Fix FreeIPA installation problems

This release fixes:
- ipa-replica-install crashes due to invalid Python calls
- ipa-server-install and ipa-dns-install may fail to produce log
- ipa-server-install crash due to sslget problem (#771357)

freeipa-2.1.4-logging.patch

@@ -0,0 +1,138 @@
+From 402867038f8664e88e2d9ca42f2c77a46a0be7ae Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Mon, 2 Jan 2012 16:49:59 +0100
+Subject: [PATCH 1/3] Make sure that install tools log
+
+When any log message is emitted before IPA install tools logging is
+configured, it may break and leave install tools log empty. This
+happens for example when
+
+ipa-server-install --ip-address=$IP_ADDRESS
+
+is run.
+
+This patch makes sure that logging is right in these cases.
+
+https://fedorahosted.org/freeipa/ticket/2214
+---
+ install/tools/ipa-ca-install      |    1 +
+ install/tools/ipa-dns-install     |    1 +
+ install/tools/ipa-replica-install |    1 +
+ install/tools/ipa-server-install  |    2 +
+ ipaserver/install/installutils.py |   43 +++++++++++++++++++++++++++++++++++++
+ 5 files changed, 48 insertions(+), 0 deletions(-)
+
+diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
+index 445b0621419b7aa5b4616e154d9f8193a5d517fb..c813659f34f4471132b83fd4159b69b76f5ce487 100755
+--- a/install/tools/ipa-ca-install
++++ b/install/tools/ipa-ca-install
+@@ -70,6 +70,7 @@ def get_dirman_password():
+     return installutils.read_password("Directory Manager (existing master)", confirm=False, validate=False)
+ 
+ def main():
++    installutils.bootstrap_logging()
+     safe_options, options, filename = parse_options()
+     installutils.standard_logging_setup("/var/log/ipareplica-ca-install.log", options.debug)
+     logging.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
+diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
+index d81b6a2e804a815d5bece8426a286e3190f6dee3..25c1bb0cac251d098e3744afd7b7eeab32a3fe6b 100755
+--- a/install/tools/ipa-dns-install
++++ b/install/tools/ipa-dns-install
+@@ -82,6 +82,7 @@ def parse_options():
+     return safe_options, options
+ 
+ def main():
++    bootstrap_logging()
+     safe_options, options = parse_options()
+ 
+     if os.getegid() != 0:
+diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
+index dbc736764f38489df15900c4540a381764d0c261..7310d286292f571ef25b57b29d2a213f4bd855a1 100755
+--- a/install/tools/ipa-replica-install
++++ b/install/tools/ipa-replica-install
+@@ -286,6 +286,7 @@ def check_bind():
+         sys.exit(1)
+ 
+ def main():
++    installutils.bootstrap_logging()
+     safe_options, options, filename = parse_options()
+     installutils.standard_logging_setup("/var/log/ipareplica-install.log", options.debug)
+     logging.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
+diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
+index 8f156e8dde7fbc4cfde00a0f6a2fc8e23403cc73..755f2772780010c62fdc642125107843bef61668 100755
+--- a/install/tools/ipa-server-install
++++ b/install/tools/ipa-server-install
+@@ -562,6 +562,8 @@ def main():
+     global installation_cleanup
+     ds = None
+ 
++    bootstrap_logging()
++
+     safe_options, options = parse_options()
+ 
+     if os.getegid() != 0:
+diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
+index 0a36c354e1d2f901bfdef51c151d035ba8ee64ca..d0f611c611847d02f3d264d669a2e90689f5a87b 100644
+--- a/ipaserver/install/installutils.py
++++ b/ipaserver/install/installutils.py
+@@ -314,7 +314,47 @@ def port_available(port):
+ 
+     return rv
+ 
++class BufferingHandler(logging.Handler):
++    log_queue = []
++
++    def __init__(self):
++        logging.Handler.__init__(self)
++        self.level = logging.DEBUG
++
++    def emit(self, record):
++        self.log_queue.append(record)
++
++    def flush(self):
++        pass
++
++def bootstrap_logging():
++    """
++    Bootstrap logging and create special handler which will buffer any log
++    emitted before standard_logging_setup is called. These will be later
++    processed when the logging is set up.
++    """
++    root_logger = logging.getLogger()
++    root_logger.setLevel(logging.DEBUG)
++    root_logger.addHandler(BufferingHandler())
++
+ def standard_logging_setup(log_filename, debug=False, filemode='w'):
++    """
++    Set up logging. bootstrap_logging() should be called earlier if there
++    is a chance that a log is emitted before this setup.
++    """
++    root_logger = logging.getLogger()
++    log_queue = []
++
++    if root_logger.handlers:
++        # Remove any handlers that may have been set and which may cause
++        # problems with logging in install utils
++        handler_list = list(logging.getLogger().handlers)
++
++        for handler in handler_list:
++            if isinstance(handler, BufferingHandler):
++                log_queue.extend(handler.log_queue)
++            root_logger.removeHandler(handler)
++
+     old_umask = os.umask(077)
+     # Always log everything (i.e., DEBUG) to the log
+     # file.
+@@ -335,6 +375,9 @@ def standard_logging_setup(log_filename, debug=False, filemode='w'):
+     console.setFormatter(formatter)
+     logging.getLogger('').addHandler(console)
+ 
++    for log_record in log_queue:
++        root_logger.handle(log_record)
++
+ def get_password(prompt):
+     if os.isatty(sys.stdin.fileno()):
+         return getpass.getpass(prompt)
+-- 
+1.7.7.5
+

