URL: https://github.com/freeipa/freeipa/pull/3216
Author: frasertweedale
Title: #3216: fix LWCA key retrieval on f30
Action: opened
PR body:
"""
This PR includes fixes for LWCA key retrieval on f30 and fixes for handling of
missing LWCA keys in the ca_find and ca_show commands.
It is based upon https://github.com/freeipa/freeipa/pull/3210 which updates
PR-CI to f30. (This PR revealed the issue on f30; the tests are not passing
hence it has been merged yet.)
```
f029a6e3b (Fraser Tweedale, 7 hours ago)
ipa-pki-retrieve-key: set KRB5CCNAME
On Fedora 30, for some reason LDAP GSS-API bind now fails in the
ipa-pki-retrieve-key program. The Dogtag keytab credential acquisition
does succeed, but those credentials are not used for the LDAP bind.
Update CustodiaClient to support setting KRB5CCNAME when it creates
credentials. This behaviour is optional and disabled by default (no
behavioural change for other use cases). But enable this behaviour in
ipa-pki-retrieve-key so the Dogtag credentials are used for the LDAP bind.
Fixes: https://pagure.io/freeipa/issue/7964
fff5119cd (Fraser Tweedale, 85 minutes ago)
Handle missing LWCA certificate or chain
If lightweight CA key replication has not completed, requests for the
certificate or chain will return 404**. This can occur in normal
operation, and should be a temporary condition. Detect this case and
handle it by simply omitting the 'certificate' and/or
'certificate_out' fields in the response, and add a warning message to the
response.
Also update the client-side plugin that handles the
--certificate-out option. Because the CLI will automatically print the
warning message, if the expected field is missing from the response, just
ignore it and continue processing.
** after the Dogtag NullPointerException gets fixed!
Part of: https://pagure.io/freeipa/issue/7964
b59c49351 (Armando Neto, 2 days ago)
Add Fedora 30 test definitions and bump template version
Signed-off-by: Armando Neto <abiagion(a)redhat.com>
```
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3216/head:pr3216
git checkout pr3216
URL: https://github.com/freeipa/freeipa/pull/3158
Author: rcritten
Title: #3158: admintool: don't display log file on errors unless logging is setup
Action: opened
PR body:
"""
The admintool will display the message when something goes wrong:
"See %s for more information" % self.log_file_name
This is handy except when finally logging setup is not done
yet so the log file doesn't actually get written to.
This can happen if validation catches and raises an exception.
The workaround is to save off and remove the log_file_name value
before calling validation, then restore it if successful. This will
suppress the above error message.
Fixes: https://pagure.io/freeipa/issue/7952
Signed-off-by: Rob Crittenden <rcritten(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3158/head:pr3158
git checkout pr3158
URL: https://github.com/freeipa/freeipa/pull/3212
Author: frasertweedale
Title: #3212: dn: sort AVAs when converting from x509.Name
Action: opened
PR body:
"""
Equal DNs with multi-valued RDNs can compare inequal if one (or
both) is constructed from a cryptography.x509.Name, because the AVAs
in the multi-valued RDNs are not being sorted.
Sort the AVAs when constructing from Name and add test cases for
equality checks on multi-valued RDNs constructed from inputs with
permuted AVA order.
Part of: https://pagure.io/freeipa/issue/7963
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3212/head:pr3212
git checkout pr3212
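
The comparison problem described in #3212, shown as an added example that is not part of the PR or of FreeIPA's ipapython.dn code: the AVAs of a multi-valued RDN form an unordered set, so an order-sensitive comparison reports two equal DNs as different unless the AVAs are sorted first. The parser, function names and sample DNs are hypothetical and constructed for illustration, and values are assumed to contain no escaped separators.

```python
# Added illustration; not FreeIPA's ipapython.dn code. All names are hypothetical.

def parse_dn(text):
    """Parse a string DN into a list of RDNs, each a list of (attr, value) AVAs.

    Assumption: values contain no escaped ',', '+' or '=' characters.
    """
    rdns = []
    for rdn_text in text.split(","):
        avas = []
        for ava_text in rdn_text.split("+"):
            attr, sep, value = ava_text.strip().partition("=")
            if not sep or not attr or not value:
                raise ValueError("malformed AVA: %r" % ava_text)
            # Attribute type names are case-insensitive; values are kept as-is.
            avas.append((attr.strip().lower(), value.strip()))
        rdns.append(avas)
    return rdns


def naive_key(rdns):
    """Order-sensitive key: AVAs stay in whatever order the input had."""
    return tuple(tuple(avas) for avas in rdns)


def normalized_key(rdns):
    """Sort AVAs inside each RDN; the order of the RDNs themselves is kept."""
    return tuple(tuple(sorted(avas)) for avas in rdns)


def dn_equal(a, b):
    return normalized_key(parse_dn(a)) == normalized_key(parse_dn(b))


# Constructed sample DNs: A and B differ only in AVA order inside the first RDN.
DN_A = "CN=alice+UID=1001,OU=people,O=EXAMPLE.TEST"
DN_B = "uid=1001+cn=alice,OU=people,O=EXAMPLE.TEST"
DN_C = "OU=people,CN=alice+UID=1001,O=EXAMPLE.TEST"  # RDN order changed

if __name__ == "__main__":
    print("naive A == B:     ", naive_key(parse_dn(DN_A)) == naive_key(parse_dn(DN_B)))
    print("normalized A == B:", dn_equal(DN_A, DN_B))
    print("normalized A == C:", dn_equal(DN_A, DN_C))
```

Only the AVAs inside one RDN are sorted; reordering whole RDNs still yields a different DN, which is why DN_C does not match.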
URL: https://github.com/freeipa/freeipa/pull/3217
Author: wladich
Title: #3217: ipatests: allow to relax security of LDAP connection from controller to IPA host
Action: opened
PR body:
"""
The Host.ldap_connect() method uses LDAPClient from ipapython package.
In a3934a21 we started to use secure connection from tests controller to
ipa server. And also 5be9341f changed the LDAPClient.simple_bind method
to forbid password based authentication over insecure connection.
This makes it impossible to establish ldap connection in some test
configurations where hostnames known to ipa server do not match ones known
to tests controller (i.e. when host.hostname != host.external_hostname)
because TLS certificate is issued for host.hostname and test controller
tries to verify it against host.external_hostname.
A subclass of LDAPClient is provided which allows to skip certificate check.
Fixes: https://pagure.io/freeipa/issue/7960
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3217/head:pr3217
git checkout pr3217