ipa-4.12.2-16

- Resolves: RHEL-88900 [RFE] Add check on CA cert expiry for ipa-cert-fix
- Resolves: RHEL-88037 Server installation: dot-forwarder not added as a forwarder
- Resolves: RHEL-86483 Include latest fixes in python3-ipatests package
- Resolves: RHEL-41178 ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op()
Florence Blanc-Renaud 2025-04-29 18:33:55 +02:00
parent 9744eaabe1
commit 5d25373c66
6 changed files with 280 additions and 1 deletions

@ -0,0 +1,49 @@
From e1d517032afa2a8258c1ff8bd6bfdd4175b42327 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 17 Feb 2025 10:21:53 +0100
Subject: [PATCH] dns: don't populate forwarders with DoT forwarders
DNS over TLS setup overrides global forwarder to point to Unbound, so no
need to setup regular forwarders.
Resolves: https://pagure.io/freeipa/issue/9748
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/dns.py | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 88aff19bcec11f778af5644167c32c45cbcab594..470e1915971f66d84e4e4f279caaf81bd3a85cd3 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -360,14 +360,9 @@ def install_check(standalone, api, replica, options, hostname):
if options.no_forwarders:
options.forwarders = []
- elif (options.forwarders
- or options.dot_forwarders or options.auto_forwarders):
+ elif options.forwarders or options.auto_forwarders:
if not options.forwarders:
- if options.dot_forwarders:
- options.forwarders = [fw.split("#")[0]
- for fw in options.dot_forwarders]
- else:
- options.forwarders = []
+ options.forwarders = []
if options.auto_forwarders:
options.forwarders.extend(dnsforwarders.get_nameservers())
elif standalone or not replica:
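Review bot: with `options.dot_forwarders` dropped from the `elif`, an installation that specifies only DoT forwarders no longer enters this branch and falls through to `elif standalone or not replica:` instead; confirm that path does not prompt for or require plain forwarders when DoT is configured, since the commit message says the global forwarder now points at Unbound. The removed lines also copied every DoT forwarder address, stripped at `#`, into the plaintext forwarders list, so dropping them closes a path where the DoT upstream would have been handed to BIND as an ordinary plain-DNS forwarder.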
@@ -436,9 +431,6 @@ def install(standalone, replica, options, api=api):
"and IPA CA is not present."
)
- if not options.forwarders and options.dot_forwarders:
- options.forwaders = [fw.split("#")[0] for fw in options.dot_forwarders]
-
bind = bindinstance.BindInstance(fstore, api=api)
bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
options.forwarders, options.forward_policy,
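Review bot: the removed assignment targeted `options.forwaders` (misspelled), so it never actually set `options.forwarders` and the block was dead code; removing it is correct and keeps `install()` consistent with the `install_check()` hunk above, so `bind.setup()` only receives forwarders that were explicitly configured or auto-detected.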
--
2.49.0

@ -0,0 +1,46 @@
From 3f7d84677775bd9e237b28b08fe961a157b8b14e Mon Sep 17 00:00:00 2001
From: Aleksandr Sharov <asharov@redhat.com>
Date: Sat, 8 Mar 2025 14:55:09 +0100
Subject: [PATCH] Add a check into ipa-cert-fix tool to avoid updating certs if
CA is close to being expired.
Fixes: https://pagure.io/freeipa/issue/9760
Signed-off-by: Aleksandr Sharov <asharov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/ipa_cert_fix.py | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
index 8e02d1e75cc4cb936b77a6c9f3f9df2b8605a58b..960d7b9e08614ff6ee23c948a0a5fa08b109627e 100644
--- a/ipaserver/install/ipa_cert_fix.py
+++ b/ipaserver/install/ipa_cert_fix.py
@@ -69,6 +69,7 @@ logger = logging.getLogger(__name__)
cert_nicknames = {
+ 'ca_issuing': 'caSigningCert cert-pki-ca',
'sslserver': 'Server-Cert cert-pki-ca',
'subsystem': 'subsystemCert cert-pki-ca',
'ca_ocsp_signing': 'ocspSigningCert cert-pki-ca',
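Review bot: adding `'ca_issuing'` to `cert_nicknames` means the CA signing certificate is now collected together with the renewable certificates wherever this mapping is consulted; the early return added in the next hunk is the only thing that stops the tool from treating it as renewable, so any other consumer of `cert_nicknames` (for example the intentions printout) should be checked to make sure the CA certificate is never listed as one this tool will renew.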
@@ -137,6 +138,16 @@ class IPACertFix(AdminTool):
print("Nothing to do.")
return 0
+ if any(key == 'ca_issuing' for key, _ in certs):
+ logger.debug("CA signing cert is expired, exiting!")
+ print(
+ "The CA signing certificate is expired or will expire within "
+ "the next two weeks.\n\nipa-cert-fix cannot proceed, please "
+ "refer to the ipa-cacert-manage tool to renew the CA "
+ "certificate before proceeding."
+ )
+ return 1
+
print(msg)
print_intentions(certs, extra_certs, non_renewed)
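Review bot: the reason for exiting is logged only at debug level (`logger.debug("CA signing cert is expired, exiting!")`), while the user-facing `print()` says the certificate "is expired or will expire within the next two weeks", so the two messages disagree and an operator running without `-v` sees nothing in the log; log at warning or error level with the same wording as the printed message. Placing the check before `print(msg)` and `print_intentions(...)` and returning 1 is the right spot, since nothing has been renewed at that point.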
--
2.49.0

@ -0,0 +1,41 @@
From cdc03d7b6233f736c51c10aa07225aac9715e4c0 Mon Sep 17 00:00:00 2001
From: Aleksandr Sharov <asharov@redhat.com>
Date: Sat, 8 Mar 2025 15:04:57 +0100
Subject: [PATCH] Test fix for the update
Fixes: https://pagure.io/freeipa/issue/9760
Signed-off-by: Aleksandr Sharov <asharov@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_ipa_cert_fix.py | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index 15d8a81575dc7f2077c34b8907fbeb3e2f6eb66f..d11fd3d611e7e5755569e8fc70de6f261473e3f3 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -301,13 +301,18 @@ class TestIpaCertFix(IntegrationTest):
valid. If CA cert expired, ipa-cert-fix won't work.
related: https://pagure.io/freeipa/issue/8721
+
+ If CA cert is close to expiry, there's no reason to issue new certs
+ with short validity period. So, ipa-cert-fix should fail in this case.
+
+ related: https://pagure.io/freeipa/issue/9760
"""
result = self.master.run_command(['ipa-cert-fix', '-v'],
stdin_text='yes\n',
raiseonerr=False)
# check that pki-server cert-fix command fails
- err_msg = ("ERROR: CalledProcessError(Command "
- "['pki-server', 'cert-fix'")
+ err_msg = ("CA signing cert is expired, exiting!")
+ assert result.returncode == 1
assert err_msg in result.stderr_text
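Review bot: the assertion matches a debug-level log line, which only reaches `stderr_text` because the command is run with `-v`; also asserting on the user-facing text (`ipa-cert-fix cannot proceed`) would keep the test meaningful if the debug line is reworded or its level changed. The parentheses in `err_msg = ("CA signing cert is expired, exiting!")` are redundant now that the string is no longer split across lines, and the comment `# check that pki-server cert-fix command fails` is stale, since the test now verifies that ipa-cert-fix refuses to run before pki-server is ever invoked.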
--
2.49.0

@ -0,0 +1,90 @@
From d3e9e35ef73729956c649f2ee0d0ff3963f99e4e Mon Sep 17 00:00:00 2001
From: David Hanina <dhanina@redhat.com>
Date: Fri, 28 Mar 2025 10:33:15 +0100
Subject: [PATCH] Correct dnsrecord_* tests for --raw --structured
Fixes typo in the tests, --raw --structured is only checked if rest of
the command is correct as well, therefore test changes were required.
Fixes: https://pagure.io/freeipa/issue/9768
Signed-off-by: David Hanina <dhanina@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_xmlrpc/test_dns_plugin.py | 32 ++++++++++++++-----------
1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
index 803b0a9571c2888dd02c4595c68403f37be7fed7..864d5287f8317a5154aec4c792f56deab7ff0120 100644
--- a/ipatests/test_xmlrpc/test_dns_plugin.py
+++ b/ipatests/test_xmlrpc/test_dns_plugin.py
@@ -3416,20 +3416,11 @@ class test_dns(Declarative):
},
),
- dict(
- desc='Delete zone %r' % zone1,
- command=('dnszone_del', [zone1], {}),
- expected={
- 'value': [zone1_absolute_dnsname],
- 'summary': u'Deleted DNS zone "%s"' % zone1_absolute,
- 'result': {'failed': []},
- },
- ),
-
dict(
desc="Ensure --raw and --structure does not work "
"for ipa dnsrecord-add",
- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ command=('dnsrecord_add', [zone1, name1],
+ {'arecord': arec2, u'raw': True, u'structured': True}),
expected=errors.MutuallyExclusiveError(
reason=u"cannot use structured together with raw"
),
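Review bot: the old `dnrecord_add` typo meant the command name itself failed to resolve, so the `MutuallyExclusiveError` path was never exercised; passing `[zone1, name1]` and an `arecord` makes the option conflict the thing actually tested, which is why the `dnszone_del` entry has to move below these cases (the zone must still exist when they run). The `desc` strings in this and the following three hunks still say `--structure`; the option under test is `--structured`.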
@@ -3438,7 +3429,8 @@ class test_dns(Declarative):
dict(
desc="Ensure --raw and --structure does not work "
"for ipa dnsrecord-mod",
- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ command=('dnsrecord_mod', [zone1, name1],
+ {'arecord': arec1, u'raw': True, u'structured': True}),
expected=errors.MutuallyExclusiveError(
reason=u"cannot use structured together with raw"
),
@@ -3447,7 +3439,8 @@ class test_dns(Declarative):
dict(
desc="Ensure --raw and --structure does not work "
"for ipa dnsrecord-show",
- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ command=('dnsrecord_show', [zone1, name1],
+ {u'raw': True, u'structured': True}),
expected=errors.MutuallyExclusiveError(
reason=u"cannot use structured together with raw"
),
@@ -3456,11 +3449,22 @@ class test_dns(Declarative):
dict(
desc="Ensure --raw and --structure does not work "
"for ipa dnsrecord-find",
- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
+ command=('dnsrecord_find', [zone1],
+ {u'raw': True, u'structured': True}),
expected=errors.MutuallyExclusiveError(
reason=u"cannot use structured together with raw"
),
),
+
+ dict(
+ desc='Delete zone %r' % zone1,
+ command=('dnszone_del', [zone1], {}),
+ expected={
+ 'value': [zone1_absolute_dnsname],
+ 'summary': u'Deleted DNS zone "%s"' % zone1_absolute,
+ 'result': {'failed': []},
+ },
+ ),
]
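Review bot: moving `dnszone_del` to the end restores cleanup after the four error-path cases, which now depend on `zone1` and `name1` existing; since each of those cases expects an error before any record is changed, the expected deletion result (`'failed': []`) still holds.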
--
2.49.0

@ -0,0 +1,42 @@
From 1aac0a5f7e0702e23e0ba6dad726734b5d75710d Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Mon, 31 Mar 2025 11:50:41 +0200
Subject: [PATCH] ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op
Also remove unused "search_pb" variable and its associated free
functions.
Fixes: https://pagure.io/freeipa/issue/9772
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
index 99e6b850b04145cefcb7830df5fe4b36adec45de..35ecef228d7fac1e7009dbf97983089755aa6768 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
@@ -81,7 +81,6 @@ static int ipa_sidgen_add_post_op(Slapi_PBlock *pb)
const char *dn_str;
Slapi_DN *dn = NULL;
struct ipa_sidgen_ctx *ctx;
- Slapi_PBlock *search_pb = NULL;
char *errmsg = NULL;
ret = slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_repl_op);
@@ -152,9 +151,8 @@ static int ipa_sidgen_add_post_op(Slapi_PBlock *pb)
ret = 0;
done:
- slapi_free_search_results_internal(search_pb);
- slapi_pblock_destroy(search_pb);
slapi_sdn_free(&dn);
+ slapi_entry_free(entry);
if (ret != 0) {
if (errmsg == NULL) {
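Review bot: `slapi_entry_free(entry)` now runs unconditionally on every path through `done:`, but `entry` is not declared in this hunk; confirm it is initialised to NULL before the first `goto done` and that it is an entry this function owns (for example the result of an internal search) rather than the post-op entry obtained from the pblock, which belongs to the server and would be double-freed here. The removed `slapi_free_search_results_internal`/`slapi_pblock_destroy` calls operated on a `search_pb` that was always NULL, so they were no-ops and the new free is the only behavioural change.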
--
2.49.0

@ -218,7 +218,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 15%{?rc_version:.%rc_version}%{?dist}
Release: 16%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -309,6 +309,11 @@ Patch0064: 0064-idrange-use-minvalue-0-for-baserid-and-secondarybase.patch
Patch0065: 0065-ipatests-Tests-to-check-data-in-journal-log.patch
Patch0066: 0066-Disallow-removal-of-dogtag-and-ipa-dnskeysyncd-servi.patch
Patch0067: 0067-Don-t-require-certificates-to-have-unique-ipaCertSub.patch
Patch0068: 0068-dns-don-t-populate-forwarders-with-DoT-forwarders.patch
Patch0069: 0069-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating.patch
Patch0070: 0070-Test-fix-for-the-update.patch
Patch0071: 0071-Correct-dnsrecord_-tests-for-raw-structured.patch
Patch0072: 0072-ipa-sidgen-fix-memory-leak-in-ipa_sidgen_add_post_op.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
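Review bot: the `Release:` bump to 16 and the new `Patch0068` to `Patch0072` entries line up with the five embedded patches and with the changelog entry below; if this spec applies patches with explicit `%patch` lines rather than `%autosetup`, the matching apply lines also need adding, and they are not part of this hunk.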
@ -1961,6 +1966,12 @@ fi
%endif
%changelog
* Tue Apr 29 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-16
- Resolves: RHEL-88900 [RFE] Add check on CA cert expiry for ipa-cert-fix
- Resolves: RHEL-88037 Server installation: dot-forwarder not added as a forwarder
- Resolves: RHEL-86483 Include latest fixes in python3-ipatests package
- Resolves: RHEL-41178 ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op()
* Tue Mar 25 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-15
- Resolves: RHEL-84481 Protect all IPA service principals
- Resolves: RHEL-84277 [RFE] IDM support UIDs up to 4,294,967,293
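Review bot: the RHEL-88037 line is worded as "dot-forwarder not added as a forwarder", while the corresponding patch (0068) deliberately stops adding DoT forwarders to the plain forwarder list because Unbound handles them; a reader of the changelog may take the entry to mean the opposite, so consider wording it to say the DoT forwarders are now handled through Unbound rather than as regular forwarders.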