import ipa-4.9.10-9.module+el8.7.0+17437+cf46f77f

This commit is contained in:
CentOS Sources 2023-01-12 03:29:17 -05:00 committed by Stepan Oksanichenko
parent e61384e393
commit 105d30c14d
4 changed files with 677 additions and 2 deletions

View File

@ -0,0 +1,62 @@
From 109cd579e3b089b7fad4c92bf25594eba1af8a21 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 23 Aug 2022 16:58:07 +0300
Subject: [PATCH] fix canonicalization issue in Web UI
When Kerberos principal alias is used to login to a Web UI, we end up
with a request that is authenticated by a ticket issued in the alias
name but metadata processed for the canonical user name. This confuses
RPC layer of Web UI code and causes infinite loop to reload the page.
Fix it by doing two things:
- force use of canonicalization of an enterprise principal on server
side, not just specifying that the principal is an enterprise one;
- recognize that a principal in the whoami()-returned object can have
aliases and the principal returned by the server in the JSON response
may be one of those aliases.
Fixes: https://pagure.io/freeipa/issue/9226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
---
install/ui/src/freeipa/ipa.js | 8 +++++++-
ipaserver/rpcserver.py | 1 +
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 758db1b00..a08d632e9 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -271,7 +271,13 @@ var IPA = function () {
var cn = that.whoami.data.krbcanonicalname;
if (cn) that.principal = cn[0];
if (!that.principal) {
- that.principal = that.whoami.data.krbprincipalname[0];
+ var principal = data.principal;
+ var idx = that.whoami.data.krbprincipalname.indexOf(principal);
+ if (idx > -1) {
+ that.principal = principal;
+ } else {
+ that.principal = that.whoami.data.krbprincipalname[0];
+ }
}
} else if (entity === 'idoverrideuser') {
that.principal = that.whoami.data.ipaoriginaluid[0];
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 1f85e9898..4e8a08b66 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -1109,6 +1109,7 @@ class login_password(Backend, KerberosSession):
ccache_name,
armor_ccache_name=armor_path,
enterprise=True,
+ canonicalize=True,
lifetime=self.api.env.kinit_lifetime)
if armor_path:
--
2.37.3

View File

@ -0,0 +1,473 @@
From 69413325158a3ea06d1491acd77ee6e0955ee89a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Sep 26 2022 11:48:47 +0000
Subject: Defer creating the final krb5.conf on clients
A temporary krb5.conf is created early during client enrollment
and was previously used only during the initial ipa-join call.
The final krb5.conf was written soon afterward.
If there are multiple servers it is possible that the client
may then choose a different KDC to connect. If the client
is faster than replication then the client may not exist
on all servers and therefore enrollment will fail.
This was seen in performance testing of how many simultaneous
client enrollments are possible.
Use a decorator to wrap the _install() method to ensure the
temporary files created during installation are cleaned up.
https://pagure.io/freeipa/issue/9228
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 920c517..93bc740 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -101,6 +101,37 @@ cli_basedn = None
# end of global variables
+def cleanup(func):
+ def inner(options, tdict):
+ # Add some additional options which contain the temporary files
+ # needed during installation.
+ fd, krb_name = tempfile.mkstemp()
+ os.close(fd)
+ ccache_dir = tempfile.mkdtemp(prefix='krbcc')
+
+ tdict['krb_name'] = krb_name
+ tdict['ccache_dir'] = ccache_dir
+
+ func(options, tdict)
+
+ os.environ.pop('KRB5_CONFIG', None)
+
+ try:
+ os.remove(krb_name)
+ except OSError:
+ logger.error("Could not remove %s", krb_name)
+ try:
+ os.rmdir(ccache_dir)
+ except OSError:
+ pass
+ try:
+ os.remove(krb_name + ".ipabkp")
+ except OSError:
+ logger.error("Could not remove %s.ipabkp", krb_name)
+
+ return inner
+
+
def remove_file(filename):
"""
Deletes a file. If the file does not exist (OSError 2) does nothing.
