rpms
/
ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import ipa-4.9.8-1.el9

This commit is contained in:
CentOS Sources 2022-01-11 11:48:31 -05:00 committed by Stepan Oksanichenko
parent 11a53dc8c9
commit f6c7a5ebb5
67 changed files with 207 additions and 9828 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/freeipa-4.9.6.tar.gz
SOURCES/freeipa-4.9.8.tar.gz

2
.ipa.metadata
View File

@ -1 +1 @@
b7b91082908db35e4acbcd0221b8df4044913dc1 SOURCES/freeipa-4.9.6.tar.gz
38641a7f95779ba35089fcc10e25ec82a9b0248e SOURCES/freeipa-4.9.8.tar.gz

30
SOURCES/0001-Remove-unneeded-dependency-on-python-coverage.patch
View File

@ -1,30 +0,0 @@
From 01f4b9d7935ca41c93b17e28543054f36e5baf46 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 30 Jun 2021 14:57:32 +0200
Subject: [PATCH] Remove unneeded dependency on python-coverage
The spec file requires python3-coverage although it is not
used in the project.
Fixes: https://pagure.io/freeipa/issue/8905
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
---
freeipa.spec.in | 1 -
1 file changed, 1 deletion(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index fdca43a24a6e07f77b9cd8a0feec940a0366f128..fbfe4d09eedc169112dcdc18a953134de67b7731 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -872,7 +872,6 @@ BuildArch: noarch
Requires: python3-ipaclient = %{version}-%{release}
Requires: python3-ipaserver = %{version}-%{release}
Requires: iptables
-Requires: python3-coverage
Requires: python3-cryptography >= 1.6
Requires: python3-pexpect
%if 0%{?fedora}
--
2.26.3

36
SOURCES/0001-ipa-kdb-issue-PAC_REQUESTER_SID-only-for-TGTs.patch Normal file
View File

@ -0,0 +1,36 @@
From 669f3d71161741c676ddd6a08bd08d4a4ccd495b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 26 Nov 2021 17:40:54 +0200
Subject: [PATCH] ipa-kdb: issue PAC_REQUESTER_SID only for TGTs
MS-KILE 3.3.5.6.4.8 in revision after Windows Server November 2021
security fixes added the following requirement:
- PAC_REQUESTER_SID is only added in TGT case (including referrals and
tickets to RODCs)
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 6f7d1ac15daf17dfca36ebd3265c866725d24717..538cfbba958068bd2ee0aaae7a2743ae82237898 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1148,7 +1148,8 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
#endif
#ifdef HAVE_PAC_REQUESTER_SID
- {
+ /* MS-KILE 3.3.5.6.4.8: add PAC_REQUESTER_SID only in TGT case */
+ if ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0) {
union PAC_INFO pac_requester_sid;
/* == Package PAC_REQUESTER_SID == */
memset(&pac_requester_sid, 0, sizeof(pac_requester_sid));
--
2.31.1

134
SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte.patch
View File

@ -1,134 +0,0 @@
From dffccae7193b0616cb84792edec480f5f67e1fc6 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 8 Mar 2021 18:15:50 +0100
Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA
services
Authentication indicators should not be enforced against internal
IPA services, since not all users of those services are able to produce
Kerberos tickets with all the auth indicator options. This includes
host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
If a client that is being promoted to replica has an auth indicator
in its host principal then the promotion is aborted.
Fixes: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
ipaserver/install/server/replicainstall.py | 13 ++++++++++++
ipaserver/plugins/host.py | 5 ++++-
ipaserver/plugins/service.py | 24 ++++++++++++++++++++++
3 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 73967a2249d5c8944d70c5c3ca9a9d3b3bfc6b73..f1fb9103687ce9719ef24c8cb3c41088a4003b25 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn):
))
+def promotion_check_host_principal_auth_ind(conn, hostdn):
+ entry = conn.get_entry(hostdn, ['krbprincipalauthind'])
+ if 'krbprincipalauthind' in entry:
+ raise RuntimeError(
+ "Client cannot be promoted to a replica if the host principal "
+ "has an authentication indicator set."
+ )
+
+
@common_cleanup
@preserve_enrollment_state
def promote_check(installer):
@@ -956,6 +965,10 @@ def promote_check(installer):
config.master_host_name, None)
promotion_check_ipa_domain(conn, remote_api.env.basedn)
+ hostdn = DN(('fqdn', api.env.host),
+ api.env.container_host,
+ api.env.basedn)
+ promotion_check_host_principal_auth_ind(conn, hostdn)
# Make sure that domain fulfills minimal domain level
# requirement
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index eb1f8ef042faf4b0deadfd5cef47f7688836506e..41fa933e2422184eafc4eae185a163082b96e045 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
LDAPAddAttributeViaOption,
LDAPRemoveAttributeViaOption)
from .service import (
- validate_realm, normalize_principal,
+ validate_realm, validate_auth_indicator, normalize_principal,
set_certificate_attrs, ticket_flags_params, update_krbticketflags,
set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
rename_ipaallowedtoperform_to_ldap, revoke_certs)
@@ -735,6 +735,8 @@ class host_add(LDAPCreate):
update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
if 'krbticketflags' in entry_attrs:
entry_attrs['objectclass'].append('krbticketpolicyaux')
+ validate_auth_indicator(entry_attrs)
+
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate):
if 'krbprincipalaux' not in (item.lower() for item in
entry_attrs['objectclass']):
entry_attrs['objectclass'].append('krbprincipalaux')
+ validate_auth_indicator(entry_attrs)
add_sshpubkey_to_attrs_pre(self.context, attrs_list)
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 1c93478049f5bdfdaf8503e459bd962dbbee9b44..cfbbff3c69c6a92535df58c51767c3d0952c7b0b 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal):
raise errors.RealmMismatch()
+def validate_auth_indicator(entry):
+ new_value = entry.get('krbprincipalauthind', None)
+ if not new_value:
+ return
+ # The following services are considered internal IPA services
+ # and shouldn't be allowed to have auth indicators.
+ # https://pagure.io/freeipa/issue/8206
+ pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
+ principal = kerberos.Principal(pkey)
+ server = api.Command.server_find(principal.hostname)['result']
+ if server:
+ prefixes = ("host", "cifs", "ldap", "HTTP")
+ else:
+ prefixes = ("cifs",)
+ if principal.service_name in prefixes:
+ raise errors.ValidationError(
+ name='krbprincipalauthind',
+ error=_('authentication indicators not allowed '
+ 'in service "%s"' % principal.service_name)
+ )
+
+
def normalize_principal(value):
"""
Ensure that the name in the principal is lower-case. The realm is
@@ -652,6 +674,7 @@ class service_add(LDAPCreate):
hostname)
self.obj.validate_ipakrbauthzdata(entry_attrs)
+ validate_auth_indicator(entry_attrs)
if not options.get('force', False):
# We know the host exists if we've gotten this far but we
@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate):
assert isinstance(dn, DN)
self.obj.validate_ipakrbauthzdata(entry_attrs)
+ validate_auth_indicator(entry_attrs)
# verify certificates
certs = entry_attrs.get('usercertificate') or []
--
2.26.3

122
SOURCES/0002-ipa-kdb-fix-requester-SID-check-according-to-MS-KILE.patch Normal file
View File

@ -0,0 +1,122 @@
From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 26 Nov 2021 11:13:51 +0200
Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and
MS-SFU updates
New versions of MS-KILE and MS-SFU after Windows Server November 2021
security updates add PAC_REQUESTER_SID buffer check behavior:
- PAC_REQUESTER_SID should only be added for TGT requests
- if PAC_REQUESTER_SID is present, KDC must verify that the cname on
the ticket resolves to the account with the same SID as the
PAC_REQUESTER_SID. If it doesn't KDC must respond with
KDC_ERR_TKT_REVOKED
Change requester SID check to skip exact check for non-local
PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
we know about.
If requester SID is the same as in PAC, we already do cname vs PAC SID
verification.
With these changes FreeIPA works against Windows Server 2019 with
November 2021 security fixes in cross-realm S4U2Self operations.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++---------
1 file changed, 34 insertions(+), 13 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 538cfbba958068bd2ee0aaae7a2743ae82237898..1b972c167dd50619c7a6bd78eb5c81b0e05a4832 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
"local [%s], PAC [%s]",
dom ? dom : "<failed to display>",
sid ? sid : "<failed to display>");
- return KRB5KDC_ERR_POLICY;
+ return KRB5KDC_ERR_TGT_REVOKED;
}
}
@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
if (kerr != 0) {
krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed.");
- return KRB5KDC_ERR_POLICY;
+ return KRB5KDC_ERR_TGT_REVOKED;
}
ied = (struct ipadb_e_data *)client_actual->e_data;
@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
"local [%s] vs PAC [%s]",
local_sid ? local_sid : "<failed to display>",
pac_sid ? pac_sid : "<failed to display>");
- kerr = KRB5KDC_ERR_POLICY;
+ kerr = KRB5KDC_ERR_TGT_REVOKED;
goto done;
}
@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
/* Check that requester SID is the same as in the PAC entry */
if (requester_sid != NULL) {
struct dom_sid client_sid;
+ bool is_from_trusted_domain = false;
kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid);
if (kerr) {
goto done;
}
result = dom_sid_check(&client_sid, requester_sid, true);
if (!result) {
- /* memctx is freed by the caller */
- char *pac_sid = dom_sid_string(tmpctx, &client_sid);
- char *req_sid = dom_sid_string(tmpctx, requester_sid);
- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
- "different from what PAC requester claims. "
- "PAC [%s] vs PAC requester [%s]",
- pac_sid ? pac_sid : "<failed to display>",
- req_sid ? req_sid : "<failed to display>");
- kerr = KRB5KDC_ERR_POLICY;
- goto done;
+ struct ipadb_context *ipactx = ipadb_get_context(context);
+ if (!ipactx || !ipactx->mspac) {
+ return KRB5_KDB_DBNOTINITED;
+ }
+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
+ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
+ /* Iterate through list of trusts and check if this SID belongs to
+ * one of the domains we trust */
+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
+ requester_sid, false);
+ if (result) {
+ is_from_trusted_domain = true;
+ break;
+ }
+ }
+ }
+
+ if (!is_from_trusted_domain) {
+ /* memctx is freed by the caller */
+ char *pac_sid = dom_sid_string(tmpctx, &client_sid);
+ char *req_sid = dom_sid_string(tmpctx, requester_sid);
+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
+ "different from what PAC requester claims. "
+ "PAC [%s] vs PAC requester [%s]",
+ pac_sid ? pac_sid : "<failed to display>",
+ req_sid ? req_sid : "<failed to display>");
+ kerr = KRB5KDC_ERR_TGT_REVOKED;
+ goto done;
+ }
}
}
--
2.31.1

138
SOURCES/0003-ipatests-ensure-auth-indicators-can-t-be-added-to-in.patch
View File

@ -1,138 +0,0 @@
From 538a9992fd1394ed24cbcdf2a2a27694ac28da55 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 8 Mar 2021 18:20:35 +0100
Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal
IPA services
Authentication indicators should not be added to internal IPA services,
since this can lead to a broken IPA setup. In case a client with
an auth indicator set in its host principal, promoting it to a replica
should fail.
Related: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
.../test_replica_promotion.py | 38 +++++++++++++++++++
ipatests/test_xmlrpc/test_host_plugin.py | 10 +++++
ipatests/test_xmlrpc/test_service_plugin.py | 21 ++++++++++
3 files changed, 69 insertions(+)
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 0a137dbdcb068811899e7ff7914730f14ea651c1..b9c56f775d08885cb6b1226eeb7bcf105f87cdc1 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
assert result.returncode == 1
assert expected_err in result.stderr_text
+ @replicas_cleanup
+ def test_install_with_host_auth_ind_set(self):
+ """ A client shouldn't be able to be promoted if it has
+ any auth indicator set in the host principal.
+ https://pagure.io/freeipa/issue/8206
+ """
+
+ client = self.replicas[0]
+ # Configure firewall first
+ Firewall(client).enable_services(["freeipa-ldap",
+ "freeipa-ldaps"])
+
+ client.run_command(['ipa-client-install', '-U',
+ '--domain', self.master.domain.name,
+ '--realm', self.master.domain.realm,
+ '-p', 'admin',
+ '-w', self.master.config.admin_password,
+ '--server', self.master.hostname,
+ '--force-join'])
+
+ tasks.kinit_admin(client)
+
+ client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
+ client.hostname])
+
+ res = client.run_command(['ipa-replica-install', '-U', '-w',
+ self.master.config.dirman_password],
+ raiseonerr=False)
+
+ client.run_command(['ipa', 'host-mod', '--auth-ind=',
+ client.hostname])
+
+ expected_err = ("Client cannot be promoted to a replica if the host "
+ "principal has an authentication indicator set.")
+ assert res.returncode == 1
+ assert expected_err in res.stderr_text
+
+
@replicas_cleanup
def test_one_command_installation(self):
"""
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index c66bbc865cd5e1ee5ee5e1874c177a3ea9b08c93..9cfde3565d48e103a0549e2bfb7579e07668f41b 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
error=u'An IPA master host cannot be deleted or disabled')):
command()
+ def test_try_add_auth_ind_master(self, this_host):
+ command = this_host.make_update_command({
+ u'krbprincipalauthind': u'radius'})
+ with raises_exact(errors.ValidationError(
+ name='krbprincipalauthind',
+ error=u'authentication indicators not allowed '
+ 'in service "host"'
+ )):
+ command()
+
@pytest.mark.tier1
class TestValidation(XMLRPC_test):
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index 4c845938c33e2eca4235d53c4f4644c2fcdeda9c..ed634a0455a41dce367ed638634d1fc6d9e47553 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -25,6 +25,7 @@ from ipalib import api, errors
from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
+from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
from ipatests.test_xmlrpc import objectclasses
from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
@@ -1552,6 +1553,15 @@ def indicators_host(request):
return tracker.make_fixture(request)
+@pytest.fixture(scope='function')
+def this_host(request):
+ """Fixture for the current master"""
+ tracker = HostTracker(name=api.env.host.partition('.')[0],
+ fqdn=api.env.host)
+ tracker.exists = True
+ return tracker
+
+
@pytest.fixture(scope='function')
def indicators_service(request):
tracker = ServiceTracker(
@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
expected_updates={u'krbprincipalauthind': [u'radius']}
)
+ def test_update_indicator_internal_service(self, this_host):
+ command = this_host.make_command('service_mod',
+ 'ldap/' + this_host.fqdn,
+ **dict(krbprincipalauthind='otp'))
+ with raises_exact(errors.ValidationError(
+ name='krbprincipalauthind',
+ error=u'authentication indicators not allowed '
+ 'in service "ldap"'
+ )):
+ command()
+
@pytest.fixture(scope='function')
def managing_host(request):
--
2.26.3

57
SOURCES/0004-stageuser-add-ipauserauthtypeclass-when-required.patch
View File

@ -1,57 +0,0 @@
From a8d6257b2cf64c3dd2b1c5d7bcf81acc3b766853 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 5 Jul 2021 09:51:41 +0200
Subject: [PATCH] stageuser: add ipauserauthtypeclass when required
The command
ipa stageuser-add --user-auth-type=xxx
is currently failing because the objectclass ipauserauthtypeclass
is missing from the created entry.
There is code adding the missing objectclass in the
pre_common_callback method of user_add, and this code should
be common to user_add and stageuser_add. In order to avoid code
duplication, it makes more sense to move the existing code to
pre_common_callback of baseuser_add, that is called by both
classes.
Fixes: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/baseuser.py | 3 +++
ipaserver/plugins/user.py | 4 ----
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index ae16a978ab01f9c5c257e9cb5567c918a7fafdc5..6035228f19ef8acaf4992490d5512c126881816d 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate):
if entry_attrs.get('ipatokenradiususername', None):
add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
entry_attrs, update=False)
+ if entry_attrs.get('ipauserauthtype', None):
+ add_missing_object_class(ldap, u'ipauserauthtypeclass', dn,
+ entry_attrs, update=False)
def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 6f7facb5380ba56feab39b71cd265776f3ab57d8..e4ee572b236c288fd7dcf1d44c5adf1f836f63aa 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -617,10 +617,6 @@ class user_add(baseuser_add):
'ipauser' not in entry_attrs['objectclass']:
entry_attrs['objectclass'].append('ipauser')
- if 'ipauserauthtype' in entry_attrs and \
- 'ipauserauthtypeclass' not in entry_attrs['objectclass']:
- entry_attrs['objectclass'].append('ipauserauthtypeclass')
-
rcl = entry_attrs.get('ipatokenradiusconfiglink', None)
if rcl:
if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']:
--
2.26.3

32
SOURCES/0005-XMLRPC-test-add-a-test-for-stageuser-add-user-auth-t.patch
View File

@ -1,32 +0,0 @@
From 932910456e0269edefe396d4af96447f90ff29b3 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 5 Jul 2021 10:22:31 +0200
Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type
Related: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
index 5586fc607e134938225c1c982fc39d169847f549..bc606b093c98ce204ad4ea17e5c16273144fa2e7 100644
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test):
result = command()
assert result['count'] == 1
+ def test_create_withuserauthtype(self, stageduser):
+ stageduser.ensure_missing()
+ command = stageduser.make_create_command(
+ options={u'ipauserauthtype': u'password'})
+ command()
+
@pytest.mark.tier1
class TestCreateInvalidAttributes(XMLRPC_test):
--
2.26.3

40
SOURCES/0006-augeas-bump-version-for-rhel9.patch
View File

@ -1,40 +0,0 @@
From 9144526d2d7e7dcd8503c6c38226e17ebb4ed8b9 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 7 Jul 2021 10:49:25 +0200
Subject: [PATCH] augeas: bump version for rhel9
augeas 1.12.1-0.1 adds support for the new chony configuration
settings.
Related: https://pagure.io/freeipa/issue/8676
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
freeipa.spec.in | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index fbfe4d09eedc169112dcdc18a953134de67b7731..ae4af099f39641a9f5163d61cfb37e1c3afb6f4b 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -162,13 +162,16 @@
# augeas support for new chrony options
# see https://pagure.io/freeipa/issue/8676
-# Note: will need to be updated for RHEL9 when a fix is available for
# https://bugzilla.redhat.com/show_bug.cgi?id=1931787
%if 0%{?fedora} >= 33
%global augeas_version 1.12.0-6
%else
+%if 0%{?rhel} >= 9
+%global augeas_version 1.12.1-0
+%else
%global augeas_version 1.12.0-3
%endif
+%endif
%global plugin_dir %{_libdir}/dirsrv/plugins
%global etc_systemd_dir %{_sysconfdir}/systemd/system
--
2.26.3

35
SOURCES/0007-man-page-update-ipa-server-upgrade.1.patch
View File

@ -1,35 +0,0 @@
From ecb407864fde4d917dabe0aae95881561ed384ab Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 7 Jul 2021 14:11:40 +0200
Subject: [PATCH] man page: update ipa-server-upgrade.1
The man page needs to clarify in which case the command needs
to be run.
Fixes: https://pagure.io/freeipa/issue/8913
Reviewed-By: Francois Cami <fcami@redhat.com>
---
install/tools/man/ipa-server-upgrade.1 | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1
index 3db19b0f13da1f5a36bd6e8df23fc916d0401a6d..f01e21c6b599499c4c6dbbcf120b19a3431fb3ed 100644
--- a/install/tools/man/ipa-server-upgrade.1
+++ b/install/tools/man/ipa-server-upgrade.1
@@ -8,7 +8,12 @@ ipa\-server\-upgrade \- upgrade IPA server
.SH "SYNOPSIS"
ipa\-server\-upgrade [options]
.SH "DESCRIPTION"
-ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
+ipa\-server\-upgrade is executed automatically to upgrade IPA server when
+the IPA packages are being updated. It is not intended to be executed by
+end\-users, unless the automatic execution reports an error. In this case,
+the administrator needs to identify and fix the issue that is causing the
+upgrade failure (with the help of /var/log/ipaupgrade.log)
+and manually re\-run ipa\-server\-upgrade.
ipa\-server\-upgrade will:
--
2.26.3

