URL: https://github.com/freeipa/freeipa/pull/5207
Author: rcritten
Title: #5207: Use a state to determine if a 389-ds upgrade is in progress
Action: opened
PR body:
"""
When applying update files to 389 the listeners are disabled.
There is a large try/except around this so that if a failure
happens then the configuration should be automatically
restored.
We've seen multiple cases where this doesn't occur. Best guess
is that users are killing or ^C breaking out of the script.
What happens in that case is that when the next upgrade is run
the configuration is backed up again overwriting the original
values. This leaves dirsrv with no listener on 389.
Add a new state, upgrade-in-progress, so that the backup of the
config information can be skipped when the upgrader is executed
again after a failure.
The idea behind using a new state value is that if additional
attributes are ever backed up we don't need to remember to update
the list of possible saved values to check to decide if the
upgrade is in progress.
https://pagure.io/freeipa/issue/7534
Signed-off-by: Rob Crittenden <rcritten(a)redhat.com>
**NOTE**: automated testing is very difficult because getting the timing right would be nearly impossible. I manually tested in two ways:
* Used the pdb module so that the upgrade stopped in the middle and I killed the upgrade process
* Spammed the keyboard with ^C in the middle of the DS upgrade process
Look for the last three elements in ```/var/lib/ipa/sysrestore/sysrestore.state```
```
[dirsrv]
serverid = EXAMPLE-TEST
enabled = True
upgrade-in-progress = True
nsslapd-port = 389
nsslapd-security = on
schema_compat_enabled = on
```
If these are left over killing the upgrader then re-running it should debug log that the values aren't being saved again.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5207/head:pr5207
git checkout pr5207
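The skip-if-in-progress logic this PR describes, as an added example that is not FreeIPA's own sysrestore or upgrader code; the state file text, the attribute names taken from the snippet above, and the "port set to 0 when the listener is disabled" step are constructed for the simulation:

```python
import configparser

# Constructed stand-in for /var/lib/ipa/sysrestore/sysrestore.state (added
# example, not FreeIPA's sysrestore module; attribute names follow the PR).
SAMPLE_STATE = """\
[dirsrv]
serverid = EXAMPLE-TEST
enabled = True
"""
BACKED_UP = ("nsslapd-port", "nsslapd-security", "schema_compat_enabled")


def load_state(text):
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def backup_before_upgrade(state, live, log):
    """Save the live values once; a second run after a killed upgrade skips
    the backup instead of overwriting the originals. Returns True if saved."""
    if state.getboolean("dirsrv", "upgrade-in-progress", fallback=False):
        log.append("upgrade in progress, not saving current values")
        return False
    for attr in BACKED_UP:
        state.set("dirsrv", attr, live[attr])
    state.set("dirsrv", "upgrade-in-progress", "True")
    return True


def restore_after_upgrade(state, live):
    """Restore the saved values and clear the in-progress marker."""
    for attr in BACKED_UP:
        live[attr] = state.get("dirsrv", attr)
        state.remove_option("dirsrv", attr)
    state.remove_option("dirsrv", "upgrade-in-progress")
    return live


def simulate_interrupted_upgrade():
    """Run 1 disables the listener (port set to 0 in this simulation) and is
    killed; run 2 must end with the original port restored, not 0."""
    state = load_state(SAMPLE_STATE)
    live = {"nsslapd-port": "389", "nsslapd-security": "on",
            "schema_compat_enabled": "on"}
    log = []
    backup_before_upgrade(state, live, log)   # run 1 saves 389
    live["nsslapd-port"] = "0"                # listener off, then ^C
    backup_before_upgrade(state, live, log)   # run 2 must not save 0
    restore_after_upgrade(state, live)
    return live["nsslapd-port"], log
```

Without the marker the second run would record port 0 as the "original" value, which is exactly the no-listener state the PR describes.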
URL: https://github.com/freeipa/freeipa/pull/5206
Author: abbra
Title: #5206: [WIP] ipa-kdb: support subordinate/superior UPN suffixes
Action: opened
PR body:
"""
[MS-ADTS] 6.1.6.9.3.2 requires the msDS-TrustForestTrustInfo attribute of
trusted domain information in Active Directory to conform to certain rules.
One side-effect of those rules is that list of UPN suffixes reported
through the netr_DsRGetForestTrustInformation function is dynamically
filtered to deduplicate subordinate suffixes.
It means that if the list of UPN suffixes contains the following top level
names (TLNs):
fabrikam.com
sub.fabrikam.com
then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
as the TLN, fully filtering 'sub.fabrikam.com'.
The IPA KDB driver used exact comparison of the UPN suffixes so any
subordinate had to be specified exactly.
Modify logic so that if exact check does not succeed, we validate a
realm to test being a subordinate of the known UPN suffixes. The
subordinate check is done by making sure UPN suffix is at the end of the
test realm and is immediately preceded with a dot.
Because the function to check suffixes is potentially called for every
Kerberos principal, precalculate and cache the length of each UPN suffix at
the time we retrieve the list of them.
Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5206/head:pr5206
git checkout pr5206
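The exact-or-subordinate suffix check and the TLN filtering described in this PR, as an added example that is not ipa-kdb's C code. Case-insensitive comparison and the class and function names are my assumptions; the domain names are constructed.

```python
# Added example, not ipa-kdb's code: a realm matches a trusted forest's UPN
# suffix either exactly or as a subordinate (suffix at the end, immediately
# preceded by a dot). Suffix lengths are cached once, as the PR describes.


def _is_subordinate(realm, suffix, slen):
    """realm ends with suffix, a dot immediately precedes it, and at least
    one label sits before that dot. Inputs are already lowercased."""
    return (len(realm) > slen + 1
            and realm[-slen:] == suffix
            and realm[-slen - 1] == ".")


class UPNSuffixes:
    def __init__(self, suffixes):
        # Precompute (lowercased suffix, length) once so the per-principal
        # check does no repeated lowercasing or length calculation.
        self._entries = [(s.lower(), len(s)) for s in suffixes if s]

    def matches(self, realm):
        """True if realm equals a known suffix or is subordinate to one."""
        r = realm.lower()
        rlen = len(r)
        for suffix, slen in self._entries:
            if rlen == slen and r == suffix:
                return True                     # exact match
            if _is_subordinate(r, suffix, slen):
                return True                     # e.g. sub.fabrikam.com
        return False


def filter_subordinate_tlns(tlns):
    """Model of the [MS-ADTS] filtering the PR describes: drop every TLN
    that is subordinate to another TLN in the same list, keeping order."""
    lowered = [t.lower() for t in tlns]
    return [t for t, tl in zip(tlns, lowered)
            if not any(o != tl and _is_subordinate(tl, o, len(o))
                       for o in lowered)]
```

Note that "notfabrikam.com" is rejected because no dot precedes the suffix, and ".fabrikam.com" because there is no label before the dot.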
URL: https://github.com/freeipa/freeipa/pull/5205
Author: rcritten
Title: #5205: [Backport][ipa-4-8] Add libpwquality checking to IPA password policy
Action: opened
PR body:
"""
This PR was opened manually because PR #5160 was pushed to master and backport to ipa-4-8 is required.
The differences:
- There is no design doc directory so f602da4b28fcf8822225b80df241eed6b624bf8e was skipped
- The nightly tests were redone
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5205/head:pr5205
git checkout pr5205
URL: https://github.com/freeipa/freeipa/pull/5107
Author: tiran
Title: #5107: [Container] Unify access to FQDN
Action: opened
PR body:
"""
FreeIPA's Python and C code used different approaches to get the FQDN of
the host. Some places assumed that gethostname() returns a FQDN. Other
code paths used glibc's resolver to resolve the current node name to a
FQDN.
Python code now uses the ipalib.constants.FQDN where a fully qualified
domain name is expected. The variable is initialized only once and avoids
potential DNS lookups.
C code uses a new helper function ipa_gethostfqdn() in util package. The
function implements similar logic as gethostfqdn() except it uses more
modern getaddrinfo(). The result is cached as well.
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5107/head:pr5107
git checkout pr5107
URL: https://github.com/freeipa/freeipa/pull/5201
Author: frasertweedale
Title: #5201: rebase and temp commit to run nightly CI on #5107
Action: opened
PR body:
"""
Objective: increase confidence in the FQDN PR #5107 before merging.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5201/head:pr5201
git checkout pr5201
URL: https://github.com/freeipa/freeipa/pull/5160
Author: rcritten
Title: #5160: Add libpwquality checking to IPA password policy
Action: opened
PR body:
"""
This adds support for some of the libpwquality password checking features:
* palindromes (automatic)
* maximum number of repeats in a row
* maximum number of monotonic sequences (abcde, 1234, etc)
* check for username in the password
* dict check via cracklib
I attempted to retain backwards compatibility so didn't enable the character class evaluations. We could totally do this but it adds six more knobs.
I didn't enable the gecos check to avoid an nss lookup which would pass through a lot of libraries only to end up back at IPA :-)
Note that pwquality has a minimum character limit of six which is different than IPA so a limit of six is enforced if any of the pwquality values are set.
I suspect the SELinux policy I wrote isn't awesome.
TODO: finalize the IANA attributes and objectclasses values
TODO: merge the test into another class or determine frequency to execute
TODO: I'm open to ipa-next only
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5160/head:pr5160
git checkout pr5160
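A simplified model of the checks this PR enables (palindrome, repeats in a row, monotonic sequences, username in password, and the six-character floor once any knob is set), as an added example that is not FreeIPA's password plugin or libpwquality itself. The cracklib dictionary check is omitted so it runs offline; function and parameter names are my own.

```python
# Added example, not FreeIPA's or libpwquality's code: a simplified model of
# the checks the PR lists. The cracklib dictionary check is left out.
MIN_LENGTH_WHEN_PWQUALITY = 6   # pwquality's floor, as noted in the PR


def is_palindrome(pw):
    return len(pw) > 1 and pw == pw[::-1]


def longest_repeat(pw):
    """Length of the longest run of one character repeated in a row."""
    best = run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def longest_monotonic(pw):
    """Longest run of characters stepping by +1 or -1 (abcde, 4321)."""
    best = run = 1
    direction = 0
    for prev, cur in zip(pw, pw[1:]):
        step = ord(cur) - ord(prev)
        if step not in (1, -1):
            run, direction = 1, 0
        elif step == direction:
            run += 1
        else:
            run, direction = 2, step
        best = max(best, run)
    return best


def check_password(pw, username, maxrepeat=0, maxsequence=0, usercheck=False):
    """Return policy violations; an empty list means the password passes.
    0/False disables a knob. Once any knob is set, the six-character floor
    and the automatic palindrome check apply (assumed: otherwise not run)."""
    if not (maxrepeat or maxsequence or usercheck):
        return []
    errors = []
    if len(pw) < MIN_LENGTH_WHEN_PWQUALITY:
        errors.append("shorter than 6 characters")
    if is_palindrome(pw):
        errors.append("palindrome")
    if maxrepeat and longest_repeat(pw) > maxrepeat:
        errors.append("too many repeated characters")
    if maxsequence and longest_monotonic(pw) > maxsequence:
        errors.append("monotonic sequence too long")
    if usercheck and username.lower() in pw.lower():
        errors.append("contains user name")
    return errors
```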
URL: https://github.com/freeipa/freeipa/pull/5055
Author: rebeccc
Title: #5055: Add krbtpolicy for jittered lifetime
Action: opened
PR body:
"""
Continuation of #5029
This KDC extension will create a jittered lifetime for services with a lifetime greater than 60 minutes. The lifetime will be set to a random number between max_life - 60 minutes and max_life.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5055/head:pr5055
git checkout pr5055
URL: https://github.com/freeipa/freeipa/pull/5200
Author: rcritten
Title: #5200: [Backport][ipa-4-8] Don't restart certmonger after stopping tracking in uninstall
Action: opened
PR body:
"""
This PR was opened automatically because PR #5197 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5200/head:pr5200
git checkout pr5200
URL: https://github.com/freeipa/freeipa/pull/5180
Author: rcritten
Title: #5180: Temp commit to try to reproduce uninstall issue
Action: opened
PR body:
"""
Stanislav found that there are some test failures with the
updated certmonger package both in ALTLinux and F32.
This is an attempt to reproduce using one of the tests that is
failing for him.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5180/head:pr5180
git checkout pr5180
URL: https://github.com/freeipa/freeipa/pull/5197
Author: rcritten
Title: #5197: Don't restart certmonger after stopping tracking in uninstall
Action: opened
PR body:
"""
certmonger was later restarted to remove the custom CA entries
and the startup delay sometimes caused uninstallation to fail.
certmonger is stopped in cainstance.py::uninstall() so it will
still be stopped post-install.
https://pagure.io/freeipa/issue/8533
There is no real test for this. The uninstall failure happens about once out of every five PR-CI runs in https://github.com/freeipa/freeipa/pull/5180
With this patch (and a few unrelated others) there have been 10 successful runs in that PR.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5197/head:pr5197
git checkout pr5197