User add fix #6199 #3

MartinBasti · 2016-08-19T09:39:09Z

We do not have right to write to users delete_container. In case that
user already exists in that container and we tried to add entry, we
receive ACIError. This must be checked and DuplicationEntry error must
be raised before.

https://fedorahosted.org/freeipa/ticket/6199

HonzaCholasta · 2016-08-22T05:33:30Z

This is not very comprehensible. I would rather replace the:

    dn = self.obj.get_either_dn(*keys, **options)

at the beginning of user_add.pre_callback with:

    delete_dn = self.obj.get_delete_dn(*keys, **options)
    try:
        ldap.get_entry(delete_dn, [''])
    except errors.NotFound:
        pass
    else:
        self.obj.handle_duplicate_entry(*keys)

Note that this assumes that the routine to get delete_dn was split off from user.get_either_dn() into user.get_delete_dn() to avoid copy-pasta.

We do not have right to write to users delete_container. In case that user already exists in that container and we tried to add entry, we receive ACIError. This must be checked and DuplicationEntry error must be raised before. https://fedorahosted.org/freeipa/ticket/6199

HonzaCholasta · 2016-08-30T06:22:18Z

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/5c50b265e6b5a0d06f213b5eb581c96e3392aeea

is successful after adding ldap_deref_threshold=0 in sssd.conf Problem: After adding ldap_deref_threshold=0 setting for sssd for performance enhancement ssh fro ipa client was failing Test Procedure: 1. setup a master and a client 2. add ldap_deref_threshold=0 to sssd.conf 3. add an ipa user 4. ssh from client to master using the user created in step 3 related ticket: https://pagure.io/SSSD/sssd/issue/3979 Removed test_client.py since this test can has added to test_commands.py. SSH after adding performance parameter is tested from controller machine instead of a client machine. Patch freeipa#2 Fixed missing import Patch freeipa#3 Added test cleanup post test Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>

is successful after adding ldap_deref_threshold=0 in sssd.conf Problem: After adding ldap_deref_threshold=0 setting for sssd for performance enhancement ssh fro ipa client was failing Test Procedure: 1. setup a master and a client 2. add ldap_deref_threshold=0 to sssd.conf 3. add an ipa user 4. ssh from client to master using the user created in step 3 related ticket: https://pagure.io/SSSD/sssd/issue/3979 Removed test_client.py since this test can has added to test_commands.py. SSH after adding performance parameter is tested from controller machine instead of a client machine. Patch freeipa#2 Fixed missing import Patch freeipa#3 Added test cleanup post test Patch freeipa#4 Used modify_sssd_conf instead of parsing lines Patch freeipa#5 Added pytest.xfail based on the sssd package version Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>

is successful after adding ldap_deref_threshold=0 in sssd.conf Problem: After adding ldap_deref_threshold=0 setting for sssd for performance enhancement ssh fro ipa client was failing Test Procedure: 1. setup a master and a client 2. add ldap_deref_threshold=0 to sssd.conf 3. add an ipa user 4. ssh from client to master using the user created in step 3 related ticket: https://pagure.io/SSSD/sssd/issue/3979 Removed test_client.py since this test can has added to test_commands.py. SSH after adding performance parameter is tested from controller machine instead of a client machine. Patch freeipa#2 Fixed missing import Patch freeipa#3 Added test cleanup post test Patch freeipa#4 Used modify_sssd_conf instead of parsing lines Patch freeipa#5 Added pytest.xfail based on the sssd package version Patch freeipa#6 Replaced `rpm -qa sssd` call to `sssd --version` Added kinit <username> call Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>

Problem: If a replica installation fails before all the services have been enabled then it could leave things in a bad state. ipa-replica-manage del <replica> --cleanup --force invalid 'PKINIT enabled server': all masters must have IPA master role enabled Test Steps: 1. Setup server 2. Setup replica 3. modify the replica entry on Master: ldapmodify -D cn="Directory Manager"-w <passwd> dn: cn=KDC,cn=<replicaFQDN>,cn=masters,cn=ipa,cn=etc,<baseDN> changetype: modify replace: ipaconfigstring ipaconfigstring: pkinitEnabled ipaconfigstring: configuredService 4. On master, run ipa-replica-manage del <replicaFQDN> --cleanup --force Related Ticket: https://pagure.io/freeipa/issue/7929 Patch freeipa#2 fixed linting errors Patch freeipa#3 Fixed review comments Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>

Problem: If a replica installation fails before all the services have been enabled then it could leave things in a bad state. ipa-replica-manage del <replica> --cleanup --force invalid 'PKINIT enabled server': all masters must have IPA master role enabled Test Steps: 1. Setup server 2. Setup replica 3. modify the replica entry on Master: ldapmodify -D cn="Directory Manager"-w <passwd> dn: cn=KDC,cn=<replicaFQDN>,cn=masters,cn=ipa,cn=etc,<baseDN> changetype: modify replace: ipaconfigstring ipaconfigstring: pkinitEnabled ipaconfigstring: configuredService 4. On master, run ipa-replica-manage del <replicaFQDN> --cleanup --force Related Ticket: https://pagure.io/freeipa/issue/7929 Patch freeipa#2 fixed linting errors Patch freeipa#3 Fixed review comments Patch freeipa#4 Removed hard coded realm Other minor changes Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>

