ipa-4.9.6-2

- Resolves: rhbz#1955440 ipa installation fails to configure chrony - Resolves: rhbz#1976761 Package python3-ipatests (from CRB repo) Requires python3-coverage - Resolves: rhbz#1979609 Unable to set ipaUserAuthType with stageuser-add - Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services
2021-07-09 12:56:20 +02:00 · 2021-07-09 12:56:20 +02:00 · 2f8d027c58
parent 42299a57bb
commit 2f8d027c58
7 changed files with 448 additions and 3 deletions
--- a/0001-Remove-unneeded-dependency-on-python-coverage.patch
+++ b/0001-Remove-unneeded-dependency-on-python-coverage.patch
@ -0,0 +1,30 @@
+From 01f4b9d7935ca41c93b17e28543054f36e5baf46 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 30 Jun 2021 14:57:32 +0200
+Subject: [PATCH] Remove unneeded dependency on python-coverage
+
+The spec file requires python3-coverage although it is not
+used in the project.
+
+Fixes: https://pagure.io/freeipa/issue/8905
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Francois Cami <fcami@redhat.com>
+---
+ freeipa.spec.in | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index fdca43a24a6e07f77b9cd8a0feec940a0366f128..fbfe4d09eedc169112dcdc18a953134de67b7731 100755
+--- a/freeipa.spec.in
+++ b/freeipa.spec.in
+@@ -872,7 +872,6 @@ BuildArch: noarch
+ Requires: python3-ipaclient = %{version}-%{release}
+ Requires: python3-ipaserver = %{version}-%{release}
+ Requires: iptables
+-Requires: python3-coverage
+ Requires: python3-cryptography >= 1.6
+ Requires: python3-pexpect
+ %if 0%{?fedora}
+-- 
+2.26.3
+
--- a/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte.patch
+++ b/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte.patch
@ -0,0 +1,134 @@
+From dffccae7193b0616cb84792edec480f5f67e1fc6 Mon Sep 17 00:00:00 2001
+From: Antonio Torres <antorres@redhat.com>
+Date: Mon, 8 Mar 2021 18:15:50 +0100
+Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA
+ services
+
+Authentication indicators should not be enforced against internal
+IPA services, since not all users of those services are able to produce
+Kerberos tickets with all the auth indicator options. This includes
+host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
+If a client that is being promoted to replica has an auth indicator
+in its host principal then the promotion is aborted.
+
+Fixes: https://pagure.io/freeipa/issue/8206
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+ ipaserver/install/server/replicainstall.py | 13 ++++++++++++
+ ipaserver/plugins/host.py                  |  5 ++++-
+ ipaserver/plugins/service.py               | 24 ++++++++++++++++++++++
+ 3 files changed, 41 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
+index 73967a2249d5c8944d70c5c3ca9a9d3b3bfc6b73..f1fb9103687ce9719ef24c8cb3c41088a4003b25 100644
+--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
+@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn):
+         ))
+ 
+ 
+def promotion_check_host_principal_auth_ind(conn, hostdn):
+    entry = conn.get_entry(hostdn, ['krbprincipalauthind'])
+    if 'krbprincipalauthind' in entry:
+        raise RuntimeError(
+            "Client cannot be promoted to a replica if the host principal "
+            "has an authentication indicator set."
+        )
+
+
+ @common_cleanup
+ @preserve_enrollment_state
+ def promote_check(installer):
+@@ -956,6 +965,10 @@ def promote_check(installer):
+                                      config.master_host_name, None)
+ 
+         promotion_check_ipa_domain(conn, remote_api.env.basedn)
+        hostdn = DN(('fqdn', api.env.host),
+                    api.env.container_host,
+                    api.env.basedn)
+        promotion_check_host_principal_auth_ind(conn, hostdn)
+ 
+         # Make sure that domain fulfills minimal domain level
+         # requirement
+diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
+index eb1f8ef042faf4b0deadfd5cef47f7688836506e..41fa933e2422184eafc4eae185a163082b96e045 100644
+--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
+@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
+                                      LDAPAddAttributeViaOption,
+                                      LDAPRemoveAttributeViaOption)
+ from .service import (
+-    validate_realm, normalize_principal,
+    validate_realm, validate_auth_indicator, normalize_principal,
+     set_certificate_attrs, ticket_flags_params, update_krbticketflags,
+     set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
+     rename_ipaallowedtoperform_to_ldap, revoke_certs)
+@@ -735,6 +735,8 @@ class host_add(LDAPCreate):
+         update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
+         if 'krbticketflags' in entry_attrs:
+             entry_attrs['objectclass'].append('krbticketpolicyaux')
+        validate_auth_indicator(entry_attrs)
+
+         return dn
+ 
+     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate):
+             if 'krbprincipalaux' not in (item.lower() for item in
+                                          entry_attrs['objectclass']):
+                 entry_attrs['objectclass'].append('krbprincipalaux')
+            validate_auth_indicator(entry_attrs)
+ 
+         add_sshpubkey_to_attrs_pre(self.context, attrs_list)
+ 
+diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
+index 1c93478049f5bdfdaf8503e459bd962dbbee9b44..cfbbff3c69c6a92535df58c51767c3d0952c7b0b 100644
+--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
+@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal):
+         raise errors.RealmMismatch()
+ 
+ 
+def validate_auth_indicator(entry):
+    new_value = entry.get('krbprincipalauthind', None)
+    if not new_value:
+        return
+    # The following services are considered internal IPA services
+    # and shouldn't be allowed to have auth indicators.
