Commit Graph

12301 Commits

Author SHA1 Message Date
Christian Heimes
f89e501ee1 Handle races in replica config
When multiple replicas are installed in parallel, two replicas may try
to create the cn=replica entry at the same time. This leads to a
conflict on one of the replicas. replica_config() and
ensure_replication_managers() now handle conflicts.

ipaldap now maps TYPE_OR_VALUE_EXISTS to DuplicateEntry(). The type or
value exists exception is raised, when an attribute value or type is
already set.

Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
2018-07-12 15:26:25 +02:00
Armando Neto
ba954efafd Fix pylint 2.0 conditional-related violations
In order to support pylint 2.0 the following violations must be fixed:

- `chained-comparison` (R1716):
  Simplify chained comparison between the operands This message is
  emitted when pylint encounters boolean operation like
  "a < b and b < c", suggesting instead to refactor it to "a < b < c".

- `consider-using-in` (R1714):
  Consider merging these comparisons with "in" to %r To check if a
  variable is equal to one of many values,combine the values into a
  tuple and check if the variable is contained "in" it instead of
  checking for equality against each of the values.This is faster
  and less verbose.

Issue: https://pagure.io/freeipa/issue/7614

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-12 08:49:43 +02:00
Christian Heimes
f48f00c692 pylint 2.0: node.path is a list
In pylint 2.0 and astroid 2.0, node.path has become a list. It's usually
a list of one element unless namespace packages are involved.

See 7f46f9341c (diff-f0ac879524bcb98964f7d8738a084820)

See: https://pagure.io/freeipa/issue/7614
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-07-11 14:35:55 +02:00
Christian Heimes
ec65590c9f Fix XPASS in test_installation
Several test cases in test_installation pass, but are marked as xfail().
Only mark the actual failing tests as failed.

See: https://pagure.io/freeipa/issue/7613
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
2018-07-11 10:50:33 +02:00
Christian Heimes
0c1010d6f7 Mark all expected failures as strict
With strict=True, xfail() fails when the test case passes unexpectably.
This allows us to spot passing tests that are expected to fail.

Fixes: https://pagure.io/freeipa/issue/7613
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Petr Cech <pcech@redhat.com>
2018-07-11 10:50:33 +02:00
Armando Neto
b4ad0d19a2 Fix pylint 2.0 return-related violations
Aiming to support pylint 2.0 some functions and methods must have their
return statements updated in order to fix two new violations:

- `useless-return` (R1711):
  Useless return at end of function or method Emitted when a single
  "return" or "return None" statement is found at the end of function
  or method definition. This statement can safely be removed because
  Python will implicitly return None

- `inconsistent-return-statements` (R1710):
  Either all return statements in a function should return an
  expression, or none of them should. According to PEP8, if any return
  statement returns an expression, any return statements where no value
  is returned should explicitly state this as return None, and an
  explicit return statement should be present at the end of the
  function (if reachable)

Issue: https://pagure.io/freeipa/issue/7614

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-11 10:11:38 +02:00
Christian Heimes
9222a08c28
Fix DNSSEC install regression
7284097eed introduced a regression in
DNSSEC master installation. For standalone and replica installation,
services have to be enabled before checking bind config.

Fixes: https://pagure.io/freeipa/issue/7635
See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-07-10 17:51:05 +02:00
Christian Heimes
2b669c52a5 Wait for client certificates
ipa-client-install --request-cert now waits until certmonger has
provided a host certificate. In case of an error, ipa-client-install no
longer pretents to success but fails with an error code.

The --request-cert option also ensures that certmonger is enabled and
running.

See: Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-07-09 20:15:18 +02:00
Christian Heimes
1fa2a7cd41 Auto-retry failed certmonger requests
During parallel replica installation, a request sometimes fails with
CA_REJECTED or CA_UNREACHABLE. The error occur when the master is
either busy or some information haven't been replicated yet. Even
a stuck request can be recovered, e.g. when permission and group
information have been replicated.

A new function request_and_retry_cert() automatically resubmits failing
requests until it times out.

