freeipa.git/ipaplatform/redhat, branch fix_ber_scanf FreeIPA patches authconfig.py: restore user-nsswitch.conf at uninstall time 2019-08-29T15:34:27+00:00 François Cami fcami@redhat.com 2019-08-29T12:24:40+00:00 73f049c75f0b1ed269cb8ebcb5c2158d2bc8b614 Calling authselect at uninstall time before restoring user-nsswitch.conf would result in a sudoers entry in nsswitch.conf which is not activated in the default sssd authselect profile. Make sure user-nsswitch.conf is restored before calling authselect. Fixes: https://pagure.io/freeipa/issue/8054 Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com> 
Calling authselect at uninstall time before restoring user-nsswitch.conf
would result in a sudoers entry in nsswitch.conf which is not activated
in the default sssd authselect profile.
Make sure user-nsswitch.conf is restored before calling authselect.

Fixes: https://pagure.io/freeipa/issue/8054
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Use tasks to configure automount nsswitch settings 2019-08-29T02:15:50+00:00 Rob Critenden rcritten@redhat.com 2019-08-16T18:10:15+00:00 41ef8fba31ddbb32e2e5b7cccdc9b582a0809111 authselect doesn't allow one to directly write to /etc/nsswitch.conf. It will complain bitterly if it detects it and will refuse to work until reset. Instead it wants the user to write to /etc/authselect/user-nsswitch.conf and then it will handle merging in any differences. To complicate matters some databases are not user configurable like passwd, group and of course, automount. There are some undocumented options to allow one to override these though so we utilize that. tasks are used so that authselect-based installations can still write directly to /etc/nsswitch.conf and operate as it used to. Reviewed-By: Francois Cami <fcami@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
authselect doesn't allow one to directly write to
/etc/nsswitch.conf. It will complain bitterly if it
detects it and will refuse to work until reset.

Instead it wants the user to write to
/etc/authselect/user-nsswitch.conf and then it will handle
merging in any differences.

To complicate matters some databases are not user configurable
like passwd, group and of course, automount. There are some
undocumented options to allow one to override these though so
we utilize that.

tasks are used so that authselect-based installations can still
write directly to /etc/nsswitch.conf and operate as it used to.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Restore SELinux context for p11-kit config overrides 2019-08-09T15:31:14+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-08-01T07:08:36+00:00 8f969a5929e8a2f54fd732ea0c8d0a4931250d23 When 74e09087 started disabling softshm2 module in p11-kit-proxy, we missed to restore SELinux context on the configuration override creation. We don't need an explicit restore_context() when removing the override because restore_file() already calls restore_context(). Related: https://pagure.io/freeipa/issue/7810 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
When 74e09087 started disabling softshm2 module in p11-kit-proxy,
we missed to restore SELinux context on the configuration override
creation.

We don't need an explicit restore_context() when removing the override
because restore_file() already calls restore_context().

Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Use system-wide crypto policy for TLS ciphers 2019-07-02T14:38:00+00:00 Christian Heimes cheimes@redhat.com 2019-07-02T07:49:59+00:00 b55344888478e2b05dc01200bed87e551aa7d00a IPA now uses the system-wide crypto policy for TLS ciphers on RHEL. It's also now possible to keep the default policy by setting TLS_HIGH_CIPHERS to None. Fixes: https://pagure.io/freeipa/issue/7998 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
IPA now uses the system-wide crypto policy for TLS ciphers on RHEL. It's
also now possible to keep the default policy by setting TLS_HIGH_CIPHERS
to None.

Fixes: https://pagure.io/freeipa/issue/7998
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use only TLS 1.2 by default 2019-07-01T12:55:29+00:00 Christian Heimes cheimes@redhat.com 2019-07-01T08:41:23+00:00 b57c818fab3bb9627a8c287766cdb5bd8071c837 TLS 1.3 is causing some trouble with client cert authentication. Conditional client cert authentication requires post-handshake authentication extension on TLS 1.3. The new feature is not fully implemented yet. TLS 1.0 and 1.1 are no longer state of the art and now disabled by default. TLS 1.2 works everywhere and supports PFS. Related: https://pagure.io/freeipa/issue/7667 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
TLS 1.3 is causing some trouble with client cert authentication.
Conditional client cert authentication requires post-handshake
authentication extension on TLS 1.3. The new feature is not fully
implemented yet.

TLS 1.0 and 1.1 are no longer state of the art and now disabled by
default.

TLS 1.2 works everywhere and supports PFS.

