| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3652
|
| |
|
|
|
|
|
|
|
|
|
| |
Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no
longer owned by created with package installation. The directory
is rather created/removed with the CA instance itself.
This ensures proper creation/removeal, group ownership
and SELinux context.
https://fedorahosted.org/freeipa/ticket/3727
|
| |
|
|
|
|
|
|
| |
Adds a new simple service called OtpdInstance, that manages
ipa-otpd.socket service. Added to server/replica installer
and ipa-upgradeconfig script.
https://fedorahosted.org/freeipa/ticket/3680
|
| |
|
|
|
|
|
|
|
|
|
| |
The DIR ccache format is now the default in krb5-server 1.11.2-4
but /run/user/<uid> isn't created for Apache by anything so it
has no ccache (and it doesn't have SELinux permissions to write here
either).
Use KRB5CCNAME to set a file path instead in /etc/sysconfig/dirsrv.
https://fedorahosted.org/freeipa/ticket/3628
|
| |
|
|
|
|
|
|
|
|
|
| |
The DIR ccache format is now the default in krb5-server 1.11.2-4
but /run/user/<uid> isn't created for Apache by anything so it
has no ccache (and it doesn't have SELinux permissions to write here
either).
Use KRB5CCNAME to set a file path instead in /etc/sysconfig/httpd.
https://fedorahosted.org/freeipa/ticket/3607
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- add missing closing parenthesis in idnsRecord declaration
- remove extra dollar sign from ipaSudoRule declaration
- handle missing/extraneous X-ORIGIN lines in 10-selinuxusermap.update
This does not use the schema updater because the syntax needs to be
fixed in the files themselves, otherwise 389 1.3.2+ will fail
to start.
Older DS versions transparently fix the syntax errors.
The existing ldap-updater directive for ipaSudoRule is fixed
(ldap-updater runs after upgradeconfig).
https://fedorahosted.org/freeipa/ticket/3578
|
| |
|
|
|
|
|
|
|
| |
This will convert a master with a selfsign CA to a CA-less one in
ipa-upgradeconfig.
The relevant files are left in place and can be used to manage certs
manually.
Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3547
|
| |
|
|
|
|
|
|
|
| |
Fedora 19 has splitted /var/run and /run directories while in Fedora
18 it used to be a symlink. Thus, named may expect its PID file to be
in other direct than it really is and fail to start.
Add pid-file configuration option to named.conf both for new
installations and for upgraded machines.
|
| |
|
|
|
|
| |
We used to set connections argument for bind-dyndb-ldap even when
the attribute was not in named.conf. This is not necessary as
the bind-dyndb-ldap plugin chooses a sane default instead of us.
|
| |
|
|
|
|
|
|
|
|
|
| |
Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential
and tkey-domain and replace them with tkey-gssapi-keytab which avoids
unnecessary Kerberos checks on BIND startup and can cause issues when
KDC is not available.
Both new and current IPA installations are updated.
https://fedorahosted.org/freeipa/ticket/3429
|
| |
|
|
| |
Part of the work for: https://fedorahosted.org/freeipa/ticket/2660
|
| |
|
|
| |
https://fedorahosted.org/freeipa/ticket/3381
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a rewewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're save
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.
Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.
Update the CA ou=People entry when he CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.
https://fedorahosted.org/freeipa/ticket/3292
https://fedorahosted.org/freeipa/ticket/3322
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When either dirsrv or krb5kdc is down, named service restart in
ipa-upgradeconfig will fail and cause a crash of the whole upgrade
process.
Rather only report a failure to restart the service and continue
with the upgrade as it does not need the named service running. Do
the same precaution for pki-ca service restart.
https://fedorahosted.org/freeipa/ticket/3350
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When CRL files are being migrated to a new directory, the upgrade
log may contain an error message raised during MasterCRL.bin symlink
migration. This is actually being caused by `chown' operation which
tried to chown a symlinked file that was not migrated yet.
Sort migrated files before the migration process and put symlinks
at the end of the list. Also do not run chown on the symlinks as
it is a redundant operation since the symlinked file will be
chown'ed on its own.
https://fedorahosted.org/freeipa/ticket/3336
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Modify the default IPA CA certificate profile to include CRL and
OCSP extensions which will add URIs to IPA CRL&OCSP to published
certificates.
