def _full_backup_restore_with_DNS_zone(self, reinstall=False):
"""backup, uninstall, restore"""
with restore_checker(self.master):
self.master.run_command([
'ipa', 'dnszone-add',
self.example_test_zone,
])
tasks.resolve_record(self.master.ip, self.example_test_zone)
backup_path = backup(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.resolve_record(self.master.ip, self.example_test_zone)
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'dnszone-add',
self.example2_test_zone,
])
tasks.resolve_record(self.master.ip, self.example2_test_zone)
def test_installclient_as_user_admin(self):
"""ipa-client-install should not use hardcoded admin for principal
In ipaclient-install.log it should use the username that was entered
earlier in the install process at the prompt.
Related to : https://pagure.io/freeipa/issue/5406
"""
client = self.clients[0]
tasks.install_master(self.master)
tasks.kinit_admin(self.master)
username = '******'
password = '******'
password_confirmation = "%s\n%s\n" % (password,
password)
self.master.run_command(['ipa', 'user-add', username,
'--first', username,
'--last', username,
'--password'],
stdin_text=password_confirmation)
role_add = ['ipa', 'role-add', 'useradmin']
self.master.run_command(role_add)
self.master.run_command(['ipa', 'privilege-add', 'Add Hosts'])
self.master.run_command(['ipa', 'privilege-add-permission',
'--permissions', 'System: Add Hosts',
'Add Hosts'])
self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
'--privileges', 'Host Enrollment'])
self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
'--privileges', 'Add Hosts'])
role_member_add = ['ipa', 'role-add-member', 'useradmin',
'--users={}'.format(username)]
self.master.run_command(role_member_add)
user_kinit = "%s\n%s\n%s\n" % (password, password, password)
self.master.run_command(['kinit', username],
stdin_text=user_kinit)
tasks.install_client(
self.master, client,
extra_args=['--request-cert'],
user=username, password=password
)
msg = "args=['/usr/bin/getent', 'passwd', '%s@%s']" % \
(username, client.domain.name)
install_log = client.get_file_contents(paths.IPACLIENT_INSTALL_LOG,
encoding='utf-8')
assert msg in install_log
# check that user is able to request a host cert, too
result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR)
assert 'Local IPA host' in result.stdout_text
result = tasks.run_certutil(
client,
['-K', '-f', paths.IPA_NSSDB_PWDFILE_TXT],
paths.IPA_NSSDB_DIR
)
assert 'Local IPA host' in result.stdout_text
def test_replica_promotion_with_ntp_options(self):
"""
test to verify that replica promotion with ntp --ntp-server,
--ntp-pool and -N or --no-ntp option would fail
"""
exp_str = "NTP configuration cannot be updated during promotion"
tasks.install_master(self.master, setup_dns=False)
tasks.install_client(self.master, self.replica)
replica_install = self.replica.run_command(
['ipa-replica-install', '--no-ntp'],
raiseonerr=False)
assert replica_install.returncode == 1
assert exp_str in replica_install.stderr_text
replica_install = self.replica.run_command(
['ipa-replica-install', '--ntp-server=%s' % self.ntp_server1],
raiseonerr=False)
assert replica_install.returncode == 1
assert exp_str in replica_install.stderr_text
replica_install = self.replica.run_command(
['ipa-replica-install', '--ntp-pool=%s' % self.ntp_pool],
raiseonerr=False)
assert replica_install.returncode == 1
assert exp_str in replica_install.stderr_text
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=True)
clients = (cls.clients[0], cls.replicas[0], cls.replicas[1])
for client in clients:
cls.fix_resolv_conf(client, cls.master)
tasks.install_client(cls.master, client)
client.run_command(["cat", "/etc/resolv.conf"])
def install(cls, mh):
pki_ini = tasks.upload_temp_contents(cls.master, KEY_OVERRIDE)
extra_args = [
'--pki-config-override', pki_ini,
]
tasks.install_master(
cls.master, setup_dns=False, extra_args=extra_args
)
cls.master.run_command(['rm', '-f', pki_ini])
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=True)
args = [
"ipa-dns-install",
"--dnssec-master",
"--forwarder", cls.master.config.dns_forwarder,
"-U",
]
cls.master.run_command(args)
def test_replica_install_after_restore(self):
master = self.master
replica1 = self.replicas[0]
replica2 = self.replicas[1]
tasks.install_master(master)
tasks.install_replica(master, replica1)
check_replication(master, replica1, "testuser1")
