rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

More fixes to Fedora 28 beta

Browse Source
This commit is contained in:
Alexander Bokovoy 2018-03-21 10:45:19 +02:00
parent 8bb66c5db7
commit 4bae5f4bc8
6 changed files with 190 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
0001-Processing-of-server-roles-should-ignore-errors.Empt.patch
View File

@ -1,7 +1,8 @@
From 782d74463226039647ec0b5caaa1a967d86cc930 Mon Sep 17 00:00:00 2001
From e161bce61819fbc8fd1b2a0bdfb01ecf9947b733 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 19 Mar 2018 21:48:04 +0200
Subject: [PATCH] Processing of server roles should ignore errors.EmptyResult
Subject: [PATCH 1/2] Processing of server roles should ignore
errors.EmptyResult
When non-admin user issues a command that utilizes
api.Object.config.show_servroles_attributes(), some server roles might

31
0002-Make-sure-template-dictionary-has-WSGI_PREFIX_DIR-wh.patch
View File

@ -1,31 +0,0 @@
From ffa274fc72e0d56bca3389d3ba973459053c25f3 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 20 Mar 2018 09:35:51 +0200
Subject: [PATCH 2/2] Make sure template dictionary has WSGI_PREFIX_DIR when
upgrading ipa.conf.template
Fixes https://pagure.io/freeipa/issue/7454
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/server/upgrade.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index a38f4115c..807d674d7 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1651,6 +1651,11 @@ def upgrade_configuration():
ds_dirname = dsinstance.config_dirname(ds_serverid)
+ sub_dict['WSGI_PREFIX_DIR'] = paths.WSGI_PREFIX_DIR
+ sub_dict['GSSAPI_SESSION_KEY'] = paths.GSSAPI_SESSION_KEY
+ sub_dict['FONTS_DIR'] = paths.FONTS_DIR
+ sub_dict['IPA_CCACHES'] = paths.IPA_CCACHES
+ sub_dict['IPA_CUSTODIA_SOCKET'] = paths.IPA_CUSTODIA_SOCKET
upgrade_file(sub_dict, paths.HTTPD_IPA_CONF,
os.path.join(paths.USR_SHARE_IPA_DIR,
"ipa.conf.template"))
--
2.14.3

41
0002-Update-template-directory-with-new-variables-when-up.patch Normal file
View File

@ -0,0 +1,41 @@
From ae35587582f0e4ae1e9fac3270d2f6942f4f7a31 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 20 Mar 2018 09:35:51 +0200
Subject: [PATCH 2/2] Update template directory with new variables when
upgrading ipa.conf.template
With e6c707b168067ebb3705c21efc377acd29b23fff we changed httpd
configuration to use abstracted out variables in the template.
However, during upgrade we haven't resolved these variables so an
upgrade from pre-e6c707b168067ebb3705c21efc377acd29b23fff install will
fail.
Add all missing variables to the upgrade code.
Fixes https://pagure.io/freeipa/issue/7454
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/server/upgrade.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index a38f4115c..5654cc32d 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1617,7 +1617,12 @@ def upgrade_configuration():
AUTOREDIR='' if auto_redirect else '#',
CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
DOGTAG_PORT=8009,
- CLONE='#'
+ CLONE='#',
+ WSGI_PREFIX_DIR=paths.WSGI_PREFIX_DIR,
+ GSSAPI_SESSION_KEY=paths.GSSAPI_SESSION_KEY,
+ FONTS_DIR=paths.FONTS_DIR,
+ IPA_CCACHES=paths.IPA_CCACHES,
+ IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET
)
subject_base = find_subject_base()
--
2.14.3

88
0003-upgrade-Run-configuration-upgrade-under-file-based-c.patch Normal file
View File

