ipa-4.12.2-17
- Resolves: RHEL-88043 Server installation: dot-forwarder not added as a forwarder - Resolves: RHEL-86481 Include latest fixes in python3-ipatests package - Resolves: RHEL-85788 ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op() - Resolves: RHEL-88899 [RFE] Add check on CA cert expiry for ipa-cert-fix
parent
518fbd80d0
commit
5bae5ab37a
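--- /dev/null
+++ b/0084-dns-don-t-populate-forwarders-with-DoT-forwarders.patch
@@ -0,0 +1,49 @@
+From e1d517032afa2a8258c1ff8bd6bfdd4175b42327 Mon Sep 17 00:00:00 2001
+From: Antonio Torres <antorres@redhat.com>
+Date: Mon, 17 Feb 2025 10:21:53 +0100
+Subject: [PATCH] dns: don't populate forwarders with DoT forwarders
+
+DNS over TLS setup overrides global forwarder to point to Unbound, so no
+need to setup regular forwarders.
+
+Resolves: https://pagure.io/freeipa/issue/9748
+Signed-off-by: Antonio Torres <antorres@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ipaserver/install/dns.py | 12 ++----------
+1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
+index 88aff19bcec11f778af5644167c32c45cbcab594..470e1915971f66d84e4e4f279caaf81bd3a85cd3 100644
+--- a/ipaserver/install/dns.py
++++ b/ipaserver/install/dns.py
+@@ -360,14 +360,9 @@ def install_check(standalone, api, replica, options, hostname):
+
+if options.no_forwarders:
+options.forwarders = []
+- elif (options.forwarders
+- or options.dot_forwarders or options.auto_forwarders):
++ elif options.forwarders or options.auto_forwarders:
+if not options.forwarders:
+- if options.dot_forwarders:
+- options.forwarders = [fw.split("#")[0]
+- for fw in options.dot_forwarders]
+- else:
+- options.forwarders = []
++ options.forwarders = []
+if options.auto_forwarders:
+options.forwarders.extend(dnsforwarders.get_nameservers())
+elif standalone or not replica:
+@@ -436,9 +431,6 @@ def install(standalone, replica, options, api=api):
+"and IPA CA is not present."
+)
+
+- if not options.forwarders and options.dot_forwarders:
+- options.forwaders = [fw.split("#")[0] for fw in options.dot_forwarders]
+-
+bind = bindinstance.BindInstance(fstore, api=api)
+bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
+options.forwarders, options.forward_policy,
+--
+2.49.0
+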
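Review bot: With `--dot-forwarders` given but neither `--forwarders` nor `--auto-forwarders`, the new `elif options.forwarders or options.auto_forwarders:` no longer matches, so control now falls through to the `elif standalone or not replica:` branch whose body is outside the hunk; if that branch prompts for or defaults to plain-UDP forwarders, the installer would quietly configure clear-text forwarders next to the DoT setup, which is exactly what this change is meant to avoid. Please confirm that branch is a no-op when `options.dot_forwarders` is set, or guard it explicitly, e.g. `elif not options.dot_forwarders and (standalone or not replica):`. The removed `options.forwaders = [...]` in `install()` assigned a misspelled attribute and so never had any effect, which means dropping it changes no behaviour; a comment at the first `elif`, `# DoT forwarders are served by Unbound, never added to bind's forwarders list`, would spare the next reader the same question. Both `install_check()` and `install()` start and end outside the hunk.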
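--- /dev/null
+++ b/0085-Correct-dnsrecord_-tests-for-raw-structured.patch
@@ -0,0 +1,90 @@
+From d3e9e35ef73729956c649f2ee0d0ff3963f99e4e Mon Sep 17 00:00:00 2001
+From: David Hanina <dhanina@redhat.com>
+Date: Fri, 28 Mar 2025 10:33:15 +0100
+Subject: [PATCH] Correct dnsrecord_* tests for --raw --structured
+
+Fixes typo in the tests, --raw --structured is only checked if rest of
+the command is correct as well, therefore test changes were required.
+
+Fixes: https://pagure.io/freeipa/issue/9768
+Signed-off-by: David Hanina <dhanina@redhat.com>
+Reviewed-By: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ipatests/test_xmlrpc/test_dns_plugin.py | 32 ++++++++++++++-----------
+1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
+index 803b0a9571c2888dd02c4595c68403f37be7fed7..864d5287f8317a5154aec4c792f56deab7ff0120 100644
+--- a/ipatests/test_xmlrpc/test_dns_plugin.py
++++ b/ipatests/test_xmlrpc/test_dns_plugin.py
+@@ -3416,20 +3416,11 @@ class test_dns(Declarative):
+},
+),
+
+- dict(
+- desc='Delete zone %r' % zone1,
+- command=('dnszone_del', [zone1], {}),
+- expected={
+- 'value': [zone1_absolute_dnsname],
+- 'summary': u'Deleted DNS zone "%s"' % zone1_absolute,
+- 'result': {'failed': []},
+- },
+- ),
+-
+dict(
+desc="Ensure --raw and --structure does not work "
+"for ipa dnsrecord-add",
+- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
++ command=('dnsrecord_add', [zone1, name1],
++ {'arecord': arec2, u'raw': True, u'structured': True}),
+expected=errors.MutuallyExclusiveError(
+reason=u"cannot use structured together with raw"
+),
+@@ -3438,7 +3429,8 @@ class test_dns(Declarative):
+dict(
+desc="Ensure --raw and --structure does not work "
+"for ipa dnsrecord-mod",
+- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
++ command=('dnsrecord_mod', [zone1, name1],
++ {'arecord': arec1, u'raw': True, u'structured': True}),
+expected=errors.MutuallyExclusiveError(
+reason=u"cannot use structured together with raw"
+),
+@@ -3447,7 +3439,8 @@ class test_dns(Declarative):
+dict(
+desc="Ensure --raw and --structure does not work "
+"for ipa dnsrecord-show",
+- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
++ command=('dnsrecord_show', [zone1, name1],
++ {u'raw': True, u'structured': True}),
+expected=errors.MutuallyExclusiveError(
+reason=u"cannot use structured together with raw"
+),
+@@ -3456,11 +3449,22 @@ class test_dns(Declarative):
+dict(
+desc="Ensure --raw and --structure does not work "
+"for ipa dnsrecord-find",
+- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
++ command=('dnsrecord_find', [zone1],
++ {u'raw': True, u'structured': True}),
+expected=errors.MutuallyExclusiveError(
+reason=u"cannot use structured together with raw"
+),
+),
++
++ dict(
++ desc='Delete zone %r' % zone1,
++ command=('dnszone_del', [zone1], {}),
++ expected={
++ 'value': [zone1_absolute_dnsname],
++ 'summary': u'Deleted DNS zone "%s"' % zone1_absolute,
++ 'result': {'failed': []},
++ },
++ ),
+]
+
+
+--
+2.49.0
+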
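Review bot: The corrected `dnsrecord_add` and `dnsrecord_mod` cases now pass a real record (`'arecord': arec2` / `'arecord': arec1`) together with `raw` and `structured`; the expected `MutuallyExclusiveError` should fire before anything is written, but no step asserts that `name1` was left untouched, and the `dnszone_del` moved to the end would hide a stray record if the option check ever ran after the write. A `dnsrecord_show` for `[zone1, name1]` expecting the unchanged record set, placed just before the zone deletion, would pin that. The `test_dns` class starts outside the hunk.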
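--- /dev/null
+++ b/0086-ipatests-Fix-for-ipa-healthcheck-test-in-FIPS-Mode.patch
@@ -0,0 +1,36 @@
+From d77c4597a841729cb7c890bb57cc548a70c8724b Mon Sep 17 00:00:00 2001
+From: Sudhir Menon <sumenon@redhat.com>
+Date: Tue, 1 Apr 2025 12:31:18 +0530
+Subject: [PATCH] ipatests: Fix for ipa-healthcheck test in FIPS Mode
+
+Fix https://github.com/freeipa/freeipa-healthcheck/pull/349
+was added for RHEL10 only causing the tests to
+fail in RHEL10.1.
+Hence the if condition has been changed in the testcode.
+
+Signed-off-by: Sudhir Menon <sumenon@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ipatests/test_integration/test_ipahealthcheck.py | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
+index d72808f0f9b6dc7e438a16f9bd7e676f473fd323..8d1b9fce32f8e2e6ac78f9b26f9daf19445c3c8b 100644
+--- a/ipatests/test_integration/test_ipahealthcheck.py
++++ b/ipatests/test_integration/test_ipahealthcheck.py
+@@ -374,10 +374,10 @@ class TestIpaHealthCheck(IntegrationTest):
+if (
+parse_version(healthcheck_version) < parse_version("0.17")
+and osinfo.id == 'rhel'
+- and osinfo.version_number == (10,0)
++ and osinfo.version_number >= (10,0)
+):
+# Patch: https://github.com/freeipa/freeipa-healthcheck/pull/349
+- pytest.xfail("Patch is unavailable for RHEL 10.0 and "
++ pytest.xfail("Patch is unavailable for RHEL 10.0 and above"
+"freeipa-healtheck version 0.16 or less")
+
+returncode, check = run_healthcheck(self.master,
+--
+2.49.0
+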
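Review bot: The reworded `pytest.xfail` literal on the added line drops the trailing space the removed line had, so implicit string concatenation now produces `...RHEL 10.0 and abovefreeipa-healtheck version 0.16 or less`; it should read `pytest.xfail("Patch is unavailable for RHEL 10.0 and above "`. The following literal also misspells the project, `"freeipa-healthcheck version 0.16 or less")` fixes both issues in one place. Widening `== (10,0)` to `>= (10,0)` is only safe because the `parse_version(healthcheck_version) < parse_version("0.17")` clause bounds the xfail; a comment such as `# healthcheck < 0.17 lacks PR 349 on every RHEL 10.x, not just 10.0` would make that dependency explicit. The enclosing test method starts and ends outside the hunk.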
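--- /dev/null
+++ b/0087-ipa-sidgen-fix-memory-leak-in-ipa_sidgen_add_post_op.patch
@@ -0,0 +1,42 @@
+From 1aac0a5f7e0702e23e0ba6dad726734b5d75710d Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Mon, 31 Mar 2025 11:50:41 +0200
+Subject: [PATCH] ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op
+
+Also remove unused "search_pb" variable and its associated free
+functions.
+
+Fixes: https://pagure.io/freeipa/issue/9772
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c | 4 +---
+1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
+index 99e6b850b04145cefcb7830df5fe4b36adec45de..35ecef228d7fac1e7009dbf97983089755aa6768 100644
+--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
+@@ -81,7 +81,6 @@ static int ipa_sidgen_add_post_op(Slapi_PBlock *pb)
+const char *dn_str;
+Slapi_DN *dn = NULL;
+struct ipa_sidgen_ctx *ctx;
+- Slapi_PBlock *search_pb = NULL;
+char *errmsg = NULL;
+
+ret = slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_repl_op);
+@@ -152,9 +151,8 @@ static int ipa_sidgen_add_post_op(Slapi_PBlock *pb)
+
+ret = 0;
+done:
+- slapi_free_search_results_internal(search_pb);
+- slapi_pblock_destroy(search_pb);
+slapi_sdn_free(&dn);
++ slapi_entry_free(entry);
+
+if (ret != 0) {
+if (errmsg == NULL) {
+--
+2.49.0
+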
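Review bot: The new `slapi_entry_free(entry);` at `done:` is correct only if `entry` is owned by this function and is NULL on every early-error path that jumps to `done:` before it is assigned; both its declaration and the call that obtains it are outside the hunk, unlike `dn`, which the visible lines do initialise to NULL. If `entry` is the copy returned by `slapi_search_internal_get_entry()` (the removed `search_pb` plumbing points that way) this closes the leak, but if it is fetched from the pblock (e.g. `SLAPI_ENTRY_POST_OP`) the operation owns it and this becomes a double free on every add. Please confirm `Slapi_Entry *entry = NULL;` at the declaration and make ownership explicit at the cleanup site, e.g. `/* entry is our own copy from slapi_search_internal_get_entry(); the pblock's entry is not ours to free */`. `ipa_sidgen_add_post_op()` starts and ends outside the hunk.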
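--- /dev/null
+++ b/0088-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating.patch
@@ -0,0 +1,46 @@
+From 3f7d84677775bd9e237b28b08fe961a157b8b14e Mon Sep 17 00:00:00 2001
+From: Aleksandr Sharov <asharov@redhat.com>
+Date: Sat, 8 Mar 2025 14:55:09 +0100
+Subject: [PATCH] Add a check into ipa-cert-fix tool to avoid updating certs if
+CA is close to being expired.
+
+Fixes: https://pagure.io/freeipa/issue/9760
+Signed-off-by: Aleksandr Sharov <asharov@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ipaserver/install/ipa_cert_fix.py | 11 +++++++++++
+1 file changed, 11 insertions(+)
+
+diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
+index 8e02d1e75cc4cb936b77a6c9f3f9df2b8605a58b..960d7b9e08614ff6ee23c948a0a5fa08b109627e 100644
+--- a/ipaserver/install/ipa_cert_fix.py
++++ b/ipaserver/install/ipa_cert_fix.py
+@@ -69,6 +69,7 @@ logger = logging.getLogger(__name__)
+
+
+cert_nicknames = {
++ 'ca_issuing': 'caSigningCert cert-pki-ca',
+'sslserver': 'Server-Cert cert-pki-ca',
+'subsystem': 'subsystemCert cert-pki-ca',
+'ca_ocsp_signing': 'ocspSigningCert cert-pki-ca',
+@@ -137,6 +138,16 @@ class IPACertFix(AdminTool):
+print("Nothing to do.")
+return 0
+
++ if any(key == 'ca_issuing' for key, _ in certs):
++ logger.debug("CA signing cert is expired, exiting!")
++ print(
++ "The CA signing certificate is expired or will expire within "
++ "the next two weeks.\n\nipa-cert-fix cannot proceed, please "
++ "refer to the ipa-cacert-manage tool to renew the CA "
++ "certificate before proceeding."
++ )
++ return 1
++
+print(msg)
+
+print_intentions(certs, extra_certs, non_renewed)
+--
+2.49.0
+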
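Review bot: The `logger.debug("CA signing cert is expired, exiting!")` on the new lines misstates the condition the `print()` below describes (the cert may merely expire within the window) and, at debug level, only reaches stderr or the journal when the tool runs with `-v`, although it is the reason the tool refuses to run; `logger.error("CA signing cert is expired or about to expire, exiting!")` is the better level and wording, with the integration test that greps for this string updated to match. The `two weeks` in the user-facing text is hard-coded while the expiry window that fills `certs` is computed outside the hunk, so the two can drift; derive the text from that constant or add `# keep in sync with the renewal window used to select certs` beside it. Adding `'ca_issuing'` to `cert_nicknames` and bailing out before `print_intentions()` is the right shape, since Dogtag certificates re-issued under a CA that is itself about to expire would only be valid for as long as the CA is; a one-line comment above the `if any(...)`, `# a CA about to expire cannot issue useful replacements; ipa-cacert-manage renew comes first`, would record that rationale at the check. The enclosing `IPACertFix` method starts and ends outside the hunk.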
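--- /dev/null
+++ b/0089-Test-fix-for-the-update.patch
@@ -0,0 +1,41 @@
+From cdc03d7b6233f736c51c10aa07225aac9715e4c0 Mon Sep 17 00:00:00 2001
+From: Aleksandr Sharov <asharov@redhat.com>
+Date: Sat, 8 Mar 2025 15:04:57 +0100
+Subject: [PATCH] Test fix for the update
+
+Fixes: https://pagure.io/freeipa/issue/9760
+Signed-off-by: Aleksandr Sharov <asharov@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ipatests/test_integration/test_ipa_cert_fix.py | 9 +++++++--
+1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
+index 15d8a81575dc7f2077c34b8907fbeb3e2f6eb66f..d11fd3d611e7e5755569e8fc70de6f261473e3f3 100644
+--- a/ipatests/test_integration/test_ipa_cert_fix.py
++++ b/ipatests/test_integration/test_ipa_cert_fix.py
+@@ -301,13 +301,18 @@ class TestIpaCertFix(IntegrationTest):
+valid. If CA cert expired, ipa-cert-fix won't work.
+
+related: https://pagure.io/freeipa/issue/8721
++
++ If CA cert is close to expiry, there's no reason to issue new certs
++ with short validity period. So, ipa-cert-fix should fail in this case.
++
++ related: https://pagure.io/freeipa/issue/9760
+"""
+result = self.master.run_command(['ipa-cert-fix', '-v'],
+stdin_text='yes\n',
+raiseonerr=False)
+# check that pki-server cert-fix command fails
+- err_msg = ("ERROR: CalledProcessError(Command "
+- "['pki-server', 'cert-fix'")
++ err_msg = ("CA signing cert is expired, exiting!")
++ assert result.returncode == 1
+assert err_msg in result.stderr_text
+
+
+--
+2.49.0
+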
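Review bot: The comment `# check that pki-server cert-fix command fails` directly above the new assertions now describes the expectation that was removed; the new lines check that ipa-cert-fix itself refuses to run, so it should read `# ipa-cert-fix must refuse to run (rc 1) before reaching pki-server when the CA cert is expired or about to expire`. The new `err_msg` is a `logger.debug` string, so the assertion only holds because `-v` is on the `ipa-cert-fix` command line and the message is emitted to stderr at that level; asserting on the user-facing text instead, e.g. `assert "ipa-cert-fix cannot proceed" in result.stdout_text`, would survive a change of log level or wording in the tool. The enclosing test method starts outside the hunk.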
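--- a/freeipa.spec
+++ b/freeipa.spec
@@ -207,7 +207,7 @@
 
 Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 16%{?rc_version:.%rc_version}%{?dist}
+Release: 17%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 
 License: GPL-3.0-or-later
@@ -321,6 +321,12 @@ Patch0080: 0080-idrange-use-minvalue-0-for-baserid-and-secondarybase.patch
 Patch0081: 0081-ipatests-Tests-to-check-data-in-journal-log.patch
 Patch0082: 0082-Disallow-removal-of-dogtag-and-ipa-dnskeysyncd-servi.patch
 Patch0083: 0083-Don-t-require-certificates-to-have-unique-ipaCertSub.patch
+Patch0084: 0084-dns-don-t-populate-forwarders-with-DoT-forwarders.patch
+Patch0085: 0085-Correct-dnsrecord_-tests-for-raw-structured.patch
+Patch0086: 0086-ipatests-Fix-for-ipa-healthcheck-test-in-FIPS-Mode.patch
+Patch0087: 0087-ipa-sidgen-fix-memory-leak-in-ipa_sidgen_add_post_op.patch
+Patch0088: 0088-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating.patch
+Patch0089: 0089-Test-fix-for-the-update.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1972,6 +1978,12 @@ fi
 %endif
 
 %changelog
+* Tue Apr 29 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-17
+- Resolves: RHEL-88043 Server installation: dot-forwarder not added as a forwarder
+- Resolves: RHEL-86481 Include latest fixes in python3-ipatests package
+- Resolves: RHEL-85788 ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op()
+- Resolves: RHEL-88899 [RFE] Add check on CA cert expiry for ipa-cert-fix
+
 * Mon Mar 24 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-16
 - Resolves: RHEL-84648 ipa-cacert-manage install fails with CAs having the same subject DN (subject key mismatch info)
 - Resolves: RHEL-84279 IPU 9 -> 10: ipa-server breaks the in-place upgrade due to failed scriptlet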