Commit Graph

15527 Commits

Author SHA1 Message Date
Jarl Gullberg
5a0eed0b1a ipaplatform/debian: fix path to ldap.so
bind-dyndb-ldap on Debian installs ldap.so in a subdirectory of
/usr/lib to prevent unintentional usage of an unversioned .so.
The default settings for FreeIPA on Debian used an incomplete
path, resulting in a failure to find ldap.so when bind attempts to
start with bind-dyndb-ldap configured.

This fixes the default path to use the appropriate location in its
multiarch-qualified path.

Signed-off-by: Jarl Gullberg <jarl.gullberg@gmail.com>
Reviewed-By: Timo Aaltonen <tjaalton@ubuntu.com>
2023-04-04 09:35:49 -04:00
Jarl Gullberg
a59f6e00d9 install: Fix missing dyndb keytab directive
bind-dyndb-ldap uses the krb5_keytab directive to set the path to
the keytab to use. This directive was not being used in the
configuration template, resulting in a failure to start named if
the keytab path differed from the defaults.

This issue was discovered when packaging FreeIPA for Debian,
which is one of the platforms where the path is customized.

Signed-off-by: Jarl Gullberg <jarl.gullberg@gmail.com>
Fixes: https://pagure.io/freeipa/issue/9344
Reviewed-By: Timo Aaltonen <tjaalton@ubuntu.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-04-03 16:58:27 -04:00
Antonio Torres
c553e3ceb2 doc: allow notes on Param API Reference pages
The notes that Param pages will contain after #6733 are added manually,
and because of it we need to add markers to differentiate between
automated and manual content, equal to what we do for class pages.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-03-29 10:53:25 +02:00
Alexander Bokovoy
3721bca657 ipalib/x509: Implement abstract method Certificate.verify_directly_issued_by
Added in Python Cryptography 40.0
Thanks to @tiran for the code

Fixes: https://pagure.io/freeipa/issue/9355

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-03-29 10:45:07 +02:00
Stanislav Levin
d32c640df0 fastlint: Correct concatenation of file lists
`printf` ignores excessive arguments unused in formatting.
This resulted in only the first file from two file lists was
linted/ stylechecked if both Python template files and Python
modules were changed.

Make use of formatting instead:
> The format is reused as necessary to consume all of the arguments

Fixes: https://pagure.io/freeipa/issue/9318
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-03-24 11:49:23 +01:00
Florence Blanc-Renaud
07fe877525 ipatests: increase timeout for test_trust
The timeout for test_trust is too short (6000s) and
the nightly tests often fail. Increase to 7200s.

Fixes: https://pagure.io/freeipa/issue/9326

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2023-03-24 09:28:43 +01:00
Antonio Torres
05279ef447 ipaserver: deepcopy objectclasses list from IPA config
We need to deepcopy the list of default objectlasses from IPA config
before assigning it to an entry, in order to avoid further modifications of the
entry affect the cached IPA config.

Fixes: https://pagure.io/freeipa/issue/9349
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2023-03-23 10:12:44 +01:00
Anuja More
1cca609857 ipatests: Test that non admin user can search hbac rule.
Related : https://pagure.io/freeipa/issue/5130

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-03-22 16:52:49 +01:00
Alexander Bokovoy
3f9d9b2626 Fix tox in Azure CI
Fixes: https://pagure.io/freeipa/issue/9347

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-03-21 16:54:28 +01:00
Alexander Bokovoy
ebac8f6f9b Use system-wide chromium for webui tests
Fixes: https://pagure.io/freeipa/issue/9347

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-03-21 16:54:28 +01:00
Alexander Bokovoy
779aa6bc11 Don't fail if optional RPM macros file is missing
With fix for https://pagure.io/freeipa/issue/7951 we started to modify
RPM macros in Azure CI environment. Don't fail if the file does not
exist anymore like it happens now in Fedora.

Fixes: https://pagure.io/freeipa/issue/9347

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-03-21 16:54:28 +01:00
Erik Belko
4acd9fe9f7 ipatests: Test MemberManager ACI to allow managers from a specified group after upgrade scenario
Testing if manager whose rights defined by the group membership
is able to add group members, after upgrade of ipa server.
Using ACI modification to demonstrate unability before upgrading
ipa server.
Related: https://pagure.io/freeipa/issue/9286

Also added some generally helpful functions to tasks.py

Signed-off-by: Erik Belko <ebelko@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-03-15 09:45:08 +01:00
Anuja More
35c36f9b4e ipatests: Test ipa-advise is not failing with error.
The ipa-advise command should not fail
with error in command.

