From 941d6a54e163ca0d5eee6ac391c0d2f5afb6cf55 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Tue, 9 Dec 2025 10:27:12 +0100 Subject: [PATCH] Revert "Remove NIS server support" This reverts commit e98a80827bcc42dc16b516355077fed844220107. --- freeipa.spec.in | 2 + install/share/Makefile.am | 2 + install/share/nis-update.uldif | 38 ++++ install/share/nis.uldif | 96 ++++++++++ install/tools/Makefile.am | 2 + install/tools/ipa-compat-manage.in | 17 +- install/tools/ipa-nis-manage.in | 205 +++++++++++++++++++++ install/tools/man/Makefile.am | 1 + install/tools/man/ipa-nis-manage.1 | 51 +++++ install/updates/10-enable-betxn.update | 3 + install/updates/50-nis.update | 3 + install/updates/Makefile.am | 1 + ipaplatform/base/paths.py | 2 + ipaserver/install/ipa_migrate.py | 27 ++- ipaserver/install/ipa_migrate_constants.py | 24 +++ ipaserver/install/plugins/update_nis.py | 92 +++++++++ ipatests/test_cmdline/test_cli.py | 1 + ipatests/test_integration/test_commands.py | 87 +++++++++ 18 files changed, 638 insertions(+), 16 deletions(-) create mode 100644 install/share/nis-update.uldif create mode 100644 install/share/nis.uldif create mode 100644 install/tools/ipa-nis-manage.in create mode 100644 install/tools/man/ipa-nis-manage.1 create mode 100644 install/updates/50-nis.update create mode 100644 ipaserver/install/plugins/update_nis.py diff --git a/freeipa.spec.in b/freeipa.spec.in index b93199a5783a89e0ff58affd3d416556f72dd00c..6ee0f43f059dad4bba2288b1b0d3a63437371861 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1619,6 +1619,7 @@ fi %{_sbindir}/ipa-ldap-updater %{_sbindir}/ipa-otptoken-import %{_sbindir}/ipa-compat-manage +%{_sbindir}/ipa-nis-manage %{_sbindir}/ipa-managed-entries %{_sbindir}/ipactl %{_sbindir}/ipa-advise @@ -1694,6 +1695,7 @@ fi %{_mandir}/man1/ipa-ca-install.1* %{_mandir}/man1/ipa-kra-install.1* %{_mandir}/man1/ipa-compat-manage.1* +%{_mandir}/man1/ipa-nis-manage.1* %{_mandir}/man1/ipa-managed-entries.1* %{_mandir}/man1/ipa-ldap-updater.1* %{_mandir}/man8/ipactl.8* diff --git a/install/share/Makefile.am b/install/share/Makefile.am index bb2eb7531b083e36827ba1ee111e39c29589acaa..87578d29644f897622f46a56c06cb24c7df3efe6 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -66,6 +66,8 @@ dist_app_DATA = \ master-entry.ldif \ memberof-task.ldif \ memberof-conf.ldif \ + nis.uldif \ + nis-update.uldif \ opendnssec_conf.template \ opendnssec_kasp.template \ unique-attributes.ldif \ diff --git a/install/share/nis-update.uldif b/install/share/nis-update.uldif new file mode 100644 index 0000000000000000000000000000000000000000..e602c1de061fbcece349b2d86970c4db5051473b --- /dev/null +++ b/install/share/nis-update.uldif @@ -0,0 +1,38 @@ +# Updates for NIS + +# Correct syntax error that caused users to not appear +dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config +replace:nis-value-format: %merge(" ","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\"%deref(\\\\\\\"memberUser\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\",\\\"%deref_r(\\\\\\\"memberUser\\\\\\\",\\\\\\\"member\\\\\\\",\\\\\\\"uid\\\\\\\")\\\")\\\")\",\"-\"),%{nisDomainName:-})")::%merge(" ","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})") + +# Correct syntax error that caused nested netgroups to not work +# https://bugzilla.redhat.com/show_bug.cgi?id=788625 +dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config +replace:nis-value-format: %merge(" ","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})")::%merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})") + +# Make the padding an expression so usercat and hostcat always gets +# evaluated when displaying entries. +# https://bugzilla.redhat.com/show_bug.cgi?id=767372 +dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config +replace:nis-value-format: %merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})")::%merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\"),%{nisDomainName:-})") + +dn: nis-domain=$DOMAIN+nis-map=ethers.byaddr, cn=NIS Server, cn=plugins, cn=config +default:objectclass: top +default:objectclass: extensibleObject +default:nis-domain: $DOMAIN +default:nis-map: ethers.byaddr +default:nis-base: cn=computers, cn=accounts, $SUFFIX +default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) +default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6") +default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") +default:nis-secure: no + +dn: nis-domain=$DOMAIN+nis-map=ethers.byname, cn=NIS Server, cn=plugins, cn=config +default:objectclass: top +default:objectclass: extensibleObject +default:nis-domain: $DOMAIN +default:nis-map: ethers.byname +default:nis-base: cn=computers, cn=accounts, $SUFFIX +default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) +default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%7") +default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") +default:nis-secure: no diff --git a/install/share/nis.uldif b/install/share/nis.uldif new file mode 100644 index 0000000000000000000000000000000000000000..1735fb55299d28ab40d864b24062309fca43241f --- /dev/null +++ b/install/share/nis.uldif @@ -0,0 +1,96 @@ +dn: cn=NIS Server, cn=plugins, cn=config +default:objectclass: top +default:objectclass: nsSlapdPlugin +default:objectclass: extensibleObject +default:cn: NIS Server +default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/nisserver-plugin.so +default:nsslapd-plugininitfunc: nis_plugin_init +default:nsslapd-plugintype: object +default:nsslapd-pluginbetxn: on +default:nsslapd-pluginenabled: on +default:nsslapd-pluginid: nis-server +default:nsslapd-pluginversion: 0.10 +default:nsslapd-pluginvendor: redhat.com +default:nsslapd-plugindescription: NIS Server Plugin +default:nis-tcp-wrappers-name: nis-server + +dn: nis-domain=$DOMAIN+nis-map=passwd.byname, cn=NIS Server, cn=plugins, cn=config +default:objectclass: top +default:objectclass: extensibleObject +default:nis-domain: $DOMAIN +default:nis-map: passwd.byname +default:nis-base: cn=users, cn=accounts, $SUFFIX +default:nis-secure: no + +dn: nis-domain=$DOMAIN+nis-map=passwd.byuid, cn=NIS Server, cn=plugins, cn=config +default:objectclass: top +default:objectclass: extensibleObject +default:nis-domain: $DOMAIN +default:nis-map: passwd.byuid +default:nis-base: cn=users, cn=accounts, $SUFFIX +default:nis-secure: no + +dn: nis-domain=$DOMAIN+nis-map=group.byname, cn=NIS Server, cn=plugins, cn=config +default:objectclass: top +default:objectclass: extensibleObject +default:nis-domain: $DOMAIN +default:nis-map: group.byname +default:nis-base: cn=groups, cn=accounts, $SUFFIX +default:nis-secure: no + +dn: nis-domain=$DOMAIN+nis-map=group.bygid, cn=NIS Server, cn=plugins, cn=config +default:objectclass: top +default:objectclass: extensibleObject +default:nis-domain: $DOMAIN +default:nis-map: group.bygid +default:nis-base: cn=groups, cn=accounts, $SUFFIX +default:nis-secure: no + +dn: nis-domain=$DOMAIN+nis-map=netid.byname, cn=NIS Server, cn=plugins, cn=config +default:objectclass: top +default:objectclass: extensibleObject +default:nis-domain: $DOMAIN +default:nis-map: netid.byname +default:nis-base: cn=users, cn=accounts, $SUFFIX +default:nis-secure: no + +# Note that the escapes in this entry can be quite confusing. The trick +# is that each level of nesting requires (2^n) - 1 escapes. So the +# first level is \", the second is \\\", the third is \\\\\\\", etc. +# (1, 3, 7, 15, more than that and you'll go insane) + +# Note that this configuration mirrors the Schema Compat configuration for +# triples. +dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config +default:objectclass: top +default:objectclass: extensibleObject +default:nis-domain: $DOMAIN +default:nis-map: netgroup +default:nis-base: cn=ng, cn=alt, $SUFFIX +default:nis-filter: (objectClass=ipanisNetgroup) +default:nis-key-format: %{cn} +default:nis-value-format:%merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\"),%{nisDomainName:-})") +default:nis-secure: no + +dn: nis-domain=$DOMAIN+nis-map=ethers.byaddr, cn=NIS Server, cn=plugins, cn=config +default:objectclass: top +default:objectclass: extensibleObject +default:nis-domain: $DOMAIN +default:nis-map: ethers.byaddr +default:nis-base: cn=computers, cn=accounts, $SUFFIX +default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) +default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6") +default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") +default:nis-secure: no + +dn: nis-domain=$DOMAIN+nis-map=ethers.byname, cn=NIS Server, cn=plugins, cn=config +default:objectclass: top +default:objectclass: extensibleObject +default:nis-domain: $DOMAIN +default:nis-map: ethers.byname +default:nis-base: cn=computers, cn=accounts, $SUFFIX +default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) +default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%7") +default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") +default:nis-secure: no + diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index 74cd11c67dd3af623dd29802935ae63fe82fcecb..ca484ec37969c9c06ae7b408b55fa30cd4e8e4fe 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am @@ -19,6 +19,7 @@ dist_noinst_DATA = \ ipa-server-upgrade.in \ ipactl.in \ ipa-compat-manage.in \ + ipa-nis-manage.in \ ipa-managed-entries.in \ ipa-ldap-updater.in \ ipa-otptoken-import.in \ @@ -56,6 +57,7 @@ nodist_sbin_SCRIPTS = \ ipa-server-upgrade \ ipactl \ ipa-compat-manage \ + ipa-nis-manage \ ipa-managed-entries \ ipa-ldap-updater \ ipa-otptoken-import \ diff --git a/install/tools/ipa-compat-manage.in b/install/tools/ipa-compat-manage.in index fb25c22edd5b2fac123144846ffc232cb5bbecc7..9650abd6f83ebc0a8ef347fee83989d4e9f13f09 100644 --- a/install/tools/ipa-compat-manage.in +++ b/install/tools/ipa-compat-manage.in @@ -25,7 +25,6 @@ import sys from ipaplatform.paths import paths try: from ipapython import ipautil, config - from ipapython.ipaldap import realm_to_serverid from ipaserver.install import installutils from ipaserver.install.ldapupdate import LDAPUpdate from ipalib import api, errors @@ -153,19 +152,9 @@ def main(): try: entry = get_entry(nis_config_dn) # We can't disable schema compat if the NIS plugin is enabled - if ( - entry is not None - and entry.get("nsslapd-pluginenabled", [""])[0].lower() == "on" - ): - instance = realm_to_serverid(api.env.realm) - print( - "The NIS plugin is configured, cannot " - "disable compatibility.", file=sys.stderr, - ) - print( - f"Run \"dsconf {instance} plugin set --enabled off " - "'NIS Server'\" first.", file=sys.stderr, - ) + if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on': + print("The NIS plugin is configured, cannot disable compatibility.", file=sys.stderr) + print("Run 'ipa-nis-manage disable' first.", file=sys.stderr) retval = 2 except errors.ExecutionError as lde: print("An error occurred while talking to the server.") diff --git a/install/tools/ipa-nis-manage.in b/install/tools/ipa-nis-manage.in new file mode 100644 index 0000000000000000000000000000000000000000..6b156ce6a80d05d9cd2d7cab48e6dba08b0954f5 --- /dev/null +++ b/install/tools/ipa-nis-manage.in @@ -0,0 +1,205 @@ +#!