Problem: If a replica installation fails before all the services have been enabled then it could leave things in a bad state. ipa-replica-manage del <replica> --cleanup --force invalid 'PKINIT enabled server': all masters must have IPA master role enabled Test Steps: 1. Setup server 2. Setup replica 3. modify the replica entry on Master: ldapmodify -D cn="Directory Manager"-w <passwd> dn: cn=KDC,cn=<replicaFQDN>,cn=masters,cn=ipa,cn=etc,<baseDN> changetype: modify replace: ipaconfigstring ipaconfigstring: pkinitEnabled ipaconfigstring: configuredService 4. On master, run ipa-replica-manage del <replicaFQDN> --cleanup --force Related Ticket: https://pagure.io/freeipa/issue/7929 Patch freeipa#2 fixed linting errors Patch freeipa#3 Fixed review comments Patch freeipa#4 Removed hard coded realm Other minor changes Fixed import error Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>

is successful after adding ldap_deref_threshold=0 in sssd.conf Problem: After adding ldap_deref_threshold=0 setting for sssd on master for performance enhancement ssh from ipa client was failing Test Procedure: 1. setup a master 2. add ldap_deref_threshold=0 to sssd.conf on master 3. add an ipa user 4. ssh from client to master using the user created in step 3 related ticket: https://pagure.io/SSSD/sssd/issue/3979 Removed test_client.py since this test can has added to test_commands.py. SSH after adding performance parameter is tested from controller machine instead of a client machine. Patch freeipa#2 Fixed missing import Patch freeipa#3 Added test cleanup post test Patch freeipa#4 Used modify_sssd_conf instead of parsing lines Patch freeipa#5 Added pytest.xfail based on the sssd package version Patch freeipa#6 Replaced `rpm -qa sssd` call to `sssd --version` Added kinit <username> call Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>

is successful after adding ldap_deref_threshold=0 in sssd.conf Problem: After adding ldap_deref_threshold=0 setting for sssd on master for performance enhancement ssh from ipa client was failing Test Procedure: 1. setup a master 2. add ldap_deref_threshold=0 to sssd.conf on master 3. add an ipa user 4. ssh from controller to master using the user created in step 3 related ticket: https://pagure.io/SSSD/sssd/issue/3979 Removed test_client.py since this test can has added to test_commands.py. SSH after adding performance parameter is tested from controller machine instead of a client machine. Patch freeipa#2 Fixed missing import Patch freeipa#3 Added test cleanup post test Patch freeipa#4 Used modify_sssd_conf instead of parsing lines Patch freeipa#5 Added pytest.xfail based on the sssd package version Patch freeipa#6 Replaced `rpm -qa sssd` call to `sssd --version` Added kinit <username> call Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>

Problem: If a replica installation fails before all the services have been enabled then it could leave things in a bad state. ipa-replica-manage del <replica> --cleanup --force invalid 'PKINIT enabled server': all masters must have IPA master role enabled Test Steps: 1. Setup server 2. Setup replica 3. modify the replica entry on Master: ldapmodify -D cn="Directory Manager"-w <passwd> dn: cn=KDC,cn=<replicaFQDN>,cn=masters,cn=ipa,cn=etc,<baseDN> changetype: modify replace: ipaconfigstring ipaconfigstring: pkinitEnabled ipaconfigstring: configuredService 4. On master, run ipa-replica-manage del <replicaFQDN> --cleanup --force Related Ticket: https://pagure.io/freeipa/issue/7929 Patch freeipa#2 fixed linting errors Patch freeipa#3 Fixed review comments Patch freeipa#4 Removed hard coded realm Other minor changes Fixed import error Patch freeipa#5 added test to nightly yamls Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>

Problem: If a replica installation fails before all the services have been enabled then it could leave things in a bad state. ipa-replica-manage del <replica> --cleanup --force invalid 'PKINIT enabled server': all masters must have IPA master role enabled Test Steps: 1. Setup server 2. Setup replica 3. modify the replica entry on Master: ldapmodify -D cn="Directory Manager"-w <passwd> dn: cn=KDC,cn=<replicaFQDN>,cn=masters,cn=ipa,cn=etc,<baseDN> changetype: modify replace: ipaconfigstring ipaconfigstring: pkinitEnabled ipaconfigstring: configuredService 4. On master, run ipa-replica-manage del <replicaFQDN> --cleanup --force Related Ticket: https://pagure.io/freeipa/issue/7929 Patch freeipa#2 fixed linting errors Patch freeipa#3 Fixed review comments Patch freeipa#4 Removed hard coded realm Other minor changes Fixed import error Patch freeipa#5 added test to nightly yamls Patch freeipa#6 removed test added to fedora 28 nightly as it is not needed Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>

Note sss_cache -E.

This will be squashed eventually. Keeping it separate so changes are more visible. 1. Change expectation on specific RA cert serial # 2;6 2. Sync SerialNumber error messages with Int 3. Treat a standalone install as a replica install Note that for freeipa#3 I'll need to ensure that CA-less -> CA-ful still works.

HonzaCholasta added ack Pull Request approved, can be merged pushed Pull Request has already been pushed labels Aug 30, 2016

HonzaCholasta closed this Aug 30, 2016

MartinBasti deleted the used-add-fix-6199 branch October 4, 2016 19:50

tiran pushed a commit to tiran/freeipa that referenced this pull request Mar 18, 2020

Merge pull request freeipa#3 from rbtcollins/master

06243da

Note sss_cache -E.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

User add fix #6199 #3

User add fix #6199 #3

MartinBasti commented Aug 19, 2016 •

edited by HonzaCholasta

HonzaCholasta commented Aug 22, 2016

HonzaCholasta commented Aug 30, 2016

User add fix #6199 #3

User add fix #6199 #3

Conversation

MartinBasti commented Aug 19, 2016 • edited by HonzaCholasta

HonzaCholasta commented Aug 22, 2016

HonzaCholasta commented Aug 30, 2016

MartinBasti commented Aug 19, 2016 •

edited by HonzaCholasta