2324
SOURCES/0008-Add-basic-support-for-subordinate-user-group-ids.patch
View File

File diff suppressed because it is too large Load Diff

2906
SOURCES/0009-Redesign-subid-feature.patch
View File

File diff suppressed because it is too large Load Diff

113
SOURCES/0010-Use-389-DS-dnaInterval-setting-to-assign-intervals.patch
View File

@ -1,113 +0,0 @@
From c9bae715b24df0f5476bdb70a2209d5f55e46a93 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 21 May 2021 09:26:33 +0200
Subject: [PATCH] Use 389-DS' dnaInterval setting to assign intervals
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
freeipa.spec.in | 3 ++-
install/share/dna.ldif | 1 +
install/updates/73-subid.update | 7 ++-----
ipaserver/plugins/subid.py | 14 +-------------
4 files changed, 6 insertions(+), 19 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 044e3559975c399f6697d4da94b5a059eb5b407c..fa649cf4e1abe8e9928ef340a66d48d78f7e3521 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -106,8 +106,9 @@
%global python_ldap_version 3.1.0-1
# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4700
+# and has DNA interval enabled
%if 0%{?fedora} < 34
-%global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.16-1'; print(v[rpm.expand('%{fedora}')])}
+%global ds_version 1.4.4.16-1
%else
%global ds_version 2.0.5-1
%endif
diff --git a/install/share/dna.ldif b/install/share/dna.ldif
index 735faab8261feef59486f7c933b01c57ad511166..9023fcd7db5a2c121c493559e2546c85c0daf69a 100644
--- a/install/share/dna.ldif
+++ b/install/share/dna.ldif
@@ -31,6 +31,7 @@ dnaScope: $SUFFIX
dnaThreshold: eval($SUBID_DNA_THRESHOLD)
dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
dnaExcludeScope: cn=provisioning,$SUFFIX
+dnaInterval: eval($SUBID_COUNT)
# TODO: enable when 389-DS' DNA plugin supports dnaStepAttr
# dnaIntervalAttr: ipasubuidcount
# dnaIntervalAttr: ipasubgidcount
diff --git a/install/updates/73-subid.update b/install/updates/73-subid.update
index 1aa43822a8b8c220583b81e08d70b648ca594363..e10703aa3f9528751233ddebe00b8c8c8fc5ed3f 100644
--- a/install/updates/73-subid.update
+++ b/install/updates/73-subid.update
@@ -62,12 +62,8 @@ default:member: cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX
# The delete-when-empty check is required because IPA uses MOD_REPLACE to
# set attributes, see https://github.com/389ds/389-ds-base/issues/4597.
#
-# TODO: remove (ipasubuidnumber>=eval($SUBID_RANGE_START) from
-# self-service permission when 389-DS' DNA plugin supports dnaStepAttr and
-# fake_dna_plugin hack has been removed.
-#
dn: cn=subids,cn=accounts,$SUFFIX
-add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=eval($SUBID_RANGE_START))(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=eval($SUBID_RANGE_START))(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (add, write) userattr = "ipaowner#SELFDN" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(ipasubuidnumber=-1) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(ipasubgidnumber=-1) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (add, write) userattr = "ipaowner#SELFDN" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)
add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=1)(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=1)(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "Add subordinate ids to any user";allow (add, write) groupdn="ldap:///cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX";)
# DNA plugin and idrange configuration
@@ -90,6 +86,7 @@ default: dnaScope: $SUFFIX
default: dnaThreshold: eval($SUBID_DNA_THRESHOLD)
default: dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
default: dnaExcludeScope: cn=provisioning,$SUFFIX
+default: dnaInterval: eval($SUBID_COUNT)
# TODO: enable when 389-DS' DNA plugin supports dnaStepAttr
# add: dnaIntervalAttr: ipasubuidcount
# add: dnaIntervalAttr: ipasubgidcount
diff --git a/ipaserver/plugins/subid.py b/ipaserver/plugins/subid.py
index 7d9a2f33e84bc7cdf17900346343e49d5eda0d8c..440f24ee627f0736100f63026158c564b04520c2 100644
--- a/ipaserver/plugins/subid.py
+++ b/ipaserver/plugins/subid.py
@@ -2,7 +2,6 @@
# Copyright (C) 2021 FreeIPA Contributors see COPYING for license
#
-import random
import uuid
from ipalib import api
@@ -291,12 +290,8 @@ class subid(LDAPObject):
_entry_attrs = ldap.get_entry(dn, ["objectclass"])
entry_attrs["objectclass"] = _entry_attrs["objectclass"]
- # XXX HACK, remove later
- if subuid == DNA_MAGIC:
- subuid = self._fake_dna_plugin(ldap, dn, entry_attrs)
-
entry_attrs["ipasubuidnumber"] = subuid
- # enforice subuid == subgid for now
+ # enforce subuid == subgid for now
entry_attrs["ipasubgidnumber"] = subuid
# hard-coded constants
entry_attrs["ipasubuidcount"] = constants.SUBID_COUNT
@@ -350,13 +345,6 @@ class subid(LDAPObject):
filters.extend(extra_filters)
return ldap.combine_filters(filters, rules=ldap.MATCH_ALL)
- def _fake_dna_plugin(self, ldap, dn, entry_attrs):
- """XXX HACK, remove when 389-DS DNA plugin supports steps"""
- return (
- constants.SUBID_RANGE_START
- + random.randint(1, 32764 - 2) * constants.SUBID_COUNT
- )
-
@register()
class subid_add(LDAPCreate):
--
2.26.3

68
SOURCES/0011-Fix-ipa-server-upgrade.patch
View File

@ -1,68 +0,0 @@
From 21574b261cf0d346da48e34c0a5383736ca8798b Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 21 May 2021 14:56:32 +0200
Subject: [PATCH] Fix ipa-server-upgrade
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
install/share/bootstrap-template.ldif | 2 +-
install/updates/73-subid.update | 2 +-
ipaserver/install/ldapupdate.py | 3 +++
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 16f2ef822eaf56dd68d4140b22a607539645b151..325eb8450c786899e7b5e4ae2ef8978f42a8425b 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -491,7 +491,7 @@ cn: ${REALM}_subid_range
ipaBaseID: eval($SUBID_RANGE_START)
ipaIDRangeSize: eval($SUBID_RANGE_SIZE)
# HACK: RIDs to work around adtrust sidgen issue
-ipaBaseRID: eval($SUBID_RANGE_START - $IDRANGE_SIZE)
+ipaBaseRID: eval($SUBID_BASE_RID)
# 738065-838566 = IPA-SUB
ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
# HACK: "ipa-local-subid" range type causes issues with older SSSD clients
diff --git a/install/updates/73-subid.update b/install/updates/73-subid.update
index e10703aa3f9528751233ddebe00b8c8c8fc5ed3f..890eb7f1f6f261af977f26b3457e765ee8e9791f 100644
--- a/install/updates/73-subid.update
+++ b/install/updates/73-subid.update
@@ -102,7 +102,7 @@ default: cn: ${REALM}_subid_range
default: ipaBaseID: $SUBID_RANGE_START
default: ipaIDRangeSize: $SUBID_RANGE_SIZE
# HACK: RIDs to work around adtrust sidgen issue
-default: ipaBaseRID: eval($SUBID_RANGE_START - $IDRANGE_SIZE)
+default: ipaBaseRID: eval($SUBID_BASE_RID)
default: ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
# HACK: "ipa-local-subid" range type causes issues with older SSSD clients
# see https://github.com/SSSD/sssd/issues/5571
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index d0516dc3028366df5d03a960866abe72601aa4b6..06cb78e0b7dc2c82f0339c43228045d93b922288 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -59,8 +59,10 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
"""
if idstart is None:
idrange_size = None
+ subid_base_rid = None
else:
idrange_size = idmax - idstart + 1
+ subid_base_rid = constants.SUBID_RANGE_START - idrange_size
return dict(
REALM=realm,
@@ -81,6 +83,7 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
SUBID_RANGE_SIZE=constants.SUBID_RANGE_SIZE,
SUBID_RANGE_MAX=constants.SUBID_RANGE_MAX,
SUBID_DNA_THRESHOLD=constants.SUBID_DNA_THRESHOLD,
+ SUBID_BASE_RID=subid_base_rid,
DOMAIN_HASH=murmurhash3(domain, len(domain), 0xdeadbeef),
MAX_DOMAIN_LEVEL=constants.MAX_DOMAIN_LEVEL,
MIN_DOMAIN_LEVEL=constants.MIN_DOMAIN_LEVEL,
--
2.26.3

29
SOURCES/0012-Fix-oid-of-ipaUserDefaultSubordinateId.patch
View File

@ -1,29 +0,0 @@
From c8b4fd5bb773a73116350bf8e853246916fe87c2 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 15 Jun 2021 13:25:18 +0200
Subject: [PATCH] Fix oid of ipaUserDefaultSubordinateId
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
install/share/60ipaconfig.ldif | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/share/60ipaconfig.ldif b/install/share/60ipaconfig.ldif
index f84b38ead1d70ff408f5669029f1517b0c98ecf1..005c1dd11e37039132620f1d97f9662ffb8c8c59 100644
--- a/install/share/60ipaconfig.ldif
+++ b/install/share/60ipaconfig.ldif
@@ -47,7 +47,7 @@ attributeTypes: ( 2.16.840.1.113730.3.8.3.27 NAME 'ipaSELinuxUserMapOrder' DESC
## ipaMaxHostnameLength - maximum hostname length to allow
attributeTypes: ( 2.16.840.1.113730.3.8.1.28 NAME 'ipaMaxHostnameLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
# ipaUserDefaultSubordinateId - if TRUE new user entries gain subordinate id by default
-attributeTypes: ( 2.16.840.1.113730.3.8.3.23.14 NAME 'ipaUserDefaultSubordinateId' DESC 'Enable adding user entries with subordinate id' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+attributeTypes: ( 2.16.840.1.113730.3.8.23.14 NAME 'ipaUserDefaultSubordinateId' DESC 'Enable adding user entries with subordinate id' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
###############################################
##
## ObjectClasses
--
2.26.3

275
SOURCES/0013-WebUI-Improve-subordinate-ids-user-workflow.patch
View File

@ -1,275 +0,0 @@
From 10418b7f3ea8c682961fc201545169663d507bf6 Mon Sep 17 00:00:00 2001
From: Serhii Tsymbaliuk <stsymbal@redhat.com>
Date: Thu, 17 Jun 2021 13:56:19 +0200
Subject: [PATCH] WebUI: Improve subordinate ids user workflow
- add "Subordinate ID Statistics" page
- add button for generating subid in "Subordinate ids" tab of user details page
- allow to navigate directly to owner details from subordinate id page
- adjust i18n strings
Ticket: https://pagure.io/freeipa/issue/8361
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
install/ui/src/freeipa/details.js | 8 ++-
.../ui/src/freeipa/navigation/menu_spec.js | 19 ++++++-
install/ui/src/freeipa/subid.js | 43 +++++++++++++++-
install/ui/src/freeipa/user.js | 49 +++++++++++++++----
ipaserver/plugins/internal.py | 22 ++++++---
5 files changed, 121 insertions(+), 20 deletions(-)
diff --git a/install/ui/src/freeipa/details.js b/install/ui/src/freeipa/details.js
index b557bbcef9a427a87eee3216f4345fc853cbaaff..2704cbd0ba98efa877cf5ec8a878e688ee6807e9 100644
--- a/install/ui/src/freeipa/details.js
+++ b/install/ui/src/freeipa/details.js
@@ -602,6 +602,12 @@ exp.details_facet = IPA.details_facet = function(spec, no_init) {
*/
that.facet_group = spec.facet_group || 'settings';
+ /**
+ * Indicates if the details facet depends on pkey
+ * @property {boolean}
+ */
+ that.require_pkey = spec.require_pkey !== undefined ? spec.require_pkey : true;
+
/**
* Widgets
* @property {IPA.widget_container}
@@ -1105,7 +1111,7 @@ exp.details_facet = IPA.details_facet = function(spec, no_init) {
*/
that.refresh = function(on_success, on_error) {
- if (!that.get_pkey() && that.entity.redirect_facet) {
+ if (that.require_pkey && !that.get_pkey() && that.entity.redirect_facet) {
that.redirect();
return;
}
diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js
index 6ccd06919fbe04c7e8d2034ff7a1f644f373c607..a205dfade2f9508edbdc23ee6f7247508cc0479c 100644
--- a/install/ui/src/freeipa/navigation/menu_spec.js
+++ b/install/ui/src/freeipa/navigation/menu_spec.js
@@ -104,7 +104,24 @@ var nav = {};
}
]
},
- { entity: 'subid' }
+ {
+ name: 'subid',
+ label: '@i18n:tabs.subid',
+ children: [
+ {
+ name: 'subid',
+ entity: 'subid',
+ facet: 'search',
+ label: '@i18n:tabs.subid'
+ },
+ {
+ name: 'subid-stats',
+ entity: 'subid',
+ facet: 'stats',
+ label: '@i18n:objects.subid.stats'
+ }
+ ]
+ }
]
},
{
diff --git a/install/ui/src/freeipa/subid.js b/install/ui/src/freeipa/subid.js
index f286165070b08badf77cac6c30e93cab916c2acc..32f75bb7854cd3e84417a66870e99d34d49617e3 100644
--- a/install/ui/src/freeipa/subid.js
+++ b/install/ui/src/freeipa/subid.js
@@ -31,6 +31,7 @@ return {
},
{
$type: 'details',
+ disable_facet_tabs: true,
sections: [
{
name: 'details',
@@ -38,9 +39,11 @@ return {
'ipauniqueid',
'description',
{
+ $type: 'link',
name: 'ipaowner',
label: '@i18n:objects.subid.ipaowner',
- title: '@mo-param:subid:ipaowner:label'
+ title: '@mo-param:subid:ipaowner:label',
+ other_entity: 'user'
},
{
name: 'ipasubgidnumber',
@@ -65,6 +68,44 @@ return {
]
}
]
+ },
+ {
+ $type: 'details',
+ name: 'stats',
+ label: '@i18n:objects.subid.stats',
+ refresh_command_name: 'stats',
+ check_rights: false,
+ no_update: true,
+ disable_facet_tabs: true,
+ disable_breadcrumb: true,
+ require_pkey: false,
+ fields: [
+ {
+ name: 'assigned_subids',
+ label: '@i18n:objects.subid.assigned_subids',
+ read_only: true
+ },
+ {
+ name: 'baseid',
+ label: '@i18n:objects.subid.baseid',
+ read_only: true
+ },
+ {
+ name: 'dna_remaining',
+ label: '@i18n:objects.subid.dna_remaining',
+ read_only: true
+ },
+ {
+ name: 'rangesize',
+ label: '@i18n:objects.subid.rangesize',
+ read_only: true
+ },
+ {
+ name: 'remaining_subids',
+ label: '@i18n:objects.subid.remaining_subids',
+ read_only: true
+ }
+ ]
}
],
adder_dialog: {
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index 56bb6f4feffb637d33a57aecf9a98f08d4639550..6a56320c580f58a1aba84e598736631986421113 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -464,7 +464,7 @@ return {
},
{
$type: 'subid_generate',
- hide_cond: ['preserved-user'],
+ hide_cond: ['preserved-user', 'self-service-other'],
enable_cond: ['no-subid']
}
],
@@ -556,8 +556,35 @@ return {
{
$type: 'association',
name: 'memberof_subid',
+ columns: [
+ 'ipauniqueid',
+ 'ipasubuidnumber',
+ 'ipasubgidnumber'
+ ],
associator: IPA.serial_associator,
- read_only: true
+ read_only: true,
+ state: {
+ evaluators: [
+ IPA.user.self_service_other_user_evaluator,
+ IPA.user.preserved_user_evaluator,
+ IPA.user.has_subid_evaluator
+ ]
+ },
+ actions: [
+ {
+ $type: 'subid_generate',
+ name: 'subid_generate',
+ hide_cond: ['preserved-user', 'self-service-other'],
+ enable_cond: ['no-subid']
+ }
+ ],
+ control_buttons: [
+ {
+ name: 'subid_generate',
+ label: '@i18n:objects.user.auto_subid',
+ icon: 'fa-plus'
+ }
+ ]
}
],
standard_association_facets: {
@@ -1216,14 +1243,16 @@ IPA.user.subid_generate_action = function(spec) {
var that = IPA.action(spec);
that.execute_action = function(facet) {
-
- var subid_e = reg.entity.get('subid');
- var dialog = subid_e.get_dialog('add');
- dialog.open();
- if (!IPA.is_selfservice) {
- var owner = facet.get_pkey();
- dialog.get_field('ipaowner').set_value([owner]);
- }
+ var owner = facet.get_pkey();
+ var command = rpc.command({
+ entity: 'subid',
+ method: 'generate'
+ });
+ command.set_option('ipaowner', owner);
+ command.on_success = function(data, text_status, xhr) {
+ facet.refresh();
+ };
+ command.execute();
};
return that;
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
index 5ef940c2b88cc2b132a15d619772349b30731306..29e09f0067ec60d014e61c49313455d64478ef22 100644
--- a/ipaserver/plugins/internal.py
+++ b/ipaserver/plugins/internal.py
@@ -1364,6 +1364,20 @@ class i18n_messages(Command):
"undel_success": _("${count} user(s) restored"),
"user_categories": _("User categories"),
},
+ "subid": {
+ "add": _("Add subid"),
+ "assigned_subids": _("Assigned subids"),
+ "baseid": _("Base ID"),
+ "dna_remaining": _("DNA remaining"),
+ "ipaowner": _("Owner"),
+ "ipasubgidcount": _("SubGID range size"),
+ "ipasubgidnumber": _("SubGID range start"),
+ "ipasubuidcount": _("SubUID range size"),
+ "ipasubuidnumber": _("SubUID range start"),
+ "rangesize": _("Range size"),
+ "remaining_subids": _("Remaining subids"),
+ "stats": _("Subordinate ID Statistics"),
+ },
"sudocmd": {
"add": _("Add sudo command"),
"add_into_sudocmdgroups": _(
@@ -1547,13 +1561,6 @@ class i18n_messages(Command):
"Drive to mount a home directory"
),
},
- "subid": {
- "identity": _("Subordinate user and group id"),
- "subuidnumber": _("Subordinate user id"),
- "subuidcount": _("Subordinate user id count"),
- "subgidnumber": _("Subordinate group id"),
- "subgidcount": _("Subordinate group id count"),
- },
"trustconfig": {
"options": _("Options"),
},
@@ -1942,6 +1949,7 @@ class i18n_messages(Command):
"network_services": _("Network Services"),
"policy": _("Policy"),
"role": _("Role-Based Access Control"),
+ "subid": _("Subordinate IDs"),
"sudo": _("Sudo"),
"topology": _("Topology"),
"trust": _("Trusts"),
--
2.26.3

57
SOURCES/0014-Test-DNA-plugin-configuration.patch
View File

@ -1,57 +0,0 @@
From b6ab27acdb07c21f43e9dcc9b777f8fd6a8925e1 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 18 Jun 2021 10:51:54 +0200
Subject: [PATCH] Test DNA plugin configuration
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_subids.py | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_subids.py b/ipatests/test_integration/test_subids.py
index 48e58c26464f52605438afe865575e5ca4c8f1f8..28cd1f765cd63af944bce83f4676a2b1998f5f5d 100644
--- a/ipatests/test_integration/test_subids.py
+++ b/ipatests/test_integration/test_subids.py
@@ -6,8 +6,11 @@
"""
import os
-from ipalib.constants import SUBID_COUNT, SUBID_RANGE_START, SUBID_RANGE_MAX
+from ipalib.constants import (
+ SUBID_COUNT, SUBID_RANGE_START, SUBID_RANGE_MAX, SUBID_DNA_THRESHOLD
+)
from ipaplatform.paths import paths
+from ipapython.dn import DN
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
@@ -81,6 +84,23 @@ class TestSubordinateId(IntegrationTest):
cmd.extend(("--owner", uid))
return self.master.run_command(cmd, **kwargs)
+ def test_dna_config(self):
+ conn = self.master.ldap_connect()
+ dna_cfg = DN(
+ "cn=Subordinate IDs,cn=Distributed Numeric Assignment Plugin,"
+ "cn=plugins,cn=config"
+ )
+ entry = conn.get_entry(dna_cfg)
+
+ def single_int(key):
+ return int(entry.single_value[key])
+
+ assert single_int("dnaInterval") == SUBID_COUNT
+ assert single_int("dnaThreshold") == SUBID_DNA_THRESHOLD
+ assert single_int("dnaMagicRegen") == -1
+ assert single_int("dnaMaxValue") == SUBID_RANGE_MAX
+ assert set(entry["dnaType"]) == {"ipasubgidnumber", "ipasubuidnumber"}
+
def test_auto_generate_subid(self):
uid = "testuser_auto1"
passwd = "Secret123"
--
2.26.3

69
SOURCES/0015-Fall-back-to-krbprincipalname-when-validating-host-a.patch
View File

@ -1,69 +0,0 @@
From 3b7f537dd3022ecb758b2f0f8b2aba530e74bff7 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 12 Jul 2021 11:02:10 -0400
Subject: [PATCH] Fall back to krbprincipalname when validating host auth
indicators
When adding a new host the principal cannot be determined because it
relies on either:
a) an entry to already exist
b) krbprincipalname be a component of the dn
As a result the full dn is being passed into ipapython.Kerberos
which can't parse it.
Look into the entry in validate_validate_auth_indicator() for
krbprincipalname in this case.
https://pagure.io/freeipa/issue/8206
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/plugins/service.py | 5 +++++
ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++
2 files changed, 16 insertions(+)
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index cfbbff3c69c6a92535df58c51767c3d0952c7b0b..498f5e444364c6330e053d1057b727fb5181f70b 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -209,6 +209,11 @@ def validate_auth_indicator(entry):
# and shouldn't be allowed to have auth indicators.
# https://pagure.io/freeipa/issue/8206
pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
+ if pkey == str(entry.dn):
+ # krbcanonicalname may not be set yet if this is a host entry,
+ # try krbprincipalname
+ if 'krbprincipalname' in entry:
+ pkey = entry['krbprincipalname']
principal = kerberos.Principal(pkey)
server = api.Command.server_find(principal.hostname)['result']
if server:
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index 9cfde3565d48e103a0549e2bfb7579e07668f41b..ff50e796cd19fca2c7b6c87d73940779db8daa0b 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test):
)):
command()
+ def test_add_non_master_with_auth_ind(self, host5):
+ host5.ensure_missing()
+ command = host5.make_command(
+ 'host_add', host5.fqdn, krbprincipalauthind=['radius'],
+ force=True
+ )
+ result = command()
+ # The fact that the command succeeds exercises the change but
+ # let's check the indicator as well.
+ assert result['result']['krbprincipalauthind'] == ('radius',)
+
@pytest.mark.tier1
class TestValidation(XMLRPC_test):
--
2.26.3

