diff --git a/SOURCES/0181-ipa-kdb-map_groups-consider-all-results.patch b/SOURCES/0181-ipa-kdb-map_groups-consider-all-results.patch new file mode 100644 index 0000000..2402c56 --- /dev/null +++ b/SOURCES/0181-ipa-kdb-map_groups-consider-all-results.patch @@ -0,0 +1,145 @@ +From d9d27cae99fe6f71daf250bfff71ee406fa3d23c Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Wed, 16 Dec 2015 12:38:16 +0100 +Subject: [PATCH] ipa-kdb: map_groups() consider all results + +Resolves https://fedorahosted.org/freeipa/ticket/5573 + +Reviewed-By: Jakub Hrozek +Reviewed-By: Alexander Bokovoy +--- + daemons/ipa-kdb/ipa_kdb_mspac.c | 108 +++++++++++++++++++++------------------- + 1 file changed, 56 insertions(+), 52 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index 3c0dca839314273ae309b3b65ec7cf103e9c6da7..de40a145210c36ea0d35e0cc491fe9d3d76efea0 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -1082,68 +1082,72 @@ static int map_groups(TALLOC_CTX *memctx, krb5_context kcontext, + continue; + } + +- ldap_derefresponse_free(deref_results); +- ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results); +- switch (ret) { +- case ENOENT: +- /* No entry found, try next SID */ +- break; +- case 0: +- if (deref_results == NULL) { +- krb5_klog_syslog(LOG_ERR, "No results."); ++ do { ++ ldap_derefresponse_free(deref_results); ++ ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results); ++ switch (ret) { ++ case ENOENT: ++ /* No entry found, try next SID */ + break; +- } ++ case 0: ++ if (deref_results == NULL) { ++ krb5_klog_syslog(LOG_ERR, "No results."); ++ break; ++ } + +- for (dres = deref_results; dres; dres = dres->next) { +- count++; +- } ++ for (dres = deref_results; dres; dres = dres->next) { ++ count++; ++ } + +- sids = talloc_realloc(memctx, sids, struct dom_sid, count); +- if (sids == NULL) { +- krb5_klog_syslog(LOG_ERR, "talloc_realloc failed."); +- kerr = ENOMEM; +- goto done; +- } ++ sids = talloc_realloc(memctx, sids, struct dom_sid, count); ++ if (sids == NULL) { ++ krb5_klog_syslog(LOG_ERR, "talloc_realloc failed."); ++ kerr = ENOMEM; ++ goto done; ++ } + +- for (dres = deref_results; dres; dres = dres->next) { +- gid = 0; +- memset(&sid, '\0', sizeof(struct dom_sid)); +- for (dval = dres->attrVals; dval; dval = dval->next) { +- if (strcasecmp(dval->type, "gidNumber") == 0) { +- errno = 0; +- gid = strtoul((char *)dval->vals[0].bv_val, +- &endptr,10); +- if (gid == 0 || gid >= UINT32_MAX || errno != 0 || +- *endptr != '\0') { +- continue; ++ for (dres = deref_results; dres; dres = dres->next) { ++ gid = 0; ++ memset(&sid, '\0', sizeof(struct dom_sid)); ++ for (dval = dres->attrVals; dval; dval = dval->next) { ++ if (strcasecmp(dval->type, "gidNumber") == 0) { ++ errno = 0; ++ gid = strtoul((char *)dval->vals[0].bv_val, ++ &endptr,10); ++ if (gid == 0 || gid >= UINT32_MAX || errno != 0 || ++ *endptr != '\0') { ++ continue; ++ } + } +- } +- if (strcasecmp(dval->type, +- "ipaNTSecurityIdentifier") == 0) { +- kerr = string_to_sid((char *)dval->vals[0].bv_val, &sid); +- if (kerr != 0) { +- continue; ++ if (strcasecmp(dval->type, ++ "ipaNTSecurityIdentifier") == 0) { ++ kerr = string_to_sid((char *)dval->vals[0].bv_val, &sid); ++ if (kerr != 0) { ++ continue; ++ } + } + } +- } +- if (gid != 0 && sid.sid_rev_num != 0) { +- /* TODO: check if gid maps to sid */ +- if (sid_index >= count) { +- krb5_klog_syslog(LOG_ERR, "Index larger than " +- "array, this shoould " +- "never happen."); +- kerr = EFAULT; +- goto done; ++ if (gid != 0 && sid.sid_rev_num != 0) { ++ /* TODO: check if gid maps to sid */ ++ if (sid_index >= count) { ++ krb5_klog_syslog(LOG_ERR, "Index larger than " ++ "array, this shoould " ++ "never happen."); ++ kerr = EFAULT; ++ goto done; ++ } ++ memcpy(&sids[sid_index], &sid, sizeof(struct dom_sid)); ++ sid_index++; + } +- memcpy(&sids[sid_index], &sid, sizeof(struct dom_sid)); +- sid_index++; + } +- } + +- break; +- default: +- goto done; +- } ++ break; ++ default: ++ goto done; ++ } ++ ++ lentry = ldap_next_entry(ipactx->lcontext, lentry); ++ } while (lentry != NULL); + } + + *_ipa_group_sids_count = sid_index; +-- +2.7.1 + diff --git a/SOURCES/0182-ipa-ca-install-print-more-specific-errors-when-CA-is.patch b/SOURCES/0182-ipa-ca-install-print-more-specific-errors-when-CA-is.patch new file mode 100644 index 0000000..9941c4a --- /dev/null +++ b/SOURCES/0182-ipa-ca-install-print-more-specific-errors-when-CA-is.patch @@ -0,0 +1,44 @@ +From 3d13e08deee3586635e583c1d5ac8c722530ac2f Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Wed, 15 Jul 2015 14:15:49 +0200 +Subject: [PATCH] ipa-ca-install: print more specific errors when CA is already + installed + +This patch implements a more thorough checking for already installed CAs +during standalone CA installation using ipa-ca-install. The installer now +differentiates between CA that is already installed locally and CA installed +on one or more masters in topology and prints an appropriate error message. + +https://fedorahosted.org/freeipa/ticket/4492 + +Reviewed-By: Martin Basti +--- + ipaserver/install/ca.py | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py +index 0de992cb0c15f8161aae4937699baae2a94d305a..84cbf423246534259cd6b7a8cca25caa16e5594f 100644 +--- a/ipaserver/install/ca.py ++++ b/ipaserver/install/ca.py +@@ -45,8 +45,16 @@ def install_check(standalone, replica_config, options): + + return + +- if standalone and api.Command.ca_is_enabled()['result']: +- sys.exit("CA is already installed.\n") ++ if standalone: ++ if cainstance.is_ca_installed_locally(): ++ sys.exit("CA is already installed on this host.") ++ elif api.Command.ca_is_enabled()['result']: ++ sys.exit( ++ "One or more CA masters are already present in IPA realm " ++ "'%s'.\nIf you wish to replicate CA to this host, please " ++ "re-run 'ipa-ca-install'\nwith a replica file generated on " ++ "an existing CA master as argument." % realm_name ++ ) + + if options.external_cert_files: + if not cainstance.is_step_one_done(): +-- +2.5.0 + diff --git a/SOURCES/0183-installer-Propagate-option-values-from-components-in.patch b/SOURCES/0183-installer-Propagate-option-values-from-components-in.patch new file mode 100644 index 0000000..02b9eaf --- /dev/null +++ b/SOURCES/0183-installer-Propagate-option-values-from-components-in.patch @@ -0,0 +1,132 @@ +From 95447911535974731a931b1d758f6cfd985c1e59 Mon Sep 17 00:00:00 2001 +From: David Kupka +Date: Wed, 16 Dec 2015 12:43:13 +0000 +Subject: [PATCH] installer: Propagate option values from components instead of + copying them. + +https://fedorahosted.org/freeipa/ticket/5556 + +Reviewed-By: Jan Cholasta +--- + ipapython/install/core.py | 21 ++++++++++++++++++--- + ipaserver/install/server/install.py | 25 ------------------------- + ipaserver/install/server/replicainstall.py | 12 +----------- + 3 files changed, 19 insertions(+), 39 deletions(-) + +diff --git a/ipapython/install/core.py b/ipapython/install/core.py +index 91ae854cdb2a8846e2a2673a5bfe54b4f75f3823..3bb13267326b8cf1f22bb34dcf1e03402479446e 100644 +--- a/ipapython/install/core.py ++++ b/ipapython/install/core.py +@@ -484,6 +484,21 @@ class Composite(Configurable): + for comp_cls in result: + yield comp_cls.__outer_class__, comp_cls.__outer_name__ + ++ def __getattr__(self, name): ++ for owner_cls, knob_name in self.knobs(): ++ if knob_name == name: ++ break ++ else: ++ raise AttributeError(name) ++ ++ for component in self.__components: ++ if isinstance(component, owner_cls): ++ break ++ else: ++ raise AttributeError(name) ++ ++ return getattr(component, name) ++ + def _reset(self): + self.__components = list(self._get_components()) + +@@ -501,8 +516,7 @@ class Composite(Configurable): + try: + validator.next() + except StopIteration: +- if child.done(): +- self.__components.remove(child) ++ pass + else: + new_validate.append((child, validator)) + if not new_validate: +@@ -516,7 +530,8 @@ class Composite(Configurable): + + yield from_(super(Composite, self)._configure()) + +- execute = [(c, c._executor()) for c in self.__components] ++ execute = [(c, c._executor()) for c in self.__components ++ if not c.done()] + while True: + new_execute = [] + for child, executor in execute: +diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py +index 9d7036a7786a35e6aa2429254d62c8afb30970db..71992db0d39e1969649587486031a8fb1a03419d 100644 +--- a/ipaserver/install/server/install.py ++++ b/ipaserver/install/server/install.py +@@ -1592,35 +1592,10 @@ class Server(common.Installable, common.Interactive, core.Composite): + + self.setup_ca = False + self.setup_kra = False +- self.external_ca = self.ca.external_ca +- self.external_ca_type = self.ca.external_ca_type +- self.external_cert_files = self.ca.external_cert_files +- self.no_pkinit = self.ca.no_pkinit +- self.dirsrv_cert_files = self.ca.dirsrv_cert_files +- self.http_cert_files = self.ca.http_cert_files +- self.pkinit_cert_files = self.ca.pkinit_cert_files +- self.dirsrv_pin = self.ca.dirsrv_pin +- self.http_pin = self.ca.http_pin +- self.pkinit_pin = self.ca.pkinit_pin +- self.dirsrv_cert_name = self.ca.dirsrv_cert_name +- self.http_cert_name = self.ca.http_cert_name +- self.pkinit_cert_name = self.ca.pkinit_cert_name +- self.ca_cert_files = self.ca.ca_cert_files +- self.subject = self.ca.subject +- self.ca_signing_algorithm = self.ca.ca_signing_algorithm +- self.setup_dns = self.dns.setup_dns +- self.forwarders = self.dns.forwarders +- self.no_forwarders = self.dns.no_forwarders +- self.reverse_zones = self.dns.reverse_zones +- self.no_reverse = self.dns.no_reverse +- self.no_dnssec_validation = self.dns.no_dnssec_validation + self.dnssec_master = False + self.disable_dnssec_master = False + self.kasp_db_file = None + self.force = False +- self.zonemgr = self.dns.zonemgr +- self.no_host_dns = self.dns.no_host_dns +- self.no_dns_sshfp = self.dns.no_dns_sshfp + + self.unattended = not self.interactive + +diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py +index 6e9157cabc49161ba27983cbf1de1428d1b48b7d..a5d4a77f3daa8110ad0be064085b12b20da853cf 100644 +--- a/ipaserver/install/server/replicainstall.py ++++ b/ipaserver/install/server/replicainstall.py +@@ -847,22 +847,12 @@ class Replica(common.Installable, common.Interactive, core.Composite): + + self.external_ca = False + self.external_cert_files = None +- self.no_pkinit = self.ca.no_pkinit +- self.skip_schema_check = self.ca.skip_schema_check +- +- self.setup_dns = self.dns.setup_dns +- self.forwarders = self.dns.forwarders +- self.no_forwarders = self.dns.no_forwarders +- self.reverse_zones = self.dns.reverse_zones +- self.no_reverse = self.dns.no_reverse +- self.no_dnssec_validation = self.dns.no_dnssec_validation ++ + self.dnssec_master = False + self.disable_dnssec_master = False + self.kasp_db_file = None + self.force = False + self.zonemgr = None +- self.no_host_dns = self.dns.no_host_dns +- self.no_dns_sshfp = self.dns.no_dns_sshfp + + self.unattended = not self.interactive + +-- +2.5.0 + diff --git a/SOURCES/0184-installer-Fix-logic-of-reading-option-values-from-ca.patch b/SOURCES/0184-installer-Fix-logic-of-reading-option-values-from-ca.patch new file mode 100644 index 0000000..ef50523 --- /dev/null +++ b/SOURCES/0184-installer-Fix-logic-of-reading-option-values-from-ca.patch @@ -0,0 +1,44 @@ +From 71809fb6071a86156f881e20d4845cbd47606862 Mon Sep 17 00:00:00 2001 +From: David Kupka +Date: Wed, 16 Dec 2015 12:45:24 +0000 +Subject: [PATCH] installer: Fix logic of reading option values from cache. + +Only options explicitly set must be stored before installer exits first step +of external CA setup. When installer continues all stored option values must +be restored. + +https://fedorahosted.org/freeipa/ticket/5556 + +Reviewed-By: Jan Cholasta +--- + ipaserver/install/server/install.py | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py +index 71992db0d39e1969649587486031a8fb1a03419d..01dffd08d4c929ebc5ecb6e6b0a8b685c1320dbd 100644 +--- a/ipaserver/install/server/install.py ++++ b/ipaserver/install/server/install.py +@@ -343,9 +343,7 @@ def install_check(installer): + sys.exit("Directory Manager password required") + try: + cache_vars = read_cache(dm_password) +- for name, value in cache_vars.iteritems(): +- if name not in options.__dict__: +- options.__dict__[name] = value ++ options.__dict__.update(cache_vars) + if cache_vars.get('external_ca', False): + options.external_ca = False + options.interactive = False +@@ -767,7 +765,8 @@ def install(installer): + options.host_name = host_name + options.forwarders = dns.dns_forwarders + options.reverse_zones = dns.reverse_zones +- cache_vars = {n: getattr(options, n) for o, n in installer.knobs()} ++ cache_vars = {n: options.__dict__[n] for o, n in installer.knobs() ++ if n in options.__dict__} + write_cache(cache_vars) + + ca.install_step_0(False, None, options) +-- +2.5.0 + diff --git a/SOURCES/0185-Fixed-login-error-message-box-in-LoginScreen-page.patch b/SOURCES/0185-Fixed-login-error-message-box-in-LoginScreen-page.patch new file mode 100644 index 0000000..d9aa1d0 --- /dev/null +++ b/SOURCES/0185-Fixed-login-error-message-box-in-LoginScreen-page.patch @@ -0,0 +1,47 @@ +From 303e3aea45c310e8a2508ac540264520d5d3eda4 Mon Sep 17 00:00:00 2001 +From: Abhijeet Kasurde +Date: Mon, 28 Dec 2015 12:33:11 +0530 +Subject: [PATCH] Fixed login error message box in LoginScreen page + +Fix added for showing error message returned from server to client +browser. User is now notified with proper error messages returned by +server. + +https://bugzilla.redhat.com/show_bug.cgi?id=1293870 + +Signed-off-by: Abhijeet Kasurde +Reviewed-By: Petr Vobornik +--- + install/ui/src/freeipa/widgets/LoginScreen.js | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/install/ui/src/freeipa/widgets/LoginScreen.js b/install/ui/src/freeipa/widgets/LoginScreen.js +index eb95b9161f05eeac1ec9aed286c9730dada85d59..2c778b50cfb10bfa8eef25c5456c6ce913e02695 100644 +--- a/install/ui/src/freeipa/widgets/LoginScreen.js ++++ b/install/ui/src/freeipa/widgets/LoginScreen.js +@@ -272,12 +272,12 @@ define(['dojo/_base/declare', + } + this.set('view', 'login'); + } else { ++ otp_f.set_value(''); ++ new_f.set_value(''); ++ ver_f.set_value(''); + val_summary.add_error('login', result.message); + } + +- otp_f.set_value(''); +- new_f.set_value(''); +- ver_f.set_value(''); + }, + + refresh: function() { +@@ -426,4 +426,4 @@ define(['dojo/_base/declare', + ]; + + return LoginScreen; +-}); +\ No newline at end of file ++}); +-- +2.5.0 + diff --git a/SOURCES/0186-cert-renewal-import-all-external-CA-certs-on-IPA-CA-.patch b/SOURCES/0186-cert-renewal-import-all-external-CA-certs-on-IPA-CA-.patch new file mode 100644 index 0000000..3cebd4e --- /dev/null +++ b/SOURCES/0186-cert-renewal-import-all-external-CA-certs-on-IPA-CA-.patch @@ -0,0 +1,79 @@ +From 8d651ef5a00c418138c355aa95259246090705b7 Mon Sep 17 00:00:00 2001 +From: Jan Cholasta +Date: Thu, 21 Jan 2016 08:58:56 +0100 +Subject: [PATCH] cert renewal: import all external CA certs on IPA CA cert + renewal + +Import all external CA certs to the Dogtag NSS database on IPA CA cert +renewal. This fixes Dogtag not being able to connect to DS which uses 3rd +party server cert after ipa-certupdate. + +https://fedorahosted.org/freeipa/ticket/5595 + +Reviewed-By: Martin Babinsky +--- + install/restart_scripts/renew_ca_cert | 28 +++++++++------------------- + 1 file changed, 9 insertions(+), 19 deletions(-) + +diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert +index 86f5765b7d8bbeafd5379831020a952a7aa6db41..92dc0e6685f61f34bd6df941ef63ac138ad7965b 100644 +--- a/install/restart_scripts/renew_ca_cert ++++ b/install/restart_scripts/renew_ca_cert +@@ -28,7 +28,6 @@ import shutil + import traceback + + from ipapython import dogtag, ipautil +-from ipapython.dn import DN + from ipalib import api, errors, x509, certstore + from ipaserver.install import certs, cainstance, installutils + from ipaserver.plugins.ldap2 import ldap2 +@@ -158,11 +157,9 @@ def _main(): + "Updating CA certificate failed: %s" % e) + + # Add external CA certificates +- ca_issuer = str(x509.get_issuer(cert, x509.DER)) + try: +- ca_certs = certstore.get_ca_certs( +- conn, api.env.basedn, api.env.realm, False, +- filter_subject=ca_issuer) ++ ca_certs = certstore.get_ca_certs_nss( ++ conn, api.env.basedn, api.env.realm, False) + except Exception, e: + syslog.syslog( + syslog.LOG_ERR, +@@ -170,25 +167,18 @@ def _main(): + "%s" % e) + ca_certs = [] + +- for ca_cert, ca_nick, ca_trusted, ca_eku in ca_certs: +- ca_subject = DN(str(x509.get_subject(ca_cert, x509.DER))) +- nick_base = ' - '.join(rdn[-1].value for rdn in ca_subject) +- nick = nick_base +- i = 1 +- while db.has_nickname(nick): +- nick = '%s [%s]' % (nick_base, i) +- i += 1 +- if ca_trusted is False: +- flags = 'p,p,p' +- else: +- flags = 'CT,c,' +- ++ for ca_cert, ca_nick, ca_flags in ca_certs: + try: +- db.add_cert(ca_cert, nick, flags) ++ db.add_cert(ca_cert, ca_nick, ca_flags) + except ipautil.CalledProcessError, e: + syslog.syslog( + syslog.LOG_ERR, + "Failed to add certificate %s" % ca_nick) ++ ++ # Pass Dogtag's self-tests ++ for ca_nick in db.find_root_cert(nickname)[-2:-1]: ++ ca_flags = dict(cc[1:] for cc in ca_certs)[ca_nick] ++ db.trust_root_cert(ca_nick, 'C' + ca_flags) + finally: + if conn is not None and conn.isconnected(): + conn.disconnect() +-- +2.5.0 + diff --git a/SOURCES/0187-CA-install-explicitly-set-dogtag_version-to-10.patch b/SOURCES/0187-CA-install-explicitly-set-dogtag_version-to-10.patch new file mode 100644 index 0000000..5d9d2ff --- /dev/null +++ b/SOURCES/0187-CA-install-explicitly-set-dogtag_version-to-10.patch @@ -0,0 +1,78 @@ +From c7f76e4f6c0f288b184152f5f6f45d11287914b3 Mon Sep 17 00:00:00 2001 +From: Jan Cholasta +Date: Mon, 25 Jan 2016 08:48:42 +0100 +Subject: [PATCH] CA install: explicitly set dogtag_version to 10 + +When installing new CA master, explicitly set the dogtag_version option to +10 in api.bootstrap() to prevent failures in code which expects the value +to be 10 rather than the default value of 9. + +https://fedorahosted.org/freeipa/ticket/5611 + +Reviewed-By: Martin Babinsky +--- + install/tools/ipa-ca-install | 2 +- + ipaserver/install/cainstance.py | 6 +++--- + ipaserver/install/server/upgrade.py | 2 +- + 3 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install +index 6564e4d0304d4e189b133c495b75f200b04e2988..e8ccaef5b90807f452f77c2b62641df3952180d6 100755 +--- a/install/tools/ipa-ca-install ++++ b/install/tools/ipa-ca-install +@@ -162,7 +162,7 @@ def install_master(safe_options, options): + + # override ra_plugin setting read from default.conf so that we have + # functional dogtag backend plugins during CA install +- api.bootstrap(in_server=True, ra_plugin='dogtag') ++ api.bootstrap(in_server=True, ra_plugin='dogtag', dogtag_version=10) + api.finalize() + + dm_password = options.password +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index d9bf4f31af5a922dd6f977a5011f50ce7cea8896..369902ad04b197c9e9516503c1f81c4de1ef153b 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -478,7 +478,7 @@ class CAInstance(DogtagInstance): + self.http_proxy) + self.step("restarting certificate server", self.restart_instance) + self.step("migrating certificate profiles to LDAP", +- migrate_profiles_to_ldap) ++ lambda: migrate_profiles_to_ldap(self.dogtag_constants)) + self.step("importing IPA certificate profiles", + import_included_profiles) + self.step("adding default CA ACL", ensure_default_caacl) +@@ -1768,7 +1768,7 @@ def import_included_profiles(): + conn.disconnect() + + +-def migrate_profiles_to_ldap(): ++def migrate_profiles_to_ldap(dogtag_constants): + """Migrate profiles from filesystem to LDAP. + + This must be run *after* switching to the LDAPProfileSubsystem +@@ -1783,7 +1783,7 @@ def migrate_profiles_to_ldap(): + api.Backend.ra_certprofile._read_password() + api.Backend.ra_certprofile.override_port = 8443 + +- with open(dogtag.configured_constants().CS_CFG_PATH) as f: ++ with open(dogtag_constants.CS_CFG_PATH) as f: + cs_cfg = f.read() + match = re.search(r'^profile\.list=(\S*)', cs_cfg, re.MULTILINE) + profile_ids = match.group(1).split(',') +diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py +index 1f1cfeb672809c0298c69c121ac38d6c7a482d11..0a46635979497f8028465c2295b22485fd9c0279 100644 +--- a/ipaserver/install/server/upgrade.py ++++ b/ipaserver/install/server/upgrade.py +@@ -336,7 +336,7 @@ def ca_enable_ldap_profile_subsystem(ca): + separator='=') + + ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) +- cainstance.migrate_profiles_to_ldap() ++ cainstance.migrate_profiles_to_ldap(caconfig) + + return needs_update + +-- +2.5.0 + diff --git a/SOURCES/0188-fix-standalone-installation-of-externally-signed-CA-.patch b/SOURCES/0188-fix-standalone-installation-of-externally-signed-CA-.patch new file mode 100644 index 0000000..cb659dc --- /dev/null +++ b/SOURCES/0188-fix-standalone-installation-of-externally-signed-CA-.patch @@ -0,0 +1,30 @@ +From 06c2e339f28ab697c830dc1f9d6ef89b833b2d1a Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Tue, 26 Jan 2016 13:02:44 +0100 +Subject: [PATCH] fix standalone installation of externally signed CA on IPA + master + +https://fedorahosted.org/freeipa/ticket/5636 + +Reviewed-By: Martin Basti +--- + ipaserver/install/ca.