diff --git a/SOURCES/0220-ipa-otptoken-import-Make-PBKDF2-refer-to-the-pkcs5-n.patch b/SOURCES/0220-ipa-otptoken-import-Make-PBKDF2-refer-to-the-pkcs5-n.patch new file mode 100644 index 0000000..b56a901 --- /dev/null +++ b/SOURCES/0220-ipa-otptoken-import-Make-PBKDF2-refer-to-the-pkcs5-n.patch @@ -0,0 +1,84 @@ +From 92f450a4b6eacb7950e5414d40d9949076cb096e Mon Sep 17 00:00:00 2001 +From: Nathaniel McCallum +Date: Tue, 20 Jun 2017 10:31:15 -0400 +Subject: [PATCH] ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace + +For some unknown reason, when I wrote the ipa-otptoken-import script +I used bad input data which had the PBKDF2 parameters in the wrong +XML namespace. I have corrected this input data to match RFC 6030. + +https://pagure.io/freeipa/issue/7035 + +Signed-off-by: Nathaniel McCallum +Reviewed-By: Martin Basti +Reviewed-By: Stanislav Laznicka +--- + ipaserver/install/ipa_otptoken_import.py | 15 ++++++--------- + ipatests/test_ipaserver/data/pskc-figure7.xml | 16 ++++++++-------- + 2 files changed, 14 insertions(+), 17 deletions(-) + +diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py +index 2580e2cfc97f4960af68a5eae407a7ebe3c7a257..31225e96b55c20bd78e9a8650848a28cf9feef63 100644 +--- a/ipaserver/install/ipa_otptoken_import.py ++++ b/ipaserver/install/ipa_otptoken_import.py +@@ -52,6 +52,7 @@ class ValidationError(Exception): + + def fetchAll(element, xpath, conv=lambda x: x): + return [conv(e) for e in element.xpath(xpath, namespaces={ ++ "pkcs5": "http://www.rsasecurity.com/rsalabs/pkcs/schemas/pkcs-5v2-0#", + "pskc": "urn:ietf:params:xml:ns:keyprov:pskc", + "xenc11": "http://www.w3.org/2009/xmlenc11#", + "xenc": "http://www.w3.org/2001/04/xmlenc#", +@@ -175,18 +176,14 @@ class XMLKeyDerivation(six.with_metaclass(abc.ABCMeta, object)): + + class PBKDF2KeyDerivation(XMLKeyDerivation): + def __init__(self, enckey): +- params = fetch(enckey, "./xenc11:DerivedKey/xenc11:KeyDerivationMethod/xenc11:PBKDF2-params") ++ params = fetch(enckey, "./xenc11:DerivedKey/xenc11:KeyDerivationMethod/pkcs5:PBKDF2-params") + if params is None: + raise ValueError("XML file is missing PBKDF2 parameters!") + +- salt = fetch( +- params, "./xenc11:Salt/xenc11:Specified/text()", base64.b64decode) +- itrs = fetch( +- params, "./xenc11:IterationCount/text()", int) +- klen = fetch( +- params, "./xenc11:KeyLength/text()", int) +- hmod = fetch( +- params, "./xenc11:PRF/@Algorithm", convertHMACType, hashes.SHA1) ++ salt = fetch(params, "./Salt/Specified/text()", base64.b64decode) ++ itrs = fetch(params, "./IterationCount/text()", int) ++ klen = fetch(params, "./KeyLength/text()", int) ++ hmod = fetch(params, "./PRF/@Algorithm", convertHMACType, hashes.SHA1) + + if salt is None: + raise ValueError("XML file is missing PBKDF2 salt!") +diff --git a/ipatests/test_ipaserver/data/pskc-figure7.xml b/ipatests/test_ipaserver/data/pskc-figure7.xml +index 1fb04fc319d7572d9d25ff34a0ce3378a939dfc6..808e272a5469a1c9eb4087ed53e0907bb80b39ad 100644 +--- a/ipatests/test_ipaserver/data/pskc-figure7.xml ++++ b/ipatests/test_ipaserver/data/pskc-figure7.xml +@@ -8,14 +8,14 @@ + + +- +- +- Ej7/PEpyEpw= +- +- 1000 +- 16 +- +- ++ ++ ++ Ej7/PEpyEpw= ++ ++ 1000 ++ 16 ++ ++ + + + +-- +2.13.5 \ No newline at end of file diff --git a/SOURCES/0221-Adds-whoami-DS-plugin-in-case-that-plugin-is-missing.patch b/SOURCES/0221-Adds-whoami-DS-plugin-in-case-that-plugin-is-missing.patch new file mode 100644 index 0000000..e247dd1 --- /dev/null +++ b/SOURCES/0221-Adds-whoami-DS-plugin-in-case-that-plugin-is-missing.patch @@ -0,0 +1,59 @@ +From d06b29772609d14dccfe0d556fdb83140fcb2b3f Mon Sep 17 00:00:00 2001 +From: Pavel Vomacka +Date: Mon, 28 Aug 2017 10:51:53 +0200 +Subject: [PATCH] Adds whoami DS plugin in case that plugin is missing + +When first installation of IPA has been done when whoami +plugin was not enabled in DS by default and then IPA was +upgraded to newer versions, then after upgrade to IPA 4.5 +WebUI stops working. This is caused by new requirement on +whoami DS plugin which is used to obtain information about +logged in entity. + +This fix adds the whoami plugin during update in case that the plugin +is not enabled. + +https://pagure.io/freeipa/issue/7126 + +Reviewed-By: Tibor Dudlak +Reviewed-By: Rob Crittenden +--- + install/updates/20-whoami.update | 14 ++++++++++++++ + install/updates/Makefile.am | 1 + + 2 files changed, 15 insertions(+) + create mode 100644 install/updates/20-whoami.update + +diff --git a/install/updates/20-whoami.update b/install/updates/20-whoami.update +new file mode 100644 +index 0000000000000000000000000000000000000000..ed2c6cbd772ec1c2b664e450463bb64d61b1ceab +--- /dev/null ++++ b/install/updates/20-whoami.update +@@ -0,0 +1,14 @@ ++dn: cn=whoami,cn=plugins,cn=config ++default:objectClass: top ++default:objectClass: nsSlapdPlugin ++default:objectClass: extensibleObject ++default:cn: whoami ++default:nsslapd-plugin-depends-on-type: database ++default:nsslapd-pluginDescription: whoami extended operation plugin ++default:nsslapd-pluginEnabled: on ++default:nsslapd-pluginId: whoami-plugin ++default:nsslapd-pluginInitfunc: whoami_init ++default:nsslapd-pluginPath: libwhoami-plugin ++default:nsslapd-pluginType: extendedop ++default:nsslapd-pluginVendor: 389 Project ++default:nsslapd-pluginVersion: 1.0 +diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am +index e18d01127b592a6c7941729d6160d10fb2d3e76c..ae3d3e0528929a30922f0395d7092654dd753a64 100644 +--- a/install/updates/Makefile.am ++++ b/install/updates/Makefile.am +@@ -24,6 +24,7 @@ app_DATA = \ + 20-idoverride_index.update \ + 20-uuid.update \ + 20-default_password_policy.update \ ++ 20-whoami.update \ + 21-replicas_container.update \ + 21-ca_renewal_container.update \ + 21-certstore_container.update \ +-- +2.13.5 \ No newline at end of file diff --git a/SOURCES/0222-Fix-ipa-config-mod-ca-renewal-master.patch b/SOURCES/0222-Fix-ipa-config-mod-ca-renewal-master.patch new file mode 100644 index 0000000..b4778ba --- /dev/null +++ b/SOURCES/0222-Fix-ipa-config-mod-ca-renewal-master.patch @@ -0,0 +1,88 @@ +From 9a8352637aeb32ddffd83f4477695ec290da8429 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Wed, 23 Aug 2017 16:31:18 +0200 +Subject: [PATCH] Fix ipa config-mod --ca-renewal-master + +commit bddb90f38a3505a2768862d2f814c5e749a7dcde added the support for +multivalued server attributes (for pkinit_server_server), but this +introduced an API change where the setter and getter of ServerAttribute +are expecting list of values. + +When a SingleValuedServerAttribute is used, we need to convert one elem +into a list containing this elem and vice-versa, so that the ipa config-mod +and ipa config_show APIs are not modified. + +https://pagure.io/freeipa/issue/7120 + +Reviewed-By: Alexander Bokovoy +Reviewed-By: Fraser Tweedale +--- + ipaserver/plugins/serverroles.py | 16 +++++++++++++++- + ipatests/test_ipaserver/test_serverroles.py | 4 ++-- + 2 files changed, 17 insertions(+), 3 deletions(-) + +diff --git a/ipaserver/plugins/serverroles.py b/ipaserver/plugins/serverroles.py +index e81635c3315cc3fca84450f43fb7df883aae57d9..04e21090657197b9267f2ffc05048399a7ce3d38 100644 +--- a/ipaserver/plugins/serverroles.py ++++ b/ipaserver/plugins/serverroles.py +@@ -46,6 +46,7 @@ from ipalib import errors, _ + from ipalib.backend import Backend + from ipalib.plugable import Registry + from ipaserver.servroles import (attribute_instances, ENABLED, role_instances) ++from ipaserver.servroles import SingleValuedServerAttribute + + + if six.PY3: +@@ -136,13 +137,26 @@ class serverroles(Backend): + + for name, attr in assoc_attributes.items(): + attr_value = attr.get(self.api) +- result.update({name: attr_value}) ++ ++ if attr_value: ++ # attr can be a SingleValuedServerAttribute ++ # in this case, the API expects a value, not a list of values ++ if isinstance(attr, SingleValuedServerAttribute): ++ attr_value = attr_value[0] ++ result.update({name: attr_value}) + + return result + + def config_update(self, **attrs_values): + for attr, value in attrs_values.items(): + try: ++ # when the attribute is single valued, it will be stored ++ # in a SingleValuedServerAttribute. The set method expects ++ # a list containing a single value. ++ # We need to convert value to a list containing value ++ if isinstance(self.attributes[attr], ++ SingleValuedServerAttribute): ++ value = [value] + self.attributes[attr].set(self.api, value) + except KeyError: + raise errors.NotFound( +diff --git a/ipatests/test_ipaserver/test_serverroles.py b/ipatests/test_ipaserver/test_serverroles.py +index 985c750b64f109e0a83686f31ddb3b8d4171072d..e8967517d0c65fb6e3daebf220cae7df38bfe044 100644 +--- a/ipatests/test_ipaserver/test_serverroles.py ++++ b/ipatests/test_ipaserver/test_serverroles.py +@@ -715,7 +715,7 @@ class TestServerAttributes(object): + non_ca_fqdn = mock_masters.get_fqdn('trust-controller-dns') + + with pytest.raises(errors.ValidationError): +- self.config_update(mock_api, **{attr_name: [non_ca_fqdn]}) ++ self.config_update(mock_api, **{attr_name: non_ca_fqdn}) + + def test_set_unknown_attribute_on_master_raises_notfound( + self, mock_api, mock_masters): +@@ -732,7 +732,7 @@ class TestServerAttributes(object): + original_renewal_master = self.config_retrieve( + role_name, mock_api)[attr_name] + +- other_ca_server = [mock_masters.get_fqdn('trust-controller-ca')] ++ other_ca_server = mock_masters.get_fqdn('trust-controller-ca') + + for host in (other_ca_server, original_renewal_master): + self.config_update(mock_api, **{attr_name: host}) +-- +2.13.5 + diff --git a/SOURCES/0223-Backport-PR-988-to-ipa-4-5-Fix-Certificate-renewal-w.patch b/SOURCES/0223-Backport-PR-988-to-ipa-4-5-Fix-Certificate-renewal-w.patch new file mode 100644 index 0000000..db614e2 --- /dev/null +++ b/SOURCES/0223-Backport-PR-988-to-ipa-4-5-Fix-Certificate-renewal-w.patch @@ -0,0 +1,60 @@ +From 21b0fdb48179e6060eff0ecb11ce6522983ccc00 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Fri, 18 Aug 2017 18:02:57 +0200 +Subject: [PATCH] Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext + ca) + +Fix certificate renewal scripts that use IPACertificate object: +- renew_ca_cert adds the C flag to the trust flags and needs to +be adapted to IPACertificate object +- ipa-cacert-manage: fix python3 encoding issue + +https://pagure.io/freeipa/issue/7106 + +Reviewed-By: Fraser Tweedale +Reviewed-By: Stanislav Laznicka +--- + install/restart_scripts/renew_ca_cert | 7 ++++++- + ipaserver/install/ipa_cacert_manage.py | 2 +- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert +index bb31defc0e2bdca044e68ae067f42fb3bd41a57f..3bbf003bad47a189fd26df19e6ab137fcbb67ed0 100644 +--- a/install/restart_scripts/renew_ca_cert ++++ b/install/restart_scripts/renew_ca_cert +@@ -35,6 +35,7 @@ from ipaserver.install import certs, cainstance, installutils + from ipaserver.plugins.ldap2 import ldap2 + from ipaplatform import services + from ipaplatform.paths import paths ++from ipapython.certdb import TrustFlags + + + def _main(): +@@ -180,7 +181,11 @@ def _main(): + # Pass Dogtag's self-tests + for ca_nick in db.find_root_cert(nickname)[-2:-1]: + ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick] +- db.trust_root_cert(ca_nick, 'C' + ca_flags) ++ usages = ca_flags.usages or set() ++ ca_flags_modified = TrustFlags(ca_flags.has_key, ++ True, True, ++ usages | {x509.EKU_SERVER_AUTH}) ++ db.trust_root_cert(ca_nick, ca_flags_modified) + finally: + if conn is not None and conn.isconnected(): + conn.disconnect() +diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py +index e88e8b63ae94759ac835f3b3b31b0735d68a67b0..fcbf09155a3abc9ce9481aa2519ed39aaa6aa9bb 100644 +--- a/ipaserver/install/ipa_cacert_manage.py ++++ b/ipaserver/install/ipa_cacert_manage.py +@@ -218,7 +218,7 @@ class CACertManage(admintool.AdminTool): + cert_file, ca_file = installutils.load_external_cert( + options.external_cert_files, DN(old_cert_obj.subject)) + +- with open(cert_file.name) as f: ++ with open(cert_file.name, 'rb') as f: + new_cert_data = f.read() + new_cert_der = x509.normalize_certificate(new_cert_data) + new_cert_obj = x509.load_certificate(new_cert_der, x509.DER) +-- +2.13.5 \ No newline at end of file diff --git a/SOURCES/0224-Backport-PR-1008-to-ipa-4-5-Fix-ipa-server-upgrade-T.patch b/SOURCES/0224-Backport-PR-1008-to-ipa-4-5-Fix-ipa-server-upgrade-T.patch new file mode 100644 index 0000000..7de886b --- /dev/null +++ b/SOURCES/0224-Backport-PR-1008-to-ipa-4-5-Fix-ipa-server-upgrade-T.patch @@ -0,0 +1,213 @@ +From c9fb09190ac243bcf45622693944d7e6785141b4 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Mon, 28 Aug 2017 10:50:58 +0200 +Subject: [PATCH] Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This + entry already exists + +ipa-server-upgrade fails when running the ipaload_cacrt plugin. The plugin +finds all CA certificates in /etc/httpd/alias and uploads them in LDAP +below cn=certificates,cn=ipa,cn=etc,$BASEDN. +The issue happens because there is already an entry in LDAP for IPA CA, but +with a different DN. The nickname in /etc/httpd/alias can differ from +$DOMAIN IPA CA. + +To avoid the issue: +1/ during upgrade, run a new plugin that removes duplicates and restarts ldap +(to make sure that uniqueness attr plugin is working after the new plugin) +2/ modify upload_cacert plugin so that it