freeipa.git/ipaserver/install, branch framework Unnamed repository; edit this file 'description' to name the repository. Remove duplicate and unused utility code 2012-05-09T09:54:20+00:00 Petr Viktorin pviktori@redhat.com 2012-04-18T15:22:35+00:00 f19218f7d87f5847d51f79b5d2850f90b0ae8407 IPA has some unused code from abandoned features (Radius, ipa 1.x user input, commant-line tab completion), as well as some duplicate utilities. This patch cleans up the utility modules. Duplicate code consolidated into ipapython.ipautil: {ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix {ipaserver,ipapython}.ipautil.CIDict (with style improvements from the ipaserver version) {ipapython.entity,ipaserver.ipautil}.utf8_encode_value {ipapython.entity,ipaserver.ipautil}.utf8_encode_values ipalib.util.get_fqdn was removed in favor of the same function in ipaserver.install.installutils Removed unused code: ipalib.util: load_plugins_in_dir import_plugins_subpackage make_repr (was imported but unused; also removed from tests) ipapython.ipautil: format_list parse_key_value_pairs read_pairs_file read_items_file user_input_plain AttributeValueCompleter ItemCompleter ipaserver.ipautil: get_gsserror (a different version exists in ipapython.ipautil) ipaserver.ipautil ended up empty and is removed entirely. https://fedorahosted.org/freeipa/ticket/2650 
IPA has some unused code from abandoned features (Radius, ipa 1.x user
input, commant-line tab completion), as well as some duplicate utilities.
This patch cleans up the utility modules.

Duplicate code consolidated into ipapython.ipautil:
    {ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix
    {ipaserver,ipapython}.ipautil.CIDict
            (with style improvements from the ipaserver version)
    {ipapython.entity,ipaserver.ipautil}.utf8_encode_value
    {ipapython.entity,ipaserver.ipautil}.utf8_encode_values

ipalib.util.get_fqdn was removed in favor of the same function in
ipaserver.install.installutils

Removed unused code:
    ipalib.util:
        load_plugins_in_dir
        import_plugins_subpackage
        make_repr (was imported but unused; also removed from tests)

    ipapython.ipautil:
        format_list
        parse_key_value_pairs
        read_pairs_file
        read_items_file
        user_input_plain
        AttributeValueCompleter
        ItemCompleter

    ipaserver.ipautil:
        get_gsserror (a different version exists in ipapython.ipautil)

ipaserver.ipautil ended up empty and is removed entirely.

https://fedorahosted.org/freeipa/ticket/2650
Use mixed-case for Read DNS Entries permission 2012-04-23T08:00:40+00:00 Rob Crittenden rcritten@redhat.com 2012-04-20T15:07:47+00:00 0423213148a1a2f9762adf243f383398c1ec8b9e https://fedorahosted.org/freeipa/ticket/2569 
https://fedorahosted.org/freeipa/ticket/2569
Remove the running state when uninstalling DS instances. 2012-04-17T09:25:41+00:00 Rob Crittenden rcritten@redhat.com 2012-04-16T21:03:46+00:00 9c39f95f2174d8197102080314eab7a10cf8c86c We don't need to do anything with the state but if it exists in the sysrestore index at the end of uninstallation the uninstaller will complain about it. https://fedorahosted.org/freeipa/ticket/2637 
We don't need to do anything with the state but if it exists in
the sysrestore index at the end of uninstallation the uninstaller will
complain about it.

https://fedorahosted.org/freeipa/ticket/2637
Configure certmonger to execute restart scripts on renewal. 2012-04-10T05:08:41+00:00 Rob Crittenden rcritten@redhat.com 2012-04-10T19:21:08+00:00 717bbcd2bf624ad68ea1cdf08216ab4f06e8bc4d certmonger now has the ability to execute a script when it renews a certificate. This can be used to automatically restart servers so the certificate doesn't expire in the running server. https://fedorahosted.org/freeipa/ticket/2050 
certmonger now has the ability to execute a script when it renews a
certificate. This can be used to automatically restart servers so
the certificate doesn't expire in the running server.

