rpms/ipa
6
0
Fork 0
Code Issues Pull Requests Releases Activity

ipa-4.12.2-8

Browse Source 
- Resolves: RHEL-69300 Support GSSAPI in Cockpit on IPA servers
- Resolves: RHEL-68447 ipa trust-add fails in FIPS mode with an internal error has occurred
- Resolves: RHEL-57674 Use RSNv3 and enable cert pruning by default in RHEL 10.0

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Florence Blanc-Renaud 2024-11-27 19:43:17 +01:00
parent 255a8322a5
commit 1e38d43370
12 changed files with 963 additions and 2 deletions

148
0033-selinux-allow-Cockpit-to-use-HTTP-keytab-on-IPA-serv.patch Normal file
View File

@ -0,0 +1,148 @@
From c71e12e902b3912c31245d46ad6f2c2ddee01126 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 1 Oct 2024 11:28:28 +0300
Subject: [PATCH] selinux: allow Cockpit to use HTTP keytab on IPA servers
Cockpit can use GSSAPI authentication and has pretty good definition of
how to enable it: https://cockpit-project.org/guide/latest/sso.html.
These instructions work on IPA clients but they cannot be used on IPA
servers because IPA framework already owns HTTP/.. Kerberos service and
its keytab.
Luckily, there are two changes that need to be done to enable Cockpit
single sign-on with GSSAPI on IPA servers:
- create a symlink /etc/cockpit/krb5.keytab to
/var/lib/ipa/gssproxy/http.keytab
- add SELinux policy to allow cockpit_session_t to operate on
/var/lib/ipa/gssproxy/http.keytab file
For existing installation an upgrade process would restore SELinux
context of the http.keytab file to the new value.
Note that Cockpit documentation above also talks about Kerberos service
modifications to enable delegation. These modifications should not be
done for IPA servers' HTTP services, as these services are already
enabled to handle delegation.
Fixes: https://pagure.io/freeipa/issue/9675
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/server/upgrade.py | 1 +
selinux/ipa.fc | 2 ++
selinux/ipa.if | 24 ++++++++++++++++++++++++
selinux/ipa.te | 19 +++++++++++++++++++
4 files changed, 46 insertions(+)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 31d4f8398cfb0251cc59ada909eb55635b83e960..d5c466ee2f905eafd15663fef46d052ade30d742 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1124,6 +1124,7 @@ def update_http_keytab(http):
paths.OLD_IPA_KEYTAB, e
)
http.keytab_user.chown(http.keytab)
+ tasks.restore_context(http.keytab)
def ds_enable_sidgen_extdom_plugins(ds):
diff --git a/selinux/ipa.fc b/selinux/ipa.fc
index 47bd19ba77418cad1f0904dc4a9a35ce9d6ff9d2..15e8e41aa50228ff560e338044240b46bc24cc40 100644
--- a/selinux/ipa.fc
+++ b/selinux/ipa.fc
@@ -22,6 +22,8 @@
/var/lib/ipa(/.*)? gen_context(system_u:object_r:ipa_var_lib_t,s0)
+/var/lib/ipa/gssproxy/http.keytab -- gen_context(system_u:object_r:ipa_http_keytab_t,s0)
+
/var/log/ipa(/.*)? gen_context(system_u:object_r:ipa_log_t,s0)
/var/log/ipabackup.log -- gen_context(system_u:object_r:ipa_log_t,s0)
diff --git a/selinux/ipa.if b/selinux/ipa.if
index 8c47e7963af92b1ddcd59d92aa45d6b8e9c0c6cc..8f3147e10bd294665dd41e1c1f99c993d9699d20 100644
--- a/selinux/ipa.if
+++ b/selinux/ipa.if
@@ -155,6 +155,7 @@ interface(`ipa_manage_log',`
########################################
## <summary>
## Allow domain to manage ipa lib files/dirs.
+## This includes reading ipa_http_keytab_t files.
## </summary>
## <param name="domain">
## <summary>
@@ -164,10 +165,33 @@ interface(`ipa_manage_log',`
#
interface(`ipa_read_lib',`
gen_require(`
+ type ipa_http_keytab_t;
type ipa_var_lib_t;
')
read_files_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+ read_files_pattern($1, ipa_http_keytab_t, ipa_http_keytab_t)
+ list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow domain to manage ipa HTTP keytab file.
+## This includes reading ipa_var_lib_t directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ipa_read_http_keytab',`
+ gen_require(`
+ type ipa_http_keytab_t;
+ type ipa_var_lib_t;
+ ')
+
+ read_files_pattern($1, ipa_http_keytab_t, ipa_http_keytab_t)
list_dirs_pattern($1, ipa_var_lib_t, ipa_var_lib_t)
')
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 2546a9bd9468200185c484974a9e71f16f89de71..e4ce66687a48b27e85591cdd8352f7cac94d3151 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -43,6 +43,9 @@ logging_log_file(ipa_log_t)
type ipa_var_lib_t;
files_type(ipa_var_lib_t)
+type ipa_http_keytab_t;
+files_type(ipa_http_keytab_t)
+
type ipa_var_run_t;
files_pid_file(ipa_var_run_t)
@@ -516,3 +519,19 @@ optional_policy(`
')
allow certmonger_t pki_tomcat_etc_rw_t:file { getattr ioctl open read };
')
+
+# gssproxy needs to read http keytab
+optional_policy(`
+ gen_require(`
+ type gssproxy_t;
+ ')
+ ipa_read_http_keytab(gssproxy_t)
+')
+
+# Allow Cockpit to use HTTP keytab on IPA servers for GSSAPI authentication
+optional_policy(`
+ gen_require(`
+ type cockpit_session_t;
+ ')
+ ipa_read_http_keytab(cockpit_session_t)
+')
--
2.47.0

