The backup/restore tests are calling 'id admin' after restore
to make sure that the user name can be resolved after a restore.
The test should wait for SSSD backend to become online before
doing any check, otherwise there is a risk that the call to
'id admin' fails.
Fixes: https://pagure.io/freeipa/issue/8228
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
The SELinux policy defines file contexts that are also used by clients,
e.g. /var/log/ipa/. Make freeipa-selinux a dependency of freeipa-common.
Related: https://pagure.io/freeipa/issue/6891
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-custodia is an internal service for IPA. The upstream SELinux policy
has a separate module for ipa_custodia. Fold the current policy from
Fedora rawhide into ipa's SELinux policy.
Related: https://pagure.io/freeipa/issue/6891
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Issue: freeipa/freeipa-healthcheck#35
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
The purpose of external groups in FreeIPA is to be able to reference
objects only existing in trusted domains. These members get resolved
through SSSD interfaces but there is nothing that prevents SSSD from
resolving any IPA user or group if they have security identifiers
associated.
Enforce a check that a SID returned by SSSD does not belong to IPA
domain and raise a validation error if this is the case. This would
prevent adding IPA users or groups as external members of an external
group.
RN: Command 'ipa group-add-member' allowed to specify any user or group
RN: for '--external' option. A stricter check is added to verify that
RN: a group or user to be added as an external member does not come
RN: from IPA domain.
Fixes: https://pagure.io/freeipa/issue/8236
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Add a new XMLRPC test trying to apply an IDview:
- to a master
- to a hostgroup containing a master
The command must refuse to apply the IDview to a master node.
Related: https://pagure.io/freeipa/issue/5662
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Custom IDViews should not be applied to IPA master nodes. Add a
check enforcing this rule in idview_apply command.
Fixes: https://pagure.io/freeipa/issue/5662
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This partially restores the pre-ec73de969f state of `http_proxy`,
which fails to restart the apache service during master
installation. The failure happens because of apache is not
configured yet on 'pki-tomcatd' installation phase. The mentioned
code and proposed one relies on the installer which bootstraps the
master.
Fixes: https://pagure.io/freeipa/issue/8233
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Regression test resolving trusted users and groups should be
successful when there is a user in IPA with the
same name as a group name.
Related: https://pagure.io/SSSD/sssd/issue/4073
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
For SAN IPAddress extension the cert plugin verifies that the IP address
matches the host entry. Certmonger uses the host principal to
authenticate and retrieve certificates. But the host principal did not
have permission to read DNS entries from LDAP.
Allow all hosts to read some entries from active DNS records.
Fixes: https://pagure.io/freeipa/issue/8098
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>