is using $DOMAIN IPA CA instead of +cn=$nickname,cn=ipa,cn=etc,$BASEDN when uploading IPA CA. + +https://pagure.io/freeipa/issue/7125 + +Reviewed-By: Fraser Tweedale +--- + install/updates/90-post_upgrade_plugins.update | 1 + + ipalib/install/certstore.py | 19 +++++ + .../plugins/update_fix_duplicate_cacrt_in_ldap.py | 84 ++++++++++++++++++++++ + ipaserver/install/plugins/upload_cacrt.py | 19 ++++- + 4 files changed, 120 insertions(+), 3 deletions(-) + create mode 100644 ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py + +diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update +index 8477199e07d6729d5847e58bfa67d061bd1410c2..bbc3e29422fc0f139c2ca68a7033863e4c25f8cf 100644 +--- a/install/updates/90-post_upgrade_plugins.update ++++ b/install/updates/90-post_upgrade_plugins.update +@@ -15,6 +15,7 @@ plugin: update_ca_renewal_master + plugin: update_idrange_type + plugin: update_pacs + plugin: update_service_principalalias ++plugin: update_fix_duplicate_cacrt_in_ldap + plugin: update_upload_cacrt + # update_ra_cert_store has to be executed after update_ca_renewal_master + plugin: update_ra_cert_store +diff --git a/ipalib/install/certstore.py b/ipalib/install/certstore.py +index bc2079fb12873444cbe6796eebfdfcfebd0e284d..76181fe47de585974f3fb33ec586f5c576adebb5 100644 +--- a/ipalib/install/certstore.py ++++ b/ipalib/install/certstore.py +@@ -27,6 +27,7 @@ from pyasn1.error import PyAsn1Error + from ipapython.dn import DN + from ipapython.certdb import get_ca_nickname, TrustFlags + from ipalib import errors, x509 ++from ipalib.constants import IPA_CA_CN + + def _parse_cert(dercert): + try: +@@ -381,3 +382,21 @@ def get_ca_certs_nss(ldap, base_dn, compat_realm, compat_ipa_ca, + nss_certs.append((cert, nickname, trust_flags)) + + return nss_certs ++ ++ ++def get_ca_subject(ldap, container_ca, base_dn): ++ """ ++ Look for the IPA CA certificate subject. ++ """ ++ dn = DN(('cn', IPA_CA_CN), container_ca, base_dn) ++ try: ++ cacert_subject = ldap.get_entry(dn)['ipacasubjectdn'][0] ++ except errors.NotFound: ++ # if the entry doesn't exist, we are dealing with a pre-v4.4 ++ # installation, where the default CA subject was always based ++ # on the subject_base. ++ attrs = ldap.get_ipa_config() ++ subject_base = attrs.get('ipacertificatesubjectbase')[0] ++ cacert_subject = DN(('CN', 'Certificate Authority'), subject_base) ++ ++ return cacert_subject +diff --git a/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py b/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py +new file mode 100644 +index 0000000000000000000000000000000000000000..cd4f13a8eb6b5bc9e04fcdd407907497528f8be1 +--- /dev/null ++++ b/ipaserver/install/plugins/update_fix_duplicate_cacrt_in_ldap.py +@@ -0,0 +1,84 @@ ++# Authors: ++# Florence Blanc-Renaud ++# ++# Copyright (C) 2017 Red Hat ++# see file 'COPYING' for use and warranty information ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation, either version 3 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program. If not, see . ++ ++import logging ++ ++from ipalib import Registry, errors ++from ipalib import Updater ++from ipalib.install import certstore ++from ipapython.dn import DN ++from ipapython.certdb import get_ca_nickname ++ ++logger = logging.getLogger(__name__) ++ ++register = Registry() ++ ++ ++@register() ++class update_fix_duplicate_cacrt_in_ldap(Updater): ++ """ ++ When multiple entries exist for IPA CA cert in ldap, remove the duplicate ++ ++ After this plugin, ds needs to be restarted. This ensures that ++ the attribute uniqueness plugin is working and prevents ++ other plugins from adding duplicates. ++ """ ++ ++ def execute(self, **options): ++ # If CA is disabled, no need to check for duplicates of IPA CA ++ ca_enabled = self.api.Command.ca_is_enabled()['result'] ++ if not ca_enabled: ++ return True, [] ++ ++ # Look for the IPA CA cert subject ++ ldap = self.api.Backend.ldap2 ++ cacert_subject = certstore.get_ca_subject( ++ ldap, ++ self.api.env.container_ca, ++ self.api.env.basedn) ++ ++ # Find if there are other certificates with the same subject ++ # They are duplicates resulting of BZ 1480102 ++ base_dn = DN(('cn', 'certificates'), ('cn', 'ipa'), ('cn', 'etc'), ++ self.api.env.basedn) ++ try: ++ filter = ldap.make_filter({'ipaCertSubject': cacert_subject}) ++ result, _truncated = ldap.find_entries( ++ base_dn=base_dn, ++ filter=filter, ++ attrs_list=[]) ++ except errors.NotFound: ++ # No duplicate, we're good ++ logger.debug("No duplicates for IPA CA in LDAP") ++ return True, [] ++ ++ logger.debug("Found %d entrie(s) for IPA CA in LDAP", len(result)) ++ cacert_dn = DN(('cn', get_ca_nickname(self.api.env.realm)), base_dn) ++ for entry in result: ++ if entry.dn == cacert_dn: ++ continue ++ # Remove the duplicate ++ try: ++ ldap.delete_entry(entry) ++ logger.debug("Removed the duplicate %s", entry.dn) ++ except Exception as e: ++ logger.warning("Failed to remove the duplicate %s: %s", ++ entry.dn, e) ++ ++ return True, [] +diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py +index a1957ca5b675b86f0df36dc820ee31305f54f863..985b74c06e80a3620eb6454c0bd9c7590b04184d 100644 +--- a/ipaserver/install/plugins/upload_cacrt.py ++++ b/ipaserver/install/plugins/upload_cacrt.py +@@ -20,7 +20,7 @@ + from ipalib.install import certstore + from ipaplatform.paths import paths + from ipaserver.install import certs +-from ipalib import Registry, errors ++from ipalib import Registry, errors, x509 + from ipalib import Updater + from ipapython import certdb + from ipapython.dn import DN +@@ -41,6 +41,10 @@ class update_upload_cacrt(Updater): + ca_enabled = self.api.Command.ca_is_enabled()['result'] + if ca_enabled: + ca_nickname = certdb.get_ca_nickname(self.api.env.realm) ++ ca_subject = certstore.get_ca_subject( ++ self.api.Backend.ldap2, ++ self.api.env.container_ca, ++ self.api.env.basedn) + else: + ca_nickname = None + server_certs = db.find_server_certs() +@@ -54,9 +58,18 @@ class update_upload_cacrt(Updater): + for nickname, trust_flags in db.list_certs(): + if trust_flags.has_key: + continue +- if nickname == ca_nickname and ca_enabled: +- trust_flags = certdb.IPA_CA_TRUST_FLAGS + cert = db.get_cert_from_db(nickname, pem=False) ++ subject = DN( ++ x509.load_certificate(cert, datatype=x509.DER).subject) ++ if ca_enabled and subject == ca_subject: ++ # When ca is enabled, we can have the IPA CA cert stored ++ # in the nss db with a different nickname (for instance ++ # when the server was installed with --subject to ++ # customize the CA cert subject), but it must always be ++ # stored in LDAP with the DN cn=$DOMAIN IPA CA ++ # This is why we check the subject instead of the