# backup master.
backup_path = backup(master)
suffix = ipautil.realm_to_suffix(master.domain.realm)
suffix = escape_dn_chars(str(suffix))
entry_ldif = (
"dn: cn=meTo{hostname},cn=replica,"
"cn={suffix},"
"cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off\n\n"
"dn: cn=caTo{hostname},cn=replica,"
"cn=o\\3Dipaca,cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off").format(
hostname=replica1.hostname,
suffix=suffix)
# disable replication agreement
tasks.ldapmodify_dm(master, entry_ldif)
# uninstall master.
tasks.uninstall_master(master, clean=False)
# master restore.
dirman_password = master.config.dirman_password
master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
# re-initialize topology after restore.
topo_name = "{}-to-{}".format(master.hostname, replica1.hostname)
for topo_suffix in 'domain', 'ca':
arg = ['ipa',
'topologysegment-reinitialize',
topo_suffix,
topo_name,
'--left']
replica1.run_command(arg)
# wait sometime for re-initialization
tasks.wait_for_replication(replica1.ldap_connect())
# install second replica after restore
tasks.install_replica(master, replica2)
check_replication(master, replica2, "testuser2")
def test_install(self):
"""
Test server installation when a different profile was present
before server configuration
"""
# Configure a profile winbind with feature with-fingerprint
apply_authselect_profile(
self.master, preconfigured_profile, preconfigured_options)
tasks.install_master(self.master, setup_dns=False)
check_authselect_profile(self.master, default_profile, ('with-sudo',))
def test_userroot_ldif_files_ownership_and_permission(self):
"""backup, uninstall, restore, backup"""
tasks.install_master(self.master)
backup_path = backup(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
# set umask to 077 just to check if restore success.
self.master.run_command('echo "umask 0077" >> /root/.bashrc')
result = self.master.run_command(['umask'])
assert '0077' in result.stdout_text
dirman_password = self.master.config.dirman_password
result = self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
assert 'Temporary setting umask to 022' in result.stderr_text
# check if umask reset to 077 after restore.
result = self.master.run_command(['umask'])
assert '0077' in result.stdout_text
# check if files have proper owner and group.
dashed_domain = self.master.domain.realm.replace(".", '-')
arg = ['stat',
'-c', '%U:%G',
'{}/ldif/'.format(
paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE %
dashed_domain)]
cmd = self.master.run_command(arg)
expected = '{}:{}'.format(constants.DS_USER, constants.DS_GROUP)
