From a1eb13cdbc109da8c028bb886a1207ea2cc23cee Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 27 Jul 2021 11:54:20 +0200
Subject: [PATCH] Fix ldapupdate.get_sub_dict() for missing named user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The named user may not be present when ipa-server-dns and bind are not
installed. NAMED_UID and NAMED_GID constants are only used with local
DNS support.

Fixes: https://pagure.io/freeipa/issue/8936
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Co-authored-by: François Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ipaserver/install/ldapupdate.py               | 14 +++++++---
 .../nightly_ipa-4-9_latest.yaml               | 12 +++++++++
 .../nightly_ipa-4-9_previous.yaml             | 12 +++++++++
 .../test_integration/test_installation.py     | 27 +++++++++++++++++++
 4 files changed, 62 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 06cb78e0b..f0e7d6162 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -64,6 +64,15 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
         idrange_size = idmax - idstart + 1
         subid_base_rid = constants.SUBID_RANGE_START - idrange_size
 
+    # uid / gid for autobind
+    # user is only defined when ipa-server-dns and bind are installed
+    try:
+        named_uid = platformconstants.NAMED_USER.uid
+        named_gid = platformconstants.NAMED_GROUP.gid
+    except ValueError:
+        named_uid = None
+        named_gid = None
+
     return dict(
         REALM=realm,
         DOMAIN=domain,
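Review bot: The fallback in the added `except ValueError:` branch leaves `named_uid` and `named_gid` as `None`, and the second hunk still publishes them as `NAMED_UID`/`NAMED_GID`, so the dictionary gives no signal that these keys are unusable on a host without the named account. Since the values feed an autobind uid/gid mapping, any update file that references them on a non-DNS install would presumably get the text `None` substituted rather than an error; that is inferred, as the consumers are not in this patch. I would extend the comment to state the contract, e.g. `# None when no local named account exists; only DNS-related updates may reference NAMED_UID / NAMED_GID`. The single `try` also discards a valid uid when only the group lookup fails, which is worth a word in the same comment. The body of get_sub_dict starts and ends outside this hunk.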
@@ -99,9 +108,8 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
         DEFAULT_ADMIN_SHELL=platformconstants.DEFAULT_ADMIN_SHELL,
         SELINUX_USERMAP_DEFAULT=platformconstants.SELINUX_USERMAP_DEFAULT,
         SELINUX_USERMAP_ORDER=platformconstants.SELINUX_USERMAP_ORDER,
-        # uid / gid for autobind
-        NAMED_UID=platformconstants.NAMED_USER.uid,
-        NAMED_GID=platformconstants.NAMED_GROUP.gid,
+        NAMED_UID=named_uid,
+        NAMED_GID=named_gid,
     )
 
 
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
index 939ee2b7d..1c8c5ddfc 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
@@ -547,6 +547,18 @@ jobs:
         timeout: 4800
         topology: *master_1repl_1client
 
+  fedora-latest-ipa-4-9/test_installation_TestInstallWithoutNamed:
+    requires: [fedora-latest-ipa-4-9/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-latest-ipa-4-9/build_url}'
+        test_suite: test_integration/test_installation.py::TestInstallWithoutNamed
+        template: *ci-ipa-4-9-latest
+        timeout: 4800
+        topology: *master_1repl
+
   fedora-latest-ipa-4-9/test_idviews:
     requires: [fedora-latest-ipa-4-9/build]
     priority: 50
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
index 03658a934..6d121d59f 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
@@ -547,6 +547,18 @@ jobs:
         timeout: 4800
         topology: *master_1repl_1client
 
+  fedora-previous-ipa-4-9/test_installation_TestInstallWithoutNamed:
+    requires: [fedora-previous-ipa-4-9/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-previous-ipa-4-9/build_url}'
+        test_suite: test_integration/test_installation.py::TestInstallWithoutNamed
+        template: *ci-ipa-4-9-previous
+        timeout: 4800
+        topology: *master_1repl
+
   fedora-previous-ipa-4-9/test_idviews:
     requires: [fedora-previous-ipa-4-9/build]
     priority: 50
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index e76fd0efe..e3c41eaa1 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1853,3 +1853,30 @@ class TestInstallWithoutSudo(IntegrationTest):
         result = tasks.install_client(self.master, self.clients[0])
         assert self.no_sudo_str not in result.stderr_text
         assert self.sudo_version_str not in result.stdout_text
+
+
+class TestInstallWithoutNamed(IntegrationTest):
+    num_replicas = 1
+
+    @classmethod
+    def remove_named(cls, host):
+        # remove the bind package and make sure the named user does not exist.
+        # https://pagure.io/freeipa/issue/8936
+        result = host.run_command(['id', 'named'], raiseonerr=False)
+        if result.returncode == 0:
+            tasks.uninstall_packages(host, ['bind'])
+            host.run_command(['userdel', constants.NAMED_USER])
+        assert host.run_command(
+            ['id', 'named'], raiseonerr=False
+        ).returncode == 1
+
+    @classmethod
+    def install(cls, mh):
+        for tgt in (cls.master, cls.replicas[0]):
+            cls.remove_named(tgt)
+        tasks.install_master(cls.master, setup_dns=False)
+
+    def test_replica0_install(self):
+        tasks.install_replica(
+            self.master, self.replicas[0], setup_ca=False, setup_dns=False
+        )
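Review bot: In `remove_named` the existence check runs `id` against the literal `'named'` while the removal uses `constants.NAMED_USER`, so on a platform where that constant is not `named` the precondition and the final assertion test a different account than the one deleted. Using the constant in both places keeps them in step: `host.run_command(['id', constants.NAMED_USER], raiseonerr=False)`. The test also only proves that installation completes; an assertion that no autobind mapping was written with an empty or `None` uid/gid would pin the behaviour the fix is meant to guarantee. Neither the new class nor its methods have a docstring, and one line on `TestInstallWithoutNamed` saying that it covers installation without bind and without the named user would help.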
-- 
2.31.1