@@ -2652,7 +2683,7 @@ def restore_time_sync(statestore, fstore):
def install(options):
try:
- _install(options)
+ _install(options, dict())
except ScriptError as e:
if e.rval == CLIENT_INSTALL_ERROR:
if options.force:
@@ -2679,7 +2710,8 @@ def install(options):
pass
-def _install(options):
+@cleanup
+def _install(options, tdict):
env = {'PATH': SECURE_PATH}
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
@@ -2687,6 +2719,9 @@ def _install(options):
statestore.backup_state('installation', 'complete', False)
+ krb_name = tdict['krb_name']
+ ccache_dir = tdict['ccache_dir']
+
if not options.on_master:
# Try removing old principals from the keytab
purge_host_keytab(cli_realm)
@@ -2719,182 +2754,162 @@ def _install(options):
host_principal = 'host/%s@%s' % (hostname, cli_realm)
if not options.on_master:
nolog = tuple()
- # First test out the kerberos configuration
- fd, krb_name = tempfile.mkstemp()
- os.close(fd)
- ccache_dir = tempfile.mkdtemp(prefix='krbcc')
- try:
- configure_krb5_conf(
- cli_realm=cli_realm,
- cli_domain=cli_domain,
- cli_server=cli_server,
- cli_kdc=cli_kdc,
- dnsok=False,
- filename=krb_name,
- client_domain=client_domain,
- client_hostname=hostname,
- configure_sssd=options.sssd,
- force=options.force)
- env['KRB5_CONFIG'] = krb_name
- ccache_name = os.path.join(ccache_dir, 'ccache')
- join_args = [
- paths.SBIN_IPA_JOIN,
- "-s", cli_server[0],
- "-b", str(realm_to_suffix(cli_realm)),
- "-h", hostname,
- "-k", paths.KRB5_KEYTAB
- ]
- if options.debug:
- join_args.append("-d")
- env['XMLRPC_TRACE_CURL'] = 'yes'
- if options.force_join:
- join_args.append("-f")
- if options.principal is not None:
- stdin = None
- principal = options.principal
- if principal.find('@') == -1:
- principal = '%s@%s' % (principal, cli_realm)
- if options.password is not None:
- stdin = options.password
+ configure_krb5_conf(
+ cli_realm=cli_realm,
+ cli_domain=cli_domain,
+ cli_server=cli_server,
+ cli_kdc=cli_kdc,
+ dnsok=False,
+ filename=krb_name,
+ client_domain=client_domain,
+ client_hostname=hostname,
+ configure_sssd=options.sssd,
+ force=options.force)
+ env['KRB5_CONFIG'] = krb_name
+ ccache_name = os.path.join(ccache_dir, 'ccache')
+ join_args = [
+ paths.SBIN_IPA_JOIN,
+ "-s", cli_server[0],
+ "-b", str(realm_to_suffix(cli_realm)),
+ "-h", hostname,
+ "-k", paths.KRB5_KEYTAB
+ ]
+ if options.debug:
+ join_args.append("-d")
+ env['XMLRPC_TRACE_CURL'] = 'yes'
+ if options.force_join:
+ join_args.append("-f")
+ if options.principal is not None:
+ stdin = None
+ principal = options.principal
+ if principal.find('@') == -1:
+ principal = '%s@%s' % (principal, cli_realm)
+ if options.password is not None:
+ stdin = options.password
+ else:
+ if not options.unattended:
+ try:
+ stdin = getpass.getpass(
+ "Password for %s: " % principal)
+ except EOFError:
+ stdin = None
+ if not stdin:
+ raise ScriptError(
+ "Password must be provided for {}.".format(
+ principal),
+ rval=CLIENT_INSTALL_ERROR)
else:
- if not options.unattended:
- try:
- stdin = getpass.getpass(
- "Password for %s: " % principal)
- except EOFError:
- stdin = None
- if not stdin:
- raise ScriptError(
- "Password must be provided for {}.".format(
- principal),
- rval=CLIENT_INSTALL_ERROR)
+ if sys.stdin.isatty():
+ logger.error(
+ "Password must be provided in "
+ "non-interactive mode.")
