Commit Graph

189 Commits

Author SHA1 Message Date
Martin Kosek
6a0aabede5 Free NSS objects in --external-ca scenario
In external CA installation, ipa-server-install leaked NSS objects
which caused an installation crash later when a subsequent call of
NSSConnection tried to free them.

Properly freeing the NSS objects avoids this crash.

https://fedorahosted.org/freeipa/ticket/3773
2013-07-26 12:51:10 +02:00
Petr Viktorin
e38816bdaf Add tar and xz dependencies to the freeipa-tests package
The beakerLib plugin collects log files via compressed tarballs,
so these dependencies are needed
2013-07-25 12:32:36 +02:00
Petr Viktorin
00dfd9399b Add the ipa-test-task tool
This script makes common testing tasks such as IPA installation
and uninstallation available outside of Python.

https://fedorahosted.org/freeipa/ticket/3721
2013-07-25 12:32:35 +02:00
Tomas Babej
d094481ea6 Move requirement for keyutils to freeipa-python package
There was already a dependency in server package, however,
the correct place for such dependency is in freeipa-python,
since the relevant code using keyutils resides there.

Both freeipa-server and freeipa-client require freeipa-python.

https://fedorahosted.org/freeipa/ticket/3808
2013-07-24 17:17:56 +02:00
Martin Kosek
9c851019ae Bump minimum SSSD version
Pick up latest SSSD 1.11 Beta development
2013-07-24 13:37:45 +02:00
Nathaniel McCallum
6c0b7f3389 Use libunistring ulc_casecmp() on unicode strings
https://fedorahosted.org/freeipa/ticket/3772
2013-07-18 18:08:53 +02:00
Ana Krivokapic
f98054a31a Bump version of sssd in spec file
https://fedorahosted.org/freeipa/ticket/3652
2013-07-18 17:49:28 +02:00
Martin Kosek
1dcbb3adfa Require new selinux-policy replacing old server-selinux subpackage
Features of the new policy:
- labels /var/lib/ipa/pki-ca/publish as pki_tomcat_cert_t which is
  writeable by PKI and readable by HTTPD
- contains Conflicts with old freeipa-server-selinux package to avoid
  SELinux upgrade issues

https://fedorahosted.org/freeipa/ticket/3788
2013-07-17 16:21:14 +02:00
Tomas Babej
c81849712f Provide ipa-advise tool
Provides a pluggable framework for generating configuration
scriptlets and instructions for various machine setups and use
cases.

Creates a new ipa-advise command, available to root user
on the IPA server.

Also provides an example configuration plugin,
config-fedora-authconfig.

https://fedorahosted.org/freeipa/ticket/3670
2013-07-17 13:49:59 +02:00
Petr Vobornik
2a9be92855 Upstream Web UI tests
Documentation: http://www.freeipa.org/page/Web_UI_Integration_Tests

https://fedorahosted.org/freeipa/ticket/3744
2013-07-16 13:15:59 +02:00
Tomas Babej
7a105604e2 Change group ownership of CRL publish directory
Spec file modified so that /var/lib/ipa/pki-ca/publish/ is no
longer owned by created with package installation. The directory
is rather created/removed with the CA instance itself.

This ensures proper creation/removal, group ownership
and SELinux context.

https://fedorahosted.org/freeipa/ticket/3727
2013-07-16 12:17:40 +02:00
Petr Viktorin
353f3c62c3 Add a framework for integration testing
Add methods to run commands and copy files to Host objects.
Adds a base class for integration tests which can currently install
and uninstall IPA in a "star" topology with per-test specified number
of hosts.
A simple test for user replication between two masters is provided.
Log files from the remote hosts can be marked for collection, but the
actual collection is left to a Nose plugin.

Part of the work for: https://fedorahosted.org/freeipa/ticket/3621
2013-07-15 15:49:06 +02:00
Petr Viktorin
c577420e40 Add a framework for integration test configuration
Integration tests are configured via environment variables.
Add a framework for parsing these variables and storing them
in easy-to-use objects.

Add an `ipa-test-config` executable that loads the configuration
and prints out variables needed in shell scripts.

