diff --git a/SOURCES/0045-Add-nsds5ReplicaReleaseTimeout-to-replica-config.patch b/SOURCES/0045-Add-nsds5ReplicaReleaseTimeout-to-replica-config.patch new file mode 100644 index 0000000..7dea73f --- /dev/null +++ b/SOURCES/0045-Add-nsds5ReplicaReleaseTimeout-to-replica-config.patch @@ -0,0 +1,107 @@ +From 7076fd22e744fd51dbcc0c4e4a4089884a3dae48 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Wed, 11 Apr 2018 13:34:41 +0200 +Subject: [PATCH] Add nsds5ReplicaReleaseTimeout to replica config + +The nsds5ReplicaReleaseTimeout setting prevents the monopolization of +replicas during initial or busy master-master replication. 389-DS +documentation suggets a timeout of 60 seconds to improve convergence of +replicas. + +See: http://directory.fedoraproject.org/docs/389ds/design/repl-conv-design.html +Fixes: https://pagure.io/freeipa/issue/7488 +Signed-off-by: Christian Heimes +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Fraser Tweedale +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/install/replication.py | 21 ++++++++++++++++----- + ipaserver/install/server/upgrade.py | 17 +++++++++++++++++ + 2 files changed, 33 insertions(+), 5 deletions(-) + +diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py +index 3cd871e5df44398fd994504a3807a5648af5e048..e0055b792ce5b51fd411a7ea1f4316bb017984ba 100644 +--- a/ipaserver/install/replication.py ++++ b/ipaserver/install/replication.py +@@ -468,20 +468,30 @@ class ReplicationManager(object): + + try: + entry = conn.get_entry(dn) ++ except errors.NotFound: ++ pass ++ else: + managers = {DN(m) for m in entry.get('nsDS5ReplicaBindDN', [])} + ++ mods = [] + if replica_binddn not in managers: + # Add the new replication manager +- mod = [(ldap.MOD_ADD, 'nsDS5ReplicaBindDN', +- replica_binddn)] +- conn.modify_s(dn, mod) ++ mods.append( ++ (ldap.MOD_ADD, 'nsDS5ReplicaBindDN', replica_binddn) ++ ) ++ if 'nsds5replicareleasetimeout' not in entry: ++ # See https://pagure.io/freeipa/issue/7488 ++ mods.append( ++ (ldap.MOD_ADD, 'nsds5replicareleasetimeout', ['60']) ++ ) ++ ++ if mods: ++ conn.modify_s(dn, mods) + + self.set_replica_binddngroup(conn, entry) + + # replication is already configured + return +- except errors.NotFound: +- pass + + replica_type = self.get_replica_type() + +@@ -496,6 +506,7 @@ class ReplicationManager(object): + nsds5replicabinddn=[replica_binddn], + nsds5replicabinddngroup=[self.repl_man_group_dn], + nsds5replicabinddngroupcheckinterval=["60"], ++ nsds5replicareleasetimeout=["60"], + nsds5replicalegacyconsumer=["off"], + ) + conn.add_entry(entry) +diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py +index 62665d56ca0fb2c632f8ba135f8b6191a18b6aa1..62a75510ad331923f468c28908ea407789ec380c 100644 +--- a/ipaserver/install/server/upgrade.py ++++ b/ipaserver/install/server/upgrade.py +@@ -1565,6 +1565,19 @@ def disable_httpd_system_trust(http): + db.add_cert(cert, nickname, trust_flags) + + ++def update_replica_config(db_suffix): ++ dn = DN( ++ ('cn', 'replica'), ('cn', db_suffix), ('cn', 'mapping tree'), ++ ('cn', 'config') ++ ) ++ entry = api.Backend.ldap2.get_entry(dn) ++ if 'nsds5replicareleasetimeout' not in entry: ++ # See https://pagure.io/freeipa/issue/7488 ++ root_logger.info("Adding nsds5replicaReleaseTimeout=60 to %s", dn) ++ entry['nsds5replicareleasetimeout'] = '60' ++ api.Backend.ldap2.update_entry(entry) ++ ++ + def upgrade_configuration(): + """ + Execute configuration upgrade of the IPA services +@@ -1681,6 +1694,10 @@ def upgrade_configuration(): + + ds.configure_dirsrv_ccache() + ++ update_replica_config(ipautil.realm_to_suffix(api.env.realm)) ++ if ca.is_configured(): ++ update_replica_config(DN(('o', 'ipaca'))) ++ + ntpinstance.ntp_ldap_enable(api.env.host, api.env.basedn, api.env.realm) + + ds.stop(ds_serverid) +-- +2.14.3 + diff --git a/SOURCES/0046-Fix-upgrade-update_replica_config-in-single-master-m.patch b/SOURCES/0046-Fix-upgrade-update_replica_config-in-single-master-m.patch new file mode 100644 index 0000000..78b5617 --- /dev/null +++ b/SOURCES/0046-Fix-upgrade-update_replica_config-in-single-master-m.patch @@ -0,0 +1,39 @@ +From 6d868b2dd17ada072553c8d7440ee6fbd95a052a Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Mon, 16 Apr 2018 16:02:03 +1000 +Subject: [PATCH] Fix upgrade (update_replica_config) in single master mode + +Commit afc0d4b62d043cd568ce87400f60e8fa8273495f added an upgrade +step that add an attribute to a replica config entry. The entry +only exists after a replica has been added, so upgrade was broken +for standalone server. Catch and suppress the NotFound error. + +Related to: https://pagure.io/freeipa/issue/7488 + +Reviewed-By: Christian Heimes +Reviewed-By: Fraser Tweedale +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/install/server/upgrade.py | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py +index 62a75510ad331923f468c28908ea407789ec380c..c55242a4af990c3218d8451fac7b082066a23be3 100644 +--- a/ipaserver/install/server/upgrade.py ++++ b/ipaserver/install/server/upgrade.py +@@ -1570,7 +1570,11 @@ def update_replica_config(db_suffix): + ('cn', 'replica'), ('cn', db_suffix), ('cn', 'mapping tree'), + ('cn', 'config') + ) +- entry = api.Backend.ldap2.get_entry(dn) ++ try: ++ entry = api.Backend.ldap2.get_entry(dn) ++ except ipalib.errors.NotFound: ++ return # entry does not exist until a replica is installed ++ + if 'nsds5replicareleasetimeout' not in entry: + # See