Re: [Freeipa-users] Test Case for RHEL/Centos
On 01/14/2016 04:36 PM, Adam Kaczka wrote: > Hi, > > I see that there are very detailed test cases written for fedora > https://fedoraproject.org/wiki/Category:FreeIPA_Test_Cases (at least for v3) > > Is there an equivalent and preferably updated version written for RHEL? > Although the Red Hat Enterprise Linux 7 Linux Domain Identity, > Authentication, and Policy Guide is very detailed it doesn't devoted much > to testing (at least nowhere near the details that is available on the > Fedora wiki). I think the best we have on top of the documentation guide are the following KB articles that are pointing to other documentation sources, including testing instructions in design pages: * RHEL-7.0: https://access.redhat.com/solutions/630443 * RHEL-7.1: https://access.redhat.com/solutions/1281783 * RHEL-7.2: https://access.redhat.com/solutions/1986213 Does that help? Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] Test Case for RHEL/Centos
Hi, I see that there are very detailed test cases written for fedora https://fedoraproject.org/wiki/Category:FreeIPA_Test_Cases (at least for v3) Is there an equivalent and preferably updated version written for RHEL? Although the Red Hat Enterprise Linux 7 Linux Domain Identity, Authentication, and Policy Guide is very detailed it doesn't devoted much to testing (at least nowhere near the details that is available on the Fedora wiki). -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] [[Test-Announce] Fedora 22 Final status is Go, release on May 26, 2015]
Hi Alexander Great news, does this also mean that user created in freeipa are self created/synchronized in the windows ad ? Regtards 2015-05-22 15:00 GMT-04:00 Alexander Bokovoy aboko...@redhat.com: Hi, As per attached message, Fedora 22 final release will come to life next week. If you are planning to use FreeIPA in Fedora 22 or upgrade your FreeIPA deployment to Fedora 22, make sure updates-testing repository is enabled. Several last moment bug fixes related to FreeIPA were not rolled into the final Fedora 22 image and they are waiting in updats-testing for the gates to be open after release. One particular area is support for cross-forest trusts with Active Directory --- Samba in Fedora 22 got upgraded to 4.2.1 version which caused some changes in underlying libraries FreeIPA uses for supporting the cross-forest trust. The fixes are awaiting you after install in the updats-testing. Happy Fedora 22 use! -- / Alexander Bokovoy -- Mensaje reenviado -- From: Jaroslav Reznik jrez...@redhat.com To: devel-annou...@lists.fedoraproject.org, test-announce test-annou...@lists.fedoraproject.org, Fedora Logistics List logist...@lists.fedoraproject.org Cc: Date: Fri, 22 May 2015 14:46:39 -0400 (EDT) Subject: [Test-Announce] Fedora 22 Final status is Go, release on May 26, 2015 At the Fedora 22 Final Go/No-Go Meeting #2 that just occurred, it was agreed to Go with the Fedora 22 Final by Fedora QA, Release Engineering and Development. Fedora 22 Final will be publicly available on Tuesday, May 26, 2015. Meeting details can be seen here: Minutes: http://bit.ly/1Bh2pH1 Log: http://bit.ly/1HzMI5g Thank you everyone for a great job, sleepless nights validating TCs, RCs, fixing bugs, composing stuf and everything else needed for smooth releases. Amazing last three years wrangling releases for me! Jaroslav ___ test-announce mailing list test-annou...@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/test-announce -- devel mailing list de...@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] [[Test-Announce] Fedora 22 Final status is Go, release on May 26, 2015]
Carlos Raúl Laguna wrote: Just for clarification, If i create a user in Windows 2008R2 it propagates to Freeipa 4.1 because freeIPA trust the AD domain, in this scenario where AD equally trust the freeIPA domain (Fedora 22), a user created in freeIPA should not propagate as well to AD ? Regards Users are not copied, you can reference an AD user from IPA. So you can log into an IPA-managed machine using your AD credentials. This does not add the AD user to IPA. Right now you can't reference IPA users in AD resources, in any version of IPA. So no logging into Windows using your IPA credentials (yet). rob 2015-05-22 16:39 GMT-04:00 Alexander Bokovoy aboko...@redhat.com mailto:aboko...@redhat.com: On Fri, 22 May 2015, Carlos Raúl Laguna wrote: Hi Alexander Great news, does this also mean that user created in freeipa are self created/synchronized in the windows ad ? Regtards With cross-forest trust we don't synchronize anything to AD. Think about it as if FreeIPA was a separate AD forest, two AD forests don't synchronize anything to each other, they _refer_ to each other's domain controllers for operations that require authentication or other changes. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] [[Test-Announce] Fedora 22 Final status is Go, release on May 26, 2015]
Just for clarification, If i create a user in Windows 2008R2 it propagates to Freeipa 4.1 because freeIPA trust the AD domain, in this scenario where AD equally trust the freeIPA domain (Fedora 22), a user created in freeIPA should not propagate as well to AD ? Regards 2015-05-22 16:39 GMT-04:00 Alexander Bokovoy aboko...@redhat.com: On Fri, 22 May 2015, Carlos Raúl Laguna wrote: Hi Alexander Great news, does this also mean that user created in freeipa are self created/synchronized in the windows ad ? Regtards With cross-forest trust we don't synchronize anything to AD. Think about it as if FreeIPA was a separate AD forest, two AD forests don't synchronize anything to each other, they _refer_ to each other's domain controllers for operations that require authentication or other changes. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] [[Test-Announce] Fedora 22 Final status is Go, release on May 26, 2015]
