<feed xmlns='http://www.w3.org/2005/Atom'>
<title>freeipa.git/ipapython, branch 30gatepo</title>
<subtitle>FreeIPA project</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/'/>
<entry>
<title>IPA Server check in ipa-replica-manage</title>
<updated>2012-10-31T15:54:15+00:00</updated>
<author>
<name>Tomas Babej</name>
<email>tbabej@redhat.com</email>
</author>
<published>2012-10-02T13:15:33+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=e7c99e7d21f7923c92cf9dae9fd8c7d5ae4aa8cd'/>
<id>e7c99e7d21f7923c92cf9dae9fd8c7d5ae4aa8cd</id>
<content type='text'>
When executing ipa-replica-manage connect to a master that raises
NotFound error we now check if the master is at least IPA server.
If so, we inform the user that it is probably foreign or previously
deleted master. If not, we inform the user that the master is not
an IPA server at all.

https://fedorahosted.org/freeipa/ticket/3105
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When executing ipa-replica-manage connect to a master that raises
NotFound error we now check if the master is at least IPA server.
If so, we inform the user that it is probably foreign or previously
deleted master. If not, we inform the user that the master is not
an IPA server at all.

https://fedorahosted.org/freeipa/ticket/3105
</pre>
</div>
</content>
</entry>
<entry>
<title>Close connection after each request, avoid NSS shutdown problem.</title>
<updated>2012-10-24T19:07:53+00:00</updated>
<author>
<name>Rob Crittenden</name>
<email>rcritten@redhat.com</email>
</author>
<published>2012-10-17T20:58:54+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=fb7575d6b77c1d85539c8e71b7fa931e758704d3'/>
<id>fb7575d6b77c1d85539c8e71b7fa931e758704d3</id>
<content type='text'>
The unit tests were failing when executed against an Apache server
in F-18 due to dangling references causing NSS shutdown to fail.

https://fedorahosted.org/freeipa/ticket/3180
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The unit tests were failing when executed against an Apache server
in F-18 due to dangling references causing NSS shutdown to fail.

https://fedorahosted.org/freeipa/ticket/3180
</pre>
</div>
</content>
</entry>
<entry>
<title>Make sure the CA is running when starting services</title>
<updated>2012-10-24T02:02:21+00:00</updated>
<author>
<name>Petr Viktorin</name>
<email>pviktori@redhat.com</email>
</author>
<published>2012-09-25T13:57:03+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=d6fbbd530ee94bc4cdd00c9106fd789e50fb81cf'/>
<id>d6fbbd530ee94bc4cdd00c9106fd789e50fb81cf</id>
<content type='text'>
- Provide a function for determining the CA status using Dogtag 10's new
  getStatus endpoint.
  This must be done over HTTPS, but since our client certificate may not be set
  up yet, we need HTTPS without client authentication.
  Rather than copying from the existing http_request and https_request
  function, shared code is factored out to a common helper.
- Call the new function when restarting the CA service. Since our Service
  can only be extended in platform-specific code, do this for Fedora only.
  Also, the status is only checked with Dogtag 10+.
- When a restart call in cainstance failed, users were referred to the
  installation log, but no info was actually logged. Log the exception.

https://fedorahosted.org/freeipa/ticket/3084
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
- Provide a function for determining the CA status using Dogtag 10's new
  getStatus endpoint.
  This must be done over HTTPS, but since our client certificate may not be set
  up yet, we need HTTPS without client authentication.
  Rather than copying from the existing http_request and https_request
  function, shared code is factored out to a common helper.
- Call the new function when restarting the CA service. Since our Service
  can only be extended in platform-specific code, do this for Fedora only.
  Also, the status is only checked with Dogtag 10+.
- When a restart call in cainstance failed, users were referred to the
  installation log, but no info was actually logged. Log the exception.

https://fedorahosted.org/freeipa/ticket/3084
</pre>
</div>
</content>
</entry>
<entry>
<title>Add fallback for httpd restarts on sysV platforms</title>
<updated>2012-10-19T00:53:42+00:00</updated>
<author>
<name>Martin Kosek</name>
<email>mkosek@redhat.com</email>
</author>
<published>2012-10-18T14:50:08+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=9126b18d8bbf7d8f0f8981deb84f80f2eaa27bfe'/>
<id>9126b18d8bbf7d8f0f8981deb84f80f2eaa27bfe</id>
<content type='text'>
httpd init script on sysV based platforms cannot guarantee that two
consecutive httpd service restarts succeed when run in a small
time distance.