https://pagure.io/freeipa/issue/7488 + root_logger.info("Adding nsds5replicaReleaseTimeout=60 to %s", dn) +-- +2.14.3 + diff --git a/SOURCES/0047-Use-single-Custodia-instance-in-installers.patch b/SOURCES/0047-Use-single-Custodia-instance-in-installers.patch new file mode 100644 index 0000000..6ff3f36 --- /dev/null +++ b/SOURCES/0047-Use-single-Custodia-instance-in-installers.patch @@ -0,0 +1,620 @@ +From 11e597217fe6f1dcee3a918eef0bc3a0d2928e6d Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Thu, 26 Apr 2018 12:06:36 +0200 +Subject: [PATCH] Use single Custodia instance in installers + +Installers now pass a single CustodiaInstance object around, instead of +creating new instances on demand. In case of replica promotion with CA, +the instance gets all secrets from a master with CA present. Before, an +installer created multiple instances and may have requested CA key +material from a different machine than DM password hash. + +In case of Domain Level 1 and replica promotion, the CustodiaInstance no +longer adds the keys to the local instance and waits for replication to +other replica. Instead the installer directly uploads the new public +keys to the remote 389-DS instance. + +Without promotion, new Custodia public keys are still added to local +389-DS over LDAPI. + +Fixes: https://pagure.io/freeipa/issue/7518 +Signed-off-by: Christian Heimes +Reviewed-By: Simo Sorce +Reviewed-By: Simo Sorce +--- + install/tools/ipa-ca-install | 13 ++- + ipaserver/install/ca.py | 26 +++-- + ipaserver/install/cainstance.py | 9 +- + ipaserver/install/custodiainstance.py | 150 ++++++++++++++++++++++------- + ipaserver/install/ipa_kra_install.py | 10 +- + ipaserver/install/kra.py | 6 +- + ipaserver/install/server/install.py | 14 +-- + ipaserver/install/server/replicainstall.py | 15 +-- + 8 files changed, 165 insertions(+), 78 deletions(-) + +diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install +index f84b4749a3e2a80aca002a2aa057b200e6187f18..a3694007e5815d1c44f642057c749879d336dfc5 100755 +--- a/install/tools/ipa-ca-install ++++ b/install/tools/ipa-ca-install +@@ -31,6 +31,7 @@ from ipaserver.install.installutils import create_replica_config + from ipaserver.install.installutils import check_creds, ReplicaConfig + from ipaserver.install import dsinstance, ca + from ipaserver.install import cainstance, service ++from ipaserver.install import custodiainstance + from ipapython import version + from ipalib import api + from ipalib.constants import DOMAIN_LEVEL_0 +@@ -193,13 +194,17 @@ def install_replica(safe_options, options, filename): + options.domain_name = config.domain_name + options.dm_password = config.dirman_password + options.host_name = config.host_name ++ options.ca_host_name = config.ca_host_name + if os.path.exists(cafile): + options.ca_cert_file = cafile + else: + options.ca_cert_file = None + + ca.install_check(True, config, options) +- ca.install(True, config, options) ++ ++ custodia = custodiainstance.get_custodia_instance( ++ options, custodiainstance.CustodiaModes.CA_PEER) ++ ca.install(True, config, options, custodia=custodia) + + + def install_master(safe_options, options): +@@ -228,7 +233,11 @@ def install_master(safe_options, options): + sys.exit("CA subject: {}".format(e.message)) + + ca.install_check(True, None, options) +- ca.install(True, None, options) ++ ++ # No CA peer available yet. ++ custodia = custodiainstance.get_custodia_instance( ++ options, custodiainstance.CustodiaModes.STANDALONE) ++ ca.install(True, None, options, custodia=custodia) + + + def install(safe_options, options, filename): +diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py +index 52cb20f1cb3612394544a6a41f10e9e939bc0657..2ac4382ccd24d217832950b94baddd113f7a8930 100644 +--- a/ipaserver/install/ca.py ++++ b/ipaserver/install/ca.py +@@ -19,10 +19,7 @@ from ipalib.install.service import enroll_only, master_install_only, replica_ins + from ipaserver.install import sysupgrade + from ipapython.install import typing + from ipapython.install.core import group, knob, extend_knob +-from ipaserver.install import (cainstance, +- custodiainstance, +- dsinstance, +- bindinstance) ++from ipaserver.install import cainstance, bindinstance, dsinstance + from ipapython import ipautil, certdb + from ipapython.admintool import ScriptError + from ipaplatform import services +@@ -201,12 +198,12 @@ def install_check(standalone, replica_config, options): + "cannot continue." % (subject, db.secdir)) + + +-def install(standalone, replica_config, options): +- install_step_0(standalone, replica_config, options) +- install_step_1(standalone, replica_config, options) ++def install(standalone, replica_config, options, custodia): ++ install_step_0(standalone, replica_config, options, custodia=custodia) ++ install_step_1(standalone, replica_config, options, custodia=custodia) + + +-def install_step_0(standalone, replica_config, options): ++def install_step_0(standalone, replica_config, options, custodia): + realm_name = options.realm_name + dm_password = options.dm_password + host_name = options.host_name +@@ -237,9 +234,6 @@ def install_step_0(standalone, replica_config, options): + else: + cafile = os.path.join(replica_config.dir, 'cacert.p12') + if options.promote: +- custodia = custodiainstance.CustodiaInstance( +- replica_config.host_name, +- replica_config.realm_name) + custodia.get_ca_keys( + replica_config.ca_host_name, + cafile, +@@ -266,7 +260,9 @@ def