From 2184916d1fff0a22cf95b2242d66c1f50dcf08e7 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Wed, 2 Aug 2023 17:22:57 +0300
Subject: [PATCH] Apply 0025-Fix-OTP-on-s390x patch

---
 SOURCES/0025-Fix-OTP-on-s390x.patch | 51 +++++++++++++++++++++++++++++
 SPECS/freeipa.spec | 10 +++++-
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/0025-Fix-OTP-on-s390x.patch

diff --git a/SOURCES/0025-Fix-OTP-on-s390x.patch b/SOURCES/0025-Fix-OTP-on-s390x.patch
new file mode 100644
index 0000000..58e3c53
--- /dev/null
+++ b/SOURCES/0025-Fix-OTP-on-s390x.patch
@@ -0,0 +1,51 @@
+From 7060e3a031fb4e4cdf85f616f1e1a3435d61e696 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Jun 28 2023 15:28:41 +0000
+Subject: OTP: fix data type to avoid endianness issue
+
+
+When 389-ds process an OTP authentication, the ipa-pwd-extop
+plugin reads a buffer to extract the authentication type.
+The type is stored in an int but the data is a ber_tag_t.
+
+On big endian machines the type cast does not cause any issue
+but on s390x the buffer that should return 128 is seen as 0.
+
+As a consequence, the plugin considers that the method is not
+LDAP_AUTH_SIMPLE and exits early, without processing the OTP.
+
+The fix is simple and consists in using the right type
+(ber_tag_t is an unsigned long).
+
+Fixes: https://pagure.io/freeipa/issue/9402
+
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Rob Crittenden
+
+---
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+index 9375941..4562652 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c
+@@ -1433,7 +1433,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+ Slapi_DN *target_sdn = NULL;
+ Slapi_DN *sdn = NULL;
+ const char *dn = NULL;
+- int method = 0;
++ ber_tag_t method = 0;
+ bool syncreq;
+ bool otpreq;
+ int ret = 0;
+@@ -1454,8 +1454,10 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+ }
+
+ /* We're only interested in simple authentication. */
+- if (method != LDAP_AUTH_SIMPLE || credentials->bv_len == 0)
++ if (method != LDAP_AUTH_SIMPLE || credentials->bv_len == 0) {
++ LOG("Not handled (not simple bind or NULL dn/credentials)\n");
+ return 0;
++ }
+
+ /* Retrieve the user's entry. */
+ sdn = slapi_sdn_dup(target_sdn);
diff --git a/SPECS/freeipa.spec b/SPECS/freeipa.spec
index 21ebbf8..64393a3 100644
--- a/SPECS/freeipa.spec
+++ b/SPECS/freeipa.spec
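Review bot: The log text added in the second prepost.c hunk does not match the guard it reports on: the condition tests `method != LDAP_AUTH_SIMPLE` and `credentials->bv_len == 0`, and nothing in it tests the DN, so `LOG("Not handled (not a simple bind or empty credentials)\n");` would be accurate. In the first hunk the declaration deserves a comment such as `/* ber_tag_t, not int: the bind method is stored at ber_tag_t width */`, because the call that fills `method` lies outside the hunk (ipapwd_pre_bind starts and ends beyond both hunks) and the width requirement is invisible at the declaration. If that call writes a full `ber_tag_t` as the description says, the old `int` was also undersized on every LP64 build, so this is more than an s390x fix and any other `int` that receives the bind method in this plugin should be checked. The description's "On big endian machines the type cast does not cause any issue" presumably means little endian, since s390x is the failing target.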
@@ -223,7 +223,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 7%{?rc_version:.%rc_version}%{?dist} +Release: 8%{?rc_version:.%rc_version}%{?dist}.alma Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -271,6 +271,11 @@ Patch0021: 0021-ipatests-ensure-that-ipa-automember-rebuild-prints-a.patch Patch0022: 0022-ipatests-fix-tests-in-TestACMEPrune.patch Patch0023: 0023-Tolerate-absence-of-PAC-ticket-signature-depending-o.patch Patch0024: 0024-ipa-kdb-postpone-ticket-checksum-configuration.patch + +# Patch was taken from +# https://pagure.io/freeipa/c/7060e3a031fb4e4cdf85f616f1e1a3435d61e696.patch +Patch0025: 0025-Fix-OTP-on-s390x.patch + Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif @@ -1758,6 +1763,9 @@ fi %endif %changelog +* Wed Aug 02 2023 Eduard Abdullin - 4.10.1-8.alma +- Apply 0025-Fix-OTP-on-s390x patch + * Thu Jun 01 2023 Julien Rische - 4.10.1-7 - Resolves: rhbz#2211389 Handle PAC signatures based on domain and server capabilities