+ logger.info(
+ "This can be done via "
+ "echo password | ipa-client-install ... "
+ "or with the -w option.")
+ raise ScriptError(rval=CLIENT_INSTALL_ERROR)
else:
- if sys.stdin.isatty():
- logger.error(
- "Password must be provided in "
- "non-interactive mode.")
- logger.info(
- "This can be done via "
- "echo password | ipa-client-install ... "
- "or with the -w option.")
- raise ScriptError(rval=CLIENT_INSTALL_ERROR)
- else:
- stdin = sys.stdin.readline()
+ stdin = sys.stdin.readline()
+ try:
+ kinit_password(principal, stdin, ccache_name,
+ config=krb_name)
+ except RuntimeError as e:
+ print_port_conf_info()
+ raise ScriptError(
+ "Kerberos authentication failed: {}".format(e),
+ rval=CLIENT_INSTALL_ERROR)
+ elif options.keytab:
+ join_args.append("-f")
+ if os.path.exists(options.keytab):
try:
- kinit_password(principal, stdin, ccache_name,
- config=krb_name)
- except RuntimeError as e:
+ kinit_keytab(host_principal,
+ options.keytab,
+ ccache_name,
+ config=krb_name,
+ attempts=options.kinit_attempts)
+ except gssapi.exceptions.GSSError as e:
print_port_conf_info()
raise ScriptError(
"Kerberos authentication failed: {}".format(e),
rval=CLIENT_INSTALL_ERROR)
- elif options.keytab:
- join_args.append("-f")
- if os.path.exists(options.keytab):
- try:
- kinit_keytab(host_principal,
- options.keytab,
- ccache_name,
- config=krb_name,
- attempts=options.kinit_attempts)
- except gssapi.exceptions.GSSError as e:
- print_port_conf_info()
- raise ScriptError(
- "Kerberos authentication failed: {}".format(e),
- rval=CLIENT_INSTALL_ERROR)
- else:
- raise ScriptError(
- "Keytab file could not be found: {}".format(
- options.keytab),
- rval=CLIENT_INSTALL_ERROR)
- elif options.password:
- nolog = (options.password,)
- join_args.append("-w")
- join_args.append(options.password)
- elif options.prompt_password:
- if options.unattended:
- raise ScriptError(
- "Password must be provided in non-interactive mode",
- rval=CLIENT_INSTALL_ERROR)
- try:
- password = getpass.getpass("Password: ")
- except EOFError:
- password = None
- if not password:
- raise ScriptError(
- "Password must be provided.",
- rval=CLIENT_INSTALL_ERROR)
- join_args.append("-w")
- join_args.append(password)
- nolog = (password,)
-
- env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = ccache_name
- # Get the CA certificate
+ else:
+ raise ScriptError(
+ "Keytab file could not be found: {}".format(
+ options.keytab),
+ rval=CLIENT_INSTALL_ERROR)
+ elif options.password:
+ nolog = (options.password,)
+ join_args.append("-w")
+ join_args.append(options.password)
+ elif options.prompt_password:
+ if options.unattended:
+ raise ScriptError(
+ "Password must be provided in non-interactive mode",
+ rval=CLIENT_INSTALL_ERROR)
try:
- os.environ['KRB5_CONFIG'] = env['KRB5_CONFIG']
- get_ca_certs(fstore, options, cli_server[0], cli_basedn,
- cli_realm)
- del os.environ['KRB5_CONFIG']
- except errors.FileError as e:
- logger.error('%s', e)
- raise ScriptError(rval=CLIENT_INSTALL_ERROR)
- except Exception as e:
- logger.error("Cannot obtain CA certificate\n%s", e)
- raise ScriptError(rval=CLIENT_INSTALL_ERROR)
-
- # Now join the domain
- result = run(
- join_args, raiseonerr=False, env=env, nolog=nolog,
- capture_error=True)
- stderr = result.error_output
+ password = getpass.getpass("Password: ")
+ except EOFError:
+ password = None
+ if not password:
+ raise ScriptError(
+ "Password must be provided.",
+ rval=CLIENT_INSTALL_ERROR)
+ join_args.append("-w")
+ join_args.append(password)
+ nolog = (password,)
- if result.returncode != 0:
- logger.error("Joining realm failed: %s", stderr)
- if not options.force:
- if result.returncode == 13:
- logger.info(
- "Use --force-join option to override the host "
- "entry on the server and force client enrollment.")