install_step_0(standalone, replica_config, options): + 'certmap.conf', 'subject_base', str(subject_base)) + dsinstance.write_certmap_conf(realm_name, ca_subject) + +- ca = cainstance.CAInstance(realm_name, host_name=host_name) ++ ca = cainstance.CAInstance( ++ realm=realm_name, host_name=host_name, custodia=custodia ++ ) + ca.configure_instance(host_name, dm_password, dm_password, + subject_base=subject_base, + ca_subject=ca_subject, +@@ -284,7 +280,7 @@ def install_step_0(standalone, replica_config, options): + use_ldaps=standalone) + + +-def install_step_1(standalone, replica_config, options): ++def install_step_1(standalone, replica_config, options, custodia): + if replica_config is not None and not replica_config.setup_ca: + return + +@@ -293,7 +289,9 @@ def install_step_1(standalone, replica_config, options): + subject_base = options._subject_base + basedn = ipautil.realm_to_suffix(realm_name) + +- ca = cainstance.CAInstance(realm_name, host_name=host_name) ++ ca = cainstance.CAInstance( ++ realm=realm_name, host_name=host_name, custodia=custodia ++ ) + + ca.stop('pki-tomcat') + +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index 20635eae22268ff72de73b8b9c430050114bb45b..eefc30b6e01dcf744703b8607cbe169fbec5d859 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -59,7 +59,6 @@ from ipapython.ipa_log_manager import log_mgr,\ + from ipaserver.secrets.kem import IPAKEMKeys + + from ipaserver.install import certs +-from ipaserver.install import custodiainstance + from ipaserver.install import dsinstance + from ipaserver.install import installutils + from ipaserver.install import ldapupdate +@@ -285,7 +284,7 @@ class CAInstance(DogtagInstance): + 'caSigningCert cert-pki-ca') + server_cert_name = 'Server-Cert cert-pki-ca' + +- def __init__(self, realm=None, host_name=None): ++ def __init__(self, realm=None, host_name=None, custodia=None): + super(CAInstance, self).__init__( + realm=realm, + subsystem="CA", +@@ -310,6 +309,8 @@ class CAInstance(DogtagInstance): + self.no_db_setup = False + self.keytab = os.path.join( + paths.PKI_TOMCAT, self.service_prefix + '.keytab') ++ # Custodia instance for RA key retrieval ++ self._custodia = custodia + + def configure_instance(self, host_name, dm_password, admin_password, + pkcs12_info=None, master_host=None, csr_file=None, +@@ -711,9 +712,7 @@ class CAInstance(DogtagInstance): + self.configure_agent_renewal() + + def __import_ra_key(self): +- custodia = custodiainstance.CustodiaInstance(host_name=self.fqdn, +- realm=self.realm) +- custodia.import_ra_key(self.master_host) ++ self._custodia.import_ra_key(self.master_host) + self.__set_ra_cert_perms() + + self.configure_agent_renewal() +diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py +index 0a90bb3954486b9773e3553e9981d2a8d0d4e44a..262ae5857c64719ff5cebde31b4b107e1245d458 100644 +--- a/ipaserver/install/custodiainstance.py ++++ b/ipaserver/install/custodiainstance.py +@@ -1,5 +1,9 @@ + # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license. + ++from __future__ import print_function, absolute_import ++ ++import enum ++ + from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap + from ipaserver.secrets.client import CustodiaClient + from ipaplatform.paths import paths +@@ -21,12 +25,84 @@ import time + import pwd + + ++class CustodiaModes(enum.Enum): ++ # peer must have a CA ++ CA_PEER = 'Custodia CA peer' ++ # peer must have a CA, KRA preferred ++ KRA_PEER = 'Custodia KRA peer' ++ # any master will do ++ MASTER_PEER = 'Custodia master peer' ++ # standalone / local instance ++ STANDALONE = 'Custodia standalone' ++ ++ ++def get_custodia_instance(config, mode): ++ """Create Custodia instance ++ ++ :param config: configuration/installer object ++ :param mode: CustodiaModes member ++ :return: CustodiaInstance object ++ ++ The config object must have the following attribute ++ ++ *host_name* ++ FQDN of the new replica/master ++ *realm_name* ++ Kerberos realm ++ *promote* ++ True, when instance will be promoted from client to replica ++ *master_host_name* (for *CustodiaModes.MASTER_PEER*) ++ hostname of a master (may not have a CA) ++ *ca_host_name* (for *CustodiaModes.CA_PEER*) ++ hostname of a master with CA ++ *kra_host_name* (for *CustodiaModes.KRA_PEER*) ++ hostname of a master with KRA or CA ++ ++ For promotion, the instance will upload new keys and retrieve secrets ++ from the same host. Therefore it uses *ca_host_name* instead of ++ *master_host_name* to create a replica with CA. ++ """ ++ assert isinstance(mode, CustodiaModes) ++ root_logger.info( ++ "Custodia client for '%r' with promotion %s.", ++ mode, 'yes' if config.promote else 'no' ++ ) ++ if config.promote: ++ if mode == CustodiaModes.CA_PEER: ++ # In case we install replica with CA, prefer CA host as source for ++ # all Custodia secret material. ++ custodia_master = config.ca_host_name ++ elif mode == CustodiaModes.KRA_PEER: ++ custodia_master = config.kra_host_name ++ elif mode == CustodiaModes.MASTER_PEER: ++ custodia_master = config.master_host_name ++ elif mode == CustodiaModes.STANDALONE: ++ custodia_master = None ++ else: ++ custodia_master = None ++ ++ if custodia_master is None: ++ # use ldapi with local dirsrv instance ++ root_logger.info("Custodia uses LDAPI.") ++ ldap_uri = None ++ else: ++ root_logger.info("Custodia uses '%s' as master peer.", ++ custodia_master) ++ ldap_uri = 'ldap://{}'.format(custodia_master) ++ ++ return CustodiaInstance( ++ host_name=config.host_name, ++ realm=config.realm_name, ++ ldap_uri=ldap_uri ++ ) ++ ++ + class CustodiaInstance(SimpleServiceInstance): +- def __init__(self, host_name=None, realm=None): ++ def __init__(self, host_name=None, realm=None, ldap_uri=None): + super(CustodiaInstance, self).