Commit Graph

22631 Commits

Author SHA1 Message Date
Timo Aaltonen
89021d8b9d version bump 2024-12-09 12:39:05 +02:00
Timo Aaltonen
897198ef20 Merge branch 'master' into m 2024-12-09 12:17:04 +02:00
Timo Aaltonen
74032671f8 tagging IPAv4 4.11.1

Merge tag 'release-4-11-1' into m

tagging IPAv4 4.11.1
2024-12-09 12:16:59 +02:00
Rob Crittenden
c7da7e0dc9 Become IPA v4.12.2 2024-08-21 11:06:37 -04:00
Sudhir Menon
f5c7237204 ipatests: Test to check that the configured value for "nsslapd-ignore-time-skew" remains on even after a "force-sync" is done
Related: https://pagure.io/freeipa/issue/9635

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-08-21 16:59:22 +02:00
Sudhir Menon
ed813fe6f0 ipatests: Replace 'usermod -r' command with 'gpasswd -d' in test_hsm.py
Test 'test_hsm_negative_bad_token_dir_permissions'
was failing in RHEL because of the below error.

"ipa: ERROR: stderr: usermod: invalid option -- 'r'"

Hence replaced the usermod with gpasswd command which does the same and
works on both RHEL and Fedora.

Ref: https://pagure.io/freeipa/issue/9626

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-08-16 17:14:03 +02:00
Rob Crittenden
21c6ccc982 Fix some resource leaks identified by a static analyzer
Fixes: https://pagure.io/freeipa/issue/9367

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2024-08-16 07:18:33 +02:00
Rob Crittenden
d0684a7ecf Ignore TripleDES python-cryptography import warnings
TripleDES will be deprecated in python-cryptography 48.0.0. We
have code that uses it if it is available and otherwise ignores
it.

Because this gets imported in constants.py this warning is prominent
pretty much everywhere. So let's ignore it since we already handle
the issue.

Related: https://pagure.io/freeipa/issue/9641

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-08-15 10:03:40 +02:00
Rob Crittenden
5cc7941f30 Correct usage of public_key_algorithm_oid in ipalib/x509
public_key_algorithm_oid is property of underlying Certificate object
that is not supposed to be callable. I missed that it contained
() at the end.

Fixes: https://pagure.io/freeipa/issue/9641

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-08-15 10:03:40 +02:00
Florence Blanc-Renaud
f37c2eb878 trust-add: handle unavailable domain
When ipa trust-add fails to retrieve the remote domain information,
it exits with "an internal error has occurred".
Handle the case with a better error message.

Fixes: https://pagure.io/freeipa/issue/9488

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-08-14 18:34:48 +02:00
Florence Blanc-Renaud
1fc63e2b51 HSM: fix the module name
During the server installation, the installer checks if the
SELinux policy module for the specific hardware is detected. The
current code mixed up SELinux policy module name and RPM
package name and resulted in a false warning that the module
was missing.

The module name is ipa-nfast or ipa-luna, not ipa-selinux-nfast
or ipa-selinux-luna.
The name is defined in the spec file as %{module}-nfast
and module=ipa.

Fixes: https://pagure.io/freeipa/issue/9636

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-08-14 17:05:16 +02:00
Florence Blanc-Renaud
84751a26a9 ipatests: skip HSM test if pki < 11.5.9
The test TestHSMNegative should be skipped if PKI is too old,
but its uninstall method does not check the PKI version.

Add a call to check_version in the class uninstall method.

Fixes: https://pagure.io/freeipa/issue/9648

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2024-08-12 07:42:33 +02:00
Sudhir Menon
8046023fc4 ipatests: ipa-migrate tool with -Z option (CACERTFILE)
This patch adds tests to check the scenarios associated with
pagure tickets

https://pagure.io/freeipa/issue/9642 - ipa-migrate - properly handle invalid certificates
https://pagure.io/freeipa/issue/9619 - ipa-migrate starttls does not work

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-08-08 16:20:26 +02:00
Mohammad Rizwan
ee96c129a6 ipatests: Verify that SIDgen task continues even if it fails to assign sid
related: https://pagure.io/freeipa/issue/9618

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-08-08 13:37:42 +02:00
Florence Blanc-Renaud
81401e6c01 ipatests: increase the timeout for test_hsm.py::TestHSMInstall
The test is often failing on timeout. Add 15min to the test definitions.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-08-05 21:23:27 +02:00
Rob Crittenden
e83d949c7f Log errors reported by adtrustinstance.check_inst() using logger
It previously only printed the issue which made troubleshooting
after the fact difficult. Using logger.error() provides the same
visual functionality but also logs to the server install log.