Add fallback procedure that adds additional waiting time after such
failed restart attempt, and then try to stop and start the service
again.

https://fedorahosted.org/freeipa/ticket/2965
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
httpd init script on sysV based platforms cannot guarantee that two
consecutive httpd service restarts succeed when run in a small
time distance.

Add fallback procedure that adds additional waiting time after such
failed restart attempt, and then try to stop and start the service
again.

https://fedorahosted.org/freeipa/ticket/2965
</pre>
</div>
</content>
</entry>
<entry>
<title>ipautil.run: Log the command line before running the command</title>
<updated>2012-10-17T22:29:35+00:00</updated>
<author>
<name>Petr Viktorin</name>
<email>pviktori@redhat.com</email>
</author>
<published>2012-09-25T13:29:49+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=049bc7042e63904555e87dab8997851398ffe05b'/>
<id>049bc7042e63904555e87dab8997851398ffe05b</id>
<content type='text'>
When the user interrupts a long-running command, this ensures that
the command is logged. Also, when watching log files (or the -d
output), it's apparent what's being done.

https://fedorahosted.org/freeipa/ticket/3174
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When the user interrupts a long-running command, this ensures that
the command is logged. Also, when watching log files (or the -d
output), it's apparent what's being done.

https://fedorahosted.org/freeipa/ticket/3174
</pre>
</div>
</content>
</entry>
<entry>
<title>Create Firefox extension on upgrade and replica-install</title>
<updated>2012-10-10T15:34:19+00:00</updated>
<author>
<name>Petr Viktorin</name>
<email>pviktori@redhat.com</email>
</author>
<published>2012-10-08T11:54:47+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=1dd103bc8c445a1fe4f5ab59a1e6a343a8984305'/>
<id>1dd103bc8c445a1fe4f5ab59a1e6a343a8984305</id>
<content type='text'>
If the signing cert is not available, create an unsigned extension.

Add a zip dependency to the specfile.

https://fedorahosted.org/freeipa/ticket/3150
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If the signing cert is not available, create an unsigned extension.

Add a zip dependency to the specfile.

https://fedorahosted.org/freeipa/ticket/3150
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix CA CRL migration crash in ipa-upgradeconfig</title>
<updated>2012-10-10T12:15:46+00:00</updated>
<author>
<name>Martin Kosek</name>
<email>mkosek@redhat.com</email>
</author>
<published>2012-10-10T10:37:24+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=fff56ee1c8e4513805d838005777b4ade6c32de9'/>
<id>fff56ee1c8e4513805d838005777b4ade6c32de9</id>
<content type='text'>
CRL migrate procedure did not check if a CA was actually configured
on an updated master/replica. This caused ipa-upgradeconfig to
crash on replicas without a CA.

Make sure that CRL migrate procedure is not run when CA is not
configured on given master. Also add few try..except clauses to
make the procedure more robust. There is also a small refactoring of
"&lt;service&gt; is not configured" log messages, so that they have matching
log level and message.

dogtag.py constants were updated to have a correct path to new CRL
directory on Fedora 18 (dogtag 10).

https://fedorahosted.org/freeipa/ticket/3159
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
CRL migrate procedure did not check if a CA was actually configured
on an updated master/replica. This caused ipa-upgradeconfig to
crash on replicas without a CA.

Make sure that CRL migrate procedure is not run when CA is not
configured on given master. Also add few try..except clauses to
make the procedure more robust. There is also a small refactoring of
"&lt;service&gt; is not configured" log messages, so that they have matching
log level and message.

dogtag.py constants were updated to have a correct path to new CRL
directory on Fedora 18 (dogtag 10).

https://fedorahosted.org/freeipa/ticket/3159
</pre>
</div>
</content>
</entry>
<entry>
<title>Move CRL publish directory to IPA owned directory</title>
<updated>2012-10-09T14:00:01+00:00</updated>
<author>
<name>Martin Kosek</name>
<email>mkosek@redhat.com</email>
</author>
<published>2012-10-08T13:58:48+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=74ebd0fd75fababe7d080080ef019b53e96c0c4f'/>
<id>74ebd0fd75fababe7d080080ef019b53e96c0c4f</id>
<content type='text'>
Currently, CRL files are being exported to /var/lib/pki-ca
sub-directory, which is then served by httpd to clients. However,
this approach has several disadvantages:
 * We depend on pki-ca directory structure and relevant permissions.
   If pki-ca changes directory structure or permissions on upgrade,
   IPA may break. This is also a root cause of the latest error, where
   the pki-ca directory does not have X permission for others and CRL
   publishing by httpd breaks.
 * Since the directory is not static and is generated during
   ipa-server-install, RPM upgrade of IPA packages report errors when
   defining SELinux policy for these directories.

Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for
both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy
configuration does not report any error. The new CRL publish directory
is used for both new IPA installs and upgrades, where contents of
the directory (CRLs) is first migrated to the new location and then the
actual configuration change is made.

https://fedorahosted.org/freeipa/ticket/3144
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Currently, CRL files are being exported to /var/lib/pki-ca
sub-directory, which is then served by httpd to clients. However,
this approach has several disadvantages:
 * We depend on pki-ca directory structure and relevant permissions.
   If pki-ca changes directory structure or permissions on upgrade,
   IPA may break. This is also a root cause of the latest error, where
   the pki-ca directory does not have X permission for others and CRL
   publishing by httpd breaks.
 * Since the directory is not static and is generated during
   ipa-server-install, RPM upgrade of IPA packages report errors when
   defining SELinux policy for these directories.

Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for
both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy
configuration does not report any error. The new CRL publish directory
is used for both new IPA installs and upgrades, where contents of
the directory (CRLs) is first migrated to the new location and then the
actual configuration change is made.

https://fedorahosted.org/freeipa/ticket/3144
</pre>
</div>
</content>
</entry>
<entry>
<title>Wait for secure Dogtag ports when starting the pki services</title>
<updated>2012-10-03T15:38:42+00:00</updated>
<author>
<name>Petr Viktorin</name>
<email>pviktori@redhat.com</email>
</author>
<published>2012-09-25T13:48:47+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=9c0426c3ed6045e3af54c5c00be23bb63eb92606'/>
<id>9c0426c3ed6045e3af54c5c00be23bb63eb92606</id>
<content type='text'>
Dogtag opens not only the insecure port (8080 or 9180, for d10 and
d9 respectively), but also secure ports (8443 or 9443&amp;9444).
Wait for them when starting.

Part of the fix for https://fedorahosted.org/freeipa/ticket/3084
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Dogtag opens not only the insecure port (8080 or 9180, for d10 and
d9 respectively), but also secure ports (8443 or 9443&amp;9444).
Wait for them when starting.

Part of the fix for https://fedorahosted.org/freeipa/ticket/3084
</pre>
</div>
</content>
</entry>
<entry>
<title>Improve DN usage in ipa-client-install</title>
<updated>2012-10-02T11:39:11+00:00</updated>
<author>
<name>Martin Kosek</name>
<email>mkosek@redhat.com</email>
</author>
<published>2012-09-27T10:40:55+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/abbra/public_git/freeipa.git/commit/?id=1a740176ca43d7cfd2647e6a96385772ee940b91'/>
<id>1a740176ca43d7cfd2647e6a96385772ee940b91</id>
<content type='text'>
A hotfix pushed in a scope of ticket 3088 forced conversion of DN
object (baseDN) in IPA client discovery so that ipa-client-install
does not crash when creating an IPA default.conf. Since this is not
a preferred way to handle DN objects, improve its usage:

- make sure, that baseDN retrieved by client discovery is always
  a DN object
- update ipachangeconf.py code to handle strings better and instead
  of concatenating objects, make sure they are converted to string
  first

As a side-effect of ipachangeconf changes, default.conf config file
generated by ipa-client-install has no longer empty new line at the
end of a file.

Whole ipachangeconf.py has been modified to be compliant with PEP8.

https://fedorahosted.org/freeipa/ticket/3088
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
A hotfix pushed in a scope of ticket 3088 forced conversion of DN
object (baseDN) in IPA client discovery so that ipa-client-install
does not crash when creating an IPA default.conf. Since this is not
a preferred way to handle DN objects, improve its usage:

- make sure, that baseDN retrieved by client discovery is always
  a DN object
- update ipachangeconf.py code to handle strings better and instead
  of concatenating objects, make sure they are converted to string
  first

As a side-effect of ipachangeconf changes, default.conf config file
generated by ipa-client-install has no longer empty new line at the
end of a file.

Whole ipachangeconf.py has been modified to be compliant with PEP8.

https://fedorahosted.org/freeipa/ticket/3088
</pre>
</div>
</content>
</entry>
</feed>
