Test used paramiko to connect to the master from controller.
Hence skip if FIPS is enabled
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
While other password policies were properly ignored the password
history was always being saved if the global history size was
non-zero.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Password changes performed by cn=Directory Manager are excluded from
password policy checks according to [1]. This is correctly handled by
ipa-pwd-extop in case of a normal Kerberos principal in IPA. However,
non-kerberos accounts were not excluded from the check.
As a result, password updates for PKI CA admin account in o=ipaca were
failing if a password policy does not allow a password reuse. We are
re-setting the password for PKI CA admin in ipa-replica-prepare in case
the original directory manager's password was updated since creation of
`cacert.p12`.
Do password policy check for non-Kerberos accounts only if it was set by
a regular user or admin. Changes performed by a cn=Directory Manager and
passsync managers should be excluded from the policy check.
Fixes: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/user_account_management-managing_the_password_policy
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-pwd-extop plugin had a bug which prevented cn=Directory Manager
from changing a password to a value that is not allowed by an associated
password policy. Password policy checks should not apply to any
operations done as cn=Directory Manager.
The test creates a system account with associated policy that prevents
password reuse. It then goes to try to change a password three times:
- as a user: must succeed
- as a cn=Directory Manager: must succeed even with a password re-use
- as a user again: must fail due to password re-use
Related: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
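The three-step sequence described in the commit message above can be modelled as follows. This is an added example, not code from ipa-pwd-extop or the FreeIPA test suite; the DNs, class names, and the choice to record history on privileged changes are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

DIRECTORY_MANAGER = "cn=directory manager"
# Constructed DNs for this example (assumptions, not taken from the FreeIPA tree).
PASSSYNC_MANAGERS = {"uid=passsync,cn=sysaccounts,cn=etc,dc=example,dc=test"}
SYSTEM_ACCOUNT = "uid=system,cn=sysaccounts,cn=etc,dc=example,dc=test"

class PolicyViolation(Exception):
    """Raised when a change breaks the account's password policy."""

@dataclass
class Account:
    dn: str
    history_size: int                 # 0 disables the reuse check
    current: tuple = ()               # (salt, digest) of the active password
    history: list = field(default_factory=list)

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _matches(password, entry):
    salt, digest = entry
    return hmac.compare_digest(_digest(password, salt), digest)

def change_password(account, bind_dn, new_password):
    who = bind_dn.casefold()          # DN comparison is case-insensitive
    privileged = who == DIRECTORY_MANAGER or who in PASSSYNC_MANAGERS
    # Policy applies only to changes made by a regular user or admin.
    if not privileged and account.history_size > 0:
        seen = account.history + ([account.current] if account.current else [])
        if any(_matches(new_password, e) for e in seen):
            raise PolicyViolation("password reuse")
    # Assumption of this model: history is recorded for every change.
    if account.current and account.history_size > 0:
        account.history = (account.history + [account.current])[-account.history_size:]
    salt = os.urandom(16)
    account.current = (salt, _digest(new_password, salt))

def run_sequence():
    acct = Account(dn=SYSTEM_ACCOUNT, history_size=3)
    change_password(acct, "cn=Directory Manager", "Initial-1")   # provisioning
    steps = [(acct.dn, "Second-2"),                  # user: must succeed
             ("cn=Directory Manager", "Initial-1"),  # DM reuse: must succeed
             (acct.dn, "Second-2")]                  # user reuse: must fail
    results = []
    for bind_dn, password in steps:
        try:
            change_password(acct, bind_dn, password)
            results.append(True)
        except PolicyViolation:
            results.append(False)
    return results
```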
'ipa group-add-member groupname --external some-object' will attempt to
ask interactive questions about other optional parameters (users and
groups) if only external group member was specified. This leads to a
timeout in the tests as there is no input provided.
Do not wait for the entry that would never come by using 'ipa -n'.
Related: https://pagure.io/freeipa/issue/8236
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Several translated strings were split and old translations do not
apply directly anymore.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
(cherry picked from commit 42e86692b6)
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Several translated strings were split and old translations do not
apply directly anymore.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
(cherry picked from commit 9fcae1590d)
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Several translated strings were split and old translations do not
apply directly anymore.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
(cherry picked from commit ad3ef9de44)
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Several translated strings were split and old translations do not
apply directly anymore.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
(cherry picked from commit 047c8cc55d)
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Several translated strings were split and old translations do not
apply directly anymore.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
(cherry picked from commit 1a0232a693)
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Several translated strings were split and old translations do not
apply directly anymore.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
(cherry picked from commit 2859216b4c)
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Several translated strings were split into smaller ones. The older
translation either is a duplicate of the new one or does not apply
anymore.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
(cherry picked from commit 117893f03e)
Reviewed-By: Christian Heimes <cheimes@redhat.com>