Commit Graph

15572 Commits

Author SHA1 Message Date
Florence Blanc-Renaud
04aae0eecc API reference: update dnszone_add generated doc
Update doc/api/dnszone_add.md after commit c74c701
(Set 'idnssoaserial' to deprecated)

Related: https://pagure.io/freeipa/issue/9249

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-25 10:38:56 +01:00
Florence Blanc-Renaud
35876b4e11 API reference: update vault doc
Update doc/api/vault_archive_internal.md and
doc/api/vault_retrieve_internal.md
after the change from commit 93548f2
(default wrapping algo is now des-ede3-cbc instead of aes-128-cbc).

Related: https://pagure.io/freeipa/issue/9259

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-25 10:38:56 +01:00
Antonio Torres
b39d8b9375
Update contributors list
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-11-24 16:30:09 +01:00
Antonio Torres
b928e5da5d
Update translations to FreeIPA master state
Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-11-24 16:26:42 +01:00
Julien Rische
673d2b82d0 Generate CNAMEs for TXT+URI location krb records
The IPA location system relies on DNS record priorities in order to give
higher precedence to servers from the same location. For Kerberos, this
is done by redirecting generic SRV records (e.g.
_kerberos._udp.[domain].) to location-aware records (e.g.
_kerberos._udp.[location]._locations.[domain].) using CNAMEs.

This commit applies the same logic for URI records. URI location-aware
record were created, but there were no redirection from generic URI
records. It was causing them to be ignored in practice.

Kerberos URI and TXT records have the same name: "_kerberos". However,
CNAME records cannot coexist with any other record type. To avoid this
conflict, the generic TXT realm record was replaced by location-aware
records, even if the content of these records is the same for all
locations.

Fixes: https://pagure.io/freeipa/issue/9257
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-23 20:00:17 +01:00
Florence Blanc-Renaud
3d6d7e9fdf ipatests: update vagrant boxes
Use new versions of vagrant boxes:
ci-master-f36 0.0.8
ci-master-f37 0.0.2
ci-master-frawhide 0.8.2

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2022-11-22 11:45:27 +01:00
Florence Blanc-Renaud
29012bb374 ipatests: remove xfail for tests using sssctl domain-status
The tests calling sssctl domain-status were marked xfail
because of SSSD issue #6331. Now that the issue is fixed
and freeipa bumped sssd required version, remove the xfail
annotation.

Related: https://pagure.io/freeipa/issue/9234
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-22 08:49:09 +01:00
Florence Blanc-Renaud
5a23d8ec3f spec file: bump sssd version
Bump sssd version to 2.8.0 on fedora37+ and RHEL
to ensure the fix for SSSD #6631 is present.

No need to bump the version on fedora 36 as the issue
is not seen on versions < 37.

Fixes: https://pagure.io/freeipa/issue/9234
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-22 08:49:09 +01:00
Francisco Trivino
93548f2569 Vault: fix interoperability issues with older RHEL systems
AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets.
This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but
setting AES as default ended-up breaking backwards compatibility with older RHEL systems.

This commit is tuning some defaults so that interoperability with older RHEL systems
works again. The new logic reflects:

- when an old client is calling a new server, it doesn't send any value for wrapping_algo
  and the old value is used (3DES), so that the client can decrypt using 3DES.

- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC

- when a new client is calling an old server, it doesn't send any value and the default is
  to use 3DES.

Finally, as this logic is able to handle overlapping wrapping algorithm between server and
client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa
vault-retrieve --help" commands.

Fixes: https://pagure.io/freeipa/issue/9259
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-21 10:41:10 -05:00
Florence Blanc-Renaud
d9ecb12d57 ipatests: re-enable dnssec tests
On fedora 37+ the dnssec tests were broken. The tests
launched for each pull request were disabled or marked
as xfail.
With the bump of bind version, they should now succeed
and can be re-enabled.

Related: https://pagure.io/freeipa/issue/9216

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-21 14:24:17 +01:00
Florence Blanc-Renaud
dface55b1f Spec file: bump bind version on f37+
On fedora37+, require at least bind 9.18.7-1 to avoid
dnssec regression (see BZ#2117342) related to bind and
OpenSSL 3.0 engine support.

