The upgrade script set the "psearch" directive in some circumstances,
but did not remember that it was set, so later, when setting
minimum_connections, it assumed psearch is not set.
Also, the script did not set minimum_connections if the directive wasn't
already there. It should be set in that case.
Related to https://fedorahosted.org/freeipa/ticket/2554
When setting up agreements we need to be careful in not allowing to
'reconnect' a master that was previously completely deleted as it would
misses entries that are vital for proper functioning. This change in code
fixes 2 problems with the current approach.
1) it removes false positives when we are tryig to reconnect a replica that
was previosuly merely disconnected but was still part of the domain and just
replicating via a different topology and not a direct link
2) adds checks for entries that are deleted when an actual removal is
performed. so that we cannot 'reconnect' previously unrelated replicas when
one of the 2 has been permanently deleted from the masters tree.
Second part of ticket https://fedorahosted.org/freeipa/ticket/2925
This is just a typo, we were checking one side twice and never the other
side. So depending on which side you run the command you'd be able or not
to remove the replication agreement even if it was the last one.
First part of ticket: https://fedorahosted.org/freeipa/ticket/2925
ipa-ldap-updater does a lot of essential LDAP changes and if it
fails, user may be surprised after the upgrade why things does not
work.
Modify ipa-ldap-updater to print ERROR logging messages by default
and modify RPM upgrade scriptlet to show these errors to user. Console
error messages are now formated in a more user-friendly way.
Information message stating that IPA is not configured and i.e. there
is nothing to be updated is not printer to stderr so that it does
not pop up for every freeipa-server package update when IPA is not
configured.
https://fedorahosted.org/freeipa/ticket/2892
SOA serial autoincrement is a requirement for major DNS features,
e.g. zone transfers or DNSSEC. Enable it by default in named.conf
both for new and upgraded installations. Name of the bind-dyndb-ldap
option is "serial_autoincrement".
From now on, idnsSOAserial attribute also has to be put to
replication agreement exclude list as serial will be incremented
on each DNS server separately and won't be shared. Exclude list
has to be updated both for new replication agreements and the
current ones.
Minimum number of connections for bind-dyndb-ldap has been rised
to 4 connections, the setting will be updated during package upgrade.
https://fedorahosted.org/freeipa/ticket/2554
Many functions use low-level socket interface for connection or
various checks. However, most of the time we don't respect
automatic address family detection but rather try to force our
values. This may cause either redundat connection tries when an
address family is disabled on system tries or even crashes
when socket exceptions are not properly caught.
Instead of forcing address families to socket, rather use
getaddrinfo interface to automatically retrieve a list of all
relevant address families and other connection settings when
connecting to remote/local machine or binding to a local port.
Now, we will also fill correctly all connection parameters like
flowinfo and scopeid for IPv6 connections which will for example
prevent issues with scoped IPv6 addresses.
bind_port_responder function was changed to at first try to bind
to IPv6 wildcard address before IPv4 as IPv6 socket is able to
accept both IPv4 and IPv6 connections (unlike IPv4 socket).
nsslib connection was refactored to use nss.io.AddrInfo class to
get all the available connections. Socket is now not created by
default in NSSConnection class initializer, but rather when the
actual connection is being made, becase we do not an address family
where connection is successful.
https://fedorahosted.org/freeipa/ticket/2913https://fedorahosted.org/freeipa/ticket/2695
All service start/restart currently go through ipapython/platform so
move the "wait for service to start" code there as well.
A dictionary of known services and ports to wait on is defined in base.py
This is referenced by the platforms by instance name to determine what
to wait for. For the case of dirsrv if we get that as a plain name
(no specific instance) it is assumed to be the main IPA service.
https://fedorahosted.org/freeipa/ticket/2375https://fedorahosted.org/freeipa/ticket/2610
We need a Requires on openssl, the mod_rewrite syntax has changed so
we can dump some unused configuration and we need a newer version of
mod_auth_kerb to pick up the new location of delegated ccache.
https://fedorahosted.org/freeipa/ticket/2839
Log to the same file as ipa-ldap-updater --upgrade,
/var/log/ipaupgrade.log
Will output basic stauts information if executed from the command-line.
https://fedorahosted.org/freeipa/ticket/2696
From IPA 3.0, persistent search is a preferred mechanism for new DNS
zone detection and is also needed for other features (DNSSEC, SOA
serial updates).
Enable psearch and make sure connections attribute is right. This
step is done just once for a case when user switched the persistent
search back to disabled on purpose.
ipa-upgradeconfig was updated to accept --debug option in case
somebody would want to see debug messages.
