rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

ipa-4.9.6-3

Browse Source 
- Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services
- Resolves: rhbz#1982212 ipa-trust-add fails with "not enough quota"
- Resolves: rhbz#1952028 [RFE] Add support for managing subuids and subgids in FreeIPA
- Resolves: rhbz#1981789 [man page] contradiction in ipa-server-upgrade command's man page and usage
This commit is contained in:
Florence Blanc-Renaud 2021-07-15 16:59:13 +02:00
parent 2f8d027c58
commit 5a5afdbc6f
11 changed files with 5929 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
0007-man-page-update-ipa-server-upgrade.1.patch Normal file
View File

@ -0,0 +1,35 @@
From ecb407864fde4d917dabe0aae95881561ed384ab Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 7 Jul 2021 14:11:40 +0200
Subject: [PATCH] man page: update ipa-server-upgrade.1
The man page needs to clarify in which case the command needs
to be run.
Fixes: https://pagure.io/freeipa/issue/8913
Reviewed-By: Francois Cami <fcami@redhat.com>
---
install/tools/man/ipa-server-upgrade.1 | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1
index 3db19b0f13da1f5a36bd6e8df23fc916d0401a6d..f01e21c6b599499c4c6dbbcf120b19a3431fb3ed 100644
--- a/install/tools/man/ipa-server-upgrade.1
+++ b/install/tools/man/ipa-server-upgrade.1
@@ -8,7 +8,12 @@ ipa\-server\-upgrade \- upgrade IPA server
.SH "SYNOPSIS"
ipa\-server\-upgrade [options]
.SH "DESCRIPTION"
-ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
+ipa\-server\-upgrade is executed automatically to upgrade IPA server when
+the IPA packages are being updated. It is not intended to be executed by
+end\-users, unless the automatic execution reports an error. In this case,
+the administrator needs to identify and fix the issue that is causing the
+upgrade failure (with the help of /var/log/ipaupgrade.log)
+and manually re\-run ipa\-server\-upgrade.
ipa\-server\-upgrade will:
--
2.26.3

2324
0008-Add-basic-support-for-subordinate-user-group-ids.patch Normal file
View File

File diff suppressed because it is too large Load Diff

2906
0009-Redesign-subid-feature.patch Normal file
View File

File diff suppressed because it is too large Load Diff

113
0010-Use-389-DS-dnaInterval-setting-to-assign-intervals.patch Normal file
View File