94
0034-Minimal-test-for-Cockpit-integration-on-IPA-master.patch Normal file
View File

@ -0,0 +1,94 @@
From 0dadcbb4ac9f6142b5130f025f64d918d6f208a9 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 8 Oct 2024 10:25:08 +0300
Subject: [PATCH] Minimal test for Cockpit integration on IPA master
Add a test to share HTTP service keytab on IPA master between IPA and
Cockpit. The test configures Cockpit with IPA CA-issued certificate and
allows Cockpit to access IPA HTTP service keytab for authentication.
The test then attempts to authenticate with GSSAPI as admin user. A
successful result is when we receive CSRF token from the Cockpit as
the result of this authentication. This means we have logged in
successfully with Kerberos.
Fixes: https://pagure.io/freeipa/issue/9675
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_cockpit.py | 61 +++++++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 ipatests/test_integration/test_cockpit.py
diff --git a/ipatests/test_integration/test_cockpit.py b/ipatests/test_integration/test_cockpit.py
new file mode 100644
index 0000000000000000000000000000000000000000..cdc96170a116536c7aa00be78cc4e0225804e21c
--- /dev/null
+++ b/ipatests/test_integration/test_cockpit.py
@@ -0,0 +1,61 @@
+#
+# Copyright (C) 2024 FreeIPA Contributors see COPYING for license
+#
+
+from __future__ import absolute_import
+
+import time
+from ipatests.pytest_ipa.integration import tasks
+from ipatests.test_integration.base import IntegrationTest
+from ipaplatform.paths import paths
+
+
+class TestCockpitIntegration(IntegrationTest):
+ topology = "line"
+ reqcert = '/etc/cockpit/ws-certs.d/99-cockpit.cert'
+ reqkey = '/etc/cockpit/ws-certs.d/99-cockpit.key'
+ symlink = '/etc/cockpit/krb5.keytab'
+
+ @classmethod
+ def uninstall(cls, mh):
+ cls.master.run_command(['ipa-getcert', 'stop-tracking', '-f',
+ cls.reqcert], raiseonerr=False)
+ cls.master.run_command(['rm', '-f', cls.symlink], raiseonerr=False)
+ cls.master.run_command(['systemctl', 'disable', '--now',
+ 'cockpit.socket'])
+ super(TestCockpitIntegration, cls).uninstall(mh)
+
+ @classmethod
+ def install(cls, mh):
+ master = cls.master
+
+ # Install Cockpit and configure it to use IPA certificate and keytab
+ master.run_command(['dnf', 'install', '-y', 'cockpit', 'curl'],
+ raiseonerr=False)
+
+ super(TestCockpitIntegration, cls).install(mh)
+
+ master.run_command(['ipa-getcert', 'request', '-f', cls.reqcert, '-k',
+ cls.reqkey, '-D', cls.master.hostname, '-K',
+ 'host/' + cls.master.hostname, '-m', '0640', '-o',
+ 'root:cockpit-ws', '-O', 'root:root', '-M',
+ '0644'], raiseonerr=False)
+
+ master.run_command(['ln', '-s', paths.HTTP_KEYTAB, cls.symlink],
+ raiseonerr=False)
+
+ time.sleep(5)
+ master.run_command(['systemctl', 'enable', '--now', 'cockpit.socket'])
+
+ def test_login_with_kerberos(self):
+ """
+ Login to Cockpit using GSSAPI authentication
+ """
+ master = self.master
+ tasks.kinit_admin(master)
+
+ cockpit_login = f'https://{master.hostname}:9090/cockpit/login'
+ result = master.run_command([paths.BIN_CURL, '-u:', '--negotiate',
+ '--cacert', paths.IPA_CA_CRT,
+ cockpit_login])
+ assert ("csrf-token" in result.stdout_text)
--
2.47.0

42
0035-ipatests-install-master-with-allow-zone-overlap.patch Normal file
View File