/usr/bin/python3 +# Authors: Rob Crittenden +# Authors: Simo Sorce +# +# Copyright (C) 2009 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +from __future__ import print_function + +import sys +import os +from ipaplatform.paths import paths +try: + from optparse import OptionParser # pylint: disable=deprecated-module + from ipapython import ipautil, config + from ipaserver.install import installutils + from ipaserver.install.ldapupdate import LDAPUpdate + from ipalib import api, errors + from ipapython.ipa_log_manager import standard_logging_setup + from ipapython.dn import DN + from ipaplatform import services +except ImportError as e: + print("""\ +There was a problem importing one of the required Python modules. The +error was: + + %s +""" % e, file=sys.stderr) + sys.exit(1) + +nis_config_dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config')) +compat_dn = DN(('cn', 'Schema Compatibility'), ('cn', 'plugins'), ('cn', 'config')) + +def parse_options(): + usage = "%prog [options] \n" + usage += "%prog [options]\n" + parser = OptionParser(usage=usage, formatter=config.IPAFormatter()) + + parser.add_option("-d", "--debug", action="store_true", dest="debug", + help="Display debugging information about the update(s)") + parser.add_option("-y", dest="password", + help="File containing the Directory Manager password") + + config.add_standard_options(parser) + options, args = parser.parse_args() + + return options, args + +def get_dirman_password(): + """Prompt the user for the Directory Manager password and verify its + correctness. + """ + password = installutils.read_password("Directory Manager", confirm=False, validate=False, retry=False) + + return password + +def get_entry(dn): + """ + Return the entry for the given DN. If the entry is not found return + None. + """ + entry = None + try: + entry = api.Backend.ldap2.get_entry(dn) + except errors.NotFound: + pass + return entry + +def main(): + retval = 0 + files = [paths.NIS_ULDIF] + servicemsg = "" + + if os.getegid() != 0: + sys.exit('Must be root to use this tool.') + + installutils.check_server_configuration() + + options, args = parse_options() + + if len(args) != 1: + sys.exit("You must specify one action: enable | disable | status") + elif args[0] not in {"enable", "disable", "status"}: + sys.exit("Unrecognized action [" + args[0] + "]") + + standard_logging_setup(None, debug=options.debug) + dirman_password = "" + if options.password: + try: + pw = ipautil.template_file(options.password, []) + except IOError: + sys.exit("File \"%s\" not found or not readable" % options.password) + dirman_password = pw.strip() + else: + dirman_password = get_dirman_password() + if dirman_password is None: + sys.exit("Directory Manager password required") + + if not dirman_password: + sys.exit("No password supplied") + + api.bootstrap( + context='cli', confdir=paths.ETC_IPA, + debug=options.debug, in_server=True) + api.finalize() + api.Backend.ldap2.connect(bind_pw=dirman_password) + + if args[0] == "enable": + compat = get_entry(compat_dn) + if compat is None or compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'off': + sys.exit("The compat plugin needs to be enabled: ipa-compat-manage enable") + entry = None + try: + entry = get_entry(nis_config_dn) + except errors.ExecutionError as lde: + print("An error occurred while talking to the server.") + print(lde) + retval = 1 + + # Enable either the portmap or rpcbind service + portmap = services.knownservices.portmap + rpcbind = services.knownservices.rpcbind + + if portmap.is_installed(): + portmap.enable() + servicemsg = portmap.service_name + elif rpcbind.is_installed(): + rpcbind.enable() + servicemsg = rpcbind.service_name + else: + print("Unable to enable either %s or %s" % (portmap.service_name, rpcbind.service_name)) + retval = 3 + + # The cn=config entry for the plugin may already exist but it + # could be turned off, handle both cases. + if entry is None: + print("Enabling plugin") + ld = LDAPUpdate() + if ld.update(files) != True: + retval = 1 + elif entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off': + print("Enabling plugin") + # Already configured, just enable the plugin + entry['nsslapd-pluginenabled'] = ['on'] + api.Backend.ldap2.update_entry(entry) + else: + print("Plugin already Enabled") + retval = 2 + + elif