diff --git a/0068-dns-don-t-populate-forwarders-with-DoT-forwarders.patch b/0068-dns-don-t-populate-forwarders-with-DoT-forwarders.patch
new file mode 100644
index 0000000..51be0a4
--- /dev/null
+++ b/0068-dns-don-t-populate-forwarders-with-DoT-forwarders.patch
@@ -0,0 +1,49 @@
+From e1d517032afa2a8258c1ff8bd6bfdd4175b42327 Mon Sep 17 00:00:00 2001
+From: Antonio Torres
+Date: Mon, 17 Feb 2025 10:21:53 +0100
+Subject: [PATCH] dns: don't populate forwarders with DoT forwarders
+
+DNS over TLS setup overrides global forwarder to point to Unbound, so no
+need to setup regular forwarders.
+
+Resolves: https://pagure.io/freeipa/issue/9748
+Signed-off-by: Antonio Torres
+Reviewed-By: Rob Crittenden
+---
+ ipaserver/install/dns.py | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
+index 88aff19bcec11f778af5644167c32c45cbcab594..470e1915971f66d84e4e4f279caaf81bd3a85cd3 100644
+--- a/ipaserver/install/dns.py
++++ b/ipaserver/install/dns.py
+@@ -360,14 +360,9 @@ def install_check(standalone, api, replica, options, hostname):
+ 
+ if options.no_forwarders:
+ options.forwarders = []
+- elif (options.forwarders
+- or options.dot_forwarders or options.auto_forwarders):
++ elif options.forwarders or options.auto_forwarders:
+ if not options.forwarders:
+- if options.dot_forwarders:
+- options.forwarders = [fw.split("#")[0]
+- for fw in options.dot_forwarders]
+- else:
+- options.forwarders = []
++ options.forwarders = []
+ if options.auto_forwarders:
+ options.forwarders.extend(dnsforwarders.get_nameservers())
+ elif standalone or not replica:
+@@ -436,9 +431,6 @@ def install(standalone, replica, options, api=api):
+ "and IPA CA is not present."
+ )
+ 
+- if not options.forwarders and options.dot_forwarders:
+- options.forwaders = [fw.split("#")[0] for fw in options.dot_forwarders]
+-
+ bind = bindinstance.BindInstance(fstore, api=api)
+ bind.setup(api.env.host, ip_addresses, api.env.realm, api.env.domain,
+ options.forwarders, options.forward_policy,
+-- 
+2.49.0
+
diff --git a/0069-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating.patch b/0069-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating.patch
new file mode 100644
index 0000000..bd6e2e3
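Review bot: Dropping `options.dot_forwarders` from the `elif` condition means an install given only `--dot-forwarders` now falls through to the `elif standalone or not replica:` branch, whose body is outside the hunk; if that branch prompts for or validates BIND forwarders, a DoT-only install changes behaviour in a way the commit message does not discuss. The reason the DoT list is no longer turned into BIND forwarders lives only in the commit message, so the new `elif` deserves a one-line comment such as `# DoT forwarders are handled by the DNS-over-TLS setup (global forwarder -> Unbound), not as BIND forwarders`. The removed block in `install()` assigned to a misspelled `options.forwaders`, so it never had any effect and its removal is not a behaviour change on its own. Both enclosing functions, `install_check` and `install`, start and end outside the hunk.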
--- /dev/null
+++ b/0069-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating.patch
@@ -0,0 +1,46 @@
+From 3f7d84677775bd9e237b28b08fe961a157b8b14e Mon Sep 17 00:00:00 2001
+From: Aleksandr Sharov
+Date: Sat, 8 Mar 2025 14:55:09 +0100
+Subject: [PATCH] Add a check into ipa-cert-fix tool to avoid updating certs if
+ CA is close to being expired.
+
+Fixes: https://pagure.io/freeipa/issue/9760
+Signed-off-by: Aleksandr Sharov
+Reviewed-By: Rob Crittenden
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipaserver/install/ipa_cert_fix.py | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
+index 8e02d1e75cc4cb936b77a6c9f3f9df2b8605a58b..960d7b9e08614ff6ee23c948a0a5fa08b109627e 100644
+--- a/ipaserver/install/ipa_cert_fix.py
++++ b/ipaserver/install/ipa_cert_fix.py
+@@ -69,6 +69,7 @@ logger = logging.getLogger(__name__)
+ 
+ 
+ cert_nicknames = {
++ 'ca_issuing': 'caSigningCert cert-pki-ca',
+ 'sslserver': 'Server-Cert cert-pki-ca',
+ 'subsystem': 'subsystemCert cert-pki-ca',
+ 'ca_ocsp_signing': 'ocspSigningCert cert-pki-ca',
+@@ -137,6 +138,16 @@ class IPACertFix(AdminTool):
+ print("Nothing to do.")
+ return 0
+ 
++ if any(key == 'ca_issuing' for key, _ in certs):
++ logger.debug("CA signing cert is expired, exiting!")
++ print(
++ "The CA signing certificate is expired or will expire within "
++ "the next two weeks.\n\nipa-cert-fix cannot proceed, please "
++ "refer to the ipa-cacert-manage tool to renew the CA "
++ "certificate before proceeding."
++ )
++ return 1
++
+ print(msg)
+ 
+ print_intentions(certs, extra_certs, non_renewed)
+-- 
+2.49.0
+
diff --git a/0070-Test-fix-for-the-update.patch b/0070-Test-fix-for-the-update.patch
new file mode 100644
index 0000000..047a2ce
--- /dev/null
+++ b/0070-Test-fix-for-the-update.patch
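Review bot: The early exit logs `CA signing cert is expired, exiting!` at debug level, so on a run without `-v` the log carries no record of why ipa-cert-fix returned 1, and the wording disagrees with the printed text, which also covers a certificate that is merely about to expire; `logger.error("CA signing cert is expired or expiring soon, exiting!")` would fit a hard failure, though the accompanying 0070 patch asserts the exact current string in stderr, so the two would have to change together. The check assumes `certs` is a sequence of two-element `(key, ...)` pairs keyed by the `cert_nicknames` names; that construction is outside the hunk, so it is worth confirming that the new `'ca_issuing'` entry actually surfaces there when the CA certificate is inside the renewal window rather than only once expired. The enclosing method of `IPACertFix` starts outside the hunk.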
@@ -0,0 +1,41 @@
+From cdc03d7b6233f736c51c10aa07225aac9715e4c0 Mon Sep 17 00:00:00 2001
+From: Aleksandr Sharov
+Date: Sat, 8 Mar 2025 15:04:57 +0100
+Subject: [PATCH] Test fix for the update
+
+Fixes: https://pagure.io/freeipa/issue/9760
+Signed-off-by: Aleksandr Sharov
+Reviewed-By: Rob Crittenden
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipatests/test_integration/test_ipa_cert_fix.py | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
+index 15d8a81575dc7f2077c34b8907fbeb3e2f6eb66f..d11fd3d611e7e5755569e8fc70de6f261473e3f3 100644
+--- a/ipatests/test_integration/test_ipa_cert_fix.py
++++ b/ipatests/test_integration/test_ipa_cert_fix.py
+@@ -301,13 +301,18 @@ class TestIpaCertFix(IntegrationTest):
+ valid. If CA cert expired, ipa-cert-fix won't work.
+ 
+ related: https://pagure.io/freeipa/issue/8721
++
++ If CA cert is close to expiry, there's no reason to issue new certs
++ with short validity period. So, ipa-cert-fix should fail in this case.
++
++ related: https://pagure.io/freeipa/issue/9760
+ """
+ result = self.master.run_command(['ipa-cert-fix', '-v'],
+ stdin_text='yes\n',
+ raiseonerr=False)
+ # check that pki-server cert-fix command fails
+- err_msg = ("ERROR: CalledProcessError(Command "
+- "['pki-server', 'cert-fix'")
++ err_msg = ("CA signing cert is expired, exiting!")
++ assert result.returncode == 1
+ assert err_msg in result.stderr_text
+ 
+ 
+-- 
+2.49.0
+
diff --git a/0071-Correct-dnsrecord_-tests-for-raw-structured.patch b/0071-Correct-dnsrecord_-tests-for-raw-structured.patch
new file mode 100644
index 0000000..40457f5
--- /dev/null
+++ b/0071-Correct-dnsrecord_-tests-for-raw-structured.patch
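Review bot: The comment `# check that pki-server cert-fix command fails` above the rewritten assertions is now stale: the test no longer expects a `pki-server cert-fix` failure but ipa-cert-fix's own refusal to run while the CA certificate is expired or about to expire, so it should read `# check that ipa-cert-fix refuses to run while the CA signing cert is expired/expiring`. The parentheses in `err_msg = ("CA signing cert is expired, exiting!")` wrap a single string and can go. The assertion also hinges on a debug-level log line that is only emitted because the command runs with `-v`; asserting on the user-facing text the tool prints would survive a later change of log level, provided that output is available on the result object (not visible here). The enclosing test method starts outside the hunk.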
@@ -0,0 +1,90 @@
+From d3e9e35ef73729956c649f2ee0d0ff3963f99e4e Mon Sep 17 00:00:00 2001
+From: David Hanina
+Date: Fri, 28 Mar 2025 10:33:15 +0100
+Subject: [PATCH] Correct dnsrecord_* tests for --raw --structured
+
+Fixes typo in the tests, --raw --structured is only checked if rest of
+the command is correct as well, therefore test changes were required.
+
+Fixes: https://pagure.io/freeipa/issue/9768
+Signed-off-by: David Hanina
+Reviewed-By: Michal Polovka
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipatests/test_xmlrpc/test_dns_plugin.py | 32 ++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 14 deletions(-)
+
+diff --git a/ipatests/test_xmlrpc/test_dns_plugin.py b/ipatests/test_xmlrpc/test_dns_plugin.py
+index 803b0a9571c2888dd02c4595c68403f37be7fed7..864d5287f8317a5154aec4c792f56deab7ff0120 100644
+--- a/ipatests/test_xmlrpc/test_dns_plugin.py
++++ b/ipatests/test_xmlrpc/test_dns_plugin.py
+@@ -3416,20 +3416,11 @@ class test_dns(Declarative):
+ },
+ ),
+ 
+- dict(
+- desc='Delete zone %r' % zone1,
+- command=('dnszone_del', [zone1], {}),
+- expected={
+- 'value': [zone1_absolute_dnsname],
+- 'summary': u'Deleted DNS zone "%s"' % zone1_absolute,
+- 'result': {'failed': []},
+- },
+- ),
+-
+ dict(
+ desc="Ensure --raw and --structure does not work "
+ "for ipa dnsrecord-add",
+- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
++ command=('dnsrecord_add', [zone1, name1],
++ {'arecord': arec2, u'raw': True, u'structured': True}),
+ expected=errors.MutuallyExclusiveError(
+ reason=u"cannot use structured together with raw"
+ ),
+@@ -3438,7 +3429,8 @@ class test_dns(Declarative):
+ dict(
+ desc="Ensure --raw and --structure does not work "
+ "for ipa dnsrecord-mod",
+- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
++ command=('dnsrecord_mod', [zone1, name1],
++ {'arecord': arec1, u'raw': True, u'structured': True}),
+ expected=errors.MutuallyExclusiveError(
+ reason=u"cannot use structured together with raw"
+ ),
+@@ -3447,7 +3439,8 @@ class test_dns(Declarative):
+ dict(
+ desc="Ensure --raw and --structure does not work "
+ "for ipa dnsrecord-show",
+- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
++ command=('dnsrecord_show', [zone1, name1],
++ {u'raw': True, u'structured': True}),
+ expected=errors.MutuallyExclusiveError(
+ reason=u"cannot use structured together with raw"
+ ),
+@@ -3456,11 +3449,22 @@ class test_dns(Declarative):
+ dict(
+ desc="Ensure --raw and --structure does not work "
+ "for ipa dnsrecord-find",
+- command=('dnrecord_add', [], {u'raw': True, u'structured': True}),
++ command=('dnsrecord_find', [zone1],
++ {u'raw': True, u'structured': True}),
+ expected=errors.MutuallyExclusiveError(
+ reason=u"cannot use structured together with raw"
+ ),
+ ),
++
++ dict(
++ desc='Delete zone %r' % zone1,
++ command=('dnszone_del', [zone1], {}),
++ expected={
++ 'value': [zone1_absolute_dnsname],
++ 'summary': u'Deleted DNS zone "%s"' % zone1_absolute,
++ 'result': {'failed': []},
++ },
++ ),
+ ]
+ 
+ 
+-- 
+2.49.0
+
diff --git a/0072-ipa-sidgen-fix-memory-leak-in-ipa_sidgen_add_post_op.patch b/0072-ipa-sidgen-fix-memory-leak-in-ipa_sidgen_add_post_op.patch
new file mode 100644
index 0000000..8d2abb4
--- /dev/null
+++ b/0072-ipa-sidgen-fix-memory-leak-in-ipa_sidgen_add_post_op.patch
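Review bot: The rewritten `command=` tuples in the dnsrecord-add and dnsrecord-mod entries mix an unprefixed `'arecord'` key with `u'raw'`/`u'structured'` on the same line, while the surrounding entries use `u''` throughout; keeping one form (`u'arecord'` here, or dropping the redundant `u` in all four dicts) reads cleaner. The unchanged `desc` strings still say `--structure` although the commit title and the option are `--structured`, which is worth fixing while these entries are being touched. The `dnszone_del` entry is moved after the four `--raw --structured` cases presumably because they now reference `zone1`/`name1`, which the deletion would otherwise have removed first; a short comment above the moved block, `# zone1 must still exist for the dnsrecord_* checks above`, would record that ordering dependency for the next person who reorders the list.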
@@ -0,0 +1,42 @@
+From 1aac0a5f7e0702e23e0ba6dad726734b5d75710d Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Mon, 31 Mar 2025 11:50:41 +0200
+Subject: [PATCH] ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op
+
+Also remove unused "search_pb" variable and its associated free
+functions.
+
+Fixes: https://pagure.io/freeipa/issue/9772
+Signed-off-by: Julien Rische
+Reviewed-By: Rob Crittenden
+Reviewed-By: Alexander Bokovoy
+---
+ daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
+index 99e6b850b04145cefcb7830df5fe4b36adec45de..35ecef228d7fac1e7009dbf97983089755aa6768 100644
+--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.c
+@@ -81,7 +81,6 @@ static int ipa_sidgen_add_post_op(Slapi_PBlock *pb)
+ const char *dn_str;
+ Slapi_DN *dn = NULL;
+ struct ipa_sidgen_ctx *ctx;
+- Slapi_PBlock *search_pb = NULL;
+ char *errmsg = NULL;
+ 
+ ret = slapi_pblock_get(pb, SLAPI_IS_REPLICATED_OPERATION, &is_repl_op);
+@@ -152,9 +151,8 @@ static int ipa_sidgen_add_post_op(Slapi_PBlock *pb)
+ 
+ ret = 0;
+ done:
+- slapi_free_search_results_internal(search_pb);
+- slapi_pblock_destroy(search_pb);
+ slapi_sdn_free(&dn);
++ slapi_entry_free(entry);
+ 
+ if (ret != 0) {
+ if (errmsg == NULL) {
+-- 
+2.49.0
+
diff --git a/freeipa.spec b/freeipa.spec
index aa7bd95..ebf1aaa 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -218,7 +218,7 @@ Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 15%{?rc_version:.%rc_version}%{?dist}
+Release: 16%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPL-3.0-or-later
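Review bot: `slapi_entry_free(entry)` at `done:` now runs on every exit path, including any early `goto done` taken before `entry` has been assigned by the lookup; the declaration of `entry` is above the hunk, so this is safe only if it is initialised to NULL there and `slapi_entry_free` tolerates a NULL argument — presumably both hold, but worth a glance since this label also serves the error returns. A one-line comment at the free, `/* entry was returned by an internal search and is owned by this function */`, would make clear that it is not the operation's own post-op entry from the pblock, which must not be freed by a plugin. The rest of `ipa_sidgen_add_post_op`, including where `entry` is obtained, is outside the hunk.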
@@ -309,6 +309,11 @@ Patch0064: 0064-idrange-use-minvalue-0-for-baserid-and-secondarybase.patch
 Patch0065: 0065-ipatests-Tests-to-check-data-in-journal-log.patch
 Patch0066: 0066-Disallow-removal-of-dogtag-and-ipa-dnskeysyncd-servi.patch
 Patch0067: 0067-Don-t-require-certificates-to-have-unique-ipaCertSub.patch
+Patch0068: 0068-dns-don-t-populate-forwarders-with-DoT-forwarders.patch
+Patch0069: 0069-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating.patch
+Patch0070: 0070-Test-fix-for-the-update.patch
+Patch0071: 0071-Correct-dnsrecord_-tests-for-raw-structured.patch
+Patch0072: 0072-ipa-sidgen-fix-memory-leak-in-ipa_sidgen_add_post_op.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1961,6 +1966,12 @@ fi
 %endif
 %changelog
+* Tue Apr 29 2025 Florence Blanc-Renaud - 4.12.2-16
+- Resolves: RHEL-88900 [RFE] Add check on CA cert expiry for ipa-cert-fix
+- Resolves: RHEL-88037 Server installation: dot-forwarder not added as a forwarder
+- Resolves: RHEL-86483 Include latest fixes in python3-ipatests package
+- Resolves: RHEL-41178 ipa-sidgen: fix memory leak in ipa_sidgen_add_post_op()
+
 * Tue Mar 25 2025 Florence Blanc-Renaud - 4.12.2-15
 - Resolves: RHEL-84481 Protect all IPA service principals
 - Resolves: RHEL-84277 [RFE] IDM support UIDs up to 4,294,967,293