freeipa-2.1.4-replica-install-services.patch

@@ -0,0 +1,72 @@
+From a018ba4013ad18eb75bdfd50887ef12ad2d77972 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Wed, 11 Jan 2012 10:07:03 +0100
+Subject: [PATCH 3/3] Prevent service restart failures in ipa-replica-install
+
+Call restart() methods of appropriate services instead of calling
+the system service restart command directly as service() method
+has a capability to wait until the service is fully up. Without
+this patch ipa-replica-install crashed on F-16 because krb5kdc
+service was started before dirsrv service was fully up.
+
+https://fedorahosted.org/freeipa/ticket/2139
+---
+ install/tools/ipa-replica-install |   21 ++++++++++++++++-----
+ 1 files changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
+index 7310d286292f571ef25b57b29d2a213f4bd855a1..9c637202917fc67da68cea61ebc1b41169bbf2db 100755
+--- a/install/tools/ipa-replica-install
++++ b/install/tools/ipa-replica-install
+@@ -155,6 +155,8 @@ def install_krb(config, setup_pkinit=False):
+                        ldappwd_filename, kpasswd_filename,
+                        setup_pkinit, pkcs12_info)
+ 
++    return krb
++
+ def install_ca_cert(config):
+     cafile = config.dir + "/ca.crt"
+     if not ipautil.file_exists(cafile):
+@@ -188,6 +190,8 @@ def install_http(config, auto_redirect):
+             print "error copying files: " + str(e)
+             sys.exit(1)
+ 
++    return http
++
+ def install_bind(config, options):
+     api.Backend.ldap2.connect(bind_dn="cn=Directory Manager",
+                               bind_pw=config.dirman_password)
+@@ -442,8 +446,8 @@ def main():
+         cs.add_simple_service('dogtagldap/%s@%s' % (config.host_name, config.realm_name))
+         cs.add_cert_to_service()
+ 
+-    install_krb(config, setup_pkinit=options.setup_pkinit)
+-    install_http(config, auto_redirect=options.ui_redirect)
++    krb = install_krb(config, setup_pkinit=options.setup_pkinit)
++    http = install_http(config, auto_redirect=options.ui_redirect)
+     if CA:
+         CA.import_ra_cert(dir + "/ra.p12")
+         CA.fix_ra_perms()
+@@ -457,9 +461,16 @@ def main():
+     service.print_msg("Applying LDAP updates")
+     ds.apply_updates()
+ 
+-    ipaservices.knownservices.dirsrv.restart()
+-    ipaservices.knownservices.krb5kdc.restart()
+-    ipaservices.knownservices.httpd.restart()
++    # Restart ds and krb after configurations have been changed
++    service.print_msg("Restarting the directory server")
++    ds.restart()
++
++    service.print_msg("Restarting the KDC")
++    krb.restart()
++
++    # Restart httpd to pick up the new IPA configuration
++    service.print_msg("Restarting the web server")
++    http.restart()
+ 
+     if options.setup_dns:
+         install_bind(config, options)
+-- 
+1.7.7.5
+

