authconfig in config_redhat_nss_ldap and config_redhat_nss_pam_ldapd got
new option --enableldaptls
It should have effect primarily on el5 systems.
https://fedorahosted.org/freeipa/ticket/5654
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Newer versions of sssd use native IPA schema to process sudo rules.
However, this schema currently has no support for hostmask-based rules
and causes some sudo CI tests to fail. We have to temporarily set
sssd.conf to use ou=sudoers,$SUFFIX as a sudo rule search base when
executing them.
https://fedorahosted.org/freeipa/ticket/5625
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Don't put any IPA certificates to /etc/pki/nssdb - IPA itself uses
/etc/ipa/nssdb and IPA CA certificates are provided to the system using
p11-kit. Remove leftovers on upgrade.
https://fedorahosted.org/freeipa/ticket/5592
Reviewed-By: David Kupka <dkupka@redhat.com>
If number of servers (master+replicas) is equal to 4 + SUM(1, n, 2^n*5) for
any n >= 0:
* every server has replication agreement with 2 - 4 other servers.
* at least two agreements must fail in order to disconnect the topology.
Otherwise there can be server(s) with single agreement on the edge of the
topology.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
Explicitly specifying ip-address of the replica messes up with the current
bind-dyndb-ldap logic, causing reverse zone not to be created.
Enabled reverse-zone creation for the clients residing in different subnet from
master
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Without it any test comprized of more than one cycle of installing-uninstalling
of ipa would fail due to the fact that test folder on the remote machine gets
deleted during ipa uninstallation.
Also removed duplicate call of apply_common fixes and added unapply_fixes to
uninstall_replica
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fixes the install invocation in the test to use domain and
realm correctly. Also makes the test aware of domain levels.
https://fedorahosted.org/freeipa/ticket/5605
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
In Python 3, the truncating division operator, //, is needed to
get C-style "int division".
https://fedorahosted.org/freeipa/ticket/5623
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
When resolv.conf is set to point to the master's ip before installation, the
ipa-server-install does not create a reverse zone for it's ip even despite
--auto-reverse option provided. The fix is not to mess around with resolv.conf
before master installation.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
In DNSSEC tests the root zone has to be created, this requires to use
--skip-overlap-check to work properly.
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Without realm provided explicitly, installation calculates it automatically
from the current hostname which may be inconsistent with the configured domain
name. Which, in turn, causes failures in integration tests in the lab.
Reviewed-By: Martin Basti <mbasti@redhat.com>
fix for https://fedorahosted.org/freeipa/ticket/4933 made ipa-dns-install to
use LDAPI and deprecated -p option for directory manager password. This patche
remove the option from calls to ipa-dns-install in CI tests so that
deprecation warning does not clutter the logs.
Reviewed-By: Milan Kubik <mkubik@redhat.com>
IPA sudo tests worked under the assumption that the clients
that are executing the sudo commands have their IPs assigned
within 255.255.255.0 hostmask.
Removes this (invalid) assumption and adds a
dynamic detection of the hostmask of the IPA client.
https://fedorahosted.org/freeipa/ticket/5501
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
Test tests topologies listed bellow with and without CA on replicas:
star topology: 3 replicas
line topology: 3 replicas
complete topology: 3 replicas
Reviewed-By: Oleg Fayans <ofayans@redhat.com>
When creating an A record we used to provide full hostname as a record name,
while we should have provided only the first part of the hostname
https://fedorahosted.org/freeipa/ticket/5419
Reviewed-By: Martin Basti <mbasti@redhat.com>
As of 4.3 the replica installation is performed without preparing a gpg file on
master, but rather enrolling a future replica as a client with subsequent
promotion of the client. This required the corresponding change in the
integration tests
https://fedorahosted.org/freeipa/ticket/5379
Reviewed-By: Martin Basti <mbasti@redhat.com>
In some cases replication may take much more time than we expected. This
patch adds explicit cech if DS records has been replicated.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