nickname here ++ nickname = ca_nickname ++ trust_flags = certdb.IPA_CA_TRUST_FLAGS + trust, _ca, eku = certstore.trust_flags_to_key_policy(trust_flags) + + dn = DN(('cn', nickname), ('cn', 'certificates'), ('cn', 'ipa'), +-- +2.13.5 \ No newline at end of file diff --git a/SOURCES/0225-Fixing-how-sssd.conf-is-updated-when-promoting-a-cli.patch b/SOURCES/0225-Fixing-how-sssd.conf-is-updated-when-promoting-a-cli.patch new file mode 100644 index 0000000..28455ee --- /dev/null +++ b/SOURCES/0225-Fixing-how-sssd.conf-is-updated-when-promoting-a-cli.patch @@ -0,0 +1,92 @@ +From c8fcaa5dc792e7b87c8f21c7c322ddfabe219980 Mon Sep 17 00:00:00 2001 +From: Felipe Volpone +Date: Wed, 13 Sep 2017 09:26:41 -0300 +Subject: [PATCH] Fixing how sssd.conf is updated when promoting a client to + replica + +When promoting a client to a replica we have to change sssd.conf, +deleting _srv_ part from 'ipa_server' property and setting +'ipa_server_mode' to true. + +Previously, the wrong domain could be updated since the ipa_domain +variable was not being used properly. + +https://pagure.io/freeipa/issue/7127 + +Reviewed-By: Stanislav Laznicka +Reviewed-By: Alexander Bokovoy +Reviewed-By: Rob Crittenden +--- + ipaserver/install/server/replicainstall.py | 27 ++++++++++++--------------- + ipaserver/install/server/upgrade.py | 4 ++++ + 2 files changed, 16 insertions(+), 15 deletions(-) + +diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py +index 814925de152809808f726c60ae7f35a24bc32a4a..326daf708f091d9d2c56ad399e46aef659dbba2e 100644 +--- a/ipaserver/install/server/replicainstall.py ++++ b/ipaserver/install/server/replicainstall.py +@@ -432,30 +432,27 @@ def promote_sssd(host_name): + sssdconfig.import_config() + domains = sssdconfig.list_active_domains() + +- ipa_domain = None +- + for name in domains: + domain = sssdconfig.get_domain(name) + try: + hostname = domain.get_option('ipa_hostname') + if hostname == host_name: +- ipa_domain = domain ++ break + except SSSDConfig.NoOptionError: + continue +- +- if ipa_domain is None: +- raise RuntimeError("Couldn't find IPA domain in sssd.conf") + else: +- domain.set_option('ipa_server', host_name) +- domain.set_option('ipa_server_mode', True) +- sssdconfig.save_domain(domain) +- sssdconfig.write() ++ raise RuntimeError("Couldn't find IPA domain in sssd.conf") + +- sssd = services.service('sssd', api) +- try: +- sssd.restart() +- except CalledProcessError: +- root_logger.warning("SSSD service restart was unsuccessful.") ++ domain.set_option('ipa_server', host_name) ++ domain.set_option('ipa_server_mode', True) ++ sssdconfig.save_domain(domain) ++ sssdconfig.write() ++ ++ sssd = services.service('sssd', api) ++ try: ++ sssd.restart() ++ except CalledProcessError: ++ root_logger.warning("SSSD service restart was unsuccessful.") + + + def promote_openldap_conf(hostname, master): +diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py +index 732776f2cf513a4bb11d8f3f0dfaac78217e460f..109e922e3a3ea25f882fdd81765788a3881e87bd 100644 +--- a/ipaserver/install/server/upgrade.py ++++ b/ipaserver/install/server/upgrade.py +@@ -1816,11 +1816,15 @@ def upgrade_configuration(): + cainstance.ensure_ipa_authority_entry() + + set_sssd_domain_option('ipa_server_mode', 'True') ++ set_sssd_domain_option('ipa_server', api.env.host) + + sssdconfig = SSSDConfig.SSSDConfig() + sssdconfig.import_config() + sssd_enable_service(sssdconfig, 'ifp') + ++ sssd = services.service('sssd', api) ++ sssd.restart() ++ + krb = krbinstance.KrbInstance(fstore) + krb.fqdn = fqdn + krb.realm = api.env.realm +-- +2.13.5 \ No newline at end of file diff --git a/SOURCES/0226-Backport-4-5-Fix-ipa-server-upgrade-with-server-cert.patch b/SOURCES/0226-Backport-4-5-Fix-ipa-server-upgrade-with-server-cert.patch new file mode 100644 index 0000000..27b8c70 --- /dev/null +++ b/SOURCES/0226-Backport-4-5-Fix-ipa-server-upgrade-with-server-cert.patch @@ -0,0 +1,199 @@ +From 8c576e8c3640b84869abacc43a74aa250df5a8e9 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Tue, 5 Sep 2017 16:17:31 +0200 +Subject: [PATCH] Backport 4-5: Fix ipa-server-upgrade with server cert + tracking + +ipa-server-upgrade fails with Server-Cert not found, when trying to +track httpd/ldap server certificates. There are 2 issues in the upgrade: +- the certificates should be tracked only if they were issued by IPA CA +(it is possible to have CA configured but 3rd part certs) +- the certificate nickname can be different from Server-Cert + +The fix provides methods to find the server crt nickname for http and ldap, +and a method to check if the server certs are issued by IPA and need to be +tracked by certmonger. + +https://pagure.io/freeipa/issue/7141 + +Reviewed-By: Stanislav Laznicka +Reviewed-By: Fraser Tweedale +--- + ipaserver/install/certs.py | 27 ++++++++++++++++++++++ + ipaserver/install/dsinstance.py | 45 +++++++++++++++++++++++++++++++++---- + ipaserver/install/httpinstance.py | 16 ++++++++++--- + ipaserver/install/server/upgrade.py | 4 ++-- + 4 files changed, 83 insertions(+), 9 deletions(-) + +diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py +index 02c479d92511fcf4043e7d6798c85cf8256c3299..de96318db51b03f2515814d574cfebf1b242b6a6 100644 +--- a/ipaserver/install/certs.py ++++ b/ipaserver/install/certs.py +@@ -42,6 +42,7 @@ from ipapython.certdb import get_ca_nickname, find_cert_from_txt, NSSDatabase + from ipapython.dn import DN + from ipalib import pkcs10, x509, api + from ipalib.errors import CertificateOperationError ++from ipalib.install import certstore + from ipalib.text import _ + from ipaplatform.paths import paths + +@@ -669,6 +670,32 @@ class CertDB(object): + subject=host, + passwd_fname=self.passwd_fname) + ++ def is_ipa_issued_cert(self, api, nickname): ++ """ ++ Return True if the certificate contained in the CertDB with the ++ provided nickname has been issued by IPA. ++ ++ Note that this method can only be executed if api has been initialized ++ """ ++ # This method needs to compare the cert issuer (from the NSS DB ++ # and the subject from the CA (from LDAP), because nicknames are not ++ # always aligned. ++ ++ cacert_subject = certstore.get_ca_subject( ++ api.Backend.ldap2, ++ api.env.container_ca, ++ api.env.basedn) ++ ++ # The cert can be issued directly by IPA. In this case, the cert ++ # issuer is IPA CA subject. ++ cert = self.get_cert_from_db(nickname) ++ if cert is None: ++ raise RuntimeError("Could not find the cert %s in %s" ++ % (nickname, self.secdir)) ++ issuer = DN(x509.load_certificate(cert).issuer) ++ ++ return issuer == cacert_subject ++ + + class _CrossProcessLock(object): + _DATETIME_FORMAT = '%Y%m%d%H%M%S%f' +diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py +index 39248edb285ee4d792b4500d83d88b24f5732d10..c9db8ac28c3ca10539b745ca09f4d8aaece02e0c 100644 +--- a/ipaserver/install/dsinstance.py ++++ b/ipaserver/install/dsinstance.py +@@ -1028,22 +1028,59 @@ class DsInstance(service.Service): + root_logger.error( + 'Unable to restart DS instance %s: %s', ds_instance, e) + ++ def get_server_cert_nickname(self, serverid=None): ++ """ ++ Retrieve the nickname of the server cert used by dirsrv. ++ ++ The method directly reads the dse.ldif to find the attribute ++ nsSSLPersonalitySSL of cn=RSA,cn=encryption,cn=config because ++ LDAP is not always accessible when we need to get the nickname ++ (for instance during uninstall). ++ """ ++ if serverid is None: ++ serverid = self.get_state("serverid") ++ if serverid is not None: ++ dirname = config_dirname(serverid) ++ config_file = os.path.join(dirname, "dse.ldif") ++ rsa_dn = "cn=RSA,cn=encryption,cn=config" ++ with open(config_file, "r") as in_file: ++ parser = upgradeinstance.GetEntryFromLDIF( ++ in_file, ++ entries_dn=[rsa_dn]) ++ parser.parse() ++ try: ++ config_entry = parser.get_results()[rsa_dn] ++ nickname = config_entry["nsSSLPersonalitySSL"][0] ++ return nickname.decode('utf-8') ++ except (KeyError, IndexError): ++ root_logger.error("Unable to find server cert nickname in " ++ "%s", config_file) ++ ++ root_logger.debug("Falling back to nickname Server-Cert") ++ return 'Server-Cert' ++ + def stop_tracking_certificates(self, serverid=None): + if serverid is None: + serverid = self.get_state("serverid") + if not serverid is None: ++ nickname = self.get_server_cert_nickname(serverid) + # drop the trailing / off the config_dirname so the directory + # will match what is in certmonger + dirname = config_dirname(serverid)[:-1] + dsdb = certs.CertDB(self.realm, nssdir=dirname) +- dsdb.untrack_server_cert(self.nickname) ++ dsdb.untrack_server_cert(nickname) + + def start_tracking_certificates(self, serverid): ++ nickname = self.get_server_cert_nickname(serverid) + dirname = config_dirname(serverid)[:-1] + dsdb = certs.CertDB(self.realm, nssdir=dirname) +- dsdb.track_server_cert(self.nickname, self.principal, +- dsdb.passwd_fname, +- 'restart_dirsrv %s' % serverid) ++ if dsdb.is_ipa_issued_cert(api, nickname): ++ dsdb.track_server_cert(nickname, self.principal, ++ dsdb.passwd_fname, ++ 'restart_dirsrv %s' % serverid) ++ else: ++ root_logger.debug("Will not track DS server certificate %s as it " ++ "is not issued by IPA", nickname) + + # we could probably move this function into the service.Service + # class - it's very generic - all we need is a way to get an +diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py +index f637b97db8f21ddbc00c4f70e18e836d300b2f33..e55edebc5d4e45d7cb4cb66d28a270e6d6a56e33 100644 +--- a/ipaserver/install/httpinstance.py ++++ b/ipaserver/install/httpinstance.py +@@ -266,6 +266,11 @@ class HTTPInstance(service.Service): + installutils.set_directive( + paths.HTTPD_NSS_CONF, 'NSSNickname', quoted_nickname, quotes=False) + ++ def get_mod_nss_nickname(self): ++ cert = installutils.get_directive(paths.HTTPD_NSS_CONF, 'NSSNickname') ++ nickname = installutils.unquote_directive_value(cert, quote_char="'") ++ return nickname ++ + def set_mod_nss_protocol(self): + installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSProtocol', 'TLSv1.0,TLSv1.1,TLSv1.2', False) + +@@ -582,12 +587,17 @@ class HTTPInstance(service.Service): + + def stop_tracking_certificates(self): + db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +- db.untrack_server_cert(self.cert_nickname) ++ db.untrack_server_cert(self.get_mod_nss_nickname()) + + def start_tracking_certificates(self): + db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR) +- db.track_server_cert(self.cert_nickname, self.principal, +- db.passwd_fname, 'restart_httpd') ++ nickname = self.get_mod_nss_nickname() ++ if db.is_ipa_issued_cert(api, nickname): ++ db.track_server_cert(nickname, self.principal, ++ db.passwd_fname, 'restart_httpd') ++ else: ++ root_logger.debug("Will not track HTTP server cert %s as it is " ++ "not issued by IPA", nickname) + + def request_service_keytab(self): + super(HTTPInstance, self).request_service_keytab() +diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py +index 109e922e3a3ea25f882fdd81765788a3881e87bd..0947766c076251e7608241803d3a1eabee65ae11 100644 +--- a/ipaserver/install/server/upgrade.py ++++ b/ipaserver/install/server/upgrade.py +@@ -957,13 +957,13 @@ def certificate_renewal_update(ca, ds, http): + }, + { + 'cert-database': paths.HTTPD_ALIAS_DIR, +- 'cert-nickname': 'Server-Cert', ++ 'cert-nickname': http.get_mod_nss_nickname(), + 'ca': 'IPA', + 'cert-postsave-command': template % 'restart_httpd', + }, + { + 'cert-database': dsinstance.config_dirname(serverid), +- 'cert-nickname': 'Server-Cert', ++ 'cert-nickname': ds.get_server_cert_nickname(serverid), + 'ca': 'IPA', + 'cert-postsave-command': + '%s %s' % (template % 'restart_dirsrv', serverid), +-- +2.13.5 \ No newline at end of file diff --git a/SOURCES/0227-Always-check-peer-has-keys-before-connecting.patch b/SOURCES/0227-Always-check-peer-has-keys-before-connecting.patch new file mode 100644 index 0000000..684f4a0 --- /dev/null +++ b/SOURCES/0227-Always-check-peer-has-keys-before-connecting.patch @@ -0,0 +1,73 @@ +From 82e860ae81b9e34fc6a326be4183f37a21ac1564 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Fri, 23 Jun 2017 04:48:41 -0400 +Subject: [PATCH] Always check peer has keys before connecting + +When pulling the DM password we may have the same issues reported in +ticket #6838 for CA keys. +This commit makes sure we always check the peer has keys before any +client operation. + +Ticket #6838 + +Signed-off-by: Simo Sorce +Reviewed-By: Stanislav Laznicka +Reviewed-By: Michal Reznik +--- + ipaserver/install/custodiainstance.py | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py +index 390576bc0c0edfb7d8f8895eca9df30079526aa8..bc3cea7063dff183c85b4f6e8ced7567f691001d 100644 +--- a/ipaserver/install/custodiainstance.py ++++ b/ipaserver/install/custodiainstance.py +@@ -13,7 +13,6 @@ from ipaserver.install import ldapupdate + from ipaserver.install import sysupgrade + from base64 import b64decode + from jwcrypto.common import json_decode +-import functools + import shutil + import os + import stat +@@ -31,13 +30,6 @@ class CustodiaInstance(SimpleServiceInstance): + self.ldap_uri = None + self.fqdn = host_name + self.realm = realm +- self.