Both CRL and OCSP extensions have 2 URIs, one pointing directly to
the IPA CA which published the certificate and one to a new CNAME
ipa-ca.$DOMAIN which was introduced as a general CNAME pointing
to all IPA replicas which have CA configured.
The new CNAME is added either during new IPA server/replica/CA
installation or during upgrade.
https://fedorahosted.org/freeipa/ticket/3074
https://fedorahosted.org/freeipa/ticket/1431
|
| |
|
|
|
|
|
|
| |
This brings /etc/dirsrv/slapd-REALM/certmap.conf under IPA control.
The file is overwritten on upgrades.
This ensures that the cert for the ipaca user is recognized when
ipa-ca-install is run on older masters.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Report errors just like with ipa-ldap-updater. These messages should warn
user that some parts of the upgrades may have not been successful and
he should follow up on them. Otherwise, user may not notice them at all.
ipa-upgradeconfig now has a new --quiet option to make it output only error
level log messages or higher. ipa-upgradeconfig run without options still
pring INFO log messages as it can provide a clean overview about its
actions (unlike ipa-ldap-updater).
https://fedorahosted.org/freeipa/ticket/3157
|
| |
|
|
|
|
|
|
| |
Any installed clones will have CRL generation explicitly disabled.
It is a manual process to make a different CA the CRL generator.
There should be only one.
https://fedorahosted.org/freeipa/ticket/3051
|
| |
|
|
|
|
|
|
| |
If the signing cert is not available, create an unsigned extension.
Add a zip dependency to the specfile.
https://fedorahosted.org/freeipa/ticket/3150
|
| |
|
|
| |
This function was never called from anywhere.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CRL migrate procedure did not check if a CA was actually configured
on an updated master/replica. This caused ipa-upgradeconfig to
crash on replicas without a CA.
Make sure that CRL migrate procedure is not run when CA is not
configured on given master. Also add few try..except clauses to
make the procedure more robust. There is also a small refactoring of
"<service> is not configured" log messages, so that they have matching
log level and message.
dogtag.py constants were updated to have a correct path to new CRL
directory on Fedora 18 (dogtag 10).
https://fedorahosted.org/freeipa/ticket/3159
|
| |
|
|
|
|
|
|
| |
The initial certificate is issued for two years but renewals are
for six months for some reason. This fixes it for new and updated
IPA installs.
https://fedorahosted.org/freeipa/ticket/2951
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, CRL files are being exported to /var/lib/pki-ca
sub-directory, which is then served by httpd to clients. However,
this approach has several disadvantages:
* We depend on pki-ca directory structure and relevant permissions.
If pki-ca changes directory structure or permissions on upgrade,
IPA may break. This is also a root cause of the latest error, where
the pki-ca directory does not have X permission for others and CRL
publishing by httpd breaks.
* Since the directory is not static and is generated during
ipa-server-install, RPM upgrade of IPA packages report errors when
defining SELinux policy for these directories.
Move CRL publish directory to /var/lib/ipa/pki-ca/publish (common for
both dogtag 9 and 10) which is created on RPM upgrade, i.e. SELinux policy
configuration does not report any error. The new CRL publish directory
is used for both new IPA installs and upgrades, where contents of
the directory (CRLs) is first migrated to the new location and then the
actual configuration change is made.
https://fedorahosted.org/freeipa/ticket/3144
|
| |
|
|
|
|
|
|
|
|
|
| |
Put the changes from Ade's dogtag 10 patch into namespaced constants in
dogtag.py, which are then referenced in the code.
Make ipaserver.install.CAInstance use the service name specified in the
configuration. Uninstallation, where config is removed before CA uninstall,
also uses the (previously) configured value.
This and Ade's patch address https://fedorahosted.org/freeipa/ticket/2846
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Convert every string specifying a DN into a DN object
* Every place a dn was manipulated in some fashion it was replaced by
the use of DN operators
* Add new DNParam parameter type for parameters which are DN's
* DN objects are used 100% of the time throughout the entire data
pipeline whenever something is logically a dn.
* Many classes now enforce DN usage for their attributes which are
dn's. This is implmented via ipautil.dn_attribute_property(). The
only permitted types for a class attribute specified to be a DN are
either None or a DN object.
* Require that every place a dn is used it must be a DN object.
This translates into lot of::
assert isinstance(dn, DN)
sprinkled through out the code. Maintaining these asserts is
valuable to preserve DN type enforcement. The asserts can be
disabled in production.