Related: https://pagure.io/freeipa/issue/6044

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
2023-03-14 13:49:09 +01:00
Florence Blanc-Renaud
5dba2aa466 ipatests: adapt for new automembership fixup behavior
The automembership fixup task now needs to be called
with --cleanup argument when the user expects automember
to remove user/hosts from automember groups.
Update the test to call create a cleanup task equivalent to
dsconf plugin automember fixup --cleanup
when it is needed.

Fixes: https://pagure.io/freeipa/issue/9313
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-03-14 09:39:17 +01:00
Thorsten Scherf
2aeb963fc9 external-idp: change idp server name to reference name
When you  run "ipa idp-show <idp reference>" the IdP reference is shown
as "Identity Provider server name". This is confusing as we are pointing
to the earlier created IdP reference rather than a server.  Other files
are updated as well to reflect this change.

Additionally some typos are fixed with this patch too.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-03-03 05:08:02 +01:00
Carla Martinez
16b3977119 Update 'Auth indicators' doc string
The doc string located in the 'Authentication
indicators' ('Services' settings page) was
missing the usage explanation for the 'ipd'
checkbox option.

Fixes: https://pagure.io/freeipa/issue/9338
Signed-off-by: Carla Martinez <carlmart@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-03-02 15:25:44 -05:00
Stanislav Levin
1420599165 dns: Fix support for dnspython 1.1x
`nameservers` was transformed into the property in dnspython 2:
bbf0cfd239

This causes
> AttributeError: type object 'Resolver' has no attribute 'nameservers'
on the previous dnspython 1.1x.

Fixes: https://pagure.io/freeipa/issue/9339
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-03-02 10:06:04 -05:00
Rafael Guterres Jeffman
02b0e46b7f Migrated to SPDX license.
According to [1] all Fedora packages need to be updated to use a SPDX
expression. This patch updates the freeipa spec template to comply with
this change.

[1] https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1

Fixes: https://pagure.io/freeipa/issue/9342

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-03-02 05:03:41 +01:00
Christian Heimes
074c2f5421 Don't block when kinit_pkinit() fails
Installation of ipa-client with PKINIT authentication can block when
there is a problem with PKINIT, e.g. KDC does not accept the cert or the
anchor chain is incomplete. `kinit` falls back to password
authentication and asks the user to enter a password.

`kinit` does not have an option to force non-interactive mode. Sending
`\n` to stdin seems to be the only solution here.

Fixes: https://pagure.io/freeipa/issue/9333
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2023-02-28 17:23:02 -05:00
Florence Blanc-Renaud
9ee16e8acc ipatests: increase timeout for test_acme
The test test_integration/test_acme.py times out frequently
and has a current timeout set to 2h, which is roughly
the average time for a successful run.

Increase by 15 minutes, so that even the tests requiring
packages update have enough time (for instance rawhide
run needs to update all the packages to the latest version).

Also create a separate job for the new test TestACMEPrune.

Fixes: https://pagure.io/freeipa/issue/9324

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-02-22 15:47:26 +01:00
mbhalodi
14a3d85a15 ipatests: WebUI - ensure that ipa automember-rebuild prints a warning
ipa automember-rebuild now prints a warning about CPU usage
in the WebUI. Ensure that the warning is properly displayed.

Related: https://pagure.io/freeipa/issue/9320

Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2023-02-22 09:16:30 +01:00
Mohammad Rizwan
e76b219c21 ipatests: fix tests in TestACMEPrune
When cron_minute + 5 > 59, cron job throwing error for it.
i.e 58 + 5 = 63 which is not acceptable value for cron minute.

Second fix is related to mismatch of confing setting and corresponding
assert.

Third fix is related to extending time by 60 minutes to properly
expire the certs.

related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-21 15:19:02 +01:00
Rob Crittenden
50d40b5a9f doc: Update pruning design with implement enable/disable options
Instead of passing TRUE/FALSE to a single --enable option
use two flags instead, which IMHO is clearer.

