freeipa.git/ipatests/pytest_ipa/integration, branch fix_ber_scanf FreeIPA patches ipatests: modify run_command to allow specify successful return codes 2019-09-06T10:11:04+00:00 Sergey Orlov sorlov@redhat.com 2019-08-23T13:13:29+00:00 1fe69f352b28c7bbf218c9d3ece4b45eac6ddad6 Reviewed-By: Michal Polovka <mpolovka@redhat.com> Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com> 
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
ipatests: add utility functions related to using and managing user accounts 2019-09-06T10:11:04+00:00 Sergey Orlov sorlov@redhat.com 2019-07-29T09:08:59+00:00 3fa7865ff8c48a35d0d120c74da76ea4076a6aa4 Reviewed-By: Michal Polovka <mpolovka@redhat.com> Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com> 
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
ipatests: allow to pass additional options for clients installation 2019-09-06T10:11:04+00:00 Sergey Orlov sorlov@redhat.com 2019-07-29T09:07:59+00:00 074bf285f185d96d67cf9f410f1e8935078d15eb Reviewed-By: Michal Polovka <mpolovka@redhat.com> Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com> 
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Test external CA with DNS name constraints 2019-08-06T10:39:46+00:00 Christian Heimes cheimes@redhat.com 2019-08-06T07:56:35+00:00 69138c848d605ddcb997c8d3f6d51ebdc561c8a6 Verify that FreeIPA can be installed with an external CA that has a name constraints extension. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Verify that FreeIPA can be installed with an external CA that has a name
constraints extension.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipatests: Add tests for interactive chronyd config 2019-07-31T12:21:37+00:00 Tibor Dudlák tdudlak@redhat.com 2019-07-17T13:46:43+00:00 2bc7fb7fd0b0dec3b7fd8d25b4a30aa453537dfd Add interactive configuration tests for ipa-server-install and ipa-client-install FreeIPA server as it is now is unable to configure NTP interactively for replica installations. Resolves: https://pagure.io/freeipa/issue/7908 Reviewed-By: Michal Polovka <mpolovka@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Add interactive configuration tests for
ipa-server-install and ipa-client-install
FreeIPA server as it is now is unable to
configure NTP interactively for replica
installations.

Resolves: https://pagure.io/freeipa/issue/7908
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipatests: Update test tasks for client to be interactive 2019-07-31T12:21:37+00:00 Tibor Dudlák tdudlak@redhat.com 2019-07-23T13:02:33+00:00 44bcf0990fd5ed64c9997420b19db161b3b407fe Related: https://pagure.io/freeipa/issue/7908 Reviewed-By: Michal Polovka <mpolovka@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Related: https://pagure.io/freeipa/issue/7908
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipatests: rename config_replica_resolvconf_with_master_data() 2019-07-30T21:42:54+00:00 François Cami fcami@redhat.com 2019-07-30T14:30:41+00:00 526b85a66e9ab90a5c4ef3f9ecca200664e1af9e config_replica_resolvconf_with_master_data() is not replica specific. Rename to config_host_resolvconf_with_master_data() as it is not tied to any role (master, replica, client). Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Sergey Orlov <sorlov@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
config_replica_resolvconf_with_master_data() is not replica specific.
Rename to config_host_resolvconf_with_master_data() as it is not tied
to any role (master, replica, client).

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipatests: new test for trust with partially unreachable AD topology 2019-07-15T12:35:51+00:00 Sergey Orlov sorlov@redhat.com 2019-07-02T13:54:39+00:00 843f57abe431bcf493e0bcce8ef07255be986435 Establishing trust with partially unavailable AD hosts require usage of --server option. The new test checks that both commands trust-add and trust-fetch-domains properly use this option and also that trust-add correctly passes the server value when imlicitly invoking trust-fetch-domains. Relates to: https://pagure.io/freeipa/issue/7895. Reviewed-By: Tibor Dudlak <tdudlak@redhat.com> 
Establishing trust with partially unavailable AD hosts require usage
of --server option. The new test checks that both commands trust-add
and trust-fetch-domains properly use this option and also that
trust-add correctly passes the server value when imlicitly invoking
trust-fetch-domains.

Relates to: https://pagure.io/freeipa/issue/7895.

Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Make use of `named` well-known service 2019-06-25T13:33:06+00:00 Stanislav Levin slev@altlinux.org 2019-06-21T21:01:41+00:00 8f7d33356503794463611eb48317c9998187eddb The systemd unit name of `named`(which is actually used) is platform-dependent: debian - bind9-pkcs11.service fedora - named-pkcs11.service redhat - named-pkcs11.service Other systems may have their own name of `bind` service. But the default one (`named-pkcs11`) is assumed in many tests. Of course, these tests fail on such platforms. This can be easily fixed. All platforms define well-knownservice `named`, which is linked to the actually utilized one. Fixes: https://pagure.io/freeipa/issue/7990 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
The systemd unit name of `named`(which is actually used) is platform-dependent:
debian - bind9-pkcs11.service
fedora - named-pkcs11.service
redhat - named-pkcs11.service

Other systems may have their own name of `bind` service.
But the default one (`named-pkcs11`) is assumed in many tests.
Of course, these tests fail on such platforms.

This can be easily fixed.
All platforms define well-knownservice `named`, which is linked to
the actually utilized one.

Fixes: https://pagure.io/freeipa/issue/7990
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipatests: allow to relax security of LDAP connection from controller to IPA host 2019-06-05T12:45:57+00:00 Sergey Orlov sorlov@redhat.com 2019-05-30T13:20:58+00:00 cd2b2443c5ba2f4885e3d85f98332b2fa8b30432 The Host.ldap_connect() method uses LDAPClient from ipapython package. In a3934a21 we started to use secure connection from tests controller to ipa server. And also 5be9341f changed the LDAPClient.simple_bind method to forbid password based authentiction over insecure connection. This makes it imposible to establish ldap connection in some test configurations where hostnames known to ipa server do not match ones known to tests controller (i.e. when host.hostname != host.external_hostname) because TLS certificate is issued for host.hostname and test controller tries to verify it against host.external_hostname. A sublass of LDAPClient is provided which allows to skip certificate check. Fixes: https://pagure.io/freeipa/issue/7960 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> 
The Host.ldap_connect() method uses LDAPClient from ipapython package.
In a3934a21 we started to use secure connection from tests controller to
ipa server. And also 5be9341f changed the LDAPClient.simple_bind method
to forbid password based authentiction over insecure connection.
This makes it imposible to establish ldap connection in some test
configurations where hostnames known to ipa server do not match ones known
to tests controller (i.e. when host.hostname != host.external_hostname)
because TLS certificate is issued for host.hostname and test controller
tries to verify it against host.external_hostname.

A sublass of LDAPClient is provided which allows to skip certificate check.

Fixes: https://pagure.io/freeipa/issue/7960
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>