
- if PAC_REQUESTER_SID is present, KDC must verify that the cname on
|
||||
the ticket resolves to the account with the same SID as the
|
||||
PAC_REQUESTER_SID. If it doesn't KDC must respond with
|
||||
KDC_ERR_TKT_REVOKED
|
||||
|
||||
Change requester SID check to skip exact check for non-local
|
||||
PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
|
||||
we know about.
|
||||
|
||||
If requester SID is the same as in PAC, we already do cname vs PAC SID
|
||||
verification.
|
||||
|
||||
With these changes FreeIPA works against Windows Server 2019 with
|
||||
November 2021 security fixes in cross-realm S4U2Self operations.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9031
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++---------
|
||||
1 file changed, 34 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
index 538cfbba958068bd2ee0aaae7a2743ae82237898..1b972c167dd50619c7a6bd78eb5c81b0e05a4832 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
|
||||
@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
||||
"local [%s], PAC [%s]",
|
||||
dom ? dom : "<failed to display>",
|
||||
sid ? sid : "<failed to display>");
|
||||
- return KRB5KDC_ERR_POLICY;
|
||||
+ return KRB5KDC_ERR_TGT_REVOKED;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
||||
kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
|
||||
if (kerr != 0) {
|
||||
krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed.");
|
||||
- return KRB5KDC_ERR_POLICY;
|
||||
+ return KRB5KDC_ERR_TGT_REVOKED;
|
||||
}
|
||||
|
||||
ied = (struct ipadb_e_data *)client_actual->e_data;
|
||||
@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
|
||||
"local [%s] vs PAC [%s]",
|
||||
local_sid ? local_sid : "<failed to display>",
|
||||
pac_sid ? pac_sid : "<failed to display>");
|
||||
- kerr = KRB5KDC_ERR_POLICY;
|
||||
+ kerr = KRB5KDC_ERR_TGT_REVOKED;
|
||||
goto done;
|
||||
}
|
||||
|
||||
@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
|
||||
/* Check that requester SID is the same as in the PAC entry */
|
||||
if (requester_sid != NULL) {
|
||||
struct dom_sid client_sid;
|
||||
+ bool is_from_trusted_domain = false;
|
||||
kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid);
|
||||
if (kerr) {
|
||||
goto done;
|
||||
}
|
||||
result = dom_sid_check(&client_sid, requester_sid, true);
|
||||
if (!result) {
|
||||
- /* memctx is freed by the caller */
|
||||
- char *pac_sid = dom_sid_string(tmpctx, &client_sid);
|
||||
- char *req_sid = dom_sid_string(tmpctx, requester_sid);
|
||||
- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
|
||||
- "different from what PAC requester claims. "
|
||||
- "PAC [%s] vs PAC requester [%s]",
|
||||
- pac_sid ? pac_sid : "<failed to display>",
|
||||
- req_sid ? req_sid : "<failed to display>");
|
||||
- kerr = KRB5KDC_ERR_POLICY;
|
||||
- goto done;
|
||||
+ struct ipadb_context *ipactx = ipadb_get_context(context);
|
||||
+ if (!ipactx || !ipactx->mspac) {
|
||||
+ return KRB5_KDB_DBNOTINITED;
|
||||
+ }
|
||||
+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
|
||||
+ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
|
||||
+ /* Iterate through list of trusts and check if this SID belongs to
|
||||
+ * one of the domains we trust */
|
||||
+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
|
||||
+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
|
||||
+ requester_sid, false);
|
||||
+ if (result) {
|
||||
+ is_from_trusted_domain = true;
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (!is_from_trusted_domain) {
|
||||
+ /* memctx is freed by the caller */
|
||||
+ char *pac_sid = dom_sid_string(tmpctx, &client_sid);
|
||||
+ char *req_sid = dom_sid_string(tmpctx, requester_sid);
|
||||
+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
|
||||
+ "different from what PAC requester claims. "
|
||||
+ "PAC [%s] vs PAC requester [%s]",
|
||||
+ pac_sid ? pac_sid : "<failed to display>",
|
||||
+ req_sid ? req_sid : "<failed to display>");
|
||||
+ kerr = KRB5KDC_ERR_TGT_REVOKED;
|
||||
+ goto done;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
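Review bot: The new early exit `return KRB5_KDB_DBNOTINITED;` after `ipadb_get_context(context)` bypasses the `done:` cleanup that every other failure path in this hunk reaches via `kerr = ...; goto done;`; if `done:` releases `tmpctx` (the talloc context handed to `ipadb_get_sid_from_pac` and `dom_sid_string`), this path leaks it, so it should read `kerr = KRB5_KDB_DBNOTINITED; goto done;`. Separately, the trusted-domain fallback silently accepts a requester SID that differs from the PAC SID whenever it matches some domain in `ipactx->mspac->trusts`; a debug-level `krb5_klog_syslog` naming the matched trusted domain would make S4U2Self activity from trusted forests auditable, since the mismatch is otherwise only logged on the reject path. Minor style: `for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++)` should follow the file's `for (...; ...; ...)` spacing. ipadb_check_logon_info starts before this hunk and its `done:` label is outside it, so the cleanup behaviour is inferred from the surrounding `goto done` calls.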
@ -1,138 +0,0 @@
|
||||
From 538a9992fd1394ed24cbcdf2a2a27694ac28da55 Mon Sep 17 00:00:00 2001
|
||||
From: Antonio Torres <antorres@redhat.com>
|
||||
Date: Mon, 8 Mar 2021 18:20:35 +0100
|
||||
Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal
|
||||
IPA services
|
||||
|
||||
Authentication indicators should not be added to internal IPA services,
|
||||
since this can lead to a broken IPA setup. In case a client with
|
||||
an auth indicator set in its host principal, promoting it to a replica
|
||||
should fail.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8206
|
||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
.../test_replica_promotion.py | 38 +++++++++++++++++++
|
||||
ipatests/test_xmlrpc/test_host_plugin.py | 10 +++++
|
||||
ipatests/test_xmlrpc/test_service_plugin.py | 21 ++++++++++
|
||||
3 files changed, 69 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
|
||||
index 0a137dbdcb068811899e7ff7914730f14ea651c1..b9c56f775d08885cb6b1226eeb7bcf105f87cdc1 100644
|
||||
--- a/ipatests/test_integration/test_replica_promotion.py
|
||||
+++ b/ipatests/test_integration/test_replica_promotion.py
|
||||
@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
|
||||
assert result.returncode == 1
|
||||
assert expected_err in result.stderr_text
|
||||
|
||||
+ @replicas_cleanup
|
||||
+ def test_install_with_host_auth_ind_set(self):
|
||||
+ """ A client shouldn't be able to be promoted if it has
|
||||
+ any auth indicator set in the host principal.
|
||||
+ https://pagure.io/freeipa/issue/8206
|
||||
+ """
|
||||
+
|
||||
+ client = self.replicas[0]
|
||||
+ # Configure firewall first
|
||||
+ Firewall(client).enable_services(["freeipa-ldap",
|
||||
+ "freeipa-ldaps"])
|
||||
+
|
||||
+ client.run_command(['ipa-client-install', '-U',
|
||||
+ '--domain', self.master.domain.name,
|
||||
+ '--realm', self.master.domain.realm,
|
||||
+ '-p', 'admin',
|
||||
+ '-w', self.master.config.admin_password,
|
||||
+ '--server', self.master.hostname,
|
||||
+ '--force-join'])
|
||||
+
|
||||
+ tasks.kinit_admin(client)
|
||||
+
|
||||
+ client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
|
||||
+ client.hostname])
|
||||
+
|
||||
+ res = client.run_command(['ipa-replica-install', '-U', '-w',
|
||||
+ self.master.config.dirman_password],
|
||||
+ raiseonerr=False)
|
||||
+
|
||||
+ client.run_command(['ipa', 'host-mod', '--auth-ind=',
|
||||
+ client.hostname])
|
||||
+
|
||||
+ expected_err = ("Client cannot be promoted to a replica if the host "
|
||||
+ "principal has an authentication indicator set.")
|
||||
+ assert res.returncode == 1
|
||||
+ assert expected_err in res.stderr_text
|
||||
+
|
||||
+
|
||||
@replicas_cleanup
|
||||
def test_one_command_installation(self):
|
||||
"""
|
||||
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
|
||||
index c66bbc865cd5e1ee5ee5e1874c177a3ea9b08c93..9cfde3565d48e103a0549e2bfb7579e07668f41b 100644
|
||||
--- a/ipatests/test_xmlrpc/test_host_plugin.py
|
||||
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
|
||||
@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
|
||||
error=u'An IPA master host cannot be deleted or disabled')):
|
||||
command()
|
||||
|
||||
+ def test_try_add_auth_ind_master(self, this_host):
|
||||
+ command = this_host.make_update_command({
|
||||
+ u'krbprincipalauthind': u'radius'})
|
||||
+ with raises_exact(errors.ValidationError(
|
||||
+ name='krbprincipalauthind',
|
||||
+ error=u'authentication indicators not allowed '
|
||||
+ 'in service "host"'
|
||||
+ )):
|
||||
+ command()
|
||||
+
|
||||
|
||||
@pytest.mark.tier1
|
||||
class TestValidation(XMLRPC_test):
|
||||
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
|
||||
index 4c845938c33e2eca4235d53c4f4644c2fcdeda9c..ed634a0455a41dce367ed638634d1fc6d9e47553 100644
|
||||
--- a/ipatests/test_xmlrpc/test_service_plugin.py
|
||||
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
|
||||
@@ -25,6 +25,7 @@ from ipalib import api, errors
|
||||
from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
|
||||
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
|
||||
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
|
||||
+from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
|
||||
from ipatests.test_xmlrpc import objectclasses
|
||||
from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
|
||||
from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
|
||||
@@ -1552,6 +1553,15 @@ def indicators_host(request):
|
||||
return tracker.make_fixture(request)
|
||||
|
||||
|
||||
+@pytest.fixture(scope='function')
|
||||
+def this_host(request):
|
||||
+ """Fixture for the current master"""
|
||||
+ tracker = HostTracker(name=api.env.host.partition('.')[0],
|
||||
+ fqdn=api.env.host)
|
||||
+ tracker.exists = True
|
||||
+ return tracker
|
||||
+
|
||||
+
|
||||
@pytest.fixture(scope='function')
|
||||
def indicators_service(request):
|
||||
tracker = ServiceTracker(
|
||||
@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
|
||||
expected_updates={u'krbprincipalauthind': [u'radius']}
|
||||
)
|
||||
|
||||
+ def test_update_indicator_internal_service(self, this_host):
|
||||
+ command = this_host.make_command('service_mod',
|
||||
+ 'ldap/' + this_host.fqdn,
|
||||
+ **dict(krbprincipalauthind='otp'))
|
||||
+ with raises_exact(errors.ValidationError(
|
||||
+ name='krbprincipalauthind',
|
||||
+ error=u'authentication indicators not allowed '
|
||||
+ 'in service "ldap"'
|
||||
+ )):
|
||||
+ command()
|
||||
+
|
||||
|
||||
@pytest.fixture(scope='function')
|
||||
def managing_host(request):
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,57 +0,0 @@
|
||||
From a8d6257b2cf64c3dd2b1c5d7bcf81acc3b766853 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Mon, 5 Jul 2021 09:51:41 +0200
|
||||
Subject: [PATCH] stageuser: add ipauserauthtypeclass when required
|
||||
|
||||
The command
|
||||
ipa stageuser-add --user-auth-type=xxx
|
||||
is currently failing because the objectclass ipauserauthtypeclass
|
||||
is missing from the created entry.
|
||||
|
||||
There is code adding the missing objectclass in the
|
||||
pre_common_callback method of user_add, and this code should
|
||||
be common to user_add and stageuser_add. In order to avoid code
|
||||
duplication, it makes more sense to move the existing code to
|
||||
pre_common_callback of baseuser_add, that is called by both
|
||||
classes.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8909
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
ipaserver/plugins/baseuser.py | 3 +++
|
||||
ipaserver/plugins/user.py | 4 ----
|
||||
2 files changed, 3 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
|
||||
index ae16a978ab01f9c5c257e9cb5567c918a7fafdc5..6035228f19ef8acaf4992490d5512c126881816d 100644
|
||||
--- a/ipaserver/plugins/baseuser.py
|
||||
+++ b/ipaserver/plugins/baseuser.py
|
||||
@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate):
|
||||
if entry_attrs.get('ipatokenradiususername', None):
|
||||
add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
|
||||
entry_attrs, update=False)
|
||||
+ if entry_attrs.get('ipauserauthtype', None):
|
||||
+ add_missing_object_class(ldap, u'ipauserauthtypeclass', dn,
|
||||
+ entry_attrs, update=False)
|
||||
|
||||
def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
|
||||
assert isinstance(dn, DN)
|
||||
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
|
||||
index 6f7facb5380ba56feab39b71cd265776f3ab57d8..e4ee572b236c288fd7dcf1d44c5adf1f836f63aa 100644
|
||||
--- a/ipaserver/plugins/user.py
|
||||
+++ b/ipaserver/plugins/user.py
|
||||
@@ -617,10 +617,6 @@ class user_add(baseuser_add):
|
||||
'ipauser' not in entry_attrs['objectclass']:
|
||||
entry_attrs['objectclass'].append('ipauser')
|
||||
|
||||
- if 'ipauserauthtype' in entry_attrs and \
|
||||
- 'ipauserauthtypeclass' not in entry_attrs['objectclass']:
|
||||
- entry_attrs['objectclass'].append('ipauserauthtypeclass')
|
||||
-
|
||||
rcl = entry_attrs.get('ipatokenradiusconfiglink', None)
|
||||
if rcl:
|
||||
if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']:
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,32 +0,0 @@
|
||||
From 932910456e0269edefe396d4af96447f90ff29b3 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Mon, 5 Jul 2021 10:22:31 +0200
|
||||
Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8909
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||
index 5586fc607e134938225c1c982fc39d169847f549..bc606b093c98ce204ad4ea17e5c16273144fa2e7 100644
|
||||
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||
@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test):
|
||||
result = command()
|
||||
assert result['count'] == 1
|
||||
|
||||
+ def test_create_withuserauthtype(self, stageduser):
|
||||
+ stageduser.ensure_missing()
|
||||
+ command = stageduser.make_create_command(
|
||||
+ options={u'ipauserauthtype': u'password'})
|
||||
+ command()
|
||||
+
|
||||
|
||||
@pytest.mark.tier1
|
||||
class TestCreateInvalidAttributes(XMLRPC_test):
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,40 +0,0 @@
|
||||
From 9144526d2d7e7dcd8503c6c38226e17ebb4ed8b9 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Wed, 7 Jul 2021 10:49:25 +0200
|
||||
Subject: [PATCH] augeas: bump version for rhel9
|
||||
|
||||
augeas 1.12.1-0.1 adds support for the new chony configuration
|
||||
settings.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8676
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Anuja More <amore@redhat.com>
|
||||
---
|
||||
freeipa.spec.in | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||
index fbfe4d09eedc169112dcdc18a953134de67b7731..ae4af099f39641a9f5163d61cfb37e1c3afb6f4b 100755
|
||||
--- a/freeipa.spec.in
|
||||
+++ b/freeipa.spec.in
|
||||
@@ -162,13 +162,16 @@
|
||||
|
||||
# augeas support for new chrony options
|
||||
# see https://pagure.io/freeipa/issue/8676
|
||||
-# Note: will need to be updated for RHEL9 when a fix is available for
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1931787
|
||||
%if 0%{?fedora} >= 33
|
||||
%global augeas_version 1.12.0-6
|
||||
%else
|
||||
+%if 0%{?rhel} >= 9
|
||||
+%global augeas_version 1.12.1-0
|
||||
+%else
|
||||
%global augeas_version 1.12.0-3
|
||||
%endif
|
||||
+%endif
|
||||
|
||||
%global plugin_dir %{_libdir}/dirsrv/plugins
|
||||
%global etc_systemd_dir %{_sysconfdir}/systemd/system
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,35 +0,0 @@
|
||||
From ecb407864fde4d917dabe0aae95881561ed384ab Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Wed, 7 Jul 2021 14:11:40 +0200
|
||||
Subject: [PATCH] man page: update ipa-server-upgrade.1
|
||||
|
||||
The man page needs to clarify in which case the command needs
|
||||
to be run.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8913
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
---
|
||||
install/tools/man/ipa-server-upgrade.1 | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1
|
||||
index 3db19b0f13da1f5a36bd6e8df23fc916d0401a6d..f01e21c6b599499c4c6dbbcf120b19a3431fb3ed 100644
|
||||
--- a/install/tools/man/ipa-server-upgrade.1
|
||||
+++ b/install/tools/man/ipa-server-upgrade.1
|
||||
@@ -8,7 +8,12 @@ ipa\-server\-upgrade \- upgrade IPA server
|
||||
.SH "SYNOPSIS"
|
||||
ipa\-server\-upgrade [options]
|
||||
.SH "DESCRIPTION"
|
||||
-ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
|
||||
+ipa\-server\-upgrade is executed automatically to upgrade IPA server when
|
||||
+the IPA packages are being updated. It is not intended to be executed by
|
||||
+end\-users, unless the automatic execution reports an error. In this case,
|
||||
+the administrator needs to identify and fix the issue that is causing the
|
||||
+upgrade failure (with the help of /var/log/ipaupgrade.log)
|
||||
+and manually re\-run ipa\-server\-upgrade.
|
||||
|
||||
ipa\-server\-upgrade will:
|
||||
|
||||
--
|
||||
2.26.3
|
||||
|
File diff suppressed because it is too large
File diff suppressed because it is too large
@ -1,113 +0,0 @@
|
||||
From c9bae715b24df0f5476bdb70a2209d5f55e46a93 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <cheimes@redhat.com>
|
||||
Date: Fri, 21 May 2021 09:26:33 +0200
|
||||
Subject: [PATCH] Use 389-DS' dnaInterval setting to assign intervals
|
||||
|
||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
freeipa.spec.in | 3 ++-
|
||||
install/share/dna.ldif | 1 +
|
||||
install/updates/73-subid.update | 7 ++-----
|
||||
ipaserver/plugins/subid.py | 14 +-------------
|
||||
4 files changed, 6 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||
index 044e3559975c399f6697d4da94b5a059eb5b407c..fa649cf4e1abe8e9928ef340a66d48d78f7e3521 100755
|
||||
--- a/freeipa.spec.in
|
||||
+++ b/freeipa.spec.in
|
||||
@@ -106,8 +106,9 @@
|
||||
%global python_ldap_version 3.1.0-1
|
||||
|
||||
# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4700
|
||||
+# and has DNA interval enabled
|
||||
%if 0%{?fedora} < 34
|
||||
-%global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.16-1'; print(v[rpm.expand('%{fedora}')])}
|
||||
+%global ds_version 1.4.4.16-1
|
||||
%else
|
||||
%global ds_version 2.0.5-1
|
||||
%endif
|
||||
diff --git a/install/share/dna.ldif b/install/share/dna.ldif
|
||||
index 735faab8261feef59486f7c933b01c57ad511166..9023fcd7db5a2c121c493559e2546c85c0daf69a 100644
|
||||
--- a/install/share/dna.ldif
|
||||
+++ b/install/share/dna.ldif
|
||||
@@ -31,6 +31,7 @@ dnaScope: $SUFFIX
|
||||
dnaThreshold: eval($SUBID_DNA_THRESHOLD)
|
||||
dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
|
||||
dnaExcludeScope: cn=provisioning,$SUFFIX
|
||||
+dnaInterval: eval($SUBID_COUNT)
|
||||
# TODO: enable when 389-DS' DNA plugin supports dnaStepAttr
|
||||
# dnaIntervalAttr: ipasubuidcount
|
||||
# dnaIntervalAttr: ipasubgidcount
|
||||
diff --git a/install/updates/73-subid.update b/install/updates/73-subid.update
|
||||
index 1aa43822a8b8c220583b81e08d70b648ca594363..e10703aa3f9528751233ddebe00b8c8c8fc5ed3f 100644
|
||||
--- a/install/updates/73-subid.update
|
||||
+++ b/install/updates/73-subid.update
|
||||
@@ -62,12 +62,8 @@ default:member: cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX
|
||||
# The delete-when-empty check is required because IPA uses MOD_REPLACE to
|
||||
# set attributes, see https://github.com/389ds/389-ds-base/issues/4597.
|
||||
#
|
||||
-# TODO: remove (ipasubuidnumber>=eval($SUBID_RANGE_START) from
|
||||
-# self-service permission when 389-DS' DNA plugin supports dnaStepAttr and
|
||||
-# fake_dna_plugin hack has been removed.
|
||||
-#
|
||||
dn: cn=subids,cn=accounts,$SUFFIX
|
||||
-add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=eval($SUBID_RANGE_START))(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=eval($SUBID_RANGE_START))(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (add, write) userattr = "ipaowner#SELFDN" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
+add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(ipasubuidnumber=-1) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(ipasubgidnumber=-1) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (add, write) userattr = "ipaowner#SELFDN" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)
|
||||
add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=1)(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=1)(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "Add subordinate ids to any user";allow (add, write) groupdn="ldap:///cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX";)
|
||||
|
||||
# DNA plugin and idrange configuration
|
||||
@@ -90,6 +86,7 @@ default: dnaScope: $SUFFIX
|
||||
default: dnaThreshold: eval($SUBID_DNA_THRESHOLD)
|
||||
default: dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
|
||||
default: dnaExcludeScope: cn=provisioning,$SUFFIX
|
||||
+default: dnaInterval: eval($SUBID_COUNT)
|
||||
# TODO: enable when 389-DS' DNA plugin supports dnaStepAttr
|
||||
# add: dnaIntervalAttr: ipasubuidcount
|
||||
# add: dnaIntervalAttr: ipasubgidcount
|
||||
diff --git a/ipaserver/plugins/subid.py b/ipaserver/plugins/subid.py
|
||||
index 7d9a2f33e84bc7cdf17900346343e49d5eda0d8c..440f24ee627f0736100f63026158c564b04520c2 100644
|
||||
--- a/ipaserver/plugins/subid.py
|
||||
+++ b/ipaserver/plugins/subid.py
|
||||
@@ -2,7 +2,6 @@
|
||||
# Copyright (C) 2021 FreeIPA Contributors see COPYING for license
|
||||
#
|
||||
|
||||
-import random
|
||||
import uuid
|
||||
|
||||
from ipalib import api
|
||||
@@ -291,12 +290,8 @@ class subid(LDAPObject):
|
||||
_entry_attrs = ldap.get_entry(dn, ["objectclass"])
|
||||
entry_attrs["objectclass"] = _entry_attrs["objectclass"]
|
||||
|
||||
- # XXX HACK, remove later
|
||||
- if subuid == DNA_MAGIC:
|
||||
- subuid = self._fake_dna_plugin(ldap, dn, entry_attrs)
|
||||
-
|
||||
entry_attrs["ipasubuidnumber"] = subuid
|
||||
- # enforice subuid == subgid for now
|
||||
+ # enforce subuid == subgid for now
|
||||
entry_attrs["ipasubgidnumber"] = subuid
|
||||
# hard-coded constants
|
||||
entry_attrs["ipasubuidcount"] = constants.SUBID_COUNT
|
||||
@@ -350,13 +345,6 @@ class subid(LDAPObject):
|
||||
filters.extend(extra_filters)
|
||||
return ldap.combine_filters(filters, rules=ldap.MATCH_ALL)
|
||||
|
||||
- def _fake_dna_plugin(self, ldap, dn, entry_attrs):
|
||||
- """XXX HACK, remove when 389-DS DNA plugin supports steps"""
|
||||
- return (
|
||||
- constants.SUBID_RANGE_START
|
||||
- + random.randint(1, 32764 - 2) * constants.SUBID_COUNT
|
||||
- )
|
||||
-
|
||||
|
||||
@register()
|
||||
class subid_add(LDAPCreate):
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,68 +0,0 @@
|
||||
From 21574b261cf0d346da48e34c0a5383736ca8798b Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <cheimes@redhat.com>
|
||||
Date: Fri, 21 May 2021 14:56:32 +0200
|
||||
Subject: [PATCH] Fix ipa-server-upgrade
|
||||
|
||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
install/share/bootstrap-template.ldif | 2 +-
|
||||
install/updates/73-subid.update | 2 +-
|
||||
ipaserver/install/ldapupdate.py | 3 +++
|
||||
3 files changed, 5 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
|
||||
index 16f2ef822eaf56dd68d4140b22a607539645b151..325eb8450c786899e7b5e4ae2ef8978f42a8425b 100644
|
||||
--- a/install/share/bootstrap-template.ldif
|
||||
+++ b/install/share/bootstrap-template.ldif
|
||||
@@ -491,7 +491,7 @@ cn: ${REALM}_subid_range
|
||||
ipaBaseID: eval($SUBID_RANGE_START)
|
||||
ipaIDRangeSize: eval($SUBID_RANGE_SIZE)
|
||||
# HACK: RIDs to work around adtrust sidgen issue
|
||||
-ipaBaseRID: eval($SUBID_RANGE_START - $IDRANGE_SIZE)
|
||||
+ipaBaseRID: eval($SUBID_BASE_RID)
|
||||
# 738065-838566 = IPA-SUB
|
||||
ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
|
||||
# HACK: "ipa-local-subid" range type causes issues with older SSSD clients
|
||||
diff --git a/install/updates/73-subid.update b/install/updates/73-subid.update
|
||||
index e10703aa3f9528751233ddebe00b8c8c8fc5ed3f..890eb7f1f6f261af977f26b3457e765ee8e9791f 100644
|
||||
--- a/install/updates/73-subid.update
|
||||
+++ b/install/updates/73-subid.update
|
||||
@@ -102,7 +102,7 @@ default: cn: ${REALM}_subid_range
|
||||
default: ipaBaseID: $SUBID_RANGE_START
|
||||
default: ipaIDRangeSize: $SUBID_RANGE_SIZE
|
||||
# HACK: RIDs to work around adtrust sidgen issue
|
||||
-default: ipaBaseRID: eval($SUBID_RANGE_START - $IDRANGE_SIZE)
|
||||
+default: ipaBaseRID: eval($SUBID_BASE_RID)
|
||||
default: ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
|
||||
# HACK: "ipa-local-subid" range type causes issues with older SSSD clients
|
||||
# see https://github.com/SSSD/sssd/issues/5571
|
||||
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
|
||||
index d0516dc3028366df5d03a960866abe72601aa4b6..06cb78e0b7dc2c82f0339c43228045d93b922288 100644
|
||||
--- a/ipaserver/install/ldapupdate.py
|
||||
+++ b/ipaserver/install/ldapupdate.py
|
||||
@@ -59,8 +59,10 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
|
||||
"""
|
||||
if idstart is None:
|
||||
idrange_size = None
|
||||
+ subid_base_rid = None
|
||||
else:
|
||||
idrange_size = idmax - idstart + 1
|
||||
+ subid_base_rid = constants.SUBID_RANGE_START - idrange_size
|
||||
|
||||
return dict(
|
||||
REALM=realm,
|
||||
@@ -81,6 +83,7 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
|
||||
SUBID_RANGE_SIZE=constants.SUBID_RANGE_SIZE,
|
||||
SUBID_RANGE_MAX=constants.SUBID_RANGE_MAX,
|
||||
SUBID_DNA_THRESHOLD=constants.SUBID_DNA_THRESHOLD,
|
||||
+ SUBID_BASE_RID=subid_base_rid,
|
||||
DOMAIN_HASH=murmurhash3(domain, len(domain), 0xdeadbeef),
|
||||
MAX_DOMAIN_LEVEL=constants.MAX_DOMAIN_LEVEL,
|
||||
MIN_DOMAIN_LEVEL=constants.MIN_DOMAIN_LEVEL,
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,29 +0,0 @@
|
||||
From c8b4fd5bb773a73116350bf8e853246916fe87c2 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <cheimes@redhat.com>
|
||||
Date: Tue, 15 Jun 2021 13:25:18 +0200
|
||||
Subject: [PATCH] Fix oid of ipaUserDefaultSubordinateId
|
||||
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
install/share/60ipaconfig.ldif | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/install/share/60ipaconfig.ldif b/install/share/60ipaconfig.ldif
|
||||
index f84b38ead1d70ff408f5669029f1517b0c98ecf1..005c1dd11e37039132620f1d97f9662ffb8c8c59 100644
|
||||
--- a/install/share/60ipaconfig.ldif
|
||||
+++ b/install/share/60ipaconfig.ldif
|
||||
@@ -47,7 +47,7 @@ attributeTypes: ( 2.16.840.1.113730.3.8.3.27 NAME 'ipaSELinuxUserMapOrder' DESC
|
||||
## ipaMaxHostnameLength - maximum hostname length to allow
|
||||
attributeTypes: ( 2.16.840.1.113730.3.8.1.28 NAME 'ipaMaxHostnameLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
|
||||
# ipaUserDefaultSubordinateId - if TRUE new user entries gain subordinate id by default
|
||||
-attributeTypes: ( 2.16.840.1.113730.3.8.3.23.14 NAME 'ipaUserDefaultSubordinateId' DESC 'Enable adding user entries with subordinate id' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
|
||||
+attributeTypes: ( 2.16.840.1.113730.3.8.23.14 NAME 'ipaUserDefaultSubordinateId' DESC 'Enable adding user entries with subordinate id' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
|
||||
###############################################
|
||||
##
|
||||
## ObjectClasses
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,275 +0,0 @@
|
||||
From 10418b7f3ea8c682961fc201545169663d507bf6 Mon Sep 17 00:00:00 2001
|
||||
From: Serhii Tsymbaliuk <stsymbal@redhat.com>
|
||||
Date: Thu, 17 Jun 2021 13:56:19 +0200
|
||||
Subject: [PATCH] WebUI: Improve subordinate ids user workflow
|
||||
|
||||
- add "Subordinate ID Statistics" page
|
||||
- add button for generating subid in "Subordinate ids" tab of user details page
|
||||
- allow to navigate directly to owner details from subordinate id page
|
||||
- adjust i18n strings
|
||||
|
||||
Ticket: https://pagure.io/freeipa/issue/8361
|
||||
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
install/ui/src/freeipa/details.js | 8 ++-
|
||||
.../ui/src/freeipa/navigation/menu_spec.js | 19 ++++++-
|
||||
install/ui/src/freeipa/subid.js | 43 +++++++++++++++-
|
||||
install/ui/src/freeipa/user.js | 49 +++++++++++++++----
|
||||
ipaserver/plugins/internal.py | 22 ++++++---
|
||||
5 files changed, 121 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/install/ui/src/freeipa/details.js b/install/ui/src/freeipa/details.js
|
||||
index b557bbcef9a427a87eee3216f4345fc853cbaaff..2704cbd0ba98efa877cf5ec8a878e688ee6807e9 100644
|
||||
--- a/install/ui/src/freeipa/details.js
|
||||
+++ b/install/ui/src/freeipa/details.js
|
||||
@@ -602,6 +602,12 @@ exp.details_facet = IPA.details_facet = function(spec, no_init) {
|
||||
*/
|
||||
that.facet_group = spec.facet_group || 'settings';
|
||||
|
||||
+ /**
|
||||
+ * Indicates if the details facet depends on pkey
|
||||
+ * @property {boolean}
|
||||
+ */
|
||||
+ that.require_pkey = spec.require_pkey !== undefined ? spec.require_pkey : true;
|
||||
+
|
||||
/**
|
||||
* Widgets
|
||||
* @property {IPA.widget_container}
|
||||
@@ -1105,7 +1111,7 @@ exp.details_facet = IPA.details_facet = function(spec, no_init) {
|
||||
*/
|
||||
that.refresh = function(on_success, on_error) {
|
||||
|
||||
- if (!that.get_pkey() && that.entity.redirect_facet) {
|
||||
+ if (that.require_pkey && !that.get_pkey() && that.entity.redirect_facet) {
|
||||
that.redirect();
|
||||
return;
|
||||
}
|
||||
diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js
|
||||
index 6ccd06919fbe04c7e8d2034ff7a1f644f373c607..a205dfade2f9508edbdc23ee6f7247508cc0479c 100644
|
||||
--- a/install/ui/src/freeipa/navigation/menu_spec.js
|
||||
+++ b/install/ui/src/freeipa/navigation/menu_spec.js
|
||||
@@ -104,7 +104,24 @@ var nav = {};
|
||||
}
|
||||
]
|
||||
},
|
||||
- { entity: 'subid' }
|
||||
+ {
|
||||
+ name: 'subid',
|
||||
+ label: '@i18n:tabs.subid',
|
||||
+ children: [
|
||||
+ {
|
||||
+ name: 'subid',
|
||||
+ entity: 'subid',
|
||||
+ facet: 'search',
|
||||
+ label: '@i18n:tabs.subid'
|
||||
+ },
|
||||
+ {
|
||||
+ name: 'subid-stats',
|
||||
+ entity: 'subid',
|
||||
+ facet: 'stats',
|
||||
+ label: '@i18n:objects.subid.stats'
|
||||
+ }
|
||||
+ ]
|
||||
+ }
|
||||
]
|
||||
},
|
||||
{
|
||||
diff --git a/install/ui/src/freeipa/subid.js b/install/ui/src/freeipa/subid.js
|
||||
index f286165070b08badf77cac6c30e93cab916c2acc..32f75bb7854cd3e84417a66870e99d34d49617e3 100644
|
||||
--- a/install/ui/src/freeipa/subid.js
|
||||
+++ b/install/ui/src/freeipa/subid.js
|
||||
@@ -31,6 +31,7 @@ return {
|
||||
},
|
||||
{
|
||||
$type: 'details',
|
||||
+ disable_facet_tabs: true,
|
||||
sections: [
|
||||
{
|
||||
name: 'details',
|
||||
@@ -38,9 +39,11 @@ return {
|
||||
'ipauniqueid',
|
||||
'description',
|
||||
{
|
||||
+ $type: 'link',
|
||||
name: 'ipaowner',
|
||||
label: '@i18n:objects.subid.ipaowner',
|
||||
- title: '@mo-param:subid:ipaowner:label'
|
||||
+ title: '@mo-param:subid:ipaowner:label',
|
||||
+ other_entity: 'user'
|
||||
},
|
||||
{
|
||||
name: 'ipasubgidnumber',
|
||||
@@ -65,6 +68,44 @@ return {
|
||||
]
|
||||
}
|
||||
]
|
||||
+ },
|
||||
+ {
|
||||
+ $type: 'details',
|
||||
+ name: 'stats',
|
||||
+ label: '@i18n:objects.subid.stats',
|
||||
+ refresh_command_name: 'stats',
|
||||
+ check_rights: false,
|
||||
+ no_update: true,
|
||||
+ disable_facet_tabs: true,
|
||||
+ disable_breadcrumb: true,
|
||||
+ require_pkey: false,
|
||||
+ fields: [
|
||||
+ {
|
||||
+ name: 'assigned_subids',
|
||||
+ label: '@i18n:objects.subid.assigned_subids',
|
||||
+ read_only: true
|
||||
+ },
|
||||
+ {
|
||||
+ name: 'baseid',
|
||||
+ label: '@i18n:objects.subid.baseid',
|
||||
+ read_only: true
|
||||
+ },
|
||||
+ {
|
||||
+ name: 'dna_remaining',
|
||||
+ label: '@i18n:objects.subid.dna_remaining',
|
||||
+ read_only: true
|
||||
+ },
|
||||
+ {
|
||||
+ name: 'rangesize',
|
||||
+ label: '@i18n:objects.subid.rangesize',
|
||||
+ read_only: true
|
||||
+ },
|
||||
+ {
|
||||
+ name: 'remaining_subids',
|
||||
+ label: '@i18n:objects.subid.remaining_subids',
|
||||
+ read_only: true
|
||||
+ }
|
||||
+ ]
|
||||
}
|
||||
],
|
||||
adder_dialog: {
|
||||
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
|
||||
index 56bb6f4feffb637d33a57aecf9a98f08d4639550..6a56320c580f58a1aba84e598736631986421113 100644
|
||||
--- a/install/ui/src/freeipa/user.js
|
||||
+++ b/install/ui/src/freeipa/user.js
|
||||
@@ -464,7 +464,7 @@ return {
|
||||
},
|
||||
{
|
||||
$type: 'subid_generate',
|
||||
- hide_cond: ['preserved-user'],
|
||||
+ hide_cond: ['preserved-user', 'self-service-other'],
|
||||
enable_cond: ['no-subid']
|
||||
}
|
||||
],
|
||||
@@ -556,8 +556,35 @@ return {
|
||||
{
|
||||
$type: 'association',
|
||||
name: 'memberof_subid',
|
||||
+ columns: [
|
||||
+ 'ipauniqueid',
|
||||
+ 'ipasubuidnumber',
|
||||
+ 'ipasubgidnumber'
|
||||
+ ],
|
||||
associator: IPA.serial_associator,
|
||||
- read_only: true
|
||||
+ read_only: true,
|
||||
+ state: {
|
||||
+ evaluators: [
|
||||
+ IPA.user.self_service_other_user_evaluator,
|
||||
+ IPA.user.preserved_user_evaluator,
|
||||
+ IPA.user.has_subid_evaluator
|
||||
+ ]
|
||||
+ },
|
||||
+ actions: [
|
||||
+ {
|
||||
+ $type: 'subid_generate',
|
||||
+ name: 'subid_generate',
|
||||
+ hide_cond: ['preserved-user', 'self-service-other'],
|
||||
+ enable_cond: ['no-subid']
|
||||
+ }
|
||||
+ ],
|
||||
+ control_buttons: [
|
||||
+ {
|
||||
+ name: 'subid_generate',
|
||||
+ label: '@i18n:objects.user.auto_subid',
|
||||
+ icon: 'fa-plus'
|
||||
+ }
|
||||
+ ]
|
||||
}
|
||||
],
|
||||
standard_association_facets: {
|
||||
@@ -1216,14 +1243,16 @@ IPA.user.subid_generate_action = function(spec) {
|
||||
var that = IPA.action(spec);
|
||||
|
||||
that.execute_action = function(facet) {
|
||||
-
|
||||
- var subid_e = reg.entity.get('subid');
|
||||
- var dialog = subid_e.get_dialog('add');
|
||||
- dialog.open();
|
||||
- if (!IPA.is_selfservice) {
|
||||
- var owner = facet.get_pkey();
|
||||
- dialog.get_field('ipaowner').set_value([owner]);
|
||||
- }
|
||||
+ var owner = facet.get_pkey();
|
||||
+ var command = rpc.command({
|
||||
+ entity: 'subid',
|
||||
+ method: 'generate'
|
||||
+ });
|
||||
+ command.set_option('ipaowner', owner);
|
||||
+ command.on_success = function(data, text_status, xhr) {
|
||||
+ facet.refresh();
|
||||
+ };
|
||||
+ command.execute();
|
||||
};
|
||||
|
||||
return that;
|
||||
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
|
||||
index 5ef940c2b88cc2b132a15d619772349b30731306..29e09f0067ec60d014e61c49313455d64478ef22 100644
|
||||
--- a/ipaserver/plugins/internal.py
|
||||
+++ b/ipaserver/plugins/internal.py
|
||||
@@ -1364,6 +1364,20 @@ class i18n_messages(Command):
|
||||
"undel_success": _("${count} user(s) restored"),
|
||||
"user_categories": _("User categories"),
|
||||
},
|
||||
+ "subid": {
|
||||
+ "add": _("Add subid"),
|
||||
+ "assigned_subids": _("Assigned subids"),
|
||||
+ "baseid": _("Base ID"),
|
||||
+ "dna_remaining": _("DNA remaining"),
|
||||
+ "ipaowner": _("Owner"),
|
||||
+ "ipasubgidcount": _("SubGID range size"),
|
||||
+ "ipasubgidnumber": _("SubGID range start"),
|
||||
+ "ipasubuidcount": _("SubUID range size"),
|
||||
+ "ipasubuidnumber": _("SubUID range start"),
|
||||
+ "rangesize": _("Range size"),
|
||||
+ "remaining_subids": _("Remaining subids"),
|
||||
+ "stats": _("Subordinate ID Statistics"),
|
||||
+ },
|
||||
"sudocmd": {
|
||||
"add": _("Add sudo command"),
|
||||
"add_into_sudocmdgroups": _(
|
||||
@@ -1547,13 +1561,6 @@ class i18n_messages(Command):
|
||||
"Drive to mount a home directory"
|
||||
),
|
||||
},
|
||||
- "subid": {
|
||||
- "identity": _("Subordinate user and group id"),
|
||||
- "subuidnumber": _("Subordinate user id"),
|
||||
- "subuidcount": _("Subordinate user id count"),
|
||||
- "subgidnumber": _("Subordinate group id"),
|
||||
- "subgidcount": _("Subordinate group id count"),
|
||||
- },
|
||||
"trustconfig": {
|
||||
"options": _("Options"),
|
||||
},
|
||||
@@ -1942,6 +1949,7 @@ class i18n_messages(Command):
|
||||
"network_services": _("Network Services"),
|
||||
"policy": _("Policy"),
|
||||
"role": _("Role-Based Access Control"),
|
||||
+ "subid": _("Subordinate IDs"),
|
||||
"sudo": _("Sudo"),
|
||||
"topology": _("Topology"),
|
||||
"trust": _("Trusts"),
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,57 +0,0 @@
|
||||
From b6ab27acdb07c21f43e9dcc9b777f8fd6a8925e1 Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <cheimes@redhat.com>
|
||||
Date: Fri, 18 Jun 2021 10:51:54 +0200
|
||||
Subject: [PATCH] Test DNA plugin configuration
|
||||
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_subids.py | 22 +++++++++++++++++++++-
|
||||
1 file changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_subids.py b/ipatests/test_integration/test_subids.py
|
||||
index 48e58c26464f52605438afe865575e5ca4c8f1f8..28cd1f765cd63af944bce83f4676a2b1998f5f5d 100644
|
||||
--- a/ipatests/test_integration/test_subids.py
|
||||
+++ b/ipatests/test_integration/test_subids.py
|
||||
@@ -6,8 +6,11 @@
|
||||
"""
|
||||
import os
|
||||
|
||||
-from ipalib.constants import SUBID_COUNT, SUBID_RANGE_START, SUBID_RANGE_MAX
|
||||
+from ipalib.constants import (
|
||||
+ SUBID_COUNT, SUBID_RANGE_START, SUBID_RANGE_MAX, SUBID_DNA_THRESHOLD
|
||||
+)
|
||||
from ipaplatform.paths import paths
|
||||
+from ipapython.dn import DN
|
||||
from ipatests.pytest_ipa.integration import tasks
|
||||
from ipatests.test_integration.base import IntegrationTest
|
||||
|
||||
@@ -81,6 +84,23 @@ class TestSubordinateId(IntegrationTest):
|
||||
cmd.extend(("--owner", uid))
|
||||
return self.master.run_command(cmd, **kwargs)
|
||||
|
||||
+ def test_dna_config(self):
|
||||
+ conn = self.master.ldap_connect()
|
||||
+ dna_cfg = DN(
|
||||
+ "cn=Subordinate IDs,cn=Distributed Numeric Assignment Plugin,"
|
||||
+ "cn=plugins,cn=config"
|
||||
+ )
|
||||
+ entry = conn.get_entry(dna_cfg)
|
||||
+
|
||||
+ def single_int(key):
|
||||
+ return int(entry.single_value[key])
|
||||
+
|
||||
+ assert single_int("dnaInterval") == SUBID_COUNT
|
||||
+ assert single_int("dnaThreshold") == SUBID_DNA_THRESHOLD
|
||||
+ assert single_int("dnaMagicRegen") == -1
|
||||
+ assert single_int("dnaMaxValue") == SUBID_RANGE_MAX
|
||||
+ assert set(entry["dnaType"]) == {"ipasubgidnumber", "ipasubuidnumber"}
|
||||
+
|
||||
def test_auto_generate_subid(self):
|
||||
uid = "testuser_auto1"
|
||||
passwd = "Secret123"
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,69 +0,0 @@
|
||||
From 3b7f537dd3022ecb758b2f0f8b2aba530e74bff7 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 12 Jul 2021 11:02:10 -0400
|
||||
Subject: [PATCH] Fall back to krbprincipalname when validating host auth
|
||||
indicators
|
||||
|
||||
When adding a new host the principal cannot be determined because it
|
||||
relies on either:
|
||||
|
||||
a) an entry to already exist
|
||||
b) krbprincipalname be a component of the dn
|
||||
|
||||
As a result the full dn is being passed into ipapython.Kerberos
|
||||
which can't parse it.
|
||||
|
||||
Look into the entry in validate_validate_auth_indicator() for
|
||||
krbprincipalname in this case.
|
||||
|
||||
https://pagure.io/freeipa/issue/8206
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipaserver/plugins/service.py | 5 +++++
|
||||
ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++
|
||||
2 files changed, 16 insertions(+)
|
||||
|
||||
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
|
||||
index cfbbff3c69c6a92535df58c51767c3d0952c7b0b..498f5e444364c6330e053d1057b727fb5181f70b 100644
|
||||
--- a/ipaserver/plugins/service.py
|
||||
+++ b/ipaserver/plugins/service.py
|
||||
@@ -209,6 +209,11 @@ def validate_auth_indicator(entry):
|
||||
# and shouldn't be allowed to have auth indicators.
|
||||
# https://pagure.io/freeipa/issue/8206
|
||||
pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
|
||||
+ if pkey == str(entry.dn):
|
||||
+ # krbcanonicalname may not be set yet if this is a host entry,
|
||||
+ # try krbprincipalname
|
||||
+ if 'krbprincipalname' in entry:
|
||||
+ pkey = entry['krbprincipalname']
|
||||
principal = kerberos.Principal(pkey)
|
||||
server = api.Command.server_find(principal.hostname)['result']
|
||||
if server:
|
||||
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
|
||||
index 9cfde3565d48e103a0549e2bfb7579e07668f41b..ff50e796cd19fca2c7b6c87d73940779db8daa0b 100644
|
||||
--- a/ipatests/test_xmlrpc/test_host_plugin.py
|
||||
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
|
||||
@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test):
|
||||
)):
|
||||
command()
|
||||
|
||||
+ def test_add_non_master_with_auth_ind(self, host5):
|
||||
+ host5.ensure_missing()
|
||||
+ command = host5.make_command(
|
||||
+ 'host_add', host5.fqdn, krbprincipalauthind=['radius'],
|
||||
+ force=True
|
||||
+ )
|
||||
+ result = command()
|
||||
+ # The fact that the command succeeds exercises the change but
|
||||
+ # let's check the indicator as well.
|
||||
+ assert result['result']['krbprincipalauthind'] == ('radius',)
|
||||
+
|
||||
|
||||
@pytest.mark.tier1
|
||||
class TestValidation(XMLRPC_test):
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,30 +0,0 @@
|
||||
From aa07f41769765e55c1531b52ad9ef5876e97e0e9 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Thu, 15 Jul 2021 10:06:56 +0200
|
||||
Subject: [PATCH] spec file: Trust controller role should pull
|
||||
sssd-winbind-idmap package
|
||||
|
||||
ipa-server-trust-ad subpackage need to pull in sssd-winbind-idmap
|
||||
Fixes: https://pagure.io/freeipa/issue/8923
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
freeipa.spec.in | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||
index fa649cf4e1abe8e9928ef340a66d48d78f7e3521..c33d2e216e5b0f13ae4fd3f9f506d4983493f03a 100755
|
||||
--- a/freeipa.spec.in
|
||||
+++ b/freeipa.spec.in
|
||||
@@ -597,6 +597,7 @@ Requires: %{name}-common = %{version}-%{release}
|
||||
|
||||
Requires: samba >= %{samba_version}
|
||||
Requires: samba-winbind
|
||||
+Requires: sssd-winbind-idmap
|
||||
Requires: libsss_idmap
|
||||
%if 0%{?rhel}
|
||||
Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,58 +0,0 @@
|
||||
From 0b9adf1d8d5efb48e734650e4101e8816b01e1d3 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 19 Jul 2021 17:51:44 -0400
|
||||
Subject: [PATCH] Use new method in check to prevent removal of last KRA
|
||||
|
||||
It previously used a vault connection to determine if any
|
||||
KRA servers were installed. This would fail if the last KRA
|
||||
was not available.
|
||||
|
||||
Use server roles instead to determine if the last KRA server
|
||||
is to be removed.
|
||||
|
||||
https://pagure.io/freeipa/issue/8397
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
---
|
||||
ipaserver/plugins/server.py | 24 +++++++++++++-----------
|
||||
1 file changed, 13 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
|
||||
index b3dda8469..5fa7a58bd 100644
|
||||
--- a/ipaserver/plugins/server.py
|
||||
+++ b/ipaserver/plugins/server.py
|
||||
@@ -508,17 +508,19 @@ class server_del(LDAPDelete):
|
||||
|
||||
if self.api.Command.ca_is_enabled()['result']:
|
||||
try:
|
||||
- vault_config = self.api.Command.vaultconfig_show()['result']
|
||||
- kra_servers = vault_config.get('kra_server_server', [])
|
||||
- except errors.InvocationError:
|
||||
- # KRA is not configured
|
||||
- pass
|
||||
- else:
|
||||
- if kra_servers == [hostname]:
|
||||
- handler(
|
||||
- _("Deleting this server is not allowed as it would "
|
||||
- "leave your installation without a KRA."),
|
||||
- ignore_last_of_role)
|
||||
+ roles = self.api.Command.server_role_find(
|
||||
+ server_server=hostname,
|
||||
+ role_servrole='KRA server',
|
||||
+ status='enabled',
|
||||
+ include_master=True,
|
||||
+ )['result']
|
||||
+ except errors.NotFound:
|
||||
+ roles = ()
|
||||
+ if len(roles) == 1 and roles[0]['server_server'] == hostname:
|
||||
+ handler(
|
||||
+ _("Deleting this server is not allowed as it would "
|
||||
+ "leave your installation without a KRA."),
|
||||
+ ignore_last_of_role)
|
||||
|
||||
ca_servers = ipa_config.get('ca_server_server', [])
|
||||
ca_renewal_master = ipa_config.get(
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,49 +0,0 @@
|
||||
From 8ea8f8b68b5a7217518f68065a5fc1df16126314 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 19 Jul 2021 21:54:22 -0400
|
||||
Subject: [PATCH] ipatests: test removing last KRA when it is not running
|
||||
|
||||
Use the new role-based mechanism, one that doesn't rely
|
||||
on direct communication to the server, to determine whether
|
||||
the server being removed by `ipa server-del` contains the
|
||||
last KRA server.
|
||||
|
||||
https://pagure.io/freeipa/issue/8397
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_server_del.py | 17 +++++++++++++++++
|
||||
1 file changed, 17 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_server_del.py b/ipatests/test_integration/test_server_del.py
|
||||
index 5e627d5db..9d7f5ef7a 100644
|
||||
--- a/ipatests/test_integration/test_server_del.py
|
||||
+++ b/ipatests/test_integration/test_server_del.py
|
||||
@@ -302,6 +302,23 @@ class TestLastServices(ServerDelBase):
|
||||
1
|
||||
)
|
||||
|
||||
+ def test_removal_of_server_raises_error_about_last_kra(self):
|
||||
+ """
|
||||
+ test that removal of server fails on the last KRA
|
||||
+
|
||||
+ We shut it down to verify that it can be removed if it failed.
|
||||
+ """
|
||||
+ tasks.install_kra(self.master)
|
||||
+ self.master.run_command(['ipactl', 'stop'])
|
||||
+ tasks.assert_error(
|
||||
+ tasks.run_server_del(self.replicas[0], self.master.hostname),
|
||||
+ "Deleting this server is not allowed as it would leave your "
|
||||
+ "installation without a KRA.",
|
||||
+ 1
|
||||
+ )
|
||||
+ # Restarting the server we stopped is not necessary as it will
|
||||
+ # be removed in the next test.
|
||||
+
|
||||
def test_forced_removal_of_master(self):
|
||||
"""
|
||||
Tests that we can still force remove the master using
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,30 +0,0 @@
|
||||
From 1a5159b216455070eb51b6a11ceaf0033fc8ce4c Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Fri, 16 Jul 2021 09:20:33 +0300
|
||||
Subject: [PATCH] rhel platform: add a named crypto-policy support
|
||||
|
||||
RHEL 8+ provides bind system-wide crypto policy support, enable it.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8925
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Anuja More <amore@redhat.com>
|
||||
---
|
||||
ipaplatform/rhel/paths.py | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/ipaplatform/rhel/paths.py b/ipaplatform/rhel/paths.py
|
||||
index c081ada32..3631550eb 100644
|
||||
--- a/ipaplatform/rhel/paths.py
|
||||
+++ b/ipaplatform/rhel/paths.py
|
||||
@@ -30,6 +30,7 @@ from ipaplatform.rhel.constants import HAS_NFS_CONF
|
||||
|
||||
|
||||
class RHELPathNamespace(RedHatPathNamespace):
|
||||
+ NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
|
||||
if HAS_NFS_CONF:
|
||||
SYSCONFIG_NFS = '/etc/nfs.conf'
|
||||
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,40 +0,0 @@
|
||||
From b132956e42a88ab39bb8d6a854e7c5d28d544a11 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Fri, 16 Jul 2021 09:43:54 +0200
|
||||
Subject: [PATCH] Index: Fix definition for memberOf
|
||||
|
||||
The index definition for memberOf is inconsistent:
|
||||
|
||||
dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
cn: member
|
||||
nsIndexType: eq
|
||||
nsIndexType: sub
|
||||
nsSystemIndex: false
|
||||
objectClass: top
|
||||
objectClass: nsIndex
|
||||
|
||||
The cn attribute should be memberOf, not member. Fix the definition.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8920
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
install/updates/20-indices.update | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
|
||||
index d6df5b37d..cb1a11dd5 100644
|
||||
--- a/install/updates/20-indices.update
|
||||
+++ b/install/updates/20-indices.update
|
||||
@@ -434,7 +434,7 @@ add:nsIndexType: eq
|
||||
add:nsIndexType: pres
|
||||
|
||||
dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
-only:cn: member
|
||||
+only:cn: memberOf
|
||||
add:nsIndexType: sub
|
||||
|
||||
dn: cn=memberPrincipal,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
|
||||
--
|
||||
2.26.3
|
||||
|
@ -1,35 +0,0 @@
|
||||
From b2e6292337c6f7f68ac383db8aa54a1abfa3f6b4 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Sun, 11 Jul 2021 16:29:16 +0200
|
||||
Subject: [PATCH] ipatests: use whole date when calling journalctl --since
|
||||
|
||||
The test TestSelfExternalSelf::test_switch_back_to_self_signed
|
||||
is checking the content of the journal using journalctl --since ...
|
||||
but provides only the time, not the whole date with year-month-day.
|
||||
As a consequence, if the test is executed around midnight it may
|
||||
find nothing in the journal because it's looking for logs after 11:50PM,
|
||||
which is a date in the future.
|
||||
Fixes: https://pagure.io/freeipa/issue/8918
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Anuja More <amore@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_external_ca.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
|
||||
index 72aa57a0b..d48d73deb 100644
|
||||
--- a/ipatests/test_integration/test_external_ca.py
|
||||
+++ b/ipatests/test_integration/test_external_ca.py
|
||||
@@ -301,7 +301,7 @@ class TestSelfExternalSelf(IntegrationTest):
|
||||
def test_switch_back_to_self_signed(self):
|
||||
|
||||
# for journalctl --since
|
||||
- switch_time = time.strftime('%H:%M:%S')
|
||||
+ switch_time = time.strftime('%Y-%m-%d %H:%M:%S')
|
||||
# switch back to self-signed CA
|
||||
result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
|
||||
'--self-signed'])
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,43 +0,0 @@
|
||||
From 26be7ffdba87e0e6294ea035ab3dc9bd933fba43 Mon Sep 17 00:00:00 2001
|
||||
From: Sudhir Menon <sumenon@redhat.com>
|
||||
Date: Fri, 9 Jul 2021 13:44:12 +0530
|
||||
Subject: [PATCH] ipatests: Fix for
|
||||
test_source_ipahealthcheck_ipa_host_check_ipahostkeytab
|
||||
|
||||
Expected error message has been modified for
|
||||
test_source_ipahealthcheck_ipa_host_check_ipahostkeytab
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8889
|
||||
|
||||
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_ipahealthcheck.py | 5 +----
|
||||
1 file changed, 1 insertion(+), 4 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
index 305d7b945..f6a3043f1 100644
|
||||
--- a/ipatests/test_integration/test_ipahealthcheck.py
|
||||
+++ b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
@@ -499,9 +499,6 @@ class TestIpaHealthCheck(IntegrationTest):
|
||||
from host's keytab.
|
||||
"""
|
||||
msg = (
|
||||
- "Failed to obtain host TGT: Major (458752): "
|
||||
- "No credentials were "
|
||||
- "supplied, or the credentials were unavailable or inaccessible, "
|
||||
"Minor (2529639107): No credentials cache found"
|
||||
)
|
||||
|
||||
@@ -514,7 +511,7 @@ class TestIpaHealthCheck(IntegrationTest):
|
||||
)
|
||||
assert returncode == 1
|
||||
assert data[0]["result"] == "ERROR"
|
||||
- assert data[0]["kw"]["msg"] == msg
|
||||
+ assert msg in data[0]["kw"]["msg"]
|
||||
|
||||
def test_source_ipahealthcheck_topology_IPATopologyDomainCheck(self):
|
||||
"""
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,52 +0,0 @@
|
||||
From 7f910eb2dda8595da435b4aed6e759a2916df813 Mon Sep 17 00:00:00 2001
|
||||
From: Michal Polovka <mpolovka@redhat.com>
|
||||
Date: Wed, 23 Jun 2021 14:53:49 +0200
|
||||
Subject: [PATCH] ipatests: test_ipahealthcheck: print a message if a system is
|
||||
healthy
|
||||
|
||||
Test if when the system is completely healthy, informative message is
|
||||
returned and not only empty output (list or json).
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8892
|
||||
|
||||
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_ipahealthcheck.py | 14 +++++++++++++-
|
||||
1 file changed, 13 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
index f6a3043f1..36fe72be7 100644
|
||||
--- a/ipatests/test_integration/test_ipahealthcheck.py
|
||||
+++ b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
@@ -286,7 +286,7 @@ class TestIpaHealthCheck(IntegrationTest):
|
||||
for source in sources_avail:
|
||||
assert source in result.stdout_text
|
||||
|
||||
- def test_human_output(self, restart_service):
|
||||
+ def test_human_severity(self, restart_service):
|
||||
"""
|
||||
Test that in human output the severity value is correct
|
||||
|
||||
@@ -306,6 +306,18 @@ class TestIpaHealthCheck(IntegrationTest):
|
||||
assert output == \
|
||||
"ERROR: ipahealthcheck.meta.services.sssd: sssd: not running"
|
||||
|
||||
+ def test_human_output(self):
|
||||
+ """
|
||||
+ Test if in case no failures were found, informative string is printed
|
||||
+ in human output.
|
||||
+
|
||||
+ https://pagure.io/freeipa/issue/8892
|
||||
+ """
|
||||
+ returncode, output = run_healthcheck(self.master, output_type="human",
|
||||
+ failures_only=True)
|
||||
+ assert returncode == 0
|
||||
+ assert output == "No issues found."
|
||||
+
|
||||
def test_ipa_healthcheck_after_certupdate(self):
|
||||
"""
|
||||
Verify that ipa-certupdate hasn't messed up tracking
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,104 +0,0 @@
|
||||
From e5df4dc4884f1a66ccbca79b9a0d83874c996d1d Mon Sep 17 00:00:00 2001
|
||||
From: Michal Polovka <mpolovka@redhat.com>
|
||||
Date: Mon, 31 May 2021 14:43:28 +0200
|
||||
Subject: [PATCH] ipatests: test_installation: move tracking_reqs dependency to
|
||||
ipalib constants ipaserver: krainstance: utilize moved tracking_reqs
|
||||
dependency
|
||||
|
||||
KRA instance import depends on lib389 package, which is not always
|
||||
installed and that results in failure. Furthermore, test_installation
|
||||
utilizes krainstance import. This fix moves relevant parts from
|
||||
krainstance to ipalib constants where those are subsequently imported
|
||||
from.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/8795
|
||||
|
||||
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
|
||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipalib/constants.py | 8 ++++++++
|
||||
ipaserver/install/krainstance.py | 7 ++-----
|
||||
ipatests/test_integration/test_installation.py | 7 +++----
|
||||
3 files changed, 13 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/ipalib/constants.py b/ipalib/constants.py
|
||||
index bff899ba6..2aeafac7a 100644
|
||||
--- a/ipalib/constants.py
|
||||
+++ b/ipalib/constants.py
|
||||
@@ -360,3 +360,11 @@ SUBID_RANGE_MAX = (2 ** 32) - (2 * SUBID_COUNT)
|
||||
SUBID_RANGE_SIZE = SUBID_RANGE_MAX - SUBID_RANGE_START
|
||||
# threshold before DNA plugin requests a new range
|
||||
SUBID_DNA_THRESHOLD = 500
|
||||
+
|
||||
+# moved from ipaserver/install/krainstance.py::KRAInstance to avoid duplication
|
||||
+# as per https://pagure.io/freeipa/issue/8795
|
||||
+KRA_TRACKING_REQS = {
|
||||
+ 'auditSigningCert cert-pki-kra': 'caAuditSigningCert',
|
||||
+ 'transportCert cert-pki-kra': 'caTransportCert',
|
||||
+ 'storageCert cert-pki-kra': 'caStorageCert',
|
||||
+}
|
||||
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
|
||||
index e63db3fef..13cb2dcaa 100644
|
||||
--- a/ipaserver/install/krainstance.py
|
||||
+++ b/ipaserver/install/krainstance.py
|
||||
@@ -27,6 +27,7 @@ import base64
|
||||
|
||||
from ipalib import api
|
||||
from ipalib import x509
|
||||
+from ipalib.constants import KRA_TRACKING_REQS
|
||||
from ipaplatform.paths import paths
|
||||
from ipapython import directivesetter
|
||||
from ipapython import ipautil
|
||||
@@ -64,11 +65,7 @@ class KRAInstance(DogtagInstance):
|
||||
# Mapping of nicknames for tracking requests, and the profile to
|
||||
# use for that certificate. 'configure_renewal()' reads this
|
||||
# dict. The profile MUST be specified.
|
||||
- tracking_reqs = {
|
||||
- 'auditSigningCert cert-pki-kra': 'caAuditSigningCert',
|
||||
- 'transportCert cert-pki-kra': 'caTransportCert',
|
||||
- 'storageCert cert-pki-kra': 'caStorageCert',
|
||||
- }
|
||||
+ tracking_reqs = KRA_TRACKING_REQS
|
||||
|
||||
def __init__(self, realm):
|
||||
super(KRAInstance, self).__init__(
|
||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||
index 0c96536f0..27f15dbe5 100644
|
||||
--- a/ipatests/test_integration/test_installation.py
|
||||
+++ b/ipatests/test_integration/test_installation.py
|
||||
@@ -20,7 +20,7 @@ from cryptography.hazmat.primitives import hashes
|
||||
from cryptography import x509 as crypto_x509
|
||||
|
||||
from ipalib import x509
|
||||
-from ipalib.constants import DOMAIN_LEVEL_0
|
||||
+from ipalib.constants import DOMAIN_LEVEL_0, KRA_TRACKING_REQS
|
||||
from ipalib.constants import IPA_CA_RECORD
|
||||
from ipalib.sysrestore import SYSRESTORE_STATEFILE, SYSRESTORE_INDEXFILE
|
||||
from ipapython.dn import DN
|
||||
@@ -34,7 +34,7 @@ from ipatests.pytest_ipa.integration.env_config import get_global_config
|
||||
from ipatests.test_integration.base import IntegrationTest
|
||||
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
|
||||
from ipaplatform import services
|
||||
-from ipaserver.install import krainstance
|
||||
+
|
||||
|
||||
config = get_global_config()
|
||||
|
||||
@@ -1282,8 +1282,7 @@ class TestInstallMasterKRA(IntegrationTest):
|
||||
"""
|
||||
Test that the KRA subsystem certificates renew properly
|
||||
"""
|
||||
- kra = krainstance.KRAInstance(self.master.domain.realm)
|
||||
- for nickname in kra.tracking_reqs:
|
||||
+ for nickname in KRA_TRACKING_REQS:
|
||||
cert = tasks.certutil_fetch_cert(
|
||||
self.master,
|
||||
paths.PKI_TOMCAT_ALIAS_DIR,
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,31 +0,0 @@
|
||||
From 40e4ccf1ea943aba4d10e8126ffa49feddd2e683 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Tue, 13 Jul 2021 18:38:22 +0200
|
||||
Subject: [PATCH] webui tests: close notification when revoking cert
|
||||
|
||||
When a cert is revoked, a notification is displayed
|
||||
and may obscure the buttons. Make sure to close the
|
||||
notification before moving to the next step.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8911
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
|
||||
---
|
||||
ipatests/test_webui/test_cert.py | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/ipatests/test_webui/test_cert.py b/ipatests/test_webui/test_cert.py
|
||||
index 53dc76faa..7a8ffde91 100644
|
||||
--- a/ipatests/test_webui/test_cert.py
|
||||
+++ b/ipatests/test_webui/test_cert.py
|
||||
@@ -107,6 +107,7 @@ class test_cert(UI_driver):
|
||||
self.action_list_action('revoke_cert', False)
|
||||
self.select('select[name=revocation_reason]', reason)
|
||||
self.dialog_button_click('ok')
|
||||
+ self.close_notifications()
|
||||
self.navigate_to_entity(ENTITY)
|
||||
|
||||
return cert
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,153 +0,0 @@
|
||||
From 02c0da3ef74948579106aab4b669f6e64dd60b24 Mon Sep 17 00:00:00 2001
|
||||
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Date: Thu, 24 Jun 2021 13:10:00 +0530
|
||||
Subject: [PATCH] ipatests: Test ipa-cert-fix warns when startup directive is
|
||||
missing from CS.cfg
|
||||
|
||||
Earlier it used to fail when startup directive missing from CS.cfg.
|
||||
With https://github.com/dogtagpki/pki/pull/3466, it changed to display
|
||||
a warning than failing.
|
||||
|
||||
related: https://pagure.io/freeipa/issue/8890
|
||||
|
||||
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
.../test_integration/test_ipa_cert_fix.py | 92 ++++++++++++++++++-
|
||||
1 file changed, 90 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
index b2e92d4dc..394e85603 100644
|
||||
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
@@ -48,6 +48,16 @@ def check_status(host, cert_count, state, timeout=600):
|
||||
return count
|
||||
|
||||
|
||||
+def move_date(host, chrony_state, date_str):
|
||||
+ """Helper method to move the date on given host
|
||||
+ :param host: The host on which date is to be moved
|
||||
+ :param chrony_state: State to which chrony service to be moved
|
||||
+ :param date_str: date string to move the date i.e 2years1month1days
|
||||
+ """
|
||||
+ host.run_command(['systemctl', chrony_state, 'chronyd'])
|
||||
+ host.run_command(['date', '-s', date_str])
|
||||
+
|
||||
+
|
||||
@pytest.fixture
|
||||
def expire_cert_critical():
|
||||
"""
|
||||
@@ -82,6 +92,17 @@ class TestIpaCertFix(IntegrationTest):
|
||||
# the fixture
|
||||
pass
|
||||
|
||||
+ @pytest.fixture
|
||||
+ def expire_ca_cert(self):
|
||||
+ tasks.install_master(self.master, setup_dns=False,
|
||||
+ extra_args=['--no-ntp'])
|
||||
+ move_date(self.master, 'stop', '+20Years+1day')
|
||||
+
|
||||
+ yield
|
||||
+
|
||||
+ tasks.uninstall_master(self.master)
|
||||
+ move_date(self.master, 'start', '-20Years-1day')
|
||||
+
|
||||
def test_missing_csr(self, expire_cert_critical):
|
||||
"""
|
||||
Test that ipa-cert-fix succeeds when CSR is missing from CS.cfg
|
||||
@@ -122,7 +143,8 @@ class TestIpaCertFix(IntegrationTest):
|
||||
|
||||
# Because of BZ 1897120, pki-cert-fix fails on pki-core 10.10.0
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1897120
|
||||
- if tasks.get_pki_version(self.master) != tasks.parse_version('10.10.0'):
|
||||
+ if (tasks.get_pki_version(self.master)
|
||||
+ != tasks.parse_version('10.10.0')):
|
||||
assert result.returncode == 0
|
||||
|
||||
# get the number of certs track by certmonger
|
||||
@@ -180,6 +202,72 @@ class TestIpaCertFix(IntegrationTest):
|
||||
raiseonerr=False)
|
||||
assert result.returncode == 2
|
||||
|
||||
+ def test_missing_startup(self, expire_cert_critical):
|
||||
+ """
|
||||
+ Test ipa-cert-fix fails/warns when startup directive is missing
|
||||
+
|
||||
+ This test checks that if 'selftests.container.order.startup' directive
|
||||
+ is missing from CS.cfg, ipa-cert-fix fails and throw proper error
|
||||
+ message. It also checks that underlying command 'pki-server cert-fix'
|
||||
+ should fail to renew the cert.
|
||||
+
|
||||
+ related: https://pagure.io/freeipa/issue/8721
|
||||
+
|
||||
+ With https://github.com/dogtagpki/pki/pull/3466, it changed to display
|
||||
+ a warning than failing.
|
||||
+
|
||||
+ This test also checks that if 'selftests.container.order.startup'
|
||||
+ directive is missing from CS.cfg, ipa-cert-fix dsplay proper warning
|
||||
+ (depending on pki version)
|
||||
+
|
||||
+ related: https://pagure.io/freeipa/issue/8890
|
||||
+ """
|
||||
+ expire_cert_critical(self.master)
|
||||
+ # pki must be stopped in order to edit CS.cfg
|
||||
+ self.master.run_command(['ipactl', 'stop'])
|
||||
+ self.master.run_command([
|
||||
+ 'sed', '-i', r'/selftests\.container\.order\.startup/d',
|
||||
+ paths.CA_CS_CFG_PATH
|
||||
+ ])
|
||||
+ # dirsrv needs to be up in order to run ipa-cert-fix
|
||||
+ self.master.run_command(['ipactl', 'start',
|
||||
+ '--ignore-service-failures'])
|
||||
+
|
||||
+ result = self.master.run_command(['ipa-cert-fix', '-v'],
|
||||
+ stdin_text='yes\n',
|
||||
+ raiseonerr=False)
|
||||
+
|
||||
+ err_msg1 = "ERROR: 'selftests.container.order.startup'"
|
||||
+ # check that pki-server cert-fix command fails
|
||||
+ err_msg2 = ("ERROR: CalledProcessError(Command "
|
||||
+ "['pki-server', 'cert-fix'")
|
||||
+ warn_msg = ("WARNING: No selftests configured in "
|
||||
+ f"{paths.CA_CS_CFG_PATH} "
|
||||
+ "(selftests.container.order.startup)")
|
||||
+
|
||||
+ if (tasks.get_pki_version(self.master)
|
||||
+ < tasks.parse_version('10.11.0')):
|
||||
+ assert (err_msg1 in result.stderr_text
|
||||
+ and err_msg2 in result.stderr_text)
|
||||
+ else:
|
||||
+ assert warn_msg in result.stdout_text
|
||||
+
|
||||
+ def test_expired_CA_cert(self, expire_ca_cert):
|
||||
+ """Test to check ipa-cert-fix when CA certificate is expired
|
||||
+
|
||||
+ In order to fix expired certs using ipa-cert-fix, CA cert should be
|
||||
+ valid. If CA cert expired, ipa-cert-fix won't work.
|
||||
+
|
||||
+ related: https://pagure.io/freeipa/issue/8721
|
||||
+ """
|
||||
+ result = self.master.run_command(['ipa-cert-fix', '-v'],
|
||||
+ stdin_text='yes\n',
|
||||
+ raiseonerr=False)
|
||||
+ # check that pki-server cert-fix command fails
|
||||
+ err_msg = ("ERROR: CalledProcessError(Command "
|
||||
+ "['pki-server', 'cert-fix'")
|
||||
+ assert err_msg in result.stderr_text
|
||||
+
|
||||
|
||||
class TestIpaCertFixThirdParty(CALessBase):
|
||||
"""
|
||||
@@ -219,7 +307,7 @@ class TestIpaCertFixThirdParty(CALessBase):
|
||||
'--pin', self.master.config.admin_password,
|
||||
'-d', 'server.p12']
|
||||
self.master.run_command(args)
|
||||
- self.master.run_command(['ipactl', 'restart',])
|
||||
+ self.master.run_command(['ipactl', 'restart'])
|
||||
|
||||
# Run ipa-cert-fix. This is basically a no-op but tests that
|
||||
# the DS nickname is used and not a hardcoded value.
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,40 +0,0 @@
|
||||
From f7997ed0b7d5b915c0184bf8e8864ff935cd6232 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Fri, 16 Jul 2021 15:21:48 +0200
|
||||
Subject: [PATCH] webui tests: fix algo for finding available idrange
|
||||
|
||||
The webui tests for ID range evaluate a potentially free id range
|
||||
by looking for existing ranges and picking a range = max value
|
||||
+ 1 million.
|
||||
|
||||
With the addition of subuid range this algorithm produces values
|
||||
over the limit because the subuid range goes from
|
||||
2,147,483,648 to 4,294,836,224 and the max base id is 4,294,967,295.
|
||||
|
||||
Ignore the subuid range when picking a potential range.
|
||||
Fixes: https://pagure.io/freeipa/issue/8919
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_webui/task_range.py | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_webui/task_range.py b/ipatests/test_webui/task_range.py
|
||||
index db34f6f11..f0664d35a 100644
|
||||
--- a/ipatests/test_webui/task_range.py
|
||||
+++ b/ipatests/test_webui/task_range.py
|
||||
@@ -64,6 +64,12 @@ class range_tasks(UI_driver):
|
||||
max_rid = 0
|
||||
|
||||
for idrange in idranges:
|
||||
+ # IPA.TEST_subid_range is automatically created near the end
|
||||
+ # of the allowed ids, taking from 2,147,483,648 to 4,294,836,224
|
||||
+ # Ignore this range when looking for available ids otherwise
|
||||
+ # we won't find any value < max baseid 4,294,967,295
|
||||
+ if idrange['cn'][0].endswith("_subid_range"):
|
||||
+ continue
|
||||
size = int(idrange['ipaidrangesize'][0])
|
||||
base_id = int(idrange['ipabaseid'][0])
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,61 +0,0 @@
|
||||
From 161d5844eb1214e60c636bdb73713c6a43f1e75c Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Mon, 19 Jul 2021 15:59:01 +0200
|
||||
Subject: [PATCH] ipatests: smbclient "-k" => "--use-kerberos=desired"
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Change documentation:
|
||||
https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt
|
||||
|
||||
As of Samba 4.15rc1, smbclient does not accept "-k" anymore.
|
||||
The "-k|--kerberos" option ("Try to authenticate with kerberos.")
|
||||
has been replaced with "--use-kerberos=required|desired|off".
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8926
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_smb.py | 23 +++++++++++++++++++++--
|
||||
1 file changed, 21 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
|
||||
index 399ad6209..b2b7ce2e4 100644
|
||||
--- a/ipatests/test_integration/test_smb.py
|
||||
+++ b/ipatests/test_integration/test_smb.py
|
||||
@@ -166,9 +166,28 @@ class TestSMB(IntegrationTest):
|
||||
encoding='utf-8')
|
||||
assert file_contents_at_server == test_string
|
||||
|
||||
- # check access using smbclient utility
|
||||
+ # Detect whether smbclient uses -k or --use-kerberos=required
|
||||
+ # https://pagure.io/freeipa/issue/8926
|
||||
+ # then check access using smbclient.
|
||||
res = run_smb_client(
|
||||
- ['smbclient', '-k', share['unc'], '-c', 'dir'])
|
||||
+ [
|
||||
+ "smbclient",
|
||||
+ "-h",
|
||||
+ ], raiseonerr=False
|
||||
+ )
|
||||
+ if "[-k|--kerberos]" in res.stderr_text:
|
||||
+ smbclient_krb5_knob = "-k"
|
||||
+ else:
|
||||
+ smbclient_krb5_knob = "--use-kerberos=desired"
|
||||
+ res = run_smb_client(
|
||||
+ [
|
||||
+ "smbclient",
|
||||
+ smbclient_krb5_knob,
|
||||
+ share["unc"],
|
||||
+ "-c",
|
||||
+ "dir",
|
||||
+ ]
|
||||
+ )
|
||||
assert test_dir in res.stdout_text
|
||||
|
||||
# check file and dir removal from client side
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,81 +0,0 @@
|
||||
From 86869364a30f071ee79974b301ff68e80c0950ba Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Tue, 20 Jul 2021 20:19:16 +0200
|
||||
Subject: [PATCH] test_acme: refactor with tasks
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
---
|
||||
ipatests/pytest_ipa/integration/tasks.py | 11 +++++++++++
|
||||
ipatests/test_integration/test_acme.py | 19 ++++---------------
|
||||
2 files changed, 15 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
|
||||
index 22c7ba782..c2e548617 100755
|
||||
--- a/ipatests/pytest_ipa/integration/tasks.py
|
||||
+++ b/ipatests/pytest_ipa/integration/tasks.py
|
||||
@@ -2800,3 +2800,14 @@ def is_package_installed(host, pkg):
|
||||
'is_package_installed: unknown platform %s' % platform
|
||||
)
|
||||
return result.returncode == 0
|
||||
+
|
||||
+
|
||||
+def move_date(host, chrony_cmd, date_str):
|
||||
+ """Helper method to move system date
|
||||
+ :param host: host on which date is to be manipulated
|
||||
+ :param chrony_cmd: systemctl command to apply to
|
||||
+ chrony service, for instance 'start', 'stop'
|
||||
+ :param date_str: date string to change the date i.e '3years2months1day1'
|
||||
+ """
|
||||
+ host.run_command(['systemctl', chrony_cmd, 'chronyd'])
|
||||
+ host.run_command(['date', '-s', date_str])
|
||||
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
|
||||
index d90f1ff7d..b4aa1b351 100644
|
||||
--- a/ipatests/test_integration/test_acme.py
|
||||
+++ b/ipatests/test_integration/test_acme.py
|
||||
@@ -35,17 +35,6 @@ skip_mod_md_tests = osinfo.id not in ['rhel', 'fedora', ]
|
||||
CERTBOT_DNS_IPA_SCRIPT = '/usr/libexec/ipa/acme/certbot-dns-ipa'
|
||||
|
||||
|
||||
-def move_date(host, chrony_cmd, date_str):
|
||||
- """Helper method to move system date
|
||||
- :param host: host on which date is to be manipulated
|
||||
- :param chrony_cmd: systemctl command to apply to
|
||||
- chrony service, for instance 'start', 'stop'
|
||||
- :param date_str: date string to change the date i.e '3years2months1day1'
|
||||
- """
|
||||
- host.run_command(['systemctl', chrony_cmd, 'chronyd'])
|
||||
- host.run_command(['date', '-s', date_str])
|
||||
-
|
||||
-
|
||||
def check_acme_status(host, exp_status, timeout=60):
|
||||
"""Helper method to check the status of acme server"""
|
||||
for _i in range(0, timeout, 5):
|
||||
@@ -598,8 +587,8 @@ class TestACMERenew(IntegrationTest):
|
||||
)
|
||||
# move system date to expire acme cert
|
||||
for host in self.clients[0], self.master:
|
||||
- host.run_command(['kdestroy', '-A'])
|
||||
- move_date(host, 'stop', '+90days')
|
||||
+ tasks.kdestroy_all(host)
|
||||
+ tasks.move_date(host, 'stop', '+90days')
|
||||
self.clients[0].run_command(
|
||||
['kinit', 'admin'],
|
||||
stdin_text=cmd_input.format(
|
||||
@@ -611,8 +600,8 @@ class TestACMERenew(IntegrationTest):
|
||||
|
||||
# move back date
|
||||
for host in self.clients[0], self.master:
|
||||
- host.run_command(['kdestroy', '-A'])
|
||||
- move_date(host, 'start', '-90days')
|
||||
+ tasks.kdestroy_all(host)
|
||||
+ tasks.move_date(host, 'start', '-90days')
|
||||
tasks.kinit_admin(host)
|
||||
|
||||
@pytest.mark.skipif(skip_certbot_tests, reason='certbot not available')
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,66 +0,0 @@
|
||||
From 701adb9185c77194ba1ad0c5fd2f13484417ef6f Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Tue, 20 Jul 2021 20:22:23 +0200
|
||||
Subject: [PATCH] test_acme: make password renewal more robust
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
A kinit immediately following a password change can fail.
|
||||
Setting KRB5_TRACE and retrieving kdcinfo will help to understand
|
||||
the cause of failure.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8929
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_acme.py | 28 +++++++++++++-------------
|
||||
1 file changed, 14 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
|
||||
index b4aa1b351..10195a95f 100644
|
||||
--- a/ipatests/test_integration/test_acme.py
|
||||
+++ b/ipatests/test_integration/test_acme.py
|
||||
@@ -576,25 +576,25 @@ class TestACMERenew(IntegrationTest):
|
||||
# request a standalone acme cert
|
||||
certbot_standalone_cert(self.clients[0], self.acme_server)
|
||||
|
||||
- cmd_input = (
|
||||
- # Password for admin@{REALM}:
|
||||
- "{pwd}\n"
|
||||
- # Password expired. You must change it now.
|
||||
- # Enter new password:
|
||||
- "{pwd}\n"
|
||||
- # Enter it again:
|
||||
- "{pwd}\n"
|
||||
- )
|
||||
# move system date to expire acme cert
|
||||
for host in self.clients[0], self.master:
|
||||
tasks.kdestroy_all(host)
|
||||
tasks.move_date(host, 'stop', '+90days')
|
||||
- self.clients[0].run_command(
|
||||
- ['kinit', 'admin'],
|
||||
- stdin_text=cmd_input.format(
|
||||
- pwd=self.clients[0].config.admin_password
|
||||
- )
|
||||
+
|
||||
+ tasks.get_kdcinfo(host)
|
||||
+ # Note raiseonerr=False:
|
||||
+ # the assert is located after kdcinfo retrieval.
|
||||
+ result = host.run_command(
|
||||
+ "KRB5_TRACE=/dev/stdout kinit %s" % 'admin',
|
||||
+ stdin_text='{0}\n{0}\n{0}\n'.format(
|
||||
+ self.clients[0].config.admin_password
|
||||
+ ),
|
||||
+ raiseonerr=False
|
||||
)
|
||||
+ # Retrieve kdc.$REALM after the password change, just in case SSSD
|
||||
+ # domain status flipped to online during the password change.
|
||||
+ tasks.get_kdcinfo(host)
|
||||
+ assert result.returncode == 0
|
||||
|
||||
yield
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,58 +0,0 @@
|
||||
From 5b826ab3582566b15a618f57cb2e002a9c16ef64 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Tue, 20 Jul 2021 20:29:00 +0200
|
||||
Subject: [PATCH] tasks.py: fix flake8-reported issues
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8931
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
---
|
||||
ipatests/pytest_ipa/integration/tasks.py | 14 ++++++++------
|
||||
1 file changed, 8 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
|
||||
index c2e548617..075c05cde 100755
|
||||
--- a/ipatests/pytest_ipa/integration/tasks.py
|
||||
+++ b/ipatests/pytest_ipa/integration/tasks.py
|
||||
@@ -597,7 +597,9 @@ def install_adtrust(host):
|
||||
dig_command = ['dig', 'SRV', '+short', '@localhost',
|
||||
'_ldap._tcp.%s' % host.domain.name]
|
||||
dig_output = '0 100 389 %s.' % host.hostname
|
||||
- dig_test = lambda x: re.search(re.escape(dig_output), x)
|
||||
+
|
||||
+ def dig_test(x):
|
||||
+ return re.search(re.escape(dig_output), x)
|
||||
|
||||
run_repeatedly(host, dig_command, test=dig_test)
|
||||
|
||||
@@ -2122,8 +2124,8 @@ def create_active_user(host, login, password, first='test', last='user',
|
||||
result = host.run_command(
|
||||
"KRB5_TRACE=/dev/stdout kinit %s" % login,
|
||||
stdin_text='{0}\n{1}\n{1}\n'.format(
|
||||
- temp_password, password, raiseonerr=False
|
||||
- )
|
||||
+ temp_password, password
|
||||
+ ), raiseonerr=False
|
||||
)
|
||||
# Retrieve kdc.$REALM after the password change, just in case SSSD
|
||||
# domain status flipped to online during the password change.
|
||||
@@ -2264,10 +2266,10 @@ class KerberosKeyCopier:
|
||||
[paths.KLIST, "-eK", "-k", keytab], log_stdout=False)
|
||||
|
||||
keys_to_sync = []
|
||||
- for l in result.stdout_text.splitlines():
|
||||
- if (princ in l and any(e in l for e in self.valid_etypes)):
|
||||
+ for line in result.stdout_text.splitlines():
|
||||
+ if (princ in line and any(e in line for e in self.valid_etypes)):
|
||||
|
||||
- els = l.split()
|
||||
+ els = line.split()
|
||||
els[-2] = els[-2].strip('()')
|
||||
els[-1] = els[-1].strip('()')
|
||||
keys_to_sync.append(KeyEntry._make(els))
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,142 +0,0 @@
|
||||
From a1eb13cdbc109da8c028bb886a1207ea2cc23cee Mon Sep 17 00:00:00 2001
|
||||
From: Christian Heimes <cheimes@redhat.com>
|
||||
Date: Tue, 27 Jul 2021 11:54:20 +0200
|
||||
Subject: [PATCH] Fix ldapupdate.get_sub_dict() for missing named user
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The named user may not be present when ipa-server-dns and bind are not
|
||||
installed. NAMED_UID and NAMED_GID constants are only used with local
|
||||
DNS support.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8936
|
||||
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
||||
Co-authored-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipaserver/install/ldapupdate.py | 14 +++++++---
|
||||
.../nightly_ipa-4-9_latest.yaml | 12 +++++++++
|
||||
.../nightly_ipa-4-9_previous.yaml | 12 +++++++++
|
||||
.../test_integration/test_installation.py | 27 +++++++++++++++++++
|
||||
4 files changed, 62 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
|
||||
index 06cb78e0b..f0e7d6162 100644
|
||||
--- a/ipaserver/install/ldapupdate.py
|
||||
+++ b/ipaserver/install/ldapupdate.py
|
||||
@@ -64,6 +64,15 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
|
||||
idrange_size = idmax - idstart + 1
|
||||
subid_base_rid = constants.SUBID_RANGE_START - idrange_size
|
||||
|
||||
+ # uid / gid for autobind
|
||||
+ # user is only defined when ipa-server-dns and bind are installed
|
||||
+ try:
|
||||
+ named_uid = platformconstants.NAMED_USER.uid
|
||||
+ named_gid = platformconstants.NAMED_GROUP.gid
|
||||
+ except ValueError:
|
||||
+ named_uid = None
|
||||
+ named_gid = None
|
||||
+
|
||||
return dict(
|
||||
REALM=realm,
|
||||
DOMAIN=domain,
|
||||
@@ -99,9 +108,8 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
|
||||
DEFAULT_ADMIN_SHELL=platformconstants.DEFAULT_ADMIN_SHELL,
|
||||
SELINUX_USERMAP_DEFAULT=platformconstants.SELINUX_USERMAP_DEFAULT,
|
||||
SELINUX_USERMAP_ORDER=platformconstants.SELINUX_USERMAP_ORDER,
|
||||
- # uid / gid for autobind
|
||||
- NAMED_UID=platformconstants.NAMED_USER.uid,
|
||||
- NAMED_GID=platformconstants.NAMED_GROUP.gid,
|
||||
+ NAMED_UID=named_uid,
|
||||
+ NAMED_GID=named_gid,
|
||||
)
|
||||
|
||||
|
||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
||||
index 939ee2b7d..1c8c5ddfc 100644
|
||||
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
||||
@@ -547,6 +547,18 @@ jobs:
|
||||
timeout: 4800
|
||||
topology: *master_1repl_1client
|
||||
|
||||
+ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutNamed:
|
||||
+ requires: [fedora-latest-ipa-4-9/build]
|
||||
+ priority: 50
|
||||
+ job:
|
||||
+ class: RunPytest
|
||||
+ args:
|
||||
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
|
||||
+ test_suite: test_integration/test_installation.py::TestInstallWithoutNamed
|
||||
+ template: *ci-ipa-4-9-latest
|
||||
+ timeout: 4800
|
||||
+ topology: *master_1repl
|
||||
+
|
||||
fedora-latest-ipa-4-9/test_idviews:
|
||||
requires: [fedora-latest-ipa-4-9/build]
|
||||
priority: 50
|
||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
||||
index 03658a934..6d121d59f 100644
|
||||
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
||||
@@ -547,6 +547,18 @@ jobs:
|
||||
timeout: 4800
|
||||
topology: *master_1repl_1client
|
||||
|
||||
+ fedora-previous-ipa-4-9/test_installation_TestInstallWithoutNamed:
|
||||
+ requires: [fedora-previous-ipa-4-9/build]
|
||||
+ priority: 50
|
||||
+ job:
|
||||
+ class: RunPytest
|
||||
+ args:
|
||||
+ build_url: '{fedora-previous-ipa-4-9/build_url}'
|
||||
+ test_suite: test_integration/test_installation.py::TestInstallWithoutNamed
|
||||
+ template: *ci-ipa-4-9-previous
|
||||
+ timeout: 4800
|
||||
+ topology: *master_1repl
|
||||
+
|
||||
fedora-previous-ipa-4-9/test_idviews:
|
||||
requires: [fedora-previous-ipa-4-9/build]
|
||||
priority: 50
|
||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||
index e76fd0efe..e3c41eaa1 100644
|
||||
--- a/ipatests/test_integration/test_installation.py
|
||||
+++ b/ipatests/test_integration/test_installation.py
|
||||
@@ -1853,3 +1853,30 @@ class TestInstallWithoutSudo(IntegrationTest):
|
||||
result = tasks.install_client(self.master, self.clients[0])
|
||||
assert self.no_sudo_str not in result.stderr_text
|
||||
assert self.sudo_version_str not in result.stdout_text
|
||||
+
|
||||
+
|
||||
+class TestInstallWithoutNamed(IntegrationTest):
|
||||
+ num_replicas = 1
|
||||
+
|
||||
+ @classmethod
|
||||
+ def remove_named(cls, host):
|
||||
+ # remove the bind package and make sure the named user does not exist.
|
||||
+ # https://pagure.io/freeipa/issue/8936
|
||||
+ result = host.run_command(['id', 'named'], raiseonerr=False)
|
||||
+ if result.returncode == 0:
|
||||
+ tasks.uninstall_packages(host, ['bind'])
|
||||
+ host.run_command(['userdel', constants.NAMED_USER])
|
||||
+ assert host.run_command(
|
||||
+ ['id', 'named'], raiseonerr=False
|
||||
+ ).returncode == 1
|
||||
+
|
||||
+ @classmethod
|
||||
+ def install(cls, mh):
|
||||
+ for tgt in (cls.master, cls.replicas[0]):
|
||||
+ cls.remove_named(tgt)
|
||||
+ tasks.install_master(cls.master, setup_dns=False)
|
||||
+
|
||||
+ def test_replica0_install(self):
|
||||
+ tasks.install_replica(
|
||||
+ self.master, self.replicas[0], setup_ca=False, setup_dns=False
|
||||
+ )
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,68 +0,0 @@
|
||||
From e0e1d6f94dd16c8066be8ce3c75ef306890a3e2b Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Wed, 28 Jul 2021 18:47:02 +0200
|
||||
Subject: [PATCH] freeipa.spec.in: remove python3-pexpect from Requires
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
python3-pexpect will be removed in RHEL9.
|
||||
Update BuildRequires/Requires accordingly.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8938
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Antonio Torres <antorres@redhat.com>
|
||||
---
|
||||
freeipa.spec.in | 14 ++++++++++----
|
||||
1 file changed, 10 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||
index c33d2e216..9440f3602 100755
|
||||
--- a/freeipa.spec.in
|
||||
+++ b/freeipa.spec.in
|
||||
@@ -328,11 +328,18 @@ BuildRequires: python3-m2r
|
||||
# Build dependencies for lint and fastcheck
|
||||
#
|
||||
%if %{with lint}
|
||||
-BuildRequires: git
|
||||
-%if 0%{?fedora} < 34
|
||||
+
|
||||
+# python3-pexpect might not be available in RHEL9
|
||||
+%if 0%{?fedora} || 0%{?rhel} < 9
|
||||
+BuildRequires: python3-pexpect
|
||||
+%endif
|
||||
+
|
||||
# jsl is orphaned in Fedora 34+
|
||||
+%if 0%{?fedora} < 34
|
||||
BuildRequires: jsl
|
||||
%endif
|
||||
+
|
||||
+BuildRequires: git
|
||||
BuildRequires: nss-tools
|
||||
BuildRequires: rpmlint
|
||||
BuildRequires: softhsm
|
||||
@@ -357,7 +364,6 @@ BuildRequires: python3-lxml
|
||||
BuildRequires: python3-netaddr >= %{python_netaddr_version}
|
||||
BuildRequires: python3-netifaces
|
||||
BuildRequires: python3-paste
|
||||
-BuildRequires: python3-pexpect
|
||||
BuildRequires: python3-pki >= %{pki_version}
|
||||
BuildRequires: python3-polib
|
||||
BuildRequires: python3-pyasn1
|
||||
@@ -878,11 +884,11 @@ Requires: python3-ipaclient = %{version}-%{release}
|
||||
Requires: python3-ipaserver = %{version}-%{release}
|
||||
Requires: iptables
|
||||
Requires: python3-cryptography >= 1.6
|
||||
-Requires: python3-pexpect
|
||||
%if 0%{?fedora}
|
||||
# These packages do not exist on RHEL and for ipatests use
|
||||
# they are installed on the controller through other means
|
||||
Requires: ldns-utils
|
||||
+Requires: python3-pexpect
|
||||
# update-crypto-policies
|
||||
Requires: crypto-policies-scripts
|
||||
Requires: python3-polib
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,365 +0,0 @@
|
||||
From 42206df69adc9c1eefa3ee576891b2ae3ac269e0 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 15 Jul 2021 15:11:28 -0400
|
||||
Subject: [PATCH] ipa-getkeytab: add option to discover servers using DNS SRV
|
||||
|
||||
The basic flow is:
|
||||
|
||||
- If server is provided by the user then use it
|
||||
- If server the magic value '_srv', check for _ldap._tcp SRV records for
|
||||
the domain in /etc/ipa/default.conf
|
||||
- If no servers are found use the server from default.conf
|
||||
|
||||
https://pagure.io/freeipa/issue/8478
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
client/Makefile.am | 1 +
|
||||
client/ipa-getkeytab.c | 221 +++++++++++++++++++++++++++++++++++++
|
||||
client/man/ipa-getkeytab.1 | 5 +-
|
||||
configure.ac | 10 ++
|
||||
4 files changed, 236 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/client/Makefile.am b/client/Makefile.am
|
||||
index 0031c04a5..72f4cb3dc 100644
|
||||
--- a/client/Makefile.am
|
||||
+++ b/client/Makefile.am
|
||||
@@ -66,6 +66,7 @@ ipa_getkeytab_LDADD = \
|
||||
$(SASL_LIBS) \
|
||||
$(POPT_LIBS) \
|
||||
$(LIBINTL_LIBS) \
|
||||
+ $(RESOLV_LIBS) \
|
||||
$(INI_LIBS) \
|
||||
$(NULL)
|
||||
|
||||
diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c
|
||||
index 04786be9e..d3673eb05 100644
|
||||
--- a/client/ipa-getkeytab.c
|
||||
+++ b/client/ipa-getkeytab.c
|
||||
@@ -34,9 +34,11 @@
|
||||
#include <time.h>
|
||||
#include <krb5.h>
|
||||
#include <ldap.h>
|
||||
+#include <resolv.h>
|
||||
#include <sasl/sasl.h>
|
||||
#include <popt.h>
|
||||
#include <ini_configobj.h>
|
||||
+#include <openssl/rand.h>
|
||||
|
||||
#include "config.h"
|
||||
|
||||
@@ -46,6 +48,174 @@
|
||||
#include "ipa_ldap.h"
|
||||
|
||||
|
||||
+struct srvrec {
|
||||
+ char *host;
|
||||
+ uint16_t port;
|
||||
+ int priority, weight;
|
||||
+ struct srvrec *next;
|
||||
+};
|
||||
+
|
||||
+static int
|
||||
+srvrec_priority_sort(const void *a, const void *b)
|
||||
+{
|
||||
+ const struct srvrec *sa, *sb;
|
||||
+
|
||||
+ sa = a;
|
||||
+ sb = b;
|
||||
+ return sa->priority - sb->priority;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+srvrec_sort_weight(const void *a, const void *b)
|
||||
+{
|
||||
+ const struct srvrec *sa, *sb;
|
||||
+
|
||||
+ sa = a;
|
||||
+ sb = b;
|
||||
+ return sa->weight - sb->weight;
|
||||
+}
|
||||
+
|
||||
+/* Return a uniform random number between 0 and range */
|
||||
+static double
|
||||
+rand_inclusive(double range)
|
||||
+{
|
||||
+ long long r;
|
||||
+
|
||||
+ if (range == 0) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ if (RAND_bytes((unsigned char *) &r, sizeof(r)) == -1) {
|
||||
+ return 0;
|
||||
+ }
|
||||
+ if (r < 0) {
|
||||
+ r = -r;
|
||||
+ }
|
||||
+ return ((double)r / (double)LLONG_MAX) * range;
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+sort_prio_weight(struct srvrec *res, int len)
|
||||
+{
|
||||
+ int i, j;
|
||||
+ double tweight;
|
||||
+ struct srvrec tmp;
|
||||
+ double r;
|
||||
+
|
||||
+ qsort(res, len, sizeof(res[0]), srvrec_sort_weight);
|
||||
+ for (i = 0; i < len - 1; i++) {
|
||||
+ tweight = 0;
|
||||
+ for (j = i; j < len; j++) {
|
||||
+ /* Give records with 0 weight a small chance */
|
||||
+ tweight += res[j].weight ? res[j].weight : 0.01;
|
||||
+ }
|
||||
+ r = rand_inclusive(tweight);
|
||||
+ tweight = 0;
|
||||
+ for (j = i; j < len; j++) {
|
||||
+ tweight += res[j].weight ? res[j].weight : 0.01;
|
||||
+ if (tweight >= r) {
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+ if (j >= len) {
|
||||
+ continue;
|
||||
+ }
|
||||
+ memcpy(&tmp, &res[i], sizeof(tmp));
|
||||
+ memcpy(&res[i], &res[j], sizeof(tmp));
|
||||
+ memcpy(&res[j], &tmp, sizeof(tmp));
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+/* The caller is responsible for freeing the results */
|
||||
+static int
|
||||
+query_srv(const char *name, const char *domain, struct srvrec **results)
|
||||
+{
|
||||
+ int i, j, len;
|
||||
+ unsigned char *answer = NULL;
|
||||
+ size_t answer_len = NS_MAXMSG;
|
||||
+ struct srvrec *res = NULL;
|
||||
+ ns_msg msg;
|
||||
+ ns_rr rr;
|
||||
+ int rv = -1;
|
||||
+
|
||||
+ *results = NULL;
|
||||
+ if ((name == NULL) || (strlen(name) == 0) ||
|
||||
+ (domain == NULL) || (strlen(domain) == 0)) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ res_init();
|
||||
+ answer = malloc(answer_len + 1);
|
||||
+ if (answer == NULL) {
|
||||
+ return -1;
|
||||
+ }
|
||||
+ memset(answer, 0, answer_len + 1);
|
||||
+ i = res_querydomain(name, domain, C_IN, T_SRV, answer, answer_len);
|
||||
+ if (i == -1) {
|
||||
+ goto error;
|
||||
+ }
|
||||
+ answer_len = i;
|
||||
+ memset(&msg, 0, sizeof(msg));
|
||||
+ if (ns_initparse(answer, answer_len, &msg) != 0) {
|
||||
+ goto error;
|
||||
+ }
|
||||
+ memset(&rr, 0, sizeof(rr));
|
||||
+ for (i = 0; ns_parserr(&msg, ns_s_an, i, &rr) == 0; i++) {
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (i == 0) {
|
||||
+ goto error;
|
||||
+ }
|
||||
+ len = i;
|
||||
+ res = malloc(sizeof(*res) * i);
|
||||
+ if (res == NULL) {
|
||||
+ goto error;
|
||||
+ }
|
||||
+ memset(res, 0, sizeof(*res) * i);
|
||||
+ for (i = 0, j = 0; i < len; i++) {
|
||||
+ if (ns_parserr(&msg, ns_s_an, i, &rr) != 0) {
|
||||
+ continue;
|
||||
+ }
|
||||
+ if (rr.rdlength < 6) {
|
||||
+ continue;
|
||||
+ }
|
||||
+ res[j].host = malloc(rr.rdlength - 6 + 1);
|
||||
+ if (res[j].host == NULL) {
|
||||
+ goto error;
|
||||
+ }
|
||||
+ res[j].priority = ntohs(*(uint16_t *)rr.rdata);
|
||||
+ res[j].weight = ntohs(*(uint16_t *)(rr.rdata + 2));
|
||||
+ res[j].port = ntohs(*(uint16_t *)(rr.rdata + 4));
|
||||
+ memcpy(res[j].host, rr.rdata + 6, rr.rdlength - 6);
|
||||
+ if (ns_name_ntop(rr.rdata + 6, res[j].host, rr.rdlength - 6) == -1) {
|
||||
+ continue;
|
||||
+ }
|
||||
+ res[j].host[rr.rdlength - 6] = '\0';
|
||||
+ j++;
|
||||
+ }
|
||||
+ len = j;
|
||||
+ qsort(res, len, sizeof(res[0]), srvrec_priority_sort);
|
||||
+ i = 0;
|
||||
+ while (i < len) {
|
||||
+ j = i + 1;
|
||||
+ while (j < len && (res[j].priority == res[i].priority)) {
|
||||
+ j++;
|
||||
+ }
|
||||
+ sort_prio_weight(res + i, j - i);
|
||||
+ i = j;
|
||||
+ }
|
||||
+ /* Fixup the linked-list pointers */
|
||||
+ for (i = 0; i < len - 1; i++) {
|
||||
+ res[i].next = &res[i + 1];
|
||||
+ }
|
||||
+ *results = res;
|
||||
+ rv = 0;
|
||||
+
|
||||
+error:
|
||||
+ free(answer);
|
||||
+ return rv;
|
||||
+}
|
||||
+
|
||||
static int check_sasl_mech(const char *mech)
|
||||
{
|
||||
int i;
|
||||
@@ -619,6 +789,7 @@ static char *ask_password(krb5_context krbctx, char *prompt1, char *prompt2,
|
||||
|
||||
struct ipa_config {
|
||||
const char *server_name;
|
||||
+ const char *domain;
|
||||
};
|
||||
|
||||
static int config_from_file(struct ini_cfgobj *cfgctx)
|
||||
@@ -688,6 +859,11 @@ int read_ipa_config(struct ipa_config **ipacfg)
|
||||
if (ret == 0 && obj != NULL) {
|
||||
(*ipacfg)->server_name = ini_get_string_config_value(obj, &ret);
|
||||
}
|
||||
+ ret = ini_get_config_valueobj("global", "domain", cfgctx,
|
||||
+ INI_GET_LAST_VALUE, &obj);
|
||||
+ if (ret == 0 && obj != NULL) {
|
||||
+ (*ipacfg)->domain = ini_get_string_config_value(obj, &ret);
|
||||
+ }
|
||||
|
||||
return 0;
|
||||
}
|
||||
@@ -754,6 +930,7 @@ int main(int argc, const char *argv[])
|
||||
static const char *sasl_mech = NULL;
|
||||
static const char *ca_cert_file = NULL;
|
||||
int quiet = 0;
|
||||
+ int verbose = 0;
|
||||
int askpass = 0;
|
||||
int askbindpw = 0;
|
||||
int permitted_enctypes = 0;
|
||||
@@ -761,6 +938,8 @@ int main(int argc, const char *argv[])
|
||||
struct poptOption options[] = {
|
||||
{ "quiet", 'q', POPT_ARG_NONE, &quiet, 0,
|
||||
_("Print as little as possible"), _("Output only on errors")},
|
||||
+ { "verbose", 'v', POPT_ARG_NONE, &verbose, 0,
|
||||
+ _("Print debugging information"), _("Output debug info")},
|
||||
{ "server", 's', POPT_ARG_STRING, &server, 0,
|
||||
_("Contact this specific KDC Server"),
|
||||
_("Server Name") },
|
||||
@@ -906,6 +1085,41 @@ int main(int argc, const char *argv[])
|
||||
exit(2);
|
||||
}
|
||||
|
||||
+ if (server && (strcasecmp(server, "_srv_") == 0)) {
|
||||
+ struct srvrec *srvrecs, *srv;
|
||||
+ struct ipa_config *ipacfg = NULL;
|
||||
+
|
||||
+ ret = read_ipa_config(&ipacfg);
|
||||
+ if (ret == 0 && ipacfg->domain && verbose) {
|
||||
+ fprintf(stderr, _("DNS discovery for domain %s\n"), ipacfg->domain);
|
||||
+ }
|
||||
+ if (query_srv("_ldap._tcp", ipacfg->domain, &srvrecs) == 0) {
|
||||
+ for (srv = srvrecs; (srv != NULL); srv = srv->next) {
|
||||
+ if (verbose) {
|
||||
+ fprintf(stderr, _("Discovered server %s\n"), srv->host);
|
||||
+ }
|
||||
+ }
|
||||
+ for (srv = srvrecs; (srv != NULL); srv = srv->next) {
|
||||
+ server = strdup(srv->host);
|
||||
+ if (verbose) {
|
||||
+ fprintf(stderr, _("Using discovered server %s\n"), server);
|
||||
+ }
|
||||
+ break;
|
||||
+ }
|
||||
+ for (srv = srvrecs; (srv != NULL); srv = srv->next) {
|
||||
+ free(srv->host);
|
||||
+ }
|
||||
+ } else {
|
||||
+ if (verbose) {
|
||||
+ fprintf(stderr, _("DNS Discovery failed\n"));
|
||||
+ }
|
||||
+ }
|
||||
+ if (strcasecmp(server, "_srv_") == 0) {
|
||||
+ /* Discovery failed, fall through to option methods */
|
||||
+ server = NULL;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
if (!server && !ldap_uri) {
|
||||
struct ipa_config *ipacfg = NULL;
|
||||
|
||||
@@ -915,10 +1129,17 @@ int main(int argc, const char *argv[])
|
||||
ipacfg->server_name = NULL;
|
||||
}
|
||||
free(ipacfg);
|
||||
+ if (verbose && server) {
|
||||
+ fprintf(stderr, _("Using server from config %s\n"), server);
|
||||
+ }
|
||||
if (!server) {
|
||||
fprintf(stderr, _("Server name not provided and unavailable\n"));
|
||||
exit(2);
|
||||
}
|
||||
+ } else {
|
||||
+ if (verbose) {
|
||||
+ fprintf(stderr, _("Using provided server %s\n"), server);
|
||||
+ }
|
||||
}
|
||||
if (server) {
|
||||
ret = ipa_server_to_uri(server, sasl_mech, &ldap_uri);
|
||||
diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1
|
||||
index b57c5489c..07d2d73b3 100644
|
||||
--- a/client/man/ipa-getkeytab.1
|
||||
+++ b/client/man/ipa-getkeytab.1
|
||||
@@ -78,7 +78,10 @@ arcfour\-hmac
|
||||
\fB\-s ipaserver\fR
|
||||
The IPA server to retrieve the keytab from (FQDN). If this option is not
|
||||
provided the server name is read from the IPA configuration file
|
||||
-(/etc/ipa/default.conf). Cannot be used together with \fB\-H\fR.
|
||||
+(/etc/ipa/default.conf). Cannot be used together with \fB\-H\fR. If the
|
||||
+value is _srv_ then DNS discovery will be used to determine a server.
|
||||
+If this discovery fails then it will fall back to using the configuration
|
||||
+file.
|
||||
.TP
|
||||
\fB\-q\fR
|
||||
Quiet mode. Only errors are displayed.
|
||||
diff --git a/configure.ac b/configure.ac
|
||||
index dc79d5dce..9d7a33825 100644
|
||||
--- a/configure.ac
|
||||
+++ b/configure.ac
|
||||
@@ -108,6 +108,16 @@ LDAP_CFLAGS=""
|
||||
AC_SUBST(LDAP_LIBS)
|
||||
AC_SUBST(LDAP_CFLAGS)
|
||||
|
||||
+dnl ---------------------------------------------------------------------------
|
||||
+dnl - Check for resolv library
|
||||
+dnl ---------------------------------------------------------------------------
|
||||
+
|
||||
+SAVE_CPPFLAGS=$CPPFLAGS
|
||||
+CPPFLAGS="$NSPR_CFLAGS $NSS_CFLAGS"
|
||||
+AC_CHECK_LIB(resolv,main,RESOLV_LIBS=-lresolv)
|
||||
+AC_CHECK_HEADERS(resolv.h)
|
||||
+AC_SUBST(RESOLV_LIBS)
|
||||
+
|
||||
dnl ---------------------------------------------------------------------------
|
||||
dnl - Check for OpenSSL Crypto library
|
||||
dnl ---------------------------------------------------------------------------
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,55 +0,0 @@
|
||||
From 0114d24ea160676b784ef7010c19bbacc67ceea0 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 15 Jul 2021 17:52:54 -0400
|
||||
Subject: [PATCH] ipa-getkeytab: fix compiler warnings
|
||||
|
||||
Make read_ipa_config and filter_keys static to avoid
|
||||
"no previous prototype" warnings.
|
||||
|
||||
Use correct datatype of return value for ber_scanf to
|
||||
correct different signedness comparision.
|
||||
|
||||
Fixed while working on https://pagure.io/freeipa/issue/8478
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
client/ipa-getkeytab.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c
|
||||
index d3673eb05..309b3c704 100644
|
||||
--- a/client/ipa-getkeytab.c
|
||||
+++ b/client/ipa-getkeytab.c
|
||||
@@ -291,7 +291,7 @@ static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *s
|
||||
return ret;
|
||||
}
|
||||
|
||||
-int filter_keys(krb5_context krbctx, struct keys_container *keys,
|
||||
+static int filter_keys(krb5_context krbctx, struct keys_container *keys,
|
||||
ber_int_t *enctypes)
|
||||
{
|
||||
struct krb_key_salt *ksdata;
|
||||
@@ -507,7 +507,7 @@ static int ldap_set_keytab(krb5_context krbctx,
|
||||
BerElement *sctrl = NULL;
|
||||
struct berval *control = NULL;
|
||||
LDAPControl **srvctrl = NULL;
|
||||
- int ret;
|
||||
+ ber_tag_t ret;
|
||||
int kvno, i;
|
||||
ber_tag_t rtag;
|
||||
ber_int_t *encs = NULL;
|
||||
@@ -826,7 +826,7 @@ static int config_from_file(struct ini_cfgobj *cfgctx)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-int read_ipa_config(struct ipa_config **ipacfg)
|
||||
+static int read_ipa_config(struct ipa_config **ipacfg)
|
||||
{
|
||||
struct ini_cfgobj *cfgctx = NULL;
|
||||
struct value_obj *obj = NULL;
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,92 +0,0 @@
|
||||
From 7a13200fd8b92dd90ebc4b6416ef25659df8aa71 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Fri, 16 Jul 2021 12:59:47 -0400
|
||||
Subject: [PATCH] ipatests: test ipa-getkeytab server option
|
||||
|
||||
Test various usages of the -s/--server option:
|
||||
* -s is defined, use it as the server
|
||||
* no -s, use the host value from /etc/ipa/default.conf
|
||||
* -s is '_srv_', do DNS discovery
|
||||
|
||||
https://pagure.io/freeipa/issue/8478
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_commands.py | 58 ++++++++++++++++++++++
|
||||
1 file changed, 58 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
|
||||
index d64519eb7..2035ced56 100644
|
||||
--- a/ipatests/test_integration/test_commands.py
|
||||
+++ b/ipatests/test_integration/test_commands.py
|
||||
@@ -1467,6 +1467,64 @@ class TestIPACommand(IntegrationTest):
|
||||
assert 'This account is currently not available' in \
|
||||
result.stdout_text
|
||||
|
||||
+ def test_ipa_getkeytab_server(self):
|
||||
+ """
|
||||
+ Exercise the ipa-getkeytab server options
|
||||
+
|
||||
+ This relies on the behavior that without a TGT
|
||||
+ ipa-getkeytab will quit and not do much of anything.
|
||||
+
|
||||
+ A bogus keytab and principal are passed in to satisfy the
|
||||
+ minimum requirements.
|
||||
+ """
|
||||
+ tasks.kdestroy_all(self.master)
|
||||
+
|
||||
+ # Pass in a server name to use
|
||||
+ result = self.master.run_command(
|
||||
+ [
|
||||
+ paths.IPA_GETKEYTAB,
|
||||
+ "-k",
|
||||
+ "/tmp/keytab",
|
||||
+ "-p",
|
||||
+ "foo",
|
||||
+ "-s",
|
||||
+ self.master.hostname,
|
||||
+ "-v",
|
||||
+ ], raiseonerr=False).stderr_text
|
||||
+
|
||||
+ assert 'Using provided server %s' % self.master.hostname in result
|
||||
+
|
||||
+ # Don't pass in a name, should use /etc/ipa/default.conf
|
||||
+ result = self.master.run_command(
|
||||
+ [
|
||||
+ paths.IPA_GETKEYTAB,
|
||||
+ "-k",
|
||||
+ "/tmp/keytab",
|
||||
+ "-p",
|
||||
+ "foo",
|
||||
+ "-v",
|
||||
+ ], raiseonerr=False).stderr_text
|
||||
+
|
||||
+ assert (
|
||||
+ 'Using server from config %s' % self.master.hostname
|
||||
+ in result
|
||||
+ )
|
||||
+
|
||||
+ # Use DNS SRV lookup
|
||||
+ result = self.master.run_command(
|
||||
+ [
|
||||
+ paths.IPA_GETKEYTAB,
|
||||
+ "-k",
|
||||
+ "/tmp/keytab",
|
||||
+ "-p",
|
||||
+ "foo",
|
||||
+ "-s",
|
||||
+ "_srv_",
|
||||
+ "-v",
|
||||
+ ], raiseonerr=False).stderr_text
|
||||
+
|
||||
+ assert 'Discovered server %s' % self.master.hostname in result
|
||||
+
|
||||
|
||||
class TestIPACommandWithoutReplica(IntegrationTest):
|
||||
"""
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,91 +0,0 @@
|
||||
From 25a4acf3ad5964eacddbcb83ddf9f84432968918 Mon Sep 17 00:00:00 2001
|
||||
From: Anuja More <amore@redhat.com>
|
||||
Date: Thu, 22 Jul 2021 14:55:50 +0530
|
||||
Subject: [PATCH] ipatests: Test for OTP when the LDAP connection timed out.
|
||||
|
||||
Test to verify that when the idle timeout is exceeded (30s idle,
|
||||
60s sleep) then the ipa-otpd process should exit without error.
|
||||
|
||||
Related : https://pagure.io/freeipa/issue/6587
|
||||
|
||||
Signed-off-by: Anuja More <amore@redhat.com>
|
||||
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_otp.py | 56 +++++++++++++++++++++++++++
|
||||
1 file changed, 56 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
|
||||
index b2e65af1b..fd55898ca 100644
|
||||
--- a/ipatests/test_integration/test_otp.py
|
||||
+++ b/ipatests/test_integration/test_otp.py
|
||||
@@ -20,6 +20,7 @@ from cryptography.hazmat.primitives.twofactor.totp import TOTP
|
||||
from ipatests.test_integration.base import IntegrationTest
|
||||
from ipaplatform.paths import paths
|
||||
from ipatests.pytest_ipa.integration import tasks
|
||||
+from ipapython.dn import DN
|
||||
|
||||
|
||||
PASSWORD = "DummyPassword123"
|
||||
@@ -309,3 +310,58 @@ class TestOTPToken(IntegrationTest):
|
||||
master.run_command(['ipa', 'user-del', USER2])
|
||||
self.master.run_command(['semanage', 'login', '-D'])
|
||||
sssd_conf_backup.restore()
|
||||
+
|
||||
+ @pytest.fixture
|
||||
+ def setup_otp_nsslapd(self):
|
||||
+ # setting nsslapd-idletimeout
|
||||
+ new_limit = 30
|
||||
+ conn = self.master.ldap_connect()
|
||||
+ dn = DN(('cn', 'config'))
|
||||
+ entry = conn.get_entry(dn) # pylint: disable=no-member
|
||||
+ orig_limit = entry.single_value.get('nsslapd-idletimeout')
|
||||
+ ldap_query = textwrap.dedent("""
|
||||
+ dn: cn=config
|
||||
+ changetype: modify
|
||||
+ replace: nsslapd-idletimeout
|
||||
+ nsslapd-idletimeout: {limit}
|
||||
+ """)
|
||||
+ tasks.ldapmodify_dm(self.master, ldap_query.format(limit=new_limit))
|
||||
+ # Be sure no services are running and failed units
|
||||
+ self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
|
||||
+ check_services = self.master.run_command(
|
||||
+ ['systemctl', 'list-units', '--state=failed']
|
||||
+ )
|
||||
+ assert "0 loaded units listed" in check_services.stdout_text
|
||||
+ assert "ipa-otpd" not in check_services.stdout_text
|
||||
+ yield
|
||||
+ # cleanup
|
||||
+ tasks.ldapmodify_dm(self.master, ldap_query.format(limit=orig_limit))
|
||||
+
|
||||
+ def test_check_otpd_after_idle_timeout(self, setup_otp_nsslapd):
|
||||
+ """Test for OTP when the LDAP connection timed out.
|
||||
+
|
||||
+ Test for : https://pagure.io/freeipa/issue/6587
|
||||
+
|
||||
+ ipa-otpd was exiting with failure when LDAP connection timed out.
|
||||
+ Test to verify that when the nsslapd-idletimeout is exceeded (30s idle,
|
||||
+ 60s sleep) then the ipa-otpd process should exit without error.
|
||||
+ """
|
||||
+ since = time.strftime('%H:%M:%S')
|
||||
+ tasks.kinit_admin(self.master)
|
||||
+ otpuid, totp = add_otptoken(self.master, USER, otptype="totp")
|
||||
+ try:
|
||||
+ # kinit with OTP auth
|
||||
+ otpvalue = totp.generate(int(time.time())).decode("ascii")
|
||||
+ kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue)
|
||||
+ time.sleep(60)
|
||||
+ failed_services = self.master.run_command(
|
||||
+ ['systemctl', 'list-units', '--state=failed']
|
||||
+ )
|
||||
+ assert "ipa-otpd" not in failed_services.stdout_text
|
||||
+ cmd_jornalctl = self.master.run_command(
|
||||
+ ['journalctl', '--since={}'.format(since)]
|
||||
+ )
|
||||
+ regex = r".*ipa-otpd@.*\sSucceeded"
|
||||
+ assert re.search(regex, cmd_jornalctl.stdout_text)
|
||||
+ finally:
|
||||
+ del_otptoken(self.master, otpuid)
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,51 +0,0 @@
|
||||
From 826b5825bd644fc69a9bee17626d71fe03cc0190 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mon, 26 Jul 2021 16:14:19 -0400
|
||||
Subject: [PATCH] ipatests: verify that getcert output includes the issued date
|
||||
|
||||
certmonger 0.79.14 included a new feature that provides the
|
||||
NotBefore (or issued) date to the certificate list output.
|
||||
|
||||
Verify that it is present in the output.
|
||||
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=1940261
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_cert.py | 11 +++++++++++
|
||||
1 file changed, 11 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
|
||||
index b6bb2f08a..9a90db5e2 100644
|
||||
--- a/ipatests/test_integration/test_cert.py
|
||||
+++ b/ipatests/test_integration/test_cert.py
|
||||
@@ -19,6 +19,7 @@ from ipaplatform.paths import paths
|
||||
from cryptography import x509
|
||||
from cryptography.x509.oid import ExtensionOID
|
||||
from cryptography.hazmat.backends import default_backend
|
||||
+from pkg_resources import parse_version
|
||||
|
||||
from ipatests.pytest_ipa.integration import tasks
|
||||
from ipatests.test_integration.base import IntegrationTest
|
||||
@@ -257,6 +258,16 @@ class TestInstallMasterClient(IntegrationTest):
|
||||
raise AssertionError("certmonger request is "
|
||||
"in state {}". format(status))
|
||||
|
||||
+ def test_getcert_notafter_output(self):
|
||||
+ """Test that currrent certmonger includes NotBefore in output"""
|
||||
+ result = self.master.run_command(["certmonger", "-v"]).stdout_text
|
||||
+ if parse_version(result.split()[1]) < parse_version('0.79.14'):
|
||||
+ raise pytest.skip("not_before not provided in this version")
|
||||
+ result = self.master.run_command(
|
||||
+ ["getcert", "list", "-f", paths.HTTPD_CERT_FILE]
|
||||
+ ).stdout_text
|
||||
+ assert 'issued:' in result
|
||||
+
|
||||
|
||||
class TestCertmongerRekey(IntegrationTest):
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,43 +0,0 @@
|
||||
From 96dd8ac1cd2e7fb8177d83e7ba5c6d79f4216ea3 Mon Sep 17 00:00:00 2001
|
||||
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Date: Mon, 2 Aug 2021 19:26:28 +0530
|
||||
Subject: [PATCH] ipatests: Look for warning into stderr instead of stdout
|
||||
|
||||
In https://github.com/freeipa/freeipa/pull/5855 was looking
|
||||
into stdout_text for warning instead of stderr_text, hence
|
||||
was failing for pki version > 10.11.0.
|
||||
|
||||
related: https://pagure.io/freeipa/issue/8890
|
||||
|
||||
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_ipa_cert_fix.py | 6 ++----
|
||||
1 file changed, 2 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
index 394e85603..f3cf59afc 100644
|
||||
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
@@ -241,16 +241,14 @@ class TestIpaCertFix(IntegrationTest):
|
||||
# check that pki-server cert-fix command fails
|
||||
err_msg2 = ("ERROR: CalledProcessError(Command "
|
||||
"['pki-server', 'cert-fix'")
|
||||
- warn_msg = ("WARNING: No selftests configured in "
|
||||
- f"{paths.CA_CS_CFG_PATH} "
|
||||
- "(selftests.container.order.startup)")
|
||||
+ warn_msg = "WARNING: No selftests configured in"
|
||||
|
||||
if (tasks.get_pki_version(self.master)
|
||||
< tasks.parse_version('10.11.0')):
|
||||
assert (err_msg1 in result.stderr_text
|
||||
and err_msg2 in result.stderr_text)
|
||||
else:
|
||||
- assert warn_msg in result.stdout_text
|
||||
+ assert warn_msg in result.stderr_text
|
||||
|
||||
def test_expired_CA_cert(self, expire_ca_cert):
|
||||
"""Test to check ipa-cert-fix when CA certificate is expired
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,56 +0,0 @@
|
||||
From 9ae23e1257478bfee04b08b54f36dda7f5850348 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Thu, 5 Aug 2021 11:37:35 +0200
|
||||
Subject: [PATCH] ipatests: use krb5_trace in TestIpaAdTrustInstall
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
tasks.create_active_user can fail in a subtle way when there
|
||||
are two IPA servers due to replication delays.
|
||||
Using the debug-enabled version of create_active_user helps
|
||||
determine whether there is another underlying issue and, in
|
||||
general, prevents the above problem.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8944
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Anuja More <amore@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_adtrust_install.py | 14 ++++++++++----
|
||||
1 file changed, 10 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_adtrust_install.py b/ipatests/test_integration/test_adtrust_install.py
|
||||
index bbbb385a5..f23221186 100644
|
||||
--- a/ipatests/test_integration/test_adtrust_install.py
|
||||
+++ b/ipatests/test_integration/test_adtrust_install.py
|
||||
@@ -257,8 +257,11 @@ class TestIpaAdTrustInstall(IntegrationTest):
|
||||
user_princ = '@'.join([user, self.master.domain.realm])
|
||||
passwd = 'Secret123'
|
||||
# Create a user with a password
|
||||
- tasks.create_active_user(self.master, user, passwd, extra_args=[
|
||||
- '--homedir', '/home/{}'.format(user)])
|
||||
+ tasks.create_active_user(
|
||||
+ self.master, user, passwd,
|
||||
+ extra_args=["--homedir", "/home/{}".format(user)],
|
||||
+ krb5_trace=True
|
||||
+ )
|
||||
try:
|
||||
# Defaults: host/... principal for service
|
||||
# keytab in /etc/krb5.keytab
|
||||
@@ -282,8 +285,11 @@ class TestIpaAdTrustInstall(IntegrationTest):
|
||||
user_princ = '@'.join([user, self.master.domain.realm])
|
||||
passwd = 'Secret123'
|
||||
# Create a user with a password
|
||||
- tasks.create_active_user(self.master, user, passwd, extra_args=[
|
||||
- '--homedir', '/home/{}'.format(user)])
|
||||
+ tasks.create_active_user(
|
||||
+ self.master, user, passwd,
|
||||
+ extra_args=["--homedir", "/home/{}".format(user)],
|
||||
+ krb5_trace=True
|
||||
+ )
|
||||
try:
|
||||
# Defaults: host/... principal for service
|
||||
# keytab in /etc/krb5.keytab
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,45 +0,0 @@
|
||||
From a3d71eb72a6125a80a9d7b698f34dcb95dc25184 Mon Sep 17 00:00:00 2001
|
||||
From: Anuja More <amore@redhat.com>
|
||||
Date: Thu, 5 Aug 2021 20:03:21 +0530
|
||||
Subject: [PATCH] ipatests: Test ldapsearch with base scope works with compat
|
||||
tree.
|
||||
|
||||
Added test to verify that ldapsearch for compat tree
|
||||
with scope base and sub is not failing.
|
||||
|
||||
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
|
||||
|
||||
Signed-off-by: Anuja More <amore@redhat.com>
|
||||
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_commands.py | 13 +++++++++++++
|
||||
1 file changed, 13 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
|
||||
index 2035ced56..e3a0d867e 100644
|
||||
--- a/ipatests/test_integration/test_commands.py
|
||||
+++ b/ipatests/test_integration/test_commands.py
|
||||
@@ -1558,6 +1558,19 @@ class TestIPACommandWithoutReplica(IntegrationTest):
|
||||
# Run the command again after cache is removed
|
||||
self.master.run_command(['ipa', 'user-show', 'ipauser1'])
|
||||
|
||||
+ def test_basesearch_compat_tree(self):
|
||||
+ """Test ldapsearch against compat tree is working
|
||||
+
|
||||
+ This to ensure that ldapsearch with base scope is not failing.
|
||||
+
|
||||
+ related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
|
||||
+ """
|
||||
+ tasks.kinit_admin(self.master)
|
||||
+ base_dn = str(self.master.domain.basedn)
|
||||
+ base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
|
||||
+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='sub')
|
||||
+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='base')
|
||||
+
|
||||
|
||||
class TestIPAautomount(IntegrationTest):
|
||||
@classmethod
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,44 +0,0 @@
|
||||
From d4062e407d242a72b9d4e32f4fdd6aed086ce005 Mon Sep 17 00:00:00 2001
|
||||
From: Anuja More <amore@redhat.com>
|
||||
Date: Thu, 5 Aug 2021 20:23:15 +0530
|
||||
Subject: [PATCH] ipatests: skip test_basesearch_compat_tree on fedora.
|
||||
|
||||
slapi-nis with fix is not part of fedora yet.
|
||||
test requires with fix:
|
||||
https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177?
|
||||
|
||||
Signed-off-by: Anuja More <amore@redhat.com>
|
||||
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_commands.py | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
|
||||
index e3a0d867e..4d9a81652 100644
|
||||
--- a/ipatests/test_integration/test_commands.py
|
||||
+++ b/ipatests/test_integration/test_commands.py
|
||||
@@ -38,6 +38,7 @@ from ipatests.create_external_ca import ExternalCA
|
||||
from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
|
||||
from ipapython.ipautil import realm_to_suffix, ipa_generate_password
|
||||
from ipaserver.install.installutils import realm_to_serverid
|
||||
+from pkg_resources import parse_version
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
@@ -1565,6 +1566,12 @@ class TestIPACommandWithoutReplica(IntegrationTest):
|
||||
|
||||
related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
|
||||
"""
|
||||
+ version = self.master.run_command(
|
||||
+ ["rpm", "-qa", "--qf", "%{VERSION}", "slapi-nis"]
|
||||
+ )
|
||||
+ if tasks.get_platform(self.master) == "fedora" and parse_version(
|
||||
+ version.stdout_text) <= parse_version("0.56.7"):
|
||||
+ pytest.skip("Test requires slapi-nis with fix on fedora")
|
||||
tasks.kinit_admin(self.master)
|
||||
base_dn = str(self.master.domain.basedn)
|
||||
base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,89 +0,0 @@
|
||||
From eac03d6828d0bac1925c897090fc77e250eaee04 Mon Sep 17 00:00:00 2001
|
||||
From: Anuja More <amore@redhat.com>
|
||||
Date: Thu, 5 Aug 2021 12:27:38 +0530
|
||||
Subject: [PATCH] ipatests: Refactor test_check_otpd_after_idle_timeout
|
||||
|
||||
Use whole date when calling journalctl --since
|
||||
ipa-otpd don't flush its logs to syslog immediately,
|
||||
so check with run_repeatedly.
|
||||
Also list failed units when ldap connection is
|
||||
timed out.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/6587
|
||||
|
||||
Signed-off-by: Anuja More <amore@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_otp.py | 31 ++++++++++++++++-----------
|
||||
1 file changed, 18 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
|
||||
index fd55898ca..353470897 100644
|
||||
--- a/ipatests/test_integration/test_otp.py
|
||||
+++ b/ipatests/test_integration/test_otp.py
|
||||
@@ -313,6 +313,13 @@ class TestOTPToken(IntegrationTest):
|
||||
|
||||
@pytest.fixture
|
||||
def setup_otp_nsslapd(self):
|
||||
+ check_services = self.master.run_command(
|
||||
+ ['systemctl', 'list-units', '--state=failed']
|
||||
+ )
|
||||
+ assert "0 loaded units listed" in check_services.stdout_text
|
||||
+ assert "ipa-otpd" not in check_services.stdout_text
|
||||
+ # Be sure no services are running and failed units
|
||||
+ self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
|
||||
# setting nsslapd-idletimeout
|
||||
new_limit = 30
|
||||
conn = self.master.ldap_connect()
|
||||
@@ -326,13 +333,6 @@ class TestOTPToken(IntegrationTest):
|
||||
nsslapd-idletimeout: {limit}
|
||||
""")
|
||||
tasks.ldapmodify_dm(self.master, ldap_query.format(limit=new_limit))
|
||||
- # Be sure no services are running and failed units
|
||||
- self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
|
||||
- check_services = self.master.run_command(
|
||||
- ['systemctl', 'list-units', '--state=failed']
|
||||
- )
|
||||
- assert "0 loaded units listed" in check_services.stdout_text
|
||||
- assert "ipa-otpd" not in check_services.stdout_text
|
||||
yield
|
||||
# cleanup
|
||||
tasks.ldapmodify_dm(self.master, ldap_query.format(limit=orig_limit))
|
||||
@@ -346,7 +346,7 @@ class TestOTPToken(IntegrationTest):
|
||||
Test to verify that when the nsslapd-idletimeout is exceeded (30s idle,
|
||||
60s sleep) then the ipa-otpd process should exit without error.
|
||||
"""
|
||||
- since = time.strftime('%H:%M:%S')
|
||||
+ since = time.strftime('%Y-%m-%d %H:%M:%S')
|
||||
tasks.kinit_admin(self.master)
|
||||
otpuid, totp = add_otptoken(self.master, USER, otptype="totp")
|
||||
try:
|
||||
@@ -354,14 +354,19 @@ class TestOTPToken(IntegrationTest):
|
||||
otpvalue = totp.generate(int(time.time())).decode("ascii")
|
||||
kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue)
|
||||
time.sleep(60)
|
||||
+
|
||||
+ def test_cb(cmd_jornalctl):
|
||||
+ # check if LDAP connection is timed out
|
||||
+ expected_msg = "Can't contact LDAP server"
|
||||
+ return expected_msg in cmd_jornalctl
|
||||
+
|
||||
+ # ipa-otpd don't flush its logs to syslog immediately
|
||||
+ cmd = ['journalctl', '--since={}'.format(since)]
|
||||
+ tasks.run_repeatedly(
|
||||
+ self.master, command=cmd, test=test_cb, timeout=90)
|
||||
failed_services = self.master.run_command(
|
||||
['systemctl', 'list-units', '--state=failed']
|
||||
)
|
||||
assert "ipa-otpd" not in failed_services.stdout_text
|
||||
- cmd_jornalctl = self.master.run_command(
|
||||
- ['journalctl', '--since={}'.format(since)]
|
||||
- )
|
||||
- regex = r".*ipa-otpd@.*\sSucceeded"
|
||||
- assert re.search(regex, cmd_jornalctl.stdout_text)
|
||||
finally:
|
||||
del_otptoken(self.master, otpuid)
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,162 +0,0 @@
|
||||
From 4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74 Mon Sep 17 00:00:00 2001
|
||||
From: Anuja More <amore@redhat.com>
|
||||
Date: Mon, 9 Aug 2021 20:57:22 +0530
|
||||
Subject: [PATCH] ipatests: Test unsecure nsupdate.
|
||||
|
||||
The test configures an external bind server on the ipa-server
|
||||
(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
|
||||
|
||||
When the IPA client is registered using ipa-client-install,
|
||||
DNS records are added for the client in the bind server using nsupdate.
|
||||
The first try is using GSS-TIG but fails as expected, and the client
|
||||
installer then tries with unauthenticated nsupdate.
|
||||
|
||||
Related : https://pagure.io/freeipa/issue/8402
|
||||
|
||||
Signed-off-by: Anuja More <amore@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
---
|
||||
.../test_installation_client.py | 118 ++++++++++++++++++
|
||||
1 file changed, 118 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py
|
||||
index fa59a5255..014b0f6ab 100644
|
||||
--- a/ipatests/test_integration/test_installation_client.py
|
||||
+++ b/ipatests/test_integration/test_installation_client.py
|
||||
@@ -8,10 +8,15 @@ Module provides tests for various options of ipa-client-install.
|
||||
|
||||
from __future__ import absolute_import
|
||||
|
||||
+import pytest
|
||||
+import re
|
||||
import shlex
|
||||
+import textwrap
|
||||
|
||||
+from ipaplatform.paths import paths
|
||||
from ipatests.test_integration.base import IntegrationTest
|
||||
from ipatests.pytest_ipa.integration import tasks
|
||||
+from ipatests.pytest_ipa.integration.firewall import Firewall
|
||||
|
||||
|
||||
class TestInstallClient(IntegrationTest):
|
||||
@@ -70,3 +75,116 @@ class TestInstallClient(IntegrationTest):
|
||||
extra_args=['--ssh-trust-dns'])
|
||||
result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config'])
|
||||
assert 'HostKeyAlgorithms' not in result.stdout_text
|
||||
+
|
||||
+
|
||||
+class TestClientInstallBind(IntegrationTest):
|
||||
+ """
|
||||
+ The test configures an external bind server on the ipa-server
|
||||
+ (not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
|
||||
+ When the IPA client is registered using ipa-client-install,
|
||||
+ DNS records are added for the client in the bind server using nsupdate.
|
||||
+ The first try is using GSS-TIG but fails as expected, and the client
|
||||
+ installer then tries with unauthenticated nsupdate.
|
||||
+ """
|
||||
+
|
||||
+ num_clients = 1
|
||||
+
|
||||
+ @classmethod
|
||||
+ def install(cls, mh):
|
||||
+ cls.client = cls.clients[0]
|
||||
+
|
||||
+ @pytest.fixture
|
||||
+ def setup_bindserver(self):
|
||||
+ bindserver = self.master
|
||||
+ named_conf_backup = tasks.FileBackup(self.master, paths.NAMED_CONF)
|
||||
+ # create a zone in the BIND server that is identical to the IPA
|
||||
+ add_zone = textwrap.dedent("""
|
||||
+ zone "{domain}" IN {{ type master;
|
||||
+ file "{domain}.db"; allow-query {{ any; }};
|
||||
+ allow-update {{ any; }}; }};
|
||||
+ """).format(domain=bindserver.domain.name)
|
||||
+
|
||||
+ namedcfg = bindserver.get_file_contents(
|
||||
+ paths.NAMED_CONF, encoding='utf-8')
|
||||
+ namedcfg += '\n' + add_zone
|
||||
+ bindserver.put_file_contents(paths.NAMED_CONF, namedcfg)
|
||||
+
|
||||
+ def update_contents(path, pattern, replace):
|
||||
+ contents = bindserver.get_file_contents(path, encoding='utf-8')
|
||||
+ namedcfg_query = re.sub(pattern, replace, contents)
|
||||
+ bindserver.put_file_contents(path, namedcfg_query)
|
||||
+
|
||||
+ update_contents(paths.NAMED_CONF, 'localhost;', 'any;')
|
||||
+ update_contents(paths.NAMED_CONF, "listen-on port 53 { 127.0.0.1; };",
|
||||
+ "#listen-on port 53 { 127.0.0.1; };")
|
||||
+ update_contents(paths.NAMED_CONF, "listen-on-v6 port 53 { ::1; };",
|
||||
+ "#listen-on-v6 port 53 { ::1; };")
|
||||
+
|
||||
+ add_records = textwrap.dedent("""
|
||||
+ @ IN SOA {fqdn}. root.{domain}. (
|
||||
+ 1001 ;Serial
|
||||
+ 3H ;Refresh
|
||||
+ 15M ;Retry
|
||||
+ 1W ;Expire
|
||||
+ 1D ;Minimum 1D
|
||||
+ )
|
||||
+ @ IN NS {fqdn}.
|
||||
+ ns1 IN A {bindserverip}
|
||||
+ _kerberos.{domain}. IN TXT {zoneupper}
|
||||
+ {fqdn}. IN A {bindserverip}
|
||||
+ ipa-ca.{domain}. IN A {bindserverip}
|
||||
+ _kerberos-master._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
|
||||
+ _kerberos-master._udp.{domain}. IN SRV 0 100 88 {fqdn}.
|
||||
+ _kerberos._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
|
||||
+ _kerberos._udp.{domain}. IN SRV 0 100 88 {fqdn}.
|
||||
+ _kpasswd._tcp.{domain}. IN SRV 0 100 464 {fqdn}.
|
||||
+ _kpasswd._udp.{domain}. IN SRV 0 100 464 {fqdn}.
|
||||
+ _ldap._tcp.{domain}. IN SRV 0 100 389 {fqdn}.
|
||||
+ """).format(
|
||||
+ fqdn=bindserver.hostname,
|
||||
+ domain=bindserver.domain.name,
|
||||
+ bindserverip=bindserver.ip,
|
||||
+ zoneupper=bindserver.domain.name.upper()
|
||||
+ )
|
||||
+ bindserverdb = "/var/named/{0}.db".format(bindserver.domain.name)
|
||||
+ bindserver.put_file_contents(bindserverdb, add_records)
|
||||
+ bindserver.run_command(['systemctl', 'start', 'named'])
|
||||
+ Firewall(bindserver).enable_services(["dns"])
|
||||
+ yield
|
||||
+ named_conf_backup.restore()
|
||||
+ bindserver.run_command(['rm', '-rf', bindserverdb])
|
||||
+
|
||||
+ def test_client_nsupdate(self, setup_bindserver):
|
||||
+ """Test secure nsupdate failed, then try unsecure nsupdate..
|
||||
+
|
||||
+ Test to verify when bind is configured with dynamic update policy,
|
||||
+ and during client-install 'nsupdate -g' fails then it should run with
|
||||
+ second call using unauthenticated nsupdate.
|
||||
+
|
||||
+ Related : https://pagure.io/freeipa/issue/8402
|
||||
+ """
|
||||
+ # with pre-configured bind server, install ipa-server without dns.
|
||||
+ tasks.install_master(self.master, setup_dns=False)
|
||||
+ self.client.resolver.backup()
|
||||
+ self.client.resolver.setup_resolver(
|
||||
+ self.master.ip, self.master.domain.name)
|
||||
+ try:
|
||||
+ self.client.run_command(['ipa-client-install', '-U',
|
||||
+ '--domain', self.client.domain.name,
|
||||
+ '--realm', self.client.domain.realm,
|
||||
+ '-p', self.client.config.admin_name,
|
||||
+ '-w', self.client.config.admin_password,
|
||||
+ '--server', self.master.hostname])
|
||||
+ # call unauthenticated nsupdate if GSS-TSIG nsupdate failed.
|
||||
+ str1 = "nsupdate (GSS-TSIG) failed"
|
||||
+ str2 = "'/usr/bin/nsupdate', '/etc/ipa/.dns_update.txt'"
|
||||
+ client_log = self.client.get_file_contents(
|
||||
+ paths.IPACLIENT_INSTALL_LOG, encoding='utf-8'
|
||||
+ )
|
||||
+ assert str1 in client_log and str2 in client_log
|
||||
+ dig_after = self.client.run_command(
|
||||
+ ['dig', '@{0}'.format(self.master.ip), self.client.hostname,
|
||||
+ '-t', 'SSHFP'])
|
||||
+ assert "ANSWER: 0" not in dig_after.stdout_text.strip()
|
||||
+ finally:
|
||||
+ self.client.resolver.restore()
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,88 +0,0 @@
|
||||
From c9bc471e063f2865d6423e4f1c9b81e73a45e43f Mon Sep 17 00:00:00 2001
|
||||
From: Stanislav Levin <slev@altlinux.org>
|
||||
Date: Wed, 4 Aug 2021 18:38:16 +0300
|
||||
Subject: [PATCH] ipatests: Fix TestAJPSecretUpgrade tests on systems without
|
||||
pkiuser
|
||||
|
||||
Tests in `test_ipaserver.test_secure_ajp_connector' assume that there
|
||||
is pkiuser in OS, but this is not always true (for example, in systems
|
||||
having minimum installed dependencies, in particular, without pki-server
|
||||
RPM package). Since the tests already use the mock and pkiuser entity is
|
||||
not the subject of testing the pwd.getpwnam has been mocked.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8942
|
||||
Signed-off-by: Stanislav Levin <slev@altlinux.org>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
.../test_secure_ajp_connector.py | 40 ++++++++++++++++---
|
||||
1 file changed, 34 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_ipaserver/test_secure_ajp_connector.py b/ipatests/test_ipaserver/test_secure_ajp_connector.py
|
||||
index 2719dbc48..35ef7407a 100644
|
||||
--- a/ipatests/test_ipaserver/test_secure_ajp_connector.py
|
||||
+++ b/ipatests/test_ipaserver/test_secure_ajp_connector.py
|
||||
@@ -1,5 +1,6 @@
|
||||
# Copyright (C) 2021 FreeIPA Project Contributors - see LICENSE file
|
||||
|
||||
+from collections import namedtuple
|
||||
from io import BytesIO
|
||||
from lxml.etree import parse as myparse # pylint: disable=no-name-in-module
|
||||
import pytest
|
||||
@@ -32,6 +33,32 @@ def mock_etree_parse(data):
|
||||
return myparse(f)
|
||||
|
||||
|
||||
+def mock_pkiuser_entity():
|
||||
+ """Return struct_passwd for mocked pkiuser"""
|
||||
+ StructPasswd = namedtuple(
|
||||
+ "StructPasswd",
|
||||
+ [
|
||||
+ "pw_name",
|
||||
+ "pw_passwd",
|
||||
+ "pw_uid",
|
||||
+ "pw_gid",
|
||||
+ "pw_gecos",
|
||||
+ "pw_dir",
|
||||
+ "pw_shell",
|
||||
+ ]
|
||||
+ )
|
||||
+ pkiuser_entity = StructPasswd(
|
||||
+ constants.PKI_USER,
|
||||
+ pw_passwd="x",
|
||||
+ pw_uid=-1,
|
||||
+ pw_gid=-1,
|
||||
+ pw_gecos="",
|
||||
+ pw_dir="/dev/null",
|
||||
+ pw_shell="/sbin/nologin",
|
||||
+ )
|
||||
+ return pkiuser_entity
|
||||
+
|
||||
+
|
||||
# Format of test_data is:
|
||||
# (
|
||||
# is_newer_tomcat (boolean),
|
||||
@@ -148,14 +175,15 @@ test_data = (
|
||||
|
||||
|
||||
class TestAJPSecretUpgrade:
|
||||
- @patch('os.chown')
|
||||
- @patch('lxml.etree.parse')
|
||||
- @pytest.mark.parametrize('is_newer, data, secret, expect, rewrite',
|
||||
- test_data)
|
||||
- def test_connecter(self, mock_parse, mock_chown, is_newer, data, secret,
|
||||
- expect, rewrite):
|
||||
+ @patch("ipaplatform.base.constants.pwd.getpwnam")
|
||||
+ @patch("ipaplatform.base.constants.os.chown")
|
||||
+ @patch("ipaserver.install.dogtaginstance.lxml.etree.parse")
|
||||
+ @pytest.mark.parametrize("test_data", test_data)
|
||||
+ def test_connecter(self, mock_parse, mock_chown, mock_getpwnam, test_data):
|
||||
+ is_newer, data, secret, expect, rewrite = test_data
|
||||
mock_chown.return_value = None
|
||||
mock_parse.return_value = mock_etree_parse(data)
|
||||
+ mock_getpwnam.return_value = mock_pkiuser_entity()
|
||||
|
||||
dogtag = MyDogtagInstance(is_newer)
|
||||
with patch('ipaserver.install.dogtaginstance.open', mock_open()) \
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,54 +0,0 @@
|
||||
From 488ac7e3ba9f36d6b187687d120920d2d80d8b7f Mon Sep 17 00:00:00 2001
|
||||
From: Michal Polovka <mpolovka@redhat.com>
|
||||
Date: Tue, 10 Aug 2021 18:11:05 +0200
|
||||
Subject: [PATCH] ipatests: test_ipahealthcheck: Verify permissions for
|
||||
/var/log/ files
|
||||
|
||||
Test if files in /var/log are being checked with ipahealthcheck.ipa.files source.
|
||||
|
||||
Resolves: https://pagure.io/freeipa/issue/8949
|
||||
|
||||
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
|
||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
.../test_integration/test_ipahealthcheck.py | 23 +++++++++++++++++++
|
||||
1 file changed, 23 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
index 36fe72be7..089793a2f 100644
|
||||
--- a/ipatests/test_integration/test_ipahealthcheck.py
|
||||
+++ b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
@@ -1227,6 +1227,29 @@ class TestIpaHealthCheck(IntegrationTest):
|
||||
)
|
||||
assert msg in cmd.stdout_text
|
||||
|
||||
+ def test_ipahealthcheck_verify_perms_for_source_files(self,
|
||||
+ modify_permissions):
|
||||
+ """
|
||||
+ This tests checks if files in /var/log are checked with ipa.files
|
||||
+ source.
|
||||
+ The test modifies permissions of ipainstall log file and checks the
|
||||
+ response from healthcheck.
|
||||
+
|
||||
+ https://pagure.io/freeipa/issue/8949
|
||||
+ """
|
||||
+ modify_permissions(self.master, path=paths.IPASERVER_INSTALL_LOG,
|
||||
+ mode="0644")
|
||||
+ returncode, data = run_healthcheck(
|
||||
+ self.master, "ipahealthcheck.ipa.files", failures_only=True)
|
||||
+
|
||||
+ assert returncode == 1
|
||||
+ assert len(data) == 1
|
||||
+ assert data[0]["result"] == "WARNING"
|
||||
+ assert data[0]["kw"]["path"] == paths.IPASERVER_INSTALL_LOG
|
||||
+ assert data[0]["kw"]["type"] == "mode"
|
||||
+ assert data[0]["kw"]["expected"] == "0600"
|
||||
+
|
||||
+
|
||||
@pytest.fixture
|
||||
def remove_healthcheck(self):
|
||||
"""
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,127 +0,0 @@
|
||||
From e0aef5296b66c0b460f7e10993610fe68b312241 Mon Sep 17 00:00:00 2001
|
||||
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Date: Mon, 19 Apr 2021 12:08:28 +0530
|
||||
Subject: [PATCH] ipatests: test to renew certs on replica using ipa-cert-fix
|
||||
|
||||
This test checks if ipa-cert-fix renews the certs on replica
|
||||
after cert renewal on master.
|
||||
|
||||
related: https://pagure.io/freeipa/issue/7885
|
||||
|
||||
ipatests: refactor expire_cert_critical fixture
|
||||
|
||||
Defined method to move the date and refactor
|
||||
expire_cert_critical fixture using it
|
||||
|
||||
ipatests: PEP8 fixes
|
||||
|
||||
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
.../test_integration/test_ipa_cert_fix.py | 74 ++++++++++++++++++-
|
||||
1 file changed, 70 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
index f3cf59afc..a20996737 100644
|
||||
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
@@ -6,6 +6,7 @@
|
||||
Module provides tests for ipa-cert-fix CLI.
|
||||
"""
|
||||
import pytest
|
||||
+import re
|
||||
import time
|
||||
|
||||
import logging
|
||||
@@ -74,15 +75,15 @@ def expire_cert_critical():
|
||||
extra_args=['--no-ntp'])
|
||||
if setup_kra:
|
||||
tasks.install_kra(host)
|
||||
- host.run_command(['systemctl', 'stop', 'chronyd'])
|
||||
- host.run_command(['date', '-s', '+3Years+1day'])
|
||||
+
|
||||
+ # move date to expire certs
|
||||
+ move_date(host, 'stop', '+3Years+1day')
|
||||
|
||||
yield _expire_cert_critical
|
||||
|
||||
host = hosts.pop('host')
|
||||
tasks.uninstall_master(host)
|
||||
- host.run_command(['date', '-s', '-3Years-1day'])
|
||||
- host.run_command(['systemctl', 'start', 'chronyd'])
|
||||
+ move_date(host, 'start', '-3Years-1day')
|
||||
|
||||
|
||||
class TestIpaCertFix(IntegrationTest):
|
||||
@@ -336,3 +337,68 @@ class TestCertFixKRA(IntegrationTest):
|
||||
self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
|
||||
|
||||
check_status(self.master, 12, "MONITORING")
|
||||
+
|
||||
+
|
||||
+class TestCertFixReplica(IntegrationTest):
|
||||
+
|
||||
+ num_replicas = 1
|
||||
+
|
||||
+ @classmethod
|
||||
+ def install(cls, mh):
|
||||
+ tasks.install_master(
|
||||
+ mh.master, setup_dns=False, extra_args=['--no-ntp']
|
||||
+ )
|
||||
+ tasks.install_replica(
|
||||
+ mh.master, mh.replicas[0],
|
||||
+ setup_dns=False, extra_args=['--no-ntp']
|
||||
+ )
|
||||
+
|
||||
+ def test_renew_expired_cert_replica(self):
|
||||
+ """Test renewal of certificates on replica with ipa-cert-fix
|
||||
+
|
||||
+ This is to check that ipa-cert-fix renews the certificates
|
||||
+ on replica
|
||||
+
|
||||
+ related: https://pagure.io/freeipa/issue/7885
|
||||
+ """
|
||||
+ move_date(self.master, 'stop', '+3years+1days')
|
||||
+
|
||||
+ # wait for cert expiry
|
||||
+ check_status(self.master, 8, "CA_UNREACHABLE")
|
||||
+
|
||||
+ self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
|
||||
+
|
||||
+ check_status(self.master, 9, "MONITORING")
|
||||
+
|
||||
+ # move system date to expire cert on replica
|
||||
+ move_date(self.replicas[0], 'stop', '+3years+1days')
|
||||
+
|
||||
+ # RA agent cert will be expired and in CA_UNREACHABLE state
|
||||
+ check_status(self.replicas[0], 1, "CA_UNREACHABLE")
|
||||
+
|
||||
+ # renew RA agent cert
|
||||
+ self.replicas[0].run_command(
|
||||
+ ['ipa-cert-fix', '-v'], stdin_text='yes\n'
|
||||
+ )
|
||||
+
|
||||
+ # LDAP/HTTP/PKINIT certs will be renewed automaticaly
|
||||
+ # after moving date on replica. This 3, 1 CA cert,
|
||||
+ # 1 RA agent cert. Check for total 5 valid certs.
|
||||
+ check_status(self.replicas[0], 5, "MONITORING")
|
||||
+
|
||||
+ # get the req ids of all certs to renew remaining
|
||||
+ # certs by re-submitting it
|
||||
+ result = self.replicas[0].run_command(['getcert', 'list'])
|
||||
+ req_ids = re.findall(r'\d{14}', result.stdout_text)
|
||||
+
|
||||
+ # resubmit the certs to renew them
|
||||
+ for req_id in req_ids:
|
||||
+ self.replicas[0].run_command(
|
||||
+ ['getcert', 'resubmit', '-i', req_id]
|
||||
+ )
|
||||
+
|
||||
+ check_status(self.master, 9, "MONITORING")
|
||||
+
|
||||
+ # move date back on replica and master
|
||||
+ move_date(self.replicas[0], 'start', '-3years-1days')
|
||||
+ move_date(self.master, 'start', '-3years-1days')
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,252 +0,0 @@
|
||||
From a620e5e9e152defe144705913521c3cf556faa0e Mon Sep 17 00:00:00 2001
|
||||
From: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Date: Mon, 26 Apr 2021 15:50:20 +0530
|
||||
Subject: [PATCH] ipatests: wait while http/ldap/pkinit cert get renew on
|
||||
replica
|
||||
|
||||
LDAP/HTTP/PKINIT certificates should be renewd on replica after
|
||||
moving system date. Test was failing because ipa-cert-fix ran
|
||||
while these cert was not renewd and it tried to fix it.
|
||||
|
||||
This test adds check for replication before calling ipa-cert-fix
|
||||
on replica.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8815
|
||||
|
||||
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
.../test_integration/test_ipa_cert_fix.py | 172 +++++++++++++++---
|
||||
1 file changed, 144 insertions(+), 28 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
index a20996737..fa69743e2 100644
|
||||
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
@@ -5,16 +5,19 @@
|
||||
"""
|
||||
Module provides tests for ipa-cert-fix CLI.
|
||||
"""
|
||||
+from cryptography.hazmat.backends import default_backend
|
||||
+from cryptography import x509
|
||||
+from datetime import datetime, date
|
||||
import pytest
|
||||
-import re
|
||||
import time
|
||||
|
||||
import logging
|
||||
from ipaplatform.paths import paths
|
||||
+from ipapython.ipaldap import realm_to_serverid
|
||||
from ipatests.pytest_ipa.integration import tasks
|
||||
from ipatests.test_integration.base import IntegrationTest
|
||||
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
|
||||
-
|
||||
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
@@ -59,6 +62,49 @@ def move_date(host, chrony_state, date_str):
|
||||
host.run_command(['date', '-s', date_str])
|
||||
|
||||
|
||||
+def needs_resubmit(host, req_id):
|
||||
+ """Helper method to identify if cert request needs to be resubmitted
|
||||
+ :param host: the host
|
||||
+ :param req_id: request id to perform operation for
|
||||
+
|
||||
+ Returns True if resubmit needed else False
|
||||
+ """
|
||||
+ # check if cert is in monitoring state
|
||||
+ tasks.wait_for_certmonger_status(
|
||||
+ host, ('MONITORING'), req_id, timeout=600
|
||||
+ )
|
||||
+
|
||||
+ # check if cert is valid and not expired
|
||||
+ cmd = host.run_command(
|
||||
+ 'getcert list -i {} | grep expires'.format(req_id)
|
||||
+ )
|
||||
+ cert_expiry = cmd.stdout_text.split(' ')
|
||||
+ cert_expiry = datetime.strptime(cert_expiry[1], '%Y-%m-%d').date()
|
||||
+ if cert_expiry > date.today():
|
||||
+ return False
|
||||
+ else:
|
||||
+ return True
|
||||
+
|
||||
+
|
||||
+def get_cert_expiry(host, nssdb_path, cert_nick):
|
||||
+ """Method to get cert expiry date of given certificate
|
||||
+
|
||||
+ :param host: the host
|
||||
+ :param nssdb_path: nssdb path of certificate
|
||||
+ :param cert_nick: certificate nick name for extracting cert from nssdb
|
||||
+ """
|
||||
+ # get initial expiry date to compare later with renewed cert
|
||||
+ host.run_command([
|
||||
+ 'certutil', '-L', '-a',
|
||||
+ '-d', nssdb_path,
|
||||
+ '-n', cert_nick,
|
||||
+ '-o', '/root/cert.pem'
|
||||
+ ])
|
||||
+ data = host.get_file_contents('/root/cert.pem')
|
||||
+ cert = x509.load_pem_x509_certificate(data, backend=default_backend())
|
||||
+ return cert.not_valid_after
|
||||
+
|
||||
+
|
||||
@pytest.fixture
|
||||
def expire_cert_critical():
|
||||
"""
|
||||
@@ -353,7 +399,19 @@ class TestCertFixReplica(IntegrationTest):
|
||||
setup_dns=False, extra_args=['--no-ntp']
|
||||
)
|
||||
|
||||
- def test_renew_expired_cert_replica(self):
|
||||
+ @pytest.fixture
|
||||
+ def expire_certs(self):
|
||||
+ # move system date to expire certs
|
||||
+ for host in self.master, self.replicas[0]:
|
||||
+ tasks.move_date(host, 'stop', '+3years+1days')
|
||||
+
|
||||
+ yield
|
||||
+
|
||||
+ # move date back on replica and master
|
||||
+ for host in self.master, self.replicas[0]:
|
||||
+ tasks.move_date(host, 'start', '-3years-1days')
|
||||
+
|
||||
+ def test_renew_expired_cert_replica(self, expire_certs):
|
||||
"""Test renewal of certificates on replica with ipa-cert-fix
|
||||
|
||||
This is to check that ipa-cert-fix renews the certificates
|
||||
@@ -361,8 +419,6 @@ class TestCertFixReplica(IntegrationTest):
|
||||
|
||||
related: https://pagure.io/freeipa/issue/7885
|
||||
"""
|
||||
- move_date(self.master, 'stop', '+3years+1days')
|
||||
-
|
||||
# wait for cert expiry
|
||||
check_status(self.master, 8, "CA_UNREACHABLE")
|
||||
|
||||
@@ -370,35 +426,95 @@ class TestCertFixReplica(IntegrationTest):
|
||||
|
||||
check_status(self.master, 9, "MONITORING")
|
||||
|
||||
- # move system date to expire cert on replica
|
||||
- move_date(self.replicas[0], 'stop', '+3years+1days')
|
||||
-
|
||||
- # RA agent cert will be expired and in CA_UNREACHABLE state
|
||||
- check_status(self.replicas[0], 1, "CA_UNREACHABLE")
|
||||
-
|
||||
- # renew RA agent cert
|
||||
- self.replicas[0].run_command(
|
||||
- ['ipa-cert-fix', '-v'], stdin_text='yes\n'
|
||||
+ # replica operations
|
||||
+ # 'Server-Cert cert-pki-ca' cert will be in CA_UNREACHABLE state
|
||||
+ cmd = self.replicas[0].run_command(
|
||||
+ ['getcert', 'list',
|
||||
+ '-d', paths.PKI_TOMCAT_ALIAS_DIR,
|
||||
+ '-n', 'Server-Cert cert-pki-ca']
|
||||
+ )
|
||||
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
|
||||
+ tasks.wait_for_certmonger_status(
|
||||
+ self.replicas[0], ('CA_UNREACHABLE'), req_id, timeout=600
|
||||
+ )
|
||||
+ # get initial expiry date to compare later with renewed cert
|
||||
+ initial_expiry = get_cert_expiry(
|
||||
+ self.replicas[0],
|
||||
+ paths.PKI_TOMCAT_ALIAS_DIR,
|
||||
+ 'Server-Cert cert-pki-ca'
|
||||
)
|
||||
|
||||
- # LDAP/HTTP/PKINIT certs will be renewed automaticaly
|
||||
- # after moving date on replica. This 3, 1 CA cert,
|
||||
- # 1 RA agent cert. Check for total 5 valid certs.
|
||||
- check_status(self.replicas[0], 5, "MONITORING")
|
||||
+ # check that HTTP,LDAP,PKINIT are renewed and in MONITORING state
|
||||
+ instance = realm_to_serverid(self.master.domain.realm)
|
||||
+ dirsrv_cert = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
|
||||
+ for cert in (paths.KDC_CERT, paths.HTTPD_CERT_FILE):
|
||||
+ cmd = self.replicas[0].run_command(
|
||||
+ ['getcert', 'list', '-f', cert]
|
||||
+ )
|
||||
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
|
||||
+ tasks.wait_for_certmonger_status(
|
||||
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
|
||||
+ )
|
||||
|
||||
- # get the req ids of all certs to renew remaining
|
||||
- # certs by re-submitting it
|
||||
- result = self.replicas[0].run_command(['getcert', 'list'])
|
||||
- req_ids = re.findall(r'\d{14}', result.stdout_text)
|
||||
+ cmd = self.replicas[0].run_command(
|
||||
+ ['getcert', 'list', '-d', dirsrv_cert]
|
||||
+ )
|
||||
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
|
||||
+ tasks.wait_for_certmonger_status(
|
||||
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
|
||||
+ )
|
||||
|
||||
- # resubmit the certs to renew them
|
||||
- for req_id in req_ids:
|
||||
+ # check if replication working fine
|
||||
+ testuser = 'testuser1'
|
||||
+ password = 'Secret@123'
|
||||
+ stdin = (f"{self.master.config.admin_password}\n"
|
||||
+ f"{self.master.config.admin_password}\n"
|
||||
+ f"{self.master.config.admin_password}\n")
|
||||
+ self.master.run_command(['kinit', 'admin'], stdin_text=stdin)
|
||||
+ tasks.user_add(self.master, testuser, password=password)
|
||||
+ self.replicas[0].run_command(['kinit', 'admin'], stdin_text=stdin)
|
||||
+ self.replicas[0].run_command(['ipa', 'user-show', testuser])
|
||||
+
|
||||
+ # renew shared certificates by resubmitting to certmonger
|
||||
+ cmd = self.replicas[0].run_command(
|
||||
+ ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
|
||||
+ )
|
||||
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
|
||||
+ if needs_resubmit(self.replicas[0], req_id):
|
||||
self.replicas[0].run_command(
|
||||
['getcert', 'resubmit', '-i', req_id]
|
||||
)
|
||||
+ tasks.wait_for_certmonger_status(
|
||||
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
|
||||
+ )
|
||||
+ for cert_nick in ('auditSigningCert cert-pki-ca',
|
||||
+ 'ocspSigningCert cert-pki-ca',
|
||||
+ 'subsystemCert cert-pki-ca'):
|
||||
+ cmd = self.replicas[0].run_command(
|
||||
+ ['getcert', 'list',
|
||||
+ '-d', paths.PKI_TOMCAT_ALIAS_DIR,
|
||||
+ '-n', cert_nick]
|
||||
+ )
|
||||
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
|
||||
+ if needs_resubmit(self.replicas[0], req_id):
|
||||
+ self.replicas[0].run_command(
|
||||
+ ['getcert', 'resubmit', '-i', req_id]
|
||||
+ )
|
||||
+ tasks.wait_for_certmonger_status(
|
||||
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
|
||||
+ )
|
||||
|
||||
- check_status(self.master, 9, "MONITORING")
|
||||
+ self.replicas[0].run_command(
|
||||
+ ['ipa-cert-fix', '-v'], stdin_text='yes\n'
|
||||
+ )
|
||||
|
||||
- # move date back on replica and master
|
||||
- move_date(self.replicas[0], 'start', '-3years-1days')
|
||||
- move_date(self.master, 'start', '-3years-1days')
|
||||
+ check_status(self.replicas[0], 9, "MONITORING")
|
||||
+
|
||||
+ # Sometimes certmonger takes time to update the cert status
|
||||
+ # So check in nssdb instead of relying on getcert command
|
||||
+ renewed_expiry = get_cert_expiry(
|
||||
+ self.replicas[0],
|
||||
+ paths.PKI_TOMCAT_ALIAS_DIR,
|
||||
+ 'Server-Cert cert-pki-ca'
|
||||
+ )
|
||||
+ assert renewed_expiry > initial_expiry
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,73 +0,0 @@
|
||||
From 4a3a15f45aad016730252c09e3e173a18184603e Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Wed, 21 Jul 2021 14:29:31 +0200
|
||||
Subject: [PATCH] ipatests: refactor test_ipa_cert_fix with tasks
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8932
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
|
||||
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
||||
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_ipa_cert_fix.py | 18 ++++--------------
|
||||
1 file changed, 4 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
index fa69743e2..39904d5de 100644
|
||||
--- a/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
|
||||
@@ -52,16 +52,6 @@ def check_status(host, cert_count, state, timeout=600):
|
||||
return count
|
||||
|
||||
|
||||
-def move_date(host, chrony_state, date_str):
|
||||
- """Helper method to move the date on given host
|
||||
- :param host: The host on which date is to be moved
|
||||
- :param chrony_state: State to which chrony service to be moved
|
||||
- :param date_str: date string to move the date i.e 2years1month1days
|
||||
- """
|
||||
- host.run_command(['systemctl', chrony_state, 'chronyd'])
|
||||
- host.run_command(['date', '-s', date_str])
|
||||
-
|
||||
-
|
||||
def needs_resubmit(host, req_id):
|
||||
"""Helper method to identify if cert request needs to be resubmitted
|
||||
:param host: the host
|
||||
@@ -123,13 +113,13 @@ def expire_cert_critical():
|
||||
tasks.install_kra(host)
|
||||
|
||||
# move date to expire certs
|
||||
- move_date(host, 'stop', '+3Years+1day')
|
||||
+ tasks.move_date(host, 'stop', '+3Years+1day')
|
||||
|
||||
yield _expire_cert_critical
|
||||
|
||||
host = hosts.pop('host')
|
||||
tasks.uninstall_master(host)
|
||||
- move_date(host, 'start', '-3Years-1day')
|
||||
+ tasks.move_date(host, 'start', '-3Years-1day')
|
||||
|
||||
|
||||
class TestIpaCertFix(IntegrationTest):
|
||||
@@ -143,12 +133,12 @@ class TestIpaCertFix(IntegrationTest):
|
||||
def expire_ca_cert(self):
|
||||
tasks.install_master(self.master, setup_dns=False,
|
||||
extra_args=['--no-ntp'])
|
||||
- move_date(self.master, 'stop', '+20Years+1day')
|
||||
+ tasks.move_date(self.master, 'stop', '+20Years+1day')
|
||||
|
||||
yield
|
||||
|
||||
tasks.uninstall_master(self.master)
|
||||
- move_date(self.master, 'start', '-20Years-1day')
|
||||
+ tasks.move_date(self.master, 'start', '-20Years-1day')
|
||||
|
||||
def test_missing_csr(self, expire_cert_critical):
|
||||
"""
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,65 +0,0 @@
|
||||
From b5036b5ce9ae4fab011e57fe2b37a35fdd098a70 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Thu, 19 Aug 2021 10:51:01 +0200
|
||||
Subject: [PATCH] ipatests: use whole date for journalctl --since
|
||||
|
||||
When a test is executed around midnight and is checking the
|
||||
journal content with --since=date, it needs to specify the
|
||||
whole date (with day and time) to avoid missing entries.
|
||||
|
||||
If for instance --since=23:59:00 is used and the current time is
|
||||
now 00:01:00, --since=23:59:00 would refer to a date in the
|
||||
future and no journal entry will be found.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8953
|
||||
Reviewed-By: Stanislav Levin <slev@altlinux.org>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_cert.py | 2 +-
|
||||
ipatests/test_integration/test_commands.py | 3 ++-
|
||||
ipatests/test_integration/test_nfs.py | 2 +-
|
||||
3 files changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
|
||||
index 9a90db5e2..7d51b76ee 100644
|
||||
--- a/ipatests/test_integration/test_cert.py
|
||||
+++ b/ipatests/test_integration/test_cert.py
|
||||
@@ -69,7 +69,7 @@ class TestInstallMasterClient(IntegrationTest):
|
||||
|
||||
# time to look into journal logs in
|
||||
# test_certmonger_ipa_responder_jsonrpc
|
||||
- cls.since = time.strftime('%H:%M:%S')
|
||||
+ cls.since = time.strftime('%Y-%m-%d %H:%M:%S')
|
||||
|
||||
def test_cacert_file_appear_with_option_F(self):
|
||||
"""Test if getcert creates cacert file with -F option
|
||||
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
|
||||
index 4d9a81652..fd5d1b472 100644
|
||||
--- a/ipatests/test_integration/test_commands.py
|
||||
+++ b/ipatests/test_integration/test_commands.py
|
||||
@@ -1208,7 +1208,8 @@ class TestIPACommand(IntegrationTest):
|
||||
# start to look at logs a bit before "now"
|
||||
# https://pagure.io/freeipa/issue/8432
|
||||
since = time.strftime(
|
||||
- '%H:%M:%S', (datetime.now() - timedelta(seconds=10)).timetuple()
|
||||
+ '%Y-%m-%d %H:%M:%S',
|
||||
+ (datetime.now() - timedelta(seconds=10)).timetuple()
|
||||
)
|
||||
|
||||
password = 'WrongPassword'
|
||||
diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py
|
||||
index 9a6153409..dc53a6da9 100644
|
||||
--- a/ipatests/test_integration/test_nfs.py
|
||||
+++ b/ipatests/test_integration/test_nfs.py
|
||||
@@ -130,7 +130,7 @@ class TestNFS(IntegrationTest):
|
||||
nfsclt = self.clients[1]
|
||||
|
||||
# for journalctl --since
|
||||
- since = time.strftime('%H:%M:%S')
|
||||
+ since = time.strftime('%Y-%m-%d %H:%M:%S')
|
||||
nfsclt.run_command(["systemctl", "restart", "rpc-gssd"])
|
||||
time.sleep(WAIT_AFTER_INSTALL)
|
||||
mountpoints = ("/mnt/krb", "/mnt/std", "/home")
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,41 +0,0 @@
|
||||
From 07e2bf732f54f936cccc4e0c7b468d77f97e911a Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Mon, 30 Aug 2021 18:40:24 +0200
|
||||
Subject: [PATCH] selinux policy: allow custodia to access /proc/cpuinfo
|
||||
|
||||
On aarch64, custodia creates AVC when accessing /proc/cpuinfo.
|
||||
|
||||
According to gcrypt manual
|
||||
(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html),
|
||||
/proc/cpuinfo is used on ARM architecture to read the hardware
|
||||
capabilities of the CPU. This explains why the issue happens only
|
||||
on aarch64.
|
||||
|
||||
audit2allow suggests to add the following:
|
||||
allow ipa_custodia_t proc_t:file { getattr open read };
|
||||
|
||||
but this policy would be too broad. Instead, the patch is using
|
||||
the interface kernel_read_system_state.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8972
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Christian Heimes <cheimes@redhat.com>
|
||||
---
|
||||
selinux/ipa.te | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/selinux/ipa.te b/selinux/ipa.te
|
||||
index 68e10941951ac391fda7854d1403558c069dad46..7492fca04d4f0d031ecd83871078247d73cc87e0 100644
|
||||
--- a/selinux/ipa.te
|
||||
+++ b/selinux/ipa.te
|
||||
@@ -364,6 +364,7 @@ files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
|
||||
|
||||
kernel_dgram_send(ipa_custodia_t)
|
||||
kernel_read_network_state(ipa_custodia_t)
|
||||
+kernel_read_system_state(ipa_custodia_t)
|
||||
|
||||
auth_read_passwd(ipa_custodia_t)
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,46 +0,0 @@
|
||||
From 4fca95751ca32a1ed16a6d8a4e557c5799ec5c78 Mon Sep 17 00:00:00 2001
|
||||
From: Sumit Bose <sbose@redhat.com>
|
||||
Date: Wed, 25 Aug 2021 17:10:29 +0200
|
||||
Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ
|
||||
|
||||
If a client sends a request to lookup an object from a given trusted
|
||||
domain by UID or GID and an object with matching ID is only found in a
|
||||
different domain the extdom should return LDAP_NO_SUCH_OBJECT to
|
||||
indicate to the client that the requested ID does not exists in the
|
||||
given domain.
|
||||
|
||||
Resolves: https://pagure.io/freeipa/issue/8965
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
.../ipa-extdom-extop/ipa_extdom_common.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
|
||||
index 5d97ff6137d9d660f6121f468261c6878a9aa12a..6f646b9f49ef31e1872e87640c524db972e53b6d 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
|
||||
@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
|
||||
if (strcasecmp(locat+1, domain_name) == 0 ) {
|
||||
locat[0] = '\0';
|
||||
} else {
|
||||
- ret = LDAP_INVALID_SYNTAX;
|
||||
+ /* The found object is from a different domain than requested,
|
||||
+ * that means it does not exist in the requested domain */
|
||||
+ ret = LDAP_NO_SUCH_OBJECT;
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type,
|
||||
if (strcasecmp(locat+1, domain_name) == 0 ) {
|
||||
locat[0] = '\0';
|
||||
} else {
|
||||
- ret = LDAP_INVALID_SYNTAX;
|
||||
+ /* The found object is from a different domain than requested,
|
||||
+ * that means it does not exist in the requested domain */
|
||||
+ ret = LDAP_NO_SUCH_OBJECT;
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,35 +0,0 @@
|
||||
From 4785a90946ec694ccc082f062b2181b23c7099e3 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
|
||||
Date: Thu, 2 Sep 2021 16:17:01 +0200
|
||||
Subject: [PATCH] subid: subid-match: display the owner's ID not DN
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Previously, the subid-match command would output the full
|
||||
DN of the owner of the matched range.
|
||||
With this change, the UID of the owner is displayed, just like
|
||||
for other subid- commands.
|
||||
|
||||
Fixes: https://github.com/freeipa/freeipa/pull/6001
|
||||
Signed-off-by: François Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipaserver/plugins/subid.py | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/ipaserver/plugins/subid.py b/ipaserver/plugins/subid.py
|
||||
index 440f24ee627f0736100f63026158c564b04520c2..132c85c7f198217ba70f2332306ee2550be86035 100644
|
||||
--- a/ipaserver/plugins/subid.py
|
||||
+++ b/ipaserver/plugins/subid.py
|
||||
@@ -524,6 +524,7 @@ class subid_match(subid_find):
|
||||
osubuid = options["ipasubuidnumber"]
|
||||
new_entries = []
|
||||
for entry in entries:
|
||||
+ self.obj.convert_owner(entry, options)
|
||||
esubuid = int(entry.single_value["ipasubuidnumber"])
|
||||
esubcount = int(entry.single_value["ipasubuidcount"])
|
||||
minsubuid = esubuid
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,37 +0,0 @@
|
||||
From 3c4f9e7347965ff9a887147df34e720224ffa7cc Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Tue, 7 Sep 2021 17:06:53 +0200
|
||||
Subject: [PATCH] migrate-ds: workaround to detect compat tree
|
||||
|
||||
Migrate-ds needs to check if compat tree is enabled before
|
||||
migrating users and groups. The check is doing a base
|
||||
search on cn=compat,$SUFFIX and considers the compat tree
|
||||
enabled when the entry exists.
|
||||
|
||||
Due to a bug in slapi-nis, the base search may return NotFound
|
||||
even though the compat tree is enabled. The workaround is to
|
||||
perform a base search on cn=users,cn=compat,$SUFFIX instead.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8984
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
ipaserver/plugins/migration.py | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
|
||||
index db5241915497b14a12ed2c33003e1c4fc1a5369f..6ee205fc836a463ac250baa6131e43acb0c00efa 100644
|
||||
--- a/ipaserver/plugins/migration.py
|
||||
+++ b/ipaserver/plugins/migration.py
|
||||
@@ -922,7 +922,8 @@ migration process might be incomplete\n''')
|
||||
# check whether the compat plugin is enabled
|
||||
if not options.get('compat'):
|
||||
try:
|
||||
- ldap.get_entry(DN(('cn', 'compat'), (api.env.basedn)))
|
||||
+ ldap.get_entry(DN(('cn', 'users'), ('cn', 'compat'),
|
||||
+ (api.env.basedn)))
|
||||
return dict(result={}, failed={}, enabled=True, compat=False)
|
||||
except errors.NotFound:
|
||||
pass
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,60 +0,0 @@
|
||||
From be1e3bbfc13aff9a583108376f245b81cc3666fb Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Thu, 9 Sep 2021 15:26:55 -0400
|
||||
Subject: [PATCH] Don't store entries with a usercertificate in the LDAP cache
|
||||
|
||||
usercertificate often has a subclass and both the plain and
|
||||
subclassed (binary) values are queried. I'm concerned that
|
||||
they are used more or less interchangably in places so not
|
||||
caching these entries is the safest path forward for now until
|
||||
we can dedicate the time to find all usages, determine their
|
||||
safety and/or perhaps handle this gracefully within the cache
|
||||
now.
|
||||
|
||||
What we see in this bug is that usercertificate;binary holds the
|
||||
first certificate value but a user-mod is done with
|
||||
setattr usercertificate=<new_cert>. Since there is no
|
||||
usercertificate value (remember, it's usercertificate;binary)
|
||||
a replace is done and 389-ds wipes the existing value as we've
|
||||
asked it to.
|
||||
|
||||
I'm not comfortable with simply treating them the same because
|
||||
in LDAP they are not.
|
||||
|
||||
https://pagure.io/freeipa/issue/8986
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
||||
---
|
||||
ipapython/ipaldap.py | 14 +++++++++++---
|
||||
1 file changed, 11 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
|
||||
index f94b784d680f33d026e4d56ec8627d4d2ab87931..ced8f1bd66dc8f1f5c206677d2725d1e72b489f9 100644
|
||||
--- a/ipapython/ipaldap.py
|
||||
+++ b/ipapython/ipaldap.py
|
||||
@@ -1821,9 +1821,17 @@ class LDAPCache(LDAPClient):
|
||||
entry=None, exception=None):
|
||||
# idnsname - caching prevents delete when mod value to None
|
||||
# cospriority - in a Class of Service object, uncacheable
|
||||
- # TODO - usercertificate was banned at one point and I don't remember
|
||||
- # why...
|
||||
- BANNED_ATTRS = {'idnsname', 'cospriority'}
|
||||
+ # usercertificate* - caching subtypes is tricky, trade less
|
||||
+ # complexity for performance
|
||||
+ #
|
||||
+ # TODO: teach the cache about subtypes
|
||||
+
|
||||
+ BANNED_ATTRS = {
|
||||
+ 'idnsname',
|
||||
+ 'cospriority',
|
||||
+ 'usercertificate',
|
||||
+ 'usercertificate;binary'
|
||||
+ }
|
||||
if not self._enable_cache:
|
||||
return
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,68 +0,0 @@
|
||||
From 86588640137562b2016fdb0f91142d00bc38e54a Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Fri, 10 Sep 2021 09:01:48 -0400
|
||||
Subject: [PATCH] ipatests: Test that a user can be issued multiple
|
||||
certificates
|
||||
|
||||
Prevent regressions in the LDAP cache layer that caused newly
|
||||
issued certificates to overwrite existing ones.
|
||||
|
||||
https://pagure.io/freeipa/issue/8986
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_cert.py | 29 ++++++++++++++++++++++++++
|
||||
1 file changed, 29 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
|
||||
index 7d51b76ee347237450b7484cf48c2e6a1bed7f7d..b4e85eadcf41212fdd16f0f3aa130a916b5019fa 100644
|
||||
--- a/ipatests/test_integration/test_cert.py
|
||||
+++ b/ipatests/test_integration/test_cert.py
|
||||
@@ -16,6 +16,7 @@ import string
|
||||
import time
|
||||
|
||||
from ipaplatform.paths import paths
|
||||
+from ipapython.dn import DN
|
||||
from cryptography import x509
|
||||
from cryptography.x509.oid import ExtensionOID
|
||||
from cryptography.hazmat.backends import default_backend
|
||||
@@ -183,6 +184,34 @@ class TestInstallMasterClient(IntegrationTest):
|
||||
)
|
||||
assert "profile: caServerCert" in result.stdout_text
|
||||
|
||||
+ def test_multiple_user_certificates(self):
|
||||
+ """Test that a user may be issued multiple certificates"""
|
||||
+ ldap = self.master.ldap_connect()
|
||||
+
|
||||
+ user = 'user1'
|
||||
+
|
||||
+ tasks.kinit_admin(self.master)
|
||||
+ tasks.user_add(self.master, user)
|
||||
+
|
||||
+ for id in (0,1):
|
||||
+ csr_file = f'{id}.csr'
|
||||
+ key_file = f'{id}.key'
|
||||
+ cert_file = f'{id}.crt'
|
||||
+ openssl_cmd = [
|
||||
+ 'openssl', 'req', '-newkey', 'rsa:2048', '-keyout', key_file,
|
||||
+ '-nodes', '-out', csr_file, '-subj', '/CN=' + user]
|
||||
+ self.master.run_command(openssl_cmd)
|
||||
+
|
||||
+ cmd_args = ['ipa', 'cert-request', '--principal', user,
|
||||
+ '--certificate-out', cert_file, csr_file]
|
||||
+ self.master.run_command(cmd_args)
|
||||
+
|
||||
+ # easier to count by pulling the LDAP entry
|
||||
+ entry = ldap.get_entry(DN(('uid', user), ('cn', 'users'),
|
||||
+ ('cn', 'accounts'), self.master.domain.basedn))
|
||||
+
|
||||
+ assert len(entry.get('usercertificate')) == 2
|
||||
+
|
||||
@pytest.fixture
|
||||
def test_subca_certs(self):
|
||||
"""
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,56 +0,0 @@
|
||||
From 7fb95cc638b1c9b7f2e9a67dba859ef8126f2c5f Mon Sep 17 00:00:00 2001
|
||||
From: Chris Kelley <ckelley@redhat.com>
|
||||
Date: Tue, 27 Jul 2021 21:57:26 +0100
|
||||
Subject: [PATCH] Parse getStatus as JSON not XML
|
||||
|
||||
On dogtagpki/pki master XML is being replaced by JSON, getStatus will
|
||||
return JSON in PKI 11.0+
|
||||
|
||||
The PR for dogtagpki/pki that makes this change necessary is:
|
||||
https://github.com/dogtagpki/pki/pull/3674
|
||||
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
install/tools/ipa-pki-wait-running.in | 18 ++++++++++++++----
|
||||
1 file changed, 14 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in
|
||||
index 4f0f2f34a7b0a43210676e7fd50e7029e798f301..9ca6e974e55a4d68afd06e1d9c7b67c5f926e48c 100644
|
||||
--- a/install/tools/ipa-pki-wait-running.in
|
||||
+++ b/install/tools/ipa-pki-wait-running.in
|
||||
@@ -13,6 +13,7 @@ import logging
|
||||
import sys
|
||||
import time
|
||||
from xml.etree import ElementTree
|
||||
+import json
|
||||
|
||||
from ipalib import api
|
||||
from ipaplatform.paths import paths
|
||||
@@ -74,10 +75,19 @@ def get_status(conn, timeout):
|
||||
"""
|
||||
client = SystemStatusClient(conn)
|
||||
response = client.get_status(timeout=timeout)
|
||||
- root = ElementTree.fromstring(response)
|
||||
- status = root.findtext("Status")
|
||||
- error = root.findtext("Error")
|
||||
- logging.debug("Got status '%s', error '%s'", status, error)
|
||||
+ status = None
|
||||
+ error = None
|
||||
+ try:
|
||||
+ json_response = json.loads(response)
|
||||
+ status = json_response['Response']['Status']
|
||||
+ except KeyError as e:
|
||||
+ error = repr(e)
|
||||
+ except json.JSONDecodeError:
|
||||
+ logger.debug("Response is not valid JSON, try XML")
|
||||
+ root = ElementTree.fromstring(response)
|
||||
+ status = root.findtext("Status")
|
||||
+ error = root.findtext("Error")
|
||||
+ logger.debug("Got status '%s', error '%s'", status, error)
|
||||
return status, error
|
||||
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,79 +0,0 @@
|
||||
From 40f76a53f78267b4d2b890defa3e4f7d27fdfb7a Mon Sep 17 00:00:00 2001
|
||||
From: Chris Kelley <ckelley@redhat.com>
|
||||
Date: Thu, 5 Aug 2021 12:00:15 +0100
|
||||
Subject: [PATCH] Parse cert chain as JSON not XML
|
||||
|
||||
On dogtagpki/pki master XML is being replaced by JSON in PKI 11.0+
|
||||
|
||||
The PR for dogtagpki/pki that makes this change necessary is:
|
||||
https://github.com/dogtagpki/pki/pull/3677
|
||||
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipapython/dogtag.py | 28 +++++++++++++++++++---------
|
||||
1 file changed, 19 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
|
||||
index 0503938fb9783d397cc7366339bb9fab48033985..8f0f0473ae313edb17e10de8b2ca7f43f231e706 100644
|
||||
--- a/ipapython/dogtag.py
|
||||
+++ b/ipapython/dogtag.py
|
||||
@@ -20,6 +20,7 @@
|
||||
import collections
|
||||
import gzip
|
||||
import io
|
||||
+import json
|
||||
import logging
|
||||
from urllib.parse import urlencode
|
||||
import xml.dom.minidom
|
||||
@@ -100,6 +101,10 @@ def get_ca_certchain(ca_host=None):
|
||||
data = res.read()
|
||||
conn.close()
|
||||
try:
|
||||
+ doc = json.loads(data)
|
||||
+ chain = doc['Response']['ChainBase64']
|
||||
+ except (json.JSONDecodeError, KeyError):
|
||||
+ logger.debug("Response is not valid JSON, try XML")
|
||||
doc = xml.dom.minidom.parseString(data)
|
||||
try:
|
||||
item_node = doc.getElementsByTagName("ChainBase64")
|
||||
@@ -107,9 +112,9 @@ def get_ca_certchain(ca_host=None):
|
||||
except IndexError:
|
||||
raise error_from_xml(
|
||||
doc, _("Retrieving CA cert chain failed: %s"))
|
||||
- finally:
|
||||
- if doc:
|
||||
- doc.unlink()
|
||||
+ finally:
|
||||
+ if doc:
|
||||
+ doc.unlink()
|
||||
else:
|
||||
raise errors.RemoteRetrieveError(
|
||||
reason=_("request failed with HTTP status %d") % res.status)
|
||||
@@ -118,13 +123,18 @@ def get_ca_certchain(ca_host=None):
|
||||
|
||||
|
||||
def _parse_ca_status(body):
|
||||
- doc = xml.dom.minidom.parseString(body)
|
||||
try:
|
||||
- item_node = doc.getElementsByTagName("XMLResponse")[0]
|
||||
- item_node = item_node.getElementsByTagName("Status")[0]
|
||||
- return item_node.childNodes[0].data
|
||||
- except IndexError:
|
||||
- raise error_from_xml(doc, _("Retrieving CA status failed: %s"))
|
||||
+ doc = json.loads(body)
|
||||
+ return doc['Response']['Status']
|
||||
+ except (json.JSONDecodeError, KeyError):
|
||||
+ logger.debug("Response is not valid JSON, try XML")
|
||||
+ doc = xml.dom.minidom.parseString(body)
|
||||
+ try:
|
||||
+ item_node = doc.getElementsByTagName("XMLResponse")[0]
|
||||
+ item_node = item_node.getElementsByTagName("Status")[0]
|
||||
+ return item_node.childNodes[0].data
|
||||
+ except IndexError:
|
||||
+ raise error_from_xml(doc, _("Retrieving CA status failed: %s"))
|
||||
|
||||
|
||||
def ca_status(ca_host=None):
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,84 +0,0 @@
|
||||
From 5abf1bc79f8b32c6638ff98fbe2e4a8dec9a5010 Mon Sep 17 00:00:00 2001
|
||||
From: "Endi S. Dewata" <edewata@redhat.com>
|
||||
Date: Thu, 12 Aug 2021 13:26:42 -0500
|
||||
Subject: [PATCH] Specify PKI installation log paths
|
||||
|
||||
The DogtagInstance.spawn_instance() and uninstall() have
|
||||
been modified to specify the paths of PKI installation
|
||||
logs using --log-file option on PKI 11.0.0 or later.
|
||||
|
||||
This allows IPA to have a full control over the log files
|
||||
instead of relying on PKI's default log files.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8966
|
||||
Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
|
||||
---
|
||||
ipaserver/install/dogtaginstance.py | 35 ++++++++++++++++++++++++++---
|
||||
1 file changed, 32 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
|
||||
index 644acd4eacea22f41a7cd36b54553d6d7cd22690..0d9aebb542f242b81315edd016699697f2fc4091 100644
|
||||
--- a/ipaserver/install/dogtaginstance.py
|
||||
+++ b/ipaserver/install/dogtaginstance.py
|
||||
@@ -36,8 +36,10 @@ from configparser import DEFAULTSECT, ConfigParser, RawConfigParser
|
||||
|
||||
import six
|
||||
|
||||
+import pki
|
||||
from pki.client import PKIConnection
|
||||
import pki.system
|
||||
+import pki.util
|
||||
|
||||
from ipalib import api, errors, x509
|
||||
from ipalib.install import certmonger
|
||||
@@ -202,6 +204,18 @@ class DogtagInstance(service.Service):
|
||||
"-f", cfg_file,
|
||||
"--debug"]
|
||||
|
||||
+ # specify --log-file <path> on PKI 11.0.0 or later
|
||||
+
|
||||
+ pki_version = pki.util.Version(pki.specification_version())
|
||||
+ if pki_version >= pki.util.Version("11.0.0"):
|
||||
+ timestamp = time.strftime(
|
||||
+ "%Y%m%d%H%M%S",
|
||||
+ time.localtime(time.time()))
|
||||
+ log_file = os.path.join(
|
||||
+ paths.VAR_LOG_PKI_DIR,
|
||||
+ "pki-%s-spawn.%s.log" % (self.subsystem.lower(), timestamp))
|
||||
+ args.extend(["--log-file", log_file])
|
||||
+
|
||||
with open(cfg_file) as f:
|
||||
logger.debug(
|
||||
'Contents of pkispawn configuration file (%s):\n%s',
|
||||
@@ -290,10 +304,25 @@ class DogtagInstance(service.Service):
|
||||
if self.is_installed():
|
||||
self.print_msg("Unconfiguring %s" % self.subsystem)
|
||||
|
||||
+ args = [paths.PKIDESTROY,
|
||||
+ "-i", "pki-tomcat",
|
||||
+ "-s", self.subsystem]
|
||||
+
|
||||
+ # specify --log-file <path> on PKI 11.0.0 or later
|
||||
+
|
||||
+ pki_version = pki.util.Version(pki.specification_version())
|
||||
+ if pki_version >= pki.util.Version("11.0.0"):
|
||||
+ timestamp = time.strftime(
|
||||
+ "%Y%m%d%H%M%S",
|
||||
+ time.localtime(time.time()))
|
||||
+ log_file = os.path.join(
|
||||
+ paths.VAR_LOG_PKI_DIR,
|
||||
+ "pki-%s-destroy.%s.log" % (self.subsystem.lower(), timestamp))
|
||||
+ args.extend(["--log-file", log_file])
|
||||
+
|
||||
try:
|
||||
- ipautil.run([paths.PKIDESTROY,
|
||||
- "-i", 'pki-tomcat',
|
||||
- "-s", self.subsystem])
|
||||
+ ipautil.run(args)
|
||||
+
|
||||
except ipautil.CalledProcessError as e:
|
||||
logger.critical("failed to uninstall %s instance %s",
|
||||
self.subsystem, e)
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,33 +0,0 @@
|
||||
From d43b513927d6dd0a12464dd24287ce40ccaf33e4 Mon Sep 17 00:00:00 2001
|
||||
From: Chris Kelley <ckelley@redhat.com>
|
||||
Date: Fri, 10 Sep 2021 16:47:22 +0100
|
||||
Subject: [PATCH] Make Dogtag return XML for ipa cert-find
|
||||
|
||||
Using JSON by default within Dogtag appears to cause ipa cert-find to
|
||||
return JSON, when the request was made with XML. We can request that XML
|
||||
is returned as before by specifying so in the request header.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/8980
|
||||
Signed-off-by: Chris Kelley <ckelley@redhat.com>
|
||||
Reviewed-By: Francois Cami <fcami@redhat.com>
|
||||
---
|
||||
ipaserver/plugins/dogtag.py | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
|
||||
index be2e4bb4e2a1b96c1bff6056da30c704c36789f3..b4feddfac19a4c5659d29bf7b6f5fd9b1247524c 100644
|
||||
--- a/ipaserver/plugins/dogtag.py
|
||||
+++ b/ipaserver/plugins/dogtag.py
|
||||
@@ -1832,7 +1832,8 @@ class ra(rabase.rabase, RestClient):
|
||||
method='POST',
|
||||
headers={'Accept-Encoding': 'gzip, deflate',
|
||||
'User-Agent': 'IPA',
|
||||
- 'Content-Type': 'application/xml'},
|
||||
+ 'Content-Type': 'application/xml',
|
||||
+ 'Accept': 'application/xml'},
|
||||
body=payload
|
||||
)
|
||||
|
||||
--
|
||||
2.31.1
|
||||
|
@ -1,16 +0,0 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmDbPRQACgkQRxniuKu/
|
||||
Yhr7uBAAnpF70nH8Cn/HhKKpfafPoN3B9fDNIfAa+jsJ52OyeNMKVNi4MEob32iN
|
||||
1aMGGFCJUMle/M7v1+w8WH59eiHs1jKHcFZnl2R4Ap5SxVtypYT+ewXbNnSHII2w
|
||||
qWS5PvLkJwjh6Bw/HlyBwDRSrw9Yah4oZZbJt3zE06+Imr8BpB3IWqyhuAi7FjYO
|
||||
J9hHCwCvtJvWK4yplZSXCt8OS1JA68/Djgjecm5lUSamuqKaBVhDb+ZAPLDJpBf5
|
||||
Pz2JpUF/W/rplt+Q9wAFdhDB9iC0vd3MBkgs4KPsjuyS9+GGNu8LyXs0C1Wm/VgX
|
||||
liX2pjZmpnTrhH3QQ2nufwH784ZpinXxS2fcbvCfX1Utgr77wNHjwqDt2NBffJl1
|
||||
BM7JJr1ZwGOGSki6yjRDXbeSAsiEX9l7f2mv2t/8ZjHMRJ7mJmBbmh5Qhk5qsMou
|
||||
BptNDE20cG77xcjBtTCDpii/UatETuNAyMd/l2smfe76z8y61fQrvScxRwOCHckw
|
||||
u/ERChpBZOUlQt59Efj3ja313oXZMxXRw01n/72Hh5rnk+XZf75zQ1zUDBYnwzAr
|
||||
4cdqyrfpFkQu1sRQvgjT8ZLkP8istjRdVEI/Oj61zb5+6+scQ/Zh/R/mYGCV4/h+
|
||||
RzojBwUAXuwUMrj1jTbb5Lkz58+vY3Lk4xNOY2hSAc8rCcDVRZY=
|
||||
=TQFs
|
||||
-----END PGP SIGNATURE-----
|
16
SOURCES/freeipa-4.9.8.tar.gz.asc
@ -0,0 +1,16 @@
|
||||
-----BEGIN PGP SIGNATURE-----
|
||||
|
||||
iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmGf1XcACgkQaYdvcqbi
|
||||
00/kMQ//Vano94V0/L3YsLaqKiFcGo/py5pTq1Os3wB9zzCYSuU0P/eajuHLBYNe
|
||||
MfxecZihFFlmUdNooNWbewT4CE0ey1qFLwPfGXuLrse6fXVLLaYnAv2mkPUmDSpM
|
||||
XfXO0PFU0BtdkMAUsdUATngPCpQzYjVUKsAMwPovi3UcLzFZ8tWJKMA55urhwC4q
|
||||
E042wPLqzcX6Ee5JBSBkfNe35vG2LY7o3Ynh8SVCee2lBJvdWiuFT5XRhybXUsOp
|
||||
q3eTsVPz68p7CvOrjlLSsWPP0nbGF1O1UQsN+oaDZAav1Nx8lTOlxUCUQXWbs2X6
|
||||
BTUAOmZ6VjYu61sNgNSj+BSHlHIT3uRJ55JO5nLH/hLm0Oxn6SGRTVMueqV376QA
|
||||
CsIk7UrdcX9QUtu70eRxuu1aAWJ5eaF4GDWnFP+62wzd/d6LjWEE+9kXgvrcTF0C
|
||||
UzjWrmbI8x23bB4kqcROHz8lryMsBpZ94QKPHVppMiPgapDKRkculYkSeRLboADi
|
||||
q4mh2prkDSq9diWV4HvZTGwPU77oiLrQsvbGuvwD62PAlyQ4rZpfW3FllTL2Lcxy
|
||||
urA8a9UnQWQtDOsZIyxmMJ7R04gjI5fZfDhq6S09L9MfjFEKjsqO4FzXamj+SbAo
|
||||
w25sIp1qT0sV1vOt+/R/HYSIyggQyTZpQJu5UB34QLqpfDdUwFg=
|
||||
=t9up
|
||||
-----END PGP SIGNATURE-----
|
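Review bot: The signature that replaces SOURCES/freeipa-4.9.6.tar.gz.asc appears to be issued by a different key than the one removed: decoding the armored packet headers, the old signature carries issuer key ID 4719E2B8ABBF621A (RSA, SHA-512 hash) while this new one carries 69876F72A6E2D34F (RSA, SHA-256 hash), so any keyring used to verify the tarball against this .asc must already trust the new key, otherwise the verification silently stops proving anything. The spec hunks visible in this commit show no `%{gpgverify}`-style step over Source1, so it cannot be seen here whether the .asc is checked at build time at all; if it is checked elsewhere, confirm the new key ID against the published FreeIPA release key before relying on this import, and if it is not checked, note that the file is informational only. The matching tarball hash and name update is in an earlier part of the page.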
@ -1,3 +1,5 @@
|
||||
%define ipa_requires_gt() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} >= %%{epoch}:%%{version}-%%{release}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
|
||||
|
||||
# ipatests enabled by default, can be disabled with --without ipatests
|
||||
%bcond_without ipatests
|
||||
# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml
|
||||
@ -69,7 +71,7 @@
|
||||
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
|
||||
%global python_netaddr_version 0.7.19
|
||||
# Require 4.7.0 which brings Python 3 bindings
|
||||
%global samba_version 4.12.3-12
|
||||
%global samba_version 4.15.2-2
|
||||
%global selinux_policy_version 3.14.3-52
|
||||
%global slapi_nis_version 0.56.4
|
||||
%global python_ldap_version 3.1.0-1
|
||||
@ -111,7 +113,7 @@
|
||||
%if 0%{?fedora} < 34
|
||||
%global ds_version 1.4.4.16-1
|
||||
%else
|
||||
%global ds_version 2.0.5-1
|
||||
%global ds_version 2.0.7-1
|
||||
%endif
|
||||
|
||||
# Fix for TLS 1.3 PHA, RHBZ#1775146
|
||||
@ -183,7 +185,7 @@
|
||||
|
||||
# Work-around fact that RPM SPEC parser does not accept
|
||||
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
|
||||
%define IPA_VERSION 4.9.6
|
||||
%define IPA_VERSION 4.9.8
|
||||
# Release candidate version -- uncomment with one percent for RC versions
|
||||
#%%global rc_version %%nil
|
||||
%define AT_SIGN @
|
||||
@ -196,7 +198,7 @@
|
||||
|
||||
Name: %{package_name}
|
||||
Version: %{IPA_VERSION}
|
||||
Release: 9%{?rc_version:.%rc_version}%{?dist}
|
||||
Release: 1%{?rc_version:.%rc_version}%{?dist}
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
License: GPLv3+
|
||||
@ -216,66 +218,8 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
|
||||
# RHEL spec file only: START
|
||||
%if %{NON_DEVELOPER_BUILD}
|
||||
%if 0%{?rhel} >= 8
|
||||
Patch0001: 0001-Remove-unneeded-dependency-on-python-coverage.patch
|
||||
Patch0002: 0002-Add-checks-to-prevent-adding-auth-indicators-to-inte.patch
|
||||
Patch0003: 0003-ipatests-ensure-auth-indicators-can-t-be-added-to-in.patch
|
||||
Patch0004: 0004-stageuser-add-ipauserauthtypeclass-when-required.patch
|
||||
Patch0005: 0005-XMLRPC-test-add-a-test-for-stageuser-add-user-auth-t.patch
|
||||
Patch0006: 0006-augeas-bump-version-for-rhel9.patch
|
||||
Patch0007: 0007-man-page-update-ipa-server-upgrade.1.patch
|
||||
Patch0008: 0008-Add-basic-support-for-subordinate-user-group-ids.patch
|
||||
Patch0009: 0009-Redesign-subid-feature.patch
|
||||
Patch0010: 0010-Use-389-DS-dnaInterval-setting-to-assign-intervals.patch
|
||||
Patch0011: 0011-Fix-ipa-server-upgrade.patch
|
||||
Patch0012: 0012-Fix-oid-of-ipaUserDefaultSubordinateId.patch
|
||||
Patch0013: 0013-WebUI-Improve-subordinate-ids-user-workflow.patch
|
||||
Patch0014: 0014-Test-DNA-plugin-configuration.patch
|
||||
Patch0015: 0015-Fall-back-to-krbprincipalname-when-validating-host-a.patch
|
||||
Patch0016: 0016-spec-file-Trust-controller-role-should-pull-sssd-win.patch
|
||||
Patch0017: 0017-Use-new-method-in-check-to-prevent-removal-of-last-K.patch
|
||||
Patch0018: 0018-ipatests-test-removing-last-KRA-when-it-is-not-runni.patch
|
||||
Patch0019: 0019-rhel-platform-add-a-named-crypto-policy-support.patch
|
||||
Patch0020: 0020-Index-Fix-definition-for-memberOf.patch
|
||||
Patch0021: 0021-ipatests-use-whole-date-when-calling-journalctl-sinc.patch
|
||||
Patch0022: 0022-ipatests-Fix-for-test_source_ipahealthcheck_ipa_host.patch
|
||||
Patch0023: 0023-ipatests-test_ipahealthcheck-print-a-message-if-a-sy.patch
|
||||
Patch0024: 0024-ipatests-test_installation-move-tracking_reqs-depend.patch
|
||||
Patch0025: 0025-webui-tests-close-notification-when-revoking-cert.patch
|
||||
Patch0026: 0026-ipatests-Test-ipa-cert-fix-warns-when-startup-direct.patch
|
||||
Patch0027: 0027-webui-tests-fix-algo-for-finding-available-idrange.patch
|
||||
Patch0028: 0028-ipatests-smbclient-k-use-kerberos-desired.patch
|
||||
Patch0029: 0029-test_acme-refactor-with-tasks.patch
|
||||
Patch0030: 0030-test_acme-make-password-renewal-more-robust.patch
|
||||
Patch0031: 0031-tasks.py-fix-flake8-reported-issues.patch
|
||||
Patch0032: 0032-Fix-ldapupdate.get_sub_dict-for-missing-named-user.patch
|
||||
Patch0033: 0033-freeipa.spec.in-remove-python3-pexpect-from-Requires.patch
|
||||
Patch0034: 0034-ipa-getkeytab-add-option-to-discover-servers-using-D.patch
|
||||
Patch0035: 0035-ipa-getkeytab-fix-compiler-warnings.patch
|
||||
Patch0036: 0036-ipatests-test-ipa-getkeytab-server-option.patch
|
||||
Patch0037: 0037-ipatests-Test-for-OTP-when-the-LDAP-connection-timed.patch
|
||||
Patch0038: 0038-ipatests-verify-that-getcert-output-includes-the-iss.patch
|
||||
Patch0039: 0039-ipatests-Look-for-warning-into-stderr-instead-of-std.patch
|
||||
Patch0040: 0040-ipatests-use-krb5_trace-in-TestIpaAdTrustInstall.patch
|
||||
Patch0041: 0041-ipatests-Test-ldapsearch-with-base-scope-works-with-.patch
|
||||
Patch0042: 0042-ipatests-skip-test_basesearch_compat_tree-on-fedora.patch
|
||||
Patch0043: 0043-ipatests-Refactor-test_check_otpd_after_idle_timeout.patch
|
||||
Patch0044: 0044-ipatests-Test-unsecure-nsupdate.patch
|
||||
Patch0045: 0045-ipatests-Fix-TestAJPSecretUpgrade-tests-on-systems-w.patch
|
||||
Patch0046: 0046-ipatests-test_ipahealthcheck-Verify-permissions-for-.patch
|
||||
Patch0047: 0047-ipatests-test-to-renew-certs-on-replica-using-ipa-ce.patch
|
||||
Patch0048: 0048-ipatests-wait-while-http-ldap-pkinit-cert-get-renew-.patch
|
||||
Patch0049: 0049-ipatests-refactor-test_ipa_cert_fix-with-tasks.patch
|
||||
Patch0050: 0050-ipatests-use-whole-date-for-journalctl-since.patch
|
||||
Patch0051: 0051-selinux-policy-allow-custodia-to-access-proc-cpuinfo.patch
|
||||
Patch0052: 0052-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ.patch
|
||||
Patch0053: 0053-subid-subid-match-display-the-owner-s-ID-not-DN.patch
|
||||
Patch0054: 0054-migrate-ds-workaround-to-detect-compat-tree.patch
|
||||
Patch0055: 0055-Don-t-store-entries-with-a-usercertificate-in-the-LD.patch
|
||||
Patch0056: 0056-ipatests-Test-that-a-user-can-be-issued-multiple-cer.patch
|
||||
Patch0057: 0057-Parse-getStatus-as-JSON-not-XML.patch
|
||||
Patch0058: 0058-Parse-cert-chain-as-JSON-not-XML.patch
|
||||
Patch0059: 0059-Specify-PKI-installation-log-paths.patch
|
||||
Patch0060: 0060-Make-Dogtag-return-XML-for-ipa-cert-find.patch
|
||||
Patch0001: 0001-ipa-kdb-issue-PAC_REQUESTER_SID-only-for-TGTs.patch
|
||||
Patch0002: 0002-ipa-kdb-fix-requester-SID-check-according-to-MS-KILE.patch
|
||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||
%endif
|
||||
%endif
|
||||
@ -528,6 +472,8 @@ Requires: gssproxy >= 0.7.0-2
|
||||
Requires: sssd-dbus >= %{sssd_version}
|
||||
Requires: libpwquality
|
||||
Requires: cracklib-dicts
|
||||
# NDR libraries are internal in Samba and change with version without changing SONAME
|
||||
%ipa_requires_gt samba-client-libs
|
||||
|
||||
Provides: %{alt_name}-server = %{version}
|
||||
Conflicts: %{alt_name}-server
|
||||
@ -627,9 +573,11 @@ Requires: %{name}-server = %{version}-%{release}
|
||||
Requires: bind-dyndb-ldap >= 11.2-2
|
||||
Requires: bind >= %{bind_version}
|
||||
Requires: bind-utils >= %{bind_version}
|
||||
# bind-dnssec-utils is required by the OpenDNSSec integration
|
||||
# https://pagure.io/freeipa/issue/9026
|
||||
Requires: bind-dnssec-utils >= %{bind_version}
|
||||
%if %{with bind_pkcs11}
|
||||
Requires: bind-pkcs11 >= %{bind_version}
|
||||
Requires: bind-pkcs11-utils >= %{bind_version}
|
||||
%else
|
||||
Requires: softhsm >= %{softhsm_version}
|
||||
Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
|
||||
@ -1433,6 +1381,7 @@ fi
|
||||
%dir %{_libexecdir}/ipa/oddjob
|
||||
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
|
||||
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
|
||||
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid
|
||||
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
|
||||
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
|
||||
%dir %{_libexecdir}/ipa/certmonger
|
||||
@ -1762,26 +1711,37 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Dec 02 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-1
|
||||
- Resolves: rhbz#2015608 - [Rebase] Rebase ipa to latest 4.9.x release RHEL9
|
||||
- Resolves: rhbz#1825010 - Concerns regarding 'ipa pwpolicy-mod --minlife 24 --maxlife 1'
|
||||
- Resolves: rhbz#1966289 - Info about searchrecordslimit set search limit to 10,000 after upgrade
|
||||
- Resolves: rhbz#1980356 - reinstalling samba client causes winbindd coredump
|
||||
- Resolves: rhbz#1986054 - fix automountlocation-tofiles output
|
||||
- Resolves: rhbz#2020205 - Missing bind-pkcs11-utils causing failures in OpenDNSSec
|
||||
- Resolves: rhbz#2021445 - CVE-2020-25719 ipa: samba: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets
|
||||
- ipa-kdb: issue PAC_REQUESTER_SID only for TGTs
|
||||
- ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates
|
||||
|
||||
* Tue Oct 5 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-9
|
||||
- Resolves: rhbz#2010195 ipa-server-install fails while 'configuring certificate server instance'
|
||||
- Resolves: rhbz#2010701 ipa-server-install fails while 'configuring certificate server instance'
|
||||
- Parse getStatus as JSON not XML
|
||||
- Parse cert chain as JSON not XML
|
||||
- Specify PKI installation log paths
|
||||
- Make Dogtag return XML for ipa cert-find
|
||||
|
||||
* Fri Sep 17 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-8
|
||||
- Resolves: rhbz#2004922 ipa cert-request replaces user certificate instead of adding
|
||||
- Resolves: rhbz#2005864 ipa cert-request replaces user certificate instead of adding
|
||||
- Don't store entries with a usercertificate in the LDAP cache
|
||||
- ipatests: Test that a user can be issued multiple certificates
|
||||
|
||||
* Fri Sep 10 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-7
|
||||
- Resolves: rhbz#2000629 AVC denied { read } comm="ipa-custodia" on aarch64 during installation of ipa-server
|
||||
- Resolves: rhbz#2003005 AVC denied { read } comm="ipa-custodia" on aarch64 during installation of ipa-server
|
||||
- selinux policy: allow custodia to access /proc/cpuinfo
|
||||
- Resolves: rhbz#2000269 extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
|
||||
- Resolves: rhbz#2003004 extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
|
||||
- extdom: return LDAP_NO_SUCH_OBJECT if domains differ
|
||||
- Resolves: rhbz#2000947 subid: subid-match displays the DN of the owner, not its UID.
|
||||
- Resolves: rhbz#2003003 subid: subid-match displays the DN of the owner, not its UID.
|
||||
- subid: subid-match: display the owner's ID not DN
|
||||
- Resolves: rhbz #2002285 ipa migrate-ds command fails to warn when compat plugin is enabled
|
||||
- Resolves: rhbz#2013116 ipa migrate-ds command fails to warn when compat plugin is enabled
|
||||
- migrate-ds: workaround to detect compat tree
|
||||
|
||||
* Thu Aug 26 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-6
|
||||
|
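Review bot: The `%ipa_requires_gt` macro defined in the first hunk (`@ -1,3 +1,5 @@`, which appears to add it) and used in `@ -528,6 +472,8 @@` as `%ipa_requires_gt samba-client-libs` silently emits nothing when the queried package is not installed on the build host: `rpm -q` prints "package ... is not installed", `grep -v "is not"` drops that line, and the built package then simply lacks `Requires: samba-client-libs` instead of failing the build. Because the `%(...)` shell expansion runs at spec-parse time, the runtime dependency now depends on the buildroot's installed set, and the hunk does not show a matching `BuildRequires: samba-client-libs` that would guarantee the query resolves, though one may exist outside the visible hunks. I would at least document this next to the definition: `# NOTE: expands to an empty string (no Requires at all) when the package is absent from the build host; keep a matching BuildRequires so the version query can resolve.` and consider making the macro fail loudly rather than print nothing when `rpm -q` reports the package missing.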