__init__("ipa-custodia") + self.config_file = paths.IPA_CUSTODIA_CONF + self.server_keys = paths.IPA_CUSTODIA_KEYS +- self.ldap_uri = None ++ self.ldap_uri = ldap_uri + self.fqdn = host_name + self.realm = realm + +@@ -49,14 +125,19 @@ class CustodiaInstance(SimpleServiceInstance): + ipautil.flush_sync(f) + + def create_instance(self): +- suffix = ipautil.realm_to_suffix(self.realm) ++ if self.ldap_uri is None or self.ldap_uri.startswith('ldapi://'): ++ # local case, ensure container exists ++ self.step("Making sure custodia container exists", ++ self.__create_container) ++ + self.step("Generating ipa-custodia config file", self.__config_file) +- self.step("Making sure custodia container exists", self.__create_container) + self.step("Generating ipa-custodia keys", self.__gen_keys) +- super(CustodiaInstance, self).create_instance(gensvc_name='KEYS', +- fqdn=self.fqdn, +- ldap_suffix=suffix, +- realm=self.realm) ++ super(CustodiaInstance, self).create_instance( ++ gensvc_name='KEYS', ++ fqdn=self.fqdn, ++ ldap_suffix=ipautil.realm_to_suffix(self.realm), ++ realm=self.realm ++ ) + sysupgrade.set_upgrade_state('custodia', 'installed', True) + + def __gen_keys(self): +@@ -81,18 +162,6 @@ class CustodiaInstance(SimpleServiceInstance): + root_logger.info("Secure server.keys mode") + os.chmod(self.server_keys, 0o600) + +- def create_replica(self, master_host_name): +- suffix = ipautil.realm_to_suffix(self.realm) +- self.ldap_uri = 'ldap://%s' % master_host_name +- self.master_host_name = master_host_name +- +- self.step("Generating ipa-custodia config file", self.__config_file) +- self.step("Generating ipa-custodia keys", self.__gen_keys) +- super(CustodiaInstance, self).create_instance(gensvc_name='KEYS', +- fqdn=self.fqdn, +- ldap_suffix=suffix, +- realm=self.realm) +- + def __create_container(self): + """ + Runs the custodia update file to ensure custodia container is present. +@@ -106,7 +175,7 @@ class CustodiaInstance(SimpleServiceInstance): + updater.update([os.path.join(paths.UPDATES_DIR, '73-custodia.update')]) + + def import_ra_key(self, master_host_name): +- cli = self.__CustodiaClient(server=master_host_name) ++ cli = self._get_custodia_client(server=master_host_name) + # please note that ipaCert part has to stay here for historical + # reasons (old servers expect you to ask for ra/ipaCert during + # replication as they store the RA agent cert in an NSS database +@@ -114,14 +183,14 @@ class CustodiaInstance(SimpleServiceInstance): + cli.fetch_key('ra/ipaCert') + + def import_dm_password(self, master_host_name): +- cli = self.__CustodiaClient(server=master_host_name) ++ cli = self._get_custodia_client(server=master_host_name) + cli.fetch_key('dm/DMHash') + +- def __wait_keys(self, host, timeout=300): ++ def _wait_keys(self, host, timeout=300): + ldap_uri = 'ldap://%s' % host + deadline = int(time.time()) + timeout +- root_logger.info("Waiting up to {} seconds to see our keys " +- "appear on host: {}".format(timeout, host)) ++ root_logger.info("Waiting up to %s seconds to see our keys " ++ "appear on host: %s", timeout, host) + + konn = KEMLdap(ldap_uri) + saved_e = None +@@ -129,6 +198,12 @@ class CustodiaInstance(SimpleServiceInstance): + try: + return konn.check_host_keys(self.fqdn) + except Exception as e: ++ # Print message to console only once for first error. ++ if saved_e is None: ++ # FIXME: Change once there's better way to show this ++ # message in installer output, ++ print(" Waiting for keys to appear on host: {}, please " ++ "wait until this has completed.".format(host)) + # log only once for the same error + if not isinstance(e, type(saved_e)): + root_logger.debug( +@@ -138,22 +213,23 @@ class CustodiaInstance(SimpleServiceInstance): + raise RuntimeError("Timed out trying to obtain keys.") + time.sleep(1) + +- def __CustodiaClient(self, server): ++ def _get_custodia_client(self, server): + # Before we attempt to fetch keys from this host, make sure our public + # keys have been replicated there. +- self.__wait_keys(server) +- +- return CustodiaClient('host@%s' % self.fqdn, self.server_keys, +- paths.KRB5_KEYTAB, server, realm=self.realm) ++ self._wait_keys(server) + +- def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): +- # Fecth all needed certs one by one, then combine them in a single +- # p12 file ++ return CustodiaClient( ++ client_service='host@{}'.format(self.fqdn), ++ keyfile=self.server_keys, keytab=paths.KRB5_KEYTAB, ++ server=server, realm=self.realm ++ ) + ++ def _get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): ++ # Fetch all needed certs one by one, then combine them in a single ++ # PKCS12 file + prefix = data['prefix'] + certlist = data['list'] +- +- cli = self.__CustodiaClient(server=ca_host) ++ cli = self._get_custodia_client(server=ca_host) + + # Temporary nssdb + tmpnssdir = tempfile.mkdtemp(dir=paths.TMP) +@@ -203,7 +279,7 @@ class CustodiaInstance(SimpleServiceInstance): + 'subsystemCert cert-pki-ca'] + data = {'prefix': 'ca', + 'list': certlist} +- self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data) ++ self._get_keys(ca_host, cacerts_file, cacerts_pwd, data) + + def get_kra_keys(self, ca_host, cacerts_file, cacerts_pwd): + certlist = ['auditSigningCert cert-pki-kra', +@@ -212,7 +288,7 @@ class CustodiaInstance(SimpleServiceInstance): + 'transportCert cert-pki-kra'] + data = {'prefix': 'ca', + 'list': certlist} +- self.