@ -0,0 +1,42 @@
From baa9fc3e3e2f6b39db5ec465c92dc597cd5399b9 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 12 Nov 2024 16:44:46 +0100
Subject: [PATCH] ipatests: install master with allow-zone-overlap
In the IPA to IPA migration tests, install the destination master
with --setup-dns --allow-zone-overlap to allow installation
even if the zone is already served by the source master.
Fixes: https://pagure.io/freeipa/issue/9697
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
---
ipatests/test_integration/test_ipa_ipa_migration.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
index d852ca63a6b3a7e7118d66ce1cd9bb98e56f1a73..0c637a0141d95f34f951c60a9648adf8e87eaa63 100644
--- a/ipatests/test_integration/test_ipa_ipa_migration.py
+++ b/ipatests/test_integration/test_ipa_ipa_migration.py
@@ -345,7 +345,8 @@ class MigrationTest(IntegrationTest):
tasks.install_master(cls.master, setup_dns=True, setup_kra=True)
prepare_ipa_server(cls.master)
tasks.install_client(cls.master, cls.clients[0], nameservers=None)
- tasks.install_master(cls.replicas[0], setup_dns=True, setup_kra=True)
+ tasks.install_master(cls.replicas[0], setup_dns=True, setup_kra=True,
+ extra_args=['--allow-zone-overlap'])
class TestIPAMigrateCLIOptions(MigrationTest):
@@ -1211,7 +1212,7 @@ class TestIPAMigrationWithADtrust(IntegrationTest):
"""
tasks.install_master(
self.replicas[0], setup_dns=True,
- extra_args=['--no-dnssec-validation']
+ extra_args=['--no-dnssec-validation', '--allow-zone-overlap']
)
tasks.install_adtrust(self.replicas[0])
--
2.47.0

38
0036-ipaserver-dcerpc-support-Samba-4.21.patch Normal file
View File

@ -0,0 +1,38 @@
From c306c613399cdd9a2c716b83ce0d47d320aec2a8 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 19 Nov 2024 12:57:46 +0200
Subject: [PATCH] ipaserver/dcerpc: support Samba 4.21
Samba 4.21 moved samba.trust_utils module to samba.lsa_utils.
Fixes: https://pagure.io/freeipa/issue/9702
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/dcerpc.py | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index a28c72361276f12a1a02cd126425ac3c62eddd4f..3344ea226e3cba61912e717f9c375612bb4707e0 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -55,9 +55,13 @@ from samba import ntstatus
import samba
try:
- from samba.trust_utils import CreateTrustedDomainRelax
+ from samba.lsa_utils import CreateTrustedDomainRelax
except ImportError:
- CreateTrustedDomainRelax = None
+ try:
+ from samba.trust_utils import CreateTrustedDomainRelax
+ except ImportError:
+ CreateTrustedDomainRelax = None
+
try:
from samba import arcfour_encrypt
except ImportError:
--
2.47.0

161
0037-Change-default-to-RSN-when-389-ds-uses-the-mdb-backe.patch Normal file
View File