Part of the work for https://fedorahosted.org/freeipa/ticket/3621
2013-07-15 15:49:05 +02:00
Martin Kosek
57fd275d7a Run server upgrade and restart in posttrans
Running server upgrade or restart in %post or %postun may cause issues when
there are still parts of old FreeIPA software (like entitlements plugin).

https://fedorahosted.org/freeipa/ticket/3739
2013-07-11 18:05:03 +03:00
Tomas Babej
8c16188519 Add libsss_nss_idmap-devel to BuildRequires
2013-07-11 14:41:19 +03:00
Ana Krivokapic
c1e9b6fa1d Make sure replication works after DM password is changed
Replica information file contains the file `cacert.p12` which is protected by
the Directory Manager password of the initial IPA server installation. The DM
password of the initial installation is also used for the PKI admin user
password.

If the DM password is changed after the IPA server installation, the replication
fails.

To prevent this failure, add the following steps to ipa-replica-prepare:
1. Regenerate the `cacert.p12` file and protect it with the current DM password
2. Update the password of the PKI admin user with the current DM password

https://fedorahosted.org/freeipa/ticket/3594
2013-07-11 12:39:29 +03:00
Jan Cholasta
ea7db35b62 Enable SASL mapping fallback.
Assign a default priority of 10 to our SASL mappings.

https://fedorahosted.org/freeipa/ticket/3330
2013-06-27 17:06:51 +02:00
Martin Kosek
77ae4da706 Remove entitlement support
Entitlements code was not tested nor supported upstream since
version 3.0. Remove the associated code.

https://fedorahosted.org/freeipa/ticket/3739
2013-06-26 14:11:42 +02:00
Petr Viktorin
e87807d379 Add ipa-run-tests command
Part of the work for: https://fedorahosted.org/freeipa/ticket/3654
2013-06-17 19:22:58 +02:00
Petr Viktorin
c60142efda Make an ipa-tests package
Rename the 'tests' directory to 'ipa-tests', and create an ipa-tests RPM
containing the test suite

Part of the work for: https://fedorahosted.org/freeipa/ticket/3654
2013-06-17 19:22:50 +02:00
Martin Kosek
6d66e826c1 Drop redundant directory /var/cache/ipa/sessions
This directory is no longer used as session storage.
2013-06-17 17:35:37 +02:00
Martin Kosek
ad6abdb576 Drop SELinux subpackage
All SELinux policy needed by FreeIPA server is now part of the global
system SELinux policy, which makes the subpackage redundant and slows
down the installation. This patch drops it.

https://fedorahosted.org/freeipa/ticket/3683
https://fedorahosted.org/freeipa/ticket/3684
2013-06-17 17:35:37 +02:00
Nathaniel McCallum
203754691c Add the krb5/FreeIPA RADIUS companion daemon
This daemon listens for RADIUS packets on a well known
UNIX domain socket. When a packet is received, it queries
LDAP to see if the user is configured for RADIUS authentication.
If so, then the packet is forwarded to the 3rd party RADIUS server.
Otherwise, a bind is attempted against the LDAP server.

https://fedorahosted.org/freeipa/ticket/3366
http://freeipa.org/page/V3/OTP
2013-05-17 09:30:51 +02:00
Martin Kosek
58dd5b970e Fix SASL_NOCANON behavior for LDAPI
Add requires for openldap-2.4.35-4 to pick up fixed SASL_NOCANON
behavior for socket based connections (#960222).
2013-05-10 14:18:10 +02:00
Petr Viktorin
8f6e6514c4 Only require libsss_nss_idmap-python in Fedora 19+
The package is only available in Fedora 19.
This means SID resolution in the UI won't work in Fedora 18.
2013-05-07 13:18:48 +02:00
Alexander Bokovoy
03cdc22c94 Resolve SIDs in Web UI
Introduce new command, 'trust-resolve', to aid resolving SIDs to names
in the Web UI.

The command uses new SSSD interface, nss_idmap, to resolve actual SIDs.
SSSD caches resolved data so that future requests to resolve same SIDs
are returned from a memory cache.

Web UI code is using Dojo/Deferred to deliver result of SID resolution
out of band. Once resolved names are available, they replace SID values.

