freeipa.git/ipaserver/secrets, branch cakeysfix FreeIPA patches Make sure remote hosts have our keys 2017-05-03T11:35:53+00:00 Simo Sorce simo@redhat.com 2017-03-31T15:22:45+00:00 06e65f8859164bc7e12a2c42d64b9f7c381a3219 In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6838 Signed-off-by: Simo Sorce <simo@redhat.com> 
In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6838

Signed-off-by: Simo Sorce <simo@redhat.com>
Use Custodia 0.3.1 features 2017-03-28T13:02:06+00:00 Christian Heimes cheimes@redhat.com 2017-02-28T11:07:19+00:00 f5bf5466eda0de2a211b4f2682e5c50b82577701 * Use sd-notify in ipa-custodia.service * Introduce libexec/ipa/ipa-custodia script. It comes with correct default setting for IPA's config file. The new file also makes it simpler to run IPA's custodia instance with its own SELinux context. * ipapython no longer depends on custodia The patch addresses three issues: * https://bugzilla.redhat.com/show_bug.cgi?id=1430247 Forward compatibility with Custodia 0.3 in Fedora rawhide * https://pagure.io/freeipa/issue/5825 Use sd-notify * https://pagure.io/freeipa/issue/6788 Prepare for separate SELinux context Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
  default setting for IPA's config file. The new file also makes it
  simpler to run IPA's custodia instance with its own SELinux context.
* ipapython no longer depends on custodia

The patch addresses three issues:

* https://bugzilla.redhat.com/show_bug.cgi?id=1430247
  Forward compatibility with Custodia 0.3 in Fedora rawhide
* https://pagure.io/freeipa/issue/5825
  Use sd-notify
* https://pagure.io/freeipa/issue/6788
  Prepare for separate SELinux context

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Fix replica with --setup-ca issues 2017-03-01T13:39:44+00:00 Stanislav Laznicka slaznick@redhat.com 2017-03-01T13:07:44+00:00 052de4308c64b126bee440e970be4cf8449c5ebc nolog argument of ipautil.run requires tuple, not a string. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
nolog argument of ipautil.run requires tuple, not a string.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Moving ipaCert from HTTPD_ALIAS_DIR 2017-03-01T09:43:41+00:00 Stanislav Laznicka slaznick@redhat.com 2017-01-13T08:08:42+00:00 5ab85b365ae886558b1f077b0d039a0d24bebfa7 The "ipaCert" nicknamed certificate is not required to be in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy of this file in a separate file anyway. Remove it from there and track only the file. Remove the IPA_RADB_DIR as well as it is not required anymore. https://fedorahosted.org/freeipa/ticket/5695 https://fedorahosted.org/freeipa/ticket/6680 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The "ipaCert" nicknamed certificate is not required to be
in /var/lib/ipa/radb NSSDB anymore as we were keeping a copy
of this file in a separate file anyway. Remove it from there
and track only the file. Remove the IPA_RADB_DIR as well as
it is not required anymore.

https://fedorahosted.org/freeipa/ticket/5695
https://fedorahosted.org/freeipa/ticket/6680

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Added a PEMFileHandler for Custodia store 2017-03-01T09:43:41+00:00 Stanislav Laznicka slaznick@redhat.com 2017-02-01T08:14:56+00:00 24b134c633390343ba76e4091fa612650976280a This is a preparation step to be able to handle sending RA agent certificate over Custodia during domain level 1 replica installation. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
This is a preparation step to be able to handle sending RA agent
certificate over Custodia during domain level 1 replica installation.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
added ssl verification using IPA trust anchor 2017-02-27T07:53:05+00:00 Thorsten Scherf tscherf@redhat.com 2017-02-24T10:53:46+00:00 16dac0252e52c8de07fd8a6a86ec0896074cbe9d https://fedorahosted.org/freeipa/ticket/6686 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
https://fedorahosted.org/freeipa/ticket/6686

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Separate RA cert store from the HTTP cert store 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-12-13T15:32:32+00:00 d124e307f3b7d88bca53784f030ed6043b224432 This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
custodia: kem.set_keys: replace too-broad exception 2017-02-10T13:03:04+00:00 Martin Basti mbasti@redhat.com 2017-01-31T17:14:33+00:00 d4aa75d10582443b38447985c3fce8e65fcd48a6 Exception is too brod and may hide various issues that show up later. If the code expects that entry may exist, then ldap.ALREADY_EXISTS exception should be used Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Exception is too brod and may hide various issues that show up later. If
the code expects that entry may exist, then ldap.ALREADY_EXISTS
exception should be used

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
py3: kem.py: user bytes with ldap values 2017-02-10T13:03:04+00:00 Martin Basti mbasti@redhat.com 2017-01-31T17:11:42+00:00 8660b9e96801a764e808ca69c3c14a4a019d4eb8 python ldap requires bytes as values https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
python ldap requires bytes as values

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
py3: custodia: basedn must be unicode 2017-02-10T13:03:04+00:00 Martin Basti mbasti@redhat.com 2017-01-27T17:10:37+00:00 c27a46177c710fb18bf5b02beab4bd82c191a4bc basedn in custodia related modules has type bytes, that causes issues in Py3 when strings were concatenated with bytes ``` malformed RDN string = "cn=custodia,cn=ipa,cn=etc,b'dc=example,dc=com'" ``` https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
basedn in custodia related modules has type bytes, that causes issues in
Py3 when strings were concatenated with bytes

```
malformed RDN string = "cn=custodia,cn=ipa,cn=etc,b'dc=example,dc=com'"
```

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>