On 07/11/2013 12:34 PM, Alexander Bokovoy wrote: > On Thu, 11 Jul 2013, Tomas Babej wrote: >> [snip] >> >>> > The patch now fixes the issue. >>> > >>> > >>> > >>> > However, we need to bump the dependency in the specfile since now we >>> > require >>> > >>> > version 1.3.1.1. >>> > >>> > >>> > >>> > Tomas >>> > >>> >>> Thanks, updated patch is attached. >>> >> >> I tested the patch both with clean install and upgrade. >> >> ACK > The patch does not apply to ipa-3-2, it needs rebasing. >
Rebased patch attached. -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc.
From 44cd5e2db5d9441fdd779564c8aea543b7d910ac Mon Sep 17 00:00:00 2001 From: Ana Krivokapic <akriv...@redhat.com> Date: Thu, 11 Jul 2013 12:50:01 +0200 Subject: [PATCH] Make sure replication works after DM password is changed Replica information file contains the file `cacert.p12` which is protected by the Directory Manager password of the initial IPA server installation. The DM password of the initial installation is also used for the PKI admin user password. If the DM password is changed after the IPA server installation, the replication fails. To prevent this failure, add the following steps to ipa-replica-prepare: 1. Regenerate the `cacert.p12` file and protect it with the current DM password 2. Update the password of the PKI admin user with the current DM password https://fedorahosted.org/freeipa/ticket/3594 --- freeipa.spec.in | 9 +++++--- ipaserver/install/ipa_replica_prepare.py | 36 ++++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 3 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 1f9242ea8b8f41233473db74fd8dac16ae075abd..11365bebebc555fcb4d4c3fc1ec0f60707384fe3 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -17,7 +17,7 @@ Source0: freeipa-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) %if ! %{ONLY_CLIENT} -BuildRequires: 389-ds-base-devel >= 1.3.1.1 +BuildRequires: 389-ds-base-devel >= 1.3.1.3 BuildRequires: svrcore-devel BuildRequires: /usr/share/selinux/devel/Makefile BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER} @@ -91,7 +91,7 @@ Requires: %{name}-python = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release} Requires: %{name}-server-selinux = %{version}-%{release} -Requires: 389-ds-base >= 1.3.1.1 +Requires: 389-ds-base >= 1.3.1.3 Requires: openldap-clients > 2.4.35-4 %if 0%{?fedora} == 18 Requires: nss >= 3.14.3-2 
@@ -147,7 +147,7 @@ Requires: zip Requires: policycoreutils >= %{POLICYCOREUTILSVER} Requires: tar Requires(pre): certmonger >= 0.65 -Requires(pre): 389-ds-base >= 1.3.0.5 +Requires(pre): 389-ds-base >= 1.3.1.3 # We have a soft-requires on bind. It is an optional part of # IPA but if it is configured we need a way to require versions @@ -844,6 +844,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog +* Wed Jul 10 2013 Ana Krivokapic <akriv...@redhat.com> - 3.2.99-4 +- Bump minimum version of 389-ds-base to 1.3.1.3 for user password change fix. + * Wed Jun 26 2013 Jan Cholasta <jchol...@redhat.com> - 3.2.1-1 - Bump minimum version of 389-ds-base to 1.3.1.1 for SASL mapping priority support. diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index f6af28e3a550387050ead412b61c8fb58a8b7fe5..a92e9a111191608b3deb1e54c6dba4642a424f1a 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -274,6 +274,11 @@ def copy_ds_certificate(self): self.copy_info_file(options.dirsrv_pkcs12, "dscert.p12") else: if ipautil.file_exists(options.ca_file): + # Since it is possible that the Directory Manager password + # has changed since ipa-server-install, we need to regenerate + # the CA PKCS#12 file and update the pki admin user password + self.regenerate_ca_file(options.ca_file) + self.update_pki_admin_password() self.copy_info_file(options.ca_file, "cacert.p12") else: raise admintool.ScriptError("Root CA PKCS#12 not " 
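Review bot: The two calls added before `self.copy_info_file(options.ca_file, "cacert.p12")` change server state as a side effect of ipa-replica-prepare — the CA PKCS#12 on disk is rewritten in place and the PKI admin user's password is reset to the current DM password — but nothing records that this happened; a log line before each (via whatever logger this admintool subclass provides, which I cannot see from the hunk) would make the change auditable for whoever later wonders why the PKI admin password moved. `regenerate_ca_file` exports straight onto `options.ca_file`, so if the export fails the original `cacert.p12` may already be overwritten or truncated; consider exporting to a temporary path next to it and renaming over the original only on success. The added comment could also say what fails without it, e.g. `# ... otherwise ipa-replica-install cannot open cacert.p12 once the DM password has been changed`. The enclosing copy_ds_certificate method starts outside the hunk.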
@@ -505,3 +510,34 @@ def export_ra_pkcs12(self):
 db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert")
 finally:
 os.remove(agent_name)
+
+ def update_pki_admin_password(self):
+ ldap = ldap2(shared_instance=False)
+ ldap.connect(
+ bind_dn=DN(('cn', 'directory manager')),
+ bind_pw=self.dirman_password
+ )
+ dn = DN('uid=admin', 'ou=people', 'o=ipaca')
+ ldap.modify_password(dn, self.dirman_password)
+ ldap.disconnect()
+
+ def regenerate_ca_file(self, ca_file):
+ dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password)
+
+ keydb_pwd = ''
+ with open('/etc/pki/pki-tomcat/password.conf') as f:
+ for line in f.readlines():
+ key, value = line.strip().split('=')
+ if key == 'internal':
+ keydb_pwd = value
+ break
+
+ keydb_pwd_fd = ipautil.write_tmp_file(keydb_pwd)
+
+ ipautil.run([
+ '/usr/bin/PKCS12Export',
+ '-d', '/etc/pki/pki-tomcat/alias/',
+ '-p', keydb_pwd_fd.name,
+ '-w', dm_pwd_fd.name,
+ '-o', ca_file
+ ])
-- 
1.8.1.4
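Review bot: In `regenerate_ca_file`, `key, value = line.strip().split('=')` raises ValueError on a blank line or on any value containing `=`, and when no `internal` entry is found the method goes on to run PKCS12Export with an empty NSS database password instead of failing; use `partition('=')`, iterate the file directly, and raise `admintool.ScriptError` when the key is missing. The two temporary files holding the DM password and the NSS DB password (`dm_pwd_fd`, `keydb_pwd_fd`) are never closed explicitly, so their removal — presumably on close, depending on what `ipautil.write_tmp_file` returns — is left to garbage collection while they sit on disk; close both in a `finally`. In `update_pki_admin_password`, `ldap.disconnect()` is skipped when `modify_password` raises, so the bound connection leaks; wrap it as `try: ldap.modify_password(dn, self.dirman_password)` / `finally: ldap.disconnect()`. Both new methods lack docstrings; a one-liner each, stating that one re-protects the CA PKCS#12 at `ca_file` with the current DM password and the other resets the PKI admin user's password to it, would tell the next reader why a replica-prepare step touches these.
```python
    def regenerate_ca_file(self, ca_file):
        dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password)
        try:
            keydb_pwd = None
            with open('/etc/pki/pki-tomcat/password.conf') as f:
                for line in f:
                    key, sep, value = line.strip().partition('=')
                    if sep and key == 'internal':
                        keydb_pwd = value
                        break
            if keydb_pwd is None:
                raise admintool.ScriptError(
                    "Could not find the NSS database password in "
                    "/etc/pki/pki-tomcat/password.conf")
            keydb_pwd_fd = ipautil.write_tmp_file(keydb_pwd)
            try:
                ipautil.run([
                    '/usr/bin/PKCS12Export',
                    # … unchanged: -d / -p / -w / -o arguments …
                ])
            finally:
                keydb_pwd_fd.close()
        finally:
            dm_pwd_fd.close()
```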