The goal of 100% DN usage 100% of the time has been realized, these
asserts are meant to preserve that.
The asserts also proved valuable in detecting functions which did
not obey their function signatures, such as the baseldap pre and
post callbacks.
* Moved ipalib.dn to ipapython.dn because DN class is shared with all
components, not just the server which uses ipalib.
* All API's now accept DN's natively, no need to convert to str (or
unicode).
* Removed ipalib.encoder and encode/decode decorators. Type conversion
is now explicitly performed in each IPASimpleLDAPObject method which
emulates a ldap.SimpleLDAPObject method.
* Entity & Entry classes now utilize DN's
* Removed __getattr__ in Entity & Entity clases. There were two
problems with it. It presented synthetic Python object attributes
based on the current LDAP data it contained. There is no way to
validate synthetic attributes using code checkers, you can't search
the code to find LDAP attribute accesses (because synthetic
attriutes look like Python attributes instead of LDAP data) and
error handling is circumscribed. Secondly __getattr__ was hiding
Python internal methods which broke class semantics.
* Replace use of methods inherited from ldap.SimpleLDAPObject via
IPAdmin class with IPAdmin methods. Directly using inherited methods
was causing us to bypass IPA logic. Mostly this meant replacing the
use of search_s() with getEntry() or getList(). Similarly direct
access of the LDAP data in classes using IPAdmin were replaced with
calls to getValue() or getValues().
* Objects returned by ldap2.find_entries() are now compatible with
either the python-ldap access methodology or the Entity/Entry access
methodology.
* All ldap operations now funnel through the common
IPASimpleLDAPObject giving us a single location where we interface
to python-ldap and perform conversions.
* The above 4 modifications means we've greatly reduced the
proliferation of multiple inconsistent ways to perform LDAP
operations. We are well on the way to having a single API in IPA for
doing LDAP (a long range goal).
* All certificate subject bases are now DN's
* DN objects were enhanced thusly:
- find, rfind, index, rindex, replace and insert methods were added
- AVA, RDN and DN classes were refactored in immutable and mutable
variants, the mutable variants are EditableAVA, EditableRDN and
EditableDN. By default we use the immutable variants preserving
important semantics. To edit a DN cast it to an EditableDN and
cast it back to DN when done editing. These issues are fully
described in other documentation.
- first_key_match was removed
- DN equalty comparison permits comparison to a basestring
* Fixed ldapupdate to work with DN's. This work included:
- Enhance test_updates.py to do more checking after applying
update. Add test for update_from_dict(). Convert code to use
unittest classes.
- Consolidated duplicate code.
- Moved code which should have been in the class into the class.
- Fix the handling of the 'deleteentry' update action. It's no longer
necessary to supply fake attributes to make it work. Detect case
where subsequent update applies a change to entry previously marked
for deletetion. General clean-up and simplification of the
'deleteentry' logic.
- Rewrote a couple of functions to be clearer and more Pythonic.
- Added documentation on the data structure being used.
- Simplfy the use of update_from_dict()
* Removed all usage of get_schema() which was being called prior to
accessing the .schema attribute of an object. If a class is using
internal lazy loading as an optimization it's not right to require
users of the interface to be aware of internal
optimization's. schema is now a property and when the schema
property is accessed it calls a private internal method to perform
the lazy loading.
* Added SchemaCache class to cache the schema's from individual
servers. This was done because of the observation we talk to
different LDAP servers, each of which may have it's own
schema. Previously we globally cached the schema from the first
server we connected to and returned that schema in all contexts. The
cache includes controls to invalidate it thus forcing a schema
refresh.
* Schema caching is now senstive to the run time context. During
install and upgrade the schema can change leading to errors due to
out-of-date cached schema. The schema cache is refreshed in these
contexts.
* We are aware of the LDAP syntax of all LDAP attributes. Every
attribute returned from an LDAP operation is passed through a
central table look-up based on it's LDAP syntax. The table key is
the LDAP syntax it's value is a Python callable that returns a
Python object matching the LDAP syntax. There are a handful of LDAP
attributes whose syntax is historically incorrect
(e.g. DistguishedNames that are defined as DirectoryStrings). The
table driven conversion mechanism is augmented with a table of
hard coded exceptions.
Currently only the following conversions occur via the table:
- dn's are converted to DN objects
- binary objects are converted to Python str objects (IPA
convention).