+    # https://pagure.io/freeipa/issue/8206
+    pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
+    principal = kerberos.Principal(pkey)
+    server = api.Command.server_find(principal.hostname)['result']
+    if server:
+        prefixes = ("host", "cifs", "ldap", "HTTP")
+    else:
+        prefixes = ("cifs",)
+    if principal.service_name in prefixes:
+        raise errors.ValidationError(
+            name='krbprincipalauthind',
+            error=_('authentication indicators not allowed '
+                    'in service "%s"' % principal.service_name)
+        )
+
+
+ def normalize_principal(value):
+     """
+     Ensure that the name in the principal is lower-case. The realm is
+@@ -652,6 +674,7 @@ class service_add(LDAPCreate):
+                     hostname)
+ 
+         self.obj.validate_ipakrbauthzdata(entry_attrs)
+        validate_auth_indicator(entry_attrs)
+ 
+         if not options.get('force', False):
+             # We know the host exists if we've gotten this far but we
+@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate):
+         assert isinstance(dn, DN)
+ 
+         self.obj.validate_ipakrbauthzdata(entry_attrs)
+        validate_auth_indicator(entry_attrs)
+ 
+         # verify certificates
+         certs = entry_attrs.get('usercertificate') or []
+-- 
+2.26.3
+
--- a/0003-ipatests-ensure-auth-indicators-can-t-be-added-to-in.patch
+++ b/0003-ipatests-ensure-auth-indicators-can-t-be-added-to-in.patch
@ -0,0 +1,138 @@
+From 538a9992fd1394ed24cbcdf2a2a27694ac28da55 Mon Sep 17 00:00:00 2001
+From: Antonio Torres <antorres@redhat.com>
+Date: Mon, 8 Mar 2021 18:20:35 +0100
+Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal
+ IPA services
+
+Authentication indicators should not be added to internal IPA services,
+since this can lead to a broken IPA setup. In case a client with
+an auth indicator set in its host principal, promoting it to a replica
+should fail.
+
+Related: https://pagure.io/freeipa/issue/8206
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+ .../test_replica_promotion.py                 | 38 +++++++++++++++++++
+ ipatests/test_xmlrpc/test_host_plugin.py      | 10 +++++
+ ipatests/test_xmlrpc/test_service_plugin.py   | 21 ++++++++++
+ 3 files changed, 69 insertions(+)
+
+diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
+index 0a137dbdcb068811899e7ff7914730f14ea651c1..b9c56f775d08885cb6b1226eeb7bcf105f87cdc1 100644
+--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
+@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
+         assert result.returncode == 1
+         assert expected_err in result.stderr_text
+ 
+    @replicas_cleanup
+    def test_install_with_host_auth_ind_set(self):
+        """ A client shouldn't be able to be promoted if it has
+        any auth indicator set in the host principal.
+        https://pagure.io/freeipa/issue/8206
+        """
+
+        client = self.replicas[0]
+        # Configure firewall first
+        Firewall(client).enable_services(["freeipa-ldap",
+                                          "freeipa-ldaps"])
+
+        client.run_command(['ipa-client-install', '-U',
+                            '--domain', self.master.domain.name,
+                            '--realm', self.master.domain.realm,
+                            '-p', 'admin',
+                            '-w', self.master.config.admin_password,
+                            '--server', self.master.hostname,
+                            '--force-join'])
+
+        tasks.kinit_admin(client)
+
+        client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
+                            client.hostname])
+
+        res = client.run_command(['ipa-replica-install', '-U', '-w',
+                                  self.master.config.dirman_password],
+                                 raiseonerr=False)
+
+        client.run_command(['ipa', 'host-mod', '--auth-ind=',
+                            client.hostname])
+
+        expected_err = ("Client cannot be promoted to a replica if the host "
+                        "principal has an authentication indicator set.")