assert expected in cmd.stdout_text
# also check of access rights are set to 644.
arg = ['stat',
'-c', '%U:%G:%a',
'{}/ldif/{}-ipaca.ldif'.format(
paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE %
dashed_domain, dashed_domain)]
cmd = self.master.run_command(arg)
assert '{}:644'.format(expected) in cmd.stdout_text
arg = ['stat',
'-c', '%U:%G:%a',
'{}/ldif/{}-userRoot.ldif'.format(
paths.VAR_LIB_SLAPD_INSTANCE_DIR_TEMPLATE %
dashed_domain, dashed_domain)]
cmd = self.master.run_command(arg)
assert '{}:644'.format(expected) in cmd.stdout_text
cmd = self.master.run_command(['ipa-backup', '-d'])
unexp_str = "CRITICAL: db2ldif failed:"
assert cmd.returncode == 0
assert unexp_str not in cmd.stdout_text
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=True)
args = [
"ipa-dns-install",
"--dnssec-master",
"--forwarder", cls.master.config.dns_forwarder,
"-U",
]
cls.master.run_command(args)
# No need to enable dns service in the firewall as master has been
# installed with dns support enabled
# Firewall(cls.master).enable_services(["dns"])
tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True)
def install(cls, mh):
cls.domain = DNSName(cls.master.domain.name).make_absolute()
tasks.install_master(cls.master, setup_dns=True)
tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True,
setup_ca=False)
tasks.install_replica(cls.master, cls.replicas[1], setup_dns=True,
setup_ca=True)
for host in (cls.master, cls.replicas[0], cls.replicas[1]):
ldap = host.ldap_connect()
tasks.wait_for_replication(ldap)
# give time to named to retrieve new records
time.sleep(20)
def test_KRA_install_after_cert_renew(self):
tasks.install_master(self.master)
# get ca-agent cert and load as pem
dm_pass = self.master.config.dirman_password
admin_pass = self.master.config.admin_password
args = [paths.OPENSSL, "pkcs12", "-in",
paths.DOGTAG_ADMIN_P12, "-nodes",
"-passin", "pass:{}".format(dm_pass)]
cmd = self.master.run_command(args)
certs = x509.load_certificate_list(cmd.stdout_text.encode('utf-8'))
# get expiry date of agent cert
cert_expiry = certs[0].not_valid_after
# move date to grace period so that certs get renewed
self.master.run_command(['systemctl', 'stop', 'chronyd'])
grace_date = cert_expiry - timedelta(days=10)
grace_date = datetime.strftime(grace_date, "%Y-%m-%d %H:%M:%S")
self.master.run_command(['date', '-s', grace_date])
# get the count of certs track by certmonger
cmd = self.master.run_command(['getcert', 'list'])
cert_count = cmd.stdout_text.count('Request ID')
timeout = 600
count = 0
start = time.time()
# wait sometime for cert renewal
while time.time() - start < timeout:
cmd = self.master.run_command(['getcert', 'list'])
count = cmd.stdout_text.count('status: MONITORING')
if count == cert_count:
break
time.sleep(100)
else:
# timeout
raise AssertionError('TimeOut: Failed to renew all the certs')
# move date after 3 days of actual expiry
cert_expiry = cert_expiry + timedelta(days=3)
cert_expiry = datetime.strftime(cert_expiry, "%Y-%m-%d %H:%M:%S")
self.master.run_command(['date', '-s', cert_expiry])
passwd = "{passwd}\n{passwd}\n{passwd}".format(passwd=admin_pass)
self.master.run_command(['kinit', 'admin'], stdin_text=passwd)
cmd = self.master.run_command(['ipa-kra-install', '-p', dm_pass, '-U'])
self.master.run_command(['systemctl', 'start', 'chronyd'])
def test_replica_promotion_without_ntp(self):
"""
test to verify that replica promotion without ntp options
- ipa-client-install with ntp option
- ipa-replica-install without ntp option
will be successful
"""
exp_str = "ipa-replica-install command was successful"
expected_msg = "Configuration of chrony was changed by installer."
ntp_args = ['--ntp-pool=%s' % self.ntp_pool]
server_install = tasks.install_master(self.master, setup_dns=False,
extra_args=ntp_args)
assert expected_msg in server_install.stderr_text
client_install = tasks.install_client(self.master, self.replica,
extra_args=ntp_args)
assert expected_msg in client_install.stderr_text
replica_install = tasks.install_replica(self.master, self.replica,
promote=False)
assert exp_str in replica_install.stderr_text
cmd = self.replica.run_command(['cat', paths.CHRONY_CONF])
assert self.ntp_pool in cmd.stdout_text
def test_server_replica_client_install_with_pool_and_srv(self):
"""
test to verify that ipa-server, ipa-replica and ipa-client install
passes with options --ntp-pool and --ntp-server together
"""
expected_msg = "Configuration of chrony was changed by installer."