__get_keys(ca_host, cacerts_file, cacerts_pwd, data) ++ self._get_keys(ca_host, cacerts_file, cacerts_pwd, data) + + def __start(self): + super(CustodiaInstance, self).__start() +diff --git a/ipaserver/install/ipa_kra_install.py b/ipaserver/install/ipa_kra_install.py +index 3e08f4da94651b49876e1427daddbd957f0027ae..9ebabe057513141ee76d238a3f20e76a27dd932e 100644 +--- a/ipaserver/install/ipa_kra_install.py ++++ b/ipaserver/install/ipa_kra_install.py +@@ -32,6 +32,7 @@ from ipapython import admintool + from ipapython import ipautil + from ipaserver.install import service + from ipaserver.install import cainstance ++from ipaserver.install import custodiainstance + from ipaserver.install import krainstance + from ipaserver.install import dsinstance + from ipaserver.install import installutils +@@ -176,7 +177,6 @@ class KRAInstaller(KRAInstall): + + api.Backend.ldap2.connect() + +- config = None + if self.installing_replica: + if self.options.promote: + config = ReplicaConfig() +@@ -196,6 +196,7 @@ class KRAInstaller(KRAInstall): + config.kra_host_name = config.master_host_name + + config.setup_kra = True ++ config.promote = self.options.promote + + if config.subject_base is None: + attrs = api.Backend.ldap2.get_ipa_config() +@@ -204,6 +205,11 @@ class KRAInstaller(KRAInstall): + if config.kra_host_name is None: + config.kra_host_name = service.find_providing_server( + 'KRA', api.Backend.ldap2, api.env.ca_host) ++ custodia = custodiainstance.get_custodia_instance( ++ config, custodiainstance.CustodiaModes.KRA_PEER) ++ else: ++ config = None ++ custodia = None + + try: + kra.install_check(api, config, self.options) +@@ -213,7 +219,7 @@ class KRAInstaller(KRAInstall): + print(dedent(self.INSTALLER_START_MESSAGE)) + + try: +- kra.install(api, config, self.options) ++ kra.install(api, config, self.options, custodia=custodia) + except: + self.log.error(dedent(self.FAIL_MESSAGE)) + raise +diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py +index 3545b301a977f4b7e7801ca1ef87d594bb3ba54f..3333970e8af9e36d6b7614286cc1e774f6eb9b25 100644 +--- a/ipaserver/install/kra.py ++++ b/ipaserver/install/kra.py +@@ -16,7 +16,6 @@ from ipaplatform.paths import paths + from ipapython import certdb + from ipapython import ipautil + from ipapython.install.core import group +-from ipaserver.install import custodiainstance + from ipaserver.install import cainstance + from ipaserver.install import krainstance + from ipaserver.install import dsinstance +@@ -68,7 +67,7 @@ def install_check(api, replica_config, options): + "new replica file.") + + +-def install(api, replica_config, options): ++def install(api, replica_config, options, custodia): + if replica_config is None: + if not options.setup_kra: + return +@@ -91,9 +90,6 @@ def install(api, replica_config, options): + 'host/{env.host}@{env.realm}'.format(env=api.env), + paths.KRB5_KEYTAB, + ccache) +- custodia = custodiainstance.CustodiaInstance( +- replica_config.host_name, +- replica_config.realm_name) + custodia.get_kra_keys( + replica_config.kra_host_name, + krafile, +diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py +index 422474fa915b4876530f304ef9424f6b31cf26cc..f4338ed0428f7f44decd004f6a183258bef7f795 100644 +--- a/ipaserver/install/server/install.py ++++ b/ipaserver/install/server/install.py +@@ -709,6 +709,7 @@ def install(installer): + host_name = options.host_name + ip_addresses = options.ip_addresses + setup_ca = options.setup_ca ++ options.promote = False # first master, no promotion + + # Installation has started. No IPA sysrestore items are restored in case of + # failure to enable root cause investigation +@@ -789,6 +790,10 @@ def install(installer): + setup_pkinit=not options.no_pkinit, + subject_base=options.subject_base) + ++ custodia = custodiainstance.get_custodia_instance( ++ options, custodiainstance.CustodiaModes.MASTER_PEER) ++ custodia.create_instance() ++ + if setup_ca: + if not options.external_cert_files and options.external_ca: + # stage 1 of external CA installation +@@ -803,7 +808,7 @@ def install(installer): + if n in options.__dict__} + write_cache(cache_vars) + +- ca.install_step_0(False, None, options) ++ ca.install_step_0(False, None, options, custodia=custodia) + else: + # Put the CA cert where other instances expect it + x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT) +@@ -823,15 +828,12 @@ def install(installer): + ds.enable_ssl() + + if setup_ca: +- ca.install_step_1(False, None, options) ++ ca.install_step_1(False, None, options, custodia=custodia) + + otpd = otpdinstance.OtpdInstance() + otpd.create_instance('OTPD', host_name, + ipautil.realm_to_suffix(realm_name)) + +- custodia = custodiainstance.CustodiaInstance(host_name, realm_name) +- custodia.create_instance() +- + # Create a HTTP instance + http = httpinstance.HTTPInstance(fstore) + if options.http_cert_files: +@@ -863,7 +865,7 @@ def install(installer): + krb.restart() + + if options.setup_kra: +- kra.install(api, None, options) ++ kra.install(api, None, options, custodia=custodia) + + if options.setup_dns: + dns.install(False, False, options) +diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py +index 42e4615ad2dc1f604f5d8d14f8e57e3e4674bcb9..2ecc0abe0c5918cf5aefccc1bd6f09e70503baab 100644 +--- a/ipaserver/install/server/replicainstall.py ++++ b/ipaserver/install/server/replicainstall.py +@@ -1357,6 +1357,7 @@ def install(installer): + fstore = installer._fstore + sstore = installer._sstore + config = installer._config ++ config.promote = installer.promote + promote = installer.promote + cafile = installer._ca_file + dirsrv_pkcs12_info = installer._dirsrv_pkcs12_info +@@ -1483,19 +1484,19 @@ def install(installer): + otpd.create_instance('OTPD', config.host_name, + ipautil.realm_to_suffix(config.realm_name)) + +- custodia = custodiainstance.CustodiaInstance(config.host_name, +- config.realm_name) +- if promote: +- custodia.create_replica(config.master_host_name) ++ if ca_enabled: ++ mode = custodiainstance.CustodiaModes.CA_PEER + else: +- custodia.create_instance() ++ mode = custodiainstance.CustodiaModes.MASTER_PEER ++ custodia = custodiainstance.get_custodia_instance(config, mode) ++ custodia.create_instance() + + if ca_enabled: + options.realm_name = config.realm_name + options.domain_name = config.domain_name + options.host_name = config.host_name + options.dm_password = config.dirman_password +- ca.install(False, config, options) ++ ca.install(False, config, options, custodia=custodia) + + # configure PKINIT now that all required services are in place + krb.enable_ssl() +@@ -1505,7 +1506,7 @@ def install(installer): + ds.apply_updates() + + if kra_enabled: +- kra.install(api, config, options) ++ kra.install(api, config, options, custodia=custodia) + + service.print_msg("Restarting the KDC") + krb.restart() +-- +2.14.3 + diff --git a/SOURCES/0048-Don-t-try-to-backup-CS.cfg-during-upgrade-if-CA-is-n.patch b/SOURCES/0048-Don-t-try-to-backup-CS.cfg-during-upgrade-if-CA-is-n.patch new file mode 100644 index 0000000..cd44943 --- /dev/null +++ b/SOURCES/0048-Don-t-try-to-backup-CS.cfg-during-upgrade-if-CA-is-n.patch @@ -0,0 +1,33 @@ +From 56326828c7ccf75bd867330606c83a621affab9a Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 26 Feb 2018 16:13:58 -0500 +Subject: [PATCH] Don't try to backup CS.cfg during upgrade if CA is not + configured + +https://pagure.io/freeipa/issue/7409 + +Signed-off-by: Rob Crittenden +Reviewed-By: Fraser Tweedale +Reviewed-By: Alexander Bokovoy +Reviewed-By: Fraser Tweedale +--- + ipaserver/install/server/upgrade.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py +index c55242a4af990c3218d8451fac7b082066a23be3..bf603acb5f931a4194320795874859f5bdc94647 100644 +--- a/ipaserver/install/server/upgrade.py ++++ b/ipaserver/install/server/upgrade.py +@@ -1630,7 +1630,8 @@ def upgrade_configuration(): + + with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'): + # Dogtag must be stopped to be able to backup CS.cfg config +- ca.backup_config() ++ if ca.is_configured(): ++ ca.backup_config() + + # migrate CRL publish dir before the location in ipa.conf is updated + ca_restart = migrate_crl_publish_dir(ca) +-- +2.14.3 + diff --git a/SOURCES/0049-Use-one-Custodia-peer-to-retrieve-all-secrets.patch b/SOURCES/0049-Use-one-Custodia-peer-to-retrieve-all-secrets.patch new file mode 100644 index 0000000..44a243a --- /dev/null +++ b/SOURCES/0049-Use-one-Custodia-peer-to-retrieve-all-secrets.patch @@ -0,0 +1,270 @@ +From d3c09a6de06d8ae19d05c0b96cb9c2a5b789b472 Mon Sep 17 00:00:00 2001 +From: Christian Heimes +Date: Thu, 7 Jun 2018 18:17:20 +0200 +Subject: [PATCH] Use one Custodia peer to retrieve all secrets + +Fix 994f71ac8a1bb7ba6bc9caf0f6e4f59af44ad9c4 was incomplete. Under some +circumstancs the DM hash and CA keys were still retrieved from two different +machines. + +Custodia client now uses a single remote to upload keys and download all +secrets. + +Fixes: https://pagure.io/freeipa/issue/7518 +Signed-off-by: Christian Heimes +Reviewed-By: Simo Sorce +--- + ipaserver/install/ca.py | 1 - + ipaserver/install/cainstance.py | 2 +- + ipaserver/install/custodiainstance.py | 74 +++++++++++++++++------------- + ipaserver/install/kra.py | 1 - + ipaserver/install/server/install.py | 4 +- + ipaserver/install/server/replicainstall.py | 2 +- + 6 files changed, 46 insertions(+), 38 deletions(-) + +diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py +index 2ac4382..1c7d375 100644 +--- a/ipaserver/install/ca.py ++++ b/ipaserver/install/ca.py +@@ -235,7 +235,6 @@ def install_step_0(standalone, replica_config, options, custodia): + cafile = os.path.join(replica_config.dir, 'cacert.p12') + if options.promote: + custodia.get_ca_keys( +- replica_config.ca_host_name, + cafile, + replica_config.dirman_password) + +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index eefc30b..cc0dbf3 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -712,7 +712,7 @@ class CAInstance(DogtagInstance): + self.configure_agent_renewal() + + def __import_ra_key(self): +- self._custodia.import_ra_key(self.master_host) ++ self._custodia.import_ra_key() + self.