So --enable=TRUE to --enable and --enable=FALSE to --disable

Fixes: https://pagure.io/freeipa/issue/9323

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-20 10:43:17 +01:00
mbhalodi
6a809ff58f ipatests: ensure that ipa automember-rebuild prints a warning
ipa automember-rebuild now prints a warning about CPU usage.
Ensure that the warning is properly displayed.

Related: https://pagure.io/freeipa/issue/9320

Signed-off-by: mbhalodi <mbhalodi@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-18 09:04:20 +01:00
David Pascual
b0636c5408 doc: Use case examples for PR-CI checker tool
This document showcases common usecases for the user to
interact with the PR-CI checker tool.

Signed-off-by: David Pascual <davherna@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-02-18 09:02:27 +01:00
Stanislav Levin
64fa6b7241 tests: webui: Update vendored qunit
Updated qunit to latest supported version from
https://code.jquery.com/qunit.

See https://qunitjs.com/intro/#release-channels for details.

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-17 09:44:53 +01:00
Stanislav Levin
8d634d8abf AP: webui: List installed nodejs packages
It's helpful for debugging regressions.

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-17 09:44:53 +01:00
Stanislav Levin
a7e13f9719 tests: webui: Load qunit only once
webui unit tests fail with grunt-contrib-qunit:
```
Testing test/all_tests.html

>> Error: Error: QUnit has already been defined.
>>     at exportQUnit (file:///home/test/freeipa/install/ui/js/qunit.js:2475:12)
>>     at file:///home/test/freeipa/install/ui/js/qunit.js:2946:3
>>     at file:///home/test/freeipa/install/ui/js/qunit.js:5061:2

>> Error: TypeError: Cannot set properties of undefined (setting 'reorder')
>>     at <anonymous>:175:24
>>     at runFactory (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:17157)
>>     at execModule (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19541)
>>     at file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:20002
>>     at guardCheckComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19707)
>>     at checkComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19854)
>>     at onLoadCallback (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:22296)
>>     at HTMLScriptElement.onLoad (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:26209)
```

Load `qunit` with `dojo.require` that among other useful things helps
> Preventing loading Dojo packages twice.
  dojo.require will simply return if the package is already loaded.

See also https://github.com/gruntjs/grunt-contrib-qunit#loading-qunit-with-amd

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-17 09:44:53 +01:00
Stanislav Levin
5c35405e78 tests: webui: Allow file access from files in tests
https://peter.sh/experiments/chromium-command-line-switches/#allow-file-access-from-files
> By default, file:// URIs cannot read other file:// URIs. This is an
  override for developers who need the old behavior for testing.

Fixes webui tests on CI:
```
Testing test/all_tests.html
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/qunit.js' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/data/i18n_messages.json' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
>> Error: Error: Couldn't receive translations
```

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-17 09:44:53 +01:00
Anuja More
8d92546447 PRCI: update test_trust.py for nightly pipelines.
test_integration/test_trust.py is divided into two parts.
1: class TestTrust
2: class TestNonPosixAutoPrivateGroup, class TestPosixAutoPrivateGroup

Fixes: https://pagure.io/freeipa/issue/9326

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-15 08:26:44 +01:00
Mohammad Rizwan
828f6e7c92 ipatests: tests for certificate pruning
1. Test to prune the expired certificate by manual run
2. Test to prune expired certificate by cron job
3. Test to prune expired certificate with retention unit option
4. Test to prune expired certificate with search size limit option
5. Test to check config-show command shows set param
6. Test prune command shows proper status after disabling the pruning

related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-02-13 14:30:05 -05:00
Anuja More
0b762d2b2a Add test for SSH with GSSAPI auth.
Added test for aduser with GSSAPI authentication.

Related : https://pagure.io/freeipa/issue/9316

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-02-09 14:29:38 -05:00
Alexander Bokovoy
0c32ebf858 ipa-kdb: PAC consistency checker needs to handle child domains as well
When PAC check is performed, we might get a signing TGT instead of the
client DB entry. This means it is a principal from a trusted domain but
we don't know which one exactly because we only have a krbtgt for the
forest root. This happens in MIT Kerberos 1.20 or later where KDB's
issue_pac() callback never gets the original client principal directly.