args = ['--ntp-pool=%s' % self.ntp_pool,
'--ntp-server=%s' % self.ntp_server1]
server_install = tasks.install_master(self.master, setup_dns=False,
extra_args=args)
assert expected_msg in server_install.stderr_text
cmd = self.master.run_command(['cat', paths.CHRONY_CONF])
assert self.ntp_pool in cmd.stdout_text
assert self.ntp_server1 in cmd.stdout_text
replica_install = tasks.install_replica(self.master, self.replica,
extra_args=args,
promote=False)
assert expected_msg in replica_install.stderr_text
cmd = self.replica.run_command(['cat', paths.CHRONY_CONF])
assert self.ntp_pool in cmd.stdout_text
assert self.ntp_server1 in cmd.stdout_text
client_install = tasks.install_client(self.master, self.client,
extra_args=args)
assert expected_msg in client_install.stderr_text
cmd = self.client.run_command(['cat', paths.CHRONY_CONF])
assert self.ntp_pool in cmd.stdout_text
assert self.ntp_server1 in cmd.stdout_text
def _full_backup_restore_with_vault(self, reinstall=False):
with restore_checker(self.master):
# create vault
self.master.run_command([
"ipa", "vault-add",
self.vault_name,
"--password", self.vault_password,
"--type", "symmetric",
])
# archive secret
self.master.run_command([
"ipa", "vault-archive",
self.vault_name,
"--password", self.vault_password,
"--data", self.vault_data,
])
# retrieve secret
self.master.run_command([
"ipa", "vault-retrieve",
self.vault_name,
"--password", self.vault_password,
])
backup_path = backup(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.kinit_admin(self.master)
# retrieve secret after restore
self.master.run_command([
"ipa", "vault-retrieve",
self.vault_name,
"--password", self.vault_password,
])
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=False)
args = [
"ipa-dns-install",
"--dnssec-master",
"--forwarder", cls.master.config.dns_forwarder,
"-U",
]
cls.master.run_command(args)
# Enable dns service on master as it has been installed without dns
# support before
Firewall(cls.master).enable_services(["dns"])
tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True)
# backup trusted key
tasks.backup_file(cls.master, paths.DNSSEC_TRUSTED_KEY)
tasks.backup_file(cls.replicas[0], paths.DNSSEC_TRUSTED_KEY)
def test_install_master(self):
self.master.run_command('echo "umask 0027" >> /root/.bashrc')
result = self.master.run_command(['umask'])
assert '0027' in result.stdout_text
cmd = tasks.install_master(
self.master, setup_dns=False, raiseonerr=False
)
exp_str = ("Unexpected system mask")
assert (exp_str in cmd.stderr_text and cmd.returncode != 0)
def _full_backup_and_restore_with_DNSSEC_zone(self, reinstall=False):
with restore_checker(self.master):
self.master.run_command([
'ipa', 'dnszone-add',
self.example_test_zone,
'--dnssec', 'true',
])
assert (
wait_until_record_is_signed(
self.master.ip, self.example_test_zone)
), "Zone is not signed"
backup_path = backup(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
assert (
wait_until_record_is_signed(
self.master.ip, self.example_test_zone)
), "Zone is not signed after restore"
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'dnszone-add',
self.example2_test_zone,
'--dnssec', 'true',
])
assert (
wait_until_record_is_signed(
self.master.ip, self.example2_test_zone)
), "A new zone is not signed"
def install(cls, mh):
super(TestForcedClientReenrollment, cls).install(mh)
tasks.install_master(cls.master)
cls.client_dom = cls.clients[0].hostname.split('.', 1)[1]
if cls.client_dom != cls.master.domain.name:
# In cases where client is managed by upstream DNS server we
# overlap its zone so we can save DNS records (e.g. SSHFP) for
# comparison.
servers = [cls.master] + cls.replicas
tasks.add_dns_zone(cls.master, cls.client_dom,
skip_overlap_check=True,
dynamic_update=True,
add_a_record_hosts=servers
)
tasks.install_replica(cls.master, cls.replicas[0], setup_ca=False)
cls.BACKUP_KEYTAB = os.path.join(
cls.master.config.test_dir,
'krb5.keytab'
)
def test_server_client_install_no_ntp(self):
"""
test to verify that ipa-server and ipa-client install invoked with
option -N uses system defined NTP daemon configuration
"""
expected_msg1 = "Excluded by options:"
expected_msg2 = "Using default chrony configuration."
