9744eaabe1
- Resolves: RHEL-84481 Protect all IPA service principals - Resolves: RHEL-84277 [RFE] IDM support UIDs up to 4,294,967,293 - Resolves: RHEL-84276 Ipa client --raw --structured throws internal error - Resolves: RHEL-82707 Search size limit tooltip has Search time limit tooltip text - Resolves: RHEL-82089 IPU 9 -> 10: ipa-server breaks the in-place upgrade due to failed scriptlet - Resolves: RHEL-68800 ipa-migrate with LDIF file from backup of remote server, fails with error 'change collided with another change' - Resolves: RHEL-30658 ipa-cacert-manage install fails with CAs having the same subject DN (subject key mismatch info) Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
70 lines
2.8 KiB
Diff
70 lines
2.8 KiB
Diff
From ac308ab8f5685465e755b4ba7e5d428fe38bea4d Mon Sep 17 00:00:00 2001
|
|
From: David Hanina <dhanina@redhat.com>
|
|
Date: Mon, 17 Mar 2025 09:26:44 +0100
|
|
Subject: [PATCH] Disallow removal of dogtag and ipa-dnskeysyncd services on
|
|
IPA servers
|
|
|
|
Also removes dogtagldap from unremovable services
|
|
|
|
Fixes: https://pagure.io/freeipa/issue/9764
|
|
Signed-off-by: David Hanina <dhanina@redhat.com>
|
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
---
|
|
ipaserver/plugins/service.py | 2 +-
|
|
ipatests/test_xmlrpc/test_service_plugin.py | 26 +++++++++++++++++++++
|
|
2 files changed, 27 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
|
|
index 075a1be8aab5d638cb632b64e766231d3761f731..f50406472a7c1d636bd8731dc550c0d850b2264d 100644
|
|
--- a/ipaserver/plugins/service.py
|
|
+++ b/ipaserver/plugins/service.py
|
|
@@ -323,7 +323,7 @@ def check_required_principal(ldap, principal):
|
|
try:
|
|
host_is_master(ldap, principal.hostname)
|
|
except errors.ValidationError:
|
|
- service_types = {'http', 'ldap', 'dns', 'dogtagldap'}
|
|
+ service_types = {'http', 'ldap', 'dns', 'dogtag', 'ipa-dnskeysyncd'}
|
|
if principal.service_name.lower() in service_types:
|
|
raise errors.ValidationError(
|
|
name='principal',
|
|
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
|
|
index a3b245679a224572a999354bc7d63360b1f06eed..4aeeb9d89971a56a2ccfccd616b15392f5f0e0ee 100644
|
|
--- a/ipatests/test_xmlrpc/test_service_plugin.py
|
|
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
|
|
@@ -864,6 +864,32 @@ class test_service(Declarative):
|
|
),
|
|
),
|
|
|
|
+ dict(
|
|
+ desc=('Delete the current host (master?) %s dogtag service,'
|
|
+ ' should be caught' % api.env.host),
|
|
+ command=('service_del', ['dogtag/%s' % api.env.host], {}),
|
|
+ expected=errors.ValidationError(
|
|
+ name='principal',
|
|
+ error='dogtag/%s@%s is required by the IPA master' % (
|
|
+ api.env.host,
|
|
+ api.env.realm
|
|
+ )
|
|
+ ),
|
|
+ ),
|
|
+
|
|
+ dict(
|
|
+ desc=('Delete the current host (master?) %s ipa-dnskeysyncd'
|
|
+ ' service, should be caught' % api.env.host),
|
|
+ command=('service_del', ['ipa-dnskeysyncd/%s' % api.env.host], {}),
|
|
+ expected=errors.ValidationError(
|
|
+ name='principal',
|
|
+ error='ipa-dnskeysyncd/%s@%s is required by the IPA master' % (
|
|
+ api.env.host,
|
|
+ api.env.realm
|
|
+ )
|
|
+ ),
|
|
+ ),
|
|
+
|
|
|
|
dict(
|
|
desc='Disable the current host (master?) %s HTTP service, should be caught' % api.env.host,
|
|
--
|
|
2.48.1
|
|
|