freeipa.git/ipaserver/install, branch mindatefix FreeIPA patches DNS install: Ensure that DNS servers container exists 2016-07-15T12:13:32+00:00 Martin Babinsky mbabinsk@redhat.com 2016-07-14T15:14:59+00:00 37bfd1fdde8906b2b5712d1f99f3f4be8f91ca0a during DNS installation it is assumed that the cn=servers,cn=dns container is always present in LDAP backend when migrating DNS server info to LDAP. This may not always be the case (e.g. when a new replica is set up against older master) so the code must take additional steps to ensure this container is present. https://fedorahosted.org/freeipa/ticket/6083 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
during DNS installation it is assumed that the cn=servers,cn=dns container is
always present in LDAP backend when migrating DNS server info to LDAP.

This may not always be the case (e.g. when a new replica is set up against
older master) so the code must take additional steps to ensure this container
is present.

https://fedorahosted.org/freeipa/ticket/6083

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
uninstall: untrack lightweight CA certs 2016-07-12T08:50:52+00:00 Fraser Tweedale ftweedal@redhat.com 2016-07-04T03:05:28+00:00 88841a561922fd9a57f3c473833f2ff26c8061ec Fixes: https://fedorahosted.org/freeipa/ticket/6020 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Fixes: https://fedorahosted.org/freeipa/ticket/6020
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Fix upgrade when Dogtag also upgraded from 10.2 -> 10.3 2016-07-01T09:09:53+00:00 Fraser Tweedale ftweedal@redhat.com 2016-06-30T11:01:07+00:00 3691e39a62da5134f911f6a798f79a3a2ae0c025 ipa-server-upgrade from pre-lightweight CAs version fails when Dogtag is also being upgraded from pre-lightweight CAs version, because Dogtag needs to be restarted after adding the lightweight CAs container, before requesting information about the host authority. Move the addition of the Dogtag lightweight CAs container entry a bit earlier in the upgrade procedure, ensuring restart. Fixes: https://fedorahosted.org/freeipa/ticket/6011 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
ipa-server-upgrade from pre-lightweight CAs version fails when
Dogtag is also being upgraded from pre-lightweight CAs version,
because Dogtag needs to be restarted after adding the lightweight
CAs container, before requesting information about the host
authority.

Move the addition of the Dogtag lightweight CAs container entry a
bit earlier in the upgrade procedure, ensuring restart.

Fixes: https://fedorahosted.org/freeipa/ticket/6011
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Fix internal errors in host-add and other commands caused by DNS resolution 2016-07-01T08:35:39+00:00 Petr Spacek pspacek@redhat.com 2016-06-30T18:41:48+00:00 5e78b54d7c532bec0ee5a4ce3f1b6d6c94d17c51 Previously resolver was returning CheckedIPAddress objects. This internal server error in cases where DNS actually returned reserved IP addresses. Now the resolver is returning UnsafeIPAddress objects which do syntactic checks but do not filter IP addresses. From now on we can decide if some IP address should be accepted as-is or if it needs to be contrained to some subset of IP addresses using CheckedIPAddress class. This regression was caused by changes for https://fedorahosted.org/freeipa/ticket/5710 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Previously resolver was returning CheckedIPAddress objects. This
internal server error in cases where DNS actually returned reserved IP
addresses.

Now the resolver is returning UnsafeIPAddress objects which do syntactic
checks but do not filter IP addresses.

From now on we can decide if some IP address should be accepted as-is or
if it needs to be contrained to some subset of IP addresses using
CheckedIPAddress class.

This regression was caused by changes for
https://fedorahosted.org/freeipa/ticket/5710

Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix migration from pre-lightweight CAs master 2016-07-01T06:56:26+00:00 Fraser Tweedale ftweedal@redhat.com 2016-06-17T04:31:08+00:00 3ac3882631564cd774114e61e607fffdbd667eee Some container objects are not added when migrating from a pre-lightweight CAs master, causing replica installation to fail. Make sure that the containers exist and add an explanatory comment. Fixes: https://fedorahosted.org/freeipa/ticket/5963 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Some container objects are not added when migrating from a
pre-lightweight CAs master, causing replica installation to fail.
Make sure that the containers exist and add an explanatory comment.

