[freeipa PR#5264][opened] [ipatests] Raise log level of 389-ds replication
by stanislavlevin
URL: https://github.com/freeipa/freeipa/pull/5264
Author: stanislavlevin
Title: #5264: [ipatests] Raise log level of 389-ds replication
Action: opened
PR body:
"""
- change log level for replication debugging
According to the docs:
```
default level of logging(16384) used for critical errors and other messages that are always
written to the error log. Messages at this level are always included in the error log, regardless
of the log level setting.
```
- always flush the access logs to filesystem
During testing, access logs may be written with a significant delay; this results in logs not being collected by this test node but, for example, by the next one.
- as of now, the changes on `cn=config` are made after the installation of a server or replica. If an error occurs during these stages, then the actual log level will be the default and not as expected.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5264/head:pr5264
git checkout pr5264
[freeipa PR#5385][opened] selinux: modify policy to allow one-way trust
by flo-renaud
URL: https://github.com/freeipa/freeipa/pull/5385
Author: flo-renaud
Title: #5385: selinux: modify policy to allow one-way trust
Action: opened
PR body:
"""
In selinux enforcing mode, the command ipa trust-add fails
to establish a one-way trust, during the step fetching the remote
domains.
This step calls a script over DBus and oddjob, that is executed
with oddjob_t context. The policy must allow noatsecure.
Currently the optional_policy is defined in selinux-policy
repo but is ineffective as ipa_helper_noatsecure is not defined
in this repo. When the optional_policy is defined in our own
module, it is taken into account and ipa trust-add succeeds.
Fixes: https://pagure.io/freeipa/issue/8508
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5385/head:pr5385
git checkout pr5385
[freeipa PR#5338][opened] ipa-cert-fix: do not fail when CSR is missing from CS.cfg
by flo-renaud
URL: https://github.com/freeipa/freeipa/pull/5338
Author: flo-renaud
Title: #5338: ipa-cert-fix: do not fail when CSR is missing from CS.cfg
Action: opened
PR body:
"""
### ipa-cert-fix: do not fail when CSR is missing from CS.cfg
When the CSR for an expired cert is not found in
/etc/pki/pki-tomcat/{ca|kra}/CS.cfg, ipa-cert-fix fails to
renew the certificate and repair the installation.
The CSR can be found using certmonger as it is stored in
/var/lib/certmonger/requests/<ID> in the "csr" attribute.
Prior to calling pki-server cert-fix, make sure that the
CSR is present in CS.cfg, or update CS.cfg with the content
found using certmonger.
Fixes: https://pagure.io/freeipa/issue/8618
### ipatests: add a test for ipa-cert-fix
Add a new test for ipa-cert-fix issue 8618. When the CSR for one
of the certs to be renewed is missing from /etc/pki/pki-tomcat/{ca|kra}/CS.cfg,
ipa-cert-fix fails to renew the certificates.
Test scenario:
- move the date in the future to expire PKI system certificates (+3 years)
- delete the directive ca.sslserver.certreq from CS.cfg
- call ipa-cert-fix and ensure that the CSR was found
Related: https://pagure.io/freeipa/issue/8618
### ipatests: add test_ipa_cert_fix to the nightly definitions
Add the new test test_integration/test_ipa_cert_fix.py to the
nightly definitions.
Related: https://pagure.io/freeipa/issue/8618
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5338/head:pr5338
git checkout pr5338