freeipa.git/ipaserver/install, branch cakeysfix FreeIPA patches Make sure remote hosts have our keys 2017-05-03T11:35:53+00:00 Simo Sorce simo@redhat.com 2017-03-31T15:22:45+00:00 06e65f8859164bc7e12a2c42d64b9f7c381a3219 In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6838 Signed-off-by: Simo Sorce <simo@redhat.com> 
In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6838

Signed-off-by: Simo Sorce <simo@redhat.com>
Refresh Dogtag RestClient.ca_host property 2017-05-02T15:33:25+00:00 Stanislav Laznicka slaznick@redhat.com 2017-04-27T10:51:30+00:00 0d406fcb784924bfe685729f3156efb8c902b947 Refresh the ca_host property of the Dogtag's RestClient class when it's requested as a context manager. This solves the problem which would occur on DL0 when installing CA which needs to perform a set of steps against itself accessing 8443 port. This port should however only be available locally so trying to connect to remote master would fail. We need to make sure the right CA host is accessed. https://pagure.io/freeipa/issue/6878 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Refresh the ca_host property of the Dogtag's RestClient class when
it's requested as a context manager.

This solves the problem which would occur on DL0 when installing
CA which needs to perform a set of steps against itself accessing
8443 port. This port should however only be available locally so
trying to connect to remote master would fail. We need to make
sure the right CA host is accessed.

https://pagure.io/freeipa/issue/6878

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
restore: restart/reload gssproxy after restore 2017-04-28T12:56:02+00:00 Petr Vobornik pvoborni@redhat.com 2017-04-26T16:47:53+00:00 3a4c8e39c3e38ec651cfcbb3cac59e0e92e04fe0 So that gssproxy picks up new configuration and therefore related usages like authentication of CLI against server works https://pagure.io/freeipa/issue/6902 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
So that gssproxy picks up new configuration and therefore related
usages like authentication of CLI against server works

https://pagure.io/freeipa/issue/6902

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Do not test anonymous PKINIT after install/upgrade 2017-04-28T08:38:12+00:00 Martin Babinsky mbabinsk@redhat.com 2017-04-25T17:12:51+00:00 960e361f68a3d7acd9bcf16ec6fe8f6d5376c4ae Local FAST armoring will now work regardless of PKINIT status so there is no need to explicitly test for working PKINIT. If there is, there should be a test case for that. https://pagure.io/freeipa/issue/6830 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Local FAST armoring will now work regardless of PKINIT status so there
is no need to explicitly test for working PKINIT. If there is, there
should be a test case for that.

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Upgrade: configure local/full PKINIT depending on the master status 2017-04-28T08:38:12+00:00 Martin Babinsky mbabinsk@redhat.com 2017-04-06T16:52:05+00:00 a194055c92c7ca4eba29323f990ec3b92026221b The upgrader has been modified to configure either local or full PKINIT depending on the CA status. Additionally, the new PKINIT configuration will be written to the master's KDC entry. https://pagure.io/freeipa/issue/6830 http://www.freeipa.org/page/V4/Kerberos_PKINIT Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
The upgrader has been modified to configure either local or full PKINIT
depending on the CA status. Additionally, the new PKINIT configuration
will be written to the master's KDC entry.

https://pagure.io/freeipa/issue/6830
http://www.freeipa.org/page/V4/Kerberos_PKINIT

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Stop requesting anonymous keytab and purge all references of it 2017-04-28T08:38:12+00:00 Martin Babinsky mbabinsk@redhat.com 2017-04-05T15:29:26+00:00 68c6a4d4e1340ce01bdc7ec5dd394604a3da7688 anonymous kinit using keytab never worked so we may safely remove all code that requests/uses it. https://pagure.io/freeipa/issue/6830 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
anonymous kinit using keytab never worked so we may safely remove all
code that requests/uses it.

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
API for retrieval of master's PKINIT status and publishing it in LDAP 2017-04-28T08:38:12+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-31T12:44:29+00:00 86972299d937960bcb713fc73b447cddb4ea44bd An API was provided to report whether PKINIT is enabled for clients or not. If yes, the pkinitEnabled value will be added to the ipaConfigString attribute of master's KDC entry. See http://www.freeipa.org/page/V4/Kerberos_PKINIT#Configuration for more details. https://pagure.io/freeipa/issue/6830 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
An API was provided to report whether PKINIT is enabled for clients or
not. If yes, the pkinitEnabled value will be added to the
ipaConfigString attribute of master's KDC entry.

See http://www.freeipa.org/page/V4/Kerberos_PKINIT#Configuration for
more details.

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Allow for configuration of all three PKINIT variants when deploying KDC 2017-04-28T08:38:12+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-31T13:06:46+00:00 fb52f7a1f328b126626525179d5250692daca2cd The PKINIT setup code now can configure PKINIT using IPA CA signed certificate, 3rd party certificate and local PKINIT with self-signed keypair. The local PKINIT is also selected as a fallback mechanism if the CSR is rejected by CA master or `--no-pkinit` is used. http://www.freeipa.org/page/V4/Kerberos_PKINIT https://pagure.io/freeipa/issue/6830 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
The PKINIT setup code now can configure PKINIT using IPA CA signed
certificate, 3rd party certificate and local PKINIT with self-signed
keypair. The local PKINIT is also selected as a fallback mechanism if
the CSR is rejected by CA master or `--no-pkinit` is used.

http://www.freeipa.org/page/V4/Kerberos_PKINIT
https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
separate function to set ipaConfigString values on service entry 2017-04-28T08:38:12+00:00 Martin Babinsky mbabinsk@redhat.com 2017-04-25T16:55:59+00:00 b1a1e104391c84cb9af7b0a7c8748c8652442ddb There is some code duplication regarding setting ipaConfigString values when: * LDAP-enabling a service entry * advertising enabled KDCProxy in LDAP We can delegate the common work to a single re-usable function and thus expose it to future use-cases (like PKINIT advertising). https://pagure.io/freeipa/issue/6830 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
There is some code duplication regarding setting ipaConfigString values
when:
   * LDAP-enabling a service entry
   * advertising enabled KDCProxy in LDAP

We can delegate the common work to a single re-usable function and thus
expose it to future use-cases (like PKINIT advertising).

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Move the compat plugin setup at the end of install 2017-04-24T15:11:51+00:00 Stanislav Laznicka slaznick@redhat.com 2017-04-13T07:15:47+00:00 ddbbb1c58e8a4fec8129e7d1e941c54660af6a69 The compat plugin was causing deadlocks with the topology plugin. Move its setup at the end of the installation and remove the cn=topology,cn=ipa,cn=etc subtree from its scope. https://pagure.io/freeipa/issue/6821 Reviewed-By: Martin Basti <mbasti@redhat.com> 
The compat plugin was causing deadlocks with the topology plugin. Move
its setup at the end of the installation and remove the
cn=topology,cn=ipa,cn=etc subtree from its scope.

https://pagure.io/freeipa/issue/6821

Reviewed-By: Martin Basti <mbasti@redhat.com>