The nsds5ReplicaReleaseTimeout setting prevents the monopolization of
replicas during initial or busy master-master replication. 389-DS
documentation suggets a timeout of 60 seconds to improve convergence of
replicas.
See: http://directory.fedoraproject.org/docs/389ds/design/repl-conv-design.html
Fixes: https://pagure.io/freeipa/issue/7488
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
In replica DL1 installation, the --ip-address option was not passed
down to the ipa-client-install script (when not promoting client).
This resulted in creating DNS records for all of the host's interface
IP adresses instead of just those specified.
This patch passes all the --ip-address options down to the client
installation script.
https://pagure.io/freeipa/issue/7405
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Without ldap_uri, IPAKEMKeys parses /etc/ipa/default.conf. During
uninstallation, the file may no longer contain ldap_uri. This workaround
is required for test case
test_replica_promotion.py::TestReplicaPromotionLevel0::test_promotion_disabled
Fixes: https://pagure.io/freeipa/issue/7474
Co-authored-by: Felipe Barreto <fbarreto@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
When there was no ntp-server option specified configuration
of chrony was skipped even in case that there was ntp-pool
option passed to the installation of client/server.
Moved duplicates of prints from client to server.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
FreeIPA will always force chrony service and disable any
other conflicting time synchronization daemon.
Add --ntp-server option to server manpage and note to NTP pool option.
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Remove NTP server role from config.py.
Remove uneccesary variables and replaced untrack_file with restore_file.
Update typo in manpages and messages printed while installing.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Removing ntpd configuration files and entry from LDAP.
Add parameter and rename method for restoring forced time
services. Addressing some requests for change too.
Remove unused path for chrony-helper.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This will change behaviour that FreeIPA server will be no more
ntpd server and time service is no longer part of FreeIPA topology.
As dependency for ntpd was completely removed, and there is only
dependency for chrony, FreeIPA will configure every host to
became chronyd service's clients.
FreeIPA have not supported --ntp-server option now it must to
support client configuration of chrony.
Configuration of chrony is moved to client-install therefore
NTP related options are now passed to the ipa-client-install
script method sync_time which now handles configuration of chrony.
Server installation has to configure chrony before handling
certificates so there is call to configure chrony outside of
using server's statestore and filestore.
Removed behavior that there is always --no-ntp option set.
Resolves: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Completely remove ipaserver/install/ntpinstance.py
This is no longer needed as chrony client configuration
is now handled in ipa-client-install.
Part of ipclient/install/client.py related to ntp configuration
has been refactored a bit to not lookup for srv records
and/or run chrony if not necessary.
Addresses: https://pagure.io/freeipa/issue/7024
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Commit aee0d2180c adds an upgrade step
that adds system crypto policy include to named.conf. This step
omitted the named.conf existence check; upgrade fails when it does
not exist. Add the existence check.
Also update the test to add the IPA-related part of the named.conf
config, because the "existence check" actually does more than just
check that the file exists - it also check that it contains the IPA
bind-dyndb-ldap configuration section.
Part of: https://pagure.io/freeipa/issue/4853
Reviewed-By: Christian Heimes <cheimes@redhat.com>
For redundancy and security against catastrophic failure of a CA
master, there must be more than one CA master in a topology.
Replica installation is a good time to warn about this situation.
Print a warning at the end of ipa-replica-install, if there is only
one CA replica in the topology.
Fixes: https://pagure.io/freeipa/issue/7459
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Use temporary empty DIR-based ccache collection to prevent upgrade
failures in case KCM: or KEYRING: ccache type is used by default in
krb5.conf and is not available. We don't need any user credentials
during upgrade procedure but kadmin.local would attempt to resolve
default ccache and if that's not available, kadmin.local will fail.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1558818
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
With e6c707b168 we changed httpd
configuration to use abstracted out variables in the template.
However, during upgrade we haven't resolved these variables so an
upgrade from pre-e6c707b168067ebb3705c21efc377acd29b23fff install will
fail.
Add all missing variables to the upgrade code.
Fixes https://pagure.io/freeipa/issue/7454
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
During ipa-replica-install, http installation first creates a service
principal for http/hostname (locally on the soon-to-be-replica), then
waits for this entry to be replicated on the master picked for the
install.
In a later step, the installer requests a certificate for HTTPd. The local
certmonger first tries the master defined in xmlrpc_uri (which is
pointing to the soon-to-be-replica), but fails because the service is not
up yet. Then certmonger tries to find a master by using the DNS and looking
for a ldap service. This step can pick a different master, where the
principal entry has not always be replicated yet.
As the certificate request adds the principal if it does not exist, we can
end by re-creating the principal and have a replication conflict.
The replication conflict later causes kerberos issues, preventing
from installing a new replica.
The proposed fix forces xmlrpc_uri to point to the same master as the one
picked for the installation, in order to make sure that the master already
contains the principal entry.
https://pagure.io/freeipa/issue/7041
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Installer now prints runtime of each step / part to install log.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The fix_trust_flags upgrade procedure pertains to the old Apache
mod_nss setup. With the move to mod_ssl, it now raises an
exception, so remove it.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The existing private/public keys are migrated to PEM files
via a PKCS#12 temporary file. This should work for both
IPA-generated and user-provided server certificates.
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Change some built-in assumptions that Apache has an NSS certificate
database.
Configure mod_ssl instead of mod_nss. This is mostly just changing
the directives used with some slight syntactical differences.
Drop mod_nss-specific methods and functions.
There is some mention of upgrades here but this is mostly a
side-effect of removing things necessary for the initial install.