@ -0,0 +1,113 @@
From c9bae715b24df0f5476bdb70a2209d5f55e46a93 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 21 May 2021 09:26:33 +0200
Subject: [PATCH] Use 389-DS' dnaInterval setting to assign intervals
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
freeipa.spec.in | 3 ++-
install/share/dna.ldif | 1 +
install/updates/73-subid.update | 7 ++-----
ipaserver/plugins/subid.py | 14 +-------------
4 files changed, 6 insertions(+), 19 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 044e3559975c399f6697d4da94b5a059eb5b407c..fa649cf4e1abe8e9928ef340a66d48d78f7e3521 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -106,8 +106,9 @@
%global python_ldap_version 3.1.0-1
# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4700
+# and has DNA interval enabled
%if 0%{?fedora} < 34
-%global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.16-1'; print(v[rpm.expand('%{fedora}')])}
+%global ds_version 1.4.4.16-1
%else
%global ds_version 2.0.5-1
%endif
diff --git a/install/share/dna.ldif b/install/share/dna.ldif
index 735faab8261feef59486f7c933b01c57ad511166..9023fcd7db5a2c121c493559e2546c85c0daf69a 100644
--- a/install/share/dna.ldif
+++ b/install/share/dna.ldif
@@ -31,6 +31,7 @@ dnaScope: $SUFFIX
dnaThreshold: eval($SUBID_DNA_THRESHOLD)
dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
dnaExcludeScope: cn=provisioning,$SUFFIX
+dnaInterval: eval($SUBID_COUNT)
# TODO: enable when 389-DS' DNA plugin supports dnaStepAttr
# dnaIntervalAttr: ipasubuidcount
# dnaIntervalAttr: ipasubgidcount
diff --git a/install/updates/73-subid.update b/install/updates/73-subid.update
index 1aa43822a8b8c220583b81e08d70b648ca594363..e10703aa3f9528751233ddebe00b8c8c8fc5ed3f 100644
--- a/install/updates/73-subid.update
+++ b/install/updates/73-subid.update
@@ -62,12 +62,8 @@ default:member: cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX
# The delete-when-empty check is required because IPA uses MOD_REPLACE to
# set attributes, see https://github.com/389ds/389-ds-base/issues/4597.
#
-# TODO: remove (ipasubuidnumber>=eval($SUBID_RANGE_START) from
-# self-service permission when 389-DS' DNA plugin supports dnaStepAttr and
-# fake_dna_plugin hack has been removed.
-#
dn: cn=subids,cn=accounts,$SUFFIX
-add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=eval($SUBID_RANGE_START))(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=eval($SUBID_RANGE_START))(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (add, write) userattr = "ipaowner#SELFDN" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)
+add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(ipasubuidnumber=-1) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(ipasubgidnumber=-1) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "selfservice: Add subordinate id";allow (add, write) userattr = "ipaowner#SELFDN" and groupdn="ldap:///cn=Self-service subordinate ID,cn=permissions,cn=pbac,$SUFFIX";)
add: aci: (targetfilter = "(objectclass=ipasubordinateidentry)")(targetattr="description || ipaowner || ipauniqueid")(targattrfilters = "add=objectClass:(|(objectClass=top)(objectClass=ipasubordinateid)(objectClass=ipasubordinateidentry)(objectClass=ipasubordinategid)(objectClass=ipasubordinateuid)) && ipasubuidnumber:(|(ipasubuidnumber>=1)(ipasubuidnumber=-1)) && ipasubuidcount:(ipasubuidcount=eval($SUBID_COUNT)) && ipasubgidnumber:(|(ipasubgidnumber>=1)(ipasubgidnumber=-1)) && ipasubgidcount:(ipasubgidcount=eval($SUBID_COUNT)), del=ipasubuidnumber:(!(ipasubuidnumber=*)) && ipasubuidcount:(!(ipasubuidcount=*)) && ipasubgidnumber:(!(ipasubgidnumber=*)) && ipasubgidcount:(!(ipasubgidcount=*))")(version 3.0;acl "Add subordinate ids to any user";allow (add, write) groupdn="ldap:///cn=Subordinate ID Administrators,cn=privileges,cn=pbac,$SUFFIX";)
# DNA plugin and idrange configuration
@@ -90,6 +86,7 @@ default: dnaScope: $SUFFIX
default: dnaThreshold: eval($SUBID_DNA_THRESHOLD)
default: dnaSharedCfgDN: cn=subordinate-ids,cn=dna,cn=ipa,cn=etc,$SUFFIX
default: dnaExcludeScope: cn=provisioning,$SUFFIX
+default: dnaInterval: eval($SUBID_COUNT)
# TODO: enable when 389-DS' DNA plugin supports dnaStepAttr
# add: dnaIntervalAttr: ipasubuidcount
# add: dnaIntervalAttr: ipasubgidcount
diff --git a/ipaserver/plugins/subid.py b/ipaserver/plugins/subid.py
index 7d9a2f33e84bc7cdf17900346343e49d5eda0d8c..440f24ee627f0736100f63026158c564b04520c2 100644
--- a/ipaserver/plugins/subid.py
+++ b/ipaserver/plugins/subid.py
@@ -2,7 +2,6 @@
# Copyright (C) 2021 FreeIPA Contributors see COPYING for license
#
-import random
import uuid
from ipalib import api
@@ -291,12 +290,8 @@ class subid(LDAPObject):
_entry_attrs = ldap.get_entry(dn, ["objectclass"])
entry_attrs["objectclass"] = _entry_attrs["objectclass"]
- # XXX HACK, remove later
- if subuid == DNA_MAGIC:
- subuid = self._fake_dna_plugin(ldap, dn, entry_attrs)
-
entry_attrs["ipasubuidnumber"] = subuid
- # enforice subuid == subgid for now
+ # enforce subuid == subgid for now
entry_attrs["ipasubgidnumber"] = subuid
# hard-coded constants
entry_attrs["ipasubuidcount"] = constants.SUBID_COUNT
@@ -350,13 +345,6 @@ class subid(LDAPObject):
filters.extend(extra_filters)
return ldap.combine_filters(filters, rules=ldap.MATCH_ALL)
- def _fake_dna_plugin(self, ldap, dn, entry_attrs):
- """XXX HACK, remove when 389-DS DNA plugin supports steps"""
- return (
- constants.SUBID_RANGE_START
- + random.randint(1, 32764 - 2) * constants.SUBID_COUNT
- )
-
@register()
class subid_add(LDAPCreate):
--
2.26.3