From IPA version 3.0, the persistent search is a preferred mechanism
to for DNS zone list management. It will be also a requirement for
several bind-dyndb-ldap features, like SOA serial automatic updates
or DNSSEC.
Make this mechanism default in ipa-server-install and ipa-dns-istall.
https://fedorahosted.org/freeipa/ticket/2524
When IPA package is being updated, some of the configuration files
are also updated. Sometimes it may be useful to store upgrade meta
information for next package upgrades. For example an information
that some config file was already updated and we don't want to
update it again if user purposedly reverted the change.
This patch adds a new StateFile in /var/lib/ipa/sysupgrade which
is capable of holding this information. New sysupgrade.py module
was created to provide simple API to access the upgrade state
information.
Several plugins need restarting the DS (or they currently do
an external bind).
Rather than disabling plugins (possibly partially), refuse
to run them when run as an unprivileged user.
This means running ipa-ldap-updater as non-root requires specifying
a list of files, and omiting the --upgrade and --plugins options.
https://fedorahosted.org/freeipa/ticket/2621
resolve_host() function returns a list of IP addresses. Handle it all rather
than expecting that there is a single address.
It wouldn't hurt to make a common function that takes --ip-address into account
when resolving host addresses and use it everywhere.
All of our install/admin scripts had a try/except block calling the
main function and handling common exceptions. These were copy-pasted
from each other and modified to various levels of sophistication.
This refactors them out of installers to a single function, which
includes a final pass/fail message for all of the scripts.
Non-install scripts that set up the same log handler levels for
stderr and log file are not changed, as it's not possible to log
to only the logfile without changing the logger configuration.
https://fedorahosted.org/freeipa/ticket/2071
We don't have a specific requires on the policycoreutils package. It
gets pulled in as a dependency on the server anyway, but checking
there is like a belt and suspenders.
On the client we don't require SELinux at all. If SELinux is enabled
however we need to set things up properly. This is provided by the
policycoreutils package so fail if that isn't available.
https://fedorahosted.org/freeipa/ticket/2368
IPA client and server tool set used authconfig acutil module to
for client DNS operations. This is not optimal DNS interface for
several reasons:
- does not provide native Python object oriented interface
but but rather C-like interface based on functions and
structures which is not easy to use and extend
- acutil is not meant to be used by third parties besides
authconfig and thus can break without notice
Replace the acutil with python-dns package which has a feature rich
interface for dealing with all different aspects of DNS including
DNSSEC. The main target of this patch is to replace all uses of
acutil DNS library with a use python-dns. In most cases, even
though the larger parts of the code are changed, the actual
functionality is changed only in the following cases:
- redundant DNS checks were removed from verify_fqdn function
in installutils to make the whole DNS check simpler and
less error-prone. Logging was improves for the remaining
checks
- improved logging for ipa-client-install DNS discovery
https://fedorahosted.org/freeipa/ticket/2730https://fedorahosted.org/freeipa/ticket/1837
We were inferring that an agreement existed if the host was present
as an IPA host. This was not enough if the replica installation failed
early enough.
https://fedorahosted.org/freeipa/ticket/2030
IPA has some unused code from abandoned features (Radius, ipa 1.x user
input, commant-line tab completion), as well as some duplicate utilities.
This patch cleans up the utility modules.
Duplicate code consolidated into ipapython.ipautil:
{ipalib.util,ipaserver.ipautil,ipapython.ipautil}.realm_to_suffix
{ipaserver,ipapython}.ipautil.CIDict
(with style improvements from the ipaserver version)
{ipapython.entity,ipaserver.ipautil}.utf8_encode_value
{ipapython.entity,ipaserver.ipautil}.utf8_encode_values
ipalib.util.get_fqdn was removed in favor of the same function in
ipaserver.install.installutils
Removed unused code:
ipalib.util:
load_plugins_in_dir
import_plugins_subpackage
make_repr (was imported but unused; also removed from tests)
ipapython.ipautil:
format_list
parse_key_value_pairs
read_pairs_file
read_items_file
user_input_plain
AttributeValueCompleter
ItemCompleter
ipaserver.ipautil:
get_gsserror (a different version exists in ipapython.ipautil)
ipaserver.ipautil ended up empty and is removed entirely.
https://fedorahosted.org/freeipa/ticket/2650
SELinux configuration for httpd instance was set for new
installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x
upgrade) missed the configuration. This lead to AVCs when httpd
tries to contact ipa_memcached and user not being able to log in.
This patch updates ipa-upgradeconfig to configure SELinux
in the same way as ipa-server-install does.
https://fedorahosted.org/freeipa/ticket/2603
UDP port checks in ipa-replica-conncheck are too strict. The entire
conncheck fails when UDP ports cannot be verified as open. However,
UDP protocol is unrealiable by its nature and the port can also not
be checked if there is an application already bound to it. This can
happen for example when ipa-replica-conncheck is run as a part of
ipa-ca-install and the replica services are thus already running.
