Commit Graph

701 Commits

Author SHA1 Message Date
sumenon
ba213aa448 ipatests: Test for ipahealthcheck tool for IPADomainCheck.
This testcase checks that when trust isn't setup
between IPA server and Windows AD, IPADomainCheck
displays key value as domain-check and result is SUCCESS

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-04-27 09:18:56 -04:00
Kaleemullah Siddiqui
bba41dc85c Test for check of HostKeyAlgorithms option in ssh_config
Test checks that HostKeyAlgorithms is not present in
/etc/ssh/ssh_config after client install with option
-ssh-trust-dns.

https://pagure.io/freeipa/issue/8082

Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-04-27 09:09:10 -04:00
sumenon
29fd9602c6 ipatests: Test for ipahealthcheck.ds.ruv check
This test ensures that RUVCheck for ipahealthcheck.ds.ruv
source displays correct result

Signed-off-by: sumenon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-04-23 10:29:33 -04:00
Stanislav Levin
d67846fa36
ipatests: Remove deprecated yield_fixture
'yield_fixture' is deprecated since Pytest3 [0].
FreeIPA requires at least 3.9.1. So, it can be safely removed.

[0]: https://docs.pytest.org/en/latest/yieldfixture.html

Fixes: https://pagure.io/freeipa/issue/8101
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-04-21 13:24:50 +02:00
Mohammad Rizwan Yusuf
2c54609d73 ipatests: Test to check password leak in apache error log
Host enrollment with OTP used to log the password in cleartext
to apache error log. This test ensures that the password should
not be log in cleartext.

related: https://pagure.io/freeipa/issue/8017

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-04-20 08:44:00 -04:00
Michal Polovka
3a64ac08e1 Test for healthcheck being run on replica with stopped master
Test checks whether healthcheck  reports only that master is stopped
with no other false positives when services on IPA master are stopped.

Related: https://bugzilla.redhat.com/show_bug.cgi?id=1727900

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-04-17 08:54:13 -04:00
Christian Heimes
bdf1137169 Use /run and /run/lock instead of /var
Also add runstatedir autoconf var. IPA requires autoconf 2.59. The
variable will be available with autoconf 2.70.

Fixes: https://pagure.io/freeipa/issue/8272
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-04-15 18:48:50 +02:00
Alexander Bokovoy
dbf5df4a66 CVE-2020-1722: prevent use of too long passwords
NIST SP 800-63-3B sets a recommendation to have password length upper bound limited in A.2:

https://pages.nist.gov/800-63-3/sp800-63b.html#appA

	Users should be encouraged to make their passwords as lengthy as they
	want, within reason. Since the size of a hashed password is independent
	of its length, there is no reason not to permit the use of lengthy
	passwords (or pass phrases) if the user wishes. Extremely long passwords
	(perhaps megabytes in length) could conceivably require excessive
	processing time to hash, so it is reasonable to have some limit.

FreeIPA already applied 256 characters limit for non-random passwords
set through ipa-getkeytab tool. The limit was not, however, enforced in
other places.

MIT Kerberos limits the length of the password to 1024 characters in its
tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not
differentiate between a password larger than 1024 and a password of 1024
characters. As a result, longer passwords are silently cut off.

To prevent silent cut off for user passwords, use limit of 1000
characters.

Thus, this patch enforces common limit of 1000 characters everywhere:
 - LDAP-based password changes
   - LDAP password change control
   - LDAP ADD and MOD operations on clear-text userPassword
   - Keytab setting with ipa-getkeytab
 - Kerberos password setting and changing

Fixes: https://pagure.io/freeipa/issue/8268

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2020-04-14 12:36:01 +03:00
Rob Crittenden
3022bb5fd2 Perform baseline healthcheck
Run healthcheck on a default installation and ensure that there
are no failures. This test ensures that a fresh IPA installation
will pass healthcheck.

https://bugzilla.redhat.com/show_bug.cgi?id=1774032

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-04-06 12:54:20 -04:00
François Cami
a087fd9255 ipatests: move ipa_backup to tasks
* tasks had an ipa_backup() method that was not used anywhere.
* test_backup_and_restore had a backup() method that used to return
  both the path to the backup and the whole result from run_command ;
  The path to the backup can be determined from the result.