Fixes: https://pagure.io/freeipa/issue/9637

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-08-05 14:52:12 +02:00
Rob Crittenden
ffba69648a Force a logout in KerberosSession if a login is needed
Remove the client side cookie if a user possesses an IPA session
cookie and the associated credentials can't be found on the
server.

This handles the case where the ccaches are removed for some reason
(maybe cleanup, maybe a container was restarted) and allows for
a successful SSO if the user's Kerberos ticket is still valid.

Without this change the user is always dropped into the
username/password dialog. The only workaround is to remove
the cookie on the client side.

Fixes: https://pagure.io/freeipa/issue/9624

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-08-05 14:50:10 +02:00
Florence Blanc-Renaud
aadb8051d4 Replica CA installation: ignore time skew during initial replication
During a replica CA installation, the initial replication step may fail
if there is too much time skew between the server and replica.

The replica installer already takes care of this for the replication of
the domain suffix but the replica CA installer does not set
nsslapd-ignore-time-skew to on for o=ipaca suffix.

During a replica CA installation, read the initial value of
nsslapd-ignore-time-skew, force it to on, start replication and
revert to the initial value.

Apply the same logic to dsinstance and ipa-replica-manage force-sync.

Fixes: https://pagure.io/freeipa/issue/9635
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-08-01 09:51:11 +02:00
Alexander Bokovoy
7b5f3d7971 Get rid of unicode and long helpers in ipa-otptoken-import
Related: https://pagure.io/freeipa/issue/9641

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-31 16:20:31 -04:00
Alexander Bokovoy
fc02904340 ipalib/constants.py: factor out TripleDES use
Cryptography 43 started to warn that in version 48 it will remove
TripleDES support. Change the code to detect missing TripleDES algorithm
and do not fail.

Related: https://pagure.io/freeipa/issue/9641

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-31 16:20:31 -04:00
Alexander Bokovoy
7f9c890c04 ipalib/x509.py: get rid of unicode helper
Pylint started to complain that 'unicode' variable is accessed before
definition. This is clearly a bug in how 'six' and pylint are working
together.

Replace use of 'unicode()' by 'str()'.

Fixes: https://pagure.io/freeipa/issue/9644

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-31 16:20:31 -04:00
Alexander Bokovoy
531bd05de9 ipalib/x509.py: support Cryptography 43
Cryptography 43 added two new abstract methods to Certificate class of
which we are using one, public_key_algorithm_oid.

Fixes: https://pagure.io/freeipa/issue/9641

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-31 16:20:31 -04:00
Rob Crittenden
38b83c2b93 Run HSM validation as pkiuser to verify token permissions
Run all commands as pkiuser when validating that the HSM token
is available, that the token library path is correct and that
the password can read keys. This will avoid issues where the
initial validation is ok but the pkiuser is not granted read
access to some part of the token. This is very possible
when using softhsm2.

Fixes: https://pagure.io/freeipa/issue/9626

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-31 16:19:02 -04:00
Rob Crittenden
f03a96a7b9 ipatests: Fix usage of token_password_file
There were a few hardcoded places where it was set to
/tmp/token_passwd instead of using the class variable.

Don't rely on previous running tests installing the token
password file so they can be run individually.

Fixes: https://pagure.io/freeipa/issue/9603

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-31 16:17:27 -04:00
Mark Reynolds
0e4fbc3b0d ipa-migrate - properly handle invalid certificates
A ValueError is raised when an invalid certificate is used, so the tool
should handle this properly and not produce a stack trace.

Fixes: https://pagure.io/freeipa/issue/9642

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-31 16:14:49 -04:00
Florence Blanc-Renaud
2ddca5d5d5 spec file: do not use nodejs-22 on f39 and f40
Nodejs22 has been released on f39 and f40 and freeipa fails
to build with this version. Nodejs22 will be the default version
in f41+ and adds a symlink from /usr/bin/node-22 to /usr/bin/node
but on older fedora versions, the symlink is not created.
As our build is using /usr/bin/node command, it fails with
command not found.

Stick to Nodejs 20 on these older versions.

Fixes: https://pagure.io/freeipa/issue/9643

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-31 08:25:30 +02:00
Rob Crittenden
fdd471d55c Fix a copy/paste issue when detecting the HSM SELinux subpackage
I made a mistake when trying to detect which HSM is being used
to ensure that the appropriate SELinux subpackage is installed.