This patch changes the behavior of UDP port checks. The conncheck
script now rather reports a warning that UDP port cannot be verified
but does not fail the entire test.
https://fedorahosted.org/freeipa/ticket/2514
Global DNS configuration is a nice tool to maintain a common DNS
settings stored in LDAP which are then used for all enrolled IPA
servers. However, the settings stored in LDAP override local
settings in named.conf on DNS servers.
This patch adds more information about global DNS configuration
options in install scripts and DNS module help.
https://fedorahosted.org/freeipa/ticket/2525
This will add it on upgrades too and any new certs issued will have
a subject key identifier set.
If the user has customized the profile themselves then this won't be
applied.
https://fedorahosted.org/freeipa/ticket/2446
Server framework calls acutil.res_send() to send DNS queries used
for various DNS tests. However, once acutil is imported it does
not change its list of configured resolvers even when
/etc/resolv.conf is changed. This may lead to unexpected
resolution issues.
We should at least reload httpd when we change /etc/resolv.conf to
point to FreeIPA nameserver to force a new import of acutil and
thus workaround this bug until it is resolved in authconfig.
https://fedorahosted.org/freeipa/ticket/2481
We don't want to run the risk of adding a user, uninstalling it,
the system adding a new user (for another package install for example)
and then re-installing IPA. This wreaks havoc with file and directory
ownership.
https://fedorahosted.org/freeipa/ticket/2423
Using ipa-replica-manage del <replica> is irreversible. You can't
turn around and do a connect to it, all heck will break loose. This is
because we clean up all references to the replica when we delete so if
we connect to it again we'll end up deleting all of its principals.
When a connection is deleted then the agreement is removed on both sides.
What isn't removed is the nsDS5ReplicaBindDN so we can use that to
determine if we previously had a connection.
https://fedorahosted.org/freeipa/ticket/2126
memberof is not in the EXCLUDE list of nsDS5ReplicatedAttributeListTotal
so we have no need of running the task, memberof will come with the
data.
If that attribute doesn't exist then this agreement was created with
an older version of 389-ds, we DO need to initialize memberOf.
https://fedorahosted.org/freeipa/ticket/2199
UDP port checks in ipa-replica-conncheck always returns OK even
if they are closed by a firewall. They cannot be reliably checked
in the same way as TCP ports as there is no session management as
in TCP protocol. We cannot guarantee a response on the checked
side without our own echo server bound to checked port.
This patch removes UDP port checks in replica->master direction
as we would have to implement (kerberos) protocol-wise check
to make the other side actually respond. A list of skipped
ports is printed for user.
Direction master->replica was fixed and now it is able to report
error when the port is blocked.
https://fedorahosted.org/freeipa/ticket/2062
We currently only support a single winsync agreement so all we need
to do is check to see if we have one with the remote host.
This also adds some minor exception handling cleanup.
https://fedorahosted.org/freeipa/ticket/2130
force-sync, re-initialize and del were not working because they
all attempted to contact the AD server. winsync agreements are
managed on the local 389-ds instance.
This also:
- requires root to create winsync agreement (for updating NSS db)
- fixes filter in get_replication_agreement() to work with winsync
https://fedorahosted.org/freeipa/ticket/2128
Admin e-mail validator currently requires an email to be in
a second-level domain (hostmaster@example.com). This is too
restrictive. Top level domain e-mails (hostmaster@testrelm)
should also be allowed.
This patch also fixes default zonemgr value in help texts and man
pages.
https://fedorahosted.org/freeipa/ticket/2272
Add support for autobind to services. This is a bit of a special case
so I currently require the caller to specify ldapi separately. It only
makes sense to do this only in upgrade cases.
Also uninstall ipa_memcached when uninstalling the server.
https://fedorahosted.org/freeipa/ticket/2399
The ipa_kpasswd service was deprecated in 2.2, replaced by kadmin. On
upgrade it will be left running by the previous installation, we need
to stop it and uninstall the service.
The dbmodules section needs to reflect that we're now using the new
IPA kdb backend instead of the standard MIT ldap backend.
https://fedorahosted.org/freeipa/ticket/2341
For ssh, VerifyHostKeyDNS option is set to 'yes' if --ssh-trust-dns
ipa-client-install option is used.
For sshd, KerberosAuthentication, GSSAPIAuthentication and UsePAM
options are enabled (this can be disabled using --no-sshd
ipa-client-install option).
ticket 1634
