freeipa.git/ipaserver, branch webui_isolate FreeIPA patches Prefetch ldap ticket to optimize ldap connections 2017-02-14T22:51:08+00:00 Simo Sorce simo@redhat.com 2017-02-14T22:51:08+00:00 4936fc7947ab306b329a72019443af8b6fb9b38a Signed-off-by: Simo Sorce <simo@redhat.com> 
Signed-off-by: Simo Sorce <simo@redhat.com>
Fix uninstall stopping ipa.service 2017-02-14T22:37:48+00:00 Simo Sorce simo@redhat.com 2017-01-25T13:56:15+00:00 51ea32d521917fc26f33ef35619802053fbe5a51 When uninstalling systemd is told to disable the service, but it is not told to sopt it, so it believes it is still running. This can cause issues in some cases if a reinstall is performed right after an uninstall, as systemd may decide to stop the disabled service while we are reinstalling, causing the new install to fail. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
When uninstalling systemd is told to disable the service, but it is not
told to sopt it, so it believes it is still running. This can cause
issues in some cases if a reinstall is performed right after an
uninstall, as systemd may decide to stop the disabled service while we
are reinstalling, causing the new install to fail.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Rationalize creation of RA and HTTPD NSS databases 2017-02-14T22:37:40+00:00 Simo Sorce simo@redhat.com 2016-12-22T23:55:33+00:00 6101ef1c1c043ef91d61f1497351f7388625cdfc The RA database sould not be created by the HTTP instance, but in the code path that creates the CA instance. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
The RA database sould not be created by the HTTP instance,
but in the code path that creates the CA instance.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Add a new user to run the framework code 2017-02-14T22:37:37+00:00 Simo Sorce simo@redhat.com 2016-08-16T13:03:19+00:00 968c07d8a4a6265cf44210a3285eadd216c8e5fb Add the apache user the ipawebui group. Make the ccaches directory owned by the ipawebui group and make mod_auth_gssapi write the ccache files as r/w by the apache user and the ipawebui group. Fix tmpfiles creation ownership and permissions to allow the user to access ccaches files. The webui framework now works as a separate user than apache, so the certs used to access the dogtag instance need to be usable by this new user as well. Both apache and the webui user are in the ipawebui group, so use that. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
Add the apache user the ipawebui group.
Make the ccaches directory owned by the ipawebui group and make
mod_auth_gssapi write the ccache files as r/w by the apache user and
the ipawebui group.
Fix tmpfiles creation ownership and permissions to allow the user to
access ccaches files.
The webui framework now works as a separate user than apache, so the certs
used to access the dogtag instance need to be usable by this new user as well.
Both apache and the webui user are in the ipawebui group, so use that.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Always use /etc/ipa/ca.crt as CA cert file 2017-02-14T22:37:28+00:00 Simo Sorce simo@redhat.com 2016-12-22T18:34:34+00:00 d031ba5c1ca00fab95c5bbd363b0f66550770445 It seem like ALIAS_CACERT_ASC was just a redundant location for the CA cert file which is always available in /etc/ipa/ca.crt Just use the canonical CA cert location in /etc/ipa for all cases and stop creating a separate cacert file. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
It seem like ALIAS_CACERT_ASC was just a redundant location for the CA
cert file which is always available in /etc/ipa/ca.crt

Just use the canonical CA cert location in /etc/ipa for all cases and
stop creating a separate cacert file.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Simplify NSSDatabase password file handling 2017-02-14T22:37:22+00:00 Simo Sorce simo@redhat.com 2016-12-22T19:24:21+00:00 78ec63b3e2b1b1bbd015ee42554db9a6a3c8e716 https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Separate RA cert store from the HTTP cert store 2017-02-14T22:37:16+00:00 Simo Sorce simo@redhat.com 2016-12-13T15:32:32+00:00 63e18ecfe383827678cf77463520463ca7a4d821 This is in preparation for separating out the user under which the ipa api framework runs as. This commit also removes certs.NSS_DIR to avoid confusion and replaces it where appropriate with the correct NSS DB directory, either the old HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is removed altogether as it was simply not necessary. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
This is in preparation for separating out the user under which the
ipa api framework runs as.

This commit also removes certs.NSS_DIR to avoid confusion and replaces
it where appropriate with the correct NSS DB directory, either the old
HTTPD_ALIAS_DIR ot the RA DB IPA_RADB_DIR. In some cases its use is
removed altogether as it was simply not necessary.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Configure HTTPD to work via Gss-Proxy 2017-02-14T22:37:08+00:00 Simo Sorce simo@redhat.com 2016-11-29T16:10:22+00:00 43233c318b13e0ea38e2ebb1bb3147f6e24ca7fb https://fedorahosted.org/freeipa/ticket/4189 https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4189
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Use Anonymous user to obtain FAST armor ccache 2017-02-14T22:36:58+00:00 Simo Sorce simo@redhat.com 2016-12-02T11:48:35+00:00 399ab5b87a6d983bd5e3882d0660b81942c184e4 The anonymous user allows the framework to obtain an armor ccache without relying on usable credentials, either via a keytab or a pkinit and public certificates. This will be needed once the HTTP keytab is moved away for privilege separation. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
The anonymous user allows the framework to obtain an armor ccache without
relying on usable credentials, either via a keytab or a pkinit and
public certificates. This will be needed once the HTTP keytab is moved away
for privilege separation.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Drop use of kinit_as_http from trust code 2017-02-14T22:36:50+00:00 Simo Sorce simo@redhat.com 2016-12-07T09:33:40+00:00 09886c1e89532a64c4f1e5b5a68135390113f5b3 The framework will not have direct access to the keytab anymore. This function was used in two places, to fetch the domain list and to re-initialize the PAC when enabling or disabling a domain trust. The domian list is normally fetched via oddjob anyway so this use is not necesary anymore, and the MS-PAC re-initialization can be moved later to oddjob if needed. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> 
The framework will not have direct access to the keytab anymore.
This function was used in two places, to fetch the domain list and to
re-initialize the PAC when enabling or disabling a domain trust.
The domian list is normally fetched via oddjob anyway so this use is
not necesary anymore, and the MS-PAC re-initialization can be moved
later to oddjob if needed.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>