freeipa.git/ipaserver, branch clisesshandling FreeIPA patches ldap2: use LDAP whoami operation to retrieve bind DN for current connection 2017-03-22T16:19:22+00:00 Alexander Bokovoy abokovoy@redhat.com 2017-03-22T11:00:22+00:00 7324451834ec03786fda947679f750fe2a72f29c For external users which are mapped to some DN in LDAP server, we wouldn't neccesary be able to find a kerberos data in their LDAP entry. Instead of searching for Kerberos principal use actual DN we are bound to because for get_effective_rights LDAP control we only need the DN itself. Fixes https://pagure.io/freeipa/issue/6797 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Pavel Vomacka <pvomacka@redhat.com> 
For external users which are mapped to some DN in LDAP server, we
wouldn't neccesary be able to find a kerberos data in their LDAP entry.
Instead of searching for Kerberos principal use actual DN we are bound
to because for get_effective_rights LDAP control we only need the DN
itself.

Fixes https://pagure.io/freeipa/issue/6797

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
replica prepare: fix wrong IPA CA nickname in replica file 2017-03-22T14:56:54+00:00 Jan Cholasta jcholast@redhat.com 2017-03-17T09:34:08+00:00 9939aa53630a9c6a66e83140e64ec56539891c13 Lookup IPA CA subject and pass it to CertDB when creating dscert.p12 and httpcert.p12, otherwise a generic nickname will be used for the IPA CA certificate instead of "$REALM IPA CA". This fixes replica install on domain level 0 from a replica file created using ipa-replica-install on IPA 4.5. https://pagure.io/freeipa/issue/6777 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Lookup IPA CA subject and pass it to CertDB when creating dscert.p12 and
httpcert.p12, otherwise a generic nickname will be used for the IPA CA
certificate instead of "$REALM IPA CA".

This fixes replica install on domain level 0 from a replica file created
using ipa-replica-install on IPA 4.5.

https://pagure.io/freeipa/issue/6777

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Fixing replica install: fix ldap connection in domlvl 0 2017-03-22T14:31:40+00:00 felipe fbarreto@localhost.localdomain 2017-03-21T12:05:56+00:00 772d4e3d4e9a2756e6a34e265a1219599688cde3 Now, at the domain level 0, the replica install always uses Directory Manager credentials to create the LDAP connection. Since ACIs permitting hosts to manage their own services were added in 4.2 release, the old master denies this operations. https://pagure.io/freeipa/issue/6549 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Now, at the domain level 0, the replica install always uses
Directory Manager credentials to create the LDAP connection.
Since ACIs permitting hosts to manage their own services were
added in 4.2 release,  the old master denies this operations.

https://pagure.io/freeipa/issue/6549

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
httpinstance: clean up /etc/httpd/alias on uninstall 2017-03-22T13:58:18+00:00 Jan Cholasta jcholast@redhat.com 2017-03-08T14:24:15+00:00 e263cb46cba604421d5ed2e1dbf5dd1d66ce0221 Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias from backup on uninstall. Files modified by IPA are kept with .ipasave suffix. https://pagure.io/freeipa/issue/4639 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias
from backup on uninstall.

Files modified by IPA are kept with .ipasave suffix.

https://pagure.io/freeipa/issue/4639

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
certs: do not implicitly create DS pin.txt 2017-03-22T13:58:18+00:00 Jan Cholasta jcholast@redhat.com 2017-03-14T08:32:17+00:00 bbd18cf10f2e67e5205a3a3bee883272e89c0042 Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create it explicitly in `DSInstance.__enable_ssl()`. This stops the file from being created in /etc/httpd/alias during classic replica install. https://pagure.io/freeipa/issue/4639 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create
it explicitly in `DSInstance.__enable_ssl()`.

This stops the file from being created in /etc/httpd/alias during classic
replica install.

https://pagure.io/freeipa/issue/4639

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Fix Python 3 pylint errors 2017-03-15T18:11:32+00:00 Christian Heimes cheimes@redhat.com 2017-03-15T07:47:46+00:00 602b395cf19b0ae0b8ade1c13ddaf09175ed7291 ************* Module ipaserver.install.ipa_kra_install ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse') ************* Module ipapython.install.core ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member) ************* Module ipatests.test_ipapython.test_dn ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals()) ************* Module ipa-ca-install install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member) install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member) Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
************* Module ipaserver.install.ipa_kra_install
ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse')
************* Module ipapython.install.core
ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member)
************* Module ipatests.test_ipapython.test_dn
ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals())
************* Module ipa-ca-install
install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Try out anonymous PKINIT after it is configured 2017-03-15T15:39:39+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-15T13:04:56+00:00 a1686a90c0cc8c16c89ef1bada7f507729bf3252 After PKINIT certificate is requested and everything is set up, we should attempt to perform anonymous PKINIT and fail hard if it does not work for some reason. https://pagure.io/freeipa/issue/6739 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
After PKINIT certificate is requested and everything is set up, we
should attempt to perform anonymous PKINIT and fail hard if it does not
work for some reason.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
check for replica's KDC entry on master before requesting PKINIT cert 2017-03-15T15:39:39+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-15T13:03:19+00:00 b45629fc480e61464b402ac2fc52c6f9fc61df0e This prevents replication-based race conditions to break PKINIT certificate requests on replica installation. https://pagure.io/freeipa/issue/6739 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This prevents replication-based race conditions to break PKINIT
certificate requests on replica installation.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
check that the master requesting PKINIT cert has KDC enabled 2017-03-15T15:39:39+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-15T13:00:49+00:00 8f4abf7bc1607fc44f528b8a443b69cb82269e69 https://pagure.io/freeipa/issue/6739 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Make wait_for_entry raise exceptions 2017-03-15T15:39:39+00:00 Martin Babinsky mbabinsk@redhat.com 2017-03-15T12:31:27+00:00 069948466e81d99a0dd48ffffa32af50351d0189 Instead of only logging errors when timeout is reached or query for the entry fails for other reasons, `wait_for_entry` should raise exceptions so that we can handle them in caller or let them propagate and fail early. https://pagure.io/freeipa/issue/6739 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Instead of only logging errors when timeout is reached or query for the
entry fails for other reasons, `wait_for_entry` should raise exceptions
so that we can handle them in caller or let them propagate and fail
early.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>