- raise ScriptError(rval=CLIENT_INSTALL_ERROR)
- logger.info(
- "Use ipa-getkeytab to obtain a host "
- "principal for this server.")
- else:
- logger.info("Enrolled in IPA realm %s", cli_realm)
+ env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = ccache_name
+ # Get the CA certificate
+ try:
+ os.environ['KRB5_CONFIG'] = env['KRB5_CONFIG']
+ get_ca_certs(fstore, options, cli_server[0], cli_basedn,
+ cli_realm)
+ except errors.FileError as e:
+ logger.error('%s', e)
+ raise ScriptError(rval=CLIENT_INSTALL_ERROR)
+ except Exception as e:
+ logger.error("Cannot obtain CA certificate\n%s", e)
+ raise ScriptError(rval=CLIENT_INSTALL_ERROR)
- if options.principal is not None:
- run([paths.KDESTROY], raiseonerr=False, env=env)
+ # Now join the domain
+ result = run(
+ join_args, raiseonerr=False, env=env, nolog=nolog,
+ capture_error=True)
+ stderr = result.error_output
- # Obtain the TGT. We do it with the temporary krb5.conf, so that
- # only the KDC we're installing under is contacted.
- # Other KDCs might not have replicated the principal yet.
- # Once we have the TGT, it's usable on any server.
- try:
- kinit_keytab(host_principal, paths.KRB5_KEYTAB, CCACHE_FILE,
- config=krb_name,
- attempts=options.kinit_attempts)
- env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = CCACHE_FILE
- except gssapi.exceptions.GSSError as e:
- print_port_conf_info()
- logger.error("Failed to obtain host TGT: %s", e)
- # failure to get ticket makes it impossible to login and bind
- # from sssd to LDAP, abort installation and rollback changes
+ if result.returncode != 0:
+ logger.error("Joining realm failed: %s", stderr)
+ if not options.force:
+ if result.returncode == 13:
+ logger.info(
+ "Use --force-join option to override the host "
+ "entry on the server and force client enrollment.")
raise ScriptError(rval=CLIENT_INSTALL_ERROR)
+ logger.info(
+ "Use ipa-getkeytab to obtain a host "
+ "principal for this server.")
+ else:
+ logger.info("Enrolled in IPA realm %s", cli_realm)
- finally:
- try:
- os.remove(krb_name)
- except OSError:
- logger.error("Could not remove %s", krb_name)
- try:
- os.rmdir(ccache_dir)
- except OSError:
- pass
- try:
- os.remove(krb_name + ".ipabkp")
- except OSError:
- logger.error("Could not remove %s.ipabkp", krb_name)
+ if options.principal is not None:
+ run([paths.KDESTROY], raiseonerr=False, env=env)
+
+ # Obtain the TGT. We do it with the temporary krb5.conf, so that
+ # only the KDC we're installing under is contacted.
+ # Other KDCs might not have replicated the principal yet.
+ # Once we have the TGT, it's usable on any server.