__set_ra_cert_perms() + + self.configure_agent_renewal() +diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py +index 262ae58..ada8d03 100644 +--- a/ipaserver/install/custodiainstance.py ++++ b/ipaserver/install/custodiainstance.py +@@ -71,41 +71,45 @@ def get_custodia_instance(config, mode): + if mode == CustodiaModes.CA_PEER: + # In case we install replica with CA, prefer CA host as source for + # all Custodia secret material. +- custodia_master = config.ca_host_name ++ custodia_peer = config.ca_host_name + elif mode == CustodiaModes.KRA_PEER: +- custodia_master = config.kra_host_name ++ custodia_peer = config.kra_host_name + elif mode == CustodiaModes.MASTER_PEER: +- custodia_master = config.master_host_name ++ custodia_peer = config.master_host_name + elif mode == CustodiaModes.STANDALONE: +- custodia_master = None ++ custodia_peer = None + else: +- custodia_master = None ++ custodia_peer = None + +- if custodia_master is None: ++ if custodia_peer is None: + # use ldapi with local dirsrv instance + root_logger.info("Custodia uses LDAPI.") +- ldap_uri = None + else: +- root_logger.info("Custodia uses '%s' as master peer.", +- custodia_master) +- ldap_uri = 'ldap://{}'.format(custodia_master) ++ root_logger.info("Custodia uses '%s' as master peer.", custodia_peer) + + return CustodiaInstance( + host_name=config.host_name, + realm=config.realm_name, +- ldap_uri=ldap_uri ++ custodia_peer=custodia_peer + ) + + + class CustodiaInstance(SimpleServiceInstance): +- def __init__(self, host_name=None, realm=None, ldap_uri=None): ++ def __init__(self, host_name=None, realm=None, custodia_peer=None): + super(CustodiaInstance, self).__init__("ipa-custodia") + self.config_file = paths.IPA_CUSTODIA_CONF + self.server_keys = paths.IPA_CUSTODIA_KEYS +- self.ldap_uri = ldap_uri ++ self.custodia_peer = custodia_peer + self.fqdn = host_name + self.realm = realm + ++ @property ++ def ldap_uri(self): ++ if self.custodia_peer is None: ++ return installutils.realm_to_ldapi_uri(self.realm) ++ else: ++ return "ldap://{}".format(self.custodia_peer) ++ + def __config_file(self): + template_file = os.path.basename(self.config_file) + '.template' + template = os.path.join(paths.USR_SHARE_IPA_DIR, template_file) +@@ -125,7 +129,7 @@ class CustodiaInstance(SimpleServiceInstance): + ipautil.flush_sync(f) + + def create_instance(self): +- if self.ldap_uri is None or self.ldap_uri.startswith('ldapi://'): ++ if self.ldap_uri.startswith('ldapi://'): + # local case, ensure container exists + self.step("Making sure custodia container exists", + self.__create_container) +@@ -174,25 +178,24 @@ class CustodiaInstance(SimpleServiceInstance): + updater = ldapupdate.LDAPUpdate(sub_dict=sub_dict) + updater.update([os.path.join(paths.UPDATES_DIR, '73-custodia.update')]) + +- def import_ra_key(self, master_host_name): +- cli = self._get_custodia_client(server=master_host_name) ++ def import_ra_key(self): ++ cli = self._get_custodia_client() + # please note that ipaCert part has to stay here for historical + # reasons (old servers expect you to ask for ra/ipaCert during + # replication as they store the RA agent cert in an NSS database + # with this nickname) + cli.fetch_key('ra/ipaCert') + +- def import_dm_password(self, master_host_name): +- cli = self._get_custodia_client(server=master_host_name) ++ def import_dm_password(self): ++ cli = self._get_custodia_client() + cli.fetch_key('dm/DMHash') + +- def _wait_keys(self, host, timeout=300): +- ldap_uri = 'ldap://%s' % host ++ def _wait_keys(self, timeout=300): + deadline = int(time.time()) + timeout + root_logger.info("Waiting up to %s seconds to see our keys " +- "appear on host: %s", timeout, host) ++ "appear on host %s", timeout, self.ldap_uri) + +- konn = KEMLdap(ldap_uri) ++ konn = KEMLdap(self.ldap_uri) + saved_e = None + while True: + try: +@@ -202,8 +205,11 @@ class CustodiaInstance(SimpleServiceInstance): + if saved_e is None: + # FIXME: Change once there's better way to show this + # message in installer output, +- print(" Waiting for keys to appear on host: {}, please " +- "wait until this has completed.".format(host)) ++ print( ++ " Waiting for keys to appear on host: {}, please " ++ "wait until this has completed.".format( ++ self.ldap_uri) ++ ) + # log only once for the same error + if not isinstance(e, type(saved_e)): + root_logger.debug( +@@ -213,23 +219,25 @@ class CustodiaInstance(SimpleServiceInstance): + raise RuntimeError("Timed out trying to obtain keys.") + time.sleep(1) + +- def _get_custodia_client(self, server): ++ def _get_custodia_client(self): ++ if self.custodia_peer is None: ++ raise ValueError("Can't replicate secrets without Custodia peer") + # Before we attempt to fetch keys from this host, make sure our public + # keys have been replicated there. +- self._wait_keys(server) ++ self._wait_keys() + + return CustodiaClient( + client_service='host@{}'.format(self.fqdn), + keyfile=self.server_keys, keytab=paths.KRB5_KEYTAB, +- server=server, realm=self.realm ++ server=self.custodia_peer, realm=self.realm + ) + +- def _get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): ++ def _get_keys(self, cacerts_file, cacerts_pwd, data): + # Fetch all needed certs one by one, then combine them in a single + # PKCS12 file + prefix = data['prefix'] + certlist = data['list'] +- cli = self._get_custodia_client(server=ca_host) ++ cli = self._get_custodia_client() + + # Temporary nssdb + tmpnssdir = tempfile.mkdtemp(dir=paths.TMP) +@@ -272,23 +280,23 @@ class CustodiaInstance(SimpleServiceInstance): + finally: + shutil.rmtree(tmpnssdir) + +- def get_ca_keys(self, ca_host, cacerts_file, cacerts_pwd): ++ def get_ca_keys(self, cacerts_file, cacerts_pwd): + certlist = ['caSigningCert cert-pki-ca', + 'ocspSigningCert cert-pki-ca', + 'auditSigningCert cert-pki-ca', + 'subsystemCert cert-pki-ca'] + data = {'prefix': 'ca', + 'list': certlist} +- self._get_keys(ca_host, cacerts_file, cacerts_pwd, data) ++ self._get_keys(cacerts_file, cacerts_pwd, data) + +- def get_kra_keys(self, ca_host, cacerts_file, cacerts_pwd): ++ def get_kra_keys(self, cacerts_file, cacerts_pwd): + certlist = ['auditSigningCert cert-pki-kra', + 'storageCert cert-pki-kra', + 'subsystemCert cert-pki-ca', + 'transportCert cert-pki-kra'] + data = {'prefix': 'ca', + 'list': certlist} +- self._get_keys(ca_host, cacerts_file, cacerts_pwd, data) ++ self._get_keys(cacerts_file, cacerts_pwd, data) + + def __start(self): + super(CustodiaInstance, self).