Fixes: https://pagure.io/freeipa/issue/7623
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-07-09 20:15:18 +02:00
Stanislav Levin
fcb2a06931 Fix link to browser configuration guide on Login page
There is a mismatch between 'i18n' krb_auth_msg and 'LoginScreen'
widget kerberos_msg. The former links to "unauthorized.html", but the latter
to "ssbrowser.html". Both should link to "ssbrowser.html" page.

Fixes: https://pagure.io/freeipa/issue/7624
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-09 18:27:05 +02:00
Christian Heimes
811b0fdb46 Tune DS replication settings
Tune 389-DS replication settings to improve performance and avoid
timeouts. During installation of a replica, the value of
nsDS5ReplicaBindDnGroupCheckInterval is reduced to 2 seconds. At the end
of the installation, the value is increased sensible production
settings. This avoids long delays during replication.

See: https://pagure.io/freeipa/issue/7617
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-07-09 18:20:17 +02:00
Christian Heimes
199d50a4c8
Fix race condition in get_locations_records()
The method IPASystemRecords.get_locations_records() has a race condition.
The IPASystemRecords object creates a mapping of server names to server
data. get_locations_records() uses server_find() again to get a list of
servers, but then operates on the cached dict of server names.

In parallel replication case, the second server_find() call in
get_locations_records() can return additional servers. Since the rest of
the code operates on the cached data, the method then fails with a KeyError.

server_data is now an OrderedDict to keep same sorting as with
server_find().

Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-07-09 14:36:42 +02:00
Armando Neto
b274da726b Replace file.flush() calls with flush_sync() helper
Calls to `os.fsync(f.fileno())` need to be accompained by `f.flush()`.

Commit 8bbeedc93f introduces the helper
`ipapython.ipautil.flush_sync()`, which handles all calls in the right
order.

However, `flush_sync()` takes as parameter a file object with fileno
and name, where name must be a path to the file, this isn't possible
in some cases where file descriptors are used.

Issue: https://pagure.io/freeipa/issue/7251

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-07 10:20:01 +02:00
Rob Crittenden
f29412729e replicainstall: DS SSL replica install pick right certmonger host
Extend fix 0f31564b35 to also move
the DS SSL setup so that the xmlrpc_uri is configured to point
to the remote master we are configuring against.

https://pagure.io/freeipa/issue/7566

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-06 18:25:52 +02:00
Christian Heimes
8fa767622f Fix CA topology warning
Commit 7284097eed kept
find_providing_servers('CA') call before enable_services(). Therefore the
list of known CA servers did not contain the current replica.
ipa-replica-install on the first replica with --setup-ca still printed
the CA topology warning.

See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-06 17:53:06 +02:00
Florence Blanc-Renaud
e32cfd14a9 ipa client uninstall: clean the state store when restoring hostname
When ipa client was installed with the --hostname= option, it stores
[network]
hostname = (current hostname)
in /var/lib/ipa-client/sysrestore/sysrestore.state and changes the hostname
from (current hostname) to the value provided in --hostname.

During uninstall, the previous hostname is restored but the entry does
not get removed from sysrestore.state. As the uninstaller checks if all
entries from sysrestore.state have been restored, it warns that some
state has not been restored.

The fix calls statestore.restore_state() instead of statestore.get_state()
as this method also clears the entry.

https://pagure.io/freeipa/issue/7620

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-07-06 17:40:55 +02:00
Christian Heimes
7284097eed Delay enabling services until end of installer
Service entries in cn=FQDN,cn=masters,cn=ipa,cn=etc are no longer
created as enabled. Instead they are flagged as configuredService. At
the very end of the installer, the service entries are switched from
configured to enabled service.

- SRV records are created at the very end of the installer.
- Dogtag installer only picks fully installed servers
- Certmonger ignores all configured but not yet enabled servers.

Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-07-06 13:26:43 +02:00
Christian Heimes
10457a01bf Only create DNS SRV records for ready server
When installing multiple replicas in parallel, one replica may create
SRV entries for other replicas, although the replicas aren't fully
installed yet. This may cause some services to connect to a server, that
isn't ready to serve requests.

The DNS IPASystemRecords framework now skips all servers that aren't
ready IPA masters.

