freeipa.git/ipaserver/install, branch webui_isolate FreeIPA patches Fix uninstall stopping ipa.service 2017-02-14T22:37:48+00:00 Simo Sorce simo@redhat.com 2017-01-25T13:56:15+00:00 51ea32d521917fc26f33ef35619802053fbe5a51 When uninstalling systemd is told to disable the service, but it is not told to sopt it, so it believes it is still running. This can cause issues in some cases if a reinstall is performed right after an uninstall, as systemd may decide to stop the disabled service while we are reinstalling, causing the new install to fail. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
When uninstalling systemd is told to disable the service, but it is not
told to sopt it, so it believes it is still running. This can cause
issues in some cases if a reinstall is performed right after an
uninstall, as systemd may decide to stop the disabled service while we
are reinstalling, causing the new install to fail.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Rationalize creation of RA and HTTPD NSS databases 2017-02-14T22:37:40+00:00 Simo Sorce simo@redhat.com 2016-12-22T23:55:33+00:00 6101ef1c1c043ef91d61f1497351f7388625cdfc The RA database sould not be created by the HTTP instance, but in the code path that creates the CA instance. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
The RA database sould not be created by the HTTP instance,
but in the code path that creates the CA instance.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Add a new user to run the framework code 2017-02-14T22:37:37+00:00 Simo Sorce simo@redhat.com 2016-08-16T13:03:19+00:00 968c07d8a4a6265cf44210a3285eadd216c8e5fb Add the apache user the ipawebui group. Make the ccaches directory owned by the ipawebui group and make mod_auth_gssapi write the ccache files as r/w by the apache user and the ipawebui group. Fix tmpfiles creation ownership and permissions to allow the user to access ccaches files. The webui framework now works as a separate user than apache, so the certs used to access the dogtag instance need to be usable by this new user as well. Both apache and the webui user are in the ipawebui group, so use that. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
Add the apache user the ipawebui group.
Make the ccaches directory owned by the ipawebui group and make
mod_auth_gssapi write the ccache files as r/w by the apache user and
the ipawebui group.
Fix tmpfiles creation ownership and permissions to allow the user to
access ccaches files.
The webui framework now works as a separate user than apache, so the certs
used to access the dogtag instance need to be usable by this new user as well.
Both apache and the webui user are in the ipawebui group, so use that.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Always use /etc/ipa/ca.crt as CA cert file 2017-02-14T22:37:28+00:00 Simo Sorce simo@redhat.com 2016-12-22T18:34:34+00:00 d031ba5c1ca00fab95c5bbd363b0f66550770445 It seem like ALIAS_CACERT_ASC was just a redundant location for the CA cert file which is always available in /etc/ipa/ca.crt Just use the canonical CA cert location in /etc/ipa for all cases and stop creating a separate cacert file. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
It seem like ALIAS_CACERT_ASC was just a redundant location for the CA
cert file which is always available in /etc/ipa/ca.crt

Just use the canonical CA cert location in /etc/ipa for all cases and
stop creating a separate cacert file.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Simplify NSSDatabase password file handling 2017-02-14T22:37:22+00:00 Simo Sorce simo@redhat.com 2016-12-22T19:24:21+00:00 78ec63b3e2b1b1bbd015ee42554db9a6a3c8e716 https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Separate RA cert store from the HTTP cert store 2017-02-14T22:37:16+00:00 Simo Sorce simo@redhat.com 2016-12-13T15:32:32+00:00 63e18ecfe383827678cf77463520463ca7a4d821 This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Configure HTTPD to work via Gss-Proxy 2017-02-14T22:37:08+00:00 Simo Sorce simo@redhat.com 2016-11-29T16:10:22+00:00 43233c318b13e0ea38e2ebb1bb3147f6e24ca7fb https://fedorahosted.org/freeipa/ticket/4189 https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4189
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Use Anonymous user to obtain FAST armor ccache 2017-02-14T22:36:58+00:00 Simo Sorce simo@redhat.com 2016-12-02T11:48:35+00:00 399ab5b87a6d983bd5e3882d0660b81942c184e4 The anonymous user allows the framework to obtain an armor ccache without relying on usable credentials, either via a keytab or a pkinit and public certificates. This will be needed once the HTTP keytab is moved away for privilege separation. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Generate tmpfiles config at install time 2017-02-14T22:36:44+00:00 Simo Sorce simo@redhat.com 2016-12-01T16:37:20+00:00 70ac48f4c532098fd6d7147be1d1864487fe52e0 We do not want to generate runtime directories just because the packages are installed, but only if the server is actually setup and run. Also this will be needed later because we will create a user at install time and some tmpfiles will need to be owned by this user. As we are changing this code also rationalize the directory structure and move it from the http rundir to the ipa specific rundir. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
We do not want to generate runtime directories just because the packages
are installed, but only if the server is actually setup and run. Also this
will be needed later because we will create a user at install time and some
tmpfiles will need to be owned by this user.
As we are changing this code also rationalize the directory structure and
move it from the http rundir to the ipa specific rundir.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Change session handling 2017-02-14T22:36:04+00:00 Simo Sorce simo@redhat.com 2016-08-19T13:23:55+00:00 8b88ef00331f1fbb28802b3eba5ced62daeffc9e Stop using memcache, use mod_auth_gssapi filesystem based ccaches. Remove custom session handling, use mod_auth_gssapi and mod_session to establish and keep a session cookie. Add loopback to mod_auth_gssapi to do form absed auth and pass back a valid session cookie. And now that we do not remove ccaches files to move them to the memcache, we can avoid the risk of pollutting the filesystem by keeping a common ccache file for all instances of the same user. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form absed auth and pass back a
valid session cookie.
And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of pollutting the filesystem by keeping
a common ccache file for all instances of the same user.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>