Fixes: https://pagure.io/freeipa/issue/9636

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-22 09:57:34 -04:00
Julien Rische
9f88188204 Remove RC4 and 3DES default encryption types on update
Fixes: https://pagure.io/freeipa/issue/9633

Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-19 08:44:49 -04:00
Julien Rische
d1a485a435 Unconditionally add MS-PAC to global config on update
Fixes: https://pagure.io/freeipa/issue/9632

Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-19 08:44:49 -04:00
Florence Blanc-Renaud
6eb6a92930 ipatests: remove xfail for test_ipa_migrate_stage_mode
The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1
::test_ipa_migrate_stage_mode is now passing, the issue has been fixed.

Related: https://pagure.io/freeipa/issue/9621

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
2024-07-19 08:39:21 -04:00
Florence Blanc-Renaud
de940802bb ipatests: remove xfail for test_ipa_migrate_version_option
The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1::
test_ipa_migrate_version_option is now passing, issue has been fixed.
The -V option has been removed.

Related: https://pagure.io/freeipa/issue/9620

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
2024-07-19 08:39:21 -04:00
Mark Reynolds
85a853ba93 Issue 9621 - ipa-migrate - should not update mapped attributes in managed entries
We should not migrate mapped attributes (uidNumber, gidNumber) from
managed entries

We should also not migrate DNA ranges in staging mode

Fixes: https://pagure.io/freeipa/issue/9621

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-17 09:17:17 +02:00
Anuja More
8b703150a4 ipatests: Test replica installation using AD admin.
Test to verify that replica connection check is not failing when
the AD administrator Administrator@AD.EXAMPLE.COM is
used for the deployment or promotion of a replica

Related: https://pagure.io/freeipa/issue/9542

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-07-17 09:11:13 +02:00
Alexander Bokovoy
051d61fdc3 ipa-pwd-extop: differentiate OTP requirements in LDAP binds
For users who have no OTP tokens defined (yet), a missing token should
not be seen as a failure. This is needed to allow a basic password
change.

The logic around enforcement of OTP over LDAP bind is the following:
----------------------------------------------------------------------
- when LDAP OTP control is requested by the LDAP client, OTP is
  explicitly required
- when EnforceLDAPOTP is set in the IPA configuration, OTP is implicitly
  required, regardless of the state of LDAP client

In either case, only users with 'user-auth-type: otp' are allowed to
authenticate.

If these users have no OTP token associated yet, they will be allowed to
authenticate with their password. This is to allow initial password
change and adding an OTP token.
----------------------------------------------------------------------

Implement test that simulates lifecycle for new user who gets to change
their password before adding an OTP token.

Related: https://pagure.io/freeipa/issue/5169

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-17 09:06:14 +02:00
Sudhir Menon
ab47696fa6 Added new testsuite(ipa_ipa_migration) in prci definitions
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-15 17:26:53 -04:00
Mark Reynolds
eeade50933 ipa-migrate - starttls does not work
We were previously taking the provided ca cert and creating a temporary
file from it. This was incorrect and caused the secure connection to
fail.  Instead just use the file path provided.

Fixes: https://pagure.io/freeipa/issue/9619

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-15 17:22:19 -04:00
Rob Crittenden
6c53a22a2c Include token password options in ipa-kra-install man page
Related: https://pagure.io/freeipa/issue/9603

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-15 10:26:54 -04:00
Mohammad Rizwan
4ea1ad6aca ipatests: tests related to --token-password-file
Test automation added around the --token-password-file
option for server/replica/kra install.

Related: https://pagure.io/freeipa/issue/9603

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-15 10:26:54 -04:00
Rob Crittenden
7ab1bcb2d3 Re-organize HSM validation to be more consistent/less duplication
hsm_validator() was more or less bolted in place late in the
development cycle in order to catch some of the more common
problems: bad token name, bad password, etc.

There was a fair bit of duplication and had the side-effect of not
reading in the token password from the --token-password-file option
in some cases.

This patch also re-adds a lost feature where an exception is raised if
both the --token-password and --token-password-file options are passed
in.

This also needs to be enforced on initial server, replica and when
called by ipa-kra-install. Given that each has a unique subject of
options some duplication remains.

Fixes: https://pagure.io/freeipa/issue/9603

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-07-15 10:26:54 -04:00
Rob Crittenden
1b278de4ab Fix syntax error in the selinux-luna %postun script
It was missing a trailing fi.