server_install = tasks.install_master(self.master, setup_dns=False,
extra_args=['-N'])
assert expected_msg1 in server_install.stdout_text
assert expected_msg2 not in server_install.stdout_text
client_install = tasks.install_client(self.master, self.client,
extra_args=['--no-ntp'])
assert expected_msg2 not in client_install.stdout_text
def test_server_client_install_without_options(self):
"""
test to verify that ipa-server and ipa-client install uses
default chrony configuration without any NTP options specified
"""
expected_msg1 = "No SRV records of NTP servers found and " \
"no NTP server or pool address was provided."
expected_msg2 = "Using default chrony configuration."
server_install = tasks.install_master(self.master, setup_dns=False)
assert expected_msg1 in server_install.stderr_text
assert expected_msg2 in server_install.stdout_text
client_install = tasks.install_client(self.master, self.client)
assert expected_msg1 in client_install.stderr_text
assert expected_msg2 in client_install.stdout_text
def test_server_client_install_with_multiple_ntp_srv(self):
"""
test to verify that ipa-server-install passes with multiple
--ntp-server option used
"""
expected_msg = "Configuration of chrony was changed by installer."
args = ['--ntp-server=%s' % self.ntp_server1,
'--ntp-server=%s' % self.ntp_server2]
server_install = tasks.install_master(self.master, setup_dns=False,
extra_args=args)
assert expected_msg in server_install.stderr_text
cmd = self.master.run_command(['cat', paths.CHRONY_CONF])
assert self.ntp_server1 in cmd.stdout_text
assert self.ntp_server2 in cmd.stdout_text
client_install = tasks.install_client(self.master, self.client,
extra_args=args)
assert expected_msg in client_install.stderr_text
cmd = self.client.run_command(['cat', paths.CHRONY_CONF])
assert self.ntp_server1 in cmd.stdout_text
assert self.ntp_server2 in cmd.stdout_text
def test_install_master(self):
# step 1 install ipa-server
tasks.install_master(self.master)
def test_install_master(self):
result = tasks.install_master(self.master)
assert result.returncode == 0
def install(cls, mh):
# Install the master with PKINIT disabled
tasks.install_master(cls.master, extra_args=['--no-pkinit'])
check_pkinit(cls.master, enabled=False)
def _full_backup_restore_with_vault(self, reinstall=False):
with restore_checker(self.master):
# create vault
self.master.run_command([
"ipa",
"vault-add",
self.vault_name,
"--password",
self.vault_password,
"--type",
"symmetric",
])
# archive secret
self.master.run_command([
"ipa",
"vault-archive",
self.vault_name,
"--password",
self.vault_password,
"--data",
self.vault_data,
])
# retrieve secret
self.master.run_command([
"ipa",
"vault-retrieve",
self.vault_name,
"--password",
self.vault_password,
])
backup_path = tasks.get_backup_dir(self.master)
# check that no error message in uninstall log for KRA instance
cmd = self.master.run_command(
['ipa-server-install', '--uninstall', '-U'])
assert "failed to uninstall KRA" not in cmd.stderr_text
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
if reinstall:
# If the server was reinstalled, reinstall may have changed
# the uid and restore reverts to the original value.
# clear the cache to make sure we get up-to-date values
tasks.clear_sssd_cache(self.master)
tasks.kinit_admin(self.master)
# retrieve secret after restore
self.master.run_command([
"ipa",
"vault-retrieve",
self.vault_name,
"--password",
self.vault_password,
])
def install(cls, mh):
tasks.install_master(cls.master, setup_kra=True)
# do not install KRA on replica, it is part of test
tasks.install_replica(cls.master, cls.replicas[0], setup_kra=False)
def test_interactive_ntp_set_opt(self):
"""
Test to verify that ipa installations with ntp options passed
interactively (without -U/--nattended) will be successful
- ipa-server-install
- ipa-client-install
Both NTP servers and pool passed interactively to options.
