[freeipa PR#1011][opened] py3: dnssec
by tomaskrizek
URL: https://github.com/freeipa/freeipa/pull/1011
Author: tomaskrizek
Title: #1011: py3: dnssec
Action: opened
PR body:
"""
This PR is a partial fix that should allow DNSSEC installation for master. Keys will not be distributed to replicas. With my limited DNSSEC/IPA knowledge, I wasn't able to verify the data stored in LDAP are actually correct. In case they are not, this would prevent installation of DNSSEC replicas in the future.
Our DNSSEC tests are not passing, thus we can't use them to verify this PR. Given these circumstances, I propose to officially discourage DNSSEC installation in 4.6.0.
This PR supersedes #898. For review, it is highly recommended to rebase on #999.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1011/head:pr1011
git checkout pr1011
[freeipa PR#1343][opened] Don't use admin cert during KRA installation
by frasertweedale
URL: https://github.com/freeipa/freeipa/pull/1343
Author: frasertweedale
Title: #1343: Don't use admin cert during KRA installation
Action: opened
PR body:
"""
KRA installation currently imports the admin cert. FreeIPA does not
track this cert and it may be expired, causing installation to fail.
Do not import the existing admin cert, and discard the new admin
cert that gets created during KRA installation.
Part of: https://pagure.io/freeipa/issue/7287
-----
How to test:
**NOTE** this also requires fix https://github.com/freeipa/freeipa/pull/1334
1. Install ipa master
2. get expiration date from /root/ca-agent.p12:
```
# extract the certificate (and key, unencrypted) from the PKCS#12 bundle
openssl pkcs12 -in ca-agent.p12 -out ca-agent.pem -nodes
# print the notAfter date of the extracted certificate
openssl x509 -in ca-agent.pem -noout -enddate
```
3. Move date forward to 20 days before ca-agent.p12 expires
4. Wait for certs to be renewed (watch with ``getcert list``).
You could ``systemctl restart certmonger`` to hurry it along a bit.
5. After resetting the system time and certificates have been renewed, execute
``pki-server subsystem-cert-update ca sslserver``. You will need to give it the
``internal`` password from ``/etc/pki/pki-tomcat/password.conf``.
This is needed because of a missing parameter in Dogtag CA's ``CS.cfg``.
It will be dealt with as a separate issue (possibly to fix in Dogtag itself).
6. Move system time to AFTER ca-agent.p12 `notAfter` date.
7. ``ipactl restart``
8. ``ipa-kra-install``
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1343/head:pr1343
git checkout pr1343
Announcing FreeIPA 4.6.2
by Tibor Dudlák
The FreeIPA team would like to announce FreeIPA 4.6.2 release!
It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for
Fedora 26 and 27 will be available in the official
[https://copr.fedorainfracloud.org/coprs/g/freeipa/freeipa-4-6/ COPR repository].
== Highlights in 4.6.2 ==
=== Enhancements ===
=== Known Issues ===
=== Bug fixes ===
FreeIPA 4.6.2 is a stabilization release for the features delivered as
part of 4.6.0.
There are more than 20 bug fixes, details of which can be seen in
the list of resolved tickets below.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users
mailing list
(https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...)
or the #freeipa channel on Freenode.
