URL: https://github.com/freeipa/freeipa/pull/2337
Author: flo-renaud
Title: #2337: [Backport][ipa-4-7] ipa-replica-install: fix pkinit setup
Action: opened

PR body:
"""
This is a manual backport of PR #2326 to ipa-4-7 branch
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2337/head:pr2337
git checkout pr2337
From 78ec64f8bf1115590d4f3229c1664239c7844b51 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 4 Sep 2018 14:15:50 +0200 Subject: [PATCH 1/2] ipa-replica-install: fix pkinit setup commit 7284097 (Delay enabling services until end of installer) introduced a regression in replica installation. When the replica requests a cert for PKINIT, a check is done to ensure that the hostname corresponds to a machine with a KDC service enabled (ipaconfigstring attribute of cn=KDC,cn=<hostname>,cn=masters,cn=ipa,cn=etc,$BASEDN must contain 'enabledService'). With the commit mentioned above, the service is set to enabled only at the end of the installation. The fix makes a less strict check, ensuring that 'enabledService' or 'configuredService' is in ipaconfigstring. Fixes: https://pagure.io/freeipa/issue/7566 Reviewed-By: Christian Heimes <chei...@redhat.com> --- ipaserver/plugins/cert.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index ffe51597e4..9e3d228f8c 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -300,9 +300,11 @@ def ca_kdc_check(api_instance, hostname): ipaconfigstring = {val.lower() for val in kdc_entry['ipaConfigString']} - if 'enabledservice' not in ipaconfigstring: + if 'enabledservice' not in ipaconfigstring \ + and 'configuredservice' not in ipaconfigstring: raise errors.NotFound( - reason=_("enabledService not in ipaConfigString kdc entry")) + reason=_("enabledService/configuredService not in " + "ipaConfigString kdc entry")) except errors.NotFound: raise errors.ACIError( From 7709447a7d9f27b95b9d33ad40ff78ccbc11f8a1 Mon Sep 17 00:00:00 2001 
From: Florence Blanc-Renaud <f...@redhat.com> Date: Tue, 4 Sep 2018 15:50:28 +0200 Subject: [PATCH 2/2] Tests: test successful PKINIT install on replica Add a test checking that ipa-replica-install successfully configures PKINIT on the replica Related to https://pagure.io/freeipa/issue/7566 Reviewed-By: Christian Heimes <chei...@redhat.com> --- ipatests/test_integration/test_replica_promotion.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py index 1eade8330e..3e32938686 100644 --- a/ipatests/test_integration/test_replica_promotion.py +++ b/ipatests/test_integration/test_replica_promotion.py @@ -203,6 +203,9 @@ def test_one_command_installation(self): '-r', self.master.domain.realm, '--server', self.master.hostname, '-U']) + # Ensure that pkinit is properly configured, test for 7566 + result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status']) + assert "PKINIT is enabled" in result.stdout_text @pytest.mark.xfail(reason="Ticket N 6274", strict=True)
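Review bot: in the cert.py hunk, the relaxed check in ca_kdc_check now also accepts a host whose KDC entry carries only configuredService, and nothing in the code says why; a one-line comment stating that the installer enables services only at the end (commit 7284097, per the commit message) and that the KDC entry itself is still only written by the installer would keep a future reader from tightening the check back to enabledService alone. Stylistically, the backslash-continued condition is easier to read wrapped in parentheses, e.g. `if ('enabledservice' not in ipaconfigstring and` / `'configuredservice' not in ipaconfigstring):`.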
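Review bot: in the test_replica_promotion.py hunk, the new assertion couples the regression test to the exact wording "PKINIT is enabled" in `ipa-pkinit-manage status` output, so a later change to that message would fail test_one_command_installation for an unrelated reason; consider checking the command's exit status as well, and replace the bare "test for 7566" in the comment with the full ticket reference https://pagure.io/freeipa/issue/7566 so the link is discoverable from the test.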
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org