IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
18,319 Commits 11 Branches 60 Tags
614a84da0040489a11d308d0334d480ed0f1a640
Commit Graph

18319 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Timo Aaltonen
614a84da00 control: Drop obsolete depends on python3-nss. 2020-12-03 17:30:43 +02:00
Timo Aaltonen
f0ca9df328 bump krb5 deps properly 2020-11-23 20:53:30 +02:00
Timo Aaltonen
e0b7f7cb78 releasing package freeipa version 4.8.10-2 debian/4.8.10-2 2020-11-23 20:49:03 +02:00
Timo Aaltonen
54824b32e5 control: Rebuild against new krb5. 2020-11-23 20:44:57 +02:00
Timo Aaltonen
165b649d05 Move ipa-epn service to -client-epn package. 2020-10-01 13:53:49 +03:00
Timo Aaltonen
aac67a17a7 client: Drop obsolete nssdb migration, which is now causing an error. (Closes: #971363) 2020-09-29 18:01:20 +03:00
Timo Aaltonen
0d0ccc773c releasing package freeipa version 4.8.10-1 debian/4.8.10-1 2020-09-28 13:12:34 +03:00
Timo Aaltonen
b47b82b9df refresh pkcs11-openssl-for-bind.diff 2020-09-28 11:42:37 +03:00
Timo Aaltonen
e8987b4be7 bump the version 2020-09-28 11:05:05 +03:00
Timo Aaltonen
ee25a47cd9 Merge branch 'upstream' 2020-09-28 11:04:33 +03:00
Alexander Bokovoy
a44bb2e068 Become IPA 4.8.10 
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
 2020-09-26 10:57:07 +03:00
Timo Aaltonen
1b34abd605 CI relax bind-dyndb-ldap dep 2020-09-25 11:47:56 +03:00
Timo Aaltonen
cde5e9976d freeipa-client-epn.install: Add epn.conf. 2020-09-25 11:18:59 +03:00
Timo Aaltonen
77045522ed fix-chrony-service-name.diff: Map to correct chrony service name. (Closes: #968428) 2020-09-25 11:18:59 +03:00
Timo Aaltonen
67f42f902a control, pkcs11-openssl-for-bind.diff: Add support for bind 9.16. (LP: #1874568) 2020-09-25 11:18:43 +03:00
Serhii Tsymbaliuk
090a222879 WebUI: Fix jQuery DOM manipulation issues 
The commit includes the following jQuery patches:
- Manipulation: Make jQuery.htmlPrefilter an identity function
  (https://github.com/jquery/jquery/pull/4642)
- Manipulation: Skip the select wrapper for <option> outside of IE 9
  (https://github.com/jquery/jquery/pull/4647)

In addition there is included a script that helps to patch and build
the new version of jQuery:

  $ install/ui/util/make-jquery.js 3.4.1

Ticket: https://pagure.io/freeipa/issue/8507

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2020-09-24 20:39:55 +02:00
Christian Heimes
87e5c0500b Fix nsslapd-db-lock tuning of BDB backend 
nsslapd-db-lock was moved from cn=config,cn=ldbm database,cn=plugins,cn=config
entry to cn=bdb subentry. Manual patching of dse.ldif was no longer
working. Installations with 389-DS 1.4.3 and newer are affected.

Low lock count can affect performance during high load, e.g. mass-import
of users or lots of concurrent connections.

Bump minimal DS version to 1.4.3. Fedora 32 and RHEL 8.3 have 1.4.3.

Fixes: https://pagure.io/freeipa/issue/8515
See: https://pagure.io/freeipa/issue/5914
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
 2020-09-24 18:07:55 +02:00
Rob Crittenden
7cfd03db48 Test that ccaches are cleaned up during installation 
Create a random file and directory in the ccaches directory
prior to installation then confirm that they were removed.

https://pagure.io/freeipa/issue/8248

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
 2020-09-24 11:35:32 +02:00
Rob Crittenden
ade428f519 Clean up entire /run/ipa/ccaches directory not just files 
If there are any sub-directories in the ccaches directory
then cleaning it up will fail.