Look into known child domains as well and make pass the check if both
NetBIOS name and SID correspond to one of the trusted domains under this
forest root. Move check for the SID before NetBIOS name check because we
can use SID of the domain in PAC to find out the right child domain in
our trusted domains' topology list.

Fixes: https://pagure.io/freeipa/issue/9316

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-02-09 14:29:38 -05:00
Rob Crittenden
c38546d085 Wipe the ipa-ca DNS record when updating system records
If a server with a CA has been marked as hidden and
contains the last A or AAAA address then that address
would remain in the ipa-ca entry.

This is because update-dns-system-records did not delete
values, it just re-computed them. So if no A or AAAA
records were found then the existing value was left.

Fixes: https://pagure.io/freeipa/issue/9195

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
2023-02-09 14:24:14 -05:00
Rob Crittenden
724c8314b5 Fix setting values of 0 in ACME pruning
Replace comparisons of "if value" with "if value is not None"
in order to handle 0.

Add a short reference to the man page to indicat that a cert
or request retention time of 0 means remove at the next
execution.

Also indicate that the search time limit is in seconds.

Fixes: https://pagure.io/freeipa/issue/9325

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-02-09 13:28:23 -05:00
Chris Kelley
614d3bd9c0 Check that CADogtagCertsConfigCheck can handle cert renewal
Renewal causes two certs to have the same nickname. Dogtag is
patched to allow for N certs with the same nickname, and this test
is to verify that CADogtagCertsConfigCheck still passes.

Related: https://github.com/dogtagpki/pki/pull/4285
Signed-off-by: Chris Kelley <ckelley@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-02-09 10:22:07 -05:00
Antonio Torres
a2667b249e API doc: add usage guides for groups, HBAC and sudo rules
Include guides with examples for groups, HBAC and sudo rules management.
These cover most of available commands related to these topics.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-02-08 14:20:38 -05:00
Antonio Torres
53f7a44c5c API doc: add note about ipa show-mappings to usage guide
As discussed in PR #6664, `ipa show-mappings` can be used as a handy way to list
command arguments and options directly through the CLI.

Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-02-07 13:37:20 -05:00
Rob Crittenden
414b5fe352 tests: add wrapper around ACME RSNv3 test
This test is located outside of the TestACMEPrune because
it enables RSNv3 while the server installed by TestACME doesn't.

It still needs a wrapper to enforce a version of PKI that
supports pruning because that is checked first in the tool.
Re-ordering that wouldn't be a good user experience.

https://pagure.io/freeipa/issue/9322

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-04 17:10:51 +01:00
David Pascual
07927b21ba ipatests: fix (prci_checker) duplicated check & error return code
Fix 1: timeout field was being checked twice and did not return fail code on error

Fix 2: Tool did not return error code on single file check unsuccessful run

Signed-off-by: David Pascual <davherna@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-02-03 08:29:46 -05:00
Rob Crittenden
7d1d91fc86 doc: add the --run command for manual job execution
A manual method was mentioned with no specificity. Include
the --run command. Also update the troubleshooting section
to show what failure to restart the CA after configuration
looks like.

Import the IPA CA chain for manual execution.

Also fix up some $ -> # to indicate root is needed.

Related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-02 07:36:16 +01:00
Rob Crittenden
78298fd4e1 ipa-acme-manage: add certificate/request pruning management
Configures PKI to remove expired certificates and non-resolved
requests on a schedule.

This is geared towards ACME which can generate a lot of certificates
over a short period of time but is general purpose. It lives in
ipa-acme-manage because that is the primary reason for including it.

Random Serial Numbers v3 must be enabled for this to work.

Enabling pruning enables the job scheduler within CS and sets the
job user as the IPA RA user which has full rights to certificates
and requests.

Disabling pruning does not disable the job scheduler because the
tool is stateless. Having the scheduler enabled should not be a
problem.

A restart of PKI is required to apply any changes. This tool forks
out to pki-server which does direct writes to CS.cfg. It might
be easier to use our own tooling for this but this makes the
integration tighter so we pick up any improvements in PKI.

The "cron" setting is quite limited, taking only integer values
and *. It does not accept ranges, either - or /.