args[0] == "disable": + try: + entry = api.Backend.ldap2.get_entry(nis_config_dn, ['nsslapd-pluginenabled']) + entry['nsslapd-pluginenabled'] = ['off'] + api.Backend.ldap2.update_entry(entry) + except (errors.NotFound, errors.EmptyModlist): + print("Plugin is already disabled") + retval = 2 + except errors.LDAPError as lde: + print("An error occurred while talking to the server.") + print(lde) + retval = 1 + + elif args[0] == "status": + nis_entry = get_entry(nis_config_dn) + enabled = (nis_entry and + nis_entry.get( + 'nsslapd-pluginenabled', '')[0].lower() == "on") + if enabled: + print("Plugin is enabled") + retval = 0 + else: + print("Plugin is not enabled") + retval = 4 + + else: + retval = 1 + + if retval == 0: + if args[0] in {"enable", "disable"}: + print("This setting will not take effect until you restart " + "Directory Server.") + + if args[0] == "enable": + print("The %s service may need to be started." % servicemsg) + + api.Backend.ldap2.disconnect() + + return retval + +if __name__ == '__main__': + installutils.run_script(main, operation_name='ipa-nis-manage') diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am index bffce402c7df428a47c1710bdc47d59a95993a0d..e9542a77bbbb88054eae1e64311d6e9ec5bee499 100644 --- a/install/tools/man/Makefile.am +++ b/install/tools/man/Makefile.am @@ -18,6 +18,7 @@ dist_man1_MANS = \ ipa-kra-install.1 \ ipa-ldap-updater.1 \ ipa-compat-manage.1 \ + ipa-nis-manage.1 \ ipa-managed-entries.1 \ ipa-backup.1 \ ipa-restore.1 \ diff --git a/install/tools/man/ipa-nis-manage.1 b/install/tools/man/ipa-nis-manage.1 new file mode 100644 index 0000000000000000000000000000000000000000..1107b7790531aa695defd660040734143c02474d --- /dev/null +++ b/install/tools/man/ipa-nis-manage.1 @@ -0,0 +1,51 @@ +.\" A man page for ipa-nis-manage +.\" Copyright (C) 2009 Red Hat, Inc. +.\" +.\" This program is free software; you can redistribute it and/or modify +.\" it under the terms of the GNU General Public License as published by +.\" the Free Software Foundation, either version 3 of the License, or +.\" (at your option) any later version. +.\" +.\" This program is distributed in the hope that it will be useful, but +.\" WITHOUT ANY WARRANTY; without even the implied warranty of +.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +.\" General Public License for more details. +.\" +.\" You should have received a copy of the GNU General Public License +.\" along with this program. If not, see . +.\" +.\" Author: Rob Crittenden +.\" +.TH "ipa-nis-manage" "1" "April 25 2016" "IPA" "IPA Manual Pages" +.SH "NAME" +ipa\-nis\-manage \- Enables or disables the NIS listener plugin +.SH "SYNOPSIS" +ipa\-nis\-manage [options] +.SH "DESCRIPTION" +Run the command with the \fBenable\fR option to enable the NIS plugin. + +Run the command with the \fBdisable\fR option to disable the NIS plugin. + +Run the command with the \fBstatus\fR option to read status of the NIS plugin. Return code 0 indicates enabled plugin, return code 4 indicates disabled plugin. + +In all cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used. + +Directory Server will need to be restarted after the NIS listener plugin has been enabled. + +.SH "OPTIONS" +.TP +\fB\-d\fR, \fB\-\-debug\fR +Enable debug logging when more verbose output is needed +.TP +\fB\-y\fR \fIfile\fR +File containing the Directory Manager password +.SH "EXIT STATUS" +0 if the command was successful + +1 if an error occurred + +2 if the plugin is already in the required status (enabled or disabled) + +3 if RPC services cannot be enabled. + +4 if status command detected plugin in disabled state. diff --git a/install/updates/10-enable-betxn.update b/install/updates/10-enable-betxn.update index 9525292cb2d66a738a2dec9cd881dbf960d2d944..1f89341c7f68616161d03b8a2e0c34f499bc3317 100644 --- a/install/updates/10-enable-betxn.update +++ b/install/updates/10-enable-betxn.update @@ -44,3 +44,6 @@ only: nsslapd-pluginbetxn: on dn: cn=Schema Compatibility, cn=plugins, cn=config onlyifexist: nsslapd-pluginbetxn: on + +dn: cn=NIS Server, cn=plugins, cn=config +onlyifexist: nsslapd-pluginbetxn: on diff --git a/install/updates/50-nis.update b/install/updates/50-nis.update new file mode 100644 index 0000000000000000000000000000000000000000..05a166f003aefc50fc25f10f01f7364d752425bc --- /dev/null +++ b/install/updates/50-nis.update @@ -0,0 +1,3 @@ +# Updates are applied only if NIS plugin has been configured +# update definitions are located in install/share/nis-update.uldif +plugin: update_nis_configuration diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index cce2670a6c31803dc534ac5b0093ec0aa317233e..fd96831d8fd4904b51d933847865d37c58a3508c 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am @@ -52,6 +52,7 @@ app_DATA = \ 50-groupuuid.update \ 50-hbacservice.update \ 50-krbenctypes.update \ + 50-nis.update \ 50-ipaconfig.update \ 55-pbacmemberof.update \ 59-trusts-sysacount.update \ diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 5bc0e3ac3eed257fd7fa6a0830e3e2dbeb3d01d2..b84925bfc7d9af8584d9d4b185aa04b635c1e325 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -297,6 +297,8 @@ class BasePathNamespace: CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif" IPA_HTML_DIR = "/usr/share/ipa/html" CA_CRT = "/usr/share/ipa/html/ca.crt" + NIS_ULDIF = "/usr/share/ipa/nis.uldif" + NIS_UPDATE_ULDIF = "/usr/share/ipa/nis-update.uldif" SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/updates/91-schema_compat.update" SCHEMA_COMPAT_POST_ULDIF = "/usr/share/ipa/schema_compat_post.uldif" SUBID_GENERATORS_ULDIF = "/usr/share/ipa/subid-generators.uldif" diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py index f07a878e739002346df894f93745ea60345e0557..b0a27de5dd40aa661271faa3a8a0855226b5892f 100644 --- a/ipaserver/install/ipa_migrate.py +++ b/ipaserver/install/ipa_migrate.py @@ -32,7 +32,7 @@ from ipapython.admintool import admin_cleanup_global_argv from ipaserver.install.ipa_migrate_constants import ( DS_CONFIG, DB_OBJECTS, DS_INDEXES, BIND_DN, LOG_FILE_NAME, STRIP_OP_ATTRS, STRIP_ATTRS, STRIP_OC, PROD_ATTRS, - DNA_REGEN_VAL, DNA_REGEN_ATTRS, IGNORE_ATTRS, + DNA_REGEN_VAL, DNA_REGEN_ATTRS, NIS_PLUGIN, IGNORE_ATTRS, DB_EXCLUDE_TREES, POLICY_OP_ATTRS, STATE_OPTIONS ) @@ -749,7 +749,8 @@ class IPAMigrate(): self.log_info(title) self.log_info('-' * (len(title) - 1)) logged_something = self.log_stats(DS_CONFIG) - if self.args.verbose: + if self.args.verbose or NIS_PLUGIN['count'] > 0: + self.log_info(f" - NIS Server Plugin: {NIS_PLUGIN['count']}") logged_something = True if not self.log_stats(DS_INDEXES) and not logged_something: self.log_info(" - No updates") @@ -1983,6 +1984,28 @@ class IPAMigrate(): add_missing=True) stats['config_processed'] += 1 + # Slapi NIS Plugin + if DN(NIS_PLUGIN['dn']) == DN(entry['dn']): + # Parent plugin entry + self.process_config_entry( + entry['dn'], entry['attrs'], NIS_PLUGIN, + add_missing=True) + stats['config_processed'] += 1 + elif DN(NIS_PLUGIN['dn']) in DN(entry['dn']): + # Child NIS plugin entry + nis_dn = entry['dn'] + lc_remote_realm = self.remote_realm.lower() + lc_realm = self.realm.lower() + nis_dn = nis_dn.replace(lc_remote_realm, lc_realm) + if 'nis-domain' in entry['attrs']: + value = entry['attrs']['nis-domain'][0] + value = value.replace(lc_remote_realm, lc_realm) + entry['attrs']['nis-domain'][0] = value + # Process the entry + self.process_config_entry(nis_dn, entry['attrs'], NIS_PLUGIN, + add_missing=True) + stats['config_processed'] += 1 + # # Migration # diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py index 65e920d4bdc7511adb60bbdf87db88beb2630645..4fe8b467978936e4f8d621b7297ff577127c7298 100644 --- a/ipaserver/install/ipa_migrate_constants.py +++ b/ipaserver/install/ipa_migrate_constants.py @@ -527,6 +527,30 @@ DS_CONFIG = { }, } +# +# Slpai NIS is an optional plugin. It requires special handling +# +NIS_PLUGIN = { + 'dn': 'cn=NIS Server,cn=plugins,cn=config', + 'attrs': [ + 'nis-domain', + 'nis-base', + 'nis-map', + 'nis-filter', + 'nis-key-format:', + 'nis-values-format:', + 'nis-secure', + 'nis-disallowed-chars', + # Parent plugin entry + 'nsslapd-pluginarg0', + 'nsslapd-pluginenabled' + ], + 'multivalued': [], + 'label': 'NIS Server Plugin', + 'mode': 'all', + 'count': 0, +} + # # This mapping is simliar to above but it handles container entries # This could be built into the above mapping using the "comma" approach diff --git a/ipaserver/install/plugins/update_nis.py b/ipaserver/install/plugins/update_nis.py new file mode 100644 index 0000000000000000000000000000000000000000..c02eb5f838a99b27cdd21e4aee17e5104f0e22e2 --- /dev/null +++ b/ipaserver/install/plugins/update_nis.py @@ -0,0 +1,92 @@ +# +# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +# + +from __future__ import absolute_import + +import logging + +from ipalib.plugable import Registry +from ipalib import errors +from ipalib import Updater +from ipaplatform.paths import paths +from ipapython.dn import DN +from ipaserver.install import sysupgrade +from ipaserver.install.ldapupdate import LDAPUpdate + +logger = logging.getLogger(__name__) + +register = Registry() + + +@register() +class update_nis_configuration(Updater): + """Update NIS configuration + + NIS configuration can be updated only if NIS Server was configured via + ipa-nis-manage command. + """ + + def __recover_from_missing_maps(self, ldap): + # https://fedorahosted.org/freeipa/ticket/5507 + # if all following DNs are missing, but 'NIS Server' container exists + # we are experiencig bug and maps should be fixed + + if sysupgrade.get_upgrade_state('nis', + 'done_recover_from_missing_maps'): + # this recover must be done only once, a user may deleted some + # maps, we do not want to restore them again + return + + logger.debug("Recovering from missing NIS maps bug") + + suffix = "cn=NIS Server,cn=plugins,cn=config" + domain = self.api.env.domain + missing_dn_list = [ + DN(nis_map.format(domain=domain, suffix=suffix)) for nis_map in [ + "nis-domain={domain}+nis-map=passwd.byname,{suffix}", + "nis-domain={domain}+nis-map=passwd.byuid,{suffix}", + "nis-domain={domain}+nis-map=group.byname,{suffix}", + "nis-domain={domain}+nis-map=group.bygid,{suffix}", + "nis-domain={domain}+nis-map=netid.byname,{suffix}", + "nis-domain={domain}+nis-map=netgroup,{suffix}", + ] + ] + + for dn in missing_dn_list: + try: + ldap.get_entry(dn, attrs_list=['cn']) + except errors.NotFound: + pass + else: + # bug is not effective, at least one of 'possible missing' + # maps was detected + return + + sysupgrade.set_upgrade_state('nis', 'done_recover_from_missing_maps', + True) + + # bug is effective run update to recreate missing maps + ld = LDAPUpdate(api=self.api) + ld.update([paths.NIS_ULDIF]) + + def execute(self, **options): + ldap = self.api.Backend.ldap2 + dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config')) + try: + ldap.get_entry(dn, attrs_list=['cn']) + except errors.NotFound: + # NIS is not configured on system, do not execute update + logger.debug("Skipping NIS update, NIS Server is not configured") + + # container does not exist, bug #5507 is not effective + sysupgrade.set_upgrade_state( + 'nis', 'done_recover_from_missing_maps', True) + else: + self.