Commit e3f3584 introduced an additional prompt in ipa-server-install
"Do you want to configure chrony with NTP server or pool address?".
The test is building a string passed to stdin in interactive mode
but this string has not been updated with the additional answer for
this new question.
This commit answers 'no' to the question and allows to proceed with
the ipa server installation.
Fixes: https://pagure.io/freeipa/issue/7969
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
New feature of autounmembership added in 389-ds-base
https://pagure.io/389-ds-base/issue/50077
Tests for autounmembership feature has been added in
this PR
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Tests added for two scenarios:
1) adding one-way external trust, trust on Windows side is created using
netdom utility.
2) adding one-way forest trust, trust on Windows side is created using
powershell bindings to .Net functions
Tests verify that specified trusts can be established, trust domains can
be fetched and AD user data can be queried by IPA client.
Relates: https://pagure.io/freeipa/issue/6077
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
The command
ipa-replica-manage list -v <node>
can display:
last init ended: 1970-01-01 00:00:00+00:00
last init status: None
when called on a node that never had total update.
The fix for 7716 modifies the command so that it doesn't print
those lines when there is no last init status.
This commit adds a new test checking the output of
ipa-replica-manage list -v <node>.
Related to: https://pagure.io/freeipa/issue/7716
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Wrong logic was triggering the start instead of restart
for pki-tomcatd. This test validates that restart
called on pki-tomcat properly.
related ticket : https://pagure.io/freeipa/issue/7927
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
We recently added validation of externally-signed CA certificate to
ensure certificates signed by external CAs with too-small keys
(according to system crypto policy) are rejected.
Add an integration test that attempts to renew with a 1024-bit
external CA, and asserts failure.
Part of: https://pagure.io/freeipa/issue/7761
Reviewed-By: Christian Heimes <cheimes@redhat.com>
After resolving https://pagure.io/freeipa/issue/7930
an unattended option alongsede with -r 'REALM' option
needs to be passed to tasks which lacks ntp options.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Oleg Kozlov <okozlov@redhat.com>
Add a test checking that the entry cn=CAcert,cn=ipa,cn=etc,BASEDN
is properly updated when the CA is renewed
The test also checks that the entry
cn=DOMAIN IPA CA,cn=certificates,cn=ipa,cn=etc,BASEDN properly
contains ipaconfigstring: compatCA
ipaconfigstring: ipaCA
Related to https://pagure.io/freeipa/issue/7928
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The test runs rpm -V in order to check that the file
permissions are consistent with the expectations set
in the spec file. The file mode, owner and group are
checked.
Related to https://pagure.io/freeipa/issue/7934
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The ipatests/test_integration/ package only uses ipaserver in a few
places. Copy some simple constants to decouple the packages.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit tests the--idmap-domain knob with the following behavior:
- if not present, default to IDM domain (current behavior)
- if equal to DNS (magic value), set nothing and let idmapd autodetect domain
- otherwise set Domain in idmap.conf to the value passed by this parameter
Related to: https://pagure.io/freeipa/issue/7918
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Under some conditions, ipa config-show and several other commands were
failing with error message:
ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled
Amongst others the issue can be caused by a broken installation, when
some services are left in state 'configuredServices'. The problem even
block uninstallation or removal of replicas. Now configured servers are
also consider valid providers for associated roles.
A new test verifies that config-show works with hidden and configured HTTP
service.
Remark: The original intent of the sanity check is no longer clear to me. I
think it was used to very that all services can be started by ipactl.
Since ipactl starts hidden, configured, and enabled services, the new
logic reflect the fact, too.
Fixes: https://pagure.io/freeipa/issue/7929
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Look for SELinux violation after installing a master with CA, KRA, and
DNS with DNSSEC. The test does not fail yet, because there are known
SELinux violations.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The p11-kit configuration injects p11-kit-proxy into all NSS databases.
Amongst other p11-kit loads SoftHSM2 PKCS#11 provider. This interferes
with 389-DS, certmonger, Dogtag and other services. For example certmonger
tries to open OpenDNSSEC's SoftHSM2 token, although it doesn't use it at
all. It also breaks Dogtag HSM support testing with SoftHSM2.
IPA server does neither need nor use SoftHSM2 proxied by p11-kit.
Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* override ipa_ca_key_size
* test with SHA512withRSA
Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
On non-usrmerge systems (e.g., Debian), bash, mv, cp, cat, tail,
keyctl, and gzip live in /bin, not /usr/bin.
On usrmerge systems, /bin is a symlink to /usr/bin (or vice versa), so
this has no effect.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
With the latest NFS changes:
* systemd NFS-related unit files
* configuration from /etc/sysconfig/nfs to /etc/nfs.conf
testing NFS client {manual, ipa-client-automount} configuration
has become paramount.
This extends the existing automount location test and must be
run nightly.
Fixes: https://pagure.io/freeipa/issue/7805
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Peter Cech <pcech@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The signing key for IPA's CA certificate now uses a 3072 bit RSA key by
default.
According to https://www.keylength.com/, NIST 800-57 Part 1 Rev. 4
recommends 3072 bit RSA keys for keys that are used beyond 2030 for 128 bit
strength.
Fixes: https://pagure.io/freeipa/issue/6790
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
IPA used to write a custom /etc/resolv.conf. On Fedora and RHEL,
NetworkManager is typically maintaining resolv.conf. On reboot or
restart of the service, NM overwrites the custom settings.
On systems with NM enabled, the DNS server installer now drops a config
file into NM's global config directory and delegates resolv.conf to NM.
On systems without NM, fall back to create /etc/resolv.conf directly.
Fixes: https://pagure.io/freeipa/issue/7900
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Install CA with 4096bit RSA key and SHA-384 signature.
Fixes: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
IPA no verifies that intermediate certs of external CAs have a basic
constraint path len of at least 1 and increasing.
Fixes: https://pagure.io/freeipa/issue/7877
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Tests in test_trust.py were organized in ten classes, one for each trust type,
requiring ten cycles of ipaserver installation/uninstallation and the full test
run lasted for about 5500 seconds.
There is no need in reinstallation of ipaserver between establishing different
types of trust.
I moved all tests to sinle class, preserving test logic.
Additional changes:
* TestEnforcedPosixADTrust was totally removed as it was duplicate of
TestPosixADTrust
* code of repeated checks was moved to methods
* A task was cretated for cleaning up DNS configuration changes made for
establishing trust
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
AD hosts can now be extracted from list in respective class attributes and host
domain names -- from properties provided by multihost plugin (host.domain.name).
Also removed conditional skips of tests when test configuration contains only
part of required AD machines as this feature never worked:
multihost plugin removes all machines from config which are not explicitly
requested.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Tests for AD trust can use three types (roles) of AD machines:
forest root, subdomain and tree domain.
All those machines were placed in one domain object of multihost configuration,
though they all have different domain names.
This is bad as we can not use domain attributes provided by multihost plugin
like host.domain.name and host.domain.basedn and others and need to reimplement
them, evaluating domain name from host.hostname.
And if we accidently used those properties it would lead to difficult to locate
errors (we would use same domain name for all AD hosts).
I modified multihost fixture function mh() to allow creating several AD domains.
As multihost plugin does not support requesting multiple domains with the same type,
I had to introduce new domain types: AD_SUBDOMAIN and AD_TREEDOMAIN.
Also there was a error in mh() which forced user to provide all three AD
machines when only one was needed (value from test class property num_ad_domains
was applied to subdomains and treedomains requirement).
I changed this behavior and now additional AD machines are specified with
properties num_ad_subdomains and num_ad_treedomains.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Test was expecting that when trust is established with forest root, than all
three AD domains should be found when quering trust-find for that domain.
Actually only root domain and its subdomain should be returned, without
the tree domain.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
TestExternalTrustWithRootDomain was inherited from ADTrustSubdomainBase
This caused that external trust was checked two times with subdomain
and was not checked with root domain.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
It was changed in f487233df0
for unknown reason. It did not influence test runs as
configure_dns_for_trust was made no-op in previous commit
1d9e1521c5. As now this commit is reverted,
configure_dns_for_trust is restored, invocation parameters also need to
be changed to initial values.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test case for hidden replica restore is flaky and sometimes fails.
The general issues is covered by upstream bug 7894.
See: https://pagure.io/freeipa/issue/7894
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Use methods:
- tasks.replica_install()
- tasks.client_install()
instead of custom methods.
Move ntp_pool/server to class scope.
