freeipa.git/ipaserver/install, branch master FreeIPA patches replica prepare: fix wrong IPA CA nickname in replica file 2017-03-22T14:56:54+00:00 Jan Cholasta jcholast@redhat.com 2017-03-17T09:34:08+00:00 9939aa53630a9c6a66e83140e64ec56539891c13 Lookup IPA CA subject and pass it to CertDB when creating dscert.p12 and httpcert.p12, otherwise a generic nickname will be used for the IPA CA certificate instead of "$REALM IPA CA". This fixes replica install on domain level 0 from a replica file created using ipa-replica-install on IPA 4.5. https://pagure.io/freeipa/issue/6777 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Lookup IPA CA subject and pass it to CertDB when creating dscert.p12 and
httpcert.p12, otherwise a generic nickname will be used for the IPA CA
certificate instead of "$REALM IPA CA".

This fixes replica install on domain level 0 from a replica file created
using ipa-replica-install on IPA 4.5.

https://pagure.io/freeipa/issue/6777

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Fixing replica install: fix ldap connection in domlvl 0 2017-03-22T14:31:40+00:00 felipe fbarreto@localhost.localdomain 2017-03-21T12:05:56+00:00 772d4e3d4e9a2756e6a34e265a1219599688cde3 Now, at the domain level 0, the replica install always uses Directory Manager credentials to create the LDAP connection. Since ACIs permitting hosts to manage their own services were added in 4.2 release, the old master denies this operations. https://pagure.io/freeipa/issue/6549 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Now, at the domain level 0, the replica install always uses
Directory Manager credentials to create the LDAP connection.
Since ACIs permitting hosts to manage their own services were
added in 4.2 release,  the old master denies this operations.

https://pagure.io/freeipa/issue/6549

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
httpinstance: clean up /etc/httpd/alias on uninstall 2017-03-22T13:58:18+00:00 Jan Cholasta jcholast@redhat.com 2017-03-08T14:24:15+00:00 e263cb46cba604421d5ed2e1dbf5dd1d66ce0221 Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias from backup on uninstall. Files modified by IPA are kept with .ipasave suffix. https://pagure.io/freeipa/issue/4639 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias
from backup on uninstall.

Files modified by IPA are kept with .ipasave suffix.

https://pagure.io/freeipa/issue/4639

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
certs: do not implicitly create DS pin.txt 2017-03-22T13:58:18+00:00 Jan Cholasta jcholast@redhat.com 2017-03-14T08:32:17+00:00 bbd18cf10f2e67e5205a3a3bee883272e89c0042 Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create it explicitly in `DSInstance.__enable_ssl()`. This stops the file from being created in /etc/httpd/alias during classic replica install. https://pagure.io/freeipa/issue/4639 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create
it explicitly in `DSInstance.__enable_ssl()`.

This stops the file from being created in /etc/httpd/alias during classic
replica install.

https://pagure.io/freeipa/issue/4639

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Fix Python 3 pylint errors 2017-03-15T18:11:32+00:00 Christian Heimes cheimes@redhat.com 2017-03-15T07:47:46+00:00 602b395cf19b0ae0b8ade1c13ddaf09175ed7291 ************* Module ipaserver.install.ipa_kra_install ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse') ************* Module ipapython.install.core ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member) ************* Module ipatests.test_ipapython.test_dn ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals()) ************* Module ipa-ca-install install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member) install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member) Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
************* Module ipaserver.install.ipa_kra_install
ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse')
************* Module ipapython.install.core
ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member)
************* Module ipatests.test_ipapython.test_dn
ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals())
************* Module ipa-ca-install
install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Try out anonymous PKINIT after it is configured 2017-03-15T15:39:39+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-15T13:04:56+00:00 a1686a90c0cc8c16c89ef1bada7f507729bf3252 After PKINIT certificate is requested and everything is set up, we should attempt to perform anonymous PKINIT and fail hard if it does not work for some reason. https://pagure.io/freeipa/issue/6739 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
After PKINIT certificate is requested and everything is set up, we
should attempt to perform anonymous PKINIT and fail hard if it does not
work for some reason.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
check for replica's KDC entry on master before requesting PKINIT cert 2017-03-15T15:39:39+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-15T13:03:19+00:00 b45629fc480e61464b402ac2fc52c6f9fc61df0e This prevents replication-based race conditions to break PKINIT certificate requests on replica installation. https://pagure.io/freeipa/issue/6739 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This prevents replication-based race conditions to break PKINIT
certificate requests on replica installation.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Make wait_for_entry raise exceptions 2017-03-15T15:39:39+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-15T12:31:27+00:00 069948466e81d99a0dd48ffffa32af50351d0189 Instead of only logging errors when timeout is reached or query for the entry fails for other reasons, `wait_for_entry` should raise exceptions so that we can handle them in caller or let them propagate and fail early. https://pagure.io/freeipa/issue/6739 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Instead of only logging errors when timeout is reached or query for the
entry fails for other reasons, `wait_for_entry` should raise exceptions
so that we can handle them in caller or let them propagate and fail
early.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Move PKINIT configuration to a later stage of server/replica install 2017-03-15T15:39:39+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-09T17:49:54+00:00 bd18b5f91e3f98fa877def245c54c1cd33bd372e This is to ensure that we can request PKINIT certs once all the following requirements are in place: * CA is configured or PKCS#12 file is provided * LDAP, KDC and Apache are configured and the master role is thus completed and enabled https://pagure.io/freeipa/issue/6739 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This is to ensure that we can request PKINIT certs once all the
following requirements are in place:

    * CA is configured or PKCS#12 file is provided
    * LDAP, KDC and Apache are configured and the master role is thus
      completed and enabled

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Request PKINIT cert directly from Dogtag API on first master 2017-03-15T15:39:39+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-14T12:16:07+00:00 b5b23e073e59930e4dcf14ea8031c2c0441e6344 On the first master the framework may not be fully functional to server certificate requests. It is safer to configure helper that contacts Dogtag REST API directly. https://pagure.io/freeipa/issue/6739 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
On the first master the framework may not be fully functional to server
certificate requests. It is safer to configure helper that contacts
Dogtag REST API directly.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>