See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-07-06 13:26:43 +02:00
Christian Heimes
7c2ca14118 Query for server role IPA master
server_find and server_role plugin were hiding IPA master role
information. It's now possible to fetch IPA master role information and
to filter by IPA master role, e.g. to ignore servers that have some
services configured but not (yet) enabled.

See: https://pagure.io/freeipa/issue/7566
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-07-06 13:26:43 +02:00
Armando Neto
e8d33ccfd1 ipa-server-install: fix zonemgr argument validator
Fix `ERROR 'str' object has no attribute 'decode'` when --zonemgr is
passed to ipa-server-install.

Solution copied from commit 75d26e1f01,
function `ipaserver.install.bindinstance.zonemgr_callback` duplicates
the behavior of the method affected by this patch.

Issue: https://pagure.io/freeipa/issue/7612

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-05 23:09:27 +02:00
Christian Heimes
9c86d35a3f Cleanup shebang and executable bit
- Add missing executable bits to all scripts
- Remove executable bits from all files that are not scripts,
  e.g. js, html, and Python libraries.
- Remove Python shebang from all Python library files.

It's frown upon to have executable library files in site-packages.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2018-07-05 19:46:42 +02:00
Christian Heimes
198a2c6112 Import ABCs from collections.abc
Python 3 has moved all collection abstract base classes to
collections.abc. Python 3.7 started to deprecate the old aliases.

The whole import block needs to be protected with import-error and
no-name-in-module, because Python 2 doesn't have collections.abc module and
collections.abc.Mapping, while Python 3 doesn't have collections.Mapping.

Fixes: https://pagure.io/freeipa/issue/7609
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-07-05 19:45:10 +02:00
Armando Neto
53c5496647 ipa-client-install: Update how comments are added by ipachangeconf
Due to how 'openldap-client' parses its configuration files this patch
changes how comments are added, moving them to the line above instead
of appending to the same line.

IPA doesn't want to break existing configuration, if a value already
exists it adds a comment to the modified setting and a note about that
on the line above.

New settings will be added without any note.

Issue: https://pagure.io/freeipa/issue/5202

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-07-05 19:42:43 +02:00
Michal Reznik
417f748682 ipa_tests: ipa-replica-prepare stuck on user input
TestOldReplicaWorksAfterDomainUpgrade is getting stuck while
running "ipa-replica-prepare" as it is asking for user input:
"Do you want to search for missing reverse zones?". Adding
"--auto-reverse" in order to continue.

https://pagure.io/freeipa/issue/7615

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-04 16:03:02 +02:00
Armando Neto
79391ad8e1 ui_tests: fix test_config::test_size_limits
Fix a regression caused by: https://pagure.io/freeipa/issue/7606

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Pavel Picka <ppicka@redhat.com>
2018-07-04 15:21:30 +02:00
Michal Reznik
e140d198ea ui_tests: stabilization fixes
This patch aims to fix the following tests which seems to be quite
unstable recently:

test_user::test_actions - closing notification and moving to element
to have screenshot of current place.

test_user::certificates - add wait() / close_notification

Also adds missing @screenshot decorator to test_user_misc method.

Reviewed-By: Pavel Picka <ppicka@redhat.com>
2018-07-04 15:21:30 +02:00
Christian Heimes
a7627a7d8a Require JSS 4.4.5 with replication fixes
JSS fixes two issues related to cert replication and trust flags. The
bugs causes the replicated NSS DB to miss public key entries.

See: https://github.com/dogtagpki/jss/pull/13
See: https://github.com/dogtagpki/jss/pull/15
Fixes: https://pagure.io/freeipa/issue/7590
Fixes: https://pagure.io/freeipa/issue/7589
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-07-04 09:32:54 +02:00
Christian Heimes
6896c90eb2 Extend Sub CA replication test
Test more scenarios like replication replica -> master. Verify that master
and replica have all expected certs with correct trust flags and all keys.

See: https://pagure.io/freeipa/issue/7590
See: https://pagure.io/freeipa/issue/7589
Fixes: https://pagure.io/freeipa/issue/7611
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2018-07-04 09:32:54 +02:00
Nikhil Dehadrai
dcaa62f6a4 Test for improved Custodia key distribution
The test checks that custodia keys are properly
replicated from the source and are successfully
distributed amongst peer system upon successful
replica installation.

