The Identity, Policy and Audit system
CentOS Sources
2016-12-06 fef02ceb41188935fdd46f9c58f20da27337fc60
import ipa-4.4.0-14.el7_3
10 files added, 1 file deleted, 1 file modified; 748 lines changed in total
SOURCES/0135-ipa-passwd-use-correct-normalizer-for-user-principal.patch (52 lines)
SOURCES/0136-Keep-NSS-trust-flags-of-existing-certificates.patch (47 lines)
SOURCES/0137-Properly-handle-LDAP-socket-closures-in-ipa-otpd.patch (81 lines)
SOURCES/0138-cert-add-revocation-reason-back-to-cert-find-output.patch (54 lines)
SOURCES/0139-Make-httpd-publish-its-CA-certificate-on-DL1.patch (34 lines)
SOURCES/0140-Add-cert-checks-in-ipa-server-certinstall.patch (88 lines)
SOURCES/0141-WebUI-services-without-canonical-name-are-shown-corr.patch (152 lines)
SOURCES/0142-Fix-missing-file-that-fails-DL1-replica-installation.patch (55 lines)
SOURCES/0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch (46 lines)
SOURCES/0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch (40 lines)
SOURCES/ipa-centos-branding.patch (38 lines, deleted)
SPECS/ipa.spec (61 lines)
SOURCES/0135-ipa-passwd-use-correct-normalizer-for-user-principal.patch
New file
@@ -0,0 +1,52 @@
From 8750c84bbfef36ceeaac8e7c8e3b788c31f68317 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Tue, 13 Sep 2016 15:40:04 +0200
Subject: [PATCH] ipa passwd: use correct normalizer for user principals
Commit c2af032c0333f7e210c54369159d1d9f5e3fec74 introduced a regression in the
handling of user principals supplied to the`ipa passwd` command. This patch
restores the original behavior which lowercases the username portion of the
principal.
https://fedorahosted.org/freeipa/ticket/6329
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/plugins/passwd.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/ipaserver/plugins/passwd.py b/ipaserver/plugins/passwd.py
index 1576c4ca85cb761d2a124a932a26b371b9e87107..ebc41d90009d7145ada75f3cabe3c01c6d25f6ea 100644
--- a/ipaserver/plugins/passwd.py
+++ b/ipaserver/plugins/passwd.py
@@ -29,7 +29,8 @@ from ipalib.plugable import Registry
 from ipalib.request import context
 from ipapython import kerberos
 from ipapython.dn import DN
-from ipaserver.plugins.service import validate_realm, normalize_principal
+from ipaserver.plugins.baseuser import normalize_user_principal
+from ipaserver.plugins.service import validate_realm
 if six.PY3:
     unicode = str
@@ -66,7 +67,7 @@ def get_current_password(principal):
     be ignored later.
     """
     current_principal = krb_utils.get_principal()
-    if current_principal == unicode(normalize_principal(principal)):
+    if current_principal == unicode(normalize_user_principal(principal)):
         return None
     else:
         return MAGIC_VALUE
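Review bot: the changed comparison normalizes only the caller-supplied principal before comparing it with krb_utils.get_principal(), and that equality is what decides between returning None (no current password needed) and MAGIC_VALUE, so it silently depends on the credential-cache principal already being in the lowercase form normalize_user_principal() produces. Either normalize current_principal the same way or add a comment stating that assumption, so a mixed-case principal in the ccache cannot flip the result.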
@@ -84,7 +85,7 @@ class passwd(Command):
             primary_key=True,
             autofill=True,
             default_from=lambda: kerberos.Principal(krb_utils.get_principal()),
-            normalizer=lambda value: normalize_principal(value),
+            normalizer=lambda value: normalize_user_principal(value),
         ),
         Password('password',
                  label=_('New Password'),
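Review bot: style point on the `+` line: `normalizer=lambda value: normalize_user_principal(value)` only forwards its argument, so `normalizer=normalize_user_principal` is equivalent and easier to read; the removed line used the same pattern, so this is optional.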
--
2.10.2
SOURCES/0136-Keep-NSS-trust-flags-of-existing-certificates.patch
New file
@@ -0,0 +1,47 @@
From 08d3dcb1834fc227dcd9d2071fda58e6dc639394 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkrizek@redhat.com>
Date: Tue, 13 Sep 2016 10:14:47 +0200
Subject: [PATCH] Keep NSS trust flags of existing certificates
Backup and restore trust flags of existing certificates during CA
installation. This prevents marking a previously trusted certificate
as untrusted, as was the case when CA-less was converted to CA-full
with external CA when using the same certificate.
https://fedorahosted.org/freeipa/ticket/5791
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
 ipaserver/install/cainstance.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 3551887cd8ff8baa5e17f8969c84fb92d7552ef3..6c57aadfcdc2864f8cdc84c16556dce7163737fc 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -832,6 +832,10 @@ class CAInstance(DogtagInstance):
             raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
     def __import_ca_chain(self):
+        # Backup NSS trust flags of all already existing certificates
+        certdb = certs.CertDB(self.realm)
+        cert_backup_list = certdb.list_certs()
+
         chain = self.__get_ca_chain()
         # If this chain contains multiple certs then certutil will only import
@@ -882,6 +886,10 @@ class CAInstance(DogtagInstance):
                     os.remove(chain_name)
                     subid += 1
+        # Restore NSS trust flags of all previously existing certificates
+        for nick, trust_flags in cert_backup_list:
+            certdb.trust_root_cert(nick, trust_flags)
+
     def __request_ra_certificate(self):
         # Create a noise file for generating our private key
         noise = array.array('B', os.urandom(128))
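Review bot: the restore loop re-applies the backed-up flags with certdb.trust_root_cert() to every nickname returned by list_certs(), not only to CA certificates, and it runs after the chain import may have replaced or renamed some of those nicknames; a nickname that no longer exists will make trust_root_cert() fail at the very end of __import_ca_chain and abort the CA install. Restoring only nicknames that still exist (re-list and intersect with cert_backup_list) and stating in the comment that pre-existing trust intentionally overrides whatever the import set would make the intent explicit.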
--
2.10.2
SOURCES/0137-Properly-handle-LDAP-socket-closures-in-ipa-otpd.patch
New file
@@ -0,0 +1,81 @@
From 31007eff1b8d858dfc51f730b47a7aaefc8e33e8 Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum <npmccallum@redhat.com>
Date: Tue, 27 Sep 2016 14:34:05 -0400
Subject: [PATCH] Properly handle LDAP socket closures in ipa-otpd
In at least one case, when an LDAP socket closes, a read event is fired
rather than an error event. Without this patch, ipa-otpd silently
ignores this event and enters a state where all bind auths fail.
To remedy this problem, we pass error events along the same path as read
events. Should the actual read fail, we exit.
https://bugzilla.redhat.com/show_bug.cgi?id=1377858
https://fedorahosted.org/freeipa/ticket/6368
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 daemons/ipa-otpd/bind.c  | 10 ++++------
 daemons/ipa-otpd/query.c | 13 ++++++-------
 2 files changed, 10 insertions(+), 13 deletions(-)
diff --git a/daemons/ipa-otpd/bind.c b/daemons/ipa-otpd/bind.c
index 022525b786705b4f58f861bc3b0a745ab8693755..a98312f906a785bfa9c98603a3577561552bfc0a 100644
--- a/daemons/ipa-otpd/bind.c
+++ b/daemons/ipa-otpd/bind.c
@@ -85,6 +85,9 @@ static void on_bind_readable(verto_ctx *vctx, verto_ev *ev)
         if (rslt <= 0)
             results = NULL;
         ldap_msgfree(results);
+        otpd_log_err(EIO, "IO error received on bind socket");
+        verto_break(ctx.vctx);
+        ctx.exitstatus = 1;
         return;
     }
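Review bot: the new error path in on_bind_readable is taken for any ldap_result() outcome that is not the expected bind result, not only for the socket closure described in the commit message, yet it always logs "IO error received on bind socket" and exits with status 1. If an unexpected but harmless message type can arrive on this connection the daemon will terminate on it; if fail-fast is the intent, logging the actual result code (rslt) alongside EIO would make such an exit diagnosable.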
@@ -137,11 +140,6 @@ void otpd_on_bind_io(verto_ctx *vctx, verto_ev *ev)
     flags = verto_get_fd_state(ev);
     if (flags & VERTO_EV_FLAG_IO_WRITE)
         on_bind_writable(vctx, ev);
-    if (flags & VERTO_EV_FLAG_IO_READ)
+    if (flags & (VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_IO_ERROR))
         on_bind_readable(vctx, ev);
-    if (flags & VERTO_EV_FLAG_IO_ERROR) {
-        otpd_log_err(EIO, "IO error received on bind socket");
-        verto_break(ctx.vctx);
-        ctx.exitstatus = 1;
-    }
 }
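Review bot: with VERTO_EV_FLAG_IO_ERROR folded into the read check, an error-only event now reaches on_bind_readable, whose ldap_result() call is expected to fail and trigger the exit; but on_bind_writable still runs first when IO_WRITE is set together with IO_ERROR, so a write is attempted on an already failed socket before the error is acted on. Testing the error flag before the write branch avoids that extra attempt.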
diff --git a/daemons/ipa-otpd/query.c b/daemons/ipa-otpd/query.c
index 67e2d751d8d1511d077a93d7673439be11812e6f..50e15603322c550a0eb14e1e3c502e1a229d1ebe 100644
--- a/daemons/ipa-otpd/query.c
+++ b/daemons/ipa-otpd/query.c
@@ -133,7 +133,11 @@ static void on_query_readable(verto_ctx *vctx, verto_ev *ev)
     if (i != LDAP_RES_SEARCH_ENTRY && i != LDAP_RES_SEARCH_RESULT) {
         if (i <= 0)
             results = NULL;
-        goto egress;
+        ldap_msgfree(results);
+        otpd_log_err(EIO, "IO error received on query socket");
+        verto_break(ctx.vctx);
+        ctx.exitstatus = 1;
+        return;
     }
     item = otpd_queue_pop_msgid(&ctx.query.responses, ldap_msgid(results));
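Review bot: replacing `goto egress` with an inline free/log/break/return sequence duplicates the exact cleanup block added to bind.c in this same patch, and as there the message says "IO error" for any result type other than a search entry or search result, which may not be an I/O error at all. A small shared helper (log, verto_break, set exitstatus) called from both files would keep the two paths from drifting, and including the result code in the message helps distinguish a closed socket from an unexpected message.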
@@ -243,11 +247,6 @@ void otpd_on_query_io(verto_ctx *vctx, verto_ev *ev)
     flags = verto_get_fd_state(ev);
     if (flags & VERTO_EV_FLAG_IO_WRITE)
         on_query_writable(vctx, ev);
-    if (flags & VERTO_EV_FLAG_IO_READ)
+    if (flags & (VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_IO_ERROR))
         on_query_readable(vctx, ev);
-    if (flags & VERTO_EV_FLAG_IO_ERROR) {
-        otpd_log_err(EIO, "IO error received on query socket");
-        verto_break(ctx.vctx);
-        ctx.exitstatus = 1;
-    }
 }
--
2.10.2
SOURCES/0138-cert-add-revocation-reason-back-to-cert-find-output.patch
New file
@@ -0,0 +1,54 @@
From c3ceffccc56dea782a3dfac5bc3a14d1d022d33a Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 12 Oct 2016 12:58:46 +0200
Subject: [PATCH] cert: add revocation reason back to cert-find output
In commit c718ef058847bb39e78236e8af0ad69ac961bbcf some param values were
accidentally removed from cert-find output.
In commit 22d5f579bbd8bb452cf1bf620294ab6ade6e7c47 `serial_number_hex` and
`revoked` were added back.
Add back `revocation_reason` as well. Also, do not include `revoked` with
--raw, as it's a virtual attribute.
https://fedorahosted.org/freeipa/ticket/6269
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
---
 ipaserver/plugins/cert.py | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 00bae4560d601e28e0b983786bff9144bcc1b065..68516391a54aead8e92f3cdeb33463d8fa624bbd 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1098,16 +1098,17 @@ class cert_find(Search, CertMethod):
                 obj = {'serial_number': serial_number}
             else:
                 obj = ra_obj
-                obj['issuer'] = issuer
-                obj['subject'] = DN(ra_obj['subject'])
-                obj['revoked'] = (
-                    ra_obj['status'] in (u'REVOKED', u'REVOKED_EXPIRED'))
-
                 if all:
-                    ra_obj = ra.get_certificate(str(serial_number))
-                    if not raw:
+                    obj.update(ra.get_certificate(str(serial_number)))
+
+                if not raw:
+                    obj['issuer'] = issuer
+                    obj['subject'] = DN(ra_obj['subject'])
+                    obj['revoked'] = (
+                        ra_obj['status'] in (u'REVOKED', u'REVOKED_EXPIRED'))
+                    if all:
                         obj['certificate'] = (
-                            ra_obj['certificate'].replace('\r\n', ''))
+                            obj['certificate'].replace('\r\n', ''))
                         self.obj._parse(obj)
             obj['cacn'] = ca_obj['cn'][0]
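Review bot: the hunk never assigns `revocation_reason` itself; it can only arrive through `obj.update(ra.get_certificate(...))`, which runs only under `if all:`, so without --all the output is unchanged by this fix, which the commit message does not say (the changelog entry for #1371479 does scope it to cert-find --all). Moving `issuer` and `subject` under `if not raw:` also drops them from --raw output together with the virtual `revoked` attribute, although only `revoked` is described as virtual; if issuer and subject are meant to stay in raw output they should remain outside that block.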
--
2.10.2
SOURCES/0139-Make-httpd-publish-its-CA-certificate-on-DL1.patch
New file
@@ -0,0 +1,34 @@
From 3ea5984f2806958dee1b94fe993d20b09f64b107 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Tue, 11 Oct 2016 15:48:47 +0200
Subject: [PATCH] Make httpd publish its CA certificate on DL1
httpd did not publish its certificate on DL1 which could
cause issues during client installation in a rare corner
case where there would be no way of getting the certificate
but from a HTTP instance.
https://fedorahosted.org/freeipa/ticket/6393
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
 ipaserver/install/httpinstance.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 00f890175ae583f485797da6f913a7f83b302df3..431671eaf55d4ac63dc01190e254931dac096dec 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -175,8 +175,7 @@ class HTTPInstance(service.Service):
         self.step("importing CA certificates from LDAP", self.__import_ca_certs)
         if autoconfig:
             self.step("setting up browser autoconfig", self.__setup_autoconfig)
-        if not self.promote:
-            self.step("publish CA cert", self.__publish_ca_cert)
+        self.step("publish CA cert", self.__publish_ca_cert)
         self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
         self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
         if not self.is_kdcproxy_configured():
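Review bot: dropping the `if not self.promote:` guard makes __publish_ca_cert run on promoted (DL1) replicas, so it now assumes the CA certificate file it publishes already exists on a replica at this step; the separate patch 0142 in this same import (same ticket 6393, "Fix missing file that fails DL1 replica installation") is what creates that file in setup_ssl, so this change is not safe to backport on its own and the dependency deserves a mention in the commit message.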
--
2.10.2
SOURCES/0140-Add-cert-checks-in-ipa-server-certinstall.patch
New file
@@ -0,0 +1,88 @@
From b3512bae94edc33448466cae6f2716a5527f9eed Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 1 Sep 2016 13:56:24 +0200
Subject: [PATCH] Add cert checks in ipa-server-certinstall
When ipa-server-certinstall is called to install a new server certificate,
the prerequisite is that the certificate issuer must be already known by IPA.
This fix adds new checks to make sure that the tool exits before
modifying the target NSS database if it is not the case.
The fix consists in creating a temp NSS database with the CA certs from the
target NSS database + the new server cert and checking the new server cert
validity.
https://fedorahosted.org/freeipa/ticket/6263
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/ipa_server_certinstall.py | 40 +++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
index 0a8fb214a232e60a89b6c06940b928f97c007b93..7bc39e356ef3082ab229fa66eaeebba85eaa2802 100644
--- a/ipaserver/install/ipa_server_certinstall.py
+++ b/ipaserver/install/ipa_server_certinstall.py
@@ -25,8 +25,8 @@ import optparse
 from ipaplatform.constants import constants
 from ipaplatform.paths import paths
-from ipapython import admintool
-from ipapython.certdb import get_ca_nickname
+from ipapython import admintool, ipautil
+from ipapython.certdb import get_ca_nickname, NSSDatabase
 from ipapython.dn import DN
 from ipalib import api, errors
 from ipalib.constants import CACERT
@@ -157,6 +157,38 @@ class ServerCertInstall(admintool.AdminTool):
         os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid)
         os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)
+    def check_chain(self, pkcs12_filename, pkcs12_pin, nssdb):
+        # create a temp nssdb
+        with NSSDatabase() as tempnssdb:
+            db_password = ipautil.ipa_generate_password()
+            db_pwdfile = ipautil.write_tmp_file(db_password)
+            tempnssdb.create_db(db_pwdfile.name)
+
+            # import the PKCS12 file, then delete all CA certificates
+            # this leaves only the server certs in the temp db
+            tempnssdb.import_pkcs12(
+                pkcs12_filename, db_pwdfile.name, pkcs12_pin)
+            for nickname, flags in tempnssdb.list_certs():
+                if 'u' not in flags:
+                    while tempnssdb.has_nickname(nickname):
+                        tempnssdb.delete_cert(nickname)
+
+            # import all the CA certs from nssdb into the temp db
+            for nickname, flags in nssdb.list_certs():
+                if 'u' not in flags:
+                    cert = nssdb.get_cert_from_db(nickname)
+                    tempnssdb.add_cert(cert, nickname, flags)
+
+            # now get the server certs from tempnssdb and check their validity
+            try:
+                for nick, flags in tempnssdb.find_server_certs():
+                    tempnssdb.verify_server_cert_validity(nick, api.env.host)
+            except ValueError as e:
+                raise admintool.ScriptError(
+                    "Peer's certificate issuer is not trusted (%s). "
+                    "Please run ipa-cacert-manage install and ipa-certupdate "
+                    "to install the CA certificate." % str(e))
+
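Review bot: check_chain() catches only ValueError from verify_server_cert_validity() and always reports "Peer's certificate issuer is not trusted", but the check is run against api.env.host, so a hostname mismatch or an otherwise invalid certificate would be reported with the same misleading advice to install a CA certificate. Carrying the underlying error text into the message (or distinguishing the cases) makes the failure actionable; separately, the `'u' not in flags` heuristic treats every entry without a private key as a CA certificate to delete, which fits a typical server PKCS#12 but should be stated in the comment.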
     def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command):
         pkcs12_file, pin, ca_cert = installutils.load_pkcs12(
             cert_files=self.args,
@@ -167,6 +199,10 @@ class ServerCertInstall(admintool.AdminTool):
         dirname = os.path.normpath(dirname)
         cdb = certs.CertDB(api.env.realm, nssdir=dirname)
+
+        # Check that the ca_cert is known and trusted
+        self.check_chain(pkcs12_file.name, pin, cdb)
+
         try:
             ca_enabled = api.Command.ca_is_enabled()['result']
             if ca_enabled:
--
2.10.2
SOURCES/0141-WebUI-services-without-canonical-name-are-shown-corr.patch
New file
@@ -0,0 +1,152 @@
From 014aab243a4e7185ad5ebdc0a71e7de81553e501 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <pvomacka@redhat.com>
Date: Mon, 17 Oct 2016 14:33:07 +0200
Subject: [PATCH] WebUI: services without canonical name are shown correctly
There is a change introduced in 4.4 that new services have canonical name. The old ones
didn't have it, therefore these services were not correctly displayed in WebUI.
This patch adds support for this type of services. Service name is taken from
'krbprincipalname' attribute in case that 'krbcanonicalname' attribute is not present
in server response.
https://fedorahosted.org/freeipa/ticket/6397
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
---
 install/ui/src/freeipa/field.js   | 41 ++++++++++++++++++++++++++++++
 install/ui/src/freeipa/service.js | 52 ++++++++++++++++++++++++++++++++++++++-
 2 files changed, 92 insertions(+), 1 deletion(-)
diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js
index d8b957f5ab28b5ee4bc4ebce2ae6f454083bc4fd..efa2fb6ef4d4b5384661e9023ace511730954153 100644
--- a/install/ui/src/freeipa/field.js
+++ b/install/ui/src/freeipa/field.js
@@ -1306,6 +1306,46 @@ field.ObjectAdapter = declare([field.Adapter], {
 /**
+ * Custom adapter for fields which handles situations when there is no value
+ * for attribute (name) of the field and we want to use alternative attribute
+ * from response. We can set the alternative attribute name to the 'alt_attr'
+ * attribute of the adapter.
+ * This adapter is used i.e. in table in search facet for services. Handles
+ * situations where older services don't have canonical name.
+ *
+ * @class
+ * @extends field.Adapter
+ */
+field.AlternateAttrFieldAdapter = declare([field.Adapter], {
+    /**
+     * In case that the value is not get using field name then use alternative
+     * name.
+     * @param {Object} data Object which contains the record or the record
+     * @param {string} [attribute] attribute name - overrides `context.param`
+     * @param {Mixed} [def_val] default value - overrides `context.default_value`
+     * @returns {Array} attribute value
+     */
+    load: function(data, attribute, def_val) {
+        var record = this.get_record(data);
+        var value = null;
+        var attr = attribute || this.context.param;
+        var def = def_val || this.context.default_value;
+        if (record) {
+            value = this.get_value(record, attr);
+            if (util.is_empty(value) && this.context.adapter.alt_attr) {
+                value = this.get_value(record, this.context.adapter.alt_attr);
+            }
+        }
+        if (util.is_empty(value) && !util.is_empty(def)) {
+            value = util.normalize_value(def);
+        }
+        value = rpc.extract_objects(value);
+        return value;
+    }
+});
+
+
+/**
  * Field for enabling/disabling entity
  *
  * - expects radio widget
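Review bot: in AlternateAttrFieldAdapter.load the fallbacks `attribute || this.context.param` and `def_val || this.context.default_value` treat an explicitly passed empty string, 0 or false as absent and fall through to the context values; if the base field.Adapter.load uses the same pattern this is consistent, otherwise compare against undefined. The adapter also reads `this.context.adapter.alt_attr`, so it only works when the adapter spec object is kept on the context; a guard or a sentence in the doc comment would avoid a silent no-op when it is not.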
@@ -1577,6 +1617,7 @@ field.register = function() {
     l.register('adapter', field.Adapter);
     l.register('object_adapter', field.ObjectAdapter);
+    l.register('alternate_attr_field_adapter', field.AlternateAttrFieldAdapter);
 };
 phases.on('registration', field.register);
diff --git a/install/ui/src/freeipa/service.js b/install/ui/src/freeipa/service.js
index 30e336c35b8eece2e5e3ef55629d0c98f097fbf5..a6607d22e83047fb2d0dcc7775891445df4910b7 100644
--- a/install/ui/src/freeipa/service.js
+++ b/install/ui/src/freeipa/service.js
@@ -58,7 +58,16 @@ return {
     facets: [
         {
             $type: 'search',
-            columns: [ 'krbcanonicalname' ]
+            $factory: IPA.service.search_facet,
+            columns: [
+                {
+                    name: 'krbcanonicalname',
+                    adapter: {
+                        $type: 'alternate_attr_field_adapter',
+                        alt_attr: 'krbprincipalname'
+                    }
+                }
+            ]
         },
         {
             $type: 'details',
@@ -403,6 +412,47 @@ return {
     }
 };};
+
+/**
+ * Custom search facet for services. It has alternative primary key, in case
+ * that the service doesn't have canonical name.
+ */
+IPA.service.search_facet = function(spec) {
+    spec = spec || {};
+
+    spec.alternative_pkey = spec.alternative_pkey || 'krbprincipalname';
+
+    var that = IPA.search_facet(spec);
+
+    that.alternative_pkey = spec.alternative_pkey;
+
+    that.get_records_map = function(data) {
+
+        var records_map = $.ordered_map();
+
+        var result = data.result.result;
+        var pkey_name = that.managed_entity.metadata.primary_key ||
+                                                        that.primary_key_name;
+        var adapter = builder.build('adapter', 'adapter', {context: that});
+
+        for (var i=0; i<result.length; i++) {
+            var record = result[i];
+            var pkey = adapter.load(record, pkey_name)[0];
+            if (pkey === undefined && that.alternative_pkey) {
+                pkey = adapter.load(record, that.alternative_pkey)[0];
+            }
+            if (that.filter_records(records_map, pkey, record)) {
+                records_map.put(pkey, record);
+            }
+        }
+
+        return records_map;
+    };
+
+    return that;
+};
+
+
 IPA.service.details_facet = function(spec, no_init) {
     var that = IPA.details_facet(spec, true);
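Review bot: get_records_map takes `adapter.load(record, pkey_name)[0]` and then `[0]` of the alternative attribute; `krbprincipalname` is multi-valued (a service can carry several principal aliases), so the first value becomes the row key, and if neither attribute is present pkey is still undefined and is passed on to filter_records()/records_map.put(). Skipping records with no usable key, and documenting that the first krbprincipalname value is used, would make the fallback behaviour explicit.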
--
2.7.4
SOURCES/0142-Fix-missing-file-that-fails-DL1-replica-installation.patch
New file
@@ -0,0 +1,55 @@
From eb844fe9e56a30be9462508f1e5330aaa73342b3 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slaznick@redhat.com>
Date: Mon, 31 Oct 2016 16:51:49 +0100
Subject: [PATCH] Fix missing file that fails DL1 replica installation
Replica installation on DL1 would fail to create a httpd instance
due to missing '/etc/httpd/alias/cacert.asc'. Create this file
in the setup_ssl step to avoid the error.
https://fedorahosted.org/freeipa/ticket/6393
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/install/httpinstance.py | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 431671eaf55d4ac63dc01190e254931dac096dec..aeae10902e6597ca1e494240a625caed9f7b7192 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -343,14 +343,23 @@ class HTTPInstance(service.Service):
             self.__set_mod_nss_nickname(nickname)
             self.add_cert_to_service()
-        elif not self.promote:
-            db.create_password_conf()
-            self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn,
-                                                 ca_db)
-            db.track_server_cert(self.cert_nickname, self.principal,
-                                 db.passwd_fname, 'restart_httpd')
-            db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
-            self.add_cert_to_service()
+        else:
+            if not self.promote:
+                db.create_password_conf()
+                self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn,
+                                                     ca_db)
+                db.track_server_cert(self.cert_nickname, self.principal,
+                                     db.passwd_fname, 'restart_httpd')
+                db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db)
+                self.add_cert_to_service()
+
+            server_certs = db.find_server_certs()
+            if not server_certs:
+                raise RuntimeError("Could not find a suitable server cert.")
+
+            # We only handle one server cert
+            nickname = server_certs[0][0]
+            db.export_ca_cert(nickname)
         # Fix the database permissions
         os.chmod(certs.NSS_DIR + "/cert8.db", 0o660)
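Review bot: `db.export_ca_cert(nickname)` is only reached in the new `else` branch; the branch above it (the one ending with `self.__set_mod_nss_nickname(nickname)` and `self.add_cert_to_service()`) skips the export, so a replica installed with a custom server certificate through that path may still hit the missing-file error this patch fixes. Confirm that path creates the file elsewhere or move the export after the if/else. Also, the RuntimeError for `not server_certs` will fire for promoted replicas whose certificate is expected to exist already; naming the database and nickname pattern searched in the message would make that failure diagnosable.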
--
2.7.4
SOURCES/0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch
New file
@@ -0,0 +1,46 @@
From 99c93ce55d740fd8c6901dc3cfa3ecbf71edbff8 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 31 Oct 2016 18:17:35 +0200
Subject: [PATCH] trustdomain-del: fix the way how subdomain is searched
With FreeIPA 4.4 we moved child domains behind the 'trustdomain' topic.
Update 'ipa trustdomain-del' command to properly calculate DN to the
actual child domain and handle the case when it is missing correctly.
Fixes https://fedorahosted.org/freeipa/ticket/6445
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 ipaserver/plugins/trust.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
index 720a45a4d12d59f00e3e63f2b4f62edd45646065..723dba6a26311752ecde8589d22e2911b72e8044 100644
--- a/ipaserver/plugins/trust.py
+++ b/ipaserver/plugins/trust.py
@@ -1614,13 +1614,16 @@ class trustdomain_del(LDAPDelete):
         # to always receive empty keys. We need to catch the case when root domain is being deleted
         for domain in keys[1]:
-            # Fetch the trust to verify that the entered domain is trusted
-            self.api.Command.trust_show(domain)
+            try:
+                self.obj.get_dn_if_exists(keys[0], domain, trust_type=u'ad')
+            except errors.NotFound:
+                if keys[0].lower() == domain:
+                    raise errors.ValidationError(
+                        name='domain',
+                        error=_("cannot delete root domain of the trust, "
+                                "use trust-del to delete the trust itself"))
+                self.obj.handle_not_found(keys[0], domain)
-            if keys[0].lower() == domain:
-                raise errors.ValidationError(name='domain',
-                    error=_("cannot delete root domain of the trust, "
-                            "use trust-del to delete the trust itself"))
             try:
                 res = self.api.Command.trustdomain_enable(keys[0], domain)
             except errors.AlreadyActive:
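Review bot: the root-domain check `keys[0].lower() == domain` lowercases only the trust name; if the user passes the domain in mixed case the branch is skipped and handle_not_found() reports a generic not-found error instead of the specific "cannot delete root domain" message. Comparing against `domain.lower()` (or normalizing the key earlier) keeps the friendlier error reachable regardless of input case.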
--
2.7.4
SOURCES/0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch
New file
@@ -0,0 +1,40 @@
From df19f8d314894b747181c5bb360a79e519065798 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Tue, 1 Nov 2016 11:36:30 +0100
Subject: [PATCH] spec file: bump minimal required version of 389-ds-base
Require 389-ds-base >= 1.3.5.14 for:
https://fedorahosted.org/389/ticket/48992
https://fedorahosted.org/freeipa/ticket/6369
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
 freeipa.spec.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 7456a9ea77ec289312eb11c05709018b3d6d0c90..dba59edc2dc1c6dd12017fbc5c9a6f7bb385e7c3 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -135,7 +135,7 @@ Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipaserver = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.5.6
+Requires: 389-ds-base >= 1.3.5.14
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@@ -167,7 +167,7 @@ Requires: zip
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= 0.78
-Requires(pre): 389-ds-base >= 1.3.5.6
+Requires(pre): 389-ds-base >= 1.3.5.14
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl
--
2.7.4
SOURCES/ipa-centos-branding.patch
File was deleted
SPECS/ipa.spec
@@ -43,7 +43,7 @@
Name:           ipa
Version:        4.4.0
Release:        12%{?dist}
Release:        14%{?dist}
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
@@ -51,10 +51,10 @@
URL:            http://www.freeipa.org/
Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity-Management
#Source1:        header-logo.png
#Source2:        login-screen-background.jpg
#Source3:        login-screen-logo.png
#Source4:        product-name.png
Source1:        header-logo.png
Source2:        login-screen-background.jpg
Source3:        login-screen-logo.png
Source4:        product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity-Management
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
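Review bot: the Source1..Source4 lines appear both commented out and active in this hunk (the rendered diff has lost its +/- markers), and ipa-centos-branding.patch is deleted with Patch1011 removed in a later hunk, so the active Source lines and the matching `cp %SOURCE1..4` lines in the %prep hunk below now carry the CentOS branding. None of the four image files is among the files this import adds, so they must already be present in SOURCES; a spec comment pointing at them would spare the next reviewer the search.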
@@ -193,6 +193,16 @@
Patch0132:      0132-Start-named-during-configuration-upgrade.patch
Patch0133:      0133-Catch-DNS-exceptions-during-emptyzones-named.conf-up.patch
Patch0134:      0134-trust-fetch-domains-contact-forest-DCs-when-fetching.patch
Patch0135:      0135-ipa-passwd-use-correct-normalizer-for-user-principal.patch
Patch0136:      0136-Keep-NSS-trust-flags-of-existing-certificates.patch
Patch0137:      0137-Properly-handle-LDAP-socket-closures-in-ipa-otpd.patch
Patch0138:      0138-cert-add-revocation-reason-back-to-cert-find-output.patch
Patch0139:      0139-Make-httpd-publish-its-CA-certificate-on-DL1.patch
Patch0140:      0140-Add-cert-checks-in-ipa-server-certinstall.patch
Patch0141:      0141-WebUI-services-without-canonical-name-are-shown-corr.patch
Patch0142:      0142-Fix-missing-file-that-fails-DL1-replica-installation.patch
Patch0143:      0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch
Patch0144:      0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch
Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -204,7 +214,6 @@
Patch1008:      1008-RCUE.patch
Patch1009:      1009-Revert-Increased-mod_wsgi-socket-timeout.patch
Patch1010:      1010-WebUI-add-API-browser-is-tech-preview-warning.patch
Patch1011:      ipa-centos-branding.patch
# RHEL spec file only: END
%if ! %{ONLY_CLIENT}
@@ -300,7 +309,7 @@
Requires: %{name}-admintools = %{version}-%{release}
Requires: %{name}-common = %{version}-%{release}
Requires: python2-ipaserver = %{version}-%{release}
Requires: 389-ds-base >= 1.3.5.6
Requires: 389-ds-base >= 1.3.5.10-12
Requires: openldap-clients > 2.4.35-4
Requires: nss >= 3.14.3-12.0
Requires: nss-tools >= 3.14.3-12.0
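Review bot: this hunk requires 389-ds-base >= 1.3.5.10-12, while patch 0144 (applied to freeipa.spec.in) bumps the same requirement to 1.3.5.14; since the package is built from SPECS/ipa.spec, the upstream version in 0144 has no effect here and the build relies on 1.3.5.10-12 carrying the 389 fix referenced there (389 ticket 48992). A comment beside the Requires line recording that mapping would save the next person from chasing the discrepancy; the same applies to the Requires(pre) line in the following hunk.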
@@ -332,7 +341,7 @@
Requires: policycoreutils >= 2.1.14-37
Requires: tar
Requires(pre): certmonger >= 0.78
Requires(pre): 389-ds-base >= 1.3.5.6
Requires(pre): 389-ds-base >= 1.3.5.10-12
Requires: fontawesome-fonts
Requires: open-sans-fonts
Requires: openssl >= 1:1.0.1e-42
@@ -784,10 +793,10 @@
done
# Red Hat's Identity Management branding
#cp %SOURCE1 install/ui/images/header-logo.png
#cp %SOURCE2 install/ui/images/login-screen-background.jpg
#cp %SOURCE3 install/ui/images/login-screen-logo.png
#cp %SOURCE4 install/ui/images/product-name.png
cp %SOURCE1 install/ui/images/header-logo.png
cp %SOURCE2 install/ui/images/login-screen-background.jpg
cp %SOURCE3 install/ui/images/login-screen-logo.png
cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END
@@ -1523,8 +1532,32 @@
%changelog
* Thu Nov 03 2016 CentOS Sources <bugs@centos.org> - 4.4.0-12.el7.centos
- Roll in CentOS Branding
* Tue Nov  1 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14
- Resolves: #1378353 Replica install fails with old IPA master sometimes during
  replication process
  - spec file: bump minimal required version of 389-ds-base
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
  - Fix missing file that fails DL1 replica installation
- Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade
  - WebUI: services without canonical name are shown correctly
- Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run
  - trustdomain-del: fix the way how subdomain is searched
* Mon Oct 31 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-13
- Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca
  - Keep NSS trust flags of existing certificates
- Resolves: #1360813 ipa-server-certinstall does not update all certificate
  stores and doesn't set proper trust permissions
  - Add cert checks in ipa-server-certinstall
- Resolves: #1371479 cert-find --all does not show information about revocation
  - cert: add revocation reason back to cert-find output
- Resolves: #1375133 WinSync users who have First.Last casing creates users who
  can have their password set
  - ipa passwd: use correct normalizer for user principals
- Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers
  - Properly handle LDAP socket closures in ipa-otpd
- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1
  - Make httpd publish its CA certificate on DL1
* Fri Sep 16 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.0-12
- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors.
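Review bot: the changelog keeps a "4.4.0-12.el7.centos - Roll in CentOS Branding" entry above the new 4.4.0-14 entries while Release is bumped to 14 and ipa-centos-branding.patch is deleted; if the branding is now applied through the Source1..4 files, the changelog needs a matching el7.centos entry for this release (or the stale -12 line dropped) so that the changelog head agrees with the Release field.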