URL: https://github.com/freeipa/freeipa/pull/2106
Author: abbra
Title: #2106: ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager
Action: opened
PR body:
"""
Password changes performed by cn=Directory Manager are excluded from
password policy checks according to [1]. This is correctly handled by
ipa-pwd-extop in case of a normal Kerberos principal in IPA. However,
non-kerberos accounts were not excluded from the check.
As result, password updates for PKI CA admin account in o=ipaca were
failing if a password policy does not allow a password reuse. We are
re-setting the password for PKI CA admin in ipa-replica-prepare in case
the original directory manager's password was updated since creation of
`cacert.p12`.
Do password policy check for non-Kerberos accounts only if it was set by
a regular user or admin. Changes performed by a cn=Directory Manager and
passsync managers should be excluded from the policy check.
Fixes: https://pagure.io/freeipa/issue/7181
Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com>
[1] https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/h…
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2106/head:pr2106
git checkout pr2106
URL: https://github.com/freeipa/freeipa/pull/4211
Author: wladich
Title: #4211: [Backport][ipa-4-7] ipatests: add test_trust suite to nightly runs
Action: opened
PR body:
"""
This is a manual backport of #4208
The test suite test_trust was missing in nightly definitions
because PR-CI was not able to provision multi-AD topology.
Now that PR-CI is updated, we can start executing this test suite.
It is not reasonable to add it to gating as this suite is
time consuming like other tests requiring provisioning of AD instances.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4211/head:pr4211
git checkout pr4211
URL: https://github.com/freeipa/freeipa/pull/4000
Author: mrizwan93
Title: #4000: ipatests: Test if ipa-backup throws error if /var/lib/ipa/ runs out of space
Action: opened
PR body:
"""
ipa-backup throws error when /var/lib/ipa runs out of space. Earlier
the error was not so clear. Fix mentions about insufficient space.
related : https://pagure.io/freeipa/issue/7647
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4000/head:pr4000
git checkout pr4000
URL: https://github.com/freeipa/freeipa/pull/3955
Author: wladich
Title: #3955: ipatests: add test for SSSD updating expired cache items
Action: opened
PR body:
"""
**Patch 1:**
New test checks that sssd updates expired cahce values both for IPA domain and trusted AD domain.
Related to: https://pagure.io/SSSD/sssd/issue/4012
**Patch 2:**
ipatests: refactor sssd tests for cached_auth_timeout option
No changes in test scenarios or coverage. Changes:
* Renamed parameter user => user_origin for consistency with new tests
* evaluate user name once per testcase to reduce copy-pastes
* evauate wait time in a more natural way
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3955/head:pr3955
git checkout pr3955
URL: https://github.com/freeipa/freeipa/pull/4277
Author: flo-renaud
Title: #4277: ipa-adtrust-install: run remote configuration for new agents
Action: opened
PR body:
"""
### ipa-adtrust-install: run remote configuration for new agents
When ipa-adtrust-install is run, the tool detects masters that are
not enabled as trust agents and propose to configure them. With the
current code, the Schema Compat plugin is not enabled on these new
trust agents and a manual restart of LDAP server + SSSD is required.
With this commit, ipa-adtrust-install now calls remote code on the new
agents through JSON RPC api, in order to configure the missing parts.
On the remote agent, the command is using DBus and oddjob to launch
a new command,
/usr/sbin/ipa-trust-enable-agent [--enable-compat]
This command configures the Schema Compat plugin if --enable-compat is
provided, then restarts LDAP server and SSSD.
If the remote agent is an older version and does not support remote
enablement, or if the remote server is not responding, the tool
ipa-adtrust-install prints a WARNING explaining the steps that need
to be manually executed in order to complete the installation, and
exits successfully (keeping the current behavior).
Fixes: https://pagure.io/freeipa/issue/7600
### ipatests: add test for ipa-adtrust-install --add-agents
Add tests checking the behavior of ipa-adtrust-install when
adding trust agents:
- try adding a trust agent when the remote node is stopped.
The installer must detect that he's not able to run the remote
commands and print a WARNING.
- try adding a trust agent when the remote node is running.
The WARNING must not be printed as the remote configuration is done.
- try adding a trust agent with --enable-compat.
The WARNING must not be printed and the Schema Compatibility plugin
must be enabled (the entries
cn=users/groups,cn=Schema Compatibility,cn=plugins,cn=config
must contain a new attribute schema-compat-lookup-nsswitch
(=user/group).
Notes:
- this PR will have to be rebased after PR #4260 is merged as it's modifying the same test suite
- TBD: add a SELinux policy rule allowing to call the remote command when #4251 is merged
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/4277/head:pr4277
git checkout pr4277