30
SOURCES/0016-spec-file-Trust-controller-role-should-pull-sssd-win.patch
View File

@ -1,30 +0,0 @@
From aa07f41769765e55c1531b52ad9ef5876e97e0e9 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 15 Jul 2021 10:06:56 +0200
Subject: [PATCH] spec file: Trust controller role should pull
sssd-winbind-idmap package
ipa-server-trust-ad subpackage need to pull in sssd-winbind-idmap
Fixes: https://pagure.io/freeipa/issue/8923
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
freeipa.spec.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index fa649cf4e1abe8e9928ef340a66d48d78f7e3521..c33d2e216e5b0f13ae4fd3f9f506d4983493f03a 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -597,6 +597,7 @@ Requires: %{name}-common = %{version}-%{release}
Requires: samba >= %{samba_version}
Requires: samba-winbind
+Requires: sssd-winbind-idmap
Requires: libsss_idmap
%if 0%{?rhel}
Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
--
2.26.3

58
SOURCES/0017-Use-new-method-in-check-to-prevent-removal-of-last-K.patch
View File

@ -1,58 +0,0 @@
From 0b9adf1d8d5efb48e734650e4101e8816b01e1d3 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 19 Jul 2021 17:51:44 -0400
Subject: [PATCH] Use new method in check to prevent removal of last KRA
It previously used a vault connection to determine if any
KRA servers were installed. This would fail if the last KRA
was not available.
Use server roles instead to determine if the last KRA server
is to be removed.
https://pagure.io/freeipa/issue/8397
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
---
ipaserver/plugins/server.py | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index b3dda8469..5fa7a58bd 100644
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -508,17 +508,19 @@ class server_del(LDAPDelete):
if self.api.Command.ca_is_enabled()['result']:
try:
- vault_config = self.api.Command.vaultconfig_show()['result']
- kra_servers = vault_config.get('kra_server_server', [])
- except errors.InvocationError:
- # KRA is not configured
- pass
- else:
- if kra_servers == [hostname]:
- handler(
- _("Deleting this server is not allowed as it would "
- "leave your installation without a KRA."),
- ignore_last_of_role)
+ roles = self.api.Command.server_role_find(
+ server_server=hostname,
+ role_servrole='KRA server',
+ status='enabled',
+ include_master=True,
+ )['result']
+ except errors.NotFound:
+ roles = ()
+ if len(roles) == 1 and roles[0]['server_server'] == hostname:
+ handler(
+ _("Deleting this server is not allowed as it would "
+ "leave your installation without a KRA."),
+ ignore_last_of_role)
ca_servers = ipa_config.get('ca_server_server', [])
ca_renewal_master = ipa_config.get(
--
2.26.3

49
SOURCES/0018-ipatests-test-removing-last-KRA-when-it-is-not-runni.patch
View File

@ -1,49 +0,0 @@
From 8ea8f8b68b5a7217518f68065a5fc1df16126314 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 19 Jul 2021 21:54:22 -0400
Subject: [PATCH] ipatests: test removing last KRA when it is not running
Use the new role-based mechanism, one that doesn't rely
on direct communication to the server, to determine whether
the server being removed by `ipa server-del` contains the
last KRA server.
https://pagure.io/freeipa/issue/8397
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
---
ipatests/test_integration/test_server_del.py | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/ipatests/test_integration/test_server_del.py b/ipatests/test_integration/test_server_del.py
index 5e627d5db..9d7f5ef7a 100644
--- a/ipatests/test_integration/test_server_del.py
+++ b/ipatests/test_integration/test_server_del.py
@@ -302,6 +302,23 @@ class TestLastServices(ServerDelBase):
1
)
+ def test_removal_of_server_raises_error_about_last_kra(self):
+ """
+ test that removal of server fails on the last KRA
+
+ We shut it down to verify that it can be removed if it failed.
+ """
+ tasks.install_kra(self.master)
+ self.master.run_command(['ipactl', 'stop'])
+ tasks.assert_error(
+ tasks.run_server_del(self.replicas[0], self.master.hostname),
+ "Deleting this server is not allowed as it would leave your "
+ "installation without a KRA.",
+ 1
+ )
+ # Restarting the server we stopped is not necessary as it will
+ # be removed in the next test.
+
def test_forced_removal_of_master(self):
"""
Tests that we can still force remove the master using
--
2.26.3

30
SOURCES/0019-rhel-platform-add-a-named-crypto-policy-support.patch
View File

@ -1,30 +0,0 @@
From 1a5159b216455070eb51b6a11ceaf0033fc8ce4c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 16 Jul 2021 09:20:33 +0300
Subject: [PATCH] rhel platform: add a named crypto-policy support
RHEL 8+ provides bind system-wide crypto policy support, enable it.
Fixes: https://pagure.io/freeipa/issue/8925
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipaplatform/rhel/paths.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipaplatform/rhel/paths.py b/ipaplatform/rhel/paths.py
index c081ada32..3631550eb 100644
--- a/ipaplatform/rhel/paths.py
+++ b/ipaplatform/rhel/paths.py
@@ -30,6 +30,7 @@ from ipaplatform.rhel.constants import HAS_NFS_CONF
class RHELPathNamespace(RedHatPathNamespace):
+ NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
if HAS_NFS_CONF:
SYSCONFIG_NFS = '/etc/nfs.conf'
--
2.26.3

40
SOURCES/0020-Index-Fix-definition-for-memberOf.patch
View File

@ -1,40 +0,0 @@
From b132956e42a88ab39bb8d6a854e7c5d28d544a11 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 16 Jul 2021 09:43:54 +0200
Subject: [PATCH] Index: Fix definition for memberOf
The index definition for memberOf is inconsistent:
dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: member
nsIndexType: eq
nsIndexType: sub
nsSystemIndex: false
objectClass: top
objectClass: nsIndex
The cn attribute should be memberOf, not member. Fix the definition.
Fixes: https://pagure.io/freeipa/issue/8920
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/updates/20-indices.update | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index d6df5b37d..cb1a11dd5 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -434,7 +434,7 @@ add:nsIndexType: eq
add:nsIndexType: pres
dn: cn=memberOf,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-only:cn: member
+only:cn: memberOf
add:nsIndexType: sub
dn: cn=memberPrincipal,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
--
2.26.3

35
SOURCES/0021-ipatests-use-whole-date-when-calling-journalctl-sinc.patch
View File

@ -1,35 +0,0 @@
From b2e6292337c6f7f68ac383db8aa54a1abfa3f6b4 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Sun, 11 Jul 2021 16:29:16 +0200
Subject: [PATCH] ipatests: use whole date when calling journalctl --since
The test TestSelfExternalSelf::test_switch_back_to_self_signed
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.
Fixes: https://pagure.io/freeipa/issue/8918
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipatests/test_integration/test_external_ca.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_external_ca.py b/ipatests/test_integration/test_external_ca.py
index 72aa57a0b..d48d73deb 100644
--- a/ipatests/test_integration/test_external_ca.py
+++ b/ipatests/test_integration/test_external_ca.py
@@ -301,7 +301,7 @@ class TestSelfExternalSelf(IntegrationTest):
def test_switch_back_to_self_signed(self):
# for journalctl --since
- switch_time = time.strftime('%H:%M:%S')
+ switch_time = time.strftime('%Y-%m-%d %H:%M:%S')
# switch back to self-signed CA
result = self.master.run_command([paths.IPA_CACERT_MANAGE, 'renew',
'--self-signed'])
--
2.31.1

43
SOURCES/0022-ipatests-Fix-for-test_source_ipahealthcheck_ipa_host.patch
View File

@ -1,43 +0,0 @@
From 26be7ffdba87e0e6294ea035ab3dc9bd933fba43 Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Fri, 9 Jul 2021 13:44:12 +0530
Subject: [PATCH] ipatests: Fix for
test_source_ipahealthcheck_ipa_host_check_ipahostkeytab
Expected error message has been modified for
test_source_ipahealthcheck_ipa_host_check_ipahostkeytab
Related: https://pagure.io/freeipa/issue/8889
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 305d7b945..f6a3043f1 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -499,9 +499,6 @@ class TestIpaHealthCheck(IntegrationTest):
from host's keytab.
"""
msg = (
- "Failed to obtain host TGT: Major (458752): "
- "No credentials were "
- "supplied, or the credentials were unavailable or inaccessible, "
"Minor (2529639107): No credentials cache found"
)
@@ -514,7 +511,7 @@ class TestIpaHealthCheck(IntegrationTest):
)
assert returncode == 1
assert data[0]["result"] == "ERROR"
- assert data[0]["kw"]["msg"] == msg
+ assert msg in data[0]["kw"]["msg"]
def test_source_ipahealthcheck_topology_IPATopologyDomainCheck(self):
"""
--
2.31.1

52
SOURCES/0023-ipatests-test_ipahealthcheck-print-a-message-if-a-sy.patch
View File

@ -1,52 +0,0 @@
From 7f910eb2dda8595da435b4aed6e759a2916df813 Mon Sep 17 00:00:00 2001
From: Michal Polovka <mpolovka@redhat.com>
Date: Wed, 23 Jun 2021 14:53:49 +0200
Subject: [PATCH] ipatests: test_ipahealthcheck: print a message if a system is
healthy
Test if when the system is completely healthy, informative message is
returned and not only empty output (list or json).
Related: https://pagure.io/freeipa/issue/8892
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_ipahealthcheck.py | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index f6a3043f1..36fe72be7 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -286,7 +286,7 @@ class TestIpaHealthCheck(IntegrationTest):
for source in sources_avail:
assert source in result.stdout_text
- def test_human_output(self, restart_service):
+ def test_human_severity(self, restart_service):
"""
Test that in human output the severity value is correct
@@ -306,6 +306,18 @@ class TestIpaHealthCheck(IntegrationTest):
assert output == \
"ERROR: ipahealthcheck.meta.services.sssd: sssd: not running"
+ def test_human_output(self):
+ """
+ Test if in case no failures were found, informative string is printed
+ in human output.
+
+ https://pagure.io/freeipa/issue/8892
+ """
+ returncode, output = run_healthcheck(self.master, output_type="human",
+ failures_only=True)
+ assert returncode == 0
+ assert output == "No issues found."
+
def test_ipa_healthcheck_after_certupdate(self):
"""
Verify that ipa-certupdate hasn't messed up tracking
--
2.31.1

104
SOURCES/0024-ipatests-test_installation-move-tracking_reqs-depend.patch
View File

@ -1,104 +0,0 @@
From e5df4dc4884f1a66ccbca79b9a0d83874c996d1d Mon Sep 17 00:00:00 2001
From: Michal Polovka <mpolovka@redhat.com>
Date: Mon, 31 May 2021 14:43:28 +0200
Subject: [PATCH] ipatests: test_installation: move tracking_reqs dependency to
ipalib constants ipaserver: krainstance: utilize moved tracking_reqs
dependency
KRA instance import depends on lib389 package, which is not always
installed and that results in failure. Furthermore, test_installation
utilizes krainstance import. This fix moves relevant parts from
krainstance to ipalib constants where those are subsequently imported
from.
Related: https://pagure.io/freeipa/issue/8795
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipalib/constants.py | 8 ++++++++
ipaserver/install/krainstance.py | 7 ++-----
ipatests/test_integration/test_installation.py | 7 +++----
3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index bff899ba6..2aeafac7a 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -360,3 +360,11 @@ SUBID_RANGE_MAX = (2 ** 32) - (2 * SUBID_COUNT)
SUBID_RANGE_SIZE = SUBID_RANGE_MAX - SUBID_RANGE_START
# threshold before DNA plugin requests a new range
SUBID_DNA_THRESHOLD = 500
+
+# moved from ipaserver/install/krainstance.py::KRAInstance to avoid duplication
+# as per https://pagure.io/freeipa/issue/8795
+KRA_TRACKING_REQS = {
+ 'auditSigningCert cert-pki-kra': 'caAuditSigningCert',
+ 'transportCert cert-pki-kra': 'caTransportCert',
+ 'storageCert cert-pki-kra': 'caStorageCert',
+}
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index e63db3fef..13cb2dcaa 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -27,6 +27,7 @@ import base64
from ipalib import api
from ipalib import x509
+from ipalib.constants import KRA_TRACKING_REQS
from ipaplatform.paths import paths
from ipapython import directivesetter
from ipapython import ipautil
@@ -64,11 +65,7 @@ class KRAInstance(DogtagInstance):
# Mapping of nicknames for tracking requests, and the profile to
# use for that certificate. 'configure_renewal()' reads this
# dict. The profile MUST be specified.
- tracking_reqs = {
- 'auditSigningCert cert-pki-kra': 'caAuditSigningCert',
- 'transportCert cert-pki-kra': 'caTransportCert',
- 'storageCert cert-pki-kra': 'caStorageCert',
- }
+ tracking_reqs = KRA_TRACKING_REQS
def __init__(self, realm):
super(KRAInstance, self).__init__(
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 0c96536f0..27f15dbe5 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -20,7 +20,7 @@ from cryptography.hazmat.primitives import hashes
from cryptography import x509 as crypto_x509
from ipalib import x509
-from ipalib.constants import DOMAIN_LEVEL_0
+from ipalib.constants import DOMAIN_LEVEL_0, KRA_TRACKING_REQS
from ipalib.constants import IPA_CA_RECORD
from ipalib.sysrestore import SYSRESTORE_STATEFILE, SYSRESTORE_INDEXFILE
from ipapython.dn import DN
@@ -34,7 +34,7 @@ from ipatests.pytest_ipa.integration.env_config import get_global_config
from ipatests.test_integration.base import IntegrationTest
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
from ipaplatform import services
-from ipaserver.install import krainstance
+
config = get_global_config()
@@ -1282,8 +1282,7 @@ class TestInstallMasterKRA(IntegrationTest):
"""
Test that the KRA subsystem certificates renew properly
"""
- kra = krainstance.KRAInstance(self.master.domain.realm)
- for nickname in kra.tracking_reqs:
+ for nickname in KRA_TRACKING_REQS:
cert = tasks.certutil_fetch_cert(
self.master,
paths.PKI_TOMCAT_ALIAS_DIR,
--
2.31.1

31
SOURCES/0025-webui-tests-close-notification-when-revoking-cert.patch
View File

@ -1,31 +0,0 @@
From 40e4ccf1ea943aba4d10e8126ffa49feddd2e683 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 13 Jul 2021 18:38:22 +0200
Subject: [PATCH] webui tests: close notification when revoking cert
When a cert is revoked, a notification is displayed
and may obscure the buttons. Make sure to close the
notification before moving to the next step.
Fixes: https://pagure.io/freeipa/issue/8911
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
---
ipatests/test_webui/test_cert.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipatests/test_webui/test_cert.py b/ipatests/test_webui/test_cert.py
index 53dc76faa..7a8ffde91 100644
--- a/ipatests/test_webui/test_cert.py
+++ b/ipatests/test_webui/test_cert.py
@@ -107,6 +107,7 @@ class test_cert(UI_driver):
self.action_list_action('revoke_cert', False)
self.select('select[name=revocation_reason]', reason)
self.dialog_button_click('ok')
+ self.close_notifications()
self.navigate_to_entity(ENTITY)
return cert
--
2.31.1

153
SOURCES/0026-ipatests-Test-ipa-cert-fix-warns-when-startup-direct.patch
View File

@ -1,153 +0,0 @@
From 02c0da3ef74948579106aab4b669f6e64dd60b24 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 24 Jun 2021 13:10:00 +0530
Subject: [PATCH] ipatests: Test ipa-cert-fix warns when startup directive is
missing from CS.cfg
Earlier it used to fail when startup directive missing from CS.cfg.
With https://github.com/dogtagpki/pki/pull/3466, it changed to display
a warning than failing.
related: https://pagure.io/freeipa/issue/8890
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 92 ++++++++++++++++++-
1 file changed, 90 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index b2e92d4dc..394e85603 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -48,6 +48,16 @@ def check_status(host, cert_count, state, timeout=600):
return count
+def move_date(host, chrony_state, date_str):
+ """Helper method to move the date on given host
+ :param host: The host on which date is to be moved
+ :param chrony_state: State to which chrony service to be moved
+ :param date_str: date string to move the date i.e 2years1month1days
+ """
+ host.run_command(['systemctl', chrony_state, 'chronyd'])
+ host.run_command(['date', '-s', date_str])
+
+
@pytest.fixture
def expire_cert_critical():
"""
@@ -82,6 +92,17 @@ class TestIpaCertFix(IntegrationTest):
# the fixture
pass
+ @pytest.fixture
+ def expire_ca_cert(self):
+ tasks.install_master(self.master, setup_dns=False,
+ extra_args=['--no-ntp'])
+ move_date(self.master, 'stop', '+20Years+1day')
+
+ yield
+
+ tasks.uninstall_master(self.master)
+ move_date(self.master, 'start', '-20Years-1day')
+
def test_missing_csr(self, expire_cert_critical):
"""
Test that ipa-cert-fix succeeds when CSR is missing from CS.cfg
@@ -122,7 +143,8 @@ class TestIpaCertFix(IntegrationTest):
# Because of BZ 1897120, pki-cert-fix fails on pki-core 10.10.0
# https://bugzilla.redhat.com/show_bug.cgi?id=1897120
- if tasks.get_pki_version(self.master) != tasks.parse_version('10.10.0'):
+ if (tasks.get_pki_version(self.master)
+ != tasks.parse_version('10.10.0')):
assert result.returncode == 0
# get the number of certs track by certmonger
@@ -180,6 +202,72 @@ class TestIpaCertFix(IntegrationTest):
raiseonerr=False)
assert result.returncode == 2
+ def test_missing_startup(self, expire_cert_critical):
+ """
+ Test ipa-cert-fix fails/warns when startup directive is missing
+
+ This test checks that if 'selftests.container.order.startup' directive
+ is missing from CS.cfg, ipa-cert-fix fails and throw proper error
+ message. It also checks that underlying command 'pki-server cert-fix'
+ should fail to renew the cert.
+
+ related: https://pagure.io/freeipa/issue/8721
+
+ With https://github.com/dogtagpki/pki/pull/3466, it changed to display
+ a warning than failing.
+
+ This test also checks that if 'selftests.container.order.startup'
+ directive is missing from CS.cfg, ipa-cert-fix dsplay proper warning
+ (depending on pki version)
+
+ related: https://pagure.io/freeipa/issue/8890
+ """
+ expire_cert_critical(self.master)
+ # pki must be stopped in order to edit CS.cfg
+ self.master.run_command(['ipactl', 'stop'])
+ self.master.run_command([
+ 'sed', '-i', r'/selftests\.container\.order\.startup/d',
+ paths.CA_CS_CFG_PATH
+ ])
+ # dirsrv needs to be up in order to run ipa-cert-fix
+ self.master.run_command(['ipactl', 'start',
+ '--ignore-service-failures'])
+
+ result = self.master.run_command(['ipa-cert-fix', '-v'],
+ stdin_text='yes\n',
+ raiseonerr=False)
+
+ err_msg1 = "ERROR: 'selftests.container.order.startup'"
+ # check that pki-server cert-fix command fails
+ err_msg2 = ("ERROR: CalledProcessError(Command "
+ "['pki-server', 'cert-fix'")
+ warn_msg = ("WARNING: No selftests configured in "
+ f"{paths.CA_CS_CFG_PATH} "
+ "(selftests.container.order.startup)")
+
+ if (tasks.get_pki_version(self.master)
+ < tasks.parse_version('10.11.0')):
+ assert (err_msg1 in result.stderr_text
+ and err_msg2 in result.stderr_text)
+ else:
+ assert warn_msg in result.stdout_text
+
+ def test_expired_CA_cert(self, expire_ca_cert):
+ """Test to check ipa-cert-fix when CA certificate is expired
+
+ In order to fix expired certs using ipa-cert-fix, CA cert should be
+ valid. If CA cert expired, ipa-cert-fix won't work.
+
+ related: https://pagure.io/freeipa/issue/8721
+ """
+ result = self.master.run_command(['ipa-cert-fix', '-v'],
+ stdin_text='yes\n',
+ raiseonerr=False)
+ # check that pki-server cert-fix command fails
+ err_msg = ("ERROR: CalledProcessError(Command "
+ "['pki-server', 'cert-fix'")
+ assert err_msg in result.stderr_text
+
class TestIpaCertFixThirdParty(CALessBase):
"""
@@ -219,7 +307,7 @@ class TestIpaCertFixThirdParty(CALessBase):
'--pin', self.master.config.admin_password,
'-d', 'server.p12']
self.master.run_command(args)
- self.master.run_command(['ipactl', 'restart',])
+ self.master.run_command(['ipactl', 'restart'])
# Run ipa-cert-fix. This is basically a no-op but tests that
# the DS nickname is used and not a hardcoded value.
--
2.31.1