- everything else is converted to unicode using UTF-8 decoding (IPA
convention).
However, now that the table driven conversion mechanism is in place
it would be trivial to do things such as converting attributes
which have LDAP integer syntax into a Python integer, etc.
* Expected values in the unit tests which are a DN no longer need to
use lambda expressions to promote the returned value to a DN for
equality comparison. The return value is automatically promoted to
a DN. The lambda expressions have been removed making the code much
simpler and easier to read.
* Add class level logging to a number of classes which did not support
logging, less need for use of root_logger.
* Remove ipaserver/conn.py, it was unused.
* Consolidated duplicate code wherever it was found.
* Fixed many places that used string concatenation to form a new
string rather than string formatting operators. This is necessary
because string formatting converts it's arguments to a string prior
to building the result string. You can't concatenate a string and a
non-string.
* Simplify logic in rename_managed plugin. Use DN operators to edit
dn's.
* The live version of ipa-ldap-updater did not generate a log file.
The offline version did, now both do.
https://fedorahosted.org/freeipa/ticket/1670
https://fedorahosted.org/freeipa/ticket/1671
https://fedorahosted.org/freeipa/ticket/1672
https://fedorahosted.org/freeipa/ticket/1673
https://fedorahosted.org/freeipa/ticket/1674
https://fedorahosted.org/freeipa/ticket/1392
https://fedorahosted.org/freeipa/ticket/2872
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Certificate renewal can be done only one one CA as the certificates need
to be shared amongst them. certmonger has been trained to communicate
directly with dogtag to perform the renewals. The initial CA installation
is the defacto certificate renewal master.
A copy of the certificate is stored in the IPA LDAP tree in
cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX, the rdn being the nickname of the
certificate, when a certificate is renewed. Only the most current
certificate is stored. It is valid to have no certificates there, it means
that no renewals have taken place.
The clones are configured with a new certmonger CA type that polls this
location in the IPA tree looking for an updated certificate. If one is
not found then certmonger is put into the CA_WORKING state and will poll
every 8 hours until an updated certificate is available.
The RA agent certificate, ipaCert in /etc/httpd/alias, is a special case.
When this certificate is updated we also need to update its entry in
the dogtag tree, adding the updated certificate and telling dogtag which
certificate to use. This is the certificate that lets IPA issue
certificates.
On upgrades we check to see if the certificate tracking is already in
place. If not then we need to determine if this is the master that will
do the renewals or not. This decision is made based on whether it was
the first master installed. It is concievable that this master is no
longer available meaning that none are actually tracking renewal. We
will need to document this.
https://fedorahosted.org/freeipa/ticket/2803
|
| |
|
|
|
|
|
|
|
|
|
| |
The upgrade script set the "psearch" directive in some circumstances,
but did not remember that it was set, so later, when setting
minimum_connections, it assumed psearch is not set.
Also, the script did not set minimum_connections if the directive wasn't
already there. It should be set in that case.
Related to https://fedorahosted.org/freeipa/ticket/2554
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SOA serial autoincrement is a requirement for major DNS features,
e.g. zone transfers or DNSSEC. Enable it by default in named.conf
both for new and upgraded installations. Name of the bind-dyndb-ldap
option is "serial_autoincrement".
From now on, idnsSOAserial attribute also has to be put to
replication agreement exclude list as serial will be incremented
on each DNS server separately and won't be shared. Exclude list
has to be updated both for new replication agreements and the
current ones.
Minimum number of connections for bind-dyndb-ldap has been rised
to 4 connections, the setting will be updated during package upgrade.
https://fedorahosted.org/freeipa/ticket/2554
|
| |
|
|
|
|
|
|
| |
We need a Requires on openssl, the mod_rewrite syntax has changed so
we can dump some unused configuration and we need a newer version of
mod_auth_kerb to pick up the new location of delegated ccache.
https://fedorahosted.org/freeipa/ticket/2839
|
| |
|
|
|
|
|
|
|
| |
Log to the same file as ipa-ldap-updater --upgrade,
/var/log/ipaupgrade.log
Will output basic stauts information if executed from the command-line.
https://fedorahosted.org/freeipa/ticket/2696
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
From IPA 3.0, persistent search is a preferred mechanism for new DNS
zone detection and is also needed for other features (DNSSEC, SOA
serial updates).