TODO:
- backup and restore
- use user-provided PKCS#12 file for the certificate and key
Related: https://pagure.io/freeipa/issue/3757
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Mocked tests require the mock package for Python 2.7. Python 3 has
unittest.mock in the standard library.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Instead of a package conflict, freeIPA now uses an Apache config file to
enforce the correct wsgi module. The workaround only applies to Fedora
since it is the only platform that permits parallel installation of
Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
Debian doesn't permit installation of both variants.
See: https://pagure.io/freeipa/issue/7161
Fixes: https://pagure.io/freeipa/issue/7394
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Use is_installed() instead of is_configured() because
is_installed() does a config file check to see if the service
is in use.
https://pagure.io/freeipa/issue/7389
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Integration test is failing due to wrong message being
displayed by ipa. This issue was most probably introduced
by PR:
f51869bf52
Error messages for domain level 0 and >=1 cases were basically
swapped. This PR is swapping them back.
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Enabling ephemeral KRA requests will reduce the amount of LDAP
write operations and improve overall performance.
Re-order some imports and shorten some lines to make pep8 happy.
Fixes: https://pagure.io/freeipa/issue/6703
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
During a distro upgrade, e.g. F-26 to F-27, networking may not
be available which will cause the upgrade to fail. Despite this
the IPA service can be subsequently restarted running new code
with old data.
This patch relies on the existing version-check cdoe to determine
when/if an upgrade is required and will do so during an ipactl
start or restart.
The upgrade is now run implicitly in the spec file and will
cause the server to be stopped after the package is installed
if the upgrade fails.
Fixes: https://pagure.io/freeipa/issue/6968
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Currently we do not report what Subject DN or subject base will be
used for the CA installation. This leads to situations where the
administrator wants a different Subject DN later. Display these
data as part of the "summary" prior to the final go/no-go prompt in
ipa-server-install and ipa-ca-install.
The go/no-go prompt in ipa-ca-install is new. It is suppressed for
unattended installations.
Fixes: https://pagure.io/freeipa/issue/7246
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When ipa-replica-install is called in a CA-less environment, the certs,
keys and pins need to be provided with --{http|dirsrv|pkinit}-cert-file and
--{http|dirsrv|pkinit}-pin. If the pin is not provided in the CLI options,
and in interactive mode, the installer prompts for the PIN.
The issue happens when the keys are not protected by any PIN, the installer
does not accept an empty string and keeps on asking for a PIN.
The fix makes sure that the installer accepts an empty PIN. A similar fix
was done for ipa-server-install in
https://pagure.io/freeipa/c/4ee426a68ec60370eee6f5aec917ecce444840c7
Fixes:
https://pagure.io/freeipa/issue/7274
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Adds validation to prevent user to install ipa with single label
domain.
https://pagure.io/freeipa/issue/7207
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.
The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
If LDAP or HTTP Server Cert are not issued by ipa ca, they are not tracked.
In this case, it is not necessary to add them to the tracking requests list.
https://pagure.io/freeipa/issue/7151
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa-server-upgrade needs to configure certmonger with the right options
in order to track PKI, HTTP and LDAP certs (for instance the RA agent cert
location has changed from older releases).
The upgrade code looks for existing tracking requests with the expected
options by using criteria (location of the NSSDB, nickname, CA helper...)
If a tracking request is not found, it means that it is either using wrong
options or not configured. In this case, the upgrade stop tracking
all the certs, reconfigures the helpers, starts tracking the certs so that
the config is up-to-date.
The issue is that the criteria is using the keyword 'ca' instead of
'ca-name' and this leads to upgrade believing that the config needs to be
updated in all the cases.
https://pagure.io/freeipa/issue/7151
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Allow the MS/AD-CS target certificate template to be specified by
name or OID, via the new option --external-ca-profile.
Part of: https://pagure.io/freeipa/issue/6858
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
In cases when IPA is installed in two steps (external CA), it's
necessary to check (in the second step) if Dir. Server is
running before continue with the installation. If it's not,
start Directory Server.
https://pagure.io/freeipa/issue/6611
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
- Add check for IPv6 stack to upgrade process
- Change IPv6 checker to also check that localhost resolves to ::1
Part of fixes https://pagure.io/freeipa/issue/7083
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
ipa-server-upgrade fails with Server-Cert not found, when trying to
track httpd/ldap server certificates. There are 2 issues in the upgrade:
- the certificates should be tracked only if they were issued by IPA CA
(it is possible to have CA configured but 3rd part certs)
- the certificate nickname can be different from Server-Cert
The fix provides methods to find the server crt nickname for http and ldap,
and a method to check if the server certs are issued by IPA and need to be
tracked by certmonger.
https://pagure.io/freeipa/issue/7141
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
When promoting a client to a replica we have to change sssd.conf,
deleting _srv_ part from 'ipa_server' property and setting
'ipa_server_mode' to true.
Previously, the wrong domain could be updated since the ipa_domain
variable was not being used properly.
https://pagure.io/freeipa/issue/7127
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Since ipaapi user is now created during RPM install and not in runtime,
we may switch back to shipping tmpfiles.d configuration directly in RPMs
and not create it in runtime, which is a preferred way to handle drop-in
configuration anyway.
This also means that the drop-in config will be shipped in /usr/lib
instead of /etc according to Fedora packaging guidelines.
This partially reverts commit 38c66896de.
https://pagure.io/freeipa/issue/7053
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Python 3 does not allow comparing SetuptoolsVersion and str
instances.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
/etc/krb5.conf.d exists.
Do not rely on /etc/krb5.conf.d to enable the certauth plugin.
This fixes install on platforms which do not have /etc/krb5.conf.d.
https://pagure.io/freeipa/issue/6589
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
We cannot reliably determine when an IP Address is network or broadcast.
We allowed to use non-local IP addresses due container use cases, we
don't know subnets of used IP addresses.
https://pagure.io/freeipa/issue/4317
Reviewed-By: David Kupka <dkupka@redhat.com>
