[Freeipa-devel] [freeipa PR#1470][opened] RFE: ipa client should setup openldap for GSSAPI
URL: https://github.com/freeipa/freeipa/pull/1470 Author: amitkumar50 Title: #1470: RFE: ipa client should setup openldap for GSSAPI Action: opened PR body: """ The IPA client installer currently edits /etc/openldap/ldap.conf, setting up the client to consume LDAP data from IPA. It currently sets: >URI >BASE >TLS_CACERT This PR makes ipa-client to add these two AV pair: >SASL_MECH GSSAPI >TLS_REQCERT demand Resolves: https://pagure.io/freeipa/issue/7366 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1470/head:pr1470 git checkout pr1470 From 0e0799e343abcb81c6b4c86891f6dd68c5325603 Mon Sep 17 00:00:00 2001 From: amitkuma Date: Tue, 16 Jan 2018 17:34:08 +0530 Subject: [PATCH] RFE: ipa client should setup openldap for GSSAPI The IPA client installer currently edits /etc/openldap/ldap.conf, setting up the client to consume LDAP data from IPA. It currently sets: URI BASE TLS_CACERT This PR makes ipa-client to add these two AV pair: SASL_MECH GSSAPI TLS_REQCERT demand Resolves: https://pagure.io/freeipa/issue/7366 --- ipaclient/install/client.py | 20 ++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index 5173d90bfe..f655ee9ac9 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -522,8 +522,12 @@ def configure_openldap_conf(fstore, cli_basedn, cli_server): { 'name': 'comment', 'type': 'comment', -'value': ' URI, BASE and TLS_CACERT have been added if they ' - 'were not set.' +'value': ' URI, BASE, TLS_CACERT, SASL_MECH and TLS_REQCERT' +}, +{ +'name': 'comment', +'type': 'comment', +'value': ' have been added if they were not set.' }, { 'name': 'comment', 
@@ -573,6 +577,18 @@ def configure_openldap_conf(fstore, cli_basedn, cli_server): 'type': 'option', 'value': paths.IPA_CA_CRT }, +{ +'action': 'addifnotset', +'name': 'SASL_MECH', +'type': 'option', +'value': 'GSSAPI' +}, +{ +'action': 'addifnotset', +'name': 'TLS_REQCERT', +'type': 'option', +'value': 'demand' +}, ] target_fname = paths.OPENLDAP_LDAP_CONF ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
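Review bot: In the second hunk, `TLS_REQCERT` is written with `'action': 'addifnotset'`, so a client whose ldap.conf already carries a weaker value keeps it and the installer completes without certificate verification being enforced at the `demand` level. Since the stated goal is to set the client up for GSSAPI over a verified TLS channel, consider logging a warning at install time when an existing `TLS_REQCERT` or `SASL_MECH` differs from the value the installer would have written, so the administrator knows the file was left as found. The patch also adds no test covering the two new options, either for the fresh-file case or for the case where they are already set.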
[Freeipa-devel] [freeipa PR#1469][opened] ipa-advise for smartcards updated
URL: https://github.com/freeipa/freeipa/pull/1469 Author: amitkumar50 Title: #1469: ipa-advise for smartcards updated Action: opened PR body: """ Present ipa-advise for smart cards: `# ipa-advise config-client-for-smart-card-auth` `..` `authconfig --enablesmartcard --smartcardmodule=sssd --updateall` `#` ipa-advise for smart cards to be updated to: `authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --updateall` Resolves: https://pagure.io/freeipa/issue/7358 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1469/head:pr1469 git checkout pr1469 From fc8a1af068a29ce0147635886fc77ab309fc1977 Mon Sep 17 00:00:00 2001 From: amitkuma Date: Tue, 16 Jan 2018 15:56:25 +0530 Subject: [PATCH] ipa-advise for smartcards updated # ipa-advise config-client-for-smart-card-auth .. authconfig --enablesmartcard --smartcardmodule=sssd --updateall # Advise is updated to: authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --updateall Resolves: https://pagure.io/freeipa/issue/7333 --- ipaserver/advise/plugins/smart_card_auth.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py index fb328f29ca..896123b458 100644 --- a/ipaserver/advise/plugins/smart_card_auth.py +++ b/ipaserver/advise/plugins/smart_card_auth.py 
@@ -315,7 +315,8 @@ def add_pkcs11_module_to_systemwide_db(self): def run_authconfig_to_configure_smart_card_auth(self): self.log.exit_on_failed_command( -'authconfig --enablesmartcard --smartcardmodule=sssd --updateall', + 'authconfig --enablesssd --enablesssdauth --enablesmartcard' + '--smartcardmodule=sssd --smartcardaction=0 --updateall', [ 'Failed to configure Smart Card authentication in SSSD' ] ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
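Review bot: The two adjacent string literals in the added `authconfig` command are joined without a separating space: the first ends in `--enablesmartcard` and the second begins with `--smartcardmodule=sssd`, so the generated advice contains the fused token `--enablesmartcard--smartcardmodule=sssd` instead of two options. Add a trailing space to the first literal (or a leading space to the second). Separately, the commit message says it resolves issue 7333 while the PR body cites issue 7358; one of the two references needs correcting.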
[Freeipa-devel] [freeipa PR#1464][closed] [Backport][ipa-4-5] WebUI: fix for negative number in pagination size settings
URL: https://github.com/freeipa/freeipa/pull/1464
Author: flo-renaud
Title: #1464: [Backport][ipa-4-5] WebUI: fix for negative number in pagination size settings
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1464/head:pr1464
git checkout pr1464
[Freeipa-devel] [freeipa PR#1468][opened] test_gssproxy: test duplicated sections
URL: https://github.com/freeipa/freeipa/pull/1468 Author: Rezney Title: #1468: test_gssproxy: test duplicated sections Action: opened PR body: """ Related to the issue where ipa-server-install failed because gssproxy was not able to start due to a duplicated section https://pagure.io/freeipa/issue/7363 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1468/head:pr1468 git checkout pr1468 From 3887a8337354c92c704f9e6243e7bbb2caee7d86 Mon Sep 17 00:00:00 2001 From: Michal Reznik Date: Fri, 12 Jan 2018 10:40:46 +0100 Subject: [PATCH] test_gssproxy: test duplicated sections Related to the issue where ipa-server-install failed because gssproxy was not able to start due to a duplicated section https://pagure.io/freeipa/issue/7363 --- ipatests/test_ipaserver/test_gssproxy.py | 61 1 file changed, 61 insertions(+) create mode 100644 ipatests/test_ipaserver/test_gssproxy.py diff --git a/ipatests/test_ipaserver/test_gssproxy.py b/ipatests/test_ipaserver/test_gssproxy.py new file mode 100644 index 00..613975f428 --- /dev/null +++ b/ipatests/test_ipaserver/test_gssproxy.py 
@@ -0,0 +1,61 @@ +import os +import time +import pytest +import shutil +import contextlib + +from ipapython.ipautil import run + +GSSPROXY_MAIN_CONF = '/etc/gssproxy/gssproxy.conf' +GSSPROXY_MAIN_CONF_BKP = GSSPROXY_MAIN_CONF + '.bkp' + +GSSPROXY_NFS_CLIENT_TEST_SECTION = ''' +[service/nfs-client] + mechs = krb5 + cred_store = keytab:/etc/krb5.keytab + cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U + cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab + cred_usage = initiate + allow_any_uid = no + trusted = yes + euid = 0 +''' + +DUPLICATE_WARNING = 'Duplicate section detected in snippet:' + +# to check journal logs only "since" we started our testcase +test_start = time.strftime('%H:%M:%S') + + +@contextlib.contextmanager +def restore_gss_proxy_conf(): +shutil.copy(GSSPROXY_MAIN_CONF, GSSPROXY_MAIN_CONF_BKP) +try: +yield +finally: +# restore original gssproxy conf +os.rename(GSSPROXY_MAIN_CONF_BKP, GSSPROXY_MAIN_CONF) + +# make sure gssproxy is running fine for the other tests +run(['systemctl', 'restart', 'gssproxy']) + + +@pytest.mark.skipif( +os.getuid() != 0, reason=('we can restart gssproxy and change its config ' + 'only as root')) +def test_duplicate_sections(): +""" Related to the issue where ipa-server-install failed because gssproxy +was not able to start due to a duplicated section""" + +with restore_gss_proxy_conf(): +with open(GSSPROXY_MAIN_CONF, 'a') as fd: +fd.write(GSSPROXY_NFS_CLIENT_TEST_SECTION) + +# test if gssproxy is not failing due to a duplicated section +result = run(['systemctl', 'restart', 'gssproxy'], raiseonerr=False) +assert result.returncode == 0 + +# check if there is the expected warning in the journal +result = run(['journalctl', '-u', 'gssproxy', '--since', test_start], + raiseonerr=False) +assert DUPLICATE_WARNING in result.output_log ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
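Review bot: `test_start = time.strftime('%H:%M:%S')` is evaluated at module import rather than when `test_duplicate_sections` begins, and it carries no date, so the `journalctl --since` window is wider than the test itself and breaks across midnight. A `Duplicate section detected in snippet:` message logged by an earlier gssproxy restart inside that window would satisfy the final assertion even if the restart performed by this test logged nothing. Take the timestamp inside the test, immediately before the restart, and include the date (for example `'%Y-%m-%d %H:%M:%S'`). The test also relies on a `[service/nfs-client]` section already being present in some other gssproxy configuration file for the appended section to count as a duplicate; that precondition should be stated in the docstring or checked up front.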
[Freeipa-devel] GitHub assignee labels
Hi people!

I could not miss that we stopped using GitHub's assignee label and I have got used to it. Is there a possibility to bring this habit back on track? I find it very useful when I am trying to find a PR which I want to look into.

Thanks!

--
Tibor Dudlák
Identity management - freeIPA
Brno, TPB-C, 2C407
Red Hat
[Freeipa-devel] [freeipa PR#1467][opened] test for broken ipa-restore with python2
URL: https://github.com/freeipa/freeipa/pull/1467 Author: mrizwan93 Title: #1467: test for broken ipa-restore with python2 Action: opened PR body: """ ipa-restore was failing when ran with python2 with the error: [Errno 2] No such file or directory: u'/etc/dirsrv/slapd-IPADOMAIN-COM/dse.ldif' The ipa-restore command failed. See /var/log/iparestore.log for more information This test checks if ipa-restore success with python2 related ticket: https://pagure.io/freeipa/issue/7231 Signed-off-by: Mohammad Rizwan Yusuf """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/1467/head:pr1467 git checkout pr1467 From 0df47f864e97c6c5b5fba9ba702baa5727c235ed Mon Sep 17 00:00:00 2001 From: Mohammad Rizwan Yusuf Date: Mon, 15 Jan 2018 14:22:11 +0530 Subject: [PATCH] ipa-restore was failing when ran with python2 with the error: [Errno 2] No such file or directory: u'/etc/dirsrv/slapd-IPADOMAIN-COM/dse.ldif' The ipa-restore command failed. See /var/log/iparestore.log for more information This test checks if ipa-restore success with python2 related ticket: https://pagure.io/freeipa/issue/7231 Signed-off-by: Mohammad Rizwan Yusuf --- .../test_integration/test_backup_and_restore.py| 24 ++ 1 file changed, 24 insertions(+) diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py index fbc882aa06..1232ee2b2a 100644 --- a/ipatests/test_integration/test_backup_and_restore.py +++ b/ipatests/test_integration/test_backup_and_restore.py 
@@ -203,6 +203,30 @@ def test_full_backup_and_restore_with_selinux_booleans_off(self): assert 'httpd_can_network_connect --> on' in result.stdout_text assert 'httpd_manage_ipa --> on' in result.stdout_text +def test_restore_with_python2(self): +"""ipa-restore was failing when ran with python2 with the error +[Errno 2] No such file or directory: +u'/etc/dirsrv/slapd-IPADOMAIN-COM/dse.ldif' +The ipa-restore command failed. +See /var/log/iparestore.log for more information + +This test checks if ipa-restore success with python2 + +related ticket: https://pagure.io/freeipa/issue/7231"""; + +with restore_checker(self.master): +backup_path = backup(self.master) + +self.master.run_command(['ipa-server-install', + '--uninstall', + '-U']) + +dirman_password = self.master.config.dirman_password +arg = ['python2', 'ipa-restore', backup_path] +cmd = self.master.run_command(arg, +stdin_text=dirman_password + '\nyes') +assert cmd.returncode == 0 + class BaseBackupAndRestoreWithDNS(IntegrationTest): """ ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
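Review bot: In `arg = ['python2', 'ipa-restore', backup_path]` the name `ipa-restore` is handed to the interpreter as a script path, which python2 resolves against the current working directory and not against `PATH`, so the command can fail with a file-not-found error that has nothing to do with issue 7231. Pass the absolute path of the installed script instead. The docstring's closing `""";` also carries a stray semicolon that should be dropped.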
[Freeipa-devel] [freeipa PR#1466][closed] [Backport][ipa-4-6] Documenting kinit_lifetime in /etc/ipa/default.conf
URL: https://github.com/freeipa/freeipa/pull/1466
Author: flo-renaud
Title: #1466: [Backport][ipa-4-6] Documenting kinit_lifetime in /etc/ipa/default.conf
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1466/head:pr1466
git checkout pr1466
[Freeipa-devel] [freeipa PR#1465][closed] [Backport][ipa-4-5] Checks if Dir Server is installed and running before IPA installation
URL: https://github.com/freeipa/freeipa/pull/1465
Author: flo-renaud
Title: #1465: [Backport][ipa-4-5] Checks if Dir Server is installed and running before IPA installation
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1465/head:pr1465
git checkout pr1465