[Freeipa-devel] [freeipa PR#786][closed] ipa-server-install: fix uninstall
URL: https://github.com/freeipa/freeipa/pull/786
Author: flo-renaud
Title: #786: ipa-server-install: fix uninstall
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/786/head:pr786
git checkout pr786
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#786][comment] ipa-server-install: fix uninstall
URL: https://github.com/freeipa/freeipa/pull/786
Title: #786: ipa-server-install: fix uninstall

HonzaCholasta commented:
"""
master:

* d9ed2573fd5b4dcdc8ea865f16d81325707e0f9d ipa-server-install: fix uninstall

ipa-4-5:

* 752e167497eca87632261dec7bbb352cd0e599c8 ipa-server-install: fix uninstall
"""

See the full comment at https://github.com/freeipa/freeipa/pull/786#issuecomment-301756756
[Freeipa-devel] [freeipa PR#786][+pushed] ipa-server-install: fix uninstall
URL: https://github.com/freeipa/freeipa/pull/786
Title: #786: ipa-server-install: fix uninstall

Label: +pushed
[Freeipa-devel] [freeipa PR#786][+ack] ipa-server-install: fix uninstall
URL: https://github.com/freeipa/freeipa/pull/786
Title: #786: ipa-server-install: fix uninstall

Label: +ack
[Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

HonzaCholasta commented:
"""
@stlaz, this seems to be a bug in kinit. When you have a certificate chain root CA -> intermediate CA -> KDC and want to trust the intermediate CA, but not the root CA, the validation will always fail. This is the case in external CA setup (the external CA is the root CA, IPA CA is the intermediate CA), but I haven't confirmed it without IPA yet.

Without this patchset, both the CA certificates are trusted, which is a bug, but makes kinit work.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-301680152
[Freeipa-devel] [freeipa PR#758][synchronized] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/758 Author: HonzaCholasta Title: #758: install: fix CA-less PKINIT Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/758/head:pr758 git checkout pr758 From fb20f2009298f8e6e79b66b028c28b7e35e5ee03 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Thu, 27 Apr 2017 09:33:25 +0200 Subject: [PATCH 01/13] certdb: add named trust flag constants Add named constants for common trust flag combinations. Use the named constants instead of trust flags strings in the code. https://pagure.io/freeipa/issue/6831 --- install/restart_scripts/restart_httpd | 3 ++- install/tools/ipa-replica-conncheck| 4 +++- ipaclient/install/client.py| 9 ++--- ipapython/certdb.py| 9 +++-- ipaserver/install/ca.py| 2 +- ipaserver/install/certs.py | 5 +++-- ipaserver/install/dsinstance.py| 5 +++-- ipaserver/install/httpinstance.py | 5 +++-- ipaserver/install/ipa_cacert_manage.py | 16 +++- ipaserver/install/plugins/upload_cacrt.py | 2 +- ipaserver/install/server/replicainstall.py | 3 ++- ipaserver/install/server/upgrade.py| 4 ++-- 12 files changed, 44 insertions(+), 23 deletions(-) diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index b661b82..cd7f120 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd @@ -24,6 +24,7 @@ import traceback from ipalib import api from ipaplatform import services from ipaplatform.paths import paths +from ipapython.certdb import TRUSTED_PEER_TRUST_FLAGS from ipaserver.install import certs, installutils @@ -36,7 +37,7 @@ def _main(): nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") # Add trust flag which set certificate trusted for SSL connections. -db.trust_root_cert(nickname, "P,,") +db.trust_root_cert(nickname, TRUSTED_PEER_TRUST_FLAGS) syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') 
diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index fdbd4f3..5282422 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -549,7 +549,9 @@ def main(): data = ca_cert.public_bytes( serialization.Encoding.DER) nss_db.add_cert( -data, str(DN(ca_cert.subject)), 'C,,') +data, +str(DN(ca_cert.subject)), +certdb.EXTERNAL_CA_TRUST_FLAGS) api.bootstrap(context='client', confdir=paths.ETC_IPA, diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index abca692..e78be90 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -2318,8 +2318,9 @@ def update_ipa_nssdb(): if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')): create_ipa_nssdb() -for nickname, trust_flags in (('IPA CA', 'CT,C,C'), - ('External CA cert', 'C,,')): +for nickname, trust_flags in ( +('IPA CA', certdb.IPA_CA_TRUST_FLAGS), +('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)): try: cert = sys_db.get_cert(nickname) except RuntimeError: @@ -2680,7 +2681,9 @@ def _install(options): tmp_db.create_db() for i, cert in enumerate(ca_certs): -tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,') +tmp_db.add_cert(cert, +'CA certificate %d' % (i + 1), +certdb.EXTERNAL_CA_TRUST_FLAGS) except CalledProcessError: raise ScriptError( "Failed to add CA to temporary NSS database.", diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 4d7f6e7..38f3bf0 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -52,6 +52,11 @@ NSS_FILES = ("cert8.db", "key3.db", "secmod.db", "pwdfile.txt") +EMPTY_TRUST_FLAGS = ',,' +IPA_CA_TRUST_FLAGS = 'CT,C,C' +EXTERNAL_CA_TRUST_FLAGS = 'C,,' +TRUSTED_PEER_TRUST_FLAGS = 'P,,' + def get_ca_nickname(realm, format=CA_NICKNAME_FMT): return format % realm 
@@ -436,7 +441,7 @@ def import_files(self, files, import_keys=False, key_password=None, cert = x509.load_certificate(cert_pem) nickname = str(DN(cert.subject)) data = cert.public_bytes(serialization.Encoding.DER) -self.add_cert(data, nickname, ',,') +self.add_cert(data, ni
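Review bot: in the install/restart_scripts/restart_httpd hunk the pre-existing comment "Add trust flag which set certificate trusted for SSL connections." is now the only explanation of why a server certificate is passed TRUSTED_PEER_TRUST_FLAGS to a function called trust_root_cert; reword it so the named constant and the comment agree, e.g. `# 'P,,': mark the httpd certificate a trusted SSL peer`, and fix the grammar ("which sets") while there.

Review bot: the four constants added in the ipapython/certdb.py hunk (EMPTY_TRUST_FLAGS, IPA_CA_TRUST_FLAGS, EXTERNAL_CA_TRUST_FLAGS, TRUSTED_PEER_TRUST_FLAGS) carry no comment on the field layout, so a reader still has to know that the three comma-separated positions are SSL, e-mail and object-signing trust and that 'C' (CA for server certificates) differs from 'T' (CA for client certificates), which is exactly the difference between the IPA CA and external CA values. Add a one-line comment above EMPTY_TRUST_FLAGS describing the three fields; since add_cert() and trust_root_cert() still accept any str, callers can keep passing raw strings until the "use custom object for trust flags" commit announced in the PR description lands.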
[Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT

HonzaCholasta commented:
"""
@stlaz, FTFY. Also fixed wrong permissions on the CA-less KDC key file (props to @dkupka).

The "preauthentication failed" with `--no-pkinit` is expected indeed.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/758#issuecomment-300767441
[Freeipa-devel] [freeipa PR#765][comment] [4.5 backport] spec file: bump python-netaddr Requires
URL: https://github.com/freeipa/freeipa/pull/765
Title: #765: [4.5 backport] spec file: bump python-netaddr Requires

HonzaCholasta commented:
"""
@tomaskrizek, this PR is for ipa-4-5, the change is already present in master.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/765#issuecomment-300465628
[Freeipa-devel] [freeipa PR#765][comment] [4.5 backport] spec file: bump python-netaddr Requires
URL: https://github.com/freeipa/freeipa/pull/765
Title: #765: [4.5 backport] spec file: bump python-netaddr Requires

HonzaCholasta commented:
"""
@tomaskrizek, yes.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/765#issuecomment-300401586
[Freeipa-devel] [freeipa PR#773][comment] [WIP] Warn in cert-request if CSR doesn't contain SAN
URL: https://github.com/freeipa/freeipa/pull/773
Title: #773: [WIP] Warn in cert-request if CSR doesn't contain SAN

HonzaCholasta commented:
"""
@frasertweedale, I'm not aware of any agreement and I'm against this as well.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/773#issuecomment-300375495
[Freeipa-devel] [freeipa PR#728][synchronized] ipa-cacert-manage: add --external-ca-type
URL: https://github.com/freeipa/freeipa/pull/728 Author: HonzaCholasta Title: #728: ipa-cacert-manage: add --external-ca-type Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/728/head:pr728 git checkout pr728 From c0c79f0b0fdaf0b5a1bfe0d92018f3bf12373907 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Mon, 24 Apr 2017 05:24:24 + Subject: [PATCH 1/7] renew agent: respect CA renewal master setting Do not bypass the renewal master check when a non-virtual profile is used in dogtag-ipa-ca-renew-agent-submit. This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master setting for certificates tracked with a real profile. (Note that there currently aren't any such certificates tracked by us.) Request the RA certificate using dogtag-submit rather than dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not available so early in the install process. https://pagure.io/freeipa/issue/5799 --- install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +- ipaserver/install/cainstance.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 7a3d955..f253fd9 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -535,7 +535,7 @@ def main(): profile = os.environ.get('CERTMONGER_CA_PROFILE') if is_replicated(): -if profile or is_renewal_master(): +if is_renewal_master(): handler = request_and_store_cert else: handler = retrieve_cert_continuous diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index d72feb8..97baa60 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -822,7 +822,7 @@ def __request_ra_certificate(self): "-out", chain_file.name, ], stdin=data, capture_output=False) -agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT, +agent_args = [paths.CERTMONGER_DOGTAG_SUBMIT, "--dbdir", self.tmp_agent_db, "--nickname", "ipa-ca-agent", "--cafile", chain_file.name, From 9e9bcaa70bc8e7b307ecd99e247311796b9fd32d Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Tue, 28 Feb 2017 10:55:54 + Subject: [PATCH 2/7] server upgrade: always fix certmonger tracking request Fix certmonger tracking requests on every run of ipa-server-upgrade rather than only when the tracking configuration has changed and the requests have not yet been updated. This allows fixing broken tracking requests just by re-running ipa-server-upgrade. https://pagure.io/freeipa/issue/5799 --- ipaserver/install/server/upgrade.py | 28 +++- 1 file changed, 7 insertions(+), 21 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 9aec2d8..84692d3 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -905,8 +905,6 @@ def certificate_renewal_update(ca, ds, http): template = paths.CERTMONGER_COMMAND_TEMPLATE serverid = installutils.realm_to_serverid(api.env.realm) -# bump version when requests is changed -version = 6 requests = [ { 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, 
@@ -971,25 +969,17 @@ def certificate_renewal_update(ca, ds, http): } ] -root_logger.info("[Update certmonger certificate renewal configuration to " - "version %d]" % version) +root_logger.info("[Update certmonger certificate renewal configuration]") if not ca.is_configured(): root_logger.info('CA is not configured') return False -state = 'certificate_renewal_update_%d' % version -if sysupgrade.get_upgrade_state('dogtag', state): -return False - # State not set, lets see if we are already configured for request in requests: request_id = certmonger.get_request_id(request) if request_id is None: break else: -sysupgrade.set_upgrade_state('dogtag', state, True) -root_logger.info("Certmonger certificate renewal configuration is " - "already at version %d" % version) return False # Ok, now we need to stop tracking, then we can start tracking them @@ -998,13 +988,11 @@ def certificate_renewal_update(ca, ds, http): ds.stop_tracking_certificates(serverid) http.stop_tracking_certificates() -if not sysupgrade.get_upgrade_state('dogtag', -
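Review bot: in the install/certmonger/dogtag-ipa-ca-renew-agent-submit hunk the only visible use of `profile` goes away with `-if profile or is_renewal_master():`, but `profile = os.environ.get('CERTMONGER_CA_PROFILE')` two lines above is kept; if main() has no other use of it, drop the assignment in the same commit, otherwise the lint run will report an unused variable.

Review bot: the ipaserver/install/cainstance.py hunk swaps the helper to paths.CERTMONGER_DOGTAG_SUBMIT but keeps the argument list (`--dbdir`, `--nickname`, `--cafile`, ...) verbatim from the renew-agent invocation; dogtag-submit is a different program, so state in the commit message that it accepts the same options, and verify that the CA renewal master check it no longer goes through is indeed not needed at this point of the install, which is the reason the commit message gives for the switch.

Review bot: the ipaserver/install/server/upgrade.py hunk removes the `certificate_renewal_update_%d` state together with the "already at version %d" log line, so an ipa-server-upgrade run in which every request already has an ID now returns False from the for/else silently; keep an info message in that branch (e.g. "Certmonger certificate renewal configuration is already up to date") so the upgrade log still records why tracking was left untouched.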
[Freeipa-devel] [freeipa PR#758][opened] install: fix CA-less PKINIT
URL: https://github.com/freeipa/freeipa/pull/758 Author: HonzaCholasta Title: #758: install: fix CA-less PKINIT Action: opened PR body: """ **certdb: add named trust flag constants** Add named constants for common trust flag combinations. Use the named constants instead of trust flags strings in the code. **certdb, certs: make trust flags argument mandatory** Make the trust flags argument mandatory in all functions in `certdb` and `certs`. **certdb: use custom object for trust flags** Replace trust flag strings with `TrustFlags` objects. The `TrustFlags` class encapsulates `certstore` key policy and has an additional flag indicating the presence of a private key. **install: trust IPA CA for PKINIT** Trust IPA CA to issue PKINIT KDC and client authentication certificates in the IPA certificate store. **client install: fix client PKINIT configuration** Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`. Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs known to IPA. Make sure both bundles are exported in all installation code paths. **server install: fix KDC PKINIT configuration** Make sure `cacert.pem` contains only certificates of CAs trusted to issue PKINIT client certificates and is exported in all installation code paths. Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known to IPA. Use the KDC certificate itself as a PKINIT anchor in `login_password`. **certs: do not export CA certs in install_pem_from_p12** This fixes `kdc.crt` containing the full chain rather than just the KDC certificate in CA-less server install. **server install: fix KDC certificate validation in CA-less** Verify that the provided certificate has the extended key usage and subject alternative name required for KDC. **cacert manage: support PKINIT** Allow installing 3rd party CA certificates trusted to issue PKINIT KDC and/or client certificates. 
**server certinstall: support PKINIT** Allow replacing the KDC certificate. https://pagure.io/freeipa/issue/6831 https://pagure.io/freeipa/issue/6869 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/758/head:pr758 git checkout pr758 From 6f9b8a737f25c5eb47a3048dfbdb88ed45e024b8 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Thu, 27 Apr 2017 09:33:25 +0200 Subject: [PATCH 01/10] certdb: add named trust flag constants Add named constants for common trust flag combinations. Use the named constants instead of trust flags strings in the code. https://pagure.io/freeipa/issue/6831 --- install/tools/ipa-replica-conncheck| 4 +++- ipaclient/install/client.py| 9 ++--- ipapython/certdb.py| 8 ++-- ipaserver/install/ca.py| 2 +- ipaserver/install/certs.py | 5 +++-- ipaserver/install/dsinstance.py| 5 +++-- ipaserver/install/httpinstance.py | 3 ++- ipaserver/install/ipa_cacert_manage.py | 16 +++- ipaserver/install/plugins/upload_cacrt.py | 2 +- ipaserver/install/server/replicainstall.py | 3 ++- ipaserver/install/server/upgrade.py| 2 +- 11 files changed, 39 insertions(+), 20 deletions(-) diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck index fdbd4f3..5282422 100755 --- a/install/tools/ipa-replica-conncheck +++ b/install/tools/ipa-replica-conncheck @@ -549,7 +549,9 @@ def main(): data = ca_cert.public_bytes( serialization.Encoding.DER) nss_db.add_cert( -data, str(DN(ca_cert.subject)), 'C,,') +data, +str(DN(ca_cert.subject)), +certdb.EXTERNAL_CA_TRUST_FLAGS) api.bootstrap(context='client', confdir=paths.ETC_IPA, diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index abca692..e78be90 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py 
@@ -2318,8 +2318,9 @@ def update_ipa_nssdb(): if not os.path.exists(os.path.join(ipa_db.secdir, 'cert8.db')): create_ipa_nssdb() -for nickname, trust_flags in (('IPA CA', 'CT,C,C'), - ('External CA cert', 'C,,')): +for nickname, trust_flags in ( +('IPA CA', certdb.IPA_CA_TRUST_FLAGS), +('External CA cert', certdb.EXTERNAL_CA_TRUST_FLAGS)): try: cert = sys_db.get_cert(nickname) except RuntimeError: @@ -2680,7 +2681,9 @@ def _install(options): tmp_db.create_db() for i, cert in enumerate(ca_certs): -tmp_db.add_cert(cer
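Review bot: the install/tools/ipa-replica-conncheck hunk references `certdb.EXTERNAL_CA_TRUST_FLAGS` as a module attribute but shows no import change, so the script must already import certdb (the restart_httpd version of this change in the later revision needed a new import line); confirm the existing import is `from ipapython import certdb` rather than a `from ipapython.certdb import ...` of individual names, or the new reference will fail at runtime, which conncheck's own test coverage may not exercise.

Review bot: the update_ipa_nssdb loop in the ipaclient/install/client.py hunk keeps the old values exactly ('CT,C,C' for 'IPA CA', 'C,,' for 'External CA cert') while the PR description says PKINIT trust for the IPA CA will be expressed in the IPA certificate store rather than here; a one-line comment that these NSS flags govern only the client database's SSL/S-MIME/object-signing trust would stop readers from looking for PKINIT trust in this loop.

The trust flag strings that the PR description above says a `TrustFlags` object will replace are certutil trust attributes. As an added example (my code, not FreeIPA's `TrustFlags` class, and not part of the original message), the Python below models those strings: it parses and canonicalises them, exposes the distinction between 'C' (CA trusted to issue server certificates) and 'T' (CA trusted to issue client certificates) on which the IPA CA versus external CA constants hinge, and runs a policy check over a constructed database listing. The `SAMPLE_DB` entries, the `audit()` policy and the `is_valid()` helper are assumptions made for the example.

```python
"""Added example (not FreeIPA code): model NSS/certutil trust attribute strings.

A trust string has three comma-separated fields for the SSL, e-mail (S/MIME)
and object-signing domains, e.g. 'CT,C,C'; the letters are those certutil -t takes.
"""
from dataclasses import dataclass

# Letters certutil accepts in a field, in the order certutil prints them.
_ORDER = "pPcCTuw"

# Same values as the constants the patch adds to ipapython/certdb.py.
EMPTY_TRUST_FLAGS = ",,"
IPA_CA_TRUST_FLAGS = "CT,C,C"
EXTERNAL_CA_TRUST_FLAGS = "C,,"
TRUSTED_PEER_TRUST_FLAGS = "P,,"


@dataclass(frozen=True)
class TrustFlags:
    """One frozenset of trust letters per domain (hypothetical helper)."""
    ssl: frozenset
    email: frozenset
    objsign: frozenset

    @classmethod
    def parse(cls, text):
        """Parse 'ssl,email,objsign'; reject wrong arity or unknown letters."""
        fields = text.split(",")
        if len(fields) != 3:
            raise ValueError("expected three comma-separated fields: %r" % text)
        for field in fields:
            unknown = set(field) - set(_ORDER)
            if unknown:
                raise ValueError("unknown trust letters %s in %r" % (sorted(unknown), text))
        return cls(*(frozenset(f) for f in fields))

    def __str__(self):
        """Serialise to the canonical certutil form, e.g. 'TC,C,C' -> 'CT,C,C'."""
        return ",".join("".join(sorted(f, key=_ORDER.index))
                        for f in (self.ssl, self.email, self.objsign))

    @property
    def has_key(self):  # 'u' in any field: a private key is present
        return "u" in self.ssl | self.email | self.objsign

    @property
    def is_ca(self):  # any CA letter in any field
        return bool({"c", "C", "T"} & (self.ssl | self.email | self.objsign))

    @property
    def trusted_ca_for_server_certs(self):  # 'C' in the SSL field
        return "C" in self.ssl

    @property
    def trusted_ca_for_client_certs(self):  # 'T' in the SSL field
        return "T" in self.ssl

    @property
    def trusted_peer(self):  # 'P' in the SSL field
        return "P" in self.ssl


def is_valid(text):
    """True when text is a well-formed trust string."""
    try:
        TrustFlags.parse(text)
    except ValueError:
        return False
    return True


def audit(nicknames_to_flags):
    """Flag entries whose trust is wider than their role (constructed policy):
    an 'External CA ...' entry must not be trusted to issue client certs, and a
    leaf entry (trusted peer or key holder) must not carry CA trust."""
    findings = []
    for nickname, text in nicknames_to_flags.items():
        flags = TrustFlags.parse(text)
        if nickname.startswith("External CA") and flags.trusted_ca_for_client_certs:
            findings.append((nickname, "external CA trusted to issue client certs"))
        if (flags.trusted_peer or flags.has_key) and flags.is_ca:
            findings.append((nickname, "leaf certificate carries CA trust"))
    return findings


# Constructed listing in the shape of `certutil -L` output for an IPA client
# database; 'External CA cert' is deliberately over-trusted.
SAMPLE_DB = {
    "IPA CA": IPA_CA_TRUST_FLAGS,
    "External CA cert": "CT,C,C",
    "Server-Cert": "u,u,u",
    "Peer-Cert": TRUSTED_PEER_TRUST_FLAGS,
}

if __name__ == "__main__":
    for nickname, text in SAMPLE_DB.items():
        print("%-17s %-7s canonical=%s" % (nickname, text, TrustFlags.parse(text)))
    for nickname, problem in audit(SAMPLE_DB):
        print("FINDING: %s: %s" % (nickname, problem))
```

The canonical ordering in `__str__` matters when comparing flags read back from `certutil -L` against the named constants: certutil prints 'CT,C,C' regardless of the order the letters were given at `certutil -A` time.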
[Freeipa-devel] [freeipa PR#728][synchronized] ipa-cacert-manage: add --external-ca-type
URL: https://github.com/freeipa/freeipa/pull/728 Author: HonzaCholasta Title: #728: ipa-cacert-manage: add --external-ca-type Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/728/head:pr728 git checkout pr728 From 4f1ef08489013d68304b0cee289290fdcde37422 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Mon, 24 Apr 2017 05:24:24 + Subject: [PATCH 1/7] renew agent: respect CA renewal master setting Do not bypass the renewal master check when a non-virtual profile is used in dogtag-ipa-ca-renew-agent-submit. This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master setting for certificates tracked with a real profile. (Note that there currently aren't any such certificates tracked by us.) Request the RA certificate using dogtag-submit rather than dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not available so early in the install process. https://pagure.io/freeipa/issue/5799 --- install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +- ipaserver/install/cainstance.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 7a3d955..f253fd9 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit +++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -535,7 +535,7 @@ def main(): profile = os.environ.get('CERTMONGER_CA_PROFILE') if is_replicated(): -if profile or is_renewal_master(): +if is_renewal_master(): handler = request_and_store_cert else: handler = retrieve_cert_continuous diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index d72feb8..97baa60 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -822,7 +822,7 @@ def __request_ra_certificate(self): "-out", chain_file.name, ], stdin=data, capture_output=False) -agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT, +agent_args = [paths.CERTMONGER_DOGTAG_SUBMIT, "--dbdir", self.tmp_agent_db, "--nickname", "ipa-ca-agent", "--cafile", chain_file.name, From 73671930abf599a74908d3ce1414d9dc6df3b059 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Tue, 28 Feb 2017 10:55:54 + Subject: [PATCH 2/7] server upgrade: always fix certmonger tracking request Fix certmonger tracking requests on every run of ipa-server-upgrade rather than only when the tracking configuration has changed and the requests have not yet been updated. This allows fixing broken tracking requests just by re-running ipa-server-upgrade. https://pagure.io/freeipa/issue/5799 --- ipaserver/install/server/upgrade.py | 28 +++- 1 file changed, 7 insertions(+), 21 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 0f27428..8746f00 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -905,8 +905,6 @@ def certificate_renewal_update(ca, ds, http): template = paths.CERTMONGER_COMMAND_TEMPLATE serverid = installutils.realm_to_serverid(api.env.realm) -# bump version when requests is changed -version = 6 requests = [ { 'cert-database': paths.PKI_TOMCAT_ALIAS_DIR, 
@@ -971,25 +969,17 @@ def certificate_renewal_update(ca, ds, http): } ] -root_logger.info("[Update certmonger certificate renewal configuration to " - "version %d]" % version) +root_logger.info("[Update certmonger certificate renewal configuration]") if not ca.is_configured(): root_logger.info('CA is not configured') return False -state = 'certificate_renewal_update_%d' % version -if sysupgrade.get_upgrade_state('dogtag', state): -return False - # State not set, lets see if we are already configured for request in requests: request_id = certmonger.get_request_id(request) if request_id is None: break else: -sysupgrade.set_upgrade_state('dogtag', state, True) -root_logger.info("Certmonger certificate renewal configuration is " - "already at version %d" % version) return False # Ok, now we need to stop tracking, then we can start tracking them @@ -998,13 +988,11 @@ def certificate_renewal_update(ca, ds, http): ds.stop_tracking_certificates(serverid) http.stop_tracking_certificates() -if not sysupgrade.get_upgrade_state('dogtag', -
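Review bot: the commit message for the install/certmonger/dogtag-ipa-ca-renew-agent-submit hunk says no tracked certificate currently uses a real profile, so the changed branch (`if is_renewal_master():` on a replicated install with CERTMONGER_CA_PROFILE set) has no in-tree caller exercising it; add a unit test that sets CERTMONGER_CA_PROFILE with is_renewal_master() returning False and asserts retrieve_cert_continuous is chosen, so the regression tracked in https://pagure.io/freeipa/issue/5799 cannot silently return.

Review bot: with `state = 'certificate_renewal_update_%d' % version` gone from the ipaserver/install/server/upgrade.py hunk, the `certificate_renewal_update_6` and earlier keys written by previous upgrades stay in the dogtag sysupgrade state with nothing reading them; add a cleanup of those stale keys in this function, or say in the commit message that they are intentionally left behind.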
[Freeipa-devel] [freeipa PR#694][closed] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694
[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

HonzaCholasta commented:
"""
master:

* b1a1e104391c84cb9af7b0a7c8748c8652442ddb separate function to set ipaConfigString values on service entry
* fb52f7a1f328b126626525179d5250692daca2cd Allow for configuration of all three PKINIT variants when deploying KDC
* 86972299d937960bcb713fc73b447cddb4ea44bd API for retrieval of master's PKINIT status and publishing it in LDAP
* 3adb9ca875f8eb99e99a29e17a471a2b6f408a4a Use only anonymous PKINIT to fetch armor ccache
* 68c6a4d4e1340ce01bdc7ec5dd394604a3da7688 Stop requesting anonymous keytab and purge all references of it
* 2374b648d0dfd08ec4cfbcc35f7987fa8b8a6ffa Use local anchor when armoring password requests
* a194055c92c7ca4eba29323f990ec3b92026221b Upgrade: configure local/full PKINIT depending on the master status
* 960e361f68a3d7acd9bcf16ec6fe8f6d5376c4ae Do not test anonymous PKINIT after install/upgrade

ipa-4-5:

* 31a24436592304db6e84270e4a95df34d1e0af46 separate function to set ipaConfigString values on service entry
* b49e075c90a7ab43e82f422aa11dc7540e2fb2c0 Allow for configuration of all three PKINIT variants when deploying KDC
* a0e2a09292ffa2adbf97c2e7e4facc9693dbc311 API for retrieval of master's PKINIT status and publishing it in LDAP
* fca378c9a65f582ac3dcda4b6201e8847ed9e512 Use only anonymous PKINIT to fetch armor ccache
* 9fcc794dac6ffb1f1cc6c92a588ea0911be5ba14 Stop requesting anonymous keytab and purge all references of it
* 5031929b6d710336f6308d7f46779c9e8e98103a Use local anchor when armoring password requests
* 2452e6e5f3a7e7a25eadf5243a28da75a47f9d2c Upgrade: configure local/full PKINIT depending on the master status
* d497c4589cc7506ef9a88b691b8b1d97ad1f1009 Do not test anonymous PKINIT after install/upgrade
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-297941980
[Freeipa-devel] [freeipa PR#694][+pushed] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

Label: +pushed
[Freeipa-devel] [freeipa PR#694][+ack] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

Label: +ack
[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

HonzaCholasta commented:
"""
Works for me, ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-297940885
[Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729
Title: #729: Turn on NSSOCSP check in mod_nss conf

HonzaCholasta commented:
"""
@pvomacka, CI fails because you forgot to include python-augeas in lint BuildRequires.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/729#issuecomment-297918182
[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

HonzaCholasta commented:
"""
LGTM.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-297645225
[Freeipa-devel] [freeipa PR#731][comment] spec file: bump krb5 Requires for certauth fixes
URL: https://github.com/freeipa/freeipa/pull/731
Title: #731: spec file: bump krb5 Requires for certauth fixes

HonzaCholasta commented:
"""
@martbab, #739.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/731#issuecomment-297614960
[Freeipa-devel] [freeipa PR#739][opened] [4.5] spec file: bump krb5 Requires for certauth fixes
URL: https://github.com/freeipa/freeipa/pull/739 Author: HonzaCholasta Title: #739: [4.5] spec file: bump krb5 Requires for certauth fixes Action: opened PR body: """ Bump krb5-* Requires to the version which includes the final version of certauth support. https://pagure.io/freeipa/issue/4905 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/739/head:pr739 git checkout pr739 From 2d14e1147e69e691266cedd7a5c9feb49ad37003 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Tue, 25 Apr 2017 12:35:34 + Subject: [PATCH] spec file: bump krb5 Requires for certauth fixes Bump krb5-* Requires to the version which includes the final version of certauth support. https://pagure.io/freeipa/issue/4905 --- freeipa.spec.in | 12 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 978ebb1..3b7410b 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -36,11 +36,15 @@ %global alt_name ipa %if 0%{?rhel} +# 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) +%global krb5_version 1.15.1-4 # Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation %global samba_version 4.6.0-4 %global selinux_policy_version 3.12.1-153 %global slapi_nis_version 0.56.0-4 %else +# 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) +%global krb5_version 1.15.1-7 # Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation %global samba_version 2:4.6.0-4 %global selinux_policy_version 3.13.1-158.4 @@ -82,8 +86,7 @@ BuildRequires: openldap-devel %if 0%{?fedora} > 25 BuildRequires: krb5-kdb-version = 6.1 %endif -# 1.15.1-3: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) -BuildRequires: krb5-devel >= 1.15.1-3 +BuildRequires: krb5-devel >= %{krb5_version} # 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation BuildRequires: xmlrpc-c-devel >= 1.27.4 BuildRequires: popt-devel 
@@ -263,8 +266,9 @@ Requires: 389-ds-base >= 1.3.5.14 Requires: openldap-clients > 2.4.35-4 Requires: nss >= 3.14.3-12.0 Requires: nss-tools >= 3.14.3-12.0 +Requires(post): krb5-server >= %{krb5_version} Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100 -Requires: krb5-pkinit-openssl +Requires: krb5-pkinit-openssl >= %{krb5_version} Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd >= 2.4.6-31 @@ -481,7 +485,7 @@ Requires: python2-ipaclient = %{version}-%{release} Requires: python-ldap Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp -Requires: krb5-workstation +Requires: krb5-workstation >= %{krb5_version} Requires: authconfig Requires: curl # NIS domain name config: /usr/lib/systemd/system/*-domainname.service -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
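Review bot: in the `%if 0%{?rhel}` branch of the first freeipa.spec.in hunk the new comment reads `# 1.15.1-7: certauth (...)` but the value set is `%global krb5_version 1.15.1-4`, while the `%else` branch sets 1.15.1-7 under the identical comment; either the RHEL build carrying the final certauth support really is 1.15.1-4 and the comment in that branch should say so, or the value is wrong. Make the two branches agree or explain the difference in the comment.

Review bot: the server Requires hunk adds `Requires(post): krb5-server >= %{krb5_version}` next to the existing `Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100`, but Requires(post) only orders the post-install scriptlet; nothing stops krb5-server from being downgraded below 1.15.1-7 later while the KDC relies on certauth. Add a plain `Requires: krb5-server >= %{krb5_version}` as well, as the same hunk already does for krb5-pkinit-openssl and the client subpackage hunk does for krb5-workstation.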
[Freeipa-devel] [freeipa PR#731][synchronized] spec file: bump krb5 Requires for certauth fixes
URL: https://github.com/freeipa/freeipa/pull/731 Author: HonzaCholasta Title: #731: spec file: bump krb5 Requires for certauth fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/731/head:pr731 git checkout pr731 From 2d71f070b700b78945dfaac864c0f4413c1f26b5 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Tue, 25 Apr 2017 12:35:34 + Subject: [PATCH] spec file: bump krb5 Requires for certauth fixes Bump krb5-* Requires to the version which includes the final version of certauth support. https://pagure.io/freeipa/issue/4905 --- freeipa.spec.in | 12 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 2be6ca9..ee9a36b 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -33,6 +33,8 @@ %global alt_name ipa %if 0%{?rhel} +# 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) +%global krb5_version 1.15.1-4 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 %global python_netaddr_version 0.7.5-8 # Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation @@ -40,6 +42,8 @@ %global selinux_policy_version 3.12.1-153 %global slapi_nis_version 0.56.0-4 %else +# 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) +%global krb5_version 1.15.1-7 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 %global python_netaddr_version 0.7.16 # Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation @@ -83,8 +87,7 @@ BuildRequires: openldap-devel %if 0%{?fedora} > 25 BuildRequires: krb5-kdb-version = 6.1 %endif -# 1.15.1-3: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) -BuildRequires: krb5-devel >= 1.15.1-3 +BuildRequires: krb5-devel >= %{krb5_version} # 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation BuildRequires: xmlrpc-c-devel >= 1.27.4 BuildRequires: popt-devel 
@@ -267,8 +270,9 @@ Requires: 389-ds-base >= 1.3.5.14 Requires: openldap-clients > 2.4.35-4 Requires: nss >= 3.14.3-12.0 Requires: nss-tools >= 3.14.3-12.0 +Requires(post): krb5-server >= %{krb5_version} Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100 -Requires: krb5-pkinit-openssl +Requires: krb5-pkinit-openssl >= %{krb5_version} Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd >= 2.4.6-31 @@ -485,7 +489,7 @@ Requires: python2-ipaclient = %{version}-%{release} Requires: python-ldap Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp -Requires: krb5-workstation +Requires: krb5-workstation >= %{krb5_version} Requires: authconfig Requires: curl # NIS domain name config: /usr/lib/systemd/system/*-domainname.service -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#731][synchronized] spec file: bump krb5 Requires for certauth fixes
URL: https://github.com/freeipa/freeipa/pull/731 Author: HonzaCholasta Title: #731: spec file: bump krb5 Requires for certauth fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/731/head:pr731 git checkout pr731 From 8947e4d964eecb82bff901e7218c62ef9256aa69 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Tue, 25 Apr 2017 12:35:34 + Subject: [PATCH] spec file: bump krb5 Requires for certauth fixes Bump krb5-* Requires to the version which includes the final version of certauth support. https://pagure.io/freeipa/issue/4905 --- freeipa.spec.in | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 2be6ca9..1d014eb 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -33,6 +33,8 @@ %global alt_name ipa %if 0%{?rhel} +# 1.15.1-6: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) +%global krb5_version 1.15.1-4 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 %global python_netaddr_version 0.7.5-8 # Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation @@ -40,6 +42,8 @@ %global selinux_policy_version 3.12.1-153 %global slapi_nis_version 0.56.0-4 %else +# 1.15.1-6: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) +%global krb5_version 1.15.1-6 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 %global python_netaddr_version 0.7.16 # Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation 
@@ -83,8 +87,8 @@ BuildRequires: openldap-devel %if 0%{?fedora} > 25 BuildRequires: krb5-kdb-version = 6.1 %endif -# 1.15.1-3: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) -BuildRequires: krb5-devel >= 1.15.1-3 +# 1.15.1-6: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) +BuildRequires: krb5-devel >= %{krb5_version} # 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation BuildRequires: xmlrpc-c-devel >= 1.27.4 BuildRequires: popt-devel @@ -267,8 +271,9 @@ Requires: 389-ds-base >= 1.3.5.14 Requires: openldap-clients > 2.4.35-4 Requires: nss >= 3.14.3-12.0 Requires: nss-tools >= 3.14.3-12.0 +Requires(post): krb5-server >= %{krb5_version} Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100 -Requires: krb5-pkinit-openssl +Requires: krb5-pkinit-openssl >= %{krb5_version} Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd >= 2.4.6-31 @@ -485,7 +490,7 @@ Requires: python2-ipaclient = %{version}-%{release} Requires: python-ldap Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp -Requires: krb5-workstation +Requires: krb5-workstation >= %{krb5_version} Requires: authconfig Requires: curl # NIS domain name config: /usr/lib/systemd/system/*-domainname.service -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
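Review bot: the BuildRequires hunk adds `# 1.15.1-6: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561)` above `BuildRequires: krb5-devel >= %{krb5_version}` while the same comment was just added above both `%global krb5_version` definitions, so the ticket reference is now carried in three places and the copy above the BuildRequires line does not match the value it annotates on RHEL (`1.15.1-4`); drop it here and keep the explanation next to the macro definitions only.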
[Freeipa-devel] [freeipa PR#688][comment] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
URL: https://github.com/freeipa/freeipa/pull/688
Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
HonzaCholasta commented:
"""
master:
* 38276d3473ecf2a4cc5b5e2a107347f046625626 Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
ipa-4-5:
* dc4d60c9665408666ab3dfab7023a578c34d65a2 Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
"""
See the full comment at https://github.com/freeipa/freeipa/pull/688#issuecomment-297338734
[Freeipa-devel] [freeipa PR#688][closed] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
URL: https://github.com/freeipa/freeipa/pull/688
Author: redhatrises
Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/688/head:pr688
git checkout pr688
[Freeipa-devel] [freeipa PR#688][+pushed] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
URL: https://github.com/freeipa/freeipa/pull/688
Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
Label: +pushed
[Freeipa-devel] [freeipa PR#688][+ack] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
URL: https://github.com/freeipa/freeipa/pull/688
Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
Label: +ack
[Freeipa-devel] [freeipa PR#688][comment] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
URL: https://github.com/freeipa/freeipa/pull/688
Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
HonzaCholasta commented:
"""
Actually, please remove the change in `VERSION.m4`, as it is not necessary and prevents the patch from applying cleanly on top of ipa-4-5. Also please add the ticket link to commit messages.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/688#issuecomment-297025571
[Freeipa-devel] [freeipa PR#688][-ack] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
URL: https://github.com/freeipa/freeipa/pull/688
Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
Label: -ack
[Freeipa-devel] [freeipa PR#688][+ack] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
URL: https://github.com/freeipa/freeipa/pull/688
Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
Label: +ack
[Freeipa-devel] [freeipa PR#688][comment] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
URL: https://github.com/freeipa/freeipa/pull/688
Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
HonzaCholasta commented:
"""
Thanks!
"""
See the full comment at https://github.com/freeipa/freeipa/pull/688#issuecomment-297024230
[Freeipa-devel] [freeipa PR#731][opened] spec file: bump krb5 Requires for certauth fixes
URL: https://github.com/freeipa/freeipa/pull/731 Author: HonzaCholasta Title: #731: spec file: bump krb5 Requires for certauth fixes Action: opened PR body: """ Bump krb5-* Requires to the version which includes the final version of certauth support. https://pagure.io/freeipa/issue/4905 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/731/head:pr731 git checkout pr731 From 5ff3bc42a4d5f07e1e13a20ee94aa640e1e63f2d Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Tue, 25 Apr 2017 12:35:34 + Subject: [PATCH] spec file: bump krb5 Requires for certauth fixes Bump krb5-* Requires to the version which includes the final version of certauth support. https://pagure.io/freeipa/issue/4905 --- freeipa.spec.in | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbc67cb..9d4e81b 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -33,11 +33,15 @@ %global alt_name ipa %if 0%{?rhel} +# 1.15.1-6: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) +%global krb5_version 1.15.1-4 # Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation %global samba_version 4.6.0-4 %global selinux_policy_version 3.12.1-153 %global slapi_nis_version 0.56.0-4 %else +# 1.15.1-6: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) +%global krb5_version 1.15.1-6 # Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation %global samba_version 2:4.6.0-4 %global selinux_policy_version 3.13.1-158.4 
@@ -79,8 +83,8 @@ BuildRequires: openldap-devel %if 0%{?fedora} > 25 BuildRequires: krb5-kdb-version = 6.1 %endif -# 1.15.1-3: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) -BuildRequires: krb5-devel >= 1.15.1-3 +# 1.15.1-6: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) +BuildRequires: krb5-devel >= ${krb5_version} # 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation BuildRequires: xmlrpc-c-devel >= 1.27.4 BuildRequires: popt-devel @@ -263,8 +267,9 @@ Requires: 389-ds-base >= 1.3.5.14 Requires: openldap-clients > 2.4.35-4 Requires: nss >= 3.14.3-12.0 Requires: nss-tools >= 3.14.3-12.0 +Requires(post): krb5-server >= %{krb5_version} Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100 -Requires: krb5-pkinit-openssl +Requires: krb5-pkinit-openssl >= %{krb5_version} Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd >= 2.4.6-31 @@ -481,7 +486,7 @@ Requires: python2-ipaclient = %{version}-%{release} Requires: python-ldap Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp -Requires: krb5-workstation +Requires: krb5-workstation >= %{krb5_version} Requires: authconfig Requires: curl # NIS domain name config: /usr/lib/systemd/system/*-domainname.service -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
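Review bot: `BuildRequires: krb5-devel >= ${krb5_version}` in the BuildRequires hunk uses shell-style `${...}`, which is not an RPM macro reference and will not be expanded, so the build requirement does not pin anything; it should read `BuildRequires: krb5-devel >= %{krb5_version}`, matching the `%{krb5_version}` references in the Requires hunks that follow.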
[Freeipa-devel] [freeipa PR#725][comment] Fix certificate_out check in CertRetrieveOverride
URL: https://github.com/freeipa/freeipa/pull/725
Title: #725: Fix certificate_out check in CertRetrieveOverride
HonzaCholasta commented:
"""
NACK:
```
$ ipa cert-show 1
ipa: ERROR: Filename is empty
```
"""
See the full comment at https://github.com/freeipa/freeipa/pull/725#issuecomment-297013050
[Freeipa-devel] [freeipa PR#730][opened] spec file: bump python-netaddr Requires
URL: https://github.com/freeipa/freeipa/pull/730 Author: HonzaCholasta Title: #730: spec file: bump python-netaddr Requires Action: opened PR body: """ Bump python-netaddr Requires to the version which has correct private and reserved IPv4 address ranges. This fixes DNS server install failure when 0.0.0.0 is entered as a forwarder. https://pagure.io/freeipa/issue/6894 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/730/head:pr730 git checkout pr730 From 934d481cf6ed2510486aed589e973d2833c3bf42 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Tue, 25 Apr 2017 12:13:00 + Subject: [PATCH] spec file: bump python-netaddr Requires Bump python-netaddr Requires to the version which has correct private and reserved IPv4 address ranges. This fixes DNS server install failure when 0.0.0.0 is entered as a forwarder. https://pagure.io/freeipa/issue/6894 --- freeipa.spec.in | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbc67cb..2be6ca9 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -33,11 +33,15 @@ %global alt_name ipa %if 0%{?rhel} +# 0.7.16: https://github.com/drkjam/netaddr/issues/71 +%global python_netaddr_version 0.7.5-8 # Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation %global samba_version 4.6.0-4 %global selinux_policy_version 3.12.1-153 %global slapi_nis_version 0.56.0-4 %else +# 0.7.16: https://github.com/drkjam/netaddr/issues/71 +%global python_netaddr_version 0.7.16 # Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation %global samba_version 2:4.6.0-4 %global selinux_policy_version 3.13.1-158.4 
@@ -636,7 +640,7 @@ Requires: gnupg Requires: keyutils Requires: pyOpenSSL Requires: python-cryptography >= 1.6 -Requires: python-netaddr +Requires: python-netaddr >= %{python_netaddr_version} Requires: python-libipa_hbac Requires: python-qrcode-core >= 5.0.0 Requires: python-pyasn1 @@ -684,7 +688,7 @@ Requires: gnupg Requires: keyutils Requires: python3-pyOpenSSL Requires: python3-cryptography >= 1.6 -Requires: python3-netaddr +Requires: python3-netaddr >= %{python_netaddr_version} Requires: python3-libipa_hbac Requires: python3-qrcode-core >= 5.0.0 Requires: python3-pyasn1 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
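Review bot: in the `%if 0%{?rhel}` hunk the comment `# 0.7.16: https://github.com/drkjam/netaddr/issues/71` annotates `%global python_netaddr_version 0.7.5-8`, so on RHEL the pin is a downstream release that presumably backports the fix rather than the 0.7.16 upstream version the comment cites; say so in the comment (which RHEL build carries the corrected private and reserved ranges) so that 0.7.5-8 is not later mistaken for a stale pin and "fixed" to 0.7.16.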
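The krb5, samba and python-netaddr pins in the spec-file patches above (#739, #731 and #730) only keep a broken build off a host if rpm's version ordering places the fixed build after the broken one, and the epoch prefix is part of that ordering, which is why the Fedora samba pin reads `2:4.6.0-4` while the RHEL one reads `4.6.0-4`. The following is an added example, not FreeIPA code: a Python re-implementation of rpm's rpmvercmp() segment comparison and epoch:version-release ordering that checks an installed inventory against such pins offline. The host inventories and the `.fc26` builds in it are constructed for the example; the pins are the ones visible in the Fedora branch of the diffs.

```python
"""Check spec-file Requires pins the way rpm orders versions.

Added example, not FreeIPA code. Re-implements rpm's rpmvercmp() and
epoch:version-release comparison; '~' (pre-release) is handled, the
'^' separator of newer rpm releases is treated as a plain separator.
"""


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp(); compares one version
    or one release string (not a full EVR), segment by segment."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric or '~') are skipped.
        while i < len(a) and not a[i].isalnum() and a[i] != "~":
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] != "~":
            j += 1
        # '~' sorts before everything, even end of string: 1.0~rc1 < 1.0
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # The next segment of a is all digits or all letters; take the
        # same kind of segment from b.
        isnum = a[i].isdigit()
        kind = str.isdigit if isnum else str.isalpha
        ia = i
        while ia < len(a) and kind(a[ia]):
            ia += 1
        jb = j
        while jb < len(b) and kind(b[jb]):
            jb += 1
        sa, sb = a[i:ia], b[j:jb]
        if not sb:
            # Segment types differ: a numeric segment is newer than alpha.
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ia, jb
    if i >= len(a) and j >= len(b):
        return 0
    # Whichever side still has characters left is newer: 7.fc26 > 7
    return -1 if i >= len(a) else 1


def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release);
    a missing epoch is 0 and a missing release is None."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, sep, release = evr.rpartition("-")
    return (epoch, version, release) if sep else (epoch, evr, None)


def compare_evr(a, b):
    """Order two EVRs as rpm does for dependencies: epoch, then version,
    then release; the release is ignored when either side omits it."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    if rc or ra is None or rb is None:
        return rc
    return rpmvercmp(ra, rb)


_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
        ">=": lambda c: c >= 0, ">": lambda c: c > 0}


def satisfies(installed_evr, pin):
    """True if an installed EVR meets a spec pin such as '>= 1.15.1-7'."""
    op, _, required = pin.strip().partition(" ")
    if op not in _OPS:
        raise ValueError("unsupported operator in pin: %r" % pin)
    return _OPS[op](compare_evr(installed_evr, required.strip()))


# Pins as they appear in the Fedora branch of the patches above.
REQUIRES = {"krb5-devel": ">= 1.15.1-7", "krb5-pkinit-openssl": ">= 1.15.1-7",
            "samba": ">= 2:4.6.0-4", "openldap-clients": "> 2.4.35-4",
            "python-netaddr": ">= 0.7.16"}

# Constructed inventories; the .fc26 builds are invented for this example.
OLD_HOST = {"krb5-devel": "1.15.1-3.fc26", "krb5-pkinit-openssl": "1.15.1-3.fc26",
            "samba": "4.6.0-4.fc26",  # right version, but epoch 0 < 2
            "openldap-clients": "2.4.44-5.fc26", "python-netaddr": "0.7.16-1.fc26"}
NEW_HOST = {**OLD_HOST, "krb5-devel": "1.15.1-7.fc26",
            "krb5-pkinit-openssl": "1.15.1-7.fc26", "samba": "2:4.6.0-4.fc26"}


def unmet(installed, requires=REQUIRES):
    """Names whose installed EVR misses its pin, or that are not installed."""
    return sorted(name for name, pin in requires.items()
                  if name not in installed or not satisfies(installed[name], pin))


if __name__ == "__main__":
    print("old host:", unmet(OLD_HOST))  # ['krb5-devel', 'krb5-pkinit-openssl', 'samba']
    print("new host:", unmet(NEW_HOST))  # []
```

Two details are worth noticing when reading the results: `samba` 4.6.0-4 without the epoch fails a `2:4.6.0-4` pin even though version and release match, and a pin that omits the release (`>= 0.7.16`) accepts any release of that version, so a downstream rebuild with a bumped release still satisfies it.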
[Freeipa-devel] [freeipa PR#688][comment] Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
URL: https://github.com/freeipa/freeipa/pull/688
Title: #688: Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
HonzaCholasta commented:
"""
I guess it should. Could you please file a ticket?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/688#issuecomment-296931927
[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
HonzaCholasta commented:
"""
@martbab, this sounds like a typical instance of a "we will do it later" = "we will do it never" situation. IMO we should remove the superfluous check right away, as that would give us more incentive to actually implement the test.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-296916627
[Freeipa-devel] [freeipa PR#728][opened] ipa-cacert-manage: add --external-ca-type
URL: https://github.com/freeipa/freeipa/pull/728
Author: HonzaCholasta
Title: #728: ipa-cacert-manage: add --external-ca-type
Action: opened
PR body:
"""
**server upgrade: always fix certmonger tracking request**

Fix certmonger tracking requests on every run of ipa-server-upgrade rather than only when the tracking configuration has changed and the requests have not yet been updated. This allows fixing broken tracking requests just by re-running ipa-server-upgrade.

**cainstance: use correct profile for lightweight CA certificates**

Use Dogtag's `caCACert` CA certificate profile rather than the `ipaCACertRenewal` virtual profile for lightweight CA certificates. The `ipaCACertRenewal` virtual profile adds special handling of externally signed CA certificates and LDAP replication of issued certificates on top of `caCACert`, neither of which is relevant for lightweight CA certificates. Remove all of the special casing of lightweight CA certificates from dogtag-ipa-ca-renew-agent-submit. Make sure existing lightweight CA certmonger tracking requests are updated on server upgrade.

**renew agent: allow reusing existing certs**

Add a switch which makes `dogtag-ipa-ca-renew-agent-submit` reuse the existing certificate rather than request a new one from the CA while maintaining LDAP replication of the certificate. Make this available as a new `dogtag-ipa-ca-renew-agent-reuse` certmonger CA. This allows redoing the LDAP replication and reexecuting pre- and post-save commands of a tracking request without reissuing the certificate.

**renew agent: always export CSR on IPA CA certificate renewal**

Make sure a CSR is exported for the IPA CA whenever certmonger detects that the CA certificate is about to expire. This is a pre-requisite for using the `dogtag-ipa-ca-renew-agent-reuse` CA instead of the `ipaCSRExport` virtual profile to export the CSR.
**renew agent: get rid of virtual profiles** Replace all uses of virtual profiles with `dogtag-ipa-ca-renew-agent-reuse` and remove profile from the IPA CA certificate tracking request. This prevents virtual profiles from making their way into CSRs and in turn being rejected by certain CAs. This affected the IPA CA CSR with Microsoft CS in particular. **ipa-cacert-manage: add --external-ca-type** Add the `--external-ca-type`, as known from `ipa-server-install` and `ipa-ca-install`, to `ipa-cacert-manage`. This allows creating IPA CA CSRs suitable for use with Microsoft CS using `ipa-cacert-manage`: ``` ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs ``` https://pagure.io/freeipa/issue/5799 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/728/head:pr728 git checkout pr728 From b7ead617441712d6d7286ac66a2b2feea97f72af Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Mon, 24 Apr 2017 05:24:24 + Subject: [PATCH 1/7] renew agent: respect CA renewal master setting Do not bypass the renewal master check when a non-virtual profile is used in dogtag-ipa-ca-renew-agent-submit. This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master setting for certificates tracked with a real profile. (Note that there currently aren't any such certificates tracked by us.) Request the RA certificate using dogtag-submit rather than dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not available so early in the install process. https://pagure.io/freeipa/issue/5799 --- install/certmonger/dogtag-ipa-ca-renew-agent-submit | 2 +- ipaserver/install/cainstance.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit b/install/certmonger/dogtag-ipa-ca-renew-agent-submit index 7a3d955..f253fd9 100755 --- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit 
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit @@ -535,7 +535,7 @@ def main(): profile = os.environ.get('CERTMONGER_CA_PROFILE') if is_replicated(): -if profile or is_renewal_master(): +if is_renewal_master(): handler = request_and_store_cert else: handler = retrieve_cert_continuous diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 84d60bf..336299c 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -823,7 +823,7 @@ def __request_ra_certificate(self): "-out", chain_file.name, ], stdin=data, capture_output=False) -agent_args = [paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT, +agent_args = [paths.CERTMONGER_DOGTAG_SUBMIT, "--dbdir", self.tmp_agent_db, "--nickname", "ipa-ca-agent", "--cafile", chain_file.name, From 6a64cc75f17ce029b48
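Review bot: with `profile or` removed from the condition in dogtag-ipa-ca-renew-agent-submit, a request tracked with a real profile on a replica that is not the renewal master now takes the `retrieve_cert_continuous` path instead of `request_and_store_cert`; the commit message says no such certificates are currently tracked, but that assumption lives only in the commit message, so add a one-line comment above `if is_renewal_master():` (and ideally a test) recording that the renewal-master check is now authoritative regardless of `CERTMONGER_CA_PROFILE`, which is still read two lines above.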
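Review bot: the cainstance.py hunk swaps `paths.DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT` for `paths.CERTMONGER_DOGTAG_SUBMIT` but does not add that constant, so confirm it is already defined in ipaplatform's paths before this lands; also, the reason for requesting the RA certificate through dogtag-submit (the CA renewal master setting is not available this early in the install) is stated only in the commit message and deserves a short comment at the `agent_args` call site, since the remaining `--dbdir`, `--nickname` and `--cafile` arguments read as if the renew agent were still being invoked.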
[Freeipa-devel] [freeipa PR#722][+ack] Fix server upgrade
URL: https://github.com/freeipa/freeipa/pull/722
Title: #722: Fix server upgrade
Label: +ack
[Freeipa-devel] [freeipa PR#722][closed] Fix server upgrade
URL: https://github.com/freeipa/freeipa/pull/722
Author: stlaz
Title: #722: Fix server upgrade
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/722/head:pr722
git checkout pr722
[Freeipa-devel] [freeipa PR#722][comment] Fix server upgrade
URL: https://github.com/freeipa/freeipa/pull/722
Title: #722: Fix server upgrade
HonzaCholasta commented:
"""
master:
* b38750eaa82025aad56f8eca849f47775b2cbc75 Fix CAInstance.import_ra_cert for empty passwords
ipa-4-5:
* e3f2878909c1f92a0d92ed2a8ce00c96135e1346 Fix CAInstance.import_ra_cert for empty passwords
"""
See the full comment at https://github.com/freeipa/freeipa/pull/722#issuecomment-295669731
[Freeipa-devel] [freeipa PR#722][+pushed] Fix server upgrade
URL: https://github.com/freeipa/freeipa/pull/722
Title: #722: Fix server upgrade
Label: +pushed
[Freeipa-devel] [freeipa PR#723][comment] Store GSSAPI session key in /var/run/httpd
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd
HonzaCholasta commented:
"""
Could we put the mod_auth_gssapi session key in `/var/run/ipa/session.key`? `/var/run/ipa` is where we store IPA-specific stuff, including mod_auth_gssapi ccaches.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/723#issuecomment-295641802
[Freeipa-devel] [freeipa PR#718][comment] configure: fix AC_CHECK_LIB usage
URL: https://github.com/freeipa/freeipa/pull/718
Title: #718: configure: fix AC_CHECK_LIB usage
HonzaCholasta commented:
"""
master:
* 4322b57e313105611df39e99097993ba4161ab42 configure: fix AC_CHECK_LIB usage
ipa-4-5:
* 207864a61a748a9032e67bf0f1782379e44fb5aa configure: fix AC_CHECK_LIB usage
"""
See the full comment at https://github.com/freeipa/freeipa/pull/718#issuecomment-295279306
[Freeipa-devel] [freeipa PR#718][+pushed] configure: fix AC_CHECK_LIB usage
URL: https://github.com/freeipa/freeipa/pull/718
Title: #718: configure: fix AC_CHECK_LIB usage
Label: +pushed
[Freeipa-devel] [freeipa PR#718][closed] configure: fix AC_CHECK_LIB usage
URL: https://github.com/freeipa/freeipa/pull/718
Author: HonzaCholasta
Title: #718: configure: fix AC_CHECK_LIB usage
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/718/head:pr718
git checkout pr718
[Freeipa-devel] [freeipa PR#721][closed] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721
Author: stlaz
Title: #721: Fix RA cert import during DL0 replication
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/721/head:pr721
git checkout pr721
[Freeipa-devel] [freeipa PR#721][comment] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721
Title: #721: Fix RA cert import during DL0 replication
HonzaCholasta commented:
"""
master:
* 6f0a622d83ee22ce712a380d1701cb1f383689e4 Fix RA cert import during DL0 replication
ipa-4-5:
* 3f70baf2a4811e3eee341aee6da99dfa80c092e6 Fix RA cert import during DL0 replication
"""
See the full comment at https://github.com/freeipa/freeipa/pull/721#issuecomment-295253863
[Freeipa-devel] [freeipa PR#721][+pushed] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721
Title: #721: Fix RA cert import during DL0 replication
Label: +pushed
[Freeipa-devel] [freeipa PR#721][+ack] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721
Title: #721: Fix RA cert import during DL0 replication
Label: +ack
[Freeipa-devel] [freeipa PR#719][closed] External CA fixes
URL: https://github.com/freeipa/freeipa/pull/719
Author: stlaz
Title: #719: External CA fixes
Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/719/head:pr719
git checkout pr719
[Freeipa-devel] [freeipa PR#719][+ack] External CA fixes
URL: https://github.com/freeipa/freeipa/pull/719
Title: #719: External CA fixes
Label: +ack
[Freeipa-devel] [freeipa PR#719][comment] External CA fixes
URL: https://github.com/freeipa/freeipa/pull/719
Title: #719: External CA fixes
HonzaCholasta commented:
"""
master:
* 25a33ce8b1c77b0d957772143affd7085757bccb server-install: No double Kerberos install
* 7b8503173b253860c1059bd40858f2fdffb4ae33 ext. CA: correctly write the cert chain
ipa-4-5:
* 2144eaf25ef1148c9353dfb2680f8811fd8c21aa server-install: No double Kerberos install
* a6af0033a4d0af387eebdd6500eb1e74c5c29ce7 ext. CA: correctly write the cert chain
"""
See the full comment at https://github.com/freeipa/freeipa/pull/719#issuecomment-295239924
[Freeipa-devel] [freeipa PR#719][+pushed] External CA fixes
URL: https://github.com/freeipa/freeipa/pull/719
Title: #719: External CA fixes
Label: +pushed
[Freeipa-devel] [freeipa PR#721][comment] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721
Title: #721: Fix RA cert import during DL0 replication
HonzaCholasta commented:
"""
... because you need to apply the same fix to `ReplicaPrepare.export_ra_pkcs12` as well.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/721#issuecomment-295231831
[Freeipa-devel] [freeipa PR#721][comment] Fix RA cert import during DL0 replication
URL: https://github.com/freeipa/freeipa/pull/721
Title: #721: Fix RA cert import during DL0 replication
HonzaCholasta commented:
"""
`ipa-replica-install` fails for me:
```
  [2/2]: importing RA certificate from PKCS #12 file
  [error] CalledProcessError: Command '/usr/bin/openssl pkcs12 -in /tmp/tmpPLwmXjipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin file:/tmp/tmpuzigru' returned non-zero exit status 1
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    Command '/usr/bin/openssl pkcs12 -in /tmp/tmpPLwmXjipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin file:/tmp/tmpuzigru' returned non-zero exit status 1
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
```
`ipareplica-install.log` says:
```
2017-04-19T11:28:53Z DEBUG   [2/2]: importing RA certificate from PKCS #12 file
2017-04-19T11:28:53Z DEBUG Starting external process
2017-04-19T11:28:53Z DEBUG args=/usr/bin/openssl pkcs12 -in /tmp/tmpPLwmXjipa/realm_info/ra.p12 -nocerts -nodes -out /var/lib/ipa/ra-agent.key -passin file:/tmp/tmpuzigru
2017-04-19T11:28:53Z DEBUG Process finished, return code=1
2017-04-19T11:28:53Z DEBUG stdout=
2017-04-19T11:28:53Z DEBUG stderr=Mac verify error: invalid password?
```
"""
See the full comment at https://github.com/freeipa/freeipa/pull/721#issuecomment-295230168
[Freeipa-devel] [freeipa PR#677][closed] cert: defer cert-find result post-processing
URL: https://github.com/freeipa/freeipa/pull/677 Author: HonzaCholasta Title: #677: cert: defer cert-find result post-processing Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/677/head:pr677 git checkout pr677
[Freeipa-devel] [freeipa PR#677][comment] cert: defer cert-find result post-processing
URL: https://github.com/freeipa/freeipa/pull/677 Title: #677: cert: defer cert-find result post-processing HonzaCholasta commented: """ master: * eb6d4c3037d0cc269a7924745f1cbd8f647e6e1a cert: defer cert-find result post-processing ipa-4-5: * 49f9d799c171c7ae2ac546a33a353c2c40b4719c cert: defer cert-find result post-processing """ See the full comment at https://github.com/freeipa/freeipa/pull/677#issuecomment-295228772
[Freeipa-devel] [freeipa PR#677][+pushed] cert: defer cert-find result post-processing
URL: https://github.com/freeipa/freeipa/pull/677 Title: #677: cert: defer cert-find result post-processing Label: +pushed
[Freeipa-devel] [freeipa PR#677][comment] cert: defer cert-find result post-processing
URL: https://github.com/freeipa/freeipa/pull/677 Title: #677: cert: defer cert-find result post-processing HonzaCholasta commented: """ That might require backporting [issue 6564](https://pagure.io/freeipa/issue/6564) as well. """ See the full comment at https://github.com/freeipa/freeipa/pull/677#issuecomment-295226720
[Freeipa-devel] [freeipa PR#718][comment] configure: fix AC_CHECK_LIB usage
URL: https://github.com/freeipa/freeipa/pull/718 Title: #718: configure: fix AC_CHECK_LIB usage HonzaCholasta commented: """ `info autoconf Libraries` says: > If ACTION-IF-FOUND is not > specified, the default action prepends `-lLIBRARY' to `LIBS' and > defines `HAVE_LIBLIBRARY' (in all capitals). It does not explicitly say what constitutes an unspecified value though. """ See the full comment at https://github.com/freeipa/freeipa/pull/718#issuecomment-294825956
[Freeipa-devel] [freeipa PR#718][opened] configure: fix AC_CHECK_LIB usage
URL: https://github.com/freeipa/freeipa/pull/718 Author: HonzaCholasta Title: #718: configure: fix AC_CHECK_LIB usage Action: opened PR body: """ Replace empty string with a single space in the third argument of `AC_CHECK_LIB` (`action-if-found`) where applicable. Empty string in the argument causes `AC_CHECK_LIB` to use the default action when a library is found which includes adding the library to `LIBS`, which specifies libraries to be linked in every binary and library in the project. This fixes libkrad, liblber, libldap_r and libsss_nss_idmap being linked to every binary and library in IPA, even where unused. https://pagure.io/freeipa/issue/6846 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/718/head:pr718 git checkout pr718 From f3fb2b4b918399e31b7d7f2852af6e07c20c59b8 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Wed, 5 Apr 2017 10:24:17 + Subject: [PATCH] configure: fix AC_CHECK_LIB usage Replace empty string with a single space in the third argument of `AC_CHECK_LIB` (`action-if-found`) where applicable. Empty string in the argument causes `AC_CHECK_LIB` to use the default action when a library is found which includes adding the library to `LIBS`, which specifies libraries to be linked in every binary and library in the project. This fixes libkrad, liblber, libldap_r and libsss_nss_idmap being linked to every binary and library in IPA, even where unused. https://pagure.io/freeipa/issue/6846 --- configure.ac | 4 ++-- server.m4| 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac index 87dfd73..c43759c 100644 --- a/configure.ac +++ b/configure.ac 
@@ -86,8 +86,8 @@ dnl --- SAVE_CPPFLAGS=$CPPFLAGS CPPFLAGS="$NSPR_CFLAGS $NSS_CFLAGS" -AC_CHECK_LIB([ldap_r], [ldap_search], [], AC_MSG_ERROR([libldap_r not found])) -AC_CHECK_LIB([lber], [ber_peek_tag], [], AC_MSG_ERROR([liblber not found])) +AC_CHECK_LIB([ldap_r], [ldap_search], [ ], AC_MSG_ERROR([libldap_r not found])) +AC_CHECK_LIB([lber], [ber_peek_tag], [ ], AC_MSG_ERROR([liblber not found])) LDAP_LIBS="-lldap_r -llber" LDAP_CFLAGS="" AC_SUBST(LDAP_LIBS) diff --git a/server.m4 b/server.m4 index 346d73e..aa784e0 100644 --- a/server.m4 +++ b/server.m4 @@ -31,7 +31,7 @@ PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap]) PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.15.2]) AC_CHECK_LIB([sss_nss_idmap], [sss_nss_getlistbycert], - [], + [ ], [AC_MSG_ERROR([Required sss_nss_getlistbycert symbol in sss_nss_idmap not found])], []) @@ -48,7 +48,7 @@ dnl - Check for KRB5 krad dnl --- AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])]) -AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])]) +AC_CHECK_LIB(krad, main, [ ], [AC_MSG_ERROR([libkrad not found])]) KRAD_LIBS="-lkrad" krb5rundir="${localstatedir}/run/krb5kdc" AC_SUBST(KRAD_LIBS) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
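Review bot: the single-space `[ ]` passed as action-if-found to the ldap_r and lber checks in the configure.ac hunk is correct (autoconf only runs the default LIBS-prepending action when the argument is empty, as the `info autoconf` excerpt quoted in this PR says), but it reads like a typo, and a later cleanup that turns `[ ]` back into `[]` would silently reintroduce the over-linking this patch removes. Put a `dnl` comment above the two `AC_CHECK_LIB` lines saying the space is deliberate and that these libraries are linked only through `LDAP_LIBS="-lldap_r -llber"` where they are actually used.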
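Review bot: same remark for the `sss_nss_idmap` hunk in server.m4, where the `[ ]` sits alone on its own line and is even easier to misread as an empty argument; annotate it. The commit message claims libsss_nss_idmap (and the others) no longer end up in every binary and library, but nothing in the patch checks that: add a before/after note to the PR, or a build-time check, showing the NEEDED entries of a binary that does not use the library (for example `readelf -d <binary> | grep NEEDED`), so the claimed reduction in what every process maps at start-up is verified rather than assumed.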
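Review bot: `AC_CHECK_LIB(krad, main, [ ], ...)` in the krad hunk still probes for `main`, which only proves that `-lkrad` can be linked at all, not that the library exports anything the project calls; while touching this line, test for a real libkrad entry point, as the sss_nss_idmap check earlier in the same file does with `sss_nss_getlistbycert`. The `[ ]` change itself is right, and `KRAD_LIBS="-lkrad"` on the following line remains the only place the library is added.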
[Freeipa-devel] [freeipa PR#677][synchronized] cert: defer cert-find result post-processing
URL: https://github.com/freeipa/freeipa/pull/677 Author: HonzaCholasta Title: #677: cert: defer cert-find result post-processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/677/head:pr677 git checkout pr677 From 0021d0625fa33b8e27ee68ec8c5de1c62a22e604 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Thu, 30 Mar 2017 08:33:30 + Subject: [PATCH] cert: defer cert-find result post-processing Rather than post-processing the results of each internal search, post-process the combined result. This avoids expensive per-certificate searches when cert-find is executed with the --all option on certificates which won't even be included in the combined result. https://pagure.io/freeipa/issue/6808 --- ipaserver/plugins/cert.py | 93 +++-- ipaserver/plugins/dogtag.py | 10 + 2 files changed, 66 insertions(+), 37 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 5590913..1a425de 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -250,6 +250,11 @@ def normalize_pkidate(value): return datetime.datetime.strptime(value, PKIDATE_FORMAT) +def convert_pkidatetime(value): +value = datetime.datetime.fromtimestamp(int(value) // 1000) +return x509.format_datetime(value) + + def validate_csr(ugettext, csr): """ Ensure the CSR is base64-encoded and can be decoded by our PKCS#10 @@ -1384,18 +1389,7 @@ def _get_cert_key(self, cert): return (DN(cert_obj.issuer), cert_obj.serial_number) -def _get_cert_obj(self, cert, all, raw, pkey_only): -obj = {'certificate': base64.b64encode(cert).decode('ascii')} - -full = not pkey_only and all -if not raw: -self.obj._parse(obj, full) -if not full: -del obj['certificate'] - -return obj - -def _cert_search(self, all, raw, pkey_only, **options): +def _cert_search(self, pkey_only, **options): result = collections.OrderedDict() try: 
@@ -1404,15 +1398,19 @@ def _cert_search(self, all, raw, pkey_only, **options): return result, False, False try: -key = self._get_cert_key(cert) +issuer, serial_number = self._get_cert_key(cert) except ValueError: return result, True, True -result[key] = self._get_cert_obj(cert, all, raw, pkey_only) +obj = {'serial_number': serial_number} +if not pkey_only: +obj['certificate'] = base64.b64encode(cert).decode('ascii') + +result[issuer, serial_number] = obj return result, False, True -def _ca_search(self, all, raw, pkey_only, exactly, **options): +def _ca_search(self, raw, pkey_only, exactly, **options): ra_options = {} for name in ('revocation_reason', 'issuer', @@ -1445,7 +1443,6 @@ def _ca_search(self, all, raw, pkey_only, exactly, **options): return result, False, complete ca_objs = self.api.Command.ca_find( -all=all, timelimit=0, sizelimit=0, )['result'] @@ -1465,24 +1462,16 @@ def _ca_search(self, all, raw, pkey_only, exactly, **options): obj = {'serial_number': serial_number} else: obj = ra_obj -if all: -obj.update(ra.get_certificate(str(serial_number))) if not raw: obj['issuer'] = issuer obj['subject'] = DN(ra_obj['subject']) +obj['valid_not_before'] = ( +convert_pkidatetime(obj['valid_not_before'])) +obj['valid_not_after'] = ( +convert_pkidatetime(obj['valid_not_after'])) obj['revoked'] = ( ra_obj['status'] in (u'REVOKED', u'REVOKED_EXPIRED')) -if all: -obj['certificate'] = ( -obj['certificate'].replace('\r\n', '')) -self.obj._parse(obj) - -if 'certificate_chain' in ca_obj: -cert = x509.load_certificate(obj['certificate']) -cert_der = cert.public_bytes(serialization.Encoding.DER) -obj['certificate_chain'] = ( -[cert_der] + ca_obj['certificate_chain']) obj['cacn'] = ca_obj['cn'][0] 
@@ -1490,7 +1479,7 @@ def _ca_search(self, all, raw, pkey_only, exactly, **options): return result, False, complete -def _ldap_search(self, all, raw, pkey_only, no_members, **options): +def _ldap_search(self, all, pkey_only, no_members, **options): ldap = self.api.Backend.ldap2 filters = [] @@ -1549,26 +1538,25 @@ def _ldap_search(self
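Review bot: `convert_pkidatetime` uses `datetime.datetime.fromtimestamp(int(value) // 1000)`, which interprets the epoch-milliseconds value in the server's local time zone, so on a server not running in UTC the `valid_not_before` and `valid_not_after` values written in `_ca_search` below are shifted by the local UTC offset relative to what the certificate itself encodes. Use `datetime.datetime.utcfromtimestamp(int(value) // 1000)` (or build an aware UTC datetime) so the output is identical on every server, and state in a comment that the input is milliseconds since the epoch as returned by the CA.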
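Review bot: `_cert_search` drops its `all` and `raw` parameters and `_ca_search` drops `all`, so any caller still passing those keywords fails with TypeError; the hunk that updates the call sites (the `_ldap_search` hunk and the code that merges the three searches) is cut off in this mail, so please confirm every caller was changed and that `cert-find --all` and `cert-find --raw` runs are part of the test for issue 6808. Also, `_cert_search` now always returns the base64 `certificate` unless `pkey_only`, whereas the removed `_get_cert_obj` deleted it with `del obj['certificate']` for the non-`all` case; the deferred post-processing must do that removal, or the non-`all` output grows.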
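Review bot: in the `_ca_search` hunk the new `convert_pkidatetime(obj['valid_not_before'])` and `convert_pkidatetime(obj['valid_not_after'])` lines are inside `if not raw:`; indentation is lost in this mail, so confirm in the file that this block is under the `else:` branch where `obj = ra_obj`, because in the `pkey_only` branch `obj` is only `{'serial_number': serial_number}` and indexing `valid_not_before` on it raises KeyError. A `cert-find --pkey-only` run against the CA would catch that.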
[Freeipa-devel] [freeipa PR#697][comment] Create system users for FreeIPA services during package installation
URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation HonzaCholasta commented: """ Ah, right, rpmdiff complained about that. Well, that was 2 years ago, and if it works for sssd it must also work for us, so I guess we should ignore rpmdiff. """ See the full comment at https://github.com/freeipa/freeipa/pull/697#issuecomment-292467153
[Freeipa-devel] [freeipa PR#698][opened] install: request service certs after host keytab is set up
URL: https://github.com/freeipa/freeipa/pull/698 Author: HonzaCholasta Title: #698: install: request service certs after host keytab is set up Action: opened PR body: """ **dsinstance: reconnect ldap2 after DS is restarted by certmonger** DS is restarted by certmonger in the restart_dirsrv script after the DS certificate is saved. This breaks the ldap2 backend and makes any operation fail with NetworkError until it is reconnected. Reconnect ldap2 after the DS certificate request is finished to fix the issue. Make sure restart_dirsrv waits for the ldapi socket so that the reconnect does not fail. **httpinstance: avoid httpd restart during certificate request** httpd is restarted by certmonger in the restart_httpd script after the httpd certificate is saved if it was previously running. The restart will fail because httpd is not properly configured at this point. Stop httpd at the beginning of httpd install to avoid the restart. **dsinstance, httpinstance: consolidate certificate request code** A different code path is used for DS and httpd certificate requests in replica promotion. This is rather unnecessary and makes the certificate request code not easy to follow. Consolidate the non-promotion and promotion code paths into one. **install: request service certs after host keytab is set up** The certmonger renew agent and restart scripts use host keytab for authentication. When they are executed during a certmonger request before the host keytab is set up, the authentication will fail. Make sure all certmonger requests in the installer are done after the host keytab is set up. **renew agent: revert to host keytab authentication** Fixes an issue where the renew agent uses GSSAPI for LDAP connection but fails because it is not authenticated. This reverts commit 7462adec13c5b25b6868d2863dc38062c97d0ff7. **renew agent, restart scripts: connect to LDAP after kinit** Connect to LDAP after kinit is done, otherwise GSSAPI authentication will fail. 
https://pagure.io/freeipa/issue/6757 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/698/head:pr698 git checkout pr698 From a177247344479e1e5636df5f27875d2c5b76fa5e Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Fri, 7 Apr 2017 07:40:19 +0200 Subject: [PATCH 1/6] dsinstance: reconnect ldap2 after DS is restarted by certmonger DS is restarted by certmonger in the restart_dirsrv script after the DS certificate is saved. This breaks the ldap2 backend and makes any operation fail with NetworkError until it is reconnected. Reconnect ldap2 after the DS certificate request is finished to fix the issue. Make sure restart_dirsrv waits for the ldapi socket so that the reconnect does not fail. https://pagure.io/freeipa/issue/6757 --- install/restart_scripts/restart_dirsrv | 2 +- ipaserver/install/dsinstance.py| 4 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/install/restart_scripts/restart_dirsrv b/install/restart_scripts/restart_dirsrv index b4c9490..ff476ca 100644 --- a/install/restart_scripts/restart_dirsrv +++ b/install/restart_scripts/restart_dirsrv @@ -41,7 +41,7 @@ def _main(): try: if services.knownservices.dirsrv.is_running(): -services.knownservices.dirsrv.restart(instance) +services.knownservices.dirsrv.restart(instance, ldapi=True) except Exception as e: syslog.syslog(syslog.LOG_ERR, "Cannot restart dirsrv (instance: '%s'): %s" % (instance, str(e))) diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py index 79dc90e..fb5f925 100644 --- a/ipaserver/install/dsinstance.py +++ b/ipaserver/install/dsinstance.py @@ -837,6 +837,10 @@ def __enable_ssl(self): finally: certmonger.modify_ca_helper('IPA', prev_helper) +# restart_dirsrv in the request above restarts DS, reconnect ldap2 +api.Backend.ldap2.disconnect() +api.Backend.ldap2.connect() + self.dercert = dsdb.get_cert_from_db(self.nickname, pem=False) dsdb.create_pin_file() 
From 1477aff4e733b52f305e466e71e11a2f5730892b Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Fri, 7 Apr 2017 07:40:41 +0200 Subject: [PATCH 2/6] httpinstance: avoid httpd restart during certificate request httpd is restarted by certmonger in the restart_httpd script after the httpd certificate is saved if it was previously running. The restart will fail because httpd is not properly configured at this point. Stop httpd at the beginning of httpd install to avoid the restart. https://pagure.io/freeipa/issue/6757 --- ipaserver/install/httpinstance.py | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 079ea92..d7cd776 100644 --- a/ipaserver/install/htt
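Review bot: `services.knownservices.dirsrv.restart(instance, ldapi=True)` in the restart_dirsrv hunk makes the helper wait for the LDAPI socket, which the reconnect in dsinstance.py depends on, but the surrounding `except Exception` only writes to syslog and the helper then finishes normally; a timeout waiting for the socket, or a platform `restart()` that does not accept the `ldapi` keyword (TypeError here), therefore leaves certmonger believing the restart succeeded and the installer failing later with NetworkError on `ldap2.connect()`. Exit non-zero on that path so the certmonger request reports the failure where it happens.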
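Review bot: the `api.Backend.ldap2.disconnect()` / `api.Backend.ldap2.connect()` pair added to `__enable_ssl` runs unconditionally after the `finally:` that restores the CA helper, whereas restart_dirsrv only restarts DS `if services.knownservices.dirsrv.is_running()`; reconnecting when nothing was restarted is harmless, but say so in the comment. More importantly, this series exists because certmonger helpers run before the host keytab is set up, so make sure `connect()` here binds over LDAPI with the same bind arguments the installer used for its original connection and does not fall back to GSSAPI, or the reconnect fails for the same reason patch 4/6 describes.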
[Freeipa-devel] [freeipa PR#697][comment] Create system users for FreeIPA services during package installation
URL: https://github.com/freeipa/freeipa/pull/697 Title: #697: Create system users for FreeIPA services during package installation HonzaCholasta commented: """ Note that systemd-sysusers is not available in RHEL and CentOS. It might be better to use the sssd approach: https://github.com/SSSD/sssd/blob/master/contrib/sssd.spec.in#L1228. """ See the full comment at https://github.com/freeipa/freeipa/pull/697#issuecomment-292462863
[Freeipa-devel] [freeipa PR#677][synchronized] cert: defer cert-find result post-processing
URL: https://github.com/freeipa/freeipa/pull/677 Author: HonzaCholasta Title: #677: cert: defer cert-find result post-processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/677/head:pr677 git checkout pr677 From 2a3a05a076590b7d668d7c56a52d23529029cc19 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Thu, 30 Mar 2017 08:33:30 + Subject: [PATCH] cert: defer cert-find result post-processing Rather than post-processing the results of each internal search, post-process the combined result. This avoids expensive per-certificate searches on certificates which won't even be included in the combined result when cert-find is executed with the --all option. https://pagure.io/freeipa/issue/6808 --- ipaserver/plugins/cert.py | 93 +++-- ipaserver/plugins/dogtag.py | 10 + 2 files changed, 66 insertions(+), 37 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 5590913..1a425de 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -250,6 +250,11 @@ def normalize_pkidate(value): return datetime.datetime.strptime(value, PKIDATE_FORMAT) +def convert_pkidatetime(value): +value = datetime.datetime.fromtimestamp(int(value) // 1000) +return x509.format_datetime(value) + + def validate_csr(ugettext, csr): """ Ensure the CSR is base64-encoded and can be decoded by our PKCS#10 @@ -1384,18 +1389,7 @@ def _get_cert_key(self, cert): return (DN(cert_obj.issuer), cert_obj.serial_number) -def _get_cert_obj(self, cert, all, raw, pkey_only): -obj = {'certificate': base64.b64encode(cert).decode('ascii')} - -full = not pkey_only and all -if not raw: -self.obj._parse(obj, full) -if not full: -del obj['certificate'] - -return obj - -def _cert_search(self, all, raw, pkey_only, **options): +def _cert_search(self, pkey_only, **options): result = collections.OrderedDict() try: 
@@ -1404,15 +1398,19 @@ def _cert_search(self, all, raw, pkey_only, **options): return result, False, False try: -key = self._get_cert_key(cert) +issuer, serial_number = self._get_cert_key(cert) except ValueError: return result, True, True -result[key] = self._get_cert_obj(cert, all, raw, pkey_only) +obj = {'serial_number': serial_number} +if not pkey_only: +obj['certificate'] = base64.b64encode(cert).decode('ascii') + +result[issuer, serial_number] = obj return result, False, True -def _ca_search(self, all, raw, pkey_only, exactly, **options): +def _ca_search(self, raw, pkey_only, exactly, **options): ra_options = {} for name in ('revocation_reason', 'issuer', @@ -1445,7 +1443,6 @@ def _ca_search(self, all, raw, pkey_only, exactly, **options): return result, False, complete ca_objs = self.api.Command.ca_find( -all=all, timelimit=0, sizelimit=0, )['result'] @@ -1465,24 +1462,16 @@ def _ca_search(self, all, raw, pkey_only, exactly, **options): obj = {'serial_number': serial_number} else: obj = ra_obj -if all: -obj.update(ra.get_certificate(str(serial_number))) if not raw: obj['issuer'] = issuer obj['subject'] = DN(ra_obj['subject']) +obj['valid_not_before'] = ( +convert_pkidatetime(obj['valid_not_before'])) +obj['valid_not_after'] = ( +convert_pkidatetime(obj['valid_not_after'])) obj['revoked'] = ( ra_obj['status'] in (u'REVOKED', u'REVOKED_EXPIRED')) -if all: -obj['certificate'] = ( -obj['certificate'].replace('\r\n', '')) -self.obj._parse(obj) - -if 'certificate_chain' in ca_obj: -cert = x509.load_certificate(obj['certificate']) -cert_der = cert.public_bytes(serialization.Encoding.DER) -obj['certificate_chain'] = ( -[cert_der] + ca_obj['certificate_chain']) obj['cacn'] = ca_obj['cn'][0] 
@@ -1490,7 +1479,7 @@ def _ca_search(self, all, raw, pkey_only, exactly, **options): return result, False, complete -def _ldap_search(self, all, raw, pkey_only, no_members, **options): +def _ldap_search(self, all, pkey_only, no_members, **options): ldap = self.api.Backend.ldap2 filters = [] @@ -1549,26 +1538,25 @@ def _ldap_search(self
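Review bot: this push removes the `certificate_chain` assembly (`[cert_der] + ca_obj['certificate_chain']`, with the `public_bytes(serialization.Encoding.DER)` conversion) and the `all=all` argument to `ca_find` from `_ca_search`, so the CA objects fetched here no longer carry the chain; wherever the chain is attached in the combined post-processing (beyond the truncated part of this mail) it must be computed only for certificates that survive the merge, which is the point of the commit message, and it must reproduce the same DER leaf-plus-chain list, otherwise cert-find output that includes the chain changes format. A test comparing cert-find chain output before and after would make that visible.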
[Freeipa-devel] [freeipa PR#672][comment] IPA-KDB: use relative path in ipa-certmap config snippet
URL: https://github.com/freeipa/freeipa/pull/672 Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet HonzaCholasta commented: """ master: * 6c2772dde52c84024d32533b29e6cbd04c69924a IPA-KDB: use relative path in ipa-certmap config snippet ipa-4-5: * fa46a01c37021e7b2b57fd3092383100e39792fb IPA-KDB: use relative path in ipa-certmap config snippet """ See the full comment at https://github.com/freeipa/freeipa/pull/672#issuecomment-291778291
[Freeipa-devel] [freeipa PR#672][closed] IPA-KDB: use relative path in ipa-certmap config snippet
URL: https://github.com/freeipa/freeipa/pull/672 Author: sumit-bose Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/672/head:pr672 git checkout pr672
[Freeipa-devel] [freeipa PR#672][+pushed] IPA-KDB: use relative path in ipa-certmap config snippet
URL: https://github.com/freeipa/freeipa/pull/672 Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet Label: +pushed
[Freeipa-devel] [freeipa PR#672][+ack] IPA-KDB: use relative path in ipa-certmap config snippet
URL: https://github.com/freeipa/freeipa/pull/672 Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet Label: +ack
[Freeipa-devel] [freeipa PR#684][comment] httpinstance: make sure NSS database is backed up
URL: https://github.com/freeipa/freeipa/pull/684 Title: #684: httpinstance: make sure NSS database is backed up HonzaCholasta commented: """ master: * 5f5a3b29dba7cc736ba334aefb55484baeefeb76 httpinstance: make sure NSS database is backed up ipa-4-5: * 471dfcbe1cc3f319da788add3661cb6d63e3c0f0 httpinstance: make sure NSS database is backed up """ See the full comment at https://github.com/freeipa/freeipa/pull/684#issuecomment-291428766
[Freeipa-devel] [freeipa PR#684][+pushed] httpinstance: make sure NSS database is backed up
URL: https://github.com/freeipa/freeipa/pull/684 Title: #684: httpinstance: make sure NSS database is backed up Label: +pushed
[Freeipa-devel] [freeipa PR#684][closed] httpinstance: make sure NSS database is backed up
URL: https://github.com/freeipa/freeipa/pull/684 Author: HonzaCholasta Title: #684: httpinstance: make sure NSS database is backed up Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/684/head:pr684 git checkout pr684
[Freeipa-devel] [freeipa PR#685][closed] [4.5] Caless fix
URL: https://github.com/freeipa/freeipa/pull/685 Author: stlaz Title: #685: [4.5] Caless fix Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/685/head:pr685 git checkout pr685
[Freeipa-devel] [freeipa PR#685][+pushed] [4.5] Caless fix
URL: https://github.com/freeipa/freeipa/pull/685 Title: #685: [4.5] Caless fix Label: +pushed
[Freeipa-devel] [freeipa PR#685][comment] [4.5] Caless fix
URL: https://github.com/freeipa/freeipa/pull/685 Title: #685: [4.5] Caless fix HonzaCholasta commented: """ ipa-4-5: * ebf24e783604952e59e557b5537c6d0de6146ce4 Get correct CA cert nickname in CA-less * 99389748beb0158811505efa606c27e1e2e0bc7b Remove publish_ca_cert() method from NSSDatabase """ See the full comment at https://github.com/freeipa/freeipa/pull/685#issuecomment-291137263
[Freeipa-devel] [freeipa PR#650][comment] CA-less installation fix
URL: https://github.com/freeipa/freeipa/pull/650 Title: #650: CA-less installation fix HonzaCholasta commented: """ master: * 8c87014e199b3dbe885c69d40a01d2723f813c3e Get correct CA cert nickname in CA-less * aae9a918b68dc4f9a7b4fb9abf1bb4d26673109d Remove publish_ca_cert() method from NSSDatabase """ See the full comment at https://github.com/freeipa/freeipa/pull/650#issuecomment-291137152
[Freeipa-devel] [freeipa PR#650][closed] CA-less installation fix
URL: https://github.com/freeipa/freeipa/pull/650 Author: stlaz Title: #650: CA-less installation fix Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/650/head:pr650 git checkout pr650
[Freeipa-devel] [freeipa PR#650][+pushed] CA-less installation fix
URL: https://github.com/freeipa/freeipa/pull/650 Title: #650: CA-less installation fix Label: +pushed
[Freeipa-devel] [freeipa PR#685][+ack] [4.5] Caless fix
URL: https://github.com/freeipa/freeipa/pull/685 Title: #685: [4.5] Caless fix Label: +ack
[Freeipa-devel] [freeipa PR#683][comment] certdb: fix `AttributeError` in `verify_ca_cert_validity`
URL: https://github.com/freeipa/freeipa/pull/683 Title: #683: certdb: fix `AttributeError` in `verify_ca_cert_validity` HonzaCholasta commented: """ master: * 720034f1b440135671d03596368ed5e9e5a0f3c3 certdb: fix `AttributeError` in `verify_ca_cert_validity` """ See the full comment at https://github.com/freeipa/freeipa/pull/683#issuecomment-291131212
[Freeipa-devel] [freeipa PR#683][closed] certdb: fix `AttributeError` in `verify_ca_cert_validity`
URL: https://github.com/freeipa/freeipa/pull/683 Author: HonzaCholasta Title: #683: certdb: fix `AttributeError` in `verify_ca_cert_validity` Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/683/head:pr683 git checkout pr683
[Freeipa-devel] [freeipa PR#683][+pushed] certdb: fix `AttributeError` in `verify_ca_cert_validity`
URL: https://github.com/freeipa/freeipa/pull/683 Title: #683: certdb: fix `AttributeError` in `verify_ca_cert_validity` Label: +pushed
[Freeipa-devel] [freeipa PR#650][comment] CA-less installation fix
URL: https://github.com/freeipa/freeipa/pull/650 Title: #650: CA-less installation fix HonzaCholasta commented: """ @stlaz, please also provide a version of this PR rebased on ipa-4-5. """ See the full comment at https://github.com/freeipa/freeipa/pull/650#issuecomment-291122587
[Freeipa-devel] [freeipa PR#650][+ack] CA-less installation fix
URL: https://github.com/freeipa/freeipa/pull/650 Title: #650: CA-less installation fix Label: +ack
[Freeipa-devel] [freeipa PR#684][opened] httpinstance: make sure NSS database is backed up
URL: https://github.com/freeipa/freeipa/pull/684 Author: HonzaCholasta Title: #684: httpinstance: make sure NSS database is backed up Action: opened PR body: """ The NSS database at /etc/httpd/alias is not properly initialized and backed up in CA-less replica promotion. This might cause the install to fail after previous install and uninstall. Make sure the NSS database is initialized and backed up even in CA-less replica promotion to fix the issue. https://pagure.io/freeipa/issue/4639 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/684/head:pr684 git checkout pr684 From 29f4c9c290c814f12cf075b51f984ddb02d1199d Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Mon, 3 Apr 2017 10:49:26 + Subject: [PATCH] httpinstance: make sure NSS database is backed up The NSS database at /etc/httpd/alias is not properly initialized and backed up in CA-less replica promotion. This might cause the install to fail after previous install and uninstall. Make sure the NSS database is initialized and backed up even in CA-less replica promotion to fix the issue. https://pagure.io/freeipa/issue/4639 --- ipaserver/install/httpinstance.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 01b55e7..79cd218 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py 
@@ -373,10 +373,11 @@ def disable_system_trust(self): return False def __setup_ssl(self): +truncate = not self.promote or not self.ca_is_configured db = certs.CertDB(self.realm, nssdir=paths.HTTPD_ALIAS_DIR, subject_base=self.subject_base, user="root", group=constants.HTTPD_GROUP, - truncate=(not self.promote)) + truncate=truncate) self.disable_system_trust() if self.pkcs12_info: if self.ca_is_configured: -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
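Review bot: `truncate = not self.promote or not self.ca_is_configured` now empties the database at paths.HTTPD_ALIAS_DIR on CA-less promotion as well; that is consistent with the `if self.pkcs12_info:` branch right below, where the CA-less httpd certificate is imported from the PKCS#12 file rather than taken from whatever the database already holds, but the reasoning lives only in the commit message. Put a short comment above the assignment explaining why promotion with a CA keeps the existing database while CA-less promotion must start from an empty one (a stale database left by a previous install is exactly what issue 4639 describes), and add an install, uninstall, reinstall CA-less replica test, since nothing in the patch exercises that path.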
[Freeipa-devel] [freeipa PR#650][-ack] CA-less installation fix
URL: https://github.com/freeipa/freeipa/pull/650 Title: #650: CA-less installation fix Label: -ack
[Freeipa-devel] [freeipa PR#650][+ack] CA-less installation fix
URL: https://github.com/freeipa/freeipa/pull/650 Title: #650: CA-less installation fix Label: +ack
[Freeipa-devel] [freeipa PR#650][comment] CA-less installation fix
URL: https://github.com/freeipa/freeipa/pull/650 Title: #650: CA-less installation fix HonzaCholasta commented: """ I found additional bugs in CA-less (replica) install, but with this PR, `publish_ca_cert` does not fail anymore. """ See the full comment at https://github.com/freeipa/freeipa/pull/650#issuecomment-291102436
[Freeipa-devel] [freeipa PR#650][comment] CA-less installation fix
URL: https://github.com/freeipa/freeipa/pull/650 Title: #650: CA-less installation fix HonzaCholasta commented: """ @stlaz, please rebase. """ See the full comment at https://github.com/freeipa/freeipa/pull/650#issuecomment-291080182
[Freeipa-devel] [freeipa PR#542][+pushed] Implementation independent interface for CSR generation
URL: https://github.com/freeipa/freeipa/pull/542 Title: #542: Implementation independent interface for CSR generation Label: +pushed
[Freeipa-devel] [freeipa PR#542][closed] Implementation independent interface for CSR generation
URL: https://github.com/freeipa/freeipa/pull/542 Author: LiptonB Title: #542: Implementation independent interface for CSR generation Action: closed To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/542/head:pr542 git checkout pr542
[Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation
URL: https://github.com/freeipa/freeipa/pull/542 Title: #542: Implementation independent interface for CSR generation HonzaCholasta commented: """ master: * 5420e9cfbe7803808b6e26d2dae64f2a6a50149a csrgen: Remove helper abstraction * 136c6c3e2a4f77a27f435efd4a1cd95c9e089314 csrgen: Change to pure openssl config format (no script) * e7588ab2dc73e7f66ebc6cdcfb99470540e37731 csrgen: Modify cert_get_requestdata to return a CertificationRequestInfo * a53e17830c3d4fd59a62248d4447491675c6a80e csrgen: Beginnings of NSS database support """ See the full comment at https://github.com/freeipa/freeipa/pull/542#issuecomment-291071297
[Freeipa-devel] [freeipa PR#542][+ack] Implementation independent interface for CSR generation
URL: https://github.com/freeipa/freeipa/pull/542 Title: #542: Implementation independent interface for CSR generation Label: +ack
[Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation
URL: https://github.com/freeipa/freeipa/pull/542 Title: #542: Implementation independent interface for CSR generation HonzaCholasta commented: """ @LiptonB, superb, thank you! Have you made any progress with NSS support? If not, I can add it in a subsequent PR, if you agree. """ See the full comment at https://github.com/freeipa/freeipa/pull/542#issuecomment-291070970
[Freeipa-devel] [freeipa PR#621][+ack] Add --password-expiration to allow an admin to force a password change
URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --password-expiration to allow an admin to force a password change Label: +ack
[Freeipa-devel] [freeipa PR#397][comment] Improve wheel building and provide ipaserver wheel for local testing
URL: https://github.com/freeipa/freeipa/pull/397 Title: #397: Improve wheel building and provide ipaserver wheel for local testing HonzaCholasta commented: """ LGTM. """ See the full comment at https://github.com/freeipa/freeipa/pull/397#issuecomment-290632228
[Freeipa-devel] [freeipa PR#490][comment] certdb: use certutil and match_hostname for cert verification
URL: https://github.com/freeipa/freeipa/pull/490 Title: #490: certdb: use certutil and match_hostname for cert verification HonzaCholasta commented: """ Awesome indeed! As for your suggestions to improve the validation, I completely agree with them, but the focus of this PR is to refactor the current validation not to use python-nss, which it delivers. Could you please file a ticket for the improvements, so that it gets more visibility and can be properly tracked? """ See the full comment at https://github.com/freeipa/freeipa/pull/490#issuecomment-290390283