Since Web UI only shows ~20 records per page, up to 20 SIDs are resolved
at the same time. They are all sent within a single request to the server.

https://fedorahosted.org/freeipa/ticket/3302
2013-05-06 20:44:00 +02:00
Petr Vobornik
c72d0f5075 Generate plugin index dynamically
https://fedorahosted.org/freeipa/ticket/3235
2013-05-06 16:22:30 +02:00
Petr Vobornik
74b6099fb0 Web UI plugin loader
https://fedorahosted.org/freeipa/ticket/3235
2013-05-06 16:22:20 +02:00
Rob Crittenden
6e2c3a45a1 Handle a 501 in cert-find from dogtag as a "not supported"
Upgrading from d9 -> d10 does not set up the RESTful interface
in dogtag, they just never coded it. Rather than trying to backport
things they have decided to not support upgrades.

We need to catch this and report a more reasonable error. They are
returning a 501 (HTTP method unimplemented) in this case.

https://fedorahosted.org/freeipa/ticket/3549
2013-05-03 16:05:49 -04:00
Rob Crittenden
bfdcc7c62d Drop uniqueMember mapping with nss-pam-ldapd.
nss-pam-ldapd in 0.8.4 changed the default to map uniqueMember to
member so it is no longer needed in the config file, and in fact
causes an error to be raised.

Add a Conflicts on older versions.

https://fedorahosted.org/freeipa/ticket/3589
2013-05-02 10:43:10 -04:00
Jan Cholasta
ddd8988f1c Add support for OpenSSH 6.2.
Run sss_ssh_authorizedkeyscommand as nobody. Automatically update sshd_config
on openssh-server update.

https://fedorahosted.org/freeipa/ticket/3571
2013-04-30 11:05:39 -04:00
Rob Crittenden
732d1042a3 Require version of NSS that properly parses base64-encoded certs
There were cases where a base64-encoded cert with no header/footer would
not be handled properly and rejected. This was causing the CA install
to fail.

https://fedorahosted.org/freeipa/ticket/3586
2013-04-29 09:49:37 -04:00
Ana Krivokapic
cc3c543265 Fix the spec file
Correct ownership for /etc/ipa and remove unnecessary %config directive.

https://fedorahosted.org/freeipa/ticket/3551
2013-04-22 11:46:59 +02:00
Ana Krivokapic
2a8f1b0b16 Handle missing /etc/ipa in ipa-client-install
Make sure /etc/ipa is created and owned by freeipa-python package.

Report correct error to user if /etc/ipa is missing during client installation.

https://fedorahosted.org/freeipa/ticket/3551
2013-04-19 10:57:07 -04:00
Martin Kosek
cbd00072fd Require new samba and krb5
Require samba 4.0.5 (passdb API changed). Make sure that we use the
right epoch number with samba so that the Requires is correctly
enforced.

Require krb5 1.11.2-1 to fix missing PAC issue.

Also fix backup dir permissions.
2013-04-16 11:05:19 -04:00
Rob Crittenden
c8694cb19f Full system backup and restore
This will allow one to backup and restore the IPA files and data. This
does not cover individual entry restoration.

http://freeipa.org/page/V3/Backup_and_Restore

https://fedorahosted.org/freeipa/ticket/3128
2013-04-12 09:59:17 -04:00
Alexander Bokovoy
4dcc947687 spec: detect Kerberos DAL driver ABI change from installed krb5-devel
Find out Kerberos middle version to infer ABI changes in DAL driver.

We cannot load DAL driver into KDC with wrong ABI. This is also needed to
support ipa-devel repository where krb5 1.11 is available for Fedora 18.
2013-04-04 13:31:27 -04:00
Martin Kosek
f1e2465520 Require 389-ds-base 1.3.0.5
Pulls the following fixes:
- upgrade deadlock caused by DNA plugin reconfiguration
- CVE-2013-1897: unintended information exposure when rootdse is
  enabled

https://fedorahosted.org/freeipa/ticket/3540
2013-04-02 17:00:17 +02:00
Martin Kosek
d8f75e9e0c Remove syslog.target from ipa.server
This required target is no longer needed, as systemd from version 38
has its own journal, which is also in the basic set of service unit
requirements.

https://fedorahosted.org/freeipa/ticket/3511
2013-03-29 08:59:41 +01:00
Martin Kosek
13b1028ac8 Remove build warnings
Fix rpm build warnings reported in Fedora 19 build.

