import ipa-4.10.0-7.el9_1
parent
aab701cce8
commit
5a872dd20c
62
SOURCES/0015-fix-canonicalization-issue-in-Web-UI.patch
Normal file
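--- a/SOURCES/0015-fix-canonicalization-issue-in-Web-UI.patch
+++ b/SOURCES/0015-fix-canonicalization-issue-in-Web-UI.patch
@@ -0,0 +1,62 @@
+From a0928fe164712303a7c24ee61500ac7326bd9e4a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 23 Aug 2022 16:58:07 +0300
+Subject: [PATCH] fix canonicalization issue in Web UI
+
+When Kerberos principal alias is used to login to a Web UI, we end up
+with a request that is authenticated by a ticket issued in the alias
+name but metadata processed for the canonical user name. This confuses
+RPC layer of Web UI code and causes infinite loop to reload the page.
+
+Fix it by doing two things:
+
+- force use of canonicalization of an enterprise principal on server
+side, not just specifying that the principal is an enterprise one;
+
+- recognize that a principal in the whoami()-returned object can have
+aliases and the principal returned by the server in the JSON response
+may be one of those aliases.
+
+Fixes: https://pagure.io/freeipa/issue/9226
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Armando Neto <abiagion@redhat.com>
+---
+install/ui/src/freeipa/ipa.js | 8 +++++++-
+ipaserver/rpcserver.py | 1 +
+2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
+index 758db1b00..a08d632e9 100644
+--- a/install/ui/src/freeipa/ipa.js
++++ b/install/ui/src/freeipa/ipa.js
+@@ -271,7 +271,13 @@ var IPA = function () {
+var cn = that.whoami.data.krbcanonicalname;
+if (cn) that.principal = cn[0];
+if (!that.principal) {
+- that.principal = that.whoami.data.krbprincipalname[0];
++ var principal = data.principal;
++ var idx = that.whoami.data.krbprincipalname.indexOf(principal);
++ if (idx > -1) {
++ that.principal = principal;
++ } else {
++ that.principal = that.whoami.data.krbprincipalname[0];
++ }
+}
+} else if (entity === 'idoverrideuser') {
+that.principal = that.whoami.data.ipaoriginaluid[0];
+diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
+index 1f85e9898..4e8a08b66 100644
+--- a/ipaserver/rpcserver.py
++++ b/ipaserver/rpcserver.py
+@@ -1109,6 +1109,7 @@ class login_password(Backend, KerberosSession):
+ccache_name,
+armor_ccache_name=armor_path,
+enterprise=True,
++ canonicalize=True,
+lifetime=self.api.env.kinit_lifetime)
+
+if armor_path:
+--
+2.37.3
+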
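Review bot: In the ipa.js hunk of the embedded patch, `that.whoami.data.krbprincipalname.indexOf(principal)` is an exact, case-sensitive string match. A server-returned `data.principal` that differs from a stored alias only in spelling or case therefore falls back silently to `krbprincipalname[0]`, which presumably recreates the alias/canonical mismatch the commit message describes. The new branch has no comment saying why the server value is accepted only when whoami() already lists it; I would add `// accept data.principal only if whoami() lists it as an alias; otherwise fall back to the first principal name` above the lookup. The patch's diffstat lists only ipa.js and rpcserver.py, so no regression test comes with it for alias logins or for the failing-login case named in the changelog. The enclosing function in ipa.js and the call that receives `canonicalize=True` in rpcserver.py both start outside the hunks, so where `data` comes from and how that call uses the flag cannot be confirmed from here.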
@ -198,7 +198,7 @@
|
||||
|
||||
Name: %{package_name}
|
||||
Version: %{IPA_VERSION}
|
||||
Release: 6%{?rc_version:.%rc_version}%{?dist}
|
||||
Release: 7%{?rc_version:.%rc_version}%{?dist}
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
License: GPLv3+
|
||||
@ -232,6 +232,7 @@ Patch0011: 0011-ipatests-Fix-expected-object-classes.patch
|
||||
Patch0012: 0012-doc-Update-LDAP-grace-period-design-with-default-val.patch
|
||||
Patch0013: 0013-Set-default-gracelimit-on-group-password-policies-to.patch
|
||||
Patch0014: 0014-Set-default-on-group-pwpolicy-with-no-grace-limit-in.patch
|
||||
Patch0015: 0015-fix-canonicalization-issue-in-Web-UI.patch
|
||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||
%endif
|
||||
%endif
|
||||
@ -1740,6 +1741,10 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Oct 25 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.10.0-7
|
||||
- Resolves: rhbz#2124547 Attempt to log in as "root" user with admin's password in Web UI does not properly fail
|
||||
- Resolves: rhbz#2137555 Attempt to log in as "root" user with admin's password in Web UI does not properly fail [rhel-9.1.0.z]
|
||||
|
||||
* Fri Aug 19 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.0-6
|
||||
- Resolves: rhbz#2110014 ldap bind occurs when admin user changes password with gracelimit=0
|
||||
- Resolves: rhbz#2112901 RFE: Allow grace login limit to be set in IPA WebUI
|
||||
|