Fixes: https://pagure.io/freeipa/issue/9216

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-21 14:24:17 +01:00
Rob Crittenden
a7b58b3c07 doc: Design for HSM support
Purpose is to add support for HSM installation of CA and KRA
on both initial server and replicas.

Related: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2022-11-18 16:05:31 -05:00
Rob Crittenden
4a2c7b311b Pass the curl write callback by name instead of address
This was reported by Coverity as a potential issue. Passing
by name is the example that curl uses so switch to that to
quiet the warning.

Also change to a static function and pre-declare it to quiet a
compile-time warning.

https://pagure.io/freeipa/issue/9274

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-16 14:50:22 -05:00
Rob Crittenden
83161913fb Support tokens and optional password files when opening an NSS db
Each token in an NSS database is likely to have its own
password/PIN. This allows the password to be set per token
available in the PKI password file.

This is necessary for HSM devices where the password is necessary
to access information about the private key (e.g. presence)

This may mean that to see all certificates in a given NSS database
one will need multiple instances of the NSSDatabase class, one for
each desired token (include None for the native token).

https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-16 14:47:53 -05:00
Antonio Torres
4caa5ca577 Add basic API usage guide
Add a guide explaining how to use the IPA API through Python. This
includes initializing the API, launching commands and retrieving
results, including batch operations.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-16 14:46:17 -05:00
Antonio Torres
988cb5a535 doc: generate API Reference
Extend the 'make api' target so that we also build an API Reference in
Markdown format. One template for each command gets generated. These
templates include all of the command details (arguments, options and
outputs), and then a section for manually-added notes such as semantics
or version differences. Every time the docs are regenerated, these notes
will be added if they exist.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-16 14:46:17 -05:00
Pavel Březina
c6a16a7e53 docs: add security section to idp
Related: https://pagure.io/freeipa/issue/8805
Related: https://pagure.io/freeipa/issue/8804
Related: https://pagure.io/freeipa/issue/8803
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-16 14:44:13 -05:00
Christian Heimes
dbebed2e3a Add PKINIT support to ipa-client-install
The ``ipa-client-install`` command now supports PKINIT for client
enrollment. Existing X.509 client certificates can be used to
authenticate a host.

Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA
certificates for PKINIT.

*Requirements*

- The KDC must trust the CA chain of the client certificate.
- The client must be able to verify the KDC's PKINIT cert.
- The host entry must exist. This limitation may be removed in the
  future.
- A certmap rule must match the host certificate and map it to a single
  host entry.

*Example*

```
ipa-client-install \
    --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
    --pkinit-anchor=/path/to/kdc-ca-bundle.pem
```

Fixes: https://pagure.io/freeipa/issue/9271
Fixes: https://pagure.io/freeipa/issue/9269
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-11-16 14:32:05 +02:00
Carla Martinez
f15da10454 webui: Add name to 'Certificates' table
For testing purposes and uniformity, the 'Certificates'
table generated after a new certificate is added should
also have the 'name' attribute to be able to access its
value.

Fixes: https://pagure.io/freeipa/issue/8946
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2022-11-15 13:04:22 +01:00
Mohammad Rizwan
746a036c7e ipatests: Test newly added certificate lable
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2022-11-15 13:04:22 +01:00
Carla Martinez
b76bb195a5 webui: Add label name to 'Certificates' section
For testing purposes and uniformity, the
'Certificates' label (located under
'Active users' settings ) should also have
'name' attribute, like seen in other parts of the WebUI.

Fixes: https://pagure.io/freeipa/issue/8946
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2022-11-15 13:04:22 +01:00
Alexander Bokovoy
21d99b457d ipa-kdb: for delegation check, use different error codes before and after krb5 1.20
With MIT krb5 1.20, a call to krb5_db_check_allowed_to_delegate()
and krb5_db_check_allowed_to_delegate_from() expects to return either
KRB5KDC_ERR_BADOPTION for a policy denial or KRB5_PLUGIN_OP_NOTSUPP in
case plugin does not handle the policy case. This is part of the MIT
krb5 commit a441fbe329ebbd7775eb5d4ccc4a05eef370f08b which added a
minimal MS-PAC generator.