+ try:
+ kinit_keytab(host_principal, paths.KRB5_KEYTAB, CCACHE_FILE,
+ config=krb_name,
+ attempts=options.kinit_attempts)
+ env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = CCACHE_FILE
+ except gssapi.exceptions.GSSError as e:
+ print_port_conf_info()
+ logger.error("Failed to obtain host TGT: %s", e)
+ # failure to get ticket makes it impossible to login and bind
+ # from sssd to LDAP, abort installation and rollback changes
+ raise ScriptError(rval=CLIENT_INSTALL_ERROR)
# Configure ipa.conf
if not options.on_master:
@@ -2931,23 +2946,6 @@ def _install(options):
except gssapi.exceptions.GSSError as e:
logger.error("Failed to obtain host TGT: %s", e)
raise ScriptError(rval=CLIENT_INSTALL_ERROR)
- else:
- # Configure krb5.conf
- fstore.backup_file(paths.KRB5_CONF)
- configure_krb5_conf(
- cli_realm=cli_realm,
- cli_domain=cli_domain,
- cli_server=cli_server,
- cli_kdc=cli_kdc,
- dnsok=dnsok,
- filename=paths.KRB5_CONF,
- client_domain=client_domain,
- client_hostname=hostname,
- configure_sssd=options.sssd,
- force=options.force)
-
- logger.info(
- "Configured /etc/krb5.conf for IPA realm %s", cli_realm)
# Clear out any current session keyring information
try:
@@ -3274,6 +3272,23 @@ def _install(options):
configure_nisdomain(
options=options, domain=cli_domain, statestore=statestore)
+ # Configure the final krb5.conf
+ if not options.on_master:
+ fstore.backup_file(paths.KRB5_CONF)
+ configure_krb5_conf(
+ cli_realm=cli_realm,
+ cli_domain=cli_domain,
+ cli_server=cli_server,
+ cli_kdc=cli_kdc,
+ dnsok=dnsok,
+ filename=paths.KRB5_CONF,
+ client_domain=client_domain,
+ client_hostname=hostname,
+ configure_sssd=options.sssd,
+ force=options.force)
+
+ logger.info("Configured /etc/krb5.conf for IPA realm %s", cli_realm)
+
statestore.delete_state('installation', 'complete')
statestore.backup_state('installation', 'complete', True)
logger.info('Client configuration complete.')

View File

@ -0,0 +1,123 @@
From c643e56e4c45b7cb61aa53989657143627c23e04 Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Nov 22 2022 06:56:00 +0000
Subject: Vault: fix interoperability issues with older RHEL systems
AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets.
This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but
setting AES as default ended-up breaking backwards compatibility with older RHEL systems.
This commit is tuning some defaults so that interoperability with older RHEL systems
works again. The new logic reflects:
- when an old client is calling a new server, it doesn't send any value for wrapping_algo
and the old value is used (3DES), so that the client can decrypt using 3DES.
- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC
- when a new client is calling an old server, it doesn't send any value and the default is
to use 3DES.
Finally, as this logic is able to handle overlapping wrapping algorithm between server and
client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa
vault-retrieve --help" commands.
Fixes: https://pagure.io/freeipa/issue/9259
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
diff --git a/API.txt b/API.txt
index 9892211..2bd1cc2 100644
--- a/API.txt
+++ b/API.txt
@@ -6666,7 +6666,7 @@ option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Bytes('vault_data')
option: Str('version?')
-option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
@@ -6766,7 +6766,7 @@ option: Bytes('session_key')
option: Flag('shared?', autofill=True, default=False)
option: Str('username?', cli_name='user')
option: Str('version?')
-option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
+option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
output: Entry('result')
output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
output: PrimaryKey('value')
diff --git a/VERSION.m4 b/VERSION.m4
index 7d60b01..b4b1774 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -86,8 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)
# #
########################################################
define(IPA_API_VERSION_MAJOR, 2)
-# Last change: add graceperiodlimit
-define(IPA_API_VERSION_MINOR, 248)
+# Last change: fix vault interoperability issues.