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py +index 84cbf423246534259cd6b7a8cca25caa16e5594f..d2fb5feeaf96e8450eddb1bc4e65ef3316b05b38 100644 +--- a/ipaserver/install/ca.py ++++ b/ipaserver/install/ca.py +@@ -46,7 +46,8 @@ def install_check(standalone, replica_config, options): + return + + if standalone: +- if cainstance.is_ca_installed_locally(): ++ if (not options.external_cert_files and ++ cainstance.is_ca_installed_locally()): + sys.exit("CA is already installed on this host.") + elif api.Command.ca_is_enabled()['result']: + sys.exit( +-- +2.5.0 + diff --git a/SOURCES/0189-replica-install-validate-DS-and-HTTP-server-certific.patch b/SOURCES/0189-replica-install-validate-DS-and-HTTP-server-certific.patch new file mode 100644 index 0000000..01f3b25 --- /dev/null +++ b/SOURCES/0189-replica-install-validate-DS-and-HTTP-server-certific.patch @@ -0,0 +1,74 @@ +From 8ee71c8aab262ba0041ee9ac84fb862a5fda32cf Mon Sep 17 00:00:00 2001 +From: Jan Cholasta +Date: Thu, 21 Jan 2016 15:48:30 +0100 +Subject: [PATCH] replica install: validate DS and HTTP server certificates + +Validate the DS and HTTP certificates from the replica info file early in +ipa-replica-install to prevent crashes later. + +https://fedorahosted.org/freeipa/ticket/5598 + +Reviewed-By: Martin Babinsky +--- + ipaserver/install/server/replicainstall.py | 31 +++++++++++++++++++++++++++++- + 1 file changed, 30 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py +index a5d4a77f3daa8110ad0be064085b12b20da853cf..317eda92dd4322542f035c2df4dba919a5898cc7 100644 +--- a/ipaserver/install/server/replicainstall.py ++++ b/ipaserver/install/server/replicainstall.py +@@ -356,6 +356,8 @@ def install_check(installer): + config.setup_ca = options.setup_ca + config.setup_kra = options.setup_kra + ++ ca_enabled = ipautil.file_exists(config.dir + "/cacert.p12") ++ + # Create the management framework config file + # Note: We must do this before bootstraping and finalizing ipalib.api + old_umask = os.umask(022) # must be readable for httpd +@@ -371,7 +373,7 @@ def install_check(installer): + ipautil.format_netloc(config.host_name)) + fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % + installutils.realm_to_serverid(config.realm_name)) +- if ipautil.file_exists(config.dir + "/cacert.p12"): ++ if ca_enabled: + fd.write("enable_ra=True\n") + fd.write("ra_plugin=dogtag\n") + fd.write("dogtag_version=%s\n" % +@@ -395,6 +397,33 @@ def install_check(installer): + raise RuntimeError("CA cert file is not available. Please run " + "ipa-replica-prepare to create a new replica file.") + ++ for pkcs12_name, pin_name in (('dscert.p12', 'dirsrv_pin.txt'), ++ ('httpcert.p12', 'http_pin.txt')): ++ pkcs12_info = make_pkcs12_info(config.dir, pkcs12_name, pin_name) ++ tmp_db_dir = tempfile.mkdtemp('ipa') ++ try: ++ tmp_db = certs.CertDB(config.realm_name, ++ nssdir=tmp_db_dir, ++ subject_base=config.subject_base) ++ if ca_enabled: ++ trust_flags = 'CT,C,C' ++ else: ++ trust_flags = None ++ tmp_db.create_from_pkcs12(pkcs12_info[0], pkcs12_info[1], ++ ca_file=cafile, ++ trust_flags=trust_flags) ++ if not tmp_db.find_server_certs(): ++ raise RuntimeError( ++ "Could not find a suitable server cert in import in %s" % ++ pkcs12_info[0]) ++ except Exception as e: ++ root_logger.error('%s', e) ++ raise RuntimeError( ++ "Server cert is not valid. Please run ipa-replica-prepare to " ++ "create a new replica file.") ++ finally: ++ shutil.rmtree(tmp_db_dir) ++ + ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name) + remote_api = create_api(mode=None) + remote_api.bootstrap(in_server=True, context='installer', +-- +2.5.0 + diff --git a/SOURCES/0190-Do-not-decode-HTTP-reason-phrase-from-Dogtag.patch b/SOURCES/0190-Do-not-decode-HTTP-reason-phrase-from-Dogtag.patch new file mode 100644 index 0000000..220c9ce --- /dev/null +++ b/SOURCES/0190-Do-not-decode-HTTP-reason-phrase-from-Dogtag.patch @@ -0,0 +1,294 @@ +From ca08d7d3a7562588b09b78b7079b2c15e572a484 Mon Sep 17 00:00:00 2001 +From: Fraser Tweedale +Date: Wed, 6 Jan 2016 14:50:42 +1100 +Subject: [PATCH] Do not decode HTTP reason phrase from Dogtag + +The HTTP reason phrase sent by Dogtag is assumed to be encoded in +UTF-8, but the encoding used by Tomcat is dependent on system +locale, causing decode errors in some locales. + +The reason phrase is optional and will not be sent in a future +version of Tomcat[1], so do not bother decoding and returning it. + +[1] https://github.com/apache/tomcat/commit/707ab1c77f3bc189e1c3f29b641506db4c8bce37 + +Fixes: https://fedorahosted.org/freeipa/ticket/5578 +Reviewed-By: Jan Cholasta +--- + ipapython/dogtag.py | 23 +++++++++++------------ + ipaserver/install/certs.py | 7 +++---- + ipaserver/plugins/dogtag.py | 44 ++++++++++++++++++++++---------------------- + 3 files changed, 36 insertions(+), 38 deletions(-) + +diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py +index 8996902ba92f0fdd6106e2650c2decde375c593b..652bc3d13f2b47b35f6da30579f2df5f083dbff2 100644 +--- a/ipapython/dogtag.py ++++ b/ipapython/dogtag.py +@@ -230,14 +230,14 @@ def ca_status(ca_host=None, use_proxy=True): + ca_port = 443 + else: + ca_port = 8443 +- status, reason, headers, body = unauthenticated_https_request( ++ status, headers, body = unauthenticated_https_request( + ca_host, ca_port, '/ca/admin/ca/getStatus') + if status == 503: + # Service temporarily unavailable +- return reason ++ return status + elif status != 200: + raise errors.RemoteRetrieveError( +- reason=_("Retrieving CA status failed: %s") % reason) ++ reason=_("Retrieving CA status failed with status %d") % status) + return _parse_ca_status(body) + + +@@ -248,8 +248,8 @@ def https_request(host, port, url, secdir, password, nickname, + :param url: The path (not complete URL!) to post to. + :param body: The request body (encodes kw if None) + :param kw: Keyword arguments to encode into POST body. +- :return: (http_status, http_reason_phrase, http_headers, http_body) +- as (integer, unicode, dict, str) ++ :return: (http_status, http_headers, http_body) ++ as (integer, dict, str) + + Perform a client authenticated HTTPS request + """ +@@ -277,8 +277,8 @@ def http_request(host, port, url, **kw): + """ + :param url: The path (not complete URL!) to post to. + :param kw: Keyword arguments to encode into POST body. +- :return: (http_status, http_reason_phrase, http_headers, http_body) +- as (integer, unicode, dict, str) ++ :return: (http_status, http_headers, http_body) ++ as (integer, dict, str) + + Perform an HTTP request. + """ +@@ -291,8 +291,8 @@ def unauthenticated_https_request(host, port, url, **kw): + """ + :param url: The path (not complete URL!) to post to. + :param kw: Keyword arguments to encode into POST body. +- :return: (http_status, http_reason_phrase, http_headers, http_body) +- as (integer, unicode, dict, str) ++ :return: (http_status, http_headers, http_body) ++ as (integer, dict, str) + + Perform an unauthenticated HTTPS request. + """ +@@ -331,15 +331,14 @@ def _httplib_request( + res = conn.getresponse() + + http_status = res.status +- http_reason_phrase = unicode(res.reason, 'utf-8') + http_headers = res.msg.dict + http_body = res.read() + conn.close() + except Exception, e: + raise NetworkError(uri=uri, error=str(e)) + +- root_logger.debug('response status %d %s', http_status, http_reason_phrase) ++ root_logger.debug('response status %d', http_status) + root_logger.debug('response headers %s', http_headers) + root_logger.debug('response body %r', http_body) + +- return http_status, http_reason_phrase, http_headers, http_body ++ return http_status, http_headers, http_body +diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py +index 564332e6fde0698a23884922c5018fab59da7e4d..f8a9c9ecfd2fa1accb792c4748bc69f30701af6a 100644 +--- a/ipaserver/install/certs.py ++++ b/ipaserver/install/certs.py +@@ -402,12 +402,11 @@ class CertDB(object): + dogtag.configured_constants().EE_SECURE_PORT, + "/ca/ee/ca/profileSubmitSSLClient", + self.secdir, password, "ipaCert", **params) +- http_status, http_reason_phrase, http_headers, http_body = result ++ http_status, http_headers, http_body = result + + if http_status != 200: + raise CertificateOperationError( +- error=_('Unable to communicate with CMS (%s)') % +- http_reason_phrase) ++ error=_('Unable to communicate with CMS (status %d)') % http_status) + + # The result is an XML blob. Pull the certificate out of that + doc = xml.dom.minidom.parseString(http_body) +@@ -459,7 +458,7 @@ class CertDB(object): + dogtag.configured_constants().EE_SECURE_PORT, + "/ca/ee/ca/profileSubmitSSLClient", + self.secdir, password, "ipaCert", **params) +- http_status, http_reason_phrase, http_headers, http_body = result ++ http_status, http_headers, http_body = result + if http_status != 200: + raise RuntimeError("Unable to submit cert request") + +diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py +index f5f8eb67067c87f07c06e556fb9fc73792fbbc64..3029a9144d80a9b081853b95259fcd37e35d8c2b 100644 +--- a/ipaserver/plugins/dogtag.py ++++ b/ipaserver/plugins/dogtag.py +@@ -1350,8 +1350,8 @@ class ra(rabase.rabase): + """ + :param url: The URL to post to. + :param kw: Keyword arguments to encode into POST body. +- :return: (http_status, http_reason_phrase, http_headers, http_body) +- as (integer, unicode, dict, str) ++ :return: (http_status, http_headers, http_body) ++ as (integer, dict, str) + + Perform an HTTP request. + """ +@@ -1361,8 +1361,8 @@ class ra(rabase.rabase): + """ + :param url: The URL to post to. + :param kw: Keyword arguments to encode into POST body. +- :return: (http_status, http_reason_phrase, http_headers, http_body) +- as (integer, unicode, dict, str) ++ :return: (http_status, http_headers, http_body) ++ as (integer, dict, str) + + Perform an HTTPS request + """ +@@ -1422,7 +1422,7 @@ class ra(rabase.rabase): + self.debug('%s.check_request_status()', self.fullname) + + # Call CMS +- http_status, http_reason_phrase, http_headers, http_body = \ ++ http_status, http_headers, http_body = \ + self._request('/ca/ee/ca/checkRequest', + self.env.ca_port, + requestId=request_id, +@@ -1431,7 +1431,7 @@ class ra(rabase.rabase): + # Parse and handle errors + if http_status != 200: + self.raise_certificate_operation_error('check_request_status', +- detail=http_reason_phrase) ++ detail=http_status) + + parse_result = self.get_parse_result_xml(http_body, parse_check_request_result_xml) + request_status = parse_result['request_status'] +@@ -1507,7 +1507,7 @@ class ra(rabase.rabase): + serial_number = int(serial_number, 0) + + # Call CMS +- http_status, http_reason_phrase, http_headers, http_body = \ ++ http_status, http_headers, http_body = \ + self._sslget('/ca/agent/ca/displayBySerial', + self.env.ca_agent_port, + serialNumber=str(serial_number), +@@ -1517,7 +1517,7 @@ class ra(rabase.rabase): + # Parse and handle errors + if http_status != 200: + self.raise_certificate_operation_error('get_certificate', +- detail=http_reason_phrase) ++ detail=http_status) + + parse_result = self.get_parse_result_xml(http_body, parse_display_cert_xml) + request_status = parse_result['request_status'] +@@ -1575,7 +1575,7 @@ class ra(rabase.rabase): + self.debug('%s.request_certificate()', self.fullname) + + # Call CMS +- http_status, http_reason_phrase, http_headers, http_body = \ ++ http_status, http_headers, http_body = \ + self._sslget('/ca/eeca/ca/profileSubmitSSLClient', + self.env.ca_ee_port, + profileId=profile_id, +@@ -1585,7 +1585,7 @@ class ra(rabase.rabase): + # Parse and handle errors + if http_status != 200: + self.raise_certificate_operation_error('request_certificate', +- detail=http_reason_phrase) ++ detail=http_status) + + parse_result = self.get_parse_result_xml(http_body, parse_profile_submit_result_xml) + # Note different status return, it's not request_status, it's error_code +@@ -1654,7 +1654,7 @@ class ra(rabase.rabase): + serial_number = int(serial_number, 0) + + # Call CMS +- http_status, http_reason_phrase, http_headers, http_body = \ ++ http_status, http_headers, http_body = \ + self._sslget('/ca/agent/ca/doRevoke', + self.env.ca_agent_port, + op='revoke', +@@ -1666,7 +1666,7 @@ class ra(rabase.rabase): + # Parse and handle errors + if http_status != 200: + self.raise_certificate_operation_error('revoke_certificate', +- detail=http_reason_phrase) ++ detail=http_status) + + parse_result = self.get_parse_result_xml(http_body, parse_revoke_cert_xml) + request_status = parse_result['request_status'] +@@ -1717,7 +1717,7 @@ class ra(rabase.rabase): + serial_number = int(serial_number, 0) + + # Call CMS +- http_status, http_reason_phrase, http_headers, http_body = \ ++ http_status, http_headers, http_body = \ + self._sslget('/ca/agent/ca/doUnrevoke', + self.env.ca_agent_port, + serialNumber=str(serial_number), +@@ -1726,7 +1726,7 @@ class ra(rabase.rabase): + # Parse and handle errors + if http_status != 200: + self.raise_certificate_operation_error('take_certificate_off_hold', +- detail=http_reason_phrase) ++ detail=http_status) + + + parse_result = self.get_parse_result_xml(http_body, parse_unrevoke_cert_xml) +@@ -2027,7 +2027,7 @@ class RestClient(Backend): + """Log into the REST API""" + if self.cookie is not None: + return +- status, status_text, resp_headers, resp_body = dogtag.https_request( ++ status, resp_headers, resp_body = dogtag.https_request( + self.ca_host, self.override_port or self.env.ca_agent_port, + '/ca/rest/account/login', + self.sec_dir, self.password, self.ipa_certificate_nickname, +@@ -2053,8 +2053,8 @@ class RestClient(Backend): + """ + :param url: The URL to post to. + :param kw: Keyword arguments to encode into POST body. +- :return: (http_status, http_reason_phrase, http_headers, http_body) +- as (integer, unicode, dict, str) ++ :return: (http_status, http_headers, http_body) ++ as (integer, dict, str) + + Perform an HTTPS request + """ +@@ -2068,7 +2068,7 @@ class RestClient(Backend): + resource = os.path.join('/ca/rest', self.path, path) + + # perform main request +- status, status_text, resp_headers, resp_body = dogtag.https_request( ++ status, resp_headers, resp_body = dogtag.https_request( + self.ca_host, self.override_port or self.env.ca_agent_port, + resource, + self.sec_dir, self.password, self.ipa_certificate_nickname, +@@ -2077,10 +2077,10 @@ class RestClient(Backend): + if status < 200 or status >= 300: + explanation = self._parse_dogtag_error(resp_body) or '' + raise errors.RemoteRetrieveError( +- reason=_('Non-2xx response from CA REST API: %(status)d %(status_text)s. %(explanation)s') +- % {'status': status, 'status_text': status_text, 'explanation': explanation} ++ reason=_('Non-2xx response from CA REST API: %(status)d. %(explanation)s') ++ % {'status': status, 'explanation': explanation} + ) +- return (status, status_text, resp_headers, resp_body) ++ return (status, resp_headers, resp_body) + + + class ra_certprofile(RestClient): +@@ -2105,7 +2105,7 @@ class ra_certprofile(RestClient): + """ + Read the profile configuration from Dogtag + """ +- status, status_text, resp_headers, resp_body = self._ssldo( ++ status, resp_headers, resp_body = self._ssldo( + 'GET', profile_id + '/raw') + return resp_body + +-- +2.5.0 + diff --git a/SOURCES/0191-upgrade-unconditional-import-of-certificate-profiles.patch b/SOURCES/0191-upgrade-unconditional-import-of-certificate-profiles.patch new file mode 100644 index 0000000..db607c5 --- /dev/null +++ b/SOURCES/0191-upgrade-unconditional-import-of-certificate-profiles.patch @@ -0,0 +1,66 @@ +From 52e2e879fa4decf67a19d6c79f4ec409b6a0dce7 Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Mon, 22 Feb 2016 13:35:41 +0100 +Subject: [PATCH] upgrade: unconditional import of certificate profiles into + LDAP + +During IPA server upgrade, the migration of Dogtag profiles into LDAP +backend was bound to the update of CS.cfg which enabled the LDAP profile +subsystem. If the subsequent profile migration failed, the subsequent +upgrades were not executing the migration code leaving CA subsystem in +broken state. Therefore the migration code path should be executed +regardless of the status of the main Dogtag config file. + +https://fedorahosted.org/freeipa/ticket/5682 + +Reviewed-By: Fraser Tweedale +Reviewed-By: Jan Cholasta +--- + ipaserver/install/cainstance.py | 8 ++++++-- + ipaserver/install/server/upgrade.py | 4 +++- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index 369902ad04b197c9e9516503c1f81c4de1ef153b..1a98c438786ae7dad208212fff23e3a760c95b3c 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -1807,7 +1807,6 @@ def migrate_profiles_to_ldap(dogtag_constants): + continue + class_id = match.group(1) + +- root_logger.info("Migrating profile '%s' to LDAP", profile_id) + with open(filename) as f: + profile_data = f.read() + if profile_data[-1] != '\n': +@@ -1824,7 +1823,12 @@ def _create_dogtag_profile(profile_id, profile_data): + # import the profile + try: + profile_api.create_profile(profile_data) +- except errors.RemoteRetrieveError: ++ root_logger.info("Profile '%s' successfully migrated to LDAP", ++ profile_id) ++ except errors.RemoteRetrieveError as e: ++ root_logger.debug("Error migrating '{}': {}".format( ++ profile_id, e)) ++ + # conflicting profile; replace it if we are + # installing IPA, but keep it for upgrades + if api.env.context == 'installer': +diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py +index 0a46635979497f8028465c2295b22485fd9c0279..258d976c83844f89c1a939303b685fd6565b79e5 100644 +--- a/ipaserver/install/server/upgrade.py ++++ b/ipaserver/install/server/upgrade.py +@@ -336,7 +336,9 @@ def ca_enable_ldap_profile_subsystem(ca): + separator='=') + + ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) +- cainstance.migrate_profiles_to_ldap(caconfig) ++ ++ root_logger.info('[Migrating certificate profiles to LDAP]') ++ cainstance.migrate_profiles_to_ldap(caconfig) + + return needs_update + +-- +2.5.0 + diff --git a/SOURCES/0192-upgrade-fix-config-of-sidgen-and-extdom-plugins.patch b/SOURCES/0192-upgrade-fix-config-of-sidgen-and-extdom-plugins.patch new file mode 100644 index 0000000..c0aee5a --- /dev/null +++ b/SOURCES/0192-upgrade-fix-config-of-sidgen-and-extdom-plugins.patch @@ -0,0 +1,279 @@ +From c7df4a1856e740e88ac3633344815d5a0ff0d1f2 Mon Sep 17 00:00:00 2001 +From: Martin Basti +Date: Thu, 18 Feb 2016 19:59:50 +0100 +Subject: [PATCH] upgrade: fix config of sidgen and extdom plugins + +During upgrade to IPA 4.2, literally "$SUFFIX" value was added to +configuration of sidgen and extdom plugins. This cause that SID are not properly configured. + +Upgrade must fix "$SUFFIX" to reals suffix DN, and run sidgen task +against IPA domain (if exists). + +All trusts added when plugins configuration was broken must be re-added. + +https://fedorahosted.org/freeipa/ticket/5665 + +Reviewed-By: Alexander Bokovoy +Reviewed-By: Tomas Babej +--- + install/updates/90-post_upgrade_plugins.update | 2 + + ipaserver/install/dsinstance.py | 12 +- + ipaserver/install/plugins/adtrust.py | 153 ++++++++++++++++++++++++- + ipaserver/install/server/upgrade.py | 4 +- + 4 files changed, 162 insertions(+), 9 deletions(-) + +diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update +index 3df3a4574705dbd8df8f25149c13877898afb66b..f0d77138520f41376d71478d3633ea4c19f66195 100644 +--- a/install/updates/90-post_upgrade_plugins.update ++++ b/install/updates/90-post_upgrade_plugins.update +@@ -4,6 +4,8 @@ + # middle + plugin: update_dnszones + plugin: update_dns_limits ++plugin: update_sigden_extdom_broken_config ++plugin: update_sids + plugin: update_default_range + plugin: update_default_trust_view + plugin: update_ca_renewal_master +diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py +index d78158532c4c88d9aa9acf3c65d278f5151458d8..7044782bac8068f7470b62bd7489b5319269b119 100644 +--- a/ipaserver/install/dsinstance.py ++++ b/ipaserver/install/dsinstance.py +@@ -925,9 +925,9 @@ class DsInstance(service.Service): + """ + Add sidgen directory server plugin configuration if it does not already exist. + """ +- self._ldap_mod('ipa-sidgen-conf.ldif', self.sub_dict) ++ self.add_sidgen_plugin(self.sub_dict['SUFFIX']) + +- def add_sidgen_plugin(self): ++ def add_sidgen_plugin(self, suffix): + """ + Add sidgen plugin configuration only if it does not already exist. + """ +@@ -935,7 +935,7 @@ class DsInstance(service.Service): + try: + self.admin_conn.get_entry(dn) + except errors.NotFound: +- self._add_sidgen_plugin() ++ self._ldap_mod('ipa-sidgen-conf.ldif', dict(SUFFIX=suffix)) + else: + root_logger.debug("sidgen plugin is already configured") + +@@ -943,9 +943,9 @@ class DsInstance(service.Service): + """ + Add directory server configuration for the extdom extended operation. + """ +- self._ldap_mod('ipa-extdom-extop-conf.ldif', self.sub_dict) ++ self.add_extdom_plugin(self.sub_dict['SUFFIX']) + +- def add_extdom_plugin(self): ++ def add_extdom_plugin(self, suffix): + """ + Add extdom configuration if it does not already exist. + """ +@@ -953,7 +953,7 @@ class DsInstance(service.Service): + try: + self.admin_conn.get_entry(dn) + except errors.NotFound: +- self._add_extdom_plugin() ++ self._ldap_mod('ipa-extdom-extop-conf.ldif', dict(SUFFIX=suffix)) + else: + root_logger.debug("extdom plugin is already configured") + +diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py +index 45bcc5f2fe532446342300ff0c5e1e7149cf023b..4990a34f8972a0ffba098642c1ead09f976852e6 100644 +--- a/ipaserver/install/plugins/adtrust.py ++++ b/ipaserver/install/plugins/adtrust.py +@@ -24,6 +24,7 @@ from ipapython.dn import DN + from ipapython.ipa_log_manager import * + from ipapython import sysrestore + from ipaserver.install import installutils ++from ipaserver.install import sysupgrade + + DEFAULT_ID_RANGE_SIZE = 200000 + +@@ -164,7 +165,6 @@ class update_default_trust_view(Updater): + + return False, [update] + +- + class update_oddjobd_for_adtrust(Updater): + """ + Enables and starts oddjobd daemon if ipa-adtrust-install has been run +@@ -184,6 +184,157 @@ class update_oddjobd_for_adtrust(Updater): + + return False, [] + ++ ++class update_sigden_extdom_broken_config(Updater): ++ """Fix configuration of sidgen and extdom plugins ++ ++ Upgrade to IPA 4.2+ cause that sidgen and extdom plugins have improperly ++ configured basedn. ++ ++ All trusts which have been added when config was broken must to be ++ re-added manually. ++ ++ https://fedorahosted.org/freeipa/ticket/5665 ++ """ ++ ++ sidgen_config_dn = DN("cn=IPA SIDGEN,cn=plugins,cn=config") ++ extdom_config_dn = DN("cn=ipa_extdom_extop,cn=plugins,cn=config") ++ ++ def _fix_config(self): ++ """Due upgrade error configuration of sidgen and extdom plugins may ++ contain literally "$SUFFIX" value instead of real DN in nsslapd-basedn ++ attribute ++ ++ :return: True if config was fixed, False if fix is not needed ++ """ ++ ldap = self.api.Backend.ldap2 ++ basedn_attr = 'nsslapd-basedn' ++ modified = False ++ ++ for dn in (self.sidgen_config_dn, self.extdom_config_dn): ++ try: ++ entry = ldap.get_entry(dn, attrs_list=[basedn_attr]) ++ except errors.NotFound: ++ self.log.debug("configuration for %s not found, skipping", dn) ++ else: ++ configured_suffix = entry.single_value.get(basedn_attr) ++ if configured_suffix is None: ++ raise RuntimeError( ++ "Missing attribute {attr} in {dn}".format( ++ attr=basedn_attr, dn=dn ++ ) ++ ) ++ elif configured_suffix == "$SUFFIX": ++ # configured value is wrong, fix it ++ entry.single_value[basedn_attr] = str(self.api.env.basedn) ++ self.log.debug("updating attribute %s of %s to correct " ++ "value %s", basedn_attr, dn, ++ self.api.env.basedn) ++ ldap.update_entry(entry) ++ modified = True ++ else: ++ self.log.debug("configured basedn for %s is okay", dn) ++ ++ return modified ++ ++ def execute(self, **options): ++ if sysupgrade.get_upgrade_state('sidgen', 'config_basedn_updated'): ++ self.log.debug("Already done, skipping") ++ return False, () ++ ++ restart = False ++ if self._fix_config(): ++ sysupgrade.set_upgrade_state('sidgen', 'update_sids', True) ++ restart = True # DS has to be restarted to apply changes ++ ++ sysupgrade.set_upgrade_state('sidgen', 'config_basedn_updated', True) ++ return restart, () ++ ++ ++class update_sids(Updater): ++ """SIDs may be not created properly if bug with wrong configuration for ++ sidgen and extdom plugins is effective ++ ++ This must be run after "update_sigden_extdom_broken_config" ++ https://fedorahosted.org/freeipa/ticket/5665 ++ """ ++ sidgen_config_dn = DN("cn=IPA SIDGEN,cn=plugins,cn=config") ++ ++ def execute(self, **options): ++ ldap = self.api.Backend.ldap2 ++ ++ if sysupgrade.get_upgrade_state('sidgen', 'update_sids') is not True: ++ self.log.debug("SIDs do not need to be generated") ++ return False, () ++ ++ # check if IPA domain for AD trust has been created, and if we need to ++ # regenerate missing SIDs if attribute 'ipaNTSecurityIdentifier' ++ domain_IPA_AD_dn = DN( ++ ('cn', self.api.env.domain), ++ self.api.env.container_cifsdomains, ++ self.api.env.basedn) ++ attr_name = 'ipaNTSecurityIdentifier' ++ ++ try: ++ entry = ldap.get_entry(domain_IPA_AD_dn, attrs_list=[attr_name]) ++ except errors.NotFound: ++ self.log.debug("IPA domain object %s is not configured", ++ domain_IPA_AD_dn) ++ sysupgrade.set_upgrade_state('sidgen', 'update_sids', False) ++ return False, () ++ else: ++ if not entry.single_value.get(attr_name): ++ # we need to run sidgen task ++ sidgen_task_dn = DN( ++ "cn=generate domain sid,cn=ipa-sidgen-task,cn=tasks," ++ "cn=config") ++ sidgen_tasks_attr = { ++ "objectclass": ["top", "extensibleObject"], ++ "cn": ["sidgen"], ++ "delay": [0], ++ "nsslapd-basedn": [self.api.env.basedn], ++ } ++ ++ task_entry = ldap.make_entry(sidgen_task_dn, ++ **sidgen_tasks_attr) ++ try: ++ ldap.add_entry(task_entry) ++ except errors.DuplicateEntry: ++ self.log.debug("sidgen task already created") ++ else: ++ self.log.debug("sidgen task has been created") ++ ++ # we have to check all trusts domains which may been affected by the ++ # bug. Symptom is missing 'ipaNTSecurityIdentifier' attribute ++ ++ base_dn = DN(self.api.env.container_adtrusts, self.api.env.basedn) ++ try: ++ trust_domain_entries, truncated = ldap.find_entries( ++ base_dn=base_dn, ++ scope=ldap.SCOPE_ONELEVEL, ++ attrs_list=["cn"], ++ # more types of trusts can be stored under cn=trusts, we need ++ # the type with ipaNTTrustPartner attribute ++ filter="(!(%s=*))" % attr_name ++ ) ++ except errors.NotFound: ++ pass ++ else: ++ if truncated: ++ self.log.warning("update_sids: Search results were truncated") ++ ++ for entry in trust_domain_entries: ++ domain = entry.single_value["cn"] ++ self.log.error( ++ "Your trust to %s is broken. Please re-create it by " ++ "running 'ipa trust-add' again.", domain) ++ ++ sysupgrade.set_upgrade_state('sidgen', 'update_sids', False) ++ return False, () ++ ++ + api.register(update_default_range) + api.register(update_default_trust_view) + api.register(update_oddjobd_for_adtrust) ++api.register(update_sids) ++api.register(update_sigden_extdom_broken_config) +diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py +index 258d976c83844f89c1a939303b685fd6565b79e5..c53b19a937d559b25da256670a5205ab40e0cadb 100644 +--- a/ipaserver/install/server/upgrade.py ++++ b/ipaserver/install/server/upgrade.py +@@ -1290,8 +1290,8 @@ def ds_enable_sidgen_extdom_plugins(ds): + root_logger.debug('sidgen and extdom plugins are enabled already') + return + +- ds.add_sidgen_plugin() +- ds.add_extdom_plugin() ++ ds.add_sidgen_plugin(api.env.basedn) ++ ds.add_extdom_plugin(api.env.basedn) + sysupgrade.set_upgrade_state('ds', 'enable_ds_sidgen_extdom_plugins', True) + + def ca_upgrade_schema(ca): +-- +2.5.0 + diff --git a/SOURCES/0193-trusts-use-ipaNTTrustPartner-attribute-to-detect-tru.patch b/SOURCES/0193-trusts-use-ipaNTTrustPartner-attribute-to-detect-tru.patch new file mode 100644 index 0000000..03b2239 --- /dev/null +++ b/SOURCES/0193-trusts-use-ipaNTTrustPartner-attribute-to-detect-tru.patch @@ -0,0 +1,63 @@ +From 6f958201dc32a1043c77632fe98c05307a4ea671 Mon Sep 17 00:00:00 2001 +From: Martin Basti +Date: Mon, 22 Feb 2016 17:36:01 +0100 +Subject: [PATCH] trusts: use ipaNTTrustPartner attribute to detect trust + entries + +Trust entries were found by presence of ipaNTSecurityIdentifier +attribute. Unfortunately this attribute might not be there due the bug. +As replacement for this, attribute ipaNTTrustPartner can be used. + +Note: other non trust entries located in cn=trusts subtree can be +cross-realm principals. + +https://fedorahosted.org/freeipa/ticket/5665 + +Reviewed-By: Alexander Bokovoy +Reviewed-By: Tomas Babej +--- + ipalib/plugins/trust.py | 7 +++++-- + ipaserver/install/plugins/adtrust.py | 2 +- + 2 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py +index 173463ae7d4134b5bd155cc5fa920bfabd0a6958..ff142591d385e715994f0381c6b23c416763cd03 100644 +--- a/ipalib/plugins/trust.py ++++ b/ipalib/plugins/trust.py +@@ -541,7 +541,10 @@ class trust(LDAPObject): + ldap = self.backend + filter = ldap.make_filter({'objectclass': ['ipaNTTrustedDomain'], 'cn': [keys[-1]] }, + rules=ldap.MATCH_ALL) +- filter = ldap.combine_filters((filter, "ipaNTSecurityIdentifier=*"), rules=ldap.MATCH_ALL) ++ # more type of objects can be located in subtree (for example ++ # cross-realm principals). we need this attr do detect trust ++ # entries ++ filter = ldap.combine_filters((filter, "ipaNTTrustPartner=*"), rules=ldap.MATCH_ALL) + result = ldap.get_entries(DN(self.container_dn, self.env.basedn), + ldap.SCOPE_SUBTREE, filter, ['']) + if len(result) > 1: +@@ -996,7 +999,7 @@ class trust_find(LDAPSearch): + # search needs to be done on a sub-tree scope + def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options): + # list only trust, not trust domains +- trust_filter = '(ipaNTSecurityIdentifier=*)' ++ trust_filter = '(ipaNTTrustPartner=*)' + filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL) + return (filter, base_dn, ldap.SCOPE_SUBTREE) + +diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py +index 4990a34f8972a0ffba098642c1ead09f976852e6..ea6de5cefe1dc56fc55cca076643867ecbeb08fe 100644 +--- a/ipaserver/install/plugins/adtrust.py ++++ b/ipaserver/install/plugins/adtrust.py +@@ -315,7 +315,7 @@ class update_sids(Updater): + attrs_list=["cn"], + # more types of trusts can be stored under cn=trusts, we need + # the type with ipaNTTrustPartner attribute +- filter="(!(%s=*))" % attr_name ++ filter="(&(ipaNTTrustPartner=*)(!