Prior to MIT krb5 1.20, the same call was expected to return either
KRB5KDC_ERR_POLICY or KRB5_PLUGIN_OP_NOTSUPP errors.

Related: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-14 10:12:42 -05:00
Erik Belko
d6a643b798
ipatests: Add test for grace login limit
Test user and pwpolicy entity for grace login limit setting.

Related: https://pagure.io/freeipa/issue/9211

Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2022-11-10 09:30:15 +01:00
Erik Belko
815f18396c
ipatests: test for root using admin password in webUI
Check if there is no infinite loop caused by this
combination of user and password

Related: https://pagure.io/freeipa/issue/9226

Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2022-11-09 14:53:16 +01:00
Endi S. Dewata
38728dd518 Explicitly use legacy ID generators by default
The default ID generators used by PKI might change in the
future, so to preserve the current behavior the installation
code has been updated to explicitly use the legacy ID
generators by default.

Signed-off-by: Endi S. Dewata <edewata@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-03 15:18:30 -04:00
Scott Poore
c62e5d7a18 ipatests: xfail test_ipa_login_with_sso_user
There is a crash occurring that causes Keycloak to be unable to
communicate with ipa-tuura on the bridge server (replica0).  This is
much more prevalent in Fedora 37 so we need to xfail that test case
until the crash is resolved.

Related: https://pagure.io/freeipa/issue/9264

Signed-off-by: Scott Poore <spoore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-11-03 10:55:32 +01:00
Alexander Bokovoy
ce05e5fd40 ipa-kdb: fix comment to make sure we talk about krb5 1.20 or later
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-02 11:03:04 +02:00
Alexander Bokovoy
0c67f0e607 ipa-kdb: fix PAC requester check
PAC requester check was incorrect for in-realm S4U operations. It casted
too wide check which denied some legitimate requests. Fix that by only
applying rejection to non-S4U unknown SIDs, otherwise S4U2Self request
issued by the in-realm service against a trusted domain's user would not
work.

Related: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-02 11:03:04 +02:00
Alexander Bokovoy
e86807b58c ipa-kdb: handle empty S4U proxy in allowed_to_delegate
With krb5 1.20, S4U processing code uses a special case of passing an
empty S4U proxy to allowed_to_delegate() callback to identify if the
server cannot get forwardable S4U2Self tickets according to [MS-PAC]
3.2.5.1.2.

This means we need to ensure NULL proxy is a valid one and return an
appropriate response to that.

Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-02 11:03:04 +02:00
Alexander Bokovoy
a9018da90d ipa-kdb: handle cross-realm TGT entries when generating PAC
For generating PAC we need to know SID of the object and a number of
required attributes. However, trusted domain objects do not have these
attributes. Luckily, IPA LDAP schema puts them under actual trust
objects which have all the additional (POSIX) attributes.

Refactor PAC generator to accept secondary LDAP entry and use that one
to pull up required attributes. We only use this for trusted domain
objects.

Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-02 11:03:04 +02:00
Alexander Bokovoy
c1582bd322 ipa-kdb: add krb5 1.20 support
Add basic krb5 1.20 integration without RBCD support. RBCD will come in
a separate series.

Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-02 11:03:04 +02:00
Alexander Bokovoy
5e7590981b ipa-kdb: refactor MS-PAC processing to prepare for krb5 1.20
Make sure both krb5 pre 1.20 and 1.20 or later would call into the same
PAC generation code while driven by different API callbacks from the
krb5 KDB interface.

Fixes: https://pagure.io/freeipa/issue/9083
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-11-02 11:03:04 +02:00
Florence Blanc-Renaud
fbda6ea4d3 Spec file: bump the selinux-policy version
selinux-policy introduced a regression in fedora 36, rhel 8
and rhel 9. After a call to ipa trust-add, the credential cache
contains cifs/master.ipa.test@IPA.TEST instead of admin principal.

