Hi all,

The attached patches fix #5459[1]: Default CA ACL rule is not
created during ipa-replica-install.

These patches apply on branch ipa-4-2.  There is a (trivial)
conflict in imports when applying to master.

I strongly recommend review / testing of these patches with patches
0042-0043[2] due to the prevalence of the other issue.

[1] https://fedorahosted.org/freeipa/ticket/5459
[2] https://www.redhat.com/archives/freeipa-devel/2015-November/msg00298.html

Thanks,
Fraser
From 8c3f2ce4a985e873277b7e84a8b95acca80c0348 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 23 Nov 2015 12:09:32 +1100
Subject: [PATCH 44/45] Do not erroneously reinit NSS in Dogtag interface

The Dogtag interface always attempts to (re)init NSS, which can fail
with SEC_ERROR_BUSY.  Do not reinitialise NSS when it has already
been initialised with the given dbdir.

Part of: https://fedorahosted.org/freeipa/ticket/5459
---
 ipapython/dogtag.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 
3f0d08154d21a3072e344c311c3e70e414d9dee4..75c34db697ec5f7b1aac771de8517937fa09fbdd
 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -255,7 +255,8 @@ def https_request(host, port, url, secdir, password, 
nickname,
     """
 
     def connection_factory(host, port):
-        conn = nsslib.NSSConnection(host, port, dbdir=secdir,
+        no_init = secdir == nsslib.current_dbdir
+        conn = nsslib.NSSConnection(host, port, dbdir=secdir, no_init=no_init,
                                     tls_version_min=api.env.tls_version_min,
                                     tls_version_max=api.env.tls_version_max)
         conn.set_debuglevel(0)
-- 
2.4.3

From 2a05260345627e5b636596a715333a20b5631cd1 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftwee...@redhat.com>
Date: Mon, 23 Nov 2015 14:50:45 +1100
Subject: [PATCH 45/45] Add profiles and default CA ACL on migration

Profiles and the default CA ACL were not being added during replica
install from pre-4.2 servers.  Update ipa-replica-install to add
these if they are missing.

Also update the caacl plugin to prevent deletion of the default CA
ACL and instruct the administrator to disable it instead.

Fixes: https://fedorahosted.org/freeipa/ticket/5459
---
 install/updates/50-dogtag10-migration.update |  1 +
 ipalib/plugins/caacl.py                      |  7 +++++++
 ipaserver/install/server/replicainstall.py   |  8 ++++++++
 ipaserver/install/server/upgrade.py          | 28 ++++++++++++++++------------
 4 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/install/updates/50-dogtag10-migration.update 
b/install/updates/50-dogtag10-migration.update
index 
2ab9d15bd220540dbc6b3fcd7928fc15c42caf80..0070c308aefc39aa4c27a046d185ce6d268e6270
 100644
--- a/install/updates/50-dogtag10-migration.update
+++ b/install/updates/50-dogtag10-migration.update
@@ -16,3 +16,4 @@ addifexist:resourceACLS:certServer.ca.groups:execute:allow 
(execute) group="Admi
 addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) 
group="Administrators":Admins may execute user operations
 replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow 
(read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed 
to read domain.xml but only Subsystem group is allowed to modify the 
domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) 
user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA 
Administrators" || group="Enterprise KRA Administrators" || group="Enterprise 
RA Administrators" || group="Enterprise OCSP Administrators" || 
group="Enterprise TKS Administrators" || group="Enterprise TPS 
Administrators":Anybody is allowed to read domain.xml but only Subsystem group 
and Enterprise Administrators are allowed to modify the domain.xml
 replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow 
(modify,read) group="Enterprise KRA Administrators":Only Enterprise 
Administrators are allowed to update the connector 
information::certServer.ca.connectorInfo:read,modify:allow (read) 
group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA 
Administrators" || group="Subsystem Group":Only Enterprise Administrators and 
Subsystem Group are allowed to update the connector information
+addifexist:resourceACLS:certServer.profile.configuration:read,modify:allow 
(read,modify) group="Certificate Manager Agents":Certificate Manager agents may 
modify (create/update/delete) and read profiles
diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py
index 
247d6df143aef1fba9f0ee74a9f7d8386bef5180..77bad38cd7e9f3cf10b7476acc7ac16fc6494bdf
 100644
--- a/ipalib/plugins/caacl.py
+++ b/ipalib/plugins/caacl.py
@@ -307,6 +307,13 @@ class caacl_del(LDAPDelete):
 
     msg_summary = _('Deleted CA ACL "%(value)s"')
 
+    def pre_callback(self, ldap, dn, *keys, **options):
+        if keys[0] == 'hosts_services_caIPAserviceCert':
+            raise errors.ValidationError(name='name',
+                error=_("Cannot delete the default CA ACL; disable it 
instead"))
+
+        return dn
+
 
 @register()
 class caacl_mod(LDAPUpdate):
diff --git a/ipaserver/install/server/replicainstall.py 
b/ipaserver/install/server/replicainstall.py
index 
c1edd3e48d36c8ad62c6a72e988604b59c574c0c..a4eded759cc566ba6747b23e04428c0c16d11007
 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -27,6 +27,7 @@ from ipaserver.install import (
     bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance,
     installutils, kra, krbinstance, memcacheinstance, ntpinstance,
     otpdinstance, service)
+from ipaserver.install.server.upgrade import _add_default_caacl
 from ipaserver.install.installutils import create_replica_config
 from ipaserver.install.replication import (
     ReplicationManager, replica_conn_check)
@@ -615,6 +616,13 @@ def install(installer):
         dogtag_service = services.knownservices[dogtag_constants.SERVICE_NAME]
         dogtag_service.restart(dogtag_constants.PKI_INSTANCE_NAME)
 
+        # must add profiles after Dogtag restart to ensure that
+        # resourceACLS are current
+        service.print_msg("Synchronizing certificate profiles")
+        cainstance.migrate_profiles_to_ldap()
+        cainstance.import_included_profiles()
+        _add_default_caacl()
+
     if options.setup_dns:
         api.Backend.ldap2.connect(autobind=True)
         dns.install(False, True, options)
diff --git a/ipaserver/install/server/upgrade.py 
b/ipaserver/install/server/upgrade.py
index 
c8f744c392c7b859459bda63c1f397226553d4ba..bd56fd070e41f9450c48f7f3b9a095de1a665c60
 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1321,22 +1321,26 @@ def add_default_caacl(ca):
         return
 
     if ca.is_configured():
-        if not api.Backend.ldap2.isconnected():
-            try:
-                api.Backend.ldap2.connect(autobind=True)
-            except ipalib.errors.PublicError as e:
-                root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", 
e)
-                return
-
-        if not api.Command.caacl_find()['result']:
-            api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
-                hostcategory=u'all', servicecategory=u'all')
-            api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
-                certprofile=(u'caIPAserviceCert',))
+        _add_default_caacl()
 
     sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)
 
 
+def _add_default_caacl():
+    if not api.Backend.ldap2.isconnected():
+        try:
+            api.Backend.ldap2.connect(autobind=True)
+        except ipalib.errors.PublicError as e:
+            root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
+            return
+
+    if not api.Command.caacl_find()['result']:
+        api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
+            hostcategory=u'all', servicecategory=u'all')
+        api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
+            certprofile=(u'caIPAserviceCert',))
+
+
 def upgrade_configuration():
     """
     Execute configuration upgrade of the IPA services
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to