40
SOURCES/0027-webui-tests-fix-algo-for-finding-available-idrange.patch
View File

@ -1,40 +0,0 @@
From f7997ed0b7d5b915c0184bf8e8864ff935cd6232 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Fri, 16 Jul 2021 15:21:48 +0200
Subject: [PATCH] webui tests: fix algo for finding available idrange
The webui tests for ID range evaluate a potentially free id range
by looking for existing ranges and picking a range = max value
+ 1 million.
With the addition of subuid range this algorithm produces values
over the limit because the subuid range goes from
2,147,483,648 to 4,294,836,224 and the max base id is 4,294,967,295.
Ignore the subuid range when picking a potential range.
Fixes: https://pagure.io/freeipa/issue/8919
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_webui/task_range.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ipatests/test_webui/task_range.py b/ipatests/test_webui/task_range.py
index db34f6f11..f0664d35a 100644
--- a/ipatests/test_webui/task_range.py
+++ b/ipatests/test_webui/task_range.py
@@ -64,6 +64,12 @@ class range_tasks(UI_driver):
max_rid = 0
for idrange in idranges:
+ # IPA.TEST_subid_range is automatically created near the end
+ # of the allowed ids, taking from 2,147,483,648 to 4,294,836,224
+ # Ignore this range when looking for available ids otherwise
+ # we won't find any value < max baseid 4,294,967,295
+ if idrange['cn'][0].endswith("_subid_range"):
+ continue
size = int(idrange['ipaidrangesize'][0])
base_id = int(idrange['ipabaseid'][0])
--
2.31.1

61
SOURCES/0028-ipatests-smbclient-k-use-kerberos-desired.patch
View File

@ -1,61 +0,0 @@
From 161d5844eb1214e60c636bdb73713c6a43f1e75c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Mon, 19 Jul 2021 15:59:01 +0200
Subject: [PATCH] ipatests: smbclient "-k" => "--use-kerberos=desired"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Change documentation:
https://download.samba.org/pub/samba/rc/samba-4.15.0rc1.WHATSNEW.txt
As of Samba 4.15rc1, smbclient does not accept "-k" anymore.
The "-k|--kerberos" option ("Try to authenticate with kerberos.")
has been replaced with "--use-kerberos=required|desired|off".
Fixes: https://pagure.io/freeipa/issue/8926
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
ipatests/test_integration/test_smb.py | 23 +++++++++++++++++++++--
1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
index 399ad6209..b2b7ce2e4 100644
--- a/ipatests/test_integration/test_smb.py
+++ b/ipatests/test_integration/test_smb.py
@@ -166,9 +166,28 @@ class TestSMB(IntegrationTest):
encoding='utf-8')
assert file_contents_at_server == test_string
- # check access using smbclient utility
+ # Detect whether smbclient uses -k or --use-kerberos=required
+ # https://pagure.io/freeipa/issue/8926
+ # then check access using smbclient.
res = run_smb_client(
- ['smbclient', '-k', share['unc'], '-c', 'dir'])
+ [
+ "smbclient",
+ "-h",
+ ], raiseonerr=False
+ )
+ if "[-k|--kerberos]" in res.stderr_text:
+ smbclient_krb5_knob = "-k"
+ else:
+ smbclient_krb5_knob = "--use-kerberos=desired"
+ res = run_smb_client(
+ [
+ "smbclient",
+ smbclient_krb5_knob,
+ share["unc"],
+ "-c",
+ "dir",
+ ]
+ )
assert test_dir in res.stdout_text
# check file and dir removal from client side
--
2.31.1

81
SOURCES/0029-test_acme-refactor-with-tasks.patch
View File

@ -1,81 +0,0 @@
From 86869364a30f071ee79974b301ff68e80c0950ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 20 Jul 2021 20:19:16 +0200
Subject: [PATCH] test_acme: refactor with tasks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
ipatests/pytest_ipa/integration/tasks.py | 11 +++++++++++
ipatests/test_integration/test_acme.py | 19 ++++---------------
2 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 22c7ba782..c2e548617 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -2800,3 +2800,14 @@ def is_package_installed(host, pkg):
'is_package_installed: unknown platform %s' % platform
)
return result.returncode == 0
+
+
+def move_date(host, chrony_cmd, date_str):
+ """Helper method to move system date
+ :param host: host on which date is to be manipulated
+ :param chrony_cmd: systemctl command to apply to
+ chrony service, for instance 'start', 'stop'
+ :param date_str: date string to change the date i.e '3years2months1day1'
+ """
+ host.run_command(['systemctl', chrony_cmd, 'chronyd'])
+ host.run_command(['date', '-s', date_str])
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index d90f1ff7d..b4aa1b351 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -35,17 +35,6 @@ skip_mod_md_tests = osinfo.id not in ['rhel', 'fedora', ]
CERTBOT_DNS_IPA_SCRIPT = '/usr/libexec/ipa/acme/certbot-dns-ipa'
-def move_date(host, chrony_cmd, date_str):
- """Helper method to move system date
- :param host: host on which date is to be manipulated
- :param chrony_cmd: systemctl command to apply to
- chrony service, for instance 'start', 'stop'
- :param date_str: date string to change the date i.e '3years2months1day1'
- """
- host.run_command(['systemctl', chrony_cmd, 'chronyd'])
- host.run_command(['date', '-s', date_str])
-
-
def check_acme_status(host, exp_status, timeout=60):
"""Helper method to check the status of acme server"""
for _i in range(0, timeout, 5):
@@ -598,8 +587,8 @@ class TestACMERenew(IntegrationTest):
)
# move system date to expire acme cert
for host in self.clients[0], self.master:
- host.run_command(['kdestroy', '-A'])
- move_date(host, 'stop', '+90days')
+ tasks.kdestroy_all(host)
+ tasks.move_date(host, 'stop', '+90days')
self.clients[0].run_command(
['kinit', 'admin'],
stdin_text=cmd_input.format(
@@ -611,8 +600,8 @@ class TestACMERenew(IntegrationTest):
# move back date
for host in self.clients[0], self.master:
- host.run_command(['kdestroy', '-A'])
- move_date(host, 'start', '-90days')
+ tasks.kdestroy_all(host)
+ tasks.move_date(host, 'start', '-90days')
tasks.kinit_admin(host)
@pytest.mark.skipif(skip_certbot_tests, reason='certbot not available')
--
2.31.1

66
SOURCES/0030-test_acme-make-password-renewal-more-robust.patch
View File

@ -1,66 +0,0 @@
From 701adb9185c77194ba1ad0c5fd2f13484417ef6f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 20 Jul 2021 20:22:23 +0200
Subject: [PATCH] test_acme: make password renewal more robust
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
A kinit immediately following a password change can fail.
Setting KRB5_TRACE and retrieving kdcinfo will help to understand
the cause of failure.
Fixes: https://pagure.io/freeipa/issue/8929
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
ipatests/test_integration/test_acme.py | 28 +++++++++++++-------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index b4aa1b351..10195a95f 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -576,25 +576,25 @@ class TestACMERenew(IntegrationTest):
# request a standalone acme cert
certbot_standalone_cert(self.clients[0], self.acme_server)
- cmd_input = (
- # Password for admin@{REALM}:
- "{pwd}\n"
- # Password expired. You must change it now.
- # Enter new password:
- "{pwd}\n"
- # Enter it again:
- "{pwd}\n"
- )
# move system date to expire acme cert
for host in self.clients[0], self.master:
tasks.kdestroy_all(host)
tasks.move_date(host, 'stop', '+90days')
- self.clients[0].run_command(
- ['kinit', 'admin'],
- stdin_text=cmd_input.format(
- pwd=self.clients[0].config.admin_password
- )
+
+ tasks.get_kdcinfo(host)
+ # Note raiseonerr=False:
+ # the assert is located after kdcinfo retrieval.
+ result = host.run_command(
+ "KRB5_TRACE=/dev/stdout kinit %s" % 'admin',
+ stdin_text='{0}\n{0}\n{0}\n'.format(
+ self.clients[0].config.admin_password
+ ),
+ raiseonerr=False
)
+ # Retrieve kdc.$REALM after the password change, just in case SSSD
+ # domain status flipped to online during the password change.
+ tasks.get_kdcinfo(host)
+ assert result.returncode == 0
yield
--
2.31.1

58
SOURCES/0031-tasks.py-fix-flake8-reported-issues.patch
View File

@ -1,58 +0,0 @@
From 5b826ab3582566b15a618f57cb2e002a9c16ef64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 20 Jul 2021 20:29:00 +0200
Subject: [PATCH] tasks.py: fix flake8-reported issues
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://pagure.io/freeipa/issue/8931
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
ipatests/pytest_ipa/integration/tasks.py | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index c2e548617..075c05cde 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -597,7 +597,9 @@ def install_adtrust(host):
dig_command = ['dig', 'SRV', '+short', '@localhost',
'_ldap._tcp.%s' % host.domain.name]
dig_output = '0 100 389 %s.' % host.hostname
- dig_test = lambda x: re.search(re.escape(dig_output), x)
+
+ def dig_test(x):
+ return re.search(re.escape(dig_output), x)
run_repeatedly(host, dig_command, test=dig_test)
@@ -2122,8 +2124,8 @@ def create_active_user(host, login, password, first='test', last='user',
result = host.run_command(
"KRB5_TRACE=/dev/stdout kinit %s" % login,
stdin_text='{0}\n{1}\n{1}\n'.format(
- temp_password, password, raiseonerr=False
- )
+ temp_password, password
+ ), raiseonerr=False
)
# Retrieve kdc.$REALM after the password change, just in case SSSD
# domain status flipped to online during the password change.
@@ -2264,10 +2266,10 @@ class KerberosKeyCopier:
[paths.KLIST, "-eK", "-k", keytab], log_stdout=False)
keys_to_sync = []
- for l in result.stdout_text.splitlines():
- if (princ in l and any(e in l for e in self.valid_etypes)):
+ for line in result.stdout_text.splitlines():
+ if (princ in line and any(e in line for e in self.valid_etypes)):
- els = l.split()
+ els = line.split()
els[-2] = els[-2].strip('()')
els[-1] = els[-1].strip('()')
keys_to_sync.append(KeyEntry._make(els))
--
2.31.1

142
SOURCES/0032-Fix-ldapupdate.get_sub_dict-for-missing-named-user.patch
View File

@ -1,142 +0,0 @@
From a1eb13cdbc109da8c028bb886a1207ea2cc23cee Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 27 Jul 2021 11:54:20 +0200
Subject: [PATCH] Fix ldapupdate.get_sub_dict() for missing named user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The named user may not be present when ipa-server-dns and bind are not
installed. NAMED_UID and NAMED_GID constants are only used with local
DNS support.
Fixes: https://pagure.io/freeipa/issue/8936
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Co-authored-by: François Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/ldapupdate.py | 14 +++++++---
.../nightly_ipa-4-9_latest.yaml | 12 +++++++++
.../nightly_ipa-4-9_previous.yaml | 12 +++++++++
.../test_integration/test_installation.py | 27 +++++++++++++++++++
4 files changed, 62 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 06cb78e0b..f0e7d6162 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -64,6 +64,15 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
idrange_size = idmax - idstart + 1
subid_base_rid = constants.SUBID_RANGE_START - idrange_size
+ # uid / gid for autobind
+ # user is only defined when ipa-server-dns and bind are installed
+ try:
+ named_uid = platformconstants.NAMED_USER.uid
+ named_gid = platformconstants.NAMED_GROUP.gid
+ except ValueError:
+ named_uid = None
+ named_gid = None
+
return dict(
REALM=realm,
DOMAIN=domain,
@@ -99,9 +108,8 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
DEFAULT_ADMIN_SHELL=platformconstants.DEFAULT_ADMIN_SHELL,
SELINUX_USERMAP_DEFAULT=platformconstants.SELINUX_USERMAP_DEFAULT,
SELINUX_USERMAP_ORDER=platformconstants.SELINUX_USERMAP_ORDER,
- # uid / gid for autobind
- NAMED_UID=platformconstants.NAMED_USER.uid,
- NAMED_GID=platformconstants.NAMED_GROUP.gid,
+ NAMED_UID=named_uid,
+ NAMED_GID=named_gid,
)
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
index 939ee2b7d..1c8c5ddfc 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
@@ -547,6 +547,18 @@ jobs:
timeout: 4800
topology: *master_1repl_1client
+ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutNamed:
+ requires: [fedora-latest-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
+ test_suite: test_integration/test_installation.py::TestInstallWithoutNamed
+ template: *ci-ipa-4-9-latest
+ timeout: 4800
+ topology: *master_1repl
+
fedora-latest-ipa-4-9/test_idviews:
requires: [fedora-latest-ipa-4-9/build]
priority: 50
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
index 03658a934..6d121d59f 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
@@ -547,6 +547,18 @@ jobs:
timeout: 4800
topology: *master_1repl_1client
+ fedora-previous-ipa-4-9/test_installation_TestInstallWithoutNamed:
+ requires: [fedora-previous-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-previous-ipa-4-9/build_url}'
+ test_suite: test_integration/test_installation.py::TestInstallWithoutNamed
+ template: *ci-ipa-4-9-previous
+ timeout: 4800
+ topology: *master_1repl
+
fedora-previous-ipa-4-9/test_idviews:
requires: [fedora-previous-ipa-4-9/build]
priority: 50
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index e76fd0efe..e3c41eaa1 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1853,3 +1853,30 @@ class TestInstallWithoutSudo(IntegrationTest):
result = tasks.install_client(self.master, self.clients[0])
assert self.no_sudo_str not in result.stderr_text
assert self.sudo_version_str not in result.stdout_text
+
+
+class TestInstallWithoutNamed(IntegrationTest):
+ num_replicas = 1
+
+ @classmethod
+ def remove_named(cls, host):
+ # remove the bind package and make sure the named user does not exist.
+ # https://pagure.io/freeipa/issue/8936
+ result = host.run_command(['id', 'named'], raiseonerr=False)
+ if result.returncode == 0:
+ tasks.uninstall_packages(host, ['bind'])
+ host.run_command(['userdel', constants.NAMED_USER])
+ assert host.run_command(
+ ['id', 'named'], raiseonerr=False
+ ).returncode == 1
+
+ @classmethod
+ def install(cls, mh):
+ for tgt in (cls.master, cls.replicas[0]):
+ cls.remove_named(tgt)
+ tasks.install_master(cls.master, setup_dns=False)
+
+ def test_replica0_install(self):
+ tasks.install_replica(
+ self.master, self.replicas[0], setup_ca=False, setup_dns=False
+ )
--
2.31.1

68
SOURCES/0033-freeipa.spec.in-remove-python3-pexpect-from-Requires.patch
View File

@ -1,68 +0,0 @@
From e0e1d6f94dd16c8066be8ce3c75ef306890a3e2b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Wed, 28 Jul 2021 18:47:02 +0200
Subject: [PATCH] freeipa.spec.in: remove python3-pexpect from Requires
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
python3-pexpect will be removed in RHEL9.
Update BuildRequires/Requires accordingly.
Fixes: https://pagure.io/freeipa/issue/8938
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Antonio Torres <antorres@redhat.com>
---
freeipa.spec.in | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index c33d2e216..9440f3602 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -328,11 +328,18 @@ BuildRequires: python3-m2r
# Build dependencies for lint and fastcheck
#
%if %{with lint}
-BuildRequires: git
-%if 0%{?fedora} < 34
+
+# python3-pexpect might not be available in RHEL9
+%if 0%{?fedora} || 0%{?rhel} < 9
+BuildRequires: python3-pexpect
+%endif
+
# jsl is orphaned in Fedora 34+
+%if 0%{?fedora} < 34
BuildRequires: jsl
%endif
+
+BuildRequires: git
BuildRequires: nss-tools
BuildRequires: rpmlint
BuildRequires: softhsm
@@ -357,7 +364,6 @@ BuildRequires: python3-lxml
BuildRequires: python3-netaddr >= %{python_netaddr_version}
BuildRequires: python3-netifaces
BuildRequires: python3-paste
-BuildRequires: python3-pexpect
BuildRequires: python3-pki >= %{pki_version}
BuildRequires: python3-polib
BuildRequires: python3-pyasn1
@@ -878,11 +884,11 @@ Requires: python3-ipaclient = %{version}-%{release}
Requires: python3-ipaserver = %{version}-%{release}
Requires: iptables
Requires: python3-cryptography >= 1.6
-Requires: python3-pexpect
%if 0%{?fedora}
# These packages do not exist on RHEL and for ipatests use
# they are installed on the controller through other means
Requires: ldns-utils
+Requires: python3-pexpect
# update-crypto-policies
Requires: crypto-policies-scripts
Requires: python3-polib
--
2.31.1

