Hi all, The attached patches fix #5459[1]: Default CA ACL rule is not created during ipa-replica-install.
These patches apply on branch ipa-4-2. There is a (trivial) conflict in imports when applying to master. I strongly recommend review / testing of these patches with patches 0042-0043[2] due to the prevalence of the other issue. [1] https://fedorahosted.org/freeipa/ticket/5459 [2] https://www.redhat.com/archives/freeipa-devel/2015-November/msg00298.html Thanks, Fraser
From 8c3f2ce4a985e873277b7e84a8b95acca80c0348 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <[email protected]>
Date: Mon, 23 Nov 2015 12:09:32 +1100
Subject: [PATCH 44/45] Do not erroneously reinit NSS in Dogtag interface

The Dogtag interface always attempts to (re)init NSS, which can fail with SEC_ERROR_BUSY. Do not reinitialise NSS when it has already been initialised with the given dbdir.

Part of: https://fedorahosted.org/freeipa/ticket/5459
---
 ipapython/dogtag.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 3f0d08154d21a3072e344c311c3e70e414d9dee4..75c34db697ec5f7b1aac771de8517937fa09fbdd 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -255,7 +255,8 @@ def https_request(host, port, url, secdir, password, nickname,
     """
 
     def connection_factory(host, port):
-        conn = nsslib.NSSConnection(host, port, dbdir=secdir,
+        no_init = secdir == nsslib.current_dbdir
+        conn = nsslib.NSSConnection(host, port, dbdir=secdir, no_init=no_init,
                                     tls_version_min=api.env.tls_version_min,
                                     tls_version_max=api.env.tls_version_max)
         conn.set_debuglevel(0)
-- 
2.4.3
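Review bot: `no_init = secdir == nsslib.current_dbdir` compares the two paths as plain strings, so a `secdir` that differs only in spelling from the value nsslib recorded (trailing slash, relative vs. absolute) still requests a re-init and hits the SEC_ERROR_BUSY failure this commit is fixing; if `current_dbdir` is stored exactly as passed, normalising both sides with `os.path.abspath` — or documenting that callers must pass the canonical path — closes that gap. The reason for the flag deserves a comment on the new line, e.g. `# NSS is already initialised for this dbdir; a second init fails with SEC_ERROR_BUSY`. When `secdir` does differ from `current_dbdir` the connection still asks nsslib to (re)initialise, so that failure mode remains possible and is worth stating in the same comment. connection_factory is nested inside https_request, whose body starts and ends outside the hunk.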
From 2a05260345627e5b636596a715333a20b5631cd1 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <[email protected]>
Date: Mon, 23 Nov 2015 14:50:45 +1100
Subject: [PATCH 45/45] Add profiles and default CA ACL on migration

Profiles and the default CA ACL were not being added during replica install from pre-4.2 servers. Update ipa-replica-install to add these if they are missing.

Also update the caacl plugin to prevent deletion of the default CA ACL and instruct the administrator to disable it instead.

Fixes: https://fedorahosted.org/freeipa/ticket/5459
---
 install/updates/50-dogtag10-migration.update |  1 +
 ipalib/plugins/caacl.py                      |  7 +++++++
 ipaserver/install/server/replicainstall.py   |  8 ++++++++
 ipaserver/install/server/upgrade.py          | 28 ++++++++++++++++------------
 4 files changed, 32 insertions(+), 12 deletions(-)

diff --git a/install/updates/50-dogtag10-migration.update b/install/updates/50-dogtag10-migration.update
index 2ab9d15bd220540dbc6b3fcd7928fc15c42caf80..0070c308aefc39aa4c27a046d185ce6d268e6270 100644
--- a/install/updates/50-dogtag10-migration.update
+++ b/install/updates/50-dogtag10-migration.update
@@ -16,3 +16,4 @@ addifexist:resourceACLS:certServer.ca.groups:execute:allow (execute) group="Admi
 addifexist:resourceACLS:certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations
 replace:resourceACLS:certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml
 replace:resourceACLS:certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information
+addifexist:resourceACLS:certServer.profile.configuration:read,modify:allow (read,modify) group="Certificate Manager Agents":Certificate Manager agents may modify (create/update/delete) and read profiles
diff --git a/ipalib/plugins/caacl.py b/ipalib/plugins/caacl.py
index 247d6df143aef1fba9f0ee74a9f7d8386bef5180..77bad38cd7e9f3cf10b7476acc7ac16fc6494bdf 100644
--- a/ipalib/plugins/caacl.py
+++ b/ipalib/plugins/caacl.py
@@ -307,6 +307,13 @@ class caacl_del(LDAPDelete): msg_summary = _('Deleted CA ACL "%(value)s"') + def pre_callback(self, ldap, dn, *keys, **options): + if keys[0] == 'hosts_services_caIPAserviceCert': + raise errors.ValidationError(name='name', + error=_("Cannot delete the default CA ACL; disable it instead")) + + return dn + @register() class caacl_mod(LDAPUpdate): diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index c1edd3e48d36c8ad62c6a72e988604b59c574c0c..a4eded759cc566ba6747b23e04428c0c16d11007 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -27,6 +27,7 @@ from ipaserver.install import ( bindinstance, ca, cainstance, certs, dns, dsinstance, httpinstance, installutils, kra, krbinstance, memcacheinstance, ntpinstance, otpdinstance, service) +from ipaserver.install.server.upgrade import _add_default_caacl from ipaserver.install.installutils import create_replica_config from ipaserver.install.replication import ( ReplicationManager, replica_conn_check) @@ -615,6 +616,13 @@ def install(installer): dogtag_service = services.knownservices[dogtag_constants.SERVICE_NAME] dogtag_service.restart(dogtag_constants.PKI_INSTANCE_NAME) + # must add profiles after Dogtag restart to ensure that + # resourceACLS are current + service.print_msg("Synchronizing certificate profiles") + cainstance.migrate_profiles_to_ldap() + cainstance.import_included_profiles() + _add_default_caacl() + if options.setup_dns: api.Backend.ldap2.connect(autobind=True) dns.install(False, True, options) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index c8f744c392c7b859459bda63c1f397226553d4ba..bd56fd070e41f9450c48f7f3b9a095de1a665c60 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
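Review bot: The guard in `pre_callback` compares `keys[0]` byte-for-byte with `'hosts_services_caIPAserviceCert'`, but the entry it protects is resolved by its `cn`, which the directory normally matches case-insensitively; if that holds here, a differently-cased name resolves to the same DN and deletes the default CA ACL despite the new check. Comparing case-insensitively, `if keys[0].lower() == 'hosts_services_caIPAserviceCert'.lower():`, makes the guard as lenient as the lookup it is protecting. The same literal is spelled out again in `_add_default_caacl` in the upgrade.py hunk; one shared constant would keep the two from drifting apart. The enclosing class `caacl_del` begins before the hunk.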
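Review bot: `from ipaserver.install.server.upgrade import _add_default_caacl` imports a leading-underscore name from another module, which in this codebase's convention marks it private, and it makes the replica installer depend on the upgrade module for a CA ACL helper. If the function is meant to be shared, give it a public name and a docstring (the public `add_default_caacl(ca)` already exists, so something like `ensure_default_caacl`), or place it beside `migrate_profiles_to_ldap` in `cainstance`, which this installer already imports.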
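Review bot: `_add_default_caacl()` in the new block reports a failed LDAP connect only through `root_logger.error` and then returns (see its body in the upgrade.py hunk), so a replica whose connect fails completes installation without the default CA ACL and with no visible error — the state the ticket describes. In the installer that failure should propagate, or the step should check the helper's result and fail explicitly. The helper also appears to leave `api.Backend.ldap2` connected when it had to connect itself, and the unchanged `api.Backend.ldap2.connect(autobind=True)` under `options.setup_dns` runs right after it; if the backend rejects a second connect on an already-connected instance, a DNS-enabled replica install would trip there, so either disconnect in the helper or guard the later connect with `isconnected()`. The `install` function starts and ends outside the hunk.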
@@ -1321,22 +1321,26 @@ def add_default_caacl(ca):
         return
 
     if ca.is_configured():
-        if not api.Backend.ldap2.isconnected():
-            try:
-                api.Backend.ldap2.connect(autobind=True)
-            except ipalib.errors.PublicError as e:
-                root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
-                return
-
-        if not api.Command.caacl_find()['result']:
-            api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
-                hostcategory=u'all', servicecategory=u'all')
-            api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
-                certprofile=(u'caIPAserviceCert',))
+        _add_default_caacl()
 
     sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)
 
 
+def _add_default_caacl():
+    if not api.Backend.ldap2.isconnected():
+        try:
+            api.Backend.ldap2.connect(autobind=True)
+        except ipalib.errors.PublicError as e:
+            root_logger.error("Cannot connect to LDAP to add CA ACLs: %s", e)
+            return
+
+    if not api.Command.caacl_find()['result']:
+        api.Command.caacl_add(u'hosts_services_caIPAserviceCert',
+            hostcategory=u'all', servicecategory=u'all')
+        api.Command.caacl_add_profile(u'hosts_services_caIPAserviceCert',
+            certprofile=(u'caIPAserviceCert',))
+
+
 def upgrade_configuration():
     """
     Execute configuration upgrade of the IPA services
-- 
2.4.3
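Review bot: Moving the body into `_add_default_caacl` changes what happens when the LDAP connect fails: the removed `return` left `add_default_caacl` before the unchanged `sysupgrade.set_upgrade_state('caacl', 'add_default_caacl', True)`, whereas the new helper returns None and the caller now records the step as done, so every later upgrade skips adding the default CA ACL for good. Have the helper report success — `return False` after the `root_logger.error(...)` line and `return True` at its end — and replace the call with `if not _add_default_caacl(): return` so the state is only set when the ACL was actually checked. The helper also needs a docstring saying that the default ACL is created only when `caacl_find` returns no ACLs at all, so administrator-defined ACLs are never overridden, and that it leaves `ldap2` connected when it had to connect it; the literal `hosts_services_caIPAserviceCert` is duplicated in the caacl plugin's delete guard and belongs in one shared constant.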