68
0011-Fix-ipa-server-upgrade.patch Normal file
View File

@ -0,0 +1,68 @@
From 21574b261cf0d346da48e34c0a5383736ca8798b Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 21 May 2021 14:56:32 +0200
Subject: [PATCH] Fix ipa-server-upgrade
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
install/share/bootstrap-template.ldif | 2 +-
install/updates/73-subid.update | 2 +-
ipaserver/install/ldapupdate.py | 3 +++
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 16f2ef822eaf56dd68d4140b22a607539645b151..325eb8450c786899e7b5e4ae2ef8978f42a8425b 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -491,7 +491,7 @@ cn: ${REALM}_subid_range
ipaBaseID: eval($SUBID_RANGE_START)
ipaIDRangeSize: eval($SUBID_RANGE_SIZE)
# HACK: RIDs to work around adtrust sidgen issue
-ipaBaseRID: eval($SUBID_RANGE_START - $IDRANGE_SIZE)
+ipaBaseRID: eval($SUBID_BASE_RID)
# 738065-838566 = IPA-SUB
ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
# HACK: "ipa-local-subid" range type causes issues with older SSSD clients
diff --git a/install/updates/73-subid.update b/install/updates/73-subid.update
index e10703aa3f9528751233ddebe00b8c8c8fc5ed3f..890eb7f1f6f261af977f26b3457e765ee8e9791f 100644
--- a/install/updates/73-subid.update
+++ b/install/updates/73-subid.update
@@ -102,7 +102,7 @@ default: cn: ${REALM}_subid_range
default: ipaBaseID: $SUBID_RANGE_START
default: ipaIDRangeSize: $SUBID_RANGE_SIZE
# HACK: RIDs to work around adtrust sidgen issue
-default: ipaBaseRID: eval($SUBID_RANGE_START - $IDRANGE_SIZE)
+default: ipaBaseRID: eval($SUBID_BASE_RID)
default: ipaNTTrustedDomainSID: S-1-5-21-738065-838566-$DOMAIN_HASH
# HACK: "ipa-local-subid" range type causes issues with older SSSD clients
# see https://github.com/SSSD/sssd/issues/5571
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index d0516dc3028366df5d03a960866abe72601aa4b6..06cb78e0b7dc2c82f0339c43228045d93b922288 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -59,8 +59,10 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
"""
if idstart is None:
idrange_size = None
+ subid_base_rid = None
else:
idrange_size = idmax - idstart + 1
+ subid_base_rid = constants.SUBID_RANGE_START - idrange_size
return dict(
REALM=realm,
@@ -81,6 +83,7 @@ def get_sub_dict(realm, domain, suffix, fqdn, idstart=None, idmax=None):
SUBID_RANGE_SIZE=constants.SUBID_RANGE_SIZE,
SUBID_RANGE_MAX=constants.SUBID_RANGE_MAX,
SUBID_DNA_THRESHOLD=constants.SUBID_DNA_THRESHOLD,
+ SUBID_BASE_RID=subid_base_rid,
DOMAIN_HASH=murmurhash3(domain, len(domain), 0xdeadbeef),
MAX_DOMAIN_LEVEL=constants.MAX_DOMAIN_LEVEL,
MIN_DOMAIN_LEVEL=constants.MIN_DOMAIN_LEVEL,
--
2.26.3

