From Fedora Project Wiki

Revision as of 14:09, 25 November 2024 by Sumantrom (talk | contribs) (Created page with "{{Infobox_group | name = IPA HSM Test Day | image = 300px|link=QA/Test Days | date = '''2024-12-09''' | time = all day | website = QA/Test Days | matrix = {{matrix|#test-day:fedoraproject.org}} | fedora_mailing_list = test }} {{admon/note | Can't make the date? | If you come to this page after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find, and add...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

IPA HSM Test Day

Date 2024-12-09
Time all day

Website QA/Test Days
Matrix #test-day:fedoraproject.org(other clients|?)
Mailing list test


Can't make the date?
If you come to this page after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find, and add your results to the results section. If this page is more than a month old when you arrive here, please check the current schedule and see if a similar but more recent Test Day is planned or has already happened.

What to test?

This Test Day will focus on FreeIPA HSM

Who's available

The following cast of characters will be available testing, workarounds, bug fixes, and general discussion:

You can chat with me on Matrix. See the infobox on top of the page to learn where to join.

Prerequisite for Test Day

  • A virtual machine or a bare metal machine
  • An installation of Fedora 41 (ideally Server). Make sure to fully update your system. If installing a fresh system, it's recommended to use the latest nightly image.

What to test

Prerequisites

You must install IPA on the new system (local server), and the domain/suffix must be the final expected values. The remote data will be converted to match the new local server. Typically it is expected that this installation be bare. The tool was not designed to merge two different installations (although it might work). IPA to IPA migration design

   IPA-to-IPA migration will be implemented as an AdminTool standalone client tool: /usr/sbin/ipa-migrate
   Migration will consist of three areas:
       Schema - the LDAP schema (objectclasses and attributes)
       Config - the LDAP configuration under cn=config (dse.ldif)
       Database - the main LDAP database
   Allow online (LDAP over the network) or offline (LDIF file) migration. You can mix and match LDIF (offline) with LDAP (online)

Online migration

Online migration consists of contacting the remote server over the network and pulling in all the required information. With very large databases this could impact the tool’s performance Offline migration

Offline migration consists of using LDIF files from the remote server

   Config - the DS config file: /etc/dirsrv/slapd-YOUR_LDAP_INSTANCE/dse.ldif
   Schema - all the schema files found under /etc/dirsrv/schema/ and /etc/dirsrv/slapd-YOUR_LDAP_INSTANCE/schema/
   Database - You need to export the userroot database to an ldif file

Then copy these LDIF files to the new local server

How to test?

Install freeIPA packages

  1. dnf -y install freeipa-server-dns

Set up environment variables on each machine/VM

 # export TOKEN_PASSWORD=password
 # export ADMIN_PASSWORD=password
 # export DM_PASSWORD=password

If using a supported hardware HSM ensure that it is working properly and have the token name and PKCS#11 library path handy.

In between tests

To re-use test machines in between installations:

On replica (if there is one)

 # ipa server-del $HOSTNAME
 # ipa-server-install –uninstall -U

On the initial IPA server

 # ipa-server-install –uninstall -U

If using softhsm2 you will also need to delete and re-create the token. To delete the token:

 # softhsm2-util --delete-token --token ipa_token

This should return the machine(s) to the pre-installed state.

Visit the results page and click on the column title links to see the tests that need to be run: most column titles are links to a specific test case. Follow the instructions there, then enter your results by clicking the Enter result button for the test.

Reporting bugs

Perhaps you've found an already-reported bug. Please look at:

All new bugs should be reported into the upstream bug tracker. A less-preferred alternative is to file them into Red Hat JIRA, in most cases against the ipa component.

We really need bug reports!
Please note that just mentioning your problem into the comments section on the results page is not very helpful. Very often those problems only happen in specific circumstances, or with specific steps taken. We need the logs and screenshots, and we need to be able to ask you followup questions. Please file bug reports, it's much more useful than a short comment. Thank you!

When filing the bug, it's very helpful to include:

  • exact steps you've performed (and whether you can reproduce it again)
  • screenshots or videos, if applicable
  • system journal (log), which you can retrieve by journalctl -b > journal.txt
  • all output in a terminal, if started from a terminal
  • your system description

If you are unsure about exactly how to file the report or what other information to include, just ask us.

Please make sure to link to the bug when submitting your test result, thanks!

Test Results

Visit the results page and click on the column title links to see the tests that need to be run: most column titles are links to a specific test case. Follow the instructions there, then enter your results by clicking the Enter result button for the test.