(%s=*)))" % attr_name + ) + except errors.NotFound: + pass +-- +2.5.0 + diff --git a/SOURCES/0194-Warn-user-if-trust-is-broken.patch b/SOURCES/0194-Warn-user-if-trust-is-broken.patch new file mode 100644 index 0000000..bab8f9d --- /dev/null +++ b/SOURCES/0194-Warn-user-if-trust-is-broken.patch @@ -0,0 +1,115 @@ +From b08bab80ab8c11681a96a10807930c830a2d096f Mon Sep 17 00:00:00 2001 +From: Martin Basti +Date: Fri, 19 Feb 2016 14:55:34 +0100 +Subject: [PATCH] Warn user if trust is broken + +Detect missing ipaNTSecurityIdentifier and print message for a user, +that the trust is broken as result of trust-show and trust-find commands. + +https://fedorahosted.org/freeipa/ticket/5665 + +Reviewed-By: Alexander Bokovoy +Reviewed-By: Tomas Babej +--- + ipalib/messages.py | 11 +++++++++++ + ipalib/plugins/trust.py | 41 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 52 insertions(+) + +diff --git a/ipalib/messages.py b/ipalib/messages.py +index 58ae1f3ecbbf139f6f584c0ea2ebea6eb92e6e2b..ce92547de78a07f00d40fd850563faf1253826e3 100644 +--- a/ipalib/messages.py ++++ b/ipalib/messages.py +@@ -241,6 +241,17 @@ class DNSSECValidationFailingWarning(PublicMessage): + u"validation on all IPA servers.") + + ++class BrokenTrust(PublicMessage): ++ """ ++ **13018** Trust for a specified domain is broken ++ """ ++ ++ errno = 13018 ++ type = "warning" ++ format = _("Your trust to %(domain)s is broken. Please re-create it by " ++ "running 'ipa trust-add' again.") ++ ++ + def iter_messages(variables, base): + """Return a tuple with all subclasses + """ +diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py +index ff142591d385e715994f0381c6b23c416763cd03..d451325e31e4e1d8d7223f009677bbcb002c65cb 100644 +--- a/ipalib/plugins/trust.py ++++ b/ipalib/plugins/trust.py +@@ -18,6 +18,9 @@ + # You should have received a copy of the GNU General Public License + # along with this program. If not, see . + ++from ipalib.messages import ( ++ add_message, ++ BrokenTrust) + from ipalib.plugable import Registry + from ipalib.plugins.baseldap import * + from ipalib.plugins.dns import dns_container_exists +@@ -554,6 +557,30 @@ class trust(LDAPObject): + dn=make_trust_dn(self.env, trust_type, DN(*sdn)) + return dn + ++ def warning_if_ad_trust_dom_have_missing_SID(self, result, **options): ++ """Due bug https://fedorahosted.org/freeipa/ticket/5665 there might be ++ AD trust domain without generated SID, warn user about it. ++ """ ++ ldap = self.api.Backend.ldap2 ++ ++ try: ++ entries, truncated = ldap.find_entries( ++ base_dn=DN(self.container_dn, self.api.env.basedn), ++ attrs_list=['cn'], ++ filter='(&(ipaNTTrustPartner=*)' ++ '(!(ipaNTSecurityIdentifier=*)))', ++ ) ++ except errors.NotFound: ++ pass ++ else: ++ for entry in entries: ++ add_message( ++ options['version'], ++ result, ++ BrokenTrust(domain=entry.single_value['cn']) ++ ) ++ ++ + @register() + class trust_add(LDAPCreate): + __doc__ = _(''' +@@ -1003,6 +1030,13 @@ class trust_find(LDAPSearch): + filter = ldap.combine_filters((filters, trust_filter), rules=ldap.MATCH_ALL) + return (filter, base_dn, ldap.SCOPE_SUBTREE) + ++ def execute(self, *args, **options): ++ result = super(trust_find, self).execute(*args, **options) ++ ++ self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options) ++ ++ return result ++ + def post_callback(self, ldap, entries, truncated, *args, **options): + if options.get('pkey_only', False): + return truncated +@@ -1022,6 +1056,13 @@ class trust_show(LDAPRetrieve): + has_output_params = LDAPRetrieve.has_output_params + trust_output_params +\ + (Str('ipanttrusttype'), Str('ipanttrustdirection')) + ++ def execute(self, *keys, **options): ++ result = super(trust_show, self).execute(*keys, **options) ++ ++ self.obj.warning_if_ad_trust_dom_have_missing_SID(result, **options) ++ ++ return result ++ + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + + assert isinstance(dn, DN) +-- +2.5.0 + diff --git a/SOURCES/0195-fix-upgrade-wait-for-proper-DS-socket-after-DS-resta.patch b/SOURCES/0195-fix-upgrade-wait-for-proper-DS-socket-after-DS-resta.patch new file mode 100644 index 0000000..040498d --- /dev/null +++ b/SOURCES/0195-fix-upgrade-wait-for-proper-DS-socket-after-DS-resta.patch @@ -0,0 +1,39 @@ +From 69322c06e8fd9f21867a9c7aa04f990be47536df Mon Sep 17 00:00:00 2001 +From: Martin Basti +Date: Tue, 23 Feb 2016 10:37:47 +0100 +Subject: [PATCH] fix upgrade: wait for proper DS socket after DS restart + +DS restart executed by upgrade plugin causes that upgrade framework +is waiting for the improper socket. It leads to TimeoutError because +DS is not listening on 389 port during upgrade. This commit fixes the issue. + +Required for: https://fedorahosted.org/freeipa/ticket/5665 + +Reviewed-By: Alexander Bokovoy +Reviewed-By: Tomas Babej +--- + ipaserver/install/ldapupdate.py | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py +index 6f796dfdc8bbac1bb99a8b5a1bd5a6aaa778db16..0e258612d3060188212fdd2625d7e62b5cb14ebf 100644 +--- a/ipaserver/install/ldapupdate.py ++++ b/ipaserver/install/ldapupdate.py +@@ -44,7 +44,6 @@ from ipaplatform.paths import paths + from ipaplatform import services + from ipapython.dn import DN + from ipapython.ipa_log_manager import * +-from ipapython.ipautil import wait_for_open_socket + + UPDATES_DIR=paths.UPDATES_DIR + +@@ -932,5 +931,4 @@ class LDAPUpdate: + def restart_ds(self): + dirsrv = services.knownservices.dirsrv + self.log.debug('Restarting directory server to apply updates') +- dirsrv.restart() +- wait_for_open_socket(self.socket_name) ++ dirsrv.restart(ldapi=self.ldapi) +-- +2.5.0 + diff --git a/SOURCES/0196-slapi-nis-update-configuration-to-allow-external-mem.patch b/SOURCES/0196-slapi-nis-update-configuration-to-allow-external-mem.patch new file mode 100644 index 0000000..f9f9843 --- /dev/null +++ b/SOURCES/0196-slapi-nis-update-configuration-to-allow-external-mem.patch @@ -0,0 +1,61 @@ +From 01ccf0deee2cfa98f76d79eb435be74efecd4626 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Mon, 22 Feb 2016 12:40:03 +0200 +Subject: [PATCH] slapi-nis: update configuration to allow external members of + IPA groups + +Currently in an environment with trust to AD the compat tree does not +show AD users as members of IPA groups. The reason is that IPA groups +are read directly from the IPA DS tree and external groups are not +handled. + +slapi-nis project has added support for it in 0.55, make sure we update +configuration for the group map if it exists and depend on 0.55 version. + +https://fedorahosted.org/freeipa/ticket/4403 + +Reviewed-By: Tomas Babej +--- + freeipa.spec.in | 2 +- + install/updates/50-externalmembers.update | 3 +++ + install/updates/Makefile.am | 1 + + 3 files changed, 5 insertions(+), 1 deletion(-) + create mode 100644 install/updates/50-externalmembers.update + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index cd26d4ce66e320f8b8bf6aaa3e738b4c11f89aa9..17b90fc4653bd7694bf389a19d5847d7df544890 100644 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -139,7 +139,7 @@ Requires(pre): systemd-units + Requires(post): systemd-units + Requires: selinux-policy >= %{selinux_policy_version} + Requires(post): selinux-policy-base +-Requires: slapi-nis >= 0.54.2-1 ++Requires: slapi-nis >= 0.55-1 + Requires: pki-ca >= 10.2.5 + Requires: pki-kra >= 10.2.5 + Requires(preun): python systemd-units +diff --git a/install/updates/50-externalmembers.update b/install/updates/50-externalmembers.update +new file mode 100644 +index 0000000000000000000000000000000000000000..6b9c5dd23fac65fd5e9055b255e7c4d41e5cc66b +--- /dev/null ++++ b/install/updates/50-externalmembers.update +@@ -0,0 +1,3 @@ ++dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config ++addifexist: schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember") ++addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup +diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am +index 26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598..86799838c8713d04d03a69167a00ee4baa6acd6c 100644 +--- a/install/updates/Makefile.am ++++ b/install/updates/Makefile.am +@@ -45,6 +45,7 @@ app_DATA = \ + 50-krbenctypes.update \ + 50-nis.update \ + 50-ipaconfig.update \ ++ 50-externalmembers.update \ + 55-pbacmemberof.update \ + 59-trusts-sysacount.update \ + 60-trusts.update \ +-- +2.5.0 + diff --git a/SOURCES/0197-Insure-the-admin_conn-is-disconnected-on-stop.patch b/SOURCES/0197-Insure-the-admin_conn-is-disconnected-on-stop.patch new file mode 100644 index 0000000..1d60fc2 --- /dev/null +++ b/SOURCES/0197-Insure-the-admin_conn-is-disconnected-on-stop.patch @@ -0,0 +1,36 @@ +From 431f42703acfb2f22c034a336277dcb2c320928a Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Tue, 4 Aug 2015 10:15:36 -0400 +Subject: [PATCH] Insure the admin_conn is disconnected on stop + +If we stop or restart the server insure admin_conn gets reset or other +parts may fail to properly connect/authenticate + +Signed-off-by: Simo Sorce +Reviewed-By: Jan Cholasta +--- + ipaserver/install/dsinstance.py | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py +index 7044782bac8068f7470b62bd7489b5319269b119..cadf9ccbe8ed0a20813af3fd671b18942a918b0b 100644 +--- a/ipaserver/install/dsinstance.py ++++ b/ipaserver/install/dsinstance.py +@@ -478,7 +478,14 @@ class DsInstance(service.Service): + # Does not apply with newer DS releases + pass + ++ def stop(self, *args, **kwargs): ++ if self.admin_conn: ++ self.ldap_disconnect() ++ super(DsInstance, self).stop(*args, **kwargs) ++ + def restart(self, instance=''): ++ if self.admin_conn: ++ self.ldap_disconnect() + try: + super(DsInstance, self).restart(instance) + if not is_ds_running(instance): +-- +2.5.0 + diff --git a/SOURCES/0198-Fix-connections-to-DS-during-installation.patch b/SOURCES/0198-Fix-connections-to-DS-during-installation.patch new file mode 100644 index 0000000..8a9e587 --- /dev/null +++ b/SOURCES/0198-Fix-connections-to-DS-during-installation.patch @@ -0,0 +1,42 @@ +From 520e2ed9c5b2cfe3e3231bd616639bddb16d6995 Mon Sep 17 00:00:00 2001 +From: Martin Basti +Date: Tue, 1 Mar 2016 17:36:55 +0100 +Subject: [PATCH] Fix connections to DS during installation + +Regression caused by commit 9818e463f5d0a91b300801ee7c8f31f25de402b2, +admin_conn should be connected in method if there is no connection. + +https://fedorahosted.org/freeipa/ticket/5665 + +Reviewed-By: Petr Vobornik +--- + ipaserver/install/dsinstance.py | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py +index cadf9ccbe8ed0a20813af3fd671b18942a918b0b..4ad0f9e7def8a10b1eaffce1b3d9cadd9cdcc689 100644 +--- a/ipaserver/install/dsinstance.py ++++ b/ipaserver/install/dsinstance.py +@@ -938,6 +938,9 @@ class DsInstance(service.Service): + """ + Add sidgen plugin configuration only if it does not already exist. + """ ++ if not self.admin_conn: ++ self.ldap_connect() ++ + dn = DN('cn=IPA SIDGEN,cn=plugins,cn=config') + try: + self.admin_conn.get_entry(dn) +@@ -956,6 +959,9 @@ class DsInstance(service.Service): + """ + Add extdom configuration if it does not already exist. + """ ++ if not self.admin_conn: ++ self.ldap_connect() ++ + dn = DN('cn=ipa_extdom_extop,cn=plugins,cn=config') + try: + self.admin_conn.get_entry(dn) +-- +2.5.0 + diff --git a/SOURCES/0199-Fix-broken-trust-warnings.patch b/SOURCES/0199-Fix-broken-trust-warnings.patch new file mode 100644 index 0000000..3b650c6 --- /dev/null +++ b/SOURCES/0199-Fix-broken-trust-warnings.patch @@ -0,0 +1,32 @@ +From 9f131566a8218a082b59ec980e04f9193e9c85f7 Mon Sep 17 00:00:00 2001 +From: Martin Basti +Date: Wed, 16 Mar 2016 13:41:51 +0100 +Subject: [PATCH] Fix broken trust warnings + +Warning should be shown only for parent entries of trust domain. Subdomains do not contain ipaNTSecurityIdentifier attribute at all. + +https://fedorahosted.org/freeipa/ticket/5737 + +Reviewed-By: Alexander Bokovoy +--- + ipalib/plugins/trust.py | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py +index d451325e31e4e1d8d7223f009677bbcb002c65cb..4b3cb7aab665e5cd952704a58e4b58ea55ecab0a 100644 +--- a/ipalib/plugins/trust.py ++++ b/ipalib/plugins/trust.py +@@ -565,7 +565,9 @@ class trust(LDAPObject): + + try: + entries, truncated = ldap.find_entries( +- base_dn=DN(self.container_dn, self.api.env.basedn), ++ base_dn=DN(self.api.env.container_adtrusts, ++ self.api.env.basedn), ++ scope=ldap.SCOPE_ONELEVEL, + attrs_list=['cn'], + filter='(&(ipaNTTrustPartner=*)' + '(!