"""
server_input = (
# Do you want to configure integrated DNS (BIND)? [no]:
"No\n"
# Server host name [hostname]:
"\n"
# Do you want to configure chrony with NTP server
# or pool address? [no]:
"Yes\n"
# Enter NTP source server addresses separated by comma,
# or press Enter to skip:
"{},{}\n".format(self.ntp_server2, self.ntp_server1) +
# Enter a NTP source pool address, or press Enter to skip:
"{}\n".format(self.ntp_pool) +
# Continue to configure the system with these values? [no]:
"Yes"
)
client_input = (
# Proceed with fixed values and no DNS discovery? [no]:
"Yes\n"
# Do you want to configure chrony with NTP server
# or pool address? [no]:
"Yes\n"
# Enter NTP source server addresses separated by comma,
# or press Enter to skip:
"{},{}\n".format(self.ntp_server2, self.ntp_server1) +
# Enter a NTP source pool address, or press Enter to skip:
"{}\n".format(self.ntp_pool) +
# Continue to configure the system with these values? [no]:
"Yes"
)
server_install = tasks.install_master(self.master,
setup_dns=False,
unattended=False,
stdin_text=server_input)
assert server_install.returncode == 0
assert self.ntp_pool in server_install.stdout_text
assert self.ntp_server1 in server_install.stdout_text
assert self.ntp_server2 in server_install.stdout_text
cmd = self.master.run_command(self.print_chrony_conf)
assert self.ntp_pool in cmd.stdout_text
assert self.ntp_server1 in cmd.stdout_text
assert self.ntp_server2 in cmd.stdout_text
client_install = tasks.install_client(self.master,
self.client,
unattended=False,
stdin_text=client_input,
nameservers=None)
assert client_install.returncode == 0
cmd = self.client.run_command(self.print_chrony_conf)
assert self.ntp_pool in cmd.stdout_text
assert self.ntp_server1 in cmd.stdout_text
assert self.ntp_server2 in cmd.stdout_text
def install(cls, mh):
tasks.install_master(cls.master)
tasks.install_replica(cls.master, cls.replicas[0])
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=False)
cls.client = cls.clients[0]
def install(cls, mh):
tasks.install_master(cls.master)
tasks.create_active_user(cls.master, USER1, PASSWORD)
tasks.create_active_user(cls.master, USER2, PASSWORD)
def install_server_external_ca_step1(host, extra_args=()):
"""Step 1 to install the ipa server with external ca"""
return tasks.install_master(
host, external_ca=True, extra_args=extra_args
)
def test_install_master(self):
tasks.install_master(
self.master,
setup_dns=True,
extra_args=['--zonemgr', '*****@*****.**'],
)
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=True, setup_kra=True,
setup_adtrust=True)
def test_customized_ds_install_master(self):
tasks.install_master(
self.master,
setup_dns=False,
extra_args=['--dirsrv-config-file', CONFIG_LDIF_PATH])
def install(cls, mh):
tasks.install_master(cls.master, setup_kra=True)
# do not install KRA on replica, it is part of test
tasks.install_replica(cls.master, cls.replicas[0], setup_kra=False)
def install(cls, mh):
# Install the master
tasks.install_master(cls.master)
def test_install_master_releatedly(self):
cmd = tasks.install_master(self.master,
setup_dns=True,
raiseonerr=False)
exp_str = ("already exists in DNS")
assert (exp_str not in cmd.stderr_text and cmd.returncode != 2)
def test_installclient_as_user_admin(self):
"""ipa-client-install should not use hardcoded admin for principal
In ipaclient-install.log it should use the username that was entered
earlier in the install process at the prompt.