== Resolved tickets ==
* 7275 Viewing DNS Records with WebUI fails
* 7254 test_caless: fix http.p12 is not valid and provide domain_level for replica tests
* 7226 Remove remaining references to Firefox configuration extension
* 7213 Increase dbus client timeouts during CA install
* 7210 Firefox reports insecure TLS configuration when visiting FreeIPA web UI after standard server deployment
* 7208 freeipa: binary RPMs require both Python 2 and Python 3
* 7190 Wrong info message from tasks.py
* 7189 make check is failed
* 7187 ipa-replica-manage should provide a debug option
* 7186 testing: get back command outputs when running tests
* 7155 test_caless: add caless to external CA test
* 7154 test_external_ca: switch to python-cryptography
* 7153 Switch "ipa-run-tests" symlink to "ipa-run-tests-3.6"
* 7151 ipa-server-upgrade performs unneeded steps to stop tracking/start tracking certs
* 7148 py3: ipa cert-request --principal --database fails with BytesWarning: str() on a bytes instance
* 7142 py3: ipa ca-add fails with 'an internal error has occurred'
* 7134 ipa param-find: command displays internal error
* 7133 tox -e pylint3 fails under Python 3.6
* 7132 [4.6] PyPI packages are broken
* 7124 [ipatests] - forced_client_reenrollment-domlevel-1 test suite fails due to missing dns records
* 7033 vault: TypeError: ... is not JSON serializable
* 6994 RFE: Remove 389-ds tuning step
* 6858 RFE - Option to add custom OID or display name in IPA Cert
* 6844 ipa-restore fails when umask is set to 0027
* 6702 Update Dogtag to 10.4
* 5887 IDNA domains does not work under py3
* 5442 [tracker] SELinux 'execmem' denials
== Detailed changelog since 4.6.1 ==
=== Alexander Bokovoy (10) ===
* ipaserver/plugins/trust.py: pep8 compliance
* trust: detect and error out when non-AD trust with IPA domain name exists
* ipaserver/plugins/trust.py; fix some indenting issues
* ipa-extdom-extop: refactor nsswitch operations
* test_dns_plugin: cope with missing IPv6 in Travis
* travis-ci: collect logs from cmocka tests
* ipa-kdb: override krb5.conf when testing KDC code in cmocka
* adtrust: filter out subdomains when defining our topology to AD
* ipa-replica-manage: implicitly ignore initial time skew in force-sync
* ds: ignore time skew during initial replication step
=== Abhijeet Kasurde (3) ===
* Trivial typo fix.
* ipatests: Fix interactive prompt in ca_less tests
* tests: correct usage of hostname in logger in tasks
=== Alexander Koksharov (1) ===
* kra-install: better warning message
=== Aleksei Slaikovskii (6) ===
* ipa-restore: Set umask to 0022 while restoring
* View plugin/command help in pager
* Add a notice to restart ipa services after certs are installed
* Fix TypeError while ipa-restore is restoring a backup
* ipaclient.plugins.dns: Cast DNS name to unicode
* Less confusing message for PKINIT configuration during install
=== Christian Heimes (23) ===
* Update IPA_GIT_BRANCH to ipa-4-6
* Add make targets for fast linting and testing
* Add marker needs_ipaapi and option to skip tests
* Add python_requires to Python package metadata
* Remove Custodia keys on uninstall
* Update to python-ldap 3.0.0
* Update builddep command to install Python 3 and tox deps
* Add workaround for pytest 3.3.0 bug
* Fix dict iteration bug in dnsrecord_show
* Reproducer for bug in structured dnsrecord_show
* Use Python 3 on Travis
* Prevent installation of Py2 and Py3 mod_wsgi
* libotp: add libraries after objects
* Require UTF-8 fs encoding
* Run tox tests for PyPI packages on Travis
* Py3: Fix vault tests
* Use namespace-aware meta importer for ipaplatform
* Test script for ipa-custodia
* Remove ignore_import_errors
* Backup ipa-custodia conf and keys
* Py3: fix fetching of tar files
* Use os.path.isfile() and isdir()
* Block PyOpenSSL to prevent SELinux execmem in wsgi
=== David Kupka (2) ===
* schema: Fix internal error in param-{find,show} with nonexistent object
* tests: Add LDAP URI to ldappasswd explicitly
=== Felipe Barreto (6) ===
* Warning the user when using a loopback IP as forwarder
* Removing replica-s4u2proxy.ldif since it's not used anymore
* Fix log capture when running pytests_multihosts commands
* Checks if replica-s4u2proxy.ldif should be applied
* Fixing tox and pylint errors
* Fixing param-{find,show} and output-{find,show} commands
=== Florence Blanc-Renaud (10) ===
* Improve help message for ipa trust-add --range-type
* Fix ca less IPA install on fips mode
* Fix ipa-restore (python2)
* ipa-getkeytab man page: add more details about the -r option
* Py3: fix ipa-replica-conncheck
* Fix ipa-replica-conncheck when called with --principal
* py3: fix ipa cert-request --database ...