__start() +diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py +index 3333970..d8773b9 100644 +--- a/ipaserver/install/kra.py ++++ b/ipaserver/install/kra.py +@@ -91,7 +91,6 @@ def install(api, replica_config, options, custodia): + paths.KRB5_KEYTAB, + ccache) + custodia.get_kra_keys( +- replica_config.kra_host_name, + krafile, + replica_config.dirman_password) + else: +diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py +index f4338ed..3651cde 100644 +--- a/ipaserver/install/server/install.py ++++ b/ipaserver/install/server/install.py +@@ -1085,7 +1085,9 @@ def uninstall(installer): + dsinstance.DsInstance(fstore=fstore).uninstall() + if _server_trust_ad_installed: + adtrustinstance.ADTRUSTInstance(fstore).uninstall() +- custodiainstance.CustodiaInstance().uninstall() ++ # realm isn't used, but IPAKEMKeys parses /etc/ipa/default.conf ++ # otherwise, see https://pagure.io/freeipa/issue/7474 . ++ custodiainstance.CustodiaInstance(realm='REALM.INVALID').uninstall() + otpdinstance.OtpdInstance().uninstall() + tasks.restore_hostname(fstore, sstore) + fstore.restore_all_files() +diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py +index ef61590..b9cd518 100644 +--- a/ipaserver/install/server/replicainstall.py ++++ b/ipaserver/install/server/replicainstall.py +@@ -1512,7 +1512,7 @@ def install(installer): + krb.restart() + + if promote: +- custodia.import_dm_password(config.master_host_name) ++ custodia.import_dm_password() + promote_sssd(config.host_name) + promote_openldap_conf(config.host_name, config.master_host_name) + +-- +2.9.3 + diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch deleted file mode 100644 index 673cd2f..0000000 --- a/SOURCES/ipa-centos-branding.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 28da6fc..dbbe5e9 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -72,7 +72,7 @@ Name: ipa Version: %{IPA_VERSION} -Release: 10%{?dist}.1 +Release: 10%{?dist}.3 Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -80,10 +80,10 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source3: login-screen-logo.png -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source3: login-screen-logo.png +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -132,12 +132,15 @@ Patch0041: 0041-Revert-Don-t-allow-OTP-or-RADIUS-in-FIPS-mode.patch Patch0042: 0042-Log-errors-from-NSS-during-FIPS-OTP-key-import.patch Patch0043: 0043-ipa-replica-install-make-sure-that-certmonger-picks-.patch Patch0044: 0044-replica-install-pass-ip-address-to-client-install.patch - +Patch0045: 0045-Add-nsds5ReplicaReleaseTimeout-to-replica-config.patch +Patch0046: 0046-Fix-upgrade-update_replica_config-in-single-master-m.patch +Patch0047: 0047-Use-single-Custodia-instance-in-installers.patch +Patch0048: 0048-Don-t-try-to-backup-CS.cfg-during-upgrade-if-CA-is-n.patch +Patch0049: 0049-Use-one-Custodia-peer-to-retrieve-all-secrets.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Package-copy-schema-to-ca.py.patch Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch Patch1004: 1004-Remove-csrgen.patch -Patch1005: ipa-centos-branding.patch # RHEL spec file only: END BuildRequires: libtool, automake, autoconf @@ -939,10 +942,10 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3 %endif # with_python3 # RHEL spec file only: START: Change branding to IPA and Identity Management -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE3 install/ui/images/login-screen-logo.png -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE3 install/ui/images/login-screen-logo.png +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management @@ -1695,10 +1698,20 @@ fi %changelog -* Mon May 14 2018 CentOS Sources - 4.5.4-10.el7.centos.1 -- Roll in CentOS Branding - -* Tue Apr 10 2018 Florence Blanc-Renaud - 4.5.4-11.el7 +* Mon Jun 11 2018 Rob Crittenden - 4.5.4-10.el7.3 +- Resolves: #1579190 Improve Custodia client and key distribution handling + - Use single Custodia instance in installers + +* Tue May 15 2018 Florence Blanc-Renaud - 4.5.4-10.el7.2 +- Resolves: #1579189 nsds5ReplicaReleaseTimeout should be set by default + - Add nsds5ReplicaReleaseTimeout to replica config + - Fix upgrade (update_replica_config) in single master mode +- Resolves: #1579190 Improve Custodia client and key distribution handling + - Use single Custodia instance in installers +- Resolves: #1579203 4.5.0 -> 4.5.4 upgrade breaks in ipa-server-upgrade: No such file or directory: '/var/lib/pki/pki-tomcat/conf/ca/CS.cfg' + - Don't try to backup CS.cfg during upgrade if CA is not configured + +* Tue Apr 10 2018 Florence Blanc-Renaud - 4.5.4-10.el7.1 - Resolves: #1565519 Clarify the need to restart services in ipa-server-certinstall(1) - Add a notice to restart ipa services after certs are installed - Resolves: #1564390 OTP and Radius Authentication does not work in FIPS mode