From a1eb13cdbc109da8c028bb886a1207ea2cc23cee Mon Sep 17 00:00:00 2001

From: Christian Heimes <cheimes@redhat.com>

Date: Tue, 27 Jul 2021 11:54:20 +0200

Subject: [PATCH] Fix ldapupdate.get_sub_dict() for missing named user

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

The named user may not be present when ipa-server-dns and bind are not

installed. NAMED_UID and NAMED_GID constants are only used with local

DNS support.

Fixes: https://pagure.io/freeipa/issue/8936

Signed-off-by: Christian Heimes <cheimes@redhat.com>

Co-authored-by: François Cami <fcami@redhat.com>

Reviewed-By: Francois Cami <fcami@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

Reviewed-By: Francois Cami <fcami@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

 ipaserver/install/ldapupdate.py               | 14 +++++++---

 .../nightly_ipa-4-9_latest.yaml               | 12 +++++++++

 .../nightly_ipa-4-9_previous.yaml             | 12 +++++++++

 .../test_integration/test_installation.py     | 27 +++++++++++++++++++

 4 files changed, 62 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py

index 06cb78e0b..f0e7d6162 100644

--- a/ipaserver/install/ldapupdate.py

+++ b/ipaserver/install/ldapupdate.py

@@ -64,6 +64,15 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):

         idrange_size = idmax - idstart + 1

         subid_base_rid = constants.SUBID_RANGE_START - idrange_size

+    # uid / gid for autobind

+    # user is only defined when ipa-server-dns and bind are installed

+    try:

+        named_uid = platformconstants.NAMED_USER.uid

+        named_gid = platformconstants.NAMED_GROUP.gid

+    except ValueError:

+        named_uid = None

+        named_gid = None

+

     return dict(

         REALM=realm,

         DOMAIN=domain,

@@ -99,9 +108,8 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):

         DEFAULT_ADMIN_SHELL=platformconstants.DEFAULT_ADMIN_SHELL,

         SELINUX_USERMAP_DEFAULT=platformconstants.SELINUX_USERMAP_DEFAULT,

         SELINUX_USERMAP_ORDER=platformconstants.SELINUX_USERMAP_ORDER,

-        # uid / gid for autobind

-        NAMED_UID=platformconstants.NAMED_USER.uid,

-        NAMED_GID=platformconstants.NAMED_GROUP.gid,

+        NAMED_UID=named_uid,

+        NAMED_GID=named_gid,

     )

diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml

index 939ee2b7d..1c8c5ddfc 100644

--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml

+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml

@@ -547,6 +547,18 @@ jobs:

         timeout: 4800

         topology: *master_1repl_1client

+  fedora-latest-ipa-4-9/test_installation_TestInstallWithoutNamed:

+    requires: [fedora-latest-ipa-4-9/build]

+    priority: 50

+    job:

+      class: RunPytest

+      args:

+        build_url: '{fedora-latest-ipa-4-9/build_url}'

+        test_suite: test_integration/test_installation.py::TestInstallWithoutNamed

+        template: *ci-ipa-4-9-latest

+        timeout: 4800

+        topology: *master_1repl

+

   fedora-latest-ipa-4-9/test_idviews:

     requires: [fedora-latest-ipa-4-9/build]

     priority: 50

diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml

index 03658a934..6d121d59f 100644

--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml

+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml

@@ -547,6 +547,18 @@ jobs:

         timeout: 4800

         topology: *master_1repl_1client

+  fedora-previous-ipa-4-9/test_installation_TestInstallWithoutNamed:

+    requires: [fedora-previous-ipa-4-9/build]

+    priority: 50

+    job:

+      class: RunPytest

+      args:

+        build_url: '{fedora-previous-ipa-4-9/build_url}'

+        test_suite: test_integration/test_installation.py::TestInstallWithoutNamed

+        template: *ci-ipa-4-9-previous

+        timeout: 4800

+        topology: *master_1repl

+

   fedora-previous-ipa-4-9/test_idviews:

     requires: [fedora-previous-ipa-4-9/build]

     priority: 50

diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py

index e76fd0efe..e3c41eaa1 100644

--- a/ipatests/test_integration/test_installation.py

+++ b/ipatests/test_integration/test_installation.py

@@ -1853,3 +1853,30 @@ class TestInstallWithoutSudo(IntegrationTest):

         result = tasks.install_client(self.master, self.clients[0])

         assert self.no_sudo_str not in result.stderr_text

         assert self.sudo_version_str not in result.stdout_text

+

+

+class TestInstallWithoutNamed(IntegrationTest):

+    num_replicas = 1

+

+    @classmethod

+    def remove_named(cls, host):

+        # remove the bind package and make sure the named user does not exist.

+        # https://pagure.io/freeipa/issue/8936

+        result = host.run_command(['id', 'named'], raiseonerr=False)

+        if result.returncode == 0:

+            tasks.uninstall_packages(host, ['bind'])

+            host.run_command(['userdel', constants.NAMED_USER])

+        assert host.run_command(

+            ['id', 'named'], raiseonerr=False

+        ).returncode == 1

+

+    @classmethod

+    def install(cls, mh):

+        for tgt in (cls.master, cls.replicas[0]):

+            cls.remove_named(tgt)

+        tasks.install_master(cls.master, setup_dns=False)

+

+    def test_replica0_install(self):

+        tasks.install_replica(

+            self.master, self.replicas[0], setup_ca=False, setup_dns=False

+        )

-- 

2.31.1