__CustodiaClient = functools.partial( +- CustodiaClient, +- client_service='host@%s' % self.fqdn, +- keyfile=self.server_keys, +- keytab=paths.KRB5_KEYTAB, +- realm=realm, +- ) + + def __config_file(self): + template_file = os.path.basename(self.config_file) + '.template' +@@ -144,6 +136,14 @@ class CustodiaInstance(SimpleServiceInstance): + raise RuntimeError("Timed out trying to obtain keys.") + time.sleep(1) + ++ def __CustodiaClient(self, server): ++ # Before we attempt to fetch keys from this host, make sure our public ++ # keys have been replicated there. ++ self.__wait_keys(server) ++ ++ return CustodiaClient('host@%s' % self.fqdn, self.server_keys, ++ paths.KRB5_KEYTAB, server, realm=self.realm) ++ + def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): + # Fecth all needed certs one by one, then combine them in a single + # p12 file +@@ -151,10 +151,6 @@ class CustodiaInstance(SimpleServiceInstance): + prefix = data['prefix'] + certlist = data['list'] + +- # Before we attempt to fetch keys from this host, make sure our public +- # keys have been replicated there. +- self.__wait_keys(ca_host) +- + cli = self.__CustodiaClient(server=ca_host) + + # Temporary nssdb +-- +2.13.5 \ No newline at end of file diff --git a/SOURCES/0228-Make-sure-upgrade-also-checks-for-IPv6-stack.patch b/SOURCES/0228-Make-sure-upgrade-also-checks-for-IPv6-stack.patch new file mode 100644 index 0000000..600401d --- /dev/null +++ b/SOURCES/0228-Make-sure-upgrade-also-checks-for-IPv6-stack.patch @@ -0,0 +1,61 @@ +From 010f6405288b1ca519d684d85ca25ce86de60b66 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 19 Sep 2017 12:06:39 +0300 +Subject: [PATCH] Make sure upgrade also checks for IPv6 stack + + - Add check for IPv6 stack to upgrade process + - Change IPv6 checker to also check that localhost resolves to ::1 + +Part of fixes https://pagure.io/freeipa/issue/7083 + +Reviewed-By: Tomas Krizek +--- + ipaplatform/redhat/tasks.py | 19 ++++++++++++++++--- + ipaserver/install/server/upgrade.py | 1 + + 2 files changed, 17 insertions(+), 3 deletions(-) + +diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py +index 07efebab97eabcf2dc39bd345920a1c7be56e9f5..94d1863c5cc20ec6c2399f339ce19498976553bc 100644 +--- a/ipaplatform/redhat/tasks.py ++++ b/ipaplatform/redhat/tasks.py +@@ -153,9 +153,22 @@ class RedHatTaskNamespace(BaseTaskNamespace): + """ + if not os.path.exists(paths.IF_INET6): + raise RuntimeError( +- "IPv6 kernel module has to be enabled. If you do not wish to " +- "use IPv6, please disable it on the interfaces in " +- "sysctl.conf and enable the IPv6 kernel module.") ++ "IPv6 stack has to be enabled in the kernel and some " ++ "interface has to have ::1 address assigned. Typically " ++ "this is 'lo' interface. If you do not wish to use IPv6 " ++ "globally, disable it on the specific interfaces in " ++ "sysctl.conf except 'lo' interface.") ++ ++ try: ++ localhost6 = ipautil.CheckedIPAddress('::1', allow_loopback=True) ++ if localhost6.get_matching_interface() is None: ++ raise ValueError("no interface for ::1 address found") ++ except ValueError: ++ raise RuntimeError( ++ "IPv6 stack is enabled in the kernel but there is no " ++ "interface that has ::1 address assigned. Add ::1 address " ++ "resolution to 'lo' interface. You might need to enable IPv6 " ++ "on the interface 'lo' in sysctl.conf.") + + def restore_pre_ipa_client_configuration(self, fstore, statestore, + was_sssd_installed, +diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py +index 0947766c076251e7608241803d3a1eabee65ae11..1c4b2357d5d016b8a7501f46380d5e0a61dc21a0 100644 +--- a/ipaserver/install/server/upgrade.py ++++ b/ipaserver/install/server/upgrade.py +@@ -1860,6 +1860,7 @@ def upgrade_configuration(): + def upgrade_check(options): + try: + installutils.check_server_configuration() ++ tasks.check_ipv6_stack_enabled() + except RuntimeError as e: + root_logger.error(e) + sys.exit(1) +-- +2.13.5 + diff --git a/SOURCES/0229-control-logging-of-host_port_open-from-caller.patch b/SOURCES/0229-control-logging-of-host_port_open-from-caller.patch new file mode 100644 index 0000000..951e7c2 --- /dev/null +++ b/SOURCES/0229-control-logging-of-host_port_open-from-caller.patch @@ -0,0 +1,103 @@ +From fbaa55fbe8447745a20c99a68d62790f5dd5a0f7 Mon Sep 17 00:00:00 2001 +From: Petr Vobornik +Date: Thu, 3 Aug 2017 15:48:33 +0200 +Subject: [PATCH] control logging of host_port_open from caller + +host_port_open copied logging behavior of ipa-replica-conncheck utility +which doesn't make it much reusable. + +Now log level can be controlled from caller so other callers might use +other logging level without host_port_open guessing what was the +intention. + +https://pagure.io/freeipa/issue/7083 + +Reviewed-By: Tomas Krizek +--- + install/tools/ipa-replica-conncheck | 9 ++++++++- + ipapython/ipautil.py | 17 ++++++----------- + 2 files changed, 14 insertions(+), 12 deletions(-) + +diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck +index 528242268f9992e903781b76a379039d533853c0..f10b7e3d2f94540dba3956bf460c4b9f38da90da 100755 +--- a/install/tools/ipa-replica-conncheck ++++ b/install/tools/ipa-replica-conncheck +@@ -46,6 +46,8 @@ import distutils.spawn + from ipaplatform.paths import paths + import gssapi + from cryptography.hazmat.primitives import serialization ++import logging ++ + + CONNECT_TIMEOUT = 5 + RESPONDER = None +@@ -379,11 +381,16 @@ class PortResponder(threading.Thread): + def port_check(host, port_list): + ports_failed = [] + ports_udp_warning = [] # conncheck could not verify that port is open ++ log_level = { ++ SOCK_DGRAM: logging.WARNING, ++ SOCK_STREAM: logging.ERROR ++ } + for port in port_list: + try: + port_open = ipautil.host_port_open( + host, port.port, port.port_type, +- socket_timeout=CONNECT_TIMEOUT, log_errors=True) ++ socket_timeout=CONNECT_TIMEOUT, log_errors=True, ++ log_level=log_level[port.port_type]) + except socket.gaierror: + raise RuntimeError("Port check failed! Unable to resolve host name '%s'" % host) + if port_open: +diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py +index 5a6bf5a27d5a6e25c51fbaa6e2b1167652e2735d..e1e6e32b15559486caecb070627db82e14a57bdf 100644 +--- a/ipapython/ipautil.py ++++ b/ipapython/ipautil.py +@@ -42,6 +42,7 @@ from contextlib import contextmanager + import locale + import collections + from subprocess import CalledProcessError ++import logging + + from dns import resolver, reversename + from dns.exception import DNSException +@@ -948,7 +949,8 @@ def user_input(prompt, default = None, allow_empty = True): + + + def host_port_open(host, port, socket_type=socket.SOCK_STREAM, +- socket_timeout=None, log_errors=False): ++ socket_timeout=None, log_errors=False, ++ log_level=logging.DEBUG): + """ + host: either hostname or IP address; + if hostname is provided, port MUST be open on ALL