@ -0,0 +1,161 @@
From 3777d2b06299454766ab70ee479a829d5f6b7fc0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 11 Sep 2024 16:32:07 -0400
Subject: [PATCH] Change default to RSN when 389-ds uses the mdb backend
The lmdb performance for VLV indexes is not great so the PKI
team recommended we switch from sequential serial numbers to
Random Serial Numbers (RSN).
The first time a non-bdb backend (future-proofing) is installed
then the replication RSN configuration value is stored. All future
replica installs will use RSN.
We have no way of enforcing ONLY to have RSN across a topology
so it will be up to administrators to retire any sequential CAs.
Fixes: https://pagure.io/freeipa/issue/9661
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
---
install/tools/ipa-ca-install.in | 6 ++++-
install/tools/man/ipa-ca-install.1 | 2 +-
install/tools/man/ipa-server-install.1 | 2 +-
ipaserver/install/cainstance.py | 29 +++++++++++++++++++++++
ipatests/test_xmlrpc/tracker/ca_plugin.py | 6 ++++-
5 files changed, 41 insertions(+), 4 deletions(-)
diff --git a/install/tools/ipa-ca-install.in b/install/tools/ipa-ca-install.in
index 9f3d16669679a245b73e044622ff52321524fcde..3c27a6b27715786fb0d3614a9d5689a145037ad7 100644
--- a/install/tools/ipa-ca-install.in
+++ b/install/tools/ipa-ca-install.in
@@ -301,7 +301,11 @@ def install(safe_options, options):
install_master(safe_options, options)
else:
if options.random_serial_numbers:
- if ca.lookup_random_serial_number_version(api) == 0:
+ ldap_backend = cainstance.lookup_ldap_backend(api)
+ if (
+ ca.lookup_random_serial_number_version(api) == 0
+ and ldap_backend == "bdb"
+ ):
sys.exit(
"\nRandom serial numbers cannot be enabled in an "
"existing CA installation.\n")
diff --git a/install/tools/man/ipa-ca-install.1 b/install/tools/man/ipa-ca-install.1
index 5745d39de440886af3147496eb1ed44edc010621..bbd3ba85d9849eaa50b39273a6e1f6ac089a0d6a 100644
--- a/install/tools/man/ipa-ca-install.1
+++ b/install/tools/man/ipa-ca-install.1
@@ -83,7 +83,7 @@ Signing algorithm of the IPA CA certificate. Possible values are SHA1withRSA, SH
Do not use DNS for hostname lookup during installation
.TP
\fB\-\-random\-serial\-numbers\fR
-Enable Random Serial Numbers. Random serial numbers cannot be used in a mixed environment. Either all CA's have it enabled or none do.
+Enable Random Serial Numbers (RSN) and certificate pruning. This option is enabled by default if the system is installed with a 389-ds version that supports LMDB or if another CA in the topology is configured with Random Serial Numbers. This option remains present to avoid issues with automation. In mixed environments where existing CA servers are configured with sequential numbers, it is recommended to replace the sequential servers as soon as reasonably possible.
.TP
\fB\-\-token\-name\fR=\fITOKEN_NAME\fR
The PKCS#11 token name if using an HSM to store and generate private keys.
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 215a77d6b54bcf5c44f304a80fc76e1137c66beb..d226cf8d6513ab95ed274d861a1c6ee4b0dfca53 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -126,7 +126,7 @@ If no template is specified, the template name "SubCA" is used.
File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
.TP
\fB\-\-random\-serial\-numbers\fR
-Enable Random Serial Numbers. Random serial numbers cannot be used in a mixed environment. Either all CA's have it enabled or none do.
+Enable Random Serial Numbers (RSN) and certificate pruning. This option is enabled by default if the system is installed with a 389-ds version that supports LMDB or if another CA in the topology is configured with Random Serial Numbers. This option remains present to avoid issues with automation. In mixed environments where existing CA servers are configured with sequential numbers, it is recommended to replace the sequential servers as soon as reasonably possible.
.TP
\fB\-\-no\-pkinit\fR
Disables pkinit setup steps.
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 5c2c9f8b981cf5d587865f7680e2b231eae655e2..d0c3b6b940a2b99f0fa747a4dc8c6fc800e4ca12 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -259,6 +259,18 @@ def is_ca_installed_locally():
return os.path.exists(paths.CA_CS_CFG_PATH)
+def lookup_ldap_backend(api):
+ """Look up the LDAP backend database value and return it"""
+ dn = DN("cn=config,cn=ldbm database,cn=plugins,cn=config")
+ try:
+ entry = api.Backend.ldap2.get_entry(dn)
+ except errors.NotFound:
+ ldap_backend = 'bdb'
+ else:
+ ldap_backend = entry.get('nsslapd-backend-implement', ['bdb'])[0]
+ return ldap_backend
+
+
class InconsistentCRLGenConfigException(Exception):
pass
@@ -388,6 +400,15 @@ class CAInstance(DogtagInstance):
self.ca_type = x509.ExternalCAType.GENERIC.value
self.external_ca_profile = external_ca_profile
self.random_serial_numbers = random_serial_numbers
+ ldap_backend = lookup_ldap_backend(api)
+
+ if ldap_backend != 'bdb' and not random_serial_numbers:
+ # override selection for lmdb due to VLV performance issues.
+ logger.info(
+ 'Forcing random serial numbers to be enabled for the %s '
+ 'backend', ldap_backend
+ )
+ self.random_serial_numbers = True
self.no_db_setup = promote
self.use_ldaps = use_ldaps
@@ -507,6 +528,9 @@ class CAInstance(DogtagInstance):
self.step("configuring certmonger renewal for lightweight CAs",
self.add_lightweight_ca_tracking_requests)
+ if self.clone and self.random_serial_numbers:
+ self.step("Recording random serial number state",
+ self.__store_random_serial_number_state)
if minimum_acme_support():
self.step("deploying ACME service", self.setup_acme)
@@ -1650,6 +1674,11 @@ class CAInstance(DogtagInstance):
dn = DN(('cn', ipalib.constants.IPA_CA_CN), api.env.container_ca,
api.env.basedn)
entry_attrs = api.Backend.ldap2.get_entry(dn)
+ version = entry_attrs.single_value.get(
+ "ipaCaRandomSerialNumberVersion", "0"
+ )
+ if str(version) == str(value):
+ return
entry_attrs['ipaCaRandomSerialNumberVersion'] = value
api.Backend.ldap2.update_entry(entry_attrs)
diff --git a/ipatests/test_xmlrpc/tracker/ca_plugin.py b/ipatests/test_xmlrpc/tracker/ca_plugin.py
index 59fb60037d0e2be98f55c85f52fa690b359ada30..f949b5707a38b5524cb543528ad4144e89527568 100644
--- a/ipatests/test_xmlrpc/tracker/ca_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/ca_plugin.py
@@ -4,6 +4,7 @@
from __future__ import absolute_import
import six
+from lib389.utils import get_default_db_lib
from ipapython.dn import DN
from ipatests.test_xmlrpc.tracker.base import Tracker, EnableTracker
@@ -83,7 +84,10 @@ class CATracker(Tracker, EnableTracker):
objectclass=objectclasses.ca
)
if self.description == 'IPA CA':
- self.attrs['ipacarandomserialnumberversion'] = ('0',)
+ if get_default_db_lib() == 'bdb':
+ self.attrs['ipacarandomserialnumberversion'] = ('0',)
+ else:
+ self.attrs['ipacarandomserialnumberversion'] = ('3',)
self.exists = True
def make_disable_command(self):
--
2.47.0