On Fri, 22 May 2015, Carlos Raúl Laguna wrote: Hi Alexander Great news, does this also mean that user created in freeipa are self created/synchronized in the windows ad ? Regtards With cross-forest trust we don't synchronize anything to AD. Think about it as if FreeIPA was a separate AD forest, two AD forests don't synchronize anything to each other, they _refer_ to each other's domain controllers for operations that require authentication or other changes. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
[Freeipa-users] [[Test-Announce] Fedora 22 Final status is Go, release on May 26, 2015]
Hi, As per attached message, Fedora 22 final release will come to life next week. If you are planning to use FreeIPA in Fedora 22 or upgrade your FreeIPA deployment to Fedora 22, make sure updates-testing repository is enabled. Several last moment bug fixes related to FreeIPA were not rolled into the final Fedora 22 image and they are waiting in updats-testing for the gates to be open after release. One particular area is support for cross-forest trusts with Active Directory --- Samba in Fedora 22 got upgraded to 4.2.1 version which caused some changes in underlying libraries FreeIPA uses for supporting the cross-forest trust. The fixes are awaiting you after install in the updats-testing. Happy Fedora 22 use! -- / Alexander Bokovoy ---BeginMessage--- At the Fedora 22 Final Go/No-Go Meeting #2 that just occurred, it was agreed to Go with the Fedora 22 Final by Fedora QA, Release Engineering and Development. Fedora 22 Final will be publicly available on Tuesday, May 26, 2015. Meeting details can be seen here: Minutes: http://bit.ly/1Bh2pH1 Log: http://bit.ly/1HzMI5g Thank you everyone for a great job, sleepless nights validating TCs, RCs, fixing bugs, composing stuf and everything else needed for smooth releases. Amazing last three years wrangling releases for me! Jaroslav ___ test-announce mailing list test-annou...@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/test-announce -- devel mailing list de...@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct---End Message--- -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Test connectivity before joining domain
On 10/27/2014 06:13 AM, Innes, Duncan wrote: Hi, Have been using `ping` to test connectivity from our clients to the various IPA servers around the WAN before running an ldapsearch to pull some details about the client from the LDAP database. Several new VLAN's have now come online that do not permit ping traffic to be transmitted outside the VLAN, so clients on these LAN's think they can't see any of my IPA servers and then fail the domain join during the kickstart phase. Wondering if there's a consensus on how to check connectivity to IPA servers on the network? Something that I can use during the kickstart post-install phase. Current effort is: wget --timeout=1 --tries=1 --no-check-certificate https://ipaserver1.example.com and then test $? for result. But this only tests ports 80/443 - which authentication clients wont necessarily have access on. Can I reliably test the other FreeIPA ports? 389, 636, 389: ldapsearch -xLLL -h ipaserver1.example.com -p 389 -s base -b 636: LDAPTLS_REQCERT=never ldapsearch -xLLL -H ldaps://ipaserver1.example.com -s base -b 88, 464? These are the ports that clients have to be allowed access to the IPA servers. Cheers Duncan This message has been checked for viruses and spam by the Virgin Money email scanning system powered by Messagelabs. This e-mail is intended to be confidential to the recipient. If you receive a copy in error, please inform the sender and then delete this message. Virgin Money plc - Registered in England and Wales (Company no. 6952311). Registered office - Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL. Virgin Money plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. The following companies also trade as Virgin Money. They are both authorised and regulated by the Financial Conduct Authority, are registered in England and Wales and have their registered office at Jubilee House, Gosforth, Newcastle upon Tyne NE3 4PL: Virgin Money Personal Financial Service Limited (Company no. 3072766) and Virgin Money Unit Trust Managers Limited (Company no. 3000482). For further details of Virgin Money group companies please visit our website at virginmoney.com -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] Test connectivity before joining domain
On Mon, 27 Oct 2014 12:13:46 - Innes, Duncan duncan.in...@virginmoney.com wrote: Hi, Have been using `ping` to test connectivity from our clients to the various IPA servers around the WAN before running an ldapsearch to pull some details about the client from the LDAP database. Several new VLAN's have now come online that do not permit ping traffic to be transmitted outside the VLAN, so clients on these LAN's think they can't see any of my IPA servers and then fail the domain join during the kickstart phase. Wondering if there's a consensus on how to check connectivity to IPA servers on the network? Something that I can use during the kickstart post-install phase. Current effort is: wget --timeout=1 --tries=1 --no-check-certificate https://ipaserver1.example.com and then test $? for result. But this only tests ports 80/443 - which authentication clients wont necessarily have access on. Can I reliably test the other FreeIPA ports? 389, 636, 88, 464? These are the ports that clients have to be allowed access to the IPA servers. Duncan, if you know python you can look into the ipa-replica-install tool, as it does a full check of accessibility. You do not need all those tests (as you do not need connection back from the server for example). But you can take inspiration there to see how we test each service. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