https://fedorahosted.org/freeipa/ticket/3500
2013-03-29 08:59:36 +01:00
Martin Kosek
e13a437031 Clean spec file for Fedora 19
This patch includes several cleanups needed for Fedora 19 build:
* ipa-kdb is compatible with both krb5 1.10 and 1.11 which contains
  an updated DAL interface. Remove the conflict from spec file.
* Fix ipa-ldap-updater call to produce errors only to avoid
  cluttering rpm update output
* Remove httpd_conf constant which was not used

https://fedorahosted.org/freeipa/ticket/3502
2013-03-29 08:59:32 +01:00
Martin Kosek
a8a77bfb68 Bump selinux-policy requires
The higher version is reported to fix a Fedora 17 to 18 upgrade issue.

https://fedorahosted.org/freeipa/ticket/3399
2013-03-26 15:26:15 +01:00
Petr Spacek
952a7ac9f5 Add 389 DS plugin for special idnsSOASerial attribute handling
Default value "1" is added to replicated idnsZone objects
if idnsSOASerial attribute is missing.

https://fedorahosted.org/freeipa/ticket/3347

Signed-off-by: Petr Spacek <pspacek@redhat.com>
2013-03-22 14:31:22 +01:00
Petr Viktorin
55cfd06e3a Better logging for AdminTool and ipa-ldap-updater
- Automatically add a "Logging and output options" group with the --quiet,
    --verbose, --log-file options.
- Set up logging based on these options; details are in the setup_logging
    docstring and in the design document.
- Don't bind log methods as individual methods of the class. This means one
    less linter exception.
- Make the help for command line options consistent with optparse's --help and
    --version options.

Design document: http://freeipa.org/page/V3/Logging_and_output
2013-02-01 13:44:55 -05:00
Rob Crittenden
045b6e6ed9 Use new certmonger locking to prevent NSS database corruption.
dogtag opens its NSS database in read/write mode so we need to be very
careful during renewal that we don't also open it up read/write. We
basically need to serialize access to the database. certmonger does the
majority of this work via internal locking from the point where it generates
a new key/submits a renewal through the pre_save and releases the lock after
the post_save command. This lock is held per NSS database so we're safe
from certmonger. dogtag needs to be shutdown in the pre_save state so
certmonger can safely add the certificate and we can manipulate trust
in the post_save command.

Fix a number of bugs in renewal. The CA wasn't actually being restarted
at all due to a naming change upstream. In python we need to reference
services using python-ish names but the service is pki-cad. We need a
translation for non-Fedora systems as well.

Update the CA ou=People entry when the CA subsystem certificate is
renewed. This certificate is used as an identity certificate to bind
to the DS instance.

https://fedorahosted.org/freeipa/ticket/3292
https://fedorahosted.org/freeipa/ticket/3322
2013-01-29 11:16:38 -05:00
Rob Crittenden
41d11f443b Make certmonger a (pre) requires on server, restart it before upgrading
certmonger may provide new CAs, as in the case from upgrading IPA 2.2
to 3.x. We need these new CAs available during the upgrade process.

The certmonger package does its own condrestart as part of %postun
which runs after the %post script of freeipa-server, so we need to
restart it ourselves before upgrading.

https://fedorahosted.org/freeipa/ticket/3378
2013-01-25 10:08:37 +01:00
Petr Vobornik
69c2f077df Fix BuildRequires: rhino replaced with java-1.7.0-openjdk
Rhino is needed for Web UI build. Rhino needs java, but from package perspective
java-1.7.0-openjdk requires rhino. So the correct BuildRequires is
java-1.7.0-openjdk.
2013-01-22 17:05:29 +01:00
Petr Vobornik
c71937fc0c Updated makefiles to build FreeIPA Web UI layer
Updated makefiles to comply with the new directory structure and also to use
the builder for building Web UI.

FreeIPA package spec is modified to use the output of the builder.

https://fedorahosted.org/freeipa/ticket/112
2013-01-18 15:10:37 +01:00
Timo Aaltonen
ed84963927 Convert the base platform modules into packages
2013-01-14 14:39:54 +01:00
Endi Sukma Dewata
dae4ea4c7e Configuring CA with ConfigParser.
The configuration code has been modified to use the ConfigParser to
set the parameters in the CA section in the deployment configuration.
This allows IPA to define additional PKI subsystems in the same
configuration file.

PKI Ticket #399 (https://fedorahosted.org/pki/ticket/399)
2012-12-10 10:27:54 -05:00