29
0012-Fix-oid-of-ipaUserDefaultSubordinateId.patch Normal file
View File

@ -0,0 +1,29 @@
From c8b4fd5bb773a73116350bf8e853246916fe87c2 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 15 Jun 2021 13:25:18 +0200
Subject: [PATCH] Fix oid of ipaUserDefaultSubordinateId
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
install/share/60ipaconfig.ldif | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/share/60ipaconfig.ldif b/install/share/60ipaconfig.ldif
index f84b38ead1d70ff408f5669029f1517b0c98ecf1..005c1dd11e37039132620f1d97f9662ffb8c8c59 100644
--- a/install/share/60ipaconfig.ldif
+++ b/install/share/60ipaconfig.ldif
@@ -47,7 +47,7 @@ attributeTypes: ( 2.16.840.1.113730.3.8.3.27 NAME 'ipaSELinuxUserMapOrder' DESC
## ipaMaxHostnameLength - maximum hostname length to allow
attributeTypes: ( 2.16.840.1.113730.3.8.1.28 NAME 'ipaMaxHostnameLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE)
# ipaUserDefaultSubordinateId - if TRUE new user entries gain subordinate id by default
-attributeTypes: ( 2.16.840.1.113730.3.8.3.23.14 NAME 'ipaUserDefaultSubordinateId' DESC 'Enable adding user entries with subordinate id' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
+attributeTypes: ( 2.16.840.1.113730.3.8.23.14 NAME 'ipaUserDefaultSubordinateId' DESC 'Enable adding user entries with subordinate id' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.9')
###############################################
##
## ObjectClasses
--
2.26.3

