def test_replica_install_with_existing_entry(self):
master = self.master
tasks.install_master(master)
replica = self.replicas[0]
tf = NamedTemporaryFile()
ldif_file = tf.name
base_dn = "dc=%s" % (",dc=".join(replica.domain.name.split(".")))
# adding entry for replica on master so that master will have it before
# replica installtion begins and creates a situation for pagure-7174
entry_ldif = textwrap.dedent("""
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,{base_dn}
changetype: modify
add: memberPrincipal
memberPrincipal: HTTP/{hostname}@{realm}
dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,{base_dn}
changetype: modify
add: memberPrincipal
memberPrincipal: ldap/{hostname}@{realm}""").format(
base_dn=base_dn, hostname=replica.hostname,
realm=replica.domain.name.upper())
master.put_file_contents(ldif_file, entry_ldif)
arg = ['ldapmodify',
'-h', master.hostname,
'-p', '389', '-D',
str(master.config.dirman_dn), # pylint: disable=no-member
'-w', master.config.dirman_password,
'-f', ldif_file]
master.run_command(arg)
tasks.install_replica(master, replica)
def test_userroot_ldif_files_ownership(self):
"""backup, uninstall, restore, backup"""
tasks.install_master(self.master)
backup_path = backup(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
# check if files have proper owner and group.
dashed_domain = self.master.domain.realm.replace(".", '-')
arg = ['stat',
'-c', '%U%G',
'/var/lib/dirsrv/slapd-' + dashed_domain + '/ldif']
cmd = self.master.run_command(arg)
assert 'dirsrvdirsrv' in cmd.stdout_text
arg = ['stat',
'-c', '%U%G',
'/var/lib/dirsrv/slapd-' + dashed_domain + '/ldif/']
cmd = self.master.run_command(arg)
assert 'dirsrvdirsrv' in cmd.stdout_text
cmd = self.master.run_command(['ipa-backup', '-d'])
unexp_str = "CRITICAL: db2ldif failed:"
assert cmd.returncode == 0
assert unexp_str not in cmd.stdout_text
def _full_backup_restore_with_DNS_zone(self, reinstall=False):
"""backup, uninstall, restore"""
with restore_checker(self.master):
self.master.run_command([
'ipa', 'dnszone-add',
self.example_test_zone,
])
tasks.resolve_record(self.master.ip, self.example_test_zone)
backup_path = backup(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.resolve_record(self.master.ip, self.example_test_zone)
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'dnszone-add',
self.example2_test_zone,
])
tasks.resolve_record(self.master.ip, self.example2_test_zone)
def install(cls, mh):
super(TestForcedClientReenrollment, cls).install(mh)
tasks.install_master(cls.master)
tasks.install_replica(cls.master, cls.replicas[0], setup_ca=False)
cls.BACKUP_KEYTAB = os.path.join(
cls.master.config.test_dir,
'krb5.keytab'
)
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=True)
args = [
"ipa-dns-install",
"--dnssec-master",
"--forwarder", cls.master.config.dns_forwarder,
"-U",
]
cls.master.run_command(args)
def test_install(self):
"""
Test server installation when a different profile was present
before server configuration
"""
# Configure a profile winbind with feature with-fingerprint
apply_authselect_profile(
self.master, preconfigured_profile, preconfigured_options)
tasks.install_master(self.master, setup_dns=False)
check_authselect_profile(self.master, default_profile, ('with-sudo',))
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=True)
tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True,
setup_ca=False)
tasks.install_replica(cls.master, cls.replicas[1], setup_dns=True,
setup_ca=False)
for host in (cls.master, cls.replicas[0], cls.replicas[1]):
ldap = host.ldap_connect()
tasks.wait_for_replication(ldap)
# give time to named to retrieve new records
time.sleep(20)
def install(cls, mh):
cls.domain = DNSName(cls.master.domain.name).make_absolute()
tasks.install_master(cls.master, setup_dns=True)
tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True,
setup_ca=False)
tasks.install_replica(cls.master, cls.replicas[1], setup_dns=True,
setup_ca=True, extra_args=(['--no-ntp']))
for host in (cls.master, cls.replicas[0], cls.replicas[1]):
ldap = host.ldap_connect()
tasks.wait_for_replication(ldap)
# give time to named to retrieve new records
time.sleep(20)
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=False)
args = [
"ipa-dns-install",
"--dnssec-master",
"--forwarder", cls.master.config.dns_forwarder,
"-U",
]
cls.master.run_command(args)
tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True)
# backup trusted key
tasks.backup_file(cls.master, paths.DNSSEC_TRUSTED_KEY)
tasks.backup_file(cls.replicas[0], paths.DNSSEC_TRUSTED_KEY)
def test_installclient_as_user_admin(self):
"""ipa-client-install should not use hardcoded admin for principal
In ipaclient-install.log it should use the username that was entered
earlier in the install process at the prompt.