resolved IPs +@@ -970,23 +972,16 @@ def host_port_open(host, port, socket_type=socket.SOCK_STREAM, + s.connect(sa) + + if socket_type == socket.SOCK_DGRAM: +- s.send('') ++ s.send(b'') + s.recv(512) + except socket.error: + port_open = False +- + if log_errors: +- msg = ('Failed to connect to port %(port)d %(proto)s on ' ++ msg = ('Failed to connect to port %(port)s %(proto)s on ' + '%(addr)s' % dict(port=port, + proto=PROTOCOL_NAMES[socket_type], + addr=sa[0])) +- +- # Do not log udp failures as errors (to be consistent with +- # the rest of the code that checks for open ports) +- if socket_type == socket.SOCK_DGRAM: +- root_logger.warning(msg) +- else: +- root_logger.error(msg) ++ root_logger.log(log_level, msg) + finally: + if s is not None: + s.close() +-- +2.13.5 + diff --git a/SOURCES/0230-log-progress-of-wait_for_open_ports.patch b/SOURCES/0230-log-progress-of-wait_for_open_ports.patch new file mode 100644 index 0000000..480be17 --- /dev/null +++ b/SOURCES/0230-log-progress-of-wait_for_open_ports.patch @@ -0,0 +1,44 @@ +From 647e23eb307e09597f355fb10abfd4c74a4b6f84 Mon Sep 17 00:00:00 2001 +From: Petr Vobornik +Date: Thu, 3 Aug 2017 16:03:29 +0200 +Subject: [PATCH] log progress of wait_for_open_ports + +To know what to focus on when some check fail. E.g. to detect that +IPv6 address or its resolution for localhost is misconfigured. + +https://pagure.io/freeipa/issue/7083 + +Reviewed-By: Tomas Krizek +--- + ipapython/ipautil.py | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py +index e1e6e32b15559486caecb070627db82e14a57bdf..59ea84da4ac667a39bdaa9a6fd7d87ab1b6e658d 100644 +--- a/ipapython/ipautil.py ++++ b/ipapython/ipautil.py +@@ -1213,15 +1213,20 @@ def wait_for_open_ports(host, ports, timeout=0): + op_timeout = time.time() + timeout + + for port in ports: ++ root_logger.debug('waiting for port: %s', port) ++ log_error = True + while True: +- port_open = host_port_open(host, port) ++ port_open = host_port_open(host, port, log_errors=log_error) ++ log_error = False # Log only first err so that the log is readable + + if port_open: ++ root_logger.debug('SUCCESS: port: %s', port) + break + if timeout and time.time() > op_timeout: # timeout exceeded + raise socket.timeout("Timeout exceeded") + time.sleep(1) + ++ + def wait_for_open_socket(socket_name, timeout=0): + """ + Wait until the specified socket on the local host is open. Timeout +-- +2.13.5 + diff --git a/SOURCES/0231-Store-help-in-Schema-before-writing-to-disk.patch b/SOURCES/0231-Store-help-in-Schema-before-writing-to-disk.patch new file mode 100644 index 0000000..b336e43 --- /dev/null +++ b/SOURCES/0231-Store-help-in-Schema-before-writing-to-disk.patch @@ -0,0 +1,39 @@ +From 5693c0fe6dfe998fa5ea3f86f477dc9dcbfab881 Mon Sep 17 00:00:00 2001 +From: David Kreitschmann +Date: Fri, 7 Apr 2017 18:22:25 +0200 +Subject: [PATCH] Store help in Schema before writing to disk + +Signed-off-by: David Kreitschmann +Reviewed-By: David Kupka +Reviewed-By: Martin Babinsky +Reviewed-By: David Kupka +Reviewed-By: Martin Babinsky +Reviewed-By: Rob Crittenden +--- + ipaclient/remote_plugins/schema.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ipaclient/remote_plugins/schema.py b/ipaclient/remote_plugins/schema.py +index 3ecd608f96e336df57739db380a00c2d95b2ece5..9b6668d26352a24d7249bac5e304277563ee450f 100644 +--- a/ipaclient/remote_plugins/schema.py ++++ b/ipaclient/remote_plugins/schema.py +@@ -383,6 +383,7 @@ class Schema(object): + + if fingerprint is None: + fingerprint, ttl = self._fetch(client, ignore_cache=read_failed) ++ self._help = self._generate_help(self._dict) + try: + self._write_schema(fingerprint) + except Exception as e: +@@ -498,7 +499,7 @@ class Schema(object): + + schema.writestr( + '_help', +- json.dumps(self._generate_help(self._dict)).encode('utf-8') ++ json.dumps(self._help).encode('utf-8') + ) + + def read_namespace_member(self, namespace, member): +-- +2.13.5 + diff --git a/SOURCES/0232-Disable-pylint-in-get_help-function-because-of-type-.patch b/SOURCES/0232-Disable-pylint-in-get_help-function-because-of-type-.patch new file mode 100644 index 0000000..6d97395 --- /dev/null +++ b/SOURCES/0232-Disable-pylint-in-get_help-function-because-of-type-.patch @@ -0,0 +1,33 @@ +From df9933a8cbc5c6cf4041709ed61c589adaae7a08 Mon Sep 17 00:00:00 2001 +From: David Kreitschmann +Date: Fri, 9 Jun 2017 17:59:35 +0200 +Subject: [PATCH] Disable pylint in get_help function because of type + confusion. + +Reviewed-By: David Kupka +Reviewed-By: Martin Babinsky +Reviewed-By: David Kupka +Reviewed-By: Martin Babinsky +Reviewed-By: Rob Crittenden +--- + ipaclient/remote_plugins/schema.py | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/ipaclient/remote_plugins/schema.py b/ipaclient/remote_plugins/schema.py +index 9b6668d26352a24d7249bac5e304277563ee450f..2892ab9ec7c6fb092ef470b7e5bd2b9c0760c2af 100644 +--- a/ipaclient/remote_plugins/schema.py ++++ b/ipaclient/remote_plugins/schema.py +@@ -516,7 +516,9 @@ class Schema(object): + + def get_help(self, namespace, member): + if isinstance(self._help, bytes): +- self._help = json.loads(self._help.decode('utf-8')) ++ self._help = json.loads( ++ self._help.decode('utf-8') # pylint: disable=no-member ++ ) + + return self._help[namespace][member] + +-- +2.13.5 + diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch index 3eb1df2..24c8cb4 100644 --- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch +++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch @@ -1,4 +1,4 @@ -From 27b4f549af4f55b95ff44b9c5a59b9174ab7ad2e Mon Sep 17 00:00:00 2001 +From 7a5799402ddfbe2704afa4449bb597f2feeea6c2 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 15:48:07 +0000 Subject: [PATCH] Change branding to IPA and Identity Management @@ -982,10 +982,10 @@ index dced253e7f039dc9d66466bf8bcd777e53919f54..2906cad2f4535a5f4aace1e24397314f print("This includes:") if setup_ca: diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 814925de152809808f726c60ae7f35a24bc32a4a..05f263cd2b1c6a7cd9d21b0d9a076d32d241ab96 100644 +index 326daf708f091d9d2c56ad399e46aef659dbba2e..0d3fc5a24dcd55aab420db4a6565809dbe8e70a9 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py -@@ -604,7 +604,7 @@ def check_domain_level_is_supported(current): +@@ -601,7 +601,7 @@ def check_domain_level_is_supported(current): above_upper_bound = current > constants.MAX_DOMAIN_LEVEL if under_lower_bound or above_upper_bound: @@ -995,5 +995,5 @@ index 814925de152809808f726c60ae7f35a24bc32a4a..05f263cd2b1c6a7cd9d21b0d9a076d32 "this domain. The Domain Level needs to be " "raised before installing a replica with " -- -2.9.4 +2.13.5 diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch index 3972454..f8d9079 100644 --- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch +++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch @@ -1,4 +1,4 @@ -From 85ac8d7f55b26f7d783844acbf942f5db99d0a37 Mon Sep 17 00:00:00 2001 +From 6013929e6ae2ea5cce4437281b3ee019b33ec151 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 16:07:15 +0000 Subject: [PATCH] Package copy-schema-to-ca.py @@ -40,5 +40,5 @@ index 62f79b28000b015edb66f4c39a270097ab3ed666..d876c5b385a250f3bd9c2689f9794ef7 -- -2.9.4 +2.13.5 diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch index 8f4863a..45987ae 100644 --- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch +++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch @@ -1,4 +1,4 @@ -From e419842024b0fc9a774988972fadcbaf4650c395 Mon Sep 17 00:00:00 2001 +From 3faf68ad37710c6650fdb12fc1b5751896a6e7e0 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 22 Jun 2016 13:53:46 +0200 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout" @@ -24,5 +24,5 @@ index 01bf9a4f97fc0cf197c0ad12743affa597b54911..d3389ec5d34dba6429986b1c2a6dfb21 WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py WSGIScriptReloading Off -- -2.9.4 +2.13.5 diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch index a532876..5707809 100644 --- a/SOURCES/1004-Remove-csrgen.patch +++ b/SOURCES/1004-Remove-csrgen.patch @@ -1,4 +1,4 @@ -From 12d2356795d64089ce2578031a1297d56c8048ce Mon Sep 17 00:00:00 2001 +From f0851afdf0abd516dcd707e6e3ec0086f09f6090 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 16 Mar 2017 09:44:21 +0000 Subject: [PATCH] Remove csrgen @@ -1662,5 +1662,5 @@ index 556f8e096976387d24057084c06d53bcb9998a69..00000000000000000000000000000000 - _script = generator.csr_script( - principal, {}, 'example', 'identity') -- -2.9.4 +2.13.5 diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch deleted file mode 100644 index 673cd2f..0000000 --- a/SOURCES/ipa-centos-branding.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 4fc5d6f..d96d62f 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -68,7 +68,7 @@ Name: ipa Version: %{IPA_VERSION} -Release: 21%{?dist}.1.2 +Release: 21%{?dist}.2.2 Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -76,10 +76,10 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source3: login-screen-logo.png -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source3: login-screen-logo.png +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -303,6 +303,19 @@ Patch0216: 0216-smart-card-advise-use-password-when-changing-trust-f.patch Patch0217: 0217-smart-card-advises-ensure-that-krb5-pkinit-is-instal.patch Patch0218: 0218-NULL-LDAP-context-in-call-to-ldap_search_ext_s-durin.patch Patch0219: 0219-Restore-old-version-of-caIPAserviceCert-for-upgrade-.patch +Patch0220: 0220-ipa-otptoken-import-Make-PBKDF2-refer-to-the-pkcs5-n.patch +Patch0221: 0221-Adds-whoami-DS-plugin-in-case-that-plugin-is-missing.patch +Patch0222: 0222-Fix-ipa-config-mod-ca-renewal-master.patch +Patch0223: 0223-Backport-PR-988-to-ipa-4-5-Fix-Certificate-renewal-w.patch +Patch0224: 0224-Backport-PR-1008-to-ipa-4-5-Fix-ipa-server-upgrade-T.patch +Patch0225: 0225-Fixing-how-sssd.conf-is-updated-when-promoting-a-cli.patch +Patch0226: 0226-Backport-4-5-Fix-ipa-server-upgrade-with-server-cert.patch +Patch0227: 0227-Always-check-peer-has-keys-before-connecting.patch +Patch0228: 0228-Make-sure-upgrade-also-checks-for-IPv6-stack.patch +Patch0229: 0229-control-logging-of-host_port_open-from-caller.patch +Patch0230: 0230-log-progress-of-wait_for_open_ports.patch +Patch0231: 0231-Store-help-in-Schema-before-writing-to-disk.patch +Patch0232: 0232-Disable-pylint-in-get_help-function-because-of-type-.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Package-copy-schema-to-ca.py.patch @@ -1104,10 +1117,10 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3 %endif # with_python3 # RHEL spec file only: START: Change branding to IPA and Identity Management -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE3 install/ui/images/login-screen-logo.png -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE3 install/ui/images/login-screen-logo.png +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management @@ -1131,8 +1144,7 @@ find \ %configure --with-vendor-suffix=-%{release} \ %{enable_server_option} \ %{with_ipatests_option} \ - %{linter_options} \ - --with-ipaplatform=rhel + %{linter_options} %make_build @@ -1856,11 +1868,41 @@ fi %changelog -* Wed Sep 06 2017 Johnny Hughes - 4.5.0-21.el7.centos.1.2 -- set ipaplatform to rhel for compatibilty for updates - -* Tue Sep 05 2017 CentOS Sources - 4.5.0-21.el7.centos.1.2 -- Roll in CentOS Branding +* Wed Sep 20 2017 Felipe Barreto - 4.5.0-21.el7.2.2 +- Resolves: #1493410 ipa-server-upgrade timeouts on wait_for_open ports + expecting IPA services listening on IPv6 ports + - Make sure upgrade also checks for IPv6 stack + - control logging of host_port_open from caller + - log progress of wait_for_open_ports +- Resolves: #1493411 ipa help command returns traceback when no cache + is present + - Store help in Schema before writing to disk + - Disable pylint in get_help function because of type confusion. + +* Tue Sep 19 2017 Felipe Barreto - 4.5.0-21.el7.2 +- Resolves: #1486794 - [ipa-replica-install] - 406 Client Error: Failed to + validate message: Incorrect number of results (0) searching forpublic + key for host + - Always check peer has keys before connecting +- Resolves: #1489300 - Unable to set ca renewal master on replica + - Fix ipa config-mod --ca-renewal-master +- Resolves: #1489815 - TypeError in renew_ca_cert prevents from swiching + back to self-signed CA + - Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca) +- Resolves: #1489817 - ipa-server-upgrade failes with "This entry already exists" + - Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists +- Resolves: #1490331 - FreeIPA/IdM installations which were upgraded from + versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and + thus startup of Web UI fails + - Adds whoami DS plugin in case that plugin is missing +- Resolves: #1491545 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 + - Fixing how sssd.conf is updated when promoting a client to replica +- Resolves: #1492616 - ipa-otptoken-import - XML file is missing PBKDF2 + parameters! + - ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace +- Resolves: #1493153 - Updating from RHEL 7.3 fails with Server-Cert not found + (ipa-server-upgrade) + - Backport 4-5: Fix ipa-server-upgrade with server cert tracking * Wed Aug 16 2017 Pavel Vomacka - 4.5.0-21.el7.1.2 - Fixing issues reported by Errata tool