365
SOURCES/0034-ipa-getkeytab-add-option-to-discover-servers-using-D.patch
View File

@ -1,365 +0,0 @@
From 42206df69adc9c1eefa3ee576891b2ae3ac269e0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 15 Jul 2021 15:11:28 -0400
Subject: [PATCH] ipa-getkeytab: add option to discover servers using DNS SRV
The basic flow is:
- If server is provided by the user then use it
- If server the magic value '_srv', check for _ldap._tcp SRV records for
the domain in /etc/ipa/default.conf
- If no servers are found use the server from default.conf
https://pagure.io/freeipa/issue/8478
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
client/Makefile.am | 1 +
client/ipa-getkeytab.c | 221 +++++++++++++++++++++++++++++++++++++
client/man/ipa-getkeytab.1 | 5 +-
configure.ac | 10 ++
4 files changed, 236 insertions(+), 1 deletion(-)
diff --git a/client/Makefile.am b/client/Makefile.am
index 0031c04a5..72f4cb3dc 100644
--- a/client/Makefile.am
+++ b/client/Makefile.am
@@ -66,6 +66,7 @@ ipa_getkeytab_LDADD = \
$(SASL_LIBS) \
$(POPT_LIBS) \
$(LIBINTL_LIBS) \
+ $(RESOLV_LIBS) \
$(INI_LIBS) \
$(NULL)
diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c
index 04786be9e..d3673eb05 100644
--- a/client/ipa-getkeytab.c
+++ b/client/ipa-getkeytab.c
@@ -34,9 +34,11 @@
#include <time.h>
#include <krb5.h>
#include <ldap.h>
+#include <resolv.h>
#include <sasl/sasl.h>
#include <popt.h>
#include <ini_configobj.h>
+#include <openssl/rand.h>
#include "config.h"
@@ -46,6 +48,174 @@
#include "ipa_ldap.h"
+struct srvrec {
+ char *host;
+ uint16_t port;
+ int priority, weight;
+ struct srvrec *next;
+};
+
+static int
+srvrec_priority_sort(const void *a, const void *b)
+{
+ const struct srvrec *sa, *sb;
+
+ sa = a;
+ sb = b;
+ return sa->priority - sb->priority;
+}
+
+static int
+srvrec_sort_weight(const void *a, const void *b)
+{
+ const struct srvrec *sa, *sb;
+
+ sa = a;
+ sb = b;
+ return sa->weight - sb->weight;
+}
+
+/* Return a uniform random number between 0 and range */
+static double
+rand_inclusive(double range)
+{
+ long long r;
+
+ if (range == 0) {
+ return 0;
+ }
+
+ if (RAND_bytes((unsigned char *) &r, sizeof(r)) == -1) {
+ return 0;
+ }
+ if (r < 0) {
+ r = -r;
+ }
+ return ((double)r / (double)LLONG_MAX) * range;
+}
+
+static void
+sort_prio_weight(struct srvrec *res, int len)
+{
+ int i, j;
+ double tweight;
+ struct srvrec tmp;
+ double r;
+
+ qsort(res, len, sizeof(res[0]), srvrec_sort_weight);
+ for (i = 0; i < len - 1; i++) {
+ tweight = 0;
+ for (j = i; j < len; j++) {
+ /* Give records with 0 weight a small chance */
+ tweight += res[j].weight ? res[j].weight : 0.01;
+ }
+ r = rand_inclusive(tweight);
+ tweight = 0;
+ for (j = i; j < len; j++) {
+ tweight += res[j].weight ? res[j].weight : 0.01;
+ if (tweight >= r) {
+ break;
+ }
+ }
+ if (j >= len) {
+ continue;
+ }
+ memcpy(&tmp, &res[i], sizeof(tmp));
+ memcpy(&res[i], &res[j], sizeof(tmp));
+ memcpy(&res[j], &tmp, sizeof(tmp));
+ }
+}
+
+/* The caller is responsible for freeing the results */
+static int
+query_srv(const char *name, const char *domain, struct srvrec **results)
+{
+ int i, j, len;
+ unsigned char *answer = NULL;
+ size_t answer_len = NS_MAXMSG;
+ struct srvrec *res = NULL;
+ ns_msg msg;
+ ns_rr rr;
+ int rv = -1;
+
+ *results = NULL;
+ if ((name == NULL) || (strlen(name) == 0) ||
+ (domain == NULL) || (strlen(domain) == 0)) {
+ return -1;
+ }
+
+ res_init();
+ answer = malloc(answer_len + 1);
+ if (answer == NULL) {
+ return -1;
+ }
+ memset(answer, 0, answer_len + 1);
+ i = res_querydomain(name, domain, C_IN, T_SRV, answer, answer_len);
+ if (i == -1) {
+ goto error;
+ }
+ answer_len = i;
+ memset(&msg, 0, sizeof(msg));
+ if (ns_initparse(answer, answer_len, &msg) != 0) {
+ goto error;
+ }
+ memset(&rr, 0, sizeof(rr));
+ for (i = 0; ns_parserr(&msg, ns_s_an, i, &rr) == 0; i++) {
+ continue;
+ }
+ if (i == 0) {
+ goto error;
+ }
+ len = i;
+ res = malloc(sizeof(*res) * i);
+ if (res == NULL) {
+ goto error;
+ }
+ memset(res, 0, sizeof(*res) * i);
+ for (i = 0, j = 0; i < len; i++) {
+ if (ns_parserr(&msg, ns_s_an, i, &rr) != 0) {
+ continue;
+ }
+ if (rr.rdlength < 6) {
+ continue;
+ }
+ res[j].host = malloc(rr.rdlength - 6 + 1);
+ if (res[j].host == NULL) {
+ goto error;
+ }
+ res[j].priority = ntohs(*(uint16_t *)rr.rdata);
+ res[j].weight = ntohs(*(uint16_t *)(rr.rdata + 2));
+ res[j].port = ntohs(*(uint16_t *)(rr.rdata + 4));
+ memcpy(res[j].host, rr.rdata + 6, rr.rdlength - 6);
+ if (ns_name_ntop(rr.rdata + 6, res[j].host, rr.rdlength - 6) == -1) {
+ continue;
+ }
+ res[j].host[rr.rdlength - 6] = '\0';
+ j++;
+ }
+ len = j;
+ qsort(res, len, sizeof(res[0]), srvrec_priority_sort);
+ i = 0;
+ while (i < len) {
+ j = i + 1;
+ while (j < len && (res[j].priority == res[i].priority)) {
+ j++;
+ }
+ sort_prio_weight(res + i, j - i);
+ i = j;
+ }
+ /* Fixup the linked-list pointers */
+ for (i = 0; i < len - 1; i++) {
+ res[i].next = &res[i + 1];
+ }
+ *results = res;
+ rv = 0;
+
+error:
+ free(answer);
+ return rv;
+}
+
static int check_sasl_mech(const char *mech)
{
int i;
@@ -619,6 +789,7 @@ static char *ask_password(krb5_context krbctx, char *prompt1, char *prompt2,
struct ipa_config {
const char *server_name;
+ const char *domain;
};
static int config_from_file(struct ini_cfgobj *cfgctx)
@@ -688,6 +859,11 @@ int read_ipa_config(struct ipa_config **ipacfg)
if (ret == 0 && obj != NULL) {
(*ipacfg)->server_name = ini_get_string_config_value(obj, &ret);
}
+ ret = ini_get_config_valueobj("global", "domain", cfgctx,
+ INI_GET_LAST_VALUE, &obj);
+ if (ret == 0 && obj != NULL) {
+ (*ipacfg)->domain = ini_get_string_config_value(obj, &ret);
+ }
return 0;
}
@@ -754,6 +930,7 @@ int main(int argc, const char *argv[])
static const char *sasl_mech = NULL;
static const char *ca_cert_file = NULL;
int quiet = 0;
+ int verbose = 0;
int askpass = 0;
int askbindpw = 0;
int permitted_enctypes = 0;
@@ -761,6 +938,8 @@ int main(int argc, const char *argv[])
struct poptOption options[] = {
{ "quiet", 'q', POPT_ARG_NONE, &quiet, 0,
_("Print as little as possible"), _("Output only on errors")},
+ { "verbose", 'v', POPT_ARG_NONE, &verbose, 0,
+ _("Print debugging information"), _("Output debug info")},
{ "server", 's', POPT_ARG_STRING, &server, 0,
_("Contact this specific KDC Server"),
_("Server Name") },
@@ -906,6 +1085,41 @@ int main(int argc, const char *argv[])
exit(2);
}
+ if (server && (strcasecmp(server, "_srv_") == 0)) {
+ struct srvrec *srvrecs, *srv;
+ struct ipa_config *ipacfg = NULL;
+
+ ret = read_ipa_config(&ipacfg);
+ if (ret == 0 && ipacfg->domain && verbose) {
+ fprintf(stderr, _("DNS discovery for domain %s\n"), ipacfg->domain);
+ }
+ if (query_srv("_ldap._tcp", ipacfg->domain, &srvrecs) == 0) {
+ for (srv = srvrecs; (srv != NULL); srv = srv->next) {
+ if (verbose) {
+ fprintf(stderr, _("Discovered server %s\n"), srv->host);
+ }
+ }
+ for (srv = srvrecs; (srv != NULL); srv = srv->next) {
+ server = strdup(srv->host);
+ if (verbose) {
+ fprintf(stderr, _("Using discovered server %s\n"), server);
+ }
+ break;
+ }
+ for (srv = srvrecs; (srv != NULL); srv = srv->next) {
+ free(srv->host);
+ }
+ } else {
+ if (verbose) {
+ fprintf(stderr, _("DNS Discovery failed\n"));
+ }
+ }
+ if (strcasecmp(server, "_srv_") == 0) {
+ /* Discovery failed, fall through to option methods */
+ server = NULL;
+ }
+ }
+
if (!server && !ldap_uri) {
struct ipa_config *ipacfg = NULL;
@@ -915,10 +1129,17 @@ int main(int argc, const char *argv[])
ipacfg->server_name = NULL;
}
free(ipacfg);
+ if (verbose && server) {
+ fprintf(stderr, _("Using server from config %s\n"), server);
+ }
if (!server) {
fprintf(stderr, _("Server name not provided and unavailable\n"));
exit(2);
}
+ } else {
+ if (verbose) {
+ fprintf(stderr, _("Using provided server %s\n"), server);
+ }
}
if (server) {
ret = ipa_server_to_uri(server, sasl_mech, &ldap_uri);
diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1
index b57c5489c..07d2d73b3 100644
--- a/client/man/ipa-getkeytab.1
+++ b/client/man/ipa-getkeytab.1
@@ -78,7 +78,10 @@ arcfour\-hmac
\fB\-s ipaserver\fR
The IPA server to retrieve the keytab from (FQDN). If this option is not
provided the server name is read from the IPA configuration file
-(/etc/ipa/default.conf). Cannot be used together with \fB\-H\fR.
+(/etc/ipa/default.conf). Cannot be used together with \fB\-H\fR. If the
+value is _srv_ then DNS discovery will be used to determine a server.
+If this discovery fails then it will fall back to using the configuration
+file.
.TP
\fB\-q\fR
Quiet mode. Only errors are displayed.
diff --git a/configure.ac b/configure.ac
index dc79d5dce..9d7a33825 100644
--- a/configure.ac
+++ b/configure.ac
@@ -108,6 +108,16 @@ LDAP_CFLAGS=""
AC_SUBST(LDAP_LIBS)
AC_SUBST(LDAP_CFLAGS)
+dnl ---------------------------------------------------------------------------
+dnl - Check for resolv library
+dnl ---------------------------------------------------------------------------
+
+SAVE_CPPFLAGS=$CPPFLAGS
+CPPFLAGS="$NSPR_CFLAGS $NSS_CFLAGS"
+AC_CHECK_LIB(resolv,main,RESOLV_LIBS=-lresolv)
+AC_CHECK_HEADERS(resolv.h)
+AC_SUBST(RESOLV_LIBS)
+
dnl ---------------------------------------------------------------------------
dnl - Check for OpenSSL Crypto library
dnl ---------------------------------------------------------------------------
--
2.31.1

55
SOURCES/0035-ipa-getkeytab-fix-compiler-warnings.patch
View File

@ -1,55 +0,0 @@
From 0114d24ea160676b784ef7010c19bbacc67ceea0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 15 Jul 2021 17:52:54 -0400
Subject: [PATCH] ipa-getkeytab: fix compiler warnings
Make read_ipa_config and filter_keys static to avoid
"no previous prototype" warnings.
Use correct datatype of return value for ber_scanf to
correct different signedness comparision.
Fixed while working on https://pagure.io/freeipa/issue/8478
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
client/ipa-getkeytab.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c
index d3673eb05..309b3c704 100644
--- a/client/ipa-getkeytab.c
+++ b/client/ipa-getkeytab.c
@@ -291,7 +291,7 @@ static int ldap_sasl_interact(LDAP *ld, unsigned flags, void *priv_data, void *s
return ret;
}
-int filter_keys(krb5_context krbctx, struct keys_container *keys,
+static int filter_keys(krb5_context krbctx, struct keys_container *keys,
ber_int_t *enctypes)
{
struct krb_key_salt *ksdata;
@@ -507,7 +507,7 @@ static int ldap_set_keytab(krb5_context krbctx,
BerElement *sctrl = NULL;
struct berval *control = NULL;
LDAPControl **srvctrl = NULL;
- int ret;
+ ber_tag_t ret;
int kvno, i;
ber_tag_t rtag;
ber_int_t *encs = NULL;
@@ -826,7 +826,7 @@ static int config_from_file(struct ini_cfgobj *cfgctx)
return 0;
}
-int read_ipa_config(struct ipa_config **ipacfg)
+static int read_ipa_config(struct ipa_config **ipacfg)
{
struct ini_cfgobj *cfgctx = NULL;
struct value_obj *obj = NULL;
--
2.31.1

92
SOURCES/0036-ipatests-test-ipa-getkeytab-server-option.patch
View File

@ -1,92 +0,0 @@
From 7a13200fd8b92dd90ebc4b6416ef25659df8aa71 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 16 Jul 2021 12:59:47 -0400
Subject: [PATCH] ipatests: test ipa-getkeytab server option
Test various usages of the -s/--server option:
* -s is defined, use it as the server
* no -s, use the host value from /etc/ipa/default.conf
* -s is '_srv_', do DNS discovery
https://pagure.io/freeipa/issue/8478
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_commands.py | 58 ++++++++++++++++++++++
1 file changed, 58 insertions(+)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index d64519eb7..2035ced56 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1467,6 +1467,64 @@ class TestIPACommand(IntegrationTest):
assert 'This account is currently not available' in \
result.stdout_text
+ def test_ipa_getkeytab_server(self):
+ """
+ Exercise the ipa-getkeytab server options
+
+ This relies on the behavior that without a TGT
+ ipa-getkeytab will quit and not do much of anything.
+
+ A bogus keytab and principal are passed in to satisfy the
+ minimum requirements.
+ """
+ tasks.kdestroy_all(self.master)
+
+ # Pass in a server name to use
+ result = self.master.run_command(
+ [
+ paths.IPA_GETKEYTAB,
+ "-k",
+ "/tmp/keytab",
+ "-p",
+ "foo",
+ "-s",
+ self.master.hostname,
+ "-v",
+ ], raiseonerr=False).stderr_text
+
+ assert 'Using provided server %s' % self.master.hostname in result
+
+ # Don't pass in a name, should use /etc/ipa/default.conf
+ result = self.master.run_command(
+ [
+ paths.IPA_GETKEYTAB,
+ "-k",
+ "/tmp/keytab",
+ "-p",
+ "foo",
+ "-v",
+ ], raiseonerr=False).stderr_text
+
+ assert (
+ 'Using server from config %s' % self.master.hostname
+ in result
+ )
+
+ # Use DNS SRV lookup
+ result = self.master.run_command(
+ [
+ paths.IPA_GETKEYTAB,
+ "-k",
+ "/tmp/keytab",
+ "-p",
+ "foo",
+ "-s",
+ "_srv_",
+ "-v",
+ ], raiseonerr=False).stderr_text
+
+ assert 'Discovered server %s' % self.master.hostname in result
+
class TestIPACommandWithoutReplica(IntegrationTest):
"""
--
2.31.1

91
SOURCES/0037-ipatests-Test-for-OTP-when-the-LDAP-connection-timed.patch
View File

@ -1,91 +0,0 @@
From 25a4acf3ad5964eacddbcb83ddf9f84432968918 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 22 Jul 2021 14:55:50 +0530
Subject: [PATCH] ipatests: Test for OTP when the LDAP connection timed out.
Test to verify that when the idle timeout is exceeded (30s idle,
60s sleep) then the ipa-otpd process should exit without error.
Related : https://pagure.io/freeipa/issue/6587
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_otp.py | 56 +++++++++++++++++++++++++++
1 file changed, 56 insertions(+)
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
index b2e65af1b..fd55898ca 100644
--- a/ipatests/test_integration/test_otp.py
+++ b/ipatests/test_integration/test_otp.py
@@ -20,6 +20,7 @@ from cryptography.hazmat.primitives.twofactor.totp import TOTP
from ipatests.test_integration.base import IntegrationTest
from ipaplatform.paths import paths
from ipatests.pytest_ipa.integration import tasks
+from ipapython.dn import DN
PASSWORD = "DummyPassword123"
@@ -309,3 +310,58 @@ class TestOTPToken(IntegrationTest):
master.run_command(['ipa', 'user-del', USER2])
self.master.run_command(['semanage', 'login', '-D'])
sssd_conf_backup.restore()
+
+ @pytest.fixture
+ def setup_otp_nsslapd(self):
+ # setting nsslapd-idletimeout
+ new_limit = 30
+ conn = self.master.ldap_connect()
+ dn = DN(('cn', 'config'))
+ entry = conn.get_entry(dn) # pylint: disable=no-member
+ orig_limit = entry.single_value.get('nsslapd-idletimeout')
+ ldap_query = textwrap.dedent("""
+ dn: cn=config
+ changetype: modify
+ replace: nsslapd-idletimeout
+ nsslapd-idletimeout: {limit}
+ """)
+ tasks.ldapmodify_dm(self.master, ldap_query.format(limit=new_limit))
+ # Be sure no services are running and failed units
+ self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
+ check_services = self.master.run_command(
+ ['systemctl', 'list-units', '--state=failed']
+ )
+ assert "0 loaded units listed" in check_services.stdout_text
+ assert "ipa-otpd" not in check_services.stdout_text
+ yield
+ # cleanup
+ tasks.ldapmodify_dm(self.master, ldap_query.format(limit=orig_limit))
+
+ def test_check_otpd_after_idle_timeout(self, setup_otp_nsslapd):
+ """Test for OTP when the LDAP connection timed out.
+
+ Test for : https://pagure.io/freeipa/issue/6587
+
+ ipa-otpd was exiting with failure when LDAP connection timed out.
+ Test to verify that when the nsslapd-idletimeout is exceeded (30s idle,
+ 60s sleep) then the ipa-otpd process should exit without error.
+ """
+ since = time.strftime('%H:%M:%S')
+ tasks.kinit_admin(self.master)
+ otpuid, totp = add_otptoken(self.master, USER, otptype="totp")
+ try:
+ # kinit with OTP auth
+ otpvalue = totp.generate(int(time.time())).decode("ascii")
+ kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue)
+ time.sleep(60)
+ failed_services = self.master.run_command(
+ ['systemctl', 'list-units', '--state=failed']
+ )
+ assert "ipa-otpd" not in failed_services.stdout_text
+ cmd_jornalctl = self.master.run_command(
+ ['journalctl', '--since={}'.format(since)]
+ )
+ regex = r".*ipa-otpd@.*\sSucceeded"
+ assert re.search(regex, cmd_jornalctl.stdout_text)
+ finally:
+ del_otptoken(self.master, otpuid)
--
2.31.1

51
SOURCES/0038-ipatests-verify-that-getcert-output-includes-the-iss.patch
View File

@ -1,51 +0,0 @@
From 826b5825bd644fc69a9bee17626d71fe03cc0190 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 26 Jul 2021 16:14:19 -0400
Subject: [PATCH] ipatests: verify that getcert output includes the issued date
certmonger 0.79.14 included a new feature that provides the
NotBefore (or issued) date to the certificate list output.
Verify that it is present in the output.
https://bugzilla.redhat.com/show_bug.cgi?id=1940261
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_cert.py | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index b6bb2f08a..9a90db5e2 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -19,6 +19,7 @@ from ipaplatform.paths import paths
from cryptography import x509
from cryptography.x509.oid import ExtensionOID
from cryptography.hazmat.backends import default_backend
+from pkg_resources import parse_version
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
@@ -257,6 +258,16 @@ class TestInstallMasterClient(IntegrationTest):
raise AssertionError("certmonger request is "
"in state {}". format(status))
+ def test_getcert_notafter_output(self):
+ """Test that currrent certmonger includes NotBefore in output"""
+ result = self.master.run_command(["certmonger", "-v"]).stdout_text
+ if parse_version(result.split()[1]) < parse_version('0.79.14'):
+ raise pytest.skip("not_before not provided in this version")
+ result = self.master.run_command(
+ ["getcert", "list", "-f", paths.HTTPD_CERT_FILE]
+ ).stdout_text
+ assert 'issued:' in result
+
class TestCertmongerRekey(IntegrationTest):
--
2.31.1

43
SOURCES/0039-ipatests-Look-for-warning-into-stderr-instead-of-std.patch
View File

@ -1,43 +0,0 @@
From 96dd8ac1cd2e7fb8177d83e7ba5c6d79f4216ea3 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Mon, 2 Aug 2021 19:26:28 +0530
Subject: [PATCH] ipatests: Look for warning into stderr instead of stdout
In https://github.com/freeipa/freeipa/pull/5855 was looking
into stdout_text for warning instead of stderr_text, hence
was failing for pki version > 10.11.0.
related: https://pagure.io/freeipa/issue/8890
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_ipa_cert_fix.py | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index 394e85603..f3cf59afc 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -241,16 +241,14 @@ class TestIpaCertFix(IntegrationTest):
# check that pki-server cert-fix command fails
err_msg2 = ("ERROR: CalledProcessError(Command "
"['pki-server', 'cert-fix'")
- warn_msg = ("WARNING: No selftests configured in "
- f"{paths.CA_CS_CFG_PATH} "
- "(selftests.container.order.startup)")
+ warn_msg = "WARNING: No selftests configured in"
if (tasks.get_pki_version(self.master)
< tasks.parse_version('10.11.0')):
assert (err_msg1 in result.stderr_text
and err_msg2 in result.stderr_text)
else:
- assert warn_msg in result.stdout_text
+ assert warn_msg in result.stderr_text
def test_expired_CA_cert(self, expire_ca_cert):
"""Test to check ipa-cert-fix when CA certificate is expired
--
2.31.1

56
SOURCES/0040-ipatests-use-krb5_trace-in-TestIpaAdTrustInstall.patch
View File

@ -1,56 +0,0 @@
From 9ae23e1257478bfee04b08b54f36dda7f5850348 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 5 Aug 2021 11:37:35 +0200
Subject: [PATCH] ipatests: use krb5_trace in TestIpaAdTrustInstall
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
tasks.create_active_user can fail in a subtle way when there
are two IPA servers due to replication delays.
Using the debug-enabled version of create_active_user helps
determine whether there is another underlying issue and, in
general, prevents the above problem.
Fixes: https://pagure.io/freeipa/issue/8944
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipatests/test_integration/test_adtrust_install.py | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/ipatests/test_integration/test_adtrust_install.py b/ipatests/test_integration/test_adtrust_install.py
index bbbb385a5..f23221186 100644
--- a/ipatests/test_integration/test_adtrust_install.py
+++ b/ipatests/test_integration/test_adtrust_install.py
@@ -257,8 +257,11 @@ class TestIpaAdTrustInstall(IntegrationTest):
user_princ = '@'.join([user, self.master.domain.realm])
passwd = 'Secret123'
# Create a user with a password
- tasks.create_active_user(self.master, user, passwd, extra_args=[
- '--homedir', '/home/{}'.format(user)])
+ tasks.create_active_user(
+ self.master, user, passwd,
+ extra_args=["--homedir", "/home/{}".format(user)],
+ krb5_trace=True
+ )
try:
# Defaults: host/... principal for service
# keytab in /etc/krb5.keytab
@@ -282,8 +285,11 @@ class TestIpaAdTrustInstall(IntegrationTest):
user_princ = '@'.join([user, self.master.domain.realm])
passwd = 'Secret123'
# Create a user with a password
- tasks.create_active_user(self.master, user, passwd, extra_args=[
- '--homedir', '/home/{}'.format(user)])
+ tasks.create_active_user(
+ self.master, user, passwd,
+ extra_args=["--homedir", "/home/{}".format(user)],
+ krb5_trace=True
+ )
try:
# Defaults: host/... principal for service
# keytab in /etc/krb5.keytab
--
2.31.1

45
SOURCES/0041-ipatests-Test-ldapsearch-with-base-scope-works-with-.patch
View File

@ -1,45 +0,0 @@
From a3d71eb72a6125a80a9d7b698f34dcb95dc25184 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 5 Aug 2021 20:03:21 +0530
Subject: [PATCH] ipatests: Test ldapsearch with base scope works with compat
tree.
Added test to verify that ldapsearch for compat tree
with scope base and sub is not failing.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_commands.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 2035ced56..e3a0d867e 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1558,6 +1558,19 @@ class TestIPACommandWithoutReplica(IntegrationTest):
# Run the command again after cache is removed
self.master.run_command(['ipa', 'user-show', 'ipauser1'])
+ def test_basesearch_compat_tree(self):
+ """Test ldapsearch against compat tree is working
+
+ This to ensure that ldapsearch with base scope is not failing.
+
+ related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
+ """
+ tasks.kinit_admin(self.master)
+ base_dn = str(self.master.domain.basedn)
+ base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='sub')
+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='base')
+
class TestIPAautomount(IntegrationTest):
@classmethod
--
2.31.1

44
SOURCES/0042-ipatests-skip-test_basesearch_compat_tree-on-fedora.patch
View File

@ -1,44 +0,0 @@
From d4062e407d242a72b9d4e32f4fdd6aed086ce005 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 5 Aug 2021 20:23:15 +0530
Subject: [PATCH] ipatests: skip test_basesearch_compat_tree on fedora.
slapi-nis with fix is not part of fedora yet.
test requires with fix:
https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177?
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_commands.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index e3a0d867e..4d9a81652 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -38,6 +38,7 @@ from ipatests.create_external_ca import ExternalCA
from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
from ipapython.ipautil import realm_to_suffix, ipa_generate_password
from ipaserver.install.installutils import realm_to_serverid
+from pkg_resources import parse_version
logger = logging.getLogger(__name__)
@@ -1565,6 +1566,12 @@ class TestIPACommandWithoutReplica(IntegrationTest):
related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
"""
+ version = self.master.run_command(
+ ["rpm", "-qa", "--qf", "%{VERSION}", "slapi-nis"]
+ )
+ if tasks.get_platform(self.master) == "fedora" and parse_version(
+ version.stdout_text) <= parse_version("0.56.7"):
+ pytest.skip("Test requires slapi-nis with fix on fedora")
tasks.kinit_admin(self.master)
base_dn = str(self.master.domain.basedn)
base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
--
2.31.1

