URL: https://github.com/freeipa/freeipa/pull/2326
Author: flo-renaud
Title: #2326: ipa-replica-install: fix pkinit setup
Action: opened

PR body:
"""
### ipa-replica-install: fix pkinit setup

commit 7284097 (Delay enabling services until end of installer) introduced
a regression in replica installation. When the replica requests a cert for
PKINIT, a check is done to ensure that the hostname corresponds to a machine
with a KDC service enabled (ipaconfigstring attribute of
cn=KDC,cn=<hostname>,cn=masters,cn=ipa,cn=etc,$BASEDN must contain
'enabledService').
With the commit mentioned above, the service is set to enabled only at the
end of the installation.

The fix makes a less strict check, ensuring that 'enabledService' or
'configuredService' is in ipaconfigstring.

Fixes: https://pagure.io/freeipa/issue/7566

### Tests: test successful PKINIT install on replica

Add a test checking that ipa-replica-install successfully configures
PKINIT on the replica
"""

To pull the PR as Git branch:
    git remote add ghfreeipa https://github.com/freeipa/freeipa
    git fetch ghfreeipa pull/2326/head:pr2326
    git checkout pr2326

From 914ae55a120105e3b3d6bf2458157bbd4171084a Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 4 Sep 2018 14:15:50 +0200 Subject: [PATCH 1/3] ipa-replica-install: fix pkinit setup commit 7284097 (Delay enabling services until end of installer) introduced a regression in replica installation. When the replica requests a cert for PKINIT, a check is done to ensure that the hostname corresponds to a machine with a KDC service enabled (ipaconfigstring attribute of cn=KDC,cn=<hostname>,cn=masters,cn=ipa,cn=etc,$BASEDN must contain 'enabledService'). With the commit mentioned above, the service is set to enabled only at the end of the installation. The fix makes a less strict check, ensuring that 'enabledService' or 'configuredService' is in ipaconfigstring. Fixes: https://pagure.io/freeipa/issue/7566 --- ipaserver/plugins/cert.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index ffe51597e4..9e3d228f8c 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -300,9 +300,11 @@ def ca_kdc_check(api_instance, hostname): ipaconfigstring = {val.lower() for val in kdc_entry['ipaConfigString']} - if 'enabledservice' not in ipaconfigstring: + if 'enabledservice' not in ipaconfigstring \ + and 'configuredservice' not in ipaconfigstring: raise errors.NotFound( - reason=_("enabledService not in ipaConfigString kdc entry")) + reason=_("enabledService/configuredService not in " + "ipaConfigString kdc entry")) except errors.NotFound: raise errors.ACIError( From 71c3621ca21b10f860ceb68a019018d5382955f8 Mon Sep 17 00:00:00 2001 
From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 4 Sep 2018 15:50:28 +0200 Subject: [PATCH 2/3] Tests: test successful PKINIT install on replica Add a test checking that ipa-replica-install successfully configures PKINIT on the replica Related to https://pagure.io/freeipa/issue/7566 --- ipatests/test_integration/test_replica_promotion.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py index fa94927dfe..a13d0ba71a 100644 --- a/ipatests/test_integration/test_replica_promotion.py +++ b/ipatests/test_integration/test_replica_promotion.py @@ -202,12 +202,15 @@ def test_one_command_installation(self): http://www.freeipa.org/page/V4/Replica_Promotion/Test_plan #Test_case:_Replica_can_be_installed_using_one_command """ - self.replicas[0].run_command(['ipa-replica-install', '-w', + res = self.replicas[0].run_command(['ipa-replica-install', '-w', self.master.config.admin_password, '-n', self.master.domain.name, '-r', self.master.domain.realm, '--server', self.master.hostname, '-U']) + # Ensure that pkinit is properly configured, test for 7566 + err_msg = "Full PKINIT configuration did not succeed" + assert err_msg not in res.stdout_text @pytest.mark.skip(reason="Domain level 0 is not supported anymore") From fc86da1db804b2b70c7a88a4cd9ef18bc0fa4db1 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 4 Sep 2018 16:06:40 +0200 Subject: [PATCH 3/3] temp commit to launch test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1 Please remove before pushing --- ipatests/prci_definitions/gating.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml index 362f84e308..e86e314c83 100644 --- a/ipatests/prci_definitions/gating.yaml +++ b/ipatests/prci_definitions/gating.yaml 
@@ -242,3 +242,15 @@ jobs: template: *ci-master-f28 timeout: 3600 topology: *master_1repl + + fedora-28/test_replica_promotion_TestReplicaPromotionLevel1: + requires: [fedora-28/build] + priority: 50 + job: + class: RunPytest + args: + build_url: '{fedora-28/build_url}' + test_suite: test_integration/test_replica_promotion.py::TestReplicaPromotionLevel1 + template: *ci-master-f28 + timeout: 7200 + topology: *master_1repl
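
Review bot: In ca_kdc_check (ipaserver/plugins/cert.py, PATCH 1/3), the relaxed condition lets a host whose KDC entry carries only 'configuredService' pass a check whose failure path raises ACIError, and nothing in the code says why that state is acceptable. Add a comment above the test tying it to the install ordering from commit 7284097 (the service is marked enabled only at the end of the installer), so a later reader neither tightens nor widens it by accident. The backslash continuation can also go: ipaconfigstring is already a set, so "if ipaconfigstring.isdisjoint({'enabledservice', 'configuredservice'}):" expresses the same test on one line.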
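
Review bot: In test_one_command_installation (ipatests/test_integration/test_replica_promotion.py, PATCH 2/3), the new assertion only proves that one exact string is absent from res.stdout_text, so it passes silently if the installer message is reworded or is written to stderr instead. Check stderr as well, or better, add a positive check of the PKINIT state on the replica after the install, so the test fails when PKINIT is not configured rather than only when a log line happens to match. The comment "test for 7566" would be easier to follow with the full issue URL already used in the commit message.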
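
Review bot: The fedora-28/test_replica_promotion_TestReplicaPromotionLevel1 job added to ipatests/prci_definitions/gating.yaml (PATCH 3/3) is marked by its own commit message as temporary ("Please remove before pushing"), so this hunk must be dropped before the series is merged. If the job is meant to stay in gating, submit it as a separate change and justify "timeout: 7200", which is double the 3600 of the job just above it.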