108
0038-ipatests-Test-that-when-lmdb-is-available-enable-RSN.patch Normal file
View File

@ -0,0 +1,108 @@
From ed70380cbb97a355a4d84ca61fd27120cda902b9 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 12 Sep 2024 13:52:55 -0400
Subject: [PATCH] ipatests: Test that when lmdb is available, enable RSN
Related: https://pagure.io/freeipa/issue/9661
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
---
.../test_random_serial_numbers.py | 71 +++++++++++++++++++
1 file changed, 71 insertions(+)
diff --git a/ipatests/test_integration/test_random_serial_numbers.py b/ipatests/test_integration/test_random_serial_numbers.py
index ab58b1c622b010994ed93a17dd80cfd02095508d..c45d15b583bac0faec80780edd00b60b47e334a9 100644
--- a/ipatests/test_integration/test_random_serial_numbers.py
+++ b/ipatests/test_integration/test_random_serial_numbers.py
@@ -3,10 +3,12 @@
#
import pytest
+import textwrap
from ipaplatform.paths import paths
from ipatests.pytest_ipa.integration import tasks
+from ipatests.test_integration.base import IntegrationTest
from ipatests.test_integration.test_installation import (
TestInstallWithCA_DNS1,
TestInstallWithCA_KRA1,
@@ -119,3 +121,72 @@ class TestRSNVault(TestInstallKRA):
if not pki_supports_RSNv3(mh.master):
raise pytest.skip("RSNv3 not supported")
super(TestRSNVault, cls).install(mh)
+
+
+class TestInstall_RSN_MDB(IntegrationTest):
+ """
+ Test installation when the 389-ds mdb backend is used. This has
+ poor performance for VLV compared to the older bdb backend so
+ RSN will be required.
+ """
+ num_replicas = 1
+
+ def disable_rsn(self):
+ """Mark RSN as disabled in the topology by setting
+ ipaCaRandomSerialNumberVersion to 0.
+ """
+ entry_ldif = textwrap.dedent("""
+ dn: cn=ipa,cn=cas,cn=ca,{base_dn}
+ changetype: modify
+ replace: ipaCaRandomSerialNumberVersion
+ ipaCaRandomSerialNumberVersion: 0
+ """).format(base_dn=str(self.master.domain.basedn))
+ tasks.ldapmodify_dm(self.master, entry_ldif)
+
+ def check_rsn_status(self, host):
+ """Verify that RSN is enabled on a host"""
+ base_dn = str(host.domain.basedn)
+ result = tasks.ldapsearch_dm(
+ host,
+ 'cn=ipa,cn=cas,cn=ca,{base_dn}'.format(
+ base_dn=base_dn),
+ ['ipacarandomserialnumberversion',],
+ scope='base'
+ )
+ output = result.stdout_text.lower()
+ assert 'ipacarandomserialnumberversion: 3' in output
+
+ cs_cfg = host.get_file_contents(paths.CA_CS_CFG_PATH)
+ assert "dbs.cert.id.generator=random".encode() in cs_cfg
+
+ @classmethod
+ def install(cls, mh):
+ if not pki_supports_RSNv3(mh.master):
+ raise pytest.skip("RNSv3 not supported")
+ result = cls.replicas[0].run_command(
+ "python -c 'from lib389.utils import get_default_db_lib; "
+ "print(get_default_db_lib())'"
+ )
+ if 'mdb' not in result.stdout_text:
+ raise pytest.skip("MDB not supported")
+ tasks.install_master(cls.master, setup_dns=True)
+
+ def test_replica_install(self):
+ self.disable_rsn()
+ tasks.install_replica(
+ self.master, self.replicas[0], setup_ca=True)
+ self.check_rsn_status(self.replicas[0])
+ tasks.run_server_del(
+ self.master, self.replicas[0].hostname, force=True,
+ ignore_topology_disconnect=True, ignore_last_of_role=True)
+ tasks.uninstall_replica(
+ master=self.master,
+ replica=self.replicas[0]
+ )
+
+ def test_replica_install_noca(self):
+ self.disable_rsn()
+ tasks.install_replica(
+ self.master, self.replicas[0], setup_ca=False)
+ tasks.install_ca(self.replicas[0])
+ self.check_rsn_status(self.replicas[0])
--
2.47.0

34
0039-Set-required-version-of-389-ds-for-VLV-fix-on-F40-41.patch Normal file
View File

@ -0,0 +1,34 @@
From 2cd2b8fe43036a97f1051c5aa76fd5ed28e7ed6c Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 16 Oct 2024 15:39:31 -0400
Subject: [PATCH] Set required version of 389-ds for VLV fix on F40/41
Require builds that contain the fixes for VLV handling in
https://bugzilla.redhat.com/show_bug.cgi?id=2317851
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
---
freeipa.spec.in | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 72d7013a6c49873f4a59734c684c6c5510e669d0..1283ba847f60cd335851d7e846536a4a6c14b071 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -127,6 +127,10 @@
# version supporting LMDB and lib389.cli_ctl.dblib.run_dbscan utility
%if 0%{?fedora} < 34
%global ds_version 1.4.4.16-1
+%elif 0%{?fedora} == 40
+%global ds_version 3.0.4-3
+%elif 0%{?fedora} >= 41
+%global ds_version 3.1.1-3
%else
%global ds_version 2.1.0
%endif
--
2.47.0