Related to : https://pagure.io/freeipa/issue/5406
"""
client = self.clients[0]
tasks.install_master(self.master)
tasks.kinit_admin(self.master)
username = '******'
password = '******'
password_confirmation = "%s\n%s\n" % (password,
password)
self.master.run_command(['ipa', 'user-add', username,
'--first', username,
'--last', username,
'--password'],
stdin_text=password_confirmation)
role_add = ['ipa', 'role-add', 'useradmin']
self.master.run_command(role_add)
self.master.run_command(['ipa', 'privilege-add', 'Add Hosts'])
self.master.run_command(['ipa', 'privilege-add-permission',
'--permissions', 'System: Add Hosts',
'Add Hosts'])
self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
'--privileges', 'Host Enrollment'])
self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
'--privileges', 'Add Hosts'])
role_member_add = ['ipa', 'role-add-member', 'useradmin',
'--users={}'.format(username)]
self.master.run_command(role_member_add)
user_kinit = "%s\n%s\n%s\n" % (password, password, password)
self.master.run_command(['kinit', username],
stdin_text=user_kinit)
tasks.install_client(self.master, client, user=username,
password=password)
msg = "args=['/usr/bin/getent', 'passwd', '%s@%s']" % \
(username, client.domain.name)
install_log = client.get_file_contents(paths.IPACLIENT_INSTALL_LOG,
encoding='utf-8')
assert msg in install_log
def _full_backup_restore_with_vault(self, reinstall=False):
with restore_checker(self.master):
# create vault
self.master.run_command([
"ipa", "vault-add",
self.vault_name,
"--password", self.vault_password,
"--type", "symmetric",
])
# archive secret
self.master.run_command([
"ipa", "vault-archive",
self.vault_name,
"--password", self.vault_password,
"--data", self.vault_data,
])
# retrieve secret
self.master.run_command([
"ipa", "vault-retrieve",
self.vault_name,
"--password", self.vault_password,
])
backup_path = backup(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
tasks.kinit_admin(self.master)
# retrieve secret after restore
self.master.run_command([
"ipa", "vault-retrieve",
self.vault_name,
"--password", self.vault_password,
])
def install(cls, mh):
cls.username = '******'
tasks.install_master(cls.master, domain_level=cls.domain_level)
password = cls.master.config.dirman_password
cls.new_password = '******'
adduser_stdin_text = "%s\n%s\n" % (cls.master.config.admin_password,
cls.master.config.admin_password)
user_kinit_stdin_text = "%s\n%s\n%s\n" % (password, cls.new_password,
cls.new_password)
tasks.kinit_admin(cls.master)
cls.master.run_command(['ipa', 'user-add', cls.username, '--password',
'--first', 'John', '--last', 'Donn'],
stdin_text=adduser_stdin_text)
# Now we need to change the password for the user
cls.master.run_command(['kinit', cls.username],
stdin_text=user_kinit_stdin_text)
# And again kinit admin
tasks.kinit_admin(cls.master)
def _full_backup_and_restore_with_DNSSEC_zone(self, reinstall=False):
with restore_checker(self.master):
self.master.run_command([
'ipa', 'dnszone-add',
self.example_test_zone,
'--dnssec', 'true',
])
assert (
wait_until_record_is_signed(
self.master.ip, self.example_test_zone)
), "Zone is not signed"
backup_path = backup(self.master)
self.master.run_command(['ipa-server-install',
'--uninstall',
'-U'])
if reinstall:
tasks.install_master(self.master, setup_dns=True)
dirman_password = self.master.config.dirman_password
self.master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
assert (
wait_until_record_is_signed(
self.master.ip, self.example_test_zone)
), "Zone is not signed after restore"
tasks.kinit_admin(self.master)
self.master.run_command([
'ipa', 'dnszone-add',
self.example2_test_zone,
'--dnssec', 'true',
])
assert (
wait_until_record_is_signed(
self.master.ip, self.example2_test_zone)
), "A new zone is not signed"
def install(cls, mh):
super(TestForcedClientReenrollment, cls).install(mh)
tasks.install_master(cls.master)
cls.client_dom = cls.clients[0].hostname.split('.', 1)[1]
if cls.client_dom != cls.master.domain.name:
