Add a test checking that ipa-client-install --mkhomedir
is properly enableing/starting oddjobd.
Related to:
https://pagure.io/freeipa/issue/7604
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Since the switch to authselect, the service oddjobd is not
automatically enabled when ipa client is installed with
--mkhomedir.
The fix makes sure that the service is enabled/started, and
stores the pre-install state in sysrestore.state, in order
to revert to the pre-install state when uninstall is called
Fixes:
https://pagure.io/freeipa/issue/7604
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Update regular expression validator to prevent user and group creation.
Fixes: https://pagure.io/freeipa/issue/7572
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When AD forest A has a trust with a forest B that claims ownership
of a domain name (TLN) owned by an IPA forest, we need to build
exclusion record for that specific TLN, not our domain name.
Use realmdomains to find a correct exclusion entry to build.
Fixes: https://pagure.io/freeipa/issue/7370
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Extend WebUI test_pwpolicy suite with the following test cases
Details in the ticket https://pagure.io/freeipa/issue/7574
Added tests:
krbpwdminlength: lower range integer
krbmaxpwdlife: non-integer, abc
krbmaxpwdlife: upper range integer,2147483648
krbmaxpwdlife: lower range integer,-1
krbminpwdlife: non-integer,edf
krbminpwdlife: upper range integer,2147483648
krbminpwdlife: lower range integer,-1
krbpwdhistorylength: non-integer,HIJ
krbpwdhistorylength: upper range integer,2147483648
krbpwdhistorylength: lower range integer,-1
krbpwdmindiffchars: noon-integer,3lm
krbpwdmindiffchars: upper range integer,2147483648
krbpwdmindiffchars: lower range integer, -1
krbpwdminlength: non-integer, n0p
krbpwdminlength: upper range integer,2147483648
krbpwdminlength: lower range integer, -1
cospriority: non-integer, abc
cospriority: upper range integer,2147483648
cospriority: lower range integer,-1
krbpwdmaxfailure: non-integer
krbpwdmaxfailure: upper range integer
krbpwdmaxfailure: lower range integer
krbpwdfailurecountinterval: non-integer
krbpwdfailurecountinterval: upper range integer
krbpwdfailurecountinterval: lower range integer
krbpwdlockoutduration: non-integer
krbpwdlockoutduration: upper range integer
krbpwdlockoutduration: lower range integer
deletePolicy_with various scenario
MeasurementUnitAdded_Bug798363
Delete global password policy
add_Policy_adder_dialog_bug910463
delete_Policy_deleter_dialog_bug910463
test field: cospriority
modifyPolicy(undo/refresh/reset)
empty policy name
upper bound of data range
lower bound of data range
non integer for policy priority
Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Pavel Picka <ppicka@redhat.com>
Make CA bundles, certs, and cert directories world-accessible in
upgrader.
Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The directory /etc/httpd/alias contains public key material. It must be
world readable and executable, so any client can read public certs.
Note: executable for a directory means, that a process is allowed to
traverse into the directory.
Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Ensure that ipa.p11-kit is always world-readable.
Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
In CIS hardened mode, the process umask is 027. This results in some
files not being world readable. Ensure that write_certificate_list()
calls in client installer, server installer, and upgrader create cert
bundles with permission bits 0644.
Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Commit f1d5ab3a03 increases WSGI worker
count to five. This turned out to be a bit much for our test systems.
Four workers are good enough and still double the old amount.
See: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
This test checks if issuer DN is updated properly after CA is
renewed from self-signed to external-ca
related ticket: https://pagure.io/freeipa/issue/7316
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Replaced hardcoded issuer CN for external ca with constant
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
DogtagInstance.setup_admin and related methods have multiple LDAP
replication race conditions. The bugs can cause parallel
ipa-replica-install to fail.
The code from __add_admin_to_group() has been changed to use MOD_ADD
ather than search + MOD_REPLACE. The MOD_REPLACE approach can lead to
data loss, when more than one writer changes a group.
setup_admin() now waits until both admin user and group membership have
been replicated to the master peer. The method also adds a new ACI to
allow querying group member in the replication check.
Fixes: https://pagure.io/freeipa/issue/7593
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Instead of multiple timeout values all over the code base, all
replication waits now use a common timeout value from api.env of 5
minutes. Waiting for HTTP/replica principal takes 90 to 120 seconds, so
5 minutes seem like a sufficient value for slow setups.
Fixes: https://pagure.io/freeipa/issue/7595
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
replication.wait_for_entry() now can wait for an attribute value to
appear on a replica.
Fixed timeout handling caused by bad rounding and comparison. For small
timeouts, the actual time was rounded down. For example for 60 seconds
timeout and fast replica, the query accumulated to about 0.45 seconds
plus 60 seconds sleep. 60.45 is large enough to terminate the loop
"while int(time.time()) < timeout", but not large enough to trigger the
exception in "if int(time.time()) > timeout", because int(60.65) == 60.
See: https://pagure.io/freeipa/issue/7593
Fixes: https://pagure.io/freeipa/issue/7595
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Check if the given search records value is greater than an arbitrary number that is not so close to zero.
https://pagure.io/freeipa/issue/6617
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
There are some missing translatable docstrings of commands and modules.
Fixes: https://pagure.io/freeipa/issue/7592
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
This should prevent from NO_CLI commands have no translatable
description or have no one at all in Web UI API Browser.
Fixes: https://pagure.io/freeipa/issue/7592
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
With shorter TTL, several named restarts are no longer necessary to make
tests pass. The test case TestZoneSigningWithoutNamedRestart is no
longer relevant, too.
Modification of the root zone and disabling/enabling signing still seems
to need a restart. I have marked those cases as TODO.
