freeipa.git/install/certmonger, branch pwdpolicy FreeIPA patches renew agent: handle non-replicated certificates 2017-01-16T13:37:25+00:00 Jan Cholasta jcholast@redhat.com 2017-01-06T09:45:38+00:00 d5af11f65cc2a2d6860579a63a173b67cb12bcf3 In addition to replicated certificates (Dogtag certificates, RA certificate), handle non-replicated certificates in dogtag-ipa-ca-renew-agent as well. https://fedorahosted.org/freeipa/ticket/5959 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
In addition to replicated certificates (Dogtag certificates, RA
certificate), handle non-replicated certificates in
dogtag-ipa-ca-renew-agent as well.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Set explicit confdir option for global contexts 2016-12-02T08:14:35+00:00 Christian Heimes cheimes@redhat.com 2016-11-28T15:24:33+00:00 1e6a204b4372bbbfb722a00370a5ce4e34406b9f Some API contexts are used to modify global state (e.g. files in /etc and /var). These contexts do not support confdir overrides. Initialize the API with an explicit confdir argument to paths.ETC_IPA. The special contexts are: * backup * cli_installer * installer * ipctl * renew * restore * server * updates The patch also corrects the context of the ipa-httpd-kdcproxy script to 'server'. https://fedorahosted.org/freeipa/ticket/6389 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Some API contexts are used to modify global state (e.g. files in /etc
and /var). These contexts do not support confdir overrides. Initialize
the API with an explicit confdir argument to paths.ETC_IPA.

The special contexts are:

* backup
* cli_installer
* installer
* ipctl
* renew
* restore
* server
* updates

The patch also corrects the context of the ipa-httpd-kdcproxy script to
'server'.

https://fedorahosted.org/freeipa/ticket/6389

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Build: remove incorrect use of MAINTAINERCLEANFILES 2016-11-16T08:12:07+00:00 Petr Spacek pspacek@redhat.com 2016-11-11T13:37:18+00:00 d5683726d290b71eb44ab3b3150381f062e74df1 Automake manual section 13 What Gets Cleaned says that make maintainer-clean should not remove files necessary for subsequent runs of ./configure. It practically means that all usage of MAINTAINERCLEANFILES were incorrect so I've removed them. https://fedorahosted.org/freeipa/ticket/6418 Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Automake manual section 13 What Gets Cleaned says that make maintainer-clean
should not remove files necessary for subsequent runs of ./configure.

It practically means that all usage of MAINTAINERCLEANFILES were incorrect
so I've removed them.

https://fedorahosted.org/freeipa/ticket/6418

Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Refactor installer code requesting certificates 2016-11-10T13:15:57+00:00 Florence Blanc-Renaud flo@redhat.com 2016-10-25T06:49:10+00:00 808b1436b4158cb6f926ac2b5bd0979df6ea7e9f - Temporary modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA agent cert, using the temp cert created during pkispawn. The cert request is now processed through certmonger, and the helper arguments are restored once the agent cert is obtained. - Modify the installer code creating HTTP and LDAP certificates to use certmonger's IPA helper with temporary parameters (calling dogtag-submit instead of ipa-submit) - Clean-up for the integration tests: sometimes ipa renewal.lock is not released during ipa-server-uninstall. Make sure that the file is removed to allow future installations. https://fedorahosted.org/freeipa/ticket/6433 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 
- Temporary modify certmonger dogtag-ipa-ca-renew helper to request the IPA RA
agent cert, using the temp cert created during pkispawn. The cert request
is now processed through certmonger, and the helper arguments are restored
once the agent cert is obtained.

- Modify the installer code creating HTTP and LDAP certificates to use
certmonger's IPA helper with temporary parameters (calling dogtag-submit
instead of ipa-submit)

- Clean-up for the integration tests: sometimes ipa renewal.lock is not
released during ipa-server-uninstall. Make sure that the file is removed
to allow future installations.

https://fedorahosted.org/freeipa/ticket/6433

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Use autobind instead of host keytab authentication in dogtag-ipa-ca-renew-agent 2016-11-10T13:15:57+00:00 Florence Blanc-Renaud flo@redhat.com 2016-11-08T08:02:57+00:00 7462adec13c5b25b6868d2863dc38062c97d0ff7 This commit makes sure that dogtag-ipa-ca-renew-agent CA helper can be used before Kerberos is configured. Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com> 
This commit makes sure that dogtag-ipa-ca-renew-agent CA helper can be used
before Kerberos is configured.

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
pkcs10: remove pyasn1 PKCS #10 spec 2016-11-10T09:21:47+00:00 Fraser Tweedale ftweedal@redhat.com 2016-10-12T01:03:56+00:00 85487281cdc09720f6a0385ebb7157742d762a0c In the dogtag-ipa-ca-renew-agent-submit certmonger renewal helper, we currently use our hand-rolled PKCS #10 pyasn1 specification to parse the friendlyName out of CSRs generated by certmonger (it contains the NSSDB nickname of the cert). Use other information from the renewal helper process environment to determine the nickname and remove our PKCS #10 pyasn1 spec. Part of: https://fedorahosted.org/freeipa/ticket/6398 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
In the dogtag-ipa-ca-renew-agent-submit certmonger renewal helper,
we currently use our hand-rolled PKCS #10 pyasn1 specification to
parse the friendlyName out of CSRs generated by certmonger (it
contains the NSSDB nickname of the cert).

Use other information from the renewal helper process environment to
determine the nickname and remove our PKCS #10 pyasn1 spec.

Part of: https://fedorahosted.org/freeipa/ticket/6398

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
libexec scripts: ldap conn management 2016-11-09T14:32:45+00:00 Tomas Krizek tkrizek@redhat.com 2016-11-09T08:52:28+00:00 33f7b8dc32bc95e0db067ac4df49807ee2b5120e Certificate renewal scripts require connection to LDAP. Properly handle connects and disconnects from LDAP. https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
Certificate renewal scripts require connection to LDAP. Properly
handle connects and disconnects from LDAP.

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
install: remove dirman_pw from services 2016-11-07T10:34:03+00:00 Tomas Krizek tkrizek@redhat.com 2016-10-06T15:35:04+00:00 9340a1417acf120fed3e9ffbe9d658d3456743a1 Remove directory manager's password from service's constructors https://fedorahosted.org/freeipa/ticket/6461 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Remove directory manager's password from service's constructors

https://fedorahosted.org/freeipa/ticket/6461

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Pylint: remove unused variables from installers and scripts 2016-10-06T08:43:36+00:00 Martin Basti mbasti@redhat.com 2016-10-04T14:54:44+00:00 d9375881460d63cdd696bb0705da0ac205db9870 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Pylint: enable check for unused-variables 2016-09-27T11:35:58+00:00 Martin Basti mbasti@redhat.com 2016-09-26T16:24:39+00:00 45e3aee35219c89c07d590003a334f8db658a3b2 Unused variables may: * make code less readable * create dead code * potentialy hide issues/errors Enabled check should prevent to leave unused variable in code Check is locally disabled for modules that fix is not clear or easy or have too many occurences of unused variables Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Unused variables may:
* make code less readable
* create dead code
* potentialy hide issues/errors

Enabled check should prevent to leave unused variable in code

Check is locally disabled for modules that fix is not clear or easy or have too many occurences of
unused variables

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>