+        assert res.returncode == 1
+        assert expected_err in res.stderr_text
+
+
+     @replicas_cleanup
+     def test_one_command_installation(self):
+         """
+diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
+index c66bbc865cd5e1ee5ee5e1874c177a3ea9b08c93..9cfde3565d48e103a0549e2bfb7579e07668f41b 100644
+--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
+@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
+                 error=u'An IPA master host cannot be deleted or disabled')):
+             command()
+ 
+    def test_try_add_auth_ind_master(self, this_host):
+        command = this_host.make_update_command({
+            u'krbprincipalauthind': u'radius'})
+        with raises_exact(errors.ValidationError(
+            name='krbprincipalauthind',
+            error=u'authentication indicators not allowed '
+                'in service "host"'
+        )):
+            command()
+
+ 
+ @pytest.mark.tier1
+ class TestValidation(XMLRPC_test):
+diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
+index 4c845938c33e2eca4235d53c4f4644c2fcdeda9c..ed634a0455a41dce367ed638634d1fc6d9e47553 100644
+--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
+@@ -25,6 +25,7 @@ from ipalib import api, errors
+ from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
+ from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
+ from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
+from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
+ from ipatests.test_xmlrpc import objectclasses
+ from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
+ from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
+@@ -1552,6 +1553,15 @@ def indicators_host(request):
+     return tracker.make_fixture(request)
+ 
+ 
+@pytest.fixture(scope='function')
+def this_host(request):
+    """Fixture for the current master"""
+    tracker = HostTracker(name=api.env.host.partition('.')[0],
+                          fqdn=api.env.host)
+    tracker.exists = True
+    return tracker
+
+
+ @pytest.fixture(scope='function')
+ def indicators_service(request):
+     tracker = ServiceTracker(
+@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
+             expected_updates={u'krbprincipalauthind': [u'radius']}
+         )
+ 
+    def test_update_indicator_internal_service(self, this_host):
+        command = this_host.make_command('service_mod',
+                                         'ldap/' + this_host.fqdn,
+                                         **dict(krbprincipalauthind='otp'))
+        with raises_exact(errors.ValidationError(
+            name='krbprincipalauthind',
+            error=u'authentication indicators not allowed '
+                 'in service "ldap"'
+        )):
+            command()
+
+ 
+ @pytest.fixture(scope='function')
+ def managing_host(request):
+-- 
+2.26.3
+
--- a/0004-stageuser-add-ipauserauthtypeclass-when-required.patch
+++ b/0004-stageuser-add-ipauserauthtypeclass-when-required.patch
@ -0,0 +1,57 @@
+From a8d6257b2cf64c3dd2b1c5d7bcf81acc3b766853 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Mon, 5 Jul 2021 09:51:41 +0200
+Subject: [PATCH] stageuser: add ipauserauthtypeclass when required
+
+The command
+ipa stageuser-add --user-auth-type=xxx
+is currently failing because the objectclass ipauserauthtypeclass
+is missing from the created entry.
+
+There is code adding the missing objectclass in the
+pre_common_callback method of user_add, and this code should
+be common to user_add and stageuser_add. In order to avoid code
+duplication, it makes more sense to move the existing code to
+pre_common_callback of baseuser_add, that is called by both
+classes.
+
+Fixes: https://pagure.io/freeipa/issue/8909
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipaserver/plugins/baseuser.py | 3 +++
+ ipaserver/plugins/user.py     | 4 ----
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
+index ae16a978ab01f9c5c257e9cb5567c918a7fafdc5..6035228f19ef8acaf4992490d5512c126881816d 100644
+--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
+@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate):
+         if entry_attrs.get('ipatokenradiususername', None):
+             add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
+                                      entry_attrs, update=False)
+        if entry_attrs.get('ipauserauthtype', None):
+            add_missing_object_class(ldap, u'ipauserauthtypeclass', dn,
+                                     entry_attrs, update=False)
+ 
+     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
+         assert isinstance(dn, DN)
+diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
+index 6f7facb5380ba56feab39b71cd265776f3ab57d8..e4ee572b236c288fd7dcf1d44c5adf1f836f63aa 100644
+--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
+@@ -617,10 +617,6 @@ class user_add(baseuser_add):
+            'ipauser' not in entry_attrs['objectclass']:
+             entry_attrs['objectclass'].append('ipauser')
+ 
+-        if 'ipauserauthtype' in entry_attrs and \
+-           'ipauserauthtypeclass' not in entry_attrs['objectclass']:
+-            entry_attrs['objectclass'].append('ipauserauthtypeclass')
+-
+         rcl = entry_attrs.get('ipatokenradiusconfiglink', None)
+         if rcl:
+             if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']:
+-- 
+2.26.3
+
--- a/0005-XMLRPC-test-add-a-test-for-stageuser-add-user-auth-t.patch
+++ b/0005-XMLRPC-test-add-a-test-for-stageuser-add-user-auth-t.patch
@ -0,0 +1,32 @@
+From 932910456e0269edefe396d4af96447f90ff29b3 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Mon, 5 Jul 2021 10:22:31 +0200
+Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type
+
+Related: https://pagure.io/freeipa/issue/8909
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
+index 5586fc607e134938225c1c982fc39d169847f549..bc606b093c98ce204ad4ea17e5c16273144fa2e7 100644
+--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
+@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test):
+         result = command()
+         assert result['count'] == 1
+ 
+    def test_create_withuserauthtype(self, stageduser):
+        stageduser.ensure_missing()
+        command = stageduser.make_create_command(
+            options={u'ipauserauthtype': u'password'})
+        command()
+
+ 
+ @pytest.mark.tier1
+ class TestCreateInvalidAttributes(XMLRPC_test):
+-- 
+2.26.3
+
--- a/0006-augeas-bump-version-for-rhel9.patch
+++ b/0006-augeas-bump-version-for-rhel9.patch
@ -0,0 +1,40 @@
+From 9144526d2d7e7dcd8503c6c38226e17ebb4ed8b9 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 7 Jul 2021 10:49:25 +0200
+Subject: [PATCH] augeas: bump version for rhel9
+
+augeas 1.12.1-0.1 adds support for the new chony configuration
+settings.
