Increase the WSGI daemon worker process count from 2 processes to 5
processes. This allows IPA RPC to handle more parallel requests. The
additional processes increase memory consumption by approximante 250 MB
in total.
Since memory is scarce on 32bit platforms, only 64bit platforms are
bumped to 5 workers.
Fixes: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In Fedora 29, the fedora-domainname.service has been renamed to
nis-domainname.service like on RHEL. The ipaplatform service module for
Fedora now only renames the service, when it detects the presence of
fedora-domainname.service.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1588192
Fixes: https://pagure.io/freeipa/issue/7582
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Require python-lesscpy 0.13. with Python 3 fix and use py3-lesscpy to
compile ipa.css.
python2-lesscpy was the last Python 2 dependency.
Fixes: https://pagure.io/freeipa/issue/7585
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Test checks that no multiservers can be added for
radius proxy
Pagure: https://pagure.io/freeipa/issue/7542
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The command description is taken from python docstring. Thus
commands should have them and should include the callings of
gettext to be translated.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The external_ca job takes about 38 minutes of testing. Split the tests
into TestExternalCA (~17 minutes) and TestSelfExternalSelf +
TestExternalCAInstall (~20 minutes).
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The schema compat plugin is disabled on upgrades but it is
possible that it is not configured at all and this will
produce a rather nasty looking error message.
Check to see if it is configured at all before trying to
disable it.
https://pagure.io/freeipa/issue/6610
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Sometimes named-pkcs11 is not being stopped or reloaded during
uninstall and it causes a lot of problems while testing, for example,
backup and restore tests are failing because of ipa-server-install
fails on checking DNS step.
Fixes backup/restore tests runs. Maybe something else.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Remove with_python3 checks and always build Python 3 packages.
Co-authored-by: Stanislav Laznicka <slaznick@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The specfile now uses three variables to determinate how to handle
Python support.
with_python2: build python2-ipa* packages
with_python3: build python3-ipa* packages
with_default_python: use Python 3 or 2 for commands and packages
"with_default_python=3" is the default build flavor. "with_python3=0"
implies "with_default_python=2". Python 2 packages are still built on
Fedora by default.
The patch also cleans up and fixes additional issues:
* makeapi/makeaci require Python 3
* remove checks for unsupported distros like F27
* sort dependencies and remove duplicates
* remove python3-memcached dependency
* remove svrcore-devel dependency
* don't assume that gcc, make, and pkgconfig are provided by default
* fix packaging bug with ipa-test-* commands. Unversioned ipa-run-test
were packages with Python 2 RPMs although they had a Python 3 shebang.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1565263
Fixes: https://pagure.io/freeipa/issue/7500
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fix 994f71ac8a was incomplete. Under some
circumstancs the DM hash and CA keys were still retrieved from two different
machines.
Custodia client now uses a single remote to upload keys and download all
secrets.
Fixes: https://pagure.io/freeipa/issue/7518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Fixes 2 issues in WebUI tests. One issue is that we are unable to
confirm a dialog by "Enter" keyboard - "actions.click()" helps
here to get focus on the page.
Second issue is probbaly related to screen resolution as we cannot
click to some of the action buttons (buttons which are having issue
varies).
https://pagure.io/freeipa/issue/7583
Reviewed-By: Pavel Picka <ppicka@redhat.com>
The add was in effect replacing whatever data was already there
causing any custom order to be lost on each run of
ipa-server-upgrade.
https://pagure.io/freeipa/issue/6610
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
If this is enabled it can cause a deadlock with SSSD trying
to look up entries and it trying to get data on AD users
from SSSD.
When reading the entry from LDIF try to get the camel-case
nsslapd-pluginEnabled and fall back to the all lower-case
nsslapd-pluginenabled if that is not found. It would be nice
if the fetch function was case sensitive but this is likely
overkill as it is, but better safe than blowing up.
Upon restoring it will always write the camel-case version.
https://pagure.io/freeipa/issue/6721
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The tests listed below are failing and we do not have time to debug them
and understand why. Adding xfail to keep it green.
TestInstallDNSSECLast::test_disable_reenable_signing_master
TestInstallDNSSECLast::test_disable_reenable_signing_replica
TestInstallDNSSECFirst::test_chain_of_trust
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
PR https://github.com/freeipa/freeipa/pull/1747 added the first template
for FreeIPA client package. The template file was added to server
templates, which broke client-only builds.
The template is now part of a new subdirectory for client package shared
data.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa cert_find command has an option called --subject.
The option is documented as --subject=STR Subject.
It is expected that a --subject option searches by X.509 subject field but it does not do so.
It searches for CN not cert subject. Hence changing content of --subject help option.
Resolves: https://pagure.io/freeipa/issue/7322
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The server, replica, and client installer now print the current version
number on the console, before the actual installer starts. It makes it
easier to debug problems with failed installations. Users typically post
the console output in a ticket.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
If the element being removed were not the queue head,
otpd_queue_pop_msgid() would not actually remove the element, leading
to potential double frees and request replays.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
When master is restored from backup and replica1 is re-initialize,
second replica installation was failing. The issue was with ipa-backup
tool which was not backing up the /etc/ipa/custodia/custodia.conf and
/etc/ipa/custodia/server.keys.
related ticket: https://pagure.io/freeipa/issue/7247
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Python 2 doesn't have gzip.decompress(data: bytes) -> bytes function.
