import ipa-4.10.0-7.el9_1
This commit is contained in:
CentOS Sources
Stepan Oksanichenko
parent
aab701cce8
commit
5a872dd20c
62
SOURCES/0015-fix-canonicalization-issue-in-Web-UI.patch
Normal file
62
SOURCES/0015-fix-canonicalization-issue-in-Web-UI.patch
Normal file
@ -0,0 +1,62 @@
|
|||||||
|
From a0928fe164712303a7c24ee61500ac7326bd9e4a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Date: Tue, 23 Aug 2022 16:58:07 +0300
|
||||||
|
Subject: [PATCH] fix canonicalization issue in Web UI
|
||||||
|
|
||||||
|
When Kerberos principal alias is used to login to a Web UI, we end up
|
||||||
|
with a request that is authenticated by a ticket issued in the alias
|
||||||
|
name but metadata processed for the canonical user name. This confuses
|
||||||
|
RPC layer of Web UI code and causes infinite loop to reload the page.
|
||||||
|
|
||||||
|
Fix it by doing two things:
|
||||||
|
|
||||||
|
- force use of canonicalization of an enterprise principal on server
|
||||||
|
side, not just specifying that the principal is an enterprise one;
|
||||||
|
|
||||||
|
- recognize that a principal in the whoami()-returned object can have
|
||||||
|
aliases and the principal returned by the server in the JSON response
|
||||||
|
may be one of those aliases.
|
||||||
|
|
||||||
|
Fixes: https://pagure.io/freeipa/issue/9226
|
||||||
|
|
||||||
|
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||||
|
Reviewed-By: Armando Neto <abiagion@redhat.com>
|
||||||
|
---
|
||||||
|
install/ui/src/freeipa/ipa.js | 8 +++++++-
|
||||||
|
ipaserver/rpcserver.py | 1 +
|
||||||
|
2 files changed, 8 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
|
||||||
|
index 758db1b00..a08d632e9 100644
|
||||||
|
--- a/install/ui/src/freeipa/ipa.js
|
||||||
|
+++ b/install/ui/src/freeipa/ipa.js
|
||||||
|
@@ -271,7 +271,13 @@ var IPA = function () {
|
||||||
|
var cn = that.whoami.data.krbcanonicalname;
|
||||||
|
if (cn) that.principal = cn[0];
|
||||||
|
if (!that.principal) {
|
||||||
|
- that.principal = that.whoami.data.krbprincipalname[0];
|
||||||
|
+ var principal = data.principal;
|
||||||
|
+ var idx = that.whoami.data.krbprincipalname.indexOf(principal);
|
||||||
|
+ if (idx > -1) {
|
||||||
|
+ that.principal = principal;
|
||||||
|
+ } else {
|
||||||
|
+ that.principal = that.whoami.data.krbprincipalname[0];
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
} else if (entity === 'idoverrideuser') {
|
||||||
|
that.principal = that.whoami.data.ipaoriginaluid[0];
|
||||||
|
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
|
||||||
|
index 1f85e9898..4e8a08b66 100644
|
||||||
|
--- a/ipaserver/rpcserver.py
|
||||||
|
+++ b/ipaserver/rpcserver.py
|
||||||
|
@@ -1109,6 +1109,7 @@ class login_password(Backend, KerberosSession):
|
||||||
|
ccache_name,
|
||||||
|
armor_ccache_name=armor_path,
|
||||||
|
enterprise=True,
|
||||||
|
+ canonicalize=True,
|
||||||
|
lifetime=self.api.env.kinit_lifetime)
|
||||||
|
|
||||||
|
if armor_path:
|
||||||
|
--
|
||||||
|
2.37.3
|
||||||
|
|
||||||
@ -198,7 +198,7 @@
|
|||||||
|
|
||||||
Name: %{package_name}
|
Name: %{package_name}
|
||||||
Version: %{IPA_VERSION}
|
Version: %{IPA_VERSION}
|
||||||
Release: 6%{?rc_version:.%rc_version}%{?dist}
|
Release: 7%{?rc_version:.%rc_version}%{?dist}
|
||||||
Summary: The Identity, Policy and Audit system
|
Summary: The Identity, Policy and Audit system
|
||||||
|
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -232,6 +232,7 @@ Patch0011: 0011-ipatests-Fix-expected-object-classes.patch
|
|||||||
Patch0012: 0012-doc-Update-LDAP-grace-period-design-with-default-val.patch
|
Patch0012: 0012-doc-Update-LDAP-grace-period-design-with-default-val.patch
|
||||||
Patch0013: 0013-Set-default-gracelimit-on-group-password-policies-to.patch
|
Patch0013: 0013-Set-default-gracelimit-on-group-password-policies-to.patch
|
||||||
Patch0014: 0014-Set-default-on-group-pwpolicy-with-no-grace-limit-in.patch
|
Patch0014: 0014-Set-default-on-group-pwpolicy-with-no-grace-limit-in.patch
|
||||||
|
Patch0015: 0015-fix-canonicalization-issue-in-Web-UI.patch
|
||||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||||
%endif
|
%endif
|
||||||
%endif
|
%endif
|
||||||
@ -1740,6 +1741,10 @@ fi
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Oct 25 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.10.0-7
|
||||||
|
- Resolves: rhbz#2124547 Attempt to log in as "root" user with admin's password in Web UI does not properly fail
|
||||||
|
- Resolves: rhbz#2137555 Attempt to log in as "root" user with admin's password in Web UI does not properly fail [rhel-9.1.0.z]
|
||||||
|
|
||||||
* Fri Aug 19 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.0-6
|
* Fri Aug 19 2022 Florence Blanc-Renaud <flo@redhat.com> - 4.10.0-6
|
||||||
- Resolves: rhbz#2110014 ldap bind occurs when admin user changes password with gracelimit=0
|
- Resolves: rhbz#2110014 ldap bind occurs when admin user changes password with gracelimit=0
|
||||||
- Resolves: rhbz#2112901 RFE: Allow grace login limit to be set in IPA WebUI
|
- Resolves: rhbz#2112901 RFE: Allow grace login limit to be set in IPA WebUI
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user