89
SOURCES/0043-ipatests-Refactor-test_check_otpd_after_idle_timeout.patch
View File

@ -1,89 +0,0 @@
From eac03d6828d0bac1925c897090fc77e250eaee04 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 5 Aug 2021 12:27:38 +0530
Subject: [PATCH] ipatests: Refactor test_check_otpd_after_idle_timeout
Use whole date when calling journalctl --since
ipa-otpd don't flush its logs to syslog immediately,
so check with run_repeatedly.
Also list failed units when ldap connection is
timed out.
Related: https://pagure.io/freeipa/issue/6587
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_otp.py | 31 ++++++++++++++++-----------
1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
index fd55898ca..353470897 100644
--- a/ipatests/test_integration/test_otp.py
+++ b/ipatests/test_integration/test_otp.py
@@ -313,6 +313,13 @@ class TestOTPToken(IntegrationTest):
@pytest.fixture
def setup_otp_nsslapd(self):
+ check_services = self.master.run_command(
+ ['systemctl', 'list-units', '--state=failed']
+ )
+ assert "0 loaded units listed" in check_services.stdout_text
+ assert "ipa-otpd" not in check_services.stdout_text
+ # Be sure no services are running and failed units
+ self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
# setting nsslapd-idletimeout
new_limit = 30
conn = self.master.ldap_connect()
@@ -326,13 +333,6 @@ class TestOTPToken(IntegrationTest):
nsslapd-idletimeout: {limit}
""")
tasks.ldapmodify_dm(self.master, ldap_query.format(limit=new_limit))
- # Be sure no services are running and failed units
- self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
- check_services = self.master.run_command(
- ['systemctl', 'list-units', '--state=failed']
- )
- assert "0 loaded units listed" in check_services.stdout_text
- assert "ipa-otpd" not in check_services.stdout_text
yield
# cleanup
tasks.ldapmodify_dm(self.master, ldap_query.format(limit=orig_limit))
@@ -346,7 +346,7 @@ class TestOTPToken(IntegrationTest):
Test to verify that when the nsslapd-idletimeout is exceeded (30s idle,
60s sleep) then the ipa-otpd process should exit without error.
"""
- since = time.strftime('%H:%M:%S')
+ since = time.strftime('%Y-%m-%d %H:%M:%S')
tasks.kinit_admin(self.master)
otpuid, totp = add_otptoken(self.master, USER, otptype="totp")
try:
@@ -354,14 +354,19 @@ class TestOTPToken(IntegrationTest):
otpvalue = totp.generate(int(time.time())).decode("ascii")
kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue)
time.sleep(60)
+
+ def test_cb(cmd_jornalctl):
+ # check if LDAP connection is timed out
+ expected_msg = "Can't contact LDAP server"
+ return expected_msg in cmd_jornalctl
+
+ # ipa-otpd don't flush its logs to syslog immediately
+ cmd = ['journalctl', '--since={}'.format(since)]
+ tasks.run_repeatedly(
+ self.master, command=cmd, test=test_cb, timeout=90)
failed_services = self.master.run_command(
['systemctl', 'list-units', '--state=failed']
)
assert "ipa-otpd" not in failed_services.stdout_text
- cmd_jornalctl = self.master.run_command(
- ['journalctl', '--since={}'.format(since)]
- )
- regex = r".*ipa-otpd@.*\sSucceeded"
- assert re.search(regex, cmd_jornalctl.stdout_text)
finally:
del_otptoken(self.master, otpuid)
--
2.31.1

162
SOURCES/0044-ipatests-Test-unsecure-nsupdate.patch
View File

@ -1,162 +0,0 @@
From 4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Mon, 9 Aug 2021 20:57:22 +0530
Subject: [PATCH] ipatests: Test unsecure nsupdate.
The test configures an external bind server on the ipa-server
(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
When the IPA client is registered using ipa-client-install,
DNS records are added for the client in the bind server using nsupdate.
The first try is using GSS-TIG but fails as expected, and the client
installer then tries with unauthenticated nsupdate.
Related : https://pagure.io/freeipa/issue/8402
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../test_installation_client.py | 118 ++++++++++++++++++
1 file changed, 118 insertions(+)
diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py
index fa59a5255..014b0f6ab 100644
--- a/ipatests/test_integration/test_installation_client.py
+++ b/ipatests/test_integration/test_installation_client.py
@@ -8,10 +8,15 @@ Module provides tests for various options of ipa-client-install.
from __future__ import absolute_import
+import pytest
+import re
import shlex
+import textwrap
+from ipaplatform.paths import paths
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
+from ipatests.pytest_ipa.integration.firewall import Firewall
class TestInstallClient(IntegrationTest):
@@ -70,3 +75,116 @@ class TestInstallClient(IntegrationTest):
extra_args=['--ssh-trust-dns'])
result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config'])
assert 'HostKeyAlgorithms' not in result.stdout_text
+
+
+class TestClientInstallBind(IntegrationTest):
+ """
+ The test configures an external bind server on the ipa-server
+ (not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
+ When the IPA client is registered using ipa-client-install,
+ DNS records are added for the client in the bind server using nsupdate.
+ The first try is using GSS-TIG but fails as expected, and the client
+ installer then tries with unauthenticated nsupdate.
+ """
+
+ num_clients = 1
+
+ @classmethod
+ def install(cls, mh):
+ cls.client = cls.clients[0]
+
+ @pytest.fixture
+ def setup_bindserver(self):
+ bindserver = self.master
+ named_conf_backup = tasks.FileBackup(self.master, paths.NAMED_CONF)
+ # create a zone in the BIND server that is identical to the IPA
+ add_zone = textwrap.dedent("""
+ zone "{domain}" IN {{ type master;
+ file "{domain}.db"; allow-query {{ any; }};
+ allow-update {{ any; }}; }};
+ """).format(domain=bindserver.domain.name)
+
+ namedcfg = bindserver.get_file_contents(
+ paths.NAMED_CONF, encoding='utf-8')
+ namedcfg += '\n' + add_zone
+ bindserver.put_file_contents(paths.NAMED_CONF, namedcfg)
+
+ def update_contents(path, pattern, replace):
+ contents = bindserver.get_file_contents(path, encoding='utf-8')
+ namedcfg_query = re.sub(pattern, replace, contents)
+ bindserver.put_file_contents(path, namedcfg_query)
+
+ update_contents(paths.NAMED_CONF, 'localhost;', 'any;')
+ update_contents(paths.NAMED_CONF, "listen-on port 53 { 127.0.0.1; };",
+ "#listen-on port 53 { 127.0.0.1; };")
+ update_contents(paths.NAMED_CONF, "listen-on-v6 port 53 { ::1; };",
+ "#listen-on-v6 port 53 { ::1; };")
+
+ add_records = textwrap.dedent("""
+ @ IN SOA {fqdn}. root.{domain}. (
+ 1001 ;Serial
+ 3H ;Refresh
+ 15M ;Retry
+ 1W ;Expire
+ 1D ;Minimum 1D
+ )
+ @ IN NS {fqdn}.
+ ns1 IN A {bindserverip}
+ _kerberos.{domain}. IN TXT {zoneupper}
+ {fqdn}. IN A {bindserverip}
+ ipa-ca.{domain}. IN A {bindserverip}
+ _kerberos-master._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos-master._udp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos._udp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kpasswd._tcp.{domain}. IN SRV 0 100 464 {fqdn}.
+ _kpasswd._udp.{domain}. IN SRV 0 100 464 {fqdn}.
+ _ldap._tcp.{domain}. IN SRV 0 100 389 {fqdn}.
+ """).format(
+ fqdn=bindserver.hostname,
+ domain=bindserver.domain.name,
+ bindserverip=bindserver.ip,
+ zoneupper=bindserver.domain.name.upper()
+ )
+ bindserverdb = "/var/named/{0}.db".format(bindserver.domain.name)
+ bindserver.put_file_contents(bindserverdb, add_records)
+ bindserver.run_command(['systemctl', 'start', 'named'])
+ Firewall(bindserver).enable_services(["dns"])
+ yield
+ named_conf_backup.restore()
+ bindserver.run_command(['rm', '-rf', bindserverdb])
+
+ def test_client_nsupdate(self, setup_bindserver):
+ """Test secure nsupdate failed, then try unsecure nsupdate..
+
+ Test to verify when bind is configured with dynamic update policy,
+ and during client-install 'nsupdate -g' fails then it should run with
+ second call using unauthenticated nsupdate.
+
+ Related : https://pagure.io/freeipa/issue/8402
+ """
+ # with pre-configured bind server, install ipa-server without dns.
+ tasks.install_master(self.master, setup_dns=False)
+ self.client.resolver.backup()
+ self.client.resolver.setup_resolver(
+ self.master.ip, self.master.domain.name)
+ try:
+ self.client.run_command(['ipa-client-install', '-U',
+ '--domain', self.client.domain.name,
+ '--realm', self.client.domain.realm,
+ '-p', self.client.config.admin_name,
+ '-w', self.client.config.admin_password,
+ '--server', self.master.hostname])
+ # call unauthenticated nsupdate if GSS-TSIG nsupdate failed.
+ str1 = "nsupdate (GSS-TSIG) failed"
+ str2 = "'/usr/bin/nsupdate', '/etc/ipa/.dns_update.txt'"
+ client_log = self.client.get_file_contents(
+ paths.IPACLIENT_INSTALL_LOG, encoding='utf-8'
+ )
+ assert str1 in client_log and str2 in client_log
+ dig_after = self.client.run_command(
+ ['dig', '@{0}'.format(self.master.ip), self.client.hostname,
+ '-t', 'SSHFP'])
+ assert "ANSWER: 0" not in dig_after.stdout_text.strip()
+ finally:
+ self.client.resolver.restore()
--
2.31.1

88
SOURCES/0045-ipatests-Fix-TestAJPSecretUpgrade-tests-on-systems-w.patch
View File

@ -1,88 +0,0 @@
From c9bc471e063f2865d6423e4f1c9b81e73a45e43f Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Wed, 4 Aug 2021 18:38:16 +0300
Subject: [PATCH] ipatests: Fix TestAJPSecretUpgrade tests on systems without
pkiuser
Tests in `test_ipaserver.test_secure_ajp_connector' assume that there
is pkiuser in OS, but this is not always true (for example, in systems
having minimum installed dependencies, in particular, without pki-server
RPM package). Since the tests already use the mock and pkiuser entity is
not the subject of testing the pwd.getpwnam has been mocked.
Fixes: https://pagure.io/freeipa/issue/8942
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../test_secure_ajp_connector.py | 40 ++++++++++++++++---
1 file changed, 34 insertions(+), 6 deletions(-)
diff --git a/ipatests/test_ipaserver/test_secure_ajp_connector.py b/ipatests/test_ipaserver/test_secure_ajp_connector.py
index 2719dbc48..35ef7407a 100644
--- a/ipatests/test_ipaserver/test_secure_ajp_connector.py
+++ b/ipatests/test_ipaserver/test_secure_ajp_connector.py
@@ -1,5 +1,6 @@
# Copyright (C) 2021 FreeIPA Project Contributors - see LICENSE file
+from collections import namedtuple
from io import BytesIO
from lxml.etree import parse as myparse # pylint: disable=no-name-in-module
import pytest
@@ -32,6 +33,32 @@ def mock_etree_parse(data):
return myparse(f)
+def mock_pkiuser_entity():
+ """Return struct_passwd for mocked pkiuser"""
+ StructPasswd = namedtuple(
+ "StructPasswd",
+ [
+ "pw_name",
+ "pw_passwd",
+ "pw_uid",
+ "pw_gid",
+ "pw_gecos",
+ "pw_dir",
+ "pw_shell",
+ ]
+ )
+ pkiuser_entity = StructPasswd(
+ constants.PKI_USER,
+ pw_passwd="x",
+ pw_uid=-1,
+ pw_gid=-1,
+ pw_gecos="",
+ pw_dir="/dev/null",
+ pw_shell="/sbin/nologin",
+ )
+ return pkiuser_entity
+
+
# Format of test_data is:
# (
# is_newer_tomcat (boolean),
@@ -148,14 +175,15 @@ test_data = (
class TestAJPSecretUpgrade:
- @patch('os.chown')
- @patch('lxml.etree.parse')
- @pytest.mark.parametrize('is_newer, data, secret, expect, rewrite',
- test_data)
- def test_connecter(self, mock_parse, mock_chown, is_newer, data, secret,
- expect, rewrite):
+ @patch("ipaplatform.base.constants.pwd.getpwnam")
+ @patch("ipaplatform.base.constants.os.chown")
+ @patch("ipaserver.install.dogtaginstance.lxml.etree.parse")
+ @pytest.mark.parametrize("test_data", test_data)
+ def test_connecter(self, mock_parse, mock_chown, mock_getpwnam, test_data):
+ is_newer, data, secret, expect, rewrite = test_data
mock_chown.return_value = None
mock_parse.return_value = mock_etree_parse(data)
+ mock_getpwnam.return_value = mock_pkiuser_entity()
dogtag = MyDogtagInstance(is_newer)
with patch('ipaserver.install.dogtaginstance.open', mock_open()) \
--
2.31.1

54
SOURCES/0046-ipatests-test_ipahealthcheck-Verify-permissions-for-.patch
View File

@ -1,54 +0,0 @@
From 488ac7e3ba9f36d6b187687d120920d2d80d8b7f Mon Sep 17 00:00:00 2001
From: Michal Polovka <mpolovka@redhat.com>
Date: Tue, 10 Aug 2021 18:11:05 +0200
Subject: [PATCH] ipatests: test_ipahealthcheck: Verify permissions for
/var/log/ files
Test if files in /var/log are being checked with ipahealthcheck.ipa.files source.
Resolves: https://pagure.io/freeipa/issue/8949
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_ipahealthcheck.py | 23 +++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 36fe72be7..089793a2f 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -1227,6 +1227,29 @@ class TestIpaHealthCheck(IntegrationTest):
)
assert msg in cmd.stdout_text
+ def test_ipahealthcheck_verify_perms_for_source_files(self,
+ modify_permissions):
+ """
+ This tests checks if files in /var/log are checked with ipa.files
+ source.
+ The test modifies permissions of ipainstall log file and checks the
+ response from healthcheck.
+
+ https://pagure.io/freeipa/issue/8949
+ """
+ modify_permissions(self.master, path=paths.IPASERVER_INSTALL_LOG,
+ mode="0644")
+ returncode, data = run_healthcheck(
+ self.master, "ipahealthcheck.ipa.files", failures_only=True)
+
+ assert returncode == 1
+ assert len(data) == 1
+ assert data[0]["result"] == "WARNING"
+ assert data[0]["kw"]["path"] == paths.IPASERVER_INSTALL_LOG
+ assert data[0]["kw"]["type"] == "mode"
+ assert data[0]["kw"]["expected"] == "0600"
+
+
@pytest.fixture
def remove_healthcheck(self):
"""
--
2.31.1

127
SOURCES/0047-ipatests-test-to-renew-certs-on-replica-using-ipa-ce.patch
View File

@ -1,127 +0,0 @@
From e0aef5296b66c0b460f7e10993610fe68b312241 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Mon, 19 Apr 2021 12:08:28 +0530
Subject: [PATCH] ipatests: test to renew certs on replica using ipa-cert-fix
This test checks if ipa-cert-fix renews the certs on replica
after cert renewal on master.
related: https://pagure.io/freeipa/issue/7885
ipatests: refactor expire_cert_critical fixture
Defined method to move the date and refactor
expire_cert_critical fixture using it
ipatests: PEP8 fixes
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 74 ++++++++++++++++++-
1 file changed, 70 insertions(+), 4 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index f3cf59afc..a20996737 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -6,6 +6,7 @@
Module provides tests for ipa-cert-fix CLI.
"""
import pytest
+import re
import time
import logging
@@ -74,15 +75,15 @@ def expire_cert_critical():
extra_args=['--no-ntp'])
if setup_kra:
tasks.install_kra(host)
- host.run_command(['systemctl', 'stop', 'chronyd'])
- host.run_command(['date', '-s', '+3Years+1day'])
+
+ # move date to expire certs
+ move_date(host, 'stop', '+3Years+1day')
yield _expire_cert_critical
host = hosts.pop('host')
tasks.uninstall_master(host)
- host.run_command(['date', '-s', '-3Years-1day'])
- host.run_command(['systemctl', 'start', 'chronyd'])
+ move_date(host, 'start', '-3Years-1day')
class TestIpaCertFix(IntegrationTest):
@@ -336,3 +337,68 @@ class TestCertFixKRA(IntegrationTest):
self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
check_status(self.master, 12, "MONITORING")
+
+
+class TestCertFixReplica(IntegrationTest):
+
+ num_replicas = 1
+
+ @classmethod
+ def install(cls, mh):
+ tasks.install_master(
+ mh.master, setup_dns=False, extra_args=['--no-ntp']
+ )
+ tasks.install_replica(
+ mh.master, mh.replicas[0],
+ setup_dns=False, extra_args=['--no-ntp']
+ )
+
+ def test_renew_expired_cert_replica(self):
+ """Test renewal of certificates on replica with ipa-cert-fix
+
+ This is to check that ipa-cert-fix renews the certificates
+ on replica
+
+ related: https://pagure.io/freeipa/issue/7885
+ """
+ move_date(self.master, 'stop', '+3years+1days')
+
+ # wait for cert expiry
+ check_status(self.master, 8, "CA_UNREACHABLE")
+
+ self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
+
+ check_status(self.master, 9, "MONITORING")
+
+ # move system date to expire cert on replica
+ move_date(self.replicas[0], 'stop', '+3years+1days')
+
+ # RA agent cert will be expired and in CA_UNREACHABLE state
+ check_status(self.replicas[0], 1, "CA_UNREACHABLE")
+
+ # renew RA agent cert
+ self.replicas[0].run_command(
+ ['ipa-cert-fix', '-v'], stdin_text='yes\n'
+ )
+
+ # LDAP/HTTP/PKINIT certs will be renewed automaticaly
+ # after moving date on replica. This 3, 1 CA cert,
+ # 1 RA agent cert. Check for total 5 valid certs.
+ check_status(self.replicas[0], 5, "MONITORING")
+
+ # get the req ids of all certs to renew remaining
+ # certs by re-submitting it
+ result = self.replicas[0].run_command(['getcert', 'list'])
+ req_ids = re.findall(r'\d{14}', result.stdout_text)
+
+ # resubmit the certs to renew them
+ for req_id in req_ids:
+ self.replicas[0].run_command(
+ ['getcert', 'resubmit', '-i', req_id]
+ )
+
+ check_status(self.master, 9, "MONITORING")
+
+ # move date back on replica and master
+ move_date(self.replicas[0], 'start', '-3years-1days')
+ move_date(self.master, 'start', '-3years-1days')
--
2.31.1