Clean up:
* move test_backup_and_restore.backup to tasks.ipa_backup, replacing
  the unused method.
* add tasks.get_backup_dir(host) which runs ipa-backup on host and
  returns the path to the backup directory.
* adjust test_backup_and_restore and test_replica_promotion.

Related: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-04-06 16:53:31 +02:00
Michal Polovka
f5f960ed2a Test for output being indented by default value if not stated implicitly.
Test checks whether output json-line string is indented by default value
if this value is not stated implicitly. Test compares healthcheck
produced json-like string with manually indented one.

Automates: 02272ff39d76f1412483c5e3289564c93d196a03
Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-04-03 08:32:20 -04:00
Sergey Orlov
26233c887e
ipatests: mark test_trustdomain_disable test as expectedly failing
The fix for issue https://pagure.io/SSSD/sssd/issue/4078 have not landed
Fedora 30 version yet.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-04-03 11:15:57 +02:00
Sergey Orlov
d8135b7328
ipatests: add test for sssd behavior with disabled trustdomains
When a trusted subdomain is disabled in ipa, users from this domain
should not be able to access ipa resources.

Related to: https://pagure.io/SSSD/sssd/issue/4078

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-04-03 11:15:57 +02:00
Mohammad Rizwan Yusuf
a02df530a6 ipatests:Test if proper error thrown when AD user tries to run IPA commands
Before fix the error used to implies that the ipa setup is broken.
Fix is to throw the proper error. This test is to check that the
error with 'Invalid credentials' thrown when AD user tries to run
IPA commands.

related: https://pagure.io/freeipa/issue/8163

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-04-02 14:30:52 +02:00
Sergey Orlov
98b6326a8e
ipatests: explicitly save output of certutil
The test setup was failing because output redirection does not work in
run_command() when specifued as list element.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-04-01 14:34:40 +02:00
Sergey Orlov
a2dee05b16
ipatests: add AD DC as a DNS forwarder before establishing trust
"ipa trust-add" was not able to establish trust because it could not
find the AD domain controller.

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-04-01 14:34:40 +02:00
François Cami
9324bba6b7 test_backup_and_restore: add server role verification steps
Add calls to "ipa server-role" to check whether the server role
changes are applied before calling ipa-backup.

Related: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-04-01 12:09:16 +02:00
François Cami
3a9b66b530 ipatests: test ipa-backup with different role configurations.
ipa-backup should refuse to execute if the local IPA server does not
have all the roles used in the cluster.
A --disable-role-check knob should also be provided to bypass the
check.

Add an integration test for the new behavior and the knob.

Related: https://pagure.io/freeipa/issue/8217
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-04-01 12:09:16 +02:00
sumenon
fd9f1b3d5b Test for ipahealthcheck.ipa.idns check when integrated DNS is setup
This testcase compares the output of ipahealtcheck.ipa.dns check
with the SRV records displayed by 'ipa dns-update-system-records --dry-run'
command executed on IPA server with integrated DNS setup.

https://bugzilla.redhat.com/show_bug.cgi?id=1695125

Signed-off-by: sumenon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2020-03-31 11:52:42 -04:00
Sumedh Sidhaye
58ad7b74eb Test to check if Certmonger tracks certs in between reboots/interruptions and while in "CA_WORKING" state
When a resubmit request is submitted an "invalid cookie"
error message is no longer shown

Earlier an "invlaid cookie" error message was shown when getcert list was called.