Fixes: https://pagure.io/freeipa/issue/7518

Signed-off-by: Nikhil Dehadrai <ndehadra@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-07-03 11:04:50 -04:00
Justin Stephenson
00dceb434d Skip zone overlap check with auto-reverse
Skip the existing reverse zone overlap check during DNS installation
when both --auto-reverse and --allow-zone-overlap arguments are
provided.

https://pagure.io/freeipa/issue/7239

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-03 09:37:27 -04:00
Rob Crittenden
627cb490d2 Extend CALessBase::installer_server to accept extra_args
Allow callers to pass abitrary extra arguments to the installer.

This is useful when using a CALess installation in order to
speed up tests that require a full install but do not require
a full PKI.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-07-03 09:37:27 -04:00
Christian Heimes
4084189f09 pylint: Class node has been renamed to ClassDef
nodes.Class has been removed from pylint and astroid 2.0. The new names
have been available for a while.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-29 17:20:19 +02:00
Christian Heimes
f8159d0be0 Pythhon3.7: re module has no re._pattern_type
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-29 17:20:19 +02:00
Christian Heimes
52cdd213b4 Catch ACIError instead of invalid credentials
ipaldap's LDAPClient client turns INVALID_CREDENTIAL error into
ACIError. Catch the ACIError and wait until the user has been
replicated.

Apparently no manual or automated test ran into the timeout during
testing.

Fixes: Fixes: https://pagure.io/freeipa/issue/7593
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2018-06-29 15:48:43 +02:00
Anuja More
0128b3f92e
Test for ipa-client-install should not use hardcoded admin principal
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-06-29 10:31:50 +02:00
Florence Blanc-Renaud
7bf99e8dc5 Add test for ticket 7604: ipa-client-install --mkhomedir doesn't enable oddjobd
Add a test checking that ipa-client-install --mkhomedir
is properly enableing/starting oddjobd.

Related to:
https://pagure.io/freeipa/issue/7604

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-28 11:41:17 +02:00
Florence Blanc-Renaud
a39f656340 ipa-client-install: enable and start oddjobd if mkhomedir
Since the switch to authselect, the service oddjobd is not
automatically enabled when ipa client is installed with
--mkhomedir.
The fix makes sure that the service is enabled/started, and
stores the pre-install state in sysrestore.state, in order
to revert to the pre-install state when uninstall is called

Fixes:
https://pagure.io/freeipa/issue/7604

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2018-06-28 11:41:17 +02:00
Armando Neto
d622be295a Prevent the creation on users and groups with numeric characters only
Update regular expression validator to prevent user and group creation.

Fixes: https://pagure.io/freeipa/issue/7572

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-27 15:25:39 -03:00
Alexander Bokovoy
81f36df7ac ipaserver/dcerpc.py: handle indirect topology conflicts
When AD forest A has a trust with a forest B that claims ownership
of a domain name (TLN) owned by an IPA forest, we need to build
exclusion record for that specific TLN, not our domain name.

Use realmdomains to find a correct exclusion entry to build.

Fixes: https://pagure.io/freeipa/issue/7370
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-27 12:49:35 -03:00
Varun Mylaraiah
39ac5f442a ui_tests: extend test_pwpolicy.py suite
Extend WebUI test_pwpolicy suite with the following test cases
Details in the ticket https://pagure.io/freeipa/issue/7574

