freeipa/ipatests
Alexander Bokovoy 1f82d281cc service delegation: allow to add and remove host principals
Service delegation rules and targets deal with Kerberos principals.
As FreeIPA has separate service objects for hosts and Kerberos services,
it is not possible to specify a host principal in a service delegation
rule or a target because the code assumes it always operates on Kerberos
service objects.

Simplify the code to add and remove members from delegation rules and
targets. The new code looks up the name of the principal in cn=accounts,$BASEDN
as a krbPrincipalName attribute of an object with the krbPrincipalAux object
class. This search path is already optimized for the Kerberos KDC driver.

To support host principals, the specified principal name is checked to
have only one component (a host name). Service principals have more than
one component, typically a service name and a host name, separated by a '/'
sign. If the principal name has only one component, the name is
prepended with 'host/' to be able to find a host principal.

The logic described above also allows capturing aliases of both
Kerberos service and host principals. An additional check was added to
allow specifying single-component aliases ending with a '$' sign. These
are typically used for Active Directory-related services like databases
or file services.

RN: service delegation rules and targets now allow specifying hosts as
RN: a rule or a target's member principal.

Fixes: https://pagure.io/freeipa/issue/8289
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2020-05-14 21:47:17 +03:00
azure Make api.env.mode consistent 2020-05-14 17:55:59 +02:00
man Simplify ipa-run-tests script 2019-07-16 13:23:21 +03:00
prci_definitions prci: update templates for new Fedora release 2020-04-30 12:05:35 +02:00
pytest_ipa test_smb: test that we can auth as NetBIOS alias 2020-05-08 09:37:37 +03:00
test_cmdline pytest: Migrate unittest/nose to Pytest fixtures 2020-02-12 18:08:32 +02:00
test_install pytest: Migrate unittest/nose to Pytest fixtures 2020-02-12 18:08:32 +02:00
test_integration ipatests: Added testcase to check that ipa-adtrust-install command runs successfully with locale set as LANG=en_IN.UTF-8 2020-05-14 09:05:03 +02:00
test_ipaclient Fix Pytest4.x warning about message 2019-06-19 19:20:14 +10:00
test_ipalib Fix detection logic for api.env.in_tree 2020-05-14 18:16:20 +02:00
test_ipaplatform Don't configure KEYRING ccache in containers 2019-01-18 11:33:11 +01:00
test_ipapython Silence W601 .has_key() is deprecated 2020-05-05 10:42:46 +02:00
test_ipaserver Silence W601 .has_key() is deprecated 2020-05-05 10:42:46 +02:00
test_ipatests_plugins ipatests: Allow zero-length arguments 2020-02-14 09:29:20 +02:00
test_webui WebUI tests: fix PEP8 issues in test_webui/test_user.py 2020-05-06 12:02:51 +02:00
test_xmlrpc service delegation: allow to add and remove host principals 2020-05-14 21:47:17 +03:00
__init__.py Make an ipa-tests package 2013-06-17 19:22:50 +02:00
conftest.py Hard-code in_tree=True for tests 2020-05-14 18:16:20 +02:00
create_external_ca.py Test external CA with DNS name constraints 2019-08-06 12:39:46 +02:00
data.py Fix more bytes/unicode issues 2015-10-22 18:34:46 +02:00
i18n.py Sprinkle raw strings across the code base 2018-09-27 10:23:03 +02:00
ipa-run-tests ipatests: Specify shell implementation 2020-04-21 13:24:50 +02:00
ipa-test-config Rename pytest_plugins to ipatests.pytest_ipa 2018-08-02 17:07:43 +02:00
ipa-test-task Rename pytest_plugins to ipatests.pytest_ipa 2018-08-02 17:07:43 +02:00
Makefile.am Build: fix distribution of static files for web UI 2016-11-09 13:08:32 +01:00
setup.cfg Port all setup.py to setuptools 2016-10-20 18:43:37 +02:00
setup.py Simplify ipa-run-tests script 2019-07-16 13:23:21 +03:00
test_util.py Fix E712 comparison to True / False 2020-05-05 10:42:46 +02:00
util.py ipatests: Remove no longer needed 'skip' compatibility 2020-04-21 13:24:50 +02:00