275
0013-WebUI-Improve-subordinate-ids-user-workflow.patch Normal file
View File

@ -0,0 +1,275 @@
From 10418b7f3ea8c682961fc201545169663d507bf6 Mon Sep 17 00:00:00 2001
From: Serhii Tsymbaliuk <stsymbal@redhat.com>
Date: Thu, 17 Jun 2021 13:56:19 +0200
Subject: [PATCH] WebUI: Improve subordinate ids user workflow
- add "Subordinate ID Statistics" page
- add button for generating subid in "Subordinate ids" tab of user details page
- allow to navigate directly to owner details from subordinate id page
- adjust i18n strings
Ticket: https://pagure.io/freeipa/issue/8361
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
install/ui/src/freeipa/details.js | 8 ++-
.../ui/src/freeipa/navigation/menu_spec.js | 19 ++++++-
install/ui/src/freeipa/subid.js | 43 +++++++++++++++-
install/ui/src/freeipa/user.js | 49 +++++++++++++++----
ipaserver/plugins/internal.py | 22 ++++++---
5 files changed, 121 insertions(+), 20 deletions(-)
diff --git a/install/ui/src/freeipa/details.js b/install/ui/src/freeipa/details.js
index b557bbcef9a427a87eee3216f4345fc853cbaaff..2704cbd0ba98efa877cf5ec8a878e688ee6807e9 100644
--- a/install/ui/src/freeipa/details.js
+++ b/install/ui/src/freeipa/details.js
@@ -602,6 +602,12 @@ exp.details_facet = IPA.details_facet = function(spec, no_init) {
*/
that.facet_group = spec.facet_group || 'settings';
+ /**
+ * Indicates if the details facet depends on pkey
+ * @property {boolean}
+ */
+ that.require_pkey = spec.require_pkey !== undefined ? spec.require_pkey : true;
+
/**
* Widgets
* @property {IPA.widget_container}
@@ -1105,7 +1111,7 @@ exp.details_facet = IPA.details_facet = function(spec, no_init) {
*/
that.refresh = function(on_success, on_error) {
- if (!that.get_pkey() && that.entity.redirect_facet) {
+ if (that.require_pkey && !that.get_pkey() && that.entity.redirect_facet) {
that.redirect();
return;
}
diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js
index 6ccd06919fbe04c7e8d2034ff7a1f644f373c607..a205dfade2f9508edbdc23ee6f7247508cc0479c 100644
--- a/install/ui/src/freeipa/navigation/menu_spec.js
+++ b/install/ui/src/freeipa/navigation/menu_spec.js
@@ -104,7 +104,24 @@ var nav = {};
}
]
},
- { entity: 'subid' }
+ {
+ name: 'subid',
+ label: '@i18n:tabs.subid',
+ children: [
+ {
+ name: 'subid',
+ entity: 'subid',
+ facet: 'search',
+ label: '@i18n:tabs.subid'
+ },
+ {
+ name: 'subid-stats',
+ entity: 'subid',
+ facet: 'stats',
+ label: '@i18n:objects.subid.stats'
+ }
+ ]
+ }
]
},
{
diff --git a/install/ui/src/freeipa/subid.js b/install/ui/src/freeipa/subid.js
index f286165070b08badf77cac6c30e93cab916c2acc..32f75bb7854cd3e84417a66870e99d34d49617e3 100644
--- a/install/ui/src/freeipa/subid.js
+++ b/install/ui/src/freeipa/subid.js
@@ -31,6 +31,7 @@ return {
},
{
$type: 'details',
+ disable_facet_tabs: true,
sections: [
{
name: 'details',
@@ -38,9 +39,11 @@ return {
'ipauniqueid',
'description',
{
+ $type: 'link',
name: 'ipaowner',
label: '@i18n:objects.subid.ipaowner',
- title: '@mo-param:subid:ipaowner:label'
+ title: '@mo-param:subid:ipaowner:label',
+ other_entity: 'user'
},
{
name: 'ipasubgidnumber',
@@ -65,6 +68,44 @@ return {
]
}
]
+ },
+ {
+ $type: 'details',
+ name: 'stats',
+ label: '@i18n:objects.subid.stats',
+ refresh_command_name: 'stats',
+ check_rights: false,
+ no_update: true,
+ disable_facet_tabs: true,
+ disable_breadcrumb: true,
+ require_pkey: false,
+ fields: [
+ {
+ name: 'assigned_subids',
+ label: '@i18n:objects.subid.assigned_subids',
+ read_only: true
+ },
+ {
+ name: 'baseid',
+ label: '@i18n:objects.subid.baseid',
+ read_only: true
+ },
+ {
+ name: 'dna_remaining',
