[Freeipa-devel] [freeipa PR#1470][opened] RFE: ipa client should setup openldap for GSSAPI

2018-01-15 Thread amitkumar50 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1470
Author: amitkumar50
 Title: #1470: RFE: ipa client should setup openldap for GSSAPI
Action: opened

PR body:
"""
The IPA client installer currently edits /etc/openldap/ldap.conf, setting up
the client to consume LDAP data from IPA.  It currently sets:
>URI
>BASE
>TLS_CACERT

This PR makes ipa-client add these two AV pairs:
>SASL_MECH GSSAPI
>TLS_REQCERT demand

Resolves: https://pagure.io/freeipa/issue/7366
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1470/head:pr1470
git checkout pr1470
From 0e0799e343abcb81c6b4c86891f6dd68c5325603 Mon Sep 17 00:00:00 2001
From: amitkuma 
Date: Tue, 16 Jan 2018 17:34:08 +0530
Subject: [PATCH] RFE: ipa client should setup openldap for GSSAPI

The IPA client installer currently edits /etc/openldap/ldap.conf, setting up
the client to consume LDAP data from IPA.  It currently sets:
URI
BASE
TLS_CACERT

This PR makes ipa-client add these two AV pairs:
SASL_MECH GSSAPI
TLS_REQCERT demand

Resolves: https://pagure.io/freeipa/issue/7366
---
 ipaclient/install/client.py | 20 ++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 5173d90bfe..f655ee9ac9 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -522,8 +522,12 @@ def configure_openldap_conf(fstore, cli_basedn, cli_server):
 {
 'name': 'comment',
 'type': 'comment',
-'value': '   URI, BASE and TLS_CACERT have been added if they '
- 'were not set.'
+'value': '   URI, BASE, TLS_CACERT, SASL_MECH and TLS_REQCERT'
+},
+{
+'name': 'comment',
+'type': 'comment',
+'value': '   have been added if they were not set.'
 },
 {
 'name': 'comment',
@@ -573,6 +577,18 @@ def configure_openldap_conf(fstore, cli_basedn, cli_server):
 'type': 'option',
 'value': paths.IPA_CA_CRT
 },
+{
+'action': 'addifnotset',
+'name': 'SASL_MECH',
+'type': 'option',
+'value': 'GSSAPI'
+},
+{
+'action': 'addifnotset',
+'name': 'TLS_REQCERT',
+'type': 'option',
+'value': 'demand'
+},
 ]
 
 target_fname = paths.OPENLDAP_LDAP_CONF
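Review bot: The two entries added after TLS_CACERT use 'action': 'addifnotset', so an ldap.conf that already carries a weaker TLS_REQCERT value (or a different SASL_MECH) keeps it, and the installer gives no indication that the hardening was skipped. If the intent is that an enrolled client always verifies the server certificate, set TLS_REQCERT unconditionally or log a warning when an existing value other than 'demand' is found. The commit message should also state that SASL_MECH GSSAPI becomes the default for every tool that reads this file, not only IPA commands, and the patch adds no test covering the new options.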
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#1469][opened] ipa-advise for smartcards updated

2018-01-15 Thread amitkumar50 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1469
Author: amitkumar50
 Title: #1469: ipa-advise for smartcards updated
Action: opened

PR body:
"""
Present ipa-advise for smart cards:
`# ipa-advise config-client-for-smart-card-auth`
`..`
`authconfig --enablesmartcard --smartcardmodule=sssd --updateall`
`#`

ipa-advise for smart cards to be updated to:
`authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd --smartcardaction=0 --updateall`

Resolves: https://pagure.io/freeipa/issue/7358
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1469/head:pr1469
git checkout pr1469
From fc8a1af068a29ce0147635886fc77ab309fc1977 Mon Sep 17 00:00:00 2001
From: amitkuma 
Date: Tue, 16 Jan 2018 15:56:25 +0530
Subject: [PATCH] ipa-advise for smartcards updated

# ipa-advise config-client-for-smart-card-auth
..
authconfig --enablesmartcard --smartcardmodule=sssd --updateall
#

Advise is updated to:
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd
--smartcardaction=0 --updateall

Resolves: https://pagure.io/freeipa/issue/7333
---
 ipaserver/advise/plugins/smart_card_auth.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index fb328f29ca..896123b458 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -315,7 +315,8 @@ def add_pkcs11_module_to_systemwide_db(self):
 
 def run_authconfig_to_configure_smart_card_auth(self):
 self.log.exit_on_failed_command(
-'authconfig --enablesmartcard --smartcardmodule=sssd --updateall',
+ 'authconfig --enablesssd --enablesssdauth --enablesmartcard'
+ '--smartcardmodule=sssd --smartcardaction=0 --updateall',
 [
 'Failed to configure Smart Card authentication in SSSD'
 ]
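Review bot: The two adjacent string literals in the new authconfig command are joined without a separating space, so the command that gets emitted contains '--enablesmartcard--smartcardmodule=sssd' and the two options run together. End the first literal with a space ('... --enablesmartcard ') or start the second with one. The commit message also cites issue 7333 while the PR body cites 7358; one of the two references needs correcting.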


[Freeipa-devel] [freeipa PR#1464][closed] [Backport][ipa-4-5] WebUI: fix for negative number in pagination size settings

2018-01-15 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1464
Author: flo-renaud
 Title: #1464: [Backport][ipa-4-5] WebUI: fix for negative number in pagination size settings
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1464/head:pr1464
git checkout pr1464


[Freeipa-devel] [freeipa PR#1468][opened] test_gssproxy: test duplicated sections

2018-01-15 Thread Rezney via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1468
Author: Rezney
 Title: #1468: test_gssproxy: test duplicated sections
Action: opened

PR body:
"""
Related to the issue where ipa-server-install failed because gssproxy
was not able to start due to a duplicated section

https://pagure.io/freeipa/issue/7363
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1468/head:pr1468
git checkout pr1468
From 3887a8337354c92c704f9e6243e7bbb2caee7d86 Mon Sep 17 00:00:00 2001
From: Michal Reznik 
Date: Fri, 12 Jan 2018 10:40:46 +0100
Subject: [PATCH] test_gssproxy: test duplicated sections

Related to the issue where ipa-server-install failed because gssproxy
was not able to start due to a duplicated section

https://pagure.io/freeipa/issue/7363
---
 ipatests/test_ipaserver/test_gssproxy.py | 61 
 1 file changed, 61 insertions(+)
 create mode 100644 ipatests/test_ipaserver/test_gssproxy.py

diff --git a/ipatests/test_ipaserver/test_gssproxy.py b/ipatests/test_ipaserver/test_gssproxy.py
new file mode 100644
index 00..613975f428
--- /dev/null
+++ b/ipatests/test_ipaserver/test_gssproxy.py
@@ -0,0 +1,61 @@
+import os
+import time
+import pytest
+import shutil
+import contextlib
+
+from ipapython.ipautil import run
+
+GSSPROXY_MAIN_CONF = '/etc/gssproxy/gssproxy.conf'
+GSSPROXY_MAIN_CONF_BKP = GSSPROXY_MAIN_CONF + '.bkp'
+
+GSSPROXY_NFS_CLIENT_TEST_SECTION = '''
+[service/nfs-client]
+  mechs = krb5
+  cred_store = keytab:/etc/krb5.keytab
+  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
+  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
+  cred_usage = initiate
+  allow_any_uid = no
+  trusted = yes
+  euid = 0
+'''
+
+DUPLICATE_WARNING = 'Duplicate section detected in snippet:'
+
+# to check journal logs only "since" we started our testcase
+test_start = time.strftime('%H:%M:%S')
+
+
+@contextlib.contextmanager
+def restore_gss_proxy_conf():
+shutil.copy(GSSPROXY_MAIN_CONF, GSSPROXY_MAIN_CONF_BKP)
+try:
+yield
+finally:
+# restore original gssproxy conf
+os.rename(GSSPROXY_MAIN_CONF_BKP, GSSPROXY_MAIN_CONF)
+
+# make sure gssproxy is running fine for the other tests
+run(['systemctl', 'restart', 'gssproxy'])
+
+
+@pytest.mark.skipif(
+os.getuid() != 0, reason=('we can restart gssproxy and change its config '
+  'only as root'))
+def test_duplicate_sections():
+""" Related to the issue where ipa-server-install failed because gssproxy
+was not able to start due to a duplicated section"""
+
+with restore_gss_proxy_conf():
+with open(GSSPROXY_MAIN_CONF, 'a') as fd:
+fd.write(GSSPROXY_NFS_CLIENT_TEST_SECTION)
+
+# test if gssproxy is not failing due to a duplicated section
+result = run(['systemctl', 'restart', 'gssproxy'], raiseonerr=False)
+assert result.returncode == 0
+
+# check if there is the expected warning in the journal
+result = run(['journalctl', '-u', 'gssproxy', '--since', test_start],
+ raiseonerr=False)
+assert DUPLICATE_WARNING in result.output_log
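Review bot: test_start is computed at module import with time.strftime('%H:%M:%S'), not when test_duplicate_sections begins, and it carries no date, so the journalctl '--since' filter can pick up gssproxy entries logged before the test ran or, on a run that crosses midnight, be read against the wrong day. Take the timestamp inside the test just before the section is appended and include the date ('%Y-%m-%d %H:%M:%S'). The test also assumes the installed gssproxy.conf already contains a [service/nfs-client] section; if it does not, the appended block is not a duplicate and the DUPLICATE_WARNING assertion fails for the wrong reason, so check for the section first or write it twice.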


[Freeipa-devel] GitHub assignee labels

2018-01-15 Thread Tibor Dudlák via FreeIPA-devel
Hi people!

I could not miss that we stopped using GitHub's assignee label and I have
got used to it.
Is there a possibility to bring this habit back on track? I find it very
useful when I am trying to find a PR which I want to look into.

Thanks!

-- 
Tibor Dudlák
Identity management - freeIPA
Brno, TPB-C, 2C407
Red Hat


[Freeipa-devel] [freeipa PR#1467][opened] test for broken ipa-restore with python2

2018-01-15 Thread mrizwan93 via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1467
Author: mrizwan93
 Title: #1467: test for broken ipa-restore with python2
Action: opened

PR body:
"""
ipa-restore was failing when run with python2 with the error:
[Errno 2] No such file or directory: u'/etc/dirsrv/slapd-IPADOMAIN-COM/dse.ldif'
The ipa-restore command failed. See /var/log/iparestore.log for more information

This test checks if ipa-restore succeeds with python2

related ticket: https://pagure.io/freeipa/issue/7231

Signed-off-by: Mohammad Rizwan Yusuf 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1467/head:pr1467
git checkout pr1467
From 0df47f864e97c6c5b5fba9ba702baa5727c235ed Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan Yusuf 
Date: Mon, 15 Jan 2018 14:22:11 +0530
Subject: [PATCH] ipa-restore was failing when ran with python2 with the error:
 [Errno 2] No such file or directory:
 u'/etc/dirsrv/slapd-IPADOMAIN-COM/dse.ldif' The ipa-restore command failed.
 See /var/log/iparestore.log for more information

This test checks if ipa-restore succeeds with python2

related ticket: https://pagure.io/freeipa/issue/7231

Signed-off-by: Mohammad Rizwan Yusuf 
---
 .../test_integration/test_backup_and_restore.py| 24 ++
 1 file changed, 24 insertions(+)

diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
index fbc882aa06..1232ee2b2a 100644
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@@ -203,6 +203,30 @@ def test_full_backup_and_restore_with_selinux_booleans_off(self):
 assert 'httpd_can_network_connect --> on' in result.stdout_text
 assert 'httpd_manage_ipa --> on' in result.stdout_text
 
+def test_restore_with_python2(self):
+"""ipa-restore was failing when ran with python2 with the error
+[Errno 2] No such file or directory:
+u'/etc/dirsrv/slapd-IPADOMAIN-COM/dse.ldif'
+The ipa-restore command failed.
+See /var/log/iparestore.log for more information
+
+This test checks if ipa-restore success with python2
+
+related ticket: https://pagure.io/freeipa/issue/7231""";
+
+with restore_checker(self.master):
+backup_path = backup(self.master)
+
+self.master.run_command(['ipa-server-install',
+ '--uninstall',
+ '-U'])
+
+dirman_password = self.master.config.dirman_password
+arg = ['python2', 'ipa-restore', backup_path]
+cmd = self.master.run_command(arg,
+stdin_text=dirman_password + '\nyes')
+assert cmd.returncode == 0
+
 
 class BaseBackupAndRestoreWithDNS(IntegrationTest):
 """
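Review bot: In test_restore_with_python2, arg = ['python2', 'ipa-restore', backup_path] hands the interpreter a bare script name, which python2 resolves against the current working directory rather than PATH, so the command is likely to fail with a missing-file error that has nothing to do with the bug under test. Pass the full path of the installed ipa-restore script instead. The docstring's closing line also ends with a stray semicolon ('""";') that should be dropped, and the test should be skipped when no python2 interpreter is present on the master.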


[Freeipa-devel] [freeipa PR#1466][closed] [Backport][ipa-4-6] Documenting kinit_lifetime in /etc/ipa/default.conf

2018-01-15 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1466
Author: flo-renaud
 Title: #1466: [Backport][ipa-4-6] Documenting kinit_lifetime in /etc/ipa/default.conf
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1466/head:pr1466
git checkout pr1466


[Freeipa-devel] [freeipa PR#1465][closed] [Backport][ipa-4-5] Checks if Dir Server is installed and running before IPA installation

2018-01-15 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1465
Author: flo-renaud
 Title: #1465: [Backport][ipa-4-5] Checks if Dir Server is installed and running before IPA installation
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1465/head:pr1465
git checkout pr1465