The Identity, Policy and Audit system
CentOS Sources
2017-11-30 3f8296d9f024827d364d060c2af704edc52ae283
import ipa-4.5.0-22.el7_4
4 files added, 1 file modified, 264 lines changed

Changed files:
SOURCES/0233-Less-confusing-message-for-PKINIT-configuration-duri.patch (50 lines)
SOURCES/0234-server.py-Removes-dns-server-configuration-from-ldap.patch (45 lines)
SOURCES/0235-Include-the-CA-basic-constraint-in-CSRs-when-renewin.patch (75 lines)
SOURCES/0236-Checks-if-replica-s4u2proxy.ldif-should-be-applied.patch (51 lines)
SPECS/ipa.spec (43 lines)
SOURCES/0233-Less-confusing-message-for-PKINIT-configuration-duri.patch
New file
@@ -0,0 +1,50 @@
From ad0f85945daa0b0bfbddbcde992c5388c170518f Mon Sep 17 00:00:00 2001
From: Aleksei Slaikovskii <aslaikov@redhat.com>
Date: Wed, 18 Oct 2017 09:52:08 +0200
Subject: [PATCH] Less confusing message for PKINIT configuration during
 install
The message about an error during replica setup was causing the
users to think the installation had gone wrong even though this was
an expected behavior when ipa-replica-install was run without the
--no-pkinit flag and the CA somehow is not reachable, which means
that there is something wrong in the topology but does not lead
to failure of the replica's installation. So now the installation
will not print error messages to stdout but rather will give a
recommendation to the user and write the old error message to the log
as a warning so it will still be easy to find if needed.
https://pagure.io/freeipa/issue/7179
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
---
 ipaserver/install/krbinstance.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 6b51e65d1ec985bfc01f167aea3fe3ca11c7ec29..34fe46aa8ef297bf69eb74953c956ad9c3d30def 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -494,8 +494,17 @@ class KrbInstance(service.Service):
             self._install_pkinit_ca_bundle()
             self.pkinit_enable()
         except RuntimeError as e:
-            root_logger.error("PKINIT certificate request failed: %s", e)
-            root_logger.error("Failed to configure PKINIT")
+            root_logger.warning("PKINIT certificate request failed: %s", e)
+            root_logger.warning("Failed to configure PKINIT")
+
+            self.print_msg("Full PKINIT configuration did not succeed")
+            self.print_msg(
+                "The setup will only install bits "
+                "essential to the server functionality")
+            self.print_msg(
+                "You can enable PKINIT after the "
+                "setup completed using 'ipa-pkinit-manage'")
+
             self.stop_tracking_certs()
             self.issue_selfsigned_pkinit_certs()
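Review bot: the detail that actually explains the failure (the RuntimeError text) now only reaches the log, while the three `print_msg` lines give the user no hint where to look; consider adding a pointer to the install log in the stdout message, e.g. `self.print_msg("See the installation log for details")`. Also worth a line in the release notes: this condition moves from ERROR to WARNING in the log, so any log monitoring keyed on ERROR lines will stop seeing it.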
--
2.13.5
SOURCES/0234-server.py-Removes-dns-server-configuration-from-ldap.patch
New file
@@ -0,0 +1,45 @@
From d71488fd450615ade6c10978af38d0dda27ec859 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= <tdudlak@redhat.com>
Date: Tue, 6 Jun 2017 15:13:26 +0200
Subject: [PATCH] server.py: Removes dns-server configuration from ldap
After invocation of the ipa server-del <hostname>
command there was still a record in ldap if DNS
was installed on the <hostname> server.
Fixes: https://pagure.io/freeipa/issue/6572
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipaserver/plugins/server.py | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index b1ee4722841509f4614c688ac39095c723aff167..e0dc953a1ef870c95fdcdb629fb6ab3103e8f999 100644
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -692,6 +692,12 @@ class server_del(LDAPDelete):
                     message=_("You may need to manually remove them from the "
                               "tree")))
+    def _cleanup_server_dns_config(self, hostname):
+        try:
+            self.api.Command.dnsserver_del(hostname)
+        except errors.NotFound:
+            pass
+
     def pre_callback(self, ldap, dn, *keys, **options):
         pkey = self.obj.get_primary_key_from_dn(dn)
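Review bot: `_cleanup_server_dns_config` swallows only `errors.NotFound`; any other failure of `dnsserver_del` (a permission error, for instance) propagates out of `pre_callback` and aborts the whole `server-del`, unlike the neighbouring DNS record cleanup, which reports "You may need to manually remove them from the tree" and continues. Consider catching the broader error class and emitting the same kind of message, and add a short docstring. Also confirm that `errors` is already imported in server.py, since the hunk does not add the import.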
@@ -731,6 +737,9 @@ class server_del(LDAPDelete):
         # try to clean up the leftover DNS entries
         self._cleanup_server_dns_records(pkey)
+        # try to clean up the DNS config from ldap
+        self._cleanup_server_dns_config(pkey)
+
         return dn
     def exc_callback(self, keys, options, exc, call_func, *call_args,
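Review bot: the new cleanup runs in `pre_callback`, i.e. before the server entry itself is deleted, so if the subsequent LDAP delete fails the DNS server configuration is already gone while the server entry remains. That matches the ordering used for the record cleanup just above, so it is acceptable for consistency, but the comment `# try to clean up the DNS config from ldap` should state that the removal is not rolled back on failure.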
--
2.13.5
SOURCES/0235-Include-the-CA-basic-constraint-in-CSRs-when-renewin.patch
New file
@@ -0,0 +1,75 @@
From a6b7f433c1c8c30e455f345fcd97e7428ae63322 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 9 Aug 2017 17:28:35 -0400
Subject: [PATCH] Include the CA basic constraint in CSRs when renewing a CA
The CSR generated by `ipa-cacert-manage renew --external-ca` did
not include the CA basic constraint:
  X509v3 Basic Constraints: critical
      CA:TRUE
Add a flag to certmonger::resubmit_request to specify that a
CA is being requested.
Note that this also sets pathlen to -1 which means an unlimited
pathlen. Leave it up to the issuing CA to set this.
https://pagure.io/freeipa/issue/7088
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 ipalib/install/certmonger.py           | 13 +++++++++++--
 ipaserver/install/ipa_cacert_manage.py |  3 ++-
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
index c286996ee2318e241b4af190d1a01f42e28aa9f3..d2b782ddb0c746a3dfd96d0222bb31c6a960fdff 100644
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -519,16 +519,25 @@ def modify(request_id, ca=None, profile=None):
         request.obj_if.modify(update)
-def resubmit_request(request_id, ca=None, profile=None):
+def resubmit_request(request_id, ca=None, profile=None, is_ca=False):
+    """
+    :param request_id: the certmonger numeric request ID
+    :param ca: the nickname for the certmonger CA, e.g. IPA or SelfSign
+    :param profile: the dogtag template profile to use, e.g. SubCA
+    :param is_ca: boolean that if True adds the CA basic constraint
+    """
     request = _get_request({'nickname': request_id})
     if request:
-        if ca or profile:
+        if ca or profile or is_ca:
             update = {}
             if ca is not None:
                 cm = _certmonger()
                 update['CA'] = cm.obj_if.find_ca_by_nickname(ca)
             if profile is not None:
                 update['template-profile'] = profile
+            if is_ca:
+                update['template-is-ca'] = True
+                update['template-ca-path-length'] = -1  # no path length
             request.obj_if.modify(update)
         request.obj_if.resubmit()
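Review bot: the inline comment `# no path length` on `update['template-ca-path-length'] = -1` is ambiguous; per the commit message -1 means no pathLenConstraint at all (unlimited depth), so spell that out, e.g. `# -1: no pathLenConstraint, the issuing CA decides`, and say the same in the `:param is_ca:` docstring entry so callers know the CSR requests an unconstrained CA and relies on the external CA to cap it.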
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index fcbf09155a3abc9ce9481aa2519ed39aaa6aa9bb..9607620d6c3e63b70b9e586f94282bf478c8c53e 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -310,7 +310,8 @@ class CACertManage(admintool.AdminTool):
         timeout = api.env.startup_timeout + 60
         self.log.debug("resubmitting certmonger request '%s'", self.request_id)
-        certmonger.resubmit_request(self.request_id, ca=ca, profile=profile)
+        certmonger.resubmit_request(self.request_id, ca=ca, profile=profile,
+                                    is_ca=True)
         try:
             state = certmonger.wait_for_request(self.request_id, timeout)
         except RuntimeError:
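Review bot: `is_ca=True` is passed unconditionally; since `ipa-cacert-manage renew` only ever renews the IPA CA certificate that is correct, but a one-line comment above the call saying so would keep a future caller from copying this into a non-CA renewal path.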
--
2.13.5
SOURCES/0236-Checks-if-replica-s4u2proxy.ldif-should-be-applied.patch
New file
@@ -0,0 +1,51 @@
From f6ce0099adc7c8508b3bf2f82102c1dd70fa08dc Mon Sep 17 00:00:00 2001
From: Felipe Barreto <fbarreto@redhat.com>
Date: Fri, 13 Oct 2017 09:19:43 +0200
Subject: [PATCH] Checks if replica-s4u2proxy.ldif should be applied
Before applying replica-s4u2proxy.ldif, we check
if the values are already there. The values can be
there if a replica installation was done in the past
and some info was left behind. Also, the code checks
the values independently.
https://pagure.io/freeipa/issue/7174
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ipaserver/install/dsinstance.py | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index c9db8ac28c3ca10539b745ca09f4d8aaece02e0c..f7edcffc5904d8c9ce46f5862d496a4df3ad8d75 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -930,7 +930,24 @@ class DsInstance(service.Service):
         self._ldap_mod("replica-acis.ldif", self.sub_dict)
     def __setup_s4u2proxy(self):
-        self._ldap_mod("replica-s4u2proxy.ldif", self.sub_dict)
+
+        def __add_principal(last_cn, principal, self):
+            dn = DN(('cn', last_cn), ('cn', 's4u2proxy'),
+                    ('cn', 'etc'), self.suffix)
+
+            value = '{principal}/{fqdn}@{realm}'.format(fqdn=self.fqdn,
+                                                        realm=self.realm,
+                                                        principal=principal)
+
+            entry = api.Backend.ldap2.get_entry(dn, ['memberPrincipal'])
+            try:
+                entry['memberPrincipal'].append(value)
+                api.Backend.ldap2.update_entry(entry)
+            except errors.EmptyModlist:
+                pass
+
+        __add_principal('ipa-http-delegation', 'HTTP', self)
+        __add_principal('ipa-ldap-delegation-targets', 'ldap', self)
     def __create_indices(self):
         self._ldap_mod("indices.ldif")
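Review bot: the commit message says the values are checked before being added, but the hunk contains no explicit check: `entry['memberPrincipal'].append(value)` always appends and the code relies on `update_entry` raising `errors.EmptyModlist` when the computed modlist is empty. Make the check explicit (`if value not in entry['memberPrincipal']:` before the append) so the intent is visible and does not depend on how the modlist is derived. Two further points: the `_ldap_mod("replica-s4u2proxy.ldif", ...)` call is removed, so the `cn=ipa-http-delegation` and `cn=ipa-ldap-delegation-targets` entries must already exist, otherwise `get_entry` raises `errors.NotFound`, which is not handled here; and if an entry exists without a `memberPrincipal` attribute the subscript may fail before the append. Style: the nested `__add_principal(last_cn, principal, self)` takes `self` as a trailing positional argument; a closure over `self` or a private method would be more idiomatic.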
--
2.13.5
SPECS/ipa.spec
@@ -68,7 +68,7 @@
Name:           ipa
Version:        %{IPA_VERSION}
Release:        21%{?dist}.2.2
Release:        22%{?dist}
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
@@ -76,10 +76,10 @@
URL:            http://www.freeipa.org/
Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity Management
#Source1:        header-logo.png
#Source2:        login-screen-background.jpg
#Source3:        login-screen-logo.png
#Source4:        product-name.png
Source1:        header-logo.png
Source2:        login-screen-background.jpg
Source3:        login-screen-logo.png
Source4:        product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity Management
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
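Review bot: the `# RHEL spec file only: START/END: Change branding to IPA and Identity Management` comments are kept while the `Source1`..`Source4` lines switch between their commented and uncommented forms; update or drop the comment so it matches which set of branding sources is actually in effect.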
@@ -316,6 +316,10 @@
Patch0230:      0230-log-progress-of-wait_for_open_ports.patch
Patch0231:      0231-Store-help-in-Schema-before-writing-to-disk.patch
Patch0232:      0232-Disable-pylint-in-get_help-function-because-of-type-.patch
Patch0233:      0233-Less-confusing-message-for-PKINIT-configuration-duri.patch
Patch0234:      0234-server.py-Removes-dns-server-configuration-from-ldap.patch
Patch0235:      0235-Include-the-CA-basic-constraint-in-CSRs-when-renewin.patch
Patch0236:      0236-Checks-if-replica-s4u2proxy.ldif-should-be-applied.patch
Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002:      1002-Package-copy-schema-to-ca.py.patch
@@ -1117,10 +1121,10 @@
%endif # with_python3
# RHEL spec file only: START: Change branding to IPA and Identity Management
#cp %SOURCE1 install/ui/images/header-logo.png
#cp %SOURCE2 install/ui/images/login-screen-background.jpg
#cp %SOURCE3 install/ui/images/login-screen-logo.png
#cp %SOURCE4 install/ui/images/product-name.png
cp %SOURCE1 install/ui/images/header-logo.png
cp %SOURCE2 install/ui/images/login-screen-background.jpg
cp %SOURCE3 install/ui/images/login-screen-logo.png
cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity Management
@@ -1144,8 +1148,7 @@
%configure --with-vendor-suffix=-%{release} \
           %{enable_server_option} \
           %{with_ipatests_option} \
           %{linter_options} \
           --with-ipaplatform=rhel
           %{linter_options}
%make_build
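Review bot: this hunk drops `--with-ipaplatform=rhel` from the `%configure` call and restores the plain `%{linter_options}` line, which undoes the change recorded by the 4.5.0-21.el7.centos.2.2 changelog entry "set ipaplatform to rhel for compatibilty for updates". If the import of the RHEL spec is meant to override that CentOS adjustment, record it in a changelog entry; otherwise the option needs to be re-added.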
@@ -1869,11 +1872,19 @@
%changelog
* Thu Oct 19 2017 Johnny Hughes <johnny@centos.org> - 4.5.0-21.el7.centos.2.2
- set ipaplatform to rhel for compatibilty for updates
* Thu Oct 19 2017 CentOS Sources <bugs@centos.org> - 4.5.0-21.el7.centos.2.2
- Roll in CentOS Branding
* Fri Oct 27 2017 Felipe Barreto <fbarreto@redhat.com> - 4.5.0-22.el7
- Resolves: #1506528 In case full PKINIT configuration is failing during
  server/replica install the error message should be more meaningful.
    - Less confusing message for PKINIT configuration during install
- Resolves: #1506526 Use X509v3 Basic Constraints "CA:TRUE" instead of
  "CA:FALSE" IPA CA CSR
    - Include the CA basic constraint in CSRs when renewing a CA
- Resolves: #1506913 ipa-replica-install might fail because of an already
  existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
    - Checks if replica-s4u2proxy.ldif should be applied
- Resolves: #1506525 server-del doesn't remove dns-server configuration
  from ldap
    - server.py: Removes dns-server configuration from ldap
* Wed Sep 20 2017 Felipe Barreto <fbarreto@redhat.com> - 4.5.0-21.el7.2.2
- Resolves: #1493410 ipa-server-upgrade timeouts on wait_for_open ports
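Review bot: the two entries dated Thu Oct 19 2017 sit above the Fri Oct 27 2017 entry; rpmbuild expects `%changelog` in descending date order and warns when it is not, so if both sets of entries remain in the result the Oct 27 entry must move above them. Also "compatibilty" in the Oct 19 entry is a typo for "compatibility".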