--no-host-dns is supposed to avoid all DNS lookups so pass
this as the force value when creating the host in a replica
installation.
https://pagure.io/freeipa/issue/7656
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
This test checks if the access rights for user/group
is set to 644 on /var/lib/dirsrv/slapd-TESTRELM-TEST/ldif/*
and umask 0022 set while restoring.
related ticket: https://pagure.io/freeipa/issue/6844
Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Ckeck the output of ipa-server-upgrade script for error.
Related to: https://pagure.io/freeipa/issue/7644
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
There was an issue with ipa-server-upgrade and it was
showing an error while upgrading:
DN... does not exists or haven't been updated, caused
by not moving pointer to file begining when re-reading.
Resolves: https://pagure.io/freeipa/issue/7644
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The indirect members need to be calculated and the member
attributes converted. This is normally done in
baseldap::LDAPRetrieve but these methods provide their
own execute() in order to handle the option values.
Update sudorule_add|remove_option tests to include check
that converted user/group exists in the proper format.
https://pagure.io/freeipa/issue/7649
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
To be translatable messages should be marked with '@i18n' and
present in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7621
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
To be translatable messages should be marked with '@i18n' and
present in "i18n_messages" dictionary.
Fixes: https://pagure.io/freeipa/issue/7621
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
To be customizable URL should be placed to "config"
Fixes: https://pagure.io/freeipa/issue/7621
Reviewed-By: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Disable tests that use domain level 0. Fail early to catch additional
tests that depend on DL0.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
When creating Kerberos keys for trusted domain object account, ipasam
module requests to generate keys using a series of well-known encryption
types. In FIPS mode it is not possible to generate RC4-HMAC key:
MIT Kerberos is using openssl crypto backend and openssl does not allow
use of RC4 in FIPS mode.
Thus, we have to filter out RC4-HMAC encryption type when running in
FIPS mode. A side-effect is that a trust to Active Directory running
with Windows Server 2003 will not be possible anymore in FIPS mode.
Resolves: https://pagure.io/freeipa/issue/7659
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
The code in question was supposed to have the same license as the
rest of the plugin. Fix it by updating the comment header.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
The old domain level check to suggest to use ipa-replica-prepare has been
converted to make sure that domain fulfills minimal domain level
requirement (no DL0).
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The hard coded mindomainlevel needs to be increased to 1.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
As there is the minimal domain level setting MIN_DOMAIN_LEVEL, it should
be used instead of DOMAIN_LEVEL_0.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This is not needed anymore due to the removal of the DL0 test
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
DL0 is not supported anymore therefore this test is failing.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
This pull should not remove code, therefore it is needed to add addtional
conditionals to calm down pylint beacuse of unreachable code.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
As there is currently only DL1, there is no need to have extra
sentences for "at domain level 1".
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
As there is currently only DL1, there is no need to have extra
sentences for "at domain level 1".
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Remove replica_file option and all "DOMAIN LEVEL 0" and "DOMAIN LEVEL 1"
prefixes and also sections specific to DL0 form the man page.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Raise "Domain level 0 is not supported anymore" error if there are
remainaing args after parsing. Remove all "DOMAIN LEVEL 0" and
"DOMAIN LEVEL 1" prefixes from the man page.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Raise "Domain level 0 is not supported anymore" error if there are
remainaing args after parsing. Remove all "DOMAIN LEVEL 0" and
"DOMAIN LEVEL 1" prefixes from the man page.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
In the case that the domain level is set to 0 or replica_file is set (not
None) an error will be raised.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The replica_file option is only supported for DL0. The option will be
marked deprecated for now.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
With increasing the minimal domain level to 1 ipa-replica-install will
refuse to install if the domain has domain level 0.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-replica-prepare (script and man page) is only needed for DL0 support.
The script and man page are not installed anymore and also removed from
the spec file.
See: https://pagure.io/freeipa/issue/7669
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Client installation with --no-sssd option has already beeen deprecated
with https://pagure.io/freeipa/issue/5860. Authconfig support has been
removed, therefore --no-ac option can be removed also.
ipatests/test_integration/test_authselect.py: Skip no_sssd and no_ac tests.
