diff --git a/SOURCES/0144-install-fix-command-line-option-validation.patch b/SOURCES/0144-install-fix-command-line-option-validation.patch
new file mode 100644
index 0000000..814b1f4
--- /dev/null
+++ b/SOURCES/0144-install-fix-command-line-option-validation.patch
@@ -0,0 +1,60 @@
+From 4ab54ece01d015f6b4e58542e377f60bc6726815 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta
+Date: Mon, 2 Nov 2015 15:32:35 +0100
+Subject: [PATCH] install: fix command line option validation
+
+The code which calls the validators was accidentally removed, re-add it.
+
+https://fedorahosted.org/freeipa/ticket/5386
+https://fedorahosted.org/freeipa/ticket/5391
+https://fedorahosted.org/freeipa/ticket/5392
+
+Reviewed-By: Martin Babinsky
+---
+ ipapython/install/cli.py | 7 +++++--
+ ipapython/install/core.py | 3 ++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/ipapython/install/cli.py b/ipapython/install/cli.py
+index 1ba9a815c4c499dff0e7974f399f2de31eb932cd..f6cc0fc351fd1f9fc3f51987bbb938deca377fe1 100644
+--- a/ipapython/install/cli.py
++++ b/ipapython/install/cli.py
+@@ -275,7 +275,8 @@ class ConfigureTool(admintool.AdminTool):
+ kwargs = {}
+
+ transformed_cls = self._transform(self.configurable_class)
+- for owner_cls, name in transformed_cls.knobs():
++ knob_classes = {n: getattr(c, n) for c, n in transformed_cls.knobs()}
++ for name in knob_classes:
+ value = getattr(self.options, name, None)
+ if value is not None:
+ kwargs[name] = value
+@@ -287,8 +288,10 @@ class ConfigureTool(admintool.AdminTool):
+ try:
+ cfgr = transformed_cls(**kwargs)
+ except core.KnobValueError as e:
+- knob_cls = getattr(transformed_cls, e.name)
++ knob_cls = knob_classes[e.name]
+ try:
++ if self.positional_arguments is None:
++ raise IndexError
+ index = self.positional_arguments.index(e.name)
+ except IndexError:
+ cli_name = knob_cls.cli_name or e.name.replace('_', '-')
+diff --git a/ipapython/install/core.py b/ipapython/install/core.py
+index c313c278e09cbf68e4f5c4b4c57f00d6e2870bea..91ae854cdb2a8846e2a2673a5bfe54b4f75f3823 100644
+--- a/ipapython/install/core.py
++++ b/ipapython/install/core.py
+@@ -226,7 +226,8 @@ class Configurable(object):
+ except KeyError:
+ pass
+ else:
+- setattr(self, name, value)
++ prop = knob_cls(self)
++ prop.__set__(self, value)
+
+ if kwargs:
+ extra = sorted(kwargs.keys())
+-- 
+2.4.3
+
diff --git a/SOURCES/0145-install-export-KRA-agent-PEM-file-in-ipa-kra-install.patch b/SOURCES/0145-install-export-KRA-agent-PEM-file-in-ipa-kra-install.patch
new file mode 100644
index 0000000..fa18aa2
--- /dev/null
+++ b/SOURCES/0145-install-export-KRA-agent-PEM-file-in-ipa-kra-install.patch
@@ -0,0 +1,28 @@
+From 11856273c3819b58f8b5aa28aab2046ff113ffbe Mon Sep 17 00:00:00 2001
+From: Jan Cholasta
+Date: Thu, 19 Nov 2015 08:50:05 +0100
+Subject: [PATCH] install: export KRA agent PEM file in ipa-kra-install
+
+https://fedorahosted.org/freeipa/ticket/5462
+
+Reviewed-By: Martin Babinsky
+---
+ ipaserver/install/krainstance.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
+index 69fe636732e6d3a8c1e0c460b641f061e519df92..0000192745b6d7f9f402267e435f7223f1bf8849 100644
+--- a/ipaserver/install/krainstance.py
++++ b/ipaserver/install/krainstance.py
+@@ -262,6 +262,8 @@ class KRAInstance(DogtagInstance):
+
+ shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
+
++ export_kra_agent_pem()
++
+ self.log.debug("completed creating KRA instance")
+
+ def __create_kra_agent(self):
+-- 
+2.4.3
+
diff --git a/SOURCES/0146-cert-renewal-make-renewal-of-ipaCert-atomic.patch b/SOURCES/0146-cert-renewal-make-renewal-of-ipaCert-atomic.patch
new file mode 100644
index 0000000..b7e43e9
--- /dev/null
+++ b/SOURCES/0146-cert-renewal-make-renewal-of-ipaCert-atomic.patch
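Review bot: The new guard in cli.py raises `IndexError` when `positional_arguments` is None so that the existing `except IndexError:` is taken, but the lookup it sits next to, `self.positional_arguments.index(e.name)`, raises `ValueError` (not `IndexError`) when the name is absent from a plain list or tuple, so a validation failure on a knob that is not positional would escape as an unhandled ValueError instead of yielding the `option --<cli_name>` description — unless `positional_arguments` is some custom sequence, which the hunk does not show. Dropping the sentinel raise and testing membership first avoids both cases: `positional = self.positional_arguments or ()` / `if e.name in positional: index = positional.index(e.name)` / `else: cli_name = knob_cls.cli_name or e.name.replace('_', '-')`. In core.py, `knob_cls(self)` followed by an explicit `prop.__set__(self, value)` is unusual enough to need a why-comment, e.g. `# go through the knob descriptor so its validator runs; plain setattr bypassed it` — that reading comes from the commit message and should be confirmed against the knob class. Both enclosing methods start before and end after their hunks.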
@@ -0,0 +1,111 @@
+From 09ead70bf9a081d8e2961a83d5dfe64d8f4c0399 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta
+Date: Mon, 9 Nov 2015 10:53:02 +0100
+Subject: [PATCH] cert renewal: make renewal of ipaCert atomic
+
+This prevents errors when renewing other certificates during the renewal of
+ipaCert.
+
+https://fedorahosted.org/freeipa/ticket/5436
+
+Reviewed-By: David Kupka
+---
+ install/restart_scripts/Makefile.am | 1 +
+ install/restart_scripts/renew_ra_cert | 5 ++++-
+ install/restart_scripts/renew_ra_cert_pre | 18 ++++++++++++++++++
+ ipaserver/install/cainstance.py | 2 +-
+ ipaserver/install/server/upgrade.py | 4 ++--
+ 5 files changed, 26 insertions(+), 4 deletions(-)
+ create mode 100755 install/restart_scripts/renew_ra_cert_pre
+
+diff --git a/install/restart_scripts/Makefile.am b/install/restart_scripts/Makefile.am
+index 58057aa3198c892fc8ebb0df403495566ed77d1d..c4bf8195ea85ee0a9dba53fc2581e90c18a9127d 100644
+--- a/install/restart_scripts/Makefile.am
++++ b/install/restart_scripts/Makefile.am
+@@ -7,6 +7,7 @@ app_DATA = \
+ renew_ca_cert \
+ renew_ra_cert \
+ stop_pkicad \
++ renew_ra_cert_pre \
+ $(NULL)
+
+ EXTRA_DIST = \
+diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
+index 3a36f739ae53391e502356f7b6b4fd96a536c3a6..988ada946aed47d1f2b76c1add48ea8c8d64a161 100644
+--- a/install/restart_scripts/renew_ra_cert
++++ b/install/restart_scripts/renew_ra_cert
+@@ -77,8 +77,11 @@ def _main():
+
+
+ def main():
+- with certs.renewal_lock:
++ try:
+ _main()
++ finally:
++ # lock acquired in renew_ra_cert_pre
++ certs.renewal_lock.release('renew_ra_cert')
+
+
+ try:
+diff --git a/install/restart_scripts/renew_ra_cert_pre b/install/restart_scripts/renew_ra_cert_pre
+new file mode 100755
+index 0000000000000000000000000000000000000000..d0f743c099162e4c5afd7d96287e58492246db35
+--- /dev/null
++++ b/install/restart_scripts/renew_ra_cert_pre
+@@ -0,0 +1,18 @@
++#!/usr/bin/python2 -E
++#
++# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
++#
++
++import syslog
++import traceback
++
++from ipaserver.install import certs
++
++
++def main():
++ certs.renewal_lock.acquire('renew_ra_cert')
++
++try:
++ main()
++except Exception:
++ syslog.syslog(syslog.LOG_ERR, traceback.format_exc())
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index dfe023c08c9b8d1b28f1659b7c5a6395f3afe879..d230c9bdcab68f02cce32a2aeb89ca3e2143eefe 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1305,7 +1305,7 @@ class CAInstance(DogtagInstance):
+ pin=None,
+ pinfile=paths.ALIAS_PWDFILE_TXT,
+ secdir=paths.HTTPD_ALIAS_DIR,
+- pre_command=None,
++ pre_command='renew_ra_cert_pre',
+ post_command='renew_ra_cert')
+ except RuntimeError, e:
+ self.log.error(
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index e0a45a097171613397db42e1c035f0d818a3ecf5..c8f744c392c7b859459bda63c1f397226553d4ba 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -799,7 +799,7 @@ def certificate_renewal_update(ca):
+ dogtag_constants = dogtag.configured_constants()
+
+ # bump version when requests is changed
+- version = 3
++ version = 4
+ requests = (
+ (
+ dogtag_constants.ALIAS_DIR,
+@@ -837,7 +837,7 @@ def certificate_renewal_update(ca):
+ paths.HTTPD_ALIAS_DIR,
+ 'ipaCert',
+ 'dogtag-ipa-ca-renew-agent',
+- None,
++ 'renew_ra_cert_pre',
+ 'renew_ra_cert',
+ None,
+ ),
+-- 
+2.4.3
+
diff --git a/SOURCES/0147-suppress-errors-arising-from-adding-existing-LDAP-en.patch b/SOURCES/0147-suppress-errors-arising-from-adding-existing-LDAP-en.patch
new file mode 100644
index 0000000..919da9e
--- /dev/null
+++ b/SOURCES/0147-suppress-errors-arising-from-adding-existing-LDAP-en.patch
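Review bot: In the new `renew_ra_cert_pre` script the `except Exception:` handler only writes the traceback to syslog and then lets the process end with exit status 0, so if `certs.renewal_lock.acquire('renew_ra_cert')` fails the pre-command still reports success and certmonger proceeds with the ipaCert renewal without holding the lock — exactly the overlap this patch is meant to rule out; add `sys.exit(1)` (with `import sys`) after the `syslog.syslog(...)` call so a failed acquire aborts the renewal. The matching `finally:` in `renew_ra_cert` then calls `certs.renewal_lock.release('renew_ra_cert')` unconditionally, so when the pre-command failed, or when the post-command runs without the pre-command having run, it releases a lock that was never taken — whether `release` tolerates that depends on the lock implementation in `certs`, which is not part of this patch. A short comment in the pre script saying that the lock is deliberately left held across certmonger's renewal and released by `renew_ra_cert` would also help, since a reader of this file alone sees an acquire with no release.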
@@ -0,0 +1,73 @@
+From a41ee5aef75e47667defc7b01b89a25309bd4c8d Mon Sep 17 00:00:00 2001
+From: Martin Babinsky
+Date: Thu, 19 Nov 2015 14:33:49 +0100
+Subject: [PATCH] suppress errors arising from adding existing LDAP entries
+ during KRA install
+
+https://fedorahosted.org/freeipa/ticket/5346
+
+Reviewed-By: Jan Cholasta
+---
+ ipaserver/install/krainstance.py | 16 ++++++++++++++--
+ ipaserver/install/service.py | 4 +++-
+ 2 files changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
+index 0000192745b6d7f9f402267e435f7223f1bf8849..a2514debae600bdc46afb92e426a5f616529fde2 100644
+--- a/ipaserver/install/krainstance.py
++++ b/ipaserver/install/krainstance.py
+@@ -47,6 +47,8 @@ from ipapython.ipa_log_manager import log_mgr
+ IPA_KRA_RECORD = "ipa-kra"
+
+
++LDAPMOD_ERR_ALREADY_EXISTS = 68
++
+ class KRAInstance(DogtagInstance):
+ """
+ We assume that the CA has already been installed, and we use the
+@@ -308,8 +310,18 @@ class KRAInstance(DogtagInstance):
+ conn.disconnect()
+
+ def __add_vault_container(self):
+- self._ldap_mod('vault.ldif', {'SUFFIX': self.suffix})
+- self.ldap_disconnect()
++ try:
++ self._ldap_mod('vault.ldif', {'SUFFIX': self.suffix},
++ raise_on_err=True)
++ except ipautil.CalledProcessError as e:
++ if e.returncode == LDAPMOD_ERR_ALREADY_EXISTS:
++ self.log.debug("Vault container already exists")
++ else:
++ self.log.error("Failed to add vault container: {0}".format(e))
++ finally:
++ # we need to disconnect from LDAP, because _ldap_mod() makes the
++ # connection without actually using it
++ self.ldap_disconnect()
+
+ def __apply_updates(self):
+ sub_dict = {
+diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
+index 2f5f565b16b42bf82889f9d32b80cf6fa584d438..597c20a60c712a6e521a7b9471f6732cceb27fe7 100644
+--- a/ipaserver/install/service.py
++++ b/ipaserver/install/service.py
+@@ -155,7 +155,7 @@ class Service(object):
+ self.admin_conn.unbind()
+ self.admin_conn = None
+
+- def _ldap_mod(self, ldif, sub_dict=None):
++ def _ldap_mod(self, ldif, sub_dict=None, raise_on_err=False):
+ pw_name = None
+ fd = None
+ path = ipautil.SHARE_DIR + ldif
+@@ -199,6 +199,8 @@ class Service(object):
+ try:
+ ipautil.run(args, nolog=nologlist)
+ except ipautil.CalledProcessError, e:
++ if raise_on_err:
++ raise
+ root_logger.critical("Failed to load %s: %s" % (ldif, str(e)))
+ finally:
+ if pw_name:
+-- 
+2.4.3
+
diff --git a/SOURCES/0148-fix-caching-in-get_ipa_config.patch b/SOURCES/0148-fix-caching-in-get_ipa_config.patch
new file mode 100644
index 0000000..af0084c
--- /dev/null
+++ b/SOURCES/0148-fix-caching-in-get_ipa_config.patch
@@ -0,0 +1,31 @@
+From 823340f96f16ee7924ba6ce54c8fe43e3ea41469 Mon Sep 17 00:00:00 2001
+From: Martin Basti
+Date: Thu, 19 Nov 2015 13:25:49 +0100
+Subject: [PATCH] fix caching in get_ipa_config
+
+Different opbject types were compared thus always result of comparation
+was False and caching does not work.
+
+https://fedorahosted.org/freeipa/ticket/5463
+
+Reviewed-By: Jan Cholasta
+---
+ ipaserver/plugins/ldap2.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/plugins/ldap2.py b/ipaserver/plugins/ldap2.py
+index deb0592ab68ab8eb712a6d29fdffd8776e2e289a..5d2945f90f54ba2a099271a3715f4f9c14866e97 100644
+--- a/ipaserver/plugins/ldap2.py
++++ b/ipaserver/plugins/ldap2.py
+@@ -204,7 +204,7 @@ class ldap2(CrudBackend, LDAPClient):
+
+ try:
+ config_entry = getattr(context, 'config_entry')
+- if config_entry.conn is self.conn:
++ if config_entry.conn.conn is self.conn:
+ return config_entry
+ except AttributeError:
+ # Not in our context yet
+-- 
+2.4.3
+
diff --git a/SOURCES/0149-client-install-do-not-corrupt-OpenSSH-config-with-Ma.patch b/SOURCES/0149-client-install-do-not-corrupt-OpenSSH-config-with-Ma.patch
new file mode 100644
index 0000000..9513440
--- /dev/null
+++ b/SOURCES/0149-client-install-do-not-corrupt-OpenSSH-config-with-Ma.patch
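Review bot: In `__add_vault_container` the `else:` branch downgrades any `CalledProcessError` other than exit code 68 to `self.log.error(...)` and lets the KRA installation continue without the vault container, which leaves the outcome no better than before, when `_ldap_mod` swallowed the failure itself; since `raise_on_err=True` was added precisely to surface the error, re-raise after logging (a bare `raise` as the last line of the `else:` block) so the installer stops at the real cause rather than failing later. A one-line comment on the constant, e.g. `# ldapmodify exits with the LDAP result code; 68 is entryAlreadyExists`, would document what 68 is being compared against — that is the standard LDAP result code, but the exit-code convention of ldapmodify is not visible here. The new `raise_on_err` parameter of `Service._ldap_mod` also deserves a docstring line stating that it re-raises `ipautil.CalledProcessError` instead of logging it as critical; `_ldap_mod` continues outside both hunks.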
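Review bot: The corrected identity check `config_entry.conn.conn is self.conn` compares one level deeper than before, and nothing in the hunk says what the two `.conn` attributes are, so a reader cannot tell which objects were being mismatched; a comment such as `# config_entry.conn is the ldap2 backend object; its .conn is the raw connection that self.conn refers to` would make the fix self-explaining — that reading is inferred from the commit message and should be confirmed against the type of the cached entry. The enclosing method starts before the hunk.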
@@ -0,0 +1,56 @@
+From 64dc38643ead5cb00f3f42562a92769de10ef7b5 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta
+Date: Fri, 20 Nov 2015 09:35:43 +0100
+Subject: [PATCH] client install: do not corrupt OpenSSH config with Match
+ sections
+
+https://fedorahosted.org/freeipa/ticket/5461
+
+Reviewed-By: Martin Babinsky
+---
+ ipa-client/ipa-install/ipa-client-install | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
+index 793de4fc950ad73b1d88f9ab4bd5178afc8b813d..543c6f027f2312792e7ad33533db8e7c10a3cddb 100755
+--- a/ipa-client/ipa-install/ipa-client-install
++++ b/ipa-client/ipa-install/ipa-client-install
+@@ -1330,6 +1330,7 @@ def change_ssh_config(filename, changes, sections):
+ section_keys = tuple(key.lower() for key in sections)
+
+ lines = []
++ in_section = False
+ for line in f:
+ line = line.rstrip('\n')
+ pline = line.strip()
+@@ -1338,7 +1339,7 @@ def change_ssh_config(filename, changes, sections):
+ continue
+ option = pline.split()[0].lower()
+ if option in section_keys:
+- lines.append(line)
++ in_section = True
+ break
+ if option in change_keys:
+ line = '#' + line
+@@ -1346,6 +1347,9 @@ def change_ssh_config(filename, changes, sections):
+ for option, value in changes.items():
+ if value is not None:
+ lines.append('%s %s' % (option, value))
++ if in_section:
++ lines.append('')
++ lines.append(line)
+ for line in f:
+ line = line.rstrip('\n')
+ lines.append(line)
+@@ -1386,7 +1390,7 @@ def configure_ssh_config(fstore, options):
+ changes['VerifyHostKeyDNS'] = 'yes'
+ changes['HostKeyAlgorithms'] = 'ssh-rsa,ssh-dss'
+
+- change_ssh_config(ssh_config, changes, ['Host'])
++ change_ssh_config(ssh_config, changes, ['Host', 'Match'])
+ root_logger.info('Configured %s', ssh_config)
+
+ def configure_sshd_config(fstore, options):
+-- 
+2.4.3
+
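Review bot: The section header that ends the scan is now held back in `line` and re-emitted after the inserted options, but nothing in `change_ssh_config` says why; a comment before `if in_section:` such as `# the Host/Match line that stopped the scan must follow the inserted options, otherwise they would apply only to that section instead of globally` would make the purpose of the `in_section` flag clear to the next reader. With the flag, the `break` and the trailing `for line in f:` drain loop, the function is doing three things (comment out old options, insert new ones, copy the tail) and would read more easily split that way, though it starts and ends outside these hunks. The behavioural fix is `change_ssh_config(ssh_config, changes, ['Host', 'Match'])`; a test using a config whose first section is a `Match` block would pin it.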
diff --git a/SOURCES/0150-upgrade-fix-migration-of-old-dns-forward-zones.patch b/SOURCES/0150-upgrade-fix-migration-of-old-dns-forward-zones.patch
new file mode 100644
index 0000000..d5bf1d4
--- /dev/null
+++ b/SOURCES/0150-upgrade-fix-migration-of-old-dns-forward-zones.patch
@@ -0,0 +1,221 @@
+From 7623bc99813156ce11167ae429a756f920258151 Mon Sep 17 00:00:00 2001
+From: Martin Basti
+Date: Fri, 20 Nov 2015 11:53:06 +0100
+Subject: [PATCH] upgrade: fix migration of old dns forward zones
+
+Plugins should call self.api not the global one during upgrade
+
+https://fedorahosted.org/freeipa/ticket/5472
+
+Reviewed-By: Petr Spacek
+---
+ ipalib/plugins/dns.py | 51 +++++++++++++++++++++++++++------------------------
+ 1 file changed, 27 insertions(+), 24 deletions(-)
+
+diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
+index a3d562edb186682a872073e6c83a416b6a4cbc09..37a2c64cbacae5cc5626f17fac68848768af3242 100644
+--- a/ipalib/plugins/dns.py
++++ b/ipalib/plugins/dns.py
+@@ -1735,7 +1735,7 @@ def _normalize_zone(zone):
+ return zone
+
+
+-def _get_auth_zone_ldap(name):
++def _get_auth_zone_ldap(api, name):
+ """
+ Find authoritative zone in LDAP for name. Only active zones are considered.
+ :param name:
+@@ -1781,7 +1781,7 @@ def _get_auth_zone_ldap(name):
+ return max(matched_auth_zones, key=len), truncated
+
+
+-def _get_longest_match_ns_delegation_ldap(zone, name):
++def _get_longest_match_ns_delegation_ldap(api, zone, name):
+ """
+ Searches for deepest delegation for name in LDAP zone.
+
+@@ -1857,7 +1857,7 @@ def _get_longest_match_ns_delegation_ldap(zone, name):
+ return max(matched_records, key=len), truncated
+
+
+-def _find_subtree_forward_zones_ldap(name, child_zones_only=False):
++def _find_subtree_forward_zones_ldap(api, name, child_zones_only=False):
+ """
+ Search for forwardzone and all child forwardzones
+ Filter: (|(*..)(.))
+@@ -1911,7 +1911,7 @@ def _find_subtree_forward_zones_ldap(name, child_zones_only=False):
+ return result, truncated
+
+
+-def _get_zone_which_makes_fw_zone_ineffective(fwzonename):
++def _get_zone_which_makes_fw_zone_ineffective(api, fwzonename):
+ """
+ Check if forward zone is effective.
+
+@@ -1936,12 +1936,12 @@ def _get_zone_which_makes_fw_zone_ineffective(fwzonename):
+ """
+ assert isinstance(fwzonename, DNSName)
+
+- auth_zone, truncated_zone = _get_auth_zone_ldap(fwzonename)
++ auth_zone, truncated_zone = _get_auth_zone_ldap(api, fwzonename)
+ if not auth_zone:
+ return None, truncated_zone
+
+ delegation_record_name, truncated_ns =\
+- _get_longest_match_ns_delegation_ldap(auth_zone, fwzonename)
++ _get_longest_match_ns_delegation_ldap(api, auth_zone, fwzonename)
+
+ truncated = truncated_ns or truncated_zone
+
+@@ -1951,12 +1951,12 @@ def _get_zone_which_makes_fw_zone_ineffective(fwzonename):
+ return auth_zone, truncated
+
+
+-def _add_warning_fw_zone_is_not_effective(result, fwzone, version):
++def _add_warning_fw_zone_is_not_effective(api, result, fwzone, version):
+ """
+ Adds warning message to result, if required
+ """
+ authoritative_zone, truncated = \
+- _get_zone_which_makes_fw_zone_ineffective(fwzone)
++ _get_zone_which_makes_fw_zone_ineffective(api, fwzone)
+ if authoritative_zone:
+ # forward zone is not effective and forwarding will not work
+ messages.add_message(
+@@ -2072,7 +2072,7 @@ class DNSZoneBase(LDAPObject):
+ def _remove_permission(self, zone):
+ permission_name = self.permission_name(zone)
+ try:
+- api.Command['permission_del'](permission_name, force=True)
++ self.api.Command['permission_del'](permission_name, force=True)
+ except errors.NotFound, e:
+ if zone == DNSName.root: # special case root zone
+ raise
+@@ -2082,7 +2082,8 @@ class DNSZoneBase(LDAPObject):
+ zone.relativize(DNSName.root)
+ )
+ try:
+- api.Command['permission_del'](permission_name_rel, force=True)
++ self.api.Command['permission_del'](permission_name_rel,
++ force=True)
+ except errors.NotFound:
+ raise e # re-raise original exception
+
+@@ -2272,7 +2273,8 @@ class DNSZoneBase_add_permission(LDAPQuery):
+ keys[-1].relativize(DNSName.root)
+ )
+ try:
+- api.Object['permission'].get_dn_if_exists(permission_name_rel)
++ self.api.Object['permission'].get_dn_if_exists(
++ permission_name_rel)
+ except errors.NotFound:
+ pass
+ else:
+@@ -2283,7 +2285,7 @@ class DNSZoneBase_add_permission(LDAPQuery):
+ }
+ )
+
+- permission = api.Command['permission_add_noaci'](permission_name,
++ permission = self.api.Command['permission_add_noaci'](permission_name,
+ ipapermissiontype=u'SYSTEM'
+ )['result']
+
+@@ -2643,12 +2645,12 @@ class dnszone(DNSZoneBase):
+ """
+ zone = keys[-1]
+ affected_fw_zones, truncated = _find_subtree_forward_zones_ldap(
+- zone, child_zones_only=True)
++ self.api, zone, child_zones_only=True)
+ if not affected_fw_zones:
+ return
+
+ for fwzone in affected_fw_zones:
+- _add_warning_fw_zone_is_not_effective(result, fwzone,
++ _add_warning_fw_zone_is_not_effective(self.api, result, fwzone,
+ options['version'])
+
+
+@@ -2686,7 +2688,8 @@ class dnszone_add(DNSZoneBase_add):
+ dn = super(dnszone_add, self).pre_callback(
+ ldap, dn, entry_attrs, attrs_list, *keys, **options)
+
+- nameservers = [normalize_zone(x) for x in api.Object.dnsrecord.get_dns_masters()]
++ nameservers = [normalize_zone(x) for x in
++ self.api.Object.dnsrecord.get_dns_masters()]
+ server = normalize_zone(api.env.host)
+ zone = keys[-1]
+
+@@ -2735,7 +2738,7 @@ class dnszone_add(DNSZoneBase_add):
+ not zone.is_reverse() and
+ zone != DNSName.root):
+ try:
+- api.Command['realmdomains_mod'](add_domain=unicode(zone),
++ self.api.Command['realmdomains_mod'](add_domain=unicode(zone),
+ force=True)
+ except (errors.EmptyModlist, errors.ValidationError):
+ pass
+@@ -2769,8 +2772,8 @@ class dnszone_del(DNSZoneBase_del):
+ not zone.is_reverse() and zone != DNSName.root
+ ):
+ try:
+- api.Command['realmdomains_mod'](del_domain=unicode(zone),
+- force=True)
++ self.api.Command['realmdomains_mod'](
++ del_domain=unicode(zone), force=True)
+ except (errors.AttrValueNotFound, errors.ValidationError):
+ pass
+
+@@ -3476,12 +3479,12 @@ class dnsrecord(LDAPObject):
+ record_name_absolute = record_name_absolute.derelativize(zone)
+
+ affected_fw_zones, truncated = _find_subtree_forward_zones_ldap(
+- record_name_absolute)
++ self.api, record_name_absolute)
+ if not affected_fw_zones:
+ return
+
+ for fwzone in affected_fw_zones:
+- _add_warning_fw_zone_is_not_effective(result, fwzone,
++ _add_warning_fw_zone_is_not_effective(self.api, result, fwzone,
+ options['version'])
+
+
+@@ -3831,7 +3834,7 @@ class dnsrecord_mod(LDAPUpdate):
+
+ # get DNS record first so that the NotFound exception is raised
+ # before the helper would start
+- dns_record = api.Command['dnsrecord_show'](kw['dnszoneidnsname'], kw['idnsname'])['result']
++ dns_record = self.api.Command['dnsrecord_show'](kw['dnszoneidnsname'], kw['idnsname'])['result']
+ rec_types = [rec_type for rec_type in dns_record if rec_type in _record_attributes]
+
+ self.Backend.textui.print_plain(_("No option to modify specific record provided."))
+@@ -4019,7 +4022,7 @@ class dnsrecord_del(LDAPUpdate):
+
+ # get DNS record first so that the NotFound exception is raised
+ # before the helper would start
+- dns_record = api.Command['dnsrecord_show'](kw['dnszoneidnsname'], kw['idnsname'])['result']
++ dns_record = self.api.Command['dnsrecord_show'](kw['dnszoneidnsname'], kw['idnsname'])['result']
+ rec_types = [rec_type for rec_type in dns_record if rec_type in _record_attributes]
+
+ self.Backend.textui.print_plain(_("No option to delete specific record provided."))
+@@ -4334,7 +4337,7 @@ class dnsforwardzone(DNSZoneBase):
+
+ def _warning_fw_zone_is_not_effective(self, result, *keys, **options):
+ fwzone = keys[-1]
+- _add_warning_fw_zone_is_not_effective(result, fwzone,
++ _add_warning_fw_zone_is_not_effective(self.api, result, fwzone,
+ options['version'])
+
+ def _warning_if_forwarders_do_not_work(self, result, new_zone,
+@@ -4374,7 +4377,7 @@ class dnsforwardzone(DNSZoneBase):
+ # validation is configured just in named.conf per replica
+
+ ipa_dns_masters = [normalize_zone(x) for x in
+- api.Object.dnsrecord.get_dns_masters()]
++ self.api.Object.dnsrecord.get_dns_masters()]
+
+ if not ipa_dns_masters:
+ # something very bad happened, DNS is installed, but no IPA DNS
+-- 
+2.4.3
+
diff --git a/SOURCES/0151-TLS-and-Dogtag-HTTPS-request-logging-improvements.patch b/SOURCES/0151-TLS-and-Dogtag-HTTPS-request-logging-improvements.patch
new file mode 100644
index 0000000..43f99b9
--- /dev/null
+++ b/SOURCES/0151-TLS-and-Dogtag-HTTPS-request-logging-improvements.patch
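Review bot: The module-level helpers `_get_auth_zone_ldap`, `_get_longest_match_ns_delegation_ldap`, `_find_subtree_forward_zones_ldap`, `_get_zone_which_makes_fw_zone_ineffective` and `_add_warning_fw_zone_is_not_effective` gain an `api` parameter that shadows the module-level `api`, but their docstrings still describe only the original parameters (e.g. `:param name:`); add `:param api: API instance to use (the calling plugin's self.api rather than the module-level api, so the code also works during upgrade)` to each, since the shadowing is easy to misread as a no-op. In `dnszone_add.pre_callback` the context line `server = normalize_zone(api.env.host)` still reads the module-level `api` while the `nameservers` line just above it now uses `self.api`; presumably harmless because `env` is shared, but it is the one remaining global reference in the touched code and worth confirming given the commit's stated intent. Several of the changed functions start before or end after their hunks.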
@@ -0,0 +1,62 @@
+From c54278c3c90bb5999e1b7c2ed745f6f2b2a83d19 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Fri, 20 Nov 2015 15:39:00 +1100
+Subject: [PATCH] TLS and Dogtag HTTPS request logging improvements
+
+Pretty printing the TLS peer certificate to logs on every request
+introduces a lot of noise; do not log it (subject name, key usage
+and validity are still logged).
+
+Fix and tidy up some HTTP logging messages for Dogtag requests.
+
+Part of: https://fedorahosted.org/freeipa/ticket/5269
+
+Reviewed-By: Jan Cholasta
+---
+ ipapython/dogtag.py | 9 ++++-----
+ ipapython/nsslib.py | 3 ---
+ 2 files changed, 4 insertions(+), 8 deletions(-)
+
+diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
+index 3f0d08154d21a3072e344c311c3e70e414d9dee4..26b2de6ca77202fa9ccc61ee16ed7623e10ecb5f 100644
+--- a/ipapython/dogtag.py
++++ b/ipapython/dogtag.py
+@@ -314,7 +314,7 @@ def _httplib_request(
+ if isinstance(host, unicode):
+ host = host.encode('utf-8')
+ uri = '%s://%s%s' % (protocol, ipautil.format_netloc(host, port), path)
+- root_logger.debug('request %r', uri)
++ root_logger.debug('request %s %s', method, uri)
+ root_logger.debug('request body %r', request_body)
+
+ headers = headers or {}
+@@ -337,9 +337,8 @@ def _httplib_request(
+ except Exception, e:
+ raise NetworkError(uri=uri, error=str(e))
+
+- root_logger.debug('request status %d', http_status)
+- root_logger.debug('request reason_phrase %r', http_reason_phrase)
+- root_logger.debug('request headers %s', http_headers)
+- root_logger.debug('request body %r', http_body)
++ root_logger.debug('response status %d %s', http_status, http_reason_phrase)
++ root_logger.debug('response headers %s', http_headers)
++ root_logger.debug('response body %r', http_body)
+
+ return http_status, http_reason_phrase, http_headers, http_body
+diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
+index def6b104e18fa67268a8c5a8629b533783fb5a95..79b8dc5be6a26cd6136ac62a4fa49572d765a9a0 100644
+--- a/ipapython/nsslib.py
++++ b/ipapython/nsslib.py
+@@ -39,9 +39,6 @@ def auth_certificate_callback(sock, check_sig, is_server, certdb):
+
+ cert = sock.get_peer_certificate()
+
+- root_logger.debug("auth_certificate_callback: check_sig=%s is_server=%s\n%s",
+- check_sig, is_server, str(cert))
+-
+ pin_args = sock.get_pkcs11_pin_arg()
+ if pin_args is None:
+ pin_args = ()
+-- 
+2.4.3
+
diff --git a/SOURCES/0152-Avoid-race-condition-caused-by-profile-delete-and-re.patch b/SOURCES/0152-Avoid-race-condition-caused-by-profile-delete-and-re.patch
new file mode 100644
index 0000000..45b175c
--- /dev/null
+++ b/SOURCES/0152-Avoid-race-condition-caused-by-profile-delete-and-re.patch
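Review bot: `root_logger.debug('response body %r', http_body)` (and the pre-existing `request body %r` line above it) still writes every Dogtag message body to the log in full at DEBUG level, so the noise removed from `auth_certificate_callback` comes back whenever debug logging is on, and if any endpoint reached through `_httplib_request` carries sensitive material the body lands in the log verbatim — the hunk does not show which callers exist, so treat that as a point to confirm. Logging only the length, or a bounded prefix such as `root_logger.debug('response body %r', http_body[:512])`, keeps the diagnostic value without that exposure. `_httplib_request` starts before the first hunk.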
@@ -0,0 +1,38 @@
+From 08d26c374ae6198b5a1ec59556ca8814329b845f Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Fri, 20 Nov 2015 15:59:11 +1100
+Subject: [PATCH] Avoid race condition caused by profile delete and recreate
+
+When importing IPA-managed certificate profiles into Dogtag,
+profiles with the same name (usually caIPAserviceCert) are removed,
+then immediately recreated with the new profile data. This causes a
+race condition - Dogtag's LDAPProfileSystem profileChangeMonitor
+thread could observe and process the deletion after the profile was
+recreated, disappearing it again.
+
+Update the profile instead of deleting and recreating it to avoid
+this race condition.
+
+Fixes: https://fedorahosted.org/freeipa/ticket/5269
+Reviewed-By: Jan Cholasta
+---
+ ipaserver/install/cainstance.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index d230c9bdcab68f02cce32a2aeb89ca3e2143eefe..3e3dce93de2b8ca48a3fe3ea5994ee92a1b0ce49 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1812,8 +1812,7 @@ def _create_dogtag_profile(profile_id, profile_data):
+ root_logger.debug(
+ "Failed to disable profile '%s' "
+ "(it is probably already disabled)")
+- profile_api.delete_profile(profile_id)
+- profile_api.create_profile(profile_data)
++ profile_api.update_profile(profile_id, profile_data)
+
+ # enable the profile
+ try:
+-- 
+2.4.3
+
diff --git a/SOURCES/0153-ipa-cacert-renew-Fix-connection-to-ldap.patch b/SOURCES/0153-ipa-cacert-renew-Fix-connection-to-ldap.patch
new file mode 100644
index 0000000..f686c28
--- /dev/null
+++ b/SOURCES/0153-ipa-cacert-renew-Fix-connection-to-ldap.patch
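Review bot: `profile_api.update_profile(profile_id, profile_data)` replaces the delete-then-create pair, so the case where the profile does not exist yet (previously covered by `create_profile`) is now handled only if `update_profile` creates on a miss; nothing in the hunk shows that, so either confirm it or keep a create fallback by catching the not-found error from `update_profile` and calling `profile_api.create_profile(profile_data)`. Two lines above, `root_logger.debug("Failed to disable profile '%s' " "(it is probably already disabled)")` has a `%s` placeholder with no argument, so the logging module will report a formatting error instead of emitting the message; pass `profile_id` as the second argument. `_create_dogtag_profile` starts before the hunk.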
@@ -0,0 +1,117 @@
+From 87f6b21c9bc837cf90fc8b9d0708aeff060e48f3 Mon Sep 17 00:00:00 2001
+From: David Kupka
+Date: Mon, 23 Nov 2015 06:38:17 +0000
+Subject: [PATCH] ipa-cacert-renew: Fix connection to ldap.
+
+https://fedorahosted.org/freeipa/ticket/5468
+
+Reviewed-By: Jan Cholasta
+---
+ ipaserver/install/ipa_cacert_manage.py | 32 ++++++++++++++------------------
+ 1 file changed, 14 insertions(+), 18 deletions(-)
+
+diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
+index 01ec805fc2094326d119827b4358c143f45f3ec4..8790b7066d7641864f8d83c6339cd0a73c620be0 100644
+--- a/ipaserver/install/ipa_cacert_manage.py
++++ b/ipaserver/install/ipa_cacert_manage.py
+@@ -105,9 +105,7 @@ class CACertManage(admintool.AdminTool):
+
+ if ((command == 'renew' and options.external_cert_files) or
+ command == 'install'):
+- self.conn = self.ldap_connect()
+- else:
+- self.conn = None
++ self.ldap_connect()
+
+ try:
+ if command == 'renew':
+@@ -115,23 +113,21 @@ class CACertManage(admintool.AdminTool):
+ elif command == 'install':
+ rc = self.install()
+ finally:
+- if self.conn is not None:
+- self.conn.disconnect()
++ if api.Backend.ldap2.isconnected():
++ api.Backend.ldap2.disconnect()
+
+ return rc
+
+ def ldap_connect(self):
+- conn = ldap2(api)
+-
+ password = self.options.password
+ if not password:
+ try:
+ ccache = krbV.default_context().default_ccache()
+- conn.connect(ccache=ccache)
++ api.Backend.ldap2.connect(ccache=ccache)
+ except (krbV.Krb5Error, errors.ACIError):
+ pass
+ else:
+- return conn
++ return
+
+ password = installutils.read_password(
+ "Directory Manager", confirm=False, validate=False)
+@@ -139,9 +135,8 @@ class CACertManage(admintool.AdminTool):
+ raise admintool.ScriptError(
+ "Directory Manager password required")
+
+- conn.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password)
++ api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=password)
+
+- return conn
+
+ def renew(self):
+ ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR)
+@@ -202,9 +197,10 @@ class CACertManage(admintool.AdminTool):
+ "--external-cert-file=/path/to/external_ca_certificate")
+
+ def renew_external_step_2(self, ca, old_cert):
+- print "Importing the renewed CA certificate, please wait"
++ print("Importing the renewed CA certificate, please wait")
+
+ options = self.options
++ conn = api.Backend.ldap2
+ cert_file, ca_file = installutils.load_external_cert(
+ options.external_cert_files, x509.subject_base())
+
+@@ -273,21 +269,21 @@ class CACertManage(admintool.AdminTool):
+ except RuntimeError:
+ break
+ certstore.put_ca_cert_nss(
+- self.conn, api.env.basedn, ca_cert, nickname, ',,')
++ conn, api.env.basedn, ca_cert, nickname, ',,')
+
+ dn = DN(('cn', self.cert_nickname), ('cn', 'ca_renewal'),
+ ('cn', 'ipa'), ('cn', 'etc'), api.env.basedn)
+ try:
+- entry = self.conn.get_entry(dn, ['usercertificate'])
++ entry = conn.get_entry(dn, ['usercertificate'])
+ entry['usercertificate'] = [cert]
+- self.conn.update_entry(entry)
++ conn.update_entry(entry)
+ except errors.NotFound:
+- entry = self.conn.make_entry(
++ entry = conn.make_entry(
+ dn,
+ objectclass=['top', 'pkiuser', 'nscontainer'],
+ cn=[self.cert_nickname],
+ usercertificate=[cert])
+- self.conn.add_entry(entry)
++ conn.add_entry(entry)
+ except errors.EmptyModlist:
+ pass
+
+@@ -362,7 +358,7 @@ class CACertManage(admintool.AdminTool):
+
+ try:
+ certstore.put_ca_cert_nss(
+- self.conn, api.env.basedn, cert, nickname, trust_flags)
++ api.Backend.ldap2, api.env.basedn, cert, nickname, trust_flags)
+ except ValueError, e:
+ raise admintool.ScriptError(
+ "Failed to install the certificate: %s" % e)
+-- 
+2.4.3
+
diff --git a/SOURCES/0154-ipa-otptoken-import-Fix-connection-to-ldap.patch b/SOURCES/0154-ipa-otptoken-import-Fix-connection-to-ldap.patch
new file mode 100644
index 0000000..f47d768
--- /dev/null
+++ b/SOURCES/0154-ipa-otptoken-import-Fix-connection-to-ldap.patch
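Review bot: In `ldap_connect` the `except (krbV.Krb5Error, errors.ACIError): pass` around the new `api.Backend.ldap2.connect(ccache=ccache)` silently falls through to an interactive Directory Manager prompt, so an operator whose ticket has expired or lacks rights is asked for a password with no indication why; `self.log.debug("Kerberos bind failed, falling back to Directory Manager bind")` in place of the bare `pass` would make that diagnosable. `ldap_connect` now returns None on both paths and leaves the connection on the shared `api.Backend.ldap2`, closed by the `finally:` in the first hunk, which is worth a one-line docstring since the old return value was the caller's handle. The last hunk passes `api.Backend.ldap2` directly while `renew_external_step_2` aliases it as `conn`; using one form in both places would read more consistently.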
@@ -0,0 +1,40 @@
+From 23adad20399216198b34d9eadaf53b95f755d0be Mon Sep 17 00:00:00 2001
+From: David Kupka
+Date: Mon, 23 Nov 2015 07:48:40 +0000
+Subject: [PATCH] ipa-otptoken-import: Fix connection to ldap.
+
+https://fedorahosted.org/freeipa/ticket/5475
+
+Reviewed-By: Jan Cholasta
+---
+ ipaserver/install/ipa_otptoken_import.py | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
+index 386ca4273c413d9f6a121956d0db3f0c44fe5c24..9be44cfe677a7d33ce3ec7725e23fdbf8141190a 100644
+--- a/ipaserver/install/ipa_otptoken_import.py
++++ b/ipaserver/install/ipa_otptoken_import.py
+@@ -507,10 +507,9 @@ class OTPTokenImport(admintool.AdminTool):
+ api.bootstrap(in_server=True)
+ api.finalize()
+
+- conn = ldap2(api)
+ try:
+ ccache = krbV.default_context().default_ccache()
+- conn.connect(ccache=ccache)
++ api.Backend.ldap2.connect(ccache=ccache)
+ except (krbV.Krb5Error, errors.ACIError):
+ raise admintool.ScriptError("Unable to connect to LDAP! Did you kinit?")
+
+@@ -525,7 +524,7 @@ class OTPTokenImport(admintool.AdminTool):
+ self.log.info("Added token: %s", keypkg.id)
+ keypkg.remove()
+ finally:
+- conn.disconnect()
++ api.Backend.ldap2.disconnect()
+
+ # Write out the XML file without the tokens that succeeded.
+ self.doc.save(self.output)
+-- 
+2.4.3
+
diff --git a/SOURCES/0155-Do-not-erroneously-reinit-NSS-in-Dogtag-interface.patch b/SOURCES/0155-Do-not-erroneously-reinit-NSS-in-Dogtag-interface.patch
new file mode 100644
index 0000000..2120e45
--- /dev/null
+++ b/SOURCES/0155-Do-not-erroneously-reinit-NSS-in-Dogtag-interface.patch
@@ -0,0 +1,33 @@ +From b5aec7bdc5a164133b247925c41d1d41e29a63e5 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Mon, 23 Nov 2015 12:09:32 +1100 +Subject: [PATCH] Do not erroneously reinit NSS in Dogtag interface + +The Dogtag interface always attempts to (re)init NSS, which can fail +with SEC_ERROR_BUSY. Do not reinitialise NSS when it has already +been initialised with the given dbdir. + +Part of: https://fedorahosted.org/freeipa/ticket/5459 + +Reviewed-By: Jan Cholasta +--- + ipapython/dogtag.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py +index 26b2de6ca77202fa9ccc61ee16ed7623e10ecb5f..8996902ba92f0fdd6106e2650c2decde375c593b 100644 +--- a/ipapython/dogtag.py ++++ b/ipapython/dogtag.py +@@ -255,7 +255,8 @@ def https_request(host, port, url, secdir, password, nickname, + """ + + def connection_factory(host, port): +- conn = nsslib.NSSConnection(host, port, dbdir=secdir, ++ no_init = secdir == nsslib.current_dbdir ++ conn = nsslib.NSSConnection(host, port, dbdir=secdir, no_init=no_init, + tls_version_min=api.env.tls_version_min, + tls_version_max=api.env.tls_version_max) + conn.set_debuglevel(0) +-- +2.4.3 + diff --git a/SOURCES/0156-Add-profiles-and-default-CA-ACL-on-migration.patch b/SOURCES/0156-Add-profiles-and-default-CA-ACL-on-migration.patch new file mode 100644 index 0000000..a3f99a6 --- /dev/null +++ b/SOURCES/0156-Add-profiles-and-default-CA-ACL-on-migration.patch 
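Review bot: `no_init = secdir == nsslib.current_dbdir` decides whether NSS initialisation is skipped by plain string comparison, so two spellings of the same directory (trailing slash, symlink) would still trigger the re-init and the SEC_ERROR_BUSY the commit is avoiding, and the check also relies on `nsslib.current_dbdir` being kept accurate whenever NSS is shut down elsewhere — presumably it is, but worth confirming. Normalising both sides before comparing (e.g. with `os.path.realpath`, guarding a `None` `current_dbdir`) would make the test robust, and a comment above the line such as `# NSS is already initialised for this dbdir; a second init fails with SEC_ERROR_BUSY` would tell the next reader why init is conditional. `connection_factory` is nested in `https_request`, whose body starts outside the hunk.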
@@ -0,0 +1,381 @@ +From 5fb869896c9ed6327f5f004022cdee42f758f78c Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Mon, 23 Nov 2015 12:09:32 +1100 +Subject: [PATCH] Add profiles and default CA ACL on migration + +Profiles and the default CA ACL were not being added during replica +install from pre-4.2 servers. Update ipa-replica-install to add +these if they are missing. + +Also update the caacl plugin to prevent deletion of the default CA +ACL and instruct the administrator to disable it instead. + +To ensure that the cainstance installation can add profiles, supply +the RA certificate as part of the instance configuration. +Certmonger renewal setup is avoided at this point because the NSSDB +gets reinitialised later in installation procedure. + +Also move the addition of the default CA ACL from dsinstance +installation to cainstance installation. + +Fixes: https://fedorahosted.org/freeipa/ticket/5459 +Reviewed-By: Jan Cholasta +--- + install/share/Makefile.am | 1 - + install/share/default-caacl.ldif | 11 --- + install/updates/50-dogtag10-migration.update | 1 + + ipalib/plugins/caacl.py | 8 +++ + ipaserver/install/ca.py | 5 +- + ipaserver/install/cainstance.py | 100 ++++++++++++++++++++------- + ipaserver/install/dsinstance.py | 4 -- + ipaserver/install/server/replicainstall.py | 3 + + ipaserver/install/server/upgrade.py | 13 +--- + 9 files changed, 90 insertions(+), 56 deletions(-) + delete mode 100644 install/share/default-caacl.ldif + +diff --git a/install/share/Makefile.am b/install/share/Makefile.am +index d68c40e693a1d86c70d8ccd81ef2c915b2e1f61e..e4cca8708ab0042d6cb37eba31341e53e3cdac4d 100644 +--- a/install/share/Makefile.am ++++ b/install/share/Makefile.am +@@ -29,7 +29,6 @@ app_DATA = \ + bootstrap-template.ldif \ + caJarSigningCert.cfg.template \ + default-aci.ldif \ +- default-caacl.ldif \ + default-hbac.ldif \ + default-smb-group.ldif \ + default-trust-view.ldif \ +diff --git a/install/share/default-caacl.ldif b/install/share/default-caacl.ldif 
+deleted file mode 100644 +index f3cd5b4d4e3a79bc6638dc1ffdd7028596ded254..0000000000000000000000000000000000000000 +--- a/install/share/default-caacl.ldif ++++ /dev/null +@@ -1,11 +0,0 @@ +-# default CA ACL that grants use of caIPAserviceCert on top-level CA to all hosts and services +-dn: ipauniqueid=autogenerate,cn=caacls,cn=ca,$SUFFIX +-changetype: add +-objectclass: ipaassociation +-objectclass: ipacaacl +-ipauniqueid: autogenerate +-cn: hosts_services_caIPAserviceCert +-ipaenabledflag: TRUE +-ipamembercertprofile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,$SUFFIX +-hostcategory: all +-servicecategory: all +diff --git a/install/updates/50-dogtag10-migration.update b/install/updates/50-dogtag10-migration.update +index 2ab9d15bd220540dbc6b3fcd7928fc15c42caf80..0070c308aefc39aa4c27a046d185ce6d268e6270 100644 +--- a/install/updates/50-dogtag10-migration.update ++++ b/install/updates/50-dogtag10-migration.update +@@ -16,3 +16,4 @@ addifexist:resourceACLS:certServer.ca.groups:execute:allow (execute) group="Admi + addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations + replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml + replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA 
Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information ++addifexist:resourceACLS:certServer.profile.configuration:read,modify:allow (read,modify) group="Certificate Manager Agents":Certificate Manager agents may modify (create/update/delete) and read profiles +diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py +index 247d6df143aef1fba9f0ee74a9f7d8386bef5180..64dbec16e11e9fa2a67287b195b4bd1180a379e7 100644 +--- a/ipalib/plugins/caacl.py ++++ b/ipalib/plugins/caacl.py +@@ -307,6 +307,14 @@ class caacl_del(LDAPDelete): + + msg_summary = _('Deleted CA ACL "%(value)s"') + ++ def pre_callback(self, ldap, dn, *keys, **options): ++ if keys[0] == 'hosts_services_caIPAserviceCert': ++ raise errors.ProtectedEntryError( ++ label=_("CA ACL"), ++ key=keys[0], ++ reason=_("default CA ACL can be only disabled")) ++ return dn ++ + + @register() + class caacl_mod(LDAPUpdate): +diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py +index 498cc48a742d1b2d862eb9dfdb18743cfb211b78..0de992cb0c15f8161aae4937699baae2a94d305a 100644 +--- a/ipaserver/install/ca.py ++++ b/ipaserver/install/ca.py +@@ -126,9 +126,10 @@ def install_step_0(standalone, replica_config, options): + if standalone: + api.Backend.ldap2.disconnect() + +- cainstance.install_replica_ca(replica_config, postinstall) ++ cainstance.install_replica_ca(replica_config, postinstall, ++ ra_p12=getattr(options, 'ra_p12', None)) + +- if standalone: ++ if standalone and not api.Backend.ldap2.isconnected(): + api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), + bind_pw=dm_password) + +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index 
3e3dce93de2b8ca48a3fe3ea5994ee92a1b0ce49..189876f3c0d980e78165d73eed86b2830ac8c5b8 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -391,7 +391,7 @@ class CAInstance(DogtagInstance): + cert_file=None, cert_chain_file=None, + master_replication_port=None, + subject_base=None, ca_signing_algorithm=None, +- ca_type=None): ++ ca_type=None, ra_p12=None): + """Create a CA instance. + + For Dogtag 9, this may involve creating the pki-ca instance. +@@ -465,7 +465,10 @@ class CAInstance(DogtagInstance): + self.step("requesting RA certificate from CA", self.__request_ra_certificate) + self.step("issuing RA agent certificate", self.__issue_ra_cert) + self.step("adding RA agent as a trusted user", self.__create_ca_agent) +- self.step("authorizing RA to modify profiles", self.__configure_profiles_acl) ++ elif ra_p12 is not None: ++ self.step("importing RA certificate from PKCS #12 file", ++ lambda: self.import_ra_cert(ra_p12, configure_renewal=False)) ++ self.step("authorizing RA to modify profiles", configure_profiles_acl) + self.step("configure certmonger for renewals", self.configure_certmonger_renewal) + self.step("configure certificate renewals", self.configure_renewal) + if not self.clone: +@@ -473,9 +476,12 @@ class CAInstance(DogtagInstance): + self.step("configure Server-Cert certificate renewal", self.track_servercert) + self.step("Configure HTTP to proxy connections", + self.http_proxy) +- if not self.clone: +- self.step("restarting certificate server", self.restart_instance) +- self.step("Importing IPA certificate profiles", import_included_profiles) ++ self.step("restarting certificate server", self.restart_instance) ++ self.step("migrating certificate profiles to LDAP", ++ migrate_profiles_to_ldap) ++ self.step("importing IPA certificate profiles", ++ import_included_profiles) ++ self.step("adding default CA ACL", ensure_default_caacl) + + self.start_creation(runtime=210) + +@@ -887,7 +893,7 @@ class 
CAInstance(DogtagInstance): + + export_kra_agent_pem() + +- def import_ra_cert(self, rafile): ++ def import_ra_cert(self, rafile, configure_renewal=True): + """ + Cloned RAs will use the same RA agent cert as the master so we + need to import from a PKCS#12 file. +@@ -903,7 +909,8 @@ class CAInstance(DogtagInstance): + finally: + os.remove(agent_name) + +- self.configure_agent_renewal() ++ if configure_renewal: ++ self.configure_agent_renewal() + + export_kra_agent_pem() + +@@ -953,10 +960,6 @@ class CAInstance(DogtagInstance): + + conn.disconnect() + +- def __configure_profiles_acl(self): +- """Allow the Certificate Manager Agents group to modify profiles.""" +- configure_profiles_acl() +- + def __run_certutil(self, args, database=None, pwd_file=None, stdin=None): + if not database: + database = self.ra_agent_db +@@ -1491,7 +1494,7 @@ def replica_ca_install_check(config): + exit('IPA schema missing on master CA directory server') + + +-def install_replica_ca(config, postinstall=False): ++def install_replica_ca(config, postinstall=False, ra_p12=None): + """ + Install a CA on a replica. 
+ +@@ -1533,7 +1536,7 @@ def install_replica_ca(config, postinstall=False): + ca.create_ra_agent_db = False + ca.configure_instance(config.host_name, config.domain_name, + config.dirman_password, config.dirman_password, +- pkcs12_info=(cafile,), ++ pkcs12_info=(cafile,), ra_p12=ra_p12, + master_host=config.master_host_name, + master_replication_port=config.ca_ds_port, + subject_base=config.subject_base) +@@ -1658,6 +1661,14 @@ def update_people_entry(dercert): + return True + + def ensure_ldap_profiles_container(): ++ ensure_entry( ++ DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')), ++ objectclass=['top', 'organizationalUnit'], ++ ou=['certificateProfiles'], ++ ) ++ ++ ++def ensure_entry(dn, **attrs): + server_id = installutils.realm_to_serverid(api.env.realm) + dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id + +@@ -1665,40 +1676,39 @@ def ensure_ldap_profiles_container(): + if not conn.isconnected(): + conn.connect(autobind=True) + +- dn = DN(('ou', 'certificateProfiles'), ('ou', 'ca'), ('o', 'ipaca')) + try: + conn.get_entry(dn) + except errors.NotFound: + # entry doesn't exist; add it +- entry = conn.make_entry( +- dn, +- objectclass=['top', 'organizationalUnit'], +- ou=['certificateProfiles'], +- ) ++ entry = conn.make_entry(dn, **attrs) + conn.add_entry(entry) + + conn.disconnect() + + + def configure_profiles_acl(): ++ """Allow the Certificate Manager Agents group to modify profiles.""" + server_id = installutils.realm_to_serverid(api.env.realm) + dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id + updated = False + + dn = DN(('cn', 'aclResources'), ('o', 'ipaca')) +- rule = ( ++ new_rules = [ + 'certServer.profile.configuration:read,modify:allow (read,modify) ' + 'group="Certificate Manager Agents":' +- 'Certificate Manager agents may modify (create/update/delete) and read profiles' +- ) +- modlist = [(ldap.MOD_ADD, 'resourceACLS', [rule])] ++ 'Certificate Manager agents may modify 
(create/update/delete) and read profiles', ++ ++ 'certServer.ca.account:login,logout:allow (login,logout) ' ++ 'user="anybody":Anybody can login and logout', ++ ] + + conn = ldap2.ldap2(api, ldap_uri=dogtag_uri) + if not conn.isconnected(): + conn.connect(autobind=True) +- rules = conn.get_entry(dn).get('resourceACLS', []) +- if rule not in rules: +- conn.conn.modify_s(str(dn), modlist) ++ cur_rules = conn.get_entry(dn).get('resourceACLS', []) ++ add_rules = [rule for rule in new_rules if rule not in cur_rules] ++ if add_rules: ++ conn.conn.modify_s(str(dn), [(ldap.MOD_ADD, 'resourceACLS', add_rules)]) + updated = True + + conn.disconnect() +@@ -1718,6 +1728,17 @@ def import_included_profiles(): + if not conn.isconnected(): + conn.connect(autobind=True) + ++ ensure_entry( ++ DN(('cn', 'ca'), api.env.basedn), ++ objectclass=['top', 'nsContainer'], ++ cn=['ca'], ++ ) ++ ensure_entry( ++ DN(api.env.container_certprofile, api.env.basedn), ++ objectclass=['top', 'nsContainer'], ++ cn=['certprofiles'], ++ ) ++ + api.Backend.ra_certprofile._read_password() + api.Backend.ra_certprofile.override_port = 8443 + +@@ -1823,6 +1844,33 @@ def _create_dogtag_profile(profile_id, profile_data): + "(it is probably already enabled)") + + ++def ensure_default_caacl(): ++ """Add the default CA ACL if missing.""" ++ if not api.Backend.ldap2.isconnected(): ++ try: ++ api.Backend.ldap2.connect(autobind=True) ++ except errors.PublicError as e: ++ root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e) ++ return ++ ++ ensure_entry( ++ DN(('cn', 'ca'), api.env.basedn), ++ objectclass=['top', 'nsContainer'], ++ cn=['ca'], ++ ) ++ ensure_entry( ++ DN(api.env.container_caacl, api.env.basedn), ++ objectclass=['top', 'nsContainer'], ++ cn=['certprofiles'], ++ ) ++ ++ if not api.Command.caacl_find()['result']: ++ api.Command.caacl_add(u'hosts_services_caIPAserviceCert', ++ hostcategory=u'all', servicecategory=u'all') ++ api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert', ++ 
certprofile=(u'caIPAserviceCert',)) ++ ++ + if __name__ == "__main__": + standard_logging_setup("install.log") + ds = dsinstance.DsInstance() +diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py +index f33a9e03a4148dde69fc61441c878f5126f8e455..d78158532c4c88d9aa9acf3c65d278f5151458d8 100644 +--- a/ipaserver/install/dsinstance.py ++++ b/ipaserver/install/dsinstance.py +@@ -310,7 +310,6 @@ class DsInstance(service.Service): + self.step("adding range check plugin", self.__add_range_check_plugin) + if hbac_allow: + self.step("creating default HBAC rule allow_all", self.add_hbac) +- self.step("creating default CA ACL rule", self.add_caacl) + self.step("adding entries for topology management", self.__add_topology_entries) + + self.__common_post_setup() +@@ -745,9 +744,6 @@ class DsInstance(service.Service): + def add_hbac(self): + self._ldap_mod("default-hbac.ldif", self.sub_dict) + +- def add_caacl(self): +- self._ldap_mod("default-caacl.ldif", self.sub_dict) +- + def change_admin_password(self, password): + root_logger.debug("Changing admin password") + dirname = config_dirname(self.serverid) +diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py +index 6f9a6141fe9af44806244ce52df59c191dc966b0..6e9157cabc49161ba27983cbf1de1428d1b48b7d 100644 +--- a/ipaserver/install/server/replicainstall.py ++++ b/ipaserver/install/server/replicainstall.py +@@ -573,6 +573,9 @@ def install(installer): + options.domain_name = config.domain_name + options.host_name = config.host_name + ++ if ipautil.file_exists(config.dir + "/cacert.p12"): ++ options.ra_p12 = config.dir + "/ra.p12" ++ + ca.install(False, config, options) + + krb = install_krb(config, setup_pkinit=not options.no_pkinit) +diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py +index c8f744c392c7b859459bda63c1f397226553d4ba..945cb3ebd63767cb1d57083e1da7c5605ac5a2f9 100644 +--- a/ipaserver/install/server/upgrade.py ++++ 
b/ipaserver/install/server/upgrade.py +@@ -1321,18 +1321,7 @@ def add_default_caacl(ca): + return + + if ca.is_configured(): +- if not api.Backend.ldap2.isconnected(): +- try: +- api.Backend.ldap2.connect(autobind=True) +- except ipalib.errors.PublicError as e: +- root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e) +- return +- +- if not api.Command.caacl_find()['result']: +- api.Command.caacl_add(u'hosts_services_caIPAserviceCert', +- hostcategory=u'all', servicecategory=u'all') +- api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert', +- certprofile=(u'caIPAserviceCert',)) ++ cainstance.ensure_default_caacl() + + sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True) + +-- +2.4.3 + diff --git a/SOURCES/0157-disconnect-ldap2-backend-after-adding-default-CA-ACL.patch b/SOURCES/0157-disconnect-ldap2-backend-after-adding-default-CA-ACL.patch new file mode 100644 index 0000000..5f8959b --- /dev/null +++ b/SOURCES/0157-disconnect-ldap2-backend-after-adding-default-CA-ACL.patch 
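Review bot: In `ensure_default_caacl()` the second `ensure_entry` call creates `DN(api.env.container_caacl, api.env.basedn)` but sets `cn=['certprofiles']`, which looks copied from the certprofiles container in `import_included_profiles`; the deleted `default-caacl.ldif` names the container `cn=caacls,cn=ca,$SUFFIX`, so the attribute should presumably be `cn=['caacls']` (whether the directory server adds the RDN value itself or rejects the mismatch, the entry as written carries a misleading cn). In `replicainstall.py` the guard tests `config.dir + "/cacert.p12"` but passes `config.dir + "/ra.p12"`, so a replica file that has the CA bundle but no RA PKCS#12 fails later inside `import_ra_cert` rather than at the check; testing the file that is actually used, `if ipautil.file_exists(config.dir + "/ra.p12"):`, is clearer. `caacl_del.pre_callback` compares `keys[0]` case-sensitively while the LDAP `cn` it maps to matches case-insensitively, so unless the key is normalised elsewhere a differently-cased name would bypass the protection of the default ACL; `keys[0].lower() == 'hosts_services_caipaservicecert'` would close that gap.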
@@ -0,0 +1,33 @@ +From 245f54de1d4e2189b1234000916a7d591fa151b9 Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Tue, 24 Nov 2015 14:43:10 +0100 +Subject: [PATCH] disconnect ldap2 backend after adding default CA ACL profiles + +ensure_default_caacl() was leaking open api.Backend.ldap2 connection which +could crash server/replica installation at later stages. This patch ensures +that after checking default CA ACL profiles the backend is disconnected. + +https://fedorahosted.org/freeipa/ticket/5459 + +Reviewed-By: Tomas Babej +--- + ipaserver/install/cainstance.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index 189876f3c0d980e78165d73eed86b2830ac8c5b8..c72d11d1e0b86c040dc497744cda87aab22caafd 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -1870,6 +1870,9 @@ def ensure_default_caacl(): + api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert', + certprofile=(u'caIPAserviceCert',)) + ++ if api.Backend.ldap2.isconnected(): ++ api.Backend.ldap2.disconnect() ++ + + if __name__ == "__main__": + standard_logging_setup("install.log") +-- +2.4.3 + diff --git a/SOURCES/0158-do-not-disconnect-when-using-existing-connection-to-.patch b/SOURCES/0158-do-not-disconnect-when-using-existing-connection-to-.patch new file mode 100644 index 0000000..ddd390b --- /dev/null +++ b/SOURCES/0158-do-not-disconnect-when-using-existing-connection-to-.patch 
@@ -0,0 +1,39 @@ +From bce98a84720aa6ffdec72e923248719c3cbea8d3 Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Tue, 24 Nov 2015 16:40:52 +0100 +Subject: [PATCH] do not disconnect when using existing connection to check + default CA ACLs + +https://fedorahosted.org/freeipa/ticket/5459 + +Reviewed-By: Jan Cholasta +--- + ipaserver/install/cainstance.py | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index c72d11d1e0b86c040dc497744cda87aab22caafd..c20bf39c12cff0777d90efad2b0d8d136ee37ec9 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -1846,7 +1846,8 @@ def _create_dogtag_profile(profile_id, profile_data): + + def ensure_default_caacl(): + """Add the default CA ACL if missing.""" +- if not api.Backend.ldap2.isconnected(): ++ is_already_connected = api.Backend.ldap2.isconnected() ++ if not is_already_connected: + try: + api.Backend.ldap2.connect(autobind=True) + except errors.PublicError as e: +@@ -1870,7 +1871,7 @@ def ensure_default_caacl(): + api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert', + certprofile=(u'caIPAserviceCert',)) + +- if api.Backend.ldap2.isconnected(): ++ if not is_already_connected: + api.Backend.ldap2.disconnect() + + +-- +2.4.3 + diff --git a/SOURCES/0159-Fix-upgrade-of-forwardzones-when-zone-is-in-realmdom.patch b/SOURCES/0159-Fix-upgrade-of-forwardzones-when-zone-is-in-realmdom.patch new file mode 100644 index 0000000..8b3c1f3 --- /dev/null +++ b/SOURCES/0159-Fix-upgrade-of-forwardzones-when-zone-is-in-realmdom.patch 
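Review bot: `api.Backend.ldap2.disconnect()` is still only reached on the success path: if `api.Command.caacl_find`, `caacl_add` or `caacl_add_profile` raises, the connection that `ensure_default_caacl()` opened itself is left open, which is the leak patch 0157 set out to close. Wrapping the code after the connect in `try:` and moving the existing `if not is_already_connected: api.Backend.ldap2.disconnect()` into a `finally:` block would release it on both paths. The lines between the two hunks belong to the same function and are outside the hunk.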
@@ -0,0 +1,37 @@ +From c466f49b39869ec9817cda4a0485b00a14c52782 Mon Sep 17 00:00:00 2001 +From: Martin Basti +Date: Wed, 25 Nov 2015 09:57:07 +0100 +Subject: [PATCH] Fix upgrade of forwardzones when zone is in realmdomains + +https://fedorahosted.org/freeipa/ticket/5472 + +Reviewed-By: Petr Spacek +--- + ipalib/plugins/realmdomains.py | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py +index c53340591bd0f0f02fcc9db3142b74197aff551b..54c07a7a11a23e82717a30e4ac8a50502bfc7b51 100644 +--- a/ipalib/plugins/realmdomains.py ++++ b/ipalib/plugins/realmdomains.py +@@ -185,7 +185,7 @@ class realmdomains_mod(LDAPUpdate): + if d == api.env.domain: + continue + try: +- api.Command['dnsrecord_add']( ++ self.api.Command['dnsrecord_add']( + unicode(d), + u'_kerberos', + txtrecord=api.env.realm +@@ -200,7 +200,7 @@ class realmdomains_mod(LDAPUpdate): + if d == api.env.domain: + continue + try: +- api.Command['dnsrecord_del']( ++ self.api.Command['dnsrecord_del']( + unicode(d), + u'_kerberos', + txtrecord=api.env.realm +-- +2.4.3 + diff --git a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch index d61193c..4c2fd45 100644 --- a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch +++ b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch @@ -1,4 +1,4 @@ -From b8147e3295b16164f62d05a78dfd25bfa6f178e2 Mon Sep 17 00:00:00 2001 +From 38e9b66a161f8e5c540c69f46a8bc699d0906636 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Fri, 5 Sep 2014 11:24:27 +0200 Subject: [PATCH] Hide pkinit functionality from production version @@ -108,10 +108,10 @@ index 9d7036a7786a35e6aa2429254d62c8afb30970db..95a9b560843cfea9b4f7b2718e4e9435 cli_metavar='NAME', ) 
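Review bot: The two changed lines switch `api.Command[...]` to `self.api.Command[...]`, but the arguments on the following lines still read `api.env.realm`, and the loop guard above still reads `api.env.domain` from the module-level `api`; if the intent is to run against the plugin's own API instance (e.g. during upgrade), `txtrecord=self.api.env.realm` and `if d == self.api.env.domain:` should follow, otherwise the call mixes two API objects. If the module-level `api` is guaranteed to be the same object here, a one-line comment saying so would save the next reader the question. The enclosing method of `realmdomains_mod` starts outside the hunk.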
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 6f9a6141fe9af44806244ce52df59c191dc966b0..2d34fdd02b57eb962cdffba508e53cfea0c922e1 100644 +index 6e9157cabc49161ba27983cbf1de1428d1b48b7d..2544db2875cc29b1c0f6f8acd855bcfa02fc645a 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py -@@ -655,6 +655,7 @@ class ReplicaCA(common.Installable, core.Group, core.Composite): +@@ -658,6 +658,7 @@ class ReplicaCA(common.Installable, core.Group, core.Composite): no_pkinit = Knob( bool, False, @@ -120,5 +120,5 @@ index 6f9a6141fe9af44806244ce52df59c191dc966b0..2d34fdd02b57eb962cdffba508e53cfe ) -- -2.5.1 +2.4.3 diff --git a/SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch b/SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch index b1ea0d0..95a6a14 100644 --- a/SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch +++ b/SOURCES/1009-Do-not-allow-installation-in-FIPS-mode.patch @@ -1,4 +1,4 @@ -From e5e637ffe268e7a8d6fe893baac181bf1f74ee86 Mon Sep 17 00:00:00 2001 +From 0ea5a5970f7661e240b6ff3ebec4ea2414c47837 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 21 Oct 2014 14:56:28 +0200 Subject: [PATCH] Do not allow installation in FIPS mode @@ -29,10 +29,10 @@ index acad7ff3771561d5dce530317b65aaf117f153a1..cf906ccbbe5c98013a5f640e90e1f3c9 try: check_IPA_configuration() diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install -index 793de4fc950ad73b1d88f9ab4bd5178afc8b813d..37b1547b815cbf08b2e32c6266d073e1635a1c84 100755 +index 543c6f027f2312792e7ad33533db8e7c10a3cddb..586b11bdf37cf22f50980d6b84d6dcd12cfd50e7 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install -@@ -3047,6 +3047,10 @@ def main(): +@@ -3051,6 +3051,10 @@ def main(): if not os.getegid() == 0: sys.exit("\nYou must be root to run ipa-client-install.\n") 
@@ -76,5 +76,5 @@ index 55c58335c5bbc6993999da4c465e58f4ce3225aa..1994316c1ff066f7e7e615c51ea7157f client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) -- -2.5.1 +2.4.3 diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch deleted file mode 100644 index 673cd2f..0000000 --- a/SOURCES/ipa-centos-branding.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 69f6d9a..a5435f8 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -35,7 +35,7 @@ Name: ipa Version: 4.2.0 -Release: 15%{?dist} +Release: 15%{?dist}.3 Summary: The Identity, Policy and Audit system Group: System Environment/Base 
@@ -43,10 +43,10 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity-Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source3: login-screen-logo.png -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source3: login-screen-logo.png +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity-Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) 
@@ -194,6 +194,22 @@ Patch0140: 0140-vault-select-a-server-with-KRA-for-vault-operations.patch Patch0141: 0141-schema-do-not-derive-ipaVaultPublicKey-from-ipaPubli.patch Patch0142: 0142-upgrade-make-sure-ldap2-is-connected-in-export_kra_a.patch Patch0143: 0143-vault-fix-private-service-vault-creation.patch +Patch0144: 0144-install-fix-command-line-option-validation.patch +Patch0145: 0145-install-export-KRA-agent-PEM-file-in-ipa-kra-install.patch +Patch0146: 0146-cert-renewal-make-renewal-of-ipaCert-atomic.patch +Patch0147: 0147-suppress-errors-arising-from-adding-existing-LDAP-en.patch +Patch0148: 0148-fix-caching-in-get_ipa_config.patch +Patch0149: 0149-client-install-do-not-corrupt-OpenSSH-config-with-Ma.patch +Patch0150: 0150-upgrade-fix-migration-of-old-dns-forward-zones.patch +Patch0151: 0151-TLS-and-Dogtag-HTTPS-request-logging-improvements.patch +Patch0152: 0152-Avoid-race-condition-caused-by-profile-delete-and-re.patch +Patch0153: 0153-ipa-cacert-renew-Fix-connection-to-ldap.patch +Patch0154: 0154-ipa-otptoken-import-Fix-connection-to-ldap.patch +Patch0155: 0155-Do-not-erroneously-reinit-NSS-in-Dogtag-interface.patch +Patch0156: 0156-Add-profiles-and-default-CA-ACL-on-migration.patch +Patch0157: 0157-disconnect-ldap2-backend-after-adding-default-CA-ACL.patch +Patch0158: 0158-do-not-disconnect-when-using-existing-connection-to-.patch +Patch0159: 0159-Fix-upgrade-of-forwardzones-when-zone-is-in-realmdom.patch Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch Patch1002: 1002-Remove-pkinit-plugin.patch @@ -205,7 +221,6 @@ Patch1007: 1007-Do-not-build-tests.patch Patch1008: 1008-RCUE.patch Patch1009: 1009-Do-not-allow-installation-in-FIPS-mode.patch Patch1010: 1010-WebUI-add-API-browser-is-experimental-warning.patch -Patch1011: ipa-centos-branding.patch # RHEL spec file only: END %if ! %{ONLY_CLIENT} 
@@ -337,7 +352,7 @@ Requires: systemd-python Requires: %{etc_systemd_dir} Requires: gzip # RHEL spec file only: START -# Requires: redhat-access-plugin-ipa +Requires: redhat-access-plugin-ipa # RHEL spec file only: END Conflicts: %{alt_name}-server @@ -546,10 +561,10 @@ for p in %patches ; do done # Red Hat's Identity Management branding -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE3 install/ui/images/login-screen-logo.png -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE3 install/ui/images/login-screen-logo.png +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END %build 
@@ -1146,8 +1161,51 @@ fi # RHEL spec file only: DELETED: Do not build tests %changelog -* Thu Nov 19 2015 CentOS Sources - 4.2.0-15.el7.centos -- Roll in CentOS Branding +* Wed Nov 25 2015 Jan Cholasta - 4.2.0-15.3 +- Resolves: #1284052 IPA DNS Zone/DNS Forward Zone details missing after + upgrade from RHEL 7.0 to RHEL 7.2 + - Fix upgrade of forwardzones when zone is in realmdomains + +* Tue Nov 24 2015 Jan Cholasta - 4.2.0-15.2 +- Resolves: #1283890 installer options are not validated at the beginning of + installation + - Fix incorrectly rebased patch 0144 +- Resolves: #1284803 Default CA ACL rule is not created during + ipa-replica-install + - disconnect ldap2 backend after adding default CA ACL profiles + - do not disconnect when using existing connection to check default CA ACLs + +* Tue Nov 24 2015 Jan Cholasta - 4.2.0-15.1 +- Resolves: #1283882 IPA certificate auto renewal fail with "Invalid + Credential" + - cert renewal: make renewal of ipaCert atomic +- Resolves: #1283883 ipa upgrade causes vault internal error + - install: export KRA agent PEM file in ipa-kra-install +- Resolves: #1283884 ipa-kra-install: fails to apply updates + - suppress errors arising from adding existing LDAP entries during KRA + install +- Resolves: #1283890 installer options are not validated at the beginning of + installation + - install: fix command line option validation +- Resolves: #1283915 Caching of ipaconfig does not work in framework + - fix caching in get_ipa_config +- Resolves: #1284025 sshd_config change on ipa-client-install can prevent sshd + from starting up + - client install: do not corrupt OpenSSH config with Match sections +- Resolves: #1284052 IPA DNS Zone/DNS Forward Zone details missing after + upgrade from RHEL 7.0 to RHEL 7.2 + - upgrade: fix migration of old dns forward zones +- Resolves: #1284803 Default CA ACL rule is not created during + ipa-replica-install + - TLS and Dogtag HTTPS request logging improvements + - Avoid race condition caused by profile 
delete and recreate + - Do not erroneously reinit NSS in Dogtag interface + - Add profiles and default CA ACL on migration +- Resolves: #1284811 ipa-cacert-manage renew fails on nonexistent ldap + connection + - ipa-cacert-renew: Fix connection to ldap. +- Resolves: #1284813 ipa-otptoken-import fails on nonexistent ldap connection + - ipa-otptoken-import: Fix connection to ldap. * Tue Oct 13 2015 Jan Cholasta - 4.2.0-15 - Resolves: #1252556 Missing CLI param and ACL for vault service operations