e57a97aa67
- Resolves: RHEL-12589 ipa: Invalid CSRF protection - Resolves: RHEL-19748 ipa hbac-test did not report that it hit an arbitrary search limit - Resolves: RHEL-21059 'DogtagCertsConfigCheck' fails, displaying the error message 'Malformed directive: ca.signing.certnickname=caSigningCert cert-pki-ca' - Resolves: RHEL-21804 ipa client 4.10.2 - Failed to obtain host TGT - Resolves: RHEL-21809 CA less servers are failing to be added in topology segment for domain suffix - Resolves: RHEL-21810 ipa-client-install --automount-location does not work - Resolves: RHEL-21811 Handle change in behavior of pki-server ca-config-show in pki 11.5.0 - Resolves: RHEL-21812 Backport latest test fixes in ipa - Resolves: RHEL-21813 krb5kdc fails to start when pkinit and otp auth type is enabled in ipa - Resolves: RHEL-21815 IPA 389ds plugins need to have better logging and tracing - Resolves: RHEL-21937 Make sure a default NetBIOS name is set if not passed in by ADTrust instance constructor Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
From 02b17c8560a6aabb4be1109a3a794412f527c83c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 24 Nov 2023 13:00:48 +0200
Subject: [PATCH] ipatests: make sure PKINIT enrollment works with a strict
policy
Previously, for a global policy which does not include
'password', krb5kdc restart was failing. Now it should succeed.
We set admin user authentication type to PASSWORD to simplify
configuration in the test.
What matters here is that global policy does not include PKINIT and that
means the code in the ticket policy check will allow PKINIT implicitly
rather than explicitly.
Related: https://pagure.io/freeipa/issue/9485
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
---
.../test_integration/test_pkinit_install.py | 26 +++++++++++++++++++
1 file changed, 26 insertions(+)
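--- a/ipatests/test_integration/test_pkinit_install.py
+++ b/ipatests/test_integration/test_pkinit_install.py
@@ -23,6 +23,24 @@ class TestPkinitClientInstall(IntegrationTest):
 def install(cls, mh):
 tasks.install_master(cls.master)
 
+ def enforce_password_and_otp(self):
+ """enforce otp by default and password for admin """
+ self.master.run_command(
+ [
+ "ipa",
+ "config-mod",
+ "--user-auth-type=otp",
+ ]
+ )
+ self.master.run_command(
+ [
+ "ipa",
+ "user-mod",
+ "admin",
+ "--user-auth-type=password",
+ ]
+ )
+
 def add_certmaperule(self):
 """add certmap rule to map SAN dNSName to host entry"""
 self.master.run_command(
@@ -86,6 +104,14 @@ class TestPkinitClientInstall(IntegrationTest):
 cabundle = self.master.get_file_contents(paths.KDC_CA_BUNDLE_PEM)
 client.put_file_contents(self.tmpbundle, cabundle)
 
+ def test_restart_krb5kdc(self):
+ tasks.kinit_admin(self.master)
+ self.enforce_password_and_otp()
+ self.master.run_command(['systemctl', 'stop', 'krb5kdc.service'])
+ self.master.run_command(['systemctl', 'start', 'krb5kdc.service'])
+ self.master.run_command(['systemctl', 'stop', 'kadmin.service'])
+ self.master.run_command(['systemctl', 'start', 'kadmin.service'])
+
 def test_client_install_pkinit(self):
 tasks.kinit_admin(self.master)
 self.add_certmaperule()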
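Review bot: `test_restart_krb5kdc` only proves that `systemctl start krb5kdc.service` exited zero; a KDC that starts and then exits on its first policy check would pass unnoticed, so an explicit `self.master.run_command(['systemctl', 'is-active', 'krb5kdc.service'])` after the start (and the same for kadmin) would pin the behaviour the commit message describes. The policy change made by `enforce_password_and_otp` is never reverted, so every later test in the class, including `test_client_install_pkinit`, runs with `--user-auth-type=otp` set globally; if that is intended, a docstring on the new test such as `"""krb5kdc and kadmin must restart under a global auth policy that excludes password and PKINIT."""` would record it. The class body continues outside both hunks.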
--
2.43.0