(ipaNTSecurityIdentifier=*)))', +-- +2.5.0 + diff --git a/SOURCES/0200-replica-install-improvements-in-the-handling-of-CA-r.patch b/SOURCES/0200-replica-install-improvements-in-the-handling-of-CA-r.patch new file mode 100644 index 0000000..e16c0c9 --- /dev/null +++ b/SOURCES/0200-replica-install-improvements-in-the-handling-of-CA-r.patch @@ -0,0 +1,108 @@ +From d1470a8a5d2f39b57d8d66e8d0d7e8437fcd2ae4 Mon Sep 17 00:00:00 2001 +From: Martin Babinsky +Date: Wed, 2 Dec 2015 12:22:45 +0100 +Subject: [PATCH] replica install: improvements in the handling of CA-related + IPA config entries + +When a CA-less replica is installed, its IPA config file should be updated so +that ca_host points to nearest CA master and all certificate requests are +forwarded to it. A subsequent installation of CA subsystem on the replica +should clear this entry from the config so that all certificate requests are +handled by freshly installed local CA. + +https://fedorahosted.org/freeipa/ticket/5506 + +Reviewed-By: Martin Basti +--- + ipaserver/install/ca.py | 16 ---------------- + ipaserver/install/cainstance.py | 18 ++++++++++++++++++ + ipaserver/install/server/replicainstall.py | 3 +++ + 3 files changed, 21 insertions(+), 16 deletions(-) + +diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py +index d2fb5feeaf96e8450eddb1bc4e65ef3316b05b38..b4db8dcbfad9d482e7106cd06b3d497ccf8954f0 100644 +--- a/ipaserver/install/ca.py ++++ b/ipaserver/install/ca.py +@@ -12,7 +12,6 @@ from ipaplatform.paths import paths + from ipaserver.install import installutils, certs + from ipaserver.install.replication import replica_conn_check + from ipalib import api, certstore, x509 +-from ConfigParser import RawConfigParser + from ipapython.dn import DN + from ipapython.ipa_log_manager import root_logger + +@@ -240,21 +239,6 @@ def install_step_1(standalone, replica_config, options): + if standalone: + ca.start(ca.dogtag_constants.PKI_INSTANCE_NAME) + +- # Update config file +- try: +- parser = RawConfigParser() +- parser.read(paths.IPA_DEFAULT_CONF) +- parser.set('global', 'enable_ra', 'True') +- parser.set('global', 'ra_plugin', 'dogtag') +- parser.set('global', 'dogtag_version', +- str(dogtag_constants.DOGTAG_VERSION)) +- with open(paths.IPA_DEFAULT_CONF, 'w') as f: +- parser.write(f) +- except IOError, e: +- print "Failed to update /etc/ipa/default.conf" +- root_logger.error(str(e)) +- sys.exit(1) +- + # We need to restart apache as we drop a new config file in there + services.knownservices.httpd.restart(capture_output=True) + +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index 1a98c438786ae7dad208212fff23e3a760c95b3c..b06760308865aa42afac79d6750f4a422a5c8f95 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -482,6 +482,8 @@ class CAInstance(DogtagInstance): + self.step("importing IPA certificate profiles", + import_included_profiles) + self.step("adding default CA ACL", ensure_default_caacl) ++ self.step("updating IPA configuration", ++ lambda: update_ipa_conf(self.dogtag_constants)) + + self.start_creation(runtime=210) + +@@ -1880,6 +1882,22 @@ def ensure_default_caacl(): + api.Backend.ldap2.disconnect() + + ++def update_ipa_conf(dogtag_constants): ++ """ ++ Update IPA configuration file to ensure that RA plugins are enabled and ++ that CA host points to localhost ++ """ ++ parser = ConfigParser.RawConfigParser() ++ parser.read(paths.IPA_DEFAULT_CONF) ++ parser.set('global', 'enable_ra', 'True') ++ parser.set('global', 'ra_plugin', 'dogtag') ++ parser.set('global', 'dogtag_version', ++ str(dogtag_constants.DOGTAG_VERSION)) ++ parser.remove_option('global', 'ca_host') ++ with open(paths.IPA_DEFAULT_CONF, 'w') as f: ++ parser.write(f) ++ ++ + if __name__ == "__main__": + standard_logging_setup("install.log") + ds = dsinstance.DsInstance() +diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py +index 317eda92dd4322542f035c2df4dba919a5898cc7..2ab95add90d33eb191d4e75b62cb4eceac40551b 100644 +--- a/ipaserver/install/server/replicainstall.py ++++ b/ipaserver/install/server/replicainstall.py +@@ -378,6 +378,9 @@ def install_check(installer): + fd.write("ra_plugin=dogtag\n") + fd.write("dogtag_version=%s\n" % + dogtag.install_constants.DOGTAG_VERSION) ++ ++ if not config.setup_ca: ++ fd.write("ca_host={0}\n".format(config.master_host_name)) + else: + fd.write("enable_ra=False\n") + fd.write("ra_plugin=none\n") +-- +2.5.0 + diff --git a/SOURCES/0201-certdb-never-use-the-r-option-of-certutil.patch b/SOURCES/0201-certdb-never-use-the-r-option-of-certutil.patch new file mode 100644 index 0000000..48c2bcc --- /dev/null +++ b/SOURCES/0201-certdb-never-use-the-r-option-of-certutil.patch @@ -0,0 +1,49 @@ +From c0598b1af6885b1558ef592d6e2a5250f707e878 Mon Sep 17 00:00:00 2001 +From: Jan Cholasta +Date: Thu, 10 Mar 2016 13:16:41 +0100 +Subject: [PATCH] certdb: never use the -r option of certutil + +The -r option makes certutil output certificates in DER. If there are +multiple certificates sharing the same nickname, certutil will output +them concatenated into a single blob. The blob is not a valid DER +anymore and causes failures further in the code. + +Use the -a option instead to output the certificates in PEM and convert +them to DER on demand. + +https://fedorahosted.org/freeipa/ticket/5117 +https://fedorahosted.org/freeipa/ticket/5720 + +Reviewed-By: David Kupka +--- + ipapython/certdb.py | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/ipapython/certdb.py b/ipapython/certdb.py +index 5a6e494fb8a5963ae9c68c697234e83575bc89ec..63dc4580b43ec11329d2074fc9a33e55dac9cb03 100644 +--- a/ipapython/certdb.py ++++ b/ipapython/certdb.py +@@ -395,15 +395,15 @@ class NSSDatabase(object): + "Setting trust on %s failed" % root_nickname) + + def get_cert(self, nickname, pem=False): +- args = ['-L', '-n', nickname] +- if pem: +- args.append('-a') +- else: +- args.append('-r') ++ args = ['-L', '-n', nickname, '-a'] + try: + cert, err, returncode = self.run_certutil(args) + except ipautil.CalledProcessError: + raise RuntimeError("Failed to get %s" % nickname) ++ if not pem: ++ (cert, start) = find_cert_from_txt(cert, start=0) ++ cert = x509.strip_header(cert) ++ cert = base64.b64decode(cert) + return cert + + def has_nickname(self, nickname): +-- +2.5.0 + diff --git a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch index 4c2fd45..6cb68b1 100644 --- a/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch +++ b/SOURCES/1001-Hide-pkinit-functionality-from-production-version.patch @@ -1,4 +1,4 @@ -From 38e9b66a161f8e5c540c69f46a8bc699d0906636 Mon Sep 17 00:00:00 2001 +From b30152e2225fed9a991423c35506f3aa62b38350 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Fri, 5 Sep 2014 11:24:27 +0200 Subject: [PATCH] Hide pkinit functionality from production version @@ -13,7 +13,7 @@ https://fedorahosted.org/freeipa/ticket/616 3 files changed, 8 insertions(+), 17 deletions(-) diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py -index 5246f5f5469c85571d04c99d872f38018802abaa..3ecf44fffad22e11b5008dadc24c9933eac965cf 100644 +index b9ae60e9bc9d40be5f86e312980846b2ad80f67d..62cc8368abd999bec07154dc2c715431ff0c3b1a 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -65,9 +65,6 @@ class ReplicaPrepare(admintool.AdminTool): @@ -72,10 +72,10 @@ index 5246f5f5469c85571d04c99d872f38018802abaa..3ecf44fffad22e11b5008dadc24c9933 # If any of the PKCS#12 options are selected, all are required. cert_file_req = (options.dirsrv_cert_files, options.http_cert_files) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py -index 9d7036a7786a35e6aa2429254d62c8afb30970db..95a9b560843cfea9b4f7b2718e4e943548cd9a30 100644 +index 01dffd08d4c929ebc5ecb6e6b0a8b685c1320dbd..a2a22c6334edf442e07ff3a1b4b9b309de2bc8a5 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py -@@ -1173,6 +1173,7 @@ class ServerCA(common.Installable, core.Group, core.Composite): +@@ -1172,6 +1172,7 @@ class ServerCA(common.Installable, core.Group, core.Composite): no_pkinit = Knob( bool, False, @@ -83,7 +83,7 @@ index 9d7036a7786a35e6aa2429254d62c8afb30970db..95a9b560843cfea9b4f7b2718e4e9435 description="disables pkinit setup steps", ) -@@ -1196,6 +1197,7 @@ class ServerCA(common.Installable, core.Group, core.Composite): +@@ -1195,6 +1196,7 @@ class ServerCA(common.Installable, core.Group, core.Composite): pkinit_cert_files = Knob( (list, str), None, @@ -91,7 +91,7 @@ index 9d7036a7786a35e6aa2429254d62c8afb30970db..95a9b560843cfea9b4f7b2718e4e9435 description=("File containing the Kerberos KDC SSL certificate and " "private key"), cli_name='pkinit-cert-file', -@@ -1221,6 +1223,7 @@ class ServerCA(common.Installable, core.Group, core.Composite): +@@ -1220,6 +1222,7 @@ class ServerCA(common.Installable, core.Group, core.Composite): pkinit_pin = Knob( str, None, @@ -99,7 +99,7 @@ index 9d7036a7786a35e6aa2429254d62c8afb30970db..95a9b560843cfea9b4f7b2718e4e9435 sensitive=True, description="The password to unlock the Kerberos KDC private key", cli_aliases=['pkinit_pin'], -@@ -1241,6 +1244,7 @@ class ServerCA(common.Installable, core.Group, core.Composite): +@@ -1240,6 +1243,7 @@ class ServerCA(common.Installable, core.Group, core.Composite): pkinit_cert_name = Knob( str, None, @@ -108,10 +108,10 @@ index 9d7036a7786a35e6aa2429254d62c8afb30970db..95a9b560843cfea9b4f7b2718e4e9435 cli_metavar='NAME', ) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 6e9157cabc49161ba27983cbf1de1428d1b48b7d..2544db2875cc29b1c0f6f8acd855bcfa02fc645a 100644 +index 2ab95add90d33eb191d4e75b62cb4eceac40551b..b000e8ce84df3cb2a6bc90520cb4713ab416f4da 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py -@@ -658,6 +658,7 @@ class ReplicaCA(common.Installable, core.Group, core.Composite): +@@ -690,6 +690,7 @@ class ReplicaCA(common.Installable, core.Group, core.Composite): no_pkinit = Knob( bool, False, @@ -120,5 +120,5 @@ index 6e9157cabc49161ba27983cbf1de1428d1b48b7d..2544db2875cc29b1c0f6f8acd855bcfa ) -- -2.4.3 +2.5.0 diff --git a/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch index 877f1c5..681bfbe 100644 --- a/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch +++ b/SOURCES/1004-Change-branding-to-IPA-and-Identity-Management.patch @@ -1,4 +1,4 @@ -From b8aa1e36a06ec183709933e51ef105d7b4a96d6d Mon Sep 17 00:00:00 2001 +From 5e341cea66938c8dfd99d83c869a1f2ba71479be Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Fri, 5 Sep 2014 11:46:59 +0200 Subject: [PATCH] Change branding to IPA and Identity Management @@ -54,7 +54,7 @@ Subject: [PATCH] Change branding to IPA and Identity Management 47 files changed, 57 insertions(+), 57 deletions(-) diff --git a/install/html/browserconfig.html b/install/html/browserconfig.html -index d721a4ad2a3b684a4bf45602584fee78f4613360..b0cd570403b1604449887302844c43b1e89b80e2 100644 +index 9c5cf68211281723e12b518f346aac43c1541cdc..14c4ca1f98a60cd8dfe486f8b942fcf9ae9de4c0 100644 --- a/install/html/browserconfig.html +++ b/install/html/browserconfig.html @@ -2,7 +2,7 @@ @@ -723,10 +723,10 @@ index d75a2427352851fecc045707a8cf73f99d05843b..2a42272ef433a1ddb7a040143ff63a31 ''' diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py -index 95a9b560843cfea9b4f7b2718e4e943548cd9a30..f62874f085ee3ae478fc769465fe375abc4465e6 100644 +index a2a22c6334edf442e07ff3a1b4b9b309de2bc8a5..0534be818ecf950d9a9dab8f8a1797209d2dfc7d 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py -@@ -368,7 +368,7 @@ def install_check(installer): +@@ -366,7 +366,7 @@ def install_check(installer): print("=======================================" "=======================================") @@ -736,10 +736,10 @@ index 95a9b560843cfea9b4f7b2718e4e943548cd9a30..f62874f085ee3ae478fc769465fe375a print "This includes:" if setup_ca: diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 2d34fdd02b57eb962cdffba508e53cfea0c922e1..55c58335c5bbc6993999da4c465e58f4ce3225aa 100644 +index b000e8ce84df3cb2a6bc90520cb4713ab416f4da..3c13a3e743074e01ca952e114c2374205bdd68f8 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py -@@ -435,7 +435,7 @@ def install_check(installer): +@@ -467,7 +467,7 @@ def install_check(installer): above_upper_bound = current > constants.MAX_DOMAIN_LEVEL if under_lower_bound or above_upper_bound: @@ -749,5 +749,5 @@ index 2d34fdd02b57eb962cdffba508e53cfea0c922e1..55c58335c5bbc6993999da4c465e58f4 "this domain. The Domain Level needs to be " "raised before installing a replica with " -- -2.5.1 +2.5.0 diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch deleted file mode 100644 index 673cd2f..0000000 --- a/SOURCES/ipa-centos-branding.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 4744e1e..4da86e8 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -35,7 +35,7 @@ Name: ipa Version: 4.2.0 -Release: 15.0.1%{?dist}.6.1 +Release: 15%{?dist}.15 Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -43,10 +43,10 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity-Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source3: login-screen-logo.png -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source3: login-screen-logo.png +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity-Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -231,6 +231,27 @@ Patch0177: 0177-Upgrade-Fix-upgrade-of-NIS-Server-configuration.patch Patch0178: 0178-use-FFI-call-to-rpmvercmp-function-for-version-compa.patch Patch0179: 0179-ipalib-assume-version-2.0-when-skip_version_check-is.patch Patch0180: 0180-always-start-certmonger-during-IPA-server-configurat.patch +Patch0181: 0181-ipa-kdb-map_groups-consider-all-results.patch +Patch0182: 0182-ipa-ca-install-print-more-specific-errors-when-CA-is.patch +Patch0183: 0183-installer-Propagate-option-values-from-components-in.patch +Patch0184: 0184-installer-Fix-logic-of-reading-option-values-from-ca.patch +Patch0185: 0185-Fixed-login-error-message-box-in-LoginScreen-page.patch +Patch0186: 0186-cert-renewal-import-all-external-CA-certs-on-IPA-CA-.patch +Patch0187: 0187-CA-install-explicitly-set-dogtag_version-to-10.patch +Patch0188: 0188-fix-standalone-installation-of-externally-signed-CA-.patch +Patch0189: 0189-replica-install-validate-DS-and-HTTP-server-certific.patch +Patch0190: 0190-Do-not-decode-HTTP-reason-phrase-from-Dogtag.patch +Patch0191: 0191-upgrade-unconditional-import-of-certificate-profiles.patch +Patch0192: 0192-upgrade-fix-config-of-sidgen-and-extdom-plugins.patch +Patch0193: 0193-trusts-use-ipaNTTrustPartner-attribute-to-detect-tru.patch +Patch0194: 0194-Warn-user-if-trust-is-broken.patch +Patch0195: 0195-fix-upgrade-wait-for-proper-DS-socket-after-DS-resta.patch +Patch0196: 0196-slapi-nis-update-configuration-to-allow-external-mem.patch +Patch0197: 0197-Insure-the-admin_conn-is-disconnected-on-stop.patch +Patch0198: 0198-Fix-connections-to-DS-during-installation.patch +Patch0199: 0199-Fix-broken-trust-warnings.patch +Patch0200: 0200-replica-install-improvements-in-the-handling-of-CA-r.patch +Patch0201: 0201-certdb-never-use-the-r-option-of-certutil.patch Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch Patch1002: 1002-Remove-pkinit-plugin.patch @@ -242,7 +263,6 @@ Patch1007: 1007-Do-not-build-tests.patch Patch1008: 1008-RCUE.patch Patch1009: 1009-Do-not-allow-installation-in-FIPS-mode.patch Patch1010: 1010-WebUI-add-API-browser-is-experimental-warning.patch -Patch1011: ipa-centos-branding.patch # RHEL spec file only: END %if ! %{ONLY_CLIENT} @@ -353,7 +373,7 @@ Requires(pre): systemd-units Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} -Requires: slapi-nis >= 0.54-3 +Requires: slapi-nis >= 0.54-8 Requires: pki-ca >= 10.2.5-5 Requires: pki-kra >= 10.2.5-5 Requires(preun): python systemd-units @@ -377,7 +397,7 @@ Requires: systemd-python Requires: %{etc_systemd_dir} Requires: gzip # RHEL spec file only: START -# Requires: redhat-access-plugin-ipa +Requires: redhat-access-plugin-ipa # RHEL spec file only: END Conflicts: %{alt_name}-server @@ -480,7 +500,7 @@ Requires: pam_krb5 Requires: wget Requires: libcurl >= 7.21.7-2 Requires: xmlrpc-c >= 1.27.4 -Requires: sssd >= 1.13.0-6 +Requires: sssd >= 1.13.0-40.el7_2.2 Requires: python-sssdconfig Requires: certmonger >= 0.78 Requires: nss-tools @@ -586,10 +606,10 @@ for p in %patches ; do done # Red Hat's Identity Management branding -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE3 install/ui/images/login-screen-logo.png -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE3 install/ui/images/login-screen-logo.png +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END %build @@ -1186,14 +1206,73 @@ fi # RHEL spec file only: DELETED: Do not build tests %changelog -* Tue Apr 12 2016 CentOS Sources - 4.2.0-15.el7.centos.6.1 -- Roll in CentOS Branding -- add .0.1 to release for dist tag change to .el7.centos +* Mon Apr 18 2016 Jan Cholasta - 4.2.0-15.15 +- Related: #1327197 Crash during IPA upgrade due to slapd + - spec file: update minimum required version of slapi-nis -* Wed Apr 06 2016 Alexander Bokovoy - 4.2.0-15.6.1 +* Wed Apr 06 2016 Alexander Bokovoy - 4.2.0-15.14 - Rebuild against newer Samba version - Related: #1322690 +* Tue Apr 5 2016 Jan Cholasta - 4.2.0-15.13 +- Resolves: #1324060 Installers fail when there are multiple versions of the + same certificate + - certdb: never use the -r option of certutil + +* Thu Mar 17 2016 Jan Cholasta - 4.2.0-15.12 +- Resolves: #1309382 issues with migration from RHEL 6 self-signed to RHEL 7 CA + IPA setup + - replica install: improvements in the handling of CA-related IPA config + entries + +* Thu Mar 17 2016 Jan Cholasta - 4.2.0-15.11 +- Resolves: #1311470 ipa trust-add succeded but after that ipa trust-find + returns "0 trusts matched" + - Fix broken trust warnings + +* Wed Mar 2 2016 Jan Cholasta - 4.2.0-15.10 +- Resolves: #1311470 ipa trust-add succeded but after that ipa trust-find + returns "0 trusts matched" + - Insure the admin_conn is disconnected on stop + - Fix connections to DS during installation +- Renamed patch 1011 to 0196, as it was merged upstream + +* Wed Feb 24 2016 Jan Cholasta - 4.2.0-15.9 +- Resolves: #1311468 shared certificateProfiles container is missing on a + freshly installed RHEL7.2 system + - upgrade: unconditional import of certificate profiles into LDAP +- Resolves: #1311470 ipa trust-add succeded but after that ipa trust-find + returns "0 trusts matched" + - upgrade: fix config of sidgen and extdom plugins + - trusts: use ipaNTTrustPartner attribute to detect trust entries + - Warn user if trust is broken + - fix upgrade: wait for proper DS socket after DS restart +- Resolves: #1311502 [RFE] compat tree: show AD members of IPA groups + - slapi-nis: update configuration to allow external members of IPA groups + +* Tue Feb 23 2016 Jan Cholasta - 4.2.0-15.8 +- Resolves: #1303052 install fails when locale is "fr_FR.UTF-8" + - Do not decode HTTP reason phrase from Dogtag +- Resolves: #1303059 --setup-dns and other options is forgotten for using an + external PKI + - installer: Propagate option values from components instead of copying them. + - installer: Fix logic of reading option values from cache. +- Resolves: #1309362 User should be notified for wrong password in password + reset page + - Fixed login error message box in LoginScreen page +- Resolves: #1309382 issues with migration from RHEL 6 self-signed to RHEL 7 CA + IPA setup + - ipa-ca-install: print more specific errors when CA is already installed + - cert renewal: import all external CA certs on IPA CA cert renewal + - CA install: explicitly set dogtag_version to 10 + - fix standalone installation of externally signed CA on IPA master + - replica install: validate DS and HTTP server certificates + +* Mon Feb 8 2016 Jan Cholasta - 4.2.0-15.7 +- Resolves: #1304333 In IPA-AD trust environment some secondary IPA based Posix + groups are missing + - ipa-kdb: map_groups() consider all results + * Tue Feb 2 2016 Jan Cholasta - 4.2.0-15.6 - Resolves: #1298103 ipa-server-upgrade fails if certmonger is not running - always start certmonger during IPA server configuration upgrade