57
0040-Enable-pruning-when-Random-Serial-Numbers-are-enable.patch Normal file
View File

@ -0,0 +1,57 @@
From 6f304bac61eadbacf4f176421c6927b92b74685e Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 11 Sep 2024 16:33:00 -0400
Subject: [PATCH] Enable pruning when Random Serial Numbers are enabled
When using short-lived certs (ACME) along with normal certificate
issuance the expired certs can build over time in the PKI database.
This can cause issues with replication, performance and overall
database size.
Random Serial Numbers v3 (RSNv3) is mandatory to enable pruning
so if we have it enabled then enable pruning to avoid future issues.
Related: https://pagure.io/freeipa/issue/9661
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
---
ipaserver/install/cainstance.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index d0c3b6b940a2b99f0fa747a4dc8c6fc800e4ca12..f3ed9fff8510072f0ad210beaaea151a3099082b 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -471,6 +471,8 @@ class CAInstance(DogtagInstance):
self.step(
"Ensuring backward compatibility",
self.__dogtag10_migration)
+ if self.random_serial_numbers:
+ self.step("enable certificate pruning", self.enable_pruning)
if promote:
self.step("destroying installation admin user",
self.teardown_admin)
@@ -790,6 +792,17 @@ class CAInstance(DogtagInstance):
'NSS_ENABLE_PKIX_VERIFY', '1',
quotes=False, separator='=')
+ def enable_pruning(self):
+ directivesetter.set_directive(paths.CA_CS_CFG_PATH,
+ 'jobsScheduler.enabled', 'true',
+ quotes=False, separator='=')
+ directivesetter.set_directive(paths.CA_CS_CFG_PATH,
+ 'jobsScheduler.job.pruning.enabled',
+ 'true', quotes=False, separator='=')
+ directivesetter.set_directive(paths.CA_CS_CFG_PATH,
+ 'jobsScheduler.job.pruning.owner',
+ 'ipara', quotes=False, separator='=')
+
def __import_ra_cert(self):
"""
Helper method for IPA domain level 0 replica install
--
2.47.0

65
0041-Don-t-drop-certificates-in-cert-find-if-the-LWCA-was.patch Normal file
View File

@ -0,0 +1,65 @@
From 0eafb03110b6ae4c80680e5c451661e1cf41db77 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 21 Nov 2024 11:39:12 -0500
Subject: [PATCH] Don't drop certificates in cert-find if the LWCA was removed
The cert-find command wants to return the IPA CA name of the
issued certificates. If the CA was removed then the certificate
is skipped in the output. This basically black holes any certificates
issued by the LWCA.
It is also breaking the cert_find tests with RSNv3 enabled at
times depending on the certificate order returned. Some of them
may be certificates issued by a now-deleted CA.
This was discovered in test_xmlrpc/test_cert.py with the
cert-find tests where the expected number of certificates wasn't
returned. This is because ra.find() retrieved exactly 10 certificates
and then some were removed when trying to identify the CA.
Related: https://pagure.io/freeipa/issue/9661
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman@redhat.com>
---
ipaserver/plugins/cert.py | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 6249c6d6f24acdca4fc3e9dd989f58344192b567..b8012c62a7809a85faec9cbb710f187fa16d90f4 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -1721,7 +1721,8 @@ class cert_find(Search, CertMethod):
try:
ca_obj = ca_objs[issuer]
except KeyError:
- continue
+ # A deleted LWCA? Return the issuer DN as a string
+ ca_obj = {'cn': [str(issuer)]}
if pkey_only:
obj = {'serial_number': serial_number}
@@ -1905,8 +1906,16 @@ class cert_find(Search, CertMethod):
try:
ca_obj = ca_objs[cacn]
except KeyError:
- ca_obj = ca_objs[cacn] = (
- self.api.Command.ca_show(cacn, all=True)['result'])
+ try:
+ ca_obj = ca_objs[cacn] = (
+ self.api.Command.ca_show(
+ cacn, all=True)['result'])
+ except errors.NotFound:
+ # If we have inserted a CA DN because the
+ # LWCA was deleted then ca-show of it will
+ # fail as NotFound. There is no chain to
+ # retrieve.
+ ca_obj = []
obj.update(
ra.get_certificate(serial_number)
--
2.47.0

99
0042-ipatests-pruning-is-enabled-by-default-with-LMDB.patch Normal file
View File