Backport the two line function from Python 3.6.
Fixes: https://pagure.io/freeipa/issue/7563
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
We currently accept compressed responses for some Dogtag resources,
via an 'Accept: gzip, deflate' header. But we don't decompress the
received data. Inspect the response Content-Encoding header and
decompress the response body according to its value.
The `gzip.decompress` function is only available on Python 3.2 or
later. In earlier versions, it is necessary to use StringIO and
treat the compressed data as a file. This commit avoids this
complexity. Therefore it should only be included in Python 3 based
releases.
Fixes: https://pagure.io/freeipa/issue/7563
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-restore should validate the DM password before executing
the restoration. This adds two test cases:
1. Restore with a bad DM password
2. Restore with dirsrv down so password cannot be checked
Related: https://pagure.io/freeipa/issue/7136
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The password was only indirectly validated when trying to
disable replication agreements for the restoration.
Only validate the password if the IPA configuration is available
and dirsrv is running.
https://pagure.io/freeipa/issue/7136https://pagure.io/freeipa/issue/7535
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The SQL backend of NSS behaves differently than the DBM backend.
Specifically PK11_UnwrapPrivateKey generates a different CKA_ID. JSS 4.4.4
contains a workaround for broken sub CA replication.
Note: FreeIPA doesn't depend on JSS directly. The version requirement
was added to update JSS to a working version
See: https://bugzilla.redhat.com/show_bug.cgi?id=1583140
Fixes: https://pagure.io/freeipa/issue/7536
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
The site and module configs are split on Debian, server setup needs
to match that.
Fixes: https://pagure.io/freeipa/issue/7554
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
And since Fedora 28 dropped support for non-64bit, hardcode default LIBARCH as 64.
Fixes: https://pagure.io/freeipa/issue/7555
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
kadmind doesn't start without it, and Debian doesn't ship it by default.
Fixes: https://pagure.io/freeipa/issue/7553
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
OpenLDAP has deprecated PORT and HOST stanzes in ldap.conf. The presence
of either option causes FreeIPA installation to fail. Refuse
installation when a deprecated and unsupported option is present.
Fixes: https://pagure.io/freeipa/issue/7418
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Common LDAP code from ipa-getkeytab and ipa-join are moved to libutil.a.
The common ipa_ldap_init() and ipa_tls_ssl_init() set the same options
as ldap_initialize()
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
LDAP connections no longer depend on sane settings in global ldap.conf
and use good default settings for cert validation, CA, and SASL canonization.
https://pagure.io/freeipa/issue/7418
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
A ref counting bug in python-ldap caused create and retrieve keytab
feature to fail. Additional tests verify, that
ipaallowedtoperform;write_keys attribute is handled correctly.
See: https://pagure.io/freeipa/issue/7324
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a test for issue 7526: install a client with a bulk enrollment
password, enrolling to an externally-signed CA master.
Without the fix, the master does not publish the whole cert chain
in /usr/share/ipa/html/ca.crt. As the client installer downloads the
cert from this location, client installation fails.
With the fix, the whole cert chain is available and client installation
succeeds.
The test_external_ca.py::TestExternalCA now requires 1 replica and 1
client, updated .freeipa-pr-ci.yaml accordingly.
Also removed the annotation @tasks.collect_logs from test_external_ca
as it messes with test ordering (and the test collects logs even
without this annotation).
Related to:
https://pagure.io/freeipa/issue/7526
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When IPA is installed with an externally signed CA, the master installer
does not publish the whole cert chain in /usr/share/ipa/html/ca.crt (but
/etc/ipa/ca.crt contains the full chain).
If a client is installed with a One-Time Password and without the
--ca-cert-file option, the client installer downloads the cert chain
from http://master.example.com/ipa/config/ca.crt, which is in fact
/usr/share/ipa/html/ca.crt. The client installation then fails.
Note that when the client is installed by providing admin/password,
installation succeeds because the cert chain is read from the LDAP server.
https://pagure.io/freeipa/issue/7526
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The concensus in the review was that the name test_commands was
more generic than test_ipa_cli.
Add a test to change the password for sysaccount users using
using ldappasswd to confirm that a segfault fix does not regress.
https://pagure.io/freeipa/issue/7561
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This was causing ns-slapd to segfault in the password plugin.
https://pagure.io/freeipa/issue/7561
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa-backup and ipa-restore now use GnuPG 2 for asymmetric encryption, too.
The gpg2 command behaves a bit different and requires a gpg2 compatible
config directory. Therefore the --keyring option has been deprecated.
The backup and restore tools now use root's GPG keyring by default.
Custom configuration and keyring can be used by setting GNUPGHOME
environment variables.
Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The /usr/bin/gpg command is old, legacy GnuPG 1.4 version. The
recommended version is GnuPG 2 provided by /usr/bin/gpg2. For simple
symmentric encryption, gpg2 is a drop-in replacement for gpg.
Fixes: https://pagure.io/freeipa/issue/7560
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
python-ldap 3.1.0 fixes a segfault caused by a reference counting bug.
See: https://pagure.io/freeipa/issue/7324
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Error response used to contain bytes instead of text, which triggered an
exception.
See: https://pagure.io/freeipa/issue/5923
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>