Instead remove the whole directory and allow systemd-tmpfiles
to re-create it.

https://pagure.io/freeipa/issue/8248

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
 2020-09-24 11:35:32 +02:00
Rob Crittenden
8255bc7b92 Reduce the memory requirement from 1.6 to 1.2 GB 
We know from practical experience in PR-CI and Azure that 1.2
is the absolute minimum necessary for a base installation.

https://pagure.io/freeipa/issue/8404

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
 2020-09-24 10:38:42 +02:00
Christian Heimes
3b3cb99dc1 Create systemd-resolved configuration on update 
Create systemd-resolved drop-in and restart the service when the drop-in
config file is missing and /etc/resolv.conf points to stub resolver
config file.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2020-09-24 09:04:01 +02:00
Christian Heimes
c67aba230f Configure systemd-resolved to use IPA's BIND 
IPA installer now instructs systemd-resolved to use IPA's BIND DNS
server as primary DNS server.

Fixes: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2020-09-24 09:04:01 +02:00
Christian Heimes
6dc5566c7b Use new API for auto-forwarders 
Auto-forwarders and manual configuration now use the new API to get a
list of DNS servers. Manual installer refuses loopback, too.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2020-09-24 09:04:01 +02:00
Christian Heimes
d6827f52b6 Configure NetworkManager to use systemd-resolved 
zzz-ipa.conf now enables NetworkManager's systemd-resolved plugin when
systemd-resolved is detected.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2020-09-24 09:04:01 +02:00
Christian Heimes
489ddc6d87 Add helpers for resolve1 and nameservers 
detect_resolve1_resolv_conf() detects if systemd-resolved is enabled and
manages /etc/resolv.conf.

get_resolve1_nameservers() gets upstream DNS servers from
systemd-resolved's D-Bus interface.

get_dnspython_nameservers() gets upstream DNS servers from
/etc/resolv.conf via dns.python.

get_nameservers() gets a list of unique, non-loopback DNS server IP
addresses.

Also fixes setup.py to include D-Bus for ipalib instead of ipapython.

See: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2020-09-24 09:04:01 +02:00
Christian Heimes
202d7da8df Delay import of psutil to avoid AVC 
Commit cfad7af35d added a check to ensure a
system has sufficient amount of memory. The feature uses psutil to get
available memory. On import psutil opens files in /proc which can result in
an SELinux violations and Python exception.

     PermissionError: [Errno 13] Permission denied: '/proc/stat'

Fixes: https://pagure.io/freeipa/issue/8512
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2020-09-24 08:22:18 +02:00
Christian Heimes
439170633f Make git a build requirement 
FreeIPA uses git in its build process. In the past git was automatically
pulled in. On Fedora 33 builds are failing because git is missing.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2020-09-24 08:15:35 +02:00
Zdenek Pytela
c029eb7e73 Add ipa_pki_retrieve_key_exec() interface 
The ipa_pki_retrieve_key_exec() interface is needed to allow other
domains execute ipa-pki-retrieve-key.

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
 2020-09-23 21:48:05 +02:00
François Cami
58c3343a67 SELinux: do not double-define node_t and pki_tomcat_cert_t 
node_t and pki_tomcat_cert_t are defined in other modules.
Do not double-define them.

Fixes: https://pagure.io/freeipa/issue/8513
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
 2020-09-23 18:37:35 +02:00
Rob Crittenden
80f66b751f Require a matching server package for the selinux subpackage 
Ensure that the selinux subpackage is upgraded along with the
rest of IPA if it is built.

https://pagure.io/freeipa/issue/8511

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
 2020-09-22 22:50:15 -04:00
François Cami
6a31605c1d SELinux Policy: Allow tomcat_t to read kerberos keytabs 
This is required to fix:
avc: denied  { search } for  pid=1930 comm="ipa-pki-retriev" name="krb5" dev="dm-0" ino=8620822 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:krb5_keytab_t:s0 tclass=dir permissive=0

Macros suggested by: Ondrej Mosnacek

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
 2020-09-22 23:41:35 +02:00
François Cami
7ad0484124 SELinux Policy: make interfaces for kernel modules non-optional 
Interfaces for kernel modules do not need to be in an optional module.
Also make sure ipa_custodia_t can log.
Suggested by Lukas Vrabec.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
 2020-09-22 23:41:35 +02:00
François Cami
25cf7af0d4 SELinux Policy: flag ipa_pki_retrieve_key_exec_t as domain_type 
Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
 2020-09-22 23:41:35 +02:00
François Cami
0518c63768 SELinux Policy: ipa_custodia_pki_tomcat_exec_t => ipa_custodia_pki_tomcat_t 
ipa_custodia_pki_tomcat_exec_t was granted java_exec by mistake ; replace by
ipa_custodia_pki_tomcat_t.
As suggested by Ondrej Mosnáček.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
 2020-09-22 23:41:35 +02:00
François Cami
310dbd6eec SELinux Policy: ipa_pki_retrieve_key_exec_t => ipa_pki_retrieve_key_t 
Grant pki_manage_tomcat_etc_rw to ipa_pki_retrieve_key_t instead of
ipa_pki_retrieve_key_exec_t.
As suggested by Ondrej Mosnáček.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
 2020-09-22 23:41:35 +02:00
François Cami
c126610ea6 SELinux Policy: let custodia_t map custodia_tmp_t 
This is used by the JVM perf counters.

