CentOS Sources
2017-03-02 ff14fa5fa773ff952717b3f34c10385bc54aab66
import ipa-4.4.0-14.el7_3.6
6 files added
1 files deleted
3 files modified
383 ■■■■ changed files
SOURCES/0153-Set-up-DS-TLS-on-replica-in-CA-less-topology.patch 29 ●●●●● patch | view | raw | blame | history
SOURCES/0154-wait_for_entry-use-only-DN-as-parameter.patch 63 ●●●●● patch | view | raw | blame | history
SOURCES/0155-Wait-until-HTTPS-principal-entry-is-replicated-to-re.patch 45 ●●●●● patch | view | raw | blame | history
SOURCES/0156-Use-proper-logging-for-error-messages.patch 45 ●●●●● patch | view | raw | blame | history
SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch 6 ●●●● patch | view | raw | blame | history
SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch 6 ●●●● patch | view | raw | blame | history
SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch 42 ●●●●● patch | view | raw | blame | history
SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch 63 ●●●●● patch | view | raw | blame | history
SOURCES/ipa-centos-branding.patch 38 ●●●●● patch | view | raw | blame | history
SPECS/ipa.spec 46 ●●●●● patch | view | raw | blame | history
SOURCES/0153-Set-up-DS-TLS-on-replica-in-CA-less-topology.patch
New file
@@ -0,0 +1,29 @@
From 762573b429c4465aabde8d1a7d8b3bdaa1c3b15b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Tue, 20 Dec 2016 23:29:22 +1000
Subject: [PATCH] Set up DS TLS on replica in CA-less topology
Fixes: https://fedorahosted.org/freeipa/ticket/6226
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
---
 ipaserver/install/dsinstance.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index c93b3b4ff58c4102a9de448247966ad3dd8e4e7c..1249a86d2c4c83eb9426885bfed8910aa3274d21 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -382,7 +382,9 @@ class DsInstance(service.Service):
         if self.promote:
             self.step("creating DS keytab", self.__get_ds_keytab)
-            if self.ca_is_configured:
+            if self.pkcs12_info:
+                self.step("configuring ssl for ds instance", self.__enable_ssl)
+            else:
                 self.step("retrieving DS Certificate", self.__get_ds_cert)
             self.step("restarting directory server", self.__restart_instance)
--
2.9.3
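Review bot: The new `else:` schedules `__get_ds_cert` for every promoted replica that has no PKCS#12 bundle, including one where `ca_is_configured` is false, a case the removed `if self.ca_is_configured:` guard excluded. If that combination cannot occur (a CA-less topology always supplies `pkcs12_info`), a one-line comment at the `else:` saying so would make the step list self-explaining; otherwise `elif self.ca_is_configured:` keeps the old guard while still adding the `__enable_ssl` path. The enclosing method starts and ends outside the hunk.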
SOURCES/0154-wait_for_entry-use-only-DN-as-parameter.patch
New file
@@ -0,0 +1,63 @@
From a9a9d67637c394ca1490e8e7df790c06b3480c56 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Wed, 18 Jan 2017 12:55:13 +0100
Subject: [PATCH] wait_for_entry: use only DN as parameter
Using the whole entry is not needed as parameter because only DN is used
and it prevents easier usage of this function
https://fedorahosted.org/freeipa/ticket/6588
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
 ipaserver/install/dogtaginstance.py | 2 +-
 ipaserver/install/replication.py    | 6 ++----
 2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index b65628277d9e361a3ab5674dfd2689e258b1887b..2a2ab6fc7f90514013b5a6f368739c2f1706ed9b 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -470,7 +470,7 @@ class DogtagInstance(service.Service):
                                       port=389,
                                       protocol='ldap')
         master_conn.do_sasl_gssapi_bind()
-        replication.wait_for_entry(master_conn, entry)
+        replication.wait_for_entry(master_conn, entry.dn)
         del master_conn
     def __remove_admin_from_group(self, group):
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index 5f03ddeadfc515255509a1f49d3b38687e561b9f..be4de6dd0037a028bcaf1743be74a80855ba3541 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -150,7 +150,7 @@ def wait_for_task(conn, dn):
     return exit_code
-def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True):
+def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True):
     """Wait for entry and/or attr to show up"""
     filter = "(objectclass=*)"
@@ -160,8 +160,6 @@ def wait_for_entry(connection, entry, timeout=7200, attr='', quiet=True):
         attrlist.append(attr)
     timeout += int(time.time())
-    dn = entry.dn
-
     if not quiet:
         sys.stdout.write("Waiting for %s %s:%s " % (connection, dn, attr))
         sys.stdout.flush()
@@ -732,7 +730,7 @@ class ReplicationManager(object):
             # that we will have to set the memberof fixup task
             self.need_memberof_fixup = True
-        wait_for_entry(a_conn, entry)
+        wait_for_entry(a_conn, entry.dn)
     def needs_memberof_fixup(self):
         return self.need_memberof_fixup
--
2.9.3
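Review bot: The docstring `"""Wait for entry and/or attr to show up"""` is left as it was although the parameter changed from an entry object to a DN, so it should now read something like `"""Wait for the entry at *dn* (and, if given, *attr*) to show up on *connection*."""`. The rename also breaks any caller that passed `entry=` by keyword; the two in-tree callers in this patch are updated positionally, but out-of-tree callers would get a TypeError, which is worth a line in the description. The body of wait_for_entry continues outside both hunks of this file.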
SOURCES/0155-Wait-until-HTTPS-principal-entry-is-replicated-to-re.patch
New file
@@ -0,0 +1,45 @@
From ea3848ae6729fda734ec60167129f4cae5253a44 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Wed, 18 Jan 2017 13:56:24 +0100
Subject: [PATCH] Wait until HTTPS principal entry is replicated to replica
Without HTTP principal the steps later fails.
https://fedorahosted.org/freeipa/ticket/6588
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
 ipaserver/install/server/replicainstall.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index f54ff7da06c57b9c8251429cbdacc5c300805f84..2a1c290351d8ce1dade5eea2f67539659555af2e 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -36,7 +36,7 @@ from ipaserver.install import (
 from ipaserver.install.installutils import (
     create_replica_config, ReplicaConfig, load_pkcs12, is_ipa_configured)
 from ipaserver.install.replication import (
-    ReplicationManager, replica_conn_check)
+    ReplicationManager, replica_conn_check, wait_for_entry)
 import SSSDConfig
 from subprocess import CalledProcessError
 from binascii import hexlify
@@ -86,6 +86,14 @@ def install_http_certs(config, fstore, remote_api):
                                         config.master_host_name,
                                         paths.IPA_KEYTAB,
                                         force_service_add=True)
+    dn = DN(
+        ('krbprincipalname', principal),
+        api.env.container_service, api.env.basedn
+    )
+    conn = ipaldap.IPAdmin(realm=config.realm_name, ldapi=True)
+    conn.do_external_bind()
+    wait_for_entry(conn, dn)
+    conn.unbind()
     # Obtain certificate for the HTTP service
     nssdir = certs.NSS_DIR
--
2.9.3
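Review bot: `conn.unbind()` is skipped if `wait_for_entry` raises, because the new lines open the LDAPI connection without a try/finally; wrapping the wait keeps the connection from leaking on the error path. As far as the hunks on this page show, `wait_for_entry` only logs on timeout (default 7200 s from its signature) and does not raise, so `install_http_certs` would proceed to the certificate request even when the principal never replicated; a comment stating that the wait is best-effort, or a check of its outcome if the function exposes one, would make that explicit. The import hunk adds only `wait_for_entry`, so `DN`, `ipaldap` and `api` are presumably already imported in this module. `install_http_certs` continues outside the hunk.
```python
    conn = ipaldap.IPAdmin(realm=config.realm_name, ldapi=True)
    conn.do_external_bind()
    try:
        wait_for_entry(conn, dn)
    finally:
        conn.unbind()
    # … unchanged: HTTP certificate request …
```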
SOURCES/0156-Use-proper-logging-for-error-messages.patch
New file
@@ -0,0 +1,45 @@
From 999042579802d0443307ed18e8bb0b993c102c95 Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Wed, 18 Jan 2017 17:08:19 +0100
Subject: [PATCH] Use proper logging for error messages
https://fedorahosted.org/freeipa/ticket/6588r
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
 ipaserver/install/replication.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index be4de6dd0037a028bcaf1743be74a80855ba3541..1f437dad4ed850ebfd59fe9f72a5127df8f56f3e 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -171,7 +171,7 @@ def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True):
         except errors.NotFound:
             pass  # no entry yet
         except Exception as e:  # badness
-            print("\nError reading entry", dn, e)
+            root_logger.error("Error reading entry %s: %s", dn, e)
             break
         if not entry:
             if not quiet:
@@ -180,11 +180,13 @@ def wait_for_entry(connection, dn, timeout=7200, attr='', quiet=True):
             time.sleep(1)
     if not entry and int(time.time()) > timeout:
-        print("\nwait_for_entry timeout for %s for %s" % (connection, dn))
+        root_logger.error(
+            "wait_for_entry timeout for %s for %s", connection, dn)
     elif entry and not quiet:
-        print("\nThe waited for entry is:", entry)
+        root_logger.error("The waited for entry is: %s", entry)
     elif not entry:
-        print("\nError: could not read entry %s from %s" % (dn, connection))
+        root_logger.error(
+            "Error: could not read entry %s from %s", dn, connection)
 class ReplicationManager(object):
--
2.9.3
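Review bot: `root_logger.error("The waited for entry is: %s", entry)` sits on the success branch (`elif entry and not quiet:`), so a found entry is now reported at error level; `root_logger.debug(...)` or `info(...)` is the right level there, leaving the timeout and read-failure branches as the only errors. The progress message written with `sys.stdout.write("Waiting for %s %s:%s " ...)` earlier in the function (visible in patch 0154) still goes to stdout, so non-quiet output is now split between stdout and the logger; moving it to the logger as well would keep the function consistent. The enclosing function starts before the first hunk.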
SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch
@@ -1,4 +1,4 @@
From 4651261af43a311d23efa759e61143a6413c5dc5 Mon Sep 17 00:00:00 2001
From 0ae346b514a1bd093c8ae6166f206138a5035efa Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Fri, 5 Sep 2014 11:24:27 +0200
Subject: [PATCH] Hide pkinit functionality from production version
@@ -174,10 +174,10 @@
     subject = Knob(BaseServerCA.subject)
     ca_signing_algorithm = Knob(BaseServerCA.ca_signing_algorithm)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index f54ff7da06c57b9c8251429cbdacc5c300805f84..7695adf0d537237b24660e8871011f04f242e744 100644
index 2a1c290351d8ce1dade5eea2f67539659555af2e..aaa56c4691ae47d764d86b627df913c5e320c411 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1587,7 +1587,6 @@ class Replica(BaseServer):
@@ -1595,7 +1595,6 @@ class Replica(BaseServer):
     mkhomedir = Knob(BaseServer.mkhomedir)
     no_host_dns = Knob(BaseServer.no_host_dns)
     no_ntp = Knob(BaseServer.no_ntp)
SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
From d9499d8d1a40b96e40c956dca25464fc129a9dec Mon Sep 17 00:00:00 2001
From 9095fee099069989d93bcb62a4bf6f8e259e4099 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Fri, 5 Sep 2014 11:46:59 +0200
Subject: [PATCH] Change branding to IPA and Identity Management
@@ -736,10 +736,10 @@
     print("This includes:")
     if setup_ca:
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 7695adf0d537237b24660e8871011f04f242e744..582df08094335554edffaed21bcaf4ab5a74e899 100644
index aaa56c4691ae47d764d86b627df913c5e320c411..ad7164c5e2774e448742e6416e40fe9af2dcac83 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -673,7 +673,7 @@ def install_check(installer):
@@ -681,7 +681,7 @@ def install_check(installer):
         above_upper_bound = current > constants.MAX_DOMAIN_LEVEL
 
         if under_lower_bound or above_upper_bound:
SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
New file
@@ -0,0 +1,42 @@
From e4cee2aa50396b18713092ba7f4a9b4f232a3ea0 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Fri, 13 Jan 2017 20:33:45 +1000
Subject: [PATCH] ca: correctly authorise ca-del, ca-enable and ca-disable
CAs consist of a FreeIPA and a corresponding Dogtag object.  When
executing ca-del, ca-enable and ca-disable, changes are made to the
Dogtag object.  In the case of ca-del, the corresponding FreeIPA
object is deleted after the Dogtag CA is deleted.
These operations were not correctly authorised; the FreeIPA
permissions are not checked before the Dogtag operations are
executed.  This allows any user to delete, enable or disable a
lightweight CA (except the main IPA CA, for which there are
additional check to prevent deletion or disablement).
Add the proper authorisation checks to the ca-del, ca-enable and
ca-disable commands.
---
 ipaserver/plugins/ca.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index 966ae2b1bdb4bb0207dfa58f0e9c951bc930f766..b642a5d1d6e03b415ba562491e8a38569b116563 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -192,6 +192,12 @@ class ca_del(LDAPDelete):
     def pre_callback(self, ldap, dn, *keys, **options):
         ca_enabled_check()
+        # ensure operator has permission to delete CA
+        # before contacting Dogtag
+        if not ldap.can_delete(dn):
+            raise errors.ACIError(info=_(
+                "Insufficient privilege to delete a CA."))
+
         if keys[0] == IPA_CA_CN:
             raise errors.ProtectedEntryError(
                 label=_("CA"),
--
2.9.3
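Review bot: The added `ldap.can_delete(dn)` check covers `ca_del` only, while the subject line and description also name ca-enable and ca-disable and the patch's own diffstat reports just these 6 insertions in ca.py. Either those two commands are already authorised elsewhere in this version or the backport is partial; since the spec changelog ties this patch to CVE-2017-2590, the description should state which, and the coverage of all three commands should be confirmed before shipping. Placing the check ahead of the `IPA_CA_CN` protected-entry test is reasonable, as an unauthorised caller then learns nothing beyond the ACI error. `ca_del.pre_callback` continues below the hunk.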
SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
New file
@@ -0,0 +1,63 @@
From 1de12ed5ec503708454e76227d646e4bd63802f7 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 12 Jan 2017 18:17:15 +0100
Subject: [PATCH] Do not configure PKI ajp redirection to use "::1"
When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
    <Connector port="8009"
            protocol="AJP/1.3"
            redirectPort="8443"
            address="::1" />
ie all requests to port 8009 are redirected to port 8443 on address ::1.
If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica.
Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
redirection with "localhost", FreeIPA does not need any more to override
this setting.
https://fedorahosted.org/freeipa/ticket/6575
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
---
 freeipa.spec.in                 | 4 ++--
 ipaserver/install/cainstance.py | 4 ----
 2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index dba59edc2dc1c6dd12017fbc5c9a6f7bb385e7c3..d5eb76ac3c13fbbfc645bd3e42e72e3e17b4d68c 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -159,8 +159,8 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= %{slapi_nis_version}
-Requires: pki-ca >= 10.3.4
-Requires: pki-kra >= 10.3.4
+Requires: pki-ca >= 10.3.5-11
+Requires: pki-kra >= 10.3.5-11
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: zip
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 6c57aadfcdc2864f8cdc84c16556dce7163737fc..3e0d5fb40356ccf5f8053fb1c8af11c547c4d19c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -577,10 +577,6 @@ class CAInstance(DogtagInstance):
             config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
             config.set("CA", "pki_external_step_two", "True")
-        # PKI IPv6 Configuration
-        config.add_section("Tomcat")
-        config.set("Tomcat", "pki_ajp_host", "::1")
-
         # Generate configuration file
         with open(cfg_file, "wb") as f:
             config.write(f)
--
2.9.3
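Review bot: Dropping the `[Tomcat] pki_ajp_host` block leaves cainstance.py with no record that the AJP address is now deliberately left to PKI's default, which the description says is `localhost` once PKI ticket 2570 is in; a comment at the removed spot such as `# pki_ajp_host is intentionally unset: pki-ca >= 10.3.5-11 defaults the AJP connector to localhost (ticket 6575)` would stop a later maintainer re-adding the `::1` override. The `Requires: pki-ca >= 10.3.5-11` bump in freeipa.spec.in is what makes the removal safe, so the two hunks need to stay paired in any further backport. The enclosing method continues outside the hunk.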
SOURCES/ipa-centos-branding.patch
File was deleted
SPECS/ipa.spec
@@ -43,7 +43,7 @@
Name:           ipa
Version:        4.4.0
Release:        14%{?dist}.4
Release:        14%{?dist}.6
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
@@ -51,10 +51,10 @@
URL:            http://www.freeipa.org/
Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity-Management
#Source1:        header-logo.png
#Source2:        login-screen-background.jpg
#Source3:        login-screen-logo.png
#Source4:        product-name.png
Source1:        header-logo.png
Source2:        login-screen-background.jpg
Source3:        login-screen-logo.png
Source4:        product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity-Management
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -211,6 +211,10 @@
Patch0150:      0150-certprofile-mod-correctly-authorise-config-update.patch
Patch0151:      0151-password-policy-Add-explicit-default-password-policy.patch
Patch0152:      0152-ipa-kdb-search-for-password-policies-globally.patch
Patch0153:      0153-Set-up-DS-TLS-on-replica-in-CA-less-topology.patch
Patch0154:      0154-wait_for_entry-use-only-DN-as-parameter.patch
Patch0155:      0155-Wait-until-HTTPS-principal-entry-is-replicated-to-re.patch
Patch0156:      0156-Use-proper-logging-for-error-messages.patch
Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -222,7 +226,8 @@
Patch1008:      1008-RCUE.patch
Patch1009:      1009-Revert-Increased-mod_wsgi-socket-timeout.patch
Patch1010:      1010-WebUI-add-API-browser-is-tech-preview-warning.patch
Patch1011:      ipa-centos-branding.patch
Patch1011:      1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
Patch1012:      1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
# RHEL spec file only: END
%if ! %{ONLY_CLIENT}
@@ -342,8 +347,8 @@
Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base >= %{selinux_policy_version}
Requires: slapi-nis >= %{slapi_nis_version}
Requires: pki-ca >= 10.3.3-7
Requires: pki-kra >= 10.3.3-7
Requires: pki-ca >= 10.3.3-17
Requires: pki-kra >= 10.3.3-17
Requires(preun): python systemd-units
Requires(postun): python systemd-units
Requires: zip
@@ -802,10 +807,10 @@
done
# Red Hat's Identity Management branding
#cp %SOURCE1 install/ui/images/header-logo.png
#cp %SOURCE2 install/ui/images/login-screen-background.jpg
#cp %SOURCE3 install/ui/images/login-screen-logo.png
#cp %SOURCE4 install/ui/images/product-name.png
cp %SOURCE1 install/ui/images/header-logo.png
cp %SOURCE2 install/ui/images/login-screen-background.jpg
cp %SOURCE3 install/ui/images/login-screen-logo.png
cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END
@@ -1541,8 +1546,21 @@
%changelog
* Tue Jan 17 2017 CentOS Sources <bugs@centos.org> - 4.4.0-14.el7.centos.4
- Roll in CentOS Branding
* Tue Jan 31 2017 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.6
- Resolves: #1416488 replication race condition prevents IPA to install
  - wait_for_entry: use only DN as parameter
  - Wait until HTTPS principal entry is replicated to replica
  - Use proper logging for error messages
* Tue Jan 31 2017 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.5
- Resolves: #1410760 ipa-ca-install fails on replica when IPA Master is
  installed without CA
  - Set up DS TLS on replica in CA-less topology
- Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for
  ca-del, ca-disable and ca-enable commands
  - ca: correctly authorise ca-del, ca-enable and ca-disable
- Resolves: #1416481 IPA replica install fails with dirsrv errors.
  - Do not configure PKI ajp redirection to use "::1"
* Fri Dec 16 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.4
- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
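Review bot: The `Requires: pki-ca >= 10.3.3-17` floor in this spec differs from the `10.3.5-11` floor that the bundled 1012 patch writes into freeipa.spec.in; that is expected for a downstream branch, but nothing on the page records that 10.3.3-17 is the build carrying the AJP default fix (PKI ticket 2570) that patch 1012 relies on. A comment next to the Requires line, e.g. `# 10.3.3-17: AJP connector defaults to localhost, needed by patch 1012`, would document the coupling. The `Patch1011` slot is reassigned from the branding patch to the CVE fix, which is fine only if the patch-apply step applies by name rather than by a fixed list that still references ipa-centos-branding.patch; that step is outside the visible hunks.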