freeipa.git/ipaserver, branch sessionlogout FreeIPA patches Change session logout to kill only the cookie 2017-02-16T16:17:42+00:00 Simo Sorce simo@redhat.com 2017-02-16T16:07:31+00:00 eae1b88a45329fceb385ab80ebf1beda6ab7f522 Removing the ccache goes to far as it will cause unrelated sessions to fail as well, this is a problem for accounts used to do unattended operations and that may operate in parallel. Fixes https://fedorahosted.org/freeipa/ticket/6682 Signed-off-by: Simo Sorce <simo@redhat.com> 
Removing the ccache goes to far as it will cause unrelated sessions to
fail as well, this is a problem for accounts used to do unattended
operations and that may operate in parallel.

Fixes https://fedorahosted.org/freeipa/ticket/6682

Signed-off-by: Simo Sorce <simo@redhat.com>
pkinit: make sure to have proper dictionary for Kerberos instance on upgrade 2017-02-16T08:51:38+00:00 Alexander Bokovoy abokovoy@redhat.com 2017-02-15T08:14:58+00:00 14d84daf29543978c6383da10f4f2d913346f013 When running PKINIT upgrade we need to make sure full substitution dictionary is in place or otherwise executing LDAP updates will fail to find proper objects because $SUFFIX, $DOMAIN, and other variables will not be substituted. Fixes https://fedorahosted.org/freeipa/ticket/6670 Reviewed-By: Simo Sorce <ssorce@redhat.com> 
When running PKINIT upgrade we need to make sure full substitution
dictionary is in place or otherwise executing LDAP updates will fail to
find proper objects because $SUFFIX, $DOMAIN, and other variables
will not be substituted.

Fixes https://fedorahosted.org/freeipa/ticket/6670

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Add FIPS-token password of HTTPD NSS database 2017-02-15T16:54:36+00:00 Stanislav Laznicka slaznick@redhat.com 2017-01-09T07:45:33+00:00 0b9b6b52d7f2e64a52ef8fd570839711311fa254 This change is required for httpd to function properly in FIPS https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
This change is required for httpd to function properly in FIPS

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Pretty print JSON in debug mode (debug level >= 2) 2017-02-15T16:27:56+00:00 Christian Heimes cheimes@redhat.com 2017-02-13T18:09:14+00:00 3cac0378e94efc2ee1070eff2984eb1147bcf463 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Faster JSON encoder/decoder 2017-02-15T16:27:56+00:00 Christian Heimes cheimes@redhat.com 2017-02-13T08:46:39+00:00 8159c2883bf66980582d1227c364df4e592bdd7e Improve performance of FreeIPA's JSON serializer and deserializer. * Don't indent and sort keys. Both options trigger a slow path in Python's json package. Without indention and sorting, encoding mostly happens in optimized C code. * Replace O(n) type checks with O(1) type lookup and eliminate the use of isinstance(). * Check each client capability only once for every conversion. * Use decoder's obj_hook feature to traverse the object tree once and to eliminate calls to isinstance(). Closes: https://fedorahosted.org/freeipa/ticket/6655 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Improve performance of FreeIPA's JSON serializer and deserializer.

* Don't indent and sort keys. Both options trigger a slow path in
  Python's json package. Without indention and sorting, encoding
  mostly happens in optimized C code.
* Replace O(n) type checks with O(1) type lookup and eliminate
  the use of isinstance().
* Check each client capability only once for every conversion.
* Use decoder's obj_hook feature to traverse the object tree once and
  to eliminate calls to isinstance().

Closes: https://fedorahosted.org/freeipa/ticket/6655
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Fix uninstall stopping ipa.service 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2017-01-25T13:56:15+00:00 00a9d2f94dee17e28e39cdae0c32acc3d1fe51ed When uninstalling systemd is told to disable the service, but it is not told to sopt it, so it believes it is still running. This can cause issues in some cases if a reinstall is performed right after an uninstall, as systemd may decide to stop the disabled service while we are reinstalling, causing the new install to fail. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
When uninstalling systemd is told to disable the service, but it is not
told to sopt it, so it believes it is still running. This can cause
issues in some cases if a reinstall is performed right after an
uninstall, as systemd may decide to stop the disabled service while we
are reinstalling, causing the new install to fail.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Rationalize creation of RA and HTTPD NSS databases 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-12-22T23:55:33+00:00 4bd2d6ad46c9151e11f9223dd5383555fdedb249 The RA database sould not be created by the HTTP instance, but in the code path that creates the CA instance. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
The RA database sould not be created by the HTTP instance,
but in the code path that creates the CA instance.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add a new user to run the framework code 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-08-16T13:03:19+00:00 4fd89833ee5421b05c10329d627d0e0fc8496046 Add the apache user the ipawebui group. Make the ccaches directory owned by the ipawebui group and make mod_auth_gssapi write the ccache files as r/w by the apache user and the ipawebui group. Fix tmpfiles creation ownership and permissions to allow the user to access ccaches files. The webui framework now works as a separate user than apache, so the certs used to access the dogtag instance need to be usable by this new user as well. Both apache and the webui user are in the ipawebui group, so use that. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Add the apache user the ipawebui group.
Make the ccaches directory owned by the ipawebui group and make
mod_auth_gssapi write the ccache files as r/w by the apache user and
the ipawebui group.
Fix tmpfiles creation ownership and permissions to allow the user to
access ccaches files.
The webui framework now works as a separate user than apache, so the certs
used to access the dogtag instance need to be usable by this new user as well.
Both apache and the webui user are in the ipawebui group, so use that.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Always use /etc/ipa/ca.crt as CA cert file 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-12-22T18:34:34+00:00 c2b1b2a36200b50babfda1eca37fb4b51fefa9c6 It seem like ALIAS_CACERT_ASC was just a redundant location for the CA cert file which is always available in /etc/ipa/ca.crt Just use the canonical CA cert location in /etc/ipa for all cases and stop creating a separate cacert file. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
It seem like ALIAS_CACERT_ASC was just a redundant location for the CA
cert file which is always available in /etc/ipa/ca.crt

Just use the canonical CA cert location in /etc/ipa for all cases and
stop creating a separate cacert file.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Simplify NSSDatabase password file handling 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-12-22T19:24:21+00:00 f648c5631afa5e7954eee9a84fb1222d3bce3bf1 https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>