NSS 3.40 and 3.41 enable p11-kit proxy. The PKCS#11 proxy loads all
PKCS#11 providers including the default SoftHSM2 token. On Fedora 28
OpenLDAP is patched to use Mozilla NSS. Because the SoftHSM2 token is
protected, the OpenLDAP function tlsmc_extract_cacerts() blocks because
it is waiting for PIN.
Delete the p11-kit policy and regenerate crypto policy.
OpenLDAP debug output:
ldap_url_parse_ext(ldap://master.ipa.test:389/)
TLSMC: MozNSS compatibility interception begins.
tlsmc_intercept_initialization: INFO: entry options follow:
tlsmc_intercept_initialization: INFO: cacertdir = `/etc/dirsrv/slapd-IPA-TEST'
tlsmc_intercept_initialization: INFO: certfile = `(null)'
tlsmc_intercept_initialization: INFO: keyfile = `(null)'
tlsmc_convert: INFO: trying to open NSS DB with CACertDir = `/etc/dirsrv/slapd-IPA-TEST'.
tlsmc_open_nssdb: INFO: trying to initialize moznss using security dir `/etc/dirsrv/slapd-IPA-TEST` prefix ``.
tlsmc_open_nssdb: INFO: initialized MozNSS context.
tlsmc_convert: INFO: trying with PEM dir = `/tmp/openldap-tlsmc-slapd-IPA-TEST--CFD75CD2496FD947611EE486C199DB7DE06AF86D5CD28715BAD24414827D1987'.
tlsmc_convert: WARN: will try to create PEM dir.
tlsmc_prepare_dir: INFO: preparing PEM directory `/tmp/openldap-tlsmc-slapd-IPA-TEST--CFD75CD2496FD947611EE486C199DB7DE06AF86D5CD28715BAD24414827D1987'.
tlsmc_prepare_dir: INFO: creating a subdirectory `cacerts'.
tlsmc_prepare_dir: INFO: successfully created PEM directory structure.
***NSS 3.40 BLOCKS HERE***
tlsmc_extract_cacerts: INFO: found cert nick=`Server-Cert', _not_ a trusted CA, skipping.
tlsmc_extract_cacerts: INFO: found cert nick=`Self-Signed-CA', a trusted CA.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
gcc is updated with the dnf builddep line, but annobin is not. Therefore
configure fails with "C compiler cannot create executables".
This is related to https://bugzilla.redhat.com/show_bug.cgi?id=1574478
See: https://pagure.io/freeipa/issue/7740
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Remove Python 2 related code and configuration from spec file, autoconf
and CI infrastructure. From now on, FreeIPA 4.8 requires at least Python
3.6. Python 2 packages like python2-ipaserver or python2-ipaclient are
no longer available. PR-CI, lint, and tox aren't testing Python 2
compatibility either.
See: https://fedoraproject.org/wiki/Changes/FreeIPA_Python_2_Removal
Fixes: https://pagure.io/freeipa/issue/7568
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Fixes: https://pagure.io/freeipa/issue/7559
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
It's no longer necessary to specify "with_python3" to get Python 3
dependencies.
python3-tox pulls in Python 2.6, 3.3, 3.4, 3.5, and pypy as weak
dependency. Use --setopt=install_weak_deps=False to make a build
environment leaner.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Now WebUI unit tests are generating results in qunit format which
is not consumable well by Jenkins.
This patch adds NPM dependency for adding generation results in
JUnit XML format so it can be easily processed.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
- Refactor CertDB to look up values from its NSSDatabase.
- Add run_modutil() helpers to support sql format. modutil does not
auto-detect the NSSDB format.
- Add migration helpers to CertDB.
- Add explicit DB format to NSSCertificateDatabase stanza
- Restore SELinux context when migrating NSSDB.
- Add some debugging and sanity checks to httpinstance.
The actual database format is still dbm. Certmonger on Fedora 27 does
neither auto-detect DB format nor support SQL out of the box.
https://pagure.io/freeipa/issue/7354
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
"ipa-server-install --uninstall" no longer fails with error message
"'Env' object has no attribute 'basedn'" when executed on a system that
has no freeIPA server installation.
Fixes: https://pagure.io/freeipa/issue/7063
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Felipe Volpone <fbarreto@redhat.com>
When 'make check' is run, automake produces logs for each test to be ran.
Collect all the logs from the tests.
Also prepare the template to quickly enable use of gdb with traceback
in case a test is crashing. To use it, add LOG_COMPILE definition to
the 'make' line.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
dnf makecache does not support the "fast" keyword in its
makecache subcommand in Fedora 26.
https://pagure.io/freeipa/issue/6874
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This check should prevent regressions in already py3 ported server plugins.
Later it may be extened to multiple logs.
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Python version was placed at wrong position, py3 hasn't been tested at
all in travis.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The explicit uninstall will help to catch regressions
such as recently reported https://pagure.io/freeipa/issue/6950
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Set `mode` to `development` in default.conf after ipa-server-install.
https://pagure.io/freeipa/issue/6625
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
This patch allows to install KRA on first IPA server in one step using
ipa-server-install
This option improves containers installation where ipa-server can be
installed with KRA using one call without need to call docker exec.
Please note the the original `kra.install()` calls in
ipaserver/install/server/install.py were empty operations as it did
nothing, so it is safe to move them out from CA block
https://pagure.io/freeipa/issue/6731
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
When a non-lint job fails, all the relevant logs from the test runner
will be gzipped and uploaded to https://transfer.sh file sharing
service. The download link will then be displayed at the very end of the
Travis build log.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Prepare a configuration file for
https://github.com/martbab/ipa-docker-test-runner. The latest
freeipa-fedora-test-runner Docker image (F25 as of time of writing this
message) will be used to run tests. Some of them will be purposefuly excluded
from the test suite, namely:
* test_integration and test_webui: for obvious reasons, CI tests require
complicated multi-host setup which is currently not achievable in Travis CI
* test_ipapython/test_keyring: Docker can not cope with storing and retrieving
secrets from Kernel keyring, that is a known issue
* test_xmlrpc/test_dns_plugin.py:test_dns_soa: There are 2-3 non-deterministic
failures in this suite in Travis CI, this suite was disabled until the root
cause is discovered and fixed/workarounded
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