freeipa-2.1.4-replication-addentry.patch

@@ -0,0 +1,93 @@
+From e14b13000890ff13cb9c062e6a32e1e127587bc7 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Wed, 11 Jan 2012 10:06:39 +0100
+Subject: [PATCH 2/3] Fix LDAP add calls in replication module
+
+Replace conn.add_s(entry) with conn.addEntry(entry) to avoid
+function calls with an invalid number of parameters.
+
+https://fedorahosted.org/freeipa/ticket/2139
+---
+ ipaserver/install/replication.py |   22 +++++++++++-----------
+ 1 files changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
+index a6bd7af37bb7c6761841d68ff733276045a7ddab..8f0f226dbacc0ee3b84357c059c91936af034fed 100644
+--- a/ipaserver/install/replication.py
++++ b/ipaserver/install/replication.py
+@@ -225,8 +225,8 @@ class ReplicationManager(object):
+         ent.setValues("sn", "replication manager pseudo user")
+ 
+         try:
+-            conn.add_s(ent)
+-        except ldap.ALREADY_EXISTS:
++            conn.addEntry(ent)
++        except errors.DuplicateEntry:
+             conn.modify_s(dn, [(ldap.MOD_REPLACE, "userpassword", pw)])
+             pass
+ 
+@@ -275,7 +275,7 @@ class ReplicationManager(object):
+         entry.setValues('nsds5replicabinddn', [replica_binddn])
+         entry.setValues('nsds5replicalegacyconsumer', "off")
+ 
+-        conn.add_s(entry)
++        conn.addEntry(entry)
+ 
+     def setup_changelog(self, conn):
+         dn = "cn=changelog5, cn=config"
+@@ -285,8 +285,8 @@ class ReplicationManager(object):
+         entry.setValues('cn', "changelog5")
+         entry.setValues('nsslapd-changelogdir', dirpath)
+         try:
+-            conn.add_s(entry)
+-        except ldap.ALREADY_EXISTS:
++            conn.addEntry(entry)
++        except errors.DuplicateEntry:
+             return
+ 
+     def setup_chaining_backend(self, conn):
+@@ -308,11 +308,11 @@ class ReplicationManager(object):
+                 entry.setValues('nsmultiplexorbinddn', self.repl_man_dn)
+                 entry.setValues('nsmultiplexorcredentials', self.repl_man_passwd)
+ 
+-                self.conn.add_s(entry)
++                self.conn.addEntry(entry)
+                 done = True
+-            except ldap.ALREADY_EXISTS:
++            except errors.DuplicateEntry:
+                 benum += 1
+-            except ldap.LDAPError, e:
++            except errors.ExecutionError, e:
+                 print "Could not add backend entry " + dn, e
+                 raise
+ 
+@@ -376,7 +376,7 @@ class ReplicationManager(object):
+         entry.setValues("objectclass", ["account", "simplesecurityobject"])
+         entry.setValues("uid", "passsync")
+         entry.setValues("userPassword", password)
+-        conn.add_s(entry)
++        conn.addEntry(entry)
+ 
+         # Add it to the list of users allowed to bypass password policy
+         extop_dn = "cn=ipa_pwd_extop,cn=plugins,cn=config"
+@@ -470,7 +470,7 @@ class ReplicationManager(object):
+         if iswinsync:
+             self.setup_winsync_agmt(entry, win_subtree)
+ 
+-        a_conn.add_s(entry)
++        a_conn.addEntry(entry)
+ 
+         entry = a_conn.waitForEntry(entry)
+ 
+@@ -746,7 +746,7 @@ class ReplicationManager(object):
+         entry.setValues("ipaConfigString", "winsync:%s" % self.hostname)
+ 
+         try:
+-            self.conn.add_s(entry)
++            self.conn.addEntry(entry)
+         except Exception, e:
+             logging.info("Failed to create public entry for winsync replica")
+ 
+-- 
+1.7.7.5
+

freeipa.spec

@@ -14,7 +14,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 
 Name:           freeipa
 Version:        2.1.4
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -26,6 +26,9 @@ Patch0:         freeipa-2.1.4-connection-failure-recovery.patch
 Patch1:         freeipa-2.1.4-fix-pylint-f16.patch
 Patch2:         freeipa-2.1.4-slapi-plugins-use-thread-safe-ldap-library.patch
 Patch3:         freeipa-2.1.4-selinux-web-migration-policy.patch
+Patch4:         freeipa-2.1.4-logging.patch
+Patch5:         freeipa-2.1.4-replication-addentry.patch
+Patch6:         freeipa-2.1.4-replica-install-services.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
@@ -77,7 +80,7 @@ Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-server-selinux = %{version}-%{release}
-Requires(pre): 389-ds-base >= 1.2.10-0.4.a4
+Requires(pre): 389-ds-base >= 1.2.10-0.6.a6
 Requires: openldap-clients
 Requires: nss
 Requires: nss-tools
@@ -100,8 +103,8 @@ Requires(post): systemd-units
 Requires: selinux-policy >= 3.10.0-31
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.21
-Requires: pki-ca >= 9.0.15
-Requires: pki-silent >= 9.0.15
+Requires: pki-ca >= 9.0.17
+Requires: pki-silent >= 9.0.17
 # Only tomcat6 greater than this version provides proper systemd support
 Requires: tomcat6 >= 6.0.32-17
 Requires: dogtag-pki-common-theme
@@ -224,6 +227,9 @@ cp %{SOURCE1} init/systemd/
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
 
 %build
 export CFLAGS="$CFLAGS %{optflags}"
@@ -545,6 +551,12 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 
 %changelog
+* Wed Jan 11 2012 Martin Kosek <mkosek@redhat.com> - 2.1.4-4
+- Fix ipa-replica-install crashes
+- Fix ipa-server-install and ipa-dns-install logging
+- Set minimum version of pki-ca to 9.0.17 to fix sslget problem
+  caused by FEDORA-2011-17400 update (#771357)
+
 * Wed Dec 21 2011 Alexander Bokovoy <abokovoy@redhat.com> - 2.1.4-3
 - Allow Web-based migration to work with tightened SE Linux policy (#769440)
 - Rebuild slapi plugins against re-enterant version of libldap