diff --git a/SOURCES/0202-Prevent-replica-install-from-overwriting-cert-profil.patch b/SOURCES/0202-Prevent-replica-install-from-overwriting-cert-profil.patch
new file mode 100644
index 0000000..45c936e
--- /dev/null
+++ b/SOURCES/0202-Prevent-replica-install-from-overwriting-cert-profil.patch
@@ -0,0 +1,70 @@
+From 81d5888a2dc512cd0295b860cf8f408dea2e46a0 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Wed, 11 May 2016 16:13:51 +1000
+Subject: [PATCH] Prevent replica install from overwriting cert profiles
+
+An earlier change that unconditionally triggers import of file-based
+profiles to LDAP during server or replica install results in
+replicas overwriting FreeIPA-managed profiles with profiles of the
+same name shipped with Dogtag. ('caIPAserviceCert' is the affected
+profile).
+
+Avoid this situation by never overwriting existing profiles during
+the LDAP import.
+
+Fixes: https://fedorahosted.org/freeipa/ticket/5881
+Reviewed-By: Jan Cholasta
+---
+ ipaserver/install/cainstance.py | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index b06760308865aa42afac79d6750f4a422a5c8f95..50ca5d3aeb9be24d8e1e80ad408191fca76a459c 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1763,7 +1763,9 @@ def import_included_profiles():
+ conn.add_entry(entry)
+ profile_data = ipautil.template_file(
+ '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
+- _create_dogtag_profile(profile_id, profile_data)
++
++ # Create the profile, replacing any existing profile of same name
++ _create_dogtag_profile(profile_id, profile_data, overwrite=True)
+ root_logger.info("Imported profile '%s'", profile_id)
+ 
+ api.Backend.ra_certprofile.override_port = None
+ 
+@@ -1815,12 +1817,17 @@ def migrate_profiles_to_ldap(dogtag_constants):
+ profile_data += '\n'
+ profile_data += 'profileId={}\n'.format(profile_id)
+ profile_data += 'classId={}\n'.format(class_id)
+- _create_dogtag_profile(profile_id, profile_data)
++
++ # Import the profile, but do not replace it if it already exists.
++ # This prevents replicas from replacing IPA-managed profiles with
++ # Dogtag default profiles of same name.
++ #
++ _create_dogtag_profile(profile_id, profile_data, overwrite=False)
+ 
+ api.Backend.ra_certprofile.override_port = None
+ 
+ 
+-def _create_dogtag_profile(profile_id, profile_data):
++def _create_dogtag_profile(profile_id, profile_data, overwrite):
+ with api.Backend.ra_certprofile as profile_api:
+ # import the profile
+ try:
+@@ -1831,9 +1838,8 @@ def _create_dogtag_profile(profile_id, profile_data):
+ root_logger.debug("Error migrating '{}': {}".format(
+ profile_id, e))
+ 
+- # conflicting profile; replace it if we are
+- # installing IPA, but keep it for upgrades
+- if api.env.context == 'installer':
++ # profile already exists
++ if overwrite:
+ try:
+ profile_api.disable_profile(profile_id)
+ except errors.RemoteRetrieveError:
+-- 
+2.5.5
+
diff --git a/SOURCES/0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch b/SOURCES/0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch
new file mode 100644
index 0000000..c83ebe6
--- /dev/null
+++ b/SOURCES/0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch
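Review bot: With `overwrite=False`, an already-present profile is kept and the only trace is the pre-existing `root_logger.debug("Error migrating '{}': {}")` line, so a replica whose caIPAserviceCert was earlier replaced by the Dogtag default keeps that copy with nothing above debug level in the install log to show the import was skipped; the non-overwrite path of the new `if overwrite:` lies outside the hunk, but it deserves an explicit `root_logger.info("Profile '%s' already exists, not overwriting", profile_id)`. `overwrite` is also a required positional boolean with no docstring; a one-line docstring on `_create_dogtag_profile` stating what `overwrite` does and that callers should pass it by keyword, as both call sites in this patch do, would prevent a transposed argument later. The comment block added to `migrate_profiles_to_ldap` ends with a bare `#` line that can be dropped. The body of `_create_dogtag_profile` continues beyond the hunk.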
@@ -0,0 +1,118 @@
+From 1eb9cc7556357b1b8d6d826321cb38b1f96c1b7e Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Wed, 18 May 2016 14:10:39 +1000
+Subject: [PATCH] Detect and repair incorrect caIPAserviceCert config
+
+A regression caused replica installation to replace the FreeIPA
+version of caIPAserviceCert with the version shipped by Dogtag.
+
+During upgrade, detect and repair occurrences of this problem.
+
+Part of: https://fedorahosted.org/freeipa/ticket/5881
+
+Reviewed-By: Jan Cholasta
+---
+ ipaserver/install/cainstance.py | 49 ++++++++++++++++++++++++++++++++++---
+ ipaserver/install/server/upgrade.py | 3 +++
+ 2 files changed, 49 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 50ca5d3aeb9be24d8e1e80ad408191fca76a459c..a8a57c4ffdbec453c76a01b88a7d4a188c03be33 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1717,14 +1717,18 @@ def configure_profiles_acl():
+ conn.disconnect()
+ return updated
+ 
+-def import_included_profiles():
++
++def __get_profile_config(profile_id):
+ sub_dict = dict(
+ DOMAIN=ipautil.format_netloc(api.env.domain),
+ IPA_CA_RECORD=IPA_CA_RECORD,
+ CRL_ISSUER='CN=Certificate Authority,o=ipaca',
+ SUBJECT_DN_O=dsinstance.DsInstance().find_subject_base(),
+ )
++ return ipautil.template_file(
++ '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
+ 
++def import_included_profiles():
+ server_id = installutils.realm_to_serverid(api.env.realm)
+ dogtag_uri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % server_id
+ conn = ldap2.ldap2(api, ldap_uri=dogtag_uri)
+@@ -1761,10 +1765,9 @@ def import_included_profiles():
+ ipacertprofilestoreissued=['TRUE' if store_issued else 'FALSE'],
+ )
+ conn.add_entry(entry)
+- profile_data = ipautil.template_file(
+- '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
+ 
+ # Create the profile, replacing any existing profile of same name
++ profile_data = __get_profile_config(profile_id)
+ _create_dogtag_profile(profile_id, profile_data, overwrite=True)
+ root_logger.info("Imported profile '%s'", profile_id)
+ 
+@@ -1772,6 +1775,46 @@ def import_included_profiles():
+ conn.disconnect()
+ 
+ 
++def repair_profile_caIPAserviceCert():
++ """
++ A regression caused replica installation to replace the FreeIPA
++ version of caIPAserviceCert with the version shipped by Dogtag.
++
++ This function detects and repairs occurrences of this problem.
++
++ """
++ api.Backend.ra_certprofile._read_password()
++ api.Backend.ra_certprofile.override_port = 8443
++
++ profile_id = 'caIPAserviceCert'
++
++ with api.Backend.ra_certprofile as profile_api:
++ try:
++ cur_config = profile_api.read_profile(profile_id).splitlines()
++ except errors.RemoteRetrieveError as e:
++ # no profile there to check/repair
++ api.Backend.ra_certprofile.override_port = None
++ return
++
++ indicators = [
++ "policyset.serverCertSet.1.default.params.name="
++ "CN=$request.req_subject_name.cn$, OU=pki-ipa, O=IPA ",
++ "policyset.serverCertSet.9.default.params.crlDistPointsPointName_0="
++ "https://ipa.example.com/ipa/crl/MasterCRL.bin",
++ ]
++ need_repair = all(l in cur_config for l in indicators)
++
++ if need_repair:
++ root_logger.debug(
++ "Detected that profile '{}' has been replaced with "
++ "incorrect version; begin repair.".format(profile_id))
++ _create_dogtag_profile(
++ profile_id, __get_profile_config(profile_id), overwrite=True)
++ root_logger.debug("Repair of profile '{}' complete.".format(profile_id))
++
++ api.Backend.ra_certprofile.override_port = None
++
++
+ def migrate_profiles_to_ldap(dogtag_constants):
+ """Migrate profiles from filesystem to LDAP.
+ 
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index c53b19a937d559b25da256670a5205ab40e0cadb..b0cd789d58408f720774adb276843a1b6ab6007d 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1554,6 +1554,9 @@ def upgrade_configuration():
+ ca_import_included_profiles(ca)
+ add_default_caacl(ca)
+ 
++ if ca.is_configured():
++ cainstance.repair_profile_caIPAserviceCert()
++
+ set_sssd_domain_option('ipa_server_mode', 'True')
+ 
+ if ds_running and not ds.is_running():
+-- 
+2.5.5
+
diff --git a/SOURCES/0204-replica-install-do-not-set-CA-renewal-master-flag.patch b/SOURCES/0204-replica-install-do-not-set-CA-renewal-master-flag.patch
new file mode 100644
index 0000000..8b03c3a
--- /dev/null
+++ b/SOURCES/0204-replica-install-do-not-set-CA-renewal-master-flag.patch
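Review bot: `repair_profile_caIPAserviceCert` resets `api.Backend.ra_certprofile.override_port` only on its two normal exits, so an exception other than `RemoteRetrieveError` from `read_profile`, or a failure inside `_create_dogtag_profile`, propagates out of `upgrade_configuration` with the port override left at 8443; this mirrors the existing pattern in `import_included_profiles`, but for a repair routine a `try:` around the `with` block with `finally: api.Backend.ra_certprofile.override_port = None` (replacing the two inline resets) is the safer shape. The detection requires both `indicators` lines to match the Dogtag default byte-for-byte, trailing space in `O=IPA ` included, so a default profile whose wording differs in another Dogtag build is presumably left unrepaired; a short comment above `indicators` saying the strings are taken verbatim from the shipped Dogtag caIPAserviceCert.cfg would make that limitation explicit. Minor: `e` in `except errors.RemoteRetrieveError as e:` is unused, and `l` as the generator variable is easily misread as `1`. `upgrade_configuration` in upgrade.py continues beyond the hunk.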
@@ -0,0 +1,89 @@
+From d279db85dbf455a6cbdacc48cbbc2081a9be5252 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta
+Date: Mon, 23 May 2016 16:18:02 +0200
+Subject: [PATCH] replica install: do not set CA renewal master flag
+
+The CA renewal master flag was uncoditionally set on every replica during
+replica install. This causes the Dogtag certificates initially shared
+among all replicas to differ after renewal.
+
+Do not set the CA renewal master flag in replica install anymore. On
+upgrade, remove the flag from all but one IPA masters.
+
+https://fedorahosted.org/freeipa/ticket/5902
+
+Reviewed-By: Martin Babinsky
+---
+ ipaserver/install/ca.py | 6 +++++-
+ ipaserver/install/plugins/ca_renewal_master.py | 24 ++++++++++++++++++++++--
+ 2 files changed, 27 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
+index b4db8dcbfad9d482e7106cd06b3d497ccf8954f0..aa3fe991bd958c59dc369f41d4bd6fdfceee9370 100644
+--- a/ipaserver/install/ca.py
++++ b/ipaserver/install/ca.py
+@@ -191,7 +191,11 @@ def install_step_1(standalone, replica_config, options):
+ ca.stop(ca.dogtag_constants.PKI_INSTANCE_NAME)
+ 
+ # We need to ldap_enable the CA now that DS is up and running
+- ca.ldap_enable('CA', host_name, dm_password, basedn, ['caRenewalMaster'])
++ if replica_config is None:
++ config = ['caRenewalMaster']
++ else:
++ config = []
++ ca.ldap_enable('CA', host_name, dm_password, basedn, config)
+ 
+ # This is done within stopped_service context, which restarts CA
+ ca.enable_client_auth_to_db(dogtag_constants.CS_CFG_PATH)
+diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py
+index dae976f02dc7f963736ca57344345135dbc1fe3b..c0c655c912a6b02da11d0feb333716f7653768ed 100644
+--- a/ipaserver/install/plugins/ca_renewal_master.py
++++ b/ipaserver/install/plugins/ca_renewal_master.py
+@@ -42,6 +42,7 @@ class update_ca_renewal_master(Updater):
+ ldap = self.api.Backend.ldap2
+ base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
+ self.api.env.basedn)
++ dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
+ filter = '(&(cn=CA)(ipaConfigString=caRenewalMaster))'
+ try:
+ entries = ldap.get_entries(base_dn=base_dn, filter=filter,
+@@ -50,7 +51,27 @@ class update_ca_renewal_master(Updater):
+ pass
+ else:
+ self.debug("found CA renewal master %s", entries[0].dn[1].value)
+- return False, []
++
++ master = False
++ updates = []
++
++ for entry in entries:
++ if entry.dn == dn:
++ master = True
++ continue
++
++ updates.append({
++ 'dn': entry.dn,
++ 'updates': [
++ dict(action='remove', attr='ipaConfigString',
++ value='caRenewalMaster')
++ ],
++ })
++
++ if master:
++ return False, updates
++ else:
++ return False, []
+ 
+ criteria = {
+ 'cert-database': paths.HTTPD_ALIAS_DIR,
+@@ -96,7 +117,6 @@ class update_ca_renewal_master(Updater):
+ "assuming local CA is renewal slave", config)
+ return (False, False, [])
+ 
+- dn = DN(('cn', 'CA'), ('cn', self.api.env.host), base_dn)
+ update = {
+ 'dn': dn,
+ 'updates': [
+-- 
+2.5.5
+
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
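Review bot: In `update_ca_renewal_master`, each host that finds its own entry among the flagged masters keeps its flag and queues a removal for every other entry, so two masters that both carry the stale flag and run the upgrade concurrently can each strip the other and leave the deployment with no `caRenewalMaster` at all; this is presumably rare, but the loop should at least record what it strips, e.g. `self.debug("removing CA renewal master flag from %s", entry.dn)` before `updates.append({...})`, since the existing debug line only names `entries[0]`. A comment explaining why the local host wins when it is flagged (a non-master upgrading afterwards sees the already-stripped state and correctly returns no updates) would help the next reader. In `install_step_1`, gating `['caRenewalMaster']` on `replica_config is None` looks right. The enclosing updater method continues outside the hunk.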
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
--+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
- PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
- PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
- ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+ ETC_CENTOS_RELEASE = "/etc/centos-release"
- RESOLV_CONF = "/etc/resolv.conf"
- SAMBA_KEYTAB = "/etc/samba/samba.keytab"
- SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
--+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
- os = ""
- if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
- os = "fedora"
-+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+ os = "centos"
- elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
- os = "rhel"
-
---
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 8ff79b0..9f26059 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -35,7 +35,7 @@
 Name: ipa
 Version: 4.2.0
-Release: 15%{?dist}.15
+Release: 15%{?dist}.17
 Summary: The Identity, Policy and Audit system
 Group: System Environment/Base
@@ -43,10 +43,10 @@ License: GPLv3+
 URL: http://www.freeipa.org/
 Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity-Management
-#Source1: header-logo.png
-#Source2: login-screen-background.jpg
-#Source3: login-screen-logo.png
-#Source4: product-name.png
+Source1: header-logo.png
+Source2: login-screen-background.jpg
+Source3: login-screen-logo.png
+Source4: product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity-Management
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -252,6 +252,9 @@ Patch0198: 0198-Fix-connections-to-DS-during-installation.patch
 Patch0199: 0199-Fix-broken-trust-warnings.patch
 Patch0200: 0200-replica-install-improvements-in-the-handling-of-CA-r.patch
 Patch0201: 0201-certdb-never-use-the-r-option-of-certutil.patch
+Patch0202: 0202-Prevent-replica-install-from-overwriting-cert-profil.patch
+Patch0203: 0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch
+Patch0204: 0204-replica-install-do-not-set-CA-renewal-master-flag.patch
 Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch
 Patch1002: 1002-Remove-pkinit-plugin.patch
@@ -263,7 +266,6 @@ Patch1007: 1007-Do-not-build-tests.patch
 Patch1008: 1008-RCUE.patch
 Patch1009: 1009-Do-not-allow-installation-in-FIPS-mode.patch
 Patch1010: 1010-WebUI-add-API-browser-is-experimental-warning.patch
-Patch1011: ipa-centos-branding.patch
 # RHEL spec file only: END
 %if ! %{ONLY_CLIENT}
@@ -398,7 +400,7 @@ Requires: systemd-python
 Requires: %{etc_systemd_dir}
 Requires: gzip
 # RHEL spec file only: START
-# Requires: redhat-access-plugin-ipa
+Requires: redhat-access-plugin-ipa
 # RHEL spec file only: END
 Conflicts: %{alt_name}-server
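Review bot: The `@@ -398` hunk turns `Requires: redhat-access-plugin-ipa` back on while the same commit drops `ipa-centos-branding.patch` and restores the Red Hat branding sources, which reads like a straight import of the RHEL spec into this CentOS tree; if `redhat-access-plugin-ipa` is not published in the repositories this package is built against, `ipa-server` becomes uninstallable until a later re-branding commit comments the line out again. If that round-trip is intended, a note next to the `# RHEL spec file only: START` marker saying the dependency is re-disabled by the CentOS branding step would save the next maintainer a bisect. The deleted branding patch also carried the `ETC_CENTOS_RELEASE` check in `ntpinstance.py`, so on a CentOS host `os` now falls through to the `ETC_REDHAT_RELEASE` branch; presumably harmless where `/etc/redhat-release` is present, but worth confirming against the NTP server template selection that follows.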
@@ -607,10 +609,10 @@ for p in %patches ; do
 done
 # Red Hat's Identity Management branding
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END
 %build
@@ -1207,8 +1209,15 @@ fi
 # RHEL spec file only: DELETED: Do not build tests
 %changelog
-* Thu May 12 2016 CentOS Sources - 4.2.0-15.el7.centos.15
-- Roll in CentOS Branding
+* Tue May 24 2016 Jan Cholasta - 4.2.0-15.17
+- Resolves: #1339304 CA installed on replica is always marked as renewal master
+ - replica install: do not set CA renewal master flag
+
+* Fri May 20 2016 Jan Cholasta - 4.2.0-15.16
+- Resolves: #1337820 URI details missing and OCSP-URI details are incorrectly
+ displayed when certificate generated using IPA on RHEL 7.2up2.
+ - Prevent replica install from overwriting cert profiles
+ - Detect and repair incorrect caIPAserviceCert config
 * Mon Apr 18 2016 Jan Cholasta - 4.2.0-15.15
 - Related: #1327197 Crash during IPA upgrade due to slapd