252
SOURCES/0048-ipatests-wait-while-http-ldap-pkinit-cert-get-renew-.patch
View File

@ -1,252 +0,0 @@
From a620e5e9e152defe144705913521c3cf556faa0e Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Mon, 26 Apr 2021 15:50:20 +0530
Subject: [PATCH] ipatests: wait while http/ldap/pkinit cert get renew on
replica
LDAP/HTTP/PKINIT certificates should be renewd on replica after
moving system date. Test was failing because ipa-cert-fix ran
while these cert was not renewd and it tried to fix it.
This test adds check for replication before calling ipa-cert-fix
on replica.
Fixes: https://pagure.io/freeipa/issue/8815
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 172 +++++++++++++++---
1 file changed, 144 insertions(+), 28 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index a20996737..fa69743e2 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -5,16 +5,19 @@
"""
Module provides tests for ipa-cert-fix CLI.
"""
+from cryptography.hazmat.backends import default_backend
+from cryptography import x509
+from datetime import datetime, date
import pytest
-import re
import time
import logging
from ipaplatform.paths import paths
+from ipapython.ipaldap import realm_to_serverid
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
-
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
logger = logging.getLogger(__name__)
@@ -59,6 +62,49 @@ def move_date(host, chrony_state, date_str):
host.run_command(['date', '-s', date_str])
+def needs_resubmit(host, req_id):
+ """Helper method to identify if cert request needs to be resubmitted
+ :param host: the host
+ :param req_id: request id to perform operation for
+
+ Returns True if resubmit needed else False
+ """
+ # check if cert is in monitoring state
+ tasks.wait_for_certmonger_status(
+ host, ('MONITORING'), req_id, timeout=600
+ )
+
+ # check if cert is valid and not expired
+ cmd = host.run_command(
+ 'getcert list -i {} | grep expires'.format(req_id)
+ )
+ cert_expiry = cmd.stdout_text.split(' ')
+ cert_expiry = datetime.strptime(cert_expiry[1], '%Y-%m-%d').date()
+ if cert_expiry > date.today():
+ return False
+ else:
+ return True
+
+
+def get_cert_expiry(host, nssdb_path, cert_nick):
+ """Method to get cert expiry date of given certificate
+
+ :param host: the host
+ :param nssdb_path: nssdb path of certificate
+ :param cert_nick: certificate nick name for extracting cert from nssdb
+ """
+ # get initial expiry date to compare later with renewed cert
+ host.run_command([
+ 'certutil', '-L', '-a',
+ '-d', nssdb_path,
+ '-n', cert_nick,
+ '-o', '/root/cert.pem'
+ ])
+ data = host.get_file_contents('/root/cert.pem')
+ cert = x509.load_pem_x509_certificate(data, backend=default_backend())
+ return cert.not_valid_after
+
+
@pytest.fixture
def expire_cert_critical():
"""
@@ -353,7 +399,19 @@ class TestCertFixReplica(IntegrationTest):
setup_dns=False, extra_args=['--no-ntp']
)
- def test_renew_expired_cert_replica(self):
+ @pytest.fixture
+ def expire_certs(self):
+ # move system date to expire certs
+ for host in self.master, self.replicas[0]:
+ tasks.move_date(host, 'stop', '+3years+1days')
+
+ yield
+
+ # move date back on replica and master
+ for host in self.master, self.replicas[0]:
+ tasks.move_date(host, 'start', '-3years-1days')
+
+ def test_renew_expired_cert_replica(self, expire_certs):
"""Test renewal of certificates on replica with ipa-cert-fix
This is to check that ipa-cert-fix renews the certificates
@@ -361,8 +419,6 @@ class TestCertFixReplica(IntegrationTest):
related: https://pagure.io/freeipa/issue/7885
"""
- move_date(self.master, 'stop', '+3years+1days')
-
# wait for cert expiry
check_status(self.master, 8, "CA_UNREACHABLE")
@@ -370,35 +426,95 @@ class TestCertFixReplica(IntegrationTest):
check_status(self.master, 9, "MONITORING")
- # move system date to expire cert on replica
- move_date(self.replicas[0], 'stop', '+3years+1days')
-
- # RA agent cert will be expired and in CA_UNREACHABLE state
- check_status(self.replicas[0], 1, "CA_UNREACHABLE")
-
- # renew RA agent cert
- self.replicas[0].run_command(
- ['ipa-cert-fix', '-v'], stdin_text='yes\n'
+ # replica operations
+ # 'Server-Cert cert-pki-ca' cert will be in CA_UNREACHABLE state
+ cmd = self.replicas[0].run_command(
+ ['getcert', 'list',
+ '-d', paths.PKI_TOMCAT_ALIAS_DIR,
+ '-n', 'Server-Cert cert-pki-ca']
+ )
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('CA_UNREACHABLE'), req_id, timeout=600
+ )
+ # get initial expiry date to compare later with renewed cert
+ initial_expiry = get_cert_expiry(
+ self.replicas[0],
+ paths.PKI_TOMCAT_ALIAS_DIR,
+ 'Server-Cert cert-pki-ca'
)
- # LDAP/HTTP/PKINIT certs will be renewed automaticaly
- # after moving date on replica. This 3, 1 CA cert,
- # 1 RA agent cert. Check for total 5 valid certs.
- check_status(self.replicas[0], 5, "MONITORING")
+ # check that HTTP,LDAP,PKINIT are renewed and in MONITORING state
+ instance = realm_to_serverid(self.master.domain.realm)
+ dirsrv_cert = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
+ for cert in (paths.KDC_CERT, paths.HTTPD_CERT_FILE):
+ cmd = self.replicas[0].run_command(
+ ['getcert', 'list', '-f', cert]
+ )
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
+ )
- # get the req ids of all certs to renew remaining
- # certs by re-submitting it
- result = self.replicas[0].run_command(['getcert', 'list'])
- req_ids = re.findall(r'\d{14}', result.stdout_text)
+ cmd = self.replicas[0].run_command(
+ ['getcert', 'list', '-d', dirsrv_cert]
+ )
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
+ )
- # resubmit the certs to renew them
- for req_id in req_ids:
+ # check if replication working fine
+ testuser = 'testuser1'
+ password = 'Secret@123'
+ stdin = (f"{self.master.config.admin_password}\n"
+ f"{self.master.config.admin_password}\n"
+ f"{self.master.config.admin_password}\n")
+ self.master.run_command(['kinit', 'admin'], stdin_text=stdin)
+ tasks.user_add(self.master, testuser, password=password)
+ self.replicas[0].run_command(['kinit', 'admin'], stdin_text=stdin)
+ self.replicas[0].run_command(['ipa', 'user-show', testuser])
+
+ # renew shared certificates by resubmitting to certmonger
+ cmd = self.replicas[0].run_command(
+ ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
+ )
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
+ if needs_resubmit(self.replicas[0], req_id):
self.replicas[0].run_command(
['getcert', 'resubmit', '-i', req_id]
)
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
+ )
+ for cert_nick in ('auditSigningCert cert-pki-ca',
+ 'ocspSigningCert cert-pki-ca',
+ 'subsystemCert cert-pki-ca'):
+ cmd = self.replicas[0].run_command(
+ ['getcert', 'list',
+ '-d', paths.PKI_TOMCAT_ALIAS_DIR,
+ '-n', cert_nick]
+ )
+ req_id = get_certmonger_fs_id(cmd.stdout_text)
+ if needs_resubmit(self.replicas[0], req_id):
+ self.replicas[0].run_command(
+ ['getcert', 'resubmit', '-i', req_id]
+ )
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
+ )
- check_status(self.master, 9, "MONITORING")
+ self.replicas[0].run_command(
+ ['ipa-cert-fix', '-v'], stdin_text='yes\n'
+ )
- # move date back on replica and master
- move_date(self.replicas[0], 'start', '-3years-1days')
- move_date(self.master, 'start', '-3years-1days')
+ check_status(self.replicas[0], 9, "MONITORING")
+
+ # Sometimes certmonger takes time to update the cert status
+ # So check in nssdb instead of relying on getcert command
+ renewed_expiry = get_cert_expiry(
+ self.replicas[0],
+ paths.PKI_TOMCAT_ALIAS_DIR,
+ 'Server-Cert cert-pki-ca'
+ )
+ assert renewed_expiry > initial_expiry
--
2.31.1

73
SOURCES/0049-ipatests-refactor-test_ipa_cert_fix-with-tasks.patch
View File

@ -1,73 +0,0 @@
From 4a3a15f45aad016730252c09e3e173a18184603e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Wed, 21 Jul 2021 14:29:31 +0200
Subject: [PATCH] ipatests: refactor test_ipa_cert_fix with tasks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://pagure.io/freeipa/issue/8932
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_ipa_cert_fix.py | 18 ++++--------------
1 file changed, 4 insertions(+), 14 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index fa69743e2..39904d5de 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -52,16 +52,6 @@ def check_status(host, cert_count, state, timeout=600):
return count
-def move_date(host, chrony_state, date_str):
- """Helper method to move the date on given host
- :param host: The host on which date is to be moved
- :param chrony_state: State to which chrony service to be moved
- :param date_str: date string to move the date i.e 2years1month1days
- """
- host.run_command(['systemctl', chrony_state, 'chronyd'])
- host.run_command(['date', '-s', date_str])
-
-
def needs_resubmit(host, req_id):
"""Helper method to identify if cert request needs to be resubmitted
:param host: the host
@@ -123,13 +113,13 @@ def expire_cert_critical():
tasks.install_kra(host)
# move date to expire certs
- move_date(host, 'stop', '+3Years+1day')
+ tasks.move_date(host, 'stop', '+3Years+1day')
yield _expire_cert_critical
host = hosts.pop('host')
tasks.uninstall_master(host)
- move_date(host, 'start', '-3Years-1day')
+ tasks.move_date(host, 'start', '-3Years-1day')
class TestIpaCertFix(IntegrationTest):
@@ -143,12 +133,12 @@ class TestIpaCertFix(IntegrationTest):
def expire_ca_cert(self):
tasks.install_master(self.master, setup_dns=False,
extra_args=['--no-ntp'])
- move_date(self.master, 'stop', '+20Years+1day')
+ tasks.move_date(self.master, 'stop', '+20Years+1day')
yield
tasks.uninstall_master(self.master)
- move_date(self.master, 'start', '-20Years-1day')
+ tasks.move_date(self.master, 'start', '-20Years-1day')
def test_missing_csr(self, expire_cert_critical):
"""
--
2.31.1

65
SOURCES/0050-ipatests-use-whole-date-for-journalctl-since.patch
View File

@ -1,65 +0,0 @@
From b5036b5ce9ae4fab011e57fe2b37a35fdd098a70 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 19 Aug 2021 10:51:01 +0200
Subject: [PATCH] ipatests: use whole date for journalctl --since
When a test is executed around midnight and is checking the
journal content with --since=date, it needs to specify the
whole date (with day and time) to avoid missing entries.
If for instance --since=23:59:00 is used and the current time is
now 00:01:00, --since=23:59:00 would refer to a date in the
future and no journal entry will be found.
Fixes: https://pagure.io/freeipa/issue/8953
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Francois Cami <fcami@redhat.com>
---
ipatests/test_integration/test_cert.py | 2 +-
ipatests/test_integration/test_commands.py | 3 ++-
ipatests/test_integration/test_nfs.py | 2 +-
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 9a90db5e2..7d51b76ee 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -69,7 +69,7 @@ class TestInstallMasterClient(IntegrationTest):
# time to look into journal logs in
# test_certmonger_ipa_responder_jsonrpc
- cls.since = time.strftime('%H:%M:%S')
+ cls.since = time.strftime('%Y-%m-%d %H:%M:%S')
def test_cacert_file_appear_with_option_F(self):
"""Test if getcert creates cacert file with -F option
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 4d9a81652..fd5d1b472 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1208,7 +1208,8 @@ class TestIPACommand(IntegrationTest):
# start to look at logs a bit before "now"
# https://pagure.io/freeipa/issue/8432
since = time.strftime(
- '%H:%M:%S', (datetime.now() - timedelta(seconds=10)).timetuple()
+ '%Y-%m-%d %H:%M:%S',
+ (datetime.now() - timedelta(seconds=10)).timetuple()
)
password = 'WrongPassword'
diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py
index 9a6153409..dc53a6da9 100644
--- a/ipatests/test_integration/test_nfs.py
+++ b/ipatests/test_integration/test_nfs.py
@@ -130,7 +130,7 @@ class TestNFS(IntegrationTest):
nfsclt = self.clients[1]
# for journalctl --since
- since = time.strftime('%H:%M:%S')
+ since = time.strftime('%Y-%m-%d %H:%M:%S')
nfsclt.run_command(["systemctl", "restart", "rpc-gssd"])
time.sleep(WAIT_AFTER_INSTALL)
mountpoints = ("/mnt/krb", "/mnt/std", "/home")
--
2.31.1

41
SOURCES/0051-selinux-policy-allow-custodia-to-access-proc-cpuinfo.patch
View File

@ -1,41 +0,0 @@
From 07e2bf732f54f936cccc4e0c7b468d77f97e911a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 30 Aug 2021 18:40:24 +0200
Subject: [PATCH] selinux policy: allow custodia to access /proc/cpuinfo
On aarch64, custodia creates AVC when accessing /proc/cpuinfo.
According to gcrypt manual
(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html),
/proc/cpuinfo is used on ARM architecture to read the hardware
capabilities of the CPU. This explains why the issue happens only
on aarch64.
audit2allow suggests to add the following:
allow ipa_custodia_t proc_t:file { getattr open read };
but this policy would be too broad. Instead, the patch is using
the interface kernel_read_system_state.
Fixes: https://pagure.io/freeipa/issue/8972
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
selinux/ipa.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 68e10941951ac391fda7854d1403558c069dad46..7492fca04d4f0d031ecd83871078247d73cc87e0 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -364,6 +364,7 @@ files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
kernel_dgram_send(ipa_custodia_t)
kernel_read_network_state(ipa_custodia_t)
+kernel_read_system_state(ipa_custodia_t)
auth_read_passwd(ipa_custodia_t)
--
2.31.1

46
SOURCES/0052-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ.patch
View File

@ -1,46 +0,0 @@
From 4fca95751ca32a1ed16a6d8a4e557c5799ec5c78 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 25 Aug 2021 17:10:29 +0200
Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ
If a client sends a request to lookup an object from a given trusted
domain by UID or GID and an object with matching ID is only found in a
different domain the extdom should return LDAP_NO_SUCH_OBJECT to
indicate to the client that the requested ID does not exists in the
given domain.
Resolves: https://pagure.io/freeipa/issue/8965
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../ipa-extdom-extop/ipa_extdom_common.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 5d97ff6137d9d660f6121f468261c6878a9aa12a..6f646b9f49ef31e1872e87640c524db972e53b6d 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0';
} else {
- ret = LDAP_INVALID_SYNTAX;
+ /* The found object is from a different domain than requested,
+ * that means it does not exist in the requested domain */
+ ret = LDAP_NO_SUCH_OBJECT;
goto done;
}
}
@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type,
if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0';
} else {
- ret = LDAP_INVALID_SYNTAX;
+ /* The found object is from a different domain than requested,
+ * that means it does not exist in the requested domain */
+ ret = LDAP_NO_SUCH_OBJECT;
goto done;
}
}
--
2.31.1

35
SOURCES/0053-subid-subid-match-display-the-owner-s-ID-not-DN.patch
View File

@ -1,35 +0,0 @@
From 4785a90946ec694ccc082f062b2181b23c7099e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 2 Sep 2021 16:17:01 +0200
Subject: [PATCH] subid: subid-match: display the owner's ID not DN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Previously, the subid-match command would output the full
DN of the owner of the matched range.
With this change, the UID of the owner is displayed, just like
for other subid- commands.
Fixes: https://github.com/freeipa/freeipa/pull/6001
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/plugins/subid.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipaserver/plugins/subid.py b/ipaserver/plugins/subid.py
index 440f24ee627f0736100f63026158c564b04520c2..132c85c7f198217ba70f2332306ee2550be86035 100644
--- a/ipaserver/plugins/subid.py
+++ b/ipaserver/plugins/subid.py
@@ -524,6 +524,7 @@ class subid_match(subid_find):
osubuid = options["ipasubuidnumber"]
new_entries = []
for entry in entries:
+ self.obj.convert_owner(entry, options)
esubuid = int(entry.single_value["ipasubuidnumber"])
esubcount = int(entry.single_value["ipasubuidcount"])
minsubuid = esubuid
--
2.31.1

37
SOURCES/0054-migrate-ds-workaround-to-detect-compat-tree.patch
View File

@ -1,37 +0,0 @@
From 3c4f9e7347965ff9a887147df34e720224ffa7cc Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 7 Sep 2021 17:06:53 +0200
Subject: [PATCH] migrate-ds: workaround to detect compat tree
Migrate-ds needs to check if compat tree is enabled before
migrating users and groups. The check is doing a base
search on cn=compat,$SUFFIX and considers the compat tree
enabled when the entry exists.
Due to a bug in slapi-nis, the base search may return NotFound
even though the compat tree is enabled. The workaround is to
perform a base search on cn=users,cn=compat,$SUFFIX instead.
Fixes: https://pagure.io/freeipa/issue/8984
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/migration.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
index db5241915497b14a12ed2c33003e1c4fc1a5369f..6ee205fc836a463ac250baa6131e43acb0c00efa 100644
--- a/ipaserver/plugins/migration.py
+++ b/ipaserver/plugins/migration.py
@@ -922,7 +922,8 @@ migration process might be incomplete\n''')
# check whether the compat plugin is enabled
if not options.get('compat'):
try:
- ldap.get_entry(DN(('cn', 'compat'), (api.env.basedn)))
+ ldap.get_entry(DN(('cn', 'users'), ('cn', 'compat'),
+ (api.env.basedn)))
return dict(result={}, failed={}, enabled=True, compat=False)
except errors.NotFound:
pass
--
2.31.1

60
SOURCES/0055-Don-t-store-entries-with-a-usercertificate-in-the-LD.patch
View File

@ -1,60 +0,0 @@
From be1e3bbfc13aff9a583108376f245b81cc3666fb Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 9 Sep 2021 15:26:55 -0400
Subject: [PATCH] Don't store entries with a usercertificate in the LDAP cache
usercertificate often has a subclass and both the plain and
subclassed (binary) values are queried. I'm concerned that
they are used more or less interchangably in places so not
caching these entries is the safest path forward for now until
we can dedicate the time to find all usages, determine their
safety and/or perhaps handle this gracefully within the cache
now.
What we see in this bug is that usercertificate;binary holds the
first certificate value but a user-mod is done with
setattr usercertificate=<new_cert>. Since there is no
usercertificate value (remember, it's usercertificate;binary)
a replace is done and 389-ds wipes the existing value as we've
asked it to.
I'm not comfortable with simply treating them the same because
in LDAP they are not.
https://pagure.io/freeipa/issue/8986
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
---
ipapython/ipaldap.py | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index f94b784d680f33d026e4d56ec8627d4d2ab87931..ced8f1bd66dc8f1f5c206677d2725d1e72b489f9 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -1821,9 +1821,17 @@ class LDAPCache(LDAPClient):
entry=None, exception=None):
# idnsname - caching prevents delete when mod value to None
# cospriority - in a Class of Service object, uncacheable
- # TODO - usercertificate was banned at one point and I don't remember
- # why...
- BANNED_ATTRS = {'idnsname', 'cospriority'}
+ # usercertificate* - caching subtypes is tricky, trade less
+ # complexity for performance
+ #
+ # TODO: teach the cache about subtypes
+
+ BANNED_ATTRS = {
+ 'idnsname',
+ 'cospriority',
+ 'usercertificate',
+ 'usercertificate;binary'
+ }
if not self._enable_cache:
return
--
2.31.1

68
SOURCES/0056-ipatests-Test-that-a-user-can-be-issued-multiple-cer.patch
View File

@ -1,68 +0,0 @@
From 86588640137562b2016fdb0f91142d00bc38e54a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 10 Sep 2021 09:01:48 -0400
Subject: [PATCH] ipatests: Test that a user can be issued multiple
certificates
Prevent regressions in the LDAP cache layer that caused newly
issued certificates to overwrite existing ones.
https://pagure.io/freeipa/issue/8986
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
---
ipatests/test_integration/test_cert.py | 29 ++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 7d51b76ee347237450b7484cf48c2e6a1bed7f7d..b4e85eadcf41212fdd16f0f3aa130a916b5019fa 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -16,6 +16,7 @@ import string
import time
from ipaplatform.paths import paths
+from ipapython.dn import DN
from cryptography import x509
from cryptography.x509.oid import ExtensionOID
from cryptography.hazmat.backends import default_backend
@@ -183,6 +184,34 @@ class TestInstallMasterClient(IntegrationTest):
)
assert "profile: caServerCert" in result.stdout_text
+ def test_multiple_user_certificates(self):
+ """Test that a user may be issued multiple certificates"""
+ ldap = self.master.ldap_connect()
+
+ user = 'user1'
+
+ tasks.kinit_admin(self.master)
+ tasks.user_add(self.master, user)
+
+ for id in (0,1):
+ csr_file = f'{id}.csr'
+ key_file = f'{id}.key'
+ cert_file = f'{id}.crt'
+ openssl_cmd = [
+ 'openssl', 'req', '-newkey', 'rsa:2048', '-keyout', key_file,
+ '-nodes', '-out', csr_file, '-subj', '/CN=' + user]
+ self.master.run_command(openssl_cmd)
+
+ cmd_args = ['ipa', 'cert-request', '--principal', user,
+ '--certificate-out', cert_file, csr_file]
+ self.master.run_command(cmd_args)
+
+ # easier to count by pulling the LDAP entry
+ entry = ldap.get_entry(DN(('uid', user), ('cn', 'users'),
+ ('cn', 'accounts'), self.master.domain.basedn))
+
+ assert len(entry.get('usercertificate')) == 2
+
@pytest.fixture
def test_subca_certs(self):
"""
--
2.31.1

56
SOURCES/0057-Parse-getStatus-as-JSON-not-XML.patch
View File

@ -1,56 +0,0 @@
From 7fb95cc638b1c9b7f2e9a67dba859ef8126f2c5f Mon Sep 17 00:00:00 2001
From: Chris Kelley <ckelley@redhat.com>
Date: Tue, 27 Jul 2021 21:57:26 +0100
Subject: [PATCH] Parse getStatus as JSON not XML
On dogtagpki/pki master XML is being replaced by JSON, getStatus will
return JSON in PKI 11.0+
The PR for dogtagpki/pki that makes this change necessary is:
https://github.com/dogtagpki/pki/pull/3674
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
install/tools/ipa-pki-wait-running.in | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in
index 4f0f2f34a7b0a43210676e7fd50e7029e798f301..9ca6e974e55a4d68afd06e1d9c7b67c5f926e48c 100644
--- a/install/tools/ipa-pki-wait-running.in
+++ b/install/tools/ipa-pki-wait-running.in
@@ -13,6 +13,7 @@ import logging
import sys
import time
from xml.etree import ElementTree
+import json
from ipalib import api
from ipaplatform.paths import paths
@@ -74,10 +75,19 @@ def get_status(conn, timeout):
"""
client = SystemStatusClient(conn)
response = client.get_status(timeout=timeout)
- root = ElementTree.fromstring(response)
- status = root.findtext("Status")
- error = root.findtext("Error")
- logging.debug("Got status '%s', error '%s'", status, error)
+ status = None
+ error = None
+ try:
+ json_response = json.loads(response)
+ status = json_response['Response']['Status']
+ except KeyError as e:
+ error = repr(e)
+ except json.JSONDecodeError:
+ logger.debug("Response is not valid JSON, try XML")
+ root = ElementTree.fromstring(response)
+ status = root.findtext("Status")
+ error = root.findtext("Error")
+ logger.debug("Got status '%s', error '%s'", status, error)
return status, error
--
2.31.1