[Freeipa-users] Test Day today
We're participating in the Fedora Test Days, and today is our day! The list of tests can be found at: https://fedoraproject.org/wiki/Test_Day:2012-10-15_FreeIPA The latest Fedora 18 beta test compose is available via https://fedoraproject.org/wiki/Test_Results:Current_Installation_Test Please test with the current freeipa, pki-ca and 389-ds-base packages in Fedora 18. The versions are freeipa-server-3.0.0-2, pki-ca-10.0.0-0.44.b1 and 389-ds-base-1.3.0-0.1.a1. thanks rob ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Test scenario
On Mon, 2011-09-05 at 21:15 +, Steven Jones wrote: No im looking at this in a fairly agnostic way.what I am looking for are real world scenarios that I can test potential LDAP type solutions against to determine the best for our needsbut you are right the sssd link in is a killer.. BUT I have to prove to my management which solution is the bestI have an uphill struggle as they want to use AD but they also want all the bells and whistles, except they dont know what that means.so I need to construct test cases where I can say here are (say) 5 cases, I want to get them to sign off on as what they want. So I need to use logic against their gut feel.or I'll end up managing a pile of crap In v3 we are planning on having external groups where you can put users from trusted domains. So you can reference these groups locally and are free to determine memberships. That will allow to use HBAC. That said you can only controil HBAC stuff on freeipa-enabled servers. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Test scenario
On Mon, September 5, 2011 00:08, Steven Jones wrote: Hi, From evaluation purposes I am looking to write test cases to evaluate authentication products so here is one I am thinking of. From what I can see of IPA it would be fairly easy to implement centrally? Lets say I have four users Linux users who are in AD...all on the same server/workstation. How would (or is it possible) to set them up so user A can ssh to certain remote servers (group A), but user B cannot get to the group A servers. At the same time user B can get to Group B servers but A cannot.In addition to that User C is an admin and he can get to both groups A and B.User D in the meantime cannot get to A or B groups.but can ssh out to the Internet..as can A, B and C. Does anyone have any others that are real world situations that I can use as test cases? I presume you're referring to your AD users after they've been sync'ed to a IPA instance...? Use Host Based Group Access if the servers are running SSSD, or use old fashioned netgroups if your servers does not run SSSD. http://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/configuring-host-access.html Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] Test scenario
Hi, From evaluation purposes I am looking to write test cases to evaluate authentication products so here is one I am thinking of. From what I can see of IPA it would be fairly easy to implement centrally? Lets say I have four users Linux users who are in AD...all on the same server/workstation. How would (or is it possible) to set them up so user A can ssh to certain remote servers (group A), but user B cannot get to the group A servers. At the same time user B can get to Group B servers but A cannot.In addition to that User C is an admin and he can get to both groups A and B.User D in the meantime cannot get to A or B groups.but can ssh out to the Internet..as can A, B and C. Does anyone have any others that are real world situations that I can use as test cases? regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] test use cases
NB in the test use case at, https://fedoraproject.org/wiki/QA:Testcase_freeipav2_installation#With_DNS With DNS #ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org --realm=FREEIPA.ORG --setup-dns -U --selfsign It is coming back with wanting forwarders set So that might need updating... eg #ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org --realm=FREEIPA.ORG --setup-dns --no-forwarders -U --selfsign Also the above is spitting out the install script because the FQDN isnt set, to be correct, where should it be set? /etc/hosts? regards ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] test use cases
On 05/09/2011 04:51 PM, Steven Jones wrote: NB in the test use case at, https://fedoraproject.org/wiki/QA:Testcase_freeipav2_installation#With_DNS With DNS #ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org --realm=FREEIPA.ORG --setup-dns -U --selfsign It is coming back with wanting forwarders set So that might need updating... eg #ipa-server-install -a secret123 -p 123Secret --domain=freeipa.org --realm=FREEIPA.ORG --setup-dns --no-forwarders -U --selfsign Also the above is spitting out the install script because the FQDN isnt set, to be correct, where should it be set? /etc/hosts? Yes. If the machine does now have DNS provided identity its name should be added to the /etc/hosts first. See first paragraph. https://fedorahosted.org/freeipa/wiki/QuickStartGuide regards ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
[Freeipa-users] test
test ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users