@ -0,0 +1,88 @@
From c25c5c1c85d4ee3aaea7c62a32134c0af56b9004 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 21 Mar 2018 10:33:32 +0200
Subject: [PATCH] upgrade: Run configuration upgrade under file-based ccache
Use anonymous file-based ccache to prevent upgrade failures
in case KCM: or KEYRING: ccache type is used by default
in krb5.conf and is not available. We don't need any user
credentials during upgrade procedure but kadmin.local
would attempt to resolve default ccache and if that's not
available, kadmin.local will fail.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1558818
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/server/upgrade.py | 39 +++++++++++++++++++++++++++++++++++--
1 file changed, 37 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index a38f4115c..00389a914 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -11,10 +11,11 @@ import shutil
import pwd
import fileinput
import sys
+from contextlib import contextmanager
from augeas import Augeas
import dns.exception
from ipalib import api, x509
-from ipalib.install import certmonger, sysrestore
+from ipalib.install import certmonger, sysrestore, kinit
import SSSDConfig
import ipalib.util
import ipalib.errors
@@ -1926,6 +1927,32 @@ def upgrade_check(options):
logger.warning("Upgrade without version check may break your system")
+@contextmanager
+def anonymous_ccache():
+ kpath = os.path.join(paths.IPA_CCACHES,
+ "upgrade_ccache_{}".format(os.getpid()))
+
+ try:
+ logger.debug('Obtaining anonymous creds in ccache %s', kpath)
+ kinit.kinit_armor(
+ kpath,
+ pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM],
+ )
+ kdestroy = True
+ except RuntimeError:
+ logger.error("Failed to obtain anonymous creds cache")
+ kdestroy = False
+ old_path = os.getenv('KRB5CCNAME')
+ try:
+ os.environ['KRB5CCNAME'] = kpath
+ yield
+ finally:
+ if old_path:
+ os.environ['KRB5CCNAME'] = old_path
+ if kdestroy:
+ installutils.remove_ccache(kpath)
+
+
def upgrade():
realm = api.env.realm
schema_files = [os.path.join(paths.USR_SHARE_IPA_DIR, f) for f
@@ -1950,7 +1977,15 @@ def upgrade():
print('Upgrading IPA services')
logger.info('Upgrading the configuration of the IPA services')
- upgrade_configuration()
+ # Use anonymous file-based ccache to prevent upgrade failures
+ # in case KCM: or KEYRING: ccache type is used by default
+ # in krb5.conf and is not available. We don't need any user
+ # credentials during upgrade procedure but kadmin.local
+ # would attempt to resolve default ccache and if that's not
+ # available, kadmin.local will fail.
+ # Bug https://bugzilla.redhat.com/show_bug.cgi?id=1558818
+ with anonymous_ccache():
+ upgrade_configuration()
logger.info('The IPA services were upgraded')
# store new data version after upgrade
--
2.14.3

49
0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch Normal file
View File

@ -0,0 +1,49 @@
From 585250368a8841e69176006acb6876abc54843cb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 20 Mar 2018 16:40:24 +0200
Subject: [PATCH] use LDAP Whoami command when creating an OTP token
ipa user-find --whoami is used by ipa otptoken-add to populate
ipaTokenOwner and managedBy attributes. These attributes, in turn are
checked by the self-service ACI which allows to create OTP tokens
assigned to the creator.
With 389-ds-base 1.4.0.6-2.fc28 in Fedora 28 beta there is a bug in
searches with scope 'one' that result in ipa user-find --whoami
returning 0 results.
Because ipa user-find --whoami does not work, non-admin user cannot
create a token. This is a regression that can be fixed by using LDAP
Whoami command.
Fixes: https://pagure.io/freeipa/issue/7456
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/otptoken.py | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py
index d94ae49ff..17b32094d 100644
--- a/ipaserver/plugins/otptoken.py
+++ b/ipaserver/plugins/otptoken.py
@@ -311,13 +311,12 @@ class otptoken_add(LDAPCreate):
# If owner was not specified, default to the person adding this token.
# If managedby was not specified, attempt a sensible default.
if 'ipatokenowner' not in entry_attrs or 'managedby' not in entry_attrs:
- result = self.api.Command.user_find(
- whoami=True, no_members=False)['result']
- if result:
- cur_uid = result[0]['uid'][0]
+ cur_dn = DN(self.api.Backend.ldap2.conn.whoami_s()[4:])
+ if cur_dn:
+ cur_uid = cur_dn[0].value
prev_uid = entry_attrs.setdefault('ipatokenowner', cur_uid)
if cur_uid == prev_uid:
- entry_attrs.setdefault('managedby', result[0]['dn'])
+ entry_attrs.setdefault('managedby', cur_dn.ldap_text())
# Resolve the owner's dn
_normalize_owner(self.api.Object.user, entry_attrs)
--
2.14.3

11
freeipa.spec
View File

@ -100,7 +100,7 @@
Name: freeipa
Version: %{VERSION}
Release: 4%{?dist}
Release: 5%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@ -109,7 +109,9 @@ URL: https://www.freeipa.org/
Source0: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz
Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc
Patch0001: 0001-Processing-of-server-roles-should-ignore-errors.Empt.patch
Patch0002: 0002-Make-sure-template-dictionary-has-WSGI_PREFIX_DIR-wh.patch
Patch0002: 0002-Update-template-directory-with-new-variables-when-up.patch
Patch0003: 0003-upgrade-Run-configuration-upgrade-under-file-based-c.patch
Patch0004: 0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch
# For the timestamp trick in patch application
BuildRequires: diffstat
@ -1718,6 +1720,11 @@ fi
%endif # with_ipatests
%changelog
* Tue Mar 20 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre1-5
- Apply upstream fix for #1558354
- Run upgrade under file-based ccache (#1558818)
- Fix OTP token issuance due to regression in https://pagure.io/389-ds-base/issue/49617
* Tue Mar 20 2018 Adam Williamson <awilliam@redhat.com> - 4.6.90.pre1-4
- Fix upgrades harder (extension of -3 patch) (#1558354)