[freeipa PR#5207][opened] Use a state to determine if a 389-ds upgrade is in progress
by rcritten
URL: https://github.com/freeipa/freeipa/pull/5207
Author: rcritten
Title: #5207: Use a state to determine if a 389-ds upgrade is in progress
Action: opened
PR body:
"""
When applying update files to 389 the listeners are disabled.
There is a large try/except around this so that if a failure
happens then the configuration should be automatically
restored.
We've seen multiple cases where this doesn't occur. Best guess
is that users are killing or ^C breaking out of the script.
What happens in that case is that when the next upgrade is run
the configuration is backed up again overwriting the original
values. This leaves dirsrv with no listener on 389.
Add a new state, upgrade-in-progress, so that the backup of the
config information can be skipped when the upgrader is executed
again after a failure.
The idea behind using a new state value is that if additional
attributes are ever backed up we don't need to remember to update
the list of possible saved values to check to decide if the
upgrade is in progress.
https://pagure.io/freeipa/issue/7534
Signed-off-by: Rob Crittenden <rcritten(a)redhat.com>
**NOTE**: automated testing is very difficult because getting the timing right would be nearly impossible. I manually tested in two ways:
* Used the pdb module so that the upgrade stopped in the middle and I killed the upgrade process
* Spammed the keyboard with ^C in the middle of the DS upgrade process
Look for the last three elements in ```/var/lib/ipa/sysrestore/sysrestore.state```
```
[dirsrv]
serverid = EXAMPLE-TEST
enabled = True
upgrade-in-progress = True
nsslapd-port = 389
nsslapd-security = on
schema_compat_enabled = on
```
If these are left over from killing the upgrader then re-running it should debug log that the values aren't being saved again.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5207/head:pr5207
git checkout pr5207
3 years, 6 months
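The failure mode in the PR above (an interrupted run leaves the state file holding the original values; a re-run then backs up the already-disabled values over them) is easy to reproduce in miniature. The following is an added illustration, not FreeIPA's sysrestore code: the StateStore class mimics the [dirsrv] section layout quoted in the PR, Dirsrv stands in for the 389-ds config, and run_upgrade switches between the old behaviour and the PR's upgrade-in-progress marker. All names here are this example's own.

```python
import configparser
import io
import logging

log = logging.getLogger("upgrade-example")

LIVE_PORT = "389"   # value the upgrader backs up before disabling the listener


class StateStore:
    """Minimal stand-in for sysrestore.state: [module] sections of key = value."""

    def __init__(self, text=""):
        self._cp = configparser.ConfigParser()
        self._cp.read_string(text)

    def get_state(self, module, key):
        return self._cp.get(module, key, fallback=None)

    def backup_state(self, module, key, value):
        if not self._cp.has_section(module):
            self._cp.add_section(module)
        self._cp.set(module, key, str(value))

    def restore_state(self, module, key):
        """Return the saved value and drop it from the store (None if absent)."""
        value = self._cp.get(module, key, fallback=None)
        if value is not None:
            self._cp.remove_option(module, key)
        return value

    def dump(self):
        buf = io.StringIO()
        self._cp.write(buf)
        return buf.getvalue()


class Dirsrv:
    """Stand-in for the 389-ds instance; only the listener port matters here."""

    def __init__(self):
        self.port = LIVE_PORT


def run_upgrade(ds, state, interrupt=False, use_progress_state=True):
    """One run of the 389-ds update step.

    use_progress_state=False is the old behaviour: always back up the live
    config, so a re-run after an interrupted run saves the already-disabled
    value over the original.
    use_progress_state=True is the PR's approach: 'upgrade-in-progress' in
    the state file means a backup already exists, so backing up is skipped.
    """
    if use_progress_state and state.get_state("dirsrv", "upgrade-in-progress") == "True":
        log.debug("upgrade in progress, not saving dirsrv values again")
    else:
        state.backup_state("dirsrv", "nsslapd-port", ds.port)
        if use_progress_state:
            state.backup_state("dirsrv", "upgrade-in-progress", True)

    ds.port = "0"          # listener disabled while update files are applied
    if interrupt:
        return ds          # ^C / kill here: the restore below never runs

    ds.port = state.restore_state("dirsrv", "nsslapd-port")
    if use_progress_state:
        state.restore_state("dirsrv", "upgrade-in-progress")
    return ds


def interrupted_then_rerun(use_progress_state):
    """Interrupt one upgrade, rerun it, and report (final port, leftover marker)."""
    ds, state = Dirsrv(), StateStore()
    run_upgrade(ds, state, interrupt=True, use_progress_state=use_progress_state)
    run_upgrade(ds, state, interrupt=False, use_progress_state=use_progress_state)
    return ds.port, state.get_state("dirsrv", "upgrade-in-progress")
```

Without the marker the second run ends with nsslapd-port restored to "0" (the symptom from the PR); with it, the original 389 survives and the marker is cleared once the restore completes.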
[freeipa PR#5206][opened] [WIP] ipa-kdb: support subordinate/superior UPN suffixes
by abbra
URL: https://github.com/freeipa/freeipa/pull/5206
Author: abbra
Title: #5206: [WIP] ipa-kdb: support subordinate/superior UPN suffixes
Action: opened
PR body:
"""
[MS-ADTS] 6.1.6.9.3.2 requires the msDS-TrustForestTrustInfo attribute of
trusted domain information in Active Directory to conform to certain rules.
One side-effect of those rules is that the list of UPN suffixes reported
through the netr_DsRGetForestTrustInformation function is dynamically
filtered to deduplicate subordinate suffixes.
It means that if the list of UPN suffixes contains the following top level
names (TLNs):
fabrikam.com
sub.fabrikam.com
then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
as the TLN, fully filtering 'sub.fabrikam.com'.
The IPA KDB driver used an exact comparison of the UPN suffixes so any
subordinate had to be specified exactly.
Modify the logic so that if the exact check does not succeed, we validate a
realm to test being a subordinate of the known UPN suffixes. The
subordinate check is done by making sure the UPN suffix is at the end of the
test realm and is immediately preceded with a dot.
Because the function to check suffixes is potentially called for every
Kerberos principal, precalculate and cache the length for each UPN suffix at
the time we retrieve the list of them.
Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5206/head:pr5206
git checkout pr5206
3 years, 6 months
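The subordinate-suffix rule in the PR above (suffix at the end of the realm, a dot immediately before it, lengths cached when the suffix list is loaded) is shown below as an added Python example. It is not ipa-kdb code (that driver is C) and the function names are this example's own; lower-casing both sides is this example's assumption since DNS names compare case-insensitively, and the requirement that at least one character precede the dot is an extra guard not stated in the PR.

```python
def prepare_upn_suffixes(suffixes):
    """Normalise once and precompute lengths, mirroring the PR's caching of
    suffix lengths at load time rather than per principal lookup."""
    return [(s.lower(), len(s)) for s in suffixes]


def realm_matches_upn_suffix(realm, prepared):
    """True if realm equals a known UPN suffix or is a DNS subordinate of it.

    Subordinate means the suffix sits at the end of the realm with a dot
    right before it, so 'sub.fabrikam.com' matches 'fabrikam.com' but
    'subfabrikam.com' and 'fabrikam.com.evil' do not.
    """
    r = realm.lower()
    rlen = len(r)
    for suffix, slen in prepared:
        if rlen == slen and r == suffix:
            return True                      # exact match: the pre-PR behaviour
        # rlen > slen + 1 rejects ".fabrikam.com" (empty label before the dot);
        # the PR itself only requires the dot.
        if rlen > slen + 1 and r.endswith(suffix) and r[rlen - slen - 1] == ".":
            return True
    return False


def classify_realms(realms, suffixes):
    """Map each candidate realm to whether it is covered by the suffix list."""
    prepared = prepare_upn_suffixes(suffixes)
    return {realm: realm_matches_upn_suffix(realm, prepared) for realm in realms}
```

The length comparison before endswith() is what keeps the check cheap when it runs for every principal: most candidates are rejected on length alone.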
[freeipa PR#5107][opened] [Container] Unify access to FQDN
by tiran
URL: https://github.com/freeipa/freeipa/pull/5107
Author: tiran
Title: #5107: [Container] Unify access to FQDN
Action: opened
PR body:
"""
FreeIPA's Python and C code used different approaches to get the FQDN of
the host. Some places assumed that gethostname() returns a FQDN. Other
code paths used glibc's resolver to resolve the current node name to a
FQDN.
Python code now uses the ipalib.constants.FQDN where a fully qualified
domain name is expected. The variable is initialized only once and avoids
potential DNS lookups.
C code uses a new helper function ipa_gethostfqdn() in the util package. The
function implements similar logic to gethostfqdn() except that it uses the more
modern getaddrinfo(). The result is cached as well.
Signed-off-by: Christian Heimes <cheimes(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5107/head:pr5107
git checkout pr5107
3 years, 6 months
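The two cases the PR above distinguishes, gethostname() already returning a dotted name versus a short node name that has to be qualified through the resolver, and the single-initialisation cache, can be illustrated with the added Python below. This is example code, not ipalib.constants.FQDN or ipa_gethostfqdn(); the names are this example's own, and raising ValueError when no qualified name can be found is this example's choice rather than anything the PR states.

```python
import socket


def resolve_canonical_name(name):
    """Ask the system resolver (getaddrinfo with AI_CANONNAME) for the
    canonical name of `name`; returns `name` unchanged if none comes back."""
    infos = socket.getaddrinfo(name, None, flags=socket.AI_CANONNAME)
    for _family, _type, _proto, canonname, _sockaddr in infos:
        if canonname:
            return canonname
    return name


def compute_fqdn(hostname, resolve=resolve_canonical_name):
    """Qualify `hostname` only when it is not already dotted.

    A dotted gethostname() result is trusted as-is, which is what avoids the
    DNS round trip; a short name goes through the resolver once.
    """
    if "." in hostname:
        return hostname
    fqdn = resolve(hostname)
    if "." not in fqdn:
        # Example's own policy: a server needs a real FQDN, so fail loudly
        # rather than silently carry a short name into certificates and SPNs.
        raise ValueError("cannot qualify hostname %r" % hostname)
    return fqdn


class FqdnCache:
    """Resolve once, then hand out the cached value (like a module constant).
    The hook parameters exist so the lookup can be faked in tests."""

    def __init__(self, gethostname=socket.gethostname, resolve=resolve_canonical_name):
        self._gethostname = gethostname
        self._resolve = resolve
        self._fqdn = None

    def get(self):
        if self._fqdn is None:
            self._fqdn = compute_fqdn(self._gethostname(), self._resolve)
        return self._fqdn


FQDN_CACHE = FqdnCache()   # uses the real resolver; nothing is resolved until get()
```

Note that getaddrinfo() consults /etc/hosts and nsswitch before DNS, so a stale hosts entry qualifies the name just as effectively as a DNS record does; that is the thing to check first when the cached FQDN looks wrong.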
[freeipa PR#5160][opened] Add libpwquality checking to IPA password policy
by rcritten
URL: https://github.com/freeipa/freeipa/pull/5160
Author: rcritten
Title: #5160: Add libpwquality checking to IPA password policy
Action: opened
PR body:
"""
This adds support for some of the libpwquality password checking features:
* palindromes (automatic)
* maximum number of repeats in a row
* maximum number of monotonic sequences (abcde, 1234, etc)
* check for username in the password
* dict check via cracklib
I attempted to retain backwards compatibility so didn't enable the character class evaluations. We could totally do this but it adds six more knobs.
I didn't enable the gecos check to avoid an nss lookup which would pass through a lot of libraries only to end up back at IPA :-)
Note that pwquality has a minimum character limit of six which is different than IPA so a limit of six is enforced if any of the pwquality values are set.
I suspect the SELinux policy I wrote isn't awesome.
TODO: finalize the IANA attributes and objectclasses values
TODO: merge the test into another class or determine frequency to execute
TODO: I'm open to ipa-next only
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5160/head:pr5160
git checkout pr5160
3 years, 6 months
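To make the checks listed in the PR above concrete, here is an added pure-Python checker implementing the same five rules plus the six-character floor the PR mentions. It is example code, not FreeIPA's plugin and not libpwquality itself; the function names, the rule names it returns, and the reading of "maximum number of monotonic sequences" as the longest run of consecutive ±1 characters (libpwquality's maxsequence) are this example's interpretation.

```python
PWQUALITY_MIN_LENGTH = 6   # floor libpwquality enforces, per the PR


def is_palindrome(pw):
    return len(pw) > 1 and pw == pw[::-1]


def longest_repeat_run(pw):
    """Longest run of one character in a row ('xaaaay' -> 4)."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def longest_monotonic_run(pw):
    """Longest run where each char is the previous one +1 or -1
    ('abcde' -> 5, '4321' -> 4); this example's reading of maxsequence."""
    if not pw:
        return 0
    best = up = down = 1
    for i in range(1, len(pw)):
        step = ord(pw[i]) - ord(pw[i - 1])
        up = up + 1 if step == 1 else 1
        down = down + 1 if step == -1 else 1
        best = max(best, up, down)
    return best


def contains_username(pw, username):
    """Username (or its reverse) inside the password, case-insensitively.
    Very short usernames are skipped so 'al' does not reject every password."""
    u, p = username.lower(), pw.lower()
    return len(u) >= 3 and (u in p or u[::-1] in p)


def check_password(pw, username, minlen=0, maxrepeat=0, maxsequence=0, usercheck=False):
    """Return the list of violated rule names (empty list means acceptable).

    Zero/False knobs are off. The palindrome check is always on, as in the
    PR. Enabling any pwquality knob raises the minimum length to six,
    mirroring the PR's note about the pwquality floor.
    """
    errors = []
    if maxrepeat or maxsequence or usercheck:
        minlen = max(minlen, PWQUALITY_MIN_LENGTH)
    if len(pw) < minlen:
        errors.append("too_short")
    if is_palindrome(pw):
        errors.append("palindrome")
    if maxrepeat and longest_repeat_run(pw) > maxrepeat:
        errors.append("max_repeat")
    if maxsequence and longest_monotonic_run(pw) > maxsequence:
        errors.append("max_sequence")
    if usercheck and contains_username(pw, username):
        errors.append("contains_username")
    return errors
```

The dictionary check via cracklib is deliberately left out: it needs the cracklib word list on disk, and the point of the checks shown here is that they are pure string tests that run with no external data.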