__recover_from_missing_maps(ldap) + + logger.debug("Executing NIS Server update") + ld = LDAPUpdate(api=self.api) + ld.update([paths.NIS_UPDATE_ULDIF]) + + return False, () diff --git a/ipatests/test_cmdline/test_cli.py b/ipatests/test_cmdline/test_cli.py index 6c86bbb657a0d9a7b74ef34ad20a796a10073315..4acf8dd5290c687723a9c43a21e194bf663b6a3b 100644 --- a/ipatests/test_cmdline/test_cli.py +++ b/ipatests/test_cmdline/test_cli.py @@ -372,6 +372,7 @@ IPA_CLIENT_NOT_CONFIGURED = b'IPA client is not configured on this system' '/usr/share/ipa/updates/05-pre_upgrade_plugins.update'], 2, None, IPA_NOT_CONFIGURED), (['ipa-managed-entries'], 2, None, IPA_NOT_CONFIGURED), + (['ipa-nis-manage'], 2, None, IPA_NOT_CONFIGURED), (['ipa-pkinit-manage'], 2, None, IPA_NOT_CONFIGURED), (['ipa-replica-manage', 'list'], 1, IPA_NOT_CONFIGURED, None), (['ipa-server-certinstall'], 2, None, IPA_NOT_CONFIGURED), diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py index 5bc871ab71bc05ec1c26df8352e996a9e627b466..8f8548494eaec3afd00961c096772b9d0b1ab3a4 100644 --- a/ipatests/test_integration/test_commands.py +++ b/ipatests/test_integration/test_commands.py @@ -1382,6 +1382,93 @@ class TestIPACommand(IntegrationTest): serverid = realm_to_serverid(self.master.domain.realm) return ("dirsrv@%s.service" % serverid) + def test_ipa_nis_manage_enable(self): + """ + This testcase checks if ipa-nis-manage enable + command enables plugin on an IPA master + """ + dirsrv_service = self.get_dirsrv_id() + console_msg = ( + "Enabling plugin\n" + "This setting will not take effect until " + "you restart Directory Server.\n" + "The rpcbind service may need to be started" + ) + status_msg = "Plugin is enabled" + tasks.kinit_admin(self.master) + result = self.master.run_command( + ["ipa-nis-manage", "enable"], + stdin_text=self.master.config.admin_password, + ) + assert console_msg in result.stdout_text + # verify using backend + conn = self.master.ldap_connect() + dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config')) + entry = conn.get_entry(dn) + nispluginstring = entry.get('nsslapd-pluginEnabled') + assert 'on' in nispluginstring + # restart for changes to take effect + self.master.run_command(["systemctl", "restart", dirsrv_service]) + self.master.run_command(["systemctl", "restart", "rpcbind"]) + time.sleep(DIRSRV_SLEEP) + # check status msg on the console + result = self.master.run_command( + ["ipa-nis-manage", "status"], + stdin_text=self.master.config.admin_password, + ) + assert status_msg in result.stdout_text + + def test_ipa_nis_manage_disable(self): + """ + This testcase checks if ipa-nis-manage disable + command disable plugin on an IPA Master + """ + dirsrv_service = self.get_dirsrv_id() + msg = ( + "This setting will not take effect " + "until you restart Directory Server." + ) + status_msg = "Plugin is not enabled" + tasks.kinit_admin(self.master) + result = self.master.run_command( + ["ipa-nis-manage", "disable"], + stdin_text=self.master.config.admin_password, + ) + assert msg in result.stdout_text + # verify using backend + conn = self.master.ldap_connect() + dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config')) + entry = conn.get_entry(dn) + nispluginstring = entry.get('nsslapd-pluginEnabled') + assert 'off' in nispluginstring + # restart dirsrv for changes to take effect + self.master.run_command(["systemctl", "restart", dirsrv_service]) + time.sleep(DIRSRV_SLEEP) + # check status msg on the console + result = self.master.run_command( + ["ipa-nis-manage", "status"], + stdin_text=self.master.config.admin_password, + raiseonerr=False, + ) + assert result.returncode == 4 + assert status_msg in result.stdout_text + + def test_ipa_nis_manage_enable_incorrect_password(self): + """ + This testcase checks if ipa-nis-manage enable + command throws error on console for invalid DS admin password + """ + msg1 = "Insufficient access: " + msg2 = "Invalid credentials" + result = self.master.run_command( + ["ipa-nis-manage", "enable"], + stdin_text='Invalid_pwd', + raiseonerr=False, + ) + assert result.returncode == 1 + assert msg1 in result.stderr_text + assert msg2 in result.stderr_text + def test_pkispawn_log_is_present(self): """ This testcase checks if pkispawn logged properly. -- 2.52.0