[Freeipa-devel] [freeipa PR#4903][closed] sshd template must be part of client package

2020-07-09 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4903
Author: flo-renaud
 Title: #4903: sshd template must be part of client package
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4903/head:pr4903
git checkout pr4903
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#4905][opened] [Backport][ipa-4-8] sshd template must be part of client package

2020-07-09 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4905
Author: abbra
 Title: #4905: [Backport][ipa-4-8] sshd template must be part of client package
Action: opened

PR body:
"""
This PR was opened automatically because PR #4903 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4905/head:pr4905
git checkout pr4905
From 1995f2b62b447043f342038e39c72651759edd8d Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 9 Jul 2020 10:35:00 +0200
Subject: [PATCH] sshd template must be part of client package

The sshd_ipa.conf.template must be shipped with the client pkgs
in /usr/share/ipa/client but is currently delivered in /usr/share/ipa.
Fix the file location.

Fixes: https://pagure.io/freeipa/issue/8400
---
 client/share/Makefile.am | 1 +
 {install => client}/share/sshd_ipa.conf.template | 0
 install/share/Makefile.am| 1 -
 ipaplatform/base/paths.py| 2 +-
 4 files changed, 2 insertions(+), 2 deletions(-)
 rename {install => client}/share/sshd_ipa.conf.template (100%)

diff --git a/client/share/Makefile.am b/client/share/Makefile.am
index 472242e621..961a5c8988 100644
--- a/client/share/Makefile.am
+++ b/client/share/Makefile.am
@@ -3,6 +3,7 @@ NULL =
 appdir = $(IPA_DATA_DIR)/client
 dist_app_DATA =\
 	freeipa.template		\
+	sshd_ipa.conf.template	\
 	$(NULL)
 
 epnconfdir = $(IPA_SYSCONF_DIR)
diff --git a/install/share/sshd_ipa.conf.template b/client/share/sshd_ipa.conf.template
similarity index 100%
rename from install/share/sshd_ipa.conf.template
rename to client/share/sshd_ipa.conf.template
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 042403f682..e95796dfbb 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -101,7 +101,6 @@ dist_app_DATA =\
 	ipaca_default.ini		\
 	ipaca_customize.ini		\
 	ipaca_softhsm2.ini		\
-	sshd_ipa.conf.template	\
 	$(NULL)
 
 kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index ba4718f301..f1ccedec4f 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -127,7 +127,7 @@ class BasePathNamespace:
 SSH_CONFIG = "/etc/ssh/ssh_config"
 SSHD_CONFIG = "/etc/ssh/sshd_config"
 SSHD_IPA_CONFIG = "/etc/ssh/sshd_config.d/04-ipa.conf"
-SSHD_IPA_CONFIG_TEMPLATE = "/usr/share/ipa/sshd_ipa.conf.template"
+SSHD_IPA_CONFIG_TEMPLATE = "/usr/share/ipa/client/sshd_ipa.conf.template"
 SSSD_CONF = "/etc/sssd/sssd.conf"
 SSSD_CONF_BKP = "/etc/sssd/sssd.conf.bkp"
 SSSD_CONF_DELETED = "/etc/sssd/sssd.conf.deleted"
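Review bot: the new template location is hard-coded as /usr/share/ipa/client/sshd_ipa.conf.template in this hunk while the client/share/Makefile.am hunk installs it under $(IPA_DATA_DIR)/client; that follows the existing convention of BasePathNamespace (SSH_CONFIG and SSHD_CONFIG are literal paths as well), but the diffstat touches only the two Makefile.am files, the rename and paths.py, so confirm that the client package's file list picks up the new path and the server package no longer claims the old one, otherwise the template is still shipped by the wrong package and the client-side sshd configuration step keeps failing to find it.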


[Freeipa-devel] [freeipa PR#4901][closed] [Backport][ipa-4-8] certupdate: only add LWCA tracking requests on CA servers

2020-07-09 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4901
Author: frasertweedale
 Title: #4901: [Backport][ipa-4-8] certupdate: only add LWCA tracking requests 
on CA servers
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4901/head:pr4901
git checkout pr4901


[Freeipa-devel] [freeipa PR#4902][closed] [Backport][ipa-4-6] certupdate: only add LWCA tracking requests on CA servers

2020-07-09 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4902
Author: frasertweedale
 Title: #4902: [Backport][ipa-4-6] certupdate: only add LWCA tracking requests 
on CA servers
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4902/head:pr4902
git checkout pr4902


[Freeipa-devel] [freeipa PR#4899][closed] ipatests: bump pr-ci templates

2020-07-09 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4899
Author: netoarmando
 Title: #4899: ipatests: bump pr-ci templates
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4899/head:pr4899
git checkout pr4899


[Freeipa-devel] [freeipa PR#4818][closed] Populate nshardwareplatform and nsosversion during join operation

2020-07-09 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4818
Author: Carbenium
 Title: #4818: Populate nshardwareplatform and nsosversion during join operation
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4818/head:pr4818
git checkout pr4818


[Freeipa-devel] [freeipa PR#4906][opened] [Backport][ipa-4-8] Populate nshardwareplatform and nsosversion during join operation

2020-07-09 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4906
Author: abbra
 Title: #4906: [Backport][ipa-4-8] Populate nshardwareplatform and nsosversion 
during join operation
Action: opened

PR body:
"""
This PR was opened automatically because PR #4818 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4906/head:pr4906
git checkout pr4906
From 2278b0e790ca6bfd77029afe5a5943fd7c8c8c7e Mon Sep 17 00:00:00 2001
From: Peter Keresztes Schmidt 
Date: Mon, 15 Jun 2020 23:51:44 +0200
Subject: [PATCH] Populate nshardwareplatform and nsosversion during join
 operation

Fixes: https://pagure.io/freeipa/issue/8370
---
 ACI.txt   |  2 +-
 ipaserver/plugins/host.py |  4 +++-
 ipaserver/plugins/join.py | 17 ++---
 3 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 174d338468..cd660a4fc1 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -141,7 +141,7 @@ aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krbprincipalname")(targetfilter = "(&(!(krbprincipalname=*))(objectclass=ipahost))")(version 3.0;acl "permission:System: Add krbPrincipalName to a Host";allow (write) groupdn = "ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "enrolledby || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Enroll a Host";allow (write) groupdn = "ldap:///cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "enrolledby || nshardwareplatform || nsosversion || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Enroll a Host";allow (write) groupdn = "ldap:///cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Certificates";allow (write) groupdn = "ldap:///cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
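Review bot: widening the 'System: Enroll a Host' ACI to write nshardwareplatform and nsosversion means any principal holding that permission can set arbitrary strings in those two attributes on every entry matching (objectclass=ipahost), not only on the host it is joining; that mirrors how enrolledby is already handled, but consumers of these attributes (inventory, host reports) should treat them as self-reported by the enrolling host rather than as verified data. The attribute list here matches the ipapermdefaultattr set in the host.py hunk, which is required for the generated ACI and ACI.txt to stay in sync.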
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 2223253ca7..c31eb59613 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -361,7 +361,9 @@ class host(LDAPObject):
 },
 'System: Enroll a Host': {
 'ipapermright': {'write'},
-'ipapermdefaultattr': {'objectclass', 'enrolledby'},
+'ipapermdefaultattr': {
+'objectclass', 'enrolledby', 'nshardwareplatform', 'nsosversion'
+},
 'replaces': [
 '(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)',
 '(targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX";)(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)',
diff --git a/ipaserver/plugins/join.py b/ipaserver/plugins/join.py
index a4db7404f4..eb0d309ac4 100644
--- a/ipaserver/plugins/join.py
+++ b/ipaserver/plugins/join.py
@@ -97,10 +97,13 @@ def execute(self, hostname, **kw):
 assert 'cn' not in kw
 ldap = self.api.Backend.ldap2
 
+# realm parameter is not supported by host_{add,mod}
+kw.pop('realm', None)
+
 try:
 # First see if the host exists
-kw = {'fqdn': hostname, 'all': True}
-attrs_list = api.Command['host_show'](**kw)['result']
+show_kw = {'fqdn': hostname, 'all': True}
+attrs_list = api.Command['host_show'](**show_kw)['result']
 dn = attrs_list['dn']
 
 # No error raised so far means that host entry exists
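Review bot: renaming the host_show lookup dict to show_kw fixes a real defect in the old code, where `kw = {'fqdn': hostname, 'all': True}` overwrote the caller's options before they could be forwarded; with that fixed, however, everything left in kw after `kw.pop('realm', None)` is passed verbatim to host_mod further down, so any option added to the join command later that host_mod does not accept will raise at enrollment time. Consider forwarding an explicit allow-list (nshardwareplatform, nsosversion) instead of the whole dict, or at least extend the comment to state that every remaining key in kw must be a valid host_mod option.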
@@ -112,7 +115,8 @@ def execute(self, hostname, **kw):
 # one.
 if 'krbprincipalname' not in attrs_list:
 service = "host/%s@%s" % (hostname, api.env.realm)
-api.Command['host_mod'](hostname, krbprincipalname=service)
+api.Command['host_mod'](hostname, **kw,
+krbprincipalname=service)
 logger.info('No principal set, setting to %s', service)
 
 # It exists, can we write the password attributes?
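Review bot: in this hunk the forwarded kw reaches host_mod only inside the `if 'krbprincipalname' not in attrs_list` branch, so a host entry that already carries a principal (re-enrollment of an existing host) does not get nshardwareplatform and nsosversion updated here; unless a later hunk covers that case, re-joined hosts will report stale platform and OS data. Also, `host_mod(hostname, **kw, krbprincipalname=service)` raises TypeError if kw ever contains krbprincipalname, another reason to guarantee that kw is restricted to the two new attributes before it reaches this call.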
@@ -122,12 +126,11 @@ def execute(self, hostname, **kw):
 "to the 'krbLastPwdChange' attribute of entry '%s'.") % dn)
 
 # Reload the attrs_list and dn so that we return update values
-kw = {'fqdn': hostname, 'all': True}
-attrs_

[Freeipa-devel] [freeipa PR#4724][closed] ipa-join: implement calls to JSON-RPC endpoints

2020-07-09 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4724
Author: Carbenium
 Title: #4724: ipa-join: implement calls to JSON-RPC endpoints
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4724/head:pr4724
git checkout pr4724


[Freeipa-devel] [freeipa PR#4925][closed] WebUI: Fix error "unknown command 'idoverrideuser_add_member'"

2020-07-30 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4925
Author: serg-cymbaluk
 Title: #4925: WebUI: Fix error "unknown command 'idoverrideuser_add_member'"
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4925/head:pr4925
git checkout pr4925


[Freeipa-devel] [freeipa PR#4963][opened] [Backport][ipa-4-8] WebUI: Fix error "unknown command 'idoverrideuser_add_member'"

2020-07-30 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4963
Author: abbra
 Title: #4963: [Backport][ipa-4-8] WebUI: Fix error "unknown command 
'idoverrideuser_add_member'"
Action: opened

PR body:
"""
This PR was opened automatically because PR #4925 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4963/head:pr4963
git checkout pr4963
From e3168513da77990071bdf793f154a783822fc016 Mon Sep 17 00:00:00 2001
From: Serhii Tsymbaliuk 
Date: Thu, 16 Jul 2020 18:52:24 +0200
Subject: [PATCH 1/2] WebUI: Fix error "unknown command
 'idoverrideuser_add_member'"

The wrong IPA.associator class was used for the 'Groups' -> 'User ID overrides' association;
as a result, a wrong command was sent to the server.

Ticket: https://pagure.io/freeipa/issue/8416

Signed-off-by: Serhii Tsymbaliuk 
---
 install/ui/src/freeipa/group.js | 1 -
 1 file changed, 1 deletion(-)

diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js
index 2984bd4b20..61c19a82fe 100644
--- a/install/ui/src/freeipa/group.js
+++ b/install/ui/src/freeipa/group.js
@@ -209,7 +209,6 @@ return {
 {
 $type: 'association',
 name: 'member_idoverrideuser',
-associator: IPA.serial_associator,
 add_title: '@i18n:objects.group.add_idoverride_user',
 remove_title: '@i18n:objects.group.remove_idoverride_users',
 columns: [
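Review bot: dropping the explicit `associator: IPA.serial_associator` makes this association fall back to the facet's default associator, which according to the commit message sends the right command for member_idoverrideuser; a one-line comment stating why the serial associator must not be used here would keep the line from being reintroduced by someone copying the neighbouring association definitions, and the fix is worth verifying against the command name the server actually exposes, since the ticket reports 'idoverrideuser_add_member' as unknown.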

From 8d8db7d1a2ede0d42b2218aba837f64e4c266bc8 Mon Sep 17 00:00:00 2001
From: Serhii Tsymbaliuk 
Date: Wed, 29 Jul 2020 09:41:36 +0200
Subject: [PATCH 2/2] WebUI tests: Add test case to cover user ID override
 feature

The test case includes adding a user ID override to the Default Trust View
and adding the ID override to an IPA group.

Ticket: https://pagure.io/freeipa/issue/8416

Signed-off-by: Serhii Tsymbaliuk 
---
 ipatests/test_webui/test_trust.py | 41 +++
 1 file changed, 41 insertions(+)

diff --git a/ipatests/test_webui/test_trust.py b/ipatests/test_webui/test_trust.py
index c04c2fcd87..605f8a2a78 100644
--- a/ipatests/test_webui/test_trust.py
+++ b/ipatests/test_webui/test_trust.py
@@ -21,6 +21,8 @@
 Trust tests
 """
 
+import ipatests.test_webui.data_group as group
+import ipatests.test_webui.data_idviews as idview
 from ipatests.test_webui.ui_driver import UI_driver
 from ipatests.test_webui.ui_driver import screenshot
 from ipatests.test_webui.task_range import range_tasks
@@ -29,6 +31,8 @@
 ENTITY = 'trust'
 CONFIG_ENTITY = 'trustconfig'
 
+DEFAULT_TRUST_VIEW = 'Default Trust View'
+
 CONFIG_DATA = {
 'mod': [
 ['combobox', 'ipantfallbackprimarygroup', 'admins'],
@@ -164,3 +168,40 @@ def test_config_mod(self):
 
 self.mod_record(CONFIG_ENTITY, CONFIG_DATA)
 self.mod_record(CONFIG_ENTITY, CONFIG_DATA2)
+
+@screenshot
+def test_group_member_idoverrideuser(self):
+
+self.init_app()
+
+# Create new trust
+data = self.get_data()
+self.add_record(ENTITY, data)
+
+# Create an user ID override
+ad_domain = self.config.get('ad_domain')
+ad_admin = self.config.get('ad_admin')
+idoverrideuser_pkey = '{}@{}'.format(ad_admin, ad_domain).lower()
+
+self.navigate_to_record(DEFAULT_TRUST_VIEW, entity=idview.ENTITY)
+self.add_record(idview.ENTITY, {
+'pkey': idoverrideuser_pkey,
+'add': [
+('textbox', 'ipaanchoruuid_default', idoverrideuser_pkey),
+],
+}, facet='idoverrideuser')
+
+# Create new group and add the user ID override there
+self.navigate_to_entity(group.ENTITY)
+self.add_record(group.ENTITY, group.DATA)
+self.navigate_to_record(group.PKEY)
+self.add_associations([idoverrideuser_pkey],
+  facet='member_idoverrideuser', delete=True)
+
+# Clean up data
+self.navigate_to_entity(group.ENTITY)
+self.delete_record(group.PKEY)
+self.navigate_to_record(DEFAULT_TRUST_VIEW, entity=idview.ENTITY)
+self.delete_record(idoverrideuser_pkey)
+self.navigate_to_entity(ENTITY)
+self.delete_record(ad_domain)
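Review bot: the clean-up at the end of test_group_member_idoverrideuser is not protected by try/finally, so if add_record or add_associations fails the trust, the group and the ID override remain on the server and later runs of this or any other trust test collide with them; wrap the body in try/finally and move the three delete_record calls into the finally block. The idoverrideuser_pkey built with '{}@{}'.format(ad_admin, ad_domain).lower() also assumes the server normalises the anchor to lower case; if that assumption ever breaks, navigate_to_record(DEFAULT_TRUST_VIEW, ...) followed by delete_record(idoverrideuser_pkey) will not find the entry and the clean-up fails silently.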


[Freeipa-devel] [freeipa PR#4979][opened] [Backport][ipa-4-8] Issue 8407 - Support changelog integration into main database

2020-08-04 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4979
Author: abbra
 Title: #4979: [Backport][ipa-4-8] Issue 8407 - Support changelog integration 
into main database
Action: opened

PR body:
"""
This PR was opened automatically because PR #4969 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4979/head:pr4979
git checkout pr4979
From 3bc05a628134e26c0cc09f6e2ca4c4eca432eba1 Mon Sep 17 00:00:00 2001
From: Mark Reynolds 
Date: Fri, 31 Jul 2020 09:34:45 -0400
Subject: [PATCH] Issue 8407 - Support changelog integration into main database

Description: Add support for both the old and new replication changelogs.
 First try to get and update the new entry, if it's not found
 then we know we need to update the old global changelog entry.

Fixes: https://pagure.io/freeipa/issue/8407

Signed-off-by: Mark Reynolds 

Fix missing self, and missing arg

Fix copy/paste error
---
 install/updates/05-pre_upgrade_plugins.update |  1 +
 install/updates/20-replication.update |  4 --
 .../plugins/update_changelog_maxage.py| 51 +
 .../plugins/update_unhashed_password.py   | 43 ---
 ipaserver/install/replication.py  | 72 ++-
 5 files changed, 139 insertions(+), 32 deletions(-)
 create mode 100644 ipaserver/install/plugins/update_changelog_maxage.py

diff --git a/install/updates/05-pre_upgrade_plugins.update b/install/updates/05-pre_upgrade_plugins.update
index d0e3eb7ced..d7ed5f3aa1 100644
--- a/install/updates/05-pre_upgrade_plugins.update
+++ b/install/updates/05-pre_upgrade_plugins.update
@@ -1,5 +1,6 @@
 # first
 plugin: update_managed_post_first
+plugin: update_changelog_maxage
 
 # middle
 plugin: update_replica_attribute_lists
diff --git a/install/updates/20-replication.update b/install/updates/20-replication.update
index c9d96066d5..34beebc10a 100644
--- a/install/updates/20-replication.update
+++ b/install/updates/20-replication.update
@@ -62,7 +62,3 @@ default: nsslapd-plugin-depends-on-named: Multimaster Replication Plugin
 default: nsslapd-pluginVersion: 1.0
 default: nsslapd-pluginVendor: none
 default: nsslapd-pluginDescription: none
-
-# Set replication changelog limit (#5086)
-dn: cn=changelog5,cn=config
-addifnew: nsslapd-changelogmaxage: 7d
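Review bot: removing the static `addifnew: nsslapd-changelogmaxage: 7d` for cn=changelog5,cn=config moves the 7-day default entirely into the new update_changelog_maxage plugin; that is the right place now that the changelog may live per backend, but the '#5086' reference in the deleted comment is lost with it, so carry that ticket number into the plugin's docstring so the origin of the limit stays discoverable.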
diff --git a/ipaserver/install/plugins/update_changelog_maxage.py b/ipaserver/install/plugins/update_changelog_maxage.py
new file mode 100644
index 00..f3e15e0fcd
--- /dev/null
+++ b/ipaserver/install/plugins/update_changelog_maxage.py
@@ -0,0 +1,51 @@
+#
+# Copyright (C) 2020  FreeIPA Contributors see COPYING for license
+#
+import logging
+from ipalib import Registry, errors
+from ipalib import Updater
+from ipapython.dn import DN
+
+logger = logging.getLogger(__name__)
+
+register = Registry()
+
+
+@register()
+class update_changelog_maxage(Updater):
+"""
+Update the changelog maxage if it is not set
+"""
+
+def update_entry(self, cl_entry, conn):
+maxage = cl_entry.single_value.get('nsslapd-changelogmaxage')
+if maxage is None:
+cl_entry['nsslapd-changelogmaxage'] = '7d'
+conn.update_entry(cl_entry)
+
+def execute(self, **options):
+ldap = self.api.Backend.ldap2
+
+for backend in ('userroot', 'ipaca'):
+dn = DN(
+('cn', 'changelog'),
+('cn', backend),
+('cn', 'ldbm database'),
+('cn', 'plugins'),
+('cn', 'config'))
+try:
+cl_entry = ldap.get_entry(dn, ['nsslapd-changelogmaxage'])
+self.update_entry(cl_entry, ldap)
+except errors.NotFound:
+# Try the old global changelog, and return
+dn = DN(
+('cn', 'changelog5'),
+('cn', 'config'))
+try:
+cl_entry = ldap.get_entry(dn, ['nsslapd-changelogmaxage'])
+self.update_entry(cl_entry, ldap)
+except errors.NotFound:
+logger.warning('Error retrieving: %s', str(dn))
+return False, []
+
+return False, []
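Review bot: the fallback in execute() misbehaves on a server that has the per-backend changelog but no ipaca backend (a replica without a CA): the loop finds and updates cn=changelog,cn=userroot,..., then errors.NotFound for the ipaca changelog triggers the cn=changelog5,cn=config lookup, which also fails on a migrated server and logs the 'Error retrieving' warning at every upgrade. Fall back to changelog5 only when no per-backend changelog was found at all (track a found flag across the loop, or check that the backend entry exists before looking up its changelog), and log the missing changelog5 at debug level rather than as a warning, since on a migrated server it is expected to be absent. The early `return False, []` inside the except branch also means the ipaca backend is never visited once userroot fell back to changelog5; that is fine for a purely old-style server but should be stated in a comment. update_entry() only writes when maxage is None, so an explicitly configured value is preserved, which is correct.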
diff --git a/ipaserver/install/plugins/update_unhashed_password.py b/ipaserver/install/plugins/update_unhashed_password.py
index 8daf3f018f..1ece372c83 100644
--- a/ipaserver/install/plugins/update_unhashed_password.py
+++ b/ipaserver/install/plugins/update_unhashed_password.py
@@ -78,22 +78,47 @@ def execute(self, **options):
 # We are running in a winsync environment
 # Log a warning that changelog will contain sensitive data
 try:
-cldb_e = ldap.get_entry(
-DN(('cn', 'changelog5'),
+# Check if the new per-backend changelog exists...
+cldb = ldap.get_entry(
+DN(('cn', 'changelog')

[Freeipa-devel] [freeipa PR#4969][closed] Issue 8407 - Support changelog integration into main database

2020-08-04 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4969
Author: marcus2376
 Title: #4969: Issue 8407 - Support changelog integration into main database
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4969/head:pr4969
git checkout pr4969


[Freeipa-devel] [freeipa PR#4979][closed] [Backport][ipa-4-8] Issue 8407 - Support changelog integration into main database

2020-08-04 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4979
Author: abbra
 Title: #4979: [Backport][ipa-4-8] Issue 8407 - Support changelog integration 
into main database
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4979/head:pr4979
git checkout pr4979


[Freeipa-devel] [freeipa PR#4972][closed] extdom-extop: refactor tests to use unshare+chroot to override nss_fi…

2020-08-04 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4972
Author: abbra
 Title: #4972: extdom-extop: refactor tests to use unshare+chroot to override 
nss_fi…
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4972/head:pr4972
git checkout pr4972


[Freeipa-devel] [freeipa PR#4985][opened] [Backport][ipa-4-8] extdom-extop: refactor tests to use unshare+chroot to override nss_fi…

2020-08-04 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4985
Author: abbra
 Title: #4985: [Backport][ipa-4-8] extdom-extop: refactor tests to use 
unshare+chroot to override nss_fi…
Action: opened

PR body:
"""
This PR was opened automatically because PR #4972 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4985/head:pr4985
git checkout pr4985
From d5fffa48c69b87ed39dceb93b880861862f755bc Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Sat, 1 Aug 2020 11:49:30 +0300
Subject: [PATCH] extdom-extop: refactor tests to use unshare+chroot to
 override nss_files configuration

Unit tests for the ipa-extdom-extop plugin use the nss_files.so.2 module to test the
functionality instead of relying on the SSSD API or the nss_sss.so.2 module. The latter
two cannot be used in the build environment.

nss_files.so.2 always tries to open /etc/passwd and /etc/group. In the past, we
overloaded 'fopen()' to change the path of the opened file, but this stopped working
after glibc consolidated file opening in nss_files with the code starting at
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=299210c1fa67e2dfb564475986fce11cd33db9ad.
This method is not usable anymore, and builds against glibc 2.31.9000+ fail in
cmocka unit test execution in Rawhide.

Apply an alternative approach that uses a new user namespace to unshare the
test from its parent and chroot to the test data directory, where the expected /etc/passwd and
/etc/group are provided. This method works only on Linux; thus the
unit test is only run on Linux.

In case unshare() or chroot() fail, we have to skip the tests that use
nss_files.so.2.

Fixes: https://pagure.io/freeipa/issue/8437
Signed-off-by: Alexander Bokovoy 
---
 configure.ac  |  2 +
 .../ipa-extdom-extop/Makefile.am  |  2 +
 .../ipa_extdom_cmocka_tests.c | 60 ---
 .../test_data/{ => etc}/group |  0
 .../test_data/{ => etc}/passwd|  0
 server.m4 |  9 +++
 6 files changed, 38 insertions(+), 35 deletions(-)
 rename daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/{ => etc}/group (100%)
 rename daemons/ipa-slapi-plugins/ipa-extdom-extop/test_data/{ => etc}/passwd (100%)

diff --git a/configure.ac b/configure.ac
index 586b2532af..d066405354 100644
--- a/configure.ac
+++ b/configure.ac
@@ -546,6 +546,8 @@ AS_CASE([$JSLINT],
 AC_SUBST([JSLINT])
 AM_CONDITIONAL([WITH_JSLINT], [test "x${JSLINT}" != "xno"])
 
+AM_CONDITIONAL([HAVE_UNSHARE],
+[test "x${ac_cv_func_unshare}" = "xyes" -a "x${ac_cv_func_chroot}" = "xyes"])
 
 # Flags
 
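Review bot: AM_CONDITIONAL([HAVE_UNSHARE]) reads ac_cv_func_unshare and ac_cv_func_chroot, which are only set if AC_CHECK_FUNCS([unshare chroot]) (or an equivalent check) has run earlier in the generated configure script; the diffstat shows a 9-line addition to server.m4, so confirm that is where the check lives and that it is evaluated before this conditional, otherwise both variables are empty, the conditional is always false, and the cmocka tests are silently skipped on every platform. Style: `-a` inside test is marked obsolescent by POSIX; `test "x${ac_cv_func_unshare}" = "xyes" && test "x${ac_cv_func_chroot}" = "xyes"` is the portable form.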
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
index cbdd570eab..1dd1cca5fa 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
@@ -50,9 +50,11 @@ TESTS =
 check_PROGRAMS =
 
 if HAVE_CMOCKA
+if HAVE_UNSHARE
 TESTS += extdom_cmocka_tests
 check_PROGRAMS += extdom_cmocka_tests
 endif
+endif
 
 extdom_cmocka_tests_SOURCES = 		\
 	ipa_extdom_cmocka_tests.c	\
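Review bot: nesting `if HAVE_UNSHARE` inside `if HAVE_CMOCKA` drops the cmocka tests from the build entirely when unshare()/chroot() are not detected, whereas the commit message describes a runtime skip when those calls fail; both are reasonable, but a build without HAVE_UNSHARE gives no indication that the extdom tests did not run, so consider an AC_MSG_NOTICE at configure time when the conditional is false.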
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
index 1fa4c6af82..04fb0b63ca 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
@@ -21,6 +21,7 @@
 */
 #define _GNU_SOURCE
 
+#include 
 #include 
 #include 
 #include 
@@ -36,10 +37,13 @@
 #include 
 #include 
 
+static bool skip_tests = false;
+
 #define MAX_BUF (1024*1024*1024)
 struct test_data {
 struct extdom_req *req;
 struct ipa_extdom_ctx *ctx;
+bool skip_test;
 };
 
 /*
@@ -138,40 +142,6 @@ int cmocka_extdom_init_context(struct nss_ops_ctx **nss_context)
 return -1;
 }
 
-struct {
-const char *o, *n;
-} path_table[] = {
-{ .o = "/etc/passwd", .n = "./test_data/passwd"},
-{ .o = "/etc/group",  .n = "./test_data/group"},
-{ .o = NULL, .n = NULL}};
-
-FILE *(*original_fopen)(const char*, const char*) = NULL;
-
-FILE *fopen(const char *path, const char *mode) {
-const char *_path = NULL;
-
-/* Do not handle before-main() cases */
-if (original_fopen == NULL) {
-return NULL;
-}
-for(int i=0; path_table[i].o != NULL; i++) {
-if (strcmp(path, path_table[i].o) == 0) {
-_path = path_table[i].n;
-break;
-}
-}
-return (*original_fopen)(_path ? _path : path, mode);
-}
-
-/* Attempt to initialize original_fopen before main()
- * There is no explicit order when all initializers are called,
- * so we might still be late here compared to a code in a shared
- * library initializer, like libselinux */
-void redefined_fopen_ctor (void) __attribute__ ((constructor));
-void redefined_fopen_ctor(void) 
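Review bot: removing the fopen() interposer is worth doing beyond the glibc breakage the commit message cites: the removed version returned NULL for any fopen() call made before its constructor had set original_fopen, so an early fopen() from another library's initializer failed silently, and the path_table comparison redirected every open of /etc/passwd and /etc/group in the test process, not only those issued by nss_files. The unshare()/chroot() replacement is not visible in this excerpt, so only the removal could be reviewed here.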

[Freeipa-devel] [freeipa PR#4988][closed] [Backport][ipa-4-8] pylint: Fix warning and error

2020-08-05 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4988
Author: rcritten
 Title: #4988: [Backport][ipa-4-8] pylint: Fix warning and error
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4988/head:pr4988
git checkout pr4988


[Freeipa-devel] [freeipa PR#5013][closed] [Azure] Switch to dockerhub

2020-08-07 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5013
Author: stanislavlevin
 Title: #5013: [Azure] Switch to dockerhub
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5013/head:pr5013
git checkout pr5013


[Freeipa-devel] [freeipa PR#5017][opened] [Backport][ipa-4-8] [Azure] Switch to dockerhub

2020-08-07 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5017
Author: abbra
 Title: #5017: [Backport][ipa-4-8] [Azure] Switch to dockerhub
Action: opened

PR body:
"""
This PR was opened automatically because PR #5013 was pushed to master and backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5017/head:pr5017
git checkout pr5017
From a54c3edbc0c58ca11ab6be32a634de90fbe9cf27 Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Fri, 7 Aug 2020 10:10:52 +0300
Subject: [PATCH 1/2] Azure: Switch to dockerhub provider

`registry.fedoraproject.org/f32/fedora-toolbox` image is used to build
packages on Azure Pipelines.

registry.fedoraproject.org experiences an availability problem and makes
unstable FreeIPA CI.

Fedora also distributes its official images on https://hub.docker.com/_/fedora.
`fedora:32` is already used by FreeIPA CI to build the image for tests.

Signed-off-by: Stanislav Levin 
---
 freeipa.spec.in| 1 +
 ipatests/azure/Dockerfiles/Dockerfile.build.fedora | 4 
 ipatests/azure/templates/prepare-build-fedora.yml  | 1 +
 ipatests/azure/templates/variables-fedora.yml  | 2 +-
 4 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8d24c76c80..0b25a2b1da 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -245,6 +245,7 @@ BuildRequires:  python3-wheel
 BuildRequires:  jsl
 BuildRequires:  rpmlint
 BuildRequires:  softhsm
+BuildRequires:  keyutils
 BuildRequires:  python3-augeas
 BuildRequires:  python3-cffi
 BuildRequires:  python3-cryptography >= 1.6
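Review bot: the new `BuildRequires:  keyutils` line is not explained by the commit message, which only describes moving from `registry.fedoraproject.org/f32/fedora-toolbox` to the Docker Hub `fedora:32` image. State why the build now needs keyutils (the second patch in this series, "Skip keyring tests on containerized platforms", suggests it is for the keyring tests) so the spec change stays traceable.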
diff --git a/ipatests/azure/Dockerfiles/Dockerfile.build.fedora b/ipatests/azure/Dockerfiles/Dockerfile.build.fedora
index 07fc573a83..674bf60ed7 100644
--- a/ipatests/azure/Dockerfiles/Dockerfile.build.fedora
+++ b/ipatests/azure/Dockerfiles/Dockerfile.build.fedora
@@ -4,10 +4,6 @@ ENV container=docker LANG=en_US.utf8 LANGUAGE=en_US.utf8 LC_ALL=en_US.utf8
 
 ADD dist /root
 RUN echo 'deltarpm = false' >> /etc/dnf/dnf.conf \
-&& dnf install -y dnf-plugins-core \
-&& dnf config-manager --set-enabled updates-testing \
-&& dnf config-manager --set-enabled updates-testing-modular \
-&& dnf config-manager --set-disabled fedora-cisco-openh264 \
 && dnf update -y dnf \
 && sed -i 's/%_install_langs \(.*\)/\0:fr/g' /etc/rpm/macros.image-language-conf \
 && dnf install -y systemd \
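Review bot: removing the four `dnf config-manager` lines changes what the test image contains, not just where its base comes from: updates-testing and updates-testing-modular are no longer enabled, so tests now run against stable Fedora 32 packages only, and fedora-cisco-openh264 is no longer disabled. The commit message should say this is intended; if testing updates are still wanted, `dnf-plugins-core` has to stay installed before `dnf config-manager` can be used on the plain `fedora:32` image.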
diff --git a/ipatests/azure/templates/prepare-build-fedora.yml b/ipatests/azure/templates/prepare-build-fedora.yml
index 9de1be101e..c1d33b36ff 100644
--- a/ipatests/azure/templates/prepare-build-fedora.yml
+++ b/ipatests/azure/templates/prepare-build-fedora.yml
@@ -5,6 +5,7 @@ steps:
 sudo dnf makecache || :
 echo "Installing base development environment"
 sudo dnf install -y \
+'dnf-command(builddep)' \
 gdb-minimal \
 make \
 autoconf \
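Review bot: `'dnf-command(builddep)'` is needed because `dnf builddep` lives in a dnf plugin that the plain `fedora:32` base image selected in variables-fedora.yml cannot be assumed to ship; the single quotes are required so the parentheses do not reach the shell. A one-line YAML comment stating this would save the next reader from having to correlate it with the Dockerfile and variables hunks.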
diff --git a/ipatests/azure/templates/variables-fedora.yml b/ipatests/azure/templates/variables-fedora.yml
index 8475fc40ea..9440942f73 100644
--- a/ipatests/azure/templates/variables-fedora.yml
+++ b/ipatests/azure/templates/variables-fedora.yml
@@ -1,7 +1,7 @@
 variables:
   IPA_PLATFORM: fedora
   # the Docker public image to build IPA packages (rpms)
-  DOCKER_BUILD_IMAGE: 'registry.fedoraproject.org/f32/fedora-toolbox'
+  DOCKER_BUILD_IMAGE: 'fedora:32'
 
   # the Dockerfile to build Docker image for running IPA tests
   DOCKER_DOCKERFILE: ${{ format('Dockerfile.build.{0}', variables.IPA_PLATFORM) }}
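Review bot: `'fedora:32'` carries no registry, so which registry it resolves to depends on the container runtime's default on the Azure agents, and the tag is mutable. Since this image produces the packages under test, consider pinning by digest (`fedora@sha256:<digest>` as a placeholder) or at least updating the comment above, which still says only "the Docker public image", to state that the image now comes from Docker Hub.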

From b2e84aaa9e93b8ed3c514cab3fa29fae8a20038b Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Fri, 7 Aug 2020 11:27:28 +0300
Subject: [PATCH 2/2] ipatests: Skip keyring tests on containerized platforms

The kernel keyrings are not namespaced yet.

Signed-off-by: Stanislav Levin 
---
 ipatests/azure/azure-pipelines.yml   | 8 
 ipatests/azure/azure_definitions/base-fedora.yml | 2 --
 ipatests/test_ipapython/test_keyring.py  | 3 +++
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/ipatests/azure/azure-pipelines.yml b/ipatests/azure/azure-pipelines.yml
index b4d5cb2fcd..bc7e6bf913 100644
--- a/ipatests/azure/azure-pipelines.yml
+++ b/ipatests/azure/azure-pipelines.yml
@@ -12,7 +12,7 @@ jobs:
 vmImage: $(VM_IMAGE)
   container:
 image: $(DOCKER_BUILD_IMAGE)
-options: --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --privileged
+options: --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --privileged --env container=docker
   steps:
 - template: templates/${{ variables.PREPARE_BUILD_TEMPLATE }}
 - script: |
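Review bot: `--env container=docker` lets code inside the container detect that it is containerized (the second patch's subject says keyring tests are skipped on such platforms), but the marker is now appended by hand to an `options:` string that already carries `--privileged` and `seccomp=unconfined`; the detection silently stops working for any job that does not pass the same flag. A short comment on the `options:` line saying which check consumes `container=docker` would help.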
@@ -63,7 +63,7 @@ jobs:
 vmImage: $(VM_IMAGE)
   container:
 image: $(DOCKER_BUILD_IMAGE)
-options: --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --privileged
+options: --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --privileged --env container=docker
   steps:
 - template: templ
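Review bot: this is the same `options:` line as in the hunk at line 12, edited identically in both jobs; define the options string once as a pipeline variable and reference it from both `container:` blocks so the `container=docker` marker cannot drift between them.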

[Freeipa-devel] [freeipa PR#5014][closed] [Backport][ipa-4-6] WebUI: Fix object class evaluator for user details facet

2020-08-07 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5014
Author: flo-renaud
 Title: #5014: [Backport][ipa-4-6] WebUI: Fix object class evaluator for user details facet
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5014/head:pr5014
git checkout pr5014


[Freeipa-devel] [freeipa PR#5018][opened] [Backport][ipa-4-8] Treat container subplatforms like main platform

2020-08-07 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5018
Author: abbra
 Title: #5018: [Backport][ipa-4-8] Treat container subplatforms like main platform
Action: opened

PR body:
"""
This PR was opened automatically because PR #4992 was pushed to master and backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5018/head:pr5018
git checkout pr5018
From 5a09058683b77bef6cb4497f8aec874ce3977724 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 5 Aug 2020 12:27:59 +0200
Subject: [PATCH] Treat container subplatforms like main platform

ipa-server-upgrade does not like platform mismatches. Upgrade from an
old container to recent container fails with error message:

```
  IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
  ("Unable to execute IPA upgrade: platform mismatch (expected 'fedora', current 'fedora_container')", 1)
```

Upgrade state now treats a container subplatform like its main platform.
``fedora_container`` is really a ``fedora`` platform with some paths
redirected to ``/data`` partition.

The patch also enhances debug logging for installer and upgrader.

Related: https://pagure.io/freeipa/issue/8401
Signed-off-by: Christian Heimes 
---
 ipapython/admintool.py|  3 +++
 ipaserver/install/installutils.py | 25 +++
 .../test_install/test_installutils.py | 16 
 3 files changed, 39 insertions(+), 5 deletions(-)

diff --git a/ipapython/admintool.py b/ipapython/admintool.py
index ededb28bfd..991e85e016 100644
--- a/ipapython/admintool.py
+++ b/ipapython/admintool.py
@@ -28,6 +28,7 @@
 import traceback
 from optparse import OptionGroup  # pylint: disable=deprecated-module
 
+from ipaplatform.osinfo import osinfo
 from ipapython import version
 from ipapython import config
 from ipapython.ipa_log_manager import standard_logging_setup
@@ -304,6 +305,8 @@ def run(self):
 logger.debug('%s was invoked with arguments %s and options: %s',
  self.command_name, self.args, self.safe_options)
 logger.debug('IPA version %s', version.VENDOR_VERSION)
+logger.debug('IPA platform %s', osinfo.platform)
+logger.debug('IPA os-release %s %s', osinfo.name, osinfo.version)
 
 def log_failure(self, error_message, return_value, exception, backtrace):
 logger.debug('%s', ''.join(traceback.format_tb(backtrace)))
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index ce57772ff8..583b1aca0b 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -1054,13 +1054,26 @@ def load_external_cert(files, ca_subject):
 return cert_file, ca_file
 
 
+def get_current_platform():
+"""Get current platform (without container suffix)
+
+'fedora' and 'fedora_container' are considered the same platform. This
+normalization ensures that older freeipa-container images can be upgraded
+without a platform mismatch.
+"""
+platform = ipaplatform.NAME
+if platform.endswith('_container'):
+platform = platform[:-10]
+return platform
+
+
 def store_version():
 """Store current data version and platform. This is required for check if
 upgrade is required.
 """
 sysupgrade.set_upgrade_state('ipa', 'data_version',
  version.VENDOR_VERSION)
-sysupgrade.set_upgrade_state('ipa', 'platform', ipaplatform.NAME)
+sysupgrade.set_upgrade_state('ipa', 'platform', get_current_platform())
 
 
 def check_version():
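Review bot: `platform[:-10]` hard-codes the length of `'_container'`; use `platform[:-len('_container')]` or a module-level constant shared with the `endswith()` check, so the two cannot get out of step. The docstring is good; adding that `ipaplatform.NAME` itself is left untouched (only the value written by `store_version()` is normalized) would help readers of the upgrade-state code.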
@@ -1070,12 +1083,14 @@ def check_version():
 :raise UpgradeDataNewerVersionError: older version of IPA was detected than data
 :raise UpgradeMissingVersionError: if platform or version is missing
 """
-platform = sysupgrade.get_upgrade_state('ipa', 'platform')
-if platform is not None:
-if platform != ipaplatform.NAME:
+state_platform = sysupgrade.get_upgrade_state('ipa', 'platform')
+current_platform = get_current_platform()
+if state_platform is not None:
+if state_platform != current_platform:
 raise UpgradePlatformError(
 "platform mismatch (expected '%s', current '%s')" % (
-platform, ipaplatform.NAME)
+state_platform, current_platform
+)
 )
 else:
 raise UpgradeMissingVersionError("no platform stored")
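Review bot: only the current side of the comparison is normalized. A server whose upgrade state was written as `'fedora_container'` by a release between the introduction of the container platform and this fix will still raise `UpgradePlatformError` with expected 'fedora_container', current 'fedora'. Apply the same suffix stripping to `state_platform` (or run both values through one helper) so the check is symmetric.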
diff --git a/ipatests/test_ipaserver/test_install/test_installutils.py b/ipatests/test_ipaserver/test_install/test_installutils.py
index 86e595167e..739a64f470 100644
--- a/ipatests/test_ipaserver/test_install/test_installutils.py
+++ b/ipatests/test_ipaserver/test_install/test_installutils.py
@@ -140,3 +140,19 @@ def test_gpg_asymmetric(tempdir, gpgkey):
 assert os.path.isfile(src)
 with open(src) as f:
 assert f.read() == payload
+
+
+@pyt

[Freeipa-devel] [freeipa PR#4992][closed] Treat container subplatforms like main platform

2020-08-07 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4992
Author: tiran
 Title: #4992: Treat container subplatforms like main platform
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4992/head:pr4992
git checkout pr4992


[Freeipa-devel] [freeipa PR#5043][closed] [Backport][ipa-4-8] uninstall: Don't fail on missing /var/lib/samba

2020-08-20 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5043
Author: stanislavlevin
 Title: #5043: [Backport][ipa-4-8] uninstall: Don't fail on missing /var/lib/samba
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5043/head:pr5043
git checkout pr5043


[Freeipa-devel] [freeipa PR#5048][closed] [Backport][ipa-4-8] Improve performance of ipa-server-guard

2020-08-20 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5048
Author: rcritten
 Title: #5048: [Backport][ipa-4-8] Improve performance of ipa-server-guard
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5048/head:pr5048
git checkout pr5048


[Freeipa-devel] [freeipa PR#5051][closed] [Backport][ipa-4-8] ipatests: Test certmonger rekey command works fine

2020-08-20 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5051
Author: rcritten
 Title: #5051: [Backport][ipa-4-8] ipatests: Test certmonger rekey command works fine
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5051/head:pr5051
git checkout pr5051


[Freeipa-devel] [freeipa PR#5050][closed] [Backport][ipa-4-8] Increase replication changelog trimming to 30 days

2020-08-20 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5050
Author: rcritten
 Title: #5050: [Backport][ipa-4-8] Increase replication changelog trimming to 30 days
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5050/head:pr5050
git checkout pr5050


[Freeipa-devel] [freeipa PR#5049][closed] [Backport][ipa-4-8] ipatests: stop the CA during healthcheck expiration test

2020-08-20 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5049
Author: rcritten
 Title: #5049: [Backport][ipa-4-8] ipatests: stop the CA during healthcheck expiration test
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5049/head:pr5049
git checkout pr5049


[Freeipa-devel] [freeipa PR#5052][opened] Fix resolv conf on smbserver test

2020-08-21 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5052
Author: abbra
 Title: #5052: Fix resolv conf on smbserver test
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5052/head:pr5052
git checkout pr5052
From 0e4fac650d5b989eb99273d5985e6f6b3d801e92 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Fri, 21 Aug 2020 10:01:50 +0300
Subject: [PATCH 1/2] test_smb: make sure both smbserver and smbclient use IPA
 master for DNS

test_smb test suite sets up IPA master, AD forest, and two clients.
The clients are used as an SMB server and an SMB client and they need to
resolve and authenticate AD users with Kerberos.

Previously, the test only configured SMB client to use IPA master as its
DNS server. SMB server wasn't using IPA master and thus any attempt to
resolve SRV records from AD DNS zone was failing.

Make sure that both SMB client's and SMB server's DNS resolution is set
up in the same way.

Fixes: https://pagure.io/freeipa/issue/8344

Signed-off-by: Alexander Bokovoy 
---
 ipatests/test_integration/test_smb.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
index b86b383663..7a6247519c 100644
--- a/ipatests/test_integration/test_smb.py
+++ b/ipatests/test_integration/test_smb.py
@@ -61,8 +61,9 @@ def install(cls, mh):
 cls.smbclient = cls.clients[1]
 cls.ad_user = '{}@{}'.format(cls.ad_user_login, cls.ad.domain.name)
 
-tasks.config_host_resolvconf_with_master_data(cls.master,
-  cls.smbclient)
+for h in [cls.smbserver, cls.smbclient]:
+tasks.config_host_resolvconf_with_master_data(cls.master, h)
+
 tasks.install_adtrust(cls.master)
 tasks.configure_dns_for_trust(cls.master, cls.ad)
 tasks.configure_windows_dns_for_trust(cls.ad, cls.master)

From 42030688cc117581131cefc97345823bf055b07a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Fri, 21 Aug 2020 10:11:29 +0300
Subject: [PATCH 2/2] Temp commit

---
 .freeipa-pr-ci.yaml|  2 +-
 ipatests/prci_definitions/temp_commit.yaml | 25 +++---
 2 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b63..8065669008 12
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
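Review bot: this commit retargets `.freeipa-pr-ci.yaml` from gating.yaml to temp_commit.yaml and is titled "Temp commit"; it must be dropped before merge, otherwise PR CI gating on master would run only the test_smb job defined in the next file.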
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index e337068145..80fbdf8c18 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -47,7 +47,7 @@ topologies:
 memory: 14500
 
 jobs:
-  fedora-latest/build:
+  testing-fedora/build:
 requires: []
 priority: 100
 job:
@@ -55,20 +55,21 @@ jobs:
   args:
 git_repo: '{git_repo}'
 git_refspec: '{git_refspec}'
-template: &ci-master-latest
-  name: freeipa/ci-master-f32
-  version: 0.0.7
+template: &testing-master-latest
+  name: freeipa/testing-master-f32
+  version: 0.0.2
 timeout: 1800
 topology: *build
 
-  fedora-latest/temp_commit:
-requires: [fedora-latest/build]
+  testing-fedora/test_smb:
+requires: [testing-fedora/build]
 priority: 50
 job:
-  class: RunPytest
+  class: RunADTests
   args:
-build_url: '{fedora-latest/build_url}'
-test_suite: test_integration/test_REPLACEME.py
-template: *ci-master-latest
-timeout: 3600
-topology: *master_1repl_1client
+build_url: '{testing-fedora/build_url}'
+update_packages: True
+test_suite: test_integration/test_smb.py
+template: *testing-master-latest
+timeout: 7200
+topology: *ad_master_2client
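Review bot: `topology: *ad_master_2client` is referenced here but the hunk does not show the `ad_master_2client` anchor being defined in the topologies section (the `@@ -47,7` hunk shows only a `memory: 14500` entry); verify it exists in temp_commit.yaml, since an undefined YAML alias fails to parse. The timeout also doubles from 3600 to 7200 and `update_packages: True` is new; both belong in the commit message if this definition is meant to outlive the temp commit.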


[Freeipa-devel] [freeipa PR#5056][opened] Update pylintrc to ignore aggressive errors from pylint 2.6.0

2020-08-22 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5056
Author: abbra
 Title: #5056: Update pylintrc to ignore aggressive errors from pylint 2.6.0
Action: opened

PR body:
"""
pylint 2.6.0 forces aggressive switch to Python 3 constructs that would make
FreeIPA 4.8+ incompatible with most of FreeIPA 4.6 code base.

Disable 'raise-missing-from' and 'super-with-arguments' right now.

Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5056/head:pr5056
git checkout pr5056
From 7850d5f4083931c429e05d7fd9568e27d24311a1 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Sat, 22 Aug 2020 13:56:00 +0300
Subject: [PATCH] Update pylintrc to ignore aggressive errors from pylint 2.6.0

pylint 2.6.0 forces aggressive switch to Python 3 constructs that would make
FreeIPA 4.8+ incompatible with most of FreeIPA 4.6 code base.

Disable 'raise-missing-from' and 'super-with-arguments' right now.

Signed-off-by: Alexander Bokovoy 
---
 pylintrc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pylintrc b/pylintrc
index 32a671daf5..db7f2eb16e 100644
--- a/pylintrc
+++ b/pylintrc
@@ -103,6 +103,8 @@ disable=
 no-else-raise, # python 2.4.0
 import-outside-toplevel, # pylint 2.4.2
 f-string-without-interpolation,  # pylint 2.5.0, bare f-strings are ok
+raise-missing-from, # pylint 2.6.0
+super-with-arguments, # pylint 2.6.0
 
 [REPORTS]
 
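Review bot: disabling `raise-missing-from` to stay compatible with the 4.6 code base is reasonable, but note the cost: a bare `raise` of a new exception inside an `except` block loses the explicit cause chain that helps when diagnosing install failures. Consider re-enabling it on master once 4.6 backports stop. The context line `no-else-raise, # python 2.4.0` should read `pylint 2.4.0`.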


[Freeipa-devel] [freeipa PR#5057][closed] [Backport][ipa-4-8] pylint: Fix several warnings on dev branch

2020-08-23 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5057
Author: abbra
 Title: #5057: [Backport][ipa-4-8] pylint: Fix several warnings on dev branch
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5057/head:pr5057
git checkout pr5057


[Freeipa-devel] [freeipa PR#5060][opened] [Backport][ipa-4-8] ipatests: Add PTR record for IP SAN

2020-08-24 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5060
Author: abbra
 Title: #5060: [Backport][ipa-4-8] ipatests: Add PTR record for IP SAN
Action: opened

PR body:
"""
This PR was opened automatically because PR #5046 was pushed to master and backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5060/head:pr5060
git checkout pr5060
From 294986ac362d3ae1be2b44817f201834380a55fc Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan 
Date: Wed, 19 Aug 2020 12:38:41 +0530
Subject: [PATCH 1/3] ipatests: Add PTR record for IP SAN

If PTR record is missing for an IP address then cert request
with SAN option throws an error. This fix is to add the PTR
record so that cert request doesn't throw an error.

Signed-off-by: Mohammad Rizwan 
---
 ipatests/test_integration/test_cert.py | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index f4e4d9fc63..2ac32a72f3 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -99,6 +99,17 @@ def test_ipa_getcert_san_aci(self):
 certfile = '/etc/pki/tls/certs/test2.pem'
 
 tasks.kinit_admin(self.master)
+
+zone = tasks.prepare_reverse_zone(self.master, self.clients[0].ip)[0]
+
+# add PTR dns record for cert request with SAN extention
+rec = str(self.clients[0].ip).split('.')[3]
+result = self.master.run_command(
+['ipa', 'dnsrecord-add', zone, rec, '--ptr-rec', hostname]
+)
+assert 'Record name: {}'.format(rec) in result.stdout_text
+assert 'PTR record: {}'.format(hostname) in result.stdout_text
+
 name, zone = hostname.split('.', 1)
 self.master.run_command(['ipa', 'dnsrecord-show', zone, name])
 tasks.kdestroy_all(self.master)
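Review bot: `str(self.clients[0].ip).split('.')[3]` assumes an IPv4 address and that the zone returned by `prepare_reverse_zone()` is a /24, so the PTR name is the last octet only; if the default reverse zone has a different prefix length the record lands under the wrong name, the `Record name:` assertion still passes, and the SAN lookup keeps failing. Derive the record name from the returned zone instead, and fix `extention` in the comment.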

From 138cc90f81b341b23d9e05a7cce80674043964b4 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan 
Date: Thu, 20 Aug 2020 15:31:16 +0530
Subject: [PATCH 2/3] ipatests: add --skip-overlap-check option to
 prepare_reverse_zone()

add --skip-overlap-check in case it overlap with an existing zone
or with dnszone outside of IPA.
---
 ipatests/pytest_ipa/integration/tasks.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 6db05e8094..3abaccfa65 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -89,7 +89,8 @@ def prepare_reverse_zone(host, ip):
 zone = get_reverse_zone_default(ip)
 result = host.run_command(["ipa",
   "dnszone-add",
-  zone], raiseonerr=False)
+  zone,
+  '--skip-overlap-check'], raiseonerr=False)
 if result.returncode > 0:
 logger.warning("%s", result.stderr_text)
 return zone, result.returncode
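Review bot: `'--skip-overlap-check'` is now passed unconditionally, so a genuine overlap with an existing IPA zone or an external zone is hidden rather than surfaced in `result.returncode`; since callers already receive the return code, a keyword argument defaulting to the old behaviour would let only the PTR test opt in. This commit also lacks the Signed-off-by line the other two in the series carry.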

From 6cfd6b4acd0438b8cc6ebc2b1df438f45b19258f Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan 
Date: Thu, 20 Aug 2020 15:47:53 +0530
Subject: [PATCH 3/3] PEP8 fixes

PEP8 fixes for visual indent, line > 79, blank line required etc
---
 ipatests/pytest_ipa/integration/tasks.py | 35 +++-
 1 file changed, 22 insertions(+), 13 deletions(-)

diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index 3abaccfa65..b7ddaea432 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -79,7 +79,8 @@ def check_arguments_are(slice, instanceof):
 def wrapper(func):
 def wrapped(*args, **kwargs):
 for i in args[slice[0]:slice[1]]:
-assert isinstance(i, instanceof), "Wrong type: %s: %s" % (i, type(i))
+assert isinstance(i, instanceof), "Wrong type: %s: %s" % (
+i, type(i))
 return func(*args, **kwargs)
 return wrapped
 return wrapper
@@ -87,10 +88,10 @@ def wrapped(*args, **kwargs):
 
 def prepare_reverse_zone(host, ip):
 zone = get_reverse_zone_default(ip)
-result = host.run_command(["ipa",
-  "dnszone-add",
-  zone,
-  '--skip-overlap-check'], raiseonerr=False)
+result = host.run_command(
+["ipa", "dnszone-add", zone, '--skip-overlap-check'],
+raiseonerr=False
+)
 if result.returncode > 0:
 logger.warning("%s", result.stderr_text)
 return zone, result.returncode
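Review bot: the reflowed list mixes quote styles, `"ipa", "dnszone-add", zone, '--skip-overlap-check'`; since this is a PEP8 cleanup commit, pick one style for the whole list.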
@@ -193,8 +194,10 @@ def fix_apache_semaphores(master):
 master.run_command([paths.SBIN_SERVICE, 'httpd', 'stop'],
raiseonerr=False)
 
-master.run_command('for line in `ipcs -s | grep apache | cut -d " " -f 2`; '
-   'do ipcrm -s $line; done', raiseonerr=False)
+master.run_command(
+'for line in `ipcs -s | grep apache ''| cut -d " " -

[Freeipa-devel] [freeipa PR#5046][closed] ipatests: Add PTR record for IP SAN

2020-08-24 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5046
Author: mrizwan93
 Title: #5046: ipatests: Add PTR record for IP SAN
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5046/head:pr5046
git checkout pr5046


[Freeipa-devel] [freeipa PR#5060][closed] [Backport][ipa-4-8] ipatests: Add PTR record for IP SAN

2020-08-24 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5060
Author: abbra
 Title: #5060: [Backport][ipa-4-8] ipatests: Add PTR record for IP SAN
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5060/head:pr5060
git checkout pr5060


[Freeipa-devel] [freeipa PR#5054][closed] [Backport][ipa-4-8] Support older servers in is_ipa_configured() call

2020-08-26 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5054
Author: rcritten
 Title: #5054: [Backport][ipa-4-8] Support older servers in is_ipa_configured() call
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5054/head:pr5054
git checkout pr5054


[Freeipa-devel] [freeipa PR#5065][closed] [Backport][ipa-4-8] ipatests: refactor new tests in test_smb

2020-08-27 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5065
Author: rcritten
 Title: #5065: [Backport][ipa-4-8] ipatests: refactor new tests in test_smb
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5065/head:pr5065
git checkout pr5065


[Freeipa-devel] [freeipa PR#5030][closed] WIP: Troubleshoot Azure

2020-08-27 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5030
Author: netoarmando
 Title: #5030: WIP: Troubleshoot Azure
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5030/head:pr5030
git checkout pr5030


[Freeipa-devel] [freeipa PR#5068][closed] [Backport][ipa-4-8] ipatests: run test_ipahealthcheck.py::TestIpaHealthCheck separately

2020-08-30 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5068
Author: flo-renaud
 Title: #5068: [Backport][ipa-4-8] ipatests: run test_ipahealthcheck.py::TestIpaHealthCheck separately
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5068/head:pr5068
git checkout pr5068


[Freeipa-devel] [freeipa PR#3774][closed] [DNSSEC] Allow using of a custom OpenSSL engine for BIND

2020-08-30 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/3774
Author: stanislavlevin
 Title: #3774: [DNSSEC] Allow using of a custom OpenSSL engine for BIND
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3774/head:pr3774
git checkout pr3774


[Freeipa-devel] [freeipa PR#5047][closed] [Azure] Add rawhide definitions

2020-08-30 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5047
Author: stanislavlevin
 Title: #5047: [Azure] Add rawhide definitions
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5047/head:pr5047
git checkout pr5047


[Freeipa-devel] [freeipa PR#5070][closed] DNSResolver: Make use of `resolve_address` of a current resolver instead of the global one

2020-08-31 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5070
Author: stanislavlevin
 Title: #5070: DNSResolver: Make use of `resolve_address` of a current resolver instead of the global one
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5070/head:pr5070
git checkout pr5070


[Freeipa-devel] [freeipa PR#5070][reopened] DNSResolver: Make use of `resolve_address` of a current resolver instead of the global one

2020-08-31 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5070
Author: stanislavlevin
 Title: #5070: DNSResolver: Make use of `resolve_address` of a current resolver instead of the global one
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5070/head:pr5070
git checkout pr5070


[Freeipa-devel] [freeipa PR#5069][closed] [Backport][ipa-4-8] [Azure] Add rawhide definitions

2020-09-01 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5069
Author: stanislavlevin
 Title: #5069: [Backport][ipa-4-8] [Azure] Add rawhide definitions
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5069/head:pr5069
git checkout pr5069


[Freeipa-devel] [freeipa PR#5086][opened] ipa-kdb: support getprincs request in kadmin.local

2020-09-09 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5086
Author: abbra
 Title: #5086: ipa-kdb: support getprincs request in kadmin.local
Action: opened

PR body:
"""
kadmin.local getprincs command results in passing '*' as a principal to
KDB driver function that looks up the principals.

The whole filter looks like this
```
 (&(|
(objectclass=krbprincipalaux)
(objectclass=krbprincipal)
(objectclass=ipakrbprincipal))
   (|(ipakrbprincipalalias=*)
 (krbprincipalname:caseIgnoreIA5Match:=*)))
```

There are two parts of the LDAP filter we use to look up principals, the
part with 'krbprincipalname' uses extensible filter syntax of RFC 4515
section 3:
```
  extensible = ( attr [dnattrs]
   [matchingrule] COLON EQUALS assertionvalue )
   / ( [dnattrs]
matchingrule COLON EQUALS assertionvalue )
```
In case we've got a principal name as '*' we have to follow RFC 4515
section 3 and reencode it using  rule from RFC 4511
section 4.1.6 but only to the part of the filter that does use assertion
value.

Fixes: https://pagure.io/freeipa/issue/8490

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5086/head:pr5086
git checkout pr5086
From 9e88057e6f4dd370ec747f9d3ada8aca73608424 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 9 Sep 2020 16:09:12 +0300
Subject: [PATCH 1/2] ipa-kdb: support getprincs request in kadmin.local

kadmin.local getprincs command results in passing '*' as a principal to
KDB driver function that looks up the principals.

The whole filter looks like this

 (&(|
(objectclass=krbprincipalaux)
(objectclass=krbprincipal)
(objectclass=ipakrbprincipal))
   (|(ipakrbprincipalalias=*)
 (krbprincipalname:caseIgnoreIA5Match:=*)))

There are two parts of the LDAP filter we use to look up principals, the
part with 'krbprincipalname' uses extensible filter syntax of RFC 4515
section 3:

  extensible = ( attr [dnattrs]
   [matchingrule] COLON EQUALS assertionvalue )
   / ( [dnattrs]
matchingrule COLON EQUALS assertionvalue )

In case we've got a principal name as '*' we have to follow RFC 4515
section 3 and reencode it using  rule from RFC 4511
section 4.1.6 but only to the part of the filter that does use assertion
value.

Fixes: https://pagure.io/freeipa/issue/8490

Signed-off-by: Alexander Bokovoy 
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 19 +--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index cdfb3223dc..39b6ca902d 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -966,6 +966,7 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
 krb5_error_code kerr;
 char *src_filter = NULL, *esc_original_princ = NULL;
 int ret;
+int len = 0;
 
 if (!ipactx->lcontext) {
 ret = ipadb_get_connection(ipactx);
@@ -983,6 +984,8 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
 goto done;
 }
 
+len = strlen(esc_original_princ);
+
 /* Starting in DAL 8.0, aliases are always okay. */
 #ifdef KRB5_KDB_FLAG_ALIAS_OK
 if (!(flags & KRB5_KDB_FLAG_ALIAS_OK)) {
@@ -996,12 +999,24 @@ ipadb_fetch_principals_with_extra_filter(struct ipadb_context *ipactx,
 } else
 #endif
 {
+/* In case we've got a principal name as '*' we have to
+ * follow RFC 4515 section 3 and reencode it using
+ *  rule from RFC 4511 section 4.1.6 but
+ * only to the part of the filter that does use assertion
+ * value. */
+const char *asterisk = "%x2A";
+char *assertion_value = esc_original_princ;
+
+if ((len == 1) && (esc_original_princ[0] == '*')) {
+assertion_value = asterisk;
+}
+
 if (filter == NULL) {
 ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER,
-   esc_original_princ, esc_original_princ);
+   esc_original_princ, assertion_value);
 } else {
 ret = asprintf(&src_filter, PRINC_TGS_SEARCH_FILTER_EXTRA,
-   esc_original_princ, esc_original_princ, filter);
+   esc_original_princ, assertion_value, filter);
 }
 }
 
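Review bot: `const char *asterisk = "%x2A";` does not produce an RFC 4515 escape. `%x2A` is the ABNF notation the RFC text uses for the byte 0x2A; inside a filter string the escape is a backslash followed by two hex digits, so the literal should be `"\\2A"` (giving `\2A` in the filter). As written, the extensible-match branch searches for a principal literally named `%x2A`. Two smaller points on the same block: `assertion_value` is declared `char *` but is assigned the `const char *` `asterisk`, which discards the qualifier (declare it `const char *assertion_value`), and `(len == 1) && (esc_original_princ[0] == '*')` can be written as `strcmp(esc_original_princ, "*") == 0`, which removes the need for the `len` variable introduced in the two earlier hunks. It is also worth spelling out in the comment that, once escaped, this branch matches only a principal whose whole name is the single character `*`, so enumeration through getprincs relies entirely on the `(ipakrbprincipalalias=*)` presence branch of the filter quoted in the commit message.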

From 6bf7b3ba33d1a2845cd361fba4f37629d28a14e2 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 9 Sep 2020 16:26:56 +0300
Subject: [PATCH 2/2] ipa-kdb: test kadmin.local getprincs command

Fixes: https://pagure.io/freeipa/issue/8490
Signed-off-by: Alexander Bokovoy 
---
 ipatests/test_ipaserver/test_kadmin.py | 6 ++
 1 file changed, 6 insertions(+)

diff --git a/ipatests/t
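The PR description above says a bare `*` principal name has to be reencoded with the RFC 4515 section 3 rule, but only in the extensible-match part of the filter. The following Python is an added example, not the project's ipa-kdb code (which is C): it implements the RFC 4515 value escaping and builds the lookup filter quoted in the PR with it, so the effect of escaping one branch and not the other can be seen directly. The filter template and attribute names are those shown in the PR; the function names, and the choice to fully escape any name other than the single character `*`, are this example's own.

```python
"""RFC 4515 assertion-value escaping applied to the principal lookup
filter quoted in the PR description above.  Added example in Python;
FreeIPA's own implementation is the C code in ipa-kdb."""

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by two hex digits.
_ESCAPE = {
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\\": r"\5c",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Encode a string with the RFC 4515 <valueencoding> rule.

    Non-ASCII characters are UTF-8 encoded and every byte is escaped,
    so the result is pure ASCII and carries no filter metacharacters.
    """
    out = []
    for ch in value:
        if ch in _ESCAPE:
            out.append(_ESCAPE[ch])
        elif ord(ch) < 0x80:
            out.append(ch)
        else:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)


# Filter template from the PR description.  The first branch is an
# equality filter (a presence filter when the value is '*'); the second
# uses the extensible-match syntax, which has no wildcard and therefore
# always needs an escaped assertion value.
PRINC_SEARCH_FILTER = (
    "(&(|(objectclass=krbprincipalaux)"
    "(objectclass=krbprincipal)"
    "(objectclass=ipakrbprincipal))"
    "(|(ipakrbprincipalalias=%s)"
    "(krbprincipalname:caseIgnoreIA5Match:=%s)))"
)


def build_principal_filter(principal: str) -> str:
    """Build the lookup filter for a principal name as kadmin passes it.

    A bare '*' (what 'kadmin.local getprincs' sends) stays a presence
    filter on ipakrbprincipalalias but is escaped in the extensible
    match.  Any other name is escaped in both places, so a name such as
    'x)(objectclass=*' cannot change the structure of the filter.
    """
    if principal == "*":
        alias_value = "*"
    else:
        alias_value = escape_filter_value(principal)
    assertion_value = escape_filter_value(principal)
    return PRINC_SEARCH_FILTER % (alias_value, assertion_value)


def unescaped_parens(filt: str) -> int:
    """Count parentheses that are not part of an escape sequence.

    Used to show that an escaped value adds no structure to the template:
    the template alone contains 16 such parentheses.
    """
    count = 0
    i = 0
    while i < len(filt):
        if filt[i] == "\\":
            i += 3          # backslash plus two hex digits
            continue
        if filt[i] in "()":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    print(build_principal_filter("*"))
    print(build_principal_filter("host/kdc.example.test@EXAMPLE.TEST"))
```

The presence form `(ipakrbprincipalalias=*)` is valid only because the value is exactly `*`; in the extensible-match branch `*` is an ordinary character and has to appear as `\2a`, which is the distinction the patch makes.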

[Freeipa-devel] [freeipa PR#5091][closed] Don't allow both a zone name and --name-from-ip to be provided

2020-09-13 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5091
Author: rcritten
 Title: #5091: Don't allow both a zone name and --name-from-ip to be provided
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5091/head:pr5091
git checkout pr5091


[Freeipa-devel] [freeipa PR#5097][opened] [Backport][ipa-4-8] Don't allow both a zone name and --name-from-ip to be provided

2020-09-13 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5097
Author: abbra
 Title: #5097: [Backport][ipa-4-8] Don't allow both a zone name and --name-from-ip to be provided
Action: opened

PR body:
"""
This PR was opened automatically because PR #5091 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5097/head:pr5097
git checkout pr5097
From 68f2add4413a0e32e191b977bb8d130d4496804c Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Thu, 10 Sep 2020 14:00:49 -0400
Subject: [PATCH 1/2] Don't allow both a zone name and --name-from-ip to be
 provided

--name-from-ip will generate a zone name so there is no point in
the user providing one. If one is provided and doesn't match the
generated name then a validation exception is raised.

https://pagure.io/freeipa/issue/8446

Signed-off-by: Rob Crittenden 
---
 ipaserver/plugins/dns.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipaserver/plugins/dns.py b/ipaserver/plugins/dns.py
index 7130f8f7dc..5fd7922549 100644
--- a/ipaserver/plugins/dns.py
+++ b/ipaserver/plugins/dns.py
@@ -2142,6 +2142,14 @@ class DNSZoneBase_add(LDAPCreate):
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 assert isinstance(dn, DN)
 
+if options.get('name_from_ip'):
+zone = _reverse_zone_name(options.get('name_from_ip'))
+if keys[-1] != DNSName(zone):
+raise errors.ValidationError(
+name='name-from-ip',
+error=_("cannot be used when a zone is specified")
+)
+
 try:
 entry = ldap.get_entry(dn)
 except errors.NotFound:
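Review bot: the error text `cannot be used when a zone is specified` does not describe the condition it is raised under. The check fires only when `keys[-1] != DNSName(zone)`, that is, when a zone name was given and differs from the generated one, while a matching name is accepted (as the commit message says). Say so in the message, for example `does not match the zone name derived from the IP`, otherwise a user who passes the correct reverse zone together with `--name-from-ip` is told the combination is forbidden when it is not. Please also confirm that `keys[-1]` and `DNSName(zone)` are normalised the same way (absolute versus relative name, letter case) before the comparison, or equal names typed differently will be rejected; and `options.get('name_from_ip')` is evaluated twice where a local variable would do.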

From cbfdd485b58443c31703569d51780b98ed743911 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Thu, 10 Sep 2020 14:02:06 -0400
Subject: [PATCH 2/2] ipatests: test that a zone name and name-from-ip will be
 rejected

If a zone name is provided then name-from-ip makes little sense,
don't allow it.

https://pagure.io/freeipa/issue/8446

Signed-off-by: Rob Crittenden 
---
 ipatests/test_xmlrpc/test_dns_plugin.py | 14 ++
 1 file changed, 14 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index 5818d252af..5bc3e06ae8 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -685,6 +685,20 @@ def dns_setup(self, declarative_setup):
 ),
 
 
+dict(
+desc='Try to create a zone w/ a name and name-from-ipa %r' % zone1,
+command=(
+'dnszone_add', [zone1], {
+'idnssoarname': zone1_rname,
+'name_from_ip': revzone1_ip,
+}
+),
+expected=errors.ValidationError(
+message=u'invalid \'name-from-ip\': cannot be used when a '
+'zone is specified'),
+),
+
+
 dict(
 desc='Retrieve zone %r' % zone1,
 command=('dnszone_show', [zone1], {}),
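Review bot: `desc='Try to create a zone w/ a name and name-from-ipa %r'` has a typo, `name-from-ipa` should read `name-from-ip`. The new case only exercises the mismatch; please add the positive case as well (passing the zone name that `--name-from-ip` would generate for `revzone1_ip`), so that the accepted combination is pinned down and a later change to the comparison cannot silently reject it.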
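The patch above compares a user-supplied zone name with the one derived from `--name-from-ip`. As an added example, not the dns plugin's own code, the following Python derives the reverse zone name with the standard `ipaddress` module and applies the same rule, including the normalisation (letter case, trailing dot) that such a comparison depends on. The default prefix lengths used for a bare address (/24 for IPv4, /64 for IPv6), the rounding of odd prefixes down to whole octets or nibbles, and the function names are assumptions of this example.

```python
"""Reverse-zone derivation and the zone-name consistency check from the
patch above, as an added example (not FreeIPA's dns plugin)."""

import ipaddress
from typing import Optional


def reverse_zone_name(netstr: str) -> str:
    """Return the in-addr.arpa / ip6.arpa zone covering netstr.

    A bare address is treated as a /24 (IPv4) or /64 (IPv6) network;
    these defaults are this example's assumption.  The prefix is rounded
    down to whole octets (IPv4) or nibbles (IPv6) because a reverse zone
    boundary cannot fall inside a label.
    """
    if "/" in netstr:
        net = ipaddress.ip_network(netstr, strict=False)
    else:
        addr = ipaddress.ip_address(netstr)
        default = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network("%s/%d" % (addr, default), strict=False)

    # reverse_pointer gives the full-length name of the network address
    # (4 octet labels or 32 nibble labels); drop the host part so that
    # only labels covered by the prefix remain.
    labels = net.network_address.reverse_pointer.split(".")
    if net.version == 4:
        labels = labels[4 - net.prefixlen // 8:]
    else:
        labels = labels[32 - net.prefixlen // 4:]
    return ".".join(labels) + "."


def normalize_zone(name: str) -> str:
    """DNS names compare case-insensitively and the trailing dot marks an
    absolute name; normalise both so user input and a generated name can
    be compared as strings."""
    return name.rstrip(".").lower() + "."


def check_zone_args(zone: Optional[str], name_from_ip: Optional[str]) -> str:
    """Mirror the pre_callback rule: when name_from_ip is given, a zone
    name that is also given must equal the generated one.

    Returns the zone name that would be created.
    """
    if name_from_ip is None:
        if zone is None:
            raise ValueError("a zone name or name-from-ip is required")
        return normalize_zone(zone)
    generated = reverse_zone_name(name_from_ip)
    if zone is not None and normalize_zone(zone) != generated:
        raise ValueError(
            "invalid 'name-from-ip': cannot be used when a zone is specified")
    return generated


if __name__ == "__main__":
    print(check_zone_args(None, "192.168.1.0/24"))
    print(check_zone_args("8.b.d.0.1.0.0.2.ip6.arpa", "2001:db8::/32"))
```

Because both sides go through `normalize_zone`, `1.168.192.IN-ADDR.ARPA` and `1.168.192.in-addr.arpa.` are accepted as the same zone; without that step the check would reject a correct name on a cosmetic difference.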


[Freeipa-devel] [freeipa PR#5094][closed] De-duplicate ACI attributes and permissions

2020-09-13 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5094
Author: rcritten
 Title: #5094: De-duplicate ACI attributes and permissions
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5094/head:pr5094
git checkout pr5094


[Freeipa-devel] [freeipa PR#5098][opened] [Backport][ipa-4-8] De-duplicate ACI attributes and permissions

2020-09-13 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5098
Author: abbra
 Title: #5098: [Backport][ipa-4-8] De-duplicate ACI attributes and permissions
Action: opened

PR body:
"""
This PR was opened automatically because PR #5094 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5098/head:pr5098
git checkout pr5098
From bfb9dc252653cee0ae23c73ecb0922abfdd0e9c8 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Fri, 11 Sep 2020 12:03:01 -0400
Subject: [PATCH 1/3] De-duplicate ACI attributes and permissions

Ensure uniqueuess in attributes and permissions in the ACI class.

A set() is not used because it doesn't guarantee order which ends up
causing cascading and unpredictable test failures. Since all we
really need is de-duplication and not a true mathematical set iterating
through the list is sufficiently fast, particularly since the number
of elements will always be low.

https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden 
---
 ipalib/aci.py | 27 ---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/ipalib/aci.py b/ipalib/aci.py
index acd803331c..1bf7895ed8 100644
--- a/ipalib/aci.py
+++ b/ipalib/aci.py
@@ -83,7 +83,7 @@ def export_to_string(self):
 op = v['operator']
 if type(v['expression']) in (tuple, list):
 target = ""
-for l in v['expression']:
+for l in self._unique_list(v['expression']):
 target = target + l + " || "
 target = target[:-4]
 aci = aci + "(%s %s \"%s\")" % (t, op, target)
@@ -92,6 +92,20 @@ def export_to_string(self):
 aci = aci + "(version 3.0;acl \"%s\";%s (%s) %s %s \"%s\"" % (self.name, self.action, ",".join(self.permissions), self.bindrule['keyword'], self.bindrule['operator'], self.bindrule['expression']) + ";)"
 return aci
 
+def _unique_list(self, l):
+"""
+A set() doesn't maintain order so make a list unique ourselves.
+
+The number of entries in our lists are always going to be
+relatively low and this code will be called infrequently
+anyway so the overhead will be small.
+"""
+unique = []
+for item in l:
+if item not in unique:
+unique.append(item)
+return unique
+
 def _remove_quotes(self, s):
 # Remove leading and trailing quotes
 if s.startswith('"'):
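Review bot: `if item not in unique` compares attribute names and permission keywords case-sensitively, so `cn` and `CN` (or `read` and `Read`) both survive `_unique_list` even though LDAP attribute names are case-insensitive and the exported ACI would still carry a duplicate; lowering the case for the membership test while keeping the first spelling would make the de-duplication match what the directory server sees. On the implementation itself, `list(dict.fromkeys(l))` gives the same order-preserving result in linear time on Python 3.7 and later, which also makes the docstring's argument about `set()` ordering unnecessary; and `l` as a parameter name is easily misread as `1` (flake8 E741).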
@@ -149,7 +163,9 @@ def _parse_acistr(self, acistr):
 if not bindperms or len(bindperms.groups()) < 3:
 raise SyntaxError("malformed ACI, permissions match failed %s" % acistr)
 self.action = bindperms.group(1)
-self.permissions = bindperms.group(2).replace(' ','').split(',')
+self.permissions = self._unique_list(
+bindperms.group(2).replace(' ','').split(',')
+)
 self.set_bindrule(bindperms.group(3))
 
 def validate(self):
@@ -175,6 +191,11 @@ def validate(self):
 raise SyntaxError("bindrule is missing a component")
 return True
 
+def set_permissions(self, permissions):
+if type(permissions) not in (tuple, list):
+permissions = [permissions]
+self.permissions = self._unique_list(permissions)
+
 def set_target_filter(self, filter, operator="="):
 self.target['targetfilter'] = {}
 if not filter.startswith("("):
@@ -190,7 +211,7 @@ def set_target_attr(self, attr, operator="="):
 if type(attr) not in (tuple, list):
 attr = [attr]
 self.target['targetattr'] = {}
-self.target['targetattr']['expression'] = attr
+self.target['targetattr']['expression'] = self._unique_list(attr)
 self.target['targetattr']['operator'] = operator
 
 def set_target(self, target, operator="="):

From edc960d83137ecbd73e71e4511d4808b692b4968 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Fri, 11 Sep 2020 12:43:14 -0400
Subject: [PATCH 2/3] Use ACI class set_permissions() method to set permissions

This will ensure uniqueuess and that the ACI has the right
datatype without the caller worrying about it.

https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden 
---
 ipaserver/plugins/aci.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/plugins/aci.py b/ipaserver/plugins/aci.py
index cb87074043..f15eea876d 100644
--- a/ipaserver/plugins/aci.py
+++ b/ipaserver/plugins/aci.py
@@ -271,7 +271,7 @@ def _make_aci(ldap, current, aciname, kw):
 try:
 a = ACI(current)
 a.name = _make_aci_name(kw['aciprefix'], aciname)
-a.permissions = kw['permissions']
+a.set_permissions(kw['permissions'])
 if 'selfaci' in kw and kw['selfaci']:
 a.set_bindrule('userdn = "ldap:///self";')
 else:

From 13698173a9b65b15a4ced83fa44617f

[Freeipa-devel] [freeipa PR#5099][opened] [Backport][ipa-4-8] Require at least 2Gb of available RAM to install the server

2020-09-13 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5099
Author: abbra
 Title: #5099: [Backport][ipa-4-8] Require at least 2Gb of available RAM to install the server
Action: opened

PR body:
"""
This PR was opened automatically because PR #5067 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5099/head:pr5099
git checkout pr5099
From 8eecd088e64bc512c0795b5680487b12c64ac2af Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Thu, 27 Aug 2020 15:22:12 -0400
Subject: [PATCH 1/2] Require at least 1.6Gb of available RAM to install the
 server

Verify that there is at least 1.6Gb of usable RAM on the system. Swap
is not considered. While swap would allow a user to minimally install
IPA it would not be a great experience.

Using any proc-based method to check for available RAM does not
work in containers unless /proc is re-mounted so use cgroups
instead. This also handles the case if the container has memory
constraints on it (-m).

There are envs which mount 'proc' with enabled hidepid option 1
so don't assume that is readable.

Add a switch to skip this memory test if the user is sure they
know what they are doing.

is_hidepid() contributed by Stanislav Levin 

https://pagure.io/freeipa/issue/8404
---
 freeipa.spec.in|  2 +
 ipaserver/install/installutils.py  | 80 ++
 ipaserver/install/server/__init__.py   |  6 ++
 ipaserver/install/server/install.py|  2 +
 ipaserver/install/server/replicainstall.py |  6 +-
 5 files changed, 94 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 70f5bf7ae9..96b5113661 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -221,6 +221,7 @@ BuildRequires:  python3-netaddr >= %{python_netaddr_version}
 BuildRequires:  python3-pyasn1
 BuildRequires:  python3-pyasn1-modules
 BuildRequires:  python3-six
+BuildRequires:  python3-psutil
 
 #
 # Build dependencies for wheel packaging and PyPI upload
@@ -418,6 +419,7 @@ Requires: python3-lxml
 Requires: python3-pki >= %{pki_version}
 Requires: python3-pyasn1 >= 0.3.2-2
 Requires: python3-sssdconfig >= %{sssd_version}
+Requires: python3-psutil
 Requires: rpm-libs
 # Indirect dependency: use newer urllib3 with TLS 1.3 PHA support
 %if 0%{?rhel}
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index a46acf9f5f..0e304a490a 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -18,6 +18,7 @@
 #
 
 from __future__ import absolute_import
+from __future__ import division
 from __future__ import print_function
 
 import logging
@@ -28,6 +29,7 @@
 import os
 import re
 import fileinput
+import psutil
 import sys
 import tempfile
 import shutil
@@ -975,6 +977,84 @@ def check_entropy():
 logger.debug("Invalid value in %s %s", paths.ENTROPY_AVAIL, e)
 
 
+def is_hidepid():
+"""Determine if /proc is mounted with hidepid=1/2 option"""
+try:
+os.lstat('/proc/1/stat')
+except (FileNotFoundError, PermissionError):
+return True
+return False
+
+
+def in_container():
+"""Determine if we're running in a container.
+
+   virt-what will return the underlying machine information so
+   isn't usable here.
+
+   systemd-detect-virt requires the whole systemd subsystem which
+   isn't a reasonable require in a container.
+"""
+if not is_hidepid():
+with open('/proc/1/sched', 'r') as sched:
+data_sched = sched.readline()
+else:
+data_sched = []
+
+with open('/proc/self/cgroup', 'r') as cgroup:
+data_cgroup = cgroup.readline()
+
+checks = [
+data_sched.split()[0] not in ('systemd', 'init',),
+data_cgroup.split()[0] in ('libpod'),
+os.path.exists('/.dockerenv'),
+os.path.exists('/.dockerinit'),
+os.getenv('container', None) is not None
+]
+
+return any(checks)
+
+
+def check_available_memory(ca=False):
+"""
+Raise an exception if there isn't enough memory for IPA to install.
+
+In a container then psutil will most likely return the host memory
+and not the container. If in a container use the cgroup values which
+also may not be constrained but it's the best approximation.
+
+2GB is the rule-of-thumb minimum but the server is installable with
+less.
+
+The CA uses ~150MB in a fresh install.
+
+Use Kb instead of KiB to leave a bit of slush for the OS
+"""
+minimum_suggested = 1000 * 1000 * 1000 * 1.6
+if not ca:
+minimum_suggested -= 150 * 1000 * 1000
+if in_container():
+if os.path.exists(
+'/sys/fs/cgroup/memory/memory.limit_in_bytes'
+) and os.path.exists('/sys/fs/cgroup/memory/memory.usage_in_bytes'):
+with open('/sys/fs/cgroup/memory/memory.limit_in_bytes') as fd:
+limit = int(fd.readline())
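Review bot: `in_container()` raises when `/proc` is mounted with hidepid: the `else` branch sets `data_sched = []`, and the first entry of `checks` then calls `data_sched.split()`, which is an `AttributeError` on a list. Initialise it to `''` and guard the `split()[0]` indexing, since an empty first line of `/proc/1/sched` would raise `IndexError` for the same reason. The second check, `data_cgroup.split()[0] in ('libpod')`, is a substring test against the string `'libpod'` rather than tuple membership, because `('libpod')` is not a tuple; and the first whitespace-separated token of `/proc/self/cgroup` is the whole `hierarchy:controllers:path` line, so the expression is true only for an empty string. The intent is presumably `'libpod' in data_cgroup`. Finally, `check_available_memory()` consults only the cgroup v1 files under `/sys/fs/cgroup/memory/`; on a host using the unified cgroup v2 hierarchy those paths do not exist and a container memory limit is silently ignored, so consider reading `/sys/fs/cgroup/memory.max` (which holds the word `max` when unlimited) as well, and note that an unconstrained v1 `memory.limit_in_bytes` is a very large sentinel value rather than a missing file.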

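The commit message above explains why the check reads cgroup files rather than `/proc` when running in a container. The following Python is an added example, not the project's `installutils` code: it reads the limit from either the cgroup v1 files named in the patch or the cgroup v2 `memory.max` file, treats the "unlimited" sentinels of both as "no limit", and applies the 1.6 GB and 150 MB figures from the patch. The cgroup root is a parameter so the logic can be exercised against constructed files; the v1 unlimited threshold, the fixture helper and the function names are this example's assumptions.

```python
"""Container-aware memory limit lookup, added beside the patch above.
Not FreeIPA's installutils code; paths follow the cgroup v1 layout the
patch uses plus the cgroup v2 unified layout."""

import os
import tempfile
from typing import Optional

# cgroup v1 reports "no limit" as a very large number close to 2**63;
# cgroup v2 writes the literal word "max".  Anything at or above this
# threshold is treated as unconstrained (an assumption of this example).
_V1_UNLIMITED_THRESHOLD = 2 ** 62

# Figures from the patch: 1.6 GB rule of thumb, ~150 MB of it for the CA.
MINIMUM_SUGGESTED = 1600 * 1000 ** 2
CA_ALLOWANCE = 150 * 1000 ** 2


def _read_int_or_none(path: str) -> Optional[int]:
    """Integer from a single-line sysfs file; None if missing or 'max'."""
    try:
        with open(path) as fd:
            text = fd.readline().strip()
    except OSError:
        return None
    if text == "max":
        return None
    return int(text)


def cgroup_memory_limit(cgroup_root: str = "/sys/fs/cgroup") -> Optional[int]:
    """Memory limit in bytes for this cgroup, or None when unconstrained.

    The v2 unified file is tried first, then the v1 memory controller
    files used by the patch above.
    """
    v2 = _read_int_or_none(os.path.join(cgroup_root, "memory.max"))
    if v2 is not None:
        return v2
    v1 = _read_int_or_none(
        os.path.join(cgroup_root, "memory", "memory.limit_in_bytes"))
    if v1 is not None and v1 < _V1_UNLIMITED_THRESHOLD:
        return v1
    return None


def cgroup_memory_available(cgroup_root: str = "/sys/fs/cgroup") -> Optional[int]:
    """Limit minus current usage, or None when there is no limit (the
    caller should then fall back to host figures, e.g. from psutil)."""
    limit = cgroup_memory_limit(cgroup_root)
    if limit is None:
        return None
    usage = _read_int_or_none(os.path.join(cgroup_root, "memory.current"))
    if usage is None:
        usage = _read_int_or_none(
            os.path.join(cgroup_root, "memory", "memory.usage_in_bytes"))
    return limit - (usage or 0)


def enough_memory(available: Optional[int], ca: bool = True) -> bool:
    """Apply the patch's rule: 1.6 GB, minus the CA allowance when no CA
    is installed.  An unknown figure (no cgroup limit) passes here and
    is left to the host-level check."""
    minimum = MINIMUM_SUGGESTED if ca else MINIMUM_SUGGESTED - CA_ALLOWANCE
    return available is None or available >= minimum


def make_fake_cgroup(version: int, limit: str, usage: str) -> str:
    """Write a constructed cgroup tree into a temporary directory.

    Test fixture only: real systems mount this under /sys/fs/cgroup.
    """
    root = tempfile.mkdtemp(prefix="cg")
    if version == 2:
        base, names = root, ("memory.max", "memory.current")
    else:
        base = os.path.join(root, "memory")
        os.mkdir(base)
        names = ("memory.limit_in_bytes", "memory.usage_in_bytes")
    for name, value in zip(names, (limit, usage)):
        with open(os.path.join(base, name), "w") as fd:
            fd.write(value + "\n")
    return root


if __name__ == "__main__":
    avail = cgroup_memory_available()
    print("cgroup limit:", cgroup_memory_limit(), "available:", avail)
    print("enough for server+CA:", enough_memory(avail))
```

Reading `memory.max` first matters on hosts that boot with the unified hierarchy, where the v1 `memory/` directory is simply absent and a container limit would otherwise be missed.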
[Freeipa-devel] [freeipa PR#5067][closed] Require at least 2Gb of available RAM to install the server

2020-09-13 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5067
Author: rcritten
 Title: #5067: Require at least 2Gb of available RAM to install the server
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5067/head:pr5067
git checkout pr5067


[Freeipa-devel] [freeipa PR#5096][closed] Add index for more trust-related attributes

2020-09-13 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5096
Author: rcritten
 Title: #5096: Add index for more trust-related attributes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5096/head:pr5096
git checkout pr5096


[Freeipa-devel] [freeipa PR#5100][opened] [Backport][ipa-4-8] Add index for more trust-related attributes

2020-09-13 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5100
Author: abbra
 Title: #5100: [Backport][ipa-4-8] Add index for more trust-related attributes
Action: opened

PR body:
"""
This PR was opened automatically because PR #5096 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5100/head:pr5100
git checkout pr5100
From d9e8d8f5f8216819d61122ccc541d259688282b0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Fri, 11 Sep 2020 15:15:53 -0400
Subject: [PATCH] Add index for more trust-related attributes

Add index for ipaNTTrustPartner, ipaNTSecurityIdentifier and
krbprincipalname

https://pagure.io/freeipa/issue/8491

Signed-off-by: Rob Crittenden 
---
 install/updates/20-indices.update | 21 +
 1 file changed, 21 insertions(+)

diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index 506fe51b7d..feb637a6bc 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -395,3 +395,24 @@ default: objectClass: top
 default: objectClass: nsIndex
 default: nsSystemIndex: false
 default: nsIndexType: eq
+
+dn: cn=ipaNTTrustPartner,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default: cn: ipaNTTrustPartner
+default: objectClass: top
+default: objectClass: nsIndex
+default: nsSystemIndex: false
+default: nsIndexType: pres
+
+dn: cn=ipaNTSecurityIdentifier,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default: cn: ipaNTSecurityIdentifier
+default: objectClass: top
+default: objectClass: nsIndex
+default: nsSystemIndex: false
+default: nsIndexType: pres
+
+dn: cn=krbprincipalname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default: cn: krbprincipalname
+default: objectClass: top
+default: objectClass: nsIndex
+default: nsSystemIndex: false
+default: nsIndexType: pres
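Review bot: all three new index entries are `nsIndexType: pres` only. A presence index serves `(attr=*)` filters; looking up a trust by `ipaNTTrustPartner` or an object by `ipaNTSecurityIdentifier` is an equality search, which stays unindexed unless `nsIndexType: eq` is listed as well (both types may be given on the same entry). Because these lines use `default:`, please also check whether an index entry for `krbPrincipalName` already exists in the base indices: if it does, the new block is a no-op against it, and if it does not, the equality and extensible-match lookups the KDB driver issues on that attribute (see the filter quoted in PR#5086 above) would need `eq` rather than `pres`. Lastly, confirm that the updater schedules a reindex task for these entries, since adding an index definition does not by itself index the existing entries.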


[Freeipa-devel] [freeipa PR#5103][opened] Specify memory limits as strings for docker compose

2020-09-14 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5103
Author: abbra
 Title: #5103: Specify memory limits as strings for docker compose
Action: opened

PR body:
"""
Fixes the following error in Azure Pipelines CI after upgrade of Docker
setup:

[2020-09-14 06:50:07] The Compose file './docker-compose.yml' is invalid 
because:
[2020-09-14 06:50:07] services.client.mem_limit contains an invalid type, it 
should be a string

Fixes: https://pagure.io/freeipa/issue/8494
Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5103/head:pr5103
git checkout pr5103
From ea03516b82e927f088984aac16d2e012ed9c498a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 14 Sep 2020 11:22:02 +0300
Subject: [PATCH] Specify memory limits as strings for docker compose

Fixes the following error in Azure Pipelines CI after upgrade of Docker
setup:

[2020-09-14 06:50:07] The Compose file './docker-compose.yml' is invalid because:
[2020-09-14 06:50:07] services.client.mem_limit contains an invalid type, it should be a string

Fixes: https://pagure.io/freeipa/issue/8494
Signed-off-by: Alexander Bokovoy 
---
 ipatests/azure/Dockerfiles/docker-compose.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipatests/azure/Dockerfiles/docker-compose.yml b/ipatests/azure/Dockerfiles/docker-compose.yml
index 8db097bfb3..3bfd1a14c2 100644
--- a/ipatests/azure/Dockerfiles/docker-compose.yml
+++ b/ipatests/azure/Dockerfiles/docker-compose.yml
@@ -8,7 +8,7 @@ services:
 security_opt:
 - apparmor:unconfined
 - seccomp:./seccomp.json
-mem_limit: 1900m
+mem_limit: "1900m"
 volumes:
 - /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd
 - ./ipa-test-config.yaml:/root/.ipa/ipa-test-config.yaml:ro
@@ -25,7 +25,7 @@ services:
 security_opt:
 - apparmor:unconfined
 - seccomp:./seccomp.json
-mem_limit: 1900m
+mem_limit: "1900m"
 volumes:
 - /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd
 networks:
@@ -39,7 +39,7 @@ services:
 security_opt:
 - apparmor:unconfined
 - seccomp:./seccomp.json
-mem_limit: 536870912
+mem_limit: "536870912"
 volumes:
 - /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd
 # nfs server
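Review bot: the third service keeps its limit as a raw byte count, `mem_limit: "536870912"`, while the first two use the unit form `"1900m"`; since this hunk only adds quotes, it is a good moment to write it as `"512m"` so the three limits can be compared at a glance and the same parser path is used for all of them.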


[Freeipa-devel] [freeipa PR#5104][opened] [Backport][ipa-4-8] Specify memory limits as strings for docker compose

2020-09-14 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5104
Author: abbra
 Title: #5104: [Backport][ipa-4-8] Specify memory limits as strings for docker compose
Action: opened

PR body:
"""
This PR was opened automatically because PR #5103 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5104/head:pr5104
git checkout pr5104
From cc8b6d876a7c32ad4dd4286ddb220a7542f4913d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 14 Sep 2020 11:22:02 +0300
Subject: [PATCH] Specify memory limits as strings for docker compose

Fixes the following error in Azure Pipelines CI after upgrade of Docker
setup:

[2020-09-14 06:50:07] The Compose file './docker-compose.yml' is invalid because:
[2020-09-14 06:50:07] services.client.mem_limit contains an invalid type, it should be a string

Fixes: https://pagure.io/freeipa/issue/8494
Signed-off-by: Alexander Bokovoy 
---
 ipatests/azure/Dockerfiles/docker-compose.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ipatests/azure/Dockerfiles/docker-compose.yml b/ipatests/azure/Dockerfiles/docker-compose.yml
index 8db097bfb3..3bfd1a14c2 100644
--- a/ipatests/azure/Dockerfiles/docker-compose.yml
+++ b/ipatests/azure/Dockerfiles/docker-compose.yml
@@ -8,7 +8,7 @@ services:
 security_opt:
 - apparmor:unconfined
 - seccomp:./seccomp.json
-mem_limit: 1900m
+mem_limit: "1900m"
 volumes:
 - /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd
 - ./ipa-test-config.yaml:/root/.ipa/ipa-test-config.yaml:ro
@@ -25,7 +25,7 @@ services:
 security_opt:
 - apparmor:unconfined
 - seccomp:./seccomp.json
-mem_limit: 1900m
+mem_limit: "1900m"
 volumes:
 - /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd
 networks:
@@ -39,7 +39,7 @@ services:
 security_opt:
 - apparmor:unconfined
 - seccomp:./seccomp.json
-mem_limit: 536870912
+mem_limit: "536870912"
 volumes:
 - /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd
 # nfs server
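Review bot: the third hunk keeps a raw byte count, `mem_limit: "536870912"`, while the two hunks above use the unit-suffixed form `"1900m"`; now that all three values are strings anyway, `"512m"` would make the file self-consistent and easier to read. It would also help to record in the commit message which compose version started rejecting the bare numeric form, so the quoting is not "cleaned up" again later.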


[Freeipa-devel] [freeipa PR#5103][closed] Specify memory limits as strings for docker compose

2020-09-14 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5103
Author: abbra
 Title: #5103: Specify memory limits as strings for docker compose
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5103/head:pr5103
git checkout pr5103


[Freeipa-devel] [freeipa PR#5101][closed] Add krbPrincipalName pres index correctly

2020-09-14 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5101
Author: tiran
 Title: #5101: Add krbPrincipalName pres index correctly
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5101/head:pr5101
git checkout pr5101


[Freeipa-devel] [freeipa PR#5106][opened] [Backport][ipa-4-8] Add krbPrincipalName pres index correctly

2020-09-14 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5106
Author: abbra
 Title: #5106: [Backport][ipa-4-8] Add krbPrincipalName pres index correctly
Action: opened

PR body:
"""
This PR was opened automatically because PR #5101 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5106/head:pr5106
git checkout pr5106
From f30b77b6bde0ffdfc534830834a397140911666f Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 14 Sep 2020 09:57:01 +0200
Subject: [PATCH] Add krbPrincipalName pres index correctly

See: 20b55f4017ab42113f1ced829a4b4afa17839b55
See: https://pagure.io/freeipa/issue/8491
Signed-off-by: Christian Heimes 
---
 install/share/indices.ldif| 1 +
 install/updates/20-indices.update | 8 +---
 2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/install/share/indices.ldif b/install/share/indices.ldif
index f5c3829fc1..1e83c1046d 100644
--- a/install/share/indices.ldif
+++ b/install/share/indices.ldif
@@ -6,6 +6,7 @@ cn:krbPrincipalName
 nsSystemIndex:false
 nsIndexType:eq
 nsIndexType:sub
+nsIndexType:pres
 nsMatchingRule:caseIgnoreIA5Match
 nsMatchingRule:caseExactIA5Match
 
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index feb637a6bc..65ee183a80 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -282,6 +282,7 @@ only: nsMatchingRule: caseIgnoreIA5Match
 only: nsMatchingRule: caseExactIA5Match
 only:nsIndexType: eq
 only:nsIndexType: sub
+only:nsIndexType: pres
 
 dn: cn=krbCanonicalName,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default: cn: krbCanonicalName
@@ -409,10 +410,3 @@ default: objectClass: top
 default: objectClass: nsIndex
 default: nsSystemIndex: false
 default: nsIndexType: pres
-
-dn: cn=krbprincipalname,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
-default: cn: krbprincipalname
-default: objectClass: top
-default: objectClass: nsIndex
-default: nsSystemIndex: false
-default: nsIndexType: pres
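Review bot: the deleted lowercase `cn=krbprincipalname` entry differs from the existing `cn=krbPrincipalName` index only in case; if the updater matched it to the existing entry, its `default:` lines never applied and the `pres` index was silently never created, which looks like the failure this change fixes. That reasoning belongs in the commit message rather than only a bare `See:` commit reference, and it is worth confirming on an already-upgraded server that no stray lowercase index entry was created by the earlier update, since nothing in this hunk removes one.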


[Freeipa-devel] [freeipa PR#5153][opened] Pre-populate IP addresses for the name server upgrades

2020-09-26 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5153
Author: abbra
 Title: #5153: Pre-populate IP addresses for the name server upgrades
Action: opened

PR body:
"""
Setting up resolv.conf in BIND instance expects IP addresses of the
server to be provided. This is done with BindInstance.setup() method
call. However, when reusing resolver setup during upgrade BIND instance
has no IP addresses configured and fails with an assert in
tasks.configure_dns_resolver().

Pass through the server's IP addresses during upgrade.

Fixes: https://pagure.io/freeipa/issue/8518

Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5153/head:pr5153
git checkout pr5153
From f9900ef2401070351353724ef92111ec541e67f0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Sat, 26 Sep 2020 16:30:58 +0300
Subject: [PATCH] Pre-populate IP addresses for the name server upgrades

Setting up resolv.conf in BIND instance expects IP addresses of the
server to be provided. This is done with BindInstance.setup() method
call. However, when reusing resolver setup during upgrade BIND instance
has no IP addresses configured and fails with an assert in
tasks.configure_dns_resolver().

Pass through the server's IP addresses during upgrade.

Fixes: https://pagure.io/freeipa/issue/8518

Signed-off-by: Alexander Bokovoy 
---
 ipaserver/install/server/upgrade.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 332f8b2517..144b340a43 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1451,6 +1451,9 @@ def upgrade_bind(fstore):
 # resolve1's stub resolver config file.
 has_resolved_ipa_conf = os.path.isfile(paths.SYSTEMD_RESOLVED_IPA_CONF)
 if not has_resolved_ipa_conf and detect_resolve1_resolv_conf():
+ip_addresses = installutils.get_server_ip_address(
+api.env.host, True, False, [])
+bind.ip_addresses = ip_addresses
 bind.setup_resolv_conf()
 logger.info("Updated systemd-resolved configuration")
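Review bot: `installutils.get_server_ip_address(api.env.host, True, False, [])` passes two bare booleans, so the call does not say which flag selects unattended mode and which skips address verification; keyword arguments would make the intent reviewable. This also runs inside the upgrade path: if the helper raises because the host name does not resolve to a usable address, the whole upgrade aborts on a resolver-configuration step, so consider catching that error, logging it and skipping `bind.setup_resolv_conf()` for that run instead.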
 


[Freeipa-devel] [freeipa PR#5152][closed] [Backport][ipa-4-8] Fix various C compiler warnings

2020-09-26 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5152
Author: abbra
 Title: #5152: [Backport][ipa-4-8] Fix various C compiler warnings
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5152/head:pr5152
git checkout pr5152


[Freeipa-devel] [freeipa PR#5206][opened] [WIP] ipa-kdb: support subordinate/superior UPN suffixes

2020-10-23 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5206
Author: abbra
 Title: #5206: [WIP] ipa-kdb: support subordinate/superior UPN suffixes
Action: opened

PR body:
"""
[MS-ADTS] 6.1.6.9.3.2 requires msDS-TrustForestTrustInfo attribute of
trusted domain information in Active Directory to conform certain rules.
One side-effect of those rules is that list of UPN suffixes reported
through the netr_DsRGetForestTrustInformation function is dynamically
filtered to deduplicate subordinate suffixes.

It means that if list of UPN suffixes contains the following top level
names (TLNs):

  fabrikam.com
  sub.fabrikam.com

then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
as the TLN, fully filtering 'sub.fabrikam.com'.

IPA KDB driver used exact comparison of the UPN suffixes so any
subordinate had to be specified exactly.

Modify logic so that if exact check does not succeed, we validate a
realm to test being a subordinate of the known UPN suffixes. The
subordinate check is done by making sure UPN suffix is at the end of the
test realm and is immediately preceded with a dot.

Because the function to check suffixes potentially called for every
Kerberos principal, precalculate and cache length for each UPN suffix at
the time we retrieve the list of them.

Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5206/head:pr5206
git checkout pr5206
From 4223ef8329487ef08714d27db2a1c1b104c6bb92 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Fri, 23 Oct 2020 18:45:09 +0300
Subject: [PATCH] ipa-kdb: support subordinate/superior UPN suffixes

[MS-ADTS] 6.1.6.9.3.2 requires msDS-TrustForestTrustInfo attribute of
trusted domain information in Active Directory to conform certain rules.
One side-effect of those rules is that list of UPN suffixes reported
through the netr_DsRGetForestTrustInformation function is dynamically
filtered to deduplicate subordinate suffixes.

It means that if list of UPN suffixes contains the following top level
names (TLNs):

  fabrikam.com
  sub.fabrikam.com

then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
as the TLN, fully filtering 'sub.fabrikam.com'.

IPA KDB driver used exact comparison of the UPN suffixes so any
subordinate had to be specified exactly.

Modify logic so that if exact check does not succeed, we validate a
realm to test being a subordinate of the known UPN suffixes. The
subordinate check is done by making sure UPN suffix is at the end of the
test realm and is immediately preceded with a dot.

Because the function to check suffixes potentially called for every
Kerberos principal, precalculate and cache length for each UPN suffix at
the time we retrieve the list of them.

Signed-off-by: Alexander Bokovoy 
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 30 +
 daemons/ipa-kdb/ipa_kdb_mspac_private.h |  1 +
 2 files changed, 31 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 2f1480a95b3..0c1b7eecae7 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2393,6 +2393,7 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
 free((*mspac)->trusts[i].upn_suffixes[j]);
 }
 free((*mspac)->trusts[i].upn_suffixes);
+free((*mspac)->trusts[i].upn_suffixes_len);
 }
 }
 free((*mspac)->trusts);
@@ -2603,6 +2604,24 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
 }
 }
 
+t[n].upn_suffixes_len = NULL;
+if (t[n].upn_suffixes != NULL) {
+size_t len = 0;
+
+for (; t[n].upn_suffixes[len] != NULL; len++);
+
+if (len != 0) {
+t[n].upn_suffixes_len = calloc(n, sizeof(size_t));
+if (t[n].upn_suffixes_len == NULL) {
+ret = EINVAL;
+goto done;
+}
+for (i = 0; i < len; i++) {
+t[n].upn_suffixes_len[i] = strlen(t[n].upn_suffixes[i]);
+}
+}
+}
+
 ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTSIDBlacklistIncoming",
  &sid_blocklist_incoming);
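Review bot: `t[n].upn_suffixes_len = calloc(n, sizeof(size_t));` sizes the array by the trust index `n`, but the loop that follows writes `len` entries (one per suffix); whenever a trust has more UPN suffixes than its position in the list, the stores run past the allocation (heap corruption), and for `n == 0` a zero-length allocation is requested. This should be `calloc(len, sizeof(size_t))`. Separately, an allocation failure is reported as `EINVAL`; `ENOMEM` is the conventional code for it.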
 
@@ -2972,6 +2991,17 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
 result = strncasecmp(test_realm,
 		 ipactx->mspac->trusts[i].upn_suffixes[j],
 		 size) == 0;
+if (!result) {
+	/* if UPN suffix did not match exactly, find if it is
+	 * superior to the test_realm, e.g. if test_realm ends
+	 * with the UPN suffix prefixed with dot*/
+	size_t len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
+	if ((size > len) && (test_realm[size - len - 1] == '.')) {
+		result = strncasecmp(test_realm + (size - len),
+ ipactx->mspac->trus
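Review bot: the exact-match branch at the top of this hunk, `strncasecmp(test_realm, upn_suffixes[j], size) == 0`, compares only the first `size` bytes, so a `test_realm` that is a proper prefix of a suffix (for example `fabrikam.co` against `fabrikam.com`) is reported as an exact match unless a length check outside this hunk rules it out; please confirm, or add `size == upn_suffixes_len[j]` now that the lengths are cached. The new subordinate branch correctly requires the dot immediately before the suffix, which is what keeps a realm such as `evilfabrikam.com` from being accepted for `fabrikam.com`. The remainder of the hunk is cut off in the archive and could not be reviewed.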

[Freeipa-devel] [freeipa PR#5209][opened] [Backport][ipa-4-8] ipa-kdb: support subordinate/superior UPN suffixes

2020-10-27 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5209
Author: abbra
 Title: #5209: [Backport][ipa-4-8] ipa-kdb: support subordinate/superior UPN suffixes
Action: opened

PR body:
"""
[MS-ADTS] 6.1.6.9.3.2 requires msDS-TrustForestTrustInfo attribute of
trusted domain information in Active Directory to conform certain rules.
One side-effect of those rules is that list of UPN suffixes reported
through the netr_DsRGetForestTrustInformation function is dynamically
filtered to deduplicate subordinate suffixes.

It means that if list of UPN suffixes contains the following top level
names (TLNs):

  fabrikam.com
  sub.fabrikam.com

then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
as the TLN, fully filtering 'sub.fabrikam.com'.

IPA KDB driver used exact comparison of the UPN suffixes so any
subordinate had to be specified exactly.

Modify logic so that if exact check does not succeed, we validate a
realm to test being a subordinate of the known UPN suffixes. The
subordinate check is done by making sure UPN suffix is at the end of the
test realm and is immediately preceded with a dot.

Because the function to check suffixes potentially called for every
Kerberos principal, precalculate and cache length for each UPN suffix at
the time we retrieve the list of them.

Fixes: https://pagure.io/freeipa/issue/8554

Signed-off-by: Alexander Bokovoy 
Reviewed-By: Rob Crittenden 
Reviewed-By: Robbie Harwood 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5209/head:pr5209
git checkout pr5209
From fed1a16572e9d4de97a20afc2d9066d2d0c8c3ba Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Fri, 23 Oct 2020 18:45:09 +0300
Subject: [PATCH] ipa-kdb: support subordinate/superior UPN suffixes

[MS-ADTS] 6.1.6.9.3.2 requires msDS-TrustForestTrustInfo attribute of
trusted domain information in Active Directory to conform certain rules.
One side-effect of those rules is that list of UPN suffixes reported
through the netr_DsRGetForestTrustInformation function is dynamically
filtered to deduplicate subordinate suffixes.

It means that if list of UPN suffixes contains the following top level
names (TLNs):

  fabrikam.com
  sub.fabrikam.com

then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
as the TLN, fully filtering 'sub.fabrikam.com'.

IPA KDB driver used exact comparison of the UPN suffixes so any
subordinate had to be specified exactly.

Modify logic so that if exact check does not succeed, we validate a
realm to test being a subordinate of the known UPN suffixes. The
subordinate check is done by making sure UPN suffix is at the end of the
test realm and is immediately preceded with a dot.

Because the function to check suffixes potentially called for every
Kerberos principal, precalculate and cache length for each UPN suffix at
the time we retrieve the list of them.

Fixes: https://pagure.io/freeipa/issue/8554

Signed-off-by: Alexander Bokovoy 
Reviewed-By: Rob Crittenden 
Reviewed-By: Robbie Harwood 
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 30 +
 daemons/ipa-kdb/ipa_kdb_mspac_private.h |  1 +
 2 files changed, 31 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 29dadc1835c..692f542c9df 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2393,6 +2393,7 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
 free((*mspac)->trusts[i].upn_suffixes[j]);
 }
 free((*mspac)->trusts[i].upn_suffixes);
+free((*mspac)->trusts[i].upn_suffixes_len);
 }
 }
 free((*mspac)->trusts);
@@ -2603,6 +2604,24 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
 }
 }
 
+t[n].upn_suffixes_len = NULL;
+if (t[n].upn_suffixes != NULL) {
+size_t len = 0;
+
+for (; t[n].upn_suffixes[len] != NULL; len++);
+
+if (len != 0) {
+t[n].upn_suffixes_len = calloc(n, sizeof(size_t));
+if (t[n].upn_suffixes_len == NULL) {
+ret = ENOMEM;
+goto done;
+}
+for (i = 0; i < len; i++) {
+t[n].upn_suffixes_len[i] = strlen(t[n].upn_suffixes[i]);
+}
+}
+}
+
 ret = ipadb_ldap_attr_to_strlist(lc, le, "ipaNTSIDBlacklistIncoming",
  &sid_blacklist_incoming);
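Review bot: the error code is now `ENOMEM`, but `calloc(n, sizeof(size_t))` still allocates by the trust index `n` instead of the suffix count `len` that the loop below iterates over; with more suffixes than the trust's position in the list, the `upn_suffixes_len[i]` stores overrun the buffer. Change it to `calloc(len, sizeof(size_t))` before this lands on the stable branch.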
 
@@ -2972,6 +2991,17 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
 result = strncasecmp(test_realm,
 		 ipactx->mspac->trusts[i].upn_suffixes[j],
 		 size) == 0;
+if (!result) {
+	/* if UPN suffix did not match exactly, find if it is
+	 * superior to the test_realm, e.g. if test_realm ends
+	 * with the UPN suffix prefixed with dot
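The subordinate UPN suffix check described in the PR body above (the same logic as PR#5206), written out as an added example rather than the ipa-kdb code from the patch. The struct `trust_suffixes`, the functions `cache_suffix_lengths`, `realm_matches_suffixes` and `demo_checks`, and the sample suffixes `fabrikam.com` and `contoso.com` are constructed for illustration. The length cache is allocated by suffix count, as the later fix in PR#5232 does, and two guards are added that the hunk does not show: an exact match must also be equal in length, and an empty label before the dot is rejected.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for the per-trust fields the patch adds:
 * a NULL-terminated list of UPN suffixes plus a cache of their lengths. */
struct trust_suffixes {
    char **upn_suffixes;       /* NULL-terminated, as in the patch */
    size_t *upn_suffixes_len;  /* one cached strlen() per suffix */
    size_t count;              /* number of suffixes (added for clarity) */
};

/* Build the length cache once, when the trust list is loaded.
 * The array is sized by the suffix count (len), not by the trust index,
 * which is the sizing mistake PR#5232 later corrects.
 * Returns 0 on success or an errno value. */
int cache_suffix_lengths(struct trust_suffixes *t)
{
    size_t len = 0;

    t->upn_suffixes_len = NULL;
    t->count = 0;
    if (t->upn_suffixes == NULL)
        return 0;
    for (; t->upn_suffixes[len] != NULL; len++) { }
    if (len == 0)
        return 0;
    t->upn_suffixes_len = calloc(len, sizeof(size_t));
    if (t->upn_suffixes_len == NULL)
        return ENOMEM;
    for (size_t i = 0; i < len; i++)
        t->upn_suffixes_len[i] = strlen(t->upn_suffixes[i]);
    t->count = len;
    return 0;
}

/* True when test_realm (size bytes, not necessarily NUL-terminated) is
 * exactly one of the suffixes, or a subordinate of one: the suffix sits at
 * the very end and is immediately preceded by a dot. The dot requirement is
 * what keeps "evilfabrikam.com" from matching "fabrikam.com". Two guards go
 * beyond the hunk: exact matches must also be equal in length, and an empty
 * label before the dot (".fabrikam.com") is rejected. */
bool realm_matches_suffixes(const struct trust_suffixes *t,
                            const char *test_realm, size_t size)
{
    for (size_t j = 0; j < t->count; j++) {
        const char *suffix = t->upn_suffixes[j];
        size_t len = t->upn_suffixes_len[j];

        /* exact, case-insensitive match */
        if (size == len && strncasecmp(test_realm, suffix, size) == 0)
            return true;
        /* subordinate: "<label(s)>." followed by the suffix */
        if (size > len + 1 && test_realm[size - len - 1] == '.' &&
            strncasecmp(test_realm + (size - len), suffix, len) == 0)
            return true;
    }
    return false;
}

/* Constructed sample trust with two UPN suffixes. */
static char *demo_suffixes[] = { "fabrikam.com", "contoso.com", NULL };

/* Runs constructed realms through the check; returns the number of results
 * that differ from the expected decision (0 means all as expected). */
int demo_checks(void)
{
    struct { const char *realm; bool expect; } cases[] = {
        { "fabrikam.com",      true  },  /* exact */
        { "FABRIKAM.COM",      true  },  /* case-insensitive */
        { "sub.fabrikam.com",  true  },  /* subordinate */
        { "a.b.contoso.com",   true  },  /* deeper subordinate */
        { "evilfabrikam.com",  false },  /* no dot before the suffix */
        { "fabrikam.com.evil", false },  /* suffix not at the end */
        { "fab",               false },  /* shorter than any suffix */
        { ".fabrikam.com",     false },  /* empty label before the dot */
    };
    struct trust_suffixes t = { demo_suffixes, NULL, 0 };
    int failures = 0;

    if (cache_suffix_lengths(&t) != 0)
        return -1;
    if (t.count != 2 || t.upn_suffixes_len[0] != 12 || t.upn_suffixes_len[1] != 11)
        failures++;
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        bool got = realm_matches_suffixes(&t, cases[i].realm, strlen(cases[i].realm));
        printf("%-20s -> %s\n", cases[i].realm, got ? "trusted realm" : "no match");
        if (got != cases[i].expect)
            failures++;
    }
    free(t.upn_suffixes_len);
    return failures;
}

int main(void)
{
    return demo_checks() == 0 ? 0 : 1;
}
```

Running it prints one decision per constructed realm; `demo_checks()` returns the number of decisions that differ from the expected column, so it doubles as a regression check for the dot-before-suffix rule and for the length-cache sizing.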

[Freeipa-devel] [freeipa PR#5213][opened] rpcserver: fallback to non-armored kinit in case of trusted domains

2020-10-28 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5213
Author: abbra
 Title: #5213: rpcserver: fallback to non-armored kinit in case of trusted domains
Action: opened

PR body:
"""
MIT Kerberos implements FAST negotiation as specified in RFC 6806
section 11. The implementation relies on the caller to provide a hint
whether FAST armoring must be used.

FAST armor can only be used when both client and KDC have a shared
secret. When KDC is from a trusted domain, there is no way to have a
shared secret between a generic Kerberos client and that KDC.

[MS-KILE] section 3.2.5.4 'Using FAST When the Realm Supports FAST'
allows KILE clients (Kerberos clients) to have local settings that
direct it to enforce use of FAST. This is equal to the current
implementation of 'kinit' utility in MIT Kerberos requiring to use FAST
if armor cache (option '-T') is provided.

[MS-KILE] section 3.3.5.7.4 defines a way for a computer from a
different realm to use compound identity TGS-REQ to create FAST TGS-REQ
explicitly armored with the computer's TGT. However, this method is not
available to IPA framework as we don't have access to the IPA server's
host key. In addition, 'kinit' utility does not support this method.

Active Directory has a policy to force use of FAST when client
advertizes its use. Since we cannot know in advance whether a principal
to obtain initial credentials for belongs to our realm or to a trusted
one due to enterprise principal canonicalization, we have to try to
kinit. Right now we fail unconditionally if FAST couldn't be used and
libkrb5 communication with a KDC from the user realm (e.g. from a
trusted forest) causes enforcement of a FAST.

In the latter case, as we cannot use FAST anyway, try to kinit again
without advertizing FAST. This works even in the situations when FAST
enforcement is enabled on Active Directory side: if client doesn't
advertize FAST capability, it is not required. Additionally, FAST cannot
be used for any practical need for a trusted domain's users yet.

Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5213/head:pr5213
git checkout pr5213
From 5d1f386de0fe69b021a98fa74248f5365cda6161 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 28 Oct 2020 17:46:56 +0200
Subject: [PATCH] rpcserver: fallback to non-armored kinit in case of trusted
 domains

MIT Kerberos implements FAST negotiation as specified in RFC 6806
section 11. The implementation relies on the caller to provide a hint
whether FAST armoring must be used.

FAST armor can only be used when both client and KDC have a shared
secret. When KDC is from a trusted domain, there is no way to have a
shared secret between a generic Kerberos client and that KDC.

[MS-KILE] section 3.2.5.4 'Using FAST When the Realm Supports FAST'
allows KILE clients (Kerberos clients) to have local settings that
direct it to enforce use of FAST. This is equal to the current
implementation of 'kinit' utility in MIT Kerberos requiring to use FAST
if armor cache (option '-T') is provided.

[MS-KILE] section 3.3.5.7.4 defines a way for a computer from a
different realm to use compound identity TGS-REQ to create FAST TGS-REQ
explicitly armored with the computer's TGT. However, this method is not
available to IPA framework as we don't have access to the IPA server's
host key. In addition, 'kinit' utility does not support this method.

Active Directory has a policy to force use of FAST when client
advertizes its use. Since we cannot know in advance whether a principal
to obtain initial credentials for belongs to our realm or to a trusted
one due to enterprise principal canonicalization, we have to try to
kinit. Right now we fail unconditionally if FAST couldn't be used and
libkrb5 communication with a KDC from the user realm (e.g. from a
trusted forest) causes enforcement of a FAST.

In the latter case, as we cannot use FAST anyway, try to kinit again
without advertizing FAST. This works even in the situations when FAST
enforcement is enabled on Active Directory side: if client doesn't
advertize FAST capability, it is not required. Additionally, FAST cannot
be used for any practical need for a trusted domain's users yet.

Signed-off-by: Alexander Bokovoy 
---
 ipalib/errors.py   |  6 +++
 ipaserver/rpcserver.py | 95 ++
 2 files changed, 66 insertions(+), 35 deletions(-)

diff --git a/ipalib/errors.py b/ipalib/errors.py
index 1b17ca7edcd..b514669e484 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -245,6 +245,12 @@ class PluginModuleError(PrivateError):
 format = '%(name)s is not a valid plugin module'
 
 
+class KrbPrincipalSkipFAST(PrivateError):
+"""
+Raised when it is not possible to use our FAST armor for kinit
+"""
+format = '%(principal) cannot use Anonymous PKINIT as a FAST armor'
+
 ##
 # P
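Review bot: the format string `'%(principal) cannot use Anonymous PKINIT as a FAST armor'` is missing the conversion character after `%(principal)`; Python's `%`-formatting raises `ValueError: incomplete format` when it is rendered, so the message of this exception can never be produced. It should read `'%(principal)s cannot use ...'`. A short docstring note on when this private error is raised relative to the retry without FAST would also help reviewers of the `rpcserver.py` part of the change, which is cut off in the archive here.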

[Freeipa-devel] [freeipa PR#5223][closed] ipatests: curl outputs the cookie in stderr and not in sdtout

2020-11-02 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5223
Author: flo-renaud
 Title: #5223: ipatests: curl outputs the cookie in stderr and not in sdtout
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5223/head:pr5223
git checkout pr5223


[Freeipa-devel] [freeipa PR#5226][opened] [Backport][ipa-4-8] ipatests: curl outputs the cookie in stderr and not in sdtout

2020-11-02 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5226
Author: abbra
 Title: #5226: [Backport][ipa-4-8] ipatests: curl outputs the cookie in stderr and not in sdtout
Action: opened

PR body:
"""
This PR was opened automatically because PR #5223 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5226/head:pr5226
git checkout pr5226
From 4ed03758e7862a4e8c6155bdcbf80f783061c80c Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Mon, 2 Nov 2020 14:43:04 +0100
Subject: [PATCH] ipatests: curl outputs the cookie in stderr and not in sdtout

The integration test test_trust.py::TestTrust::test_password_login_as_aduser
is expecting curl to output the cookie obtained after password login
in stdout but should use stderr instead.

Fixes: https://pagure.io/freeipa/issue/8559
---
 ipatests/test_integration/test_trust.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index bec918a3142..7e4dbcc6e30 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -193,7 +193,7 @@ def test_password_login_as_aduser(self):
 '--data', user_and_password,
 'https://{}/ipa/session/login_password'.format(host)]
 result = self.master.run_command(cmd_args)
-assert "Set-Cookie: ipa_session=MagBearerToken" in result.stdout_text
+assert "Set-Cookie: ipa_session=MagBearerToken" in result.stderr_text
 tasks.kinit_admin(self.master)
 
 def test_ipauser_authentication_with_nonposix_trust(self):
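Review bot: switching the assertion to `result.stderr_text` ties the test to curl printing response headers on stderr, which only happens in verbose mode and depends on curl's version-specific formatting; the start of the `cmd_args` list is not visible in this hunk, so please check that the headers are requested explicitly rather than relied on as a side effect of verbosity. `curl -i` (or `-D -`) writes the response headers to stdout deterministically, which would make the `Set-Cookie: ipa_session=MagBearerToken` check independent of how verbose output is routed.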


[Freeipa-devel] [freeipa PR#5230][opened] wgi/plugins.py: ignore empty plugin directories

2020-11-05 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5230
Author: abbra
 Title: #5230: wgi/plugins.py: ignore empty plugin directories
Action: opened

PR body:
"""
Dynamic plugin registry returns as a plugin any folder within the
plugins directory. Web UI then attempts to load for each plugin 'foo' a
JavaScript file named 'foo/foo.js'. The problem is that if 'foo/foo.js'
does not exist, Web UI breaks and it is impossible to recover until the
empty folder is removed or 'foo/foo.js' (even empty) is created at the
server side.

Check that 'foo/foo.js' actually exists when including a plugin into the
registry.

Test the registry generator by creating fake plugins and removing them
during the test.

Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5230/head:pr5230
git checkout pr5230
From 58126b696aadac7b8c05077089e34aa717343502 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Fri, 6 Nov 2020 09:53:35 +0200
Subject: [PATCH] wgi/plugins.py: ignore empty plugin directories

Dynamic plugin registry returns as a plugin any folder within the
plugins directory. Web UI then attempts to load for each plugin 'foo' a
JavaScript file named 'foo/foo.js'. The problem is that if 'foo/foo.js'
does not exist, Web UI breaks and it is impossible to recover until the
empty folder is removed or 'foo/foo.js' (even empty) is created at the
server side.

Check that 'foo/foo.js' actually exists when including a plugin into the
registry.

Test the registry generator by creating fake plugins and removing them
during the test.

Signed-off-by: Alexander Bokovoy 
---
 install/wsgi/plugins.py   |  5 +-
 ipatests/test_ipaserver/test_jsplugins.py | 82 +++
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 ipatests/test_ipaserver/test_jsplugins.py

diff --git a/install/wsgi/plugins.py b/install/wsgi/plugins.py
index f80cfb9feba..4c43e7f8790 100644
--- a/install/wsgi/plugins.py
+++ b/install/wsgi/plugins.py
@@ -36,7 +36,10 @@ def get_plugin_index():
 
 dirs = os.listdir(paths.IPA_JS_PLUGINS_DIR)
 index = 'define([],function(){return['
-index += ','.join("'"+x+"'" for x in dirs)
+for x in dirs:
+p = os.path.join(paths.IPA_JS_PLUGINS_DIR, x, x + '.js')
+if os.path.exists(p):
+index += "'" + x + "',"
 index += '];});'
 return index.encode('utf-8')
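Review bot: the rewritten loop appends `"'" + x + "',"` for each plugin, so the emitted array now ends with a trailing comma (`['foo',]`); that is valid JavaScript, but it changes the generated module for every existing deployment compared with the old `','.join(...)`. Collecting the names in a list and joining once keeps the output identical and also makes it easy to emit them with `json.dumps`, which would close the existing gap that a directory name containing a quote breaks the generated module. `os.path.isfile(p)` is also the more precise check than `os.path.exists(p)` for `foo/foo.js`.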
 
diff --git a/ipatests/test_ipaserver/test_jsplugins.py b/ipatests/test_ipaserver/test_jsplugins.py
new file mode 100644
index 000..9bf11c667ea
--- /dev/null
+++ b/ipatests/test_ipaserver/test_jsplugins.py
@@ -0,0 +1,82 @@
+# Authors:
+#   Martin Kosek 
+#
+# Copyright (C) 2012  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see .
+
+import os
+import pytest
+
+from ipatests.test_ipaserver.httptest import Unauthorized_HTTP_test
+from ipatests.util import assert_equal, assert_not_equal
+from ipaplatform.paths import paths
+
+
+@pytest.mark.tier1
+class test_jsplugins(Unauthorized_HTTP_test):
+app_uri = '/ipa/ui/js/freeipa/plugins.js'
+jsplugins = (('foo', 'foo.js'), ('bar', ''))
+content_type = 'application/javascript'
+
+def test_jsplugins(self):
+empty_response = "define([],function(){return[];});"
+
+# Step 1: make sure default response has no additional plugins
+response = self.send_request(method='GET')
+assert_equal(response.status, 200)
+response_data = response.read()
+assert_equal(response_data, empty_response)
+
+# Step 2: add fake plugins
+try:
+for (d, f) in self.jsplugins:
+dir = os.path.join(paths.IPA_JS_PLUGINS_DIR, d)
+if not os.path.exists(dir):
+os.mkdir(dir, 0o755)
+if f:
+with os.open(os.path.join(dir, f), 'w') as js:
+js.write("/* test js plugin */")
+
+except OSError as e:
+pytest.skip(
+'Cannot set up test JS plugin: %s' % e
+)
+
+# Step 3: query plugins to see if our plugins exist
+response = self.send_request(method='GET')
+assert_equal(response.status, 200)
+response_data = response.read()
+assert_not_equal(response_data, empty_resp
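Review bot: `os.open(os.path.join(dir, f), 'w')` is the low-level `os.open(path, flags)` call; it does not accept a mode string or return a file object, so `with ... as js: js.write(...)` fails before the plugin file is written, and because the `try:` block only catches `OSError`, the resulting `TypeError` is not turned into a skip either. Use the builtin `open(...)`. Also, `dir` shadows the builtin, and the copyright header copied into the new file still names Martin Kosek and 2012. The hunk as shown here is cut off, so the cleanup of the created plugin directories could not be checked.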

[Freeipa-devel] [freeipa PR#5232][opened] ipa-kdb: fix crash in MS-PAC cache init code

2020-11-06 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5232
Author: abbra
 Title: #5232: ipa-kdb: fix crash in MS-PAC cache init code
Action: opened

PR body:
"""
When initializing UPN suffixes, we calculate their sizes and didn't use
the right variable to allocate their size. This affects us if there is
more than one UPN suffix available for a trust due to memory corruption
while filling in sizes.

Add unit test for multiple UPN suffixes.

Fixes: https://pagure.io/freeipa/issue/8566

Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5232/head:pr5232
git checkout pr5232
From 2f0e1173c5b4acc616bd565597335dab7209e2b2 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Fri, 6 Nov 2020 14:07:10 +0200
Subject: [PATCH] ipa-kdb: fix crash in MS-PAC cache init code

When initializing UPN suffixes, we calculate their sizes and didn't use
the right variable to allocate their size. This affects us if there is
more than one UPN suffix available for a trust due to memory corruption
while filling in sizes.

Add unit test for multiple UPN suffixes.

Fixes: https://pagure.io/freeipa/issue/8566

Signed-off-by: Alexander Bokovoy 
---
 daemons/ipa-kdb/ipa_kdb_mspac.c   |  2 +-
 daemons/ipa-kdb/tests/ipa_kdb_tests.c | 56 +++
 2 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index dd29db19010..fe5b586b6ae 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2610,7 +2610,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
 for (; t[n].upn_suffixes[len] != NULL; len++);
 
 if (len != 0) {
-t[n].upn_suffixes_len = calloc(n, sizeof(size_t));
+t[n].upn_suffixes_len = calloc(len, sizeof(size_t));
 if (t[n].upn_suffixes_len == NULL) {
 ret = ENOMEM;
 goto done;
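Review bot: the fix is right, and the failure mode is worth spelling out in a comment: `n` is the trust index (`t[n]`), so sizing `upn_suffixes_len` by it instead of by the suffix count `len` produced a block that was too small whenever a trust had more suffixes than its index, and the loop that fills in the sizes then wrote past the heap allocation (the corruption the commit message describes); for the first trust (`n == 0`) it was `calloc(0, ...)`, which may legitimately return NULL and spuriously fail with ENOMEM. A one-line comment tying the allocation to the `len` counter computed two lines above would keep the two from drifting apart again.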
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index d3ef5c00d47..644660e9fba 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -71,6 +71,10 @@ struct test_ctx {
 #define DOM_SID "S-1-5-21-1-2-3"
 #define DOM_SID_TRUST "S-1-5-21-4-5-6"
 #define BLOCKLIST_SID "S-1-5-1"
+#define NUM_SUFFIXES 10
+#define SUFFIX_TEMPLATE "d%0d" DOMAIN_NAME
+#define TEST_REALM_TEMPLATE "some." SUFFIX_TEMPLATE
+#define EXTERNAL_REALM "WRONG.DOMAIN"
 
 static int setup(void **state)
 {
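Review bot: `SUFFIX_TEMPLATE "d%0d"` is later fed a `size_t` loop counter from both setup() and test_check_trusted_realms(), so `%0d` (an `int` conversion with a zero-pad flag and no width) is an argument type mismatch that gcc -Wformat reports and that is undefined behaviour on LP64; use `"d%zu"`. `EXTERNAL_REALM` contains no conversion at all, so the `i` argument passed to it in the test is unused.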
@@ -92,6 +96,9 @@ static int setup(void **state)
 ipa_ctx = calloc(1, sizeof(struct ipadb_context));
 assert_non_null(ipa_ctx);
 
+kerr = krb5_get_default_realm(krb5_ctx, &ipa_ctx->realm);
+assert_int_equal(kerr, 0);
+
 ipa_ctx->mspac = calloc(1, sizeof(struct ipadb_mspac));
 assert_non_null(ipa_ctx->mspac);
 
@@ -126,6 +133,15 @@ static int setup(void **state)
 &ipa_ctx->mspac->trusts[0].sid_blocklist_incoming[0]);
 assert_int_equal(ret, 0);
 
+ipa_ctx->mspac->trusts[0].upn_suffixes = calloc(NUM_SUFFIXES + 1, sizeof(char *));
+ipa_ctx->mspac->trusts[0].upn_suffixes_len = calloc(NUM_SUFFIXES, sizeof(size_t));
+for (size_t i = 0; i < NUM_SUFFIXES; i++) {
+	asprintf(&(ipa_ctx->mspac->trusts[0].upn_suffixes[i]), SUFFIX_TEMPLATE, i);
+ipa_ctx->mspac->trusts[0].upn_suffixes_len[i] =
+strlen(ipa_ctx->mspac->trusts[0].upn_suffixes[i]);
+
+}
+
 ipa_ctx->kcontext = krb5_ctx;
 kerr = krb5_db_set_context(krb5_ctx, ipa_ctx);
 assert_int_equal(kerr, 0);
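Review bot: the two `calloc()` results for `upn_suffixes` and `upn_suffixes_len` are not checked, unlike every other allocation in setup() (which uses `assert_non_null`), and the `asprintf()` return value is ignored; on failure `upn_suffixes[i]` is left undefined and the `strlen()` on the next line dereferences it. Add `assert_non_null` on both arrays and assert that asprintf does not return -1. The tab-indented asprintf line and the stray blank line before the closing brace also break the file's four-space style.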
@@ -478,6 +494,44 @@ void test_dom_sid_string(void **state)
 }
 
 
+void test_check_trusted_realms(void **state)
+{
+struct test_ctx *test_ctx;
+
+test_ctx = (struct test_ctx *) *state;
+
+for(size_t i = 0; i < NUM_SUFFIXES; i++) {
+char *test_realm = NULL;
+char *trusted_realm = NULL;
+asprintf(&test_realm, TEST_REALM_TEMPLATE, i);
+	krb5_error_code kerr = 0;
+
+if (test_realm) {
+kerr = ipadb_is_princ_from_trusted_realm(
+   test_ctx->krb5_ctx,
+   test_realm,
+   strlen(test_realm),
+   &trusted_realm);
+assert_int_equal(kerr, 0);
+free(test_realm);
+free(trusted_realm);
+}
+
+asprintf(&test_realm, EXTERNAL_REALM, i);
+	kerr = 0;
+
+if (test_realm) {
+kerr = ipadb_is_princ_from_trusted_realm(
+   test_ctx->krb5_ctx,
+   test_realm,
+   strlen(test_realm),
+   &trusted_realm);
+assert_int_equal(kerr, KRB5_KDB_NOENTRY);
+free(test_realm);
+}
+}
+}
+
 int main(int argc, const char *argv[])
 {
 const struct CMUnitTest tests[] = {
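Review bot: in both halves of the loop an asprintf failure is silently skipped by `if (test_realm)`, which turns an allocation failure into a passing test; assert on the asprintf return value instead, as is done for `kerr`. `asprintf(&test_realm, EXTERNAL_REALM, i)` also passes an argument to a format string with no conversion. In the negative case `trusted_realm` is neither freed nor reset to NULL before the next iteration, so if `ipadb_is_princ_from_trusted_realm()` ever sets it on the KRB5_KDB_NOENTRY path it leaks; either free it there as well or assert that it is still NULL. Minor: `for(` is missing the space used elsewhere in the file.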
@@ -488,6 +542,8 @@ int main(int argc, const char *argv[])
 

[Freeipa-devel] [freeipa PR#5202][closed] Translations update from Weblate

2020-11-11 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5202
Author: weblate
 Title: #5202: Translations update from Weblate
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5202/head:pr5202
git checkout pr5202
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#4980][closed] Translations update from Weblate

2020-11-11 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4980
Author: weblate
 Title: #4980: Translations update from Weblate
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4980/head:pr4980
git checkout pr4980


[Freeipa-devel] [freeipa PR#5239][closed] dns: allow PTR records in arbitrary zones

2020-11-11 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5239
Author: frasertweedale
 Title: #5239: dns: allow PTR records in arbitrary zones
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5239/head:pr5239
git checkout pr5239


[Freeipa-devel] [freeipa PR#5203][closed] On password reset also set krbLastAdminUnlock to unlock account

2020-11-11 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5203
Author: rcritten
 Title: #5203: On password reset also set krbLastAdminUnlock to unlock account
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5203/head:pr5203
git checkout pr5203


[Freeipa-devel] [freeipa PR#5249][closed] mailmap: add ftweedal

2020-11-11 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5249
Author: frasertweedale
 Title: #5249: mailmap: add ftweedal
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5249/head:pr5249
git checkout pr5249


[Freeipa-devel] [freeipa PR#5248][closed] [Backport][ipa-4-8] On password reset also set krbLastAdminUnlock to unlock account

2020-11-11 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5248
Author: abbra
 Title: #5248: [Backport][ipa-4-8] On password reset also set krbLastAdminUnlock to unlock account
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5248/head:pr5248
git checkout pr5248


[Freeipa-devel] [freeipa PR#5257][closed] [EPN] SMTP client enhancements

2020-11-17 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5257
Author: stanislavlevin
 Title: #5257: [EPN] SMTP client enhancements
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5257/head:pr5257
git checkout pr5257


[Freeipa-devel] [freeipa PR#5268][opened] [Backport][ipa-4-8] [EPN] SMTP client enhancements

2020-11-17 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5268
Author: abbra
 Title: #5268: [Backport][ipa-4-8] [EPN] SMTP client enhancements
Action: opened

PR body:
"""
This PR was opened automatically because PR #5257 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5268/head:pr5268
git checkout pr5268
From 51a61cae7d29d98543c82009cea711b76f2c31a5 Mon Sep 17 00:00:00 2001
From: Stanislav Levin 
Date: Mon, 30 Sep 2019 14:59:25 +0300
Subject: [PATCH 1/6] ipatests: Respect platform's openssl dir

There are different build configurations of OpenSSL from one distro
to another. For example,

Debian: '--openssldir=/usr/lib/ssl',
Fedora: '--openssldir=/etc/pki/tls',
openSUSE: '--openssldir=/etc/ssl',
ALTLinux: '--openssldir=/var/lib/ssl'.
Signed-off-by: Stanislav Levin 
---
 ipaplatform/base/paths.py |  3 +
 ipaplatform/debian/paths.py   |  3 +
 ipaplatform/suse/paths.py |  3 +
 ipatests/test_integration/test_cert.py| 92 ---
 ipatests/test_integration/test_epn.py | 55 +--
 .../test_replica_promotion.py |  9 +-
 6 files changed, 119 insertions(+), 46 deletions(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 0c5494612d8..024d9b167fe 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -208,6 +208,9 @@ class BasePathNamespace:
 ODS_ENFORCER = "/usr/sbin/ods-enforcer"
 ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup"
 OPENSSL = "/usr/bin/openssl"
+OPENSSL_DIR = "/etc/pki/tls"
+OPENSSL_CERTS_DIR = "/etc/pki/tls/certs"
+OPENSSL_PRIVATE_DIR = "/etc/pki/tls/private"
 PK12UTIL = "/usr/bin/pk12util"
 SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"
 SSLGET = "/usr/bin/sslget"
diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index c97007acead..e9ba639ee98 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -43,6 +43,9 @@ class DebianPathNamespace(BasePathNamespace):
 NAMED_MANAGED_KEYS_DIR = "/var/cache/bind/dynamic"
 CHRONY_CONF = "/etc/chrony/chrony.conf"
 OPENLDAP_LDAP_CONF = "/etc/ldap/ldap.conf"
+OPENSSL_DIR = "/usr/lib/ssl"
+OPENSSL_CERTS_DIR = "/usr/lib/ssl/certs"
+OPENSSL_PRIVATE_DIR = "/usr/lib/ssl/private"
 ETC_DEBIAN_VERSION = "/etc/debian_version"
 # Old versions of freeipa wrote all trusted certificates to a single
 # file, which is not supported by ca-certificates.
diff --git a/ipaplatform/suse/paths.py b/ipaplatform/suse/paths.py
index e5baf30b8bb..383f191db03 100644
--- a/ipaplatform/suse/paths.py
+++ b/ipaplatform/suse/paths.py
@@ -29,6 +29,9 @@ class SusePathNamespace(BasePathNamespace):
 NAMED_CUSTOM_OPTIONS_CONF = "/etc/named.d/ipa-options-ext.conf"
 NAMED_VAR_DIR = "/var/lib/named"
 NAMED_MANAGED_KEYS_DIR = "/var/lib/named/dyn"
+OPENSSL_DIR = "/etc/ssl"
+OPENSSL_CERTS_DIR = "/etc/ssl/certs"
+OPENSSL_PRIVATE_DIR = "/etc/ssl/private"
 IPA_P11_KIT = "/etc/pki/trust/ipa.p11-kit"
 # Those files are only here to be able to configure them, we copy those in
 # rpm spec to fillupdir
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 2ac32a72f33..d84c7f1fc7f 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -6,6 +6,8 @@
 Module provides tests which testing ability of various certificate
 related scenarios.
 """
+import os
+
 import ipaddress
 import pytest
 import random
@@ -78,11 +80,13 @@ def test_cacert_file_appear_with_option_F(self):
 
 related: https://pagure.io/freeipa/issue/8105
 """
-cmd_arg = ['ipa-getcert', 'request',
-   '-f', '/etc/pki/tls/certs/test.pem',
-   '-k', '/etc/pki/tls/private/test.key',
-   '-K', 'test/%s' % self.clients[0].hostname,
-   '-F', '/etc/pki/tls/test.CA']
+cmd_arg = [
+"ipa-getcert", "request",
+"-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"),
+"-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"),
+"-K", "test/%s" % self.clients[0].hostname,
+"-F", os.path.join(paths.OPENSSL_DIR, "test.CA"),
+]
 result = self.clients[0].run_command(cmd_arg)
 request_id = re.findall(r'\d+', result.stdout_text)
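Review bot: this hunk references `paths.OPENSSL_CERTS_DIR`, `paths.OPENSSL_PRIVATE_DIR` and `paths.OPENSSL_DIR`, but the only import the diff adds is `import os`; confirm that `from ipaplatform.paths import paths` is already present in test_cert.py, otherwise the test fails with NameError at run time rather than at import time. Style: `import os` sits in its own group above `ipaddress`; keep the stdlib imports together and sorted.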
 
@@ -90,13 +94,15 @@ def test_cacert_file_appear_with_option_F(self):
 status = tasks.wait_for_request(self.clients[0], request_id[0], 50)
 assert status == "MONITORING"
 
-self.clients[0].run_command(['ls', '-l', '/etc/pki/tls/test.CA'])
+self.clients[0].run_command(
+["ls", "-l", os.path.join(paths.OPENSSL_DIR, "test.CA")]
+)
 
 def test_ipa_getcert_san_aci(self):
 """Test for DNS and IP SAN extensions +

[Freeipa-devel] [freeipa PR#5245][closed] ipa-kdb: implement AS-REQ lifetime jitter

2020-11-17 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5245
Author: frozencemetery
 Title: #5245: ipa-kdb: implement AS-REQ lifetime jitter
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5245/head:pr5245
git checkout pr5245


[Freeipa-devel] [freeipa PR#5269][opened] [Backport][ipa-4-8] ipa-kdb: implement AS-REQ lifetime jitter

2020-11-17 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5269
Author: abbra
 Title: #5269: [Backport][ipa-4-8] ipa-kdb: implement AS-REQ lifetime jitter
Action: opened

PR body:
"""
This PR was opened automatically because PR #5245 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5269/head:pr5269
git checkout pr5269
From 203aa2a29a8962ce0ddbbd94c1d906dd65c5f957 Mon Sep 17 00:00:00 2001
From: Robbie Harwood 
Date: Tue, 10 Nov 2020 16:02:30 -0500
Subject: [PATCH 1/2] Update kdcpolicy design doc for jitter implementation

Signed-off-by: Robbie Harwood 
---
 doc/designs/krb-ticket-policy.md | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/doc/designs/krb-ticket-policy.md b/doc/designs/krb-ticket-policy.md
index 0961044132e..b704b066597 100644
--- a/doc/designs/krb-ticket-policy.md
+++ b/doc/designs/krb-ticket-policy.md
@@ -91,8 +91,10 @@ where administrators can specify max renew and life for each supported auth indi
 
 ### Ticket lifetime jitter
 
-Ticket lifetimes can be jittered so that renewals / re-issues do not overwhelm the KDC at a certain moment.
-The feature is enabled automatically so that we can avoid triggering an LDAP query on every `AS_REQ` and `TGS_REQ`.
+All TGT lifetimes are varied slightly to avoid overwhelming the KDC with
+simultaneous renewal requests.  Jitter will reduce lifetimes by up to one hour
+from the configured maximum lifetime (per policy).  Significantly shorter
+requested lifetimes will be unaffected.
 
 ## Implementation
 

From 21e798384e61d5e411bcaab5f37cc9590a64847f Mon Sep 17 00:00:00 2001
From: Robbie Harwood 
Date: Tue, 10 Nov 2020 14:07:47 -0500
Subject: [PATCH 2/2] ipa-kdb: implement AS-REQ lifetime jitter

Jitter is always enabled, so there is no additional configuration.

An earlier version of this patch was authored by Becky Shanley.

Fixes: https://pagure.io/freeipa/issue/8010

Signed-off-by: Robbie Harwood 
---
 daemons/ipa-kdb/ipa_kdb_kdcpolicy.c  | 37 +-
 ipatests/test_integration/test_krbtpolicy.py | 53 +---
 2 files changed, 69 insertions(+), 21 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index 8d2ad66f715..7f03f2f03fc 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -1,14 +1,44 @@
 /*
- * Copyright (C) 2018  FreeIPA Contributors see COPYING for license
+ * Copyright (C) 2018,2020  FreeIPA Contributors see COPYING for license
  */
 
 #include 
 #include 
+#include 
+
 #include 
 
 #include "ipa_krb5.h"
 #include "ipa_kdb.h"
 
+#define ONE_DAY_SECONDS (24 * 60 * 60)
+#define JITTER_WINDOW_SECONDS (1 * 60 * 60)
+
+static void
+jitter(krb5_deltat baseline, krb5_deltat *lifetime_out)
+{
+krb5_deltat offset;
+ssize_t ret;
+
+if (baseline < JITTER_WINDOW_SECONDS) {
+/* A negative value here would correspond to a never-valid ticket,
+ * which isn't the goal. */
+*lifetime_out = baseline;
+return;
+}
+
+do {
+ret = getrandom(&offset, sizeof(offset), 0);
+} while (ret == -1 && errno == EINTR);
+if (ret < 0) {
+krb5_klog_syslog(LOG_INFO, "IPA kdcpolicy: getrandom failed (errno %d); skipping jitter...",
+ errno);
+return;
+}
+
+*lifetime_out = baseline - offset % JITTER_WINDOW_SECONDS;
+}
+
 static krb5_error_code
 ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
const krb5_kdc_req *request,
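Review bot: two problems in jitter(). First, `offset` is a `krb5_deltat` (a signed 32-bit integer) filled with raw bytes from getrandom(), so about half of the time it is negative; `offset % JITTER_WINDOW_SECONDS` is then negative under C's truncating division, and `baseline - offset % JITTER_WINDOW_SECONDS` lengthens the ticket by up to an hour beyond the configured maximum instead of shortening it. Read the random value into an unsigned type (e.g. `uint32_t`) before taking the remainder. Second, when getrandom() fails the function logs and returns without writing `*lifetime_out`; in the `pol_limits->max_life != 0` caller this replaces the previous unconditional `*lifetime_out = pol_limits->max_life`, so a transient getrandom error now drops the policy limit entirely. Set `*lifetime_out = baseline;` before returning on that path so "skipping jitter" really means only that.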
@@ -56,6 +86,7 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
 
 /* If no mechanisms are set, allow every auth method */
 if (ua == IPADB_USER_AUTH_NONE) {
+jitter(ONE_DAY_SECONDS, lifetime_out);
 return 0;
 }
 
@@ -108,7 +139,9 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata,
  * apply them */
 if (pol_limits != NULL) {
 if (pol_limits->max_life != 0) {
-*lifetime_out = pol_limits->max_life;
+jitter(pol_limits->max_life, lifetime_out);
+} else {
+jitter(ONE_DAY_SECONDS, lifetime_out);
 }
 
 if (pol_limits->max_renewable_life != 0) {
diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
index 98aa1210b5f..e43c8d122b1 100644
--- a/ipatests/test_integration/test_krbtpolicy.py
+++ b/ipatests/test_integration/test_krbtpolicy.py
@@ -1,5 +1,5 @@
 #
-# Copyright (C) 2019  FreeIPA Contributors see COPYING for license
+# Copyright (C) 2019,2020  FreeIPA Contributors see COPYING for license
 #
 
 """
@@ -8,6 +8,7 @@
 
 from __future__ import absolute_import
 
+import pytest
 import time
 from datetime import datetime
 
@@ -44,10 +45,17 @@ def reset_to_default_policy(host, user):
 """Reset default user authentication and user a

[Freeipa-devel] [freeipa PR#5270][opened] Merge fixes from rawhide experiments

2020-11-17 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5270
Author: abbra
 Title: #5270: Merge fixes from rawhide experiments
Action: opened

PR body:
"""
- 11f8ec48c spec: use pkgconf to find out krb5 version
- eecf4dbb3 Drop upper bound on krb5 version in freeipa.spec
- aaf0232f0 Azure CI: use PPA to provide newer libseccomp version
- dde3528ee Azure CI: use Ubuntu-20.04 image by default
- 70175f61b ipa-acme-manage: user a cookie created for the communication with 
dogtag REST endpoints
- ed3258563 ipa-otpd: fix gcc complaints in Rawhide
- 95bd6402e ipa-sam: fix gcc complaints on Rawhide
- 300961a13 ipa-kdb: fix gcc complaints in kdb tests
- bb2369329 ipa-kdb: fix gcc complaints

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5270/head:pr5270
git checkout pr5270
From bb236932973ee7861e247709d1699795ba0d348f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Fri, 13 Nov 2020 13:31:51 +0200
Subject: [PATCH 1/9] ipa-kdb: fix gcc complaints

In file included from /usr/include/string.h:519,
 from /usr/include/lber.h:30,
 from /usr/include/ldap.h:30,
 from ipa_kdb.h:37,
 from ipa_kdb_mspac.c:26:
In function 'strncpy',
inlined from 'get_server_netbios_name' at ipa_kdb_mspac.c:2358:5,
inlined from 'ipadb_reinit_mspac' at ipa_kdb_mspac.c:2813:39:
/usr/include/bits/string_fortified.h:91:10: warning: 'strncpy' specified bound 255 equals destination size [-Wstringop-truncation]
   91 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
  |  ^~

Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy 
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index fe5b586b6ae..bb9d85c104b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2352,7 +2352,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
 
 static char *get_server_netbios_name(struct ipadb_context *ipactx)
 {
-char hostname[IPA_HOST_FQDN_LEN]; /* NOTE: long enough for DNS name */
+char hostname[IPA_HOST_FQDN_LEN + 1]; /* NOTE: long enough for DNS name */
 char *p;
 
 strncpy(hostname, ipactx->kdc_hostname, IPA_HOST_FQDN_LEN);
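Review bot: enlarging the array to `IPA_HOST_FQDN_LEN + 1` silences -Wstringop-truncation but does not by itself guarantee termination: `strncpy` with a bound of `IPA_HOST_FQDN_LEN` never writes the extra byte when `kdc_hostname` is at least that long, and `hostname` is an uninitialised stack array, so the subsequent walk over `p` can run off the end of the buffer. Add `hostname[IPA_HOST_FQDN_LEN] = '\0';` after the strncpy, or zero-initialise the array.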

From 300961a133cc5fdf3790e3957727833aea99ce0d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Fri, 13 Nov 2020 13:46:38 +0200
Subject: [PATCH 2/9] ipa-kdb: fix gcc complaints in kdb tests

We use string_to_sid() from internal Samba libraries, so we have to link
to it properly.

In addition, size_t is (long unsigned int), just cast to (int) in
asprintf.

Fixes: https://pagure.io/freeipa/issue/8585
Signed-off-by: Alexander Bokovoy 
---
 daemons/ipa-kdb/Makefile.am   | 2 ++
 daemons/ipa-kdb/tests/ipa_kdb_tests.c | 7 ---
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 11aeec5f0ae..14c0546e0a5 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -92,6 +92,7 @@ ipa_kdb_tests_SOURCES += ipa_kdb_kdcpolicy.c
 endif
 
 ipa_kdb_tests_CFLAGS = $(CMOCKA_CFLAGS)
+ipa_kdb_tests_LDFLAGS = -L$(libdir)/samba -Wl,-rpath=$(libdir)/samba
 ipa_kdb_tests_LDADD =  \
$(CMOCKA_LIBS)  \
$(KRB5_LIBS)\
@@ -102,6 +103,7 @@ ipa_kdb_tests_LDADD =  \
$(top_builddir)/util/libutil.la	\
-lkdb5  \
-lsss_idmap \
+   -lsamba-security-samba4 \
$(NULL)
 
 appdir = $(libexecdir)/ipa
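Review bot: `-lsamba-security-samba4` is one of Samba's private libraries (hence the explicit `-L$(libdir)/samba` and rpath), with no stable ABI across Samba releases. Since it is only pulled in for `string_to_sid()` in the test binary that is acceptable, but a comment in Makefile.am saying so would stop the next person from promoting the same link line into the ipa-kdb plugin itself.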
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index 752b24ea47d..2a174ce6b60 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -72,7 +72,7 @@ struct test_ctx {
 #define DOM_SID_TRUST "S-1-5-21-4-5-6"
 #define BLOCKLIST_SID "S-1-5-1"
 #define NUM_SUFFIXES 10
-#define SUFFIX_TEMPLATE "d%0d" DOMAIN_NAME
+#define SUFFIX_TEMPLATE "d%zu" DOMAIN_NAME
 #define TEST_REALM_TEMPLATE "some." SUFFIX_TEMPLATE
 #define EXTERNAL_REALM "WRONG.DOMAIN"
 
@@ -136,7 +136,8 @@ static int setup(void **state)
 ipa_ctx->mspac->trusts[0].upn_suffixes = calloc(NUM_SUFFIXES + 1, sizeof(char *));
 ipa_ctx->mspac->trusts[0].upn_suffixes_len = calloc(NUM_SUFFIXES, sizeof(size_t));
 for (size_t i = 0; i < NUM_SUFFIXES; i++) {
-	asprintf(&(ipa_ctx->mspac->trusts[0].upn_suffixes[i]), SUFFIX_TEMPLATE, i);
+	assert_int_not_equal(asprintf(&(ipa_ctx->mspac->trusts[0].upn_suffixes[i]),
+  SUFFIX_TEMPLATE, i), -1);
 ipa_ctx->mspac->trusts[0].upn_suffixes_len[i] =
 strlen(ipa_ctx->mspac->trusts[0].upn_suffixes[i]);
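Review bot: the asprintf check is good, but the two `calloc()` calls for `upn_suffixes` and `upn_suffixes_len` directly above the loop are still unchecked while the rest of setup() asserts every allocation with `assert_non_null`; add the same two asserts so an allocation failure is reported instead of crashing in the loop. The tab indentation on the asprintf lines is also inconsistent with the rest of the file.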
 
@@ -504,7 +505,7 @@ void test_check_trusted_realms(void **state)
 
 for(size_t i = 0; i < NUM

[Freeipa-devel] [freeipa PR#5270][closed] Merge fixes from rawhide experiments

2020-11-17 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5270
Author: abbra
 Title: #5270: Merge fixes from rawhide experiments
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5270/head:pr5270
git checkout pr5270


[Freeipa-devel] [freeipa PR#5273][opened] util: Fix client-only build

2020-11-18 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5273
Author: abbra
 Title: #5273: util: Fix client-only build
Action: opened

PR body:
"""
Commit 26b9a697844c3bb66bdf83dad3a9738b3cb65361 did not fully fix the
client-only build as util/ipa_pwd.c unconditionally includes
pwquality.h.

Make sure we define USE_PWQUALITY in the full server configuration and
if that one is defined, include libpwquality use.

Fixes: https://pagure.io/freeipa/issue/8587
Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5273/head:pr5273
git checkout pr5273
From 5c903487874bc1ec0a014e35ad1d544c1e47437f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 18 Nov 2020 12:35:38 +0200
Subject: [PATCH] util: Fix client-only build

Commit 26b9a697844c3bb66bdf83dad3a9738b3cb65361 did not fully fix the
client-only build as util/ipa_pwd.c unconditionally includes
pwquality.h.

Make sure we define USE_PWQUALITY in the full server configuration and
if that one is defined, include libpwquality use.

Fixes: https://pagure.io/freeipa/issue/8587
Signed-off-by: Alexander Bokovoy 
---
 configure.ac   | 4 +++-
 util/ipa_pwd.c | 9 -
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index ef1a1c6867e..5d04d446e0a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -117,7 +117,9 @@ dnl ---
 dnl - Check for pwquality library
 dnl ---
 AM_COND_IF([ENABLE_SERVER], [
-	PKG_CHECK_MODULES([PWQUALITY], [pwquality])
+	PKG_CHECK_MODULES([PWQUALITY], [pwquality],
+		[AC_DEFINE(USE_PWQUALITY,1,[Use password quality checks])]
+	)
 ])
 
 dnl ---
diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
index dbff5ef1cba..0785a4f7aaf 100644
--- a/util/ipa_pwd.c
+++ b/util/ipa_pwd.c
@@ -23,6 +23,7 @@
 #ifndef _GNU_SOURCE
 #define _GNU_SOURCE
 #endif
+#include "config.h"
 #include 
 #include 
 #include 
@@ -31,7 +32,9 @@
 #include 
 #include 
 #include 
+#if defined(USE_PWQUALITY)
 #include 
+#endif
 #include 
 #include 
 #include 
@@ -417,9 +420,11 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
 {
 int pwdlen, blen;
 int ret;
+#if defined(USE_PWQUALITY)
 pwquality_settings_t *pwq;
+#endif
 int check_pwquality = 0;
-int entropy;
+int entropy = 0
 char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
 void *auxerror;
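Review bot: `int entropy = 0` on the changed line is missing its terminating semicolon as shown in the hunk, so the file would not compile in either configuration; it should read `int entropy = 0;` (the ipa-4-8 backport has it). Separately, only `pwq` is guarded by `USE_PWQUALITY` here: `char buf[PWQ_MAX_ERROR_MESSAGE_LEN]` uses a macro that comes from pwquality.h, which is now included only when `USE_PWQUALITY` is defined, so the client-only build fails with an undeclared identifier, and `check_pwquality`, `entropy` and `auxerror` become unused variables in that build. Guard the whole group together, as the backport does.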
 
@@ -534,6 +539,7 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
 }
 }
 
+#if defined(USE_PWQUALITY)
 /* Only call into libpwquality if at least one setting is made
  * because there are a number of checks that don't have knobs
  * so preserve the previous behavior.
@@ -601,6 +607,7 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
 #endif
 }
 }
+#endif /* USE_PWQUALITY */
 
 if (pwd_history) {
 char *hash;


[Freeipa-devel] [freeipa PR#5273][closed] util: Fix client-only build

2020-11-18 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5273
Author: abbra
 Title: #5273: util: Fix client-only build
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5273/head:pr5273
git checkout pr5273


[Freeipa-devel] [freeipa PR#5275][opened] [Backport][ipa-4-8] util: Fix client-only build

2020-11-18 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5275
Author: abbra
 Title: #5275: [Backport][ipa-4-8] util: Fix client-only build
Action: opened

PR body:
"""
This PR was opened automatically because PR #5273 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5275/head:pr5275
git checkout pr5275
From c0bcfcff08f52ebb35ac45b5159e8b89f43a761f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 18 Nov 2020 12:35:38 +0200
Subject: [PATCH] util: Fix client-only build

Commit 26b9a697844c3bb66bdf83dad3a9738b3cb65361 did not fully fix the
client-only build as util/ipa_pwd.c unconditionally includes
pwquality.h.

Make sure we define USE_PWQUALITY in the full server configuration and
if that one is defined, include libpwquality use.

Fixes: https://pagure.io/freeipa/issue/8587
Signed-off-by: Alexander Bokovoy 
---
 configure.ac |  4 +++-
 util/Makefile.am | 10 +++---
 util/ipa_pwd.c   |  9 -
 3 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index 490c52adc93..70923417ee7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -109,7 +109,9 @@ dnl ---
 dnl - Check for pwquality library
 dnl ---
 AM_COND_IF([ENABLE_SERVER], [
-	PKG_CHECK_MODULES([PWQUALITY], [pwquality])
+	PKG_CHECK_MODULES([PWQUALITY], [pwquality],
+		[AC_DEFINE(USE_PWQUALITY,1,[Use password quality checks])]
+	)
 ])
 
 dnl ---
diff --git a/util/Makefile.am b/util/Makefile.am
index 319809ba3c5..8e7dec2eb14 100644
--- a/util/Makefile.am
+++ b/util/Makefile.am
@@ -15,7 +15,11 @@ libutil_la_SOURCES =	ipa_krb5.c \
 
 libutil_la_LIBADD = $(CRYPTO_LIBS) $(KRB5_LIBS) $(LDAP_LIBS) $(PWQUALITY_LIBS)
 
-check_PROGRAMS = t_pwd t_policy
-TESTS = $(check_PROGRAMS)
+check_PROGRAMS = t_pwd
 t_pwd_LDADD = libutil.la
-t_policy_LDADD = libutil.la 
+if ENABLE_SERVER
+check_PROGRAMS += t_policy
+t_policy_LDADD = libutil.la
+endif
+
+TESTS = $(check_PROGRAMS)
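Review bot: moving t_policy under `if ENABLE_SERVER` leaves client-only builds with no test that exercises ipapwd_check_policy(), although the function is still compiled for the client minus its libpwquality branch; consider a variant of t_policy that covers the non-pwquality path so the client build is not left untested. Note also that `libutil_la_LIBADD` keeps `$(PWQUALITY_LIBS)` unconditionally; on a client build the variable is simply undefined and expands to nothing, which works but is worth a comment so nobody "fixes" it later by adding a hard dependency.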
diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
index dbff5ef1cba..8fa413c69cf 100644
--- a/util/ipa_pwd.c
+++ b/util/ipa_pwd.c
@@ -23,6 +23,7 @@
 #ifndef _GNU_SOURCE
 #define _GNU_SOURCE
 #endif
+#include "config.h"
 #include 
 #include 
 #include 
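Review bot: `#include "config.h"` is placed after the manual `_GNU_SOURCE` guard. If configure.ac uses AC_USE_SYSTEM_EXTENSIONS, config.h defines `_GNU_SOURCE 1` itself, and the bare `#define _GNU_SOURCE` above then has a different replacement text and triggers a redefinition warning; including config.h first and dropping the guard (or moving the `#ifndef` below the include) avoids that. The position before any system header is otherwise right, since USE_PWQUALITY must be visible before the pwquality include below.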
@@ -31,7 +32,9 @@
 #include 
 #include 
 #include 
+#if defined(USE_PWQUALITY)
 #include 
+#endif
 #include 
 #include 
 #include 
@@ -417,11 +420,13 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
 {
 int pwdlen, blen;
 int ret;
+#if defined(USE_PWQUALITY)
 pwquality_settings_t *pwq;
 int check_pwquality = 0;
-int entropy;
+int entropy = 0;
 char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
 void *auxerror;
+#endif
 
 if (!policy || !password) {
 return IPAPWD_POLICY_ERROR;
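Review bot: initialising `entropy = 0` fixes a latent uninitialised read, but `pwq`, `check_pwquality`, `entropy`, `buf` and `auxerror` now exist only under USE_PWQUALITY, so any reference to them between this block and the `#if defined(USE_PWQUALITY)` opened further down (a log line reporting the entropy value, for instance) would break the client build; please confirm with a build configured without `--enable-server`, which is the configuration the commit message says was not fully fixed before.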
@@ -534,6 +539,7 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
 }
 }
 
+#if defined(USE_PWQUALITY)
 /* Only call into libpwquality if at least one setting is made
  * because there are a number of checks that don't have knobs
  * so preserve the previous behavior.
@@ -601,6 +607,7 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
 #endif
 }
 }
+#endif /* USE_PWQUALITY */
 
 if (pwd_history) {
 char *hash;
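Review bot: with the whole libpwquality region compiled out, ipapwd_check_policy() on a client build silently skips the checks driven by `check_pwquality`/`entropy` and performs only the remaining policy checks, rather than reporting that they are unavailable; that is acceptable for the client, but a one-line comment at this `#endif` stating that the pwquality checks are server-only would help future readers. Tagging the matching `#if` opener with the same `/* USE_PWQUALITY */` comment would also make the pairing easy to verify by eye, since an unrelated `#endif` sits between them.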
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#5276][opened] [Backport][ipa-4-9] util: Fix client-only build

2020-11-18 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5276
Author: abbra
 Title: #5276: [Backport][ipa-4-9] util: Fix client-only build
Action: opened

PR body:
"""
This PR was opened automatically because PR #5273 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5276/head:pr5276
git checkout pr5276
From 346f92dd52645df4dd9a2bc3aea4c538325da865 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 18 Nov 2020 12:35:38 +0200
Subject: [PATCH] util: Fix client-only build

Commit 26b9a697844c3bb66bdf83dad3a9738b3cb65361 did not fully fix the
client-only build as util/ipa_pwd.c unconditionally includes
pwquality.h.

Make sure we define USE_PWQUALITY in the full server configuration and
if that one is defined, include libpwquality use.

Fixes: https://pagure.io/freeipa/issue/8587
Signed-off-by: Alexander Bokovoy 
---
 configure.ac |  4 +++-
 util/Makefile.am | 10 +++---
 util/ipa_pwd.c   |  9 -
 3 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index ef1a1c6867e..5d04d446e0a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -117,7 +117,9 @@ dnl ---
 dnl - Check for pwquality library
 dnl ---
 AM_COND_IF([ENABLE_SERVER], [
-	PKG_CHECK_MODULES([PWQUALITY], [pwquality])
+	PKG_CHECK_MODULES([PWQUALITY], [pwquality],
+		[AC_DEFINE(USE_PWQUALITY,1,[Use password quality checks])]
+	)
 ])
 
 dnl ---
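Review bot: this backport is line-identical to the ipa-4-8 one (PR#5275) apart from the hunk offset (`@@ -117,7` here versus `@@ -109,7`), so the points raised there apply unchanged: quote the `AC_DEFINE` arguments, and document that USE_PWQUALITY follows ENABLE_SERVER rather than being independently selectable.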
diff --git a/util/Makefile.am b/util/Makefile.am
index 5e21c098f14..b3803777809 100644
--- a/util/Makefile.am
+++ b/util/Makefile.am
@@ -21,7 +21,11 @@ libutil_la_SOURCES = \
 
 libutil_la_LIBADD = $(CRYPTO_LIBS) $(KRB5_LIBS) $(LDAP_LIBS) $(PWQUALITY_LIBS)
 
-check_PROGRAMS = t_pwd t_policy
-TESTS = $(check_PROGRAMS)
+check_PROGRAMS = t_pwd
 t_pwd_LDADD = libutil.la
-t_policy_LDADD = libutil.la 
+if ENABLE_SERVER
+check_PROGRAMS += t_policy
+t_policy_LDADD = libutil.la
+endif
+
+TESTS = $(check_PROGRAMS)
diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
index dbff5ef1cba..8fa413c69cf 100644
--- a/util/ipa_pwd.c
+++ b/util/ipa_pwd.c
@@ -23,6 +23,7 @@
 #ifndef _GNU_SOURCE
 #define _GNU_SOURCE
 #endif
+#include "config.h"
 #include 
 #include 
 #include 
@@ -31,7 +32,9 @@
 #include 
 #include 
 #include 
+#if defined(USE_PWQUALITY)
 #include 
+#endif
 #include 
 #include 
 #include 
@@ -417,11 +420,13 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
 {
 int pwdlen, blen;
 int ret;
+#if defined(USE_PWQUALITY)
 pwquality_settings_t *pwq;
 int check_pwquality = 0;
-int entropy;
+int entropy = 0;
 char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
 void *auxerror;
+#endif
 
 if (!policy || !password) {
 return IPAPWD_POLICY_ERROR;
@@ -534,6 +539,7 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
 }
 }
 
+#if defined(USE_PWQUALITY)
 /* Only call into libpwquality if at least one setting is made
  * because there are a number of checks that don't have knobs
  * so preserve the previous behavior.
@@ -601,6 +607,7 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
 #endif
 }
 }
+#endif /* USE_PWQUALITY */
 
 if (pwd_history) {
 char *hash;
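Review bot: the `index dbff5ef1cba..8fa413c69cf` line matches the ipa-4-8 backport exactly, which confirms util/ipa_pwd.c is the same blob on both branches; the checks requested for the master patch (no stray references to the now-guarded locals, and a client-only build without `--enable-server`) therefore need to be run only once, but the result should be recorded on both PRs.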


[Freeipa-devel] [freeipa PR#5246][closed] Use host keytab to obtain credentials needed for ipa-certupdate

2020-11-18 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5246
Author: rcritten
 Title: #5246: Use host keytab to obtain credentials needed for ipa-certupdate
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5246/head:pr5246
git checkout pr5246


[Freeipa-devel] [freeipa PR#5277][opened] [Backport][ipa-4-9] Use host keytab to obtain credentials needed for ipa-certupdate

2020-11-18 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5277
Author: abbra
 Title: #5277: [Backport][ipa-4-9] Use host keytab to obtain credentials needed 
for ipa-certupdate
Action: opened

PR body:
"""
This PR was opened automatically because PR #5246 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5277/head:pr5277
git checkout pr5277
From 429dc67f84bd8984d9761cc9baf20c5977f9e684 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Tue, 10 Nov 2020 14:27:27 -0500
Subject: [PATCH 1/2] Use host keytab to obtain credentials needed for
 ipa-certupdate

This command doesn't require any permissions that a host doesn't
already have and it simplifies overall credential handling.

It also corrects the case where the server API cache is out of
date and there are no credentials available to refresh it, which
can lead to a confusing error message.

Also switch to MEMORY-based ccache rather than file to avoid
having to clean up the filesystem.

https://pagure.io/freeipa/issue/8531

Signed-off-by: Rob Crittenden 
---
 ipaclient/install/ipa_certupdate.py | 66 +
 1 file changed, 29 insertions(+), 37 deletions(-)

diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py
index 7c6fa6959e0..f6f2dec4dea 100644
--- a/ipaclient/install/ipa_certupdate.py
+++ b/ipaclient/install/ipa_certupdate.py
@@ -21,14 +21,11 @@
 
 import logging
 import os
-import tempfile
-import shutil
 
 from urllib.parse import urlsplit
 
 from ipalib.install import certmonger, certstore
 from ipalib.facts import is_ipa_configured
-from ipalib.install.kinit import kinit_keytab
 from ipapython import admintool, certdb, ipaldap, ipautil
 from ipaplatform import services
 from ipaplatform.paths import paths
@@ -54,12 +51,22 @@ def validate_options(self):
 def run(self):
 check_client_configuration()
 
-api.bootstrap(context='cli_installer', confdir=paths.ETC_IPA)
-api.finalize()
+old_krb5ccname = os.environ.get('KRB5CCNAME')
+os.environ['KRB5_CLIENT_KTNAME'] = '/etc/krb5.keytab'
+os.environ['KRB5CCNAME'] = "MEMORY:"
 
-api.Backend.rpcclient.connect()
-run_with_args(api)
-api.Backend.rpcclient.disconnect()
+try:
+api.bootstrap(context='cli_installer', confdir=paths.ETC_IPA)
+api.finalize()
+
+api.Backend.rpcclient.connect()
+run_with_args(api)
+api.Backend.rpcclient.disconnect()
+finally:
+if old_krb5ccname is None:
+del os.environ['KRB5CCNAME']
+else:
+os.environ['KRB5CCNAME'] = old_krb5ccname
 
 
 def run_with_args(api):
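Review bot: KRB5_CLIENT_KTNAME is set but, unlike KRB5CCNAME, never restored or removed in the `finally` block, so it stays in the process environment and is inherited by anything spawned afterwards (run_with_args restarts services on IPA-configured hosts, as the later hunk shows); save and restore it the same way as KRB5CCNAME. The keytab path is also hard-coded as `'/etc/krb5.keytab'` while the removed code used `paths.KRB5_KEYTAB`; keep the ipaplatform constant so platform overrides still apply.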
@@ -73,37 +80,22 @@ def run_with_args(api):
 server = urlsplit(api.env.jsonrpc_uri).hostname
 ldap = ipaldap.LDAPClient.from_hostname_secure(server)
 
-tmpdir = tempfile.mkdtemp(prefix="tmp-")
-ccache_name = os.path.join(tmpdir, 'ccache')
-old_krb5ccname = os.environ.get('KRB5CCNAME')
 try:
-principal = str('host/%s@%s' % (api.env.host, api.env.realm))
-kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_name)
-os.environ['KRB5CCNAME'] = ccache_name
+result = api.Command.ca_is_enabled(version=u'2.107')
+ca_enabled = result['result']
+except (errors.CommandError, errors.NetworkError):
+result = api.Command.env(server=True, version=u'2.0')
+ca_enabled = result['result']['enable_ra']
 
-try:
-result = api.Command.ca_is_enabled(version=u'2.107')
-ca_enabled = result['result']
-except (errors.CommandError, errors.NetworkError):
-result = api.Command.env(server=True, version=u'2.0')
-ca_enabled = result['result']['enable_ra']
-
-ldap.gssapi_bind()
-
-certs = certstore.get_ca_certs(
-ldap, api.env.basedn, api.env.realm, ca_enabled)
-
-if ca_enabled:
-lwcas = api.Command.ca_find()['result']
-else:
-lwcas = []
-
-finally:
-if old_krb5ccname is None:
-del os.environ['KRB5CCNAME']
-else:
-os.environ['KRB5CCNAME'] = old_krb5ccname
-shutil.rmtree(tmpdir)
+ldap.gssapi_bind()
+
+certs = certstore.get_ca_certs(
+ldap, api.env.basedn, api.env.realm, ca_enabled)
+
+if ca_enabled:
+lwcas = api.Command.ca_find()['result']
+else:
+lwcas = []
 
 if is_ipa_configured():
 # look up CA servers before service restarts
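Review bot: the explicit `kinit_keytab(principal, ...)` naming `host/<host>@<realm>` is gone, so the identity now comes from whatever libkrb5 selects from the client keytab when the `MEMORY:` cache is empty (normally the first entry); on a server whose /etc/krb5.keytab holds several principals this may not be the host principal, and a failure to obtain credentials now surfaces as a GSSAPI error from `ldap.gssapi_bind()` instead of a clear kinit error. Consider logging the principal actually used, or asserting after the first API call that the cache holds a host/ principal. Dropping the tmpdir-based file ccache is a good change in itself: nothing is left on disk if the tool is interrupted.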

From b7887df7415ad303ec74aba7b1a7d87e7e087276 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Tue, 10 Nov 2020 15:27:16 -0500
Subject: [PATCH 2/2] ipatests: Test that ipa-certupdate can run without
 credentials

https://pagure.io/freeipa/issue/8531

Signed-off-by: Rob Crittenden 
---
 ipatests/test_integration/test_commands.py | 20 +++

[Freeipa-devel] [freeipa PR#5278][opened] [Backport][ipa-4-8] Use host keytab to obtain credentials needed for ipa-certupdate

2020-11-18 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5278
Author: abbra
 Title: #5278: [Backport][ipa-4-8] Use host keytab to obtain credentials needed 
for ipa-certupdate
Action: opened

PR body:
"""
This PR was opened automatically because PR #5246 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5278/head:pr5278
git checkout pr5278
From 535b340bc88bd66f6cae5fcbb30364e9bb06992e Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Tue, 10 Nov 2020 14:27:27 -0500
Subject: [PATCH 1/2] Use host keytab to obtain credentials needed for
 ipa-certupdate

This command doesn't require any permissions that a host doesn't
already have and it simplifies overall credential handling.

It also corrects the case where the server API cache is out of
date and there are no credentials available to refresh it, which
can lead to a confusing error message.

Also switch to MEMORY-based ccache rather than file to avoid
having to clean up the filesystem.

https://pagure.io/freeipa/issue/8531

Signed-off-by: Rob Crittenden 
---
 ipaclient/install/ipa_certupdate.py | 66 +
 1 file changed, 29 insertions(+), 37 deletions(-)

diff --git a/ipaclient/install/ipa_certupdate.py b/ipaclient/install/ipa_certupdate.py
index 6f2a4c5d11b..d8d65f26b24 100644
--- a/ipaclient/install/ipa_certupdate.py
+++ b/ipaclient/install/ipa_certupdate.py
@@ -21,14 +21,11 @@
 
 import logging
 import os
-import tempfile
-import shutil
 
 from urllib.parse import urlsplit
 
 from ipalib.install import certmonger, certstore
 from ipalib.facts import is_ipa_configured
-from ipalib.install.kinit import kinit_keytab
 from ipapython import admintool, certdb, ipaldap, ipautil
 from ipaplatform import services
 from ipaplatform.paths import paths
@@ -54,12 +51,22 @@ def validate_options(self):
 def run(self):
 check_client_configuration()
 
-api.bootstrap(context='cli_installer', confdir=paths.ETC_IPA)
-api.finalize()
+old_krb5ccname = os.environ.get('KRB5CCNAME')
+os.environ['KRB5_CLIENT_KTNAME'] = '/etc/krb5.keytab'
+os.environ['KRB5CCNAME'] = "MEMORY:"
 
-api.Backend.rpcclient.connect()
-run_with_args(api)
-api.Backend.rpcclient.disconnect()
+try:
+api.bootstrap(context='cli_installer', confdir=paths.ETC_IPA)
+api.finalize()
+
+api.Backend.rpcclient.connect()
+run_with_args(api)
+api.Backend.rpcclient.disconnect()
+finally:
+if old_krb5ccname is None:
+del os.environ['KRB5CCNAME']
+else:
+os.environ['KRB5CCNAME'] = old_krb5ccname
 
 
 def run_with_args(api):
@@ -73,37 +80,22 @@ def run_with_args(api):
 server = urlsplit(api.env.jsonrpc_uri).hostname
 ldap = ipaldap.LDAPClient.from_hostname_secure(server)
 
-tmpdir = tempfile.mkdtemp(prefix="tmp-")
-ccache_name = os.path.join(tmpdir, 'ccache')
-old_krb5ccname = os.environ.get('KRB5CCNAME')
 try:
-principal = str('host/%s@%s' % (api.env.host, api.env.realm))
-kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_name)
-os.environ['KRB5CCNAME'] = ccache_name
+result = api.Command.ca_is_enabled(version=u'2.107')
+ca_enabled = result['result']
+except (errors.CommandError, errors.NetworkError):
+result = api.Command.env(server=True, version=u'2.0')
+ca_enabled = result['result']['enable_ra']
 
-try:
-result = api.Command.ca_is_enabled(version=u'2.107')
-ca_enabled = result['result']
-except (errors.CommandError, errors.NetworkError):
-result = api.Command.env(server=True, version=u'2.0')
-ca_enabled = result['result']['enable_ra']
-
-ldap.gssapi_bind()
-
-certs = certstore.get_ca_certs(
-ldap, api.env.basedn, api.env.realm, ca_enabled)
-
-if ca_enabled:
-lwcas = api.Command.ca_find()['result']
-else:
-lwcas = []
-
-finally:
-if old_krb5ccname is None:
-del os.environ['KRB5CCNAME']
-else:
-os.environ['KRB5CCNAME'] = old_krb5ccname
-shutil.rmtree(tmpdir)
+ldap.gssapi_bind()
+
+certs = certstore.get_ca_certs(
+ldap, api.env.basedn, api.env.realm, ca_enabled)
+
+if ca_enabled:
+lwcas = api.Command.ca_find()['result']
+else:
+lwcas = []
 
 if is_ipa_configured():
 update_server(certs)
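Review bot: this backport applies against a different base (`index 6f2a4c5d11b..d8d65f26b24` versus `7c6fa6959e0..f6f2dec4dea` on master) and only the trailing context differs, `update_server(certs)` here instead of the CA-server lookup comment; the points on the master patch, in particular restoring KRB5_CLIENT_KTNAME in `finally` and using `paths.KRB5_KEYTAB`, apply unchanged to this branch.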

From 55922068c9a7e0892881b1b0df715dcb9f359e8b Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Tue, 10 Nov 2020 15:27:16 -0500
Subject: [PATCH 2/2] ipatests: Test that ipa-certupdate can run without
 credentials

https://pagure.io/freeipa/issue/8531

Signed-off-by: Rob Crittenden 
---
 ipatests/test_integration/test_commands.py | 20 
 1 file changed, 20 in

[Freeipa-devel] [freeipa PR#5272][closed] [Backport][ipa-4-8] WebUI: Fix topology graph navigation crash

2020-11-18 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5272
Author: serg-cymbaluk
 Title: #5272: [Backport][ipa-4-8] WebUI: Fix topology graph navigation crash
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5272/head:pr5272
git checkout pr5272


[Freeipa-devel] [freeipa PR#5262][closed] Fix TLS/SSL related issues in EPN

2020-11-18 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5262
Author: tiran
 Title: #5262: Fix TLS/SSL related issues in EPN
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5262/head:pr5262
git checkout pr5262


[Freeipa-devel] [freeipa PR#5279][opened] freeipa.spec.in: unify spec files across upstream, RHEL, and Fedora

2020-11-18 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5279
Author: abbra
 Title: #5279: freeipa.spec.in: unify spec files across upstream, RHEL, and 
Fedora
Action: opened

PR body:
"""
In order to reduce maintenance burden and to be able to use automatic
build tools, bring up the differences between RPM spec files in
upstream, RHEL, and Fedora to a minimum.

This gives us an opportunity to:

- start using proper conditional macros (%bcond_with/%bcond_without)
- remove old cruft where Fedora 31+ and RHEL8+ are already the same
- remove Group lines which are already deprecated in Fedora packaging
  policy
- remove buildroot cleanup
- support release candidate designations: mostly affects downstreams but
  it is better to have macro support in the common spec file

Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5279/head:pr5279
git checkout pr5279
From 394ca0e4bc6dd3d30987600d5605e132ddf9bc05 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Wed, 18 Nov 2020 16:14:52 +0200
Subject: [PATCH] freeipa.spec.in: unify spec files across upstream, RHEL, and
 Fedora

In order to reduce maintenance burden and to be able to use automatic
build tools, bring up the differences between RPM spec files in
upstream, RHEL, and Fedora to a minimum.

This gives us an opportunity to:

- start using proper conditional macros (%bcond_with/%bcond_without)
- remove old cruft where Fedora 31+ and RHEL8+ are already the same
- remove Group lines which are already deprecated in Fedora packaging
  policy
- remove buildroot cleanup
- support release candidate designations: mostly affects downstreams but
  it is better to have macro support in the common spec file

Signed-off-by: Alexander Bokovoy 
---
 freeipa.spec.in | 195 ++--
 1 file changed, 105 insertions(+), 90 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 13b569abb6b..e34d55a81f3 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1,3 +1,18 @@
+# ipatests enabled by default, can be disabled with --without ipatests
+%bcond_without ipatests
+# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml
+# On RHEL 8 we should use --with ipa_join_xml
+%bcond_with ipa_join_xml
+
+# Linting is disabled by default, needed for upstream testing
+%bcond_with lint
+
+# Build documentation with sphinx
+%bcond_with doc
+
+# Build Python wheels
+%bcond_with wheels
+
 # 389-ds-base 1.4 no longer supports i686 platform, build only client
 # packages, https://bugzilla.redhat.com/show_bug.cgi?id=1544386
 %if 0%{?fedora} >= 28 || 0%{?rhel} > 7
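Review bot: the comment on `%bcond_with ipa_join_xml` says RHEL 8 should build `--with ipa_join_xml`, but nothing selects that default on RHEL, so downstream still has to pass the flag by hand; since the goal is one spec for upstream, RHEL and Fedora, consider wrapping it in `%if 0%{?rhel} == 8` with `%bcond_without ipa_join_xml` and `%bcond_with ipa_join_xml` in the `%else` branch. Also note that `%bcond_without ipatests` turns the tests on for every build, including the i686 client-only case handled just below, unless a later override takes care of it.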
@@ -15,29 +30,19 @@
 %global enable_server_option --enable-server
 %endif
 
-# Build ipatests
-%if 0%{?rhel}
+%if %{ONLY_CLIENT}
 %global with_ipatests 0
 %endif
-%if ! %{ONLY_CLIENT}
-%{!?with_ipatests:%global with_ipatests 1}
-%endif
-%if 0%{?with_ipatests}
-%global with_ipatests_option --with-ipatests
-%else
-%global with_ipatests_option --without-ipatests
-%endif
 
-# Use XML-RPC with ipa-join
-%if 0%{?with_ipa_join_xml}
-%global with_ipa_join_xml_option --with-ipa-join-xml
-%else
-%global with_ipa_join_xml_option --without-ipa-join-xml
-%endif
+# Whether to build ipatests
+%global with_ipatests_option %{?_with_ipatests}
+
+# Whether to use XML-RPC with ipa-join
+%global with_ipa_join_xml_option %{?_with_ipa_join_xml}
 
 # lint is not executed during rpmbuild
 # %%global with_lint 1
-%if 0%{?with_lint}
+%if %{with lint}
 %global linter_options --enable-pylint --with-jslint
 %else
 %global linter_options --disable-pylint --without-jslint
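Review bot: the surviving `%global with_ipatests 0` under `%if %{ONLY_CLIENT}` no longer disables anything: `with_ipatests_option` is now taken from `%{?_with_ipatests}`, which `%bcond_without ipatests` sets to `--with-ipatests` independently of `with_ipatests`, so client-only builds still hand `--with-ipatests` to configure; and since rpm's `%{with X}` only tests whether `with_X` is defined, setting it to 0 does not turn `%{with ipatests}` off either. Use `%undefine with_ipatests` plus `%global with_ipatests_option --without-ipatests` in that branch. Separately, when a bcond is off the old explicit `--without-ipatests` / `--without-ipa-join-xml` flags are no longer passed at all, so configure's own defaults must match the previous behaviour.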
@@ -53,46 +58,43 @@
 %if 0%{?rhel}
 %global package_name ipa
 %global alt_name freeipa
-%global krb5_version 1.18
+%global krb5_version 1.18.2
 %global krb5_kdb_version 8.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
-%global python_netaddr_version 0.7.16
+%global python_netaddr_version 0.7.19
 # Require 4.7.0 which brings Python 3 bindings
-%global samba_version 4.7.0
-%global selinux_policy_version 3.14.3-21
-%global slapi_nis_version 0.56.1-4
+%global samba_version 4.12.3-12
+%global selinux_policy_version 3.14.3-52
+%global slapi_nis_version 0.56.4
 %global python_ldap_version 3.1.0-1
-# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
-# https://pagure.io/freeipa/issue/8515
-%global ds_version 1.4.3
+# python3-lib389
+# Fix for "Installation fails: Replica Busy"
+# https://pagure.io/389-ds-base/issue/49818
+%global ds_version 1.4.2.4-6
 # Fix for TLS 1.3 PHA, RHBZ#1775158
 %global httpd_version 2.4.37-21
-%global systemd_version 239
 
 %else
 # Fedora
 %global package_name freeipa
 %global alt_name ipa
 # Fix for CVE-2018-20217
-%global krb5_version 1.16.1-24
+%global krb5_version 1.18
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.16
 # Require 4.7.0 which brings Python 3 bindings
-%global samba_version 2:4.7.0
+# Require 4.12 which has DsRGe
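Review bot: `ds_version` on RHEL is lowered from 1.4.3 to 1.4.2.4-6 and the comment tying 1.4.3 to the cn=bdb move of nsslapd-db-locks (issue 8515) is dropped; if the RHEL 8 389-ds build carries that change as a backport, say so in the replacement comment, otherwise the version floor no longer guarantees the fix. The `# Require 4.7.0 which brings Python 3 bindings` comment is also kept above the new `%global samba_version 4.12.3-12` on the RHEL side and is now stale; the Fedora branch gets a fresh 4.12 comment, so the RHEL one should state why 4.12.3-12 specifically.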

[Freeipa-devel] [freeipa PR#5287][opened] ad trust: accept subordinate domains of the forest trust root

2020-11-24 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5287
Author: abbra
 Title: #5287: ad trust: accept subordinate domains of the forest trust root
Action: opened

PR body:
"""
Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for
subordinate UPN suffixes but missed the case where subordinate UPN is a
subdomain of the forest root domain and not mentioned in the UPN
suffixes list.

Correct this situation by applying the same check to the trusted domain
name as well.

Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5287/head:pr5287
git checkout pr5287
From c6af8f849579dbad86631eaaecd91e8eb7224970 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Tue, 24 Nov 2020 16:03:36 +0200
Subject: [PATCH] ad trust: accept subordinate domains of the forest trust root

Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for
subordinate UPN suffixes but missed the case where subordinate UPN is a
subdomain of the forest root domain and not mentioned in the UPN
suffixes list.

Correct this situation by applying the same check to the trusted domain
name as well.

Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy 
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index bb9d85c104b..07c433e14f9 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2975,10 +2975,20 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
 
 	/* Iterate through list of trusts and check if input realm belongs to any of the trust */
 	for(i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
+		size_t len = 0;
 		result = strncasecmp(test_realm,
  ipactx->mspac->trusts[i].domain_name,
  size) == 0;
 
+		if (!result) {
+			len = strlen(ipactx->mspac->trusts[i].domain_name);
+			if ((size > len) && (test_realm[size - len - 1] == '.')) {
+result = strncasecmp(test_realm + (size - len),
+		 ipactx->mspac->trusts[i].domain_name,
+		 len) == 0;
+			}
+		}
+
 if (!result && (ipactx->mspac->trusts[i].flat_name != NULL)) {
 			result = strncasecmp(test_realm,
 	 ipactx->mspac->trusts[i].flat_name,
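Review bot: the new suffix branch is sound (the `size > len` guard keeps the index from wrapping and the `'.'` test enforces a label boundary), but two edge cases deserve a look: with an empty `domain_name`, `len` is 0 and `strncasecmp(..., 0)` returns 0, so any realm ending in '.' would be accepted; and the pre-existing exact-match compare just above only compares `size` bytes, so a realm that is a strict prefix of `domain_name` (for example `ad` against `ad.test`) also matches. Checking `len > 0` and, for the exact match, `size == strlen(domain_name)` closes both; caching that length next to `domain_name`, as is already done for `upn_suffixes_len`, would also avoid a `strlen()` on every trust iteration.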
@@ -2994,7 +3004,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
 	/* if UPN suffix did not match exactly, find if it is
 	 * superior to the test_realm, e.g. if test_realm ends
 	 * with the UPN suffix prefixed with dot*/
-	size_t len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
+	len = ipactx->mspac->trusts[i].upn_suffixes_len[j];
 	if ((size > len) && (test_realm[size - len - 1] == '.')) {
 		result = strncasecmp(test_realm + (size - len),
  ipactx->mspac->trusts[i].upn_suffixes[j],
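As an added example (not FreeIPA's code), the realm-to-trusted-domain test that PR#5287 extends, written as a stand-alone C function so its boundary cases can be run directly. It assumes the KDB hands over the realm with an explicit length, and it tightens the exact-match branch to require equal length, which goes beyond what the page's hunk does.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Added example, not code from ipa_kdb_mspac.c. Accept "realm" (size bytes,
 * not necessarily NUL-terminated, as in the KDB caller) when it equals the
 * trusted domain name ignoring case, or ends with "." followed by it, i.e. it
 * is a DNS subdomain of the forest root. Requiring size == len for the exact
 * match is an assumption that is stricter than the page's strncasecmp(size). */
static bool realm_matches_trusted_domain(const char *realm, size_t size,
                                         const char *domain)
{
    size_t len;

    if (realm == NULL || domain == NULL) {
        return false;
    }
    len = strlen(domain);
    /* An empty domain name would let the suffix rule match any realm that
     * ends in '.', so reject it outright. */
    if (len == 0) {
        return false;
    }
    /* Exact match: same length and equal ignoring case. */
    if (size == len && strncasecmp(realm, domain, len) == 0) {
        return true;
    }
    /* Subdomain match: realm = "<labels>." + domain. The size > len guard
     * keeps size - len - 1 from wrapping; the '.' test enforces a label
     * boundary so "evilad.test" does not match "ad.test". */
    if (size > len && realm[size - len - 1] == '.') {
        return strncasecmp(realm + (size - len), domain, len) == 0;
    }
    return false;
}

/* Convenience wrapper for NUL-terminated realms. */
static bool realm_matches(const char *realm, const char *domain)
{
    return realm_matches_trusted_domain(realm, strlen(realm), domain);
}

int main(void)
{
    /* Constructed sample realms against a constructed forest root. */
    assert(realm_matches("AD.TEST", "ad.test"));           /* exact, any case */
    assert(realm_matches("new.ad.test", "ad.test"));       /* subordinate domain */
    assert(realm_matches("a.b.ad.test", "AD.TEST"));       /* deeper subdomain */
    assert(!realm_matches("evilad.test", "ad.test"));      /* no label boundary */
    assert(!realm_matches("ad.test.example", "ad.test"));  /* root not at the end */
    assert(!realm_matches("ad.test", "new.ad.test"));      /* parent is not a child */
    assert(!realm_matches("ad", "ad.test"));               /* strict prefix rejected */
    assert(!realm_matches("x.", ""));                      /* empty domain rejected */
    /* Explicit length: only the first 11 bytes are the realm. */
    assert(realm_matches_trusted_domain("new.ad.testXYZ", 11, "ad.test"));
    return 0;
}
```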


[Freeipa-devel] [freeipa PR#5254][closed] ipatests: support subordinate upn suffixes

2020-11-26 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5254
Author: menonsudhir
 Title: #5254: ipatests: support subordinate upn suffixes
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5254/head:pr5254
git checkout pr5254


[Freeipa-devel] [freeipa PR#5298][opened] [Backport][ipa-4-9] ipatests: support subordinate upn suffixes

2020-11-26 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5298
Author: abbra
 Title: #5298: [Backport][ipa-4-9] ipatests: support subordinate upn suffixes
Action: opened

PR body:
"""
This PR was opened automatically because PR #5254 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5298/head:pr5298
git checkout pr5298
From d832de125c00ba60ff57eaa1e183803f842a9a1e Mon Sep 17 00:00:00 2001
From: Sudhir Menon 
Date: Wed, 11 Nov 2020 14:55:32 +0530
Subject: [PATCH 1/2] ipatests: support subordinate upn suffixes

This test adds a new UPN suffix on the AD side
within the ad.test subtree, i.e. new.ad.test; this
UPN is then assigned to aduser, and a kinit using
aduser with the UPN set is attempted, to ensure
that the kinit succeeds.

Signed-off-by: Sudhir Menon 
---
 ipatests/test_integration/test_trust.py | 45 +
 1 file changed, 45 insertions(+)

diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 7e4dbcc6e30..31349ced76a 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -245,6 +245,51 @@ def test_upn_user_authentication_in_nonposix_trust(self):
 self.master.run_command(['kinit', '-C', '-E', self.upn_principal],
 stdin_text=self.upn_password)
 
+def test_subordinate_suffix(self):
+"""Test subordinate UPN Suffixes"""
+tasks.configure_dns_for_trust(self.master, self.ad)
+tasks.establish_trust_with_ad(
+self.master, self.ad_domain,
+extra_args=['--range-type', 'ipa-ad-trust'])
+# Clear all UPN Suffixes
+ps_cmd = "Get-ADForest | Set-ADForest -UPNSuffixes $null"
+self.ad.run_command(["powershell", "-c", ps_cmd])
+result = self.master.run_command(["ipa", "trust-show", self.ad_domain])
+assert (
+"ipantadditionalsuffixes: {}".format(self.upn_suffix)
+not in result.stdout_text
+)
+# Run Get-ADForest
+ps_cmd1 = "Get-ADForest"
+self.ad.run_command(["powershell", "-c", ps_cmd1])
+# Add new UPN for AD
+ps_cmd2 = (
+'Get-ADForest | Set-ADForest -UPNSuffixes '
+'@{add="new.ad.test", "upn.dom"}'
+)
+self.ad.run_command(["powershell", "-c", ps_cmd2])
+self.ad.run_command(["powershell", "-c", ps_cmd1])
+self.master.run_command(
+["ipa", "trust-fetch-domains", self.ad_domain],
+raiseonerr=False)
+self.master.run_command(["ipa", "trust-show", self.ad_domain])
+# Set UPN for the aduser
+ps_cmd3 = (
+'set-aduser -UserPrincipalName '
+'administra...@new.ad.test -Identity Administrator'
+)
+self.ad.run_command(["powershell", "-c", ps_cmd3])
+# kinit to IPA using AD user administra...@new.ad.test
+result = self.master.run_command(
+["getent", "passwd", "administra...@new.ad.test"]
+)
+assert result.returncode == 0
+self.master.run_command(
+["kinit", "-E", "administra...@new.ad.test"],
+stdin_text="Secret123",
+)
+tasks.kdestroy_all(self.master)
+
 def test_remove_nonposix_trust(self):
 self.remove_trust(self.ad)
 tasks.unconfigure_dns_for_trust(self.master, self.ad)
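Review bot: `raiseonerr=False` on `ipa trust-fetch-domains` swallows a failure to pick up the new suffix, so the test would then fail later at `getent`/`kinit` with a less obvious error; let it raise, or assert on the following `trust-show` output that new.ad.test is now listed (the earlier assertion only checks that `self.upn_suffix` is absent). The test also leaves AD modified: the forest's UPN suffixes are cleared and replaced with `new.ad.test`/`upn.dom` and Administrator's UPN is changed, with no cleanup, which can affect later tests in the class; and `"Secret123"` should come from the test configuration as `self.upn_password` does above rather than a literal. The principal shows as `administra...@new.ad.test` here only because of the archive's address munging, as with the list addresses in the footer.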

From bbe0ff66eaaa6b33bf5187622f6d83b8c85f316e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Tue, 24 Nov 2020 16:03:36 +0200
Subject: [PATCH 2/2] ad trust: accept subordinate domains of the forest trust
 root

Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for
subordinate UPN suffixes but missed the case where subordinate UPN is a
subdomain of the forest root domain and not mentioned in the UPN
suffixes list.

Correct this situation by applying the same check to the trusted domain
name as well.

Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy 
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index bb9d85c104b..07c433e14f9 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2975,10 +2975,20 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
 
 	/* Iterate through list of trusts and check if input realm belongs to any of the trust */
 	for(i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
+		size_t len = 0;
 		result = strncasecmp(test_realm,
  ipactx->mspac->trusts[i].domain_name,
  size) == 0;
 
+		if (!result) {
+			len = strlen(ipactx->mspac->trusts[i].domain_name);
+			if ((size > len) && (test_realm[size - len - 1] == '.')) {
+result = strncasecmp(test_realm + (size - len),
+		 ipactx->mspac->trusts[i].domain_

[Freeipa-devel] [freeipa PR#5299][opened] [Backport][ipa-4-8] ipatests: support subordinate upn suffixes

2020-11-26 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5299
Author: abbra
 Title: #5299: [Backport][ipa-4-8] ipatests: support subordinate upn suffixes
Action: opened

PR body:
"""
This PR was opened automatically because PR #5254 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5299/head:pr5299
git checkout pr5299
From d53c7ef8f4e85514cbf023e112bc83e3f2f3c19f Mon Sep 17 00:00:00 2001
From: Sudhir Menon 
Date: Wed, 11 Nov 2020 14:55:32 +0530
Subject: [PATCH 1/2] ipatests: support subordinate upn suffixes

This test adds a new UPN suffix on the AD side
within the ad.test subtree, i.e. new.ad.test; this
UPN is then assigned to aduser, and a kinit using
aduser with the UPN set is attempted, to ensure
that the kinit succeeds.

Signed-off-by: Sudhir Menon 
---
 ipatests/test_integration/test_trust.py | 45 +
 1 file changed, 45 insertions(+)

diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 7e4dbcc6e30..31349ced76a 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -245,6 +245,51 @@ def test_upn_user_authentication_in_nonposix_trust(self):
 self.master.run_command(['kinit', '-C', '-E', self.upn_principal],
 stdin_text=self.upn_password)
 
+def test_subordinate_suffix(self):
+"""Test subordinate UPN Suffixes"""
+tasks.configure_dns_for_trust(self.master, self.ad)
+tasks.establish_trust_with_ad(
+self.master, self.ad_domain,
+extra_args=['--range-type', 'ipa-ad-trust'])
+# Clear all UPN Suffixes
+ps_cmd = "Get-ADForest | Set-ADForest -UPNSuffixes $null"
+self.ad.run_command(["powershell", "-c", ps_cmd])
+result = self.master.run_command(["ipa", "trust-show", self.ad_domain])
+assert (
+"ipantadditionalsuffixes: {}".format(self.upn_suffix)
+not in result.stdout_text
+)
+# Run Get-ADForest
+ps_cmd1 = "Get-ADForest"
+self.ad.run_command(["powershell", "-c", ps_cmd1])
+# Add new UPN for AD
+ps_cmd2 = (
+'Get-ADForest | Set-ADForest -UPNSuffixes '
+'@{add="new.ad.test", "upn.dom"}'
+)
+self.ad.run_command(["powershell", "-c", ps_cmd2])
+self.ad.run_command(["powershell", "-c", ps_cmd1])
+self.master.run_command(
+["ipa", "trust-fetch-domains", self.ad_domain],
+raiseonerr=False)
+self.master.run_command(["ipa", "trust-show", self.ad_domain])
+# Set UPN for the aduser
+ps_cmd3 = (
+'set-aduser -UserPrincipalName '
+'administra...@new.ad.test -Identity Administrator'
+)
+self.ad.run_command(["powershell", "-c", ps_cmd3])
+# kinit to IPA using AD user administra...@new.ad.test
+result = self.master.run_command(
+["getent", "passwd", "administra...@new.ad.test"]
+)
+assert result.returncode == 0
+self.master.run_command(
+["kinit", "-E", "administra...@new.ad.test"],
+stdin_text="Secret123",
+)
+tasks.kdestroy_all(self.master)
+
 def test_remove_nonposix_trust(self):
 self.remove_trust(self.ad)
 tasks.unconfigure_dns_for_trust(self.master, self.ad)
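Review bot: `ipa trust-fetch-domains` is run with `raiseonerr=False` and its result is discarded, so a failure to pick up the new suffixes would only surface later as a confusing `getent`/`kinit` failure; either drop `raiseonerr=False` or assert on the returned result. The test also hard-codes `new.ad.test`, `upn.dom` and the password `Secret123` rather than deriving them from `self.ad_domain` and the test configuration, and it alters the forest UPN suffixes and the Administrator UPN without restoring them, so later tests in the class observe the modified AD state; a cleanup step (or a fixture) before `test_remove_nonposix_trust` would avoid that.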

From 458c4e7e7c933bbd76ba4a26f77370f7495b074b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Tue, 24 Nov 2020 16:03:36 +0200
Subject: [PATCH 2/2] ad trust: accept subordinate domains of the forest trust
 root

Commit 8b6d1ab854387840f7526d6d59ddc7102231957f added support for
subordinate UPN suffixes but missed the case where subordinate UPN is a
subdomain of the forest root domain and not mentioned in the UPN
suffixes list.

Correct this situation by applying the same check to the trusted domain
name as well.

Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy 
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index f2bd60e11f4..c6ac593ca57 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2976,10 +2976,20 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
 
 	/* Iterate through list of trusts and check if input realm belongs to any of the trust */
 	for(i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
+		size_t len = 0;
 		result = strncasecmp(test_realm,
  ipactx->mspac->trusts[i].domain_name,
  size) == 0;
 
+		if (!result) {
+			len = strlen(ipactx->mspac->trusts[i].domain_name);
+			if ((size > len) && (test_realm[size - len - 1] == '.')) {
+result = strncasecmp(test_realm + (size - len),
+		 ipactx->mspac->trusts[i].domain_
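Review bot: the comment above the loop (`/* Iterate through list of trusts and check if input realm belongs to any of the trust */`) no longer describes the full behaviour and should mention that a realm which is a subdomain of a trusted domain name is now accepted as well; the `size_t len = 0;` declaration is only used inside `if (!result)` and can be moved into that block.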

[Freeipa-devel] [freeipa PR#4867][reopened] ipatests: test_epn - generate large batch of users

2020-11-29 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/4867
Author: miskopo
 Title: #4867: ipatests: test_epn - generate large batch of users
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4867/head:pr4867
git checkout pr4867
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#5110][closed] ipatests: webui: test_host.py Fix expected item visibility

2020-12-02 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5110
Author: miskopo
 Title: #5110: ipatests: webui: test_host.py Fix expected item visibility
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5110/head:pr5110
git checkout pr5110


[Freeipa-devel] [freeipa PR#5294][closed] Allow Apache to answer to ipa-ca requests without a redirect

2020-12-02 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5294
Author: rcritten
 Title: #5294: Allow Apache to answer to ipa-ca requests without a redirect
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5294/head:pr5294
git checkout pr5294


[Freeipa-devel] [freeipa PR#5314][opened] [Backport][ipa-4-9] Allow Apache to answer to ipa-ca requests without a redirect

2020-12-02 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5314
Author: abbra
 Title: #5314: [Backport][ipa-4-9] Allow Apache to answer to ipa-ca requests without a redirect
Action: opened

PR body:
"""
This PR was opened automatically because PR #5294 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5314/head:pr5314
git checkout pr5314
From fc5a2f72aae691a7922f51d8be90e5af684df21f Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Tue, 24 Nov 2020 16:15:17 -0500
Subject: [PATCH 1/2] Allow Apache to answer to ipa-ca requests without a
 redirect

Any request other than the FQDN is redirected with a permanent
move (301). Allowing ipa-ca as a valid name saves a round-trip.

This is only allowed on /ca, /kra, /pki, /acme and /ipa/crl.

https://pagure.io/freeipa/issue/8595

Signed-off-by: Rob Crittenden 
---
 install/share/ipa-rewrite.conf.template | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/install/share/ipa-rewrite.conf.template b/install/share/ipa-rewrite.conf.template
index 37661b8200e..c3d61646f51 100644
--- a/install/share/ipa-rewrite.conf.template
+++ b/install/share/ipa-rewrite.conf.template
@@ -1,4 +1,4 @@
-# VERSION 6 - DO NOT REMOVE THIS LINE
+# VERSION 7 - DO NOT REMOVE THIS LINE
 
 RewriteEngine on
 
@@ -9,6 +9,7 @@ ${AUTOREDIR}RewriteRule ^/$$ https://$FQDN/ipa/ui [L,NC,R=301]
 # Redirect to the fully-qualified hostname. Not redirecting to secure
 # port so configuration files can be retrieved without requiring SSL.
 RewriteCond %{HTTP_HOST}!^$FQDN$$ [NC]
+RewriteCond %{HTTP_HOST}!^ipa-ca.$DOMAIN$$ [NC]
 RewriteRule ^/ipa/(.*)  http://$FQDN/ipa/$$1 [L,R=301]
 
 # Redirect to the secure port if not displaying an error or retrieving
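Review bot: in `RewriteCond %{HTTP_HOST} !^ipa-ca.$DOMAIN$$ [NC]` the `.` is an unescaped regex metacharacter, so the condition also matches any host of the form `ipa-ca?$DOMAIN`; escape it as `!^ipa-ca\.$DOMAIN$$`, as the existing `(\.js|\.css|...)` condition in this template already does.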
@@ -18,5 +19,10 @@ RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config|crl)
 RewriteCond %{REQUEST_URI}  !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$$
 RewriteRule ^/ipa/(.*)  https://$FQDN/ipa/$$1 [L,R=301,NC]
 
+RewriteCond %{HTTP_HOST}^ipa-ca.$DOMAIN$$ [NC]
+RewriteCond %{REQUEST_URI}  !^/ipa/crl
+RewriteCond %{REQUEST_URI}  !^/(ca|kra|pki|acme)
+RewriteRule ^/(.*)  https://$FQDN/$$1 [L,R=301]
+
 # Rewrite for plugin index, make it like it's a static file
 RewriteRule ^/ipa/ui/js/freeipa/plugins.js$$/ipa/wsgi/plugins.py [PT]
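Review bot: `RewriteCond %{REQUEST_URI} !^/(ca|kra|pki|acme)` is an unanchored prefix match, so any path starting with those letters (for example `/cache` or `/acme-foo`) is also exempted from the redirect to the FQDN, which is wider than the "/ca, /kra, /pki, /acme and /ipa/crl" set the commit message describes; anchor it as `!^/(ca|kra|pki|acme)(/|$$)` and likewise `!^/ipa/crl(/|$$)`. The `.` in `^ipa-ca.$DOMAIN$$` is unescaped here as well.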

From 510e73aeb6ffe4844f4a3e993b2be01c435895a7 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Tue, 24 Nov 2020 17:17:50 -0500
Subject: [PATCH 2/2] ipatests: Test that ipa-ca.$domain can retrieve CRLs
 without redirect

https://pagure.io/freeipa/issue/8595

Signed-off-by: Rob Crittenden 
---
 .../test_integration/test_installation.py | 59 +++
 1 file changed, 59 insertions(+)

diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index b5df42b6705..1335b29306f 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -21,6 +21,7 @@
 
 from ipalib import x509
 from ipalib.constants import DOMAIN_LEVEL_0
+from ipalib.constants import IPA_CA_RECORD
 from ipalib.sysrestore import SYSRESTORE_STATEFILE, SYSRESTORE_INDEXFILE
 from ipapython.dn import DN
 from ipaplatform.constants import constants
@@ -1039,6 +1040,64 @@ def test_ipa_selinux_policy(self):
 }
 assert ('200', 'ipa', 'pp') in entries
 
+def test_ipaca_no_redirect(self):
+"""Test that ipa-ca.$DOMAIN does not redirect
+
+   ipa-ca is a valid name for an IPA server. It should not
+   require a redirect.
+
+   CRL generation does not need to be enabled for this test.
+   We aren't exactly testing that a CRL can be retrieved, just
+   that the redirect doesn't happen.
+"""
+
+def run_request(url, expected_stdout=None, expected_stderr=None):
+result = self.master.run_command(['curl', '-s', '-v', url])
+if expected_stdout:
+assert expected_stdout in result.stdout_text
+if expected_stderr:
+assert expected_stderr in result.stderr_text
+
+# CRL publishing on start-up is disabled so drop a file there
+crlfile = os.path.join(paths.PKI_CA_PUBLISH_DIR, 'MasterCRL.bin')
+self.master.put_file_contents(crlfile, 'secret')
+
+hosts = (
+f'{IPA_CA_RECORD}.{self.master.domain.name}',
+self.master.hostname,
+)
+
+# Positive tests. Both hosts can serve these.
+urls = (
+'http://{host}/ipa/crl/MasterCRL.bin',
+'http://{host}/ca/ocsp',
+'https://{host}/ca/admin/ca/getCertChain',
+'https://{host}/acme/',
+)
+for url in urls:
+for host in hosts:
+run_request(
+url.format(host=host),
+expected_stderr='HTTP/1.1 200'
+ 
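Review bot: `run_request` asserts nothing when called without `expected_stdout` or `expected_stderr` and never checks `result.returncode`, so a curl transport error would pass silently in that case; asserting on the return code in the helper would make it robust. The placeholder `MasterCRL.bin` written with `put_file_contents` has no cleanup in the visible part of the hunk; remove it in a `finally` block or a fixture so a fake CRL does not remain in the publish directory after the test.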

[Freeipa-devel] [freeipa PR#5305][closed] Add IPA RA Agent to ACME group on the CA

2020-12-02 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5305
Author: rcritten
 Title: #5305: Add IPA RA Agent to ACME group on the CA
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5305/head:pr5305
git checkout pr5305


[Freeipa-devel] [freeipa PR#5315][opened] [Backport][ipa-4-9] Add IPA RA Agent to ACME group on the CA

2020-12-02 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5315
Author: abbra
 Title: #5315: [Backport][ipa-4-9] Add IPA RA Agent to ACME group on the CA
Action: opened

PR body:
"""
This PR was opened automatically because PR #5305 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5315/head:pr5315
git checkout pr5315
From 769c28163be6dd4d034a05b8604bec1e1d43aee8 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Mon, 30 Nov 2020 09:55:22 -0500
Subject: [PATCH 1/2] Remove test for minimum ACME support and rely on package
 deps

This method was added temporarily while the required packages
were still under development and not available in stable
repositories.

Signed-off-by: Rob Crittenden 
---
 ipaserver/install/cainstance.py| 41 +++---
 ipatests/test_integration/test_acme.py |  5 
 2 files changed, 4 insertions(+), 42 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 535407cde2f..1b7941a80fe 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -37,7 +37,6 @@
 import time
 import tempfile
 from configparser import RawConfigParser
-from pkg_resources import parse_version
 
 from ipalib import api
 from ipalib import x509
@@ -430,8 +429,7 @@ def configure_instance(self, host_name, dm_password, admin_password,
 if promote:
 self.step("destroying installation admin user",
   self.teardown_admin)
-if minimum_acme_support():
-self.step("deploying ACME service", self.setup_acme)
+self.step("deploying ACME service", self.setup_acme)
 # Materialize config changes and new ACLs
 self.step("starting certificate server instance",
   self.start_instance)
@@ -771,10 +769,9 @@ def __create_ca_agent(self):
 self.basedn)
 conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
 
-if minimum_acme_support():
-group_dn = DN(('cn', ACME_AGENT_GROUP), ('ou', 'groups'),
-  self.basedn)
-conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
+group_dn = DN(('cn', ACME_AGENT_GROUP), ('ou', 'groups'),
+  self.basedn)
+conn.add_entry_to_group(user_dn, group_dn, 'uniqueMember')
 
 def __get_ca_chain(self):
 try:
@@ -1487,9 +1484,6 @@ def setup_acme(self) -> bool:
 logger.debug('ACME service is already deployed')
 return False
 
-if not minimum_acme_support():
-return False
-
 self._ldap_mod('/usr/share/pki/acme/database/ds/schema.ldif')
 
 configure_acme_acls()
@@ -1732,33 +1726,6 @@ def ensure_lightweight_cas_container():
 )
 
 
-def minimum_acme_support(data=None):
-"""
-ACME with global enable/disable is required.
-
-This first shipped in dogtag version 10.10.0.
-
-Parse the version string to determine if the minimum version
-is met. If parsing fails return False.
-
-:param: data: The string value to parse for version. Defaults to
-  reading from the filesystem.
-"""
-if not data:
-with open('/usr/share/pki/VERSION', 'r') as fd:
-data = fd.read()
-
-groups = re.match(r'.*\nSpecification-Version: ([\d+\.]*)\n.*', data)
-if groups:
-version_string = groups.groups(0)[0]
-minimum_version = parse_version('10.10.0')
-
-return parse_version(version_string) >= minimum_version
-else:
-logger.debug('Unable to parse version from %s', data)
-return False
-
-
 def ensure_acme_containers():
 """
 Create the ACME container objects under ou=acme,o=ipaca if
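Review bot: removing `minimum_acme_support()` drops the only visible use of `re` in this module (the matching `parse_version` import is already removed in the first hunk); check whether `re` is still used elsewhere in cainstance.py and, if not, remove its import too so the module stays lint-clean.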
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index 3fd322f05e6..ccb96fa7012 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -14,7 +14,6 @@
 from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
 from ipaplatform.osinfo import osinfo
 from ipaplatform.paths import paths
-from ipaserver.install import cainstance
 from ipatests.test_integration.test_external_ca import (
 install_server_external_ca_step1,
 install_server_external_ca_step2,
@@ -61,8 +60,6 @@ def wrapped(*args):
 return wrapped
 
 
-@pytest.mark.skipif(not cainstance.minimum_acme_support(),
-reason="does not provide ACME")
 class TestACME(CALessBase):
 """
 Test the FreeIPA ACME service by using ACME clients on a FreeIPA client.
@@ -402,8 +399,6 @@ def test_third_party_certs(self):
 assert "invalid 'certificate'" in result.stderr_text
 
 
-@pytest.mark.skipif(not cainstance.minimum_acme_support(),
-reason="does not provide ACME")
 class TestACMECALess(IntegrationTe

[Freeipa-devel] [freeipa PR#5312][closed] Move where the restore state is marked during IPA server upgrade

2020-12-02 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5312
Author: rcritten
 Title: #5312: Move where the restore state is marked during IPA server upgrade
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5312/head:pr5312
git checkout pr5312


[Freeipa-devel] [freeipa PR#5316][opened] [Backport][ipa-4-9] Move where the restore state is marked during IPA server upgrade

2020-12-02 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5316
Author: abbra
 Title: #5316: [Backport][ipa-4-9] Move where the restore state is marked during IPA server upgrade
Action: opened

PR body:
"""
This PR was opened automatically because PR #5312 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5316/head:pr5316
git checkout pr5316
From 266651f0af6c0681eb965432d5d6a3c238460e8e Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Tue, 1 Dec 2020 16:35:26 -0500
Subject: [PATCH] Move where the restore state is marked during IPA server
 upgrade

There is still some exposure to killing in a bad place. This was
reproduced by killing the process in the parser.parse() call within
__restore_config (line 230) so the values were restored from the
backup but the new dse.ldif never written or copied. But the values
had already been restored from the state file.

I'm not sure this can ever be 100% bullet-proof since it can be
externally killed, but rather than calling restore_state() on the
values in __restore_config we can use get_state(), which will peek at
the values in the state file without removing them. Then the last step
is to pop upgrade-in-progress and then the rest.

If the values have been restored and the new ldif written and copied
then it's only upgrade-in-progress that really matters. The rest will
be overwritten.

https://pagure.io/freeipa/issue/7534

Signed-off-by: Rob Crittenden 
---
 ipaserver/install/upgradeinstance.py | 19 ++-
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/upgradeinstance.py b/ipaserver/install/upgradeinstance.py
index 855d7f236c5..a239dd035a8 100644
--- a/ipaserver/install/upgradeinstance.py
+++ b/ipaserver/install/upgradeinstance.py
@@ -199,11 +199,11 @@ def __enable_ds_global_write_lock(self):
 shutil.copy2(ldif_outfile, self.filename)
 
 def __restore_config(self):
-port = self.restore_state('nsslapd-port')
-security = self.restore_state('nsslapd-security')
-global_lock = self.restore_state('nsslapd-global-backend-lock')
-schema_compat_enabled = self.restore_state('schema_compat_enabled')
-self.restore_state('upgrade-in-progress')
+# peek the values during the restoration
+port = self.get_state('nsslapd-port')
+security = self.get_state('nsslapd-security')
+global_lock = self.get_state('nsslapd-global-backend-lock')
+schema_compat_enabled = self.get_state('schema_compat_enabled')
 
 ldif_outfile = "%s.modified.out" % self.filename
 with open(ldif_outfile, "w") as out_file:
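Review bot: the comment `# peek the values during the restoration` should read `# peek at the values during the restoration`, and it would help to state the reason here (the values must stay in the state file until the new dse.ldif has been written and copied, so an interrupted upgrade can be resumed), since that rationale currently lives only in the commit message.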
@@ -231,6 +231,15 @@ def __restore_config(self):
 
 shutil.copy2(ldif_outfile, self.filename)
 
+# Now the restore is really done, remove upgrade-in-progress
+self.restore_state('upgrade-in-progress')
+
+# the values are restored, remove from the state file
+self.restore_state('nsslapd-port')
+self.restore_state('nsslapd-security')
+self.restore_state('nsslapd-global-backend-lock')
+self.restore_state('schema_compat_enabled')
+
 def __disable_listeners(self):
 ldif_outfile = "%s.modified.out" % self.filename
 with open(ldif_outfile, "w") as out_file:
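Review bot: once `self.restore_state('upgrade-in-progress')` has popped the marker, a kill before the four following `restore_state` calls leaves the nsslapd-* and schema_compat_enabled keys in the state file with the upgrade already marked complete; the commit message argues that those leftovers are simply overwritten on the next run, so say so in the `# the values are restored, remove from the state file` comment, because a reader of this code alone cannot tell whether stale keys are harmless.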


[Freeipa-devel] [freeipa PR#5317][opened] [Backport][ipa-4-8] Move where the restore state is marked during IPA server upgrade

2020-12-02 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5317
Author: abbra
 Title: #5317: [Backport][ipa-4-8] Move where the restore state is marked during IPA server upgrade
Action: opened

PR body:
"""
This PR was opened automatically because PR #5312 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5317/head:pr5317
git checkout pr5317
From 431d3a35d7ae8b809f79475cd3e9c7ecc9b86b43 Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Tue, 1 Dec 2020 16:35:26 -0500
Subject: [PATCH] Move where the restore state is marked during IPA server
 upgrade

There is still some exposure to killing in a bad place. This was
reproduced by killing the process in the parser.parse() call within
__restore_config (line 230) so the values were restored from the
backup but the new dse.ldif never written or copied. But the values
had already been restored from the state file.

I'm not sure this can ever be 100% bullet-proof since it can be
externally killed, but rather than calling restore_state() on the
values in __restore_config we can use get_state(), which will peek at
the values in the state file without removing them. Then the last step
is to pop upgrade-in-progress and then the rest.

If the values have been restored and the new ldif written and copied
then it's only upgrade-in-progress that really matters. The rest will
be overwritten.

https://pagure.io/freeipa/issue/7534

Signed-off-by: Rob Crittenden 
---
 ipaserver/install/upgradeinstance.py | 19 ++-
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/upgradeinstance.py b/ipaserver/install/upgradeinstance.py
index 15f95c1e52e..653e4987999 100644
--- a/ipaserver/install/upgradeinstance.py
+++ b/ipaserver/install/upgradeinstance.py
@@ -199,11 +199,11 @@ def __enable_ds_global_write_lock(self):
 shutil.copy2(ldif_outfile, self.filename)
 
 def __restore_config(self):
-port = self.restore_state('nsslapd-port')
-security = self.restore_state('nsslapd-security')
-global_lock = self.restore_state('nsslapd-global-backend-lock')
-schema_compat_enabled = self.restore_state('schema_compat_enabled')
-self.restore_state('upgrade-in-progress')
+# peek the values during the restoration
+port = self.get_state('nsslapd-port')
+security = self.get_state('nsslapd-security')
+global_lock = self.get_state('nsslapd-global-backend-lock')
+schema_compat_enabled = self.get_state('schema_compat_enabled')
 
 ldif_outfile = "%s.modified.out" % self.filename
 with open(ldif_outfile, "w") as out_file:
@@ -231,6 +231,15 @@ def __restore_config(self):
 
 shutil.copy2(ldif_outfile, self.filename)
 
+# Now the restore is really done, remove upgrade-in-progress
+self.restore_state('upgrade-in-progress')
+
+# the values are restored, remove from the state file
+self.restore_state('nsslapd-port')
+self.restore_state('nsslapd-security')
+self.restore_state('nsslapd-global-backend-lock')
+self.restore_state('schema_compat_enabled')
+
 def __disable_listeners(self):
 ldif_outfile = "%s.modified.out" % self.filename
 with open(ldif_outfile, "w") as out_file:


[Freeipa-devel] [freeipa PR#5303][closed] ipatests: fix TestTrust::test_subordinate_suffix

2020-12-02 Thread abbra via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5303
Author: flo-renaud
 Title: #5303: ipatests: fix TestTrust::test_subordinate_suffix
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5303/head:pr5303
git checkout pr5303

