FreeIPA-devel December 2018

freeipa-devel@lists.fedorahosted.org

6 participants
126 discussions

[freeipa PR#2634][opened] [temp-test] [WIP] Temporary execution.
by varunmylaraiah 03 Dec '18

03 Dec '18

URL: https://github.com/freeipa/freeipa/pull/2634 Author: varunmylaraiah Title: #2634: [temp-test] [WIP] Temporary execution. Action: opened PR body: """ Temporary execution. -test_sudo.py -test_authselect.py -test_user_permissions.py Signed-off-by: Varun Mylaraiah <mvarun(a)redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2634/head:pr2634 git checkout pr2634

1 1

Announcing FreeIPA v4.7.2
by Alexander Bokovoy 03 Dec '18

03 Dec '18

The FreeIPA team would like to announce FreeIPA 4.7.2 release! It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora 29 and Fedora 28 will be available in the official [https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-7/ COPR repository] and also published to Fedora 28 and Fedora 29 updates. == Highlights in 4.7.2 == Bugfixes to make FreeIPA 4.7 work well on Fedora 29 and RHEL 8.0 beta. === Known Issues === === Bug fixes === FreeIPA 4.7.2 is a stabilization release for the features delivered as a part of 4.7 release series. There are more than 10 bug-fixes details of which can be seen in the list of resolved tickets below. == Upgrading == Upgrade instructions are available on [[Upgrade]] page. == Feedback == Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahos…) or #freeipa channel on Freenode. == Resolved tickets == * 7779 Update PR-CI definitions to use Fedora 29 * 7776 authselect 1.0.2 fails on unknown feature * 7772 pylint 2.2.0 violations * 7769 Installer does not detect that kadmin port 749/UDP is blocked * 7767 make fasttest errors because of missing python3-lib389 * 7758 pylint-2.1.1 errors on Fedora 29 * 7754 Replace archaic term messagebus with dbus * 7753 CID 323644: logically dead code in ipaserver.install.adtrust.py * 7741 Smart card advise script uses hard-coded Python interpreter * 7729 Bad output on failed client installation rollback * 7728 RFE: Validation and better error messages when novajoin fails because of SSL errors * 7723 NTP options fails on ipa replica * 7671 Remove --no-sssd and --noac options * 7658 [RFE] sysadm_r should be included in default SELinux user map order * 7651 ipa-replica-install --setup-kra broken on DL1 * 7408 ipa-replica-install command should display proper message on the console. * 5378 Incorrect error message at wrong password from private key file == Detailed changelog since 4.7.1 == === Alexander Bokovoy (6) === * Become IPA 4.7.2 * ipa-kdb: reduce LDAP operations timeout to 30 seconds * ipa-4-7: merge translations from zanata * ipaserver.install.adtrust: fix CID 323644 * net groupmap: force using empty config when mapping Guests * adtrust: define Guests mapping after creating cifs/ principal === Adam Williamson (1) === * Fix authselect invocations to work with 1.0.2 === Christian Heimes (35) === * Update temp commit template to F29 * Increase debugging for blocked port 749 and 464 * Address misc pylint issues in CLI scripts * pylint: also verify scripts * pylint: Fix duplicate-string-formatting-argument * pylint 2.2: Fix unnecessary pass statement * PR-CI: Restart rpcbind when it blocks kadmin port * Fix pytest deprecation warning * certdb: validate server cert signature * Require pylint 2.1.1-2 * Silence comparison-with-itself in tests * Fix raising-format-tuple * Fix various dict related pylint warnings * Fix Module 'pytest' has no 'config' member * Fix useless-import-alias * Fix comparison-with-callable * Address consider-using-in * Ignore consider-using-enumerate for now * Address inconsistent-return-statements * Address pylint violations in lite-server * Ignore W504 code style like in travis config * Fix test_cli_fsencoding on Python 3.7, take 2 * Replace messagebus with modern name dbus * Copy-paste error in permssions plugin, CID 323649 * Allow ipaapi user to access SSSD's info pipe * Fix test_cli_fsencoding on Python 3.7 * ipapwd_pre_mod: NULL ptr deref * ipadb_mspac_get_trusted_domains: NULL ptr deref * has_krbprincipalkey: avoid double free * Require Dogtag 10.6.7-3 * Use tasks.install_master() in external_ca tests * Keep Dogtag's client db in external CA step 1 * Replace hard-coded interpreter with sys.executable * Don't abuse strncpy() length limitation * Fix ipadb_multires resource handling === François Cami (3) === * Add a "Find enabled services" ACI in 20-aci.update so that all users can find IPA servers and services. ACI suggested by Christian Heimes. * Add a shared-vault-retrieve test * Add sysadm_r to default SELinux user map order === Florence Blanc-Renaud (19) === * ipatests: add upgrade test for double-encoded cacert * ipa upgrade: handle double-encoded certificates * ipatests: add xmlrpc test for user|host-find --certificate * ipaldap.py: fix method creating a ldap filter for IPACertificate * ipatests: fix test_replica_uninstall_deletes_ruvs * ipatests: add test for ipa-replica-install options * ipa-replica-install: password and admin-password options mutually exclusive * freeipa.spec.in: add BuildRequires for python3-lib389 * ipatests: add integration test for "Read radius servers" perm * radiusproxy: add permission for reading radius proxy servers * tests: add xmlrpc test for ipa user-add --radius-username * ipa user-add: add optional objectclass for radius-username * ipatest: add functional test for ipa-backup * ipa-backup: restart services before compressing the backup * ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad * ipatests: fix path in expected error message * Bump requires 389-ds-base * ipa tests: CA less * certdb: provide meaningful err msg for wrong PIN === Francisco Trivino (2) === * PR-CI: Move to Fedora 29 template, version 0.2.0 * prci_definitions: update vagrant memory topology requirements === Fraser Tweedale (6) === * certdb: validate certificate signatures * Print correct subject on CA cert verification failure * certdb: ensure non-empty Subject Key Identifier * ipaldap: avoid invalid modlist when attribute encoding differs * rpc: always read response * Restore KRA clone installation integration test === Varun Mylaraiah (1) === * Added test for ipa-client-install with a non-standard ldap.conf file Ticket: https://pagure.io/freeipa/issue/7418 === Petr Vobornik (1) === * ipa-advise: update url of cacerdir_rehash tool === Rob Crittenden (10) === * Add support for multiple certificates/formats to ipa-cacert-manage * Add tests for ipa-cacert-manage install * Enable replica install info logging to match ipa-server-install * Demote log message in custodia _wait_keys to debug * Pass a list of values into add_master_dns_records * Collect the client and server uninstall logs in tests * Fix misleading errors during client install rollback * Remove the authselect profile warning if sssd was not configured. * Handle NTP configuration in a replica server installation * Enable LDAP debug output in client to display TLS errors in join === Stanislav Levin (1) === * Move ipa's systemd tmpfiles from /var/run to /run === Sergey Orlov (2) === * ipatests: add test for ipa-restore in multi-master configuration * ipatests: add test for ipa-advise for enabling sudo for admins group === sudharsanomprakash (1) === * Don't use deprecated Apache Access options. === Thomas Woerner (5) === * Fix ressource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon * Fix ressource leak in client/config.c get_config_entry * Update annobin to fix continuous-integration/travis-ci/pr issues * Find orphan automember rules * ipaclient: Remove --no-sssd and --no-ac options -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland

1 0

[freeipa PR#2542][opened] Enable firewall in the tests
by t-woerner 03 Dec '18

03 Dec '18

URL: https://github.com/freeipa/freeipa/pull/2542 Author: t-woerner Title: #2542: Enable firewall in the tests Action: opened PR body: """ Currently the firewall is not enabled in the tests. The goal is to enable the file firewall using firewalld in the tests. All uses of iptables and ip6tables commands in the tests need to be replaced. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2542/head:pr2542 git checkout pr2542

1 1

[freeipa PR#2623][opened] [Backport][ipa-4-7] Update temp commit template to F29
by tiran 03 Dec '18

03 Dec '18

URL: https://github.com/freeipa/freeipa/pull/2623 Author: tiran Title: #2623: [Backport][ipa-4-7] Update temp commit template to F29 Action: opened PR body: """ Manual backport of PR #2619 The temp_commit.yaml template now uses F29 as well. It also contains all topology configurations from the nightly jobs. Fixes: https://pagure.io/freeipa/issue/7779 Signed-off-by: Christian Heimes <cheimes(a)redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2623/head:pr2623 git checkout pr2623

2 1

[freeipa PR#2622][opened] certupdate: add commentary about certmonger behaviour
by frasertweedale 03 Dec '18

03 Dec '18

URL: https://github.com/freeipa/freeipa/pull/2622 Author: frasertweedale Title: #2622: certupdate: add commentary about certmonger behaviour Action: opened PR body: """ It is not obvious why we "renew" (reuse only) the IPA CA certificate in ipa-certupdate. Add some commentary to explain this behaviour. Related: https://pagure.io/freeipa/issue/7751 See also: https://github.com/freeipa/freeipa/pull/2576#issuecomment-442220840 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/2622/head:pr2622 git checkout pr2622

2 1

[DESIGN] IPA healthcheck design
by Rob Crittenden 03 Dec '18

03 Dec '18

I started a design of an IPA healthcheck framework at https://www.freeipa.org/page/V4/Healthcheck Have at it. Note that this concentrates more on how it will work big picture and less on individual checks that may be performed. I'm happy to add any ideas you come up with for specific tests. rob

4 10

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-devel December 2018