Using teardown_method for cleanup.
Edit tasks.client_install to return result of installation.
Refactor install_replica task:
Add promote parameter to install_replica task.
Add ntp_args to install_client call and remove from
replica installation from tasks.install_replica while promoting.
Use case while not promoting has to have user allowed to enroll
a replica and server to contact in case autodiscovery does not work.
Related: https://pagure.io/freeipa/issue/7719
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Exercise ipa-replica-install with a hidden replica as source server and
creation of replication agreements between a hidden and an enabled
replica.
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
ipa-{adtrust|ca|dns|kra}-install on a hidden replica also installs the
new service as hidden service.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
DNSSec key master and CA renewal master can't be hidden. There must be
at least one enabled server available for each role, too.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
config-show only used to show enabled servers. Now also show hidden
servers on separate lines. Additionally include information about
KRA and DNS servers.
The augmented config-show output makes it easier to diagnose a cluster
and simplifies sanity checks.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Move tests for DNS and roles into helper methods to make them reusable.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
A hidden replica is a replica that does not advertise its services via
DNS SRV records, ipa-ca DNS entry, or LDAP. Clients do not auto-select a
hidden replica, but are still free to explicitly connect to it.
Fixes: https://pagure.io/freeipa/issue/7892
Co-authored-by: Francois Cami <fcami@redhat.com>
Signed-off-by: Francois Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Add new integration tests for the new command ipa-crlgen-manage,
and test_cmdline tests.
Related to: https://pagure.io/freeipa/issue/5803
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
If the mask used during the installation is "too restrictive", ie.0027,
installing FreeIPA results in a broken server or replica.
Add two tests that expect an error message at install time to catch
too restrictive masks.
Related to: https://pagure.io/freeipa/issue/7193
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Use master.external_hostname instead of master.hostname for ssh connection
from controller machine to master. If hostname and external_hostname in
test_config.yml do no match then trying to establish ssh connection
was failing with "[Errno -2] Name or service not known".
Fixes https://pagure.io/freeipa/issue/7874
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The fix for https://pagure.io/freeipa/issue/7868 introduced
a tuple-based OS version management method (osinfo.version_number)
by Christian Heimes.
Convert all occurrences of osinfo.version_id in ipatests to
osinfo.version_number then remove osinfo.version_id.
Related to: https://pagure.io/freeipa/issue/7873
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add a test with the following scenario:
ipa-server-install (with ca and pkinit enabled)
check that pkinit is properly enabled:
ipa-pkinit-manage status must return "enabled"
the KDC cert must be signed by IPA CA
Related to: https://pagure.io/freeipa/issue/7795
Reviewed-By: François Cami <fcami@redhat.com>
The test is performing topology changes on the master, then
waits for replication to replicate the changes and checks
the expected outcome on replica1.
The issue is that wait_for_replication was called on replica1,
but should be called on the master. This method is reliable only
if it is executed on the host where the modification was done.
Fixes https://pagure.io/freeipa/issue/7865
Reviewed-By: François Cami <fcami@redhat.com>
The test TestUserPermissions::test_selinux_user_optimized is
testing the fix for SSSD issue 3819, but the fix is not
available in fedora 28. Hence mark the test as xfail when
executed on fedora <=28 (our nightly tests also run on fed 28).
For full ref: fixed in sssd 1.16.4, Fedora 28 provides
1.16.3-2.fc28 only, while Fedora 29 provides 2.0.0-3.fc29.
related ticket : https://pagure.io/SSSD/sssd/issue/3819
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa users having default semanage context were optimized out.
This test checks if those users are listed.
related ticket : https://pagure.io/SSSD/sssd/issue/3819
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Verify that ipa-server-install with external CA and CA type ms-cs adds
the correct extension to the CSR.
Fixes: https://pagure.io/freeipa/issue/7548
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
389-ds-base has modified one option name in dsctl, and our test
test_uninstallation.py::TestUninstallBase::()::test_failed_uninstall
is still using the old option (--doit) instead of the new one
(--do-it).
Fixes: https://pagure.io/freeipa/issue/7856
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Move common LDAP commands to ldapmodify_dm() and ldapsearch_dm() helper
functions.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Integration tests are now using StartTLS with IPA's CA cert instead of
plain text connections.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
