freeipa.git/ipaplatform, branch master FreeIPA patches tasks: run `systemctl daemon-reload` after httpd.service.d updates 2017-03-21T15:38:06+00:00 Jan Cholasta jcholast@redhat.com 2017-03-16T12:51:29+00:00 3de09709cc33f1d26f2d605bac82110fe73dde03 Run `systemctl daemon-reload` after `/etc/systemd/system/httpd.service.d/ipa.conf` is created or deleted, otherwise systemd will not merge the file into httpd.service and therefore required environment variables will not be set for httpd. This fixes authentication failures ("No valid Negotiate header in server response") due to missing `GSS_USE_PROXY=yes` in httpd environment. https://pagure.io/freeipa/issue/6773 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Run `systemctl daemon-reload` after
`/etc/systemd/system/httpd.service.d/ipa.conf` is created or deleted,
otherwise systemd will not merge the file into httpd.service and therefore
required environment variables will not be set for httpd.

This fixes authentication failures ("No valid Negotiate header in server
response") due to missing `GSS_USE_PROXY=yes` in httpd environment.

https://pagure.io/freeipa/issue/6773

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
ipaplatform/debian/paths: Add some missing values. 2017-03-15T08:53:08+00:00 Timo Aaltonen tjaalton@debian.org 2017-03-14T21:48:44+00:00 e20ad9c251d9118959e501cd49997662de8cdbfc Rename KRA_AGENT_PEM -> OLD_KRA_AGENT_PEM, add CERTMONGER_DOGTAG_SUBMIT. Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Rename KRA_AGENT_PEM -> OLD_KRA_AGENT_PEM, add CERTMONGER_DOGTAG_SUBMIT.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
httpinstance: disable system trust module in /etc/httpd/alias 2017-03-14T16:12:19+00:00 Jan Cholasta jcholast@redhat.com 2017-03-01T16:54:05+00:00 f037bfa48356a5fb28eebdb76f9dbd5cb461c2d2 Currently the NSS database in /etc/httpd/alias is installed with the system trust module enabled. This is problematic for a number of reasons: * IPA has its own trust store, which is effectively bypassed when the system trust module is enabled in the database. This may cause IPA unrelated CAs to be trusted by httpd, or even IPA related CAs not to be trusted by httpd. * On client install, the IPA trust configuration is copied to the system trust store for third parties. When this configuration is removed, it may cause loss of trust information in /etc/httpd/alias (https://bugzilla.redhat.com/show_bug.cgi?id=1427897). * When a CA certificate provided by the user in CA-less install conflicts with a CA certificate in the system trust store, the latter may be used by httpd, leading to broken https (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html). Disable the system trust module on install and upgrade to prevent the system trust store to be used in /etc/httpd/alias and fix all of the above issues. https://pagure.io/freeipa/issue/6132 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Disable the system trust module on install and upgrade to prevent the
system trust store to be used in /etc/httpd/alias and fix all of the above
issues.

https://pagure.io/freeipa/issue/6132

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipaplatform/debian/paths: Rename IPA_KEYTAB to OLD_IPA_KEYTAB. 2017-03-14T16:09:10+00:00 Timo Aaltonen tjaalton@debian.org 2017-03-14T15:24:56+00:00 c194f74b12a92e3beb01f36b5cbe20255d8247c5 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Reviewed-By: Martin Basti <mbasti@redhat.com>
ipaplatform/debian/paths: Add IPA_HTTPD_KDCPROXY. 2017-03-14T16:09:10+00:00 Timo Aaltonen tjaalton@debian.org 2017-03-14T14:43:22+00:00 71db8c264e38502e80f05e9cb234185049450b62 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Reviewed-By: Martin Basti <mbasti@redhat.com>
ipaplatform/debian/services: Fix is_running arguments. 2017-03-14T16:09:10+00:00 Timo Aaltonen tjaalton@debian.org 2017-03-14T14:32:22+00:00 1a47fcd3ee7fe2878c77de0729e422c40a457600 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Reviewed-By: Martin Basti <mbasti@redhat.com>
Don't allow standalone KRA uninstalls 2017-03-13T15:27:23+00:00 Stanislav Laznicka slaznick@redhat.com 2017-03-08T15:38:12+00:00 5d3a0e6758866239c886e998a6d89c5a4b150184 KRA uninstallation is very likely to break the user's setup. Don't allow it at least till we can be safely sure we are able to remove it in a standalone manner without breaking anything. https://pagure.io/freeipa/issue/6538 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.

https://pagure.io/freeipa/issue/6538

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
pylint_plugins: add forbidden import checker 2017-03-10T12:04:59+00:00 Jan Cholasta jcholast@redhat.com 2017-02-14T08:58:44+00:00 5d489ac5604ca959cfe439c0594b8739073f3cea Add new pylint AST checker plugin which implements a check for imports forbidden in IPA. Which imports are forbidden is configurable in pylintrc. Provide default forbidden import configuration and disable the check for existing forbidden imports in our code base. Reviewed-By: Martin Basti <mbasti@redhat.com> 
Add new pylint AST checker plugin which implements a check for imports
forbidden in IPA. Which imports are forbidden is configurable in pylintrc.

Provide default forbidden import configuration and disable the check for
existing forbidden imports in our code base.

Reviewed-By: Martin Basti <mbasti@redhat.com>
server install: require IPv6 stack to be enabled 2017-03-09T15:50:21+00:00 Tomas Krizek tkrizek@redhat.com 2017-03-07T12:54:41+00:00 ecb450308d0a49afffb31dda1e405ad40552e70e Add checks to install and replica install to verify IPv6 stack is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...). https://pagure.io/freeipa/issue/6608 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Add checks to install and replica install to verify IPv6 stack
is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...).

https://pagure.io/freeipa/issue/6608

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Move csrgen templates into ipaclient package 2017-03-08T14:59:26+00:00 Christian Heimes cheimes@redhat.com 2017-03-02T15:09:53+00:00 80be18162921268be9c8981495c9e8a4de0c85cd csrgen broke packaging of ipaclient for PyPI. All csrgen related resources are now package data of ipaclient package. Package data is accessed with Jinja's PackageLoader() or through pkg_resources. https://pagure.io/freeipa/issue/6714 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Ben Lipton <blipton@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
csrgen broke packaging of ipaclient for PyPI. All csrgen related
resources are now package data of ipaclient package. Package data is
accessed with Jinja's PackageLoader() or through pkg_resources.

https://pagure.io/freeipa/issue/6714

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Ben Lipton <blipton@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>