Apply 0025-Fix-OTP-on-s390x patch
This commit is contained in:
parent
704e3549ca
commit
2184916d1f
51
SOURCES/0025-Fix-OTP-on-s390x.patch
Normal file
51
SOURCES/0025-Fix-OTP-on-s390x.patch
Normal file
@ -0,0 +1,51 @@
|
||||
From 7060e3a031fb4e4cdf85f616f1e1a3435d61e696 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Jun 28 2023 15:28:41 +0000
|
||||
Subject: OTP: fix data type to avoid endianness issue
|
||||
|
||||
|
||||
When 389-ds process an OTP authentication, the ipa-pwd-extop
|
||||
plugin reads a buffer to extract the authentication type.
|
||||
The type is stored in an int but the data is a ber_tag_t.
|
||||
|
||||
On big endian machines the type cast does not cause any issue
|
||||
but on s390x the buffer that should return 128 is seen as 0.
|
||||
|
||||
As a consequence, the plugin considers that the method is not
|
||||
LDAP_AUTH_SIMPLE and exits early, without processing the OTP.
|
||||
|
||||
The fix is simple and consists in using the right type
|
||||
(ber_tag_t is an unsigned long).
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9402
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
|
||||
---
|
||||
|
||||
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
index 9375941..4562652 100644
|
||||
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
|
||||
@@ -1433,7 +1433,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
|
||||
Slapi_DN *target_sdn = NULL;
|
||||
Slapi_DN *sdn = NULL;
|
||||
const char *dn = NULL;
|
||||
- int method = 0;
|
||||
+ ber_tag_t method = 0;
|
||||
bool syncreq;
|
||||
bool otpreq;
|
||||
int ret = 0;
|
||||
@@ -1454,8 +1454,10 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
|
||||
}
|
||||
|
||||
/* We're only interested in simple authentication. */
|
||||
- if (method != LDAP_AUTH_SIMPLE || credentials->bv_len == 0)
|
||||
+ if (method != LDAP_AUTH_SIMPLE || credentials->bv_len == 0) {
|
||||
+ LOG("Not handled (not simple bind or NULL dn/credentials)\n");
|
||||
return 0;
|
||||
+ }
|
||||
|
||||
/* Retrieve the user's entry. */
|
||||
sdn = slapi_sdn_dup(target_sdn);
|
||||
@ -223,7 +223,7 @@
|
||||
|
||||
Name: %{package_name}
|
||||
Version: %{IPA_VERSION}
|
||||
Release: 7%{?rc_version:.%rc_version}%{?dist}
|
||||
Release: 8%{?rc_version:.%rc_version}%{?dist}.alma
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
License: GPLv3+
|
||||
@ -271,6 +271,11 @@ Patch0021: 0021-ipatests-ensure-that-ipa-automember-rebuild-prints-a.patch
|
||||
Patch0022: 0022-ipatests-fix-tests-in-TestACMEPrune.patch
|
||||
Patch0023: 0023-Tolerate-absence-of-PAC-ticket-signature-depending-o.patch
|
||||
Patch0024: 0024-ipa-kdb-postpone-ticket-checksum-configuration.patch
|
||||
|
||||
# Patch was taken from
|
||||
# https://pagure.io/freeipa/c/7060e3a031fb4e4cdf85f616f1e1a3435d61e696.patch
|
||||
Patch0025: 0025-Fix-OTP-on-s390x.patch
|
||||
|
||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||
%endif
|
||||
%endif
|
||||
@ -1758,6 +1763,9 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Aug 02 2023 Eduard Abdullin <eabdullin@almalinux.org> - 4.10.1-8.alma
|
||||
- Apply 0025-Fix-OTP-on-s390x patch
|
||||
|
||||
* Thu Jun 01 2023 Julien Rische <jrische@redhat.com> - 4.10.1-7
|
||||
- Resolves: rhbz#2211389 Handle PAC signatures based on domain and server capabilities
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user