This bad syntax was preventing cleanup of the
{free}ipa-selinux-luna SELinux module:

Running scriptlet: freeipa-selinux-luna-4.12.0.dev202402211727+git0ee   34/44
/var/tmp/rpm-tmp.qoCDFi: line 16: syntax error: unexpected end of file
warning: %postun(freeipa-selinux-luna-4.12.0.dev202402211727+git0eeecdcec-0.fc37.noarch) scriptlet failed, exit status

Fixes: https://pagure.io/freeipa/issue/9629

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-07-12 08:32:35 +02:00
Mark Reynolds
efa5719363 ipa-migrate - remove -V option
The versioning in ipa-migrate was removed, but the "-V" option to display the version was not removed.

Fixes: https://pagure.io/freeipa/issue/9620

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-11 13:59:16 +02:00
Shunsuke matsumoto
06c02f5f2c The -d option of the ipa-advise command was able to be used.
The -d option of the ipa-advise command was unavailable, so the default value was changed to True to enable its use.

Fixes: https://pagure.io/freeipa/issue/9625
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-07-11 10:30:59 +02:00
Thomas Woerner
a8e75bbb77 ipa_sidgen: Allow sidgen_task to continue after finding issues
find_sid_for_ldap_entry could fail in several ways if a Posix ID can not
be converted to an unused SID. This could happen for example for duplicate
IDs or user/group out of range.

This change enables ipa_sidgen_task to continue in the error case to try
to convert the entries without errors. The error messages have been
extended to additionally show the DN string for the bad entries.

Fixes: https://pagure.io/freeipa/issue/9618

Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-07-08 16:39:16 +02:00
Florence Blanc-Renaud
d635d70110 test_replica_install_after_restore: kinit after restore
After uninstall and restore, kinit is required before
launching any ipa command.

Related: https://pagure.io/freeipa/issue/9613
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-08 15:26:24 +02:00
Florence Blanc-Renaud
6fe268af5b Uninstall: stop sssd-kcm before removing KCM ccaches database
The service is socket-activated and will be restarted whenever
needed. It must be stopped before the database is removed
otherwise it fails to recreate the file.

Fixes: https://pagure.io/freeipa/issue/9616
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-08 15:26:24 +02:00
Florence Blanc-Renaud
2f902efd0e ipa-ods-enforcer: stop must also stop the socket
ipa-ods-enforcer is a socket-activated service. In order to fully stop
the service, IPA needs to call
systemctl stop ipa-ods-enforcer.service ipa-ods-enforcer.socket
otherwise the socket remains active (listening) and can restart the
service.

A consequence of the issue is the backup / uninstall / restore
scenario that is failing to sign the zones. The uninstaller removes
the socket /run/opendnssec/engine.sock but leaves the ipa-ods-enforcer.socket
active. A subsequent restore or install will not re-create the socket.

Fixes: https://pagure.io/freeipa/issue/9613
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-07-08 15:26:24 +02:00
Sudhir Menon
90b22ff888 ipatests: Tests for ipa-ipa migration tool
This patch includes tests for ipa-ipa migration
tool

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mark Reynolds <mreynolds@redhat.com>
2024-07-08 15:21:04 +02:00
TAKAHASHI Masatsuna
52ea4ad46e ipa-advise ipa-backup ipa-restore: Fix --v option of the manual.
Specifying the --v option results in an error.
The --v option is incorrect and should be -v.

Fixes: https://pagure.io/freeipa/issue/9617
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2024-07-04 17:48:04 +02:00
Florence Blanc-Renaud
48ff7da5cb ipatests: fix / permissions for test_nested_group_members
The test test_nested_group_members is performing a ssh login
with a private key and this command may fail if the root directory
does not have the right permissions on the ssh server
(see https://access.redhat.com/solutions/6798261)

Ensure that / has 755 before launching the test.

Fixes: https://pagure.io/freeipa/issue/9615
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2024-07-02 08:53:03 +02:00
Rob Crittenden
9e364910f5 Clean up more files and directories created by the installer(s)
Ideally all files created during an IPA server installation are
removed by the uninstaller. Some files are purposefully left,
like token passwords, private keys, logs and more. Add an
allow list for those files.

Include a test to catch any additional files that may be created
and left behind.

Fixes: https://pagure.io/freeipa/issue/8080

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2024-06-26 13:30:48 +02:00