79
SOURCES/0058-Parse-cert-chain-as-JSON-not-XML.patch
View File

@ -1,79 +0,0 @@
From 40f76a53f78267b4d2b890defa3e4f7d27fdfb7a Mon Sep 17 00:00:00 2001
From: Chris Kelley <ckelley@redhat.com>
Date: Thu, 5 Aug 2021 12:00:15 +0100
Subject: [PATCH] Parse cert chain as JSON not XML
On dogtagpki/pki master XML is being replaced by JSON in PKI 11.0+
The PR for dogtagpki/pki that makes this change necessary is:
https://github.com/dogtagpki/pki/pull/3677
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipapython/dogtag.py | 28 +++++++++++++++++++---------
1 file changed, 19 insertions(+), 9 deletions(-)
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 0503938fb9783d397cc7366339bb9fab48033985..8f0f0473ae313edb17e10de8b2ca7f43f231e706 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -20,6 +20,7 @@
import collections
import gzip
import io
+import json
import logging
from urllib.parse import urlencode
import xml.dom.minidom
@@ -100,6 +101,10 @@ def get_ca_certchain(ca_host=None):
data = res.read()
conn.close()
try:
+ doc = json.loads(data)
+ chain = doc['Response']['ChainBase64']
+ except (json.JSONDecodeError, KeyError):
+ logger.debug("Response is not valid JSON, try XML")
doc = xml.dom.minidom.parseString(data)
try:
item_node = doc.getElementsByTagName("ChainBase64")
@@ -107,9 +112,9 @@ def get_ca_certchain(ca_host=None):
except IndexError:
raise error_from_xml(
doc, _("Retrieving CA cert chain failed: %s"))
- finally:
- if doc:
- doc.unlink()
+ finally:
+ if doc:
+ doc.unlink()
else:
raise errors.RemoteRetrieveError(
reason=_("request failed with HTTP status %d") % res.status)
@@ -118,13 +123,18 @@ def get_ca_certchain(ca_host=None):
def _parse_ca_status(body):
- doc = xml.dom.minidom.parseString(body)
try:
- item_node = doc.getElementsByTagName("XMLResponse")[0]
- item_node = item_node.getElementsByTagName("Status")[0]
- return item_node.childNodes[0].data
- except IndexError:
- raise error_from_xml(doc, _("Retrieving CA status failed: %s"))
+ doc = json.loads(body)
+ return doc['Response']['Status']
+ except (json.JSONDecodeError, KeyError):
+ logger.debug("Response is not valid JSON, try XML")
+ doc = xml.dom.minidom.parseString(body)
+ try:
+ item_node = doc.getElementsByTagName("XMLResponse")[0]
+ item_node = item_node.getElementsByTagName("Status")[0]
+ return item_node.childNodes[0].data
+ except IndexError:
+ raise error_from_xml(doc, _("Retrieving CA status failed: %s"))
def ca_status(ca_host=None):
--
2.31.1

84
SOURCES/0059-Specify-PKI-installation-log-paths.patch
View File

@ -1,84 +0,0 @@
From 5abf1bc79f8b32c6638ff98fbe2e4a8dec9a5010 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 12 Aug 2021 13:26:42 -0500
Subject: [PATCH] Specify PKI installation log paths
The DogtagInstance.spawn_instance() and uninstall() have
been modified to specify the paths of PKI installation
logs using --log-file option on PKI 11.0.0 or later.
This allows IPA to have a full control over the log files
instead of relying on PKI's default log files.
Fixes: https://pagure.io/freeipa/issue/8966
Signed-off-by: Endi Sukma Dewata <edewata@redhat.com>
---
ipaserver/install/dogtaginstance.py | 35 ++++++++++++++++++++++++++---
1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 644acd4eacea22f41a7cd36b54553d6d7cd22690..0d9aebb542f242b81315edd016699697f2fc4091 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -36,8 +36,10 @@ from configparser import DEFAULTSECT, ConfigParser, RawConfigParser
import six
+import pki
from pki.client import PKIConnection
import pki.system
+import pki.util
from ipalib import api, errors, x509
from ipalib.install import certmonger
@@ -202,6 +204,18 @@ class DogtagInstance(service.Service):
"-f", cfg_file,
"--debug"]
+ # specify --log-file <path> on PKI 11.0.0 or later
+
+ pki_version = pki.util.Version(pki.specification_version())
+ if pki_version >= pki.util.Version("11.0.0"):
+ timestamp = time.strftime(
+ "%Y%m%d%H%M%S",
+ time.localtime(time.time()))
+ log_file = os.path.join(
+ paths.VAR_LOG_PKI_DIR,
+ "pki-%s-spawn.%s.log" % (self.subsystem.lower(), timestamp))
+ args.extend(["--log-file", log_file])
+
with open(cfg_file) as f:
logger.debug(
'Contents of pkispawn configuration file (%s):\n%s',
@@ -290,10 +304,25 @@ class DogtagInstance(service.Service):
if self.is_installed():
self.print_msg("Unconfiguring %s" % self.subsystem)
+ args = [paths.PKIDESTROY,
+ "-i", "pki-tomcat",
+ "-s", self.subsystem]
+
+ # specify --log-file <path> on PKI 11.0.0 or later
+
+ pki_version = pki.util.Version(pki.specification_version())
+ if pki_version >= pki.util.Version("11.0.0"):
+ timestamp = time.strftime(
+ "%Y%m%d%H%M%S",
+ time.localtime(time.time()))
+ log_file = os.path.join(
+ paths.VAR_LOG_PKI_DIR,
+ "pki-%s-destroy.%s.log" % (self.subsystem.lower(), timestamp))
+ args.extend(["--log-file", log_file])
+
try:
- ipautil.run([paths.PKIDESTROY,
- "-i", 'pki-tomcat',
- "-s", self.subsystem])
+ ipautil.run(args)
+
except ipautil.CalledProcessError as e:
logger.critical("failed to uninstall %s instance %s",
self.subsystem, e)
--
2.31.1

33
SOURCES/0060-Make-Dogtag-return-XML-for-ipa-cert-find.patch
View File

@ -1,33 +0,0 @@
From d43b513927d6dd0a12464dd24287ce40ccaf33e4 Mon Sep 17 00:00:00 2001
From: Chris Kelley <ckelley@redhat.com>
Date: Fri, 10 Sep 2021 16:47:22 +0100
Subject: [PATCH] Make Dogtag return XML for ipa cert-find
Using JSON by default within Dogtag appears to cause ipa cert-find to
return JSON, when the request was made with XML. We can request that XML
is returned as before by specifying so in the request header.
Fixes: https://pagure.io/freeipa/issue/8980
Signed-off-by: Chris Kelley <ckelley@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
---
ipaserver/plugins/dogtag.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index be2e4bb4e2a1b96c1bff6056da30c704c36789f3..b4feddfac19a4c5659d29bf7b6f5fd9b1247524c 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1832,7 +1832,8 @@ class ra(rabase.rabase, RestClient):
method='POST',
headers={'Accept-Encoding': 'gzip, deflate',
'User-Agent': 'IPA',
- 'Content-Type': 'application/xml'},
+ 'Content-Type': 'application/xml',
+ 'Accept': 'application/xml'},
body=payload
)
--
2.31.1

16
SOURCES/freeipa-4.9.6.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmDbPRQACgkQRxniuKu/
Yhr7uBAAnpF70nH8Cn/HhKKpfafPoN3B9fDNIfAa+jsJ52OyeNMKVNi4MEob32iN
1aMGGFCJUMle/M7v1+w8WH59eiHs1jKHcFZnl2R4Ap5SxVtypYT+ewXbNnSHII2w
qWS5PvLkJwjh6Bw/HlyBwDRSrw9Yah4oZZbJt3zE06+Imr8BpB3IWqyhuAi7FjYO
J9hHCwCvtJvWK4yplZSXCt8OS1JA68/Djgjecm5lUSamuqKaBVhDb+ZAPLDJpBf5
Pz2JpUF/W/rplt+Q9wAFdhDB9iC0vd3MBkgs4KPsjuyS9+GGNu8LyXs0C1Wm/VgX
liX2pjZmpnTrhH3QQ2nufwH784ZpinXxS2fcbvCfX1Utgr77wNHjwqDt2NBffJl1
BM7JJr1ZwGOGSki6yjRDXbeSAsiEX9l7f2mv2t/8ZjHMRJ7mJmBbmh5Qhk5qsMou
BptNDE20cG77xcjBtTCDpii/UatETuNAyMd/l2smfe76z8y61fQrvScxRwOCHckw
u/ERChpBZOUlQt59Efj3ja313oXZMxXRw01n/72Hh5rnk+XZf75zQ1zUDBYnwzAr
4cdqyrfpFkQu1sRQvgjT8ZLkP8istjRdVEI/Oj61zb5+6+scQ/Zh/R/mYGCV4/h+
RzojBwUAXuwUMrj1jTbb5Lkz58+vY3Lk4xNOY2hSAc8rCcDVRZY=
=TQFs
-----END PGP SIGNATURE-----

16
SOURCES/freeipa-4.9.8.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmGf1XcACgkQaYdvcqbi
00/kMQ//Vano94V0/L3YsLaqKiFcGo/py5pTq1Os3wB9zzCYSuU0P/eajuHLBYNe
MfxecZihFFlmUdNooNWbewT4CE0ey1qFLwPfGXuLrse6fXVLLaYnAv2mkPUmDSpM
XfXO0PFU0BtdkMAUsdUATngPCpQzYjVUKsAMwPovi3UcLzFZ8tWJKMA55urhwC4q
E042wPLqzcX6Ee5JBSBkfNe35vG2LY7o3Ynh8SVCee2lBJvdWiuFT5XRhybXUsOp
q3eTsVPz68p7CvOrjlLSsWPP0nbGF1O1UQsN+oaDZAav1Nx8lTOlxUCUQXWbs2X6
BTUAOmZ6VjYu61sNgNSj+BSHlHIT3uRJ55JO5nLH/hLm0Oxn6SGRTVMueqV376QA
CsIk7UrdcX9QUtu70eRxuu1aAWJ5eaF4GDWnFP+62wzd/d6LjWEE+9kXgvrcTF0C
UzjWrmbI8x23bB4kqcROHz8lryMsBpZ94QKPHVppMiPgapDKRkculYkSeRLboADi
q4mh2prkDSq9diWV4HvZTGwPU77oiLrQsvbGuvwD62PAlyQ4rZpfW3FllTL2Lcxy
urA8a9UnQWQtDOsZIyxmMJ7R04gjI5fZfDhq6S09L9MfjFEKjsqO4FzXamj+SbAo
w25sIp1qT0sV1vOt+/R/HYSIyggQyTZpQJu5UB34QLqpfDdUwFg=
=t9up
-----END PGP SIGNATURE-----

102
SPECS/freeipa.spec
View File

@ -1,3 +1,5 @@
%define ipa_requires_gt() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} >= %%{epoch}:%%{version}-%%{release}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
# ipatests enabled by default, can be disabled with --without ipatests
%bcond_without ipatests
# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml
@ -69,7 +71,7 @@
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.19
# Require 4.7.0 which brings Python 3 bindings
%global samba_version 4.12.3-12
%global samba_version 4.15.2-2
%global selinux_policy_version 3.14.3-52
%global slapi_nis_version 0.56.4
%global python_ldap_version 3.1.0-1
@ -111,7 +113,7 @@
%if 0%{?fedora} < 34
%global ds_version 1.4.4.16-1
%else
%global ds_version 2.0.5-1
%global ds_version 2.0.7-1
%endif
# Fix for TLS 1.3 PHA, RHBZ#1775146
@ -183,7 +185,7 @@
# Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.9.6
%define IPA_VERSION 4.9.8
# Release candidate version -- uncomment with one percent for RC versions
#%%global rc_version %%nil
%define AT_SIGN @
@ -196,7 +198,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 9%{?rc_version:.%rc_version}%{?dist}
Release: 1%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -216,66 +218,8 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
# RHEL spec file only: START
%if %{NON_DEVELOPER_BUILD}
%if 0%{?rhel} >= 8
Patch0001: 0001-Remove-unneeded-dependency-on-python-coverage.patch
Patch0002: 0002-Add-checks-to-prevent-adding-auth-indicators-to-inte.patch
Patch0003: 0003-ipatests-ensure-auth-indicators-can-t-be-added-to-in.patch
Patch0004: 0004-stageuser-add-ipauserauthtypeclass-when-required.patch
Patch0005: 0005-XMLRPC-test-add-a-test-for-stageuser-add-user-auth-t.patch
Patch0006: 0006-augeas-bump-version-for-rhel9.patch
Patch0007: 0007-man-page-update-ipa-server-upgrade.1.patch
Patch0008: 0008-Add-basic-support-for-subordinate-user-group-ids.patch
Patch0009: 0009-Redesign-subid-feature.patch
Patch0010: 0010-Use-389-DS-dnaInterval-setting-to-assign-intervals.patch
Patch0011: 0011-Fix-ipa-server-upgrade.patch
Patch0012: 0012-Fix-oid-of-ipaUserDefaultSubordinateId.patch
Patch0013: 0013-WebUI-Improve-subordinate-ids-user-workflow.patch
Patch0014: 0014-Test-DNA-plugin-configuration.patch
Patch0015: 0015-Fall-back-to-krbprincipalname-when-validating-host-a.patch
Patch0016: 0016-spec-file-Trust-controller-role-should-pull-sssd-win.patch
Patch0017: 0017-Use-new-method-in-check-to-prevent-removal-of-last-K.patch
Patch0018: 0018-ipatests-test-removing-last-KRA-when-it-is-not-runni.patch
Patch0019: 0019-rhel-platform-add-a-named-crypto-policy-support.patch
Patch0020: 0020-Index-Fix-definition-for-memberOf.patch
Patch0021: 0021-ipatests-use-whole-date-when-calling-journalctl-sinc.patch
Patch0022: 0022-ipatests-Fix-for-test_source_ipahealthcheck_ipa_host.patch
Patch0023: 0023-ipatests-test_ipahealthcheck-print-a-message-if-a-sy.patch
Patch0024: 0024-ipatests-test_installation-move-tracking_reqs-depend.patch
Patch0025: 0025-webui-tests-close-notification-when-revoking-cert.patch
Patch0026: 0026-ipatests-Test-ipa-cert-fix-warns-when-startup-direct.patch
Patch0027: 0027-webui-tests-fix-algo-for-finding-available-idrange.patch
Patch0028: 0028-ipatests-smbclient-k-use-kerberos-desired.patch
Patch0029: 0029-test_acme-refactor-with-tasks.patch
Patch0030: 0030-test_acme-make-password-renewal-more-robust.patch
Patch0031: 0031-tasks.py-fix-flake8-reported-issues.patch
Patch0032: 0032-Fix-ldapupdate.get_sub_dict-for-missing-named-user.patch
Patch0033: 0033-freeipa.spec.in-remove-python3-pexpect-from-Requires.patch
Patch0034: 0034-ipa-getkeytab-add-option-to-discover-servers-using-D.patch
Patch0035: 0035-ipa-getkeytab-fix-compiler-warnings.patch
Patch0036: 0036-ipatests-test-ipa-getkeytab-server-option.patch
Patch0037: 0037-ipatests-Test-for-OTP-when-the-LDAP-connection-timed.patch
Patch0038: 0038-ipatests-verify-that-getcert-output-includes-the-iss.patch
Patch0039: 0039-ipatests-Look-for-warning-into-stderr-instead-of-std.patch
Patch0040: 0040-ipatests-use-krb5_trace-in-TestIpaAdTrustInstall.patch
Patch0041: 0041-ipatests-Test-ldapsearch-with-base-scope-works-with-.patch
Patch0042: 0042-ipatests-skip-test_basesearch_compat_tree-on-fedora.patch
Patch0043: 0043-ipatests-Refactor-test_check_otpd_after_idle_timeout.patch
Patch0044: 0044-ipatests-Test-unsecure-nsupdate.patch
Patch0045: 0045-ipatests-Fix-TestAJPSecretUpgrade-tests-on-systems-w.patch
Patch0046: 0046-ipatests-test_ipahealthcheck-Verify-permissions-for-.patch
Patch0047: 0047-ipatests-test-to-renew-certs-on-replica-using-ipa-ce.patch
Patch0048: 0048-ipatests-wait-while-http-ldap-pkinit-cert-get-renew-.patch
Patch0049: 0049-ipatests-refactor-test_ipa_cert_fix-with-tasks.patch
Patch0050: 0050-ipatests-use-whole-date-for-journalctl-since.patch
Patch0051: 0051-selinux-policy-allow-custodia-to-access-proc-cpuinfo.patch
Patch0052: 0052-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ.patch
Patch0053: 0053-subid-subid-match-display-the-owner-s-ID-not-DN.patch
Patch0054: 0054-migrate-ds-workaround-to-detect-compat-tree.patch
Patch0055: 0055-Don-t-store-entries-with-a-usercertificate-in-the-LD.patch
Patch0056: 0056-ipatests-Test-that-a-user-can-be-issued-multiple-cer.patch
Patch0057: 0057-Parse-getStatus-as-JSON-not-XML.patch
Patch0058: 0058-Parse-cert-chain-as-JSON-not-XML.patch
Patch0059: 0059-Specify-PKI-installation-log-paths.patch
Patch0060: 0060-Make-Dogtag-return-XML-for-ipa-cert-find.patch
Patch0001: 0001-ipa-kdb-issue-PAC_REQUESTER_SID-only-for-TGTs.patch
Patch0002: 0002-ipa-kdb-fix-requester-SID-check-according-to-MS-KILE.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -528,6 +472,8 @@ Requires: gssproxy >= 0.7.0-2
Requires: sssd-dbus >= %{sssd_version}
Requires: libpwquality
Requires: cracklib-dicts
# NDR libraries are internal in Samba and change with version without changing SONAME
%ipa_requires_gt samba-client-libs
Provides: %{alt_name}-server = %{version}
Conflicts: %{alt_name}-server
@ -627,9 +573,11 @@ Requires: %{name}-server = %{version}-%{release}
Requires: bind-dyndb-ldap >= 11.2-2
Requires: bind >= %{bind_version}
Requires: bind-utils >= %{bind_version}
# bind-dnssec-utils is required by the OpenDNSSec integration
# https://pagure.io/freeipa/issue/9026
Requires: bind-dnssec-utils >= %{bind_version}
%if %{with bind_pkcs11}
Requires: bind-pkcs11 >= %{bind_version}
Requires: bind-pkcs11-utils >= %{bind_version}
%else
Requires: softhsm >= %{softhsm_version}
Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
@ -1433,6 +1381,7 @@ fi
%dir %{_libexecdir}/ipa/oddjob
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
%dir %{_libexecdir}/ipa/certmonger
@ -1762,26 +1711,37 @@ fi
%endif
%changelog
* Thu Dec 02 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.8-1
- Resolves: rhbz#2015608 - [Rebase] Rebase ipa to latest 4.9.x release RHEL9
- Resolves: rhbz#1825010 - Concerns regarding 'ipa pwpolicy-mod --minlife 24 --maxlife 1'
- Resolves: rhbz#1966289 - Info about searchrecordslimit set search limit to 10,000 after upgrade
- Resolves: rhbz#1980356 - reinstalling samba client causes winbindd coredump
- Resolves: rhbz#1986054 - fix automountlocation-tofiles output
- Resolves: rhbz#2020205 - Missing bind-pkcs11-utils causing failures in OpenDNSSec
- Resolves: rhbz#2021445 - CVE-2020-25719 ipa: samba: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets
- ipa-kdb: issue PAC_REQUESTER_SID only for TGTs
- ipa-kdb: fix requester SID check according to MS-KILE and MS-SFU updates
* Tue Oct 5 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-9
- Resolves: rhbz#2010195 ipa-server-install fails while 'configuring certificate server instance'
- Resolves: rhbz#2010701 ipa-server-install fails while 'configuring certificate server instance'
- Parse getStatus as JSON not XML
- Parse cert chain as JSON not XML
- Specify PKI installation log paths
- Make Dogtag return XML for ipa cert-find
* Fri Sep 17 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-8
- Resolves: rhbz#2004922 ipa cert-request replaces user certificate instead of adding
- Resolves: rhbz#2005864 ipa cert-request replaces user certificate instead of adding
- Don't store entries with a usercertificate in the LDAP cache
- ipatests: Test that a user can be issued multiple certificates
* Fri Sep 10 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-7
- Resolves: rhbz#2000629 AVC denied { read } comm="ipa-custodia" on aarch64 during installation of ipa-server
- Resolves: rhbz#2003005 AVC denied { read } comm="ipa-custodia" on aarch64 during installation of ipa-server
- selinux policy: allow custodia to access /proc/cpuinfo
- Resolves: rhbz#2000269 extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
- Resolves: rhbz#2003004 extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
- extdom: return LDAP_NO_SUCH_OBJECT if domains differ
- Resolves: rhbz#2000947 subid: subid-match displays the DN of the owner, not its UID.
- Resolves: rhbz#2003003 subid: subid-match displays the DN of the owner, not its UID.
- subid: subid-match: display the owner's ID not DN
- Resolves: rhbz #2002285 ipa migrate-ds command fails to warn when compat plugin is enabled
- Resolves: rhbz#2013116 ipa migrate-ds command fails to warn when compat plugin is enabled
- migrate-ds: workaround to detect compat tree
* Thu Aug 26 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-6