+ label: '@i18n:objects.subid.dna_remaining',
+ read_only: true
+ },
+ {
+ name: 'rangesize',
+ label: '@i18n:objects.subid.rangesize',
+ read_only: true
+ },
+ {
+ name: 'remaining_subids',
+ label: '@i18n:objects.subid.remaining_subids',
+ read_only: true
+ }
+ ]
}
],
adder_dialog: {
diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js
index 56bb6f4feffb637d33a57aecf9a98f08d4639550..6a56320c580f58a1aba84e598736631986421113 100644
--- a/install/ui/src/freeipa/user.js
+++ b/install/ui/src/freeipa/user.js
@@ -464,7 +464,7 @@ return {
},
{
$type: 'subid_generate',
- hide_cond: ['preserved-user'],
+ hide_cond: ['preserved-user', 'self-service-other'],
enable_cond: ['no-subid']
}
],
@@ -556,8 +556,35 @@ return {
{
$type: 'association',
name: 'memberof_subid',
+ columns: [
+ 'ipauniqueid',
+ 'ipasubuidnumber',
+ 'ipasubgidnumber'
+ ],
associator: IPA.serial_associator,
- read_only: true
+ read_only: true,
+ state: {
+ evaluators: [
+ IPA.user.self_service_other_user_evaluator,
+ IPA.user.preserved_user_evaluator,
+ IPA.user.has_subid_evaluator
+ ]
+ },
+ actions: [
+ {
+ $type: 'subid_generate',
+ name: 'subid_generate',
+ hide_cond: ['preserved-user', 'self-service-other'],
+ enable_cond: ['no-subid']
+ }
+ ],
+ control_buttons: [
+ {
+ name: 'subid_generate',
+ label: '@i18n:objects.user.auto_subid',
+ icon: 'fa-plus'
+ }
+ ]
}
],
standard_association_facets: {
@@ -1216,14 +1243,16 @@ IPA.user.subid_generate_action = function(spec) {
var that = IPA.action(spec);
that.execute_action = function(facet) {
-
- var subid_e = reg.entity.get('subid');
- var dialog = subid_e.get_dialog('add');
- dialog.open();
- if (!IPA.is_selfservice) {
- var owner = facet.get_pkey();
- dialog.get_field('ipaowner').set_value([owner]);
- }
+ var owner = facet.get_pkey();
+ var command = rpc.command({
+ entity: 'subid',
+ method: 'generate'
+ });
+ command.set_option('ipaowner', owner);
+ command.on_success = function(data, text_status, xhr) {
+ facet.refresh();
+ };
+ command.execute();
};
return that;
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
index 5ef940c2b88cc2b132a15d619772349b30731306..29e09f0067ec60d014e61c49313455d64478ef22 100644
--- a/ipaserver/plugins/internal.py
+++ b/ipaserver/plugins/internal.py
@@ -1364,6 +1364,20 @@ class i18n_messages(Command):
"undel_success": _("${count} user(s) restored"),
"user_categories": _("User categories"),
},
+ "subid": {
+ "add": _("Add subid"),
+ "assigned_subids": _("Assigned subids"),
+ "baseid": _("Base ID"),
+ "dna_remaining": _("DNA remaining"),
+ "ipaowner": _("Owner"),
+ "ipasubgidcount": _("SubGID range size"),
+ "ipasubgidnumber": _("SubGID range start"),
+ "ipasubuidcount": _("SubUID range size"),
+ "ipasubuidnumber": _("SubUID range start"),
+ "rangesize": _("Range size"),
+ "remaining_subids": _("Remaining subids"),
+ "stats": _("Subordinate ID Statistics"),
+ },
"sudocmd": {
"add": _("Add sudo command"),
"add_into_sudocmdgroups": _(
@@ -1547,13 +1561,6 @@ class i18n_messages(Command):
"Drive to mount a home directory"
),
},
- "subid": {
- "identity": _("Subordinate user and group id"),
- "subuidnumber": _("Subordinate user id"),
- "subuidcount": _("Subordinate user id count"),
- "subgidnumber": _("Subordinate group id"),
- "subgidcount": _("Subordinate group id count"),
- },
"trustconfig": {
"options": _("Options"),
},
@@ -1942,6 +1949,7 @@ class i18n_messages(Command):
"network_services": _("Network Services"),
"policy": _("Policy"),
"role": _("Role-Based Access Control"),
+ "subid": _("Subordinate IDs"),
"sudo": _("Sudo"),
"topology": _("Topology"),
"trust": _("Trusts"),
--
2.26.3