Related to : https://pagure.io/freeipa/issue/5406
"""
client = self.clients[0]
tasks.install_master(self.master)
tasks.kinit_admin(self.master)
username = '******'
password = '******'
password_confirmation = "%s\n%s\n" % (password, password)
self.master.run_command([
'ipa', 'user-add', username, '--first', username, '--last',
username, '--password'
],
stdin_text=password_confirmation)
role_add = ['ipa', 'role-add', 'useradmin']
self.master.run_command(role_add)
self.master.run_command(['ipa', 'privilege-add', 'Add Hosts'])
self.master.run_command([
'ipa', 'privilege-add-permission', '--permissions',
'System: Add Hosts', 'Add Hosts'
])
self.master.run_command([
'ipa', 'role-add-privilege', 'useradmin', '--privileges',
'Host Enrollment'
])
self.master.run_command([
'ipa', 'role-add-privilege', 'useradmin', '--privileges',
'Add Hosts'
])
role_member_add = [
'ipa', 'role-add-member', 'useradmin',
'--users={}'.format(username)
]
self.master.run_command(role_member_add)
user_kinit = "%s\n%s\n%s\n" % (password, password, password)
self.master.run_command(['kinit', username], stdin_text=user_kinit)
tasks.install_client(self.master,
client,
extra_args=['--request-cert'],
user=username,
password=password)
msg = "args=['/usr/bin/getent', 'passwd', '%s@%s']" % \
(username, client.domain.name)
install_log = client.get_file_contents(paths.IPACLIENT_INSTALL_LOG,
encoding='utf-8')
assert msg in install_log
# check that user is able to request a host cert, too
result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR)
assert 'Local IPA host' in result.stdout_text
result = tasks.run_certutil(client,
['-K', '-f', paths.IPA_NSSDB_PWDFILE_TXT],
paths.IPA_NSSDB_DIR)
assert 'Local IPA host' in result.stdout_text
def test_install_master(self):
tasks.install_master(
self.master,
setup_dns=True,
extra_args=['--zonemgr', '*****@*****.**'],
)
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=False)
def install(cls, mh):
tasks.install_master(cls.master, domain_level=cls.domain_level)
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=True)
tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True)
def test_replica_install_after_restore(self):
master = self.master
replica1 = self.replicas[0]
replica2 = self.replicas[1]
tasks.install_master(master)
tasks.install_replica(master, replica1)
check_replication(master, replica1, "testuser1")
# backup master.
backup_path = backup(master)
suffix = ipautil.realm_to_suffix(master.domain.realm)
suffix = escape_dn_chars(str(suffix))
tf = NamedTemporaryFile()
ldif_file = tf.name
entry_ldif = ("dn: cn=meTo{hostname},cn=replica,"
"cn={suffix},"
"cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off\n\n"
"dn: cn=caTo{hostname},cn=replica,"
"cn=o\\3Dipaca,cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off").format(
hostname=replica1.hostname, suffix=suffix)
master.put_file_contents(ldif_file, entry_ldif)
# disable replication agreement
arg = [
'ldapmodify',
'-h',
master.hostname,
'-p',
'389',
'-D',
str(master.config.dirman_dn), # pylint: disable=no-member
'-w',
master.config.dirman_password,
'-f',
ldif_file
]
master.run_command(arg)
# uninstall master.
tasks.uninstall_master(master, clean=False)
# master restore.
dirman_password = master.config.dirman_password
master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
# re-initialize topology after restore.
topo_name = "{}-to-{}".format(master.hostname, replica1.hostname)
for topo_suffix in 'domain', 'ca':
arg = [
'ipa', 'topologysegment-reinitialize', topo_suffix, topo_name,
'--left'
]
replica1.run_command(arg)
# wait sometime for re-initialization
tasks.wait_for_replication(replica1.ldap_connect())
# install second replica after restore
tasks.install_replica(master, replica2)
check_replication(master, replica2, "testuser2")
def test_install_master(self):
tasks.install_master(self.master, setup_dns=False, setup_kra=True)
def install(cls, mh):
tasks.uninstall_replica(cls.master, cls.replicas[0])
tasks.uninstall_master(cls.master)
tasks.install_master(cls.master, setup_dns=False)
def install(cls, mh):
tasks.install_master(cls.master,
setup_dns=True,
setup_kra=True,
setup_adtrust=True)
def test_install_master(self):
tasks.install_master(self.master, setup_dns=False, setup_kra=True)
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=False)
def install(cls, mh):
tasks.install_master(cls.master)
tasks.install_client(cls.master, cls.clients[0])
