Adding test case to test_sso.py to cover login to IPA client as Keycloak
user without relying on external IdP.
create_bridge.py:
- getkeytab in setup_scim_server to allow bridge to use IPA API.
- fix unintstall to remove plugin by version instead of main
test_sso.py:
- add keycloak_add_user function
- add test_ipa_login_with_sso_user
tasks.py:
- add set_user_password to only set password for ipa users
Fixes: https://pagure.io/freeipa/issue/9250
Signed-off-by: Scott Poore <spoore@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The webui test test_subid_range_deletion_not_allowed is
adding a new subid for the admin user but a previous
test already took care of that step.
Remove the call adding the subid.
2nd issue: a given record has to be selected in
order to check that there is no "delete" button.
Fixes: https://pagure.io/freeipa/issue/9214
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Test scenario:
configure sssd with ldap_group_name = info for the trusted domain,
so that the group name is read from the "info" attribute
of the AD group entry.
With this setting, it is possible to have a group and a user
that appear on IdM side with the same name.
Ensure that the conflict does not break IdM and that the id,
getent group and getent passwd commands work on an IdM client.
Related : https://pagure.io/freeipa/issue/9127
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Previously the message was:
"\n\nIn Directory Server, we offer one hash suitable for this "
"(PBKDF2_SHA256) and one hash\nfor \"legacy\" support (SSHA512)."
"\n\nYour configuration does not use these for password storage "
"or the root password storage\nscheme.\n"
but now the message is:
\n\nIn Directory Server, we offer one hash suitable for this "
"(PBKDF2-SHA512) and one hash\nfor \"legacy\" support (SSHA512)."
"\n\nYour configuration does not use these for password storage "
"or the root password storage\nscheme.\n"
PBKDF2_SHA256 has been replaced with PBKDF2-SHA512
Pagure: https://pagure.io/freeipa/issue/9238
Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
OpenLDAP has made it explicit to use default CA store as provided by
OpenSSL in 2016:
branches 2.5 and later:
commit 4962dd6083ae0fe722eb23a618ad39e47611429b
Author: Howard Guo <hguo@suse.com>
Date: Thu Nov 10 15:39:03 2016 +0100
branch 2.4:
commit e3affc71e05b33bfac43833c7b95fd7b7c3188f8
Author: Howard Guo <hguo@suse.com>
Date: Thu Nov 10 15:39:03 2016 +0100
This means starting with OpenLDAP 2.4.45 we can drop the explicit CA
configuration in ldap.conf.
There are several use cases where an explicit IPA CA should be specified
in the configuration. These mostly concern situations where a higher
security level must be maintained. For these configurations an
administrator would need to add an explicit CA configuration to
ldap.conf if we wouldn't add it during the ipa-client-install setup.
RN: FreeIPA client installer does not add explicit TLS CA configuration
RN: to OpenLDAP's ldap.conf anymore. Since OpenLDAP 2.4.45, explicit CA
RN: configuration is not required as OpenLDAP uses the default CA store
RN: provided by OpenSSL and IPA CA is installed in the default store
RN: by the installer already.
Fixes: https://pagure.io/freeipa/issue/9258
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Currently if a certificate mapping and matching rule has a typo or is of
an unsupported type the whole rule processing is aborted and the IPA
certmap plugin works without any rules effectively disabling PKINIT for
users. Since each rule would only allow more certificates for PKINIT it
would be more user/admin friendly to just ignore the failed rules with a
log message and continue with what is left or use the default rule if
nothing is left.
This change is done to add more flexibility to define new mapping and
matching templates which are e.g. needed to cover changes planned by
Microsoft as explained in
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
While python-ldap is strict dependency of IPA in downstreams, it
is optional for IPA packages published on PyPI.
Openldap 2.6 no longer ships ldap_r-2, that makes
ipapython.dn_ctypes not working against such environments.
Thanks @abbra!
Fixes: https://pagure.io/freeipa/issue/9255
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This is required to ensure that only objects from requested domain
are returned.
Resolves: https://pagure.io/freeipa/issue/9245
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
In fedora 37+, the signing of DNS zones is failing.
Mark xfail the gating tests impacted by this issue, to avoid
breaking the CI gating when we move to f37.
Related: https://pagure.io/freeipa/issue/9216
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
In fedora 37+, sssctl domain-status is failing.
Mark xfail the gating tests impacted by this issue, to avoid
breaking the CI gating when we move to f37.
Related: https://pagure.io/freeipa/issue/9234
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Fedora 37 beta is now available, move the testing pipelines to
- fedora 37 for the _latest definitions
- fedora 36 for the _previous definition
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>