57
0014-Test-DNA-plugin-configuration.patch Normal file
View File

@ -0,0 +1,57 @@
From b6ab27acdb07c21f43e9dcc9b777f8fd6a8925e1 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 18 Jun 2021 10:51:54 +0200
Subject: [PATCH] Test DNA plugin configuration
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipatests/test_integration/test_subids.py | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_subids.py b/ipatests/test_integration/test_subids.py
index 48e58c26464f52605438afe865575e5ca4c8f1f8..28cd1f765cd63af944bce83f4676a2b1998f5f5d 100644
--- a/ipatests/test_integration/test_subids.py
+++ b/ipatests/test_integration/test_subids.py
@@ -6,8 +6,11 @@
"""
import os
-from ipalib.constants import SUBID_COUNT, SUBID_RANGE_START, SUBID_RANGE_MAX
+from ipalib.constants import (
+ SUBID_COUNT, SUBID_RANGE_START, SUBID_RANGE_MAX, SUBID_DNA_THRESHOLD
+)
from ipaplatform.paths import paths
+from ipapython.dn import DN
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
@@ -81,6 +84,23 @@ class TestSubordinateId(IntegrationTest):
cmd.extend(("--owner", uid))
return self.master.run_command(cmd, **kwargs)
+ def test_dna_config(self):
+ conn = self.master.ldap_connect()
+ dna_cfg = DN(
+ "cn=Subordinate IDs,cn=Distributed Numeric Assignment Plugin,"
+ "cn=plugins,cn=config"
+ )
+ entry = conn.get_entry(dna_cfg)
+
+ def single_int(key):
+ return int(entry.single_value[key])
+
+ assert single_int("dnaInterval") == SUBID_COUNT
+ assert single_int("dnaThreshold") == SUBID_DNA_THRESHOLD
+ assert single_int("dnaMagicRegen") == -1
+ assert single_int("dnaMaxValue") == SUBID_RANGE_MAX
+ assert set(entry["dnaType"]) == {"ipasubgidnumber", "ipasubuidnumber"}
+
def test_auto_generate_subid(self):
uid = "testuser_auto1"
passwd = "Secret123"
--
2.26.3

69
0015-Fall-back-to-krbprincipalname-when-validating-host-a.patch Normal file
View File

@ -0,0 +1,69 @@
From 3b7f537dd3022ecb758b2f0f8b2aba530e74bff7 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 12 Jul 2021 11:02:10 -0400
Subject: [PATCH] Fall back to krbprincipalname when validating host auth
indicators
When adding a new host the principal cannot be determined because it
relies on either:
a) an entry to already exist
b) krbprincipalname be a component of the dn
As a result the full dn is being passed into ipapython.Kerberos
which can't parse it.
Look into the entry in validate_validate_auth_indicator() for
krbprincipalname in this case.
https://pagure.io/freeipa/issue/8206
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/plugins/service.py | 5 +++++
ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++
2 files changed, 16 insertions(+)
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index cfbbff3c69c6a92535df58c51767c3d0952c7b0b..498f5e444364c6330e053d1057b727fb5181f70b 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -209,6 +209,11 @@ def validate_auth_indicator(entry):
# and shouldn't be allowed to have auth indicators.
# https://pagure.io/freeipa/issue/8206
pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
+ if pkey == str(entry.dn):
+ # krbcanonicalname may not be set yet if this is a host entry,
+ # try krbprincipalname
+ if 'krbprincipalname' in entry:
+ pkey = entry['krbprincipalname']
principal = kerberos.Principal(pkey)
server = api.Command.server_find(principal.hostname)['result']
if server:
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index 9cfde3565d48e103a0549e2bfb7579e07668f41b..ff50e796cd19fca2c7b6c87d73940779db8daa0b 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test):
)):
command()
+ def test_add_non_master_with_auth_ind(self, host5):
+ host5.ensure_missing()
+ command = host5.make_command(
+ 'host_add', host5.fqdn, krbprincipalauthind=['radius'],
+ force=True
+ )
+ result = command()
+ # The fact that the command succeeds exercises the change but
+ # let's check the indicator as well.
+ assert result['result']['krbprincipalauthind'] == ('radius',)
+
@pytest.mark.tier1
class TestValidation(XMLRPC_test):
--
2.26.3

30
0016-spec-file-Trust-controller-role-should-pull-sssd-win.patch Normal file
View File