See: https://pagure.io/freeipa/issue/5348
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When running IPA tests, a default TTL for the zone should be set
very low to allow get rid of timeouts in the tests. Zone updates should
be propagated to the clients as soon as possible.
This is not something that should be used in production so the change is
done purely at install time within the tests. As zone information is
replicated, we only modify it when creating a master with integrated
DNS.
This change should fix a number of DNSSEC-related tests where default
TTL is longer than what a test expects and a change of DNSSEC keys
never gets noticed by the BIND. As result, DNSSEC tests never match
their expected output with what they received from the BIND.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Co-authored-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
DNSSEC tests starrted to fail again, probably due to a bug in
some underlaying component.
This reverts commit 8bc6775122
and makes the xfail test check less strict - it will no longer
mark the test suite red if it passes.
Run DNSSEC tests on PR-CI
Co-authored-by: Felipe Barreto <fbarreto@redhat.com>
Related https://pagure.io/freeipa/issue/5348
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Translation objects have support for format(). This allows to
get rid of unicode() which has been removed in Python3.
Also some messages to be translated at request time should
not use format()
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable
at all.
Also some messages to be translated at request time should
not use format().
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now formatting is applied for bare messages before translating.
This breaks python-brace-format and message becomes untranslatable.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Translation objects have support for format(). This allows to
get rid of unicode() which is deprecated in Python3.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
For now translation classes have old style % formatting way only.
But 'format' is convenience, preferred in Python3 string formatting method.
Fixes: https://pagure.io/freeipa/issue/7586
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-replica-install only set ca_host in its temporary
/etc/ipa/default.conf, when it wasn't installing a replica with CA. As a
consequence, the replica installer was picking a random CA server from
LDAP.
Always set the replication peer as ca_host. This will ensure that the
installer uses the same replication peer for CA. In case the replication
peer is not a CA master, the installer will automatically pick another
host later.
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Check for nsds5ReplicaReleaseTimeout option was set
relates to: https://pagure.io/freeipa/issue/7488
Reviewed-By: Christian Heimes <cheimes@redhat.com>
While enabling console output in the server installation the
"Allow trust agents to retrieve keytab keys for cross realm
principals" ACI was throwing an unparseable error because
it has a subkey which broke parsing (the extra semi-colon):
userattr="ipaAllowedToPerform;read_keys#GROUPDN";
The regular expression pattern needed to be updated to handle
this case.
Related: https://pagure.io/freeipa/issue/6760
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The server installer had no console logger set so print
statements were used for communication. Now that a logger
is enabled the extra prints need to be dropped.
A number of logger.info statements have been upgraded
to debug since they do not need to appear on the console
by default.
https://pagure.io/freeipa/issue/6760
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This otherwise returns a syntax error if trying to set
an empty value.
Related: https://pagure.io/freeipa/issue/6760
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The server installation and uninstallation overlaps both the
server and client installers. The output could be confusing
with a server uninstall finishing with the message:
The ipa-client-install command was successful
This was in part due to the fact that the server was not
configured with a console format and verbose was False which
meant that no logger messages were displayed at all.
In order to suppress client installation errors and avoid
confusion add a list of errors to ignore. If a server install
was not successful and hadn't gotten far enough to do the
client install then we shouldn't complain loudly about it.
https://pagure.io/freeipa/issue/6760
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
FreeIPA has a dependency on /usr/lib/systemd/system/*-domainname.service
file. In fedora <=28, this is provided by package 'initscripts'
but in fedora >= 29, this is provided by package 'hostname'.
Fixes:
https://pagure.io/freeipa/issue/7591
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Python 2 will reach EOL in 18 months. Start to issue deprecation
warnings on Python 2.
No longer claim support for Python 3.5. Python 3.5 is untested.
NOTE: At first I tried to raise the deprecation warning from
ipalib.__init__. This caused some unforseen side-effects with
ipaplatform namespace package on Python 2. Eventually it was easier to
raise the deprecation warning in ipaplatform. RHEL and Debian platforms
don't raise the deprecation warning yet, because they use Python 2.
Fixes: https://pagure.io/freeipa/issue/7568
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
On multiple occasions, SRV query answers were not properly sorted by
priority. Records with same priority weren't randomized and shuffled.
This caused FreeIPA to contact the same remote peer instead of
distributing the load across all available servers.
Two new helper functions now take care of SRV queries. sort_prio_weight()
sorts SRV and URI records. query_srv() combines SRV lookup with
sort_prio_weight().
Fixes: https://pagure.io/freeipa/issue/7475
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
authselect needs to be configured with the 'with-sudo' feature (except
when ipa-client-install is called with the option --no-sudo).
https://pagure.io/freeipa/issue/7562
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Increase the WSGI daemon worker process count from 2 processes to 5
processes. This allows IPA RPC to handle more parallel requests. The
additional processes increase memory consumption by approximante 250 MB
in total.
Since memory is scarce on 32bit platforms, only 64bit platforms are
bumped to 5 workers.
Fixes: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In Fedora 29, the fedora-domainname.service has been renamed to
nis-domainname.service like on RHEL. The ipaplatform service module for
Fedora now only renames the service, when it detects the presence of
fedora-domainname.service.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1588192
Fixes: https://pagure.io/freeipa/issue/7582
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Require python-lesscpy 0.13. with Python 3 fix and use py3-lesscpy to
compile ipa.css.
python2-lesscpy was the last Python 2 dependency.
Fixes: https://pagure.io/freeipa/issue/7585
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Test checks that no multiservers can be added for
radius proxy
Pagure: https://pagure.io/freeipa/issue/7542
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The command description is taken from python docstring. Thus
commands should have them and should include the callings of
gettext to be translated.
Reviewed-By: Christian Heimes <cheimes@redhat.com>