diff --git a/SOURCES/0135-ipa-passwd-use-correct-normalizer-for-user-principal.patch b/SOURCES/0135-ipa-passwd-use-correct-normalizer-for-user-principal.patch new file mode 100644 index 0000000..b2d6909 --- /dev/null +++ b/SOURCES/0135-ipa-passwd-use-correct-normalizer-for-user-principal.patch 
@@ -0,0 +1,52 @@
+From 8750c84bbfef36ceeaac8e7c8e3b788c31f68317 Mon Sep 17 00:00:00 2001
+From: Martin Babinsky
+Date: Tue, 13 Sep 2016 15:40:04 +0200
+Subject: [PATCH] ipa passwd: use correct normalizer for user principals
+
+Commit c2af032c0333f7e210c54369159d1d9f5e3fec74 introduced a regression in the
+handling of user principals supplied to the`ipa passwd` command. This patch
+restores the original behavior which lowercases the username portion of the
+principal.
+
+https://fedorahosted.org/freeipa/ticket/6329
+
+Reviewed-By: Alexander Bokovoy
+---
+ ipaserver/plugins/passwd.py | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/plugins/passwd.py b/ipaserver/plugins/passwd.py
+index 1576c4ca85cb761d2a124a932a26b371b9e87107..ebc41d90009d7145ada75f3cabe3c01c6d25f6ea 100644
+--- a/ipaserver/plugins/passwd.py
++++ b/ipaserver/plugins/passwd.py
+@@ -29,7 +29,8 @@ from ipalib.plugable import Registry
+ from ipalib.request import context
+ from ipapython import kerberos
+ from ipapython.dn import DN
+-from ipaserver.plugins.service import validate_realm, normalize_principal
++from ipaserver.plugins.baseuser import normalize_user_principal
++from ipaserver.plugins.service import validate_realm
+
+ if six.PY3:
+ unicode = str
+@@ -66,7 +67,7 @@ def get_current_password(principal):
+ be ignored later.
+ """
+ current_principal = krb_utils.get_principal()
+- if current_principal == unicode(normalize_principal(principal)):
++ if current_principal == unicode(normalize_user_principal(principal)):
+ return None
+ else:
+ return MAGIC_VALUE
+@@ -84,7 +85,7 @@ class passwd(Command):
+ primary_key=True,
+ autofill=True,
+ default_from=lambda: kerberos.Principal(krb_utils.get_principal()),
+- normalizer=lambda value: normalize_principal(value),
++ normalizer=lambda value: normalize_user_principal(value),
+ ),
+ Password('password',
+ label=_('New Password'),
+--
+2.10.2
+
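Review bot: In get_current_password only the supplied principal is normalized before the comparison `current_principal == unicode(normalize_user_principal(principal))`, while the value from `krb_utils.get_principal()` is compared as returned; if the ccache principal differs only in the case of its user part, the check fails and the function returns MAGIC_VALUE, i.e. the admin-reset path, for what is really a self-service change. Normalizing both sides keeps the comparison symmetric, `if unicode(normalize_user_principal(current_principal)) == unicode(normalize_user_principal(principal)):`, assuming normalize_user_principal accepts the plain string get_principal() returns — confirm against baseuser. A one-line comment above the comparison stating that the principal from the ccache is matched after the same lowercasing the command applies would document the intent. The start of get_current_password, including its docstring, lies outside the hunk.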
diff --git a/SOURCES/0136-Keep-NSS-trust-flags-of-existing-certificates.patch b/SOURCES/0136-Keep-NSS-trust-flags-of-existing-certificates.patch new file mode 100644 index 0000000..b71c7b7 --- /dev/null +++ b/SOURCES/0136-Keep-NSS-trust-flags-of-existing-certificates.patch 
@@ -0,0 +1,47 @@
+From 08d3dcb1834fc227dcd9d2071fda58e6dc639394 Mon Sep 17 00:00:00 2001
+From: Tomas Krizek
+Date: Tue, 13 Sep 2016 10:14:47 +0200
+Subject: [PATCH] Keep NSS trust flags of existing certificates
+
+Backup and restore trust flags of existing certificates during CA
+installation. This prevents marking a previously trusted certificate
+as untrusted, as was the case when CA-less was converted to CA-full
+with external CA when using the same certificate.
+
+https://fedorahosted.org/freeipa/ticket/5791
+
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipaserver/install/cainstance.py | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 3551887cd8ff8baa5e17f8969c84fb92d7552ef3..6c57aadfcdc2864f8cdc84c16556dce7163737fc 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -832,6 +832,10 @@ class CAInstance(DogtagInstance):
+ raise RuntimeError("Unable to retrieve CA chain: %s" % str(e))
+
+ def __import_ca_chain(self):
++ # Backup NSS trust flags of all already existing certificates
++ certdb = certs.CertDB(self.realm)
++ cert_backup_list = certdb.list_certs()
++
+ chain = self.__get_ca_chain()
+
+ # If this chain contains multiple certs then certutil will only import
+@@ -882,6 +886,10 @@ class CAInstance(DogtagInstance):
+ os.remove(chain_name)
+ subid += 1
+
++ # Restore NSS trust flags of all previously existing certificates
++ for nick, trust_flags in cert_backup_list:
++ certdb.trust_root_cert(nick, trust_flags)
++
+ def __request_ra_certificate(self):
+ # Create a noise file for generating our private key
+ noise = array.array('B', os.urandom(128))
+--
+2.10.2
+
diff --git a/SOURCES/0137-Properly-handle-LDAP-socket-closures-in-ipa-otpd.patch b/SOURCES/0137-Properly-handle-LDAP-socket-closures-in-ipa-otpd.patch
new file mode 100644
index 0000000..6a44a36
--- /dev/null
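Review bot: The restore loop at the end of __import_ca_chain calls `certdb.trust_root_cert(nick, trust_flags)` for every entry returned by `certdb.list_certs()`, not only CA certificates, and it is skipped entirely if anything between the backup and the restore raises — the RuntimeError in the context line just above shows chain retrieval can fail, and the import itself runs between the two added blocks. Consider limiting the loop to CA entries with `if 'u' not in trust_flags:` (the flag test used by ipa-server-certinstall elsewhere in this series) and running the restore from a `finally:` clause so an aborted import does not leave previously trusted certificates without their flags. I cannot see from the hunk what list_certs returns for server or user nicknames or whether trust_root_cert tolerates them, so treat the filter as something to confirm against certdb. The body of __import_ca_chain between the two hunks is outside the view.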
+++ b/SOURCES/0137-Properly-handle-LDAP-socket-closures-in-ipa-otpd.patch 
@@ -0,0 +1,81 @@ +From 31007eff1b8d858dfc51f730b47a7aaefc8e33e8 Mon Sep 17 00:00:00 2001 +From: Nathaniel McCallum +Date: Tue, 27 Sep 2016 14:34:05 -0400 +Subject: [PATCH] Properly handle LDAP socket closures in ipa-otpd + +In at least one case, when an LDAP socket closes, a read event is fired +rather than an error event. Without this patch, ipa-otpd silently +ignores this event and enters a state where all bind auths fail. + +To remedy this problem, we pass error events along the same path as read +events. Should the actual read fail, we exit. + +https://bugzilla.redhat.com/show_bug.cgi?id=1377858 +https://fedorahosted.org/freeipa/ticket/6368 + +Reviewed-By: Alexander Bokovoy +--- + daemons/ipa-otpd/bind.c | 10 ++++------ + daemons/ipa-otpd/query.c | 13 ++++++------- + 2 files changed, 10 insertions(+), 13 deletions(-) + +diff --git a/daemons/ipa-otpd/bind.c b/daemons/ipa-otpd/bind.c +index 022525b786705b4f58f861bc3b0a745ab8693755..a98312f906a785bfa9c98603a3577561552bfc0a 100644 +--- a/daemons/ipa-otpd/bind.c ++++ b/daemons/ipa-otpd/bind.c +@@ -85,6 +85,9 @@ static void on_bind_readable(verto_ctx *vctx, verto_ev *ev) + if (rslt <= 0) + results = NULL; + ldap_msgfree(results); ++ otpd_log_err(EIO, "IO error received on bind socket"); ++ verto_break(ctx.vctx); ++ ctx.exitstatus = 1; + return; + } + +@@ -137,11 +140,6 @@ void otpd_on_bind_io(verto_ctx *vctx, verto_ev *ev) + flags = verto_get_fd_state(ev); + if (flags & VERTO_EV_FLAG_IO_WRITE) + on_bind_writable(vctx, ev); +- if (flags & VERTO_EV_FLAG_IO_READ) ++ if (flags & (VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_IO_ERROR)) + on_bind_readable(vctx, ev); +- if (flags & VERTO_EV_FLAG_IO_ERROR) { +- otpd_log_err(EIO, "IO error received on bind socket"); +- verto_break(ctx.vctx); +- ctx.exitstatus = 1; +- } + } +diff --git a/daemons/ipa-otpd/query.c b/daemons/ipa-otpd/query.c +index 67e2d751d8d1511d077a93d7673439be11812e6f..50e15603322c550a0eb14e1e3c502e1a229d1ebe 100644 +--- a/daemons/ipa-otpd/query.c ++++ 
b/daemons/ipa-otpd/query.c +@@ -133,7 +133,11 @@ static void on_query_readable(verto_ctx *vctx, verto_ev *ev) + if (i != LDAP_RES_SEARCH_ENTRY && i != LDAP_RES_SEARCH_RESULT) { + if (i <= 0) + results = NULL; +- goto egress; ++ ldap_msgfree(results); ++ otpd_log_err(EIO, "IO error received on query socket"); ++ verto_break(ctx.vctx); ++ ctx.exitstatus = 1; ++ return; + } + + item = otpd_queue_pop_msgid(&ctx.query.responses, ldap_msgid(results)); +@@ -243,11 +247,6 @@ void otpd_on_query_io(verto_ctx *vctx, verto_ev *ev) + flags = verto_get_fd_state(ev); + if (flags & VERTO_EV_FLAG_IO_WRITE) + on_query_writable(vctx, ev); +- if (flags & VERTO_EV_FLAG_IO_READ) ++ if (flags & (VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_IO_ERROR)) + on_query_readable(vctx, ev); +- if (flags & VERTO_EV_FLAG_IO_ERROR) { +- otpd_log_err(EIO, "IO error received on query socket"); +- verto_break(ctx.vctx); +- ctx.exitstatus = 1; +- } + } +-- +2.10.2 + diff --git a/SOURCES/0138-cert-add-revocation-reason-back-to-cert-find-output.patch b/SOURCES/0138-cert-add-revocation-reason-back-to-cert-find-output.patch new file mode 100644 index 0000000..44a9376 --- /dev/null +++ b/SOURCES/0138-cert-add-revocation-reason-back-to-cert-find-output.patch 
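Review bot: The fatal-error sequence `otpd_log_err(EIO, ...); verto_break(ctx.vctx); ctx.exitstatus = 1;` is now written out twice, once in on_bind_readable and once in on_query_readable, after the earlier copies in otpd_on_bind_io and otpd_on_query_io were removed; a small static helper wrapping those three statements, called with the socket-specific message, would keep the two exit paths identical as they evolve. Each call site would also benefit from a comment explaining why the daemon terminates instead of reconnecting on a closed LDAP socket, since the read handlers now treat any unexpected message as fatal; whether a supervisor restarts ipa-otpd afterwards is not visible here. Both on_bind_readable and on_query_readable begin before their hunks, so the condition that leads into the error branch is outside the view.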
@@ -0,0 +1,54 @@
+From c3ceffccc56dea782a3dfac5bc3a14d1d022d33a Mon Sep 17 00:00:00 2001
+From: Jan Cholasta
+Date: Wed, 12 Oct 2016 12:58:46 +0200
+Subject: [PATCH] cert: add revocation reason back to cert-find output
+
+In commit c718ef058847bb39e78236e8af0ad69ac961bbcf some param values were
+accidentally removed from cert-find output.
+
+In commit 22d5f579bbd8bb452cf1bf620294ab6ade6e7c47 `serial_number_hex` and
+`revoked` were added back.
+
+Add back `revocation_reason` as well. Also, do not include `revoked` with
+--raw, as it's a virtual attribute.
+
+https://fedorahosted.org/freeipa/ticket/6269
+
+Reviewed-By: Pavel Vomacka
+---
+ ipaserver/plugins/cert.py | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
+index 00bae4560d601e28e0b983786bff9144bcc1b065..68516391a54aead8e92f3cdeb33463d8fa624bbd 100644
+--- a/ipaserver/plugins/cert.py
++++ b/ipaserver/plugins/cert.py
+@@ -1098,16 +1098,17 @@ class cert_find(Search, CertMethod):
+ obj = {'serial_number': serial_number}
+ else:
+ obj = ra_obj
+- obj['issuer'] = issuer
+- obj['subject'] = DN(ra_obj['subject'])
+- obj['revoked'] = (
+- ra_obj['status'] in (u'REVOKED', u'REVOKED_EXPIRED'))
+-
+ if all:
+- ra_obj = ra.get_certificate(str(serial_number))
+- if not raw:
++ obj.update(ra.get_certificate(str(serial_number)))
++
++ if not raw:
++ obj['issuer'] = issuer
++ obj['subject'] = DN(ra_obj['subject'])
++ obj['revoked'] = (
++ ra_obj['status'] in (u'REVOKED', u'REVOKED_EXPIRED'))
++ if all:
+ obj['certificate'] = (
+- ra_obj['certificate'].replace('\r\n', ''))
++ obj['certificate'].replace('\r\n', ''))
+ self.obj._parse(obj)
+
+ obj['cacn'] = ca_obj['cn'][0]
+--
+2.10.2
+
diff --git a/SOURCES/0139-Make-httpd-publish-its-CA-certificate-on-DL1.patch b/SOURCES/0139-Make-httpd-publish-its-CA-certificate-on-DL1.patch
new file mode 100644
index 0000000..d6ad038
--- /dev/null
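Review bot: Moving `obj['issuer'] = issuer` and `obj['subject'] = DN(ra_obj['subject'])` under `if not raw:` drops issuer from --raw output in the branch where `obj = {'serial_number': serial_number}`, although the commit message only justifies excluding `revoked` as a virtual attribute. If issuer is a real attribute of the entry, keep `obj['issuer'] = issuer` before the `if not raw:` block; if leaving it out of raw output is deliberate, a short comment at that point (`# raw output carries only RA attributes; issuer/subject/revoked are derived`) and a sentence in the commit message would record it. I cannot see how `issuer` and `ra_obj` are derived above the hunk, so this rests on the visible lines only. The enclosing method of cert_find continues outside the hunk.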
+++ b/SOURCES/0139-Make-httpd-publish-its-CA-certificate-on-DL1.patch
@@ -0,0 +1,34 @@
+From 3ea5984f2806958dee1b94fe993d20b09f64b107 Mon Sep 17 00:00:00 2001
+From: Stanislav Laznicka
+Date: Tue, 11 Oct 2016 15:48:47 +0200
+Subject: [PATCH] Make httpd publish its CA certificate on DL1
+
+httpd did not publish its certificate on DL1 which could
+cause issues during client installation in a rare corner
+case where there would be no way of getting the certificate
+but from a HTTP instance.
+
+https://fedorahosted.org/freeipa/ticket/6393
+
+Reviewed-By: Martin Basti
+---
+ ipaserver/install/httpinstance.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
+index 00f890175ae583f485797da6f913a7f83b302df3..431671eaf55d4ac63dc01190e254931dac096dec 100644
+--- a/ipaserver/install/httpinstance.py
++++ b/ipaserver/install/httpinstance.py
+@@ -175,8 +175,7 @@ class HTTPInstance(service.Service):
+ self.step("importing CA certificates from LDAP", self.__import_ca_certs)
+ if autoconfig:
+ self.step("setting up browser autoconfig", self.__setup_autoconfig)
+- if not self.promote:
+- self.step("publish CA cert", self.__publish_ca_cert)
++ self.step("publish CA cert", self.__publish_ca_cert)
+ self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
+ self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
+ if not self.is_kdcproxy_configured():
+--
+2.10.2
+
diff --git a/SOURCES/0140-Add-cert-checks-in-ipa-server-certinstall.patch b/SOURCES/0140-Add-cert-checks-in-ipa-server-certinstall.patch
new file mode 100644
index 0000000..be7d0f1
--- /dev/null
+++ b/SOURCES/0140-Add-cert-checks-in-ipa-server-certinstall.patch
@@ -0,0 +1,88 @@
+From b3512bae94edc33448466cae6f2716a5527f9eed Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Thu, 1 Sep 2016 13:56:24 +0200
+Subject: [PATCH] Add cert checks in ipa-server-certinstall
+
+When ipa-server-certinstall is called to install a new server certificate,
+the prerequisite is that the certificate issuer must be already known by IPA.
+This fix adds new checks to make sure that the tool exits before
+modifying the target NSS database if it is not the case.
+The fix consists in creating a temp NSS database with the CA certs from the
+target NSS database + the new server cert and checking the new server cert
+validity.
+
+https://fedorahosted.org/freeipa/ticket/6263
+
+Reviewed-By: Jan Cholasta
+---
+ ipaserver/install/ipa_server_certinstall.py | 40 +++++++++++++++++++++++++++--
+ 1 file changed, 38 insertions(+), 2 deletions(-)
+
+diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
+index 0a8fb214a232e60a89b6c06940b928f97c007b93..7bc39e356ef3082ab229fa66eaeebba85eaa2802 100644
+--- a/ipaserver/install/ipa_server_certinstall.py
++++ b/ipaserver/install/ipa_server_certinstall.py
+@@ -25,8 +25,8 @@ import optparse
+
+ from ipaplatform.constants import constants
+ from ipaplatform.paths import paths
+-from ipapython import admintool
+-from ipapython.certdb import get_ca_nickname
++from ipapython import admintool, ipautil
++from ipapython.certdb import get_ca_nickname, NSSDatabase
+ from ipapython.dn import DN
+ from ipalib import api, errors
+ from ipalib.constants import CACERT
+@@ -157,6 +157,38 @@ class ServerCertInstall(admintool.AdminTool):
+ os.chown(os.path.join(dirname, 'key3.db'), 0, pent.pw_gid)
+ os.chown(os.path.join(dirname, 'secmod.db'), 0, pent.pw_gid)
+
++ def check_chain(self, pkcs12_filename, pkcs12_pin, nssdb):
++ # create a temp nssdb
++ with NSSDatabase() as tempnssdb:
++ db_password = ipautil.ipa_generate_password()
++ db_pwdfile =
ipautil.write_tmp_file(db_password)
++ tempnssdb.create_db(db_pwdfile.name)
++
++ # import the PKCS12 file, then delete all CA certificates
++ # this leaves only the server certs in the temp db
++ tempnssdb.import_pkcs12(
++ pkcs12_filename, db_pwdfile.name, pkcs12_pin)
++ for nickname, flags in tempnssdb.list_certs():
++ if 'u' not in flags:
++ while tempnssdb.has_nickname(nickname):
++ tempnssdb.delete_cert(nickname)
++
++ # import all the CA certs from nssdb into the temp db
++ for nickname, flags in nssdb.list_certs():
++ if 'u' not in flags:
++ cert = nssdb.get_cert_from_db(nickname)
++ tempnssdb.add_cert(cert, nickname, flags)
++
++ # now get the server certs from tempnssdb and check their validity
++ try:
++ for nick, flags in tempnssdb.find_server_certs():
++ tempnssdb.verify_server_cert_validity(nick, api.env.host)
++ except ValueError as e:
++ raise admintool.ScriptError(
++ "Peer's certificate issuer is not trusted (%s). "
++ "Please run ipa-cacert-manage install and ipa-certupdate "
++ "to install the CA certificate." % str(e))
++
+ def import_cert(self, dirname, pkcs12_passwd, old_cert, principal, command):
+ pkcs12_file, pin, ca_cert = installutils.load_pkcs12(
+ cert_files=self.args,
+@@ -167,6 +199,10 @@ class ServerCertInstall(admintool.AdminTool):
+
+ dirname = os.path.normpath(dirname)
+ cdb = certs.CertDB(api.env.realm, nssdir=dirname)
++
++ # Check that the ca_cert is known and trusted
++ self.check_chain(pkcs12_file.name, pin, cdb)
++
+ try:
+ ca_enabled = api.Command.ca_is_enabled()['result']
+ if ca_enabled:
+--
+2.10.2
+
diff --git a/SOURCES/0141-WebUI-services-without-canonical-name-are-shown-corr.patch b/SOURCES/0141-WebUI-services-without-canonical-name-are-shown-corr.patch
new file mode 100644
index 0000000..079bde0
--- /dev/null
+++ b/SOURCES/0141-WebUI-services-without-canonical-name-are-shown-corr.patch
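Review bot: check_chain only validates what `tempnssdb.find_server_certs()` yields, so a PKCS#12 file from which no server certificate survives the CA-deletion loop makes the `for nick, flags in ...` loop a no-op and import_cert then proceeds as if the chain had been verified; collecting the result first and failing on an empty list, e.g. `if not server_certs: raise admintool.ScriptError("No server certificate found in %s" % pkcs12_filename)`, closes that gap. The `except ValueError` clause assumes verify_server_cert_validity reports an untrusted issuer as ValueError; any other exception type from certdb would surface as a traceback rather than the friendly ScriptError, so confirm which exceptions it raises. The method also lacks a docstring; a short one such as `"""Verify that the server certs in pkcs12_filename chain to a CA already trusted in nssdb, using a throw-away NSS database so the target database is untouched on failure."""` states the contract import_cert relies on when it calls `self.check_chain(pkcs12_file.name, pin, cdb)` before modifying cdb.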
@@ -0,0 +1,152 @@ +From 014aab243a4e7185ad5ebdc0a71e7de81553e501 Mon Sep 17 00:00:00 2001 +From: Pavel Vomacka +Date: Mon, 17 Oct 2016 14:33:07 +0200 +Subject: [PATCH] WebUI: services without canonical name are shown correctly + +There is a change introduced in 4.4 that new services have canonical name. The old ones +didn't have it, therefore these services were not correctly displayed in WebUI. + +This patch adds support for this type of services. Service name is taken from +'krbprincipalname' attribute in case that 'krbcanonicalname' attribute is not present +in server response. + +https://fedorahosted.org/freeipa/ticket/6397 + +Reviewed-By: Petr Vobornik +--- + install/ui/src/freeipa/field.js | 41 ++++++++++++++++++++++++++++++ + install/ui/src/freeipa/service.js | 52 ++++++++++++++++++++++++++++++++++++++- + 2 files changed, 92 insertions(+), 1 deletion(-) + +diff --git a/install/ui/src/freeipa/field.js b/install/ui/src/freeipa/field.js +index d8b957f5ab28b5ee4bc4ebce2ae6f454083bc4fd..efa2fb6ef4d4b5384661e9023ace511730954153 100644 +--- a/install/ui/src/freeipa/field.js ++++ b/install/ui/src/freeipa/field.js +@@ -1306,6 +1306,46 @@ field.ObjectAdapter = declare([field.Adapter], { + + + /** ++ * Custom adapter for fields which handles situations when there is no value ++ * for attribute (name) of the field and we want to use alternative attribute ++ * from response. We can set the alternative attribute name to the 'alt_attr' ++ * attribute of the adapter. ++ * This adapter is used i.e. in table in search facet for services. Handles ++ * situations where older services don't have canonical name. ++ * ++ * @class ++ * @extends field.Adapter ++ */ ++field.AlternateAttrFieldAdapter = declare([field.Adapter], { ++ /** ++ * In case that the value is not get using field name then use alternative ++ * name. 
++ * @param {Object} data Object which contains the record or the record ++ * @param {string} [attribute] attribute name - overrides `context.param` ++ * @param {Mixed} [def_val] default value - overrides `context.default_value` ++ * @returns {Array} attribute value ++ */ ++ load: function(data, attribute, def_val) { ++ var record = this.get_record(data); ++ var value = null; ++ var attr = attribute || this.context.param; ++ var def = def_val || this.context.default_value; ++ if (record) { ++ value = this.get_value(record, attr); ++ if (util.is_empty(value) && this.context.adapter.alt_attr) { ++ value = this.get_value(record, this.context.adapter.alt_attr); ++ } ++ } ++ if (util.is_empty(value) && !util.is_empty(def)) { ++ value = util.normalize_value(def); ++ } ++ value = rpc.extract_objects(value); ++ return value; ++ } ++}); ++ ++ ++/** + * Field for enabling/disabling entity + * + * - expects radio widget +@@ -1577,6 +1617,7 @@ field.register = function() { + + l.register('adapter', field.Adapter); + l.register('object_adapter', field.ObjectAdapter); ++ l.register('alternate_attr_field_adapter', field.AlternateAttrFieldAdapter); + }; + phases.on('registration', field.register); + +diff --git a/install/ui/src/freeipa/service.js b/install/ui/src/freeipa/service.js +index 30e336c35b8eece2e5e3ef55629d0c98f097fbf5..a6607d22e83047fb2d0dcc7775891445df4910b7 100644 +--- a/install/ui/src/freeipa/service.js ++++ b/install/ui/src/freeipa/service.js +@@ -58,7 +58,16 @@ return { + facets: [ + { + $type: 'search', +- columns: [ 'krbcanonicalname' ] ++ $factory: IPA.service.search_facet, ++ columns: [ ++ { ++ name: 'krbcanonicalname', ++ adapter: { ++ $type: 'alternate_attr_field_adapter', ++ alt_attr: 'krbprincipalname' ++ } ++ } ++ ] + }, + { + $type: 'details', +@@ -403,6 +412,47 @@ return { + } + };}; + ++ ++/** ++ * Custom search facet for services. It has alternative primary key, in case ++ * that the service doesn't have canonical name. 
++ */ ++IPA.service.search_facet = function(spec) { ++ spec = spec || {}; ++ ++ spec.alternative_pkey = spec.alternative_pkey || 'krbprincipalname'; ++ ++ var that = IPA.search_facet(spec); ++ ++ that.alternative_pkey = spec.alternative_pkey; ++ ++ that.get_records_map = function(data) { ++ ++ var records_map = $.ordered_map(); ++ ++ var result = data.result.result; ++ var pkey_name = that.managed_entity.metadata.primary_key || ++ that.primary_key_name; ++ var adapter = builder.build('adapter', 'adapter', {context: that}); ++ ++ for (var i=0; i +Date: Mon, 31 Oct 2016 16:51:49 +0100 +Subject: [PATCH] Fix missing file that fails DL1 replica installation + +Replica installation on DL1 would fail to create a httpd instance +due to missing '/etc/httpd/alias/cacert.asc'. Create this file +in the setup_ssl step to avoid the error. + +https://fedorahosted.org/freeipa/ticket/6393 + +Reviewed-By: Jan Cholasta +--- + ipaserver/install/httpinstance.py | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py +index 431671eaf55d4ac63dc01190e254931dac096dec..aeae10902e6597ca1e494240a625caed9f7b7192 100644 +--- a/ipaserver/install/httpinstance.py ++++ b/ipaserver/install/httpinstance.py +@@ -343,14 +343,23 @@ class HTTPInstance(service.Service): + self.__set_mod_nss_nickname(nickname) + self.add_cert_to_service() + +- elif not self.promote: +- db.create_password_conf() +- self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn, +- ca_db) +- db.track_server_cert(self.cert_nickname, self.principal, +- db.passwd_fname, 'restart_httpd') +- db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db) +- self.add_cert_to_service() ++ else: ++ if not self.promote: ++ db.create_password_conf() ++ self.dercert = db.create_server_cert(self.cert_nickname, self.fqdn, ++ ca_db) ++ db.track_server_cert(self.cert_nickname, self.principal, ++ db.passwd_fname, 
'restart_httpd') ++ db.create_signing_cert("Signing-Cert", "Object Signing Cert", ca_db) ++ self.add_cert_to_service() ++ ++ server_certs = db.find_server_certs() ++ if not server_certs: ++ raise RuntimeError("Could not find a suitable server cert.") ++ ++ # We only handle one server cert ++ nickname = server_certs[0][0] ++ db.export_ca_cert(nickname) + + # Fix the database permissions + os.chmod(certs.NSS_DIR + "/cert8.db", 0o660) +-- +2.7.4 + diff --git a/SOURCES/0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch b/SOURCES/0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch new file mode 100644 index 0000000..035a451 --- /dev/null +++ b/SOURCES/0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch 
@@ -0,0 +1,46 @@
+From 99c93ce55d740fd8c6901dc3cfa3ecbf71edbff8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Mon, 31 Oct 2016 18:17:35 +0200
+Subject: [PATCH] trustdomain-del: fix the way how subdomain is searched
+
+With FreeIPA 4.4 we moved child domains behind the 'trustdomain' topic.
+Update 'ipa trustdomain-del' command to properly calculate DN to the
+actual child domain and handle the case when it is missing correctly.
+
+Fixes https://fedorahosted.org/freeipa/ticket/6445
+
+Reviewed-By: Martin Babinsky
+---
+ ipaserver/plugins/trust.py | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
+index 720a45a4d12d59f00e3e63f2b4f62edd45646065..723dba6a26311752ecde8589d22e2911b72e8044 100644
+--- a/ipaserver/plugins/trust.py
++++ b/ipaserver/plugins/trust.py
+@@ -1614,13 +1614,16 @@ class trustdomain_del(LDAPDelete):
+ # to always receive empty keys. We need to catch the case when root domain is being deleted
+
+ for domain in keys[1]:
+- # Fetch the trust to verify that the entered domain is trusted
+- self.api.Command.trust_show(domain)
++ try:
++ self.obj.get_dn_if_exists(keys[0], domain, trust_type=u'ad')
++ except errors.NotFound:
++ if keys[0].lower() == domain:
++ raise errors.ValidationError(
++ name='domain',
++ error=_("cannot delete root domain of the trust, "
++ "use trust-del to delete the trust itself"))
++ self.obj.handle_not_found(keys[0], domain)
+
+- if keys[0].lower() == domain:
+- raise errors.ValidationError(name='domain',
+- error=_("cannot delete root domain of the trust, "
+- "use trust-del to delete the trust itself"))
+ try:
+ res = self.api.Command.trustdomain_enable(keys[0], domain)
+ except errors.AlreadyActive:
+--
+2.7.4
+
diff --git a/SOURCES/0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch b/SOURCES/0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch
new file mode 100644
index 0000000..953b80e
--- /dev/null
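Review bot: The root-domain guard now sits only inside `except errors.NotFound:`, so it fires solely when `self.obj.get_dn_if_exists(keys[0], domain, trust_type=u'ad')` finds nothing; before this patch the `keys[0].lower() == domain` check ran for every domain in keys[1]. If the root domain can also exist as an entry that get_dn_if_exists resolves (I cannot tell from the hunk), the command would now continue into trustdomain_enable and the delete instead of rejecting it. Performing the root-domain comparison before the `try:` and keeping only `self.obj.handle_not_found(keys[0], domain)` in the except clause preserves both the old rejection and the new lookup. The lines after the except clause assume handle_not_found raises; a comment such as `# handle_not_found raises NotFound; execution never continues past here` would make that explicit. The enclosing method continues outside the hunk.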
+++ b/SOURCES/0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch
@@ -0,0 +1,40 @@
+From df19f8d314894b747181c5bb360a79e519065798 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta
+Date: Tue, 1 Nov 2016 11:36:30 +0100
+Subject: [PATCH] spec file: bump minimal required version of 389-ds-base
+
+Require 389-ds-base >= 1.3.5.14 for:
+https://fedorahosted.org/389/ticket/48992
+
+https://fedorahosted.org/freeipa/ticket/6369
+
+Reviewed-By: Stanislav Laznicka
+---
+ freeipa.spec.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 7456a9ea77ec289312eb11c05709018b3d6d0c90..dba59edc2dc1c6dd12017fbc5c9a6f7bb385e7c3 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -135,7 +135,7 @@ Requires: %{name}-client = %{version}-%{release}
+ Requires: %{name}-admintools = %{version}-%{release}
+ Requires: %{name}-common = %{version}-%{release}
+ Requires: python2-ipaserver = %{version}-%{release}
+-Requires: 389-ds-base >= 1.3.5.6
++Requires: 389-ds-base >= 1.3.5.14
+ Requires: openldap-clients > 2.4.35-4
+ Requires: nss >= 3.14.3-12.0
+ Requires: nss-tools >= 3.14.3-12.0
+@@ -167,7 +167,7 @@ Requires: zip
+ Requires: policycoreutils >= 2.1.12-5
+ Requires: tar
+ Requires(pre): certmonger >= 0.78
+-Requires(pre): 389-ds-base >= 1.3.5.6
++Requires(pre): 389-ds-base >= 1.3.5.14
+ Requires: fontawesome-fonts
+ Requires: open-sans-fonts
+ Requires: openssl
+--
+2.7.4
+
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 6264d38..deb823c 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -43,7 +43,7 @@ Name: ipa Version: 4.4.0 -Release: 12%{?dist} +Release: 14%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base 
@@ -51,10 +51,10 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity-Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source3: login-screen-logo.png -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source3: login-screen-logo.png +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity-Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -193,6 +193,16 @@ Patch0131: 0131-Fix-regression-introduced-in-ipa-certupdate.patch Patch0132: 0132-Start-named-during-configuration-upgrade.patch Patch0133: 0133-Catch-DNS-exceptions-during-emptyzones-named.conf-up.patch Patch0134: 0134-trust-fetch-domains-contact-forest-DCs-when-fetching.patch +Patch0135: 0135-ipa-passwd-use-correct-normalizer-for-user-principal.patch +Patch0136: 0136-Keep-NSS-trust-flags-of-existing-certificates.patch +Patch0137: 0137-Properly-handle-LDAP-socket-closures-in-ipa-otpd.patch +Patch0138: 0138-cert-add-revocation-reason-back-to-cert-find-output.patch +Patch0139: 0139-Make-httpd-publish-its-CA-certificate-on-DL1.patch +Patch0140: 0140-Add-cert-checks-in-ipa-server-certinstall.patch +Patch0141: 0141-WebUI-services-without-canonical-name-are-shown-corr.patch +Patch0142: 0142-Fix-missing-file-that-fails-DL1-replica-installation.patch +Patch0143: 0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch +Patch0144: 0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch Patch1002: 1002-Remove-pkinit-plugin.patch 
@@ -204,7 +214,6 @@ Patch1007: 1007-Do-not-build-tests.patch Patch1008: 1008-RCUE.patch Patch1009: 1009-Revert-Increased-mod_wsgi-socket-timeout.patch Patch1010: 1010-WebUI-add-API-browser-is-tech-preview-warning.patch -Patch1011: ipa-centos-branding.patch # RHEL spec file only: END %if ! %{ONLY_CLIENT} @@ -300,7 +309,7 @@ Requires: %{name}-client = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python2-ipaserver = %{version}-%{release} -Requires: 389-ds-base >= 1.3.5.6 +Requires: 389-ds-base >= 1.3.5.10-12 Requires: openldap-clients > 2.4.35-4 Requires: nss >= 3.14.3-12.0 Requires: nss-tools >= 3.14.3-12.0 @@ -332,7 +341,7 @@ Requires: zip Requires: policycoreutils >= 2.1.14-37 Requires: tar Requires(pre): certmonger >= 0.78 -Requires(pre): 389-ds-base >= 1.3.5.6 +Requires(pre): 389-ds-base >= 1.3.5.10-12 Requires: fontawesome-fonts Requires: open-sans-fonts Requires: openssl >= 1:1.0.1e-42 @@ -784,10 +793,10 @@ for p in %patches ; do done # Red Hat's Identity Management branding -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE3 install/ui/images/login-screen-logo.png -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE3 install/ui/images/login-screen-logo.png +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END 
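Review bot: The downstream `Requires: 389-ds-base >= 1.3.5.10-12` and the matching `Requires(pre): 389-ds-base >= 1.3.5.10-12` disagree with Patch0144, added by this same commit, which raises the identical requirement in freeipa.spec.in to 1.3.5.14 for 389 ticket 48992. If 1.3.5.10-12 is a downstream build that already carries that fix, a comment beside the Requires line naming the ticket (`# 1.3.5.10-12 carries the fix for 389-ds ticket 48992`) would make the intentional divergence visible to the next packager; otherwise the version should follow the patch. The 4.4.0-14 changelog entry records only "bump minimal required version of 389-ds-base", so nothing in the spec currently explains why the two numbers differ.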
@@ -1523,8 +1532,32 @@ fi %changelog -* Thu Nov 03 2016 CentOS Sources - 4.4.0-12.el7.centos -- Roll in CentOS Branding +* Tue Nov 1 2016 Jan Cholasta - 4.4.0-14 +- Resolves: #1378353 Replica install fails with old IPA master sometimes during + replication process + - spec file: bump minimal required version of 389-ds-base +- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 + - Fix missing file that fails DL1 replica installation +- Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade + - WebUI: services without canonical name are shown correctly +- Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run + - trustdomain-del: fix the way how subdomain is searched + +* Mon Oct 31 2016 Jan Cholasta - 4.4.0-13 +- Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca + - Keep NSS trust flags of existing certificates +- Resolves: #1360813 ipa-server-certinstall does not update all certificate + stores and doesn't set proper trust permissions + - Add cert checks in ipa-server-certinstall +- Resolves: #1371479 cert-find --all does not show information about revocation + - cert: add revocation reason back to cert-find output +- Resolves: #1375133 WinSync users who have First.Last casing creates users who + can have their password set + - ipa passwd: use correct normalizer for user principals +- Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers + - Properly handle LDAP socket closures in ipa-otpd +- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 + - Make httpd publish its CA certificate on DL1 * Fri Sep 16 2016 Petr Vobornik - 4.4.0-12 - Resolves: #1373910 IPA server upgrade fails with DNS timed out errors.