The fix allows an empty cookie in dogtag-ipa-ca-renew-agent-submit

Pagure Issue: https://pagure.io/freeipa/issue/8164

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>

Fixup for test to verify that POLL will not error out on cookie

Author:    Rob Crittenden <rcritten@redhat.com>
Date:      Tue Mar 24 15:30:38 2020 -0400

Fixed review comments

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-03-30 15:07:48 -04:00
François Cami
f9804558bb ipatests: test_replica_promotion.py: test KRA on Hidden Replica
The Hidden replica tests did not test what happened when KRA was
installed on a hidden replica and then other KRAs instantiated from
this original one. Add a test scenario that covers this.

Related: https://pagure.io/freeipa/issue/8240
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
2020-03-26 13:18:14 +01:00
Mohammad Rizwan Yusuf
d07da41739 ipatests: Skip test using paramiko when FIPS is enabled
Test used paramiko to connect to the master from controller.
Hence skip if FIPS is enabled

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-25 15:18:57 +01:00
Rob Crittenden
8906689215 Test that pwpolicy only applied on Kerberos entries
Also test that a normal user has password history enforcement

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-25 10:11:48 +01:00
Alexander Bokovoy
a620ac0f6f ipatests: test sysaccount password change with a password policy applied
ipa-pwd-extop plugin had a bug which prevented a cn=Directory Manager
to change a password to a value that is not allowed by an associated
password policy. Password policy checks should not apply to any
operations done as cn=Directory Manager.

The test creates a system account with associated policy that prevents
password reuse. It then goes to try to change a password three times:
 - as a user: must succeeed
 - as a cn=Directory Manager: must succeed even with a password re-use
 - as a user again: must fail due to password re-use

Related: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-25 10:11:48 +01:00
Alexander Bokovoy
c1c45df4b2 ipatests: always skip additional input for group-add-member --external
'ipa group-add-member groupname --external some-object' will attempt to
ask interactive questions about other optional parameters (users and
groups) if only external group member was specified. This leads to a
timeout in the tests as there is no input provided.

Do not wait for the entry that would never come by using 'ipa -n'.

Related: https://pagure.io/freeipa/issue/8236
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-25 09:39:01 +02:00
Fraser Tweedale
45b5384b6e ipatests: check HTTP certificate contains ipa-ca.$DOMAIN dnsname
Add integration test that confirms that on CA-ful installation, the
(non-3rd-party) HTTP certificate bears the ipa-ca.$DOMAIN DNS name.

For detailed discussion on the purpose of this change and the design
decisions made, see `git log -1 $THIS_COMMIT~4`.

Part of: https://pagure.io/freeipa/issue/8186

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-03-25 11:13:03 +11:00
Sergey Orlov
aae30eb708
ipatests: provide AD admin password when trying to establish trust
`ipa trust-add --password` command requires that user provides a password.

Related to: https://pagure.io/freeipa/issue/7895

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-03-24 18:26:03 +01:00
Mohammad Rizwan Yusuf
312d00df90 Test if schema-compat-entry-attribute is set
This is to ensure if said entry is set after installation.
It also checks if compat tree is disable.

related: https://pagure.io/freeipa/issue/8193

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-03-24 13:49:57 +01:00
Mohammad Rizwan Yusuf
9120d65e88 Test if schema-compat-entry-attribute is set
This is to ensure if said entry is set after installation with AD.

related: https://pagure.io/freeipa/issue/8193

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
2020-03-24 13:49:57 +01:00
Sergey Orlov
9e47799cc7 ipatests: remove test_ordering
The test_integration/test_ordering.py is a test for pytest_sourceorder
plugin which is not part of freeipa project, it is not an integration test.

