Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-07-11 Thread Tomas Babej
[snip]

  The patch now fixes the issue.
 
   
 
  However, we need to bump the dependency in the specfile since now we require
 
  version 1.3.1.1.
 
   
 
  Tomas
 
 
 Thanks, updated patch is attached.
 

I tested the patch both with clean install and upgrade.

ACK

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-07-11 Thread Alexander Bokovoy

On Thu, 11 Jul 2013, Tomas Babej wrote:

[snip]


 The patch now fixes the issue.



 However, we need to bump the dependency in the specfile since now we require

 version 1.3.1.1.



 Tomas


Thanks, updated patch is attached.



I tested the patch both with clean install and upgrade.

ACK

The patch does not apply to ipa-3-2; it needs rebasing.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-07-11 Thread Ana Krivokapic
On 07/11/2013 12:34 PM, Alexander Bokovoy wrote:
 On Thu, 11 Jul 2013, Tomas Babej wrote:
 [snip]

  The patch now fixes the issue.
 
 
 
  However, we need to bump the dependency in the specfile since now we 
  require
 
  version 1.3.1.1.
 
 
 
  Tomas
 

 Thanks, updated patch is attached.


 I tested the patch both with clean install and upgrade.

 ACK
 The patch does not apply to ipa-3-2, it needs rebasing.


Rebased patch attached.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 44cd5e2db5d9441fdd779564c8aea543b7d910ac Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Thu, 11 Jul 2013 12:50:01 +0200
Subject: [PATCH] Make sure replication works after DM password is changed

The replica information file contains the file `cacert.p12`, which is protected by
the Directory Manager password of the initial IPA server installation. The DM
password of the initial installation is also used for the PKI admin user
password.

If the DM password is changed after the IPA server installation, replication
fails.

To prevent this failure, add the following steps to ipa-replica-prepare:
1. Regenerate the `cacert.p12` file and protect it with the current DM password
2. Update the password of the PKI admin user with the current DM password

https://fedorahosted.org/freeipa/ticket/3594
---
 freeipa.spec.in  |  9 +---
 ipaserver/install/ipa_replica_prepare.py | 36 
 2 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1f9242ea8b8f41233473db74fd8dac16ae075abd..11365bebebc555fcb4d4c3fc1ec0f60707384fe3 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -17,7 +17,7 @@ Source0:freeipa-%{version}.tar.gz
 BuildRoot:  %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel = 1.3.1.1
+BuildRequires:  389-ds-base-devel = 1.3.1.3
 BuildRequires:  svrcore-devel
 BuildRequires:  /usr/share/selinux/devel/Makefile
 BuildRequires:  policycoreutils = %{POLICYCOREUTILSVER}
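Review bot: the BuildRequires floor on 389-ds-base-devel is raised to 1.3.1.3 for what the changelog calls a user password change fix, which is runtime behaviour of ns-slapd (the "Constraint violation: Failed to update password" this thread hit against 389-ds-base-1.3.1.2), not anything the headers or the build need; raising the build-time floor together with the runtime one only makes the package unbuildable on a host that still has 1.3.1.1-devel installed. Either keep `BuildRequires: 389-ds-base-devel >= 1.3.1.1` and bump only the Requires lines, or say in the changelog why the build-time floor moves as well.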
@@ -91,7 +91,7 @@ Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-server-selinux = %{version}-%{release}
-Requires: 389-ds-base = 1.3.1.1
+Requires: 389-ds-base = 1.3.1.3
 Requires: openldap-clients  2.4.35-4
 %if 0%{?fedora} == 18
 Requires: nss = 3.14.3-2
@@ -147,7 +147,7 @@ Requires: zip
 Requires: policycoreutils = %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger = 0.65
-Requires(pre): 389-ds-base = 1.3.0.5
+Requires(pre): 389-ds-base = 1.3.1.3
 
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
@@ -844,6 +844,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Wed Jul 10 2013 Ana Krivokapic akriv...@redhat.com - 3.2.99-4
+- Bump minimum version of 389-ds-base to 1.3.1.3 for user password change fix.
+
 * Wed Jun 26 2013 Jan Cholasta jchol...@redhat.com - 3.2.1-1
 - Bump minimum version of 389-ds-base to 1.3.1.1 for SASL mapping priority
   support.
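Review bot: the changelog line "Bump minimum version of 389-ds-base to 1.3.1.3 for user password change fix" does not say which fix; the thread traces the 1.3.1.2 regression to https://fedorahosted.org/389/ticket/47406, so cite it, e.g. "- Bump minimum version of 389-ds-base to 1.3.1.3 for the password change fix (389 ticket 47406) needed by ipa-replica-prepare." The entry also carries 3.2.99-4 above a 3.2.1-1 entry, which is right for master but not for the ipa-3-2 rebase Alexander asked for, so the ipa-3-2 version of this patch needs its own changelog entry and version.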
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index f6af28e3a550387050ead412b61c8fb58a8b7fe5..a92e9a91608b3deb1e54c6dba4642a424f1a 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -274,6 +274,11 @@ def copy_ds_certificate(self):
 self.copy_info_file(options.dirsrv_pkcs12, dscert.p12)
 else:
 if ipautil.file_exists(options.ca_file):
+# Since it is possible that the Directory Manager password
+# has changed since ipa-server-install, we need to regenerate
+# the CA PKCS#12 file and update the pki admin user password
+self.regenerate_ca_file(options.ca_file)
+self.update_pki_admin_password()
 self.copy_info_file(options.ca_file, cacert.p12)
 else:
 raise admintool.ScriptError(Root CA PKCS#12 not 
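Review bot: both new calls run unconditionally on every ipa-replica-prepare invocation that finds options.ca_file, so each run rewrites the existing PKCS#12 in place (PKCS12Export -o /root/cacert.p12 in the debug output earlier in this thread) and resets the CA admin password even when the Directory Manager password never changed; if PKCS12Export fails part-way, the previously valid cacert.p12 may already be overwritten, so export to a temporary path beside ca_file and rename over it only on success. The comment also promises handling of a changed DM password, but nothing here maps the failure actually hit in testing (errors.DatabaseError "Constraint violation: Failed to update password" raised from update_pki_admin_password) to an admintool.ScriptError telling the admin what is wrong; with the spec bump that should be rare, but anyone running from a source checkout still gets the raw traceback.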
@@ -505,3 +510,34 @@ def export_ra_pkcs12(self):
 db.export_pkcs12(pkcs12_fname, agent_name, ipaCert)
 finally:
 os.remove(agent_name)
+
+def update_pki_admin_password(self):
+ldap = ldap2(shared_instance=False)
+ldap.connect(
+bind_dn=DN(('cn', 'directory manager')),
+bind_pw=self.dirman_password
+)
+dn = DN('uid=admin', 'ou=people', 'o=ipaca')
+ldap.modify_password(dn, self.dirman_password)
+ldap.disconnect()
+
+def regenerate_ca_file(self, ca_file):
+dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password)
+
+keydb_pwd = ''
+with open('/etc/pki/pki-tomcat/password.conf') as f:
+for line in f.readlines():
+ 
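Review bot: update_pki_admin_password opens a dedicated ldap2 connection and never closes it on error: the traceback quoted in this thread shows ldap.modify_password raising DatabaseError, and on that path ldap.disconnect() is skipped. Wrap it:

    try:
        ldap.modify_password(dn, self.dirman_password)
    finally:
        ldap.disconnect()

This method binds as cn=Directory Manager with the plaintext password and runs a Password Modify operation against uid=admin,ou=people,o=ipaca, so from now on the CA admin's password is always identical to the DM password; that is what the commit message describes, but it also means any password policy on o=ipaca (the source of the constraint violation on 389-ds-base 1.3.1.2) is applied to a credential the tool sets silently, so catching DatabaseError here and re-raising a ScriptError that names the minimum 389-ds-base version is worth doing in the same change. The regenerate_ca_file body is cut off in this copy of the patch; the `with open('/etc/pki/pki-tomcat/password.conf')` read should at least fail with a clear message if the file is missing or contains no `internal` entry rather than handing PKCS12Export an empty password file.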

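As an added example, not code from the patch or from FreeIPA, here is the regenerate_ca_file step written so that the two password files cannot outlive the export and so that password.conf is parsed without tripping over blank lines or an '=' inside a value. The paths and the PKCS12Export flags (-d database directory, -p NSS password file, -w PKCS#12 password file, -o output) are taken from the thread; SAMPLE_PASSWORD_CONF is constructed, and the `run` parameter, defaulting to subprocess.run, is an assumption added so the flow can be exercised offline with a stand-in command instead of the real Dogtag tool.

```python
"""Re-export the CA PKCS#12 under the current Directory Manager password
without leaving either password on disk.

Added example, not FreeIPA's ipa_replica_prepare.py.  Paths and the
PKCS12Export flags follow the thread; SAMPLE_PASSWORD_CONF is constructed
and the `run` parameter (default subprocess.run) is an assumption so the
flow can be exercised offline with a stand-in command.
"""
import os
import subprocess
import tempfile

PKCS12_EXPORT = '/usr/bin/PKCS12Export'
PKI_ALIAS_DIR = '/etc/pki/pki-tomcat/alias/'

# Constructed stand-in for /etc/pki/pki-tomcat/password.conf: KEY=VALUE per
# line, where a value may itself contain '=' and blank/comment lines occur.
SAMPLE_PASSWORD_CONF = """\
# NSS token passwords for the CA's certificate database
internal=Secret=with=equals

internaldb=ldapSecret
"""


def parse_password_conf(text):
    """Map KEY -> VALUE, splitting on the first '=' only.

    A bare split('=') raises ValueError on blank lines and on values that
    contain '=', so both cases are handled explicitly here.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        values[key.strip()] = value
    return values


def keydb_password(conf_text):
    """Password of the NSS 'internal' token, which PKCS12Export needs via -p."""
    try:
        return parse_password_conf(conf_text)['internal']
    except KeyError:
        raise RuntimeError("password.conf has no 'internal' entry")


def write_secret_tmpfile(secret):
    """Write a secret to a fresh temp file; mkstemp creates it with mode 0600."""
    fd, name = tempfile.mkstemp()
    try:
        os.write(fd, secret.encode())
    finally:
        os.close(fd)
    return name


def export_ca_pkcs12(ca_file, dirman_password, keydb_pwd, run=subprocess.run,
                     tool=PKCS12_EXPORT, alias_dir=PKI_ALIAS_DIR):
    """Run PKCS12Export with both passwords in temp files; return the argv used.

    -p names the NSS database password file, -w the file holding the password
    that will protect the new PKCS#12 (the current DM password).  Both files
    are removed in `finally`, so a failing export cannot leave them behind.
    """
    dm_file = keydb_file = None
    try:
        dm_file = write_secret_tmpfile(dirman_password)
        keydb_file = write_secret_tmpfile(keydb_pwd)
        argv = [tool, '-d', alias_dir, '-p', keydb_file,
                '-w', dm_file, '-o', ca_file]
        run(argv, check=True)  # argv list: no shell, no quoting of file names
    finally:
        for name in (dm_file, keydb_file):
            if name is not None:
                try:
                    os.remove(name)
                except FileNotFoundError:
                    pass
    return argv


if __name__ == '__main__':
    # Stand-in for PKCS12Export so the flow can be traced without Dogtag.
    def fake_run(argv, check=True):
        print('would run:', ' '.join(argv))
        return subprocess.CompletedProcess(argv, 0)

    used = export_ca_pkcs12('/root/cacert.p12', 'current-DM-password',
                            keydb_password(SAMPLE_PASSWORD_CONF), run=fake_run)
    # By now the password files named in argv are already gone.
    print('password files removed:',
          not any(os.path.exists(p) for p in (used[4], used[6])))
```

The two temp files exist only for the lifetime of the export call, are created 0600 by mkstemp, and are removed on both the success and the failure path, which is the point raised in the review of the first version of this patch further down the thread.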
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-07-10 Thread Tomas Babej
On Monday 08 of July 2013 16:58:18 Ana Krivokapic wrote:
 On 06/25/2013 05:28 PM, Ana Krivokapic wrote:
  On 06/24/2013 02:27 PM, Tomas Babej wrote:
  On 06/11/2013 04:42 PM, Ade Lee wrote:
  [snip]
  Just FYI, we plan to do a new release of pki-core today (pki-core-10.0.3-2)
  to address this issue.
  -- 
  Regards,
 
  Ana Krivokapic
  Associate Software Engineer
  FreeIPA team
  Red Hat Inc.
  Ok, so I tested the patch, since pki-core has the PkiExport command fixed now.
 
  I'm getting a little bit further now.
 
  [tbabej@vm-127 ~]$ sudo ipa-replica-prepare --ip-address 10.34.47.129
  vm-129.idm.lab.eng.brq.redhat.com
  Directory Manager (existing master) password:
 
  Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from
  vm-127.idm.lab.eng.brq.redhat.com
  Constraint violation: Failed to update password
 
  With debug output, I get (snipped out irrelevant parts):
 
  Directory Manager (existing master) password:
 
  ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
  context.ldap2_57668944
  ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for 
SchemaCache
  url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
  conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700ab8
  ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection
  context.ldap2_57668944
  ipa: DEBUG: Search DNS for vm-129.idm.lab.eng.brq.redhat.com
  ipa: DEBUG: Search failed: [Errno -2] Name or service not known
  ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
  ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from 
SchemaCache
  ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for 
SchemaCache
  url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
  conn=ldap.ldapobject.SimpleLDAPObject instance at 0x4c704d0
  ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: Not 
logging
  to a file
  ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
  ipa-replica-prepare was invoked with arguments
  ['vm-129.idm.lab.eng.brq.redhat.com'] and options: {'log_file': None,
  'verbose': True, 'reverse_zone': None, 'setup_pkinit': True, 'http_pin': 
None,
  'quiet': False, 'http_pkcs12': None, 'pkinit_pkcs12': None, 'ca_file':
  '/root/cacert.p12', 'no_reverse': False, 'dirsrv_pkcs12': None, 
'password':
  None, 'ip_address': CheckedIPAddress('10.34.47.129'), 'dirsrv_pin': None,
  'pkinit_pin': None}
  ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: Preparing
  replica for vm-129.idm.lab.eng.brq.redhat.com from
  vm-127.idm.lab.eng.brq.redhat.com
  ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
  ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from 
SchemaCache
  ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for 
SchemaCache
  url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
  conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700710
  ipa: DEBUG: Starting external process
  ipa: DEBUG: args=/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p
  /tmp/tmprgUrso -w /tmp/tmp6SBBXF -o /root/cacert.p12
  ipa: DEBUG: Process finished, return code=0
  ipa: DEBUG: stdout=
  ipa: DEBUG: stderr=
  ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
  context.ldap2_139884970376144
  ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
  /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in 
execute
  return_value = self.run()
File
  /usr/lib/python2.7/site-
packages/ipaserver/install/ipa_replica_prepare.py,
  line 245, in run
  self.copy_ds_certificate()
File
  /usr/lib/python2.7/site-
packages/ipaserver/install/ipa_replica_prepare.py,
  line 281, in copy_ds_certificate
  self.update_pki_admin_password()
File
  /usr/lib/python2.7/site-
packages/ipaserver/install/ipa_replica_prepare.py,
  line 520, in update_pki_admin_password
  ldap.modify_password(dn, self.dirman_password)
File /usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py, 
line
  332, in modify_password
  self.conn.passwd_s(dn, old_pass, new_pass)
File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__
  self.gen.throw(type, value, traceback)
File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 919, 
in
  error_handler
  raise errors.DatabaseError(desc=desc, info=info)
 
  ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
  ipa-replica-prepare command failed, exception: DatabaseError: Constraint
  violation: Failed to update password
  ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: 
Constraint
  violation: Failed to update password
 
  Tomas
  It seems that this time the culprit is the 389-ds-base package. The password
  change is rejected when using the latest version of 389-ds-base
  (389-ds-base-1.3.1.2-1.fc19.x86_64). I tried testing it with a previous
  version (389-ds-base-1.3.0.5-1.fc19.x86_64) and it works.
 
  I opened an upstream ticket for the 389 

Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-07-10 Thread Ana Krivokapic
On 07/10/2013 01:33 PM, Tomas Babej wrote:

 On Monday 08 of July 2013 16:58:18 Ana Krivokapic wrote:

  On 06/25/2013 05:28 PM, Ana Krivokapic wrote:

   On 06/24/2013 02:27 PM, Tomas Babej wrote:

   On 06/11/2013 04:42 PM, Ade Lee wrote:

   [snip]

   Just FYI, we plan to do a new release of pki-core today 
   (pki-core-10.0.3-2)

   to address this issue.

   --

   Regards,

  

   Ana Krivokapic

   Associate Software Engineer

   FreeIPA team

   Red Hat Inc.

   Ok, so I tested the patch, since pki-core has the PkiExport command fixed
 now.

  

   I'm getting a little bit further now.

  

   [tbabej@vm-127 ~]$ sudo ipa-replica-prepare --ip-address 10.34.47.129

   vm-129.idm.lab.eng.brq.redhat.com

   Directory Manager (existing master) password:

  

   Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from

   vm-127.idm.lab.eng.brq.redhat.com

   Constraint violation: Failed to update password

  

   With debug output, I get (snipped out irrelevant parts):

  

   Directory Manager (existing master) password:

  

   ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection

   context.ldap2_57668944

   ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for 
   SchemaCache

   url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket

   conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700ab8

   ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection

   context.ldap2_57668944

   ipa: DEBUG: Search DNS for vm-129.idm.lab.eng.brq.redhat.com

   ipa: DEBUG: Search failed: [Errno -2] Name or service not known

   ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing

   ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from
 SchemaCache

   ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for 
   SchemaCache

   url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket

   conn=ldap.ldapobject.SimpleLDAPObject instance at 0x4c704d0

   ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: Not 
   logging

   to a file

   ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:

   ipa-replica-prepare was invoked with arguments

   ['vm-129.idm.lab.eng.brq.redhat.com'] and options: {'log_file': None,

   'verbose': True, 'reverse_zone': None, 'setup_pkinit': True, 'http_pin':
 None,

   'quiet': False, 'http_pkcs12': None, 'pkinit_pkcs12': None, 'ca_file':

   '/root/cacert.p12', 'no_reverse': False, 'dirsrv_pkcs12': None, 
   'password':

   None, 'ip_address': CheckedIPAddress('10.34.47.129'), 'dirsrv_pin': None,

   'pkinit_pin': None}

   ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: Preparing

   replica for vm-129.idm.lab.eng.brq.redhat.com from

   vm-127.idm.lab.eng.brq.redhat.com

   ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing

   ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from
 SchemaCache

   ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for 
   SchemaCache

   url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket

   conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700710

   ipa: DEBUG: Starting external process

   ipa: DEBUG: args=/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p

   /tmp/tmprgUrso -w /tmp/tmp6SBBXF -o /root/cacert.p12

   ipa: DEBUG: Process finished, return code=0

   ipa: DEBUG: stdout=

   ipa: DEBUG: stderr=

   ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection

   context.ldap2_139884970376144

   ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File

   /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in
 execute

   return_value = self.run()

   File

   /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,

   line 245, in run

   self.copy_ds_certificate()

   File

   /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,

   line 281, in copy_ds_certificate

   self.update_pki_admin_password()

   File

   /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,

   line 520, in update_pki_admin_password

   ldap.modify_password(dn, self.dirman_password)

   File /usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py, line

   332, in modify_password

   self.conn.passwd_s(dn, old_pass, new_pass)

   File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__

   self.gen.throw(type, value, traceback)

   File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 919, 
   in

   error_handler

   raise errors.DatabaseError(desc=desc, info=info)

  

   ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The

   ipa-replica-prepare command failed, exception: DatabaseError: Constraint

   violation: Failed to update password

   ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: 
   Constraint

   violation: Failed to update password

  

   Tomas

   It seems that this time the culprit is 389-ds-base packages. The password
 change

   is 

Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-07-08 Thread Ana Krivokapic
On 06/25/2013 05:28 PM, Ana Krivokapic wrote:
 On 06/24/2013 02:27 PM, Tomas Babej wrote:
 On 06/11/2013 04:42 PM, Ade Lee wrote:
 [snip]
 Just FYI, we plan to do a new release of pki-core today (pki-core-10.0.3-2)
 to address this issue.
 -- 
 Regards,

 Ana Krivokapic
 Associate Software Engineer
 FreeIPA team
 Red Hat Inc.
 Ok, so I tested the patch, since pki-core has the PkiExport command fixed 
 now.

 I'm getting a little bit further now.

 [tbabej@vm-127 ~]$ sudo ipa-replica-prepare --ip-address 10.34.47.129
 vm-129.idm.lab.eng.brq.redhat.com
 Directory Manager (existing master) password:

 Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from
 vm-127.idm.lab.eng.brq.redhat.com
 Constraint violation: Failed to update password

 With debug output, I get (snipped out irrelevant parts):

 Directory Manager (existing master) password:

 ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
 context.ldap2_57668944
 ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
 url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
 conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700ab8
 ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection
 context.ldap2_57668944
 ipa: DEBUG: Search DNS for vm-129.idm.lab.eng.brq.redhat.com
 ipa: DEBUG: Search failed: [Errno -2] Name or service not known
 ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
 ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from 
 SchemaCache
 ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
 url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
 conn=ldap.ldapobject.SimpleLDAPObject instance at 0x4c704d0
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: Not logging
 to a file
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
 ipa-replica-prepare was invoked with arguments
 ['vm-129.idm.lab.eng.brq.redhat.com'] and options: {'log_file': None,
 'verbose': True, 'reverse_zone': None, 'setup_pkinit': True, 'http_pin': 
 None,
 'quiet': False, 'http_pkcs12': None, 'pkinit_pkcs12': None, 'ca_file':
 '/root/cacert.p12', 'no_reverse': False, 'dirsrv_pkcs12': None, 'password':
 None, 'ip_address': CheckedIPAddress('10.34.47.129'), 'dirsrv_pin': None,
 'pkinit_pin': None}
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: Preparing
 replica for vm-129.idm.lab.eng.brq.redhat.com from
 vm-127.idm.lab.eng.brq.redhat.com
 ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
 ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from 
 SchemaCache
 ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
 url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
 conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700710
 ipa: DEBUG: Starting external process
 ipa: DEBUG: args=/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p
 /tmp/tmprgUrso -w /tmp/tmp6SBBXF -o /root/cacert.p12
 ipa: DEBUG: Process finished, return code=0
 ipa: DEBUG: stdout=
 ipa: DEBUG: stderr=
 ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
 context.ldap2_139884970376144
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
 /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in 
 execute
 return_value = self.run()
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
 line 245, in run
 self.copy_ds_certificate()
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
 line 281, in copy_ds_certificate
 self.update_pki_admin_password()
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
 line 520, in update_pki_admin_password
 ldap.modify_password(dn, self.dirman_password)
   File /usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py, line
 332, in modify_password
 self.conn.passwd_s(dn, old_pass, new_pass)
   File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__
 self.gen.throw(type, value, traceback)
   File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 919, in
 error_handler
 raise errors.DatabaseError(desc=desc, info=info)

 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
 ipa-replica-prepare command failed, exception: DatabaseError: Constraint
 violation: Failed to update password
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Constraint
 violation: Failed to update password

 Tomas
 It seems that this time the culprit is the 389-ds-base package. The password
 change is rejected when using the latest version of 389-ds-base
 (389-ds-base-1.3.1.2-1.fc19.x86_64). I tried testing it with a previous
 version (389-ds-base-1.3.0.5-1.fc19.x86_64) and it works.

 I opened an upstream ticket for the 389 DS project:
 https://fedorahosted.org/389/ticket/47406.


The password change rejection problem has been fixed in the new version of
389-ds-base: 

Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-06-25 Thread Ana Krivokapic
On 06/24/2013 02:27 PM, Tomas Babej wrote:
 On 06/11/2013 04:42 PM, Ade Lee wrote:
 [snip]
 Just FYI, we plan to do a new release of pki-core today (pki-core-10.0.3-2)
 to address this issue.
 -- 
 Regards,

 Ana Krivokapic
 Associate Software Engineer
 FreeIPA team
 Red Hat Inc.

 Ok, so I tested the patch, since pki-core has the PkiExport command fixed now.

 I'm getting a little bit further now.

 [tbabej@vm-127 ~]$ sudo ipa-replica-prepare --ip-address 10.34.47.129
 vm-129.idm.lab.eng.brq.redhat.com
 Directory Manager (existing master) password:

 Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from
 vm-127.idm.lab.eng.brq.redhat.com
 Constraint violation: Failed to update password

 With debug output, I get (snipped out irrelevant parts):

 Directory Manager (existing master) password:

 ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
 context.ldap2_57668944
 ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
 url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
 conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700ab8
 ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection
 context.ldap2_57668944
 ipa: DEBUG: Search DNS for vm-129.idm.lab.eng.brq.redhat.com
 ipa: DEBUG: Search failed: [Errno -2] Name or service not known
 ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
 ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from 
 SchemaCache
 ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
 url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
 conn=ldap.ldapobject.SimpleLDAPObject instance at 0x4c704d0
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: Not logging
 to a file
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
 ipa-replica-prepare was invoked with arguments
 ['vm-129.idm.lab.eng.brq.redhat.com'] and options: {'log_file': None,
 'verbose': True, 'reverse_zone': None, 'setup_pkinit': True, 'http_pin': None,
 'quiet': False, 'http_pkcs12': None, 'pkinit_pkcs12': None, 'ca_file':
 '/root/cacert.p12', 'no_reverse': False, 'dirsrv_pkcs12': None, 'password':
 None, 'ip_address': CheckedIPAddress('10.34.47.129'), 'dirsrv_pin': None,
 'pkinit_pin': None}
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: Preparing
 replica for vm-129.idm.lab.eng.brq.redhat.com from
 vm-127.idm.lab.eng.brq.redhat.com
 ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
 ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from 
 SchemaCache
 ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
 url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
 conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700710
 ipa: DEBUG: Starting external process
 ipa: DEBUG: args=/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p
 /tmp/tmprgUrso -w /tmp/tmp6SBBXF -o /root/cacert.p12
 ipa: DEBUG: Process finished, return code=0
 ipa: DEBUG: stdout=
 ipa: DEBUG: stderr=
 ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
 context.ldap2_139884970376144
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
 /usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in 
 execute
 return_value = self.run()
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
 line 245, in run
 self.copy_ds_certificate()
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
 line 281, in copy_ds_certificate
 self.update_pki_admin_password()
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
 line 520, in update_pki_admin_password
 ldap.modify_password(dn, self.dirman_password)
   File /usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py, line
 332, in modify_password
 self.conn.passwd_s(dn, old_pass, new_pass)
   File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__
 self.gen.throw(type, value, traceback)
   File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 919, in
 error_handler
 raise errors.DatabaseError(desc=desc, info=info)

 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
 ipa-replica-prepare command failed, exception: DatabaseError: Constraint
 violation: Failed to update password
 ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Constraint
 violation: Failed to update password

 Tomas

It seems that this time the culprit is the 389-ds-base package. The password
change is rejected when using the latest version of 389-ds-base
(389-ds-base-1.3.1.2-1.fc19.x86_64). I tried testing it with a previous version
(389-ds-base-1.3.0.5-1.fc19.x86_64) and it works.

I opened an upstream ticket for the 389 DS project:
https://fedorahosted.org/389/ticket/47406.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.


Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-06-24 Thread Tomas Babej

On 06/11/2013 04:42 PM, Ade Lee wrote:
[snip]
Just FYI, we plan to do a new release of pki-core today 
(pki-core-10.0.3-2) to address this issue.

--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.


Ok, so I tested the patch, since pki-core has the PkiExport command 
fixed now.


I'm getting a little bit further now.

[tbabej@vm-127 ~]$ sudo ipa-replica-prepare --ip-address 10.34.47.129 
vm-129.idm.lab.eng.brq.redhat.com

Directory Manager (existing master) password:

Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from 
vm-127.idm.lab.eng.brq.redhat.com

Constraint violation: Failed to update password

With debug output, I get (snipped out irrelevant parts):

Directory Manager (existing master) password:

ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection 
context.ldap2_57668944
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for 
SchemaCache 
url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket 
conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700ab8
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection 
context.ldap2_57668944

ipa: DEBUG: Search DNS for vm-129.idm.lab.eng.brq.redhat.com
ipa: DEBUG: Search failed: [Errno -2] Name or service not known
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing 
ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from 
SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for 
SchemaCache 
url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket 
conn=ldap.ldapobject.SimpleLDAPObject instance at 0x4c704d0
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: Not 
logging to a file
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: 
ipa-replica-prepare was invoked with arguments 
['vm-129.idm.lab.eng.brq.redhat.com'] and options: {'log_file': None, 
'verbose': True, 'reverse_zone': None, 'setup_pkinit': True, 'http_pin': 
None, 'quiet': False, 'http_pkcs12': None, 'pkinit_pkcs12': None, 
'ca_file': '/root/cacert.p12', 'no_reverse': False, 'dirsrv_pkcs12': 
None, 'password': None, 'ip_address': CheckedIPAddress('10.34.47.129'), 
'dirsrv_pin': None, 'pkinit_pin': None}
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: 
Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from 
vm-127.idm.lab.eng.brq.redhat.com
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing 
ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from 
SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for 
SchemaCache 
url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket 
conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700710

ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p 
/tmp/tmprgUrso -w /tmp/tmp6SBBXF -o /root/cacert.p12

ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection 
context.ldap2_139884970376144
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File 
/usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in 
execute

return_value = self.run()
  File 
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, 
line 245, in run

self.copy_ds_certificate()
  File 
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, 
line 281, in copy_ds_certificate

self.update_pki_admin_password()
  File 
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py, 
line 520, in update_pki_admin_password

ldap.modify_password(dn, self.dirman_password)
  File /usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py, 
line 332, in modify_password

self.conn.passwd_s(dn, old_pass, new_pass)
  File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__
self.gen.throw(type, value, traceback)
  File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 
919, in error_handler

raise errors.DatabaseError(desc=desc, info=info)

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The 
ipa-replica-prepare command failed, exception: DatabaseError: Constraint 
violation: Failed to update password
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: 
Constraint violation: Failed to update password


Tomas



Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-06-11 Thread Ade Lee
On Mon, 2013-06-10 at 16:35 +0200, Ana Krivokapic wrote:
 On 06/07/2013 10:23 AM, Tomas Babej wrote:
 
  On 05/15/2013 01:36 PM, Ana Krivokapic wrote:
  
   On 05/15/2013 12:29 PM, Petr Viktorin wrote:
On 05/15/2013 12:04 PM, Tomas Babej wrote:
 On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
  Hello,
  
  See the commit message for details.
  
  https://fedorahosted.org/freeipa/ticket/3594
  
  
  
 +def regenerate_ca_file(self, ca_file):
 +dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
 +keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
 +
 +os.write(dm_pwd_fd, self.dirman_password)
 +os.close(dm_pwd_fd)
 +
 +keydb_pwd = ''
 +with open('/etc/pki/pki-tomcat/password.conf') as f:
 +for line in f.readlines():
 +key, value = line.strip().split('=')
 +if key == 'internal':
 +keydb_pwd = value
 +break
 +
 +os.write(keydb_pwd_fd, keydb_pwd)
 +os.close(keydb_pwd_fd)
 +
 +ipautil.run([
 +'/usr/bin/PKCS12Export',
 +'-d', '/etc/pki/pki-tomcat/alias/',
 +'-p', keydb_pwd_fname,
 +'-w', dm_pwd_fname,
 +'-o', ca_file
 +])
 +
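Review bot: the password.conf loop uses `key, value = line.strip().split('=')`, which raises an unhandled ValueError on any blank line and on any value that itself contains '=', and treats a comment line as a key; split on the first '=' only and skip lines without one, e.g.

    line = line.strip()
    if not line or '=' not in line:
        continue
    key, value = line.split('=', 1)

Separately, if no `internal` line is found, keydb_pwd stays '' and PKCS12Export is invoked with an empty NSS password file, which yields a confusing tool error instead of a clear message that password.conf is unusable; raise a ScriptError in that case before running the export.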
 
 If the PKCS12Export call fails (returns non-zero code), we raise
 exception here, and the temporary files are never removed.
 
 +os.remove(dm_pwd_fname)
 +os.remove(keydb_pwd_fname)
 
 This might not be a big issue since mkstemp() call creates temporary
 file readable and writable only by the given user ID,
 however, we should not leave files with passwords in plaintext on the
 disk if it is not necessary.
 
 This can be easily prevented by wrapping the call up with
 try-catch-finally block, or using the raiseonerr=False option of the run
 method.
Or by using ipautil.write_tmp_file() – the file it creates is always
removed after it's closed/garbage collected, and it has a name 
attribute.

   Updated patch uses `ipautil.write_tmp_file()`.
   
   
   
  I'm testing on a fairly updated F19 VM:
  
  I'm getting the following error when preparing the replica info
  file:
  
  [root@vm-002 ~]# ipa-replica-prepare vm-003.ipa.com --ip-address
  192.168.122.213
  Directory Manager (existing master) password: 
  
  Preparing replica for vm-003.ipa.com from vm-002.ipa.com
  Command '/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/
  -p /tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12' returned
  non
  
  When trying that manually:
  
  [root@vm-002 ~]# /usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/
  -p /tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12
   Exception in thread "main" java.lang.NoClassDefFoundError:
  org/mozilla/jss/util/PasswordCallback
  at java.lang.Class.getDeclaredMethods0(Native Method)
  at java.lang.Class.privateGetDeclaredMethods(Class.java:2451)
  at java.lang.Class.getMethod0(Class.java:2694)
  at java.lang.Class.getMethod(Class.java:1622)
  at
  sun.launcher.LauncherHelper.getMainMethod(LauncherHelper.java:494)
  at
  sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:486)
  Caused by: java.lang.ClassNotFoundException:
  org.mozilla.jss.util.PasswordCallback
  at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
  at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
  at java.security.AccessController.doPrivileged(Native Method)
  at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
  at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
  at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
  ... 6 more
  
  We might need to investigate what causes this, and if the issue is
  not on our side, file appropriate bugs.
  
  Tomas
 
 This is a bug in the PKCS12Export utility. I opened a Bugzilla for
 it: https://bugzilla.redhat.com/show_bug.cgi?id=972753.
 
 Below is a workaround, as suggested by Ade:
 <alee> as for a workaround, you could simply edit the file that starts
 PKCS12Export
 <alee> edit /usr/bin/PKCS12Export
 <alee> after line 134, simply add the line :
 CP=/usr/lib/java/jss4.jar
 <alee> but that's just a temp fix for f19 only
 <alee> not the real fix,
 <alee> you'll need the real fix checked in to pass the patch
 

Just FYI, we plan to do a new release of pki-core today
(pki-core-10.0.3-2) to address this issue.

 -- 
 Regards,
 

Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-06-10 Thread Ana Krivokapic
On 06/07/2013 10:23 AM, Tomas Babej wrote:
 On 05/15/2013 01:36 PM, Ana Krivokapic wrote:
 On 05/15/2013 12:29 PM, Petr Viktorin wrote:
 On 05/15/2013 12:04 PM, Tomas Babej wrote:
 On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
 Hello,

 See the commit message for details.

 https://fedorahosted.org/freeipa/ticket/3594



 +def regenerate_ca_file(self, ca_file):
 +dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
 +keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
 +
 +os.write(dm_pwd_fd, self.dirman_password)
 +os.close(dm_pwd_fd)
 +
 +keydb_pwd = ''
 +with open('/etc/pki/pki-tomcat/password.conf') as f:
 +for line in f.readlines():
 +key, value = line.strip().split('=')
 +if key == 'internal':
 +keydb_pwd = value
 +break
 +
 +os.write(keydb_pwd_fd, keydb_pwd)
 +os.close(keydb_pwd_fd)
 +
 +ipautil.run([
 +'/usr/bin/PKCS12Export',
 +'-d', '/etc/pki/pki-tomcat/alias/',
 +'-p', keydb_pwd_fname,
 +'-w', dm_pwd_fname,
 +'-o', ca_file
 +])
 +

 If the PKCS12Export call fails (returns non-zero code), we raise
 exception here, and the temporary files are never removed.

 +os.remove(dm_pwd_fname)
 +os.remove(keydb_pwd_fname)

 This might not be a big issue since mkstemp() call creates temporary
 file readable and writable only by the given user ID,
 however, we should not leave files with passwords in plaintext on the
 disk if it is not necessary.

 This can be easily prevented by wrapping the call up with
 try-catch-finally block, or using the raiseonerr=False option of the run
 method.
 Or by using ipautil.write_tmp_file() -- the file it creates is always
 removed after it's closed/garbage collected, and it has a name attribute.

 Updated patch uses `ipautil.write_tmp_file()`.



 I'm testing on a fairly updated F19 VM:

 I'm getting the following error when preparing the replica info file:

 [root@vm-002 ~]# ipa-replica-prepare vm-003.ipa.com --ip-address
 192.168.122.213
 Directory Manager (existing master) password:

 Preparing replica for vm-003.ipa.com from vm-002.ipa.com
 Command '/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p
 /tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12' returned non

 When trying that manually:

 [root@vm-002 ~]# /usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/
 -p /tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12
 Exception in thread "main" java.lang.NoClassDefFoundError:
 org/mozilla/jss/util/PasswordCallback
 at java.lang.Class.getDeclaredMethods0(Native Method)
 at java.lang.Class.privateGetDeclaredMethods(Class.java:2451)
 at java.lang.Class.getMethod0(Class.java:2694)
 at java.lang.Class.getMethod(Class.java:1622)
 at sun.launcher.LauncherHelper.getMainMethod(LauncherHelper.java:494)
 at
 sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:486)
 Caused by: java.lang.ClassNotFoundException:
 org.mozilla.jss.util.PasswordCallback
 at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
 at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
 at java.security.AccessController.doPrivileged(Native Method)
 at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
 at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
 at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
 at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
 ... 6 more

 We might need to investigate what causes this, and if the issue is not
 on our side, file appropriate bugs.

 Tomas

This is a bug in the PKCS12Export utility. I opened a Bugzilla for it:
https://bugzilla.redhat.com/show_bug.cgi?id=972753.

Below is a workaround, as suggested by Ade:
<alee> as for a workaround, you could simply edit the file that starts
PKCS12Export
<alee> edit /usr/bin/PKCS12Export
<alee> after line 134, simply add the line :  CP=/usr/lib/java/jss4.jar
<alee> but that's just a temp fix for f19 only
<alee> not the real fix,
<alee> you'll need the real fix checked in to pass the patch

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-06-07 Thread Tomas Babej

On 05/15/2013 01:36 PM, Ana Krivokapic wrote:

On 05/15/2013 12:29 PM, Petr Viktorin wrote:

On 05/15/2013 12:04 PM, Tomas Babej wrote:

On 05/15/2013 11:40 AM, Ana Krivokapic wrote:

Hello,

See the commit message for details.

https://fedorahosted.org/freeipa/ticket/3594




+def regenerate_ca_file(self, ca_file):
+dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
+keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
+
+os.write(dm_pwd_fd, self.dirman_password)
+os.close(dm_pwd_fd)
+
+keydb_pwd = ''
+with open('/etc/pki/pki-tomcat/password.conf') as f:
+for line in f.readlines():
+key, value = line.strip().split('=')
+if key == 'internal':
+keydb_pwd = value
+break
+
+os.write(keydb_pwd_fd, keydb_pwd)
+os.close(keydb_pwd_fd)
+
+ipautil.run([
+'/usr/bin/PKCS12Export',
+'-d', '/etc/pki/pki-tomcat/alias/',
+'-p', keydb_pwd_fname,
+'-w', dm_pwd_fname,
+'-o', ca_file
+])
+

If the PKCS12Export call fails (returns non-zero code), we raise
exception here, and the temporary files are never removed.

+os.remove(dm_pwd_fname)
+os.remove(keydb_pwd_fname)

This might not be a big issue since mkstemp() call creates temporary
file readable and writable only by the given user ID,
however, we should not leave files with passwords in plaintext on the
disk if it is not necessary.

This can be easily prevented by wrapping the call up with
try-catch-finally block, or using the raiseonerr=False option of the run
method.

Or by using ipautil.write_tmp_file() -- the file it creates is always
removed after it's closed/garbage collected, and it has a name attribute.


Updated patch uses `ipautil.write_tmp_file()`.




I'm testing on a fairly updated F19 VM:

I'm getting the following error when preparing the replica info file:

[root@vm-002 ~]# ipa-replica-prepare vm-003.ipa.com --ip-address 
192.168.122.213

Directory Manager (existing master) password:

Preparing replica for vm-003.ipa.com from vm-002.ipa.com
Command '/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p 
/tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12' returned non


When trying that manually:

[root@vm-002 ~]# /usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p 
/tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12
Exception in thread "main" java.lang.NoClassDefFoundError: 
org/mozilla/jss/util/PasswordCallback

at java.lang.Class.getDeclaredMethods0(Native Method)
at java.lang.Class.privateGetDeclaredMethods(Class.java:2451)
at java.lang.Class.getMethod0(Class.java:2694)
at java.lang.Class.getMethod(Class.java:1622)
at sun.launcher.LauncherHelper.getMainMethod(LauncherHelper.java:494)
at 
sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:486)
Caused by: java.lang.ClassNotFoundException: 
org.mozilla.jss.util.PasswordCallback

at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
... 6 more

We might need to investigate what causes this, and if the issue is not 
on our side, file appropriate bugs.


Tomas
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

[Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-05-15 Thread Ana Krivokapic
Hello,

See the commit message for details.

https://fedorahosted.org/freeipa/ticket/3594

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 1354ddec918dd0de235c9a35e2155483c6c1d97a Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Wed, 15 May 2013 11:22:41 +0200
Subject: [PATCH] Make sure replication works after DM password is changed

Replica information file contains the file `cacert.p12` which is protected by
the Directory Manager password of the initial IPA server installation. The DM
password of the initial installation is also used for the PKI admin user
password.

If the DM password is changed after the IPA server installation, the replication
fails.

To prevent this failure, add the following steps to ipa-replica-prepare:
1. Regenerate the `cacert.p12` file and protect it with the current DM password
2. Update the password of the PKI admin user with the current DM password

https://fedorahosted.org/freeipa/ticket/3594
---
 ipaserver/install/ipa_replica_prepare.py | 44 
 1 file changed, 44 insertions(+)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index b6b063332a4ea6b87cddd20a0d53de22d4a0a639..6f5e511ad7b3c83e2195832846fc1c9553ed276d 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -274,6 +274,11 @@ def copy_ds_certificate(self):
 self.copy_info_file(options.dirsrv_pkcs12, dscert.p12)
 else:
 if ipautil.file_exists(options.ca_file):
+# Since it is possible that the Directory Manager password
+# has changed since ipa-server-install, we need to regenerate
+# the CA PKCS#12 file and update the pki admin user password
+self.regenerate_ca_file(options.ca_file)
+self.update_pki_admin_password()
 self.copy_info_file(options.ca_file, cacert.p12)
 else:
 raise admintool.ScriptError(Root CA PKCS#12 not 
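Review bot: `self.regenerate_ca_file(options.ca_file)` overwrites the existing `cacert.p12` in place and runs on every invocation, so a PKCS12Export failure (one is reported later in this thread) can leave `options.ca_file` truncated or half-written instead of the previous good file, and every ipa-replica-prepare run re-exports the CA keys even when the Directory Manager password never changed; export to a temporary path and rename it over `options.ca_file` only after the command returns 0. The `self.update_pki_admin_password()` call also changes the `uid=admin,ou=people,o=ipaca` password as a side effect of preparing a replica, which resets any separately set PKI admin password; that deserves a log message and a sentence in the ipa-replica-prepare man page, since the in-code comment is the only place the new behaviour is recorded.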
@@ -504,3 +509,42 @@ def export_ra_pkcs12(self):
 db.export_pkcs12(pkcs12_fname, agent_name, ipaCert)
 finally:
 os.remove(agent_name)
+
+def update_pki_admin_password(self):
+ldap = ldap2(shared_instance=False)
+ldap.connect(
+bind_dn=DN(('cn', 'directory manager')),
+bind_pw=self.dirman_password
+)
+dn = DN('uid=admin', 'ou=people', 'o=ipaca')
+ldap.modify_password(dn, self.dirman_password)
+ldap.disconnect()
+
+def regenerate_ca_file(self, ca_file):
+dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
+keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
+
+os.write(dm_pwd_fd, self.dirman_password)
+os.close(dm_pwd_fd)
+
+keydb_pwd = ''
+with open('/etc/pki/pki-tomcat/password.conf') as f:
+for line in f.readlines():
+key, value = line.strip().split('=')
+if key == 'internal':
+keydb_pwd = value
+break
+
+os.write(keydb_pwd_fd, keydb_pwd)
+os.close(keydb_pwd_fd)
+
+ipautil.run([
+'/usr/bin/PKCS12Export',
+'-d', '/etc/pki/pki-tomcat/alias/',
+'-p', keydb_pwd_fname,
+'-w', dm_pwd_fname,
+'-o', ca_file
+])
+
+os.remove(dm_pwd_fname)
+os.remove(keydb_pwd_fname)
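Review bot: the two `tempfile.mkstemp()` files holding the Directory Manager and NSS database passwords are only removed on the success path; `ipautil.run()` raises on a non-zero exit from `/usr/bin/PKCS12Export`, which skips both `os.remove()` calls and leaves the plaintext passwords behind in /tmp. Wrap the `run()` call in try/finally, or use `ipautil.write_tmp_file()`, which unlinks the file when it is closed. The `password.conf` parser above it is also fragile: `key, value = line.strip().split('=')` raises ValueError on an empty line or on a value containing '=', and when no `internal` key is present `keydb_pwd` stays '' so an empty password file is handed to PKCS12Export and the failure surfaces only as an opaque export error; use `split('=', 1)`, skip blank lines and raise `admintool.ScriptError` when the key is missing. In `update_pki_admin_password`, `ldap.disconnect()` is not in a finally block, so the bound Directory Manager connection leaks when `modify_password` raises.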
-- 
1.8.1.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-05-15 Thread Tomas Babej

On 05/15/2013 11:40 AM, Ana Krivokapic wrote:

Hello,

See the commit message for details.

https://fedorahosted.org/freeipa/ticket/3594





+def regenerate_ca_file(self, ca_file):
+dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
+keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
+
+os.write(dm_pwd_fd, self.dirman_password)
+os.close(dm_pwd_fd)
+
+keydb_pwd = ''
+with open('/etc/pki/pki-tomcat/password.conf') as f:
+for line in f.readlines():
+key, value = line.strip().split('=')
+if key == 'internal':
+keydb_pwd = value
+break
+
+os.write(keydb_pwd_fd, keydb_pwd)
+os.close(keydb_pwd_fd)
+
+ipautil.run([
+'/usr/bin/PKCS12Export',
+'-d', '/etc/pki/pki-tomcat/alias/',
+'-p', keydb_pwd_fname,
+'-w', dm_pwd_fname,
+'-o', ca_file
+])
+

If the PKCS12Export call fails (returns non-zero code), we raise 
exception here, and the temporary files are never removed.


+os.remove(dm_pwd_fname)
+os.remove(keydb_pwd_fname)

This might not be a big issue since mkstemp() call creates temporary 
file readable and writable only by the given user ID,
however, we should not leave files with passwords in plaintext on the 
disk if it is not necessary.


This can be easily prevented by wrapping the call up with 
try-catch-finally block, or using the raiseonerr=False option of the run method.


Tomas
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-05-15 Thread Petr Viktorin

On 05/15/2013 12:04 PM, Tomas Babej wrote:

On 05/15/2013 11:40 AM, Ana Krivokapic wrote:

Hello,

See the commit message for details.

https://fedorahosted.org/freeipa/ticket/3594





+def regenerate_ca_file(self, ca_file):
+dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
+keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
+
+os.write(dm_pwd_fd, self.dirman_password)
+os.close(dm_pwd_fd)
+
+keydb_pwd = ''
+with open('/etc/pki/pki-tomcat/password.conf') as f:
+for line in f.readlines():
+key, value = line.strip().split('=')
+if key == 'internal':
+keydb_pwd = value
+break
+
+os.write(keydb_pwd_fd, keydb_pwd)
+os.close(keydb_pwd_fd)
+
+ipautil.run([
+'/usr/bin/PKCS12Export',
+'-d', '/etc/pki/pki-tomcat/alias/',
+'-p', keydb_pwd_fname,
+'-w', dm_pwd_fname,
+'-o', ca_file
+])
+

If the PKCS12Export call fails (returns non-zero code), we raise
exception here, and the temporary files are never removed.

+os.remove(dm_pwd_fname)
+os.remove(keydb_pwd_fname)

This might not be a big issue since mkstemp() call creates temporary
file readable and writable only by the given user ID,
however, we should not leave files with passwords in plaintext on the
disk if it is not necessary.

This can be easily prevented by wrapping the call up with
try-catch-finally block, or using the raiseonerr=False option of the run method.


Or by using ipautil.write_tmp_file() – the file it creates is always 
removed after it's closed/garbage collected, and it has a name attribute.


--
Petr³

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

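Tomas's point about the password files surviving a failed PKCS12Export and Petr's suggestion of ipautil.write_tmp_file() come down to one property: a secret handed to a child process through the filesystem must be created unreadable to other users and unlinked on every exit path, including the one where the child fails. The block below is an added example written for this discussion; it is not FreeIPA code and not part of the thread. It uses only the standard library, stands in for /usr/bin/PKCS12Export with a constructed child process that reads both password files and exits non-zero, and also shows a stricter version of the password.conf lookup from the patch (the sample file contents are constructed). The names secret_file, run_export, read_password_conf and FAILING_EXPORTER are the example's own; it goes beyond the patch in that the parser tolerates blank and comment lines, values containing '=' and a missing key.

```python
# Added example (not FreeIPA code): pass secrets to a child process through
# temporary files that are created 0600 and always unlinked, plus a stricter
# password.conf lookup.  All names here are the example's own.
import os
import subprocess
import sys
import tempfile
from contextlib import contextmanager

# Constructed sample in the shape of /etc/pki/pki-tomcat/password.conf.
SAMPLE_PASSWORD_CONF = """\
# token passwords (constructed sample, not a real file)
internal=Secret=With=Equals

internaldb=dbpass
replicationdb=replpass
"""

# Constructed stand-in for /usr/bin/PKCS12Export: reads both password files
# it is given (so we know they existed while it ran) and then exits 7, the
# "command returned non-zero" case from the review.
FAILING_EXPORTER = [
    sys.executable, '-c',
    'import sys; open(sys.argv[1]).read(); open(sys.argv[2]).read(); '
    'sys.exit(7)',
]


def read_password_conf(text, key='internal'):
    """Return the value for `key` from password.conf-style text.

    A bare `key, value = line.strip().split('=')` raises ValueError on a
    blank line or on a value containing '='; this skips blanks and comments,
    splits once, and fails loudly when the key is missing instead of
    silently using '' as the NSS database password.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        k, v = line.split('=', 1)
        if k.strip() == key:
            return v.strip()
    raise KeyError('%s not found in password.conf' % key)


@contextmanager
def secret_file(secret):
    """Yield the path of a temp file holding `secret`; unlink it on exit.

    mkstemp() creates the file 0600 with O_EXCL, so other users cannot read
    it; the try/finally is what guarantees removal when the code using the
    file raises or the child process fails.
    """
    fd, path = tempfile.mkstemp(prefix='pwd-')
    try:
        with os.fdopen(fd, 'w') as f:
            f.write(secret)
        yield path
    finally:
        try:
            os.unlink(path)
        except OSError:
            pass  # already gone; nothing left to clean up


def is_private(path):
    """True if no group/other permission bit is set on `path`."""
    return (os.stat(path).st_mode & 0o077) == 0


def run_export(cmd_prefix, dm_password, keydb_password):
    """Run `cmd_prefix` with the two password file paths appended.

    Returns (returncode, was_private, paths).  Like ipautil.run(...,
    raiseonerr=False) it does not raise on a non-zero exit; the files are
    removed on every way out of the `with` block regardless.
    """
    with secret_file(dm_password) as dm_path, \
            secret_file(keydb_password) as keydb_path:
        paths = (dm_path, keydb_path)
        was_private = all(is_private(p) for p in paths)
        rc = subprocess.call(list(cmd_prefix) + list(paths))
    return rc, was_private, paths


def files_removed(paths):
    """True once none of `paths` exist any more."""
    return not any(os.path.exists(p) for p in paths)


if __name__ == '__main__':
    keydb_pw = read_password_conf(SAMPLE_PASSWORD_CONF)
    rc, private, paths = run_export(FAILING_EXPORTER, 'DMpassword1', keydb_pw)
    print('exit %d, private=%s, cleaned up=%s'
          % (rc, private, files_removed(paths)))
```

The same shape applies to ipautil.write_tmp_file(): the returned object must be kept referenced until the command has finished, since the file disappears when it is closed or garbage collected, and the command receives its .name, not the object.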

Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed

2013-05-15 Thread Ana Krivokapic
On 05/15/2013 12:29 PM, Petr Viktorin wrote:
 On 05/15/2013 12:04 PM, Tomas Babej wrote:
 On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
 Hello,

 See the commit message for details.

 https://fedorahosted.org/freeipa/ticket/3594




 +def regenerate_ca_file(self, ca_file):
 +dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
 +keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
 +
 +os.write(dm_pwd_fd, self.dirman_password)
 +os.close(dm_pwd_fd)
 +
 +keydb_pwd = ''
 +with open('/etc/pki/pki-tomcat/password.conf') as f:
 +for line in f.readlines():
 +key, value = line.strip().split('=')
 +if key == 'internal':
 +keydb_pwd = value
 +break
 +
 +os.write(keydb_pwd_fd, keydb_pwd)
 +os.close(keydb_pwd_fd)
 +
 +ipautil.run([
 +'/usr/bin/PKCS12Export',
 +'-d', '/etc/pki/pki-tomcat/alias/',
 +'-p', keydb_pwd_fname,
 +'-w', dm_pwd_fname,
 +'-o', ca_file
 +])
 +

 If the PKCS12Export call fails (returns non-zero code), we raise
 exception here, and the temporary files are never removed.

 +os.remove(dm_pwd_fname)
 +os.remove(keydb_pwd_fname)

 This might not be a big issue since mkstemp() call creates temporary
 file readable and writable only by the given user ID,
 however, we should not leave files with passwords in plaintext on the
 disk if it is not necessary.

 This can be easily prevented by wrapping the call up with
 try-catch-finally block, or using the raiseonerr=False option of the run
 method.

 Or by using ipautil.write_tmp_file() – the file it creates is always
 removed after it's closed/garbage collected, and it has a name attribute.


Updated patch uses `ipautil.write_tmp_file()`.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From ed1d0e1bfec6f13dd92b24ca01f832e183695068 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Wed, 15 May 2013 11:22:41 +0200
Subject: [PATCH] Make sure replication works after DM password is changed

Replica information file contains the file `cacert.p12` which is protected by
the Directory Manager password of the initial IPA server installation. The DM
password of the initial installation is also used for the PKI admin user
password.

If the DM password is changed after the IPA server installation, the replication
fails.

To prevent this failure, add the following steps to ipa-replica-prepare:
1. Regenerate the `cacert.p12` file and protect it with the current DM password
2. Update the password of the PKI admin user with the current DM password

https://fedorahosted.org/freeipa/ticket/3594
---
 ipaserver/install/ipa_replica_prepare.py | 36 
 1 file changed, 36 insertions(+)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index b6b063332a4ea6b87cddd20a0d53de22d4a0a639..eecced1b70a93de802d13bb3a6a36ebb135dddf8 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -274,6 +274,11 @@ def copy_ds_certificate(self):
 self.copy_info_file(options.dirsrv_pkcs12, dscert.p12)
 else:
 if ipautil.file_exists(options.ca_file):
+# Since it is possible that the Directory Manager password
+# has changed since ipa-server-install, we need to regenerate
+# the CA PKCS#12 file and update the pki admin user password
+self.regenerate_ca_file(options.ca_file)
+self.update_pki_admin_password()
 self.copy_info_file(options.ca_file, cacert.p12)
 else:
 raise admintool.ScriptError(Root CA PKCS#12 not 
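Review bot: both new calls run on every invocation and the export writes straight to `options.ca_file`, so an `ipautil.run()` failure inside `regenerate_ca_file` leaves no usable `cacert.p12` behind rather than the previous one; write to a temporary file and move it over `options.ca_file` only after PKCS12Export succeeds, and consider skipping the re-export when the file already opens with the current Directory Manager password. The comment explains the motivation, but the ipa-replica-prepare man page should also state that the command now resets the PKI admin (`uid=admin,ou=people,o=ipaca`) password to the current Directory Manager password, since an operator who changed that password independently will have it overwritten.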
@@ -504,3 +509,34 @@ def export_ra_pkcs12(self):
 db.export_pkcs12(pkcs12_fname, agent_name, ipaCert)
 finally:
 os.remove(agent_name)
+
+def update_pki_admin_password(self):
+ldap = ldap2(shared_instance=False)
+ldap.connect(
+bind_dn=DN(('cn', 'directory manager')),
+bind_pw=self.dirman_password
+)
+dn = DN('uid=admin', 'ou=people', 'o=ipaca')
+ldap.modify_password(dn, self.dirman_password)
+ldap.disconnect()
+
+def regenerate_ca_file(self, ca_file):
+dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password)
+
+keydb_pwd = ''
+with open('/etc/pki/pki-tomcat/password.conf') as f:
+for line in f.readlines():
+key, value = line.strip().split('=')
+if key == 'internal':
+keydb_pwd = value
+break
+
+keydb_pwd_fd = ipautil.write_tmp_file(keydb_pwd)
+
+
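Review bot: `key, value = line.strip().split('=')` still raises ValueError on a blank or comment line in `/etc/pki/pki-tomcat/password.conf` and on any value containing '=', and when no `internal` entry is found `keydb_pwd` remains '' so an empty password is written to the temp file and the error surfaces only from PKCS12Export; split once with `split('=', 1)`, skip empty lines and raise `admintool.ScriptError` if the key is absent. Since `ipautil.write_tmp_file()` returns a file object (the variables are still named `*_fd`), the paths handed to PKCS12Export must be `dm_pwd_fd.name` and `keydb_pwd_fd.name`, and both objects must stay referenced until the command has finished, or the files are unlinked underneath it. In `update_pki_admin_password`, put `ldap.disconnect()` in a finally block so the Directory Manager bind is closed when `modify_password` raises.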