freeipa / freeipa-container

FreeIPA server in containers — images at https://quay.io/repository/freeipa/freeipa-server?tab=tags
Apache License 2.0

please add EPN tool #527

Closed hillar closed 1 year ago

hillar commented 1 year ago

please add Expiring Password Notification (EPN) tool

adelton commented 1 year ago

It is already in the images, see for example:

$ podman run --rm -ti --entrypoint rpm quay.io/freeipa/freeipa-server:fedora-38 -ql python3-ipaclient | grep ipa_epn.py
/usr/lib/python3.11/site-packages/ipaclient/install/ipa_epn.py

hillar commented 1 year ago

yeah, sorry just found it ;/

so as I understand, the only thing I am missing is https://github.com/freeipa/freeipa/blob/master/client/ipa-epn.in

adelton commented 1 year ago

That file does not seem to be packaged by any of the rpms in Fedora so you wouldn't get it on non-container installations either. If it is needed for anything, please work with the FreeIPA team to get it packaged and distributed -- it will then trickle down to the container images automatically.

abbra commented 1 year ago

@adelton it is freeipa-client-epn.

hillar commented 1 year ago

@b447dbac4ae1 /]# dnf provides ipa-epn
Last metadata expiration check: 1:08:21 ago on Thu May  4 07:08:44 2023.
freeipa-client-epn-4.10.0-6.fc37.x86_64 : Tools to configure Expiring Password Notification in IPA
Repo        : fedora
Matched from:
Filename    : /usr/sbin/ipa-epn

freeipa-client-epn-4.10.1-1.fc37.x86_64 : Tools to configure Expiring Password Notification in IPA
Repo        : updates
Matched from:
Filename    : /usr/sbin/ipa-epn

that was inside

"ImageDigest": "sha256:86ae34efebfa3bc44e7420c7184c131f8ace1e797743a5d82cb38777e3593f27",
"ImageName": "docker.io/freeipa/freeipa-server:fedora-37",

adelton commented 1 year ago

Well, I was searching for

$ podman run --rm -ti registry.fedoraproject.org/fedora:38 dnf whatprovides '*/ipa-epn.in'
Fedora 38 - x86_64                              7.7 MB/s |  83 MB     00:10    
Fedora 38 openh264 (From Cisco) - x86_64        2.2 kB/s | 2.5 kB     00:01    
Fedora Modular 38 - x86_64                      1.9 MB/s | 2.8 MB     00:01    
Fedora 38 - x86_64 - Updates                    4.4 MB/s |  12 MB     00:02    
Fedora Modular 38 - x86_64 - Updates            632  B/s | 257  B     00:00    
Error: No matches found. If searching for a file, try specifying the full path or using a wildcard prefix ("*/") at the beginning.

:-)

I wonder what the functional expectation would be here and if this should indeed be part of the freeipa-server container, rather than being in a separate container. The name of the package having client in it suggests that this might be meant to be decoupled from the server.

From the technical point of view, the /etc/ipa/ is already a symlink to /data/etc/ipa/ in the freeipa-server container, so configuring epn.conf should work, and so should enabling the timer in /data/etc/systemd/system/.
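
Added example, not part of the thread or of the project's code: a shell check that the EPN configuration and timer enablement described in the comment above actually sit on the persistent /data volume, so they survive recreating the container. The unit name ipa-epn.timer, the timers.target.wants/ enablement symlink and both function names are assumptions; the sample tree is constructed.

```shell
#!/bin/sh
# Assumptions (not from the thread): unit name ipa-epn.timer and the
# timers.target.wants/ symlink that `systemctl enable` creates.

# check_epn_persistence ROOT
#   ROOT is the container's root filesystem as seen by the caller
#   ("/" inside the container, or a mounted/extracted rootfs).
# Prints one line per finding; returns 0 only if every check passes.
check_epn_persistence() {
    root=${1%/}
    rc=0

    # /etc/ipa must be a symlink into the data volume, as stated in the thread.
    target=$(readlink "$root/etc/ipa" 2>/dev/null || true)
    case ${target%/} in
        /data/etc/ipa) echo "ok: /etc/ipa -> $target" ;;
        *) echo "FAIL: /etc/ipa is not a symlink to /data/etc/ipa"; rc=1 ;;
    esac

    # epn.conf must exist on the volume, or it is lost with the container.
    if [ -f "$root/data/etc/ipa/epn.conf" ]; then
        echo "ok: epn.conf is on the data volume"
    else
        echo "FAIL: /data/etc/ipa/epn.conf is missing"; rc=1
    fi

    # Timer enablement is a symlink under /data/etc/systemd/system/.
    want="$root/data/etc/systemd/system/timers.target.wants/ipa-epn.timer"
    if [ -L "$want" ]; then
        echo "ok: ipa-epn.timer is enabled on the data volume"
    else
        echo "FAIL: ipa-epn.timer is not enabled under /data/etc/systemd/system"; rc=1
    fi
    return $rc
}

# make_sample_root DIR: builds a constructed rootfs layout for a dry run.
make_sample_root() {
    mkdir -p "$1/etc" "$1/data/etc/ipa" \
             "$1/data/etc/systemd/system/timers.target.wants"
    ln -s /data/etc/ipa "$1/etc/ipa"
    : > "$1/data/etc/ipa/epn.conf"
    ln -s /usr/lib/systemd/system/ipa-epn.timer \
        "$1/data/etc/systemd/system/timers.target.wants/ipa-epn.timer"
}
```

Inside a running container the call is `check_epn_persistence /`; a non-zero return means some EPN state is in the image layer rather than on the volume.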

adelton commented 1 year ago

@hillar @abbra Any opinion about including it in the FreeIPA server container image vs. having it in a separate (client) container?

abbra commented 1 year ago

@adelton If you have that separate container, then add it there. If not, adding it to the IPA server container probably wouldn't hurt much.

adelton commented 1 year ago

Makes sense. Thanks, added to master and to images based on recent OS versions.