https://fedorahosted.org/freeipa/ticket/2050
Fix installation when server hostname is not in a default domain 2012-04-09T00:35:10+00:00 Martin Kosek mkosek@redhat.com 2012-04-04T14:31:04+00:00 184a066f4abc0ef83434f8cebbec87028258db65 When IPA server is configured with DNS and its hostname is not located in a default domain, SRV records are not valid. Additionally, httpd does not serve XMLRPC interface because it IPA server domain-realm mapping is missing in krb5.conf. All CLI commands were then failing. This patch amends this configuration. It fixes SRV records in served domain to include full FQDN instead of relative hostname when the IPA server hostname is not located in served domain. IPA server forward record is also placed to correct zone. When IPA server is not in a served domain a proper domain-realm mapping is configured to krb5.conf. The template was improved in order to be able to hold this information. https://fedorahosted.org/freeipa/ticket/2602 
When IPA server is configured with DNS and its hostname is not
located in a default domain, SRV records are not valid.
Additionally, httpd does not serve XMLRPC interface because it
IPA server domain-realm mapping is missing in krb5.conf. All CLI
commands were then failing.

This patch amends this configuration. It fixes SRV records in
served domain to include full FQDN instead of relative hostname
when the IPA server hostname is not located in served domain.
IPA server forward record is also placed to correct zone.

When IPA server is not in a served domain a proper domain-realm
mapping is configured to krb5.conf. The template was improved
in order to be able to hold this information.

https://fedorahosted.org/freeipa/ticket/2602
improve handling of ds instances during uninstall 2012-04-05T02:47:08+00:00 John Dennis jdennis@redhat.com 2012-04-04T19:19:29+00:00 af0ac845ff2ebb5a7c045acdc17dc656522039aa Ticket #2502 * remove the "running" flag from backup_state in cainstance.py and dsinstance.py because it does not provide the correct information. In cainstance the running flag was never referenced because restarting dirsrv instances occurs later in dsinstance. In dsinstance when the running flag is set it incorrectly identifed the PKI ds instance configured earlier by cainstance. The intent was to determine if there were any ds instances other than those owned by IPA which will need to be restarted upon uninstall. Clearly the PKI ds instance does not qualify. We were generating a traceback when at the conclusion of dsinstance.uninstall we tried to start the remaining ds instances as indicated by the running flag, but there were none to restart (because the running flag had been set as a consequence of the PKI ds instance). * We only want to restart ds instances if there are other ds instances besides those owned by IPA. We shouldn't be stopping all ds instances either, but that's going to be covered by another ticket. The fix for restarting other ds instances at the end of uninstall is to check and see if there are other ds instances remaining after we've removed ours, if so we restart them. Also it's irrelevant if those ds instances were not present when we installed, it only matters if they exist after we restore things during uninstall. If they are present we have to start them back up because we shut them down during uninstall. * Add new function get_ds_instances() which returns a list of existing ds instances. * fixed error messages that incorrectly stated it "failed to restart" a ds instance when it should be "failed to create". 
Ticket #2502

* remove the "running" flag from backup_state in cainstance.py and
  dsinstance.py because it does not provide the correct
  information. In cainstance the running flag was never referenced
  because restarting dirsrv instances occurs later in dsinstance. In
  dsinstance when the running flag is set it incorrectly identifed the
  PKI ds instance configured earlier by cainstance. The intent was to
  determine if there were any ds instances other than those owned by
  IPA which will need to be restarted upon uninstall. Clearly the PKI
  ds instance does not qualify. We were generating a traceback when at
  the conclusion of dsinstance.uninstall we tried to start the
  remaining ds instances as indicated by the running flag, but there
  were none to restart (because the running flag had been set as a
  consequence of the PKI ds instance).

* We only want to restart ds instances if there are other ds instances
  besides those owned by IPA. We shouldn't be stopping all ds
  instances either, but that's going to be covered by another
  ticket. The fix for restarting other ds instances at the end of
  uninstall is to check and see if there are other ds instances
  remaining after we've removed ours, if so we restart them. Also it's
  irrelevant if those ds instances were not present when we installed,
  it only matters if they exist after we restore things during
  uninstall. If they are present we have to start them back up because
  we shut them down during uninstall.