Enable psearch and make sure connections attribute is right. This
step is done just once for a case when user switched the persistent
search back to disabled on purpose.
ipa-upgradeconfig was updated to accept --debug option in case
somebody would want to see debug messages.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
All of our install/admin scripts had a try/except block calling the
main function and handling common exceptions. These were copy-pasted
from each other and modified to various levels of sophistication.
This refactors them out of installers to a single function, which
includes a final pass/fail message for all of the scripts.
Non-install scripts that set up the same log handler levels for
stderr and log file are not changed, as it's not possible to log
to only the logfile without changing the logger configuration.
https://fedorahosted.org/freeipa/ticket/2071
|
| |
|
|
|
|
|
|
|
|
|
|
| |
SELinux configuration for httpd instance was set for new
installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x
upgrade) missed the configuration. This lead to AVCs when httpd
tries to contact ipa_memcached and user not being able to log in.
This patch updates ipa-upgradeconfig to configure SELinux
in the same way as ipa-server-install does.
https://fedorahosted.org/freeipa/ticket/2603
|
| |
|
|
|
|
|
|
|
|
| |
This will add it on upgrades too and any new certs issued will have
a subject key identifier set.
If the user has customized the profile themselves then this won't be
applied.
https://fedorahosted.org/freeipa/ticket/2446
|
| |
|
|
|
|
|
| |
Adding the memcache service requires 389-ds to be running because we
add an entry to cn=masters.
https://fedorahosted.org/freeipa/ticket/2411
|
| |
|
|
|
|
| |
These were used by ipa_kpasswd and krb5-server-ldap respectivily.
https://fedorahosted.org/freeipa/ticket/2397
|
| |
|
|
|
|
|
|
|
|
| |
Add support for autobind to services. This is a bit of a special case
so I currently require the caller to specify ldapi separately. It only
makes sense to do this only in upgrade cases.
Also uninstall ipa_memcached when uninstalling the server.
https://fedorahosted.org/freeipa/ticket/2399
|
| |
|
|
|
|
|
| |
Make this removal a common function that can be shared between installer
and upgrade tool.
https://fedorahosted.org/freeipa/ticket/2395
|
| |
|
|
|
|
|
|
|
|
|
| |
The ipa_kpasswd service was deprecated in 2.2, replaced by kadmin. On
upgrade it will be left running by the previous installation, we need
to stop it and uninstall the service.
The dbmodules section needs to reflect that we're now using the new
IPA kdb backend instead of the standard MIT ldap backend.
https://fedorahosted.org/freeipa/ticket/2341
|
| |
|
|
|
|
|
| |
Require that the tool be run as root to avoid a permission-related
backtrace.
https://fedorahosted.org/freeipa/ticket/1758
|
| |
|
|
|
|
|
| |
In checking to see if the dogtag proxy configuration needed to be updated
we didn't handle the case where dogtag isn't installed at all.
https://fedorahosted.org/freeipa/ticket/1951
|
| | |
|
| |
|
|
|
|
|
| |
This patch broke installation of a new master. Reverting until
we develop a better solution.
This reverts commit f42da4357eac7e64e803b53c78d6cff9175d20a4.
|
| |
|
|
|
|
|
| |
This also corrects a slight bug where if add is True then we always
re-update the file.
https://fedorahosted.org/freeipa/ticket/1755
|
| |
|
|
|
|
|
|
|
| |
- Remove ipa-pki-proxy.conf when IPA is uninstalled
- Move file removal to httpinstance.py and use remove_file()
- Add a version stanza
- Create the file if it doesn't exist on upgraded installs
https://fedorahosted.org/freeipa/ticket/1771
|
| |
|
|
|
|
|
|
| |
Make sure that IPA can be installed with root umask set to secure
value 077. ipa-server-install was failing in DS configuration phase
when dirsrv tried to read boot.ldif created during installation.
https://fedorahosted.org/freeipa/ticket/1282
|
| |
|
|
|
|
|
|
|
|
| |
The changes include:
* Change license blobs in source files to mention GPLv3+ not GPLv2 only
* Add GPLv3+ license text
* Package COPYING not LICENSE as the license blobs (even the old ones)
mention COPYING specifically, it is also more common, I think
https://fedorahosted.org/freeipa/ticket/239
|
| |
|
|
|
|
| |
Also add copyright
519414
|
