ipa-4.9.6-2
- Resolves: rhbz#1955440 ipa installation fails to configure chrony - Resolves: rhbz#1976761 Package python3-ipatests (from CRB repo) Requires python3-coverage - Resolves: rhbz#1979609 Unable to set ipaUserAuthType with stageuser-add - Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services
parent
42299a57bb
commit
2f8d027c58
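--- a/0001-Remove-unneeded-dependency-on-python-coverage.patch
+++ b/0001-Remove-unneeded-dependency-on-python-coverage.patch
@@ -0,0 +1,30 @@
+From 01f4b9d7935ca41c93b17e28543054f36e5baf46 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 30 Jun 2021 14:57:32 +0200
+Subject: [PATCH] Remove unneeded dependency on python-coverage
+
+The spec file requires python3-coverage although it is not
+used in the project.
+
+Fixes: https://pagure.io/freeipa/issue/8905
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Francois Cami <fcami@redhat.com>
+---
+freeipa.spec.in | 1 -
+1 file changed, 1 deletion(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index fdca43a24a6e07f77b9cd8a0feec940a0366f128..fbfe4d09eedc169112dcdc18a953134de67b7731 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -872,7 +872,6 @@ BuildArch: noarch
+Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-ipaserver = %{version}-%{release}
+Requires: iptables
+-Requires: python3-coverage
+Requires: python3-cryptography >= 1.6
+Requires: python3-pexpect
+%if 0%{?fedora}
+--
+2.26.3
+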
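--- a/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte.patch
+++ b/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte.patch
@@ -0,0 +1,134 @@
+From dffccae7193b0616cb84792edec480f5f67e1fc6 Mon Sep 17 00:00:00 2001
+From: Antonio Torres <antorres@redhat.com>
+Date: Mon, 8 Mar 2021 18:15:50 +0100
+Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA
+services
+
+Authentication indicators should not be enforced against internal
+IPA services, since not all users of those services are able to produce
+Kerberos tickets with all the auth indicator options. This includes
+host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
+If a client that is being promoted to replica has an auth indicator
+in its host principal then the promotion is aborted.
+
+Fixes: https://pagure.io/freeipa/issue/8206
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+ipaserver/install/server/replicainstall.py | 13 ++++++++++++
+ipaserver/plugins/host.py | 5 ++++-
+ipaserver/plugins/service.py | 24 ++++++++++++++++++++++
+3 files changed, 41 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
+index 73967a2249d5c8944d70c5c3ca9a9d3b3bfc6b73..f1fb9103687ce9719ef24c8cb3c41088a4003b25 100644
+--- a/ipaserver/install/server/replicainstall.py
++++ b/ipaserver/install/server/replicainstall.py
+@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn):
+))
+
+
++def promotion_check_host_principal_auth_ind(conn, hostdn):
++ entry = conn.get_entry(hostdn, ['krbprincipalauthind'])
++ if 'krbprincipalauthind' in entry:
++ raise RuntimeError(
++ "Client cannot be promoted to a replica if the host principal "
++ "has an authentication indicator set."
++ )
++
++
+@common_cleanup
+@preserve_enrollment_state
+def promote_check(installer):
+@@ -956,6 +965,10 @@ def promote_check(installer):
+config.master_host_name, None)
+
+promotion_check_ipa_domain(conn, remote_api.env.basedn)
++ hostdn = DN(('fqdn', api.env.host),
++ api.env.container_host,
++ api.env.basedn)
++ promotion_check_host_principal_auth_ind(conn, hostdn)
+
+# Make sure that domain fulfills minimal domain level
+# requirement
+diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
+index eb1f8ef042faf4b0deadfd5cef47f7688836506e..41fa933e2422184eafc4eae185a163082b96e045 100644
+--- a/ipaserver/plugins/host.py
++++ b/ipaserver/plugins/host.py
+@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
+LDAPAddAttributeViaOption,
+LDAPRemoveAttributeViaOption)
+from .service import (
+- validate_realm, normalize_principal,
++ validate_realm, validate_auth_indicator, normalize_principal,
+set_certificate_attrs, ticket_flags_params, update_krbticketflags,
+set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
+rename_ipaallowedtoperform_to_ldap, revoke_certs)
+@@ -735,6 +735,8 @@ class host_add(LDAPCreate):
+update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
+if 'krbticketflags' in entry_attrs:
+entry_attrs['objectclass'].append('krbticketpolicyaux')
++ validate_auth_indicator(entry_attrs)
++
+return dn
+
+def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate):
+if 'krbprincipalaux' not in (item.lower() for item in
+entry_attrs['objectclass']):
+entry_attrs['objectclass'].append('krbprincipalaux')
++ validate_auth_indicator(entry_attrs)
+
+add_sshpubkey_to_attrs_pre(self.context, attrs_list)
+
+diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
+index 1c93478049f5bdfdaf8503e459bd962dbbee9b44..cfbbff3c69c6a92535df58c51767c3d0952c7b0b 100644
+--- a/ipaserver/plugins/service.py
++++ b/ipaserver/plugins/service.py
+@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal):
+raise errors.RealmMismatch()
+
+
++def validate_auth_indicator(entry):
++ new_value = entry.get('krbprincipalauthind', None)
++ if not new_value:
++ return
++ # The following services are considered internal IPA services
++ # and shouldn't be allowed to have auth indicators.
++ # https://pagure.io/freeipa/issue/8206
++ pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
++ principal = kerberos.Principal(pkey)
++ server = api.Command.server_find(principal.hostname)['result']
++ if server:
++ prefixes = ("host", "cifs", "ldap", "HTTP")
++ else:
++ prefixes = ("cifs",)
++ if principal.service_name in prefixes:
++ raise errors.ValidationError(
++ name='krbprincipalauthind',
++ error=_('authentication indicators not allowed '
++ 'in service "%s"' % principal.service_name)
++ )
++
++
+def normalize_principal(value):
+"""
+Ensure that the name in the principal is lower-case. The realm is
+@@ -652,6 +674,7 @@ class service_add(LDAPCreate):
+hostname)
+
+self.obj.validate_ipakrbauthzdata(entry_attrs)
++ validate_auth_indicator(entry_attrs)
+
+if not options.get('force', False):
+# We know the host exists if we've gotten this far but we
+@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate):
+assert isinstance(dn, DN)
+
+self.obj.validate_ipakrbauthzdata(entry_attrs)
++ validate_auth_indicator(entry_attrs)
+
+# verify certificates
+certs = entry_attrs.get('usercertificate') or []
+--
+2.26.3
+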
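Review bot: In `validate_auth_indicator` (the ipaserver/plugins/service.py part of this patch) the `%` substitution is applied inside the `_()` call, so the string handed to the translation lookup already contains the service name and can never match a catalog entry; format after translating instead: `error=_('authentication indicators not allowed in service "%s"') % principal.service_name`. The helper carries the whole policy (host, cifs, ldap and HTTP on IPA servers, cifs everywhere else) but has no docstring, and a short one naming those two prefix lists would make the four call sites in `host_add`, `host_mod`, `service_add` and `service_mod` easier to audit. The host call sites pass a host entry whose DN goes through `api.Object['service'].get_primary_key_from_dn`; whether that yields a parseable principal for a host DN, or for an entry that `host_add` has not created yet, cannot be seen here and should be confirmed by a test. `server_find(principal.hostname)` presumably treats the hostname as a search term rather than an exact key, so it is worth confirming that it cannot match a differently named server.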
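--- a/0003-ipatests-ensure-auth-indicators-can-t-be-added-to-in.patch
+++ b/0003-ipatests-ensure-auth-indicators-can-t-be-added-to-in.patch
@@ -0,0 +1,138 @@
+From 538a9992fd1394ed24cbcdf2a2a27694ac28da55 Mon Sep 17 00:00:00 2001
+From: Antonio Torres <antorres@redhat.com>
+Date: Mon, 8 Mar 2021 18:20:35 +0100
+Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal
+IPA services
+
+Authentication indicators should not be added to internal IPA services,
+since this can lead to a broken IPA setup. In case a client with
+an auth indicator set in its host principal, promoting it to a replica
+should fail.
+
+Related: https://pagure.io/freeipa/issue/8206
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+---
+.../test_replica_promotion.py | 38 +++++++++++++++++++
+ipatests/test_xmlrpc/test_host_plugin.py | 10 +++++
+ipatests/test_xmlrpc/test_service_plugin.py | 21 ++++++++++
+3 files changed, 69 insertions(+)
+
+diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
+index 0a137dbdcb068811899e7ff7914730f14ea651c1..b9c56f775d08885cb6b1226eeb7bcf105f87cdc1 100644
+--- a/ipatests/test_integration/test_replica_promotion.py
++++ b/ipatests/test_integration/test_replica_promotion.py
+@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
+assert result.returncode == 1
+assert expected_err in result.stderr_text
+
++ @replicas_cleanup
++ def test_install_with_host_auth_ind_set(self):
++ """ A client shouldn't be able to be promoted if it has
++ any auth indicator set in the host principal.
++ https://pagure.io/freeipa/issue/8206
++ """
++
++ client = self.replicas[0]
++ # Configure firewall first
++ Firewall(client).enable_services(["freeipa-ldap",
++ "freeipa-ldaps"])
++
++ client.run_command(['ipa-client-install', '-U',
++ '--domain', self.master.domain.name,
++ '--realm', self.master.domain.realm,
++ '-p', 'admin',
++ '-w', self.master.config.admin_password,
++ '--server', self.master.hostname,
++ '--force-join'])
++
++ tasks.kinit_admin(client)
++
++ client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
++ client.hostname])
++
++ res = client.run_command(['ipa-replica-install', '-U', '-w',
++ self.master.config.dirman_password],
++ raiseonerr=False)
++
++ client.run_command(['ipa', 'host-mod', '--auth-ind=',
++ client.hostname])
++
++ expected_err = ("Client cannot be promoted to a replica if the host "
++ "principal has an authentication indicator set.")
++ assert res.returncode == 1
++ assert expected_err in res.stderr_text
++
++
+@replicas_cleanup
+def test_one_command_installation(self):
+"""
+diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
+index c66bbc865cd5e1ee5ee5e1874c177a3ea9b08c93..9cfde3565d48e103a0549e2bfb7579e07668f41b 100644
+--- a/ipatests/test_xmlrpc/test_host_plugin.py
++++ b/ipatests/test_xmlrpc/test_host_plugin.py
+@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
+error=u'An IPA master host cannot be deleted or disabled')):
+command()
+
++ def test_try_add_auth_ind_master(self, this_host):
++ command = this_host.make_update_command({
++ u'krbprincipalauthind': u'radius'})
++ with raises_exact(errors.ValidationError(
++ name='krbprincipalauthind',
++ error=u'authentication indicators not allowed '
++ 'in service "host"'
++ )):
++ command()
++
+
+@pytest.mark.tier1
+class TestValidation(XMLRPC_test):
+diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
+index 4c845938c33e2eca4235d53c4f4644c2fcdeda9c..ed634a0455a41dce367ed638634d1fc6d9e47553 100644
+--- a/ipatests/test_xmlrpc/test_service_plugin.py
++++ b/ipatests/test_xmlrpc/test_service_plugin.py
+@@ -25,6 +25,7 @@ from ipalib import api, errors
+from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
+from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
+from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
++from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
+from ipatests.test_xmlrpc import objectclasses
+from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
+from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
+@@ -1552,6 +1553,15 @@ def indicators_host(request):
+return tracker.make_fixture(request)
+
+
++@pytest.fixture(scope='function')
++def this_host(request):
++ """Fixture for the current master"""
++ tracker = HostTracker(name=api.env.host.partition('.')[0],
++ fqdn=api.env.host)
++ tracker.exists = True
++ return tracker
++
++
+@pytest.fixture(scope='function')
+def indicators_service(request):
+tracker = ServiceTracker(
+@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
+expected_updates={u'krbprincipalauthind': [u'radius']}
+)
+
++ def test_update_indicator_internal_service(self, this_host):
++ command = this_host.make_command('service_mod',
++ 'ldap/' + this_host.fqdn,
++ **dict(krbprincipalauthind='otp'))
++ with raises_exact(errors.ValidationError(
++ name='krbprincipalauthind',
++ error=u'authentication indicators not allowed '
++ 'in service "ldap"'
++ )):
++ command()
++
+
+@pytest.fixture(scope='function')
+def managing_host(request):
+--
+2.26.3
+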
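Review bot: The tests added here cover only two of the rejected cases, `host/` on the master via `make_update_command` in `test_try_add_auth_ind_master` and `ldap/` via `service_mod` in `test_update_indicator_internal_service`; nothing in this patch exercises the `HTTP` or `cifs` prefixes, the cifs-only list applied to non-server hosts, or the `host_add` and `service_add` call sites. Because the check is a fixed, case-sensitive list of service names, a test per prefix (wherever such a principal exists in the test setup) would catch a regression in any single entry. In `test_install_with_host_auth_ind_set` the `host-mod --auth-ind=` reset runs before the assertions, which keeps the host clean when they fail; a one-line comment such as `# reset before asserting so a failure does not leave the indicator set` would keep it from being reordered later.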
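--- a/0004-stageuser-add-ipauserauthtypeclass-when-required.patch
+++ b/0004-stageuser-add-ipauserauthtypeclass-when-required.patch
@@ -0,0 +1,57 @@
+From a8d6257b2cf64c3dd2b1c5d7bcf81acc3b766853 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Mon, 5 Jul 2021 09:51:41 +0200
+Subject: [PATCH] stageuser: add ipauserauthtypeclass when required
+
+The command
+ipa stageuser-add --user-auth-type=xxx
+is currently failing because the objectclass ipauserauthtypeclass
+is missing from the created entry.
+
+There is code adding the missing objectclass in the
+pre_common_callback method of user_add, and this code should
+be common to user_add and stageuser_add. In order to avoid code
+duplication, it makes more sense to move the existing code to
+pre_common_callback of baseuser_add, that is called by both
+classes.
+
+Fixes: https://pagure.io/freeipa/issue/8909
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ipaserver/plugins/baseuser.py | 3 +++
+ipaserver/plugins/user.py | 4 ----
+2 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
+index ae16a978ab01f9c5c257e9cb5567c918a7fafdc5..6035228f19ef8acaf4992490d5512c126881816d 100644
+--- a/ipaserver/plugins/baseuser.py
++++ b/ipaserver/plugins/baseuser.py
+@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate):
+if entry_attrs.get('ipatokenradiususername', None):
+add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
+entry_attrs, update=False)
++ if entry_attrs.get('ipauserauthtype', None):
++ add_missing_object_class(ldap, u'ipauserauthtypeclass', dn,
++ entry_attrs, update=False)
+
+def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
+assert isinstance(dn, DN)
+diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
+index 6f7facb5380ba56feab39b71cd265776f3ab57d8..e4ee572b236c288fd7dcf1d44c5adf1f836f63aa 100644
+--- a/ipaserver/plugins/user.py
++++ b/ipaserver/plugins/user.py
+@@ -617,10 +617,6 @@ class user_add(baseuser_add):
+'ipauser' not in entry_attrs['objectclass']:
+entry_attrs['objectclass'].append('ipauser')
+
+- if 'ipauserauthtype' in entry_attrs and \
+- 'ipauserauthtypeclass' not in entry_attrs['objectclass']:
+- entry_attrs['objectclass'].append('ipauserauthtypeclass')
+-
+rcl = entry_attrs.get('ipatokenradiusconfiglink', None)
+if rcl:
+if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']:
+--
+2.26.3
+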
@ -0,0 +1,32 @@
|
|||||||
|
From 932910456e0269edefe396d4af96447f90ff29b3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||||
|
Date: Mon, 5 Jul 2021 10:22:31 +0200
|
||||||
|
Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type
|
||||||
|
|
||||||
|
Related: https://pagure.io/freeipa/issue/8909
|
||||||
|
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||||
|
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
---
|
||||||
|
ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++
|
||||||
|
1 file changed, 6 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||||
|
index 5586fc607e134938225c1c982fc39d169847f549..bc606b093c98ce204ad4ea17e5c16273144fa2e7 100644
|
||||||
|
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||||
|
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
|
||||||
|
@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test):
|
||||||
|
result = command()
|
||||||
|
assert result['count'] == 1
|
||||||
|
|
||||||
|
+ def test_create_withuserauthtype(self, stageduser):
|
||||||
|
+ stageduser.ensure_missing()
|
||||||
|
+ command = stageduser.make_create_command(
|
||||||
|
+ options={u'ipauserauthtype': u'password'})
|
||||||
|
+ command()
|
||||||
|
+
|
||||||
|
|
||||||
|
@pytest.mark.tier1
|
||||||
|
class TestCreateInvalidAttributes(XMLRPC_test):
|
||||||
|
--
|
||||||
|
2.26.3
|
||||||
|
|
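Review bot: `test_create_withuserauthtype` throws away the return value of `command()`, so it only proves that `stageuser-add` with `ipauserauthtype` no longer raises and never checks that the value was stored. Keep the result and assert on it, for example `result = command()` and then `assert result['result']['ipauserauthtype'] == [u'password']` (assuming the usual result layout; adjust to what the tracker helpers expect). The entry is also created through `make_create_command` directly, so whether the `stageduser` fixture still removes it afterwards is not visible in this hunk and is worth checking.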
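--- a/0006-augeas-bump-version-for-rhel9.patch
+++ b/0006-augeas-bump-version-for-rhel9.patch
@@ -0,0 +1,40 @@
+From 9144526d2d7e7dcd8503c6c38226e17ebb4ed8b9 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 7 Jul 2021 10:49:25 +0200
+Subject: [PATCH] augeas: bump version for rhel9
+
+augeas 1.12.1-0.1 adds support for the new chony configuration
+settings.
+
+Related: https://pagure.io/freeipa/issue/8676
+Reviewed-By: Francois Cami <fcami@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+---
+freeipa.spec.in | 5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index fbfe4d09eedc169112dcdc18a953134de67b7731..ae4af099f39641a9f5163d61cfb37e1c3afb6f4b 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -162,13 +162,16 @@
+
+# augeas support for new chrony options
+# see https://pagure.io/freeipa/issue/8676
+-# Note: will need to be updated for RHEL9 when a fix is available for
+# https://bugzilla.redhat.com/show_bug.cgi?id=1931787
+%if 0%{?fedora} >= 33
+%global augeas_version 1.12.0-6
+%else
++%if 0%{?rhel} >= 9
++%global augeas_version 1.12.1-0
++%else
+%global augeas_version 1.12.0-3
+%endif
++%endif
+
+%global plugin_dir %{_libdir}/dirsrv/plugins
+%global etc_systemd_dir %{_sysconfdir}/systemd/system
+--
+2.26.3
+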
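--- a/freeipa.spec
+++ b/freeipa.spec
@@ -162,13 +162,16 @@
 
 # augeas support for new chrony options
 # see https://pagure.io/freeipa/issue/8676
-# Note: will need to be updated for RHEL9 when a fix is available for
 # https://bugzilla.redhat.com/show_bug.cgi?id=1931787
 %if 0%{?fedora} >= 33
 %global augeas_version 1.12.0-6
 %else
+%if 0%{?rhel} >= 9
+%global augeas_version 1.12.1-0
+%else
 %global augeas_version 1.12.0-3
 %endif
+%endif
 
 %global plugin_dir %{_libdir}/dirsrv/plugins
 %global etc_systemd_dir %{_sysconfdir}/systemd/system
@@ -191,7 +194,7 @@
 
 Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 1%{?rc_version:.%rc_version}%{?dist}
+Release: 2%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 
 License: GPLv3+
@@ -211,6 +214,12 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 # RHEL spec file only: START
 %if %{NON_DEVELOPER_BUILD}
 %if 0%{?rhel} >= 8
+Patch0001: 0001-Remove-unneeded-dependency-on-python-coverage.patch
+Patch0002: 0002-Add-checks-to-prevent-adding-auth-indicators-to-inte.patch
+Patch0003: 0003-ipatests-ensure-auth-indicators-can-t-be-added-to-in.patch
+Patch0004: 0004-stageuser-add-ipauserauthtypeclass-when-required.patch
+Patch0005: 0005-XMLRPC-test-add-a-test-for-stageuser-add-user-auth-t.patch
+Patch0006: 0006-augeas-bump-version-for-rhel9.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -866,7 +875,6 @@ BuildArch: noarch
 Requires: python3-ipaclient = %{version}-%{release}
 Requires: python3-ipaserver = %{version}-%{release}
 Requires: iptables
-Requires: python3-coverage
 Requires: python3-cryptography >= 1.6
 Requires: python3-pexpect
 %if 0%{?fedora}
@@ -1690,6 +1698,12 @@ fi
 %endif
 
 %changelog
+* Fri Jul 9 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-2
+- Resolves: rhbz#1955440 ipa installation fails to configure chrony
+- Resolves: rhbz#1976761 Package python3-ipatests (from CRB repo) Requires python3-coverage
+- Resolves: rhbz#1979609 Unable to set ipaUserAuthType with stageuser-add
+- Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services
+
 * Wed Jun 30 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-1
 - Resolves: rhbz#1969351 Rebase IPA to latest 4.9.x version
 - Resolves: rhbz#1976288 ansible-freeipa automember test fails with `automember_add_condition: testgroup: 'objectclass'` due to ldap cache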