The up to date version of this test is available at project repository:
https://pagure.io/python-pytest-sourceorder/blob/master/f/test_sourceorder.py

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-24 10:20:39 +02:00
Rob Crittenden
4a3b7baed7 Test that ipa-healthcheck human output translates error strings
The code rather than the string was being displayed in human
output for non-SUCCESS messages. Verify that in case of an error
the right output will be present.

https://bugzilla.redhat.com/show_bug.cgi?id=1752849

Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-03-21 09:36:40 +01:00
Florence Blanc-Renaud
3753862401 ipatests: wait for SSSD to become online in backup/restore tests
The backup/restore tests are calling 'id admin' after restore
to make sure that the user name can be resolved after a restore.
The test should wait for SSSD backend to become online before
doing any check, otherwise there is a risk that the call to
'id admin' fails.

Fixes: https://pagure.io/freeipa/issue/8228

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-21 07:37:05 +02:00
sumenon
c77f4213e9 ipatests: Added testcase to check logrotate is added for healthcheck tool
Issue: freeipa/freeipa-healthcheck#35
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2020-03-20 08:20:56 +01:00
Alexander Bokovoy
2997a74abc Prevent adding IPA objects as external members of external groups
The purpose of external groups in FreeIPA is to be able to reference
objects only existing in trusted domains. These members get resolved
through SSSD interfaces but there is nothing that prevents SSSD from
resolving any IPA user or group if they have security identifiers
associated.

Enforce a check that a SID returned by SSSD does not belong to IPA
domain and raise a validation error if this is the case. This would
prevent adding IPA users or groups as external members of an external
group.

RN: Command 'ipa group-add-member' allowed to specify any user or group
RN: for '--external' option. A stricter check is added to verify that
RN: a group or user to be added as an external member does not come
RN: from IPA domain.

Fixes: https://pagure.io/freeipa/issue/8236
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-03-19 13:27:30 +01:00
Anuja More
6018ccaa8d Mark test to skip sssd-2.2.2
Test test_ext_grp_with_ldap is marked as skip as
fix for https://pagure.io/SSSD/sssd/issue/4073
unavailable with sssd-2.2.2

Related: https://pagure.io/SSSD/sssd/issue/4073

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-17 09:13:16 +02:00
Anuja More
b2ab2863ca ipatests: User and group with same name should not break reading AD user data.
Regression test resolving trusted users and groups should be
successful when there is a user in IPA with the
same name as a group name.

Related: https://pagure.io/SSSD/sssd/issue/4073

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-17 09:13:16 +02:00
Christian Heimes
7a9ac1f586 Allow hosts to read DNS records for IP SAN
For SAN IPAddress extension the cert plugin verifies that the IP address
matches the host entry. Certmonger uses the host principal to
authenticate and retrieve certificates. But the host principal did not
have permission to read DNS entries from LDAP.

Allow all hosts to read some entries from active DNS records.

Fixes: https://pagure.io/freeipa/issue/8098
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-16 13:04:17 +01:00
Rob Crittenden
44e7342844 Move execution of ipa-healthcheck to a separate function
This removes a lot of duplication and simplifies the test
code.

It returns the command returncode and the JSON data (if any)

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-03-12 17:24:33 -04:00
sumenon
4e3a2bd6bf ipatests: check that ipa-healthcheck warns if no dna range is set
Added testcase to verify that ipa-healthcheck tool displays a
warning if no DNS range is set. It previously just reported at the
SUCCESS level that no range was set.

Issue: freeipa/freeipa-healthcheck#60
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2020-03-12 17:24:33 -04:00
Sergey Orlov
8dd663e0c2 ipatests: add test for SSSD updating expired cache items
New test checks that sssd updates expired cache values both for IPA
domain and trusted AD domain.