* ipa-cacert-manage renew: switch from ext-signed CA to self-signed
* ipa-server-upgrade: do not add untracked certs to the request list
* ipa-server-upgrade: fix the logic for tracking certs
=== Fraser Tweedale (22) ===
* ipa_certupdate: avoid classmethod and staticmethod
* Run certupdate after promoting to CA-ful deployment
* ipa-ca-install: run certupdate as initial step
* CertUpdate: make it easy to invoke from other programs
* renew_ra_cert: fix update of IPA RA user entry
* Use correct version of Python in RPM scripts
* Re-enable some KRA installation tests
* Remove caJarSigningCert profile and related code
* CertDB: remove unused method issue_signing_cert
* Remove XPI and JAR MIME types from httpd config
* Remove mention of firefox plugin after CA-less install
* ipa-cacert-manage: avoid some duplicate string definitions
* ipa-cacert-manage: handle alternative tracking request CA name
* Add tests for external CA profile specifiers
* ipa-cacert-manage: support MS V2 template extension
* certmonger: add support for MS V2 template
* certmonger: refactor 'resubmit_request' and 'modify'
* ipa-ca-install: add --external-ca-profile option
* install: allow specifying external CA template
* Remove duplicate references to external CA type
* cli: simplify parsing of arbitrary types
* py3: fix pkcs7 file processing
=== John Morris (1) ===
* Increase dbus client timeouts during CA install
=== Michal Reznik (12) ===
* test_batch_plugin: fix py2/3 failing assertion
* test_vault: increase WAIT_AFTER_ARCHIVE
* test_caless: fix http.p12 is not valid
* test_caless: fix TypeError on domain_level compare
* manpage: ipa-replica-conncheck - fix minor typo
* test_forced_client: decode get_file_contents() result
* test_external_dns: add missing test cases
* test_caless: open CA cert in binary mode
* tests: add host zone with overlap
* tests_py3: decode get_file_contents() result
* test_caless: add caless to external CA test
* test_external_ca: switch to python-cryptography
=== Mohammad Rizwan Yusuf (1) ===
* ipatest: replica install with existing entry on master
=== Petr Čech (2) ===
* tests: Mark failing tests as failing
* ipatests: Fix on logs collection
=== Pavel Vomacka (1) ===
* WebUI: make Domain Resolution Order writable
=== Rob Crittenden (7) ===
* Run server upgrade in ipactl start/restart
* If the cafile is not present or readable then raise an exception
* Add test to ensure that properties are being set in rpcclient
* Use the CA chain file from the RPC context
* Fix cert-find for CA-less installations
* Use 389-ds provided method for file limits tuning
* Collect group membership without a size limit
=== Rishabh Dave (1) ===
* ipa-ca-install: mention REPLICA_FILE as optional in help
=== Sumit Bose (1) ===
* ipa-kdb: reinit trusted domain data for enterprise principals
=== Stanislav Laznicka (22) ===
* Don't allow OTP or RADIUS in FIPS mode
* caless tests: decode cert bytes in debug log
* caless tests: make debug log of certificates sensible
* Add indexing to improve host-find performance
* Add the sub operation for fqdn index config
* x509: remove subject_base() function
* x509: remove the strip_header() function
* py3: pass raw entries to LDIFWriter
* ipatests: use python3 if built with python3
* PRCI: use a new template for py3 testing
* csrgen_ffi: cast the DN value to unsigned char *
* Remove pkcs10 module contents
* Add tests for CertificateSigningRequest
* parameters: introduce CertificateSigningRequest
* parameters: relax type checks
* csrgen: update docstring for py3
* csrgen: accept public key info as Bytes
* csrgen_ffi: pass bytes where "char *" is required
* travis: pep8 changes to pycodestyle
* p11-kit: add serial number in DER format
* travis: make tests fail if pep8 does not pass
* Remove the `message` attribute from exceptions
=== Thierry Bordaz (1) ===
* 389-ds-base crashed as part of ipa-server-install in ipa-uuid
=== Tibor Dudlák (3) ===
* Become IPA 4.6.2
* Update Contributors.txt
* Update zanata translations
=== Tomas Krizek (13) ===
* prci: define testing topologies
* prci: start testing PRs on fedora 27
* py3 spec: remove python2 dependencies from server-trust-ad
* py3 spec: remove python2 dependencies from freeipa-server
* py3 spec: use proper python2 package names
* ipatests: fix circular import for collect_logs
* ipatests: collect logs for external_ca test suite
* prci: add external_ca test
* ldap: limit the retro changelog to dns subtree
* spec: bump 389-ds-base to 1.3.7.6-1
* ipatests: set default 389-ds log level to 0
* prci: update F26 template
* 4.6 set back to git snapshot
=== Thorsten Scherf (1) ===
* Add debug option to ipa-replica-manage and remove references to api_env var.
--
Tibor Dudlák
Identity management - FreeIPA
Brno, TPB-C, 2C403
Red Hat