@ -0,0 +1,30 @@
From aa07f41769765e55c1531b52ad9ef5876e97e0e9 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 15 Jul 2021 10:06:56 +0200
Subject: [PATCH] spec file: Trust controller role should pull
sssd-winbind-idmap package
ipa-server-trust-ad subpackage need to pull in sssd-winbind-idmap
Fixes: https://pagure.io/freeipa/issue/8923
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
freeipa.spec.in | 1 +
1 file changed, 1 insertion(+)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index fa649cf4e1abe8e9928ef340a66d48d78f7e3521..c33d2e216e5b0f13ae4fd3f9f506d4983493f03a 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -597,6 +597,7 @@ Requires: %{name}-common = %{version}-%{release}
Requires: samba >= %{samba_version}
Requires: samba-winbind
+Requires: sssd-winbind-idmap
Requires: libsss_idmap
%if 0%{?rhel}
Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
--
2.26.3

26
freeipa.spec
View File

@ -77,7 +77,8 @@
# Bug 1929067 - PKI instance creation failed with new 389-ds-base build
%global ds_version 1.4.3.16-12
%else
%global ds_version 2.0.3-3
# DNA interval enabled
%global ds_version 2.0.5-1
%endif
# Fix for TLS 1.3 PHA, RHBZ#1775158
@ -106,8 +107,9 @@
%global python_ldap_version 3.1.0-1
# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4700
# and has DNA interval enabled
%if 0%{?fedora} < 34
%global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.16-1'; print(v[rpm.expand('%{fedora}')])}
%global ds_version 1.4.4.16-1
%else
%global ds_version 2.0.5-1
%endif
@ -194,7 +196,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 2%{?rc_version:.%rc_version}%{?dist}
Release: 3%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -220,6 +222,16 @@ Patch0003: 0003-ipatests-ensure-auth-indicators-can-t-be-added-to-in.patch
Patch0004: 0004-stageuser-add-ipauserauthtypeclass-when-required.patch
Patch0005: 0005-XMLRPC-test-add-a-test-for-stageuser-add-user-auth-t.patch
Patch0006: 0006-augeas-bump-version-for-rhel9.patch
Patch0007: 0007-man-page-update-ipa-server-upgrade.1.patch
Patch0008: 0008-Add-basic-support-for-subordinate-user-group-ids.patch
Patch0009: 0009-Redesign-subid-feature.patch
Patch0010: 0010-Use-389-DS-dnaInterval-setting-to-assign-intervals.patch
Patch0011: 0011-Fix-ipa-server-upgrade.patch
Patch0012: 0012-Fix-oid-of-ipaUserDefaultSubordinateId.patch
Patch0013: 0013-WebUI-Improve-subordinate-ids-user-workflow.patch
Patch0014: 0014-Test-DNA-plugin-configuration.patch
Patch0015: 0015-Fall-back-to-krbprincipalname-when-validating-host-a.patch
Patch0016: 0016-spec-file-Trust-controller-role-should-pull-sssd-win.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -597,6 +609,7 @@ Requires: %{name}-common = %{version}-%{release}
Requires: samba >= %{samba_version}
Requires: samba-winbind
Requires: libsss_idmap
Requires: sssd-winbind-idmap
%if 0%{?rhel}
Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
%endif
@ -1361,6 +1374,7 @@ fi
%{_libexecdir}/ipa/ipa-pki-wait-running
%{_libexecdir}/ipa/ipa-otpd
%{_libexecdir}/ipa/ipa-print-pac
%{_libexecdir}/ipa/ipa-subids
%dir %{_libexecdir}/ipa/custodia
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
@ -1698,6 +1712,12 @@ fi
%endif
%changelog
* Thu Jul 15 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-3
- Resolves: rhbz#1979629 Add checks to prevent assigning authentication indicators to internal IPA services
- Resolves: rhbz#1982212 ipa-trust-add fails with "not enough quota"
- Resolves: rhbz#1952028 [RFE] Add support for managing subuids and subgids in FreeIPA
- Resolves: rhbz#1981789 [man page] contradiction in ipa-server-upgrade command's man page and usage
* Fri Jul 9 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.9.6-2
- Resolves: rhbz#1955440 ipa installation fails to configure chrony
- Resolves: rhbz#1976761 Package python3-ipatests (from CRB repo) Requires python3-coverage