URL: https://github.com/freeipa/freeipa/pull/2464
Author: Tiboris
Title: #2464: Support interactive prompt for ntp options
Action: opened
PR body:
"""
FreeIPA will now ask user for NTP source server
or pool address in interactive mode if there is
no server nor pool specified and autodiscovery
has not found any NTP source in DNS records.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2464/head:pr2464
git checkout pr2464
URL: https://github.com/freeipa/freeipa/pull/2635
Author: Tiboris
Title: #2635: [Backport][ipa-4-7] Added automation for NTP options test scenarios
Action: opened
PR body:
"""
This PR is a **manual backport** of https://github.com/freeipa/freeipa/pull/2404; please wait for CI before pushing.
In case of questions or problems contact @varunmylaraiah who is author of the original PR.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2635/head:pr2635
git checkout pr2635
URL: https://github.com/freeipa/freeipa/pull/2638
Author: Tiboris
Title: #2638: Fix test_ntp_options
Action: opened
PR body:
"""
On nightly, tests are failing because of custom client and replica install methods.
Use methods:
- tasks.replica_install()
- tasks.client_install()
instead of custom methods.
Move ntp_pool/server to class scope.
Related to: https://pagure.io/freeipa/issue/7719
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2638/head:pr2638
git checkout pr2638
URL: https://github.com/freeipa/freeipa/pull/2584
Author: tiran
Title: #2584: ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager
Action: opened
PR body:
"""
This PR was originally @abbra's PR https://github.com/freeipa/freeipa/pull/2106. PR-CI was broken for that PR. I also squashed some intermediate commits.
## Original PR message
Password changes performed by cn=Directory Manager are excluded from
password policy checks according to [1]. This is correctly handled by
ipa-pwd-extop in case of a normal Kerberos principal in IPA. However,
non-kerberos accounts were not excluded from the check.
As result, password updates for PKI CA admin account in o=ipaca were
failing if a password policy does not allow a password reuse. We are
re-setting the password for PKI CA admin in ipa-replica-prepare in case
the original directory manager's password was updated since creation of
`cacert.p12`.
Do password policy check for non-Kerberos accounts only if it was set by
a regular user or admin. Changes performed by a cn=Directory Manager and
passsync managers should be excluded from the policy check.
Fixes: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com>
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/h…
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2584/head:pr2584
git checkout pr2584
URL: https://github.com/freeipa/freeipa/pull/2163
Author: tiran
Title: #2163: Make ipaclient.csrgen optional
Action: opened
PR body:
"""
ipaclient's csrgen plugin has been turned into an optional dependency.
The ipaclient plugin, helper modules like ipaclient.csrgen and templates
are shipped conditionally.
The ipaclient cert plugin and ipatests handle missing csrgen gracefully.
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2163/head:pr2163
git checkout pr2163
URL: https://github.com/freeipa/freeipa/pull/1843
Author: frasertweedale
Title: #1843: Allow issuing certificates with IP addresses in subjectAltName (ftweedal)
Action: opened
PR body:
"""
Continuation of https://github.com/freeipa/freeipa/pull/1700 by @ipilcher,
adding commits by @ftweedal.
Please keep both PRs open for the time being.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1843/head:pr1843
git checkout pr1843
URL: https://github.com/freeipa/freeipa/pull/2697
Author: tiran
Title: #2697: LDAPClient: Prefer LDAPI connections in installer and simplify API
Action: opened
PR body:
"""
On several occasions the installer uses LDAP + simple_bind rather than LDAPI with EXTERNAL bind. LDAPI (LDAP over Unix socket) is more secure, a tiny bit faster, and is immune to some network/DNS related issues.
The changeset simplifies the LDAPClient API by introducing additional constructors. The new constructors are not only easier to use but also prevent some common pitfalls like LDAP connection without StartTLS. Several code paths now use ``LDAPClient.from_realm(realm_name)`` with external bind as root instead of LDAP with DM password.
### Add constructors to ldap client
Add LDAPClient.from_realm(), LDAPClient.from_hostname_secure(), and
LDAPClient.from_hostname_plain() constructors.
The simple_bind() method now also refuses to transmit a password over a
plain, unencrypted line.
LDAPClient.from_hostname_secure() uses start_tls and FreeIPA's CA cert
by default. The constructor also automatically disables start_tls for
ldaps and ldapi connections.
### Use new LDAPClient constructors
Replace get_ldap_uri() + LDAPClient() with new LDAPClient constructors
like LDAPClient.from_realm().
Some places now use LDAPI with external bind instead of LDAP with simple
bind. Although the FQDN *should* resolve to 127.0.0.1 / [::1], there is
no hard guarantee. The draft
tools.ietf.org/html/draft-west-let-localhost-be-localhost-04#section-5.1
specifies that applications must verify that the resulting IP is a
loopback IP. LDAPI is always local and a bit more efficient, too.
The simple_bind() method also prevents the caller from sending a
password over an insecure line.
### Use LDAPS when installing CA on replica
On a replica, 389-DS is already configured for secure connections when
the CA is installed.
### Move realm_to_serverid/ldap_uri to ipaldap
The helper function realm_to_serverid() and realm_to_ldap_uri() are
useful outside the server installation framework. They are now in
ipapython.ipaldap along other helpers for LDAP handling in FreeIPA.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2697/head:pr2697
git checkout pr2697
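The two guards PR #2697 describes (prefer the LDAPI socket when the target really is the local 389-DS instance, and refuse to send a simple-bind password over a plain ldap:// line without StartTLS) are shown below as an added, stand-alone example. It is not FreeIPA's ipapython.ipaldap code and it does not call the real LDAPClient constructors; the helper names, the realm-to-serverid mapping (dots replaced by dashes) and the /var/run/slapd-SERVERID.socket path convention are assumptions made for the illustration. Resolved addresses are passed in as a list so the example runs offline instead of querying DNS.

```python
"""Added example: choose LDAPI vs LDAP(S) for a FreeIPA directory connection
and guard simple_bind() against plaintext password transmission.

Not FreeIPA's own code.  Assumptions: 389-DS serverid is the realm with '.'
replaced by '-', and the LDAPI socket lives at /var/run/slapd-<serverid>.socket.
"""
import ipaddress
from urllib.parse import quote, urlparse


def realm_to_serverid(realm):
    # Assumption: "EXAMPLE.COM" -> "EXAMPLE-COM"
    return "-".join(realm.split("."))


def realm_to_ldapi_uri(realm):
    # Assumption: socket path convention; the path is percent-encoded into the URI
    socket_path = "/var/run/slapd-%s.socket" % realm_to_serverid(realm)
    return "ldapi://" + quote(socket_path, safe="")


def all_loopback(addresses):
    """True only if there is at least one address and every one is loopback.

    This is the check the referenced draft asks for: resolving the FQDN to
    127.0.0.1/::1 is expected but not guaranteed, so verify before assuming
    the target is local.
    """
    try:
        return bool(addresses) and all(
            ipaddress.ip_address(a).is_loopback for a in addresses
        )
    except ValueError:  # something that is not an IP literal at all
        return False


def choose_uri(realm, fqdn, resolved_addresses, ldaps_ready=False):
    """Return (uri, start_tls) for the installer's directory connection.

    - local instance (all resolved addresses loopback): LDAPI, no TLS needed
    - remote and the instance already serves TLS: ldaps://
    - otherwise: ldap:// and StartTLS is mandatory
    """
    if all_loopback(resolved_addresses):
        return realm_to_ldapi_uri(realm), False
    if ldaps_ready:
        return "ldaps://%s" % fqdn, False
    return "ldap://%s" % fqdn, True


def simple_bind_allowed(uri, start_tls):
    """Mirror of the simple_bind() refusal: never send a password in the clear.

    ldapi:// is a Unix socket that never leaves the host, ldaps:// is
    encrypted, and ldap:// is acceptable only once StartTLS has been done.
    """
    scheme = urlparse(uri).scheme
    if scheme in ("ldapi", "ldaps"):
        return True
    if scheme == "ldap":
        return start_tls
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not real hosts
    uri, tls = choose_uri("EXAMPLE.COM", "ipa.example.com", ["127.0.0.1", "::1"])
    print(uri, "start_tls=%s" % tls, "bind_ok=%s" % simple_bind_allowed(uri, tls))
    uri, tls = choose_uri("EXAMPLE.COM", "ipa.example.com", ["192.0.2.10"])
    print(uri, "start_tls=%s" % tls, "bind_ok=%s" % simple_bind_allowed(uri, tls))
    print("plain ldap + password allowed:",
          simple_bind_allowed("ldap://ipa.example.com", False))
```

The point of separating `all_loopback` from `choose_uri` is that the loopback verification is the only thing standing between "the FQDN *should* resolve locally" and actually binding as root over EXTERNAL on a socket that is guaranteed local; if the resolver hands back a non-loopback address the code falls back to a network URI and the simple-bind guard then forces TLS.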