+
+Related: https://pagure.io/freeipa/issue/8676
+Reviewed-By: Francois Cami <fcami@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+---
+ freeipa.spec.in | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index fbfe4d09eedc169112dcdc18a953134de67b7731..ae4af099f39641a9f5163d61cfb37e1c3afb6f4b 100755
+--- a/freeipa.spec.in
+++ b/freeipa.spec.in
+@@ -162,13 +162,16 @@
+ 
+ # augeas support for new chrony options
+ # see https://pagure.io/freeipa/issue/8676
+-# Note: will need to be updated for RHEL9 when a fix is available for
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1931787
+ %if 0%{?fedora} >= 33
+ %global augeas_version 1.12.0-6
+ %else
+%if 0%{?rhel} >= 9
+%global augeas_version 1.12.1-0
+%else
+ %global augeas_version 1.12.0-3
+ %endif
+%endif
+ 
+ %global plugin_dir %{_libdir}/dirsrv/plugins
+ %global etc_systemd_dir %{_sysconfdir}/systemd/system
+-- 
+2.26.3
+
--- a/freeipa.spec
+++ b/freeipa.spec
@ -162,13 +162,16 @@

 # augeas support for new chrony options
 # see https://pagure.io/freeipa/issue/8676
-# Note: will need to be updated for RHEL9 when a fix is available for
 # https://bugzilla.redhat.com/show_bug.cgi?id=1931787
 %if 0%{?fedora} >= 33
 %global augeas_version 1.12.0-6
 %else
+%if 0%{?rhel} >= 9
+%global augeas_version 1.12.1-0
+%else
 %global augeas_version 1.12.0-3
 %endif
+%endif

 %global plugin_dir %{_libdir}/dirsrv/plugins
 %global etc_systemd_dir %{_sysconfdir}/systemd/system
@ -191,7 +194,7 @@

 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        1%{?rc_version:.%rc_version}%{?dist}
+Release:        2%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system

 License:        GPLv3+
@ -211,6 +214,12 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 # RHEL spec file only: START
 %if %{NON_DEVELOPER_BUILD}
 %if 0%{?rhel} >= 8
+Patch0001:      0001-Remove-unneeded-dependency-on-python-coverage.patch
+Patch0002:      0002-Add-checks-to-prevent-adding-auth-indicators-to-inte.patch
+Patch0003:      0003-ipatests-ensure-auth-indicators-can-t-be-added-to-in.patch
+Patch0004:      0004-stageuser-add-ipauserauthtypeclass-when-required.patch
+Patch0005:      0005-XMLRPC-test-add-a-test-for-stageuser-add-user-auth-t.patch
+Patch0006:      0006-augeas-bump-version-for-rhel9.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@ -866,7 +875,6 @@ BuildArch: noarch
 Requires: python3-ipaclient = %{version}-%{release}
 Requires: python3-ipaserver = %{version}-%{release}
 Requires: iptables
-Requires: python3-coverage
 Requires: python3-cryptography >= 1.6
 Requires: python3-pexpect
 %if 0%{?fedora}
@ -1690,6 +1698,12 @@ fi
 %endif

 %changelog
+* Fri Jul 9 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-2
+- Resolves: rhbz#1955440 ipa installation fails to configure chrony
+- Resolves: rhbz#1976761 Package python3-ipatests (from CRB repo) Requires python3-coverage
+- Resolves: rhbz#1979609 Unable to set ipaUserAuthType with stageuser-add
+- Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services
+
 * Wed Jun 30 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-1
 - Resolves: rhbz#1969351 Rebase IPA to latest 4.9.x version
 - Resolves: rhbz#1976288 ansible-freeipa automember test fails with `automember_add_condition: testgroup: 'objectclass'` due to ldap cache