Related: https://pagure.io/freeipa/issue/7667

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
For Fedora and RHEL use system-wide crypto policy for mod_ssl 2019-07-01T12:55:29+00:00 Rob Crittenden rcritten@redhat.com 2019-05-23T14:45:26+00:00 c484d79ecfa1cc284b47b88377a4c2da23b9db2f Drop the SSLProtocol directive for Fedora and RHEL systems. mod_ssl will use crypto policies for the set of protocols. For Debian systems configure a similar set of protocols for what was previously configured, but do it in a different way. Rather than iterating the allowed protocols just include the ones not allowed. Fixes: https://pagure.io/freeipa/issue/7667 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
Drop the SSLProtocol directive for Fedora and RHEL systems. mod_ssl
will use crypto policies for the set of protocols.

For Debian systems configure a similar set of protocols for what
was previously configured, but do it in a different way. Rather than
iterating the allowed protocols just include the ones not allowed.

Fixes: https://pagure.io/freeipa/issue/7667

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Refactor tasks to include is_selinux_enabled() 2019-04-26T07:50:23+00:00 Christian Heimes cheimes@redhat.com 2019-04-25T11:24:48+00:00 dcd488b3d94b1c48d90b7947249d0f4ce4da9cdf Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Globally disable softhsm2 in p11-kit-proxy 2019-04-25T10:53:08+00:00 Christian Heimes cheimes@redhat.com 2019-04-24T11:13:45+00:00 74e09087ed0ebf75936d5045eaaad69d71c678d6 The p11-kit configuration injects p11-kit-proxy into all NSS databases. Amongst other p11-kit loads SoftHSM2 PKCS#11 provider. This interferes with 389-DS, certmonger, Dogtag and other services. For example certmonger tries to open OpenDNSSEC's SoftHSM2 token, although it doesn't use it at all. It also breaks Dogtag HSM support testing with SoftHSM2. IPA server does neither need nor use SoftHSM2 proxied by p11-kit. Related: https://pagure.io/freeipa/issue/7810 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
The p11-kit configuration injects p11-kit-proxy into all NSS databases.
Amongst other p11-kit loads SoftHSM2 PKCS#11 provider. This interferes
with 389-DS, certmonger, Dogtag and other services. For example certmonger
tries to open OpenDNSSEC's SoftHSM2 token, although it doesn't use it at
all. It also breaks Dogtag HSM support testing with SoftHSM2.

IPA server does neither need nor use SoftHSM2 proxied by p11-kit.

Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add ExecStartPost hook to wait for Dogtag PKI 2019-04-24T07:09:28+00:00 Christian Heimes cheimes@redhat.com 2019-04-17T05:45:18+00:00 3f9e23f12573b1b5dbd5284620e86393018aa548 Dogtag PKI typically takes around 10 seconds to start and respond to requests. Dogtag uses a simple systemd service, which means systemd is unable to detect when Dogtag is ready. Commands like ``systemctl start`` and ``systemctl restart`` don't block and wait until the CA is up. There have been various workarounds in Dogtag and IPA. Systemd has an ExecStartPost hook to run programs after the main service is started. The post hook blocks systemctl start and restart until all post hooks report ready, too. The new ipa-pki-wait-running script polls on port 8080 and waits until the CA subsystem returns ``running``. Related: https://pagure.io/freeipa/issue/7916 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Dogtag PKI typically takes around 10 seconds to start and respond to
requests. Dogtag uses a simple systemd service, which means systemd is
unable to detect when Dogtag is ready. Commands like ``systemctl start``
and ``systemctl restart`` don't block and wait until the CA is up. There
have been various workarounds in Dogtag and IPA.

Systemd has an ExecStartPost hook to run programs after the main service
is started. The post hook blocks systemctl start and restart until all
post hooks report ready, too. The new ipa-pki-wait-running script polls
on port 8080 and waits until the CA subsystem returns ``running``.

Related: https://pagure.io/freeipa/issue/7916
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Use Network Manager to configure resolv.conf 2019-04-16T08:45:59+00:00 Christian Heimes cheimes@redhat.com 2019-04-05T11:39:13+00:00 80928ba6f5872aab47a3dd5eb361336568dfcc60 IPA used to write a custom /etc/resolv.conf. On Fedora and RHEL, NetworkManager is typically maintaining resolv.conf. On reboot or restart of the service, NM overwrites the custom settings. On systems with NM enabled, the DNS server installer now drops a config file into NM's global config directory and delegates resolv.conf to NM. On systems without NM, fall back to create /etc/resolv.conf directly. Fixes: https://pagure.io/freeipa/issue/7900 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com> 
IPA used to write a custom /etc/resolv.conf. On Fedora and RHEL,
NetworkManager is typically maintaining resolv.conf. On reboot or
restart of the service, NM overwrites the custom settings.

On systems with NM enabled, the DNS server installer now drops a config
file into NM's global config directory and delegates resolv.conf to NM.

On systems without NM, fall back to create /etc/resolv.conf directly.

Fixes: https://pagure.io/freeipa/issue/7900
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>