@ -0,0 +1,99 @@
From fd222273a544f9e8c7a1749ff797880db7edbf25 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 25 Nov 2024 13:14:50 +0100
Subject: [PATCH] ipatests: pruning is enabled by default with LMDB
The test test_acme.py::TestACMEPrune::test_enable_pruning expects
certificate pruning to be disabled by default. That assumption
is valid only if the backend is BDB (if the backend is LMDB,
RSNv3 + cert pruning are enabled by default).
Update the test to be consistent with the new defaults.
Fixes: https://pagure.io/freeipa/issue/9706
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_acme.py | 37 +++++++++++++++++---------
1 file changed, 25 insertions(+), 12 deletions(-)
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index 4032d266a8dc72fae6ee11857c306aa3a21e51bc..709d90715823672a3d85a1ef7896fb10ee63fdc5 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -17,6 +17,7 @@ from ipatests.test_integration.test_random_serial_numbers import (
)
from ipaplatform.osinfo import osinfo
from ipaplatform.paths import paths
+from ipapython.dn import DN
from ipatests.test_integration.test_external_ca import (
install_server_external_ca_step1,
install_server_external_ca_step2,
@@ -144,6 +145,15 @@ def certbot_standalone_cert(host, acme_server, no_of_cert=1):
)
+def get_389ds_backend(host):
+ """ Return the backend type used by 389ds (either 'bdb' or 'lmdb')"""
+ conn = host.ldap_connect()
+ entry = conn.get_entry(
+ DN('cn=config,cn=ldbm database,cn=plugins,cn=config'))
+ backend = entry.single_value.get('nsslapd-backend-implement')
+ return backend
+
+
class TestACME(CALessBase):
"""
Test the FreeIPA ACME service by using ACME clients on a FreeIPA client.
@@ -397,21 +407,22 @@ class TestACME(CALessBase):
assert status == 'disabled'
def test_acme_pruning_no_random_serial(self):
- """This ACME install is configured without random serial
+ """BDB install is configured without random serial
numbers. Verify that we can't enable pruning on it.
-
- This test is located here because by default installs
- don't enable RSNv3.
"""
if (tasks.get_pki_version(self.master)
< tasks.parse_version('11.3.0')):
raise pytest.skip("Certificate pruning is not available")
self.master.run_command(['ipa-acme-manage', 'enable'])
- result = self.master.run_command(
- ['ipa-acme-manage', 'pruning', '--enable'],
- raiseonerr=False)
- assert result.returncode == 1
- assert "requires random serial numbers" in result.stderr_text
+
+ # This test is only relevant with BDB backend
+ # as with LMDB, the installer now enable RSNv3 and cert pruning
+ if get_389ds_backend(self.master) == 'bdb':
+ result = self.master.run_command(
+ ['ipa-acme-manage', 'pruning', '--enable'],
+ raiseonerr=False)
+ assert result.returncode == 1
+ assert "requires random serial numbers" in result.stderr_text
@server_install_teardown
def test_third_party_certs(self):
@@ -707,10 +718,12 @@ class TestACMEPrune(IntegrationTest):
if (tasks.get_pki_version(self.master)
< tasks.parse_version('11.3.0')):
raise pytest.skip("Certificate pruning is not available")
- cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH)
- assert "jobsScheduler.job.pruning.enabled=false".encode() in cs_cfg
- self.master.run_command(['ipa-acme-manage', 'pruning', '--enable'])
+ # Pruning is enabled by default when the host supports lmdb
+ if get_389ds_backend(self.master) == 'bdb':
+ cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH)
+ assert "jobsScheduler.job.pruning.enabled=false".encode() in cs_cfg
+ self.master.run_command(['ipa-acme-manage', 'pruning', '--enable'])
cs_cfg = self.master.get_file_contents(paths.CA_CS_CFG_PATH)
assert "jobsScheduler.enabled=true".encode() in cs_cfg
--
2.47.0

