Fixes #29649 - Drop default_server argument in IPA
ipa-getkeytab can figure out the default server on its own[1]. There is no
need to specify it, and doing so can even break things. For example, DNS can be
used to detect servers. Then the fact is empty and it fails, while the
command would actually pass.

The foreman_ipa fact is removed since it's a major version bump anyway
and nothing else should use our foreman_ipa fact.

[1] #880 (comment)
ekohl committed Jul 9, 2021
1 parent b759778 commit 0d06d2e
Showing 4 changed files with 2 additions and 37 deletions.
13 changes: 0 additions & 13 deletions lib/facter/sssd.rb
@@ -1,19 +1,6 @@
require 'facter/util/sssd'

if defined? Facter::Util::Sssd
# == Fact: foreman_ipa
Facter.add(:foreman_ipa, :type => :aggregate) do
{
:default_realm => 'global/realm',
:default_server => 'global/server',
}.each do |key, path|
chunk(key) do
val = Facter::Util::Sssd.ipa_value(path)
{key => val} if val
end
end
end

# == Fact: foreman_sssd
Facter.add(:foreman_sssd, :type => :aggregate) do
{
4 changes: 0 additions & 4 deletions lib/facter/util/sssd.rb
Expand Up @@ -11,10 +11,6 @@ def self.aug_value(lens, file, path)
end
end

def self.ipa_value(path)
aug_value('Puppet.lns', '/etc/ipa/default.conf', path)
end

def self.sssd_value(path)
val = aug_value('Sssd.lns', '/etc/sssd/sssd.conf', path)
val.split(',').map(&:strip) if val
8 changes: 2 additions & 6 deletions manifests/config.pp
Expand Up @@ -126,10 +126,6 @@
$foreman_socket_override = template('foreman/foreman.socket-overrides.erb')

if $foreman::ipa_authentication {
unless fact('foreman_ipa.default_server') {
fail("${facts['networking']['hostname']}: The system does not seem to be IPA-enrolled")
}

if $facts['os']['selinux']['enabled'] {
selboolean { ['allow_httpd_mod_auth_pam', 'httpd_dbus_sssd']:
persistent => true,
Expand Down Expand Up @@ -158,7 +154,7 @@
exec { 'ipa-getkeytab':
command => "/bin/echo Get keytab \
&& KRB5CCNAME=KEYRING:session:get-http-service-keytab kinit -k \
&& KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -s ${facts['foreman_ipa']['default_server']} -k ${http_keytab} -p HTTP/${facts['networking']['fqdn']} \
&& KRB5CCNAME=KEYRING:session:get-http-service-keytab /usr/sbin/ipa-getkeytab -k ${http_keytab} -p HTTP/${facts['networking']['fqdn']} \
&& kdestroy -c KEYRING:session:get-http-service-keytab",
creates => $http_keytab,
}
Expand All @@ -182,7 +178,7 @@


if $foreman::ipa_manage_sssd {
$sssd = $facts['foreman_sssd']
$sssd = pick(fact('foreman_sssd'), {})
$sssd_services = join(unique(pick($sssd['services'], []) + ['ifp']), ', ')
$sssd_ldap_user_extra_attrs = join(unique(pick($sssd['ldap_user_extra_attrs'], []) + ['email:mail', 'lastname:sn', 'firstname:givenname']), ', ')
$sssd_allowed_uids = join(unique(pick($sssd['allowed_uids'], []) + [$apache::user, 'root']), ', ')
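Review bot: Nothing in the visible manifest now checks IPA enrollment before the `ipa-getkeytab` exec: the first hunk drops the `fact('foreman_ipa.default_server')` guard, so a non-enrolled host no longer gets the explicit compile-time "does not seem to be IPA-enrolled" error and instead fails at apply time somewhere in the `&&` chain (presumably at `kinit -k`). Since the server is now whatever ipa-getkeytab selects itself, a comment above the exec would help the next reader, for example `# No -s: ipa-getkeytab picks the server itself (its own configuration or DNS discovery); a non-enrolled host fails at kinit -k`. In the last hunk, `pick(fact('foreman_sssd'), {})` makes a missing fact fall back to the module's own list entries only; if the resources outside this hunk write those values to sssd.conf, confirm that this cannot replace existing entries on a host where the fact failed to resolve. The spec section of this commit removes the not-enrolled examples without adding one that asserts the exec command no longer contains `-s`.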
14 changes: 0 additions & 14 deletions spec/classes/foreman_config_ipa_spec.rb
Expand Up @@ -16,23 +16,9 @@
context 'with apache' do
let(:params) { super().merge(apache: true) }

describe 'not IPA-enrolled system' do
describe 'ipa_server fact missing' do
it { should raise_error(Puppet::Error, /The system does not seem to be IPA-enrolled/) }
end

describe 'default_ipa_realm fact missing' do
it { should raise_error(Puppet::Error, /The system does not seem to be IPA-enrolled/) }
end
end

describe 'enrolled system' do
let(:facts) do
super().merge(
foreman_ipa: {
default_server: 'ipa.example.com',
default_realm: 'REALM'
},
foreman_sssd: {
services: ['ifp']
}