* Add new function get_ds_instances() which returns a list of existing
  ds instances.

* fixed error messages that incorrectly stated it "failed to restart"
  a ds instance when it should be "failed to create".
Configure SELinux for httpd during upgrades 2012-04-03T22:20:51+00:00 Martin Kosek mkosek@redhat.com 2012-04-03T08:47:40+00:00 17a0738d2d352f9c3d73167b3fb22cd566fd98d4 SELinux configuration for httpd instance was set for new installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x upgrade) missed the configuration. This lead to AVCs when httpd tries to contact ipa_memcached and user not being able to log in. This patch updates ipa-upgradeconfig to configure SELinux in the same way as ipa-server-install does. https://fedorahosted.org/freeipa/ticket/2603 
SELinux configuration for httpd instance was set for new
installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x
upgrade) missed the configuration. This lead to AVCs when httpd
tries to contact ipa_memcached and user not being able to log in.

This patch updates ipa-upgradeconfig to configure SELinux
in the same way as ipa-server-install does.

https://fedorahosted.org/freeipa/ticket/2603
Forbid public access to DNS tree 2012-04-02T01:17:04+00:00 Martin Kosek mkosek@redhat.com 2012-04-02T12:57:33+00:00 df13cdcb974e9f8b161be35fcef9651c2ffe0b5e With a publicly accessible DNS tree in LDAP, anyone with an access to the LDAP server can get all DNS data as with a zone transfer which is already restricted with ACL. Making DNS tree not readable to public is a common security practice and should be applied in FreeIPA as well. This patch adds a new deny rule to forbid access to DNS tree to users or hosts without an appropriate permission or users which are not members of admins group. The new permission/aci is applied both for new installs and upgraded servers. bind-dyndb-ldap plugin is allowed to read DNS tree without any change because its principal is already a member of "DNS Servers" privilege. https://fedorahosted.org/freeipa/ticket/2569 
With a publicly accessible DNS tree in LDAP, anyone with an access
to the LDAP server can get all DNS data as with a zone transfer
which is already restricted with ACL. Making DNS tree not readable
to public is a common security practice and should be applied
in FreeIPA as well.

This patch adds a new deny rule to forbid access to DNS tree to
users or hosts without an appropriate permission or users which
are not members of admins group. The new permission/aci is
applied both for new installs and upgraded servers.

bind-dyndb-ldap plugin is allowed to read DNS tree without any
change because its principal is already a member of "DNS
Servers" privilege.

https://fedorahosted.org/freeipa/ticket/2569
Fixed boot.ldif permission. 2012-04-01T20:54:55+00:00 Endi Sukma Dewata edewata@redhat.com 2012-03-16T22:15:26+00:00 874a298b073997ec6b1e5a119210c7f0975aed18 The server installation failed on F17 due to permission problem. The /var/lib/dirsrv/boot.ldif was previously owned and only readable by root. It is now owned by DS user dirsrv. Ticket #2544 
The server installation failed on F17 due to permission problem.
The /var/lib/dirsrv/boot.ldif was previously owned and only readable
by root. It is now owned by DS user dirsrv.

Ticket #2544
Handle updating replication agreements that lack nsDS5ReplicatedAttributeList 2012-04-02T08:49:20+00:00 Rob Crittenden rcritten@redhat.com 2012-03-30T17:42:31+00:00 16b38d39b36eb0b39a77720e30ac4321e902e66b When updating from 2.x we need to add nsDS5ReplicatedAttributeList and nsDS5ReplicatedAttributeListTotal if they aren't present. If nsDS5ReplicatedAttributeList is present and doesn't contain memberof then we want to add it. https://fedorahosted.org/freeipa/ticket/2594 
When updating from 2.x we need to add nsDS5ReplicatedAttributeList and
nsDS5ReplicatedAttributeListTotal if they aren't present.

If nsDS5ReplicatedAttributeList is present and doesn't contain memberof
then we want to add it.

https://fedorahosted.org/freeipa/ticket/2594