The fix is available in
- fedora 36: selinux-policy-36.16-1
- rhel 8: 3.14.3-107

Bump the selinux-policy version to install the fix.

Fixes: https://pagure.io/freeipa/issue/9198
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-10-20 15:42:05 -04:00
Scott Poore
899530bd40 ipatests: add keycloak user login to ipa test
Adding test case to test_sso.py to cover login to IPA client as Keycloak
user without relying on external IdP.

create_bridge.py:
- getkeytab in setup_scim_server to allow bridge to use IPA API.
- fix unintstall to remove plugin by version instead of main

test_sso.py:
- add keycloak_add_user function
- add test_ipa_login_with_sso_user

tasks.py:
- add set_user_password to only set password for ipa users

Fixes: https://pagure.io/freeipa/issue/9250
Signed-off-by: Scott Poore <spoore@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-10-20 08:48:53 -04:00
Florence Blanc-Renaud
06780f4d90 webui tests: fix test_subid suite
The webui test test_subid_range_deletion_not_allowed is
adding a new subid for the admin user but a previous
test already took care of that step.
Remove the call adding the subid.

2nd issue: a given record has to be selected in
order to check that there is no "delete" button.

Fixes: https://pagure.io/freeipa/issue/9214

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-10-19 09:49:04 -04:00
Anuja More
715ee82e3c ipatests : Test query to AD specific attributes is successful.
Test scenario:
configure sssd with ldap_group_name = info for the trusted domain,
so that the group name is read from the "info" attribute
of the AD group entry.
With this setting, it is possible to have a group and a user
that appear on IdM side with the same name.
Ensure that the conflict does not break IdM and that the id,
getent group and getent passwd commands work on an IdM client.

Related : https://pagure.io/freeipa/issue/9127

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-10-18 07:03:29 +02:00
Nikola Knazekova
7b855c602e Exclude installed policy module file from RPM verification
selinux: Update based on latest packaging guide
https://fedoraproject.org/wiki/SELinux/IndependentPolicy

Fixes: https://pagure.io/freeipa/issue/9254

Signed-off-by: Nikola Knazekova <nknazeko@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2022-10-17 15:57:10 +02:00
Sumedh Sidhaye
42f73ea655 With the commit #99a74d7, 389-ds changed the message returned in ipa-healthcheck.
Previously the message was:

"\n\nIn Directory Server, we offer one hash suitable for this "
"(PBKDF2_SHA256) and one hash\nfor \"legacy\" support (SSHA512)."
"\n\nYour configuration does not use these for password storage "
"or the root password storage\nscheme.\n"

but now the message is:

\n\nIn Directory Server, we offer one hash suitable for this "
"(PBKDF2-SHA512) and one hash\nfor \"legacy\" support (SSHA512)."
"\n\nYour configuration does not use these for password storage "
"or the root password storage\nscheme.\n"

PBKDF2_SHA256 has been replaced with PBKDF2-SHA512

Pagure: https://pagure.io/freeipa/issue/9238

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2022-10-12 12:01:27 +02:00
Alexander Bokovoy
22022ae2ff ipaclient: do not set TLS CA options in ldap.conf anymore
OpenLDAP has made it explicit to use default CA store as provided by
OpenSSL in 2016:

	branches 2.5 and later:
	commit 4962dd6083ae0fe722eb23a618ad39e47611429b
	Author: Howard Guo <hguo@suse.com>
	Date:   Thu Nov 10 15:39:03 2016 +0100

	branch 2.4:
	commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8
	Author: Howard Guo <hguo@suse.com>
	Date:   Thu Nov 10 15:39:03 2016 +0100

This means starting with OpenLDAP 2.4.45 we can drop the explicit CA
configuration in ldap.conf.

There are several use cases where an explicit IPA CA should be specified
in the configuration. These mostly concern situations where a higher
security level must be maintained. For these configurations an
administrator would need to add an explicit CA configuration to
ldap.conf if we wouldn't add it during the ipa-client-install setup.