Related to: https://pagure.io/SSSD/sssd/issue/4012

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-03-12 07:39:12 +01:00
Sergey Orlov
7c059c81ce ipatests: provide docstrings instead of imporperly placed comments
Related to: https://bugzilla.redhat.com/show_bug.cgi?id=1685581

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-03-12 07:39:12 +01:00
Mohammad Rizwan Yusuf
9bcc57d9e0 Test if getcert creates cacert file with -F option
It took longer to create the cacert file in older version.
restarting the certmonger service creates the file at the location
specified by -F option. This fix is to check that cacert file
creates immediately after certificate goes into MONITORING state.

related: https://pagure.io/freeipa/issue/8105

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-03-11 15:48:42 -04:00
Mohammad Rizwan Yusuf
6739d8722c Move wait_for_request() method to tasks.py
Moved the method so that it can be used by other modules too

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-03-11 15:48:42 -04:00
Sergey Orlov
e01e7fe6c6
ipatests: remove invalid parameter from sssd.conf
`use_fully_qualified_names` is not a valid parameter for `[sssd]` section
of sssd.conf, it can be specified only in domain section.
According to `man sssd.conf` it simply requires all requests to be fully
qualified, otherwise no result will be found. It is irrelevant to the
test scenario, so removing it.

Related to: https://pagure.io/freeipa/issue/8219

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-09 16:17:13 +01:00
Sergey Orlov
3dd679b31d
ipatests: use remote_sssd_config to modify sssd.conf
Replace usage of remote_ini_file with remote_sssd_config.
The latter verifies changes against schema which helps to spot the mistakes.

Related to: https://pagure.io/freeipa/issue/8219

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-09 16:17:13 +01:00
Sergey Orlov
9450aef75f
ipatests: replace utility for editing sssd.conf
There are three patterns for editing sssd.conf in tests now:
1. using modify_sssd_conf() which allows to modify only domain sections
2. using remote_ini_file
3. direct file editing using `sed`

This patch introduces new utility function which combines advantages of
first two approaches:
* changes are verified against schema, so that mistakes can be spotted
  early
* has convenient interface for simple options modification,
  both in domain and service sections
* allows sophisticated modifications through SSSDConfig object

Fixes: https://pagure.io/freeipa/issue/8219
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-09 16:17:13 +01:00
Florence Blanc-Renaud
fc4c3ac795 ipatests: add test for ipa-adtrust-install --add-agents
Add tests checking the behavior of ipa-adtrust-install when
adding trust agents:
- try calling the remote method trust_enable_agent with
a principal missing the required privilege.
- try adding a trust agent when the remote node is stopped.
The installer must detect that he's not able to run the remote
commands and print a WARNING.
- try adding a trust agent when the remote node is running.
The WARNING must not be printed as the remote configuration is done.
- try adding a trust agent with --enable-compat.
The WARNING must not be printed and the Schema Compatibility plugin
must be enabled (the entries
cn=users/groups,cn=Schema Compatibility,cn=plugins,cn=config
must contain a new attribute schema-compat-lookup-nsswitch
(=user/group).

Thanks to sorlov for the nightly test definitions and new test.

Related: https://pagure.io/freeipa/issue/7600
Co-authored-by: Sergey Orlov <sorlov@redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-03-05 14:40:58 +01:00
Florence Blanc-Renaud
9ee8657c2a ipatests: fix TestSubCAkeyReplication
The test is using the output of openssl to compare the SubCA issuer name
with the expected value.
Depending on the version of openssl, the issuer can be displayed
differently (with/without space around the = character). On RHEL 7.x,
there is no space by default while on Fedora the space is used.
Calling openssl with -nameopt space_eq forces a consistent output, always
adding space around =.

Reviewed-By: Sudhir Menon <sumenon@redhat.com>
2020-03-05 07:20:15 +01:00
Mohammad Rizwan Yusuf
1556f3f767 Test if server installer lock Bind9 recursion
This test is to check if recursion can be configured.
It checks if newly added file /etc/named/ipa-ext.conf
exists and /etc/named.conf should not have
'allow-recursion { any; };'. It also checks if ipa-backup
command backup the /etc/named/ipa-ext.conf file as well

related : https://pagure.io/freeipa/issue/8079

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-03-03 08:11:51 -05:00
Anuja More
8007cec855 ipatests: Added test when 2FA prompting configurations is set.
Related : https://pagure.io/SSSD/sssd/issue/3264
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-03-03 10:23:58 +02:00