# In cases where client is managed by upstream DNS server we
# overlap its zone so we can save DNS records (e.g. SSHFP) for
# comparison.
servers = [cls.master] + cls.replicas
tasks.add_dns_zone(cls.master, cls.client_dom,
skip_overlap_check=True,
dynamic_update=True,
add_a_record_hosts=servers
)
tasks.install_replica(cls.master, cls.replicas[0], setup_ca=False)
cls.BACKUP_KEYTAB = os.path.join(
cls.master.config.test_dir,
'krb5.keytab'
)
def test_install_master(self):
tasks.install_master(self.master, setup_dns=True)
def test_install_master(self):
# step 1 install ipa-server
tasks.install_master(self.master)
def test_install_master(self):
result = tasks.install_master(self.master)
assert result.returncode == 0
def install(cls, mh):
tasks.install_master(cls.master, setup_kra=True)
# do not install KRA on replica, it is part of test
tasks.install_replica(cls.master, cls.replicas[0], setup_kra=False)
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=True)
tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True)
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=True, setup_kra=True)
def test_replica_install_after_restore(self):
master = self.master
replica1 = self.replicas[0]
replica2 = self.replicas[1]
tasks.install_master(master)
tasks.install_replica(master, replica1)
check_replication(master, replica1, "testuser1")
# backup master.
backup_path = backup(master)
suffix = ipautil.realm_to_suffix(master.domain.realm)
suffix = escape_dn_chars(str(suffix))
tf = NamedTemporaryFile()
ldif_file = tf.name
entry_ldif = (
"dn: cn=meTo{hostname},cn=replica,"
"cn={suffix},"
"cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off\n\n"
"dn: cn=caTo{hostname},cn=replica,"
"cn=o\\3Dipaca,cn=mapping tree,cn=config\n"
"changetype: modify\n"
"replace: nsds5ReplicaEnabled\n"
"nsds5ReplicaEnabled: off").format(
hostname=replica1.hostname,
suffix=suffix)
master.put_file_contents(ldif_file, entry_ldif)
# disable replication agreement
arg = ['ldapmodify',
'-h', master.hostname,
'-p', '389', '-D',
str(master.config.dirman_dn), # pylint: disable=no-member
'-w', master.config.dirman_password,
'-f', ldif_file]
master.run_command(arg)
# uninstall master.
tasks.uninstall_master(master)
# master restore.
dirman_password = master.config.dirman_password
master.run_command(['ipa-restore', backup_path],
stdin_text=dirman_password + '\nyes')
# re-initialize topology after restore.
topo_name = "{}-to-{}".format(master.hostname, replica1.hostname)
for topo_suffix in 'domain', 'ca':
arg = ['ipa',
'topologysegment-reinitialize',
topo_suffix,
topo_name,
'--left']
replica1.run_command(arg)
# wait sometime for re-initialization
tasks.wait_for_replication(replica1.ldap_connect())
# install second replica after restore
tasks.install_replica(master, replica2)
check_replication(master, replica2, "testuser2")
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=False)
def install(cls, mh):
# just prepare LDIF file on both master and replica
cls.replicas[0].put_file_contents(CONFIG_LDIF_PATH, DIRSRV_CONFIG_MODS)
tasks.install_master(cls.master)
def install(cls, mh):
tasks.install_master(cls.master, domain_level=cls.domain_level)
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=True, setup_kra=True)
def test_install_master(self):
tasks.install_master(self.master, setup_dns=False, setup_kra=True)
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=False)
cls.client = cls.clients[0]
def test_install_master(self):
# step 1 install ipa-server
tasks.install_master(self.master)
def install(cls, mh):
super(TestForcedClientReenrollment, cls).install(mh)
tasks.install_master(cls.master)
tasks.install_replica(cls.master, cls.replicas[0], setup_ca=False)
cls.BACKUP_KEYTAB = os.path.join(cls.master.config.test_dir,
'krb5.keytab')
def install(cls, mh):
tasks.install_master(cls.master, domain_level=cls.domain_level)
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=False)
cls.client = cls.clients[0]
def test_install_master(self):
result = tasks.install_master(self.master)
assert result.returncode == 0
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=True)
tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True)
def test_install_master(self):
tasks.install_master(
self.master,
setup_dns=True,
extra_args=['--zonemgr', '*****@*****.**'],
)
def install(cls, mh):
tasks.install_master(cls.master, setup_dns=False)
def test_customized_ds_install_master(self):
tasks.install_master(self.master, setup_dns=False, extra_args=[
'--dirsrv-config-file', CONFIG_LDIF_PATH
])