RN: FreeIPA client installer does not add explicit TLS CA configuration
RN: to OpenLDAP's ldap.conf anymore. Since OpenLDAP 2.4.45, explicit CA
RN: configuration is not required as OpenLDAP uses the default CA store
RN: provided by OpenSSL and IPA CA is installed in the default store
RN: by the installer already.

Fixes: https://pagure.io/freeipa/issue/9258

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-10-10 09:50:39 +02:00
Viacheslav Sychov
d33a2523ee fix: Handle /proc/1/sched missing error
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-10 09:48:55 +02:00
Sumit Bose
0ce3ab36b4 ipa-kdb: do not fail if certmap rule cannot be added
Currently if a certificate mapping and matching rule has a typo or is of
an unsupported type the whole rule processing is aborted and the IPA
certmap plugin works without any rules effectively disabling PKINIT for
users. Since each rule would only allow more certificates for PKINIT it
would be more user/admin friendly to just ignore the failed rules with a
log message and continue with what is left or use the default rule if
nothing is left.

This change is done to add more flexibility to define new mapping and
matching templates which are e.g. needed to cover changes planned by
Microsoft as explained in
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-07 17:02:43 +02:00
Stanislav Levin
d4fa80b224 ipapython: Support openldap 2.6
While python-ldap is strict dependency of IPA in downstreams, it
is optional for IPA packages published on PyPI.

Openldap 2.6 no longer ships ldap_r-2, that makes
ipapython.dn_ctypes not working against such environments.

Thanks @abbra!

Fixes: https://pagure.io/freeipa/issue/9255
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-10-06 10:22:26 +02:00
Alexey Tikhonov
147123e6b9 extdom: avoid sss_nss_getorigby*() calls when get*_r_wrapper() returns object from a wrong domain (performance optimization)
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2022-10-04 14:01:56 +02:00
Alexey Tikhonov
b381acb3d0 extdom: make sure result doesn't miss domain part
This is required to ensure that only objects from requested domain
are returned.

Resolves: https://pagure.io/freeipa/issue/9245
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2022-10-04 14:01:56 +02:00
Alexey Tikhonov
f0c26fe094 extdom: internal functions should be static
Fixes following compilation warnings:
```
ipa_extdom_common.c:109:5: warning: no previous prototype for ‘__nss_to_err’ [-Wmissing-prototypes]
  109 | int __nss_to_err(enum nss_status errcode)
      |     ^~~~~~~~~~~~
ipa_extdom_common.c:738:5: warning: no previous prototype for ‘pack_ber_name_list’ [-Wmissing-prototypes]
  738 | int pack_ber_name_list(struct extdom_req *req, char **fq_name_list,
      |     ^~~~~~~~~~~~~~~~~~
```

Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2022-10-04 14:01:56 +02:00
Florence Blanc-Renaud
96cf293f1f ipatests: mark xfail tests using dnssec
In fedora 37+, the signing of DNS zones is failing.
Mark xfail the gating tests impacted by this issue, to avoid
breaking the CI gating when we move to f37.

Related: https://pagure.io/freeipa/issue/9216
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2022-10-04 13:47:48 +02:00
Florence Blanc-Renaud
4a4f7e76da ipatests: mark xfail tests using sssctl domain-status
In fedora 37+, sssctl domain-status is failing.
Mark xfail the gating tests impacted by this issue, to avoid
breaking the CI gating when we move to f37.

Related: https://pagure.io/freeipa/issue/9234
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2022-10-04 13:47:48 +02:00
Florence Blanc-Renaud
43fcfe45f1 Tests: test on f37 and f36
Fedora 37 beta is now available, move the testing pipelines to
- fedora 37 for the _latest definitions
- fedora 36 for the _previous definition

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2022-10-04 13:47:48 +02:00
Alexander Bokovoy
76152e0335 Remove empty translation for 'si' which breaks linter
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00
김인수
6e6a07188b Translated using Weblate (Korean)
Currently translated at 2.9% (140 of 4818 strings)

Translation: freeipa/master
Translate-URL: https://translate.fedoraproject.org/projects/freeipa/master/ko/
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2022-10-02 12:07:20 +03:00