No error checking is done in PKI when setting a value, only when
attempting to use it, so some rudimentary validation is done.

Fixes: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden rcritten@redhat.com
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-02 07:36:16 +01:00
Florence Blanc-Renaud
5154f8e639 automember-rebuild: add a notice about high CPU usage
The automember-rebuild task may require high CPU usage
if many users/hosts/groups are processed.
Add a note in the ipa automember-rebuild CLI output
and in the WebUI confirmation message.

Fixes: https://pagure.io/freeipa/issue/9320
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2023-02-02 07:33:36 +01:00
Stanislav Levin
2996cc8eae tests: Configure DNSResolver as platform agnostic resolver
Avoid reading platform specific `/etc/resolv.conf` in `TestDNSResolver`
unit tests. Systems (e.g. sandboxes) may not have `/etc/resolv.conf`
or this file may not contain any configured name servers.

`TestDNSResolver` unit tests check only customized `nameservers`
property and should not depend on existence of `/etc/resolv.conf`.

Resolver accepts `configure` option.
https://dnspython.readthedocs.io/en/latest/resolver-class.html :
> configure, a bool. If True (the default), the resolver instance is
  configured in the normal fashion for the operating system the resolver
  is running on. (I.e. by reading a /etc/resolv.conf file on POSIX
  systems and from the registry on Windows systems.)

Fixes: https://pagure.io/freeipa/issue/9319
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-01 17:49:43 +01:00
Rob Crittenden
6897ad9972 tests: Add new ipa-ca error messages to IPADNSSystemRecordsCheck
freeipa-healthcheck changed some messages related to ipa-ca
DNS record validation in IPADNSSystemRecordsCheck. Include support
for it and retain backwards compatibility.

Fixes: https://pagure.io/freeipa/issue/9291

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-01 11:00:57 +01:00
Rob Crittenden
bf9797f27b tests: Add ipa_ca_name checking to DNS system records
freeipa-healthcheck 0.12 includes a SUCCESS message if the
ipa-ca records are as expected so a user will know they
were checked. For that version and beyond test that it
is included.

Related: https://pagure.io/freeipa/issue/9291

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2023-02-01 11:00:57 +01:00
Stanislav Levin
a5c99a6b04 spec: Drop no longer used build dependency on paste
With ff6e701b00 it was replaced
with `werkzeug`.

https://pypi.org/project/Paste/
> Paste is in maintenance mode and recently moved from bitbucket to
  github. Patches are accepted to keep it on life support, but for the
  most part, please consider using other options.

Fixes: https://pagure.io/freeipa/issue/9314
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-01-31 09:57:24 -05:00
Stanislav Levin
203b7d1cb5 ipatests: healthcheck: Handle missing fips-mode-setup
freeipa-healthcheck prechecks existance of `fips-mode-setup` and
reports if it's missing:
> "fips": "missing /bin/fips-mode-setup"

Fixes: https://pagure.io/freeipa/issue/9315
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-01-30 15:26:24 -05:00
Rob Crittenden
5d9f59038d doc: Design for certificate pruning
This describes how the certificate pruning capability of PKI
introduced in v11.3.0 will be integrated into IPA, primarily for
ACME.

Related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2023-01-26 17:31:26 -05:00
Florence Blanc-Renaud
07975b52c3 trust-add: handle missing msSFU30MaxGidNumber
When ipa trust-add is executed with --range-type ad-trust-posix,
the server tries to find the max uidnumber and max gidnumber
from AD domain controller.
The values are extracted from the entry
CN=<domain>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,<AD suffix>
in the msSFU30MaxUidNumber and msSFU30MaxGidNumber attributes.

msSFU30MaxUidNumber is required but not msSFU30MaxGidNumber.
In case msSFU30MaxGidNumber is missing, the code is currently assigning
a "None" value and later on evaluates the max between this value and
msSFU30MaxUidNumber. The max function cannot compare None and a list
of string and triggers an exception.

To avoid the exception, assign [b'0'] to max gid if msSFU30MaxGidNumber
is missing. This way, the comparison succeeds and max returns the
value from msSFU30MaxUidNumber.

Fixes: https://pagure.io/freeipa/issue/9310
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-01-25 15:23:29 +01:00