freeipa.git/ipaserver/install, branch fixlogout FreeIPA patches server upgrade: uninstall ipa_memcached properly 2017-02-20T13:00:50+00:00 Jan Cholasta jcholast@redhat.com 2017-02-20T07:24:47+00:00 6d34c2169fcd520cc726e58e01d008ae3637aad4 Make sure ipa_memcached is not running and no stale state is left in the sysupgrade state file on server upgrade. https://fedorahosted.org/freeipa/ticket/5959 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Make sure ipa_memcached is not running and no stale state is left in the
sysupgrade state file on server upgrade.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
server upgrade: always upgrade KRA agent PEM file 2017-02-20T13:00:50+00:00 Jan Cholasta jcholast@redhat.com 2017-02-16T10:19:09+00:00 0862e320916e0123df7e8505ba61229db0cb1e4a Before the KRA agent PEM file is exported in server upgrade, the sysupgrade state file is consulted. This causes the KRA agent PEM file not to be exported to the new location if the upgrade was executed in the past. Do not consult the sysupgrade state file to decide whether to upgrade the KRA agent PEM file or not, the existence of the file is enough to make this decision. https://fedorahosted.org/freeipa/ticket/6675 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Before the KRA agent PEM file is exported in server upgrade, the sysupgrade
state file is consulted. This causes the KRA agent PEM file not to be
exported to the new location if the upgrade was executed in the past.

Do not consult the sysupgrade state file to decide whether to upgrade the
KRA agent PEM file or not, the existence of the file is enough to make this
decision.

https://fedorahosted.org/freeipa/ticket/6675

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
server upgrade: fix upgrade from pre-4.0 2017-02-20T13:00:50+00:00 Jan Cholasta jcholast@redhat.com 2017-02-16T10:13:13+00:00 97e838e10da3b42e3605d230e0b8e01b9148876f update_ca_renewal_master uses ipaCert certmonger tracking information to decide whether the local server is the CA renewal master or not. The information is lost when migrating from /etc/httpd/alias to /var/lib/ipa/radb in update_ra_cert_store. Make sure update_ra_cert_store is executed after update_ca_renewal_master so that correct information is used. https://fedorahosted.org/freeipa/ticket/5959 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
update_ca_renewal_master uses ipaCert certmonger tracking information to
decide whether the local server is the CA renewal master or not. The
information is lost when migrating from /etc/httpd/alias to
/var/lib/ipa/radb in update_ra_cert_store.

Make sure update_ra_cert_store is executed after update_ca_renewal_master
so that correct information is used.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
server upgrade: fix upgrade in CA-less 2017-02-20T13:00:50+00:00 Jan Cholasta jcholast@redhat.com 2017-02-16T10:09:04+00:00 ba8a10fbdb39cab672038e1a6dc9c7507070cdf9 Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as /var/lib/ipa/radb is not populated in CA-less. Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in CA-less, as it might be an incorrect certificate from previous CA-ful install, and is not necessary anyway. https://fedorahosted.org/freeipa/ticket/5959 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as
/var/lib/ipa/radb is not populated in CA-less.

Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in
CA-less, as it might be an incorrect certificate from previous CA-ful
install, and is not necessary anyway.

https://fedorahosted.org/freeipa/ticket/5959

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Do not configure PKI ajp redirection to use "::1" 2017-02-17T13:58:06+00:00 Florence Blanc-Renaud flo@redhat.com 2017-01-12T17:17:15+00:00 eaa87c75b9f57500265b2dc9480b996b2b92e1e3 When ipa-server-install configures PKI, it provides a configuration file with the parameter pki_ajp_host set to ::1. This parameter is used to configure Tomcat redirection in /etc/pki/pki-tomcat/server.xml: <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="::1" /> ie all requests to port 8009 are redirected to port 8443 on address ::1. If the /etc/hosts config file does not define ::1 for localhost, then AJP redirection fails and replica install is not able to request a certificate for the replica. Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP redirection with "localhost", FreeIPA does not need any more to override this setting. The code now depends on pki 10.3.5-11 which provides the fix in the template and the upgrade. https://fedorahosted.org/freeipa/ticket/6575 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
    <Connector port="8009"
            protocol="AJP/1.3"
            redirectPort="8443"
            address="::1" />
ie all requests to port 8009 are redirected to port 8443 on address ::1.

If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica.

Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
redirection with "localhost", FreeIPA does not need any more to override
this setting.
The code now depends on pki 10.3.5-11 which provides the fix in the template
and the upgrade.

https://fedorahosted.org/freeipa/ticket/6575

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Move AD trust installation code to a separate module 2017-02-17T12:34:35+00:00 Martin Babinsky mbabinsk@redhat.com 2017-02-08T16:02:09+00:00 98bf0cc9663ac281247ac8d9ee8488e3ab8102eb This facilitates calling the necessary checks and configuration code as a module from e.g. a composite installer. The code that checks for the admin credentials stays in the standalone installer as the code inside the adtrust module is expected to operate also without admin credentials. https://fedorahosted.org/freeipa/ticket/6629 Reviewed-By: Martin Basti <mbasti@redhat.com> 
This facilitates calling the necessary checks and configuration code as
a module from e.g. a composite installer. The code that checks for the
admin credentials stays in the standalone installer as the code inside
the adtrust module is expected to operate also without admin
credentials.

https://fedorahosted.org/freeipa/ticket/6629

Reviewed-By: Martin Basti <mbasti@redhat.com>
Update warning message for replica install 2017-02-17T11:19:37+00:00 Abhijeet Kasurde akasurde@redhat.com 2017-01-30T13:52:12+00:00 c913f810715705c560ae8bd05a33084785f59583 New warning message in replica install describes more about "insufficient privilege" error Fixes https://fedorahosted.org/freeipa/ticket/6352 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
New warning message in replica install describes more about
"insufficient privilege" error

Fixes https://fedorahosted.org/freeipa/ticket/6352

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
custodiainstance: don't use IPA-specific CertDB 2017-02-17T09:14:23+00:00 Stanislav Laznicka slaznick@redhat.com 2017-01-06T13:19:12+00:00 b20b0489ea06931bfa7d46bdbd6623bc3f09219b Replaced CertDB with NSSDatabase. Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Replaced CertDB with NSSDatabase.

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add password to certutil calls in NSSDatabase 2017-02-17T09:14:23+00:00 Stanislav Laznicka slaznick@redhat.com 2016-12-06T08:14:54+00:00 ca457eb5ce12291f555f1bf771114d6d7d191987 NSSDatabases should call certutil with a password. Also, removed `password_filename` argument from `.create_db()`. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
NSSDatabases should call certutil with a password. Also, removed
`password_filename` argument from `.create_db()`.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
pkinit: make sure to have proper dictionary for Kerberos instance on upgrade 2017-02-16T08:51:38+00:00 Alexander Bokovoy abokovoy@redhat.com 2017-02-15T08:14:58+00:00 14d84daf29543978c6383da10f4f2d913346f013 When running PKINIT upgrade we need to make sure full substitution dictionary is in place or otherwise executing LDAP updates will fail to find proper objects because $SUFFIX, $DOMAIN, and other variables will not be substituted. Fixes https://fedorahosted.org/freeipa/ticket/6670 Reviewed-By: Simo Sorce <ssorce@redhat.com> 
When running PKINIT upgrade we need to make sure full substitution
dictionary is in place or otherwise executing LDAP updates will fail to
find proper objects because $SUFFIX, $DOMAIN, and other variables
will not be substituted.

Fixes https://fedorahosted.org/freeipa/ticket/6670

Reviewed-By: Simo Sorce <ssorce@redhat.com>