Fixes: https://fedorahosted.org/freeipa/ticket/5963
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Split CA replica installation steps for domain level 0 2016-07-01T06:56:26+00:00 Fraser Tweedale ftweedal@redhat.com 2016-06-17T00:57:32+00:00 0334693cfc56bc2788ea3b4f3cea9547c9c00340 Installation from replica file is broken because lightweight CA replication setup is attempted before Kerberos is set up. To fix the issue, explicitly execute step 1 before Kerberos setup, and step 2 afterwards. Part of: https://fedorahosted.org/freeipa/ticket/5963 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Installation from replica file is broken because lightweight CA
replication setup is attempted before Kerberos is set up.  To fix
the issue, explicitly execute step 1 before Kerberos setup, and
step 2 afterwards.

Part of: https://fedorahosted.org/freeipa/ticket/5963

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Fix ipa-server-certinstall with certs signed by 3rd-party CA 2016-06-30T12:53:37+00:00 Florence Blanc-Renaud frenaud@redhat.com 2016-06-21T14:34:21+00:00 025cfd911bce6214ef2b4311b16c5b6df6ad173a Multiple issues fixed: - when untracking a certificate, the path to the NSS directory must be exactly identical (no trailing /), otherwise the request is not found and the old certificate is still tracked. - when a cert is issued by a 3rd party CA, no need to track it - the server_cert should not be found using cdb.find_server_certs()[0][0] because this function can return multiple server certificates. For instance, /etc/httpd/alias contains ipaCert, Server-Cert and Signing-Cert with the trust flags u,u,u. This leads to trying to track ipaCert (which is already tracked). The workaround is looking for server certs before and after the import, and extract server-cert as the certificate in the second list but not in the first list. https://fedorahosted.org/freeipa/ticket/4785 https://fedorahosted.org/freeipa/ticket/4786 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
Multiple issues fixed:
- when untracking a certificate, the path to the NSS directory must be
exactly identical (no trailing /), otherwise the request is not found
and the old certificate is still tracked.

- when a cert is issued by a 3rd party CA, no need to track it

- the server_cert should not be found using cdb.find_server_certs()[0][0]
because this function can return multiple server certificates. For
instance, /etc/httpd/alias contains ipaCert, Server-Cert and Signing-Cert
with the trust flags u,u,u. This leads to trying to track ipaCert (which is
already tracked).
The workaround is looking for server certs before and after the import,
and extract server-cert as the certificate in the second list but not in the
first list.

https://fedorahosted.org/freeipa/ticket/4785
https://fedorahosted.org/freeipa/ticket/4786

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
DNS: Reinitialize DNS resolver after changing resolv.conf 2016-06-30T12:08:04+00:00 Petr Spacek pspacek@redhat.com 2016-06-29T17:35:35+00:00 3b79ce005c43c6cb270175dc987eed3ba19e0f53 Previously the installer did not reinitialize resolver so queries for records created using --ip-address option might not be answered. This led to incorrect results during 'Updating DNS system records' phase at the end of installation. This is kind of hack but right now we do not have enough time to extend python-dns's interface with resolver_reinit() method. https://fedorahosted.org/freeipa/ticket/5962 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Previously the installer did not reinitialize resolver so queries for
records created using --ip-address option might not be answered. This led
to incorrect results during 'Updating DNS system records' phase at the
end of installation.

This is kind of hack but right now we do not have enough time to extend
python-dns's interface with resolver_reinit() method.

https://fedorahosted.org/freeipa/ticket/5962

Reviewed-By: Martin Basti <mbasti@redhat.com>
session: move the session module from ipalib to ipaserver 2016-06-30T12:09:24+00:00 Jan Cholasta jcholast@redhat.com 2016-06-29T13:47:07+00:00 dcf8b47471a1795eb00f3aee09ba48b5c4847923 The module is used only on the server, so there's no need to have it in ipalib, which is shared by client and server. https://fedorahosted.org/freeipa/ticket/5988 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
The module is used only on the server, so there's no need to have it in
ipalib, which is shared by client and server.

https://fedorahosted.org/freeipa/ticket/5988

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Fix replica install with CA 2016-06-30T11:18:51+00:00 Martin Basti mbasti@redhat.com 2016-06-29T17:49:43+00:00 a155f692e7ad7807a5ea28250d1e72b3e821991e The incorrect api was used, and CA record updated was duplicated. https://fedorahosted.org/freeipa/ticket/5966 Reviewed-By: Petr Spacek <pspacek@redhat.com> 
The incorrect api was used, and CA record updated was duplicated.

https://fedorahosted.org/freeipa/ticket/5966

Reviewed-By: Petr Spacek <pspacek@redhat.com>