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
 2020-09-22 23:41:35 +02:00
François Cami
5a5962426d SELinux: Add dedicated policy for ipa-pki-retrieve-key 
Add proper labeling, transition and policy for ipa-pki-retrieve-key.
Make sure tomcat_t can execute ipa-pki-retrieve-key.

Fixes: https://pagure.io/freeipa/issue/8488
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
 2020-09-22 23:41:35 +02:00
François Cami
52929cbadf ipatests: enhance TestSubCAkeyReplication 
enhance the test suite so that it covers:
- deleting subCAs (disabling them first)
- checking what happens when creating a dozen+ subCAs at a time
- adding a subCA that already exists and expect failure

Related: https://pagure.io/freeipa/issue/8488
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-By: Lukas Vrabec <lvrabec@redhat.com>
Reviewed-By: Zdenek Pytela <zpytela@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
 2020-09-22 23:41:35 +02:00
Florence Blanc-Renaud
707823a370 test_smb: skip test_smb_service_s4u2self for fed31 
The test test_integration/test_smb.py::TestSMB::test_smb_service_s4u2self
is expected to fail in Fedora <= 31 as it requires krb >= 1.18
that is shipped from fedora 32 only.

Skip the test depending on the fedora version.

Fixes: https://pagure.io/freeipa/issue/8505
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2020-09-22 08:39:57 +02:00
Christian Heimes
d7f39287da Duplicate CA CRT: ignore expected cert 
When search for duplicate CA certs ignore the one expected entry.

Related: https://pagure.io/freeipa/issue/7125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
 2020-09-21 18:11:00 -04:00
François Cami
97c6d2d2c2 dogtaginstance.py: add --debug to pkispawn 
Since commits:
0102d836f4
de217557a6
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.

Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2020-09-17 18:43:24 +02:00
François Cami
d1c860e59b ipatests: check that pkispawn log is not empty 
Since commits:
0102d836f4
de217557a6
pkispawn will not honor the pki_log_level configuration item.
All 10.9 Dogtag versions have these commits.
This affects FreeIPA in that it makes debugging Dogtag installation issues next
to impossible.
Adding --debug to the pkispawn CLI is required to revert to the previous
behavior.
Therefore check that the log is not empty and contains DEBUG+INFO lines.

Fixes: https://pagure.io/freeipa/issue/8503
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2020-09-17 18:43:24 +02:00
Timo Aaltonen
0610bcd0f3 bump the version 2020-09-17 12:24:48 +03:00
Timo Aaltonen
b84efa8282 Merge branch 'master' into m 2020-09-17 12:23:49 +03:00
Timo Aaltonen
97c3d017e2 Merge tag 'release-4-8-8' into m 
Tagging FreeIPA 4.8.8
 2020-09-17 12:23:43 +03:00
Christian Heimes
672fe14dfa Add krbPrincipalName pres index correctly 
See: 20b55f4017
See: https://pagure.io/freeipa/issue/8491
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 2020-09-16 11:17:54 +02:00
Armando Neto
02698275bc ipatests: Add nightly definitions for enforcing mode 
Duplicates the scenario for nightly_ipa-4-8_latest.yaml and
sets `selinux_enforcing` parameter as True.

Indentation for all definitions have been fixed.

Issue: freeipa/freeipa-pr-ci#391

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
 2020-09-15 14:59:37 -03:00
Rob Crittenden
53a952f0cb Add index for more trust-related attributes 
Add index for ipaNTTrustPartner, ipaNTSecurityIdentifier and
krbprincipalname

https://pagure.io/freeipa/issue/8491

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2020-09-14 19:02:22 -04:00
Rob Crittenden
a572df9616 ipatests: Add test for ACI attribute and permission uniqueness 
https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2020-09-14 19:01:37 -04:00
Rob Crittenden
939a72f47c Use ACI class set_permissions() method to set permissions 
This will ensure uniqueuess and that the ACI has the right
datatype without the caller worrying about it.

https://pagure.io/freeipa/issue/8443

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 2020-09-14 19:01:37 -04:00