Commits on Source (94)
-
Rob Crittenden authored
-
Florence Blanc-Renaud authored
ipa-server-install or ipa-replica-install do not provide a meaningful error message in CA-less mode when the install fails because of a wrong PIN. Update the err msg so that it provides a hint to the user. Fixes https://pagure.io/freeipa/issue/5378 Reviewed-By:
Fraser Tweedale <ftweedal@redhat.com> Reviewed-By:
Fraser Tweedale <ftweedal@redhat.com>
-
Florence Blanc-Renaud authored
Remove the annotation pytest.mark.xfail as issue 5378 has been fixed. Related to https://pagure.io/freeipa/issue/5378 Reviewed-By:
Fraser Tweedale <ftweedal@redhat.com> Reviewed-By:
Fraser Tweedale <ftweedal@redhat.com>
-
Alexander Bokovoy authored
All Samba utilities load passdb modules from the configuration file. As a result, 'net groupmap' call would try to initialize ipasam passdb module and that one would try to connect to LDAP using Kerberos authentication. We should be running it after cifs/ principal is actually created in ipa-adtrust-install or otherwise setting up group mapping will fail. This only affects new installations. For older ones 'net groupmap' would work just fine because adtrust is already configured and all principals exist already. A re-run of 'ipa-server-upgrade' is a workaround too but better to fix the initial setup. Related: https://pagure.io/freeipa/issue/7705 Reviewed-By:
Rob Crittenden <rcritten@redhat.com>
-
Thomas Woerner authored
Client installation with --no-sssd option has already been deprecated with https://pagure.io/freeipa/issue/5860. Authconfig support has been removed, therefore --no-ac option can be removed also. ipatests/test_integration/test_authselect.py: Skip no_sssd and no_ac tests. See: https://pagure.io/freeipa/issue/7671 Signed-off-by:
Thomas Woerner <twoerner@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Thomas Woerner authored
If groups or hostgroups have been removed after automember rules have been created using them, then automember-rebuild, automember-add, host-add and more commands could fail. A new command has been added to the ipa tool: ipa automember-find-orphans --type={hostgroup,group} [--remove] This command returns the list of orphan automember rules in the same way as automember-find. With the --remove option the orphan rules are also removed. The IPA API version has been increased and a test case has been added. Using ideas from a patch by: Rob Crittenden <rcritten@redhat.com> See: https://pagure.io/freeipa/issue/6476 Signed-off-by:
Thomas Woerner <twoerner@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Florence Blanc-Renaud <flo@redhat.com> Reviewed-By:
Florence Blanc-Renaud <flo@redhat.com>
-
Rob Crittenden authored
If ipa-join fails due to a TLS connection error when doing an LDAP-based enroll then nothing is logged by default except an Invalid Password error which is misleading (because the failure occurs during the bind). The only way that debugging would have been sufficient is if the user passed --debug to ipa-client-install which is not great. This log level is otherwise very quiet and only logs one or two lines on errors which is perfect. https://pagure.io/freeipa/issue/7728 Signed-off-by:
Rob Crittenden <rcritten@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Stanislav Levin authored
systemd 239 complains about the legacy of ipa's tmpfiles which are located on /var/run. Fixes: https://pagure.io/freeipa/issue/7732 Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Florence Blanc-Renaud authored
ipa-replica-install sometimes fails with
--
[28/41]: setting up initial replication
Starting replication, please wait until this has completed.
[ldap://master.ipa.test:389] reports: Replica Busy! Status: [Error (1) Replication error acquiring replica: replica busy]
[error] RuntimeError: Failed to start replication
--
which is caused by a 389-ds issue (https://pagure.io/389-ds-base/issue/49818). Bump requires to include the fix. Fixes: https://pagure.io/freeipa/issue/7642 Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Florence Blanc-Renaud authored
The test is putting server.p12 / replica.p12 in the test_dir directory, and the error message is printing the file name with its full path. Related to https://pagure.io/freeipa/issue/5378 Reviewed-By:
Fraser Tweedale <ftweedal@redhat.com>
-
Rob Crittenden authored
There were two separate issues: 1. If not enrolling on a pre-configured client then the ntp-server and ntp-pool options are not being passed down to the client installer invocation. 2. If the client is already enrolled then the ntp options are ignored altogether. In the first case simply pass down the options to the client installer invocation. If the client is pre-enrolled and NTP options are provided then raise an exception. https://pagure.io/freeipa/issue/7723 Signed-off-by:
Rob Crittenden <rcritten@redhat.com> Reviewed-By:
Florence Blanc-Renaud <frenaud@redhat.com>
-
Petr Voborník authored
On legacy systems which don't have cacerdir_rehash tool (provided by authconfig) the generated advise script downloads this tool from project page and uses it. After decommission of Fedorahosted and move of authconfig project to Pagure, this url was not updated in FreeIPA project. This patch updates the url. https://pagure.io/freeipa/issue/7731 Signed-off-by:
Petr Vobornik <pvoborni@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Thomas Woerner authored
gcc is updated with the dnf builddep line, but annobin is not. Therefore configure fails with "C compiler cannot create executables". This is related to https://bugzilla.redhat.com/show_bug.cgi?id=1574478 Same change for .test_runner_config_py3_temp.yaml has been added for 4-7 branch. See: https://pagure.io/freeipa/issue/7740 Signed-off-by:
Thomas Woerner <twoerner@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Alexander Bokovoy authored
When we define a group mapping for BUILTIN\Guests to 'nobody' group, we run 'net groupmap add ...' with a default /etc/samba/smb.conf which is now configured to use ipasam passdb module. We authenticate to LDAP with GSSAPI in ipasam passdb module initialization. If GSSAPI authentication failed (KDC is offline, for example, during server upgrade), 'net groupmap add' crashes after ~10 attempts to re-authenticate. This is intended behavior in smbd/winbindd as they cannot work anymore. However, for the command line tools there are plenty of operations where passdb module is not needed. Additionally, GSSAPI authentication uses the default ccache in the environment and a key from /etc/samba/samba.keytab keytab. This means that if you'd run 'net *' as root, it will replace whatever Kerberos tickets you have with a TGT for cifs/`hostname` and a service ticket to ldap/`hostname` of IPA master. Apply a simple solution to avoid using /etc/samba/smb.conf when we set up the group mapping by specifying '-s /dev/null' in 'net groupmap' call. For upgrade code this is enough as in a678336b we enforce use of empty credentials cache during upgrade to prevent tripping on individual ccaches from KEYRING: or KCM: cache collections. Related: https://pagure.io/freeipa/issue/7705 Reviewed-By:
Florence Blanc-Renaud <frenaud@redhat.com>
-
Florence Blanc-Renaud authored
When adding the option --setup-adtrust to ipa-replica-install, we need to check that the package freeipa-server-trust-ad is installed. To avoid relying on OS-specific commands like yum, the check is instead ensuring that the file /usr/share/ipa/smb.conf.empty is present (this file is delivered by the package). When the check is unsuccessful, ipa-replica-install exits with an error message. Fixes: https://pagure.io/freeipa/issue/7602 Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Thomas Woerner authored
The leak happens due to using strndup to create a temporary string without freeing it afterwards. See: https://pagure.io/freeipa/issue/7738 Signed-off-by:
Thomas Woerner <twoerner@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Thomas Woerner authored
The leak happens due to using strndup in a for loop to create a temporary string without freeing it in all cases. See: https://pagure.io/freeipa/issue/7738 Signed-off-by:
Thomas Woerner <twoerner@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Christian Heimes authored
* ipadb_get_pwd_policy() initializes struct ipadb_multires *res to NULL. * ipadb_multires_free() supports NULL as no-op. * ipadb_multibase_search() consistently frees and NULLs struct ipadb_multires **res on error. See: https://pagure.io/freeipa/issue/7738 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
On two occasions C code abused strncpy()'s length limitation to copy a string of known length without the trailing NULL byte. Recent GCC is raising the compiler warning: warning: ‘strncpy’ output truncated before terminating nul copying as many bytes from a string as its length [-Wstringop-truncation] Use memcpy() instead if strncpy() to copy data of known size. See: https://pagure.io/freeipa/issue/7738 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
Instead of hard-coding python3, the smart card advise script now uses the current executable path from sys.executable as interpreter. Fixes: https://pagure.io/freeipa/issue/7741 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Rob Crittenden authored
On a plain uninstall there should not be a bunch of confusing warning/error messages. Related to https://pagure.io/freeipa/issue/7729 Signed-off-by:
Rob Crittenden <rcritten@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Rob Crittenden authored
Some incorrect errors are possible if a client installation fails and a configuration rollback is required. These include: 1. Unconfigured automount client failed: CalledProcessError(Command ['/usr/sbin/ipa-client-automount', '--uninstall', '--debug'] returned non-zero exit status 1: '') Caused by check_client_configuration() not returning the correct return value (2). 2. WARNING: Unable to revert to the pre-installation state ('authconfig' tool has been deprecated in favor of 'authselect'). The default sssd profile will be used instead. The authconfig arguments would have been: authconfig --disableldap --disablekrb5 --disablesssdauth --disablemkhomedir If installation fails before SSSD is configured there is no state to roll back to. Detect this condition. 3. An error occurred while removing SSSD's cache.Please remove the cache manually by executing sssctl cache-remove -o. Again, if SSSD is not configured yet then there is no cache to remove. Also correct the missing space after the period. https://pagure.io/freeipa/issue/7729 Signed-off-by:
Rob Crittenden <rcritten@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Rob Crittenden authored
When running the integration tests capture the uninstallation logs as well as the installation logs. Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Christian Heimes authored
Don't remove /root/.dogtag/pki-tomcat when performing step 1 of external CA installation process. Dogtag 10.6.7 changed behavior and no longer re-creates the client database in step 2. Fixes: https://pagure.io/freeipa/issue/7742 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Rob Crittenden <rcritten@redhat.com>
-
Christian Heimes authored
The install_master() function performs additional steps besides just installing a server. It also sets up log collection and performs additional tests. Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Rob Crittenden <rcritten@redhat.com>
-
Florence Blanc-Renaud authored
ipa-backup gathers all the files needed for the backup, then compresses the file and finally restarts the IPA services. When the backup is a large file, the compression may take time and widen the unavailability window. This fix restarts the services as soon as all the required files are gathered, and compresses after services are restarted. Fixes: https://pagure.io/freeipa/issue/7632 Reviewed-By:
Rob Crittenden <rcritten@redhat.com>
-
Florence Blanc-Renaud authored
The test ensures that ipa-backup compresses the files after the IPA services are restarted. Related to: https://pagure.io/freeipa/issue/7632 Reviewed-By:
Rob Crittenden <rcritten@redhat.com>
-
Rob Crittenden authored
During replica installation the local IP addresses should be added to DNS but will fail because a string is being passed to an argument expecting a list. Convert to a list before passing in individual IPs. Discovered when fixing https://pagure.io/freeipa/issue/7408 Signed-off-by:
Rob Crittenden <rcritten@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Rob Crittenden authored
This was previously suppressed because the log level in an installation was set to error so it was never displayed. Keeping consistency and demoting it to debug since the log level is increased to info. Related: https://pagure.io/freeipa/issue/7408 Signed-off-by:
Rob Crittenden <rcritten@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Rob Crittenden authored
Increase log level to info by setting verbose=True and adding a console format. Signed-off-by:
Rob Crittenden <rcritten@redhat.com> https://pagure.io/freeipa/issue/7408 Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Fraser Tweedale authored
This Dogtag issue that caused KRA clone installation failure in some scenarios has been fixed (https://pagure.io/dogtagpki/issue/3055). This reverts commit 24888132 and bumps the pki-core dependency. Fixes: https://pagure.io/freeipa/issue/7654 Reviewed-By:
Fraser Tweedale <ftweedal@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
10.6.7-3 fixes a problem with ipa-ca-install and ipa-kra-install on replicas. See: https://pagure.io/dogtagpki/issue/3073 Reviewed-By:
Fraser Tweedale <ftweedal@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
Set keys to NULL after free in order to avoid potential double free. See: https://pagure.io/freeipa/issue/7738 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
Fix potential NULL pointer deref in ipadb_mspac_get_trusted_domains(). In theory, dn could be empty and rdn NULL. The man page for ldap_str2dn() does not guarantee that it returns a non-empty result. See: https://pagure.io/freeipa/issue/7738 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
In ipapwd_pre_mod, check userpw for NULL before dereferencing its first element. See: https://pagure.io/freeipa/issue/7738 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Fraser Tweedale authored
If the server responds 401 and the response body is empty, the client raises ResponseNotReady. This occurs because: 1. For a non-200 response, the response is read only if the Content-Length header occurs. 2. The response must be read before another request (e.g. the follow-up request with WWW-Authenticate header set), and this condition was not met. For details see https://github.com/python/cpython/blob/v3.6.7/Lib/http/client.py#L1305-L1321. This situation should not arise in regular use, because the client either has a session cookie, or, knowing the details of the server it is contacting, it establishes the GSS-API context and includes the WWW-Authenticate header in the initial request. Nevertheless, this problem has been observed in the wild. I do not know its ordinary cause(s), but one can force the issue by removing an authenticated user's session cache from /run/ipa/ccaches, then performing a request. Resolve the issue by always reading the response. It is safe to call response.read() regardless of whether the Content-Length header appears, or whether the body is empty. Fixes: https://pagure.io/freeipa/issue/7752 Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Fraser Tweedale authored
ipaldap does not take into account the possibility of the attribute encoding returned by python-ldap differing from the attribute encoding produced by FreeIPA. In particular this can occur with DNs with special characters that require escaping. For example, python-ldap (or the underlying LDAP library) escapes special characters using hex encoding:
CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU
Whereas FreeIPA, when encoding the DN, escapes the character directly:
CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU
Therefore it is possible to generate an invalid modlist. For example, during external CA certificate renewal, if the issuer DN includes a comma in one of the attribute values (as above), an invalid modlist will be generated:
[ (ldap.MOD_ADD, 'ipacaissuerdn', [b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\, Inc.,L=Brisbane,C=AU']) , (ldap.MOD_DELETE, 'ipacaissuerdn', [b'CN=Test Sub-CA 201604041620,OU=ftweedal,O=Red Hat\2C Inc.,L=Brisbane,C=AU']) ]
Although encoded differently, these are the same value. If this modification is applied to the object, attributeOrValueExists (error 20) occurs. To avoid the issue, put deletes before adds in the modlist. If a value is present (with different encodings) as both an addition and a deletion, it must be because the original object contained the value with a different encoding. Therefore it is safe to delete it, then add it back. Note that the modlist is not optimal. In the simplest case (like above example), there should be no modification to perform. It is considerably more complex (and more computation) to implement this because the raw attribute values must be decoded before comparison. Fixes: https://pagure.io/freeipa/issue/7750 Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Christian Heimes authored
Starting with Python 3.7, PEP 538 addresses the locale issue. Python now supports UTF-8 file system encoding with non-UTF-8 C locale. See: https://docs.python.org/3/whatsnew/3.7.html#whatsnew37-pep538 See: https://pagure.io/freeipa/issue/5887 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Sergey Orlov authored
Test that 1) sudo is not enabled for members of admins group by default 2) sudo is enabled for them after execution of script provided by ipa-advise enable_admins_sudo Related to https://pagure.io/freeipa/issue/7538 Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Christian Heimes authored
For smart card authentication, ipaapi must be able to access to sss-ifp. During installation and upgrade, the ipaapi user is now added to [ifp]allowed_uids. The commit also fixes two related issues: * The server upgrade code now enables ifp service in sssd.conf. The existing code modified sssd.conf but never wrote the changes to disk. * sssd_enable_service() no longer fails after it has detected an unrecognized service. Fixes: https://pagure.io/freeipa/issue/7751 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Rob Crittenden <rcritten@redhat.com>
-
Alexander Bokovoy authored
Fix Coverity finding CID 323644: logically dead code path The code to determine whether NetBIOS name was already set or needs to be set after deriving it from a domain or asking a user for an interactive input, was refactored at some point to avoid retrieving the whole LDAP entry. Instead, it was provided with the actual NetBIOS name retrieved. As a result, a part of the code got neglected and was never executed. Fix this code and provide a test that tries to test predefined, interactively provided and automatically derived NetBIOS name depending on how the installer is being run. We mock up the actual execution so that no access to LDAP or Samba is needed. Backport to ipa-4-7 takes into account Python 2.7 differences: - uses mock instead of unittest.mock if the latter is not available - derives ApiMockup from object Fixes: https://pagure.io/freeipa/issue/7753 Reviewed-By:
Christian Heimes <cheimes@redhat.com> (cherry picked from commit 82af0340) Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Christian Heimes authored
Address a bug in the code block for attributeLevelRights for old clients. The backward compatibility code for deprecated options was not triggered, because the new name was checked against wrong dict. Coverity Scan issue 323649, Copy-paste error The copied code will not have its intended effect. In postprocess_result: A copied piece of code is inconsistent with the original (CWE-398) See: Fixes: https://pagure.io/freeipa/issue/7753 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
"messagebus" is an old, archaic name for dbus. Upstream dbus has started to move away from the old name. Let's use the modern term in FreeIPA, too. Fixes: https://pagure.io/freeipa/issue/7754 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Florence Blanc-Renaud <frenaud@redhat.com>
-
Christian Heimes authored
0a5a7bde introduced another problem. The test is now failing on systems without a full IPA client or server installation. Use IPA_CONFDIR env var to override location of default.conf, so that the command always fails. Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Serhii Tsymbaliuk <stsymbal@redhat.com>
-
François Cami authored
It is a standard SELinux user role included in RHEL (like user_r, staff_r, guest_r) and used quite often. Fixes: https://pagure.io/freeipa/issue/7658 Signed-off-by:
François Cami <fcami@redhat.com> Reviewed-By:
Rob Crittenden <rcritten@redhat.com>
-
Fraser Tweedale authored
Installation or IPA CA renewal with externally-signed CA accepts an IPA CA certificate with empty Subject Key Identifier. This is technically legal in X.509, but is an operational issue. Furthermore, due to an extant bug in Dogtag (https://pagure.io/dogtagpki/issue/3079) it will cause Dogtag startup failure. Reject CA certificates with empty Subject Key Identifier. Fixes: https://pagure.io/freeipa/issue/7762 Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Rob Crittenden authored
Some basic tests like re-loading a certificate, loading a PKCS#7 cert and bad cert handling. Signed-off-by:
Rob Crittenden <rcritten@redhat.com> https://pagure.io/freeipa/issue/7579 Reviewed-By:
Florence Blanc-Renaud <frenaud@redhat.com>
-
Rob Crittenden authored
Only a single cert in DER or PEM format would be loaded from the provided file. Extend this to include PKCS#7 format and load all certificates found in the file. Signed-off-by:
Rob Crittenden <rcritten@redhat.com> https://pagure.io/freeipa/issue/7579 Reviewed-By:
Florence Blanc-Renaud <frenaud@redhat.com>
-
Florence Blanc-Renaud authored
The command "ipa user-add --radius-username" fails with ipa: ERROR: attribute "ipatokenRadiusUserName" not allowed because it does not add the objectclass ipatokenradiusproxyuser that is required by the attribute ipatokenradiususername. The issue happens with ipa user-add / stageuser-add / user-mod / stageuser-mod. The fix adds the objectclass when needed in the pre_common_callback method of baseuser_add and baseuser_mod (ensuring that user and stageuser commands are fixed). Fixes https://pagure.io/freeipa/issue/7569 Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Florence Blanc-Renaud authored
Add an xmlrpc test for ipa user-add/user-mod --radius-username The commands were previously failing because the objectclass ipatokenradiusproxyuser was not automatically added when the attribute ipatokenRadiusUserName was added to the entry. The test ensures that the command is now succeeding. Related to https://pagure.io/freeipa/issue/7569 Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Florence Blanc-Renaud authored
A non-admin user which has the "User Administrator" role cannot add a user with ipa user-add --radius=<proxy> because the call needs to read the radius proxy server entries. The fix adds a System permission for reading radius proxy server entries (all attributes except the ipatokenradiussecret). This permission is added to the already existing privileges "User Administrators" and "Stage User Administrators", so that the role "User Administrator" can call ipa [stage]user-add|mod --radius=<proxy> Fixes: https://pagure.io/freeipa/issue/7570 Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Florence Blanc-Renaud authored
Add a new integration test for the following scenario: - create a user with the "User Administrator" role - as this user, create a user with a --radius=<radius_proxy_server> This scenario was previously failing because ipa user-add --radius requires read access to the radius server entries, and there was no permission granting this access. Related to https://pagure.io/freeipa/issue/7570 Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Christian Heimes authored
pycodestyle both complains about "W504 line break after binary operator" and "W503 line break before binary operator" when all warnings are enabled. FreeIPA already ignores W504 in travis config. Let's ignore it in fastcheck, too. Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
Teach pylint that env instance has lite_* members See: https://pagure.io/freeipa/issue/7758 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
Pylint warns about inconsistent return statements when some paths of a function return None implicitly. Make all implicit returns either explicit or raise a proper exception. See: https://pagure.io/freeipa/issue/7758 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
Ignore new consider-using-enumerate warning for now and clean up code later. See: https://pagure.io/freeipa/issue/7758 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
Replace multiple comparisons with 'in' operation. See: https://pagure.io/freeipa/issue/7758 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
Pylint warns about comparing callable. Replace equality with identity test. See: https://pagure.io/freeipa/issue/7758 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
See: https://pagure.io/freeipa/issue/7758 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
pytest.config is created dynamically. See: https://pagure.io/freeipa/issue/7758 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
* dict-keys-not-iterating * dict-values-not-iterating * dict-items-not-iterating * dict-iter-method See: https://pagure.io/freeipa/issue/7758 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
See: https://pagure.io/freeipa/issue/7758 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
Test code performs comparison to itself in order to verify __eq__ and __ne__ implementations. See: https://pagure.io/freeipa/issue/7758 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Christian Heimes authored
pylint 2.1.1-2 contains a backport of pylint's fix for RHBZ#1648299: is_subclass_of fails with AttributeError: 'NoneType' object has no attribute 'name' pylint 2.1.1-2 is in @freeipa/freeipa-master COPR. See: https://github.com/PyCQA/pylint/pull/2429 See: https://bugzilla.redhat.com/show_bug.cgi?id=1648299 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Fraser Tweedale authored
In load_external_cert(), if verification fails for a certificate in the trust chain, the error message contains the last subject name from a previous iteration of the trust chain, instead of the subject name of the current certificate. To report the correct subject, look it up using the current nickname. Part of: https://pagure.io/freeipa/issue/7761 Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Fraser Tweedale authored
When verifying a CA certificate, validate its signature. This causes FreeIPA to reject certificate chains with bad signatures, signatures using unacceptable algorithms, or certificates with unacceptable key sizes. The '-e' option to 'certutil -V' was the missing ingredient. As an example of a problem prevented by this change, a certificate signed by a 1024-bit intermediate CA would previously have been imported by ipa-cacert-manage, but would cause Dogtag startup failure due to failing self-test. With this change, ipa-cacert-manage will reject the certificate:
# ipa-cacert-manage renew --external-cert-file /tmp/ipa.p7
Importing the renewed CA certificate, please wait
CA certificate CN=Certificate Authority,O=IPA.LOCAL 201809261455 in /tmp/ipa.p7 is not valid: certutil: certificate is invalid: The certificate was signed using a signature algorithm that is disabled because it is not secure.
Fixes: https://pagure.io/freeipa/issue/7761 Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Alexander Bokovoy authored
Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Christian Heimes authored
PR https://github.com/freeipa/freeipa/pull/2554 added the '-e' option for CA cert validation. Let's also verify signature, key size, and signing algorithm of server certs. With the '-e' option, the installer and other tools will catch weak certs early. Fixes: pagure.io/freeipa/issue/7761 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Fraser Tweedale <ftweedal@redhat.com>
-
Christian Heimes authored
conftest uses the Function attribute of a pytest.Function object. Latest pytest has deprecated the attribute: _pytest.warning_types.RemovedInPytest4Warning: usage of Function.Function is deprecated, please use pytest.Function instead Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Serhii Tsymbaliuk <stsymbal@redhat.com>
-
sudharsanomprakash authored
httpd-2.4+ has deprecated the Order, Allow and Deny directives. Use the Require directive instead. Signed-off-by:
Sudharsan Omprakash <sudharsan.omprakash@yahoo.com> Reviewed-By:
Rob Crittenden <rcritten@redhat.com>
-
Florence Blanc-Renaud authored
freeipa.spec.in is missing BuildRequires for python3-lib389. The consequence is that make fasttest is failing. Fixes https://pagure.io/freeipa/issue/7767 Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Alexander Bokovoy authored
Since the LDAP operations used by the ipa-kdb driver are synchronous, the timeout specified here blocks the entire KDC. It is worth reducing the timeout, and since the AS REQ processing timeout in the KDC is 1 minute, reducing the timeout for LDAP operations to 30 seconds allows the KDC to respond promptly in the worst-case scenario as well. Fixes: https://pagure.io/freeipa/issue/7217 Reviewed-By:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Robbie Harwood <rharwood@redhat.com>
-
Florence Blanc-Renaud authored
Currently it is possible to run ipa-replica-install in one step and provide --password and --admin-password simultaneously. This is confusing, as --password is intended for the one-time password used when the ipa-replica-install command is delegated to a user who doesn't know the admin password. The fix makes the --password and --admin-password options mutually exclusive. Fixes https://pagure.io/freeipa/issue/6353 Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Florence Blanc-Renaud authored
Add a test checking that --password and --admin-password options are mutually exclusive. Related to https://pagure.io/freeipa/issue/6353 Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Florence Blanc-Renaud authored
test_topology.py is failing because of a wrong scenario. Currently, test_replica_uninstall_deletes_ruvs does:
- install master + replica with CA
- ipa-replica-manage list-ruv to check that the replication is properly set up
- ipa-replica-manage del $replica
- (on replica) ipa-server-install --uninstall -U
- ipa-replica-manage list-ruv to check that the replica does not appear any more in the RUV list
When ipa-replica-manage del is run, the topology plugin creates 2 cleanallruv tasks (one for the domain, one for the CA) and they are run asynchronously. This means that the RUVs may still be present when the test moves forward and calls list-ruv. The test should wait for the cleanallruv tasks to finish before checking that list-ruv does not display the replica anymore. Fixes https://pagure.io/freeipa/issue/7545
-
Sergey Orlov authored
The test ensures that after ipa-restore on the master, the replica can be re-synchronized and a new replica can be created. https://pagure.io/freeipa/issue/7455 Reviewed-By:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Tibor Dudlak <tdudlak@redhat.com>
-
François Cami authored
Add a shared-vault-retrieve test when:
* master has KRA installed
* replica has no KRA
This currently fails because of issue#7691 Related-to: https://pagure.io/freeipa/issue/7691 Signed-off-by:
François Cami <fcami@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
François Cami authored
Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes. Fixes: https://pagure.io/freeipa/issue/7691 Signed-off-by:
François Cami <fcami@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Christian Heimes authored
Every now and then, a PR-CI job fails because rpcbind blocks the kadmin port 749/UDP and kadmin.service fails to start. When NFS secure port is configured, rpcbind reserves a random low port. A new workaround detects the blocked port and restarts rpcbind.service. See: https://pagure.io/freeipa/issue/7769 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Thomas Woerner <twoerner@redhat.com>
-
Varun Mylaraiah authored
Added test for ipa-client-install with a non-standard ldap.conf file Ticket: https://pagure.io/freeipa/issue/7418 Signed-off-by:
Varun Mylaraiah <mvarun@redhat.com> Reviewed-By:
Mohammad Rizwan Yusuf <myusuf@redhat.com> Reviewed-By:
Florence Blanc-Renaud <flo@redhat.com>
-
Christian Heimes authored
pylint 2.2.0 has a new checker for unnecessary pass statements. There is no need to have a pass statement in functions or classes with a doc string. Fixes: https://pagure.io/freeipa/issue/7772 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Thomas Woerner <twoerner@redhat.com> Reviewed-By:
Rob Crittenden <rcritten@redhat.com> Reviewed-By:
Tibor Dudlak <tdudlak@redhat.com>
-
Christian Heimes authored
pylint 2.2 has a checker for duplicate string formatting arguments. Instead of passing the same argument multiple times, reference the argument by position. See: https://pagure.io/freeipa/issue/7772 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Thomas Woerner <twoerner@redhat.com> Reviewed-By:
Rob Crittenden <rcritten@redhat.com> Reviewed-By:
Tibor Dudlak <tdudlak@redhat.com>
-
Christian Heimes authored
Build all scripts in install/tools/ to check them with pylint, so that ``make pylint`` always checks all scripts. The script files are generated by make. Please note that fastlint does not check script files. See: https://pagure.io/freeipa/issue/7772 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Thomas Woerner <twoerner@redhat.com> Reviewed-By:
Rob Crittenden <rcritten@redhat.com> Reviewed-By:
Tibor Dudlak <tdudlak@redhat.com>
-
Christian Heimes authored
The CLI script files have additional pylint issues that were not noticed before. The violations include using dict.keys() without directly iterating over the result, inconsistent return statements and set([]) instead of set literals.
* dict-keys-not-iterating
* inconsistent-return-statements
* consider-using-set-comprehension
See: https://pagure.io/freeipa/issue/7772 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Thomas Woerner <twoerner@redhat.com> Reviewed-By:
Rob Crittenden <rcritten@redhat.com> Reviewed-By:
Tibor Dudlak <tdudlak@redhat.com>
-
Florence Blanc-Renaud authored
ipa user-find --certificate and ipa host-find --certificate fail to return matching entries, because the method transforming the attribute into an LDAP filter does not properly handle IPACertificate objects. Directory Server logs show a filter with (usercertificate=<ipalib.x509.IPACertificate object at 0x7fc0a5575b90>) When the attribute contains a cryptography.x509.Certificate, the method needs to extract the public bytes instead of calling str(value). Fixes https://pagure.io/freeipa/issue/7770 Reviewed-By:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
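The commit above describes a filter being built from str(value) of a certificate object instead of from its DER bytes. As an added illustration (not FreeIPA's own code), the block below shows that failure mode beside a correct construction: the DER bytes are hex-escaped per RFC 4515 before they go into the filter, and text values have the filter metacharacters escaped so user input cannot change the query. The StubCertificate class and the sample DER bytes are constructed for this example; the only assumption about the real certificate object is a public_bytes() method returning DER.

```python
"""Turning a binary attribute value into an LDAP search filter assertion.
Added example, not FreeIPA's code. Shows the bug from the commit (str() of a
certificate object lands in the filter) beside the RFC 4515 escaped form."""


class StubCertificate:
    """Constructed stand-in for a certificate object (assumption: it exposes
    its DER encoding through public_bytes(), as cryptography's does)."""

    def __init__(self, der):
        self._der = der

    def public_bytes(self):
        return self._der


# RFC 4515 section 3: these characters must be escaped inside a filter value
_SPECIALS = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a filter value. Bytes are fully hex-escaped (DER is not valid
    UTF-8 and may contain any of the specials); text escapes only the RFC 4515
    specials so a caller cannot inject '*' or ')' into the query."""
    if isinstance(value, bytes):
        return "".join("\\%02x" % b for b in value)
    return "".join(_SPECIALS.get(c, c) for c in value)


def make_filter_buggy(attr, value):
    """The pre-fix behaviour: str() on a non-string object yields its repr."""
    return "(%s=%s)" % (attr, str(value))


def make_filter(attr, value):
    """Fixed behaviour: take the DER bytes from certificate objects first."""
    if hasattr(value, "public_bytes"):
        value = value.public_bytes()
    return "(%s=%s)" % (attr, escape_filter_value(value))


if __name__ == "__main__":
    cert = StubCertificate(b"\x30\x82\x01\x2a\x30\x81\xd1")   # constructed DER prefix
    print(make_filter_buggy("usercertificate", cert))   # (usercertificate=<... object at 0x...>)
    print(make_filter("usercertificate", cert))         # (usercertificate=\30\82\01\2a\30\81\d1)
    print(make_filter("uid", "admin*)(objectclass=*"))  # (uid=admin\2a\29\28objectclass=\2a)
```

The buggy form never matches anything because the server compares the literal repr text against the stored certificate; the escaped form matches the stored userCertificate;binary value byte for byte.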
-
Florence Blanc-Renaud authored
There were no xmlrpc tests for ipa user-find --certificate or ipa host-find --certificate. The commit adds tests for these commands. Related to https://pagure.io/freeipa/issue/7770 Reviewed-By:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Christian Heimes authored
kadmin.service is still failing to start sometimes. List and check both source and destination ports of listening and non-listening TCP and UDP sockets. See: https://pagure.io/freeipa/issue/7769 Signed-off-by:
Christian Heimes <cheimes@redhat.com> Reviewed-By:
Thomas Woerner <twoerner@redhat.com>
-
Adam Williamson authored
Since authselect 1.0.2, invoking an authselect command sequence like this: ['authselect', 'sssd', '', '--force'] does not work: authselect barfs on the empty string arg and errors out. We must only pass a features arg if we actually have some text to go in it. This broke uninstallation. In all cases, features are now passed as separate arguments instead of one argument separated by space. Fixes: https://pagure.io/freeipa/issue/7776 Signed-off-by:
Adam Williamson <awilliam@redhat.com> Reviewed-By:
Alexander Bokovoy <abokovoy@redhat.com>
-
Francisco Trivino authored
Memory requirements for master and replica have been increased due to OOM issues. This PR updates prci_definitions accordingly. This PR also rolls back the ipaserver mem reqs to the previous value, since the WebUI tests were split into different blocks. Fixes https://pagure.io/freeipa/issue/7777 Reviewed-By:
Florence Blanc-Renaud <flo@redhat.com> Reviewed-By:
Francisco Trivino <ftrivino@redhat.com>
-
Florence Blanc-Renaud authored
The issue is linked to ticket #3477 "LDAP upload CA cert sometimes double-encodes the value". In old FreeIPA releases (< 3.2), the upgrade plugin encoded the value of the certificate in cn=cacert,cn=ipa,cn=etc,$BASEDN twice. The fix for 3477 is only partial, as it prevents double-encoding when a new cert is uploaded but does not fix wrong values already present in LDAP. With this commit, the code first tries to read a DER cert. If it fails, it logs a debug message and re-writes the value of caCertificate;binary to repair the entry. Fixes https://pagure.io/freeipa/issue/7775 Signed-off-by:
Florence Blanc-Renaud <flo@redhat.com> Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Florence Blanc-Renaud authored
Create a test for upgrade with the following scenario:
- install master
- write a double-encoded cert in the entry cn=cacert,cn=ipa,cn=etc,$basedn to simulate bug 7775
- call ipa-server-upgrade
- check that the upgrade fixed the value
The upgrade should finish successfully and repair the double-encoded cert. Related to https://pagure.io/freeipa/issue/7775 Reviewed-By:
Christian Heimes <cheimes@redhat.com>
-
Francisco Trivino authored
Memory requirements for master and replica have been increased due to OOM issues. This PR updates prci_definitions accordingly. This PR also rolls back the ipaserver mem reqs to the previous value, since the WebUI tests were split into different blocks. Fixes https://pagure.io/freeipa/issue/7777 Reviewed-By:
Diogo Nunes <dnunes@redhat.com>
-
Christian Heimes authored
The temp_commit.yaml template now uses F29 as well. It also contains all topology configurations from the nightly jobs. Fixes: https://pagure.io/freeipa/issue/7779 Signed-off-by:
Christian Heimes <cheimes@redhat.com>
-
Alexander Bokovoy authored