import ipa-4.10.0-7.el9_1

CentOS Sources 2022-11-15 10:36:47 -05:00 committed by Stepan Oksanichenko
parent aab701cce8
commit 5a872dd20c
2 changed files with 68 additions and 1 deletions


@ -0,0 +1,62 @@
From a0928fe164712303a7c24ee61500ac7326bd9e4a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 23 Aug 2022 16:58:07 +0300
Subject: [PATCH] fix canonicalization issue in Web UI
When Kerberos principal alias is used to login to a Web UI, we end up
with a request that is authenticated by a ticket issued in the alias
name but metadata processed for the canonical user name. This confuses
RPC layer of Web UI code and causes infinite loop to reload the page.
Fix it by doing two things:
- force use of canonicalization of an enterprise principal on server
side, not just specifying that the principal is an enterprise one;
- recognize that a principal in the whoami()-returned object can have
aliases and the principal returned by the server in the JSON response
may be one of those aliases.
Fixes: https://pagure.io/freeipa/issue/9226
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
---
install/ui/src/freeipa/ipa.js | 8 +++++++-
ipaserver/rpcserver.py | 1 +
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 758db1b00..a08d632e9 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -271,7 +271,13 @@ var IPA = function () {
var cn = that.whoami.data.krbcanonicalname;
if (cn) that.principal = cn[0];
if (!that.principal) {
- that.principal = that.whoami.data.krbprincipalname[0];
+ var principal = data.principal;
+ var idx = that.whoami.data.krbprincipalname.indexOf(principal);
+ if (idx > -1) {
+ that.principal = principal;
+ } else {
+ that.principal = that.whoami.data.krbprincipalname[0];
+ }
}
} else if (entity === 'idoverrideuser') {
that.principal = that.whoami.data.ipaoriginaluid[0];
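Review bot: the alias match at `var idx = that.whoami.data.krbprincipalname.indexOf(principal);` is an exact string comparison, so a server-returned principal that differs from the stored alias only in form would not be found and the code silently falls back to `krbprincipalname[0]`, which is the same name mismatch the commit message says drives the reload loop. The `data` variable that `data.principal` reads from is not visible in this hunk either, and an undefined `principal` takes the fallback path only implicitly (because `indexOf(undefined)` returns -1). Consider normalising both sides before comparing, handling a missing `data.principal` explicitly, and adding a Web UI test that logs in with an alias so the regression stays covered.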
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 1f85e9898..4e8a08b66 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -1109,6 +1109,7 @@ class login_password(Backend, KerberosSession):
ccache_name,
armor_ccache_name=armor_path,
enterprise=True,
+ canonicalize=True,
lifetime=self.api.env.kinit_lifetime)
if armor_path:
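Review bot: `canonicalize=True` is added next to the existing `enterprise=True` without an explanatory comment, and a later reader may assume the enterprise flag already implies canonicalization. Put the commit message's reasoning inline here: `enterprise=True` only marks the principal type, while `canonicalize=True` asks the KDC to return the canonical name. Also confirm that the code following this call (the `armor_path` handling and anything that derives the session principal) reads the client principal from the ccache rather than from the name the user typed, since the two now differ when an alias is used.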
--
2.37.3


@ -198,7 +198,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 6%{?rc_version:.%rc_version}%{?dist}
Release: 7%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -232,6 +232,7 @@ Patch0011: 0011-ipatests-Fix-expected-object-classes.patch
Patch0012: 0012-doc-Update-LDAP-grace-period-design-with-default-val.patch
Patch0013: 0013-Set-default-gracelimit-on-group-password-policies-to.patch
Patch0014: 0014-Set-default-on-group-pwpolicy-with-no-grace-limit-in.patch
Patch0015: 0015-fix-canonicalization-issue-in-Web-UI.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
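Review bot: `Patch0015` is declared here inside a conditional block, but the hunk does not show how patches are applied; if the spec uses explicit `%patch` lines rather than `%autosetup`, a matching application line for 0015 is needed, and it should sit in the same conditional so the build stays consistent.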
@ -1740,6 +1741,10 @@ fi
%endif
%changelog
* Tue Oct 25 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.10.0-7
- Resolves: rhbz#2124547 Attempt to log in as "root" user with admin's password in Web UI does not properly fail
- Resolves: rhbz#2137555 Attempt to log in as "root" user with admin's password in Web UI does not properly fail [rhel-9.1.0.z]
* Fri Aug 19 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.0-6
- Resolves: rhbz#2110014 ldap bind occurs when admin user changes password with gracelimit=0
- Resolves: rhbz#2112901 RFE: Allow grace login limit to be set in IPA WebUI
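Review bot: both new changelog lines for 4.10.0-7 cite rhbz#2124547 and rhbz#2137555 under the "root user with admin's password" title, while the bundled change is `0015-fix-canonicalization-issue-in-Web-UI.patch` for https://pagure.io/freeipa/issue/9226; add a line naming that upstream patch (or the pagure issue) so the link between the Bugzilla entries and the backported fix is visible from the changelog alone.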