95
0043-webuitests-adapt-to-Random-Serial-Numbers.patch Normal file
View File

@ -0,0 +1,95 @@
From c8befc9f46b43aec748ede33236ca4f77b2356c6 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 26 Nov 2024 09:40:53 +0100
Subject: [PATCH] webuitests: adapt to Random Serial Numbers
The webui tests were written for sequential serial numbers
and expect the certs to be issued with low serial numbers.
Adapt to Random Serial Numbers.
Fixes:https://pagure.io/freeipa/issue/9707
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_webui/test_cert.py | 39 +++++++++++++++++++++++++++++---
1 file changed, 36 insertions(+), 3 deletions(-)
diff --git a/ipatests/test_webui/test_cert.py b/ipatests/test_webui/test_cert.py
index 7a8ffde917c75f4578b1d8f9a1cdcdbb4ba4a1ae..0dc276555b26a2ac4a0d79695f3cd74a3ccd55ec 100644
--- a/ipatests/test_webui/test_cert.py
+++ b/ipatests/test_webui/test_cert.py
@@ -93,6 +93,14 @@ class test_cert(UI_driver):
csr = generate_csr(hostname)
self.navigate_to_entity(ENTITY)
+
+ # Save the existing cert serials before the new one is added
+ # the test will compare before/after in order to find the serial
+ # of the newly generated certificate
+ result = self.execute_api_from_ui('cert_find', [], {})
+ certs = result['result']['result']
+ before = [cert["serial_number"] for cert in certs]
+
self.facet_button_click('request_cert')
self.fill_textbox('principal', 'HTTP/{}'.format(hostname))
self.check_option('add', 'checked')
@@ -100,8 +108,17 @@ class test_cert(UI_driver):
self.dialog_button_click('issue')
self.assert_notification(assert_text='Certificate requested')
self.navigate_to_entity(ENTITY)
+
+ # Save the existing cert serials after the new one is added
+ result = self.execute_api_from_ui('cert_find', [], {})
+ certs = result['result']['result']
+ after = [cert["serial_number"] for cert in certs]
+ new_serial = [serial for serial in after if serial not in before]
+ # Find the cert that was jsut generated
+ index = after.index(new_serial[0])
+
rows = self.get_rows()
- cert = rows[-1]
+ cert = rows[index]
self.navigate_to_row_record(cert)
self.action_list_action('revoke_cert', False)
@@ -212,10 +229,18 @@ class test_cert(UI_driver):
# try searching using -1
check_minimum_serial(self, '-1', 'min_serial_number')
+ # Find the highest serial number and add 1 to be sure there is no
+ # cert with a higher serial number
+ result = self.execute_api_from_ui('cert_find', [], {})
+ certs = result['result']['result']
+ serials = [int(cert["serial_number_hex"], 0) for cert in certs]
+ serials.sort()
+ highest_serial = str(serials[-1] + 1)
+
# try using higher value than no. of certs present
self.navigate_to_entity(ENTITY)
self.select('select[name=search_option]', 'min_serial_number')
- search_pkey(self, '99')
+ search_pkey(self, highest_serial)
rows = self.get_rows()
assert len(rows) == 0
@@ -226,8 +251,16 @@ class test_cert(UI_driver):
"""
self.init_app()
self.navigate_to_entity(ENTITY)
+
+ # Find the second lowest serial number
+ result = self.execute_api_from_ui('cert_find', [], {})
+ certs = result['result']['result']
+ serials = [int(cert["serial_number_hex"], 0) for cert in certs]
+ serials.sort()
+ second_serial = str(serials[1])
+
self.select('select[name=search_option]', 'max_serial_number')
- search_pkey(self, '2')
+ search_pkey(self, second_serial)
rows = self.get_rows()
assert len(rows) == 2
--
2.47.0

24
freeipa.spec
View File

@ -79,7 +79,7 @@
%global selinux_policy_version 3.14.3-107
%else
# version supporting LMDB and lib389.cli_ctl.dblib.run_dbscan utility
%global ds_version 2.1.0
%global ds_version 3.0.4
%global selinux_policy_version 38.1.1-1
%endif
@ -116,6 +116,10 @@
# version supporting LMDB and lib389.cli_ctl.dblib.run_dbscan utility
%if 0%{?fedora} < 34
%global ds_version 1.4.4.16-1
%elif 0%{?fedora} == 40
%global ds_version 3.0.4-3
%elif 0%{?fedora} >= 41
%global ds_version 3.1.1-3
%else
%global ds_version 2.1.0
%endif
@ -203,7 +207,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 7%{?rc_version:.%rc_version}%{?dist}
Release: 8%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -266,6 +270,17 @@ Patch0029: 0029-vault-handle-pyca-InternalError-exception-for-PKCS-1.patch
Patch0030: 0030-ipatests-Tests-for-ipa-migrate-tool.patch
Patch0031: 0031-Fix-Organization-field-in-Okta-not-required.patch
Patch0032: 0032-Use-OpenSSL-provider-with-BIND-for-Fedora-41-and-RHE.patch
Patch0033: 0033-selinux-allow-Cockpit-to-use-HTTP-keytab-on-IPA-serv.patch
Patch0034: 0034-Minimal-test-for-Cockpit-integration-on-IPA-master.patch
Patch0035: 0035-ipatests-install-master-with-allow-zone-overlap.patch
Patch0036: 0036-ipaserver-dcerpc-support-Samba-4.21.patch
Patch0037: 0037-Change-default-to-RSN-when-389-ds-uses-the-mdb-backe.patch
Patch0038: 0038-ipatests-Test-that-when-lmdb-is-available-enable-RSN.patch
Patch0039: 0039-Set-required-version-of-389-ds-for-VLV-fix-on-F40-41.patch
Patch0040: 0040-Enable-pruning-when-Random-Serial-Numbers-are-enable.patch
Patch0041: 0041-Don-t-drop-certificates-in-cert-find-if-the-LWCA-was.patch
Patch0042: 0042-ipatests-pruning-is-enabled-by-default-with-LMDB.patch
Patch0043: 0043-webuitests-adapt-to-Random-Serial-Numbers.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -1884,6 +1899,11 @@ fi
%endif
%changelog
* Wed Nov 27 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-8
- Resolves: RHEL-69300 Support GSSAPI in Cockpit on IPA servers
- Resolves: RHEL-68447 ipa trust-add fails in FIPS mode with an internal error has occurred
- Resolves: RHEL-57674 Use RSNv3 and enable cert pruning by default in RHEL 10.0
* Fri Nov 08 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-7
- Resolves: RHEL-66599 vault-add fails in FIPS mode
- Resolves: RHEL-66598 ipa-migrate should also migrate DNS forward zones