See: https://pagure.io/freeipa/issue/7671
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Some tests have been identified as frequently failing on timeouts. While
we are investigating PRCI potential issues, increase the timeouts to
make PRCI usable. The rule is to add 30min if the test involves CA/KRA
installation or 20min otherwise for the most problematic tests.
test_forced_client_enrolment: from 1h to 1h20
test_vault: from 1h15 to 1h45
external_ca_1: from 1h to 1h20
test_sudo: from 1h to 1h20
test_authconfig: from 1h to 1h20
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
extend timeout with one hour as timed out many times in PRCI nightly
- test_dnssec
- test_replication_layouts_TestLineTopologyWithCA
- test_replication_layouts_TestLineTopologyWithCAKRA
- test_replication_layouts_TestStarTopologyWithCAKRA
- test_server_del
- test_webui
Signed-off-by: Pavel Picka <ppicka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Add a test for issue 7601:
- add a user, perform kinit user to modify the password, read krblastpwdchange
and krbpasswordexpiration.
- perform a ldapmodify on the password as dir mgr
- make sure that krblastpwdchange and krbpasswordexpiration have been modified
- perform the same check with ldappasswd
Related to:
https://pagure.io/freeipa/issue/7601
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
When making ipa-pwd-extop TXN aware, some callbacks are call twice.
Particularily
ipapwd_pre_add is called during PRE_ADD and TXN_PRE_ADD
ipapwd_pre_mod is called during PRE_MOD and TXN_PRE_MOD
ipapwd_post_modadd is called during POST_ADD and TXN_POST_ADD
ipapwd_post_modadd is called during POST_MOD and TXN_POST_MOD
It is not the expected behavior and it results on some skipped updates krbPasswordExpiration
and krbLastPwdChange
https://pagure.io/freeipa/issue/7601
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The template directory /var/log/dirsrv/slapd-X could be created with the
wrong SELinux context.
Related to: https://pagure.io/freeipa/issue/7662
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The session directory /etc/httpd/alias/ could be created with the wrong
SELinux context. Therefore httpd was not able to write to this directory.
Fixes: https://pagure.io/freeipa/issue/7662
Related-to: 49b4a057f1 (Create missing
/etc/httpd/alias for ipasession.key)
Reviewed-By: Christian Heimes <cheimes@redhat.com>
pytest 3.7.0 doesn't like ipatests.pytest_plugins package. The string
"pytest_plugins" is used as marker to load plugins. By populare vote and
to avoid future conflicts, we decided to rename the directory to pytest_ipa.
Fixes: https://pagure.io/freeipa/issue/7663
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
In the case that enabledService is not found ipaConfigString kdc entry, a
NotFound error was raised without setting the reason. This resulted in a
traceback.
Fixes: https://pagure.io/freeipa/issue/7652
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Some nightly runs didn't have enough resources configured.
See: https://pagure.io/freeipa/issue/7638
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Now the test definition of nightly tests will be on freeipa repo. The
definition that's used on every PR (previously as .freeipa-pr-ci.yaml)
is in ipatests/prci_definitions/gating and the .freeipa-pr-ci.yaml file
is just a symlink to the real file.
In the same dir there is also nightly_master and nightly_rawhide, both
to be used in nightly tests.
Divided test_topology.py into 3 subtests.
Bumped vagrant template to version 0.1.6
This PR is the result of discussion on freeipa-devel mailing list [1].
[1] https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/4VAWJ4SFKKBFFICDLQCTXJWRRQHIYJLL/
Reviewed-By: Michal Reznik <mreznik@redhat.com>
Only spaces should be used for indentation.
It was introduced in commits:
* 7f9f59bae2
* 5d8fde0ac1
Related to: https://pagure.io/freeipa/issue/7559
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Change to use spaces for indentation as it was the the only file
which uses tabs and not spaces.
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>