Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On Thu, 11 Jul 2013, Ana Krivokapic wrote:
On 07/11/2013 12:34 PM, Alexander Bokovoy wrote:
On Thu, 11 Jul 2013, Tomas Babej wrote:
[snip]
> The patch now fixes the issue.
>
> However, we need to bump the dependency in the specfile since now we require
> version 1.3.1.1.
>
> Tomas
>
Thanks, updated patch is attached.
I tested the patch both with clean install and upgrade.
ACK
The patch does not apply to ipa-3-2, it needs rebasing.
Rebased patch attached.
Thanks, committed to ipa-3-2.
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On 07/11/2013 12:34 PM, Alexander Bokovoy wrote:
> On Thu, 11 Jul 2013, Tomas Babej wrote:
>> [snip]
>>
>>> > The patch now fixes the issue.
>>> >
>>> > However, we need to bump the dependency in the specfile since now we
>>> > require version 1.3.1.1.
>>> >
>>> > Tomas
>>> >
>>>
>>> Thanks, updated patch is attached.
>>>
>>
>> I tested the patch both with clean install and upgrade.
>>
>> ACK
> The patch does not apply to ipa-3-2, it needs rebasing.

Rebased patch attached.

--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From 44cd5e2db5d9441fdd779564c8aea543b7d910ac Mon Sep 17 00:00:00 2001
From: Ana Krivokapic
Date: Thu, 11 Jul 2013 12:50:01 +0200
Subject: [PATCH] Make sure replication works after DM password is changed

The replica information file contains the file `cacert.p12`, which is
protected by the Directory Manager password of the initial IPA server
installation. The DM password of the initial installation is also used for
the PKI admin user password. If the DM password is changed after the IPA
server installation, the replication fails.

To prevent this failure, add the following steps to ipa-replica-prepare:
1. Regenerate the `cacert.p12` file and protect it with the current DM password
2. Update the password of the PKI admin user with the current DM password

https://fedorahosted.org/freeipa/ticket/3594
---
 freeipa.spec.in                          |  9 +---
 ipaserver/install/ipa_replica_prepare.py | 36
 2 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 1f9242ea8b8f41233473db74fd8dac16ae075abd..11365bebebc555fcb4d4c3fc1ec0f60707384fe3 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -17,7 +17,7 @@ Source0:freeipa-%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= 1.3.1.1
+BuildRequires: 389-ds-base-devel >= 1.3.1.3
 BuildRequires: svrcore-devel
 BuildRequires: /usr/share/selinux/devel/Makefile
 BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
@@ -91,7 +91,7 @@ Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-server-selinux = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.1.1
+Requires: 389-ds-base >= 1.3.1.3
 Requires: openldap-clients > 2.4.35-4
 %if 0%{?fedora} == 18
 Requires: nss >= 3.14.3-2
@@ -147,7 +147,7 @@ Requires: zip
 Requires: policycoreutils >= %{POLICYCOREUTILSVER}
 Requires: tar
 Requires(pre): certmonger >= 0.65
-Requires(pre): 389-ds-base >= 1.3.0.5
+Requires(pre): 389-ds-base >= 1.3.1.3
 
 # We have a soft-requires on bind. It is an optional part of
 # IPA but if it is configured we need a way to require versions
@@ -844,6 +844,9 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Wed Jul 10 2013 Ana Krivokapic - 3.2.99-4
+- Bump minimum version of 389-ds-base to 1.3.1.3 for user password change fix.
+
 * Wed Jun 26 2013 Jan Cholasta - 3.2.1-1
 - Bump minimum version of 389-ds-base to 1.3.1.1 for SASL mapping priority support.
 
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index f6af28e3a550387050ead412b61c8fb58a8b7fe5..a92e9a91608b3deb1e54c6dba4642a424f1a 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -274,6 +274,11 @@ def copy_ds_certificate(self):
             self.copy_info_file(options.dirsrv_pkcs12, "dscert.p12")
         else:
             if ipautil.file_exists(options.ca_file):
+                # Since it is possible that the Directory Manager password
+                # has changed since ipa-server-install, we need to regenerate
+                # the CA PKCS#12 file and update the pki admin user password
+                self.regenerate_ca_file(options.ca_file)
+                self.update_pki_admin_password()
                 self.copy_info_file(options.ca_file, "cacert.p12")
             else:
                 raise admintool.ScriptError("Root CA PKCS#12 not "
@@ -505,3 +510,34 @@ def export_ra_pkcs12(self):
             db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert")
         finally:
             os.remove(agent_name)
+
+    def update_pki_admin_password(self):
+        ldap = ldap2(shared_instance=False)
+        ldap.connect(
+            bind_dn=DN(('cn', 'directory manager')),
+            bind_pw=self.dirman_password
+        )
+        dn = DN('uid=admin', 'ou=people', 'o=ipaca')
+        ldap.modify_password(dn, self.dirman_password)
+        ldap.disconnect()
+
+    def regenerate_ca_file(self, ca_file):
+        dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password)
+
+        keydb_pwd = ''
+        with open('/etc/pki/pki-tomcat/password.conf') as f:
+
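Review bot: the new %changelog entry in the @@ -844 hunk justifies the 389-ds-base floor of 1.3.1.3 only as "for user password change fix", and the commit message cites only the FreeIPA ticket; the thread below identifies the actual 389 DS bug (https://fedorahosted.org/389/ticket/47406) that made ldap.modify_password() fail on 1.3.1.2, so reference it in the changelog line or the commit message so a packager can see why this exact version is the minimum.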
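Review bot: in the @@ -274 hunk self.regenerate_ca_file(options.ca_file) overwrites the PKCS#12 file on disk before self.update_pki_admin_password() runs, so when the LDAP password update fails (the "Constraint violation: Failed to update password" traceback quoted in this thread is raised from exactly that call) the tool aborts after cacert.p12 has already been re-encrypted under the current DM password, with no message saying so. Either run the password update first, so a failure leaves the file untouched, or log that the CA file was regenerated; and since this makes ipa-replica-prepare silently reset the PKI admin user's password to the Directory Manager password, that side effect belongs in the tool's user-facing documentation, not only in a code comment.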
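Review bot: in update_pki_admin_password() (the @@ -505 hunk) ldap.disconnect() is never reached when ldap.modify_password() raises, which the traceback quoted in this thread shows it does on 389-ds-base 1.3.1.2; wrap the modify_password call in try/finally so the non-shared ldap2 connection is always closed. In regenerate_ca_file() the `keydb_pwd = ''` default means that if /etc/pki/pki-tomcat/password.conf has no `internal` entry an empty password file is handed to the exporter and the failure surfaces as an opaque tool error; raise admintool.ScriptError when the entry is missing instead. Only the visible lines of regenerate_ca_file() are covered here, the rest of the hunk is cut off in this copy of the patch.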
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On Thu, 11 Jul 2013, Tomas Babej wrote:
[snip]
> The patch now fixes the issue.
>
> However, we need to bump the dependency in the specfile since now we require
> version 1.3.1.1.
>
> Tomas
>
Thanks, updated patch is attached.
I tested the patch both with clean install and upgrade.
ACK
The patch does not apply to ipa-3-2, it needs rebasing.
--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
[snip]
> > The patch now fixes the issue.
> >
> > However, we need to bump the dependency in the specfile since now we require
> > version 1.3.1.1.
> >
> > Tomas
> >
> Thanks, updated patch is attached.
>
I tested the patch both with clean install and upgrade.

ACK
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On 07/10/2013 01:33 PM, Tomas Babej wrote:
> > On Monday 08 of July 2013 16:58:18 Ana Krivokapic wrote:
> > > On 06/25/2013 05:28 PM, Ana Krivokapic wrote:
> > > > On 06/24/2013 02:27 PM, Tomas Babej wrote:
> > > >> On 06/11/2013 04:42 PM, Ade Lee wrote:
> > > >> [snip]
> > > >>> Just FYI, we plan to do a new release of pki-core today (pki-core-10.0.3-2)
> > > >>> to address this issue.
> > > --
> > > Regards,
> > >
> > > Ana Krivokapic
> > > Associate Software Engineer
> > > FreeIPA team
> > > Red Hat Inc.
> > > >> Ok, so I tested the patch, since pki-core has the PkiExport command fixed now.
> > > >>
> > > >> I'm getting a little bit further now.
> > > >>
> > > >> [tbabej@vm-127 ~]$ sudo ipa-replica-prepare --ip-address 10.34.47.129
> > > >> vm-129.idm.lab.eng.brq.redhat.com
> > > >> Directory Manager (existing master) password:
> > > >>
> > > >> Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from
> > > >> vm-127.idm.lab.eng.brq.redhat.com
> > > >> Constraint violation: Failed to update password
> > > >>
> > > >> With debug output, I get (snipped out irrelevant parts):
> > > >>
> > > >> Directory Manager (existing master) password:
> > > >>
> > > >> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
> > > >> context.ldap2_57668944
> > > >> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
> > > >> url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
> > > >> conn=
> > > >> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection
> > > >> context.ldap2_57668944
> > > >> ipa: DEBUG: Search DNS for vm-129.idm.lab.eng.brq.redhat.com
> > > >> ipa: DEBUG: Search failed: [Errno -2] Name or service not known
> > > >> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
> > > >> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache
> > > >> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
> > > >> url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
> > > >> conn=
> > > >> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: Not logging
> > > >> to a file
> > > >> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
> > > >> ipa-replica-prepare was invoked with arguments
> > > >> ['vm-129.idm.lab.eng.brq.redhat.com'] and options: {'log_file': None,
> > > >> 'verbose': True, 'reverse_zone': None, 'setup_pkinit': True, 'http_pin': None,
> > > >> 'quiet': False, 'http_pkcs12': None, 'pkinit_pkcs12': None, 'ca_file':
> > > >> '/root/cacert.p12', 'no_reverse': False, 'dirsrv_pkcs12': None, 'password':
> > > >> None, 'ip_address': CheckedIPAddress('10.34.47.129'), 'dirsrv_pin': None,
> > > >> 'pkinit_pin': None}
> > > >> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: Preparing
> > > >> replica for vm-129.idm.lab.eng.brq.redhat.com from
> > > >> vm-127.idm.lab.eng.brq.redhat.com
> > > >> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
> > > >> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache
> > > >> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
> > > >> url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
> > > >> conn=
> > > >> ipa: DEBUG: Starting external process
> > > >> ipa: DEBUG: args=/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p
> > > >> /tmp/tmprgUrso -w /tmp/tmp6SBBXF -o /root/cacert.p12
> > > >> ipa: DEBUG: Process finished, return code=0
> > > >> ipa: DEBUG: stdout=
> > > >> ipa: DEBUG: stderr=
> > > >> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
> > > >> context.ldap2_139884970376144
> > > >> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
> > > >> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
> > > >> return_value = self.run()
> > > >> File
> > > >> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> > > >> line 245, in run
> > > >> self.copy_ds_certificate()
> > > >> File
> > > >> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> > > >> line 281, in copy_ds_certificate
> > > >> self.update_pki_admin_password()
> > > >> File
> > > >> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> > > >> line 520, in update_pki_admin_password
> > > >> ldap.modify_password(dn, self.dirman_password)
> > > >> File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line
> > > >> 332, in modify_password
> > > >> self.conn.passwd_s(dn, old_pass, new_pass)
> > > >> File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
> > > >> self.gen.throw(type, value, traceback)
> > > >> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 919, in
> > > >> error_handler
> > > >> raise errors.DatabaseError(desc=desc, info=info)
> > > >>
> > > >> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrep
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On Monday 08 of July 2013 16:58:18 Ana Krivokapic wrote:
> On 06/25/2013 05:28 PM, Ana Krivokapic wrote:
> > On 06/24/2013 02:27 PM, Tomas Babej wrote:
> >> On 06/11/2013 04:42 PM, Ade Lee wrote:
> >> [snip]
> >>> Just FYI, we plan to do a new release of pki-core today (pki-core-10.0.3-2)
> >>> to address this issue.
> --
> Regards,
>
> Ana Krivokapic
> Associate Software Engineer
> FreeIPA team
> Red Hat Inc.
> >> Ok, so I tested the patch, since pki-core has the PkiExport command fixed now.
> >>
> >> I'm getting a little bit further now.
> >>
> >> [tbabej@vm-127 ~]$ sudo ipa-replica-prepare --ip-address 10.34.47.129
> >> vm-129.idm.lab.eng.brq.redhat.com
> >> Directory Manager (existing master) password:
> >>
> >> Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from
> >> vm-127.idm.lab.eng.brq.redhat.com
> >> Constraint violation: Failed to update password
> >>
> >> With debug output, I get (snipped out irrelevant parts):
> >>
> >> Directory Manager (existing master) password:
> >>
> >> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
> >> context.ldap2_57668944
> >> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
> >> url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
> >> conn=
> >> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection
> >> context.ldap2_57668944
> >> ipa: DEBUG: Search DNS for vm-129.idm.lab.eng.brq.redhat.com
> >> ipa: DEBUG: Search failed: [Errno -2] Name or service not known
> >> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
> >> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache
> >> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
> >> url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
> >> conn=
> >> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: Not logging
> >> to a file
> >> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
> >> ipa-replica-prepare was invoked with arguments
> >> ['vm-129.idm.lab.eng.brq.redhat.com'] and options: {'log_file': None,
> >> 'verbose': True, 'reverse_zone': None, 'setup_pkinit': True, 'http_pin': None,
> >> 'quiet': False, 'http_pkcs12': None, 'pkinit_pkcs12': None, 'ca_file':
> >> '/root/cacert.p12', 'no_reverse': False, 'dirsrv_pkcs12': None, 'password':
> >> None, 'ip_address': CheckedIPAddress('10.34.47.129'), 'dirsrv_pin': None,
> >> 'pkinit_pin': None}
> >> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: Preparing
> >> replica for vm-129.idm.lab.eng.brq.redhat.com from
> >> vm-127.idm.lab.eng.brq.redhat.com
> >> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
> >> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache
> >> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
> >> url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
> >> conn=
> >> ipa: DEBUG: Starting external process
> >> ipa: DEBUG: args=/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p
> >> /tmp/tmprgUrso -w /tmp/tmp6SBBXF -o /root/cacert.p12
> >> ipa: DEBUG: Process finished, return code=0
> >> ipa: DEBUG: stdout=
> >> ipa: DEBUG: stderr=
> >> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
> >> context.ldap2_139884970376144
> >> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
> >> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
> >> return_value = self.run()
> >> File
> >> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> >> line 245, in run
> >> self.copy_ds_certificate()
> >> File
> >> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> >> line 281, in copy_ds_certificate
> >> self.update_pki_admin_password()
> >> File
> >> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> >> line 520, in update_pki_admin_password
> >> ldap.modify_password(dn, self.dirman_password)
> >> File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line
> >> 332, in modify_password
> >> self.conn.passwd_s(dn, old_pass, new_pass)
> >> File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
> >> self.gen.throw(type, value, traceback)
> >> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 919, in
> >> error_handler
> >> raise errors.DatabaseError(desc=desc, info=info)
> >>
> >> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
> >> ipa-replica-prepare command failed, exception: DatabaseError: Constraint
> >> violation: Failed to update password
> >> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Constraint
> >> violation: Failed to update password
> >>
> >> Tomas
> > It seems that this time the culprit is 389-ds-base packages. The password change
> > is rejected when using the latest version of 389-ds-base
> > (389-d
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On 06/25/2013 05:28 PM, Ana Krivokapic wrote:
> On 06/24/2013 02:27 PM, Tomas Babej wrote:
>> On 06/11/2013 04:42 PM, Ade Lee wrote:
>> [snip]
>>> Just FYI, we plan to do a new release of pki-core today (pki-core-10.0.3-2)
>>> to address this issue.
--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
>> Ok, so I tested the patch, since pki-core has the PkiExport command fixed now.
>>
>> I'm getting a little bit further now.
>>
>> [tbabej@vm-127 ~]$ sudo ipa-replica-prepare --ip-address 10.34.47.129
>> vm-129.idm.lab.eng.brq.redhat.com
>> Directory Manager (existing master) password:
>>
>> Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from
>> vm-127.idm.lab.eng.brq.redhat.com
>> Constraint violation: Failed to update password
>>
>> With debug output, I get (snipped out irrelevant parts):
>>
>> Directory Manager (existing master) password:
>>
>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
>> context.ldap2_57668944
>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
>> url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
>> conn=
>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection
>> context.ldap2_57668944
>> ipa: DEBUG: Search DNS for vm-129.idm.lab.eng.brq.redhat.com
>> ipa: DEBUG: Search failed: [Errno -2] Name or service not known
>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
>> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache
>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
>> url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
>> conn=
>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: Not logging
>> to a file
>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
>> ipa-replica-prepare was invoked with arguments
>> ['vm-129.idm.lab.eng.brq.redhat.com'] and options: {'log_file': None,
>> 'verbose': True, 'reverse_zone': None, 'setup_pkinit': True, 'http_pin': None,
>> 'quiet': False, 'http_pkcs12': None, 'pkinit_pkcs12': None, 'ca_file':
>> '/root/cacert.p12', 'no_reverse': False, 'dirsrv_pkcs12': None, 'password':
>> None, 'ip_address': CheckedIPAddress('10.34.47.129'), 'dirsrv_pin': None,
>> 'pkinit_pin': None}
>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: Preparing
>> replica for vm-129.idm.lab.eng.brq.redhat.com from
>> vm-127.idm.lab.eng.brq.redhat.com
>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
>> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache
>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
>> url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
>> conn=
>> ipa: DEBUG: Starting external process
>> ipa: DEBUG: args=/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p
>> /tmp/tmprgUrso -w /tmp/tmp6SBBXF -o /root/cacert.p12
>> ipa: DEBUG: Process finished, return code=0
>> ipa: DEBUG: stdout=
>> ipa: DEBUG: stderr=
>> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
>> context.ldap2_139884970376144
>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
>> return_value = self.run()
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>> line 245, in run
>> self.copy_ds_certificate()
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>> line 281, in copy_ds_certificate
>> self.update_pki_admin_password()
>> File
>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
>> line 520, in update_pki_admin_password
>> ldap.modify_password(dn, self.dirman_password)
>> File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line
>> 332, in modify_password
>> self.conn.passwd_s(dn, old_pass, new_pass)
>> File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
>> self.gen.throw(type, value, traceback)
>> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 919, in
>> error_handler
>> raise errors.DatabaseError(desc=desc, info=info)
>>
>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
>> ipa-replica-prepare command failed, exception: DatabaseError: Constraint
>> violation: Failed to update password
>> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Constraint
>> violation: Failed to update password
>>
>> Tomas
> It seems that this time the culprit is 389-ds-base packages. The password change
> is rejected when using the latest version of 389-ds-base
> (389-ds-base-1.3.1.2-1.fc19.x86_64). I tried testing it with a previous version
> (389-ds-base-1.3.0.5-1.fc19.x86_64) and it works.
>
> I opened an upstream ticket for the 389 DS project:
> https://fedorahosted.org/389/ticket/47406.
> The password change rejecti
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On 06/24/2013 02:27 PM, Tomas Babej wrote:
> On 06/11/2013 04:42 PM, Ade Lee wrote:
> [snip]
>> Just FYI, we plan to do a new release of pki-core today (pki-core-10.0.3-2)
>> to address this issue.
>>> --
>>> Regards,
>>>
>>> Ana Krivokapic
>>> Associate Software Engineer
>>> FreeIPA team
>>> Red Hat Inc.
>>
> Ok, so I tested the patch, since pki-core has the PkiExport command fixed now.
>
> I'm getting a little bit further now.
>
> [tbabej@vm-127 ~]$ sudo ipa-replica-prepare --ip-address 10.34.47.129
> vm-129.idm.lab.eng.brq.redhat.com
> Directory Manager (existing master) password:
>
> Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from
> vm-127.idm.lab.eng.brq.redhat.com
> Constraint violation: Failed to update password
>
> With debug output, I get (snipped out irrelevant parts):
>
> Directory Manager (existing master) password:
>
> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
> context.ldap2_57668944
> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
> url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
> conn=
> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection
> context.ldap2_57668944
> ipa: DEBUG: Search DNS for vm-129.idm.lab.eng.brq.redhat.com
> ipa: DEBUG: Search failed: [Errno -2] Name or service not known
> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache
> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
> url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
> conn=
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: Not logging
> to a file
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
> ipa-replica-prepare was invoked with arguments
> ['vm-129.idm.lab.eng.brq.redhat.com'] and options: {'log_file': None,
> 'verbose': True, 'reverse_zone': None, 'setup_pkinit': True, 'http_pin': None,
> 'quiet': False, 'http_pkcs12': None, 'pkinit_pkcs12': None, 'ca_file':
> '/root/cacert.p12', 'no_reverse': False, 'dirsrv_pkcs12': None, 'password':
> None, 'ip_address': CheckedIPAddress('10.34.47.129'), 'dirsrv_pin': None,
> 'pkinit_pin': None}
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: Preparing
> replica for vm-129.idm.lab.eng.brq.redhat.com from
> vm-127.idm.lab.eng.brq.redhat.com
> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
> ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache
> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
> url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
> conn=
> ipa: DEBUG: Starting external process
> ipa: DEBUG: args=/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p
> /tmp/tmprgUrso -w /tmp/tmp6SBBXF -o /root/cacert.p12
> ipa: DEBUG: Process finished, return code=0
> ipa: DEBUG: stdout=
> ipa: DEBUG: stderr=
> ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
> context.ldap2_139884970376144
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
> return_value = self.run()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> line 245, in run
> self.copy_ds_certificate()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> line 281, in copy_ds_certificate
> self.update_pki_admin_password()
> File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
> line 520, in update_pki_admin_password
> ldap.modify_password(dn, self.dirman_password)
> File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line
> 332, in modify_password
> self.conn.passwd_s(dn, old_pass, new_pass)
> File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
> self.gen.throw(type, value, traceback)
> File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 919, in
> error_handler
> raise errors.DatabaseError(desc=desc, info=info)
>
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
> ipa-replica-prepare command failed, exception: DatabaseError: Constraint
> violation: Failed to update password
> ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Constraint
> violation: Failed to update password
>
> Tomas

It seems that this time the culprit is 389-ds-base packages. The password change
is rejected when using the latest version of 389-ds-base
(389-ds-base-1.3.1.2-1.fc19.x86_64). I tried testing it with a previous version
(389-ds-base-1.3.0.5-1.fc19.x86_64) and it works.

I opened an upstream ticket for the 389 DS project:
https://fedorahosted.org/389/ticket/47406.

--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On 06/11/2013 04:42 PM, Ade Lee wrote:
[snip]
Just FYI, we plan to do a new release of pki-core today (pki-core-10.0.3-2)
to address this issue.
--
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

Ok, so I tested the patch, since pki-core has the PkiExport command fixed now.

I'm getting a little bit further now.

[tbabej@vm-127 ~]$ sudo ipa-replica-prepare --ip-address 10.34.47.129
vm-129.idm.lab.eng.brq.redhat.com
Directory Manager (existing master) password:

Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from
vm-127.idm.lab.eng.brq.redhat.com
Constraint violation: Failed to update password

With debug output, I get (snipped out irrelevant parts):

Directory Manager (existing master) password:

ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
context.ldap2_57668944
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
conn=
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection
context.ldap2_57668944
ipa: DEBUG: Search DNS for vm-129.idm.lab.eng.brq.redhat.com
ipa: DEBUG: Search failed: [Errno -2] Name or service not known
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
conn=
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: Not logging
to a file
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
ipa-replica-prepare was invoked with arguments
['vm-129.idm.lab.eng.brq.redhat.com'] and options: {'log_file': None,
'verbose': True, 'reverse_zone': None, 'setup_pkinit': True, 'http_pin': None,
'quiet': False, 'http_pkcs12': None, 'pkinit_pkcs12': None, 'ca_file':
'/root/cacert.p12', 'no_reverse': False, 'dirsrv_pkcs12': None, 'password':
None, 'ip_address': CheckedIPAddress('10.34.47.129'), 'dirsrv_pin': None,
'pkinit_pin': None}
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: Preparing
replica for vm-129.idm.lab.eng.brq.redhat.com from
vm-127.idm.lab.eng.brq.redhat.com
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
conn=
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p
/tmp/tmprgUrso -w /tmp/tmp6SBBXF -o /root/cacert.p12
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
context.ldap2_139884970376144
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
return_value = self.run()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
line 245, in run
self.copy_ds_certificate()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
line 281, in copy_ds_certificate
self.update_pki_admin_password()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py",
line 520, in update_pki_admin_password
ldap.modify_password(dn, self.dirman_password)
File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line
332, in modify_password
self.conn.passwd_s(dn, old_pass, new_pass)
File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
self.gen.throw(type, value, traceback)
File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 919, in
error_handler
raise errors.DatabaseError(desc=desc, info=info)

ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
ipa-replica-prepare command failed, exception: DatabaseError: Constraint
violation: Failed to update password
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR: Constraint
violation: Failed to update password

Tomas
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On Mon, 2013-06-10 at 16:35 +0200, Ana Krivokapic wrote:
> On 06/07/2013 10:23 AM, Tomas Babej wrote:
> > [snip]
> >
> > We might need to investigate what causes this, and if the issue is
> > not on our side, file appropriate bugs.
> >
> > Tomas
>
> This is a bug in the PKCS12Export utility. I opened a Bugzilla for
> it: https://bugzilla.redhat.com/show_bug.cgi?id=972753.
>
> Below is a workaround, as suggested by Ade:
> as for
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On 06/07/2013 10:23 AM, Tomas Babej wrote:
> On 05/15/2013 01:36 PM, Ana Krivokapic wrote:
>> [snip]
>>
>> Updated patch uses `ipautil.write_tmp_file()`.
>
> I'm testing on a fairly updated F19 VM:
>
> I'm getting the following error when preparing the replica info file:
>
> [snip]
>
> Exception in thread "main" java.lang.NoClassDefFoundError:
> org/mozilla/jss/util/PasswordCallback
>
> [snip]
>
> We might need to investigate what causes this, and if the issue is not
> on our side, file appropriate bugs.
>
> Tomas

This is a bug in the PKCS12Export utility. I opened a Bugzilla for it: https://bugzilla.redhat.com/show_bug.cgi?id=972753.

Below is a workaround, as suggested by Ade:

as for a workaround, you could simply edit the file that starts PKCS12Export
edit /usr/bin/PKCS12Export
after line 134, simply add the line:
CP=/usr/lib/java/jss4.jar
but that's just a temp fix for f19 only, not the real fix; you'll need the real fix checked in to pass the patch

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On 05/15/2013 01:36 PM, Ana Krivokapic wrote:
> On 05/15/2013 12:29 PM, Petr Viktorin wrote:
>> On 05/15/2013 12:04 PM, Tomas Babej wrote:
>>> On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
>>>> Hello,
>>>>
>>>> See the commit message for details.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/3594
>>>
>>> [snip]
>>
>> Or by using ipautil.write_tmp_file() -- the file it creates is always
>> removed after it's closed/garbage collected, and it has a name attribute.
>
> Updated patch uses `ipautil.write_tmp_file()`.

I'm testing on a fairly updated F19 VM:

I'm getting the following error when preparing the replica info file:

[root@vm-002 ~]# ipa-replica-prepare vm-003.ipa.com --ip-address 192.168.122.213
Directory Manager (existing master) password:

Preparing replica for vm-003.ipa.com from vm-002.ipa.com
Command '/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p /tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12' returned non

When trying that manually:

[root@vm-002 ~]# /usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p /tmp/tmp15Je9R -w /tmp/tmpCGD5Sr -o /root/cacert.p12
Exception in thread "main" java.lang.NoClassDefFoundError: org/mozilla/jss/util/PasswordCallback
    at java.lang.Class.getDeclaredMethods0(Native Method)
    at java.lang.Class.privateGetDeclaredMethods(Class.java:2451)
    at java.lang.Class.getMethod0(Class.java:2694)
    at java.lang.Class.getMethod(Class.java:1622)
    at sun.launcher.LauncherHelper.getMainMethod(LauncherHelper.java:494)
    at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:486)
Caused by: java.lang.ClassNotFoundException: org.mozilla.jss.util.PasswordCallback
    at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:423)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:356)
    ... 6 more

We might need to investigate what causes this, and if the issue is not on our side, file appropriate bugs.

Tomas
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On 05/15/2013 12:29 PM, Petr Viktorin wrote:
> On 05/15/2013 12:04 PM, Tomas Babej wrote:
>> On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
>>> Hello,
>>>
>>> See the commit message for details.
>>>
>>> https://fedorahosted.org/freeipa/ticket/3594
>>
>> [snip]
>>
>> This can be easily prevented by wrapping the call up with
>> try-catch-finally block, or using raiseonerr=False options of run
>> method.
>
> Or by using ipautil.write_tmp_file() – the file it creates is always
> removed after it's closed/garbage collected, and it has a name attribute.
>

Updated patch uses `ipautil.write_tmp_file()`.

-- 
Regards,

Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.

From ed1d0e1bfec6f13dd92b24ca01f832e183695068 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic Date: Wed, 15 May 2013 11:22:41 +0200 Subject: [PATCH] Make sure replication works after DM password is changed Replica information file contains the file `cacert.p12` which is protected by the Directory Manager password of the initial IPA server installation. The DM password of the initial installation is also used for the PKI admin user password. If the DM password is changed after the IPA server installation, the replication fails. To prevent this failure, add the following steps to ipa-replica-prepare: 1. Regenerate the `cacert.p12` file and protect it with the current DM password 2. Update the password of the PKI admin user with the current DM password https://fedorahosted.org/freeipa/ticket/3594 --- ipaserver/install/ipa_replica_prepare.py | 36 1 file changed, 36 insertions(+) diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index b6b063332a4ea6b87cddd20a0d53de22d4a0a639..eecced1b70a93de802d13bb3a6a36ebb135dddf8 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -274,6 +274,11 @@ def copy_ds_certificate(self): self.copy_info_file(options.dirsrv_pkcs12, "dscert.p12") else: if ipautil.file_exists(options.ca_file): +# Since it is possible that the Directory Manager password +# has changed since ipa-server-install, we need to regenerate +# the CA PKCS#12 file and update the pki admin user password +self.regenerate_ca_file(options.ca_file) +self.update_pki_admin_password() self.copy_info_file(options.ca_file, "cacert.p12") else: raise admintool.ScriptError("Root CA PKCS#12 not " 
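Review bot: `self.regenerate_ca_file(options.ca_file)` rewrites the PKCS#12 named by `options.ca_file` in place and `self.update_pki_admin_password()` resets `uid=admin,ou=people,o=ipaca` on every run, with nothing checking the "it is possible that the Directory Manager password has changed" the comment talks about. Two things follow: this side effect should be stated in the ipa-replica-prepare help text and man page, and the export should write to a temporary path and rename over `options.ca_file` only after PKCS12Export exits 0, so a failing exporter (the NoClassDefFoundError reported elsewhere in this thread) cannot leave a missing or unusable cacert.p12 behind.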
@@ -504,3 +509,34 @@ def export_ra_pkcs12(self): db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert") finally: os.remove(agent_name) + +def update_pki_admin_password(self): +ldap = ldap2(shared_instance=False) +ldap.connect( +bind_dn=DN(('cn', 'directory manager')), +bind_pw=self.dirman_password +) +dn = DN('uid=admin', 'ou=people', 'o=ipaca') +ldap.modify_password(dn, self.dirman_password) +ldap.disconnect() + +def regenerate_ca_file(self, ca_file): +dm_pwd_fd = ipautil.write_tmp_file(self.dirman_password) + +keydb_pwd = '' +with open('/etc/pki/pki-tomcat/password.conf') as f: +for line in f.readlines(): +key, value = line.strip().split('=') +if key == 'internal': +keydb_
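Review bot: in `update_pki_admin_password` the `ldap.connect(...)` / `ldap.modify_password(dn, self.dirman_password)` / `ldap.disconnect()` sequence has no try/finally, so when `modify_password` fails (the "Constraint violation: Failed to update password" reported at the top of this thread is that path) the Directory Manager bind is left open and the error surfaces as a bare traceback; wrap the modify in `try: ... finally: ldap.disconnect()` and turn the failure into a `ScriptError` that names the PKI admin entry. Further down, `key, value = line.strip().split('=')` still raises ValueError on a blank line or on a token password that contains '='; use `line.split('=', 1)` and skip lines without '='.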
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On 05/15/2013 12:04 PM, Tomas Babej wrote:
> On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
>> Hello,
>>
>> See the commit message for details.
>>
>> https://fedorahosted.org/freeipa/ticket/3594
>
> [snip]
>
> This might not be a big issue since mkstemp() call creates temporary
> file readable and writable only by the given user ID,
> however, we should not leave files with passwords in plaintext on the
> disk if it is not necessary.
>
> This can be easily prevented by wrapping the call up with
> try-catch-finally block, or using raiseonerr=False options of run
> method.

Or by using ipautil.write_tmp_file() – the file it creates is always removed after it's closed/garbage collected, and it has a name attribute.

-- 
Petr³
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
> Hello,
>
> See the commit message for details.
>
> https://fedorahosted.org/freeipa/ticket/3594

+def regenerate_ca_file(self, ca_file): +dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp() +keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp() + +os.write(dm_pwd_fd, self.dirman_password) +os.close(dm_pwd_fd) + +keydb_pwd = '' +with open('/etc/pki/pki-tomcat/password.conf') as f: +for line in f.readlines(): +key, value = line.strip().split('=') +if key == 'internal': +keydb_pwd = value +break + +os.write(keydb_pwd_fd, keydb_pwd) +os.close(keydb_pwd_fd) + +ipautil.run([ +'/usr/bin/PKCS12Export', +'-d', '/etc/pki/pki-tomcat/alias/', +'-p', keydb_pwd_fname, +'-w', dm_pwd_fname, +'-o', ca_file +]) +

If the PKCS12Export call fails (returns non-zero code), we raise exception here, and the temporary files are never removed.

+os.remove(dm_pwd_fname) +os.remove(keydb_pwd_fname)

This might not be a big issue since mkstemp() call creates temporary file readable and writable only by the given user ID, however, we should not leave files with passwords in plaintext on the disk if it is not necessary.

This can be easily prevented by wrapping the call up with try-catch-finally block, or using raiseonerr=False options of run method.

Tomas
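An added example, not FreeIPA's code and not the patch under review, showing the two handling details the review above turns on: parsing the Dogtag `password.conf` for the `internal` token password, and handing both secrets to an external exporter through temporary files that are unlinked even when the command raises. The function names (`parse_password_conf`, `secret_file`, `export_pkcs12`, `secret_file_removed_after_error`), the `exporter` parameter and the `SAMPLE_PASSWORD_CONF` text are assumptions made for this example; the `-d/-p/-w/-o` argument layout is the one the patch passes to `/usr/bin/PKCS12Export`.

```python
"""Added example (not FreeIPA code): safe handling of the two secrets that
ipa-replica-prepare hands to PKCS12Export via password files.

Point 1: parse password.conf without choking on blank lines or on a value
that itself contains '='.
Point 2: hold each secret in a 0600 temporary file that is unlinked in a
finally: block, so an exception from the external command can never leave
the plaintext password on disk (the problem raised in the review).
"""
import os
import subprocess
import tempfile
from contextlib import contextmanager

# Constructed sample in the Dogtag password.conf format (not a real file).
SAMPLE_PASSWORD_CONF = """\
# token passwords for the pki-tomcat instance
internal=s3cret=with=equals

hardware-nethsm=hsm-pin
replicationdb=repl-pw
"""


def parse_password_conf(text):
    """Return {token: password} from password.conf content.

    Blank lines and '#' comments are skipped and only the first '=' splits
    the line, because the password itself may contain '='.
    """
    creds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        creds[key.strip()] = value  # value kept verbatim: it is the password
    return creds


def internal_token_password(text):
    """Password of the NSS 'internal' token, or None when not configured."""
    return parse_password_conf(text).get('internal')


@contextmanager
def secret_file(secret):
    """Yield the path of a 0600 file containing `secret`; always unlink it.

    mkstemp() creates the file readable only by the current user; the
    finally: block removes it whether the with-body returns or raises.
    """
    fd, path = tempfile.mkstemp(prefix='ipa-secret-')
    try:
        os.write(fd, secret.encode('utf-8'))
        os.close(fd)
        yield path
    finally:
        os.unlink(path)


def export_pkcs12(nss_dir, keydb_password, export_password, out_file,
                  exporter=('/usr/bin/PKCS12Export',)):
    """Run the exporter with both passwords supplied through secret files.

    `exporter` (hypothetical parameter) lets the flow be exercised without
    Dogtag installed.  Returns (exit_status, leftover_secret_files); the
    second element is the cleanup check and should always be empty.
    """
    paths = []
    with secret_file(keydb_password) as keydb_pw, \
            secret_file(export_password) as export_pw:
        paths = [keydb_pw, export_pw]
        cmd = list(exporter) + ['-d', nss_dir, '-p', keydb_pw,
                                '-w', export_pw, '-o', out_file]
        status = subprocess.call(cmd)
    leftovers = [p for p in paths if os.path.exists(p)]
    return status, leftovers


def secret_file_removed_after_error(secret='hunter2'):
    """Failure-path check: raise inside the with-block, then confirm the
    secret file is gone and was 0600 while it existed."""
    path = None
    mode_ok = False
    try:
        with secret_file(secret) as path:
            mode_ok = (os.stat(path).st_mode & 0o077) == 0
            raise RuntimeError('simulated PKCS12Export failure')
    except RuntimeError:
        pass
    return mode_ok and not os.path.exists(path)


if __name__ == '__main__':
    print(internal_token_password(SAMPLE_PASSWORD_CONF))
    # Stand-in exporter: '/bin/sh -c "exit 3"' fails like a broken PKCS12Export.
    print(export_pkcs12('/etc/pki/pki-tomcat/alias/', 'kdb', 'dm',
                        '/tmp/cacert.p12', exporter=('/bin/sh', '-c', 'exit 3')))
    print(secret_file_removed_after_error())
```

`secret_file` keeps the `mkstemp()` the patch already uses (so the file is 0600 from creation) but moves the unlink into a `finally:` block, which is the same guarantee Petr's `ipautil.write_tmp_file()` suggestion provides; running `export_pkcs12` against the failing stand-in exporter shows that no password file survives the call regardless of the exit status.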
[Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
Hello, See the commit message for details. https://fedorahosted.org/freeipa/ticket/3594 -- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc. From 1354ddec918dd0de235c9a35e2155483c6c1d97a Mon Sep 17 00:00:00 2001 From: Ana Krivokapic Date: Wed, 15 May 2013 11:22:41 +0200 Subject: [PATCH] Make sure replication works after DM password is changed Replica information file contains the file `cacert.p12` which is protected by the Directory Manager password of the initial IPA server installation. The DM password of the initial installation is also used for the PKI admin user password. If the DM password is changed after the IPA server installation, the replication fails. To prevent this failure, add the following steps to ipa-replica-prepare: 1. Regenerate the `cacert.p12` file and protect it with the current DM password 2. Update the password of the PKI admin user with the current DM password https://fedorahosted.org/freeipa/ticket/3594 --- ipaserver/install/ipa_replica_prepare.py | 44 1 file changed, 44 insertions(+) diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py index b6b063332a4ea6b87cddd20a0d53de22d4a0a639..6f5e511ad7b3c83e2195832846fc1c9553ed276d 100644 --- a/ipaserver/install/ipa_replica_prepare.py +++ b/ipaserver/install/ipa_replica_prepare.py @@ -274,6 +274,11 @@ def copy_ds_certificate(self): self.copy_info_file(options.dirsrv_pkcs12, "dscert.p12") else: if ipautil.file_exists(options.ca_file): +# Since it is possible that the Directory Manager password +# has changed since ipa-server-install, we need to regenerate +# the CA PKCS#12 file and update the pki admin user password +self.regenerate_ca_file(options.ca_file) +self.update_pki_admin_password() self.copy_info_file(options.ca_file, "cacert.p12") else: raise admintool.ScriptError("Root CA PKCS#12 not " 
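Review bot: `self.update_pki_admin_password()` turns ipa-replica-prepare into a tool with a permanent side effect: every run now sets the `o=ipaca` admin password to whatever was typed at the "Directory Manager (existing master) password" prompt, with no log line and no mention in the help text. Log what is being reset before the call and document it in the ipa-replica-prepare man page, and consider doing the reset only when it is needed (for example when the export or an admin bind with the current DM password fails), since the "Constraint violation: Failed to update password" reported in this thread shows the unconditional modify can itself abort replica preparation.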
@@ -504,3 +509,42 @@ def export_ra_pkcs12(self): db.export_pkcs12(pkcs12_fname, agent_name, "ipaCert") finally: os.remove(agent_name) + +def update_pki_admin_password(self): +ldap = ldap2(shared_instance=False) +ldap.connect( +bind_dn=DN(('cn', 'directory manager')), +bind_pw=self.dirman_password +) +dn = DN('uid=admin', 'ou=people', 'o=ipaca') +ldap.modify_password(dn, self.dirman_password) +ldap.disconnect() + +def regenerate_ca_file(self, ca_file): +dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp() +keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp() + +os.write(dm_pwd_fd, self.dirman_password) +os.close(dm_pwd_fd) + +keydb_pwd = '' +with open('/etc/pki/pki-tomcat/password.conf') as f: +for line in f.readlines(): +key, value = line.strip().split('=') +if key == 'internal': +keydb_pwd = value +break + +os.write(keydb_pwd_fd, keydb_pwd) +os.close(keydb_pwd_fd) + +ipautil.run([ +'/usr/bin/PKCS12Export', +'-d', '/etc/pki/pki-tomcat/alias/', +'-p', keydb_pwd_fname, +'-w', dm_pwd_fname, +'-o', ca_file +]) + +os.remove(dm_pwd_fname) +os.remove(keydb_pwd_fname) -- 1.8.1.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
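Review bot: `key, value = line.strip().split('=')` in `regenerate_ca_file` raises ValueError on a blank line and on any token password that contains '=', so a valid password.conf aborts replica preparation with an unrelated traceback; use `line.split('=', 1)` and skip lines without '='. The hardcoded `/etc/pki/pki-tomcat/password.conf` and `/etc/pki/pki-tomcat/alias/` also tie this to the Dogtag 10 `pki-tomcat` layout; on a server upgraded from a Dogtag 9 `pki-ca` instance neither path exists and the `open()` fails, so take the instance paths from the same place the rest of the installer does, or fail with a clear ScriptError.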