Added tests:
krbpwdminlength: lower range integer
krbmaxpwdlife: non-integer, abc
krbmaxpwdlife: upper range integer,2147483648
krbmaxpwdlife: lower range integer,-1
krbminpwdlife: non-integer,edf
krbminpwdlife: upper range integer,2147483648
krbminpwdlife: lower range integer,-1
krbpwdhistorylength: non-integer,HIJ
krbpwdhistorylength: upper range integer,2147483648
krbpwdhistorylength: lower range integer,-1
krbpwdmindiffchars: noon-integer,3lm
krbpwdmindiffchars: upper range integer,2147483648
krbpwdmindiffchars: lower range integer, -1
krbpwdminlength: non-integer, n0p
krbpwdminlength: upper range integer,2147483648
krbpwdminlength: lower range integer, -1
cospriority: non-integer, abc
cospriority: upper range integer,2147483648
cospriority: lower range integer,-1
krbpwdmaxfailure: non-integer
krbpwdmaxfailure: upper range integer
krbpwdmaxfailure: lower range integer
krbpwdfailurecountinterval: non-integer
krbpwdfailurecountinterval: upper range integer
krbpwdfailurecountinterval: lower range integer
krbpwdlockoutduration: non-integer
krbpwdlockoutduration: upper range integer
krbpwdlockoutduration: lower range integer
deletePolicy_with various scenario
MeasurementUnitAdded_Bug798363
Delete global password policy
add_Policy_adder_dialog_bug910463
delete_Policy_deleter_dialog_bug910463
test field: cospriority
modifyPolicy(undo/refresh/reset)
empty policy name
upper bound of data range
lower bound of data range
non integer for policy priority

Signed-off-by: Varun Mylaraiah <mvarun@redhat.com>
Reviewed-By: Pavel Picka <ppicka@redhat.com>
2018-06-27 13:31:54 +02:00
Christian Heimes
c2eb0f1612
Fix permission of public files in upgrader
Make CA bundles, certs, and cert directories world-accessible in
upgrader.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-27 11:05:01 +02:00
Christian Heimes
89b2137dc2
Make /etc/httpd/alias world readable & executable
The directory /etc/httpd/alias contains public key material. It must be
world readable and executable, so any client can read public certs.

Note: executable for a directory means, that a process is allowed to
traverse into the directory.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-27 11:05:01 +02:00
Christian Heimes
1434f2a203
Always make ipa.p11-kit world-readable
Ensure that ipa.p11-kit is always world-readable.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-27 11:05:01 +02:00
Christian Heimes
ba8cbb8c62
Ensure that public cert and CA bundle are readable
In CIS hardened mode, the process umask is 027. This results in some
files not being world readable. Ensure that write_certificate_list()
calls in client installer, server installer, and upgrader create cert
bundles with permission bits 0644.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-27 11:05:01 +02:00
Christian Heimes
0e21d93391
Use 4 WSGI workers on 64bit systems
Commit f1d5ab3a03 increases WSGI worker
count to five. This turned out to be a bit much for our test systems.
Four workers are good enough and still double the old amount.

See: https://pagure.io/freeipa/issue/7587
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
2018-06-25 13:41:18 +02:00
Mohammad Rizwan Yusuf
e90d90c5c3
Check if issuer DN is updated after self-signed > external-ca
This test checks if issuer DN is updated properly after CA is
renewed from self-signed to external-ca

related ticket: https://pagure.io/freeipa/issue/7316

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>

Replaced hardcoded issuer CN for external ca with constant

Signed-off-by: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2018-06-25 10:37:58 +02:00
Sudhir Menon
89ae434131 Adding modified DOAP file
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-22 11:02:40 -04:00
Sudhir Menon
c7ac8b91db DOAP Description for IPA Project
https://pagure.io/freeipa/issue/2536

Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2018-06-22 11:02:40 -04:00
Christian Heimes
ad838c37a9 Fix replication races in Dogtag admin code
DogtagInstance.setup_admin and related methods have multiple LDAP
replication race conditions. The bugs can cause parallel
ipa-replica-install to fail.

The code from __add_admin_to_group() has been changed to use MOD_ADD
ather than search + MOD_REPLACE. The MOD_REPLACE approach can lead to
data loss, when more than one writer changes a group.

setup_admin() now waits until both admin user and group membership have
been replicated to the master peer. The method also adds a new ACI to
allow querying group member in the replication check.

Fixes: https://pagure.io/freeipa/issue/7593
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-06-22 13:01:55 +02:00
Christian Heimes
1b966f708a Use common replication wait timeout of 5min
Instead of multiple timeout values all over the code base, all
replication waits now use a common timeout value from api.env of 5
minutes. Waiting for HTTP/replica principal takes 90 to 120 seconds, so
5 minutes seem like a sufficient value for slow setups.

Fixes: https://pagure.io/freeipa/issue/7595
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2018-06-22 13:01:55 +02:00