+define(IPA_API_VERSION_MINOR, 251)
########################################################
# Following values are auto-generated from values above
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index 115171c..d4c84eb 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -687,7 +687,7 @@ class ModVaultData(Local):
default_algo = config.get('wrapping_default_algorithm')
if default_algo is None:
# old server
- wrapping_algo = constants.VAULT_WRAPPING_AES128_CBC
+ wrapping_algo = constants.VAULT_WRAPPING_3DES
elif default_algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS:
# try to use server default
wrapping_algo = default_algo
@@ -801,7 +801,8 @@ class vault_archive(ModVaultData):
if option.name not in ('nonce',
'session_key',
'vault_data',
- 'version'):
+ 'version',
+ 'wrapping_algo'):
yield option
for option in super(vault_archive, self).get_options():
yield option
@@ -1053,7 +1054,7 @@ class vault_retrieve(ModVaultData):
def get_options(self):
for option in self.api.Command.vault_retrieve_internal.options():
- if option.name not in ('session_key', 'version'):
+ if option.name not in ('session_key', 'version', 'wrapping_algo'):
yield option
for option in super(vault_retrieve, self).get_options():
yield option
diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
index 4d40f66..574c83a 100644
--- a/ipaserver/plugins/vault.py
+++ b/ipaserver/plugins/vault.py
@@ -1051,7 +1051,7 @@ class vault_archive_internal(PKQuery):
'wrapping_algo?',
doc=_('Key wrapping algorithm'),
values=VAULT_WRAPPING_SUPPORTED_ALGOS,
- default=VAULT_WRAPPING_DEFAULT_ALGO,
+ default=VAULT_WRAPPING_3DES,
autofill=True,
),
)
@@ -1130,7 +1130,7 @@ class vault_retrieve_internal(PKQuery):
'wrapping_algo?',
doc=_('Key wrapping algorithm'),
values=VAULT_WRAPPING_SUPPORTED_ALGOS,
- default=VAULT_WRAPPING_DEFAULT_ALGO,
+ default=VAULT_WRAPPING_3DES,
autofill=True,
),
)

View File

@ -191,7 +191,7 @@
Name: %{package_name} Name: %{package_name}
Version: %{IPA_VERSION} Version: %{IPA_VERSION}
Release: 6%{?rc_version:.%rc_version}%{?dist} Release: 9%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
License: GPLv3+ License: GPLv3+
@ -221,6 +221,9 @@ Patch0007: 0007-webui-Allow-grace-login-limit_rhbz#2109243.patch
Patch0008: 0008-check_repl_update-in-progress-is-a-boolean_rhbz#2117303.patch Patch0008: 0008-check_repl_update-in-progress-is-a-boolean_rhbz#2117303.patch
Patch0009: 0009-Disabling-gracelimit-does-not-prevent-LDAP-binds_rhbz#2109236.patch Patch0009: 0009-Disabling-gracelimit-does-not-prevent-LDAP-binds_rhbz#2109236.patch
Patch0010: 0010-Set-passwordgracelimit-to-match-global-policy-on-group-pw-policies_rhbz#2115475.patch Patch0010: 0010-Set-passwordgracelimit-to-match-global-policy-on-group-pw-policies_rhbz#2115475.patch
Patch0011: 0011-fix-canonicalization-issue-in-Web-UI_rhbz#2133050.patch
Patch0012: 0012-Defer-creating-the-final-krb5-conf-on-clients_rhbz#2150246.patch
Patch0013: 0013-Vault-fix-interoperability-issues-with-older-RHEL-systems_rhbz#2148255.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
%endif %endif
@ -1718,11 +1721,25 @@ fi
%if %{with selinux} %if %{with selinux}
%files selinux %files selinux
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
# with selinux # with selinux
%endif %endif
%changelog %changelog
* Mon Dec 5 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-9
- Exclude installed policy module file from RPM verification
Resolves: RHBZ#2150243
* Fri Dec 2 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-8
- Defer creating the final krb5.conf on clients
Resolves: RHBZ#2150246
- Vault: fix interoperability issues with older RHEL systems
Resolves: RHBZ#2148255
* Thu Oct 13 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-7
- Fix canonicalization issue in Web UI
Resolves: RHBZ#2133050
* Mon Aug 22 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-6 * Mon Aug 22 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-6
- webui: Allow grace login limit - webui: Allow grace login limit
Resolves: RHBZ#2109243 Resolves: RHBZ#2109243