
WIP: test GC in Azure pipelines #4219

Closed
wants to merge 44 commits into from

Conversation

abbra
Contributor

@abbra abbra commented Feb 11, 2020

Based on master...stanislavlevin:azure_integration_tests, experiment with building multi-container environment for testing GC in Azure Pipelines.

Steps to be done:

  • rebase to Rawhide
  • add Samba AD container
  • establish two-way trust to Samba AD
  • add GC test

stanislavlevin and others added 30 commits February 11, 2020 10:09
As of now, a list of tests which will be ignored by Pytest is
mandatory. But actually, a list of tests to run is explicitly set
in the yaml config. And thus, the 'ignore' list should be an optional field.

This sets up:
- run SSH daemon
- allow root user access via SSH
For now, a list of YAML files' paths is hardcoded (even after
globbing) into Makefile.am. Moreover, Azure templates are not
checked at all until Azure is triggered.

With this change, the list of YAMLs is populated automatically
on yamllinting.

Jinja templates are not parseable by a regular yaml module; to
skip those, YAML_TEMPLATE_FILES is utilized.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Fixes: https://pagure.io/freeipa/issue/3125
The schema for Active Directory is imported from [MSFT-ADSCHEMA]
https://www.microsoft.com/en-us/download/details.aspx?id=23782 in LDIF
format, as referenced in [MS-ADSC] specification.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Fixes: https://pagure.io/freeipa/issue/3125
convert-schema is a tool to convert Microsoft Active Directory schema
format to the format understood by 389-ds.

The converter is based on a similar tool from Samba AD.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Fixes: https://pagure.io/freeipa/issue/3125
Add Active Directory schema translated to 389-ds format

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Fixes: https://pagure.io/freeipa/issue/3125
In Active Directory schema, attributes marked with

isMemberOfPartialAttributeSet: TRUE

attribute are replicated to Global Catalog. Other attributes aren't
visible in Global Catalog.

Remove non-replicated attributes from the classes. This dramatically
reduces schema and possible conflicts with 389-ds core schema.
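The pruning this commit describes, as an added example (not FreeIPA's convert-schema tool) run over a constructed schema snippet: attributeSchema entries that lack isMemberOfPartialAttributeSet: TRUE are treated as not replicated to the Global Catalog and are removed from the classes' mustContain/mayContain lists.

```python
# Added example, not FreeIPA's convert-schema tool: keep only attributes that
# AD replicates to the Global Catalog and drop the others from class definitions.
# Constructed LDIF snippet shaped like the [MS-ADSC] schema export.
SAMPLE_LDIF = """\
dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: attributeSchema
lDAPDisplayName: sAMAccountName
isMemberOfPartialAttributeSet: TRUE

dn: CN=Unicode-Pwd,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: attributeSchema
lDAPDisplayName: unicodePwd

dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=test
objectClass: classSchema
lDAPDisplayName: user
mayContain: sAMAccountName
mayContain: unicodePwd
"""

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader (no folding/base64): one dict per blank-line block."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    return entries + ([current] if current else [])

def prune_to_partial_attribute_set(text: str) -> tuple[list[str], dict]:
    """Return (GC-visible attribute names, classes restricted to those names)."""
    entries = parse_ldif(text)
    # Only attributeSchema entries flagged TRUE are replicated; absent means not.
    replicated = {
        e["lDAPDisplayName"][0] for e in entries
        if "attributeSchema" in e.get("objectClass", [])
        and e.get("isMemberOfPartialAttributeSet", ["FALSE"])[0].upper() == "TRUE"
    }
    classes = {
        e["lDAPDisplayName"][0]: {
            key: [a for a in e.get(key, []) if a in replicated]
            for key in ("mustContain", "mayContain")
        }
        for e in entries if "classSchema" in e.get("objectClass", [])
    }
    return sorted(replicated), classes
```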
…ificates

Certmonger allows specifying multiple Kerberos principals when
requesting certificates. However,
ipalib/install/certmonger.py:request_cert() assumes we pass only a
single principal and implicitly inserts it into a list.

Support passing a list or tuple of principals. This is needed for Global
Catalog support where a three-component Kerberos principal
(ldap/host/domain@REALM) is used and the certificate has to have both.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Fixes: https://pagure.io/freeipa/issue/3125
Add installer/uninstaller for Global Catalog

In order to install:
  /usr/libexec/ipa/gc/ipa-gc-install --gc-password 'pwd' -U
- installs the global catalog as a dirsrv instance in
  /etc/dirsrv/slapd-GLOBAL-CATALOG
- the instance has a cn=Directory Manager user with 'pwd'
- the instance is listening on ports 3268 and 3269
- for CA-less installs, specify --gc-cert-file 'pkcs12' --gc-pin 'pin'

In order to uninstall:
  /usr/libexec/ipa/ipa-gc-install --uninstall -U
- removes the instance

The installation creates an entry
cn=GLOBAL-CATALOG,cn=$hostname,cn=masters,cn=ipa,cn=etc,$BASEDN
which means that ipactl start/ipactl stop also starts/stops the GC.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Fixes: https://pagure.io/freeipa/issue/3125
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Fixes: https://pagure.io/freeipa/issue/3125
Prepare ipaserver.install.upgradeinstance code to operate on different
directory server instance.

TODO:
 - api.Backend.ldap2 always operates on the primary instance, make sure
   to not use it in the GC upgrade, provide local connection
 - create IPAGCUpgrade class that predefines schema and updates paths
   and connects to GC instance
 - Plug IPAGCUpgrade into ipa-server-upgrade after the primary instance
   upgrade
 - Add options to ipa-ldap-updater to choose instance to operate on
 - Add documentation for server upgrade semantics and behavior
Active Directory LDAP schema includes objectGUID attribute which is
encoded as an octet string. For containers in Global Catalog we need to
specify objectGUID value in each object. For those objects that describe
a structure of Global Catalog, it is easier to autogenerate them
directly.

Add support to produce base64-encoded autogenerated uuid to ipa-uuid
plugin. If configuration has 'ipaUuidEncode: TRUE' attribute value, it
will be created as base64-encoded one. This is incompatible with
prefixed UUIDs and should be only used for octet strings.
Global Catalog is read-only. As a result, we map any successfully
authenticated SASL user to a DN of an object assigned read-only rights.

Both fully qualified and name-only SASL mappings are required.
Global Catalog is read-only. We grant read-only access to a majority of
objects in the GC tree to ldap:///all but the only object that will be
allowed to access it is controlled by the SASL mapping to
uid=read-only-principal,cn=configuration,$SUFFIX.
Remove (objectclass=*) target filter.
Two SASL mappings for fully qualified and non-fully qualified names can
be combined into the one that works for both IPA and trusted AD users.
- make ipa-server-install work even if samba-client is not installed
Currently ipa-server-install calls GC code to check if it needs to
be uninstalled, and it creates a dependency on samba.
Move the import so that there is no dependency on installation.

- make ipa-gc-install check that ad trust is installed
At the end of the global catalog install, update the DNS records
with SRV records for the global catalog:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs
_ldap._tcp.gc._msdcs
_gc._tcp.Default-First-Site-Name._sites
_gc._tcp
flo-renaud and others added 14 commits February 11, 2020 10:09
At the end of the global catalog install, the --populate option
allows copying the users and groups from IdM to the GC.
AD performs a search using the showInAdvancedViewOnly attribute when
looking for users/groups over the trust. This attribute is needed
in the schema in order to add an ACI allowing its use.
The foreign security principals will be stored in this container in the GC.
When a group is copied from 389-ds instance to the global catalog,
its groupType attribute depends on its type:
- posix groups are mapped to a security group/global
- external groups are mapped to a security group/domain-local
- non posix groups are mapped to a distribution group/global
The transformation library builds a SID for each user/group from the
value of ipantsecurityidentifier, but some entries don't contain this
attribute (for instance the non-posix groups).

For these entries, the SID is created from the ipauniqueid and a special
SID prefix S-1-738065- (ASCII codes of IPA concatenated).
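The groupType mapping from the commit above, as an added example (not the PR's transformation library): an IPA group entry is classified by its objectClass values (posixgroup, ipaexternalgroup, or neither) and given the AD groupType bits that match the commit's three cases; the numeric flag values are AD's documented groupType flags, and a decoder is included for checking what actually landed in the GC.

```python
# Added example, not the PR's transformation library: derive the AD groupType
# value for a group copied into the Global Catalog, following the mapping in
# the commit message. Flag values are AD's documented groupType bits; the
# objectClass names are the IPA ones (posixgroup, ipaexternalgroup).
GROUP_TYPE_GLOBAL = 0x00000002            # scope: global
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004      # scope: domain-local
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # security group (else distribution)


def to_signed32(value: int) -> int:
    """AD stores groupType as a signed 32-bit integer (0x80000002 -> -2147483646)."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def group_type_for(entry: dict) -> int:
    """Map an IPA group entry (dict of attribute -> list of values) to groupType."""
    classes = {oc.lower() for oc in entry.get("objectClass", [])}
    if "posixgroup" in classes:
        flags = GROUP_TYPE_SECURITY_ENABLED | GROUP_TYPE_GLOBAL
    elif "ipaexternalgroup" in classes:
        flags = GROUP_TYPE_SECURITY_ENABLED | GROUP_TYPE_DOMAIN_LOCAL
    else:
        flags = GROUP_TYPE_GLOBAL  # plain (non-posix) IPA group: distribution/global
    return to_signed32(flags)


def describe_group_type(value: int) -> str:
    """Decode a groupType read back from the GC, useful when auditing the copy."""
    flags = value & 0xFFFFFFFF
    kind = "security" if flags & GROUP_TYPE_SECURITY_ENABLED else "distribution"
    scope = "domain-local" if flags & GROUP_TYPE_DOMAIN_LOCAL else "global"
    return f"{kind}/{scope}"


# Constructed IPA entries in the shape an LDAP search returns them.
SAMPLE_GROUPS = {
    "admins": {"objectClass": ["ipausergroup", "posixgroup", "groupofnames"]},
    "ad_users_ext": {"objectClass": ["ipausergroup", "ipaexternalgroup", "groupofnames"]},
    "newsletter": {"objectClass": ["ipausergroup", "groupofnames"]},
}


def convert_all(groups: dict) -> dict:
    """Return {cn: (groupType, human-readable kind/scope)} for every group."""
    return {cn: (group_type_for(e), describe_group_type(group_type_for(e)))
            for cn, e in groups.items()}
```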
In order to avoid later circular dependency.
LDAPUpdate is currently able to connect only to 389-DS instance.
Modify the code to allow connection to a different instance, based on
its instance name / serverid.
1/ When the uninstaller is called but there is no GC, a scary message
is printed. Modify the message so that it reflects the status with no
need to raise any alarm.

2/ If the uninstaller is called on a node where the main 389ds instance
has already been uninstalled, trap the exception so that GC uninstaller
proceeds anyway.
@abbra abbra closed this Feb 11, 2020
@abbra
Contributor Author

abbra commented Feb 11, 2020

Sorry, wrong target for a pull request, the whole work is not ready yet, so I closed the pull request.

3 participants